Sie sind auf Seite 1von 711

O F F I C I A L

M I C R O S O F T

L E A R N I N G

P R O D U C T

10135B
Configuring, Managing and
Troubleshooting Microsoft
Exchange Server 2010 Service Pack 2

1-1

Module 1
Deploying Microsoft Exchange Server 2010
Contents:
Lesson 1: Overview of Exchange Server 2010 Requirements

1-3

Lesson 2: Installing Exchange Server 2010 Server Roles

1-18

Lab A: Installing Exchange Server 2010

1-38

Lesson 3: Completing an Exchange Server 2010 Installation

1-42

Lab B: Verifying an Exchange Server 2010 Installation

1-51

1-2

Deploying Microsoft Exchange Server 2010

Module Overview

This module describes how to prepare for, and perform, an installation of Microsoft Exchange Server
2010. The most important task in preparing for an Exchange Server 2010 installation is to ensure that the
Active Directory Domain Services (AD DS) environment is ready. Exchange Server 2010 requires an
Active Directory deployment because AD DS stores all configuration and recipient information that
Exchange Server uses.
This module also provides details on the Exchange Server 2010 deployment. To install Exchange
Server 2010 properly for your environment, you must be aware of the server roles that Exchange Server
can install. Additionally, you should be aware of the infrastructure, hardware, and software requirements
for introducing Exchange Server 2010 into a messaging environment. Finally, you should know how to
verify, troubleshoot, and secure the installation.
After completing this module, you will be able to:

Describe the infrastructure requirements to install Exchange Server 2010.

Install Exchange Server 2010 server roles.

Complete an Exchange Server 2010 installation.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-3

Lesson 1

Overview of Exchange Server 2010 Requirements

In this lesson, you will review the requirements for installing Exchange Server 2010. The most important
requirement is the Active Directory deployment, but you also must ensure that you implement the
appropriate Domain Name System (DNS) infrastructure. You also should be aware of the Exchange Server
2010 infrastructure requirements when you perform an installation, and when you need to troubleshoot
deployment issues.
After completing this lesson, you will be able to:

Describe the Active Directory components.

Describe the Active Directory partitions.

Describe how Exchange Server 2010 uses AD DS.

Describe the DNS requirements for Exchange Server 2010.

Prepare AD DS for Exchange Server 2010.

Describe the integration of AD DS and Exchange Server 2010.

1-4

Deploying Microsoft Exchange Server 2010

Reviewing Active Directory Components

AD DS consists of several components. Since Exchange Server deeply integrates with AD DS, it is
important to understand the purpose of each of the following AD DS components:

Domains. An Active Directory domain is a collection of computers that a Microsoft Windows


network administrator defines. These computers share a common directory database, security
policies, and security relationships with other domains. An Active Directory domain provides access to
the centralized user and group accounts that the domain administrator maintains. You can organize
computer and user accounts within AD DS into a hierarchy based on organizational units (OUs).

Forests. A forest is a set of one or more domains that share common configuration and schema
information. A tree is set of domains that share the same Domain Name System (DNS) namespace.
When multiple domains exist in a forest, there is an automatic trust relationship between the
domains, which enables users in one domain to access resources in another domain. There can be
only one Exchange Server organization per forest. An Active Directory forest is a security boundary.
By default, no security accounts outside of a forest have any access in the forest.

Trusts. Trusts enable users from a trusted domain to authenticate in another trusting domain. In a
forest, all domains have trusts (either direct trusts or transitive trusts) with all other domains in the
forest.

Domain controllers and global catalog servers. A domain controller holds a copy of the local domain
database, which includes user accounts and computer accounts. It also is responsible for
authenticating users and computers. Additionally, domain controllers respond to queries for
information in AD DS. A domain controller has directory information only for the domain of which it
is a member; it does not have information about users in other domains. A global catalog server is a
domain controller that also holds a subset of information from other domains in the forest. For
example, a global catalog server has limited information about all users in a forest.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-5

Active Directory sites. Active Directory sites are defined as one or more IP subnets. Typically, all of the
IP subnets in a given physical location are part of the same site. Sites do not typically encompass
more than one physical location. All of the computers within a single site must have a fast network
connection, which is usually 10 megabits per second (Mbps) or more, between them.

Active Directory replication. AD DS replicates information between domain controllers. It replicates


domain information between domain controllers in the same domain and to global catalog servers in
the forest. AD DS also replicates configuration data and the schema between all domain controllers in
the same forest. Within an Active Directory site, replication of changes starts within a few seconds of
the change being made on one domain controller. Between Active Directory sites, replication can be
scheduled, and happens every three hours by default. Also, all replication traffic between sites is sent
through a bridgehead server in each site.

1-6

Deploying Microsoft Exchange Server 2010

Discussion: Reviewing Active Directory Implementations

AD DS is the integrated, distributed directory service that is included with the Windows Server 2008 R2,
Windows Server 2008, Windows Server 2003, and Windows 2000 Server operating systems. Many
applications, such as Exchange Server 2010, integrate with AD DS. This creates a link between user
accounts and applications, which enables single sign-on for applications. Additionally, the Active Directory
replication capabilities enable distributed applications to replicate application-configuration data.

Discussion Questions
Based on your experience, consider the following questions:
Question: Under what circumstances would an organization deploy multiple domains in the
same forest?
Question: Under what circumstances might an organization deploy multiple forests?
Question: What type of information do domains in a forest share?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-7

Reviewing Active Directory Partitions

Active Directory information falls into four types of partitions: domain, configuration, schema, and
application. These directory partitions are the replication units in AD DS.

Domain Partition
A domain partition contains all objects in the domains directory. Domain objects replicate to every
domain controller in that domain, and include user and computer accounts, and groups.
A subset of the domain partition replicates to all domain controllers in the forest that are global catalog
servers. If you configure a domain controller as a global catalog server, it holds a complete copy of its own
domains objects and a subset of attributes for every domains objects in the forest.

Configuration Partition
The configuration partition contains configuration information for AD DS and applications, including
Active Directory site and site link information. Additionally, some distributed applications and services
store information in the configuration partition. This information replicates through the entire forest so
each domain controller has a replica of the configuration partition.
When application developers choose to store application information in the configuration partition, the
developers do not need to create their own mechanism to replicate the information. The configuration
partition stores each type of configuration information in separate containers. A container is an Active
Directory object similar to an OU that you use to organize other objects.

Schema Partition
The schema partition contains definition information for all object types and their attributes that you can
create in AD DS. This data is common to all domains in the forest, and AD DS replicates it to all domain
controllers in the forest. However, only one domain controller maintains a writable copy of the schema. By
default, this domain controller, known as the Schema Master, is the first domain controller installed in an
Active Directory forest.

1-8

Deploying Microsoft Exchange Server 2010

Application Partitions
An administrator or an application during installation creates application partitions manually. Application
partitions hold specific application data that the application requires. The main benefit of application
partitions is replication flexibility. You can specify the domain controllers that hold a replica of an
application partition, and these domain controllers can include a subset of domain controllers throughout
the forest. Exchange Server 2010 does not use application partitions to store information.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-9

How Exchange Server 2010 Uses AD DS

To ensure proper placement of Active Directory components in relation to computers that are running
Exchange Server, you must understand how Exchange Server 2010 communicates with AD DS and uses
Active Directory information to function.
AD DS stores most Exchange Server 2010 configuration information.
Note The Exchange Server 2010 Edge Transport server role is the only Exchange Server
role that does not use AD DS to store configuration information. Instead, the Edge
Transport server role uses Active Directory Lightweight Directory Services (AD LDS) for this
purpose. For more details, see Module 6, Implementing Messaging Security.

Forests
An Exchange Server organization and an Active Directory forest have a one-to-one relationship. You
cannot have an Exchange Server organization that spans multiple Active Directory forests. You also cannot
have multiple Exchange Server organizations within a single Active Directory forest.
Note In Exchange Server 2010, you can add multiple Exchange Server organizations in
different forests to the Exchange Management Console. This enables you to manage
multiple organizations from a single management console, but does not enable the
integration of the two Exchange Server organizations.

1-10

Deploying Microsoft Exchange Server 2010

Schema Partition
The Exchange Server 2010 installation process modifies the schema partition to enable the creation of
Exchange Server-specific objects. The installation process also adds Exchange Server-specific attributes to
existing objects.
For example, the installation process updates user objects with additional attributes to describe storage
quotas and mailbox features.

Configuration Partition
The configuration partition stores configuration information for the Exchange Server 2010 organization.
Because AD DS replicates the configuration partition among all domain controllers in the forest,
configuration of the Exchange Server 2010 organization replicates throughout the forest.
The configuration partition includes Exchange Server configuration objects, such as global settings, email
address policies, transport rules, and address lists.

Domain Partition
The domain partition holds information about recipient objects. This includes mailbox-enabled users, and
mail-enabled users, groups, and contacts. Objects that are mailbox-enabled or mail-enabled have
preconfigured attributes, such as email addresses.

Global Catalog
When you install Exchange Server 2010, the email attributes for mail-enabled and mailbox-enabled
objects replicate to the global catalog. The following is true:

The global address list is generated from the recipients list in an Active Directory forests global
catalog.

Exchange Hub Transport servers access the global catalog to find the location of a recipient mailbox
when delivering messages.

Exchange Client Access servers access the global catalog server to locate the user Mailbox server and
to display the global address list to Microsoft Office Outlook, Microsoft Outlook Web App, or
Exchange ActiveSync clients.
Note Because of the importance of the global catalog in an Exchange Server organization,
you must deploy at least one global catalog serverin each Active Directory site that contains
an Exchange 2010 server. You must deploy enough global catalog servers to ensure
adequate performance.
Note Windows Server 2008 provides a new type of domain controllera read-only
domain controller (RODC). Exchange Server 2010 does not use RODCs or RODCs that you
configure as global catalog servers (ROGC). This means that you should not deploy an
Exchange 2010 server in any site that contains only RODCs or ROGCs.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-11

Reviewing DNS Requirements for Exchange Server 2010

Each computer that is running Exchange Server must use DNS to locate AD DS and global catalog servers.
As a site-aware application, Exchange Server 2010 prefers to communicate with directory servers that are
located in the same site as the computer that is running Exchange Server.

Role of DNS
Exchange Server services use DNS to locate a valid domain controller or global catalog. By default, each
time a domain controller starts the Netlogon service, it updates DNS with service (SRV) records that
describe it as a domain controller and global catalog server, if applicable.
To ensure that the domain controller updates DNS records properly, it is essential that all domain
controllers use an internal DNS server that supports dynamic updates. After DNS records are registered,
computers that are running Exchange Server can use DNS to find domain controllers and global catalog
servers.

SRV Resource Records


SRV resource records are DNS records. These records identify servers that provide specific services on the
network. For example, an SRV resource record can contain information to help clients locate a domain
controller in a specific domain or site.
All SRV resource records use a standard format, which consists of several fields. These fields contain
information that AD DS uses to map a service back to the computer that provides the service.
SRV resource records use the following format:
_Service_.Protocol.Name Ttl Class SRV Priority Weight Port Target

1-12

Deploying Microsoft Exchange Server 2010

The following table describes each field in an SRV resource record.


Field

Description

_Service

Specifies the name of the service, such as Lightweight DirectoryAccess Protocol


(LDAP) or Kerberos, provided by the server that registers this SRV resource
record.

_Protocol

Specifies the transport protocol type, such as transmission control protocol(TCP)


or User Datagram Protocol (UDP).

Name

Specifies the domain name that the resource record references.

Ttl

Specifies the Time to Live (TTL) value in seconds, which is a standard field in
DNS resource records that specifies the length of time that a record is valid.

Class

Specifies the standard class value for the DNS resource record, which usually
is.IN, for the Internet system. This is the only class that Windows Server 2008
DNS supports.

Priority

Specifies the servers priority. Clients attempt to contact the host that has the
lowest priority.

Weight

Denotes a load-balancing mechanism that clients use when selecting a target


host. When the priority field is the same for two or more records in the same
domain, clients randomly choose SRV resource records that have higher weights.

Port

Specifies the port where the server is listening for this service.

Target

Specifies the fully qualified domain name (FQDN) (also called the full computer
name), of the computer that provides the service.

The SRV records for domain controllers and global catalog servers are registered with several different
variations to allow locating domain controllers and global catalog servers in several different ways. One
option is to register DNS records by site name, which enables computers that are running Exchange
Server to find domain controllers and global catalog servers in the local Active Directory site. Exchange
Server always performs DNS resource queries for the local Active Directory site first.
When a computer that is running Exchange Server is a member server, Exchange Server configures it
dynamically with its site each time it authenticates to AD DS. As part of the authentication process, the
registry stores the site name. When the Exchange server queries DNS for domain controller or global
catalog server records, the Exchange server always attempts to connect to domain controllers with the
same site attribute as the Exchange server.

Host Records
Host records provide a host name to IP address mapping. Host records are required for each domain
controller and other hosts that need to be accessible to Exchange Servers or client computers. Host
records can use IPv4 (A records) or IPv6 (AAAA records).

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-13

MX Records
A Mail Exchanger (MX) record is a resource record that allows servers to locate other servers to deliver
Internet email by using the Simple Mail Transfer Protocol (SMTP). An MX record identifies the SMTP server
that will accept inbound messages for a specific DNS domain. Each MX record contains a host name and a
preference value. When you deploy multiple SMTP servers that are accessible from the Internet, you can
assign equal preference values to each MX record to enable load balancing between the SMTP servers.
You also can specify a lower preference value for one of the MX records. All messages are routed through
the SMTP server that has the lower preference-value MX record, unless that server is not available.
Note In addition to SRV, Host, and MX records, you also may need to configure Sender
Policy Framework (SPF) records to support Sender ID spam filtering. Module 6 provides
more information on SPF records. Additionally, some organizations use reverse lookups as
an option for spam filtering, so you should consider adding reverse lookup records for all
SMTP servers that send your organizations email.

1-14

Deploying Microsoft Exchange Server 2010

Preparing AD DS for Exchange Server 2010

To install Exchange Server 2010, you need to run the Exchange Server 2010 setup command for preparing
the Active Directory forest for the installation. You can use the setup command with the following
switches.
Setup switch

Explanation

/PrepareAD
/OrganizationName:
organizationname

Prepares the global Exchange Server objects in Active Directory, creates

/PrepareLegacy
ExchangePermissions

Necessary if the organization contains Exchange Server 2003 servers


Modifies the permissions assigned to the Enterprise Exchange Servers

the Exchange Universal Security Groups in the root domain, and


prepares the current domain
Must be run by a member of the Enterprise Admins group

group to allow the Recipient Update Service to run


Must be run by a member of the Enterprise Admins group
/PrepareSchema

Prepares the schema for the Exchange Server 2010 installation


Must be run by a member of the Enterprise Admins and Schema
Admins groups

/PrepareDomain
/PrepareDomain
domainname
/PrepareAllDomains

Prepares the domain for Exchange Server 2010 by creating a new


global group in the Microsoft Exchange System Objects container
called Exchange Install Domain Servers
Not required in the domain where /PrepareAD is run
Can prepare specific domains by adding the domains fully qualified
domain name (FQDN), or prepare all domains in the forest
Must be run by a member of the Enterprise Admins and Domain
Admins groups

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-15

Note You must prepare the Active Directory forest in the same domain and the same site
as the domain controller that hosts the Schema Master role.

Options for Preparing Active Directory


You have the following options when you prepare AD DS for Exchange Server 2010:

In an organization that is not running an earlier Exchange Server version, and which has a single
domain in the Active Directory forest, you do not need to prepare AD DS before installing the first
Exchange server. In this scenario, you can just install Exchange Server 2010, and all of the Active
Directory schema changes are implemented during the install.

If the user account that you are using to update the schema is a member of the Schema Admins and
the Enterprise Admins group, you do not need to run /PrepareLegacyExchangePermissions and
/PrepareSchema before running /PrepareAD. If your account has the right permissions, the
/PrepareAD process also configures the legacy permissions and makes the required schema changes.

Functions Performed by /PrepareAD


Running Setup with the /PrepareAD parameter performs the following actions:

Prepares the schema if /PrepareSchema has not been run, and the command is run by a Schema
Admins group member.

Prepares the permissions if /PrepareLegacyExchangePermissions has not been run, and the
command is run by an Enterprise Admins group member.

Creates the Microsoft Exchange container in the Configuration partition in Active Directory, and
populates the container with all the child containers required to install Exchange Server 2010
computers.

Creates a new OU in the Active Directory domain named Microsoft Exchange Security Groups, and
then creates the security groups that are used to assign permissions in the Exchange organization.
Note The security groups that are created in the Microsoft Exchange Security Groups OU
are management role groups that use role-based access control (RBAC) to assign
permissions in the Exchange organization. Module 9, Securing Exchange Server 2010
details these groups and RBAC.

1-16

Deploying Microsoft Exchange Server 2010

Demonstration: Integration of AD DS and Exchange Server 2010

In this demonstration, you will review the integration of AD DS and Exchange Server 2010.

Demonstration Steps
1.

On a domain controller, open Active Directory Users and Computers.

2.

In the Active Directory domain, expand the Microsoft Exchange Security Groups organizational
unit.

3.

Review the description and membership of the following Active Directory groups:

Organization Management

Recipient Management

View-Only Organization Management

Discovery Management

4.

Open ADSI Edit, and connect to the domain partition. Review the information in the domain
partition.

5.

Connect to the configuration partition. Review the information in the configuration partition, and in
the CN=Services, CN=Microsoft Exchange, CN=Exchangeorganizationname container.

6.

Connect to the schema partition. Review the information in the schema partition, and point out the
attributes and class objects that begin with ms-Exch.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Question: How do you assign permissions in your Exchange organization? How will you
assign permissions by using the Exchange security groups?
Question: Which Active Directory partition would you expect to contain the following
information?

Users email address

Exchange connector for sending email to the Internet

Exchange Server configuration

1-17

1-18

Deploying Microsoft Exchange Server 2010

Lesson 2

Installing Exchange Server 2010 Server Roles

Before you install Exchange Server 2010, you need to understand the concept of Exchange Server 2010
server roles. Each server role provides a specific set of functionality that an Exchange Server organization
requires.
When you install Exchange Server 2010, you can install all server roles on the same computer, except for
the Edge Transport server role. Alternately, you can distribute the roles across multiple computers. After
you decide which server role to deploy in each Exchange server, you must ensure that the network
infrastructure and servers are ready for the Exchange Server 2010 installation.
After completing this lesson, you will be able to:

Describe the server roles included in Exchange Server 2010.

Describe the options for deploying Exchange Server 2010.

Describe the hardware recommendations for combining server roles in Exchange Server 2010.

Describe the options for integrating Exchange Server 2010 and Exchange Online Services in Microsoft
Office 365.

Describe the infrastructure requirements for installing Exchange Server 2010.

Describe the server requirements for installing Exchange Server 2010.

Describe the considerations for deploying Exchange Server 2010 servers as virtual machines.

Describe the process for installing Exchange Server 2010.

Describe the options for performing an unattended installation.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-19

Overview of Server Roles in Exchange Server 2010

Exchange Server 2010 provides functionality that falls into five separate server roles. When you install
Exchange Server 2010, you can select one or more of these roles for installation on the server. Large
organizations might deploy several servers with each role, whereas a small organization might combine all
server roles except the Edge Transport server role on one computer, because of different configuration
storage it uses, which will be discussed later.
Note Exchange Server 2010 server roles are a logical grouping of features and
components that perform a specific function in the messaging environment. You can install
all server roles, except the Edge Transport server role, on the same physical computer.

Exchange Server 2010 Server Roles


The following server roles are included in Exchange Server 2010:

Hub Transport server role. The Hub Transport server role is responsible for message routing. The Hub
Transport server performs message categorization and routing, and handles all messages that pass
through an organization. You must configure at least one Hub Transport server in each Active
Directory site that contains a Mailbox server or a Unified Messaging server, and the server running the
Hub Transport server role must be a member of an Active Directory domain.

Mailbox server role. The Mailbox server role is responsible for managing mailbox and public folder
databases. Mailboxes and public folders reside on the Mailbox servers. Mailbox servers contain
mailbox and public folder databases. You can enable high availability by adding mailbox servers to a
Database Availability Group (DAG). Because Mailbox servers require Active Directory access, you must
install this role on a member server in an Active Directory domain.

1-20

Deploying Microsoft Exchange Server 2010

Client Access server role. The Client Access server role enables connections from all available client
protocols to the Exchange Server mailboxes. You must assign at least one Client Access server in each
Active Directory site that contains a Mailbox server. Client protocols that connect through a Client
Access server include:

Messaging Application Programming Interface (MAPI) clients

Outlook Web App clients

Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) clients

Outlook Anywhere, which is known as remote procedure call (RPC) over HTTP in Exchange
Server 2003

Exchange ActiveSync clients

Note In previous Exchange Server versions, MAPI clients connect directly to the Mailbox
servers. In Exchange Server 2010, all clients, including MAPI clients, connect to the Client
Access servers. MAPI clients still connect directly to Mailbox servers when accessing public
folders.

Edge Transport server role. The Edge Transport server role is the Simple Mail Transport Protocol
(SMTP) gateway server between your organization and the Internet. To ensure security, you should
deploy the computer that runs the Edge Transport server role in a perimeter network, and it should
not be a member of your internal Active Directory forest. Because the Edge Transport server is not
part of an Active Directory domain, it cannot use AD DS to store configuration information. Instead, it
uses AD LDS on Windows Server 2008 computers to access recipient and configuration information.
On the Edge Transport server, you create connectors to define message-flow paths into, and out of,
your organization. You can define multiple Edge Transport servers to provide load balancing and high
availability.
Note You cannot combine the Edge Transport server role with any other role on the same
computer. The Hub Transport and Edge Transport servers both provide message routing
and delivery capabilities to, and from, the Internet. However, some advanced transport
features are available only on Edge Transport servers.

Unified Messaging server role. The Unified Messaging server role provides the foundation of services
that integrate voice and fax messages into your organizations messaging infrastructure. This role
requires the presence of three server roles: Hub Transport, Client Access, and Mailbox. The Unified
Messaging server provides access to voice messages and faxes.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-21

Deployment Options for Exchange Server 2010

You can deploy the server roles in Exchange Server 2010 in several different scenarios, depending on an
organizations size and requirements. If you are an administrator, it is important to understand the
deployment scenarios when you plan an Exchange Server system.

Exchange Server 2010 Editions


Exchange Server 2010 is available as Standard Edition and Enterprise Edition. The Standard Edition should
meet the messaging needs of small and medium corporations, but also may be suitable for specific server
roles or branch offices. The Enterprise Edition is for large enterprise corporations, and enables you to
create additional databases apart from including other advanced features.
Feature

Standard Edition

Enterprise Edition

Database Support

Five databases

100 databases

Database Storage
Limit

No software storage limit; storage


limit is hardware dependent

No software storage limit; storage limit is


hardware dependent

DAG membership

Supported

Supported

Note If you want to use databases larger than 1TB on Exchange Server 2010 Standard
Edition, you have to enable it in the registry. To learn how to modify the registry for this
purpose, go to http://go.microsoft.com/fwlink/?LinkId=248378.

1-22

Deploying Microsoft Exchange Server 2010

Exchange Server 2010 Client Access Licenses


Exchange Server 2010 has two client-access license (CAL) options:

Exchange Server Standard CAL. Provides access to email, shared calendaring, Outlook Web App, and
ActiveSync.

Exchange Server Enterprise CAL. Requires a standard CAL, and provides access to additional features
such as unified messaging, per-user and per-distribution-list journaling, managed custom email
folders, and Microsoft Forefront Endpoint Protection for Exchange Server.

Deployment Scenarios for a Simple Organization


In a small organization, you can install all the server rolesexcept the Edge Transport server roleon a
single computer. Small organizations might also consider using Exchange Online services.

Deployment Scenarios for a Standard Organization


Medium-sized organizations should consider installing the required services and Exchange server roles on
multiple computers. A typical deployment scenario for a medium-sized organization may include:

Two domain controllers for each domain.

Two Exchange servers configured with the Mailbox server role and other server roles, except the Edge
Transport server role.
Note In Exchange Server 2007, Mailbox servers that were part of a failover cluster could
not run additional Exchange server roles. With Exchange Server 2010, Exchange servers that
are part of a DAG also can host other Exchange server roles, except the Edge Transport
server role.

One Exchange server configured with the Edge Transport server role.
Note You can add only Exchange Server 2010 running on Windows Server 2008 Enterprise
Edition or Datacenter Edition or Windows Server 2008 R2 Enterprise Edition or Datacenter
Edition to a DAG. If a standard organization uses the Windows Server 2008 or Windows
Server 2008 R2 Standard Edition servers, the organization can deploy multiple Mailbox
servers, but cannot configure high availability for the Mailbox server role.

As your organization expands, you should consider adding dedicated servers for roles like the Hub
Transport server, the Client Access server, or the Unified Messaging server. This provides scalability and
redundancy.

Deployment Scenarios for a Large or Complex Organization


A large or complex organization needs to deploy dedicated servers for each server role, and may have to
deploy multiple servers for each role. A typical deployment scenario for a large organization can include:

Two domain controllers and global catalog servers for each organizational domain. If the
organization includes multiple Active Directory sites, and you are deploying Exchange servers in a site,
you should deploy global catalog servers in the site.

One or more Exchange servers configured with the Mailbox server role. You can deploy multiple
Mailbox servers in each Active Directory site.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-23

One or more Exchange servers dedicated to each of the other server roles. You must deploy at least
one Hub Transport server and Client Access server in each Active Directory site that includes a
Mailbox server.

If the organization has a smaller branch office, you can deploy multiple Exchange servers hosting all
the server roles except for the Edge Transport server role, and configure the Mailbox servers to be
part of a DAG.

One or more Exchange servers configured with the Edge Transport server role. Multiple servers
provide redundancy and scalability.

Hybrid Deployment with Office 365


In Exchange Server 2010 Service Pack 2 (SP2), it is possible to create a hybrid deployment between
on-premises Exchange Server and Exchange Online from Office 365. A hybrid deployment offers
organizations the ability to extend the user experience and administrative control they have with their
existing on-premises Microsoft Exchange organization to the Office 365 cloud. A hybrid deployment
provides you with a view of a single Exchange organization between an on-premises organization and a
cloud-based organization. In addition, a hybrid deployment can serve as an intermediate step to moving
completely to a cloud-based Exchange organization.
A hybrid deployment of Exchange Server and Office 365 provides the following features:

Mail routing with a shared domain namespace. For example, both on-premises and cloud-based
organizations use the @contoso.com SMTP domain.

A unified global address list, also called a shared address book. With this address list, users can view
all contacts from both on-premises Exchange and Office 365.

Free/busy and calendar sharing between on-premises and cloud-based organizations.

Centralized control of mail flow. The on-premises organization can control mail flow for the onpremises and cloud-based organizations.

A single Outlook Web App URL for both the on-premises and cloud-based organizations.

The ability to move existing on-premises mailboxes to the cloud-based organization.

Centralized mailbox management using the on-premises Exchange Management Console.

Message tracking, MailTips, and multi-mailbox search between on-premises and cloud-based
organizations.

In Exchange Server 2010 SP2, there is a Hybrid Configuration Wizard that allows you to perform hybrid
deployment and integrate your local Exchange server with Office 365. Before you start deploying
Exchange in a hybrid scenario, you should make sure that you have a proper Office 365 license. Office 365
is examined in greater detail in Module 13.

1-24

Deploying Microsoft Exchange Server 2010

Hardware Recommendations for Combining Server Roles

Small and medium-sized companies, and large organizations that have a small number of users in a single
location, may choose to combine multiple Exchange Server 2010 server roles on a single computer.

Combining Server Roles


You can install all roles, except the Edge Transport server role, on a single computer. When you design the
hardware configuration for servers on which you install multiple server roles, consider the following
recommendations:

You should plan for at least two processor cores, at a minimum, for a server with multiple server roles.
The recommended number of processor cores is eight, while 24 is the maximum recommended
number.

You should design a server with multiple roles to use half of the available processor cores for the
Mailbox role and the other half for the Client Access and Hub Transport roles.

You should plan for the following memory configuration for a server with multiple server roles: 8
gigabytes (GB) and between 2 megabytes (MB) and 10 MB per mailbox. This can vary based on the
user profile and the number of storage groups. We recommend 64 GB as the maximum amount of
memory you need.

To accommodate the Client Access and Hub Transport server roles on the same server as the Mailbox
server role, you should reduce the number of mailboxes per core calculation, based on the average
client profile by 20 percent.

You can deploy multiple Exchange server roles on a mailbox server that is a DAG member. This means
that you can provide full redundancy for the Mailbox, Hub Transport, and Client Access server roles
on just two Exchange servers. Be aware, however, that you cannot use DAG together with NLB on the
same servers; therefore, if you want to achieve full redundancy with just two servers, you will need a
hardware load balancer.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-25

Options for Integrating Exchange Server 2010 and Exchange Online


Services in Office 365

One deployment option available in Exchange Server 2010 is to integrate your messaging system with
Exchange Online Services. Exchange Online Services is part of the Office 365 services that Microsoft offers.

Office 365
Office 365 is a set of Microsoft-hosted messaging and collaboration solutions, including Microsoft
Exchange Online, Microsoft SharePoint Online, Microsoft Office Web Apps, and Microsoft Lync Online.
These services are available on a subscription basis.

Exchange Online Services


When you subscribe to Exchange Online Services in Office 365, you can take advantage of the following
features:

Email and calendar functions. Exchange Online delivers email services, including spam filtering,
antivirus protection, and mobile-device synchronization. Through Microsoft Office Outlook and
Outlook Web App, you can use the advanced email, calendar, contact, and task management features
of Exchange Online.

Email coexistence and migration tools. The Office 365 Suite includes email coexistence and migration
tools. If you have AD DS and Microsoft Exchange Server, the Microsoft Online Services Directory
Synchronization tool synchronizes your user accounts, contacts, and groups from your local
environment to Microsoft Online Services. This tool also makes your Microsoft Exchange Global
Address List (GAL) available in Exchange Online.

1-26

Deploying Microsoft Exchange Server 2010

Exchange Online Services and Exchange Server 2010


Exchange Server 2010 provides additional functionality with Exchange Online Services. With Exchange
Server 2010, you can host some of the mailboxes in an internal Exchange organization, which displays as
the On-Premise Exchange organization in the Exchange Management Console. Additionally, you can host
some of your organizations mailboxes on Exchange Online. You can use the Exchange Management
Console to move mailboxes to the Exchange Online Services and manage those mailboxes.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-27

Infrastructure Requirements for Exchange Server 2010

Before you deploy Exchange Server 2010 in your organization, you need to ensure that your organization
meets AD DS and DNS requirements.

Active Directory Requirements


You must meet the following Active Directory requirements before you can install Exchange Server 2010:

The domain controller that is the schema master must have Windows Server 2003 Service Pack 1
(SP1) or newer, Windows Server 2008, or Windows Server 2008 R2 installed. By default, the schema
master runs on the first Windows domain controller installed in a forest.

In each of the sites where you deploy Exchange Server 2010, at least one global catalog server must
be installed and run Windows Server 2003 SP1 or newer, Windows Server 2008, or Windows Server
2008 R2.

The Active Directory domain and forest functional levels must run Windows Server 2003, at the
minimum.

If you have a resource forest configuration, or multiple forests, and users from different forests need
to access mailboxes in an Exchange 2010 organization, you must configure a trust between the
forests. In this case, the minimum forest functional level must be Windows Server 2003.

DNS Requirements
Before you install Exchange Server 2010, you must configure DNS correctly in your Active Directory forest.
All servers that run Exchange Server 2010 must be able to locate Active Directory domain controllers,
global catalog servers, and other Exchange servers.

1-28

Deploying Microsoft Exchange Server 2010

Server Requirements for Exchange Server 2010

Exchange Server 2010 requires a minimum level of hardware, and specific software, before you can
install it.

Hardware Requirements
You can deploy Exchange Server 2010 only on 64-bit versions of Windows Server 2008 or Windows
Server 2008 R2 that are running on 64-bit hardware.
Resource
Processor

Requirement

x64 architecture-based computer with Intel processor that supports Intel 64


architecture (formerly known as Intel EM64T).
AMD processor that supports the AMD64 platform.
Intel Itanium IA64 processors not supported.

Memory

A minimum of 2 GB of system memory, plus 2 to 6 MB per mailbox. This


recommendation is based on the number of mailbox databases and the user-usage
profile.

Disk

1.2 GB disk space for Exchange Server files and 200 MB of free disk space on the
system drive.

File system

Drives formatted with NTFS file systemfor all Exchange Serverrelated volumes.

Note Exchange Server 2010 is available only in 64-bit versions, which means that you can
install all components, including the Exchange Management tools, only on 64-bit operating
systems.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-29

Exchange Server 2010 Prerequisite Software


All Exchange Server 2010 servers must have the following software installed:

Active Directory Domain Services (AD DS) management tools, which is required on all Exchange
Server 2010 servers, except for Edge Transport servers

Microsoft .NET Framework 3.5 (SP1) or newer

Windows Remote Management (WinRM)

Windows PowerShell Version 2


Note The Net.Tcp Port Sharing Service must be configured to start automatically before
starting the Exchange server installation. This will be configured as a part of the setup
process in Exchange Server 2010 SP1 or later.

On Windows Server 2008 R2 all these software components can be installed from Server Manager.
However, on Windows Server 2008, you should manually download and install them. Exchange Server
2010 SP2 setup provides the appropriate download links for missing software, and also enables automatic
installation of missing software components during Exchange installation.

Server Role Installation Requirements


Each server role in Exchange Server 2010 has slightly different installation requirements. All server roles,
except for the Edge Transport server role, require some Web Server components, such as Internet
Information Services (IIS).
The following table summarizes the requirements for each server role.
Server Role

Software Requirements

Mailbox server role

Client Access server


role

Install the default Web Server (IIS) server role and the following role
services:
ISAPI Extensions
IIS 6 Metabase Compatibility
IIS 6 Management Console
Basic Authentication
Windows Authentication
Digest Authentication
Dynamic Content Compression
.NET Extensibility
Install the Windows Communication Foundation (WCF) HTTP
Activation feature
Install the RPC over HTTP Proxy feature

2010 Office System Converter: Microsoft Filter Pack


Install the default Web Server (IIS) server role along with the following
role services:
IIS 6 Metabase Compatibility
IIS 6 Management Console
Basic Authentication
Windows Authentication
.NET Extensibility

1-30

Deploying Microsoft Exchange Server 2010

(continued)
Server Role

Software Requirements

Hub Transport server


role

Install the default Web Server (IIS) server role and the following role
services:
IIS 6 Metabase Compatibility
IIS 6 Management Console
Basic Authentication
Windows Authentication
.NET Extensibility

Edge Transport server


role

Must have a DNS suffix configured


Install the AD LDS server role

Unified Messaging
server role

Install the Desktop Experience feature. This installs the required


Microsoft Windows Media Player audio/video codecs.
Install the default Web Server (IIS) server role and the following role
services:
IIS 6 Metabase Compatibility
IIS 6 Management Console
Basic Authentication
Windows Authentication
.NET Extensibility

Note Installing Exchange Server 2010 on a Windows Server 2008 computer might add
additional roles or role services to the server. For example, when you perform a typical
installation, the File Server server role is added along with additional Web Server (IIS) role
services.

Installation Requirements for Installing Management Tools on Windows Vista or


Windows 7
You can install the Exchange Server 2010 management tools on computers that are running 64-bit
versions of Windows Vista or Windows 7. Before installing the management tools, you will need to
ensure that the following components are installed:

Microsoft .NET Framework 3.5 Service Pack 1or later

Windows Remote Management (WinRM)

Windows PowerShell Version 2

IIS 6 Management Console

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-31

Considerations for Deploying Exchange Server 2010 As a Virtual Machine

One option with Exchange Server 2010 is to deploy the servers as virtual machines.

Benefits of Using Virtual Machines


Deploying Exchange Server 2010 servers as virtual machines provides the same advantages as deploying
other servers as virtual machines. You can deploy all Exchange Server 2010 SP2 server roles as virtual
machines.
The benefits of deploying Exchange Servers as virtual machines include:

Increases hardware utilization and decreases the number of physical servers. In many organizations,
the servers deployed in data centers have very low hardware utilization. Frequently, servers use less
than 10 percent of the available hardware resources. By deploying multiple virtual machines on a
single physical server, you can increase the hardware utilization, while decreasing the number of
physical servers deployed. This can result in significant cost savings.

Deploying Exchange Servers as virtual machines provides server-management options that are not
available for physical servers. Because virtual machines are just a set of files, you may have additional
management options with virtual machines. For example, to increase a virtual machines hardware
level, you can assign more of the host resources to the virtual machine, or move the virtual machine
files to a more powerful host server.
Note Microsoft supports Exchange Server 2010 running as virtual machines for all
virtualization vendors that are validated through the Windows Server Virtualization
Validation Program. See http://go.microsoft.com/fwlink/?LinkId=248379 for details.

1-32

Deploying Microsoft Exchange Server 2010

Microsoft supports Exchange Server 2010 in production on hardware virtualization software only when all
the following conditions are true:

The hardware virtualization software is running one of the following:

Windows Server 2008 with Hyper-V technology

Windows Server 2008 R2 with Hyper-V technology

Microsoft Hyper-V Server 2008

Microsoft Hyper-V Server 2008 R2

Any third-party hypervisor that has been validated under the Windows Server Virtualization
Validation Program.

The Exchange Server guest virtual machine is running Microsoft Exchange 2010. This includes
Exchange 2010 Hosting Mode, available in Exchange 2010 SP1 or later.

The Exchange Server guest virtual machine is deployed on Windows Server 2008 with SP2 (or later) or
Windows Server 2008 R2 RTM or later.

Considerations for Deploying Exchange Server 2010 Servers as Virtual Machines


While running Exchange Server 2010 as a virtual machine provides some benefits, you also should
consider the following issues:

Exchange servers can be designed to ensure that that the servers fully utilize the available hardware.
For example, in a large organization, you can deploy several thousand mailboxes to a Mailbox server
or deploy a Client Access server with sufficient client connections so that your organization fully
utilizes all hardware resources.

One of the benefits of running virtual machines is that you can configure high availability within the
virtual machine environment. For example, you can deploy Quick Migration in Windows Server 2008
Hyper-V or Live Migration in Windows Server 2008 R2 Hyper-V. However, Microsoft does not support
running both DAGs and a virtual machine-based high availability solution. If you require high
availability, you should use the Exchange Server 2010 solution. DAGs provide failover features that are
not available in virtual machine-based, high-availability solutions. Some of the DAG features include
multiple copies of the database, backing up the database on the passive node, and application-aware
clustering.

The storage used by the Exchange Server guest machine can be virtual storage of a fixed size, SCSI
pass-through storage, or Internet SCSI (iSCSI) storage. Pass-through storage is storage that is
configured at the host level and dedicated to one guest machine. To provide the best performance
for Exchange server storage, use either pass-through disks or fixed-size virtual disks.

You must allocate sufficient storage space for each Exchange Server guest machine on the host
machine for the fixed disk that contains the guest's operating system, any temporary memory storage
files in use, and related virtual machine files that are hosted on the host machine. Additionally, for
each Exchange Server guest machine, you must also allocate sufficient storage for the message
queues on Hub Transport and Edge Transport servers and sufficient storage for the databases and log
files on Mailbox servers. You should host the storage used by Exchange Server in disk spindles that
are separate from the storage that is hosting the guest virtual machine's operating system.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-33

You can deploy only management software such as antivirus software, backup software, virtual
machine management software, and so on, on the physical root machine. You should not install any
other server-based applications such as Exchange Server, Microsoft SQL Server, AD DS, and so on,
on the root machine. The root machine should be dedicated to running guest virtual machines.

Running Exchange servers as virtual machines can complicate performance monitoring. The
performance data between the host and virtual machine is not consistent because the virtual machine
uses only some part of the hosts resources.

One of the most common performance bottlenecks for Mailbox servers is network input/output (I/O).
When you run Mailbox servers in a virtual environment, the virtual machines have to share this I/O
bandwidth with the host machine and other virtual machine servers deployed on the same host. If a
single virtual machine is running on the physical server, the network I/O that is available to the virtual
machine is almost equivalent to the I/O available to a physical server. A heavily utilized Mailbox server
can consume all of the available I/O bandwidth, which makes it impractical to host additional virtual
machines on the physical server.

If you are planning to deploy Exchange Server 2010 as a virtual machine, ensure that you plan the
virtual hardware requirements carefully. Running Exchange Server 2010 as a virtual machine does not
change the Exchange Server hardware requirements. You must assign the same hardware resources to
the Exchange Server virtual machine as you would assign to a physical server that is running the same
workload.

1-34

Deploying Microsoft Exchange Server 2010

Process for Installing Exchange Server 2010

The Exchange Server 2010 graphical setup program guides you through the installation process. The
following steps provide a high-level installation overview:
1.

Install the prerequisite software. For all server roles, you must install Microsoft .NET Framework 3.5, or
later, Windows Remote Management (WinRM) 2.0, and Windows PowerShell version 2. If you install
Exchange Server on Windows Server 2008 R2, the correct versions of Windows PowerShell and
Windows Remote Management are installed already.

2.

To start the installation, run setup.exe from the installation source. The setup program checks to
ensure that the correct software is installed on the computer. If prerequisite software is not installed,
you can use the links provided on the Start page to download and install the software.

3.

The setup program provides the option to install additional language packs that will enable the
Exchange Server 2010 management tools to display in languages other than English.

4.

The setup program provides the option to perform a Typical Exchange Server Installation or a
Custom Exchange Server Installation. The typical installation option installs the Hub Transport
server role, the Client Access server role, the Mailbox server role, and the Exchange Management
tools. The custom installation option allows you to choose the roles you want to install.

Choose this option if you want to install an Edge Transport server or a Unified Messaging server,
or install just the Exchange Management Tools.

5.

If this is the first Exchange Server 2010 server in the deployment, and you do not run setup
/PrepareAD, you are prompted for the Exchange organization name.

6.

If you chose the Mailbox server role, the Exchange setup program prompts you if you have any Office
Outlook 2003 or Entourage clients in the organization. If you choose Yes, Exchange setup creates the
public folders required by these clients for the offline address book and for sharing calendar
information.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7.

1-35

If you choose to install the Client Access server role, you also can configure the external domain name
for the Client Access server. Clients use this external domain name to connect to the server from the
Internet.
Note Exchange Server 2010 supports Office Outlook 2003 SP1 or later clients. The only
Entourage version supported by Exchange Server 2010 is Entourage 2008, Web Services
Edition. This version of Entourage requires public folders.
Exchange Server setup program then checks that the organizational prerequisites and server
prerequisites are met for each server role that you select. If all the prerequisites are met, Exchange
Server 2010 is installed on the computer. If this is the first Exchange server in the organization, and
you have not run /PrepareAD, Exchange Server setup modifies AD DS, and then installs each selected
server role.

You can use the Exchange Server 2010 Service Pack Setup wizard to upgrade your current version of
Exchange Server 2010. If you have the RTM version of Exchange Server 2010 installed, you can upgrade to
either Exchange Server 2010 Service Pack 2 (SP2) or Exchange Server 2010 Service Pack 1 (SP1). If you
have Exchange Server 2010 SP1 installed, you can upgrade to Exchange Server 2010 SP2. We strongly
recommended that you upgrade to Exchange 2010 SP2.

1-36

Deploying Microsoft Exchange Server 2010

Unattended Installation Options

You can use the command line to perform an unattended Exchange Server 2010 installation. When you
use the command line, you can use parameters to install specified roles or configure other setup options.
The table below lists the most commonly used command-line setup parameters.
Parameter

Options

/mode, /m

/roles, /r

The following is the list of valid


role names:
HubTransport, HT, H
ClientAccess, CA, C
EdgeTransport, ET, E
Mailbox, MB, M
UnifiedMessaging, UM, U
ManagementTool, MT, T

/OrganizationName
organizationname

Install
Upgrade
Uninstall
RecoverServer
Default: Install

Explanation
Use this parameter to control what the
setup program does.
You can use the Upgrade mode only to
upgrade from a previous prerelease
version of Exchange Server 2010.
Use this parameter to specify which
roles you want to install. If you specify
multiple roles, separate them with
commas. Note that you cannot
combine the Edge Transport role with
any other.

Use the parameter to specify the name


to give the new Exchange organization.
This parameter is required if you are
installing the first server in an
organization and you have not run
/PrepareAD.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-37

(continued)
Parameter

Options

Explanation

/targetdir, /t

A valid path

Use this parameter to specify in which


folder to install Exchange Server.
Default: %%programfiles%%
\Microsoft\Exchange Server.

/PrepareAD, /p

None

Use this parameter to prepare AD DS


for installation.

/DomainController, /dc

The name of a suitable domain


controller

Use this parameter to specify which


domain controller setup will be read
and written from during installation.

/NewProvisionedServer,
/nprs

Server name

Use this parameter to create a


placeholder server object in AD DS so
that you can delegate setup of a
server.

/ServerAdmin

User or group

Use this parameter to specify an


account that will have permissions to a
provisioned Exchange server.

/Hosting

Use this parameter to install and


enable hosting functionality and
features. For example, to specify the
Hosting mode, specify the following:
Setup.com /roles: Mailbox /Hosting.
This parameter is available for multitenant deployments. It is not available
for on-premises deployments.

Note To run an unattended installation with setup parameters, you must run setup.com or
setup rather than setup.exe. To see all the parameters available for use with setup.com, run
the command with the /? parameter.
The following is the syntax for this command.
Setup.com [/roles:<roles to install>] [/mode:<setup mode>] [/console]
[/?][/targetdir:<destination folder>] [/prepareAD] [/domaincontroller]

For example, if you want to install Exchange Server 2010 into the default path, and specify the roles of
Hub Transport, Client Access, and Mailbox, you would enter the following command.
Setup.com /r:H,M,C

Additionally, you should consider using the /InstallWindowsComponents switch with Setup.com, which
will automatically add required roles and features for Exchange Server. You can use this switch in
Exchange Server 2010 SP1 or later.

1-38

Deploying Microsoft Exchange Server 2010

Lab A: Installing Exchange Server 2010

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2.

In Hyper-V Manager, click 10135B--NYC-DC1, and in the Actions pane, click Start.

10135B- NYC-DC1: Domain controller in the Contoso.com domain.

3.

In the Actions pane, click Connect. Click the CTRL+ALT+DELETE button in the top-left corner of the
Virtual Machine Connection window.

4.

Log on using the following credentials:

5.

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Repeat these steps to start, and log on to the 10135B-NYC-SVR1 virtual machine.

10135B- NYC-SVR1: Member server in the Contoso.com domain.

Lab Scenario
You are working as a messaging administrator in Contoso Ltd. Your organization is preparing to install its
first Exchange Server 2010 server. Contoso Ltd. is a large multinational organization that includes offices
in Seattle, Washington, in the United States, and in Tokyo, Japan.
Contoso Ltd. does not have a previous version of Exchange Server deployed so you do not have to
upgrade a previous messaging system. Before installing Exchange Server 2010, you must verify that the
Active Directory environment is ready for the installation. You also must verify that all computers that will
run Exchange Server 2010 meet the prerequisites for installing Exchange.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-39

Exercise 1: Evaluating Requirements for an Exchange Server Installation


Scenario
The Active Directory administrators at Contoso Ltd. are testing the Exchange Server 2010 deployment by
deploying a domain controller in a test environment. The server administration team has deployed a
Windows Server 2008 R2 server that you can use to deploy the first Exchange Server 2010 server in the
test organization.
You need to verify that the Active Directory environment and the server meet all prerequisites for
installing Exchange Server 2010. Use the following checklist to verify that the prerequisites are met:
Prerequisite

Achieved?

Active Directory domain controllers: Windows Server 2003


SP2 or later

Yes or No

Active Directory domain and forest functional level:


Windows Server 2003 or higher

Yes or No

DNS requirements

Yes or No

Exchange Server 2010 schema changes

Yes or No

Active Directory Domain Services (AD DS) management


tools

Yes or No

Microsoft .NET Framework 3.5 or later

Yes or No

Windows Remote Management (WinRM)

Yes or No

Windows PowerShell Version 2

Yes or No

2010 Office System Converter: Microsoft Filter Pack

Yes or No

Web Server (IIS) server role along with the following role
services:
ISAPI Extensions
IIS 6 Metabase Compatibility
IIS 6 Management Console
Basic Authentication
Windows Authentication
Digest Authentication
Dynamic Content Compression
.NET Extensibility

Yes or No

Windows Server 2008 features


WCF HTTP Activation
RPC over HTTP Proxy

Yes or No

The main tasks for this exercise are:


1.

Evaluate the Active Directory requirements.

2.

Evaluate the DNS requirements.

3.

Evaluate the server requirements.

1-40

Deploying Microsoft Exchange Server 2010

X Task 1: Evaluate the Active Directory requirements


1.

On NYC-DC1, evaluate whether the domain controller requirements are met.

2.

Evaluate whether the domain and forest functional level requirements are met.

3.

Use Adsiedit.msc to evaluate whether the Exchange schema changes are applied.

X Task 2: Evaluate the DNS requirements

On NYC-SVR1, use Ipconfig, Ping, and NSLookup to evaluate DNS name resolution functionality.

X Task 3: Evaluate the server requirements


1.

On NYC-SVR1, evaluate whether the required Windows Server 2008 features, including the required
AD DS administration tools, are installed.

2.

Evaluate whether the Microsoft Internet Information Services (IIS) components are installed.

3.

Evaluate whether the prerequisite software is installed.

Results: After this exercise, you should have evaluated whether your organization meets the AD DS, DNS,
and server requirements for installing Exchange Server 2010. You should have identified the additional
components that need to be installed or configured to meet the requirements.

Exercise 2: Preparing for an Exchange Server 2010 Installation


Scenario
Now that you have identified which prerequisites are not met in the current AD DS and server
configuration, you need to update the environment to meet them.
The main tasks for this exercise are:
1.

Install the Windows Server 2008 server roles and features.

2.

Prepare AD DS for the Exchange Server 2010 installation.

X Task 1: Install the Windows Server 2008 server roles and features
1.

On NYC-SVR1, in Server Manager, install the prerequisite server roles and features for Exchange
Server 2010.

2.

Configure the Net.Tcp Port Sharing Service to start Automatically.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-41

X Task 2: Prepare AD DS for the Exchange Server 2010 installation


1.

In Hyper-V Manager, connect C:\Program Files\Microsoft Learning


\10135\Drives\Exchange2010SP2.iso as the DVD drive for NYC-SVR1.

2.

From a command prompt, run the Exchange Server setup program with the /PrepareAD parameter.
Configure an Exchange organization name of Contoso.

Results: After this exercise, you should have prepared the AD DS and server configuration for the
Exchange Server 2010 installation.

Exercise 3: Installing Exchange Server 2010


Scenario
After you prepare the environment, continue with the Exchange Server 2010 server installation.
The main task for this exercise is:

Install Microsoft Exchange Server 2010.

X Task 1: Install Microsoft Exchange Server 2010


1.

Start the Exchange Server 2010 installation.

2.

Perform a Typical Exchange Server Installation.

3.

Choose to automatically install required roles and features.

4.

Choose to enable access for Outlook 2003 or Entourage clients.

Results: After this exercise, you should have prepared the AD DS and server configuration for the
Exchange Server 2010 installation.

1-42

Deploying Microsoft Exchange Server 2010

Lesson 3

Completing an Exchange Server 2010 Installation

After you install the necessary server roles in Exchange Server 2010, you should verify the installation
and perform post-installation tasks, including securing Exchange Server 2010 and installing additional
third-party software, if necessary. This lesson describes the post-installation tasks that you should perform.
After completing this lesson, you will be able to:

Verify an Exchange Server 2010 installation.

Verify an Exchange Server 2010 deployment.

Describe how to troubleshoot an Exchange Server 2010 installation.

Describe how to finalize an Exchange Server 2010 installation.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-43

Demonstration: Verifying an Exchange Server 2010 Installation

If all prerequisites are met, the Exchange Server installation should complete successfully. However, you
should verify that the installation was successful.

Demonstration Steps
1.

On VAN-EX1, open the Services management console, and review the Microsoft Exchange services
that were added during the installation.

2.

Open Windows Explorer, and browse to C:\ExchangeSetupLogs.

