
Official Microsoft Learning Product 10135A
Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010, Volume 1

Contents
Module 1: Deploying Microsoft Exchange Server 2010
Lesson 1: Overview of Exchange Server 2010 Requirements 1-4
Lesson 2: Installing Exchange Server 2010 Server Roles 1-19
Lab A: Installing Exchange Server 2010 1-42
Lesson 3: Completing an Exchange Server 2010 Installation 1-49
Lab B: Verifying an Exchange Server 2010 Installation 1-59

Module 2: Configuring Mailbox Servers


Lesson 1: Overview of Exchange Server 2010 Administrative Tools 2-3
Lesson 2: Configuring Mailbox Server Roles 2-17
Lesson 3: Configuring Public Folders 2-43
Lab: Configuring Mailbox Servers 2-53

Module 3: Managing Recipient Objects


Lesson 1: Managing Mailboxes 3-4
Lesson 2: Managing Other Recipients 3-25
Lesson 3: Configuring E-mail Address Policies 3-34
Lesson 4: Configuring Address Lists 3-40
Lesson 5: Performing Bulk Recipient Management Tasks 3-49
Lab: Managing Exchange Recipients 3-53

Module 4: Managing Client Access


Lesson 1: Configuring the Client Access Server Role 4-3
Lesson 2: Configuring Client Access Services for Outlook Clients 4-28
Lab A: Configuring Client Access Servers for Outlook Anywhere Access 4-53
Lesson 3: Configuring Outlook Web App 4-60
Lesson 4: Configuring Mobile Messaging 4-74
Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync 4-85


Module 5: Managing Message Transport


Lesson 1: Overview of Message Transport 5-3
Lesson 2: Configuring Message Transport 5-18
Lab: Managing Message Transport 5-38

Module 6: Implementing Messaging Security


Lesson 1: Deploying Edge Transport Servers 6-4
Lesson 2: Deploying an Antivirus Solution 6-21
Lab A: Configuring Edge Transport Servers and Forefront Protection 2010 6-31
Lesson 3: Configuring an Anti-Spam Solution 6-37
Lesson 4: Configuring Secure SMTP Messaging 6-55
Lab B: Implementing Anti-Spam Solutions 6-71

Lab Answer Keys Appendix


Module 1 Lab A: Installing Exchange Server 2010 L1-1
Module 1 Lab B: Verifying an Exchange Server 2010 Installation L1-8
Module 2 Lab: Configuring Mailbox Databases L2-13
Module 3 Lab: Managing Exchange Recipients L3-19
Module 4 Lab A: Configuring Client Access Servers for Outlook Anywhere Access L4-35
Module 4 Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync L4-43
Module 5 Lab: Managing Message Transport L5-53
Module 6 Lab A: Configuring Edge Transport Servers and Forefront Protection 2010 L6-65
Module 6 Lab B: Implementing Anti-Spam Solutions L6-72

MCT USE ONLY. STUDENT USE PROHIBITED

About This Course


This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description
This course will provide you with the knowledge and skills to configure and manage a Microsoft Exchange Server 2010 messaging environment. This course will teach you how to configure Exchange Server 2010, as well as provide guidelines, best practices, and considerations that will help you optimize your Exchange server deployment.

Audience
This course is intended for people aspiring to be enterprise-level messaging administrators. Others who may take this course include IT generalists and help desk professionals who want to learn about Exchange Server 2010. People coming into the course are expected to have at least 3 years' experience working in the IT field, typically in the areas of network administration, help desk, or system administration. They are not expected to have experience with previous Exchange Server versions.

Student Prerequisites
This course requires that you meet the following prerequisites:

- Experience managing Windows Server 2003 or Windows Server 2008 operating systems.
- Experience with Active Directory directory services or Active Directory Domain Services (AD DS).
- Fundamental knowledge of network technologies, including Domain Name System (DNS) and firewall technologies.
- Experience managing backup and restore on Windows Servers.
- Experience using Windows management and monitoring tools such as Microsoft Management Console, Active Directory Users and Computers, Performance Monitor, Event Viewer, and Internet Information Services (IIS) Administrator.
- Experience using Windows networking and troubleshooting tools such as Network Monitor, Telnet, and NSLookup.
- Fundamental knowledge of certificates and Public Key Infrastructure (PKI).

Course Objectives
After completing this course, students will be able to:

- Install and deploy Exchange Server 2010.
- Configure Mailbox servers and Mailbox server components.
- Manage recipient objects.
- Configure the Client Access server role.
- Manage message transport.
- Configure the secure flow of messages between the Exchange Server organization and the Internet.
- Implement a high availability solution for Mailbox servers and other server roles.
- Plan and implement backup and restore for the server roles.
- Plan and configure messaging policy and compliance.
- Configure Exchange Server permissions and security for internal and external access.
- Monitor and maintain the messaging system.
- Transition an Exchange Server 2003 or Exchange Server 2007 organization to Exchange Server 2010.
- Configure the Unified Messaging server role and Unified Messaging components.
- Implement high availability across multiple sites and implement Federated Sharing.


Course Outline
This section provides an outline of the course:

Module 1, Deploying Microsoft Exchange Server 2010, describes how to prepare for, and perform, an installation of Exchange Server 2010. This module also provides details on the Exchange Server 2010 deployment.

Module 2, Configuring Mailbox Servers, describes the Exchange Management Console and Exchange Management Shell management tools. This module also describes the Mailbox server role, some of the new Exchange Server 2010 features, and the most common Mailbox server role post-installation tasks. The module concludes with a discussion about public-folder configuration and usage.

Module 3, Managing Recipient Objects, describes how you can manage recipient objects, address policies, and address lists in Exchange Server 2010, and the procedures for performing bulk management tasks in the Exchange Management Shell.

Module 4, Managing Client Access, describes how to implement the Client Access server role in Exchange Server 2010.

Module 5, Managing Message Transport, describes how to manage message transport in Exchange Server 2010, which includes topics such as the components of message transport, how Exchange Server 2010 routes messages, and how you can troubleshoot message-transport issues. Additionally, this module provides details on deploying the Exchange Server 2010 Hub Transport server.

Module 6, Implementing Messaging Security, describes how to plan for and deploy the Exchange Server 2010 Edge Transport server role, and the security issues related to the deployment. Additionally, it describes how to configure secure Simple Mail Transfer Protocol (SMTP) messaging as well as Domain Security.

Module 7, Implementing High Availability, describes the high-availability technology built into Exchange Server 2010 and some of the outside factors that affect highly available solutions. This module provides details about how to deploy highly available mailbox databases as well as other Exchange Server 2010 server roles.

Module 8, Implementing Backup and Recovery, describes the Exchange Server 2010 backup and restore features, and what you should consider when creating a backup plan.

Module 9, Configuring Messaging Policy and Compliance, describes how to configure the Exchange Server 2010 messaging policy and compliance features.

Module 10, Securing Microsoft Exchange Server 2010, describes how to secure your Exchange Server deployment by configuring administrative permissions and securing the Exchange Server configuration.

Module 11, Maintaining Microsoft Exchange Server 2010, describes how to monitor and maintain your Exchange Server environment. Additionally, it describes troubleshooting techniques for fixing problems that may arise.

Module 12, Transitioning from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010, describes the options that organizations have when they choose to implement Exchange Server 2010. Additionally, it describes how to transition an existing Exchange Server 2003 or Exchange Server 2007 organization to Exchange Server 2010.

Appendix A, Implementing Unified Messaging, describes how Unified Messaging works with your telephony system and Exchange Server environment, and how to configure Unified Messaging.

Appendix B, Advanced Topics in Exchange Server 2010, describes how to deploy two advanced Exchange Server features: highly available Exchange Server across multiple data centers, and Federated Sharing.


Course Materials
The following materials are included with your kit:

- Course Handbook. A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly focused format, which is just right for an effective in-class learning experience.
  - Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
  - Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
  - Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
  - Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.
- Course Companion CD. Searchable, easy-to-navigate digital content with integrated premium online resources designed to supplement the Course Handbook.
  - Lessons: Include detailed information for each topic, expanding on the content in the Course Handbook.
  - Labs: Include complete lab exercise information and answer keys in digital form to use during lab time.
  - Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, and Microsoft Press.
  - Student Course Files: Include Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.
- Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.


Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Hyper-V deployed on Windows Server 2008 to perform the labs.
Important: At the end of each lab, you must revert the virtual machine back to the state the virtual machine was in before the lab started. To revert a virtual machine, perform the following steps:

1. In Hyper-V Manager, right-click the virtual machine name and click Revert.
2. In the Revert dialog box, click Yes.

The following table shows the role of each virtual machine used in this course:
Virtual machine                    Role
10135A-NYC-DC1                     Domain controller in the Contoso.com domain
10135A-NYC-SVR1                    Member server in the Contoso.com domain
10135A-NYC-SVR2                    Member server in the Contoso.com domain
10135A-VAN-DC1                     Domain controller in the Adatum.com domain
10135A-VAN-EX1                     Exchange 2010 server in the Adatum.com domain
10135A-VAN-EX2                     Exchange 2010 server in the Adatum.com domain
10135A-VAN-EX3                     Exchange 2010 server in the Adatum.com domain
10135A-VAN-EDG                     Exchange 2010 Edge Transport server
10135A-VAN-CL1                     Client computer in the Adatum.com domain
10135A-VAN-TMG                     Microsoft Forefront Threat Management Gateway server in the Adatum.com domain
10135A-VAN-Exchange Server 2003    Exchange 2010 server in the Adatum.com domain
10135A-VAN-SVR1                    Standalone server


Software Configuration
The following software is installed on each VM:

- Windows Server 2008 R2, Release Candidate build
- Windows 7, Release Candidate build
- Exchange Server 2010, Release Candidate build
- Microsoft Office 2007, Service Pack 2
- Microsoft Forefront Threat Management Gateway, Beta 3

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way. All of the aforementioned virtual machines are deployed in each student computer.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught:

- Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
- Dual 120 GB hard disks, 7200 RPM SATA or better*
- 8 GB RAM
- DVD drive
- Network adapter
- Super VGA (SVGA) 17-inch monitor
- Microsoft Mouse or compatible pointing device
- Sound card with amplified speakers

*Striped

In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768 pixels, 16-bit colors.


Module 1
Deploying Microsoft Exchange Server 2010
Contents:
Lesson 1: Overview of Exchange Server 2010 Requirements 1-4
Lesson 2: Installing Exchange Server 2010 Server Roles 1-19
Lab A: Installing Exchange Server 2010 1-42
Lesson 3: Completing an Exchange Server 2010 Installation 1-49
Lab B: Verifying an Exchange Server 2010 Installation 1-59


Module Overview

This module describes how to prepare for, and perform, an installation of Microsoft Exchange Server 2010. The most important task in preparing for an Exchange Server 2010 installation is to ensure that the Active Directory directory services environment is ready. Exchange Server 2010 requires an Active Directory deployment because Active Directory stores all configuration and recipient information that Exchange Server uses. This module also provides details on the Exchange Server 2010 deployment. To install Exchange Server 2010 properly for your environment, you must be aware of the server roles that Exchange Server can install. Additionally, you should be aware of the infrastructure, hardware, and software requirements for introducing Exchange Server 2010 into a messaging environment. Finally, you should know how to verify, troubleshoot, and secure the installation.


After completing this module, you will be able to:

- Describe the infrastructure requirements to install Exchange Server 2010.
- Install Exchange Server 2010 server roles.
- Complete an Exchange Server 2010 installation.


Lesson 1

Overview of Exchange Server 2010 Requirements

In this lesson, you will review the requirements for installing Exchange Server 2010. The most important requirement is the Active Directory deployment, but you also must ensure that you implement the appropriate Domain Name System (DNS) infrastructure. You also should be aware of the Exchange Server 2010 infrastructure requirements when you perform an installation, and when you need to troubleshoot deployment issues.

After completing this lesson, you will be able to:

- Describe the Active Directory components.
- Describe the Active Directory partitions.
- Describe how Exchange Server 2010 uses Active Directory.
- Describe the DNS requirements for Exchange Server 2010.
- Prepare Active Directory for Exchange Server 2010.
- Describe the integration of Active Directory and Exchange Server 2010.


Discussion: Reviewing Active Directory Components

Key Points
Active Directory is the integrated, distributed directory service that is included with the Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server operating systems. Many applications, such as Exchange Server 2010, integrate with Active Directory. This creates a link between user accounts and applications, which enables single sign-on for applications. Additionally, the Active Directory replication capabilities enable distributed applications to replicate application-configuration data.


Discussion Questions
Based on your experience, consider the following questions:

Question: What is the definition of a domain?
Question: What is the definition of a forest?
Question: Under what circumstances would an organization deploy multiple domains in the same forest?
Question: Under what circumstances might an organization deploy multiple forests?
Question: What are trusts?
Question: What type of information do domains in a forest share?
Question: What is the functionality of a domain controller?
Question: What is a global catalog server?
Question: What is the definition of an Active Directory site?
Question: What is Active Directory replication?
Question: How do Active Directory sites affect replication?


Reviewing Active Directory Partitions

Key Points
Active Directory information falls into four types of partitions: domain, configuration, schema, and application. These directory partitions are the replication units in Active Directory.

Domain Partition
A domain partition contains all objects in the domain's directory. Domain objects replicate to every domain controller in that domain, and include user and computer accounts, and groups. A subset of the domain partition replicates to all domain controllers in the forest that are global catalog servers. If you configure a domain controller as a global catalog server, it holds a complete copy of its own domain's objects and a subset of attributes for every domain's objects in the forest.


Configuration Partition
The configuration partition contains configuration information for Active Directory and applications, including Active Directory site and site link information. Additionally, some distributed applications and services store information in the configuration partition. This information replicates through the entire forest so each domain controller has a replica of the configuration partition.

Schema Partition
The schema partition contains definition information for all object types and their attributes that you can create in Active Directory. This data is common to all domains in the forest, and Active Directory replicates it to all domain controllers in the forest. However, only one domain controller maintains a writable copy of the schema. By default, this domain controller, known as the Schema Master, is the first domain controller installed in an Active Directory forest.

Application Partitions
Application partitions are created manually, either by an administrator or by an application during its installation. Application partitions hold specific application data that the application requires. The main benefit of application partitions is replication flexibility: you can specify which domain controllers hold a replica of an application partition, and these can be any subset of the domain controllers in the forest. Exchange Server 2010 does not use application partitions to store information.


How Exchange Server 2010 Uses Active Directory

Key Points
To ensure proper placement of Active Directory components in relation to computers running Exchange Server, you must understand how Exchange Server 2010 communicates with Active Directory Domain Services (AD DS) and uses Active Directory information to function.

Note: The Exchange Server 2010 Edge Transport server role does not use Active Directory to store configuration information. Instead, the Edge Transport server role uses Active Directory Lightweight Directory Services (AD LDS). For more details, see Module 6, Implementing Messaging Security.


Forests
An Exchange Server organization and an Active Directory forest have a one-to-one relationship. You cannot have an Exchange Server organization that spans multiple Active Directory forests. You also cannot have multiple Exchange Server organizations within a single Active Directory forest.

Schema Partition
The Exchange Server 2010 installation process modifies the schema partition to enable the creation of Exchange Server-specific objects. The installation process also adds Exchange Server-specific attributes to existing objects.

Configuration Partition
The configuration partition stores configuration information for the Exchange Server 2010 organization. Because Active Directory replicates the configuration partition among all domain controllers in the forest, configuration of the Exchange Server 2010 organization replicates throughout the forest.

Domain Partition
The domain partition holds information about recipient objects. This includes mailbox-enabled users, and mail-enabled users, groups, and contacts. Objects that are mailbox-enabled or mail-enabled have preconfigured attributes, such as e-mail addresses.

Global Catalog
When you install Exchange Server 2010, the e-mail attributes for mail-enabled and mailbox-enabled objects replicate to the global catalog. The following is true:

- The global address list is generated from the recipients list in an Active Directory forest's global catalog.
- Exchange Hub Transport servers access the global catalog to find the location of a recipient's mailbox when delivering messages.
- Exchange Client Access servers access the global catalog server to locate the user's Mailbox server and to display the global address list to Microsoft Office Outlook, Microsoft Outlook Web App, or Exchange ActiveSync clients.


Important: Because of the importance of the global catalog in an Exchange Server organization, you must deploy at least one global catalog in each Active Directory site that contains an Exchange 2010 server. You must deploy enough global catalog servers to ensure adequate performance.

Note: Windows Server 2008 provides a new type of domain controller: the read-only domain controller (RODC). Exchange Server 2010 does not use RODCs, or RODCs that you configure as global catalog servers (ROGCs). This means that you should not deploy an Exchange 2010 server in any site that contains only RODCs or ROGCs.


Reviewing DNS Requirements for Exchange Server 2010

Key Points
Each computer running Exchange Server must use DNS to locate Active Directory and global catalog servers. As a site-aware application, Exchange Server 2010 prefers to communicate with directory servers that are located in the same site as the computer running Exchange Server.

Role of DNS
Exchange Server services use DNS to locate a valid domain controller or global catalog. By default, each time a domain controller starts the Netlogon service, it updates DNS with service (SRV) records that describe it as a domain controller and global catalog server, if applicable.

SRV Resource Records


SRV resource records are DNS records. These records identify servers that provide specific services on the network. For example, an SRV resource record can contain information to help clients locate a domain controller in a specific domain or site.


All SRV resource records use a standard format, which consists of several fields. These fields contain information that AD DS uses to map a service back to the computer that provides the service. SRV resource records use the following format (both the service and the protocol labels start with an underscore, and TTL is the record's time to live):

_Service._Protocol.Name TTL Class SRV Priority Weight Port Target

The SRV records for domain controllers and global catalog servers are registered with several different variations to allow locating domain controllers and global catalog servers in several different ways. One option is to register DNS records by site name, which enables computers running Exchange Server to find domain controllers and global catalog servers in the local Active Directory site. Exchange Server always performs DNS resource queries for the local Active Directory site first.

Host Records
Host records provide a host name to IP address mapping. Host records are required for each domain controller and other hosts that need to be accessible to Exchange Servers or client computers. Host records can use IPv4 (A records) or IPv6 (AAAA records).

MX Records
A Mail Exchanger (MX) record is a resource record that allows servers to locate other servers to deliver Internet e-mail using the Simple Mail Transfer Protocol (SMTP). An MX record identifies the SMTP server that will accept inbound messages for a specific DNS domain. Each MX record contains a host name and a preference value. When you deploy multiple SMTP servers that are accessible from the Internet, you can assign equal preference values to each MX record to enable load balancing between the SMTP servers. You also can specify a lower preference value for one of the MX records. All messages are routed through the SMTP server that has the lower preference-value MX record, unless that server is not available.
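The following Python script is an added example, not code from the course, that parses SRV and MX records written in the layout shown above and then chooses a target the way the text describes: a site-aware lookup tries the site-specific SRV name first and falls back to the domain-wide name, the lowest Priority wins and Weight load-balances among equals (the selection rule of RFC 2782, which the lesson does not spell out), and for MX records the lowest preference value is used unless every host at that preference is unavailable. The zone lines, host names and site name are constructed for the example.

```python
"""Parse SRV/MX records and pick targets the way a site-aware client and a
sending SMTP server would.  Added example; all records below are constructed."""
import random
from dataclasses import dataclass

# Constructed records for a fictional Adatum.com forest.
# SRV layout: _Service._Protocol.Name TTL Class SRV Priority Weight Port Target
# MX layout:  Name TTL Class MX Preference Target
SAMPLE_ZONE = """
_gc._tcp.Default-First-Site-Name._sites.Adatum.com. 600 IN SRV 0 100 3268 van-dc1.adatum.com.
_gc._tcp.Default-First-Site-Name._sites.Adatum.com. 600 IN SRV 0 100 3268 van-dc2.adatum.com.
_gc._tcp.Adatum.com. 600 IN SRV 0 100 3268 van-dc1.adatum.com.
_gc._tcp.Adatum.com. 600 IN SRV 10 100 3268 nyc-dc1.adatum.com.
_ldap._tcp.dc._msdcs.Adatum.com. 600 IN SRV 0 100 389 van-dc1.adatum.com.
Adatum.com. 3600 IN MX 10 mail1.adatum.com.
Adatum.com. 3600 IN MX 10 mail2.adatum.com.
Adatum.com. 3600 IN MX 20 backup-mx.adatum.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    service: str
    protocol: str
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


@dataclass(frozen=True)
class MxRecord:
    name: str
    ttl: int
    preference: int
    target: str


def parse_zone(text):
    """Return (srv_records, mx_records) from zone-file style lines."""
    srv, mx = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, ttl, rtype = fields[0], int(fields[1]), fields[3]
        if rtype == "SRV" and len(fields) == 8:
            parts = owner.split(".", 2)          # _service, _protocol, rest
            if len(parts) != 3:
                continue
            srv.append(SrvRecord(parts[0], parts[1], parts[2].rstrip("."), ttl,
                                 int(fields[4]), int(fields[5]), int(fields[6]),
                                 fields[7].rstrip(".")))
        elif rtype == "MX" and len(fields) == 6:
            mx.append(MxRecord(owner.rstrip("."), ttl, int(fields[4]),
                               fields[5].rstrip(".")))
    return srv, mx


def select_srv_target(records, rng):
    """RFC 2782 selection: lowest priority, then weighted random within it."""
    lowest = min(r.priority for r in records)
    pool = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in pool)
    if total == 0:
        return rng.choice(pool)
    pick, running = rng.randint(1, total), 0
    for r in pool:
        running += r.weight
        if pick <= running:
            return r


def locate_global_catalog(srv_records, domain, site, rng=None):
    """Query the site-specific _gc name first, then the domain-wide name."""
    rng = rng or random.Random(0)
    for name in (f"{site}._sites.{domain}", domain):
        candidates = [r for r in srv_records
                      if r.service == "_gc" and r.protocol == "_tcp"
                      and r.name.lower() == name.lower()]
        if candidates:
            return select_srv_target(candidates, rng)
    return None                      # no GC registered for that domain


def choose_mx(mx_records, domain, unavailable=frozenset()):
    """Targets at the lowest usable preference; equal values share the load,
    a higher value is used only when every lower-preference host is down."""
    hosts = sorted((r for r in mx_records if r.name.lower() == domain.lower()
                    and r.target not in unavailable), key=lambda r: r.preference)
    if not hosts:
        return []
    return [r.target for r in hosts if r.preference == hosts[0].preference]


if __name__ == "__main__":
    srv, mx = parse_zone(SAMPLE_ZONE)
    print(locate_global_catalog(srv, "Adatum.com", "Default-First-Site-Name"))
    print(choose_mx(mx, "Adatum.com"))
```

A client in a site with no GC SRV records (the "Seattle" case in the assertions below) falls through to the domain-wide records, which is exactly why the course insists on a global catalog in every site that hosts an Exchange server: without one, directory traffic leaves the site.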

Note: In addition to SRV, host, and MX records, you also may need to configure Sender Policy Framework (SPF) records to support Sender ID spam filtering. Module 6 provides more information on SPF records. Additionally, some organizations use reverse lookups as an option for spam filtering, so you should consider adding reverse lookup records for all SMTP servers that send your organization's e-mail.


Preparing Active Directory for Exchange Server 2010

Key Points
To install Exchange Server 2010, you need to run the Exchange Server 2010 setup command for preparing the Active Directory forest for the installation. You can use the setup command with the following switches.
Setup switch: /PrepareAD /OrganizationName:organizationname
- Prepares the global Exchange Server objects in Active Directory, creates the Exchange Universal Security Groups in the root domain, and prepares the current domain
- Must be run by a member of the Enterprise Admins group

Setup switch: /PrepareLegacyExchangePermissions
- Necessary if the organization contains Exchange Server 2003 servers
- Modifies the permissions assigned to the Enterprise Exchange Servers group to allow the Recipient Update Service to run
- Must be run by a member of the Enterprise Admins group

Setup switch: /PrepareSchema
- Prepares the schema for the Exchange Server 2010 installation
- Must be run by a member of the Enterprise Admins and Schema Admins groups

Setup switch: /PrepareDomain, /PrepareDomain:domainname, or /PrepareAllDomains
- Prepares the domain for Exchange Server 2010 by creating a new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers
- Not required in the domain where /PrepareAD is run
- Can prepare specific domains by adding the domain's fully qualified domain name (FQDN), or prepare all domains in the forest
- Must be run by a member of the Enterprise Admins and Domain Admins groups

Important: You must prepare the Active Directory forest in the same domain and the same site as the domain controller that hosts the Schema Master role.

Options for Preparing Active Directory


You have the following options when you prepare Active Directory for Exchange Server 2010:

- In an organization that is not running an earlier Exchange Server version, and which has a single domain in the Active Directory forest, you do not need to prepare Active Directory before installing the first Exchange server. In this scenario, you can just install Exchange Server 2010, and all of the Active Directory schema changes are implemented during the install.
- If the user account that you are using to update the schema is a member of the Schema Admins and the Enterprise Admins groups, you do not need to run /PrepareLegacyExchangePermissions and /PrepareSchema before running /PrepareAD. If your account has the right permissions, the /PrepareAD process also configures the legacy permissions and makes the required schema changes.
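As an added example that is not part of the course, the Python function below turns the switch table and the two options above into a decision procedure: given the forest's domains, whether Exchange Server 2003 is present, and the installing account's group memberships, it returns the setup commands to run in order, the group memberships they need, and a warning when the preparation is not being run in the Schema Master's domain. The organization name, domain names and account groups used in the assertions are constructed; the switch and group names are those the lesson lists, and the Setup.com command form is the standard Exchange Server 2010 one.

```python
"""Plan the Exchange Server 2010 Active Directory preparation steps.
Added example; the inputs in the usage block are constructed."""
from dataclasses import dataclass, field


@dataclass
class PrepPlan:
    """Ordered setup commands plus the group memberships they require."""
    commands: list = field(default_factory=list)
    required_groups: set = field(default_factory=set)
    notes: list = field(default_factory=list)

    def missing_groups(self, account_groups):
        have = {g.lower() for g in account_groups}
        return sorted(g for g in self.required_groups if g.lower() not in have)


def plan_ad_preparation(org_name, forest_domains, prep_domain, schema_master_domain,
                        has_exchange_2003, account_groups, prepare_all_domains=False):
    plan = PrepPlan()
    have = {g.lower() for g in account_groups}
    schema_and_enterprise = "schema admins" in have and "enterprise admins" in have

    # The forest must be prepared in the same domain (and site) as the Schema Master.
    if prep_domain.lower() != schema_master_domain.lower():
        plan.notes.append(f"Run setup in {schema_master_domain} (in the Schema Master's "
                          f"site), not in {prep_domain}.")

    # Single domain and no legacy Exchange: setup of the first server does it all,
    # but the account still needs the rights to change the schema.
    if len(forest_domains) == 1 and not has_exchange_2003:
        plan.required_groups.update({"Schema Admins", "Enterprise Admins"})
        plan.notes.append("Single domain, no Exchange Server 2003: install the first "
                          "server directly; setup applies the schema changes.")
        return plan

    if schema_and_enterprise:
        # /PrepareAD covers legacy permissions and the schema when run with both groups.
        plan.required_groups.update({"Schema Admins", "Enterprise Admins"})
        plan.notes.append("/PrepareAD also configures legacy permissions and "
                          "extends the schema.")
    else:
        if has_exchange_2003:
            plan.commands.append("Setup.com /PrepareLegacyExchangePermissions")
            plan.required_groups.add("Enterprise Admins")
        plan.commands.append("Setup.com /PrepareSchema")
        plan.required_groups.update({"Schema Admins", "Enterprise Admins"})

    plan.commands.append(f"Setup.com /PrepareAD /OrganizationName:{org_name}")
    plan.required_groups.add("Enterprise Admins")

    # /PrepareAD already prepares the domain it runs in; the others need /PrepareDomain.
    other_domains = [d for d in forest_domains if d.lower() != prep_domain.lower()]
    if other_domains:
        if prepare_all_domains:
            plan.commands.append("Setup.com /PrepareAllDomains")
        else:
            plan.commands.extend(f"Setup.com /PrepareDomain:{d}" for d in other_domains)
        plan.required_groups.update({"Enterprise Admins", "Domain Admins"})
    return plan


if __name__ == "__main__":
    # Constructed scenario: two-domain forest with Exchange 2003 still present.
    plan = plan_ad_preparation("Adatum", ["adatum.com", "child.adatum.com"],
                               "adatum.com", "adatum.com", True, ["Enterprise Admins"])
    print("\n".join(plan.commands))
    print("missing:", plan.missing_groups(["Enterprise Admins"]))
```

Checking missing_groups before the first command is run is the useful part: /PrepareSchema fails late and noisily when the account lacks Schema Admins, and the plan makes that visible up front.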


Demonstration: Integration of Active Directory and Exchange Server 2010

Key Points
In this demonstration, you will review the integration of Active Directory and Exchange Server 2010.

Demonstration Steps
1. On a domain controller, open Active Directory Users and Computers.
2. In the Active Directory domain, expand the Microsoft Exchange Security Groups organizational unit.
3. Review the description and membership of the following Active Directory groups: Organization Management, Recipient Management, View-Only Organization Management, and Discovery Management.
4. Open ADSI Edit, and connect to the domain partition. Review the information in the domain partition.
5. Connect to the configuration partition. Review the information in the configuration partition, and in the CN=Services, CN=Microsoft Exchange, CN=Exchangeorganizationname container.
6. Connect to the schema partition. Review the information in the schema partition, and point out the attributes and class objects that begin with ms-Exch.

Question: How do you assign permissions in your Exchange organization? How will you assign permissions using the Exchange security groups?

Question: Which Active Directory partition would you expect to contain the following information?
- User's e-mail address
- Exchange connector for sending e-mail to the Internet
- Exchange Server configuration


Lesson 2

Installing Exchange Server 2010 Server Roles

Before you install Exchange Server 2010, you need to understand the concept of Exchange Server 2010 server roles. Each server role provides a specific set of functionality that an Exchange Server organization requires. When you install Exchange Server 2010, you can install all server roles on the same computer, except for the Edge Transport server role. Alternately, you can distribute the roles across multiple computers. After you decide which server role to deploy on each Exchange server, you must ensure that the network infrastructure and servers are ready for the Exchange Server 2010 installation.

After completing this lesson, you will be able to:

- Describe the server roles included in Exchange Server 2010.
- Describe the options for deploying Exchange Server 2010.
- Describe the hardware recommendations for combining server roles in Exchange Server 2010.
- Describe the options for integrating Exchange Server 2010 and Exchange Online Services.
- Describe the infrastructure requirements for installing Exchange Server 2010.
- Describe the server requirements for installing Exchange Server 2010.
- Describe the considerations for deploying Exchange Server 2010 servers as virtual machines.
- Describe the process for installing Exchange Server 2010.
- Describe the options for performing an unattended installation.


Overview of Server Roles in Exchange Server 2010

Key Points
Exchange Server 2010 provides functionality that falls into five separate server roles. When you install Exchange Server 2010, you can select one or more of these roles for installation on the server. Large organizations might deploy several servers with each role, whereas a small organization might combine all server roles except the Edge Transport server role on one computer.

Important: Exchange Server 2010 server roles are a logical grouping of features and components that perform a specific function in the messaging environment. You can install all server roles, except the Edge Transport server role, on the same physical computer.


Exchange Server 2010 Server Roles


The following server roles are included in Exchange Server 2010:
• Hub Transport server role. The Hub Transport server role is responsible for message routing. The Hub Transport server performs message categorization and routing, and handles all messages that pass through an organization. You must configure at least one Hub Transport server in each Active Directory site that contains a Mailbox server or a Unified Messaging server, and the server running the Hub Transport server role must be a member of an Active Directory domain.
• Mailbox server role. The Mailbox server role is responsible for managing mailbox and public folder databases. Mailboxes and public folders reside on the Mailbox servers. You can enable high availability by adding Mailbox servers to a Database Availability Group (DAG). Because Mailbox servers require Active Directory access, you must install this role on a member server in an Active Directory domain.
• Edge Transport server role. The Edge Transport server role is the Simple Mail Transfer Protocol (SMTP) gateway server between your organization and the Internet. To ensure security, you should deploy the computer that runs the Edge Transport server role in a perimeter network, and it should not be a member of your internal Active Directory forest. Because the Edge Transport server is not part of an Active Directory domain, it cannot use Active Directory to store configuration information. Instead, it uses Active Directory Lightweight Directory Services (AD LDS) on Windows Server 2008 computers to access recipient and configuration information.
• Client Access server role. The Client Access server role enables connections from all available client protocols to the Exchange Server mailboxes. You must deploy at least one Client Access server in each Active Directory site that contains a Mailbox server. Client protocols that connect through a Client Access server include:
  • Messaging Application Programming Interface (MAPI) clients
  • Outlook Web App clients
  • Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) clients
  • Outlook Anywhere, which is known as remote procedure call (RPC) over HTTP in Exchange Server 2003
  • Exchange ActiveSync clients


Note: In previous Exchange Server versions, MAPI clients connect directly to the Mailbox servers. In Exchange Server 2010, all clients, including MAPI clients, connect to the Client Access servers. MAPI clients still connect directly to Mailbox servers when accessing public folders.

• Unified Messaging server role. The Unified Messaging server role provides the foundation of services that integrate voice and fax messages into your organization's messaging infrastructure. This role requires the presence of three other server roles: Hub Transport, Client Access, and Mailbox. The Unified Messaging server provides access to voice messages and faxes.


Deployment Options for Exchange Server 2010

Key Points
You can deploy the server roles in Exchange Server 2010 in several different scenarios, depending on an organization's size and requirements. If you are an administrator, it is important to understand the deployment scenarios when you plan an Exchange Server system.


Exchange Server 2010 Editions


Exchange Server 2010 is available as Standard Edition and Enterprise Edition. The Standard Edition should meet the messaging needs of small and medium corporations, and may also be suitable for specific server roles or branch offices. The Enterprise Edition is for large enterprise corporations, and enables you to create additional databases in addition to providing other advanced features.

Feature                  Standard Edition                                   Enterprise Edition
Database support         Five databases                                     100 databases
Database storage limit   No software storage limit; storage limit is        No software storage limit; storage limit is
                         hardware dependent                                 hardware dependent
DAG membership           Supported                                          Supported

Exchange Server 2010 Client Access Licenses


Exchange Server 2010 has two client-access license (CAL) options:
• Exchange Server Standard CAL. Provides access to e-mail, shared calendaring, Outlook Web App, and ActiveSync.
• Exchange Server Enterprise CAL. Requires a Standard CAL, and provides access to additional features such as unified messaging, per-user and per-distribution-list journaling, managed custom e-mail folders, and Forefront Protection for Exchange Server.

Deployment Scenarios for a Simple Organization


In a small organization, you can install all the server roles (except the Edge Transport server role) on a single computer. Small organizations might also consider using Exchange Online services.


Deployment Scenarios for a Standard Organization


Medium-sized organizations should consider installing the required services and Exchange server roles on multiple computers. A typical deployment scenario for a medium-sized organization may include:
• Two domain controllers for each domain.
• Two Exchange servers configured with the Mailbox server role and other server roles, except the Edge Transport server role.
• One Exchange server configured with the Edge Transport server role.

Note: In Exchange Server 2007, Mailbox servers that were part of a failover cluster could not run additional Exchange server roles. With Exchange Server 2010, Exchange servers that are part of a DAG also can host other Exchange server roles, except the Edge Transport server role.

Deployment Scenarios for a Large or Complex Organization


A large or complex organization needs to deploy dedicated servers for each server role, and may have to deploy multiple servers for each role. A typical deployment scenario for a large organization can include:
• Two domain controllers and global catalog servers for each organizational domain. If the organization includes multiple Active Directory sites, and you are deploying Exchange servers in a site, you should deploy global catalog servers in the site.
• One or more Exchange servers configured with the Mailbox server role. You can deploy multiple Mailbox servers in each Active Directory site.
• One or more Exchange servers dedicated to each of the other server roles. You must deploy at least one Hub Transport server and Client Access server in each Active Directory site that includes a Mailbox server. If the organization has a smaller branch office, you can deploy multiple Exchange servers hosting all the server roles except for the Edge Transport server role, and configure the Mailbox servers to be part of a DAG.
• One or more Exchange servers configured with the Edge Transport server role. Multiple servers provide redundancy and scalability.


Hardware Recommendations for Combining Server Roles

Key Points
You can install all roles, except the Edge Transport server role, on a single computer. When you design the hardware configuration for servers on which you install multiple server roles, consider the following recommendations:
• Plan for at least two processor cores for a server with multiple server roles. The recommended number of processor cores is eight, and 24 is the maximum recommended number.
• Design a server with multiple roles to use half of the available processor cores for the Mailbox role and the other half for the Client Access and Hub Transport roles.
• Plan for the following memory configuration for a server with multiple server roles: 8 gigabytes (GB) plus between 2 megabytes (MB) and 10 MB per mailbox. This can vary based on the user profile and the number of storage groups. We recommend 64 GB as the maximum amount of memory you need.
• To accommodate the Client Access and Hub Transport server roles on the same server as the Mailbox server role, reduce the number of mailboxes per core, as calculated from the average client profile, by 20 percent.
• You can deploy multiple Exchange server roles on a Mailbox server that is a DAG member. This means that you can provide full redundancy for the Mailbox, Hub Transport, and Client Access server roles on just two Exchange servers.


Options for Integrating Exchange Server 2010 and Exchange Online Services

Key Points
One deployment option available in Exchange Server 2010 is to integrate your messaging system with Exchange Online Services. Exchange Online Services is part of the Business Productivity Online services that Microsoft offers.

Business Productivity Online


Business Productivity Online is a set of Microsoft-hosted messaging and collaboration solutions, including Microsoft Exchange Online, Microsoft SharePoint Online, Microsoft Office Live Meeting, and Microsoft Office Communications Online. These services are available on a subscription basis.


Exchange Online Services


When you subscribe to Exchange Online Services, you can take advantage of the following features:
• E-mail and calendar functions. Exchange Online delivers e-mail services, including spam filtering, antivirus protection, and mobile-device synchronization. Through Microsoft Office Outlook 2007 and Outlook Web App, you can use the advanced e-mail, calendar, contact, and task management features of Exchange Online.
• E-mail coexistence and migration tools. The Business Productivity Online Standard Suite includes e-mail coexistence and migration tools. If you have Active Directory directory services and Microsoft Exchange Server, the Microsoft Online Services Directory Synchronization tool synchronizes your user accounts, contacts, and groups from your local environment to Microsoft Online Services. This tool also makes your Microsoft Exchange Global Address List (GAL) available in Exchange Online.

Exchange Online Services and Exchange Server 2010


Exchange Server 2010 provides additional functionality with Exchange Online Services. With Exchange Server 2010, you can host some of the mailboxes in an internal Exchange organization, which displays as the On-Premise Exchange organization in the Exchange Management Console. Additionally, you can host some of your organization's mailboxes on Exchange Online. You can use the Exchange Management Console to move mailboxes to Exchange Online Services and to manage those mailboxes. For more information on Exchange Online Services, refer to the links provided on the CD.


Infrastructure Requirements for Exchange Server 2010

Key Points
Before you deploy Exchange Server 2010 in your organization, you need to ensure that your organization meets Active Directory and DNS requirements.

Active Directory Requirements


You must meet the following Active Directory requirements before you can install Exchange Server 2010:
• The domain controller that is the schema master must have Windows Server 2003 Service Pack 1 (SP1) or later, Windows Server 2008, or Windows Server 2008 R2 installed. By default, the schema master runs on the first Windows domain controller installed in a forest.
• In each of the sites where you deploy Exchange Server 2010, at least one global catalog server must be installed and run Windows Server 2003 SP1 or later, Windows Server 2008, or Windows Server 2008 R2.
• The Active Directory domain and forest functional levels must be Windows Server 2003, at a minimum.


DNS Requirements
Before you install Exchange Server 2010, you must ensure that your organization meets the following requirements:
• You must configure DNS correctly in your Active Directory forest.
• All servers that run Exchange Server 2010 must be able to locate Active Directory domain controllers, global catalog servers, and other Exchange servers.


Server Requirements for Exchange Server 2010

Key Points
Exchange Server 2010 requires a minimum level of hardware, and specific software, before you can install it.

Hardware Requirements
You can deploy Exchange Server 2010 only on 64-bit versions of Windows Server 2008 or Windows Server 2008 R2 running on 64-bit hardware.
Resource      Requirement
Processor     x64 architecture-based computer with an Intel processor that supports Intel 64 architecture (formerly known as Intel EM64T), or an AMD processor that supports the AMD64 platform. Intel Itanium IA64 processors are not supported.
Memory        A minimum of 2 GB of system memory, plus 2 to 6 MB per mailbox. This recommendation is based on the number of mailbox databases and the user-usage profile.
Disk          1.2 GB of disk space for Exchange Server files and 200 MB of free disk space on the system drive.
File system   Drives formatted with the NTFS file system for all Exchange Server related volumes.

Important: Exchange Server 2010 is available only in 64-bit versions, which means that you can install all components, including the Exchange Management tools, only on 64-bit operating systems.

Exchange Server 2010 Prerequisite Software


All Exchange Server 2010 servers must have the following software installed:
• Active Directory Domain Services (AD DS) management tools, which are required on all Exchange Server 2010 servers, except for Edge Transport servers
• Microsoft .NET Framework 3.5 Service Pack 1 (SP1) or later
• Windows Remote Management (WinRM)
• Windows PowerShell Version 2

Important: The Net.Tcp Port Sharing Service must be configured to start automatically before starting the Exchange server installation.

Server Role Installation Requirements


Each server role in Exchange Server 2010 has slightly different installation requirements. All server roles, except for the Edge Transport server role, require some Web Server components, such as Internet Information Services (IIS).


Considerations for Deploying Exchange Server 2010 as a Virtual Machine

Key Points
One option with Exchange Server 2010 is to deploy the servers as virtual machines.

Benefits of Using Virtual Machines


Deploying Exchange Server 2010 servers as virtual machines provides the same advantages as deploying other servers as virtual machines. You can deploy all Exchange Server 2010 server roles as virtual machines, except for the Unified Messaging server role.


The benefits of deploying Exchange Servers as virtual machines include:
• Increased hardware utilization and a decreased number of physical servers. In many organizations, the servers deployed in data centers have very low hardware utilization.
• Server-management options that are not available for physical servers. Because virtual machines are just a set of files, you may have additional management options with virtual machines. For example, to increase a virtual machine's hardware level, you can assign more of the host resources to the virtual machine, or move the virtual machine files to a more powerful host server.

Note: Microsoft supports Exchange Server 2010 running as virtual machines for all virtualization vendors that are validated through the Windows Server Virtualization Validation Program. See http://go.microsoft.com/fwlink/?LinkId=179865 for details.

Considerations for Deploying Exchange Server 2010 Servers as Virtual Machines


While running Exchange Server 2010 as a virtual machine provides some benefits, you also should consider the following issues:
• Exchange servers can be designed to ensure that the servers fully utilize the available hardware. For example, in a large organization, you can deploy several thousand mailboxes to a Mailbox server, or deploy a Client Access server with sufficient client connections, so that your organization fully utilizes all hardware resources.
• One of the benefits of running virtual machines is that you can configure high availability within the virtual machine environment. For example, you can deploy Quick Migration in Windows Server 2008 Hyper-V or Live Migration in Windows Server 2008 R2 Hyper-V. However, Microsoft does not support running both DAGs and a virtual machine-based high availability solution. If you require high availability, you should use the Exchange Server 2010 solution.
• The storage used by the Exchange Server guest machine can be virtual storage of a fixed size, SCSI pass-through storage, or Internet SCSI (iSCSI) storage. Pass-through storage is storage that is configured at the host level and dedicated to one guest machine. To provide the best performance for Exchange server storage, use either pass-through disks or fixed-size virtual disks.
• Running Exchange servers as virtual machines can complicate performance monitoring. The performance data between the host and virtual machine is not consistent, because the virtual machine uses only part of the host's resources.
• One of the most common performance bottlenecks for Mailbox servers is network input/output (I/O). When you run Mailbox servers in a virtual environment, the virtual machines have to share this I/O bandwidth with the host machine and other virtual machine servers deployed on the same host. A heavily utilized Mailbox server can consume all of the available I/O bandwidth, which makes it impractical to host additional virtual machines on the physical server.
• If you are planning to deploy Exchange Server 2010 as a virtual machine, ensure that you plan the virtual hardware requirements carefully. You must assign the same hardware resources to the Exchange Server virtual machine as you would assign to a physical server running the same workload.


Process for Installing Exchange Server 2010

Key Points
The Exchange Server 2010 graphical setup program guides you through the installation process. The following steps provide a high-level installation overview:
1. Install the prerequisite software. If you install Exchange Server on Windows Server 2008 R2, the correct versions of Windows PowerShell and Windows Remote Management are installed already.
2. To start the installation, run setup.exe from the installation source.
3. The Setup program checks to ensure that the correct software is installed on the computer. After you finish installing all the required software, you can proceed with the installation of Exchange Server 2010.
4. Exchange Server 2010 provides the option to install additional language packs that will enable the management tools to display in languages other than English. You can choose to install the language packs during the installation.
5. The Installation Type page of the wizard presents you with the option to perform a Typical Exchange Server Installation or a Custom Exchange Server Installation. The typical installation option installs the Hub Transport server role, the Client Access server role, the Mailbox server role, and the Exchange Management tools. The custom installation option allows you to choose the roles you want to install.
6. If this is the first Exchange Server 2010 server in the deployment, and you did not run setup /PrepareAD, you are prompted for the Exchange organization name.
7. If you chose the Mailbox server role, the Exchange Setup program asks whether you have any Office Outlook 2003 or Entourage clients in the organization. If you choose Yes, Exchange Setup creates the public folders required by these clients for the offline address book and for sharing calendar information.
8. If you choose to install the Client Access server role, you also can configure the external domain name for the Client Access server. Clients use this external domain name to connect to the server from the Internet.

Note: Exchange Server 2010 supports Office Outlook 2003 SP1 or later clients. The only Entourage version supported by Exchange Server 2010 is Entourage 2008, Web Services Edition. This version of Entourage requires public folders.


Unattended Installation Options

Key Points
You can use the command line to perform an unattended Exchange Server 2010 installation. When you use the command line, you can use parameters to install specified roles or configure other setup options.

Note: To run an unattended installation with setup parameters, you must run setup.com or setup rather than setup.exe. To see all the parameters available for use with setup.com, run the command with the /? parameter.

The syntax for this command is:

Setup.com [/roles:<roles to install>] [/mode:<setup mode>] [/console] [/?] [/targetdir:<destination folder>] [/prepareAD] [/domaincontroller]


For example, if you want to install Exchange Server 2010 into the default path, and specify the roles of Hub Transport, Client Access, and Mailbox, you would enter the command:
Setup.com /r:H,M,C


Lab A: Installing Exchange Server 2010

Lab Setup
For this lab, you will use the available virtual machine environment:
• 10135A-NYC-DC1: Domain controller in the Contoso.com domain.
• 10135A-NYC-SVR2: Member server in the Contoso.com domain.

Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In Hyper-V Manager, click 10135A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Click the CTRL+ALT+DELETE button in the top-left corner of the Virtual Machine Connection window.
4. Log on using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat these steps to start, and log on to, the 10135A-NYC-SVR2 virtual machine.

Lab Scenario
You are working as a messaging administrator at Contoso Ltd. Your organization is preparing to install its first Exchange Server 2010 server. Contoso Ltd. is a large multinational organization that includes offices in Seattle, Washington, in the United States, and in Tokyo, Japan. Contoso Ltd. does not have a previous version of Exchange Server deployed, so you do not have to upgrade a previous messaging system. Before installing Exchange Server 2010, you must verify that the Active Directory environment is ready for the installation. You also must verify that all computers that will run Exchange Server 2010 meet the prerequisites for installing Exchange.


Exercise 1: Evaluating Requirements for an Exchange Server Installation


Scenario
The Active Directory administrators at Contoso Ltd. are testing the Exchange Server 2010 deployment by deploying a domain controller in a test environment. The server administration team has deployed a Windows Server 2008 R2 server that you can use to deploy the first Exchange Server 2010 server in the test organization. You need to verify that the Active Directory environment and the server meet all prerequisites for installing Exchange Server 2010. Use the following checklist to verify that the prerequisites are met.
Prerequisite                                                                          Achieved?
Active Directory domain controllers: Windows Server 2003 SP2 or later                 Yes or No
Active Directory domain and forest functional level: Windows Server 2003 or higher    Yes or No
DNS requirements                                                                      Yes or No
Exchange Server 2010 schema changes                                                   Yes or No
Active Directory Domain Services (AD DS) management tools                             Yes or No
Microsoft .NET Framework 3.5 or later                                                 Yes or No
Windows Remote Management (WinRM)                                                     Yes or No
Windows PowerShell Version 2                                                          Yes or No
2007 Office System Converter: Microsoft Filter Pack                                   Yes or No
Web Server (IIS) server role along with the following role services:                  Yes or No
  ISAPI Extensions, IIS 6 Metabase Compatibility, IIS 6 Management Console,
  Basic Authentication, Windows Authentication, Digest Authentication,
  Dynamic Content Compression, .NET Extensibility
Windows Server 2008 features: WCF HTTP Activation, RPC over HTTP Proxy                Yes or No

The main tasks for this exercise are as follows:
1. Evaluate the Active Directory requirements.
2. Evaluate the DNS requirements.
3. Evaluate the server requirements.

Task 1: Evaluate the Active Directory requirements


1. On NYC-DC1, evaluate whether the domain controller requirements are met.
2. Evaluate whether the domain and forest functional level requirements are met.
3. Use Adsiedit.msc to evaluate whether the Exchange schema changes are applied.

Task 2: Evaluate the DNS requirements


On NYC-SVR2, use Ipconfig, Ping, and NSLookup to evaluate DNS name resolution functionality.
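The following script is an added example, not part of the course material; it scripts the Active Directory and DNS checks from the Infrastructure Requirements topic and from Tasks 1 and 2 above. It assumes Windows Server 2008 R2 with the ActiveDirectory module (part of RSAT-ADDS), an account that can read the schema partition, and a constructed default site name; the check of the nslookup output relies on Windows nslookup printing "svr hostname" for SRV answers.

```powershell
# Added example, not part of the course material. Checks the Active Directory and DNS
# prerequisites from the lesson, as Lab A, Exercise 1, Tasks 1 and 2 ask you to do.
# Assumes Windows Server 2008 R2 with the ActiveDirectory module (part of RSAT-ADDS)
# and an account that can read the schema partition.
Import-Module ActiveDirectory

function New-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    # One row of the report; Select-Object fixes the column order.
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail } |
        Select-Object Check, Passed, Detail
}

function Test-DcOperatingSystem($Dc) {
    # Windows Server 2008 and 2008 R2 qualify as is; Windows Server 2003 needs SP1 or later.
    if ($Dc.OperatingSystem -like '*2008*') { return $true }
    if ($Dc.OperatingSystem -like '*2003*') {
        return ($Dc.OperatingSystemServicePack -match 'Service Pack [1-9]')
    }
    return $false
}

function Test-ExchangeAdPrerequisites {
    param(
        # Constructed default: the Active Directory sites that will host Exchange servers.
        [string[]]$ExchangeSites = @('Default-First-Site-Name')
    )
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $rootDse = Get-ADRootDSE
    $results = @()

    # Schema master: Windows Server 2003 SP1 or later, Windows Server 2008, or 2008 R2.
    $schemaMaster = Get-ADDomainController -Identity $forest.SchemaMaster
    $results += New-Check 'Schema master operating system' (Test-DcOperatingSystem $schemaMaster) `
        "$($schemaMaster.HostName): $($schemaMaster.OperatingSystem) $($schemaMaster.OperatingSystemServicePack)"

    # Forest and domain functional levels: Windows Server 2003 at a minimum.
    $results += New-Check 'Forest functional level' `
        (@('Windows2000Forest', 'Windows2003InterimForest') -notcontains $forest.ForestMode) "$($forest.ForestMode)"
    $results += New-Check 'Domain functional level' `
        (@('Windows2000Domain', 'Windows2003InterimDomain') -notcontains $domain.DomainMode) "$($domain.DomainMode)"

    # At least one global catalog server on a supported OS in every Exchange site.
    # -Filter searches the current domain only; repeat per domain in a multi-domain forest.
    $gcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true }
    foreach ($site in $ExchangeSites) {
        $siteGcs = @($gcs | Where-Object { $_.Site -eq $site -and (Test-DcOperatingSystem $_) })
        $results += New-Check "Global catalog in site $site" ($siteGcs.Count -gt 0) `
            (($siteGcs | ForEach-Object { $_.HostName }) -join ', ')
    }

    # Schema extension (Task 1, step 3, without ADSI Edit): the attribute
    # ms-Exch-Schema-Version-Pt only exists once setup /PrepareSchema or /PrepareAD has
    # run, and its rangeUpper value records the Exchange schema version.
    try {
        $ver = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)" -Properties rangeUpper
        $results += New-Check 'Exchange schema extended' $true `
            "rangeUpper = $($ver.rangeUpper); compare with the value documented for your Exchange 2010 build"
    } catch {
        $results += New-Check 'Exchange schema extended' $false 'ms-Exch-Schema-Version-Pt not found (setup /PrepareAD has not run)'
    }

    # DNS (Task 2): the domain controller locator SRV record and every DC host name must resolve.
    # Windows nslookup prints "svr hostname = ..." for each SRV answer (assumption about its output).
    $srvName = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
    $srv = & nslookup -type=SRV $srvName 2>&1
    $results += New-Check 'DC locator SRV record resolves' (@($srv | Where-Object { "$_" -match 'svr hostname' }).Count -gt 0) $srvName
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $resolves = $false
        try { $null = [System.Net.Dns]::GetHostAddresses($dc.HostName); $resolves = $true } catch { }
        $results += New-Check "Domain controller $($dc.HostName) resolves in DNS" $resolves ''
    }
    return $results
}

# Usage: Test-ExchangeAdPrerequisites -ExchangeSites 'Default-First-Site-Name' | Format-Table -AutoSize
```

A failed "Exchange schema extended" row is the expected result in the lab's new forest before Exercise 2 runs setup /PrepareAD.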


Task 3: Evaluate the server requirements


1. On NYC-SVR2, evaluate whether the required Windows Server 2008 features, including the required AD DS administration tools, are installed.
2. Evaluate whether the Microsoft Internet Information Services (IIS) components are installed.
3. Evaluate whether the prerequisite software is installed.

Results: After this exercise, you should have evaluated whether your organization meets the Active Directory, DNS, and server requirements for installing Exchange Server 2010. You should have identified the additional components that need to be installed or configured to meet the requirements.


Exercise 2: Preparing for an Exchange Server 2010 Installation


Scenario
Now that you have identified which prerequisites are not met in the current AD DS and server configuration, you need to update the environment to meet them.

The main tasks for this exercise are as follows:
1. Install the Windows Server 2008 server roles and features.
2. Prepare AD DS for the Exchange Server 2010 installation.

Task 1: Install the Windows Server 2008 server roles and features
1. On NYC-SVR2, in Server Manager, install the prerequisite server roles and features for Exchange Server 2010.
2. Configure the Net.Tcp Port Sharing Service to start Automatically.
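The following script is an added example, not part of the course material; it evaluates the server prerequisites in the Exercise 1 checklist (Task 3) and, when run with -Install, performs Task 1 and 2 of this exercise with Server Manager cmdlets instead of the console. It assumes Windows Server 2008 R2 with the ServerManager module, uses that release's feature names for the role services listed in the checklist, and assumes the Filter Pack registers a DisplayName containing "Filter Pack" in the uninstall registry keys.

```powershell
# Added example, not part of the course material. Evaluates the server prerequisites
# from Lab A, Exercise 1, Task 3 and, when run with -Install, carries out Exercise 2,
# Task 1. Assumes Windows Server 2008 R2 with the ServerManager module; the feature
# names are the Windows Server 2008 R2 names of the role services in the lab checklist.
Import-Module ServerManager

# Roles, role services and features for a server hosting the Hub Transport,
# Client Access and Mailbox roles (the typical installation).
$RequiredFeatures = @(
    'NET-Framework',                         # .NET Framework 3.5.1
    'RSAT-ADDS',                             # AD DS management tools
    'Web-Server',                            # Web Server (IIS) role
    'Web-ISAPI-Ext', 'Web-Metabase', 'Web-Lgcy-Mgmt-Console',
    'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-Digest-Auth',
    'Web-Dyn-Compression', 'Web-Net-Ext',
    'NET-HTTP-Activation',                   # WCF HTTP Activation
    'RPC-over-HTTP-proxy'                    # RPC over HTTP Proxy (Outlook Anywhere)
)

function New-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail } |
        Select-Object Check, Passed, Detail
}

function Test-ExchangeServerPrerequisites {
    param([switch]$Install)
    $results = @()

    # Windows roles, role services and features from the checklist.
    $missing = @(Get-WindowsFeature -Name $RequiredFeatures | Where-Object { -not $_.Installed })
    if ($Install -and $missing.Count -gt 0) {
        $add = Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
        if ($add.RestartNeeded -eq 'Yes') { Write-Warning 'Restart the server before installing Exchange.' }
    }
    foreach ($f in (Get-WindowsFeature -Name $RequiredFeatures)) {
        $results += New-Check "Feature $($f.Name)" $f.Installed $f.DisplayName
    }

    # .NET Framework 3.5 SP1 or later, read from the registry key that its installer writes.
    $net = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    $results += New-Check '.NET Framework 3.5 SP1 or later' `
        ($net -ne $null -and $net.Install -eq 1 -and $net.SP -ge 1) "Version $($net.Version), SP $($net.SP)"

    # Windows PowerShell 2.0 and Windows Remote Management (both built into Windows Server 2008 R2).
    $results += New-Check 'Windows PowerShell 2.0 or later' ($PSVersionTable.PSVersion.Major -ge 2) "$($PSVersionTable.PSVersion)"
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $results += New-Check 'Windows Remote Management service present' ($winrm -ne $null) "$($winrm.Status)"

    # The Net.Tcp Port Sharing Service must start automatically (Exercise 2, Task 1, step 2).
    # The PowerShell 2.0 ServiceController has no start type property, so WMI supplies it.
    if ($Install) { Set-Service -Name NetTcpPortSharing -StartupType Automatic }
    $pss = Get-WmiObject Win32_Service -Filter "Name='NetTcpPortSharing'"
    $results += New-Check 'Net.Tcp Port Sharing Service set to Automatic' ($pss.StartMode -eq 'Auto') "$($pss.StartMode)"

    # 2007 Office System Converter: Microsoft Filter Pack, looked up in the uninstall registry
    # keys (assumption: the package registers a DisplayName containing "Filter Pack").
    $filterPack = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Filter Pack*' }
    $results += New-Check 'Microsoft Filter Pack installed' ($filterPack -ne $null) "$($filterPack | ForEach-Object { $_.DisplayName })"

    return $results
}

# Usage: Test-ExchangeServerPrerequisites | Format-Table -AutoSize
#        Test-ExchangeServerPrerequisites -Install   # also installs what is missing
```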

Task 2: Prepare AD DS for the Exchange Server 2010 installation


1. In Hyper-V Manager, connect C:\Program Files\Microsoft Learning\10135\Drives\EXCH201064.iso as the DVD drive for NYC-SVR2.
2. From a command prompt, run the Exchange Server setup program with the /PrepareAD parameter. Configure an Exchange organization name of Contoso.

Results: After this exercise, you should have prepared the Active Directory and server configuration for the Exchange Server 2010 installation.


Exercise 3: Installing Exchange Server 2010


Scenario
After you prepare the environment, continue with the Exchange Server 2010 server installation.

The main task for this exercise is as follows:
1. Install Microsoft Exchange Server 2010.

Task 1: Install Microsoft Exchange Server 2010


1. Start the Exchange Server 2010 installation.
2. Choose to install only the languages on the DVD.
3. Perform a Typical Exchange Server Installation.
4. Choose to enable access for Outlook 2003 or Entourage clients.

Results: After this exercise, you should have installed Exchange Server 2010.
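The following script is an added example, not part of the course material; it performs Exercise 2, Task 2 and Exercise 3 unattended with setup.com, using the parameters from the Unattended Installation Options topic instead of the graphical setup program. It assumes the installation source is mounted as drive D:, that the account is a member of Schema Admins and Enterprise Admins (which /PrepareAD needs in a forest that has never had Exchange), and a constructed external Client Access name.

```powershell
# Added example, not part of the course material. Performs Lab A, Exercise 2, Task 2
# and Exercise 3 unattended with setup.com instead of the graphical setup program.
# Assumes the Exchange Server 2010 installation source is mounted as drive D: and that
# the caller is a member of Schema Admins and Enterprise Admins.
function Install-ExchangeUnattended {
    param(
        [string]$SetupPath         = 'D:\setup.com',      # mounted installation source (assumed)
        [string]$OrganizationName  = 'Contoso',
        [string]$ExternalCasDomain = 'mail.contoso.com'   # constructed external Client Access name
    )
    if (-not (Test-Path $SetupPath)) { throw "Exchange setup program not found at $SetupPath" }

    # Step 1 (Exercise 2, Task 2): extend the schema and create the Exchange organization
    # in the configuration partition. Run it once per forest, from a computer in the same
    # domain and Active Directory site as the schema master.
    & $SetupPath /PrepareAD "/OrganizationName:$OrganizationName"
    if ($LASTEXITCODE -ne 0) { throw "setup /PrepareAD failed with exit code $LASTEXITCODE" }

    # Step 2 (Exercise 3): the typical installation, Hub Transport, Client Access and
    # Mailbox roles plus the management tools. /EnableLegacyOutlook creates the public
    # folders that Outlook 2003 and Entourage clients need (the lab's "Yes" choice), and
    # /ExternalCASServerDomain sets the name Internet clients use to reach the server.
    # The role list is quoted so PowerShell passes it as one argument rather than an array.
    & $SetupPath /mode:Install '/roles:HubTransport,ClientAccess,Mailbox' `
        /EnableLegacyOutlook "/ExternalCASServerDomain:$ExternalCasDomain"
    if ($LASTEXITCODE -ne 0) { throw "setup /mode:Install failed with exit code $LASTEXITCODE" }

    # Setup writes C:\ExchangeSetupLogs\ExchangeSetup.log; keep it for the verification
    # steps in Lesson 3.
    Write-Host "Exchange Server 2010 installation completed for organization $OrganizationName."
}

# Usage: Install-ExchangeUnattended -OrganizationName 'Contoso'
```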


Lesson 3

Completing an Exchange Server 2010 Installation

After you install the necessary server roles in Exchange Server 2010, you should verify the installation and perform post-installation tasks, including securing Exchange Server 2010 and installing additional third-party software, if necessary. This lesson describes the post-installation tasks that you should perform.

After completing this lesson, you will be able to:
• Verify an Exchange Server 2010 installation.
• Verify an Exchange Server 2010 deployment.
• Describe how to troubleshoot an Exchange Server 2010 installation.
• Describe how to finalize an Exchange Server 2010 installation.


Demonstration: Verifying an Exchange Server 2010 Installation

Key Points
If all prerequisites are met, the Exchange Server installation should complete successfully. However, you should verify that the installation was successful.

Demonstration Steps
1. 2. 3. 4. 5. 6. On VAN-EX1, open the Services management console, and review the Microsoft Exchange services that were added during the installation. Open Windows Explorer, and browse to C:\ExchangeSetupLogs. Review the contents of the ExchangeSetup.log file. Describe some of the other files in this folder: Browse to C:\Program Files\Microsoft\Exchange Server\V14. Describe the contents of the folders in this location. Open the Exchange Management Console.


7. Under Server Configuration, verify that the server that you installed is listed.
8. Click Toolbox and review the installed tools.
9. In the left pane, click Recipient Configuration. Create a new mailbox.
10. Open Internet Explorer, and connect to the Outlook Web App site on a Client Access server. Log on using the credentials for the new mailbox that you created.
11. Send an e-mail to the mailbox that you created. Verify that the message is delivered.

Additional Tests to Verify Installation


After the Exchange Server 2010 installation finishes, you also can take the following steps to verify that the installation was successful:
• Check the Exchange setup log files. The installation process creates several log files in the C:\ExchangeSetupLogs directory. Review the setup logs for errors that occurred during installation.
• Ensure that the Exchange Management Console opens and displays the installed Exchange server.
• Create a user account with a mailbox and connect to that mailbox using an Office Outlook client or Outlook Web App.

For more information: For detailed information about each of the log files created during the installation, see Exchange Server Help.
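The service, setup-log and role-folder checks above can be scripted. The following is an added example, not part of the course text; it assumes the default paths C:\ExchangeSetupLogs and C:\Program Files\Microsoft\Exchange Server\V14, that the Exchange services are named MSExchange*, and that ExchangeSetup.log tags problem lines with [ERROR] or [WARNING].

```powershell
# Added example (not part of the course text): scripts the post-installation
# checks from the list above. Run it in Windows PowerShell on the new server.
$SetupLog   = 'C:\ExchangeSetupLogs\ExchangeSetup.log'   # assumed default path
$InstallDir = 'C:\Program Files\Microsoft\Exchange Server\V14'

function Test-ExchangeServices {
    # Every Exchange service configured to start automatically should be running.
    $services = Get-WmiObject Win32_Service -Filter "Name LIKE 'MSExchange%'"
    if (-not $services) {
        Write-Warning 'No MSExchange* services found; setup may not have completed.'
        return
    }
    foreach ($svc in $services) {
        if ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
            Write-Warning ('{0} is {1} but is set to start automatically' -f $svc.Name, $svc.State)
        }
        else {
            Write-Host ('{0,-40} {1,-8} {2}' -f $svc.Name, $svc.State, $svc.StartMode)
        }
    }
}

function Test-ExchangeSetupLog {
    # Report any line that setup tagged as an error or warning
    # (the [ERROR]/[WARNING] tags are an assumption; adjust the pattern if needed).
    if (-not (Test-Path $SetupLog)) {
        Write-Warning "Setup log $SetupLog not found."
        return
    }
    $problems = @(Select-String -Path $SetupLog -Pattern '\[ERROR\]|\[WARNING\]')
    if ($problems.Count -eq 0) {
        Write-Host "No error or warning entries in $SetupLog"
    }
    else {
        Write-Warning ('{0} error/warning lines in {1}; last 20 shown:' -f $problems.Count, $SetupLog)
        $problems | Select-Object -Last 20 | ForEach-Object { Write-Host $_.Line }
    }
}

function Test-ExchangeRoleFolders {
    # The role folders under the installation path (ClientAccess, Mailbox,
    # TransportRoles for a typical setup) should match the roles Exchange reports.
    $folders = Get-ChildItem -Path $InstallDir | Where-Object { $_.PSIsContainer } |
        ForEach-Object { $_.Name }
    Write-Host ('Folders under {0}: {1}' -f $InstallDir, ($folders -join ', '))
    if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
        # Get-ExchangeServer is only available in the Exchange Management Shell.
        $roles = (Get-ExchangeServer -Identity $env:COMPUTERNAME).ServerRole
        Write-Host "Roles reported by Exchange: $roles"
    }
}

Test-ExchangeServices
Test-ExchangeSetupLog
Test-ExchangeRoleFolders
```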


Demonstration: Verifying the Exchange Server 2010 Deployment

Key Points
The Microsoft Exchange Server Best Practices Analyzer Tool automatically examines an Exchange Server deployment and determines whether the configuration meets Microsoft best practices. Microsoft performs periodic updates on the definitions that the Exchange Server Best Practices Analyzer uses, so they typically reflect the latest version of the Microsoft best practices recommendations. We recommend running the Exchange Server Best Practices Analyzer after you install a new Exchange server, upgrade an existing Exchange server, or make configuration changes. You can find the Exchange Server Best Practices Analyzer in the Toolbox node of the Exchange Management Console. In this demonstration, your instructor will run the Exchange Server Best Practices Analyzer and review the generated reports.


Note: For more information about the Exchange Server Best Practices Analyzer, view the Exchange Server Best Practices Analyzer Help that is available with the Exchange Server Best Practices Analyzer Tool.

Demonstration Steps
1. On VAN-EX1, open Exchange Management Console, and click Toolbox.
2. Start the Best Practices Analyzer, and clear the options to check for updates and to join the customer improvement program. Go to the Welcome page.
3. Start a new scan. Choose to perform a Health Check scan to scan the server that you just installed.
4. When the scan finishes, view the following tabs and reports:
   • Critical Issues
   • All Issues
   • Recent Changes
   • Informational Items
   • Tree reports
   • Other reports


Troubleshooting an Exchange Server 2010 Installation

Key Points
The Exchange Server installation should complete successfully if you meet all prerequisites. However, if the installation does not complete properly, it is important for you to follow a consistent troubleshooting process.

Troubleshooting Process
Each time you troubleshoot any application or service, you should follow a consistent process, as this ensures that you do not miss steps and that problems are resolved quickly.


Potential Problems and Resolutions


Some common installation problems and solutions are:
• Net.TCP Port Sharing Service not set to start automatically. You must set this service to start automatically.
• Insufficient disk space. Your server might not have the necessary disk space to install Exchange Server 2010. To resolve this, either increase your server's disk space or remove unnecessary files to create more free space.
• Missing software components. Your server might not have all of the required software components for the server roles you want to implement. To resolve this, determine the required software components, download them if necessary, and install them.
• Incorrect DNS configuration. Exchange Server 2010 relies on global catalog servers to perform many operations, and uses DNS to find global catalog servers. If the DNS configuration is incorrect, your server might not be able to find a global catalog server. To verify the problem, use the dcdiag tool. To resolve the problem, ensure that the Exchange server and domain controllers are all using the appropriate internal DNS servers.
• Incorrect domain functional level. All domains with Exchange Server 2010 recipients or servers must be at Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 functional level. To resolve this problem, raise the domain functional level to the appropriate functional level.
• Insufficient Active Directory permissions. When you install Exchange Server 2010, you need sufficient permissions to extend the Active Directory schema and modify the Active Directory configuration partition. To perform the initial schema extension, you must be a member of the Enterprise Admins and Schema Admins groups.
• Insufficient Exchange permissions. To install Exchange Server 2010 into an existing organization, you must be a member of the Exchange Admins group. You also must run Setup.exe with the /PrepareLegacyExchangePermissions switch. Wait for replication throughout the Exchange Server organization before you continue.
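Several of the problems in this list can be checked before Setup is started. The script below is an added example, not part of the course text; it assumes the service name NetTcpPortSharing for the Net.TCP Port Sharing Service, that Exchange is installed on the system drive, and a placeholder free-space threshold (take the real figure from the Exchange Server documentation).

```powershell
# Added example (not part of the course text): pre-installation checks for the
# problems listed above. Run in Windows PowerShell as the account that will run Setup.
$MinFreeGB = 1.2   # placeholder threshold, not the documented requirement

function Test-NetTcpPortSharing {
    # The Net.TCP Port Sharing Service must be set to start automatically.
    $svc = Get-WmiObject Win32_Service -Filter "Name='NetTcpPortSharing'"
    if ($svc -eq $null) {
        Write-Warning 'Net.TCP Port Sharing Service is not installed.'
    }
    elseif ($svc.StartMode -ne 'Auto') {
        Write-Warning ('Net.TCP Port Sharing Service start mode is {0}; set it to Automatic.' -f $svc.StartMode)
    }
    else {
        Write-Host 'Net.TCP Port Sharing Service: Automatic'
    }
}

function Test-FreeDiskSpace {
    # Free space on the drive Exchange will be installed on (system drive assumed).
    $drive  = $env:SystemDrive
    $disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 2)
    if ($freeGB -lt $MinFreeGB) {
        Write-Warning "Only $freeGB GB free on $drive; free space or add disk."
    }
    else {
        Write-Host "Free space on ${drive}: $freeGB GB"
    }
}

function Test-DomainFunctionalLevel {
    # Windows Server 2003, 2008 or 2008 R2 domain functional level is required.
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $accepted = 'Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain'
    if ($accepted -contains $domain.DomainMode.ToString()) {
        Write-Host ('Domain {0} functional level: {1}' -f $domain.Name, $domain.DomainMode)
    }
    else {
        Write-Warning ('Domain functional level {0} is too low; raise it first.' -f $domain.DomainMode)
    }
}

function Test-GlobalCatalogLookup {
    # Exchange locates global catalog servers through DNS. If this lookup fails,
    # check the DNS client settings and run dcdiag on the domain controllers.
    try {
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $gc = $forest.FindGlobalCatalog()
        Write-Host "Global catalog located: $($gc.Name)"
    }
    catch {
        Write-Warning "No global catalog could be located: $($_.Exception.Message)"
    }
}

function Test-SchemaAdminMembership {
    # The initial schema extension needs Enterprise Admins and Schema Admins.
    $token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = foreach ($sid in $token.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    foreach ($required in 'Enterprise Admins', 'Schema Admins') {
        if ($groups -match ('\\{0}$' -f [regex]::Escape($required))) {
            Write-Host "Member of $required"
        }
        else {
            Write-Warning "$($token.Name) is not a member of $required."
        }
    }
}

Test-NetTcpPortSharing
Test-FreeDiskSpace
Test-DomainFunctionalLevel
Test-GlobalCatalogLookup
Test-SchemaAdminMembership
```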


Finalizing the Exchange Server Installation

Key Points
After finishing the Exchange Server installation, you might need to perform additional steps to finalize the server deployment.

Configuring Exchange Server Security


Security is important for all the servers in your environment. However, security is even more important for computers running Exchange Server. For most organizations, messaging is a critical part of the network. People rely on messaging to perform their jobs. Use the following steps to secure computers running Exchange Server 2010:
• Restrict physical access. Like all servers, physical access to a computer running Exchange Server should be restricted. Any server that you can access physically also can be compromised easily.
• Restrict communication. You can use firewalls to restrict the communication between servers, and between servers and clients.


• Reduce the attack surface. To limit software flaws that hackers can use, eliminate unnecessary software and services from your Exchange servers. In particular, Edge Transport servers should have only the necessary services and software running because they are exposed to the Internet.
• Restrict permissions. Evaluate who has permissions to manage Active Directory in your organization. Users who are domain administrators can add themselves to any group, and so they could manage all Exchange Server recipients and computers running Exchange Server in that domain. Reduce delegated Active Directory management permissions in a more granular way if you do not want all of the domain administrators to be capable of managing Exchange Server as well.
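Evaluating who can manage Active Directory starts with listing the nested membership of the privileged groups. The script below is an added example, not part of the course text; it uses ADSI from Windows PowerShell 2.0 and assumes it runs in the forest root domain (where Enterprise Admins and Schema Admins live) and that the Exchange role groups are in the default Microsoft Exchange Security Groups OU.

```powershell
# Added example (not part of the course text): report the effective (nested)
# membership of the groups whose members can administer Exchange Server or
# add themselves to Exchange groups, so the memberships can be reviewed.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDN = $rootDse.Properties['defaultNamingContext'].Value

$groupsToReview = @(
    "CN=Domain Admins,CN=Users,$domainDN"
    "CN=Enterprise Admins,CN=Users,$domainDN"
    "CN=Schema Admins,CN=Users,$domainDN"
    "CN=Organization Management,OU=Microsoft Exchange Security Groups,$domainDN"  # assumed default OU
)

function Get-GroupMemberRecursive {
    # Walks nested groups; $Seen prevents loops in circular memberships.
    # Limits: the member attribute does not list accounts whose primary group
    # is this group, and groups with more than 1500 members need ranged retrieval.
    param(
        [string]$GroupDN,
        [string]$TopGroup = $GroupDN,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($GroupDN)) { return }
    $Seen[$GroupDN] = $true

    $group = [ADSI]"LDAP://$GroupDN"
    foreach ($memberDN in @($group.Properties['member'])) {
        $member  = [ADSI]"LDAP://$memberDN"
        $classes = @($member.Properties['objectClass'])
        if ($classes -contains 'group') {
            Get-GroupMemberRecursive -GroupDN $memberDN -TopGroup $TopGroup -Seen $Seen
        }
        else {
            # Report the leaf member together with the group it was reached through.
            New-Object PSObject -Property @{
                Group  = ($TopGroup -split ',')[0]
                Member = ($memberDN -split ',')[0]
                Class  = $classes[-1]
                Via    = ($GroupDN -split ',')[0]
            }
        }
    }
}

$report = foreach ($dn in $groupsToReview) { Get-GroupMemberRecursive -GroupDN $dn }
$report | Sort-Object Group, Member | Format-Table Group, Member, Class, Via -AutoSize
```

Accounts that appear under Domain Admins but are not Exchange administrators are the ones to move into a more granular, delegated permission model.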

Configure Additional Software


Before you install any additional software, ensure that Microsoft certifies it for use with Exchange Server 2010. Some of the additional software you might want to install or configure includes:
• Antivirus software. Antivirus software can be used with the Edge Transport server and internal servers. You can install ForeFront Protection for Exchange Servers on Exchange Server 2010, or deploy and configure third-party antivirus solutions.
• Anti-spam software. Anti-spam software can significantly reduce unsolicited commercial e-mail messages that your users receive, and have to manage. Exchange Server 2010 provides anti-spam features on the Edge Transport server role and the Hub Transport server role. Most organizations that deploy anti-spam software on Exchange Server 2010 will deploy it on the Edge Transport server, but you also can enable and configure anti-spam features on Hub Transport servers. Many organizations choose to deploy third-party anti-spam solutions.
• Backup software. To back up Exchange Server 2010 servers, you must deploy backup software that uses Volume Shadow Copy Service (VSS) to perform the backup.


• Monitoring tools and agents. One example of a monitoring tool is Microsoft System Center Operations Manager. Operations Manager allows you to proactively monitor and manage your Exchange servers by installing monitoring agents on them.

Important: There are additional tasks that you must perform for each server role. Later modules cover these tasks.


Lab B: Verifying an Exchange Server 2010 Installation

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-NYC-DC1 and the 10135A-NYC-SVR2 virtual machines are running.
   • 10135A-NYC-DC1: Domain controller in the Contoso.com domain.
   • 10135A-NYC-SVR2: Member server in the Contoso.com domain.
3. If required, connect to the virtual machines.


Lab Scenario
You have completed the installation of the first Exchange Server at Contoso Ltd. You now need to verify that the installation completed successfully. You also should ensure that the installation meets the best practices that Microsoft suggests.


Exercise 1: Verifying an Exchange Server 2010 Installation


The main tasks for this exercise are as follows:
1. View the Exchange Server services.
2. View the Exchange Server folders.
3. Create a new user, and send a test message.
4. Run the Exchange Server Best Practices Analyzer Tool.

Task 1: View the Exchange Server services


1. Open the Services console.
2. Review the status for each Exchange Server service.

Task 2: View the Exchange Server folders


Using Windows Explorer, browse to C:\Program Files\Microsoft\Exchange Server\v14. This list of folders includes ClientAccess, Mailbox, and TransportRoles. The three roles were installed as part of the typical setup.

Task 3: Create a new user, and send a test message


1. Open the Exchange Management Console.
2. Under Recipient Configuration, create a new mailbox with a new user account named TestUser and a password of Pa$$w0rd.
3. Using Internet Explorer, open https://NYC-SVR2/owa.
4. Log on as TestUser, and send a message to Administrator.
5. Log on to Outlook Web App as Administrator, and verify that the message was delivered.


Task 4: Run the Exchange Server Best Practices Analyzer tool


1. Start the Exchange Server Best Practices Analyzer.
2. Run a Health Check scan with a name of Post-Installation Test. Scan only NYC-SVR2.
3. Review the information in the Exchange Server Best Practices Analyzer report.

Results: After this exercise, you should have verified that the Exchange Server 2010 server installation completed successfully.

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for 10135A-VAN-DC1 to start, and then start 10135A-VAN-EX1. Connect to the virtual machine.
7. Wait for 10135A-VAN-EX1 to start, and then start 10135A-VAN-EX3. Connect to the virtual machine.


Module Review and Takeaways

Review Questions
1. The installation of Exchange Server 2010 fails. What information sources can you use to troubleshoot the issue?

2. What factors should you consider while purchasing new servers for your Exchange Server 2010 deployment?

3. How would the deployment of additional Exchange Server 2010 servers vary from the deployment of the first server?


Common Issues Related to Installing Exchange Server 2010


Identify the causes for the following common issues related to installing Exchange Server 2010 and explain the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue: You start the Exchange installation and get an error message stating that you do not have sufficient permissions.
Troubleshooting tip:
• Verify that you are logged on to the domain.
• Verify the account has sufficient permissions.

Issue: You start the Exchange installation and the prerequisite check fails.
Troubleshooting tip:
• Verify that the server meets the software requirements.

Issue: You run setup with the /PrepareAD parameter and receive an error message.
Troubleshooting tip:
• Ensure that you are running setup in the same Active Directory site as the schema master domain controller.

Real-World Issues and Scenarios


1. An organization has a main office and multiple smaller branch offices. What criteria would you use to decide whether to install an Exchange server in a branch office? What additional factors should you consider if you decide to deploy an Exchange server in the branch office?

2. An organization has deployed Active Directory directory services within two different forests. What issues will this organization experience when they deploy Exchange Server 2010?

3. An organization is planning to deploy Exchange Server 2010 servers as virtual machines running on Hyper-V in Windows Server 2008 R2. What factors should the organization consider in their planning?


Best Practices for Deploying Exchange Server 2010


Supplement or modify the following best practices for your own work situations:
• Plan the hardware specifications for your Exchange Server 2010 servers to allow for growth. In most organizations, the amount of e-mail traffic and the size of the user mailboxes are growing rapidly.
• Consider deploying at least two Exchange Server 2010 servers. With two servers, you can provide complete redundancy for the core Exchange server roles.
• When deploying multiple Exchange servers with dedicated server roles for each server, deploy the server roles in the following order:
   a. Client Access server
   b. Hub Transport server
   c. Mailbox server
   d. Unified Messaging server
• You can deploy the Edge Transport server at any time, but it does not integrate automatically with your organization until you deploy a Hub Transport server.


Module 2
Configuring Mailbox Servers
Contents:
Lesson 1: Overview of Exchange Server 2010 Administrative Tools   2-3
Lesson 2: Configuring Mailbox Server Roles   2-17
Lesson 3: Configuring Public Folders   2-43
Lab: Configuring Mailbox Servers   2-53


Module Overview

The Microsoft Exchange Server management tools provide a flexible environment that enables administrators to manage all sizes of Microsoft Exchange Server 2010 messaging deployments. Successful Exchange Server messaging professionals need to understand where configuration elements reside within the Exchange Management Console and the basics of the Exchange Management Shell. This module describes these management tools. This module also describes the Mailbox server role, some of the new Exchange Server 2010 features, and the most common Mailbox server role post-installation tasks. The module concludes with a discussion about public folder configuration and usage.

After completing this module, you will be able to:
• Describe the Exchange Server 2010 administrative tools.
• Configure mailbox server roles.
• Configure public folders.


Lesson 1

Overview of Exchange Server 2010 Administrative Tools

This lesson introduces you to the Exchange Management Console, Exchange Management Shell, and the Exchange Control Panel (ECP). These tools are the main interfaces that Exchange Server administrators use daily, so a detailed understanding of when and how to use each interface is vital.

After completing this lesson, you will be able to:
• Describe the Exchange Management Console.
• Describe the Exchange Management Shell and Windows PowerShell.
• Identify the benefits of using remote Windows PowerShell.


• Use Exchange Management Shell cmdlets.
• Work with the Exchange Management Shell.
• Apply Exchange Management Shell cmdlet examples.
• Describe the Exchange Control Panel.


Demonstration: What Is the Exchange Management Console?

Key Points
In this demonstration, you will review how to navigate the Exchange Management Console, and use it to manage Exchange Server. The Exchange Management Console uses the Microsoft Management Console 3.0 (MMC) paradigm of a four-pane environment. The Console Tree is a unique feature of the Exchange Management Console, and it has four main nodes: Organization Configuration, Server Configuration, Recipient Configuration, and Toolbox. These four nodes have four distinct functions.

Organization Configuration
The Organization Configuration node contains all configuration options for each Exchange server role that affects the messaging system's functionality. This node allows you to configure database management, ActiveSync policies, journal and transport rules, message-formatting options, and e-mail domain management.


Server Configuration
The Server Configuration node contains the configuration options for each Exchange server in the organization. Settings that you can manipulate include server diagnostic-logging settings, product-key management, and the per-server configuration of the Microsoft Outlook Web App.

Recipient Configuration
The Recipient Configuration node contains the configuration and creation tasks for mailboxes, distribution groups, and contacts. You also can use it to move or reconnect mailboxes.

Toolbox
The Toolbox node contains utilities and tools that you can use to monitor, troubleshoot, and manage Exchange Server. These tools include Exchange Best Practices Analyzer, Public Folder Management Console (PFMC), Message Tracking, and Database Recovery Management. You also can use the Exchange Management Console to manage both onsite and hosted Exchange Server 2010 environments, most notably the Microsoft Business Productivity Online Suite (BPOS). The Console Tree's root node also includes two tabs in the Content pane: Organizational Health and Customer Feedback. The Organizational Health tab displays a report on the overall status of the Exchange Server organization that includes information about the number of deployed databases, servers, and Client Access Licenses. Use the Customer Feedback tab to enable the Customer Experience Improvement Program and to access Exchange Server documentation.

Demonstration Steps
1. Open the Exchange Management Console.
2. Note the console's layout: Console Tree on the left, Content pane in the middle, and Actions pane on the right.
3. Notice that the Console Tree has four nodes: Organization Configuration, Server Configuration, Recipient Configuration, and Toolbox.
4. Expand each Console Tree section to view the available nodes.
5. In the Console Tree, expand Organization Configuration, click Mailbox, and then view the information available in the Content pane.


6. In the Console Tree, expand Server Configuration, click Mailbox, and then view the information in the Content pane.
7. In the Console Tree, expand Recipient Configuration, click Mailbox, and then view the information in the Content pane.

Question: Does the Exchange Management Console organization seem logical to you? Why?

Question: Does the Exchange Management Console have the same functionality as it did in previous Exchange Server versions? What is different about this version?


What Are the Exchange Management Shell and Windows PowerShell?

Key Points
The Exchange Management Shell and the Exchange Management Console run on top of the Windows PowerShell version 2.0 command-line interface. They use cmdlets, which are commands that run within Windows PowerShell. Each cmdlet completes a single administrative task, and you can combine cmdlets to perform complex administrative tasks. In Exchange Management Shell, there are approximately 700 cmdlets that perform Exchange Server management tasks, and even more non-Exchange Server cmdlets that are part of the basic Windows PowerShell shell. Exchange Management Shell is more than just a command-line interface that you can use to manage Exchange Server 2010. Exchange Management Shell is a complete management shell that offers a complex and extensible scripting engine that has sophisticated looping functions, variables, and other programmatic features so that you can create powerful administrative scripts quickly.


The Benefits of Remote Windows PowerShell

Key Points
Exchange Server 2010 builds on the success of Microsoft Exchange Server 2007's usage of Windows PowerShell 1.0 by leveraging the remote Windows PowerShell functionality within Windows PowerShell 2.0. By using the remote Windows PowerShell feature, Exchange Server 2010 includes many new features.


New Features in Exchange Server 2010


Exchange Server 2010 contains the following new features:
• Role Based Access Control (RBAC). RBAC enables you to assign granular permissions to administrators, and more closely align the roles that you assign users and administrators to the actual roles they hold within your organization. In Exchange Server 2007, the server-permissions model applied only to the administrators that managed the Exchange Server 2007 infrastructure. However, RBAC now controls both the administrative tasks that you can perform and the extent to which users can perform their own administrative tasks. RBAC controls who can access what, and where, through management roles, assignments, and scopes. Using remote Windows PowerShell allows you to run the cmdlets on the server while controlling how they execute.
• Client/server management model. All cmdlets run remotely from an Exchange server rather than from the management client. This allows the server to process the client requests, thereby reducing their impact. Since the cmdlets run on the remote server, and not the client, you only need to install Windows PowerShell 2.0 on the management machine if you do not need the graphical user interface (GUI) tools.
• Standard protocols that allow easier management through firewalls. Remote Windows PowerShell leverages Windows Remote Management (WinRM) for connectivity through standard HTTPS connections. Since corporate firewalls often allow HTTPS by default, using Windows PowerShell requires no additional firewall configuration.

These new features enable scenarios such as simplified cross-domain management, management from workstations that do not have installed management tools, management through firewalls, and the ability to throttle resources that management tasks consume.
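The management-from-a-workstation scenario looks like this in practice. The following is an added example, not part of the course text; the server name van-ex1.contoso.com is assumed, the PowerShell virtual directory, the Microsoft.Exchange session configuration and Kerberos authentication are the Exchange Server 2010 defaults, and the example assumes the virtual directory accepts HTTPS connections.

```powershell
# Added example (not part of the course text): manage Exchange Server 2010 from
# a workstation that has only Windows PowerShell 2.0 installed, through remote
# Windows PowerShell and RBAC.
$Server = 'van-ex1.contoso.com'   # assumed Client Access server name

# The session runs on the Client Access server over WinRM (HTTPS, port 443),
# so no additional firewall rule is normally required.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
                         -ConnectionUri "https://$Server/PowerShell/" `
                         -Authentication Kerberos

# Import-PSSession creates local proxy functions for the remote cmdlets. RBAC
# decides which cmdlets and parameters this account receives; the cmdlets
# themselves execute on the server.
$module = Import-PSSession $session -DisableNameChecking

$exported = @(Get-Command -Module $module.Name)
Write-Host ('RBAC exposed {0} cmdlets to {1}' -f $exported.Count, $env:USERNAME)

# A cmdlet the account is not permitted to run is simply not imported, so test
# for it rather than assuming it exists.
if (Get-Command Get-Mailbox -Module $module.Name -ErrorAction SilentlyContinue) {
    Get-Mailbox -ResultSize 5 | Format-Table Name, Database, ServerName -AutoSize
}
else {
    Write-Warning 'Get-Mailbox is not available to this account under RBAC.'
}

# Always release the remote session when finished.
Remove-PSSession $session
```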


Exchange Management Shell Cmdlets

Key Points
All shell cmdlets present as verb-noun pairs. A hyphen (-) without spaces separates the verb-noun pair, and the cmdlet nouns are always singular. Verbs refer to the action that the cmdlet takes. Nouns refer to the object on which the cmdlet takes action. For example, in the Get-User cmdlet, the verb is Get, and the noun is User. All cmdlets that manage a particular feature share the same noun. For detailed information about using cmdlets, refer to the CD content.

Using Cmdlets Together


Pipelining is the process of using multiple cmdlets simultaneously to gather information, which you then can pass to other cmdlets for additional processing. Pipelining allows you to chain one cmdlet to another so that the previous cmdlet's results act as input to the next cmdlet. To pipeline information from one cmdlet to another, specify the pipe character between the cmdlets. The pipe character is a vertical bar (|). You can pipeline more than two cmdlets. In fact, you can use as many as necessary to achieve the results you desire.


Demonstration: Working with the Exchange Management Shell

Key Points
In this demonstration, you will review how to create a mailbox, and how to use Windows PowerShell scripting and pipelining to change the address on multiple mailboxes. The instructor also will describe basic cmdlet aliases.

Demonstration Steps
The instructor will run the following cmdlets:

    Get-Mailbox
    Get-Mailbox | Format-List
    Get-Mailbox | fl
    Get-Mailbox | Format-Table
    Get-Mailbox | ft Name, Database, IssueWarningQuota
    Get-Help New-Mailbox
    Get-Help New-Mailbox -Detailed
    Get-Help New-Mailbox -Examples
    $Temp = "Text"
    $Temp
    $password = Read-Host "Enter password" -AsSecureString
    New-Mailbox -UserPrincipalName chris@contoso.com -Alias Chris -Database "Mailbox Database 1" -Name ChrisAshton -OrganizationalUnit Users -Password $password -FirstName Chris -LastName Ashton -DisplayName "Chris Ashton" -ResetPasswordOnNextLogon $true

Note: Assign a password to a new user by specifying the Read-Host cmdlet with the -AsSecureString switch, because passwords cannot be stored as simple strings.


Exchange Management Shell Examples

Key Points
One of the best ways to become proficient with Windows PowerShell is to review cmdlets that administrators use the most often. The following example retrieves a list of all the users, filters only users that are located in the Sales organizational unit (OU), and then mail-enables the users:
Get-User | Where-Object {$_.distinguishedname -ilike "*ou=sales,dc=contoso,dc=com"} | Enable-Mailbox -database "Mailbox Database 1"

The following example returns all members in the RemoteUsers distribution group, and then sets the MaxReceiveSize on each of the members' mailboxes:
Get-DistributionGroup "RemoteUsers" | Get-DistributionGroupMember | Set-Mailbox -MaxReceiveSize 10MB


The following example retrieves a list of all mailboxes on VAN-EX1, and then moves these mailboxes to Mailbox Store 2:
Get-Mailbox -Server VAN-EX1 | New-MoveRequest -Local -TargetDatabase "Mailbox Store 2"

The following example removes all messages from addresses that start with the word Tom from the message queue:
Get-Message -Filter {FromAddress -like "Tom*" } | Remove-Message

The following example returns the status of all mailbox copies from the local server:
Get-MailboxDatabaseCopyStatus
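The pipelines above change many objects in one command, so it pays to preview the change first. The following is an added example, not part of the course text, that applies the pipelining technique from this lesson with a -WhatIf dry run and a saved record of the result; it assumes a Sales OU in contoso.com, a warning quota of 2 GB chosen for the example, and the report path C:\Reports.

```powershell
# Added example (not part of the course text): preview, apply and record a
# bulk quota change built from the same Get-*/Where-Object/Set-* pipeline
# pattern used in the examples above.
$OuFilter     = '*ou=sales,dc=contoso,dc=com'   # assumed OU
$WarningQuota = 2GB                              # value chosen for the example
$ReportPath   = 'C:\Reports\SalesQuota.csv'      # assumed report location

# Step 1: gather the mailboxes once and keep the list, so the preview, the
# change and the report all operate on exactly the same set of objects.
$targets = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.DistinguishedName -ilike $OuFilter }
Write-Host ('{0} mailboxes match {1}' -f @($targets).Count, $OuFilter)

# Step 2: dry run. With -WhatIf, Set-Mailbox prints what it would do to each
# mailbox and changes nothing.
$targets | Set-Mailbox -IssueWarningQuota $WarningQuota `
                       -UseDatabaseQuotaDefaults $false -WhatIf

# Step 3: apply only after the preview has been reviewed.
$answer = Read-Host 'Apply the change shown above? (Y/N)'
if ($answer -eq 'Y') {
    $targets | Set-Mailbox -IssueWarningQuota $WarningQuota `
                           -UseDatabaseQuotaDefaults $false

    # Step 4: re-read the mailboxes and save a record of the resulting settings.
    $targets | ForEach-Object { Get-Mailbox -Identity $_.Identity } |
        Select-Object Name, Alias, Database, IssueWarningQuota, ProhibitSendQuota |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Report written to $ReportPath"
}
else {
    Write-Host 'No changes made.'
}
```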


Introducing the Exchange Control Panel

Key Points
The ECP is a new feature in Exchange Server 2010. It enables end users and Exchange Server specialists to manage many aspects of the messaging environment from a secure Web page, including inbox rules, public groups, account information, call-answering rules, and retention policies. You can assign permissions to ECP users by assigning and customizing one of the preconfigured RBAC groups. The ECP runs on the Client Access servers, and you access it from the Options menu in Outlook Web App.


Lesson 2

Configuring Mailbox Server Roles

This lesson describes how to configure the Mailbox server after you install it. Since the Mailbox server stores all of the mailbox and public folder data, it is a critical component in an Exchange Server messaging system. You also will learn about databases, database storage considerations, and managing the number and size of databases.

After completing this lesson, you will be able to:
• Describe your initial mailbox configuration tasks.
• Configure the Mailbox server role.
• Describe mailbox and public folder databases.
• Describe database file types.
• Describe the process for updating mailbox databases.
• Configure database options.


• Identify Exchange Server 2010 storage improvements.
• Describe your database storage options.
• Describe direct attached storage.
• Describe storage area networks.
• Manage mailbox size limits.
• Identify the criteria to consider when implementing databases.


Initial Mailbox Configuration Tasks

Key Points
Complete the following steps after deploying the Mailbox server role:
• Secure the server. Before deploying mailboxes on the Mailbox server role, you should secure the server, which includes configuring permissions at the organizational and server levels. This reduces the Exchange Server's attack surface.
• Create and configure databases. Exchange Server 2010 uses mailbox databases or public folder databases to store messages. As a result, before creating mailboxes on the server, you need to create the required databases.


• Configure public folders. Although recent Exchange Server versions deemphasize the role of public folders, Microsoft continues to support public folders fully, and you must configure them if you have Outlook 2003 or earlier clients. However, if you are using Office Outlook 2007 or later clients, public folders are not required to support offline address-book distribution or calendar information. During the installation of the first Exchange Server 2010 into a new Active Directory Domain Services (AD DS) or Active Directory directory service forest, you have the option to support older Office Outlook and Entourage clients. Exchange Server creates a public folder database if you choose this option. You also can create public folders after installation if you do not configure them during setup.
• Configure recipients, including resource mailboxes. The Mailbox server role manages all user mailboxes, so deploying the Mailbox server role includes configuring recipients.
• Configure the offline address book. Outlook 2007 (and higher) clients support retrieving offline address books with HTTP, rather than only with public folders, as in previous Office Outlook versions.

Demonstration: How to Configure Mailbox Server Role Configuration Options

Key Points
In this demonstration, you will review how to configure the Mailbox server role with the Exchange Management Console.

Demonstration Steps
1. Open the Exchange Management Console.
2. In the Console Tree, expand Server Configuration, and then click Mailbox.
3. Note the available options in the Actions pane: Manage Diagnostic Logging Properties, Enter Product Key, and Properties.
4. View the properties of the server and review the options on the General, System Settings, Messaging Records Management, and Customer Feedback Options tabs.
5. View the Manage Diagnostic Logging options.

Question: What additional tasks do you need to perform on the Mailbox server role after the Exchange Server 2010 installation occurs?

What Are Mailbox and Public Folder Databases?

Key Points
To manage Mailbox servers properly, you need to know how they store mailbox and public folder contents. Exchange Server 2010 stores mailbox and public folder contents in databases, which enhances performance and reduces storage utilization. Mailbox servers can maintain mailbox databases and public folder databases, and each database consists of a single rich-text database (.edb) file. Exchange Server 2010 mailbox servers store all messages in this database regardless of which type of client sends or reads the messages. Mailbox databases store the messages for mailbox-enabled users. Users cannot have a mailbox without a mailbox database. Public folder databases store the contents of public folders. Unlike previous Exchange Server versions that required unique database names only within a storage group, Exchange Server 2010 requires unique database names across the entire Exchange Server organization.

In Exchange Server 2010, each database has a single set of transaction logs, which store database changes. Database changes include all messages sent to or from the database. Transaction logs are an essential part of disaster recovery if you need to restore a mailbox or public folder database. By default, all databases and transaction logs are stored in one folder within the Exchange Server directory (C:\Program Files\Microsoft\Exchange Server\v14\Mailbox). Each database has its own folder.

Although Exchange Server 2010 does not require separating databases and transaction logs, given the appropriate redundancy, performing this separation increases recoverability. You should consider it if your organization does not employ other availability options. If the disk storing a database fails, you need the transaction logs to recover activity since your last backup. If the transaction logs are lost along with the database, you can recover only to the point of your last backup.

The Exchange Server 2010 database schema was changed significantly to improve its performance over previous Exchange Server versions. The new database schema now performs larger and more sequential input/output (I/O) transactions, optimizes performance on lower-end disk systems, and reduces the database maintenance that you must perform. These improvements were accomplished by removing single-instance storage and increasing the page size from 8 kilobytes (KB) to 32 KB.

In Microsoft Exchange 2000 Server and Exchange Server 2003, there was an option to create multiple databases and have them share a set of transaction logs. This was called a storage group. In Exchange Server 2007, having multiple databases in a storage group was available only for databases that did not have high availability features enabled. In Exchange Server 2010, there is no option to have multiple databases share a single set of transaction logs.

What Are the Database File Types?

Key Points
A database consists of a collection of file types, each of which performs a different function.

• <Log Prefix>.chk. This checkpoint file records which transactions from the transaction log files have already been written to the database, so Exchange Server knows which log entries still require processing. Each database's log prefix determines its checkpoint file name. For example, the checkpoint file name for a database with prefix E00 would be E00.chk. This checkpoint file is several kilobytes in size, and does not grow.
• <Log Prefix>.log. This is the database's current transaction log file. An example is E00.log. The maximum amount of data storage for this file is 1 megabyte (MB). When this file reaches its maximum storage of 1 MB, Exchange Server renames it and creates a new current transaction log.
• <Log Prefix>xxxxxxxx.log. Exchange Server renames and files this transaction log file. Log files use sequential hexadecimal names. For example, the first log file for the first database on a server would be E0000000001.log. Each transaction log file is always 1 MB.

• <Log Prefix>res00001.jrs and <Log Prefix>res00002.jrs. These are the reserved transaction logs for the database. Exchange Server 2010 uses these only as emergency storage when the disk becomes full and it can write no new transactions to disk. An example is E00res00001.jrs. When Exchange Server 2010 runs out of disk space, it writes the current transaction to disk, and then dismounts the database. The reserved transaction logs ensure minimal loss of data that is in transit to the database. The reserved transaction logs always are 1 MB each.
• Tmp.edb. This temporary workspace is for processing transactions. Exchange Server 2010 deletes the contents of this file when it dismounts the database or when the Microsoft Exchange Information Store service stops. This file typically is a few megabytes in size.
• <Log Prefix>tmp.log. This is the transaction log file for the temporary workspace. An example is E00tmp.log. This file does not exceed 1 MB.
• <File Name>.edb. This is the rich-text database file that stores content for mailbox and public folder databases. An example is Database.edb. Each mailbox or public folder database is contained in a single file. Database files can grow very large, depending on the content that the database stores.

Mailbox Database Update Process

Key Points
The following process takes place when a Mailbox server receives a message:

1. The Mailbox server receives the message.
2. The Mailbox server writes the message to the current transaction log and memory cache simultaneously.

Note: If the current transaction log reaches 1 MB of storage, Exchange Server 2010 renames it and creates a new current transaction log.

3. The Mailbox server writes the transaction from memory cache to the appropriate database.
4. The Mailbox server updates the checkpoint file to indicate that the transaction was committed successfully to the database.
5. Clients can access and read the message in the database.
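The following Exchange Management Shell script is an added example (it is not course material) that ties the file types and the update process above to what is actually on disk. It reads the log prefix, log folder and .edb path from each mailbox database on the local Mailbox server, checks that the checkpoint file, current log and the two reserve logs exist, counts the closed (renamed) logs, and pairs that with the circular logging setting and the last full backup time. The output property names are the script's own; it assumes it runs on the Mailbox server that hosts the databases.

```powershell
# Added example (not part of the course): inventory the files that make up each
# mailbox database on this server so that the layout described above can be verified.
# Run in the Exchange Management Shell on the Mailbox server. All paths and log
# prefixes are read from the database objects; nothing is hard-coded.

$props = 'Database', 'Mounted', 'EdbFile', 'EdbSizeGB', 'LogPrefix', 'CheckpointExists',
         'CurrentLogExists', 'ReserveLogs', 'ClosedLogCount', 'ClosedLogsMB',
         'CircularLogging', 'LastFullBackup'

Get-MailboxDatabase -Server $env:COMPUTERNAME -Status | ForEach-Object {
    $db     = $_
    $prefix = $db.LogFilePrefix               # E00, E01, ... one prefix per database
    $logDir = $db.LogFolderPath.PathName      # folder that holds the transaction logs
    $edb    = $db.EdbFilePath.PathName        # the single rich-text .edb file

    # Closed (renamed) transaction logs: <prefix> + 8 hexadecimal digits + .log
    $closedLogs = @(Get-ChildItem -Path $logDir -Filter "$prefix*.log" |
                    Where-Object { $_.Name -match "^$($prefix)[0-9A-Fa-f]{8}\.log$" })

    # A database that has never been mounted has no .edb file yet.
    $edbSizeGB = if (Test-Path $edb) { [math]::Round((Get-Item $edb).Length / 1GB, 2) } else { $null }

    New-Object PSObject -Property @{
        Database         = $db.Name
        Mounted          = $db.Mounted
        EdbFile          = $edb
        EdbSizeGB        = $edbSizeGB
        LogPrefix        = $prefix
        CheckpointExists = Test-Path (Join-Path $logDir "$prefix.chk")   # <prefix>.chk
        CurrentLogExists = Test-Path (Join-Path $logDir "$prefix.log")   # <prefix>.log
        # <prefix>res00001.jrs and <prefix>res00002.jrs: expect 2
        ReserveLogs      = @(Get-ChildItem -Path $logDir -Filter "${prefix}res*.jrs").Count
        ClosedLogCount   = $closedLogs.Count                               # each one is 1 MB
        ClosedLogsMB     = [int](($closedLogs | Measure-Object -Property Length -Sum).Sum / 1MB)
        CircularLogging  = $db.CircularLoggingEnabled
        LastFullBackup   = $db.LastFullBackup
    }
} | Format-List -Property $props
```

What to read from the output: ClosedLogsMB should equal ClosedLogCount, because every closed log is exactly 1 MB. A ClosedLogCount that keeps climbing while LastFullBackup is old (or empty) means nothing is truncating the logs, which is the usual reason a log volume fills up and the database dismounts after the reserve logs are consumed; the fix is a working backup, never deleting log files by hand, because the logs are what a restore replays. A mounted database with CheckpointExists false is worth investigating before the next restart.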

Demonstration: Configuring Database Options

Key Points
Several configuration options are set at the database level. Three key management tabs contain these options: Maintenance, Limits, and Client Settings. In this demonstration, you will review these tabs, and explain how you can use them to configure your database options.

The Maintenance Tab


Use the Maintenance tab to specify a journal recipient when you are using database journaling. However, we recommend using journaling rules for journaling in Exchange Server 2010. The maintenance schedule is the period of time in which Exchange Server performs database maintenance. In Exchange Server 2010, online defragmentation occurs continually, so you use the maintenance window primarily to remove deleted items and mailboxes.

The Maintenance tab has a checkbox that you can select to keep the database from mounting at startup. You typically use this checkbox, and another that allows the database to be overwritten by a restore, during recovery or database-maintenance tasks. The checkbox for enabling circular logging sets the transaction-logging mode so that Exchange Server 2010 overwrites the transaction logs after they are committed to the database. Circular logging does not allow you to recover a database to a point in time other than when the last full backup was completed. We recommend circular logging only in test environments or in high availability configurations in which adequate redundancy negates the need for this type of recovery.

The Limits Tab


Use the Limits tab to set the maximum size for mailboxes that the database stores, and to specify the notification schedule for sending messages to users who are approaching these limits. The deletion settings specify how long the database stores deleted items and mailboxes after the user deletes them. You can use the dumpster to recover items that users have deleted and purged from their Deleted Items folder, without having to perform a restore from a backup.

The Client Settings Tab


Use the Client Settings tab to configure the default public folder, if necessary, and the default offline address book for all mailboxes in the database.

Demonstration Steps
1. Open the Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.
3. Select the Database Management tab, and then view the properties of a mailbox database.
4. View the properties on the General, Maintenance, Limits, and Client Settings tabs.
5. Run the Move Database Path Wizard to move the database files.
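The same Maintenance and Client Settings options, set from the Exchange Management Shell rather than the console, as an added example that is not part of the course. The database name Executives, the journal mailbox Journal-Exec, the public folder database PFDB01 and the 01:00 to 05:00 maintenance window are assumed values; the cmdlet and parameter names are those of Exchange Server 2010.

```powershell
# Added example (not part of the course): Maintenance and Client Settings tab
# options applied with Set-MailboxDatabase. "Executives", "Journal-Exec", "PFDB01"
# and the nightly window are assumed values.

$db = "Executives"

# Maintenance tab: journal recipient (a mailbox; journaling rules are the
# recommended alternative) and the window in which deleted items and mailboxes
# that have passed their retention period are removed. Online defragmentation
# no longer depends on this window.
$nightly = "Sun.1:00 AM-Sun.5:00 AM", "Mon.1:00 AM-Mon.5:00 AM",
           "Tue.1:00 AM-Tue.5:00 AM", "Wed.1:00 AM-Wed.5:00 AM",
           "Thu.1:00 AM-Thu.5:00 AM", "Fri.1:00 AM-Fri.5:00 AM",
           "Sat.1:00 AM-Sat.5:00 AM"
Set-MailboxDatabase -Identity $db -JournalRecipient "Journal-Exec" -MaintenanceSchedule $nightly

# Circular logging overwrites committed logs and removes the ability to roll a
# restore forward past the last full backup. Keep it off unless the database has
# enough DAG copies; for a database without copies the change takes effect only
# after a dismount and mount.
Set-MailboxDatabase -Identity $db -CircularLoggingEnabled $false

# The two recovery check boxes: do not mount at service start, and let a restore
# overwrite the files. Set them for the duration of the recovery, then revert so
# that a routine restart or restore cannot clobber a live database.
Set-MailboxDatabase -Identity $db -MountAtStartup $false -AllowFileRestore $true
# ... restore the database files here ...
Set-MailboxDatabase -Identity $db -MountAtStartup $true -AllowFileRestore $false

# Client Settings tab: default public folder database and offline address book
# for every mailbox in this database.
Set-MailboxDatabase -Identity $db -PublicFolderDatabase "PFDB01" -OfflineAddressBook "Default Offline Address Book"

# Read back the effective settings.
$props = 'Name', 'JournalRecipient', 'MaintenanceSchedule', 'CircularLoggingEnabled',
         'MountAtStartup', 'AllowFileRestore', 'PublicFolderDatabase', 'OfflineAddressBook'
Get-MailboxDatabase -Identity $db | Format-List -Property $props
```

The Limits tab values are parameters on the same cmdlet (IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota, DeletedItemRetention, MailboxRetention). Leaving AllowFileRestore set to $true after a recovery is a common oversight worth checking for with the Get-MailboxDatabase call at the end.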

Question: When would you need to move the path of the transaction logs or databases?

Question: When might you use circular logging?

Exchange Server 2010 Storage Improvements

Key Points
Exchange Server 2010 introduces several significant changes that reduce storage costs and improve performance, including changes to the database schema, the use of compression, and the change to 32 KB database pages. Additionally, further improvements minimize database fragmentation by writing data sequentially on disk, which also improves disk performance. Lastly, when you combine the reduced storage input/output (I/O) requirements with the new database high availability features, you may be able to leverage inexpensive direct-attached storage for larger Exchange Server deployments. Since the storage I/O requirements are lower in Exchange Server 2010, more storage options are available. Still, you should ensure that your storage method meets the business and technical requirements for the Exchange Server deployment. Tools such as Load Simulator and JetStress are available to approximate usage patterns, and you can use these tools to test various hardware configurations in your environment.

Options for Database Storage

Key Points
Exchange Server 2010 now supports several disk storage options, including Serial Advanced Technology Attachment (SATA), Solid-state disk (SSD), and Serial Attached small computer system interface (SCSI), or SAS. When selecting which storage solution to use, the goal is to ensure that the storage will provide the performance that your environment requires.

JBOD (Just a Bunch Of Disks)


JBOD is a collection of disks that have no redundancy or fault tolerance. Usually, JBOD solutions are lower cost than solutions that use redundant array of independent disks (RAID). JBOD adds fault tolerance by using multiple copies of the databases on separate disks.

RAID
RAID increases disk-access performance and fault tolerance. The most common RAID options are:

• RAID 0 (striping). Increases read and write performance by spreading data across multiple disks. However, it offers no fault tolerance. Performance increases as you add more disks. You add fault tolerance by using multiple copies of the databases on separate RAID sets.
• RAID 1 (mirroring). Increases fault tolerance by placing redundant copies of data on two disks. Read performance is faster than a single disk, but write performance is slower than RAID 0. Half of the disks are used for data redundancy.
• RAID 5 (striping with parity). Increases fault tolerance by spreading data and parity information across three or more disks. If one disk fails, the missing data is calculated based on the remaining disks. Read and write performance for RAID 5 is slower than RAID 0. At most, only one third of the disks are used to store parity information.
• RAID 0+1 (mirrored striped sets). Increases fault tolerance by mirroring two RAID 0 sets. This provides very fast read and write performance, and excellent fault tolerance.
• RAID 6 (striping with double parity). Increases fault tolerance by spreading data and parity information across four or more disks. If up to two disks fail, RAID 6 calculates the missing data based on data and parity information stored on the remaining disks. Read and write performance for RAID 6 typically is slower than RAID 0, and RAID 6 does not have a read penalty. The main benefit of RAID 6 is the ability to rebuild missing data if you have two failures per RAID group, and to reduce the impact of rebuilding the RAID set when a disk fails.
• RAID 1+0 or RAID 10 (mirrored sets in a striped set). Provides fault tolerance and improved performance, but increases complexity. The difference between RAID 0+1 and RAID 1+0 is that RAID 1+0 creates a striped set from a series of mirrored drives. In a failed disk situation, RAID 1+0 performs better and is more fault tolerant than RAID 0+1.

Data Storage Options: Direct Attached Storage

Key Points
Direct attached storage is any disk system that connects physically to your server. This includes hard disks inside the server or those that connect by using an external enclosure. Some external enclosures include hardware-based RAID. For example, external disk enclosures can combine multiple disks in a RAID 5 set that appears to the server as a single large disk. In general, direct attached storage provides good performance, but it provides limited scalability because of the unit's physical size. You must manage direct attached storage on a per-server basis. Exchange Server 2010 performs well with the scalability and performance characteristics of direct attached storage.

Direct attached storage provides the following benefits:

• Lower cost Exchange Server solution. Direct attached storage usually provides a substantially lower purchase cost than other technologies.
• Easy implementation. Direct attached storage typically is easy to manage, and requires very little training.
• Distributed failure points. Each Exchange server has separate disk systems, so the failure of a single system does not affect the entire Exchange messaging system negatively, assuming that you configure your Exchange servers for high availability.

Data Storage Options: Storage Area Networks

Key Points
A storage area network (SAN) is a network dedicated to providing servers with access to storage devices. A SAN provides advanced storage and management capabilities, such as data snapshots, and high performance. SANs use either Fibre Channel switching or Internet SCSI (iSCSI) to provide fast and reliable connectivity between storage and applications. Fibre Channel switching or iSCSI allows many servers to connect to a single SAN. Fibre Channel is a standard SAN architecture that runs on fiber optic cabling. Because Fibre Channel is specifically for SANs, it is the fastest architecture available, and most SANs use it. SANs are complex and require specialized knowledge to design, operate, and maintain. Most SANs also are more expensive than direct attached storage.

SANs provide the following benefits:

• A large RAM cache that keeps disk access from becoming a bottleneck. The reduced I/O requirements of Exchange Server 2010 make it more likely that an iSCSI-based SAN will meet your requirements in small and medium-sized deployments. However, you should test all hardware configurations thoroughly before deployment to ensure that they meet your organization's required performance characteristics.
• Highly scalable storage solutions. Messaging systems are growing continually, and require larger storage over time. As your needs expand, a SAN allows you to add disks to your storage. Most SANs incorporate storage virtualization, which allows you to add disks and allocate the new disks to your Exchange server.
• Multiple servers attached to a single SAN. If you use a SAN, you can connect multiple computers running Exchange Server, and then divide the storage among them.
• Enhanced backup, recovery, and availability. SANs use volume mirroring and snapshot backups. Because SANs allow multiple connections, you can connect high performance back-up devices to the SAN. SANs also allow you to designate different RAID levels to different storage partitions.

For cost-conscious SAN implementations, iSCSI may be a viable option. An iSCSI network encapsulates SCSI commands in TCP/IP packets over standard Ethernet cabling and switches. You should implement this technology only on dedicated storage networks that are 1 gigabit per second (Gbps) or faster.

Demonstration: How to Manage Mailbox Size Limits

Key Points
In this demonstration, you will review how to use the Exchange Management Console to configure storage quotas, and how to use the Exchange Management Shell to configure storage quotas in bulk or simultaneously. You can enforce size limits either on a specific mailbox or on a database, which applies the settings on all mailboxes in the database, by default. The three options available to set a limit on mailboxes and on the database are:

• Issue warning at (KB). When a mailbox reaches the size you specify, at a predetermined schedule (daily by default), mailbox-enabled users receive a message indicating that their mailboxes have become too large.
• Prohibit send at (KB). When a mailbox reaches the size you specify, the user no longer can send messages and receives a warning message that the mailbox is too large. The mailbox can still receive messages.

• Prohibit send and receive at (KB). When a mailbox reaches the size you specify, the user can no longer send or receive messages, and receives a warning message that the mailbox is too large. If the organization uses a Unified Messaging server, prohibiting e-mail reception can result in lost e-mail messages, voice-mail messages, and faxes. Most organizations elect not to use this option.

You also can use mailbox database defaults to set limits on the database. Exchange Server 2010 enables this by default, and if you use it, the mailbox inherits any settings that you assign to the database that stores the mailbox. Deleted item retention settings work similarly to size limits in that you can assign them either on the mailbox or database. By default, all mailboxes also inherit deleted item retention from the database.

Demonstration Steps
1. Open the Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and click Mailbox.
3. Right-click a user mailbox, and click Properties.
4. Click the Mailbox Settings tab, and double-click Storage Quotas.
5. Unselect Use mailbox database defaults, and modify the value for Prohibit send and receive at (MB).
6. Open Exchange Management Shell.
7. Configure the database limits with the Get-MailboxDatabase cmdlet.
8. Configure just the user mailboxes that are contained in the Marketing department with the Get-Mailbox cmdlet.
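The shell part of the demonstration, as an added example that is not course material: database-level defaults, a bulk override for the Marketing department, and a report of which mailboxes have already hit a limit. The database name DB01, the quota values and the Department value Marketing are assumed; the example also assumes the Department attribute is populated on the user accounts, since the filter relies on it. The function name Get-MarketingQuotaReport is the example's own.

```powershell
# Added example (not part of the course): storage quotas from the Exchange
# Management Shell: database defaults, a bulk per-mailbox override for one
# department, and a report of mailboxes that are already warned or blocked.
# "DB01", the quota values and the Department value "Marketing" are assumed.

# 1. Database defaults, inherited by every mailbox that keeps
#    "Use mailbox database defaults" selected (the default). Receive is left open
#    so that mail, voice mail and faxes are not lost when a mailbox is full.
Set-MailboxDatabase -Identity "DB01" `
    -IssueWarningQuota 1900MB `
    -ProhibitSendQuota 2GB `
    -ProhibitSendReceiveQuota Unlimited `
    -DeletedItemRetention 14.00:00:00

# 2. Per-mailbox override for the Marketing department only. The values take
#    effect only once UseDatabaseQuotaDefaults is $false; deleted item retention
#    has the equivalent UseDatabaseRetentionDefaults switch.
Get-Mailbox -ResultSize Unlimited -Filter { Department -eq 'Marketing' } |
    Set-Mailbox -UseDatabaseQuotaDefaults $false `
                -IssueWarningQuota 900MB `
                -ProhibitSendQuota 1GB `
                -ProhibitSendReceiveQuota Unlimited `
                -UseDatabaseRetentionDefaults $false `
                -RetainDeletedItemsFor 30.00:00:00

# 3. Report: which Marketing mailboxes are already at a limit? StorageLimitStatus
#    is one of BelowLimit, IssueWarning, ProhibitSend, MailboxDisabled, NoChecking.
#    Run this before tightening limits so that you know who will be blocked.
function Get-MarketingQuotaReport {
    Get-Mailbox -ResultSize Unlimited -Filter { Department -eq 'Marketing' } |
        Get-MailboxStatistics |
        Where-Object { 'IssueWarning', 'ProhibitSend', 'MailboxDisabled' -contains $_.StorageLimitStatus } |
        Sort-Object TotalItemSize -Descending |
        Select-Object DisplayName, StorageLimitStatus, TotalItemSize, ItemCount
}
Get-MarketingQuotaReport | Format-Table -AutoSize
```

The warning message schedule referred to above is the database's QuotaNotificationSchedule parameter on Set-MailboxDatabase; the per-mailbox override in step 2 changes only the thresholds, not when the warnings go out.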

Discussion: Considerations for Implementing Databases

Key Points
It is important to plan properly for any changes you want to make in the Exchange Server environment. When considering which sort of storage to use for new databases, note the following:

• Give each set of transaction logs its own hard disk. You likely will achieve the best performance when transaction logs do not share disks with any other data. However, if you do not require high performance, and there are enough copies of the data, you may not require this.
• Use RAID 5 to enhance performance and fault tolerance for databases. RAID 5 increases read and write performance for random disk access and fault tolerance.
• Use RAID 1 to provide fault tolerance for transaction logs. RAID 1 keeps two complete copies of transaction logs for fault tolerance, and it provides good write performance for data that is written serially.

• Use a SAN, which provides excellent scalability and manageability for storage in large Exchange Server organizations. A Fibre Channel SAN provides the best performance, but this high level of performance may be more than you need to support your organization's requirements. SANs also add considerable cost and complexity.
• Use the prohibit send at storage limit to manage storage growth. This storage limit forces users to address the size of their mailbox before sending additional messages. Halting message reception is risky, because important business data might get lost. However, a warning may not be enough encouragement for users to lower their mailbox size.

Question: What should you consider when naming databases?

Question: When would you want or need to create multiple databases?

Question: Why would you want to reduce the number of databases?

Question: What should you consider when planning to build additional Mailbox servers?

Lesson 3

Configuring Public Folders

This lesson covers public folders, and details how you can configure them. Although public folders have been deemphasized since Exchange Server 2007, they remain a useful feature of Exchange Server 2010. It is essential to understand when to use public folders and how to configure them properly. After completing this lesson, you will be able to:

• Describe public folders.
• Configure public folder replication.
• Describe how clients access public folders.
• Configure public folders.
• Identify when to use SharePoint instead of public folders.

What Are Public Folders?

Key Points
A public folder is a repository for different information types, such as e-mail messages, text documents, and multimedia files. A public folder database stores public folder contents, which you can share with Exchange Server organization users. Organizations typically use public folders as:

• A location to store contacts for the entire organization.
• Centralized calendars for tracking events.
• Discussion groups.
• A location in which to receive and store messages for a workgroup, such as the Help desk.
• A storage location for custom applications.

Additionally, system public folders support legacy Office Outlook versions for free/busy information, custom forms, and offline address books. One alternative to public folders is Windows SharePoint Services, which is a Web-based platform that stores data centrally for the enterprise, workgroups, and individuals. You can create multiple SharePoint sites for specific tasks, including:

• Team collaboration
• Project management
• Help-desk management
• Expense reimbursement
• Vacation scheduling

For collaboration, Windows SharePoint Services goes beyond the capabilities that public folders offer. Some of the features that a SharePoint site offers are:

• Document collaboration, including checking in, checking out, and version control. This feature allows you to track changes to documents and prevent team members from editing multiple versions of a single document.
• Alerts sent out when content changes. Alerts enable you to monitor content and act when that content changes. For example, a project team could be alerted automatically when the project schedule changes.
• Extensibility by developers for building applications. In some cases, you can use public folders to manage application data, but SharePoint sites can perform many of the same tasks.

One area in which SharePoint services does not provide similar functionality to Exchange Server is in the ability to perform multimaster replication. Because Windows SharePoint Services is tied to Microsoft SQL Server, only one writable copy of the data is available at a time, whereas public folders can have multiple readable and writable copies of a public folder available around the globe. The next topic details public folder replication.

Configuring Public Folder Replication

Key Points
Public folder content replication is an e-mail-based process for copying public folder content between computers running Exchange Server. When you modify a public folder or its contents, the public folder database that contains the replica of the public folder that you change sends a descriptive e-mail message to the other public folder databases that host a replica of the public folder. To reduce network traffic, Exchange Server includes information about multiple changes in one e-mail message. If any message exceeds the specified size limit, that message is sent as a separate replication message. Exchange Server routes these replication messages the same way that it routes other e-mail messages. By default, public folder content replicates every 15 minutes, and you cannot set replication to less than every minute. Because AD DS and Active Directory store the public folder configuration objects, AD DS and Active Directory replication must be working correctly to ensure that the configuration is available to all Exchange servers. When you create a public folder, only one replica of that public folder exists within the Exchange Server organization.

Using multiple replicas allows you to place public folder content in the physical server locations where users are located. This results in faster access to public folder content and reduced communication across wide area network (WAN) links between physical locations. Public folder replication also provides fault tolerance for public folders.

Note: You also need to replicate the public folder tree.

How Clients Access Public Folders

Key Points
The public folder connection process for Messaging Application Programming Interface (MAPI)-based clients is:

1. If the public folder is located on the user account's default public folder database, Exchange Server directs the client to this database for the public folder contents.
2. If the public folder contents are not stored in the user account's default public folder database, Exchange Server redirects the client to a public folder database on a computer running Exchange Server 2010 in the local Active Directory site.
3. If no computer running Exchange Server 2010 or Exchange Server 2007 on the local Active Directory site has a copy of the public folder contents, Exchange Server redirects the client to the Active Directory site with the lowest cost site link that does have a copy of the public folder contents.

4. If there is no computer running Exchange Server 2010 or Exchange Server 2007 that has a copy of the public folder contents, Exchange Server redirects the client to a computer running Microsoft Exchange Server 2003 that has a copy of the public folder contents, using the cost assigned to the routing group connector(s). Exchange Server 2010 does not enable this by default. Rather, you must enable it with the Set-RoutingGroupConnector cmdlet.
5. If no public folder replica exists on the local Active Directory site, a remote Active Directory site, or on a computer running Exchange Server 2003, the client cannot access the contents of the requested public folder.

Note: For Outlook Web App clients to view public folders, a replica of the public folder must be available on an Exchange Server 2010 mailbox server.

Demonstration: How to Configure Public Folders

Key Points
In this demonstration, you will review how to use the PFMC, Exchange Management Shell, and Office Outlook to configure public folders. You will see how to:

• Use the PFMC to add replicas and set permissions on a public folder.
• Use Exchange Management Shell to add permissions to a public folder.
• Open Outlook, and then view the permissions for the public folder.

Demonstration Steps

Use the PFMC to add replicas and set permissions on a public folder

1. Open the Exchange Management Console.
2. Open the PFMC, and then connect to a Mailbox server.
3. Create a new public folder named Sales.
4. View the properties of the Sales public folder, and then view the options on the General, Statistics, Limits, and Replication tabs.
5. Add a replica to the Sales public folder.

Use the Exchange Management Shell to add permissions to a public folder


The instructor will run the following cmdlets:

Get-PublicFolderClientPermission \Sales
Add-PublicFolderClientPermission \Sales -AccessRights EditAllItems -User Jason

Use Outlook to view and edit public folder permissions


1. Log on to VAN-CL1 as Adatum\Administrator.
2. Open Outlook.
3. View the permissions for the Sales public folder.
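The demonstration's PFMC and shell steps, together with the replication settings from the "Configuring Public Folder Replication" topic, carried out entirely in the Exchange Management Shell as an added example (not course material). VAN-EX1 and VAN-EX3 are the lab's Mailbox servers and Jason is the user from the demonstration; the public folder database names PFDB-EX1 and PFDB-EX3 are assumed, as is the choice to lower the Default entry to Reviewer.

```powershell
# Added example (not part of the course): create the Sales public folder, give it
# a second replica, push replication, and set permissions from the Exchange
# Management Shell. VAN-EX1 and VAN-EX3 are the lab servers; the public folder
# database names PFDB-EX1 and PFDB-EX3 are assumed.

# 1. Create the folder at the root. Its first (only) replica is the public
#    folder database of the server named here.
New-PublicFolder -Name "Sales" -Path "\" -Server VAN-EX1

# 2. Add a replica on the second server. -Replicas is the complete list, so the
#    existing replica must be repeated or it is removed.
Set-PublicFolder -Identity "\Sales" -Replicas "PFDB-EX1", "PFDB-EX3"

# 3. Replication is e-mail based and runs every 15 minutes by default. The
#    interval (minutes, never below 1) and the size at which changes are split
#    into separate replication messages are properties of the public folder database.
Set-PublicFolderDatabase -Identity "PFDB-EX1" -ReplicationPeriod 15 -ReplicationMessageSize 300KB

# 4. Do not wait for the schedule: replicate the folder tree (hierarchy) first,
#    then the content of this folder, to the new replica.
Update-PublicFolderHierarchy -Server VAN-EX3
Update-PublicFolder -Identity "\Sales" -Server VAN-EX3

# 5. Confirm the replica list and that content has arrived on VAN-EX3.
Get-PublicFolder -Identity "\Sales" | Format-List Name, Replicas
Get-PublicFolderStatistics -Identity "\Sales" -Server VAN-EX3 |
    Format-Table Name, ItemCount, TotalItemSize, LastModificationTime -AutoSize

# 6. Permissions: list what is in place, then grant Jason the EditAllItems right.
#    The Default entry (every authenticated user) is Author on a new folder, so
#    everyone can create items and edit their own; lower it to Reviewer when the
#    folder should be read-only for most staff. Remove requires the current right.
Get-PublicFolderClientPermission -Identity "\Sales" | Format-Table User, AccessRights -AutoSize
Add-PublicFolderClientPermission -Identity "\Sales" -User Jason -AccessRights EditAllItems
Remove-PublicFolderClientPermission -Identity "\Sales" -User Default -AccessRights Author -Confirm:$false
Add-PublicFolderClientPermission -Identity "\Sales" -User Default -AccessRights Reviewer
Get-PublicFolderClientPermission -Identity "\Sales" | Format-Table User, AccessRights -AutoSize
```

Because replication messages are routed like any other mail, a stuck transport queue between the two servers shows up as a replica that never catches up; the Get-PublicFolderStatistics call against VAN-EX3 is the quickest way to tell whether the content arrived before looking at the queues.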

When to Use SharePoint Instead of Public Folders

Key Points
Exchange Server 2010 fully supports public folders. However, there are several reasons that another complementary technology may be a better solution:

• You need to move custom applications that use Exchange Server event sinks or organizational forms to a supported platform, such as SharePoint, by using the InfoPath information-gathering program.
• If you are using public folders to share documents, consider moving these documents to SharePoint for additional features, such as versioning and file locking.
• Depending on its scope, a new Exchange Server deployment that includes calendar sharing, contact sharing, discussion forums, or distribution group archives, can use Exchange Server public folders or SharePoint.
• Additionally, when deploying new custom applications, use Exchange Web Services and/or SharePoint, depending on the application's scope.

Question: For what does your company currently use public folders and SharePoint?


Lab: Configuring Mailbox Servers

Lab Setup
Important: If required, start the 10135A-VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX3 virtual machines are running.
   - 10135A-VAN-DC1: Domain controller in the Adatum.com domain
   - 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
   - 10135A-VAN-EX3: Exchange 2010 server in the Adatum.com domain
3. If required, connect to the virtual machines. Log on to the computers as Adatum\Administrator, using the password Pa$$w0rd.

Lab Scenario
You are a new messaging administrator at A. Datum Corporation, and your manager has left instructions indicating that you need to create and configure a database for the executive group, and then move the existing database for the accounting group to a new location. You also need to add a public folder database, and then replicate data to it.


Exercise 1: Configuring Mailbox Databases

Scenario
You must configure the Executive database so that a mailbox cannot send or receive messages after its size reaches 1,024 MB. Additionally, you should ensure that a warning is sent to users if their mailbox reaches 850 MB.
The main tasks for this exercise are:
1. Create a new database for the Executive mailboxes.
2. Configure the Executive mailbox database with appropriate limits.
3. Move the existing Accounting database to a new location.

Task 1: Create a new database for the Executive mailboxes
1. On VAN-EX1, open the Exchange Management Console.
2. Create a new database named Executive on VAN-EX1.
3. Store database files in C:\Mailbox\Executive.
4. Store log files in C:\Mailbox\Executive.

Task 2: Configure the Executive mailbox database with appropriate limits
1. Configure the limits on the Executive database:
   Prohibit send and receive: 1024000
   Issue warning: 850000


Task 3: Move the existing Accounting database to a new location
1. Move the Accounting database files.
2. Store database files in C:\Mailbox\Accounting.
3. Store log files in C:\Mailbox\Accounting.

Results: After this exercise, you should have created a new database, set the specified limits, and moved the existing Accounting database to a new folder.
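The same three tasks carried out from the Exchange Management Shell, as an added example that is not part of the course's lab (the lab itself uses the console). It assumes the lab names above (VAN-EX1, the Executive and Accounting databases, the C:\Mailbox paths) and the Task 2 limit values, which the console's limit fields take in kilobytes; the closing check for mailboxes that override the database limits is an addition of this example.

```powershell
# Added example, not the course's own lab steps: Exercise 1 from the Exchange
# Management Shell. Assumes the lab server VAN-EX1, the database names
# Executive and Accounting, and the C:\Mailbox paths from the task list.

# Task 1: create the Executive database with its files under C:\Mailbox\Executive.
# A new database is not mounted automatically.
New-MailboxDatabase -Name "Executive" -Server "VAN-EX1" `
    -EdbFilePath "C:\Mailbox\Executive\Executive.edb" `
    -LogFolderPath "C:\Mailbox\Executive"
Mount-Database -Identity "Executive"

# Task 2: the lab's limits (console fields take kilobytes). ProhibitSendQuota is
# set to the same value so the send limit never sits above the send/receive limit.
Set-MailboxDatabase -Identity "Executive" `
    -IssueWarningQuota 850000KB `
    -ProhibitSendQuota 1024000KB `
    -ProhibitSendReceiveQuota 1024000KB

# Task 3: relocate the Accounting database. Move-DatabasePath dismounts the
# database, moves the files, updates Active Directory, and remounts it, so the
# mailboxes in that database are offline while it runs.
Move-DatabasePath -Identity "Accounting" `
    -EdbFilePath "C:\Mailbox\Accounting\Accounting.edb" `
    -LogFolderPath "C:\Mailbox\Accounting" -Confirm:$false

# Verify the end state of both databases
"Executive", "Accounting" | ForEach-Object {
    Get-MailboxDatabase -Identity $_ -Status |
        Format-List Name, Mounted, EdbFilePath, LogFolderPath,
                    IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota
}

# Database limits only bind mailboxes that inherit them. List any mailbox in
# Executive that carries its own quota; that is the cause the module's
# "common issues" table names for users exceeding the database limits.
Get-Mailbox -Database "Executive" |
    Where-Object { -not $_.UseDatabaseQuotaDefaults } |
    Select-Object Name, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota
```

Run it from the Exchange Management Shell on VAN-EX1 as an account with Organization Management rights; the final query returns nothing when every mailbox in the database inherits its limits, which is the state the lab expects.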


Exercise 2: Configuring Public Folders

Scenario
Before creating a new public folder database and replicating to it, you must check the number and size of items in the Executives public folder so that you can later verify that the replication was successful.
The main tasks for this exercise are as follows:
1. Check Executives public folder statistics.
2. Create a public folder database on VAN-EX3.
3. Add a replica of the Executives public folder on VAN-EX3.
4. Verify replication between VAN-EX1 and VAN-EX3.

Task 1: Check Executives public folder statistics
1. On VAN-EX3, open the Exchange Management Console, and in the Toolbox node, open the Public Folder Management Console.
2. In the Public Folder Management Console, connect to VAN-EX1, and view the number of items and size in the Executives public folder on VAN-EX1.
   Write down Total Items: ______________________
   Write down Size (KB): ________________________

Task 2: Create a public folder database on VAN-EX3
- Create a new public folder database on VAN-EX3 named PF-VAN-EX3.
- Store database files in C:\Mailbox\PF-VAN-EX3\PF-VAN-EX3.edb.
- Store log files in C:\Mailbox\PF-VAN-EX3.

Task 3: Add a replica of the Executives public folder on VAN-EX3
- Add PF-VAN-EX3 as a replica for the Executives public folders, and then wait for replication to complete.

Note: It can take up to 15 minutes for replication to complete.


Task 4: Verify replication between VAN-EX1 and VAN-EX3
- Verify the number and size of items in the Executives public folder on VAN-EX3.

Results: After this exercise, you should have created a new public folder database on VAN-EX3 and added replicas for each public folder.
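Exercise 2 from the Exchange Management Shell, followed by the permission review from the earlier PFMC demonstration (the Get-PublicFolderClientPermission step), as one added example that is not part of the course's lab. It assumes the lab servers VAN-EX1 and VAN-EX3, the \Executives folder, the PF-VAN-EX3 database name and paths from the task list, and the lab's note that replication can take up to 15 minutes; the Update-PublicFolder call and the flags on the Default and Anonymous entries are additions of this example.

```powershell
# Added example, not course code: Exercise 2 from the shell, plus the
# permission check from the PFMC demonstration. Assumes the lab servers
# VAN-EX1 and VAN-EX3, the folder \Executives, and the database PF-VAN-EX3.

# Task 1: record the item count and size on the source server
$before = Get-PublicFolderStatistics -Identity "\Executives" -Server "VAN-EX1"
"VAN-EX1 before: {0} items, {1}" -f $before.ItemCount, $before.TotalItemSize

# Task 2: create and mount the new public folder database on VAN-EX3
New-PublicFolderDatabase -Name "PF-VAN-EX3" -Server "VAN-EX3" `
    -EdbFilePath "C:\Mailbox\PF-VAN-EX3\PF-VAN-EX3.edb" `
    -LogFolderPath "C:\Mailbox\PF-VAN-EX3"
Mount-Database -Identity "PF-VAN-EX3"

# Task 3: add the new database as a replica of \Executives and its subfolders.
# @{Add=...} appends to the multivalued Replicas list instead of replacing it,
# so the existing replica on VAN-EX1 is kept.
Get-PublicFolder -Identity "\Executives" -Recurse |
    Set-PublicFolder -Replicas @{Add = "PF-VAN-EX3"}
# Ask the VAN-EX3 copy to pull content now instead of waiting for the schedule
Update-PublicFolder -Identity "\Executives" -Server "VAN-EX3"

# Task 4: poll the new replica until its item count matches the source
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 60
    $after = Get-PublicFolderStatistics -Identity "\Executives" -Server "VAN-EX3"
    "VAN-EX3: {0} items, {1}" -f $after.ItemCount, $after.TotalItemSize
} while ($after.ItemCount -ne $before.ItemCount -and (Get-Date) -lt $deadline)

# Permission review: the client permissions replicate with the content, so an
# over-broad Default or Anonymous entry on VAN-EX1 now exists on VAN-EX3 too.
Get-PublicFolderClientPermission -Identity "\Executives" |
    ForEach-Object {
        $rights = ($_.AccessRights | ForEach-Object { $_.ToString() }) -join ","
        $user   = $_.User.ToString()
        $note   = ""
        if ($user -eq "Anonymous" -and $rights -ne "None") { $note = "<- anonymous has rights" }
        if ($user -eq "Default" -and $rights -match "Editor|Owner") { $note = "<- everyone can edit" }
        "{0,-30} {1,-40} {2}" -f $user, $rights, $note
    }
```

The poll compares item counts only; TotalItemSize can differ slightly between replicas while both hold the same items, so the count is the reliable signal that the lab's "write down" values were reproduced on VAN-EX3.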

To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.


Module Review and Takeaways

Review Questions
1. Which tools can you use to manage Exchange Server 2010?
2. What customizations can you make on mailbox databases?
3. When can you use public folders?


Common Issues Related to Designing Mailbox Databases
Identify the causes for the following common issues related to designing and implementing Exchange Server mailbox databases and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: You are planning to deploy a new Mailbox server on a different server and storage platform.
Troubleshooting tip: Use performance-testing tools, such as Exchange Load Generator or Jetstress, to ensure the Mailbox server will perform adequately.

Issue: After applying limits on each of the mailbox databases, some of the users are exceeding these limits.
Troubleshooting tip: Verify that the mailboxes are set to inherit limit settings from the database, rather than having limits set separately.

Issue: You are migrating from Exchange Server 2003, and none of the users with Exchange Server 2010 mailboxes can access legacy public folders via Outlook Web App.
Troubleshooting tip: Verify that a replica of the required public folders exists on an Exchange Server 2010 server.

Real-World Issues and Scenarios
1. Your organization needs to determine which storage solution to deploy for the new Exchange Server 2010 messaging environment. What information should you consider when selecting the hardware?
2. Your organization would like to automate creation of user mailboxes for employees based on their status in your organization's human-resources system. What can you use to perform this automation?
3. Your organization wants to reduce administrative costs. One suggestion is to give department heads and administrative assistants the necessary access to manage departmental and project-based groups. What can you use to accomplish this task?


Best Practices Related to Public Folder Deployment Planning
Supplement or modify the following best practices for your own work situations:
- Determine the public folder features that your organization needs, such as multiple-master replication.
- Determine whether other solutions, such as SharePoint or InfoPath, meet user needs better.
- Define specific age and size limits, so that public folder data does not grow uncontrolled and outdated.

Tools
Tool: Exchange Management Console
Use for: Configuring the Exchange Server organization, its servers, and its recipients
Where to find it: Start menu

Tool: Exchange Management Shell
Use for: Configuring the Exchange Server organization, its servers, and its recipients; completing bulk-management tasks
Where to find it: Start menu

Tool: Exchange Control Panel
Use for: Managing recipients
Where to find it: Outlook Web App


Module 3
Managing Recipient Objects
Contents:
Lesson 1: Managing Mailboxes 3-4
Lesson 2: Managing Other Recipients 3-25
Lesson 3: Configuring E-Mail Address Policies 3-34
Lesson 4: Configuring Address Lists 3-40
Lesson 5: Performing Bulk Recipient Management Tasks 3-49
Lab: Managing Exchange Recipients 3-53


Module Overview

In any messaging system, you need to create recipients and configure them to send and receive e-mail. As a Microsoft Exchange Server messaging administrator, you often must create, modify, or delete recipient objects. Therefore, it is important to have a good understanding of recipient management. In Exchange Server 2010, you can easily perform bulk management of Exchange Server recipient objects by using the Exchange Management Shell. This module describes how you can manage recipient objects, address policies, and address lists in Exchange Server 2010, and the procedures for performing bulk management tasks in the Exchange Management Shell.
After completing this module, you will be able to:
- Manage mailboxes in Exchange Server 2010.
- Manage other recipients in Exchange Server 2010.
- Configure e-mail address policies.
- Configure address lists.
- Perform bulk recipient management tasks.


Lesson 1

Managing Mailboxes

Apart from creating mailboxes, you may need to modify mailbox options to meet the needs of users and ensure optimal performance of the messaging environment. Based on your organization's requirements, and its users, you also may have to move mailboxes to different servers or databases, and configure resources. This lesson provides an overview of Exchange Server recipient objects and the available configuration options. Additionally, this lesson covers the reasons and procedures for moving mailboxes, and explains how to configure resource mailboxes.
After completing this lesson, you will be able to:
- Identify the different recipient object types in Exchange Server 2010.
- Manage mailbox user accounts.
- Describe how to configure mailbox settings.
- Configure mailbox permissions.
- Describe the reasons for moving mailboxes.
- Move mailboxes by using the Exchange Management Console.
- Describe the purpose and functionality of resource mailboxes.
- Describe how to design resource booking policies.
- Manage resource mailboxes.


Discussion: Types of Exchange Server Recipients

Key Points
In Microsoft Exchange Server 2003, you can use Active Directory Users and Computers to perform all individual recipient management tasks. However, in Microsoft Exchange Server 2007, and subsequently in Exchange Server 2010, you cannot use Active Directory Users and Computers to manage Exchange Server recipients. You must configure all Exchange Server-specific recipient settings in the Exchange Management Console or the Exchange Management Shell.
Exchange Server recipients are mail-enabled when they have associated e-mail addresses, but do not have Exchange mailboxes. For example, a contact that has been mail-enabled becomes a mail contact.
Exchange Server 2010 supports the following recipient types:
- User mailboxes. A mailbox that you can assign to an individual user in your Exchange Server organization. It typically contains messages, calendar items, contacts, tasks, documents, and other important business data.
- Mail users or mail-enabled Active Directory users. These are users outside the Exchange Server organization that have an external e-mail address. All messages sent to the mail user are routed to this external e-mail address. A mail user is similar to a mail contact, except that a mail user has Active Directory logon credentials and can access resources.
- Resource mailboxes (room mailboxes and equipment mailboxes). A resource mailbox that you can assign to a meeting location, or to a resource such as a projector. You can include resource mailboxes as resources in meeting requests, which provides a simple and efficient way of scheduling resource usage.
- Mail contacts or mail-enabled contacts. These contacts contain information about people or organizations that exist outside an Exchange Server organization and that have an external e-mail address. Exchange Server routes all messages sent to the mail contact to this external e-mail address.
- Mail-enabled security and distribution groups. You can use a mail-enabled Active Directory security group object to grant access permissions to Active Directory resources, and you also can use it to distribute messages. You can use a mail-enabled Active Directory distribution group object to distribute messages to a group of recipients.
- Dynamic distribution groups. A distribution group that uses recipient filters and conditions to derive its membership at the time messages are sent.
- Linked mailboxes. You can assign a linked mailbox to an individual user in a separate, trusted forest.

You can use a mail-enabled user when Exchange Server 2010 is not responsible for sending and receiving mail for an Active Directory user, but you want that user to appear in the global address list (GAL). You might do this for remote salespeople who prefer to use e-mail based on their own Internet service provider (ISP). As in Exchange Server 2007, you can only mail-enable universal security groups and universal distribution groups in Exchange Server 2010.

Question: How is a mail-enabled contact different from a mail-enabled user?


Demonstration: How to Manage Mailboxes

Key Points
In this demonstration, you will see how to manage mailboxes by performing common operations such as creating, deleting, and removing mailbox user accounts.

Demonstration Steps
Use the Exchange Management Shell to mail-enable an existing user:
1. Open Active Directory Users and Computers, and ensure that Daniel Brunner exists in the Users container.
2. Open the Exchange Management Shell, and run the following cmdlets (the name contains a space, so it must be quoted, and parameter names take a leading hyphen):
   Enable-MailUser -Identity "Daniel Brunner" -ExternalEmailAddress Daniel@contoso.com
   Disable-MailUser -Identity "Daniel Brunner"
3. In Active Directory Users and Computers, verify that the Daniel Brunner user still exists. Disable-MailUser removes only the Exchange attributes; the Active Directory account is kept.


Create a new mail-enabled user with the Exchange Management Console:
1. Open the Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
3. Run the New Mailbox Wizard, and create a new user account and mailbox for Kim Akers. Create the mailbox in the Accounting mailbox database.

Note: Remove-Mailbox deletes the specified user account and mailbox, whereas Disable-Mailbox removes the mailbox but leaves the user account enabled.

Question: What tools do you prefer to use for managing mailbox users?
Question: How does your organization delegate Exchange and Active Directory management tasks?


Configuring Mailbox Settings

Key Points
Exchange Server 2010 provides several options for configuring a single mailbox. Many of these options are similar to those available for managing an Active Directory Domain Services environment. Mailbox configuration options include:
- General
- User Information
- Address and Phone
- Organization
- Account
- Member Of

However, some configuration options are unique to Exchange Server, such as:
- Mail Flow Settings. There are three mail-flow settings: delivery options, message-size restrictions, and message-delivery restrictions:
  - Use the delivery options to set:
    - Who can send an e-mail message on behalf of that mailbox.
    - A recipient to whom all messages are forwarded.
    - The maximum number of recipients to which the mailbox can send a single message.
  - Use the message-size restrictions options to specify the maximum size for the messages that the mailbox sends or receives.
  - Use the message-delivery restrictions options to control the recipients that can send messages to the mailbox.
- Mailbox Features. Use these options to configure the mailbox's specific features, such as Microsoft Outlook Web App, Exchange ActiveSync, Unified Messaging, Post Office Protocol version 3 (POP3), Internet Message Access Protocol version 4 (IMAP4), and the Archive mailbox.
- Calendar Settings. Use this option to configure how a mailbox processes meeting requests.
- Mailbox Settings. There are four mailbox settings: messaging records management, federated sharing, storage quotas, and archive quota.
- E-Mail Addresses. Use this option to configure the e-mail addresses assigned to the mailbox.

Question: Why would you configure mailbox size limits on individual mailboxes?
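The Exchange-specific settings listed above, applied from the Exchange Management Shell to the lab's Kim Akers mailbox, as an added example that is not the course's own demonstration. It assumes the lab accounts Kim Akers and Wei Yu; the size, recipient and quota values are illustrative, and the forwarding target must be a recipient that already exists in the organization.

```powershell
# Added example, not course code: mail flow settings, mailbox features and
# storage quotas for one mailbox. Kim Akers and Wei Yu are lab accounts; the
# numeric values are illustrative.

$mbx = "Kim Akers"

# Mail flow settings: delivery options (send on behalf, forwarding, recipient limit)
Set-Mailbox -Identity $mbx `
    -GrantSendOnBehalfTo "Wei Yu" `
    -ForwardingAddress "Wei Yu" `
    -DeliverToMailboxAndForward $true `
    -RecipientLimits 100

# Mail flow settings: message size restrictions (10 MB sent, 10 MB received)
Set-Mailbox -Identity $mbx -MaxSendSize 10MB -MaxReceiveSize 10MB

# Mail flow settings: message delivery restrictions. Requiring sender
# authentication rejects messages from anonymous (Internet) senders, so
# only recipients in the organization can reach this mailbox.
Set-Mailbox -Identity $mbx -RequireSenderAuthenticationEnabled $true

# Mailbox features: client protocols this user does not need are turned off,
# which removes them as a way to read the mailbox with a stolen password
Set-CASMailbox -Identity $mbx -PopEnabled $false -ImapEnabled $false -ActiveSyncEnabled $false

# Mailbox settings: storage quotas set on the mailbox itself. This overrides
# the database defaults, so a later change to the database limits will not
# affect this mailbox until UseDatabaseQuotaDefaults is set back to $true.
Set-Mailbox -Identity $mbx -UseDatabaseQuotaDefaults $false `
    -IssueWarningQuota 850MB -ProhibitSendQuota 1000MB -ProhibitSendReceiveQuota 1024MB

# Read the result back
Get-Mailbox -Identity $mbx | Format-List GrantSendOnBehalfTo, ForwardingAddress,
    DeliverToMailboxAndForward, RecipientLimits, MaxSendSize, MaxReceiveSize,
    RequireSenderAuthenticationEnabled, UseDatabaseQuotaDefaults,
    IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota
Get-CASMailbox -Identity $mbx | Format-List PopEnabled, ImapEnabled, ActiveSyncEnabled
```

Each Set-Mailbox call maps to one tab of the mailbox properties dialog in the console: the first three to Mail Flow Settings, Set-CASMailbox to Mailbox Features, and the quota call to Mailbox Settings.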


Demonstration: How to Configure Mailbox Permissions

Key Points
In this demonstration, you will see how to assign Full Access and Send As permissions to a mailbox.

Demonstration Steps
Assign Wei Yu Send As permission on Kim Akers's mailbox:
1. Open the Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
3. In the Results pane, select the Kim Akers mailbox, and then in the Actions pane, click Manage Send As Permission.
4. In the Manage Send As Permission Wizard, click Add.
5. In the Select User or Group dialog box, choose Wei Yu, and then click OK.
6. Click Manage.
7. Click Finish.

Assign Wei Yu Full Access to Kim Akers's mailbox:
1. Select the Kim Akers mailbox, and then in the Actions pane, click Manage Full Access Permission.
2. In the Manage Full Access Permission Wizard, click Add.
3. In the Select User or Group dialog box, choose Wei Yu, and then click OK.
4. Click Manage, and then click Finish.

Question: When would more than one user need to access the same mailbox?
Question: What is the difference between Send on Behalf permissions and Send As permissions?
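The two delegations from the demonstration done in the Exchange Management Shell, plus a review of who holds each right, as an added example that is not the course's own demonstration. It uses the lab accounts Kim Akers and Wei Yu; the two audit functions are additions of this example and are named here for illustration.

```powershell
# Added example, not course code: Send As and Full Access from the shell,
# then an audit of the explicit grants. Kim Akers and Wei Yu are lab accounts.

$mbx = "Kim Akers"

# Send As is an Active Directory extended right on the user object
Add-ADPermission -Identity $mbx -User "Wei Yu" -ExtendedRights "Send-As"

# Full Access is a mailbox permission stored on the mailbox itself
Add-MailboxPermission -Identity $mbx -User "Wei Yu" -AccessRights FullAccess -InheritanceType All

# Explicit (non-inherited) Full Access holders other than the owner's own SELF
# entry. Inherited entries come from Exchange's service accounts and the
# organization-level ACL, so they are filtered out to show only delegations.
function Get-ExplicitFullAccess([string]$Mailbox) {
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object {
            (($_.AccessRights | ForEach-Object { $_.ToString() }) -contains "FullAccess") -and
            -not $_.IsInherited -and
            -not $_.Deny -and
            $_.User.ToString() -ne "NT AUTHORITY\SELF"
        } | Select-Object User, AccessRights
}

# Explicit Send As holders, same filtering, read from the AD object
function Get-ExplicitSendAs([string]$Mailbox) {
    Get-ADPermission -Identity $Mailbox |
        Where-Object {
            (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains "Send-As") -and
            -not $_.IsInherited -and
            -not $_.Deny -and
            $_.User.ToString() -ne "NT AUTHORITY\SELF"
        } | Select-Object User
}

Get-ExplicitFullAccess -Mailbox $mbx
Get-ExplicitSendAs -Mailbox $mbx

# When the delegation ends, revoke both rights; neither expires on its own
# Remove-MailboxPermission -Identity $mbx -User "Wei Yu" -AccessRights FullAccess -InheritanceType All -Confirm:$false
# Remove-ADPermission -Identity $mbx -User "Wei Yu" -ExtendedRights "Send-As" -Confirm:$false
```

The two audit functions answer the first review question from the other side: rather than asking who needs access, they show who currently has it, which is the list worth checking whenever a shared mailbox changes hands.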


Reasons for Moving Mailboxes

Key Points
You might need to move your organization's mailboxes. The following scenarios list the common reasons for moving mailboxes:
- Transition. When you transition an existing Exchange Server 2007 or Exchange Server 2003 organization to Exchange Server 2010, you need to move mailboxes from the existing Exchange servers to an Exchange Server 2010 Mailbox server.
- Realignment. You can move mailboxes to realign them based on specific values. For example, you may want to move a mailbox from one database to another that has a larger mailbox size limit.
- Investigating an issue. If you need to investigate an issue with a mailbox, you can move that mailbox to a different server. For example, you can move all mailboxes that have corrupted messages to one server.
- Corrupted mailboxes. If you encounter corrupted mailboxes, you can move the mailboxes to a different server or database to fix the corruption.
- Physical location changes. You can move mailboxes to a server that is in a different Active Directory site. For example, if a user moves to a different physical location, you can move that user's mailbox to a server that is in a site closer to the new location.
- Separation of administrative roles. A company may want to separate the administration of Microsoft Exchange from administration of Microsoft Windows accounts. To do this, you can move mailboxes from a single forest into a resource forest scenario, in which the Microsoft Exchange mailboxes reside in one forest and their associated Windows user accounts reside in a separate forest.
- Outsourcing e-mail administration. A company may want to outsource the administration of e-mail and retain the administration of Windows user accounts. To do this, you can move mailboxes from a single forest into a resource forest scenario, in which the Microsoft Exchange mailboxes reside in one forest and their associated Windows user accounts reside in a separate forest.
- Integrating e-mail and user-account administration. A company might want to change from a separated or outsourced e-mail administration model to a model in which e-mail and user accounts are managed from the same forest. To do this, you can move mailboxes from a resource forest scenario to a single forest, in which the Microsoft Exchange mailboxes and Windows user accounts reside in the same forest.
- Reducing database size. In cases where data has been removed from a database and there is a lot of white space, rather than performing an offline defragmentation of the database, you can move the contained mailboxes online to a new database and delete the original database.

While a move request is in progress, the mailbox stays online, allowing the user to continue sending and receiving e-mail. You can view the move request status in the Exchange Management Console and the Exchange Management Shell. The request can have one of the following statuses:
- Queued for move
- Move in progress
- Ready to complete
- Completing


Demonstration: How to Move Mailboxes

Key Points
In this demonstration, you will see how to move mailboxes by using the Exchange Management Console.

Demonstration Steps
Move Kim Akers's mailbox to Mailbox Database 1:
1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
3. Select the Kim Akers mailbox, and then in the Actions pane, click New Local Move Request.
4. In the New Local Move Request Wizard, click Browse.
5. Select Mailbox Database 1, and then click OK.
6. Click Next.
7. Verify that Skip the mailbox is selected, and then click Next.
8. Click New.
9. Click Finish.

Question: What is the benefit of scheduling mailbox moves?
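The same local move done from the Exchange Management Shell, with the status polling that the status list in the previous topic describes and the suspend-then-resume pattern that answers the scheduling question, as an added example that is not the course's own demonstration. It assumes the lab's Kim Akers mailbox and Mailbox Database 1; the Wait-MoveRequest helper is named here for illustration.

```powershell
# Added example, not course code: a local move request from the shell.
# Kim Akers and "Mailbox Database 1" are lab names.

$mbx = "Kim Akers"

# "Skip the mailbox" in the wizard corresponds to BadItemLimit 0: the move
# fails on the first corrupted item instead of silently dropping it.
New-MoveRequest -Identity $mbx -TargetDatabase "Mailbox Database 1" -BadItemLimit 0

# Poll the request until it reaches a terminal state (Completed or Failed)
function Wait-MoveRequest([string]$Identity, [int]$TimeoutMinutes = 60) {
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $stats = Get-MoveRequestStatistics -Identity $Identity
        "{0,-22} {1,3}%  bad items: {2}" -f $stats.Status, $stats.PercentComplete, $stats.BadItemsEncountered
    } while ((@("Completed", "Failed") -notcontains "$($stats.Status)") -and (Get-Date) -lt $deadline)
    return $stats
}

$result = Wait-MoveRequest -Identity $mbx
if ("$($result.Status)" -eq "Completed") {
    # A completed request stays in Active Directory until it is cleared, and a
    # mailbox with an outstanding request cannot be moved again.
    Remove-MoveRequest -Identity $mbx -Confirm:$false
} else {
    # Pull the move report for the failure reason
    Get-MoveRequestStatistics -Identity $mbx -IncludeReport | Select-Object -ExpandProperty Report
}

# Scheduling: create the request now but suspended, then resume it off-hours,
# so the copy and the brief final switch-over happen outside working time.
# New-MoveRequest -Identity $mbx -TargetDatabase "Mailbox Database 1" -BadItemLimit 0 -Suspend -SuspendComment "Resume after 20:00"
# Resume-MoveRequest -Identity $mbx
```

BadItemLimit is the one setting worth deciding on before the move rather than during it: raising it lets a move through corrupted items, but each skipped item is data the user silently loses, so the count in BadItemsEncountered should be reviewed before the request is removed.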


What Are Resource Mailboxes?

Key Points
Resource mailboxes are specific types of mailboxes that you can use to represent meeting rooms or shared equipment, and you can include them as resources in meeting requests. The Active Directory user that is associated with a resource mailbox is a disabled account.
- Room mailboxes. These are resource mailboxes that you can assign to meeting locations, such as conference rooms, auditoriums, and training rooms.
- Equipment mailboxes. These are resource mailboxes that you can assign to non-location-specific resources, such as portable computer projectors, microphones, or company cars.

You can include both types of resource mailboxes as resources in meeting requests, and thus provide a simple and efficient way to utilize resources for your users. You can configure resource mailboxes to automatically process incoming meeting requests based on the resource booking policies that are defined by the resource owners. For example, you can configure a conference room to automatically accept incoming meeting requests except recurring meetings, which can be subject to approval by the resource owner. You can create a resource mailbox as a room or as equipment. After creating the resource mailbox, you must configure properties such as location and size. Then, you must define the resource booking policy and enable the resource booking attendant.


Designing Resource Booking Policies

Key Points
A resource booking policy specifies:
- Who can schedule a resource.
- When the resource can be scheduled.
- What meeting information will be visible on the resource's calendar.
- The response message that meeting organizers will receive.

Exchange Server 2010 provides various resource mailboxes, such as meeting rooms and equipment. You can invite these resources to meetings as a way of reserving the meeting room or equipment. Exchange Server 2010 provides several options for managing users who can book meetings using resource mailboxes.


Options for Configuring Automate Processing Settings


Exchange Server 2010 provides several options that you can use to configure resource mailbox settings and customize them to meet most business needs. There are three values for Automate Processing: None, Booking Attendant (AutoAccept), and Calendar Attendant (AutoUpdate). By default, the Calendar Attendant is enabled on each resource mailbox. For the resource mailbox to process and accept meeting requests, you must enable the Booking Attendant. In Exchange Server 2010, both the Exchange Management Console and the Exchange Management Shell can be used to configure resource mailboxes. Three common scheduling scenarios are automatic booking, manual approval by delegates, and manual approval from the resource mailbox. To enable automatic booking, enable the Booking Attendant and configure the policy. To enable manual approval by delegates, enable the Booking Attendant, disable All Book In Policy, enable All Request In Policy, and then specify the delegates. To enable manual approval from the mailbox, leave the Booking Attendant disabled.

Considerations for Developing a Resource Booking Policy


When designing the resource booking policy, you must consider:
- Who can schedule a resource, and whether all users should be able to book a resource for a meeting. You might accept the default settings for most resources in the organization, but consider restricting who can book heavily used or important resources. For example, if you use a room mailbox to manage the schedule for a large conference room, you may want to restrict who can book meetings in the conference room.
- When users can schedule the resource. You may want to set restrictions on the time of day when meetings can be booked with a resource, or restrict the meeting length or meeting recurrence.
- The automatic acceptance policy for the meeting resource. By default, all resource mailboxes are configured to accept all new appointment requests as tentative, until a user approves the request. Because the meeting is set to tentative, other users can still book the meeting resource for the same time. By changing the Automate Processing attribute for the resource mailbox, you can modify the default behavior. The default value is AutoUpdate. If you set the value to AutoAccept, the resource mailbox accepts all meetings from authorized users automatically, and prevents other users from booking the resource at the same time.

Question: How will you use resource mailboxes in your environment?


Demonstration: How to Manage Resource Mailboxes

Key Points
In this demonstration, you will use Exchange Management Console to create a resource mailbox, and then configure it to accept appointments and create a delegate for the resource.

Demonstration Steps
1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
3. Create a new room mailbox with the following information:
   Name: Conference Room 1
   User logon name (User Principal Name): ConferenceRoom1
   Password: Pa$$w0rd
   Alias: ConferenceRoom1
4. After creating the room mailbox, modify the properties, and enable the resource booking attendant.
5. Open Internet Explorer, and log on to Outlook Web App as Adatum\Administrator with the password Pa$$w0rd.
6. In Outlook Web App, create a new Meeting Request.
7. In the Untitled Meeting window, type Sales Meeting as the subject, type Administrator in the To field, type Conference Room 1 in the Location field, and then click the Scheduling Assistant tab.
8. Select a Start time and an End time.
9. Click the down arrow next to Select Rooms, and then click More.
10. In the Address Book window, double-click Conference Room 1, and then click OK.
11. Send the meeting request, and verify that the resource accepted the invitation.

Question: How does your organization use resource mailboxes?
Question: Which attributes are useful for your resource mailboxes?
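The room mailbox from the demonstration created in the Exchange Management Shell, then configured for each of the three scheduling scenarios from the "Options for Configuring Automate Processing Settings" topic, as an added example that is not the course's own demonstration. It assumes the lab names Conference Room 1, the alias ConferenceRoom1, the Adatum.com domain and the delegate Wei Yu; the capacity, booking window and duration values are illustrative.

```powershell
# Added example, not course code: a room mailbox and the three booking
# scenarios (automatic, delegate approval, approval from the mailbox).
# Names are from the lab; capacity and time limits are illustrative.

# Create the room mailbox. The associated AD account is created disabled, so
# no password is required from the shell.
New-Mailbox -Name "Conference Room 1" -Alias "ConferenceRoom1" `
    -UserPrincipalName "ConferenceRoom1@Adatum.com" -Room
Set-Mailbox -Identity "Conference Room 1" -ResourceCapacity 12

# Scenario 1: automatic booking. The Booking Attendant (AutoAccept) accepts
# in-policy requests from everyone and declines conflicts. The subject is
# replaced with the organizer's name and comments are dropped, so the room's
# calendar, which everyone can read, does not expose meeting content.
Set-CalendarProcessing -Identity "Conference Room 1" `
    -AutomateProcessing AutoAccept `
    -AllBookInPolicy $true `
    -AllowRecurringMeetings $false `
    -BookingWindowInDays 90 `
    -MaximumDurationInMinutes 240 `
    -ScheduleOnlyDuringWorkHours $true `
    -DeleteSubject $true -AddOrganizerToSubject $true -DeleteComments $true

# Scenario 2: manual approval by delegates. Nobody books directly; every
# request goes to the delegates and is held as tentative until they decide.
Set-CalendarProcessing -Identity "Conference Room 1" `
    -AutomateProcessing AutoAccept `
    -AllBookInPolicy $false `
    -AllRequestInPolicy $true `
    -ResourceDelegates "Wei Yu" `
    -ForwardRequestsToDelegates $true -TentativePendingApproval $true

# Scenario 3: manual approval from the resource mailbox itself. Only the
# Calendar Attendant (AutoUpdate) runs, so requests land as tentative and
# whoever has access to the mailbox accepts or declines them.
Set-CalendarProcessing -Identity "Conference Room 1" -AutomateProcessing AutoUpdate

# Read back the effective policy
Get-CalendarProcessing -Identity "Conference Room 1" |
    Format-List AutomateProcessing, AllBookInPolicy, AllRequestInPolicy, ResourceDelegates,
                BookingWindowInDays, MaximumDurationInMinutes, AllowRecurringMeetings,
                ScheduleOnlyDuringWorkHours, DeleteSubject, AddOrganizerToSubject
```

Each scenario block is a complete configuration on its own; in practice only one of the three is applied to a given room, and the last Set-CalendarProcessing call wins.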


Lesson 2

Managing Other Recipients

Exchange Server also includes other recipient types that provide additional functionality, such as sending e-mail to an entire company department or sharing e-mail addresses between users, for recipients outside your company. In this lesson, you will be introduced to the other recipient types in Exchange Server 2010, such as contacts and distribution groups.
After completing this lesson, you will be able to:
- Describe the functionality of mail contacts and mail users.
- Describe the purpose of a distribution group.
- Explain the options for configuring distribution groups.
- Manage distribution groups by using the Exchange Control Panel.


What Are Mail Contacts and Mail Users?

Key Points
Mail contacts are mail-enabled Active Directory contacts. These contacts contain information about people or organizations that exist outside your Exchange Server organization. You can view mail contacts in the GAL and other address lists, and you can add them as members to distribution groups. Each contact has an external e-mail address, and all e-mail messages that are sent to a contact are automatically forwarded to that address. If multiple people within your organization contact a trusted external person, you can create a mail contact with the person's e-mail address. This allows Exchange Server users to select that person from the GAL for sending e-mail.
Mail users are similar to mail contacts. Both have external e-mail addresses, both contain information about people outside your Exchange Server organization, and you can display both in the GAL and other address lists. However, unlike a mail contact, a mail user has Active Directory logon credentials and can access resources to which it is granted permission.


If a person external to your organization requires access to resources on your network, you should create a mail user instead of a mail contact. For example, you may want to create mail users for short-term consultants who require access to your server infrastructure, but who will use their own external e-mail addresses. In another scenario, you can create mail users for people for whom you do not want to maintain an Exchange Server mailbox. For example, after an acquisition, the acquired company may maintain its own messaging infrastructure, but it may also need access to your network's resources. For those users, you might want to create mail users instead of mailbox users.

Question: When would you use mail-enabled contacts?

Question: Why would you use a mail-enabled contact rather than a mail-enabled user?


What Are Distribution Groups?

Key Points
You can use mail-enabled groups to allow end users to send e-mail to multiple recipients. Mail-enabled groups also allow you to assign permissions simultaneously to multiple users for Exchange Server objects, such as private mailboxes and public folders. In Exchange Server 2010, mail-enabled groups belong to one of the following four categories:
• Universal security groups. Can be mail-enabled and can be assigned permissions outside of Exchange Server.
• Distribution groups. Are mail-enabled and can only be assigned Exchange Server permissions for objects such as public folders. The two types of distribution groups are:
  • Static
  • Dynamic
• Public groups. End users can manage these distribution groups through the Exchange Control Panel. Within Exchange Control Panel, the end user can add or remove group members, moderate the group, or even request access to other public groups.
• Moderated groups. These are distribution groups that allow the group manager to approve or reject either all messages sent to the group or messages from specific users. You can use moderated groups to restrict the conversations that occur between group members.

Question: When would your organization use distribution groups?

Question: When would your organization use public and moderated groups?


Options for Configuring Distribution Groups

Key Points
Similar to the options available for configuring mailboxes, there are a number of options available for configuring mail-enabled groups. You can configure several options for Exchange Server distribution groups, including:
• Group membership. These are the objects that are in the distribution group.
• Maximum message size. Use this option to set the maximum size for messages that can be sent to the distribution group.
• Message delivery options. Use these options to configure which users can send messages to the group.
• Address list visibility. Use this option to hide the group from the address list. You can use this option when the distribution group is used mainly for receiving e-mail from the Internet, and internal users do not need it.
• Delivery of out-of-office messages. Enable this option to send out-of-office messages back to the message sender, if one of the distribution group recipients has enabled out-of-office notifications.
• Non-delivery reports. Use this option to configure non-delivery reports (NDRs). You can choose whether an NDR is sent at all, and whether it is sent to the distribution list's manager or to the message originator.
• E-mail addresses for the group. Use this option to configure the distribution group's e-mail addresses.
• Message moderation. Use these options to assign moderators permission to review all messages that are sent to the distribution list. You also can configure a list of users that do not require moderation. Additionally, you can configure notifications to alert the message originators whether their message is approved or not.
• Membership approval. Use these options to control if and how users can join or leave the group:
  • Choose whether owner approval is required to join the group. If you choose Open, users can join this distribution group without the approval of the distribution group owners. If you choose Closed, only distribution group owners can add members to the group; requests to join this distribution group will be rejected automatically. If you choose Owner Approval, users can request membership in this distribution group, and the distribution group owner must approve the request before the user can join.
  • Choose whether the group is open to leave. If you choose Open, users can leave this distribution group without the approval of the distribution group owners. If you choose Closed, only distribution group owners can remove members from this distribution group; requests to leave this distribution group will be rejected automatically.
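The Exchange Management Shell equivalents of the contact, group and group-option settings described in this lesson, as an added example that is not part of the course manual or its lab files. The names, aliases, members and the external address are the ones the module's demonstration and lab use; the 5 MB size limit and the particular combination of options chosen are assumptions made for the illustration:

```powershell
# Added example (not from the course manual): Exchange Management Shell
# equivalents of the mail contact and distribution group settings above.
# Names and members come from the module's demonstration and lab; the
# 5 MB limit is an assumed value.

# An external person that many users e-mail becomes a mail contact, so users
# pick a known-good address from the GAL instead of typing it. A mail user
# would additionally get Active Directory credentials (New-MailUser).
New-MailContact -Name "Ian Palangio" -Alias IanPalangioWB `
    -ExternalEmailAddress "ian.palangio@woodgrovebank.com"

# Create the group. -Type Distribution cannot carry permissions outside
# Exchange; use -Type Security only when the group must also be an ACL
# principal. The membership restrictions map to the Open / Closed /
# Owner Approval choices described above.
New-DistributionGroup -Name "Sales" -Alias Sales -Type Distribution `
    -Members "Manoj Syamala","Rohinton Wadia","Paul West","Ian Palangio" `
    -ManagedBy "Kim Akers" `
    -MemberJoinRestriction ApprovalRequired `
    -MemberDepartRestriction Open

# Delivery and moderation options. RequireSenderAuthenticationEnabled is the
# one that matters most for an internal list: with it set, anonymous
# (Internet) senders are rejected, so the list cannot be used as a spam
# amplifier. A list that must receive Internet mail needs it set to $false
# and is usually hidden from the address list instead
# (-HiddenFromAddressListsEnabled $true).
Set-DistributionGroup -Identity Sales `
    -RequireSenderAuthenticationEnabled $true `
    -HiddenFromAddressListsEnabled $false `
    -MaxReceiveSize "5MB" `
    -ModerationEnabled $true `
    -ModeratedBy "Kim Akers" `
    -BypassModerationFromSendersOrMembers "Kim Akers" `
    -SendModerationNotifications Always `
    -ReportToManagerEnabled $true `
    -ReportToOriginatorEnabled $false `
    -SendOofMessageToOriginatorEnabled $false

# Verify the effective configuration.
Get-DistributionGroup -Identity Sales |
    Format-List Name,ManagedBy,MemberJoinRestriction,MemberDepartRestriction,ModerationEnabled,ModeratedBy,RequireSenderAuthenticationEnabled,MaxReceiveSize,HiddenFromAddressListsEnabled
```

Every option on the slide corresponds to one parameter of Set-DistributionGroup, so the same script can be run against each group in a naming-convention batch (Get-DistributionGroup piped to Set-DistributionGroup) rather than clicking through the properties of each group in the console.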

Question: What is the advantage of enforcing a naming convention for distribution groups?


Demonstration: How to Manage Groups by Using the Exchange Control Panel

Key Points
Public groups are a new feature that enables users who have the requisite permissions to add distribution groups, manage membership, and moderate content.

Demonstration Steps
Add Kim Akers to the Recipient Management role group:
1. On VAN-EX1, in Active Directory Users and Computers, add Kim Akers to the Recipient Management role group.
2. Log on to Exchange Control Panel as Kim Akers, and create a new Sales group.
3. Log on to Exchange Control Panel as Adatum\Kim with the password of Pa$$w0rd.
4. Select Public Groups, and create a new Public Group.
5. In the New Group window, configure the following information:
   • Display name: Sales
   • Alias: Sales
   • Description: Sales Department
6. Add the following members:
   • Manoj Syamala
   • Rohinton Wadia
   • Paul West
7. Expand Membership Approval, and select Owner Approval.
8. Click Save.
9. Sign out of Exchange Control Panel.

Log on to ECP as Wei Yu, and ask to join the Sales group:
1. Log on to Exchange Control Panel as Adatum\Wei with the password of Pa$$w0rd.
2. In the left pane, select Groups.
3. In the Public Groups I Belong to section, click Join.
4. In the All Groups window, select Sales, and then click Join.
5. Click Close.
6. Sign out of Exchange Control Panel.

Approve Wei Yu's request to be added to the Sales group:
1. Log on to Outlook Web App as Adatum\Kim with the password of Pa$$w0rd.
2. Double-click the Request to Join Distribution Group message in the inbox.
3. In the Request to Join Distribution Group message pane, click Approve.
4. Close Outlook Web App.

Question: When would you use public groups?


Lesson 3

Configuring E-Mail Address Policies

In many messaging systems, you might host multiple Simple Mail Transfer Protocol (SMTP) domains, and thus you would need to manage the e-mail addresses assigned to the Exchange recipients. To ensure that recipients have appropriate e-mail addresses, you can create and apply e-mail address policies. In this lesson, you will learn about e-mail address policies and how to configure them.

After completing this lesson, you will be able to:
• Describe the purpose and functionality of e-mail address policies.
• Configure e-mail address policies.


What Are E-Mail Address Policies?

Key Points
For a recipient to send or receive e-mail messages, the recipient must have an e-mail address. E-mail address policies generate the primary and secondary e-mail addresses for your recipients so they can receive and send e-mail. You must create an accepted domain so that a domain in an e-mail address policy functions properly. An accepted domain is an SMTP namespace that you can configure Exchange servers to send messages to, or from which they can receive messages.

By default, Exchange Server contains an e-mail address policy for every mail-enabled user. This default policy specifies the recipient's alias as the local part of the e-mail address and uses the default accepted domain. The local part of an e-mail address is the name that appears before the @ symbol. However, you can configure how your recipients' e-mail addresses display. To specify additional e-mail addresses for all recipients or just a subset, you can modify the default policy or create additional e-mail address policies.


Creating an E-mail Address Policy


Exchange Server applies an e-mail address policy to a recipient group based upon an OPATH filter. OPATH is a querying language designed to query object-data sources. The filter defines the search scope in the Active Directory forest and the attributes to match. The New E-mail Address Policy Wizard provides a standard list of recipient scope filters. These include:
• All recipient types. Select this check box if you do not want to filter by recipient type.
• Users with Exchange mailboxes. Select this check box if you want your e-mail address policy to apply to users who have Exchange Server 2010, Exchange Server 2007, and Exchange Server 2003 mailboxes. Users with Exchange mailboxes are those that have a user domain account and a mailbox in the Exchange organization.
• Users with external e-mail addresses. Select this check box if you want your e-mail address policy to apply to users who have external e-mail addresses. Users with external e-mail accounts have user domain accounts in the Active Directory directory service, but use e-mail accounts that are external to the organization. This enables them to be included in the GAL and added to distribution lists.
• Resource mailboxes. Select this check box if you want your e-mail address policy to apply to Exchange resource mailboxes. Resource mailboxes let you administer company resources, such as a conference room or company vehicle, through a mailbox.
• Contacts with external e-mail addresses. Select this check box if you want your e-mail address policy to apply to contacts with external e-mail addresses.
• Mail-enabled groups. Select this check box if you want your e-mail address policy to apply to security groups or distribution groups that have been mail-enabled. Mail-enabled groups resemble distribution groups, as messages sent to a mail-enabled group account will go to several recipients.


The second part of the e-mail address policy filter has conditions in one of the following categories:
• Recipient is in a State or Province. Select this check box if you want the e-mail address policy to include only recipients from specific states or provinces. The Address and Phone tab in the recipient's properties contains this information.
• Recipient is in a Department. Select this check box if you want the e-mail address policy to include only recipients in specific departments. The Organization tab in the recipient's properties contains this information.
• Recipient is in a Company. Select this check box if you want the e-mail address policy to include only recipients in specific companies. The Organization tab in the recipient's properties contains this information.
• Custom Attribute equals Value. There are 15 custom attributes for each recipient, and there is a separate condition for each custom attribute. If you want the e-mail address policy to include only recipients that have a specific value set for a specific custom attribute, select the check box that corresponds to that custom attribute.

When creating an e-mail address policy, you can use the following e-mail address types:
• Precanned SMTP e-mail address. Precanned SMTP e-mail addresses are commonly used e-mail address formats that Exchange Server provides for you.
• Custom SMTP e-mail address. If you do not want to use one of the precanned SMTP e-mail addresses, you can specify a custom SMTP e-mail address.
• Non-SMTP e-mail address. Exchange Server 2010 supports a number of non-SMTP address types.
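The same policy built from the Exchange Management Shell, covering the accepted-domain prerequisite, the recipient filter conditions and the address templates described above. This is an added example, not code from the course manual: the fourthcoffee.com domain and the Company condition come from the lesson's demonstration, while the first.last address format (the precanned template variables %g and %s) and the secondary alias@adatum.com address are assumptions:

```powershell
# Added example (not from the course manual). The fourthcoffee.com domain and
# the Company condition follow the demonstration; the address format and the
# secondary address are assumed for illustration.

# 1. The policy's domain must exist as an accepted domain first; otherwise
#    mail for that domain is not treated as local and the policy is useless.
$exists = Get-AcceptedDomain | Where-Object { $_.DomainName.ToString() -eq "fourthcoffee.com" }
if (-not $exists) {
    New-AcceptedDomain -Name "Fourth Coffee" -DomainName "fourthcoffee.com" -DomainType Authoritative
}

# 2. Create the policy. Template variables: %g given name, %s surname,
#    %m alias, %d display name. An upper-case "SMTP:" prefix marks the
#    primary (reply-to) address; lower-case "smtp:" adds a secondary address
#    the recipient can still receive mail on. The conditional parameters are
#    the shell form of the "Recipient is in a Company" check box; the
#    others are -ConditionalDepartment, -ConditionalStateOrProvince and
#    -ConditionalCustomAttribute1 ... 15.
New-EmailAddressPolicy -Name "Fourth Coffee" `
    -IncludedRecipients AllRecipients `
    -ConditionalCompany "Fourth Coffee" `
    -EnabledEmailAddressTemplates "SMTP:%g.%s@fourthcoffee.com","smtp:%m@adatum.com" `
    -Priority 1

# 3. A new policy is only a stored filter until it is applied; this is the
#    shell equivalent of "Apply the e-mail address policy immediately".
Update-EmailAddressPolicy -Identity "Fourth Coffee"

# 4. Verify: move a user into the policy's scope and look at the result.
#    A recipient with EmailAddressPolicyEnabled set to $false keeps its
#    manually assigned addresses and is not touched by any policy.
Set-User -Identity "Jane Dow" -Company "Fourth Coffee"
Get-Mailbox -Identity "Jane Dow" |
    Format-List EmailAddressPolicyEnabled,PrimarySmtpAddress,EmailAddresses
```

Priority 1 places the policy ahead of the default policy; a recipient receives addresses from the first policy whose filter matches it, so the order in which policies are evaluated is as important as their filters.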


Demonstration: How to Configure E-Mail Address Policies

Key Points
In this demonstration, you will see how to modify existing e-mail address policies, create new policies, and configure an alias.

Demonstration Steps
Create a new e-mail address policy for Fourth Coffee recipients:
1. Open the Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then select Hub Transport.
3. Create a new e-mail address policy with these attributes:
   • Name: Fourth Coffee
   • Display Name: Fourth Coffee
   • Recipient container to apply filter: Adatum.com
   • Included recipient types: All Recipient types
4. Use the user Alias as the local part of the e-mail address.
5. Select fourthcoffee.com as the accepted domain.
6. Apply the e-mail address policy immediately.

Verify that the e-mail address policy has been applied:
1. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
2. In the Results pane, double-click Jane Dow.
3. View the current e-mail addresses that have been assigned.
4. Change the Company attribute to Fourth Coffee.
5. View the current e-mail addresses that have been assigned.


Lesson 4

Configuring Address Lists

Address lists are similar to a telephone book in that they provide a clearinghouse in which users can locate, send e-mail to, and find information about, other users. In larger or specialized organizations, you may need to modify the lists' organization. In this lesson, you will learn about address lists and how to manage them.

After completing this lesson, you will be able to:
• Explain the functionality of address lists.
• Explain the reasons for configuring address lists.
• Configure address lists.
• Describe how to configure offline address books.
• Describe the options for deploying offline address books.


What Are Address Lists?

Key Points
Address lists are recipient objects that are grouped together based on a Lightweight Directory Access Protocol (LDAP) query for specific Active Directory attributes. You can use address lists to sort the GAL into multiple views, which makes it easier to locate recipients. This is especially helpful for very large or highly segmented organizations. Similar to configuring e-mail address policies, you can configure address lists with recipient filters that determine which objects belong in each address list. Address lists are evaluated every time a mail-enabled account is modified to determine on which address lists it should appear.


Discussion: Reasons for Configuring Address Lists

Key Points
For most small or medium organizations, you would not need to make changes to the default address lists. However, in large organizations, you might need to modify the default configuration.

Question: What are the reasons for creating multiple address lists?
• Geographic organization.
• Departmental organization.
• Recipient type organization.

Question: How do you use address lists in your organization?

Question: How do you use a recipient filter and Active Directory attributes to create address lists? Is the necessary information already in Active Directory accounts?


Demonstration: How to Configure Address Lists

Key Points
In this demonstration, you will see how to create and configure address lists.

Demonstration Steps
Create a new address list for Fourth Coffee recipients:
1. Open Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then select Mailbox.
3. Create a new address list with the following attributes:
   • Name: Fourth Coffee
   • Display Name: Fourth Coffee
   • Container: \
   • Recipient container to apply filter: Adatum.com
   • Included recipient types: All Recipient types
4. Use the Recipient is in a Company condition to apply this address list only to recipients that list Fourth Coffee for their company attribute.
5. Preview the address list.
6. Apply the address list immediately.

Verify the new address list is working:
1. Log on to Outlook Web App as Adatum\George with the password of Pa$$w0rd.
2. Open the Address book, and view the members of the Fourth Coffee address list.
3. Close Outlook Web App.


Configuring Offline Address Books

Key Points
Exchange Server 2010 provides several configuration options for deploying offline address books. Outlook uses the offline address book when you configure it to use a cached mode Outlook profile or when it is in offline mode. The default offline address book contains the entire GAL, but does not include any additional GALs that have been created.

By default, the offline address book is generated only once each day. This means that any additions, deletions, or changes made to mail-enabled recipients are only committed to the offline address book once each day, unless you modify the schedule to generate the offline address book more often. In many environments, you would need to modify the offline address book generation schedule to accommodate the rate of change in a particular Exchange Server organization.


As a best practice, whether you use a single offline address book or multiple offline address books, consider the following factors as you plan and implement your offline address book strategy:
• Size of each offline address book in your organization.
• Number of offline address book downloads. How many clients will need to download the offline address book?
• Overall number of changes made to the directory. If a large number of changes are made, the size of the differential offline address book downloads also will be large.


Options for Deploying Offline Address Books

Key Points
Public folder distribution is the distribution method by which Outlook 2003, or clients that are working offline or through a dial-up connection, access the offline address book. With public folder distribution, the generation process for the offline address book places the files directly in one of the public folders, and then Exchange Server store replication copies the data to other public folder distribution points. Outlook 2007 and newer clients that are working in cached mode, offline or through a dial-up connection, use Web-based distribution to access the offline address book. Web-based distribution does not require the use of public folders. With Web-based distribution, after the offline address book generates, the Client Access server replicates the files. Web-based distribution uses HTTPS and BITS. If you require redundancy, you can use multiple Client Access servers as publishing points.
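The address list hierarchy, offline address book and generation schedule discussed in this lesson, built from the Exchange Management Shell as an added example that is not part of the course manual or lab files. The container and company names and the two distribution methods follow the lab's Exercise 3; the four-hour generation interval, the OAB virtual directory identity and the server name VAN-EX1 are assumptions:

```powershell
# Added example (not from the course manual). List and company names follow
# the lab; the generation interval, the OAB virtual directory identity and the
# server name are assumed.

# An empty container list, then one list per company underneath it. A list
# is an address list container simply by having other lists below it.
New-AddressList -Name "Companies" -Container "\" -IncludedRecipients None
New-AddressList -Name "Adventure Works" -Container "\Companies" `
    -IncludedRecipients AllRecipients -ConditionalCompany "Adventure Works"
New-AddressList -Name "A Datum" -Container "\Companies" `
    -IncludedRecipients AllRecipients -ConditionalCompany "A. Datum"

# Preview what a list will contain before applying it: the list is only a
# stored OPATH filter until Update-AddressList stamps the recipients.
$filter = (Get-AddressList -Identity "\Companies\Adventure Works").RecipientFilter
Get-Recipient -RecipientPreviewFilter $filter | Format-Table Name,Company -AutoSize

"\Companies\Adventure Works","\Companies\A Datum" |
    ForEach-Object { Update-AddressList -Identity $_ }

# One offline address book carrying both lists, published both ways:
# Web-based distribution (HTTPS + BITS from the Client Access server) for
# Outlook 2007 and newer, public folder distribution for Outlook 2003.
New-OfflineAddressBook -Name "Companies" `
    -AddressLists "\Companies\Adventure Works","\Companies\A Datum" `
    -VirtualDirectories "VAN-EX1\OAB (Default Web Site)" `
    -PublicFolderDistributionEnabled $true

# The default schedule generates the OAB once a day. Build a weekly schedule
# of 15-minute generation windows every four hours (assumed interval) in the
# "Day.Hour:Minute AM/PM-Day.Hour:Minute AM/PM" form the -Schedule parameter
# accepts.
$slots = foreach ($day in "Sun","Mon","Tue","Wed","Thu","Fri","Sat") {
    foreach ($h in 0,4,8,12,16,20) {
        $ampm = if ($h -lt 12) { "AM" } else { "PM" }
        $h12  = if ($h % 12 -eq 0) { 12 } else { $h % 12 }
        "{0}.{1}:00 {2}-{0}.{1}:15 {2}" -f $day, $h12, $ampm
    }
}
Set-OfflineAddressBook -Identity "Companies" -Schedule $slots

# Generate now rather than waiting for the next window, then confirm.
Update-OfflineAddressBook -Identity "Companies"
Get-OfflineAddressBook -Identity "Companies" |
    Format-List Name,AddressLists,VirtualDirectories,PublicFolderDistributionEnabled,Schedule
```

The preview step matters more than it looks: an address list filter that is too broad silently exposes recipients in the offline copy that every cached-mode client downloads, and the only way to take that back is to fix the filter and wait for the next differential download.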


Lesson 5

Performing Bulk Recipient Management Tasks

Managing a large number of recipients can be time consuming. Manual changes are also prone to error. You can use the Exchange Management Shell to create scripts that automate these management tasks. In this lesson, you will be introduced to bulk management of recipients and to using Exchange Management Shell to manage multiple recipients.

After completing this lesson, you will be able to:
• Describe the benefits of managing recipients in bulk.
• Manage multiple recipients.


Discussion: Benefits of Managing Recipients in Bulk

Key Points
Exchange Management Shell cmdlets are powerful tools that you can use for managing multiple recipients simultaneously. The cmdlets use features such as pipelining and filtering to sort the results of one cmdlet and apply the result to another cmdlet. Exchange Management Shell also is a very powerful scripting tool for managing multiple recipients in bulk. In small organizations, you might not need to manage multiple recipients at the same time. However, in medium or large organizations, you may often need to manage multiple users at the same time, and it is useful to know how to use Exchange Management Shell to do that.

Question: Describe situations where you need to create multiple recipients.

Question: Describe situations where multiple recipients need to be modified.
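A filtered, pipelined bulk change of the kind this discussion describes, with the preview step a practitioner wants before modifying hundreds of objects at once. This is an added example and not code from the course manual; the Company value is the one the lab uses, and the three quota values are assumptions:

```powershell
# Added example (not from the course manual): bulk mailbox quota change driven
# by an OPATH filter. The Company value follows the lab; the quota figures
# are assumed.

# 1. Enumerate the target set and look at it before changing anything.
#    -Filter is evaluated on the server, so it scales to large directories
#    where a client-side Where-Object would pull every object first.
$targets = Get-User -Filter {Company -eq "Adventure Works"} -RecipientTypeDetails UserMailbox
$targets | Format-Table Name,Department,Company -AutoSize

# 2. Dry run: -WhatIf prints each change that would be made without making it.
$targets | Get-Mailbox |
    Set-Mailbox -UseDatabaseQuotaDefaults $false `
        -IssueWarningQuota 90MB -ProhibitSendQuota 100MB -ProhibitSendReceiveQuota 120MB -WhatIf

# 3. Apply per object, collecting failures instead of aborting the whole
#    batch on the first error (a disconnected or moving mailbox, for instance).
$failed = @()
foreach ($u in $targets) {
    try {
        Get-Mailbox -Identity $u.Identity -ErrorAction Stop |
            Set-Mailbox -UseDatabaseQuotaDefaults $false `
                -IssueWarningQuota 90MB -ProhibitSendQuota 100MB -ProhibitSendReceiveQuota 120MB `
                -ErrorAction Stop
    } catch {
        # New-Object rather than [PSCustomObject] so this runs on the
        # PowerShell 2.0 shell that Exchange Server 2010 ships with.
        $failed += New-Object PSObject -Property @{ User = $u.Name; Error = $_.Exception.Message }
    }
}
"Changed: $(@($targets).Count - $failed.Count)  Failed: $($failed.Count)"
$failed | Format-Table User,Error -AutoSize

# 4. Verify the result on the same filtered set.
$targets | Get-Mailbox |
    Format-Table Name,UseDatabaseQuotaDefaults,IssueWarningQuota,ProhibitSendQuota -AutoSize
```

The pattern (filter, preview with -WhatIf, apply with per-object error capture, verify with the same filter) is the same whatever Set-* cmdlet sits at the end of the pipeline, and it is what keeps a typo in the filter from becoming an organization-wide change.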


Demonstration: How to Manage Multiple Recipients

Key Points
Exchange Management Shell provides several features that you can use to perform bulk recipient management. For relatively simple tasks, you can pipe output between cmdlets to retrieve a list of appropriate objects, and then you can modify them. You can use scripting for complex tasks, such as creating users from a .csv file.

Demonstration Steps
1. The instructor will run the following cmdlets:

    Get-User -Filter {Company -eq "Fourth Coffee"}
    Disable-Mailbox Jane
    Get-User -Filter {Company -eq "Fourth Coffee"} | Enable-Mailbox -Database "Mailbox Database 1"


2. The instructor will run the following script. The script will create mailboxes based on information provided in a .csv file.

    ## Section 1
    ## Define Database for new mailboxes
    $db="Mailbox Database 1"
    ## Define User Principal name
    $upndom="Adatum.com"

    ## Section 2
    ## Import csv file into variable $users
    $users = import-csv $args[0]

    ## Section 3
    ## Function to convert password string to secure string
    function SecurePassword([string]$plainPassword)
    {
        $secPassword = new-object System.Security.SecureString
        Foreach($char in $plainPassword.ToCharArray())
        {
            $secPassword.AppendChar($char)
        }
        $secPassword
    }

    ## Section 4
    ## Create new mailboxes and users
    foreach ($i in $users)
    {
        $sp = SecurePassword $i.password
        $upn = $i.FirstName + "@" + $upndom
        $display = $i.FirstName + " " + $i.LastName
        New-Mailbox -Password $sp -Database $db -DisplayName $display -UserPrincipalName $upn `
            -Name $i.FirstName -FirstName $i.FirstName -LastName $i.LastName -OrganizationalUnit $i.OU
    }

3. In Exchange Management Console, verify that the users listed in the .csv file have been created.
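The same CSV-driven mailbox creation with the checks a production run needs, as an added example that is not the course's CreateUsersLab.ps1. The file path, database, OU and column names (FirstName, LastName, Password) are the ones the lab's Exercise 4 specifies; the naming rule (alias is first and last name with no space, display name with a space, UPN is first name at adatum.com) is the one the lab's Task 2 asks for; the canonical OU path form and the decision to force a password change at first logon are assumptions:

```powershell
## Added example (not the course's CreateUsersLab.ps1): CSV-driven mailbox
## creation with input validation, per-row error capture and a summary.
## Path, database, OU and column names follow the lab; the OU path form
## and the first-logon password reset are assumed.
param(
    [string]$CsvPath   = "D:\Labfiles\Users.csv",
    [string]$Database  = "Mailbox Database 1",
    [string]$UpnDomain = "adatum.com",
    [string]$OU        = "Adatum.com/AdventureWorks"
)

## Section 1: load and validate the input before touching the directory.
## @( ) forces an array so a one-row file still indexes correctly.
$users = @(Import-Csv -Path $CsvPath)
if ($users.Count -eq 0) { throw "$CsvPath contains no rows" }
$columns  = $users[0].PSObject.Properties | ForEach-Object { $_.Name }
$required = "FirstName","LastName","Password"
$missing  = $required | Where-Object { $columns -notcontains $_ }
if ($missing) { throw "$CsvPath is missing column(s): $($missing -join ', ')" }

## Section 2: create one mailbox per row. The alias (first+last, no space)
## is used as -Name so that two people who share a first name do not
## collide the way the original script's -Name $i.FirstName would.
$created = @()
$failed  = @()
foreach ($u in $users) {
    $alias   = ($u.FirstName + $u.LastName) -replace '[^A-Za-z0-9]', ''
    $display = "$($u.FirstName) $($u.LastName)"
    $upn     = "$($u.FirstName)@$UpnDomain"

    # The HR export holds passwords in clear text. Convert straight to a
    # SecureString and force a change at first logon so the value in the
    # file stops being valid as soon as the person signs in.
    $sp = ConvertTo-SecureString -String $u.Password -AsPlainText -Force

    if (Get-Recipient -Identity $alias -ErrorAction SilentlyContinue) {
        $failed += New-Object PSObject -Property @{ User = $alias; Error = "recipient already exists" }
        continue
    }
    try {
        New-Mailbox -Name $alias -Alias $alias -DisplayName $display `
            -FirstName $u.FirstName -LastName $u.LastName `
            -UserPrincipalName $upn -Password $sp -ResetPasswordOnNextLogon $true `
            -Database $Database -OrganizationalUnit $OU -ErrorAction Stop | Out-Null
        $created += $alias
    } catch {
        $failed += New-Object PSObject -Property @{ User = $alias; Error = $_.Exception.Message }
    }
}

## Section 3: report. Rows in $failed can be corrected and re-run; rows that
## succeeded are skipped on the second pass by the "already exists" check.
"Created: $($created.Count)  Failed: $($failed.Count)"
$failed | Format-Table User,Error -AutoSize
```

Run it from the Exchange Management Shell as D:\Labfiles\CreateUsersLab.ps1 with no arguments to use the lab's defaults, or pass -CsvPath and -OU to point it at a different export. Because the password column is the only secret in the file, delete or re-permission Users.csv once the run is confirmed.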

Question: Which tasks will you automate with PowerShell scripts?


Lab: Managing Exchange Recipients

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-CL1 virtual machines are running.
   • 10135A-VAN-DC1: Domain controller in the Adatum.com domain.
   • 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
   • 10135A-VAN-CL1: Windows 7 client computer in the Adatum.com domain.
3. If required, connect to the virtual machines. Log on to the computers as Adatum\Administrator, using the password Pa$$w0rd.


Lab Scenario
You are the messaging administrator for A. Datum Corporation. Your company is purchasing a new company called Adventure Works. Adventure Works recipients will need to maintain a separate e-mail domain and address list. You also must create new mailboxes for the new department's employees.


Exercise 1: Managing Recipients


Scenario
Your manager wants you to complete several tasks in preparation for the Adventure Works acquisition project. The main tasks for this exercise are:
1. Create and configure a mailbox called Adventure Works Questions.
2. Create a resource mailbox and configure auto-accept settings for the Adventure Works Project Room.
3. Move George Schaller's mailbox to VAN-EX1\Mailbox Database 1.
4. Create and configure a mail-enabled contact for Ian Palangio at Woodgrove Bank.
5. Create a moderated distribution list for Adventure Works Project, and delegate an administrator.

Task 1: Create and configure a mailbox called Adventure Works Questions


1. On VAN-EX1, open the Exchange Management Console.
2. Create a new mailbox named Adventure Works Questions in the Mailbox Database 1 database. Configure a user logon name of AdventureWksQ, and a password of Pa$$w0rd.
3. Assign George Schaller full access to the Adventure Works Questions mailbox.

Task 2: Create a resource mailbox, and configure auto-accept settings for the ProjectRoom
1. In Exchange Management Console, create a new room mailbox named ProjectRoom in the Mailbox Database 1 database. Configure a user logon name of ProjectRoom, and a password of Pa$$w0rd.
2. Enable the Booking Attendant on ProjectRoom.


Task 3: Move George Schaller's mailbox to VAN-EX1\Mailbox Database 1

In Exchange Management Console, create a new local move request to move George Schaller's mailbox to VAN-EX1\Mailbox Database 1.

Task 4: Create and configure a mail-enabled contact for Ian Palangio at Woodgrove Bank
In Exchange Management Console, create a new mail-enabled contact for Ian Palangio, using an alias of IanPalangioWB and an e-mail address of ian.palangio@woodgrovebank.com.

Task 5: Create a moderated distribution list for the Adventure Works Project, and delegate an administrator
1. In Exchange Management Console, create a new distribution group called Adventure Works Project with an alias of AdventureWorksProject.
2. Add the following recipients to the Adventure Works Project group:
   • George Schaller
   • Ian Palangio
   • Wei Yu
   • Paul West
3. Specify George Schaller as the group moderator, and enable moderation of all messages.


Task 6: Verify that changes were completed successfully


1. Log on to VAN-CL1 as Administrator, and open Outlook.
2. Create and send a new meeting request. Invite the Adventure Works Project group, and specify ProjectRoom as the room.
3. On VAN-EX1, open Outlook Web App, log on as Adatum\George, using the password Pa$$w0rd, and accept the meeting request message. Send the response now.

Results: After this exercise, you should have completed all of the assigned tasks, which include creating a mailbox, creating a resource mailbox, moving a mailbox, creating a contact, and creating a moderated distribution group.


Exercise 2: Configuring E-Mail Address Policies


Scenario
Adventure Works maintains a distinct identity for customers, but some functions, such as accounting, are integrated with A. Datum Corporation. To ensure that users receive all e-mail properly, they must be able to receive e-mail at all domains, but use their own domain as the reply-to address. The main tasks for this exercise are:
1. Create an e-mail address policy for Adventure Works users.
2. Verify that addresses were applied to A. Datum users.

Task 1: Create an e-mail address policy for Adventure Works users


1. On VAN-EX1, open the Exchange Management Console.
2. Create a new e-mail address policy with the following configuration:
   a. Apply to all recipients with a company attribute of Adventure Works in the Adatum.com domain.
   b. SMTP address: first name.last name@adventure-works.com.
   c. Accepted domain: Adventure-works.com.

Task 2: Verify that addresses are applied correctly


1. In the Exchange Management Console, view the properties for George Schaller, and modify his company description to Adventure Works.
2. Confirm that George Schaller has an e-mail address using the adventure-works.com domain.

Results: After this exercise, you should have created an e-mail address policy for Adventure Works users.


Exercise 3: Configuring Address Lists


Scenario
New address lists and offline address books are necessary to organize the address books for users in the combined A. Datum and Adventure Works organization. However, each organization requires a separate address list to make it easier to find users. You also must create a new offline address book that includes those address lists to support sales people with portable computers. The main tasks for this exercise are:
1. Create an empty container address list named Companies.
2. Create a new address list for Adventure Works recipients.
3. Create a new address list for A. Datum recipients.
4. Verify the new address list is available in Outlook.
5. Create a new offline address book for the Adventure Works address list.

Task 1: Create an empty container address list named Companies


1. On VAN-EX1, open the Exchange Management Console.
2. In the Mailbox node of the Organization Configuration work center, create a new address list named Companies with no recipients.

Task 2: Create a new address list for Adventure Works recipients


Create a new address list named Adventure Works in the Companies container for all recipients whose Company attribute is Adventure Works.

Task 3: Create a new address list for A. Datum Corporation recipients


Create a new address list named A Datum in the Companies container for all recipients whose Company attribute is A. Datum.


Task 4: Verify the new address list is available in Outlook


1. Log on to VAN-CL1 as Administrator, and open Outlook.
2. Verify that the address book contains the address lists for A. Datum and Adventure Works.
3. Log off VAN-CL1.

Task 5: Create a new offline address book for the Adventure Works address list to support both Office Outlook 2003 and Outlook 2007 clients
1. On VAN-EX1, open Exchange Management Console.
2. Create a new offline address book named Companies with the Adventure Works and A. Datum address lists, and enable distribution through both Web-based distribution and public folders. Use the OAB folder on VAN-EX1 for Web-based distribution.
3. Close the Exchange Management Console.

Results: After this exercise, you should have created an address list for the A. Datum and Adventure Works users, and an offline address book for each organization.


Exercise 4: Performing Bulk Recipient Management Tasks


Scenario
Your manager left you a number of recipient management tasks to complete for the new Adventure Works users:
• Add a header line to the .csv file exported from the Human Resources (HR) system.
• Modify the CreateUsersLab.ps1 script, and import Adventure Works users from a .csv file.
• Define mailbox limits for all users in the Adventure Works company.

The main tasks for this exercise are:
1. Add a header line to the .csv file exported from the Human Resources (HR) system.
2. Modify the CreateUsersLab.ps1 script to import Adventure Works users from a .csv file.
3. Create the AdventureWorks OU in the Adatum.com domain.
4. Run CreateUsersLab.ps1 to import Adventure Works users from a .csv file.
5. Define mailbox limits for all Adventure Works company users.

Task 1: Add a header to the .csv file exported from the HR system
1. On VAN-EX1, open D:\Labfiles\Users.csv in Notepad.
2. Add a header line that defines each column:
   FirstName,LastName,Password
3. Save the changes to Users.csv, and close Notepad.


Task 2: Modify the CreateUsersLab.ps1 script to import Adventure Works users from a .csv file
1. Open D:\Labfiles\CreateUsersLab.ps1 in Notepad.
2. Modify CreateUsersLab.ps1 as required to:
   • Configure the database to create users as Mailbox Database 1.
   • Configure the user principal name to be adatum.com.
   • Place users in the AdventureWorks OU.
   • Configure the .csv import file to be D:\Labfiles\Users.csv.
   • Configure the $pwd to be based on the password field in the Users.csv.
   • Configure the first and last name.
   • Configure the user principal name (UPN) as first name@adatum.com.
   • Configure the alias to be the first name and last name, with no space between the names.
   • Configure the display name to be the first name and last name, with a space between the names.
3. Save the changes to CreateUsersLab.ps1, and close Notepad.

Task 3: Create the AdventureWorks Organizational Unit


1. Open Active Directory Users and Computers.
2. Create an OU named AdventureWorks.

Task 4: Run CreateUsersLab.ps1 to import the Adventure Works Users


1. Open the Exchange Management Shell.
2. Run D:\Labfiles\CreateUsersLab.ps1.


Task 5: Set mailbox limits for all Adventure Works users


1. Run the Get-Mailbox cmdlet to retrieve a list of all Adventure Works users:
   OrganizationalUnit: AdventureWorks
2. Set mailbox limits by piping the list of mailboxes to the Set-Mailbox cmdlet:
   IssueWarningQuota: 100MB
   ProhibitSendQuota: 150MB

Results: After this exercise, you should have created all of the additional Adventure Works users with an Exchange Management Shell script, and then have set the storage quota.
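The import and quota steps of Exercise 4, written out as an added example (this is not the lab's CreateUsersLab.ps1). It assumes the header FirstName,LastName,Password in Users.csv, the OU path adatum.com/AdventureWorks, and the database name Mailbox Database 1.

```powershell
# Added example (not the lab's CreateUsersLab.ps1): create the Adventure Works
# mailboxes from the HR export, then apply the Exercise 4 quotas.
# Assumptions: Users.csv carries the header FirstName,LastName,Password; the
# OU is adatum.com/AdventureWorks; the database is "Mailbox Database 1".

$csvPath   = "D:\Labfiles\Users.csv"
$database  = "Mailbox Database 1"
$ou        = "adatum.com/AdventureWorks"
$upnSuffix = "adatum.com"

foreach ($u in (Import-Csv -Path $csvPath)) {
    $first = $u.FirstName.Trim()
    $last  = $u.LastName.Trim()

    # An alias may not contain spaces or most punctuation, so keep only
    # letters and digits (O'Brien becomes OBrien).
    $alias = "$first$last" -replace '[^A-Za-z0-9]', ''

    # The HR export holds the initial password in clear text. Convert it for
    # New-Mailbox and force a change at first logon, so the value left in the
    # .csv stops being a usable credential once the user has signed in.
    $password = ConvertTo-SecureString -String $u.Password -AsPlainText -Force

    New-Mailbox -Name "$first $last" `
        -FirstName $first -LastName $last `
        -DisplayName "$first $last" `
        -Alias $alias `
        -UserPrincipalName "${first}@${upnSuffix}" `
        -OrganizationalUnit $ou `
        -Database $database `
        -Password $password `
        -ResetPasswordOnNextLogon $true
}

# Task 5: quotas for every mailbox in the AdventureWorks OU. Per-mailbox
# quotas are ignored while UseDatabaseQuotaDefaults is $true, so it is
# cleared in the same call.
Get-Mailbox -OrganizationalUnit "AdventureWorks" -ResultSize Unlimited |
    Set-Mailbox -IssueWarningQuota 100MB `
                -ProhibitSendQuota 150MB `
                -UseDatabaseQuotaDefaults $false

# Check: nothing in the OU should still inherit the database quota defaults.
Get-Mailbox -OrganizationalUnit "AdventureWorks" -ResultSize Unlimited |
    Where-Object { $_.UseDatabaseQuotaDefaults } |
    Format-Table Name, IssueWarningQuota, ProhibitSendQuota -AutoSize
```

Delete or restrict access to Users.csv once the import has completed; it still contains the initial passwords.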

To Prepare for the Next Module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.


7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.

Important: If you are using Windows Server 2008 R2 as the host operating system, complete the following steps before starting VAN-CL1.
1. In the Hyper-V Management console, in the Virtual Machines pane, right-click 10135A-VAN-CL1, and click Settings.
2. Click Network Adapter, and select the Enable spoofing of MAC addresses check box. Click OK.
This step is required in order for the Windows Mobile Device emulator to communicate on the virtual network.

8. Wait for VAN-EX2 to start, and then start VAN-CL1. Connect to the virtual machine.


Module Review and Takeaways

Review Questions
1. How would you ensure that meeting requests to room mailboxes are validated manually before being approved?
2. How would you give access to allow a user to send messages from another mailbox, without giving them access to the mailbox contents?
3. What should you consider when configuring offline address book distribution?


Common Issues Related to Configuring Offline Address Books


Identify the causes for the following common issues related to configuring offline address books, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue: The offline address book is not up-to-date with changes made during the day.
Troubleshooting tip: Check to make sure that the offline address book is scheduled to be generated more than one time each day.

Issue: Outlook 2003 clients are not able to download the offline address book.
Troubleshooting tip: Check to make sure the offline address book is being distributed in a public folder.

Real-World Issues and Scenarios


1. A company has two large divisions and one Exchange Server organization. Employees in each division rarely communicate with each other. What can you do to reduce the number of recipients the employees of each division see when they open the Exchange address list?
2. An organization has a large number of projects that leverage distribution groups. Managing group members takes considerable time. You need to reduce the time the help desk spends managing groups so that they can work on other issues.
3. You employ contractors that need an e-mail address from your company. The company needs to enable the contractors to receive these messages in their current third-party mailboxes.


Best Practices Related to Managing Recipient Objects


Supplement or modify the following best practices for your own work situations:
• Define clear naming conventions and adhere to them. Naming conventions help identify the location and purpose of recipient objects, and help both end users and administrators locate recipients easily.
• Test global changes prior to making them in production. Changes to global settings, like e-mail address policies, should be tested in a lab environment before you make changes in production. This avoids configuration errors.


Module 4
Managing Client Access
Contents:
Lesson 1: Configuring the Client Access Server Role 4-3
Lesson 2: Configuring Client Access Services for Outlook Clients 4-28
Lab A: Configuring Client Access Servers for Outlook Anywhere Access 4-53
Lesson 3: Configuring Outlook Web App 4-60
Lesson 4: Configuring Mobile Messaging 4-74
Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync 4-85


Module Overview

Microsoft Exchange Server 2010 provides access to user mailboxes for many different clients. All messaging clients access Exchange Server mailboxes through a Client Access server. Because of the importance of this server role, you must understand how to configure it to support all different client types. This module provides details on how to implement the Client Access server role in Exchange Server 2010.

After completing this module, you will be able to:
• Configure the Client Access server role.
• Configure Client Access services for Outlook clients.
• Configure Microsoft Office Outlook Web App.
• Configure mobile messaging.


Lesson 1

Configuring the Client Access Server Role

You can implement the Client Access server role on an Exchange server that has other roles, except the Edge Transport server role. Alternatively, you can deploy the Client Access server role on one or more dedicated servers. In many organizations, the Client Access server is accessible from the Internet, so securing the Client Access servers is an important part of deployment. This lesson describes the process for deploying and securing a Client Access server.

After completing this lesson, you will be able to:
• Describe how client access works in Exchange Server 2010.
• Describe how client access works with multiple sites.
• Describe the Client Access server deployment options.
• Configure a Client Access server.
• Secure a Client Access server.


• Explain Client Access server deployment considerations.
• Configure Client Access server certificates.
• Describe the configuration options for Post Office Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) client access.
• Describe how to configure the Client Access server for secure Internet access.


How Client Access Works

Key Points
In Exchange Server 2010, all messaging clients connect to a Client Access server when accessing an Exchange Server mailbox. For users to access their mailbox, you must deploy a Client Access server in the same site as the Mailbox server.

Important: In Exchange Server 2007 or earlier Exchange Server versions, MAPI clients such as Microsoft Office Outlook connect directly to Mailbox servers. In Exchange Server 2010, with the introduction of the Remote Procedure Call (RPC) Client Access service, MAPI clients no longer connect directly to the Mailbox servers for mailbox access.


How Client Access Servers Work


The following steps describe what happens when a messaging client connects to the Client Access server:
1. If the client connects from the Internet using a non-MAPI connection, then the client connects to the Client Access server using the client protocol. Only the protocol ports for client connections must be available on the external firewall. If the client connects from the internal network using Office Outlook configured as a MAPI client, then the client connects to the Client Access server using MAPI RPC connections.
2. The Client Access server connects to a Microsoft Active Directory directory service domain controller by using Kerberos to authenticate the user. Internet Information Services (IIS) or the RPC Client Access service on the Client Access server performs the authentication.
3. The Client Access server uses a Lightweight Directory Access Protocol (LDAP) request to a global catalog server to locate the Mailbox server that manages the user's mailbox.
4. The Client Access server connects to the Mailbox server using a MAPI RPC to submit messages to the mailbox database, or to read messages.


How Client Access Works with Multiple Sites

Key Points
Deploying Client Access servers in an environment with multiple Active Directory sites adds complexity to deployment planning, particularly when you consider the options for providing Internet access to those Client Access servers.

How Client Access Works with Multiple Internet Access Points


If you have multiple Active Directory sites, you can provide Internet access to each site's Client Access servers. To enable this option, you must configure an external URL for each Client Access server. You also must ensure that clients can resolve the URL name in the Domain Name System (DNS) and can connect to the Client Access server using the appropriate protocol.


When an Internet client connects to the Client Access server from the Internet in this scenario, the Client Access server authenticates the user, and then queries a global catalog server for the user mailbox location. At this point, the Client Access server has two options:
1. If the user's mailbox is located in the same site as the Client Access server, then the Client Access server connects to the Mailbox server to fulfill the client request.
2. If the user's mailbox is located in a different site from the Client Access server, the Client Access server contacts a domain controller to locate the Client Access server in the site where the user mailbox is located. If you configure that Client Access server with an external URL, then the Client Access server redirects the client request to the Client Access server in the site that contains the user mailbox. If you do not configure an external URL for the Client Access server in the site that contains the user mailbox, the Client Access server receiving the request proxies the client request to the Client Access server in the appropriate site.

Note: Exchange Server 2010 can redirect only Outlook Web App clients to another Client Access server in a different site. It proxies all other Client Access server client requests to a Client Access server in the same site as the user mailbox. To optimize access for non-Outlook Web App clients, you must configure the clients to connect directly to a Client Access server in the user's home site.

How Client Access Works with a Single Internet Access Point


The Client Access server in the site containing the user mailbox might not be accessible from the Internet, or it might not have an external URL configured. In this scenario, when the user connects to a Client Access server in a site that does not contain the user mailbox, the Client Access server proxies the client request to the Client Access server in the site where the user's mailbox is located. This proxy process uses the same protocol as the client. In the destination site, the Client Access server then uses RPC to connect to the Mailbox server managing the user mailbox.


For the Client Access server to proxy the client request, you must configure the Client Access servers that are not accessible from the Internet to use Integrated Windows authentication. Exchange Server supports proxying for clients that use Outlook Web App, Microsoft Exchange ActiveSync, and Exchange Web Services.

Best Practice: To optimize user mailbox access, you should enable Internet access to the Client Access servers in each site. This access is particularly important if you have slow network connections between Active Directory site locations.


Deployment Options for a Client Access Server

Key Points
When planning your Client Access server deployment, you must meet certain requirements to ensure a successful deployment. Additionally, there are options for deploying Client Access servers in scenarios where servers require higher availability, or you have multiple sites.

Requirements for Client Access Server Deployment


When you deploy Client Access servers, you must meet the following requirements:
• You must have at least one Client Access server in each Active Directory site where you have Mailbox servers deployed.
• Client Access servers should have a fast network connection to Mailbox servers, to support RPC connectivity.


• Client Access servers should have a fast network connection to domain controllers and global catalog servers.
• If users need to access their mailboxes from the Internet through the Client Access server, then the server must be accessible from the Internet using HTTP or HTTPS, IMAP4, or POP3.

Best Practice: Because the server running the Client Access server role must be a member server in an Active Directory domain, you cannot deploy the Client Access server role in a perimeter network. Instead, use an application layer firewall, such as Microsoft Forefront Threat Management Gateway, to publish the Client Access server services to the Internet.

Options for Client Access Server Deployment


The Client Access server role performs a critical function in your Exchange Server organization. You have the following options when deploying the Client Access server role:
• You can deploy the Client Access server role on the same computer as all other Exchange Server 2010 server roles, except for the Edge Transport server role. Installing all server roles on a single server does not provide additional availability, and offers only limited scalability.
• You can deploy the Client Access server role on a dedicated server. This deployment provides additional scalability and performance benefits.
• You also can deploy multiple servers running the Client Access server role. To provide high availability for Client Access servers, you can deploy Network Load Balancing, or deploy a hardware network load balancer to manage connections to the Client Access servers. In Exchange Server 2010, you also can configure Client Access arrays to provide failover and redundancy. A Client Access array is a container object used by Exchange Server 2010 Client Access servers. When you deploy database availability groups (DAGs), Exchange Server 2010 uses Client Access arrays to track which mailbox databases are located in each Active Directory site, and to manage the client connection failovers to the local mailbox databases.


Note: You can install Client Access servers on Mailbox servers that are DAG members. However, just adding the Client Access server to a DAG member does not provide high availability for the Client Access server. To provide high availability for Client Access servers, you need to implement a Client Access array, and deploy a network load balancing solution. For more information on Client Access arrays, see Module 7, Implementing High Availability.


Demonstration: How to Configure a Client Access Server

Key Points
In this demonstration, you will see how to configure the global Client Access server settings, as well as the settings for each Client Access server in the organization.

Demonstration Steps
1. Open the Exchange Management Console.
2. In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Client Access. You apply settings to all Client Access servers and mailboxes while in the Organization Configuration node.
3. Review the default policies on the Outlook Web App Mailbox Policies and Exchange ActiveSync Mailbox Policies tabs.
4. In the left pane, expand Server Configuration, and then click Client Access.


5. Examine the properties of one of the listed Client Access servers. These properties display information only, and cannot be used to configure the server settings.
6. In the results pane, review the settings available on each of the tabs. These settings configure the Client Access server settings for the Client Access server virtual directories.

Question: Why would you create multiple Outlook Web App Mailbox policies or Exchange ActiveSync policies, rather than just use the default policies?

Question: Why would you modify the server settings on one Client Access server to be different from those on another Client Access server?


Securing a Client Access Server

Key Points
In many organizations, the Client Access server is accessible from the Internet for Outlook Anywhere, Outlook Web App, or Exchange ActiveSync clients. Therefore, it is critical that you ensure that the Client Access server that faces the Internet is as secure as possible.

Securing Communications Between Clients and Client Access Servers


To encrypt the network traffic between messaging clients and the Client Access server, you must secure the network traffic using Secure Sockets Layer (SSL). To configure the Client Access server to use SSL, complete the following steps:
1. Obtain and install a server certificate on the Client Access server. Ensure that the certificate name exactly matches the server name that users will use to access the Client Access server. Also ensure that the certificate that the Certification Authority (CA) issues is trusted by all of the client computers and mobile devices that will be accessing the server.
2. Configure the Client Access server virtual directories in IIS to require SSL.


Configuring Secure Authentication


Exchange Server 2010 provides several authentication options for clients communicating with the Client Access server. If the server has multiple authentication options enabled, it negotiates with the client to determine the most secure authentication method that both support.

Standard Authentication Options


The following standard authentication options are available on the Client Access server:
• Integrated Windows authentication. Integrated Windows authentication is the most secure standard authentication option.

Important: When using a single Internet-accessible Client Access server for all sites, you must enable Integrated Windows authentication on all of the Client Access servers that are not Internet accessible. For example, the outward-facing Outlook Web App server can use forms-based authentication, but the internal Client Access servers must be configured to allow Integrated Windows authentication.

• Digest authentication. Digest authentication secures the password by transmitting it as a hash value over the network.
• Basic authentication. Basic authentication transmits passwords in clear text over the network; therefore, you should always secure Basic authentication by using SSL encryption. Basic authentication is the authentication option that is most widely supported by clients.

Forms-Based Authentication
Forms-based authentication is available only for Outlook Web App and ECP. When you use this option, it replaces the other authentication methods. This is the preferred authentication option for Outlook Web App because it provides enhanced security. When you use forms-based authentication, Exchange Server uses cookies to encrypt the user logon credentials in the client computer's Web browser. Tracking the use of this cookie allows Exchange Server to time-out inactive sessions.


The time required before an inactive session times out varies depending on the computer type selected during logon. If you choose a public or shared computer, the session times out after 15 minutes of inactivity. If you choose a private computer, the session times out after 12 hours of inactivity.

Note: You can configure the time-out values for public and private computers by modifying the Client Access server registry. You can do this by using the Regedit utility, or the Set-ItemProperty cmdlet. For more information about how to configure these settings, see the Set the Forms-Based Authentication Private Computer Cookie Time-Out Value topic in Exchange Server 2010 Help.

Forms-based authentication is enabled by default for Outlook Web App, and for ECP.

Protecting the Client Access Server with an Application Layer Firewall


To provide an additional layer of security for network traffic and to protect the Client Access server, deploy an application-layer firewall or reverse proxy, such as Microsoft Internet Security and Acceleration (ISA) Server 2006 or Forefront Threat Management Gateway, between the Internet and the Client Access server. Application layer firewalls provide the following benefits:
• You can configure the firewall as the endpoint for the client SSL connection.
• You can offload SSL decryption to the firewall.
• If you use ISA Server 2006 or Forefront Threat Management Gateway as the application layer firewall, you can configure the firewall to pre-authenticate all client connections using forms-based authentication.

Note: If you use certificate-based authentication for Exchange ActiveSync, you must configure a server-publishing rule that forwards the client traffic to the Exchange Server computer without decrypting the packets on the ISA Server computer.
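The authentication split that the Important note above calls for (forms-based logon on the Internet-facing server, Integrated Windows authentication on the internal servers it proxies to), as an added example that is not part of the course. It assumes VAN-EX1 faces the Internet, VAN-EX2 is an internal Client Access server, and mail.adatum.com is a placeholder external name.

```powershell
# Added example (not from the course): configure Outlook Web App and ECP
# authentication for a single Internet access point.
# Assumptions: VAN-EX1 is Internet-facing, VAN-EX2 is internal, and
# https://mail.adatum.com/owa is a placeholder external URL.

$externalCas = "VAN-EX1"
$internalCas = "VAN-EX2"
$externalUrl = "https://mail.adatum.com/owa"

function Set-OwaAuthentication {
    param(
        [string]$Server,
        [bool]$FormsBased    # $true = forms-based logon, $false = Integrated Windows
    )
    # Exchange 2010 requires the OWA and ECP directories on a server to carry
    # the same authentication settings, so both are changed together.
    $owa = Get-OwaVirtualDirectory -Server $Server
    $ecp = Get-EcpVirtualDirectory -Server $Server
    foreach ($vdir in @($owa) + @($ecp)) {
        $params = @{
            Identity              = $vdir.Identity
            FormsAuthentication   = $FormsBased
            # Forms-based logon relays the credentials to IIS as Basic inside
            # the SSL session; Integrated Windows authentication replaces both.
            BasicAuthentication   = $FormsBased
            WindowsAuthentication = -not $FormsBased
            DigestAuthentication  = $false
        }
        if ($vdir.Name -like "owa*") { Set-OwaVirtualDirectory @params }
        else                         { Set-EcpVirtualDirectory @params }
    }
}

# Internet-facing server: forms-based authentication plus the external URL
# that other Client Access servers use when redirecting Outlook Web App clients.
Set-OwaAuthentication -Server $externalCas -FormsBased $true
Get-OwaVirtualDirectory -Server $externalCas |
    Set-OwaVirtualDirectory -ExternalUrl $externalUrl

# Internal server: Integrated Windows authentication only, so that the
# Internet-facing server can proxy client requests to it.
Set-OwaAuthentication -Server $internalCas -FormsBased $false

# Check: flag any Outlook Web App directory that offers Basic authentication
# without forms-based logon (clear-text credentials over plain HTTP if SSL is
# not enforced), or that accepts neither forms-based nor Integrated Windows
# logon (a server that can be neither published nor proxied to).
Get-OwaVirtualDirectory |
    Where-Object {
        ($_.BasicAuthentication -and -not $_.FormsAuthentication) -or
        (-not $_.FormsAuthentication -and -not $_.WindowsAuthentication)
    } |
    Format-Table Server, Name, FormsAuthentication, BasicAuthentication,
                 WindowsAuthentication -AutoSize

# The new settings take effect after IIS restarts on each server:
#   iisreset /noforce
```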


Considerations for Implementing Client Access Server Certificates

Key Points
Because of the importance of using SSL to secure network traffic between Client Access servers and messaging clients, you must ensure that you deploy the appropriate certificates on the Client Access servers. You can secure all client connections to the Client Access server using SSL.

Note: By default, the Client Access server is configured with a self-signed certificate that is not trusted by clients. You should remove this certificate and install a certificate from a trusted CA.


Choosing a Certification Authority


One of the most important considerations when planning the use of certificates is identifying the source of the certificates. Exchange Server 2010 can use self-signed certificates, certificates issued by a public CA, or certificates issued by a private CA.

In an Exchange Server 2010 environment, you can use the self-signed certificates for internal communication, such as for securing Simple Mail Transfer Protocol (SMTP) connections between Hub Transport servers. You also can use these certificates to secure client connections to Client Access servers. However, because none of the client computers trusts this certificate, we do not recommend this solution. Rather, you should consider obtaining a certificate from a public CA or internal CA for all Client Access servers.

In most cases, you should deploy a certificate issued by a public CA if users access the Client Access server from the Internet. If users access the Client Access server from the Internet, it is important that the clients trust this certificate, and that they have access to certificate revocation lists from any location. If only computers that are members of the internal domain access the Client Access server, you could consider using an internal, or private, CA. By deploying an Enterprise CA, you can automate the process of distributing and managing certificates and certificate revocation lists.

Note: If you are planning to enable Federated Sharing, you must obtain a certificate for your Internet-accessible Client Access servers from a public, trusted CA.

Identifying the Client Protocols Required


As you plan the certificate deployment, you need to determine the client protocols that are used to connect to the Client Access server, and ensure that your certificate is configured for each certificate type.


Planning the Certificate Names


For clients to connect to the Client Access server using SSL without receiving an error message, the names on the certificate must match the names that the clients use to connect to the server. You can implement this configuration by using the following options:
• Obtain a separate certificate for each client protocol that requires a unique name. This may require multiple certificates for all Client Access servers. This may also require multiple Web sites in IIS. This is the most complicated option to configure.
• Configure all clients to use the same server name. For example, you could configure all clients to use the server name mail.contoso.com, and obtain a certificate for just that one name.
• Obtain a certificate with multiple subject alternative names. Most public CAs support the use of multiple names in the certificate's subject alternative name extension. When you use one of these certificates, clients can connect to the Client Access server using any of the names listed in the subject alternative name.
• Use a certificate with a wildcard name. Most public CAs also support the use of wildcards in the certificate request. For example, you could request a certificate using the subject of *.contoso.com, and use that certificate for client connections.

Note: Not all clients support wildcard certificates. Microsoft Outlook, Microsoft Internet Explorer, and Windows Mobile 6 or newer clients support wildcard certificates, but you need to verify this functionality for all messaging clients that are used in your organization before deploying these certificates. Deploying wildcard certificates is also considered a security risk in many organizations because the certificate can be used for any server name in the domain. If this certificate is compromised, all host names for the organization are also compromised.


Demonstration: How to Configure Certificates for Client Access Servers

Key Points
In this demonstration, you will see how to configure a Windows Server 2008 Certification Authority to support certificate requests with multiple subject alternative names. You will then see how to use the New Exchange Certificate Wizard to request a certificate for a Client Access server, and how to install that certificate.

Demonstration Steps
By default, the Windows Server 2008 Certification Authority does not issue certificates with multiple subject alternative names, so you will need to modify the server configuration. To enable the CA to issue these certificates, perform the following steps:
1. Run the following command, and then restart the Certificate Services:
   certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2


2. On the Exchange server, open the Exchange Management Console, select Server Configuration, and then click Client Access.
3. Click Configure External Client Access Domain, and configure the external domain name for Client Access servers in the organization.
4. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard. This wizard helps you determine what type of certificates you need for your Exchange organization.
5. On the Introduction page, enter a user-friendly name for your certificate.
6. On the Domain Scope page, do not select the Enable wildcarding for this certificate check box.
7. On the Exchange Configuration page, configure the certificate request to include Outlook Web App on the Internet and Intranet, Exchange ActiveSync, and Autodiscover.
8. On the Certificate Domains page, accept the names that will be added to the certificate request.
9. On the Organization and Location page, enter information about your Exchange organization. Click the Browse button to select a location for the certificate request file, and enter the desired file name.
10. On the Certificate Completion page, verify that all the information you have entered is correct. If it is, click the New button.
11. On the Completion page, click Finish.
12. Provide the certificate request file to your CA. After the certificate has been issued, complete the certificate installation process.
13. In the Exchange Management Console, select Server Configuration.
14. In the Actions pane, click Complete Pending Request.
15. Import the certnew.cer file.
16. In the Actions pane, click Assign Services to Certificate.
17. Assign the certificate to Internet Information Services on VAN-EX1.

Managing Client Access


Question: What would you need to change in this procedure if you were also enabling secure access to IMAP4 using a server name of IMAP4?

Question: How would this process change if you were requesting a certificate from an external, public CA?


Options for Configuring POP3 and IMAP4 Client Access

Key Points
By default, Exchange Server 2010 supports POP3 and IMAP4 client connections, but the services are set to start manually. If you want to enable user access for these protocols, you must start the services and configure them to start automatically.

Configuration Options
If you choose to enable POP3 or IMAP4 access, you can configure the following settings.
Bindings. Enables the configuration of the local server addresses and ports that will be used for unencrypted or TLS connections, and for SSL connections.

Authentication. Enables the configuration of supported authentication options. Supported options include basic authentication, Integrated Windows authentication, and secure logon requiring TLS. The default setting is secure logon.

Connection settings. Enables the configuration of server settings, such as time-out settings, connection limits, and the command relay or proxy target port (used for connections to an Exchange Server 2003 back-end server).

Retrieval settings. Enables the configuration of the message formats used for these protocols, and for configuring how clients will retrieve calendar requests.

User access. On each user account, you can enable or disable access for the POP3 and IMAP4 protocols. By default, all users are enabled for access.
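The settings in the table map directly onto Set-ImapSettings, Set-PopSettings and Set-CASMailbox. The following is an added example, not part of the course text: it enables IMAP4 so that clients must negotiate TLS or SSL before logging on, keeps POP3 off, and audits which mailboxes can use either protocol. It assumes VAN-EX1 from the course, a certificate issued to mail.adatum.com, and two assumed mailboxes named Anna and Luca.

```powershell
# Added example (not part of the course): enable IMAP4 on a Client Access server so
# that clients must negotiate TLS/SSL before they log on, leave POP3 disabled for
# everyone, and audit per-user protocol access. Assumes VAN-EX1 from the course and
# a certificate issued to mail.adatum.com (the earlier certificate topic).

$server   = "VAN-EX1"
$certName = "mail.adatum.com"

# The IMAP4 service is installed with a Manual startup type; make it start automatically.
Set-Service -Name MSExchangeIMAP4 -StartupType Automatic

# Bindings: 143 for STARTTLS (unencrypted-or-TLS), 993 for implicit SSL.
# LoginType SecureLogin rejects any logon attempted before the connection is encrypted,
# which is the difference between "TLS available" and "TLS required".
Set-ImapSettings -Server $server `
    -UnencryptedOrTLSBindings "0.0.0.0:143" -SSLBindings "0.0.0.0:993" `
    -X509CertificateName $certName `
    -LoginType SecureLogin `
    -MaxConnections 2000 -MaxConnectionsPerUser 16 `
    -ProtocolLogEnabled $true      # keep a protocol log for incident review
Restart-Service -Name MSExchangeIMAP4

# POP3 stays at its default (service Manual, not started); also switch it off per mailbox
# so that a later service start does not silently expose it.
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.PopEnabled } |
    Set-CASMailbox -PopEnabled $false

# Allow IMAP4 only for a named set of users (assumed mailboxes); everyone else is off.
$imapUsers = "Anna", "Luca"
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -ImapEnabled ($imapUsers -contains $_.Name)
}

# Audit: what is actually exposed now?
Get-ImapSettings -Server $server |
    Format-List LoginType, SSLBindings, UnencryptedOrTLSBindings, X509CertificateName
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Format-Table Name, ImapEnabled, PopEnabled -AutoSize
```

The per-mailbox switch is the control that matters: the default of "all users enabled" means that simply starting the POP3 service publishes every mailbox over that protocol, so disable it per user before the service is ever started.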


Configuring the Client Access Server for Internet Access

Key Points
To enable access to the Client Access server from the Internet, you need to complete the following steps:
1. Configure the external URLs for each of the required client options. You can configure all of the Client Access server Web server-based features with an external URL. This URL is used to access the Web site from external locations. By default, the external URL is blank. For Internet-facing Client Access servers, the external URL should be configured to use the name published in DNS for that Active Directory site. The external URL should also use the same name as the one used for the server certificate. For Client Access servers that will not have an Internet presence, the setting should remain blank.
2. Configure external DNS name resolution. For each Client Access server that you are exposing to the Internet, you need to verify that the host name can be resolved on the Internet.
3. Configure access to the Client Access server virtual directories. Each of the client access methods uses a different virtual directory. If you are using a standard firewall or application layer firewall that filters client requests based on the virtual directory, you need to ensure that all virtual directories are accessible through the firewall.
4. Implement SSL certificates with multiple subject alternative names. If you are using multiple host names for the Client Access services, or if you are publishing Autodiscover to the Internet, then ensure that the SSL certificates that you deploy on each Client Access server have the required server names listed in the subject alternative name extension.
5. Plan for Client Access server access with multiple sites. If your organization has multiple locations and Active Directory sites, and you are deploying Exchange servers in each site, your first decision is whether you will make the Client Access servers in each site accessible from the Internet. If you choose not to make the Client Access server accessible, you should not configure an external URL for it. All client requests to that server will then be proxied from an Internet-accessible Client Access server.
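Steps 1 and 4 are easy to get out of sync: an external URL that names a host not in the certificate produces certificate warnings for every client. The following is an added example, not part of the course text: it sets the external URLs of an Internet-facing server consistently, clears them on an internal-only server, and then checks every external URL host name against the certificate bound to IIS. It assumes VAN-EX1 is Internet-facing, VAN-EX2 is internal only, and mail.adatum.com is the published name.

```powershell
# Added example (not part of the course): set the external URLs of an Internet-facing
# Client Access server consistently, then check that every host name used in an
# external URL is covered by the certificate bound to IIS. Assumes VAN-EX1 (Internet-
# facing), VAN-EX2 (internal only) and the external name mail.adatum.com.

$server  = "VAN-EX1"
$extHost = "mail.adatum.com"

Set-OwaVirtualDirectory         -Identity "$server\owa (Default Web Site)" -ExternalUrl "https://$extHost/owa"
Set-EcpVirtualDirectory         -Identity "$server\ecp (Default Web Site)" -ExternalUrl "https://$extHost/ecp"
Set-ActiveSyncVirtualDirectory  -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
                                -ExternalUrl "https://$extHost/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" -ExternalUrl "https://$extHost/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$server\OAB (Default Web Site)" -ExternalUrl "https://$extHost/OAB"

# The internal-only server keeps blank external URLs; Internet clients whose mailbox
# is behind it are proxied through VAN-EX1.
Set-OwaVirtualDirectory -Identity "VAN-EX2\owa (Default Web Site)" -ExternalUrl $null

function Test-ExternalUrlCertificate {
    # Returns one row per virtual directory with an external URL, flagging any host
    # name that the IIS certificate (SAN list, or a wildcard entry) does not cover.
    param([string]$Server)
    $cert      = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match "IIS" }
    $certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $vdirs = @(Get-OwaVirtualDirectory -Server $Server) + @(Get-EcpVirtualDirectory -Server $Server) +
             @(Get-ActiveSyncVirtualDirectory -Server $Server) +
             @(Get-WebServicesVirtualDirectory -Server $Server) + @(Get-OabVirtualDirectory -Server $Server)
    foreach ($vd in $vdirs) {
        if (-not $vd.ExternalUrl) { continue }
        $name     = $vd.ExternalUrl.Host.ToLower()
        $wildcard = @($certNames | Where-Object { $_.StartsWith("*.") -and $name.EndsWith($_.Substring(1)) })
        New-Object PSObject -Property @{
            VirtualDirectory = $vd.Identity.ToString()
            ExternalHost     = $name
            CoveredByCert    = (($certNames -contains $name) -or ($wildcard.Count -gt 0))
        }
    }
}

Test-ExternalUrlCertificate -Server $server | Format-Table VirtualDirectory, ExternalHost, CoveredByCert -AutoSize
```

Run the check again whenever the certificate is renewed or a virtual directory is re-created, since both operations reset one side of the pairing.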


Lesson 2

Configuring Client Access Services for Outlook Clients

The Client Access servers in Exchange Server 2010 provide several services for Office Outlook clients. For the most part, these services are enabled by default for Outlook clients on the internal network, but you may need to modify some of the settings. Additionally, you can make some of these services available to Outlook clients connecting to the Exchange servers from outside the environment. In this case, you need to enable these features, and ensure that they are configured correctly.

After completing this lesson, you will be able to:
• Describe the services provided by a Client Access server for Outlook clients.
• Describe the RPC client access services feature.
• Describe Autodiscover functionality.
• Configure Autodiscover.
• Describe the Availability Service, and its purpose.
• Explain the MailTips purpose and functionality.
• Configure MailTips.
• Describe the Outlook Anywhere functionality.
• Configure Outlook Anywhere.
• Explain how to troubleshoot Outlook client connectivity.


Services Provided by a Client Access Server for Outlook Clients

Key Points
In Exchange Server 2010, the Client Access server role provides critical services for all messaging clients, including Office Outlook clients. The following table lists the services provided for Outlook clients:
RPC Client Access services. Enables MAPI clients such as Outlook to connect to user mailboxes. The client connects to the Client Access server using a MAPI connection.

Autodiscover. The Autodiscover service configures client computers that are running Outlook 2007 or later, or supported mobile devices. The Autodiscover process configures the Outlook client profile, including the mailbox server, Availability service, and offline address book download locations.

Availability. The Availability service is used to make free/busy information available for Outlook 2007 and Outlook Web App clients. The Availability service retrieves free/busy information from Mailbox servers or public folders, and presents the information to the clients.

MailTips. The MailTips feature provides notifications for users regarding potential issues with sending a message, before they send the message.

Offline Address Book download. The Client Access server makes the offline address book available through a Web service. Only Microsoft Office Outlook 2007 or later clients are capable of retrieving OABs from a Web service.

ECP. The ECP is a Web-based management interface that can be used to enable self-service for mailbox users, and enables users to perform specific management tasks without having access to the entire Exchange management interface.

Exchange Web Services. Exchange Web Services enables client applications to communicate with the Exchange server. You also can access Exchange Web Services programmatically. It provides access to much of the same data made available through Office Outlook. Exchange Web Services clients can integrate Outlook data into line-of-business (LOB) applications.

Outlook Anywhere. Outlook Anywhere enables Outlook 2003 or later clients to access the user mailbox by using RPCs encapsulated in an HTTP or HTTPS packet. This enables secure access to user mailboxes from clients located on the Internet.


What Is RPC Client Access Services?

Key Points
One of the most significant architectural changes in Exchange Server 2010 is that the Client Access server now supports all client connections, including MAPI client connections from Outlook clients. In previous Exchange Server versions, Outlook configured as a MAPI client always connected to the Mailbox server directly, rather than connecting to a front-end or Client Access server. In Exchange Server 2010, all clients connect to the Client Access server role, regardless of the client protocol used.

How RPC Client Access Services Works


Because of the change in the messaging architecture, the client communication with the mailbox server has changed in the following way:
• In Exchange Server 2010, when a MAPI client starts, it connects to a Client Access server. The client protocol has not changed, and it remains compatible with older Outlook versions, up to Outlook 2003 SP2.
• When the client connects to the Client Access server, the Client Access server uses a MAPI RPC connection to communicate with the Mailbox server.
• When a client such as an Outlook Web App client requests the Global Address List (GAL), the Client Access server role now provides a Name Service Provider Interface (NSPI) service, and it queries the GAL on behalf of the client. This means that all client connections for address book lookups are now sent to the Client Access server rather than a Global Catalog server.

RPC Client Access Services Benefits


RPC Client Access services provide a number of benefits:
• All clients now use the same mailbox access architecture.
• For organizations that deploy highly available Mailbox servers, client outages have been reduced in situations where a mailbox database fails over to another server. When a mailbox fails over to another server, the Client Access server is notified, and the client connections are redirected to the new server within seconds. In a failover scenario, clients in Exchange Server 2007 would be disconnected for one to 15 minutes. In Exchange Server 2010, if one Client Access server in a Client Access server array fails, the client will immediately reconnect to another Client Access server in the array. If a mailbox server fails, the client is disconnected for 30 seconds.
• Mailboxes can now be moved from one Mailbox server to another, even while the user is online and connected to the mailbox.
• The new architecture supports more concurrent client connections to the mailbox server. In Exchange Server 2007, each mailbox server can handle 64,000 connections. That number increases to a 250,000 RPC context handle limit in Exchange 2010.
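The Client Access server array mentioned above is what lets a MAPI client reconnect to another server: the profile carries the array name, not a server name, and each mailbox database records which endpoint it hands out. The following is an added example, not part of the course text; it assumes the array FQDN outlook.adatum.com (which must resolve in DNS to the site's Client Access servers or their load balancer), the site name HeadOffice used later in this lesson, and the servers VAN-EX1 and VAN-EX2 from the course.

```powershell
# Added example (not part of the course): give MAPI clients a site-wide Client Access
# array name instead of an individual server name, then confirm the endpoint each
# mailbox database hands out and that MAPI logon works end to end. Assumed names: the
# array FQDN outlook.adatum.com, the Active Directory site HeadOffice, and the servers
# VAN-EX1 and VAN-EX2 from the course.

$arrayFqdn = "outlook.adatum.com"

New-ClientAccessArray -Name $arrayFqdn -Fqdn $arrayFqdn -Site "HeadOffice"

# Databases created before the array existed still point at a single server; move them.
Get-MailboxDatabase | Where-Object { "$($_.RpcClientAccessServer)" -ne $arrayFqdn } |
    Set-MailboxDatabase -RpcClientAccessServer $arrayFqdn

# What endpoint will a new Outlook profile now be given for each database?
Get-MailboxDatabase | Format-Table Name, Server, RpcClientAccessServer -AutoSize

# Exercise the Client Access -> Mailbox path for the databases on each server.
Test-MapiConnectivity -Server "VAN-EX1"
Test-MapiConnectivity -Server "VAN-EX2"
```

Profiles created before the change keep the old server name until Outlook repairs them through Autodiscover, so the array should be created before users are moved onto the databases.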


What Is Autodiscover?

Key Points
The Autodiscover service in Exchange Server 2010 simplifies Office Outlook 2007 or later client configuration. Autodiscover provides configuration information that Outlook requires to create a profile for the client. Outlook clients can also use the Autodiscover service to repair Exchange Server connection settings if a profile is corrupted, or if the user mailbox is moved to a different server. The Autodiscover service uses a user's e-mail address and password to provide profile settings to Outlook 2007 or later clients, and supported mobile devices.

How Autodiscover Works


Outlook 2010 connects to Exchange Server 2010 in the following manner:
1. When you install the Client Access server role, a service connection point (SCP) is configured automatically in Active Directory for the Client Access server. This SCP includes the Client Access server URL.
2. When Outlook 2010 starts for the first time, Outlook uses the user name or the user's e-mail address and password to configure the MAPI profile automatically.
3. Exchange Server uses configuration information from the Active Directory directory service to build an Outlook configuration template. The configuration template includes information about Active Directory and the Exchange Server 2010 organization and topology.
4. Outlook also uses the SCP to locate the Autodiscover service on an Exchange Server 2010 computer with the Client Access server role installed. The information includes the download location for the Availability Web service, and the Offline Address Book.
5. Outlook downloads the required configuration information from the Autodiscover service. Outlook then uses the appropriate configuration settings to connect to Exchange Server 2010.

Supported Clients and Protocols


Autodiscover supports the following clients and protocols:
• Office Outlook 2010: RPC over TCP/IP
• Outlook Anywhere: RPC over HTTP
• Exchange ActiveSync: Exchange ActiveSync over HTTP
• Entourage 2008, Exchange Web Services Edition: Exchange Web Services (HTTPS)

Note: Exchange Server 2010 supports Autodiscover for Exchange ActiveSync Service clients. However, the Exchange ActiveSync Service client must be running Windows Mobile 6 to support this feature.


Configuring Autodiscover

Key Points
By default, the Autodiscover settings for internal clients are automatically configured, and Outlook 2007 or later clients are automatically configured to use the appropriate services. In some cases, you may want to modify the default settings. For external clients, you need to configure the appropriate DNS settings to ensure that external clients can locate the Client Access server that is accessible from the Internet.

Configuring the Autodiscover Settings


To enable Autodiscover, you must have at least one Client Access server that is running the Autodiscover service. When you install the Client Access server role, the Autodiscover virtual directory is created automatically in IIS.


To manage Autodiscover settings, you must use the following Exchange Management Shell cmdlets.
• Configure the Autodiscover SCP: Set-ClientAccessServer
• Create a new Autodiscover virtual directory: New-AutodiscoverVirtualDirectory
• Remove an Autodiscover virtual directory: Remove-AutodiscoverVirtualDirectory
• Configure an Office Outlook provider: Set-OutlookProvider
• Locate an Office Outlook provider or providers on the virtual directory: Get-OutlookProvider

Configuring Autodiscover for Multiple Sites


If your organization has deployed Exchange servers in multiple Active Directory sites, you should consider configuring site affinity for the Autodiscover service. To use site affinity, you specify which Active Directory sites are preferred for clients to connect to a particular Autodiscover service instance. To configure site affinity, use a cmdlet as shown in the following example:
Set-ClientAccessServer -Identity "ServerName" -AutodiscoverServiceInternalURI "https://VAN-EX1/autodiscover/autodiscover.xml" -AutodiscoverSiteScope "HeadOffice"

This cmdlet configures the URI for the Autodiscover service in the HeadOffice site to use the VAN-EX1 server.

Configuring DNS to Support Autodiscover


For external clients to be able to locate the appropriate Client Access servers, you must configure DNS with the correct information. When the Outlook client attempts to locate the Client Access server, it first tries to locate the SCP information in the Active Directory directory service. If the client is outside the network, Active Directory is not available. Therefore, the client queries DNS for a server name based on the SMTP address that the user provides. Office Outlook queries DNS for the following URLs:
https://autodiscover.<e-mail domain>/autodiscover/autodiscover.xml
https://<e-mail domain>/autodiscover/autodiscover.xml


To enable Autodiscover, you must configure a DNS record on the DNS server that the client uses to provide name resolution for that request. The DNS record should point to a Client Access server that is accessible from the Internet.

Using the Test E-mail AutoConfiguration Feature in Outlook 2010


You can use the Test E-mail AutoConfiguration feature in Outlook 2010 to test whether Autodiscover is working correctly.

Note: You also can use the Exchange Management Shell cmdlet Test-OutlookWebServices to test the Autodiscover settings on a Client Access server.
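The internal and external paths can be checked from the Exchange Management Shell without an Outlook client. The following is an added example, not part of the course text: it sets the SCP for a site, runs Test-OutlookWebServices, and then repeats the two DNS lookups and the HTTPS request that an Outlook client outside the network performs. It assumes VAN-EX1 and the HeadOffice site from the course, the SMTP domain adatum.com, and an external DNS record autodiscover.adatum.com that is assumed to exist.

```powershell
# Added example (not part of the course): set the Autodiscover SCP for a site, then run
# the two DNS lookups and the HTTPS request that an Outlook client outside the network
# performs. Assumes VAN-EX1 and the HeadOffice site from the course, the SMTP domain
# adatum.com and an external DNS record autodiscover.adatum.com (assumed to exist).

Set-ClientAccessServer -Identity "VAN-EX1" `
    -AutodiscoverServiceInternalUri "https://VAN-EX1.adatum.com/autodiscover/autodiscover.xml" `
    -AutodiscoverSiteScope "HeadOffice"
Get-ClientAccessServer -Identity "VAN-EX1" | Format-List AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope

# Inside the network: ask the Client Access server to exercise its own Web services.
Test-OutlookWebServices -Identity "Administrator@adatum.com" | Format-List

function Test-AutodiscoverFromInternet {
    # Mimics the external client: no SCP is available, so try the two well-known URLs.
    param([string]$SmtpDomain)
    $urls = "https://autodiscover.$SmtpDomain/autodiscover/autodiscover.xml",
            "https://$SmtpDomain/autodiscover/autodiscover.xml"
    foreach ($url in $urls) {
        $hostName = ([Uri]$url).Host
        try   { $addresses = ([System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString }) -join "," }
        catch { $addresses = "unresolved" }

        # An anonymous GET is enough: HTTP 401 means the endpoint exists behind a
        # certificate the client trusts; TrustFailure or a connect failure is reported
        # as the WebException status text instead of a number.
        $status = "n/a"
        if ($addresses -ne "unresolved") {
            try {
                $req = [System.Net.HttpWebRequest]::Create($url)
                $req.Timeout = 10000
                $resp = $req.GetResponse()
                $status = [int]$resp.StatusCode
                $resp.Close()
            } catch [System.Net.WebException] {
                $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } `
                          else { $_.Exception.Status.ToString() }
            }
        }
        New-Object PSObject -Property @{ Url = $url; ResolvedTo = $addresses; Result = $status }
    }
}

Test-AutodiscoverFromInternet -SmtpDomain "adatum.com" | Format-Table Url, ResolvedTo, Result -AutoSize
```

A result of 401 on the first URL is the healthy outcome; "TrustFailure" on a resolvable name points at the certificate rather than at DNS or the firewall.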


What Is the Availability Service?

Key Points
Exchange Server 2010 makes free/busy information available to both Outlook 2007 or later, and Outlook Web App clients, by using the Availability service. The Availability service replaces the public folder used to store free/busy information in previous Exchange Server versions.

Note: Only Outlook 2007 or later and Outlook Web App use the Availability service. Outlook 2003 clients continue to use the Schedule+ Free Busy Information public folder. This folder must be available on an Exchange server for these clients to function.


How Availability Service Works

Availability service provides free/busy information by using the following process:
1. When you start the Scheduling Assistant in Outlook 2007 or Outlook Web App, the client sends a request to the URL provided to the client during Autodiscover. The request includes all invited users, including resource mailboxes.
2. The Client Access server Availability service queries Active Directory to determine the user mailbox location. For any mailbox in the same site as the Client Access server, the request is sent directly to the Mailbox server to retrieve the user's current free/busy information.
3. If the mailbox is in a different site than the Client Access server, the request is sent by proxy to a Client Access server in the site where the user mailbox is located. The Client Access server in the destination site extracts the availability information from the Mailbox server, and replies to the requesting Client Access server.
4. If the mailbox for one of the invited users is on a computer running Exchange Server 2003, Availability service queries the public folder that contains the free/busy information for the user.
5. Availability service combines the free/busy information for all invited users, and presents it to the Outlook 2007 or Outlook Web App client.

Deploying Availability Service


Availability service is deployed by default on all Client Access servers and does not need configuration except in scenarios where you are integrating the free/busy information from multiple forests. Autodiscover delivers the service location for Availability service to Outlook 2007 clients. Availability service is located at the URL http://servername/EWS.


What Are MailTips?

Key Points
MailTips are informative messages displayed to users before they send a message. MailTips inform a user about issues or limitations with the message the user intends to send. Exchange Server 2010 analyzes the message, including the list of recipients to which it is addressed. If it detects a potential problem, it notifies the user with MailTips prior to sending the message. With the help of the information provided by MailTips, senders can adjust the message they compose to avoid undesirable situations or nondelivery reports (NDRs).


Types of MailTips
Exchange Server 2010 provides several default MailTips, including the following examples:
• Mailbox Full. This MailTip displays if the sender adds a recipient whose mailbox is full, and if your organization has implemented a Prohibit Receive restriction for mailboxes over a specified size.
• Recipient Out of Office. This MailTip displays the first 250 characters of the out-of-office reply configured by the recipient, if a recipient has configured an out-of-office rule.
• Restricted Recipient. This MailTip displays if the sender adds a recipient for which delivery restrictions are configured, and prohibits this sender from sending the message.
• External Recipients. This MailTip displays if the sender adds a recipient that is external, or adds a distribution group that contains external recipients.
• Large Audience. This MailTip displays if the sender adds a distribution group that has more than the large audience size configured in your organization. By default, Exchange Server displays this MailTip for messages to distribution groups that have more than 25 members.

You can also configure custom MailTips in the Exchange Management Shell. A custom MailTip can be assigned to any recipient. For example, you could configure a custom MailTip for a recipient who is on an extended leave, or for a distribution group where all members of the group will be out of the office. Alternately, you can create a custom MailTip for a distribution group that explains the purpose of the group and thus reduces its misuse. When you configure a custom MailTip, it displays when a user composes a message for a specified recipient.

Note: MailTips are available only in Exchange Server 2010 Outlook Web App, or when using Microsoft Office Outlook 2010 or later. MailTips are not available in Outlook 2007.


How MailTips Work


MailTips are implemented as a Web service in Exchange Server 2010. When a sender composes a message, the client software makes an Exchange Web service call to the Exchange Server 2010 server with the Client Access server role installed, to get the list of MailTips. The Exchange Server 2010 server responds with the list of MailTips that apply to that message, and the client software displays the MailTips to the sender. The Client Access server uses the following process to compile MailTips for a specific message:
1. The mail client queries the Web service on the Client Access server for MailTips that apply to the recipients in the message.
2. The Client Access server gathers MailTip data:
   • The Client Access server queries the Active Directory Domain Service (AD DS) and reads group metrics data.
   • The Client Access server queries the Mailbox server to gather the Recipient Out-of-Office and Mailbox Full MailTips.
   • If the recipient's mailbox is on another site, then the Client Access server requests MailTips information from the Client Access server in the remote site.
3. The Client Access server returns MailTips data back to the client.

Note: Several MailTips are available when the Outlook client is offline. To enable this functionality, the redesign of the structure of the offline address book now includes some of the information that MailTips requires. MailTips that require current information from Active Directory or the user mailbox, are the only MailTips that will not work while the Outlook client is offline. MailTips that will not work offline are the Invalid Internal Recipient, the Mailbox Full, and the Recipient Out-of-Office MailTips.


Demonstration: How to Configure MailTips

Key Points
In this demonstration, you will see how to review and configure default MailTips for an Exchange Server 2010 organization, and how to configure custom MailTips. You will also confirm that the MailTips functions as expected.

Demonstration Steps
1. In Exchange Management Shell, use the Get-OrganizationConfig cmdlet to review the default configuration for MailTips.
2. Use the Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10 cmdlet to modify the large distribution group threshold setting.
3. Use the Set-DistributionGroup Marketing -MailTip "The marketing team will be at a conference till next week." cmdlet to configure a custom MailTip.
4. Log on to Outlook Web App. Prepare test messages to verify that the default and custom MailTips work as expected.
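The demonstration changes one threshold and one group. The following is an added example, not part of the course text, that goes a little further: it reviews every organization-wide MailTips switch, turns on the External Recipients tip (which is off by default in Exchange Server 2010, so the data-leakage warning described earlier is not shown until you enable it), adds a custom MailTip to a mailbox as well as to the Marketing group, and lists every recipient that carries a custom tip. It assumes the Marketing group from the demonstration and an assumed mailbox named Anna.

```powershell
# Added example (not part of the course): review the organization-wide MailTips switches,
# tighten the large-audience threshold, turn on the external-recipient tip, and add
# custom MailTips. Assumes the Marketing group from the demonstration and a mailbox
# named Anna (assumed).

# Show every MailTips setting; MailTipsExternalRecipientsTipsEnabled is off by default.
Get-OrganizationConfig | Format-List MailTips*

Set-OrganizationConfig -MailTipsAllTipsEnabled $true `
                       -MailTipsExternalRecipientsTipsEnabled $true `
                       -MailTipsGroupMetricsEnabled $true `
                       -MailTipsLargeAudienceThreshold 10

# Custom MailTip on a group: explains the group's purpose to reduce misuse.
Set-DistributionGroup -Identity "Marketing" `
    -MailTip "The marketing team will be at a conference till next week."

# Custom MailTip on a mailbox (assumed user) for an extended absence.
Set-Mailbox -Identity "Anna" -MailTip "Anna is on extended leave; contact the HR mailbox instead."

# Verify what will be shown, including the per-locale translations Exchange stores.
Get-DistributionGroup -Identity "Marketing" | Format-List MailTip, MailTipTranslations

# Audit: every recipient that carries a custom tip.
@(Get-Mailbox -ResultSize Unlimited) + @(Get-DistributionGroup -ResultSize Unlimited) |
    Where-Object { $_.MailTip } | Format-Table Name, RecipientType, MailTip -AutoSize
```

Group metrics must be enabled for the Large Audience tip to have data to work with; the threshold alone does nothing until the metrics are generated.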


Question: Will you leave MailTips enabled in your organization? How will you modify the default configuration?


What Is Outlook Anywhere?

Key Points
When you enable Outlook Anywhere, an Outlook 2003 or later client can connect to a server running Exchange Server 2010 or Exchange Server 2007 using RPCs encapsulated in an HTTP or HTTPS packet. This feature is a secure option for connecting to the Exchange server from the Internet while using a MAPI client.

How Does Outlook Anywhere Work?

To deploy Outlook Anywhere, you need to deploy the Outlook 2007 or Outlook 2003 client and the RPC proxy service running on Windows Server 2008. The following is a description of the communication process between all components in an RPC-over-HTTP configuration:
1. All communication between the Outlook client and the Client Access server is sent using HTTPS. The client establishes a connection to the Client Access server for each RPC request that it sends, and then establishes a second connection for responses from the Client Access server.
2. When the client connects, the Client Access server authenticates the user by forwarding the authentication request to a domain controller.
3. After the user is authenticated, the Client Access server uses an RPC connection to communicate with the Mailbox server hosting the user mailbox.
4. If the client requests a Global Address List lookup, the NSPI component on the Client Access server will send a Lightweight Directory Access Protocol (LDAP) query to a global catalog server.


Demonstration: How to Configure Outlook Anywhere

Key Points
When configuring Outlook Anywhere, you must configure the Exchange Client Access server, and then configure the Outlook clients.

Implementing Outlook Anywhere


To configure Outlook Anywhere on Exchange Server 2010, you must perform the following high-level steps:
1. Configure a computer running Windows Server 2008 as the RPC proxy server by installing the RPC over HTTP Proxy feature in Server Manager. When you select this feature, the required Web Server (IIS) role services are installed on the server. You should install the RPC over HTTP Proxy feature on the Client Access server.
2. Install a server certificate on the RPC proxy server. By default, Outlook Anywhere requires SSL encryption. Configure the RPC virtual directory to require SSL.
3. Enable Outlook Anywhere in the Exchange Management Console. When you enable RPC over HTTP, you must configure both an external host name and authentication method.
4. Configure the Outlook 2007 or Outlook 2003 profile on the client to use RPC over HTTP to connect to the Client Access server.
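The server-side steps (1 to 3) can be scripted on the Client Access server, with a check that the certificate actually carries the external name before Outlook Anywhere is switched on. The following is an added example, not part of the course text; it assumes VAN-EX1, the external name mail.adatum.com already present on the IIS certificate, Windows Server 2008 R2 (for the ServerManager module) and appcmd.exe at its default location.

```powershell
# Added example (not part of the course): perform the server-side Outlook Anywhere steps
# from the Client Access server and verify the result. Assumes VAN-EX1, the external
# name mail.adatum.com (already on the IIS certificate), Windows Server 2008 R2 for the
# ServerManager module, and appcmd.exe at its default location.

# Step 1: RPC over HTTP Proxy feature (pulls in the required IIS role services).
Import-Module ServerManager
Add-WindowsFeature RPC-over-HTTP-Proxy

# Step 2: the certificate bound to IIS must carry the external name; check before enabling.
$extHost = "mail.adatum.com"
$iisCert = Get-ExchangeCertificate -Server "VAN-EX1" | Where-Object { $_.Services -match "IIS" }
if (-not ($iisCert.CertificateDomains | Where-Object { "$_" -eq $extHost })) {
    throw "The IIS certificate does not contain $extHost; Outlook Anywhere clients would fail name validation."
}

# Step 3: enable Outlook Anywhere. NTLM matches the client-side default used in the
# demonstration; SSLOffloading stays off because this server terminates SSL itself.
Enable-OutlookAnywhere -Server "VAN-EX1" -ExternalHostname $extHost `
    -ClientAuthenticationMethod Ntlm -SSLOffloading $false

# Autodiscover hands the proxy settings to Outlook 2007/2010 through the EXPR provider;
# the certificate principal name must match the certificate the client will see.
Set-OutlookProvider -Identity EXPR -CertPrincipalName "msstd:$extHost"

# Verify: the Exchange view, then the IIS view of the Rpc virtual directory
# (SSL required, and which authentication schemes are enabled).
Get-OutlookAnywhere -Server "VAN-EX1" |
    Format-List ExternalHostname, ClientAuthenticationMethod, SSLOffloading
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
& $appcmd list config "Default Web Site/Rpc" /section:system.webServer/security/access
& $appcmd list config "Default Web Site/Rpc" /section:system.webServer/security/authentication/windowsAuthentication
& $appcmd list config "Default Web Site/Rpc" /section:system.webServer/security/authentication/basicAuthentication
```

Enable-OutlookAnywhere is applied asynchronously by the Exchange service host, so allow a few minutes before the IIS check reflects the change; the sslFlags value on the Rpc directory should include "Ssl".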

Demonstration Steps
1. On the Client Access server, use the following cmdlet to review the Autodiscover configuration:
Get-ClientAccessServer -Identity VAN-EX1 | FL

2. On the Client Access server, verify that the RPC over HTTP Proxy feature is installed.
3. On the Client Access server, in Exchange Management Console, click Enable Outlook Anywhere, using a host name that is resolvable from the Internet.
4. On the Client Access server, in Internet Information Services (IIS) Manager, verify that the RPC virtual directory is configured to use SSL and that it is configured to accept Basic and Windows Authentication.
5. On the client computer, configure the Outlook account properties to Connect to Microsoft Exchange using HTTP, and then click Exchange Proxy Settings.
6. In the Microsoft Exchange Proxy Settings dialog box, complete the following information:
   • Use the URL (https://): external host name for the Client Access server.
   • Connect using SSL only: enable (default)
   • On fast networks, connect using HTTP first, then connect using TCP/IP: enable
   • On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)
   • Proxy authentication setting: NTLM Authentication (default)
7. From the client, open Outlook and connect to the server.


8. Press and hold the CTRL key, and then right-click the Office Outlook icon in the Windows 7 operating system notification area. Click Connection Status. Confirm that the Conn column lists HTTPS as the connection method.
9. Press and hold CTRL, and then click the Outlook icon in the notification area of the Windows task bar. Click Test E-mail AutoConfiguration.
10. Click Test. View the information displayed on both the Results and Log tabs.


Troubleshooting Outlook Client Connectivity

Key Points
To troubleshoot Outlook with MAPI connectivity to an Exchange server, use the following steps:
1. Identify network connectivity issues. If the Outlook client or the Exchange server experiences problems connecting to the network, Outlook shows a status of Disconnected, and no new messages can be transferred between the client and the server.
2. Identify name resolution issues. Outlook clients must be able to resolve the name of the Exchange server to which they are connecting. By default, Outlook 2007 clients use DNS host-name resolution to resolve the name of the Exchange server to its IP address.
3. Identify client configuration issues. A client configuration issue can occur in Outlook or Windows configurations. An improperly configured client can prevent the computer from connecting to the Exchange server, or create intermittent connectivity problems.
4. Identify server configuration or service-availability issues. A configuration error can prevent some or all users from connecting to the Exchange server. Based on the symptom that the user is experiencing, you can verify configuration by using the Exchange Server Best Practices Analyzer Tool, or examine server properties by using the Exchange Management Console.
5. If the client computer is using Outlook Anywhere to connect to the Client Access server, it may be a Client Access server certificate issue. Outlook Anywhere relies on valid server certificates to provide secure communication with the server. Invalid names on certificates, expired certificates, or nontrusted certificates can cause connectivity issues between these clients and a Client Access server.

Tip: To ensure that a valid server certificate is trusted and can be used for connecting with Outlook Anywhere, you should connect from a Web browser to the RPC virtual directory on the Exchange server. If the user receives a prompt with a warning message about the certificate authenticity, then there is an issue with the certificate configuration. This will lead to problems with Outlook Anywhere, Autodiscover, and Exchange ActiveSync.

6. You can use the Test E-Mail AutoConfiguration Wizard in Outlook 2007 to test whether Autodiscover is configured correctly. When you run the wizard, it will provide information whether the client could connect to the Autodiscover service on a Client Access server, and it will display the information that it received through the Autoconfiguration process.
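Steps 1, 2 and 5 and the Tip can be checked from the client in one pass, and the result says which of the three certificate faults named in step 5 (wrong name, expired, untrusted) is present rather than just "a warning appeared". The following is an added example, not part of the course text; it assumes the external name mail.adatum.com and runs from any Windows client with PowerShell 2.0 or later.

```powershell
# Added example (not part of the course): from a client, check the three things that most
# often break Outlook Anywhere and Autodiscover: name resolution, TCP reachability on
# 443, and the certificate the Client Access server presents (name match, expiry, chain
# trust). Assumes the external name mail.adatum.com.

function Get-ClientAccessCertificateReport {
    param([string]$HostName, [int]$Port = 443)

    # Step 2 of the procedure: does the name resolve at all?
    try   { $ips = ([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }) -join "," }
    catch { return New-Object PSObject -Property @{ Host = $HostName; Problem = "name does not resolve" } }

    # Step 1: can we reach the HTTPS port?
    $tcp = New-Object System.Net.Sockets.TcpClient
    try   { $tcp.Connect($HostName, $Port) }
    catch { return New-Object PSObject -Property @{ Host = $HostName; ResolvedTo = $ips; Problem = "port $Port unreachable" } }

    # Accept the certificate during the handshake only so that it can be examined;
    # the trust decision is made explicitly below with X509Chain.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close(); $tcp.Close()

    # Step 5: the three certificate faults, each reported separately.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # Subject Alternative Name
    $san     = if ($sanExt) { $sanExt.Format($false) } else { "" }
    $pattern = [regex]::Escape($HostName)
    $nameOk  = ($cert.Subject -match ("CN=" + $pattern + '(,|$)')) -or ($san -match ("DNS Name=" + $pattern + '(,|$)'))
    $expired = ($cert.NotAfter -lt (Get-Date))

    New-Object PSObject -Property @{
        Host         = $HostName
        ResolvedTo   = $ips
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SANs         = $san
        NotAfter     = $cert.NotAfter
        Expired      = $expired
        NameMatches  = $nameOk
        ChainTrusted = $trusted
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ",")
        Problem      = if ($nameOk -and $trusted -and -not $expired) { "none" } else { "certificate" }
    }
}

Get-ClientAccessCertificateReport -HostName "mail.adatum.com" | Format-List
```

ChainTrusted is evaluated with the client's own certificate store, so a certificate from an internal CA shows as untrusted on a machine that does not hold that CA's root, which is exactly the condition that produces the browser warning the Tip describes.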


Lab A: Configuring Client Access Servers for Outlook Anywhere Access

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.

2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-CL1 virtual machines are running.

   10135A-VAN-DC1: Domain controller in the Adatum.com domain
   10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
   10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain
   10135A-VAN-CL1: Client computer in the Adatum.com domain

   Important: If you are using Windows Server 2008 R2 as the host operating system, you must complete the following steps before starting VAN-CL1.

   1. In the Hyper-V Management console, in the Virtual Machines pane, right-click 10135A-VAN-CL1, and click Settings.
   2. Click Network Adapter, and select the Enable spoofing of MAC addresses check box. Click OK. This step is required in order for the Windows Mobile Device emulator to communicate on the virtual network.

3. If required, connect to the virtual machines. Log on to VAN-DC1, VAN-EX1, and VAN-EX2 as Adatum\Administrator, using the password Pa$$w0rd. Do not log on to VAN-CL1 at this point.

Lab Scenario
You are working as a messaging administrator in A. Datum Corporation. Your organization has decided to deploy Client Access servers so that the servers are accessible from the Internet for a variety of messaging clients. To ensure that the deployment is as secure as possible, you must secure the Client Access server, and configure a certificate on the server that will support the messaging client connections. You also need to configure the server to support Outlook Anywhere connections.


Exercise 1: Configuring Client Access Servers


Scenario
As a messaging administrator in A. Datum Corporation, you have deployed the Exchange Server environment, and you are now working on configuring the Client Access servers. The organization has decided to use a certificate from the internal CA to secure all client connections to the server. You need to enable this configuration, and then you need to ensure that Outlook clients can still connect to the server.

The main tasks for this exercise are as follows:

1. Prepare the Windows Server 2008 CA to issue certificates with multiple subject alternative names.
2. Configure an External Client Access Domain for VAN-EX2.
3. Prepare a Server Certificate request for VAN-EX2.
4. Request the certificate from the CA.
5. Import and assign the IIS Exchange service to the new certificate.
6. Verify Outlook connectivity to the Exchange Server.

Task 1: Prepare the Windows Server 2008 CA to issue certificates with multiple subject alternative names
1. On VAN-DC1, open a command prompt and use the certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command to configure the CA policy.

2. Restart the Certificate Services.


Task 2: Configure an External Client Access Domain for VAN-EX2


1. On VAN-EX2, open the Exchange Management Console and configure an External Client Access Domain named mail.Adatum.com.
2. Apply the external domain name just to VAN-EX2.
3. Verify that the External Client Access Domain was applied to the owa (Default Web Site) virtual directory.

Task 3: Prepare a Server Certificate request for VAN-EX2


1. On VAN-EX2, run the New Exchange Certificate Wizard using the following configuration options:

   Friendly name: ADatum Mail Certificate
   Outlook Web App is on the intranet
   mail.adatum.com as the server name for all services
   Outlook Web App is on the Internet
   Exchange ActiveSync is enabled
   Autodiscover is used on the Internet
   Long URL is used for AutoDiscover
   Organization: A Datum
   Organizational Unit: Messaging
   Country/region: Canada
   City/locality: Vancouver
   State/province: BC

2. Save the file using the name CertRequest.req.


Task 4: Request the certificate from the CA


1. Copy the text of the certificate request file to the clipboard.

2. Connect to http://van-dc1/certsrv, and create a new certificate request using the contents of the certificate request file:

   Use an advanced certificate request using a base-64-encoded CMC or PKCS#10 file.
   Copy and paste the contents of the CertRequest.req file into the Saved Request field.
   Request a Web server certificate.

3. Download the certificate and save it.

4. View the certificate. Verify that the certificate includes several subject alternative names, and then click OK.

Task 5: Assign the IIS Exchange Service to the new certificate


1. In the Exchange Management console, use the Complete Pending Request Wizard to import the Adatum Mail certificate.
2. In the Exchange Management console, use the Assign Services to Certificate Wizard to assign the Adatum Mail certificate to the Internet Information Services service.

Task 6: Verify Outlook connectivity to the Exchange Server


1. On VAN-CL1, log on as Molly using the password Pa$$w0rd.
2. Open Microsoft Office Outlook 2007, and verify that a profile is automatically created for Molly.
3. In Office Outlook, click Tools, and then click Account Settings. Verify that the Outlook profile is configured to use VAN-EX2 as the mailbox server.

Results: After this exercise, you should have configured the security settings for VAN-EX2 by using the Security Configuration Wizard, and installed a server certificate from the internal CA on the server. You should have also verified Outlook client connectivity to the Exchange server.
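Tasks 2 through 5 of this exercise can also be completed from the Exchange Management Shell on VAN-EX2. The script below is added here as an example and is not part of the course; it sets the external URLs per virtual directory rather than through the console wizard, submits the request with certreq instead of the certsrv Web pages, and assumes the file paths under C:\ and the CA configuration string VAN-DC1\Adatum-CA (find the real one with certutil -dump).

```powershell
# Added example (not course code): Exercise 1, tasks 2 to 5, from the Exchange Management Shell.
# File paths and the CA configuration string are assumptions for the lab.
$server   = "VAN-EX2"
$external = "mail.Adatum.com"

# Task 2: external client access domain, applied to VAN-EX2 only, directory by directory.
Set-OwaVirtualDirectory        -Identity "$server\owa (Default Web Site)" -ExternalUrl "https://$external/owa"
Set-EcpVirtualDirectory        -Identity "$server\ecp (Default Web Site)" -ExternalUrl "https://$external/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl "https://$external/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" -ExternalUrl "https://$external/EWS/Exchange.asmx"
Set-OabVirtualDirectory        -Identity "$server\OAB (Default Web Site)" -ExternalUrl "https://$external/OAB"

# Task 3: certificate request carrying every name clients will use as subject alternative names.
$request = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName "ADatum Mail Certificate" `
    -SubjectName "C=CA, S=BC, L=Vancouver, O=A Datum, OU=Messaging, CN=mail.adatum.com" `
    -DomainName mail.adatum.com, autodiscover.adatum.com, VAN-EX2, VAN-EX2.adatum.com `
    -PrivateKeyExportable $true
Set-Content -Path C:\CertRequest.req -Value $request

# Task 4: submit the PKCS#10 request to the enterprise CA using the Web Server template.
# "VAN-DC1\Adatum-CA" is an assumed CA configuration string.
certreq -submit -attrib "CertificateTemplate:WebServer" -config "VAN-DC1\Adatum-CA" C:\CertRequest.req C:\CertResponse.cer

# Task 5: complete the pending request and bind the certificate to IIS (OWA, ECP, EAS, EWS, OAB, Outlook Anywhere).
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([byte[]](Get-Content -Path C:\CertResponse.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS

# Check: the certificate bound to IIS must be valid and list every name in use.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match "IIS" } |
    Format-List Subject, CertificateDomains, NotAfter, Status
```

One caveat on Task 1: the EDITF_ATTRIBUTESUBJECTALTNAME2 flag lets any requester add arbitrary subject alternative names as request attributes, so on a CA that is not lab-only it is normally cleared again (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, followed by a Certificate Services restart) once the Exchange certificate has been issued.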


Exercise 2: Configuring Outlook Anywhere


Scenario
A. Datum Corporation has several users who are frequently out of the office. These users all have laptop computers, and they want to use Office Outlook to connect to their Exchange Server mailboxes while in the office or out of the office. You need to configure the Client Access server to enable Outlook Anywhere, and then configure a client to connect to the server using RPC over HTTPS. Finally, you need to verify that the connection works.

The main tasks for this exercise are as follows:

1. Configure a DNS record for Mail.Adatum.com.
2. Configure Outlook Anywhere on VAN-EX2.
3. Configure the Outlook profile to use Outlook Anywhere.
4. Verify Outlook Anywhere connectivity.

Task 1: Configure a DNS record for Mail.Adatum.com


On VAN-DC1, create a new host record for Mail.adatum.com using an IP address of 10.10.0.21.

Task 2: Configure Outlook Anywhere on VAN-EX2


1. On VAN-EX2, verify that the RPC over HTTP Proxy feature is installed.
2. In the Exchange Management Console, enable Outlook Anywhere for VAN-EX2.
3. Configure an external host name of Mail.adatum.com, and choose NTLM authentication.
4. Restart VAN-EX2.

Task 3: Configure the Outlook profile to use Outlook Anywhere


1. On VAN-CL1, ensure that you are logged on as Adatum\Molly.

2. Modify the profile for Molly to connect to Microsoft Exchange using HTTP.

3. Configure the Exchange Proxy server settings as follows:

   Use this URL (https://): mail.adatum.com
   Connect using SSL only: enable (default)
   On fast networks, connect using HTTP first, then connect using TCP/IP: enable
   On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)
   Proxy authentication setting: NTLM Authentication (default)

4. Close Outlook.

Task 4: Verify Outlook Anywhere connectivity


1. On VAN-CL1, open Outlook and verify that you are connected to the Exchange server.

2. Press and hold CTRL, and then right-click the Office Outlook icon in the Windows 7 notification area. Confirm that the Conn column lists HTTPS as the connection method. You may need to click the up arrow in the Windows 7 notification area to view the Office Outlook icon.

3. Use the E-mail AutoConfiguration tool to review the settings Autodiscover provided to the client.

4. Log off VAN-CL1.

Results: After this exercise, you should have enabled Outlook Anywhere on VAN-EX2, and configured a client profile to use Outlook Anywhere. You also verified the Outlook Anywhere functionality.
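Tasks 1 and 2 of this exercise, done from the command line, as an added example that is not part of the course. The DNS record is created with dnscmd on VAN-DC1; the remaining commands run in the Exchange Management Shell on VAN-EX2. The final check, which confirms that the Outlook Anywhere external host name is one of the names in the certificate bound to IIS, catches the certificate name mismatch described in the troubleshooting steps earlier in this module.

```powershell
# Added example (not course code): Exercise 2, tasks 1 and 2, from the shell.

# Task 1 (on VAN-DC1): host record Mail.Adatum.com -> 10.10.0.21 in the Adatum.com zone.
dnscmd VAN-DC1 /RecordAdd Adatum.com Mail A 10.10.0.21

# Task 2 (on VAN-EX2): confirm the RPC over HTTP Proxy feature, then enable Outlook Anywhere.
Import-Module ServerManager
if (-not (Get-WindowsFeature RPC-over-HTTP-proxy).Installed) {
    Add-WindowsFeature RPC-over-HTTP-proxy
}
# NTLM client authentication, no SSL offloading: the Client Access server terminates TLS itself.
Enable-OutlookAnywhere -Server VAN-EX2 -ExternalHostname Mail.adatum.com `
    -ClientAuthenticationMethod Ntlm -SSLOffloading $false

# Read back what was applied.
$oa = Get-OutlookAnywhere -Server VAN-EX2
$oa | Format-List ServerName, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading

# Check: the external host name must appear in the IIS certificate, or clients will see a name warning.
$iisCert = Get-ExchangeCertificate -Server VAN-EX2 |
    Where-Object { $_.Services -match "IIS" } |
    Select-Object -First 1
$certNames = $iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
if ($certNames -notcontains $oa.ExternalHostname.ToString().ToLower()) {
    Write-Warning "External host name $($oa.ExternalHostname) is not in the IIS certificate ($($certNames -join ', '))"
} else {
    Write-Host "Outlook Anywhere host name matches the IIS certificate"
}
```

The -SSLOffloading $false setting matters for the client-side profile: with Connect using SSL only enabled on the client, the RPC virtual directory must require SSL, which the cmdlet leaves in place when offloading is off.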

To prepare for the next lab


Do not shut down the virtual machines and revert them back to their initial state when you finish this lab. The virtual machines are required to complete the last lab in this module.


Lesson 3

Configuring Outlook Web App

Exchange Server 2010 uses Outlook Web App to provide access to user mailboxes through a Web browser. Many organizations provide users with access to Outlook Web App from the Internet. Some organizations also use Outlook Web App internally. In both scenarios, deploying Outlook Web App is quite easy because only a Web browser is required as a client. This lesson describes how to configure Outlook Web App for Exchange Server 2010.

After completing this lesson, you will be able to:

- Describe Outlook Web App features.
- Identify Outlook Web App configuration options.
- Describe the file and data access options in Outlook Web App.
- Configure Outlook Web App.
- Configure Outlook Web App policies.
- Configure user options using the ECP.


What Is Outlook Web App?

Key Points
Outlook Web App allows users to access their mailboxes through a Web browser. The feature set in Outlook Web App closely mimics features available in Outlook 2010, and may provide features that are not available in previous Outlook versions. In some cases, it may be possible to use Outlook Web App in place of Outlook 2010. Outlook Web App has been redesigned in Exchange Server 2010 to include features such as chat, text messaging, mobile phone integration, and enhanced conversation view. In Exchange Server 2010, these features are accessible from an expanded set of Web browsers, including Microsoft Internet Explorer 6.0 or later, Firefox, Safari, and Google's Chrome.


Benefits of Outlook Web App


Outlook Web App provides many important benefits for an organization. These include:

- All communication between the Outlook Web App client and the Client Access server is sent using HTTP. You can easily secure this information using SSL. This also means that it is easy to configure firewalls or reverse proxies to enable Internet access to Outlook Web App, as only a single port is required.

- Outlook Web App does not require that you deploy or configure a messaging client; all client computers, including computers that run Linux or Macintosh, have a Web browser available. This means that users can access their mailbox from any client that can access the Client Access server's URL.

- Outlook Web App in Exchange Server 2010 also provides access to some features that are only available through Outlook Web App or Outlook 2010. For example, features such as the archive mailbox or conversation view can be accessed through Outlook Web App without deploying Outlook 2010.

Limitations of Outlook Web App


Outlook Web App cannot provide offline access to mailboxes. If the Exchange server hosting Outlook Web App is offline, users cannot read or send messages. If offline access to files is required, you must select another remote-access method to the Exchange server. Outlook 2007 using Outlook Anywhere, POP3, and IMAP clients can cache messages to provide offline access.

Question: What is Outlook Web App for Exchange Server 2010?

Question: What are the benefits of Outlook Web App?

Question: When would you use Outlook Web App instead of Outlook or Windows Mail?


Configuration Options for Outlook Web App

Key Points
Although Outlook Web App is available automatically on Client Access servers, you must configure Outlook Web App to support your users' specific requirements.

Outlook Web App Configuration Tasks


When configuring Outlook Web App, you need to complete the following tasks:

- Install and configure a server certificate to enable SSL for all client connections.

- Configure the Outlook Web App virtual directory. When you install the Client Access server role, an Outlook Web App virtual directory is configured in the default IIS Web site on the Client Access server. In most cases, you might not need to modify the Outlook Web App virtual directory settings, other than configuring the default Web site to use a CA certificate for SSL, and to set the authentication options.

- Configure segmentation settings. You can enable or disable specific Outlook Web App features for Exchange Server 2010 Outlook Web App users. Access the Outlook Web App virtual directory properties in the Exchange Management Console to configure the segmentation settings.

- Modify the attachment handling settings. You can configure the attachment settings by configuring the WebReady Document Viewing settings on the Outlook Web App virtual directory.

- Configure Gzip compression settings. Gzip enables data compression, which is optimal for slow network connections.

- Configure Web beacon settings. A Web beacon is a file object, such as a transparent graphic or an image, that is put on a Web site or in an e-mail message. Web beacons are typically used together with HTML cookies to monitor user behavior on a Web site, or to validate a recipient's e-mail address when an e-mail message containing a Web beacon is opened. Web beacons and HTML forms also can contain harmful code, and can be used to circumvent e-mail filters. By default, Web beacons and HTML forms are set to UserFilterChoice. This blocks all Web beacons and HTML forms, but lets the user unblock them on individual messages. You can use the Exchange Management Shell to change the type of filtering that is used for Web beacon and HTML form content in Outlook Web App. If you change the setting to ForceFilter, this blocks all Web beacons and HTML forms. If you change the setting to DisableFilter, this allows all Web beacons and HTML forms.


What Is File and Data Access for Outlook Web App?

Key Points
File and data access provides Outlook Web App users with different levels of access to files that are attached to messages, or that are located in Microsoft Windows SharePoint Services document libraries and shared folders on the internal network. When using the Windows SharePoint Services and Windows file shares integration option, users can access documents from a link embedded in an e-mail message.


Configuring File and Data Access


You can configure the following settings when configuring file and data access for Outlook Web App users:

- Enable WebReady Document Viewing or force WebReady Document Viewing. When you enable WebReady Document Viewing, and a user attempts to open a file in the message window, the file is converted to HTML, and then displayed in the Web browser. This enables users to view the files on the local computer even if the native application for the file is not installed on the computer. If only WebReady Document Viewing is enabled, users cannot save the document to the local hard disk or view the document in its native application. By default, only a limited number of file types can be viewed through WebReady Document Viewing.

- Direct file access. Direct file access lets users open files that are attached to e-mail messages and files that are stored in Windows SharePoint Services document libraries and in Windows file shares.

- Configure different settings for public or private computers. When users connect to Outlook Web App, they can choose whether they are connecting from public or private computers. You can configure different direct file access and WebReady Document Viewing settings for each option.

- Configure access to Windows SharePoint Services document libraries or Windows file shares. By default, if you enable direct file access, users can access files on both Windows SharePoint Services document libraries and Windows file shares. You can configure access to these features by using the Set-OwaVirtualDirectory cmdlet. For example, to disable access to file shares from public computers, run Set-OwaVirtualDirectory -Identity "owa (default web site)" -UNCAccessOnPublicComputersEnabled $false.

- Restrict or enable access. You can configure how users interact with files by using the Allow, Block, or Force Save options for direct file access, and by configuring the file extensions for WebReady Document Viewing.

You can also configure which servers will be accessible through Outlook Web App.


Demonstration: How to Configure Outlook Web App

Key Points
In this demonstration, you will see how to configure several different Outlook Web App aspects. As you will see in this demonstration, you may need to use several different tools to configure Outlook Web App.

Demonstration Steps
1. On the Client Access server, ensure that the Outlook Web App virtual directory is configured to use SSL, and is using the correct server certificate.

2. In the Exchange Management Console, on the owa (Default Web Site) Properties, configure the external URL with the required authentication and segmentation settings.

3. In the Exchange Management Shell, use the Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -ForceSaveFileTypes ".xls" cmdlet to force attachments with an .xls extension to be saved to disk before they can be opened.

4. Use the Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -GzipLevel Off cmdlet to disable Gzip compression for Outlook Web App.

5. Use the Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter cmdlet to block all Web beacons.
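The configuration tasks, the file and data access settings, and the demonstration steps above, brought together in one Exchange Management Shell script. This is an added example and not the course's own code; it runs on a Client Access server against the default owa (Default Web Site) virtual directory, and the SharePoint server name sharepoint.adatum.com is an assumption. The script also shows the @{Add=...} form for the multivalued ForceSaveFileTypes setting, because passing a bare value, as in demonstration step 3, replaces the whole existing list.

```powershell
# Added example (not course code): Outlook Web App virtual directory settings from the shell.
# Run in the Exchange Management Shell on the Client Access server.
$owa = "owa (Default Web Site)"

# Attachment handling: on public (shared) computers, documents may only be viewed in the
# browser; on private computers they may be opened directly. .xls is added to the
# force-save list rather than replacing it (demonstration step 3 used a bare value).
Set-OwaVirtualDirectory -Identity $owa `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true `
    -DirectFileAccessOnPrivateComputersEnabled $true `
    -ForceSaveFileTypes @{Add=".xls"}

# File and data access: no file-share (UNC) access from public computers, and SharePoint
# access only to the server named here; any other server is blocked.
Set-OwaVirtualDirectory -Identity $owa `
    -UNCAccessOnPublicComputersEnabled $false `
    -WSSAccessOnPublicComputersEnabled $true `
    -RemoteDocumentsActionForUnknownServers Block `
    -RemoteDocumentsAllowedServers @{Add="sharepoint.adatum.com"}   # assumed server name

# Web beacons / HTML forms and compression, as in demonstration steps 4 and 5.
Set-OwaVirtualDirectory -Identity $owa `
    -FilterWebBeaconsAndHtmlForms ForceFilter `
    -GzipLevel Off

# Segmentation: disable features that are not required for these users (two examples).
Set-OwaVirtualDirectory -Identity $owa `
    -ChangePasswordEnabled $false `
    -PublicFoldersEnabled $false

# Read back the settings that matter for a configuration review.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List Server, ExternalUrl, *OnPublicComputers*, ForceSaveFileTypes, `
        FilterWebBeaconsAndHtmlForms, GzipLevel, RemoteDocuments*
```

Settings made on the virtual directory apply to every user of that Client Access server; where different groups of users need different file-access behaviour, an Outlook Web App mailbox policy (next topic) takes precedence over the virtual directory settings for the users it is assigned to.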


Demonstration: How to Configure Outlook Web App Policies

Key Points
One of the new features in Exchange Server 2010 is the option to configure multiple Outlook Web App policies for users. In previous Exchange Server versions, all users receive the same settings when they connect to Outlook Web App. With Exchange Server 2010 Outlook Web App policies, you can configure unique policies and assign them to users.

Demonstration Steps
1. In Exchange Management Console, in the Organization Configuration node, click Client Access.

2. Click New Outlook Web App Mailbox Policy.

3. Provide a name for the policy, and configure the policy settings. After creating the policy, you can configure additional settings by accessing the policy properties.

4. Assign the policy to a user account by accessing the Outlook Web App properties on the Mailbox Features tab.

5. Log on to Outlook Web App as the user, and test the policy application.
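The same demonstration from the Exchange Management Shell, as an added example that is not part of the course. It creates a restrictive policy for users who work mainly from shared computers and assigns it to one mailbox; the policy name Kiosk Users and the mailbox Molly are assumptions.

```powershell
# Added example (not course code): create, configure, and assign an Outlook Web App mailbox policy.
# "Kiosk Users" and "Molly" are assumed names.

# Step 2 and 3: create the policy, then configure it. Policy settings override the
# virtual directory settings for the users the policy is assigned to.
$policy = New-OwaMailboxPolicy -Name "Kiosk Users"
Set-OwaMailboxPolicy -Identity $policy.Identity `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true `
    -UNCAccessOnPublicComputersEnabled $false `
    -UNCAccessOnPrivateComputersEnabled $false `
    -WSSAccessOnPublicComputersEnabled $false `
    -ChangePasswordEnabled $false

# Step 4: assign the policy to the user's mailbox.
Set-CASMailbox -Identity Molly -OwaMailboxPolicy "Kiosk Users"

# Step 5 (check before logging on as the user): the assignment and the effective settings.
Get-CASMailbox -Identity Molly | Format-List Name, OWAEnabled, OwaMailboxPolicy
Get-OwaMailboxPolicy -Identity "Kiosk Users" | Format-List *FileAccess*, *UNCAccess*, *WSSAccess*, ChangePasswordEnabled

# Which mailboxes carry this policy (useful when auditing who is exempt from it).
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.OwaMailboxPolicy -eq "Kiosk Users" } | Select-Object Name
```

Because a mailbox without a policy falls back to the virtual directory settings, the last query is the one to run when verifying that a restriction actually reaches every intended user.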


Demonstration: How to Configure User Options Using the ECP

Key Points
Another new feature in Exchange Server 2010 is the ECP. You can use the ECP to perform several different administrative functions, but users also can use the ECP to modify their mailbox settings. In this demonstration, you will see how you can configure the ECP virtual directory and view some of the available ECP configuration options.

Demonstration Steps
1. On the Client Access server, in IIS Manager, review the settings for the ecp virtual directory.

2. In the Exchange Management Console, review the settings for the ecp (Default Web Site) virtual directory on each Client Access server.

3. As a user, access the ECP by opening Internet Explorer, and accessing https://servername/ecp.

4. Log on to the ECP, and review the settings that can be modified by the user.


Lesson 4

Configuring Mobile Messaging

Exchange Server 2010 supports mobile devices as a messaging client. With Exchange Server 2010, you can synchronize mailbox content and perform most of the same tasks with mobile devices as you can with other messaging clients. Exchange Server 2010 also provides administrative options for managing mobile devices. This lesson describes how to implement and manage mobile access for Exchange Server 2010.

After completing this lesson, you will be able to:

- Describe the purpose and functionality of Exchange ActiveSync.
- Configure Exchange ActiveSync.
- Identify security options for Exchange ActiveSync.
- Configure Exchange ActiveSync policies.
- Manage mobile devices.


What Is Exchange ActiveSync?

Key Points
Exchange ActiveSync provides mobile devices with access to Exchange Server 2010 mailboxes. The Exchange ActiveSync communication process is optimized to function over high-latency and low-bandwidth networks. By default, Exchange ActiveSync is available for all users after you install a Client Access server.

Note: Exchange ActiveSync has been licensed to many different mobile device manufacturers that produce devices that run Windows Mobile or another operating system. Exchange ActiveSync features are dependent on the mobile device and the operating system version running on the mobile device. You will need to verify which features are supported on your mobile device.


How Exchange ActiveSync Works


When users connect to the Client Access server with a mobile device, the following process occurs:

1. The Exchange ActiveSync client connects using HTTPS to the Microsoft Server ActiveSync virtual directory on the Client Access server.

2. The Client Access server authenticates the client. If the user's mailbox is on a Mailbox server in the same site as the Client Access server, then the Client Access server connects to the user's Mailbox server using an RPC connection. If the Mailbox server is in a different site, then the Client Access server proxies the client request to a Client Access server in the appropriate site.

3. If the mobile client is running the Messaging and Security Feature Pack for Microsoft Windows Mobile 5.0 or later, or is a non-Windows Mobile device that is Direct Push-capable, Exchange ActiveSync can use Direct Push technology to ensure that messages are delivered to the mobile client when they connect to the Exchange server. With Direct Push technology, the mobile device maintains a constant HTTPS connection to the Client Access server, resulting in instant message retrieval and real-time access to e-mail.


Demonstration: How to Configure Exchange ActiveSync

Key Points
In this demonstration, you will see how to configure the Exchange ActiveSync settings on a Client Access server and how to configure a Windows Mobile device to use ActiveSync to synchronize with the Exchange server.

Demonstration Steps
1. On the Client Access server, in IIS Manager, clear the option to require SSL for the Exchange ActiveSync virtual directory.

Caution: In a production environment, you should require SSL for the Exchange ActiveSync virtual directory. You are disabling SSL only because the mobile emulator does not trust the server certificate.

2. In Exchange Management Console, configure authentication and remote file server settings on the Microsoft-Server-ActiveSync virtual directory.

3. On the mobile device emulator, configure the network settings so that the emulator can communicate with the Client Access server.

4. In the mobile device emulator, start ActiveSync, and then configure the emulator to connect to the Client Access server using an account that is enabled for Exchange ActiveSync.

5. Synchronize the device.

6. Test ActiveSync by sending a message from another user to the user logged on to the mobile device. Verify that the message arrives, and respond to the message.


Options for Securing Exchange ActiveSync

Mobile clients, such as Exchange ActiveSync clients, are difficult to secure. Because the devices are small and portable, they are susceptible to being lost or stolen. At the same time, they may contain highly confidential information. The storage cards that fit into mobile device expansion slots can store increasingly large amounts of data. While this data-storage capacity is important to the mobile-device user, it also heightens the concern about data falling into the wrong hands. Mobile clients also are difficult to manage using centralized policies because the devices might rarely, or never, connect to the internal network. The devices also do not require Active Directory accounts, so you cannot use Group Policy Objects (GPOs) to manage the client settings.

Note: System Center Mobile Device Manager 2008 is a System Center product available from Microsoft. If you deploy this product, Windows Mobile 6.1 devices can be listed in Active Directory, and managed through Active Directory and Mobile Device Manager policies.


Implementing Exchange ActiveSync Policies


Exchange ActiveSync policies provide one option for securing mobile devices. When you apply the policy to a user, the mobile device automatically downloads the policy the next time the device connects to the Client Access server. To ensure that mobile devices are as secure as possible, you should configure Exchange ActiveSync policies that require device passwords, and encrypt the data stored on the mobile device.

Managing Mobile Devices


You can manage mobile devices using either the Exchange Management Console or the Exchange Management Shell. With these tools, you can perform the following tasks:

- View a list of all mobile devices that any enterprise user is using.
- Send or cancel remote wipe commands to mobile devices.
- View the status of pending remote-wipe requests for each mobile device.
- View a transaction log that indicates which administrators have issued remote-wipe commands, and the mobile devices to which those commands pertain.
- Delete an old or unused partnership between devices and users.

Note: The option to manage a mobile device for a user mailbox in the Exchange Management Console is available only after the user has synchronized with the Exchange Server from a mobile device. You also can manage mobile devices in the Exchange Management Shell by using the Remove-ActiveSyncDevice and the Clear-ActiveSyncDevice cmdlets.
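The device management tasks listed above, performed with the Exchange Management Shell cmdlets the note mentions, as an added example that is not course code. The mailbox Molly, the notification address, and the 90-day cutoff for stale partnerships are assumptions.

```powershell
# Added example (not course code): inventory, wipe, and partnership cleanup for ActiveSync devices.
# "Molly", the notification address, and the 90-day cutoff are assumptions.

# Task: list every device partnered with any mailbox, oldest sync first, with wipe status.
Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Select-Object DeviceFriendlyName, DeviceType, DeviceOS, LastSuccessSync, `
        DeviceWipeRequestTime, DeviceWipeAckTime, Identity |
    Sort-Object LastSuccessSync |
    Format-Table -AutoSize

# Task: remote wipe of one user's device (here the first one listed), with a notification
# sent when the device acknowledges the wipe.
$device = Get-ActiveSyncDeviceStatistics -Mailbox Molly | Select-Object -First 1
Clear-ActiveSyncDevice -Identity $device.Identity -NotificationEmailAddresses "administrator@adatum.com"

# Task: check the pending wipe. DeviceWipeAckTime stays empty until the device next connects
# and confirms; a device that never reconnects is never wiped, so the data on it must be
# treated as exposed.
Get-ActiveSyncDeviceStatistics -Mailbox Molly |
    Format-List DeviceFriendlyName, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# Task: delete partnerships that have not synchronized for 90 days. A stale partnership
# keeps the device authorized to synchronize until it is removed.
$cutoff = (Get-Date).AddDays(-90)
Get-ActiveSyncDevice -ResultSize Unlimited |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Identity $_.Identity } |
    Where-Object { $_.LastSuccessSync -ne $null -and $_.LastSuccessSync -lt $cutoff } |
    ForEach-Object {
        Write-Host "Removing stale partnership $($_.DeviceFriendlyName) (last sync $($_.LastSuccessSync))"
        Remove-ActiveSyncDevice -Identity $_.Identity -Confirm:$false
    }
```

Removing a partnership does not wipe the device; where a device is lost rather than merely retired, issue the wipe first and remove the partnership only after DeviceWipeAckTime is populated.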

Configuring Self-Service Mobile Device Management


Users also can manage their own mobile devices by accessing the ECP. One of the options available is the Phone tab. From this tab, users can wipe a device that they have configured, and can delete partnerships for devices that they no longer use. Self-service management is enabled by default for all users who are assigned to a Microsoft Exchange ActiveSync mailbox policy.


Enabling SSL for the Mobile Device Connections


To ensure that the communication between the mobile device and the Client Access server is secure, you should ensure that the Microsoft Server ActiveSync virtual directory is configured to require SSL.

Installing CA Root Certificates on Mobile Devices


Just like desktop computers, mobile devices are configured to trust the root certificates for most public CAs. However, if you choose to use an internal CA to provide certificates for your Client Access servers, you must configure the mobile devices to trust the root CAs by installing the root certificates on the device. To install a CA certificate on a Windows Mobile phone, you might need to copy the root certificate directly to the mobile device, and then install the certificate. You can use an ActiveSync connection between the device and a desktop or portable computer to copy the certificate file to the device, or transfer the file using a storage card. If you do not enable SSL for the Exchange ActiveSync connection, you also can e-mail a root certificate to the device. After copying the certificate to the device, you can install the certificate manually by double-clicking the .cer file. If you use Windows Mobile 2003 or older devices, you can use a tool such as SmartPhoneAddcert.exe to install the certificate.


Demonstration: How to Configure Exchange ActiveSync Policies

Key Points
One of the features in Exchange Server 2010 is that you can manage mobile users and devices with Exchange ActiveSync mailbox policies. When you create a policy, you can configure the following options:

- Allow or block nonprovisionable devices. This option permits you to specify whether devices that do not fully support the device security settings can synchronize with the Exchange Server computer.

- Enable, disable, or limit attachment downloads. This option allows you to enable or disable attachment downloads, and configure a maximum attachment download size.

- Configure devices to require passwords. If you choose to require passwords, you also can configure the following attributes:

   Minimum password length.
   A requirement for alphanumeric passwords.
   Inactivity time before the password is required.
   The option to enable password recovery.
   A requirement for device encryption.
   Number of failed attempts allowed. This option specifies whether you want the device memory wiped after a specific number of failed logon attempts.

- Options for disabling removable storage, cameras, Wi-Fi, or Bluetooth.

- Options for configuring synchronization settings such as message size limits.

- Options for enabling additional mobile device applications such as Web browsers, unsigned applications, or for defining allowed and blocked applications.

Note: Some of these features were implemented with Windows Mobile 5.0 devices. Some features, such as encryption on the local device, and Windows SharePoint Services and Windows File Shares integration, are available only with Windows Mobile 6 or later. Some settings also require an Enterprise Client Access License for each mailbox.

In this demonstration, you will see how to configure Exchange ActiveSync policies.

Demonstration Steps
1. In the Exchange Management Console, access the Organization Configuration node, and then click Client Access.

2. Create a New Exchange ActiveSync Mailbox Policy, and then configure the available settings.

3. After creating the policy, access the policy properties and configure the additional settings.

4. Access a user mailbox's properties. On the Mailbox Features tab, click Exchange ActiveSync, and then click Properties. Assign the appropriate Exchange ActiveSync policy.

5. Confirm that the policy is being applied to the user.

4-84

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

MCT USE ONLY. STUDENT USE PROHIBITED

Demonstration: How to Manage Mobile Devices

Key Points
In this demonstration, you will view the options that a user has for managing their mobile devices, using ECP. You will then see how an administrator can also manage the user's mobile device.

Demonstration Steps
1. As a user, connect to the ECP site on a Client Access server.
2. Log on and access the Phone tab on the user Properties page.
3. As an Exchange administrator, access the user in the Exchange Management Console Mailbox container, and then click OK.
4. In the Actions pane, click Manage Mobile Device.
5. On the Manage Mobile Device page, view the options available to manage the mobile device, including wiping the device.


Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-CL1 virtual machines are running:
   • 10135A-VAN-DC1: Domain controller in the Adatum.com domain.
   • 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.
   • 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain.
   • 10135A-VAN-CL1: Client computer in the Adatum.com domain.
3. If required, connect to the virtual machines.


Lab Scenario
To enable client access to the server, your organization has decided to enable both Outlook Web App and Exchange ActiveSync for its users. However, the security officer at A. Datum Corporation has defined security requirements for the Outlook Web App and Exchange ActiveSync deployment. Therefore, you need to enable the security features for both Outlook Web App and Exchange ActiveSync.


Exercise 1: Configuring Outlook Web App


Scenario
A. Datum Corporation has several users who work regularly from outside the office. These users should be able to check their e-mail from any client computer, including client computers located in public areas. To provide this functionality, you must configure the server settings for Outlook Web App, and configure Outlook Web App policies. You also need to verify that the settings have been successfully applied.

The main tasks for this exercise are as follows:
1. Configure IIS to use the Internal CA certificate.
2. Configure Outlook Web App settings for all users.
3. Configure an Outlook Web App Mailbox Policy for the Branch Managers.
4. Verify the Outlook Web App configuration.

Task 1: Configure IIS to use the Internal CA certificate


1. On VAN-EX2, in Internet Information Services (IIS) Manager, verify that the owa virtual directory under the Default Web Site is configured to require SSL.
2. Verify that the Default Web Site is configured to use the Adatum Mail Certificate.

Task 2: Configure Outlook Web App settings for all users


1. On VAN-EX2, in Exchange Management Console, verify that the owa virtual directory is configured to use forms-based authentication. Modify the forms-based authentication to use the user name only and to use the Adatum.com domain automatically.
2. Disable the Tasks and Rules display for all users.
3. Use the Set-OwaVirtualDirectory "owa (Default Web Site)" -ForceSaveFileTypes .doc cmdlet to force all users to save Word documents before opening them.
4. Use the Set-OwaVirtualDirectory "owa (Default Web Site)" -GzipLevel Off cmdlet to disable GZip compression.
5. Use the Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter cmdlet to block all Web beacons and HTML forms.
6. Use the IISReset /noforce command to restart IIS.

Task 3: Configure an Outlook Web App Mailbox Policy for the branch managers
1. Create a new Outlook Web App Mailbox policy, and configure the policy with the name Branch Managers Policy.
2. Configure the policy to prevent branch managers from changing their password.
3. Apply the policy to all users in the Branch Managers organizational unit (OU).

Task 4: Verify the Outlook Web App configuration


1. On VAN-EX1, connect to https://mail.Adatum.com/owa.
2. Log on to Outlook Web App as Adatum\Sharon using the password Pa$$w0rd. Sharon is not in the Branch Managers OU.
3. Verify that the Tasks folder is not displayed in the user mailbox, and that Sharon cannot configure a new Inbox rule in the ECP.
4. Connect to OWA again, and log on as Adatum\Johnson using the password Pa$$w0rd. Johnson is in the Branch Managers OU.
5. Verify that the Tasks folder is listed in the user mailbox, but that Johnson is not able to change his password.

Results: After this exercise, you should have configured Outlook Web App on VAN-EX2. This configuration includes assigning the internal CA certificate to the Default Web Site, and configuring Outlook Web App settings for all users, as well as for specific users. You also should have verified the Outlook Web App settings.
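The same exercise carried out from the Exchange Management Shell, as an added example that is not part of the lab: it checks the Task 1 certificate and SSL state, applies the Task 2 and Task 3 settings, and then reads every requirement back. The lab's own names (VAN-EX2, Adatum.com, the Branch Managers OU, Johnson and Sharon) are reused; the Test-OwaExercise helper is this example's own, and the IIS read-back assumes the WebAdministration module of Windows Server 2008 R2.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell on VAN-EX2.
$vdir = "VAN-EX2\owa (Default Web Site)"

# Task 1 read-back: which Exchange certificate is enabled for IIS, and does the
# owa virtual directory require SSL (sslFlags should contain "Ssl")?
Get-ExchangeCertificate -Server "VAN-EX2" |
    Where-Object { $_.Services -match "IIS" } |
    Format-List Subject, Thumbprint, NotAfter, Services
Import-Module WebAdministration
Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\owa" `
    -Filter "system.webServer/security/access" -Name sslFlags

# Task 2: settings that apply to every user of this virtual directory.
# @{Add=".doc"} appends to the forced-save list; passing ".doc" alone, as the
# lab step does, replaces the whole list with that one type.
Set-OwaVirtualDirectory -Identity $vdir `
    -FormsAuthentication $true `
    -LogonFormat UserName `
    -DefaultDomain "Adatum.com" `
    -TasksEnabled $false `
    -RulesEnabled $false `
    -ForceSaveFileTypes @{Add = ".doc"} `
    -GzipLevel Off `
    -FilterWebBeaconsAndHtmlForms ForceFilter
iisreset /noforce

# Task 3: a mailbox policy that only the Branch Managers receive.
$bmPolicy = New-OwaMailboxPolicy -Name "Branch Managers Policy"
Set-OwaMailboxPolicy -Identity $bmPolicy.Identity -ChangePasswordEnabled $false
Get-Mailbox -OrganizationalUnit "Branch Managers" -ResultSize Unlimited |
    Set-CASMailbox -OwaMailboxPolicy $bmPolicy.Identity

function Test-OwaExercise {
    # Task 4 as a checklist: one row per requirement with a Pass flag, so the
    # verification can be repeated after any later change. Helper written for
    # this example.
    param([string]$VirtualDirectory, [string]$RestrictedUser, [string]$NormalUser)
    $v = Get-OwaVirtualDirectory -Identity $VirtualDirectory
    $restrictedPolicy = (Get-CASMailbox -Identity $RestrictedUser).OwaMailboxPolicy
    $cannotChangePassword = $false
    if ($restrictedPolicy -ne $null) {
        $cannotChangePassword = -not (Get-OwaMailboxPolicy -Identity $restrictedPolicy).ChangePasswordEnabled
    }
    $checks = @(
        @{ Check = "Forms-based authentication"; Pass = ($v.FormsAuthentication -eq $true) },
        @{ Check = "User name only, Adatum.com default domain"; Pass = ("$($v.LogonFormat)" -eq "UserName" -and $v.DefaultDomain -eq "Adatum.com") },
        @{ Check = "Tasks and Rules hidden"; Pass = (-not $v.TasksEnabled -and -not $v.RulesEnabled) },
        @{ Check = ".doc forced to save"; Pass = (@($v.ForceSaveFileTypes) -contains ".doc") },
        @{ Check = "GZip compression off"; Pass = ("$($v.GzipLevel)" -eq "Off") },
        @{ Check = "Web beacons and HTML forms filtered"; Pass = ("$($v.FilterWebBeaconsAndHtmlForms)" -eq "ForceFilter") },
        @{ Check = "$RestrictedUser cannot change password"; Pass = $cannotChangePassword },
        @{ Check = "$NormalUser has no OWA mailbox policy"; Pass = ((Get-CASMailbox -Identity $NormalUser).OwaMailboxPolicy -eq $null) }
    )
    foreach ($c in $checks) { New-Object PSObject -Property $c }
}

Test-OwaExercise -VirtualDirectory $vdir -RestrictedUser "Johnson" -NormalUser "Sharon" |
    Format-Table Check, Pass -AutoSize
```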


Exercise 2: Configuring Exchange ActiveSync


Scenario
A. Datum Corporation has several users who use Windows Mobile devices to access their mail. You need to ensure that these users can access their mailboxes using Exchange ActiveSync. To ensure that the client connection is secure, you must configure an Exchange ActiveSync policy, and apply it to a user account. You will also install a root certificate on the mobile device, and configure SSL security. Lastly, you need to manage the mobile device as both an administrator and a user using ECP.

The main tasks for this exercise are as follows:
1. Disable SSL for Exchange ActiveSync.
2. Verify the Exchange ActiveSync virtual directory configuration.
3. Connect to the server using Exchange ActiveSync.
4. Create a new Exchange ActiveSync mailbox policy.
5. Validate the Exchange ActiveSync mailbox policy.
6. Install a root CA on the mobile device.
7. Wipe the mobile device.

Task 1: Disable SSL for Exchange ActiveSync


On VAN-EX2, in Internet Information Services (IIS) Manager, configure the Microsoft-Server-ActiveSync virtual directory so that it does not require SSL. You are configuring this setting just for the initial testing.

Task 2: Verify the Exchange ActiveSync virtual directory configuration


On VAN-EX2, in Exchange Management Console, review the configuration for the Microsoft-Server-ActiveSync virtual directory.


Task 3: Connect to the server using Exchange ActiveSync


1. On VAN-CL1, log on as Adatum\Administrator.
2. Start the Windows Mobile 6.1.4 Professional emulator.
3. On the emulator properties, enable the NE2000 PCMCIA network adapter, and configure it to bind to the connected network card.
4. In Windows Mobile 6 Professional, click Start, and then click Settings.
5. On the Connections tab, configure the network adapter settings to connect to the Internet using the NE2000 Compatible Ethernet Driver.
6. Configure the network adapter to use the following settings:
   • IP address: 10.10.0.51
   • Subnet mask: 255.255.0.0
   • Default gateway: 10.10.0.1
   • DNS server: 10.10.0.10
7. In Windows Mobile 6 Professional, start ActiveSync, and start the process for setting up the device to sync with Exchange Server. Use the following information to configure the client:
   • E-mail address: ScottMacdonald@adatum.com
   • User name: Scott
   • Password: Pa$$w0rd
   • Domain: Adatum
   • Server address: VAN-EX2.adatum.com
   • SSL: Disabled
   • Synchronize all Calendar and E-mail items
8. Verify that the synchronization succeeds.
9. On VAN-CL1, connect to https://mail.adatum.com/owa, and log on as adatum\Wei using the password Pa$$w0rd.
10. Send a test message to Scott.
11. On the mobile device, verify that Scott received the message, and reply to it.
12. In Outlook Web App, verify that the reply message was received.

Task 4: Create a new Exchange ActiveSync mailbox policy


1. On VAN-EX2, in Exchange Management Console, create a new Exchange ActiveSync Mailbox policy with the following configuration:
   • Name: EAS Policy 1
   • Enable non-provisionable devices
   • Enable attachments to be downloaded to the device
   • Require passwords
   • Enable password recovery
2. Review the other Exchange ActiveSync Mailbox policy settings.
3. Apply the Exchange ActiveSync Mailbox policy to Scott MacDonald.

Task 5: Validate the Exchange ActiveSync mailbox policy


1. On VAN-CL1, synchronize the mobile client.
2. Verify that the new policy is applied, and provide a password of 12345.

Task 6: Install a root CA on the mobile device


1. On VAN-CL1, open Internet Explorer, and connect to http://van-dc1/certsrv.
2. Download the CA certificate chain from the CA, and save the file.
3. Open Outlook Web App, and send a message to Scott. Attach the certificate file to the message.
4. In the Windows Mobile device, synchronize the mailbox.
5. Open the message with the certificate and double-click the file. Accept the certificate installation.
6. On VAN-EX2, in Internet Information Services (IIS) Manager, configure the Microsoft-Server-ActiveSync virtual directory to require SSL.
7. On VAN-CL1, in the Windows Mobile Professional emulator, modify the ActiveSync settings to use SSL.
8. Verify that the client can synchronize successfully.

Task 7: Wipe the mobile device


1. On VAN-CL1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp.
2. Log on as Adatum\Scott, and verify that you can manage the mobile device.
3. On VAN-EX2, in the Exchange Management Console, perform a remote wipe of Scott's device.
4. On VAN-CL1, verify that the mobile device restarts the next time it synchronizes.

Results: After this exercise, you should have configured the Exchange server environment to support Exchange ActiveSync. You first verified that Exchange ActiveSync worked, and then enhanced the security configuration by creating a more secure Exchange ActiveSync Mailbox policy, and by enabling SSL for all Exchange ActiveSync connections.
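The administrator side of Tasks 5 and 7 from the Exchange Management Shell, as an added example that is not part of the lab: it reads the device partnership to confirm that EAS Policy 1 was applied, and issues the remote wipe only after checking that the partnership is the one intended. The lab's mailbox "Scott" and policy name are reused; the two function names and the notification address are this example's own.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell on VAN-EX2.

function Get-EasDeviceReport {
    # One row per device partnership of a mailbox: which policy the device
    # reports, whether it applied it, and the state of any wipe request.
    # Helper written for this example.
    param([string]$Mailbox)
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox | ForEach-Object {
        New-Object PSObject -Property @{
            DeviceId      = $_.DeviceID
            Device        = "$($_.DeviceType) $($_.DeviceModel)"
            LastSync      = $_.LastSuccessSync
            PolicyApplied = $_.DevicePolicyApplied
            PolicyStatus  = $_.DevicePolicyApplicationStatus
            WipeRequested = $_.DeviceWipeRequestTime
            WipeSent      = $_.DeviceWipeSentTime
            WipeAcked     = $_.DeviceWipeAckTime
            Identity      = $_.Identity
        }
    }
}

function Invoke-EasRemoteWipe {
    # Requests a remote wipe for exactly one partnership. It refuses to proceed
    # when the device ID is unknown or the device reports a different policy
    # than expected, so a wipe is never sent to the wrong partnership.
    # Helper written for this example.
    param([string]$Mailbox, [string]$DeviceId, [string]$ExpectedPolicy, [string]$NotifyAddress)
    $device = Get-EasDeviceReport -Mailbox $Mailbox | Where-Object { $_.DeviceId -eq $DeviceId }
    if ($device -eq $null) {
        throw "No partnership with device ID '$DeviceId' exists for mailbox $Mailbox"
    }
    if ("$($device.PolicyApplied)" -notlike "*$ExpectedPolicy*") {
        throw "Device reports policy '$($device.PolicyApplied)', expected '$ExpectedPolicy'; not wiping"
    }
    Clear-ActiveSyncDevice -Identity $device.Identity `
        -NotificationEmailAddresses $NotifyAddress -Confirm:$false
    # The wipe is delivered at the device's next synchronization (Task 7, step 4).
    # Until then WipeSent stays empty, and Clear-ActiveSyncDevice -Cancel $true
    # on the same identity revokes the request.
    Get-EasDeviceReport -Mailbox $Mailbox |
        Where-Object { $_.DeviceId -eq $DeviceId } |
        Format-List Device, WipeRequested, WipeSent, WipeAcked
}

# Task 5 check: did the emulator pick up EAS Policy 1 after it synchronized?
Get-EasDeviceReport -Mailbox "Scott" |
    Format-Table Device, LastSync, PolicyApplied, PolicyStatus -AutoSize

# Task 7: wipe the emulator partnership recorded above.
$deviceId = (Get-EasDeviceReport -Mailbox "Scott" | Select-Object -First 1).DeviceId
Invoke-EasRemoteWipe -Mailbox "Scott" -DeviceId $deviceId `
    -ExpectedPolicy "EAS Policy 1" -NotifyAddress "administrator@adatum.com"
```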

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.


Module Review and Takeaways

Review Questions
1. You need to ensure that users from the Internet can connect to a Client Access server by using Outlook Anywhere. How will you configure the firewall between the Internet and the Client Access server?
2. You need to ensure that the same Exchange ActiveSync policies are assigned to all users, with the exception of the Executives group. This group requires higher security settings. What should you do?
3. You have deployed an Exchange Server 2010 server in an organization that includes several Exchange Server 2003 servers. How will Exchange Server 2010 obtain free\busy information for user mailboxes on the Exchange Server 2003 servers?


Common Issues Related to Client Connectivity to the Client Access Server


Identify the causes for the following common issues related to client connectivity to the Client Access server, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Users using Web browsers other than Internet Explorer may have trouble authenticating.
Troubleshooting tip: Although Exchange Server 2010 supports most Web browsers, your Web browser may not support forms-based authentication or Windows Integrated Authentication. As a last resort, you can use Basic Authentication with SSL.

Issue: Clients receive certificate-related errors when they connect to the Client Access server.
Troubleshooting tip: Ensure that the certificate configured on the Client Access server is trusted by all clients. The best way to do this is to obtain a certificate from a trusted Public CA.

Issue: Users from the Internet are not able to connect to the Client Access server.
Troubleshooting tip: Use a tool such as Microsoft Exchange Server Remote Connectivity Analyzer to identify the issue. Many components must be functioning to enable connectivity. The Remote Connectivity Analyzer tool will check information such as DNS records, authentication, certificate issues, and Autodiscover.


Real-World Issues and Scenarios


1. Your organization has two locations with an Internet connection in each location. You need to ensure that when users access their e-mail using Outlook Web App from the Internet, they will always connect to the Client Access server in their home office.
2. You are planning on enabling Outlook Web App, Outlook Anywhere, and Exchange ActiveSync access to your Client Access server. You want to ensure that all client connections are secure by using SSL, and that none of the clients receives errors when they connect to the Client Access server. You plan on requesting a certificate from a Public CA. What should you include in the certificate request?
3. You have deployed two Client Access servers in the same Active Directory site. When one of the Client Access servers shuts down, users can no longer access their e-mail. What should you do?

Best Practices Related to Planning the Client Access Server Deployment


Supplement or modify the following best practices for your own work situations. When designing the Client Access server configuration, consider the following recommendations:
• The recommended processor configuration for Client Access servers is eight processor cores, and the maximum recommended number of processor cores is 12. You should deploy at least two processor cores for Client Access servers, even in small organizations, because of the addition of the RPC Client Access service on the Client Access server. As a general guideline, you should deploy three Client Access server processor cores in an Active Directory site for every four Mailbox server processor cores.
• The recommended memory configuration for Client Access server is 2 gigabytes (GB) per processor core, with a maximum of 8 GB.
• Deploying Client Access servers on a perimeter network is not a supported scenario. The Client Access server must be deployed on the internal network.
• The Client Access server role must be installed on a member server, and it must have access to a domain controller and global catalog server, as well as the Mailbox servers inside the organization.


Tools
Tool: Microsoft Exchange Server Remote Connectivity Analyzer
Use for: Troubleshooting Internet connectivity for messaging clients.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=179969

Tool: Test E-Mail AutoConfiguration
Use for: Troubleshooting Outlook connectivity to the Client Access server.
Where to find it: Open Outlook, press and hold CTRL, right-click the Outlook connection object, and then click Test E-Mail AutoConfiguration.

Tool: Internet Information Server (IIS) Manager
Use for: Configuring SSL settings for Client Access server virtual directories.
Where to find it: Administrative Tools

Managing Message Transport

5-1

Module 5
Managing Message Transport
Contents:
Lesson 1: Overview of Message Transport 5-3
Lesson 2: Configuring Message Transport 5-18
Lab: Managing Message Transport 5-38


Module Overview

This module details how to manage message transport in Microsoft Exchange Server 2010. To implement message transport in Exchange Server 2010, it is important to understand the components of message transport, how Exchange Server 2010 routes messages, and how you can troubleshoot message-transport issues. This module also provides details on deploying the Exchange Server 2010 Hub Transport server, and the options that you can configure.

After completing this module, you will be able to:
• Describe message transport in Exchange Server 2010.
• Configure message transport.


Lesson 1

Overview of Message Transport

In this lesson, you will review message flow and the components that message transport requires, especially when you implement multiple Exchange Server 2010 Hub Transport servers. To understand message flow, you should know how message routing works within an Exchange Server organization, and how Exchange Server routes messages between Active Directory Domain Services (AD DS) sites or outside the Exchange Server organization. Exchange Server 2010 provides several tools for troubleshooting Simple Mail Transfer Protocol (SMTP) message delivery, and this lesson describes how you can use these troubleshooting tools.

After completing this lesson, you will be able to:
• Describe message flow.
• Describe the components of message transport.
• Describe how an Exchange Server organization routes messages.
• Describe message routing between Active Directory sites.
• Describe options for modifying the default message flow.
• Describe the tools for troubleshooting SMTP message delivery.
• Troubleshoot SMTP message delivery.


Discussion: Overview of Message Flow

Key Points
Exchange Server 2010 uses the SMTP message protocol standard. Therefore, it is important to understand how SMTP works. Exchange Server 2010 also supports several message-flow scenarios. Based on your organization's messaging environment, you can implement a suitable message-flow scenario.

Discussion Questions
Based on your experience, consider the following questions:
Question: What is SMTP?
Question: What are the various message-flow scenarios?
Question: What type of message-flow scenarios do most organizations implement?


Components of Message Transport

Key Points
The message transport pipeline in Exchange Server 2010 consists of several components that work together to route messages. Messages from outside the organization enter the transport pipeline through an SMTP Receive connector on an Edge Transport server, a Hub Transport server, or another SMTP server. Messages inside the organization enter the transport pipeline through the SMTP connector on a Hub Transport server, through agent submission, from the Pickup or Replay directory, or by direct placement by the store driver in the Submission queue.

Submission Queue
When the Microsoft Exchange Transport service starts, the categorizer creates one Submission queue on each Edge Transport server and Hub Transport server. The Submission queue stores all messages on disk until the categorizer processes them for further delivery. The categorizer cannot process a message unless a server promotes it to the Submission queue. While the categorizer processes a message, it remains in the Submission queue. After the categorizer categorizes a message successfully, it removes it from the Submission queue.


Store Driver
Messages sent by mailbox users enter the message-transport pipeline from the sender's Outbox. The store driver on the Hub Transport server retrieves messages from the sender's Outbox, and submits them to a Submission queue.

Microsoft Exchange Mail Submission Service


The Microsoft Exchange Mail Submission service is a notification service running on Mailbox servers. It notifies a Hub Transport server role in the local Active Directory site when a message is available for retrieval from a sender's Outbox. The store driver on the notified Hub Transport server role picks up the message from the sender's Outbox.

Categorizer
The categorizer retrieves one message at a time from the Submission queue, and always picks the oldest message first. On an Edge Transport server, categorization of an inbound message is a short process in which the categorizer verifies the recipient SMTP address and places the message directly into the delivery queue. From the delivery queue, it routes the message to a Hub Transport server.

Pickup Directory
Most messages enter the message transport pipeline through SMTP Receive connectors or by submission through the store driver. However, messages also can enter the message transport pipeline by being placed in the Pickup directory on a Hub Transport server or an Edge Transport server.


How Are Messages Routed in an Exchange Server Organization?

Key Points
In an Exchange Server messaging environment, you must deploy a Hub Transport server role in each Active Directory site where a Mailbox server role or a Unified Messaging server is installed. Hub Transport servers deliver all messages in an Exchange Server 2010 organization, including messages sent between two recipients with mailboxes located in the same Mailbox database, on the same site, and between Active Directory sites. The following process describes how a Hub Transport server delivers mail within a single Active Directory site:
1. The message flow begins when a message is submitted to the message store on an Exchange Server 2010 Mailbox server role.
2. When the Microsoft Exchange Mail Submission service detects that a message is available and waiting in an Outbox, it picks an available Hub Transport server and submits a new message notification to the store driver.
3. The store driver retrieves the message from the Mailbox server role. The store driver uses MAPI to connect to the user's Outbox and collect any messages that are awaiting delivery. The store driver submits the messages to the categorizer submission queue, for processing, and also moves a copy of the message from the user's Outbox to the user's Sent Items folder.

Note: While the message is passing through the Hub Transport server role, the server can use transport agents to modify the message or the message flow. For example, transport agents can apply custom routing or journaling rules, or perform antivirus filtering.

4. For messages destined to arrive at a Mailbox server on the same Active Directory site, the store driver places the message in a local delivery queue and delivers the message through MAPI to the Mailbox server role.
5. For messages destined to arrive at a Mailbox server on another Active Directory site, the Hub Transport server uses the Active Directory site-link information to determine the route to the destination site. After determining the path, the Hub Transport server connects directly to the server on the remote site. If no Hub Transport server on the destination site is available, the store driver routes the message to a Hub Transport server that is closer to the destination site.
6. For messages destined for the Internet, the Hub Transport server delivers the message to an Edge Transport server, which delivers the message to the appropriate Internet e-mail server. If the organization does not use an Edge Transport server, a Hub Transport server delivers the message directly to the appropriate Internet e-mail server using SMTP.


How Are Messages Routed Between Active Directory Sites?

Key Points
For remote mail-flow scenarios, the initial steps, in which the message passes from the Mailbox server to the Hub Transport server, are identical to those of the local mail-flow scenario.

Understanding Remote Mail Flow


When a message is addressed to a recipient in the same Exchange Server organization, but in a different Active Directory site, the following process takes place:
1. The local Mailbox server uses Active Directory site-membership information to determine which Hub Transport servers are located in the same Active Directory site as the Mailbox server. The Mailbox server submits the message to the local Hub Transport server. If more than one Hub Transport server exists in the site, the Mailbox server will load-balance message delivery to all available Hub Transport servers.
2. The Hub Transport server performs recipient resolution and queries AD DS to match the recipient e-mail address to a recipient account. The recipient account information includes the fully qualified domain name (FQDN) of the user's Mailbox server. The FQDN determines the Active Directory site of the user's Mailbox server. In a default configuration, the local Hub Transport server opens an SMTP connection to the remote Hub Transport server in the destination site, and then delivers the message.
3. After a Hub Transport server in the destination Active Directory site receives the message, it forwards the message to the appropriate Mailbox server in the destination Active Directory site.
4. If the message has multiple recipients whose mailboxes are in different Active Directory sites, Exchange Server uses delayed fan-out to optimize message delivery. If the recipients share a portion of the path, or the entire path, then Exchange Server sends a single copy of the message with these recipients until the bifurcation point. Exchange Server then bifurcates and sends a separate copy to each recipient. For example, if the least-cost routes from Site1 to Site3 and Site4 both pass through Site2, then Exchange Server sends a single copy of a message intended for recipients in Site3 and Site4 to a Hub Transport server in Site2. Then, the Hub Transport server in Site2 sends two copies of the message: one each to a Hub Transport server in Site3 and Site4.

How Exchange Server 2010 Deals with Message-Delivery Failure


If a Hub Transport server cannot deliver a message to a Hub Transport server in the destination site, the Hub Transport server uses the least-cost routing path to deliver the message as close as possible to the destination site. The source Hub Transport server attempts to deliver the message to a Hub Transport server in the last site before the destination site, along the least-cost routing path. The Hub Transport server continues to trace the path backward until it makes a connection to a Hub Transport server. The Hub Transport server queues the messages in that Active Directory site, and the queue is in a retry state. If Hub Transport servers are not available in any site along the least-cost route, the message is queued on the local Hub Transport server. This behavior is called queue at point of failure.
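To make the routing decisions in this topic concrete, the following PowerShell model is an added example that is not part of the course: it computes the least-cost path over a set of site links, honours an Exchange-specific cost and a hub site when one lies on the path, groups recipients by next hop to show delayed fan-out (the Site1/Site2/Site3/Site4 case above, with Site2 configured as a hub site so that the relay through it is explicit), and walks the path backward to find the queue-at-point-of-failure site. The sites, links and costs are constructed sample data and the function names are this example's own.

```powershell
# Added example (not from the course): a model of Exchange 2010 routing decisions.
# Site links: the two sites joined, the AD cost, and an optional Exchange cost.
$links = @(
    @{ Sites = @("Site1", "Site2"); ADCost = 10; ExchangeCost = $null },
    @{ Sites = @("Site2", "Site3"); ADCost = 10; ExchangeCost = $null },
    @{ Sites = @("Site2", "Site4"); ADCost = 10; ExchangeCost = $null },
    @{ Sites = @("Site1", "Site4"); ADCost = 15; ExchangeCost = 50 }   # cheap for AD, costly for Exchange
)
$hubSites = @("Site2")   # sites that have been marked as hub sites (constructed)

function Get-LinkCost($link) {
    # An Exchange-specific cost, when present, replaces the AD cost for routing.
    if ($link.ExchangeCost -ne $null) { return $link.ExchangeCost }
    return $link.ADCost
}

function Get-LeastCostPath([string]$From, [string]$To) {
    # Dijkstra over the site links; returns the sites in order, source first,
    # or $null when no link connects the two sites.
    $dist = @{}; $prev = @{}; $done = @{}
    $dist[$From] = 0
    while ($true) {
        $current = $null
        foreach ($s in $dist.Keys) {
            if (-not $done[$s] -and ($current -eq $null -or $dist[$s] -lt $dist[$current])) { $current = $s }
        }
        if ($current -eq $null -or $current -eq $To) { break }
        $done[$current] = $true
        foreach ($l in $links) {
            if ($l.Sites -notcontains $current) { continue }
            $next = $l.Sites | Where-Object { $_ -ne $current }
            $alt = $dist[$current] + (Get-LinkCost $l)
            if (-not $dist.ContainsKey($next) -or $alt -lt $dist[$next]) {
                $dist[$next] = $alt
                $prev[$next] = $current
            }
        }
    }
    if (-not $dist.ContainsKey($To)) { return $null }
    $path = @($To)
    $p = $To
    while ($prev.ContainsKey($p)) { $p = $prev[$p]; $path = @($p) + $path }
    return $path
}

function Get-NextHop([string]$From, [string]$To) {
    # A hub site is used only when it lies on the least-cost path; otherwise the
    # source connects directly to a Hub Transport server in the destination site.
    $path = Get-LeastCostPath $From $To
    if ($path -eq $null) { return $null }
    foreach ($site in $path[1..($path.Count - 1)]) {
        if ($hubSites -contains $site) { return $site }
    }
    return $To
}

function Show-DelayedFanOut([string]$At, [string[]]$Destinations) {
    # One copy per distinct next hop; the recursion prints each bifurcation point.
    $byHop = @{}
    foreach ($d in $Destinations) {
        if ($d -eq $At) { "$At delivers locally"; continue }
        $hop = Get-NextHop $At $d
        if (-not $byHop.ContainsKey($hop)) { $byHop[$hop] = @() }
        $byHop[$hop] += $d
    }
    foreach ($hop in $byHop.Keys) {
        "$At sends one copy to $hop for: " + ($byHop[$hop] -join ", ")
        Show-DelayedFanOut $hop $byHop[$hop]
    }
}

function Get-QueueSite([string]$From, [string]$To, [string[]]$DownSites) {
    # Walk the least-cost path back from the destination until a site whose Hub
    # Transport servers answer is found; the message queues there in retry.
    $path = Get-LeastCostPath $From $To
    for ($i = $path.Count - 1; $i -gt 0; $i--) {
        if ($DownSites -notcontains $path[$i]) { return $path[$i] }
    }
    return $From   # nothing reachable along the route: queue on the local server
}

"Least-cost path Site1 -> Site4: " + ((Get-LeastCostPath "Site1" "Site4") -join " -> ")
# The direct Site1-Site4 link loses to Site1 -> Site2 -> Site4 because its
# Exchange cost (50) replaces its AD cost (15).
Show-DelayedFanOut "Site1" @("Site3", "Site4")
"Queue site with Site4 down: " + (Get-QueueSite "Site1" "Site4" @("Site4"))
"Queue site with Site2 and Site4 down: " + (Get-QueueSite "Site1" "Site4" @("Site2", "Site4"))
```

With the sample data the fan-out shows one copy from Site1 to Site2 and two copies from Site2 onward, and the queue site is Site2 when only Site4 is down and Site1 when Site2 is down as well.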


Options for Modifying the Default Message Flow

Key Points
In some cases, you may want to modify the default message routing configuration. You can do this by configuring specific Active Directory sites as Hub sites, and by assigning Exchange Server-specific routing costs to Active Directory site links. Hub sites are central sites that you define to route messages. By default, Hub Transport servers in one site will try to deliver messages to a recipient in another site by establishing a direct connection to a Hub Transport server in the remote Active Directory site. However, you can modify the default message-routing topology in three ways.

Configuring Hub Sites


You can configure one or more Active Directory sites in your organization as hub sites. When a hub site exists along the least-cost routing path between two Hub Transport servers, the messages are routed to a Hub Transport server in the hub site for processing before they are relayed to the destination server.


Important: The Hub Transport server routes a message through a hub site only if it exists along the least-cost routing path. The originating Hub Transport server always calculates the lowest cost route first, and then checks if any of the sites on the route are hub sites. If the lowest cost route does not include a hub site, the Hub Transport server will attempt a direct connection. Use the Set-AdSite -Identity <sitename> -HubSiteEnabled $true cmdlet to configure a site as a hub site.

Configuring Exchange-Specific Routing Costs


You also can modify the default message-routing topology by configuring an Exchange-specific cost to an Active Directory IP site link. If you assign an Exchange-specific cost to the site link, the Hub Transport server determines the least-cost routing path by using this attribute rather than the Active Directory-assigned cost.

Note: Use the Set-AdSiteLink -Identity <ADsitelinkname> -ExchangeCost <value> cmdlet to assign Exchange-specific routing costs. You also can use the Set-AdSiteLink -Identity <ADsitelinkname> -MaxMessageSize <value> cmdlet to assign a maximum message size limit for messages sent between Active Directory sites.

Configuring Expansion Servers for Distribution Groups


You also can modify the default routing topology by assigning expansion servers for distribution groups. By default, when a message is sent to a distribution group, the first Hub Transport server that receives the message expands the distribution list and calculates how to route the messages to each recipient in the list. If you configure an expansion server for the distribution list, all messages sent to the distribution list are sent to the specified Hub Transport server, which then expands the list and distributes the messages. For example, you can use expansion servers for location-based distribution groups to ensure that the local Hub Transport server resolves them.

Best Practice: You might need to review the Active Directory site design when you deploy Exchange Server 2010, to adjust the IP site links and site-link costs so that you optimize delayed fan-out and instead queue at the point of failure.
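The three topology changes described in this topic as Exchange Management Shell commands, followed by a read-back of the values routing is computed from; this is an added example, not part of the course. The site, link, server and group names are constructed sample values, and Get-RoutingInputs is this example's own helper; the cmdlets and their parameters are the Exchange Server 2010 ones.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell.

# 1. Hub site: messages whose least-cost path crosses "Seattle" stop at a Hub
#    Transport server there before being relayed on.
Set-AdSite -Identity "Seattle" -HubSiteEnabled $true

# 2. Exchange-specific cost on one IP site link (used instead of the AD cost),
#    plus a ceiling on the size of messages allowed to cross that link.
Set-AdSiteLink -Identity "Seattle-Vancouver" -ExchangeCost 50 -MaxMessageSize 20MB

# 3. Expansion server for a location-based distribution group. Exchange 2010
#    identifies the server by its Exchange legacy DN.
$hub = Get-ExchangeServer -Identity "SEA-HUB1"
Set-DistributionGroup -Identity "Seattle Staff" -ExpansionServer $hub.ExchangeLegacyDN

function Get-RoutingInputs {
    # One row per AD IP site link showing the AD cost, any Exchange cost and
    # the cost the Hub Transport server actually uses. Helper for this example.
    Get-AdSiteLink | ForEach-Object {
        $effective = if ($_.ExchangeCost -ne $null) { $_.ExchangeCost } else { $_.Cost }
        New-Object PSObject -Property @{
            Link           = $_.Name
            Sites          = (($_.Sites | ForEach-Object { $_.Name }) -join ", ")
            ADCost         = $_.Cost
            ExchangeCost   = $_.ExchangeCost
            EffectiveCost  = $effective
            MaxMessageSize = $_.MaxMessageSize
        }
    }
}

# Read-back: link costs as routing sees them, and which sites are hub sites.
Get-RoutingInputs |
    Format-Table Link, Sites, ADCost, ExchangeCost, EffectiveCost, MaxMessageSize -AutoSize
Get-AdSite | Where-Object { $_.HubSiteEnabled } | Format-Table Name, HubSiteEnabled -AutoSize
Get-DistributionGroup -Identity "Seattle Staff" | Format-List Name, ExpansionServer
```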


Tools for Troubleshooting SMTP Message Delivery

Key Points
Similar to Exchange Server 2007, Exchange Server 2010 also provides several tools for troubleshooting SMTP message delivery.

Tip: Exchange Server 2010 relies on the Active Directory site configuration for message routing. Therefore, to troubleshoot a message-routing issue, you might need to use Active Directory tools to validate or modify site, site link, or IP subnet information, and to verify Active Directory replication. You can use the Active Directory Sites and Services tool to view IP subnets and site links.


Using Exchange Server Best Practices Analyzer


The Exchange Server Best Practices Analyzer is a tool that you can use to check the Exchange server configuration and the health of your Exchange server topology. This tool automatically examines an Exchange server deployment and determines whether the configuration is in line with Microsoft best practices. You should run the Best Practices Analyzer after you install a new Exchange server, upgrade an existing Exchange server, or make configuration changes.

Using the Mail Flow Troubleshooter


The Mail Flow Troubleshooter tool assists Exchange Server administrators in troubleshooting common mail-flow problems.

Using the Queue Viewer


As in previous Exchange Server versions, messages waiting to be processed or delivered reside in message queues on the Hub Transport servers. However, unlike in versions before Exchange Server 2007, all message queues reside in a local Exchange Server database on the server. The message queues provide a very useful diagnostic tool for locating and identifying messages that have not been delivered.

Note: For more information on the queues that Exchange Server 2010 uses, and the process for troubleshooting message flow, see the Managing Queues page on the Microsoft TechNet Web site.

Using Message Tracking and Tracking Log Explorer


You also can use message tracking to troubleshoot message flow. By default, message tracking is enabled on Hub Transport servers, and all message-tracking logs are stored in the C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking folder.


Note: To view the message-tracking logs, use the Message Tracking and Tracking Log Explorer tools available in the Exchange Management Console Toolbox. In Exchange Server 2010, users also can track their messages using the Exchange Control Panel (ECP). The Message Tracking tool does not provide the level of detail that the Tracking Log Explorer provides. For example, when a message is sent between two Exchange servers that are in the same Active Directory site, Message Tracking does not show the Exchange server names, whereas Tracking Log Explorer provides this information.

Using the Routing Log Viewer


You can use the Routing Log Viewer to open a routing log file that contains information about how the routing topology appears to the server. You can use this information when you troubleshoot message routing within the organization or to the Internet.

Using Protocol Logging


You also can configure protocol logging to provide detailed information for troubleshooting message flow. Protocol logging is enabled in the SMTP Send connector or SMTP Receive connector properties, and the log files are stored in the C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog folder.

Using Telnet
You can use Telnet to check whether the SMTP port responds, or to send an SMTP message directly to a connector to see whether the connector accepts it. Telnet is a Windows Server 2008 feature, and you use it from the command line with the following syntax: telnet <servername> SMTP or telnet <servername> <port>. For example, you can use either TELNET VAN-EX1 SMTP or TELNET VAN-EX1 25; the two are equivalent.


Demonstration: How to Troubleshoot SMTP Message Delivery

Key Points
In this demonstration, you will see how to use Telnet and Queue Viewer to troubleshoot SMTP message delivery.

Demonstration Steps
1. Open the Command Prompt window.
2. To start the Telnet tool, at the command prompt, type Telnet VAN-EX1 SMTP, and try to send a mail using Telnet.
3. In Exchange Management Console, from the Toolbox pane, start the Queue Viewer tool.
4. Suspend and resume the Submission queue.
5. Close Queue Viewer.
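The Telnet connectivity check and the queue inspection from this demonstration, done from PowerShell instead of the Telnet client, as an added example that is not part of the course text. It connects to the SMTP port, records the banner and the capabilities the Receive connector advertises in its EHLO reply, sends QUIT without submitting a message, and then lists the server's transport queues; server names are the lab's, and the EHLO name is assumed.

```powershell
# Added example (not from the course): SMTP banner/EHLO check plus queue summary (PowerShell 2.0).

function Test-SmtpConnector {
    param(
        [string]$Server   = 'VAN-EX1',
        [int]$Port        = 25,
        [string]$HeloName = 'VAN-DC1.adatum.com'   # assumed name we introduce ourselves with
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 5000                      # fail fast if the connector never answers
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"                      # SMTP lines are CRLF-terminated
    $writer.AutoFlush = $true

    # A multi-line reply continues while the code is followed by '-' (e.g. '250-STARTTLS').
    $readReply = {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
        ,$lines
    }

    try {
        $banner = & $readReply
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = & $readReply
        $writer.WriteLine('QUIT')
        & $readReply | Out-Null
    }
    finally {
        $client.Close()
    }

    New-Object PSObject -Property @{
        Endpoint        = '{0}:{1}' -f $Server, $Port
        Banner          = $banner[0]
        EhloAccepted    = ($ehlo[-1] -match '^250 ')
        # Skip the first line (greeting); the rest are the advertised extensions.
        Capabilities    = @($ehlo | Select-Object -Skip 1 | ForEach-Object { $_.Substring(4) })
        StartTlsOffered = [bool]($ehlo -match '^250[ -]STARTTLS')
    } | Select-Object Endpoint, Banner, EhloAccepted, StartTlsOffered, Capabilities
}

function Get-TransportQueueSummary {
    param([string]$Server = 'VAN-EX1')
    # LastError carries the transport service's own reason when a queue is in Retry.
    Get-Queue -Server $Server |
        Select-Object Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError
}

Test-SmtpConnector | Format-List
Get-TransportQueueSummary | Format-Table -AutoSize

# The pause from the demonstration, from the shell:
#   Suspend-Queue -Identity 'VAN-EX1\Submission'
#   Resume-Queue  -Identity 'VAN-EX1\Submission'
```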


Lesson 2

Configuring Message Transport

To configure message transport in an Exchange Server organization, you must first configure the Hub Transport servers. It is important to understand the various message-transport concepts and components, such as accepted and remote domains and SMTP connectors. This lesson also describes the various tasks of configuring a Hub Transport server and message routing. After completing this lesson, you will be able to:
- Describe the process for configuring Hub Transport Servers.
- Configure Hub Transport Servers.
- Describe the options for configuring message transport.
- Describe accepted domains.
- Describe remote domains.
- Configure accepted and remote domains.
- Describe an SMTP connector.
- Configure SMTP Send and Receive connectors.
- Describe the purpose and functionality of back pressure.


Process for Configuring Hub Transport Servers

Key Points
By default, when you install a Hub Transport server in an Exchange Server 2010 organization, this enables message routing within the organization. However, you might need to configure additional options on the Hub Transport server role. To configure a Hub Transport server, use the following process:
1. Configure server-specific settings. These settings include internal Domain Name System (DNS) configuration and connection limits.
2. Configure authoritative domains and e-mail address policies. An authoritative domain is one for which the Exchange Server organization accepts messages and has mailboxes. You first must configure an authoritative domain before you can configure e-mail address policies to apply e-mail addresses to recipients and accept inbound SMTP messages for those recipients.


3. Configure a postmaster mailbox. For each accepted domain, you must configure a postmaster mailbox. The postmaster mailbox must meet the requirements of RFC 2822 and must be able to receive NDRs and DSNs. You can create a new mailbox, or you can add the postmaster alias to an existing mailbox user.
4. Configure Internet message flow. If you are not deploying an Edge Transport server, you will need to configure the Hub Transport server to enable inbound and outbound mail flow. To enable inbound mail flow, configure an SMTP Receive connector to accept anonymous connections on port 25 using a network interface that is accessible from the Internet. To enable outbound e-mail flow, configure an SMTP Send connector with an address space of * that can use DNS or a smart host to send messages to the Internet. If you are using the Hub Transport server to send and receive e-mail from the Internet, you should configure antivirus and anti-spam agents on the Hub Transport server.

Note: We strongly recommend that you use an Edge Transport server role or some other SMTP relay server to send and receive messages from the Internet. If you are using an SMTP gateway server other than an Exchange Server 2010 Edge Transport server role, you still will need to configure the SMTP Send connector and SMTP Receive connector. The only difference is that you should configure the SMTP gateway server as the smart host on the SMTP Send connector and accept only connections from the SMTP gateway server on the SMTP Receive connector. As an alternative to managing your own Edge Transport server role, you should also consider Exchange Hosted Services.

5. Configure messaging policies. By default, messaging policies are not applied to messages passing through the Hub Transport server role. As part of the Hub Transport server role deployment, you must configure your organization's transport and journaling rules.
6. Configure administrative permissions. As part of the Hub Transport server role deployment, you can choose to delegate permissions to configure and monitor the server.


Demonstration: How to Configure Hub Transport Servers

Key Points
In this demonstration, you will review the options for configuring Hub Transport servers.

Demonstration Steps
1. On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.
3. On the Global Settings tab, double-click Transport Settings and review the options on the Message Delivery tab.
4. In Exchange Management Console, expand Server Configuration, and then click Hub Transport. Open the Hub Transport server properties and review the options on the Log Settings tab and the Limits tab.
5. At the Exchange Management Shell command prompt, type Get-TransportServer -Identity van-ex1 | fl, and then press ENTER.


Options for Configuring Message Transport

Key Points
Exchange Server 2010 supports various additional options that you can configure on the message transport. These options include transport rules, Rights Protection using transport protection rules, journaling, enhanced disclaimers, and moderated transport.

Note: This module provides a high-level overview of these options. Module 8 provides more details on these options.

Transport Rules
Transport rules inspect messages for the conditions that the rule specifies, and then apply the rule's actions to messages that meet the conditions and none of the exceptions. Exchange Server 2010 includes several new predicates and actions, and provides additional flexibility in creating rules and additional options for actions that you can apply to messages.


Rights Protection Using Transport Protection Rules


You can use transport protection rules to protect messaging content by rights-protecting e-mail messages and attachments of supported file types, such as Microsoft Office Word or Microsoft Office Excel. Transport protection rules apply Rights Management Services (RMS) templates to messages in transport, which restrict the recipients that can access a message, and specify the actions that recipients of the message can perform, such as printing a message or an attachment, and forwarding a message. You can use the Active Directory Rights Management Services (AD RMS) component of Exchange Server 2010 to protect messaging content.

Journaling
Journaling is the ability to record all communications, including e-mail communications, in an organization for use in the organization's e-mail retention or archival strategy.

Enhanced Disclaimers
Exchange 2010 lets you add disclaimers that can include hyperlinks, images, and HTML-formatted text. You also can insert Active Directory attributes that are substituted with the sender's attributes when a message triggers a disclaimer rule.

Moderated Transport
Using the moderated transport feature in Exchange Server 2010, you can make it mandatory that a moderator approves all e-mail messages that are sent to specific recipients. You can configure any type of recipient as a moderated recipient, and Exchange 2010 Hub Transport servers ensure that all messages sent to those recipients go through an approval process.

Anti-Spam and Antivirus Protection


The built-in protection features in Exchange Server 2010 provide anti-spam and antivirus protection for messages. Although these built-in protection features are intended for use in the perimeter network on the Edge Transport server role, you also can configure the Edge Transport agents on the Hub Transport server. Although Exchange Server 2010 includes some antivirus protection features, such as transport rules that you can configure to prevent a virus attack, it does not include any virus-scanning software. Therefore, you should consider third-party virus-scanning software, such as Microsoft Forefront Security for Exchange, to provide additional antivirus protection.


What Are Accepted Domains?

Key Points
As part of the Hub Transport server-configuration process, you should configure the domains for which the Hub Transport server will accept e-mail, and configure users with alternate e-mail addresses.

Configuring Accepted Domains


The accepted domain property specifies one or more SMTP domain names for which the Exchange server receives mail. If an SMTP Receive connector on the Exchange Server 2010 Hub Transport server receives a message that is addressed to a domain that is not on the accepted domain list, it rejects the message and sends an NDR. To configure an accepted domain, access the Organization Configuration node, and then click Hub Transport. You can view the current accepted domains in the Accepted Domains tab, and you can create additional domains by clicking New Accepted Domain in the Actions pane.


When you create a new accepted domain, you have three options for the domain type you want to create:
- Authoritative Domain. Select this option if the recipients using this domain name have mailboxes in the Exchange Server organization.
- Internal Relay Domain. Select this option if the Hub Transport or Edge Transport server should accept the e-mail, but relay it to another messaging organization in another Active Directory forest. The recipients in an internal relay domain do not have mailboxes in this Exchange organization, but do have contacts in the global address list (GAL). When messages are sent to the contacts, the Hub Transport server or Edge Transport server forwards them to another SMTP server.
- External Relay Domain. Select this option if the Hub Transport or Edge Transport server should accept the e-mail, but relay it to an alternate SMTP server. In this scenario, the transport server receives the messages for recipients in the external relay domain, and then routes the messages to the e-mail system for the external relay domain. This requires a Send connector from the transport server to the external relay domain.

Note: To configure accepted domains using the Exchange Management Shell, use the New-AcceptedDomain or Set-AcceptedDomain cmdlet.


What Are Remote Domains?

Key Points
Remote domains define SMTP domains that are external to your Exchange organization. You can create remote domain entries to define the settings for message transfer between the Exchange Server 2010 organization and domains outside your AD DS forest. When you create a remote domain entry, you control the types of messages that are sent to that domain. You also can apply message-format policies and acceptable character sets for messages that are sent from your organization's users to the remote domain. The settings for remote domains determine the Exchange organization's global configuration settings.

Creating Remote Domain Entries


You can create remote domain entries to define the mail-transfer settings between the Exchange Server 2010 organization and a domain that is outside your Active Directory forest. When you create a domain entry, you provide a name to help administrators identify the entry's purpose when they view configuration settings.


Configuring Remote Domain Settings


The configuration for a remote domain determines the out-of-office message settings for e-mail that is sent to the remote domain and the message format settings for e-mail that is sent to the remote domain.

Out-of-Office Message Settings


The out-of-office message settings control the messages that are sent to recipients in the remote domain. The types of out-of-office messages that are available in your organization depend on both the Microsoft Office Outlook client version and the Exchange Server version on which the user's mailbox is located. An out-of-office message is set on the Outlook client but is sent by the Exchange server. Exchange Server 2010 supports three out-of-office message classifications: external, internal, and legacy.

Message Format Options Including Acceptable Character Sets


You can configure multiple message format options to specify message delivery and formatting policies for the messages that are sent to recipients in the remote domain. The first set of options on the Message Format tab apply restrictions to the types of messages that can be sent to the remote domain, how the sender's name displays to the recipient, and the column width for message text. These options include:
- Allow automatic replies.
- Allow automatic forward.
- Allow delivery reports.
- Allow nondelivery reports.
- Display sender's name on messages.
- Use message text line-wrap at column.
- Meeting forward notification enabled.


Message Format Options


Use the Exchange rich-text format settings to determine whether e-mail messages from your organization to the remote domain are sent by using Exchange Rich Text Format (RTF).

Character Sets
The Character Sets options let you select a MIME character set and a non-MIME character set to use when you send messages to a remote domain.


Demonstration: How to Configure Accepted and Remote Domains

Key Points
In this demonstration, you will review the default accepted domain configuration, and then see how to configure accepted and remote domains.

Demonstration Steps
1. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.
2. Click the Accepted Domains tab, and then double-click Adatum.com. Click OK.
3. Click New Accepted Domain and create an accepted domain for adatum.local as an Internal Relay Domain.
4. Click the Remote Domains tab, and review the default remote domain settings. Click OK.
5. Click New Remote Domain, and create a remote domain for contoso.com.


What Is an SMTP Connector?

Key Points
For a Hub Transport server to send or receive messages using SMTP, at least two SMTP connectors must be available on the server. An SMTP connector is an Exchange Server component that supports one-way SMTP connections that route mail between Hub Transport and Edge Transport servers or between the transport servers and the Internet. You create and manage SMTP connectors from the Exchange Management Console or the Exchange Management Shell. Exchange Server 2010 provides two types of SMTP connectors: SMTP Receive connectors and SMTP Send connectors.

Note: Exchange Server 2010 automatically creates the Send and Receive connectors that intraorganization mail flow requires. These are implicit connectors that are not visible in the Exchange management tools, and you cannot modify them.


What Are SMTP Receive Connectors?


An Exchange Server 2010 computer requires an SMTP Receive connector to accept any SMTP e-mail. An SMTP Receive connector enables an Exchange Hub Transport or Edge Transport server to receive mail from any other SMTP source, including SMTP mail programs such as Windows Mail, SMTP servers on the Internet, Edge Transport servers, or other Exchange Server SMTP servers. You create SMTP Receive connectors on each server running the Hub Transport server role. Use the following naming convention for the SMTP Receive connectors: Client SERVERNAME Receive connector, which you configure to receive connections from SMTP clients such as Windows Mail; and Default SERVERNAME Receive connector, which you configure to receive authenticated connections from other SMTP servers. The default configuration for the two connectors is almost identical, but with one important difference: you configure the Client SERVERNAME Receive connector to listen on port 587 rather than port 25. As described in RFC 2476, port 587 has been proposed for use only for message submission from e-mail clients that require message relay.

What Are SMTP Send Connectors?


An Exchange Server 2010 computer requires an SMTP Send connector to send any SMTP e-mail, and to send e-mail to any SMTP server on the Internet or to any SMTP servers in the same Exchange Server organization.

Note: By default, no SMTP Send connectors are configured on Hub Transport servers, except for the implicit SMTP Send connectors. These are created dynamically to communicate with Hub Transport servers in other sites.

How to Manage SMTP Connectors


You can use the Exchange Management Console or the Exchange Management Shell to create, configure, or view SMTP connectors.

Note: Incorrect configuration of SMTP Receive connectors can turn the mail server into an open relay. Therefore, you must test the configuration carefully.


Demonstration: How to Configure SMTP Send and Receive Connectors

Key Points
In this demonstration, you will see how to configure SMTP Send and Receive connectors.

Demonstration Steps
1. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.
2. Click the Send Connectors tab and create a New Send Connector.
3. In Exchange Management Console, expand Server Configuration, and then click Hub Transport.
4. Click New Receive Connector and create a Receive connector that allows the anonymous group to send messages.
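A check for the open-relay condition that the earlier note warns about, applied to a Receive connector like the one created in step 4, as an added example that is not part of the course text. Accepting anonymous mail addressed to your own accepted domains is normal for an Internet-facing connector; the relay exposure arises when ANONYMOUS LOGON also holds the ms-Exch-SMTP-Accept-Any-Recipient extended right on a connector open to any remote address. The server name is the lab's.

```powershell
# Added example (not from the course): audit Receive connectors for relay exposure (PowerShell 2.0).

function Get-ReceiveConnectorRelayRisk {
    param([string]$Server = 'VAN-EX1')

    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        # PermissionGroups is a flags value; its string form lists the groups, e.g. "AnonymousUsers, ExchangeServers".
        $groups = "$($rc.PermissionGroups)"
        $anonymousAllowed = $groups -match 'AnonymousUsers'

        # Extended rights explicitly allowed to the anonymous principal on this connector.
        $anonRights = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { -not $_.Deny } |
            ForEach-Object { $_.ExtendedRights } |
            ForEach-Object { "$_" }
        $acceptAnyRecipient = $anonRights -contains 'ms-Exch-SMTP-Accept-Any-Recipient'

        $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
        $openToInternet = $ranges -contains '0.0.0.0-255.255.255.255'

        New-Object PSObject -Property @{
            Connector          = "$($rc.Identity)"
            Bindings           = (@($rc.Bindings | ForEach-Object { "$_" }) -join ', ')
            RemoteIPRanges     = ($ranges -join ', ')
            AnonymousAllowed   = [bool]$anonymousAllowed
            AcceptAnyRecipient = [bool]$acceptAnyRecipient
            ProtocolLogging    = "$($rc.ProtocolLoggingLevel)"
            # All three together: anyone on the Internet can hand this server mail for any domain.
            OpenRelayRisk      = [bool]($anonymousAllowed -and $acceptAnyRecipient -and $openToInternet)
        } | Select-Object Connector, Bindings, RemoteIPRanges, AnonymousAllowed, AcceptAnyRecipient, ProtocolLogging, OpenRelayRisk
    }
}

# Review every connector on the server and look closely at any row with OpenRelayRisk = True.
# If an application server genuinely needs relay, give it a dedicated connector whose
# RemoteIPRanges is limited to that host's address rather than granting the right on an
# Internet-facing connector.
Get-ReceiveConnectorRelayRisk | Format-List
```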


What Is Back Pressure?

Key Points
Back pressure is a system-resource monitoring feature of the Microsoft Exchange Transport service that exists on computers that have the Hub Transport server role or Edge Transport server role installed. Back pressure monitors important system resources, such as available hard-disk drive space and available memory. If utilization of a system resource exceeds the specified limit, the Exchange server stops accepting new connections and messages. This prevents the system resources from being completely overwhelmed, and enables the Exchange server to deliver the existing messages. When utilization of the system resource returns to a normal level, the Exchange server accepts new connections and messages.


Back pressure can be used to:
- Monitor system resources, such as available hard disk drive space and memory.
- Restrict new connections and messages if a system resource exceeds a specified level.
- Prevent the server from being completely overwhelmed.

For each monitored system resource on a Hub Transport server or Edge Transport server, the following three levels of resource utilization are applied:
- Normal. The resource is not overused. The server accepts new connections and messages.
- Medium. The resource is slightly overused. Back pressure is applied to the server in a limited manner. Mail from senders in the authoritative domain can flow. However, the server rejects new connections and messages from other sources.
- High. The resource is severely overused. Full back pressure is applied. All message flow stops, and the server rejects all new connections and messages.

Options for Configuring Back Pressure


All configuration options for back pressure are available in the EdgeTransport.exe.config application configuration file that is located in the C:\Program Files\Microsoft\Exchange Server\Bin directory. The EdgeTransport.exe.config file is an XML application configuration file that is associated with the EdgeTransport.exe file. The Microsoft Exchange Transport service uses the EdgeTransport.exe and MSExchangeTransport.exe executable files. This service runs on every Hub Transport server or Edge Transport server. Exchange Server applies changes that are saved to the EdgeTransport.exe.config file only after the Microsoft Exchange Transport service is restarted.
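Reading the back pressure settings out of EdgeTransport.exe.config (the path given above) and listing recent resource-pressure transitions, as an added example that is not part of the course text. The event IDs are an assumption from Exchange 2010's documented back pressure logging, and the key-name filter is a heuristic; nothing here edits the file.

```powershell
# Added example (not from the course): inspect back pressure configuration and activity (PowerShell 2.0).

$EdgeTransportConfig = 'C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe.config'

function Get-BackPressureSettings {
    param([string]$Path = $EdgeTransportConfig)
    # Standard .NET application config: <configuration><appSettings><add key="..." value="..."/>
    [xml]$config = Get-Content -Path $Path
    $config.configuration.appSettings.add |
        Where-Object { $_.key -match 'ResourceMonitoring|Threshold|QueueLength' } |
        Select-Object key, value
}

function Test-BackPressureEnabled {
    param([string]$Path = $EdgeTransportConfig)
    # EnableResourceMonitoring is the master switch. Absent means the default (enabled);
    # an explicit "false" disables the protection and should be treated as a finding.
    $setting = Get-BackPressureSettings -Path $Path | Where-Object { $_.key -eq 'EnableResourceMonitoring' }
    ($setting -eq $null) -or ($setting.value -eq 'true')
}

function Get-BackPressureEvents {
    param([string]$Server = 'VAN-EX1', [int]$Hours = 24)
    # Assumption: the MSExchangeTransport source logs 15004 when resource pressure rises
    # and 15005 when it drops back; confirm the IDs against your build's documentation.
    $ids = 15004, 15005
    Get-EventLog -ComputerName $Server -LogName Application -Source MSExchangeTransport -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $ids -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}

Get-BackPressureSettings | Format-Table -AutoSize
"Resource monitoring enabled: $(Test-BackPressureEnabled)"
Get-BackPressureEvents | Format-List

# After any edit to the file: Restart-Service MSExchangeTransport (the change is not read until then).
```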


Lab: Managing Message Transport

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running:
   - 10135A-VAN-DC1: Domain controller in the Adatum.com domain
   - 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
   - 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain
3. If required, connect to the virtual machines. Log on to VAN-DC1, VAN-EX1 and VAN-EX2 as Adatum\Administrator, using the password Pa$$w0rd.


Lab Scenario
You are a messaging administrator at A. Datum Corporation, a large multinational organization that has offices in London, Tokyo, and Vancouver, which is its headquarters. Your organization has deployed Exchange Server 2010 in two of its sites. However, all Internet messages should flow through the main site in Vancouver. As part of your job responsibilities, you need to set up the message transport to and from the Internet and also ensure that message flow works within and between the various sites.


Exercise 1: Configuring Internet Message Transport


Scenario
Your organization has deployed Exchange Server 2010 in two of its sites. However, all Internet messages should flow through the main site. As part of your job responsibilities, you need to set up the message transport to and from the Internet. You also want to configure the Hub Transport server for anti-spam. The main tasks for this exercise are as follows:
1. Configure a Send connector to the Internet.
2. Configure a Receive connector to accept Internet messages.
3. Enable anti-spam functionality on the Hub Transport server.
4. Verify that Internet message delivery works.

To prepare for this lab


1. On VAN-EX2, click Start, right-click Network, and click Properties.
2. Click Change adapter settings.
3. Right-click Local Area Connection 2, and click Properties.
4. Click Internet Protocol Version 4 (TCP/IPv4), and click Properties.
5. Change the IP address to 10.10.11.21, and then click OK. Click Close.
6. Click the Start button, and then click Restart. In the Comment field, type Lab restart, and then click OK.
7. After the system is restarted, log on to VAN-EX2 as Adatum\Administrator, using the password Pa$$w0rd.

Note: These preparation steps move VAN-EX2 to a second site defined in AD DS.


Task 1: Configure a Send connector to the Internet


1. On VAN-EX1, open Exchange Management Console.
2. Create a new Send Connector with the following configuration:
   - Name: Internet Send Connector
   - Use: Internet
   - Address space: *
   - Route all messages through VAN-DC1.adatum.com

Task 2: Configure a Receive connector to accept Internet messages


1. On VAN-EX1, create a new Receive Connector with the following configuration:
   - Name: Internet Receive Connector
   - Use: Custom
   - Local Network Settings: 10.10.0.10
2. Change the configuration on the Internet Receive Connector to enable anonymous users to send e-mail and to enable verbose logging.

Task 3: Enable anti-spam functionality on the Hub Transport server


1. On VAN-EX1, open the Exchange Management Shell.
2. Switch to the c:\Program Files\Microsoft\Exchange Server\v14\scripts directory and run the install-AntispamAgents.ps1 script to install the anti-spam agents on the Hub Transport server.
3. Restart the Microsoft Exchange Transport service.
4. Verify that anti-spam configuration options are now available on VAN-EX1 and at the organization level.


Task 4: Verify that Internet message delivery works


1. On VAN-EX1, log on to Outlook Web App as Wei, and send a message to Info@Internet.com.
2. From the Toolbox node in the Exchange Management Console, open the Queue Viewer. Check the queues on VAN-EX1 to verify that the message was delivered.
3. On VAN-DC1, use Telnet to verify that VAN-EX1 accepts anonymous messages. Use Telnet to send a message as Info@internet.com to WeiYu@adatum.com.
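Tasks 1 to 3 of this exercise carried out from the Exchange Management Shell on VAN-EX1 instead of the console, as an added example that is not part of the course text. It uses the connector names, addresses and script path the lab specifies, and reads each object back so the result can be checked before the verification in Task 4.

```powershell
# Added example (not from the course): Exercise 1 from the Exchange Management Shell (PowerShell 2.0).

# Task 1: Send connector for all Internet mail (address space *), handed to the smart host
# VAN-DC1 rather than resolved through DNS, sourced from VAN-EX1 only.
New-SendConnector -Name 'Internet Send Connector' -Usage Internet `
    -AddressSpaces '*' -SmartHosts 'VAN-DC1.adatum.com' -DNSRoutingEnabled $false `
    -SourceTransportServers 'VAN-EX1'
Get-SendConnector -Identity 'Internet Send Connector' |
    Format-List Name, AddressSpaces, SmartHosts, DNSRoutingEnabled, SourceTransportServers

# Task 2: Receive connector bound to the Internet-facing address on port 25. Anonymous
# submissions are accepted (for the accepted domains only, since no relay right is granted)
# and protocol logging is verbose so each SMTP session can be reviewed while troubleshooting.
New-ReceiveConnector -Name 'Internet Receive Connector' -Server 'VAN-EX1' -Usage Custom `
    -Bindings '10.10.0.10:25' -RemoteIPRanges '0.0.0.0-255.255.255.255' `
    -PermissionGroups AnonymousUsers -ProtocolLoggingLevel Verbose
Get-ReceiveConnector -Identity 'VAN-EX1\Internet Receive Connector' |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, ProtocolLoggingLevel

# Task 3: install the anti-spam agents on the Hub Transport server and restart transport
# so the agents load; the agent list confirms they are registered and enabled.
Set-Location 'C:\Program Files\Microsoft\Exchange Server\v14\scripts'
.\install-AntispamAgents.ps1
Restart-Service MSExchangeTransport
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize
```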

Results: After this exercise, you should have configured message transport to send and receive messages to and from the Internet using a smart host. You also should have configured anti-spam functionality on a Hub Transport server.


Exercise 2: Troubleshooting Message Transport


Scenario
You have successfully installed Exchange Server 2010 in two sites. You now need to make sure that mail flow is working correctly. The main tasks for this exercise are as follows:
1. Check the routing log, and verify that mail delivery works correctly.
2. Troubleshoot message transport.

Task 1: Check the routing log, and verify that mail delivery works correctly
1. On VAN-EX1, use the Routing Log Viewer to verify that VAN-EX1 is located in the Default-First-Site-Name site, and that VAN-EX2 is located in the Site2 site.
2. Log on to Outlook Web App as Wei, and send an e-mail to Anna, whose mailbox is on VAN-EX2. Verify that the mail is received and that Anna can respond to the e-mail.

Task 2: Troubleshoot message transport


1. On VAN-EX1, in Exchange Management Shell, run the d:\labfiles\Lab05Prep1.ps1 script.
2. Send another e-mail from Wei to Anna. Verify that the message is not delivered.
3. Use Queue Viewer to investigate mail flow problems.
4. Use Telnet to check connectivity from VAN-EX1 to VAN-EX2.
5. Re-create the receive connector to make mail flow work correctly.
6. Use Queue Viewer to force an immediate retry of message delivery.
7. Verify that Anna received the message.

Results: After this exercise, you should have used the Routing Log Viewer to get an overview of your routing topology. For troubleshooting, you should have used the Queue Viewer and Telnet to investigate the mail-flow problem.


Exercise 3: Troubleshooting Internet Message Delivery


Scenario
Your users complain that messages are not sent correctly to the Internet. As part of your job responsibilities, you need to track messages to find out why message flow to the Internet is not working correctly. The main tasks for this exercise are as follows:
1. Send a message to the Internet, and track it.
2. Implement user-based message tracking to verify mail delivery.
3. Troubleshoot Internet message delivery.

Task 1: Send a message to the Internet, and track it


On VAN-EX2, log on to Outlook Web App as Anna and send a message to Info@Internet.com.

Task 2: Implement user-based message tracking to verify mail delivery


Connect to the Exchange Control Panel as Anna, and use the Delivery Reports page to track the message she sent. Search for messages sent to Info@Internet.com.

Task 3: Troubleshoot Internet message delivery


1. On VAN-EX1, in Exchange Management Shell, verify that the shell is focused on c:\Program Files\Microsoft\Exchange Server\v14\scripts, and run d:\10135\labfiles\Lab05Prep2.ps1.
2. On VAN-EX2, send a second message from Anna to Info@Internet.com.
3. On VAN-EX1, in the Exchange Management Console, in the Toolbox node, access Message Tracking.
4. Log on to Exchange Control Panel as Administrator, and track the message that Anna sent. Verify that the message state is pending.
5. Use Mail Flow Troubleshooter to troubleshoot mail problems. When starting the Mail Flow Troubleshooter, choose the option to troubleshoot "Messages are backing up in one or more queues on a server". Choose VAN-EX1 as the Exchange server. Review the information on each wizard page, and identify the proposed root cause for the issue.
6. On VAN-DC1, use nslookup to try to locate the MX records for internet.com.
7. Configure a smart host in your Send connector.
8. Verify that the messages are now delivered.

Results: After this exercise, you should have used tools like Mail Flow Troubleshooter, Queue Viewer, Message Tracking, and nslookup to investigate why messages are not delivered to the Internet.
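The following added example is not part of the course lab files; it performs the same investigation as Tasks 2 and 3 from the Exchange Management Shell on VAN-EX1: follow the message through the tracking log, read the queue error, check for MX records, and only then change the Send connector. Anna's SMTP address, the Send connector name "To Internet" and the smart host VAN-SVR1.Adatum.com are assumptions; the lab only names the destination Info@Internet.com.

```powershell
# Added example (not from the course lab files). Assumed: sender address, Send
# connector name and smart host. Run on VAN-EX1 in the Exchange Management Shell.
$Sender    = 'Anna@Adatum.com'      # assumed lab SMTP address
$Recipient = 'Info@Internet.com'
$Since     = (Get-Date).AddHours(-1)

# 1. Follow the message hop by hop. A healthy trail ends in SEND; a trail that stops
#    after SUBMIT or shows DEFER means the message is waiting in a queue.
Get-MessageTrackingLog -Server 'VAN-EX1' -Sender $Sender -Recipients $Recipient -Start $Since |
    Sort-Object Timestamp |
    Format-Table Timestamp, EventId, Source, ConnectorId, ServerHostname, RecipientStatus -AutoSize

# 2. Read the queue for the destination domain. LastError is the SMTP or DNS error that
#    the Mail Flow Troubleshooter summarizes as the "proposed root cause".
Get-Queue -Server 'VAN-EX1' | Where-Object { $_.NextHopDomain -eq 'internet.com' } |
    Format-List Identity, DeliveryType, Status, MessageCount, LastError

# 3. A DNS-routed Send connector needs MX records. Resolve-DnsName does not exist before
#    Windows Server 2012, so wrap nslookup, which is what the lab uses on VAN-DC1.
function Get-MxRecords {
    param([string]$Domain, [string]$DnsServer)
    $nsArgs = @('-type=MX', $Domain)
    if ($DnsServer) { $nsArgs += $DnsServer }
    $output = & nslookup.exe @nsArgs 2>&1 | Out-String -Stream
    $mx = $output | Select-String 'mail exchanger = (\S+)' |
          ForEach-Object { $_.Matches[0].Groups[1].Value }
    if (-not $mx) { Write-Warning "No MX records for $Domain (nslookup: $(($output | Where-Object { $_.Trim() }) -join ' | '))" }
    return $mx
}
Get-MxRecords -Domain 'internet.com'

# 4. Which connector owns the SMTP:* address space, and does it route by DNS or smart host?
Get-SendConnector | Where-Object { $_.AddressSpaces -match '^SMTP:\*' } |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, SmartHosts, SourceTransportServers

# 5. If the lab network cannot resolve public MX records, hand Internet mail to a smart
#    host and force the retry instead of waiting for the next scheduled attempt.
Set-SendConnector -Identity 'To Internet' -SmartHosts 'VAN-SVR1.Adatum.com' -DNSRoutingEnabled $false
Retry-Queue -Server 'VAN-EX1' -Filter { Status -eq 'Retry' }
Start-Sleep -Seconds 10
Get-MessageTrackingLog -Server 'VAN-EX1' -Recipients $Recipient -EventId SEND -Start $Since |
    Format-Table Timestamp, ServerHostname, ConnectorId, RecipientStatus -AutoSize
```

The order matters in production as much as in the lab: switching a connector to a smart host before reading LastError and checking MX resolution hides the real fault (a DNS server that cannot reach the Internet, or a firewall that blocks outbound TCP 25) behind a workaround.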

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.


Module Review and Takeaways

Common Issues Related to Managing Message Transport


Identify the causes for the following common issues related to managing message transport, and fill in the troubleshooting tips. For answers, refer to the relevant lessons in the module.

Issue: You configure a Send connector to the Internet, but messages cannot be transferred over it.
Troubleshooting tip: Use Telnet on the Hub Transport server that is trying to send the mail, and connect to the target SMTP server on the Internet to see what the issue is. Often you cannot reach it because of DNS resolution or firewall settings.

Issue: You want to understand over which hops a message has been transferred.
Troubleshooting tip: Use Message Tracking, or view the header of the message in Outlook Web App.

Issue: Your Exchange server does not accept messages for the domain adatum-info.com.
Troubleshooting tip: Verify that this domain is part of the Accepted Domains in Organization Configuration under Hub Transport.


Module 6
Implementing Messaging Security
Contents:
Lesson 1: Deploying Edge Transport Servers   6-4
Lesson 2: Deploying an Antivirus Solution   6-21
Lab A: Configuring Edge Transport Servers and Forefront Protection 2010   6-31
Lesson 3: Configuring an Anti-Spam Solution   6-37
Lesson 4: Configuring Secure SMTP Messaging   6-55
Lab B: Implementing Anti-Spam Solutions   6-71


Module Overview

The Edge Transport server role is designed to be placed in a perimeter network, where it is exposed directly to the Internet. Exposing a server directly to the Internet raises numerous security concerns. This module describes how to plan for and deploy a Microsoft Exchange Server 2010 Edge Transport server role, and the security issues related to the deployment. This module also describes how to configure secure Simple Mail Transfer Protocol (SMTP) messaging, as well as Domain Security, a feature available in Exchange Server 2007 and later versions. The Edge Transport role provides powerful anti-spam functionality and some antivirus features. Because the Edge Transport role does not include a virus scanner, you can integrate additional antivirus products such as Microsoft Forefront Protection 2010 for Exchange Server.

After completing this module, you will be able to:
- Deploy Edge Transport servers.
- Deploy an antivirus solution.
- Configure an anti-spam solution.
- Configure secure SMTP messaging.


Lesson 1

Deploying Edge Transport Servers

In any Exchange Server deployment, it is important that you do not expose too much information to the Internet. You must ensure that critical data such as e-mail messages are protected from unauthorized access from the Internet. The Edge Transport server role provides functionality that secures this data from unauthorized Internet access. If you are planning to place a server in your perimeter network, you should plan to use an Edge Transport server. This lesson describes the features and functionality of the Edge Transport server role, and explains how you can configure data synchronization between the Active Directory directory service and the Edge Transport server.

After completing this lesson, you will be able to:
- Describe the Edge Transport server role.
- Identify the infrastructure requirements for the Edge Transport server role.
- Describe the functionality of Active Directory Lightweight Directory Services (AD LDS).
- Configure Edge Transport servers.
- Describe the purpose and functionality of Edge Synchronization.
- Explain how Internet message flow works in Exchange Server 2010.
- Describe the concept of cloned configuration.
- Configure Edge Synchronization.
- Describe how to secure Edge Transport servers.


What Is the Edge Transport Server Role?

Key Points
The Edge Transport server role in Exchange Server 2010 provides a secure SMTP gateway for all incoming and outgoing e-mail in an organization. As an SMTP gateway, the Edge Transport server's primary role is to maintain message hygiene, which includes anti-spam and antivirus filtering. You also can use the Edge Transport server to apply messaging policies to messages that are sent to the Internet.


Edge Transport Server Role Functionality


The Edge Transport server role provides the following functionality.

Feature: Internet message delivery
Description: The Edge Transport server role accepts all e-mail coming into the Exchange Server 2010 organization from the Internet, and from servers in external organizations.

Feature: Antivirus and anti-spam protection
Description: The Exchange Server 2010 Edge Transport server role helps prevent spam messages and viruses from reaching your organization's users by using a collection of agents that provide different layers of spam filtering and virus protection.

Feature: Edge transport rules
Description: Edge transport rules control the flow of messages that are sent to, or received from, the Internet. Edge transport rules apply actions to messages that meet specified conditions.

Feature: Address rewriting
Description: Address rewriting enables SMTP address modification for any of your organization's message senders or recipients.

Edge Transport Servers Deployment Considerations


When planning to deploy Edge Transport servers, consider the following factors:
- You cannot combine the Edge Transport server role with any other Exchange Server 2010 server role.
- To provide increased security, you must install the Edge Transport server role on a separate computer, which can be virtual or physical. The computer should not be a member of an Active Directory domain.

Note: You should not install the Edge Transport server role on a computer that is a member of the internal Active Directory domain, but you can install it in a perimeter network forest. Even if you install the Edge Transport server role on a domain member server, the server still uses AD LDS, not the domain's AD DS, to store its configuration and recipient information.

- You should deploy the Edge Transport server role in a perimeter network to ensure network isolation from both the internal network and the internal Exchange servers.


Edge Transport Server Role Infrastructure Requirements

Key Points
The Edge Transport server role is different from any other Exchange Server 2010 server role, because you can install it on servers running the Windows Server 2008 operating system that are not members of the internal Active Directory Domain Services (AD DS). This configuration makes it much easier and more secure to deploy Edge Transport servers in a perimeter network. When deploying Edge Transport servers, consider the following infrastructure requirements:
- You can install Edge Transport servers either on standalone servers, or on servers that are members of an extranet domain.
- The computer running the Edge Transport server role must have a fully qualified domain name (FQDN) configured.
- You must deploy Edge Transport servers in a perimeter network. This configuration provides the highest level of security.


The firewall configuration required for Edge Transport servers is greatly simplified, because the server does not need to be an internal domain member. The following table describes the firewall configuration requirements.

Firewall: External
Firewall rule: Allow port 25 from all external IP addresses to the Edge Transport server.
Explanation: This rule enables SMTP hosts on the Internet to send e-mail.

Firewall: External
Firewall rule: Allow port 25 to all external IP addresses from the Edge Transport server.
Explanation: This rule enables the Edge Transport server to send e-mail to SMTP hosts on the Internet.

Firewall: External
Firewall rule: Allow port 53 to all external IP addresses from the Edge Transport server.
Explanation: This rule enables the Edge Transport server to resolve Domain Name System (DNS) names on the Internet.

Firewall: Internal
Firewall rule: Allow port 25 from the Edge Transport server to specified Hub Transport servers.
Explanation: This rule enables the Edge Transport server to send inbound SMTP e-mail to Hub Transport servers.

Firewall: Internal
Firewall rule: Allow port 25 from specified Hub Transport servers to the Edge Transport server.
Explanation: This rule enables the Hub Transport servers to send e-mail to the Edge Transport server.

Firewall: Internal
Firewall rule: Allow port 50636 for secure Lightweight Directory Access Protocol (LDAP) from specified Hub Transport servers to the Edge Transport server.
Explanation: This rule enables the Hub Transport servers to replicate information to the Edge Transport servers using Edge Synchronization. This port is not the default secure LDAP port (636); it is used specifically for the Edge Synchronization process.

Firewall: Internal
Firewall rule: Allow port 3389 for Remote Desktop Protocol (RDP) from the internal network to the Edge Transport server.
Explanation: This rule is used for optional remote desktop administration of the Edge Transport server.

If the Edge Transport server directly routes e-mail to the Internet, you must configure the server with the IP addresses for Domain Name System (DNS) servers that can resolve DNS names on the Internet.
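The following added example is not part of the course; it applies the same rule set from the table to the Windows Firewall on the Edge Transport server itself, so that the host enforces the restrictions even if a perimeter firewall is misconfigured. Windows Server 2008 has no NetSecurity cmdlets, so the script drives netsh advfirewall. All IP addresses and the two-NIC layout (one external, one internal interface) are assumptions.

```powershell
# Added example (not from the course): host firewall on the Edge Transport server
# mirroring the perimeter rules in the table. Addresses and the two-NIC layout are assumed.
$EdgeExternal = '203.0.113.10'            # assumed: interface facing the Internet
$EdgeInternal = '172.16.0.10'             # assumed: interface facing the internal network
$HubServers   = '10.10.0.20,10.10.0.21'   # assumed: the subscribed Hub Transport servers
$AdminSubnet  = '10.10.0.0/24'            # assumed: where RDP sessions originate

# Default-deny inbound on every profile; everything below is an explicit allow.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# External side: any SMTP host on the Internet may deliver on TCP 25, but only to the
# external address, so the internal interface never accepts Internet connections.
netsh advfirewall firewall add rule name="Edge SMTP in from Internet" dir=in action=allow protocol=TCP localport=25 localip=$EdgeExternal remoteip=any

# Internal side: only the subscribed Hub Transport servers may deliver on TCP 25, and
# only they may reach the EdgeSync secure LDAP port. Binding 50636 to the internal
# address keeps the AD LDS instance unreachable from the Internet.
netsh advfirewall firewall add rule name="Edge SMTP in from Hub" dir=in action=allow protocol=TCP localport=25 localip=$EdgeInternal remoteip=$HubServers
netsh advfirewall firewall add rule name="EdgeSync LDAPS in from Hub" dir=in action=allow protocol=TCP localport=50636 localip=$EdgeInternal remoteip=$HubServers

# Optional administration: RDP only from the admin subnet and only on the internal side.
netsh advfirewall firewall add rule name="RDP in from admin subnet" dir=in action=allow protocol=TCP localport=3389 localip=$EdgeInternal remoteip=$AdminSubnet

# Optional: also lock outbound traffic to what the table lists (SMTP and DNS).
# netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
# netsh advfirewall firewall add rule name="SMTP out" dir=out action=allow protocol=TCP remoteport=25
# netsh advfirewall firewall add rule name="DNS out UDP" dir=out action=allow protocol=UDP remoteport=53
# netsh advfirewall firewall add rule name="DNS out TCP" dir=out action=allow protocol=TCP remoteport=53

# Review what is now enforced.
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern '^Rule Name|LocalIP|RemoteIP|LocalPort'
```

Scoping the 50636 rule to the Hub Transport addresses is the check worth keeping: the perimeter firewall table allows that port from "specified Hub Transport servers", and a host rule that allows it from any internal address would silently widen that to every machine that can reach the Edge server's internal interface.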


What Is AD LDS?

Key Points
The Edge Transport server does not use the Active Directory directory service to store its configuration information; instead, Edge Transport servers use AD LDS to store this data.

Note: AD LDS runs only on Windows Server 2008 computers, while the ADAM service can run on Windows Server 2003 computers. AD LDS is an update of ADAM.

What Is AD LDS?
AD LDS is a special mode of AD DS that stores information for directory-enabled applications. AD LDS is an LDAP-compatible directory service that runs on servers running the Windows Server 2008 operating system. AD LDS is designed to be a standalone directory service. It does not require the deployment of DNS, domains, or domain controllers; instead, it stores and replicates only application-related information.


How AD LDS Works with Exchange Server 2010 Edge Transport Servers
AD LDS stores configuration and recipient data for the Exchange Server 2010 Edge Transport server role. Before you can install the Edge Transport server role, you must install the AD LDS server role on a Windows Server 2008 computer. AD LDS is then configured automatically when you install the Edge Transport server role. The following types of information are stored in AD LDS:
- Schema
- Configuration
- Recipient information

Managing AD LDS
The AD LDS database is stored in the %programfiles%\Microsoft\Exchange Server\TransportRoles\data\Adam directory. The primary database is adamntds.dit, which uses the same Extensible Storage Engine (ESE) database format that Exchange Server uses for mailbox databases and the mail queue database. In general, minimal administration is required for the AD LDS instance running on an Edge Transport server. You can make most changes to the AD LDS directory information using the Exchange Server 2010 management tools.

Note: Before installing the Edge Transport server role, you must install AD LDS on the computer. However, you do not need to perform any configuration steps in AD LDS before installing the Edge Transport server role.


Demonstration: How to Configure Edge Transport Servers

Key Points
In this demonstration, you will review the Edge Transport server role default configuration before implementing Edge Synchronization.

Demonstration Steps
1. Open the Exchange Management Console.
2. Review the Edge Transport server role's default configuration settings, including the default anti-spam settings, Send and Receive connectors, and Accepted Domains.


What Is Edge Synchronization?

Key Points
Edge synchronization is a process that replicates information from Active Directory directory service to AD LDS on Edge Transport servers. Because Edge Transport servers are not joined to the internal Active Directory domain, they cannot directly access the Exchange Server organization configuration or recipient information that is stored in Active Directory. EdgeSync enables the shared information to be replicated from Active Directory directory service to AD LDS. You can deploy Edge Transport servers without using EdgeSync, but using EdgeSync can decrease the effort needed to administer the Edge Transport servers. The Active Directory contains much of the configuration information required by the Edge Transport server. For example, if you configure accepted domains on the Hub Transport servers, these accepted domains can be replicated automatically to the Edge Transport servers. To enable any filtering or transport rules that are based on recipients, you must implement EdgeSync to replicate the recipient information to AD LDS.


Best Practice: When you deploy Edge Transport servers, it is strongly recommended that you also deploy Edge Synchronization.

Information Replicated by Edge Synchronization


After you enable Edge Synchronization, the Edge Synchronization process establishes connections between a Hub Transport server and the Edge Transport server, and synchronizes configuration and recipient information between Active Directory and AD LDS.

Important: The internal Hub Transport servers, and not the Edge Transport servers, always initiate EdgeSync replication. EdgeSync replication traffic is always encrypted using Secure LDAP.

During synchronization, EdgeSync replicates the following data from the Active Directory directory service to AD LDS:
- Accepted domains
- Recipients (hashed)
- Safe senders (hashed)
- Send connectors
- Hub Transport server list (for dynamic connector generation)

Note: The recipient and the safe senders are hashed using a one-way hash, which prevents an attacker from retrieving recipient information from the Edge Transport server.


How Internet Message Flow Works

Key Points
The primary function of the Edge Transport server is to secure both inbound and outbound Internet e-mail. After you configure an Edge Subscription between your organization's Hub Transport servers and the Edge Transport servers in the perimeter network, both inbound and outbound Internet e-mail is enabled.


Default Message Transfer


After you enable EdgeSync, e-mail flows through the Exchange Server organization using the following steps:
1. A user submits a message through a Client Access server to the Mailbox server. The Hub Transport server retrieves the message from the Mailbox server, and categorizes it for delivery. In this scenario, the message recipient is outside the organization.
2. The Hub Transport server determines that it must use the "EdgeSync - sitename to Internet" Send connector to send e-mail to the Internet. It locates the Edge Transport server that is configured as the bridgehead server for the connector.
3. The Hub Transport server forwards the message to the Edge Transport server, which sends the e-mail message to the Internet using the "EdgeSync - sitename to Internet" Send connector.
4. For inbound messages, the sending SMTP server on the Internet connects to the Edge Transport server. The Edge Transport server accepts this connection using the "Default internal receive connector SERVERNAME", which is configured to accept anonymous connections on port 25 from all IP addresses.
5. The Edge Transport server applies all virus and spam-filtering rules. If the message is accepted, the Edge Transport server uses the "EdgeSync - Inbound to sitename" Send connector to forward the message to a Hub Transport server configured to accept Internet messages.
6. The Hub Transport server uses the "Default SERVERNAME" Receive connector to receive the message, and then forwards the message to the appropriate Mailbox server.

Note: You can modify the default message flow by creating additional SMTP connectors. For example, you may need to create a new SMTP Send connector to send e-mail to a specific destination domain. You can do this by creating a new Send connector, and then configuring the destination domain name as the address space for the connector. Finally, configure the connector to support the unique message-routing requirements for messages sent to that domain.


Demonstration: How to Configure Edge Synchronization

Key Points
In this demonstration, you will see how to enable Edge Synchronization and test that it works. You also will see how to configure address rewriting.

Demonstration Steps
1. On the Edge Transport server, in the Exchange Management Shell, run the New-EdgeSubscription -FileName c:\van-edge.xml command.
2. Import the Edge Subscription file using the Exchange Management Console on the Hub Transport server.
3. Use Start-EdgeSynchronization and Test-EdgeSynchronization to test Edge Synchronization.
4. Review the changes made to the Edge Transport server after Edge Synchronization.
5. Configure address rewriting using the New-AddressRewriteEntry command.
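The following added example is not the course's demonstration script. It carries the demonstration through in the Exchange Management Shell: create and import the Edge Subscription, force and verify the first synchronization, and then add the domain-specific Send connector that the note in "How Internet Message Flow Works" describes, before finishing with the address-rewriting step. The Edge server name VAN-EDGE, the Hub server VAN-EX1, the site name, Anna's address, the partner domain fabrikam.com with its smart host, and the two address-rewriting domains are assumptions.

```powershell
# Added example (not the course's demonstration). Assumed names: VAN-EDGE, VAN-EX1,
# Default-First-Site-Name, Anna@Adatum.com, fabrikam.com and mail-in.fabrikam.com,
# contoso.com/adatum.com for address rewriting.

# ---- On the Edge Transport server ----
New-EdgeSubscription -FileName 'C:\van-edge.xml'
# Copy C:\van-edge.xml to a Hub Transport server and import it within 24 hours; the
# bootstrap credential in the file expires after that. Delete the file from both
# servers once the subscription exists, because it is sufficient to subscribe an Edge.

# ---- On a Hub Transport server in the site that will own the subscription ----
$Data = [byte[]](Get-Content -Path 'C:\van-edge.xml' -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $Data -Site 'Default-First-Site-Name' `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# Replicate now instead of waiting for the schedule, then verify. SyncStatus must be
# Normal, and -VerifyRecipient shows whether a mailbox's hashed entry reached AD LDS,
# which is what recipient filtering on the Edge depends on.
Start-EdgeSynchronization -Server 'VAN-EX1'
$status = @(Test-EdgeSynchronization -FullCompareMode)
$status | Format-List Name, SyncStatus, LastSynchronizedUtc, TransportServerStatus, RecipientStatus
foreach ($s in $status) {
    if ($s.SyncStatus -ne 'Normal') { throw "EdgeSync to $($s.Name) is not healthy: $($s.SyncStatus)" }
}
Test-EdgeSynchronization -VerifyRecipient 'Anna@Adatum.com' | Format-List

# The two connectors EdgeSync generated; both are sourced from the Edge server.
Get-SendConnector | Where-Object { $_.Name -like 'EdgeSync*' } |
    Format-Table Name, AddressSpaces, SourceTransportServers, DNSRoutingEnabled -AutoSize

# A more specific address space wins over SMTP:*, so mail for fabrikam.com takes this
# connector while everything else still leaves through the EdgeSync connector. Create
# it on the Hub side: EdgeSync replicates it to the Edge, whereas Send connectors
# created directly on a subscribed Edge server are overwritten by the next sync.
New-SendConnector -Name 'Partner - fabrikam.com' -Usage Custom `
    -AddressSpaces 'SMTP:fabrikam.com;1' -SourceTransportServers 'VAN-EDGE' `
    -DNSRoutingEnabled $false -SmartHosts 'mail-in.fabrikam.com' `
    -SmartHostAuthMechanism None -RequireTLS $true
Start-EdgeSynchronization -Server 'VAN-EX1'

# ---- Back on the Edge Transport server: address rewriting is stored in AD LDS only ----
New-AddressRewriteEntry -Name 'Contoso as Adatum' -InternalAddress 'contoso.com' `
    -ExternalAddress 'adatum.com' -OutboundOnly $false
Get-AddressRewriteEntry | Format-Table Name, InternalAddress, ExternalAddress, OutboundOnly -AutoSize
```

Two points carry over to production. First, Test-EdgeSynchronization is a monitoring check, not a one-time step; a SyncStatus other than Normal means the Edge is filtering against stale accepted domains and recipients. Second, -RequireTLS on the partner connector makes the connector fail closed if the partner's certificate or TLS support breaks, which is the behaviour you want for a connector whose purpose is confidentiality.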


What Is Cloned Configuration?

Key Points
Cloned configuration is the process of configuring multiple Edge Transport servers with identical configurations. The Exchange Server transport services running on Edge Transport servers do not support Windows Failover Clustering. A failover cluster provides high availability by making application software and data available on several servers that are linked together in a cluster configuration. Because failover clustering is not available for the Exchange Server transport services, you achieve high availability for message transport by ensuring that multiple Edge Transport servers are available at all times. You can use cloned configuration to ensure that all the Edge Transport servers have the same configuration: you configure one server, export its configuration to an XML file, and then import that file on the target servers.


Note: Although AD LDS supports directory replication, Exchange Server 2010 does not provide an option to use directory replication for configuring multiple Edge Transport servers. You must use cloned configuration if you want to automate this process, and you must repeat the edge-cloning steps each time you make a configuration change on one of the servers.

Configuring Cloned Configuration


To configure cloned configuration, use the ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 scripts to export configuration information from one Edge Transport server to an identically configured Edge Transport server. You can also use the scripts to test configuration changes and offer rollback assistance, or to assist in disaster recovery when you deploy a new Edge Transport server or replace a failed server. To configure cloned configuration, you must perform the following three steps:
1. During the export configuration phase, export the configuration information from an existing Edge Transport server into an XML file. Use the ExportEdgeConfig.ps1 script to export the information.
2. Validate the configuration on the target server. In this step, you run the ImportEdgeConfig.ps1 script. This script checks the existing information in the intermediate XML file to see whether the exported settings are valid for the target server, and then it creates an answer file. The answer file specifies the server-specific information used during the next step, when you import the configuration on the target server. The answer file contains entries for each source server setting that is not valid for the target server. You can modify these settings so that they are valid for the target server. If all settings are valid, the answer file contains no entries.
3. During the import configuration phase, use the ImportEdgeConfig.ps1 script to import the information from both the intermediate XML file and the answer file into a new Edge Transport server.

The ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 files are Windows PowerShell scripts, not individual cmdlets. The scripts are located in the %programfiles%\Microsoft\Exchange Server\V14\Scripts folder on all servers running Exchange Server 2010.
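The following added example is not part of the course text; it runs the three phases from the Exchange Management Shell and checks the result. The file paths are assumptions, and the comments about what typically appears in the answer file describe the server-specific values (connector names that embed the source server name, Receive connector IP bindings) rather than anything from the page.

```powershell
# Added example (not from the course): the three cloning phases. Paths are assumed.
# The scripts sit in the Scripts folder of every Exchange Server 2010 installation.
Set-Location (Join-Path $env:ExchangeInstallPath 'Scripts')

# Phase 1: on the SOURCE Edge Transport server, export the configuration.
.\ExportEdgeConfig.ps1 -CloneConfigData:'C:\CloneConfigData.xml'
# Copy C:\CloneConfigData.xml to the target Edge server. It contains the complete
# connector, agent and filtering configuration of a perimeter server, so move it over a
# protected channel and delete both copies when the clone is complete.

# Phase 2: on the TARGET Edge Transport server, validate only. With -IsImport $false the
# script compares the export against this server and writes an answer file listing every
# setting that cannot be applied unchanged, typically the source server name embedded in
# connector names and the IP address in Receive connector bindings. Edit those values so
# they fit the target before importing.
.\ImportEdgeConfig.ps1 -CloneConfigData:'C:\CloneConfigData.xml' -IsImport $false -CloneConfigAnswer:'C:\CloneConfigAnswer.xml'
[xml]$answer = Get-Content -Path 'C:\CloneConfigAnswer.xml'
$answer.OuterXml        # an empty answer set means every exported setting is valid here

# Phase 3: on the TARGET Edge Transport server, import with the corrected answers.
.\ImportEdgeConfig.ps1 -CloneConfigData:'C:\CloneConfigData.xml' -IsImport $true -CloneConfigAnswer:'C:\CloneConfigAnswer.xml'

# Verify: the target should now match the source. Compare the output of these commands
# on both servers; differences beyond server-specific names and bindings mean the answer
# file was wrong.
Get-ReceiveConnector | Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism -AutoSize
Get-TransportAgent   | Format-Table Identity, Enabled, Priority -AutoSize
Get-SenderFilterConfig | Format-List Enabled, BlockedSenders, BlockedDomains

# The Edge Subscription is per server and is not part of the clone; subscribe the
# target with New-EdgeSubscription afterwards, and repeat the three phases whenever the
# configuration of one Edge server changes.
```

Treat the exported XML the same way you treat a configuration backup of a perimeter host: it tells an attacker exactly which addresses, connectors and filters the Edge uses, so it should not linger on a file share after the import.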


Discussion: Securing Edge Transport Servers

Key Points
The Edge Transport servers in an organization directly face the Internet, and consequently are the most exposed to attack. Therefore, it is critical that you secure the Edge Transport servers. You can use the various options available in Exchange Server 2010 to secure Edge Transport servers based on your organizational requirements.

Discussion Questions
Based on your experience, consider the following questions:
- Question: Why is it important to secure Edge Transport servers?
- Question: What factors should you consider at the operating system level?
- Question: How do you secure an Edge Transport server?


Lesson 2

Deploying an Antivirus Solution

Although Exchange Server 2010 already provides some basic antivirus features, it is important to implement a separate antivirus product such as Forefront Protection 2010 for Exchange Server. This lesson describes the importance of protecting your Exchange Server organization from virus attacks, and describes the features of Forefront Protection 2010 for Exchange Server.

After completing this lesson, you will be able to:
- Describe antivirus solution features.
- Describe the Forefront Protection 2010 for Exchange Server features.
- Explain the Forefront Protection 2010 deployment options.
- Explain the best practices for deploying an antivirus solution.
- Install and configure Forefront Protection 2010 for Exchange Server.


Antivirus Solution Features in Exchange Server 2010

Key Points
E-mail is one of the most common ways to spread viruses from one organization to another. One of the primary tasks in protecting your Exchange Server organization is to ensure that all messages containing viruses are stopped at the messaging environment's perimeter. Exchange Server 2010 includes the following virus protection features:

- Continuing support of the Virus Scanning application programming interface (VSAPI). In Exchange Server 2010, Microsoft maintains support for the same VSAPI used in Exchange Server 2003 and Exchange Server 2007.

- Transport agents that filter and scan messages. Exchange Server 2010 continues to use transport agents (introduced in Exchange Server 2007), such as the attachment filtering agent, to reduce spam and viruses. The attachment filtering agent is available only on the Edge Transport server role; by enabling it there, you can reduce the spread of malware attachments before they enter the organization. Additionally, third-party vendors can create transport agents that specifically scan for viruses on Edge Transport and Hub Transport servers. Because all messages must pass through a Hub Transport server, this is an efficient and effective means to scan all messages in transit.

- Antivirus stamping. Antivirus stamping reduces how often a message is scanned as it proceeds through an organization. It does this by stamping scanned messages with the version of the antivirus software that performed the scan and the scan results. This antivirus stamp travels with the message as it is routed through the organization, and determines whether additional virus scanning must be performed on the message.

- Integration with Forefront Protection 2010 for Exchange Server. Forefront Protection 2010 for Exchange Server is an antivirus solution from Microsoft that integrates with Exchange Server 2010 to provide advanced protection, optimized performance, and centralized management. This helps customers deploy and maintain a secure messaging environment. Forefront Protection 2010 for Exchange Server provides:
  - Advanced protection against viruses, worms, phishing, and other threats by using up to five antivirus engines simultaneously at each layer of the messaging infrastructure.
  - Optimized performance through coordinated scanning across Edge Transport servers, Hub Transport servers, and Mailbox servers, and features such as in-memory scanning, multithreaded scanning processes, and performance bias settings.
  - Centralized management of remote installation, engine and signature updating, and reporting and alerts through the Forefront Online Server Security Management Console.
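The following added example is not part of the course; it configures the attachment filtering agent described above on an Edge Transport server, which is the one built-in transport agent that blocks malware attachments without a separate antivirus product. The file-name patterns, MIME types and notice texts are assumptions chosen to illustrate the policy, not values from the page.

```powershell
# Added example (not from the course): attachment filtering on an Edge Transport server.
# Patterns, content types and message texts are assumed policy values.

# The agent is installed and enabled by default on Edge Transport servers only.
Get-TransportAgent -Identity 'Attachment Filtering Agent' | Format-List Identity, Enabled, Priority

# Block by file-name pattern and by declared MIME content type. A sender can rename
# payload.exe to payload.txt, so the content-type list catches what the name does not,
# and the name list catches an executable that a mail client labelled as octet-stream.
$ByName = '*.exe', '*.scr', '*.pif', '*.cmd', '*.bat', '*.js', '*.vbs', '*.hta'
$ByType = 'application/x-msdownload', 'application/hta', 'text/javascript'

foreach ($pattern in $ByName) {
    if (-not (Get-AttachmentFilterEntry | Where-Object { $_.Type -eq 'FileName' -and $_.Name -eq $pattern })) {
        Add-AttachmentFilterEntry -Name $pattern -Type FileName
    }
}
foreach ($mime in $ByType) {
    if (-not (Get-AttachmentFilterEntry | Where-Object { $_.Type -eq 'ContentType' -and $_.Name -eq $mime })) {
        Add-AttachmentFilterEntry -Name $mime -Type ContentType
    }
}

# Decide what happens to a match. Strip removes the attachment and delivers the message
# with a notice, Reject returns an NDR to the sender, SilentDelete discards the message
# without telling anyone. Strip is the safe default: a misfiled legitimate file is still
# visible to the recipient, and the sender of worm traffic gets no NDR to bounce around.
Set-AttachmentFilterListConfig -Action Strip `
    -RejectResponse 'Message rejected: the attachment type is not permitted by messaging policy.' `
    -AdminMessage 'This attachment was removed by the messaging security policy.'

# Review the effective policy.
Get-AttachmentFilterListConfig | Format-List Action, RejectResponse, AdminMessage, ExceptionConnectors
Get-AttachmentFilterEntry | Sort-Object Type, Name | Format-Table Type, Name -AutoSize
```

Attachment filtering is a coarse control: it does not inspect archive contents and it trusts the declared content type, so it complements a scanning engine rather than replacing one. Its value is that it drops the obvious executables at the perimeter before any engine spends time on them.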


What Is Forefront Protection 2010 for Exchange Server?

Key Points
Forefront Protection 2010 for Exchange Server is a separate antivirus software package that you can integrate with Exchange Server 2010 to provide antivirus protection for the Exchange environment. The following table lists the benefits of implementing Forefront Protection 2010 for Exchange Server.
Service: Antivirus scan with multiple engines
Description: You can automatically scan messages using multiple virus pattern engines, not just a single one.

Service: Full support for VSAPI
Description: Forefront Protection 2010 for Exchange Server fully supports the Exchange VSAPI.

Service: Microsoft IP Reputation Service
Description: Provides sender reputation information about IP addresses that are known to send spam. This is an IP block list offered exclusively to Exchange Server.

Service: Spam signature updates
Description: Identifies the most recent spam campaigns. The signature updates are available on an as-needed basis, up to several times a day.

Service: Premium spam protection
Description: Includes automated updates for this filter, available on an as-needed basis, up to several times a day.

Service: Automated content filtering updates
Description: Automated content filtering updates for Microsoft SmartScreen spam heuristics, phishing Web sites, and other Intelligent Message Filter (IMF) updates.


Forefront Protection 2010 Deployment Options

Key Points
When you implement Forefront Protection 2010 for Exchange Server, you must consider the various deployment options.

Install Forefront Protection 2010


First, you need to determine the servers on which you plan to install Forefront Protection 2010. Licensing is a factor in this decision, because each server that runs Forefront Protection 2010 requires its own server license. As a baseline, you should deploy Forefront Protection 2010 for Exchange Server on all Edge Transport and Hub Transport servers. For full protection, you should deploy Forefront Protection 2010 for Exchange Server on all Edge Transport, Hub Transport, and Mailbox servers.


You do not need to install Forefront Protection 2010 on the Client Access server role, because Forefront is only needed on the Mailbox, Edge Transport, or Hub Transport server roles. As previously mentioned, Forefront Protection 2010 for Exchange scans each e-mail only once, and then stamps it with an antivirus stamp so that other servers do not scan that message again. This means that every message that enters or leaves the organization is scanned if you install Forefront Protection 2010 on the Edge Transport and Hub Transport servers, so a Mailbox server installation is not required for that traffic. A Mailbox server installation is, however, the only layer that covers items that never pass through transport, such as items that were already in mailboxes before you deployed Forefront Protection 2010 or items imported into a mailbox from a .pst file. It is up to your security team to decide whether that additional coverage is required.

Forefront Protection 2010 Scanning Considerations


After you decide the servers on which you want to deploy Forefront Protection 2010, you must consider how many scan engines to use to scan a message, and which engines. As a best practice, you should use the maximum of five engines, which combines the Microsoft engine with the third-party engines licensed as part of Forefront Protection 2010; scanning with several independent engines shortens the window in which a new threat is missed because a single vendor does not yet have a signature for it. You can change the selection of engines later.


Best Practices for Deploying an Antivirus Solution

Key Points
Although implementing an antivirus solution in Exchange Server is straightforward, there are some factors that you should keep in mind when choosing and configuring an antivirus solution.

Implementing Multiple Antivirus Layers


To provide enhanced security against viruses, you should implement multiple layers of antivirus protection. A virus can enter your organization from the Internet through e-mail, or from an unprotected client within your company, and perimeter scanning alone does not see the second path. Thus, it is a best practice to implement several layers of antivirus protection, such as scanning at the firewall, on the Edge Transport server, and on the client computer.


Maintaining Regular Antivirus Updates


Installing the antivirus product does not automatically mean that your organization is fully protected. Regular antivirus pattern updates are critical to a well-implemented antivirus solution, and you should frequently verify that your antivirus patterns are actually up to date rather than assuming that the update job ran. If you have a Microsoft System Center Operations Manager 2007 environment in your organization, you can also use the Forefront Server Security Management Pack to monitor Forefront Protection 2010.


Demonstration: How to Install and Configure Forefront Protection 2010 for Exchange Server

Key Points
In this demonstration, you will see how to install and configure Forefront Protection 2010 for Exchange Server, and how to manage Forefront Protection 2010.

Demonstration Steps
1. Install Forefront Protection 2010 for Exchange Server.
2. Open the Forefront Protection 2010 administration console.
3. Configure Antimalware - Edge Transport settings.
4. Configure Antispam - Content Filter settings.
5. Configure Global Settings.


Lab A: Configuring Edge Transport Servers and Forefront Protection 2010

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-SVR1 virtual machines are running:
   • 10135A-VAN-DC1: Domain controller in the Adatum.com domain
   • 10135A-VAN-EX1: Exchange Server 2010 server in the Adatum.com domain
   • 10135A-VAN-SVR1: Standalone server
3. If required, connect to the virtual machines.
4. Log on to VAN-DC1 and VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd. Log on to VAN-SVR1 as Administrator, using the password Pa$$w0rd.
5. On the host computer, in Hyper-V Manager, click 10135A-VAN-SVR1, and in the Actions pane, click Settings.
6. Click DVD Drive, click Image file, and then click Browse.
7. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso, and then click Open.
8. Click OK.
9. On VAN-SVR1, dismiss the Autoplay dialog box.

Lab Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization. Your organization has deployed Exchange Server 2010 internally, and now must extend it so that everyone within the corporation can send and receive Internet e-mail. As part of your job responsibilities, you need to set up an Edge Transport server, and then install an antivirus solution to scan all mail.


Exercise 1: Configuring Edge Transport Servers


Scenario
Your organization has internally deployed Exchange Server 2010, and now wants to use the Edge Transport server role to replace an existing smart host. You need to deploy the Edge Transport server role, and verify that Internet message flow is working.
The main tasks for this exercise are as follows:
1. Install the Edge Transport server role.
2. Configure Edge Synchronization.
3. Verify that EdgeSync is working and that AD LDS contains data.
4. Verify that Internet message delivery works.

Task 1: Install the Edge Transport Server role


On VAN-SVR1, install the Edge Transport Server role using the Exchange Management Shell.

Task 2: Configure Edge Synchronization


1. Create a new Edge Subscription on the Edge Transport server by using the New-EdgeSubscription -FileName "C:\VAN-SVR1.xml" cmdlet.
2. Copy the XML file to the C: drive on VAN-EX1. The file contains the credentials that the Hub Transport server uses to authenticate to the Edge Transport server, so it must be imported within 1440 minutes (24 hours) of being created, and you should delete it after the import.
3. On VAN-EX1, in the Exchange Management Console, import the Edge Subscription file for the Active Directory site of the Hub Transport server.

Task 3: Verify EdgeSync is working, and that AD LDS contains data


1. On VAN-EX1, use the Start-EdgeSynchronization cmdlet to force an immediate Edge Synchronization.
2. Use the Test-EdgeSynchronization cmdlet to test Edge Synchronization.
3. Run Get-User -Identity Wei | ft Name, GUID to obtain the globally unique identifier (GUID) for Wei Yu.
4. On VAN-SVR1, open LDP and connect to VAN-SVR1 using port 50389.
5. Open the CN=Recipients,OU=MSExchangeGateway container and verify that Wei Yu's GUID is listed.

Task 4: Verify that Internet message delivery works


1. Configure the EdgeSync Send Connector to use 10.10.0.10 as a smart host for e-mail delivery.
2. Log on to Microsoft Outlook Web App as Wei, and send a test message to an Internet address to verify that delivery works. If you do not receive a non-delivery report, the message has been sent outside the organization.

Results: After this exercise, you should have installed an Edge Transport server role, and configured Edge Synchronization between a Hub Transport and an Edge Transport server.


Exercise 2: Configuring Forefront Protection 2010 for Exchange Servers


Scenario
Virus prevention is critical to your organization's security. As the messaging administrator, you are required to install virus scanning software to scan every message and automatically remove viruses. To implement this functionality, you must install antivirus software and configure it accordingly.
The main tasks for this exercise are as follows:
1. Install Forefront Protection 2010 for Exchange Server.
2. Configure Forefront Protection 2010 for Exchange Server.
3. Verify antivirus functionality.

Task 1: Install Forefront Protection 2010 for Exchange Server


1. On the host computer, attach the C:\Program Files\Microsoft Learning\10135\Drives\ForeFrontInstall.iso file to the 10135A-VAN-SVR1 virtual machine. Close the Autoplay dialog box.
2. On VAN-SVR1, install Forefront Protection 2010 for Exchange Server. Accept all defaults, except choose to enable anti-spam later.

Task 2: Configure Forefront Protection 2010 for Exchange Server


1. Open the Microsoft Forefront Server Security Administration Console.
2. Configure the following antimalware settings:
   • Scan messages with all engines.
   • Delete messages with viruses.
3. On the Policy Management pane, expand Global Settings, click Advanced Options, and configure the following global settings:
   • Increase the value of Maximum nested depth compressed files to 10 and Maximum nested attachments to 50.
   • Configure the Intelligent Engine management as manual.
   • Change the update schedule for Norman Virus Control to update at 00:30 every day.

Results: After this exercise, you should have installed Forefront Protection 2010 for Exchange and configured it. You also should have tested the antivirus functionality of Forefront Protection 2010 for Exchange.

To prepare for the next lab


Do not shut down or revert the virtual machines when you finish this lab. They are required to complete this module's last lab.


Lesson 3

Deploying an Anti-Spam Solution

Spam messages can adversely impact the messaging environment of an organization. Therefore, implementing an anti-spam solution is a critical component of maintaining your organization's messaging environment hygiene. Exchange Server 2010 includes several features that you can use to implement anti-spam protection in your organization. This lesson provides an overview of the options available for anti-spam filtering, and describes how you can configure your Edge Transport servers to reduce spam in your organization.
After completing this lesson, you will be able to:
• Describe the spam-filtering features available in Exchange Server 2010.
• Explain how Exchange Server 2010 applies spam filters.
• Describe the concept of Sender ID filtering.
• Describe the concept of Sender Reputation filtering.
• Describe the concept of content filtering.
• Configure anti-spam options.


Overview of Spam-Filtering Features

Key Points
The spam-filtering functionality on the Edge Transport server is most effective when the Edge Transport server is the single path through which all e-mail enters and leaves the organization, because every Internet message is then evaluated at the perimeter before it reaches an internal server. You implement this anti-spam functionality using a series of Edge Transport server transport agents.

Note: Forefront Protection 2010 for Exchange Server provides more frequent updates for the anti-spam patterns than the built-in anti-spam features of Exchange Server 2010. Typically, the built-in anti-spam pattern is updated daily, whereas with Forefront Protection 2010 you can configure the updates to run multiple times a day.


Edge Transport Server Anti-Spam Agents


The following table lists the anti-spam agents implemented during the default installation of an Edge Transport server. All of them are enabled by default.

Agent                         Default status   Description
Connection Filtering          Enabled          Filters messages based on the IP address of the remote server that is trying to send the message. Connection filtering uses IP Block lists and IP Allow lists.
Content Filtering             Enabled          Filters messages based on the message contents. This agent uses SmartScreen technology to assess the message contents. It also supports safelist aggregation.
Sender ID                     Enabled          Filters messages by verifying the IP address of the sending SMTP server against the purported owner of the sending domain.
Sender Filtering              Enabled          Filters messages based on the envelope sender in the MAIL FROM: SMTP command (not the From: header that the user sees).
Recipient Filtering           Enabled          Filters messages based on the envelope recipients in the RCPT TO: SMTP command.
Sender Reputation Filtering   Enabled          Filters messages based on many characteristics of the sender accumulated over a specific period.
Attachment Filter             Enabled          Filters messages based on attachment file name, file name extension, or Multipurpose Internet Mail Extensions (MIME) content type.

Note: You can view all the agents installed on the Edge Transport server by using the Get-TransportAgent cmdlet on the Edge Transport server. The default Edge Transport server installation also includes other transport agents, such as the Address Rewriting Inbound Agent, the Address Rewriting Outbound Agent, and the Edge Rule Agent. You cannot use these agents for spam filtering.


Safelist Aggregation
In Exchange Server 2010, the Content Filter agent on the Edge Transport server uses the Microsoft Office Outlook Safe Senders Lists, Safe Recipients Lists, and trusted contacts to optimize spam filtering. Safelist aggregation is a set of anti-spam functionality that Outlook and Exchange Server 2010 share. This functionality collects data from the anti-spam safe lists that Outlook users configure, and makes this data available to the anti-spam agents on the Edge Transport server. You use the Update-SafeList cmdlet to push this data to Active Directory: it reads the safelist collection from the user's mailbox, hashes it, and writes it to the user object, from where EdgeSync replicates it to the Edge Transport server.


How Exchange Server 2010 Applies Spam Filters

Key Points
The Edge Transport server role in Exchange Server 2010 uses spam-filtering agents to examine each SMTP connection and the messages sent through it. When an SMTP server on the Internet connects to the Edge Transport server and initiates an SMTP session, the Edge Transport server examines each message using the following sequence:

1. When the SMTP session is initiated, the Edge Transport server applies connection filtering using the following criteria:
   • Connection filtering examines the administrator-defined IP Allow list. Administrators might include the IP addresses of SMTP servers at partner organizations in the IP Allow list. If the sending server's IP address is on the IP Allow list, the server does not apply any other filtering and accepts the message.
   • Connection filtering examines the local IP Block list. Administrators might include the IP addresses of the SMTP servers of known spammers, or of other servers from which the organization does not want to receive e-mail, in the IP Block list. If the Connection Filtering agent finds the IP address of the sending server on the local IP Block list, the server rejects the message automatically, and no other filters are applied.
   • Connection filtering examines the real-time block list (RBL) of any IP Block List Providers that you have configured. If the agent finds the sending server's IP address on an RBL, the server rejects the message, and no other filters are applied.
2. The Edge Transport server compares the sender's e-mail address from the MAIL FROM command with the list of senders configured in sender filtering. If the address is a blocked sender or domain, the server may reject the message, and no other filters are applied. Alternatively, you can configure the server to accept the message from the blocked sender, stamp it with the blocked sender information, and continue processing. The blocked sender information is then included as one of the criteria when content filtering processes the message.
3. The Edge Transport server examines each recipient against the Recipient Block list configured in recipient filtering. If Edge Synchronization is enabled, the Edge Transport server can also use the recipient information replicated from Active Directory to reject messages addressed to recipients that do not exist. If an intended recipient matches a filtered e-mail address, the Edge Transport server rejects the message for that particular recipient. If the message lists multiple recipients and some are not on the Recipient Block list, processing continues for those recipients.
4. Exchange Server 2010 applies Sender ID filtering. Depending on how Sender ID is configured, the server might delete, reject, or accept the message. If the message is accepted, the server adds the Sender ID validation result to the message properties. A failed Sender ID status is included as one of the criteria when content filtering processes the message.
5. The Edge Transport server applies content filtering and performs one of the following actions:
   • Content filtering compares the sender to the senders in the safelist aggregation data from Office Outlook users. If the sender is on the recipient's Safe Senders List, the message is delivered to the user's mailbox without further content filtering. If the sender is not on the recipient's Safe Senders List, the message is assigned a spam confidence level (SCL) rating.
   • If the SCL rating reaches one of the thresholds configured on the Edge Transport server, content filtering takes the corresponding action of deleting, rejecting, or quarantining the message. If the SCL rating is lower than all of the Edge Transport server thresholds, the message is passed to a Hub Transport server for delivery to the Mailbox server that contains the user's mailbox.

Tip: You can bypass spam filtering for a specific recipient by setting the AntispamBypassEnabled property to True on the users mailbox. This causes the message to bypass filtering and be delivered directly to the recipients mailbox.
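The sequence above, as an added example that is not part of the course material: a small Python model of the order in which the Edge Transport agents decide the fate of one inbound message, including the short-circuit behaviour of the IP Allow list, the safelist bypass, the per-mailbox AntispamBypassEnabled setting, and the rule that the SCL delete, reject and quarantine thresholds must be ordered. Every list, threshold and sample session below is constructed for the illustration, and the SCL is taken as an input rather than computed by SmartScreen.

```python
"""Added example (not from the course or from Microsoft): a simplified model of
the order in which an Exchange Server 2010 Edge Transport server applies its
anti-spam agents to one inbound message, as described in the topic above.
All lists, thresholds and sample sessions are constructed for the illustration;
the SCL is taken as an input rather than computed by SmartScreen."""
import ipaddress
from dataclasses import dataclass


@dataclass
class EdgeAntispamConfig:
    ip_allow_list: list        # networks of trusted partners (constructed)
    ip_block_list: list        # locally administered blocks
    rbl_hits: set              # IPs a configured IP Block List Provider reports as listed
    blocked_senders: set       # addresses or "@domain" entries in the Sender Filter
    blocked_recipients: set    # addresses in the Recipient Filter block list
    sender_id_action: str      # "Reject", "Delete" or "StampStatus"
    scl_delete: int
    scl_reject: int
    scl_quarantine: int
    antispam_bypass: set       # mailboxes with AntispamBypassEnabled set to $true

    def __post_init__(self):
        # With all three SCL actions enabled, Exchange requires delete > reject > quarantine.
        if not (self.scl_delete > self.scl_reject > self.scl_quarantine):
            raise ValueError("SCL thresholds must satisfy delete > reject > quarantine")


@dataclass
class Session:
    client_ip: str
    mail_from: str             # envelope sender from the MAIL FROM command
    rcpt_to: str               # single recipient from RCPT TO (keeps the model small)
    sender_id_result: str      # "Pass", "Fail", "None", ... as stamped by the Sender ID agent
    scl: int                   # SCL the Content Filter agent would assign
    safe_sender: bool = False  # sender is on this recipient's Outlook Safe Senders List


def _in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def _sender_blocked(address, blocked):
    address = address.lower()
    domain = "@" + address.split("@", 1)[1]
    return address in blocked or domain in blocked


def filter_message(cfg, s):
    """Return (action, reason) for one message, following the documented agent order."""
    # 1. Connection filtering. The IP Allow list short-circuits every later agent;
    #    block-list hits are rejected without further processing.
    if _in_networks(s.client_ip, cfg.ip_allow_list):
        return "accept", "IP Allow list"
    if _in_networks(s.client_ip, cfg.ip_block_list):
        return "reject", "IP Block list"
    if s.client_ip in cfg.rbl_hits:
        return "reject", "IP Block List Provider"
    # Per-mailbox bypass can only be evaluated once RCPT TO has named the recipient.
    if s.rcpt_to.lower() in cfg.antispam_bypass:
        return "accept", "AntispamBypassEnabled"
    # 2. Sender filtering (envelope sender, not the From: header).
    if _sender_blocked(s.mail_from, cfg.blocked_senders):
        return "reject", "Sender Filter"
    # 3. Recipient filtering.
    if s.rcpt_to.lower() in cfg.blocked_recipients:
        return "reject", "Recipient Filter"
    # 4. Sender ID: only Reject/Delete stop the message; StampStatus just annotates it.
    if s.sender_id_result == "Fail" and cfg.sender_id_action in ("Reject", "Delete"):
        return cfg.sender_id_action.lower(), "Sender ID"
    # 5. Content filtering: safelist aggregation first, then the SCL thresholds.
    if s.safe_sender:
        return "accept", "Safe Senders List"
    if s.scl >= cfg.scl_delete:
        return "delete", "SCL %d" % s.scl
    if s.scl >= cfg.scl_reject:
        return "reject", "SCL %d" % s.scl
    if s.scl >= cfg.scl_quarantine:
        return "quarantine", "SCL %d" % s.scl
    return "accept", "SCL %d" % s.scl


def demo_config():
    # Constructed values; in a real deployment they come from Add-IPAllowListEntry,
    # Add-IPBlockListEntry, Set-SenderFilterConfig, Set-RecipientFilterConfig,
    # Set-SenderIdConfig and Set-ContentFilterConfig.
    return EdgeAntispamConfig(
        ip_allow_list=["192.0.2.0/24"],
        ip_block_list=["198.51.100.7"],
        rbl_hits={"203.0.113.9"},
        blocked_senders={"@spammer.example", "noreply@bulk.example"},
        blocked_recipients={"old-alias@adatum.com"},
        sender_id_action="Reject",
        scl_delete=9, scl_reject=7, scl_quarantine=5,
        antispam_bypass={"abuse@adatum.com"},
    )


if __name__ == "__main__":
    cfg = demo_config()
    for sess in (
        Session("192.0.2.10", "x@spammer.example", "wei@adatum.com", "Fail", 9),
        Session("203.0.113.20", "x@spammer.example", "wei@adatum.com", "Pass", 0),
        Session("203.0.113.20", "sales@partner.example", "wei@adatum.com", "Pass", 8),
        Session("203.0.113.20", "sales@partner.example", "wei@adatum.com", "Pass", 8, safe_sender=True),
    ):
        print(sess.client_ip, sess.mail_from, "->", filter_message(cfg, sess))
```

The first sample session shows why the IP Allow list deserves care: a partner address on it bypasses sender filtering, Sender ID and content filtering entirely, so a compromised partner server is trusted unconditionally.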


What Is Sender ID Filtering?

Key Points
The Sender ID Framework is an industry standard that verifies the Internet domain from which each e-mail message originates, based on the senders server IP address. The Sender ID Framework provides protection against e-mail domain spoofing and phishing schemes. By using the Sender ID Framework, e-mail senders can register all e-mail servers that send e-mail from their SMTP domain, and then e-mail recipients can filter e-mail from that domain that does not come from the specified servers.

Sender Policy Framework (SPF) records


To enable Sender ID filtering, each e-mail sender must create a Sender Policy Framework (SPF) record and add it to their domain's DNS records. The SPF record is a single text (TXT) record in the DNS zone that identifies the servers allowed to send e-mail for the domain. SPF records can use several formats, including those in the following examples:

• Adatum.com. IN TXT "v=spf1 mx -all". This record specifies that any server that has an MX record for the Adatum.com domain can send e-mail for the domain, and that every other server fails.
• mail IN TXT "v=spf1 a -all". This record, for the host mail in the zone, specifies that only the address in that host's own A record can send e-mail for that name.
• Adatum.com IN TXT "v=spf1 ip4:10.10.0.20 -all". This record specifies that only the server with the IP address 10.10.0.20 can send e-mail for the Adatum.com domain.

The final all mechanism decides the result for every server that the earlier mechanisms did not match, and its qualifier matters: -all is a hard fail, ~all is a soft fail that receivers typically treat as suspicious rather than rejecting outright, and all with no qualifier means +all, which authorizes every host on the Internet and makes the record useless.

For more information: Microsoft provides the Sender ID Framework SPF Record Wizard to create your organizations SPF records. You can access the wizard on the Sender ID Framework SPF Record Wizard page on the Microsoft Web site.

Sender ID Configuration
After you configure the SPF records, any destination messaging servers that use the Sender ID features can identify your servers using Sender ID. After you enable Sender ID filtering, the following process shows how all e-mail messages are filtered:
1. The sender transmits an e-mail message to the recipient organization.
2. The destination mail server receives the e-mail. It determines the purported responsible address (PRA), the address that claims responsibility for the message, from the message headers, and checks DNS for the SPF record of the PRA's domain. (Sender ID checks the PRA domain; classic SPF checks the MAIL FROM domain instead.)
3. The destination server determines whether the IP address of the sending e-mail server matches any of the IP addresses that the SPF record authorizes.
4. If the addresses match, the destination server authenticates the mail and delivers it to the destination recipient. However, other anti-spam scanners, such as content filtering, are still applied. If the addresses do not match, the mail fails authentication. Depending on the e-mail server configuration, the destination server might delete or reject the message, or accept it with additional information added to its header indicating that it failed authentication.
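The check described in steps 2 to 4, as an added example that is not part of the course: a minimal SPF evaluator in Python that resolves the three record forms shown earlier against a constructed in-memory zone instead of live DNS, so it runs offline. It implements only the ip4, a, mx and all mechanisms and the +, -, ~ and ? qualifiers (include and redirect are out of scope), and it evaluates whichever domain you pass, so you can hand it the PRA domain for Sender ID or the MAIL FROM domain for classic SPF. The sloppy.example record is constructed to show what the missing qualifier does.

```python
"""Added example (not from the course): a minimal SPF evaluator that shows how a
receiving server checks a sending IP against the domain's SPF TXT record.
DNS is replaced by a constructed in-memory table, so it runs offline.
Only the mechanisms used in the records above (ip4, a, mx, all) and the
qualifiers +, -, ~, ? are implemented; include/redirect are out of scope."""
import ipaddress

# Constructed zone data standing in for DNS lookups (all names and addresses invented).
ZONE = {
    "adatum.com": {
        "TXT": ['v=spf1 mx -all'],
        "MX": ["mail.adatum.com"],
        "A": ["10.10.0.20"],
    },
    "mail.adatum.com": {"TXT": ['v=spf1 a -all'], "A": ["10.10.0.20"]},
    "contoso.com": {"TXT": ['v=spf1 ip4:10.10.0.20 -all'], "A": ["203.0.113.5"]},
    "fabrikam.example": {"TXT": ['v=spf1 ip4:198.51.100.0/24 ~all']},
    # The third example record with the qualifier dropped: "all" with no
    # qualifier means "+all", so every host on the Internet passes.
    "sloppy.example": {"TXT": ['v=spf1 ip4:10.10.0.20 all']},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns a list of record values."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(recs) != 1:        # no record, or more than one, yields no usable policy
        return None
    return recs[0]


def check_host(ip, domain):
    """Return the SPF result ("pass", "fail", "softfail", "neutral", "none",
    "permerror") for sending IP `ip` claiming to send on behalf of `domain`."""
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"               # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, domain in [("10.10.0.20", "adatum.com"), ("203.0.113.5", "adatum.com"),
                       ("203.0.113.5", "fabrikam.example"), ("203.0.113.77", "sloppy.example")]:
        print(ip, domain, "->", check_host(ip, domain))
```

The last line of the demo is the point of the example: against sloppy.example any address at all returns pass, which is exactly the outcome the record's author did not intend.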


What Is Sender Reputation Filtering?

Key Points
The Exchange Server 2010 Sender Reputation feature makes message filtering decisions based on information about recent e-mail messages received from specific senders. The Sender Reputation agent analyzes various statistics about the sender and the e-mail message, to create a Sender Reputation Level (SRL). This SRL is a number between 0 and 9, where a value of 0 indicates that there is less than a 1 percent chance that the sender is a spammer, and a value of 9 indicates that there is more than a 99 percent chance of it. If a sender appears to be the spam source, then the Sender Reputation agent automatically adds the IP address for the SMTP server that is sending the message to the list of blocked IP addresses.


How Sender Reputation Filtering Works


When the Edge Transport server receives the first message from a specific sender, the SMTP sender is assigned an SRL of 0. As more messages arrive from the same source, the Sender Reputation agent evaluates the messages and begins to adjust the sender's rating. The Sender Reputation agent uses the following criteria to evaluate each sender:
• Sender open proxy test. An open proxy is a proxy server that accepts connection requests from anyone and forwards traffic as if it originated from the proxy itself; spammers use such hosts to hide the true source of their mail. When the Sender Reputation agent calculates an SRL, it formats an SMTP request through the sender's IP address in an attempt to connect back to the Edge Transport server. If the Edge Transport server receives that SMTP request from the sender's address, the sender is verified as an open proxy and its open proxy test statistic is updated. The test requires the Edge Transport server to make outbound connections; if those must pass through your own proxy, configure it with the ProxyServerName, ProxyServerPort, and ProxyServerType parameters of Set-SenderReputationConfig.
• HELO/EHLO analysis. The HELO and EHLO SMTP commands are intended to provide the receiving server with the domain name, such as Contoso.com, or the IP address of the sending SMTP server. Spammers frequently modify the HELO/EHLO statement to use an IP address that does not match the IP address from which the connection originated, or to use a domain name that is different from the actual originating domain name. If the same sender uses multiple domain names or IP addresses in the HELO or EHLO commands, there is an increased chance that the sender is a spammer.
• Reverse DNS lookup. The Sender Reputation agent also verifies that the originating IP address from which the sender transmitted the message matches the registered domain name that the sender submits in the HELO or EHLO SMTP command. The Sender Reputation agent performs a reverse DNS query by submitting the originating IP address to DNS. If the domain names do not match, the sender is more likely to be a spammer, and the overall SRL rating for the sender is adjusted upward.
• SCL ratings analysis on a particular sender's messages. When the Content Filter agent processes a message, it assigns an SCL rating to the message. This rating is attached to the message as an SCL, which is a numerical value between 0 and 9. The Sender Reputation agent analyzes data about each sender's SCL ratings, and uses it to calculate SRL ratings. More information on SCL ratings can be found in the next topic, What Is Content Filtering?.


The Sender Reputation agent calculates the SRL for each unique sender over a specific time. When the SRL rating exceeds the configured limit, the IP address for the sending SMTP server is added to the IP Block list for a specific time.

Sender Reputation Configuration


You can configure the Sender Reputation settings on the Edge Transport server by using the Exchange Management Console or the Set-SenderReputationConfig cmdlet. You can configure the Sender Reputation block threshold (the SRL at which a sender is blocked; 7 by default), and the timeout period for how long a sender remains on the IP Block list. By default, IP addresses are blocked for 24 hours.


What Is Content Filtering?

Key Points
The Content Filter agent uses SmartScreen technology to analyze the content of every e-mail message, to evaluate whether it is spam. The Content Filter agent is similar to the Exchange Server 2003 Intelligent Message Filter feature. When the Edge Transport server receives a message, the Content Filter agent evaluates the messages content for recognizable patterns, and then assigns a rating based on the probability that the message is spam. This rating is attached to the message as an SCL, which is a numerical value between 0 and 9. A rating of 0 indicates that the message is highly unlikely to be spam, whereas a rating of 9 indicates that the message is very likely to be spam. This rating persists with the message when it is sent to other servers running Exchange Server. Depending on how you configure the content filter, if a messages SCL score is greater than or equal to the threshold you configure, then the Content Filter agent rejects, silently deletes, or quarantines the message.


Content Filtering Configuration


Content filtering is enabled by default on Exchange Server 2010 Edge Transport servers, and is configured to reject messages with an SCL of 7 or higher. You can modify the default content filtering settings by using the Exchange Management Console or the Exchange Management Shell. You can modify the following settings in the Exchange Management Console:
• Configure custom words. You can specify a list of key words or phrases that prevent the Content Filter agent from blocking any message containing them. This feature is useful if your organization must receive e-mail that contains words that the Content Filter agent would normally block. You can also specify key words or phrases that cause the Content Filter agent to block a message containing them.
• Specify exceptions. You can exclude messages to the recipients on the exceptions list from content filtering.
• Specify actions. You can configure the SCL thresholds and threshold actions. You can configure the Content Filter agent to delete, reject, or quarantine messages whose SCL reaches the value you specify. When more than one action is enabled, the thresholds must be ordered so that the delete threshold is higher than the reject threshold, which in turn is higher than the quarantine threshold.

Note: When the Content Filter agent rejects a message, it uses the default response of 550 5.7.1 Message rejected due to content restrictions. You can customize this message by using the RejectionResponse parameter of the Set-ContentFilterConfig cmdlet in the Exchange Management Shell.

Configuring the Quarantine Mailbox


When the SCL value for a specific message reaches the SCL quarantine threshold, the Content Filter agent sends the message to a quarantine mailbox. Before you can enable this option on the Edge Transport server, you must designate a mailbox as the quarantine mailbox by using the QuarantineMailbox parameter of the Set-ContentFilterConfig cmdlet. As a messaging administrator, you should regularly check the quarantine mailbox to ensure that the content filter is not filtering legitimate e-mail, and release any false positives from there.


Note: Messages are sent to the quarantine mailbox only when the SCL value of the message reaches the quarantine threshold that you configured on the content filter. To see details on all actions that transport agents perform on an Edge Transport server, use the scripts located in the %programfiles%\Microsoft\Exchange Server\Scripts folder. The GetAgentLog.ps1 script produces a raw listing of all actions that transport agents perform. The folder contains several other scripts that produce formatted reports listing information such as the top blocked sender domains, the top blocked senders, and the top blocked recipients. By default, the transport agent logs are located at %programfiles%\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog.
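The kind of report those scripts produce, as an added example that is neither one of the course's scripts nor Microsoft code: a Python reader for the agent log's CSV layout (comment lines starting with "#", and a "#Fields:" line naming the columns) that reports the top blocked IP addresses and senders and the per-agent action counts. The log text below is constructed; the column names the report relies on (Agent, Action, IPAddress, P1FromAddress, Recipient) are assumed to appear in the #Fields header, so compare them against the header of your own log before using it.

```python
"""Added example (not one of the course's scripts): a small report over an
anti-spam agent log in the CSV layout Exchange 2010 writes (comment lines
starting with '#', with a '#Fields:' line naming the columns). The log text
below is constructed; the column names the report relies on (Agent, Action,
IPAddress, P1FromAddress, Recipient) are assumed from the #Fields header."""
import csv
from collections import Counter

# Constructed sample log. Addresses are documentation ranges; sessions, message IDs
# and reason strings are invented to look like real entries, not copied from a server.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Agent Log
#Date: 2010-03-01T00:00:00.000Z
#Fields: Timestamp,SessionId,IPAddress,MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData,Diagnostics
2010-03-01T08:00:01.000Z,08CC7A1,203.0.113.9,,,,,0,Connection Filtering Agent,OnRcptCommand,RejectCommand,550 5.7.1 Service unavailable,BlockListProvider,zen.spamhaus.org,
2010-03-01T08:00:05.000Z,08CC7A2,198.51.100.7,<a1@bulk.example>,promo@bulk.example,promo@bulk.example,wei@adatum.com,1,Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1 Message rejected due to content restrictions,SclAtOrAboveRejectThreshold,8,
2010-03-01T08:00:09.000Z,08CC7A3,198.51.100.7,<a2@bulk.example>,promo@bulk.example,promo@bulk.example,anna@adatum.com,1,Content Filter Agent,OnEndOfData,QuarantineMessage,,SclAtOrAboveQuarantineThreshold,6,
2010-03-01T08:00:12.000Z,08CC7A4,192.0.2.10,<b1@partner.example>,sales@partner.example,sales@partner.example,wei@adatum.com,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SclAtOrBelowThreshold,1,
2010-03-01T08:00:20.000Z,08CC7A5,203.0.113.44,<c1@spammer.example>,x@spammer.example,x@spammer.example,old-alias@adatum.com,1,Recipient Filter Agent,OnRcptCommand,RejectCommand,550 5.1.1 User unknown,BlockedRecipient,old-alias@adatum.com,
"""


def parse_agent_log(text):
    """Return one dict per data line, keyed by the column names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):          # other comment lines (software, version, date)
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def blocked_rows(rows):
    """Entries where an agent intervened: anything that is not a plain accept."""
    return [r for r in rows if r["Action"] != "AcceptMessage"]


def top_blocked(rows, key, n=5):
    """Most frequent values of `key` (e.g. IPAddress, P1FromAddress, Recipient)
    among blocked entries, ignoring empty values such as connection-level rejects
    that carry no sender."""
    return Counter(r[key] for r in blocked_rows(rows) if r[key]).most_common(n)


def actions_by_agent(rows):
    """Count of (agent, action) pairs, which shows which layer is doing the work."""
    return Counter((r["Agent"], r["Action"]) for r in rows)


if __name__ == "__main__":
    rows = parse_agent_log(SAMPLE_LOG)
    print("top blocked IPs:", top_blocked(rows, "IPAddress"))
    print("top blocked senders:", top_blocked(rows, "P1FromAddress"))
    for (agent, action), count in sorted(actions_by_agent(rows).items()):
        print(f"{agent:28} {action:18} {count}")
```

Reading the #Fields line instead of hard-coding column positions keeps the report working if the log format gains or reorders columns, which is also why the parser refuses data lines that appear before that header.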

The SCL Junk E-Mail Folder Threshold


If the SCL value for a specific message exceeds the SCL Junk E-mail folder threshold, then the Mailbox server places the message in the Outlook users Junk E-mail folder. If the SCL value for a message is lower than the SCL delete, reject, quarantine, and Junk E-mail folder threshold values, then the Mailbox server puts the message in the users Inbox.


Demonstration: How to Configure Anti-Spam Options

Key Points
In this demonstration, you will see how to configure the various anti-spam options available in Exchange Server 2010, such as Connection filters, Sender filters, and Recipient filters. You will also see how to configure the Sender ID, Sender Reputation, and content filtering features.

Demonstration Steps
1. Open the Exchange Management Console, and on the Edge Transport server, click the Anti-spam tab.
2. Configure the following Connection filters:
   • IP Allow List
   • IP Block List
   • IP Block List Providers
3. Add the zen.spamhaus.org domain to the IP Block List Providers list.
4. Configure the following filtering features:
   • Sender filtering
   • Recipient filtering
   • Sender ID
   • Sender Reputation
   • Content filtering
5. Configure the Edge Transport server to quarantine messages with an SCL rating greater than 7.


Lesson 4

Configuring Secure SMTP Messaging

To configure secure SMTP messaging, you can use Transport Layer Security (TLS) in Exchange Server, or Domain Security, a feature introduced in Exchange Server 2007 and also available in Exchange Server 2010. This lesson describes how to secure SMTP messaging by using the available options.
After completing this lesson, you will be able to:
• Describe the common SMTP security issues.
• Describe the options for securing SMTP e-mail.
• Configure SMTP security.
• Explain the concept of Domain Security.
• Explain how Domain Security works.
• Describe the Domain Security configuration process.
• Configure Domain Security.
• Explain how Secure MIME works.


Discussion: SMTP Security Issues

Key Points
Although SMTP messaging is common in many organizations, there are a few security issues that you must consider. Question: What are the security issues with SMTP? Question: How do you currently secure SMTP?


SMTP E-Mail Security Options

Key Points
Exchange Server 2010 offers several options to secure SMTP messaging traffic. All of these options rely on encryption keys, most commonly distributed as certificates, to protect the traffic. The following methods for securing SMTP require that you implement the option on both the source and the target side. Because you usually do not control the target side, the methods listed here have limitations.

IPSec
IPSec provides a set of extensions to the basic IP protocol, and is used to encrypt server-to-server communication. IPSec can be used in tunnel mode, or in transport mode between two peers, to natively secure all IP communications. Because IPSec operates at the network layer, applications running on Exchange Server 2010 do not need to be aware of it. You normally use IPSec to secure server-to-server or client-to-server communication. You do not need another encryption method for the hop that IPSec protects, but the protection ends at the IPSec peer: the message itself is still in clear text on the servers and on any hop beyond them.


VPN
A virtual private network (VPN) also operates below the application layer, and very often uses IPSec as its underlying protocol. VPNs are used for site-to-site or client-to-site connections. Because both IPSec and VPNs work below the application layer, neither requires the application on either end to know about the protocol, which can be an advantage over application-layer protocols such as Secure MIME (S/MIME), which does.

TLS
The TLS protocol is the default protocol that is used in an Exchange Server 2010 organization to encrypt server communication. It is a standard protocol that you can use to provide secure Web communications on the Internet or intranet. TLS enables clients to authenticate servers, or optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the standardized successor of the SSL protocol. Exchange Server 2010's Domain Security feature uses TLS with mutual authentication, also known as mutual TLS, to provide session-based authentication and encryption. Standard TLS provides confidentiality by encrypting the session while authenticating only the server, or neither party at all. This is the same way HTTPS uses TLS: the browser verifies the server's certificate, but the server normally does not verify the client. Note that TLS between SMTP servers is usually opportunistic: if the remote server does not offer STARTTLS, the session falls back to clear text unless you explicitly require TLS on the connector.

S/MIME
S/MIME is a standard that you can use to implement public-key encryption and e-mail message signatures. You can use encryption to protect message contents so that only the intended recipients can read them. If a message is signed, the recipient can verify whether the message was changed on the way from the sender to the recipient. S/MIME is a client-based encryption and signing protocol that provides end-to-end security, from the sending mailbox to the receiving mailbox. Unlike session-based protocols that operate on the transport layer (such as TLS), the message also remains encrypted and signed while it sits in the mailbox. Even administrators cannot decrypt it, because only the private key that matches the recipient's certificate can. By implementing S/MIME, you can perform the following tasks:
- Use digital signatures to prove to your communication partners that the content was not altered.
- Authenticate messages, especially for crucial functions, such as when your employer approves your travel requests.
- Encrypt messages to prevent accidental content disclosure.

6-60

Configuring, Managing and Troubleshooting Microsoft Exchange Server 2010

MCT USE ONLY. STUDENT USE PROHIBITED

By default, Exchange Server 2010 fully supports S/MIME for message encryption and signatures. Unlike in previous versions, where you had to configure each mailbox database, you do not need to configure any server-side setting to support S/MIME. Because S/MIME provides end-to-end security, it is important that the e-mail application that you use to read and write S/MIME messages meets the following two requirements:
- The application must support S/MIME encryption and signatures.
- The user's digital certificate, together with its private key, must be configured in the e-mail application.

Note: When using S/MIME, you can send digitally signed messages to anyone, but you can only encrypt messages to recipients whose certificates are available in the Global Address List (GAL) or in contacts.

Alternate Options for Securing SMTP Traffic


Besides the options mentioned above, you can also implement authentication and authorization on SMTP connectors. This does not enforce traffic encryption, but it can prevent unauthorized users from sending SMTP messages to users in your organization, or from relaying SMTP messages through your servers to the Internet. Authentication can be based on user credentials, and authorization can be restricted to specific IP addresses or IP ranges.


Demonstration: How to Configure SMTP Security

Key Points
In this demonstration, you will see how to configure an externally secured SMTP Connector and how to configure an SMTP Connector that requires TLS and authentication.

Demonstration Steps
1. Use the Exchange Management Console to create a new Receive Connector.
2. Configure the Receive Connector to be externally secured.
3. Use Telnet to connect to the Receive Connector.
4. Configure the Receive Connector to use TLS and authentication.
5. Use Telnet again to connect to the Receive Connector.
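The two connector configurations that the demonstration builds in the console, and the connector-level authorization that the "Alternate Options" section describes, expressed in the Exchange Management Shell. This is an added example and not part of the course material; the server name, connector names, IP address, external FQDN and port 587 binding are assumptions for the example.

```powershell
# Added example (not from the course): two Receive connectors on a Hub Transport
# server, one "externally secured" and one that requires TLS plus authentication.
# Server name, connector names, IP addresses and FQDN are assumptions.

$server = "VAN-EX1"

# 1. Externally secured connector: Exchange trusts the link itself (for example an
#    IPSec tunnel to a partner gateway), so it asks for no SMTP-level authentication
#    and no TLS. ExternalAuthoritative is only valid with the ExchangeServers
#    permission group, and every host in RemoteIPRanges is treated as a fully trusted
#    Exchange server, so keep that range as narrow as possible.
New-ReceiveConnector -Name "Partner Gateway (externally secured)" `
    -Server $server -Usage Custom `
    -Bindings 0.0.0.0:25 `
    -RemoteIPRanges 10.10.0.20 `
    -AuthMechanism ExternalAuthoritative `
    -PermissionGroups ExchangeServers

# 2. Connector that insists on TLS before anything else and accepts Basic
#    authentication only inside the TLS session (BasicAuthRequireTLS), so
#    credentials never cross the wire in clear text. ExchangeUsers limits who may
#    submit mail; no anonymous permission group means no open relay.
New-ReceiveConnector -Name "Authenticated TLS submission" `
    -Server $server -Usage Custom `
    -Bindings 0.0.0.0:587 `
    -RemoteIPRanges 0.0.0.0-255.255.255.255 `
    -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers `
    -RequireTLS $true `
    -Fqdn "mail.adatum.com"

# 3. Review the result. No connector that allows AnonymousUsers should also carry
#    ExternalAuthoritative, and every Internet-facing connector should show RequireTLS
#    or at least Tls in AuthMechanism.
Get-ReceiveConnector -Server $server |
    Format-Table Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, RequireTLS -AutoSize
```

When you repeat the Telnet test from the demonstration against the second connector, the EHLO response lists STARTTLS, and a MAIL FROM issued before STARTTLS is refused with "530 5.7.0 Must issue a STARTTLS command first".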


What Is Domain Security?

Key Points
Exchange Server 2010 can use TLS to provide security for SMTP e-mail. In most cases, you cannot require TLS for all e-mail that you send or receive, because many SMTP servers on the Internet are not configured to use TLS. However, by requiring TLS for all SMTP e-mail sent between your organization and other specified organizations, you can enable a high security level for that e-mail.

What Is Domain Security?


The Domain Security feature in Exchange Server 2010 provides a relatively low-cost alternative to S/MIME or other message-encryption solutions. It uses mutual TLS, where each server verifies the identity of the other server by validating the certificate that the other server provides. It is an easy way for administrators to manage secured message paths between domains over the Internet. This means that all connections between the partner organizations are authenticated, and all messages are encrypted while in transit on the Internet.


TLS with mutual authentication differs from TLS in its usual implementation. Typically, when you implement TLS, the client verifies a secure connection to the intended server by validating the servers certificate, which it receives during TLS negotiation. With mutual TLS, each server verifies the connection with the other server by validating a certificate that the other server provides.


How Domain Security Works

Key Points
Domain Security works in a manner similar to establishing a TLS connection to an SMTP Receive connector. However, because mutual TLS is used, both the sender and the receiver authenticate each other before they exchange message data. The message takes the following route from one organization to the other when using Domain Security:
1. The Edge Transport server receives the e-mail message from a source Hub Transport server.
2. The Edge Transport server initiates a mutual TLS session with the target Edge Transport server, and the two servers exchange and verify each other's certificates. Domain Security is applied only when the target domain is listed on the sending side and the sending domain is listed on the receiving side. You set the domain information on the sending side by using the Set-TransportConfig -TLSSendDomainSecureList <domain name> cmdlet, and on the receiving side by using the Set-TransportConfig -TLSReceiveDomainSecureList <domain name> cmdlet.


3. The message is encrypted and transferred to the target Edge Transport server.
4. The Edge Transport server delivers the e-mail to the target Hub Transport server for local delivery. The message is marked as Domain Secure, which Outlook 2007 or later and Outlook Web App display.


Process for Configuring Domain Security

Key Points
To configure Domain Security, you need to perform the following process:
1. On the Edge Transport server, generate a certificate request for TLS certificates. You can request the certificate from an internal, private certification authority (CA) or from a commercial CA. The SMTP server in the partner organization must trust the certificate. When you request the certificate, ensure that the request includes the domain names of all accepted SMTP domains in your organization, as well as the FQDN of the Edge Transport server, as Subject Alternative Names (SAN).
2. Import and enable the certificate on the Edge Transport server. After the CA issues the certificate, import it on the Edge Transport server, and then enable it for use by the SMTP connectors that send and receive domain-secured e-mail.


3. Configure outbound Domain Security. Use Exchange Management Shell cmdlets to specify the domains to which you will send domain-secured e-mail, and then configure the SMTP Send connector to use domain-secured e-mail.
4. Configure inbound Domain Security. Use Exchange Management Shell cmdlets to specify the domains from which you will receive domain-secured e-mail, and then configure the SMTP Receive connector to use domain-secured e-mail.
5. Notify the partner to configure Domain Security. Domain Security must be configured on both the sending and the receiving side, so you also need to ask your partner's administrator to configure your domain for Domain Security.
6. Test message flow. Finally, send a message to the partner and have the partner send one back to verify that Domain Security is working correctly. Domain-secured messages show an extra icon in Outlook and Outlook Web App.

Note: When you install the Edge Transport server role, Setup issues a self-signed certificate to the server. No other computer trusts this certificate. If the partner organization must trust the certificate, purchase a certificate from a commercial CA. If you do not want to purchase a certificate, you can instead cross-certify the two organizations' CAs, or import each CA's certificate into the Trusted Root Certification Authorities store on the other side.


Demonstration: How to Configure Domain Security

Key Points
In this demonstration, you will see how to configure Domain Security.

Demonstration Steps
1. Verify a computer certificate in the certificate store.
2. Enable Domain Security on the Receive connector.
3. Enable Domain Security on the Send connector.
4. Run Set-TransportConfig -TLSSendDomainSecureList and Set-TransportConfig -TLSReceiveDomainSecureList to configure the Domain Security partnership.
5. Run Start-EdgeSynchronization to synchronize the changes to the Edge Transport server.
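The six-step process above and the demonstration steps, carried through in the Exchange Management Shell for a partner domain. This is an added example, not the course's own demonstration script; the host names (edge.adatum.com), the partner domain contoso.com, the certificate file paths, the connector names and the subject name are assumptions.

```powershell
# Added example (not from the course): Domain Security for the partner domain
# contoso.com. Host names, paths, connector names and the partner domain are assumptions.

# Step 1 (on the Edge Transport server): request a certificate whose SANs cover the
# Edge FQDN and every accepted SMTP domain. Exchange 2010 returns the request as text.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=A. Datum, CN=edge.adatum.com" `
    -DomainName edge.adatum.com, adatum.com `
    -PrivateKeyExportable $true
Set-Content -Path C:\Certs\edge.req -Value $request

# Step 2: after the CA (one the partner trusts) has issued it, import and enable for SMTP.
$imported = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path C:\Certs\edge.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services SMTP

# Steps 3 and 4 (in the Exchange Management Shell inside the organization; EdgeSync
# carries the transport settings to the Edge server): name the partner domains and
# enable Domain Security on the connectors that carry their mail.
Set-TransportConfig -TLSSendDomainSecureList contoso.com
Set-TransportConfig -TLSReceiveDomainSecureList contoso.com
# A domain-secured Send connector must route by DNS; a smart host would terminate TLS.
Set-SendConnector "Internet" -DomainSecureEnabled $true -DNSRoutingEnabled $true
# Mutual TLS is offered only if Tls is among the Receive connector's auth mechanisms.
Set-ReceiveConnector "Default internal receive connector EDGE" -DomainSecureEnabled $true -AuthMechanism Tls

# Step 5: push the configuration to the Edge server and confirm the subscription works.
Start-EdgeSynchronization
Test-EdgeSynchronization

# Step 6: before sending the test message, confirm that both sides of the
# configuration are in place; a missing entry on either side silently falls back
# to ordinary opportunistic TLS.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector "Internet" | Format-List DomainSecureEnabled, DNSRoutingEnabled, SmartHosts
Get-ReceiveConnector "Default internal receive connector EDGE" | Format-List DomainSecureEnabled, AuthMechanism
Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" } |
    Format-List Subject, CertificateDomains, IsSelfSigned, NotAfter
```

The last check matters because the Edge server keeps its self-signed certificate enabled for SMTP after installation; if it is still the only SMTP certificate, the partner's server cannot validate it and the session is established without Domain Security.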


How S/MIME Works

Key Points
S/MIME is a messaging client-based solution for securing SMTP e-mail. With S/MIME, each client computer must have a certificate, and the user is responsible for signing or encrypting each e-mail.

How S/MIME Secures E-Mail


S/MIME provides e-mail security by using the following options:
- Digital signatures. When a user chooses to add a digital signature to a message, the messaging client computes a hash value of the message and encrypts that hash value with the sender's private key. The result is appended to the message as the digital signature, and the sender's certificate, which carries the public key, is sent with the message. When the recipient receives the message, the recipient's client decrypts the hash value with the sender's public key, recomputes the hash over the message it received, and checks that the two match. Digital signatures provide:
  - Authentication. If the sender's public key can decrypt the hash value attached to the message, the recipient knows that the holder of the matching private key, the person or organization named in the certificate, did sign the message.


  - Nonrepudiation. Only the private key associated with the public key could have been used to encrypt the hash value, so a digitally signed message helps to prevent its sender from disowning the message.
  - Data integrity. Any alteration of the message after it was signed changes its hash value and therefore invalidates the digital signature.

- Message encryption. When a user chooses to encrypt a message using S/MIME, the messaging client generates a one-time symmetric session key and encrypts the entire message with that session key. The session key is then encrypted with the recipient's public key, and the encrypted session key is sent together with the encrypted message. When the message arrives, the recipient's private key decrypts the session key, and the session key decrypts the message. Message encryption provides confidentiality: the session key can be decrypted only with the private key that matches the public key used to encrypt it, so only the intended recipient can view the contents.
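The signing, verification, encryption and decryption steps just described, run against the .NET PKCS#7/CMS classes that S/MIME messages are built from, so that you can watch a signature fail on altered content. This is an added example and not part of the course. It assumes that the current user's Personal certificate store contains one RSA certificate with a private key whose subject contains "Wei" (the filter is an assumption; adjust it to your certificate), and it uses that certificate as both sender and recipient so that the whole round trip runs on one machine.

```powershell
# Added example (not from the course): S/MIME-style sign/verify and encrypt/decrypt
# using System.Security.Cryptography.Pkcs. The certificate filter is an assumption.
Add-Type -AssemblyName System.Security

function Get-TestCertificate {
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*Wei*" } |
        Select-Object -First 1
    if ($cert -eq $null) { throw "No certificate with a private key matched the filter." }
    return $cert
}

function New-ContentInfo([byte[]]$bytes) {
    New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$bytes)
}

# Digital signature: the hash of the content is encrypted with the sender's private
# key, and the signer certificate (public key) travels with the signature. Detached
# ($true) keeps the content separate, as clear-signed S/MIME does.
function Protect-Signature([byte[]]$content, $signerCert) {
    $signed = New-Object System.Security.Cryptography.Pkcs.SignedCms ((New-ContentInfo $content), $true)
    $signer = New-Object System.Security.Cryptography.Pkcs.CmsSigner ($signerCert)
    $signed.ComputeSignature($signer)
    return $signed.Encode()
}

# Verification: the hash is recomputed over the content actually received and
# compared with the signed hash using the embedded public key. $true verifies the
# signature only; pass $false to also validate the certificate chain.
function Test-Signature([byte[]]$content, [byte[]]$signatureBytes) {
    $signed = New-Object System.Security.Cryptography.Pkcs.SignedCms ((New-ContentInfo $content), $true)
    $signed.Decode($signatureBytes)
    try { $signed.CheckSignature($true); return $true }
    catch [System.Security.Cryptography.CryptographicException] { return $false }
}

# Encryption: .NET generates the one-time symmetric session key, encrypts the content
# with it, and wraps the session key with each recipient's public key.
function Protect-Message([byte[]]$content, $recipientCert) {
    $envelope = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms (New-ContentInfo $content)
    $envelope.Encrypt((New-Object System.Security.Cryptography.Pkcs.CmsRecipient ($recipientCert)))
    return $envelope.Encode()
}

# Decryption succeeds only where a private key matching one of the recipients exists.
function Unprotect-Message([byte[]]$envelopeBytes) {
    $envelope = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $envelope.Decode($envelopeBytes)
    $envelope.Decrypt()
    return [Text.Encoding]::UTF8.GetString($envelope.ContentInfo.Content)
}

# Walk-through with a constructed message body.
$cert = Get-TestCertificate
$body = [Text.Encoding]::UTF8.GetBytes("Travel request for Wei approved.")
$sig  = Protect-Signature $body $cert
"Signature verifies on the original body: " + (Test-Signature $body $sig)
$altered = [Text.Encoding]::UTF8.GetBytes("Travel request for Wei rejected.")
"Signature verifies on an altered body:   " + (Test-Signature $altered $sig)
$envelope = Protect-Message $body $cert
"Decrypted content: " + (Unprotect-Message $envelope)
```

The second verification fails because the hash recomputed over the altered body no longer matches the hash that was signed; nothing about the signature bytes themselves changed. Note that CheckSignature($true) deliberately skips chain validation, which is what a mail client does when it decides whether to trust the signer, so a real client would pass $false.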


Lab B: Implementing Anti-Spam Solutions

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-SVR1 virtual machines are running.
   - 10135A-VAN-DC1: Domain controller in the Adatum.com domain
   - 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain
   - 10135A-VAN-SVR1: Standalone server
3. If required, connect to the virtual machines.


Lab Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization. After configuring the Edge Transport server and installing an antivirus solution, you must implement an anti-spam solution.


Exercise 1: Configuring an Anti-Spam Solution on Edge Transport Servers


Scenario
In your organization, users complain that they receive too many spam messages in their Inbox, and they want these spam messages automatically moved to the Junk E-Mail folder. To limit the number of spam messages received by your organization, you need to raise the SCL junk threshold value for the organization and ensure that junk e-mail above a certain rating is rejected. You also want to configure a Block List Provider. The main tasks for this exercise are as follows:
1. Configure DNS for Internet message delivery.
2. Configure global SCL for junk mail delivery.
3. Configure content filtering to reject junk messages.
4. Configure an IP Allow List.
5. Configure a Block List Provider.

Task 1: Configure DNS for Internet message delivery


1. On VAN-DC1, start DNS Manager.
2. In the Adatum.com zone, create an MX record for VAN-SVR1.adatum.com.

Task 2: Configure global SCL for junk mail delivery


1. On VAN-SVR1, configure the content filtering settings to not reject any messages based on SCL values.
2. On VAN-EX1, in the Exchange Management Shell, use the Set-OrganizationConfig -SCLJunkThreshold 6 cmdlet to configure the global SCL level.


3. On VAN-EX1, in the Exchange Management Shell, run d:\labfiles\Lab6Prep.ps1. This script sends 11 messages from VAN-SVR1 with the following SCL ratings:

   Mail Sender          SCL Level
   Msg1@contoso.com     7
   Msg2@contoso.com     8
   Msg3@contoso.com     7
   Msg4@contoso.com     7
   Msg5@contoso.com     8
   Msg6@contoso.com     6
   Msg7@contoso.com     8
   Msg8@contoso.com     7
   Msg9@contoso.com     6
   Msg10@contoso.com    6
   Msg11@contoso.com    8

4. Log on to Outlook Web App as Wei and verify that three messages were delivered to the Inbox, and that eight messages were delivered to the Junk E-Mail folder.
5. View the message details for one of the messages to verify the SCL value assigned to the message.

Task 3: Configure content filtering to reject junk messages


1. On VAN-SVR1, configure content filtering to reject messages that have an SCL rating greater than or equal to 7.
2. On VAN-EX1, run the D:\labfiles\Lab6Prep.ps1 script to send the test messages again.
3. Log on to Outlook Web App on VAN-EX1 as Wei. Verify that three messages are delivered to the Inbox and that no messages are delivered to the Junk E-Mail folder in Wei's mailbox. Delete the messages in the Inbox.


Task 4: Configure an IP Allow List


1. On VAN-SVR1, configure the IP Allow List to accept connections from 10.10.0.10.
2. Run the script to send the test messages again.
3. Verify that all messages are delivered to the Inbox in Wei's mailbox. The SCL rating should be -1.

Task 5: Configure a Block List Provider


Configure an IP Block List Provider named Spamhaus that uses zen.spamhaus.org as the lookup domain.

Results: After this exercise, you should have configured different SCL levels, and verified the behavior of junk mail in user mailboxes. You should also have configured a Block List Provider.
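The same exercise in the Exchange Management Shell, with a check after each task. This is an added example and not the lab's answer key; the host names, the 10.10.0.10 address and the Spamhaus lookup domain come from the lab, while the Get-AgentLog query at the end is an added check that the lab does not perform.

```powershell
# Added example (not from the course): Shell equivalents of Exercise 1, Tasks 2-5.
# Run the content filter and list cmdlets on the Edge Transport server (VAN-SVR1);
# Set-OrganizationConfig runs on the Hub Transport server (VAN-EX1).

# Task 2: let everything through the Edge, and let mailboxes junk anything above SCL 6.
Set-ContentFilterConfig -SCLRejectEnabled $false -SCLDeleteEnabled $false -SCLQuarantineEnabled $false
Set-OrganizationConfig -SCLJunkThreshold 6          # on VAN-EX1

# Task 3: reject at the Edge anything rated SCL 7 or higher. The rejection happens
# inside the SMTP session, so the sending host receives the error and nothing is
# stored; compare with the junk-folder behaviour of Task 2, where the mail is kept.
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 7

# Task 4: IP Allow List entries bypass content filtering entirely (SCL -1), so add
# only hosts you control or trust completely. Each entry is a standing exception.
Add-IPAllowListEntry -IPAddress 10.10.0.10

# Task 5: DNS-based block list. AnyMatch $true treats any returned A record as a hit.
Add-IPBlockListProvider -Name Spamhaus -LookupDomain zen.spamhaus.org -AnyMatch $true

# Checks: the effective thresholds, both lists, and what the Content Filter agent
# actually did with recent messages (ReasonData carries the SCL it assigned).
Get-ContentFilterConfig | Format-List SCL*Enabled, SCL*Threshold
Get-IPAllowListEntry
Get-IPBlockListProvider | Format-Table Name, LookupDomain, AnyMatch, Enabled -AutoSize
Get-AgentLog -StartDate (Get-Date).AddHours(-1) |
    Where-Object { $_.Agent -eq "Content Filter Agent" } |
    Format-Table Timestamp, P1FromAddress, Action, Reason, ReasonData -AutoSize
```

Run the Lab6Prep.ps1 script between the tasks exactly as the lab describes; the Get-AgentLog output then shows the eight SCL 7 and 8 messages being accepted after Task 2, rejected after Task 3, and passing with SCL -1 after Task 4.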

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.


6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
8. Wait for VAN-EX2 to start, and then start VAN-EX3. Connect to the virtual machine.


Module Review and Takeaways

Review Questions
1. Is Edge Synchronization a mandatory requirement?
2. Which Exchange Server versions support the Domain Security feature?
3. Does the Edge Transport server role in Exchange Server 2010 include virus-scanning capabilities?


Common Issues Related to Edge Synchronization and Domain Security


Identify the causes for the following common issues related to implementing messaging security. For answers, refer to relevant lessons in the module.
Issue: You configured Domain Security with a partner domain, but messages only use TLS for message encryption, not mutual TLS or Domain Security.
Troubleshooting tip: Ensure that both domains trust each other's CA. Also, Domain Security must be configured on both the local side and the partner side.

Issue: Edge Synchronization is not working anymore.
Troubleshooting tip: Use Test-EdgeSynchronization to verify that the connection is established. If that does not work, re-establish the Edge Subscription.

Issue: You are logged on to your Windows Server 2008 computer using your own account. When you run Test-EdgeSynchronization, it shows that the connection is broken.
Troubleshooting tip: When you use your own account instead of an administrator account to log on to a Windows Server 2008 system, ensure that you always start the Exchange Management Shell in Administrator mode (Run as administrator). Some cmdlets require full access to run.


Module 1: Deploying Microsoft Exchange Server 2010

Lab A: Installing Exchange Server 2010


Exercise 1: Evaluating Requirements for an Exchange Server Installation
Task 1: Evaluate the Active Directory directory service requirements
1. On NYC-DC1, click Start, right-click Computer, and then click Properties.
2. On the System page, in the Windows edition section, verify that the domain controller operating system is compatible with the Exchange Server 2010 requirements.
3. Close the System page.
4. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
5. Right-click Contoso.com, and then click Properties.
6. In the Contoso.com Properties dialog box, verify that the domain and forest functional levels are compatible with the Exchange Server 2010 requirements.
7. Click OK, and then close Active Directory Users and Computers.
8. Click Start, and in the Search box, type adsiedit.msc, and then press ENTER.
9. Right-click ADSI Edit, and then click Connect to.
10. In the Connection Settings dialog box, in the Connection Point section, in the Select a well known Naming Context list, click Configuration, and then click OK.
11. In the left pane, expand Configuration [NYC-DC1.Contoso.com], and then click CN=Configuration,DC=Contoso,DC=com.
12. Expand CN=Services, and verify that CN=Microsoft Exchange has not been created.
13. Close ADSI Edit.


Task 2: Evaluate the DNS requirements


1. On NYC-SVR2, click Start, and in the Search box, type cmd, and then press ENTER.
2. At the command prompt, type IPConfig /all, and then press ENTER. Verify that the Domain Name System (DNS) server IP address for Local Area Connection 2 is 10.10.10.10.
3. At the command prompt, type Ping NYC-DC1.contoso.com. Verify that you have network connectivity with the domain controller.
4. At the command prompt, type Nslookup, and then press ENTER.
5. At the command prompt, type set type=all, and then press ENTER.
6. At the command prompt, type _ldap._tcp.dc._msdcs.Contoso.com, and then press ENTER. Verify that an SRV record is returned.
7. Close the command prompt.

Task 3: Evaluate the server requirements


1. On NYC-SVR2, click Start, point to Administrative Tools, and click Server Manager.
2. In the left pane, click Features. Verify that no Windows Server 2008 features are installed, including the Active Directory Domain Services (AD DS) management tools.
3. In the left pane, click Roles. Verify that no Windows Server 2008 roles are installed.
4. Click Start and point to Administrative Tools. Verify that Internet Information Services (IIS) Manager is not listed.
5. Click Start, click All Programs, click Accessories, click Windows PowerShell, and then click Windows PowerShell.
6. At the PS prompt, type help about_windows_powershell, and then press ENTER.
7. Verify that about_Windows_PowerShell_2.0 is listed. It is installed with Windows PowerShell v2.


8. Close Windows PowerShell.
9. Click Start, and then click Control Panel.
10. In the Control Panel, click Programs.
11. In the Programs window, click Programs and Features. Verify that Microsoft Filter Pack 1.0 is installed. Close the Programs and Features window.

Results: After this exercise, you should have evaluated the requirements for Active Directory directory service, DNS, and servers.


Exercise 2: Preparing for an Exchange Server 2010 Installation


Task 1: Install the Windows Server 2008 server roles and features
1. On NYC-SVR2, in Server Manager, click Features, and then click Add Features.
2. On the Select Features page, expand Remote Server Administration Tools, expand Role Administration Tools, expand AD DS and AD LDS Tools, expand AD DS Tools, and then select the AD DS Snap-Ins and Command-Line Tools check box.
3. Expand .NET Framework 3.5.1 Features, and then select the .NET Framework 3.5.1 check box.
4. Expand WCF Activation, select the HTTP Activation check box, and then click Add Required Role Services.
5. Select the RPC over HTTP Proxy check box, and then click Add Required Role Services.
6. Click Next.
7. On the Web Server (IIS) page, click Next.
8. On the Select Role Services page, under Security, select the Digest Authentication check box.
9. Under Performance, select the Dynamic Content Compression check box.
10. Under IIS 6 Management Compatibility, select the IIS 6 Management Console check box.
11. Click Next, and then click Install.
12. Click Close.
13. Click Start, point to Administrative Tools, and click Services.
14. In the Services list, double-click Net.Tcp Port Sharing Service.
15. In the Net.Tcp Port Sharing Service Properties dialog box, in the Startup type drop-down list, click Automatic, and then click Apply.
16. Click Start, wait for the service to start, click OK, and then close the Services console.


Task 2: Prepare AD DS for Exchange Server 2010 installation


This task requires that the Exchange Server 2010 ISO be attached to the NYC-SVR2 virtual machine as a DVD drive. Complete the following steps to attach it:
1. In the 10135A-NYC-SVR2 on localhost Virtual Machine Connection window, on the File menu, click Settings.
2. Click DVD Drive, and then click Image File.
3. Click Browse, and browse to C:\Program Files\Microsoft Learning\10135\Drives.
4. Click EXCH201064.iso, and click Open.
5. Click OK. On NYC-SVR2, click Close to close the AutoPlay dialog box.
6. On NYC-SVR2, open a Command Prompt. Type D:\setup.com /PrepareAD /OrganizationName:Contoso, and then press ENTER.
7. Close the command prompt window when the task is complete.

Results: After this exercise, you should have installed the Windows Server 2008 server roles and features, and prepared AD DS for an Exchange Server 2010 installation.
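The same preparation as a script, which is how you would repeat it on every server in a real deployment rather than clicking through Server Manager. This is an added example, not part of the lab; it assumes Windows Server 2008 R2 (where the ServerManager PowerShell module exists; on Windows Server 2008 you would use ServerManagerCmd.exe instead), an elevated Windows PowerShell session on NYC-SVR2, and the Exchange media mounted as D:. The feature names are those Microsoft documents for a typical Exchange Server 2010 installation and cover everything the Task 1 wizard selects, including the role services it adds automatically.

```powershell
# Added example (not from the course): Exercise 2 as a script for Windows Server 2008 R2.
Import-Module ServerManager

# Task 1: features and role services (wizard selections plus their required role services).
$features = "NET-Framework", "RSAT-ADDS", "Web-Server", "Web-Basic-Auth", "Web-Windows-Auth",
            "Web-Metabase", "Web-Net-Ext", "Web-Lgcy-Mgmt-Console", "WAS-Process-Model",
            "RSAT-Web-Server", "Web-ISAPI-Ext", "Web-Digest-Auth", "Web-Dyn-Compression",
            "NET-HTTP-Activation", "RPC-Over-HTTP-Proxy"
$result = Add-WindowsFeature $features
if (-not $result.Success) { throw "Feature installation failed; review the Server Manager log." }
if ($result.RestartNeeded -ne "No") { Write-Warning "Restart the server before continuing." }

# Task 1, steps 13-16: Net.Tcp Port Sharing must start automatically.
Set-Service NetTcpPortSharing -StartupType Automatic
Start-Service NetTcpPortSharing

# Task 2: /PrepareAD extends the schema and creates the organization container, so it
# needs Schema Admins and Enterprise Admins. Fail early if the current token lacks them.
$groups = whoami /groups
if (-not ($groups | Select-String "Schema Admins") -or -not ($groups | Select-String "Enterprise Admins")) {
    throw "Run this step as a member of Schema Admins and Enterprise Admins."
}
& D:\setup.com /PrepareAD /OrganizationName:Contoso

# Check: the container that Exercise 1 verified was absent now exists, under the
# organization name given above.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$exchangeContainer = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
$exchangeContainer.Children | Select-Object -ExpandProperty Name
```

The check at the end lists the children of CN=Microsoft Exchange; after a successful /PrepareAD they include the organization container (here Contoso). If the script is run without the required group memberships, the throw stops it before setup.com can fail half way through a schema update.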


Exercise 3: Installing Exchange Server 2010


Task 1: Install Microsoft Exchange Server 2010
1. Click Start, click Run, type D:\setup.exe, and then click OK. Steps 1 and 2 are unavailable because they are already complete. If the components were not installed, Exchange Server provides links to download the necessary software.
2. Click Step 3: Choose Exchange language option.
3. Click Install only languages from the DVD.
4. Click Step 4: Install Microsoft Exchange. The installation begins copying files.
5. Click Next to begin Exchange Server 2010 Setup.
6. On the License Agreement page, click I accept the terms in the license agreement, and then click Next.
7. On the Error Reporting page, click No to disable error reporting, and then click Next. You are disabling error reporting because your virtual machine does not have access to the Internet.
8. On the Installation Type page, click Typical Exchange Server Installation, and then click Next.
9. On the Client Settings page, click Yes to configure Exchange Server for Outlook 2003 or Entourage clients, and then click Next.
10. On the Configure Client Access server external domain page, click Next.
11. On the Customer Experience Improvement Program page, click I don't wish to join the program at this time, and click Next. A readiness check takes place to ensure that Exchange is ready to install on the server. This check takes several minutes to complete.
12. Click Install. The installation begins, and takes approximately 15-20 minutes to complete.


13. Click Finish.
14. Click Close and Yes to exit Exchange Server 2010 Setup. You are not obtaining the critical updates for Exchange Server 2010 because the virtual machine does not have Internet connectivity.

Results: After this exercise, you should have installed Exchange Server 2010.


Lab B: Verifying an Exchange Server 2010 Installation


Exercise 1: Verifying an Exchange Server 2010 Installation
Task 1: View the Exchange Server services
1. On NYC-SVR2, click Start, point to Administrative Tools, and then click Services.
2. Scroll down the list of services, and click the Microsoft Exchange Active Directory Topology service. Review the service description.
3. Review the status of the remaining Exchange Server services. Ensure that all services that are set for automatic startup are running.
4. Close Services.

Task 2: View the Exchange Server folders


1. Click Start, and then click Computer.
2. Browse to C:\Program Files\Microsoft\Exchange Server\V14. This list of folders includes ClientAccess, Mailbox, and TransportRoles. These three roles were installed as part of the typical setup.
3. Open TransportRoles. The Hub Transport server role uses these folders.
4. Close Windows Explorer.

Task 3: Create a new user, and send a test message


1. If necessary, click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the left pane, click Microsoft Exchange On-Premises. Wait for the initialization to finish, and then click OK to acknowledge that the server is unlicensed.
3. Click Recipient Configuration. Notice that a mailbox for the Administrator and a Discovery Search Mailbox are the only mailboxes created by default.
4. Right-click Recipient Configuration, and then click New Mailbox. Wait for the New Mailbox wizard to start.


5. Click Next to accept the User Mailbox option.
6. Click Next to accept the New user option.
7. In the First name box, type TestUser.
8. In the User logon name box, type TestUser.
9. In the Password and Confirm password boxes, type Pa$$w0rd.
10. Click Next.
11. On the Mailbox Settings page, in the Alias box, type TestUser, and then click Next to accept the mailbox settings.
12. On the Archive Settings page, click Next.
13. Click New to create the new mailbox.
14. Click Finish.
15. Click Start, point to All Programs, and then click Internet Explorer.
16. In the Address bar, type https://NYC-SVR2/owa, and then press ENTER.
17. Click Continue to this website (not recommended) to proceed.
18. Log on as Contoso\TestUser with a password of Pa$$w0rd.
19. Click OK to accept the default Outlook Web App settings.
20. Click New to create a new message.
21. Click Continue to this website (not recommended).
22. In the To box, type Administrator.
23. In the Subject box, type Test Message, and then click Send.
24. Close Internet Explorer.
25. Click Start, point to All Programs, and then click Internet Explorer.
26. In the Address bar, type https://NYC-SVR2/owa, and then press ENTER.
27. Click Continue to this website (not recommended) to proceed.
28. Log on as Contoso\Administrator with a password of Pa$$w0rd.
29. Click OK to accept the default Outlook Web App settings.
30. Double-click the message from TestUser to read it. Click Continue to this website (not recommended).


31. Close the message from TestUser.
32. Close Internet Explorer.

Task 4: Run the Exchange Server Best Practices Analyzer tool


1. In the Exchange Management Console, in the left pane, click Toolbox.
2. In the center pane, double-click Best Practices Analyzer.
3. Click Do not check for updates on startup. You do this because your virtual machine does not have Internet access.
4. Click I don't want to join the program at this time.
5. Click Go to the Welcome screen.
6. Click Select options for a new scan.
7. Click Connect to the Active Directory server.
8. In the Enter an identifying label for this scan box, type Post-Installation Test.
9. Review the options, and then click Start scanning.
10. When the scan is complete, click the View a report of this Best Practices scan link.
11. On the Critical Issues tab, click Unrecognized Exchange signature. This gives you the option to get information about how to fix the problem or to hide the message.
12. Click Tell me more about this issue and how to resolve it. This opens the Microsoft Exchange Server Best Practices Analyzer Help, and provides specific information about the warning and how to troubleshoot it.
13. Close Exchange Server Best Practices Analyzer Help.
14. Close the Exchange Server Best Practices Analyzer tool.

Results: After this exercise, you should have verified the successful installation of Exchange Server 2010 by viewing the Exchange Server services and folders. You should also have created a new user and sent a test message to that user. Finally, you should have used the Exchange Server Best Practices Analyzer tool to view information about any installation issues.
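Scripted versions of the checks in Tasks 1 to 3, which are what you would keep as a post-installation smoke test rather than repeating the console steps. This is an added example and not the lab's own procedure; it runs in the Exchange Management Shell on NYC-SVR2, the user name TestUser, the password and the contoso.com domain come from the lab, and the certificate check at the end is an added caveat the lab does not cover.

```powershell
# Added example (not from the course): post-installation checks for Lab B on NYC-SVR2.

# Task 1: any Exchange service set to Automatic that is not running is a problem.
function Get-StoppedAutoExchangeService {
    Get-WmiObject Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, State, StartMode
}
$stopped = @(Get-StoppedAutoExchangeService)
if ($stopped.Count -eq 0) { "All automatic Exchange services are running." }
else { $stopped | Format-Table -AutoSize }

# Task 2: the role folders that a typical installation creates under the install path.
foreach ($folder in "ClientAccess", "Mailbox", "TransportRoles") {
    "{0,-14} {1}" -f $folder, (Test-Path (Join-Path $env:ExchangeInstallPath $folder))
}

# Task 3: create the test user without the wizard, send a test message from Exchange
# itself, and trace its delivery. Single quotes stop PowerShell from expanding '$$'
# in the password.
$password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
New-Mailbox -Name TestUser -Alias TestUser -UserPrincipalName TestUser@contoso.com `
    -Password $password -ResetPasswordOnNextLogon $false
Test-Mailflow -TargetEmailAddress Administrator@contoso.com
Get-MessageTrackingLog -Recipients Administrator@contoso.com -EventId DELIVER -Start (Get-Date).AddMinutes(-15) |
    Format-Table Timestamp, Sender, MessageSubject -AutoSize

# The "Continue to this website" prompt in Task 3 appears because Outlook Web App is
# still served with the self-signed certificate that Setup created. Record which
# certificate IIS uses before anyone is told to click through that warning.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Subject, CertificateDomains, IsSelfSigned, NotAfter, Thumbprint
```

Test-Mailflow sends from the mailbox server's system mailbox, so a successful result confirms the Mailbox and Hub Transport roles work together without depending on a browser session; the message tracking query then shows the DELIVER event for the Administrator mailbox.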


To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX3. Connect to the virtual machine.


Module 2: Configuring Mailbox Servers

Lab: Configuring Mailbox Servers


Exercise 1: Configuring Mailbox Databases
Task 1: Create a new database for the Executive mailboxes
1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.
3. In the Content pane, select the Database Management tab.
4. In the Actions pane, click New Mailbox Database.
5. In the New Mailbox Database Wizard, type Executive in the Mailbox database name field, and then click Browse.
6. In the Select Mailbox Server dialog box, select VAN-EX1, and then click OK.
7. Click Next.
8. In the Database file path field, type C:\Mailbox\Executive\Executive.edb.
9. In the Log folder path field, type C:\Mailbox\Executive.
10. Click Next.
11. Click New.
12. Click Finish.


Task 2: Configure the Executive mailbox database with appropriate limits


1. In the Content pane, select the Database Management tab, right-click on the Executive database, and then click Properties.
2. Click the Limits tab.
3. Type 850000 for Issue warning at (KB).
4. Uncheck Prohibit send at (KB).
5. Type 1024000 for Prohibit send and receive at (KB).
6. Click OK.

Task 3: Move the existing Accounting database to a new location


1. In the Content pane, select the Database Management tab, and then select the Accounting database.
2. In the Actions pane, click Move Database Path.
3. In the Move Database Path Wizard, in the Database file path field, type C:\Mailbox\Accounting\Accounting.edb.
4. In the Log folder path field, type C:\Mailbox\Accounting\.
5. Click Move.
6. Click Yes.
7. Click Finish.
8. Close the Exchange Management Console.

Results: After this exercise, you should have created a new database, set the specified limits, and moved the existing Accounting database to a new folder.


Exercise 2: Configuring Public Folders


Task 1: Check Executives public folder statistics
1. On VAN-EX3, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange, expand Microsoft Exchange On-Premises, and then click Toolbox.
3. In the Content pane, double-click Public Folder Management Console.
4. If you are not connected, then in the Actions pane, click Connect to a Server, and then in the Connect to Server dialog box, click Browse.
5. In the Select Public Folder dialog box, select VAN-EX1, click OK, and then click Connect.
6. In the Console Tree, expand Public Folders, and then select Default Public Folders.
7. In the Content pane, right-click Executives, and then choose Properties.
8. On the General tab, note the Total Items and Size of the items in the public folder.
9. Click OK.
10. Leave the Public Folder Management Console running.

Task 2: Create a public folder database on VAN-EX3


1. On VAN-EX3, in the Exchange Management Console, expand Organization Configuration, and then click Mailbox.
2. In the Content pane, select the Database Management tab.
3. In the Actions pane, click New Public Folder Database.
4. On the New Public Folder Database page, type PF-VAN-EX3 in the Public Folder database name field, and then click Browse.
5. In the Select Mailbox Server dialog box, select VAN-EX3, and then click OK.
6. Click Next.
7. In the Database file path field, type C:\Mailbox\PF-VAN-EX3\PF-VAN-EX3.edb.
8. In the Log folder path field, type C:\Mailbox\PF-VAN-EX3\, and then click OK.
9. Click Next.
10. Click New.
11. Click Finish.

Task 3: Add a replica of the Executives public folder on VAN-EX3


1. In the Console Tree for the Public Folder Management Console, expand Public Folders, and then select Default Public Folders.
2. In the Content pane, right-click Executives, and then choose Properties.
3. Click the Replication tab.
4. Under Replicate content to these public folder databases, click Add.
5. Select PF-VAN-EX3, and then click OK.

Note: It can take up to 15 minutes for replication to complete.

Task 4: Verify replication between VAN-EX1 and VAN-EX3


1. Click Public Folders, in the Actions pane, click Connect to a Server, and then in the Connect to Server dialog box, click Browse.
2. In the Select Public Folder Servers dialog box, select VAN-EX3, click OK, and then click Connect.
3. In the Console Tree, expand Public Folders, and then select Default Public Folders.
4. In the Content pane, right-click Executives, and then choose Properties.
5. On the General tab, note the Total Items and Size of the items in the public folder.
6. Click OK.
7. Close the Public Folder Management Console.
8. Close the Exchange Management Console.

Results: After this exercise, you should have created a new public folder database on VAN-EX3 and added replicas for each public folder.
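The Module 2 lab tasks, as an added Exchange Management Shell example that is not part of the lab guide: the same databases, limits and replica, plus a replica check for Exercise 2, Task 4. Test-PublicFolderReplica is a helper defined here, not an Exchange cmdlet; the server names and paths are the lab's, and the polling loop is an assumption added for the 15-minute replication window.

```powershell
# Added example (not part of the lab guide): shell equivalents of the Module 2
# lab tasks, run in the Exchange Management Shell on VAN-EX1.

# Exercise 1, Task 1: new Executive database on VAN-EX1. The wizard mounts the
# database by default; the cmdlet does not, hence the explicit Mount-Database.
New-MailboxDatabase -Name "Executive" -Server "VAN-EX1" `
    -EdbFilePath "C:\Mailbox\Executive\Executive.edb" `
    -LogFolderPath "C:\Mailbox\Executive"
Mount-Database -Identity "Executive"

# Task 2: limits. The lab enters the values in KB; the size parameters accept
# KB/MB/GB suffixes. Unchecking "Prohibit send at" corresponds to Unlimited.
Set-MailboxDatabase -Identity "Executive" `
    -IssueWarningQuota 850000KB `
    -ProhibitSendQuota Unlimited `
    -ProhibitSendReceiveQuota 1024000KB

# Task 3: move the Accounting database files. The database is dismounted for
# the duration of the copy, so its users lose access until the move completes.
Move-DatabasePath -Identity "Accounting" `
    -EdbFilePath "C:\Mailbox\Accounting\Accounting.edb" `
    -LogFolderPath "C:\Mailbox\Accounting" -Confirm:$false

# Exercise 2, Task 2: public folder database on VAN-EX3.
New-PublicFolderDatabase -Name "PF-VAN-EX3" -Server "VAN-EX3" `
    -EdbFilePath "C:\Mailbox\PF-VAN-EX3\PF-VAN-EX3.edb" `
    -LogFolderPath "C:\Mailbox\PF-VAN-EX3"
Mount-Database -Identity "PF-VAN-EX3"

# Task 3: add PF-VAN-EX3 as a replica of \Executives while keeping the existing
# replica list (Replicas is replaced, not appended, by Set-PublicFolder).
$pf = Get-PublicFolder -Identity "\Executives"
$replicas = @($pf.Replicas | ForEach-Object { $_.Name }) + "PF-VAN-EX3"
Set-PublicFolder -Identity "\Executives" -Replicas $replicas

# Task 4: compare item count and size of the folder on each server instead of
# reading them off the General tab. Returns $true when the replicas agree.
function Test-PublicFolderReplica {
    param(
        [string]$Folder = "\Executives",
        [string[]]$Servers = @("VAN-EX1", "VAN-EX3")
    )
    $stats = @()
    foreach ($s in $Servers) {
        $st = Get-PublicFolderStatistics -Identity $Folder -Server $s -ErrorAction SilentlyContinue
        if (-not $st) { Write-Warning "$Folder is not yet present on $s"; return $false }
        $stats += New-Object PSObject -Property @{
            Server = $s; ItemCount = $st.ItemCount; TotalItemSize = $st.TotalItemSize
        }
    }
    $stats | Format-Table Server, ItemCount, TotalItemSize -AutoSize | Out-String | Write-Host
    # One distinct item count across all servers means the replicas are in sync.
    $distinct = @($stats | ForEach-Object { $_.ItemCount } | Sort-Object -Unique)
    return ($distinct.Count -eq 1)
}

# Replication can take up to 15 minutes (see the Note in Task 3), so poll for it.
$deadline = (Get-Date).AddMinutes(15)
do {
    $inSync = Test-PublicFolderReplica
    if (-not $inSync) { Start-Sleep -Seconds 60 }
} until ($inSync -or (Get-Date) -gt $deadline)
if (-not $inSync) { Write-Warning "Replica of \Executives on VAN-EX3 is not yet in sync" }
```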

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.


Module 3: Managing Exchange Recipients

Lab: Managing Exchange Recipients


Exercise 1: Managing Recipients
Task 1: Create and configure a mailbox called Adventure Works Questions
1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the console tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then click Mailbox.
3. In the Actions pane, click New Mailbox.
4. Choose User Mailbox, and then click Next.
5. Choose New user, and then click Next.
6. Fill in the following information:
   - Name: Adventure Works Questions
   - User logon name (User Principal Name): AdventureWksQ
   - Password: Pa$$w0rd
   - Confirm password: Pa$$w0rd
7. Click Next.
8. Type AdventureWksQ as the Alias. Select the Specify the mailbox database rather than using a database automatically selected check box, and click Browse.
9. Click Mailbox Database 1, click OK, and then click Next.
10. Click Next.
11. Click New.
12. Click Finish.
13. In the Results pane, select the Adventure Works Questions mailbox, and then in the Actions pane, click Manage Full Access Permission.
14. In the Manage Full Access Permission Wizard, click Add.
15. In the Select User or Group dialog box, choose George Schaller, and then click OK.
16. Click Manage.
17. Click Finish.

Task 2: Create resource mailboxes, and configure auto-accept settings for the ProjectRoom
1. In the console tree, under Recipient Configuration, click Mailbox.
2. In the Actions pane, click New Mailbox.
3. In the New Mailbox Wizard, select Room Mailbox, and then click Next.
4. Verify New user is selected, and then click Next.
5. Fill in the following information:
   - Name: ProjectRoom
   - User logon name (User Principal Name): ProjectRoom
   - Password: Pa$$w0rd
   - Confirm Password: Pa$$w0rd
6. Click Next.
7. Type ProjectRoom as the Alias. Select the Specify the mailbox database rather than using a database automatically selected check box, and then click Browse.
8. Click Mailbox Database 1, click OK, and then click Next.
9. Verify that the Create an archive mailbox for this account check box is not selected, and then click Next.
10. Click New, and then click Finish.
11. In the Results pane, click ProjectRoom, and in the Actions pane, click Properties.
12. Click the Resource General tab.
13. Select the Enable the Resource Booking Attendant check box. If you do not enable this option, the resource will not process meeting requests, even if you configure other settings.
14. Click OK.

Task 3: Move George Schaller's mailbox to the VAN-EX1\Mailbox Database 1


1. In the console tree, under Recipient Configuration, click Mailbox.
2. Click the George Schaller mailbox, and then in the Actions pane, click New Local Move Request.
3. In the New Local Move Request Wizard, click Browse.
4. Click Mailbox Database 1, and then click OK.
5. Click Next.
6. Verify that Skip the mailbox is selected, and then click Next.
7. Click New.
8. Click Finish.
9. In the console tree, click Move Request to verify the move request is complete.

Note: If the mailbox move fails, and the error indicates that no MRS service is available, start the Microsoft Exchange Mailbox Replication service, and try the mailbox move again.


Task 4: Create and configure a mail-enabled contact for Ian Palangio at Woodgrove Bank
1. In the console tree, under Recipient Configuration, click Mail Contact.
2. In the Actions pane, click New Mail Contact.
3. Verify that New contact is selected.
4. Click Next.
5. Fill in the following information:
   - First Name: Ian
   - Last name: Palangio
   - Alias: IanPalangioWB
6. To set the e-mail address, click Edit.
7. In the E-mail address box, type ian.palangio@woodgrovebank.com, and then click OK.
8. Click Next.
9. Click New.
10. Click Finish.

Task 5: Create a moderated distribution list for the Adventure Works Project, and delegate an administrator
1. In the console tree, under Recipient Configuration, click Distribution Group.
2. In the Actions pane, click New Distribution Group.
3. Verify New group is selected.
4. Click Next.
5. Under Group Type, verify that Distribution is selected.
6. Fill in the following information:
   - Name: Adventure Works Project
   - Alias: AdventureWorksProject
7. Click Next.
8. Click New.
9. Click Finish.
10. In the Work pane, select the Adventure Works Project group.
11. In the Actions pane, click Properties.
12. Click the Members tab.
13. Click Add, and then select the following users by holding down CTRL:
   - George Schaller
   - Ian Palangio
   - Wei Yu
   - Paul West
14. Click OK.
15. Click the Mail Flow Settings tab.
16. Select Message Moderation, and then click Properties.
17. Select the Messages sent to this group have to be approved by a moderator check box.
18. In the Specify group moderators section, click Add.
19. Select George Schaller, and then click OK.
20. Click OK.
21. Click OK.

Task 6: Verify that changes were completed successfully


1. On VAN-CL1, verify that you are logged in as Administrator.
2. Open Microsoft Office Outlook 2007.
3. In the toolbar, click the down arrow next to New, and then click Meeting Request.
4. Click the To button.

Note: If you receive an error message when you click To, click Cancel. Start or restart the Microsoft Exchange Address Book Service on VAN-EX1, and then try this step again.

5. Select the Adventure Works Project group, and then click Required.
6. Select the ProjectRoom, and then click Resources.
7. Click OK.
8. Select a time.
9. Type Project Kickoff as the subject.
10. Click Send.
11. Close Outlook.
12. Log off from VAN-CL1.
13. On VAN-EX1, click Start, click All Programs, and then click Internet Explorer.
14. Type https://VAN-EX1.Adatum.com/OWA in the address bar.
15. Log on to Microsoft Outlook Web App as Adatum\George with a password of Pa$$w0rd. Click OK.
16. Double-click the message with the subject of Project Kickoff.
17. Click Accept. Choose to send the response now.
18. Close Windows Internet Explorer.

Results: At the end of this exercise, you will have completed all of the assigned tasks, including creating a mailbox, creating a resource mailbox, moving a mailbox, creating a contact, and creating a moderated distribution group.


Exercise 2: Configuring E-Mail Address Policies


Task 1: Create an e-mail address policy for Adventure Works users
1. On VAN-EX1, in the Exchange Management Console, expand Organization Configuration, and then select Hub Transport.
2. In the Actions pane, click New E-mail Address Policy.
3. In the New E-Mail Address Policy Wizard, type Adventure Works as the policy name.
4. Click Browse.
5. Click Adatum.com in the Select Organizational Unit dialog box, and then click OK.
6. Verify that All Recipient types is selected, and then click Next.
7. In the Step 1 box, select the Recipient is in a Company check box.
8. In the Step 2 box, click specified.
9. In the Specify Company dialog box, type Adventure Works, and then click Add.
10. Click OK.
11. In the New E-Mail Address Policy dialog box, click Next.
12. Click Add. In the SMTP E-mail Address dialog box, click First name.last name (john.smith).
13. Click Select the accepted domain for the e-mail address, click Browse, click Adventure-works.com, and then click OK.
14. Click OK.
15. Click Next.
16. Verify Immediately is selected, and then click Next.
17. Click New.
18. Click Finish.


Task 2: Verify that addresses are applied correctly


1. In the console tree, under Recipient Configuration, click Mailbox.
2. In the Results pane, double-click George Schaller.
3. In the Properties dialog box for George Schaller, click the E-Mail Addresses tab, and view the current e-mail addresses that are assigned.
4. Click the Organization tab.
5. Type Adventure Works for the Company, and then click Apply.
6. Click the E-Mail Addresses tab, and view the current e-mail addresses that are assigned. Microsoft Exchange should have assigned the new Adventure-works.com e-mail address when the company change was made.
7. Click OK.

Results: At the end of this exercise, you will have created an e-mail address policy for Adventure Works users.


Exercise 3: Configuring Address Lists


Task 1: Create an empty-container address list named Companies
1. On VAN-EX1, in Exchange Management Console, under Organization Configuration, click Mailbox.
2. In the Results pane, click the Address lists tab.
3. In the Actions pane, click New Address List.
4. In the Name box, type Companies.
5. Click Next.
6. Select None under Include these recipient types.
7. Click Next.
8. Click New.
9. Click Finish.

Task 2: Create a new address list for Adventure Works recipients


1. In the console tree, under Organization Configuration, click Mailbox.
2. In the Results pane, click the Address Lists tab.
3. In the Actions pane, click New Address List.
4. In the Name box, type Adventure Works.
5. Click Browse.
6. In the Select Address List dialog box, select Companies, and then click OK.
7. Click Next.
8. Verify that All Recipient types is selected, and then click Next.
9. In the Step 1 box, select the Recipient is in a Company option.
10. In the Step 2 box, click specified.
11. In the Specify Company dialog box, type Adventure Works, and then click Add.
12. Click OK.
13. Click Preview, and then click OK.
14. Click Next.
15. Verify Immediately is selected, and then click Next.
16. Click New.
17. Click Finish.

Task 3: Create a new address list for A. Datum Corporation recipients


1. In the console tree, under Organization Configuration, click Mailbox.
2. In the Results pane, click the Address lists tab.
3. In the Actions pane, click New Address List.
4. In the Name box, type A. Datum.
5. In the Display name box, type A. Datum.
6. Click Browse.
7. In the Select Address dialog box, click Companies, and then click OK.
8. Click Next.
9. Verify that All Recipient types is selected, and then click Next.
10. In the Step 1 box, check Recipient is in a Company.
11. In the Step 2 box, click specified.
12. In the Specify Company dialog box, type A. Datum, and then click Add.
13. Click OK.
14. Click Preview, and then click OK.
15. Click Next.
16. Verify Immediately is selected, and then click Next.
17. Click New.
18. Click Finish.


Task 4: Verify the new address list is available in Microsoft Office Outlook
1. On VAN-CL1, log on as Administrator with a password of Pa$$w0rd.
2. Open Office Outlook 2007.
3. Click the Tools menu, and then click Address Book.
4. Under Address Book, click the down arrow to display the options. You can see that under All Address Lists, the Companies container is listed and includes the address lists Adventure Works and A. Datum.
5. Close all open windows, and log off VAN-CL1.

Task 5: Create a new offline address book for the Adventure Works address list to support both Office Outlook 2003 and Outlook 2007 clients
1. On VAN-EX1, in Exchange Management Console, under Organization Configuration, click Mailbox, and then click the Offline Address Book tab.
2. In the Actions pane, click New Offline Address Book.
3. In the Name box, type Companies.
4. Click Browse, select VAN-EX1, and then click OK.
5. Clear the Include the default Global Address List check box.
6. Select the Include the following address lists check box.
7. Click Add, expand Companies, click Adventure Works, and then click OK.
8. Click Add, expand Companies, click A. Datum, and then click OK.
9. Click Next.
10. Select Enable Web-based Distribution and Enable public folder distribution.
11. Click Add, and in the Microsoft Exchange dialog box, click OK.
12. Click OAB (Default Web Site), click OK, and then click Next.
13. Click New, and then click Finish.

Results: At the end of this exercise, you will have created an address list for the A. Datum and Adventure Works users, and an offline address book for each organization.


Exercise 4: Performing Bulk Recipient Management Tasks


Task 1: Add a header to the .csv file exported from the Human Resources (HR) system
1. On VAN-EX1, click Start, point to All Programs, click Accessories, and then click Notepad.
2. Click the File menu, and then click Open.
3. Change the Files of Type to All Files.
4. Browse to D:\Labfiles\Users.csv, and then click Open.
5. At the top of the file, replace Add Header Here with FirstName,LastName,Password. The Import-CSV cmdlet uses this header to name each column of imported information. You then can reference these names to view and manipulate information.
6. Click the File menu, and then click Save.
7. Close Notepad.

Task 2: Modify the CreateUsersLab.ps1 script to import Adventure Works users from a .csv file
1. Click Start, point to All Programs, click Accessories, and then click Notepad.
2. Click the File menu, and then click Open.
3. Change the Files of Type to All Files.
4. Select D:\Labfiles\CreateUsersLab.ps1, and then click Open.
5. In Section 1, define $db as Mailbox Database 1.
6. In Section 1, define $upndom as adatum.com.
7. In Section 1, define $ou as Adventureworks.
8. In Section 1, define $csvFile as D:\Labfiles\Users.csv.
9. In Section 4, replace all instances of property1 with firstname.
10. In Section 4, replace all instances of property2 with lastname.
11. In Section 4, replace property3 with password.
12. Click the File menu, and then click Save.
13. Close Notepad.

Task 3: Create the AdventureWorks Organizational Unit


1. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
2. In the Console tree, right-click Adatum.com, point to New, and then click Organizational Unit.
3. In the New Object - Organizational Unit dialog box, in the Name box, type AdventureWorks.
4. Click OK.

Task 4: Run CreateUsersLab.ps1 to import the Adventure Works Users


1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. Type D:\Labfiles\CreateUsersLab.ps1 and press ENTER.

Task 5: Set mailbox limits for all Adventure Works users


1. In Exchange Management Shell, run: Get-Mailbox -OrganizationalUnit Adventureworks
2. Run: Get-Mailbox -OrganizationalUnit Adventureworks | Set-Mailbox -IssueWarningQuota 100MB -ProhibitSendQuota 150MB

Results: After this exercise, you should have created all of the additional Adventure Works users with an Exchange Management Shell script and set the storage quota.
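The CreateUsersLab.ps1 script itself is not reproduced in this lab guide. The following is an added example, not the lab's script, of how a script using the variables and CSV header named in Tasks 1 and 2 can be written for the Exchange Management Shell; it also applies the Task 5 quotas. The alias convention, the header check and forcing a password change at first logon are assumptions added here.

```powershell
# Added example, not the lab's CreateUsersLab.ps1: bulk-create the Adventure Works
# mailboxes from a CSV whose header is FirstName,LastName,Password (Task 1), then
# apply the Task 5 quotas. Run in the Exchange Management Shell on VAN-EX1.

# Section 1: settings (the values the lab asks you to define).
$db      = "Mailbox Database 1"
$upndom  = "adatum.com"
$ou      = "Adventureworks"
$csvFile = "D:\Labfiles\Users.csv"

# Check the input before touching the directory: the file must exist and carry
# the header added in Task 1, otherwise Import-Csv would silently treat the first
# user's data row as the column names.
if (-not (Test-Path $csvFile)) { throw "CSV file not found: $csvFile" }
$header = (Get-Content -Path $csvFile -TotalCount 1).Trim()
if ($header -ne "FirstName,LastName,Password") {
    throw "Unexpected header '$header'; expected FirstName,LastName,Password"
}

# Section 2: each CSV row becomes an object with .FirstName, .LastName, .Password.
$users = Import-Csv -Path $csvFile

# Sections 3 and 4: one mailbox per row. The Password column is a plaintext value
# exported by HR, so it is converted to a SecureString at once, never written to
# the console, and the user must change it at first logon (assumption added here;
# the lab steps do not require it).
$created = @()
foreach ($user in $users) {
    $name  = "$($user.FirstName) $($user.LastName)"
    # Alias convention assumed for this example: FirstnameLastname, letters and
    # digits only (the lab script's own convention is not shown in the guide).
    $alias = ($user.FirstName + $user.LastName) -replace '[^A-Za-z0-9]', ''
    $upn   = "$alias@$upndom"

    if (Get-Recipient -Identity $upn -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $upn because a recipient with that name already exists"
        continue
    }

    $secure = ConvertTo-SecureString -String $user.Password -AsPlainText -Force
    $mbx = New-Mailbox -Name $name -Alias $alias -UserPrincipalName $upn `
        -FirstName $user.FirstName -LastName $user.LastName `
        -OrganizationalUnit $ou -Database $db `
        -Password $secure -ResetPasswordOnNextLogon $true
    $created += $mbx
}
Write-Host ("Created {0} mailbox(es) in OU {1}" -f @($created).Count, $ou)

# Task 5: quotas for every mailbox in the OU. The lab's Set-Mailbox command relies
# on the per-mailbox values taking precedence over the database defaults; setting
# UseDatabaseQuotaDefaults to $false explicitly makes that precedence visible.
Get-Mailbox -OrganizationalUnit $ou |
    Set-Mailbox -IssueWarningQuota 100MB -ProhibitSendQuota 150MB `
        -UseDatabaseQuotaDefaults $false

# Verify: show the effective quota per mailbox so any mailbox outside the policy
# stands out.
Get-Mailbox -OrganizationalUnit $ou |
    Format-Table Name, Database, IssueWarningQuota, ProhibitSendQuota, `
        UseDatabaseQuotaDefaults -AutoSize
```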


To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.

Important: If you are using Windows Server 2008 R2 as the host operating system, complete the following steps before starting VAN-CL1.
1. In the Hyper-V Management console, in the Virtual Machines pane, right-click 10135A-VAN-CL1, and click Settings.
2. Click Network Adapter, and select the Enable spoofing of MAC addresses check box. Click OK. This step is required in order for the Windows Mobile Device emulator to communicate on the virtual network.

8. Wait for VAN-EX2 to start, and then start VAN-CL1. Connect to the virtual machine.


Module 4: Managing Client Access

Lab A: Configuring Client Access Servers for Outlook Anywhere Access


Exercise 1: Configuring Client Access Servers
Task 1: Prepare the Windows Server 2008 CA to issue certificates with multiple SANs
1. On VAN-DC1, click Start, in the search box type cmd.exe, and then press ENTER.
2. At the command prompt, type certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2, and then press ENTER.
3. At the command prompt, type net stop certsvc & net start certsvc, and then press ENTER.

Task 2: Configure an external client access domain for VAN-EX2


1. On VAN-EX2, open the Exchange Management Console.
2. Expand Microsoft Exchange On-Premises. In the left pane, expand Server Configuration, and then click Client Access.
3. In the Actions pane, click Configure External Client Access Domain.
4. On the Configure External Client Access Domain page, type mail.Adatum.com as the domain name, and then click Add.
5. In the Select Client Access Server dialog box, click VAN-EX2, and then click OK.
6. Click Configure. In the Microsoft Exchange dialog box, click Yes, and then click Finish.
7. In the results pane, click VAN-EX2, and then in the work pane, double-click owa (Default Web Site).
8. On the General tab, verify that the External URL field has been changed to https://mail.adatum.com/owa, and then click OK.


Task 3: Prepare a Server Certificate request for VAN-EX2


1. In the left pane, click Server Configuration.
2. In the results pane, click VAN-EX2.
3. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard.
4. On the Introduction page, type Adatum Mail Certificate as the friendly name for the certificate, and then click Next.
5. On the Domain Scope page, click Next.
6. On the Exchange Configuration page, expand Client Access server (Outlook Web App), and then select both the Outlook Web App is on the Intranet and Outlook Web App is on the Internet check boxes. Verify that Mail.adatum.com is displayed in the second text box.
7. Expand Client Access server (Exchange ActiveSync), and then verify that the Exchange Active Sync is enabled check box is selected.
8. Expand Client Access server (Web Services, Outlook Anywhere, and Autodiscover). Enter mail.adatum.com as the external host name. Ensure that both the Autodiscover used on the Internet check box and the Long URL option are selected, and then click Next.
9. In the Autodiscover URL to use field, delete all entries except for autodiscover.adatum.com, and then click Next. On the Certificate Domains page, click Next.
10. On the Organization and Location page, enter the following information:
   - Organization: A Datum
   - Organizational Unit: Messaging
   - Country/region: Canada
   - City/locality: Vancouver
   - State/province: BC
11. Click Browse, type CertRequest as the File name, and then click Save.
12. Click Next, click New, and then click Finish.


Task 4: Request the certificate from the CA


1. Click the Folder icon in the task bar, and click Documents.
2. Right-click CertRequest.req, and then click Open.
3. In the Windows dialog box, click Select a program from a list of installed programs, and then click OK.
4. In the Open with dialog box, click Notepad, and then click OK.
5. In the CertRequest.req Notepad window, press Ctrl+A to select all the text, and then press Ctrl+C to copy the text to the clipboard. Close Notepad.
6. Click Start, click All Programs, and then click Internet Explorer.
7. Connect to https://van-dc1.adatum.com/certsrv.
8. Log on as Administrator using a password of Pa$$w0rd.
9. On the Welcome page, click Request a certificate.
10. On the Request a Certificate page, click advanced certificate request.
11. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded CMC or PKCS#7 file.
12. On the Submit a Certificate Request or Renewal Request page, click in the Saved Request field, and then press CTRL+V to paste the certificate request information into the field.
13. In the Certificate Template drop-down list box, click Web Server, and then click Submit. Click Yes.
14. On the Certificate Issued page, click Download certificate.
15. In the File Download dialog box, click Save.
16. In the Save As dialog box, click Save.
17. In the Download complete dialog box, click Open.
18. In the Certificate dialog box, on the Details tab, click Subject Alternative Name. Verify that the certificate includes several Subject Alternative Names (SANs), and then click OK.


Task 5: Import the new certificate and assign the IIS Exchange service to it
1. In the Exchange Management console, click Server Configuration.
2. Click ADatum Mail Certificate, and in the Actions pane, click Complete Pending Request.
3. On the Complete Pending Request page, click Browse.
4. Under Favorites, click Downloads. Click certnew.cer and click Open.
5. Click Complete, and then click Finish.
6. In the Exchange Management console, click Server Configuration.
7. In the results pane, click VAN-EX2.
8. In the bottom pane, click Adatum Mail Certificate.
9. In the Actions pane, click Assign Services to Certificate.
10. On the Select Servers page, verify that VAN-EX2 is listed, and then click Next.
11. On the Select Services page, select the Internet Information Services check box, click Next, click Assign, and then click Finish.
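Tasks 3 and 5 above, as an added Exchange Management Shell example rather than the lab's wizard steps (not part of the lab guide), followed by a check of what is actually bound to IIS. The internal server name van-ex2.adatum.com in the SAN list and the file paths are assumptions, and Test-ExchangeIisCertificate is a helper defined in the example, not an Exchange cmdlet.

```powershell
# Added example (not part of the lab guide): shell equivalents of Tasks 3 and 5,
# run in the Exchange Management Shell on VAN-EX2. Paths are assumptions.

# Task 3: generate the PKCS#10 request. Every name a client connects to must be
# a SAN; a missing one produces the certificate warning that users learn to
# click through. The wizard collects these names from the Exchange configuration.
$names = @("mail.adatum.com", "autodiscover.adatum.com", "van-ex2.adatum.com")
$request = New-ExchangeCertificate -GenerateRequest -Server "VAN-EX2" `
    -FriendlyName "Adatum Mail Certificate" `
    -SubjectName "C=CA,S=BC,L=Vancouver,O=A Datum,OU=Messaging,CN=mail.adatum.com" `
    -DomainName $names -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path "$env:USERPROFILE\Documents\CertRequest.req" -Value $request

# Task 4 is done on the CA web enrollment page; the issued certificate is saved
# as certnew.cer in the Downloads folder.

# Task 5: complete the pending request with the issued certificate, then bind it
# to IIS (Outlook Web App, ECP, EWS, Autodiscover and Outlook Anywhere).
$certFile = "$env:USERPROFILE\Downloads\certnew.cer"
$cert = Import-ExchangeCertificate -Server "VAN-EX2" `
    -FileData ([byte[]](Get-Content -Path $certFile -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server "VAN-EX2" -Thumbprint $cert.Thumbprint -Services IIS

# Check what is actually bound: every expected SAN present, validity period
# current, issuing CA trusted on this server. Returns $true only when all pass.
function Test-ExchangeIisCertificate {
    param([string]$Server = "VAN-EX2", [string[]]$ExpectedNames = $names)
    $iis = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
    if (-not $iis) { Write-Warning "No certificate is bound to IIS on $Server"; return $false }
    $ok = $true
    $domains = @($iis.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    foreach ($n in $ExpectedNames) {
        if ($domains -notcontains $n.ToLower()) { Write-Warning "SAN missing: $n"; $ok = $false }
    }
    $now = Get-Date
    if ($iis.NotBefore -gt $now -or $iis.NotAfter -lt $now) {
        Write-Warning "Certificate is outside its validity period"; $ok = $false
    }
    if ($iis.RootCAType -eq "None") {
        Write-Warning "Issuing CA is not trusted by $Server"; $ok = $false
    }
    return $ok
}
Test-ExchangeIisCertificate
```

The EDITF_ATTRIBUTESUBJECTALTNAME2 flag set in Task 1 applies to every request the CA receives, not only this one, so outside the lab clear it again with certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 followed by the same certsvc restart.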

Task 6: Verify Outlook connectivity to the Exchange Server


1. On VAN-CL1, log on as Molly using the password Pa$$w0rd.
2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2007.
3. On the Outlook 2007 Startup page, click Next.
4. On the E-Mail Accounts page, click Next.
5. On the Auto Account Setup page, click Next.
6. On the Configuring page, click Finish.

Note: If Microsoft Office Outlook cannot connect to the server, ensure that all of the Microsoft Exchange Server services on VAN-EX2 that are set to Automatic start are started. Start all services that have not started, and try connecting again.

7. In the User Name dialog box, click OK.
8. On the Privacy Options page, clear all check boxes, and then click Next.
9. On the Sign up for Microsoft Update page, click I don't want to use Microsoft Update, and then click Finish.
10. In the Microsoft Office Outlook dialog box, click No.
11. In Office Outlook, click Tools, and then click Account Settings.
12. Click MollyDempsey@adatum.com, and then click Change.
13. Verify that the user mailbox is located on VAN-EX2, click Cancel, and then click Close.
14. Close Outlook.


Exercise 2: Configuring Outlook Anywhere


Task 1: Configure a DNS record for Mail.Adatum.com
1. On VAN-DC1, click Start, point to Administrative Tools, and then click DNS.
2. In DNS Manager, in the left pane, expand Forward Lookup Zones, and then expand Adatum.com.
3. Right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host dialog box, in the Name box, type mail. In the IP Address box, type 10.10.0.21, and then click Add Host.
5. Click OK to close the prompt, and then click Done. Close DNS Manager.

Task 2: Configure Outlook Anywhere on VAN-EX2


1. On VAN-EX2, click Start, point to Administrative Tools, and then click Server Manager.
2. Click Features. In the Features list, verify that the RPC over HTTP Proxy feature is listed.
3. On VAN-EX2, if required, open the Exchange Management Console.
4. In the Exchange Management Console, expand Server Configuration, and then click Client Access.
5. Click VAN-EX2, and in the Actions pane, click Enable Outlook Anywhere.
6. On the Enable Outlook Anywhere page, in the External host name field, type Mail.adatum.com. Under Client authentication method, click NTLM authentication, and then click Enable.
7. On the Completion page, click Finish.
8. Close all open windows, and then restart VAN-EX2.

Task 3: Configure the Outlook profile to use Outlook Anywhere


1. On VAN-CL1, ensure that you are logged on as Adatum\Molly.
2. Click Start, and then click Control Panel. In the Search field, type Mail. Right-click Mail, and then click Open.
3. In the Mail Setup - Outlook dialog box, click E-mail Accounts.
4. In the E-mail Accounts dialog box, click MollyDempsey@adatum.com, and then click Change.
5. On the Microsoft Exchange Settings page, click More Settings.
6. In the Microsoft Exchange dialog box, on the Connection tab, select Connect to Microsoft Exchange using HTTP, and then click Exchange Proxy Settings.
7. In the Microsoft Exchange Proxy Settings dialog box, complete the following information:
   - Use this URL (https://): mail.adatum.com
   - Connect using SSL only: enable (default)
   - On fast networks, connect using HTTP first, then connect using TCP/IP: enable
   - On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)
   - Proxy authentication setting: NTLM Authentication (default)
8. Click OK, and then click OK again to close the Microsoft Exchange dialog box.
9. On the Microsoft Exchange Settings page, click Next.
10. On the Change E-mail Account page, click Finish.
11. On the E-mail Accounts page, click Close, and then click Close again to close the Mail Setup - Outlook dialog box.

Task 4: Verify the Outlook Anywhere connectivity


1. Wait until VAN-EX2 finishes restarting, and then log on as Administrator using the password Pa$$w0rd.
2. On VAN-CL1, open Office Outlook 2007.
3. If an Outlook dialog box appears, click No.
4. Verify that the Outlook connection indicator states Connected to Microsoft Exchange.

Note: If Outlook cannot connect to the server, ensure that all of the Exchange Server services on VAN-EX2 that are set to Automatic start are started. Start all services that have not started, and try connecting again.

5. Press and hold CTRL, and then right-click the Office Outlook icon in the Windows 7 notification area. You may need to click the up arrow in the notification area to view the Office Outlook icon.
6. Click Connection Status. Confirm that the Conn column lists HTTPS as the connection method; this shows that Outlook is reaching the server through Outlook Anywhere (RPC over HTTPS) rather than over direct RPC/TCP. Click Close.
7. Press and hold CTRL, and then right-click the Outlook icon in the notification area again.
8. Click Test E-mail AutoConfiguration.
9. In the Password field, type Pa$$w0rd.
10. Clear the Use Guessmart and Secure Guessmart Authentication check boxes.
11. Click Test. View the information displayed on the Results tab.
12. Click the Log tab to view how the client completed Autodiscover.
13. Close the Test E-mail AutoConfiguration dialog box.
14. Close Microsoft Outlook, and then log off VAN-CL1.
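The Exchange Management Shell equivalent of Tasks 1, 2 and 4, as an added example that is not part of the lab manual. It installs the RPC over HTTP Proxy feature if it is missing, enables Outlook Anywhere with NTLM (so the user's password is never sent to the Client Access server in a reversible form) and no SSL offloading (nothing in front of VAN-EX2 terminates TLS), and then verifies the host name, its DNS record and the authentication method. Server names and addresses are the lab's; the check list itself is this example's own.

```powershell
# Added example, not from the 10135A lab manual. Run in the Exchange Management Shell on VAN-EX2.

# 1. The RPC over HTTP Proxy feature must be installed; the wizard in Task 2 only lets you look for it.
Import-Module ServerManager
if (-not (Get-WindowsFeature -Name RPC-over-HTTP-proxy).Installed) {
    Add-WindowsFeature -Name RPC-over-HTTP-proxy | Out-Null
}

# 2. Enable Outlook Anywhere once. -SSLOffloading is mandatory in Exchange 2010; $false means
#    VAN-EX2 itself terminates the HTTPS session.
if (-not (Get-OutlookAnywhere -Server VAN-EX2 -ErrorAction SilentlyContinue)) {
    Enable-OutlookAnywhere -Server VAN-EX2 `
        -ExternalHostname 'mail.adatum.com' `
        -ClientAuthenticationMethod NTLM `
        -SSLOffloading $false
}

# 3. Verify. The external host name must be the one the DNS record (Task 1) and the IIS
#    certificate binding are created for, otherwise clients get certificate warnings or fail.
$oa       = Get-OutlookAnywhere -Server VAN-EX2
$hostName = $oa.ExternalHostname.ToString()
$resolved = [System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString }

$checks = @(
    @{ Name = 'ExternalHostname is mail.adatum.com';  Pass = ($hostName -eq 'mail.adatum.com') },
    @{ Name = 'mail.adatum.com resolves to 10.10.0.21'; Pass = ($resolved -contains '10.10.0.21') },
    @{ Name = 'Client authentication is NTLM';          Pass = ("$($oa.ClientAuthenticationMethod)" -eq 'Ntlm') },
    @{ Name = 'SSL offloading is disabled';             Pass = (-not $oa.SSLOffloading) }
)
foreach ($c in $checks) {
    '{0,-45} {1}' -f $c.Name, $(if ($c.Pass) { 'OK' } else { 'FAIL' })
}
```

If the NTLM check fails after someone has switched the connector to Basic, Outlook Anywhere still works but the client sends the domain password base64-encoded inside the TLS tunnel, so the TLS configuration becomes the only thing protecting the credential.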

To prepare for the next lab


Do not shut down the virtual machines or revert them to their initial state when you finish this lab. The virtual machines are required to complete the last lab in this module.


Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync
Exercise 1: Configuring Outlook Web App
Task 1: Configure IIS to use the Internal CA certificate
1. On VAN-EX2, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand VAN-EX2 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click owa.
3. In the center pane, under IIS, double-click SSL Settings. Notice that SSL is required by default.
4. Under Sites, click Default Web Site, and in the Actions pane, click Bindings.
5. In the Site Bindings dialog box, click https, and then click Edit.
6. In the SSL Certificate drop-down list, verify that Adatum Mail Certificate is selected.
7. Click OK, click Close, and then close the Internet Information Services (IIS) Manager.

Task 2: Configure Outlook Web App settings for all users


1. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the console tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Client Access.
3. In the work pane, select VAN-EX2, and in the result pane, right-click owa (Default Web Site), and then click Properties.
4. Click the Authentication tab, and verify that Use forms-based authentication is selected.
5. Under Logon Format, click User name only, and then click Browse.
6. Click Adatum.com, and then click OK.
7. Click the Segmentation tab, click Tasks, and then click Disable. Click Rules, and then click Disable. Click OK twice.
8. Open the Exchange Management Shell. At the PS prompt, type Set-OwaVirtualDirectory "owa (Default Web Site)" -ForceSaveFileTypes .doc, and then press ENTER.
9. Type Set-OwaVirtualDirectory "owa (Default Web Site)" -GzipLevel Off, and then press ENTER.
10. Type Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter, and then press ENTER. ForceFilter strips web beacons and HTML forms from every message; the default (UserFilterChoice) lets the user unblock them.
11. Type IISReset /noforce, and then press ENTER. If you get a message that the service did not start, open the Services Microsoft Management Console (MMC), and start the World Wide Web Publishing Service.
12. Close the Exchange Management Shell.

Task 3: Configure an Outlook Web App Mailbox Policy for the Branch Managers
1. On VAN-EX2, in Exchange Management Console, expand Organization Configuration, and then click Client Access.
2. In the Actions pane, click New Outlook Web App Mailbox Policy.
3. In the New Outlook Web App Mailbox Policy page, type Branch Managers Policy as the policy name.
4. In the list of features, click Change Password, and then click Disable.
5. Click New, and then click Finish.
6. Right-click Branch Managers Policy, and then click Properties.
7. On the Public Computer File Access tab, clear all check boxes.
8. On the Private Computer File Access tab, clear all check boxes, and then click OK.
9. Under Recipient Configuration, click Mailbox.
10. Click the Organizational Unit column heading to sort the view by organizational unit (OU).
11. Select all the users in the Branch Managers OU, right-click, and then click Properties.
12. On the Mailbox Features tab, click Outlook Web App, and then click Properties.
13. Select the Outlook Web App mailbox policy check box, and then click Browse.
14. Click Branch Managers Policy, and then click OK four times.
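The Exchange Management Shell equivalent of Task 3, as an added example that is not part of the lab manual. It creates the policy, turns off password changes and every file-access option, and assigns it to all mailboxes in the OU rather than to a hand-picked selection, so that a branch manager created later gets the same restrictions. The OU path 'adatum.com/Branch Managers' is an assumption about the lab domain; the policy name and settings are the lab's.

```powershell
# Added example, not from the 10135A lab manual. Run in the Exchange Management Shell.
$policyName = 'Branch Managers Policy'
$ou         = 'adatum.com/Branch Managers'   # assumption: canonical path of the lab OU

if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# Task 3 settings: no password changes from OWA, and neither direct download nor WebReady
# viewing of attachments from public or private computers.
Set-OwaMailboxPolicy -Identity $policyName `
    -ChangePasswordEnabled $false `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $false `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $false `
    -DirectFileAccessOnPrivateComputersEnabled $false `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $false `
    -ForceWebReadyDocumentViewingFirstOnPrivateComputers $false

# Assign by OU membership.
Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Set-CASMailbox -OwaMailboxPolicy $policyName

# Verify: every mailbox in the OU carries the policy. A mailbox policy takes precedence over
# the owa (Default Web Site) segmentation settings from Task 2, which is why a branch manager
# still sees the Tasks folder in Task 4 while other users do not.
$missing = Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Get-CASMailbox |
    Where-Object { "$($_.OwaMailboxPolicy)" -ne $policyName }

if ($missing) {
    Write-Warning "Mailboxes in $ou without the policy:"
    $missing | Format-Table Name, OwaMailboxPolicy -AutoSize
} else {
    "All mailboxes in $ou use '$policyName'."
}
Get-OwaMailboxPolicy -Identity $policyName |
    Format-List ChangePasswordEnabled, DirectFileAccessOn*, WebReadyDocumentViewingOn*
```

Because the policy is applied per mailbox, moving a user out of the OU does not remove it; rerun the assignment with `-OwaMailboxPolicy $null` for users who leave the group.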

Task 4: Verify the Outlook Web App configuration


1. On VAN-EX1, open Internet Explorer.
2. In the address field, type https://mail.Adatum.com/owa, and then press ENTER.
3. Log on to Outlook Web App as Adatum\Sharon using the password Pa$$w0rd. Sharon is not in the Branch Managers OU. Click OK.
4. Verify that the Tasks folder is not displayed in the user mailbox.
5. On the Outlook Web App page, click Options.
6. On the Organize E-Mail tab, verify that you cannot create a new Inbox rule.
7. Close Microsoft Internet Explorer.
8. Open Internet Explorer. In the address field, type https://mail.Adatum.com/owa, and then press ENTER.
9. Log on to Outlook Web App as Adatum\Johnson using the password Pa$$w0rd. Johnson is in the Branch Managers OU. Click OK.
10. Verify that the Tasks folder is listed in the user mailbox. Johnson's Outlook Web App mailbox policy, in which Tasks is still enabled, overrides the segmentation settings you disabled on the virtual directory in Task 2.
11. On the Outlook Web App page, click Options.
12. In the left pane, click Settings. Notice that you do not have an option to change passwords. Close Internet Explorer.


Exercise 2: Configuring Exchange ActiveSync


Task 1: Disable SSL for Exchange ActiveSync
1. On VAN-EX2, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand VAN-EX2 (ADATUM\administrator), expand Sites, expand Default Web Site, and then click Microsoft-Server-ActiveSync.
3. In the center pane, double-click SSL settings.
4. Clear the Require SSL check box, and then click Apply. Close the Internet Information Services (IIS) Manager.

Note: SSL is disabled here only because the emulator does not yet trust the Adatum internal CA; Task 6 installs the CA certificate on the device and turns Require SSL back on. Until then, the Basic authentication credentials that Exchange ActiveSync sends (see Task 2) travel over port 80 in cleartext. Do not leave a production virtual directory in this state.

Task 2: Verify the Exchange ActiveSync virtual directory configuration


1. On VAN-EX2, in the Exchange Management Console, expand Server Configuration, and then click Client Access.
2. In the result pane, click VAN-EX2, and in the work pane, click the Exchange ActiveSync tab.
3. Right-click Microsoft-Server-ActiveSync, and then click Properties.
4. Review the information on the General tab.
5. Click the Authentication tab. Notice that Basic authentication is enabled. This is acceptable only because SSL is normally required on the virtual directory: Basic authentication sends the user name and password base64-encoded, not encrypted, so SSL is what protects the credentials in transit.
6. Click OK.
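An added check, not part of the lab manual, that turns the point made in step 5 into something you can run after Task 1 and again after Task 6: it reads the authentication settings of the ActiveSync, OWA and ECP virtual directories on VAN-EX2 from Exchange and the Require SSL flag from IIS, and flags any directory that accepts Basic authentication without SSL. The server name is the lab's; `Get-IisRequiresSsl` is this example's own helper and assumes the virtual directories live under the IIS Default Web Site.

```powershell
# Added example, not from the 10135A lab manual. Run in the Exchange Management Shell on VAN-EX2.
Import-Module WebAdministration

# True when the IIS sslFlags attribute of the virtual directory contains "Ssl" (Require SSL).
function Get-IisRequiresSsl {
    param([string]$VdirName, [string]$Site = 'Default Web Site')
    $flags = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site\$VdirName" `
        -Filter 'system.webServer/security/access' -Name sslFlags
    # Older IIS snap-ins return a ConfigurationAttribute, newer ones a plain string.
    $text = if ($flags -ne $null -and $flags.Value -ne $null) { "$($flags.Value)" } else { "$flags" }
    return (($text -split ',') | ForEach-Object { $_.Trim() }) -contains 'Ssl'
}

# Basic-auth state of each Client Access virtual directory, read from Exchange.
$vdirs = @(
    @{ Name = 'Microsoft-Server-ActiveSync'; Basic = (Get-ActiveSyncVirtualDirectory -Server VAN-EX2).BasicAuthEnabled },
    @{ Name = 'owa';                         Basic = (Get-OwaVirtualDirectory -Server VAN-EX2).BasicAuthentication },
    @{ Name = 'ecp';                         Basic = (Get-EcpVirtualDirectory -Server VAN-EX2).BasicAuthentication }
)

$findings = foreach ($v in $vdirs) {
    $ssl = Get-IisRequiresSsl -VdirName $v.Name
    New-Object PSObject -Property @{
        VirtualDirectory = $v.Name
        BasicAuth        = [bool]$v.Basic
        RequireSsl       = $ssl
        Risk             = $(if ($v.Basic -and -not $ssl) { 'CREDENTIALS IN CLEARTEXT' } else { 'ok' })
    }
}
$findings | Format-Table VirtualDirectory, BasicAuth, RequireSsl, Risk -AutoSize
```

Between Task 1 and Task 6 of this exercise the Microsoft-Server-ActiveSync row reports CREDENTIALS IN CLEARTEXT; after Task 6 every row should read ok.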

Task 3: Connect to the server using Exchange ActiveSync


1. On VAN-CL1, log on as Adatum\Administrator.
2. Click Start, point to All Programs, click Windows Mobile 6 SDK, click Standalone Emulator Images, and under US English, click WM 6.1.4 Professional.
3. While the emulator is booting, in the WM 6.1.4 Professional window, click File, and then click Configure.
4. On the Network tab, select the Enable NE2000 PCMCIA network adapter and bind to check box, and then click OK.
5. In Windows Mobile 6 Professional, click Start, and then click Settings.
6. Click the Connections tab, and then double-click Network Cards.
7. On the Configure Network Adapters page, under My network card connects to, click The Internet, and then click NE2000 Compatible Ethernet Driver.
8. Click Use specific IP address, and then enter the following settings:
   - IP address: 10.10.0.51
   - Subnet mask: 255.255.0.0
   - Default gateway: 10.10.0.1
9. On the Name Servers tab, type 10.10.0.10 as the Domain Name System (DNS) server address, and then click OK twice. Close the Settings window.
10. In Windows Mobile 6 Professional, click Start, click Programs, and then click ActiveSync.
11. Read the Microsoft ActiveSync information, and then click the set up your device to sync with it link.
12. On the Enter Email Address page, in the Email address box, type ScottMacDonald@adatum.com, and then click Next. The device will attempt to use Autodiscover to configure the user settings.
13. On the User Information page, type Scott in the User Name field, type Pa$$w0rd in the Password field, and Adatum in the Domain field, and then click Next.
14. On the Edit Server Settings page, in the Server Address field, type VAN-EX2.adatum.com. Clear the This server requires an encrypted (SSL) connection check box. In the ActiveSync message, click OK, and then click Next.
15. In the Choose the data you wish to synchronize box, click Calendar, and then click Settings.
16. In the Synchronize only the past list, click All, and in the upper-right corner, click OK.
17. In the Choose the data you wish to synchronize box, click E-mail, and then click Settings.
18. In the Download the past list, click All, and in the upper-right corner, click OK.
19. Confirm that the Contacts, Calendar, E-mail, and Tasks check boxes are selected, and then click Finish.
20. In the ActiveSync dialog box, click OK. After synchronization is complete, click the X in the upper-right corner to close ActiveSync. Close the Programs window.
21. On VAN-CL1, open Internet Explorer, and connect to https://mail.adatum.com/owa.
22. Log on as Adatum\Wei using the password Pa$$w0rd. Click OK.
23. Click New, and then in the To field, type Scott, and then press CTRL+K to resolve the name.
24. In the Subject line, type Test Message from Wei.
25. In the message body, type Testing mobile messaging, and then click Send.
26. On VAN-CL1, in Windows Mobile 6 Professional, wait for a minute, and then notice the animated synchronization arrows indicating that the device is synchronizing automatically, triggered by the arrival of a message in Scott's mailbox. Wait for the Windows Mobile device to complete synchronization.
27. At the bottom of the Today screen, view the notification stating that a new message has arrived. Click View.
28. Open the message. Click Reply at the bottom of the message window.
29. In the message body, type Test Reply, and then click Send.
30. Wait until the device finishes synchronizing, and then, on VAN-CL1, in Outlook Web App, click the Check Messages icon or press F5 to refresh the screen, and then confirm that the message from Scott was received. Close Internet Explorer.


Task 4: Create a new Exchange ActiveSync mailbox policy


1. On VAN-EX2, if required, open the Exchange Management Console.
2. In the console tree, expand Organization Configuration, and then click Client Access.
3. In the Actions pane, click New Exchange ActiveSync Mailbox Policy.
4. In the Mailbox policy name box, type EAS Policy 1.
5. Select the Allow non-provisionable devices check box.
6. Confirm that the Allow attachments to be downloaded to device option is selected.
7. Select the Require password check box.
8. Select the Enable password recovery check box. This will enable users to recover their Windows Mobile password through the Exchange Control Panel (ECP).
9. Click New to create the mobile mailbox policy. Read the completion summary, and then click Finish. Notice the Exchange Management Shell command that was used to create the new mobile mailbox policy.
10. Right-click EAS Policy 1, and then click Properties. Notice that the General tab has additional options.
11. Click the Password tab. Notice the additional password-option list that was not available when creating the mobile mailbox policy.
12. On the Sync Settings tab, review the configuration options.
13. On the Device tab, review the configuration options.
14. On the Device Applications tab, review the configuration options. To implement these settings, you must have an Enterprise Client Access License for each mailbox.
15. On the Other tab, review the options for allowing or blocking specific applications, and then click OK.
16. In the console tree, expand Recipient Configuration, and then click Mailbox.
17. In the result pane, right-click Scott MacDonald, and then click Properties.
18. Click the Mailbox Features tab, click Exchange ActiveSync, and then click Properties.
19. In the Exchange ActiveSync Properties dialog box, click Browse.
20. Select EAS Policy 1, and then click OK.
21. Click OK twice to save and apply the changes.

Task 5: Validate the Exchange ActiveSync mailbox policy


1. On VAN-CL1, wait for ActiveSync to synchronize, or click Menu, and then click Send/Receive.
2. In the Update Required dialog box, click OK.
3. In the Password and Confirm Password fields, type 12345, and then click OK.

Task 6: Install a root CA on the mobile device


1. On VAN-CL1, click Start, click All Programs, and then click Internet Explorer.
2. Connect to http://van-dc1/certsrv.
3. On the Welcome page, click Download a CA certificate, certificate chain, or CRL.
4. On the Download a CA certificate, certificate chain, or CRL page, click Download CA certificate chain.
5. In the File Download dialog box, click Save. In the Save As dialog box, click Save.
6. Close Internet Explorer, and open it again. Connect to https://mail.adatum.com/owa. Log on as adatum\administrator.
7. Create a new message, with Scott as the recipient. Type a subject of Root Certificate.
8. Attach the certnew.p7b file from the Downloads folder, and then send the message. The .p7b file contains only the CA's public certificate chain, so it is safe to send by e-mail.
9. In Windows Mobile 6 Professional, wait for a minute, and then notice the animated synchronization arrows. These indicate that the device is synchronizing automatically, and that the arrival of a message in Scott's mailbox triggered the synchronization. Wait for the Windows Mobile device to complete synchronization.
10. At the bottom of the Today screen, view the notification stating that a new message has arrived. Click View.
11. In the message window, double-click certnew.p7b.
12. In the Certificate Installer dialog box, click OK. From now on the device trusts any server certificate that chains to the Adatum CA, which is what allows the SSL connection in step 20 to succeed.
13. On VAN-EX2, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
14. In Internet Information Services (IIS) Manager, expand VAN-EX2 (ADATUM\administrator), expand Sites, expand Default Web Site, and then click Microsoft-Server-ActiveSync.
15. In the center pane, double-click SSL settings.
16. Select the Require SSL check box, and then click Apply. Close the Internet Information Services (IIS) Manager.
17. On VAN-CL1, in the Windows Mobile 6 Professional emulator, click Menu, click Tools, and then click Options.
18. Click Outlook E-mail, and then select the The server requires an encrypted (SSL) connection check box.
19. Click Next two times, and then click Finish.
20. Click Menu, click Send/Receive, and verify that synchronization is successful. If prompted for the password, type Pa$$w0rd.

Task 7: Wipe the mobile device


1. On VAN-CL1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp.
2. Click Continue to this website (not recommended).
3. Log on as Adatum\Scott using the password Pa$$w0rd.
4. Click Phone. Notice the PocketPC listed in the Device list.
5. On VAN-EX1, in the Exchange Management Console, under Recipient Configuration, click Mailbox.
6. In the result pane, click Scott MacDonald.
7. In the action pane, click Refresh.
8. In the action pane, click Manage Mobile Phone.
9. On the Manage Mobile Phone page, click Perform a remote wipe to clear mobile phone data, and then click Clear.
10. In the Microsoft Exchange warning message, click Yes, and then click Finish.
11. In Windows Mobile 6 Professional, wait for the device to synchronize. You can also force synchronization by opening Exchange ActiveSync, and then clicking Sync. Confirm that the device is wiped. If the device goes blank, it is rebooting after performing the remote wipe. The wipe is queued on the server and carried out only when the device next synchronizes, so a device that never connects again is never wiped.
12. In the Windows Mobile 6.1.4 Professional window, click File, and then click Exit.
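The Exchange Management Shell equivalent of Tasks 4, 5 and 7, as an added example that is not part of the lab manual: create EAS Policy 1 with the lab's settings, assign it to Scott's mailbox, list the device partnerships for that mailbox, and issue a remote wipe for the PocketPC emulator. The policy, user and device type are the lab's; the tightened password settings in the middle of the script go beyond what the lab asks for and are marked as such.

```powershell
# Added example, not from the 10135A lab manual. Run in the Exchange Management Shell.
$policyName = 'EAS Policy 1'
$mailbox    = 'Scott MacDonald'

# Task 4: the four settings chosen in the wizard.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -AllowNonProvisionableDevices $true `
        -AttachmentsEnabled $true `
        -DevicePasswordEnabled $true `
        -PasswordRecoveryEnabled $true | Out-Null
}

# Not in the lab: "Require password" alone accepts the 12345 PIN used in Task 5. These
# settings (the ones the Password tab exposes in step 11) make such a PIN unusable.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock '00:15:00'

# Steps 16-21: assign the policy to the mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Task 7, step 4: every device that has partnered with the mailbox, with its last sync time.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox
$devices | Format-Table DeviceType, DeviceID, LastSuccessSync, DeviceWipeRequestTime -AutoSize

# Task 7, steps 9-11: queue a wipe for the emulator. The request is stored on the server
# and executed at the device's next sync, so check DeviceWipeSentTime/DeviceWipeAckTime later.
$target = $devices | Where-Object { $_.DeviceType -eq 'PocketPC' } | Select-Object -First 1
if ($target) {
    Clear-ActiveSyncDevice -Identity $target.Identity -Confirm:$false
    Get-ActiveSyncDeviceStatistics -Identity $target.Identity |
        Format-List DeviceType, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
} else {
    Write-Warning "No PocketPC partnership found for $mailbox"
}
```

`-Confirm:$false` suppresses the same warning the console shows in step 10; leave it out when running the command by hand against a real user's phone.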

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Microsoft Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.


Module 5: Managing Message Transport

Lab: Managing Message Transport


Exercise 1: Configuring Internet Message Transport
To prepare for this lab
1. On VAN-EX2, click Start, right-click Network, and click Properties.
2. Click Change adapter settings.
3. Right-click Local Area Connection 2, and click Properties.
4. Click Internet Protocol Version 4 (TCP/IPv4), and click Properties.
5. Change the IP address to 10.10.11.21, and then click OK. Click Close.
6. Click the Start button, and then click Restart. In the Comment field, type Lab restart, and then click OK.
7. After the system is restarted, log on to VAN-EX2 as Adatum\Administrator, using the password Pa$$w0rd.

Note: These preparation steps move VAN-EX2 to a second site defined in AD DS.

Task 1: Configure a Send connector to the Internet


1. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.
3. In the Hub Transport pane, click the Send Connectors tab.
4. In the Actions pane, click New Send Connector.
5. In the New Send Connector window, in the Name box, type Internet Send Connector.
6. In the Select the intended use for this Send connector list, click Internet, and then click Next.
7. On the Address space page, click Add.
8. In the Address field, type *, click OK, and then click Next.
9. On the Network settings page, click Route mail through the following smart hosts, click Add, and then click Fully qualified domain name (FQDN).
10. In the Fully qualified domain name (FQDN) box, type van-dc1.adatum.com, click OK, and then click Next.
11. On the Configure smart host authentication settings page, click Next.
12. On the Source Server page, ensure that VAN-EX1 is listed, and then click Next.
13. On the New Connector page, click New, and then click Finish.

Task 2: Configure a Receive connector to accept Internet messages


1. In Exchange Management Console, expand Server Configuration, click Hub Transport, and then in the Hub Transport pane, click VAN-EX1.
2. In the Actions pane, click New Receive Connector.
3. In the New Receive Connector window, in the Name box, type Internet Receive Connector.
4. In the Select the intended use for this Receive connector list, click Custom, and then click Next.
5. On the Local Network Settings page, click Next.
6. On the Remote Network Settings page, click the red X to delete the entry, and then click Add.
7. In the Address or address range box, type 10.10.0.10, click OK, and then click Next.
8. On the New Connector page, click New, and then click Finish.
9. In the VAN-EX1 pane, double-click Internet Receive Connector.
10. In the Internet Receive Connector window, on the General tab, in the Protocol logging level list, click Verbose.
11. On the Permission Groups tab, select the Anonymous users check box, and then click OK. The Anonymous users group lets an unauthenticated host submit mail to recipients in the accepted domains; it does not grant the right to relay to other domains. Because both this connector and the default connector listen on port 25, the connector with the most specific remote IP range (this one, for 10.10.0.10) handles connections from VAN-DC1.
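The Exchange Management Shell equivalent of Tasks 1 and 2, as an added example that is not part of the lab manual, followed by a check of what the Anonymous users permission group actually grants on the new connector. Connector names, the address space and the IP addresses are the lab's; the binding 0.0.0.0:25 matches the wizard's default on the Local Network Settings page.

```powershell
# Added example, not from the 10135A lab manual. Run in the Exchange Management Shell on VAN-EX1.

# Task 1: every outbound Internet message (*) from VAN-EX1 is handed to the smart host VAN-DC1.
# DNS routing must be switched off explicitly when a smart host is given.
if (-not (Get-SendConnector -Identity 'Internet Send Connector' -ErrorAction SilentlyContinue)) {
    New-SendConnector -Name 'Internet Send Connector' -Usage Internet `
        -AddressSpaces '*' `
        -DNSRoutingEnabled $false `
        -SmartHosts 'van-dc1.adatum.com' `
        -SourceTransportServers 'VAN-EX1' | Out-Null
}

# Task 2: a custom connector on port 25 that accepts connections only from 10.10.0.10 and
# allows anonymous submission. -Bindings and -RemoteIPRanges are mandatory for -Usage Custom.
$rc = 'VAN-EX1\Internet Receive Connector'
if (-not (Get-ReceiveConnector -Identity $rc -ErrorAction SilentlyContinue)) {
    New-ReceiveConnector -Name 'Internet Receive Connector' -Server VAN-EX1 -Usage Custom `
        -Bindings '0.0.0.0:25' `
        -RemoteIPRanges '10.10.0.10' | Out-Null
}
Set-ReceiveConnector -Identity $rc -PermissionGroups AnonymousUsers -ProtocolLoggingLevel Verbose

# Check: AnonymousUsers grants ms-Exch-SMTP-Submit and ms-Exch-SMTP-Accept-Any-Sender,
# but not ms-Exch-SMTP-Accept-Any-Recipient. If that last right is ever added to
# ANONYMOUS LOGON by hand, the connector becomes an open relay for 10.10.0.10.
$rights = Get-ADPermission -Identity $rc |
    Where-Object { $_.User -like '*ANONYMOUS LOGON*' -and -not $_.Deny } |
    ForEach-Object { $_.ExtendedRights } |
    ForEach-Object { $_.ToString() } |
    Sort-Object -Unique
$rights

if ($rights -contains 'ms-Exch-SMTP-Accept-Any-Recipient') {
    Write-Warning "$rc relays for anonymous senders."
} else {
    "$rc accepts anonymous mail for accepted domains only (no relay)."
}
```

Keep `-ProtocolLoggingLevel Verbose` while you work through Task 4; the SMTP protocol log under the TransportRoles\Logs\ProtocolLog\SmtpReceive folder then records every command in the telnet session, including the 250 and 550 replies.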


Task 3: Enable anti-spam functionality on the Hub Transport server


1. In Exchange Management Console, expand Server Configuration, click Hub Transport, and then click VAN-EX1 in the Hub Transport pane.
2. In the VAN-EX1 pane, verify that only the Receive Connectors tab is available.
3. Click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.
4. At the PS prompt, type cd "C:\Program Files\Microsoft\Exchange Server\V14\Scripts", and then press ENTER. The quotation marks are required because the path contains spaces.
5. At the PS prompt, type .\install-AntispamAgents.ps1, and then press ENTER.
6. Type Restart-Service MSExchangeTransport, and then press ENTER. Wait for the Transport service to finish restarting.
7. In Exchange Management Console, expand Server Configuration, click Hub Transport, click Refresh in the Hub Transport Actions pane, and then click VAN-EX1 in the Hub Transport pane.
8. In the content pane, click the Anti-Spam tab.
9. Expand Organization Configuration, click Hub Transport, and then click the Anti-spam tab.

Task 4: Verify that Internet message delivery works


1. On VAN-EX1, start Microsoft Internet Explorer, and connect to https://VAN-EX1.Adatum.com/OWA.
2. Log on as Adatum\Wei with the password Pa$$w0rd.
3. On the Microsoft Outlook Web App page, click OK.
4. Create and send a new e-mail to Info@Internet.com with the subject Test Mail to Internet.
5. Close Internet Explorer.
6. Switch to Exchange Management Console. In the left pane, expand Microsoft Exchange On-Premises, and then click Toolbox.
7. In the Toolbox pane, double-click Queue Viewer.
8. On the Queues tab, verify that the VAN-DC1.adatum.com queue has a Message Count of 0.

Note: If the VAN-DC1.adatum.com message queue is not empty, verify that the Simple Mail Transfer Protocol (SMTP) service is running on VAN-DC1.

9. On VAN-DC1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.
10. At the command prompt, type telnet van-ex1 smtp, and then press ENTER.
11. Type helo, and press ENTER.
12. Type mail from:info@internet.com, and press ENTER. Response: 250 2.1.0 Sender OK
13. Type rcpt to:WeiYu@adatum.com, and press ENTER. Response: 250 2.1.5 Recipient OK
14. Type data, and press ENTER. Response: 354 Start mail input; end with <CRLF>.<CRLF>
15. Type Subject: Test from Internet, and press ENTER.
16. Press the PERIOD key, and then press ENTER.
17. Type quit, and press ENTER.
18. On VAN-EX1, start Internet Explorer, and connect to https://VAN-EX1.adatum.com/OWA.
19. Log on as Adatum\Wei with the password Pa$$w0rd.
20. Verify that the mail with the subject Test from Internet has arrived in the Junk E-Mail folder. It was accepted anonymously on the Internet Receive Connector and processed by the anti-spam agents you installed in Task 3, which is why it was filed as junk rather than delivered to the Inbox. Close Internet Explorer.
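A scripted version of the telnet session in steps 10 to 17, as an added example that is not part of the lab manual. It talks SMTP to VAN-EX1 on port 25, submits one message from info@internet.com to WeiYu@adatum.com, and also tries a recipient in a domain the organization is not authoritative for, which a correctly configured connector must refuse with a 5xx reply. Run it from VAN-DC1 (10.10.0.10), the only address the Internet Receive Connector accepts. The host, sender and recipient are the lab's; `Invoke-SmtpProbe` and the relay test address someone@example.net are this example's own.

```powershell
# Added example, not from the 10135A lab manual. Run from VAN-DC1 in Windows PowerShell.
function Invoke-SmtpProbe {
    param(
        [string]$Server    = 'van-ex1.adatum.com',
        [int]   $Port      = 25,
        [string]$From      = 'info@internet.com',
        [string]$LocalRcpt = 'WeiYu@adatum.com',
        [string]$RelayRcpt = 'someone@example.net'   # assumption: not an accepted domain
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # Read one reply, following "250-" continuation lines, and return the 3-digit code.
    function Read-Reply {
        do { $line = $reader.ReadLine(); Write-Host "S: $line" } while ($line -match '^\d{3}-')
        return [int]$line.Substring(0, 3)
    }
    function Send-Command([string]$cmd) {
        Write-Host "C: $cmd"
        $writer.WriteLine($cmd)
        return Read-Reply
    }

    $result = @{}
    [void](Read-Reply)                                   # 220 banner
    $result.Ehlo  = Send-Command 'EHLO probe.internet.com'
    $result.From  = Send-Command "MAIL FROM:<$From>"     # 250 2.1.0 Sender OK
    $result.Rcpt  = Send-Command "RCPT TO:<$LocalRcpt>"  # 250 2.1.5 Recipient OK
    $result.Relay = Send-Command "RCPT TO:<$RelayRcpt>"  # expected: 550 5.7.1 Unable to relay
    $result.Data  = Send-Command 'DATA'                  # 354
    $writer.WriteLine("Subject: Test from Internet")
    $writer.WriteLine("From: $From")
    $writer.WriteLine("To: $LocalRcpt")
    $writer.WriteLine("")
    $writer.WriteLine("Sent by Invoke-SmtpProbe.")
    $result.Accepted = Send-Command '.'                  # 250 ... Queued mail for delivery
    [void](Send-Command 'QUIT')
    $client.Close()

    $result.Verdict = if ($result.Accepted -eq 250 -and $result.Relay -ge 500) {
        'OK: local delivery accepted, relay refused'
    } elseif ($result.Relay -lt 300) {
        'FAIL: connector relays for anonymous senders'
    } else {
        'FAIL: local delivery was not accepted'
    }
    return $result
}

Invoke-SmtpProbe
```

The Verdict line is the one to act on: a 250 on the second RCPT TO means the connector will forward mail for arbitrary domains on behalf of anonymous hosts, which no Internet-facing Receive connector should do.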

Results: After this exercise, you should have configured Internet message transport by configuring Send and Receive connectors, enabling anti-spam functionality, and verifying Internet message delivery.


Exercise 2: Troubleshooting Message Transport


Task 1: Check the routing log, and verify that mail delivery works correctly
1. On VAN-EX1, in Exchange Management Console, click Toolbox.
2. In the Toolbox pane, under Mail flow tools, double-click Routing Log Viewer.
3. In the Routing Log Viewer window, select the File menu, and then click Open log file.
4. In the Open Routing Table Log File dialog box, click Browse server files.
5. In the Open dialog box, select the latest RoutingConfig#... file, and then click Open.
6. On the Active Directory Sites & Routing Groups tab, expand the Active Directory sites until you see the Exchange servers in their respective sites.
7. Start Internet Explorer, and connect to https://VAN-EX1.adatum.com/OWA.
8. Log on as Adatum\Wei with the password Pa$$w0rd.
9. Create and send a new e-mail to Anna, with the subject Test Mail to VAN-EX2.
10. On VAN-EX2, start Internet Explorer, and connect to https://VAN-EX2.adatum.com/OWA.
11. Log on as Adatum\Anna with the password Pa$$w0rd.
12. On the Microsoft Outlook Web App page, click OK.
13. Reply to the mail Test Mail to VAN-EX2 from Wei.
14. Switch back to VAN-EX1, and check the Inbox in Microsoft Outlook Web App to see if the mail has arrived.


Task 2: Troubleshoot message transport


1. On VAN-EX1, in Exchange Management Shell, type d:\labfiles\Lab05Prep1.ps1, and then press ENTER.
2. On VAN-EX1, in Internet Explorer, create and send a new e-mail to Anna with the subject Another Test Mail to VAN-EX2. Close Internet Explorer.
3. Switch to VAN-EX2, and in Outlook Web App, check the Inbox to see if the mail has arrived.
4. Switch to VAN-EX1, and in Exchange Management Console, click Toolbox.
5. In the Toolbox pane, under Mail flow tools, double-click Queue Viewer.
6. On the Queues tab, double-click site2 to open the queue.
7. Verify that the message that Wei sent to Anna is listed in the queue. Then click the Queues tab.
8. On the Queues tab, click site2, and scroll to the right to view the Last Error column.
9. Read the Last Error message of that queue.
10. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
11. At the command prompt, type telnet van-ex2 smtp, and press ENTER. Verify that you receive a Connect failed error.
12. On VAN-EX2, open the Exchange Management Console. Expand Microsoft Exchange On-Premises, expand Server Configuration, click Hub Transport, and then click VAN-EX2 in the Hub Transport pane.
13. On the Receive Connectors tab, notice that only the Client VAN-EX2 connector exists. That connector listens on TCP port 587, so nothing on VAN-EX2 accepts a port 25 connection and the Hub Transport server in the other site cannot deliver to it.
14. In the Actions pane, click New Receive Connector.
15. In the New Receive Connector window, in the Name box, type Internal VAN-EX2.
16. In the Select the intended use for this Receive connector list, click Internal, and then click Next.
17. On the Remote Network settings page, click Next.
18. On the New Connector page, click New, and then click Finish.
19. Switch to VAN-EX1, and in Exchange Management Console, click Toolbox.
20. In the Toolbox pane, under Mail flow tools, double-click Queue Viewer.
21. Right-click site2, and then click Retry to force an immediate retry of the message delivery. Verify that the queue now has a message count of 0.
22. Switch to VAN-EX2, and check Anna's Inbox in Outlook Web App to see that the message is now delivered.
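The shell side of Task 2, as an added example that is not part of the lab manual: list the queues on VAN-EX1 that hold messages together with their last error, probe TCP port 25 on the next hop, create the missing Internal receive connector on VAN-EX2 if nothing there is bound to port 25, and retry the queues. Server names are the lab's; `Get-StuckQueues` and `Test-Port25` are this example's own helpers, and the next hop is hard-coded to VAN-EX2 because that is the server the lab script breaks.

```powershell
# Added example, not from the 10135A lab manual. Run in the Exchange Management Shell on VAN-EX1.

# Queues with undelivered messages and the reason transport gives for the last failure.
function Get-StuckQueues {
    param([string]$Server = 'VAN-EX1')
    Get-Queue -Server $Server |
        Where-Object { $_.MessageCount -gt 0 -and $_.DeliveryType -ne 'ShadowRedundancy' } |
        Select-Object Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError
}

# TCP connect test with a timeout; the same thing "telnet van-ex2 smtp" does in step 11.
function Test-Port25 {
    param([string]$ComputerName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($ComputerName, 25, $null, $null)
    $ok     = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
    if ($ok) { try { $client.EndConnect($async) } catch { $ok = $false } }
    $client.Close()
    return $ok
}

$stuck = Get-StuckQueues
$stuck | Format-Table -AutoSize

$hop = 'van-ex2.adatum.com'
if (-not (Test-Port25 -ComputerName $hop)) {
    Write-Warning "$hop refuses TCP 25."
    # A connection refused from a Hub Transport server usually means no Receive connector
    # is bound to port 25 (the default Client connector listens on 587 only).
    Get-ReceiveConnector -Server VAN-EX2 | Format-Table Name, Bindings, RemoteIPRanges -AutoSize
    $bound = Get-ReceiveConnector -Server VAN-EX2 |
        Where-Object { ($_.Bindings | ForEach-Object { $_.Port }) -contains 25 }
    if (-not $bound) {
        # Steps 14-18: Usage Internal sets Exchange Server authentication, so other Hub
        # Transport servers can deliver but anonymous hosts cannot submit mail.
        New-ReceiveConnector -Name 'Internal VAN-EX2' -Server VAN-EX2 -Usage Internal `
            -Bindings '0.0.0.0:25' -RemoteIPRanges '0.0.0.0-255.255.255.255' | Out-Null
    }
}

# Step 21: retry instead of waiting for the next scheduled attempt, then re-check.
foreach ($q in $stuck) { Retry-Queue -Identity $q.Identity }
Start-Sleep -Seconds 15
$after = Get-StuckQueues
if ($after) { $after | Format-Table -AutoSize } else { 'All queues on VAN-EX1 are empty.' }
```

If the queue is still not empty after the retry, read LastError again: a 451 4.4.0 DNS query failed points at name resolution for the next hop rather than at the connector.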

Results: After this exercise, you should have verified routing logs, and used the other troubleshooting tools in Exchange Server to troubleshoot message transport.


Exercise 3: Troubleshooting Internet Message Delivery


Task 1: Send a message to the Internet, and track it
On VAN-EX2, open Outlook Web App, and from Anna's mailbox, create and send a new e-mail to Info@Internet.com with the subject Test Mail to Internet from VAN-EX2.

Task 2: Implement user-based message tracking to verify mail delivery


1. On VAN-EX2, in Outlook Web App, click Options to open the Exchange Control Panel.
2. In the left pane, click Organize E-Mail, and then click the Delivery Reports tab.
3. Click Search.
4. In the Search Results pane, select the message you sent to Info@Internet.com, and click Details.
5. Verify that the message was sent to a server outside the organization. Close Internet Explorer.
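The same delivery report that Task 2 reads in the Exchange Control Panel, pulled from the Exchange Management Shell so that it can be scripted, followed by the raw message tracking log events it is built from. This is an added example, not part of the lab manual. The subject and the sender's display name are the lab's; Anna's SMTP address (AnnaLidman@adatum.com) is an assumption based on the address format the lab uses for other users.

```powershell
# Added example, not from the 10135A lab manual. Run in the Exchange Management Shell on VAN-EX1.
$subject = 'Test Mail to Internet from VAN-EX2'
$sender  = 'AnnaLidman@adatum.com'   # assumption: follows the lab's FirstnameLastname@adatum.com pattern

# Task 2 equivalent: the delivery report. Search-MessageTrackingReport finds the report
# for a message Anna sent; Get-MessageTrackingReport expands it into per-recipient status.
$report = Search-MessageTrackingReport -Identity 'Anna Lidman' -Subject $subject -BypassDelegateChecking |
    Select-Object -First 1
if ($report) {
    Get-MessageTrackingReport -Identity $report.MessageTrackingReportId `
        -BypassDelegateChecking -DetailLevel Verbose |
        Select-Object -ExpandProperty RecipientTrackingEvents |
        Format-List RecipientAddress, Status, EventDescription, Date
} else {
    Write-Warning "No tracking report found for '$subject'."
}

# The events behind the report, from both Hub Transport servers the message crossed.
# A message that left the organization ends with a SEND event on VAN-EX1 whose ConnectorId
# is the Internet Send Connector and whose ServerHostname is the smart host (van-dc1).
# A message that is stuck shows RECEIVE/TRANSFER events but no SEND.
'VAN-EX2', 'VAN-EX1' | ForEach-Object {
    Get-MessageTrackingLog -Server $_ -Sender $sender -MessageSubject $subject -ResultSize Unlimited
} |
    Sort-Object Timestamp |
    Format-Table Timestamp, EventId, Source, ServerHostname, ConnectorId, Recipients -AutoSize
```

`-BypassDelegateChecking` is what lets an administrator read another user's report; without it the cmdlets only return reports for the mailbox you are logged on as.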

Task 3: Troubleshoot Internet message delivery


1. On VAN-EX1, in Exchange Management Shell, type d:\labfiles\Lab05Prep2.ps1, and then press ENTER.
2. On VAN-EX2, start Internet Explorer, and connect to https://VAN-EX2.adatum.com/owa.
3. Log on as Adatum\Anna with the password Pa$$w0rd.
4. Create and send a new e-mail to Info@Internet.com with the subject Another Mail to Internet from VAN-EX2.
5. On VAN-EX1, in Exchange Management Console, click Toolbox.
6. In the Toolbox pane, under Mail flow tools, double-click Message Tracking. An Internet Explorer window opens with Outlook Web App running.
7. Log on as adatum\administrator with the password Pa$$w0rd. If the Choose the language you want to use page appears, click OK.
8. In the Select what to manage drop-down list, click My Organization.
9. Click Reporting. On the Delivery Reports tab, in the Mailbox to search field, click Browse, select Anna Lidman in the Select Mailboxes to Search window, and then click OK.
10. Click Search.
11. In the Search Results window, select the message with the subject Another Mail to Internet from VAN-EX2, and then click Details.
12. In the middle pane of the Delivery Report window, notice that the Status of the message is Pending.
13. Review the Delivery Report pane as it lists every route the message has taken in the Exchange organization. At the end of the list, you will see the reason why the message is pending.
14. Click Close in the Delivery Report pane.
15. In Exchange Management Console, click Toolbox.
16. In the Toolbox pane, under Mail flow tools, double-click Mail Flow Troubleshooter.
17. On the Updates and Customer Feedback page, click Do not check for updates on startup and I don't want to join the program at this time. Click Go to Welcome Screen.
18. On the Exchange Mail Flow Troubleshooter page, in the Enter an identifying label for this analysis text box, type Internet Message Delivery Failure.
19. Under What symptoms are you seeing?, click Messages are backing up in one or more queues on a server. Click Next.
20. On the Enter Server and User Information page, enter the following information, and then click Next:
    - Exchange Server Name: VAN-EX1
    - Global Catalog Server Name: VAN-DC1
21. On the Basic Server Information page, review the information, and then click Next.
22. On the Initial Queue Analysis Results page, click the displayed item, review the information, and then click Next.
23. On the Remote Delivery Queue(s) Initial Analysis Results page, review the information, scroll down, and then click Next.
24. On the DNS Availability Check Results page, review the information, and then click Next.
25. On the DNS Record Analysis Results page, review the information, and then click Next.
26. On the Remote Delivery Queue(s) DNS Records Analysis Results page, notice that the wizard has identified a possible root cause, and then click Next.
27. On the Remote Delivery Queue(s) Connectivity Test Results page, review the information, and then click Next.
28. On the Remote Delivery SMTP Instance Configuration Analysis Results page, click Next.
29. On the Remote SMTP Service Diagnosis Results page, click Next.
30. On the Remote Delivery Queue(s) Message Tracking Log Analysis Results page, click Next.
31. On the Remote Delivery Queue(s) SMTP Commands Analysis Results page, click Next.
32. On the Third-Party Application Analysis Results page, click Next.
33. On the View results page, click the Root Causes tab, review the displayed information, and then close the Troubleshooting Assistant.
34. Switch to VAN-DC1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.
35. At the command prompt, type nslookup, and then press ENTER.
36. Type set querytype=MX, and press ENTER.
37. Type internet.com, and press ENTER. The query will time out, which indicates that the domain name cannot be resolved. This means that the host cannot resolve the Domain Name System (DNS) domain directly and has to use a smart host to send a message to the Internet.
38. On VAN-EX1, in Exchange Management Console, expand Organization Configuration, and then click Hub Transport.
39. On the Send Connectors tab, double-click Internet Send Connector.
40. Click the Network tab, select Route mail through the following smart hosts, and then click Add.

Module 5: Managing Message Transport

L5-63

MCT USE ONLY. STUDENT USE PROHIBITED

41. In the Add smart host dialog box, in the Fully qualified domain name (FQDN) box, type van-dc1.adatum.com, click OK, and then click OK again. 42. In Exchange Management Console, click Toolbox. 43. In the Toolbox pane, under Mail flow tools, double-click Queue Viewer. 45. Right-click internet.com, and then click Retry to force message delivery retry.
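The same diagnosis and fix can be done from the Exchange Management Shell on VAN-EX1. The script below is an added example and not part of the course lab; it uses Exchange Server 2010 cmdlets and assumes two things the steps above do not state: that Anna's primary SMTP address is anna@adatum.com, and that the connector edited in step 39 is named Internet Send Connector.

```powershell
# Added example (not from the lab): Internet delivery failure diagnosed and fixed from
# the Exchange Management Shell on VAN-EX1. Assumed: anna@adatum.com is Anna's SMTP
# address; "Internet Send Connector" is the connector edited in step 39.

$subject = 'Another Mail to Internet from VAN-EX2'

# 1. Follow the message through the tracking logs of both Hub Transport servers.
#    RECEIVE/TRANSFER events show it moving from VAN-EX2 to VAN-EX1; a message that
#    never gets a SEND event to a remote MTA is still sitting in a delivery queue.
foreach ($server in 'VAN-EX2', 'VAN-EX1') {
    Get-MessageTrackingLog -Server $server -Sender 'anna@adatum.com' `
        -MessageSubject $subject -Start (Get-Date).AddHours(-1) |
        Select-Object Timestamp, EventId, ServerHostname, Recipients, RecipientStatus |
        Format-Table -AutoSize
}

# 2. Find the queue that holds it. LastError is the transport service's own diagnosis
#    (in this lab, a DNS failure for the next-hop domain internet.com).
Get-Queue -Server VAN-EX1 -Filter { MessageCount -gt 0 } |
    Format-List Identity, DeliveryType, Status, NextHopDomain, MessageCount, LastError

# 3. Reproduce the DNS failure the way steps 35-37 do, naming VAN-DC1 explicitly so the
#    output shows which resolver was asked.
nslookup -type=MX internet.com van-dc1.adatum.com

# 4. Fix: hand Internet mail to a smart host. DNS routing and smart-host routing are
#    mutually exclusive on a Send connector, so both parameters are changed together.
Set-SendConnector -Identity 'Internet Send Connector' `
    -SmartHosts 'van-dc1.adatum.com' -DNSRoutingEnabled $false

# 5. Do not wait for the retry interval: force the internet.com queue (step 45) and
#    confirm it drains. An empty queue, or no queue at all, means delivery succeeded.
Retry-Queue -Server VAN-EX1 -Filter { NextHopDomain -eq 'internet.com' }
Start-Sleep -Seconds 30
Get-Queue -Server VAN-EX1 -Filter { NextHopDomain -eq 'internet.com' } |
    Format-List Status, MessageCount, LastError
```

In production the smart host should not be an anonymous relay: every Internet-bound message now leaves through it, so set -SmartHostAuthMechanism on the connector (BasicAuthRequireTLS or ExternalAuthoritative, depending on what the relay supports) and confirm that the relay is the one your perimeter design actually trusts.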

Results: After this exercise, you should have identified and resolved issues in Internet message delivery by using the Exchange Server troubleshooting tools such as Message Tracking and Mail Flow Troubleshooter.

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.


Module 6: Implementing Messaging Security

Lab A: Configuring Edge Transport Servers and Forefront Protection 2010


Exercise 1: Configuring Edge Transport Servers
Task 1: Install the Edge Transport Server role
1. On VAN-SVR1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type d:\Setup /mode:install /role:EdgeTransport, and then press ENTER. Wait for the installation to finish. The installation will take approximately eight to 10 minutes.
3. At the command prompt, type Exit, and then press ENTER.
4. Restart VAN-SVR1 and log on as Administrator, using the password Pa$$w0rd.
5. Click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
6. In the Microsoft Exchange window, click OK.
7. In Exchange Management Console, in the left pane, click Edge Transport.

Task 2: Configure Edge Synchronization


1. On VAN-SVR1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. In Exchange Management Shell, at the command prompt, type New-EdgeSubscription -FileName c:\VAN-SVR1.xml, and then press ENTER. In the Confirm text box, enter Y, and then press ENTER.
3. Click Start, and in the search box, type \\van-ex1\c$, and then press ENTER.
4. Copy c:\VAN-SVR1.xml to \\VAN-EX1\c$. Remember that in a real-world deployment the Edge Transport server sits in the perimeter network and the firewall must not allow it to open SMB connections to the Hub Transport server, so being able to copy the Edge Subscription file directly like this would itself be a security violation. Normally you would move the file on a universal serial bus (USB) device or by other out-of-band means.
5. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
6. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.
7. In the Hub Transport pane, click the Edge Subscriptions tab.
8. In the Actions pane, click New Edge Subscription.
9. In the New Edge Subscription window, beside Active Directory Site, click Browse. Select Default-First-Site-Name as the Active Directory Domain Services site, and then click OK.
10. Beside Subscription file, click Browse. Browse to C:\, click VAN-SVR1.XML, click Open, and then click New.
11. On the Completion page, click Finish.

Task 3: Verify that EdgeSync is working and that Active Directory Lightweight Directory Services contains data
1. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. In Exchange Management Shell, at the command prompt, type Start-EdgeSynchronization, and then press ENTER.
3. At the command prompt, type Test-EdgeSynchronization, and then press ENTER.
4. Ensure that the result displayed includes SyncStatus: Normal; otherwise wait another minute and run Test-EdgeSynchronization again.
5. At the command prompt, type Get-User -Identity Wei | ft Name, GUID, and then press ENTER.
6. Write down the first eight characters of the globally unique identifier (GUID) in your notes.
7. Switch to VAN-SVR1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.
8. At the command prompt, type LDP, and then press ENTER.
9. In the LDP window, click Connection on the menu bar, and then click Connect.
10. In the Connect window, type VAN-SVR1 in the Server box, type 50389 in the Port box, and then click OK.
11. Click Connection on the menu bar, and then click Bind.
12. In the Bind window, in the Bind type pane, click Bind as currently logged on user, and then click OK.
13. Click View on the menu bar, and then click Tree.
14. In the Tree View dialog box, clear any entry in the BaseDN field, and then click OK.
15. In the LDP window, in the left pane, double-click OU=MSExchangeGateway to expand it.
16. Double-click CN=Recipients,OU=MSExchangeGateway.
17. Using the GUID you noted in step 6, locate the recipient; its entry starts with CN=<GUID>. After you find it, double-click the recipient GUID, and review the data that is available for this recipient. Close LDP.
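Tasks 2 and 3 can also be completed entirely from the shell, which is how they are normally scripted. The following is an added example, not part of the lab; it assumes the lab's names (Edge Transport VAN-SVR1, Hub Transport VAN-EX1, site Default-First-Site-Name) and that wei@adatum.com is Wei's primary SMTP address. The AD LDS query at the end does in System.DirectoryServices what steps 8 to 17 do in LDP.

```powershell
# Added example (not from the lab): Edge subscription, EdgeSync verification and a
# direct read of the replicated recipient from AD LDS. Assumed: Edge Transport =
# VAN-SVR1, Hub Transport = VAN-EX1, site = Default-First-Site-Name, and
# wei@adatum.com is Wei's primary SMTP address.

# ---------- On VAN-SVR1 (Edge Transport), Exchange Management Shell ----------
New-EdgeSubscription -FileName 'C:\VAN-SVR1.xml'
# The XML carries the credentials the Hub Transport server uses to bootstrap EdgeSync,
# so it is accepted for only 1440 minutes (24 hours) and should travel on removable
# media. The perimeter firewall should allow only SMTP (25) and secure LDAP (50636)
# from the internal network to the Edge server, and nothing from the Edge server inward.

# ---------- On VAN-EX1 (Hub Transport), after the file has been transferred ----------
$file  = 'C:\VAN-SVR1.xml'
$bytes = [byte[]](Get-Content -Path $file -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $bytes -Site 'Default-First-Site-Name' `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true
Remove-Item -Path $file        # nothing needs the bootstrap credentials any more

Start-EdgeSynchronization
# Poll instead of re-running Test-EdgeSynchronization by hand (Task 3, step 4)
do {
    Start-Sleep -Seconds 15
    $status = @(Test-EdgeSynchronization)
    $status | Format-Table Name, SyncStatus, LastSynchronizedUtc -AutoSize
} until (@($status | Where-Object { $_.SyncStatus -ne 'Normal' }).Count -eq 0)

# Check one recipient end to end, then print the value LDP is used for in steps 5-17
Test-EdgeSynchronization -VerifyRecipient 'wei@adatum.com'
$guidPrefix = (Get-User -Identity Wei).Guid.ToString().Substring(0, 8)
"Recipient object in AD LDS starts with CN=$guidPrefix"

# ---------- On VAN-SVR1 (Edge Transport), Windows PowerShell ----------
# Same query LDP runs in steps 8-17: plain LDAP on 50389 (EdgeSync itself replicates
# over secure LDAP on 50636), bound as the logged-on administrator. The prefix has to
# be typed over from the Hub side; the Edge server is not domain-joined and cannot
# look it up itself.
$guidPrefix = 'xxxxxxxx'       # placeholder: the eight characters printed on VAN-EX1
$base = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
    -ArgumentList 'LDAP://VAN-SVR1:50389/CN=Recipients,OU=MSExchangeGateway'
$searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher `
    -ArgumentList $base, "(cn=$guidPrefix*)"
foreach ($entry in $searcher.FindAll()) {
    $entry.Path
    foreach ($name in $entry.Properties.PropertyNames) {
        '{0,-40} {1}' -f $name, ($entry.Properties[$name] -join '; ')
    }
}
```

Get-EdgeSubscription on the Hub Transport server lists the subscription once it is imported. Note what the AD LDS entry does and does not contain: EdgeSync replicates only the recipient data the Edge server needs for recipient lookup and safe-list aggregation, not the user's password or mailbox, which is why a compromise of the perimeter server exposes far less than a compromise of a domain-joined Hub Transport server.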

Task 4: Verify that Internet message delivery works


1. On VAN-EX1, in Exchange Management Console, expand Organization Configuration, and then click Hub Transport.
2. Click the Send Connectors tab.
3. Double-click EdgeSync - Default-First-Site-Name to Internet.
4. Click the Network tab, click Route mail through the following smart hosts, and then click Add.
5. In the IP address field, type 10.10.0.10, and then click OK twice.
6. In Exchange Management Shell, type Start-EdgeSynchronization, and then press ENTER. This replicates the changed Send connector to the Edge Transport server; until the next synchronization, the Edge server still uses the old connector settings.
7. At the command prompt, type Exit, and then press ENTER.
8. Start Windows Internet Explorer, and connect to https://VAN-EX1.adatum.com/owa.
9. Log on as Adatum\Wei using the password Pa$$w0rd.
10. On the Microsoft Outlook Web App page, click OK.
11. Create and send a new e-mail to Info@Internet.com with the subject Test Mail to Internet.
12. Verify that you do not get a non-delivery report message.

Results: After this exercise, you should have installed an Edge Transport server role, and configured Edge Synchronization between a Hub Transport and an Edge Transport server.


Exercise 2: Configuring Forefront Protection 2010 for Exchange Servers


Task 1: Install Microsoft Forefront Protection 2010 for Exchange Server
1. On the host computer, in the Hyper-V Manager Microsoft Management Console (MMC), right-click the 10135A-VAN-SVR1 virtual machine, and then click Settings.
2. In the Settings for 10135A-VAN-SVR1 dialog box, in the Hardware section, expand IDE Controller 1, and then click DVD Drive.
3. In the details pane, click Image file, type C:\Program Files\Microsoft Learning\10135\Drives\ForeFrontInstall.iso in the field, and then click OK.
4. On VAN-SVR1, close the Autoplay dialog box. Click Start, in the Search field, type D:\, and then press ENTER.
5. In Windows Explorer, double-click forefrontexchangesetup.exe.
6. In the Setup Wizard window, on the License Agreement page, click I agree to the terms of the license agreement and privacy statement, and then click Next.
7. On the Service Restart page, click Next.
8. On the Installation Folders page, click Next.
9. On the Proxy Information page, click Next.
10. On the Antispam Configuration page, click Enable antispam later, and then click Next.
11. On the Microsoft Update page, click I don't want to use Microsoft Update, and then click Next.
12. On the Customer Experience Improvement Program page, click Next.
13. On the Confirm Settings page, click Next. Wait for the installation to finish. It will take about five minutes.
14. On the Installation Results page, click Finish. Close Windows Explorer.


Task 2: Configure Forefront Protection 2010 for Exchange Server


1. On VAN-SVR1, click Start, point to All Programs, point to Microsoft Forefront Server Protection, and then click Forefront Protection for Exchange Server Console.
2. In the Evaluation License Notice window, click OK.
3. In the Forefront Protection 2010 for Exchange Server Administrator Console window, in the left pane, click Policy Management.
4. In the Policy Management pane, under Antimalware, click Edge Transport.
5. On the Antimalware - Edge Transport page, in the Engines and Performance pane, select the Scan with all engines option.
6. In the Scan Actions pane, click Delete in the Virus list.
7. On the Antimalware - Edge Transport page, click Save.
8. In the Policy Management pane, expand Global Settings, and then click Advanced Options.
9. On the Global Settings - Advanced Options page, in the Threshold Levels pane, increase the value of Maximum nested depth compressed files to 10 and Maximum nested attachments to 50.
10. Under Intelligent Engine Management, select Manual in the Engine management drop-down list.
11. In the Update scheduling table, click Norman Virus Control, and then click the Edit Selected Engines button.
12. In the Edit Selected Engine dialog box, in the Update frequency pane, verify that the Check for updates every check box is selected, type 00:30 in the box, and then click Apply and Close.
13. On the Global Settings - Advanced Options page, click Save.

Results: After this exercise, you should have installed Forefront Protection 2010 for Exchange and configured it. You also should have tested the antivirus functionality of Forefront Protection 2010 for Exchange.
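The Results statement refers to testing the antivirus functionality, but no task in this exercise does so. The following is an added example, not part of the lab, of the standard check with the EICAR test file. It assumes that the Edge Transport server's default Receive connector still accepts anonymous SMTP on port 25 (the default), that wei@adatum.com is Wei's primary SMTP address, and that it is run from a machine outside Exchange that can reach VAN-SVR1 on port 25 (in this lab, VAN-DC1).

```powershell
# Added example (not from the lab): end-to-end check that the Forefront scanner on the
# Edge Transport server acts on an infected attachment, using the EICAR test file.
# Assumed: the Edge server's default Receive connector accepts anonymous SMTP on port
# 25, and wei@adatum.com is Wei's primary SMTP address.

# The 68-character EICAR string, split in two so that this script file is not itself
# quarantined by a desktop scanner; the file written below contains the real string.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP 'eicar.com'
# WriteAllText adds no byte-order mark and no trailing newline, so the file is exactly
# the 68 bytes every engine recognizes.
[System.IO.File]::WriteAllText($path, $eicar)

Send-MailMessage -SmtpServer 'VAN-SVR1.adatum.com' -From 'Info@Internet.com' `
    -To 'wei@adatum.com' -Subject 'EICAR antivirus test' `
    -Body 'If the attachment arrives intact, the Edge scanner is not working.' `
    -Attachments $path
Remove-Item -Path $path
```

With the Virus scan action set to Delete (Task 2, step 6), the message should reach Wei's Inbox without the attachment, and the detection appears in the Incidents view under Monitoring in the Forefront console. If a desktop antivirus on the sending machine quarantines eicar.com the moment it is written, that scanner is doing its job; send from a machine without one, or exclude the path for the duration of the test.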


To prepare for the next lab


Do not shut down or revert the virtual machines when you finish this lab. They are required to complete this module's last lab.


Lab B: Implementing Anti-Spam Solutions


Exercise 1: Configuring an Anti-Spam Solution on Edge Transport Servers
Task 1: Configure Domain Name System (DNS) for Internet message delivery
1. On VAN-DC1, click Start, point to Administrative Tools, and then click DNS.
2. Expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and then click New Mail Exchanger (MX).
4. In the New Resource Record dialog box, in the Fully qualified domain name (FQDN) of mail server box, type VAN-SVR1.Adatum.com.
5. Click OK, and then close DNS Manager.

Task 2: Configure global SCL for junk mail delivery


1. On VAN-SVR1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In Exchange Management Console, click Edge Transport.
3. In the Edge Transport pane, select VAN-SVR1, and then click the Anti-spam tab.
4. In the Anti-spam pane, double-click Content Filtering.
5. In the Content Filtering Properties window, click the Action tab.
6. On the Action tab, clear the Reject messages that have an SCL rating greater than or equal to check box, and then click OK.
7. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.
8. In Exchange Management Shell, type Set-OrganizationConfig -SCLJunkThreshold 6, and then press ENTER.
9. At the PS prompt, type D:\labfiles\Lab6Prep.ps1, and then press ENTER. This will send 11 messages with the following spam confidence level (SCL) ratings:

    Mail sender          SCL level
    Msg1@contoso.com     7
    Msg2@contoso.com     8
    Msg3@contoso.com     7
    Msg4@contoso.com     7
    Msg5@contoso.com     8
    Msg6@contoso.com     6
    Msg7@contoso.com     8
    Msg8@contoso.com     7
    Msg9@contoso.com     6
    Msg10@contoso.com    6
    Msg11@contoso.com    8

10. On VAN-EX1, start Internet Explorer, and connect to https://VAN-EX1.adatum.com/OWA.
11. Log on as Adatum\Wei using the password Pa$$w0rd.
12. In the Mail pane, click Inbox. You should see three new messages in the Inbox, the three rated SCL 6. If not, wait another minute until they arrive.
13. In the Inbox pane, double-click the message from Msg10@contoso.com.
14. In the message window, click Message Details on the toolbar.
15. In the Message details window, identify the SCL level of this message by looking for X-MS-Exchange-Organization-SCL in the Internet Mail Headers box. Then click Close to close Message Details. Close the message window.


16. In the Mail pane, click Junk E-Mail. You should see eight new messages in the Junk E-Mail folder. They were identified as junk mail because their SCL rating (7 or 8) is greater than the SCLJunkThreshold of 6 that you set in step 8; a rating equal to the threshold stays in the Inbox. You can verify this by looking at the Message Details of the messages.
17. Delete all messages in the Inbox and Junk E-Mail folders.

Task 3: Configure content filtering to reject junk messages


1. On VAN-SVR1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In Exchange Management Console, click Edge Transport.
3. In the Edge Transport pane, select VAN-SVR1, and then click the Anti-spam tab.
4. In the Anti-spam pane, double-click Content Filtering.
5. In the Content Filtering Properties window, click the Action tab.
6. On the Action tab, select the Reject messages that have an SCL rating greater than or equal to check box, configure it to 7, and then click OK.
7. On VAN-EX1, in Exchange Management Shell, type D:\labfiles\Lab6Prep.ps1, and then press ENTER. This will send the 11 messages again, but this time the Content Filter agent on the Edge Transport server rejects every message with an SCL rating of 7 or more during the SMTP session, so those messages never reach the Hub Transport server. Only the three messages rated SCL 6 reach Wei's Inbox, and nothing is delivered to the user's Junk E-Mail folder.
8. On VAN-EX1, start Internet Explorer, and connect to https://VAN-EX1.adatum.com/OWA.
9. Log on as Adatum\Wei using the password Pa$$w0rd.
10. In the Mail pane, click Inbox. Notice the three new messages in the Inbox.
11. To delete all messages in the Inbox, select them, and then click Delete.

Task 4: Configure an IP Allow List


1. On VAN-SVR1, in Exchange Management Console, click the Anti-spam tab.
2. In the Anti-spam pane, double-click IP Allow List.
3. In the IP Allow List Properties window, click the Allowed Addresses tab.
4. On the Allowed Addresses tab, click Add.
5. In the Add Allowed IP Address window, type 10.10.0.10 in the Address or address range box, and then click OK.
6. On the Allowed Addresses tab, click OK.
7. On VAN-EX1, in Exchange Management Shell, type D:\labfiles\Lab6Prep.ps1, and then press ENTER.
8. On VAN-EX1, start Internet Explorer, and connect to https://VAN-EX1/OWA.
9. Log on as Adatum\Wei using the password Pa$$w0rd.
10. In the Mail pane, click Inbox. You should see 11 new messages in the Inbox.
11. Double-click one message, and review the Message Details. The SCL rating should be -1. When the sending SMTP server is on the IP Allow List, content filtering is not applied to anything it sends, which is why all 11 messages, including the eight that the Content Filter agent rejected in Task 3, now reach the Inbox. Allow-listing an address therefore trusts every sender behind it, not just one.
12. To delete all messages in the Inbox, select them, and then click Delete.

Task 5: Configure a Block List Provider


1. On VAN-SVR1, in Exchange Management Console, click the Anti-spam tab.
2. In the Anti-spam pane, double-click IP Block List Providers.
3. In the IP Block List Providers Properties window, click the Providers tab.
4. On the Providers tab, click Add.
5. In the Add IP Block List Provider window, type Spamhaus in the Provider name box, type zen.spamhaus.org in the Lookup domain box, and then click OK twice.

Results: After this exercise, you should have configured different SCL levels, and verified the behavior of junk mail in user mailboxes. You should also have configured a Block List Provider.
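The settings from Tasks 2 to 5 as Exchange Management Shell commands, followed by a small model of how a message's SCL rating decides where it ends up. This is an added example and not part of the lab: the cmdlets are Exchange Server 2010's own, but the Get-MessageDisposition function and the message table are constructed here for illustration. Run over the lab's 11 messages, the model reproduces the counts the tasks produce: 3 in the Inbox and 8 in Junk E-Mail with rejection off, 8 rejected and 3 in the Inbox with rejection at 7, and all 11 in the Inbox once the source is allow-listed.

```powershell
# Added example (not from the lab): the Exercise 1 anti-spam settings as shell commands,
# plus a model of the decision order applied to the lab's 11 test messages. The
# cmdlets are Exchange Server 2010's; Get-MessageDisposition and the message table
# are constructed for illustration.

# ---------- On VAN-SVR1 (Edge Transport), Exchange Management Shell ----------
# Task 2 state: rejection off, so every message reaches the Hub Transport server
Set-ContentFilterConfig -SCLRejectEnabled $false
# Task 3 state: reject at SCL 7 or above. If several actions are enabled the thresholds
# must satisfy Delete > Reject > Quarantine, and the agent applies the highest that matches.
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 7
# Task 4: a source on the IP Allow List bypasses content filtering entirely (SCL -1)
Add-IPAllowListEntry -IPAddress 10.10.0.10
# Task 5: a DNS block list. 127.0.0.2 is the address every DNSBL reports as listed, so
# a Listed result proves the lookup path works before you rely on it.
Add-IPBlockListProvider -Name Spamhaus -LookupDomain zen.spamhaus.org
Test-IPBlockListProvider -Identity Spamhaus -IPAddress 127.0.0.2
Get-ContentFilterConfig | Format-List SCL*
# What the agent actually did to recent connections
Get-AgentLog -StartDate (Get-Date).AddHours(-1) |
    Where-Object { $_.Agent -eq 'Content Filter Agent' } |
    Format-Table Timestamp, P1FromAddress, Action, Reason, ReasonData -AutoSize

# ---------- On VAN-EX1 (Hub Transport), Exchange Management Shell ----------
# Organization-wide junk threshold: the SCL must be GREATER than this to go to Junk E-Mail
Set-OrganizationConfig -SCLJunkThreshold 6
# A single mailbox can override it (Task 2 relies on the organization value):
# Set-Mailbox -Identity Wei -SCLJunkEnabled $true -SCLJunkThreshold 4

# ---------- Model of the decision order (runs in any PowerShell) ----------
function Get-MessageDisposition {
    param(
        [int]$Scl,
        [bool]$SourceAllowListed = $false,
        [bool]$DeleteEnabled = $false,     [int]$DeleteThreshold = 9,
        [bool]$RejectEnabled = $true,      [int]$RejectThreshold = 7,
        [bool]$QuarantineEnabled = $false, [int]$QuarantineThreshold = 5,
        [int]$JunkThreshold = 6
    )
    # Connection filtering runs first: an allow-listed source is stamped SCL -1 and
    # skips the Content Filter agent, so none of the thresholds below can apply.
    if ($SourceAllowListed) { return 'Inbox (SCL -1)' }
    # Content Filter agent on the Edge server; the highest matching action wins
    if ($DeleteEnabled     -and $Scl -ge $DeleteThreshold)     { return 'Deleted silently at Edge' }
    if ($RejectEnabled     -and $Scl -ge $RejectThreshold)     { return 'Rejected at Edge (550 5.7.1)' }
    if ($QuarantineEnabled -and $Scl -ge $QuarantineThreshold) { return 'Quarantine mailbox' }
    # Mailbox server: SCLJunkThreshold is a strict greater-than comparison
    if ($Scl -gt $JunkThreshold) { return 'Junk E-Mail' }
    return 'Inbox'
}

# The 11 messages Lab6Prep.ps1 sends (Task 2, step 9) and their SCL ratings
$labMessages = @{
    'Msg1@contoso.com' = 7; 'Msg2@contoso.com'  = 8; 'Msg3@contoso.com'  = 7; 'Msg4@contoso.com' = 7
    'Msg5@contoso.com' = 8; 'Msg6@contoso.com'  = 6; 'Msg7@contoso.com'  = 8; 'Msg8@contoso.com' = 7
    'Msg9@contoso.com' = 6; 'Msg10@contoso.com' = 6; 'Msg11@contoso.com' = 8
}
$runs = @(
    @{ Name = 'Task 2 (reject off)';    RejectEnabled = $false; Allow = $false },
    @{ Name = 'Task 3 (reject >= 7)';   RejectEnabled = $true;  Allow = $false },
    @{ Name = 'Task 4 (IP allow list)'; RejectEnabled = $true;  Allow = $true }
)
foreach ($run in $runs) {
    $counts = $labMessages.Keys | ForEach-Object {
        Get-MessageDisposition -Scl $labMessages[$_] -RejectEnabled $run.RejectEnabled -SourceAllowListed $run.Allow
    } | Group-Object | Sort-Object Name
    '{0}: {1}' -f $run.Name, (($counts | ForEach-Object { "$($_.Count) x $($_.Name)" }) -join ', ')
}
```

Two caveats for Task 5 that the lab network cannot show: zen.spamhaus.org only answers if the Edge server's DNS resolver can reach the Internet, which the isolated lab cannot, and Spamhaus refuses queries that arrive through the large public resolvers and limits free use by query volume, so in production the Edge server must resolve through your own resolver and the provider's terms must be checked.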


To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.
5. To connect to the virtual machine for the next module's lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.
7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.
8. Wait for VAN-EX2 to start, and then start VAN-EX3. Connect to the virtual machine.
