10135a-Enu Trainerhandbook Vol2
OFFICIAL MICROSOFT LEARNING PRODUCT

10135A Configuring, Managing and Troubleshooting Microsoft® Exchange Server 2010

Volume 2

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.


ii Configuring, Managing and Troubleshooting Microsoft® Exchange Server 2010

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, Entourage, Excel, Forefront, Hyper-V, InfoPath, Internet Explorer, MS, MSDN, Outlook, PowerPoint, SharePoint, SmartScreen, SQL Server, Windows, Windows Live, Windows Media, Windows Mobile, Windows NT, Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Product Number: 10135A

Part Number: X16-25664

Released: 01/2010


MICROSOFT LICENSE TERMS

OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION – Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft

• updates,

• supplements,

• Internet-based services, and

• support services

for this Licensed Content, unless other terms accompany those items. If so, those terms apply.

By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content.

If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.

b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.

d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.

e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or analog device.

f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.

g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.

h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.


i. “Student Content” means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.

j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.

k. “Trainer Content” means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.

l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

m. “Virtual Machine” means a virtualized computing experience, created and accessed using Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.

Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.

License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (i) or (ii) above during such Authorized Training Session in accordance with these license terms.


i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a


protective order or otherwise protect the information. Confidential information does not include information that

• becomes publicly known through no wrongful act;

• you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or

• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (“beta term”).

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers:

i. Software.

ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply:

Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply:

Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks:


You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:

o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.

o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.

o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.

o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.

o You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.

o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.

o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation Software” may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:

i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.


iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use

• You will not republish or post the Academic Materials on any network computer or broadcast in any media;

• You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:

Form of Notice:

© 2009 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved.

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not

• install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;

• allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;

• copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;

• disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;

• work around any technical limitations in the Licensed Content;

• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;

• make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;

• publish the Licensed Content for others to copy;


• transfer the Licensed Content, in whole or in part, to a third party;

• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;

• rent, lease or lend the Licensed Content; or

• use the Licensed Content for commercial hosting services or general business purposes.

• Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as “NFR” or “Not for Resale.”

10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as “Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.


16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

• anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and

• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are also provided in French. Those French-language clauses are given here in English translation.

DISCLAIMER OF WARRANTY. The Licensed Content is offered “as is”. Any use of this Licensed Content is at your sole risk. Microsoft grants no other express warranty. You may have additional rights under local consumer protection law that this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You cannot claim any compensation for other damages, including special, indirect or incidental damages and lost profits.

This limitation applies to:

• anything related to the Licensed Content, to services or to content (including code) on third-party Internet sites or in third-party programs; and

• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights conferred on you by the laws of your country if those laws do not permit it to do so.


Welcome!

Thank you for taking our training! We’ve worked together with our Microsoft Certified Partners for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning experience, whether you’re a professional looking to advance your skills or a student preparing for a career in IT.

■ Microsoft Certified Trainers and Instructors: Your instructor is a technical and instructional expert who meets ongoing certification requirements. And, if instructors are delivering training at one of our Certified Partners for Learning Solutions, they are also evaluated throughout the year by students and by Microsoft.

■ Certification Exam Benefits: After training, consider taking a Microsoft Certification exam. Microsoft Certifications validate your skills on Microsoft technologies and can help differentiate you when finding a job or boosting your career. In fact, independent research by IDC concluded that 75% of managers believe certifications are important to team performance.[1] Ask your instructor about Microsoft Certification exam promotions and discounts that may be available to you.

■ Customer Satisfaction Guarantee: Our Certified Partners for Learning Solutions offer a satisfaction guarantee and we hold them accountable for it. At the end of class, please complete an evaluation of today’s experience. We value your feedback!

We wish you a great learning experience and ongoing success in your career!

Sincerely,

Microsoft Learning
www.microsoft.com/learning

[1] IDC, Value of Certification: Team Certification and Organizational Performance, November 2006



Acknowledgement

Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Siegfried Jagott – Content Developer

Siegfried Jagott is a Principal Consultant and Team Lead for the Messaging and Collaboration team in Siemens IT Solutions located in Munich, Germany. He has planned, designed, and implemented some of the world’s largest Windows and Exchange Server infrastructures for international customers. Additionally, he hosted a monthly column for Windows IT Magazine called “Exchange & Outlook UPDATE: Outlook Perspectives.” He writes for international magazines and lectures about Windows and Exchange Server-related topics. He received an MBA from Open University in England, and has been a Microsoft Certified Systems Engineer (MCSE) since 1997.

Stan Reimer – Content Developer

Stan Reimer is president of S. R. Technical Services Inc, and he works as a consultant, trainer and author. Stan has extensive experience consulting on Active Directory and Exchange Server deployments for some of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft Press, and is currently working on an Exchange Server 2010 Best Practices book, also for Microsoft Press. For the last six years, Stan has been writing courseware for Microsoft Learning, specializing in Active Directory and Exchange Server courses. Stan has been an MCT for 11 years.

Joel Stidley – Content Developer

Joel Stidley is an MCITP, MCSE, MCTS, and a Microsoft Exchange MVP with over 13 years of IT experience. Currently, he is a principal systems architect at Terremark Worldwide, Inc., where he works with a variety of directory, storage, virtualization, and messaging technologies. Joel has authored several books and courses on Microsoft Technologies including Windows PowerShell, Microsoft Exchange Server and Windows Server 2008. He also manages an Exchange Server blog and forum site.


Damir Dizdarevic – Technical Reviewer Damir Dizdarevic is a manager of the Learning Center at Logosoft d.o.o. (Sarajevo, Bosnia and Herzegovina) and an MCT. He has worked as a subject matter expert and technical reviewer on several MOC courses, and has published more than 350 articles in various IT magazines such as Windows ITPro. He is an MVP for Windows Server Infrastructure Management, and an MCSE, MCTS, and MCITP (Windows Server 2008 and Exchange Server 2007). He specializes in Windows Server and Exchange Server.


Contents

Module 7: Implementing High Availability

Lesson 1: Overview of High Availability Options 7-3

Lesson 2: Configuring Highly Available Mailbox Databases 7-9

Lesson 3: Deploying Highly Available Non-Mailbox Servers 7-27

Lab: Implementing High Availability 7-34

Module 8: Implementing Backup and Recovery

Lesson 1: Planning Backup and Recovery 8-3

Lesson 2: Backing Up Exchange Server 2010 8-18

Lesson 3: Restoring Exchange Server 2010 8-31

Lab: Implementing Backup and Recovery 8-48

Module 9: Configuring Messaging Policy and Compliance

Lesson 1: Introducing Messaging Policy and Compliance 9-3

Lesson 2: Configuring Transport Rules 9-9

Lesson 3: Configuring Journaling and Multi-Mailbox Search 9-35

Lab: Configuring Transport Rules, Journal Rules, and Multi-Mailbox Search 9-48

Lesson 4: Configuring Messaging Records Management 9-58

Lesson 5: Configuring Personal Archives 9-74

Lab: Configuring Messaging Records Management and Personal Archives 9-82

Module 10: Securing Microsoft Exchange Server 2010

Lesson 1: Configuring Role Based Access Control 10-3

Lesson 2: Configuring Security for Server Roles in Exchange Server 2010 10-23

Lesson 3: Configuring Secure Internet Access 10-28

Lab: Securing Exchange Server 2010 10-46

Module 11: Maintaining Microsoft Exchange Server 2010

Lesson 1: Monitoring Exchange Server 2010 11-3

Lesson 2: Maintaining Exchange Server 2010 11-18

Lesson 3: Troubleshooting Exchange Server 2010 11-29

Lab: Maintaining Exchange Server 2010 11-37

Module 12: Upgrading from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010

Lesson 1: Overview of Upgrading to Exchange Server 2010 12-4

Lesson 2: Upgrading from Exchange Server 2003 to Exchange Server 2010 12-12

Lesson 3: Upgrading from Exchange Server 2007 to Exchange Server 2010 12-34

Appendix A: Implementing Unified Messaging

Lesson 1: Overview of Telephony A-3

Lesson 2: Introducing Unified Messaging A-14

Lesson 3: Configuring Unified Messaging A-33

Lab: Implementing Unified Messaging A-49

Appendix B: Advanced Topics in Exchange Server 2010

Lesson 1: Deploying Highly Available Solutions for Multiple Sites B-3

Lesson 2: Implementing Federated Sharing B-15

Lab Answer Keys Appendix

Module 7 Lab: Implementing High Availability L7-77

Module 8 Lab: Implementing Backup and Recovery L8-87

Module 9 Lab A: Configuring Transport Rules, Journal Rules, and Multi-Mailbox Search L9-97

Module 9 Lab B: Configuring Messaging Records Management and Personal Archives L9-108

Module 10 Lab: Securing Exchange Server 2010 L10-117

Module 11 Lab: Maintaining Exchange Server 2010 L11-127

Appendix A Lab: Implementing Unified Messaging LA-139

MCT USE ONLY. STUDENT USE PROHIBITED

Implementing High Availability 7-1

Module 7 Implementing High Availability

Contents: Lesson 1: Overview of High Availability Options 7-3

Lesson 2: Configuring Highly Available Mailbox Databases 7-9

Lesson 3: Deploying Highly Available Non-Mailbox Servers 7-27

Lab: Implementing High Availability 7-34


Module Overview

Many people rely on messaging environments so that they can perform critical business tasks, and it is extremely important for your messaging solution to be available for an extended time. Thus, many organizations place strict availability requirements on e-mail and other critical applications.

As the Microsoft® Exchange Server product has improved over the last decade, it has become very stable and resilient, even in standalone configurations. To build a truly highly available solution, however, additional design and configuration work was still required. Not only are technology and configuration crucial, but so are the processes and procedures that you use to maintain the messaging system. This module describes the high availability technology built into Exchange Server 2010 and some of the outside factors that affect highly available solutions.

After completing this module, you will be able to:

• Describe high availability options.

• Configure highly available mailbox databases.

• Deploy highly available non-Mailbox servers.


Lesson 1 Overview of High Availability Options

High availability is a commonly used term that is often applied to a specific technology or configuration that promotes service availability. Although many technologies and configurations can contribute to a highly available configuration, they are not by themselves a high availability solution. Much more effort is required to provide one.

In this lesson, you will review high availability, and some of the factors that go into designing and deploying a highly available solution.

After completing this lesson, you will be able to:

• Describe high availability.

• Identify the components of a high availability solution.

• Implement a high availability solution for Mailbox servers.

• Implement a high availability solution for non-Mailbox servers.


What Is High Availability?

Key Points High availability is a system design implementation that ensures a high level of operational continuity over a specific time. Although many people attribute high availability to a specific technology, such as failover clustering or load balancing, you can truly achieve high availability only with good design, testing, training, and operational processes.

There are two types of downtime: planned and unplanned. Planned downtime is the result of events you schedule, such as maintenance. By contrast, unplanned downtime is the result of events not within direct control of information technology (IT) administrators. These events can be minor, such as a buggy hardware driver or a processor that fails, or catastrophic, such as flood, fire, or earthquake.


Measuring Availability Availability often is expressed as the percentage of time that a service is available for use. For example, a requirement for 99.9 percent availability over a one-year period allows about 8.76 hours of downtime (0.1 percent of 8,760 hours). In complex environments, organizations typically specify availability for a specific service, such as Exchange messaging, which in turn may have availability goals tied to specific features such as Microsoft Outlook® Web App, Simple Mail Transfer Protocol (SMTP) message delivery, and Outlook Anywhere.

For more information on high availability, refer to the CD content.


Discussion: Components of a High Availability Solution

Key Points Numerous components can comprise a messaging solution, and you should scrutinize them to ensure that failures will not affect the entire solution’s availability. Once you identify these components, you can mitigate failures.

Question: Which components are important for running a high availability solution?

Question: What are some common single points of failure in a messaging solution?


High Availability Solution for Mailbox Servers

Key Points Exchange Server 2010 provides a number of improvements for mailbox availability. Although the mailbox high availability implementation differs from that of Exchange Server 2007, the basic concepts are the same. Exchange Server 2010 improves upon many of the Exchange Server 2007 mailbox availability features. For example, one database can have as many as 16 copies on 16 servers, and you can activate it on any of those servers without disconnecting clients. Additionally, to provide increased insurance against corruption, you can configure a database copy to delay applying transaction logs for up to 14 days. With the appropriate tools, you can use such a lagged copy to recover database information from any point up to 14 days in the past. Details about how mailbox high availability works appear later in this module.

There are no changes to public folder high availability in Exchange Server 2010. You create a highly available public folder environment by adding replicas of each public folder to multiple servers, taking the location of the public folder servers into account. Because this requires no additional configuration, this module does not discuss public folder high availability further.


High Availability Solution for Non-Mailbox Servers

Key Points High availability solutions for the non-Mailbox server roles are as important as those for the Mailbox server role, because without them clients and other servers lose their path to the Mailbox server. For each of the non-Mailbox server roles, adding redundancy starts with deploying multiple servers and ends with distributing the load across them, whether through Exchange Server or DNS configuration, or through software or hardware load balancing. If you are familiar with the high availability solutions for non-Mailbox server roles in Exchange Server 2007, these concepts largely hold true in Exchange Server 2010. This module provides details about making each of the non-Mailbox server roles highly available.


Lesson 2 Configuring Highly Available Mailbox Databases

Historically, the Mailbox server role has been the most complex and critical component in a highly available Exchange Server deployment. Although this remains true to a degree, Exchange Server 2010 reduces the complexity of deploying a highly available Mailbox server. In doing so, it also reduces the likelihood that administrators will configure a Mailbox server cluster improperly.

After completing this lesson, you will be able to:

• Describe database availability group (DAG).

• Describe Active Manager.

• Describe continuous replication.

• Describe how DAGs protect databases.

• Identify the differences between Exchange Server 2010 and Exchange Server 2007 mailbox availability options.


• Configure databases for high availability.

• Create and configure a DAG.

• Describe the transport dumpster.

• Describe the failover process.

• Monitor replication health.


What Is a Database Availability Group?

Key Points A DAG is a collection of servers that provides the infrastructure for replicating and activating database copies. The DAG leverages continuous transaction log replication to each of the passive database copies within the DAG, which:

• Requires the failover clustering feature, although all installation and configuration tasks occur with the Exchange Server management tools. Although a DAG requires the failover clustering feature, Exchange Server does not use Windows failover clustering to handle database failover. Instead, it uses Active Manager to control failover.

• Uses an enhanced version of the continuous replication technology that was in Exchange Server 2007. The best continuous replication pieces from Exchange Server 2007 were improved.

• Can be created after you install the Mailbox server. You can set up a Mailbox server to host active mailboxes, and then add it to the DAG later.


• Allows you to move a single database between servers in the group without affecting other databases. Failover clustering occurs per mailbox database, not for an entire server, which makes Exchange Server 2010 more flexible than previous Exchange Server versions.

• Allows up to 16 copies of a single database on separate servers. You can add up to 16 servers to a DAG, which allows you to create up to 16 copies of a database. The database copies must be stored in the same path on all servers. For example, if you store Mailbox Database 1 in D:\Mailbox\DB\Mailbox Database 1\ on VAN-EX1, then you must also store it in D:\Mailbox\DB\Mailbox Database 1\ on all other servers that host Mailbox Database 1 copies.

• Defines the boundary for replication since only servers within the DAG can host database copies. You cannot replicate database information to Mailbox servers outside the DAG.


What Is Active Manager?

Key Points Exchange Server 2010 includes a new component called Active Manager. Active Manager replaces the resource model and failover management features that previous Exchange Server versions provided during integration with the cluster service. Exchange Server no longer uses the cluster resource model for high availability. Exchange Server uses a Windows failover cluster, but there are no cluster groups for Exchange Server, and the cluster has no storage resources. In the Failover Cluster Management Console, you will see only the core cluster resources (IP Address and Network Name).


The Active Manager runs on all Mailbox servers that are DAG members and runs as either the primary active manager (PAM) or a standby active manager (SAM). The PAM is the Active Manager in a DAG that decides which copies will be active and passive, and it is responsible for processing topology change notifications and reacting to server failures.

Far from having a passive role, the SAM provides information about which server hosts the active copy of a mailbox database to other components of Exchange Server, such as the RPC Client Access service and the Hub Transport server. The SAM detects local database and local Information Store failures. It reacts to failures by asking the PAM to initiate a failover (if the database is replicated).


What Is Continuous Replication?

Key Points Continuous replication was introduced for Mailbox servers in Exchange Server 2007. This feature creates a passive database copy on another Exchange Server computer in the DAG, and then uses asynchronous log shipping to maintain the copies.

The continuous replication process is as follows:

1. The active log is written, and then closed.

2. The Replication Service replicates the closed log to servers hosting the passive databases.

3. On each server that hosts a passive copy, the copied logs are inspected and then replayed (applied) to the passive database copy. Because every copy starts from an identical database and applies the same log stream, the copies remain in sync with the active database.

Question: What other technologies use continuous replication?


How Are Databases Protected in a DAG?

Key Points The active database copy uses continuous replication to keep the passive copies in sync, subject to each copy’s lag-time setting. A DAG leverages the Windows Server® operating system failover clustering feature, but it relies on Active Manager, not on the cluster resource model, to maintain the status of all of the databases that the DAG hosts.

• You can switch or fail over a single database between DAG servers. However, it is only active on one node at a time.

• At any given time, a copy is either the replication source or the replication target, but not both.

• A server may not host more than one copy of a given database.

• Not all databases need to have the same number of copies. In a 16-node DAG, one database can have 16 copies, while another database is not redundant and contains only the one active copy.


Database failovers occur when failures cause the active database to go offline. Either a single server failure or something specific to a database may cause the failure. A switchover occurs when an administrator intentionally coordinates moving the active database from one server to another.


Comparing Exchange Server 2010 to Exchange Server 2007 Mailbox Availability Options

Key Points Exchange Server 2010 extends and improves upon the continuous replication technology that Exchange Server 2007 used. The new high availability model using the DAG is a more flexible and resilient solution than previous high availability solutions.

The Exchange Server 2010 database high availability model:

• Has no single point of failure.

• Supports backups.

• Allows up to 16 copies of a database, with a replay lag time of up to 14 days.

• Allows other server roles to run on the same server as the Mailbox server role, which a clustered Mailbox server in Exchange Server 2007 did not.

• Allows you to move a single database between servers.


Configuring Databases for High Availability

Key Points Creating a DAG is only the first step to providing database availability. You must create and configure additional database copies. Not only can you create a database copy initially, but an administrator also can create one at any time. You can distribute database copies across Mailbox servers in a flexible and granular way. You can replicate one, some, or all mailbox databases on a server in several ways.

Specify the following information when creating a mailbox database copy:

• The name of the database you are copying.

• The name of the Mailbox server that will host the database copy.

• The amount of time (in minutes) for log replay delay. This is the replay lag time, which sets how long to wait before the logs are committed to the database copy. Setting the value for replay lag time to 0 turns off log replay delay.


• The amount of time (in minutes) for log truncation delay. This is truncation lag time, which sets how long to wait before truncating committed transaction logs. Setting the value for truncation lag time to 0 turns off log truncation delay.

• An activation preference number. This is referred to as a preferred list sequence number, and it represents the activation preference order of a database copy after a failure or outage of the active copy.

DAG Networks A DAG network is a collection of one or more subnets that Exchange Server uses for either replication traffic or MAPI traffic. Although a DAG is supported with a single network adapter and a single network path, we recommend a minimum of two DAG networks. In a two-network configuration, you typically dedicate one network to replication traffic and the other network to MAPI traffic. You can create additional networks in a DAG and configure them as replication networks for redundancy. We recommend that you do not use Internet SCSI (iSCSI) networks for DAG replication.

Question: How do you plan to use the preferred list sequence number?


Demonstration: How to Create and Configure a DAG

Key Points In this demonstration, you will review how to create a new database availability group, add member servers to it, and create a copy of a mailbox database.

Demonstration Steps

1. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

2. Use the New-DatabaseAvailabilityGroup cmdlet to create a Database Availability Group named DAG1 with a WitnessServer on VAN-DC1, and a WitnessDirectory of C:\FSWDAG1. Assign the DAG an IP Address of 10.10.0.25.

3. Use the Add-DatabaseAvailabilityGroupServer cmdlet to add VAN-EX1 as a member.

4. Click Start, click Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.


5. Use the Manage Database Availability Group Membership Wizard to add VAN-EX2 as a member of DAG1.

6. Use the Add Mailbox Database Copy Wizard to add a copy of Mailbox Database 1 to the second Mailbox server.

Note: Once you create a DAG, you then can create and configure DAG networks for replication or for MAPI traffic. Add additional networks for redundancy or improved throughput.

Question: What information do you need before you can configure a DAG?
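The demonstration above, carried out end to end in the Exchange Management Shell, as an added example (this script is not part of the course text). It uses the lab names from the demonstration (DAG1, VAN-DC1, VAN-EX1, VAN-EX2, Mailbox Database 1, 10.10.0.25); the 10.10.1.0/24 replication subnet and the network name ReplicationNetwork are assumptions. One caveat a practitioner should weigh before copying the lab layout: if the witness server is not an Exchange server, the Exchange Trusted Subsystem group must be a member of that server’s local Administrators group, and on a domain controller the local Administrators group is the domain’s built-in Administrators group, so a witness on VAN-DC1 grants every Exchange server domain-level administrative rights. In production, place the witness on a Hub Transport server instead.

```powershell
# Added example, not from the course text. Lab names: DAG1, VAN-DC1, VAN-EX1, VAN-EX2,
# "Mailbox Database 1", 10.10.0.25. Assumed: replication subnet 10.10.1.0/24.

# 1. Create the DAG with a file share witness. Exchange creates the witness directory
#    and share; see the lead-in for why a domain controller is a poor witness choice.
New-DatabaseAvailabilityGroup -Name DAG1 `
    -WitnessServer VAN-DC1 `
    -WitnessDirectory C:\FSWDAG1 `
    -DatabaseAvailabilityGroupIpAddresses 10.10.0.25

# 2. Add the members. Adding the first server installs the failover clustering
#    feature (if needed) and forms the cluster; later additions join it.
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer VAN-EX1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer VAN-EX2

# 3. Add a passive copy on VAN-EX2. ActivationPreference 2 makes it the tie-breaker
#    choice after VAN-EX1. A non-zero ReplayLagTime (maximum 14.00:00:00) would make
#    this a lagged copy; TruncationLagTime delays log truncation on this copy only.
Add-MailboxDatabaseCopy -Identity "Mailbox Database 1" `
    -MailboxServer VAN-EX2 `
    -ActivationPreference 2 `
    -ReplayLagTime 00:00:00 `
    -TruncationLagTime 00:00:00

# 4. Dedicate a second subnet to replication and leave the auto-discovered network
#    for MAPI traffic only. Never enable replication on an iSCSI network.
New-DatabaseAvailabilityGroupNetwork -DatabaseAvailabilityGroup DAG1 `
    -Name ReplicationNetwork -Subnets 10.10.1.0/24 -ReplicationEnabled:$true
Get-DatabaseAvailabilityGroupNetwork -Identity DAG1 |
    Where-Object { $_.Name -ne 'ReplicationNetwork' } |
    ForEach-Object { Set-DatabaseAvailabilityGroupNetwork -Identity $_.Identity -ReplicationEnabled:$false }

# 5. Decide how many lost logs an automatic mount may accept on each member:
#    Lossless = 0, GoodAvailability = 6, BestAvailability = 12.
Get-DatabaseAvailabilityGroup -Identity DAG1 |
    Select-Object -ExpandProperty Servers |
    ForEach-Object { Set-MailboxServer -Identity $_.Name -AutoDatabaseMountDial GoodAvailability }

# 6. Verify: the active copy shows Mounted, the passive copy Healthy, both queues near 0.
Get-MailboxDatabaseCopyStatus -Identity "Mailbox Database 1\*" |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize
```

Step 4 assumes the DAG has a second, replication-only subnet; if every member has a single adapter, skip it and leave the single auto-discovered network with replication enabled, because a DAG must always have at least one replication-enabled network.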


What Is the Transport Dumpster?

Key Points If a failure occurs and some transaction logs have not yet been replicated to the passive copy, the transport dumpster can redeliver any recently delivered e-mail. The transport dumpster operates on the Hub Transport servers within the Active Directory® Domain Services (AD DS) site. When a database failover occurs, a request is made to the Hub Transport servers to redeliver the lost e-mail messages. The next section details database failovers.

The transport dumpster only holds e-mail that has been delivered. The local submission queue holds any pending e-mail. Once the transaction logs are replicated to each DAG server, the transport dumpster purges the message.


Understanding the Failover Process

Key Points A failover occurs when the server hosting the active database goes offline or something causes the active database to dismount. A switchover occurs when an administrator moves the active database from one server to another. When a failure affecting the active database occurs, Active Manager uses several sets of selection criteria to determine which database copy to activate. In the process for selecting the best copy to activate, Active Manager:

1. Enumerates the available copies.

2. Ignores all unreachable servers.

3. Sorts available copies by how current they are. The factors considered include the content index, copy queue length, and replay queue length.

4. Uses the activation preference, if a tie breaker is necessary.


Database Failovers Before using the previously mentioned criteria to locate the best copy to activate, a process called attempt copy last logs (ACLL) occurs. ACLL makes parallel remote procedure calls to each DAG Mailbox server that hosts a copy of the mailbox database. Each call checks whether the server is available and healthy and examines the LogInspectorGeneration value for that server’s database copy. The mailbox database copy with the highest LogInspectorGeneration value is the best source from which to copy any missing log files.

After the ACLL process is complete, and if all missing log files were copied from the selected best source, the database mounts without any data loss. This is known as a lossless failover. If the ACLL process fails, then the configured AutoDatabaseMountDial value is consulted. If the number of lost logs is within the configured AutoDatabaseMountDial value, then Exchange Server mounts the database. If the number of lost logs falls outside the configured AutoDatabaseMountDial value, then Exchange Server does not mount the database until either the missing log files are recovered, or an administrator explicitly mounts the database and accepts the larger data loss.

Use the Set-MailboxServer cmdlet to configure the AutoDatabaseMountDial setting for each DAG Mailbox server.
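The selection and mount-dial logic described above, as an added example that is not part of the course text. It is a simplified model written for illustration: the ordering it applies (drop unreachable servers, prefer a healthy content index, then the shortest copy queue, then the shortest replay queue, then activation preference) follows the steps the text lists, and the mount-dial thresholds (Lossless 0, GoodAvailability 6, BestAvailability 12 lost logs) are the documented Exchange Server 2010 values. Active Manager’s real implementation applies further criteria that this model omits. The sample copy-status objects are constructed inline; the same functions accept real objects from Get-MailboxDatabaseCopyStatus, since the property names match.

```powershell
# Added example, not from the course text. Simplified model of best-copy selection
# and of the AutoDatabaseMountDial decision; lab server names VAN-EX1..EX3 assumed.

function Select-BestCopyToActivate {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Copies,  # shaped like Get-MailboxDatabaseCopyStatus output
        [string] $FailedServer                              # server whose active copy just went down
    )
    # Step 1-2: enumerate the copies, drop the failed/unreachable servers and any copy
    # that is not in an activatable state.
    $candidates = $Copies | Where-Object {
        $_.MailboxServer -ne $FailedServer -and $_.ServerReachable -and
        (@('Healthy', 'DisconnectedAndHealthy') -contains $_.Status)
    }
    if (-not $candidates) { return $null }
    # Step 3-4: most current copy first; activation preference only breaks ties.
    $candidates |
        Sort-Object @{ Expression = { if ($_.ContentIndexState -eq 'Healthy') { 0 } else { 1 } } },
                    CopyQueueLength, ReplayQueueLength, ActivationPreference |
        Select-Object -First 1
}

function Test-AutoMountAllowed {
    param(
        [Parameter(Mandatory=$true)] [int] $LostLogs,
        [ValidateSet('Lossless', 'GoodAvailability', 'BestAvailability')]
        [string] $AutoDatabaseMountDial = 'GoodAvailability'
    )
    # Documented thresholds: Lossless = 0 lost logs, GoodAvailability = 6, BestAvailability = 12.
    $maxLoss = @{ Lossless = 0; GoodAvailability = 6; BestAvailability = 12 }[$AutoDatabaseMountDial]
    return ($LostLogs -le $maxLoss)
}

# Constructed sample: VAN-EX1 held the active copy and is now unreachable.
$sample = @(
    (New-Object PSObject -Property @{ MailboxServer = 'VAN-EX1'; Status = 'ServiceDown'; ServerReachable = $false
                                      ContentIndexState = 'Unknown'; CopyQueueLength = 0; ReplayQueueLength = 0; ActivationPreference = 1 }),
    (New-Object PSObject -Property @{ MailboxServer = 'VAN-EX2'; Status = 'Healthy'; ServerReachable = $true
                                      ContentIndexState = 'Healthy'; CopyQueueLength = 3; ReplayQueueLength = 0; ActivationPreference = 2 }),
    (New-Object PSObject -Property @{ MailboxServer = 'VAN-EX3'; Status = 'Healthy'; ServerReachable = $true
                                      ContentIndexState = 'Healthy'; CopyQueueLength = 0; ReplayQueueLength = 40; ActivationPreference = 3 })
)

$best = Select-BestCopyToActivate -Copies $sample -FailedServer 'VAN-EX1'
"Activate on: $($best.MailboxServer)"   # VAN-EX3: the shorter copy queue outranks VAN-EX2's better activation preference
"3 lost logs, Lossless dial:         $(Test-AutoMountAllowed -LostLogs 3 -AutoDatabaseMountDial Lossless)"
"3 lost logs, GoodAvailability dial: $(Test-AutoMountAllowed -LostLogs 3)"
```

The sample is chosen to show the point that surprises most administrators: activation preference is only a tie-breaker, so the copy with the lowest preference number is not necessarily the one that gets activated. To make preference decisive you must keep every copy equally current, which is what the monitoring in the next topic is for.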


Demonstration: How to Monitor Replication Health

Key Points In this demonstration, you will review how to use the Exchange Management Console and Exchange Management Shell to review the available information regarding database-replication health.

Demonstration Steps

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then expand Mailbox.

3. Review the status of each copy of Mailbox Database 1.

4. Close Exchange Management Console.

Question: Why is monitoring these statistics important?
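The shell side of this demonstration, as an added example that is not part of the course text. It reads the same copy status the console shows, adds the per-copy log generation counters that expose where the copy/inspect/replay pipeline has stalled, checks which member is the primary Active Manager, and runs Test-ReplicationHealth. The alert thresholds (copy queue above 10, replay queue above 50) are this example’s assumptions, not Exchange defaults; VAN-EX1 and DAG1 are the lab names.

```powershell
# Added example, not from the course text. Lab names VAN-EX1 and DAG1; the queue
# thresholds below are assumptions chosen for illustration.
$maxCopyQueue   = 10
$maxReplayQueue = 50

# Which member is the PAM, and is the witness share in use? (The witness only counts
# toward quorum when the DAG has an even number of members.)
Get-DatabaseAvailabilityGroup -Identity DAG1 -Status |
    Format-List Name, Servers, PrimaryActiveManager, WitnessServer, WitnessShareInUse

# Per-copy state on this server. The Last* generation counters show how far each
# passive copy has progressed: generated on the source, copied, inspected, replayed.
$status = Get-MailboxDatabaseCopyStatus -Server VAN-EX1
$status | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength,
    LastLogGenerated, LastLogCopied, LastLogInspected, LastLogReplayed, ContentIndexState -AutoSize

# Flag any copy that is not Mounted/Healthy or has fallen behind. A lagged copy
# legitimately carries a large replay queue, so exclude those from the replay check.
$problems = $status | Where-Object {
    ($_.Status -notmatch '^(Mounted|Healthy)$') -or
    ($_.CopyQueueLength -gt $maxCopyQueue) -or
    ($_.ReplayQueueLength -gt $maxReplayQueue -and $_.ReplayLagStatus -eq $null) -or
    ($_.ContentIndexState -ne 'Healthy')
}
if ($problems) {
    Write-Warning "Copies needing attention on VAN-EX1:"
    $problems | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize
}

# End-to-end checks: cluster service, replay service, quorum, DAG members, and each
# copy's health. Show only what did not pass.
Test-ReplicationHealth -Identity VAN-EX1 |
    Where-Object { $_.Result -ne 'Passed' } |
    Format-Table Server, Check, Result, Error -AutoSize
```

Run this on each DAG member (or loop over the Servers collection returned by Get-DatabaseAvailabilityGroup), because Get-MailboxDatabaseCopyStatus -Server reports only the copies that the named server hosts.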


Lesson 3 Deploying Highly Available Non-Mailbox Servers

Other Exchange Server roles now handle some functionality that the Mailbox server handled in previous Exchange Server versions. For example, Microsoft Office Outlook clients no longer connect directly to the Mailbox server, but instead connect to the Client Access server for MAPI-based communication. Additionally, the Mailbox server no longer routes or delivers messages; the Hub Transport server now performs this task. Because the other server roles perform more tasks, they have become more important to the messaging environment’s overall health. In this lesson, you will consider providing high availability for these non-Mailbox servers.

After completing this lesson, you will be able to:

• Describe and configure high availability for Client Access servers.

• Describe and configure high availability for Hub Transport servers.

• Describe and configure high availability for Edge Transport servers.


How High Availability Works for Client Access Servers

Key Points A client access array is a load-balanced collection of Client Access servers within a single Active Directory site. Because all client connections, including MAPI, rely on connections to Client Access servers, it is important to provide a redundant server array to improve availability. To create a client access array, you first must deploy multiple Client Access servers. Next, you use either hardware or software-based network load balancing to create a load-balanced cluster with a shared virtual IP address. Then, add the name of the load-balanced cluster to the Domain Name System (DNS). For example, you could add an A record for caa1.contoso.com that points to 10.10.10.25. After adding the DNS record, you create the client access array and assign it to an Active Directory site by using the New-ClientAccessArray cmdlet. Finally, you must assign the client access array to each of the mailbox databases in the site by using the Set-MailboxDatabase cmdlet with the –RpcClientAccessServer parameter.

A client access array can exist only in a single Active Directory site. Therefore, you would need to create a client access array in each Active Directory site that needs to load balance client access servers.
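The procedure above, typed into the Exchange Management Shell, as an added example that is not part of the course text. caa1.contoso.com and the site name Default-First-Site-Name are assumptions taken from the lab; the load balancer and its DNS A record are assumed to exist already, and the script checks that before it creates the array.

```powershell
# Added example, not from the course text. Assumed: the array FQDN caa1.contoso.com
# already resolves to the load balancer's VIP, and the site is Default-First-Site-Name.
$caaFqdn = 'caa1.contoso.com'
$site    = 'Default-First-Site-Name'

# 1. Refuse to proceed if DNS does not know the array name yet; GetHostAddresses
#    throws on an unresolvable name, which stops the script here.
$vip = [System.Net.Dns]::GetHostAddresses($caaFqdn) | Select-Object -First 1
"$caaFqdn resolves to $vip"

# 2. One array per Active Directory site.
New-ClientAccessArray -Name $caaFqdn -Fqdn $caaFqdn -Site $site

# 3. Point every mailbox database whose server is in this site at the array. Outlook
#    reads the RPC endpoint from the database's RpcClientAccessServer value, so
#    clients pick up the array on their next connection.
Get-MailboxDatabase |
    Where-Object { (Get-ExchangeServer -Identity $_.Server).Site -like "*$site" } |
    ForEach-Object { Set-MailboxDatabase -Identity $_.Identity -RpcClientAccessServer $caaFqdn }

# 4. Verify, and list any database in the site still bound to a single Client Access
#    server (a leftover single point of failure).
Get-MailboxDatabase | Format-Table Name, Server, RpcClientAccessServer -AutoSize
Get-MailboxDatabase |
    Where-Object { (Get-ExchangeServer -Identity $_.Server).Site -like "*$site" -and
                   $_.RpcClientAccessServer -ne $caaFqdn } |
    Format-Table Name, RpcClientAccessServer -AutoSize
```

Keep the array name on the internal DNS only; it is an RPC endpoint for internal Outlook clients, not an Internet-facing service, and nothing in this procedure publishes it externally.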


How Shadow Redundancy Provides High Availability for Hub Transport Servers

Key Points Exchange Server 2010 includes the shadow redundancy feature, which provides redundancy for messages for the entire time they are in transit. This is in addition to the transport dumpster. With shadow redundancy, the message deletion from the transport databases is delayed until the transport server verifies that all of the next hops for that message have completed delivery. If any of the next hops fail before reporting successful delivery, the transport server resubmits the message for delivery to that next hop.

In the shadow redundancy scenario, the message flow follows these stages:

1. Hub delivers message to Edge.

a. Hub opens SMTP session with Edge.

b. Edge advertises shadow redundancy support.

c. Hub notifies Edge to track discard status.


d. Hub submits message to Edge.

e. Edge acknowledges the receipt of message and records the Hub’s name for sending discard information for the message.

f. Hub moves the message to the shadow queue for Edge and marks Edge as the primary server. Hub becomes the shadow server.

2. Edge delivers message to the next hop:

a. Edge submits message to third-party mail server.

b. Third-party mail server acknowledges the message’s receipt.

c. Edge updates the discard status for the message as delivery complete.

3. Hub queries Edge for discard status (success case):

a. At end of each SMTP session with Edge, Hub queries Edge for discard status on messages previously submitted. If Hub has not opened any SMTP sessions with Edge after the initial message submission, it will open an SMTP session with Edge to query for discard status after a specific time.

b. Edge checks local discard status and sends back the list of messages that have been delivered, and removes the discard information.

c. Hub server deletes the list of messages from its shadow queue.

4. Hub queries Edge for discard status and resubmits the message (failure case):

a. If Hub cannot contact Edge, Hub resumes the primary server role and resubmits the messages in the shadow queue.

b. Resubmitted messages are delivered to another Edge server, and the workflow starts from step 1.

Within Exchange Server 2010, the Shadow Redundancy Manager (SRM) is the core component of a Transport server that is responsible for managing shadow redundancy. The SRM is responsible for maintaining the following information for all the primary messages that a server is currently processing:

• The shadow server for each primary message being processed.

• The discard status to be sent to shadow servers.

The SRM is responsible for the following, for all the shadow messages that a server has in its shadow queues:

• Maintaining the list and checking primary server availability for each shadow message.

• Processing discard notifications from primary servers.

• Removing the shadow messages from the database once it receives all expected discard notifications.

• Deciding when the shadow server should take ownership of shadow messages, thus making it the primary server.
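The following Exchange Management Shell function is an added example, not part of the course: it reports what the SRM is tracking on each Hub Transport server, namely the organization-wide shadow redundancy switch, the per-server heartbeat and discard timers, and the shadow queues with the messages waiting in them. The server names are the course's lab servers, and the three timer property names are assumed from Get-TransportServer in Exchange Server 2010.

```powershell
# Added example, not part of the course material. Requires the Exchange Management
# Shell on an Exchange Server 2010 server; the server names below are assumed to be
# the lab's Hub Transport servers.
function Get-ShadowRedundancyReport {
    param(
        [string[]] $Servers = @('VAN-EX1', 'VAN-EX2', 'VAN-EX3')
    )

    # Organization-wide switch. If it is off, no shadow queues are ever created and a
    # Hub Transport failure in the middle of a delivery loses the message.
    $transportConfig = Get-TransportConfig
    if (-not $transportConfig.ShadowRedundancyEnabled) {
        Write-Warning 'Shadow redundancy is disabled in the organization transport configuration.'
    }

    foreach ($server in $Servers) {
        # Per-server timers (assumed property names): the shadow heartbeat timeout,
        # the number of missed heartbeats before the shadow server takes ownership,
        # and the interval after which discard information is dropped.
        $ts = Get-TransportServer -Identity $server
        Write-Host ('{0}: heartbeat timeout={1} retries={2} auto-discard interval={3}' -f `
            $server, $ts.ShadowHeartbeatTimeoutInterval, `
            $ts.ShadowHeartbeatRetryCount, $ts.ShadowMessageAutoDiscardInterval)

        # One shadow queue exists per primary server that this server is shadowing.
        # On a shadow queue, NextHopDomain names the primary server that holds the
        # copy actually being delivered.
        $shadowQueues = Get-Queue -Server $server -Filter { DeliveryType -eq 'ShadowRedundancy' }
        if (-not $shadowQueues) {
            Write-Host '  no shadow queues: nothing is waiting for a discard notification'
            continue
        }
        foreach ($queue in $shadowQueues) {
            Write-Host ('  shadow queue {0}: primary={1} messages={2} status={3}' -f `
                $queue.Identity, $queue.NextHopDomain, $queue.MessageCount, $queue.Status)
            # These are the shadow copies. They are removed once the primary reports
            # the discard status; copies that keep growing in number mean the SRM on
            # this server has not heard back from that primary.
            Get-Message -Queue $queue.Identity |
                Select-Object Identity, FromAddress, Subject, Status, DateReceived |
                Format-Table -AutoSize
        }
    }
}

Get-ShadowRedundancyReport
```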

How High Availability Works for Edge Transport Servers

Key Points

Edge Transport servers provide both inbound and outbound e-mail delivery. For outbound delivery, providing high availability is as simple as deploying multiple Edge Transport servers and creating an Edge subscription. If you have deployed Exchange servers in multiple Active Directory sites, you may need additional redundant Edge Transport servers.

Multiple DNS MX Records

The SMTP protocol was created with delivery redundancy in mind. It uses special DNS records called mail exchanger (MX) resource records to locate the authoritative SMTP servers for a domain. These records point to the fully qualified domain names of the SMTP servers, which in this case are the Edge Transport servers. You can create multiple MX records and assign each a weight. A sending server uses the lower-weighted records before the higher-weighted records, and MX records with the same weight are load balanced in round-robin fashion. If one of the hosts fails to respond, Exchange Server attempts the next host on the list.

Hardware-Based Load Balancing

High availability for inbound e-mail delivery requires multiple load-balanced Edge Transport servers. You can achieve load balancing either with a hardware load balancer or by using multiple DNS records. Using a hardware load balancer balances inbound communication between Edge Transport servers and provides redundancy in case of a server failure.

Like Hub Transport servers, Edge Transport servers also support shadow redundancy. However, shadow redundancy does not cover all scenarios, because most of the messaging servers that the Edge Transport role communicates with do not support shadow redundancy.

Lab: Implementing High Availability

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.

2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and the 10135A-VAN-EX3 virtual machines are running:

• 10135A-VAN-DC1: Domain controller in the Adatum.com domain.

• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.

• 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain.

• 10135A-VAN-EX3: Exchange 2010 server in the Adatum.com domain.

3. If required, connect to the virtual machines. Log on to the virtual machines as Adatum\Administrator, using the password Pa$$w0rd.

Lab Scenario

You are the messaging administrator for A. Datum Corporation. You have completed the basic installation for three Exchange servers. Now you must complete the configuration so that they are highly available.

Exercise 1: Deploying a DAG

Scenario

You must complete the Mailbox server high availability configuration by creating a DAG and making the Accounting database highly available.

The main tasks for this exercise are:

1. Create a DAG named DAG1 using the Exchange Management Shell.

2. Create a mailbox database copy of the Accounting database.

3. Verify successful completion of database copying.

4. Suspend the database copy on VAN-EX2.

Task 1: Create a DAG named DAG1 using the Exchange Management Shell

1. On VAN-EX1, open the Exchange Management Shell.

2. Use the New-DatabaseAvailabilityGroup cmdlet to create a DAG with the following information:

• Name: DAG1

• WitnessServer: \\VAN-DC1\FSWDAG1

• WitnessDirectory: C:\FSWDAG1

• IP Address: 10.10.0.80

3. Use the Add-DatabaseAvailabilityGroupServer cmdlet to add VAN-EX1 as a member of DAG1.

4. On VAN-EX2, open the Exchange Management Console.

5. On the Database Availability Groups tab, add VAN-EX2 as a member of DAG1.

Task 2: Create a mailbox database copy of the Accounting database

1. On VAN-EX1, open the Exchange Management Console.

2. On the Database Management tab, add a mailbox database copy of Accounting to VAN-EX2.

Task 3: Verify successful completion of database copying

• On VAN-EX1, view the properties of the Accounting database, and ensure its status is Healthy.

Task 4: Suspend the Accounting database copy on VAN-EX2

• On VAN-EX1, suspend the Accounting database copy on VAN-EX2.

Results: After this exercise, you should have created a DAG and a mailbox database copy of the Accounting database. The Accounting database copy on VAN-EX2 should remain in a suspended state.
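The four tasks of Exercise 1 as one Exchange Management Shell script, added here as an example rather than taken from the course. It assumes the lab names (DAG1, VAN-DC1 as witness server with C:\FSWDAG1 as witness directory, VAN-EX1 and VAN-EX2, the Accounting database, DAG IP address 10.10.0.80) and adds the check a practitioner wants: the copy is suspended only after it has actually reached Healthy.

```powershell
# Added example, not part of the course. Assumes the lab's names and addresses.
# Run from the Exchange Management Shell on VAN-EX1.

# Poll a database copy until it reports Healthy, failing fast on Failed/FailedAndSuspended.
function Wait-DatabaseCopyHealthy {
    param(
        [string] $CopyIdentity,          # e.g. 'Accounting\VAN-EX2'
        [int]    $TimeoutSeconds = 900
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $copy = Get-MailboxDatabaseCopyStatus -Identity $CopyIdentity
        Write-Host ('{0}: status={1} copyqueue={2} replayqueue={3}' -f `
            $CopyIdentity, $copy.Status, $copy.CopyQueueLength, $copy.ReplayQueueLength)
        if ($copy.Status -eq 'Healthy') { return $copy }
        if (@('Failed', 'FailedAndSuspended') -contains $copy.Status) {
            throw "Copy $CopyIdentity failed: $($copy.ErrorMessage)"
        }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Copy $CopyIdentity did not reach Healthy within $TimeoutSeconds seconds"
}

# Task 1: create the DAG and add both Mailbox servers.
# The witness is a domain controller here (lab only). Because the witness server is not
# an Exchange server, the Exchange Trusted Subsystem group must be a member of its
# local Administrators group (on a domain controller, that is the domain's Administrators
# group, which is why a DC is a poor witness choice in production) before this cmdlet
# can create the file share witness.
New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer VAN-DC1 `
    -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIPAddresses 10.10.0.80
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer VAN-EX1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer VAN-EX2

# Task 2: seed a passive copy of Accounting on VAN-EX2.
Add-MailboxDatabaseCopy -Identity Accounting -MailboxServer VAN-EX2 -ActivationPreference 2

# Task 3: do not move on until seeding and log replay have caught up.
$null = Wait-DatabaseCopyHealthy -CopyIdentity 'Accounting\VAN-EX2'

# Task 4: suspend the copy (it is resumed again in Exercise 3). The comment shows up in
# Get-MailboxDatabaseCopyStatus, so whoever finds the copy suspended later knows why.
Suspend-MailboxDatabaseCopy -Identity 'Accounting\VAN-EX2' `
    -SuspendComment 'Lab exercise 1: suspended on purpose' -Confirm:$false

# Expected end state: Accounting\VAN-EX2 reports Suspended and DAG1 has two members.
Get-MailboxDatabaseCopyStatus -Identity 'Accounting\VAN-EX2' |
    Format-List Name, Status, SuspendComment
Get-DatabaseAvailabilityGroup -Identity DAG1 |
    Format-List Name, Servers, WitnessServer, WitnessDirectory
```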

Exercise 2: Deploying Highly Available Hub Transport and Client Access Servers

Scenario

The network team used a hardware load balancer to load balance VAN-EX1 and VAN-EX2 for Client Access connections. They have assigned a load balanced IP address of 10.10.0.30, and have created a DNS record for the name CASArray.adatum.com. Now you must complete the Client Access configuration.

The main tasks for this exercise are:

1. Create and configure a client access array for CASArray.adatum.com.

2. Assign the client access array to the databases.

Task 1: Create and configure a client access array for CASArray.adatum.com

1. On VAN-EX1, open Exchange Management Shell.

2. Use the New-ClientAccessArray cmdlet to create a new client access array named CasArray.adatum.com for the Default-First-Site-Name Active Directory site.

Task 2: Assign the client access array to the databases

1. On VAN-EX1, use the Exchange Management Shell to retrieve a list of all of the databases on VAN-EX1 and VAN-EX2.

2. Use the Set-MailboxDatabase cmdlet to assign each database on VAN-EX1 and VAN-EX2 the CasArray.adatum.com client access array as the RpcClientAccessServer.

Results: At the end of this exercise, you should have created a client access array and assigned it to the databases.
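Exercise 2 scripted in the Exchange Management Shell, as an added example that is not part of the course. It assumes the lab's site name, the array FQDN the network team registered in DNS, and VAN-EX1 and VAN-EX2 as the Mailbox servers, and it ends with the check that no database in the organization still points clients at an individual server.

```powershell
# Added example, not part of the course. Assumes the lab's site name, the array FQDN
# the network team registered in DNS, and VAN-EX1/VAN-EX2 as the Mailbox servers.
$Site      = 'Default-First-Site-Name'
$ArrayFqdn = 'CasArray.adatum.com'

# Task 1: create the array once. The FQDN must be the DNS name that resolves to the
# load balancer's virtual IP (10.10.0.30), not to an individual Client Access server.
$array = Get-ClientAccessArray -Identity $ArrayFqdn -ErrorAction SilentlyContinue
if (-not $array) {
    $array = New-ClientAccessArray -Name $ArrayFqdn -Fqdn $ArrayFqdn -Site $Site
}

# Task 2: point every database on both servers at the array. Outlook (MAPI/RPC) clients
# read RpcClientAccessServer from the database when the profile is created, so this is
# what makes new profiles connect through the load balancer instead of a single server.
# Profiles created before this change keep the old server name and need a profile repair.
foreach ($server in 'VAN-EX1', 'VAN-EX2') {
    Get-MailboxDatabase -Server $server | ForEach-Object {
        Set-MailboxDatabase -Identity $_.Identity -RpcClientAccessServer $ArrayFqdn
    }
}

# Verification: any database that still names an individual server is a single point
# of failure for the mailboxes it hosts.
function Get-DatabaseNotUsingArray {
    param([string] $Fqdn)
    Get-MailboxDatabase |
        Where-Object { "$($_.RpcClientAccessServer)" -ne $Fqdn } |
        Select-Object Name, Server, RpcClientAccessServer
}

$stale = @(Get-DatabaseNotUsingArray -Fqdn $ArrayFqdn)
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) database(s) do not use the client access array:"
    $stale | Format-Table -AutoSize
} else {
    Write-Host "All databases use $ArrayFqdn as their RpcClientAccessServer."
}
```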

Exercise 3: Testing the High Availability Configuration

Scenario

You have completed the high availability configuration. You now must verify that the high availability configuration is working properly.

The main tasks for this exercise are:

1. Create an SMTP connector associated with VAN-EX1 and VAN-EX2.

2. Stop the SMTP service on VAN-DC1.

3. Send an e-mail to an internal user and an external SMTP address.

4. Use Queue Viewer to locate the message in the queue.

5. Start SMTP service on VAN-DC1 to allow queued message delivery.

6. Verify that the messages were removed from the shadow redundancy queue.

7. Verify the copy status of the Accounting database copy and resume the database copy.

8. Perform a switchover on the Accounting database to make the VAN-EX2 copy active.

9. Simulate a server failure.

Task 1: Create an SMTP connector associated with VAN-EX1 and VAN-EX2

1. On VAN-EX2, if required, open Exchange Management Console.

2. Create an SMTP send connector named Internet Mail, and then configure an address space of “*” for the connector.

3. Add VAN-DC1.adatum.com as the Smart host for the connector, and VAN-EX1 and VAN-EX2 as the source servers.

Task 2: Stop the SMTP service on VAN-DC1

• On VAN-DC1, stop the Simple Mail Transfer Protocol (SMTP) service.

Task 3: Send an e-mail to an internal user and an external SMTP address

1. On VAN-EX1, log on to Outlook Web App as Adatum\Jason with a password of Pa$$w0rd.

2. Create and send a new e-mail addressed to [email protected] and [email protected].

Task 4: Use Queue Viewer to locate the message in the queue

1. On VAN-EX2, open Queue Viewer.

2. Connect to VAN-EX1 and VAN-EX2 to locate which server queues the e-mail sent from Jason.

3. Make note of the server where the message is queued.

4. Examine the shadow redundancy queue on VAN-EX3.

Task 5: Start SMTP service on VAN-DC1 to allow delivery of the queued message

1. On VAN-DC1, open Server Manager.

2. Start the SMTP service.

Task 6: Verify that the messages were removed from the shadow redundancy queue

1. On VAN-EX2, open Queue Viewer.

2. Connect to VAN-EX3, where the message was queued in the shadow redundancy queue, and then verify that it is no longer queued.

Task 7: Verify the copy status of the Accounting database, and resume the database copy

1. On VAN-EX2, open the Exchange Management Console.

2. View the database copy health on the Suspended copy on VAN-EX2.

3. Resume the database copy on VAN-EX2, and wait until the copy status is Healthy.

Task 8: Perform a switchover on the Accounting database to make the VAN-EX2 copy active

1. On VAN-EX2, open the Exchange Management Console.

2. Verify that the active Accounting database is on VAN-EX1.

3. Select the Accounting database on VAN-EX2, and then activate the copy.

Task 9: Simulate a server failure

1. On VAN-EX1, open the Exchange Management Console, and view the status of the Accounting database.

2. In Hyper-V™ Manager, revert 10135A-VAN-EX2.

3. Verify the Accounting database is now active on VAN-EX1.

Results: After this exercise, you should have verified that the mailbox databases could fail over and switch between DAG servers, and that Hub Transport shadow redundancy is working properly.
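The checks in Exercise 3, done from the Exchange Management Shell instead of Queue Viewer and the console, as an added example that is not part of the course. It assumes the lab server names, SMTPSVC as the service name of the IIS SMTP service on VAN-DC1, and a placeholder sender address; the test message itself is still sent from Outlook Web App as Jason (Task 3), and Task 9 is done in Hyper-V outside this script.

```powershell
# Added example, not part of the course. Assumes the lab servers, the IIS SMTP service
# name SMTPSVC on VAN-DC1, and a placeholder address for the lab user Jason.
$Sender = 'jason@adatum.com'   # placeholder; use the lab user's real address

# Task 1: outbound connector through the VAN-DC1 smart host, sourced from both Hub
# servers so that either can deliver and the other can hold the shadow copy.
New-SendConnector -Name 'Internet Mail' -Usage Internet -AddressSpaces 'SMTP:*;1' `
    -DNSRoutingEnabled $false -SmartHosts 'VAN-DC1.adatum.com' -SmartHostAuthMechanism None `
    -SourceTransportServers 'VAN-EX1', 'VAN-EX2'

# Task 2: take the smart host away so that outbound mail has to queue.
$smtp = Get-Service -ComputerName VAN-DC1 -Name SMTPSVC
$smtp.Stop(); $smtp.WaitForStatus('Stopped')

# Task 3 is done in Outlook Web App.
Read-Host 'Send the test message from OWA as Jason, then press ENTER'

# Task 4: which Hub server holds the primary copy? The -Filter string is evaluated
# server-side, so the address is expanded into it here rather than in a script block.
function Find-QueuedMessage {
    param([string[]] $Servers, [string] $From)
    foreach ($server in $Servers) {
        Get-Message -Server $server -Filter "FromAddress -eq '$From'" | ForEach-Object {
            Write-Host ('{0}: queue={1} status={2} lastError={3}' -f `
                $server, $_.Queue, $_.Status, $_.LastError)
        }
    }
}
Find-QueuedMessage -Servers 'VAN-EX1', 'VAN-EX2', 'VAN-EX3' -From $Sender

# The shadow copy sits on the server that received the message first; on a shadow
# queue NextHopDomain is the primary server, which is how the two are told apart.
Get-Queue -Server VAN-EX3 -Filter { DeliveryType -eq 'ShadowRedundancy' } |
    Format-Table Identity, NextHopDomain, MessageCount, Status -AutoSize

# Task 5: restore the smart host and let the primary deliver.
$smtp.Start(); $smtp.WaitForStatus('Running')

# Task 6: the shadow copy is dropped only after the primary reports the discard status
# (at the end of the next SMTP session or after the heartbeat interval), so poll.
$deadline = (Get-Date).AddMinutes(15)
do {
    $remaining = (Get-Queue -Server VAN-EX3 -Filter { DeliveryType -eq 'ShadowRedundancy' } |
        Measure-Object -Property MessageCount -Sum).Sum
    if (-not $remaining) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)
if ($remaining) { Write-Warning "Shadow queue on VAN-EX3 still holds $remaining message(s)" }

# Tasks 7 and 8: resume the copy suspended in Exercise 1, wait for Healthy, then move
# the active copy to VAN-EX2 and confirm where the database is mounted.
Resume-MailboxDatabaseCopy -Identity 'Accounting\VAN-EX2'
do {
    Start-Sleep -Seconds 15
    $copy = Get-MailboxDatabaseCopyStatus -Identity 'Accounting\VAN-EX2'
} until ($copy.Status -eq 'Healthy')
Move-ActiveMailboxDatabase -Identity Accounting -ActivateOnServer VAN-EX2 -Confirm:$false
(Get-MailboxDatabase -Identity Accounting -Status).MountedOnServer   # expect VAN-EX2

# Task 9 (revert VAN-EX2 in Hyper-V) happens outside Exchange. Afterwards the same
# property should name VAN-EX1 again, which is the failover the exercise verifies.
```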

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.

Module Review and Takeaways

Review Questions

1. Besides planning for Exchange Server failures, what other failures should you consider?

2. In which scenarios might you use hardware load balancing with Edge Transport servers?

Common Issues Related to Creating High Availability Edge Transport Solutions

Identify the causes for the following common issues related to highly available Edge Transport servers, and fill in the troubleshooting tips. For answers, refer to the relevant lessons in the module.

Issue: Inbound e-mail is not being delivered evenly across all of the Edge Transport servers.

Troubleshooting tip: Ensure that the DNS MX records have the same value. If the values are not the same, only the records with the lowest value will be used.

Issue: After deploying highly available Edge Transport servers, outbound e-mail is being returned as possible spam.

Troubleshooting tip: Verify that your outbound mail servers are configured with a host name that is resolvable on the Internet. Many servers reject e-mail from servers that do not have a name or an IP address that can be resolved on the Internet.

Real-World Issues and Scenarios

1. An organization has several branch offices with a small number of employees. However, the organization needs to deploy a high availability solution in the remote offices. What configuration can it deploy to meet its business needs?

2. An organization uses a variety of service-level agreements for database availability for different business units. It wants to minimize the number of mailbox servers it deploys. How can it do this?

Best Practices Related to Designing a High Availability Solution

Supplement or modify the following best practices for your own work situations:

• Identify all possible failure points before designing a solution. Even the most elaborate and expensive designs can have a simple and crippling failure point.

• Document all of the components of the solution so that everyone involved in the deployment understands how the solution is configured.

• Follow change-management procedures. In some environments, it may be tempting to skip these steps. However, not following proper change-management procedures often leads to extended, unplanned downtime.

Module 8 Implementing Backup and Recovery

Contents:

Lesson 1: Planning Backup and Recovery 8-3

Lesson 2: Backing Up Exchange Server 2010 8-18

Lesson 3: Restoring Exchange Server 2010 8-31

Lab: Implementing Backup and Recovery 8-48

Module Overview

Your Exchange Server databases contain the messages for all of your users, so they hold the data that is most important for you to retain. Backing up the databases that contain these messages is therefore one of your key concerns for your messaging system. Sometimes users accidentally delete their e-mails, and you, as the administrator, must restore their messages. This can take a long time.

Microsoft® Exchange Server 2010 contains new backup and restore features that you should consider before using the traditional backup-to-tape approach that most organizations use. This module describes the backup and restore features of Exchange Server 2010, and details what you need to consider when you create a backup plan.

After completing this module, you will be able to:

• Plan backup and recovery.

• Back up Exchange Server 2010.

• Restore Exchange Server 2010.

Lesson 1 Planning Backup and Recovery

Before deciding on which backup type you want to use and which software to buy, you first need to consider your available options. Exchange Server 2010 provides many new options for backing up your databases and restoring single items.

In this lesson, you will learn the important considerations for backing up and restoring Exchange Server 2010, so that you can create a good plan for your organization.

After completing this lesson, you will be able to:

• Describe the importance of planning for disaster recovery.

• Integrate high availability and disaster recovery.

• Identify and mitigate potential Exchange Server 2010 disasters.

• Recover deleted items.

• Describe the disaster-recovery options for Mailbox servers.

• Create a point-in-time database snapshot.

• Describe backup and restore scenarios.

Discussion: The Importance of Planning for Disaster Recovery

Key Points

This discussion details the importance of disaster-recovery planning and of having an understanding of the options that Exchange Server has available should a disaster occur.

Question: Why is it important to plan for a disaster?

Question: What current plan does your organization have for disaster recovery?

Integrating High Availability and Disaster Recovery

Key Points

You can integrate your high availability deployment with disaster recovery, especially if you consider the Exchange Server 2010 high availability features sufficient to satisfy your backup requirements.

Link Between High Availability and Disaster Recovery

Exchange Server 2010 high availability features, such as database availability groups (DAGs), allow you to maintain up to 16 copies of a mailbox database. Maintaining so many database copies lessens the need to use backups for disaster recovery. You can spread database copies across multiple sites, which allows you to address data-center failures and maintain an off-site copy of a database.

In Exchange Server 2010, high availability and disaster recovery go hand-in-hand. DAGs are the basis of high availability, but you also can use them to recover from a disaster in a quick and reliable way.

High Availability Provides Options Beyond Traditional Backup and Restore

Using DAGs to configure a lagged, or point-in-time, copy of a database allows you to delay committing changes to that copy for up to 14 days. Thus, you always have a copy of the database as it was the previous day or week. Should a logical corruption of your current database occur, you can revert to the lagged copy and replay the transaction logs up to a specific point in time that you decide.

The point-in-time database feature, together with maintaining many database copies across multiple sites, means that organizations do not have to perform nightly backups. This is particularly true for medium and large-size organizations.

Large Mailbox Considerations

Mailboxes that are more than 1 gigabyte (GB) in size require a more flexible backup and restore method, because the amount of data they contain is dramatically more than Exchange Server administrators typically deal with. Even though the Exchange Server 2010 database structure handles large mailboxes better than previous versions, you should be aware of the additional data requirements for backup.

The time it takes to restore a backup during disaster recovery increases sharply when you have large mailboxes. When you implement large mailboxes, consider using backup-less Exchange Server and the Recoverable Items folder in Exchange Server 2010 to recover data. These features provide you with two viable options to move away from traditional backups.

Backup and Restore Requirements in a Highly Available Deployment

Even though it may appear that highly available deployments no longer require traditional backups, they are still important. You may want to use existing backup strategies that provide offsite data storage at secure locations. Sometimes backups also serve an archival purpose, and typically, organizations use tape to preserve point-in-time data for extended periods, as compliance requirements mandate.

Additionally, remember that integrating high availability features as an alternative to backups only works for the mailbox database, not for other Exchange Server resources, such as the Hub Transport configuration. You still need to consider using traditional backup for the Hub Transport server.

Question: Why should you back up Exchange Server databases?

Disaster Mitigation Options in Exchange Server 2010

Key Points

As you prepare to implement disaster-recovery solutions in Exchange Server 2010, you first must identify the potential risks to the Exchange Server environment, and then identify the options for mitigating those risks. The following table lists potential risks and the Exchange Server 2010 options for mitigating the risks:

Risks and risk mitigation strategies:

Risk: Loss of a single message

• Configure recoverable items folder and deleted item retention settings

• Recover messages from backup by using the recovery database

Risk: Loss of a single mailbox

• Configure mailbox-retention settings to ensure that you can recover most deleted mailboxes before they are deleted permanently

• Configure a hold policy, and recover the mailbox contents from the hold by using a discovery mailbox

• Recover mailbox using the recovery database

Risk: Loss of a database or server

• Create a DAG on another server

• Back up the Exchange Server data, and recover lost mailbox databases from backup

• Install Exchange Server 2010 with /m:RecoverServer

Risk: Loss or corruption of a mailbox database

• Create a lagged database copy in a DAG environment

• Back up the Exchange Server data, and recover lost mailbox databases from backup

Risk: Loss of a public folder database

• Implement public folder replicas on other computers running Exchange Server

Risk: Loss of an Exchange Server computer running the Hub Transport, Client Access, or the Unified Messaging server roles

• Implement redundant computers running Exchange Server for each role

• Back up all information on the computer running Exchange Server, and recover the server from backup

• Install Exchange Server 2010 on a new computer in Recover Server mode

Risk: Loss of an Exchange Server computer running the Mailbox server role

• Implement redundant databases using DAGs

• Implement a dial-tone recovery

• Back up all information on the computer running Exchange Server, and recover the server from backup

• Install Exchange Server 2010 on a new server in Recover Server mode

Risk: Loss of an Exchange Server computer running the Edge Transport server role

• Implement redundant Exchange servers for each role

• Back up all information on the computer running Exchange Server, and restore the server from backup

• Back up the Edge Transport server configuration using ExportEdgeConfig, and restore from backup

Risk: Loss of a supporting service, such as DNS or the Active Directory

• Implement redundant servers for each of the required services

• Implement a disaster-recovery plan for restoring Active Directory® Domain Services (AD DS) or Active Directory directory service from backup

Demonstration: Recovering Deleted Items

Key Points

In this demonstration, you will review how to configure the global hold policy for recoverable items, so that you can recover a deleted folder using the Discovery Search Mailbox.

Demonstration Steps

1. At the Exchange Management Shell prompt, type Set-Mailbox ScottMacDonald -SingleItemRecoveryEnabled:$true, and then press ENTER.

2. At the Exchange Management Shell prompt, type New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User 'adatum\administrator', and then press ENTER.

3. In the Exchange Management Console, assign the Administrator account full access permissions to the Discovery Search Mailbox.

4. In Scott MacDonald’s mailbox, create a new folder, populate that folder with messages, and then delete the folder.

5. Log on to Microsoft Outlook Web App as Administrator to define a Mailbox Search.

6. Open the Discovery Search Mailbox, and verify that it contains the deleted message.

7. Use the Export-Mailbox cmdlet to recover the folder to its original mailbox.

8. Verify that the message was recovered by accessing Scott MacDonald’s mailbox.

Question: What is the benefit of using this feature to recover mailboxes compared to existing brick-level backup solutions?
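The same recovery path from the Exchange Management Shell, so that the search and the copy-back are repeatable rather than clicked through in Outlook Web App; this is an added example for Exchange Server 2010 RTM, not part of the course. It assumes the demonstration's accounts (ScottMacDonald, adatum\administrator), the default Discovery Search Mailbox, a recovery folder name of my choosing, and, for the Export-Mailbox step, that Search-Mailbox placed its results directly under that folder.

```powershell
# Added example, not part of the course. Assumes the demonstration's user and admin
# accounts and the default discovery mailbox created by Exchange setup.
$User           = 'ScottMacDonald'
$Admin          = 'adatum\administrator'
$RecoveryFolder = "$User-Recovery"     # folder name chosen for this example
$Discovery      = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Select-Object -First 1

# 1. Single item recovery: items the user purges from Deleted Items stay in Recoverable
#    Items (Deletions, and Purges once hard-deleted) for the retention window instead of
#    vanishing, so a deletion can be undone by an administrator. 14 days is the default.
Set-Mailbox -Identity $User -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 14.00:00:00

# 2. Rights: Search-Mailbox needs the Mailbox Search role, which the Discovery Management
#    role group carries; the demonstration's Mailbox Import Export role is what
#    Export-Mailbox needs. Both take effect in a new shell session.
Add-RoleGroupMember -Identity 'Discovery Management' -Member $Admin
New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User $Admin

# 3. Let the administrator open the discovery mailbox to review what was found.
Add-MailboxPermission -Identity $Discovery.Identity -User $Admin `
    -AccessRights FullAccess -InheritanceType All

# 4. What is sitting in Recoverable Items right now? Run before and after the search.
function Get-RecoverableItemsSummary {
    param([string] $Mailbox)
    Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
        Select-Object Name, ItemsInFolder, FolderSize
}
Get-RecoverableItemsSummary -Mailbox $User

# 5. Search only the dumpster (Recoverable Items) of the user's mailbox. -LogOnly first
#    reports the hit count without copying anything; the second call copies the hits
#    into the discovery mailbox under $RecoveryFolder.
Search-Mailbox -Identity $User -SearchDumpsterOnly -TargetMailbox $Discovery.Identity `
    -TargetFolder $RecoveryFolder -LogOnly -LogLevel Full
Search-Mailbox -Identity $User -SearchDumpsterOnly -TargetMailbox $Discovery.Identity `
    -TargetFolder $RecoveryFolder

# 6. Copy the recovered folder from the discovery mailbox back to the user (the
#    demonstration's Export-Mailbox step). The folder path is an assumption about
#    where Search-Mailbox placed the results.
Export-Mailbox -Identity $Discovery.Identity -TargetMailbox $User `
    -TargetFolder 'Recovered items' -IncludeFolders "\$RecoveryFolder" -Confirm:$false

# 7. Verify from the user's side: the items are back in an ordinary folder.
Get-MailboxFolderStatistics -Identity $User |
    Where-Object { $_.FolderPath -like '/Recovered items*' } |
    Select-Object FolderPath, ItemsInFolder
```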

Disaster-Recovery Options for Mailbox Servers

Key Points

Exchange Server 2010 includes new recovery options for mailbox servers.

Disaster Recovery with DAGs

The ability to create up to 16 database copies, even on off-site servers, allows you to recover a copy quickly and easily if one is destroyed or unavailable. Failover in the DAG is configured automatically, so clients should not experience much disruption.

Mailbox Servers in a DAG Can Host Other Server Roles

Unlike previous Exchange Server versions, each Mailbox server that is a member of a DAG also can host other server roles, such as the Hub Transport and Client Access server roles. Thus, you can deploy all server roles, including the DAG, at a branch office or a remote site that does not have the budget to implement an expensive server environment. All an organization needs is one Exchange server to support both its server and disaster-recovery needs.

Point-in-Time Database Snapshot with Lagged Copy of DAG

If your organization requires a point-in-time copy of mailbox data, use Exchange Server 2010 to create a lagged copy in a DAG environment. You can use lagged database copies in the rare event that a logical corruption replicates across the DAG databases, resulting in a need to return to a previous point in time. For example, you can configure the lagged database to commit log files to a maximum of two weeks. You also can place this database copy on a server at another site.

Recovery Database to Recover Mailboxes, Folders, or Items

In Exchange Server 2010, the recovery database replaces the Recovery Storage Group (RSG) found in Exchange Server 2007. The recovery database is an additional database that you mount on your server to recover single messages, folders, or entire mailboxes from an offline or online backup of your Exchange database.

Lower Cost of DAG Backup Compared to Traditional Backup

Evaluate the cost of your current backup infrastructure, including hardware, installation, and license costs, as well as the management cost associated with recovering data and maintaining the backups. Depending on your organization’s requirements, a DAG environment may provide lower total cost of ownership (TCO) than a traditional backup environment.

Demonstration: How to Create a Point-in-Time Database Snapshot

Key Points

In this demonstration, you will review how to configure a database copy on a remote server, and how to configure that copy as a lagged database copy. Additionally, you will see how to block automatic activation of the database copies on a server to prevent accidental activation.

Demonstration Steps

1. At the Exchange Management Shell prompt, type New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer VAN-DC1 -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIPaddresses 10.10.0.100, and then press ENTER.

Note: You can only place the witness directory on a Hub Transport server when you are using the Exchange Management Console. However, when using the Exchange Management Shell, you can place the witness directory on any server, including a server that is not running the Exchange server role.

2. On the Exchange Management Console, add VAN-EX1 and VAN-EX2 to DAG1, and then add a copy of the Accounting database to VAN-EX2 with a replay lag time of 7 days.

3. At the Exchange Management Shell prompt, type Set-MailboxServer VAN-EX2 -DatabaseCopyAutoActivationPolicy Blocked, and then press ENTER.
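Steps 2 and 3 of the demonstration from the Exchange Management Shell, followed by a check that the lag is actually in effect and that the copy cannot be activated automatically. This is an added example, not part of the course; it assumes DAG1 already exists with VAN-EX1 and VAN-EX2 as members (step 1 and the first half of step 2).

```powershell
# Added example, not part of the course. Assumes DAG1 already exists with VAN-EX1 and
# VAN-EX2 as members, and that Accounting is currently active on VAN-EX1.
$Database  = 'Accounting'
$LagServer = 'VAN-EX2'

# ReplayLagTime: log files are shipped to this copy immediately but replayed into its
# database only after the delay, so the copy trails the active database by up to 7 days
# and a logical corruption replicated during that window is not yet in it.
# TruncationLagTime keeps already-replayed logs on this copy for one more day.
Add-MailboxDatabaseCopy -Identity $Database -MailboxServer $LagServer `
    -ReplayLagTime 7.00:00:00 -TruncationLagTime 1.00:00:00 -ActivationPreference 2

# Never let Active Manager fail over onto a copy that is a week old: block automatic
# activation for every copy hosted on the lagged server (demonstration step 3).
Set-MailboxServer -Identity $LagServer -DatabaseCopyAutoActivationPolicy Blocked

# A lagged copy that is working has a growing ReplayQueueLength while CopyQueueLength
# stays near zero (logs arrive but are held back), and its last replayed log is older
# than its last inspected log. Right after seeding both queues are empty, so rerun this
# once the active database has generated some log files.
function Test-LaggedCopy {
    param([string] $Db, [string] $Server)
    $copy   = Get-MailboxDatabaseCopyStatus -Identity "$Db\$Server"
    $policy = (Get-MailboxServer -Identity $Server).DatabaseCopyAutoActivationPolicy
    $lags   = (Get-MailboxDatabase -Identity $Db).ReplayLagTimes
    $ok = ($copy.Status -eq 'Healthy') -and
          ($policy -eq 'Blocked') -and
          ($copy.ReplayQueueLength -gt $copy.CopyQueueLength)
    New-Object PSObject -Property @{
        Copy               = "$Db\$Server"
        Status             = $copy.Status
        CopyQueueLength    = $copy.CopyQueueLength
        ReplayQueueLength  = $copy.ReplayQueueLength
        LastInspectedLog   = $copy.LastInspectedLogTime
        LastReplayedLog    = $copy.LastReplayedLogTime
        AutoActivation     = $policy
        ConfiguredLags     = ($lags | ForEach-Object { "$_" }) -join '; '
        LaggedAndProtected = $ok
    }
}

Test-LaggedCopy -Db $Database -Server $LagServer | Format-List
```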

Backup and Restore Scenarios

Key Points

Even though Exchange Server 2010 supports backup-less scenarios, there are cases in which your organization may want to maintain its traditional backup methods.

No Available DAGs

Organizations that do not use DAGs need to consider traditional ways to back up their databases.

Single Exchange Server Implementation

A single Exchange Server implementation is not well suited to DAG usage, because a DAG requires additional server hardware. Traditional backups to disk or tape are the option to follow here.

Utilize an Existing Backup Environment

Your company’s backup strategy might require you to follow the same approach as other applications if an existing backup environment is available in which all other applications back up their data. So even when you maintain multiple copies of your database, you are required to have a copy of it in your backup environment.

Backups Are Governed by Compliance Requirements

You typically use tape backups if there is an archival reason to preserve data for an extended time, as governed by compliance requirements. Especially if the storage is long-term, sometimes up to 10 years, you also need to ensure that you can access the data in the future.

Lesson 2 Backing Up Exchange Server 2010

Backing up your company’s data is the most serious task in your Exchange Server installation. You cannot recover necessary data if you have not backed it up correctly. In this lesson you will learn the different ways that you can back up data with Exchange Server 2010.

After completing this lesson, you will be able to:

• Describe the backup changes in Exchange Server 2010.

• Describe the backup requirements for Exchange Server 2010.

• Describe backup strategies.

• Describe how a Volume Shadow Copy Service (VSS) backup works.

• Select an Exchange Server backup solution.

• Back up Exchange Server 2010.


Changes to Backup in Exchange Server 2010

Key Points Exchange Server 2010 changes to the backup application programming interface (API) and to the underlying database structure affect how you back up the Exchange Server database.

Removal of ESE Streaming APIs for Backup and Restore Previously, Exchange Server used Extensible Storage Engine (ESE) streaming APIs for backup and restore. Now, Exchange Server 2010 supports only VSS-based backups. To back up and restore Exchange Server 2010, you must use an Exchange Server-aware application that supports the VSS writer, such as Microsoft System Center Data Protection Manager or a third-party Exchange Server-aware, VSS-based application.


Storage Group Removal One significant change in Exchange Server 2010 is the removal of storage groups. In Exchange Server 2010, each database is associated with a single log stream as represented by a series of 1 megabyte (MB) log files. Each Mailbox server can host up to 100 active and passive databases.

Database Not Closely Linked to a Specific Mailbox Server Another significant change for Exchange Server 2010 is that databases no longer link closely to a specific Mailbox server. Database mobility expands the system’s use of continuous replication, by replicating a database to multiple servers. This provides better database protection and increases availability. If failures occur, the other servers with database copies can mount the database.

Use DAGs for Backup-Less Exchange Server Because you can have multiple database copies hosted on multiple servers, you can also consider maintaining a backup-less Exchange Server organization in which you enable circular logging on your databases. This removes the transaction log files so they do not pile up. Transaction log files are removed when you do a full Exchange Server backup. Circular logging accomplishes the same task in a backup-less environment.
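The following script is an added example and is not part of the course material or of the Exchange product. It shows the check a practitioner would want before enabling circular logging for a backup-less configuration: only databases that actually have several healthy copies should have their log truncation handed over to circular logging, because on a single-copy database the transaction logs are the only recovery path besides a backup. It assumes the Exchange Management Shell on an Exchange Server 2010 server; the threshold $MinimumCopies is constructed for the example.

```powershell
# Added example (not from the course): enable circular logging only on databases
# that have multiple healthy copies, so that a backup-less configuration never
# removes the only recovery path for a single-copy database.
# Assumed: run in the Exchange Management Shell; $MinimumCopies is a constructed threshold.

$MinimumCopies = 2

foreach ($db in Get-MailboxDatabase) {
    # One status object per copy (active and passive) of this database.
    $copies  = @(Get-MailboxDatabaseCopyStatus -Identity $db.Name)
    $healthy = @($copies | Where-Object { $_.Status -eq 'Mounted' -or $_.Status -eq 'Healthy' })

    if ($healthy.Count -ge $MinimumCopies) {
        if (-not $db.CircularLoggingEnabled) {
            Set-MailboxDatabase -Identity $db.Name -CircularLoggingEnabled $true
            Write-Host ("{0}: {1} healthy copies, circular logging enabled" -f $db.Name, $healthy.Count)
        } else {
            Write-Host ("{0}: {1} healthy copies, circular logging already on" -f $db.Name, $healthy.Count)
        }
    } else {
        # A single (or unhealthy) copy still needs full backups to truncate its logs.
        if ($db.CircularLoggingEnabled) {
            Write-Warning ("{0} has circular logging enabled but only {1} healthy copies" -f $db.Name, $healthy.Count)
        }
        Write-Host ("{0}: {1} healthy copies, leaving circular logging off" -f $db.Name, $healthy.Count)
    }
}
```

The script only ever turns circular logging on for replicated databases, which Exchange Server 2010 can do without dismounting the database; a database that has fallen below the copy threshold is reported rather than changed, so the decision to switch it back to traditional backups stays with the administrator.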


Backup Requirements for Exchange Server 2010

Key Points The backup requirements for Exchange Server 2010 computers differ depending on the Exchange server roles that you install on the computers. The following table lists the information that you need to back up for each Exchange server role:

Exchange server role: All roles
Backed-up data: System State of the server, and the Active Directory database on domain controllers
Purpose: System State includes the local configuration data of the machine. AD DS and Active Directory store most Exchange server configuration information, which is required to rebuild the server using Recover Server mode.

Exchange server role: Mailbox server
Backed-up data: Databases and transaction logs
Purpose: Restore data if a database or storage group is lost.

Exchange server role: Client Access server
Backed-up data: Server certificates used for Secure Sockets Layer (SSL); specific Internet Information Server (IIS) configuration
Purpose: Restore the server certificate on a new Client Access server; restore the IIS configuration.

Exchange server role: Hub Transport server, Edge Transport server
Backed-up data: Message-tracking logs
Purpose: Restore tracking information for analysis.

Exchange server role: Edge Transport server
Backed-up data: Content-filtering database
Purpose: Restore the content-filtering configuration. Restore the Edge Transport server configuration by enabling edge synchronization.

Exchange server role: Unified Messaging server
Backed-up data: Custom audio prompts
Purpose: Restore audio prompts.

The Exchange Server environment includes additional information, such as the Offline Address Book, availability data that a local folder stores, and other configuration data. This information is rebuilt automatically when you rebuild the Exchange Server environment. AD DS and Active Directory store much of the configuration information, which you can restore only if an Active Directory domain controller is available. You must ensure that your disaster-recovery planning includes backing up and restoring AD DS and Active Directory.
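The following script is an added example, not part of the course or of Exchange itself. It captures the two Client Access server items from the table above that are not covered by a database backup: the SSL certificates (with their private keys) that IIS uses, and the IIS configuration. It assumes the Exchange Management Shell running on the Client Access server with Exchange administrator rights; $BackupRoot and the IIS backup name are constructed for the example.

```powershell
# Added example (not from the course): export the SSL certificates a Client Access
# server uses for IIS, and take an IIS configuration backup, so both items from the
# backup-requirements table exist outside the server's System State.
# Assumed: Exchange Management Shell on the Client Access server; $BackupRoot is constructed.

$BackupRoot = 'D:\ExchangeBackup\CAS'
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# A PFX export carries the private key and requires a password; prompt for it rather
# than hard-coding it in a script that may end up on a file share.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

# Only the certificates that IIS (Outlook Web App, EWS, ActiveSync, Autodiscover) uses.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }

foreach ($cert in $iisCerts) {
    $exported = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
    $file = Join-Path $BackupRoot ("{0}.pfx" -f $cert.Thumbprint)
    Set-Content -Path $file -Value $exported.FileData -Encoding Byte
    Write-Host ("Exported {0} (expires {1}) to {2}" -f $cert.Subject, $cert.NotAfter, $file)
}

# IIS configuration (applicationHost.config and related files). appcmd stores the backup
# under %windir%\System32\inetsrv\backup\<name>; copy it next to the PFX files.
$backupName = 'CAS-' + (Get-Date -Format 'yyyyMMdd-HHmm')
& "$env:windir\System32\inetsrv\appcmd.exe" add backup $backupName
Copy-Item -Path "$env:windir\System32\inetsrv\backup\$backupName" -Destination $BackupRoot -Recurse

Get-ChildItem -Path $BackupRoot -Recurse | Select-Object FullName, Length, LastWriteTime
```

The exported PFX files are as sensitive as the private keys they contain: store $BackupRoot on media with the same access controls as the backup set itself, and record the export password in the same place the organization keeps other disaster-recovery secrets, since a certificate that cannot be imported on the replacement Client Access server is no better than no backup at all.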


Backup Strategies

Key Points You can use Windows Server® Backup in Windows Server 2008 or a third-party Exchange Server-aware backup tool to implement different backup strategies. The backup strategies from which you can choose include full, full plus incremental, full plus differential, copy, and brick-level backup. Each backup strategy has advantages and disadvantages in terms of storage requirements and performance. The backup strategy you select can affect how the restore process occurs.

Full Backups A full backup performs an online backup of both the database files and transaction logs. After successful completion of a full database backup, transaction logs that have been committed to the Exchange Server database are deleted.


Note: If a backup is not functioning properly, transaction logs on a server can grow quickly and cause a partition to run out of space. When the partition holding the transaction logs is out of space, the databases will dismount and be unavailable for use.

A full backup each day is the preferred strategy. Restoring a full backup is simple, and it requires only one backup set.

Full Plus Incremental Backups An incremental backup captures only the data that changed since the last full or incremental backup. Transaction logs are the only data included in this backup, and committed transaction logs are deleted after a successful incremental backup. If you enable circular logging, this backup option is not available.

Full Plus Differential Backups A differential backup captures only the data that has changed since the last full backup. This backup strategy only backs up the transaction logs. A differential backup never removes the transaction logs. If you enable circular logging, this backup option is not available.

Copy Backups A copy backup is equivalent to a full backup of the databases. However, the transaction logs are not backed up, deleted, or marked in any way. This ensures that the copy does not affect scheduled incremental or differential backups.

Brick-Level Backups Brick-level backups copy every message in all mailboxes. As a result, identical messages stored in several mailboxes all are backed up. This type of backup requires much more storage capacity and time than standard backup strategies, and it results in a backup that is significantly larger than the Exchange Server database.

For a brick-level backup, you need specific third-party backup software that is capable of storing the backed-up data so you have single-item recovery. You use this when a user requests single-item recovery, even though the item is not available in the Deleted Items folder anymore.


How Does a VSS Backup Work?

Key Points Exchange Server 2007 and Exchange Server 2003 include two different options for data backup and recovery: ESE streaming backup APIs and support for the VSS backup APIs. ESE streaming APIs are not available in Exchange Server 2010, thus you must back up Exchange Server with VSS backup APIs.

What Is VSS? VSS provides the backup infrastructure for Windows Server 2008, as well as a mechanism for creating consistent point-in-time data copies, which are known as shadow copies.


VSS produces consistent shadow copies by coordinating with business applications, file-system services, backup applications, fast-recovery solutions, and storage hardware. It includes the following components:

• Writer. The VSS writer included with Exchange Server 2010, which coordinates Exchange Server 2010’s input/output (I/O) with VSS.

• Requestor. Backup or restore application, such as Windows Server Backup.

• Provider. Low-level system or hardware interfaces, such as Storage Area Networks (SANs).

How VSS Backup Works Backup solutions that use VSS create a shadow copy of the disk as the backup process begins. The backup is then taken from the shadow copy rather than from the working disk, so that the backup does not interrupt normal operations.

This method offers the following advantages:

• It produces a backup of a volume that reflects that volume’s state when the backup begins, even if the data changes while the backup is in progress. All the data in the backup is internally consistent, and it reflects the volume’s state at a single point in time.

• It notifies applications and services that a backup is about to occur. The services and applications, such as Exchange Server, therefore can prepare for the backup by cleaning up on-disk structures and flushing caches.

Exchange Server Support for VSS Backup To perform a VSS backup, you must enable VSS on the Exchange server, and the third-party backup solution must support the VSS backup and restore APIs.

Exchange Server 2010 support for VSS has the following limitations:

• VSS support is at the database level.

• VSS support is for normal backups and copy backups, but not for incremental or differential backups.


Considerations for Selecting an Exchange Server Backup Solution

Key Points When selecting a backup solution for Exchange Server, you must consider your system’s characteristics and those of the software and hardware.

System characteristics to consider include:

• The amount of data you are backing up.

• The time window in which the backup can occur.

• The type of backup you are performing.

• Recovery time requirements.

• Archiving requirements.


Backup Software Selection Criteria The following table provides some basic criteria for selecting backup software. Select the software that best meets the needs of your Exchange Server deployment and disaster-recovery requirements.

Backup architecture: Your backup software should provide support for any operating systems that you have. Additionally, the backup software should be able to back up Exchange Server to your desired media, either on the local computer or over the network. Windows Server Backup is not capable of backing up to a remote tape drive.

Scheduling: Your backup software should support the ability to schedule the backups that you require for your organization. Most backup software allows you to schedule jobs at any time you require. However, it is easier to configure in some software packages.

Brick-level backup support: If desired, ensure that your software supports brick-level backups.

Exchange Server VSS API support: Your backup software must support the Exchange Server Backup VSS API to perform online backups successfully.

Tape management: Different backup software has varying degrees of flexibility for tape management. This includes automated naming of blank tapes and preventing existing tapes from being overwritten accidentally.

Vendor support: Vendor support is essential if you experience any problems during disaster recovery. Ensure that vendor support is available for your backup software.

Disaster-recovery support: Some backup software has a disaster-recovery option that provides complete disaster recovery for a failed server, including Exchange Server.

Hardware support: Your backup software must support the technologies that your company uses, including clustering or SANs.


Windows Server Backup When you install the Exchange Management Console on a server running Windows Server 2008, it updates Windows Server Backup to support Exchange Server 2010. Windows Server 2008 enables you to perform VSS-based backups of Exchange Server data.

For many smaller organizations, Windows Server Backup provides a sufficient solution. However, larger organizations may require a more robust backup strategy. Windows Server Backup limitations include:

• Backups only performed at volume level. You can only perform full backups, not incremental or differential backups.

• Backup support for active databases but not passive databases.

• Only available for Windows Server 2008 or Windows Server 2008 R2.

• Windows Server Backup command-line tools are not compatible with Exchange Server 2010.

Backup Hardware Selection Criteria The two most common types of backup hardware are tape and disk. Which you use depends on your requirements. The following table lists the characteristics of using either a tape or disk for backup:

Speed: Tape, slower. Disk server, faster. Portable disk, faster.

Capacity: Tape, up to 400 GB per tape (tape libraries allow the use of multiple tapes). Disk server, large. Portable disk, 1+ terabyte (typical) per disk.

Off-site storage: Tape, yes. Disk server, typically no. Portable disk, yes.

Media durability: Tape, excellent. Disk server, excellent. Portable disk, OK.

Many organizations use disk-based backup as the first tier, and then utilize tape as a second tier. This allows you to perform primary backups quickly to disk. Typically, any data that you need to archive off site is backed up to tape from the disk backup.


Demonstration: How to Back Up Exchange Server 2010

Key Points In this demonstration, you will review how to install the Windows Server Backup program and how to use Windows Server Backup to back up Exchange Server 2010. You will also use the Event Viewer to verify that the Exchange Server databases were backed up correctly.

Demonstration Steps

1. In Server Manager, add the Windows Server Backup feature.

2. In Windows Server Backup, create a backup set to back up the C: drive and run the backup.

3. In Event Viewer, verify that the Exchange Server databases are part of the backup and that they have been backed up successfully.

Question: Do you plan to use Windows Server Backup as your primary Exchange Server backup solution?
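The following script is an added example and is not part of the course or of Windows Server Backup. It automates two checks the module asks for: the warning in the Backup Strategies topic that a failing backup lets transaction logs fill the log partition and dismount the database, and step 3 of the demonstration, verifying in the event log that the databases were backed up. It assumes the Exchange Management Shell on the Mailbox server; $MaxBackupAgeHours and $MaxLogFiles are constructed thresholds.

```powershell
# Added example (not from the course): verify that Exchange databases are actually being
# backed up, covering the transaction-log warning in the Backup Strategies topic and the
# Event Viewer check in the demonstration.
# Assumed: Exchange Management Shell on the Mailbox server; thresholds below are constructed.

$MaxBackupAgeHours = 24
$MaxLogFiles       = 2000   # roughly 2 GB of 1 MB log files; tune to the log volume size

function Test-ExchangeBackupHealth {
    foreach ($db in Get-MailboxDatabase -Server $env:COMPUTERNAME -Status) {
        $logCount = @(Get-ChildItem -Path $db.LogFolderPath -Filter '*.log' -ErrorAction SilentlyContinue).Count
        $drive    = Get-PSDrive -Name ($db.LogFolderPath.PathName.Substring(0, 1))
        $freeGB   = [math]::Round($drive.Free / 1GB, 1)
        $lastFull = $db.LastFullBackup
        $ageHours = if ($lastFull) { ((Get-Date) - $lastFull).TotalHours } else { [double]::PositiveInfinity }

        # One record per database so the output can be handed to a monitoring system.
        # A database with circular logging enabled is not expected to have a recent full backup.
        New-Object PSObject -Property @{
            Database         = $db.Name
            LastFullBackup   = $lastFull
            BackupInProgress = $db.BackupInProgress
            CircularLogging  = $db.CircularLoggingEnabled
            LogFiles         = $logCount
            LogVolumeFreeGB  = $freeGB
            Problem          = (($ageHours -gt $MaxBackupAgeHours) -and -not $db.CircularLoggingEnabled) -or ($logCount -gt $MaxLogFiles)
        }
    }
}

Test-ExchangeBackupHealth |
    Format-Table Database, LastFullBackup, BackupInProgress, CircularLogging, LogFiles, LogVolumeFreeGB, Problem -AutoSize

# Event Viewer check from the demonstration: ESE logs the backup of each database and the
# Exchange Replication service VSS Writer (MSExchangeRepl) logs the overall job. Matching on
# the provider name and the word "backup" avoids depending on specific event IDs.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = @('ESE', 'MSExchangeRepl')
        StartTime    = (Get-Date).AddHours(-$MaxBackupAgeHours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'backup' } |
    Select-Object TimeCreated, ProviderName, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

LastFullBackup comes from the database header and is only updated when an Exchange-aware VSS backup completes, so a file-level copy of the volume that bypassed the Exchange writer leaves it unchanged; that makes it a better signal than the backup application's own job status. Run the function on each Mailbox server, since the event log entries are written on the server where the writer ran.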


Lesson 3 Restoring Exchange Server 2010

Another important component in ensuring availability of e-mail services is planning for recovery. Organizations that implement high availability solutions still need to plan for scenarios in which the high availability solutions are not enough. These scenarios might include something as minor as needing to recover a single mailbox or message, to something as catastrophic as losing an entire data center. This lesson discusses how to restore Exchange Server 2010.

After completing this lesson, you will be able to:

• Describe restore strategies.

• Describe the process for recovering data by using the recovery database.

• Recover data by using the recovery database.

• Describe dial-tone recovery.


• Implement dial-tone recovery.

• Describe database mobility.

• Recover computers that run Exchange Server.


Restore Strategies

Key Points You can use several strategies to restore Exchange Server data. The strategy that you select depends upon the data that you need to recover.

Hold Policy and Single Item Recovery This is a new Exchange Server 2010 feature. When you enable the Single Item Recovery feature for a mailbox, it keeps items that are purged from the Deleted Items folder in a new dumpster folder for a specific time. This folder is not accessible to the end user, but it is accessible to administrators assigned to the Discovery Management role. Essentially, you can ensure that items are not deleted for the duration that you typically keep backups.

Deleted Mailbox Retention By default, the mailbox database stores deleted mailboxes for 30 days. Within those 30 days, you can reconnect the mailbox to another account and access its messages. After you connect the mailbox to an account, the deleted mailbox retention period restarts if the mailbox is deleted again.


You can extend the deleted mailbox retention period on mailbox databases. However, extending the deleted mailbox retention period causes the mailbox database to grow to hold the additional deleted mailboxes.

Database Restores Restoring a database overwrites the existing database with a restored copy of the database. After you restore the database, you can replay the current transaction logs to bring the database to its current state. You typically restore a database when it becomes corrupt or a disk fails.

Recovery Database A recovery database lets you restore a database without affecting the current mailboxes. After you restore a database to the recovery database, you can copy messages to a folder or merge them into user mailboxes.

Dial-Tone Recovery Dial-tone recovery is the process of implementing user access to e-mail services without first restoring data to user mailboxes. Dial-tone recovery enables users to send and receive e-mail as soon as possible after a database or server loss. This module discusses dial-tone recovery in more depth later.

Recovery Server A recovery server is a dedicated server for restoring Exchange Server databases. It can be useful for testing backups to ensure that they are functioning properly. However, improvements in recovery-database performance have reduced the need to use a recovery server for data recovery.


Process for Recovering Data Using the Recovery Database

Key Points The recovery database is a recovered database that can coexist on the same server that hosts the original database. Users cannot access it directly. Only administrators can access it to recover single items, folders, mailboxes, or complete databases from the recovery database.

The recovery database replaces the recovery storage group from previous Exchange Server versions.

You can use the Exchange Management Shell to create a recovery database.


Recovering Data Using the Recovery Database To recover data using the recovery database, complete the following steps:

1. Use the Exchange Management Shell to create a new recovery database.

2. Restore the database that you want to recover.

3. Mount the recovery database, and merge the data from the recovery database mailbox into the production mailbox. You can use the Exchange Management Shell Restore-Mailbox cmdlet to perform this task.

When to Use the Recovery Database You can use the recovery database in the following scenarios:

• Dial-tone recovery. When you implement dial-tone recovery, you set up a dial-tone mailbox database on the same server or on an alternate server to provide temporary access to e-mail services. You then use the recovery database to restore the temporary data into the production database after you recover the original database from backup.

• Individual mailbox recovery. You can recover individual mailboxes by restoring the database that holds the mailbox to the recovery database. Then you can extract the data from the deleted mailbox, and copy it to a target folder or mailbox in the production database.

• Specific item recovery. If a message no longer exists in the production database, you can recover the database that held the message to the recovery database. Then you can extract the data from the mailbox and copy it to a target folder or mailbox in the production database. However, you also should consider using hold policy for this situation, as recovering the database might be time consuming.


Demonstration: How to Recover Data by Using the Recovery Database

Key Points In this demonstration, you will review how to create a recovery database and how to restore data to the recovery database.

Demonstration Steps

1. Use Windows Server Backup to restore the Exchange Server databases to C:\DBBackup.

2. At the Exchange Management Shell prompt, type New-MailboxDatabase -Name "RecoverDB" -Server VAN-EX1 -EDBFilePath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb" -Logfolderpath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting" -Recovery, and then press ENTER. This command creates the recovery database using the recovered Accounting database.


3. Use the eseutil /p "c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox\Accounting\Accounting.edb" command to repair the recovered database.

4. At the Exchange Management Shell prompt, type Mount-Database “RecoverDB”, and then press ENTER.

5. Use the Get-MailboxStatistics -Database “RecoverDB” command to display the mailboxes in the recovery database.

6. At the Exchange Management Shell prompt, type Restore-Mailbox -Identity MichiyoSato -RecoveryDatabase RecoverDB, and then press ENTER.

Question: What is the difference between using Single Item Recovery and performing a restore by using the recovery database?
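The following script is an added example, not part of the course, that carries the demonstration above through as one scripted procedure. Two points differ from the demonstration on purpose: it checks the database state with eseutil /mh and replays the transaction logs with eseutil /r before considering the hard repair (eseutil /p) from step 3, because /p discards any page it cannot repair; and it restores the mailbox into a separate folder of the target mailbox with -TargetFolder so nothing in the production mailbox is overwritten before the recovered items are inspected. It assumes the Exchange Management Shell on VAN-EX1 with the paths from the demonstration; the log file prefix E00 and the target folder name are constructed.

```powershell
# Added example (not from the course): create and mount a recovery database from a restored
# copy of a mailbox database, then restore one mailbox into a separate folder.
# Assumed: Exchange Management Shell on VAN-EX1; paths follow the demonstration;
# $LogPrefix and the target folder name are constructed.

$RecoveryDbName = 'RecoverDB'
$RecoveryServer = 'VAN-EX1'
$RestoredFolder = 'C:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting'
$EdbPath        = Join-Path $RestoredFolder 'Accounting.edb'
$LogPrefix      = 'E00'   # first three characters of the database's log file names, e.g. E00.log

# 1. Register the restored files as a recovery database (not yet mounted).
New-MailboxDatabase -Name $RecoveryDbName -Server $RecoveryServer -Recovery `
    -EdbFilePath $EdbPath -LogFolderPath $RestoredFolder | Out-Null

# 2. A database restored from a VSS backup is normally in "Dirty Shutdown" state. Replay the
#    logs (soft recovery) first; a hard repair (eseutil /p, as in the demonstration) is the
#    lossy last resort and is deliberately not run automatically here.
$header = & eseutil /mh "$EdbPath"
if ($header -match 'Dirty Shutdown') {
    & eseutil /r $LogPrefix /l "$RestoredFolder" /d "$RestoredFolder"
    $header = & eseutil /mh "$EdbPath"
    if ($header -match 'Dirty Shutdown') {
        Write-Warning 'Soft recovery did not reach Clean Shutdown; review the logs before considering eseutil /p.'
        return
    }
}

# 3. Mount it and list what it contains before touching any production mailbox.
Mount-Database -Identity $RecoveryDbName
Get-MailboxStatistics -Database $RecoveryDbName | Format-Table DisplayName, ItemCount, TotalItemSize -AutoSize

# 4. Restore the mailbox. -TargetFolder keeps the recovered items apart from the live folders
#    so the administrator and the user can inspect them before anything is merged.
Restore-Mailbox -Identity 'MichiyoSato' -RecoveryDatabase $RecoveryDbName `
    -RecoveryMailbox 'MichiyoSato' -TargetFolder 'Recovered from backup' -Confirm:$false

# 5. Clean up: a mounted recovery database is reachable by any administrator who can run
#    Restore-Mailbox, so dismount and remove it once the restore is verified.
Dismount-Database -Identity $RecoveryDbName -Confirm:$false
Remove-MailboxDatabase -Identity $RecoveryDbName -Confirm:$false
```

Run it as a whole only after the Windows Server Backup restore to C:\DBBackup (step 1 of the demonstration) has completed. Without -TargetFolder, Restore-Mailbox merges the recovered items back into their original folders, which is what the demonstration's step 6 does; the separate folder is the safer default when the reason for the restore is not yet fully understood.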


What Is Dial-Tone Recovery?

Key Points Dial-tone recovery is the process of implementing user access to e-mail services without first restoring data to user mailboxes. Dial-tone recovery enables users to send and receive e-mail as soon as possible after a database or server loss. Users can send and receive e-mail messages, but they do not have access to the historical mailbox data. You then can recover the database or server, and restore the historical mailbox data. After you bring the recovered database back online, you can merge the dial-tone database and the recovered database into a single up-to-date mailbox database.

When to Use Dial-Tone Recovery Use the dial-tone recovery method when it is critical for users to regain messaging functionality quickly after a mailbox server or database fails, and when you cannot restore historical data from a backup quickly enough. The loss may result from hardware failure or database corruption. If the server fails, it will take significant time to rebuild the server and restore the databases. If you have a large database that fails, it may take several hours to restore the database from backup.


If the original mailbox server remains functional, or if you have an alternative mailbox server available, you can restore messaging functionality within minutes using dial-tone recovery. This enables continued e-mail use while you recover the failed server or database.


Process for Implementing Dial-Tone Recovery

Key Points There are several dial-tone recovery scenarios. However, all scenarios follow the same general steps.

Implementing Dial-Tone Recovery Follow these general steps to implement dial-tone recovery:

1. Create the dial-tone database. For messaging client computers to regain functionality as quickly as possible, create a new database for the client computers. There are two methods for creating the dial-tone database:

• Create the dial-tone database on the same server as the failed database. Use this method if the drive that contained the database failed or if the database is corrupt.

• Create the dial-tone database on a different server than the failed database. Use this method to utilize a different server as a recovery server or if the original server fails.


2. If necessary, configure the mailboxes that were on the failed database to use the new dial-tone database. You must configure the mailboxes to use the new database if you create the dial-tone database on a different server.

3. If necessary, configure the Microsoft Office Outlook® client profiles:

• If the server with the failed database is operational, you do not need to reconfigure Office Outlook client computers to use the new mailbox database. When the Outlook client computer tries to connect to the mailbox, the client profile reconfigures automatically to use the mailbox database on the original or new Mailbox server.

• If the original server is not available, and you are using AutoDiscover for Outlook 2007 client computers, the user profile updates automatically.

• If you are using previous Outlook client computers, you need to reconfigure the user profiles manually to use the new server.

• If users are using Outlook Web App, they will connect automatically to their mailboxes when they access Outlook Web App on a Client Access server.

Note: At this point, users can connect to their mailboxes in the dial-tone database. The dial-tone database does not contain any data, so the mailboxes will be empty. Additionally, the database does not retain user-specific settings, such as folder hierarchy, Inbox rules, meetings, and contacts. However, users should have messaging functionality. If the client computers are running Outlook 2007 or Outlook 2003, and you configure the client computers to run in cached mode, users receive a prompt to connect or work offline when they connect to the dial-tone database. If users choose to connect to the server, they will see an empty mailbox (local cached copy is replaced with the empty mailbox). If they choose to work offline, they will see all of the historical data stored in the offline folders (.ost) file.

4. Restore the failed databases from backup. After the dial-tone database is operational and you reconfigure the client computers to use the new database, if necessary, you can work on restoring the failed database. If the original server is operational, you can restore the database on the failed server using a recovery database. If the original server is not operational, you can recreate the failed database on another server, and then restore both to the new server.


5. Merge the data in the two databases. Because you have restored messaging functionality by implementing the dial-tone database, users will be sending and receiving e-mail while you are restoring the original databases. When the recovery is complete, users should be able to access both the original and the dial-tone data. This means that you must merge the contents of the dial-tone database with those of the original database. To do this, you will use the recovery database.
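The following script is an added example, not part of the course, that performs the server-side steps of the dial-tone procedure above (steps 1, 2 and 5; step 3 is client-side and step 4 is the recovery-database restore shown in the earlier demonstration). It assumes the Exchange Management Shell; the server name, database names, paths and the recovery database name $RecoveryDb are constructed, and the failed database is assumed to have already been restored into $RecoveryDb before step 5 runs.

```powershell
# Added example (not from the course): the dial-tone recovery steps as a script.
# Assumed: Exchange Management Shell; all names and paths below are constructed; the failed
# database has been restored into the recovery database $RecoveryDb before step 5.

$Server       = 'VAN-EX1'
$FailedDb     = 'Accounting'
$DialToneDb   = 'Accounting-DialTone'
$DialTonePath = 'D:\DialTone\Accounting'
$RecoveryDb   = 'RecoverDB'

# Step 1: create and mount an empty dial-tone database. Mounting a new database whose .edb
# file does not exist yet creates it empty.
New-MailboxDatabase -Name $DialToneDb -Server $Server `
    -EdbFilePath (Join-Path $DialTonePath "$DialToneDb.edb") -LogFolderPath $DialTonePath | Out-Null
Mount-Database -Identity $DialToneDb

# Step 2: re-home every user mailbox from the failed database to the dial-tone database.
# System mailboxes are excluded. Only the Active Directory pointer changes, so each user
# immediately gets an empty mailbox on the dial-tone database.
$moved = Get-Mailbox -Database $FailedDb |
    Where-Object { $_.ObjectClass -notmatch '(SystemAttendantMailbox|ExOleDbSystemMailbox)' }
$moved | Set-Mailbox -Database $DialToneDb
Write-Host ("{0} mailboxes now point at {1}" -f @($moved).Count, $DialToneDb)

# Step 3 is client-side (Outlook profiles, Autodiscover, Outlook Web App). Confirm the server side
# instead: the Information Store should now report the re-homed mailboxes on the dial-tone database.
Get-MailboxStatistics -Database $DialToneDb | Select-Object DisplayName, ItemCount | Format-Table -AutoSize

# Step 4 (restore the failed database into $RecoveryDb and mount it) is the recovery-database
# procedure shown earlier in this lesson.

# Step 5: merge the historical data from the recovery database into each dial-tone mailbox.
# Without -TargetFolder, Restore-Mailbox places items back into their original folders.
foreach ($mbx in $moved) {
    Restore-Mailbox -Identity $mbx.Identity -RecoveryDatabase $RecoveryDb `
        -RecoveryMailbox $mbx.Alias -Confirm:$false
}
```

This merges the larger data set (the historical mailbox content) into the smaller one (the dial-tone period). The reverse is also possible: dismount the dial-tone database, swap its files with the recovered database so production immediately holds the historical data, and then restore the dial-tone period from a recovery database; that copies less data but adds a file swap and a second outage, so the scripted direction above is the simpler one to verify.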


What Is Database Mobility?

Key Points Database mobility disconnects databases from servers, adds support for up to 16 copies of a single database, and provides a native experience for adding database copies to a database. Additionally, DAGs use database mobility to enable database copying between servers. In Exchange Server 2007, the database portability feature enabled you to move a mailbox database between servers. A key distinction between database portability and database mobility, however, is that all copies of a database have the same globally unique identifier (GUID).

Other key characteristics of database mobility are:

• Because Exchange Server 2010 does not use storage groups, continuous replication now operates at the database level. Transaction logs replicate to one or more other Mailbox servers, and replay into a copy of a mailbox database that those servers store.

• A failover or switchover can occur at the database or server level.


• Database names for Exchange Server 2010 must be unique within the Exchange Server organization.

• When you configure a mailbox database with one or more database copies, the full path for all database copies must be identical on all Mailbox servers that host a copy.

• You can back up any mailbox database copy (the active or any passive copy) by using an Exchange Server-aware, VSS-based backup application.

Note: Only mailbox databases are mobile. Public folder databases are not portable because replication between public folder databases is controlled by each database being linked to, and accessed through, a specific server.


Process for Recovering Computers That Run Exchange Server

Key Points When recovering a failed Exchange Server, you have several options. The option you choose determines the process that you use to restore the server.

Exchange Server Recovery Options When you need to replace a failed server, you have the following options:

• Restore the server. You can restore the server from a full computer backup set, and then restore your Exchange Server information. When you restore a server, you are reproducing the server configuration, including the server security identifier. This option is feasible only if you have a full server backup, including the System State backup, and you have replacement hardware that is very similar to the failed server.


• Rebuild the server. This option involves performing a new installation of Windows Server, running Exchange Server 2010 Setup in Recover Server mode, which reads the server’s previous settings from Active Directory Domain Services (AD DS), and then restoring your Exchange Server databases from backup.

• Use a standby server. You can use a standby recovery server as part of the Mailbox server recovery strategy. This option involves keeping recovery servers available with the operating system and other software installed. Having available standby recovery servers reduces the time you need to rebuild a damaged server.

What Is Recover Server Mode?

If an Exchange server fails, is unrecoverable, and needs replacement, you can perform a server recovery operation. Exchange Server 2010 Setup includes a switch, /m:RecoverServer, that performs this operation.

Running Exchange Server Setup with the /m:RecoverServer switch causes Setup to read, from AD DS, the configuration information for the server object that has the same name as the computer on which you run Setup. Setup then installs the Exchange Server files and services, and applies the server roles and settings that AD DS stores to the server. Because the configuration comes from AD DS and not from the Setup media, you must run Setup from media of the same Exchange Server version and service pack as the failed server, and you still must restore the mailbox databases from backup (or reseed them from another database copy) afterwards.

Important: When you run Exchange Server Setup in Recover Server mode, Setup must be able to connect to AD DS and read the Exchange Server configuration information that is linked to the name of the computer that is running Exchange Server. This means that two objects must still exist in AD DS: the Exchange server object in the Configuration partition, which holds the roles and settings that Setup reapplies, and the computer account, which the lab in this module resets rather than deletes so that the replacement installation can join the domain under the original name. If the Exchange server object has been removed, you cannot recover the server and must install a new one instead.


Lab: Implementing Backup and Recovery

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.

2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-SVR1 virtual machines are running.

• 10135A-VAN-DC1: Domain controller in the Adatum.com domain

• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain

• 10135A-VAN-SVR1: Standalone server

3. If required, connect to the virtual machines. Log on to VAN-DC1 and VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd.

4. Log on to VAN-SVR1 as Administrator, using the password Pa$$w0rd.


5. In Microsoft Hyper-V™ Manager, click VAN-SVR1, and then, in the Actions pane, click Settings.

6. Click DVD Drive, click Image file, and then click Browse.

7. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso and click Open.

8. Click OK.

9. On VAN-SVR1, close the AutoPlay dialog box.

Lab Scenario

You are a messaging administrator for A. Datum Corporation. Your organization has deployed Exchange Server 2010. You now want to ensure that all Exchange Server-related data is backed up and that you can restore not only the full server or database, but also a mailbox or mailbox folder.


Exercise 1: Backing Up Exchange Server 2010

Scenario

You must create a backup of your Exchange Server 2010 mailbox database to ensure that you can restore it when necessary.

The main tasks for this exercise are:

1. Populate a mailbox.

2. Perform a backup of the mailbox database using Windows Server Backup.

3. Delete messages in mailboxes.

Task 1: Populate a mailbox

1. On VAN-EX1, log on to Parna’s mailbox by using Outlook Web App. Use the logon name Adatum\Parna and the password Pa$$w0rd.

2. Send a message to George with the subject Message before Backup.

3. Restart the Microsoft Exchange Information Store service.

Task 2: Perform a backup of the mailbox database using Windows Server Backup

1. Use Server Manager to install Windows Server Backup.

2. Perform a custom backup of the C:\ drive using a VSS full backup. Store the backup files on \\VAN-DC1\Backup.

Task 3: Delete messages in mailboxes

1. Log on to George’s mailbox using the logon name Adatum\George and the password Pa$$w0rd, and then delete the message from Parna.

2. Log on to Parna’s mailbox using the logon name Adatum\Parna and the password Pa$$w0rd, and then delete all messages from the Sent Items folder.

Results: After this exercise, you should have created a backup of an Exchange Server database, and deleted messages.


Exercise 2: Restoring Exchange Server Data

Scenario

Some of your users complain that they are missing messages from their mailboxes. You now need to use the backup you created to recover their messages.

The main tasks for this exercise are:

1. Restore the database using Windows Backup.

2. Create a recovery database by using the backup files.

3. Recover a mailbox from the recovery database.

Task 1: Restore the database using Windows Backup

• On VAN-EX1, using Windows Server Backup, recover the Exchange Server databases to an alternate location: C:\DBBackup.

Task 2: Create a recovery database by using the backup files

1. On VAN-EX1, create a recovery database using the restored database in C:\DBBackup. Use the following command to create the recovery database:

New-MailboxDatabase -Name "RecoverDB" -Server VAN-EX1 -EdbFilePath "C:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb" -LogFolderPath "C:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting" -Recovery

2. In the Exchange Management Shell, change to the "C:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting" directory, and then run the following command to replay the restored transaction logs and bring the database to a clean shutdown state. E02 is the log file prefix of the Accounting database in this lab; if your prefix differs, look for the Enn.log file in the folder and use that prefix instead:

eseutil /R E02 /i /d

3. Mount the recovery database using the Mount-Database “RecoverDB” command.

4. List all mailboxes that are in the recovery database by using the Get-MailboxStatistics -Database "RecoverDB" command.


Task 3: Recover a mailbox from the recovery database

1. On VAN-EX1, recover a mailbox using the Restore-Mailbox -Identity ParnaKhot -RecoveryDatabase RecoverDB cmdlet.

2. Verify that you restored the message in the Sent Items folder by logging on to Parna’s mailbox.

3. Dismount the recovery database, and then use the Remove-MailboxDatabase -Identity RecoverDB command to remove the RecoverDB database object. The database and log files remain in C:\DBBackup; delete them manually once you no longer need them.

Results: After this exercise, you should have created a recovery database, and restored a complete mailbox from the recovery database to its original location.
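The three tasks of this exercise as one Exchange Management Shell script, with the checks a practitioner wants before mounting a restored database. This is an added example and is not part of the lab or of Exchange's own scripts: the paths, the database name, the E02 log prefix and the mailbox ParnaKhot are the lab's; the "Recovered from backup" target folder and the clean-up at the end are assumptions. The script reads the database header with eseutil /mh and runs soft recovery only when the database is in Dirty Shutdown, confirms the mailbox is actually present in the recovery database before restoring, restores into a separate folder so nothing in the live mailbox is overwritten, and dismounts before removing the recovery database object.

```powershell
# Added example (not part of the lab): recover one mailbox from a database restored to an
# alternate location, with the checks a practitioner wants before mounting and restoring.
# Paths, names and the E02 log prefix are from the lab; the target folder name is assumed.
$Server       = 'VAN-EX1'
$RestoreRoot  = 'C:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting'
$EdbPath      = Join-Path $RestoreRoot 'Accounting.edb'
$RdbName      = 'RecoverDB'
$LogPrefix    = 'E02'                      # look for Enn.log in $RestoreRoot if the prefix differs
$Mailbox      = 'ParnaKhot'
$TargetFolder = 'Recovered from backup'    # assumed; keeps recovered items apart from live ones

if (-not (Test-Path $EdbPath)) { throw "Restored database not found: $EdbPath" }

function Get-DatabaseState([string]$Path) {
    # eseutil /mh prints the database header, including a line such as "State: Dirty Shutdown".
    $header = & eseutil /mh $Path 2>&1 | Out-String
    if ($header -match 'State:\s*(Clean Shutdown|Dirty Shutdown)') { return $Matches[1] }
    throw "Could not read the database state from eseutil /mh output for $Path"
}

# 1. A database restored from a VSS backup is normally in Dirty Shutdown: replay the restored
#    logs (soft recovery) exactly as the lab does, then confirm it reached Clean Shutdown.
if ((Get-DatabaseState $EdbPath) -eq 'Dirty Shutdown') {
    Push-Location $RestoreRoot
    try {
        & eseutil /R $LogPrefix /i /d
        if ($LASTEXITCODE -ne 0) { throw "eseutil /R returned $LASTEXITCODE; check the log files in $RestoreRoot" }
    }
    finally { Pop-Location }
}
if ((Get-DatabaseState $EdbPath) -ne 'Clean Shutdown') { throw 'Database is not in Clean Shutdown; do not mount it.' }

# 2. Create the recovery database object over the restored files, then mount it.
New-MailboxDatabase -Name $RdbName -Server $Server -Recovery `
    -EdbFilePath $EdbPath -LogFolderPath $RestoreRoot | Out-Null
Mount-Database -Identity $RdbName

try {
    # 3. Confirm the mailbox is present in the recovery database before attempting a restore.
    $live  = Get-Mailbox -Identity $Mailbox
    $inRdb = Get-MailboxStatistics -Database $RdbName |
             Where-Object { $_.DisplayName -eq $live.DisplayName }
    if (-not $inRdb) { throw "Mailbox '$($live.DisplayName)' is not in $RdbName; nothing to restore." }

    # 4. Restore into a separate folder of the live mailbox rather than merging into place,
    #    so the user can review what came back and nothing current is overwritten.
    Restore-Mailbox -Identity $Mailbox -RecoveryDatabase $RdbName `
        -RecoveryMailbox $inRdb.DisplayName -TargetFolder $TargetFolder -Confirm:$false

    # 5. Verify: the target folder now exists in the live mailbox and holds items.
    Get-MailboxFolderStatistics -Identity $Mailbox |
        Where-Object { $_.Name -eq $TargetFolder } |
        Select-Object Name, ItemsInFolder, FolderSize
}
finally {
    # 6. Clean up: the database must be dismounted before the object can be removed.
    #    Remove-MailboxDatabase leaves the .edb and logs in $RestoreRoot; delete them by hand.
    Dismount-Database -Identity $RdbName -Confirm:$false
    Remove-MailboxDatabase -Identity $RdbName -Confirm:$false
}
```

Restoring into a target folder instead of merging in place is a deliberate choice: the lab's merge restores the message directly to Sent Items, which is what the user wants in this exercise, but in an incident where you are not yet sure which items were lost, a separate folder keeps the restored set visible and auditable.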


Exercise 3: Restoring Exchange Servers (optional)

Scenario

After a hard-disk malfunction, one of your Exchange servers no longer is operational. You have a full backup of the computer and the mailbox databases, so you need to restore everything to a newly installed computer.

The main tasks for this exercise are:

1. Shut down VAN-EX1 and reset the computer account.

2. Prepare VAN-SVR1 as VAN-EX1.

3. Install Exchange Server 2010 with the RecoverServer mode.

4. Recover the mailbox databases from backup.

5. Test the recovery.

Task 1: Shut down VAN-EX1 and reset the computer account

1. In Hyper-V Manager, revert VAN-EX1 to the previous snapshot.

2. Using Active Directory Users and Computers, reset the VAN-EX1 computer account.

Task 2: Prepare VAN-SVR1 as VAN-EX1

1. Rename VAN-SVR1 to VAN-EX1.

2. Join the computer to the Adatum domain.

Task 3: Install Exchange Server 2010 with the RecoverServer mode

1. On the new VAN-EX1 server, run d:\setup /m:RecoverServer.

2. In the Exchange Management Console, change the database properties to This database can be overwritten by a restore for all databases on VAN-EX1.

Task 4: Recover the mailbox databases from backup

• Use Windows Server Backup to recover the Exchange Server databases.


Task 5: Test the recovery

1. On the restored VAN-EX1, in the Exchange Management Console, mount the mailbox databases and the public folder database.

2. On VAN-DC1, open Internet Explorer and connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Parna with a password of Pa$$w0rd, and then verify that the mailbox is accessible and that all messages have been restored.

Results: After this exercise, you should have recovered a complete Exchange server by using a different Windows Server, renaming it, installing Exchange Server in /m:RecoverServer mode, and recovering the Exchange Server database from a backup. You have also tested the recovery.
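A pre-flight check for the server recovery procedure above, as an added example that is not part of the lab. It runs on a domain member that has the AD DS command-line tools installed (VAN-DC1 in the lab) before Task 2, and uses System.DirectoryServices directly, so it needs no working Exchange server anywhere. It verifies the one thing Recover Server mode cannot do without, the Exchange server object in the Configuration partition, decodes the roles that Setup will reinstall from that object, and resets (rather than deletes) the computer account with dsmod. The server name VAN-EX1 is the lab's; the attribute names and the role bitmask are AD DS and Exchange schema values, and the presence of dsmod.exe is an assumption.

```powershell
# Added example (not part of the lab): pre-flight checks before running Setup /m:RecoverServer.
# Run from a domain member that has the AD DS command-line tools (dsmod.exe), e.g. VAN-DC1.
param([string]$ServerName = 'VAN-EX1')

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.configurationNamingContext
$defaultNC = [string]$rootDse.defaultNamingContext

function Find-LdapObject([string]$SearchBase, [string]$Filter, [string[]]$Attributes) {
    # Minimal LDAP lookup with System.DirectoryServices; returns the first match or $null.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    return $searcher.FindOne()
}

# 1. Setup /m:RecoverServer rebuilds the server from its object in the Configuration partition.
#    Without that object (removed with ADSI Edit, for example) there is nothing to recover from,
#    and a new server must be installed instead.
$exServer = Find-LdapObject $configNC "(&(objectClass=msExchExchangeServer)(cn=$ServerName))" `
            @('distinguishedName', 'msExchCurrentServerRoles', 'serialNumber', 'msExchInstallPath')
if (-not $exServer) { throw "No Exchange server object named $ServerName under $configNC; /m:RecoverServer cannot be used." }

# msExchCurrentServerRoles is a bitmask: 2 = Mailbox, 4 = Client Access, 16 = Unified Messaging,
# 32 = Hub Transport, 64 = Edge Transport. These are the roles Setup will reinstall.
$roleBits  = [int]$exServer.Properties['msexchcurrentserverroles'][0]
$roleNames = @{ 2 = 'Mailbox'; 4 = 'ClientAccess'; 16 = 'UnifiedMessaging'; 32 = 'HubTransport'; 64 = 'EdgeTransport' }
$roles     = $roleNames.Keys | Sort-Object | Where-Object { $roleBits -band $_ } | ForEach-Object { $roleNames[$_] }

Write-Host "Server object : $($exServer.Properties['distinguishedname'][0])"
Write-Host "Version       : $($exServer.Properties['serialnumber'][0])  (use Setup media of the same version and service pack)"
Write-Host "Install path  : $($exServer.Properties['msexchinstallpath'][0])  (if not the default path, pass it with /TargetDir)"
Write-Host "Roles         : $($roles -join ', ')"

# 2. The computer account must exist so the rebuilt machine can join the domain under the same
#    name. Reset it (do not delete it) so the fresh Windows installation can use it.
$computer = Find-LdapObject $defaultNC "(&(objectClass=computer)(sAMAccountName=$ServerName`$))" @('distinguishedName')
if (-not $computer) {
    throw "Computer account $ServerName`$ not found; join the replacement server to the domain as $ServerName before running Setup."
}
$computerDn = $computer.Properties['distinguishedname'][0]
& dsmod computer $computerDn -reset
if ($LASTEXITCODE -ne 0) { throw "dsmod could not reset $computerDn" }

Write-Host "Now rename the replacement server to $ServerName, join it to the domain, and run: setup /m:RecoverServer"
```

Run it before touching the replacement server. If the first check fails, stop: there is no point renaming and joining VAN-SVR1, because Setup will have no server object to read. The version line is worth comparing against the Setup media before Task 3, since Recover Server mode must be run from media of the same version and service pack as the failed server.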

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.


Module Review and Takeaways

Review Questions

1. What kind of backup options for Exchange Server 2010 do you find suitable for your organization?

2. What options does Exchange Server 2010 include for restoring a single item from a mailbox?


Common Issues Related to Recovering Messages

Identify the causes for the following common issues related to recovering messages, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Recover single mailbox items quickly
Troubleshooting tip: Try using Multi-Mailbox Search before you recover a database.

Issue: Restore fails when it is urgent
Troubleshooting tip: Restore a database regularly, as a practice session, and verify that your backups work as you expect.

Best Practices Related to Backup and Restore

Supplement or modify the following best practices for your own work situations:

• Utilize your existing backup solution for Exchange Server backups, as you are already experienced and familiar with it.

• Try always to perform a full backup of your Exchange Server databases if you use a VSS-aware backup solution. This reduces the time you need to recover the database to its most current state.

• If you plan to follow the backup-less method, create one more database copy, on inexpensive hard drives at a different site, so that an additional copy of your database is always available. Because a database copy replays the same transaction logs as the active copy, it does not by itself protect against logical corruption or accidental deletions, which are replayed into it as well; configure the extra copy as a lagged copy if you need that protection.


Configuring Messaging Policy and Compliance 9-1

Module 9 Configuring Messaging Policy and Compliance

Contents:

Lesson 1: Introducing Messaging Policy and Compliance 9-3

Lesson 2: Configuring Transport Rules 9-9

Lesson 3: Configuring Journaling and Multi-Mailbox Search 9-35

Lab A: Configuring Transport Rules, Journal Rules, and Multi-Mailbox Search 9-48

Lesson 4: Configuring Messaging Records Management 9-58

Lesson 5: Configuring Personal Archives 9-74

Lab B: Configuring Messaging Records Management and Personal Archives 9-82


Module Overview

Microsoft® Exchange Server 2010 provides new tools for coping with a growing number of legal, regulatory, and internal policy and compliance requirements that relate to e-mail. Most organizations must be able to filter e-mail delivery based on several criteria, and to manage e-mail retention and deletion. This module describes how to configure the Exchange Server 2010 messaging policy and compliance features.

After completing this module, you will be able to:

• Describe messaging policy and compliance.

• Configure transport rules.

• Configure journaling and Multi-Mailbox Search.

• Configure Messaging Records Management (MRM).

• Configure Personal Archives.


Lesson 1 Introducing Messaging Policy and Compliance

In most countries, governments have implemented legislation that restricts the storage and movement of certain information. Additionally, many organizations have implemented corporate security policies that limit how information may be shared within the organization. Because e-mail is a critical business tool in most organizations, it is important that you configure your organization’s messaging system so that it complies with government legislation and corporate policies.

Messaging policies in Exchange Server 2010 enable messaging administrators to manage e-mail messages that are in transit and at rest, and ensure that your organization meets compliance requirements. This lesson provides an overview of messaging policies and their use.

After completing this lesson, you will be able to:

• Describe messaging policy and compliance.

• Identify compliance requirements.

• Implement messaging policy and compliance.


What Is Messaging Policy and Compliance?

Key Points

Messaging compliance features in Exchange Server 2010 consist of a set of rules and settings that restrict message flow and storage. You can use these features to apply rules to messages as your organization’s users send and receive them. You can use the messaging policy and compliance features to regulate how users store messages, and to search all user mailboxes for messages based on a variety of criteria. You can apply these features to Exchange Server computers running the Edge Transport, Hub Transport, and Mailbox server roles.

Types of Messaging Compliance Features

Exchange Server 2010 provides several options for implementing message policies and compliance:

• Transport policies are rules and settings that you apply as messages pass through the Exchange Server transport components. Transport policies restrict message flow or modify message contents based on organizational requirements.


• Exchange Server applies MRM policies to folders in users’ mailboxes to automate and simplify message retention. For example, you can configure a policy that retains messages in user mailbox folders for a specific time, or you can configure a policy that automatically deletes messages within a specific folder or within all the mailbox folders. Exchange Server 2010 also provides retention tags and autotagging that simplify the process for users who want to apply message retention or deletion policies.

• Journaling policies are rules and settings that enable you to save a copy of all messages that meet specific criteria. For example, you can journal messages sent by a particular user or messages sent to a particular distribution group. You can journal messages that recipients send or receive inside and outside the organization.

• Mailbox searching may be required for audit purposes to determine whether user mailboxes contain specific types of content. With Exchange Server 2010, you can use the Exchange Control Panel (ECP) to search all user mailboxes for messages based on many different criteria.


Discussion: Compliance Requirements

Key Points

E-mail is a primary means of communication in many organizations, and users typically send a great deal of business information by e-mail. This information may include confidential information, such as customer data or business intelligence. One use of Exchange Server 2010 messaging policies is to provide features that help you comply with legal requirements and corporate messaging policies regarding e-mail messages.

Question: What type of business does your organization conduct? What are some legislated compliance requirements for your organization?

Question: What additional compliance requirements does your organization have?

Question: How are you currently meeting these compliance requirements?


Options for Enforcing Messaging Policy and Compliance

Key Points

Exchange Server 2010 provides many options for implementing messaging policies, including the following:

• Transport rules. You can define transport rules on both the Edge Transport and Hub Transport servers. On Edge Transport servers, you can restrict message flow based on message data, such as specific words or text patterns in the message subject, body, header, or From address; the spam confidence level (SCL); and attachment type. On Hub Transport servers, you configure rules that support an extended set of conditions, which allows you to control message flow based on distribution groups, internal or external recipients, message classifications, and message importance.


• Rights management integration. Exchange Server 2010 enables integration with Active Directory® Rights Management Service (AD RMS) to apply policies that restrict what recipients can do with their received messages.

• Message journaling. Exchange Server 2010 provides several options for saving copies of messages. For example, you can configure journal rules on Hub Transport servers. You can journal messages according to the message’s distribution scope, and you can define the conditions that trigger the journaling action by specifying as criteria an individual user, the sender, or the recipient’s distribution-list membership. You also can configure message journaling for specific mailbox databases, or implement message journaling as part of a Messaging Records Management deployment.

• Mailbox searching. The Multi-Mailbox Search feature enables users with the appropriate permissions to search all mailboxes for specific content. In Exchange Server 2010, the mailbox search functionality is available through the Multi-Mailbox Search interface in the ECP.

• Message retention and deletion. Administrators can use the MRM features to retain messages that organizations require for business or legal reasons, and to delete unnecessary messages.

• Personal Archives. Exchange Server 2010 allows you to create archive mailboxes for users so they can store the contents of .pst files and old messages that they want to retain. You can search and manage archive mailboxes like any other mailboxes on the Exchange servers.


Lesson 2 Configuring Transport Rules

You can implement messaging policies and compliance by applying transport rules to messages as users send them within the organization. By implementing transport rules, you ensure that all e-mail messages sent within the organization or to external recipients meet your organization’s compliance requirements. You also can apply rights management policies to messages by using transport rules. This lesson describes how to implement transport rules in Exchange Server 2010.

After completing this lesson, you will be able to:

• Describe transport rules.

• Describe transport rule components.

• Configure transport rules.

• Identify message classifications.

• Describe AD RMS.

• Describe how AD RMS components work together.


• Describe AD RMS interaction.

• Configure AD RMS integration.

• Describe options for moderated transport.

• Configure moderated transport.


What Are Transport Rules?

Key Points

Exchange Server applies transport rules to messages as they pass through Edge Transport or Hub Transport servers. The Transport Rule agent applies transport rules on Hub Transport servers, and the Edge Rule agent applies them on Edge Transport servers. Transport rules restrict message flow or modify message content while messages are in transit.

Transport Rules on Hub Transport Servers

Transport rules configured on one Hub Transport server automatically apply to all other Hub Transport servers in the organization. Exchange Server stores the transport rules in the Configuration container in Active Directory Domain Services (AD DS), and replicates them throughout the Active Directory forest so that they are accessible to all other Hub Transport servers. This means that Exchange Server applies the same transport rules to all e-mail messages that users send or receive in the organization.


Transport Rules on Edge Transport Servers

Exchange Server applies transport rules that you configure on an Edge Transport server only to e-mail messages that pass through that specific Edge Transport server. The transport rules are stored in Active Directory Lightweight Directory Services (AD LDS), and Exchange Server does not replicate them to other Edge Transport servers. Therefore, you can configure Edge Transport servers to apply distinct transport rules depending on the e-mail messaging traffic that they manage.

If you have more than one Edge Transport server and you want to apply a consistent set of rules across all Edge Transport servers, you must configure each server manually, or export the transport rules from one server and import them into all other Edge Transport servers.


Transport Rule Components

Key Points

All transport rules, whether they apply to Hub Transport or Edge Transport servers, have similar configurations.

Transport Rule Components

When configuring transport rules, consider the following components:

• Conditions. Transport rule conditions indicate which e-mail message attributes, headers, recipients, senders, or other parts of the message Exchange Server uses to identify the e-mail messages to which it applies a transport rule action. If the data of the e-mail message that the condition is inspecting matches the condition’s value, Exchange Server applies the rule as long as the condition does not match an exception.

You can configure multiple conditions on a transport rule to narrow its scope to very specific criteria; a message must match all of the configured conditions for the rule to apply. You also can decide not to apply any conditions, which means that the transport rule then applies to every message that passes through the server. There is no limit to how many conditions you can apply to a single transport rule.


• Actions. Exchange Server applies actions to e-mail messages that match the conditions and for which no exceptions are present. Each action affects e-mail messages in a different way, such as redirecting the e-mail message to another address or dropping the message.

• Exceptions. Exceptions determine which e-mail messages to exclude from an action. Transport rule exceptions are based on the same predicates that you use to create transport rule conditions. Transport rule exceptions override conditions and prevent Exchange Server from applying a transport rule action to an e-mail message, even if the message matches all configured transport rule conditions.

You can configure multiple exceptions on a transport rule to expand the criteria for which Exchange Server should not apply a transport rule action.

• Predicates. Conditions and exceptions use predicates to define which part of an e-mail message the conditions and exceptions examine to determine whether Exchange Server should apply the transport rule to that message. Some predicates examine the To: or From: fields, whereas other predicates examine the subject, body, or attachment size. To determine whether Exchange Server should apply a transport rule to a message, most predicates require that you specify a value that the predicates use to test against the message.


Demonstration: How to Configure Transport Rules

Key Points

In this demonstration, you will review how to configure transport rules. You can configure transport rules by using either the Exchange Management Console or the Exchange Management Shell. If you are using the Exchange Management Console on a Hub Transport server, access the Hub Transport container in the Organization Configuration work area.

To configure transport rules using the Exchange Management Shell, run the following cmdlets:

• The New-TransportRule, Set-TransportRule, and Remove-TransportRule cmdlets create, configure, and remove transport rules. Get-TransportRule lists the existing rules, and Enable-TransportRule and Disable-TransportRule turn an existing rule on or off without deleting it.

• The Get-TransportRuleAction cmdlet retrieves a list of all available transport rule actions.


• The Get-TransportRulePredicate cmdlet retrieves a list of all available rule predicates.

• The Import-TransportRuleCollection and Export-TransportRuleCollection cmdlets import and export a set of transport rules configured on a Hub Transport server or Edge Transport server.
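The export-and-import workflow that the bullet above, and the Edge Transport discussion earlier in this lesson, describe, as an added example that is not part of the course or of Exchange's own scripts. The cmdlets and the byte-array handling of FileData are Exchange Server 2010's; the file paths, the server names EDGE1 and EDGE2, and the SHA-256 check of the file are assumptions. The check is there because the rule file is usually carried by hand into the perimeter network, and because Import-TransportRuleCollection replaces every rule on the target server, which is why the import function keeps a rollback copy first.

```powershell
# Added example (not from the course): move the transport rule collection from one Edge Transport
# server to another. The cmdlets are Exchange Server 2010's; paths, server names and the hash
# check are assumptions.

function Get-FileSha256([string]$Path) {
    # Hash of the file as written, so the copy carried to each target can be verified.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Export-EdgeRuleFile([string]$Path) {
    # Run on the source Edge Transport server. FileData is a byte array: write it as bytes,
    # not as text, or the import on the target fails.
    $collection = Export-TransportRuleCollection
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    Set-Content -Path $Path -Value $collection.FileData -Encoding Byte
    return (Get-FileSha256 $Path)
}

function Import-EdgeRuleFile([string]$Path, [string]$ExpectedSha256) {
    # Run on each target Edge Transport server after the file has been copied there.
    $actual = Get-FileSha256 $Path
    if ($actual -ne $ExpectedSha256) {
        throw "Hash mismatch for ${Path}: expected $ExpectedSha256, got $actual. Not importing."
    }
    # Import-TransportRuleCollection replaces every rule on this server, so keep a rollback copy.
    $before = Export-TransportRuleCollection
    Set-Content -Path "$Path.before-import" -Value $before.FileData -Encoding Byte

    [byte[]]$data = Get-Content -Path $Path -Encoding Byte -ReadCount 0
    Import-TransportRuleCollection -FileData $data
    Get-TransportRule | Select-Object Name, State, Priority
}

# Usage (assumed server names; send the file and the hash to the perimeter network separately):
#   on EDGE1:  $hash = Export-EdgeRuleFile -Path 'C:\EdgeRules\rules.xml'
#   on EDGE2:  Import-EdgeRuleFile -Path 'C:\EdgeRules\rules.xml' -ExpectedSha256 $hash
```

The rollback copy is the part to keep even if you drop the hash: an import that carries a wrong or stale rule set silently replaces whatever the Edge server had, and the "before-import" file is the only quick way back.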

Note: Implementing transport rules together with security features such as digital signatures or encryption can cause problems. For example, if a transport rule appends a disclaimer to a digitally signed message, the signed content no longer matches the signature, and the signature becomes invalid. When users open the message, the original message is displayed as an attachment and only the disclaimer text that the transport rule added is visible in plain text. If users encrypt messages using Secure/Multipurpose Internet Mail Extensions (S/MIME) or another encryption tool, transport rules can still access the message envelope and headers and process the message based on that unencrypted information. Transport rules whose conditions require inspection of message content, or whose actions modify content, cannot process encrypted messages.

Demonstration Steps

1. Open the Exchange Management Console.

2. Under Organization Configuration, in the Hub Transport node, create a new transport rule with the following configuration:

• Name: Type Company Disclaimer HTML.

• Condition: Choose sent to users that are inside the organization.

• Action: Choose append disclaimer text and fallback to action if unable to apply.

• Disclaimer text: Type the following:

<html><body><br>&nbsp;<br>&nbsp;<b><font color="red">This e-mail and attachments are intended for the individual or group addressed.</font></b></body></html>


3. Open the Exchange Management Shell.

4. Type the following cmdlet:

New-TransportRule -Name "Social Insurance Number Block Rule" -SubjectOrBodyMatchesPatterns "\d\d\d-\d\d\d-\d\d\d" -RejectMessageEnhancedStatusCode "5.7.1" -RejectMessageReasonText "This message has been rejected because of content restrictions"

5. To test the transport rules:

• Send a message from one internal user to another. Verify that the HTML disclaimer is attached.

• Send a message from one internal user to another with the string 111-111-111 in the message body. Verify that the sender receives a non-delivery report (NDR).

Note: In a regular expression, the \d pattern string matches any single numeric digit. You can use a variety of pattern strings to search the message contents for a consistent pattern. For example, you can use \s to represent a space, or \w to represent any letter or decimal digit. For detailed information about configuring regular expressions in a transport rule, see the topic “Regular Expressions in Transport Rules” in Exchange Online Help.
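Before a rule with a reject action goes live, a practitioner tests the pattern, because every false positive is legitimate mail bounced with a 5.7.1. The following Exchange Management Shell script is an added example and is not part of the demonstration: the sample texts are constructed, the ComplianceOfficers@adatum.com exception group is an assumption, and the tighter pattern is an alternative to the demonstration's pattern that uses only constructs (^, $, \s, |, grouping) from the Exchange Server 2010 pattern-string syntax. The .NET regex check is an offline approximation of Exchange's matching; the test messages in step 5 remain the authoritative test.

```powershell
# Added example (not part of the demonstration): test a transport-rule pattern offline, then
# create the reject rule only if the pattern does not hit legitimate sample text.
# Sample texts are constructed; the exception group is an assumption.

$Loose = '\d\d\d-\d\d\d-\d\d\d'                    # pattern from the demonstration
$Tight = '(^|\s)\d\d\d-\d\d\d-\d\d\d(\s|$)'         # same digits, but not inside a longer number

# Constructed samples with the verdict the policy owner expects: $true = must be rejected.
$Samples = @(
    @{ Text = 'My SIN is 123-456-789 please update the file'; Block = $true  },
    @{ Text = 'Call me at 555-123-4567 tomorrow';            Block = $false },  # phone number
    @{ Text = 'PO number 123-456-7890-A is approved';        Block = $false },  # longer reference
    @{ Text = 'Ticket 123-456-789';                          Block = $true  },  # at end of text
    @{ Text = 'SIN: 123-456-789.';                           Block = $true  }   # trailing period
)

function Test-RulePattern([string]$Pattern, [array]$Samples) {
    # Offline approximation using .NET regex. Exchange's matcher accepts a subset of this syntax,
    # so the patterns above stick to that subset; a real test message is still the final check.
    $results = foreach ($s in $Samples) {
        $hit = [regex]::IsMatch($s.Text, $Pattern)
        if ($hit -eq $s.Block) { $verdict = 'ok' }
        elseif ($hit)          { $verdict = 'FALSE POSITIVE: legitimate mail would be rejected' }
        else                   { $verdict = 'false negative: the number would get through' }
        New-Object PSObject -Property @{ Text = $s.Text; Expected = $s.Block; Matched = $hit; Verdict = $verdict }
    }
    return $results
}

foreach ($p in @($Loose, $Tight)) {
    "Pattern: $p"
    Test-RulePattern $p $Samples | Format-Table Verdict, Matched, Expected, Text -AutoSize | Out-String
}

# Create the rule only if the chosen pattern produced no false positive on the samples.
$Chosen = $Tight
$falsePositives = @(Test-RulePattern $Chosen $Samples | Where-Object { $_.Verdict -like 'FALSE POSITIVE*' })
if ($falsePositives.Count -gt 0) {
    throw 'Pattern rejects legitimate sample text; fix it before creating a rule with a reject action.'
}

# Exception: messages from the compliance team's distribution group (assumed name) are not rejected.
New-TransportRule -Name 'Social Insurance Number Block Rule' `
    -Comments 'Rejects messages containing a 3-3-3 digit number; exception for ComplianceOfficers' `
    -SubjectOrBodyMatchesPatterns $Chosen `
    -ExceptIfFromMemberOf 'ComplianceOfficers@adatum.com' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'This message has been rejected because of content restrictions'

# Review what was stored, then send the two test messages from step 5 of the demonstration.
Get-TransportRule -Identity 'Social Insurance Number Block Rule' |
    Format-List Name, State, Priority, Conditions, Exceptions
```

The two tables make the trade-off visible: the demonstration's pattern also matches the phone number and the purchase-order reference, so it would reject both; the tighter pattern lets them through but misses the number that is followed by a period. Which way to err is a policy decision, and the script only refuses to create the rule when the chosen pattern rejects something the samples mark as legitimate.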

Question: What transport policies will you need to implement in your organization?


What Are Message Classifications?

Key Points

Message classifications are a feature of Exchange Server 2007 and later, and of Outlook 2007 and later, that enables users or transport rules to mark a message with a label. When a message is classified, it carries metadata that describes something about the sender, the recipient, or the message itself. Outlook 2007 and Outlook Web App act on this metadata and display the classification’s description to the message’s senders and recipients. In Exchange Server 2010, you also can configure a transport rule that acts on the metadata by applying an action based on the classification.


Managing Message Classifications

As an Exchange Server administrator, you can manage message classifications in the following ways:

• Review the message classifications configured on the server. Use the Get-MessageClassification cmdlet to view the message classifications.

• Modify the default message classifications. Exchange Server administrators can customize the sender description for each message classification and locale. Use the Set-MessageClassification cmdlet to configure the message classification on the Exchange server.

• Create new message classifications. Use the New-MessageClassification cmdlet to create new message classifications.

• Enable message classifications for Outlook 2007 clients. By default, Outlook 2007 does not support message classifications. To enable message classifications, you must:

    • Export the message classifications to an .xml file. To do this, run the Export-OutlookClassification.ps1 script in the Scripts folder on an Exchange server. The output of this script is an .xml file describing all of the classifications available on the server.

    • Deploy the .xml file that contains the message classification definitions to each client computer that uses these classifications. You must recreate and redeploy this file whenever you update the message classification list on an Exchange server.

    • Create a new registry key that enables message classification and references the Classifications.xml file on the client computer.

Note: For detailed information about deploying message classifications for Outlook 2007, see the topic “Deploy Message Classification for Outlook 2007” in the Exchange Server Help file.
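The three deployment steps above, as an added example that is not part of the course text: the classification name and descriptions, the deployment share path and the file location on the client are assumptions; the registry value names are the ones Outlook 2007 uses for classification deployment.

```powershell
# Added example, not from the course text. Classification name/descriptions and
# the C:\Deploy paths are assumptions; 12.0 is the Outlook 2007 registry version.

# 1. Server side (Exchange Management Shell): create and review the classification.
New-MessageClassification -Name 'InternalOnly' `
    -DisplayName 'Internal Only' `
    -SenderDescription 'This message contains information that must stay inside the company.' `
    -RecipientDescription 'Do not forward this message outside the company.'

Get-MessageClassification | Format-Table Name, DisplayName, ClassificationID -AutoSize

# 2. Export every classification to Classifications.xml. $exscripts is the
#    Exchange Management Shell variable for the Scripts folder. Regenerate and
#    redeploy this file whenever classifications change on the server.
& "$exscripts\Export-OutlookClassification.ps1" |
    Out-File -FilePath 'C:\Deploy\Classifications.xml' -Encoding utf8

# 3. Client side (run in the user's context): point Outlook 2007 at the local
#    copy of the file and turn classifications on.
$policyKey = 'HKCU:\Software\Microsoft\Office\12.0\Common\Policy'
$xmlPath   = 'C:\Deploy\Classifications.xml'   # local copy on the client

if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'AdminClassificationPath' -Value $xmlPath -Type String
Set-ItemProperty -Path $policyKey -Name 'EnableClassifications'   -Value 1        -Type DWord
Set-ItemProperty -Path $policyKey -Name 'TrustClassifications'    -Value 1        -Type DWord

# Verify: the three values are set and the referenced file actually exists,
# otherwise Outlook silently shows no classifications.
$policy = Get-ItemProperty -Path $policyKey
$policy | Select-Object AdminClassificationPath, EnableClassifications, TrustClassifications
Test-Path -Path $policy.AdminClassificationPath
```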


Using Message Classifications

There are two options for using message classifications:

• Users can add a message classification to an e-mail when they create it. When using Outlook Web App or Outlook 2007 with the appropriate configuration, users can classify any message.

• Administrators can add a message classification as the result of a transport rule. For example, when the Attachment Filter agent removes an attachment from a message, the Attachment Removed message classification is attached to the message. You can also create a transport rule that adds a message classification to a message based on any condition in the e-mail message.


What Is AD RMS?

Key Points

AD RMS is an information-protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use.

Restrict Access to an Organization’s Intellectual Property

Use AD RMS to restrict access to digital information so that users can view, change, or print documentation only. This protects data by preventing users from forwarding, copying, or otherwise transporting sensitive data outside the company network.


Limit the Actions Users Can Perform on Content

Enforce restrictions that limit the specific actions that a user can perform on a document or e-mail message. You can use Microsoft Office Word, Office Excel®, and PowerPoint® as AD RMS-enabled applications. These applications allow you to set rights for viewing, changing, saving, and printing documents, and to set the length of time a particular right is active.

AD RMS used with Outlook helps you protect e-mail content. You can prevent users from forwarding sensitive e-mail messages to other e-mail users, printing e-mail messages, using messages offsite, and giving the messages to unauthorized users.

Limit the Risk of Content Exposure Outside the Organization

You can set rights so that users do not have permission to print or forward e-mail content. This means that users cannot forward the messages to recipients outside the organization. These options help reduce the likelihood that an employee will disclose company information either maliciously or accidentally.

AD RMS Components

Several components interact with AD RMS. It is important to understand each of these components:

• Author. The user or service that generates the rights-protected document.

• AD RMS-enabled applications. Specific applications are enabled for, and can interact with, AD RMS. Authors can use these applications to create and protect content, and recipients can use them to read protected content and apply the appropriate rights to them.

• Recipient. The user or service that accesses the rights-protected document.

• AD RMS server. The server with an installed AD RMS server role. This server is responsible for providing the licenses that control access to content. When you install the first AD RMS server, Exchange Server creates an AD RMS root cluster. You can add other AD RMS servers to the cluster.

• Database server. AD RMS requires a database service. Either the Windows Internal Database feature deployed on the same server as the AD RMS server or Microsoft SQL Server® installed on another computer can provide this service. The database stores configuration and other AD RMS-related information.

• AD DS and Active Directory. These services authenticate authors and recipients so that Exchange Server applies the appropriate rights to the content.


How AD RMS Works

Key Points

The AD RMS components work together to enable secure creation, distribution, and consumption of protected data.

How AD RMS Works

The following steps describe how AD RMS components interact to generate and protect rights-protected content:

1. The first time a user tries to rights-protect content using AD RMS, the client application requests a rights account certificate (RAC) and client licensor certificate (CLC) from the AD RMS server. This request only occurs once for each user. It enables the user to publish online or offline, and to consume rights-protected content.

2. The author then creates content using an AD RMS-enabled application. The author can create the file, and then specify user rights. Additionally, the AD RMS server generates the policy license containing the user policies.

3. The author sends the rights-protected content to the recipient.


4. The recipient receives the file and opens it using an AD RMS-enabled application or browser. If the recipient’s computer does not contain an account certificate, the client application requests a certificate, and the AD RMS cluster issues one. If this is the first time the recipient has tried to access rights-protected content on the computer, the AD RMS server also issues a RAC.

The application sends a request for a use license to the AD RMS cluster that issued the publishing license. However, if the file was published offline, the application also sends a request to the server that issued the CLC. The request includes both the RAC and the publishing license for the file.

The AD RMS cluster confirms or denies the recipient’s authorization. If the AD RMS cluster denies the user’s authorization, the cluster checks for a named user and then creates a use license for the user. The cluster decrypts the content key using the cluster’s private key and re-encrypts the content key with the recipient’s public key. It then adds the encrypted session key to the use license. This ensures that only the intended recipient can access the file.

5. The AD RMS cluster sends the generated use license to the recipient’s computer. The application examines both the license and the recipient’s account certificate. Exchange Server then grants the user access per the content author’s specifications.


How AD RMS Integration Works

Key Points

Exchange Server 2010 integrates with AD RMS to provide several options for protecting content as users send messages through e-mail. To use any of these features in an onsite Exchange Server deployment, Exchange Server 2010 requires an on-premise Windows Server 2008 AD RMS deployment.

Enable Users to Protect Content

After deploying AD RMS in an organization, Outlook users can control who reads, copies, or forwards messages regardless of where the messages are stored. When users create e-mails, they can set limits on what the message recipients can do with the messages. This functionality does not require any Exchange Server components other than those used for message delivery.

Exchange Server 2010 provides additional functionality, and expands the scenarios by which users and administrators can apply protection to e-mail—both inside and outside the organization.


Implement AD RMS Prelicensing

One of the issues with using the Rights Management Service (RMS) to protect e-mail is that the recipient needs to be able to connect to the AD RMS server to read protected e-mail. This is an issue when users access their e-mail while offline using Outlook Anywhere, read mail using an Exchange ActiveSync® device, or access e-mail through Outlook Web App. AD RMS prelicensing enables offline access to protected mail, and makes it faster to open protected mail from Outlook and other mobile clients. In this scenario, protected messages already contain the recipient’s end-user license, which Exchange Server requires to decrypt and view the message upon delivery.

In Exchange Server 2010, the built-in RMS Prelicensing agent runs on all Hub Transport servers and is enabled by default for the Exchange Server organization. You can disable the prelicensing agent by running Set-IRMConfiguration -PrelicensingEnabled $false.

Implement Outlook Protection Rules

Outlook Protection Rules allow you to rights-protect messages by applying an RMS template before the message is sent. Outlook Protection Rules automatically trigger the client to apply an RMS template (based on sender and recipient) to mail before it is sent. This feature also enables administrators to allow users to manually add or remove protection policies from a message.

Note: Outlook Protection Rules are only available for Office Outlook 2010 or later clients.

Implement Transport Protection Rules

This feature allows you to use transport rules to apply rights protection to messages.

Transport Protection Rules help organizations implement messaging policies by encrypting sensitive e-mail content and using rights-management to control access to the content.


AD RMS uses XML-based policy templates to allow compatible information rights management (IRM)-enabled applications to apply consistent protection policies. In Windows Server 2008, the AD RMS server is accessible through a Web service that you can use to enumerate and acquire templates. Exchange Server 2010 includes just the Do Not Forward template. When you apply the Do Not Forward template to a message, only the specified recipients can decrypt the message. The recipients cannot forward the message to anyone else, copy content from the message, or print the message.

You can create additional RMS templates in the on-premise AD RMS deployment to meet rights-protection requirements in your organization.

Enable Journal Report Decryption

When you enable Journal Report Decryption, you grant permission for the Journaling agent to attach a decrypted copy of a rights-protected message to the journal report. If the rights-protected message contains supported attachments that have been protected by the AD RMS cluster in your organization, the attachments are also decrypted. The Journal Report Decryption agent performs decryption.

Enable Transport Decryption

When you enable Transport Decryption, Hub Transport servers can decrypt rights-protected messages to enforce messaging policies. The first Hub Transport server to handle a message in an Active Directory forest performs transport decryption. After decryption, unencrypted content becomes available to other transport agents on that server. For example, the Transport Rule agent on a Hub Transport server can inspect message content and apply transport rules. Any actions specified in the rule, such as applying a disclaimer or modifying the message, can be applied to the unencrypted message. After other transport agents have inspected the message and possibly made modifications to it, the message is encrypted again with the same user rights that it had before being decrypted by the Decryption agent. The message is not decrypted again by other Hub Transport servers in the organization.


Enable IRM in Outlook Web App

After you enable IRM in Outlook Web App, users can use Outlook Web App to:

• Send IRM-protected messages. Outlook Web App users can use the permissions feature when composing a new message and select an applicable policy template to apply to the message. This allows users to send IRM-protected messages from within Outlook Web App. The Client Access server applies IRM protection to messages and message attachments.

• Read IRM-protected messages. Messages protected by senders using your organization’s AD RMS cluster display in the Outlook Web App preview pane, without requiring additional add-ons or that the user’s computer is enrolled in the AD RMS deployment. When you open or view a message in the preview pane, the message is decrypted using the use license that the pre-licensing agent added to the message. Once decrypted, the message displays in the preview pane. If a pre-license is not available, Outlook Web App requests one from the AD RMS server before displaying the message.

Important: Before configuring Journal Report Decryption, Transport Decryption, or IRM for Outlook Web App, you must give the Exchange servers the right to decrypt IRM-protected content. Do this by adding the Federated Delivery Mailbox to the super users group configured on the AD RMS cluster. You must also use the Set-IRMConfiguration cmdlet to enable the required features.
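Enabling the four Exchange-side IRM features described above, and checking the result, as an added example that is not part of the course text. It assumes the Federated Delivery Mailbox is already in the AD RMS super users group; the sender address is constructed.

```powershell
# Added example, not from the course text. Assumes the Federated Delivery
# Mailbox is already a member of the AD RMS super users group.

# Record the current state before changing anything.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, PrelicensingEnabled, `
    JournalReportDecryptionEnabled, TransportDecryptionSetting, ClientAccessServerEnabled

# Allow Hub Transport servers to obtain licenses from the internal AD RMS
# cluster; everything below depends on this.
Set-IRMConfiguration -InternalLicensingEnabled $true

# Journal Report Decryption: a decrypted copy is attached to each journal
# report, so the journal mailbox now holds cleartext of protected mail.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true

# Transport Decryption so transport rules can inspect protected content.
# Optional: deliver the message even if decryption fails.
# Mandatory: reject the message (NDR) if it cannot be decrypted.
Set-IRMConfiguration -TransportDecryptionSetting Optional

# IRM in Outlook Web App: the Client Access server protects and reads messages.
Set-IRMConfiguration -ClientAccessServerEnabled $true

# Prelicensing is on by default; leave it on so OWA and mobile clients can
# open protected mail without contacting the AD RMS cluster themselves.
Set-IRMConfiguration -PrelicensingEnabled $true

# End-to-end check: acquires the certificates and licenses on behalf of the
# test sender and reports each feature as PASS or FAIL with a reason.
Test-IRMConfiguration -Sender 'user@contoso.com'
```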


Demonstration: How to Configure AD RMS Integration

Key Points

In this demonstration, you will review how to configure and test AD RMS and Exchange Server 2010 integration. The first part of the demonstration will show you how to protect e-mail messages by using AD RMS. This feature does not require any special Exchange Server functionality. The second part of the demonstration will show you how to configure a transport rule that applies AD RMS protection to a message based on message properties.

Demonstration Steps

1. Open Outlook 2007 and create a new message for an internal recipient.

2. In the Message ribbon, click the Permission icon.

3. In the Windows Security dialog box, log on as the mailbox user.

4. In the Permission dialog box, select the Restrict permission to this document check box.

5. When the message appears, verify that the message now contains the Do Not Forward header. Send the message.


6. Log on as the message recipient, open Outlook 2007, open the restricted message, and then log on using the user credentials. Verify that you do not have permission to forward the message.

7. On VAN-DC1, modify the permissions on the C:\inetpub\wwwroot\_wmcs\certification\servercertification.asmx file to grant Read and Execute access to the Exchange Servers group and the anonymous Internet Information Services (IIS) user account.

8. Restart IIS.

9. On an Exchange server, at the PS prompt, type the following cmdlet, and then press ENTER. This cmdlet enables AD RMS encryption on the Hub Transport server: Set-IRMConfiguration -InternalLicensingEnabled:$true

10. Use the test-irmconfiguration cmdlet to test the IRM configuration.

11. In the Exchange Management console, create a new transport rule named AD RMS Test Rule, which applies the Do Not Forward AD RMS template for all messages sent between two specified users.

12. Send a message from one of the specified users to the other. Verify that the Do Not Forward template is applied to the message.
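Steps 10 through 12 of the demonstration done from the Exchange Management Shell, as an added example that is not part of the course text. The two user addresses are constructed; the rule name and template name are the ones the demonstration uses.

```powershell
# Added example, not from the course text. User addresses are constructed.

# Step 10: confirm the IRM configuration works before building a rule on it.
Test-IRMConfiguration -Sender 'adam@contoso.com'

# The template must be visible to Exchange before a rule can reference it.
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# Step 11: rights-protect all mail exchanged between two users. Listing both
# users in -From and -SentTo covers both directions of the conversation.
$users = @('adam@contoso.com', 'anna@contoso.com')

New-TransportRule -Name 'AD RMS Test Rule' `
    -From $users `
    -SentTo $users `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Comments 'Demo: apply Do Not Forward to all mail between two users'

# Confirm the rule is enabled and carries the expected action.
Get-TransportRule -Identity 'AD RMS Test Rule' |
    Format-List Name, State, From, SentTo, ApplyRightsProtectionTemplate

# Step 12: after sending a message between the two users, the Do Not Forward
# template shows in the message header in Outlook; if it does not, re-run
# Test-IRMConfiguration and check that InternalLicensingEnabled is $true.
```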

Question: Does your organization have AD RMS deployed? Are you planning to deploy AD RMS?

Question: How will Exchange Server 2010 make it easier to deploy AD RMS?


Options for Configuring Moderated Transport

Key Points

The Exchange Server 2010 moderated transport feature enables you to require moderator approval for all e-mail messages sent to specific recipients, and you can specify any type of recipient as a moderator. The Hub Transport servers ensure that all messages sent to those recipients go through an approval process.

You can also use transport rules to enforce moderation. For example, you could configure a transport rule that sends a message for moderation based on any of the available criteria.

How Moderated Transport Works

When you configure a recipient as a moderated recipient, all messages sent to the recipient go through the following process:

1. The sender creates a new message and sends it to the moderated recipient.

2. The categorizer intercepts the message, marks it for moderation, and then reroutes it to the arbitration mailbox.


3. The store driver stores the message in the arbitration mailbox and sends an approval request to the moderator.

4. The moderator uses the buttons in the approval request to either accept or reject the message.

5. The store driver marks the moderator’s decision on the original message stored in the arbitration mailbox.

6. The Information Assistant reads the approval status on the message stored in the arbitration mailbox, and then processes the message based upon the moderator’s decision:

    • If the moderator approves the message, the Information Assistant resubmits the message to the submission queue, and the message is delivered to the recipient.

    • If the moderator rejects the message, the Information Assistant deletes the message from the arbitration mailbox, and then notifies the sender that the moderator rejected the message.

Note: Previous Exchange Server versions do not support moderated recipients. If a message sent to a moderated distribution group is expanded on a Hub Transport server that is running Exchange Server 2007, it will be delivered to all members of that distribution group, and bypass the moderation process. If you have Exchange Server 2007 Hub Transport servers in your Exchange Server 2010 organization, and you want to use moderated distribution groups, you must designate an Exchange Server 2010 Hub Transport server as the expansion server for the moderated distribution groups. Doing this ensures that all messages sent to the distribution group are moderated.

For more information about moderation, refer to the CD content.


Demonstration: How to Configure Moderated Transport

Key Points

In this demonstration, you will review how to configure a distribution list for moderation and how to configure a transport rule that enforces moderation for all messages sent to a distribution list.

Note: In this demonstration, you will configure a distribution list by using the Exchange Management Console. If you need to enable a mailbox or contact for moderation, you will need to use the Set-Mailbox cmdlet with the -ModerationEnabled:$true and -ModeratedBy parameters.

Demonstration Steps

1. In the Exchange Management Console, under Recipient Configuration, click Distribution Group.

2. In the middle pane, right-click a distribution list, and then click Properties.


3. On the Mail Flow Settings tab, double-click Message Moderation.

4. In the Message Moderation dialog box, select the Messages sent to this group have to be approved by a moderator check box. Add the group moderators and add any users who do not require moderation to send to the group.

5. Create a new transport rule that forwards any message sent to a distribution list for moderation. Choose a moderator for the rule, and then configure any exceptions that are required.

6. Send a message to the distribution group configured for moderation.

7. Send a message to the distribution group configured for moderation in the transport rule.

8. Open the mailbox of a moderator configured for both the distribution group and transport rule. Approve both messages.
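The moderation setup from the demonstration, the Set-Mailbox case from the Note, and the expansion-server caveat for mixed Exchange Server 2007/2010 organizations, as an added example from the Exchange Management Shell that is not part of the course text. Group, mailbox and user names are constructed; VAN-EX1 is a placeholder server name.

```powershell
# Added example, not from the course text. Names are constructed; VAN-EX1 is a
# placeholder for an Exchange Server 2010 Hub Transport server.

# Steps 3-4: the distribution group requires approval, one sender bypasses
# moderation, and senders are always told when their message is held.
Set-DistributionGroup -Identity 'Sales' `
    -ModerationEnabled $true `
    -ModeratedBy 'sales.manager@contoso.com' `
    -BypassModerationFromSendersOrMembers 'ceo@contoso.com' `
    -SendModerationNotifications Always

# Caveat from the Note: if Exchange Server 2007 Hub Transport servers are still
# present, pin expansion to an Exchange Server 2010 server so a 2007 server
# cannot expand the group and deliver the message unmoderated.
Set-DistributionGroup -Identity 'Sales' -ExpansionServer 'VAN-EX1'

# Mailbox (or contact) moderation: the cmdlet the demonstration Note refers to.
Set-Mailbox -Identity 'finance.shared' `
    -ModerationEnabled $true `
    -ModeratedBy 'finance.lead@contoso.com'

# Step 5: moderation driven by a transport rule rather than a recipient setting,
# with the same bypass expressed as an exception.
New-TransportRule -Name 'Moderate mail to Sales' `
    -SentTo 'sales@contoso.com' `
    -ModerateMessageByUser 'sales.manager@contoso.com' `
    -ExceptIfFrom 'ceo@contoso.com'

# Verify which recipients and which rules enforce moderation.
Get-DistributionGroup | Where-Object { $_.ModerationEnabled } |
    Format-Table Name, ModeratedBy, BypassModerationFromSendersOrMembers, ExpansionServer
Get-TransportRule | Where-Object { $_.ModerateMessageByUser } |
    Format-Table Name, SentTo, ModerateMessageByUser, ExceptIfFrom
```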

Question: Will you deploy moderated transport in your organization? If so, where would you use it?


Lesson 3 Configuring Journaling and Multi-Mailbox Search

Message journaling and Multi-Mailbox Search, second only to transport rules, are important components for enforcing messaging compliance. Message journaling allows you to automatically archive all messages that meet criteria that you specify. You can archive journaled messages to any SMTP address, including an Exchange mailbox, a Microsoft SharePoint® document library, or a third-party archiving solution. In addition to message journaling, Exchange Server 2010 also includes the Multi-Mailbox Search feature, which enables an authorized user to search all of the organization’s mailboxes based on specific criteria. This lesson describes how to configure and manage message journaling and Multi-Mailbox Search in Exchange Server 2010.


After completing this lesson, you will be able to:

• Describe message journaling options.

• Configure message journaling.

• Manage the message journal mailbox.

• Describe Multi-Mailbox Search.

• Configure Multi-Mailbox Search.


Message Journaling Options

Key Points

Journaling enables you to save copies of all e-mail messages in a collection mailbox when they are sent to, or from, specified mailboxes, contacts, or distribution-group members. You also can configure journaling based on messages sent to, or received from, mailboxes in a mailbox database, or configure journaling as part of a messaging-records management rule.

Messages that meet the journaling criteria are sent to the collection mailbox as a journal report. This report includes detailed information such as the recipient’s address, the sender’s address, and the message’s subject.


How Journal Rules Work

When you create a journal rule, the Journaling agent, which runs only on Hub Transport servers, monitors all messages sent through the server. When a message matches the journal rule criteria, the server forwards a copy of the message to a journal mailbox. You can configure the journal mailbox using any Exchange Server recipient. The recipient address can refer to another mailbox in the Exchange Server organization, a document library on a Microsoft Windows SharePoint Services site, or an address used by other third-party message-archival solutions.

Journal rules are based on message recipients and message senders. When you configure a journal rule, you can choose any Exchange Server recipient including mailbox users, contacts, or distribution groups. The Journaling agent sends to the journal mailbox a copy of all messages that the recipient sends or receives.

You also can configure the following three journal rule scopes to limit which messages the Journaling agent sends to the journal mailbox.

Scope Description

Internal Rules with this scope process messages sent and received by recipients inside the organization.

External Rules with this scope process messages sent to recipients or from senders outside the organization.

Global Rules with this scope process all messages that pass through a computer that has a Hub Transport server. These include messages that journal rules processed previously in the Internal and External scopes.

Journal rules configured on a Hub Transport server apply to the entire Exchange Server organization.

How Mailbox Database Journaling Works

You can also configure a journal mailbox for a mailbox database. When you assign a journal recipient for a mailbox database, all messages sent to or received from recipients with mailboxes in the database also are sent to the journal recipient.


How Messaging Records Management Journaling Works

When you configure MRM, you can configure managed content settings that apply policies that are located in user mailboxes. These managed content settings can specify retention or deletion time limits and specify actions to take when you reach the time limit. When you configure managed content settings, you can also configure a journal recipient so that all messages that match the criteria specified in the managed content settings also are sent to the journal mailbox.

Note: Mailbox database journaling is a standard journaling option and is the only option available for organizations with Exchange Standard Client Access Licenses (CALs). Journal rules and MRM journaling are premium journaling options. To use premium journaling, you must have Exchange Enterprise CALs.

Journal Reports

When a message meets the journal criteria, a journal report is sent to the SMTP address that the rule lists. The journal report is a new e-mail message that includes the original message, unaltered, as an attachment.

The information that the journal report contains is organized so that every value in each header field has its own line. The Journaling agent captures as much detail as possible about the original message. This information is important in determining the message’s intent, its recipients, and its senders. For example, how the message identifies recipients (directly addressed in the To field or the Cc field, or included in a distribution list) may determine how the recipient is involved in the discussion occurring in the message.

For more information about the journal report, refer to the CD content.


Demonstration: How to Configure Message Journaling

Key Points

In this demonstration, you will review how to configure a message journaling rule using the Exchange Management Console. You can configure journaling rules by using either the Exchange Management Console or the Exchange Management Shell.

To configure journal rules with the Exchange Management Shell, use the following cmdlets:

• Enable-JournalRule

• Disable-JournalRule

• Get-JournalRule

• Set-JournalRule

• New-JournalRule

• Remove-JournalRule


Demonstration Steps

1. In Exchange Management Console, under Organization Configuration, click Hub Transport.

2. Create a new journal rule. Specify a name for the rule, and a journal mailbox. A copy of all messages that the rule affects will be sent to the journal mailbox.

3. Specify the journal rule scope and recipients. The scope defines whether only internal or only external messages, or both, will be journaled. All messages that the recipient sends or receives are journaled.

4. Send a test message to a journal recipient. Log on to the journal recipient mailbox, and then reply to the message.

5. Log on to the journal mailbox and confirm that the journal mailbox contains a journal report for both the sent message and the reply message.
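The journal rule from steps 2 and 3, created with the Exchange Management Shell cmdlets listed above, after preparing the journal mailbox so it cannot start rejecting reports on quota, as an added example that is not part of the course text. Mailbox, group and database names are constructed.

```powershell
# Added example, not from the course text. Mailbox, group and database names
# are constructed.

# 1. Prepare the journal mailbox: no storage quota (a full journal mailbox
#    rejects reports, which then sit in Hub Transport queues), and hidden from
#    the address lists so it does not attract ordinary mail.
Set-Mailbox -Identity 'journal' `
    -IssueWarningQuota Unlimited `
    -ProhibitSendQuota Unlimited `
    -ProhibitSendReceiveQuota Unlimited `
    -HiddenFromAddressListsEnabled $true

# 2. Premium journaling: a journal rule for one recipient (here a group, so
#    every member's mail to or from the group is covered) with Global scope,
#    that is, internal and external messages alike.
New-JournalRule -Name 'Journal Sales Group' `
    -JournalEmailAddress 'journal@contoso.com' `
    -Scope Global `
    -Recipient 'sales@contoso.com' `
    -Enabled $true

# Standard journaling as the alternative: every mailbox in one database.
Set-MailboxDatabase -Identity 'Mailbox Database 1' -JournalRecipient 'journal@contoso.com'

# 3. Verify the rule is enabled and the mailbox settings took effect. After the
#    test message and reply from steps 4-5, the journal mailbox should hold two
#    reports, each with the original message attached unaltered.
Get-JournalRule | Format-Table Name, Enabled, Scope, Recipient, JournalEmailAddress -AutoSize
Get-Mailbox -Identity 'journal' |
    Format-List ProhibitSendReceiveQuota, HiddenFromAddressListsEnabled
```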

Question: What are the advantages and disadvantages of using the Exchange Server 2010 message journaling feature?


Considerations for Managing the Message Journal Mailbox

Key Points

In a large organization, or if you configure journaling for a large number of users, the journal mailbox can grow very rapidly. Additionally, the journal mailbox may contain highly confidential information that should not be accessible to most users. This means that you will need to develop policies for managing the journal mailbox.

Using a SharePoint Document Library for Journaling

You can configure SharePoint document libraries with SMTP addresses that will accept e-mail messages. In Exchange Server, you can configure a custom recipient using the SharePoint document library e-mail address, and then configure journaling to use the custom recipient as the journal recipient.


Considerations for Managing the Journal Mailbox Size

When configuring a journaling mailbox to accept journal reports, you must determine the maximum size of the journaling mailbox. As with any other mailbox, the maximum size depends on the data that the mailbox will store, the hardware resources that are available, and the disaster-recovery capabilities for the server that contains the journaling mailbox. Additionally, you also must consider what will occur if a journaling mailbox exceeds the configured mailbox quota.

Avoid using the Prohibit send and receive at (KB) option to set the journaling mailbox’s storage limit. When the mailbox exceeds the specified quota, it stops accepting journal reports. When this happens, NDRs are not sent to users or administrators; instead, the rejected journal reports are queued on Hub Transport servers. To reduce the possibility that your journaling mailbox will reject journal reports because it has reached its storage quota, either avoid configuring this option or set the journaling mailbox’s storage quota to the maximum size that your hardware resources and disaster-recovery capabilities allow. If you back up the mailbox daily, consider specifying an MRM rule to remove backed-up messages regularly.

Considerations for Managing Journal Mailbox Security

Security is an important consideration when managing the journal mailbox. Journaling mailboxes may contain sensitive information. You must secure journaling mailboxes because they collect messages that your organization’s recipients send and receive, and those messages may be part of legal proceedings or subject to regulatory requirements. Create policies that govern who can access your organization’s journaling mailboxes and limit access to only those individuals who have a direct need for access. Ensure that legal representatives approve your plan to ensure that your journaling solution complies with all the laws and regulations that apply to your organization.


What Is Multi-Mailbox Search?

Key Points

Many organizations need to be able to search mailboxes for specific content while performing compliance audits. By using the Exchange Server 2010 Multi-Mailbox Search feature, organizations can now easily search all user mailboxes.

How Multi-Mailbox Search Works

In Exchange Server 2010, the mailbox search functionality is available through the Multi-Mailbox Search feature in the ECP. The Multi-Mailbox Search feature allows you to search multiple mailboxes for mailbox items (including e-mail, attachments, Calendar items, Tasks, and Contacts) across both primary and archive mailboxes. Advanced filtering capabilities include: sender, recipient, expiry policy, message size, sent/received date, cc/bcc, and regular expressions.


Multi-Mailbox Search uses the content indexes that Exchange Search creates. Having a single content-indexing engine ensures no additional resources are utilized for crawling and indexing mailbox databases when information technology (IT) departments receive discovery requests.

Discovery Management Role

A user who is a member of the Discovery Management role group can perform a Multi-Mailbox Search. The Discovery Management role group is a universal security group that is created in Active Directory Domain Services (AD DS) during the Exchange Server 2010 installation. The Discovery Management role group is assigned the Mailbox Search management role, which has permission to search all mailboxes in the organization.

Note: Exchange Server 2010 uses Role Based Access Control (RBAC) to define what actions users can perform in the Exchange Server organization. RBAC uses management roles and management role groups to manage these permissions. For more information on management roles and management role groups, see Module 10.

Viewing Search Results

Multi-Mailbox Search copies the search results to the Discovery Search Mailbox. It creates a new folder in the target mailbox that bears the same name as the search, with a subfolder for each source mailbox that was searched. Additionally, it copies messages that the search returns to the corresponding folder in the target mailbox.


Demonstration: How to Configure Multi-Mailbox Search

Key Points

In this demonstration, you will review how to configure Multi-Mailbox Search. To use the Multi-Mailbox Search feature, you must add the users who will perform the search to the Mailbox Search management role. The easiest way to do this is to add the user to the Discovery Management universal security group in AD DS. The user then can use the ECP to search for messages based on multiple criteria.

Demonstration Steps

1. In Active Directory Users and Computers, add the user or group that will perform Discovery searches to the Discovery Management group.

2. Send a message with a key word or phrase in it. You will be searching on this key word or phrase.

3. Connect to the Exchange Control Panel on a Client Access server using the account that will perform the search.


4. On the Reporting tab, under Multi-Mailbox Search, configure the search parameters.

5. Select the Send me an e-mail when the search is done check box, and then start the search.

6. Open the e-mail indicating the search is finished, and then click the Discovery Search Mailbox link.

7. Review the messages located by the search.
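The same demonstration can be driven from the Exchange Management Shell, which is useful when searches must be scripted or their completion checked without waiting for the notification e-mail. The script below is an added example, not a step from the course: the MailboxAuditor account, the search name, the source mailboxes and the search phrase are assumed values taken from this module’s lab, the target is the default Discovery Search Mailbox, and the polling function is a helper written for this example.

```powershell
# Added example (not from the course text): the Multi-Mailbox Search demonstration
# performed from the Exchange Management Shell. Names and the phrase are assumed.
$SearchName = 'Customer Number Discovery'   # assumed search name
$Phrase     = '"customer number"'           # assumed key phrase, quoted for an exact match

# Step 1: membership in the Discovery Management role group grants the Mailbox Search role.
Add-RoleGroupMember -Identity 'Discovery Management' -Member 'MailboxAuditor'

# Confirm the membership before anyone relies on it.
Get-RoleGroupMember -Identity 'Discovery Management' | Select-Object Name

# Steps 4 and 5: create the search. Results are copied to the Discovery Search Mailbox
# and a status mail is sent to the auditor. The search starts as soon as it is created.
New-MailboxSearch -Name $SearchName `
    -SourceMailboxes 'George Schaller','Luca Dellamore' `
    -SearchQuery $Phrase `
    -TargetMailbox 'Discovery Search Mailbox' `
    -StatusMailRecipient 'MailboxAuditor' `
    -LogLevel Full

# Step 6: poll the search status instead of waiting for the e-mail. Written for the
# PowerShell 2.0 host that the Exchange 2010 shell runs on.
function Wait-MailboxSearchCompletion {
    param([string]$Name, [int]$TimeoutSeconds = 600)
    $finished = 'Succeeded', 'PartiallySucceeded', 'Failed', 'Stopped'
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $search = Get-MailboxSearch -Identity $Name
        if ($finished -contains $search.Status.ToString()) { return $search }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Search '$Name' did not finish within $TimeoutSeconds seconds"
}

# Step 7: the result summary; the copied items are then reviewed in the target mailbox.
Wait-MailboxSearchCompletion -Name $SearchName |
    Format-List Name, Status, ResultNumber, ResultSize, PercentComplete
```

Because every search is recorded as a mailbox search object, `Get-MailboxSearch` with no parameters also gives auditors and administrators a list of all discovery searches that have been created, which is worth reviewing as part of the access policy for discovery.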


Lab A: Configuring Transport Rules, Journal Rules, and Multi-Mailbox Search

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-CL1 virtual machines are running:

• 10135A-VAN-DC1: Domain controller in the Adatum.com domain.

• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.

• 10135A-VAN-CL1: Client computer in the Adatum.com domain.

3. If required, connect to the virtual machines. Log on to VAN-DC1, and VAN-EX1 as Adatum\Administrator using the password Pa$$w0rd.

4. Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.


Lab Scenario

You are a messaging administrator in A. Datum Corporation. Your organization has deployed Exchange Server 2010.

The legal and audit departments at A. Datum provided you with several requirements for implementing messaging policy and compliance. These requirements include applying rights protection to some messages sent inside and outside the organization, restricting message flow based on message classifications, and restricting which messages are sent to critical distribution lists. You also must ensure that you establish a separate and secure mailbox in which to retain all messages that the legal department sends and receives.


Exercise 1: Configuring Transport Rules

Scenario

A. Datum Corporation is completing its Exchange Server 2010 deployment and is preparing to implement messaging policies to manage e-mail messages in transit and in user mailboxes. The project sponsors have developed the following requirements for transport rules:

• All messages sent to users on the Internet must have a disclaimer that the legal department approves.

• Messages with an “Internet Confidential” classification must not be sent to the Internet.

• The transport rule should apply the Do Not Forward AD RMS template to all messages with the words “confidential” or “private” in the subject.

• A member of the Marketing group must approve all messages sent to the All Company distribution list before the message is delivered.

The main tasks for this exercise are:

1. Create a transport rule that adds a disclaimer to all messages sent to the Internet.

2. Enable message classifications for Outlook 2007 clients.

3. Create a transport rule that blocks all messages with an Internet Confidential classification from being sent to the Internet.

4. Enable AD RMS integration for the organization.

5. Configure a transport rule that applies the Do Not Forward AD RMS template to all messages with the words “confidential” or “private” in the subject.

6. Configure a moderated group.

7. Test the transport rule configuration.


To start the lab, complete the following steps:

1. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. Expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

3. In the Actions pane, click New Send Connector.

4. On the Introduction page, type Internet Connector as the connector name. In the Select the intended use for this Send connector drop-down list, click Internet, and then click Next.

5. On the Address space page, click Add.

6. In the Address field, type *, click OK, and then click Next.

7. On the Network settings page, click Route mail through the following smart hosts, and click Add.

8. In the IP address field, type 10.10.0.10, click OK, and then click Next.

9. On the Configure smart host authentication settings page, click Next.

10. On the Source Server page, click Next, click New, and then click Finish.

Task 1: Create a transport rule that adds a disclaimer to all messages sent to the Internet

• On VAN-EX1, create a new transport rule with the following settings:

• Name: Internet E-Mail Disclaimer

• Conditions: Sent to users outside the corporation

• Actions: Add a disclaimer

• Disclaimer text: This e-mail is intended solely for the use of the individual to whom it is addressed


Task 2: Configure and enable message classifications for Outlook 2007 clients

1. On VAN-EX1, use the New-MessageClassification -Name CompanyConfidential -DisplayName "Company Confidential" -SenderDescription "Do not forward to the Internet" cmdlet to configure a new message classification.

2. Use the Export-Classification.ps1 script in the C:\Program Files\Microsoft\Exchange Server\v14\scripts folder to export the message classifications to the C:\Classifications.xml file.

3. Copy the Classifications.xml file to drive C on VAN-CL1.

4. On VAN-CL1, import the EnableClassifications.reg file from \\van-ex1\d$\Labfiles.

Task 3: Create a transport rule that blocks all messages with a Company Confidential classification from being sent to the Internet

• Create a new transport rule with the following settings:

• Name: Company Confidential Rule

• Condition: Marked with classification Company Confidential

• Actions: Send rejection message to sender with enhanced status code

• Rejection message text: Company confidential e-mail messages cannot be sent to the Internet

• Enhanced status code: 5.7.1

Task 4: Enable AD RMS integration for the organization

1. On VAN-DC1, grant the Exchange Servers group and the IIS_IUSRS group Read and Execute permissions on the C:\inetpub\wwwroot\_wmcs\certification\servercertification.asmx file.

2. Restart IIS on VAN-DC1.

3. On VAN-EX1, use the Set-IRMConfiguration -InternalLicensingEnabled $true cmdlet to enable AD RMS encryption.


Task 5: Configure a transport rule that applies the Do Not Forward AD RMS template to all messages with the words “confidential” or “private” in the subject

• Create a new transport rule with the following settings:

• Name: Confidential E-Mail Rule

• Condition: Where the subject contains the words Confidential or Private

• Actions: Protect the message with the Do Not Forward template

Task 6: Configure a moderated group

1. On VAN-EX1, configure the All Company distribution group to require moderation.

2. Configure Andreas Herbinger as the group’s moderator.

Task 7: Test the transport rule configuration

1. On VAN-CL1, verify that you are logged on as Adatum\Luca, and then open Office Outlook 2007.

2. Send two messages to [email protected]. The first message should contain no settings, and the second message should have the Internet Confidential message classification assigned.

3. On VAN-DC1, open Windows Explorer. Browse to the C:\inetpub\mailroot\queue folder. Open the EML file with Notepad. Scroll to the middle of the message, and verify that the disclaimer has been added to the message.

4. On VAN-CL1, confirm that Luca received a message from the postmaster account stating that the second message could not be delivered.

5. In Outlook, create a new message, and send it to the All Company distribution group.

6. Connect to the Outlook Web App site on VAN-EX1. Log on as Andreas. Approve the message.


7. In Outlook, verify that the message to the All Company distribution list has arrived.

8. In Outlook Web App, logged on as Andreas, create a new message with a subject of Private. Send the message to Luca.

9. In Outlook, verify that Luca received the message and that it has the Do Not Forward template applied. Verify that the Forward option is not available on the message.

Results: After this exercise, you should have configured a transport rule that ensures that all messages sent to users on the Internet include a disclaimer that the legal department approves. Additionally, you should have configured a transport rule that ensures that messages with a “Company Confidential” classification are not sent to the Internet, and you should have configured a transport rule that applies the Do Not Forward AD RMS template to all messages with the words “confidential” or “private” in the subject. Lastly, you should have configured a moderated group using the All Company distribution group.
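The whole of Exercise 1 can also be scripted in the Exchange Management Shell, which makes the configuration repeatable and reviewable. The following script is an added example and is not the course’s own procedure; rule, classification and group names follow the lab, the “Do Not Forward” template is the built-in IRM template, and the Company Confidential rule is scoped to external recipients here (the lab’s task lists only the classification condition) so that it matches the stated requirement of blocking such mail to the Internet. The script file path is the one the lab gives.

```powershell
# Added example (not the course's own steps): Exercise 1 from the Exchange Management
# Shell on VAN-EX1. Names follow the lab; the external-recipient scope on the
# classification rule is an addition that matches the exercise's requirement.

# Task 1: append a disclaimer to every message leaving the organization.
New-TransportRule -Name 'Internet E-Mail Disclaimer' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText 'This e-mail is intended solely for the use of the individual to whom it is addressed' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Task 2: the classification Outlook 2007 clients will apply, exported for the client.
New-MessageClassification -Name CompanyConfidential `
    -DisplayName 'Company Confidential' `
    -SenderDescription 'Do not forward to the Internet'
& 'C:\Program Files\Microsoft\Exchange Server\v14\scripts\Export-Classification.ps1' > C:\Classifications.xml

# Task 3: reject classified messages addressed outside the organization with a 5.7.1 status.
New-TransportRule -Name 'Company Confidential Rule' `
    -HasClassification 'CompanyConfidential' `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText 'Company confidential e-mail messages cannot be sent to the Internet' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Task 4: enable internal licensing so transport rules can apply AD RMS templates,
# then check the IRM configuration end to end for a real sender before relying on it.
Set-IRMConfiguration -InternalLicensingEnabled $true
Test-IRMConfiguration -Sender (Get-Mailbox -Identity Luca).PrimarySmtpAddress.ToString()

# Task 5: rights-protect messages whose subject contains either word.
New-TransportRule -Name 'Confidential E-Mail Rule' `
    -SubjectContainsWords 'Confidential','Private' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Task 6: moderation for the All Company group, with the moderator named in the lab.
Set-DistributionGroup -Identity 'All Company' `
    -ModerationEnabled $true `
    -ModeratedBy 'Andreas Herbinger' `
    -SendModerationNotifications Always

# Task 7 (verification): rules in the order the Hub Transport server evaluates them.
Get-TransportRule | Sort-Object Priority | Format-Table Name, Priority, State -AutoSize
```

Rule priority matters when testing: a message that matches both the rejection rule and the disclaimer rule is rejected only if the rejection rule is evaluated first, so check the priority column before sending the test messages in Task 7.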


Exercise 2: Configuring Journal Rules and Multi-Mailbox Search

Scenario

In addition to requirements restricting message flow, the project sponsors at A. Datum Corporation also have the following requirements for saving messages and enabling auditors to search all mailboxes:

• A copy of all messages sent to and from the Executives group will be saved. The journal mailbox should be accessible only with a special auditor account.

• Implement an auditor account that has permission to search all user mailboxes and access the journaled Executive messages.

The main tasks for this exercise are:

1. Create a mailbox for the Executives department journaling messages.

2. Create a journal rule that saves a copy of all messages sent to and from Executives department members.

3. Create and configure the MailboxAuditor account.

4. Test the journal rule and Multi-Mailbox Search configuration.

Task 1: Create a mailbox for the Executives department journaling messages

• Create a new recipient with the following attributes:

• First name: Executives Journal Mailbox

• User Logon name (User Principal Name): ExecutivesJournal

• Password: Pa$$w0rd

• Create the mailbox in Mailbox Database 1


Task 2: Create a journal rule that saves a copy of all messages sent to and from Executives department members

• Create a new journal rule with the following attributes:

• Rule name: Executives Department Message Journaling

• Journal mailbox: Executives Journal Mailbox

• Scope: Global

• Recipient: Executives distribution group

Task 3: Create and configure the MailboxAuditor account

1. Create a new recipient with the following attributes:

• First name: Mailbox Auditor

• User Logon name (User Principal Name): MailboxAuditor

• Password: Pa$$w0rd

• Create the mailbox in Mailbox Database 1

2. Grant the Mailbox Auditor account full access to the Executives Journal Mailbox and Discovery Management Mailbox mailboxes.

3. Add the Mailbox Auditor account to the Discovery Management Active Directory group.

Task 4: Test the journal rule and Multi-Mailbox Search configuration

1. On VAN-CL1, if required, open Outlook.

2. Create a new message, and then send it to Marcel Truempy. Marcel is a member of the Executives group.

3. Connect to Outlook Web App as Marcel, and confirm that the message was delivered. Reply to the message.

4. Connect to Outlook Web App as MailboxAuditor. Right-click Mailbox Auditor, and then click Open Other User’s Inbox. Open the Executives Journal Mailbox and verify that the two journaled messages are in the Inbox.


5. In Outlook, send a message with the following properties:

• To: George; [email protected]

• Subject: Customer Order

• Message body: Here is the order for Carol at Contoso. Her customer number is 1111-1111.

6. Connect to the Exchange Control Panel as the MailboxAuditor.

7. Create a new search named Customer Number Discovery. Configure the search to look for the phrase “customer number” in George Schaller and Luca Dellamore’s mailboxes.

8. Wait until the search finishes, and then in the bottom right pane, click the Open link. In Outlook Web App, verify that the discovery folder named Customer Number Discovery contains two subfolders and contains the discovered messages.

Results: After this exercise, you should have created a mailbox for the Executives department journaling messages, and then created a journal rule that saves a copy of all messages sent to and from Executives department members. You also should have created and configured the MailboxAuditor account.
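Tasks 1 to 3 of this exercise, the journaling mailbox, the journal rule and the auditor account, can be provisioned from the Exchange Management Shell as shown below. This is an added example, not the course’s own procedure: mailbox, group and database names follow the lab, the Adatum.com domain is used for the user principal names, the password is read at the prompt rather than embedded in the script, and the search in Task 4 is then run through the ECP as the exercise describes.

```powershell
# Added example (not the course's own steps): Exercise 2, Tasks 1 to 3, from the Exchange
# Management Shell. Names follow the lab; UPN domain and password handling are assumed.
$Password = Read-Host -AsSecureString 'Password for the new accounts'

# Task 1: the journaling mailbox that will receive the Executives journal reports.
New-Mailbox -Name 'Executives Journal Mailbox' -Alias ExecutivesJournal `
    -UserPrincipalName 'ExecutivesJournal@Adatum.com' `
    -Database 'Mailbox Database 1' -Password $Password

# Task 2: journal every message sent to or from members of the Executives group.
# The rule's recipient is an SMTP address, so it is read from the group object.
$ExecutivesAddress = (Get-DistributionGroup -Identity Executives).PrimarySmtpAddress.ToString()
New-JournalRule -Name 'Executives Department Message Journaling' `
    -JournalEmailAddress 'Executives Journal Mailbox' `
    -Scope Global `
    -Recipient $ExecutivesAddress `
    -Enabled $true

# Task 3: the auditor account, its Full Access to both mailboxes, and the
# Discovery Management membership that grants the Mailbox Search role.
New-Mailbox -Name 'Mailbox Auditor' -Alias MailboxAuditor `
    -UserPrincipalName 'MailboxAuditor@Adatum.com' `
    -Database 'Mailbox Database 1' -Password $Password

foreach ($target in 'Executives Journal Mailbox', 'Discovery Search Mailbox') {
    Add-MailboxPermission -Identity $target -User MailboxAuditor `
        -AccessRights FullAccess -InheritanceType All
}
Add-RoleGroupMember -Identity 'Discovery Management' -Member MailboxAuditor

# Task 4 (verification): the rule is enabled, and the journal mailbox item count rises
# after the test messages in steps 2 and 3 have been sent.
Get-JournalRule -Identity 'Executives Department Message Journaling' |
    Format-List Name, Enabled, Scope, Recipient, JournalEmailAddress
Get-MailboxStatistics -Identity 'Executives Journal Mailbox' | Select-Object ItemCount
```

Keeping the auditor’s access as explicit mailbox permissions plus role-group membership, rather than by giving the auditor the journaling mailbox’s password, means the access can be listed and revoked with `Get-MailboxPermission` and `Remove-RoleGroupMember` without touching the mailbox account itself.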

To prepare for the next lab

• Do not shut down the virtual machines and revert them to their initial state when you finish this lab. The virtual machines are required to complete this module’s last lab.


Lesson 4 Configuring Messaging Records Management

An important requirement for many organizations is managing the e-mail stored in users’ mailboxes. In some cases, organizations may need to retain some messages while deleting others after a specified time. Exchange Server 2010 uses MRM to implement this functionality through retention policies and managed folders. This lesson describes how to implement MRM in Exchange Server 2010.

After completing this lesson, you will be able to:

• Describe Retention Tags and retention policies.

• Configure Retention Tags and retention policies.

• Describe managed folders.

• Deploy managed folders.

• Implement managed custom folders and content settings.

• Identify options for implementing MRM.


What Are Retention Tags and Retention Policies?

Key Points

In Exchange Server 2010, you use Retention Tags to tag messages or folders for retention or deletion. Each Retention Tag is associated with one or more managed content settings, which define the time for which items are retained, and what will happen when the retention period expires. You can associate multiple Retention Tags with a retention policy, which then is assigned to a user mailbox.

Retention Tags

Use Retention Tags to apply retention settings to mailbox folders and individual items. The following types of Retention Tags are available:

• Retention Policy Tags: Retention Policy Tags are applied to default mailbox folders such as Inbox, Deleted Items, and Junk Mail. A Retention Policy Tag has one or more managed content settings associated with it for retaining messages of different types. It may have an additional managed content setting that specifies journaling settings.


• Default Policy Tag: A Default Policy Tag can be associated with a retention policy and applies to all items in the mailbox that do not have a Retention Tag explicitly applied to them, or that do not inherit a tag from the folder in which they reside. A Default Policy Tag can have more than one managed content setting associated with it, for different item types such as e-mail messages, voice mail, and Contacts. Additionally, it can also have a managed content setting that specifies journaling settings. You cannot have more than one Default Policy Tag associated with a retention policy.

• Personal Tags: Personal Tags are Retention Tags available to users as part of their retention policy. A user can opt-in to use additional Personal Tags using the ECP, and can apply them to folders or items in the mailbox. Personal Tags can have only one managed content setting for expiry of all message types.

Managed Content Settings

Managed content settings define settings for message retention and journaling. They are associated with Retention Tags. The content settings specify how long a message remains in a mailbox folder, and the action that Exchange Server should take when the message reaches the specified retention age.

You can also configure journal settings to ensure that all message copies with the associated Retention Tag are sent to another recipient.

Retention Policies

Retention policies group one or more Retention Tags and apply the tags to mailboxes. A retention policy consists of one or more Retention Policy Tags, a maximum of one Default Policy Tag, and any number of Personal Tags. You can link or unlink tags from a retention policy at any time.

You can apply Retention policies to mailboxes using the Exchange Management Shell or the ECP. A mailbox cannot have more than one retention policy.

Retention Policy Tags and Mailbox Folders

Retention Policy Tags apply to default folders as specified in the retention policy. Users cannot change the Retention Policy Tags associated with default folders. However, users can apply a different tag to an item in a default folder, thereby causing the item to have a different retention setting than the folder in which it resides. Similarly, an item in a user-created folder can also have a different tag than the folder within which it resides.


What Is AutoTagging?

Key Points

AutoTagging is an Exchange Server 2010 feature that optimizes the use of Retention Tags by automatically applying Retention Tags to items based on past user behavior.

Based on User Behavior

AutoTagging uses a machine-learning algorithm that tracks users’ tagging behavior. Given a sampling that is large enough for it to learn, AutoTagging can predict the user’s tagging behavior from the sampling. The user must have manually tagged a minimum of 500 e-mail messages for AutoTagging to start learning. The AutoTagging algorithm inspects message characteristics, content, and the user-assigned Retention Tags, and creates a model to predict the user’s tagging behavior. Once learning is complete, AutoTagging automatically assigns the appropriate Retention Tags to new items as they arrive.


User Management of AutoTagging

Users can enable AutoTagging from the ECP. The mailbox should have at least 500 messages tagged before AutoTagging is enabled. You also can use cmdlets to enable or disable AutoTagging for one or more mailboxes, and to determine the AutoTagging status of users.

Users can disable AutoTagging at any time. They also can override the Retention Tag automatically applied to a message by applying a different tag that may be more appropriate, or they can move a message to a folder to which a tag is applied. User-applied tags always take precedence, and AutoTagging never alters them.

Administrative Control

Regardless of whether a user or administrator enables AutoTagging on a mailbox, Exchange Server 2010 lets the administrator control AutoTagging functionality, as necessary. Administrators can enable or disable AutoTagging for a mailbox. To do this, use the Set-MailboxComplianceConfiguration -Identity <user> -RetentionAutoTaggingEnabled cmdlet with a value of $true or $false.
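The cmdlet above acts on one mailbox at a time. The following added example (not from the course text) wraps it so that AutoTagging can be enabled or disabled for every mailbox in an organizational unit and the resulting status reported; the OU path is an assumed value based on this module’s lab, and the function name is chosen for this example.

```powershell
# Added example (not from the course text): bulk control and reporting of AutoTagging.
# The OU path is assumed; Set-/Get-MailboxComplianceConfiguration are the Exchange 2010 cmdlets.
function Set-AutoTaggingForOU {
    param(
        [string]$OrganizationalUnit,
        [bool]$Enabled = $true
    )
    # Remember that AutoTagging only starts learning once a user has tagged at least
    # 500 messages; enabling it earlier is harmless but has no immediate effect.
    Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited |
        ForEach-Object {
            Set-MailboxComplianceConfiguration -Identity $_.Identity `
                -RetentionAutoTaggingEnabled $Enabled
        }
}

function Get-AutoTaggingReportForOU {
    param([string]$OrganizationalUnit)
    Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited |
        ForEach-Object { Get-MailboxComplianceConfiguration -Identity $_.Identity } |
        Select-Object Identity, RetentionAutoTaggingEnabled
}

# Enable for the Accounting OU (assumed path), then list the status for review.
Set-AutoTaggingForOU -OrganizationalUnit 'Adatum.com/Accounting'
Get-AutoTaggingReportForOU -OrganizationalUnit 'Adatum.com/Accounting' | Format-Table -AutoSize

# Disabling again for the same OU is the same call with -Enabled $false.
# Set-AutoTaggingForOU -OrganizationalUnit 'Adatum.com/Accounting' -Enabled $false
```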


Demonstration: How to Configure Retention Tags and Policies

Key Points

In this demonstration, you will review how to configure the three types of Retention Tags, and how to configure content settings for the Retention Tags. Then you will see how to combine the Retention Tags into a retention policy and how to assign the retention policy to a user.

Demonstration Steps

Use the following cmdlets to configure Retention Tags and policies:

• New-RetentionPolicyTag DefaultTag -Type All -MessageClass * -RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction PermanentlyDelete -IsPrimary $true

This cmdlet creates a new Default Policy Tag named DefaultTag that applies to all folders. Its content settings will apply to all messages that do not have another Retention Tag assigned to them, and will permanently delete those messages after 365 days.


• New-RetentionPolicyTag InboxTag -Type Inbox -MessageClass * -AgeLimitForRetention 30 -RetentionEnabled $true -RetentionAction MoveToDeletedItems

This cmdlet sets a Retention Tag for the Inbox folder and configures a content setting to move all messages to the Deleted Items folder after 30 days.

• New-RetentionPolicyTag "Business Critical" -Type Personal -MessageClass * -AgeLimitForRetention 1100 -RetentionEnabled $true -RetentionAction MoveToArchive

This cmdlet creates a Personal Tag named Business Critical that sets a retention period of about three years and moves the messages to the user archive mailbox when the retention period expires.

• New-RetentionPolicy AllTagsPolicy -RetentionPolicyTagLinks DefaultTag,InboxTag,"Business Critical"

This cmdlet creates a new retention policy named AllTagsPolicy, and adds all of the Retention Tags to the policy.

• Set-Mailbox Luca -RetentionPolicy AllTagsPolicy

This cmdlet assigns the AllTagsPolicy retention policy to Luca’s mailbox. Because a mailbox can have only one retention policy, this replaces any policy that was previously assigned.
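After the demonstration’s cmdlets have been run, the following added example (not part of the course) verifies what the policy will do to the mailbox and applies it immediately rather than waiting for the Managed Folder Assistant’s scheduled window. It assumes the tags, the AllTagsPolicy policy and the Luca mailbox exist exactly as created above; the report function is a helper written for this example.

```powershell
# Added example (not from the course text): verify a retention policy's linked tags and
# apply it to a mailbox now. Assumes the demonstration's tags, policy and mailbox exist.

# Resolve every tag a policy links to the settings that will act on the mailbox.
function Get-RetentionPolicyTagReport {
    param([string]$Policy)
    Get-RetentionPolicy -Identity $Policy |
        Select-Object -ExpandProperty RetentionPolicyTagLinks |
        ForEach-Object { Get-RetentionPolicyTag -Identity $_.Name } |
        Select-Object Name, Type, AgeLimitForRetention, RetentionAction, RetentionEnabled
}

Get-RetentionPolicyTagReport -Policy AllTagsPolicy | Format-Table -AutoSize

# Confirm which policy the mailbox carries; a mailbox holds at most one.
Get-Mailbox -Identity Luca | Format-List Name, RetentionPolicy

# Trigger the Managed Folder Assistant for this mailbox so that the tags are stamped
# on existing items now instead of during the next scheduled run.
Start-ManagedFolderAssistant -Identity Luca

# Count how many mailboxes in the organization have no retention policy at all, which
# is the population that no retention or deletion setting reaches.
$unassigned = @(Get-Mailbox -ResultSize Unlimited | Where-Object { $_.RetentionPolicy -eq $null })
"Mailboxes without a retention policy: $($unassigned.Count)"
```

The tag report is the thing to save with the change record: it shows in one table which folders will be swept, after how many days, and whether items are deleted or moved, which is what an auditor asks for when a retention policy is questioned.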

Question: Do you think you will implement retention policies?

Question: Which MRM option are you more likely to implement: managed custom or default folders, or retention policies?


What Are Managed Folders?

Key Points

In addition to retention policies, you can implement MRM by configuring managed folders. When you configure managed folders, you can configure managed content settings that specify how long to retain messages in specified e-mail folders. You can apply managed content settings to the default e-mail folders or to managed custom folders that you create in user mailboxes. You then can create managed folder mailbox policies that apply the content settings for a folder or group of folders to specified users.

Note: Exchange Server 2007 introduced managed folders, and Exchange Server 2010 supports managed folders that are configured in Exchange Server 2007.


Managed Folder Options

Use the following options when configuring managed folders:

• Configure content settings for the default folders that are created in all user mailboxes. When configuring content settings for the default folders, set restrictions on how long the folder retains messages. You can also use the Exchange Management Console to apply content settings to the entire Mailbox folder. The content settings applied to this folder will apply to all folders in the user mailbox, including folders they have created.

• Configure custom managed folders and then apply content settings to the custom folders. When creating a custom managed folder, you can add that folder to the user mailbox. You then can configure content settings to apply to that folder. This is a useful option when users require the same folder, and you need to manage the messages in the folder identically for all users.

Managed Content Setting Options

When you configure managed content settings, use the following options for configuring how users manage messages:

• Configure retention periods, which enable you to define how long content will remain in users’ mailboxes. You can configure these policies by content age and message type, such as voice mail or appointments.

• Configure what action occurs when the retention period expires. For example, you can configure messages to be deleted permanently, moved to the Deleted Items folder, or moved to another folder.

• Configure journal settings to ensure copies of all messages in the specified folder are sent to another recipient.

Managed Folder Mailbox Policies

Managed folder mailbox policies enable you to group managed folders and assign the managed folder settings to user accounts. For example, you might have created a managed content setting for the Inbox and the Sent Items folders, and a custom managed folder for a sales project. To apply these settings to users, you need to create a managed folder mailbox policy and assign the Inbox, Sent Items, and the custom managed folders to the policy. You then assign the policy to all of the users in the Sales department.


User Interaction with Messaging Records Management

When you create custom managed folders, users have to move e-mail messages from their Inbox to the appropriate folders. MRM policies are applied automatically to messages that users have moved. Users also can sort messages into the appropriate folders by using Outlook rules.

If you apply content settings to default folders in a user mailbox, no user interaction is necessary for the settings to apply to the folders.


Process for Deploying Managed Folders

Key Points

To implement MRM, you must complete the following steps:

1. Specify the folders to which you want to apply MRM. You can apply managed content settings to default folders in user mailboxes, or you can create managed custom folders in user mailboxes.

2. Specify the managed content settings for selected folders. When you configure content settings, you can configure options that define the message types you want to manage, how long to retain the messages, and what action to take when messages expire. You also can configure journaling settings that will save a copy of all messages in the folder.


3. Create a managed folder mailbox policy. You can use mailbox policies to group multiple managed folders.

4. Apply the managed folder mailbox policy to users’ mailboxes. By default, no managed folder mailbox policies are created or applied to user mailboxes.

5. Schedule the managed folder assistant to apply the changes to users’ mailboxes. The managed folder assistant creates managed folders in users’ mailboxes and applies managed content settings to them. By default, the managed folder assistant runs from 1 A.M. to 5 A.M. every day.


Demonstration: How to Implement Managed Custom Folders and Content Settings

Key Points

In this demonstration, you will review how to configure a managed custom folder, and then apply a content setting to the custom folder. You also will see how to configure a managed folder mailbox policy and apply it to a user account.

Demonstration Steps 1. In the Exchange Management Console, in the Organization Configuration

work area, click Mailbox.

2. Create a new managed custom folder using the following configuration:

• Name: Contoso Project

• Comment: All items related to Contoso Project should be posted here and will be retained for 2 years

3. Right-click the Contoso Project folder, and then create a new managed content setting with the following configuration:

• Name: Contoso Project Content Settings

• Message type: All Mailbox Content

• Length of retention period: 731

• Retention period starts: When item is moved to the folder

• Action to take at the end of the retention period: Permanently delete

• Journaling: Disabled

4. In the Actions pane, click New Managed Folder Mailbox Policy, and then create a new managed folder mailbox policy named Accounting Department Policy that includes the Contoso Project folder.

5. Assign the Accounting Department Policy to all users in the Accounting OU.

6. On the Mailbox server properties, schedule the Managed Folder Assistant to run during the current time.

7. Restart the Microsoft Exchange Mailbox Assistants service.

8. Use Outlook Web App to check the mailbox of an Accounting department member. Verify that the Contoso Project folder was created in the user’s mailbox.

Considerations for Implementing Messaging Records Management

Key Points

MRM policies deal primarily with message retention issues. By implementing MRM policies, you can ensure that certain messages are deleted from user mailboxes and that certain messages are retained for an extended period.

Note: MRM requires an Exchange Enterprise CAL for each mailbox on which it is enabled.

• Ensure that you have business and legal approval before configuring MRM policies. This is particularly important if you are configuring policies that will delete messages from user mailboxes.

• You can use retention policies and managed folder mailbox policies to group a collection of folders with associated Retention Tags or content settings. If different user groups in your organization have different requirements for MRM, you can create a unique policy for each user group that includes just the folders that should apply to those users.

• If your organization requires messages to be retained or managed based on projects, consider using managed custom folders to apply messaging records management policies. With managed custom folders, you can create the required folders in the mailboxes for all users associated with the projects, and then ensure appropriate management of the folder’s messages.

• If you want to automate the MRM process for all users, consider using retention policies and AutoTagging. With retention policies, you can set default tags that will be assigned to all folders, while providing users with the option of overriding the tags. With AutoTagging, you can further automate the process for managing Retention Tags to the extent that users no longer have to manage the tags.

• If you need to ensure that copies of some messages are retained for extended periods, consider using journaling as part of a content setting to ensure message retention. When you configure a content setting, you can add a journal location so that all messages that the content setting covers also are moved automatically to the journal location. With this as an option, you can consider deleting messages from user mailboxes.

• Use MRM policies to limit mailbox sizes. You can use MRM policies to remove old messages from folders such as the Deleted Items folder, or the Sent Items folder.

Lesson 5 Configuring Personal Archives

A compliance issue that many organizations must solve is that much of the information users receive by e-mail is not stored within the e-mail system. Because of mailbox size limits, many users move messages from their mailboxes to personal storage table (PST) files, where the messages are not backed up regularly, and where the messages are not available for discovery or indexing.

Exchange Server 2010 introduces Personal Archives as an option for ensuring that all messages are stored in a mailbox on an Exchange server. This lesson describes how to configure and manage Personal Archives in Exchange Server 2010.

After completing this lesson, you will be able to:

• Describe options for implementing mailbox archiving.

• Describe how Personal Archives work in Exchange Server 2010.

• Configure Personal Archives.

• Identify options for implementing Personal Archives.

Discussion: Options for Implementing Mailbox Archiving

Key Points

Some organizations have implemented mailbox archiving by using third-party products. These products provide different types of functionality and implement the functionality in different ways. In this discussion, you will review the mailbox archiving solutions that organizations have implemented.

Question: Do you have any archiving or journaling requirements in your organization?

Question: How are you currently meeting these requirements?

How Personal Archives Work in Exchange Server 2010

Key Points

Exchange Server 2010 provides Personal Archives as a feature that enables users to move their PST files back into the Exchange Server database. To implement a Personal Archive, create a second mailbox that the user can use to store messages that are no longer current, but which they may need to retain. The user can access this archive mailbox in Outlook 2010 or Microsoft Outlook Web App just like any other folder in the user mailbox.

How Personal Archives Work

To implement Personal Archives, the Exchange Server administrator creates a new archive mailbox for the users. You must create this mailbox in the same mailbox database as the user’s primary mailbox. You can create the archive mailbox when you create the primary mailbox, or add the archive mailbox later.

The archive mailbox appears as a folder in the user’s regular mailbox when the user accesses their mailbox by using Outlook 2010 or Outlook Web App. Users can then move their PST folders, or any other messages, into the archive mailbox simply by dragging and dropping e-mail into an archive folder.

One of the differences between the primary mailbox and the archive mailbox is that the archive mailbox is not cached on the client computer when you configure Outlook in cache mode. This decreases the mailbox cache size on the client, but also means that the user can access the mail in the mailbox only when connected to the Exchange server.

You can manage the archive mailbox through MRM policies. For example, you can configure retention policies that will move messages from the primary mailbox to the secondary mailbox based on the Retention Tags assigned to the primary mailbox folders. You can also configure retention policies for folders located in the archive mailbox.

Demonstration: How to Configure Personal Archives

Key Points

In this demonstration, you will review how to configure a Personal Archives mailbox for a user account. You will also see how to access the mailbox by using Outlook Web App.

Demonstration Steps

1. On VAN-EX1, in the Exchange Management Console, click Recipient Management, and then click Mailbox.

2. Right-click a mailbox, and then click Enable Archive.

3. On the mailbox properties, review the archive quota settings.

4. Use the Get-Mailbox cmdlet to view the mailbox settings. Review the ArchiveName and ArchiveQuota settings.

5. Verify that you cannot view the archive mailbox in Outlook 2007, but can see it through Outlook Web App.

Question: Will you implement Personal Archives in Exchange Server 2010?

Question: What are the benefits and disadvantages of the Personal Archives feature?

Considerations for Implementing Personal Archives

Key Points

Personal Archives provides an excellent opportunity for organizations to ensure that all messages in the e-mail system are stored in a location where the messages can be managed and accessed. However, deploying Personal Archives will also require careful planning to ensure that the implementation is a success.

In many organizations, some users may have several gigabytes of data stored in PST files. If all of these messages are moved into archive mailboxes, the amount of storage required for the mailbox databases will increase dramatically.

Some considerations for managing the implementation for Personal Archives include:

• Consider an incremental implementation for Personal Archives. If your storage infrastructure cannot handle implementing Personal Archives for all users, start by identifying the users that will benefit most from Personal Archives. This may include users with the most critical information currently stored in PST files, or it may include all executives in the organization.

• With the decrease in disk input/output (IO) per mailbox and the option of using database availability groups (DAGs) for high availability, Exchange Server 2010 enables some important new options for implementing storage. Because of the decrease in disk IO, it is now feasible to store mailbox databases on lower performance and less expensive disk arrays using SATA drives. Additionally, rather than depending on redundant disk arrays and backup to provide high availability, you can use DAGs to provide the required level of availability.

• You can also use MRM policies to manage the archive mailboxes. By configuring retention tags for the primary mailbox, you can ensure that messages are moved into the archive mailbox on a regular basis. You can also use retention tags to manage the messages in the archive mailbox.

• After you implement Personal Archives, you should consider removing the option for users to use PST files. You can start moving users away from using PST files by creating a Group Policy object that prevents new items from being added to existing PST files. Making PST files read-only gives users access to the PST files they may already have while encouraging them to keep the messages that they want to keep in their mailboxes. Eventually, you may want to create a GPO to remove access to PST files altogether.

Lab B: Configuring Messaging Records Management and Personal Archives

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.

2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-CL1 virtual machines are running.

• 10135A-VAN-DC1: Domain controller in the Adatum.com domain.

• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.

• 10135A-VAN-CL1: Client computer in the Adatum.com domain.

3. If required, connect to the virtual machines.

Lab Scenario

You are the messaging administrator for A. Datum Corporation. Your organization has deployed Exchange Server 2010.

The legal and audit departments at A. Datum provided you with several requirements for implementing messaging policy and compliance. These requirements include configuring rules that will ensure that some messages are retained for an extended period, while other messages are deleted when they expire. Finally, you must enable Personal Archives for all of the users in the Executives department.

Exercise 1: Configuring Messaging Records Management

Scenario

A. Datum Corporation also wants to ensure proper management of messages in the user mailboxes. The project sponsors have provided the following requirements:

• For all users, all messages in the default mailbox folders must be deleted after 90 days.

• All members of the Finance department require a custom folder in their mailbox that contains confidential messages related to finance. The messages in these custom folders must be retained for 180 days, after which the messages must be marked in Outlook as expired.

A. Datum Corporation would like to automate message management in user mailboxes. To test this implementation, the executives have approved a pilot project to use retention policies for the ITAdmins group.

The main tasks for this exercise are:

1. Create a managed custom mailbox folder named Executives Confidential.

2. Configure content settings for the Executives Confidential folder.

3. Configure content settings for all mailbox folders.

4. Configure a managed folder mailbox policy that applies to all users.

5. Configure a managed folder mailbox policy that applies to the Executives department.

6. Start the managed folder assistant process.

7. Test the managed custom folder implementation.

8. Configure Retention Tags and a retention policy.

9. Apply the retention policy to the Marketing group.

Task 1: Create a managed custom mailbox folder named Executives Confidential

• Create a new managed custom folder with the following attributes:

• Name: Finance Confidential.

• Comment: All confidential items related to Finance should be posted here. Messages in this folder are valid for 180 days.

• Do not allow users to minimize the comment in Outlook.

Task 2: Configure content settings for the Executives Confidential folder

• Create a new managed content settings object with the following attributes:

• Name: Executives Confidential Content Settings.

• Message type: All Mailbox Content.

• Messages are retained for 180 days after they have been moved to the managed folder.

• After the retention period ends, the messages should be marked in Outlook as past retention limit.

Task 3: Configure content settings for all mailbox folders

• Configure a new mailbox content setting object that applies to all folders in the default mailbox with the following attributes:

• Name: Mailbox Content Settings.

• Message type: All Mailbox Content.

• Messages will be retained for 90 days.

• Retention period starts when messages are delivered.

• Delete messages, and allow recovery.

Task 4: Configure a managed folder mailbox policy that applies to all users

1. Create a new managed folder mailbox policy with this attribute:

• Name: Default Policy – All Users

2. Associate the Entire Mailbox with the policy.

3. Use the following command to assign the policy to all users: Get-Mailbox | Set-Mailbox -ManagedFolderMailboxPolicy 'Default Policy – All Users'

Task 5: Configure a managed folder mailbox policy that applies to the Executives department

1. Create a new managed folder mailbox policy with the following attribute:

• Name: Executives Department Policy

2. Associate the Entire Mailbox and the Executives Confidential mailbox to this policy.

3. Use the following command to assign the new policy to the users in the Finance OU: Get-Mailbox | Where-Object {$_.DistinguishedName -ilike '*ou=executives,dc=adatum,dc=com'} | Set-Mailbox -ManagedFolderMailboxPolicy 'Executives Department Policy'

Task 6: Start the managed folder assistant process

1. Create a custom schedule for the managed folder assistant process to run from Monday 6:00 A.M. to Friday 6:00 P.M.

2. Stop and then start the Microsoft Exchange Mailbox Assistants service.

Task 7: Confirm that the managed custom folder is created for the Executives department users

1. In the Exchange Management Console, confirm that the managed folder mailbox policy is assigned to Marcel Truempy.

2. On VAN-EX1, open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa.

3. Log on as Adatum\Marcel with the password of Pa$$w0rd. Confirm that the Finance Confidential folder was created in Marcel’s mailbox.

Task 8: Configure Retention Tags and retention policies

• Use the following cmdlets to configure the Retention Tags and retention policy.

• New-RetentionPolicyTag DefaultTag -Type:All -MessageClass AllMailboxContent -RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction PermanentlyDelete -IsPrimary:$true

• New-RetentionPolicyTag InboxTag -Type:Inbox -MessageClass:* -AgeLimitForRetention:30 -RetentionEnabled:$true -RetentionAction:MoveToDeletedItems

• New-RetentionPolicyTag "Retain for Records" -Type:Personal -MessageClass:* -AgeLimitForRetention:1100 -RetentionEnabled:$true -RetentionAction:MoveToArchive

• New-RetentionPolicy AllTagsPolicy -RetentionPolicyTagLinks:DefaultTag,InboxTag,"Retain for Records"

Task 9: Apply the retention policy to the Marketing group

1. Use the following cmdlet to apply the retention policy to all users in the Marketing OU: Get-Mailbox | Where-Object {$_.DistinguishedName -ilike '*ou=Marketing,dc=adatum,dc=com'} | Set-Mailbox -RetentionPolicy AllTagsPolicy

2. Run the Start-ManagedFolderAssistant cmdlet.

3. Log on to Outlook Web App as Manoj. Verify that the retention policy tags are applied.

Results: After this exercise, you should have configured a managed folder policy that ensures that all messages in the default mailbox folders are deleted after 90 days. You also will have configured a custom managed folder to ensure that all members of the Executives department have a custom folder in their mailbox that will contain confidential messages. You also should have configured Retention Tags and retention policies for the Marketing group.
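Tasks 1 to 7 of this exercise, which are the same managed folder deployment process that the "Process for Deploying Managed Folders" topic and the demonstration earlier in this module walk through in the console, as one Exchange Management Shell script. This is an added example, not part of the course material; it assumes the lab's Adatum.com forest, the server VAN-EX1, the Executives OU and the mailbox of Marcel Truempy, and it uses Exchange Server 2010 SP1 syntax for Start-ManagedFolderAssistant.

```powershell
# Added example (not from the course): Exercise 1, Tasks 1-7, scripted in the
# Exchange Management Shell. Adatum.com, VAN-EX1, the Executives OU and the
# test mailbox are lab-specific assumptions; adjust them for your organization.

# Task 1: managed custom folder. MustDisplayCommentEnabled is the
# "do not allow users to minimize the comment in Outlook" option.
New-ManagedFolder -Name 'Finance Confidential' -FolderName 'Finance Confidential' `
    -Comment 'All confidential items related to Finance should be posted here. Messages in this folder are valid for 180 days.' `
    -MustDisplayCommentEnabled $true

# Task 2: content settings for the custom folder. The retention clock starts
# when an item is moved into the folder, and expired items are only marked,
# never removed, so nothing is lost if the folder receives the wrong items.
New-ManagedContentSettings -Name 'Executives Confidential Content Settings' `
    -FolderName 'Finance Confidential' -MessageClass '*' `
    -RetentionEnabled $true -AgeLimitForRetention 180 `
    -TriggerForRetention WhenMoved -RetentionAction MarkAsPastRetentionLimit

# Task 3: content settings for the built-in "Entire Mailbox" default folder.
# DeleteAndAllowRecovery keeps expired items recoverable from Deleted Items
# recovery for the database's deleted item retention window.
New-ManagedContentSettings -Name 'Mailbox Content Settings' `
    -FolderName 'Entire Mailbox' -MessageClass '*' `
    -RetentionEnabled $true -AgeLimitForRetention 90 `
    -TriggerForRetention WhenDelivered -RetentionAction DeleteAndAllowRecovery

# Task 4: policy for everyone, linked only to Entire Mailbox.
# -ResultSize Unlimited avoids silently stopping at the default 1000 mailboxes.
New-ManagedFolderMailboxPolicy -Name 'Default Policy – All Users' `
    -ManagedFolderLinks 'Entire Mailbox'
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -ManagedFolderMailboxPolicy 'Default Policy – All Users'

# Task 5: policy for the Executives OU, which also gets the custom folder.
# A mailbox holds exactly one managed folder mailbox policy, so this
# assignment replaces the default policy for these users rather than adding to it.
New-ManagedFolderMailboxPolicy -Name 'Executives Department Policy' `
    -ManagedFolderLinks 'Entire Mailbox', 'Finance Confidential'
Get-Mailbox -OrganizationalUnit 'adatum.com/Executives' -ResultSize Unlimited |
    Set-Mailbox -ManagedFolderMailboxPolicy 'Executives Department Policy'

# Task 6: custom assistant schedule (Day.HH:MM AM/PM-Day.HH:MM AM/PM),
# then restart the Mailbox Assistants service so the new schedule is read.
Set-MailboxServer -Identity VAN-EX1 `
    -ManagedFolderAssistantSchedule 'Mon.6:00 AM-Fri.6:00 PM'
Restart-Service MSExchangeMailboxAssistants

# Process one mailbox immediately instead of waiting for the schedule.
# Exchange 2010 SP1 syntax (Identity is a mailbox); on RTM the Identity is
# the Mailbox server, for example -Identity VAN-EX1.
Start-ManagedFolderAssistant -Identity 'Marcel Truempy'

# Task 7: verify the assignment and the folder from the server side.
Get-Mailbox -OrganizationalUnit 'adatum.com/Executives' -ResultSize Unlimited |
    Format-Table Name, ManagedFolderMailboxPolicy -AutoSize
# The custom folder exists only after the assistant has processed the mailbox.
Get-MailboxFolderStatistics -Identity 'Marcel Truempy' |
    Where-Object { $_.Name -eq 'Finance Confidential' } |
    Format-Table Name, FolderPath, ItemsInFolder -AutoSize
```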

Exercise 2: Configuring Personal Archives

Scenario

A. Datum Corporation is also concerned about the number of e-mails that some users are storing in PST files. In particular, some members of the Executives group have several gigabytes (GB) of data stored in PST files. To provide these users with larger mailboxes, the project team has agreed to provide the members of the Executives group with archive mailboxes. You need to configure the mailboxes for these users.

The main tasks for this exercise are:

1. Create an archive mailbox for all members of the Marketing group.

2. Verify that the archive mailbox was created for members of the Marketing group.

Task 1: Create an archive mailbox for all members of the Marketing group

• On VAN-EX1, in the Exchange Management Console, under Recipient Management, click Mailbox. Sort the mailbox list by organizational unit, select all of the users in the Marketing OU, and then create an archive mailbox for them.

Task 2: Verify that the archive mailbox was created for members of the Marketing group

• Log on to Outlook Web App as Manoj, and then verify that the archive mailbox was created.

Results: After this exercise, you should have configured archive mailboxes for all members of the Marketing group.
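This exercise, the "How to Configure Personal Archives" demonstration and the PST read-only Group Policy object from "Considerations for Implementing Personal Archives", as one Exchange Management Shell script. This is an added example and not course material; it assumes the lab's Adatum.com Marketing OU, a server that also has the Windows Server 2008 R2 GroupPolicy module, Outlook 2010 clients (the 14.0 policy key), and the quota values and GPO name are made up for the example.

```powershell
# Added example (not from the course): archive mailboxes for the Marketing OU,
# quotas, a server-side check, and the PST-restricting GPO from the
# considerations topic. OU paths, quota sizes and the GPO name are assumptions.

# Task 1: enable an archive for each Marketing mailbox that has none yet.
# ArchiveGuid stays all zeros until an archive exists, so the filter makes the
# script safe to re-run. The archive is created in the same mailbox database
# as the primary mailbox.
$marketing = Get-Mailbox -OrganizationalUnit 'adatum.com/Marketing' -ResultSize Unlimited
$marketing |
    Where-Object { $_.ArchiveGuid -eq [guid]::Empty } |
    ForEach-Object {
        Enable-Mailbox -Identity $_.Identity -Archive `
            -ArchiveName "Archive - $($_.DisplayName)"
    }

# Archive data lands in the same database storage as primary mailbox data, so
# set the quotas deliberately instead of leaving the database defaults.
# 10 GB / 9 GB are assumed pilot values, not figures from the course.
$marketing | Set-Mailbox -ArchiveQuota 10GB -ArchiveWarningQuota 9GB

# Task 2: verify from the server before asking users to check Outlook Web App.
Get-Mailbox -OrganizationalUnit 'adatum.com/Marketing' -ResultSize Unlimited |
    Format-Table Name, ArchiveName, ArchiveQuota, ArchiveWarningQuota -AutoSize

# Follow-up from the considerations topic: stop PST files from growing once
# the archives exist. PSTDisableGrow=1 under the Outlook 2010 (14.0) policy
# key makes existing PST files read-only; the later step of removing PST
# access altogether is the DisablePst value under the parent Outlook key.
Import-Module GroupPolicy
$gpo = New-GPO -Name 'Outlook - PST files read-only' `
    -Comment 'Marketing pilot: PST files read-only after archive enablement'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Office\14.0\Outlook\PST' `
    -ValueName 'PSTDisableGrow' -Type DWord -Value 1 | Out-Null
# Link to the same OU that received the archives, so nobody loses the ability
# to save mail before they have somewhere to keep it on the server.
New-GPLink -Name $gpo.DisplayName -Target 'OU=Marketing,DC=adatum,DC=com' | Out-Null
```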

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V™ Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.

Module Review and Takeaways

Review Questions

1. You need to ensure that a copy of all messages sent to a particular distribution group is saved. You only want copies of messages sent to the distribution group, not copies of all messages sent to individual members of the group. What should you configure?

2. You need to ensure that a user can search all Exchange Server organization mailboxes for specific content. What should you do? What user training will you need to provide?

3. You need to ensure that all messages related to a particular project are retained for three years. Users in your organization use both Outlook 2007 and Outlook 2010. What should you do?

Common Issues Related to Implementing Messaging Policies

Identify the causes of the following common issues and fill in the troubleshooting tips. For answers, refer to the relevant lessons in the module.

Issue: Transport rules that use regular expressions are not applied consistently.

Troubleshooting tip: If you are using a transport rule to check for information such as customer identification numbers or some other regular pattern of characters, ensure that your rule also checks for variations on the regular pattern. For example, if the customer identification number usually has dashes, you might also want to add the pattern without dashes to the rule.

Issue: Message recipients report that they are receiving error messages when they receive digitally signed messages from other users in the organization.

Troubleshooting tip: If you have a transport rule in place that modifies the message content, any digital signature attached to the message will be invalid and users will get an error message when they open the message. To avoid this, consider instructing users to add a disclaimer to all messages as part of their signature, and remove the transport rule.

Issue: After you implement a transport rule, users report that some of the messages they send to Internet recipients are not delivered and they do not receive notification of why the messages were not delivered.

Troubleshooting tip: Ensure that when you implement a transport rule that might affect message delivery, you configure an action in the transport rule that informs the user if the message cannot be delivered. Normally, you would do this with a bounce message.

Real-World Issues and Scenarios

1. The Exchange Server administrators at Contoso, Ltd., have implemented a custom message classification on the Exchange servers, but they notice that the custom classification is not available on the Outlook 2007 clients in the organization. What do they need to do?

2. A. Datum Corporation has deployed an AD RMS server, and users are using it to protect e-mail. However, users report that when they protect e-mail messages, users outside the organization cannot read the messages. What should A. Datum messaging administrators do?

3. Woodgrove Bank has implemented message journaling for all messages sent to and from the legal and compliance teams. These messages need to be available to auditors for seven years. The mailboxes used for journaling are growing rapidly. What should the messaging administrators at Woodgrove Bank do?

Best Practices Related to a Particular Technology Area in this Module

Supplement or modify the following best practices for your own work situations:

• Implementing messaging policies in Exchange Server 2010 can be complicated, and the optimal configuration will be different in every organization. However, it is critical that you start thinking about this issue now in order to implement the policies and configurations that will meet your organization's legal requirements.

• Implement messaging policies only after extensive testing in a lab environment. If you configure messaging policies incorrectly, you could potentially delete messages that should be retained, or disrupt message delivery. Additionally, some messaging policies may have unintended consequences. Because of this, be sure to test all messaging policies thoroughly, and implement the policies in the production environment incrementally.

• Planning messaging policies always involves discussions with legal and compliance personnel who may not understand how you can use Exchange Server to enforce messaging policies. Be prepared to explain what Exchange Server can and cannot do in terms that people who are not messaging experts can understand.

Module 10 Securing Microsoft® Exchange Server 2010

Contents:

Lesson 1: Configuring Role Based Access Control 10-3

Lesson 2: Configuring Security for Server Roles in Exchange Server 2010 10-23

Lesson 3: Configuring Secure Internet Access 10-28

Lab: Securing Exchange Server 2010 10-46

Module Overview

In many organizations, Microsoft Exchange Server 2010 provides a critical business function for both internal and external users. Additionally, many organizations expose at least a few of their Exchange servers to the Internet. For these reasons, it is important that you do what you can to secure the Exchange Server deployment. There are two components to securing your Exchange Server deployment: configuring administrative permissions appropriately and securing the Exchange Server configuration. This module describes how to configure permissions and secure Exchange Server 2010.

After completing this module, you will be able to:

• Configure role based access control (RBAC) permissions.

• Configure security for Exchange Server 2010 server roles.

• Configure secure Internet access.

Lesson 1 Configuring Role Based Access Control

Exchange Server 2010 uses the RBAC permissions model to restrict which administrative tasks users can perform on the Mailbox, Hub Transport, Unified Messaging, and Client Access server roles. With RBAC, you can control the resources that administrators can configure and the features that users can access. This lesson describes how to implement RBAC permissions in Exchange Server 2010, and how to configure permissions on Edge Transport servers.

After completing this lesson, you will be able to:

• Describe RBAC and management role groups.

• Identify Exchange Server 2010 built-in management role groups.

• Manage RBAC permissions.

• Configure custom management role groups.

• Describe management role assignment policies.

• Work with management role assignment policies.

• Manage permissions on Edge Transport servers.

What Is Role Based Access Control?

Key Points

RBAC is the new permissions model in Exchange Server 2010. With RBAC, you do not have to modify and manage access control lists (ACLs) on Exchange Server or Active Directory® Domain Services (AD DS) objects. In Exchange Server 2010, RBAC controls the administrative tasks that users can perform and the extent to which they can administer their own mailbox and distribution groups.

When you configure RBAC permissions, you can define precisely which Exchange Management Shell cmdlets a user can run and which objects and attributes the user can modify.

All Exchange Server administration tools, including Exchange Management Console, Exchange Management Shell, and Exchange Control Panel (ECP), use RBAC to determine user permissions. Therefore, permissions are consistent regardless of which tool you use.

RBAC Options

RBAC assigns permissions to users in two primary ways, depending on whether the user is an administrator or end user:

• Management role groups. RBAC uses management role groups to assign permissions to administrators. These administrators may require permissions to manage the Exchange Server organization or some part of it. Some administrators may require limited permissions to manage specific Exchange Server features, such as compliance or specific recipients.

To use management role groups, add users to the appropriate built-in management role group, or to a custom management role group. RBAC assigns each role group one or more management roles that define the precise permissions that RBAC grants to the group.

• Management role assignment policies. Management role assignment policies are used to assign end-user management roles. Role assignment policies consist of roles that control what users can do with their mailboxes or distribution groups. These roles do not allow management of features with which users are not associated directly.

Note: You also can use direct role assignment to assign permissions. Direct role assignment is an advanced method for assigning management roles directly to a user or Universal Security Group, without the need to use a role group or role assignment policy. Direct role assignments are useful when you need to provide a granular set of permissions to a specific user only. However, we recommend that you avoid using direct role assignment, as it is significantly more complicated to configure and manage.

Question: What requirements does your organization have for assigning Exchange Server permissions? Does your organization use a centralized or decentralized administration model? What special permissions will you need to configure?

What Are Management Role Groups?

Key Points Use management role groups to assign administrator permissions to groups of users. To understand how management role groups work, you need to understand their components.

Management Role Group Components Management role groups rely on several underlying components that together define how RBAC assigns permissions:

• Role holder. A role holder is a user or security group that you add to a management role group. When a user becomes a member of a management role group, RBAC grants that user all of the permissions that the group's management roles provide. You can add users to the group either in AD DS or Active Directory, or by using the Add-RoleGroupMember cmdlet.

• Management role group. The management role group is a universal security group that contains the users or groups that are role-group members. Management roles are assigned to the role group. The combination of all the roles assigned to a role group defines everything that its members can manage in the Exchange Server organization.

• Management role. A management role is a container for a group of management role entries. These entries define the tasks that users can perform once RBAC assigns them the role through a management role assignment.

• Management role entries. A management role entry is a cmdlet, together with the parameters the role may use, that you add to a management role. By adding cmdlets to a role as management role entries, you grant the right to manage or view the objects that those cmdlets act on. A role entry that omits a parameter withholds that parameter, so entries control not only which cmdlets a role holder can run but also which properties those cmdlets can change.

• Management role assignment. A management role assignment links a management role to a role group. Once you create a management role, you must assign it to a role group before the role holders can use it. Assigning a management role to a role group grants the role holders the ability to run the cmdlets that the management role defines.

• Management role scope. A management role scope is the scope of influence or impact that the role holder has once RBAC assigns a management role. When assigning a management role, use management scopes to restrict which objects that role can act on. Scopes can be based on servers, organizational units, recipient filters, and more. Without a custom scope, an assignment applies to the whole organization, so the scope is what keeps a delegated administrator from reaching mailboxes or servers outside their area.

For more information about management role groups, refer to the CD content.

Built-In Management Role Groups

Key Points Exchange Server 2010 includes several built-in role groups that you can use to provide varying levels of administrative permissions to user groups. You can add users to, or remove them from, any built-in role group. You also can add or remove role assignments to or from most role groups.

Role group and what its role holders can do:

• Organization Management. Role holders have access to the entire Exchange Server 2010 organization and can perform almost any task against any Exchange Server object.

• View-Only Organization Management. Role holders can view the properties of any object in the organization.

• Recipient Management. Role holders can create or modify Exchange Server 2010 recipients within the Exchange Server organization.

• UM Management. Role holders can manage the Unified Messaging features within the organization, such as Unified Messaging server configuration, Unified Messaging properties on mailboxes, prompts, and auto-attendant configuration.

• Discovery Management. Role holders can search mailboxes in the Exchange Server organization for data that meets specific criteria.

• Records Management. Role holders can configure compliance features, such as retention policy tags, message classifications, transport rules, and more.

• Server Management. Role holders have access to Exchange server configuration. They do not have access to administer recipient configuration.

• Help Desk. Role holders can perform limited recipient management.

• Public Folder Management. Role holders can manage public folders and public folder databases on Exchange servers.

• Delegated Setup. Role holders can deploy previously provisioned Exchange servers.

Treat membership in Organization Management and Discovery Management as highly privileged: the first can change anything in the organization, and the second can read the contents of any mailbox that a discovery search returns.

Note: All of these role groups are located in the Microsoft Exchange Security Groups OU in AD DS or Active Directory. This OU contains several other universal security groups that grant permissions to the Exchange server computer accounts.

Demonstration: Managing Permissions Using the Built-In Role Groups

Key Points In this demonstration, you will review how to manage RBAC permissions in Exchange Server 2010 by using the built-in role groups. You will see how to add users to the built-in role groups and how RBAC assigns the resulting permissions to the user accounts.

Demonstration Steps 1. In Active Directory Users and Computers, add a user or security group to the Recipient Management group.

2. Log on to an Exchange server using the delegated user account. Open the Exchange Management Console and the Exchange Management Shell.

3. Verify that the user has read access to the Exchange Server organization configuration.

4. Verify that the user cannot modify the settings on the Mailbox databases.

5. Verify that the user can modify the settings for mailboxes and distribution groups. Verify that the user account has permission to move mailboxes to another server.

6. In the Exchange Management Shell, run Get-ExchangeServer | FL to verify that the user has Read permission to the Exchange server information.

7. Use the Set-User cmdlet to verify that the user has permission to modify the Active Directory account.

Process for Configuring Custom Role Groups

Key Points In addition to the built-in role groups, you also can create custom role groups to delegate specific permissions within the Exchange Server organization. Use this option when the built-in role groups grant more than you want to delegate, or cannot be scoped to the recipients or servers that a particular set of administrators should manage.

Configuring a Custom Management Role Group RBAC enables complete flexibility in how you assign permissions in an Exchange Server 2010 environment. For example, RBAC enables you to assign permissions to a group of administrators in a branch office who only need to manage recipient tasks for branch-office users and mailboxes on branch office Mailbox servers. To implement this scenario, you would:

1. Create a new role group, and add the branch office administrators to the role group. You can use the New-RoleGroup cmdlet to create the group. When you create the group, you must specify the management roles. Additionally, you also can specify the management scope for the role.

2. Assign management roles to the branch office administrators. To delegate permissions to a custom role group, you can use one or more of the default built-in management roles, or you can create a custom management role that is based on one of the built-in management roles. Exchange Server 2010 includes approximately 70 built-in management roles that provide granular levels of permissions.

Note: You also can create a new management role rather than use one of the existing management roles. To do this, use the New-ManagementRole cmdlet to create a custom management role based on one of the existing management roles. You can then add and remove management role entries as needed. By default, the new management role inherits all of the management role entries of the parent role; a child role can never contain entries that its parent lacks, so a custom role only ever narrows permissions. You can remove entries from the role, as necessary, by using the Remove-ManagementRoleEntry cmdlet. However, it can be complicated to create a new management role and remove unnecessary management role entries, so we recommend that you use one of the existing roles whenever possible.

3. Identify the management scope for the management role. For example, in the branch office scenario, you could create a role assignment with an OU scope that is specific to the branch office OU.

4. Create the management role group using the information that you collected. Use the New-RoleGroup cmdlet to create the link between the role group, the management roles, the management scope, and the members. For example, consider the following command:

New-RoleGroup -Name BranchOfficeAdmins -Roles "Mail Recipients","Distribution Groups","Move Mailboxes","Mail Recipient Creation" -Members "Branch Office Administrators" -RecipientOrganizationalUnitScope Contoso.com/BranchOffice

It does the following:

• Creates a new role group named BranchOfficeAdmins.

• Assigns the Mail Recipients, Distribution Groups, Move Mailboxes, and Mail Recipient Creation management roles to the BranchOfficeAdmins role group.

• Adds the existing "Branch Office Administrators" user or security group (a name assumed here; it must differ from the role group's own name, because New-RoleGroup creates a universal security group called BranchOfficeAdmins) as the role holders.

• Configures a management role scope limited to the BranchOffice OU in the Contoso.com domain, so that the role holders can modify only recipients in that OU.

Demonstration: Configuring Custom Role Groups

Key Points In this demonstration, you will review how to create a custom role group and how to assign management roles to the group. You also will verify that the correct permissions are assigned to the user accounts.

Demonstration Steps 1. On VAN-EX1, open the Exchange Management Shell.

2. Create a new management scope that will limit the tasks that can be performed by using the following command:

New-ManagementScope -Name MarketingMailboxes -RecipientRoot "adatum.com/Marketing" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}

3. Create a new management role group that uses the custom management scope by using the following command:

New-RoleGroup -Name MarketingAdmins -Roles "Mail Recipients","Mail Recipient Creation" -CustomRecipientWriteScope MarketingMailboxes

4. Add a user to the management role group by using the following command:

Add-RoleGroupMember -Identity MarketingAdmins -Member Andreas

5. In Active Directory Users and Computers, verify that the group has been created in the Microsoft Exchange Security Groups OU and that the user has been added to the group.

6. Open the Exchange Management Console as the delegated user account. Verify that the user can modify mailboxes and create new mailboxes only in the Marketing OU.
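The branch office procedure and the MarketingAdmins demonstration above are one workflow: scope, role, role group, members, verification. The following is an added example, not code from the course, that carries that workflow through end to end in the Exchange Management Shell with Exchange Server 2010 cmdlets. The scope name MarketingMailboxes, the OU adatum.com/Marketing, the custom role "Marketing Mail Recipients", the role group MarketingAdmins, and the user Andreas are assumed names; run it as a member of Organization Management.

```powershell
# Added example, not part of the course text. Delegates recipient management for one OU
# through a custom scope, a trimmed custom role, and a custom role group, then verifies
# what RBAC actually granted. All names (adatum.com/Marketing, MarketingMailboxes,
# "Marketing Mail Recipients", MarketingAdmins, Andreas) are assumed for illustration.
# Run in the Exchange Management Shell as a member of Organization Management.

# 1. Scope: only user mailboxes under the Marketing OU are writable. RecipientRoot
#    limits the OU; the filter excludes contacts and groups that share the OU.
New-ManagementScope -Name "MarketingMailboxes" `
    -RecipientRoot "adatum.com/Marketing" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 2. Role: derive from the built-in "Mail Recipients" role, then remove every entry
#    except the Get-* cmdlets and Set-Mailbox. A child role can never hold an entry
#    its parent lacks, so this step can only narrow permissions.
New-ManagementRole -Name "Marketing Mail Recipients" -Parent "Mail Recipients"
Get-ManagementRoleEntry "Marketing Mail Recipients\*" |
    Where-Object { $_.Name -notlike "Get-*" -and $_.Name -ne "Set-Mailbox" } |
    Remove-ManagementRoleEntry -Confirm:$false

# Restrict Set-Mailbox to the parameters these admins need. Without -AddParameter
# or -RemoveParameter, -Parameters replaces the entry's whole parameter list, so a
# role holder cannot, for example, change ForwardingAddress or EmailAddresses.
Set-ManagementRoleEntry "Marketing Mail Recipients\Set-Mailbox" `
    -Parameters Identity, DisplayName, CustomAttribute1, ProhibitSendQuota

# 3. Role group: one object that links role, scope and members. It is created as a
#    universal security group in the Microsoft Exchange Security Groups OU.
New-RoleGroup -Name "MarketingAdmins" `
    -Roles "Marketing Mail Recipients" `
    -CustomRecipientWriteScope "MarketingMailboxes" `
    -Members "Andreas" `
    -Description "Modify user mailboxes in the Marketing OU only"

# 4. Verify. What the group holds and how each assignment is scoped:
Get-ManagementRoleAssignment -RoleAssignee "MarketingAdmins" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope, RoleAssigneeType

# Which cmdlets and parameters survived the trimming:
Get-ManagementRoleEntry "Marketing Mail Recipients\*" | Format-Table Name, Parameters -AutoSize

# Every assignment the user really holds, with nested group membership expanded.
# This is the check that catches a "narrowly scoped" admin who is also in a broad
# built-in group such as Recipient Management through some other group.
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq "Andreas" } |
    Format-Table Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

The final Get-ManagementRoleAssignment -GetEffectiveUsers query is the check to run after any delegation, including the built-in role group demonstration earlier in this lesson: it resolves every role assignment down to individual users, so a person who also sits in Recipient Management through a nested group is not mistaken for a narrowly scoped administrator. The Where-Object filters run on the client side of the remote shell, which is why the pipeline to Remove-ManagementRoleEntry works as written.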

Question: Will you implement custom management roles in your organization? If so, how will you configure the management roles?

What Are Management Role Assignment Policies?

Key Points Management role-assignment policies associate end-user management roles with users. You do not configure administrative permissions with management role-assignment policies. Rather, you use management role assignment policies to configure what changes users can make to their mailbox settings and to distribution groups that they own.

Role Assignment Components Role assignment policies consist of the following components that define what users can do with their mailboxes:

• Mailbox. Mailboxes are assigned a single role assignment policy. When a mailbox is assigned a role assignment policy, the policy is applied to the mailbox. This grants the mailbox all of the permissions that the management roles provide.

• Management role assignment policy. The management role-assignment policy is an object in Exchange Server 2010. Users are associated with a role assignment policy when you create their mailboxes or change the role assignment policy on their mailboxes. The combination of all the roles included in a role assignment policy defines everything that associated users can manage on their mailboxes or distribution groups.

• Management role assignment. Management role assignments link management roles to role assignment policies. Assigning a management role to a role assignment policy grants users the ability to use the cmdlets in the management role. When you create such a role assignment, you cannot specify a scope: the scope is fixed by the management role itself and is either Self (the user's own mailbox and account) or MyGAL (the objects the user can see in the global address list).

• Management role. A management role is a container for a group of management role entries. Roles define the specific tasks that users can do with their mailboxes or distribution groups.

• Management role entry. A management role entry is a cmdlet, script, or special permission that enables users to perform a specific task. Each role entry consists of a single cmdlet and the parameters that the management role can access.

Working With Management Role Assignment Policies

Key Points Exchange Server 2010 includes a default role assignment policy that provides end users with the most commonly used permissions. For most organizations, you do not need to modify the configuration. However, you can change the management role assignment policy if your organization has specific requirements regarding how users can interact with their mailboxes or groups.

Note: To view the default management role assignment policy configuration, run Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy". This lists all the management roles that are assigned to the default role assignment policy. To view the details of each management role, run Get-ManagementRole <RoleName> | FL. For example, Get-ManagementRole MyBaseOptions | FL displays the role's properties, including its RoleEntries list of the cmdlets and parameters associated with the MyBaseOptions management role.

Working with Assignment Policies You can modify the default role-assignment configuration in several ways:

• Change the default permissions on the default role assignment policy by adding or removing management roles. For example, if you want to enable users to perform additional tasks on their mailboxes, you can identify the management role that grants them the necessary permissions, and add the role to the Default Role Assignment Policy.

• Define a new role assignment policy, and then configure it as the default for all new mailboxes. Use the Set-RoleAssignmentPolicy cmdlet to make your own policy the default instead of the built-in one. When you do this, RBAC assigns the policy that you specify to newly created mailboxes, by default.

Note: When you change the default role assignment policy, RBAC does not assign the new default role assignment policy automatically. You will need to use the Set-Mailbox cmdlet to update previously created mailboxes to the new default role assignment policy.

• Configure additional role assignment policies and assign the policies to a mailbox manually by using the RoleAssignmentPolicy parameter on the New-Mailbox, Set-Mailbox, or Enable-Mailbox cmdlets. When you assign an explicit role assignment policy, the new policy takes effect immediately and replaces the previously assigned explicit role assignment policy. If you have many different user groups with special needs, you can create role assignment policies for each group.
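As an added example, not code from the course, the following Exchange Management Shell commands cover the three options above in order: inspect what the default policy grants, build a more restrictive policy, make it the default, and move mailboxes onto it. The policy name "Restricted Users" and the OU adatum.com/Contractors are assumptions; the My* role names are the end-user roles that ship with Exchange Server 2010.

```powershell
# Added example, not part of the course text. Inspects the default end-user policy,
# builds a more restrictive one, makes it the default, and moves mailboxes onto it.
# The policy name "Restricted Users" and the OU adatum.com/Contractors are assumptions.
# The My* role names are the end-user roles that ship with Exchange Server 2010.

# What the built-in default grants today. RoleAssignee accepts a policy name.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    Format-Table Role, RecipientWriteScope -AutoSize

# Each entry is a cmdlet plus the parameters users may touch on their own mailbox.
Get-ManagementRoleEntry "MyBaseOptions\*" | Format-Table Name, Parameters -AutoSize

# 1. A policy without MyDistributionGroups (no creating or owning groups) and without
#    MyContactInformation (users cannot rewrite their own address and phone fields).
New-RoleAssignmentPolicy -Name "Restricted Users" `
    -Roles MyBaseOptions, MyDistributionGroupMembership, MyVoiceMail, MyTextMessaging

# Roles are added to or removed from a policy later through role assignments,
# for example adding profile editing and dropping text messaging if it is not offered.
New-ManagementRoleAssignment -Role MyProfileInformation -Policy "Restricted Users"
Get-ManagementRoleAssignment -RoleAssignee "Restricted Users" -Role MyTextMessaging |
    Remove-ManagementRoleAssignment -Confirm:$false

# 2. Make it the default. Only mailboxes created from now on pick it up...
Set-RoleAssignmentPolicy -Identity "Restricted Users" -IsDefault

# ...so mailboxes still on the old default are moved explicitly. The property is an
# object, so compare its string form rather than the object itself.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.RoleAssignmentPolicy)" -eq "Default Role Assignment Policy" } |
    Set-Mailbox -RoleAssignmentPolicy "Restricted Users"

# 3. Or give one population its own policy, e.g. everyone in a Contractors OU.
#    An explicit assignment replaces the previous policy immediately.
Get-Mailbox -OrganizationalUnit "adatum.com/Contractors" -ResultSize Unlimited |
    Set-Mailbox -RoleAssignmentPolicy "Restricted Users"

# Verify per mailbox.
Get-Mailbox -ResultSize Unlimited | Format-Table Name, RoleAssignmentPolicy -AutoSize
```

The Get-Mailbox pass in step 2 is the part that is easy to forget: changing the default only affects mailboxes created afterwards, so without it users provisioned before the change keep the old, broader policy.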

Question: How will you configure role assignment policies in your organization?

Managing Permissions on Edge Transport Servers

Key Points You deploy the Edge Transport server role in an organization’s perimeter network, either as a stand-alone server or as a member of a perimeter Active Directory domain.

No Exchange Server-specific groups are created when you install the Edge Transport server role, and RBAC does not apply to it. Instead, the local Administrators group is granted full control of the Edge Transport server, which includes the local instance of Active Directory Lightweight Directory Services (AD LDS) that stores its configuration and the recipient data replicated to it by EdgeSync. Membership in that local group is therefore the only permission boundary on the server, so keep it as small as possible.

You can administer Edge Transport servers remotely by using Remote Desktop. The Administrators local group is granted remote logon permissions automatically when you enable Remote Desktop.

Permissions Required to Administer the Edge Transport Server The following list pairs common administrative tasks on the Edge Transport server with the local group membership needed to complete each task successfully.

• Backup and restore: Backup Operators

• Enable and disable agents: Administrators

• Configure connectors: Administrators

• Configure anti-spam policies: Administrators

• Configure IP Block and Allow lists: Administrators

• View queues and messages: Users

• Manage queues and messages: Administrators

• Create an Edge Subscription file: Administrators

Lesson 2 Configuring Security for Server Roles in Exchange Server 2010

The second component of configuring Exchange Server 2010 security is to secure the Exchange Server deployment as much as possible. To do this, you should understand the security risks for which you need to prepare, and then configure your Exchange Server security settings appropriately.

After completing this lesson, you will be able to:

• Identify the Exchange Server security risks.

• Implement best practices security measures.

Discussion: What Are the Exchange Server Security Risks?

Key Points To prepare for Exchange Server security, you first must understand the security risks that threaten the Exchange server environment.

Question: What security risks do you need to protect against when deploying Exchange Server?

Question: What risks are the most serious?

Exchange Server Security Guidelines

Key Points Exchange Server 2010 is designed to be reasonably secure as deployed. Separating functions into server roles keeps each server's attack surface small, and Kerberos authentication together with the self-signed certificates that Setup creates means that most traffic sent to and from Exchange servers is authenticated and encrypted from the start. The self-signed certificates are adequate for server-to-server traffic, but client-facing services such as Outlook Web App, Outlook Anywhere, and Exchange ActiveSync should use a certificate from a certification authority that the clients trust, so that users are not trained to click through certificate warnings.

To maintain Exchange Server security, implement regular processes to monitor and validate the Exchange Server configuration.

Apply Security and Software Updates One of the most critical components for maintaining Exchange Server security is to install all security updates as soon as possible after their release. Be sure to apply both the operating-system updates and the Exchange Server updates.

Before update installation, test the deployment of all software updates on your Exchange servers. To do this, you need a test environment that emulates your production environment.

Run the Exchange Best Practices Analyzer Tool Regularly The Exchange Best Practices Analyzer automatically examines your Exchange Server deployment and determines whether the configuration is set according to Microsoft best practices. Use the Exchange Best Practices Analyzer as part of a proactive health check, which can expose availability or scalability issues that pertain to your Exchange Server installations. You also can use it as a reactive troubleshooting tool for problem diagnosis and identification.

For most environments, we recommend running the Exchange Best Practices Analyzer at least once per quarter, and ideally once a month, on every server installed with Exchange Server.

Microsoft Baseline Security Analyzer Microsoft Baseline Security Analyzer (MBSA) is a security scanning and analysis tool that you can use to check Exchange Server for a wide range of faulty configurations or security issues. You can configure MBSA to scan a single machine or multiple machines within a range of IP addresses to which you have administrator access.

Avoid Running Additional Software on Exchange Servers One way to reduce an Exchange server’s attack surface is to avoid running unnecessary software on the server. Ideally, you should dedicate the Exchange server to Exchange server roles, and the only additional software that you should install are utilities, such as anti-virus software and server-management tools.

Install and Maintain Anti-Virus Software Virtually all organizations deploy anti-virus software to guard against malicious e-mail. You also should deploy file-level anti-virus software on the Exchange servers to protect the operating system itself. Configure it to exclude the Exchange database, transaction log, and transport queue directories and the Exchange processes, because file-level scanning of those files can corrupt databases or quarantine log files that Exchange needs to mount them.

Enforce Strong Passwords in Your Organization If you enable remote access to your Exchange Server organization, attackers from outside the organization can use brute force password attacks to attempt to compromise user accounts. Therefore, it is very important that you define and enforce password policies for all user accounts. This includes mandating the use of strong passwords. A password is strong if it meets several requirements for complexity that make it difficult for attackers to figure out. These password requirements include rules for password length and character categories. By establishing strong password policies for your organization, you can help prevent an attacker from impersonating users, and thereby prevent the loss, exposure, or corruption of sensitive information.

Lesson 3 Configuring Secure Internet Access

Exchange Server 2010 provides access to user mailboxes from a wide variety of clients. In many cases, these clients may be located outside the corporate network and may be accessing the user mailboxes through an Internet connection. Because the Exchange servers cannot provide this functionality without being accessible from the Internet, it is important that the connections from the Internet be as secure as possible. This lesson describes how to configure secure access to the Exchange servers from the Internet.

After completing this lesson, you will be able to:

• Describe secure Internet access components.

• Deploy Exchange Server 2010 for Internet access.

• Secure Client Access server traffic from the Internet.

• Secure SMTP connections to the Internet.

• Describe reverse proxy.

• Configure secure access.

Secure Internet Access Components

Key Points Exchange Server 2010 enables users to access their mailboxes from many different types of messaging clients and from almost anywhere. To provide secure access for the messaging clients, you need to understand what types of access each client type requires.

Client Access to Exchange Servers The following list gives the access requirements for each client type when connecting to the Exchange servers from the Internet.

• Outlook Anywhere. Access to the remote procedure call (RPC), Exchange Web Services (EWS), and offline address book (OAB) virtual directories on a Client Access server. Access to the Autodiscover virtual directory on a Client Access server if Autodiscover is enabled. Protocol requirements: HTTPS.

• Microsoft Outlook® Web App. Access to the Outlook Web App and ECP virtual directories on a Client Access server. Protocol requirements: HTTPS.

• Exchange ActiveSync®. Access to the Microsoft-Server-ActiveSync virtual directory on a Client Access server. Access to the Autodiscover virtual directory on a Client Access server if Autodiscover is enabled. Protocol requirements: HTTPS.

• Internet Message Access Protocol version 4rev1 (IMAP4). Access to the IMAP4 service on a Client Access server. Access to an SMTP Receive connector on a Hub Transport server, an Edge Transport server, or another SMTP server for sending mail. Protocol requirements: IMAP4 (port 143, or 993 over SSL), SMTP (port 25 or 587).

• Post Office Protocol 3 (POP3). Access to the POP3 service on a Client Access server. Access to an SMTP Receive connector on a Hub Transport server, an Edge Transport server, or another SMTP server for sending mail. Protocol requirements: POP3 (port 110, or 995 over SSL), SMTP (port 25 or 587).

Note: In addition to the Client Access components, you also need to configure the environment to support secure sending and receiving of SMTP e-mail. In most cases, this includes deploying an Edge Transport server in the perimeter network.

Options for Configuring Internet Access There are several options available to provide the necessary access to the Client Access and transport servers. The most common options include:

• Virtual Private Network (VPN). Some organizations require that all clients use a VPN to connect to the internal network. The VPN gateway may be a Windows Server 2008 Routing and Remote Access server, or a third-party solution. By enabling VPN access, users can access all resources on the internal network, including the Exchange servers.

• Firewall configuration. Virtually all organizations have firewalls that protect their internal networks from unwanted Internet access. You can configure these firewalls to enable users to connect to the required virtual directories and services on the Client Access server, and to provide access to an SMTP server for IMAP4 and POP3 clients.

Implementing a firewall solution means that messaging clients need to be configured to use a server name that resolves to an external IP address on the firewall. If users connect to the Exchange servers from both inside and outside the organization, this can complicate the messaging client configuration. For example, users may connect to the Exchange servers from the internal network using the actual server name, but may need to use a more generic name, such as mail.contoso.com, when connecting to the server from the Internet. You may need to instruct users to use the two server names, or you may need to configure the internal DNS zone to provide name resolution to the more generic name.

• Reverse proxy configuration. As an alternative to the standard firewall, you can use a reverse proxy, or application-layer firewall, to enable access to the internal Exchange servers. The reverse proxy terminates each client connection, so the Client Access server never receives packets directly from the Internet. It can inspect the HTTP requests, enforce URL and protocol rules, and pre-authenticate users before any request reaches Exchange. The reverse proxy then opens a new connection to the Client Access server and forwards the permitted traffic to the internal network.

When you use a reverse proxy, you must configure messaging clients to use a server name that resolves to an external IP address on the firewall.

Deploying Exchange Server 2010 for Internet Access

Key Points When deploying Exchange Server 2010 so that it is accessible from the Internet, you must deploy all server roles on the internal network, except for the Edge Transport server role. You should deploy the Edge Transport server role in the perimeter network, and it should run on a server that is not an internal domain member.

The recommended deployment for Exchange Server 2010 Internet access includes two firewalls in a back-to-back firewall scenario, which enables you to implement a perimeter network between the two. An external firewall faces the Internet and protects the perimeter network. You then deploy an internal firewall between the perimeter and internal networks.

Configuring External Firewalls for Internet Access The Internet-facing or external firewall in this deployment protects the perimeter network. You configure it to accept packets based on source and destination IP addresses and ports. To support the Exchange Server deployment, configure the external firewall with the following rules, listed by destination port:

• 25 (SMTP). Source address: All. Destination address: Edge Transport server. You may also need to add the external IP address of the internal firewall as a destination, if POP3 and IMAP4 clients use port 25 to relay messages through a Hub Transport server.

• 443 (HTTPS). Source address: All. Destination address: External IP address of the internal firewall. Port 80 (HTTP) is needed only if you publish an HTTP-to-HTTPS redirect, because every client in the list above connects over HTTPS.

• 110 (POP3) and 995 (POP3 over SSL). Source address: All. Destination address: External IP address of the internal firewall. Required only for POP3 access.

• 143 (IMAP4) and 993 (IMAP4 over SSL). Source address: All. Destination address: External IP address of the internal firewall. Required only for IMAP4 access.

• 587 (SMTP client submission). Source address: All. Destination address: External IP address of the internal firewall. Required only if POP3 and IMAP4 clients use the SMTP client submission port to send e-mail.


Configuring Internal Firewalls for Internet Access

The internal firewall may be another standard firewall or a reverse proxy. To support the Exchange Server deployment, configure the internal firewall with the following rules:

Destination port 25
Source address: Edge Transport server
Destination address: Hub Transport server
Note: You may also need to configure the internal IP address of external hosts as a source address, if POP3 and IMAP4 clients are using port 25 to relay messages through a Hub Transport server.

Destination ports 80, 443
Source address: Internal IP address of the external firewall
Destination address: Client Access server

Destination ports 110, 993
Source address: External IP addresses
Destination address: Client Access server
Note: Only required for POP3 access.

Destination ports 143, 995
Source address: External IP addresses
Destination address: Client Access server
Note: Only required for IMAP4 access.

Destination port 587
Source address: External IP addresses
Destination address: Hub Transport server
Note: Only required if POP3 and IMAP4 clients are using the SMTP client submission port to send SMTP e-mail.

Destination port 50636
Source address: Hub Transport servers on the internal network
Destination address: Edge Transport server
Note: Required for the Hub Transport server to replicate information to the Edge Transport servers by using EdgeSync.

Destination port 3389
Source address: Administrator computers on the internal network
Destination address: Edge Transport server
Note: Required if you want to use Remote Desktop to administer the Edge Transport server remotely.


Note: Edge Transport servers also listen on port 50389 for unencrypted LDAP connections. This port is used only for administering the AD LDS instance on the Edge Transport server with standard LDAP tools, and it does not need to be open on the internal firewall.


Securing Client Access Traffic from the Internet

Key Points

To ensure that the client connections are as secure as possible, implement the following recommendations:

• Create and configure a server certificate. By default, all Client Access servers are configured with self-signed certificates during Exchange Server 2010 installation. Because clients do not trust this certificate, you should replace it with one from a public certification authority (CA) or from an internal CA. If you use an internal enterprise CA, the certificate will be trusted by computers that are members of the internal domain, but not by other client computers.

• Require Secure Sockets Layer (SSL) for all virtual directories. With Exchange Server 2010, you can configure all of the Client Access server virtual directories to require SSL.


• Enable only required client access methods. You should enable access to only the client access options that your organization requires. For example, if your organization only requires Exchange ActiveSync and Outlook Web App connectivity from the Internet, then only allow access to those virtual directories through the firewall.

• Require secure authentication. Forms-based authentication is the most secure authentication mechanism for Outlook Web App. Other client access options, such as Outlook Anywhere or Exchange ActiveSync, cannot use forms-based authentication, and may need to use Windows NT LAN Manager (NTLM) authentication or basic authentication. If you configure the virtual directories to require SSL, the network traffic that authenticates the user is encrypted.

• Require TLS/SSL for IMAP4 and POP3 access. To help secure communications between your POP3 and IMAP4 clients and the Client Access server, configure the Client Access server to use a certificate for these protocols, and then force all clients to use Transport Layer Security (TLS) or SSL to encrypt all authentication and message access traffic.

• Implement an application layer firewall or reverse proxy. To provide additional security, place an application layer firewall or reverse proxy between the Internet and the Client Access server. This firewall can decrypt all network traffic between the client and the Client Access server, and inspect the traffic for malicious code.
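The following script is an added example, not part of the course material, that applies the certificate, SSL, authentication and POP3/IMAP4 recommendations above from the Exchange Management Shell on a Client Access server. It assumes Exchange Server 2010 on Windows Server 2008 R2 (so the WebAdministration module is available), that it runs in EMS as an Exchange administrator, that $Thumbprint is the thumbprint of a CA-issued certificate you have already imported (a placeholder below), and that $ServiceName is the host name on that certificate that clients connect to (the lab's mail.adatum.com is used as the default).

```powershell
# Added example (not from the course): audit and harden Client Access settings from the
# Exchange Management Shell (EMS) on an Exchange Server 2010 Client Access server.
# Assumptions: Windows Server 2008 R2 (WebAdministration module); $Thumbprint is a
# CA-issued certificate already imported (placeholder value); $ServiceName is the
# name clients use and that appears on the certificate.
param(
    [string]$Server      = $env:COMPUTERNAME,
    [string]$Thumbprint  = 'REPLACE-WITH-CERTIFICATE-THUMBPRINT',   # placeholder
    [string]$ServiceName = 'mail.adatum.com'
)

# 1. Server certificate: report any self-signed certificate still bound to a client-facing
#    service, then bind the CA-issued certificate to IIS, POP3 and IMAP4.
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.IsSelfSigned -and ([string]$_.Services -match 'IIS|POP|IMAP') } |
    ForEach-Object {
        Write-Warning ("Self-signed certificate {0} is still bound to {1} on {2}" -f `
            $_.Thumbprint, $_.Services, $Server)
    }
Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services 'IIS,POP,IMAP' -Confirm:$false

# 2. Require SSL on every Client Access virtual directory. This is an IIS setting, so it is
#    made with the WebAdministration module rather than an Exchange cmdlet.
Import-Module WebAdministration
foreach ($vdir in 'owa', 'ecp', 'Microsoft-Server-ActiveSync', 'EWS', 'Autodiscover', 'OAB', 'Rpc') {
    $path = "IIS:\Sites\Default Web Site\$vdir"
    if (Test-Path $path) {
        Set-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' `
            -Name 'sslFlags' -Value 'Ssl'
    }
}

# 3. Secure authentication: forms-based authentication for Outlook Web App. (Which virtual
#    directories are reachable from the Internet is decided at the firewall, not here.)
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" -FormsAuthentication $true

# 4. POP3 and IMAP4: accept logons only inside a TLS/SSL session, using the same certificate,
#    then restart the two services so the new settings take effect.
Set-PopSettings  -Server $Server -LoginType SecureLogin -X509CertificateName $ServiceName
Set-ImapSettings -Server $Server -LoginType SecureLogin -X509CertificateName $ServiceName
Restart-Service -Name MSExchangePOP3, MSExchangeIMAP4

# Show the result for the change record.
Get-PopSettings  -Server $Server | Format-List LoginType, X509CertificateName
Get-ImapSettings -Server $Server | Format-List LoginType, X509CertificateName
Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter
```

The self-signed check is deliberately a warning rather than an automatic removal: the self-signed certificate normally stays bound to SMTP for server-to-server TLS, and only its use on IIS, POP3 and IMAP4 is the problem the recommendation addresses.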


Securing SMTP Connections from the Internet

Key Points

If you enable POP3 and IMAP4 connections from the Internet to your Client Access servers, you must provide a means by which those clients can send e-mail using SMTP. As part of ensuring security for your client-access deployment, you also need to ensure secure SMTP connectivity.

Providing SMTP Connectivity for POP3 and IMAP4 Clients

You can use POP3 and IMAP4 only to retrieve, not send, messages from user mailboxes. To enable clients to send e-mail, you must configure the clients to use an SMTP server that relays the messages to both internal and external recipients.

To enable the POP3 and IMAP4 clients to send e-mail, you must configure a Hub Transport server SMTP Receive connector to accept SMTP connections from the Internet. Configure the SMTP Receive connector to require authentication, so that only users with valid accounts in the Exchange Server organization can relay messages through the server.


Note: If you accept anonymous SMTP connections from the Internet on the Hub Transport server by using the Default SMTP Receive connector, you need to create an additional SMTP Receive connector for the POP3 and IMAP4 clients, and configure the new connector to require authenticated connections.

Note: You cannot use an Edge Transport server to accept authenticated SMTP connections and then use it to relay SMTP messages from POP3 and IMAP4 clients. You can configure an SMTP Receive connector on an Edge Transport server that uses port 587, and you can configure the Receive connector to accept authenticated connections. However, you cannot configure the connector to authenticate the client connections by using the user’s internal Active Directory account.

Securing SMTP Connections

To secure the SMTP connections to the Hub Transport server, complete the following steps:

1. Enable TLS for SMTP client connections. You can configure the SMTP Receive connector on the Hub Transport server to require TLS, or to offer basic authentication only after the client has started a TLS session. If you have a trusted certificate assigned to the SMTP service, you should enable these options, and then configure all clients to use TLS.

2. Use the Client Receive connector (port 587), and configure the Hub Transport servers with two Receive connectors. The Default Receive connector is configured to use port 25, while the Client Receive connector is configured to use port 587. By default, both connectors are configured to require TLS security and to allow users to connect to the connector. However, by using the Client Receive connector, you can avoid using the default SMTP port for client connections. As described in RFC 2476, port 587 was proposed only for message submission use from e-mail clients that require message relay.

3. Ensure that anonymous relay is disabled. Both Receive connectors block anonymous relays, and you should not modify this option on any Receive connector that is accessible from the Internet. If you enable anonymous relay, anyone can use your server to relay spam.


Note: In some cases, you may need to enable anonymous relay to allow internal applications to send SMTP e-mail through the Exchange server. If you require this functionality, then configure restrictions on the Receive connector so that only the IP addresses that you specify can relay through the server.

4. Enable IMAP4 and POP3 selectively. If only some users in your organization require POP3 and IMAP4 access, then disable this option on all other mailboxes.
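The following script is an added example, not part of the course material, that checks a Hub Transport server's Receive connectors against steps 1 to 3 above and applies step 4. It assumes it runs in the Exchange Management Shell on an Exchange Server 2010 Hub Transport server, and that the organization keeps the mailboxes allowed to use POP3 and IMAP4 in a mail-enabled security group; the group name POP-IMAP-Users and both function names are constructed for this example.

```powershell
# Added example (not from the course): audit Receive connectors for the settings described in
# steps 1-3 and enforce step 4 (POP3/IMAP4 only for approved mailboxes). Run in EMS on an
# Exchange 2010 Hub Transport server. 'POP-IMAP-Users' is an assumed, mail-enabled security group.

function Test-ReceiveConnectorHardening {
    param([string]$Server = $env:COMPUTERNAME)

    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        $issues = @()
        $ports  = @($rc.Bindings | ForEach-Object { $_.Port })
        $auth   = [string]$rc.AuthMechanism      # e.g. "Tls, Integrated, BasicAuth, BasicAuthRequireTLS"
        $groups = [string]$rc.PermissionGroups   # e.g. "ExchangeUsers, ExchangeServers"

        # Step 1: basic authentication must only be offered inside a TLS session.
        if ($auth -match 'BasicAuth' -and $auth -notmatch 'BasicAuthRequireTLS') {
            $issues += 'basic authentication is offered without requiring TLS first'
        }
        if ($auth -notmatch 'Tls') {
            $issues += 'STARTTLS is not advertised'
        }

        # Step 2: authenticated client submission belongs on the Client connector (587), not port 25.
        if (($ports -contains 25) -and ($groups -match 'ExchangeUsers')) {
            $issues += 'user submission is allowed on port 25; prefer the Client connector (587)'
        }

        # Step 3: anonymous relay exists when ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient
        # on the connector. The RemoteIPRanges then show who may relay; 0.0.0.0-255.255.255.255 means anyone.
        $relay = $rc | Get-ADPermission | Where-Object {
            ($_.User -like '*ANONYMOUS LOGON*') -and (-not $_.Deny) -and
            ([string]$_.ExtendedRights -match 'Accept-Any-Recipient')
        }
        if ($relay) {
            $issues += ('anonymous relay is allowed from: ' + ([string]$rc.RemoteIPRanges))
        }

        New-Object PSObject -Property @{
            Connector = $rc.Identity.ToString()
            Ports     = ($ports -join ',')
            Issues    = ($issues -join '; ')
        }
    }
}

function Set-SelectivePopImap {
    # Step 4: disable POP3 and IMAP4 on every mailbox that is not a member of the approved group.
    param([string]$ApprovedGroup = 'POP-IMAP-Users')   # assumed group name

    $allowed = @{}
    Get-DistributionGroupMember -Identity $ApprovedGroup -ResultSize Unlimited |
        ForEach-Object { $allowed[$_.DistinguishedName] = $true }

    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { ($_.PopEnabled -or $_.ImapEnabled) -and -not $allowed.ContainsKey($_.DistinguishedName) } |
        ForEach-Object {
            Write-Host ("Disabling POP3/IMAP4 for {0}" -f $_.Identity)
            Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
        }
}

Test-ReceiveConnectorHardening | Format-Table Connector, Ports, Issues -AutoSize
Set-SelectivePopImap
```

A connector that legitimately relays for internal applications (the Note above) still shows up in the Issues column, which is intended: the output lists the RemoteIPRanges so you can confirm that only the intended application addresses appear there.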


What Is a Reverse Proxy?

Key Points

You may want to use a reverse proxy server to manage incoming requests to a Client Access server. A reverse proxy server provides the following advantages over a direct connection to a Client Access server:

• Security. The reverse proxy server provides an extra protective layer between the network and external computers. This is because the reverse proxy server is the endpoint for all client connections. The reverse proxy server then creates a new connection to the internal server.

• Application layer filtering. Most reverse proxy servers also can operate as application layer firewalls. Application layer filtering enables the proxy to open up the entire TCP/IP packet and inspect the application data for unacceptable commands and data. For example, an HTTP filter intercepts communication on port 80 and inspects it to verify that the commands are authorized before passing the communication to the destination server. Firewalls that are capable of application-layer filtering can stop dangerous code at the network’s edge before it does any damage.


• SSL bridging. If you must encrypt communication between the reverse proxy server and the Client Access server, do this by ending the SSL session between the Web browser and reverse proxy server. You then establish a new SSL session between the reverse proxy server and the Client Access server. This protects the Client Access server from direct access from the Internet, enables the reverse proxy server to filter the data packets before they reach the Client Access server, and encrypts the data along the whole path between the Web browser and the Client Access server.

• Load balancing. A reverse proxy server can distribute the traffic that is destined for a single URL to a group of servers. Web load balancing is implemented automatically when you publish Outlook Web App and Outlook Anywhere. The Outlook Web App publishing rule uses cookie-based load balancing: the reverse proxy server forwards all requests that belong to the same session (identified by the unique cookie that the server provides in each response) to the same server. Outlook Anywhere uses source-IP-based load balancing: the reverse proxy server forwards all requests from the same client (source) IP address to the same server. Other Exchange services and features, such as Exchange ActiveSync, the offline address book, and the Availability service, must use cookie-based load balancing.

• SSL offloading. Instead of configuring the Client Access server to provide SSL encryption, you can offload that function to the reverse proxy server. Not only does it encrypt data that is sent between the Web browser and the Client Access server, but it also enables the reverse proxy server to inspect the data packets and apply filters before they reach the Client Access server. If you offload SSL encryption to a proxy server, data that is sent between the reverse proxy server and the Client Access server will not be encrypted unless you use SSL bridging.


Demonstration: Configuring Threat Management Gateway for Outlook Web App

Key Points

In this demonstration, you will review how to create an Outlook Web App publishing rule in Forefront TMG.

Note: Forefront TMG is an upgrade of Microsoft Internet Security and Acceleration (ISA) Server 2006.

Demonstration Steps

1. On VAN-TMG, open the Forefront TMG Management console.

2. In the Firewall Policy node, create an Exchange Server publishing rule by using the New Exchange Publishing Rule Wizard. Configure the rule with the following settings:

• Name: OWA Access Rule

• Exchange version: Exchange Server 2010


• Service: Outlook Web App

• Server Connection Security: Use SSL to connect the published Web server or server farm

• Internal site name: VAN-EX1.Adatum.com

• Public Name Details page: mail.Adatum.com

3. Create a new Web Listener with the following settings:

• Name: HTTP Listener

• Client Connection Security: Do not require SSL secure connections from clients

• Web Listener IP Addresses: External

• Authentication Settings: HTML Form Authentication

• Single Sign-On (SSO) Settings: Enabled

• SSO domain name: ADatum.com

4. On the Authentication Delegation page, click Basic authentication.

5. Accept the default User Sets configuration, finish the wizard, and then apply the changes.

Question: Has your company deployed a reverse proxy? If so, what kind? How does your reverse proxy compare to the TMG?


Lab: Securing Exchange Server 2010

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.

2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and the 10135A-VAN-EX2 virtual machines are running.

• 10135A-VAN-DC1: Domain controller in the Adatum.com domain

• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain

• 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain

3. If required, connect to the virtual machines. Log on to VAN-DC1 and VAN-EX1 as Adatum\Administrator, using the password Pa$$w0rd. Do not log on to VAN-EX2 at this point.


Lab Scenario

A. Datum Corporation has deployed Exchange Server 2010. The company security officer has provided you with a set of requirements to ensure that the Exchange Server deployment is as secure as possible. The requirements include the following specific concerns:

• Exchange Server administrators should have minimal permissions, which means that, whenever possible, you should delegate Exchange Server management permissions.

• Ensure that client connections to the Client Access servers are as secure as possible by deploying a TMG server.


Exercise 1: Configuring Exchange Server Permissions

Scenario

A. Datum Corporation has completed the Exchange Server 2010 deployment, and now is working on integrating Exchange Server and recipient management with their current management practices. To meet the management requirements, you need to ensure that:

• Members of the ITAdmins group can administer individual Exchange servers, but they should not be able to modify any of the Exchange Server organization settings.

• Members of the HRAdmins group must be able to manage mail recipients throughout the entire organization. They should not be able to manage distribution groups and should not be able to create new mailboxes.

• Members of the SupportDesk group should be able to manage mailboxes and distribution groups for users in the organization. They should also be able to create new mailboxes.

The main tasks for this exercise are as follows:

1. Configure permissions for the ITAdmins group.

2. Configure permissions for the Support Desk and HRAdmins groups.

3. Verify the permissions.

Task 1: Configure permissions for the ITAdmins group

• On VAN-EX1, in Active Directory Users and Computers, add the ITAdmins group to the Server Management group.


Task 2: Configure permissions for HRAdmins and Support Desk groups

1. On VAN-EX1, open the Exchange Management Shell. Use the following command to create the HRAdmins role group:

New-RoleGroup -Name HRAdmins -Roles "Mail Recipients"

2. Use the following command to create the SupportDesk role group:

New-RoleGroup -Name SupportDesk -Roles "Mail Recipients", "Mail Recipient Creation", "Distribution Groups"

3. On VAN-EX1, open the Exchange Management Console. Access the Role Based Access Control (RBAC) User Editor from the Exchange Management Console Toolbox node. Log on as Adatum\administrator using a password of Pa$$w0rd.

4. Add Anna Lidman to the SupportDesk group.

5. Add Paul West to the HRAdmins group.

Task 3: Verify the permissions

1. On VAN-EX2, log on as Shane. Shane is a member of the ITAdmins group. Open Exchange Management Console and verify that the account has the following permissions:

• Can modify the Issue warning at (KB) setting for the Accounting mailbox database.

• Cannot modify Hub Transport settings at the organization level. For example, try to modify the accepted domain settings.

• Cannot modify recipient settings. For example, try modifying any properties on one of the mailboxes.

2. Log off VAN-EX2.

3. On VAN-EX1, open Internet Explorer and connect to https://van-ex1.adatum.com/ecp. Log on as Adatum\Anna, and verify that the account has the following permissions:

• Can modify mailbox settings for users by using the Exchange Control Panel. For example, try modifying the department attribute for Andreas Herbinger.


• Can modify distribution groups using the Exchange Control Panel. For example, add a group description for the Accounting group.

Note: You cannot create or delete user accounts and mailboxes in the Exchange Control Panel. If you want to test whether Anna can create user accounts and mailboxes, add Anna to the local Administrators group on VAN-EX2, and log on to VAN-EX2 as Anna. Then open the Exchange Management Console and verify that you can create a mailbox. In a production environment, you could install the Exchange Management tools on a Windows 7 client computer.

4. Close Internet Explorer, and open it again and connect to https://van-ex1.adatum.com/ecp. Log on as Adatum\Paul, and verify that the account has the following permissions:

• Can modify mailbox settings for users by using the Exchange Control Panel.

• Cannot modify distribution groups using the Exchange Control Panel.
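The following script is an added example, not part of the lab, that performs Task 2 from the Exchange Management Shell and then verifies the permissions of Task 3 by querying the RBAC role assignments rather than by trying operations in the consoles. It assumes it runs in EMS on VAN-EX1 as Adatum\Administrator with the lab's user and group names; the expected results are taken from the exercise requirements, and the helper function name is this example's own.

```powershell
# Added example (not from the lab): create the role groups, add the members, and check
# which cmdlets each group can run by inspecting RBAC role entries. Run in EMS on VAN-EX1.
New-RoleGroup -Name 'HRAdmins'    -Roles 'Mail Recipients'
New-RoleGroup -Name 'SupportDesk' -Roles 'Mail Recipients', 'Mail Recipient Creation', 'Distribution Groups'
Add-RoleGroupMember -Identity 'SupportDesk' -Member 'Anna'
Add-RoleGroupMember -Identity 'HRAdmins'    -Member 'Paul'

function Test-CmdletAccess {
    # Returns $true when at least one role assigned to the role group contains the cmdlet.
    param([string]$RoleGroup, [string]$Cmdlet)
    $roles = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup | ForEach-Object { $_.Role.ToString() }
    foreach ($role in $roles) {
        if (Get-ManagementRoleEntry "$role\$Cmdlet" -ErrorAction SilentlyContinue) { return $true }
    }
    return $false
}

# Expected values follow the exercise requirements: HRAdmins manage recipients but cannot
# create mailboxes; SupportDesk can create mailboxes and manage groups; Server Management
# (ITAdmins) manages servers and databases but not organization or recipient settings.
$expectations = @(
    @{ Group = 'HRAdmins';          Cmdlet = 'Set-Mailbox';                 Expected = $true  },
    @{ Group = 'HRAdmins';          Cmdlet = 'New-Mailbox';                 Expected = $false },
    @{ Group = 'SupportDesk';       Cmdlet = 'New-Mailbox';                 Expected = $true  },
    @{ Group = 'SupportDesk';       Cmdlet = 'Add-DistributionGroupMember'; Expected = $true  },
    @{ Group = 'Server Management'; Cmdlet = 'Set-MailboxDatabase';         Expected = $true  },
    @{ Group = 'Server Management'; Cmdlet = 'Set-AcceptedDomain';          Expected = $false },
    @{ Group = 'Server Management'; Cmdlet = 'Set-Mailbox';                 Expected = $false }
)

foreach ($e in $expectations) {
    $actual = Test-CmdletAccess -RoleGroup $e.Group -Cmdlet $e.Cmdlet
    if ($actual -eq $e.Expected) { $status = 'OK  ' } else { $status = 'FAIL' }
    "{0} {1,-18} {2,-28} expected={3} actual={4}" -f $status, $e.Group, $e.Cmdlet, $e.Expected, $actual
}

# Membership check for the change record.
Get-RoleGroupMember -Identity 'HRAdmins'    | Format-Table Name
Get-RoleGroupMember -Identity 'SupportDesk' | Format-Table Name
```

A role group can also receive assignments scoped to a subset of recipients or servers; this check only answers whether a cmdlet is available at all, so a FAIL line is a prompt to look at the assignment with Get-ManagementRoleAssignment, not proof of a misconfiguration.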

To prepare for the next exercise

1. On the host computer, in Hyper-V™ Manager, right-click 10135A-VAN-EX2, click Revert, and then click Revert.

2. Start the VAN-TMG and VAN-CL1 virtual machines.

3. Log on to VAN-TMG as Adatum\Administrator using the password Pa$$w0rd. Do not log on to VAN-CL1 at this point.

Results: After this exercise, you should have configured and verified permissions in the Exchange Server deployment.


Exercise 2: Configuring a Reverse Proxy for Exchange Server Access

Scenario

A. Datum Corporation has decided to enable users to access their mailboxes remotely by using Outlook Web App. To provide maximum security for the external clients, A. Datum wants to deploy a Forefront TMG server as a reverse proxy. You must encrypt all connections to the TMG server, and all connections from the TMG server to the Client Access server.

The main tasks for this exercise are:

1. Prepare the Windows Server 2008 CA to issue certificates with multiple SANs.

2. Request a server certificate with multiple SANs on the Client Access server.

3. Export the certificate from the Client Access server.

4. Import the certificate on the TMG server.

5. Configure an Outlook Web Access publishing rule.

6. Configure the Client Access server.

7. Test the Outlook Web App publishing rule.

Task 1: Prepare the Windows Server 2008 CA to issue certificates with multiple SANs

1. On VAN-DC1, use the following command to configure the CA to issue certificates with multiple SANs:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

2. Stop and restart the Certificate Services service.


Task 2: Request a server certificate with multiple SANs on the Client Access server

1. On VAN-EX1, run the New Exchange Certificate Wizard using the following configuration options:

• Friendly name: Adatum Mail Certificate

• Outlook Web App: Outlook Web App is on the intranet and uses a host name of VAN-EX1.adatum.com

• Outlook Web App: Outlook Web App is on the Internet and uses a host name of mail.adatum.com

• Exchange ActiveSync: Enabled and uses a host name of mail.adatum.com

• Autodiscover: Used on the Internet

• Long URL: Used for AutoDiscover with a host name of Autodiscover.adatum.com

• Organization: A Datum

• Organizational Unit: Messaging

• Country/region: Canada

• City/locality: Vancouver

• State/province: BC

2. Save the file using the name CertRequest.req.

3. Copy the text of the certificate request file to the clipboard.

4. Connect to http://van-dc1.adatum.com/certsrv, and create an advanced certificate request using a certificate request file. Paste the contents of the certificate request file into the Saved Request field. Request a Web server certificate.

5. Download the certificate and save it to the C: drive.

6. In the Exchange Management Console, use the Complete Pending Request Wizard to import the Adatum Mail certificate.

7. In the Exchange Management Console, use the Assign Services to Certificate Wizard to assign the Adatum Mail certificate to IIS.


Task 3: Export the certificate from the Client Access server

• On VAN-EX1, in Exchange Management Console, export the certificate to C:\CertExport.pfx.

Task 4: Import the certificate on the TMG server

• On VAN-TMG, use the Certificates MMC to import \\VAN-EX1\c$\CertExport.pfx into the Computer Personal store.

Task 5: Configure an Outlook Web Access publishing rule

1. On VAN-TMG, open the Forefront TMG Management console.

2. In the Firewall Policy node, use the New Exchange Publishing Rule Wizard to create an Exchange Server publishing rule. Configure the rule with the following settings.

• Name: OWA Rule

• Exchange version: Exchange Server 2010

• Service: Outlook Web Access

• Server Connection Security: Use SSL to connect the published Web server or server farm

• Internal site name: VAN-EX1.Adatum.com

• Public Name Details page: mail.Adatum.com

3. Create a new Web Listener with the following settings:

• Name: HTTPS Listener

• Client Connection Security: Require SSL secured connections with clients

• Web Listener IP Addresses: External

• Listener SSL Certificates: mail.adatum.com

• Authentication Settings: HTML Form Authentication

• Single Sign On Settings: Enabled

• SSO domain name: Adatum.com

4. Configure Authentication Delegation to use Basic authentication.


Task 6: Configure the Client Access server

1. On VAN-EX1, in the Exchange Management Console, configure the owa (Default Web Site) and ecp (Default Web Site) virtual directories to use the following configuration:

• External URL: https://mail.adatum.com/owa or https://mail.adatum.com/ecp

• Basic authentication

Note: During this task, click OK to dismiss any messages that indicate that VAN-EX2 is not accessible.

2. Use the IISReset command to restart the IIS service.

Task 7: Test the Outlook Web App publishing rule

1. On the host computer, in Hyper-V Manager, modify the 10135A-VAN-CL1 settings to connect the network adapter to Private Network 2.

2. On VAN-CL1, log on as Adatum\Administrator and modify the network adapter settings to use an IP address of 131.107.0.50, and a default gateway of 131.107.0.1.

3. Open the c:\windows\system32\drivers\etc\hosts file and add the following line to the file:

131.107.1.1 mail.adatum.com

4. Open Internet Explorer, and connect to https://mail.adatum.com/owa.

5. Log on as adatum\administrator using a password of Pa$$w0rd. Verify that you access the user mailbox.

6. In the Outlook Web App window, click Options. Verify that you can connect to the Exchange Control Panel.

Results: After this exercise, you should have configured a Forefront Threat Management Gateway server to enable access to Outlook Web App on the Client Access server. You will also have verified that the access is configured correctly.
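The following script is an added example, not part of the lab, that performs Tasks 2, 3 and 6 of this exercise from the Exchange Management Shell on VAN-EX1 instead of through the console wizards. It assumes the CA has been prepared as in Task 1, that the request is submitted to http://van-dc1.adatum.com/certsrv by hand exactly as in Task 2 step 4, and that the issued certificate is saved as C:\certnew.cer (an assumed file name; the lab only says "the C: drive").

```powershell
# Added example (not from the lab): Tasks 2, 3 and 6 driven from EMS on VAN-EX1.
# Assumed file name: C:\certnew.cer for the certificate downloaded from the CA.

# Task 2: generate a request whose subject alternative names cover every name clients use
# (internal host name, public name, and the Autodiscover name), with an exportable key
# because the same certificate is later moved to the TMG server.
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Adatum Mail Certificate' `
    -SubjectName 'C=CA,S=BC,L=Vancouver,O=A Datum,OU=Messaging,CN=mail.adatum.com' `
    -DomainName 'mail.adatum.com', 'autodiscover.adatum.com', 'VAN-EX1.adatum.com' `
    -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path 'C:\CertRequest.req' -Value $request

# Manual step (Task 2, step 4): submit C:\CertRequest.req through the CA web enrollment page
# as an advanced request with the Web Server template, and save the result as C:\certnew.cer.

# Task 2 (continued): complete the pending request and assign the certificate to IIS.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path 'C:\certnew.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS -Confirm:$false

# Verify before going further: CA-issued (not self-signed), all three names present, bound to IIS.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, IsSelfSigned, Services, NotAfter

# Task 3: export the certificate with its private key for the TMG server. The PFX password
# is prompted for rather than written into the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path 'C:\CertExport.pfx' -Value $pfx.FileData -Encoding Byte

# Task 6: external URLs and Basic authentication on owa and ecp. TMG presents the logon form
# and delegates the credentials with Basic authentication inside the SSL-bridged session, so
# forms-based authentication is turned off on the Client Access server side.
Set-OwaVirtualDirectory -Identity 'VAN-EX1\owa (Default Web Site)' `
    -ExternalUrl 'https://mail.adatum.com/owa' -FormsAuthentication $false -BasicAuthentication $true
Set-EcpVirtualDirectory -Identity 'VAN-EX1\ecp (Default Web Site)' `
    -ExternalUrl 'https://mail.adatum.com/ecp' -FormsAuthentication $false -BasicAuthentication $true
iisreset
```

Once the PFX has been imported on VAN-TMG (Task 4), delete C:\CertExport.pfx from the Client Access server: it contains the private key and the share path used in Task 4 exposes it to anyone with access to C$.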


To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.


Module Review and Takeaways

Review Questions

1. You need to enable members of the Human Resources department to configure user mailboxes for the entire organization. What should you do?

2. Users in your organization are using POP3 clients from the Internet. These users report that they can receive, but not send, e-mail. What should you do?

3. Your organization has deployed Forefront TMG. You need to ensure that remote users can access the Client Access server inside the organization by using cellular mobile clients. What should you do?


Common Issues Related to Configuring Exchange Server Publishing Rules on a Reverse Proxy

Identify the causes for the following common issues related to configuring Exchange Server publishing rules on a reverse proxy, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Clients cannot connect to the published sites, and they receive internal server errors.

Troubleshooting tip: Normally, these errors occur when the reverse proxy cannot connect to the internal site. Verify that the reverse proxy can connect to the virtual directories on the Client Access server.

Issue: Clients cannot connect to the published sites, and they receive certificate errors.

Troubleshooting tip: When configuring a reverse proxy to use SSL bridging, you need to ensure that the certificate configuration is correct on both the reverse proxy and the Client Access server. Check information such as whether the certificates are trusted and whether the names the certificates use match the names that the clients use when connecting to the site.

Issue: Clients cannot connect to the published sites, and they receive site-not-found errors.

Troubleshooting tip: Normally, this type of error displays when there is a problem connecting to the reverse proxy from the Internet. Verify that DNS name resolution is working correctly and that the external firewall is not blocking access to the reverse proxy.

Real-World Issues and Scenarios

1. Your organization has configured an SMTP Receive connector on an Edge Transport server to enable IMAP4 users to relay messages. However, you discover that your Edge Transport server is being used to relay spam to other organizations. What should you do?

2. You have added the ServerAdmins group in your organization to the Exchange Server 2010 Server Management group in Active Directory Domain Services (AD DS). All the members of the ServerAdmins group report that they receive errors when they start the Exchange Management Console. What should you do?


3. Your organization is planning to deploy Forefront TMG to enable access to a Client Access server from the Internet. The organization is concerned about the cost of acquiring multiple certificates to enable access, but also wants to ensure that users do not receive certificate related errors. What should you do?

Best Practices Related to Configuring Exchange Server Permissions

Supplement or modify the following best practices for your own work situations:

• When you configure permissions in the Exchange Server organization, ensure that users have the minimal permissions required for them to perform their tasks. Add only highly trusted users to the Organization Management role group, as it has full control of the entire organization.

• Whenever possible, use the built-in role groups to assign permission in the Exchange Server organization. Creating custom role groups with customized permissions is more complicated and may lead to users having too many, or too few, permissions.

• Ensure that you document all permissions that you assign in the Exchange Server organization. If users are unable to perform required tasks, or if they are performing tasks to which they should not have access, you should be able to identify the reason by referring to your documentation.


Maintaining Microsoft Exchange Server 2010 11-1

Module 11 Maintaining Microsoft Exchange Server 2010

Contents:

Lesson 1: Monitoring Exchange Server 2010 11-3

Lesson 2: Maintaining Exchange Server 2010 11-18

Lesson 3: Troubleshooting Exchange Server 2010 11-29

Lab: Maintaining Exchange Server 2010 11-37

Module Overview

Once you deploy Microsoft® Exchange Server 2010, you must ensure that it continues to run optimally by maintaining a stable environment. To maintain a stable environment, you must monitor Exchange Server performance, and make adjustments as required. This module describes how to monitor and maintain your Exchange Server environment.

This module also describes troubleshooting techniques. From time to time, problems arise that need to be fixed. Although troubleshooting problems can be complex, using a troubleshooting methodology can help you pinpoint the problem and then determine the proper method to use to fix the problem.

After completing this module, you will be able to:

• Monitor Exchange Server 2010.

• Maintain Exchange Server 2010.

• Troubleshoot Exchange Server 2010.

Lesson 1 Monitoring Exchange Server 2010

Monitoring practices typically are an afterthought, and people often configure them after deploying the solution. However, having a well-tuned and consistently used monitoring solution can greatly improve your ability to identify, troubleshoot, and repair issues before end users notice them. Reducing end-user problems and preventing more-serious problems are worth the additional thought and effort that it requires to design a comprehensive monitoring solution for your Exchange Server organization.

In this lesson, you will review the basic monitoring tools as well as the metrics that you should monitor.

After completing this lesson, you will be able to:

• Describe the importance of performance monitoring.

• Identify key monitoring metrics for monitoring Exchange Server 2010.

• Collect performance data for the Exchange server.

• Collect performance data for the Mailbox server.

• Collect performance data for the Hub Transport and Edge Transport servers.

• Collect performance data for the Client Access server.

• Use the collected performance data.

Why Is Performance Monitoring Important?

Key Points

Monitoring the Exchange Server environment is important for the following reasons:

• Identifying performance issues. When problems arise, you can pinpoint and repair them without relying on users to report the problems.

• Identifying growth trends to improve plans for upgrades. As the system grows and usage patterns change, hardware modifications may be required to accommodate these changes. Identifying trends also allows you to forecast future changes that might be necessary.

• Measuring performance against service level agreements. Demonstrating whether Exchange Server meets performance-based service level agreements and measuring the end-user experience shows the value that Exchange Server administrators are providing.

• Identifying security issues and denial-of-service attacks. When performance and other metrics stray from the established baselines, you can correlate these incidents to identify and mitigate the source.

Since Exchange Server 2010 is complex, you need to monitor several aspects. Primarily, you should gather and monitor metrics from the processor, memory, disk, and the Exchange services. You may monitor additional information, depending on the Exchange Server roles that you install.

Tools for Monitoring Exchange Server

Key Points

Most enterprise environments already use monitoring and alerting systems across their IT infrastructures. Where no monitoring solution exists, Microsoft System Center Operations Manager 2007 or System Center Essentials (with the Exchange Server 2010 management pack) provides an easily deployable Exchange Server monitoring solution.

Enterprise-class monitoring solutions also allow you to customize the data you want to collect, which can be helpful when tracking down specific problems, or when default monitoring sets do not collect the appropriate data. Since each deployment is unique, adjustments are required to fit particular usage and hardware scenarios.

In instances where a problem exists on a single or limited number of servers, you can use the Performance and Reliability Monitor to collect additional performance data that standard monitors might not capture.

Collecting Performance Data for the Exchange Server

Key Points

When monitoring Exchange servers, you should know which performance aspects are most important. You can use the common counters and threshold values detailed in this lesson to identify potential issues proactively, and help identify the root cause of issues when troubleshooting.

Since these values are general guidelines, it is important to trend and perhaps adjust these values to meet the needs of the specific environment. You can determine values that work in a specific environment by documenting normal operating values to create a baseline. After creating the baseline, set thresholds so that when performance metrics are not met, you know that the server is not operating optimally.

For more information about the performance counters, refer to the CD content.

Processor

The processor is one of the fundamental components that you need to monitor to ensure server health on all Exchange Server roles. Standard counters include the total percentage of processor time, the percentage of user-mode processor time, and the percentage of privileged-mode processor time.

An additional counter related to processor performance is the processor queue length. If a processor queue’s length is greater than the specified threshold value, this may indicate that there is more work available than the processor can handle. If this number is greater than 10, per processor core, this is a strong indicator that the processor is at capacity, particularly when coupled with high CPU utilization. Although you typically do not use processor queue length for capacity planning, you can use it to identify whether systems within the environment are capable of running the loads, or whether you should purchase faster processors for future servers.

Memory

Another key performance indicator is memory. Tracking the available memory, and how much memory has to be written to the page file, tells you when you need to increase server memory or reduce server load.

MSExchange ADAccess Domain Controllers

Exchange Server relies heavily on Active Directory® Domain Services (AD DS), or the Active Directory directory service, for information. Therefore, it is essential to measure the response time of the domain controllers and the health of the connections to them.

Collecting Performance Data for the Mailbox Server

Key Points

When you collect performance data about Mailbox servers, focus on disk response time and on how quickly the server responds to requests. The average read response time should be under 20 milliseconds (ms), and the average write response time should be under 100 ms. If the disk queue length begins to grow, that is another indicator that the disk system is not meeting demand. Any of these conditions may require you to purchase additional or faster disks, or to modify the disk configuration.

There are many Mailbox server performance counters that you can trend, depending on your messaging environment. However, the following counters are crucial and are a good place to begin when collecting performance data for the Mailbox server.

For more information about the performance counters, refer to the CD content.

Logical Disk

Logical Disk counters determine whether disk performance is meeting demands. As disk latency increases, database reads and writes take more time.

MSExchangeIS Mailbox and MSExchangeIS Public

When messages are being queued for submission to the local Hub Transport server, it may indicate a problem with connectivity to the transport server.

MSExchangeIS

The Client Access and transport servers use Microsoft Remote Procedure Call (RPC) to communicate with Mailbox servers, so it is important to monitor the response time for RPC requests to be sure that the Mailbox server is responding quickly enough to support the load.
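
The following Windows PowerShell script is an added example; it is not part of the course or of Exchange Server. It samples the counters named in the preceding Processor, Memory, MSExchange ADAccess and Logical Disk topics and in this MSExchangeIS topic with the Get-Counter cmdlet, and applies the thresholds the text gives: more than 10 queued threads per processor core, more than 20 ms average read latency, and more than 100 ms average write latency. The number of samples, the CPU and free-memory limits, and the function name are assumptions rather than course guidance, and should be replaced with values from your own baseline.

```powershell
# Added example (not course or product code): sample the counters named in this
# lesson and report any that exceed a threshold. Thresholds marked "course" come
# from the text; the others are assumptions to replace with your own baseline.
function Test-ExchangeServerCounters {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Samples = 5,          # assumption: five samples, one second apart
        [int]$QueuePerCore = 10     # course threshold: more than 10 per core
    )

    # Counter paths are the Performance Monitor names behind the lesson's tables.
    $paths = @(
        '\Processor(_Total)\% Processor Time',
        '\Processor(_Total)\% User Time',
        '\Processor(_Total)\% Privileged Time',
        '\System\Processor Queue Length',
        '\Memory\Available MBytes',
        '\Memory\Pages/sec',
        '\MSExchange ADAccess Domain Controllers(*)\LDAP Read Time',
        '\MSExchange ADAccess Domain Controllers(*)\LDAP Search Time',
        '\LogicalDisk(*)\Avg. Disk sec/Read',
        '\LogicalDisk(*)\Avg. Disk sec/Write',
        '\MSExchangeIS\RPC Averaged Latency'
    )

    $sets = Get-Counter -ComputerName $ComputerName -Counter $paths `
                        -SampleInterval 1 -MaxSamples $Samples -ErrorAction SilentlyContinue

    # Collect every sample per counter instance so we can average them.
    $values = @{}
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            if (-not $values.ContainsKey($s.Path)) { $values[$s.Path] = @() }
            $values[$s.Path] += $s.CookedValue
        }
    }

    $cores = [int]$env:NUMBER_OF_PROCESSORS
    $findings = @()
    foreach ($path in $values.Keys) {
        $avg  = ($values[$path] | Measure-Object -Average).Average
        $note = $null
        switch -Wildcard ($path) {
            '*\Processor Queue Length' {
                if ($avg -gt ($QueuePerCore * $cores)) {
                    $note = "queue length $([math]::Round($avg,1)) exceeds $QueuePerCore x $cores cores (course threshold)"
                }
            }
            '*\Avg. Disk sec/Read' {
                $ms = $avg * 1000     # counter reports seconds; the text uses ms
                if ($ms -gt 20)  { $note = "read latency $([math]::Round($ms,1)) ms exceeds 20 ms (course threshold)" }
            }
            '*\Avg. Disk sec/Write' {
                $ms = $avg * 1000
                if ($ms -gt 100) { $note = "write latency $([math]::Round($ms,1)) ms exceeds 100 ms (course threshold)" }
            }
            '*\Available MBytes' {
                if ($avg -lt 1024) { $note = "only $([int]$avg) MB free (assumed threshold: 1024 MB)" }
            }
            '*\% Processor Time' {
                if ($avg -gt 75) { $note = "CPU at $([math]::Round($avg,1)) % (assumed threshold: 75 %)" }
            }
        }
        if ($note) {
            $findings += New-Object PSObject -Property @{ Counter = $path; Finding = $note }
        }
    }
    return $findings
}

# Run against the local server and list anything outside the thresholds.
Test-ExchangeServerCounters | Format-Table -AutoSize
```

The script runs under the Windows PowerShell 2.0 that ships with Windows Server 2008 R2, so it can be used on a server without the Exchange Management Shell loaded; counters that do not exist on a given role (for example MSExchangeIS on a Hub Transport server) are skipped because of the SilentlyContinue error action. LDAP read and search times and RPC latency are collected but not judged, because the text gives no threshold for them; compare them against your own baseline.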

Question: If any of these performance counters measures outside its normal range, what is the most likely cause?

Collecting Performance Data for the Hub Transport and Edge Transport Servers

Key Points

The transport servers store message queue information on disk. The average read response time should be less than 20 ms, and the average write response time should be less than 100 ms. If the disk queue length starts to grow, that is another indicator that the disk system is not keeping up with demand. Any of these conditions may require you to purchase additional or faster disks, or modify the disk configuration.

For more information about the performance counters, refer to the CD content.

Logical Disk

Logical Disk counters determine whether disk performance is meeting demands. As disk latency increases, database reads and writes take more time.

MSExchange Database ==> Instances

Transport servers store message queue information in databases. Therefore, monitoring database performance will help you identify issues with reading or storing queue information in the databases.

MSExchange Transport Queues

You also should monitor the transport server queues to ensure delivery of e-mail messages.
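
The following Exchange Management Shell script is an added example and not course or product code. It shows the cmdlet view of the queue condition that the MSExchange Transport Queues counters and the Queue Viewer expose: queues on a Hub Transport or Edge Transport server that are holding more messages than expected or that are in the Retry state. The message-count limit and the function name are assumptions; set the limit from your own baseline.

```powershell
# Added example (not course or product code): list transport queues that are
# backing up or retrying. Run in the Exchange Management Shell, because
# Get-Queue is an Exchange cmdlet.
function Get-UnhealthyTransportQueues {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [int]$MaxMessages = 100     # assumption: replace with your baseline
    )

    # Get-Queue returns one object per delivery queue, including the
    # Submission and Unreachable queues, with MessageCount and Status.
    $queues = Get-Queue -Server $Server

    $unhealthy = $queues | Where-Object {
        $_.MessageCount -gt $MaxMessages -or $_.Status -eq 'Retry'
    }

    # LastError explains why a queue is in Retry (for example DNS or
    # connection failures to the next hop), which is the first thing to read.
    $unhealthy | Select-Object Identity, DeliveryType, Status, MessageCount,
                               NextHopDomain, NextRetryTime, LastError
}

# Summarize the total backlog per delivery type as well, which is the view the
# aggregate queue counters give you; a growing total with healthy individual
# queues usually means throughput, not a single bad destination.
function Get-TransportBacklogSummary {
    param([string]$Server = $env:COMPUTERNAME)
    Get-Queue -Server $Server |
        Group-Object DeliveryType |
        ForEach-Object {
            New-Object PSObject -Property @{
                DeliveryType = $_.Name
                Queues       = $_.Count
                Messages     = ($_.Group | Measure-Object MessageCount -Sum).Sum
            }
        }
}

Get-UnhealthyTransportQueues | Format-Table -AutoSize
Get-TransportBacklogSummary  | Format-Table DeliveryType, Queues, Messages -AutoSize
```

Queues in the Retry state with a rising NextRetryTime and a LastError that names the next hop point to the connectivity problems the lesson associates with the MSExchangeIS Mailbox submission queue and with remote delivery; a large message count in Ready or Active queues with no error points instead to the disk and database limits described above.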

Question: If any of these performance counters measures outside its normal range, what is the most likely cause?

Collecting Performance Data for the Client Access Server

Key Points

The Client Access server role performs many of the key client connectivity functions for Exchange Server clients. Disk performance is important for determining overall server health. Additionally, you should monitor the response time for services used by Client Access servers to ensure proper performance.

For more information about the performance counters, refer to the CD content.

Logical Disk

Logical Disk counters determine whether disk performance is meeting demands. As disk latency increases, database reads and writes take more time.

ASP.NET Services and Applications

Microsoft Outlook® Web App and Exchange Web Services rely heavily on the Microsoft .NET Framework and on ASP.NET files, which are read, processed, and rendered for end users. Monitoring the response time and the number of times the application has had to restart can help you verify the overall health of the services.

MSExchange Web Services

The response times of Outlook Web App, the Outlook Anywhere (RPC/HTTP) Proxy, Microsoft Exchange ActiveSync®, Offline Address Book downloads, and the Availability Service are also valuable metrics to monitor.

Question: If any of these performance counters measures outside its normal range, what is the most likely cause?

Using the Collected Performance Data

Key Points

To determine which thresholds denote an existing problem, set a monitoring baseline by reviewing monitoring data over a full business cycle. Business cycles vary for each company, and your cycle should include both busy and slow periods. For some businesses, busy periods might correlate with the end-of-month accounting close process or periods with notably high sales figures. Gathering a broad data set will provide sufficient data to determine the appropriate operating thresholds.

To use the collected performance data:

1. Create a monitoring baseline by averaging performance metrics from a properly operating system:

• Monitor performance for a full business cycle.

• Note any peaks or troughs in the data.

2. Set warning and error level thresholds.

3. Review growth trends regularly to:

• Adjust thresholds.

• Adjust server configurations.

It is important that you review your thresholds periodically, so you can adjust the servers—or the thresholds themselves—to ensure proper monitoring.
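
The following script is an added example, not course or product code. It carries the three steps above through in Windows PowerShell: it loads a counter's samples from a Performance Monitor log (or, when no log is available, from constructed sample data embedded in the script), records the mean, peak and trough that make up the baseline, and derives warning and error thresholds from them. The course only says to set two threshold levels; the rule used here, the mean plus two and three standard deviations, is an assumption, as are the log path and the function names.

```powershell
# Added example (not course or product code): build a baseline from collected
# samples and derive warning and error thresholds from it.
function New-CounterBaseline {
    param(
        [string]$Counter,
        [double[]]$Values,
        [double]$WarningSigma = 2,   # assumption: warn at mean + 2 standard deviations
        [double]$ErrorSigma   = 3    # assumption: error at mean + 3 standard deviations
    )
    $stats = $Values | Measure-Object -Average -Maximum -Minimum
    $mean  = $stats.Average

    # Population standard deviation of the samples.
    $sumSq = ($Values | ForEach-Object { ($_ - $mean) * ($_ - $mean) } |
              Measure-Object -Sum).Sum
    $sd = [math]::Sqrt($sumSq / $Values.Count)

    New-Object PSObject -Property @{
        Counter = $Counter
        Samples = $Values.Count
        Mean    = [math]::Round($mean, 2)
        Peak    = $stats.Maximum      # step 1: note the peaks
        Trough  = $stats.Minimum      # step 1: note the troughs
        Warning = [math]::Round($mean + $WarningSigma * $sd, 2)   # step 2
        Error   = [math]::Round($mean + $ErrorSigma   * $sd, 2)   # step 2
    }
}

# Read one counter's values from a .blg log written by a data collector set.
# If the log is not present, fall back to constructed data so the script runs.
function Get-SampleValues {
    param([string]$LogPath, [string]$Counter)
    if ($LogPath -and (Test-Path $LogPath)) {
        return @(Import-Counter -Path $LogPath -Counter $Counter |
                 ForEach-Object { $_.CounterSamples[0].CookedValue })
    }
    # Constructed sample: RPC Averaged Latency in ms across a business cycle,
    # with two short spikes that a peak-only threshold would overreact to.
    return @(4, 5, 5, 6, 4, 7, 12, 5, 6, 5, 4, 15, 6, 5, 5, 4, 6, 5, 8, 5)
}

# The log path is an assumption; it is where a collector set named
# "Exchange Monitoring" would write by default on this server.
$counter = '\MSExchangeIS\RPC Averaged Latency'
$values  = Get-SampleValues -LogPath 'C:\PerfLogs\Exchange Monitoring.blg' -Counter $counter

New-CounterBaseline -Counter $counter -Values $values |
    Format-List Counter, Samples, Mean, Peak, Trough, Warning, Error
```

Re-run the script against each new business cycle's log to carry out step 3: a mean that has drifted upward shows a growth trend that warrants adjusting the server, while a wider spread that has moved the warning level without moving the mean usually means the thresholds, not the hardware, need adjusting.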

Lesson 2 Maintaining Exchange Server 2010

Maintaining the Exchange Server messaging solution is an ongoing process that requires discipline, not only for the administrator but also for the organization. Using change management techniques to control change has many benefits as described in this lesson.

Change management often includes controlling which software updates are applied, how the updates are applied, and when the updates are applied. It also includes managing your hardware upgrades.

In this lesson, you will review the importance of change management, and techniques you can use to perform upgrades to your Exchange Server computers.

After completing this lesson, you will be able to:

• Describe change management.

• Describe the change management process.

• Describe software updates.

• Deploy software updates.

• Determine when to upgrade your hardware.

• Implement hardware upgrades.

Discussion: What Is Change Management?

Key Points

The change management process controls environmental change through a framework—such as the Microsoft Operations Framework—that includes change management components. Change management is important, as it can lead to better application availability, better educated IT staff, and a more predictable infrastructure. Planning which changes to deploy, and how and when to deploy them, falls into the purview of a change management framework.

Question: How does your organization address change management?

Question: Are there some situations where change management is more important?

Question: What are the benefits of having a formal change management process?

Question: Are there situations in which you cannot follow the normal change process?

Considerations for Managing Change

Key Points

The change management process varies widely from organization to organization. The basic components for managing change are as follows:

1. Adopt a process model like the Microsoft Operations Framework. A number of well-defined frameworks are available. Adopting an established framework may make educating employees easier, because they already may be familiar with the framework.

2. Define a process and use it consistently. Once you have a process, ensure that everyone involved understands why it was adopted, and how to follow the process.

3. Support the change management process. If you do not support the process properly, it will not be as effective as possible. It is essential that everyone work to support the process.

Discussion: What Are Software Updates?

Key Points

Software requires continuous improvement, whether to fix software bugs, mitigate security risks, add features, or improve performance. Every month Microsoft releases relevant security updates for affected products. These updates are usually important updates that reduce security vulnerabilities. Additionally, Microsoft product groups periodically release hotfixes (interim updates), update rollups, and service packs.

Question: What is the difference between a hotfix and an update?

Question: Why should your organization deploy software updates?

Process for Deploying Software Updates

Key Points

You should adopt an update deployment strategy that suits your organization's requirements. Some businesses choose to deploy updates only at set intervals, while others deploy all updates as they become available. Once you adopt a strategy, the process for deploying updates is:

1. Determine which updates are required. This step relies heavily on your deployment strategy for software updates.

2. Test and document the update in a compatible environment. Testing updates before you place them in production is an essential step to ensure that the changes do not cause other problems. The testing process should include installing the update, as well as verifying that all related software still functions as expected. Testing updates often is done in a lab environment that is configured similar to the production environment. Many companies have adopted a virtualized platform such as Hyper-V™ to create a flexible and inexpensive test environment.

3. Test and document the back-out plan. Update deployments can fail for many reasons: updates can fail to install, can cause server failure, or can alter software behavior in an unexpected way.

4. Back up the server. Before applying an update, ensure that you can recover the server data and configuration in the event of an unsuccessful update. Performing a full backup of all data unique to the server is an essential step in deploying an update.

5. Schedule and install the software update. You can install updates in a variety of ways: you can use tools such as Windows Server Update Services or System Center Configuration Manager to complete the installation, or in smaller and more restrictive environments, you can manually install the updates.

6. Verify and monitor the software update installation. After installation, test the updated application to ensure the updates completed successfully. At times, this includes verifying that the proper file versions are present, and that the software is behaving as if the update was applied.
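
The following Exchange Management Shell script is an added example, not course or product code, for step 6 of the process above: it checks that an update is present, that the Exchange binaries carry the expected build, and that every service the installed roles require is running again after installation. The KB number and expected build are placeholders to be filled from the update's release notes, and the function name is an assumption.

```powershell
# Added example (not course or product code): verify an update installation.
# Run in the Exchange Management Shell on the updated server, because
# Test-ServiceHealth and Get-ExchangeServer are Exchange cmdlets.
function Test-ExchangeUpdateInstalled {
    param(
        [string]$KB = 'KB0000000',             # placeholder: the update's KB id
        [string]$ExpectedBuild = '14.0.0.0',   # placeholder: build from the release notes
        [string]$Server = $env:COMPUTERNAME
    )

    $result = New-Object PSObject -Property @{
        HotfixListed   = $false
        ExSetupVersion = $null
        BuildMatches   = $false
        ServicesOk     = $false
        ServicesDown   = @()
    }

    # Get-HotFix reads the Windows update inventory. Windows and security
    # updates appear here; Exchange update rollups and service packs often do
    # not, which is why the file-version check below is the reliable one.
    $result.HotfixListed = [bool](Get-HotFix -Id $KB -ComputerName $Server -ErrorAction SilentlyContinue)

    # Exchange setup sets ExchangeInstallPath; ExSetup.exe carries the build
    # number, so comparing it to the release notes proves the binaries changed.
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    if (Test-Path $exsetup) {
        $result.ExSetupVersion = (Get-Item $exsetup).VersionInfo.FileVersion
        $result.BuildMatches   = ($result.ExSetupVersion -eq $ExpectedBuild)
    }

    # Test-ServiceHealth reports, per installed role, which required services
    # are not running; an empty list means the server came back up cleanly.
    $health = Test-ServiceHealth -Server $Server
    $result.ServicesDown = @($health | ForEach-Object { $_.ServicesNotRunning })
    $result.ServicesOk   = ($result.ServicesDown.Count -eq 0)

    return $result
}

Test-ExchangeUpdateInstalled | Format-List HotfixListed, ExSetupVersion, BuildMatches, ServicesOk, ServicesDown
```

Record the output with the change ticket; a BuildMatches of False with HotfixListed True means the package was registered but the Exchange files were not replaced, which is the case the back-out plan from step 3 exists for.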

Determining the Need for Hardware Upgrades

Key Points

Exchange Server 2010 uses hardware more efficiently than previous Exchange Server versions, which means there may be less need than in the past to upgrade hardware. In particular, Exchange Server 2010 reduces disk activity. Disk capacity is one of the most commonly required hardware upgrades.

Proactively monitoring hardware performance—processor, memory, disk, or network—is the best way to determine whether bottlenecks exist in the environment. Another valid trigger for researching hardware issues is gathering and examining user feedback. You should not rely solely on user feedback as the first indication of issues, but it can help you pinpoint particular user issues with the hardware.

Process for Implementing Hardware Upgrades

Key Points

Hardware upgrades are more difficult to test than software upgrades. Many organizations do not use exactly the same hardware in a test environment as they do in a production environment. However, to the extent possible, test your hardware upgrades on non-production hardware. The upgrade process works as follows:

1. Determine which upgrades are required. After reviewing the monitoring data to determine the bottleneck, you will know which hardware changes or upgrades you need to deploy.

2. Test and document the upgrade in a test environment. Testing and documenting updates in a test lab reduces the likelihood of running into problems during hardware deployment.

3. Test and document the back-out plan. Sometimes the upgrade does not go as planned, so documenting the steps required to return the server to the pre-upgraded state is essential. Although this may seem like extra work, when problems arise during a change and you must complete or back out the change within a limited amount of time, it is best to have the steps already worked out.

4. Back up the server. Before applying the upgrade, ensure that you can recover the server data and the configuration should your upgrade be unsuccessful. Performing a full backup of all data unique to the server is an essential step in deploying an update.

5. Schedule and install the hardware upgrade. Working within the change management process, schedule the upgrade and then assign a qualified person to complete the documented steps.

6. Verify and monitor the hardware upgrade. After completing the upgrade, monitor the hardware for basic functionality and to ensure that it performs as you would expect.

Lesson 3 Troubleshooting Exchange Server 2010

Even in a well-maintained Exchange Server organization, problems can arise that you must identify and repair. Although general troubleshooting guidelines exist, often experience and an analytical attitude provide the best tools for successfully discovering the problem’s source and fixing it.

After completing this lesson, you will be able to:

• Develop a troubleshooting methodology.

• Identify troubleshooting tools that you can use.

• Troubleshoot Mailbox servers.

• Troubleshoot Client Access servers.

• Troubleshoot Message Transport servers.

Developing a Troubleshooting Methodology

Key Points

The goal of troubleshooting is to identify and diagnose problems, and then determine and execute the necessary repair. There are many troubleshooting methods, and they vary by type of problem that you are trying to resolve. Implementing a repeatable troubleshooting process is important so that you can quickly resolve problems. A common troubleshooting method is as follows:

1. Clearly define the problem. Obtain an accurate description of the problem by verifying the reported problem, including when you noticed it and how you can reproduce it.

2. Gather information related to the problem. Turn up logging, review event logs, and try to reproduce the problem.

3. List the potential causes of the problem. With the problem statement and gathered data, you can enumerate all potential causes of the problem.

4. Rank the possible causes by probability, and define their solutions. Create a list of either solutions or additional troubleshooting that is required to address each potential cause. Search your knowledge base, product support documentation, and the Internet for information about possible resolutions.

5. Rank the solutions by how easy they are to implement and by the impact of implementing them.

6. Try the most probable and easily implemented resolutions first. Work through the list of solutions, one at a time, until you resolve the issue, or gather additional information that changes the definition of the problem.

7. Reduce logging to normal.

8. Document resolution and root cause for future reference. Although you may remember details of the solution later, documenting the root cause and the resolution will reduce resolution times in the future.
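
The following Exchange Management Shell script is an added example, not course or product code. It implements steps 2 and 7 of the method above for one Exchange component: it records the current diagnostic logging level, raises it with Set-EventLogLevel while the problem is reproduced, gathers the Exchange warnings and errors written to the Application log during that window into a file for step 3, and then restores the original level, even if the script is interrupted. The component name, the capture length and the output file are assumptions; Get-EventLogLevel lists the components you can choose from.

```powershell
# Added example (not course or product code): raise diagnostic logging for a
# component, capture what Exchange writes while the problem is reproduced,
# then reduce logging to normal. Run in the Exchange Management Shell.
function Invoke-DiagnosticCapture {
    param(
        [string]$Component = 'MSExchangeTransport\SmtpReceive',  # assumption: pick the component matching the symptom
        [int]$Minutes = 10,                                      # assumption: reproduction window
        [string]$OutFile = (Join-Path $env:TEMP 'exchange-diag.csv')
    )

    # Step 2: remember the current level so step 7 restores exactly that level.
    $before = (Get-EventLogLevel -Identity $Component).EventLevel
    Set-EventLogLevel -Identity $Component -Level Expert
    $start = Get-Date

    try {
        Write-Host "Logging on $Component raised to Expert (was $before). Reproduce the problem now; capturing for $Minutes minutes."
        Start-Sleep -Seconds ($Minutes * 60)
    }
    finally {
        # Step 7: reduce logging to normal even if the operator presses Ctrl+C,
        # because Expert logging fills the Application log quickly.
        Set-EventLogLevel -Identity $Component -Level $before
    }

    # Gather the Exchange events written during the window (step 2) into a
    # file that can be reviewed and attached to the problem record (step 8).
    Get-EventLog -LogName Application -After $start -EntryType Error, Warning |
        Where-Object { $_.Source -like 'MSExchange*' } |
        Select-Object TimeGenerated, Source, EventID, EntryType, Message |
        Export-Csv -Path $OutFile -NoTypeInformation

    return $OutFile
}

# Capture for the default component and show where the events were written.
$captured = Invoke-DiagnosticCapture
Write-Host "Events written to $captured"
```

Keep the captured file with the problem record: it is the evidence for step 3's list of causes, and comparing it with a capture taken after the fix is the simplest way to confirm the root cause you document in step 8.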

Troubleshooting Tools

Key Points

Over the years, a number of useful Exchange Server troubleshooting tools have been introduced. Each tool has a specific use, but they all use detailed product knowledge and information about your environment to suggest potential problem solutions.

• Exchange Best Practices Analyzer (ExBPA). This invaluable tool enables you to identify potential issues based on deviations from best practices, and to gather a great deal of information about the Exchange Server organization that you can use for reference and for troubleshooting problems.

• Performance Troubleshooter. This tool helps you locate and identify performance-related issues that could affect Exchange servers. You diagnose problems by selecting the symptoms observed. Based on the symptoms, the tool walks you through the correct troubleshooting path. Performance Troubleshooter identifies possible bottlenecks and suggests corrective actions.

• The Exchange Mail Flow Troubleshooter. This tool helps provide easy access to various data sources that are required to troubleshoot problems with mail flow, such as non-delivery reports, queue backups, and slow deliveries. The tool then automatically diagnoses the retrieved data, presents an analysis of the possible root causes, and suggests corrective actions.

Other tools such as the Performance and Reliability Monitor check the health of the Exchange Server processes. You can use the Queue Viewer to view the message status in transport queues. Tools such as Network Monitor and Telnet can help you troubleshoot network issues, and message tracking and the Routing Log Viewer can help you troubleshoot message delivery issues.

For information about other troubleshooting tools, refer to the CD content.

Discussion: Troubleshooting Mailbox Servers

Key Points

You can apply standard troubleshooting techniques to the unique problems that can occur with Mailbox servers. Use tools such as the Database Troubleshooter and the Event Viewer to identify the problem and work toward a resolution.

Question: A database has gone offline. What process can you use to troubleshoot the problem?

Discussion: Troubleshooting Client Access Servers

Key Points

You can apply standard troubleshooting techniques to the unique problems that can occur with Client Access servers. Use tools such as the Exchange Best Practices Analyzer and the Event Viewer to identify the problem and work toward a resolution.

Question: Outlook users can no longer connect to the system. What process can you use to troubleshoot the problem?

Discussion: Troubleshooting Message Transport Servers

Key Points

You can apply standard troubleshooting techniques to the unique problems that can occur with transport servers. Use tools such as the Queue Viewer, message tracking, and the Mail Flow Troubleshooter to identify the problem, and then work toward a resolution.

Question: Users are reporting non-deliverable and slow-to-deliver outbound e-mail. What process can you use to troubleshoot the problem?

Lab: Maintaining Exchange Server 2010

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.

2. Ensure that the 10135A-VAN-DC1 and the 10135A-VAN-EX1 virtual machines are running:

• 10135A-VAN-DC1: Domain controller in the Adatum.com domain.

• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.

3. If required, connect to the virtual machines. Log on to the virtual machines as Adatum\Administrator, using the password Pa$$w0rd.

Lab Scenario

You are the messaging administrator at A. Datum Corporation. You need to configure basic monitoring by using the Performance and Reliability Monitor. You also must troubleshoot issues with a mailbox database and a Client Access server.

Exercise 1: Monitoring Exchange Server 2010

Scenario

You are the messaging administrator at A. Datum Corporation. You need to configure basic monitoring using the Performance and Reliability Monitor. Before implementing Microsoft System Center Operations Manager to monitor your Exchange Server 2010 computers, you must create a data collector set to monitor key performance components that are running on your Mailbox server.

The main tasks for this exercise are as follows:

1. Create a new data collector set named Exchange Monitoring.

2. Create a new performance-counter data collector set for monitoring basic Exchange Server performance.

3. Create a new performance-counter data collector set for monitoring Mailbox server role performance.

4. Verify that the data collector set works properly.

Task 1: Create a new data collector set named Exchange Monitoring

• On VAN-EX1, open the Performance Console, and create a data collector set named Exchange Monitoring.


Task 2: Create a new performance counter data collector set for monitoring basic Exchange Server performance

1. Create a performance data collector set named Base Exchange Monitoring.

2. Add the following performance counters to monitor basic Exchange Server performance on VAN-EX1:

Object                                   Counter
Processor                                % Processor Time
                                         % User Time
                                         % Privileged Time
Memory                                   Available Megabytes (MB)
                                         Page Reads/sec
                                         Pages Input/sec
                                         Pages/sec
                                         Pages Output/sec
                                         Pool Paged Bytes
                                         Transition Pages Repurposed/sec
MSExchange ADAccess Domain Controllers   LDAP Read Time
                                         LDAP Search Time
                                         LDAP Searches timed out per minute
                                         Long running LDAP operations/Min
System                                   Processor Queue Length


Task 3: Create a new performance counter data collector set for monitoring Mailbox server role performance

1. Create a performance data collector set named Mailbox Role Monitoring.

2. Add the following performance counters to monitor basic Exchange Server performance on VAN-EX1:

Object                       Counter
LogicalDisk                  Avg. Disk sec/Read
                             Avg. Disk sec/Transfer
                             Avg. Disk sec/Write
MSExchangeIS                 RPC Averaged Latency
                             RPC Num Slow Packets
                             RPC Operations/sec
                             RPC Requests
MSExchangeIS Mailbox         Messages Queued for Submission
MSExchangeIS Public          Messages Queued for Submission

Task 4: Verify that the data collector set works properly

1. Start the Exchange Monitoring data collector set and let it run for five minutes.

2. Stop the Exchange Monitoring data collector set, and then review the latest report.

Results: After this exercise, you should have created a data collector set for monitoring VAN-EX1 that uses the performance counters that this module recommends.
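The exercise builds the collector sets in the Performance Console GUI. As an added example (not part of the course), the script below creates the same two counter logs from the command line with logman.exe, and then takes a short Get-Counter sample of the same counters and averages them, which is a quick way to confirm that every counter path resolves on the server before the five-minute run. The counter paths are the real Performance Monitor names that correspond to the lab's tables (for example "Available MBytes" for "Available Megabytes (MB)"); the log folder, sample interval, file size cap and the RPC Num Slow Packets spelling (taken from the lab table) are assumptions to verify in Performance Monitor on your own server.

```powershell
# Added example, not course code. Run elevated on VAN-EX1 (logman needs admin).
# Log folder, interval and size cap below are assumptions.
$logRoot = 'C:\PerfLogs\ExchangeMonitoring'

$baseCounters = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\% User Time',
    '\Processor(_Total)\% Privileged Time',
    '\Memory\Available MBytes',
    '\Memory\Page Reads/sec',
    '\Memory\Pages Input/sec',
    '\Memory\Pages/sec',
    '\Memory\Pages Output/sec',
    '\Memory\Pool Paged Bytes',
    '\Memory\Transition Pages RePurposed/sec',
    '\MSExchange ADAccess Domain Controllers(*)\LDAP Read Time',
    '\MSExchange ADAccess Domain Controllers(*)\LDAP Search Time',
    '\MSExchange ADAccess Domain Controllers(*)\LDAP Searches timed out per minute',
    '\MSExchange ADAccess Domain Controllers(*)\Long running LDAP operations/Min',
    '\System\Processor Queue Length'
)
$mailboxCounters = @(
    '\LogicalDisk(*)\Avg. Disk sec/Read',
    '\LogicalDisk(*)\Avg. Disk sec/Transfer',
    '\LogicalDisk(*)\Avg. Disk sec/Write',
    '\MSExchangeIS\RPC Averaged Latency',
    '\MSExchangeIS\RPC Num Slow Packets',     # spelling as in the lab table; verify locally
    '\MSExchangeIS\RPC Operations/sec',
    '\MSExchangeIS\RPC Requests',
    '\MSExchangeIS Mailbox(_Total)\Messages Queued for Submission',
    '\MSExchangeIS Public(_Total)\Messages Queued for Submission'
)

# logman creates one data collector set per call (the GUI lets you nest two
# collectors under "Exchange Monitoring"; here they are two sibling sets).
# -si = sample interval, -f bincirc = circular binary log, -max = size cap in MB.
New-Item -ItemType Directory -Path $logRoot -Force | Out-Null
logman create counter 'Base Exchange Monitoring'  -c $baseCounters    -si 00:00:15 -o "$logRoot\Base"    -f bincirc -max 250
logman create counter 'Mailbox Role Monitoring'   -c $mailboxCounters -si 00:00:15 -o "$logRoot\Mailbox" -f bincirc -max 250

# Start both, then later: logman stop 'Base Exchange Monitoring' etc.
logman start 'Base Exchange Monitoring'
logman start 'Mailbox Role Monitoring'
logman query   # shows Status = Running for both sets

# Live sanity check: a few samples of every counter, averaged per counter path.
# A counter that does not resolve is dropped by Get-Counter (reported on stderr).
function Get-CounterAverages {
    param([string[]]$CounterPaths, [int]$Samples = 3, [int]$IntervalSeconds = 5)
    $sets = Get-Counter -Counter $CounterPaths -SampleInterval $IntervalSeconds `
                        -MaxSamples $Samples -ErrorAction SilentlyContinue
    $sets | ForEach-Object { $_.CounterSamples } |
        Group-Object Path |
        ForEach-Object {
            New-Object PSObject -Property @{
                Counter = $_.Name
                Average = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 3)
            }
        } |
        Sort-Object Counter
}

Get-CounterAverages -CounterPaths ($baseCounters + $mailboxCounters) |
    Format-Table Counter, Average -AutoSize
```

Wildcard instances such as LogicalDisk(*) expand to one row per volume in the averaged output, so the disk latency of the database and log volumes can be compared side by side. Keep the logman sets running for the five minutes the exercise asks for before reviewing the report.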


Exercise 2: Troubleshooting Database Availability

Scenario

You are the messaging administrator for A. Datum Corporation. After recovering from a hardware failure, your monitoring software reports that one of the mailbox databases is not mounted. You must troubleshoot and repair the database problem.

The main tasks for this exercise are as follows:

1. Identify the scope of the problem.

2. Review the event logs.

3. Run the Best Practices Analyzer.

4. List the probable causes of the problem, and rank the possible solutions if multiple options exist.

5. Review the database configuration.

6. Reconfigure and mount the database.

Preparation

Before you begin this exercise, complete the following steps:

1. On VAN-EX1, open an Exchange Management Shell. At the prompt, type d:\Labfiles\Lab11Prep2.ps1, and then press ENTER.

2. When prompted, type N, and press ENTER.

3. Close the Exchange Management Shell.

Task 1: Identify the scope of the problem

1. On VAN-EX1, open Exchange Management Console.

2. Identify which, if any, mailbox databases are not mounted.

3. List the database(s) that are dismounted.


Task 2: Review the event logs

1. On VAN-EX1, attempt to mount MailboxDB100. Review the warning message, and then click No.

2. Open the Event Viewer. In the Application Log and System Log, review the events generated, and make note of any errors.

Task 3: Run the Best Practices Analyzer

1. On VAN-EX1, run Exchange Best Practices Analyzer. Perform a Health Check scan of just VAN-EX1.

2. Review the ExBPA report, and note issues identified by the scan that may have an impact on the scenario.

Task 4: List the probable causes of the problem, and rank the possible solutions if multiple options exist

• List the problems and possible solutions:

Problem                                  Possible solution


Task 5: Review the database configuration

1. On VAN-EX1, open Exchange Management Console and review the database configuration.

2. Open Windows Explorer, and locate the database files.

Task 6: Reconfigure and mount the database

1. On VAN-EX1, open Exchange Management Shell and reconfigure the database using the Move-DatabasePath cmdlet with the -ConfigurationOnly parameter.

2. Mount the database.

Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Mailbox server problem.
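As an added example (not the course's lab answer), the following Exchange Management Shell script automates the diagnostic path of Tasks 1, 5 and 6: it lists the dismounted databases, checks whether the .edb file and log folder recorded in the database configuration actually exist on disk, and, when the files are found at a different location, points the configuration at them with Move-DatabasePath -ConfigurationOnly and mounts the database. All cmdlets are real Exchange Server 2010 cmdlets; the server name and the "real" file locations passed as parameters are placeholders that you would read from Windows Explorer in Task 5.

```powershell
# Added example, not course code. Run in the Exchange Management Shell.
# $EdbFilePath and $LogFolderPath are placeholders for where the files really are.
param(
    [string]$Server        = 'VAN-EX1',
    [string]$Database      = 'MailboxDB100',
    [string]$EdbFilePath   = 'D:\Databases\MailboxDB100\MailboxDB100.edb',   # placeholder
    [string]$LogFolderPath = 'D:\Databases\MailboxDB100'                     # placeholder
)

# 1. Scope: which databases on this server are not mounted? (-Status is needed
#    to populate the Mounted property.)
$dismounted = Get-MailboxDatabase -Server $Server -Status | Where-Object { -not $_.Mounted }
Write-Host "== Dismounted databases on $Server =="
$dismounted | Format-Table Name, Mounted, EdbFilePath, LogFolderPath -AutoSize

# 2. Configuration versus disk: does each configured path exist?
function Test-DatabasePaths {
    param($Db)
    New-Object PSObject -Property @{
        Database  = $Db.Name
        EdbPath   = "$($Db.EdbFilePath)"
        EdbExists = Test-Path -LiteralPath "$($Db.EdbFilePath)"
        LogPath   = "$($Db.LogFolderPath)"
        LogExists = Test-Path -LiteralPath "$($Db.LogFolderPath)"
    }
}
Write-Host "== Configured paths =="
$dismounted | ForEach-Object { Test-DatabasePaths $_ } |
    Format-Table Database, EdbExists, EdbPath, LogExists, LogPath -AutoSize

# 3. Repair: when the files are present at the real location but the configuration
#    points elsewhere, change only the configuration (no file copy) and mount.
$db = Get-MailboxDatabase -Identity $Database -Status
if ($db.Mounted) {
    Write-Host "$Database is already mounted; nothing to do."
}
elseif ((Test-Path -LiteralPath $EdbFilePath) -and (Test-Path -LiteralPath $LogFolderPath)) {
    Move-DatabasePath -Identity $Database -EdbFilePath $EdbFilePath `
                      -LogFolderPath $LogFolderPath -ConfigurationOnly -Confirm:$false
    Mount-Database -Identity $Database
    $after = Get-MailboxDatabase -Identity $Database -Status
    Write-Host ("{0} mounted: {1}" -f $after.Name, $after.Mounted)   # expect True
}
else {
    Write-Warning "Database files not found at the supplied paths; re-check Windows Explorer and the Application log before mounting."
}
```

The -ConfigurationOnly switch is the right tool only when the files were moved intact. If the .edb exists at the configured path and still will not mount, the Application log events (ESE and MSExchangeIS sources) rather than the path configuration are where to look next.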


Exercise 3: Troubleshooting Client Access Servers

Scenario

You are the messaging administrator for A. Datum Corporation. Users report that they cannot log on to Outlook Web App. You need to determine and then repair the problem.

The main tasks for this exercise are as follows:

1. Verify the problem by attempting to reproduce the problem.

2. Review the event logs.

3. Use the Test cmdlets to verify server health.

4. List the probable causes of the problem, and rank possible solutions if multiple options exist.

5. Check the Outlook Web App configuration.

6. Verify that you resolved the problem.

Preparation

Before you begin this exercise, complete the following steps:

1. On VAN-EX1, open Exchange Management Shell. At the prompt, type d:\Labfiles\Lab11Prep3.ps1, and then press ENTER.

2. Close the Exchange Management Shell.

Task 1: Verify the problem by attempting to reproduce the problem

1. Attempt to log on to https://van-ex1.adatum.com/owa as Administrator using the password Pa$$w0rd.

2. Make note of the error displayed:

Task 2: Review the event logs

1. On VAN-EX1, open Event Viewer, and then review any errors listed in the Application and System logs.

2. Make note of any errors.


Task 3: Use the Test cmdlets to verify server health

1. On VAN-EX1, open the Exchange Management Shell, and run the Test-ServiceHealth cmdlet.

2. Run the Test-OwaConnectivity -URL https://VAN-EX1.adatum.com/OWA -TrustAnySSLCertificate cmdlet to test Outlook Web App connectivity. Log on as Adatum\administrator.

3. Review the results of the cmdlets, and then make note of any errors.

Task 4: List the probable causes of the problem, and rank the possible solutions if multiple options exist

• List the problems and possible solutions:

Problem                                  Possible solution

Task 5: Check the Outlook Web App configuration

1. Open Exchange Management Console, and then review the Outlook Web App configuration on VAN-EX1.

Note: During this task, click OK to dismiss any messages that indicate that VAN-EX2 is not accessible.


2. Take the necessary actions to fix the problem. Run IISReset after fixing the problem.

Task 6: Verify that you resolved the problem

• Attempt to log on to https://van-ex1.adatum.com/owa as Adatum\Administrator with a password of Pa$$w0rd.

Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Client Access server problem.
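As an added example (not the course's lab answer), this Exchange Management Shell script strings together the checks of Tasks 3, 5 and 6 so they can be re-run after each change: service health per role, a synthetic Outlook Web App logon, a dump of the OWA virtual-directory settings on the Client Access server, and the post-fix IIS restart. Test-ServiceHealth, Test-OwaConnectivity, Get-OwaVirtualDirectory and iisreset are all real; the server name, URL and the -Repair switch's meaning (it only restarts IIS, it does not change configuration) are assumptions chosen for the lab.

```powershell
# Added example, not course code. Run in the Exchange Management Shell on VAN-EX1.
# -Repair is an assumption of this script: it runs iisreset and re-tests.
param(
    [string]$Server = 'VAN-EX1',
    [string]$OwaUrl = 'https://van-ex1.adatum.com/owa',
    [switch]$Repair
)

# 1. Required Exchange services per installed role. ServicesNotRunning is the
#    list to act on; Test-ServiceHealth returns one object per role.
Write-Host "== Service health on $Server =="
$health = Test-ServiceHealth -Server $Server
$health | Format-Table Role, RequiredServicesRunning,
    @{ Name = 'NotRunning'; Expression = { $_.ServicesNotRunning -join ', ' } } -AutoSize
$health | Where-Object { -not $_.RequiredServicesRunning } |
    ForEach-Object { $_.ServicesNotRunning } | Sort-Object -Unique |
    ForEach-Object { Write-Warning "Required service not running: $_" }

# 2. Synthetic OWA logon. The lab uses a self-signed certificate, hence
#    -TrustAnySSLCertificate; Result is Success or Failure, Error holds the detail.
function Test-OwaLogon {
    param([string]$Url, [System.Management.Automation.PSCredential]$Credential)
    $r = Test-OwaConnectivity -URL $Url -MailboxCredential $Credential -TrustAnySSLCertificate
    $r | Format-List ClientAccessServer, MailboxServer, Scenario, Result, Latency, Error
    return $r
}
$cred = Get-Credential -Credential 'Adatum\Administrator'
Write-Host "== Outlook Web App connectivity test =="
$owa = Test-OwaLogon -Url $OwaUrl -Credential $cred

# 3. Configuration review: URLs and authentication settings of the owa vdir.
#    Compare FormsAuthentication/BasicAuthentication/WindowsAuthentication with
#    the authentication users are expected to see, and the URLs with $OwaUrl.
Write-Host "== OWA virtual directory configuration on $Server =="
Get-OwaVirtualDirectory -Server $Server |
    Format-List Identity, InternalUrl, ExternalUrl, FormsAuthentication,
                BasicAuthentication, WindowsAuthentication, Exchange2003Url

# 4. After the configuration has been corrected (Task 5 step 2), restart IIS
#    and repeat the logon test to confirm the fix (Task 6).
if ($Repair) {
    iisreset /noforce
    Write-Host "== Re-test after IISReset =="
    $owa = Test-OwaLogon -Url $OwaUrl -Credential $cred
}
```

A Failure result whose Error mentions the logon page or HTTP 403/404 usually points at the virtual-directory settings reviewed in step 3, whereas a Failure with the service check in step 1 reporting a stopped MSExchangeIS or World Wide Web Publishing service is a service problem, not a configuration problem; running the script before and after the fix gives an objective record of the change.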

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V™ Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.


Module Review and Takeaways

Review Questions

1. Users are reporting issues with sending e-mail to a remote domain. You need to determine the problem and then resolve it. What should you do?

2. Recent organizational growth has resulted in two issues: several memory counters now exceed their recommended thresholds, and so does the average read-latency threshold for the logical disk that stores the page file. What issue should you address first?

3. After reviewing the trend information retrieved from the monitoring system, you noticed that the processor usage for one of the four Mailbox servers is higher than average. What should you do?


Common Issues Related to Troubleshooting Exchange Server Problems

Identify the causes for the following common issues related to troubleshooting Exchange server problems, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Outbound e-mail messages are queuing on the Hub Transport server.
Troubleshooting tip: Always start with the most common problem causes, such as network connectivity and DNS name resolution.

Issue: Multiple sources are simultaneously reporting different problems.
Troubleshooting tip: Gather as much information as possible about each of the reported problems. Although there might be multiple issues, it is likely that you will find a connection between the multiple reported problems.

Issue: Users are reporting slowness or other subjective problems.
Troubleshooting tip: As always, take each report seriously and try to gather as much objective information about the problem as possible. Only then will you reach a suitable and objective solution.

Real-World Issues and Scenarios

1. A company has recently experienced growth because of a popular new product. The company has had numerous Mail server outages and downtime due to undocumented changes. What should the company invest in to ensure that it can support continued growth?

2. A database has gone offline, and the organization needs to troubleshoot the problem. A number of impatient users have mailboxes stored in the offline database. What is the best way to address the situation?

3. An Exchange Server service pack was recently released, and the company has decided to deploy it. What should you do before scheduling the deployment?


Best Practices Related to Troubleshooting Exchange Server Problems

Supplement or modify the following best practices for your own work situations:

• Follow the same steps each time you troubleshoot a problem. This way you get into a habit of making good decisions and finding the answers quickly.

• Be diligent about separating facts about the issue from feelings or other subjective information. A single person’s subjective observation could cause you to troubleshoot the wrong problem and delay resolution of the actual issue.

• Ask a lot of questions about the problem before starting to troubleshoot. If you have not properly defined the problem, you cannot properly target your troubleshooting steps.


Module 12 Upgrading from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010

Contents:

Lesson 1: Overview of Upgrading to Exchange Server 2010 12-4

Lesson 2: Upgrading from Exchange Server 2003 to Exchange Server 2010 12-12

Lesson 3: Upgrading from Exchange Server 2007 to Exchange Server 2010 12-34


Module Overview

Many organizations already use Microsoft® Exchange Server 2003 or Microsoft Exchange Server 2007 to provide messaging services. When these organizations choose to implement Microsoft Exchange Server 2010, they can upgrade the existing Exchange Server organization to Exchange Server 2010. Alternately, they can deploy a parallel Exchange Server organization, and then move mailboxes and other data from one organization to the other.

Most organizations might choose to perform an upgrade because it is significantly easier and results in minimal disruption for the messaging users. This module provides an overview of the options that organizations have when they choose to implement Exchange Server 2010. This module also provides details on how to upgrade an existing Exchange Server 2003 or Exchange Server 2007 organization to Exchange Server 2010.


After completing this module, you will be able to:

• Describe the general Microsoft Exchange Server 2010 upgrade scenarios and strategies.

• Upgrade from Microsoft Exchange Server 2003 to Exchange Server 2010.

• Upgrade from Microsoft Exchange Server 2007 to Exchange Server 2010.


Lesson 1 Overview of Upgrading to Exchange Server 2010

When you decide to implement an Exchange Server 2010 messaging system in your organization, you may need to maintain both your previous messaging system and Exchange Server 2010 until you ensure the new implementation works correctly. While you upgrade the system, users will need to send e-mail and schedule meetings. The Exchange Server 2010 implementation should disrupt normal business processes minimally, if at all.

This lesson describes the options that are available for upgrading existing messaging systems to Exchange Server 2010, and it provides recommendations for when to use each approach.


After completing this lesson, you will be able to:

• Describe the upgrade options for Exchange server.

• Describe the upgrade scenarios that are supported in Exchange Server 2010.

• Explain the various upgrade strategies.


Upgrade Options for Exchange Server

Key Points

Exchange Server 2010 supports several different options for upgrading from other messaging systems.

Exchange Server Upgrade Terminology

The following terminology describes the various upgrade scenarios:

• Upgrade. In this scenario, you upgrade an existing Exchange Server organization to Exchange Server 2010. This is the easiest and least disruptive scenario for integrating Exchange Server-based messaging systems, because the different Exchange Server versions share configuration and recipient information automatically. However, you can implement this option only if your organization is running Exchange Server 2003 or Exchange Server 2007 currently.


• Migration. In this scenario, you upgrade from a non-Exchange Server messaging system to Exchange Server 2010 or from an existing Exchange Server organization to a new Exchange Server organization, without retaining any of the existing organization’s Exchange configuration data.

If you use a migration scenario, it becomes significantly more complicated to configure interoperability, as opposed to configuring coexistence in an upgrade. By default, the two messaging systems share no information. Therefore, you must configure all connections between the systems.

Note: Exchange Server 2010 does not provide any migration tools or connectors to other messaging systems such as Novell GroupWise or Lotus Domino. You can configure Simple Mail Transfer Protocol (SMTP) connectivity between Exchange Server 2010 and messaging systems by using SMTP Send and Receive connectors. However, Exchange Server 2010 does not provide any tools for enabling coexistence or for migrating mailboxes to Exchange Server 2010.

Important: When you perform a migration from one Exchange Server organization to another, you also need to deploy a second Active Directory® Domain Services (AD DS) forest, and then migrate all user accounts to the second forest. Each Exchange Server organization requires a unique Active Directory forest.

• In-Place Upgrade. In this scenario, you upgrade a single computer that is running a previous Exchange Server version to a newer Exchange Server version. Exchange Server 2010 does not support in-place upgrades.


Supported Upgrade Scenarios

Key Points

Upgrading an Exchange Server organization to Exchange Server 2010 is usually the easiest option. Therefore, most organizations choose this path for upgrading their existing Exchange Server deployments. However, this option has several prerequisites.

AD DS Requirements for Upgrading to Exchange Server 2010

To upgrade from a previous Exchange Server version to Exchange Server 2010, you must meet the following AD DS requirements:

• The schema master must be running the Windows Server® 2003 operating system Service Pack 2 or newer.

• At least one global catalog server in each site must be running the Windows Server 2003 operating system Service Pack 2 or newer.


• The Active Directory forest must be at Windows Server 2003 forest-functional level or higher.

• Each Active Directory site must have at least one domain controller and one global catalog server with a writeable AD DS copy. Exchange Server 2010 cannot use the Windows Server 2008 operating system read-only domain controllers (RODCs) or read-only global catalog servers (ROGCs).

Supported Upgrade Deployments

When upgrading an existing Exchange Server organization to Exchange Server 2010, Microsoft supports the following upgrade deployments:

Exchange Server version                                            Exchange organization upgrade
Microsoft Exchange Server 2000                                     Not supported
Exchange Server 2003 Service Pack 2 or newer                       Supported
Exchange Server 2007 Service Pack 2 or newer                       Supported
Mixed Exchange Server 2007 and Exchange Server 2003 organization   Supported

Note: When upgrading from Exchange Server 2007, you must upgrade all of your organization's Exchange Server 2007 servers to Service Pack 2.

Note: Before you install Exchange Server 2010 servers into an existing Exchange Server 2003 organization, you must configure the organization to run in native mode.


Upgrade Strategies

Key Points

When planning an Exchange Server 2010 upgrade, you can choose between several options for the upgrade process. Choosing the best option for your organization depends on your current environment, your organization's requirements for data migration, and your project timeline.

Choosing a Single-Phase or Multiphase Upgrade

Your first choice when planning the upgrade is to decide whether to use a single-phase or multiphase upgrade:

• Single-phase upgrade. In a single-phase upgrade, you replace your existing messaging system with Exchange Server 2010, and move all required data and services to the new system. In a single-phase upgrade, you do not need to plan for an extended period of coexistence between the two systems.

While this upgrade is the fastest option, it also introduces a significant risk if the upgrade fails. This scenario is feasible only for small organizations that must replace just a few servers and that have only a small number of users to migrate.


• Multiphase upgrade with coexistence. In a multiphase upgrade, you upgrade one server or site at a time to Exchange Server 2010. Because you spread this incremental upgrade over a longer period, you decrease your organization’s risk. However, in this scenario, you also must plan for coexistence or interoperability. This is the best approach for medium to large organizations because of their complex messaging requirements.

Coexistence Components

In most coexistence scenarios, you must ensure that users with mailboxes on both messaging systems have access to the following:

• E-mail message flow. When you run two messaging systems, users must be able to send e-mail to other organizational users, and to and from users on the Internet. Message flow should be transparent to users. Users do not need to know, nor should it matter, which messaging system contains the recipient’s mailbox.

• Global Address List (GAL). To simplify the process of sending messages between messaging systems, you must ensure that you synchronize the GAL between the messaging systems.

• Calendar information. To facilitate scheduling of meetings between the two messaging systems, you must ensure that Free/Busy information replicates between the two messaging systems.

• Public folder contents. If the organization stores important information in public folders, you may need to replicate the public-folder contents between the messaging systems.

Note: If you implement an upgrade to Exchange Server 2010, the design of the upgrade process ensures the maintenance of these coexistence components throughout the coexistence.


Lesson 2 Upgrading from Exchange Server 2003 to Exchange Server 2010

Many organizations still use Exchange Server 2003 for their messaging system, and they might not have any plans of upgrading to Exchange Server 2007. Microsoft supports an upgrade from Exchange Server 2003 to Exchange Server 2010 for these organizations. This lesson describes how to upgrade an Exchange Server 2003 organization to Exchange Server 2010.

After completing this lesson, you will be able to:

• Describe how to prepare an Exchange Server 2003 organization for Exchange Server 2010.

• Explain the process for installing Exchange Server 2010 in an Exchange Server 2003 organization.

• Describe how client access works during coexistence.

• Describe how to implement client access.


• Describe the considerations for Microsoft Office Outlook® client coexistence.

• Describe the considerations for message transport coexistence.

• Describe the considerations for administration coexistence.

• Describe the process for removing Exchange Server 2003 from an organization.


Preparing the Exchange Server 2003 Organization for Exchange Server 2010

Key Points

Before you start the upgrade process, you must prepare Active Directory Domain Services (AD DS) for the Exchange Server 2010 deployment. To do this, you must run Exchange Server 2010 setup using the /PrepareLegacyExchangePermissions parameter and the /PrepareAD parameter.

Changes Made by the PrepareLegacyExchangePermissions Setup Parameter

You must run the setup /PrepareLegacyExchangePermissions command so that the Exchange Server 2003 Recipient Update Service functions correctly after you update the Active Directory schema for Exchange Server 2010. In Exchange Server 2003, the Recipient Update Service updates some mailbox attributes, such as the proxy address, on mail-enabled user objects. It can do this because the computer account for the server on which the Recipient Update Service runs is in the Exchange Enterprise Servers group.


When you extend the Active Directory schema in preparation for Exchange Server 2010, the schema is modified so that the server running Recipient Update Services no longer has the required permissions to update the recipient properties. Running setup with the /PrepareLegacyExchangePermissions parameter modifies the permissions to ensure that the server can continue to modify recipient properties.

Note: For more information on the /PrepareLegacyExchangePermissions setup parameter, see the "Preparing Legacy Exchange Permissions" page on the Microsoft TechNet Web site.

Note: You can run Exchange Server 2010 setup with the /PrepareLegacyExchangePermissions parameter on a computer running Windows Server 2008 or newer, or on a computer running the Windows Vista® operating system with SP2 or newer. You must install the prerequisite software on the computer where you run setup. The prerequisite tools are Microsoft .NET Framework 3.5 SP1 or newer, the AD DS management tools, and Microsoft Windows PowerShell™ version 2. The Remote Server Administration Tools for Windows Vista include the AD DS management tools. If you run the command from a computer running Windows Server 2008 R2, all the prerequisite components are installed already, except for Microsoft .NET Framework 3.5 and the Active Directory management tools.

Changes Made by the PrepareAD Parameter

After running setup with the /PrepareLegacyExchangePermissions parameter, you should run setup with the /PrepareAD parameter. This parameter makes the following changes to enable coexistence between Exchange Server versions:

• Creates the Active Directory universal security group, ExchangeLegacyInterop. This group receives permissions that allow the Exchange Server 2003 servers to send e-mail to the Exchange Server 2010 servers.

• Creates the Exchange Server 2010 Administrative Group, which is called Exchange Administrative Group (FYDIBOHF23SPDLT).

• Creates the Exchange Server 2010 Routing Group, which is called Exchange Routing Group (DWBGZMFD01QNBJR).

The PrepareAD command also extends the schema to include the Exchange Server 2010 schema objects and attributes.
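As an added example (not part of the course), the script below runs the two setup steps in the order this topic prescribes and then verifies, with the Active Directory module, that the objects the topic lists were created: the ExchangeLegacyInterop group, the Exchange Administrative Group (FYDIBOHF23SPDLT), the Exchange Routing Group (DWBGZMFD01QNBJR), and the extended schema (read from the rangeUpper value of the ms-Exch-Schema-Version-Pt attribute, which Exchange setup uses to record the schema version). The path to setup.com and the use of the RSAT ActiveDirectory module are assumptions; the object names come from the topic itself.

```powershell
# Added example, not course code. Run as a member of Schema Admins and
# Enterprise Admins on a machine that meets the prerequisites in the Note above.
# $SetupPath is an assumption: the location of the Exchange 2010 media.
param(
    [string]$SetupPath = 'D:\Exchange2010\setup.com'   # assumption
)

# Step 1: keep the Exchange 2003 Recipient Update Service working after the
# schema change. Step 2: extend the schema and create the coexistence objects.
# Order matters: the topic says to run /PrepareLegacyExchangePermissions first.
& $SetupPath /PrepareLegacyExchangePermissions
if ($LASTEXITCODE -ne 0) { throw "PrepareLegacyExchangePermissions failed with exit code $LASTEXITCODE" }

& $SetupPath /PrepareAD
if ($LASTEXITCODE -ne 0) { throw "PrepareAD failed with exit code $LASTEXITCODE" }

# Verification: look for each object the topic says /PrepareAD creates.
Import-Module ActiveDirectory

function Test-ExchangeAdPreparation {
    $root     = Get-ADRootDSE
    $configNC = $root.configurationNamingContext
    $schemaNC = $root.schemaNamingContext

    # Universal security group that lets Exchange 2003 servers send to Exchange 2010.
    $legacyGroup  = Get-ADGroup  -Filter { Name -eq 'ExchangeLegacyInterop' }

    # Administrative group and routing group, both under the Configuration partition.
    $adminGroup   = Get-ADObject -Filter { Name -eq 'Exchange Administrative Group (FYDIBOHF23SPDLT)' } `
                                 -SearchBase $configNC
    $routingGroup = Get-ADObject -Filter { Name -eq 'Exchange Routing Group (DWBGZMFD01QNBJR)' } `
                                 -SearchBase $configNC

    # Schema extension marker. Setup stores the Exchange schema version in
    # rangeUpper of ms-Exch-Schema-Version-Pt; absent = schema not yet extended.
    $schemaAttr   = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
                                 -Properties rangeUpper -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        LegacyInteropGroup     = [bool]$legacyGroup
        LegacyInteropGroupType = if ($legacyGroup) { "$($legacyGroup.GroupScope)/$($legacyGroup.GroupCategory)" } else { $null }
        AdminGroupCreated      = [bool]$adminGroup
        RoutingGroupCreated    = [bool]$routingGroup
        SchemaVersion          = if ($schemaAttr) { $schemaAttr.rangeUpper } else { 'not extended' }
    }
}

$result = Test-ExchangeAdPreparation
$result | Format-List LegacyInteropGroup, LegacyInteropGroupType, AdminGroupCreated, RoutingGroupCreated, SchemaVersion

if (-not ($result.LegacyInteropGroup -and $result.AdminGroupCreated -and $result.RoutingGroupCreated)) {
    Write-Warning 'One or more expected objects are missing; check the setup log (ExchangeSetup.log) before installing servers.'
}
```

Because /PrepareAD writes to the Configuration and Schema partitions, run the verification against the domain controller that holds the schema master, or wait for replication, before concluding that an object is missing. The expected LegacyInteropGroupType for ExchangeLegacyInterop is Universal/Security, matching the topic's description.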


Process for Installing Exchange Server 2010 in an Exchange Server 2003 Organization

Key Points

When deploying Exchange Server 2010 in a supported Exchange Server organization, you must follow a specific process.

Installing Exchange Server 2010

If an organization has only a single Active Directory site, use the following process for deploying Exchange Server 2010:

1. Install the Exchange Server 2010 Client Access server. After you install the Client Access server, you should use this as the primary connection point for all client connections.


2. Install Exchange Server 2010 Hub Transport server. When you install the Hub Transport server in an Exchange Server 2003 environment, it prompts you for the name of an Exchange Server 2003 computer that will be the routing-group bridgehead server between the Exchange Server 2003 routing group and the Exchange Server 2010 routing group.

3. Install the Exchange Server 2010 Mailbox servers. After the rest of the infrastructure is in place, you can deploy the Exchange Server 2010 Mailbox servers, and start moving mailboxes and public folders to the new servers.

Note: If you deploy Exchange Server 2010 in a small or medium organization, and plan to deploy only one or two Exchange Server 2010 servers, you can perform a typical installation and install the Client Access server role, Hub Transport server role, and the Mailbox server role simultaneously.

4. Install Exchange Server 2010 Unified Messaging servers.

5. For organizations with multiple sites, there are typically two types of Active Directory sites: Internet-accessible sites and non-Internet-accessible sites. A single Exchange Server organization may have one or more Internet-accessible sites. When upgrading Active Directory sites, you should upgrade Internet-accessible sites before non-Internet-accessible sites.


How Client Access Works During Coexistence

Key Points

The Client Access server role provides the functionality that a front-end server provided in Exchange Server 2003, and it includes additional functionality. All client connectivity, including Microsoft Office Outlook MAPI connectivity, now goes through the Client Access server role. You must deploy the Client Access server role in every Active Directory site that includes an Exchange Server 2010 Mailbox server.


Client Access During Coexistence

To implement coexistence, you must configure all clients to connect to the Exchange Server 2010 Client Access server. If you have been using an external URL, such as https://mail.contoso.com, to connect to an Exchange Server 2003 front-end server, you should modify the Domain Name System (DNS) or firewall configuration to forward connections to the Exchange Server 2010 Client Access server's URL:

• When a Microsoft Outlook Web App client connects to the Client Access server and the user mailbox is located on an Exchange Server 2003 back-end server, the client redirects to the Exchange Server 2003 URL configured on the Client Access server.

• When an Outlook Web App client connects to the Client Access server and the user mailbox is located on an Exchange Server 2010 Mailbox server, the Client Access server communicates with the Mailbox server to provide access to the user mailbox.

• When an Exchange ActiveSync® client connects to the Client Access server and the user mailbox is located on an Exchange Server 2003 back-end server, the Client Access server connects to the Exchange Server 2003 server using HTTP and provides access to the user mailbox.

• When an Exchange ActiveSync client connects to the Client Access server and the user mailbox is located on an Exchange Server 2010 Mailbox server, the Client Access server connects to the Mailbox server using remote procedure call (RPC) and provides access to the user mailbox.

• When an Outlook Anywhere client connects to the Client Access server, and the user mailbox is located on an Exchange Server 2003 back-end server, the RPC proxy service on the Client Access server connects to the back-end server using RPC.

• When an Outlook Anywhere client connects to the Client Access server, and the user mailbox is located on an Exchange Server 2010 Mailbox server, the RPC proxy service on the Client Access server connects to the Mailbox server using RPC.


Considerations for Client Access During Coexistence

When implementing client access during coexistence, consider the following:

• Whether a user sees the Outlook Web App client of Exchange Server 2003 or Exchange Server 2010 depends on the location of the user’s mailbox. For example, if the user’s mailbox is located on an Exchange Server 2003 back-end server and the Client Access server is running Exchange Server 2010, the user will see the Exchange Server 2003 version of Outlook Web Access.

• The version of Exchange ActiveSync that clients use also depends on the server version that hosts the user’s mailbox. The user’s mailbox must be located on a server that is running Exchange Server 2003 Service Pack 2 or Exchange 2010 to have Direct Push enabled for Exchange ActiveSync.

• You cannot use an Exchange Server 2003 front-end server to access mailboxes on an Exchange Server 2010 Mailbox server.

• The Outlook Web App URL used to access Outlook Web App depends on whether the user’s mailbox is located on an Exchange Server 2003 back-end server or on an Exchange Server 2010 Mailbox server. If the users connect to the /owa virtual directory on the Client Access server, and their mailbox is located on an Exchange Server 2003 server, Exchange Server 2010 redirects their Web browser to the /exchange virtual directory on the Exchange Server 2003 front-end server. If users connect to the /exchange virtual directory on the Client Access server, and their mailbox is located on an Exchange Server 2010 mailbox server, Exchange Server 2010 redirects the client request to the /owa virtual directory.

Important: If you have multiple Exchange Server 2003 servers, you must have an Exchange Server 2003 front-end server deployed. For each Exchange Server 2010 Client Access server, you can only configure one Outlook Web Access 2003 URL for redirection. You can accomplish this with a single Exchange Server 2003 front-end server or a load balanced array of Exchange Server 2003 front-end servers.


Implementing Client Access Coexistence

Key Points

During coexistence, you need to ensure that users have access to their mailboxes on both the Exchange Server 2003 back-end servers and Exchange Server 2010 Mailbox servers. The following steps describe how to enable this:

1. Obtain the required server certificates. To support external client coexistence with the Exchange Server 2010 Client Access server and legacy Exchange server, you may need to acquire a new certificate. You should request a certificate that supports at least the following subject alternative names:

• The primary URL used to access the Exchange 2010 Client Access server.

• The AutoDiscover server name.

• An alternate name for the URL that connects to the Exchange Server 2003 front-end server.


2. Install and configure the Exchange 2010 Client Access server. You should configure the following settings:

• Configure the external name space during or after setup by using the Exchange Management Console or Exchange Management Shell (EMS).

• Configure the Client Access server virtual directories to meet your company requirements.

• Configure the Exchange 2003 URL for Outlook Web App redirection. To do this, use the Set-OwaVirtualDirectory cmdlet with the -Exchange2003Url parameter. For example: Set-OwaVirtualDirectory "LON-EX3\owa*" -Exchange2003Url "https://legacy.contoso.com/exchange".

Note: The Exchange Server 2003 URL must refer to an Exchange Server 2003 front-end server, or to a load balanced array of front-end servers if you have multiple Exchange Server 2003 servers that host mailboxes.

3. Configure DNS. To configure DNS, you should:

• Create the legacy host record, such as legacy.contoso.com, in your external DNS infrastructure, and configure it to reference the Exchange Server 2003 front-end server. This record is required to ensure that the client computers on the Internet can locate the Exchange Server 2003 front-end server when they are redirected to the legacy URL.

• Create the host record for Autodiscover, which is Autodiscover.contoso.com, and configure it to reference the Exchange Server 2010 Client Access server.

• Create or modify the host record for the primary URL, which is mail.contoso.com, and configure it to reference the Exchange Server 2010 Client Access server.

4. If you are using RPC over HTTPS on the Exchange Server 2003 servers, configure the Exchange Server 2003 front-end server to not participate in an Exchange managed RPC-HTTP topology. This is because the Exchange 2010 Client Access server operates as the RPC over HTTPS proxy server rather than the Exchange Server 2003 front-end server. To disable this setting in Exchange System Manager, select the Not part of an Exchange managed RPC-HTTP topology option on the RPC-HTTP tab of the front-end server’s properties.

5. Test all client scenarios, and ensure they function correctly.
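The following Exchange Management Shell script, added here as an example and not part of the course or Microsoft's own material, checks the result of steps 1 to 5 from an Exchange Server 2010 Client Access server. The server name LON-EX3 and the test credentials are assumptions; the host names are the course's sample namespace, and step 4 is an Exchange System Manager setting with no shell equivalent shown here.

```powershell
# Added example, not from the course text: verify the Exchange 2003 / 2010 client
# access coexistence settings from the Exchange Management Shell. $CasServer is an
# assumed server name; the host names are the course's sample namespace.
$CasServer        = "LON-EX3"
$PrimaryName      = "mail.contoso.com"            # primary URL, points at the 2010 CAS
$AutodiscoverName = "autodiscover.contoso.com"    # points at the 2010 CAS
$LegacyName       = "legacy.contoso.com"          # points at the 2003 front-end server
$LegacyOwaUrl     = "https://$LegacyName/exchange"

# Step 1: the certificate bound to IIS must list all three names as subject
# alternative names, otherwise browsers and devices reject the redirected session.
$iisCert = Get-ExchangeCertificate -Server $CasServer |
    Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if ($iisCert -eq $null) {
    Write-Warning "no certificate is enabled for IIS on $CasServer"
} else {
    foreach ($name in $PrimaryName, $AutodiscoverName, $LegacyName) {
        if ($iisCert.CertificateDomains -contains $name) {
            Write-Host ("OK   certificate covers {0}" -f $name)
        } else {
            Write-Warning ("IIS certificate on {0} does not cover {1}" -f $CasServer, $name)
        }
    }
    if ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning ("IIS certificate expires on {0}" -f $iisCert.NotAfter)
    }
}

# Step 2: set the Exchange 2003 redirection URL on every OWA virtual directory of
# the Client Access server, then read the stored values back.
Get-OwaVirtualDirectory -Server $CasServer |
    Set-OwaVirtualDirectory -Exchange2003Url $LegacyOwaUrl
Get-OwaVirtualDirectory -Server $CasServer |
    Format-Table Identity, ExternalUrl, Exchange2003Url -AutoSize

# Step 3: every host record must resolve, and the legacy name must not resolve to
# the same address as the primary name, or redirected 2003 users land on the 2010
# server again instead of on the front-end server. Run this from a host that uses
# the external resolver, since the redirection is followed by Internet clients.
$resolved = @{}
foreach ($name in $PrimaryName, $AutodiscoverName, $LegacyName) {
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($name) | Select-Object -First 1
        $resolved[$name] = $addr.IPAddressToString
        Write-Host ("OK   {0} -> {1}" -f $name, $resolved[$name])
    } catch {
        Write-Warning ("{0} does not resolve: {1}" -f $name, $_.Exception.Message)
    }
}
if ($resolved[$LegacyName] -and ($resolved[$LegacyName] -eq $resolved[$PrimaryName])) {
    Write-Warning "legacy and primary names resolve to the same address"
}

# Step 5: run the built-in client scenario tests with a test mailbox. Run once with
# a mailbox on a 2003 back-end server and once with a mailbox on 2010, so both the
# redirection path and the direct path are exercised.
$cred = Get-Credential
Test-OwaConnectivity -URL "https://$PrimaryName/owa" -MailboxCredential $cred -TrustAnySSLCertificate |
    Format-List Scenario, Result, Latency, Error
Test-ActiveSyncConnectivity -URL "https://$PrimaryName/Microsoft-Server-ActiveSync" `
    -MailboxCredential $cred -TrustAnySSLCertificate |
    Format-List Scenario, Result, Latency, Error
```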


Considerations for Outlook Client Coexistence

Key Points

Exchange Server 2003 and Outlook 2003 or earlier clients require system public folders to provide access to free/busy information and to enable offline clients to download the offline address book. Exchange Server 2010 and Outlook 2007 or newer clients do not use public folders to provide this functionality. As you upgrade your Exchange Server organization, you need to ensure that all messaging clients continue to have access to the services they require.

Maintaining Free/Busy Information

Exchange Server 2003 collects free/busy information from all mailboxes and stores it in the SCHEDULE+ FREE BUSY system public folder. In Exchange Server 2010, the Availability service collects availability information from Exchange Server 2010 Mailbox servers and from the Exchange Server 2003 system public folders.

Outlook 2003 or earlier clients require the system public folders to access the free/busy information. Outlook 2007 or newer clients can use the Availability service on a Client Access server to access this information.


If your organization includes Outlook 2003 clients, you need to retain the SCHEDULE+ FREE BUSY system public folder for these clients. When you install the first Exchange Server 2010 Mailbox server in an organization that includes Exchange Server 2003 servers, you configure a public-folder database on the server. You then can replicate the SCHEDULE+ FREE BUSY system public folder to the Exchange Server 2010 server.

Maintaining Access to the Offline Address List

Another difference between Exchange Server 2003 and Exchange Server 2010 is the method that they use to distribute the offline address book to Outlook 2007 clients. In Exchange Server 2003, a system folder stores the offline address book, and clients must connect to the folder to download it. Outlook 2007 clients connecting to an Exchange Server 2007 Client Access server use a Web service to download the offline address book.

In an Exchange Server 2003 organization, one of the Exchange servers performs daily updates of the offline address book. When you deploy an Exchange Server 2010 Mailbox server in your organization, you can use the Exchange Server 2010 management tools to move this role to a server running Exchange Server 2010. You will also need to configure the offline address book so that it is distributed through the Exchange Web service.

If your organization includes Outlook 2003 clients, you need to ensure that you create a replica, on the Exchange Server 2010 mailbox server, of the system folders for the offline address book.

Maintaining Public Folder Availability

Another issue that may arise in a coexistence scenario is public-folder access. You must consider how users access public folders and provide access between Active Directory sites when designing the access solution for public folders.

In Exchange Server 2010, public folders are accessible only to users with an Outlook client using MAPI or Outlook Web App. Also, public folder contents for users with Exchange Server 2010 mailboxes are only accessible through Outlook Web App if a replica of the public folder is located on an Exchange 2010 Mailbox server. Previous Exchange Server versions provided access to public folders to MAPI, Outlook Web Access, Internet Message Access Protocol version 4rev1 (IMAP4), and Network News Transfer Protocol (NNTP) clients. If you have users that access public folders using these clients, maintain a replica of the public folders on an Exchange 2003 server.


Another consideration when designing a coexistence strategy for public folders is providing access to public-folder replicas between Active Directory sites. When you install a server running Exchange Server 2003, the default configuration includes a public-folder store. When you install an Exchange Server 2010 Mailbox server, it does not configure a public-folder database by default.

If users require access to public folders in an Active Directory site that does not contain any Exchange Server 2003 servers, then configure at least one of the site’s Mailbox servers with a public-folder database. After adding the public-folder database to the Exchange 2010 server, you can replicate any public folder between servers running Exchange Server 2003 and the Exchange Server 2010 Mailbox server.

Exchange Server 2010 by default enables public-folder referrals between Active Directory sites for MAPI clients. It also enables public-folder referrals across the routing-group connector that is created by default when you install the organization’s first Hub Transport server. You can enable or disable public-folder referrals across the connectors as you create additional routing-group connectors.


Considerations for Message Transport Coexistence

Key Points

To support coexistence between different Exchange versions, all servers running Exchange Server 2010 are added automatically to a single routing group when you install Exchange Server 2010. The Exchange System Manager in Exchange Server 2003 or Exchange 2000 Server recognizes the Exchange Server 2010 routing group as Exchange Routing Group (DWBGZMFD01QNBJR) within Exchange Administrative Group (FYDIBOHF23SPDLT). The Exchange Server 2010 routing group includes all Exchange Server 2010 servers, regardless of the Active Directory site in which they reside.

Important: You never should modify the default configuration for the Exchange Server 2010 routing group. Exchange Server 2010 does not support moving servers from this routing group to another, renaming the Exchange Server 2010 routing group, or manually adding Exchange 2003/2000 Servers to the Exchange Server 2010 routing group.


Installing Exchange Server 2010 Hub Transport Servers

When you install the first Exchange Server 2010 Hub Transport server in an existing Exchange organization, you must specify an Exchange Server 2003 bridgehead server that will operate as the first routing-group connector’s bridgehead server. The routing-group connector links the routing group where the Exchange Server 2003 server resides with the Exchange Server 2010 routing group.

The Hub Transport server that you are installing, and the Exchange Server 2003 bridgehead that you select, are configured as the source and target servers on two reciprocal routing-group connectors. This routing-group connector creates a single connection point between Exchange Server 2003 and Exchange Server 2010.

Message Flow During Coexistence

When you have mailboxes located on both Exchange Server 2010 and Exchange Server 2003 servers, all messages that you send between the Exchange Server versions travel across the routing-group connector that is created when you install the first Hub Transport server. For example, if a user with a mailbox on an Exchange Server 2003 server sends a message to a user with a mailbox on an Exchange Server 2010 server, the message is sent using the following process:

1. The Exchange 2003 server that hosts the mailbox sends the message to the Exchange Server 2003 bridgehead server that you configure on the routing-group connector.

2. The Exchange 2003 bridgehead server sends the message to the Exchange Server 2010 Hub Transport server that is the bridgehead server on the routing-group connector.

3. The Exchange Server 2010 Hub Transport server sends the message to the Exchange 2010 Mailbox server hosting the user mailbox.


Optimizing Message Routing Between the Messaging Systems

When you install the first Hub Transport server in the existing Exchange organization, this enables message routing between the two messaging systems. However, all messages flow through the single routing-group connector that you configure during installation. When configuring the message routing topology, you should consider:

• Adding additional Hub Transport and Exchange Server 2003 servers as bridgehead servers to the default routing-group connector.

• If your organization has multiple locations and multiple routing groups, you should create additional routing-group connectors to optimize message routing.

To optimize message routing, consider creating a new routing-group connector in each routing group as you deploy a Hub Transport server in the corresponding Active Directory sites. This enables you to send messages between the messaging systems, without routing them to another company location. You must use Exchange Management Shell to manage routing-group connectors.

• If you implement multiple routing-group connectors between the two Exchange Server versions, you also must suppress link-state updates on Exchange Server 2003. Servers running Exchange Server 2003 maintain a link-state routing table that determines a message’s routing inside the organization. If a particular routing group is inaccessible by using the lowest cost route, the routing group master updates the link-state table to show the link’s state as down.

Exchange Server 2010 Hub Transport servers do not use link-state routing, and Exchange Server 2010 cannot propagate link-state updates.

You should suppress link-state updates for each server running Exchange Server 2003 or Microsoft Exchange 2000 Server. This enables the servers that are running Exchange Server 2003 to queue at the failure point rather than recalculating the route.

Note: For more information on configuring link-state updates, see the “How to Suppress Link State Updates” page on the Microsoft TechNet Web site.
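The following Exchange Management Shell script is an added example, not course or Microsoft material, covering the two routing-topology considerations above: it adds bridgeheads to the connector pair created by setup, creates a second connector pair for another site, and checks that every connector has a reciprocal. All server and site names are assumptions; the routing group identifier is the one the lesson names.

```powershell
# Added example, not from the course text: extend and verify the routing-group
# connectors between Exchange 2003 routing groups and the Exchange 2010 routing
# group. Server and site names are assumed.
$FirstHub    = "LON-HUB1"               # Hub Transport server installed first (on the default pair)
$LondonHubs  = "LON-HUB1", "LON-HUB2"   # 2010 Hub Transport servers in the London site
$London2003  = "LON-EX1", "LON-EX2"     # 2003 bridgehead servers in the London routing group
$NewYorkHubs = "NYC-HUB1"               # 2010 Hub Transport server in the New York site
$NewYork2003 = "NYC-EX1"                # 2003 bridgehead server in the New York routing group
$Rg2010      = "*DWBGZMFD01QNBJR*"      # fixed name of the Exchange 2010 routing group

# Each direction is a separate connector object; the default pair is recognisable
# by the first Hub Transport server on one of its ends.
$defaultPair = Get-RoutingGroupConnector | Where-Object {
    ("$($_.SourceTransportServers)" -like "*$FirstHub*") -or
    ("$($_.TargetTransportServers)" -like "*$FirstHub*")
}

# Consideration 1: more bridgeheads on both ends of the default pair, so a single
# server on either side is no longer the only path. Which servers are the source
# depends on the connector's direction.
foreach ($rgc in $defaultPair) {
    if ("$($rgc.SourceRoutingGroup)" -like $Rg2010) {
        # 2010 -> 2003 direction
        Set-RoutingGroupConnector -Identity $rgc.Identity `
            -SourceTransportServers $LondonHubs -TargetTransportServers $London2003
    } else {
        # 2003 -> 2010 direction
        Set-RoutingGroupConnector -Identity $rgc.Identity `
            -SourceTransportServers $London2003 -TargetTransportServers $LondonHubs
    }
}

# Consideration 2: a connector pair for the New York site so that mail between the
# two systems in New York does not travel through London. -Bidirectional creates
# both directions at once; public-folder referrals are enabled across it.
New-RoutingGroupConnector -Name "New York RGC" `
    -SourceTransportServers $NewYorkHubs -TargetTransportServers $NewYork2003 `
    -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true

# Verification: a connector without a reciprocal one leaves mail flowing only one
# way between that routing group and Exchange 2010.
$all = @(Get-RoutingGroupConnector)
foreach ($rgc in $all) {
    $reverse = $all | Where-Object {
        ("$($_.SourceRoutingGroup)" -eq "$($rgc.TargetRoutingGroup)") -and
        ("$($_.TargetRoutingGroup)" -eq "$($rgc.SourceRoutingGroup)")
    }
    if (-not $reverse) {
        Write-Warning ("{0}: no connector in the reverse direction" -f $rgc.Name)
    }
}
$all | Format-Table Name, SourceTransportServers, TargetTransportServers, Cost, `
    PublicFolderReferralsEnabled -AutoSize

# With more than one connector pair in place, link-state updates must be suppressed
# on every Exchange 2003/2000 server as described in the TechNet article the note
# refers to; that is a per-server change, not an Exchange Management Shell setting.
```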


Considerations for Administration Coexistence

Key Points

As you perform the upgrade to Exchange Server 2010, you also must plan for continued administration of the organization.

Comparing Administrator Delegation

Exchange Server 2003 provides predefined security roles for delegating Exchange administrative permissions. These roles are a collection of standardized permissions that you can apply at either the organizational or administrative group level. In Exchange Server 2003, there is no clear separation between administration of users and groups by the Windows Active Directory administrators and Exchange recipient administrators.

Exchange Server 2010 uses Role-Based Access Control (RBAC) to assign permissions. You can use RBAC to restrict the EMS cmdlets that users can run and the attributes that they can modify. RBAC provides you with significantly more flexibility in assigning permissions than what was available in Exchange Server 2003.


Replicating Exchange Administrative Designs

Due to the design differences of administrative permissions in Exchange Server 2010 compared to previous Exchange versions, you cannot directly replicate the Exchange Server 2003 administrative design in Exchange Server 2007. One of the main differences that you need to plan for is that Exchange Server 2010 does not use administrative groups for delegating permissions.

The following table describes some options for creating an Exchange Server 2010 administrative design that emulates an Exchange Server 2003 design:

Each entry lists the Exchange Server 2003 administrative option followed by its Exchange Server 2010 equivalent:

• Exchange Server 2003: Assign Exchange Full Administrator role at the organization level. Exchange Server 2010: Add users or groups to the Exchange Organization Administrator role group.

• Exchange Server 2003: Assign Exchange Administrator role at the organization level. Exchange Server 2010: There is no role group equivalent to the Exchange Administrator role. You can create a role group and assign the required permissions through RBAC.

• Exchange Server 2003: Assign Exchange View Administrator role at the organization level. Exchange Server 2010: Add users or groups to the Exchange View-Only Administrator role.

• Exchange Server 2003: Assign Exchange Full Administrator role at the administrative group level. Exchange Server 2010: Create a new role group that is assigned all management roles, but with a limited scope.

• Exchange Server 2003: Assign Exchange View Administrator role at the administrative group level. Exchange Server 2010: Create a new role group with View-Only permissions and a limited scope.

• Exchange Server 2003: Assign recipient administrators the Exchange View Administrator role and Active Directory permissions. Exchange Server 2010: Add users and groups to the Exchange Recipient Administrator role group.
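As an added example, not course or Microsoft material, the following Exchange Management Shell script builds the scoped role groups that the administrative-group rows of the table describe, then verifies the resulting assignments. The site name, server names, OU and security group names are assumptions.

```powershell
# Added example, not from the course text: Exchange 2010 role groups standing in for
# the administrative-group-level roles of Exchange 2003. Names below are assumed.
$Site        = "London"
$SiteServers = "LON-EX1", "LON-EX2"                  # 2010 servers that replace the 2003 administrative group
$SiteOu      = "contoso.com/London"                  # OU that holds the site's recipients
$FullAdmins  = "CONTOSO\London Exchange Admins"      # existing universal security groups to delegate to
$ViewOnly    = "CONTOSO\London Exchange Readers"
$RcptAdmins  = "CONTOSO\London Recipient Admins"

# Exchange 2003 bounded permissions by administrative group; Exchange 2010 bounds a
# role assignment with a configuration write scope (a server list) and a recipient
# write scope (recipients under an OU). Both scopes are created once and reused.
New-ManagementScope -Name "$Site Servers" -ServerList $SiteServers
New-ManagementScope -Name "$Site Recipients" -RecipientRoot $SiteOu `
    -RecipientRestrictionFilter { Name -like "*" }

# Full Administrator at the administrative group level: start from the roles held
# by Organization Management, dropping the unscoped role-delegation role, which
# cannot be assigned with a custom write scope.
$allRoles = (Get-RoleGroup "Organization Management").Roles |
    Where-Object { $_ -notlike "Unscoped*" }
New-RoleGroup -Name "$Site Full Administrators" -Roles $allRoles `
    -CustomConfigWriteScope "$Site Servers" -CustomRecipientWriteScope "$Site Recipients" `
    -Members $FullAdmins `
    -Description "Emulates Exchange Full Administrator for the $Site administrative group"

# View Administrator at the administrative group level. Custom scopes bound write
# actions only; the view-only roles' implicit read scope stays organization-wide,
# so members can still read configuration and recipients outside the site.
New-RoleGroup -Name "$Site View-Only Administrators" `
    -Roles "View-Only Configuration", "View-Only Recipients" `
    -CustomConfigWriteScope "$Site Servers" -CustomRecipientWriteScope "$Site Recipients" `
    -Members $ViewOnly

# Recipient administrators: the built-in Exchange 2010 role group for this is named
# Recipient Management.
Add-RoleGroupMember -Identity "Recipient Management" -Member $RcptAdmins

# Verification: every assignment of the full-administrator group should carry the
# site scopes; an assignment without them would grant organization-wide writes.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee "$Site Full Administrators")
$assignments | Format-Table Role, CustomConfigWriteScope, CustomRecipientWriteScope -AutoSize
$unscoped = $assignments | Where-Object {
    (-not $_.CustomConfigWriteScope) -and (-not $_.CustomRecipientWriteScope)
}
if ($unscoped) {
    Write-Warning ("{0} assignment(s) of '{1} Full Administrators' have no custom write scope" `
        -f @($unscoped).Count, $Site)
}
```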


Using Administrative Tools in a Coexistence Scenario

In addition to planning permissions delegation in Exchange Server 2010, you also must consider the administrative tools for the different Exchange Server versions. You must use Exchange Server 2010 administration tools to manage all Exchange Server 2010 settings. After installing an Exchange Server 2010 server, you should configure any global settings using Exchange Server 2010 tools.

To manage Exchange Server 2003 settings, you need to use the Exchange System Manager. You also can manage recipients with mailboxes on Exchange Server 2003 servers by using Active Directory Users and Computers.


Process for Removing Exchange Server 2003 from the Organization

Key Points

After you deploy the Exchange Server 2010 servers in the Exchange Server 2003 organization, you can start moving the mailboxes and other resources from the existing servers to the Exchange 2010 servers. Then you can start removing the Exchange 2003 servers.

Moving Resources to Exchange Server 2010 Servers

After you deploy the Exchange Server 2010 servers, you can move the following resources to the new servers:

• Mailboxes. You can move mailboxes from Exchange Server 2003 SP2 to Exchange Server 2010. Perform the move using the Exchange Management Console or EMS move request cmdlets. You cannot use the Exchange System Manager on the Exchange Server 2003 server to move the mailbox. When you perform the move, the mailbox will be offline and end users will not be able to access their mailboxes. Exchange Server 2003 does not have resource mailboxes.


• Public folders. If you require system folders or other public folders after the upgrade, create replicas of the public folders on the Exchange 2010 server hosting the public-folder database. Wait for replication to complete, and then remove the replicas on the Exchange Server 2003 servers.

• Message transport connectors. When you deploy Exchange Server 2010 servers in the Exchange Server 2003 organization, all Internet messages continue to flow through the Exchange Server 2003 SMTP connectors. To move this functionality to the Exchange Server 2010 servers, create new SMTP Send and Receive connectors on the Exchange Server 2010 Hub Transport servers. Then modify the cost for the Exchange Server 2003 SMTP connectors so that the Exchange Server 2010 Send connectors have a lower cost. Also, configure the external MX records, or the SMTP gateway server to forward all messages to the Exchange Server 2010 Hub Transport server. Test the message flow using the new connectors, and then remove the SMTP connectors on the Exchange Server 2003 servers.

• Offline Address Book generation server. You can use the Exchange Management Console to configure the Exchange 2010 Mailbox server as the offline address book generation server. You also should enable Web distribution of the offline address book.
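The following Exchange Management Shell script, added as an example and not taken from the course or from Microsoft, performs the four resource moves listed above for one Exchange Server 2003 server and checks each before moving on. Server, database, connector and virtual directory names are assumptions, and the external test address is a placeholder; raising the cost of the Exchange Server 2003 SMTP connectors is done in Exchange System Manager and is not shown.

```powershell
# Added example, not from the course text: move resources from an Exchange 2003
# server to Exchange 2010 and check each step. Names below are assumed.
$LegacyServer = "LON-EX1"                         # Exchange 2003 back-end server being emptied
$TargetDb     = "MailboxDB01"                     # Exchange 2010 mailbox database
$PfServer     = "LON-MBX1"                        # 2010 Mailbox server with the public-folder database
$HubServer    = "LON-HUB1"                        # 2010 Hub Transport server for the Internet connectors
$OabVdir      = "LON-EX3\OAB (Default Web Site)"  # OAB virtual directory on the 2010 Client Access server
$Batch        = "LON-EX1-wave1"

# Mailboxes: a move from 2003 is offline for the user, so run the batch outside
# working hours and track it until every request has finished one way or the other.
Get-Mailbox -Server $LegacyServer -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $TargetDb -BatchName $Batch
do {
    Start-Sleep -Seconds 60
    $stats = @(Get-MoveRequest -BatchName $Batch | Get-MoveRequestStatistics)
    $stats | Format-Table DisplayName, Status, PercentComplete, TotalMailboxSize -AutoSize
} while ($stats | Where-Object { ("$($_.Status)" -notlike "Completed*") -and ("$($_.Status)" -ne "Failed") })
$stats | Where-Object { "$($_.Status)" -eq "Failed" } |
    ForEach-Object { Write-Warning ("move of {0} failed: {1}" -f $_.DisplayName, $_.Message) }

# Public folders: add a replica of every folder, including the system folders that
# Outlook 2003 still needs, on the 2010 database. Replicas on 2003 are removed only
# after the item counts on the new server show replication has caught up.
& "$exscripts\AddReplicaToPFRecursive.ps1" -TopPublicFolder "\" -ServerToAdd $PfServer
& "$exscripts\AddReplicaToPFRecursive.ps1" -TopPublicFolder "\NON_IPM_SUBTREE" -ServerToAdd $PfServer
Get-PublicFolderStatistics -Server $PfServer |
    Format-Table Name, ItemCount, LastModificationTime -AutoSize

# Message transport: an Internet Send connector on the Hub Transport server and
# anonymous inbound SMTP on its default Receive connector, then a mail flow test.
# Only after this succeeds are the external MX records or the SMTP gateway pointed
# at the Hub Transport server and the 2003 SMTP connectors removed.
New-SendConnector -Name "Internet (Exchange 2010)" -Usage Internet -AddressSpaces "SMTP:*;1" `
    -SourceTransportServers $HubServer -DNSRoutingEnabled $true
Set-ReceiveConnector -Identity "$HubServer\Default $HubServer" `
    -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Test-Mailflow -Identity $PfServer -TargetEmailAddress "mailflow-test@example.com" |   # placeholder address
    Format-List TestMailflowResult, MessageLatencyTime

# Offline address book: generate it on the 2010 Mailbox server and publish it through
# the OAB virtual directory; public-folder distribution stays on while Outlook 2003
# clients remain, since they cannot use Web distribution.
Move-OfflineAddressBook -Identity "Default Offline Address Book" -Server $PfServer
Set-OfflineAddressBook -Identity "Default Offline Address Book" `
    -VirtualDirectories $OabVdir -PublicFolderDistributionEnabled $true
Update-OfflineAddressBook -Identity "Default Offline Address Book"
Get-OfflineAddressBook -Identity "Default Offline Address Book" |
    Format-List Server, VirtualDirectories, WebDistributionEnabled, PublicFolderDistributionEnabled
```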

Removing Exchange Server 2003 Servers

As you move mailboxes and message delivery to the Exchange Server 2010 servers, you can start removing the previous Exchange Server versions. We recommend the following process for removing Exchange Server 2003 servers:

1. Remove back-end servers first.

2. Remove the Exchange Server 2003 bridgehead servers. After you remove the last mailbox server in a routing group, you also can remove the routing group’s bridgehead servers.

To send e-mail to the Exchange Server 2010 Mailbox servers, you must configure at least one Exchange Server 2003 server as the routing-group connector’s bridgehead server between Exchange 2003 and the Exchange 2010 routing group. Do not remove this server until the last user and required system mailboxes are moved to the Exchange Server 2010 servers.

3. Remove the Exchange Server 2003 front-end servers.


Lesson 3 Upgrading from Exchange Server 2007 to Exchange Server 2010

The second scenario for upgrading to Exchange Server 2010 is for organizations that are running Exchange Server 2007 currently. This scenario’s upgrade process is similar to upgrading from Exchange Server 2003, but there are some important differences. This lesson describes how to complete the upgrade from Exchange Server 2007 to Exchange Server 2010.

After completing this lesson, you will be able to:

• Explain the process for installing Exchange Server 2010 in an Exchange Server 2007 organization.

• Describe how client access works during coexistence.

• Describe how to implement client access.


• Describe the considerations for message transport coexistence.

• Describe the considerations for administration coexistence.

• Describe the process for removing Exchange Server 2007 from an organization.


Process for Installing Exchange Server 2010 in an Exchange Server 2007 Organization

Key Points

Complete the following steps to deploy Exchange Server 2010 servers in an Exchange Server 2007 organization:

1. Update all of the Exchange Server 2007 servers to Service Pack 2. Exchange Server 2010 setup checks the server versions of all Exchange servers and the requirement checks fail if a server is not upgraded. Exchange Server 2007 SP2 includes several schema updates that are required for interoperability with Exchange Server 2010.

If an organization only has a single Active Directory site, use the following process for deploying Exchange Server 2010.

2. Install the Exchange Server 2010 Client Access server. After you complete this installation, you should use this as the primary connection point for all client connections. This means that you should modify the AutoDiscover settings, both internally and externally, to point to the Exchange Server 2010 Client Access server.


Note: Later sections of this lesson include more information on how to configure the client-access settings, including the Autodiscover settings.

3. Install the Exchange Server 2010 Hub Transport server. Both Exchange Server 2007 and Exchange Server 2010 Mailbox servers must use a Hub Transport server that is the same version as the Mailbox server for routing messages in the same site.

4. Install Exchange Server 2010 Unified Messaging servers. If you have deployed Unified Messaging in Exchange Server 2007, add the Exchange Server 2010 UM Server to one of your organization’s dial plans.

5. Install the Exchange Server 2010 Mailbox servers. After the rest of the infrastructure is in place, you can deploy the Exchange Server 2010 Mailbox servers, and start moving mailboxes and public folders to the new servers.

6. Install the Exchange Server 2010 Edge Transport servers. Exchange Server 2010 Edge Transport servers can synchronize only with Exchange Server 2010 Hub Transport servers.

For organizations with multiple sites, there typically are two types of Active Directory sites: Internet-accessible sites, and non-Internet accessible sites. A single Exchange Server organization may have one or more Internet-accessible sites. When upgrading Active Directory sites, you must begin your upgrade by upgrading Internet-accessible sites first, followed by non-Internet accessible sites.

You should follow the same process for deploying Exchange 2010 servers in both Internet accessible and non-Internet accessible sites. Before deploying any Exchange Server 2010 Mailbox server in a site, you must deploy Exchange Server 2010 Client Access and Hub Transport servers.


How Client Access Works During Coexistence

Key Points

The Client Access server role in Exchange Server 2010 has changed significantly from the Client Access server in Exchange Server 2007. The most important change is that all client connectivity, including Outlook MAPI connectivity, now goes through the Client Access server role.

Client Access During Coexistence

After you deploy the Exchange Server 2010 Client Access and Mailbox servers, the way in which non-MAPI clients access user mailboxes depends on the type of client and on the location of the user mailbox.

To implement coexistence, you must configure all clients to connect to the Exchange Server 2010 Client Access server. If you have been using an external URL, such as https://mail.contoso.com, to connect to an Exchange Server 2007 Client Access server, you should modify the DNS or firewall configuration to forward connections to the Exchange Server 2010 Client Access server’s URL.


• When an Outlook Web App client connects to the Client Access server, and the user mailbox is located on an Exchange 2007 Mailbox server, the Autodiscover service on the Exchange Server 2010 Client Access server redirects the client to the external URL that you configure on the Exchange Server 2007 Client Access server.

• When an Exchange ActiveSync client connects to the Client Access server, and the user mailbox is located on an Exchange 2007 Mailbox server, the process depends on whether the mobile device supports Autodiscover:

• If the device does not support Autodiscover, the Exchange Server 2010 Client Access server proxies the client request to the Exchange Server 2007 Client Access server using HTTPS, and then the Exchange Server 2007 Client Access server connects to the Exchange Server 2007 Mailbox server and provides access to the user mailbox.

• If the mobile client does support Autodiscover, the Autodiscover service on the Exchange Server 2010 Client Access server redirects the client to use the external URL configured on the Exchange Server 2007 Client Access server.

• When an Exchange ActiveSync client connects to the Client Access server, and the user mailbox is located on an Exchange 2010 Mailbox server, the Client Access server connects to the Mailbox server using RPC and provides access to the user mailbox.

• When an Outlook Anywhere client connects to the Client Access server, and the user mailbox is located on an Exchange Server 2007 Mailbox server, the RPC proxy service on the Client Access server connects to the back-end server using RPC.

• When an Outlook Anywhere client connects to the Client Access server, and the user mailbox is located on an Exchange 2010 Mailbox server, the RPC proxy service on the Client Access server connects to the back-end server using RPC.

• If the user mailbox is on an Exchange Server 2007 Mailbox server in a different Active Directory site, the Exchange Server 2010 Client Access server always proxies the client requests. For Outlook Web App and Exchange ActiveSync clients, the Client Access server proxies the requests using HTTP to an Exchange Server 2007 Client Access server. For Outlook Anywhere clients, the Client Access server proxies the request using RPC to an Exchange Server 2007 Mailbox server.

MCT USE ONLY. STUDENT USE PROHIBITED

12-40 Configuring, Managing and Troubleshooting Microsoft® Exchange Server 2010

• When a MAPI client connects to the user mailbox, and the user mailbox is on an Exchange Server 2007 server, the MAPI client connects directly to the Mailbox server. If the user mailbox is on an Exchange Server 2010 server, the MAPI client connects to an Exchange 2010 Client Access server.

Note: When you move a user mailbox from an Exchange Server 2007 Mailbox server to an Exchange Server 2010 Mailbox server, the client profile is configured automatically to use the Exchange Server 2010 Client Access server for MAPI connectivity. You do not need to modify the client profile manually.

Considerations for Client Access During Coexistence

When implementing client access during coexistence, consider the following:

• Whether a user sees the Outlook Web App client of Exchange Server 2007 or Exchange Server 2010 depends on the location of the user’s mailbox. For example, if the user’s mailbox is located on an Exchange Server 2007 Mailbox server and the Client Access server is running Exchange 2010, the user sees the Exchange Server 2007 version of Outlook Web Access.

• You cannot use an Exchange Server 2007 Client Access server to access mailboxes on Exchange Server 2010 Mailbox server.


Upgrading from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010 12-41

Implementing Client Access Coexistence

Key Points

During coexistence, you need to ensure that users with mailboxes on both Exchange Server 2007 Mailbox servers and Exchange Server 2010 Mailbox servers can access their mailboxes. The following steps describe how to enable this:

1. Obtain the required server certificates. To support external client coexistence with the Exchange Server 2010 Client Access server and legacy Exchange servers, you may need to acquire a new certificate. You should request a certificate that supports at least the following Subject Alternative Names:

• The primary URL to use to access the Exchange 2010 Client Access server.

• The AutoDiscover server name.

• An alternate name for the URL to use to connect to the Exchange 2007 Client Access server.

Note: The Exchange Server 2010 Client Access server requires this certificate, but you might also install the same certificate on the Exchange 2007 Client Access server. The Exchange Server 2007 Client Access server requires a certificate with subject alternative names that include the alternate name, legacy.contoso.com, and the Autodiscover server name.

2. Install and configure the Exchange Server 2010 Client Access server. You should configure the external namespace during or after setup by using the Exchange Management Console or EMS.

3. Modify the external URLs on the Exchange Server 2007 Client Access server to use the alternate name. If you are using legacy.contoso.com as the alternate name, configure this as the external URL for the Outlook Web App, Offline Address Book, Unified Messaging, Web Services and Exchange ActiveSync virtual directories.

4. Configure DNS. To configure DNS, you should:

• Create the legacy host record, which is legacy.contoso.com, in your external DNS infrastructure, and configure it to reference the Exchange Server 2007 Client Access server.

• Create or modify the host record for Autodiscover, which is Autodiscover.contoso.com, and configure it to reference the Exchange 2010 Client Access server.

• Create or modify the host record for the primary URL, which is mail.contoso.com, and configure it to reference the Exchange Server 2010 Client Access server.

5. If you use Outlook Anywhere on the Exchange Server 2007 servers, disable Outlook Anywhere on the Exchange Server 2007 Client Access server. When you implement Outlook Anywhere on the Exchange Server 2010 Client Access server, it proxies the Outlook Anywhere client requests directly to the Exchange Server 2007 Mailbox server.

6. Test all client scenarios, and ensure they function correctly.
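The six steps above, expressed as Exchange Management Shell commands. This is an added example and not part of the course; the server names (EX2010CAS, EX2007CAS), the DNS server name (DNS01), the IP addresses (203.0.113.x) and the certificate request path are assumed placeholders, while the contoso.com host names are the ones the text uses. Steps 1, 2, 5 and 6 run in the Exchange 2010 Management Shell; step 3 runs in the Exchange 2007 Management Shell.

```powershell
# Added example (not from the course). Placeholders: EX2010CAS, EX2007CAS, DNS01,
# 203.0.113.x addresses and the C:\certreq paths. Host names come from the text.

# --- Step 1: request one certificate whose Subject Alternative Names cover the primary URL,
# the Autodiscover name and the legacy name (a SAN certificate, not a wildcard).
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.contoso.com, O=Contoso, C=US" `
    -DomainName mail.contoso.com, autodiscover.contoso.com, legacy.contoso.com `
    -KeySize 2048 -PrivateKeyExportable $true -FriendlyName "Contoso CAS coexistence"
Set-Content -Path "C:\certreq\cas-coexistence.req" -Value $req
# After the CA issues the certificate, import it and bind it to IIS on the 2010 Client Access server.
Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\certreq\issued.cer" -Encoding Byte -ReadCount 0)) |
    Enable-ExchangeCertificate -Services IIS

# --- Step 2: external namespace on the Exchange 2010 Client Access server.
Set-OwaVirtualDirectory         -Identity "EX2010CAS\owa (Default Web Site)" -ExternalUrl "https://mail.contoso.com/owa"
Set-EcpVirtualDirectory         -Identity "EX2010CAS\ecp (Default Web Site)" -ExternalUrl "https://mail.contoso.com/ecp"
Set-ActiveSyncVirtualDirectory  -Identity "EX2010CAS\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl "https://mail.contoso.com/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "EX2010CAS\OAB (Default Web Site)" -ExternalUrl "https://mail.contoso.com/OAB"
Set-WebServicesVirtualDirectory -Identity "EX2010CAS\EWS (Default Web Site)" -ExternalUrl "https://mail.contoso.com/EWS/Exchange.asmx"
Set-ClientAccessServer -Identity EX2010CAS -AutoDiscoverServiceInternalUri "https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml"

# --- Step 3 (Exchange 2007 Management Shell): move the 2007 external URLs to the legacy name.
Set-OwaVirtualDirectory         -Identity "EX2007CAS\owa (Default Web Site)" -ExternalUrl "https://legacy.contoso.com/owa"
Set-ActiveSyncVirtualDirectory  -Identity "EX2007CAS\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl "https://legacy.contoso.com/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "EX2007CAS\OAB (Default Web Site)" -ExternalUrl "https://legacy.contoso.com/OAB"
Set-WebServicesVirtualDirectory -Identity "EX2007CAS\EWS (Default Web Site)" -ExternalUrl "https://legacy.contoso.com/EWS/Exchange.asmx"
Set-UMVirtualDirectory          -Identity "EX2007CAS\UnifiedMessaging (Default Web Site)" -ExternalUrl "https://legacy.contoso.com/UnifiedMessaging/Service.asmx"

# --- Step 4: external DNS records. dnscmd syntax: <server> /RecordAdd <zone> <name> <type> <data>.
dnscmd DNS01 /RecordAdd contoso.com legacy       A 203.0.113.20   # Exchange 2007 Client Access server
dnscmd DNS01 /RecordAdd contoso.com autodiscover A 203.0.113.10   # Exchange 2010 Client Access server
dnscmd DNS01 /RecordAdd contoso.com mail         A 203.0.113.10   # Exchange 2010 Client Access server

# --- Step 5: Outlook Anywhere moves to the 2010 Client Access server, which proxies 2007 mailboxes.
Disable-OutlookAnywhere -Server EX2007CAS -Confirm:$false
Enable-OutlookAnywhere  -Server EX2010CAS -ExternalHostname "mail.contoso.com" `
    -ClientAuthenticationMethod Basic -SSLOffloading $false

# --- Step 6: test the client scenarios (the Test-* cmdlets need the test mailbox that
# New-TestCasConnectivityUser.ps1 creates), then review what each server advertises externally.
Test-OwaConnectivity        -ClientAccessServer EX2010CAS | Format-List
Test-ActiveSyncConnectivity -ClientAccessServer EX2010CAS | Format-List
Get-OwaVirtualDirectory | Format-Table Server, ExternalUrl -AutoSize
```

Run the step 4 and step 6 checks from outside the network as well, since a record that resolves internally but not on the public DNS is the most common cause of the "2010 users can log on, 2007 users cannot" symptom listed later in this module.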

Considerations for Message Transport Coexistence

Key Points

A second coexistence component between the two Exchange Server versions is message transport. Message transport coexistence is configured automatically, as long as the correct versions of Hub Transport servers are available.

Message Routing During Coexistence

As you deploy Exchange Server 2010 Hub Transport and Mailbox servers in an Exchange 2007 organization, message transport works as follows:

• Each version of Exchange Mailbox server must use an equivalent version of the Hub Transport server when routing messages within the same site.

• If you have both Exchange Server 2007 and Exchange Server 2010 servers deployed in a site, messages will flow from the Exchange 2010 Mailbox server, to the Exchange Server 2010 Hub Transport server, to the Exchange Server 2007 Hub Transport server, and then to the Exchange Server 2007 Mailbox server. Messages sent from an Exchange Server 2007 mailbox would follow the reverse route.

• Message routing between Active Directory sites can use Hub Transport servers on either Exchange Server version. If you installed an Exchange Server 2010 Hub Transport server in one site, it can send messages to Exchange Server 2007 Hub Transport servers in another site.

• Message routing to and from the Internet can use either Exchange Server 2007 or Exchange Server 2010 Hub Transport servers. If your current deployment uses Exchange Server 2007 Edge Transport servers for inbound e-mail, you can continue to have the Edge Transport servers forward all messages to the Exchange Server 2007 Hub Transport server. As you deploy Exchange Server 2010 Hub Transport servers, you can add them to the edge subscription or configure the Exchange Server 2007 Edge Transport servers to forward messages to the Exchange Server 2010 Hub Transport servers. For outbound messages, you can add Exchange Server 2010 Hub Transport servers to the SMTP Send connector that is responsible for sending messages to the Internet. This enables outbound messages to be sent through either Exchange Server 2007 or Exchange Server 2010 Hub Transport servers.

Note: In Exchange Server 2010, you can view message-tracking information using the Exchange Management Console or the Exchange Control Panel. If an administrator or user views the message-tracking information in Exchange Control Panel, the message can be tracked only on Exchange Server 2010 Hub Transport servers. Administrators can track messages on both Exchange Server 2010 and Exchange Server 2007 Hub Transport servers by using the Message Tracking tool in Exchange 2007 and the Tracking Log Explorer tool in Exchange Server 2010.

Edge Transport Server Coexistence

If you deploy the Exchange Server 2007 Edge Transport server role, you can retain or replace the server with an Exchange Server 2010 Edge Transport server.

You can implement edge synchronization between Exchange Server 2010 Hub Transport servers and Exchange Server 2007 Edge Transport servers, but you cannot configure edge synchronization between Exchange Server 2007 Hub Transport servers and Exchange Server 2010 Edge Transport servers. This means that if you are using edge synchronization, you should not deploy an Exchange Server 2010 Edge Transport server before deploying at least one Exchange Server 2010 Hub Transport server in the adjacent Active Directory site.
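The following Exchange Management Shell script is an added example, not part of the course. It checks the two transport rules this lesson states (each Mailbox server needs a Hub Transport server of its own version in its site; edge synchronization runs from 2010 Hub Transport to 2007 Edge Transport but not the reverse) before subscribing a 2007 Edge Transport server to the 2010 Hub Transport servers, and then follows a test message along the coexistence route. The server and site names (EX2010HT, EDGE01, "Default-First-Site-Name"), the file path and the sender address are assumed placeholders.

```powershell
# Added example (not from the course). Placeholders: EX2010HT, EDGE01, the site name,
# C:\EdgeSubscription.xml and user2010@contoso.com. Runs in the Exchange 2010 Management Shell
# except where a comment says otherwise.

# Each Mailbox server must use a Hub Transport server of the same version in its site.
# List both roles per site with their versions (Version 8.x = 2007, Version 14.x = 2010).
Get-ExchangeServer |
    Where-Object { $_.IsMailboxServer -or $_.IsHubTransportServer } |
    Sort-Object Site, Name |
    Format-Table Name, Site, IsMailboxServer, IsHubTransportServer, AdminDisplayVersion -AutoSize

# Edge synchronization is supported from 2010 Hub Transport to 2007 Edge Transport only,
# so refuse to subscribe an Edge server until the adjacent site has a 2010 Hub Transport server.
$site = "Default-First-Site-Name"
$hub2010 = Get-ExchangeServer | Where-Object {
    $_.IsHubTransportServer -and ("$($_.Site)" -like "*$site*") -and ($_.AdminDisplayVersion.Major -ge 14)
}
if (-not $hub2010) {
    throw "No Exchange 2010 Hub Transport server in site '$site'; deploy one before subscribing an Edge Transport server."
}

# On the Edge Transport server (EDGE01), in its own shell, export the subscription file:
#   New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"
# Copy that file to a 2010 Hub Transport server in the site and import it there.
$fileData = [Byte[]](Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site $site
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List

# Follow a test message along the route described above
# (2010 Mailbox -> 2010 Hub Transport -> 2007 Hub Transport -> 2007 Mailbox).
# On the 2010 Hub Transport server, the SEND event's ServerHostname shows the server
# the message was handed to, which should be the 2007 Hub Transport server.
Get-MessageTrackingLog -Server EX2010HT -Start (Get-Date).AddHours(-1) -Sender "user2010@contoso.com" |
    Sort-Object Timestamp |
    Format-Table Timestamp, EventId, Source, ClientHostname, ServerHostname, MessageSubject -AutoSize
```

The version check uses AdminDisplayVersion.Major because a site can hold both versions of each role at once; the point is not whether a Hub Transport server exists but whether one of the same major version as each Mailbox server exists.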

Considerations for Administration Coexistence

Key Points

When implementing Exchange Server 2010 in an Exchange Server 2007 organization, you also need to plan for administrative coexistence. In this scenario, you need to consider how you will use the Exchange Server management tools and how you will delegate permissions.

Management Console Coexistence

The Exchange Management Console is available in both Exchange Server 2007 and Exchange Server 2010. You can perform the following tasks and actions using the different Exchange Management Consoles:

• You can perform actions that create new objects, such as new mailboxes or a new offline address book, on a version of the Exchange Management Console that is the same as the target object. For example, you must create a new mailbox on an Exchange Server 2007 Mailbox server by using the Management Console in Exchange Server 2007.

• You cannot manage Exchange Server 2007 Mailbox databases from the Exchange Server 2010 Management Console, although you can view these databases.

• You cannot enable or disable Exchange Server 2007 Unified Messaging mailboxes from the Exchange Server 2010 Management Console.

• You cannot use the Exchange Server 2010 Management Console to manage mobile devices for users that have mailboxes on an Exchange Server 2007 Mailbox server.

• You can perform actions that require management on Exchange Server 2007 objects from the Exchange Management Console in Exchange Server 2010. You cannot perform these actions from the Management Console in Exchange 2007 on Exchange Server 2010 objects.

• You can use any Exchange Management Console version to perform actions that require viewing of any version of Exchange Server objects, with the following exceptions:

• You can view only Exchange Server 2007 and Exchange Server 2010 transport rule objects from the corresponding version of the Exchange Management Console.

• You can view only Exchange Server 2007 and Exchange Server 2010 servers from their corresponding version of the Exchange Management Console.

• The Queue Viewer tool in Exchange Server 2010 Management Console cannot connect to an Exchange Server 2007 server to view queues or messages.

Delegating Administration During Coexistence

The model for delegating administrative permissions has changed significantly in Exchange Server 2010. Exchange 2007 setup creates several Active Directory groups with designated permissions in Active Directory and in the Exchange organization. To delegate permissions, you just add users to the appropriate Active Directory groups.

RBAC replaces this model in Exchange Server 2010, where you will use role groups to configure permissions.

When you install Exchange Server 2010 servers in an Exchange Server 2007 organization, this adds the Exchange Server 2010 role groups to Active Directory, and the Exchange Server 2007 groups are retained. When assigning permissions on Exchange Server 2007 servers, use the Exchange Server 2007 groups. When assigning permissions on the Exchange Server 2010 servers, use the Exchange Server 2010 role groups.
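As an added example (not part of the course), the script below delegates the same recipient-administration task on each side of the coexistence deployment, using the 2007 Active Directory groups for 2007 servers and the 2010 RBAC role groups for 2010 servers, and then lists who holds which permissions in both models. The account "contoso\helpdesk1" is an assumed placeholder.

```powershell
# Added example (not from the course). Placeholder account: contoso\helpdesk1.

# Exchange 2007 side (Exchange 2007 Management Shell): permissions are the setup-created
# Active Directory groups. Add-ExchangeAdministrator puts the user in the matching group,
# here Exchange Recipient Administrators.
#   Add-ExchangeAdministrator -Identity "contoso\helpdesk1" -Role RecipientAdmin

# Exchange 2010 side (Exchange 2010 Management Shell): permissions are RBAC role groups.
Add-RoleGroupMember -Identity "Recipient Management" -Member "contoso\helpdesk1"

# Review: one row per role group member, so accounts in Organization Management that only
# need recipient tasks stand out (least privilege applies to both models during coexistence).
Get-RoleGroup | ForEach-Object {
    $roleGroup = $_
    Get-RoleGroupMember -Identity $roleGroup.Identity |
        Select-Object @{ Name = "RoleGroup"; Expression = { $roleGroup.Name } }, Name, RecipientType
} | Sort-Object RoleGroup, Name | Format-Table -AutoSize

# The 2007 groups are retained in Active Directory after 2010 setup, so review them as well.
$legacyGroups = "Exchange Organization Administrators", "Exchange Recipient Administrators",
                "Exchange View-Only Administrators", "Exchange Public Folder Administrators"
foreach ($name in $legacyGroups) {
    $group = Get-Group -Identity $name -ErrorAction SilentlyContinue
    if ($group) {
        "$name : " + (($group.Members | ForEach-Object { $_.Name }) -join ", ")
    }
}
```

Keep both reviews in a scheduled job until the last 2007 server is gone: a user added to a 2007 group after the 2010 role groups are in use is easy to overlook, because the 2010 console never shows that membership.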

Process for Removing Exchange Server 2007 from the Organization

Key Points

After deploying the Exchange Server 2010 servers, you can start moving resources to the Exchange Server 2010 servers and removing the Exchange Server 2007 servers.

Moving Resources to Exchange Server 2010 Servers

Before removing the Exchange Server 2007 servers, you should move all required functionality and data to the Exchange Server 2010 servers:

• Transport connectors. You can add Exchange Server 2010 Hub Transport servers as source servers on Send connectors created in Exchange Server 2007. To upgrade message-transport functionality, add the Exchange Server 2010 Hub Transport servers to the Send connectors, and then remove the Exchange Server 2007 servers.

• Mailboxes. You can move mailboxes from Exchange Server 2007 SP2 to Exchange Server 2010. This move occurs online, and end users can access their mailboxes during the move. You must perform the move from the Exchange Server 2010 server using the move request cmdlets in the EMS, or by using the New Local Move Request option in the Exchange Management Console. You cannot use the Move-Mailbox functionality on the Exchange Server 2007 server to move mailboxes to Exchange 2010 servers.

• Public folders. If you require system folders or other public folders after the upgrade, create replicas of the public folders on an Exchange Server 2010 server hosting the public-folder database. Wait for replication to complete, and then remove the replicas on the Exchange Server 2007 servers.
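The three resource moves above, as an added Exchange 2010 Management Shell example that is not part of the course. It adds a 2010 Hub Transport server to the Internet Send connector before removing the 2007 one, moves all mailboxes from a 2007 database with move requests issued from the 2010 side, and adds public folder replicas on the 2010 server before removing the 2007 replicas. The connector, server, database and mailbox names are assumed placeholders; the AddReplicaToPFRecursive.ps1 and RemoveReplicaFromPFRecursive.ps1 scripts ship in the Exchange Scripts folder.

```powershell
# Added example (not from the course). Placeholders: "Internet Send Connector", EX2007HT,
# EX2010HT, EX2007MBX\SG1\DB1, DB2010-01, EX2007MBX, EX2010MBX.

# Transport connectors: add the 2010 Hub Transport server as a source server, keep the 2007
# server until mail is confirmed to flow through the new one, then drop the 2007 server.
$conn    = Get-SendConnector -Identity "Internet Send Connector"
$sources = @($conn.SourceTransportServers | ForEach-Object { $_.Name }) + "EX2010HT"
Set-SendConnector -Identity $conn.Identity -SourceTransportServers $sources
# Later, once EX2010HT is delivering Internet mail:
Set-SendConnector -Identity $conn.Identity -SourceTransportServers ($sources | Where-Object { $_ -ne "EX2007HT" })

# Mailboxes: online moves are requested from the 2010 side; Move-Mailbox on 2007 cannot
# target a 2010 database. The 2007 database identity is Server\StorageGroup\Database.
Get-Mailbox -Database "EX2007MBX\SG1\DB1" -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase "DB2010-01" -BadItemLimit 10

# Watch progress and check for failed or partially-moved mailboxes before removing anything.
Get-MoveRequest | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered -AutoSize
# Completed requests should be cleared so the list shows only work still in progress.
Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest -Confirm:$false

# Public folders: create replicas on the 2010 public folder database (IPM and system
# folders), wait for replication to finish, then remove the 2007 replicas.
Set-Location "$env:ExchangeInstallPath\Scripts"
.\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\"                -ServerToAdd "EX2010MBX"
.\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\NON_IPM_SUBTREE" -ServerToAdd "EX2010MBX"
# Compare item counts on both servers before removing the 2007 replicas.
Get-PublicFolderStatistics -Server EX2010MBX | Measure-Object ItemCount -Sum
Get-PublicFolderStatistics -Server EX2007MBX | Measure-Object ItemCount -Sum
.\RemoveReplicaFromPFRecursive.ps1 -TopPublicFolder "\"                -ServerToRemove "EX2007MBX"
.\RemoveReplicaFromPFRecursive.ps1 -TopPublicFolder "\NON_IPM_SUBTREE" -ServerToRemove "EX2007MBX"
```

The ordering inside each block mirrors the lesson's point that nothing is removed from a 2007 server until the 2010 server has been shown to carry the load: the connector keeps both source servers for a while, move requests are inspected for bad items, and the replica item counts are compared before the 2007 replicas go.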

Removing Exchange 2007 Servers

As you move mailboxes and message delivery to the Exchange Server 2010 servers, you can start removing the previous Exchange Server versions. We recommend the following process for removing Exchange Server 2007 servers:

1. Remove Mailbox servers first.

2. Remove the Exchange Server 2007 Unified Messaging server role.

3. Remove the Exchange Server 2007 Hub Transport servers.

4. Remove the Exchange Server 2007 Client Access Servers.

After you remove the last mailbox and public folder from the Exchange Server 2007 Mailbox server, you may remove all other Exchange Server 2007 servers in the Active Directory site.

Module Review and Takeaways

Review Questions

1. Your organization is deploying Exchange Server 2010 in an Exchange 2003 organization. You have made the changes to Active Directory. What is the first Exchange 2010 server role that you should deploy? How will this deployment change the user experience?

2. Why do you need to configure a new external URL on Exchange Server 2007 Client Access servers when you deploy Exchange Server 2010 Client Access servers?

3. Your organization includes two locations and Active Directory sites. You have deployed Exchange Server 2007 servers in both sites. You now are deploying Exchange Server 2010 servers in one of the sites and removing the Exchange Server 2007 servers. When can you remove the last Exchange 2007 Hub Transport server in the site?

Common Issues Related to Upgrading to Exchange 2010

Identify the causes for the following common issues related to upgrading to Exchange Server 2010. For answers, refer to relevant lessons in the module.

Issue: When you try to remove an Exchange Server 2003 server, you receive an error message that you cannot remove the server because it is a bridgehead server for a routing-group connector. You have upgraded all external message routing to Exchange Server 2010.

Troubleshooting tip: The Exchange Server 2003 server may be the designated routing-group bridgehead server for the routing-group connector between the Exchange Server 2003 routing group and the Exchange Server 2010 routing group. If this is the last Exchange Server 2003 server, you can remove it from the routing-group connector. If you have other Exchange Server 2003 servers deployed, you will need to designate one of them as the routing-group connector’s bridgehead server.

Issue: You are upgrading your Exchange Server 2007 organization to Exchange Server 2010, and you have configured Client Access servers for Internet access. Users with mailboxes on Exchange Server 2010 Mailbox servers can access their mailbox using Outlook Web App from the Internet, but users with mailboxes on the Exchange Server 2007 Mailbox servers cannot.

Troubleshooting tip: Check the DNS configuration to ensure that users from the Internet can resolve the host name for the alternate or legacy URL that you have configured. Also, check the reverse proxy or firewall configuration to ensure that all client requests to the legacy URL are directed to the Exchange Server 2007 Client Access server.

Issue: You have deployed Exchange Server 2010 servers in your Exchange Server 2007 organization. You need to modify the settings on both Exchange Server 2007 and Exchange Server 2010 servers, but you cannot see both servers in the Exchange Management Console.

Troubleshooting tip: You have to use the same version of the Exchange Management Console as the server that you are managing.

Real-World Issues and Scenarios

1. A. Datum has three office locations and three Active Directory sites. They have deployed Exchange Server 2003 servers in all offices, but have enabled Internet access to the servers only in the main office. What high-level process should A. Datum use to upgrade to Exchange Server 2010?

2. Your organization has deployed Forefront Threat Management Gateway (TMG) to secure access to the Client Access server deployment. You have completed all of the steps required to enable access to both the Exchange 2010 Client Access server and the Exchange 2007 Client Access server. What changes do you need to make on the TMG server?

3. Your organization is deploying Exchange Server 2010 in an Exchange Server 2003 organization. Your organization does not provide Internet access to messaging clients, and all users are located in a single office. You deploy an Exchange Server 2010 server using a standard installation. What else do you need to do before you start moving mailboxes to the Exchange Server 2010 server? Users need to be able to access their mailboxes by using Outlook Web App and Outlook 2003.

Best Practices Related to Upgrading to Exchange Server 2010

Supplement or modify the following best practices for your own work situations:

• If your Exchange Server 2003 organization has multiple routing groups, consider creating additional routing-group connectors between each of the routing groups and an Exchange 2010 Hub Transport server in each office location. By doing this, you can ensure that all messages are sent from the Exchange Server 2003 servers to the Exchange Server 2010 servers without crossing the wide area network (WAN) links between the routing groups.

• Plan to increase the number of Client Access servers as you upgrade to Exchange Server 2010. For Exchange Server 2003 and Exchange Server 2007 deployments, we recommended a one-to-four ratio of Client Access server or front-end server processor cores to Mailbox server or back-end server cores. In Exchange Server 2010, we recommend a three-to-four ratio.

• Use certificates with subject alternative names rather than using wildcard certificates when you obtain certificates for the Client Access servers. Wildcard certificates are less secure, because they can be used to secure connections to any server name. If an attacker obtains a copy of the certificate, they can use it to secure connections to any server name while using your domain name.

Tools

Tool: Remote Connectivity Analyzer

Use for: Testing client access connections during the upgrade to Exchange Server 2010

Where to find it: http://go.microsoft.com/fwlink/?LinkId=179969

Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.

Implementing Unified Messaging A-1

Appendix A Implementing Unified Messaging

Contents:

Lesson 1: Overview of Telephony A-3

Lesson 2: Introducing Unified Messaging A-14

Lesson 3: Configuring Unified Messaging A-33

Lab: Implementing Unified Messaging A-49

Appendix Overview

Unified Messaging combines voice and e-mail messaging into one location, accessible from a telephone and a computer. Microsoft® Exchange Server 2010 Unified Messaging integrates Exchange Server with telephony networks and makes the Unified Messaging features available in the user mailbox. This module describes how Unified Messaging works with your telephony system and Exchange Server environment, and how to configure Unified Messaging.

After completing this module, you will be able to:

• Describe telephony systems.

• Describe Unified Messaging features and integration with Exchange Server 2010.

• Configure Unified Messaging.

Lesson 1 Overview of Telephony

Unified Messaging enables you to integrate telephony systems with Exchange Server 2010. You must have an understanding of core telephony concepts to understand how Unified Messaging works and how to implement it.

In this lesson, you will learn the basics about a telephony system and what protocols Unified Messaging provides.

After completing this lesson, you will be able to:

• Describe types of telephone systems.

• Describe telephony-system components.

• Describe types of Private Branch Exchange (PBX) phone systems.

• Describe Voice over IP (VoIP) gateway.

• Describe Unified Messaging protocols.

Types of Telephone Systems

Key Points

There are three general types of business telephone systems: Centrex, Key Telephone System, and PBX. You can integrate each of these phone systems with Unified Messaging.

Centrex Phone System

Phone companies lease a Centrex phone system (also known as Central Office Telephone Exchange) to businesses. The Centrex phone system uses the phone company’s central office (CO) exchange to route internal calls to an extension.

A new Centrex version, called IP Centrex, is available. With IP Centrex, the organization does not rent phone lines from the telephone company’s CO. Instead, the CO sends the phone calls through a VoIP gateway, which routes them through the Internet. At the organization’s office, another VoIP gateway translates the call to a traditional circuit-switched call.

Key Telephone System

A Key Telephone System is similar to the Centrex system in that the organization leases several phone lines from the telephone company’s CO. However, with the Key Telephone System, each phone line connects to multiple telephones in the organization. When someone calls the company, all phones ring that are associated with that line. Businesses with Key Telephone Systems often arrange for someone to answer incoming calls, and then announce the call to the correct recipient.

PBX Business Phone Systems

PBX systems are different from Centrex or Key Telephone Systems in that they typically have only a single connection to the CO, and all call switching happens on the organization’s premises. The connection to the CO usually occurs through a T1 or E1 line, both of which provide multiple channels to enable multiple calls over the same line. These lines are also known as trunk lines.

The PBX routes internal phone calls, and those between external and internal users. In a PBX system, each user has a telephone extension. When an internal user places a call to another internal user, they use just the extension number, and the PBX routes the call to the appropriate extension.

Users make external telephone calls through a PBX by dialing 9 or 0, and then the external number. You configure this external access number on the PBX, which then automatically selects an outgoing trunk line to complete the call. The PBX accepts incoming calls and automatically forwards them to the appropriate organizational extension.

In larger organizations, PBXs make it possible for users to reach other users in different locations just by dialing an extension number. This may involve networking multiple PBXs.

Components of a Telephony System

Key Points

Telephony administrators use specialized terminology to describe many of the features and concepts that relate to PBXs. When deploying Unified Messaging servers, you need to understand these terms and how they relate to Unified Messaging.

Direct Inward Dialing

A Direct Inward Dialing (DID) phone number is a unique number that an organization assigns to a person. It lets that individual receive calls directly from an external phone without having to transfer the call. The DID is a combination of company-specific phone number and the user’s extension. If the organization has implemented a PBX, the PBX uses a mapping of DID numbers to internal extensions to route calls to the correct phone.

Dial Plan

A dial plan consists of the rules that a PBX uses to determine what action to take when it receives a set of dialed numbers. For example, a “9” often triggers call setup to an outside line, so that users can call external phone numbers. When “9” is not the first number, the PBX needs to know how many numbers to collect before taking action. If internal extension numbers are three digits long, it waits for just three numbers before taking action.

Hunt Group

A hunt group is a collection of extensions. In most cases, a hunt group represents a set of identical resources that an application or a group shares. This provides more-efficient access to applications, like voice mail, an auto attendant, or even a call center, so that callers do not experience a busy signal. Instead, the PBX hunts for an open line to which to connect them.

Pilot Number

A pilot number is the address or label that the PBX uses to identify a hunt group. It is an unused extension, meaning it is not associated with a person or phone.

For example, there may be a specific extension number 3900 for the telesales team, which may be the pilot number for the hunt group of telesales extension numbers. When a call comes into the 3900 sales number, the PBX recognizes it as a pilot number and searches for an available line within the sales hunt group. The PBX then delivers the call to an available sales extension number.

Coverage Path

A coverage path is a set of directions that you configure for each extension; it tells the PBX where to route unanswered calls and calls that receive busy signals. If a DID call arrives at a user’s desktop phone, and the line is busy or not answered within a certain number of rings, the PBX knows to send the call to the pilot number for the hunt group that attaches to the VoIP gateway. The PBX routes the call through the VoIP gateway to the Unified Messaging server, where the caller can record a voice message. The Unified Messaging server sends the voice message to the Unified Messaging user’s mailbox.

Call Transfer

Users transfer calls routinely from one extension to another. An unsupervised transfer occurs when a user transfers a call to the next extension without determining whether the extension’s user answers the call. For example, consider when a user transfers a call to voice mail when a phone is not answered or is busy.
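To show how the terms above (dial plan, extension length, VoIP gateway, hunt group, pilot number) map onto Exchange Server 2010 Unified Messaging objects, here is an added Exchange Management Shell example that is not part of the course. The dial plan and gateway names, the gateway address 192.0.2.50 and the voicemail pilot number 3999 are assumed placeholders; the three-digit extension length is the one the Dial Plan paragraph uses.

```powershell
# Added example (not from the course). Placeholders: ContosoDialPlan, VoIPGW01, 192.0.2.50,
# ContosoVoicemailHG and pilot number 3999.

# Dial plan: the PBX collects three digits for an internal extension, so the UM dial plan is
# given the same extension length. URIType TelExtn is for a PBX reached through a VoIP gateway.
# VoIPSecurity Secured means the gateway must speak TLS for SIP and SRTP for media; use
# Unsecured only for a gateway that cannot, and only on an isolated voice VLAN.
New-UMDialPlan -Name "ContosoDialPlan" -NumberOfDigitsInExtension 3 -URIType TelExtn -VoIPSecurity Secured

# VoIP gateway: the device that converts the PBX's circuit-switched trunk into IP traffic.
# Creating it with -UMDialPlan also creates a default hunt group with no pilot identifier.
New-UMIPGateway -Name "VoIPGW01" -Address 192.0.2.50 -UMDialPlan "ContosoDialPlan"

# Hunt group and pilot number: the PBX coverage path sends unanswered calls to pilot 3999,
# the gateway forwards them, and Exchange matches the pilot identifier to select the dial plan.
New-UMHuntGroup -Name "ContosoVoicemailHG" -PilotIdentifier 3999 -UMDialPlan "ContosoDialPlan" -UMIPGateway "VoIPGW01"

# Verify the chain: gateway -> hunt group (pilot identifier) -> dial plan.
Get-UMHuntGroup | Format-Table Name, PilotIdentifier, UMDialPlan, UMIPGateway -AutoSize
```

The pilot identifier is the only value that ties the telephony side to the Exchange side: the PBX hunt group and the UM hunt group must agree on it, or calls arrive at the server and are rejected because no dial plan matches.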

Types of PBXs

Key Points

The PBX system is the most common type that medium- and large-size organizations use. There are several types of PBX systems available.

Analog PBX

Analog PBX systems send voice and signaling information, like the touch tones of dialed phone numbers, as actual analog sound. Analog PBX systems never digitize the sound. To direct the call, the PBX and the phone company’s CO listen for the signaling information.

Digital PBX

Digital PBXs encode analog sound into a digital format. They typically encode the voice using a standard industry audio codec, G.711. Once digital PBXs encode the sound, they send the digitized voice on a channel using circuit switching.

The process of circuit switching establishes an end-to-end, open connection, and leaves the channel open for the call’s duration and for the call’s users only. Some PBX manufacturers have proprietary signaling methods for call setup.

IP PBX

IP PBXs carry voice over data networks. The IP phone contains a Network Interface Card (NIC), so it is part of the network. The phone converts voice into digitized packets, which it then places on the data network. The network sends the voice packets via packet switching, a technique that enables a single network channel to handle multiple calls.

The IP PBX also acts as a gateway between the internal packet-switched network and the external circuit-switched networks that telephone companies use. In this situation, external phone calls arrive at the IP PBX on the normal public phone lines, and the IP PBX converts the phone call to packets sent on the internal IP-based network.

Hybrid PBX

Hybrid PBXs provide both digital and IP PBX capabilities. This hybrid approach enables a customer to run a mixture of digital and IP-based phones. Most modern PBXs are in this hybrid category.

What Is a VoIP Gateway?

Key Points

Telephony and computer systems traditionally use different types of networks to enable communication between attached devices. A telephony system typically uses a circuit-switching network, while the computer system traditionally uses a packet-switching network. You may need to deploy a VoIP gateway to translate data between the circuit-switched network and the packet-switched data network.

Circuit-Switched Networks A circuit-switched network uses a dedicated connection between two network devices. For example, you pick up the telephone receiver and dial a phone number. By answering the call, the recipient completes the circuit. After the two nodes establish a call between them, only these two nodes may use the connection. When one of the nodes ends the call, this cancels the connection.

Circuit-switched networks, such as the Public Switched Telephone Network (PSTN), transmit multiple calls across the same transmission medium. Frequently, the medium that a PSTN uses is copper. However, it also may use fiber optic cable.

Packet-Switched Networks Packet switching is a technique that divides a data message into smaller units called packets. The network sends the packets to their destination by the best route available, and then reassembles them at the receiving end.

VoIP VoIP is a technology that enables an IP-based network to act as the transmission medium for telephone calls. It sends voice data in IP packets rather than by circuit-switched telephone lines. Translating a call from a circuit-switched network to a packet-switched network is complicated because the underlying network connections are so different.

VoIP Gateway A VoIP gateway is a third-party hardware device or product that converts traditional phone-system or circuit-switching protocols into data-networking or packet-switched protocols. The VoIP gateway connects a telephone network with a data network.

Unified Messaging servers can connect only to packet-switched data networks. This means that organizations with a traditional PBX must deploy a VoIP gateway to communicate between the PBX and the Unified Messaging server.

The following table lists the types of telephony systems, and explains when a VoIP gateway is required:

Types of telephony system    VoIP gateway requirement
Traditional Centrex          VoIP gateway required
IP Centrex                   VoIP gateway may not be required
Key Telephone System         VoIP gateway required, and some systems are not supported
Traditional PBX              VoIP gateway required
IP or hybrid PBX             VoIP gateway may not be required

Note: For a list of VoIP gateways and IP/PBX systems that Unified Messaging supports, see the Exchange Server TechCenter.

Unified Messaging Protocols

Key Points There are a number of voice-related, IP-based protocols. A Unified Messaging environment with Exchange Server 2010 uses the following:

• Session Initiation Protocol (SIP). SIP is a real-time signaling protocol that creates, manipulates, and tears down interactive communication sessions on an IP network. You can use SIP in conjunction with Transport Layer Security (TLS) to provide security. Exchange Server Unified Messaging uses SIP mapped over Transmission Control Protocol (TCP) and supports TLS for secured SIP environments.

SIP clients, such as IP/VoIP gateways and IP/PBXs, can use TCP port 5060 or port 5061 (for Secure SIP) to connect to SIP servers.

• Real-Time Transport Protocol (RTP). RTP is for voice transport between the IP gateway and the Unified Messaging server. RTP provides high-quality, real-time, streaming voice delivery. One of the issues with sending voice messages over an IP network is that voice requires real-time transport with specific quality requirements to ensure that the voice sounds normal. If the protocol uses large packets, listeners must wait for the entire packet to arrive before they can respond. Any delay in packet delivery can produce undesirable periods of midstream silence. Packet loss can cause voice garbling.

For more information: Request for Comments (RFC) 3550 (which updates RFC 1889) describes RTP, while RFC 3261 (which updates RFC 2543) describes SIP.

• Real-Time Facsimile or T.38. Real-Time Facsimile (T.38) is an Internet fax-transport protocol. T.38 sets procedures for fax transmission when a portion of the path includes an IP network. The Unified Messaging system uses it to relay, in real time across an IP network, a fax that a user originally sends over a voice line.
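
The following PowerShell function is an added example, not part of the course material, that checks the two SIP ports described above from a Unified Messaging server: whether a gateway or IP PBX answers on TCP 5060, and whether a TLS handshake on TCP 5061 succeeds with a certificate that the server trusts, which is what a dial plan configured for secured SIP needs. The gateway name gw01.contoso.com is a placeholder. It uses only the .NET TcpClient and SslStream classes, so it runs on Windows Server 2008 with PowerShell 2.0.

```powershell
# Added example (not from the course): checks whether a VoIP gateway or IP PBX
# answers on the SIP port (TCP 5060) and, for Secure SIP (TCP 5061), whether it
# presents a certificate the UM server trusts. The address is a placeholder.
function Test-SipEndpoint {
    param(
        [Parameter(Mandatory = $true)] [string] $GatewayAddress,
        [int] $Port = 5060,
        [switch] $Tls,
        [int] $TimeoutMs = 3000
    )

    $result = New-Object PSObject -Property @{
        Address      = $GatewayAddress
        Port         = $Port
        TcpReachable = $false
        TlsTrusted   = $null      # stays $null unless -Tls is used
        CertSubject  = $null
        Detail       = ''
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect so an unreachable gateway does not hang the check
        $async = $client.BeginConnect($GatewayAddress, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $result.Detail = "No TCP answer within $TimeoutMs ms"
            return $result
        }
        $client.EndConnect($async)
        $result.TcpReachable = $true

        if ($Tls) {
            # Default validation applies: the certificate must chain to a CA in
            # the local machine store and match the name dialled, the same
            # requirements a secured dial plan imposes on the gateway.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            try {
                $ssl.AuthenticateAsClient($GatewayAddress)
                $result.TlsTrusted  = $true
                $result.CertSubject = $ssl.RemoteCertificate.Subject
                $result.Detail      = "TLS negotiated ($($ssl.SslProtocol))"
            }
            catch [System.Security.Authentication.AuthenticationException] {
                $result.TlsTrusted = $false
                $result.Detail     = "TLS handshake failed: $($_.Exception.Message)"
            }
            finally {
                $ssl.Dispose()
            }
        }
    }
    catch {
        $result.Detail = $_.Exception.Message
    }
    finally {
        $client.Close()
    }
    return $result
}

# Usage: plain SIP first, then Secure SIP, against a placeholder gateway name
Test-SipEndpoint -GatewayAddress 'gw01.contoso.com'
Test-SipEndpoint -GatewayAddress 'gw01.contoso.com' -Port 5061 -Tls
```

A TcpReachable of $false on 5060 points at routing or a firewall between the gateway and the Unified Messaging server; TcpReachable $true with TlsTrusted $false on 5061 means the transport is fine and the problem is the gateway certificate or the trust store on the server. Exchange's own Test-UMConnectivity cmdlet performs a full SIP exchange; this check isolates the transport layer so the cause can be narrowed down before that test is run.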

Lesson 2 Introducing Unified Messaging

Unified Messaging enables users to receive e-mail, voice, and fax services in their Exchange Server inbox, and allows users to access mailbox contents by phone. This simplifies the experience for users, because they must access and manage only one location for all message types. This also provides more functionality for users because they can use traditional messaging clients to access voice or fax messages, and they can use telephone technology to access e-mail messages. Unified Messaging also simplifies administrators’ workloads because they must manage this data in one location only.

This lesson introduces the features and requirements for Exchange Server 2010 Unified Messaging.

After completing this lesson, you will be able to:

• Describe Unified Messaging.

• Describe Unified Messaging communication.

• Describe server communications for Unified Messaging.

• Describe Unified Messaging call-answering features.

• Describe Microsoft Office Outlook® Voice Access features.

• Describe how Unified Messaging works with a VoIP gateway.

• Integrate Unified Messaging with Office Communications Server (OCS) 2007 R2.

• Describe international Unified Messaging requirements.

What Is Unified Messaging?

Key Points Unified Messaging provides the convergence of voice and e-mail messaging into one store, accessible from a phone, a computer running an e-mail client, and mobile devices.

Most users and information technology (IT) departments manage their voice mail separately from their e-mail. Usually, voice messages and e-mail exist as separate inboxes on separate servers, and users access them with different clients. Frequently, each communication tool requires a separate address list, which can make it difficult to keep all address lists synchronized. Unified Messaging brings these tools together, and it offers an integrated store and user experience for all Exchange Server message types.

Unified Messaging Features Unified Messaging provides the following core features:

• Call answering. Call answering enables the system to answer the telephone and record a message when the user is unavailable.

• Outlook Voice Access. Exchange Server Unified Messaging provides users with full access to their Exchange Server mailbox from any phone. Outlook Voice Access enables users to use the phone to retrieve their e-mail, voice mail, calendar, and personal contacts.

• Play on Phone. This feature lets a Unified Messaging-enabled user listen to a voice message using a telephone instead of playing it over their computer speakers or headphones.

• Voice-mail preview. The Unified Messaging role uses Automatic Speech Recognition (ASR) on newly created voice messages. When users receive voice mails, they receive messages that contain the voice recordings and clear text that Unified Messaging creates from recordings.

• Protected voice mail. Unified Messaging provides this functionality so that users can send private voice mail, which Microsoft Rights Management Services (RMS) protects. Unified Messaging then restricts the recipient from forwarding, copying, or extracting the voice file from the mail.

• Call-answering rules (Personal Auto Attendant). The Unified Messaging role allows Unified Messaging-enabled users to create and customize call-answering rules to enhance their callers’ call-answering experience.

Overview of Unified Messaging Communications

Key Points Unified Messaging combines voice and e-mail messaging in the Exchange Server store, and it integrates telephony networks into Exchange Server 2010.

Phone calls enter the organization through an IP PBX or a legacy PBX. A legacy PBX needs an IP gateway to communicate using a Unified Messaging protocol such as SIP, whereas most IP PBXs already support SIP directly.

The Unified Messaging role communicates with regular phones or the PSTN through the PBX. The public telephone network that connects to the PBX communicates using Time Division Multiplexing (TDM). TDM transmits multiple digitized data, voice, and video signals simultaneously over one communication medium by interleaving pulses that represent bits from different channels, or time slots.

Unified Messaging handles all internal communications, as follows:

• It connects to Active Directory® Domain Services (AD DS) using Lightweight Directory Access Protocol (LDAP).

• It connects to the Mailbox server using MAPI.

• It accepts requests from the Client Access server using RPC.

• In the case of OCS 2007 integration, it accepts SIP requests from the OCS server for missed-call notifications.

As usual, any Exchange Server client computer running Outlook 2007, Outlook 2010, or Outlook Web App communicates with the Client Access server role. In Exchange Server 2010, Outlook 2007 and Outlook 2010 send their Unified Messaging Web-services requests to the Client Access server. However, there is no separate Unified Messaging virtual directory as there was in Exchange Server 2007.

Server Communications for Unified Messaging

Key Points To install Unified Messaging servers, you also must have the Mailbox, Hub Transport, and Client Access server roles installed in the same Active Directory site. The Unified Messaging servers cannot provide full functionality unless they can communicate with all of these server roles.

Unified Messaging Server Communication with Domain Controllers The Unified Messaging server performs AD DS directory lookups for recipient information. You must add each Unified Messaging-enabled user to a dial plan and then assign each user an extension number in AD DS. This provides the user mailbox with a unique identifier.

The Unified Messaging server performs AD DS directory lookups in several different scenarios, including:

• Locating the Mailbox server that hosts the user mailbox so that the Unified Messaging server can send voice messages or faxes to the mailbox, or extracting the user’s personal greeting from the Mailbox server.

• Locating users’ prerecorded spoken names from AD DS.

• Locating subscriber extensions and other attributes, such as department names or e-mail addresses, when users call the auto attendant.

Unified Messaging Server Communication with Other Server Roles The Unified Messaging server must communicate with all other Exchange Server 2010 server roles, except the Edge Transport server role:

• Communication with the Mailbox server role. The Unified Messaging server communicates with the Mailbox server role to access user-mailbox contents. This happens in two scenarios. First, the Mailbox server stores the personal greetings that users create to play for their callers; the Unified Messaging server retrieves these greetings from the Mailbox server and plays them when applicable.

Second, when Unified Messaging subscribers call the Unified Messaging server to access their mailbox contents via Outlook Voice Access, the Unified Messaging server directly accesses the Mailbox server to extract the mailbox contents. All communications between the Unified Messaging server and the Mailbox server use MAPI.

• Communication with the Hub Transport server role. The Unified Messaging server communicates with the Hub Transport server role to send messages to the Mailbox server. When a caller leaves a voice mail for a Unified Messaging subscriber or sends a fax to a Unified Messaging subscriber, the Unified Messaging server attaches the voice mail or fax to a message and forwards it to the Hub Transport server using Simple Mail Transfer Protocol (SMTP).

• Communication with the Client Access server role. The Unified Messaging server communicates with the Client Access server role when a subscriber uses the Play on Phone feature or when they reset their personal identification number (PIN) through Outlook Web App. Using Play on Phone, a Unified Messaging subscriber can use Outlook 2007 or Outlook Web App to instruct the Unified Messaging server to send a voice mail to a telephone number. When the user does this, the client communicates with Unified Messaging Web Services, which you install on a Client Access server. Unified Messaging Web Services then uses SIP to communicate with the Unified Messaging server, which instructs the VoIP gateway to place the phone call.

Call-Answering Features of Unified Messaging

Key Points Call handling describes how an Exchange Server 2010 Unified Messaging server answers and handles incoming calls. The Unified Messaging server can handle a variety of incoming calls.

Voice Calls The Unified Messaging server uses voice-call handling when an internal or external caller leaves a voice message for an Exchange Server 2010 Unified Messaging user. The Unified Messaging server creates Multipurpose Internet Mail Extensions (MIME) messages from incoming calls, and then submits them to a Hub Transport server using SMTP. The Hub Transport server submits the message to the user’s Mailbox server. The Unified Messaging server always uses SMTP to send voice messages, even if the mailbox resides on the same computer on which you install the Unified Messaging server role.

Outlook Voice Access To access their Exchange Server 2010 mailbox using Outlook Voice Access, users must dial a subscriber access number that is on a Unified Messaging dial plan. A dial plan consists of the rules that a PBX uses to determine what action to take when it receives a set of dialed numbers. A welcome message and a series of telephone user-interface voice prompts enable the user to listen to messages in the mailbox or manipulate mailbox contents. These voice prompts help the user navigate and interact with the Unified Messaging system using touch-tone or speech inputs.

Unified Messaging Auto Attendants When anonymous or unauthenticated users call into an organization, voice prompts assist them in placing calls to Unified Messaging-enabled users. Additionally, when you want to make an internal call, Unified Messaging places the call automatically when you say the name of the person you are calling. A Unified Messaging auto attendant is a series of voice prompts, comprised of WAV files, that callers hear instead of a human operator. The Unified Messaging auto attendant lets callers navigate the menu system, place calls, or locate users using dual-tone multi-frequency (DTMF) or voice inputs.

When you configure a Unified Messaging auto attendant, you can create custom WAV files and replace the default prompts to meet your organization’s needs.

Outlook Voice Access Features

Key Points Outlook Voice Access enables Unified Messaging users to access their Exchange Server 2010 mailbox using mobile devices or an analog, digital, or wireless telephone.

What Users Can Do with Outlook Voice Access When accessing their Exchange Server 2010 mailbox, users can:

• Listen to new and saved e-mail and voice-mail messages.

• Forward, reply, save, and delete e-mail and voice messages.

• Interact with their calendars, including:

    • Listening to daily calendar appointments and meeting details.

    • Accepting or declining meeting requests.

    • Sending an “I’ll be late” message to meeting participants.

    • Replying to meeting requests using voice inputs to send messages to meeting participants.

    • Declining or cancelling meetings.

• Interact with their global address list (GAL) and their personal contact list. These interactions can include:

    • Locating a person in the GAL or personal contact list.

    • Inputting a telephone extension number to leave a message.

    • Sending voice messages.

• Change their personal identification number (PIN), spoken name, or greetings.

Outlook Voice Access is central to the Unified Messaging infrastructure because it allows users to access their mailboxes through universally accessible telephones.

How Unified Messaging Works with a VoIP Gateway

Key Points The following steps describe the communication flow for an organization’s incoming phone calls when it deploys Exchange Server 2010 Unified Messaging:

1. A caller dials a user’s number in the organization. This caller could be inside or outside the organization. Unified Messaging connects the call to the PBX. The PBX uses the call recipient’s extension number to route the call to the appropriate desk phone, which then rings. If the recipient does not answer the call, the PBX checks its configuration to see where to route the unanswered call. In this case, the PBX routes the unanswered calls for this phone to the number associated with the VoIP gateway.

2. The VoIP gateway converts the circuit-switched protocols to packet-switched protocols. It uses the information about the Exchange Server Unified Messaging environment, which you configure during the VoIP gateway installation, to route the call to the appropriate Unified Messaging server. The Unified Messaging server receives the now VoIP-based, packet-switched call.

3. The Unified Messaging server contacts AD DS to retrieve the recipient information. This Active Directory lookup occurs using the combination of dial plan plus extension number, which provides a unique identifier for each mailbox. The Unified Messaging server uses this information to contact the user’s mailbox to play the individual’s greeting. Then the Unified Messaging server answers the call and captures the voice message.

4. The Unified Messaging server packages the message into a voice message for Exchange Server. It then uses SMTP to route the message to a Hub Transport server in the same site. The Hub Transport server routes the voice message to the user’s Exchange Server mailbox, where it is stored. The message is accessible to the Unified Messaging subscriber through Outlook Voice Access, Outlook, Outlook Web App, or Exchange ActiveSync.

Note: These steps describe the communication flow when Exchange Server 2010 Unified Messaging answers a call. The process is similar when you use other systems, such as Outlook Voice Access or auto attendant access. For example, when using Outlook Voice Access, the user calls a number that you configure the PBX to forward automatically to the VoIP gateway. The gateway then forwards the call to the Unified Messaging server, which checks AD DS for the user mailbox location. It then uses MAPI to connect to the appropriate Mailbox server. When you use an auto attendant, the PBX forwards the call through the VoIP gateway to the Unified Messaging server, which locates the requested information in AD DS.

Integrating Unified Messaging with OCS 2007 R2

Key Points Exchange Server 2010 Unified Messaging provides OCS 2007 R2 with the voice mailbox feature. Only Unified Messaging supports this feature. Additionally, because Unified Messaging uses the existing IP PBX that is configured with OCS 2007 R2, you do not need additional hardware to connect Unified Messaging to your PBX if OCS 2007 R2 is already installed.

OCS 2007 R2 also provides other features that integrate into Unified Messaging, such as instant messaging, presence information, Web conferencing, and VoIP telephony:

• Instant messaging. The OCS 2007 R2 client provides instant messaging (IM) functionality that the OCS hosts. The solution provides IM features, such as group IM, and extends the internal IM infrastructure to external IM providers.

• Presence information. OCS 2007 R2 tracks presence information for all OCS users, and it provides this information to the OCS 2007 R2 client and other applications, such as Outlook 2007.

• Web conferencing. OCS 2007 R2 can host on-premise conferences, which you can schedule or reschedule, and they can include IM, audio, video, application sharing, slide presentations, and other forms of data collaboration.

• Audio conferencing. Users can join OCS 2007-based audio conferences using any desk or mobile phone. When connecting to an audio conference using a Web browser, users can provide a telephone number that the audio-conferencing services calls.

• VoIP telephony. Enterprise Voice enables OCS 2007 R2 users to place calls from their computers by clicking an Outlook or Communicator contact. Users receive calls simultaneously on all their registered user endpoints, which may be a VoIP phone, mobile phone, or OCS 2007 R2 client. The OCS 2007 R2 Attendant is an integrated call-management client application that enables a user, such as a receptionist, to manage many conversations simultaneously.

• Response Group service. This service enables administrators to create and configure one or more small response groups for routing and queuing incoming phone calls to one or more designated agents. Typical scenarios include an internal help desk or customer-service desks.

International Requirements for Unified Messaging

Key Points Unified Messaging provides language packs to satisfy international Unified Messaging requirements. In multiple-language environments, you should install the applicable Unified Messaging language packs, because some Unified Messaging users prefer their voice prompts in a different language, or because they receive e-mail messages in multiple languages that they need to access using Outlook Voice Access (OVA). If you do not install the Unified Messaging language pack for a particular language, e-mail messages in that language will be illogical and incoherent when they are relayed to the user.

Several key components rely on Unified Messaging language packs to enable users and callers to interact effectively with Exchange Server 2010 Unified Messaging in multiple languages. Each language pack includes:

• A Text-to-Speech (TTS) engine to read and convert messages when Outlook Voice Access users access their inboxes.

• The prerecorded prompts used to configure Unified Messaging dial plans and auto attendants.

• ASR support for speech-enabled Unified Messaging dial plans and auto attendants.

To install a language pack, use Setup.com /AddUMLanguagePack found in the Exchsrvr\Bin directory of the Exchange Server installation.

Once you install your language packs, you can change the default language configured for each dial plan. Users automatically use the default language if their configured language setting in Outlook Web App is not available as a language pack. For example, if you install only the English and German language packs, and the English language pack is the default on the dial plan, a user with the French language configuration in Outlook Web App will hear English prompts.

In Exchange Server 2007, each language pack included the TTS engine but only supported ASR for US English. In Exchange Server 2010, all available language packs contain ASR support.

Lesson 3 Configuring Unified Messaging

To enable Unified Messaging in Exchange Server 2010, you first need to understand how Exchange Server 2010 implements Unified Messaging. Then you need to configure the Unified Messaging server role and its required components.

This lesson describes the basic Exchange Server 2010 Unified Messaging components.

After completing this lesson, you will be able to:

• Describe the process for installing Unified Messaging.

• Implement a Unified Messaging dial plan.

• Implement a Unified Messaging IP gateway.

• Implement a Unified Messaging hunt group.

• Implement a Unified Messaging mailbox policy.

• Create a Unified Messaging auto attendant.

• Configure call-answering rules.

Process for Installing Unified Messaging

Key Points Complete the following steps to install Unified Messaging:

1. Install the Unified Messaging server role. You must install a Mailbox server, a Hub Transport server, and a Client Access server before you can install the Unified Messaging server role. You can install the Unified Messaging role on the same computer that runs these prerequisite roles or on a separate computer.

Note: Before you install the Unified Messaging server role on a Windows Server® 2008 computer, you must install the Desktop Experience feature. This feature provides the Windows® Media Encoder and Windows Media® Audio Voice Codec that the Unified Messaging server requires.

2. Create a Unified Messaging dial plan. A dial plan is the telephony extension-numbering plan. All users within a dial plan have a unique extension number, and the combination of dial plan and the user extension uniquely identifies each Unified Messaging user. After creating the Unified Messaging dial plan, you need to associate it with a Unified Messaging server.

3. Create a Unified Messaging IP gateway. A Unified Messaging IP gateway object represents a physical VoIP gateway (with an IP address) from which a Unified Messaging server can receive calls. The Unified Messaging server requires this information to connect to the VoIP gateway and the PBX.

4. Create a Unified Messaging hunt group. A hunt group groups phone numbers together for specific purposes. An IP gateway object contains hunt groups. You can associate one or more hunt groups with an IP gateway. A default hunt group is created automatically if you create an IP gateway and associate it with a Unified Messaging dial plan. You can customize that hunt group or create additional ones.

5. Configure a Unified Messaging mailbox policy. A Unified Messaging mailbox policy is created by default each time you create a Unified Messaging dial plan. You can configure that mailbox policy or create a new one. When you configure the policy, you can specify policy properties, such as the maximum greeting length, the number of unsuccessful login attempts before the Unified Messaging server resets the password, the minimum digits that a PIN requires, and international calling restrictions.

6. Enable mailboxes for Unified Messaging. You must enable mailboxes to allow the mailboxes to access Unified Messaging services. You must associate each user mailbox with a Unified Messaging mailbox policy and a unique extension number.

7. Create a Unified Messaging auto attendant object. The auto attendant feature is an optional component. To enable the auto attendant, you must create and configure an associated dial plan.

Note: These steps describe the process of installing Unified Messaging in an Exchange Server 2010 environment. To complete this installation in a production environment, you also must configure the PBX and the VoIP gateway to route calls to the Unified Messaging servers.
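
The following Exchange Management Shell sequence is an added example, not part of the course material, that carries out steps 2 to 7 of the procedure above in order. It assumes step 1 is complete (the Mailbox, Hub Transport, Client Access and Unified Messaging roles are installed) and that a certificate has already been enabled for the UM service on the Unified Messaging server, because the dial plan it creates uses secured SIP. The dial plan, server, gateway, policy and mailbox names, the extension and pilot numbers, and the gateway FQDN gw01.contoso.com are all placeholders.

```powershell
# Added example, not course material: Exchange Management Shell commands for
# steps 2 to 7 of the Unified Messaging installation procedure. Assumes step 1
# is done and a certificate is enabled for the UM service (needed for Secured
# VoIP security). Every name, number and address below is a placeholder.
$DialPlanName = 'Contoso-4digit'
$UMServer     = 'UM01'
$GatewayName  = 'Contoso-GW01'
$GatewayFqdn  = 'gw01.contoso.com'    # FQDN, not an IP: the TLS certificate name must match
$PolicyName   = 'Contoso-UM-Policy'

# 2. Dial plan: 4-digit extensions, subscriber access number 5000, English
#    prompts. Secured = SIP over TLS plus SRTP for the media; use SIPSecured
#    instead if the gateway can protect signaling but not media.
New-UMDialPlan -Name $DialPlanName -NumberOfDigitsInExtension 4 -URIType TelExtn `
    -VoIPSecurity Secured -CountryOrRegionCode 1 -AccessTelephoneNumbers '5000' `
    -DefaultLanguage en-US
# Associate the plan with the UM server and let the server listen for TLS as
# well as TCP (Dual). The UM service must be restarted for the mode to apply.
Set-UMServer -Identity $UMServer -DialPlans $DialPlanName -UMStartupMode Dual

# 3. IP gateway object for the physical VoIP gateway. Naming the dial plan
#    here creates the default hunt group automatically.
New-UMIPGateway -Name $GatewayName -Address $GatewayFqdn -UMDialPlan $DialPlanName

# 4. Extra hunt group keyed on the pilot identifier the PBX sends with calls it
#    forwards to the gateway (the subscriber access number in this case).
New-UMHuntGroup -Name "$GatewayName-Subscriber" -UMDialPlan $DialPlanName `
    -UMIPGateway $GatewayName -PilotIdentifier '5000'

# 5. Mailbox policy. The PIN is reset after 3 consecutive failed logons and
#    the UM mailbox is locked after 6; the reset threshold must be the lower
#    of the two. International dialing stays off unless a business case exists.
New-UMMailboxPolicy -Name $PolicyName -UMDialPlan $DialPlanName
Set-UMMailboxPolicy -Identity $PolicyName `
    -MinPINLength 6 -AllowCommonPatterns $false -PINLifetime 90 -PINHistoryCount 5 `
    -LogonFailuresBeforePINReset 3 -MaxLogonAttempts 6 `
    -MaxGreetingDuration 2 -AllowInternationalCalls $false

# 6. Enable a mailbox with the policy and a unique extension. PinExpired makes
#    the user replace the initial PIN at the first Outlook Voice Access logon.
Enable-UMMailbox -Identity 'alice@contoso.com' -UMMailboxPolicy $PolicyName `
    -Extensions '1234' -PinExpired $true

# 7. Optional auto attendant on pilot number 5001, speech enabled.
New-UMAutoAttendant -Name 'Contoso-AA' -UMDialPlan $DialPlanName `
    -PilotIdentifierList '5001' -SpeechEnabled $true -Status Enabled

# Confirm the chain gateway -> hunt group -> dial plan before routing calls
Get-UMHuntGroup -UMIPGateway $GatewayName | Format-Table Name, PilotIdentifier, UMDialPlan
```

The order matters: the dial plan must exist before the gateway, policy, mailbox and auto attendant can reference it, and the gateway must be associated with a dial plan before the PBX is configured to forward calls to it. The mailbox policy settings in step 5 are the ones a security review usually asks about, since the PIN is the only credential a caller presents to Outlook Voice Access.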

What Is a Unified Messaging Dial Plan?

Key Points The Unified Messaging dial plan is the basic Unified Messaging administrative unit. It is the telephony extension-numbering plan. Within Unified Messaging, the dial plan, plus the extension number, provides the unique identifier for each Unified Messaging user. The dial plan also controls the numbering scheme and the outbound dialing plan.

How Unified Messaging Uses Dial Plans The Unified Messaging dial plan is an Active Directory container object that is a logical representation of a telephony dial plan that you configure on a PBX. The dial plan establishes a link from an Exchange Server 2010 recipient’s telephone extension number in AD DS to a Unified Messaging-enabled mailbox.

Unified Messaging uses dial-plan information, such as the number of digits an extension has. When you configure Unified Messaging, you enter the extension length. You also can configure many other dial-plan settings, including:

• Access numbers for subscribers of this dial plan.

• Default greetings that play when dial-plan subscribers call into the Unified Messaging server.

• Dial codes for dialing external phone numbers and international numbers.

• Features such as whether subscribers can transfer callers to other users and whom callers can contact.

• Time limits for calls, messages, and idle timeouts.

• Default language for voice prompts.

• The audio codec format for voice messages, such as MP3.

Note: You need at least one Unified Messaging dial plan, and that dial plan requires a Unified Messaging server and an associated Unified Messaging IP gateway.


What Is a Unified Messaging IP Gateway?

Key Points

The Unified Messaging IP gateway is an Active Directory container object that logically represents a physical IP gateway hardware device that translates between the circuit-switched telephone network and an IP or packet-switched network. The Unified Messaging IP gateway can represent either a VoIP gateway or an IP-PBX.

The Unified Messaging IP gateway contains one or more Unified Messaging hunt-group objects and other Unified Messaging IP gateway-configuration settings, including the actual IP gateway object. The combination of the IP gateway object and a Unified Messaging hunt-group object establishes a logical link between an IP gateway hardware device and a Unified Messaging dial plan.

Note: Before an IP gateway can process calls, a Unified Messaging IP gateway must be associated with at least one Unified Messaging dial plan.


Implementing Unified Messaging IP Gateways

You can create a Unified Messaging IP gateway using the Exchange Management Shell or Exchange Management Console. When you create a new Unified Messaging IP gateway object, you enable Unified Messaging servers to connect to the VoIP gateway or IP PBX.

By default, IP gateways remain in an enabled state after you create them. However, you can enable or disable the Unified Messaging IP gateway. If you disable a Unified Messaging IP gateway, it can be in one of two disabled modes. The first disabled mode forces all associated Unified Messaging servers to drop existing calls. The second disabled mode forces the Unified Messaging server associated with the Unified Messaging IP gateway to stop handling any new calls that the IP gateway presents. You can enable or disable an IP gateway from the Exchange Management Console or the Exchange Management Shell.


What Is a Unified Messaging Hunt Group?

Key Points

The Unified Messaging hunt group is a logical representation of an existing PBX or IP PBX hunt group. When the hunt group’s pilot number receives a call, the PBX or IP PBX looks for the next available extension number to deliver the call. When the call’s recipient does not answer an incoming call, or the line is busy because the recipient is on another call, the PBX or IP PBX routes the call to the Unified Messaging server. Unified Messaging hunt groups act as a connection or link between the Unified Messaging IP gateway and the Unified Messaging dial plan. Therefore, you must associate a single Unified Messaging hunt group with at least one Unified Messaging IP gateway and one Unified Messaging dial plan.

Unified Messaging hunt groups locate the PBX hunt group from which the incoming call was received. A pilot number that is specified for a hunt group in the PBX also must be specified within the Unified Messaging hunt group. The pilot number enables the Unified Messaging server to associate the call with the correct dial plan so that it can route the call correctly.


Implementing Unified Messaging Hunt Groups

When you create a new hunt-group object, you enable Unified Messaging servers in the specified dial plan to communicate with the IP gateway object. When creating a new hunt-group object, you need to specify the dial plan and the pilot identifier (pilot number) that the new hunt group will use.

Question: Is it possible to create a Unified Messaging hunt group without an available Unified Messaging IP gateway?


What Is a Unified Messaging Mailbox Policy?

Key Points

Unified Messaging mailbox policies apply and standardize Unified Messaging configuration settings for Unified Messaging-enabled users. You can create Unified Messaging mailbox policies, and then add the policy to Unified Messaging-enabled mailboxes to apply a common set of policies or security settings.

Unified Messaging mailbox policies are required before you can enable users to use Unified Messaging.

Implementing Unified Messaging Mailbox Policies

Create Unified Messaging mailbox policies in the Active Directory Configuration container, using either the Exchange Management Shell or Exchange Management Console. When you create a dial plan, a single, default Unified Messaging mailbox policy is created for it. However, you can create additional Unified Messaging mailbox policies based on your organization’s needs.


When you create a Unified Messaging mailbox policy, you can configure the following settings:

• Dial plan (required)

• Maximum greeting length

• Number of unsuccessful logon attempts before the password is reset

• Minimum number of digits that a PIN requires

• Number of days until users must create a new PIN

• Number of previous passwords that cannot be reused

• Restrictions on in-country/region or international calling

• Protected voice-mail settings

Each Unified Messaging-enabled user’s mailbox must link to only one Unified Messaging mailbox policy.
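The PIN-related settings listed above are the ones an attacker guessing voice-mail PINs runs into first, so they are worth checking across every policy in the organization rather than one at a time in the console. The following Exchange Management Shell script is an added example, not part of course 10135A: it audits each UM mailbox policy against assumed baseline thresholds and then tightens one policy (the remediation values and the policy name are choices made here, not settings the handbook prescribes).

```powershell
# Added example (not part of course 10135A): audit the PIN settings of every UM mailbox
# policy and tighten one that fails. Run in the Exchange Management Shell.
# The thresholds are assumed baseline values, not settings the handbook prescribes.
$MinimumPinLength     = 6
$MaximumPinLifetime   = 90   # days
$MaximumResetFailures = 5
$MinimumPinHistory    = 5

# Several policy properties are Unlimited<Int32>: either 'Unlimited' or a number.
# Normalise them to an integer so they can be compared (Unlimited -> Int32.MaxValue).
function ConvertFrom-UnlimitedValue {
    param($Value)
    if ($Value -ne $null -and $Value.PSObject.Properties['IsUnlimited'] -and $Value.IsUnlimited) {
        return [int]::MaxValue
    }
    if ($Value -ne $null -and $Value.PSObject.Properties['Value']) { return [int]$Value.Value }
    return [int]$Value
}

function Test-UMPinPolicy {
    param([Parameter(Mandatory=$true)]$Policy)
    $findings = @()

    if ($Policy.MinPINLength -lt $MinimumPinLength) {
        $findings += "MinPINLength $($Policy.MinPINLength) is below $MinimumPinLength"
    }

    $lifetime = ConvertFrom-UnlimitedValue $Policy.PINLifetime
    if ($lifetime -eq [int]::MaxValue) {
        $findings += "PINLifetime is Unlimited (PINs never expire)"
    } elseif ($lifetime -gt $MaximumPinLifetime) {
        $findings += "PINLifetime $lifetime days exceeds $MaximumPinLifetime"
    }

    $resetAfter = ConvertFrom-UnlimitedValue $Policy.LogonFailuresBeforePINReset
    if ($resetAfter -eq [int]::MaxValue) {
        $findings += "LogonFailuresBeforePINReset is Unlimited (PIN is never reset after failures)"
    } elseif ($resetAfter -gt $MaximumResetFailures) {
        $findings += "LogonFailuresBeforePINReset $resetAfter exceeds $MaximumResetFailures"
    }

    if ($Policy.PINHistoryCount -lt $MinimumPinHistory) {
        $findings += "PINHistoryCount $($Policy.PINHistoryCount) lets recent PINs be reused"
    }
    if ($Policy.AllowCommonPatterns) {
        $findings += "AllowCommonPatterns is enabled (sequential or repeated digits accepted)"
    }

    New-Object PSObject -Property @{
        Policy   = $Policy.Name
        DialPlan = $Policy.UMDialPlan
        Findings = $findings
    }
}

# Report only the policies that have at least one finding.
Get-UMMailboxPolicy |
    ForEach-Object { Test-UMPinPolicy -Policy $_ } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List Policy, DialPlan, Findings

# Remediate one policy. The identity is the default policy that a dial plan named
# DP-VAN-5digit creates; substitute your own policy name. The values are assumed.
Set-UMMailboxPolicy -Identity "DP-VAN-5digit Default Policy" `
    -MinPINLength 8 `
    -PINLifetime 90 `
    -PINHistoryCount 10 `
    -LogonFailuresBeforePINReset 5 `
    -MaxLogonAttempts 10 `
    -AllowCommonPatterns $false
```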


What Is a Unified Messaging Auto Attendant?

Key Points

A Unified Messaging auto attendant is an optional component of the Unified Messaging server. It creates a voice-menu system that enables external and internal callers to navigate through voice menus to locate and place, or transfer, calls to company users or organizational departments.

When anonymous or unauthenticated users call an external business telephone number, or when internal callers call a specified extension number, voice prompts help them place a call to a user, or locate and call a user.

The Unified Messaging auto attendant uses a series of WAV files that callers hear instead of a human operator. The Unified Messaging auto attendant lets callers navigate the menu system, place calls, or locate users using DTMF or voice inputs.


A Unified Messaging auto attendant provides:

• Corporate or informational greetings, such as business hours or directions to a location.

• Custom corporate menus that you can customize to have more than one level.

• A directory search function that enables callers to search the organization’s name directory.

• The ability for callers to connect to the telephone of, or leave a message for, organizational members.

Creating Auto Attendants

Each Unified Messaging auto attendant that you create is represented as an Active Directory object. There is no limit to how many Unified Messaging auto attendants you can create, and each auto attendant can support an unlimited number of extensions. However, you should design auto attendant menu systems carefully so that callers have a positive experience. A poorly designed menu system is very frustrating to callers when it takes a long time to reach the right party or the menus are difficult to navigate.

A Unified Messaging auto attendant can reference only one Unified Messaging dial plan. However, Unified Messaging auto attendants can reference or link to other Unified Messaging auto attendants.

When you create an auto attendant, you must provide the associated dial plan and extension numbers. After creating the auto attendant, you can configure alternative greetings by specifying the WAV files to use. You also can configure different settings for work and nonwork hours, and features such as call transferring.

Create auto attendants in the Exchange Management Console or by running the New-UMAutoAttendant cmdlet in the Exchange Management Shell.


Rules for Call Answering

Key Points

Call-answering rules, also known as Personal Auto Attendants, allow users to create and customize rules to enhance the experience that callers have when their calls are answered. For example, the call-answering rules can include features such as special greetings by contact or time of the day.

Using call answering rules, the caller can decide to:

• Leave a voice message for the Unified Messaging-enabled user.

• Transfer to an alternate contact of the Unified Messaging-enabled user.

• Transfer to an alternate contact’s voice mail.

• Transfer to other phone numbers that the Unified Messaging-enabled user configures.

• Use the Find-Me feature or locate the Unified Messaging-enabled user via a supervised transfer.


Call-answering rules consist of conditions, a greeting and menu, and actions. You can configure call-answering rules in Outlook Web App or Outlook 2010.

Condition

The following conditions are available:

• If the caller is: calling from a phone number, this specific contact, or in my contacts folder.

• If it is during this period: working hours, nonworking hours, or a specific time period that you define.

• If the user’s schedule shows a status of: free, tentative, busy, away.

• If you turn on automatic replies, such as when you turn on an automatic Out of Office message.

Greeting and Menu

The greeting and menu is the area where the caller can take the specific actions that users predefine. For example, after hearing a greeting that you recorded previously, the caller can be prompted to press a key to dial you at home.

Actions

Actions define the tasks that occur when callers choose specific menu selections. You can select the following actions:

• Find me at the following numbers: Defines the recorded prompt text, the number key the caller presses to transfer, and up to two phone numbers that ring for a specified time.

• Transfer the call to: Defines the recorded prompt text, the number key the caller presses to transfer, and either a phone number or a contact, or indicates that the call should transfer directly to voice mail.

• Leave a voice message: Transfers the caller directly to voice mail.


Lab: Implementing Unified Messaging

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.

2. Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running:

• 10135A-VAN-DC1: Domain controller in the Adatum.com domain.

• 10135A-VAN-EX1: Exchange 2010 server in the Adatum.com domain.

• 10135A-VAN-EX2: Exchange 2010 server in the Adatum.com domain.

3. If required, connect to the virtual machines. Log on to the virtual machines as Adatum\Administrator, using the password Pa$$w0rd.


Lab Scenario

You are a messaging administrator for A. Datum Corporation. Your organization has deployed Exchange Server 2010. Your users expect to have voice access to their mailboxes, so you must enable this feature and configure Unified Messaging.

Additionally, many native German speakers work at A. Datum, so you need to install the German language pack so that they also can use Unified Messaging.


Exercise 1: Installing and Configuring Unified Messaging Features

The main tasks for this exercise are:

1. Install the Desktop Experience feature.

2. Install the Unified Messaging role.

3. Install the German language pack.

4. Create a dial plan.

5. Create a Unified Messaging IP gateway and hunt group.

6. Change the default Unified Messaging mailbox policy.

7. Associate the Unified Messaging server with the dial plan.

8. Verify that the default dial-plan language is German.

Lab preparation

1. On the host computer, open Hyper-V™ Manager.

2. Right-click 10135A-VAN-EX2, and then click Settings.

3. Click DVD Drive, click Image file, and then click Browse.

4. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso.iso, and then click Open.

5. Click OK.

Task 1: Install the Desktop Experience feature

1. On VAN-EX2, close the AutoPlay dialog box.

2. In Server Manager, add the Desktop Experience feature and other required features.

3. When prompted, restart the computer.

4. After the computer restarts, log on as Adatum\Administrator.


Task 2: Install the Unified Messaging role

1. Use Programs and Features in Control Panel to open Microsoft Exchange Server 2010 Setup.

2. Install the Unified Messaging server role.

Task 3: Install the German language pack

1. In the Hyper-V management console, attach the UMLanguagePack_DE.iso file to 10135A-VAN-EX2.

2. Install the German language pack.

Task 4: Create a dial plan

1. On VAN-EX2, create a new dial plan using the Exchange Management Console.

2. Configure the dial plan with the following settings:

• Name: DP-VAN-5digit

• VoIP security: Unsecured

• Country/Region code: 1604

Task 5: Create a Unified Messaging IP gateway and hunt group

1. Create a Unified Messaging IP gateway named IPTestPhone using Exchange Management Console, and then configure an IP address of 10.10.0.10, and use DP-VAN-5digit as the dial plan.

2. Create a Unified Messaging hunt group named HG-VAN-5digits for the IP gateway, and then configure a Pilot identifier of 90000.

Task 6: Change the default Unified Messaging mailbox policy

1. Configure message text for the Unified Messaging mailbox policy that reads “Welcome to the Unified Messaging Server VAN-EX2” to be sent to users when their mailboxes are enabled for Unified Messaging.

2. Configure the PIN policies for the mailbox policy so that they never expire.


Task 7: Associate the Unified Messaging server with the dial plan

1. Open the VAN-EX2 server properties in Exchange Management Console.

2. Add an associated dial plan to the server.

Task 8: Verify that the default dial-plan language is German

1. In the Organization Configuration, Unified Messaging node, double-click the DP-VAN-5digit dial plan to open it.

2. In the Settings tab, verify that the default language was changed to German.

Results: After this exercise, you should have installed the Unified Messaging role and configured the basic server-side settings for Unified Messaging, namely a dial plan, an IP gateway, a hunt group, and a mailbox policy. You also will have assigned the dial plan to a Unified Messaging server.
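Tasks 4 through 8 above are performed in the Exchange Management Console; the following Exchange Management Shell session is an added example (not the handbook's own lab steps) that builds the same objects with the lab's names and values and then verifies the result. It assumes the Unified Messaging role and the German language pack are already installed on VAN-EX2, and it adds one step the lab does not include: an auto attendant, whose name and pilot number are assumed.

```powershell
# Added example: Exchange Management Shell equivalent of lab tasks 4-8 (not part of the
# course text). Run on VAN-EX2 after the UM role and the German language pack are installed.

# Task 4: dial plan. The lab creates a 5-digit telephone-extension plan.
# VoIPSecurity Unsecured sends SIP signalling and RTP media in clear text; that is fine for
# the isolated lab network, but production dial plans should use SIPSecured or Secured.
New-UMDialPlan -Name "DP-VAN-5digit" `
               -NumberOfDigitsInExtension 5 `
               -URIType TelExtn `
               -VoIPSecurity Unsecured `
               -CountryOrRegionCode 1604

# Task 5: IP gateway and hunt group. Creating the gateway with -UMDialPlan also creates a
# default hunt group; the lab then adds HG-VAN-5digits with pilot identifier 90000.
New-UMIPGateway -Name "IPTestPhone" -Address 10.10.0.10 -UMDialPlan "DP-VAN-5digit"
New-UMHuntGroup -Name "HG-VAN-5digits" `
                -UMDialPlan "DP-VAN-5digit" `
                -UMIPGateway "IPTestPhone" `
                -PilotIdentifier 90000

# Task 6: the default mailbox policy that the dial plan created. PINLifetime Unlimited is
# the lab setting (PINs never expire); see the mailbox policy settings list for the
# PIN controls you would normally tighten instead.
Set-UMMailboxPolicy -Identity "DP-VAN-5digit Default Policy" `
    -UMEnabledText "Welcome to the Unified Messaging Server VAN-EX2" `
    -PINLifetime Unlimited

# Task 7: associate the UM server with the dial plan.
Set-UMServer -Identity VAN-EX2 -DialPlans "DP-VAN-5digit"

# Task 8: the lab verifies that the default language is German. Setting it explicitly
# makes the result independent of what the console wizard chose.
Set-UMDialPlan -Identity "DP-VAN-5digit" -DefaultLanguage de-DE

# Optional, mirrors step 7 of the installation overview (not a lab task). The auto
# attendant name and pilot number are assumed values.
New-UMAutoAttendant -Name "AA-VAN" -UMDialPlan "DP-VAN-5digit" `
                    -PilotIdentifierList 90001 -Status Enabled

# Verification: dial plan, server association, hunt groups and gateway state.
Get-UMDialPlan -Identity "DP-VAN-5digit" |
    Format-List Name, NumberOfDigitsInExtension, VoIPSecurity, CountryOrRegionCode, DefaultLanguage
Get-UMServer -Identity VAN-EX2 | Format-List Name, DialPlans, Status
Get-UMHuntGroup -UMDialPlan "DP-VAN-5digit" | Format-Table Name, PilotIdentifier, UMIPGateway
Get-UMIPGateway -Identity "IPTestPhone" | Format-List Name, Address, Status
```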

To revert the virtual machines

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V™ Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions

1. If your company already implemented Microsoft Office Communications Server 2007 R2 and connected OCS to the PBX, do you need an additional IP PBX for Exchange Server 2010 Unified Messaging?

2. Users want to ensure that private voice mails are protected. Does Exchange Server 2010 Unified Messaging have a feature to do this?


Common Issues Related to Unified Messaging

Identify the causes for the following common issues related to implementing Unified Messaging, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: You are unable to enable Unified Messaging in mailbox properties on the Mailbox Features tab. It is unavailable.

Troubleshooting tip: This is a common mistake. Do not enable Unified Messaging in the mailbox properties. Instead, select Enable Unified Messaging on the Actions pane in Recipient Configuration.

Best Practices Related to Implementing Unified Messaging

Supplement or modify the following best practices for your own work situations:

• Once you install the Unified Messaging server role, check the event log to make sure the service is operational and no error messages appear.

• After installing the Unified Messaging server role, configure a dial plan, a Unified Messaging IP gateway, a hunt group, and a Unified Messaging mailbox policy, and then associate the dial plan with the Unified Messaging server. Then use the Exchange Unified Messaging Test Phone to see if the configuration is working, before you configure your IP PBX or PBX to communicate with the Exchange server.

Tools

Tool: Exchange Server Unified Messaging Test Phone

Use for: Connect to your Unified Messaging server via voice access to your mailbox.

Where to find it: Exchange Server\bin\ExchangeUMTestPhone.exe; http://go.microsoft.com/fwlink/?LinkId=179981


Appendix B Advanced Topics in Exchange Server 2010

Contents:

Lesson 1: Deploying Highly Available Solutions for Multiple Sites B-3

Lesson 2: Implementing Federated Sharing B-15


Appendix Overview

Microsoft® Exchange Server 2010 offers several advanced features that organizations with special requirements may find interesting. These features include the ability to deploy a highly available Exchange Server across multiple data centers and deploy Federated Sharing, which enables sharing of availability and contact information between organizations. This appendix provides an overview of how to deploy these two features.

After completing this appendix, you will be able to:

• Implement high availability solutions for multiple sites.

• Implement Federated Sharing.


Lesson 1 Deploying Highly Available Solutions for Multiple Sites

Multiple site recovery is an important concern for many companies because of the natural disasters that have affected many organizations and resulted in increased regulatory-compliance requirements. Exchange Server 2010 greatly simplifies creating a multiple-site, high-availability solution, and it enables organizations to adopt the solution more easily than previous Exchange versions.

This lesson provides an overview of how to apply single-site, high availability concepts to a multiple-site configuration.

After completing this lesson, you will be able to:

• Describe scenarios for deploying multiple-site, high-availability solutions.

• Describe the challenges of creating a multiple-site database availability group (DAG).


• Describe the challenges of implementing high availability across multiple sites for nonmailbox roles.

• Describe the data center failover process.

• Describe the best practices for implementing a multiple-site, high-availability solution.


Discussion: High Availability for Multiple Sites

Single-site availability enables you to host your company’s Exchange Server environment in many different scenarios. You also can use a secondary site for maintenance events or in cases where the primary site experiences a level of failure that your organization cannot sustain.

Although Exchange Server 2010 simplifies multisite configuration, it still requires ample planning and configuration to implement and maintain a multisite configuration successfully.


Question: What are some common multisite high availability scenarios?

Question: Does your company have a warm disaster-recovery site or is it planning to have one?

Question: After mail services successfully fail over to the second site, what other issues might you still need to address?


Using Cross-Site DAGs

Key Points

Exchange Server 2010 enables a multisite deployment of the Exchange Server infrastructure that reduces the requirements you must meet compared to previous Exchange Server versions. In earlier Exchange Server versions, multisite clustering required complicated hardware and was difficult to configure. For example, creating a multisite Exchange Server 2007 mailbox cluster on Windows Server 2003 requires a complicated network configuration to span a subnet, and the Active Directory® directory service site, between the two sites. Exchange Server 2007 Service Pack 1 introduced a failover method called Standby Continuous Replication (SCR). However, as the name suggests, it does not take advantage of clustering and only provides a standby copy of the data, which requires a manual activation process. With Exchange Server 2010 combined with Windows Server® 2008 failover clustering, you can create a cross-site DAG without any need for special network hardware, a single subnet spanned, or a shared Active Directory site between the two locations.


However, you need to meet a number of requirements to configure and maintain a cross-site DAG configuration:

• Less than 250 milliseconds (ms) latency between all DAG nodes. To maintain the cluster operation properly, there should be minimal latency as each node communicates with the other nodes.

• Reestablishing cluster quorum after site failure. If the majority of the nodes are not available because a failure occurs at the initial site, you must reconfigure the DAG manually to reestablish quorum, by using the Exchange Management Shell.

• Supporting nonmailbox roles in each site. To provide mail delivery and client access to the second site’s DAG members, you must ensure that the appropriate Exchange server roles are available.

• At least one domain controller in each site. In any configuration, Exchange Server requires that each Active Directory site into which you deploy Exchange Server have a domain controller available. To provide redundancy, you should deploy at least two domain controllers per site.

Question: Why should you not implement an automatic data center failover, even if it is possible?


Challenges of Implementing Cross-Site, Nonmailbox Servers

Key Points

When you deploy nonmailbox servers to support a cross-site failover, you might come across several issues, including:

• You have to change Domain Name System (DNS) entries for Microsoft Outlook® Web App, Outlook Anywhere, and Autodiscover to reflect the secondary site’s IP addresses. If you do not change these entries quickly, it may increase the time that it takes users to reconnect to the secondary site’s Exchange server. You also can handle these changes by deploying DNS servers in multiple locations or by using third-party global-server load balancing to provide traffic only to the active site.

• Certificates should include all possible service names in both data centers. However, each separate certificate that you use in each data center should have the same principal name.


• You must redirect external services to the secondary site, so that Exchange can accept inbound connections and you can restore service. This would include changing the weight of mail exchanger (MX) resource records for inbound e-mail, or reconfiguring hosted anti-spam, antivirus, and archiving services.

• A standard configuration requires users to log off and then log on to their client, since it must switch to the remote procedure call (RPC) client-access array to which it is connected. You need to notify or train users that this is expected behavior. Alternatively, using the same server certificate in both RPC client-access arrays, and then pointing the DNS record for the primary RPC client-access array to the secondary RPC client-access array, will remove this requirement for Outlook 2007 and newer clients. However, Outlook 2003 clients require that you repair the MAPI profile manually to complete the failover.


Failover Process for Data Centers

Key Points

To prepare for failure activation, you must enable datacenter activation coordination (DAC) mode on the DAG. This allows an administrator to activate the site, even if a majority of DAG members remains unavailable in the failed site, and it prevents split-brain scenarios.

The failover process includes the following steps:

1. The primary data center fails.

2. Adjust DNS records, if necessary, for Simple Mail Transfer Protocol (SMTP), Outlook Web App, Autodiscover, Outlook Anywhere, and any legacy protocols. You can make adjustments manually or use third-party, global-server load balancing to make changes automatically.

3. Reconfigure the DAG to remove the primary site’s servers from the Windows Failover Cluster, but retain them in the DAG.


4. Reconfigure the DAG to use an alternative file-share witness and restore the functionality in the secondary site.

5. The remaining Active Managers coordinate mounting databases in Site B.
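The preparation (DAC mode) and steps 3 through 5 above, together with a check of the latency requirement from the cross-site DAG requirements list, are driven from the Exchange Management Shell in the following added example. It is not part of the handbook; the DAG name, Active Directory site names, member server names and alternate witness server and directory are assumed placeholders, and step 2 (DNS changes) is done outside Exchange and is not shown.

```powershell
# Added example (not from course 10135A): prepare a cross-site DAG for datacenter
# switchover and run the failover steps from the Exchange Management Shell.
# DAG name, site names, witness server and directory are assumed placeholders.
$Dag              = "DAG1"
$PrimarySite      = "Site-A"
$SecondarySite    = "Site-B"
$AlternateWitness = "HUB2.adatum.com"   # a Hub Transport server in the secondary site
$WitnessDirectory = "C:\DAG1-FSW"

# ---- Preparation (before any failure) ----
# DAC mode lets the secondary site be activated while the majority of DAG members is
# unreachable, and stops a recovering primary site from mounting the same databases
# (split brain). Registering the alternate witness now saves a step during the outage.
Set-DatabaseAvailabilityGroup -Identity $Dag `
    -DatacenterActivationMode DagOnly `
    -AlternateWitnessServer $AlternateWitness `
    -AlternateWitnessDirectory $WitnessDirectory

# Check the cross-site requirement of less than 250 ms latency between all DAG members.
function Test-DagLatency {
    param([string[]]$Members, [int]$LimitMs = 250)
    foreach ($target in $Members) {
        $replies = Test-Connection -ComputerName $target -Count 5 -ErrorAction SilentlyContinue
        if (-not $replies) { Write-Warning "$target did not answer ICMP"; continue }
        $avg   = ($replies | Measure-Object -Property ResponseTime -Average).Average
        $state = if ($avg -lt $LimitMs) { "OK" } else { "TOO SLOW" }
        "{0,-25} {1,6:N0} ms  {2}" -f $target, $avg, $state
    }
}
$members = (Get-DatabaseAvailabilityGroup -Identity $Dag).Servers | ForEach-Object { $_.Name }
Test-DagLatency -Members $members

# ---- Failover (steps 3 to 5 above) ----
# Step 3: mark the primary site's members as stopped. They remain DAG members but are
# evicted from the cluster. -ConfigurationOnly records the change in Active Directory
# when the primary site's servers cannot be reached.
Stop-DatabaseAvailabilityGroup -Identity $Dag -ActiveDirectorySite $PrimarySite -ConfigurationOnly

# On each surviving member in the secondary site, stop the cluster service so that
# Restore-DatabaseAvailabilityGroup can re-form the cluster with the alternate witness.
$survivors = (Get-DatabaseAvailabilityGroup -Identity $Dag -Status).StartedMailboxServers
foreach ($server in $survivors) {
    Get-Service -Name ClusSvc -ComputerName $server.Name | Stop-Service
}

# Step 4: re-form the cluster in the secondary site using the alternate file-share
# witness and restore quorum. Active Manager then mounts the databases there (step 5).
Restore-DatabaseAvailabilityGroup -Identity $Dag -ActiveDirectorySite $SecondarySite `
    -AlternateWitnessServer $AlternateWitness -AlternateWitnessDirectory $WitnessDirectory

# Verify: each database should show as Mounted on one secondary-site member.
foreach ($server in $survivors) {
    Get-MailboxDatabaseCopyStatus -Server $server.Name |
        Format-Table Name, Status, CopyQueueLength, ContentIndexState -AutoSize
}
```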


Best Practices for Multisite Failover

Key Points

By implementing certain best practices, you can ensure a successful highly available, multiple-site configuration. To begin, reduce failover time by using low Time to Live (TTL) on DNS records for the Client Access server array, Client Access server URLs, and SMTP records. Using a low TTL enables the DNS clients to discover DNS entries more quickly that point to the secondary site.

If a failure occurs, it is important to ensure that everything works as designed. Therefore, you should continually monitor and verify that all messaging-system components are functioning properly. To do this, you should first monitor all aspects of the Exchange Server environment to ensure that it is functioning normally, and that mailbox data is successfully replicating to the secondary site in a timely manner. Next, you can schedule periodic failover tests to provide an additional level of preparation and to validate the configuration and operation of the cross-site failover process.


You also should follow a change-management process to ensure that each Mailbox server in the DAG, each Client Access server, and each Hub Transport server are configured identically and have the same updates applied. Doing this reduces the possibility of incompatibilities and unexpected behavior if a failover occurs.

Finally, we recommend that you follow the Windows Server Failover Clustering best practice of having each node connected to multiple networks. These multiple networks provide communication redundancy between cluster nodes. However, to reduce network congestion and potential communications problems, you should not allow them to perform cluster heartbeat communications.


Lesson 2 Implementing Federated Sharing

Federated Sharing enables organizations to share availability and contact information, and to send secure messages, with other organizations that also are running Exchange Server 2010. Federated Sharing enables a user to share information transparently with users in other Exchange Server organizations. Information that they can share includes free or busy data or Calendar details. After you configure Federated Sharing, your users can book meetings with a partner organization’s users by utilizing exactly the same steps as booking meetings with users inside your organization.

After completing this lesson, you will be able to:

• Define Federated Sharing.

• Describe the components that are required for Federated Sharing.

• Describe how Federated Sharing works.


• Describe how Federated message delivery works.

• Describe how to configure a Federated Trust.

• Describe how to configure organizational relationships and sharing policies.


What Is Federated Sharing?

Key Points

Federated Sharing uses standard federation technologies to allow organizations to establish trusted relationships with each other. To establish federation trust, organizations exchange certificates with public keys, or with a trusted third party, and use those certificates to authenticate and secure all communications between them.

In Exchange Server 2010, you use the Microsoft Federation Gateway to establish the federation. The Microsoft Federation Gateway is an identity service that runs over the Internet and works as a trust broker for Federated Sharing. To enable Federated Sharing, the organization must register with the Microsoft Federation Gateway, and then configure a federated sharing relationship with another organization that also registers with the Federation Gateway.


The Federation Gateway then acts as a hub for all connections that the organizations make to each other. For example, in a Federated Sharing scenario, the Client Access servers in each organization should be able to establish an authenticated and secure connection with each other to enable the exchange of availability information or to enable calendar sharing. The Client Access servers use the federated trust that you configure with the Federation Gateway to verify the other organization’s Client Access servers and to encrypt all traffic sent between the organizations.

You also can use the federated sharing relationship to send encrypted and authenticated e-mail between the organizations.

Note: The Federation Gateway only provides a broker service to establish the communication between the organizations. The Federation Gateway does not authenticate individual users or require any user accounts from either organization. Although the Federation Gateway uses Windows Live as the authentication mechanism, it shares no user accounts with Windows Live™.

In a Federated Sharing scenario, each organization needs to manage only its own trust relationship with the Federation Gateway and its own user accounts. After the organization establishes the trust relationship with the Federation Gateway, you can configure the other trusted organizations with which you want to share information, and the types of information that you want to share.

When you enable Federated Sharing, all communication between the organizations is sent through each organization’s Exchange Server 2010 servers. This communication is transparent to the messaging clients, which means that the feature works with any client that can connect to Exchange Server 2010, including Outlook Web App, Outlook 2003, and Outlook 2007.


Components of Federated Sharing

Key Points

To set up federation, you must configure three major components in Exchange Server 2010.

Federation Trust

This establishes a trust with the Microsoft Federation Gateway. The federation trust configures the Microsoft Federation Gateway as a federation partner of the Exchange Server organization, which means that Exchange Web Services on the Client Access servers can validate all Microsoft Federation Gateway authentication requests. You establish the federation trust by submitting the organization’s public key and certificate to the Microsoft Federation Gateway and downloading the Microsoft Federation Gateway public key and certificate.


Organization Identifier

The organization identifier defines which of the Exchange organization’s authoritative accepted domains are available for federation. If an organization supports multiple SMTP domains, you can include one or all of the domain names in the organization identifier. Users can participate in Federated Sharing only if they have e-mail addresses in the domains that you configure in the organization identifier.

The first domain that you specify in the organization identifier is the account namespace. The Microsoft Federation Gateway creates federated user identifiers within this account namespace when the Client Access server requests a delegation token for an Exchange Server organization user. This process is transparent to the Exchange Server organization.

Organization Relationships

An organization relationship allows you to establish a federated sharing relationship with another federated organization for the purpose of sharing availability (free/busy) information, or enabling federated delivery of e-mail. Organization relationships are one-to-one relationships established between two organizations. Before you can configure an organization relationship, you must establish a single Federation Trust with the Microsoft Federation Gateway and configure the Organization Identifier.

When you create an organization relationship with an external organization, it allows users in the external organization to access your users’ availability information, allowing them to schedule meetings easily with your users. No replication of Global Address List (GAL) information is required. Outlook 2010 and Outlook Web App allow users to enter the SMTP address of an external recipient when scheduling meetings. For users in your organization to have similar access to availability information of users in the external organization, the administrator in the external organization must also create an organization relationship with your organization.

Sharing Relationships

You can use sharing policies to enable users to share calendar and contact information that resides in the respective folders with users in external federated organizations. After you configure the sharing relationship, a user can send a sharing invitation to an external recipient to share his or her calendar or contact folder. Using sharing policies, you control the domains with which your users share information, and the extent of sharing. You can also disable a sharing policy for a user or a group of users to deny any sharing for those users.


Sharing policies are assigned to mailbox users. A default sharing policy applies to users by default, and allows sharing of their calendar, to the extent of availability information, with all external domains. After you create a Federation Trust with the Microsoft Federation Gateway (MFG) and configure the Federated Organization Identifier (OrgID), users can send sharing invitations to share their availability information with users in any external organization.

Note: Although organization relationships and sharing policies allow sharing of availability information with external users, they are intended for different scenarios. Organization relationships are created to collaborate with external organizations, and include the capability to enable Federated Delivery of e-mail between the two organizations. Sharing policies govern what your users can share on an ad-hoc basis with users in external organizations, including organizations with which an organization relationship does not exist.


How Federated Sharing Works for Availability Information Access

Key Points

One of the options when configuring a sharing relationship is to enable users from one organization to view availability information for another organization’s users. The following steps describe the communication flow when you configure this option, and a user in one organization invites another organization’s user to a meeting.

1. A user in the Contoso.com organization invites a user in the Adatum.com organization to a meeting. This meeting request is sent to the Exchange Web Service on the Client Access server at Contoso.

2. The Contoso Client Access server checks with a Contoso.com domain controller to verify that the user has permission to utilize the sharing relationship to request availability information and that a sharing relationship is configured with Adatum.com. If both verifications succeed, the Client Access server continues with the next step.


3. The Contoso Client Access server connects to the Microsoft Federation Gateway and requests a security token for the Contoso user. Because you configure Contoso.com in the organization identifier, the Federation Gateway issues the token.

4. The Contoso Client Access server sends a request for the availability information for the user to the Adatum Client Access server. The Contoso Client Access server includes the security token with the request.

5. The Adatum Client Access server validates the security token and then checks with a domain controller in the Adatum.com domain to verify that the organization has a sharing relationship with Contoso.com.

6. The Adatum Client Access server retrieves the user’s availability information from the user’s Mailbox server.

7. The Adatum Client Access server sends the availability information to the Contoso Client Access server.

8. The Contoso Client Access server provides the availability information to the Contoso user.


How Federated Message Delivery Works

Key Points

The second option you can use when configuring a sharing relationship is to enable Federated Delivery. When you enable this option, users from one organization can send encrypted and authenticated e-mail to users in the other organization. The following steps describe the communication flow when you configure this option, and a user in one organization sends an e-mail to a user in the other organization:

1. A user in the Contoso.com organization sends an e-mail to a user in the Adatum.com organization. The message is sent through the Mailbox server to a Hub Transport server at Contoso.

2. The Hub Transport server at Contoso checks with a Contoso.com domain controller to verify that the user has permission to send messages across the sharing relationship, and to verify that a sharing relationship is configured with Adatum.com. If both verifications succeed, the Client Access server continues with the next step.


3. The Contoso Hub Transport server connects to the Microsoft Federation Gateway and requests a security token for the Contoso user. Because Contoso.com is configured in the organization identifier, the Federation Gateway will issue the token.

4. The Contoso Hub Transport server encrypts the message and sends the message to the Adatum.com Hub Transport server. The Contoso Hub Transport server encrypts the message using a key that the security token includes. The security token is encrypted using the Federation Gateway public key, and is sent to the Adatum.com Hub Transport server.

5. The Adatum Hub Transport server validates the security token, and then checks with a domain controller in the Adatum.com domain to verify that the organization has a sharing relationship with Contoso.com.

6. The Adatum Hub Transport server decrypts the security token and extracts the encryption key. The Hub Transport server then decrypts the message and forwards it to the user’s mailbox server.

Note: When you configure a sharing relationship with another organization and enable Federated Delivery, all messages sent by users with the appropriate permissions to use the sharing relationship are encrypted automatically. Users do not need to have certificates installed locally, and do not need to choose the option to send encrypted e-mail in Outlook.


Configuring a Federation Trust

Key Points

Before you can configure a sharing relationship with another organization, both organizations must configure a federation trust with the Microsoft Federation Gateway.

Prerequisites for Configuring a Federation Trust

Before configuring the federation trust, you must ensure that your organization meets the following prerequisites:

• Obtain a trusted certificate. Setting up a federation trust with the Federation Gateway requires a certificate from a public certificate authority (CA) that the Federation Gateway server trusts. The certificate requires a private/public key pair that is both a client and server certificate, and requires a Subject Key Identifier. This certificate must be deployed on all Exchange Server 2010 Client Access servers. The associated name of the certificate is not relevant to federation, so you can reuse an existing certificate on the Client Access server if the certificate is trusted.


The private/public key pair associated with the certificate signs and decrypts the delegation tokens that the Federation Gateway issues.

• Configure the authoritative domains. You must configure all SMTP domain names that you want to use for Federated Sharing as authoritative accepted domains in Exchange.

• Configure external DNS records. To enable Federated Sharing, you need to ensure that servers from other organizations can resolve your servers’ names on the Internet. Additionally, you need to configure DNS with a text (TXT) resource record that provides proof-of-ownership for your domain name. The Federation Gateway uses the proof-of-ownership record to ensure that your servers are authoritative for the domain name that you provide. To create this proof-of-ownership record, you need to:

1. Obtain the application identifier that is created when you create a federation trust. You can obtain this identifier by running the Get-FederationTrust -Identity 'FederationTrustName' | fl ApplicationIdentifier cmdlet.

2. Create a new TXT record on the DNS server that is accessible from the Internet. The TXT record should include the following information: domainname IN TXT AppID=ApplicationIdentifier.

Establishing the Federation Trust with Microsoft Federation Gateway

You can set up and manage the federation trust by using the Exchange Management Console or the Exchange Management Shell. The certificate that federation will use must already be deployed on the machine where you run these tasks, and that machine needs Internet connectivity to reach the Microsoft Federation Gateway.

If you are using the Exchange Management Console, click the Organization Configuration node, and then click New Federation Trust to start the New Federation Trust wizard. When you run the wizard, you must specify the certificate that will validate the trust. When you use the Exchange Management Console to create the federation trust, it automatically receives the name “Microsoft Federation Gateway”.


If you are using the Exchange Management Shell, run the New-FederationTrust -Name TrustName -Thumbprint <org-cert-thumbprint> cmdlet.

Note: When you use the Exchange Management Console to configure the federation trust, you can browse to locate a valid certificate. If you are using the Exchange Management Shell, you can use the Get-ExchangeCertificate cmdlet to obtain the certificate thumbprint.
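The prerequisite checks and trust creation described above, carried through in the Exchange Management Shell as an added example (this is not code from the course or from Microsoft): it selects a certificate that meets the stated requirements, creates the trust, reads the application identifier, confirms that the proof-of-ownership TXT record is visible in DNS before enabling the organization identifier, and finishes with Test-FederationTrust. The domain contoso.com, the administrator mailbox and the two Test-* function names are placeholders; Resolve-DnsName is assumed to be available (it ships with Windows Server 2012 and later), and the objects returned by Get-ExchangeCertificate are assumed to expose the standard X509Certificate2 members.

```powershell
# Added example, not part of the course: create and verify a federation trust from
# the Exchange Management Shell. Run on an Exchange 2010 Client Access server that
# has Internet access. 'contoso.com' and the administrator mailbox are placeholders.
$AccountNamespace = 'contoso.com'                  # placeholder: first OrgID domain
$TrustName        = 'Microsoft Federation Gateway' # the name the console wizard uses

function Test-FederationCertificate {
    # $true when the certificate meets the stated prerequisites: private key present,
    # a Subject Key Identifier extension, and both the server- and client-authentication
    # EKUs. Verify() additionally requires that this machine trusts the issuing chain.
    param($Certificate)   # object from Get-ExchangeCertificate (assumed X509Certificate2-based)
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    $hasSki = [bool]($Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' })
    return ($Certificate.HasPrivateKey -and $hasSki -and
            ($ekuOids -contains '1.3.6.1.5.5.7.3.1') -and   # id-kp-serverAuth
            ($ekuOids -contains '1.3.6.1.5.5.7.3.2') -and   # id-kp-clientAuth
            $Certificate.Verify())
}

$cert = Get-ExchangeCertificate | Where-Object { Test-FederationCertificate $_ } |
        Select-Object -First 1
if (-not $cert) { throw 'No certificate on this server meets the federation prerequisites.' }

New-FederationTrust -Name $TrustName -Thumbprint $cert.Thumbprint

# The ApplicationIdentifier is the value you publish as proof of domain ownership.
$appId = (Get-FederationTrust -Identity $TrustName).ApplicationIdentifier
Write-Host "Publish in external DNS:  $AccountNamespace  IN  TXT  AppID=$appId"

function Test-FederationProofOfOwnership {
    # $true when the TXT record the Federation Gateway will check is visible in DNS.
    # Resolve-DnsName is assumed (DnsClient module, Windows Server 2012 or later);
    # on Windows Server 2008 R2 query with 'nslookup -type=TXT <domain>' instead.
    param([string]$Domain, [string]$ApplicationId)
    $records = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $values  = @($records | ForEach-Object { $_.Strings })
    return [bool]($values -contains "AppID=$ApplicationId")
}

# Do not enable the organization identifier until the proof-of-ownership record resolves.
if (-not (Test-FederationProofOfOwnership -Domain $AccountNamespace -ApplicationId $appId)) {
    throw "TXT record 'AppID=$appId' for $AccountNamespace not found; fix external DNS first."
}

# The first domain becomes the account namespace; further authoritative accepted
# domains are added afterwards with Add-FederatedDomain -DomainName <domain>.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $TrustName `
    -AccountNamespace $AccountNamespace -Enabled $true

# End-to-end check: request a delegation token from the Federation Gateway for a user.
Test-FederationTrust -UserIdentity "administrator@$AccountNamespace"
```

The certificate filter is the part worth keeping around: a certificate that is trusted and has a private key but lacks the client-authentication EKU or the Subject Key Identifier will be accepted by the wizard's browse dialog yet fail later when tokens are signed, so checking all four conditions up front avoids a trust that has to be torn down and recreated.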


Configuring Organizational Relationships and Sharing Policies

Key Points

After you create the federated trust, the next steps are to configure the organizational relationships and sharing policies that will enable your organization’s users to share information with other organizations.

Configuring Organizational Relationships

Organizational relationships define with which other domains you want to share information, and what types of information you will share.

To configure organizational relationships in the Exchange Management Console, click the Organization Management node, and then click New Organizational Relationship. When configuring the organizational relationship, you can configure the following:

• Name. Use a descriptive name.

• Enable or disable the organizational relationship.


• Enable the sharing of free/busy information. If you enable this option, you can configure the following levels of free/busy access:

  • No calendar sharing.

  • Calendar sharing with free/busy information only.

  • Calendar sharing with free/busy information, plus subject and location.

• Specify a security distribution group. If you specify this option, only the free/busy information of users in the group is accessible through the organizational relationship.

• Enable Federated Delivery. When you enable Federated Delivery, you also must configure the SMTP address for a valid mailbox in the destination domain.

• Configure the information for the external organization. You can configure the Exchange Server to discover the external organization’s configuration information automatically. When you do this, the Exchange server contacts the Microsoft Federation Gateway to locate this information. Alternatively, you can enter the external organization’s information manually, including the domain names, application uniform resource identifier (URI), and Autodiscover endpoint.

Configuring Sharing Policies

Sharing policies define which users in your organization can share information with other organizations, and what types of information those users can share.

The Default Sharing Policy is created by default when you install Exchange Server 2010. This policy enables sharing with all domains, but enables only calendar sharing with free/busy information. The policy is assigned to no mailboxes. You can modify all settings for the Default Sharing Policy.

If you want to enable users to participate in Federated Sharing, you can add the mailboxes to the Default Sharing Policy or create a new sharing policy. When you create a new sharing policy, you can configure:

• The domain name for the external domain.

• The sharing actions that are permitted under the policy. Options include:

  • Calendar sharing with free/busy information only.

  • Calendar sharing with free/busy, subject and location.


  • Calendar sharing with free/busy, subject, location, and body.

  • Contacts sharing.

  • Calendar sharing with free/busy information only and contacts sharing.

  • Calendar sharing with free/busy, subject and location, and contacts sharing.

  • Calendar sharing with free/busy, subject, location and body, and contacts sharing.

• The mailboxes to which the sharing policy will be assigned.
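The organizational relationship and sharing policy configuration described above, done in the Exchange Management Shell as an added example (not code from the course or from Microsoft). It creates a relationship for one partner domain using the automatic discovery path, creates a sharing policy restricted to that domain and to free/busy only, assigns the policy to a group of mailboxes, and then audits which relationships and policies expose data to that domain. The domain contoso.com, the security group 'Contoso Partners', the 'Sales' OU, the address user1@yourdomain.example and the Get-ExternalSharingExposure function are placeholders.

```powershell
# Added example, not part of the course: create an organization relationship and a
# sharing policy for one partner domain, then audit what that domain can see.
# Assumes a working federation trust and OrgID. 'contoso.com', the 'Contoso Partners'
# security group, the 'Sales' OU and 'user1@yourdomain.example' are placeholders.
$PartnerDomain = 'contoso.com'

# Get-FederationInformation asks the Federation Gateway for the partner's domain names,
# application URI and Autodiscover endpoint, so none of it is typed by hand.
# LimitedDetails = free/busy plus subject and location; the scope confines the
# exposure to members of one security distribution group.
Get-FederationInformation -DomainName $PartnerDomain |
    New-OrganizationRelationship -Name 'Contoso' `
        -FreeBusyAccessEnabled $true `
        -FreeBusyAccessLevel LimitedDetails `
        -FreeBusyAccessScope 'Contoso Partners'

# Sharing policy for ad-hoc invitations: this domain only, free/busy only.
# A domain of '*' would let these users share with every external organization.
New-SharingPolicy -Name 'Contoso Free-Busy' `
    -Domains "${PartnerDomain}: CalendarSharingFreeBusySimple" -Enabled $true
Get-Mailbox -OrganizationalUnit 'Sales' | Set-Mailbox -SharingPolicy 'Contoso Free-Busy'

function Get-ExternalSharingExposure {
    # Emits one record per enabled relationship or policy that can expose data to
    # $Domain (a policy whose domain is '*' counts), for review after any change.
    param([string]$Domain)
    Get-OrganizationRelationship | Where-Object {
        $_.Enabled -and ((@($_.DomainNames | ForEach-Object { $_.ToString() })) -contains $Domain)
    } | ForEach-Object {
        New-Object PSObject -Property @{
            Kind = 'OrganizationRelationship'; Name = $_.Name
            Access = $_.FreeBusyAccessLevel.ToString(); Scope = $_.FreeBusyAccessScope
        }
    }
    foreach ($policy in (Get-SharingPolicy | Where-Object { $_.Enabled })) {
        foreach ($entry in @($policy.Domains | ForEach-Object { $_.ToString() })) {
            if ($entry -like "${Domain}:*" -or $entry -like '[*]:*') {
                New-Object PSObject -Property @{
                    Kind = 'SharingPolicy'; Name = $policy.Name
                    Access = $entry; Scope = 'mailboxes assigned to the policy'
                }
            }
        }
    }
}

Get-ExternalSharingExposure -Domain $PartnerDomain | Format-Table Kind, Name, Access, Scope -AutoSize

# Confirms that a token is issued and the partner's endpoints answer for this user.
Test-OrganizationRelationship -Identity 'Contoso' -UserIdentity 'user1@yourdomain.example'
```

The audit function is there because the two mechanisms overlap, as the note earlier in the lesson points out: a relationship scoped to one group does not stop a user outside that group from sending an ad-hoc sharing invitation under a policy that names the same domain (or '*'), so both lists have to be read together to know what a partner can actually see.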


Module 7: Implementing High Availability

Lab: Implementing High Availability

Exercise 1: Deploying a DAG

Task 1: Create a DAG named DAG1 using the Exchange Management Shell

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

2. At the PS prompt, type New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer VAN-DC1 -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIPAddress 10.10.0.80, and then press ENTER.

3. At the PS prompt, type Add-DatabaseAvailabilityGroupServer DAG1 -MailboxServer VAN-EX1, and then press ENTER.

4. On VAN-EX2, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

5. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.

6. In the Results pane, click the Database Availability Groups tab.

7. In the Work pane, on the Database Availability Groups tab, right-click DAG1, and then click Manage Database Availability Group Membership from the context menu.

8. In the Manage Database Availability Group Membership Wizard, click Add.

9. In the Select Mailbox Server dialog box, click VAN-EX2, and then click OK.

10. In the Manage Database Availability Group Membership Wizard, click Manage to complete the changes, wait for the installation to finish, and then click Finish to close the wizard.


Task 2: Create a mailbox database copy of the Accounting database

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.

3. In the Results pane, click the Database Management tab.

4. In the Results pane, click Accounting, and then in the Actions pane, click Add Mailbox Database Copy.

5. In the Add Mailbox Database Copy Wizard, click Browse to select the server to which to add the copy.

6. In the Select Mailbox Server dialog box, click VAN-EX2, and then click OK.

7. In the Add Mailbox Database Copy Wizard, click Add to create the copy of the Accounting mailbox database.

8. Review the results, and then click Finish.

Task 3: Verify successful completion of database copying

1. In the Results pane, click the Database Management tab, and then click Accounting.

2. In the bottom Work pane, view the Copy Status column for each database copy.

3. Click the Accounting entry that has a Healthy copy status, right-click it, and then choose Properties from the context menu.

4. View the Status, Copy queue length, and Replay queue length on the General tab, and then click on the Status tab.

5. On the Status tab, view the Seeding, Latest available log time, Last inspected log time, Last copied log time, and Last replayed log time properties, and then click OK.


Task 4: Suspend the Accounting database copy on VAN-EX2

1. In the Results pane, on the Database Management tab, click Accounting.

2. In the bottom Work pane, view the Copy Status column for each database copy.

3. Click the Accounting entry that has a Healthy copy status, right-click on it, and then choose Suspend Database Copy from the context menu.

4. In the Suspend Mailbox Database Copy dialog box, type Software Updates being applied, and then click Yes.

5. In the bottom Work pane, view the Copy Status column for each database copy. The copy status will turn to Suspended.

Results: After this exercise, you should have created a DAG and a mailbox database copy of the Accounting database. The Accounting database copy on VAN-EX2 should remain in a suspended state.
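Exercise 1 carried out from the Exchange Management Shell instead of the console, as an added example (not code from the course or from Microsoft). It uses the lab names (DAG1, VAN-DC1, VAN-EX1, VAN-EX2, the Accounting database and the 10.10.0.80 address) and is meant to be run on VAN-EX1; the Test-DatabaseCopyHealth function and its queue thresholds are this example's own, and it checks the same Status, Copy queue length and Replay queue length values that Task 3 has you read in the Properties dialog.

```powershell
# Added example, not part of the course: Exercise 1 from the shell. Uses the lab
# names (DAG1, VAN-DC1, VAN-EX1, VAN-EX2, Accounting); run it on VAN-EX1.
New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer VAN-DC1 `
    -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIPAddress 10.10.0.80
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer VAN-EX1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer VAN-EX2
Add-MailboxDatabaseCopy -Identity Accounting -MailboxServer VAN-EX2

function Test-DatabaseCopyHealth {
    # Task 3 as a check: every copy Mounted or Healthy, and copy/replay queues under
    # the thresholds (a steadily growing queue is the early sign of a broken copy).
    param([string]$Database, [int]$MaxCopyQueue = 10, [int]$MaxReplayQueue = 10)
    $allGood = $true
    foreach ($copy in (Get-MailboxDatabaseCopyStatus -Identity "$Database\*")) {
        $status = $copy.Status.ToString()
        $ok = (@('Mounted', 'Healthy') -contains $status) -and
              ($copy.CopyQueueLength -le $MaxCopyQueue) -and
              ($copy.ReplayQueueLength -le $MaxReplayQueue)
        if (-not $ok) {
            Write-Warning ("{0}: Status={1} CopyQueue={2} ReplayQueue={3} LastInspectedLog={4}" -f `
                $copy.Name, $status, $copy.CopyQueueLength, $copy.ReplayQueueLength, $copy.LastInspectedLogTime)
            $allGood = $false
        }
    }
    return $allGood
}

# Seeding takes a moment; poll until the new copy is healthy before relying on it.
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-DatabaseCopyHealth -Database Accounting) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
}

# Task 4: suspend the passive copy with a comment that is recorded in the copy
# status (what and why), rather than leaving an unexplained Suspended state.
Suspend-MailboxDatabaseCopy -Identity 'Accounting\VAN-EX2' `
    -SuspendComment 'Software Updates being applied' -Confirm:$false
Get-MailboxDatabaseCopyStatus -Identity 'Accounting\VAN-EX2' |
    Format-List Name, Status, SuspendComment, CopyQueueLength, ReplayQueueLength
```

Test-DatabaseCopyHealth returns a single Boolean so it can be dropped into a scheduled check; the warnings carry the per-copy detail an operator needs when it returns $false.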


Exercise 2: Deploying Highly Available Hub Transport and Client Access Servers

Task 1: Create and configure a client access array for CASArray.adatum.com

• On VAN-EX1, in the Exchange Management Shell, at the PS prompt, type New-ClientAccessArray -FQDN casarray.adatum.com -Name "CASArray.adatum.com" -Site Default-First-Site-Name, and then press ENTER.

Task 2: Assign the client access array to the databases

1. At the PS prompt, type Get-MailboxDatabase, and then press ENTER.

2. At the Exchange Management Shell prompt, type Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer casarray.adatum.com, and then press ENTER.

Results: At the end of this exercise, you should have created a client access array and assigned it to the databases.


Exercise 3: Testing the High Availability Configuration

Task 1: Create an SMTP connector associated with VAN-EX1 and VAN-EX2

1. On VAN-EX2, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click on Hub Transport.

3. Click the Send Connectors tab, and then in the Actions pane, click New Send Connector.

4. In the Name box, type Internet Mail.

5. In the Select the intended use for this Send connector drop-down menu, select Internet, and then click Next.

6. On the Address space page, click Add.

7. In the SMTP Address space dialog box, in the Address box, type *, click OK, and then click Next on the Address space page.

8. On the Network Settings page, click Route mail through the following smart hosts, and then click Add.

9. In the Add smart host dialog box, click Fully qualified domain name (FQDN).

10. In the Fully qualified domain name (FQDN) box, type van-dc1.adatum.com, and then click OK.

11. On the Network settings page, click Next.

12. On the Configure smart host authentication settings page, ensure None is selected, and then click Next.

13. On the Source server page, click Add.

14. On the Select Hub Transport or Subscribed Edge Transport Server dialog box, hold the CTRL key, click VAN-EX1 and VAN-EX2, and then click OK.

15. On the Source server page, click Next.

16. Click New to create the connector, and then click Finish to close the wizard.


Task 2: Stop the SMTP server on VAN-DC1

1. On VAN-DC1, click Server Manager on the quick launch bar.

2. In the Console Tree, expand Configuration, and then click Services.

3. In the Results pane, click Simple Mail Transfer Protocol (SMTP), and then in the Actions pane, under Simple Mail Transfer Protocol (SMTP) click More Actions, and then click Stop.

Task 3: Send an e-mail to an internal user and an external SMTP address

1. On VAN-EX1, open Windows® Internet Explorer®, and connect to https://VAN-EX1.adatum.com/owa.

2. Log on as Adatum\Jason with a password of Pa$$w0rd. Jason’s mailbox is on VAN-EX3. Click OK.

3. Click New to create a new e-mail message.

4. In the To box, type [email protected]; [email protected];.

5. In the Subject box, type Shadow Redundancy.

6. In the message body, type Test email, and then click Send.

7. Close Internet Explorer.

Task 4: Use Queue Viewer to locate the message in the queue

1. On VAN-EX2, in the Exchange Management Console, click Toolbox.

2. In the Results pane, double-click Queue Viewer.

3. On the Queues tab, locate the entry with van-dc1.adatum.com as the next hop domain. If the message is not visible, then complete the following steps:

a. Click Connect to Server in the Actions pane.

b. On the Connect to Server dialog box, click Browse.

c. On the Select Exchange Server dialog box, click VAN-EX1, click OK, and then click Connect.

d. On the Queues tab, locate the entry with the van-dc1.adatum.com as the next hop domain.


4. In the Actions pane, click Connect to Server.

5. On the Connect to Server dialog box, click Browse.

6. On the Select Exchange Server dialog box, click VAN-EX3, click OK, and then click Connect.

7. Click the Queues tab, and then click Create Filter.

8. In the first drop-down menu, select Delivery Type.

9. In the second drop-down menu, select Equals.

10. In the third drop-down menu, select Shadow Redundancy.

11. Click Apply Filter.

12. Examine the shadow-redundancy queue contents.

13. Click on the Messages tab, and then click Create Filter.

14. In the first drop-down menu, select From Address.

15. In the second drop-down menu, select Equals.

16. In the third drop-down menu, type [email protected].

17. Click Apply Filter.

18. Examine the message in the VAN-EX3\Shadow queue.

Task 5: Start the SMTP service on VAN-DC1 to allow delivery of the queued message

1. On VAN-DC1, in Server Manager, expand Configuration, and then click Services.

2. In the Results pane, click Simple Mail Transfer Protocol (SMTP), and then in the Actions pane, under Simple Mail Transfer Protocol (SMTP), click More Actions, and then click Start.


Task 6: Verify that the messages were removed from the shadow redundancy queue

1. On VAN-EX2, in the Queue Viewer, verify that you are connected to VAN-EX3.

2. Click the Queues tab, and verify that the Shadow Redundancy filter is still being applied.

3. Examine the contents of the shadow redundancy queue.

Note: You may need to wait a few minutes for the message to be removed from the Shadow redundancy queue.

Task 7: Verify the copy status of the Accounting database, and resume the database copy

1. On VAN-EX1, in the Exchange Management Console, locate the Console Tree, expand Organization Configuration, and then click Mailbox.

2. In the Results pane, click the Database Management tab, and then click Accounting.

3. In the bottom Work pane, view the Copy Status column for each database copy, click the Accounting entry that has a Suspended copy status, right-click on it, and then choose Properties from the context menu.

4. View the Status, Copy queue length, and Replay queue length on the General tab, and then click on the Status tab.

5. On the Status tab, view the Seeding, Latest available log time, Last inspected log time, Last copied log time, and Last replayed log time properties, and then click OK.

6. Click the Accounting entry that has a Suspended copy status, right-click on it, and then choose Resume Database Copy from the context menu.

7. On the Resume Mailbox Database Copy dialog box, click Yes.

8. Wait until the copy status of the Accounting database copy on VAN-EX2 is Healthy. You may need to refresh the display.


Task 8: Perform a switchover on the Accounting database to make the VAN-EX2 copy active

1. In the bottom Work pane, view the Copy Status column for each database copy, click the Accounting entry that has a Healthy copy status, right-click on it, and then choose Activate Database Copy from the context menu.

2. In the Activate Database Copy dialog box, verify None is selected, and then click OK.

Task 9: Simulate a server failure

1. On VAN-EX1, in the Results pane, click the Database Management tab. Wait until the Accounting database copy status for VAN-EX1 is Healthy.

2. In Hyper-V Manager, select 10135A-VAN-EX2, and then click Revert in the Actions pane. In the Revert Virtual Machine dialog box, click Revert.

3. View the status of the Accounting database in the Results pane. The database copy on VAN-EX1 will change to a Mounted status, and the database copy on VAN-EX2 will have a ServiceDown status.

Results: After this exercise, you should have verified that the mailbox databases could fail over and switch between DAG servers, and that Hub Transport shadow redundancy is working properly.
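Tasks 4 and 6 through 8 of Exercise 3 from the Exchange Management Shell, as an added example (not code from the course or from Microsoft). It applies the same Queue Viewer filters (delivery type ShadowRedundancy, sender address) with Get-Queue and Get-Message, waits for the shadow queue to drain once the smart host is back, resumes the suspended copy and performs the switchover. It uses the lab names (VAN-EX1, VAN-EX2, VAN-EX3, van-dc1.adatum.com, Accounting) and assumes Jason@adatum.com is the sender's address from Task 3; the Wait-ShadowQueueDrained function and its timeout are this example's own.

```powershell
# Added example, not part of the course: the Exercise 3 checks from the shell.
# Uses the lab names (VAN-EX1, VAN-EX2, VAN-EX3, van-dc1.adatum.com, Accounting);
# 'Jason@adatum.com' is assumed to be the sender from Task 3.

# Task 4: the message waiting for the stopped smart host, seen on VAN-EX1 ...
Get-Queue -Server VAN-EX1 -Filter { NextHopDomain -eq 'van-dc1.adatum.com' } |
    Format-Table Identity, Status, MessageCount, NextHopDomain -AutoSize
# ... and its shadow copy on VAN-EX3, which handed the message to VAN-EX1 and keeps
# a copy until VAN-EX1 reports that it has delivered the message.
Get-Queue -Server VAN-EX3 -Filter { DeliveryType -eq 'ShadowRedundancy' } |
    Format-Table Identity, Status, MessageCount, NextHopDomain -AutoSize
Get-Message -Server VAN-EX3 -Filter { FromAddress -eq 'Jason@adatum.com' } |
    Format-Table Identity, Queue, Subject, Status -AutoSize

function Wait-ShadowQueueDrained {
    # Task 6: after the smart host is started again (Task 5), the shadow copy is
    # discarded once the primary server reports delivery. $true when the queue is empty.
    param([string]$Server, [int]$TimeoutSeconds = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $pending = Get-Queue -Server $Server -Filter { DeliveryType -eq 'ShadowRedundancy' } |
                   Measure-Object -Property MessageCount -Sum
        if (-not $pending.Sum) { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (-not (Wait-ShadowQueueDrained -Server VAN-EX3)) {
    Write-Warning 'Shadow redundancy queue on VAN-EX3 did not drain; check delivery from VAN-EX1.'
}

# Task 7: resume the copy suspended in Exercise 1 and wait for it to catch up.
Resume-MailboxDatabaseCopy -Identity 'Accounting\VAN-EX2'
$deadline = (Get-Date).AddMinutes(10)
while ((Get-MailboxDatabaseCopyStatus -Identity 'Accounting\VAN-EX2').Status.ToString() -ne 'Healthy') {
    if ((Get-Date) -gt $deadline) { throw 'Accounting\VAN-EX2 did not return to Healthy.' }
    Start-Sleep -Seconds 10
}

# Task 8: switchover. MountDialOverride None keeps the database's own AutoDatabaseMountDial
# setting, which is what the console's Activate Database Copy dialog does by default.
Move-ActiveMailboxDatabase -Identity Accounting -ActivateOnServer VAN-EX2 `
    -MountDialOverride None -Confirm:$false
Get-MailboxDatabaseCopyStatus -Identity 'Accounting\*' | Format-Table Name, Status, ActiveCopy -AutoSize
```

Waiting for the resumed copy to reach Healthy before the switchover matters: activating a copy that is still replaying logs would be refused under the default mount dial, and forcing it would lose the unreplayed transactions.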

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V™ Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.


3. In the Revert Virtual Machine dialog box, click Revert.

4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7. Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.


Module 8: Implementing Backup and Recovery

Lab: Implementing Backup and Recovery

Exercise 1: Backing Up Exchange Server 2010

Task 1: Populate a mailbox

1. On VAN-EX1, click Start, point to All Programs, and then click Internet Explorer.

2. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER.

3. Log on as Adatum\Parna with a password of Pa$$w0rd.

4. Click OK to accept the default Microsoft® Outlook® Web App settings.

5. Click New to create a new message.

6. In the To box, type George.

7. In the Subject box, type Message before Backup, and then click Send.

8. Close Windows® Internet Explorer®.

9. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

10. At the PS prompt, type Restart-Service MSExchangeIS, and then press ENTER.

Task 2: Perform a backup of the mailbox database using Windows Server Backup

1. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Server Manager.

2. In Server Manager, click Features, and then on the Features Summary pane, click Add Features.

3. In the Add Features Wizard, expand Windows Server Backup Features, click Windows Server Backup, and then click Next.


4. On the Confirm Installation Selections page, click Install. When the installation finishes, click Close.

5. Click Start, click All Programs, click Administrative Tools, and then click Windows Server Backup.

6. In Windows Server Backup, on the Actions pane, click Backup Once.

7. In the Backup Once Wizard, on the Backup Options page, select Different options, and then click Next.

8. On the Select Backup Configuration page, select Custom, and then click Next.

9. On the Select Items for Backup page, click Add items, check Local disk (C:) in the Select Items window, and then click OK.

10. On the Select Items for Backup page, click Advanced Settings, click on the VSS Settings tab, select VSS full Backup, click OK, and then click Next.

11. On the Specify Destination Type page, select Remote shared folder, and then click Next.

12. On the Specify Remote Folder page, in the Location field, type \\VAN-DC1\Backup, and then click Next.

13. On the Confirmation page, click Backup. The backup will take approximately 15 to 20 minutes.

14. On the Backup Progress page, click Close.
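The same one-off VSS full backup can be taken with wbadmin, the command-line front end of Windows Server Backup. The script below is an added example, not part of the course, and adds the two checks a practitioner wants around a backup: that the Exchange VSS writer is registered before the backup starts, and that Exchange recorded the backup afterwards. The share path is the lab's; the server name VAN-EX1 is assumed to be where the script runs.

```powershell
# Added example, not from the course: VSS full backup from an elevated prompt on VAN-EX1,
# with the checks that confirm Exchange treated it as a real full backup.
$Target = "\\VAN-DC1\Backup"   # share used by the lab

# 1. Exchange backups depend on the Exchange VSS writer being registered and stable.
$writers = vssadmin list writers
if (-not ($writers | Select-String -SimpleMatch "Microsoft Exchange Writer")) {
    throw "Microsoft Exchange Writer is not registered; check the Information Store service."
}

# 2. Same options as the Backup Once Wizard: custom selection of C:, VSS full backup,
#    remote shared folder as the destination.
wbadmin start backup "-backupTarget:$Target" "-include:C:" -vssFull -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin returned exit code $LASTEXITCODE" }

# 3. A VSS full backup truncates transaction logs and stamps the database header;
#    LastFullBackup is how Exchange records that the backup completed.
Get-MailboxDatabase -Server VAN-EX1 -Status |
    Format-Table Name, LastFullBackup, LastIncrementalBackup, BackupInProgress -AutoSize

# 4. The catalog on the share lists the versions that the Recovery Wizard will offer.
wbadmin get versions "-backupTarget:$Target"
```

If LastFullBackup does not update, the backup was taken as a copy backup or the Exchange writer was not involved, and the transaction logs will keep growing until a real full backup succeeds.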

Task 3: Delete messages in mailboxes

1. Click Start, point to All Programs, and then click Internet Explorer.

2. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER.

3. Log on as Adatum\George with a password of Pa$$w0rd.

4. Click OK to accept the default Outlook Web App settings.

5. Right-click the message with the subject Message before Backup, and then click Delete.

6. In the left pane, right-click Deleted Items, and then click Empty Deleted Items.


7. In the Empty Deleted Items box, click Yes.

8. Close Internet Explorer.

9. Open Internet Explorer, in the Address bar type https://VAN-EX1.adatum.com/owa, and then press ENTER.

10. Log on as Adatum\Parna with a password of Pa$$w0rd.

11. Click Sent Items, and delete all messages in the folder.

12. In the left pane, right-click Deleted Items, and then click Empty Deleted Items.

13. In the Empty Deleted Items box, click Yes.

14. Close Internet Explorer.

Results: After this exercise, you should have created a backup of an Exchange Server database, and deleted messages.


Exercise 2: Restoring Exchange Server Data

Task 1: Restore the database using Windows Backup

1. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Windows Server Backup.

2. In Windows Server Backup, on the Actions pane, click Recover.

3. In the Recovery Wizard, on the Getting Started page, select This Server (VAN-EX1), and then click Next.

4. On the Select Backup Date page, click Next.

5. On the Select Recovery Type page, select Applications, and then click Next.

6. On the Select Application page, select Exchange, and then click Next.

7. On the Specify Recovery Options page, click Recover to another location, click Browse, expand Computer, click Local Disk (C:), click Make New Folder, enter DBBackup, click OK, and then click Next.

8. On the Confirmation page, click Recover.

9. On the Recovery Progress page, click Close. Close Windows Server Backup.

Task 2: Create a recovery database by using the backup files

1. On VAN-EX1, at the Exchange Management Shell prompt, type New-MailboxDatabase -Name "RecoverDB" -Server VAN-EX1 -EDBFilePath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb" -LogFolderPath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting" -Recovery, and then press ENTER.

2. At the Exchange Management Shell prompt, type cd “c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox\Accounting”, and then press ENTER.

3. At the Exchange Management Shell prompt, type eseutil /R E02 /i /d and then press ENTER.

4. At the Exchange Management Shell prompt, type Mount-Database “RecoverDB”, and then press ENTER.

5. At the Exchange Management Shell prompt, type Get-MailboxStatistics -Database “RecoverDB”, and then press ENTER.


Task 3: Recover a mailbox from the recovery database

1. At the Exchange Management Shell prompt, type Restore-Mailbox -Identity ParnaKhot -RecoveryDatabase RecoverDB, and then press ENTER.

2. At the Confirm prompt, type Y, and then press ENTER.

3. Click Start, point to All Programs, and then click Internet Explorer.

4. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER.

5. Log on as Adatum\Parna with a password of Pa$$w0rd.

6. Verify that the deleted message is available in the Sent Items folder.

7. Close Internet Explorer.

8. At the Exchange Management Shell prompt, type Remove-Mailboxdatabase -Identity RecoverDB, and then press ENTER. Type Y, and then press ENTER.
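The recovery-database workflow of Tasks 2 and 3 above, scripted as an added example that is not part of the course. The point it adds is that the database state is read from the header before and after the eseutil log replay instead of being assumed: replaying logs into a database that is already in Clean Shutdown, or mounting one that is still in Dirty Shutdown, are the two common mistakes. Paths, log prefix E02 and names are the lab's; the display name "Parna Khot" and the Select-String parsing of the eseutil header are assumptions of the example.

```powershell
# Added example, not from the course: recovery database build and single-mailbox restore,
# run in the Exchange Management Shell on VAN-EX1.
$BackupRoot = "C:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting"
$EdbPath    = Join-Path $BackupRoot "Accounting.edb"
$RdbName    = "RecoverDB"
$LogPrefix  = "E02"          # log base name of the Accounting database in the lab

function Get-EdbState {
    # Reads the "State:" line of the database header printed by eseutil /mh.
    param([string]$Path)
    $line = & eseutil /mh $Path | Select-String -Pattern '^\s*State:\s*(.+)$' | Select-Object -First 1
    if (-not $line) { throw "Could not read the header of $Path" }
    return $line.Matches[0].Groups[1].Value.Trim()
}

# 1. A database restored from a VSS backup is normally in Dirty Shutdown and needs its
#    logs replayed; a database already in Clean Shutdown must not be replayed again.
if ((Get-EdbState $EdbPath) -ne "Clean Shutdown") {
    Push-Location $BackupRoot
    try {
        # /R = soft recovery from logs, /i = ignore missing or mismatched database
        # attachments, /d = database files are in the current directory.
        & eseutil /R $LogPrefix /i /d
        if ($LASTEXITCODE -ne 0) { throw "eseutil /R failed with exit code $LASTEXITCODE" }
    } finally {
        Pop-Location
    }
}
if ((Get-EdbState $EdbPath) -ne "Clean Shutdown") {
    throw "Database is still not in Clean Shutdown; do not mount it."
}

# 2. Create and mount the recovery database over the restored files (Task 2).
New-MailboxDatabase -Name $RdbName -Server VAN-EX1 -EdbFilePath $EdbPath `
    -LogFolderPath $BackupRoot -Recovery
Mount-Database -Identity $RdbName

# 3. Confirm the mailbox to recover is actually present before restoring anything.
$stats = Get-MailboxStatistics -Database $RdbName
$stats | Format-Table DisplayName, ItemCount, TotalItemSize -AutoSize
if (-not ($stats | Where-Object { $_.DisplayName -eq "Parna Khot" })) {   # assumed display name
    throw "Parna Khot was not found in $RdbName"
}

# 4. Merge the recovered content back into the live mailbox (Task 3).
Restore-Mailbox -Identity ParnaKhot -RecoveryDatabase $RdbName -Confirm:$false

# 5. Remove the recovery database once the restore is verified; the files stay on disk.
Dismount-Database -Identity $RdbName -Confirm:$false
Remove-MailboxDatabase -Identity $RdbName -Confirm:$false
```

A recovery database is mounted with the same permissions as any other database, so removing it as soon as the restore is verified limits how long a second copy of the mailbox content is reachable on the server.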

Results: After this exercise, you should have created a recovery database, and restored a complete mailbox from the recovery database to its original location.


Exercise 3: Restoring Exchange Servers (optional)

Task 1: Shut down VAN-EX1, and reset the computer account

1. On the host computer, open Hyper-V Manager, right-click 10135A-VAN-EX1, and then click Revert.

2. In the Revert Virtual Machine dialog box, click Revert.

3. On VAN-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

4. Under Adatum.com, click Computers.

5. In the right pane, right-click VAN-EX1, click Reset Account, and then in the Active Directory Domain Services dialog box, click Yes, and then click OK.

6. Close Active Directory Users and Computers.

Task 2: Prepare VAN-SVR1 as VAN-EX1

1. On VAN-SVR1, click Start, right-click Computer, and then click Properties.

2. In the System window, in the Computer name, domain, and workgroup settings pane, click Change settings.

3. On the Computer Name tab, click Change.

4. In the Computer Name/Domain Changes dialog box, in the Computer name field, type VAN-EX1, and then click OK.

5. In the System Properties dialog box, click OK, click Close, and then click Restart Now to restart the computer.

6. After the computer restarts, log on as Administrator using a password of Pa$$w0rd.

7. Click Start, right-click Computer, and then click Properties.

8. In the System window, in the Computer name, domain, and workgroup settings pane, click Change settings.

9. On the Computer Name tab, click Change.

10. Under Member of, click Domain, type Adatum.com, and then click OK.

11. In the Computer Name Changes dialog box, in the User name field, type Administrator.


12. In the Password field, type Pa$$w0rd, and then click OK.

13. In the Computer Name/Domain Changes dialog box, click OK, and then click OK again.

14. In the System Properties dialog box, click OK, click Close, and then click Restart Now to restart the computer.

15. After the computer restarts, log on as adatum\Administrator using a password of Pa$$w0rd.

Task 3: Install Exchange Server 2010 with the RecoverServer mode

1. On VAN-SVR1, click Start, click Run, and then in the Open box, type d:\setup /m:RecoverServer, and then press ENTER. The installation takes approximately 15 minutes.

2. Click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

3. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.

4. In the Mailbox pane, on the Database Management tab, right-click Accounting, and then click Properties.

5. In Accounting Properties, click on the Maintenance tab, click This database can be overwritten by a restore, and then click OK.

6. Repeat steps 4 and 5 for Mailbox Database 1.

7. In the Mailbox pane, on the Database Management tab, right-click Public Folder Database 1, and then click Properties.

8. In Public Folder Database 1 Properties, on the General tab, click This database can be overwritten by a restore, and then click OK.

Task 4: Recover the mailbox databases from backup

1. On VAN-SVR1, click Start, click All Programs, click Administrative Tools, and then click Windows Server Backup.

2. In Windows Server Backup, on the Actions pane, click Recover.

3. In the Recovery Wizard, on the Getting Started page, select A backup stored on another location, and then click Next.


4. On the Specify Location Type page, click Remote Shared Folder, and then click Next.

5. On the Specify Remote Folder page, type \\van-dc1\backup, and then click Next.

6. On the Select Backup Date page, click Next.

7. On the Select Recovery Type page, select Applications, and then click Next.

8. On the Select Application page, select Exchange, and then click Next.

9. On the Specify Recovery Options page, click Recover to original location, and then click Next.

10. On the Confirmation page, click Recover.

11. On the Recovery Progress page, click Close.

Task 5: Test the recovery

1. On VAN-EX1, in Exchange Management Console, under Organization Configuration, click Mailbox.

2. In the Mailbox pane, on the Database Management tab, right-click Accounting, and then click Mount Database.

3. Mount Mailbox Database 1 and Public Folder Database 1.

4. On VAN-DC1, click Start, point to All Programs, and then click Internet Explorer.

5. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER.

6. Click Continue to this website (not recommended).

7. Log on as Adatum\Parna with a password of Pa$$w0rd, and then click OK.

8. Verify that the mailbox is accessible.

Results: After this exercise, you should have recovered a complete Exchange server by using a different Windows Server, renaming it, installing Exchange Server in /m:RecoverServer mode, and recovering the Exchange Server database from a backup. You have also tested the recovery.
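The checks that belong around Tasks 3 through 5, as an added example that is not part of the course. It shows the prerequisite that /m:RecoverServer depends on (the server object still present in Active Directory), the AllowFileRestore setting behind the "This database can be overwritten by a restore" check box applied to every database at once, and a post-recovery mount and MAPI test. Server and share names are the lab's; the wbadmin recovery line is shown commented out with a placeholder because the version identifier comes from the backup catalog at run time.

```powershell
# Added example, not from the course: checks around the /m:RecoverServer rebuild and the
# database restore, run in the Exchange Management Shell on the rebuilt VAN-EX1.

# 1. RecoverServer reinstalls from the server object still in Active Directory, so the
#    object must exist under the same name, with its roles intact, before setup runs.
Get-ExchangeServer -Identity VAN-EX1 | Format-List Name, ServerRole, AdminDisplayVersion

# 2. The restore is refused unless each database allows a file restore; this is the
#    check box set by hand for each database in Task 3.
Get-MailboxDatabase -Server VAN-EX1 | Set-MailboxDatabase -AllowFileRestore $true
Get-PublicFolderDatabase -Server VAN-EX1 | Set-PublicFolderDatabase -AllowFileRestore $true
Get-MailboxDatabase -Server VAN-EX1 | Format-Table Name, AllowFileRestore -AutoSize

# 3. Command-line form of the Recovery Wizard in Task 4. <VERSION> is a placeholder for a
#    value printed by "wbadmin get versions" (form MM/DD/YYYY-HH:MM).
wbadmin get versions "-backupTarget:\\VAN-DC1\Backup"
# wbadmin start recovery -version:<VERSION> -itemType:App -items:Exchange "-backupTarget:\\VAN-DC1\Backup" -quiet

# 4. Mount whatever is still dismounted and confirm MAPI access works (Task 5).
Get-MailboxDatabase -Server VAN-EX1 -Status | Where-Object { -not $_.Mounted } | Mount-Database
Get-PublicFolderDatabase -Server VAN-EX1 -Status | Where-Object { -not $_.Mounted } | Mount-Database
Test-MapiConnectivity -Server VAN-EX1 | Format-Table Database, Result, Latency, Error -AutoSize
```

AllowFileRestore is a safety interlock, not a convenience: it is the only thing stopping a restore from silently overwriting a database that is still in use, so set it just before the restore and expect it to be reset afterwards.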


To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Microsoft Hyper-V™ Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7. Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.


Module 9: Configuring Messaging Policy and Compliance

Lab A: Configuring Transport Rules, Journal Rules, and Multi-Mailbox Search

Exercise 1: Configuring Transport Rules

To start the lab, complete the following steps

1. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. Expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

3. In the Actions pane, click New Send Connector.

4. On the Introduction page, type Internet Connector as the connector name. In the Select the intended use for this Send connector drop-down list, click Internet, and then click Next.

5. On the Address space page, click Add.

6. In the Address field, type *, click OK, and then click Next.

7. On the Network settings page, click Route mail through the following smart hosts, and click Add.

8. In the IP address field, type 10.10.0.10, click OK, and then click Next.

9. On the Configure smart host authentication settings page, click Next.

10. On the Source Server page, click Next, click New, and then click Finish.


Task 1: Create a transport rule that adds a disclaimer to all messages sent to the Internet

1. On VAN-EX1, in the Exchange Management Console, expand Organization Configuration, click Hub Transport, and then click New Transport Rule.

2. On the Introduction page, in the Name box, type Internet E-Mail Disclaimer, and then click Next.

3. On the Conditions page, in the Step 1: Select condition(s) area, select the sent to users that are inside or outside the organization, or partners check box.

4. In the Step 2: Edit the rule description by clicking an underlined value area, click Inside the organization.

5. In the Select scope dialog box, under Scope, click Outside the organization, and then click OK.

6. On the Conditions page, click Next.

7. On the Actions page, in the Step 1: Select Action(s) area, select append disclaimer text and fallback to Action if unable to apply.

8. In the Step 2: Edit the rule description by clicking an underlined value area, click disclaimer text.

9. In the Specify disclaimer text box, type This e-mail is intended solely for the use of the individual to whom it is addressed., and then click OK.

10. On the Actions page, click Next.

11. On the Exceptions page, click Next, review the rule description, click New, and then click Finish.

Task 2: Configure and enable message classifications for Outlook 2007 clients

1. On VAN-EX1, open the Exchange Management Shell.

2. At the PS prompt, type New-MessageClassification -Name CompanyConfidential -DisplayName "Company Confidential" -SenderDescription "Do not forward to the Internet", and then press ENTER.

3. At the PS prompt, type cd "c:\Program Files\Microsoft\Exchange Server\v14\scripts", and then press ENTER.


4. At the PS prompt, type .\Export-OutlookClassification.ps1 > c:\classifications.xml, and then press ENTER.

5. On VAN-CL1, click Start, type \\van-ex1\c$, and then press ENTER.

6. Copy the \\VAN-EX1\c$\classifications.xml file to the C: drive. Provide the administrator credentials to complete the copy.

7. Click Start, type \\van-ex1\d$\Labfiles, and then press ENTER.

8. Double-click EnableClassification.reg. Click Yes, and then click OK.

9. Close Windows Explorer.

Task 3: Create a transport rule that blocks all messages with a Company Confidential classification from being sent to the Internet

1. On VAN-EX1, in the Exchange Management Console, in the Actions pane, click New Transport Rule.

2. On the Introduction page, in the Name box, type Company Confidential Rule, and then click Next.

3. On the Conditions page, in the Step 1: Select condition(s) area, select the marked with classification check box.

4. In the Step 2: Edit the rule description by clicking an underlined value area, click classification.

5. In the Select message classification dialog box, click Company Confidential, and then click OK.

6. On the Conditions page, click Next.

7. On the Actions page, in the Step 1: Select Action(s) area, select the send rejection message to sender with enhanced status code check box.

8. In the Step 2: Edit the rule description by clicking an underlined value area, click rejection message.

9. In the Specify rejection message dialog box, type Company confidential e-mails cannot be sent to the Internet, and then click OK.

10. Click enhanced status code, type 5.7.1, and then click OK.

11. On the Actions page, click Next.

12. On the Exceptions page, click Next, review the rule description, click New, and then click Finish.


Task 4: Enable AD RMS integration for the organization

1. On VAN-DC1, open Windows® Explorer, browse to C:\inetpub\wwwroot\_wmcs\certification, right-click servercertification.asmx, and then click Properties.

2. In the Server Certification.asmx Properties dialog box, on the Security tab, click Edit.

3. In the Permissions for Server Certification.asmx dialog box, click Add.

4. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.

5. In the Enter the object names to select field, type Exchange Servers, and then click OK.

6. Click Add. In the Enter the object names to select field, type IIS_IUSRS, and then click OK three times.

7. On VAN-DC1, open a command prompt, type IISReset, and then press ENTER. Wait for the service to restart, and then close the command prompt.

8. On VAN-EX1, in the Exchange Management Shell, at the PS prompt, type set-irmconfiguration –InternalLicensingEnabled $true, and then press ENTER. This cmdlet enables AD RMS encryption for messages sent inside the organization.

Task 5: Configure a transport rule that applies the Do Not Forward AD RMS template to all messages with the words “confidential” or “private” in the subject

1. On VAN-EX1, in the Exchange Management Console, under Organization Configuration, click Hub Transport.

2. In the Actions pane, click New Transport Rule.

3. On the Introduction page, in the Name field, type Confidential E-Mail Rule.

4. Verify that Enable Rule is selected, and then click Next.

5. On the Conditions page, under Step 1, select the when the Subject field contains specific words check box.

6. Under Step 2, click the specific words link.


7. In the Specify words dialog box, type Confidential, click Add, type Private, click Add, and then click OK.

8. Click Next.

9. On the Actions page, under Step 1, select rights protect message with RMS template.

10. Under Step 2, click the RMS Template link.

11. In the Select RMS template dialog box, click Do not Forward, and then click OK.

12. Click Next twice, click New, and then click Finish.

Task 6: Configure a moderated group

1. On VAN-EX1, in the Exchange Management Console, under Recipient Configuration, click Distribution Group.

2. In the middle pane, right-click All Company, and then click Properties.

3. On the Mail Flow Settings tab, double-click Message Moderation.

4. In the Message Moderation dialog box, select the Messages sent to this group have to be approved by a moderator check box.

5. Under Specify group moderators, click Add.

6. In the Select Recipient – Entire Forest dialog box, click Andreas Herbinger, and then click OK three times.

Task 7: Test the transport rule configuration

1. On VAN-CL1, open Microsoft® Office Outlook® 2007.

2. Create a new message, and then send it to [email protected].

3. Create another message to Carol, click the drop-down arrow next to the Permission icon, click Company Confidential, and then send the message.

4. On VAN-DC1, open Windows Explorer. Browse to the C:\inetpub\mailroot\queue folder. Double-click the EML file in the folder.

5. In the Windows dialog box, click Select a program from a list of installed programs, and then click OK. Click Notepad, and then click OK.


6. Scroll to the middle of the message, and verify that the disclaimer has been added to the message.

7. Confirm that the second message did not arrive.

8. On VAN-CL1, confirm that Luca received a message from the postmaster account stating that the second message could not be delivered.

9. In Outlook, create a new message, and then send it to the All Company distribution group.

10. Open Windows Internet Explorer®, and connect to https://van-ex1.adatum.com/owa. Log on as Adatum\Andreas using a password of Pa$$w0rd. Click OK.

11. Double-click the e-mail message to open it, and click Approve.

12. In Outlook, verify that the message to the All Company distribution list has arrived.

13. In Outlook Web App, create a new message with a subject of Private. Send the message to Luca.

14. Close Internet Explorer.

15. In Outlook, verify that Luca received the message with the subject Private. If prompted for credentials, enter Luca as the user name and Pa$$w0rd as the password. Verify that the message has the Do Not Forward template applied. Verify that the Forward option is not available on the message.

Results: After this exercise, you should have configured a transport rule that ensures that all messages sent to users on the Internet include a disclaimer of which the legal department approves. Additionally, you should have configured a transport rule that ensures that messages with a “Company Confidential” classification are not sent to the Internet, and you should have configured a transport rule that applies the Do Not Forward AD RMS template to all messages with the words “confidential” or “private” in the subject. Lastly, you should have configured a moderated group using the All Company distribution group.
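The four rules built in the console in Tasks 1, 3, 5 and 6, as Exchange Management Shell commands. This is an added example, not part of the course; it mirrors each rule exactly as the lab builds it and then lists the resulting rule order, which the wizard never shows. Rule names, texts, the CompanyConfidential classification and the moderator name are the lab's; the Wrap fallback action is an assumption of the example, since the lab does not say which fallback it selects.

```powershell
# Added example, not from the course: the transport rules and moderation of Exercise 1
# as Exchange Management Shell commands, followed by a check of rule priority.

# Task 1: append a disclaimer to mail addressed outside the organization. Wrap is the
# fallback used when the text cannot be inserted (for example into a signed message).
New-TransportRule -Name "Internet E-Mail Disclaimer" `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText "This e-mail is intended solely for the use of the individual to whom it is addressed." `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Task 3: reject messages carrying the CompanyConfidential classification with NDR 5.7.1.
# The lab rule has only the classification condition, so it rejects such mail to any
# recipient; adding -SentToScope NotInOrganization would limit it to Internet recipients,
# which is what the task title describes.
$classification = Get-MessageClassification -Identity CompanyConfidential
New-TransportRule -Name "Company Confidential Rule" `
    -HasClassification $classification.Identity `
    -RejectMessageReasonText "Company confidential e-mails cannot be sent to the Internet" `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Task 5: rights-protect by subject keyword with the built-in Do Not Forward template.
# Depends on Set-IRMConfiguration -InternalLicensingEnabled $true from Task 4.
New-TransportRule -Name "Confidential E-Mail Rule" `
    -SubjectContainsWords "Confidential","Private" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Task 6: moderation for the All Company group.
Set-DistributionGroup -Identity "All Company" -ModerationEnabled $true -ModeratedBy "Andreas Herbinger"

# Checks: rules apply in priority order and a disabled rule shows State = Disabled;
# the group should now report its moderator.
Get-TransportRule | Format-Table Priority, Name, State -AutoSize
Get-DistributionGroup -Identity "All Company" | Format-List ModerationEnabled, ModeratedBy
```

Priority matters here: the disclaimer rule runs before the rejection rule, so a classified message is stamped with the disclaimer and then rejected, which is harmless, but a rule that rewrites the subject or strips a classification placed above the rejection rule would defeat it.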


Exercise 2: Configuring Journal Rules and Multi-Mailbox Search

Task 1: Create a mailbox for the Executives department journaling messages

1. On VAN-EX1, in the Exchange Management Console, click Recipient Configuration.

2. In the Actions pane, click New Mailbox to start the New Mailbox Wizard.

3. On the Introduction page, ensure that User Mailbox is selected, and then click Next.

4. On the User Type page, click Next.

5. On the User Information page, type the following information:

• First name: Executives Journal Mailbox

• User Logon name (User Principal Name): ExecutivesJournal

• Password: Pa$$w0rd

• Confirm password: Pa$$w0rd

6. Click Next.

7. On the Mailbox Settings page, type ExecutivesJournal as the Alias.

8. Select the Specify the mailbox database rather than using a database automatically accepted check box, click Browse, click Mailbox Database 1, click OK, and then click Next.

9. On the Archive Settings page, click Next.

10. On the New Mailbox page, click New, and then click Finish.

Task 2: Create a journal rule that saves a copy of all messages sent to and from Executives department members

1. In the Exchange Management Console, in the Organization Configuration work area, click Hub Transport.

2. In the Actions pane, click New Journal Rule to start the New Journal Rule Wizard.


3. On the New Journal Rule page, in the Rule name box, type Executives Department Message Journaling.

4. Beside Send Journal reports to e-mail address, click Browse, click Executives Journal Mailbox, and then click OK.

5. Under Scope, ensure Global – all messages is selected.

6. Select the Journal messages for recipient check box, and then click Browse.

7. In the Select Recipient dialog box, click Executives, and then click OK.

8. On the New Journal Rule page, click New, and then click Finish.

Task 3: Create and configure the MailboxAuditor account

1. On VAN-EX1, in the Exchange Management Console, click Recipient Configuration.

2. In the Actions pane, click New Mailbox to start the New Mailbox Wizard.

3. On the Introduction page, ensure that User Mailbox is selected, and then click Next.

4. On the User Type page, click Next.

5. On the User Information page, type the following information:

• First name: Mailbox Auditor

• User Logon name (User Principal Name): MailboxAuditor

• Password: Pa$$w0rd

• Confirm password: Pa$$w0rd

6. Click Next.

7. On the Mailbox Settings page, type MailboxAuditor as the Alias.

8. Select the Specify the mailbox database rather than using a database automatically accepted check box, click Browse, click Mailbox Database 1, click OK, and then click Next.

9. On the Archive Settings page, click Next.

10. On the New Mailbox page, click New, and then click Finish.

11. In the recipient list, click Executives Journal Mailbox, and then click Manage Full Access Permission.


12. On the Manage Full Access Permission page, click Add, click Mailbox Auditor, and then click OK.

13. Click Manage, and then click Finish.

14. On VAN-DC1, open Active Directory Users and Computers, and then in the Microsoft Exchange Security Groups OU, double-click the Discovery Management group.

15. In the Discovery Management Properties dialog box, on the Members tab, click Add.

16. Type Mailbox Auditor, and then click OK twice.

Task 4: Test the journal rule and Multi-Mailbox Search configuration

1. On VAN-CL1, if required, open Outlook.

2. Create a new message, and then send it to Marcel Truempy. Marcel is a member of the Executives group.

3. Open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Marcel with the password Pa$$w0rd. Confirm that the message from Luca arrived. Reply to the message, and then close Internet Explorer.

4. Open a new instance of Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\MailboxAuditor with the password Pa$$w0rd.

5. In the left pane, right-click Mailbox Auditor, and click Open Other User’s Inbox.

6. Type Executives Journal Mailbox and click OK twice. Under Executives Journal Mailbox, click Inbox. Verify that the two journaled messages are in the mailbox.

7. In Outlook, create and send a new message with the following configuration:

• To: George; [email protected]

• Subject: Customer Order

• Message body: Here is the order for Carol at Contoso. Her customer number is 1111-1111.


8. In the Microsoft Outlook Web App session where you are logged on as MailboxAuditor, click Options.

9. In the Select what to manage drop-down list, ensure that My Organization is listed.

10. In the left pane, click Reporting, and then under Multi-Mailbox Search, click New.

11. In the Keywords box, type Customer Number.

12. Expand Mailboxes to Search.

13. Under Select the mailboxes to search, click Add. In the Select Mailbox window, click Luca Dellamore and click Add. Click George Schaller, click Add, and then click OK.

14. Expand Search Name and Storage Location.

15. In the Search name field, type Customer Number Discovery.

16. Next to Select a mailbox in which to store the search results, click Browse.

17. In the Select Mailbox window, click Discovery Search Mailbox, and then click OK.

18. Select the Send me an e-mail when the search is done check box, and then click Save.

19. Wait until the search finishes, and then in the bottom right pane, click the Open link.

20. In the Outlook Web App window, click OK.

21. In the Navigation pane, notice the new discovery folder named Customer Number Discovery. Expand the folder.

22. Note the two folders created that correspond to the mailboxes added to the search criteria.

23. Expand Luca Dellamore, expand Primary Mailbox, expand Sent Items, and then verify that the e-mail was discovered using the search criteria.


24. Expand George Schaller, expand Primary Mailbox, expand Inbox, and then verify that the e-mail was discovered using the search criteria.

25. Close Internet Explorer.

Results: After this exercise, you should have created a mailbox for the Executives department journaling messages, and then created a journal rule that saves a copy of all messages sent to and from Executives department members. You also should have created and configured the MailboxAuditor account.
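The journal mailbox, journal rule, auditor permissions and discovery search of Tasks 1 through 4, as Exchange Management Shell commands. This is an added example, not part of the course. It assumes the accepted domain is adatum.com and that the Executives group's SMTP address is Executives@adatum.com (neither is stated in the lab); mailbox display names match the ones the lab uses, and the password is read interactively rather than written into the script.

```powershell
# Added example, not from the course: journaling and Multi-Mailbox Search setup for
# Exercise 2, run in the Exchange Management Shell on VAN-EX1.
$Domain = "adatum.com"   # assumed accepted domain

# Task 1 and Task 3: the two mailboxes. Reading the password with -AsSecureString keeps
# it out of the script file and the shell history.
$password = Read-Host -Prompt "Password for the new mailboxes" -AsSecureString
New-Mailbox -Name "Executives Journal Mailbox" -Alias ExecutivesJournal `
    -UserPrincipalName "ExecutivesJournal@$Domain" -Database "Mailbox Database 1" -Password $password
New-Mailbox -Name "Mailbox Auditor" -Alias MailboxAuditor `
    -UserPrincipalName "MailboxAuditor@$Domain" -Database "Mailbox Database 1" -Password $password

# Task 2: journal every message sent to or from a member of Executives. Scope Global
# covers internal and external mail; the recipient filter narrows it to the group.
New-JournalRule -Name "Executives Department Message Journaling" `
    -JournalEmailAddress "ExecutivesJournal@$Domain" `
    -Scope Global -Recipient "Executives@$Domain" -Enabled $true   # group address assumed

# Task 3, steps 11 to 16: Full Access to the journal mailbox, and membership of the
# Discovery Management role group, which is what grants the right to run searches.
Add-MailboxPermission -Identity ExecutivesJournal -User MailboxAuditor `
    -AccessRights FullAccess -InheritanceType All
Add-RoleGroupMember -Identity "Discovery Management" -Member MailboxAuditor

# Task 4: the same Multi-Mailbox Search. The search starts on creation; results land in
# the Discovery Search Mailbox and the auditor is mailed when it finishes.
New-MailboxSearch -Name "Customer Number Discovery" -SearchQuery "Customer Number" `
    -SourceMailboxes "Luca Dellamore","George Schaller" `
    -TargetMailbox "Discovery Search Mailbox" -StatusMailRecipient MailboxAuditor

# Checks: who holds discovery rights, and how the search is progressing.
Get-RoleGroupMember -Identity "Discovery Management"
Get-MailboxSearch -Identity "Customer Number Discovery" | Format-List Name, Status, SourceMailboxes, ResultNumber
```

Membership of Discovery Management, not Full Access to a mailbox, is what lets an account read other users' mail through a search, so the role group's member list is the one to review regularly; the journal mailbox in turn holds a copy of every executive message, and Full Access to it should be granted as narrowly as the auditor role requires.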

To prepare for the next lab

• Do not shut down the virtual machines and revert them back to their initial state when you finish this lab. The virtual machines are required to complete this module’s last lab.


Lab B: Configuring Messaging Records Management and Personal Archives

Exercise 1: Configuring Messaging Records Management

Task 1: Create a managed custom mailbox folder named Executives Confidential

1. On VAN-EX1, in the Exchange Management Console, in the Organization Configuration work area, click Mailbox.

2. In the Actions pane, click New Managed Custom Folder to start the New Managed Custom Folder Wizard.

3. On the New Managed Custom Folder page, in the Name box, type Executives Confidential.

4. In the Display the following comment when the folder is viewed in Outlook box, type All confidential items related to Executives group should be posted here. Messages in this folder are valid for 180 days.

5. Select the Do not allow users to minimize this comment in Outlook check box, and then click New.

6. On the Completion page, review the completion report, and then click Finish.

Task 2: Configure content settings for the Executives Confidential folder

1. Right-click the Executives Confidential managed custom folder, and then click New Managed Content Settings.

2. On the Introduction page, in the Name of the managed content settings to be displayed in the Exchange Management Console box, type Executives Confidential Content Settings.

3. In the Message type list, ensure that All Mailbox Content is selected.

4. Select the Length of retention period (days) check box, and then type 180 in the text box.

5. In the Retention period starts list, click When item is moved to the folder.


6. In the Actions to take at the end of the retention period list, click Mark as Past Retention Limit, and then click Next.

7. On the Journaling page, click Next.

8. On the New Managed Content Settings page, review the summary, click New, and then click Finish.

Task 3: Configure content settings for all mailbox folders

1. On the Managed Default Folders tab, right-click Entire Mailbox, and then click New Managed Content Settings.

2. On the Introduction page, in the Name of the managed content settings to be displayed in the Exchange Management Console box, type Mailbox Content Settings.

3. In the Message type list, ensure All Mailbox Content is selected.

4. Select the Length of retention period (days) check box, and then type 90 in the text box.

5. In the Retention period starts list, accept the default of When delivered, end date for calendar and recurring tasks.

6. In the Actions to take at the end of the retention period list, click Delete and Allow Recovery.

7. On the Introduction page, click Next.

8. On the Journaling page, click Next.

9. On the New Managed Content Setting page, review the summary, click New, and then click Finish.

Task 4: Configure a managed folder mailbox policy that applies to all users

1. In the Actions pane, click New Managed Folder Mailbox Policy to start the New Managed Folder Mailbox Policy Wizard.

2. On the New Mailbox Policy page, in the Managed Folder mailbox policy name box, type Default Policy – All Users.

3. In the Specify the managed folders that you want to link to this policy section, click Add.


4. In the Select Managed Folder dialog box, click Entire Mailbox, and then click OK.

5. On the New Mailbox Policy page, click New, and then click Finish.

6. Open the Exchange Management Shell.

7. At the prompt, type Get-Mailbox | Set-Mailbox -ManagedFolderMailboxPolicy 'Default Policy – All Users', and then press ENTER.

8. At the confirmation prompt, type A, and then press ENTER. This command links the policy to all users in the organization. Note that Get-Mailbox returns at most 1,000 mailboxes unless you add -ResultSize Unlimited; the lab organization never reaches that limit, but a production one will.

Task 5: Configure a managed folder mailbox policy that applies to the Executives department

1. In the Exchange Management Console, in the Organization Configuration work area, click Mailbox.

2. In the Actions pane, click New Managed Folder Mailbox Policy to start the New Managed Folder Mailbox Policy Wizard.

3. On the New Mailbox Policy page, in the Managed folder mailbox policy name box, type Executives Department Policy.

4. In the Specify the managed folders that you want to link to this policy section, click Add.

5. In the Select Managed Folder dialog box, click Executives Confidential, and then click OK.

6. In the Specify the managed folders that you want to link to this policy section, click Add.

7. In the Select Managed Folder dialog box, click Entire Mailbox, and then click OK.

8. On the New Managed Folder Mailbox Policy page, click New, and then click Finish.

9. In the Exchange Management Shell, type Get-Mailbox | Where-Object {$_.DistinguishedName -ilike '*ou=Executives,dc=adatum,dc=com'} | Set-Mailbox -ManagedFolderMailboxPolicy 'Executives Department Policy', and then press ENTER. This command links the policy to all users in the Executives organizational unit (OU). Get-Mailbox -OrganizationalUnit Executives selects the same mailboxes without the filter.


Task 6: Start the managed folder assistant process

1. In the Exchange Management Console, expand the Server Configuration node, and then click Mailbox.

2. In the Results pane, right-click VAN-EX1, and then click Properties.

3. On the Messaging Records Management tab, in the Schedule the Managed Folder Assistant list, select Use Custom Schedule, and then click Customize.

4. In the Schedule dialog box, select the times from Monday 6:00 A.M. to Friday 6:00 P.M., and then click OK twice.

5. In the Exchange Management Shell, type stop-service msexchangemailboxassistants, and then press ENTER to stop the Microsoft Exchange Mailbox Assistants service.

6. At the prompt, type start-service msexchangemailboxassistants, and then press ENTER to start the Microsoft Exchange Mailbox Assistants service.

Task 7: Confirm that the managed custom folder is created for the Executives department users

1. In the Exchange Management Console, click the Recipient Configuration node.

2. In the Results pane, right-click Marcel Truempy, and then click Properties.

3. On the Mailbox Settings tab, click Messaging Records Management, and then click Properties. Confirm that the Managed folder mailbox policy check box is selected, and that the Executives Department Policy is assigned to the mailbox. Click OK twice.

4. On VAN-EX1, open Internet Explorer and connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Marcel with a password of Pa$$w0rd. Click OK.

5. Confirm that the Executives Confidential folder was created in Marcel’s mailbox under the Managed Folders node. Close Internet Explorer.
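The managed folder, content settings, policies and assignments that Tasks 1 through 7 create in the console can be produced with the cmdlets the console itself calls. The script below is an added example rather than lab text; it assumes the lab's names (VAN-EX1, the Executives OU under adatum.com, the alias Marcel), spells the first policy name with a plain hyphen, and the schedule string and the folder-statistics check at the end are its own additions.

```powershell
# Added example (not from the lab): Tasks 1 to 7 of this exercise from the shell.
# Assumptions: the lab's server, OU and user names; the schedule string uses the
# Weekday.h:mm AM/PM-Weekday.h:mm AM/PM form that Set-MailboxServer accepts.

# Task 1: a managed custom folder whose comment the user cannot collapse in Outlook.
New-ManagedFolder -Name "Executives Confidential" -FolderName "Executives Confidential" `
    -Comment "All confidential items related to Executives group should be posted here. Messages in this folder are valid for 180 days." `
    -MustDisplayCommentEnabled $true

# Task 2: 180-day retention, counted from the day an item is moved into the folder.
New-ManagedContentSettings -Name "Executives Confidential Content Settings" `
    -FolderName "Executives Confidential" -MessageClass * `
    -RetentionEnabled $true -AgeLimitForRetention 180 `
    -TriggerForRetention WhenMoved -RetentionAction MarkAsPastRetentionLimit

# Task 3: 90-day retention for everything, counted from delivery (end date for
# calendar items and recurring tasks), then soft-deleted so users can recover it.
New-ManagedContentSettings -Name "Mailbox Content Settings" `
    -FolderName "Entire Mailbox" -MessageClass * `
    -RetentionEnabled $true -AgeLimitForRetention 90 `
    -TriggerForRetention WhenDelivered -RetentionAction DeleteAndAllowRecovery

# Tasks 4 and 5: the two policies. The Executives policy links both folders.
New-ManagedFolderMailboxPolicy -Name "Default Policy - All Users" `
    -ManagedFolderLinks "Entire Mailbox"
New-ManagedFolderMailboxPolicy -Name "Executives Department Policy" `
    -ManagedFolderLinks "Executives Confidential", "Entire Mailbox"

# -ResultSize Unlimited: Get-Mailbox stops at 1000 results by default, so outside the
# lab the one-liner in Task 4 would silently skip mailboxes.
# -ManagedFolderMailboxPolicyAllowed: answers the Outlook-version warning that the
# lab has you confirm with "A".
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -ManagedFolderMailboxPolicy "Default Policy - All Users" -ManagedFolderMailboxPolicyAllowed
# -OrganizationalUnit selects the same mailboxes as the lab's distinguishedName filter.
Get-Mailbox -OrganizationalUnit "adatum.com/Executives" -ResultSize Unlimited |
    Set-Mailbox -ManagedFolderMailboxPolicy "Executives Department Policy" -ManagedFolderMailboxPolicyAllowed

# Task 6: run the Managed Folder Assistant Monday 06:00 to Friday 18:00, restart the
# service so it reads the schedule, then run one pass now instead of waiting for it.
Set-MailboxServer -Identity VAN-EX1 -ManagedFolderAssistantSchedule "Mon.6:00 AM-Fri.6:00 PM"
Restart-Service MSExchangeMailboxAssistants
Start-ManagedFolderAssistant

# Task 7: which policy each Executives mailbox carries, and whether the custom
# folder has actually been provisioned in Marcel's mailbox.
Get-Mailbox -OrganizationalUnit "adatum.com/Executives" -ResultSize Unlimited |
    Format-Table Name, ManagedFolderMailboxPolicy -AutoSize
Get-MailboxFolderStatistics -Identity Marcel -FolderScope ManagedCustomFolder |
    Format-Table Name, FolderPath, ItemsInFolder -AutoSize
```

The last two commands are the shell form of the check in Task 7: the policy must show on the mailbox first, and the folder appears only after the Managed Folder Assistant has processed that mailbox, which is why the lab restarts the service and runs the assistant before looking in Outlook Web App.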


Task 8: Configure retention tags and retention policies

1. On VAN-EX1, if required, open the Exchange Management Shell.

2. At the PS prompt, type the following cmdlet, and then press ENTER:

New-RetentionPolicyTag DefaultTag -Type:All -MessageClass AllMailboxContent -RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction PermanentlyDelete -IsPrimary:$true

3. At the PS prompt, type the following, and then press ENTER:

New-RetentionPolicyTag InboxTag -Type:Inbox -MessageClass:* -AgeLimitForRetention:30 -RetentionEnabled:$true -RetentionAction:MoveToDeletedItems

4. At the PS prompt, type the following, and then press ENTER:

New-RetentionPolicyTag "Retain for Records" -Type:Personal -MessageClass:* -AgeLimitForRetention:1100 -RetentionEnabled:$true -RetentionAction:MoveToArchive

5. At the PS prompt, type the following, and then press ENTER:

New-RetentionPolicy AllTagsPolicy -RetentionPolicyTagLinks:DefaultTag,InboxTag,"Retain for Records"

Task 9: Apply the retention policy to the Marketing group

1. At the PS prompt, type the following, and then press ENTER:

Get-Mailbox | where-object {$_.distinguishedname -ilike '*ou=Marketing,dc=adatum,dc=com'} |Set-Mailbox -RetentionPolicy AllTagsPolicy

2. Read the confirmation statement, type A, and then press ENTER.

3. At the PS prompt, type the following, and then press ENTER:

Start-ManagedFolderAssistant

4. Open Internet Explorer, and connect to https://van-ex1.adatum.com/owa.

5. Log on as Adatum\Manoj using a password of Pa$$w0rd.


6. Click a message in the Inbox, and then in the reading pane, note the expiration date that the retention policy now shows for the message.

7. Right-click the message, and review the options under the Retention Policy and Archive Policy menu items. Close Internet Explorer.
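Tasks 8 and 9 create the tags and the policy but never check the result beyond one mailbox in Outlook Web App. The script below is an added example, not lab text; it assumes the lab's policy name and the OU path adatum.com/Marketing. It lists what the policy contains, confirms that it links exactly one default tag, shows what each Marketing mailbox now carries, and flags a condition the lab steps do not mention: a tag whose action is MoveToArchive has nowhere to move items for a mailbox that has no archive, and the Marketing archives are only enabled in Exercise 2.

```powershell
# Added example (not from the lab): verification for Tasks 8 and 9.
# Assumptions: policy name AllTagsPolicy and the OU path adatum.com/Marketing.

$policy = Get-RetentionPolicy -Identity AllTagsPolicy
$tags   = $policy.RetentionPolicyTagLinks |
    ForEach-Object { Get-RetentionPolicyTag -Identity $_.Name }

# 1. What the policy carries. A policy can link any number of folder (Inbox) and
#    personal tags but only one default tag (Type All); the default tag governs
#    every item the user has not tagged by hand.
$tags | Format-Table Name, Type, AgeLimitForRetention, RetentionAction, RetentionEnabled -AutoSize
$defaultTags = @($tags | Where-Object { $_.Type -eq "All" })
if ($defaultTags.Count -ne 1) {
    Write-Warning "AllTagsPolicy links $($defaultTags.Count) default tags; exactly one is expected."
}

# 2. What each Marketing mailbox has. RetentionPolicy should read AllTagsPolicy;
#    ManagedFolderMailboxPolicy shows whether the Task 4 policy is still listed,
#    and ArchiveDatabase is empty for a mailbox that has no archive.
$marketing = Get-Mailbox -OrganizationalUnit "adatum.com/Marketing" -ResultSize Unlimited
$marketing | Format-Table Name, RetentionPolicy, ManagedFolderMailboxPolicy, ArchiveDatabase -AutoSize

$marketing | Where-Object { $_.RetentionPolicy -eq $null } |
    ForEach-Object { Write-Warning "$($_.Name) has no retention policy." }

# 3. MoveToArchive needs an archive to move into. Until Exercise 2 enables the
#    Marketing archives, that action has no effect for these mailboxes.
if ($tags | Where-Object { $_.RetentionAction -eq "MoveToArchive" }) {
    $marketing | Where-Object { $_.ArchiveDatabase -eq $null } |
        ForEach-Object { Write-Warning "$($_.Name): policy contains an archive tag, but the mailbox has no archive." }
}
```

Run it again after Exercise 2 and the third set of warnings should be gone; the first two checks are worth keeping as a routine audit, since a policy with no default tag, or a mailbox that silently lost its policy, leaves items with no retention at all.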

Results: After this exercise, you should have configured a managed folder mailbox policy that ensures that all messages in the default mailbox folders are deleted after 90 days, and a custom managed folder so that all members of the Executives department have a folder in their mailbox for confidential messages. You also should have configured retention tags and a retention policy for the Marketing group.


Exercise 2: Configuring Personal Archives

Task 1: Create an archive mailbox for all members of the Marketing group

1. On VAN-EX1, in the Exchange Management Console, expand Recipient Configuration, and then click Mailbox.

2. In the Results pane, click the Organizational Unit column heading to sort the mailbox list by OU.

3. Select all of the mailboxes in the Marketing OU, right-click, click Enable Archive, and then click Yes.

Task 2: Verify that the archive mailbox was created for members of the Marketing group

• Open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Manoj with a password of Pa$$w0rd. Click OK. Verify that the archive mailbox is visible in Outlook Web App.

Results: After this exercise, you should have configured archive mailboxes for all members of the Marketing group.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V™ Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.


Module 10: Securing Microsoft® Exchange Server 2010

Lab 10: Securing Exchange Server 2010

Exercise 1: Configuring Exchange Server Permissions

Task 1: Configure permissions for the ITAdmins group

1. On VAN-EX1, open Active Directory Users and Computers.

2. Click Microsoft Exchange Security Groups, and then double-click Server Management.

3. On the Members tab, click Add.

4. In the Enter the object names to select field, type ITAdmins, and then click OK twice.

Task 2: Configure permissions for the HRAdmins and SupportDesk groups

1. On VAN-EX1, open the Exchange Management Shell. At the PS prompt, type the following command, and then press ENTER:

New-RoleGroup -Name HRAdmins -Roles "Mail Recipients"

2. At the PS prompt, type the following command, and then press ENTER:

New-RoleGroup -Name SupportDesk -Roles "Mail Recipients", "Mail Recipient Creation", "Distribution Groups"

3. On VAN-EX1, open the Exchange Management Console.

4. Expand Microsoft Exchange On-Premises, and click Toolbox.

5. Double-click Role Based Access Control (RBAC) User Editor.

6. Log on as Adatum\administrator using a password of Pa$$w0rd, and then click OK.

7. Click SupportDesk, and then click Details.


8. Under Members, click Add.

9. Add Anna Lidman to the group, and then click OK.

10. Click Save.

11. Click HRAdmins, and then click Details.

12. Under Members, click Add.

13. Add Paul West to the group, click OK, and then click Save.

14. Close Windows® Internet Explorer®.

Task 3: Verify the permissions

1. On VAN-EX2, log on as Shane using a password of Pa$$w0rd.

2. Open the Exchange Management Console, and then click Yes.

3. In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, click Mailbox, and in the Results pane, double-click the Accounting mailbox database.

4. On the Limits tab, clear the Issue warning at (KB) check box, and then click OK.

5. Under Organization Configuration, click Hub Transport. Verify that many of the tabs normally shown in this view are not available. On the Accepted Domains tab, double-click Adatum.com. Verify that you cannot modify the settings, and then click Cancel.

6. Expand Recipient Configuration, click Mailbox, double-click one of the mailboxes, verify that you cannot modify the mailbox properties, and then click Cancel.

7. Log off on VAN-EX2.

8. On VAN-EX1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp.

9. Log on as Adatum\Anna using a password of Pa$$w0rd, and then click OK.

10. On the Mailboxes tab, click Andreas Herbinger, and then click Details.

11. Click Organization, in the Department field, type IT, and then click Save.


12. Click Public Groups. Click Accounting, and then click Details. Verify that you can modify the group properties by typing a group description, and then clicking Save. Close Internet Explorer.

Note: You cannot create or delete user accounts and mailboxes in the Exchange Control Panel. If you want to test whether Anna can create user accounts and mailboxes, add Anna to the local Administrators group on VAN-EX2, log on to VAN-EX2 as Anna, open the Exchange Management Console, and verify that you can create a mailbox. In a production environment, you would instead install the Exchange Management Tools on a Windows 7 client computer rather than give a help desk user local administrator rights on a server.

13. On VAN-EX1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp.

14. Log on as Adatum\Paul using a password of Pa$$w0rd, and then click OK.

15. On the Mailboxes tab, click Franz Kohl, and then click Details.

16. Click Organization, in the Department field, type Customer Service, and then click Save.

17. Verify that the Groups tab is not visible. Close Internet Explorer.
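Task 3 verifies the delegation by clicking through the console as each user. The Exchange Management Shell can answer the same questions directly and, beyond what the lab does, narrow a grant to one part of the directory. The script below is an added example, not part of the lab; the group names from Tasks 1 and 2 are the lab's, while the management scope, its name and the OU path adatum.com/HR are assumptions made for illustration.

```powershell
# Added example (not from the lab): inspect the RBAC grants from Tasks 1 and 2, then
# scope one of them. Assumptions: the scope name and the OU adatum.com/HR exist only
# for this illustration.

# What SupportDesk members can do: one assignment per role, each with a write scope
# that, by default, is the whole organization.
Get-ManagementRoleAssignment -RoleAssignee SupportDesk |
    Format-Table Name, Role, RecipientWriteScope, ConfigWriteScope -AutoSize

# The cmdlets and parameters a role actually exposes (its role entries). This is
# why Anna could edit a group in Task 3 step 12 while Paul, who holds Mail
# Recipients only, never saw the Groups tab in step 17.
Get-ManagementRoleEntry "Distribution Groups\*" | Format-Table Name -AutoSize
Get-ManagementRoleEntry "Mail Recipients\Set-Mailbox" | Format-List Name, Parameters

# Who ends up with a role, through any group: -GetEffectiveUsers expands role group
# membership to individual users, so nested groups do not hide anyone.
Get-ManagementRoleAssignment -Role "Mail Recipients" -GetEffectiveUsers |
    Format-Table EffectiveUserName, RoleAssigneeName, RecipientWriteScope -AutoSize

# Task 1: Server Management contains no recipient role at all, which is why Shane
# could change database limits in Task 3 step 4 but not edit a mailbox in step 6.
Get-ManagementRoleAssignment -RoleAssignee "Server Management" |
    Format-Table Role, ConfigWriteScope -AutoSize

# Least privilege, beyond the lab: "Mail Recipients" as assigned in Task 2 lets
# HRAdmins modify every recipient in the organization. A custom recipient write
# scope limits the assignment to mailboxes under one OU; reads stay organization-wide.
New-ManagementScope -Name "HR Recipients" -RecipientRoot "adatum.com/HR" `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"
Get-ManagementRoleAssignment -RoleAssignee HRAdmins -Role "Mail Recipients" |
    Set-ManagementRoleAssignment -CustomRecipientWriteScope "HR Recipients"

# Confirm the scope took; Paul can now run Set-Mailbox only against HR mailboxes.
Get-ManagementRoleAssignment -RoleAssignee HRAdmins |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

The scope changes what Paul can write, not what he can see: with the scope in place, repeating steps 13 through 16 against Franz Kohl succeeds only if that mailbox sits under the HR OU, and the Exchange Control Panel reports an access error otherwise.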

To prepare for the next exercise

1. On the host computer, in Hyper-V™ Manager, right-click 10135A-VAN-EX2, click Revert, and then click Revert.

2. Start the VAN-TMG and VAN-CL1 virtual machines.

3. Log on to VAN-TMG as Adatum\Administrator, using the password Pa$$w0rd. Do not log on to VAN-CL1 at this point.

Results: After this exercise, you should have configured and verified permissions in the Exchange Server deployment.


Exercise 2: Configuring a Reverse Proxy for Exchange Server Access

Task 1: Prepare the Windows Server 2008 CA to issue certificates with multiple SANs

1. On VAN-DC1, click Start, in the search box, type cmd.exe, and then press ENTER.

2. At the command prompt, type certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2, and then press ENTER.

3. At the command prompt, type net stop certsvc & net start certsvc, and then press ENTER.

Note: This flag makes the CA honor a subject alternative name supplied as a request attribute (san:dns=...) for every template it issues, regardless of the template's own subject-name settings. It is a well-known CA misconfiguration: anyone who can enroll for any template on that CA can then obtain a certificate that names a different principal. The request that the wizard in Task 2 produces already carries its names inside the request, and the Web Server template takes its subject from the request, so the flag is not what makes the lab work. It is acceptable on the isolated lab CA; on a production CA leave it off and issue SAN certificates from a template whose subject is supplied in the request and whose enrollment permissions are restricted to the administrators who issue server certificates.

Task 2: Request a server certificate with multiple SANs on the Client Access server

1. On VAN-EX1, in the Exchange Management Console, click Server Configuration.

2. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard.

3. On the Introduction page, type Adatum Mail Certificate as the friendly name for the certificate, and then click Next.

4. On the Domain Scope page, click Next.

5. On the Exchange Configuration page, expand Client Access server (Outlook Web App), select the Outlook Web App is on the Intranet check box, and then type VAN-EX1.adatum.com in the domain name box.

6. Select the Outlook Web App is on the Internet check box, and then type Mail.adatum.com in the second text box.

7. Expand Client Access server (Exchange ActiveSync), and then verify that the Exchange Active Sync is enabled check box is selected. Type mail.adatum.com as the domain name.

8. Expand Client Access server, (Web Services, Outlook Anywhere, and Autodiscover), and then enter mail.adatum.com as the external host name.

9. Ensure that both the Autodiscover used on the Internet check box and the Long URL option are selected. In the Autodiscover URL to use field, delete all entries except for autodiscover.adatum.com, and then click Next.


10. On the Certificate Domains page, click Next.

11. On the Organization and Location page, enter the following information:

• Organization: A Datum

• Organizational Unit: Messaging

• Country/region: Canada

• City/locality: Vancouver

• State/province: BC

12. Click Browse, type CertRequest as the File name, and then click Save.

13. Click Next, click New, and then click Finish.

14. Click the Folder icon in the task bar, and then click Documents.

15. Right-click CertRequest.req, and then click Open.

16. In the Windows dialog box, click Select a program from a list of installed programs, and then click OK.

17. In the Open with dialog box, click Notepad, and then click OK.

18. In the CertRequest.req – Notepad window, press CTRL+A to select all of the text, press CTRL+C to copy it to the clipboard, and then close Notepad.

19. Click Start, click All Programs, and then click Internet Explorer.

20. Connect to https://van-dc1.adatum.com/certsrv.

21. Log on as Adatum\administrator using a password of Pa$$w0rd.

22. On the Welcome page, click Request a certificate.

23. On the Request a Certificate page, click advanced certificate request.

24. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded CMC or PKCS#7 file.

25. On the Submit a Certificate Request or Renewal Request page, click in the Saved Request field, and then press CTRL+V to paste the certificate request information into the field.

26. In the Certificate Template drop-down list, click Web Server, and then click Submit.

27. In the Web Access Confirmation dialog box, click Yes.


28. On the Certificate Issued page, click Download certificate.

29. In the File Download dialog box, click Save.

30. In the Save As dialog box, browse to the C: drive, and then click Save.

31. In the Download complete dialog box, click Close.

32. In the Exchange Management Console, click Adatum Mail Certificate, and then click Complete Pending Request.

33. On the Complete Pending Request page, click Browse.

34. Browse to the C: drive, click certnew.cer, click Open, click Complete, and then click Finish.

35. On the Exchange Certificates tab, click Adatum Mail Certificate, and then click Assign Services to Certificate.

36. On the Select Servers page, click Next.

37. On the Select Services page, select the Internet Information Services check box, click Next, click Assign, and then click Finish.

Task 3: Export the certificate from the Client Access server

1. On VAN-EX1, right-click Adatum Mail Certificate, and then click Export Exchange Certificate.

2. On the Introduction page, click Browse, and then browse to drive C.

3. Type CertExport.pfx as the file name, and then click Save.

4. In the Password field, type Pa$$w0rd, click Export, and then click Finish.

Task 4: Import the certificate on the TMG server

1. On VAN-TMG, click Start. In the Search box, type MMC, and then press ENTER.

2. On the File menu, click Add/Remove Snap-in.

3. On the Add or Remove Snap-ins page, click Certificates, and then click Add.

4. Click Computer account, click Next, click Finish, and then click OK.


5. Expand Certificates, right-click Personal, point to All Tasks, and then click Import.

6. On the Certificate Import Wizard page, click Next.

7. On the File to Import page, type \\VAN-EX1\C$\CertExport.pfx, and then click Next.

8. On the Password page, type Pa$$w0rd in the Password field, and then click Next.

9. On the Certificate Store page, click Next, and then click Finish.

10. Click OK, and then close Console1 without saving changes. Once the import succeeds, delete CertExport.pfx from the C: drive of VAN-EX1: the file contains the private key, protected only by the password from Task 3, and it is readable by anyone with access to the administrative share.
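Tasks 2 through 4 take the console and MMC route. The Exchange Management Shell route below is an added example, not lab text; it assumes the lab's host names and password, and the CA configuration string VAN-DC1.adatum.com\AdatumCA is an assumption (certutil -dump on VAN-DC1 prints the real one). It adds two checks the lab does not make: that the issued certificate really carries every name the publishing rule and Autodiscover will need, and that the exported PFX is removed from the share once TMG has it.

```powershell
# Added example (not from the lab): Tasks 2 to 4 from the shell.
# Assumptions: the lab's host names and password; the CA config string is a guess.

# --- Task 2, on VAN-EX1 -------------------------------------------------------
# One request carrying every name clients will connect to. The key is marked
# exportable only because Task 3 has to move it to the TMG server.
$required = "mail.adatum.com", "autodiscover.adatum.com", "VAN-EX1.adatum.com"
$request  = New-ExchangeCertificate -GenerateRequest -FriendlyName "Adatum Mail Certificate" `
    -SubjectName "C=CA, S=BC, L=Vancouver, O=A Datum, OU=Messaging, CN=mail.adatum.com" `
    -DomainName $required -PrivateKeyExportable $true
Set-Content -Path C:\CertRequest.req -Value $request

# Submit to the enterprise CA with the Web Server template (steps 20 to 31 without
# the web enrollment pages). The -config value is an assumption; see certutil -dump.
certreq -submit -config "VAN-DC1.adatum.com\AdatumCA" `
    -attrib "CertificateTemplate:WebServer" C:\CertRequest.req C:\certnew.cer

# Complete the pending request and bind the certificate to IIS (steps 32 to 37).
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path C:\certnew.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Check the SAN list before publishing anything: a name missing here surfaces later
# as a certificate warning in Outlook Anywhere or Autodiscover, not at issuance.
$present = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = $required | Where-Object { $present -notcontains $_.ToLower() }
if ($missing) { Write-Warning ("Certificate lacks: " + ($missing -join ", ")) }
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, CertificateDomains, Services, NotAfter

# --- Task 3, on VAN-EX1 -------------------------------------------------------
# Single quotes matter: in double quotes PowerShell expands $$ to the process ID,
# and the PFX would be protected with a different password than you think.
$pfxPassword = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path C:\CertExport.pfx -Value $pfx.FileData -Encoding Byte

# --- Task 4, on VAN-TMG (elevated prompt) -------------------------------------
# certutil imports into the local computer's Personal store by default. The PFX
# holds the private key, so remove it from the administrative share once it is in.
certutil -f -p 'Pa$$w0rd' -importPFX \\VAN-EX1\C$\CertExport.pfx
Remove-Item \\VAN-EX1\C$\CertExport.pfx
```

Get-ExchangeCertificate on VAN-EX1 afterwards should list the certificate with Services set to IIS; if it still shows None, the binding step did not run and Outlook Web App continues to present the self-signed certificate that setup created.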

Task 5: Configure an Outlook Web Access publishing rule

1. On VAN-TMG, click Start, point to All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.

2. Expand Forefront TMG (VAN-TMG), and then click Firewall Policy.

3. On the Firewall Policy Tasks pane, on the Tasks tab, click Publish Exchange Web Client Access.

4. On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA Rule, and then click Next.

5. On the Select Services page, in the Exchange version list, click Exchange Server 2010, select the Outlook Web Access check box, and then click Next.

6. On the Publishing Type page, click Next.

7. On the Server Connection Security page, ensure that Use SSL to connect the published Web server or server farm is configured, and then click Next.

8. On the Internal Publishing Details page, in the Internal site name text box, type VAN-EX1.Adatum.com, and then click Next.

9. On the Public Name Details page, ensure that This domain name (type below) is configured in the Accept requests for drop-down list. In the Public name box, type mail.Adatum.com, and then click Next.

10. On the Select Web Listener page, click New.

11. On the Welcome to the New Web Listener Wizard page, type HTTPS Listener, and then click Next.


12. On the Client Connection Security page, ensure that Require SSL secured connections with clients is selected, and then click Next.

13. On the Web Listener IP Addresses page, select the External check box, and then click Next.

14. On the Listener SSL Certificates page, click Select Certificate.

15. In the Select Certificate dialog box, click mail.adatum.com, click Select, and then click Next.

16. On the Authentication Settings page, accept the default of HTML Form Authentication, and then click Next.

17. On the Single Sign On Settings page, type Adatum.com as the single sign-on (SSO) domain name, click Next, and then click Finish.

18. On the Select Web Listener page, click Next.

19. On the Authentication Delegation page, accept the default of Basic authentication, and then click Next.

20. On the User Sets page, accept the default, and then click Next.

21. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.

22. Click Apply twice to apply the changes, and then click OK when the changes have been applied.

Task 6: Configure the Client Access server

1. On VAN-EX1, in the Exchange Management Console, expand Server Configuration, and click Client Access.

Note: During this task, click OK to dismiss any messages that indicate that VAN-EX2 is not accessible.

2. On the Outlook Web App tab, double-click owa (Default Web Site).

3. In the External URL box, type https://mail.adatum.com/owa.

4. On the Authentication tab, click Use one or more standard authentication methods, select the Basic Authentication (password is sent in clear text) check box, and click OK twice. Basic authentication is required here because the TMG publishing rule delegates the user's credentials to the Client Access server by using Basic authentication (Task 5, step 19); the credentials travel only inside the SSL connection between TMG and VAN-EX1 that Task 5, step 7 configured, never in clear text on the network.


5. On the Exchange Control Panel tab, double-click ecp (Default Web Site).

6. In the External URL box, type https://mail.adatum.com/ecp.

7. On the Authentication tab, click Use one or more standard authentication methods, select the Basic Authentication (password is sent in clear text) check box, and click OK twice.

8. Open the Exchange Management Shell. At the PS prompt, type IISReset, and then press ENTER.

Note: If you receive a message stating that the service did not start, start the World Wide Web service in the Services console.

Task 7: Test the Outlook Web App publishing rule

1. On the host computer, in Hyper-V Manager, right-click 10135A-VAN-CL1, and then click Settings.

2. Click Network Adapter, and in the Network drop-down list, click Private Network 2, and then click OK.

3. On VAN-CL1, log on as Adatum\Administrator using a password of Pa$$w0rd.

4. Open the Control Panel, and then click View network status and tasks.

5. Click Change adapter settings.

6. Right-click Local Area Connection 3, and then click Properties.

7. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

8. Change the IP address to 131.107.0.50, change the Default Gateway to 131.107.0.1, click OK, and then click Close. Close the Control Panel.

9. Click Start, and in the search field, type notepad c:\windows\system32\drivers\etc\hosts, and then press ENTER.

10. At the bottom of the hosts file, type 131.107.1.1 mail.adatum.com, and then save and close the file.

11. Open Internet Explorer, and then connect to https://mail.adatum.com/owa.

12. Log on as adatum\administrator using a password of Pa$$w0rd, click OK, and then verify that you access the user mailbox.


13. In the Microsoft Outlook Web App window, click Options. Verify that you can connect to the Exchange Control Panel.

14. Close Internet Explorer.
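Task 6 has a direct shell equivalent, and Task 7 can check more than that the logon page appears: from the client you can pull the certificate the TMG listener actually presents and confirm that it is the multi-SAN certificate from Task 2, which is what a user's browser will judge. The script below is an added example, not lab text; it assumes the lab's names, that mail.adatum.com resolves to the listener (the hosts-file entry from Task 7, step 10), and that the client runs PowerShell 2.0, as Windows 7 does.

```powershell
# Added example (not from the lab): Task 6 from the shell, then a certificate check
# for Task 7. Assumptions: the lab's host names and the Task 7 hosts-file entry.

# --- Task 6, on VAN-EX1 -------------------------------------------------------
# The TMG rule delegates credentials with Basic authentication (Task 5, step 19),
# so the virtual directories must accept Basic. Turning forms authentication off is
# what the "Use one or more standard authentication methods" option does.
Set-OwaVirtualDirectory -Identity "VAN-EX1\owa (Default Web Site)" `
    -ExternalUrl "https://mail.adatum.com/owa" -FormsAuthentication $false -BasicAuthentication $true
Set-EcpVirtualDirectory -Identity "VAN-EX1\ecp (Default Web Site)" `
    -ExternalUrl "https://mail.adatum.com/ecp" -FormsAuthentication $false -BasicAuthentication $true
iisreset /noforce
Get-OwaVirtualDirectory -Server VAN-EX1 | Format-List ExternalUrl, FormsAuthentication, BasicAuthentication

# --- Task 7, on VAN-CL1 -------------------------------------------------------
function Get-ListenerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any chain during the handshake so the lab's private CA does not abort
    # it; the checks that matter are made explicitly below.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

$cert = Get-ListenerCertificate -HostName "mail.adatum.com"
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } | ForEach-Object { $_.Format($false) }
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
"Subject Alternative Name: $san"

# Two things a browser checks that a successful logon page does not prove: the name
# in the URL is in the certificate, and the certificate is not about to expire.
if ($san -notmatch "mail\.adatum\.com") { Write-Warning "Listener certificate does not name mail.adatum.com." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Listener certificate expires on $($cert.NotAfter)." }
```

The thumbprint printed here should match the Adatum Mail Certificate on VAN-EX1; if it does not, the listener is using a different certificate than the one selected in Task 5, step 15, and users will see a name mismatch even though the publishing rule itself works.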

Results: After this exercise, you should have configured a Forefront® Threat Management Gateway server to enable access to Outlook Web App on the Client Access server. You also will have verified that the access is configured correctly.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it is fully started before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.


Module 11: Maintaining Microsoft® Exchange Server 2010

Lab: Maintaining Exchange Server 2010

Exercise 1: Monitoring Exchange Server 2010

Task 1: Create a new data collector set named Exchange Monitoring

1. On VAN-EX1, click Start, click Administrative Tools, and then click Performance Monitor.

2. In the Navigation pane, expand Data Collector Sets, and then click User Defined.

3. On the Action menu, click New, and then click Data Collector Set.

4. In the Create new Data Collector Set Wizard, in the Name box, type Exchange Monitoring, select Create manually (Advanced), and then click Next.

5. Select the Performance Counter check box, and then click Finish.

Task 2: Create a new performance counter data collector for monitoring basic Exchange Server performance

1. In Performance Monitor, in the Navigation pane, expand Data Collector Sets, expand User Defined, click Exchange Monitoring, click the Action menu, click New, and then click Data Collector.

2. In the Create New Data Collector Wizard, in the Name box, type Base Exchange Monitoring, select Performance counter data collector, and then click Next.

3. Click Add.

4. In the Available counters object list, expand Processor, and then click % Processor Time. Press and hold the CTRL key, click % User Time, click % Privileged Time, and then click Add.


5. In the Available counters object list, expand Memory, and then click Available Mbytes. Press and hold the CTRL key, click Page Reads/sec, click Pages Input/sec, click Pages/sec, click Pages Output/sec, click Pool Paged Bytes, click Transition Pages Repurposed/sec, and then click Add.

6. In the Available counters object list, expand MSExchange ADAccess Domain Controllers, and then click LDAP Read Time. Press and hold the CTRL key, and click LDAP Search Time, click LDAP Searches timed out per minute, click Long running LDAP operations/Min, and then click Add.

7. In the Available counters object list, expand System, click Processor Queue Length, and then click Add.

8. Click OK.

9. In the Create New Data Collector Wizard, in the Sample interval box, type 1, and then in the Units dropdown menu, select Minutes and click Finish to create the data collector set.

Task 3: Create a new performance counter data collector for monitoring Mailbox server role performance

1. In Performance Monitor, in the Navigation pane, click Exchange Monitoring, click the Action menu, click New, and then click Data Collector.

2. In the Create New Data Collector Wizard, in the Name box, type Mailbox Role Monitoring, select Performance counter data collector, and then click Next.

3. Click Add.

4. In the Available counters object list, expand LogicalDisk, and then click Avg. Disk sec/Read. Press and hold the CTRL key, and click Avg. Disk sec/Transfer, click Avg. Disk sec/Write, and then click Add.

5. In the Available counters object list, expand MSExchangeIS, and then click RPC Averaged Latency. Press and hold the CTRL key, and click RPC Num Slow Packets, click RPC Operations/sec, click RPC Requests, and then click Add.

6. In the Available counters object list, expand MSExchangeIS Mailbox, click Messages Queued for Submission, and then click Add.

Module 11: Maintaining Microsoft® Exchange Server 2010 L11-129

7. In the Available counters object list, expand MSExchangeIS Public, click Messages Queued for Submission, and then click Add.

8. Click OK.

9. In the Create New Data Collector Wizard, in the Sample interval box, type 1, and in the Units drop-down menu, select Minutes, and then click Finish to create the data collector set.

Task 4: Verify that the data collector set works properly

1. In the Reliability and Performance Monitor, in the Navigation pane, click Exchange Monitoring, click the Action menu, and then click Start.

2. After at least five minutes, click the Action menu, and then click Stop.

3. In the Navigation pane, expand Reports, expand User Defined, expand Exchange Monitoring, click VAN-EX1_DateTime, and then review the report.

4. Close the Performance Monitor.

Results: After this exercise, you should have created a data collector set for monitoring VAN-EX1 that uses the performance counters that this module recommends.
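The data collector set built in Tasks 2 and 3 records the counters to a log for later review. The script below is an added example, not part of the course lab files, that samples the same counters from the Exchange Management Shell on VAN-EX1 and flags values outside a limit, which is useful as a quick spot check while the collector set runs. The limits are illustrative assumptions chosen for this example, not values the course states; the function name Test-ExchangeCounters is also an assumption.

```powershell
# Added example (not part of the course lab): spot-check the counters that the
# Exchange Monitoring data collector set records and flag values outside an
# illustrative limit. Run in the Exchange Management Shell on VAN-EX1.
# Limits are assumptions for demonstration; tune them for your environment.

$checks = @(
    # Path = counter path; Limit = threshold; Op = 'gt' flags values above the
    # limit, 'lt' flags values below it.
    @{ Path = '\Processor(_Total)\% Processor Time';                         Limit = 75;    Op = 'gt' },
    @{ Path = '\System\Processor Queue Length';                              Limit = 5;     Op = 'gt' },
    @{ Path = '\Memory\Available MBytes';                                    Limit = 100;   Op = 'lt' },
    @{ Path = '\Memory\Pages/sec';                                           Limit = 1000;  Op = 'gt' },
    @{ Path = '\MSExchange ADAccess Domain Controllers(*)\LDAP Read Time';   Limit = 50;    Op = 'gt' },
    @{ Path = '\MSExchange ADAccess Domain Controllers(*)\LDAP Search Time'; Limit = 50;    Op = 'gt' },
    @{ Path = '\LogicalDisk(*)\Avg. Disk sec/Read';                          Limit = 0.020; Op = 'gt' },
    @{ Path = '\LogicalDisk(*)\Avg. Disk sec/Write';                         Limit = 0.020; Op = 'gt' },
    @{ Path = '\MSExchangeIS\RPC Averaged Latency';                          Limit = 50;    Op = 'gt' },
    @{ Path = '\MSExchangeIS\RPC Requests';                                  Limit = 70;    Op = 'gt' },
    @{ Path = '\MSExchangeIS Mailbox(*)\Messages Queued for Submission';     Limit = 50;    Op = 'gt' }
)

function Test-ExchangeCounters {
    param([int]$Samples = 3, [int]$IntervalSeconds = 5)

    # Keep only the counters that exist on this server (for example, MSExchangeIS
    # counters are absent on a server without the Mailbox role).
    $paths = @()
    foreach ($c in $checks) {
        if (Get-Counter -Counter $c.Path -MaxSamples 1 -ErrorAction SilentlyContinue) {
            $paths += $c.Path
        }
    }

    # Collect all remaining counters in one pass and flatten the sample sets.
    $samples = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples |
        ForEach-Object { $_.CounterSamples }

    # Average each concrete counter instance over the samples.
    $averages = $samples | Group-Object -Property Path | ForEach-Object {
        New-Object PSObject -Property @{
            Path    = $_.Name
            Average = ($_.Group | Measure-Object -Property CookedValue -Average).Average
        }
    }

    foreach ($avg in $averages) {
        # Sampled paths carry the machine name and a concrete instance, so match
        # them back to the check definition with a regex built from the check path.
        $check = $checks | Where-Object {
            $pattern = [regex]::Escape($_.Path) -replace '\\\(\\\*\\\)', '\([^\)]*\)'
            $avg.Path -match ($pattern + '$')
        } | Select-Object -First 1
        if (-not $check) { continue }

        $bad = if ($check.Op -eq 'gt') { $avg.Average -gt $check.Limit } else { $avg.Average -lt $check.Limit }
        $state = if ($bad) { 'WARN' } else { 'ok  ' }
        '{0} {1,-75} {2,12:N3} (limit {3})' -f $state, $avg.Path, $avg.Average, $check.Limit
    }
}

Test-ExchangeCounters
```

The script is a point-in-time check; the data collector set remains the right tool for the one-minute sampling over a longer window that the lab configures. A value over the limit on a single run is a prompt to look at the collector report, not proof of a problem.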

Exercise 2: Troubleshooting Database Availability

Preparation

Before you begin this exercise, complete the following steps:

1. On VAN-EX1, open an Exchange Management Shell. At the prompt, type d:\Labfiles\Lab11Prep2.ps1, and then press ENTER.

2. When prompted, type N, and then press ENTER.

3. Close the Exchange Management Shell.

Task 1: Identify the scope of the problem

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.

3. In the Work pane, click the Database Management tab, and then view the list of databases, noting that MailboxDB100 is dismounted.

Task 2: Review the event logs

1. In the Work pane, right-click MailboxDB100, and then click Mount Database. Review the warning message (it reports that database files are missing and that mounting would create an empty database, which would not contain the existing mailbox data), and then click No.

2. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Event Viewer.

3. In Event Viewer, in the Navigation pane, expand Windows Logs, click Application, and then in the Content pane, review recent events. Click recent events whose source is one of the MSExchange services, and then review the details of the error in the lower half of the Content pane.

4. In the Navigation pane, click System, and then in the Content pane, review recent events. No notable events are present.

5. Close Event Viewer.

Task 3: Run the Best Practices Analyzer

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, and then expand Toolbox.

3. In the Work pane, double-click Best Practices Analyzer.

4. In the Microsoft Exchange Best Practice Analyzer, if prompted, select Do not check for updates on startup, select I don’t want to join the program at this time, and then click Go to the Welcome screen.

5. On the Welcome to the Exchange Best Practices Analyzer page, click Select options for a new scan.

6. On the Connect to Active Directory page, click Connect to the Active Directory server.

7. On the Start a new Best Practices scan page, in the Enter an identifying label for this scan box, type VAN-EX1 Scan, and then click Unselect all.

8. In the Specify the scope for this scan box, select VAN-EX1, verify that Health Check is selected, and then click Start scanning to start the best practices scan process.

9. On the Scanning completed page, click View a report of this Best Practices scan. Verify that there are no errors listed that may have caused this issue.

Task 4: List the probable causes of the problem, and rank the possible solutions, if multiple options exist

• List the problems and possible solutions:

Problem: Disk errors are preventing access to the database.
Possible solution: Replace disks and restore from backup.

Problem: Database path is incorrect because of storage changes.
Possible solution: Change storage or database configuration.

Task 5: Review the database configuration

1. On VAN-EX1, in Exchange Management Console, under Organization Configuration, click Mailbox.

2. In the Work pane, click the Database Management tab, and then click MailboxDB100.

3. Expand the Database File Path column, and then identify the database file location.

4. Click Start, click All Programs, click Accessories, and then click Windows Explorer.

5. In the Navigation pane, expand Computer, expand Local Disk (C:), expand Program Files, expand Microsoft, expand Exchange Server, expand V14, expand Mailbox. Verify that the MailboxDB100-NewPath folder does not exist.

6. In the Navigation pane, click MailboxDB100, and locate the database files. This is the actual location of the database files; the configuration points to the wrong path.

7. Close Windows® Explorer.

Task 6: Reconfigure and mount the database

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

2. In the Exchange Management Shell, type the following cmdlet on one line, and then press ENTER. The -ConfigurationOnly switch updates the database paths stored in Active Directory without moving any files, so the paths you supply must match where the files actually are.

Move-DatabasePath MailboxDB100 -LogFolderPath "C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\MailboxDB100" -EdbFilePath "C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\MailboxDB100\MailboxDB100.edb" -ConfigurationOnly -Force

3. Type Y, and then press ENTER.

4. In the Exchange Management Shell, type Mount-Database MailboxDB100, and then press ENTER.

5. Close Exchange Management Shell.

Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Mailbox server problem.
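The fix in Task 6 is safe only because the database files were found first (Task 5) and the configuration was repointed at them; mounting a database whose configured .edb file is absent would create an empty database instead. The script below is an added example, not part of the course lab files, that automates that check from the Exchange Management Shell: it compares the configured path with the file system, searches for a misplaced .edb, reads the database header with eseutil /mh, and only then proposes the repoint and mount with -WhatIf. The function name Test-DatabaseFilePath, the search root, and the use of -WhatIf are choices made for this example.

```powershell
# Added example (not from the course lab): verify a dismounted database's file
# path before mounting it. Run in the Exchange Management Shell on the Mailbox
# server that hosts the database. The search root is an assumption.

function Test-DatabaseFilePath {
    param(
        [Parameter(Mandatory = $true)][string]$Database,
        [string]$SearchRoot = 'C:\Program Files\Microsoft\Exchange Server\V14\Mailbox'
    )

    $db = Get-MailboxDatabase -Identity $Database -Status
    $result = New-Object PSObject -Property @{
        Database       = $db.Name
        Mounted        = $db.Mounted
        ConfiguredEdb  = $db.EdbFilePath.PathName
        ConfiguredLogs = $db.LogFolderPath.PathName
        EdbExists      = Test-Path -LiteralPath $db.EdbFilePath.PathName
        FoundEdb       = $null
        HeaderState    = $null
    }

    if (-not $result.EdbExists) {
        # The configuration points at a file that is not there. Look for a file
        # with the expected name instead of mounting: Mount-Database on a missing
        # .edb offers to create an empty database, which orphans the real data.
        $found = Get-ChildItem -Path $SearchRoot -Recurse -Filter "$($db.Name).edb" -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        if ($found) { $result.FoundEdb = $found.FullName }
    }

    $edb = if ($result.EdbExists) { $result.ConfiguredEdb } else { $result.FoundEdb }
    if ($edb) {
        # eseutil /mh dumps the database header. The State line shows whether the
        # last shutdown was clean (safe to mount) or dirty (log replay needed).
        # On a mounted database the file is locked and no State line is returned.
        $eseutil = Join-Path $env:ExchangeInstallPath 'Bin\eseutil.exe'
        $header = & $eseutil /mh $edb 2>&1
        $stateLine = $header | Where-Object { $_ -match '^\s*State:' } | Select-Object -First 1
        if ($stateLine) { $result.HeaderState = ($stateLine -replace '^\s*State:\s*', '').Trim() }
    }
    return $result
}

$r = Test-DatabaseFilePath -Database 'MailboxDB100'
$r | Format-List Database, Mounted, ConfiguredEdb, EdbExists, FoundEdb, HeaderState

if (-not $r.EdbExists -and $r.FoundEdb) {
    # Repoint the configuration only (no file copy). Remove -WhatIf to apply.
    Move-DatabasePath -Identity $r.Database `
        -EdbFilePath $r.FoundEdb `
        -LogFolderPath (Split-Path -Parent $r.FoundEdb) `
        -ConfigurationOnly -Confirm:$false -WhatIf
}

if ($r.HeaderState -eq 'Clean Shutdown') {
    Mount-Database -Identity $r.Database -WhatIf   # remove -WhatIf to mount
} else {
    Write-Warning "Header state is '$($r.HeaderState)'; do not mount until the log files are replayed or the state is understood."
}
```

The script assumes the log files live next to the .edb file, as they do in the lab; in a deployment that keeps logs on a separate volume, set -LogFolderPath from the same search rather than from Split-Path.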

Exercise 3: Troubleshooting Client Access Servers

Preparation

Before you begin this exercise, complete the following steps:

1. On VAN-EX1, open Exchange Management Shell. At the prompt, type d:\Labfiles\Lab11Prep3.ps1, and then press ENTER.

2. Close the Exchange Management Shell.

Task 1: Verify the problem by attempting to reproduce the problem

1. On VAN-EX1, open Windows Internet Explorer®, and connect to https://VAN-EX1.adatum.com/owa.

2. Note the error displayed in the browser: HTTP Error 401.2 - Unauthorized. IIS returns substatus 401.2 when the logon fails because of the server configuration, typically because no authentication method that the browser can use is enabled on the virtual directory.

Task 2: Review the event logs

1. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Event Viewer.

2. In Event Viewer, in the Navigation pane, expand Windows Logs, click Application, and then in the Content pane, review recent events. No events point to the problem.

3. In the Navigation pane, click System, and then in the Content pane, review recent events.

4. Close Event Viewer.

Task 3: Use the Test cmdlets to verify server health

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

2. In the Exchange Management Shell, type Test-ServiceHealth, and then press ENTER. Verify that the output does not list any required services that are not running.

3. In the Exchange Management Shell, type Test-OwaConnectivity -URL https://VAN-EX1.adatum.com/owa -TrustAnySSLCertificate, and then press ENTER. The -TrustAnySSLCertificate switch disables certificate validation for the test; use it only against lab servers.

4. In the Windows PowerShell Credential Request dialog box, in the User name box, type Adatum\Administrator, and in the Password box, type Pa$$w0rd, and then click OK.

5. Note the authentication errors.

6. Close Exchange Management Shell.

Task 4: List the probable causes of the problem, and rank the possible solutions if multiple options exist

• List the problems and possible solutions:

Problem: Internet Information Services (IIS) is not configured correctly.
Possible solution: Modify the IIS configuration.

Problem: Microsoft Outlook® Web App authentication is not configured correctly.
Possible solution: Modify the Outlook Web App authentication configuration.

Task 5: Check the Outlook Web App configuration

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Client Access.

Note: During this task, click OK to dismiss any messages that indicate that VAN-EX2 is not accessible.

3. In the upper portion of the Work pane, click VAN-EX1, and then in the lower portion of the Work pane, select the Outlook Web App tab. Right-click owa (Default Web Site), and then click Properties.

4. In the owa (Default Web Site) Properties dialog box, click the Authentication tab, select Use forms-based authentication, and then click OK.

5. Review the Microsoft Exchange Warning, and then click OK.

6. Click Start, click All Programs, click Accessories, and then click Command Prompt.

7. At the command prompt, type iisreset, and then press ENTER.

Note: If you receive an error indicating that the service did not start, start the World Wide Web Service in Services management console.

8. Close the command prompt.

Task 6: Verify that you resolved the problem

1. Open Internet Explorer, and connect to https://VAN-EX1.adatum.com/owa.

2. Log on to Outlook Web App as Adatum\Administrator using the password Pa$$w0rd.

3. Confirm that Administrator can now access Outlook Web App, and then close Internet Explorer.

Results: After this exercise, you should have used a troubleshooting technique to identify and fix a Client Access server problem.
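The console steps in Task 5 set forms-based authentication on the owa virtual directory. The script below is an added example, not part of the course lab files, that performs the same diagnosis and fix from the Exchange Management Shell: it reads which authentication methods are enabled on the virtual directory, reports whether the 401.2 seen in Task 1 is explained by none being enabled, proposes the change with -WhatIf, and re-runs the connectivity test. The function name Get-OwaAuthState is an assumption; the identity, URL and credential are those the lab uses.

```powershell
# Added example (not from the course lab): diagnose an HTTP 401.2 on /owa by
# checking the authentication methods enabled on the Outlook Web App virtual
# directory, then test connectivity. Run in the Exchange Management Shell.

function Get-OwaAuthState {
    param([string]$Identity = 'VAN-EX1\owa (Default Web Site)')

    $owa = Get-OwaVirtualDirectory -Identity $Identity
    $methods = @{
        Forms   = $owa.FormsAuthentication
        Basic   = $owa.BasicAuthentication
        Windows = $owa.WindowsAuthentication
        Digest  = $owa.DigestAuthentication
    }
    $enabled = @($methods.Keys | Where-Object { $methods[$_] })

    # IIS answers 401.2 ("Logon failed due to server configuration") when the
    # directory offers no authentication method the client can use, which is
    # what an empty $enabled list means here.
    New-Object PSObject -Property @{
        Identity    = $Identity
        Enabled     = ($enabled -join ', ')
        Likely401_2 = ($enabled.Count -eq 0)
        InternalUrl = $owa.InternalUrl
        ExternalUrl = $owa.ExternalUrl
    }
}

$state = Get-OwaAuthState
$state | Format-List Identity, Enabled, Likely401_2, InternalUrl, ExternalUrl

if ($state.Likely401_2) {
    # Forms-based authentication is enabled together with Basic authentication
    # (the logon form submits the credentials over the SSL session). Remove
    # -WhatIf to apply, then run "iisreset /noforce" so IIS picks up the change.
    Set-OwaVirtualDirectory -Identity $state.Identity `
        -FormsAuthentication $true -BasicAuthentication $true -WhatIf
}

# Re-test after the change. -TrustAnySSLCertificate disables certificate
# validation and is appropriate only against the lab server.
$cred = Get-Credential -Credential 'Adatum\Administrator'
Test-OwaConnectivity -URL 'https://VAN-EX1.adatum.com/owa' `
    -MailboxCredential $cred -TrustAnySSLCertificate |
    Format-List ClientAccessServer, Scenario, Result, Latency, Error
```

Because forms-based authentication carries the password in the form post, it is only acceptable over HTTPS; the lab already publishes /owa on an SSL site, and the check above does not change that binding.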

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V™ Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. In the Virtual Machines pane, click 10135A-VAN-DC1, and then in the Actions pane, click Start.

5. To connect to the virtual machine for the next module’s lab, click 10135A-VAN-DC1, and then in the Actions pane, click Connect.

Important: Start the VAN-DC1 virtual machine first, and ensure that it starts fully before starting the other virtual machines.

6. Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7. Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.

Appendix A: Implementing Unified Messaging

Lab: Implementing Unified Messaging

Exercise 1: Installing and Configuring Unified Messaging Features

Lab preparation

1. On the host computer, open Hyper-V™ Manager.

2. Right-click 10135A-VAN-EX2, and then click Settings.

3. Click DVD Drive, click Image file, and then click Browse.

4. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCH201064.iso, and then click Open.

5. Click OK.

Task 1: Install the Desktop Experience feature

1. On VAN-EX2, close the AutoPlay dialog box.

2. Open Server Manager, click Features, and then click Add Features.

3. On the Select Features page, select the Desktop Experience check box, click Add required features, click Next, and then click Install.

4. Click Close, and then when prompted, click Yes to restart the computer.

5. After the computer restarts, log on as Adatum\Administrator. Wait for the installation to finish, and then click Close.

Task 2: Install the Unified Messaging role

1. On VAN-EX2, click Start, and then click Control Panel.

2. In Control Panel, click Programs, and then click Programs and Features.

3. In Control Panel, on the Programs and Features page, select Microsoft Exchange Server 2010, and then click Change.

4. In Exchange Server 2010 Setup, click Next.

5. On the Server Role Selection page, click Unified Messaging Role, and then click Next.

6. On the Readiness Checks page, click Install.

7. On the Completion page, click Finish.

Task 3: Install the German language pack

1. On the host computer, in Hyper-V Manager, right-click 10135A-VAN-EX2, and then click Settings.

2. Click DVD Drive, click Image file, and then click Browse.

3. Browse to C:\Program Files\Microsoft Learning\10135\Drives, click UMLanguagePack_DE.iso, and then click Open.

4. Click OK.

5. On VAN-EX2, close the AutoPlay dialog box. Open Windows® Explorer, browse to D:\, and then double-click UMLanguagePack.de-DE.exe.

6. In Exchange Server 2010 Setup, on the License Agreement page, click I accept the terms in the license agreement, and then click Next.

7. On the Unified Messaging Language Pack page, click Install. Wait for the installation to finish, and then click Finish. Close all open windows.

Task 4: Create a dial plan

1. On VAN-EX2, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Unified Messaging.

3. In the Actions pane, click New UM Dial Plan.

4. In the New UM Dial Plan Wizard, on the New UM Dial Plan page, in the Name field, type DP-VAN-5digit.

5. Select Telephone Extension from the URI type drop-down list, and then select Unsecured from the VoIP security drop-down list. Unsecured means that SIP signaling and RTP media between the UM server and the gateway are not encrypted; it is acceptable in this lab, but a production dial plan should use SIP Secured or Secured.

6. In the Country/Region code field, type 1604, and then click New.

7. On the Completion page, click Finish.

Task 5: Create a Unified Messaging IP gateway and hunt group

1. In the Exchange Management Console, in the Actions pane, click New UM IP Gateway.

2. In the New UM IP Gateway Wizard, on the New UM IP Gateway page, type IP Test Phone in the Name field.

3. In the IP address field, type 10.10.0.10 (the address of VAN-DC1, which runs the UM Test Phone tool), click Browse, select DP-VAN-5digit in the Select Dial Plan window, click OK, and then click New.

4. On the Completion page, click Finish.

5. In the Exchange Management Console, on the UM IP Gateways tab, in the IP Test Phone Actions pane, click New UM Hunt Group.

6. In the New UM Hunt Group Wizard, type HG-VAN-5digits in the Name field, click Browse, select DP-VAN-5digit in the Select Dial Plan window, and then click OK.

7. In the Pilot identifier field, enter 90000, and then click New.

8. On the Completion page, click Finish.

Task 6: Change the default Unified Messaging mailbox policy

1. In the Exchange Management Console, click the UM Mailbox Policies tab.

2. In the Details pane, double-click DP-VAN-5digit Default Policy.

3. On the DP-VAN-5digit Default Policy Properties page, click the Message Text tab, and then type Welcome to the Unified Messaging Server VAN-EX2 in the Text to send when UM mailbox is enabled field.

4. On the DP-VAN-5digit Default Policy Properties page, click the PIN Policies tab, clear the PIN lifetime (days) check box, and then click OK. Disabling PIN expiry is a lab convenience; a production policy should keep a PIN lifetime.

Task 7: Associate the Unified Messaging server with the dial plan

1. In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Unified Messaging.

2. In the Details pane, right-click VAN-EX2, and then click Properties.

3. On the VAN-EX2 Properties page, click the UM Settings tab.

4. On the Associated Dial Plans pane, click Add, select DP-VAN-5digit in the Select Dial Plan window, and then click OK twice.

Task 8: Verify that the default dial-plan language is German

1. In the Exchange Management Console, under Organization Configuration, click Unified Messaging.

2. On the UM Dial Plans tab, double-click DP-VAN-5digit.

3. On the DP-VAN-5digit Properties page, click the Settings tab, verify that German (Germany) is selected in the Default language drop-down list, and then click OK.

Results: After this exercise, you should have installed the Unified Messaging role and configured the basic server-side settings for Unified Messaging, namely, a dial plan, an IP gateway, a hunt group, and a mailbox policy. You also will have assigned the dial plan to a Unified Messaging server.
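Tasks 4 through 8 build the dial plan, gateway, hunt group, mailbox policy and server association in the console. The script below is an added example, not part of the course lab files, that creates the same objects from the Exchange Management Shell on VAN-EX2 and places the lab's settings next to hardened ones: the lab's Unsecured VoIP security and unlimited PIN lifetime on one side, and TLS-protected signaling and media with a PIN policy on the other. Names, addresses, the pilot identifier and the language are taken from the lab; the $lab switch and the hardened PIN policy values (lifetime, length, history, lockout) are assumptions chosen for this example.

```powershell
# Added example (not from the course lab): the lab's UM configuration as shell
# cmdlets, with a hardened variant selectable by $lab. Run in the Exchange
# Management Shell on VAN-EX2 after the UM role and the de-DE language pack
# are installed. Hardened policy values are assumptions for demonstration.

$lab = $true   # $true reproduces the lab; $false applies the hardened settings

$dialPlanName = 'DP-VAN-5digit'

# 'Unsecured' sends SIP signaling and RTP media in clear text on the network.
# 'SIPSecured' protects signaling with TLS; 'Secured' also protects media with
# SRTP. Both secured modes need certificates trusted by the UM server and gateway.
$voipSecurity = if ($lab) { 'Unsecured' } else { 'Secured' }

# Dial plan: 5-digit extensions, telephone-extension URIs, region code as in the lab.
New-UMDialPlan -Name $dialPlanName -NumberOfDigitsInExtension 5 `
    -URIType TelExtn -VoIPSecurity $voipSecurity -CountryOrRegionCode 1604

# Gateway (VAN-DC1 runs the UM Test Phone tool in the lab) and hunt group.
New-UMIPGateway -Name 'IP Test Phone' -Address '10.10.0.10' -UMDialPlan $dialPlanName
New-UMHuntGroup -Name 'HG-VAN-5digits' -UMDialPlan $dialPlanName `
    -UMIPGateway 'IP Test Phone' -PilotIdentifier '90000'

# Mailbox policy: the lab removes PIN expiry for convenience. The hardened
# branch keeps expiry, requires longer PINs, forbids common patterns and locks
# the mailbox after a few failed attempts at the pilot number.
$policy = "$dialPlanName Default Policy"
$welcome = 'Welcome to the Unified Messaging Server VAN-EX2'
if ($lab) {
    Set-UMMailboxPolicy -Identity $policy -UMEnabledText $welcome -PINLifetime Unlimited
} else {
    Set-UMMailboxPolicy -Identity $policy -UMEnabledText $welcome `
        -PINLifetime 60 -MinPINLength 8 -PINHistoryCount 10 -AllowCommonPatterns $false `
        -MaxLogonAttempts 5 -LogonFailuresBeforePINReset 3
}

# Associate the UM server with the dial plan, set German as the default
# language (requires the de-DE language pack), and show the result.
Set-UMServer -Identity 'VAN-EX2' -DialPlans $dialPlanName
Set-UMDialPlan -Identity $dialPlanName -DefaultLanguage de-DE
Get-UMDialPlan -Identity $dialPlanName |
    Format-List Name, URIType, VoIPSecurity, DefaultLanguage, NumberOfDigitsInExtension
```

Switching an existing dial plan to Secured after the fact is done with Set-UMDialPlan -VoIPSecurity; the gateway must then also be configured for TLS, otherwise calls fail rather than silently falling back to clear text.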

To revert the virtual machines

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.