3.

Review the contents of the ExchangeSetup.log file.

4.

Describe some of the other files in this folder.

5.

Browse to C:\Program Files\Microsoft\Exchange Server\V14. Describe the contents of the folders


in this location.

6.

Open the Exchange Management Console.

7.

Under Server Configuration, verify that the server that you installed is listed.

8.

Click Toolbox and review the installed tools.

9.

In the left pane, click Recipient Configuration. Create a new mailbox.

10. Open Windows Internet Explorer, and connect to the Outlook Web App site on a Client Access
server. Log on using the credentials for the new mailbox that you created.
11. Send an email to the mailbox that you created. Verify that the messages delivery.

1-44

Deploying Microsoft Exchange Server 2010

Additional Tests to Verify Installation


After the Exchange Server 2010 installation finishes, you also can take the following steps to verify that the
installation was successful:

Check the Exchange setup log files. The installation process creates several log files that the
C:\ExchangeSetupLogs directory stores. Review the setup logs for errors that occur during installation.

Ensure that the Exchange Management Console opens and displays the installed Exchange server.

Create a user account with a mailbox and connect to that mailbox by using an Office Outlook client
or Outlook Web App.
Note For detailed information about each of the log files created during the installation,
see Exchange Server Help.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-45

Demonstration: Running the Exchange Best Practices Analyzer

The Microsoft Exchange Server Best Practices Analyzer Tool automatically examines an Exchange Server
deployment and determines whether the configuration meets with Microsoft best practices. Microsoft
performs periodic updates on the definitions that the Exchange Server Best Practices Analyzer uses, so
they typically reflect the latest version of the Microsoft best practices recommendations. We recommend
running the Exchange Server Best Practices Analyzer after you install a new Exchange server, upgrade an
existing Exchange server, or make configuration changes. You can find the Exchange Server Best Practices
Analyzer in the Toolbox node of the Exchange Management Console.
In this demonstration, your instructor will run the Exchange Server Best Practices Analyzer and review the
generated reports.
Note For more information about the Exchange Server Best Practices Analyzer, view the
Exchange Server Best Practices Analyzer Help that is available with the Exchange Server Best
Practices Analyzer Tool.

Demonstration Steps
1.

On VAN-EX1, open Exchange Management Console, and then click Toolbox.

2.

Start the Best Practices Analyzer, and clear the options to check for updates and to join the
customer improvement program. Go to the Welcome page.

3.

Start a new scan. Choose to perform a Health Check scan to scan the server that you just installed.

1-46

Deploying Microsoft Exchange Server 2010

4.

When the scan finishes, view the following tabs and reports:

Critical Issues

All Issues

Recent Changes

Informational Items

Tree reports

Other reports

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-47

Troubleshooting an Exchange Server 2010 Installation

The Exchange Server installation should complete successfully if you meet all prerequisites. However, if the
installation does not complete properly, it is important for you to follow a consistent troubleshooting
process as this ensures that you do not miss steps and problems are resolved quickly.
Your troubleshooting process should include the following best practices:
1.

Identify the problem. Before you begin to apply any fixes to your Exchange Server installation, be sure
that you identify exactly what is the problem. Applying inappropriate fixes could create additional
problems. To identify an installation problem you should check the setup and event logs for errors.

2.

Identify potential fixes for the problem. You cannot always fix problems by using the most obvious
solution. Your search for potential fixes should be methodical and include multiple sources, such as
Microsoft TechNet, the Microsoft Knowledge Base, and suggestions in event logs.
After you identify a list of potential fixes, prioritize them based on how likely they are to fix the
problem and how long implementation will take. In most cases, try quick fixes before long and
involved fixes, even if the longer fix is more likely to resolve the problem.

3.

Test only one fix at a time. It is essential that you test only one fix at a time. Do not implement three
fixes, and then see if the problem is fixed. Implementing one fix at a time ensures that you
understand what solution fixed the problem. When you implement multiple fixes, the first fix may
resolve the problem, but another one may introduce additional problems.
When you implement a fix, be sure to document the changes you make. Then, if the fix does not
resolve the problem, you can undo the changes before trying another solution.

4.

Document the problem resolution. Documentation is an essential part of problem resolution. If the
same problem occurs later, documentation of the previous solution makes it easier to address the
current issue. Disseminating that knowledge to others in the organization may prevent the problem
from occurring again.

1-48

Deploying Microsoft Exchange Server 2010

Potential Problems and Resolutions


Some common installation problems and solutions are:

Net.TCP Port Sharing Service is not set to start automatically. You must set this service to start
automatically.

Insufficient disk space. Your server might not have the necessary disk space to install Exchange Server
2010. To resolve this, either increase your servers disk space or remove unnecessary files to create
more free space.

Missing software components. Your server might not have all of the required software components for
the server roles you want to implement. To resolve this, determine the required software components,
download them if necessary, and install them.

Incorrect DNS configuration. Exchange Server 2010 relies on global catalog servers to perform many
operations, and uses DNS to find global catalog servers. If the DNS configuration is incorrect, your
server might not be able to find a global catalog server. To verify the problem, use the dcdiag tool. To
resolve the problem, ensure that the Exchange server and domain controllers are all using the
appropriate internal DNS servers.

Incorrect domain functional level. All domains with Exchange Server 2010 recipients or servers must be
at Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 functional level. To
resolve this problem, raise the domain functional level to the appropriate functional level.

Insufficient Active Directory permissions. When you install Exchange Server 2010, you need sufficient
permissions to extend the Active Directory schema and modify the Active Directory configuration
partition. To perform the initial schema extension, you must be a member of the Enterprise Admins
and Schema Admins groups.

Insufficient Exchange permissions. To install Exchange Server 2010 into an existing organization, you
must be a member of the Exchange Admins group. You also must run Setup.exe with the
/PrepareLegacyExchangePermissions switch. Wait for replication throughout the Exchange Server
organization before you continue.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-49

Finalizing the Exchange Server Installation

After finishing the Exchange Server installation, you might need to perform additional steps to finalize the
server deployment.

Configuring Exchange Server Security


Security is important for all the servers in your environment. However, security is even more important for
computers that are running Exchange Server. For most organizations, messaging is a critical part of the
network. People rely on messaging to perform their jobs. Sensitive and private information often is sent
through, and stored in, the messaging system. Unlike many other servers, computers that are running
Exchange Server all communicate with the Internet in some way. Even Mailbox servers with no direct
Internet communication are exposed to messages that originally came from the Internet.
Use the following steps to secure computers that are running Exchange Server 2010:

Restrict physical access. Like all servers, physical access to a computer that is running Exchange Server
should be restricted. Any server that you can access physically also can be compromised easily.

Restrict communication. You can use firewalls to restrict the communication between servers, and
between servers and clients. Limiting communication to only specific IP addresses, or ranges of IP
addresses, reduces the risk that a hacker will access or modify the system. An Edge Transport server
must be available to anonymous Internet connections, but firewalls can restrict access to specific
ports.

Reduce the attack surface. To limit software flaws that hackers can use, eliminate unnecessary software
and services from your Exchange servers. In particular, Edge Transport servers should have only the
necessary services and software running because they are exposed to the Internet.

1-50

Deploying Microsoft Exchange Server 2010

Restrict permissions. Evaluate who has permissions to manage Active Directory in your organization.
Users who are domain administrators can add themselves to any group, and so they could manage all
Exchange Server recipients and computers that are running Exchange Server in that domain. Reduce
delegated Active Directory management permissions in a more granular way if you do not want all of
the domain administrators to be capable of managing Exchange Server as well.

Configure Additional Software


Before you install any additional software, ensure that Microsoft certifies it for use with Exchange
Server 2010. Failure to verify certification for Exchange Server 2010 could result in data or availability loss.
Products specifically designed for use with Exchange Server 2010 take advantage of new features.
Some of the additional software you might want to install or configure includes:

Antivirus software. Antivirus software can be used with the Edge Transport server and internal servers.
You can install Forefront Protection for Exchange Server on Exchange Server 2010, or deploy and
configure non-Microsoft antivirus solutions.

Anti-spam software. Anti-spam software can significantly reduce unsolicited commercial email
messages that your users receive, and have to manage. Exchange Server 2010 provides anti-spam
features on the Edge Transport server role and the Hub Transport server role. Most organizations that
deploy anti-spam software on Exchange Server 2010 will deploy it on the Edge Transport server, but
you also can enable and configure anti-spam features on Hub Transport servers. Many organizations
choose to deploy third-party anti-spam solutions.

Backup software. To back up Exchange Server 2010 servers, you must deploy backup software that
uses Volume Shadow Copy Service (VSS) to perform the backup.

Monitoring tools and agents. One example of a monitoring tool is Microsoft System Center
Operations Manager. Operations Manager allows you to proactively monitor and manage your
Exchange servers by installing monitoring agents on them.
Note There are additional tasks that you must perform for each server role. Later modules
cover these tasks.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-51

Lab B: Verifying an Exchange Server 2010 Installation

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2.

Ensure that the 10135B-NYC-DC1 and the 10135B-NYC-SVR1 virtual machines are running.

3.

10135B- NYC-DC1: Domain controller in the Contoso.com domain.

10135B- NYC-SVR1: Member server in the Contoso.com domain.

If required, connect to the virtual machines.

Lab Scenario
You have completed the installation of the first Exchange Server at Contoso Ltd. You now need to verify
that the installation completed successfully. You also should ensure that the installation meets the best
practices that Microsoft suggests.

Exercise 1: Verifying an Exchange Server 2010 Installation


The main tasks for this exercise are:
1.

View the Exchange Server services.

2.

View the Exchange Server folders.

3.

Create a new user, and send a test message.

4.

Run the Exchange Server Best Practices Analyzer Tool.

1-52

Deploying Microsoft Exchange Server 2010

X Task 1: View the Exchange Server services


1.

Open the Services console.

2.

Review the status for each Exchange Server service.

X Task 2: View the Exchange Server folders.

Using Windows Explorer, browse to C:\Program Files\Microsoft\Exchange Server\v14. This list of


folders includes ClientAccess, Mailbox, and TransportRoles. The three roles were installed as part of
the typical setup.

X Task 3: Create a new user, and send a test message


1.

Open the Exchange Management Console.

2.

Under Recipient Configuration, create a new mailbox with a new user account named TestUser and
a password of Pa$$w0rd.

3.

Using Internet Explorer, open https://NYC-SVR1/owa.

4.

Log on as TestUser, and send a message to Administrator.

5.

Log on to Outlook Web App as Administrator, and verify that the message was delivered.

X Task 4: Run the Exchange Server Best Practices Analyzer tool


1.

Start the Exchange Server Best Practices Analyzer.

2.

Run a Health Check scan with a name of Post-Installation Test. Scan only
NYC-SVR1.

3.

Review the information in the Exchange Server Best Practices Analyzer report.

Results: After this exercise, you should have verified that the Exchange Server 2010 server installation
completed successfully.

X To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1.

On the host computer, start Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

4.

In the Virtual Machines pane, click 10135B-VAN-DC1, and then in the Actions pane, click Start.

5.

To connect to the virtual machine for the next modules lab, click 10135B-VAN-DC1, and then in the
Actions pane, click Connect.
Important Start the VAN-DC1 virtual machine first, and ensure that it is fully started
before starting the other virtual machines.

6.

Wait for 10135B-VAN-DC1 to start, and then start 10135B-VAN-EX1. Connect to the virtual machine.

7.

Wait for 10135B-VAN-EX1 to start, and then start 10135B-VAN-EX3. Connect to the virtual machine.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

1-53

Module Review and Takeaways

Review Questions
1.

The installation of Exchange Server 2010 fails. What information sources can you use to troubleshoot
the issue?

2.

What factors should you consider while purchasing new servers for your Exchange Server 2010
deployment?

3.

How would the deployment of additional Exchange Server 2010 servers vary from the deployment of
the first server?

Common Issues Related to Installing Exchange Server 2010


Identify the causes for the following common issues related to installing Exchange Server 2010 and
explain the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue
You start the Exchange installation and
get an error message stating that you
do not have sufficient permissions.
You start the Exchange installation and
the prerequisite check fails.
You run setup with /PrepareAD
parameter and receive an error
message.

Troubleshooting tip

1-54

Deploying Microsoft Exchange Server 2010

Real-World Issues and Scenarios


1.

An organization has a main office and multiple smaller branch offices. What criteria would you use to
decide whether to install an Exchange server in a branch office? What additional factors should you
consider if you decide to deploy an Exchange server in the branch office?

2.

An organization has deployed AD DS within two different forests. What issues will this organization
experience when they deploy Exchange Server 2010?

3.

An organization is planning to deploy Exchange Server 2010 servers as virtual machines running on
Hyper-V in Windows Server 2008 R2. What factors should the organization consider in their planning?

Best Practices for Deploying Exchange Server 2010


Supplement or modify the following best practices for your own work situations:

Plan the hardware specifications for your Exchange Server 2010 servers to allow for growth. In most
organizations, the amount of email traffic and the size of the user mailboxes are growing rapidly.

Consider deploying at least two Exchange Server 2010 servers. With two servers, you can provide
complete redundancy for the core Exchange server roles.

When deploying multiple Exchange servers with dedicated server roles for each server, deploy the
server roles in the following order:

a.

Client Access server

b.

Hub Transport server

c.

Mailbox server

d.

Unified Messaging server

You can deploy the Edge Transport server at any time, but it does not integrate automatically with
your organization until you deploy a Hub Transport server.

2-1

Module 2
Configuring Mailbox Servers
Contents:
Lesson 1: Overview of Exchange Server 2010 Administrative Tools

2-3

Lesson 2: Configuring Mailbox Server Roles

2-16

Lesson 3: Configuring Public Folders

2-33

Lab: Configuring Mailbox Servers

2-41

2-2

Configuring Mailbox Servers

Module Overview

The Microsoft Exchange Server management tools provide a flexible environment that enables
administrators to manage all sizes of Microsoft Exchange Server 2010 messaging deployments. Successful
Exchange Server messaging professionals need to understand where configuration elements reside within
the Exchange Management Console and the basics of the Exchange Management Shell. This module
describes these management tools.
This module also describes the Mailbox server role, some of the new Exchange Server 2010 features, and
the most common Mailbox server role post-installation tasks. The module concludes with a discussion
about public folder configuration and usage.
After completing this module, you will be able to:

Describe the Exchange Server 2010 administrative tools.

Configure mailbox server roles.

Configure public folders.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-3

Lesson 1

Overview of Exchange Server 2010 Administrative Tools

This lesson introduces you to the Exchange Management Console, Exchange Management Shell, and the
Exchange Control Panel (ECP). These tools are the main interfaces that Exchange Server administrators use
daily, so a detailed understanding of when and how to use each interface is vital.
After completing this lesson, you will be able to:

Describe the Exchange Management Console.

Describe Windows PowerShell.

Describe the Exchange Management Shell.

Describe remote Windows PowerShell.

Use Exchange Management Shell cmdlets.

Work with the Exchange Management Shell.

Apply Exchange Manage Shell cmdlet examples.

Describe the Exchange Control Panel.

2-4

Configuring Mailbox Servers

Demonstration: What Is the Exchange Management Console?

In this demonstration, you will review how to navigate the Exchange Management Console, and use it to
manage Exchange Server.

Demonstration Steps
1.

Open the Exchange Management Console.

2.

Note the consoles layout: the Console Tree is on the left; the Content pane is in the middle; and the
Actions pane on the right.

3.

Notice that the Console Tree has four nodes: Organization Configuration, Server Configuration,
Recipient Configuration, and Toolbox.

4.

Expand each Console Tree section to view the available nodes.

5.

In the Console Tree, expand Organization Configuration, click Mailbox, and then view the
information available in the Content pane.

6.

In the Console Tree, expand Server Configuration, click Mailbox, and then view the information in
the Content pane.

7.

In the Console Tree, expand Recipient Configuration, click Mailbox, and then view the information
in the Content pane.

The Exchange Management Console uses the Microsoft Management Console (MMC) 3.0 paradigm of a
four-pane environment. These four components are:

Console Tree. This area provides a hierarchical view of the Exchange Server organization and servers,
which you use to locate the objects that you want to manage. As you navigate the Exchange Server
hierarchy, and select objects in the Console Tree, the three other work panes provide details and
configuration options based on your selection.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-5

Results pane. This area displays the objects available under that which you have select in the Console
Tree. The Results pane updates as you navigate the Console Tree, to reflect your location within the
hierarchy, and you can filter and sort objects there.

Work pane. This area presents child objects of the Results pane. For example, when you select a
Mailbox server in the Results pane, the Work pane displays the databases on that server. You can use
the links in the Actions pane to manage the objects in the Work pane.

Actions pane. This area exposes different administrative tasks in response to your selections within the
Results and Work panes. For example, if you select a recipient object in the Results pane, the Actions
pane contains administrative tasks that enable you to move the mailbox, change its properties, or
disable the selected mailbox. The tasks that the Actions pane list are also available when you rightclick the object in the Results or Work pane.

The Console Tree is a unique feature of the Exchange Management Console, and it has four main nodes:
Organization Configuration, Server Configuration, Recipient Configuration, and Toolbox. These four nodes
have four distinct functions.

Organization Configuration
The Organization Configuration node contains all configuration options for each Exchange server role
that affects the messaging systems functionality. This node allows you to configure database
management, Microsoft Exchange ActiveSync policies, journal and transport rules, message-formatting
options, and email domain management.

Server Configuration
The Server Configuration node contains the configuration options for each Exchange server in the
organization. Settings that you can manipulate include server diagnostic-logging settings, product-key
management, and the per-server configuration of the Microsoft Outlook Web App. You also can
configure server certificates from this node.

Recipient Configuration
The Recipient Configuration node contains the configuration and creation tasks for mailboxes, distribution
groups, and contacts. You also can use it to move or reconnect mailboxes.

Toolbox
The Toolbox node contains utilities and tools that you can use to monitor, troubleshoot, and manage
Exchange Server. These tools include Exchange Best Practices Analyzer, Public Folder Management
Console, link to the Remote Connectivity Analyzer, Messaging Tracking, and Queue Viewer.
You also can use the Exchange Management Console to manage both onsite and hosted Exchange Server
2010 environments, including the Exchange Online deployed as part of an Office 365 implementation.
The Console Trees root node also includes two tabs in the Content pane: Organizational Health and
Customer Feedback. The Organizational Health tab displays a report on the overall status of the Exchange
Server organization that includes information about the number of deployed databases, servers, and
Client Access Licenses. Use the Customer Feedback tab to enable the Customer Experience Improvement
Program and to access Exchange Server documentation.
Question: Does the Exchange Management Console organization seem logical to you? Why?
Question: Does the Exchange Management Console have the same functionality as it did in
previous Exchange Server versions? What is different about this version?

2-6

Configuring Mailbox Servers

What Is Windows PowerShell?

In recent years, Microsoft has prompted Windows PowerShell as a single command line and scripting tool
that can be used to manage almost all Microsoft products. Windows PowerShell is an extensible scripting
and command-line technology that developers and administrators use to automate tasks in a Windows
operating system environment. Windows PowerShell uses a set of small commands called cmdlets that
each performs a specific task. You also can combine multiple cmdlets to perform complex administrative
tasks.
Windows PowerShell is an important underlying tool for Exchange Server 2010. Exchange Server 2010specific cmdlets are enabled in the Exchange Management Shell, and Exchange Management Console
provides GUI access to the Windows PowerShell cmdlets. When you perform an action in Exchange
Management Console, a Windows PowerShell command runs in the background to implement the
changes in the Exchange environment.
Windows PowerShell is accessible directly through a new command shell, called PowerShell.exe. When
you run Windows PowerShell from this command shell, you can perform many of the tasks you could
perform by using the traditional command shell (cmd.exe), plus many more.
Some of the most important features of Windows PowerShell are:

Simple cmdlets. Cmdlets are small executable files, written in Microsoft Visual C# or any other
Microsoft .NET Framework-compliant language, that provide a standard procedure for performing
certain actions. All cmdlets are in format verb-noun, for example: get-user, set-mailbox, and so on.
The syntax is very similar to the English language, so it can be easily adopted.

Aliases. You also can alias cmdlets. If you commonly run a specific cmdlet, you can assign an alias to
the cmdlet to make it easier to remember. These aliases are stored in the default user profile on a
computer or in the user-specific profile. For example, if you want to replace the Get-ChildItem cmdlet
with the show alias, you would run New-Alias show Get-ChildItem.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-7

Variables. As with most programming languages, Windows PowerShell supports the concept of a
variable to which you can assign a value. Variables in Windows PowerShell are named starting with a
dollar sign ($) character; for example, $date and $servername. Variables can have a data type formally
defined. To display the value of a variable, just type the variable name (including the $). You can also
perform normal variable manipulation.

Pipelining. Pipelining enables you to string cmdlets together and make the output of one cmdlet the
input of the next cmdlet. Windows PowerShell provides a pipeline, but instead of passing raw text to
the next cmdlet, it passes managed objects. For example, in one cmdlet, you can use a filter to locate
a set of Exchange Server recipients based on one or more parameters, and then apply an action to
that set of recipients.

Exchange Management Shell also provides a robust and flexible scripting platform that can reduce the
complexity of current Microsoft Visual Basic scripts. Tasks that previously required many lines in Visual
Basic scripts can now be performed by using as little as one line of code.

2-8

Configuring Mailbox Servers

What Is the Exchange Management Shell?

The Exchange Management Shell and the Exchange Management Console run on top of Windows
PowerShell version 2.0 command-line interface. They use cmdlets, which are commands that run within
Windows PowerShell. Each cmdlet completes a single administrative task, and you can combine cmdlets
to perform complex administrative tasks.
In Exchange Management Shell, there are approximately 700 cmdlets that perform Exchange Server
management tasks, and even more non-Exchange Server cmdlets that are in the basic Windows
PowerShell shell design.
Exchange Management Shell is more than just a command-line interface that you can use to manage
Exchange Server 2010. Exchange Management Shell is a complete management shell that offers a
complex and extensible scripting engine that has sophisticated looping functions, variables, and other
programmatic features so that you can create powerful administrative scripts quickly.
When you run cmdlets in the Exchange Management Shell, role-based access control (RBAC) is used to
determine whether you have the required permissions to run the cmdlets. RBAC enables you to assign
granular permissions to administrators, and more closely align the roles that you assign users and
administrators to the actual roles they hold within your organization. Since all Exchange Server 2010
administration tools run Exchange Management Shell cmdlets to make changes to the Exchange
environment, RBAC permissions are consistently applied all administration tools.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-9

What Is Remote Windows PowerShell?

In Exchange Server 2010, if your user account is enabled for remote PowerShell, you can connect to a
session on a remote Exchange Server 2010 computer to perform commands on it. Whether you use
Exchange Management Shell to administer a server you are physically connected to, or to administer a
server across the country, the Windows PowerShell Remoting feature performs the operation in Exchange
Server 2010.

Remote Windows PowerShell Features


Remote Windows PowerShell provides the following new features in Exchange Server 2010:

Client/server management model. With remote PowerShell, all cmdlets run remotely on an Exchange
server rather than from the management client. This allows the server to process the client requests,
thereby reducing their impact on the client. This also allows you to manage multiple servers at the
same time from a single client, and also to run scripts that will configure multiple servers at one time.

Simplified client computer configurations. Since the cmdlets run on the remote server, and not the
client, you only need to install Windows PowerShell 2.0 on the management machine if you do not
need the graphical user interface (GUI) tools. Since Windows PowerShell 2.0 includes both a 32-bit
and 64-bit version, you can use a 32-bit client to manage the Exchange environment. If users only
need to perform a limited set of tasks, you can also write custom graphical user interfaces that run
Windows PowerShell commands when the user applies changes in the GUI.

Standard protocols that allow easier management through firewalls. Remote Windows PowerShell
leverages Windows Remote Management (WinRM) for connectivity through standard HTTPS
connections. Since corporate firewalls often allow HTTPS by default, using Windows PowerShell
requires no additional firewall configuration. Because SSL is required for all WinRM connections by
default, all authentication and shell commands are also encrypted when sent across the network.

2-10 Configuring Mailbox Servers

These new features enable scenarios such as simplified cross-domain management, management from
workstations that do not have installed management tools, management through firewalls, and the ability
to throttle resources that management tasks consume. For example, if you deploy Exchange Online in an
Office 365, you can use Remote PowerShell to manage both the on-premises and online Exchange
environments.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-11

Learning How to Use the Exchange Management Shell

Working with Exchange Management Shell cmdlets and commands can be confusing initially. Here are
some suggestions for optimizing the learning process:

All shell cmdlets start with a verb-noun pairs. A hyphen (-) without spaces separate the verb-noun
pair, and the cmdlet nouns are always singular. Verbs refer to the action that the cmdlet takes. Nouns
refer to the object on which the cmdlet takes action. For example, in the Get-Mailbox cmdlet, the
verb is Get, and the noun is Mailbox. All cmdlets that manage a particular feature share the same
noun.

To get help on any cmdlet, use the Get-Help command followed by the cmdlet name. For example,
Get-Help New-Mailbox will display the information on how you can use the cmdlet New-Mailbox,
and all the parameters that you can modify with the cmdlet. Get-Help cmdletname Examples
displays examples of the cmdlet syntax.

Use Format-List (FL) to list full details about any object. For example, running get-mailbox id Anna
| FL will list full details about Annas mailbox. Running Get-ClientAccessServer | FL will list full details
of all the Client Access servers in the organization.

You can use wild cards with many get cmdlets. For example, you can use the get-excommand get*
to list all of the Exchange cmdlets that start with Get. You can use the Get-Mailbox id Anna | FL
*quota* command to list all parameters in Adams mailbox that have size in the parameter name.

Most cmdlets accept positional parameters in addition to named parameters. You can use positional
parameters to supply values to the cmdlet based on the values location rather than on a parameter
name. For example, Get-Mailbox -Identity Anna returns information about Annas mailbox. The
named parameter in this example is Identity. However, Identity is also a positional parameter for the
Get-Mailbox cmdlet. If you do not specify a name value with Identity, Windows PowerShell uses the
Identity parameter. As an example, Get-Mailbox Anna returns the same information as the previous
example.

2-12 Configuring Mailbox Servers

You can use the Tab key to auto-complete cmdlets and parameters. For example, if you type SetWeb and press the Tab key, the cmdlet will autocomplete to Set-WebServicesVirtualDirectory. If
the cmdlet is ambiguous when you press the Tab key, the autocomplete will display the first
command alphabetically that matches the typed letters. You can press the Tab key repeatedly until
the desired command is displayed. You can also use autocomplete to complete attribute names, but
not values.

Use pipelining to combine cmdlets. Pipelining allows you to chain one cmdlet to another so that the
previous cmdlets results act as input to the next cmdlet. To pipeline information from one cmdlet to
another, specify the pipe character (|) between the cmdlets. You can pipeline more than two cmdlets.
In fact, you can use as many as necessary to achieve the results you desire.
The following example uses two pipelined cmdlets with a filter between them. The first cmdlet,
Get-user, retrieves all users from Active Directory Domain Service (AD DS), and then pipes the
results to the filter. The filter, which is based on the distinguished name, selects among these users,
and leaves only those located in the Sales organizational unit (OU) and its child OUs. These results are
piped to the Enable-Mailbox cmdlet, which will create a mailbox for these users, and then place
them in Mailbox Database 1.
Get-User | Where-Object {$_.distinguishedname ilike "*ou=sales,dc=adatum,dc=com"} |
Enable-Mailbox database Mailbox Database 1"

For More Information Module 3 provides additional information and examples about
how to use pipelining to combine cmdlets to manage multiple recipients simultaneously.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-13

Demonstration: Working with the Exchange Management Shell

In this demonstration, you will see the Exchange Management Shell syntax and examples that are used to
view or modify objects in an Exchange Server 2010 environment.

Demonstration Steps
The instructor will run the following cmdlets:

Get-Mailbox

Get-Mailbox | Format-List

Get-Mailbox | fl

Get-Mailbox | Format-Table

Get-Mailbox | ft Name, Database, IssueWarningQuota

Get-Mailbox | FT Name,*quota

Get-Help New-Mailbox

Get-Help New-Mailbox -detailed

Get-Help New-Mailbox -examples

$Temp = Text

$Temp

$password = Read-Host Enter password AsSecureString

New-Mailbox -UserPrincipalName chris@adatum.com -Alias Chris -Database Mailbox


Database 1 -Name ChrisAshton -OrganizationalUnit Users -Password $password -FirstName
Chris -LastName Ashton -DisplayName Chris Ashton -ResetPasswordOnNextLogon $true
Note Assign a password to a new user by specifying the Read-Host cmdlet with the
-AsSecureString switch, because passwords cannot be stored as simple strings. If you are
providing the password in the .csv file, you also can use the ConvertTo-SecureString
cmdlet to convert the files text into a secure string..

2-14 Configuring Mailbox Servers

Introducing the Exchange Control Panel

The Exchange Control Panel (ECP) is a new feature in Exchange Server 2010. The ECP can be used by
Exchange administrators to manage many of the Exchange organizational and recipient settings. The ECP
can also be used by end users to configure most of their personal mailbox settings.
The ECP runs on the Client Access servers, and is accessible through the URL
https://ClientAccessServerName/ECP. When you connect to the site, the Outlook Web App authentication
page appears. After authenticating, you can either manage your personal mailbox settings, or if you have
permissions in the Exchange organization, you can manage many of the Exchange settings.
Note Like all of the other Exchange management tools, the ECP uses Exchange
Management Shell cmdlets to implement changes to the Exchange environment. This
means that RBAC permissions are applied when you try to view information in the ECP, and
when you try to make changes to the Exchange environment.
The Exchange Control Panel allows all mailbox users to configure most of their mailbox settings, including:

Outlook Web App settings such as email signatures and out of office messages.

Perform message tracking of messages sent or received from their mailbox.

View and manage mobile devices that have connected to their mailboxes.

View group memberships and request to join public groups.

Recover deleted messages.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-15

Exchange administrators can use the Exchange Control Panel to configure many Exchange organization or
recipient settings, including:

Manage existing mailboxes. Administrators can manage most mailbox settings, but cannot create new
mailboxes by using the ECP.

Manage distribution groups. Administrators can create and manage universal distribution groups but
not security groups.

Multi-Mailbox Search. Members of the Discovery Management group can search all user mailboxes
by using the ECP.

Message tracking. Administrators can track all messages sent to and from mailboxes in the Exchange
organization.

Configure RBAC. Administrators can create new management role groups, assign users to
management role groups, and configure other RBAC settings.

Manage Exchange ActiveSync policies and mobile device quarantine. Administrators can manage the
mobile devices that have connected to user mailboxes and configure quarantine policies for new
devices.

2-16 Configuring Mailbox Servers

Lesson 2

Configuring Mailbox Server Roles

This module describes how to configure the Mailbox server after you install it. Since the Mailbox server
stores all of the mailbox and public folder data, it is a critical component in an Exchange Server messaging
system. You also will learn about databases, database storage considerations, and managing the number
and size of databases.
After completing this lesson, you will be able to:

Describe your initial mailbox configuration tasks.

Describe mailbox and public folder databases.

Describe database file types.

Describe the process for updating mailbox databases.

Configure database options.

Identify Exchange Server 2010 storage improvements.

Describe your database storage options.

Describe direct attached storage.

Describe storage area networks.

Manage mailbox size limits.

Identify the criteria to consider when implementing databases.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-17

Initial Mailbox Configuration Tasks

Complete the following steps after deploying the Mailbox server role:

Secure the server. Before deploying mailboxes on the Mailbox server role, you should secure the
server, which includes configuring permissions at the organizational and server levels. This reduces
the Exchange Servers attack surface.

Create and configure databases. Exchange Server 2010 uses mailbox databases or public folder
databases to store messages. As a result, before creating mailboxes on the server, you need to create
the required databases.

Configure high availability. Exchange Server 2010 uses database availability groups (DAGs) to provide
high availability for mailbox databases. It is recommended that the DAGs be configured before
deploying mailboxes on the mailbox databases.

Configure public folders. Although recent Exchange Server versions de-emphasize the role of public
folders, Microsoft continues to support public folders fully, and you must configure them if you have
Outlook 2003 or earlier clients. However, if you are using Office Outlook 2007 or newer clients, public
folders are not required to support offline address-book distribution or calendar information. During
the installation of the first Exchange Server 2010 into a new AD DS forest, you have the option to
support older Office Outlook clients. Exchange Server creates a public folder database if you choose
this option. You also can create public folders after installation if you do not configure them during
setup.

Configure recipients, including resource mailboxes. The Mailbox server role manages all user
mailboxes, so deploying the Mailbox server role includes configuring recipients.

Configure the offline address book. Outlook 2007 (and higher) clients support retrieving offline
address books with HTTP, rather than only with public folders, as in previous Office Outlook versions.

2-18 Configuring Mailbox Servers

What Are Mailbox and Public Folder Databases?

To manage Mailbox servers properly, you need to know how they store mailbox and public folder
contents. Exchange Server 2010 stores mailbox and public folder contents in databases, which enhances
performance and reduces storage utilization.
Mailbox servers can maintain mailbox databases and public folder databases, and each database consists
of a single rich-text database (.edb) file. Exchange Server 2010 mailbox servers store all messages in this
database regardless of which type of client sends or reads the messages.
Mailbox databases store the messages for mailbox-enabled users. Users cannot have a mailbox without a
mailbox database. Public folder databases store the contents of public folders. Unlike previous Exchange
Server versions that required unique database names only within a storage group, Exchange Server 2010
requires unique database names across the entire Exchange Server organization.
In Exchange Server 2010, each database has a single set of transaction logs, which store database changes.
Database changes include all messages sent to or from the database. Transaction logs are an essential part
of disaster recovery if you need to restore a mailbox or public folder database.
By default, all databases and transaction logs are stored in one folder within the Exchange Server
directory (C:\Program Files\Microsoft\Exchange Server\v14\Mailbox). Each database has its own folder.
Although Exchange Server 2010 does not require separating databases and transaction logs, given the
appropriate redundancy, performing this separation increases recoverability. You should consider it if your
organization does not employ other availability options. If the disk storing a database fails, you will need
the transaction logs to recover activity since your last backup. If your transaction logs also are lost, along
with the database, you can recover only to the point of your last back up.
The Exchange Server 2010 database schema was changed significantly to improve its performance
over previous Exchange Server versions. The new database schema now performs larger and moresequential input/output (I/O) transactions, optimizes performance on lower end disk systems, and reduces
the database maintenance that you must perform. These improvements were accomplished by removing
single-instance storage and increasing the page size from 8 kilobytes (KB) to 32 KB.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-19

In Microsoft Exchange Server 2000 and Exchange Server 2003, there was an option to create multiple
databases and have them share a set of transaction logs. This was called a storage group. In Exchange
Server 2007, having multiple databases in a storage group was available only for databases that did not
have high availability features enabled. In Exchange Server 2010, there is no option to have multiple
databases to share a single set of transaction logs.

2-20 Configuring Mailbox Servers

What Are the Database File Types?

A database consists of a collection of file types, each of which performs different functions.

<Log Prefix>.chk. This checkpoint file determines which transactions require processing to move the
checkpoint file from the transaction log file to the database. Each databases log prefix determines its
checkpoint file name. For example, the checkpoint file name for a database with prefix E00 would be
E00.chk. This checkpoint file is several kilobytes in size, and does not grow.

<Log Prefix>.log. This is the databases current transaction log file. An example is E00.log. The
maximum amount of data storage for this file is 1 megabyte (MB). When this file reaches its
maximum storage of 1 MB, Exchange Server renames it and creates a new current transaction log.

<Log Prefix>xxxxxxxx.log. Exchange Server renames and files this transaction log file. Log files use
sequential hexadecimal names. For example, the first log file for the first database on a server would
be E0000000001.log. Each transaction log file is always 1 MB.

<Log Prefix>res00001.jrs to <Log Prefix>res0000A.jrs. These are the reserved transaction logs for the
database. Exchange Server 2010 uses these only as emergency storage when the disk becomes full
and it can write no new transactions to disk. When Exchange Server 2010 runs out of disk space, it
writes the current transaction to disk, using up the space reserved by the 10 reserve transaction logs
and then dismounts the database. The reserved transaction logs ensure minimal loss of data that is in
transit to the database. The reserved transaction logs always are 1 MB each.

Tmp.edb. This temporary workspace is for processing transactions. Exchange Server 2010 deletes the
contents of this file when it dismounts the database or when the Microsoft Exchange Information
Store service stops. This file typically is a few megabytes in size.

<Log Prefix>tmp.log. This is the transaction log file for the temporary workspace. An example is
E00tmp.log. This file does not exceed 1 MB.

<File Name>.edb. This is the rich-text database file that stores content for mailbox and public folder
databases. An example is Database.edb. Each mailbox or public folder database is contained in a
single file. Database files can grow very large, depending on the content that the database stores.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

The Update Process for Mailbox Databases

The following process takes place when a Mailbox server receives a message:
1.

The Mailbox server receives the message.

2.

The Mailbox server writes the message to the current transaction log and memory cache
simultaneously.
Note If the current transaction log reaches 1 MB of storage, Exchange Server 2010
renames it and creates a new current transaction log.

3.

The Mailbox server writes the transaction from memory cache to the appropriate database.

4.

The Mailbox server updates the checkpoint file to indicate that the transaction was committed
successfully to the database.

5.

Clients can access and read the message in the database.

2-21

2-22 Configuring Mailbox Servers

Demonstration: Configuring Database Options

Several configuration options are set at the database level. Three key management tabs contain these
options: Maintenance, Limits, and Client Settings. This demonstration examines how these tabs can be
used to configure your database options.

The Maintenance Tab


Use the Maintenance tab to specify a journal recipient when you are using database journaling. However,
we recommend using journaling rules for journaling in Exchange Server 2010.
The maintenance schedule is the period of time in which Exchange Server performs database
maintenance. In Exchange Server 2010, online defragmentation occurs continually, so you use the
maintenance window primarily to remove deleted items and mailboxes.
The Maintenance tab has a checkbox that you can select to keep the database from mounting at startup.
You typically use this checkbox, and another that allows the database to be overwritten by a restore,
during recovery or database-maintenance tasks. The checkbox for enabling circular logging sets the
transaction-logging mode so that Exchange Server 2010 overwrites the transaction logs after they are
committed to the database. Circular logging does not allow you to recover a database to a point in time
other than when the last full backup was completed. We recommend circular logging only in test
environments or in high availability configurations in which adequate redundancy negates the need for
this type of recovery.

The Limits Tab


Use the Limits tab to set the maximum size for mailboxes that the database stores, and to specify the
notification schedule for sending messages to users who are approaching these limits.
The deletion settings specify how long the database stores deleted items and mailboxes after the user
deletes them. You can recover items that users have deleted and purged from their Deleted Items folder,
without having to perform a restore from a backup.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

The Client Settings Tab


Use the Client Settings tab to configure the default public folder, if necessary, and the default offline
address book for all mailboxes in the database.

Demonstration Steps
1.

Open the Exchange Management Console.

2.

In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization


Configuration, and then click Mailbox.

3.

Select the Database Management tab, and then view the properties of a mailbox database.

4.

View the properties on the General, Maintenance, Limits, and Client Settings tabs.

5.

Run the Move Database Path Wizard to move the database files.
Question: When would you need to move the path of the transaction logs or databases?
Question: When might you use circular logging?

2-23

2-24 Configuring Mailbox Servers

Exchange Server 2010 Storage Improvements

Exchange Server 2010 introduces several significant changes that reduce storage costs and improve
performance, including changes to the database schema, the use of compression, and the change to
32 KB database pages. Additionally, further improvements minimize database fragmentation by writing
data sequentially on disk, which also improves disk performance. Lastly, when you combine the reduced
storage input/output (I/O) requirements with the new database high availability features, you may be able
to leverage inexpensive direct-attached storage for larger Exchange Server deployments.
Since the storage I/O requirements are lower in Exchange Server 2010, more storage options are available.
Still, you should ensure that your storage method meets the business and technical requirements for the
Exchange Server deployment. Tools such as LoadGen and JetStress are available to approximate usage
patterns, and you can use these tools to test various hardware configurations in your environment.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-25

Options for Database Storage

Exchange Server 2010 now supports several disk storage options, including Serial Advanced Technology
Attachment (SATA), Solid-state drive (SSD), and Serial Attached small computer system interface (SCSI), or
SAS. When selecting which storage solution to use, the goal is to ensure that the storage will provide the
performance that your environment requires.

JBOD
Just a bunch of disks (JBOD) is a collection of disks that have no redundancy or fault tolerance. Usually,
JBOD solutions are lower cost than solutions that use redundant array of independent disks (RAID). JBOD
adds fault tolerance by using multiple copies of the databases on separate disks.

RAID
RAID increases disk-access performance and fault tolerance. The most common RAID options are:

RAID 0 (striping). Increases read and write performance by spreading data across multiple disks.
However, it offers no fault tolerance. Performance increases as you add more disks. You add fault
tolerance by using multiple copies of the databases on separate RAID sets.

RAID 1 (mirroring). Increases fault tolerance by placing redundant copies of data on two disks. Read
performance is faster than a single disk, but write performance is slower than RAID 0. Half of the disks
are used for data redundancy.

RAID 5 (striping with parity). Increases fault tolerance by spreading data and parity information across
three or more disks. If one disk fails, the missing data is calculated based on the remaining disks. Read
and write performance for RAID 5 is slower than RAID 0. At most, only one third of the disks are used
to store parity information.

RAID 0+1 (mirrored striped sets). Increases fault tolerance by mirroring two RAID 0 sets. This provides
very fast read and write performance, and excellent fault tolerance.

2-26 Configuring Mailbox Servers

RAID 6 (striping with double parity). Increases fault tolerance by spreading data and parity information
across four or more disks. If up to two disks fail, RAID 6 calculates the missing data based on data and
parity information stored on the remaining disks. Read and write performance for RAID 6 typically is
slower than RAID 0, and RAID 6 does not have a read penalty. The main benefit of RAID 6 is the
ability to rebuild missing data if you have two failures per RAID group, and to reduce the impact of
rebuilding the RAID set when a disk fails.

RAID 1+0 or RAID 10 (mirrored sets in a striped set). Provides fault tolerance and improved
performance, but increases complexity. The difference between RAID 0+1 and RAID 1+0 is that RAID
1+0 creates a striped set from a series of mirrored drives. In a failed disk situation, RAID 1+0 performs
better and is more fault tolerant than RAID 0+1.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-27

Data Storage Options: Direct Attached Storage

Direct attached storage is any disk system that connects physically to your server. This includes hard disks
inside the server or those that connect by using an external enclosure. Some external enclosures include
hardware-based RAID. For example, external disk enclosures can combine multiple disks in a RAID 5 set
that appears to the server as a single large disk.
In general, direct attached storage provides good performance, but it provides limited scalability because
of the units physical size. You must manage direct attached storage on a per-server basis. Exchange
Server 2010 performs well with the scalability and performance characteristics of direct attached storage.
Direct attached storage provides the following benefits:

Lower cost Exchange Server solution. Direct attached storage usually provides a substantially lower
purchase cost than other technologies.

Easy implementation. Direct attached storage typically is easy to manage, and requires very little
training.

Distributed failure points. Each Exchange server has separate disk systems, so the failure of a single
system does not affect the entire Exchange messaging system negatively, assuming that you
configure your Exchange servers for high availability.

2-28 Configuring Mailbox Servers

Data Storage Options: Storage Area Networks

A storage area network (SAN) is a network dedicated to providing servers with access to storage devices.
A SAN provides advanced storage and management capabilities, such as data snapshots, and high
performance. SANs use either Fibre Channel switching or Internet SCSI (iSCSI) to provide fast and reliable
connectivity between storage and applications. Fibre Channel switching or iSCSI allows many servers to
connect to a single SAN.
Fibre Channel is a standard SAN architecture that runs on fiber optic cabling. Most SANs use it because
Fibre Channel is specifically for SANs, and it is the fastest architecture available.
SANs are complex and require specialized knowledge to design, operate, and maintain. Most SANs also
are more expensive than direct attached storage.
SANs provide the following benefits:

A large RAM cache that keeps disk access from becoming a bottleneck. The reduced I/O requirements
of Exchange Server 2010 make it more likely that an iSCSI-based SAN will meet your requirements in
small and medium-sized deployments. However, you should test all hardware configurations
thoroughly before deployment to ensure that they meet your organizations required performance
characteristics.

Highly scalable storage solutions. Messaging systems are growing continually, and require larger
storage over time. As your needs expand, a SAN allows you to add disks to your storage. Most SANs
incorporate storage virtualization, which allows you to add disks and allocate the new disks to your
Exchange server.

Multiple servers attached to a single SAN. If you use a SAN, you can connect multiple computers that
are running Exchange Server, and then divide the storage among them.

Enhanced backup, recovery, and availability. SANs use volume mirroring and snapshot backups.
Because SANs allow multiple connections, you can connect high performance back-up devices to the
SAN. SANs also allow you to designate different RAID levels to different storage partitions.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-29

For cost-conscious SAN implementations, iSCSI may be a viable option. An iSCSI network encapsulates
SCSI commands in TCP/IP packets over standard Ethernet cabling and switches. You should implement
this technology only on dedicated storage networks that are 1 gigabit per second (Gbps) or faster.

2-30 Configuring Mailbox Servers

Demonstration: How to Manage Mailbox Size Limits

In this demonstration, you will review how to use the Exchange Management Console to configure
storage quotas, and how to use the Exchange Management Shell to configure storage quotas in bulk or
simultaneously.
You can enforce size limits either on a specific mailbox or on a database, which applies the settings on all
mailboxes in the database, by default. The three options available to set a limit on mailboxes and on the
database are:

Issue warning at (KB). When a mailbox reaches the size you specify, at a predetermined schedule
(daily by default), mailbox-enabled users receive a message indicating that their mailboxes have
become too large.

Prohibit send at (KB). When a mailbox reaches the size you specify, the user no longer can send
messages and receives a warning message that the mailbox is too large. The mailbox can still receive
messages.

Prohibit send and receive at (KB). When a mailbox reaches the size you specify, the user can no longer
send or receive messages, and receives a warning message that the mailbox is too large. If the
organization uses a Unified Messaging server, prohibiting email reception can result in lost email
messages, voicemail messages, and faxes. Most organizations elect not to use this option.

You also can use mailbox database defaults to set limits on the database. Exchange Server 2010 enables
this by default, and if you use it, the mailbox inherits any settings that you assign to the database that
stores the mailbox.
Deleted item retention settings work similarly to size limits in that you can assign them either on the
mailbox or database. By default, all mailboxes also inherit deleted time retention from the database.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-31

Database Sizes
As a best practice, set limits on all mailboxes by using the Mailbox database settings. Setting limits ensures
that mailboxes do not grow larger than the hardware can support. This reduces the possibility that a
mailbox grows and fills an entire disk on the Exchange server due to a virus, user intent, or an incorrect
configuration.

Demonstration Steps
1.

Open the Exchange Management Console.

2.

In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration,
and click Mailbox.

3.

Right-click a user mailbox, and click Properties.

4.

Click the Mailbox Settings tab, and double-click Storage Quotas.

5.

Unselect Use mailbox database defaults, and modify the value for Prohibit send and receive at
(MB).

6.

Open Exchange Management Shell.

7.

Configure the database limits with the Set-MailboxDatabase cmdlet.

8.

Configure just the user mailboxes that are contained in the Marketing department with the GetMailbox and Set-Mailbox cmdlets.

2-32 Configuring Mailbox Servers

Discussion: Considerations for Implementing Databases

It is important to plan properly for any changes you want to make in the Exchange Server environment.
When considering which sort of storage to use for new databases, note the following:

Give each set of transaction logs its own hard disk. You likely will achieve the best performance when
transaction logs do not share disks with any other data. However, if you do not require high
performance, and there are enough copies of the data, you may not require this.

Use RAID 5 or RAID 6 to enhance performance and fault tolerance for databases. RAID 5 increases
read and write performance for random disk access and fault tolerance.

Use RAID 1 to provide fault tolerance for transaction logs. RAID 1 keeps two complete copies of
transaction logs for fault tolerance, and it provides good write performance for data that is written
serially.

Use a SAN, which provides excellent scalability and manageability for storage in large Exchange
Server organizations. A Fibre Channel SAN provides the best performance, but this high level of
performance may be more than you need to support your organizations requirements. SANs also
add considerable cost and complexity.

Use the prohibit send at storage limit to manage storage growth. This storage limit forces users to
address the size of their mailbox before sending additional messages. Halting message reception is
risky, because important business data might get lost. However, a warning may not be enough
encouragement for users to lower their mailbox size.
Question: What should you consider when naming databases?
Question: When would you want or need to create multiple databases?
Question: Why would you want to reduce the number of databases?
Question: What should you consider when planning to build additional Mailbox servers?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Lesson 3

Configuring Public Folders

This lesson covers public folders, and details how you can configure them. If you have deployed only
Outlook 2007 and later clients, you do not need to implement public folders in Exchange Server 2010.
However, many organizations have implemented public folders for business use in previous Exchange
Server versions, and have migrated these public folders to Exchange Server 2010. It is essential to
understand when to use public folders and how to configure them properly.
After completing this lesson, you will be able to:

Describe public folders.

Configure public folder replication.

Describe how clients access public folders.

Configure public folders.

Identify when to use Microsoft SharePoint 2010 instead of public folders.

2-33

2-34 Configuring Mailbox Servers

What Are Public Folders?

A public folder is a repository for different information types, such as email messages, text documents,
and multimedia files. A public folder database stores public folder contents, which you can share with
Exchange Server organization users.
Organizations typically use public folders as:

A location to store contacts for the entire organization.

Centralized calendars for tracking events.

Discussion groups.

A location in which to receive and store messages for a workgroup, such as the Help desk.

A storage location for custom applications.

Additionally, system public folders support legacy Office Outlook versions for free/busy information,
custom forms, and offline address books.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-35

Configuring Public Folder Replication

Public folder content replication is an email-based process for copying public folder content between
computers that are running Exchange Server. When you modify a public folder or its contents, the public
folder database that contains the replica of the public folder that you change sends a descriptive email
message to the other public folder databases that host a replica of the public folder. To reduce network
traffic, Exchange Server includes information about multiple changes in one email message. If any
message exceeds the specified size limit, that message is sent as a separate replication message. Exchange
Server routes these replication messages the same way that it routes other email messages. By default,
public folder content replicates every 15 minutes, and you cannot set replication to less than every
minute.
Because AD DS and Active Directory store the public folder configuration objects, AD DS and Active
Directory replication must be working correctly to ensure that the configuration is available to all
Exchange servers.
When you create a public folder, only one replica of that public folder exists within the Exchange Server
organization.
Using multiple replicas allows you to place public folder content in the physical server locations where
users are located. This results in faster access to public folder content and reduced communication across
wide area network (WAN) links between physical locations. Public folder replication also provides fault
tolerance for public folders.

2-36 Configuring Mailbox Servers

How Clients Access Public Folders

The public folder connection process for Messaging Application Programming Interface (MAPI)-based
clients is:
1.

If the public folder is located on the user accounts default public folder database, Exchange Server
directs the client to this database for the public folder contents.

2.

If the public folder contents are not stored in the user accounts default public folder database,
Exchange Server redirects the client to a public folder database on a computer that is running
Exchange Server 2010 in the local Active Directory site.

3.

If no computer that is running Exchange Server 2010 or Exchange Server 2007 on the local Active
Directory site has a copy of the public folder contents, Exchange Server redirects the client to the
Active Directory site with the lowest cost site link that does have a copy of the public folder contents.

4.

If there is no computer that is running Exchange Server 2010 or Exchange Server 2007 that has a copy
of the public folder contents, Exchange Server redirects the client to a computer that is running
Microsoft Exchange Server 2003 and that does have a copy of the public folder contents. It does this
by using the cost assigned to the routing group connector(s). Exchange Server 2010 does not enable
this by default. Rather, you must enable it with the Set-RoutingGroupConnector cmdlet.

5.

If no public folder replica exists on the local Active Directory site, a remote Active Directory site, or on
a computer that is running Exchange Server 2003, the client cannot access the contents of the
requested public folder.
Note For Outlook Web App clients to view public folders, a replica of the public folder
must be available on an Exchange Server 2010 mailbox server.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-37

Demonstration: How to Configure Public Folders

In this demonstration, you will review how to use the Public Folder Management Console and Office
Outlook to configure public folders. You will see how to:

Use the Public Folder Management Console to add replicas and set permissions on a public folder.

Use the Public Folder Management Console to add permissions to a public folder.

Open Outlook, and then view the permissions for the public folder.

Demonstration Steps
Use the Public Folder Management Console to add replicas and set permissions on a public folder
1.

Open the Exchange Management Console.

2.

Open the Public Folder Management Console, and then connect to a Mailbox server.

3.

Create a new public folder named Sales.

4.

View the properties of the Sales public folder, and then view the options on the General, Statistics,
Limits, and Replication tabs.

5.

Add a replica to the Sales public folder.

Use the Public Folder Management Console to add permissions to a public folder
1.

Open the Public Folder Management Console.

2.

On the Sales folder properties, click the Permissions tab.

3.

Add Luca Dellamore with Edit All permissions to the folder properties.

2-38 Configuring Mailbox Servers

Use Outlook to view and edit public folder permissions


1.

Logon to VAN-CL1 as Adatum\Administrator.

2.

Open Outlook.

3.

View the permissions for the Sales public folder.


Question: How is public folder management different in Exchange Server 2010 than in
previous Exchange Server versions?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-39

Best Practices for Public Folder Deployment

When planning public folder deployment in Exchange Server 2010, you should consider the following
best practices:

Some organizations make little use of public folders, while others use them extensively, and may have
manual or automated business processes that require public folders. Because of the variation in public
folder use, you should start your public folder design by analyzing your organizations business
requirements for public folders.

If your organization uses public folders extensively, you might need to deploy one or more dedicated
public folder servers. Dedicated public folder servers may have different hardware requirements than
servers that are both Mailbox and public folder servers, depending on both the number of users that
are using the public folders, and the size of the public folder store. Because a Mailbox server can host
only one public folder database, the hardware requirements for the dedicated public folder server are
likely to be significantly less than a Mailbox server that has multiple mailbox databases.

Schedule public folder replication during nonpeak hours. In cases of limited bandwidth, and if users
do not need access to a current copy of the public folder contents, you can schedule public folder
replication to occur during nonbusiness hours.

If the network bandwidth and latency between company locations is not a significant issue, then the
primary considerations for using replication or referrals are server capacity, client performance, and
enabling high availability for public folders. If you have a Mailbox server in a remote site, or if you are
deploying a dedicated public folder server, you should enable public folder replication. This provides
users with a more positive experience as compared to accessing public folders across a WAN
connection. If you do not have a Mailbox server with the capacity to host public folder replicas in the
remote site, then use public folder referrals. If public folder availability is an important consideration
in your organization, then the only way you can provide high availability is through configuring
multiple replicas.

2-40 Configuring Mailbox Servers

If you have Office Outlook 2003, you should enable replication for the system public folders that
these clients require. These folders include the Schedule+ free/busy folders, and the OAB folders. The
OAB folder includes up to three different versions of the OAB. Only replicate the OAB versions that
the Office Outlook clients in your organization require. In a migration scenario, you should enable
replication of these folders from previous versions of Exchange server to Exchange 2010. If you only
have Exchange Server 2010 deployed, you should consider deploying multiple replicas of these
system folders to ensure the folders are high available to clients.
Note For Outlook Web App clients to view public folders, a replica of the public folder
must be available on an Exchange 2010 Mailbox server.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-41

Lab: Configuring Mailbox Servers

Lab Setup
Important If required, start the 10135B-VAN-DC1 virtual machine first, and ensure that it
is fully started before starting the other virtual machines.
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.

2.

Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and the 10135B-VAN-EX3 virtual machines are
running.

3.

10135B-VAN-DC1: Domain controller in the Adatum.com domain

10135B-VAN-EX1: Exchange 2010 server in the Adatum.com domain

10135B-VAN-EX3: Exchange 2010 server in the Adatum.com domain

If required, connect to the virtual machines. Log on to the computers as Adatum\Administrator,


using the password Pa$$w0rd.

Lab Scenario
You are a new messaging administrator at A. Datum Corporation, and your manager has left instructions
indicating that you need to create and configure a database for the executive group, and then move the
existing database for the accounting group to a new location. Additionally, you need to add an additional
public folder database, and then replicate data to it.

2-42 Configuring Mailbox Servers

Exercise 1: Configuring Mailbox Databases


Scenario
You must configure the executives database so that the mailbox does not send or receive messages after
the mailbox size reaches 1,024 MB. Additionally, you should ensure that a warning is sent to users if their
mailbox reaches 850 MB.
The main tasks for this exercise are:
1.

Create a new database for the Executive mailboxes.

2.

Configure the Executive mailbox database with appropriate limits.

3.

Move the existing Accounting database to a new location.

X Task 1: Create a new database for the Executive mailboxes


1.

On VAN-EX1, open the Exchange Management Console.

2.

Create a new database named Executive on VAN-EX1.

3.

Store database files in C:\Mailbox\Executive.

4.

Store log files in C:\Mailbox\Executive.

X Task 2: Configure the Executive mailbox database with appropriate limits

Configure the limits on the Executive database:

Prohibit send and receive: 1024 MB

Issue warning: 850 MB

X Task 3: Move the existing Accounting database to a new location


1.

Move the Accounting database files.

2.

Store database files in C:\Mailbox\Accounting.

3.

Store log files in C:\Mailbox\Accounting.

Results: After this exercise, you should have created a new database, set the specified limits, and moved
the existing Accounting database to a new folder.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2-43

Exercise 2: Configuring Public Folders


Scenario
Before creating a new public folder database and replicating it, you must check the numbers of items and
size in the Executive public folder so that you can later verify that the replication was successful.
The main tasks for this exercise are:
1.

Check Executives public folder statistics.

2.

Create a public folder database on VAN-EX3.

3.

Add a replica of the Executives public folder on VAN-EX3.

4.

Verify replication between VAN-EX1 and VAN-EX3.

X Task 1: Check Executives public folder statistics


1.

On VAN-EX3, open the Exchange Management Console, and in the Toolbox node, open the Public
Folder Management Console.

2.

In the Public Folder Management Console, connect to VAN-EX1, and view the number of items and
size in the Executives public folder on VAN-EX1.

Write down Total Items ______________________

Write down Size (KB) ________________________

X Task 2: Create a public folder database on VAN-EX3

Create a new public folder database on VAN-EX3 named PF-VAN-EX3.

Store database files in C:\Mailbox\PF-VAN-EX3\PF-VAN-EX3.edb.

Store log files in C:\Mailbox\PF-VAN-EX3.

X Task 3: Add a replica of the Executives public folder on VAN-EX3

Add PF-VAN-EX3 as a replica for the Executives public folders, and then wait for replication to
complete.
Note It can take up to 15 minutes for replication to complete.

X Task 4: Verify replication between VAN-EX1 and VAN-EX3

Verify the number and size of items in the Executives public folder on
VAN-EX3.

Results: After this exercise, you should have created a new public folder database on VAN-EX3 and added
replicas for each public folder.

2-44 Configuring Mailbox Servers

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1.

On the host computer, start Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

4.

Repeat this step for every virtual machine that is running.

5.

In the Virtual Machines pane, click 10135B-VAN-DC1, and then in the Actions pane, click Start.

6.

To connect to the virtual machine for the next modules lab, click 10135B-VAN-DC1, and then in the
Actions pane, click Connect.
Important Start the VAN-DC1 virtual machine first, and ensure that it is fully started
before starting the other virtual machines.

7.

Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

8.

Wait for VAN-EX1 to start, and then start VAN-CL1. Connect to the virtual machine.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Module Review and Takeaways

Review Questions
1.

Which tools can you use to manage Exchange Server 2010?

2.

What customizations can you make on mailbox databases?

3.

When can you use public folders?

Common Issues Related to Designing Mailbox Databases


Identify the causes for the following common issues related to designing and implementing Exchange
Server mailbox databases, and then complete the troubleshooting tips. For answers, refer to relevant
lessons in the module.
Issue
You are planning to deploy a new Mailbox
server on a different server and storage
platform.
After applying limits on each of the
mailbox databases, some of the users are
exceeding these limits.
You are migrating from Exchange Server
2003, and none of the users with Exchange
Server 2010 mailboxes can access legacy
public folders via Outlook Web App.

Troubleshooting tip

2-45

2-46 Configuring Mailbox Servers

Real-Word Issues and Scenarios


1.

Your organization needs to determine which storage solution to deploy for the new Exchange Server
2010 messaging environment. What information should you consider when selecting the hardware?

2.

Your organization would like to automate creation of user mailboxes for employees based on their
status in your organizations human-resources system. What can you use to perform this automation?

3.

Your organization wants to reduce administrative costs. One suggestion is to give department heads
and administrative assistants the necessary access to manage departmental and project-based
groups. What can you use to accomplish this task?

Best Practices Related to Public Folder Deployment Planning


Supplement or modify the following best practices for your own work situations:

Determine the public folder features that your organization needs, such as multiple master
replications.

Determine whether other solutions, such as SharePoint or Microsoft InfoPath, meet user needs
better.

Define specific age and size limits, so that public folder data does not grow uncontrolled and
outdated.

Tools
Tool

Use for

Exchange Management
Console

Configuring the Exchange Server

Exchange Management
Shell

Configuring the Exchange Server

Exchange Control Panel

Managing recipients

Where to find it
Start menu

organization, its servers, and its recipients


Start menu

organization, its servers, and its recipients


Completing bulk-management tasks
Outlook Web App

3-1

Module 3
Managing Recipient Objects
Contents:
Lesson 1: Managing Mailboxes

3-3

Lesson 2: Managing Other Recipients

3-21

Lesson 3: Configuring Email Address Policies

3-28

Lesson 4: Configuring Address Lists and Address Book Policies

3-33

Lesson 5: Performing Bulk Recipient Management Tasks

3-40

Lab: Managing Exchange Recipients

3-46

3-2

Managing Recipient Objects

Module Overview

In any messaging system, you need to create recipients and configure them to send and receive email. As
a Microsoft Exchange Server messaging administrator, you often must create, modify, or delete recipient
objects. Therefore, it is important to have a good understanding of recipient management. In Exchange
Server 2010, you can easily perform bulk management of Exchange Server recipient objects by using the
Exchange Management Shell.
This module describes how you can manage recipient objects, address policies, and address lists in
Exchange Server 2010, and the procedures for performing bulk management tasks in Exchange
Management Shell.
After completing this module, you will be able to:

Manage mailboxes in Exchange Server 2010.

Manage other recipients in Exchange Server 2010.

Configure email address policies.

Configure address lists and address books policies.

Perform bulk recipient management tasks.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-3

Lesson 1

Managing Mailboxes

Apart from creating mailboxes, you may need to modify mailbox options to meet the needs of users and
ensure optimal performance of the messaging environment. Based on your organizations requirements,
and its users, you also may have to move mailboxes to different servers or databases, and configure
resources.
This lesson provides an overview of Exchange Server recipient objects and the available configuration
options. Additionally, this lesson covers the reasons and procedures for moving mailboxes, and explains
how to configure resource mailboxes.
After completing this lesson, you will be able to:

Identify the different recipient object types in Exchange Server 2010.

Manage mailbox user accounts.

Describe how to configure mailbox settings.

Configure mailbox permissions.

Move mailboxes by using the Exchange Management Console.

Describe the purpose and functionality of resource mailboxes.

Describe how to design resource booking policies.

Manage resource mailboxes.

3-4

Managing Recipient Objects

Types of Exchange Server Recipients

In Microsoft Exchange Server 2003, you can use the Active Directory Users and Computers functionality
to perform all individual recipient management tasks. However, in Microsoft Exchange Server 2007, and
subsequently in Exchange Server 2010, you cannot use Active Directory Users and Computers to manage
Exchange Server recipients. You must configure all Exchange Server-specific recipient settings in the
Exchange Management Console or the Exchange Management Shell.
Exchange Server recipients are mail-enabled when they have associated email addresses, but do not
have Exchange mailboxes. For example, a contact that has been mail-enabled becomes a mail contact.
Exchange Server 2010 supports the following recipient types:

User mailboxes. A mailbox that you can assign to an individual user in your Exchange Server
organization. It typically contains messages, calendar items, contacts, tasks, documents, and other
important business data.

Mail users or mail-enabled Active Directory users. These are users outside the Exchange Server
organization that have an external email address. All messages sent to the mail user are routed to this
external email address. A mail user is similar to a mail contact, except that a mail user has Active
Directory logon credentials and can access resources.

Resource mailboxes (Room mailboxes and Equipment mailboxes). A resource mailbox that you can
assign to a meeting location, or to a resource such as a projector. You can include resource mailboxes
as resources in meeting requests, which provides a simple and efficient way of scheduling resource
usage.

Mail contact or mail-enabled contacts. These contacts contain information about people or
organizations that exist outside an Exchange Server organization and that have an external email
address. Exchange Server routes all messages sent to the mail contact to this external email address.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-5

Mail-enabled security and distribution groups. You can use a mail-enabled Active Directory security
group object to grant access permissions to Active Directory resources, and you also can use it to
distribute messages. You can use a mail-enabled Active Directory distribution group object to
distribute messages to a group of recipients.

Dynamic distribution groups. A distribution group that uses recipient filters and conditions to derive
its membership at the time messages are sent.

Linked mailboxes. You can assign a linked mailbox to an individual user in a separate, trusted forest.

Remote mailboxes. Remote mailboxes are mailboxes that are located in the Exchange Online
environment. In a hybrid Exchange Server 2010 deployment, you can create and manage remote
mailboxes in the Exchange Online environment by using the Exchange Management Console.

You can use a mail-enabled user when Exchange Server 2010 is not responsible for sending and receiving
mail for an Active Directory user, but you want that user to appear in the global address list (GAL). You
might do this for remote sales people that prefer to use email based on their own Internet service
providers (ISP).
You can only mail-enable universal security groups and universal distribution groups in Exchange Server
2010, similar to Exchange Server 2007.
Question: How is a mail-enabled contact different from a mail-enabled user?

3-6

Managing Recipient Objects

Demonstration: How to Manage Mailboxes

In this demonstration, you will see how to manage mailboxes by performing common operations such as
creating, deleting, and removing mailbox user accounts.

Demonstration Steps
Use the Exchange Management shell to mail-enable an existing user
1.

Open Active Directory Users and Computers, and ensure that Daniel Brunner exists in the Users
container.

2.

In the Exchange Management Console, create a new mailbox for Daniel Brunner.

3.

Create the mailbox in Mailbox Database 1.

Create a new mail-enabled user with the Exchange Management Console

In the Exchange Management Console, run the New Mailbox Wizard, and create a new user account
and mailbox for Kim Akers. Create the mailbox in the Accounting mailbox database.

Disable a user mailbox


1.

In the Exchange Management Console, disable Daniel Brunners mailbox.

2.

In Active Directory Users and Computers, verify that Daniel Brunners user account still exists.

Remove a user mailbox


1.

In the Exchange Management Console, remove Kim Akerss mailbox.

2.

In Active Directory Users and Computers, verify that Kim Akers user account also has been deleted.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Note Remove-mailbox deletes the specified user account and mailbox, and disablemailbox removes the mailbox, but leaves the user account enabled.
Question: What tools do you prefer to use for managing mailbox users?
Question: How does your organization delegate Exchange and Active Directory
management tasks?

3-7

3-8

Managing Recipient Objects

Configuring Mailbox Settings

Exchange Server 2010 provides several options for configuring a single mailbox. Many of these options
are similar to those available for managing an Active Directory Domain Services (AD DS) environment.
Mailbox configuration options include:

General

User Information

Address and Phone

Organization

Account

Member Of

However, some configuration options are unique to Exchange Server such as:

Mail Flow Settings. There are three mail-flow settings: delivery options, message-size restrictions, and
message-delivery restrictions:

Use the delivery options to set:

Who can send an email message from that mailbox.

A recipient to whom all messages are forwarded.

The maximum number of recipients to which the mailbox can send a single message.

Use the message-size restrictions options to specify the maximum size for the messages that the
mailbox sends or receives.

Use the message delivery restrictions options to control the recipients that can send messages to
the mailbox.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-9

Mailbox Features. Use these options to configure the mailboxs specific features, such as Microsoft
Outlook Web App, Microsoft Exchange ActiveSync, Unified Messaging, Post Office Protocol
version 3 (POP3), Internet Message Access Protocol version 4 (IMAP4), and the Archive mailbox.

Calendar Settings. Use this option to configure how a mailbox processes meeting requests.

Mailbox Settings. There are four mailbox settings: messaging records management, federated sharing,
storage quotas, and archive quota.

E-Mail Addresses. Use this option to configure the e-mail addresses assigned to the mailbox.
Question: Why would you configure mailbox size limits on individual mailboxes?

3-10

Managing Recipient Objects

Demonstration: How to Configure Mailbox Permissions

In Exchange Server 2010, you use the Exchange Management Console and Exchange Management Shell
to configure the Full Access and Send As mailbox permissions. When you grant a user the Full Access
permission to another users mailbox, the delegated user can log on to the mailbox, and view and manage
all messages in the mailbox. Granting Full Access permissions does not grant the delegated user the right
to send mail as the selected mailbox. To allow a user to send mail from a delegated mailbox, you must
configure Send As permissions. When a user with Send As permissions sends a message from the
delegated mailbox, any message sent from the mailbox will appear as if it were sent by the mailbox
owner.
In this demonstration, you will see how to assign Full Access and Send As permissions to a mailbox.
Note In Exchange 2010 Service Pack 1 (SP1), Outlook 2007 and Outlook 2010 clients
automatically download all mailboxes to which the user has full access. If the user has full
access to a large number of mailboxes, this could cause performance issues. In Exchange
2010 SP1, users cannot control this behavior and cannot turn it off. In Exchange 2010 SP2,
administrators can turn off the automapping feature.

Demonstration Steps
Assign Wei Yu send as permissions on Andreas Herbingers mailbox
1.

Open Exchange Management Console.

2.

In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration,
and then select Mailbox.

3.

In the Results pane, select the Andreas Herbinger mailbox, and then in the Actions pane, click
Manage Send As Permission.

4.

In the Manage Send As Permission Wizard, click Add.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5.

In the Select User or Group dialog box, choose Wei Yu, and then click OK.

6.

Click Manage.

7.

Click Finish.

Assign Wei Yu full access to Conor Cunninghams mailbox


1.

Select the Conor Cunningham mailbox, and then in the Actions pane, click Manage Full Access
Permission.

2.

In the Manage Full Access Permission Wizard, click Add.

3.

In the Select User or Group dialog box, choose Wei Yu, and then click OK.

4.

Click Manage, and then click Finish.


Question: When would more than one user need to access the same mailbox?
Question: What is the difference between Send on behalf of permissions and Send As
permissions?

3-11

3-12

Managing Recipient Objects

Demonstration: How to Move Mailboxes

In this demonstration, you will see how to move mailboxes by using the Exchange Management Console.
Exchange Server 2010 uses move requests to move mailboxes. You can initiate a move request by running
the New-MoveRequest cmdlet or by using the New Local Move Request wizard in the Exchange
Management Console. Move requests have the following characteristics:

The Mailbox Replication Service running on a Client Access server carries out the move. The Mailbox
move is asynchronous, which means that the request can run immediately after initiating the move
request, or the request can be queued if other mailboxes are already being moved.

Mailboxes are kept online during the asynchronous moves. While the mailbox is being moved, the
Client Access server that the client is connected to maintains the connection to the source Mailbox
database. When the move is complete, the Client Access server switches the connection to the
destination database.

The mailboxs dumpster moves with the mailbox when you move it between Exchange Server 2010
mailbox servers.

Fast search is available upon completion. As soon as the mailbox begins to move, content indexing
starts to scan the mailbox so that fast searching is available upon the moves completion.

You can configure throttling for each MRS instance, each mailbox database, or each mailbox server.

While the mailbox is being moved, it is listed in the Move Request folder in the Exchange
Management Console. When the mailbox move is complete, the move request continues to be listed
in the Move Request folder until you clear the move request. The mailbox cannot be moved again
until the move request is cleared.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-13

While a move request is in progress, the mailbox stays online, allowing the user to continue sending and
receiving email. You can view the move request status in the Exchange Management Console and
Exchange Management Shell. The request can have one of the following statuses:

Queued for move

Move in progress

Ready to complete

Completing
Note In Exchange Server 2010 SP1 or newer versions, you can configure MRS throttling
policies to control the server resources used by MRS. MRS throttling is controlled by the
configuration file MSExchangeMailboxReplication.exe.config.

Demonstration Steps
Move Conor Cunninghams mailbox to the Accounting database
1.

On VAN-EX1, in the Exchange Management Console, create a new Local Move Request to move
Conor Cunninghams mailbox to the Accounting Mailbox database.

2.

View the move request status in the Move Request node.


Question: What is the benefit of scheduling mailbox moves?

3-14

Managing Recipient Objects

What Are Resource Mailboxes?

Resource mailboxes are specific types of mailboxes that you can use to represent meeting rooms or
shared equipment, and you can include them as resources in meeting requests. The Active Directory user
that is associated with a resource mailbox is a disabled account.

Room mailboxes. These are resource mailboxes that you can assign to meeting locations, such as
conference rooms, auditoriums, and training rooms.

Equipment mailboxes. These are resource mailboxes that you can assign to resources that are not
location-specific, such as portable computer projectors, microphones, or company cars.

You can include both types of resource mailboxes as resources in meeting requests, and thus provide a
simple and efficient way to utilize resources for your users. You can configure resource mailboxes to
automatically process incoming meeting requests based on the resource booking policies that are defined
by the resource owners. For example, you can configure a conference room to automatically accept
incoming meeting requests except recurring meetings, which can be subject to approval by the resource
owner.
You can create a resource mailbox as a room or as equipment. After creating the resource mail box, you
must configure properties such as location and size. Then, you must define the resource booking policy
and enable the resource booking attendant.

Room List Distribution Groups


The process of picking a room mailbox that is available during a selected meeting time can be
complicated. One way for users to see this information is to invite multiple meeting rooms to the meeting,
and then view availability information for each room. In Exchange Server 2010, you can create room-list
distribution groups based on company locations or other attributes. Users then can select the room list to
generate a list of meeting rooms and get information about room availability, without having to add all
rooms manually to the meeting request.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-15

You can create room-list distribution groups only by using Exchange Management Shell commands. For
example, the following command populates the variable $members with all room mailboxes with the
Office attribute equal to NYC Main Office:
$Members=Get-Mailbox -Filter {(RecipientTypeDetails -eq "RoomMailbox") -and (Office -eq
"NYC Main Office")}

The following command creates a new room list distribution group that includes all the room mailboxes in
$members variable:
New-DistributionGroup -Name "NYC-Main Office Conference Rooms" -RoomList -Members
$Members

After you create the room-list distribution groups, Office Outlook 2010 users can use the distribution
groups to easily view available meeting rooms. When users create a new meeting request in Outlook, they
can select the appropriate room-list distribution group, and easily view the availability for all meeting
rooms in the list.

3-16

Managing Recipient Objects

Designing Resource Booking Policies

Exchange Server 2010 provides several optionsor booking policiesthat you can use for configuring
resource mailbox settings and for customizing the resource mailbox to meet your organizations needs.
Booking polices define the automatic scheduling of resources.
A resource booking policy specifies:

Who can schedule a resource.

When the resource can be scheduled.

What meeting information will be visible on the resources calendar.

The response message that meeting organizers will receive.

Options for Configuring Automate Processing Settings


Exchange Server 2010 provides several options that you can use for configuring resource mailbox settings
and to customize it to meet most business needs. There are three values for Automate Processing: None,
Booking Attendant (AutoAccept), and Calendar Attendant (AutoUpdate). By default, the Calendar
Attendant is enabled on each resource mailbox. For the resource mailbox to process and accept meeting
requests, you must enable the Booking Attendant. In Exchange Server 2010, you can use both the
Exchange Management Console and Exchange Management Shell to configure resource mailboxes.
Three common scheduling scenarios used are automatic booking, manual approval by delegates, and
manual approval from the resources.

To enable automatic booking, the booking attendant should be enabled and the policy should be
configured.

To enable manual approval by delegates, the booking attendant should be enabled, and then All
Book In Policy should be disabled. Next the All Request In Policy should be enabled, and the
delegates should be specified.

To enable manual approval from the mailbox, the booking attendant should be left disabled.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-17

You can use the Exchange Management Console, or the Exchange Management Shell to configure
resource booking policies. The following table lists the Set-CalendarProcessing parameters that you can
configure. These options also are available when you access the resource mailbox properties in the
Exchange Management Console.
Setting

Description

AllowConflicts

Specifies whether to allow conflicting meeting requests. The default


configuration is false, which prevents overlapping appointments for
a resource.

AllowRecurringMeetings

Specifies whether to allow meetings that happen regularly. The


default is true, which allows you to books rooms and equipment for
recurring meetings such as weekly status meetings.

AllRequestInPolicy

Specifies whether to allow all users to submit in-policy requests. The


default is true, which allows all users to request appointments with
the resource, if the request meets all specified requirements, such as
no conflicts. A resource mail delegate still must approve all requests,
unless AllBookInPolicy is true.

AllBookInPolicy

Specifies whether to approve in-policy requests automatically


from all users. The default is true, which allows all users to book
appointments with the resource, if the request meets all specified
requirements, such as no conflicts.

AllRequestOutOfPolicy

Specifies whether to allow all users to submit out-of-policy requests.


The default is false, which prevents all users from requesting
appointments that do not meet specified requirements, such as
no conflicts.

BookInPolicy

Specifies a list of users for whom requests that meet the specified
requirements are booked automatically without approval from a
resource mailbox delegate.

ConflictPercentageAllowed

Specifies the maximum percentage of meeting conflicts for new


recurring meeting requests.

DeleteAttachments

Specifies whether to remove attachments from all incoming


messages.

EnableResponseDetails

Specifies the reasons for accepting or declining a meeting request


in the response email message.

ForwardRequestsToDelegates

Specifies whether to forward incoming meeting requests to the


resource delegates.

MaximumConflictInstances

Specifies the maximum number of conflicts for new recurring


meeting requests.

RemoveOldMeetingMessages

Specifies whether to remove old and redundant updates and


responses.

RemovePrivateProperty

Specifies whether to remove the private flag on incoming meeting


requests.

RequestInPolicy

Specifies a list of users who are allowed to submit in-policy meeting


requests.

3-18

Managing Recipient Objects

(continued)
Setting

Description

RequestOutOfPolicy

Specifies a list of users who are allowed to submit appointment


requests that do not meet specified requirements, such as no
conflicts. A resource mailbox delegate still must approve all
requests.

ResourceDelegates

Specifies a list of users who are resource delegates.

ScheduleOnlyDuringWorkHours

Specifies whether to allow meetings to be scheduled outside of


work hours.

TentativePendingApproval

Specifies whether to mark pending requests as tentative on the


calendar. The default is true, which marks appointment requests as
tentative until they are approved. When this value is false, pending
appointments are not displayed on the calendar.

MaximumDurationInMinutes

Specifies the maximum length of the appointment that the resource


will accept.

Considerations for Developing a Resource Booking Policy


When designing the resource booking policy, you must consider:

Who can schedule a resource. You might accept the default settings for most resources in the
organization, but consider restricting who can book heavily used or important resources. For example,
if you use a resource room mailbox to manage the schedule for a large conference room, you may
want to restrict who can book meetings in the conference room.

When users can schedule the resource. You may want to set restrictions on the time of day when
meetings can be booked with a resource, or restrict the meeting length or meeting recurrence.

The automatic acceptance policy for the meeting resource. By default, all resource mailboxes are
configured to accept all new appointment requests as tentative, until a user approves the request.
Because the meeting is set to tentative, this also enables other users to book the meeting resource for
the same time. By changing the Automate Processing attribute for the resource mailbox, you can
modify the default behavior. The default value is configured as Auto Update. If you set the value to
Auto Accept, the resource mailbox accepts all meetings from authorized users automatically, and
prevents other users from booking the resource at the same time.
Question: How will you use resource mailboxes in your environment?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-19

Demonstration: How to Manage Resource Mailboxes

In this demonstration, you will use Exchange Management Console to:

Create and configure a resource mailbox.

Configure a delegate for a resource mailbox.

Configure a room list distribution group.

Demonstration Steps
Create a resource mailbox
1.

On VAN-EX1, in the Exchange Management Console, create a new room mailbox with the following
information:

Name: Conference Room 1

User logon name (User Principal Name): ConferenceRoom1

Alias: ConferenceRoom1

2.

After creating the room mailbox, modify the properties, and enable the resource booking attendant.

3.

Open Windows Internet Explorer, and log on to Outlook Web App as Adatum\Administrator with
the password Pa$$w0rd.

4.

In Outlook Web App, create a new Meeting Request. Invite the Conference Room 1 resource mailbox
to the meeting.

5.

Send the meeting request and verify that the resource accepted the invitation.

3-20

Managing Recipient Objects

Configure a delegate for a resource mailbox


1.

On VAN-EX1, in the Exchange Management Console, access the Conference Room 1 properties.

2.

Add Luca Dellamore as a delegate on the mailbox, and configure the mailbox properties so that all
meeting requests must be approved by the delegate.

3.

Configure Luca Dellamore to have Full Access Permissions for Conference Room 1.

4.

Configure the company name for the mailbox as Fourth Coffee.

5.

Verify that the delegate has to accept the meeting request for the room mailbox.

Configure a room list distribution group


1.

On VAN-EX1, in the Exchange Management Shell , run the following commands to create a room list
distribution group that includes all mailboxes with a company attribute of Fourth Coffee:

$Members=Get-User -Filter {(RecipientTypeDetails -eq "RoomMailbox") -and (Company -eq


"Fourth Coffee")}
New-DistributionGroup -Name "Fourth Coffee Conference Rooms" -RoomList -Members $Members

2.

On NYC-CL1, verify that the room list is available.


Question: How does your organization use resource mailboxes?
Question: Which attributes are useful for your resource mailboxes?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-21

Lesson 2

Managing Other Recipients

Exchange Server also includes other recipient types that provide additional functionality, such as sending
email to an entire company department or sharing email addresses between users, for recipients outside
your company.
In this lesson, you will be introduced to the other recipient types in Exchange Server 2010 such as contacts
and distribution groups.
After completing this lesson, you will be able to:

Describe the functionality of mail contacts and mail users.

Describe the purpose of a distribution group.

Explain the options for configuring distribution groups.

Manage distribution groups by using the Exchange Control Panel.

3-22

Managing Recipient Objects

What Are Mail Contacts and Mail Users?

Mail contacts are mail-enabled Active Directory contacts. These contacts contain information about
people or organizations that exist outside your Exchange Server organization. You can view mail contacts
in the GAL and other address lists, and you can add them as members to distribution groups. Each contact
has an external email address, and all email messages that are sent to a contact are automatically
forwarded to that address.
If multiple people within your organization contact a trusted external person, you can create a mail
contact with the persons email address. This allows Exchange Server users to select that person from the
GAL for sending email.
Mail users are similar to mail contacts. Both have external email addresses, they contain information about
people outside your Exchange Server organization, and you can display them in the GAL and other
address lists. However, unlike a mail contact, mail users have Active Directory logon credentials and can
access resources to which they are granted permission.
If a person external to your organization requires access to resources on your network, you should create
a mail user instead of a mail contact. For example, you may want to create mail users for short-term
consultants who require access to your server infrastructure, but who will use their own external email
addresses.
In another scenario, you can create mail users for whom you do not want to maintain an Exchange Server
mailbox. For example, after an acquisition, the acquired company may maintain its own messaging
infrastructure, but it may also need access to your networks resources. For those users, you might want to
create mail users instead of mailbox users.
Question: When would you use mail-enabled contacts?
Question: Why would you use a mail-enabled contact rather than a mail-enabled user?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-23

What Are Distribution Groups?

You can use mail-enabled groups to allow end users to send email to multiple recipients. Mail-enabled
groups also allow you to assign permissions simultaneously to multiple users for Exchange Server objects,
such as private mailboxes and public folders. In Exchange Server 2010, mail-enabled groups belong to
one of the following four categories:

Universal Security groups. Can be mail-enabled and can be assigned permissions outside of Exchange
Server.

Distribution groups. Are mail-enabled and can only be assigned Exchange Server permissions for
things such as Public folders. The two types of distribution groups are:

Static

Dynamic

Public groups. End users can manage these distribution groups through the Exchange Control Panel.
Within Exchange Control Panel, the end user can add or remove group members, moderate the
group, or even request access to other public groups.

Moderated groups. These are distribution groups that allow the group manager to approve or reject
either all messages sent to the group or from specific users. You can use moderated groups to restrict
the conversations that occur between group members.
Question: When would your organization use distribution groups?
Question: When would your organization use public and moderated groups?

3-24

Managing Recipient Objects

Options for Configuring Distribution Groups

Similar to the options available for configuring mailboxes, there are a number of options available for
configuring mail-enabled groups.
You can configure several options for Exchange Server distribution groups, including:

Group membership. These are the objects that are in the distribution group.

Maximum message size. Use this option to set the maximum size for messages that can be sent to the
distribution group.

Message delivery options. Use these options to configure which users can send messages to the
group.

Address list visibility. Use this option to hide the group from the address list. You can use this option
when the distribution group is used mainly for receiving email from the Internet, and internal users
do not need it.

Delivery of out-of-office messages. Enable this option to send out-of-office messages back to the
message sender, if one of the distribution group recipients has enabled out-of-office notifications.

Non-delivery reports. Use this option to configure non-delivery reports (NDR). You can choose to
send an NDR or specify whether they are sent to the distribution lists manager or to the message
originator.

E-mail addresses for the group. Use this option to configure the distribution groups email address.

Message moderation. Use these options to assign moderators permissions to review all messages that
are sent to the distribution list. You also can configure a list of users that do not require moderation.
Additionally, you can configure notifications to alert the message originators if their message is
approved or not.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Creating and managing distribution groups in the Exchange Control Panel. Users, who have the
permission to create distribution groups that are not security groups, can create and manage these
groups by using the Exchange Control Panel. By default, members of the Recipient Management
or Organization Management group have the required permissions. You can also assign these
permissions to other users by adding the MyDistributionGroups role to each users role assignment.
Note

3-25

Module 10 covers user role assignments in more detail.

Membership approval. With Exchange Server 2010, users can request to join or leave distribution
groups that are not security groups by using the Exchange Control Panel. When you create a
distribution group, you can use the following options to control if and how users can join or leave the
group:

Choose whether owner approval is required to join the group. If you choose Open, users can
join this distribution group without the approval of the distribution group owners. If you choose
Closed, only distribution group owners can add members to the group. Requests to join this
distribution group will be rejected automatically. If you choose owner approval, users can request
membership on this distribution group. The distribution group owner must approve requests to
join the group before the user can join.

Choose whether the group is open to leave. If you choose Open, users can leave this distribution
group without the approval of the distribution group owners. If you choose Closed, only
distribution group owners can remove members from this distribution group. Requests to leave
this distribution group will be rejected automatically.

Question: What is the advantage of enforcing a naming convention for distribution groups?

3-26

Managing Recipient Objects

Demonstration: How to Manage Groups by Using the Exchange


Control Panel

In Exchange Server 2010, you can create and manage distribution groups in the Exchange Control Panel.
When you create a distribution group by using the Exchange Control Panel, it will always be configured as
a distribution group rather than a security group. You cannot modify security groups by using the
Exchange Control Panel.

Demonstration Steps
Add MyDistributionGroups to the default user role assignment
1.

On VAN-EX1, connect to the Exchange Control Panel, and log in as Adatum\Administrator using
the password Pa$$w0rd.

2.

Edit the Default Role Assignment Policy by adding the MyDistributionGroups role.

Create and configure a new distribution group


1.

On VAN-EX1, connect to the Exchange Control Panel, and log in as Adatum\Conor using the
password Pa$$w0rd.

2.

Create a new distribution group with the following configuration:

Display name: Sales

Alias: Sales

Description: Sales Department

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3.

4.

Add the following members:

Manoj Syamala

Rohinton Wadia

Paul West

Configure the Membership Approval as Owner Approval.

Manage distribution group membership


1.

Log on to Exchange Control Panel as Adatum\Wei with the password Pa$$w0rd.

2.

Request to join the Sales group.

3.

Log on to Outlook Web App as Adatum\Conor with the password Pa$$w0rd.

4.

Approve the Request to Join Distribution Group


Question: When would you use public groups?

3-27

3-28

Managing Recipient Objects

Lesson 3

Configuring Email Address Policies

In many messaging systems, you might host multiple Single Mail Transfer Protocol (SMTP) domains, and
thus you would need to manage the email addresses assigned to the Exchange recipients. To ensure that
recipients have appropriate email addresses, you can create and apply email address policies.
In this lesson, you will learn about email address policies and how to configure them.
After completing this lesson, you will be able to:

Describe the purpose and functionality of email address policies.

Configure email address policies.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-29

What Are Email Address Policies?

For a recipient to send or receive email messages, the recipient must have an email address. Email address
policies generate the primary and secondary email addresses for your recipients so they can receive and
send email. You must create an accepted domain so that a domain in an email address policy functions
properly. An accepted domain is an SMTP namespace that you can configure Exchange servers to send
messages to, or from which they can receive messages.
By default, Exchange Server contains an email address policy for every mail-enabled user. This default
policy specifies the recipients alias as the local part of the email address and uses the default accepted
domain. The local part of an email address is the name that appears before the @ symbol. However, you
can configure how your recipients email addresses display. To specify additional email addresses for all
recipients or just a subset, you can modify the default policy or create additional email address policies.

Creating an Email Address Policy


Exchange Server applies an email address policy to recipient group based upon an OPATH filter. OPATH is
a querying language designed to query object-data sources. The filter defines the search scope in the
Active Directory forest and the attributes to match.
The New E-mail Address Policy Wizard provides a standard list of recipient scope filters. These include:

All recipient types. Select this check box if you do not want to filter recipient type.

Users with Exchange mailboxes. Select this check box if you want your email address policy to
apply to users who have Exchange Server 2010, Exchange Server 2007, and Exchange Server 2003
mailboxes. Users with Exchange mailboxes are those that have a user domain account and a mailbox
in the Exchange organization.

3-30

Managing Recipient Objects

Users with external e-mail addresses. Select this check box if you want your email address policy
to apply to users who have external email addresses. Users with external email accounts have user
domain accounts in the Active Directory Domain Services (AD DS), but use email accounts that are
external to the organization. This enables them to be included in the GAL and added to distribution
lists.

Resource mailboxes. Select this check box if you want your email address policy to apply to
Exchange Server resource mailboxes. Resource mailboxes let you administer company resources, such
as a conference room or company vehicle, through a mailbox.

Contacts with external e-mail addresses. Select this check box if you want your email address
policy to apply to contacts with external email addresses. Mail-enabled groups resemble distribution
groups, as messages sent to a mail-enabled group account will go to several recipients.

Mail-enabled groups. Select this check box if you want your email address policy to apply to security
groups or distribution groups that have been mail-enabled.

The second part of the E-mail Address Policy filter has conditions in one of the following categories:

Recipient is in a State or Province. Select this check box if you want the email address policy to
include only recipients from specific states or provinces. The Address and Phone tabs in the recipients
properties contains this information.

Recipient is in a Department. Select this check box if you want the email address policy to include
only recipients in specific departments. The Organization tab in the recipients properties contains this
information.

Recipient is in a Company. Select this check box if you want the email address policy to include only
recipients in specific companies. The Organization tab in the recipients properties contains this
information.

Custom Attribute equals Value. There are 15 custom attributes for each recipient. There is a
separate condition for each custom attribute. If you want the email address policy to include only
recipients that have a specific value set for a specific custom attribute, select the check box that
corresponds to that custom attribute.

When creating an email address policy, you can use the following email address types:

Default SMTP e-mail address. Default SMTP email addresses are commonly used email address types
that Exchange Server provides for you.

Custom SMTP e-mail address. If you do not want to use one of the default SMTP e-mail addresses,
you can specify a custom SMTP email address. When creating a custom SMTP email address, you can
use the variables in the following table to specify alternate values for the local part of the email
address.
Variable

Value

%g

Given name (first name)

%i

Middle initial

%s

Surname (last name)

%d

Display name

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-31

(continued)
Variable

Value

%m

Exchange alias

%xs

Uses the x number of letters of the surname. For example if


x=2, the first two letters of the surname are used

%xg

Uses the x number of letters of the given name. For example,


if x=2, the first two letters of the given name are used

NonSMTP email address. Exchange Server 2010 supports a number of nonSMTP address types.
When you upgrade from Exchange Server 2003, you need to complete an upgrade process to allow
Exchange Server 2010 administrative tools to manage the legacy Recipient policies as E-mail Address
policies.

3-32

Managing Recipient Objects

Demonstration: How to Configure Email Address Policies

In this demonstration, you will see how to modify existing email address policies, create new policies, and
configure an alias.

Demonstration Steps
Create a new email address policy for Fourth Coffee recipients
1.

Open the Exchange Management Console.

2.

In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization


Configuration, and then select Hub Transport.

3.

Create a new email address policy named with these attributes:

Name: Fourth Coffee

Display Name: Fourth Coffee

Recipient container to apply filter: Adatum.com

Included recipient types: All Recipient types

4.

Use the user Alias as the local part of the email address.

5.

Select fourthcoffee.com as the accepted domain.

6.

Apply the email address policy immediately.

Verify that the email address policy has been applied


1.

In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration,
and then select Mailbox.

2.

Verify that the updated email address was applied to Paul West and Luca Dellamore.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-33

Lesson 4

Configuring Address Lists and Address Books Policies

Address lists are similar to a telephone book in that they provide a clearing house in which users can
locate, send email to, and find information about, other users. In larger or specialized organizations, you
may need to modify the lists organization.
In this lesson, you will learn about address lists and how to manage them.
After completing this lesson, you will be able to:

Explain the functionality of address lists.

Configure address lists.

Describe how to configure offline address books.

Describe the options for deploying offline address books.

Describe address books policies.

Configure address books policies.

3-34

Managing Recipient Objects

What Are Address Lists?

Address lists are recipient objects that are grouped together based on a Lightweight Directory Access
Protocol (LDAP) query for specific Active Directory attributes. You can use address lists to sort the GAL
into multiple views, which makes it easier to locate recipients. This is especially helpful for very large or
highly segmented organizations.
Similar to configuring email address policies, you can configure address lists with recipient filters that
determine which objects belong in each address list. Address lists are evaluated every time a mail-enabled
account is modified to determine on which address lists it should appear.

Example 1
Consider a company that has two large divisions and one Exchange organization. One division, named
Fourth Coffee, imports and sells coffee beans. The other division, Contoso, Ltd., underwrites insurance
policies and therefore the employees rarely communicate with each other. To make it easier for
employees to find recipients who exist only in their division, you can create two new custom address
lists: one for Fourth Coffee and one for Contoso, Ltd. When searching for recipients in their division,
these custom address lists allow employees to select only the address list that is specific to their division.
However, if an employee is unsure about the division in which the recipient exists, the employee can
search within the GAL, which contains all recipients in both divisions.

Example 2
You can use subcategories of address lists called hierarchical address lists. For example, you can create an
address list that contains all recipients in Vancouver and another that contains all Redmond recipients.
You also can create another list called Research and Development within the Vancouver address-list
container, which contains all employees who work in Vancouvers Research and Development department.
This allows employees to more easily find the information they need.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-35

Demonstration: Configuring Address Lists

In this demonstration, you will see how to create and configure address lists.

Demonstration Steps
Create a new Email Address list for Fourth Coffee recipients
1.

Open Exchange Management Console.

2.

In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization


Configuration, and then select Mailbox.

3.

Create a new address list with the following attributes.

Name: Fourth Coffee

Display Name: Fourth Coffee

Container: \

Recipient container to apply filter: Adatum.com

Included recipient types: All Recipient types

4.

Use the Recipient is in a Company condition to apply this policy to only recipients that list Fourth
Coffee for their company attribute.

5.

Preview the address list.

6.

Apply the email address list immediately.

Verify the new address list is working


1.

Log on to Outlook Web App as Adatum\George with the password Pa$$w0rd.

2.

Open the Address book, and view the members of the Fourth Coffee address list.

3.

Close Outlook Web App.

3-36

Managing Recipient Objects

Configuring Offline Address Books

Exchange Server 2010 provides several configuration options for deploying offline address books. Office
Outlook uses the offline address book when you configure it to use a cached mode Outlook profile, or
when it is in offline mode. The default offline address book contains the entire global address list (GAL),
which includes all recipients in the Exchange organization. You can create additional GALs, which contain
a subset of recipients. By default, these additional GALs are not included in the default offline address
book.
By default, the offline address book generates only once each day. This means that any additions,
deletions, or changes made to mail-enabled recipients are only committed to the offline address book
once each day, unless you modify the schedule to generate the offline address book more often. In many
environments, you would need to modify the offline address book generation schedule to accommodate
the rate of change in a particular Exchange Server organization.
The process of generating and distributing the offline address book consists of the following components:

Offline address book generation process. To create and update the offline address book, the
OABGen service runs on the offline address book generation server, which must be a Mailbox server.

Microsoft Exchange File Distribution service. The Microsoft Exchange File Distribution service runs
on Client Access servers. This service gathers the offline address book and keeps the content
synchronized with the content on the offline address book generation server.

OAB virtual directory. The OAB virtual directory is the distribution point needed by the web-based
distribution used by Microsoft Office Outlook 2007 and newer clients. By default, when you install
Exchange Server, a new virtual directory named OAB is created in the default internal Web site in
Internet Information Services (IIS). For users that work outside your company, you can add an external
website.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-37

Autodiscover service. Autodiscover service was introduced in Exchange Server 2007 as a feature
where Office Outlook 2007 or newer clients, as well as some mobile devices, automatically configure
their profile to access Exchange Server. This service runs on a Client Access server and returns the
correct OAB URL for a specific client connection.

As a best practice, whether you use a single offline address book or multiple offline address books,
consider the following factors as you plan and implement your offline address book strategy:

Size of each offline address book in your organization.

Number of offline address book downloads. How many clients will need to download the offline
address book?

Overall number of changes made to the directory. If a large number of changes are made, the size of
the differential offline address book downloads will be large.

Offline Address Book Size Considerations


In some large organizations that have large directories, or for organizations that have deployed Office
Outlook in cached mode, the size of the offline address book may be a concern. Offline address book
sizes can vary from a few megabytes (MBs) to a few hundred MBs. The following factors can affect the size
of the offline address book:

Usage of certificates in a company. The higher the number of public key infrastructure (PKI)
certificates, the larger the size of the offline address book. PKI certificates range from 1 kilobyte (KB)
to 3 KB. They are the single largest contributor to the offline address book size.

Number of Active Directory mail recipients.

Number of Active Directory distribution groups.

Information that a company adds to AD DS for each mailbox-enabled or mail-enabled object. For
example, some organizations populate the address properties for each user; others do not. The offline
address book size increases as the number of attributes used increases.

Options for Deploying Offline Address Books


Public folder distribution is the distribution method by which Microsoft Office Outlook 2003 accesses the
offline address book. With public folder distribution, the generation process for the offline address book
places the files directly in one of the system public folders, and then, if multiple replicas of the public
folder are configured, Exchange Server store replication copies the data to other public folder distribution
points.
Microsoft Office Outlook 2007 and newer clients that are working in cached mode can also use the public
folder as the source for the OAB. In addition, these clients can use web-based distribution to access the
offline address book. Web-based distribution does not require the use of public folders. Instead, after the
offline address book generates the files, the Client Access server replicates them. Web-based distribution
uses Secure Hypertext Transfer Protocol (HTTPS) and Background Intelligent Transfer Service (BITS). If you
require redundancy, you can use multiple Client Access servers as publishing points.

3-38

Managing Recipient Objects

What Are Address Book Policies?

Some organizations require that certain users be prohibited from seeing all of the other users in the
global address list (GAL). For example, a large investment company may have several divisions that are
competitors in selected markets, and allowing communication between investors in each division may
violate trading laws. Other organizations have extremely large GALs and may want to limit the size of the
offline address book for users. Limiting what users can see in the GAL is called GAL segmentation.
In Exchange 2010 SP2, you can use address book policies to configure GAL segmentation. When
configuring an address book policy, you assign a GAL, an offline address book, a room list, and one or
more address lists to the policy. You can then assign the address book policy to mailbox users, which
means that the users can only see the objects in the GAL that are part of their policy.
Note Address book policies provide a virtual segmentation of the GAL, not a legal
separation. This means that users may sometimes be aware of other recipients in the
organization that are not part of their address book policy. For example, a distribution
group that is included in the address book policy may include recipients from other address
book policies. If one of those recipients has an out of office message configured, the out of
office message will be sent to anyone who sends to the distribution group.
Address book policies are only applied when the users email client connects to the Microsoft Exchange
Address Book service on an Exchange Server 2010 SP2 Client Access server. If you update the address
book policy, the client must reconnect to the Address Book service before the new policy is applied. If a
client accesses the global address list through another means, such as a direct LDAP query to a global
catalog server, the address book policy does not apply.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Demonstration: Configuring Address Books Policies

Address book policies contain the following lists:

One GAL

One offline address book

One room list (for booking purposes)

One or more address lists

In this demonstration, you will perform the following tasks to configure an address book policy for the
Fourth Coffee organization:

Create a global address list for Fourth Coffee users

Create a new offline address book for Fourth Coffee users

Create the address book policy


Question: Does your organization have a requirement for address book policies? If so, how
will you use them?

3-39

3-40

Managing Recipient Objects

Lesson 5

Performing Bulk-Recipient Management Tasks

Managing a large number of recipients can be time consuming. Manual changes are also prone to error.
You can use the Exchange Management Shell to create scripts that automate these management tasks.
In this lesson, you will be introduced to bulk management of recipients and using Exchange Management
Shell to manage multiple recipients.
After completing this lesson, you will be able to:

Describe the benefits of managing recipients in bulk.

Describe examples of Exchange Management Shell cmdlets that manage multiple objects.

Manage multiple recipients.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-41

Discussion: Benefits of Managing Recipients in Bulk

Exchange Management Shell cmdlets are powerful tools that you can use for managing multiple
recipients simultaneously. The cmdlets use features such as pipelining and filtering to sort the results of
one cmdlet and apply the result to another cmdlet. Exchange Management Shell also is a very powerful
scripting tool for managing multiple recipients in bulk. In small organizations, you might not need to
manage multiple recipients at the same time. However, in medium or large organizations, you may often
need to manage multiple users at the same time, and it is useful to know how to use Exchange
Management Shell to do that.
Question: Describe situations where you need to create multiple recipients.
Question: Describe situations where multiple recipients need to be modified.

3-42

Managing Recipient Objects

Exchange Management Shell Examples

You can use Exchange Management Shell commands to manage multiple recipients or other objects at
one time. The primary means to do this are piping and filtering.

Piping Output Between Cmdlets


For relatively simple tasks, pipe output from one cmdlet to another to perform bulk management tasks.
The most common structure is to use one cmdlet to gather a list of recipients or Active Directory objects,
and then pipe that list to a second cmdlet that performs the necessary action.
In the following example, the first cmdlet gathers the list of Marketing organizational unit (OU) users, and
then you pipe that list of users to a second cmdlet that moves those users to a new mailbox database.
Get-User OrganizationalUnit Marketing | Enable-Mailbox VAN-EX1
\Mailbox Database 1

All cmdlets that gather lists of objects for manipulation begin with Get. Some cmdlets that gather a list of
recipients or Active Directory objects are:

Get-User. Gathers a list of user objects from AD DS.

Get-Recipient. Gathers a list of recipients.

Get-Mailbox. Gathers a list of mailboxes.

Get-MailUser. Gathers a list of mail-enabled users.

Get-Contact. Gathers a list of contacts.

Get-Group. Gathers a list of groups from AD DS.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-43

The following example returns all members in the Sales distribution group, configures the mailboxes
to not inherit the default mailbox size limits from the mailbox database, and then assigns a prohibit
send quota of 4 GB:
Get-DistributionGroup Sales | Get-DistributionGroupMember | Set-Mailbox
UseDatabaseQuotaDefaults $false ProhibitSendQuota 4GB

The following example retrieves a list of all mailboxes on VAN-EX1, and then moves these mailboxes
to Mailbox Database 2:
Get-Mailbox -server VAN-EX1 | New-MoveRequest -Local -TargetDatabase "Mailbox
Database 2"

Custom Filters
You must specify a filter string when you run various Exchange Management Shell cmdlets, such as
Get-User, and you want to create a custom filter by using the Filter or RecipientFilter parameter.
Microsoft Windows PowerShell uses OPATH for the filtering syntax. OPATH is a querying language
that queries object data sources. With the Exchange Management Shell, which is built on PowerShell,
you no longer need to use the complicated syntax of Lightweight Directory Access Protocol (LDAP),
which Exchange Server 2003 used, to create filters. Instead, you can create filters by using the more
simple OPath syntax, which the following example shows:
Syntax: -Filter {(attribute operation value) operation (attribute operation value)}

The following cmdlet selects users with the Company attribute defined as Adventure Works, and who are
not working in the IT department.
Get-User -Filter {(Company eq Adventure Works) -and (Department ne IT)}

Common operations are:

-and

-or

-not

-eq (equals)

-ne (does not equal)

-lt (less than)

-gt (greater than)

-like (string comparison)

-notlike (string comparison)

The following example removes all messages with the word Sale in the subject from all message queues:
Get-Message -Filter {Subject -like *Sale*"} | Remove-Message

3-44

Managing Recipient Objects

Demonstration: How to Manage Multiple Recipients

Exchange Management Shell provides several features that you can use to perform bulk recipient
management. For relatively simple tasks, you can pipe output between cmdlets to retrieve a list of
appropriate objects, and then you can modify them. You can use scripting for complex tasks, such as
creating users from a .csv file.

Scripts
Create scripts to perform advanced bulk-management tasks that are not possible with piping. Scripts can
create more complex structures, and consequently enable you to perform more complex tasks.
Using scripts, you can:

Define variables.

Use loops.

Read data files to obtain user names and passwords.

Demonstration Steps
1.

The instructor will run the following cmdlets:


Get-User filter {Company eq "Fourth Coffee"}
Disable-mailbox Scott
Get-User OrganizationalUnit Accounting | Set-Mailbox UseDatabaseQuotaDefaults $false
ProhibitSendQuota 4GB
Get-Mailbox Parna | FL Name,Prohibit*

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2.

The instructor will run the following script. The script will create mailboxes based on information
provided in a .csv file.
## Section 1
## Define Database for new mailboxes
$db="Mailbox Database 1"
## Define User Principal name
$upndom="Adatum.com"
## Section 2
## Import csv file into variable $users
$users = import-csv $args[0]
## Section 3
## Function to convert password string to secure string
function SecurePassword([string]$plainPassword)
{
$secPassword = new-object System.Security.SecureString
Foreach($char in $plainPassword.ToCharArray())
{
$secPassword.AppendChar($char)
}
$secPassword
}
## Section 4
## Create new mailboxes and users
foreach ($i in $users)
{
$sp = SecurePassword $i.password
$upn = $i.FirstName + "@" + $upndom
$display = $i.FirstName + " " + $i.LastName
New-Mailbox -Password $sp -Database $db DisplayName $display -UserPrincipalName
$upn -Name $i.FirstName -FirstName $i.FirstName -LastName $i.LastName OrganizationalUnit $i.OU
}

3.

In Exchange Management Console, verify that the users listed in the .csv file have been created.
Question: Which tasks will you automate with PowerShell scripts?

3-45

3-46

Managing Recipient Objects

Lab: Managing Exchange Recipients

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.

2.

Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and 10135B-VAN-CL1 virtual machines are
running.

3.

10135B-VAN-DC1: Domain controller in the Adatum.com domain.

10135B-VAN-EX1: Exchange 2010 server in the Adatum.com domain.

10135B-VAN-CL1: Windows 7 client computer in the Adatum.com domain.

If required, connect to the virtual machines. Log on to the computers as Adatum\Administrator,


using the password Pa$$w0rd.

Lab Scenario
You are the messaging administrator for A. Datum Corporation. Your company is purchasing a new
company called Adventure Works. Adventure Works recipients will need to maintain a separate email
domain and address list. You also must create new mailboxes for the new departments employees.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-47

Exercise 1: Managing Recipients


Scenario
Your manager wants you to complete several tasks in preparation for the Adventure Works acquisition
project.
The main tasks for this exercise are:
1.

Create and configure a mailbox for called Adventure Works Questions.

2.

Create a resource mailbox and configure auto-accept settings for the Adventure Works Project Room.

3.

Move George Schallers mailbox to VAN-EX1\Mailbox Database 1.

4.

Create and configure a mail-enabled contact for Ian Palangio at Woodgrove Bank.

5.

Create a moderated distribution list for Adventure Works Project, and delegate an administrator.

6.

Create a room list distribution group for the Adventure Works meeting rooms.

7.

Verify that changes were completed successfully.

X Task 1: Create and configure a mailbox called Adventure Works Questions


1.

On VAN-EX1, open the Exchange Management Console.

2.

Create a new mailbox named Adventure Works Questions in the Mailbox Database 1 database.
Configure a user logon name of AdventureWksQ and a password of Pa$$w0rd.

3.

Configure the mailbox with a Company name of Adventure Works.

4.

Assign George Schaller full access to the Adventure Works Questions mailbox.

X Task 2: Create a resource mailbox, and configure auto-accept settings for the
ProjectRoom
1.

In Exchange Management Console, create a new room mailbox named ProjectRoom in the Mailbox
Database 1 database. Configure a user logon name of ProjectRoom.

2.

Enable the Booking Attendant on ProjectRoom.

3.

Configure the ProjectRoom with the Company name of Adventure Works.

X Task 3: Move George Schallers mailbox to VAN-EX1\Mailbox Database 1

In Exchange Management Console, create a new local move request to move George Schallers
mailbox to VAN-EX1\Mailbox Database 1.

X Task 4: Create and configure a mail-enabled contact for Ian Palangio at Woodgrove
Bank

In Exchange Management Console, create a new mail-enabled contact for Ian Palangio, using an
alias of IanPalangioWB and an email address of ian.palangio@woodgrovebank.com.

3-48

Managing Recipient Objects

X Task 5: Create a moderated distribution list for the Adventure Works Project, and
delegate an administrator
1.

In Exchange Management Console, create a new Distribution group called Adventure Works Project
with an alias of AdventureWorksProject.

2.

Add the following recipients to the Adventure Works Project group:

3.

George Schaller

Ian Palangio

Wei Yu

Paul West

Specify George Schaller as the group moderator, and enable moderation of all messages.

X Task 6: Create a room list distribution group for the Adventure Works meeting
rooms
1.

On VAN-EX1, if required, open the Exchange Management Shell.

2.

At the command prompt, type $Members=Get-User -Filter {(RecipientTypeDetails -eq


"RoomMailbox") -and (Company -eq "Adventure Works")} and press Enter.

3.

At the command prompt, type New-DistributionGroup -Name "Adventure Works Conference


Rooms" -RoomList -Members $Members and press Enter.

X Task 7: Verify that changes were completed successfully


1.

Log on to VAN-CL1 as Adatum\Administrator, and open Outlook.

2.

Create and send a new meeting request. Invite the Adventure Works Project group, and select the
Adventure Works Conference Rooms room list. Specify ProjectRoom as the room.

3.

On VAN-EX1, open Outlook Web App, log on as Adatum\George, using the password Pa$$w0rd,
and accept the meeting request message. Send the response now.

Results: After this exercise, you should have completed all of the assigned tasks, which include creating a
mailbox, creating a resource mailbox, moving a mailbox, creating a contact, and creating a moderated
distribution group.

Exercise 2: Configuring Email Address Policies


Scenario
Adventure Works maintains a distinct identity for customers, but some functions, such as accounting, are
integrated with A. Datum Corporation. To ensure that users receive all email properly, they must be able
to receive email at all domains, but use their own domain as the reply-to address.
The main tasks for this exercise are:
1.

Create an email address policy for Adventure Works users.

2.

Verify that addresses were applied to A. Datum users.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-49

X Task 1: Create an email address policy for Adventure Works users


1.

On VAN-EX1, open the Exchange Management Console.

2.

Create a new email address policy with the following configuration:


a.

Apply to all recipients with a company attribute of Adventure Works the Adatum.com domain.

b.

SMTP address: first name.last name@adventure-works.com.

c.

Accepted domain: Adventure-works.com.

X Task 2: Verify that addresses are applied correctly


1.

In the Exchange Management Console, view the properties for George Schaller, and modify his
company description to Adventure Works.

2.

Confirm that George Schaller has an email address that uses the adventure-works.com domain.

Results: After this exercise, you should have created an email address policy for Adventure Works users.

Exercise 3: Configuring Address Lists


Scenario
New address lists and offline address books are necessary to organize the address books for users in the
combined A. Datum and Adventure Works organization. However, each organization requires a separate
address to make it easier to find users. You also must create a new offline address book that includes
those address lists to support sales people with portable computers.
The main tasks for this exercise are:
1.

Create an empty container address list named Companies.

2.

Create a new address list for Adventure Works recipients.

3.

Create a new address list for A. Datum recipients.

4.

Verify the new address list is available in Microsoft Office Outlook.

5.

Create a new offline address book for the Adventure Works address list.

6.

Create a GAL for Adventure Works users.

7.

Create the address book policy for the Adventure Works users.

X Task 1: Create an empty container address list named Companies


1.

On VAN-EX1, open the Exchange Management Console.

2.

In the Mailbox node of the Organization Configuration work center, create a new address list named
Companies with no recipients.

X Task 2: Create a new address list for Adventure Works recipients

Create a new address list Adventure Works in Companies for all recipients with the Company
Adventure Works.

3-50

Managing Recipient Objects

X Task 3: Create a new address list for A. Datum Corporation recipients

Create a new address list A Datum in Companies for all recipients with the Company A. Datum.

X Task 4: Verify the new address list is available in Microsoft Office Outlook
1.

Log on to VAN-CL1 as Administrator, and open Outlook.

2.

Verify that the address book contains the address lists for A. Datum and Adventure Works.

3.

Close Outlook.

X Task 5: Create a new offline address book for the Adventure Works address list
1.

On VAN-EX1, open Exchange Management Console.

2.

Create a new offline address book named Adventure Works with the Adventure Works address list,
and enable distributions through Web-based distribution and public folders. Use the OAB folder on
VAN-EX1 for Web-based distribution.

3.

Close the Exchange Management Console.

X Task 6: Create a global address list for Adventure Works users

At the command prompt, type New-GlobalAddressList Name Adventure Works GAL


IncludedRecipients AllRecipients ConditionalCompany Adventure Works and press Enter.

X Task 7: Create the address book policy for the Adventure Works users

In the Exchange Management Console, create a new address book policy with the following
configuration:

Name: Adventure Works ABP

Global address list: Adventure Works GAL

Offline address book: Adventure Works OAB

Room list: Adventure Works

Address Lists: Adventure Works

Results: After this exercise, you should have created an address list for the A. Datum and Adventure
Works users, and an offline address book for each organization.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-51

Exercise 4: Performing Bulk Recipient Management Tasks


Scenario
Your manager left you a number of recipient management tasks to complete for the new Adventure
Works users:

Add a header line to the .csv file exported from the Human Resources (HR) system.

Modify the CreateUsersLab.ps1 script, and import Adventure Works users from a .csv file.

Define mailbox limits for all users in the Adventure Works company.

The main tasks for this exercise are:


1.

Add a header line to the .csv file exported from the Human Resources (HR) system.

2.

Modify the CreateUsersLab.ps1 script to Adventure Works users from a .csv file.

3.

Create the AdventureWorks Organizational Unit in the Adatum.com domain

4.

Run CreateUsersLab.ps1 to Adventure Works users from a .csv file.

5.

Define mailbox limits for all Adventure Works company users.

X Task 1: Add a header to the .csv file exported from the Human Resources (HR) system
1.

On VAN-EX1, open D:\Labfiles\Users.csv in Notepad.

2.

Add a header line that defines each column:

3.

FirstName

LastName

Password

Save the changes to Users.csv, and close Notepad.

X Task 2: Modify the CreateUsersLab.ps1 script to import Adventure Works users


from a .csv file
1.

Open D:\Labfiles\CreateUsersLab.ps1 in Notepad.

2.

Modify CreateUsersLab.ps1 as required to:

3.

Configure the database to create users as Mailbox Database 1.

Configure the user principal name to be adatum.com.

Place users in the AdventureWorks OU.

Configure the .csv import file to be D:\Labfiles\Users.csv.

Configure the $pwd to be based on the password field in the Users.csv.

Configure the first and last name.

Configure the user principal name (UPN) as first name@adatum.com.

Configure the alias to be the first name and last name, with no space between the names.

Configure the display name to be the first name and last name, with a space between the names.

Save the changes to CreateUsersLab.ps1, and close Notepad.

3-52

Managing Recipient Objects

X Task 3: Create the AdventureWorks Organizational Unit


1.

Open Active Directory Users and Computers.

2.

Create an OU named AdventureWorks.

X Task 4: Run CreateUsersLab.ps1 to import the Adventure Works Users


1.

Open the Exchange Management Shell.

2.

Run D:\Labfiles\CreateUsersLab.ps1.

X Task 5: Configure the Settings for the Adventure Works users


1.

Use the Get-User cmdlet to retrieve all users in the AdventureWorks OU, and then pipe the results to
the Set-User cmdlet to set the Company attribute to Adventure Works.

2.

Run Get-Mailbox cmdlet to retrieve a list of all Adventure Works users:

3.

4.

OrganizationalUnit: AdventureWorks

Set mailbox limits by piping the list of mailboxes to the Set-Mailbox cmdlet:

IssueWarningQuota 4GB

ProhibitSendQuota 5GB

Configure the Adventure Works mailboxes to use the Adventure Works ABP address book policy

Results: After this exercise, you should have created all of the additional Adventure Works users with an
Exchange Management Shell script, and then have set the storage quota.

X To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1.

On the host computer, start Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

4.

In the Virtual Machines pane, click 10135B-VAN-DC1, and then in the Actions pane, click Start.

5.

To connect to the virtual machine for the next modules lab, click 10135B-VAN-DC1, and then in the
Actions pane, click Connect.
Note Start the VAN-DC1 virtual machine first, and ensure that it is fully started before
starting the other virtual machines.

6.

Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7.

Wait for VAN-EX2 to start, and then start VAN-CL1. Connect to the virtual machine.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

3-53

Module Review and Takeaways

Review Questions
1.

How would you ensure that meeting requests to room mailboxes are validated manually before being
approved?

2.

How would you give access to allow a user to send messages from another mailbox, without giving
them access to the mailbox contents?

3.

What should you consider when configuring offline address book distribution?

Common Issues Related to Configuring Offline Address Books


Identify the causes for the following common issues related to configuring offline address books, and
complete the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue
The offline address book is not up-todate with changes made during the day.
Outlook 2003 clients are not able to
download the offline address book.

Troubleshooting tip

3-54

Managing Recipient Objects

Real-World Issues and Scenarios


1.

A company that has two large divisions and one Exchange Server organization. Employees in each
division rarely communicate with each other. What can you do to reduce the number of recipients
the employees of each division see when they open the Exchange address list?

2.

An organization has a large number of projects that leverage distribution groups. Managing group
members takes considerable time. You need to reduce the time the help desk spends managing
groups so that they can work on other issues.

3.

You employ contractors that need an email address from your company. The company needs to
enable the contracts to receive these messages in their current third-party mailboxes.

Best Practices Related to Managing Recipient Objects


Supplement or modify the following best practices for your own work situations:

Define clear naming conventions and adhere to them. Naming conventions help identify location and
purpose of recipient objects, and helps both end users and administrators locate recipients easily.

Test global changes prior to making them in production. Changes to global settings, like email
address policies, should be tested in a lab environment before you make changes in production. This
avoids configuration errors.

4-1

Module 4
Managing Client Access
Contents:
Lesson 1: Configuring the Client Access Server Role

4-3

Lesson 2: Configuring Client Access Services for Outlook Clients

4-24

Lab A: Configuring Client Access Servers for Outlook Anywhere Access

4-44

Lesson 3: Configuring Outlook Web App

4-48

Lesson 4: Configuring Mobile Messaging

4-57

Lab B: Configuring Client Access Servers for Outlook Web App


and Exchange ActiveSync

4-67

4-2

Managing Client Access

Module Overview

Microsoft Exchange Server 2010 provides access to user mailboxes for many different clients. All
messaging clients access Exchange Server mailboxes through a Client Access server. Because of the
importance of this server role, you must understand how to configure it to support all different client
types. This module provides details on how to implement the Client Access server role in Exchange
Server 2010.
After completing this module, you will be able to:

Configure the Client Access server role.

Configure Client Access services for Microsoft Office Outlook Clients.

Configure Outlook Web App.

Configure mobile messaging.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Lesson 1

Configuring the Client Access Server Role

You can implement the Client Access server role on an Exchange server that has other roles except the
Edge Transport server role. Alternately, you can deploy the Client Access server role on one or more
dedicated servers. In many organizations, the Client Access server is accessible from the Internet, thus
securing the Client Access servers is an important part of deployment. This lesson describes the process
for deploying and securing a Client Access server.
After completing this lesson, you will be able to:

Describe how client access works in Exchange Server 2010.

Describe how client access works with multiple sites.

Describe the Client Access server deployment options.

Configure a Client Access server.

Secure a Client Access server.

Explain Client Access server deployment considerations.

Configure Client Access server certificates.

Describe the configuration options for Post Office Protocol 3 (POP3) and Internet Message Access
Protocol 4 (IMAP4) client access.

Describe how to configure the Client Access server for secure Internet access.

4-3

4-4

Managing Client Access

How Client Access Works

In Exchange Server 2010, all messaging clients connect to a Client Access server when accessing an
Exchange Server mailbox. For users to access their mailbox, you must deploy a Client Access server in the
same site as the Mailbox server.
Important In Microsoft Exchange Server 2007 or earlier Exchange server versions, MAPI
clients such as Microsoft Office Outlook, connect directly to Mailbox servers. In Exchange
Server 2010, with the introduction of the Remote Procedure Call (RPC) Client Access service,
MAPI clients no longer connect directly to the Mailbox servers for mailbox access.

How Client Access Servers Work


The following steps describe what happens when a messaging client connects to the Client Access server:
1.

If the client connects from the Internet using a non-MAPI connection, then the client connects to the
Client Access server using the client protocol. Only the protocol ports for client connections must be
available on the external firewall.

2.

If the client connects from the internal network using Office Outlook configured as a MAPI client,
then the client connects to the Client Access server using MAPI RPC connections.

3.

The Client Access server connects to a Microsoft Active Directory Domain Services (AD DS) domain
controller by using the Kerberos protocol to authenticate the user. Internet Information Services (IIS)
or the RPC Client Access service on the Client Access server performs the authentication. The Client
Access server uses a Lightweight Directory Access Protocol (LDAP) request to a global catalog server
to locate the Mailbox server that manages the users mailbox.
The Client Access server also provides a directory lookup service for all clients. When the client
requests the global address list (GAL), or searches the GAL for a specific recipient, the Client Access
server performs the Active Directory lookup for the client.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4.

4-5

The Client Access server connects to the Mailbox server using a MAPI RPC to submit messages to the
mailbox database, or to read messages.
Note In Microsoft Exchange Server 2003 and earlier versions, the front-end server
accesses the back-end server on behalf of the client using the same protocol as the client
connection. In Exchange Server 2010, the Client Access server role uses a MAPI RPC
connection.

4-6

Managing Client Access

How Client Access Works with Multiple Sites

Deploying Client Access servers in an environment with multiple AD DS sites adds complexity to
deployment planning, particularly when you consider the options for providing Internet access to those
Client Access servers.
In a single-site scenario, the Client Access server communicates directly with Mailbox servers. In a
multiple-site scenario, Exchange Server directs clients to a Client Access server located in the same site as
the Mailbox server, or a Client Access server in a remote site might proxy a request to a Client Access
server in the same site as the Mailbox server. The option you select for a multiple-site scenario depends
on whether clients can connect directly to a Client Access server in the same site as their mailbox.

How Client Access Works with Multiple Internet Access Points


If you have multiple Active Directory sites, you can provide Internet access to each sites Client Access
servers. To enable this option, you must configure an external URL for each Client Access server. You also
must ensure that clients can resolve the URL name in the Domain Name System (DNS) and can connect to
the Client Access server using the appropriate protocol.
When an Internet client connects to the Client Access server from the Internet in this scenario, the Client
Access server authenticates the user, and then queries a global catalog server for the user mailbox
location. At this point, the Client Access server has two options:
1.

If the users mailbox is located in the same site as the Client Access server, then the Client Access
server connects to the mailbox server to fulfill the client request.

2.

If the users mailbox is located in a different site from the Client Access server, the Client Access server
contacts a domain controller to locate the Client Access server in the site where the user mailbox is
located. If you configure the Client Access server with an external URL, then the Client Access server
redirects the client request to the Client Access server in the site that contains the user mailbox.
Exchange Server presents the user with a page that provides the correct URL for the Client Access

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-7

server, so that the user can connect to the appropriate Client Access server in their home site. If you
do not configure an external URL for the Client Access server in the site that contains the user
mailbox, the Client Access server receiving the request proxies the client request to the Client Access
server in the appropriate site.
Note Exchange Server 2010 can redirect only Outlook Web App clients to another Client
Access server in a different site. It proxies all other Client Access server client requests to a
Client Access server in the same site as the user mailbox. To optimize access for nonOutlook Web App clients, you must configure the clients to connect directly to a Client
Access server in the users home site. Exchange Server 2010 Service Pack 2 (SP2) provides a
new technology for silent redirection of Outlook Web App clients, which will be discussed
later in this module.
Important Both redirection and using a proxy will not work for POP3 or IMAP4 clients.
POP3 or IMAP4 messaging clients must connect to a Client Access server in the same
Active Directory site as the user's Mailbox server.

How Client Access Works with a Single Internet Access Point


The Client Access server in the site containing the user mailbox might not be accessible from the Internet,
or it might not have an external URL configured. In this scenario, when the user connects to a Client
Access server in a site that does not contain the user mailbox, the Client Access server proxies the client
request to the Client Access server in the site where the users mailbox is located. This proxy process uses
the same protocol as the client. In the destination site, the Client Access server then uses RPC to connect
to the Mailbox server managing the user mailbox.
For the Client Access server to proxy the client request, you must configure the Client Access servers that
are not accessible from the Internet to use Integrated Windows authentication. By default, the Outlook
Web App virtual directory is configured to use forms-based authentication. You should ensure that you
enable forms-based authentication on the Client Access server that is accessible from the Internet. You
also must configure the other Client Access servers to use Windows-integrated authentication.
Exchange Server supports using a proxy for clients that use Outlook Web App, Microsoft
Exchange ActiveSync, and Exchange Web Services. Exchange Server supports using a proxy from one
Client Access server to another, when the destination Client Access server is running the same Exchange
Server version or an earlier version as the source Client Access server.
Best Practice To optimize user mailbox access, you should enable Internet access to the
Client Access servers in each site. This access is particularly important if you have slow
network connections between Active Directory site locations.

4-8

Managing Client Access

Deployment Options for a Client Access Server

When planning your Client Access server deployment, you must meet certain requirements to ensure a
successful deployment. Additionally, there are options for deploying Client Access servers in scenarios
where servers require higher availability, or you have multiple sites.

Requirements for Client Access Server Deployment


When you deploy Client Access servers, you must meet the following requirements:

You must have at least one Client Access server in each Active Directory site where you have Mailbox
servers deployed.

If your Active Directory forest includes multiple domains, each site must have a Client Access server
for each domain that includes Mailbox servers in that site.Client Access servers should have a fast
network connection to Mailbox servers, to support remote procedure call (RPC) connectivity.

Client Access servers should have a fast network connection to domain controllers and global catalog
servers.

If users need to access their mailboxes from the Internet through the Client Access server, then the
server must be accessible from the Internet using HTTP or HTTPS, IMAP4, or POP3.
Best Practice Because the server running the Client Access server role must be a member
server in an Active Directory domain, you cannot deploy the Client Access server role in a
perimeter network. Instead, use an application layer firewall, such as Microsoft Forefront
Threat Management Gateway, to publish the Client Access server services to the Internet.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-9

Options for Client Access Server Deployment


The Client Access server role performs a critical function in your Exchange Server organization. You have
the following options when deploying the Client Access server role:

You can deploy the Client Access server role on the same computer as all other Exchange Server 2010
server rolesexcept for the Edge Transport server role. Installing all server roles on a single server
does not provide additional availability, and does offer limited scalability.

You can deploy the Client Access server role on a dedicated server. This deployment provides
additional scalability and performance benefits.

You also can deploy multiple servers running the Client Access server role. To provide high availability
for Client Access servers, you can deploy Network Load Balancing, or deploy a hardware network load
balancer to manage connections to the Client Access servers. In Exchange Server 2010, you also can
configure Client Access arrays to provide failover and redundancy. A Client Access array is a container
object used by Exchange Server 2010 Client Access servers. When you deploy database availability
groups (DAGs) Exchange Server 2010 uses Client Access arrays to track which mailbox databases are
located in each Active Directory site, and to manage the client connection failovers to the local
mailbox databases.
Note You can install Client Access servers on Mailbox servers that are DAG members.
However, just adding the Client Access server to a DAG member does not provide high
availability for the Client Access server, because DAG uses Failover Clustering which does
not support Client Access server. To provide high availability for Client Access servers, you
need to implement a Client Access array, and deploy a network load balancing solution. For
more information on Client Access arrays, see Module 7, Implementing High Availability.

4-10

Managing Client Access

Demonstration: How to Configure a Client Access Server

In this demonstration, you will see how to configure the global Client Access server settings, as well as the
settings for each Client Access server in the organization.

Demonstration Steps
1.

Open the Exchange Management Console.

2.

In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand


Organization Configuration, and then click Client Access. You apply settings to all Client Access
servers and mailboxes while in the Organization Configuration node.

3.

Review the default polices on the Outlook Web App Mailbox Policies and Exchange ActiveSync
Mailbox Policies tabs.

4.

In the left pane, expand Server Configuration, and then click Client Access.

5.

Examine the properties of one of the listed Client Access servers. These properties display information
only, and cannot be used to configure the server settings.

6.

In the results pane, review the settings available on each of the tabs. These settings configure the
Client Access server settings for the Client Access server virtual directories.
Question: Why would you create multiple Outlook Web App Mailbox policies or Exchange
ActiveSync polices, rather than just use the default policies?
Question: Why would you modify the server settings on one Client Access server to be
different from those on another Client Access server?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-11

Securing a Client Access Server

In many organizations, the Client Access server is accessible from the Internet for Outlook Anywhere,
Outlook Web App, or Exchange ActiveSync clients. Therefore, it is critical that you ensure that the Client
Access server that faces the Internet is as secure as possible.

Securing Communications Between Clients and Client Access Servers


To encrypt the network traffic between messaging clients and the Client Access server, you must secure
the network traffic using Secure Sockets Layer (SSL). To configure the Client Access server to use SSL,
complete the following steps:
1.

Obtain and install a server certificate on the Client Access server. Ensure that the certificate name
exactly matches the server name that users will use to access the Client Access server. Also ensure that
the certificate that the Certification Authority (CA) issues is trusted by all of the client computers and
mobile devices that will be accessing the server. By default, Exchange Server 2010 has a self-signed
certificate installed. However, because of trust issues, it is not recommended to use this certificate for
external connections in production. If you do not have internal public key infrastructure (PKI), you
might consider buying a commercial certificate from a globally trusted provider. In either way, make
sure the server certificate supports Subject Alternative Names (SAN).

2.

Make sure that Client Access server virtual directories in IIS are configured to require SSL.

3.

Secure the following virtual directories:

Autodiscover

ecp

EWS

Microsoft-Server-ActiveSync

OAB

4-12

Managing Client Access

owa

RPC

RPCWithCert

By default, all these virtual folders are configured to require SSL, after Exchange Server Client Access
Server role is installed. It is not recommended to change this.

Configuring Secure Authentication


Exchange Server 2010 provides several authentication options for clients communicating with the Client
Access server. If the server has multiple authentication options enabled, it negotiates with the client to
determine the most secure authentication method that both support.

Standard Authentication Options


The following standard authentication options are available on the Client Access server:

Integrated Windows authentication. Integrated Windows authentication is the most secure standard
authentication option. When you use Integrated Windows authentication and users log on with a
domain account, users are not prompted for a user name or password. Instead, the server negotiates
with the Windows security packages installed on the client computer to obtain the user name and
password of the logged-on user. Unencrypted authentication information is not transferred across the
network. For Integrated Windows authentication to work from a web browser, the Client Access
server URL must be in the clients Intranet zone.
Important When using a single Internet-accessible Client Access server for all sites, you
must enable Windows Integrated authentication on all of the Client Access servers that are
not Internet accessible. For example, the outward-facing Outlook Web App server can use
forms-based authentication, but the internal Client Access servers must be configured to
allow Integrated Windows authentication.

Digest authentication. Digest authentication secures the password by transmitting it as a hash


value over the network. To use Digest authentication, users must have an account that is stored in
the AD DS.

Basic authentication. Basic authentication transmits passwords in clear text over the network.
Therefore, you should always secure Basic authentication by using SSL encryption. Basic
authentication is the authentication option that is most widely supported by clients. Single sign-on is
not supported, so workstation credentials are never automatically passed over Basic authentication.

Forms-Based Authentication
Forms-based authentication is available only for Outlook Web App and Exchange Control Panel
(ECP). When you use this option, it replaces the other authentication methods. This is the preferred
authentication option for Outlook Web App because it provides enhanced security. When you use formsbased authentication, Exchange Server uses cookies to encrypt the user logon credentials in the client
computer's Web browser. Tracking the use of this cookie allows Exchange Server to time-out inactive
sessions. Automatic time-out of inactive sessions is valuable because it protects user accounts from
unauthorized access if users leave their session logged on while away from their computers.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-13

The time required before an inactive session times out varies depending on the computer type selected
during logon. If you choose a public or shared computer, the session times out after 15 minutes of
inactivity. If you choose a private computer, the session times out after 12 hours of inactivity.
Note You can configure the time-out values for public and private computers by
modifying the Client Access server registry. You can do this by using the Regedit utility, or
the Set-ItemProperty cmdlet. For more information about how to configure these settings,
see the Set the Forms-Based Authentication Private Computer Cookie Time-Out Value
topic in Exchange Server 2010 Help.
Instead of a pop-up screen, forms-based authentication creates a logon Web page for Outlook Web App.
You can modify the logon page by configuring the logon prompt (user name, domain\user name, or user
principal name), language, graphics, and text. User credentials entered into the Outlook Web App logon
page are transmitted in clear text similar to Basic authentication. However, forms-based authentication
requires the use of SSL. SSL encrypts the user credentials as they are transmitted over the network.
Forms-based authentication is enabled by default for Outlook Web App, and for ECP.However, you might
consider changing this to Windows Integrated authentication for Client Access servers that are not
internet facing, because Forms-Based Authentication does not support single-sign on.

Protecting the Client Access Server with an Application Layer Firewall


To provide an additional layer of security for network traffic and to protect the Client Access server,
deploy an application-layer firewall or reverse proxy, such as Forefront Threat Management Gateway,
between the Internet and the Client Access server. Application layer firewalls provide the following
benefits:

You can configure the firewall as the endpoint for the client SSL connection. The firewall can decrypt
the client traffic, apply application-layer filtering, and then re-encrypt the traffic before sending it to
the Client Access server.

You can offload SSL decryption to the firewall. If you do not require all connections on your internal
network to be secure, you can configure the firewall to decrypt the SSL traffic, but not re-encrypt it
before sending the traffic to the Client Access server. This means that the Client Access server
resources are not used to perform single socket layer (SSL) decryption and encryption.

If you use Forefront Threat Management Gateway as the application layer firewall, you can configure
the firewall to pre-authenticate all client connections using forms-based authentication. This means
that only authenticated connections will be allowed into the internal network.
Note If you use certificate-based authentication for Exchange ActiveSync, you must
configure a server-publishing rule that forwards the client traffic to the Exchange Server
computer without decrypting the packets on the TMG Server computer.

4-14

Managing Client Access

Considerations for Implementing Client Access Server Certificates

Because of the importance of using SSL secure network traffic between Client Access servers and
messaging clients, you must ensure that you deploy the appropriate certificates on the Client Access
servers. You can secure all client connections to the Client Access server using SSL.
Note By default, the Client Access server is configured with a self-signed certificate that is
not trusted by clients. You should remove this certificate and install a certificate from a
trusted CA.

Choosing a Certification Authority


One of the most important considerations when planning the use of certificates is identifying the source
of the certificates. Exchange Server 2010 can use self-signed certificates, certificates issued by a public CA,
or certificates issued by a private CA. Each type of certificate has advantages and disadvantages.
CA type
Public CA

Explanation
Advantages:
Client computers already trust the root CA, so certificates can be
chained to the root without further configuration.
The public CA provides full certificate and certificate-revocation
management services.
Disadvantages:
The certificates issues by public CAs are more expensive than self-signed
certificates or certificates issued by internal CAs.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-15

(continued)
CA type

Explanation

Internal CA

Advantages:
Revocation is managed internally, so certificates can be centrally
revoked if a private key is compromised.
By managing your own CA, you have more flexibility in how you
manage certificate distribution.
Disadvantages:
Implementing an internal CA can be complicated, and the complexity
can introduce security problems if incorrectly managed.
While the certificates issued by internal CAs are free, the cost of
implementing and managing a CA implementation can be costlier than
buying certificates from a public CA.
Client computers that are not members of an internal Active Directory
domain do not automatically trust the root CA. Therefore, you must add
certificates for the trusted root to client machines, where necessary.

Self-signed certificates

Advantages:
Self-signed certificates can be deployed without any Public Key
Infrastructure (PKI) infrastructure. When you install Exchange Server
2010, a self-signed certificate is automatically created for each
computer.
Disadvantages:
No centralized revocation lists. If the private key of the certificate is
compromised, each relying party must be notified manually to change
to a new certificate and stop relying on the existing one.
Client computers will not automatically trust the self-signed certificate,
so you must add certificates for the trusted root to client machines
where necessary.

In an Exchange Server 2010 environment, you can use the self-signed certificates for internal
communication, such as for securing Simple Mail Transfer Protocol (SMTP) connections between Hub
Transport servers. You also can use these certificates to secure client connections to Client Access servers.
However, because none of the client computers trusts this certificate, we do not recommend this solution.
Rather, you should consider obtaining a certificate from a public CA or internal CA for all Client Access
servers.
In most cases, you should deploy a certificate issued by a public CA if users access the Client Access server
from the Internet. If users access the Client Access server from the Internet, it is important that the clients
trust this certificate, and that they have access to certificate revocation lists from any location.
If only computers that are members of the internal domain access the Client Access server, you could
consider using an internal, or private, CA. By deploying an Enterprise CA, you can automate the process of
distributing and managing certificates and certificate revocation lists.
Note If you are planning to enable Federated Sharing, you must obtain a certificate for
your Internet-accessible Client Access servers from a public, trusted CA.

4-16

Managing Client Access

Identifying the Required Client Protocols


As you plan the certificate deployment, you need to determine the client protocols that are used to
connect to the Client Access server, and ensure that your certificate is configured for each certificate type.
The following client connections can be protected using SSL or TLS:

POP3 and IMAP4 client access to Exchange

Outlook Web App

Outlook Anywhere

ECP

Exchange ActiveSync

Autodiscover

Planning the Certificate Names


For clients to connect to the Client Access server using SSL without receiving an error message, the names
on the certificate must match the names that the clients use to connect to the server. For example, if your
users connect to the Outlook Web App site using a URL such as https://mail.contoso.com, and they
connect to the IMAP4 server using a name such as IMAP.contoso.com, you need to ensure that the
certificates you use support both server names. Additionally, if you enable Autodiscover access from the
Internet, your certificate also must support a name such as Autodiscover.contoso.com. Autodiscover is
used to configure Outlook and mobile device profile settings automatically. It will be discussed in more
detail in Lesson 2.
You can implement this configuration by using the following options:

Obtain a separate certificate for each client protocol that requires a unique name. This may require
multiple certificates for all Client Access servers. This may also require multiple websites in IIS. This is
the most complicated option to configure.

Configure all clients to use the same server name. For example, you could configure all clients to use
the server name mail.contoso.com, and obtain a certificate for just that one name.

Obtain a certificate with multiple subject alternative names. Most public CAs support the use of
multiple names in the certificates subject alternative name extension. When you use one of these
certificates, clients can connect to the Client Access server using any of the names listed in the subject
alternative name.

Use a certificate with a wildcard name. Most public CAs also support the use of wildcards in the
certificate request. For example, you could request a certificate using the subject of *.contoso.com,
and use that certificate for client connections.
Note Not all clients support wildcard certificates. Microsoft Outlook, Windows Internet
Explorer, and Window Mobile 6 or newer clients support wildcard certificates, but you
need to verify this functionality for all messaging clients that are used in your organization
before deploying these certificates. Deploying wildcard certificates is also considered a
security risk in many organizations because the certificate can be used for any server name
in the domain. If this certificate is compromised, all hosts names for the organization are
also compromised.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-17

Demonstration: How to Configure Certificates for Client Access Servers

In this demonstration, you will see how to configure a Windows Server 2008 Certification Authority to
support certificate requests with multiple subject alternative names. You will then see how to use the New
Exchange Certificate Wizard to request a certificate for a Client Access server, and how to install that
certificate.

Demonstration Steps
1.

In the Exchange Server, open the Exchange Management Console, select Server Configuration, and
then click Client Access.

2.

Click Configure External Client Access Domain, and configure the external domain name for Client
Access servers in the organization.

3.

In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard.
This wizard helps you determine what type of certificates you need for your Exchange organization.

4.

On the Introduction page, enter a user-friendly name for your certificate.

5.

On the Domain Scope page, do not select the Enable wildcard certificate check box.

6.

On the Exchange Configuration page, configure the certificate request to include Outlook Web App
on the Internet and Intranet, Exchange ActiveSync and Autodiscover.

7.

On the Certificate Domains page, accept the names that will be added to the certificate request.

8.

On the Organization and Location page, enter information about your Exchange organization. Click
the Browse button to select a location for the certificate request file, and enter the desired file name.

9.

On the Certificate Completion page, verify that all the information you have entered is correct. If it
is, click the New button.

10. On the Completion page, click Finish.

4-18

Managing Client Access

11. Provide the certificate request file to your CA. After the certificate has been issued, complete the
certificate installation process.
12. In the Exchange Management Console, select Server Configuration.
13. In the Actions pane, click Complete Pending Request.
14. Import the certnew.cer file.
15. In the Actions pane, click Assign Services to Certificate.
16. Assign the certificate to Internet Information Services on VAN-EX1.
Question: What would you need to change in this procedure if you were also enabling
secure access to IMAP4 using a server name of IMAP4?
Question: How would this process change if you were requesting a certificate from an
external, public CA?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-19

Options for Configuring POP3 and IMAP4 Client Access

By default, Exchange Server 2010 supports POP3 and IMAP4 client connections, but the services are set to
start manually. If you want to enable user access for these protocols, you must start the services and
configure them to start automatically.

Configuration Options
If you choose to enable POP3 or IMAP4 access, you can configure the following settings.
Option

Description

Bindings

Enables the configuration of the local server addresses that will be used for
unencrypted or Transport Layer Security (TLS) connections or for SSL
connections.

Authentication

Enables the configuration of supported authentication options. Support options


include basic authentication, Integrated Windows authentication, and secure
logon requiring TLS. The default setting is secure logon.

Connection settings Enables the configuration of server settings, such as time-out settings,
connection limits, and the command relay or proxy target port (used for
connections to an Exchange Server 2003 back-end server).
Retrieval settings

Enables the configuration of the message formats used for these protocols, and
for configuring how clients will retrieve calendar requests.

User access

On each user account, you can enable or disable access for the POP3 and IMAP4
protocols. By default, all users are enabled for access.

4-20

Managing Client Access

Configuring Throttling Policies

Microsoft Exchange Server 2010 uses client throttling policies to manage the performance of your
Exchange organization. These policies are used to limit the number of RPC requests from clients which
could cause performance problems. To achieve this, Exchange tracks the resources that each user
consumes and enforces connection bandwidth limits, as necessary.
You can apply restrictions on concurrent connections to Exchange Web Service, POP3/SMTP, OWA,
ActiveSync, and Windows Remote PowerShell. In Exchange Server 2010 RTM, only the policies limiting
concurrent connections were enabled by default. However, in Exchange 2010 Service Pack 1 (SP1), all
clients throttling policies are enabled by default.
When you first create an Exchange organization, a default throttling policy is automatically created that
implicitly governs all users within that organization. In most cases, this policy is sufficient to manage the
load placed on your Exchange system, but you can customize the default policy or add additional policies
based on the needs of your organization.
In an Exchange organization, you can define an acceptable load on a user-by-user basis. Through policies,
Exchange evaluates how each user employs the system and ensures that the resulting per-user load falls
within acceptable boundaries as defined by the user's policy. The client throttling system tracks system
usage on a per-user basis and uses the throttling policy associated with that user to determine if throttling
should occur.
Exchange Server 2010 SP1 also adds a new feature called Delivery Class Throttling. This enables you to
classify messages based on their characteristics and accordingly assign it a delivery class. Cost can be
assigned to each message based on message size, number of recipients, and frequency. This cost is then
used to assign a delivery class to the messages. Message priority is measured according to their class,
which means the higher the delivery class, the higher the message priority in the connector queue. For
example, delivery class throttling will give high priority to small messages with few recipients over bulk
messages with many recipients in the message queue.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

You must use Exchange Management Shell and the following cmdlets to manage throttling policies.
Cmdlet

Description

New-ThrottlingPolicy

This cmdlet creates a new throttling policy.

Remove-ThrottlingPolicy

This cmdlet removes a throttling policy.

Get-ThrottlingPolicy

This cmdlet lets you view the settings of a throttling policy.

Set-ThrottlingPolicy

This cmdlet modifies all available settings for a throttling policy.

4-21

4-22

Managing Client Access

Configuring the Client Access Server for Internet Access

To enable access to the Client Access server from the Internet, you need to complete the following steps:
1.

Configure the external URLs for each of the required client options. You can configure all of the Client
Access server Web server-based features with an external URL. This URL is used to access the website
from external locations. By default, the external URL is blank. For Internet-facing Client Access servers,
the external URL should be configured to use the name published in DNS for that Active Directory
site. The external URL should also use the same name as the one used for the server certificate. For
Client Access servers that will not have an Internet presence, the setting should remain blank.

2.

Configure external DNS name resolution. For each Client Access server that you are exposing to the
Internet, you need to verify that the host name can be resolved on the Internet. To do this, add a host
record for the Client Access server to the DNS zone on the DNS server that is hosting the Internet
DNS zone for your organization. If you are using different host names for each Client Access server,
then you will need to configure a host record for each host.

3.

Configure access to the Client Access server virtual directories. Each of the client access methods uses
a different virtual directory. If you are using a standard firewall or application layer firewall that filters
client requests based on the virtual directory, you need to ensure that all virtual directories are
accessible through the firewall.

4.

Implement SSL certificates with multiple subject alternative names. If you are using multiple host
names for the Client Access services, or if you are publishing Autodiscover to the Internet, then ensure
that the SSL certificates that you deploy on each Client Access server have the required server names
listed in the subject alternative name extension.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5.

4-23

Plan for Client Access server access with multiple sites. If your organization has multiple locations and
Active Directory sites, and you are deploying Exchange servers in each site, your first decision is
whether you will make the Client Access servers in each site accessible from the Internet. If you
choose not to make the Client Access server accessible, you should not configure an external URL for
it. All client requests to that server can be used as a proxy from an Internet-accessible Client Access
server. If you do decide to make a sites Client Access server accessible from the Internet, you need to
complete the steps listed below for each site.

For each site, you will need to configure a unique external URL for the Client Access servers that
are accessible from the Internet.

You need to ensure that the host records for each site are added to the appropriate DNS zone.

You need to configure the firewalls and SSL certificates for each site.

4-24

Managing Client Access

Lesson 2

Configuring Client Access Services for Outlook Clients

The Client Access servers in Exchange Server 2010 provide several services for Office Outlook clients. For
the most part, these services are enabled by default for Outlook clients on the internal network, but you
may need to modify some of the settings. Additionally, you can make some of these services available to
Outlook clients connecting the Exchange servers from outside the environment. In this case, you need to
enable these features, and ensure that they are configured correctly.
After completing this lesson, you will be able to:

Describe the services provided by a Client Access server for Outlook clients.

Describe the RPC client access services feature.

Describe Autodiscover functionality.

Configure Autodiscover.

Describe the Availability Service, and its purpose.

Explain the MailTips purpose and functionality.

Configure MailTips.

Describe the Outlook Anywhere functionality.

Configure Outlook Anywhere.

Explain how to troubleshoot Outlook client connectivity.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-25

Services Provided by a Client Access Server for Outlook Clients

In Exchange Server 2010, the Client Access server role provides critical services for all messaging clients,
including Office Outlook clients. The following table lists the services provided for Outlook clients.
Service

Description

RPC Client Access


services

Enables MAPI clients such as Outlook to connect to user mailboxes. The client
connects to the Client Access server using a MAPI connection.

Autodiscover

The Autodiscover service configures client computers that are running Outlook
2007 or newer, or supported mobile devices. The Autodiscover process
configures the Outlook client profile, including the mailbox server, Availability
service, and offline address book download locations.

Availability

The Availability service is used to make free/busy information available for


Outlook 2007 and Outlook Web App clients. The Availability service retrieves
free/busy information from Mailbox servers or Public folders, and presents the
information to the clients.

MailTips

The MailTips feature provides notifications for users regarding potential issues
with sending a message, before they send the message.

Offline Address
Book download

The Client Access server makes offline address book available through a Web
service. Only Microsoft Office Outlook 2007 or later clients are capable of
retrieving OABs from a Web service.

ECP

The ECP is a Webbased management interface that can be used to enable self
service for mailbox users, and enables users to perform specific management
tasks without having access to the entire Exchange management interface.

4-26

Managing Client Access

(continued)
Service

Description

Exchange Web
Services

Exchange Web Services enables client applications to communicate with the


Exchange server. You also can access Exchange Web Services programmatically. It
provides access to much of the same data made available through Office
Outlook. Exchange Web Services clients can integrate Outlook data into line-ofbusiness (LOB) applications.

Outlook Anywhere

Outlook Anywhere enables Outlook 2003 or later clients to access the user
mailbox by using RPCs encapsulated in an HTTP or HTTPS packet. This enables
secure access to user mailboxes from clients located on the Internet.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-27

What Is RPC Client Access Services?

One the most significant architectural changes in Exchange Server 2010 is that the Client Access server
supports all client connections, including MAPI client connections from Outlook clients. In previous
Exchange Server versions, Outlook configured as a MAPI client always connects to the Mailbox server
directly, rather than connecting to a front-end or Client Access server. In Exchange Server 2010, all clients
connect to the Client Access server role, regardless of the client protocol used. The only case when clients
are still connecting to Mailbox server is when they access public folders.

How RPC Client Access Services Works


Because of the change in the messaging architecture, the client communication with the mailbox server
has changed in the following way:

In Exchange Server 2010, when a MAPI client starts, it connects to a Client Access server. The client
protocol has not changed, and it remains compatible with older Outlook versions, to Outlook 2003
SP2.

When the client connects to the Client Access server, the Client Access server uses a MAPI RPC
connection to communicate with the Mailbox server.

When the client such as an Outlook Web App client requests the Global Address List (GAL), the Client
Access server role now provides a Name Service Provider Interface (NSPI) service, and it queries the
GAL on behalf of the client. This means that all client connections for address book lookups are now
sent to the Client Access server rather than a Global Catalog server.

4-28

Managing Client Access

Benefits of RPC Client Access Services


RPC Client Access services provide a number of benefits:

All clients now use the same mailbox access architecture.

For organizations that deploy highly available Mailbox servers, client outages have been reduced in
situations where a mailbox database fails over to another server. When a mailbox fails over to another
server, the Client Access server is notified, and the client connections are redirected to the new server
within seconds. In a failover scenario, clients in Exchange Server 2007 would be disconnected for one
to 15 minutes. In Exchange Server 2010, if one Client Access server in a Client Access server array fails,
the client will immediately reconnect to another Client Access server in the array. If a mailbox server
fails, the client is disconnected for 30 seconds.

Mailboxes can now be moved from one Mailbox server to another, even while the user is online and
connected to the mailbox.

The new architecture supports more concurrent client connections to the mailbox server. In Exchange
Server 2007, each mailbox server can handle 64,000 connections. That number increases to 250,000
RPC context handle limit in Exchange 2010.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-29

What Is Autodiscover?

The Autodiscover service in Exchange Server 2010 simplifies Office Outlook 2007, 2010 or later client
configuration. Autodiscover provides configuration information that Outlook requires to create a profile
for the client. Outlook clients can also use the Autodiscover service to repair Exchange Server connection
settings if a profile is corrupted, or if the user mailbox is moved to a different server. The Autodiscover
service uses a users email address and password to provide profile settings to Outlook 2007, 2010 or later
clients, and supported mobile devices.
As part of the profile creation, Autodiscover provides information for the client to locate various Web
services, such as the Availability service, Unified Messaging settings, and offline address books.

How Autodiscover Works


Outlook 2010 connects to Exchange Server 2010 in the following manner:
1.

When you install the Client Access server role, a service connection point (SCP) is configured
automatically in Active Directory for the Client Access server. This SCP includes the Client Access
server URL. Service Connection Point (SCP) is used only by internal clients.

2.

When Outlook 2010 starts for the first time, Outlook uses the user name or the users email address
and password to configure the MAPI profile automatically. Exchange Server uses configuration
information to build an Outlook configuration template. The configuration template includes
information about Active Directory and the Exchange Server 2010 organization and topology.

3.

If Outlook is running on a domain-joined computer, then Outlook also uses the SCP to locate the
Autodiscover service on an Exchange Server 2010 computer with the Client Access server role
installed. The information includes the download location for the Availability Web service and the
Offline Address Book. If you are accessing Exchange Client Access server from outside, or from a
computer that is not joined to your domain, then the client looks for the Autodiscover host in DNS.
After that Outlook is redirected to the Autodiscover virtual folder on CAS.

4-30

Managing Client Access

4.

Outlook downloads the required configuration information from the Autodiscover service.

5.

Outlook then uses the appropriate configuration settings to connect to Exchange Server 2010.

Autodiscover Response Format


The Autodiscover.xml file that downloads to the client during Autodiscover can contain many different
types of information. The following shows one example of the information that might be included in the
file:
<Autodiscover
xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response
xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>First Last</DisplayName>
<LegacyDN>/o=AdatumOrg/ou=First Administrative
Group/cn=Recipients/cn=Gregory</LegacyDN>
<DeploymentId>644560b8-a1ce-429c-8ace-23395843f701</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>LON-EX1.adatum.com</Server>
<ServerDN>/o=ADatumOrg/ou=Exchange Administrative Group
(FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=LON-EX1</ServerDN>
<ServerVersion>72008287</ServerVersion>
<MdbDN>/o=ADatumOrg/ou=Exchange Administrative Group
(FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=LON-EX1/cn=MailDB</MdbDN>
<ASUrl>https://mail.adatum.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://mail.adatum.com/ews/exchange.asmx</OOFUrl>
<UMUrl>https://mail.adatum.com/unifiedmessaging/service.asmx</UMUrl>
<OABUrl>https://mail.adatum.com/OAB/d29844a9-724e-468c-88200f7b345b767b/</OABUrl>
</Protocol>
</Account>
</Response>
</Autodiscover>

Supported Clients and Protocols


Autodiscover supports the following clients and protocols.
Client application

Protocol

Office Outlook 2010

RPC over TCP/IP

Outlook Anywhere

RPC over HTTP

Exchange ActiveSync

Exchange ActiveSync over HTTP

Entourage 2008, Exchange Web Services Edition

Exchange Web Services (HTTPS)

Note Exchange Server 2010 supports Autodiscover for Exchange ActiveSync Service
clients. However, the Exchange ActiveSync Service client must be running Windows
Mobile 6 to support this feature.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-31

Configuring Autodiscover

By default, the Autodiscover settings for internal clients are automatically configured, and Outlook 2007
or later clients are automatically configured to use the appropriate services. In some cases, you may want
to modify the default settings. For external clients, you need to configure the appropriate DNS settings to
ensure that external clients can locate the Client Access server that is accessible from the Internet.

Configuring the Autodiscover Settings


To enable Autodiscover, you must have at least one Client Access server that is running the Autodiscover
service. When you install the Client Access server role, the Autodiscover virtual directory is created
automatically in IIS.
To manage Autodiscover settings, you must use the following Exchange Management Shell cmdlets:
Task

Exchange Management Shell cmdlet

Configure the Autodiscover SCP

Set-ClientAccessServer

Create a new Autodiscover virtual directory

New-AutodiscoverVirtualDirectory

Remove an Autodiscover virtual directory

Remove-AutodiscoverVirtualDirectory

Configure an Office Outlook provider

Set-OutlookProvider

Locate an Office Outlook provider or providers on the


virtual directory

Get-OutlookProvider

4-32

Managing Client Access

Configuring Autodiscover for Multiple Sites


If your organization has deployed Exchange servers in multiple Active Directory sites, you should consider
configuring site affinity for the Autodiscover service. To use site affinity, you specify which Active Directory
sites are preferred for clients to connect to a particular Autodiscover service instance. Usually
Autodiscover site affinity is used in scenarios when you do not have good connectivity between all of your
sites and you would like Outlook clients to utilize Autodiscover services on a Client Access Server (CAS) to
which the clients have good connectivity. In another scenario, if you have acceptable connectivity
between your sites, you may still prefer that your Outlook clients utilize Autodiscover services on a Client
Access Server in a site that is local to the clients.
To configure site affinity, use a cmdlet as shown in the following example:
Set-ClientAccessServer -Identity "ServerName"
-AutodiscoverServiceInternalURI "https://VAN-EX1/autodiscover/autodiscover.xml"
AutodiscoverSiteScope "HeadOffice"

This cmdlet configures the URI for the Autodiscover service in the HeadOffice site to use the VAN-EX1
server.

Configuring DNS to Support Autodiscover


For external clients to be able to locate the appropriate Client Access servers, you must configure DNS
with the correct information. When the Outlook client attempts to locate the Client Access server, it first
tries to locate the SCP information in the Active Directory directory service. If the client is outside the
network, Active Directory is not available. Therefore, the client queries DNS for a server name based on
the SMTP address that the user provides. Office Outlook queries DNS for the following URLs:

https://autodiscover.e-maildomain/autodiscover/autodiscover.xml

https://<e-maildomain/autodiscover/autodiscover.xml

To enable Autodiscover, you must configure a DNS record on the DNS server that the client uses to
provide name resolution for that request. The DNS record should point to a Client Access server that is
accessible from the Internet, or to reverse proxy server (such as TMG) that is used to publish Client Access
Server

Using the Test E-mail AutoConfiguration Feature in Outlook 2010


You can use the Test E-mail AutoConfiguration feature in Outlook 2010 to test whether Autodiscover is
working correctly. You do it by clicking on the Outlook icon in the notification area, while holding Ctrl
button, and then you click Test E-mail AutoConfiguration.
Note You also can use the Exchange Management Shell cmdlet
Test-OutlookWebServices to test the Autodiscover settings on a Client Access server.
A very useful tool for testing Autodiscover functionality from outside can be found at
https://www.testexchangeconnectivity.com/. This is an official Microsoft testing tool that you can use to
test Autodiscover for ActiveSync and Outlook connectivity. Besides using it for on-premises Exchange
Server, you can also use it to test service availability in Microsoft Office 365.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-33

What Is the Availability Service?

Exchange Server 2010 makes free/busy information available to both Outlook 2007 or later, and Outlook
Web App clients, by using the Availability service. The Availability service replaces the public folder used
to store free/busy information in previous Exchange Server versions.
The Scheduling Assistant uses the Availability service to:

Retrieve live free/busy information for Exchange Server 2007 or Exchange Server 2010 mailboxes.

Retrieve live free/busy information from other Exchange Server 2007 or Exchange Server 2010
organizations.

Retrieve published free/busy information from public folders for mailboxes hosted on Exchange
Server 2003 servers.

View the working hours of attendees.

Show meeting time suggestions.


Note Only Outlook 2007 or later and Outlook Web App use the Availability service.
Outlook 2003 clients continue to use the Schedule+ Free Busy Information public folder.
This folder must be available on an Exchange server for these clients to function.

How the Availability Service Works


The Availability service provides free/busy information by using the following process:
1.

When you start the Scheduling Assistant in Outlook 2007 or Outlook Web App, the client sends a
request to the URL provided to the client during Autodiscover. The request includes all invited users,
including resource mailboxes.

4-34

Managing Client Access

2.

The Client Access server Availability service queries Active Directory to determine the user mailbox
location. For any mailbox in the same site as the Client Access server, the request is sent directly to
the Mailbox server to retrieve the users current free/busy information.

3.

If the mailbox is in a different site than the Client Access server, the request is sent by proxy to a
Client Access server in the site where the user mailbox is located. The Client Access server in the
destination site extracts the availability information from the Mailbox server, and replies to the
requesting Client Access server.

4.

If the mailbox for one of the invited users is on a computer running Exchange Server 2003, Availability
service queries the public folder that contains the free/busy information for the user.

5.

The Availability service combines the free/busy information for all invited users, and presents it to the
Outlook 2007 or Outlook Web App client.

How Free/Busy Information Is Retrieved


When a user creating a meeting request has an Exchange Server 2003 or Exchange 2000 Server mailbox,
free/busy information is always retrieved using public folders. The following table summarizes how
free/busy information is retrieved when the user that creates the meeting request has an Exchange Server
2010 mailbox.
Client

Invitee mailbox

Free/Busy retrieval method

Outlook 2007 or
later

Exchange 2007 or 2010

The Availability service reads from invitee mailbox.

Outlook 2007 or
later

Exchange 2003

The Availability service uses HTTP/HTTPS to read from


/public virtual directory on Exchange 2003 server.

Outlook 2003

Exchange 2007, 2010 or


Exchange 2003

Outlook reads free/busy information from public


folders.

Outlook Web App


(Exchange 2007 or
2010)

Exchange 2007 or 2010

Calls the Availability service application programming


interface (API) This API reads from the invitees
mailbox.

Outlook Web App


(Exchange 2007 or
2010)

Exchange 2003

Calls the Availability service API that uses HTTP/HTTPS


to read from /public virtual directory on Exchange
2003 server.

You also can configure the Client Access server to query the Availability service in a different Exchange
Server 2010 organization. This allows you to share scheduling information between Exchange Server
organizations.

Deploying the Availability Service


The Availability service is deployed by default on all Client Access servers and does not need configuration
except in scenarios where you are integrating the free/busy information from multiple forests.
Autodiscover delivers the service location for the Availability service to Outlook 2007 clients. Availability
service is located at the URL http://servername/EWS.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-35

What Are MailTips?

MailTips are informative messages displayed to users before they send a message. MailTips inform a user
about issues or limitations with the message the user intends to send. Exchange Server 2010 analyzes
the message, including the list of recipients to which it is addressed. If it detects a potential problem, it
notifies the user with MailTips prior to sending the message. With the help of the information provided by
MailTips, senders can adjust the message they compose to avoid undesirable situations or non-delivery
reports (NDRs).

Types of MailTips
Exchange Server 2010 provides several default MailTips, including the following examples:

Mailbox Full. This MailTip displays if the sender adds a recipient whose mailbox is full, and if your
organization has implemented a Prohibit Receive restriction for mailboxes over a specified size.

Recipient Out of Office. This MailTip displays the first 250 characters of the out-of-office reply
configured by the recipient, if a recipient has configured an out-of-office rule.

Restricted Recipient. This MailTip displays if the sender adds a recipient for which delivery restrictions
are configured, and prohibits this sender from sending the message.

External Recipients. This MailTip displays if the sender adds a recipient that is external, or adds a
distribution group that contains external recipients.

Large Audience. This MailTip displays if the sender adds a distribution group that has more than the
large audience size configured in your organization. By default, Exchange Server displays this MailTip
for messages to distribution groups that have more than 25 members.

4-36

Managing Client Access

You can also configure custom MailTips in the Exchange Management Shell. A custom MailTip can be
assigned to any recipient. For example, you could configure a custom MailTip for a recipient who is on an
extended leave or for a distribution group where all members of the group will be out of the office.
Alternately, you can create a custom MailTip for a distribution group that explains the purpose of the
group and thus reduces its misuse. When you configure a custom MailTip, it displays when a user
composes a message for a specified recipient. In Exchange Server 2010 SP2, you can also use Exchange
Control Panel to configure custom mail tips.
Note MailTips are available only in Exchange Server 2010 Outlook Web App, or when
using Microsoft Office Outlook 2010 or later. MailTips are not available in Outlook 2007.

How MailTips Work


MailTips are implemented as a Web service in Exchange Server 2010. When a sender composes a
message, the client software makes an Exchange Web service call to Exchange Server 2010 server with the
Client Access server role installed, to get the list of MailTips. The Exchange Server 2010 server responds
with the list of MailTips that apply to that message, and the client software displays the MailTips to the
sender.
The following actions by the sender trigger MailTips to be evaluated or updated:

Adding a recipient

Adding an attachment

Replying to the sender, or replying to All

Opening a message from the Drafts folder, which is already addressed to recipients

When the Client Access server is queried, it compiles the list of applicable MailTips, and returns all of them
at one time. This way, all MailTips are displayed to the user at the same time.The Client Access server uses
the following process to compile MailTips for a specific message:
1.

The mail client queries the Web service on the Client Access server for MailTips that apply to the
recipients in the message.

2.

The Client Access server gathers MailTip data:

3.

The Client Access server queries the AD DS and reads group metrics data.

The Client Access server queries the Mailbox server to gather the Recipient Out-of-Office and
Mailbox Full MailTips. If the recipient's mailbox is on another site, then the Client Access server
requests MailTips information from the Client Access server in the remote site.

The Client Access server returns MailTips data back to the client.
Note Several MailTips are available when the Outlook client is offline. To enable this
functionality, the redesign of the structure of the offline address book now includes some of
the information that MailTips requires. MailTips that require current information from Active
Directory or the user mailbox are the only MailTips that will not work while the Outlook
client is offline. MailTips that will not work offline are the Invalid Internal Recipient, the
Mailbox Full, and the Recipient Out-of-Office MailTips.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-37

Limitations on MailTips
MailTips are subject to the following restrictions:

When a message is addressed to a distribution group, the MailTips for individual recipients that are
members of that distribution group are not evaluated. However, if any of the members is an external
recipient, the External Recipients MailTip is displayed, which shows the sender the number of external
recipients in the distribution group.

If the message is addressed to more than 200 recipients, MailTips for individual mailboxes are not
evaluated due to performance reasons.

Custom MailTips are limited to 250 characters.

4-38

Managing Client Access

Demonstration: How to Configure MailTips

In this demonstration, you will see how to review and configure default MailTips for an Exchange
Server 2010 organization, and how to configure custom MailTips. You will also confirm that the MailTips
functions as expected.

Demonstration Steps
1.

In Exchange Management Shell, use the Get-OrganizationConfig cmdlet to review the default
configuration for MailTips.

2.

Use the Get-OrganizationConfig MailTipsLargeAudienceThreshold 10 cmdlet to modify the


large distribution group threshold setting.

3.

Use the Set-DistributionGroup Marketing MailTip The marketing team will be at a conference
till next week. cmdlet to configure a custom MailTip.

4.

Log on to Outlook Web App. Prepare test messages to verify that the default and custom MailTips
work as expected.
Question: Will you leave MailTips enabled in your organization? How will you modify the
default configuration?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-39

What Is Outlook Anywhere?

When you enable Outlook Anywhere, an Outlook 2003 or later client can connect to a server running
Exchange Server 2010 or Exchange Server 2007 using RPCs encapsulated in an HTTP or HTTPS packet. This
feature is a secure option for connecting to the Exchange server from the Internet while using a MAPI
client.

How Does Outlook Anywhere Work?


To deploy Outlook Anywhere, you need to deploy the Outlook 2007 or Outlook 2003 client and the RPC
proxy service running on Windows Server 2008. The following is a description of the communication
process between all components in an RPC-over-HTTP configuration:
1.

All communication between the Outlook client and the Client Access server is sent using HTTPS. The
client establishes a connection to the Client Access server for each RPC request that it sends, and then
establishes a second connection for responses from the Client Access server.

2.

When the client connects, the Client Access server authenticates the user by forwarding the
authentication request to a domain controller.

3.

After the user is authenticated, the Client Access server uses an RPC connection to communicate with
the Mailbox server hosting the user mailbox.

4.

If the client requests a Global Address List lookup, the NSPI component on the Client Access server
will send a Lightweight Directory Access Protocol (LDAP) query to a global catalog server.

4-40

Managing Client Access

Demonstration: How to Configure Outlook Anywhere

When configuring Outlook Anywhere, you must configure the Exchange Client Access server, and then
configure the Outlook clients.

Implementing Outlook Anywhere


To configure Outlook Anywhere on Exchange Server 2010, you must perform the following high-level
steps:
1.

Configure a computer running Windows Server 2008 as the RPC proxy server by installing the RPC
over HTTP Proxy feature in Server Manager. When you select this feature, the required Web Server
(IIS) role services are installed on the server. You should install the RPC over HTTP Proxy feature on
the Client Access server.

2.

Install a server certificate on the RPC proxy server. By default, Outlook Anywhere requires SSL
encryption. Configure the RPC virtual directory to require SSL.

3.

Enable Outlook Anywhere in the Exchange Management Console. When you enable RPC over HTTP,
you must configure both an external host name and authentication method.

4.

Configure the Outlook 2010, Outlook 2007 or Outlook 2003 profile on the client to use RPC over
HTTP to connect to the Client Access server.

Demonstration Steps
1.

On the Client Access server, use the following cmdlet to review the Autodiscover configuration:
Get-ClientAccessServer id VAN-EX1 | FL

2.

On the Client Access server, verify that the RPC over HTTP Proxy feature is installed.

3.

On the Client Access server, in Exchange Management Console, click Enable Outlook Anywhere,
using a host name that is resolvable from the Internet.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-41

4.

On the Client Access server, in Internet Information Services (IIS) Manager, verify that the RPC virtual
directory is configured to use SSL and that it is configured to accept Basic and Windows
Authentication.

5.

On the client computer, configure the Outlook account properties to Connect to Microsoft
Exchange using HTTP, and then click Exchange Proxy Settings.

6.

In the Microsoft Exchange Proxy Settings dialog box, complete the following information:

Use the URL (https://): external host name for the Client Access server

Connect using SSL only: enable (default)

On fast networks, connect using HTTP first, then connect using TCP/IP: enable

On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)

Proxy authentication setting: NTLM Authentication (default)

7.

From the client, open Outlook and connect to the server.

8.

Press and hold the Ctrl key, and then right-click the Office Outlook icon in the Windows 7
operating system notification area. Click Connection Status. Confirm that the Conn column lists
HTTPS as the connection method.

9.

Press and hold Ctrl, and then click the Outlook icon in the notification area of the Windows task bar.
Click Test E-mail AutoConfiguration.

10. Click Test. View the information displayed on both the Results and Log tabs.

4-42

Managing Client Access

Troubleshooting Outlook Client Connectivity

To troubleshoot Outlook with MAPI connectivity to an Exchange server, use the following steps:
1.

Identify network connectivity issues. If the Outlook client or the Exchange server experiences
problems connecting to the network, Outlook shows a status of Disconnected, and no new messages
can be transferred between the client and the server.

2.

Identify name resolution issues. Outlook clients must be able to resolve the name of the Exchange
server to which they are connecting. By default, Outlook 2007 clients use DNS host-name resolution
to resolve the name of the Exchange server to its IP address. If DNS servers are not available on the
network, or if the records in DNS are incorrect, Outlook clients are unable to connect to the Exchange
server.

3.

Identify client configuration issues. A client configuration issue can occur in Outlook or Windows
configurations. An improperly configured client can prevent the computer from connecting to the
Exchange server, or create intermittent connectivity problems. You may need to troubleshoot the
client computer to rule out any configuration errors before investigating a server-based issue.

4.

Identify server configuration or service-availability issues. A configuration error can prevent some or
all users from connecting to the Exchange server. Based on the symptom that the user is
experiencing, you can verify configuration by using the Exchange Server Best Practices Analyzer Tool,
or examine server properties by using the Exchange Management Console.

5.

If the client computer is using Outlook Anywhere to connect to the Client Access server, it may be a
Client Access server certificate issue. Outlook Anywhere relies on valid server certificates to provide
secure communication with the server. Invalid names on certificates, expired certificates, or nontrusted certificates can cause connectivity issues between these clients and a Client Access server.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-43

Tip To ensure that a valid server certificate is trusted and can be used for connecting with
Outlook Anywhere, you should connect from a Web browser to the RPC virtual directory on
the Exchange server. If the user receives a prompt with a warning message about the
certificate authenticity, then there is an issue with the certificate configuration. This will lead
to problems with Outlook Anywhere, Autodiscover, and Exchange ActiveSync.
6.

You can use the Test E-Mail AutoConfiguration Wizard in Outlook 2007 to test whether Autodiscover
is configured correctly. When you run the wizard, it will provide information whether the client could
connect to the Autodiscover service on a Client Access server, and it will display the information that
it received through the Autoconfiguration process.

4-44

Managing Client Access

Lab A: Configuring Client Access Servers for Outlook


Anywhere Access

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2.

Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, 10135B-VAN-EX2, and the 10135B-VAN-CL1


virtual machines are running.

3.

10135B-VAN-DC1: Domain controller in the Adatum.com domain

10135B-VAN-EX1: Exchange 2010 server in the Adatum.com domain

10135B-VAN-EX2: Exchange 2010 server in the Adatum.com domain

10135B-VAN-CL1: Client computer in the Adatum.com domain

If required, connect to the virtual machines. Log on to VAN-DC1, VAN-EX1, and VAN-EX2 as
Adatum\Administrator, using the password Pa$$w0rd. Do not log on to VAN-CL1 at this point.

Lab Scenario
You are working as a messaging administrator in A. Datum Corporation. Your organization has decided to
deploy Client Access servers so that the servers are accessible from the Internet for a variety of messaging
clients. To ensure that the deployment is as secure as possible, you must secure the Client Access server,
and configure a certificate on the server that will support the messaging client connections. You also need
to configure the server to support Outlook Anywhere connections.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-45

Exercise 1: Configuring Client Access Servers


Scenario
As a messaging administrator in A. Datum Corporation, you have deployed the Exchange Server
environment, and you are now working on configuring the Client Access servers. The organization has
decided to use a certificate from the internal CA to secure all client connections to the server. You need to
enable this configuration, and then you need to ensure that Outlook clients can still connect to the server.
The main tasks for this exercise are:
1.

Configure an External Client Access Domain for VAN-EX2.

2.

Prepare a Server Certificate request for VAN-EX2.

3.

Request the certificate from the CA.

4.

Import and assign the IIS Exchange service to the new certificate.

5.

Verify Outlook connectivity to the Exchange Server.

X Task 1: Configure an External Client Access Domain for VAN-EX2


1.

On VAN-EX2, open the Exchange Management Console and configure an External Client Access
Domain named mail.Adatum.com.

2.

Apply the external domain name just to VAN-EX2.

3.

Verify that the External Client Access Domain was applied to the owa (Default Web Site) virtual
directory.

X Task 2: Prepare a Server Certificate request for VAN-EX2


1.

2.

On VAN-EX2, run the New Exchange Certificate Wizard using the following configuration options:

Friendly name: ADatum Mail Certificate

Outlook Web App is on the intranet

mail.adatum.com as the server name for all services

Outlook Web App is on the Internet

Exchange ActiveSync is enabled

Autodiscover is used on the Internet

Long URL is used for AutoDiscover

Organization: A Datum

Organization Unit: Messaging

Country/region: Canada

City/locality: Vancouver

State/province: BC

Save the file using the name CertRequest.req.

4-46

Managing Client Access

X Task 3: Request the certificate from the CA


1.

Copy the text of the certificate request file to the clipboard.

2.

Connect to https://van-dc1.adatum.com/certsrv and create a new certificate request using the


contents of the certificate request file. Use an advanced certificate request using a base-64-encoded
CMC or PKCS#10 file. Copy and paste the contents of the CertRequest.req file into the Saved
Request field. Request a Web server certificate.

3.

Download the certificate and save it.

4.

View the certificate. Verify that the certificate includes several subject alternative names, and then
click OK.

X Task 4: Assign the IIS Exchange Service to the new certificate


1.

In the Exchange Management console, use the Complete Pending Request Wizard to import the
Adatum Mail certificate.

2.

In the Exchange Management console, use the Assign Services to Certificate Wizard to assign the
Adatum Mail certificate to the Internet Information Services service.

X Task 5: Verify Outlook connectivity to the Exchange Server


1.

On VAN-CL1, log on as Molly using the password Pa$$w0rd.

2.

Open Microsoft Outlook 2010, and verify that a profile is automatically created for Molly.

3.

In Microsoft Outlook, click File, and then click Account Settings. Verify that the Outlook profile is
configured to use VAN-EX2 as the mailbox server.

Results: After this exercise, you should have configured the security settings for VAN-EX2 by using the
Security Configuration Wizard, and installed a server certificate from the internal CA on the server. You
should have also verified Outlook client connectivity to the Exchange server.

Exercise 2: Configuring Outlook Anywhere


Scenario
A. Datum Corporation has several users who are frequently out of the office. These users all have laptop
computers, and they want to use Office Outlook to connect to their Exchange Server mailboxes while in
the office or out of the office. You need to configure the Client Access server to enable Outlook
Anywhere, and then configure a client to connect to the server using RPC over HTTPS. Finally, you need to
verify that the connection works.
The main tasks for this exercise are:
1.

Configure a DNS record for Mail.Adatum.com.

2.

Configure Outlook Anywhere on VAN-EX2.

3.

Configure the Outlook profile to use Outlook Anywhere.

4.

Verify Outlook Anywhere connectivity.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-47

X Task 1: Configure a DNS record for Mail.Adatum.com

On VAN-DC1, create a new host record for Mail.adatum.com using an IP address of 10.10.0.21.

X Task 2: Configure Outlook Anywhere on VAN-EX2


1.

On VAN-EX2, verify that the RPC over HTTP Proxy feature is installed.

2.

In the Exchange Management Console, enable Outlook Anywhere for VAN-EX2.

3.

Configure an external host name of Mail.adatum.com, and choose NTLM authentication.

4.

Restart VAN-EX2 and log back on as Administrator with the password Pa$$w0rd.

X Task 3: Configure the Outlook profile to use Outlook Anywhere


1.

On VAN-CL1, ensure that you are logged on as Adatum\Molly.

2.

Modify the profile for Molly to connect to Microsoft Exchange using HTTP.

3.

Configure the Exchange Proxy server settings as follows:

4.

Use this URL (https://): mail.adatum.com

Connect using SSL only: enable (default)

On fast networks, connect using HTTP first, then connect using TCP/IP: enable

On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)

Proxy authentication setting: NTLM Authentication (default)

Close Outlook.

X Task 4: Verify Outlook Anywhere connectivity


1.

On VAN-CL1, open Outlook and verify that you are connected to the Exchange server.

2.

Press and hold Ctrl, and then right-click the Office Outlook icon in the Windows 7 notification area.
Confirm that the Conn column lists HTTPS as the connection method. You may need to click the up
arrow in the Windows 7 notification area to view the Office Outlook icon.

3.

Use the E-mail AutoConfiguration tool to review the settings Autodiscover provided to the client.

4.

Log off VAN-CL1.

Results: After this exercise, you should have enabled Outlook Anywhere on VAN-EX2, and configured a
client profile to use Outlook Anywhere. You also verified the Outlook Anywhere functionality.

X To prepare for the next lab

Do not shut down the virtual machines and revert them to their initial state when you finish this lab.
This modules last lab requires the virtual machines for completion.

4-48

Managing Client Access

Lesson 3

Configuring Outlook Web App

Exchange Server 2010 uses Outlook Web App to provide access to user mailboxes through a Web
browser. Many organizations provide users with access to Outlook Web App from the Internet. Some
organizations also use Outlook Web App internally. In both scenarios, deploying Outlook Web App is
quite easy because only a Web browser is required as a client. This lesson describes how to configure
Outlook Web App for Exchange Server 2010.
After completing this lesson, you will be able to:

Describe Outlook Web App features.

Identify Outlook Web App configuration options.

Describe the file and data access options in Outlook Web App.

Configure Outlook Web App.

Configure Outlook Web App policies.

Configure user options using the ECP.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-49

What Is Outlook Web App?

Outlook Web App allows users to access their mailboxes through a Web browser. The feature set in
Outlook Web App closely mimics features available in Outlook 2010, and may provide features that are
not available in previous Outlook versions. In some cases, it may be possible to use Outlook Web App in
place of Outlook 2010.

Features of Outlook Web App


Outlook Web App provides most features that are available when using the full Outlook 2010 client. Some
of these features enable users to:

Read and respond to messages.

Book meetings and view the Calendar.

Create and edit Contacts and Tasks.

Read attachments that have been rendered into HTML content on the server.

Configure personal settings such as signatures, out of office messages and junk email settings.

Change passwords.

Configure mobile device settings.

Create and edit server-side rules.

Access public folders.

Use Secure/Multipurpose Internet Mail Extensions (S/MIME) to sign and encrypt email and to read
signed and encrypted email.

Recover deleted items.

Create and edit personal distribution lists.

4-50

Managing Client Access

Outlook Web App has been redesigned in Exchange Server 2010 to include features such as chat, text
messaging, mobile phone integration, and enhanced conversation view. In Exchange Server 2010, these
features are accessible from an expanded set of Web browsers, including Microsoft Internet Explorer 6.0
or later, Firefox, Safari, and Google's Chrome.

Benefits of Outlook Web App


Outlook Web App provides many important benefits for an organization. These include:

All communication between the Outlook Web App client and the Client Access server is sent using
HTTP. You can easily secure this information using SSL. This also means that it is easy to configure
firewalls or reverse proxies to enable Internet access to Outlook Web App, as only a single port is
required.

Outlook Web App does not require that you deploy or configure a messaging client; all client
computers, including computers that run Linux or Macintosh, have a Web browser available. This
means that users can access their mailbox from any client that can access the Client Access servers
URL.

Outlook Web App in Exchange Server 2010 also provides access to some features that are only
available through Outlook Web App or Outlook 2010. For example, features such as the archive
mailbox or conversation view can be accessed through Outlook Web App without deploying Outlook
2010.

Limitations of Outlook Web App


Outlook Web App cannot provide offline access to mailboxes. If the Exchange server hosting Outlook
Web App is offline, users cannot read or send messages. If offline access to files is required, you must
select another remote-access method to the Exchange server. Outlook 2007 using Outlook Anywhere,
POP3, and IMAP clients can cache messages to provide offline access.
Question: What is Outlook Web App for Exchange Server 2010?
Question: What are the benefits of Outlook Web App?
Question: When would you use Outlook Web App instead of Outlook or Windows Mail?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-51

Configuration Options for Outlook Web App

Although Outlook Web App is available automatically on Client Access servers, you must configure
Outlook Web App to support your users specific requirements.

Configuration Tasks for Outlook Web App


When configuring Outlook Web App, you need to complete the following tasks:

Install and configure a server certificate to enable SSL for all client connections.

Configure the Outlook Web App virtual directory. When you install the Client Access server role, an
Outlook Web App virtual directory is configured in the default IIS website on the Client Access server.
In most cases, you might not need to modify the Outlook Web App virtual directory settings, other
than configuring the default website to use a CA certificate for SSL, and to set the authentication
options.

Configure segmentation settings. You can enable or disable specific Outlook Web App features for
Exchange Server 2010 Outlook Web App users. Access the Outlook Web App virtual directory
properties in the Exchange Management Console to configure the segmentation settings.

Modify the attachment handling settings. You can configure the attachment settings by configuring
the WebReady Document Viewing settings on the Outlook Web App virtual directory.
You can also use the Exchange Management Shell set-OWAVirtualDirectory cmdlet with the
parameters AllowedFileTypes, AllowedMimeTypes, BlockedFileTypes, BlockedMIMETypes,
ForceSaveFileTypes, and ForceSaveMIMETypes.

Configure GNU zip (GZIP) compression settings. Gzip enables data compression, which is optimal for
slow network connections. You can use the Exchange Management Shell to configure Gzip
compression. Use the set-OWAVirtualDirectory cmdlet with the parameter GzipLevel.

4-52

Managing Client Access

Configure Web beacon settings. A Web beacon is a file objectsuch as a transparent graphic
or an imagethat is put on a website or in an email message. Web beacons are typically used
together with HTML cookies to monitor user behavior on a website, or to validate a recipient's email
address when an email message containing a Web beacon is opened. Web beacons and HTML forms
also can contain harmful code, and can be used to circumvent email filters. By default, Web beacons
and HTML forms are set to UserFilterChoice. This blocks all Web beacons and HTML forms, but lets
the user unblock them on individual messages. You can use the Exchange Management Shell to
change the type of filtering that is used for Web beacon and HTML form content in Outlook Web
App. If you change the setting to ForceFilter, this blocks all Web beacons and HTML forms. If you
change the setting to DisableFilter, this allows all Web beacons and HTML forms.

Configure Cross-site silent redirection. This feature is specific to Exchange 2010 SP2. When this
feature is enabled, a user with a mailbox in one Active Directory site who accesses the Outlook Web
App URL in another Active Directory site will be silently redirected to the Outlook Web App URL
for his or her Active Directory. Cross-site silent redirection prevents users from having to learn a
secondary Outlook Web App URL. If the authentication method for the Outlook Web App virtual
directory on both the source and target Client Access servers is set to forms-based authentication,
the user will only have to enter his or her credentials once. If the authentication methods differ on
the source and target Client Access servers, the user may have to enter his or her credentials a second
time. When using forms-based authentication, you must require SSL on both the source and target
Outlook Web App virtual directories. To configure cross-site silent redirection, the administrator must
use the new CrossSiteRedirectType parameter that has been added to the Set-OWAVirtualDirectory
cmdlet. You can configure totally silent redirection, or you can let users know that they are being
redirected.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-53

What Is File and Data Access for Outlook Web App?

File and data access provide Outlook Web App users different levels of access to files that are attached to
messages. This feature lets users open files that are attached to email messages and files that are stored in
Windows file shares. You can manage direct file access for Microsoft Office Outlook Web App in Microsoft
Exchange Server 2010 for both public and private computers.

Configuring File and Data Access


You can configure the following settings when configuring file and data access for Outlook Web App
users:

Enable WebReady Document Viewing or force WebReady Document Viewing. When you enable
WebReady Document Viewing, and a user attempts to open a file in the message window, the file is
converted to HTML, and then displayed in the Web browser. This enables users to view the files on
the local computer even if the native application for the file is not installed on the computer. If only
WebReady Document Viewing is enabled, users cannot save the document to the local hard disk or
view the document in its native application. By default, only a limited number of file types can be
viewed through WebReady Document Viewing.

Direct file access. Direct file access lets users open files that are attached to email messages and files
that are stored in Windows SharePoint Services document libraries and in Windows file shares.

Configure different settings for public or private computers. When users connect to Outlook Web
App, they can choose whether they are connecting from public or private computers. You can
configure different direct file access and WebReady Document Viewing settings for each option. The
customization settings available for public and private computer access are shared between the two
tabs. For example, if a file extension is blocked for public computer access it is also blocked for private
computer access.

Restrict or enable access. You can configure how users interact with files by using the Allow, Block, or
Force Save options for direct file access and by configuring the file extensions for WebReady
Document Viewing.

4-54

Managing Client Access

Demonstration: How to Configure Outlook Web App

In this demonstration, you will see how to configure several different Outlook Web App aspects. As you
will see in this demonstration, you may need to use several different tools to configure Outlook Web App.

Demonstration Steps
1.

On the Client Access server, ensure that the Outlook Web App virtual directory is configured to use
SSL, and is using the correct server certificate.

2.

In the Exchange Management Console, on the owa (Default Web Site) Properties, configure the
external URL with the required authentication and segmentation settings.

3.

In the Exchange Management Shell, use the set-owavirtualdirectory owa (Default Web Site)
ForceSaveFileTypes .xls, cmdlet to force attachments with an .xls extension to be saved to disk
before they can be opened.

4.

Use the set-owavirtualdirectory owa (Default Web Site) GzipLevel Off, cmdlet to disable Gzip
compression for Outlook Web App.

5.

Use the Set-OwaVirtualDirectory -identity Owa (Default Web Site) FilterWebBeaconsAndHtmlForms ForceFilter cmdlet to block all Web beacons.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-55

Demonstration: How to Configure Outlook Web App Policies

One of the new features in Exchange Server 2010 is the option to configure multiple Outlook Web App
policies for users. In previous Exchange Server versions, all users receive the same settings when they
connect to Outlook Web App. With Exchange Server 2010 Outlook Web App policies, you can configure
unique policies and assign them to users.

Demonstration Steps
1.

In Exchange Management Console, in the Organization Configuration node, click Client Access.

2.

Click New Outlook Web App Mailbox Policy. Provide a name for the policy, and configure the
policy settings.

3.

After creating the policy, you can configure additional settings by accessing the policy properties.

4.

Assign the policy to a user account by accessing the Outlook Web App properties on the Mailbox
Features tab.

5.

Log on to Outlook Web App as the user, and test the policy application.

4-56

Managing Client Access

Demonstration: How to Configure User Options Using the ECP

Another new feature in Exchange Server 2010 is the ECP. You can use the ECP to perform several different
administrative functions, but users also can use the ECP to modify their mailbox settings. In this
demonstration, you will see how you can configure the ECP virtual directory and view some of the
available ECP configuration options.

Demonstration Steps
1.

On the Client Access server, in IIS Manager, review the settings for the ecp virtual directory.

2.

In the Exchange Management Console, review the settings for the ecp (Default Web Site) virtual
directory on each Client Access server.

3.

As a user, access the ECP by opening Internet Explorer, and accessing https://servername/ecp.

4.

Log on to the ECP, and review the settings that can be modified by the user.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-57

Lesson 4

Configuring Mobile Messaging

Exchange Server 2010 supports mobile devices as a messaging client. With Exchange Server 2010, you
can synchronize mailbox content and perform most of the same tasks with mobile devices as you can with
other messaging clients. Exchange Server 2010 also provides administrative options for managing mobile
devices. This lesson describes how to implement and manage mobile access for Exchange Server 2010.
After completing this lesson, you will be able to:

Describe the purpose and functionality of Exchange ActiveSync.

Configure Exchange ActiveSync.

Identify security options for Exchange ActiveSync.

Configure Exchange ActiveSync policies.

Manage mobile devices.

4-58

Managing Client Access

What Is Exchange ActiveSync?

Exchange ActiveSync (EAS) is an XML-based protocol that enables mobile devices to communicate
over HTTP (or HTTPS) with Exchange Server. EAS is designed for the synchronization of email, contacts,
calendar, tasks, and notes from an Exchange server to a mobile device with a supported operating
system. ActiveSync protocol also provides mobile device management and policy controls. The Exchange
ActiveSync communication process is optimized to function over high-latency and low-bandwidth
networks. By default, Exchange ActiveSync is available for all users after you install a Client Access server.
ActiveSync has gone through many versions in last 10 years. The first version of Exchange ActiveSync
protocol (it was called AirSync at the time) was a part of Mobile Information Server (MIS) 2002 and it
provided connection between mobile devices and Exchange Server 2000. However, the first version of
ActiveSync protocol that supported management policies was introduced in Exchange Server 2003.

Exchange ActiveSync Features in Exchange Server 2010


Some features of Exchange ActiveSync in Exchange Server 2010 are:

Access to mail messages, calendars, contacts, and tasks.

Offline access to mail messages, calendars, contacts, and tasks.

Server-side searching to include messages not on the device.

Out-of-Office configuration.

Selfservice devicewipe and device password reset. Administrators and users can remotely wipe a
device of all data if it is lost or stolen. Users can perform this task, as well as recover their mobile
device password, through Outlook Web App.

Administrative reporting, including:

The number of messages sent and received.

The number of attachments downloaded.

The bandwidth consumed by a particular user or server.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-59

The latest version of ActiveSync protocol that is included in Exchange Server 2010 SP2 is 14.1. Besides
having all features from previous versions, this version of the protocol added several new features such as:

GAL photos. Images stored in an Active Directory server of the user who has sent the email.

Message Diffs. A means of sending only the new portion of an email and avoiding redundant
information.

Information Rights Management (IRM) over EAS. A method to apply digital rights management
control and encryption to email messages that are sent and received.

Exchange ActiveSync has been licensed to many different mobile operating system manufacturers. You
can use ActiveSync to connect your mobile device to Exchange Server, on Windows Phone 7 (or later), iOS
4 (or newer), and Android version 2 (and newer) based mobile devices. However, not all devices support
the same set of ActiveSync features. Exchange ActiveSync features are dependent on the operating system
version running on the mobile device. You will need to verify which features are supported on your
mobile device.
Note Because most tablet devices run a mobile operating system, they also use
ActiveSync protocol to connect to Exchange server.

How Exchange ActiveSync Works


When users connect to the Client Access server with a mobile device, the following process occurs:
1.

The Exchange ActiveSync client connects using HTTPS, to the Microsoft Server ActiveSync virtual
directory on the Client Access server. The Client Access server authenticates the client.

2.

If the users mailbox is on a Mailbox server in the same site as the Client Access server, then the Client
Access server connects to the users Mailbox server using an RPC connection. If the Mailbox server is
in a different site, then the Client Access server proxies the client request to a Client Access server in
the appropriate site.

3.

If Exchange Active Sync is supported from the operating system on the mobile device, it can use
Direct Push technology to ensure that messages are delivered to the mobile client when they connect
to the Exchange server. With Direct Push technology, the mobile device maintains a constant HTTPS
connection to the Client Access server, resulting in instant message retrieval and real-time access to
email. All current mobile device operating systems that support ActiveSync also support Direct Push
technology.

Direct Push
Direct Push allows the Client Access server to notify mobile clients when new items have arrived. The
client then initiates synchronization to download the new items. Direct Push uses the following steps:
1.
2.

3.

4.

The mobile device issues a long-standing HTTPS request to the server. This request is known as a
PING. The PING leaves an HTTPS connection open with the server.
If new items arrive, or items are changed, the server sends a response to the device that includes the
folders containing the new or changed items. If there are no new or changed items in the specified
folders during the PING requests lifetime, the server sends an empty response to the device.
If the response is not empty, the mobile device issues a synchronization request, synchronizes with
the server, and then sends a new PING request. If the response is empty, the mobile device sends a
new PING request.
When the user makes a change on the mobile device, the device uses the existing HTTPS connection
to send the updates to the Client Access server.

4-60

Managing Client Access

Demonstration: How to Configure Exchange ActiveSync

In this demonstration, you will see how to configure the Exchange ActiveSync settings on a Client Access
server and how to configure a Windows Mobile device to use ActiveSync to synchronize with the
Exchange server.

Demonstration Steps
1.

On the Client Access server, in IIS Manager, verify that SSL for the Exchange ActiveSync virtual
directory is required.

2.

In Exchange Management Console, configure authentication and remote file server settings on the
Microsoft-Server-ActiveSync virtual directory.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-61

Options for Securing Exchange ActiveSync

Mobile clients such as Exchange ActiveSync clients are difficult to secure. Because the devices are
small and portable, they are susceptible to being lost or stolen. At the same time, they may contain
highly confidential information. The storage cards that fit into mobile device expansion slots can store
increasingly large amounts of data. While this data-storage capacity is important to the mobile-device
user, it also heightens the concern about data falling into the wrong hands.
Mobile clients also are difficult to manage using centralized policies because the devices might rarely, or
never, connect to the internal network. The devices also do not require Active Directory accounts, so you
cannot use Group Policy Objects (GPOs) to manage the client settings.

Implementing Exchange ActiveSync Policies


Exchange ActiveSync policies provide one option for securing mobile devices. When you apply the policy
to a user, the mobile device automatically downloads the policy the next time the device connects to the
Client Access server.
Exchange ActiveSync lets you force password requirements to a mobile device, configure the amount of
data that will synchronize from Inbox and calendar, and allow or prohibit synchronization while roaming.
In addition, with these policies you can control some basic application usage on the device (for example,
browser and email clients), as well as some hardware capabilities such as Bluetooth, wireless, camera, and
storage card access. In general, these settings provide the most important features for managing mobile
devices. All these settings are mandatory, which means that if they are applied, users cannot change them
from the client side.
Active Sync polices are applied on a per-user basis, which means you can create different policies for
different users. However, the policies can be applied only to the level that the mobile device supports.
Policy settings that the mobile platform does not support on the client side are ignored.
To ensure that mobile devices are as secure as possible, you should configure Exchange ActiveSync
policies that require device passwords, and encrypt the data stored on the mobile device.

4-62

Managing Client Access

Note Encryption of data stored on the mobile device is currently supported only on the
Windows Mobile 6.5 operating system. The next release of Windows Phone 7 will support
encryption policies.

Managing Mobile Devices


You can manage mobile devices using either the Exchange Management Console or the Exchange
Management Shell. With these tools, you can perform the following tasks:

View a list of all mobile devices that any enterprise user is using.

Send or cancel remote wipe commands to mobile devices. Performing a remote wipe is useful when
an end user loses his or her mobile device, or if the device is stolen and there is a risk that personal or
confidential information could be accessed.

View the status of pending remote-wipe requests for each mobile device.

View a transaction log that indicates which administrators have issued remote-wipe commands, and
the mobile devices to which those commands pertain.

Delete an old or unused partnership between devices and users.


Note The option to manage a mobile device for a user mailbox in the Exchange
Management Console is available only after the user has synchronized with the Exchange
Server from a mobile device. You also can manage mobile devices in the Exchange
Management Shell by using the Remove-ActiveSyncDevice and the
Clear-ActiveSyncDevice cmdlets.

Configuring Self-Service Mobile Device Management


Users also can manage their own mobile devices by accessing the ECP. One of the options available is the
Phone tab. From this tab, users can wipe a device that they have configured, and can delete partnerships
for devices that they no longer use.
Self-service management is enabled by default for all users who are assigned to a
Microsoft Exchange ActiveSync mailbox policy.
Note In Exchange Server 2010, the request originator receives a confirmation message
when the device acknowledges the remote wipe request. If the user originates the request
through Outlook Web App, they will receive a confirmation email. If the administrator
originates the request, both the administrator and the user will receive a confirmation email.

Enabling SSL for the Mobile Device Connections


To ensure that the communication between the mobile device and the Client Access server is secure, you
should ensure that the Microsoft Server ActiveSync virtual directory is configured to require SSL.

Installing CA Root Certificates on Mobile Devices


Just like desktop computers, mobile devices are configured to trust the root certificates for most public
CAs. However, if you choose to use an internal CA to provide certificates for your Client Access servers,
you must configure the mobile devices to trust the root CAs by installing the root certificates on the
device. All mobile operating systems that support ActiveSync also support installation of root CA
certificates. Usually, it will be easiest to send a .cer file to a mobile device by email or transfer it using
desktop synchronization software.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-63

Mobile Device Quarantine in Exchange Server 2010

Microsoft Exchange Server 2010 SP1 and later, with the latest version of ActiveSync protocol, offer some
new features in the field of mobile device management for both users and administrators.
As an administrator, you can create allow lists, block lists, and quarantine lists that specify which mobile
devices are allowed to access your Exchange mailboxes. This allows you to identify the devices that users
can connect to the Exchange Sever. For example, you can specify that only devices that are running
Windows Phone 7 operating system can connect to the Exchange Server.
This is achieved by defining the device access state for each mobile device that connects to Exchange
Server. A device access state is the status of a particular device. You can control device access states in
several ways and a mobile device will behave differently in each access state. The access state of a device
can be one of the following:

Allowed. In the allow access state, a mobile device can synchronize through Exchange ActiveSync and
connect to the Exchange server to retrieve email and manipulate calendar information, contacts,
tasks, and notes. This will continue as long as the device complies with the Exchange ActiveSync
configured mailbox policies. This is the default state for all devices, because Exchange Server does not
have any quarantine policies defined.

Blocked. If defining ActiveSync Access rules are blocking a mobile device, it cannot connect to the
Exchange server, and receives an HTTP 403 Forbidden error. You can block a device based on device
family or you can block some specific model of device. The user will receive an email message from
the Exchange server telling them that the mobile device was blocked from accessing their mailbox. A
mobile device may also be blocked because it fails to apply the Exchange ActiveSync mailbox policies.
If this is the case, the user cannot receive an email message that tells them that the mobile device was
blocked from accessing their mailbox. However, the mobile device information displayed in Outlook
Web App show that it is blocked due to the failure by the device to apply the Exchange ActiveSync
mailbox policies.

4-64

Managing Client Access

Quarantined. When a mobile device is in a quarantined state, it is allowed to connect to the Exchange
server, but with limited access to data. The user can add content to their own Calendar, Contacts,
Tasks, and Notes folders but the server will not allow the device to retrieve any content from the
user's mailbox. The user will receive a single email message that tells him or her that the mobile
device is quarantined. This message will be received by the device and will also be available in the
user's mailbox. You can add customized text to this message to provide instructions for users whose
devices are quarantined. A device will remain in quarantined state until the administrator decides
whether it will be blocked or allowed to connect.

You can create and manage device access rules by using Exchange Control Panel or Exchange
Management Shell. You can manage both ActiveSync device policy and ActiveSync Access policy from
these interfaces.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-65

Demonstration: How to Configure Exchange ActiveSync Policies

One of the features in Exchange Server 2010 is that you can manage mobile users and devices with
Exchange ActiveSync mailbox policies. When you create a policy, you can configure the following options:

Allow or block nonprovisionable devices. This option permits you to specify whether devices that do
not fully support the device security settings can synchronize with the Exchange Server computer.

Enable, disable, or limit attachment downloads. This option allows you to enable or disable
attachment downloads, and configure a maximum attachment download size.

Configure devices to require passwords. If you choose to require passwords, you also can configure
the following attributes:

Minimum password length.

A requirement for alphanumeric passwords.

Inactivity time before the password is required.

The option to enable password recovery.

A requirement for device encryption.

Number of failed attempts allowed. This option specifies whether you want the device memory
wiped after a specific number of failed logon attempts.

Options for disabling removable storage, cameras, Wi-Fi, or Bluetooth.

Options for configuring synchronization settings such as message size limits.

Options for enabling additional mobile device applications such as Web browsers, unsigned
applications, or for defining allowed and blocked applications.
Note Some of these features were implemented with Windows Mobile 5.0 devices. Some
features, such as encryption on the local device, and Windows SharePoint Services and
Windows File Shares integration, are available only with Windows Mobile 6 or later. Some
settings also require an Enterprise Client Access License for each mailbox.

4-66

Managing Client Access

In this demonstration, you will see how to configure Exchange ActiveSync policies.

Demonstration Steps
1.

In the Exchange Management Console, access the Organization Configuration node, and then click
Client Access.

2.

Create New Exchange ActiveSync Mailbox Policy, and then configure the available settings.

3.

After creating the policy, access the policy properties and configure the additional settings.

4.

Access a user mailboxs properties. On the Mailbox Features tab, click Exchange ActiveSync, and
then click Properties. Assign the appropriate Exchange ActiveSync policy.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-67

Lab B: Configuring Client Access Servers for Outlook Web


App and Exchange ActiveSync

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2.

Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, 10135B-VAN-EX2, and the 10135B-VAN-CL1


virtual machines are running:

3.

10135B-VAN-DC1: Domain controller in the Adatum.com domain.

10135B-VAN-EX1: Exchange 2010 server in the Adatum.com domain.

10135B-VAN-EX2: Exchange 2010 server in the Adatum.com domain.

10135B-VAN-CL1: Client computer in the Adatum.com domain.

If required, connect to the virtual machines.

Lab Scenario
To enable client access to the server, your organization has decided to enable both Outlook Web App and
Exchange ActiveSync for its users. However, the security officer at A. Datum Corporation has defined
security requirements for the Outlook Web App and Exchange ActiveSync deployment. Therefore, you
need to enable the security features for both Outlook Web App and Exchange ActiveSync.

4-68

Managing Client Access

Exercise 1: Configuring Outlook Web App


Scenario
A. Datum Corporation has several users who work regularly from outside the office. These users should be
able to check their email from any client computer, including client computers located in public areas. To
provide this functionality, you must configure the server settings for Outlook Web App, and configure
Outlook Web App policies. You also need to verify that the settings have been successfully applied.
The main tasks for this exercise are:
1.

Configure IIS to use the Internal CA certificate.

2.

Configure Outlook Web App settings for all users.

3.

Configure an Outlook Web App Mailbox Policy for the Branch Managers.

4.

Verify the Outlook Web App configuration.

X Task 1: Configure IIS to use the Internal CA certificate


1.

On VAN-EX2, in Internet Information Services (IIS) Manager, verify that the owa virtual directory
under the Default Web Site is configured to require SSL.

2.

Verify that the Default Web Site is configured to use the Adatum Mail Certificate.

X Task 2: Configure Outlook Web App settings for all users


1.

On VAN-EX2, in Exchange Management Console, verify that the owa virtual directory is configured to
use forms-based authentication. Modify the forms-based authentication to use the user name only
and to use the Adatum.com domain automatically.

2.

Disable the Tasks and Rules display for all users.

3.

Use the set-owavirtualdirectory owa (Default Web Site) ForceSaveFileTypes .doc cmdlet to
force all users to save Word documents before opening them.

4.

Use the set-owavirtualdirectory owa (Default Web Site) GzipLevel Off cmdlet to disable GZip
compression.

5.

Use the Set-OwaVirtualDirectory -identity Owa (Default Web Site) FilterWebBeaconsAndHtmlForms ForceFilter cmdlet to block all Web beacons and HTML forms.

6.

Use the IISReset /noforce command to restart IIS.

X Task 3: Configure an Outlook Web App Mailbox Policy for the branch managers
1.

Create a new Outlook Web App Mailbox policy, and configure the policy with the name Branch
Managers Policy.

2.

Configure the policy to prevent branch managers from changing their password.

3.

Apply the policy to all users in the Branch Managers organization unit (OU).

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-69

X Task 4: Verify the Outlook Web App configuration


1.

On VAN-EX1, connect to https://mail.Adatum.com/owa.

2.

Log on to Outlook Web App as Adatum\Sharon using the password Pa$$w0rd. Sharon is not in the
Branch Managers OU.

3.

Verify that the Tasks folder is not displayed in the user mailbox, and that Sharon cannot configure a
new Inbox rule in the ECP.

4.

Connect to OWA again, and log on as Adatum\Johnson using the password Pa$$w0rd. Johnson is
in the Branch Managers OU.

5.

Verify that the Tasks folder is listed in the user mailbox, but that Johnson is not able to change his
password.

Results: After this exercise, you should have configured Outlook Web App on VAN-EX2. This
configuration includes assigning the internal CA certificate to the Default Web Site, and configuring
Outlook Web App settings for all users, as well as for specific users. You also should have verified the
Outlook Web App settings.

Exercise 2: Configuring Exchange ActiveSync


Scenario
A. Datum Corporation has several users who use Windows Mobile devices to access their mail. You need
ensure that these users can access their mailboxes using Exchange ActiveSync. To ensure that the client
connection is secure, you must configure an Exchange ActiveSync policy, and apply it to a user account.
You will also install a root certificate on the mobile device, and configure SSL security. Lastly, you need to
manage the mobile device as both an administrator and a user using ECP.
The main tasks for this exercise are:
1.

Verify the Exchange ActiveSync virtual directory configuration.

2.

Create a new Exchange ActiveSync mailbox policy.

X Task 1: Verify the Exchange ActiveSync virtual directory configuration

On VAN-EX2, in Exchange Management Console, review the configuration for the Microsoft Server
ActiveSync virtual directory on VAN-EX2.

4-70

Managing Client Access

X Task 2: Create a new Exchange ActiveSync mailbox policy


1.

On VAN-EX2, in Exchange Management Console, create a new Exchange ActiveSync Mailbox policy
with the following configuration:

Name: EAS Policy 1

Enable unprovisionable devices

Enable attachments to be downloaded to the device

Require passwords

Enable password recovery

2.

Review the other Exchange ActiveSync Mailbox policy settings.

3.

Apply the Exchange ActiveSync Mailbox policy to Scott MacDonald.

Results: After this exercise, you should have configured the Exchange server environment to support
Exchange ActiveSync. You first verified that Exchange ActiveSync worked, and then enhanced the security
configuration by creating a more secure Exchange ActiveSync Mailbox policy, and by enabling SSL for all
Exchange ActiveSync connections.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1.

On the host computer, start Microsoft Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

4.

In the Virtual Machines pane, click 10135B-VAN-DC1, and then in the Actions pane, click Start.

5.

To connect to the virtual machine for the next modules lab, click 10135B-VAN-DC1, and then in the
Actions pane, click Connect.
Important Start the VAN-DC1 virtual machine first, and ensure that it is fully started
before starting the other virtual machines.

6.

Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7.

Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

4-71

Module Review and Takeaways

Review Questions
1.

2.
3.

You need to ensure that users from the Internet can connect to a Client Access server by using
Outlook Anywhere. How will you configure the firewall between the Internet and the Client Access
server?
You need to ensure that the same Exchange ActiveSync policies are assigned to all users, with the
exception of the Executives group. This group requires higher security settings. What should you do?
You have deployed an Exchange Server 2010 server in an organization that includes several Exchange
Server 2003 servers. How will Exchange Server 2010 obtain free\busy information for user mailboxes
on the Exchange Server 2003 servers?

Common Issues Related to Client Connectivity to the Client Access Server


Identify the causes for the following common issues related to client connectivity to the Client Access
server, and complete the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue
Users using Web browsers
other than Internet Explorer
may have trouble
authenticating.
Clients receive certificaterelated errors when they
connect to the Client Access
server.
Users from the Internet are
not able to connect to the
Client Access server.

Troubleshooting tip

4-72

Managing Client Access

Real-World Issues and Scenarios


1.

Your organization has two locations with an Internet connection in each location. You need to ensure
that when users access their email using Outlook Web App from the Internet, they will always connect
to the Client Access server in their home office.

2.

You are planning on enabling Outlook Web App, Outlook Anywhere, and Exchange ActiveSync access
to your Client Access server. You want to ensure that all client connections are secure by using SSL,
and that none of the clients receives errors when they connect to the Client Access server. You plan
on requesting a certificate from a Public CA. What should you include in the certificate request?

3.

You have deployed two Client Access servers in the same Active Directory site. When one of the Client
Access servers shuts down, users can no longer access their email. What should you do?

Best Practices Related to Planning the Client Access Server Deployment


Supplement or modify the following best practices for your own work situations.
When designing the Client Access server configuration, consider the following recommendations:

The recommended processor configuration for Client Access servers is eight processor cores, and the
maximum recommended number of processor cores is 12. You should deploy at least two processor
cores for Client Access serverseven in small organizationsbecause of the addition of the RPC
Client Access service on the Client Access server.

As a general guideline, you should deploy three Client Access server processor cores in an Active
Directory site for every four Mailbox server processor cores.

The recommended memory configuration for Client Access server is 2 gigabytes (GB) per processor
core, with a maximum of 8 GB.

Deploying Client Access servers on a perimeter network is not a supported scenario. The Client Access
server must be deployed on the internal network. The Client Access server role must be installed on a
member server, and it must have access to a domain controller and global catalog server, as well as
the Mailbox servers inside the organization.

Use Device Access Rules and quarantine options to control mobile devices.

Tools
Tool

Use for

Microsoft Exchange Server


Remote Connectivity
Anaylzer

Troubleshooting Internet

Test E-Mail
AutoConfiguration

Troubleshooting Outlook

Internet Information Server


(IIS) Manager

Configuring SSL settings for

connectivity for messaging


clients.
Connectivity to the Client
Access server.

Client Access server virtual


directories.

Where to find it
http://go.microsoft.com/fwlink
/?LinkId=179969
Open Outlook, press and hold Ctrl,
right-click the Outlook connection
object, and then click Test E-Mail
AutoConfiguration.
Administrative Tools

5-1

Module 5
Managing Message Transport
Contents:
Lesson 1: Overview of Message Transport

5-3

Lesson 2: Configuring Message Transport

5-18

Lab: Managing Message Transport

5-33

5-2

Managing Message Transport

Module Overview

This module describes how to manage message transport in Microsoft Exchange Server 2010. To
implement message transport in Exchange Server 2010, it is important to understand the components of
message transport, how Exchange Server 2010 routes messages, and how you can troubleshoot messagetransport issues.
This module also provides details on deploying the Exchange Server 2010 Hub Transport server, and the
options that you can configure.
After completing this module, you will be able to:

Describe message transport in Exchange Server 2010.

Configure message transport.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-3

Lesson 1

Overview of Message Transport

In this lesson, you will review message flow and the components that message transport requires,
especially when you implement multiple Exchange Server 2010 Hub Transport servers. To understand
message flow, you should know how message routing works within an Exchange Server organization, and
how Exchange Server routes messages between Active Directory Domain Services (AD DS) sites or
outside the Exchange Server organization. Exchange Server 2010 provides several tools for
troubleshooting Simple Mail Transfer Protocol (SMTP) message delivery, and this lesson describes how
you can use these troubleshooting tools.
After completing this lesson, you will be able to:

Describe the components of message transport.

Describe how an Exchange Server organization routes messages.

Describe message routing between Active Directory sites.

Describe options for modifying the default message flow.

Describe the tools for troubleshooting SMTP message delivery.

Troubleshoot SMTP message delivery.

5-4

Managing Message Transport

Components of Message Transport

Message transport in Exchange Server 2010 consists of several components that work together to route
messages. These components include the SMTP Receive connector through which messages from inside
or outside the organization enter the transport pipeline, and Agent delivery, which is a non-Microsoft
agent that directly submits messages. Other message transport components include:

Submission queue

Categorizer

Store driver

Microsoft Exchange Mail Submission service

Pickup and Replay directories

Submission Queue
When the Microsoft Exchange Transport service starts, the categorizer creates one submission queue on
each Edge Transport server and Hub Transport server. The submission queue stores all messages on a disk
until the categorizer processes them for delivery. The categorizer cannot process a message until the
transport server promotes it to the submission queue. During the time that the categorizer processes a
message, a copy of the message remains in the submission queue. After successful processing, the
message is removed from both the categorizer and the submission queue.
Messages can enter the submission queue in several ways:

Messages received by an SMTP Receive connector. This is used for inbound messages from the
Internet or from a client using Post Office Protocol version 3 (POP3) or Internet Message Access
Protocol version 4 (IMAP4).

Messages placed in the Pickup directory. This method is used for troubleshooting and legacy
applications.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-5

Messages submitted by a transport agentsuch as a non-Microsoft connectorto a foreign


messaging system.

Messages submitted by the store driver. This method is used to retrieve messages from the senders
Outbox. This queue exists only on Hub Transport servers and not on Edge Transport servers, because
Edge Transport servers do not communicate with Mailbox servers.

Messages resubmitted after failed delivery. The categorizer resubmits messages that are not delivered
on the first attempt. You also can manually resubmit messages.

Delivery Queue
Delivery queues contain messages that the Exchange Server has yet to deliver. Messages are placed in one
of two delivery queuesmailbox delivery queue or remote delivery queuedepending on their intended
delivery route.

Mailbox delivery queues hold messages that are being delivered to Mailbox servers located in the
same site. Messages are delivered by using encrypted Remote Procedure Calls (RPCs). Mailbox
delivery queuesone queue for each databaseexist only on Hub Transport servers.

Remote delivery queues contain messages that are being delivered to a remote server by using SMTP.
Remote delivery queues can exist on both Hub Transport servers and Edge Transport servers, and
more than one remote delivery queue can exist on each server. On Edge Transport servers, these
destinations are external SMTP domains or SMTP connectors. On Hub Transport servers, these
destinations may refer to Hub Transport servers in remote Active Directory sites, Edge Transport
servers, or non-Exchange Server SMTP connections.
Note Exchange Server 2010 has additional queues. These include the Poison message
queue, which is a queue that is used to isolate messages that could be potentially harmful
to the Exchange Server 2010 system after a server failure. This queue is typically empty, and
if no poison messages exist, the queue does not appear in the queue-viewing interfaces.
The Unreachable queue contains messages that cannot be routed to their destinations.
Typically, an unreachable destination is caused by configuration changes that have modified
the routing path for delivery.

Categorizer
The categorizer retrieves one message at a time from the submission queue, and it always picks the oldest
message first. On an Edge Transport server, categorization of an inbound message is a short process in
which the categorizer verifies the recipient SMTP address and places the message directly into the delivery
queue. From the delivery queue, it routes the message to a Hub Transport server or an Internet SMTP
server.
On a Hub Transport server, the categorizer performs the following tasks:

Identifies and verifies recipients. All messages must have a valid SMTP address.

Bifurcates messages that have multiple recipients. Expanding the distribution lists enables
identification of individual recipients who belong to the distribution lists. Additionally, the categorizer
processes the return path for distribution-list delivery status notifications (DSNs), and it determines
whether out-of-office messages or automatically generated replies are sent to the sender of the
original message.

5-6

Managing Message Transport

Determines routing paths. As part of determining the routing path, the categorizer identifies the
destination. The possible destinations could be a users mailbox, a public folder, or an expansion
server for distribution groups. If the categorizer cannot determine a valid destination, it generates a
non-delivery report (NDR).

Converts content format. The categorizer converts messages to an appropriate format for recipients
who require varying formats. Within the Exchange Server organization, the recipient format is stored
in AD DS. Messages routed to the Internet are sent in the Multipurpose Internet Mail Extensions
(MIME) or Secure Multipurpose Internet Mail Extensions (S/MIME) format.

Applies organizational message policies. You can use organizational policies to control message size,
permissions for sending messages to specific users, the number of message recipients, and other
message characteristics.

Store Driver
The store driver is a software component that is present on each Hub Transport server. The store driver
retrieves messages from the senders Outbox and then submits them to the submission queue. The
responding store driver mechanism places a copy of the message into the Hub Transport servers
submission queue so that the categorizer can later process the message. After the store driver adds the
messages successfully to the submission queue, it moves the message from the senders Outbox to the
senders Sent Items folder.
Messages in the Outbox are stored in Messaging Application Programming Interface (MAPI) format. The
store driver must convert them to Summary Transport Neutral Encapsulation Format (STNEF) before
placing them in the submission queue. The store driver performs this conversion to ensure successful
delivery of messages despite the format that was used to create the messages. A TNEF-encoded message
contains a plain text version of the message, and a binary attachment that contains various other parts of
the original message. Some Microsoft Outlook 2010 features require TNEF encoding to be understood
correctly by an Internet email recipient who also uses Outlook. For example, when you send a message
with voting buttons to a recipient over the Internet, if TNEF is not enabled for that recipient, the voting
buttons will not be received. If the store driver cannot convert the content, it generates an NDR.

Microsoft Exchange Mail Submission Service


The Microsoft Exchange Mail Submission service is a notification service that runs on Mailbox servers. It
notifies a Hub Transport server role in the local Active Directory site when a message is available for
retrieval from a senders Outbox. The store driver on the notified Hub Transport server role picks up the
message from the senders Outbox. If there are multiple Hub Transport servers in the Active Directory site,
the Microsoft Exchange Mail Submission service attempts to distribute notifications evenly between the
Hub Transport servers, and will use the first Hub Transport server that responds.

Pickup and Replay Directories


Most messages enter the message transport pipeline through SMTP Receive connectors, or by submission
through the store driver. However, messages can also enter the message transport pipeline by being
placed in the Pickup or Replay directory on a Hub Transport server or an Edge Transport server.
After a message is placed in the Pickup directory, the store driver adds the message to the submission
queue. The store driver then deletes the message from the Pickup directory. Messages from the Pickup
directory must be text files that comply with the basic SMTP message format and have configured read
and write permissions.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-7

The Pickup directory allows the Hub Transport server to process and deliver a properly formatted text file.
This can be useful for validating mail flow in an organization, replaying specific messages, or returning
recovered email to the message-transport pipeline. Additionally, some legacy applications may place
messages directly into the Pickup directory for delivery, rather than communicate directly with Exchange
Server SMTP Receive connectors.

5-8

Managing Message Transport

How Are Messages Routed in an Exchange Server Organization?

In an Exchange Server messaging environment, you must deploy a Hub Transport server role in each
Active Directory site where a Mailbox server role or a Unified Messaging server is installed. Hub Transport
servers deliver all messages in an Exchange Server 2010 organization, including messages sent between
two recipients with mailboxes located in the same Mailbox database, on the same site, and between
Active Directory sites.
The following process describes how a Hub Transport server delivers mail within a single Active Directory
site:
1.

The message flow begins when a message is submitted to the message store on an Exchange Server
2010 Mailbox server role.
If the client is a Microsoft Office Outlook client, the message is submitted using MAPI, and the
message is written directly to the Outbox in the users mailbox.

2.

When the Microsoft Exchange Mail Submission service detects that a message is available and waiting
in an Outbox, it picks an available Hub Transport server and submits a new message notification to
the store driver.

3.

The store driver retrieves the message from the Mailbox server role. The store driver uses MAPI to
connect to the users Outbox and collect any messages that are awaiting delivery. The store driver
submits the messages to the categorizer submission queue, for processing, and also moves a copy of
the message from the users Outbox to the users Sent Items folder.
Note While the message is passing through the Hub Transport server role, the server can
use transport agents to modify the message or the message flow. For example, transport
agents can apply custom routing or journaling rules, or perform antivirus filtering.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-9

4.

For messages destined to arrive at a Mailbox server on the same Active Directory site, the store driver
places the message in a local delivery queue and delivers the message through MAPI to the Mailbox
server role.

5.

For messages destined to arrive at a Mailbox server on another Active Directory site, the Hub
Transport server uses the Active Directory site-link information to determine the route to the
destination site. After determining the path, the Hub Transport server connects directly to the server
on the remote site. If no Hub Transport server on the destination site is available, the store driver
routes the message to a Hub Transport server that is closer to the destination site.

6.

For messages destined for the Internet, the Hub Transport server delivers the message to an Edge
Transport server, which delivers the message to the appropriate Internet email server. If the
organization does not use an Edge Transport server, a Hub Transport server delivers the message
directly to the appropriate Internet email server using SMTP.

Message-Flow Characteristics
In an organization with multiple sites, message flow has the following characteristics:

Direct relay routing. The Hub Transport server delivers messages directly to a Hub Transport server on
the remote site, unless there is a communication problem or hub sites are enabled.

Queue at point of failure. The Hub Transport server uses the site-link cost assignment to determine
a routing topology only when direct communication with a Hub Transport server role on the
destination site fails. If no Hub Transport server on the destination site responds, the Hub Transport
server uses IP site-link costs to determine the closest site at which to queue the message.

Using hub sites to control message routing. If you configure a hub site along the least cost path for
message delivery, the message is delivered to a Hub Transport server on the hub site rather than
using direct relay routing. The Hub Transport server on the hub site delivers the message to a Hub
Transport server on the next hub site or the destination Active Directory site.

Delayed fan-out. As the Hub Transport server delivers messages throughout the Exchange Server
organization, the Hub Transport server delays expansion of distribution lists and message bifurcation
until messages reach a fork in the routing topology. Delayed fan-out applies when you use hub sites
to control message routing, and it overrides direct relay routing when appropriate to minimize wide
area network (WAN) utilization.

Shadow redundancy. This feature provides redundancy for messages for the entire time they are in
transit. The solution involves a technique similar to the Transport Dumpster. The Transport Dumpster
stores recent messages that are redelivered in the case of a Mailbox server failure. With shadow
redundancy, a messages deletion from the transport databases is delayed until the transport server
verifies that all of the messages next hops have completed delivery. If any of the next hops fail before
reporting that a successful delivery has occurred, it resubmits the message for delivery to that next
hop.

5-10 Managing Message Transport

How Are Messages Routed Between Active Directory Sites?

For remote mail-flow scenarios, the initial steps, in which the message passes from the Mailbox server to
the Hub Transport server, are identical to those of the local mail-flow scenario.

Understanding Remote Mail Flow


When a message is addressed to a recipient in the same Exchange Server organization, but in a different
Active Directory site, the following process takes place:
1.

The local Mailbox server uses Active Directory site-membership information to determine which Hub
Transport servers are located in the same Active Directory site as the Mailbox server. The Mailbox
server submits the message to the local Hub Transport server. If more than one Hub Transport server
exists in the site, the Mailbox server will load-balance message delivery to all available Hub Transport
servers.

2.

The Hub Transport server performs recipient resolution and queries AD DS to match the recipient
email address to a recipient account. The recipient account information includes the fully qualified
domain name (FQDN) of the users Mailbox server. The FQDN determines the Active Directory site of
the users Mailbox server.

3.

In a default configuration, the local Hub Transport server opens an SMTP connection to the remote
Hub Transport server in the destination site, and then delivers the message. After a Hub Transport
server in the destination Active Directory site receives the message, it forwards the message to the
appropriate Mailbox server in the destination Active Directory site.

4.

If the message has multiple recipients whose mailboxes are in different Active Directory sites,
Exchange Server uses delayed fan-out to optimize message delivery. If the recipients share a portion
of the path, or the entire path, Exchange Server sends a single copy of the message with these
recipients until the bifurcation point. Exchange Server then bifurcates and sends a separate copy to
each recipient.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-11

For example, if the least-cost routes from Site1 to Site3 and Site4 both pass through Site2, Exchange
Server sends a single copy of a message intended for recipients in Site3 and Site4 to a Hub Transport
server in Site2. Then, the Hub Transport server in Site2 sends two copies of the message: one each to
a Hub Transport server in Site3 and Site4.

How Exchange Server 2010 Deals with Message-Delivery Failure


If a Hub Transport server cannot deliver a message to a Hub Transport server in the destination site, the
Hub Transport server uses the least-cost routing path to deliver the message as close as possible to the
destination site. The source Hub Transport server attempts to deliver the message to a Hub Transport
server in the last site before the destination site, along the least-cost routing path. The Hub Transport
server continues to trace the path backward until it makes a connection to a Hub Transport server. The
Hub Transport server queues the messages in that Active Directory site, and the queue is in a retry state.
If Hub Transport servers are not available in any site along the least-cost route, the message is queued on
the local Hub Transport server. This behavior is called queue at point of failure.

5-12 Managing Message Transport

Options for Modifying the Default Message Flow

In some cases, you may want to modify the default message routing configuration. You can do this by
configuring specific Active Directory sites as Hub sites, and by assigning Exchange Server-specific routing
costs to Active Directory site links. Hub sites are central sites that you define to route messages.
By default, Hub Transport servers in one site will try to deliver messages to a recipient in another site by
establishing a direct connection to a Hub Transport server in the remote Active Directory site. However,
you can modify the default message-routing topology in three ways.

Configuring Hub Sites


You can configure one or more Active Directory sites in your organization as hub sites. When a hub site
exists along the least-cost routing path between two Hub Transport servers, the messages are routed to a
Hub Transport server in the hub site for processing before they are relayed to the destination server.
Note The Hub Transport server routes a message through a hub site only if it exists along
the least-cost routing path. The originating Hub Transport server always calculates the
lowest cost route first, and then checks if any of the sites on the route are hub sites. If the
lowest cost route does not include a hub site, the Hub Transport server will attempt a direct
connection. Use the Set-ADSite Identity sitename HubSiteEnabled $true cmdlet to
configure a site as hub site.

Configuring Exchange-Specific Routing Costs


You also can modify the default message-routing topology by configuring an Exchange-specific cost to an
Active Directory IP site link. If you assign an Exchange-specific cost to the site link, the Hub Transport
server determines the least-cost routing path by using this attribute rather than the Active Directoryassigned cost.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-13

Note Use the Set-AdSiteLink Identity ADsitelinkname ExchangeCost value cmdlet


to assign Exchange specific routing costs. You also can use the Set-AdSiteLink Identity
ADsitelinkname MaxMessageSize value cmdlet to assign a maximum message size limit
for messages sent between Active Directory sites.

Configuring Expansion Servers for Distribution Groups


You also can modify the default routing topology by assigning expansion servers for distribution groups.
By default, when a message is sent to a distribution group, the first Hub Transport server that receives the
message expands the distribution list and calculates how to route the messages to each recipient in the
list. If you configure an expansion server for the distribution list, all messages sent to the distribution list
are sent to the specified Hub Transport server, which then expands the list and distributes the messages.
For example, you can use expansion servers for location-based distribution groups to ensure that the local
Hub Transport server resolves them.
Note You might need to review the Active Directory site design when you deploy
Exchange Server 2010 to adjust the IP site links and site-link costs so that you optimize
delayed fan-out and instead queue at the point of failure.

5-14 Managing Message Transport

Tools for Troubleshooting SMTP Message Delivery

Similar to Exchange Server 2007, Exchange Server 2010 also provides several tools for troubleshooting
SMTP message delivery.
Note Exchange Server 2010 relies on the Active Directory site configuration for message
routing. Therefore, to troubleshoot a message-routing issue, you might need to use Active
Directory tools to validate or modify site, site link, or IP subnet information, and to verify
Active Directory replication. You can use the Active Directory Sites and Services tool to view
IP subnets and site links.

Using Exchange Server Best Practices Analyzer


The Exchange Server Best Practices Analyzer is a tool that you can use to check the Exchange server
configuration and the health of your Exchange server topology. This tool automatically examines an
Exchange server deployment and determines whether the configuration is in line with Microsoft best
practices. You should run the Best Practices Analyzer after you install a new Exchange server, upgrade an
existing Exchange server, or make configuration changes.

Using the Mail Flow Troubleshooter


The Mail Flow Troubleshooter tool assists Exchange Server administrators in troubleshooting common
mail-flow problems.
When you launch the Mail Flow Troubleshooter, you are prompted to select from the symptoms that
describe the message-flow issue. Based on the symptoms, the tool suggests a troubleshooting path. The
tool also shows an analysis of possible root causes and provides suggestions for corrective actions.
The Mail Flow Troubleshooter is available in the Exchange Management Console Toolbox.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-15

Using the Queue Viewer


Like previous Exchange Server versions, messages waiting to be processed or delivered reside in message
queues on the Exchange Server Hub Transport servers. However, unlike Exchange Server versions before
2007, all message queues reside in a local Exchange Server database on the server. The message queues
provide a very useful diagnostic tool to locate and identify messages that have not been delivered. To
manage queues, you can use either the Exchange Queue Viewer or the Exchange Management Shell.
Exchange Server 2010 features simplified queues. Hub Transport servers maintain five queues:

Submission queue. Contains messages that the Categorizer is processing.

Remote delivery queue. There is one queue for each outbound SMTP domain to which the Hub
Transport server routes mail.

Poison message queue. Contains messages that could cause the server to crash.

Mailbox delivery queue. There is one queue for each Mailbox server to which the Hub Transport server
can deliver messages.

Unreachable queue. Contains messages that Hub Transport servers cannot route to their destinations.

You can view the queues on a Hub Transport server by accessing the Exchange Queue Viewer in the
Toolbox node in the Exchange Management Console.
To manage message queues from the Exchange Management Shell, use the following cmdlets:

Get-Queue

Get-Message

Additionally, you can perform the following tasks on queues and messages in queues from the Exchange
Management Shell:

Suspend-Queue and Resume-Queue

Retry-Queue

Suspend-Message and Resume-Message

Remove-Message
Note For more information on the queues that Exchange Server 2010 uses, and the
process for troubleshooting message flow, see the Managing Queues page on the Microsoft
Technet Web site.

Using Message Tracking and Tracking Log Explorer


You also can use message tracking to troubleshoot message flow. By default, message tracking is enabled
on Hub Transport servers, and all message-tracking logs are stored in the
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking folder. The messagetracking logs are retained for 30 days, with a maximum size for all log files of 250 megabytes (MB). You
can use the set-TransportServer cmdlet in the Exchange Management Shell to modify the default
settings.

5-16 Managing Message Transport

Note To view the message-tracking logs, use the Message Tracking and Tracking Log
Explorer tools available in the Exchange Management Console Toolbox. In Exchange Server
2010, users also can track their messages using the Exchange Control Panel. The Message
Tracking tool does not provide the level of detail that the Tracking Log Explorer provides.
For example, sending a message between two Exchange servers that are in the same Active
Directory site does not show the Exchange server names in Message Tracking whereas
Tracking Log Explorer provides you with this information.

Using the Routing Log Viewer


You can use the routing log viewer to open a routing log file that contains information about how the
routing topology appears to the server. You can use this information when you troubleshoot message
routing within the organization or to the Internet. To use the Routing Log Viewer, start it from the Tools
folder in Exchange Management Console, and then open the routing log files on a specific server. You can
open the current log file or previous ones.

Using Protocol Logging


You also can configure protocol logging to provide detailed information for troubleshooting message
flow. Protocol logging is enabled on the SMTP Send connector or SMTP Receive connector properties,
and the log files are stored in C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs
\ProtocolLog folder.

Using Telnet
You can use Telnet to check if the SMTP port responds, or to directly send a SMTP mail to a connector
to see if the connector accepts it. Telnet is a Windows Server 2008 feature, and you use it from the
command line using the following syntax: telnet <servername> SMTP or Port #. For example, you can use
either TELNET VAN-EX1 SMTP or TELNET VAN-EX1 25, both being basically the same.

TestExchangeConnectivity Website
This website, available at http://go.microsoft.com/fwlink/?LinkId=248382, enables you to test connectivity
to various Exchange services from the Internet, and also test the functionality of these services. In context
of SMTP, you can test inbound and outbound email traffic that is using the SMTP protocol. You can use
this TestExchangeConnectivity web site to test both an on-premises Exchange Server as well as Exchange
Online in Office 365. To use this tool, you must enter the credentials of a working account from the
Exchange domain you want to test. To avoid the risk of your working credentials being exploited and
compromising the security of your Exchange Server environment, we strongly recommend that you create
a test account for the purpose of using this tool, and delete this account immediately after you have
completed the connectivity testing.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-17

Demonstration: How to Troubleshoot SMTP Message Delivery

In this demonstration, you will see how to use Telnet and Queue Viewer to troubleshoot SMTP message
delivery.

Demonstration Steps
1.

Open the Command Prompt window.

2.

To start the Telnet tool, at the command prompt, type Telnet VAN-EX1 SMTP, and try to send a mail
using Telnet.

3.

In Exchange Management Console, from the Toolbox pane in Exchange Management Console, start
the Queue Viewer tool.

4.

Suspend and resume the Submission queue.

5.

Close Queue Viewer.

5-18 Managing Message Transport

Lesson 2

Configuring Message Transport

To configure message transport in an Exchange Server organization, you must first configure the Hub
Transport servers. It is important to understand the various message-transport concepts and components,
such as accepted and remote domains and SMTP connectors. This lesson also describes the various tasks
of configuring a Hub Transport server and message routing.
After completing this lesson, you will be able to:

Describe the process for configuring Hub Transport Servers.

Configure Hub Transport Servers.

Describe the options for configuring message transport.

Describe accepted domains.

Describe remote domains.

Configure accepted and remote domains.

Describe an SMTP connector.

Configure SMTP Send and Receive connectors.

Describe the purpose and functionality of back pressure.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-19

Process for Configuring Hub Transport Servers

By default, when you install a Hub Transport server in an Exchange Server 2010 organization, this enables
message routing within the organization. However, you might need to configure additional options on
the Hub Transport server role.
To configure a Hub Transport server, use the following process:
1.

Configure server-specific settings. These settings include internal Domain Name System (DNS)
configuration and connection limits.

2.

Configure authoritative domains and email address policies. An authoritative domain is one for which
the Exchange Server organization accepts messages and has mailboxes. You first must configure an
authoritative domain before you can configure email address policies to apply email addresses to
recipients and accept inbound SMTP messages for those recipients.

3.

Configure a postmaster mailbox. For each accepted domain, you should configure a postmaster
mailbox. The postmaster mailbox must meet the requirements of RFC 2822, and to receive NDRs and
DSNs. You can create a new mailbox, or you can add the postmaster alias to an existing mailbox user.

4.

Configure Internet message flow. If you are not deploying an Edge Transport server, you will need to
configure the Hub Transport server to enable inbound and outbound mail flow. To enable inbound
mail flow, configure an SMTP Receive connector to accept anonymous connections on port 25 using
a network interface that is accessible from the Internet. To enable outbound email flow, configure an
SMTP Send connector with an address space of *that can use DNS or a smart host to send messages
to the Internet.

5-20 Managing Message Transport

5.

If you are using the Hub Transport server to send and receive email from the Internet, you should
configure antivirus and anti-spam agents on the Hub Transport server.
Note We strongly recommend that you use an Edge Transport server role or some other
SMTP relay server to send and receive messages from the Internet. If you are using an SMTP
gateway server other than an Exchange Server 2010 Edge Transport server role, you still will
need to configure the SMTP Send connector and SMTP Receive connector. The only
difference is that you should configure the SMTP gateway server as the smart host on the
SMTP Send connector and accept only connections from the SMTP gateway server on the
SMTP Receive connector. As an alternative to managing your own Edge Transport server
role, you should also consider Exchange Hosted Services.

6.

Configure messaging policies. By default, messaging policies are not applied to messages passing
through the Hub Transport server role. As part of the Hub Transport server role deployment, you
must configure your organizations transport and journaling rules.

7.

Configure administrative permissions. As part of the Hub Transport server role deployment, you can
choose to delegate permissions to configure and monitor the server.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-21

Demonstration: How to Configure Hub Transport Servers

In this demonstration, you will review the options for configuring Hub Transport servers.

Demonstration Steps
1.

On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server
2010, and then click Exchange Management Console.

2.

In Exchange Management Console, expand Microsoft Exchange On-Premises, expand


Organization Configuration, and then click Hub Transport.

3.

On the Global Settings tab, double-click Transport Settings and review the options on the
Message Delivery tab.

4.

In Exchange Management Console, expand Server Configuration, and then click Hub Transport.
Open Hub Transport server properties and review the options on the Log Settings tab and the
Limits tab.

5.

At the Exchange Management Shell command prompt, type


Get-TransportServer -I van-ex1 |fl, and then press Enter.

5-22 Managing Message Transport

What Are Accepted Domains?

As part of the Hub Transport server-configuration process, you should configure the domains for which
the Hub Transport server will accept email, and configure users with alternate email addresses.

Configuring Accepted Domains


The accepted domain property specifies one or more SMTP domain names for which the Exchange server
receives mail. If an SMTP Receive connector on the Exchange Server 2010 Hub Transport server receives a
message that is addressed to a domain that is not on the accepted domain list, it rejects the message and
sends an NDR.
To configure an accepted domain, access the Organization Configuration node, and then click Hub
Transport. You can view the current accepted domains in the Accepted Domains tab, and you can
create additional domains by clicking New Accepted Domain in the Actions pane.
When you create a new accepted domain, you have three options for the domain type you want to
create:

Authoritative Domain. Select this option if the recipients using this domain name have mailboxes in
the Exchange Server organization.

Internal Relay Domain. Select this option if the Hub Transport or Edge Transport server should accept
the email, but relay it to another messaging organization in another Active Directory forest. The
recipients in an internal relay domain do not have mailboxes in this Exchange organization, but do
have contacts in the global address list (GAL). When messages are sent to the contacts, the Hub
Transport server or Edge Transport server forwards them to another SMTP server.

External Relay Domain. Select this option if the Hub Transport or Edge Transport server should accept
the email, but relay it to an alternate SMTP server. In this scenario, the transport server receives the
messages for recipients in the external relay domain, and then routes the messages to the email
system for the external relay domain. This requires a Send connector from the transport server to the
external relay domain.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Note To configure accepted domains using the Exchange Management Shell, use the
New-AcceptedDomain or Set-AcceptedDomain cmdlet.

5-23

5-24 Managing Message Transport

What Are Remote Domains?

Remote domains define SMTP domains that are external to your Exchange organization. You can create
remote domain entries to define the settings for message transfer between the Exchange Server 2010
organization and domains outside your AD DS forest. When you create a remote domain entry, you
control the types of messages that are sent to that domain. You also can apply message-format policies
and acceptable character sets for messages that are sent from your organizations users to the remote
domain. The settings for remote domains determine the Exchange organizations global configuration
settings.
Note In Exchange Server 2010 Service Pack 2 (SP2), it is possible to define an Office 365
infrastructure as your remote domain. If the new remote domain you are creating
represents the part of your organization that is hosted on Office 365, you should use the
Office 365 Tenant Domain tab in the of Remote Domain Properties dialog box.

Creating Remote Domain Entries


You can create remote domain entries to define the mail-transfer settings between the
Exchange Server 2010 organization and a domain that is outside your Active Directory forest. When you
create a domain entry, you provide a name to help the administrator identify the entrys purpose when
they view configuration settings.
This name is limited to 64 characters. You also provide the domain name to which this entry and the
associated settings will apply. You can use a wildcard character in the domain name to include all
subdomains. The wildcard character must appear at the start of the domain name entry. The SMTP
domain name is limited to 256 characters.

Configuring Remote Domain Settings


The configuration for a remote domain determines the out-of-office message settings for email that is
sent to the remote domain and the message format settings for email that is sent to the remote domain.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-25

Out-of-Office Message Settings


The out-of-office message settings control the messages that are sent to recipients in the remote domain.
The types of out-of-office messages that are available in your organization depend on both the Microsoft
Office Outlook client version and the Exchange Server version on which the users mailbox is located.
An out-of-office message is set on the Outlook client but is sent by the Exchange server. Exchange Server
2010 supports three out-of-office message classifications: external, internal, and legacy.

Message Format Options Including Acceptable Character Sets


You can configure multiple message format options to specify message delivery and formatting policies
for the messages that are sent to recipients in the remote domain.
The first set of options on the Message Format tab apply restrictions to the types of messages that can
be sent to the remote domain, how the senders name displays to the recipient, and the column width for
message text. These options include:

Allow automatic replies.A client email program may have a rule set to reply automatically to
messages that are sent to a particular distribution group. If you select this option, automatic replies
are sent to the remote domain. By default, this option is not selected, and automatic replies are not
sent to any recipient in any remote domain.

Allow automatic forward. A client email program may have a rule set to automatically forward
particular messages to another email address. If you select this option, automatic forwards are sent to
the remote domain. By default, this option is not selected, and automatic forwards are not sent to any
recipient in any remote domain.

Allow delivery reports. You can configure a client email program to notify the sender when the
message is delivered or is read by the recipient. By default, this option is selected, and delivery reports
are sent to all recipients in any remote domain. If you clear this option, delivery reports are not sent
to any recipient in the remote domain.

Allow nondelivery reports. When a message cannot be delivered to a recipient in the Exchange
organization, the Hub Transport server generates an NDR and sends it to the messages sender. By
default, this option is selected, and NDRs are sent to all email addresses in any remote domain. If you
clear this option, NDRs are not sent to any email address in the remote domain.

Display senders name on messages. A user who has a mailbox on a Mailbox server in the Exchange
organization has both an email address and a display name that is associated with their user account.
By default, this option is selected, and the users display name is visible to the messages recipient. If
you clear this option, the email alias is visible to the recipient. We recommend that you leave this
option selected.

Use message text line-wrap at column. To use line-wrap in message text for outgoing messages,
select this option. Then type the line-wrap size, between 0 and 132 characters, in the text box. To set
the value to unlimited, leave the field blank. The default value is unlimited (blank). If you select this
option, the text of all email messages that are sent from your organization to the remote domain are
displayed with the message text width that you specify.
If you do not set a value for this option, the client email application settings determines the message
text width. Some earlier versions of email clients require that a line break is positioned after the
seventy-sixth or seventy-seventh character. If you do not configure this setting, those email clients will
only view the first 76 characters of each line. Therefore, parts of the message may not appear.

5-26 Managing Message Transport

Meeting forward notification enabled. This setting is available only when you use the Exchange
Management Shell. To configure this option, use the Set-RemoteDomain cmdlet with the
MeetingForwardNotificationEnabled parameter. By default, this setting is set to $true, and meeting
requests that are forwarded to recipients in the remote domain generate a meeting-forward
notification to the meeting organizer. When this parameter is set to $false, meeting requests that are
forwarded to recipients in the remote domain do not generate a meeting-forward notification.

Message Format Options


Use the Exchange Rich-Text Format (RTF) settings to determine whether email messages from your
organization to the remote domain are sent by using Exchange RTF.
Exchange RTF displays colors, fonts, and formatting in the email message. Exchange Server 2010 uses
RTF for messages that are delivered between Outlook clients. However, you can read Exchange RTF
only by using Outlook. The Exchange 2010 RTF format differs from the RTF format that word-processing
programs, such as Office Word, use. If recipients in a remote domain receive a file attachment named
Winmail.dat in their email, that remote domain is incompatible with Exchange RTF. To work around this
issue, you can configure the remote domain to never use Exchange RTF.

Character Sets
The Characters Sets options let you select a MIME character set and a non-MIME character set to use
when you send messages to a remote domain. The character sets used on the Internet are registered with
the Internet Assigned Names Authority (IANA). The most frequently used character sets are US ASCII and
Western European (ISO-8859-1). Other character sets are used to support language settings.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-27

Demonstration: How to Configure Accepted and Remote Domains

In this demonstration, you will review the default accepted domain configuration, and then see how to
configure accepted and remote domains.

Demonstration Steps
1.

In Exchange Management Console, expand Microsoft Exchange On-Premises, expand


Organization Configuration, and then click Hub Transport.

2.

Click the Accepted Domains tab, and then double-click Adatum.com. Click OK.

3.

Click New Accepted Domain and create an accepted domain for adatum.local as Internal Relay
Domain.

4.

Click the Remote Domains tab, and review the default remote domain settings. Click OK.

5.

Click New Remote Domain, and create a remote domain for contoso.com.

5-28 Managing Message Transport

What Is an SMTP Connector?

For a Hub Transport server to send or receive messages using SMTP, at least two SMTP connectors
must be available on the server. An SMTP connector is an Exchange Server component that supports
one-way SMTP connections that route mail between Hub Transport and Edge Transport servers or
between the transport servers and the Internet. You create and manage SMTP connectors from the
Exchange Management Console or the Exchange Management Shell. Exchange Server 2010 provides
two types of SMTP connectors: SMTP Receive connectors and SMTP Send connectors.
Note Exchange Server 2010 automatically creates the Send and Receive connectors that
intra-organization mail flow requires. These are implicit connectors that are not visible in
the Exchange management tools, and you cannot modify them.

What Are SMTP Receive Connectors?


An Exchange Server 2010 computer requires an SMTP Receive connector to accept any SMTP email. An
SMTP Receive connector enables an Exchange Hub Transport or Edge Transport server to receive mail
from any other SMTP sources, including SMTP mail programs, such as Windows Mail and SMTP servers
on the Internet, Edge Transport servers, or other Exchange Server SMTP servers.
You create SMTP Receive connectors on each server running the Hub Transport server role. Use the
following naming protocol for the SMTP Receive connectors: Client SERVERNAME Receive connector,
which you configure to receive connections from SMTP clients such as Windows Mail; and Default
SERVERNAME Receive connector, which you configure to receive authenticated connections from other
SMTP servers. The default configuration for the two connectors is almost identical, but with one important
difference: you configure the Client SERVERNAME Receive connector to listen on port 587 rather than
port 25. As described in RFC 2476, port 587 has been proposed to be used only for message submission
from email clients that require message relay.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-29

You can configure multiple SMTP Receive connectors with different parameters on a single Exchange
server. In large organizations, there can be multiple SMTP Receive connectors on a single server or on
multiple servers. In small to medium-sized organizations, as few as two connectors (a Send and a Receive
connector) could serve the entire organization.
Note You must configure each SMTP Receive connector with a port on which the
connector will receive connections, local IP addresses that will be used for incoming
connections, and a remote IP subnet that can send mail to this SMTP Receive connector.
The combination of these three properties must be unique across every SMTP Receive
connector in the organization.

What Are SMTP Send Connectors?


An Exchange Server 2010 computer requires an SMTP Send connector to send any SMTP email, and to
send email to any SMTP server on the Internet or to any SMTP servers in the same Exchange Server
organization.
Note By default, no SMTP Send connectors are configured on Hub Transport servers,
except for the implicit SMTP Send connectors. These are created dynamically to
communicate with Hub Transport servers in other sites.

How to Manage SMTP Connectors


You can use the Exchange Management Console or the Exchange Management Shell to create, configure,
or view SMTP connectors. In the Exchange Management Console, you configure SMTP Receive connectors
for each Hub Transport server, while you configure Send connectors in the Organization Configuration
node. To manage connectors using the Exchange Management Shell, use the Set-ReceiveConnector and
Set-SendConnector cmdlets.
Note Incorrect configuration of SMTP Receive connectors can lead to opened relay on the
mail server. Therefore, you must carefully test the configuration.

5-30 Managing Message Transport

Demonstration: How to Configure SMTP Send and Receive Connectors

In this demonstration, you will see how to configure SMTP Send and Receive connectors.

Demonstration Steps
1.

In Exchange Management Console, expand Microsoft Exchange On-Premises, expand


Organization Configuration, and then click Hub Transport.

2.

Click the Send Connectors tab and create a New Send Connector.

3.

In Exchange Management Console, expand Server Configuration, and then click Hub Transport.

4.

Click New Receive Connector and create a Receive connector that allows the anonymous group to
send messages.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-31

What Is Back Pressure?

Back pressure is a system-resource monitoring feature of the Microsoft Exchange Transport service that
exists on computers that have the Hub Transport server role or Edge Transport server role installed.
Back pressure monitors important system resources, such as available hard-disk drive space and available
memory. If utilization of a system resource exceeds the specified limit, the Exchange server stops
accepting new connections and messages. This prevents the system resources from being completely
overwhelmed, and enables the Exchange server to deliver the existing messages. When utilization of the
system resource returns to a normal level, the Exchange server accepts new connections and messages.
Back pressure can be used to:

Monitor system resources, such as available hard disk drive space and memory.

Restrict new connections and messages if a system resource exceeds a specified level.

Prevent the server from being completely overwhelmed.

For each monitored system resource on a Hub Transport server or Edge Transport server, the following
three levels of resource utilization are applied:

Normal. The resource is not overused. The server accepts new connections and messages.

Medium. The resource is slightly overused. Back pressure is applied to the server in a limited manner.
Mail from senders in the authoritative domain can flow. However, the server rejects new connections
and messages from other sources.

High. The resource is severely overused. Full back pressure is applied. All message flow stops, and the
server rejects all new connections and messages.

5-32 Managing Message Transport

Options for Configuring Back Pressure


All configuration options for back pressure are available in the EdgeTransport.exe.config application
configuration file that is located in the C:\Program Files\Microsoft\Exchange Server\Bin directory.
The EdgeTransport.exe.config file is an XML application configuration file that is associated with the
EdgeTransport.exe file. The Microsoft Exchange Transport service uses the EdgeTransport.exe and
MSExchangeTransport.exe executable files. This service runs on every Hub Transport server or Edge
Transport server. Exchange Server applies the changes that are saved to the EdgeTransport.exe.config file
after the Microsoft Exchange Transport service is restarted.
Back pressure is turned on with the predefined default settings. There are various options you
can configure in back pressure, such as the PercentageDatabaseDiskSpaceUsedHighThreshold or
PercentagePrivateBytesUsedHighThreshold. However, Microsoft does not recommend modifying the
default back pressure configuration, so you should do it only when absolutely necessary. Incorrect
configuration of back pressure can affect system performance and functionality.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-33

Lab: Managing Message Transport

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.

2.

Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and the 10135B-VAN-EX2 virtual machines are
running:

3.

10135B-VAN-DC1: Domain controller in the Adatum.com domain

10135B-VAN-EX1: Exchange 2010 server in the Adatum.com domain

10135B-VAN-EX2: Exchange 2010 server in the Adatum.com domain

If required, connect to the virtual machines. Log on to VAN-DC1, VAN-EX1 and VAN-EX2 as
Adatum\Administrator, using the password Pa$$w0rd.

Lab Scenario
You are a messaging administrator in A Datum Corporation., which is a large multinational organization
that has offices in London, Tokyo, and Vancouver, which is its headquarters. Your organization has
deployed Exchange Server 2010 in two of its sites. However, all Internet messages should flow through the
main site in Vancouver. As part of your job responsibilities, you need to set up the message transport to
and from the Internet and also ensure that the message flow works within and between the various sites.

5-34 Managing Message Transport

Exercise 1: Configuring Internet Message Transport


Scenario
Your organization has deployed Exchange Server 2010 in two of its sites. However, all Internet messages
should flow through the main site. As part of your job responsibilities, you need to set up the message
transport to and from the Internet. You also want to configure the Hub Transport server for anti-spam.
The main tasks for this exercise are:
1.

Configure a Send connector to the Internet.

2.

Configure a Receive connector to accept Internet messages.

3.

Enable anti-spam functionality on the Hub Transport server.

4.

Verify that Internet message delivery works.

X To prepare for this lab


1.

On VAN-EX2, click Start, right-click Network, and then click Properties.

2.

Click Change adapter settings.

3.

Right-click Local Area Connection, and then click Properties.

4.

Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

5.

Change the IP address to 10.10.11.21, and then click OK. Click Close.

6.

Click the Start button, and then click Restart. In the Comment field, type Lab restart, and then
click OK.

7.

After the system is restarted, log on to VAN-EX2 as Adatum\Administrator, using the password
Pa$$w0rd.
Note These preparation steps move VAN-EX2 to a second site defined in AD DS.

X Task 1: Configure a Send connector to the Internet


1.

On VAN-EX1, open Exchange Management Console.

2.

Create a new Send Connector with the following configuration:

Name: Internet Send Connector

Use: Internet

Address space: *

Route all messages through VAN-DC1.adatum.com

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-35

X Task 2: Configure a Receive connector to accept Internet messages


1.

2.

On VAN-EX1, create a new Receive Connector with the following configuration:

Name: Internet Receive Connector

Use: Custom

Local Network Settings: 10.10.0.10

Change the configuration on the Internet Receive Connector to enable anonymous users to send
email and to enable verbose logging.

X Task 3: Enable anti-spam functionality on the Hub Transport server


1.

On VAN-EX1, open the Exchange Management Shell.

2.

Switch to the c:\Program Files\Microsoft\Exchange Server\v14\scripts directory and use the


install-AntispamAgents.ps1 cmdlet to install the anti-spam agents on the Hub Transport server.

3.

Restart the Microsoft Exchange Transport.

4.

Verify that anti-spam configuration options are now available on VAN-EX1 and at the organization
level.

X Task 4: Verify that Internet message delivery works


1.

On VAN-EX1, log on to Outlook Web App as Wei, and then send a message to Info@Internet.com.

2.

From the Toolbox node in the Exchange Management Console, open the Queue Viewer. Check the
queues on VAN-EX1 to verify that the message was delivered.

3.

On VAN-DC1, use Telnet to verify that VAN-EX1 accepts anonymous messages. Use Telnet to send a
message as Info@internet.com to WeiYu@adatum.com.

Results: After this exercise, you should have configured message transport to send and receive messages
to and from the Internet using a smart host. You also should have configured anti-spam functionality on a
Hub Transport server.

Exercise 2: Troubleshooting Message Transport


Scenario
You have successfully installed Exchange Server 2010 in two sites. You now need to make sure that mail
flow is working correctly.
The main tasks for this exercise are:
1.

Check the routing log, and verify that mail delivery works correctly.

2.

Troubleshoot message transport.

5-36 Managing Message Transport

X Task 1: Check the routing log, and verify that mail delivery works correctly
1.

On VAN-EX1, use the Routing Log Viewer to verify that VAN-EX1 is located in the Default-First-SiteName site, and the VAN-EX2 is located in the Site2 site.

2.

Log on to Outlook Web App as Wei, and send an email to Anna, whose mailbox is on VAN-EX2.
Verify that the mail is received and that Anna can respond to the email.

X Task 2: Troubleshoot message transport


1.

On VAN-EX1, in Exchange Management Shell, run the d:\ labfiles\Lab05Prep1.ps1 script.

2.

Send another email from Wei to Anna. Verify that the message is not delivered.

3.

Use Queue Viewer to investigate mail flow problems.

4.

Use Telnet to check connectivity from VAN-EX1 to VAN-EX2.

5.

Re-create the receive connector to make mail flow work correctly.

6.

Use Queue Viewer to force an immediate retry of message delivery.

7.

Verify that Anna received the message.

Results: After this exercise, you should have used the Routing Log Viewer to get an overview of your
routing topology. For troubleshooting, you should have used the Queue Viewer and Telnet to investigate
the mail-flow problem.

Exercise 3: Troubleshooting Internet Message Delivery


Scenario
Your users complain that messages are not sent correctly to the internet. As part of your job
responsibilities, you need to track messages to find out why message flow to the Internet is not working
correctly.
The main tasks for this exercise are:
1.

Send a message to the Internet, and track it.

2.

Implement user-based message tracking to verify mail delivery.

3.

Troubleshoot Internet message delivery.

X Task 1: Send a message to the Internet, and track it

On VAN-EX2, log on to Outlook Web App as Anna and send a message to Info@Internet.com.

X Task 2: Implement user-based message tracking to verify mail delivery

Connect to the Exchange Control Panel as Anna, and use the Delivery Reports page to track the
message she sent. Search for messages sent to Info@Internet.com.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

5-37

X Task 3: Troubleshoot Internet message delivery


1.

On VAN-EX1, in Exchange Management Shell, verify that the shell is focused on


c:\Program Files\Microsoft\Exchange Server\v14\scripts, and run
d:\10135\labfiles\Lab05Prep2.ps1.

2.

On VAN-EX2, send a second message from Anna to Info@Internet.com.

3.

On VAN-EX1, in the Exchange Management Console, in the Toolbox node, access Message
Tracking.

4.

Log on to Exchange Control Panel as Administrator, and track the message that Anna sent. Verify
that the message state is pending.

5.

Use Mail Flow Troubleshooter to troubleshoot mail problems. When starting the Mail Flow
Troubleshooter, choose the option to troubleshoot the Messages are backing up in on one or more
queues on a server. Choose VAN-EX1 as the Exchange Server. Review the information on each wizard
page, and identify the proposed root cause for the issue.

6.

On VAN-DC1, use nslookup to try to locate the MX records for internet.com.

7.

Configure a smart host in your Send connector.

8.

Verify that the messages are now delivered.

Results: After this exercise, you should have used tools like Mail Flow Troubleshooter, Queue Viewer,
Message Tracking, and nslookup to investigate why messages are not delivered to the Internet.

X To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state by completing the following
steps:
1.

On the host computer, start Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

4.

In the Virtual Machines pane, click 10135B-VAN-DC1, and then in the Actions pane, click Start.

5.

To connect to the virtual machine for the next modules lab, click 10135B-VAN-DC1, and then in the
Actions pane, click Connect.
Important Start the VAN-DC1 virtual machine first, and ensure that it is fully started
before starting the other virtual machines.

6.

Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7.

Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.

5-38 Managing Message Transport

Module Review and Takeaways

Common Issues Related to Managing Message Transport


Identify the causes for the following common issues related to Managing Message Transport, and
complete the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue
You configure a Send Connector to the
Internet, but messages cannot be
transferred over it.
You want to understand over what hops
the message has been transferred.
Your Exchange Server does not accept
messages for the domain adatuminfo.com.

Troubleshooting tip

6-1

Module 6
Implementing Messaging Security
Contents:
Lesson 1: Deploying Edge Transport Servers

6-3

Lesson 2: Deploying an Antivirus Solution

6-18

Lab A: Configuring Edge Transport Servers and


Forefront Protection 2010 for Exchange Server

6-25

Lesson 3: Configuring an Anti-Spam Solution

6-29

Lesson 4: Configuring Secure SMTP Messaging

6-41

Lab B: Implementing Anti-Spam Solutions

6-52

6-2

Implementing Messaging Security

Module Overview

The Edge Transport server role is designed to be placed directly in a perimeter network, therefore directly
in the Internet. Placing a server directly in the Internet can be the cause of numerous security concerns.
This module describes how to plan for and deploy a Microsoft Exchange Server 2010 Edge Transport
server role, and the security issues related to the deployment.
This module describes how to configure secure Simple Mail Transfer Protocol (SMTP) messaging as well as
Domain Security, a feature available in Exchange Server 2007 and later versions. The Edge Transport role
provides powerful anti-spam functionalities, and some antivirus features. Because the Edge Transport role
does not include a virus scanner, you can integrate additional antivirus products such as Microsoft
Forefront Protection for Exchange Server.
After completing this module, you will be able to:

Deploy Edge Transport servers.

Deploy an antivirus solution.

Configure an anti-spam solution.

Configure secure SMTP messaging.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-3

Lesson 1

Deploying Edge Transport Servers

In any Exchange Server deployment, it is important that you do not expose too much information to the
Internet. You must ensure critical data such as email messages are protected from unauthorized access
from the Internet. The Edge Transport server role provides functionalities that secure this data from
unauthorized Internet access. If you are planning to place a server in your perimeter network, you should
plan to use an Edge Transport server.
This lesson describes features and functionalities of the Edge Transport server role, and explains how you
can configure data synchronization between Active Directory Domain Services (AD DS) and the Edge
Transport server.
After completing this lesson, you will be able to:

Describe the Edge Transport server role.

Identify the infrastructure requirements for the Edge Transport server role.

Describe the functionality of Active Directory Lightweight Directory Services (AD LDS).

Configure Edge Transport servers.

Describe the purpose and functionality of Edge Synchronization.

Explain how Internet message flow works in Exchange Server 2010.

Describe the concept of cloned configuration.

Configure Edge synchronization.

Describe how to secure Edge Transport servers.

6-4

Implementing Messaging Security

What Is the Edge Transport Server Role?

The Edge Transport server role in Exchange Server 2010 provides a secure SMTP gateway for all incoming
and outgoing email in an organization. As an SMTP gateway, the Edge Transport servers primary role is
to maintain message hygiene, which includes anti-spam and antivirus filtering. You also can use the Edge
Transport server to apply messaging policies to messages that are sent to the Internet.

Edge Transport Server Role Functionality


The Edge Transport server role provides the following functionalities.
Feature

Description

Internet message delivery

The Edge Transport server role accepts all email coming into the
Exchange Server 2010 organization from the Internet, and from servers
in external organizations. The Edge Transport server role routes all
accepted inbound messages to a Hub Transport server inside the
organization. It also routes all outbound messages to the Internet.

Antivirus and anti-spam


protection

The Exchange Server 2010 Edge Transport server role helps prevent
spam messages and viruses from reaching your organizations users by
using a collection of agents that provide different layers of spam
filtering and virus protection. It uses these agents to filter email
messages based on the source or destination recipients, source SMTP
server, attachments, and message contents.
Exchange Server 2010 does not include antivirus software. You must use
third-party software that integrates with Exchange Server 2010 to
provide antivirus protection.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-5

(continued)
Feature

Description

Edge transport rules

Edge transport rules control the flow of messages that are sent to, or
received from the Internet. Edge transport rules apply actions to
messages that meet specified conditions. The Edge transport rule
conditions are based on data, such as specific words or text patterns in
the message subject, body, header, or From address, the spam
confidence level (SCL), or attachment type. Actions determine how the
message is processed when a specified condition is true. Possible actions
include quarantining a message, dropping or rejecting a message,
appending additional recipients, or logging an event.

Address rewriting

Address rewriting enables SMTP address modification for any of your


organizations message senders or recipients. Address rewriting can be
useful in scenarios where an organization wants to hide internal
domains, to enable multiple organizations to appear as a single
organization, or to integrate services that a third-party provides to an
organization.

Edge Transport Servers Deployment Considerations


When planning to deploy Edge Transport servers, consider the following factors:

You cannot combine the Edge Transport server role with any other Exchange Server 2010 server role.
To provide increased security, you must install the Edge Transport server role on a separate computer,
which can be virtual or physical.

The computer should not be a member of an Active Directory domain.


If you allow Active Directory communications through the firewall that protects the internal network
from the perimeter network, it can cause security issues such as allowing an unauthorized user to
retrieve all your email addresses directly from the AD DS to use it for spam. Instead, the Edge
Transport server role uses AD LDS to store configuration and recipient information. The AD LDS does
not contain all the information from the AD DS, but synchronizes only the required information such
as email addresses.
Note You should not install the Edge Transport server role on a computer that is a
member of the internal Active Directory domain, but you can install it in a perimeter
network forest. Even if you install the Edge Transport server role on a member server, the
server still uses Active Directory Application Mode (ADAM) or AD LDS to store its
configuration and recipient information.

You should deploy the Edge Transport server role in a perimeter network to ensure network isolation
from both the internal network and the internal Exchange servers. You must configure the external
firewall on the perimeter network to allow inbound and outbound SMTP traffic to and from the Edge
Transport server role. The internal firewall must allow SMTP traffic between the Edge Transport server
role and one or more internal Hub Transport servers. The firewall also must allow outbound traffic
towards the perimeter network for Active Directory to AD LDS synchronization.

6-6

Implementing Messaging Security

Infrastructure Requirements for the Edge Transport Server Role

The Edge Transport server role is different from any other Exchange Server 2010 server role, because you
can install it on servers running the Windows Server 2008 and the Windows Server 20008 R2 operating
systems that are not members of the internal Active Directory Domain Services (AD DS). This configuration
makes it much easier and more secure to deploy Edge Transport servers in a perimeter network. When
deploying Edge Transport servers, consider the following infrastructure requirements:

You can install Edge Transport servers either on standalone servers, or on servers that are members of
an extranet domain. The computer running the Edge Transport server role must have a fully qualified
domain name (FQDN) configured and must be able to resolve the FQDNs of the Hub Transport
servers as well as vice-versa.

You must deploy Edge Transport servers in a perimeter network. This configuration provides the
highest level of security.

The firewall configuration required for Edge Transport servers is greatly simplified, because the server
does not need to be an internal domain member. The following table describes the firewall
configuration requirements.
Firewall

Firewall rule

Explanation

External

Allow port 25 from all external IP


addresses to the Edge Transport
server.

This rule enables SMTP hosts on the Internet


to send email.

External

Allow port 25 to all external IP


addresses from the Edge Transport
server.

This rule enables the Edge Transport server


to send email to SMTP hosts on the Internet.

External

Allow port 53 to all external IP


addresses from the Edge Transport
server.

This rule enables the Edge Transport server


to resolve Domain Name System (DNS)
names on the Internet.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-7

(continued)
Firewall

Firewall rule

Explanation

Internal

Allow port 25 from the Edge


Transport server to specified Hub
Transport servers.

This rule enables the Edge Transport server


to send inbound SMTP email to Hub
Transport servers.

Internal

Allow port 25 from specified Hub


Transport servers to the Edge
Transport server.

This rule enables the Hub Transport servers


to send email to the Edge Transport server.

Internal

Allow port 50636 for secure


Lightweight Directory Access
Protocol (LDAP) from specified Hub
Transport servers to the Edge
Transport server.

This rule enables the Hub Transport server


to replicate information to the Edge
Transport servers by using Edge
Synchronization. This port is not the default
Secure LDAP port, but it is used specifically
for the Edge Synchronization process.

Internal

Allow port 3389 for Remote


Desktop Protocol (RDP) from the
internal network to the Edge
Transport server.

This rule is used for optional remote


desktop administration of the Edge
Transport server.

If the Edge Transport server directly routes email to the Internet, you must configure the server with
the IP addresses for Domain Name System (DNS) servers that can resolve DNS names on the Internet.

6-8

Implementing Messaging Security

What Is AD LDS?

Edge Transport servers do not use the AD DS service to store their configuration information; instead, they
use AD LDS to store this data.
Note AD LDS runs only on Windows Server 2008 or Windows Server 2008 R2 computers,
while the ADAM service can run on Windows Server 2003 computers. AD LDS is an update
of ADAM.

What Is AD LDS?
AD LDS is a special mode of the AD DS that stores information for directory-enabled applications. AD LDS
is an LDAP-compatible directory service that runs on servers running the Windows Server 2008 or
Windows Server 2008 R2 operating system. AD LDS is designed to be a stand-alone directory service. It
does not require the deployment of DNS, domains, or domain controllers; instead, it stores and replicates
only application-related information.

How AD LDS Works with Exchange Server 2010 Edge Transport Servers
AD LDS stores configuration and recipient data for the Exchange Server 2010 Edge Transport server
role. Before you can install the Edge Transport server role, you must install the AD LDS server role on a
Windows Server 2008 or Windows Server 2008 R2 computer. AD LDS is then configured automatically
when you install the Edge Transport server role. The following types of information are stored in AD LDS:

Schema. AD LDS requires schema information that defines the types of objects and attributes that can
be created. The AD LDS version installed on an Edge Transport server contains a schema that defines
the Exchange Serverrelated information.

Configuration. The Configuration partition is similar to the Configuration partition in AD DS, and
provides a container to hold the Microsoft Exchange Services configuration information.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-9

Recipient information. Recipient information can be synchronized from AD DS to AD LDS. Recipient


data that is synchronized from the Exchange Server organization is stored in the MSExchangeGateway
organizational unit (OU). Edge Transport servers use the recipient information when processing rules
such as recipient-filtering and transport rules.

Managing AD LDS
The AD LDS database is stored in the %programfiles%\Microsoft\Exchange Server\TransportRoles
\data\Adam directory. The primary database is adamntds.dit, which is similar to the databases that
Exchange Server uses for mailbox stores and mail queue databases.
In general, the AD LDS instance running on an Edge Transport server requires minimal administration. You
can make most changes to the AD LDS directory information by using Exchange Server 2010
management tools.
Note Before installing the Edge Transport server role, you must install AD LDS on the
computer. However, you do not need to perform any configuration steps in AD LDS before
installing the Edge Transport server role. In Exchange 2010 Service Pack 1 (SP1) or newer,
you can also use the SETUP.COM /InstallWindowsFeatures switch to add AD LDS
automatically to the computer.

6-10

Implementing Messaging Security

Demonstration: How to Configure Edge Transport Servers

In this demonstration, you will review the Edge Transport server roles default configuration before
implementing Edge Synchronization.

Demonstration Steps
1.

On VAN-EDG, open the Exchange Management Console.

2.

Review the Edge Transport server roles default configuration settings including the default anti-spam
settings, Send and Receive Connectors and Accepted Domains.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-11

What Is Edge Synchronization?

Edge synchronization is a process that replicates information from AD DS to AD LDS on Edge Transport
servers. Because Edge Transport servers are not joined to the internal Active Directory domain, they
cannot directly access the Exchange Server organization configuration or recipient information that is
stored in AD DS. EdgeSync enables the shared information to be replicated from AD DS to AD LDS.
You can deploy Edge Transport servers without using EdgeSync. However, it is strongly recommended
that you deploy EdgeSync along with Edge Transport servers, because EdgeSync can decrease the effort
needed to administer the Edge Transport servers. The Active Directory contains much of the configuration
information required by the Edge Transport server. For example, if you configure accepted domains on
the Hub Transport servers, these accepted domains can be replicated automatically to the Edge Transport
servers.
To enable any filtering or transport rules that are based on recipients, you must implement EdgeSync to
replicate the recipient information to AD LDS.

Information Replicated by Edge Synchronization


After you enable Edge Synchronization, the Edge Synchronization process establishes connections
between a Hub Transport server and the Edge Transport server, and synchronizes configuration and
recipient information between AD DS and AD LDS.
In Exchange Server 2007, EdgeSync replicates all of the configuration and recipient information in its
entirety. This takes a long time, particularly in organizations with a large number of recipients. Exchange
Server 2010 introduces incremental updates for EdgeSync. After the initial synchronization, only changes
to the objects in AD DS, such as the change in an email address, are synchronized to the Edge Transport
server.
Note The internal Hub Transport servers, and not the Edge Transport servers, always
initiate EdgeSync replication. EdgeSync replication traffic is always encrypted by using
Secure LDAP.

6-12

Implementing Messaging Security

During synchronization, EdgeSync replicates the following data from AD DS to AD LDS:

Accepted domains

Recipients (hashed)

Safe senders (hashed)

Send connectors

Hub Transport server list (for dynamic connector generation)


Note The recipient and the safe senders are hashed by using a one-way hash, which
prevents an attacker from retrieving recipient information from the Edge Transport server.
Question: Can you deploy Edge Transport servers without using EdgeSync?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-13

How Internet Message Flow Works

The primary function of the Edge Transport server is to secure both inbound and outbound Internet
email. After you configure an Edge subscription between your organizations Hub Transport servers and
the Edge Transport servers in the perimeter network, both inbound and outbound Internet email is
enabled.

Default SMTP Connectors


When you install the first Hub Transport server in an Exchange Server 2010 organization, two SMTP
Receive connectors are created. When you install an Edge Transport server, just an SMTP Receive
connector is created. When you enable Edge Subscription, two additional SMTP Send connectors are
created. The following table lists all of these connectors.
Connector name

Connector type

Description

Client
<SERVERNAME>

SMTP Receive connector

Created on each Hub Transport server


Accepts connections from all remote IP addresses
on port 587 for message relay
Does not accept anonymous connections

Default
<SERVERNAME>

SMTP Receive connector

Created on each Hub Transport server


Accepts connections from all remote IP addresses
on port 25
Does not accept anonymous connections

Default internal
receive connector
<SERVERNAME>

SMTP Receive connector

Created on each Edge Transport server


Accepts connections from all remote IP addresses
on port 25
Accepts anonymous connections

6-14

Implementing Messaging Security

(continued)
Connector name

Connector type

Description

EdgeSync Inbound to
<sitename>

SMTP Send connector

Created on the Edge Transport server by Edge


Subscription
Created in AD DS, and then replicated to the Edge
Transport server by Edge Synchronization
Settings such as smart hosts and address space are
defined by the Edge Subscription

EdgeSync
<sitename> to
Internet

SMTP Send connector

Created on the site that is defined by Edge Subscription


Created in AD DS, and then replicated to the Edge
Transport server by Edge Synchronization
Source server is the Edge Transport server on which
Edge Subscription is enabled
Address space of *
Uses DNS to locate SMTP servers on the Internet

Default Message Transfer


After you enable EdgeSync, email flows through the Exchange server organization using the following
steps:
1.

A user submits a message through a Client Access server to the Mailbox server. The Hub Transport
server retrieves the message from the Mailbox server, and categorizes it for delivery. In this scenario,
the message recipient is outside the organization.

2.

The Hub Transport server determines that it must use the EdgeSync sitename to Internet Send
connector to send email to the Internet. It locates the Edge Transport server that is configured as the
bridgehead server for the connector.

3.

The Hub Transport server forwards the message to the Edge Transport server, which sends the email
message to the Internet by using the EdgeSync sitename to Internet Send Connector.

4.

For inbound messages, the sending SMTP connector connects to the Edge Transport server. The Edge
Transport server accepts this connection using the Default internal receive connector SERVERNAME,
which is configured to accept anonymous connections on port 25 from all IP addresses. The Edge
Transport server applies all virus and spam-filtering rules.

5.

If the message is accepted, the Edge Transport server uses the EdgeSync Inbound to sitename
connector to forward the message to a Hub Transport server configured to accept Internet messages.

6.

The Hub Transport server uses the Default SERVERNAME connector to receive the message, and then
forwards the message to the appropriate Mailbox server.
Note You can modify the default message flow by creating additional SMTP connectors.
For example, you may need to create a new SMTP send connector to send email to a
specific destination domain. You can do this by creating a new send connector, and then
configuring the destination domain name as the address space for the connector. Finally,
configure the connector to support the unique message-routing requirements for messages
sent to the domain.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-15

Demonstration: How to Configure Edge Synchronization

In this demonstration, you will see how to enable Edge synchronization and test its functionality.

Demonstration Steps
1.

On VAN-EDG, in the Exchange Management Shell, run the New-EdgeSubscription -FileName


c:\van-edge.xml command on the Edge Transport server.

2.

Import the Edge subscription file by using the Exchange Management Console on the Hub Transport
server.

3.

Use Start-EdgeSynchronization and Test-EdgeSynchronization -FullCompareMode to test Edge


synchronization.

4.

Review the changes made to the Edge Transport server after Edge Synchronization.

6-16

Implementing Messaging Security

What Is Cloned Configuration?

Cloned configuration is the process of configuring multiple Edge Transport servers with identical
configurations. To achieve high availability for messaging transport, you should ensure that multiple Edge
Transport servers are available at all times.
You can use cloned configuration to ensure that all Edge Transport servers have the same configuration.
You only configure one server, and export the configuration to an XML file that is then imported to the
target servers. Additionally, you can use the cloned configuration to restore the Edge Transport server
configuration quickly during a disaster recovery scenario.
The XML file includes the following configuration information:

Transport server file paths and all log files paths (such as the message tracking log path)

Transport agents, including status and priority

All Send and Receive connectorrelated settings (including Send connector passwords encrypted with
a default encryption key)

Accepted Domain information

Anti-spam features and configuration settings


Note Although AD LDS supports directory replication, Exchange Server 2010 does not
provide an option to use directory replication for configuring multiple Edge Transport
servers. You must use cloned configuration if you want to automate this process, and you
must repeat the edge-cloning steps each time you make a configuration change on one of
the servers.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-17

Configuring Cloned Configuration


To configure cloned configuration, use the ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 scripts to
export configuration information from one Edge Transport server to an identically configured Edge
Transport server. You can also use the tool to test configuration changes and offer rollback assistance, or
to assist in disaster recovery when you deploy a new Edge Transport server, or replace a failed server.
To configure cloned configuration, you must perform the following three steps:
1.

During the export configuration phase, export the configuration information from an existing Edge
Transport server into an XML file. Use the ExportEdgeConfig.ps1 script to export the information.

2.

Validate the configuration on the target server. In this step, you run the ImportEdgeConfig.ps1
script. This script checks the existing information in the intermediate XML file to verify whether the
exported settings are valid for the target server, and then it creates an answer file. The answer file
specifies the server-specific information to be used during the next step when you import the
configuration on the target server. The answer file contains entries for each source server setting that
is not valid for the target server. You need to modify these settings so that they are valid for the
target server. If all settings are valid, the answer file contains no entries. Only then you can import it.

3.

During the import-configuration phase, use the ImportEdgeConfig.ps1 script with the IsImport
$true parameter to import the information from both the intermediate XML file and the answer file,
into a new Edge Transport server.

The ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 files are Windows PowerShell command-line


interface scripts, and not individual cmdlets. The scripts are located in the %programfiles%\Microsoft
\Exchange\v14\Scripts folder on all servers running Exchange Server 2010.

Cloning Transport Rules


Cloned configuration does not clone any transport rule from an Edge Transport server. To ensure that all
transport rules are also cloned, use the following cmdlet to export all transport rules.
$file = Export-TransportRuleCollection
Set-Content Path c:\tmp\EdgeRuleCollection.xml Value $file.FileData Encoding Byte

On the target Edge Transport server, you then need to use the following command to import the
transport rules.
[Byte[]]$Data = Get-Content -Path "C:\tmp\EdgeRuleCollection.xml"
-Encoding Byte -ReadCount 0
Import-TransportRuleCollection -FileData $Data

Question: When using cloned configuration with your Edge Transport servers, what extra
fact should you consider?

6-18

Implementing Messaging Security

Lesson 2

Deploying an Antivirus Solution

Although Exchange Server 2010 includes some basic antivirus features, it is important to implement a
separate antivirus product such as Microsoft Forefront Protection 2010 for Exchange Server. This lesson
describes the importance of protecting your Exchange Server organization from virus attacks, and also
describes the Forefront features Security.
After completing this lesson, you will be able to:

Describe antivirus solution features.

Describe the Forefront Protection 2010 for Exchange Server features.

Explain the Forefront Protection 2010 deployment options.

Explain the best practices for deploying an antivirus solution.

Install and configure Forefront Protection 2010 for Exchange Server.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-19

Antivirus Solution Features in Exchange Server 2010

Email is one of the most common ways to spread viruses from one organization to another. One of the
primary tasks in protecting your Exchange Server organization is to ensure that all messages containing
viruses are stopped at the messaging environments perimeter.
Exchange Server 2010 includes the following virus protection features:

Continuing support of the Virus Scanning application programming interface (VSAPI). In Exchange
Server 2010, Microsoft maintains support for the same VSAPI used in Exchange Server 2003 and
Exchange Server 2007.

Transport agents that filter and scan messages. Exchange Server 2010 introduces the concept of
transport agentssuch as the attachment filtering agentto reduce spam and viruses. By enabling
attachment filtering on the Edge Transport or Hub Transport servers, you can reduce the spread of
malware attachments before they enter the organization. Additionally, third-party vendors can create
transport agents that specifically scan for viruses. Because all messages must pass through a Hub
Transport server, this is an efficient and effective means to scan all messages in transit.

Antivirus stamping. Antivirus stamping reduces how often a message is scanned as it proceeds
through an organization. It does this by stamping scanned messages with the version of the antivirus
software that performed the scan and the scan results. This antivirus stamp travels with the message
as it is routed through the organization, and determines whether additional virus scanning must be
performed on a message.

6-20

Implementing Messaging Security

Integration with Forefront Protection 2010 for Exchange Server. Forefront Protection 2010 for
Exchange Server is an antivirus solution from Microsoft that integrates with Exchange Server 2010 to
provide advanced protection, optimized performance, and centralized management. This helps
customers deploy and maintain a secure messaging environment. Forefront Protection 2010 for
Exchange Server provides:

Advanced protection against viruses, worms, phishing, and other threats by using up to five
antivirus engines simultaneously at each layer of the messaging infrastructure.

Optimized performance through coordinated scanning across Edge Transport servers, Hub
Transport servers, and Mailbox servers and features, such as in-memory scanning, multithreaded
scanning processes, and performance bias settings.

Centralized management of remote installation, engine and signature updating, and reporting
and alerts through the Forefront Online Server Security Management Console.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-21

What Is Forefront Protection 2010 for Exchange Server?

Forefront Protection 2010 for Exchange Server is a separate antivirus software package that you can
integrate with Exchange Server 2010 to provide antivirus protection for the Exchange environment.
The following table lists the benefits of implementing Forefront Protection 2010 for Exchange Server.
Service

Description

Antivirus scan with multiple


engines

You can automatically scan messages using multiple virus pattern


engines, not just a single one.

Full support for VSAPI

Forefront Protection 2010 for Exchange Server fully supports the


Exchange VSAPI.

Microsoft IP Reputation Service

Provides sender reputation information about IP addresses that are


known to send spam. This is an IP-block list offered exclusively to
Exchange Server.

Spam Signature updates

Identifies the most recent spam campaigns. The signature updates are
available on a need basis, up to several times a day.

Premium spam protection

Includes automated updates for this filter, available on an as-needed


basis, up to several times a day.

Automated content filtering


updates

Automated content filtering updates for Microsoft SmartScreen


spam heuristics, phishing Web sites, and other Intelligent Message
Filter (IMF) updates.

6-22

Implementing Messaging Security

Deployment Options for Forefront Protection 2010

When you implement Forefront Protection 2010 for Exchange Server, you must consider the various
deployment options.

Install Forefront Protection 2010


First, you need to determine the servers on which you plan to install Forefront Protection 2010. The
number of servers you install Forefront Protection 2010 on will also depend on financial considerations as
you will need to buy as many server licenses.

As a baseline, you should at least deploy Forefront Protection 2010 for Exchange Server on all Edge
and Hub Transport servers.

For full protection, you should deploy Forefront Protection 2010 for Exchange Server on all Edge
Transport, Hub Transport, and Mailbox servers.

You do not need to install Forefront Protection 2010 on the Client Access server role, because Forefront is
only needed on the Mailbox, Edge or Hub Transport server roles.
As previously mentioned, Forefront Protection 2010 for Exchange scans each email only once, and then
stamps it with a special antivirus stamp so that other servers do not scan that message again. This also
means that you do not need to scan the Mailbox servers, as any message that comes in or leaves the
system is eventually scanned by Forefront Protection 2010 when you install it on the Edge and Hub
Transport servers. However, it is up to your security team to decide on this matter.

Forefront Protection 2010 Scanning Considerations


After you decide the servers on which you want to deploy Forefront Protection 2010, you must consider
how many scan engines you should use to scan a message, and the types of scan engines that you should
use.
As a best practice, you should use five scanners as this provides an optimum combination with third-party
virus scanners. You can also change the selection of the virus scanners later.
Question: What is an antivirus stamp?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-23

Best Practices for Deploying an Antivirus Solution

Although implementing an antivirus solution in Exchange Server is straightforward, there are some factors
that you should keep in mind when choosing and configuring an antivirus solution.

Implementing Multiple Antivirus Layers


To provide enhanced security against viruses, you should implement multiple layers of antivirus
protection. A virus can enter your organization from the Internet through an email, or from a nonprotected client within your company. Thus, it is a best practice to implement several layers of antivirus
protection such as a firewall, Edge Transport server, and at the client-computer level.

Maintaining Regular Antivirus Updates


Installing the antivirus product does not automatically mean that your organization is fully protected.
Regular antivirus pattern updates are critical to a well-implemented antivirus solution. You should also
monitor your antivirus patterns frequently to ensure they are up-to-date.
If you have a Microsoft System Center Operations Manager 2007 environment in your organization, you
can also use the Forefront Server Security Management Pack to monitor Forefront Protection 2010.

6-24

Implementing Messaging Security

Demonstration: How to Install and Configure Forefront Protection 2010


for Exchange Server

In this demonstration, you will see how to install and configure Forefront Protection 2010 for Exchange
Server, and how to manage Forefront Protection 2010.

Demonstration Steps
1.

Install Forefront Protection 2010 for Exchange Server.

2.

Open the Forefront Protection 2010 Administration Console.

3.

Configure the Antimalware - Edge Transport settings.

4.

Configure the Antispam - Content Filter settings.

5.

Configure global settings.

6.

Review the monitoring options available in Forefront.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-25

Lab A: Configuring Edge Transport Servers and Forefront


Protection 2010 for Exchange Server

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2.

Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and the 10135B-VAN-SVR1 virtual machines are
running:

10135B-VAN-DC1: Domain controller in the Adatum.com domain

10135B-VAN-EX1: Exchange 2010 server in the Adatum.com domain

10135B-VAN-SVR1: Standalone server

3.

If required, connect to the virtual machines. Log on to VAN-DC1 and VAN-EX1 as


Adatum\Administrator, using the password Pa$$w0rd.

4.

Log on to VAN-SVR1 as Administrator, using the password Pa$$w0rd.

5.

On the host computer, in Hyper-V Manager, click VANSVR1, and in the Actions pane, click Settings.

6.

Click DVD Drive, click Image file, and then click Browse.

7.

Browse to C:\Program Files\Microsoft Learning\10135\Drives, click EXCHANGE2010SP2.ISO, and


then click Open.

8.

Click OK.

9.

On VAN-SVR1, dismiss the Autoplay dialog box.

6-26

Implementing Messaging Security

Lab Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization.
Your organization has deployed Exchange Server 2010 internally, and now must extend it so that
everyone within the corporation can send and receive Internet email.
As part of your job responsibilities, you need to set up an Edge Transport server, and then install an
antivirus solution to scan all mail.

Exercise 1: Configuring Edge Transport Servers


Scenario
Your organization has internally deployed Exchange Server 2010, and now wants to use the Edge
Transport server role to replace an existing smart host. You need to deploy the Edge Transport server role,
and verify that Internet message flow is working.
The main tasks for this exercise are:
1.

Install the Edge Transport Server role.

2.

Configure Edge Synchronization.

3.

Verify that EdgeSync is working and that Active Directory Lightweight Directory Services contains
data.

4.

Verify that Internet message delivery works.

X Task 1: Install the Edge Transport Server role


1.

On VAN-SVR1, install the Edge Transport Server role by using the command d:\Setup /mode:install
/role:EdgeTransport in Command Prompt.

2.

Restart VAN-SRV1, logon as Administrator, using the password Pa$$w0rd, and then open Exchange
Management Console.

X Task 2: Configure Edge Synchronization


1.

Create a new Edge Subscription on the Edge Transport server by using the New-EdgeSubscription FileName c:\VAN-SVR1.xml cmdlet.

2.

Copy the xml file to C:\ on VAN-EX1.

3.

On VAN-EX1, in the Exchange Management Console, add the edge subscription to the Hub Transport
server by using the following configuration:

Active Directory Site: Default-First-Site-Name

Subscription file: c:\van-svr1.xml

Automatically create a Send connector for this Edge Subscription: checked

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-27

X Task 3: Verify that EdgeSync is working and that Active Directory Lightweight
Directory Services contains data
1.

On VAN-EX1, use the Start-EdgeSynchronization cmdlet to force an immediate Edge


Synchronization.

2.

Use the Test-EdgeSynchronization -FullCompareMode cmdlet to test Edge Synchronization.

3.

Run the Get-User -Identity Wei | ft Name, GUID cmdlet to obtain the globally unique identifier
(GUID) for Wei Yu.

4.

On VAN-SVR1, open LDP, and then connect to VAN-SVR1 using port 50389.

5.

Open the CN=Recipients,OU=MSExchangeGateway container and verify that Wei Yus GUID is
listed.

X Task 4: Verify that Internet message delivery works


1.

On VAN-EX1, use Exchange Management Console to configure EdgeSync - Default-First-SiteName to Internet Send Connector to use 10.10. 0.10 as a smart host for email delivery.

2.

Log on to Microsoft Outlook Web App as Adatum\Wei, and send a test message to the Internet to
verify it is working. If you do not receive a non-delivery report, the message has been sent outside the
organization.

Results: After this exercise, you should have installed an Edge Transport server role, and configured Edge
Synchronization between a Hub Transport and an Edge Transport server.

Exercise 2: Configuring Forefront Protection 2010 for Exchange Server


Scenario
Virus prevention is critical to your organizations security. As the messaging administrator, you are
required to install virus scanning software to scan every message and automatically remove viruses. To
implement this functionality, you must install antivirus software and configure it accordingly.
The main tasks for this exercise are:
1.

Install Forefront Protection 2010 for Exchange Server.

2.

Configure Forefront Protection 2010 for Exchange Server.

3.

Verify antivirus functionality.

X Task 1: Install Forefront Protection 2010 for Exchange Server


1.

On host computer, attach the c:\Program Files\Microsoft Learning\10135\Drives


\ForeFrontInstall.iso file to the 10135B-VAN-SVR1 virtual machine. Close the Autoplay dialog box.

2.

On VAN-SVR1, install Forefront Protection 2010 for Exchange Server. Accept all defaults, except
choose to enable anti-spam later.

6-28

Implementing Messaging Security

X Task 2: Configure Forefront Protection 2010 for Exchange Server


1.

Open the Microsoft Forefront Server Security Administration Console.

2.

Configure the following antimalware settings:

Scan messages with all engines.

Delete messages with viruses.

3.

On the Policy Management pane, expand Global Settings, and then click Advanced Options.

4.

Configure the following global settings:

Increase the value of Maximum nested depth compressed files to 10 and Maximum nested
attachments to 50.

Configure the Intelligent Engine management as manual.

Change the update schedule for Norman Virus Control to update at 00:30 every day.

Results: After this exercise, you should have installed Forefront Protection 2010 for Exchange Server and
configured it.

X To prepare for the next lab

Do not shut down the virtual machines and do not revert them to their initial state when you finish
this lab. The virtual machines are required to complete this modules last lab.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-29

Lesson 3

Deploying an Anti-Spam Solution

Spam messages can adversely impact the messaging environment of an organization. Therefore,
implementing an anti-spam solution is a critical component of maintaining your organizations messaging
environment hygiene. Exchange Server 2010 includes several features that you can use to implement antispam protection in your organization.
This lesson provides an overview of the options available for anti-spam filtering, and describes how you
can configure your Edge Transport servers to reduce spam in your organization.
After completing this lesson, you will be able to:

Describe the spam-filtering features available in Exchange Server 2010.

Explain how Exchange Server 2010 applies spam filters.

Describe the concept of Sender ID filtering.

Describe the concept of Sender Reputation filtering.

Describe the concept of content filtering.

Configure anti-spam options.

6-30

Implementing Messaging Security

Overview of Spam-Filtering Features

The spam-filtering functionality available on the Edge Transport server has a primary advantage when you
install it to route all email to and from the Internet. You can implement this anti-spam functionality by
using a series of Edge Transport server transport agents.
Note Forefront Protection 2010 for Exchange Server does provide more frequent updates
for the anti-spam patterns than Exchange Server 2010 built-in anti-spam features. Typically,
the built-in anti-spam pattern is updated daily, whereas in Forefront Protection 2010, you
can configure the updates to update multiple times a day.

Edge Transport Server Anti-Spam Agents


The following table lists the anti-spam agents implemented during the default installation of an Edge
Transport server.
Agent

Default status

Description

Connection
Filtering

Enabled

Filters messages based on the IP address of the remote server


that is trying to send the message. Connection filtering uses IP
Block lists and IP Allow lists.

Content
Filtering

Enabled

Filters messages based on the message contents. This agent


uses SmartScreen technology to assess the message contents. It
also supports safelist aggregation.

Sender ID

Enabled

Filters messages by verifying the IP address of the sending


SMTP server against the purported owner of the sending
domain.

Sender
Filtering

Enabled

Filters messages based on the sender in the MAIL FROM: SMTP


header in the message.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-31

(continued)
Agent

Default status

Description

Recipient
Filtering

Enabled

Filters messages based on the recipients in the RCPT TO: SMTP


header in the message.

Sender
Reputation
Filtering

Enabled

Filters messages based on many characteristics of the sender


accumulated over a specific period.

Attachment
Filter

Enabled

Filters messages based on attachment file name, file name


extension, or file Multipurpose Internet Mail Extensions (MIME)
content type.

Note You can view all the agents installed on the Edge Transport server by using the GetTransportAgent cmdlet on the Edge Transport server. The default Edge Transport server
installation also includes other transport agents, such as the Address Rewriting Inbound
Agent, the Address Rewriting Outbound Agent, and the Edge Rule Agent. You cannot use
these agents for spam filtering.

Safelist Aggregation
In Exchange Server 2010, the Content Filter agent on the Edge Transport server uses the Microsoft Office
Outlook Safe Senders Lists, Safe Recipients Lists, and trusted contacts to optimize spam filtering. Safelist
aggregation is a set of anti-spam functionality that Outlook and Exchange Server 2010 share. This antispam functionality collects data from the anti-spam safe lists that Outlook users configure, and makes this
data available to the anti-spam agents on the Edge Transport server. You must use the Update-Safelist
cmdlet to configure safelist aggregation.

6-32

Implementing Messaging Security

How Exchange Server 2010 Applies Spam Filters

The Edge Transport server role in Exchange Server 2010 uses spam-filtering agents to examine each SMTP
connection and the messages sent through it. When an SMTP server on the Internet connects to the Edge
Transport server and initiates an SMTP session, the Edge Transport server examines each message by
using the following sequence:
1.

2.

When the SMTP session is initiated, the Edge Transport server applies connection filtering by using
the following criteria:

Connection filtering examines the administrator-defined IP Allow list. Administrators might


include the IP addresses for SMTP servers at partner organizations in the IP Allow list. If an IP
address is on the administrator-defined IP Allow list, the server does not apply any other filtering
and accepts the message.

Connection filtering examines the local IP Block list. Administrators might include the IP
addresses for the SMTP servers of known spam writers, or other servers from which the
organization does not want to receive email, in the IP Block list. If the connection filtering agent
finds the IP address of the sending server on the local IP Block list, the server rejects the message
automatically, and other filters are not applied.

Connection filtering examines the real-time block list (RBL) of any IP Block List Providers that you
have configured. If the agent finds the sending servers IP address on an RBL, the server rejects
the message, and other filters are not applied.

The Edge Transport server compares the senders email address with the list of senders configured in
sender filtering. If the SMTP address is a blocked recipient or domain, the server may reject the
connection, and no other filters are applied. Additionally, you can configure the server to accept the
message from the blocked sender, but stamp the message with the blocked sender information and
continue processing. The blocked sender information is included as one of the criteria when content
filtering processes the message.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-33

3.

The Edge Transport server examines the recipient against the Recipient Block list configured in
recipient filtering. If Edge Synchronization is enabled, the Edge Transport server can use the
information about recipient filtering from Active Directory. If the intended recipient matches a filtered
email address, the Edge Transport server rejects the message for that particular recipient. If multiple
recipients are listed on the message, and some are not on the Recipient Block list, further processing
is done on the message.

4.

Exchange Server 2010 applies Sender ID filtering. Depending on how the Sender ID is configured, the
server might delete, reject, or accept the message. If the message is accepted, the server adds the
Sender ID validation failure to the message properties. The failed Sender ID status is included as one
of the criteria when content filtering processes the message.

5.

The Edge Transport server applies content filtering and performs one of the following actions:

Content filtering compares the sender to the senders in the Safelist aggregation data from Office
Outlook users. If the sender is on the recipients Safe Senders List, the message is sent to the
users mailbox store. If the sender is not on the recipients Safe Senders List, the message is
assigned a spam confidence level (SCL) rating.

If the SCL rating is higher than one of the configured Edge Transport server thresholds, content
filtering takes the appropriate action of deleting, rejecting, or quarantining the message.

If the SCL rating is lower than one of the Edge Transport server thresholds, the message is passed
to a Hub Transport server for distribution to the Exchange Mailbox server containing the users
mailbox.

Note You can bypass spam filtering for a specific recipient by setting the
AntispamBypassEnabled property to True on the users mailbox. This causes the message
to bypass filtering and be delivered directly to the recipients mailbox.

6-34

Implementing Messaging Security

What Is Sender ID Filtering?

The Sender ID Framework is an industry standard that verifies the Internet domain from which each
email message originates, based on the senders server IP address. The Sender ID Framework provides
protection against email domain spoofing and phishing schemes. By using the Sender ID Framework,
email senders can register all email servers that send email from their SMTP domain, and then email
recipients can filter email from that domain that does not come from the specified servers.

Sender Policy Framework (SPF) Records


To enable Sender ID filtering, each email sender must create a Sender Policy Framework (SPF) record and
add it to their domains DNS records. The SPF record is a single text (TXT) record in the DNS database that
identifies each domains email servers. SPF records can use several formats, including those in the
following examples:

Adatum.com. IN TXT v=spf1 mx -all. This record specifies that any server that has an MX record for
the Adatum.com domain can send email for the domain.

Mail IN TXT v=spf1 a -all. This record indicates that any host with an A record can send mail.

Adatum.com IN TXT v=spf1 ip4:10.10.0.20 all. This record indicates that a server with the IP
address 10.10.0.20 can send mail for the Adatum.com domain.
Note Microsoft provides the Sender ID Framework SPF Record Wizard to create your
organizations SPF records. You can access the wizard on the Sender ID Framework SPF
Record Wizard page on the Microsoft Web site.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-35

Sender ID Configuration
After you configure the SPF records, any destination messaging servers that use the Sender ID features
can identify your server by using Sender ID.
After you enable Sender ID filtering, the following process shows how all email messages are filtered:
1.

The sender transmits an email message to the recipient organization. The destination mail server
receives the email.

2.

The destination server checks the domain that claims to have sent the message, and checks DNS for
that domains SPF record. The destination server determines if the IP address of the sending email
server matches any of the IP addresses that are in the SPF record. The IP address of the server
authorized to send email for that domain is called the purported responsible address (PRA).

3.

If the IP addresses match, the destination server authenticates the message and delivers it to the
destination recipient. However, other anti-spam scanners such as content filtering are still applied.

4.

If the addresses do not match, the mail fails authentication. Depending on the email server
configuration, the destination server might delete the message or forward it with additional
information added to its header indicating that it failed authentication.

6-36

Implementing Messaging Security

What Is Sender Reputation Filtering?

The Exchange Server 2010 Sender Reputation feature makes message filtering decisions based on
information about recent email messages received from specific senders. The Sender Reputation agent
analyzes various statistics about the sender and the email message, to create a Sender Reputation Level
(SRL). This SRL is a number between 0 and 9, where a value of 0 indicates that there is less than a 1
percent chance that the sender is a spammer, and a value of 9 indicates that there is more than a 99
percent chance of it. If a sender appears to be the spam source, then the Sender Reputation agent
automatically adds the IP address for the SMTP server that is sending the message to the list of blocked
IP addresses.

How Sender Reputation Filtering Works


When the Edge Transport server receives the first message from a specific sender, the SMTP sender is
assigned an SRL of 0. As more messages arrive from the same source, the Sender Reputation agent
evaluates the messages and begins to adjust the senders rating. The Sender Reputation agent uses the
following criteria to evaluate each sender:

Sender open proxy test. An open proxy is a proxy server that accepts connection requests from any
SMTP server, and then forwards messages as if they originated from the local host. This also is known
as an open relay server. When the Sender Reputation agent calculates an SRL, it does so by
formatting an SMTP request in an attempt to connect back to the Edge Transport server from the
open proxy. If an SMTP request is received from the proxy, the Sender Reputation agent verifies that
the proxy is an open proxy and updates that senders open proxy test statistic.

HELO/EHLO analysis. The HELO and EHLO SMTP commands are intended to provide the receiving
server with the domain name, such as Contoso.com, or the IP address of the sending SMTP server.
Spammers frequently modify the HELO/EHLO statement to use an IP address that does not match the
IP address from which the connection originated, or to use a domain name that is different from the
actual originating domain name. If the same sender uses multiple domain names or IP addresses in
the HELO or EHLO commands, there is an increased chance that the sender is a spammer.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-37

Reverse DNS lookup. The Sender Reputation agent also verifies that the originating IP address from
which the sender transmitted the message matches the registered domain name that the sender
submits in the HELO or EHLO SMTP command. The Sender Reputation agent performs a reverse DNS
query by submitting the originating IP address to DNS. If the domain names do not match, the sender
is more likely to be a spammer, and the overall SRL rating for the sender is adjusted upward.

SCL ratings analysis on a particular senders messages. When the Content Filter agent processes a
message, it assigns an SCL rating to the message. This rating is attached to the message as an SCL,
which is a numerical value between 0 and 9. The Sender Reputation agent analyzes data about each
senders SCL ratings, and uses it to calculate SRL ratings. More information on SCL ratings can be
found in the next topic, What is Content Filtering?.

The Sender Reputation agent calculates the SRL for each unique sender over a specific time. When the SRL
rating exceeds the configured limit, the IP address for the sending SMTP server is added to the IP Block
list for a specific time.

Sender Reputation Configuration


You can configure the Sender Reputation settings on the Edge Transport server. By using the Exchange
Management Console, you can configure the Sender Reputation block threshold, and configure the
timeout period for how long a sender will remain on the IP Block list. By default, the IP addresses are
blocked for 24 hours.

6-38

Implementing Messaging Security

What Is Content Filtering?

The Content Filter agent uses SmartScreen technology to analyze the content of every email message, to
evaluate whether it is spam. The Content Filter agent is similar to the Exchange Server 2003 Intelligent
Message Filter feature.
When the Edge Transport server receives a message, the Content Filter agent evaluates the messages
content for recognizable patterns, and then assigns a rating based on the probability that the message is
spam. This rating is attached to the message as an SCL, which is a numerical value between 0 and 9. A
rating of 0 indicates that the message is highly unlikely to be spam, whereas a rating of 9 indicates that
the message is very likely to be spam. This rating persists with the message when it is sent to other servers
running Exchange Server.
Depending on how you configure the content filter, if a messages SCL score is greater than or equal to
the threshold you configure, then the Content Filter agent rejects, silently deletes, or quarantines the
message.

Content Filtering Configuration


Content filtering is enabled by default on Exchange Server 2010 Edge Transport servers, and is configured
to reject all messages with an SCL higher than 7. You can modify the default content filtering settings by
using the Exchange Management Console or the Exchange Management Shell. You can modify the
following settings in the Exchange Management Console:

Configure custom words. You can specify a list of key words or phrases to prevent blocking any
message containing those words. This feature is useful if your organization must receive email that
contains words that the Content Filter agent normally would block. You also can specify key words or
phrases that will cause the Content Filter agent to block a message containing those words.

Specify exceptions. You can configure exceptions to exclude any messages to recipients on the
exceptions list, from content filtering.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-39

Specify actions. You can configure the SCL thresholds and threshold actions. You can configure the
Content Filter agent to delete, reject, or quarantine messages with an SCL higher than the value you
specify.
Note When the Content Filter agent rejects a message, it uses the default response of 550
5.7.1 Message rejected due to content restrictions. You can customize this message by
using the set-ContentFilterConfig cmdlet in the Exchange Management Shell.

Configuring the Quarantine Mailbox


When the SCL value for a specific message exceeds the SCL quarantine threshold, the Content Filter agent
sends the message to a quarantine mailbox. Before you can configure this option on the Edge Transport
server, you must configure a mailbox as the quarantine mailbox by configuring the quarantinemailbox
parameter of the set-contentfilterconfig cmdlet. As a messaging administrator, you should regularly
check the quarantine mailbox to ensure that the content filter is not filtering legitimate emails.
Note Messages are sent to the quarantine mailbox only when the SCL threshold
exceeds the value that you configured on the content filter. To see details on all actions that
transport agents perform on an Edge Server, use the scripts located in the %programfiles%
\Microsoft\Exchange Server\Scripts folder. The Get-AgentLog.ps1 script produces a raw
listing of all actions that transport agents perform. The folder contains several other scripts
that produce formatted reports listing information such as the top blocked sender domains,
the top blocked senders, and the top blocked recipients. By default, the transport agent
logs are located at %programfiles%\Microsoft\ExchangeServer\TransportRoles
\Logs\AgentLog.

The SCL Junk E-mail Folder Threshold


If the SCL value for a specific message exceeds the SCL Junk E-mail folder threshold, then the Mailbox
server places the message in the Outlook users Junk E-mail folder. If the SCL value for a message is lower
than the SCL delete, reject, quarantine, and Junk E-mail folder threshold values, then the Mailbox server
puts the message in the users Inbox.

6-40

Implementing Messaging Security

Demonstration: How to Configure Anti-Spam Options

In this demonstration, you will see how to configure the various anti-spam options available in Exchange
Server 2010, such as Connection filters, Sender filters, and Recipient filters. You will also see how to
configure the Sender ID, Sender Reputation, and content filtering features.

Demonstration Steps
1.

Open Exchange Management Console, and on the Edge Transport server, click the Anti-spam tab.

2.

Configure the following Connection filters:

IP Allow List

IP Block List

IP Block List Providers

3.

Add the zen.spamhaus.org domain to the IP Block List Providers list.

4.

Configure the following filtering features:

5.

Sender filtering

Recipient filtering

Sender ID

Sender Reputation

Content filtering

Configure the Edge Transport server to quarantine messages with a SCL rating greater than 7.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Lesson 4

Configuring Secure SMTP Messaging

To configure secure SMTP messaging, you can use Transport Layer Security (TLS) in Exchange server.
Additionally, you can configure Domain security, which is a new feature in Exchange Server 2007 and
Exchange Server 2010. This lesson describes how to secure SMTP messaging by using the available
options.
After completing this lesson, you will be able to:

Describe the common SMTP security issues.

Describe the options for securing SMTP email.

Configure SMTP security.

Explain the concept of Domain Security.

Explain how Domain Security works.

Describe the Domain Security configuration process.

Configure Domain Security.

Explain how Secure MIME works.

6-41

6-42

Implementing Messaging Security

Discussion: SMTP Security Issues

Although SMTP messaging is common in many organizations, there are a few security issues that you
must consider.
Question: What are the security issues with SMTP?
Question: How do you currently secure SMTP?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-43

SMTP Email Security Options

Exchange Server 2010 offers several options to secure SMTP messaging traffic. All these options rely on
certificates to encrypt the traffic.
The following methods for securing SMTP require that you implement the option both on the source and
the target side. Since you most likely will not have access to the target side, the methods listed here have
limitations.

IPSec
IPSec provides a set of extensions to the basic IP protocol, and you can use it to encrypt server-toserver communication. You can use IPSec to tunnel traffic, or peer- to-peer, to secure natively all IP
communications. Because IPSec operates on the transport layer and is network-based, applications
running on Exchange Server 2010 do not need to be aware of IPSec. You use IPSec normally to secure
server-to-server or client-to-server communication. You do not need another encryption method when
using IPSec.

VPN
Virtual private network (VPN) also operates on the transport layer, and very often uses IPSec as the
underlying protocol. VPN is used for site-to-site or client-to-site connections. Both operate on the
transport layer, which can be an advantage over application-layer protocols such as Secure MIME
(S/MIME) which does not require the application on both ends to know about the protocol.

TLS
The TLS protocol is the default protocol that is used in an Exchange Server 2010 organization to
encrypt server communication. It is a standard protocol that you can use to provide secure Web
communications on the Internet or intranet. TLS enables clients to authenticate servers, or optionally,
servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is
the latest version of the Secure Sockets Layer (SSL) protocol.

6-44

Implementing Messaging Security

Exchange Server 2010s Domain Security feature uses TLS with mutual authenticationalso known as
mutual TLSto provide session-based authentication and encryption. Standard TLS is used to provide
confidentiality by encrypting but not authenticating the communication partners. This is typical of SSL,
which is the HTTP implementation of TLS.

S/MIME
S/MIME is a standard that you can use to implement public-key encryption, and email message
signatures. You can use encryption to protect message contents so that only the intended recipients can
read it. If a message is signed, the recipient can verify whether the message has been changed on the way
from the sender to the recipient.
S/MIME is a client-based encryption and signing protocol that provides end-to-end security, from the
sending mailbox to the receiving mailbox. Unlike other encryption protocols that are session-based on the
transport layer (such as TLS) the message also remains encrypted and signed within the mailbox. Even
administrators cannot decrypt it if their digital certificate does not allow them to do so. By implementing
S/MIME, you can perform the following tasks:

Use digital signatures as a way to prove to your communication partners that the content was not
altered.

Authenticate messages, especially for crucial functions, such as when your employer approves your
travel requests.

Encrypt messages to prevent accidental content disclosure.

By default, Exchange Server 2010 fully supports S/MIME for message encryption and signatures. Unlike in
previous versions, where you must configure every mailbox database, you do not need to configure any
server-side setting to support S/MIME.
Because S/MIME provides end-to-end security, it is important that the email application you use to read
and write S/MIME messages meets the following two requirements:

The application must support S/MIME encryption and signatures.

You must configure the digital signature in the email application.


Note When using S/MIME, you can send digitally signed messages to anyone, but you can
only encrypt messages to recipients whose certificates are available in the Global Address
List (GAL) or in contacts.

Alternate Options for Securing SMTP Traffic


Besides the mentioned options, you can also implement authentication and authorization on SMTP
connectors for security. This does not enforce traffic encryption, but can prevent unauthorized users
from sending SMTP messages to users in your organization, or relaying SMTP messages to the Internet.
Authentication and authorization can be configured based on user login, or on IP addresses or IP ranges.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-45

Demonstration: How to Configure SMTP Security

In this demonstration, you will see how to configure an externally secured SMTP Connector and how to
configure an SMTP Connector that requires TLS and authentication.

Demonstration Steps
1.

Use the Exchange Management Console to create a new Receive Connector.

2.

Configure the Receive Connector to be externally secured.

3.

Use Telnet to connect to Receive Connector.

4.

Configure the Receive Connector to use TLS and authentication.

5.

Use Telnet again to connect to Receive Connector.

6-46

Implementing Messaging Security

What Is Domain Security?

Exchange Server 2010 can use TLS to provide security for SMTP email. In most cases, you cannot use
TLS when sending or receiving email because SMTP servers are not configured to use TLS. However, by
requiring TLS for all SMTP email sent between your organization and other specified organizations, you
can enable a high security level for SMTP email.

What Is Domain Security?


The Domain Security feature in Exchange Server 2010 provides a relatively low-cost alternative to
S/MIME or other message-encryption solutions. It uses mutual TLS, where each server verifies the identity
of the other server by validating the certificate that is provided by the other server. It is an easy way for
administrators to manage secured message paths between domains over the Internet. This means that all
connections between the partner organizations are authenticated, and all messages are encrypted while in
transit on the Internet.
TLS with mutual authentication differs from TLS in its usual implementation. Typically, when you
implement TLS, the client verifies a secure connection to the intended server by validating the servers
certificate, which it receives during TLS negotiation. With mutual TLS, each server verifies the connection
with the other server by validating a certificate that the other server provides.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-47

How Domain Security Works

Domain Security works in a manner similar to establishing a TLS connection to an SMTP Receive
connector. However, as mutual TLS is used, both the sender and the receiver authenticate one another
before they send data. The message takes the following route from one organization to the other when
using Domain Security:
1.

The Edge Transport server receives the email message from a source Hub Transport server.

2.

The Edge Transport server initiates a mutual TLS session to the target Edge Transport server by
exchanging and verifying their certificates. This is only established when both the sending and
receiving SMTP connector can identify the sending domain. You must set the domain information on
the sending side by using the Set-TransportConfig -TLSSendDomainSecureList <domain name>
cmdlet. On the receiving side, use the: Set-TransportConfig -TLSReceiveDomainSecureList
<domain name> cmdlet to set the domain information.

3.

The message is encrypted and transferred to the target Edge Transport server.

4.

The Edge Transport server delivers the email to the target Hub Transport for local delivery. The
message is marked as Domain Secure, which will display in Outlook 2007 or newer, and in Outlook
Web App.

6-48

Implementing Messaging Security

Process for Configuring Domain Security

To configure Domain Security, you need to perform the following process:


1.

On the Edge Transport server, generate a certificate request for TLS certificates. You can request the
certificate from an internal, private certification authority (CA) or from a commercial CA. The SMTP
server in the partner organization must trust the certificate. When you request the certificate, ensure
that the certificate request includes the domain name for all internal SMTP domains in your
organization, as well as the FQDN of the Edge Server name as Subject Alternative Name (SAN).

2.

Import and enable the certificate on the Edge Transport server. After you request the certificate, you
must import the certificate on the Edge Transport server, and then enable the certificate for use by
the SMTP connectors that are used to send and receive domain-secured email.

3.

Configure outbound Domain Security. To configure outbound Domain Security, use Exchange
Management Shell cmdlets to specify the domains to which you will send domain-secured email, and
then configure the SMTP Send connector to use domain-secured email.

4.

Configure inbound Domain Security. To configure inbound Domain Security, use Exchange
Management Shell cmdlets to specify the domains to which you will receive domain-secured email,
and then configure the SMTP Receive connector to use domain-secured email.

5.

Notify partner to configure Domain Security. Domain Security must be configured on both sides (on
the sending and receiving side). Thus you also need to contact your partners administrator to
configure your domain for Domain Security.

6.

Test message flow. Finally, send a message to the partner and vice-versa to verify that domain
security is working correctly. You can see an extra icon in Outlook and Outlook Web App.
Note When you install the Edge Transport server role, a self-signed certificate is issued to
the server. No others computers trust this certificate. When you require that the partner
organization trust the certificate, you should purchase a certificate from a commercial CA.
You also can make cross-forest trust, or import a CAs certificate in the Trusted Root CA
store on both sides, if you do not want to purchase a certificate from a commercial CA.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-49

Demonstration: How to Configure Domain Security

In this demonstration, you will see how to configure Domain Security for the external domain
CONTOSO.COM. As Domain Security requires configuration on both sides, on the local and remote side,
this demonstration will only show your local configuration.

Demonstration Steps
1.

Verify a computer certificate in the certificate store.

2.

Enable Domain Security on the Receive connector.

3.

Enable Domain Security on the Send connector.

4.

Run Set-TransportConfig TLSSendDomainSecureList Contoso.com and Set-TransportConfig


TLSReceiveDomainSecureList Contoso.com to configure Domain Security partnership.

5.

Run Start-EdgeSynchronization to synchronize the changes to the Edge Transport server.

6-50

Implementing Messaging Security

How S/MIME Works

S/MIME is a messaging client-based solution for securing SMTP email. With S/MIME, each client computer
must have a certificate, and the user is responsible for signing or encrypting each email.

How S/MIME Secures Email


S/MIME provides email security by using the following options:

Digital signatures. When a user chooses to add a digital signature to a message, the senders private
key calculates and encrypts the messages hash value, and then appends the encrypted hash value to
the message as a digital signature. The users certificate and public key are sent to the recipient.
When the recipient receives the message, the senders public key decrypts the hash value and checks
it against the message. Digital signatures provide:

Authentication. If the public key can decrypt the hash value attached to the message, the
recipient knows that the person or organization who claims to have sent the message did indeed
send it.

Nonrepudiation. Only the private key associated with the public key could be used to encrypt the
hash value. Therefore, a message that is digitally signed helps to prevent its sender from
disowning the message.

Data integrity. If the hash value is still valid when the recipient receives it, any alteration of a
message that takes place will invalidate the digital signature.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-51

Message encryption. When a user chooses to encrypt a message by using S/MIME, the messaging
client generates a one-time symmetric session key, and encrypts the entire message by using the
session key. The session key then is encrypted by using the recipients public key, and the encrypted
session key is combined with the encrypted message when the message is sent. When the message
arrives at the recipient, the recipients private key decrypts the message.
Message encryption enhances confidentiality. You can decrypt a message by using only the private
key associated with the public key that was used to encrypt it. Therefore, only the intended recipient
can view the contents.

When to Use S/MIME


S/MIME is a fairly complicated way to provide security for SMTP email because S/MIME:

Requires a client certificate on each computer that sends secure email. Distributing client certificates
for users that do not understand the technology takes significant administrative time.

Requires that a sender get access to the recipients public key before the sender can send an
encrypted email. Normally, this is accomplished by sending a digitally signed email.

Is a user-based security model. The user has to take the action to sign or encrypt the message. Users
may forget or not realize which email messages to secure.

Requires certificate backups. The certificates must be backed up, because if one is lost, the user will
not be able to decrypt messages that were encrypted with the public key associated with the
certificate.

Introduces another complication. Because the messages entering or leaving the organization are
encrypted, and the messages remain encrypted in the user mailbox, the messages cannot be scanned
for policy compliance, viruses, or spam.

Despite these issues, S/MIME remains the best option for securing individual email messages. To set up a
secure channel, all other solutions require some level of agreement between messaging administrators in
the two organizations. If users need to send secure email to recipients in many different organizations,
S/MIME is the most feasible option.

6-52

Implementing Messaging Security

Lab B: Implementing Anti-Spam Solutions

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2.

Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and the 10135B-VAN-SVR1 virtual machines are
running.

3.

10135B-VAN-DC1: Domain controller in the Adatum.com domain

10135B-VAN-EX1: Exchange 2010 server in the Adatum.com domain

10135B-VAN-SVR1: Standalone server

If required, connect to the virtual machines.

Lab Scenario
You are a messaging administrator in A. Datum Corporation, which is a large multinational organization.
After configuring the Edge Transport server and installing an antivirus solution, you must implement an
anti-spam solution.

Exercise 1: Configuring an Anti-Spam Solution on Edge Transport Servers


Scenario
In your organization, users complain that they receive too many spam messages in their inbox, and they
want these spam messages automatically moved to the Junk email folder. To limit the number of spam
messages received by your organization, you need to increase the SCL junk threshold value for the
organization and ensure that junk email above a certain rating is rejected. You also want to configure a
Block List Provider.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

6-53

The main tasks for this exercise are:


1.

Configure Domain Name System (DNS) for Internet message delivery.

2.

Configure global SCL for junk mail delivery.

3.

Configure content filtering to reject junk messages.

4.

Configure an IP Allow List.

5.

Configure a Block List Provider.

X Task 1: Configure Domain Name System (DNS) for Internet message delivery
1.

On VAN-DC1, start DNS Manager.

2.

In the Adatum.com zone, create an MX record for VAN-SVR1.adatum.com.

X Task 2: Configure global SCL for junk mail delivery


1.

On VAN-SVR1, configure the content filtering settings to not reject any messages based on
SCL values.

2.

On VAN-EX1, in Exchange Management Shell, use the Set-OrganizationConfig -SCLJunkThreshold 6


cmdlet to configure the global SCL levels.

3.

On VAN-EX1, in the Exchange Management Shell, run d:\labfiles\Lab6Prep.ps1. This script will send
11 messages from VAN-SVR1 with the following SCL ratings.
Mail Sender

SCL Level

Msg1@contoso.com

Msg2@contoso.com

Msg3@contoso.com

Msg4@contoso.com

Msg5@contoso.com

Msg6@contoso.com

Msg7@contoso.com

Msg8@contoso.com

Msg9@contoso.com

Msg10@contoso.com

Msg11@contoso.com

4.

Log on to Outlook Web App as Wei and verify that three messages were sent to the user mailbox,
and that eight messages were sent to the Junk E-mail folder.

5.

View the message details for one of the messages to verify the SCL value assigned to the message.

6-54

Implementing Messaging Security

X Task 3: Configure content filtering to reject junk messages


1.

On VAN-SVR1, configure content filtering to reject messages that have a SCL rating greater than or
equal to 7.

2.

On VAN-EX1, run the D:\labfiles\Lab6Prep.ps1 script to send the test messages again.

3.

Log on to Outlook Web App on VAN-EX1 as Wei. Verify that three messages are delivered to the
Inbox and no messages are delivered to the - folder in Weis mailbox. Delete the messages in the
Inbox.

X Task 4: Configure an IP Allow List


1.

On VAN-SVR1, configure the IP Allow List to accept connections from 10.10.0.10.

2.

Run the script to send the test messages again.

3.

Verify that all messages are delivered to the Inbox in Weis mailbox. The SCL rating should be -1.

X Task 5: Configure a Block List Provider

Configure an IP Block List Provider named Spamhaus that uses zen.spamhaus.org as the lookup
domain.

Results: After this exercise, you should have configured different SCL levels, and verified the behavior of
junk mail in user mailboxes. You should also have configured a Block List Provider.

X To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1.

On the host computer, start Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

4.

In the Virtual Machines pane, click 10135B-VAN-DC1, and then in the Actions pane, click Start.

5.

To connect to the virtual machine for the next modules lab, click 10135B-VAN-DC1, and then in the
Actions pane, click Connect.
Important Start the VAN-DC1 virtual machine first, and ensure that it is fully started
before starting the other virtual machines.

6.

Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7.

Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.

8.

Wait for VAN-EX2 to start, and then start VAN-EX3. Connect to the virtual machine.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Module Review and Takeaways

Review Questions
1.

Is Edge Synchronization a mandatory requirement?

2.

Which Exchange Server versions support the Domain Security feature?

3.

Does the Edge Transport server role in Exchange Server 2010 include virus-scanning capabilities?

Common Issues Related to Edge Synchronization and Domain Security


Identify the causes for the following common issues related to implementing messaging security. For
answers, refer to relevant lessons in the module.
Issue
You configured Domain Security with
a partner domain, but messages only
use TLS for message encryption, not
mutual TLS or Domain Security.
Edge Synchronization is not working
anymore.
Youre logged on to your Windows
Server 2008 machine using your own
account. When you run TestEdgeSynchronization, it shows that
the connection is broken.

Troubleshooting tip

6-55

7-1

Module 7
Implementing High Availability
Contents:
Lesson 1: Overview of High Availability Options

7-3

Lesson 2: Configuring Highly Available Mailbox Databases

7-6

Lesson 3: Deploying Highly Available Non-Mailbox Servers

7-26

Lesson 4: Deploying High Availability with Site Resilience

7-33

Lab: Implementing High Availability

7-43

7-2

Implementing High Availability

Module Overview

Many people rely on messaging environments so that they can perform critical business tasks, and it is
extremely important for your messaging solution to be available for an extended time. Thus, many
organizations place strict availability requirements on email and other critical applications.
For a messaging system to be a truly high availability solution, not only are technology and configuration
crucial, but also the processes and procedures that you use to maintain the messaging system. This
module describes the high availability technology built into Microsoft Exchange Server 2010 and some
of the outside factors that affect highly available solutions.
After completing this module, you will be able to:

Describe high availability options.

Configure highly available mailbox databases.

Deploy highly available non-Mailbox servers.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-3

Lesson 1

Overview of High Availability Options

High availability is a commonly used term that refers to a specific technology or configuration that
promotes service availability. Although many technologies and configurations can lead to highly available
configurations, they are not by themselves truly highly available. Much more effort is required to provide
a high availability solution.
In this lesson, you will review high availability, and some of the factors that go into designing and
deploying a highly available solution.
After completing this lesson, you will be able to:

Describe high availability.

Identify the components of a high availability solution.

7-4

Implementing High Availability

What Is High Availability?

High availability is a system design implementation that ensures a high level of operational continuity
over a specific time. Although many people attribute high availability to a specific technology, such as
failover clustering or load balancing, you can truly achieve high availability only with good design, testing,
training, and operational processes.
There are two types of downtime: planned and unplanned. Planned downtime is the result of events you
schedule, such as maintenance. By contrast, unplanned downtime is the result of events not within direct
control of information technology (IT) administrators. These events can be minor, such as a buggy
hardware driver or a processor that fails, or catastrophic, such as flood, fire, or earthquake.

Measuring Availability
Availability often is expressed as the percentage of time that a service is available for use. For example, a
requirement for 99.9 percent availability over a one-year period allows 8.75 hours of downtime. In
complex environments, organizations typically specify availability for a specific service, such as Exchange
messaging, which in turn may have availability goals tied to specific features such as Microsoft Outlook
Web App, Simple Mail Transfer Protocol (SMTP) message delivery, and Outlook Anywhere.

Achieving High Availability


Creating a high availability solution requires good design, planning, training, operational discipline, and
ongoing preventative maintenance. Applying a structured operations methodology, such as Microsoft
Operations Framework, results in a foundation for building and maintaining highly available solutions.
Using appropriate high quality and redundant hardware provides the proper infrastructure. Lastly,
deploying software with redundancy, such as Windows failover clustering or Network Load Balancing
(NLB), can help you protect and recover from a variety of hardware and software failures.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-5

Discussion: Components of a High Availability Solution

Numerous components can comprise a messaging solution, and you should scrutinize them to ensure
that failures will not affect the entire solutions availability. Once you identify these components, you can
mitigate failures.
Question: Which components are important for running a high availability solution?
Question: What are some common single points of failure in a messaging solution?

7-6

Implementing High Availability

Lesson 2

Configuring Highly Available Mailbox Databases

Historically, the Mailbox server role was the most complex and critical component in a highly available
Exchange Server deployment. Although this remains true, to a degree, Exchange Server 2010 reduces the
complexity of deploying a highly available Mailbox server. In doing so, it also reduces the likelihood that
administrators will configure a Mailbox server cluster improperly.
After completing this lesson, you will be able to:

Describe database availability group (DAG).

Describe the Quorum selection process.

Describe Active Manager.

Describe continuous replication.

Describe how DAGs protect databases.

Configure a Database Availability Group.

Configure databases for high availability.

Create and configure a DAG.

Describe the transport dumpster.

Describe the failover process.

Describe how you can perform DAG monitoring and management.

Monitor replication health.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-7

What Is a Database Availability Group?

A DAG is a collection of servers that provides the infrastructure for replicating and activating database
copies. The DAG uses continuous replication to each of the passive database copies within the DAG,
which:

Requires the Windows Server 2008 failover-clustering feature, although all installation and
configuration tasks occur with the Exchange Server 2010 management tools. Even though a DAG
requires the failover-clustering feature, Microsoft Exchange Server 2010 does not use Windows
failover clustering to handle database failover; instead, it uses Active Manager to control failover.
Additionally, you can use it for some failure-detection scenarios, such as a server failure. A later
section of this module describes the Active Manager in detail.

Uses an improved version of the continuous replication technology that Exchange Server 2007
introduced. The improvements support the new high availability features, such as database copies
and database mobility. A later section of this module describes continuous replication in detail.
Note

DAGs can also use third-party replication instead of continuous replication.

Allows you to add and remove Mailbox servers at any time. You do not need to decide on the DAG
membership during installation.

Allows you to move a single database between servers in the DAG, without affecting other databases.

Allows up to 16 copies of a single database on separate servers. You can add up to 16 servers to a
DAG, which allows you to create up to 16 copies of a database. The database copies must be stored in
the same path on all servers. For example, if you store Mailbox Database 1 in D:\Mailbox\DB\Mailbox
Database 1\ on NYC-EX10, then you must also store it in D:\Mailbox\DB\Mailbox Database 1\ on all
other servers that host Mailbox Database 1 copies.

Defines the boundary for replication, because only servers within the DAG can host database copies.
You cannot replicate database information to Mailbox servers outside the DAG.

7-8

Implementing High Availability

Because DAGs use the failover clustering feature, Exchange Server 2010 must be installed on Windows
Server 2008 or Windows Server 2008 R2 Enterprise Edition or Data Center Edition. You cannot add an
Exchange Server 2003 or Exchange Server 2007 databases to an Exchange Server 2010 DAG.
Question: During installation, do you need to decide if you want to join a server to a DAG?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-9

What Is Quorum?

The failover cluster quorum configuration that the Exchange Server 2010 DAG uses determines the
number of failed nodes, or failed storage and network components, that the cluster can sustain while
continuing to function. Quorum prevents two sets of nodes from operating simultaneously as the failover
cluster. Simultaneous operation could happen when network problems prevent one set of nodes from
communicating with another set of nodes. Without a quorum mechanism, each set of nodes could
continue to operate as a failover cluster, resulting in a partition within the cluster.
To prevent problems that a split in the cluster may cause, failover clusters use a voting algorithm to
determine whether the cluster has enough votes to maintain quorum. Because a given cluster has a
specific set of nodes and a specific quorum configuration, the cluster determines how many votes are
required. If the number of votes drops below the majority, the cluster cannot start. Nodes continue to
listen for the presence of other nodes, in case another appears on the network, but the nodes will not
function as a cluster until a consensus is reached.
For example, if there are five votes in the cluster, the cluster continues to function as long as there are at
least three available votes. The source of the votes in Exchange Server 2010 can be a node or a witness file
share. When a majority of votes is not available, including when half the votes are available, the cluster
will not start.

7-10

Implementing High Availability

Windows Server 2008 Quorum Options


The following table lists the quorum options in Windows Server 2008:
Quorum mode

Description

Exchange Server 2007

Exchange Server
2010

Node Majority

Only nodes in the cluster


have a vote.
Quorum is maintained
when more than half the
nodes are online.

Supported and recommended


because the node and disk
majority, and node and file
majority, provide an additional
vote to enable maintaining
quorum if half the nodes fail.

Not supported

Node and File


Share Majority

The nodes in the cluster


and a witness file share
have a vote.
Quorum is maintained
when more than half the
votes are online.

Supported and recommended


for cluster continuous
replication (CCR).

Supported

Node and Disk


Majority

The nodes in the cluster


and a witness disk have a
vote.
Quorum is maintained
when more than half the
votes are online.

Supported and recommended


for single copy clusters.

Not supported

No Majority:
Disk Only

Only the quorum shared


disk has a vote.
Quorum is maintained
when the shared disk is
online.

Supported but not


recommended for single copy
clusters because the quorum
shared disk is a single point of
failure.

Not supported

Question: Your DAG has two Mailbox servers (nodes) and one witness server. When will you
lose quorum and not be able to mount the databases automatically anymore?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-11

What Is Active Manager?

To manage mailbox database replication and activation, Exchange Server 2010 includes a new
component called Active Manager, which runs as a function of the Microsoft Exchange Replication service
(MSExchangeRepl.exe). Active Manager replaces the resource model and failover management features
integrated into Windows failover clustering and used in Exchange Server 2003 and Exchange Server 2007.
To simplify the architecture, Active Manager runs on all Mailbox servers, even if the server is not part of a
DAG.
Active Manager runs as either the Primary Active Manager (PAM) or a Standby Active Manager
(SAM) on all of the DAG members. The PAM is the Active Manager in a DAG that controls which copies
will be active and which will be passive. It is responsible for processing topology change notifications
and reacting to server failures. The DAG member acting as the PAM is always the member that
currently owns the default cluster group. To identify the PAM, it is recommended to use the
Get-DatabaseAvailabilityGroup <DAG Name> -Status | Format-List Name, PrimaryActiveManager
cmdlet, rather than using the Windows Failover Clustering tools. If the server that owns the default cluster
group fails, the PAM function automatically moves to the server that takes ownership of the default
cluster group.
Far from having a passive role, the SAM function provides information about which server hosts the active
copy of a mailbox database. The SAM detects local database and Microsoft Exchange Information Store
failures, and reacts to them by requesting that the PAM initiate a failover when a copy is available. A SAM
does not determine a failover target, nor does it update a databases location state for the PAM. Each
SAM accesses the state of the active database copy so that it can redirect Hub Transport and Client Access
server requests. The PAM also performs the functions of the SAM role on the local system.
Question: On what Exchange servers does Active Manager run?

7-12

Implementing High Availability

What Is Continuous Replication?

Continuous replication was introduced for Mailbox servers in Exchange Server 2007. Exchange Server 2010
continued to use continuous replication. Since Exchange Server 2010 Service Pack 1 (SP1), two options for
continuous replication are available: continuous replication file mode and continuous replication block
mode.

Continuous ReplicationFile Mode


Continuous replication creates a passive database copy on another Exchange Server computer in the DAG,
and then uses asynchronous log shipping to maintain the copies.
The continuous replication-file mode, or log shipping process, is as follows:
1.

The Mailbox server role with the active database writes the active log, and then closes it.

2.

The Replication Service replicates the closed log to servers hosting the passive databases.

3.

The transaction logs are inspected, and then replayed or applied to the database copies, since each
copy of the database is identical. The databases remain synchronized.

In Exchange Server 2007, Microsoft Exchange Replication service performed this functionality, which
Microsoft Exchange Information Store service now performs. Replaying the log files to the passive
database occurs continuously, which results in a warm state, which is a database cache. In Exchange Server
2007, when the Mailbox server activates the passive copy, the database cache that was built by the
Microsoft Exchange Replication service as a result of replay activity is lost when the Microsoft Exchange
Information Store service mounts the database. This behavior places the database cache in a cold state.
The improvement in Exchange Server 2010 continuous replication reduces read input/output (I/O)
operations significantly during database activation.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-13

Additionally, seeding no longer requires that you to use the active copy as the seeds source. In Exchange
Server 2010, you also can perform seeding from passive databases. If a healthy copy of the database is
available on any server, the Exchange Server can replay the transaction logs against a common, valid data
set. You can seed the data:

Automatically.

Manually, from the active or passive copies, by using the Update-MailboxDatabaseCopy cmdlet.

Manually, by copying the database files.

Continuous replication occurs over TCP sockets, as opposed to using the Exchange Server 2007 file-share
method. Continuous replication occurs when:
1.

The target, or passive node, tells the active instance which transaction logs it expects to receive.

2.

The source responds with the required transaction log files.

3.

After Exchange Server 2010 copies the log files, and then places them in the target inspector directory
for processing.

4.

The log-inspection process verifies that the data is correct and inspects the header. If the log passes
inspection, Exchange Server 2010 places it in the target log directory. If the log does not pass
inspection, Exchange Server 2010 requests it from the source up to three times before failing.

5.

Once Exchange Server 2010 saves the transaction log to the target log directory, the information
store validates the logs to ensure that they are valid, that none are missing, and that the database
requires them.

Continuous ReplicationBlock Mode


Exchange Server 2010 SP1 included continuous replicationblock mode, and you could implement it to
reduce your exposure to data loss on failover. This is achieved by replicating Extensible Storage Engine
(ESE) log buffer writes to the passive database copies in parallel to writing them locally. Block mode
automatically becomes active when continuous replication file mode is up to date with the database
copies. The continuous replication block mode process is as follows:
1.

Once in block mode, any block of data written to the ESE log buffer on the Exchange server that hosts
the active database is automatically copied to the replication log buffer all passive copies of the active
databases.

2.

When the ESE log buffer is full, the final block is sent to the passive databases, and a transactional log
file is written to the Exchange server that hosts the active database. Then the ESE log buffer is
emptied.

3.

When the Exchange servers hosting the passive databases receive the final block that fills up their
replication log buffer, they also save the buffer to a transaction log file with the same log generation
sequence number. After that, the buffer is emptied and the process starts again.

4.

When the Exchange server with the active database fails, but the replication log buffer is not yet full,
then the buffer on the server hosting the passive copy of the database is saved to a new transactional
log file.

Replication transport is the same when file mode is enabled or disabled. The benefit of block mode is that
it can reduce the differences between the active copy and the passive copy, while also reducing the
possibility of data loss during a failover and the time it takes to perform a switchover.

7-14

Implementing High Availability

How Are Databases Protected in a DAG?

The active database copy uses continuous replication to keep the passive copies synchronized based on
their replay lag-time setting. A DAG leverages the Windows Server operating system failover clustering
feature. However, it relies on the Active Manager server to maintain the status of all of the DAGs hosted
databases. Database characteristics are:

A single database can failover or switchover between DAG servers. However, it is only active on one
server at a time.

At any given time, a copy is either the replication source or the replication target, but not both.

A server may not host more than one copy of a given database.

Not all databases need to have the same number of copies. In a 16-node DAG, one database can
have 16 copies, while another database is not redundant and contains only the one active copy.

Database failovers occur when failures cause the active database to go offline. Either a single server failure
or something specific to a database may cause the failure. A switchover occurs when an administrator
intentionally coordinates moving the active database from one server to another.
Question: Can you have one database copied three times and another database copied only
one time?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-15

Configuring a Database Availability Group

To configure a DAG you must understand the different settings that are available. Some of these settings
are required for every configuration, such as the DAG IP address; others can be considered to fine-tune
your DAG configuration, such as network compression settings.
In order to plan your DAGs correctly, you need to understand the purpose of each available configuration
setting in order to decide if you require it for your own Exchange organization.
In the EMC the following settings are available:

Witness Server. The server that you want to use as witness server. As a best practice it is
recommended to use a Hub Transport server outside the DAG as the witness server.

Witness Directory. The directory that will be used to store file share witness data.

Alternative Witness Server. The server that you can use in another data center to be enabled when the
first witness server is not available anymore.

Alternative Witness Directory. The directory that will be used to store file share witness data on the
alternative witness server.

Database availability group IP addresses. One or more IP addresses assigned to the DAG. You can
configure it by using a static IP addresses, or use a Dynamic Host Configuration Protocol (DHCP)
server to get an IP address automatically. Besides the DAG name, this is the only required setting;
therefore, you must either configure an IP address or have a DHCP server available to retrieve one. If
no IP address can be retrieved, the DAG cluster service will not start.

7-16

Implementing High Availability

DAG Networks
A DAG network is a collection of one or more subnets that Exchange Server uses for either replication
traffic or Messaging Application Programming Interface (MAPI) traffic. Although Exchange Server
supports one network adapter and path, it is recommended a minimum of two DAG networks. In a twonetwork configuration, you typically dedicate one network to replication traffic and the other network to
MAPI traffic.
You configure replication in the EMC. To enable the DAG network to replication traffic, you must enable
the Enable replication check box. Clear the check box to prevent replication from using the DAG network.
Note If you disable replication on a DAG network to preserve it for MAPI traffic,
replication traffic will still use that DAG network when no other network is available.
When implementing a DAG across multiple sites, you do need to configure the DAG networks. A DAG
supports having multiple subnets on the MAPI network as well as on the replication network. Therefore,
subnets do not need to span a wide area network (WAN) link.
When configuring the multisite DAG, you need to collapse the networks that Exchange Server enumerates
automatically when you add servers to the DAG into one MAPI network and one or more replication
networks. However, there can be no routing between the MAPI network and the replication network, nor
can there be routing between replication networks when you configure multiple networks.

DAG Network Compression


DAGs provide built-in compression for network traffic. This is based on the XPRESS algorithm, which is the
Microsoft implementation of the LZ77 algorithm. This is the same type of compression used for example
in MAPI RPC compression between Microsoft Outlook and Exchange. To configure DAG network
compression, you have the following options:

Disabled. Network traffic is not compressed.

Enabled. Compression is used for replication and seeding.

InterSubnetOnly. If the same subnet traffic is not compressed, this is the default setting where
compression is used when replicating across different subnets only.

SeedOnly. Compression is used only for seeding.

You can configure DAG network compression by using the following cmdlet:
Set-DatabaseAvailabilityGroup <DAG name> -NetworkCompression <Option>

DAG Network Encryption


You can configure DAG network communication encryption in the following ways:

Disabled. Network traffic is not encrypted.

Enabled. Network traffic for replication and seeding is always encrypted.

InterSubnetOnly. If the same subnet traffic is not encrypted, this is the default setting where network
traffic is encrypted when replicating across different subnets only.

SeedOnly. Network traffic is only encrypted for seeding.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-17

You can configure DAG network encryption by using the following cmdlet:
Set-DatabaseAvailabilityGroup <DAG name> -NetworkEncryton <Option>

Third-Party Replication Mode


By default, a DAG uses the built-in continuous replication feature to replicate mailbox databases among
DAG servers. If your organization uses a third-party data replication solution that supports the Third Party
Replication API in Exchange 2010, you can also configure the DAG to use it rather than the built-in
replication feature. You can do this by using the New-DatabaseAvailabilityGroup cmdlet, and you can
disable it only by removing and recreating the DAG.

7-18

Implementing High Availability

Configuring Databases for High Availability

Creating a DAG is only the first step to providing database availability. You must create and configure
additional database copies. Not only can you create a database copy initially, but an administrator also
can create one at any time. You can distribute database copies across Mailbox servers in a flexible and
granular way. You can replicate one, some, or all mailbox databases on a server in several ways.
To create a database copy, you must use the Add Mailbox Database Copy Wizard in the Exchange
Management Console, or the Add-MailboxDatabaseCopy cmdlet in the Exchange Management Shell.
Specify the following information when creating a mailbox database copy:

The name of the database that you are copying.

The name of the Mailbox server that will host the database copy.

The amount of time (in minutes) for log replay delay. This is the replay lag time, which sets how long
to wait before the logs are committed to the database copy. You can turn off log replay delay by
setting the value for it to 0.

The amount of time (in minutes) for log truncation delay. This is the truncation lag time, which sets
how long to wait before truncating committed transaction logs. You can turn off log truncation delay
by setting the value for it to 0.

An activation preference number. This is a preferred list sequence number, and it represents the order
of activation preference for a database copy after the active copy fails or experiences an outage.
Question: How do you plan to use the preferred list sequence number?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-19

Demonstration: How to Create and Configure a DAG

In this demonstration, you will review how to create a new DAG, add member servers to it, and create a
copy of a mailbox database.

Demonstration Steps
1.

Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange
Management Console.

2.

In the console tree, expand Microsoft Exchange On-Premises, expand Organization


Configuration, and then click Mailbox.

3.

Use the New Database Availability Group Wizard to create a DAG with the following settings:

Name: DAG1

Witness Server: VAN-DC1

Witness Directory: C:\FSWDAG1

4.

Right-click DAG1, click Properties and configure 10.10.0.25 as the IP Address on the IP Address tab.

5.

Use the Manage Database Availability Group Membership Wizard to add


VAN-EX1 and VAN-EX2 as members to DAG1.

6.

In the Results pane, click the Database Management tab.

7.

Use the Add Mailbox Database Copy Wizard to add a copy of Mailbox Database 1 to the second
Mailbox server.
Note Once you create a DAG, you then can create and configure DAG networks for
replication or for MAPI traffic. Add additional networks for redundancy or improved
throughput.
Question: What information do you need before you can configure a DAG?

7-20

Implementing High Availability

What Is the Transport Dumpster?

If a failure occurs and some transaction logs are not replicated to the passive copy, you can use the
transport dumpster to redeliver any recently delivered email. The transport dumpster operates on the Hub
Transport servers within Active Directory Domain Services (AD DS) or Active Directory directory service.
When a database failover occurs, a request will be made to the Hub Transport servers to redeliver the lost
email messages. The next section details database failovers.
The transport dumpster only holds email that has been delivered. The local submission queue holds any
pending email. Once the transaction logs are replicated to each DAG server, the transport dumpster
purges the message.
The transport dumpster is configured by default. You can view the transport dumpster settings by running
the Get-TransportConfig cmdlet. You can control the transport dumpster with the following two
settings:

MaxDumpsterSizePerStorageGroup. This setting defines the maximum size of the transport


dumpster queue per database. This is a universal setting for all databases in the organization. The
recommended size is 1.5 times the maximum message size that can be sent. For example, if the
maximum size for messages is 10 megabytes (MB), you should configure this parameter with a value
of 15 MB.

MaxDumpsterTime. This setting defines the amount of time an email remains in the transport
dumpster queue. This is the time for which the transport dumpster retains a message if the dumpster
does not force it out because it reaches its maximum size. We recommend that you set the time to
seven days.

You also can modify the transport dumpster settings by accessing the Hub Transport server settings in the
Organization Configuration node, and then modifying the Transport Settings located on the Global
Settings tab.
If you implement a multisite DAG, you can mount the mailbox database in more than one Active
Directory site. If a database fails over to a second Active Directory site, Mailbox servers request redelivery
of messages from Hub Transport servers in both the databases original and new Active Directory sites.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-21

Understanding the Failover Process

A failover occurs when service to the existing active database copy is compromised in some way. This
can occur when the server hosting the active database goes offline, when something causes the active
database to dismount, or when the server loses network connectivity. A switchover occurs when an
administrator manually moves the active database from one server to another. The main difference
between the failover process and the switchover process is that the failover process occurs automatically
when the service fails, while the switchover is a manual process. During a switchover, you can choose
which database will be mounted, or let Active Manager choose the best copy to mount. During a failover,
the Active Manager makes this decision.
When a failure affecting the active database occurs, Active Manager uses several sets of selection criteria
to determine which database copy to activate. When selecting the best copy to activate, Active Manager:
1.

Creates a list of database copies that are potential candidates for activation.

2.

Ignores and removes from the list any database copies that are unreachable or are blocked
administratively from activation.

3.

Sorts the resulting list by using the copy-queue length as the primary key. In Exchange Server
2010 SP1 or later, if the servers are configured with an automatic database mount dial value of
Lossless, Active Manager sorts the resulting list in ascending order by using the value for
ActivationPreference as the primary key.

4.

Attempts to locate a mailbox database copy on the list that has a status of Healthy,
DisconnectedAndHealthy, DisconnectedAndResynchronizing, or SeedingSource, and then evaluates
the activation potential of each of the copies on the list by using an ordered set of ten criteria. These
criteria include various combinations of settings such as content indexing status, copy queue length,
and replay queue length.

7-22

Implementing High Availability

Database Failovers
When a highly available mailbox database failure occurs, the PAM attempts to perform a failover of the
database. Before attempting to select a suitable copy to activate, the Attempt Copy Last Logs (ACLLs)
process occurs. ACLL makes remote procedure calls (RPCs) to the server that hosted the active copy of the
mailbox database that is being activated. The RPCs request confirmation that the servers are available and
healthy, and they determine the LogInspectorGeneration value for the database copy. The last active
mailbox database copy is used to copy any missing log files to the copy selected by Active Manager for
activation.
After the ACLL process completes, the configured AutoDatabaseMountDial value is consulted. The
AutoDatabaseMountDial value has the following three potential settings:

BestAvailability. This value allows the database to be automatically mounted if the copy queue length
is less than or equal to 12. The copy queue length is the number of logs that have not been replicated
to the target Mailbox server. When Active Manager identifies the target server, Exchange Server 2010
attempts to replicate the remaining logs to the passive copies and mount the database. This is the
default value.

GoodAvailability. This value allows the database to be automatically mounted immediately after a
failover if the copy queue length is less than or equal to six. When Active Manager identifies the
target server, Exchange Server 2010 attempts to replicate the remaining logs to the passive copy and
mount the database.

Lossless. This value does not allow a database to mount automatically until all logs generated on the
active copy have been copied to the passive copy.

If the number of lost logs is within the configured AutoDatabaseMountDial value, Active Manager
issues a mount request to the store. If the number of lost logs falls outside the configured
AutoDatabaseMountDial value, Exchange Server 2010 evaluates the next mailbox database copy in
the sorted list and repeats the evaluation. If no databases meet the configured AutoDatabaseMountDial
setting, an administrator must manually mount the database and accept that the loss of data is larger
than the AutoDatabaseMountDial setting. You use the Set-MailboxServer cmdlet to configure the
AutoDatabaseMountDial setting for each DAG node.
It may seem counterintuitive to list the Best Availability as allowing for 12 missing transaction logs, and
Good Availability as only allowing 6. In this case, availability refers to the database being mounted and
available, not to the possibility of lost data. In most cases, data loss is less acceptable than the loss of
service. You must decide whether to keep the database available by allowing it to mount despite potential
data loss, or to leave it unavailable and wait for manual recovery of missing log files.
In Exchange Server 2010 SP1 or newer, the Active Manager behaves differently when you configure a
lossless setting. In this case, it sorts the resulting list in ascending order by using the ActivationPreference
value as the primary key. If you use any value other than lossless for the AutoDatabaseMountDial, the
Active Manager sorts by using the copy queue length, which is the default behavior in Exchange Server
2010.
Question: Suppose you want to ensure that databases are not mounted if any transaction
logs have not been replicated. What AutoDatabaseMountDial setting do you need to
configure?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-23

Designing Monitoring and Management for a DAG

In larger organizations, DAG management is likely to be restricted to a relatively small group of


administrators. This group understands all of the design parameters that need to be considered when
creating and managing DAGs and database copies. You can delegate these permissions by using rolebased access control (RBAC).
To create and manage DAGs, you must be part of either the Organization Management role group, or the
Database Availability Groups management role. To create and manage database copies, you must be part
of either the Organization Management role group, or the Database Copies management role.

Monitoring
One of the unique challenges when managing DAGs is that in a well-designed system, you may not notice
the failover of a database from one DAG member to another. One way you can monitor DAG members is
by using Microsoft System Center Operations Manager 2012. System Center Operations Manager 2012
proactively monitors servers, and can notify administrators when errors and events occur.
Exchange Server 2010 SP1 or newer provides the following options for monitoring DAG status:

CheckDatabaseRedundancy.ps1. This script checks the redundancy of replicated databases, and it


generates events if database resiliency is found to be in a compromised state.

Get-MailboxDatabaseCopyStatus. Use this cmdlet to view status information about a specific


mailbox database copy, all copies of a database, or all mailbox database copies on a server or in the
organization.

Test-ReplicationHealth. Use this cmdlet to perform a variety of tests, and to report back status for
various replication components.

CollectOverMetrics.ps1. This script collects statistics and information about switchovers and
failovers. The data reported is based on past events. This script was enhanced in Exchange Server
2010 SP1 to include metrics for continuous replication block mode, and more details from the
replication and replay pipeline. Additionally, it also features enhanced reporting.

7-24

Implementing High Availability

CollectReplicationMetrics.ps1. This script collects statistics about replication in real time while the
script is running.

Event logs. In addition to events in Windows logs, there are also Exchange Serverspecific event logs
located in the Applications and Services node. The two specific logs that are of interest for high
availability are the High Availability and MailboxDatabaseFailureItems logs.

Exchange Server 2010 SP1 or newer also includes the following DAG management scripts. These scripts
also work in the RTM release of Exchange Server 2010:

StartDagServerMaintenance.ps1. Use this script if you want to enable maintenance mode on a


server. This script moves all active databases including the PAM role to a different server and blocks
the server from receive any database activations requests.

StopDagServerMaintenance.ps1. Use this script if you want to take the DAG member server out of
maintenance mode. This script removes all blocks from a server and enables databases to be activated
on the server.
Note For examples on how to use the monitoring tools included in Exchange Server 2010,
see Monitoring High Availability and Site Resilience at
http://go.microsoft.com/fwlink/?LinkId=213763.
Question: Which users in your organization will have permission to manage DAGs?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-25

Demonstration: How to Monitor Replication Health

In this demonstration, you will review how to use the Exchange Management Console and Exchange
Management Shell to review the available information regarding database-replication health.

Demonstration Steps
1.

On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click
Exchange Management Console.

2.

In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization


Configuration, and then click Mailbox.

3.

Review the status of each of the Mailbox Database 1 database.

4.

Close Exchange Management Console.

5.

Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange
Management Shell. Run the following cmdlets to verify database replication.

6.

Test-ReplicationHealth

Get-MailboxDatabaseCopyStatus

Run the following script to verify replication and activation health (can be found in: C:\Program Files
\Microsoft\Exchange Server\V14\Scripts:

.\CheckDatabaseRedundancy.ps1 MaiboxDatabaseName Mailbox Database 1

Question: Why is monitoring these statistics important?

7-26

Implementing High Availability

Lesson 3

Deploying Highly Available Non-Mailbox Servers

High availability for non-Mailbox servers varies depending on the server role. As in Exchange 2007, each
server role in Exchange 2010, has a unique method for providing high availability. To enable redundant
message routing between Exchange servers, Hub Transport servers require no configuration other than
the addition of a second Hub Transport server. Client Access servers require you to create a client access
array and to configure some type of load balancing. Edge Transport servers require the proper
configuration of mail exchanger (MX) records in Domain Name System (DNS).
After completing this lesson, you will be able to:

Describe and configure high availability for Client Access servers.

Describe and configure high availability for Hub Transport servers.

Describe and configure high availability for Edge Transport servers.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-27

How High Availability Works for Client Access Servers

A client access array is a load-balanced collection of Client Access servers that are in a single site. Because
all MAPI clients now rely on connections to Client Access servers, it is important to provide a redundant
server array to improve availability.
To enable high availability for Client Access servers, you first must deploy multiple Client Access servers.
Next, you need to configure either hardware-based NLB or software-based NLB (such as the Windows
Server 2008 NLB feature). You can also create multiple DNS A records in DNS for your Client Access
servers and configure round-robin DNS. Round-robin DNS enables you to distribute network connections
across the different Client Access servers, but it does not provide load balancing or automatic failover.
Then, add the name for the load-balanced array to the DNS. For example, you could add an A record for
casarray.contoso.com that points to 10.10.10.25. After adding the DNS record, you can create the client
access array, and then assign it to an Active Directory site by using the New-ClientAccessArray cmdlet.
Additionally, you must do the following:

Use the Set-MailboxDatabase cmdlet to assign the name of the client access array name to the
RpcClientAccessServer parameter for each mailbox database.

Use the Set-ClientAccessServer cmdlet to assign the name of the client access array name to the
AutoDiscoverServiceInternalUri parameter on each Client Access server that is part of the client
access array.

Use the Set-WebServicesVirtualDirectory -Identity EWS* cmdlet with the InternalUrl parameter
on each Client Access server that is part of the client access array.

Change the InternalURI in the Exchange Control Panel, offline address book, and Microsoft Exchange
ActiveSync. Do this in the Exchange Management Console, under Server Management, for each
Client Access server that is part of the client access array.

Additionally, you can configure the Kerberos authentication protocol for Client Access server NLBs to
increase security or if your organization has Apple Macintosh computer clients.

7-28

Implementing High Availability

Note Only one client access array can exist in one Active Directory site. Therefore, you
need to create a client access array in each Active Directory site that needs to load-balance
Client Access servers.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-29

How Shadow Redundancy Provides High Availability for Hub Transport


Servers

Key Points
Exchange Server 2010 includes a new shadow redundancy feature, which provides redundancy for
messages during the entire time they are in transit. This message redundancy is in addition to the
transport dumpster. With shadow redundancy, message deletion from the transport queue is delayed
until the transport server verifies that all of the next hops for that message have completed delivery. If any
of the next hops fail before reporting successful delivery, the transport server resubmits the message for
delivery to that next hop. If the next-hop server does not support shadow redundancywhich is the case
for Exchange 2003 servers and Exchange 2007 serversthe message is sent to the next hop and a shadow
copy of the message is not retained.
Shadow redundancy provides the following benefits:

It reduces the reliance on the state of the transport server queues. If redundant message paths exist
and a transport server fails, you can simply remove it from production without worrying about
emptying its queues or losing messages currently in transit.

It allows the transport server to be taken offline for maintenance tasks, without the risk of losing
messages in transit.

It reduces the need for hardware redundancy for transport servers for messages in transit.

It consumes less bandwidth than other forms of redundancy that create duplicate copies of messages
on multiple servers. With shadow redundancy, the only added network traffic is the discard status
being communicated between transport servers.

It provides resilience and simplifies recovery from a transport server failure because messages still in
transit within the Exchange Server 2010 organization are protected by the previous Exchange 2010
transport server.

7-30

Implementing High Availability

Note The messages in the transport dumpster are also stored in the transport server
queue. In the event of a Hub Transport server failure, these messages are not protected by
the shadow redundancy feature.
Exchange Server 2010 implements shadow redundancy by extending the SMTP. These service extensions
allow SMTP hosts to negotiate shadow redundancy support, and communicate the discard status for
shadowed messages.
As an example, shadow redundancy message flow follows these stages, where Hub is a Hub Transport
server and Edge is an Edge Transport server:
1.

2.

3.

4.

Hub delivers message to Edge.


a.

Hub opens SMTP session with Edge.

b.

Edge advertises shadow redundancy support.

c.

Hub notifies Edge to track discard status.

d.

Hub submits message to Edge.

e.

Edge acknowledges the receipt of message, and records the Hubs name for sending discard
information for the message.

f.

Hub moves the message to the shadow queue for Edge, and marks Edge as the primary server.
Hub becomes the shadow server.

Edge delivers message to the next hop:


a.

Edge submits message to third-party mail server.

b.

Third-party mail server acknowledges the messages receipt.

c.

Edge updates the discard status for the message as delivery complete.

Hub queries Edge for discard status (success case):


a.

At end of each SMTP session with Edge, Hub queries Edge for discard status on messages
previously submitted. If Hub has not opened any SMTP sessions with Edge after the initial
message submission, it will open an SMTP session with Edge to query for discard status after a
specific time.

b.

Edge checks local discard status and sends back the list of messages that have been delivered,
and removes the discard information.

c.

Hub server deletes the list of messages from its shadow queue.

Hub queries Edge for discard status and resubmits the message (failure case):
a.

If Hub cannot contact Edge, Hub resumes the primary server role and resubmits the messages in
the shadow queue.

b.

Resubmitted messages are delivered to another Edge server, and the workflow starts from step 1.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-31

Within Exchange Server 2010, the Shadow Redundancy Manager is the core component of a transport
server that is responsible for managing shadow redundancy. The Shadow Redundancy Manager is
responsible for maintaining the following information for all the primary messages that a server is
currently processing:

The shadow server for each primary message being processed.

The discard status to be sent to shadow servers.

For all the shadow messages that a server has in its shadow queues, the Shadow Redundancy Manager is
responsible for the following:

Maintaining the queue and checking primary server availability for each shadow message.

Processing discard notifications from primary servers.

Removing the shadow messages from the database once it receives all expected discard notifications.

Deciding when the shadow server should take ownership of shadow messages, thus making it the
primary server.

In addition to the shadow redundancy implemented at the SMTP protocol level, shadow redundancy also
enables the following features:

Delayed acknowledgement. Exchange 2010 transport servers use delay acknowledgement when
receiving messages from SMTP servers other than Exchange 2010 servers. In this case, the transport
server delays acknowledging a received message until it verifies that the message was successfully
delivered to the next hop. This way, if the Exchange 2010 server fails, the sending mail server will
assume that the message was never delivered and will attempt delivery again.

Shadow redundancy promotion. With Exchange Server 2010 SP1 or newer, shadow redundancy
promotion provides an additional level of protection when receiving messages from a non-Exchange
2010 SMTP server. Rather than just sending a delayed acknowledgement when the next hop cannot
be verified, the transport servers now forward the message to another Hub Transport server so that
the message is protected by shadow redundancy.

7-32

Implementing High Availability

How High Availability Works for Edge Transport Servers

Edge Transport servers provide both inbound and outbound email delivery. For outbound delivery,
providing high availability is as simple as deploying multiple Edge Transport servers and creating an Edge
subscription. If you have deployed Exchange servers in multiple Active Directory sites, you may need
additional redundant Edge Transport servers.

Multiple DNS MX Records


The SMTP protocol was created with delivery redundancy in mind. It uses special DNS records called MX
resource records to locate the authoritative SMTP server for a domain. These records point to the SMTPs
fully qualified domain name, which in this case are the Edge Transport servers. You can create multiple
MX records and assign them weights. The protocol uses the lower-weighted records before the higherweighted records. MX records with the same weight are load balanced in round-robin load fashion. If one
of the hosts fails to respond, Exchange Server attempts the next host on the list.

Hardware-Based Load Balancing


High availability for inbound email delivery requires multiple load-balanced Edge Transport servers. You
can achieve load balancing either with a hardware load balancer or by using multiple DNS records. Using
a hardware load balancer balances inbound communication between Edge Transport servers and provides
redundancy in case of a server failure.
Like Hub Transport servers, Edge Transport servers also support shadow redundancy. However, shadow
redundancy does not cover all scenarios, because most of the messaging servers that the Edge Transport
role communicates with do not support shadow redundancy.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-33

Lesson 4

Deploying High Availability with Site Resilience

Site resilience allows you to extend high availability for your Exchange servers beyond a single data
center. Exchange Server 2010 supports site resilience for mailbox databases that are protected in a DAG.
In Exchange Server 2003, the only option for implementing site resilience was to implement storage
replication. In Exchange Server 2007, you could use continuous cluster continuous replication or standby
continuous replication to provide site resilience. With the implementation of DAGs, configuring site
resilience in Exchange Server 2010 is significantly easier.
After completing this lesson, you will be able to:

Describe requirements for creating a multiple site DAG.

Describe Datacenter Activation Coordination Mode.

Deploying Exchange 2010 for site resilience.

Describe the switchover and switchback process with site resilience.

Understand best practices for site resilient solutions.

7-34

Implementing High Availability

Requirements for Creating a Multiple Site DAG

You can extend a DAG to one or more data centers in a configuration that provides site resilience for one
or multiple data centers. Such a configuration produces several design challenges that you must take into
account before implementing a multiple site DAG.

One Mailbox Server at Each Site


To configure a DAG for site resilience, the DAG must have at least one member in an alternate data
center. Then databases can be replicated to the member in the alternate data center. No other specific
configuration is required for the Mailbox servers, or for the databases.
When implementing a DAG across multiple sites, you do need to configure the DAG networks. A DAG
supports having multiple subnets on the MAPI network and multiple subnets on a replication network.
Therefore, subnets do not need to span a wide area network (WAN) link. When configuring the multisite
DAG, you need to collapse the networks that are automatically enumerated when you add servers to the
DAG into one MAPI network and one or more replication networks. However, there can be no routing
between the MAPI network and the replication network or between replication networks if you configure
multiple networks. The WAN link must support separate routes for all networks.

Round-Trip Network Latency Time


Each member of the DAG must have round-trip network latency no greater than 500 milliseconds
between each other member, regardless of the physical location of the DAG member.

Other Server Roles Must Be Available in Each Site


In addition to the Mailbox server in the alternate data center and the basic Active Directory servers such
as domain controllers and DNS servers, you also need to install a Client Access server and a Hub Transport
server. To reduce hardware requirements in the alternate data center, you can place the Client Access
server and Hub Transport server roles on the same computer as the Mailbox server role. However, you
should do so only if the computer has sufficient processing capacity to run all three roles at the same
time.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-35

Datacenter Activation Coordination Mode


Use the Datacenter Activation Coordination mode for DAGs that span multiple locations. This mode
prevents database copies from experiencing split-brain syndrome, which occurs when more than one DAG
member mounts the same database. This is a problem because there is no way to reconcile the different
content in the two mounted databases. Datacenter Activation Coordination mode is described in greater
detail in the next topic.

7-36

Implementing High Availability

What Is Datacenter Activation Coordination Mode?

Datacenter Activation Coordination mode is a DAG property that prevents split-brain syndrome, which is
the mounting of the same database at two different Active Directory sites that cannot communicate with
one another. Datacenter Activation Coordination (DAC) mode prevents split-brain syndrome in a multiActive Directory site DAG implementation.
Suppose you have two data centers, each with two DAG members. The witness server for the DAG is in
the first data center. A power outage occurs, and as the administrator, you activate the DAG at the second
data center. Because you do not have majority quorum in the second data center, you can do this by
configuring an alternative witness server or by configuring the DAG to use a different quorum mode. As
long as the first data center stays offline, no problem occurs. Split-brain syndrome occurs when the first
data center is powered back up, but WAN connectivity between the two data centers is not immediately
restored. If DAC mode is not enabled, the first data center could mount the databases and achieve
majority quorum because it still does not know that the second data center already has the databases
mounted. This results in the same database being active at two different sites, which causes split-brain
problems when WAN connectivity is restored.
To prevent split-brain syndrome, Datacenter Activation Coordination mode uses a protocol called
Datacenter Activation Coordination Protocol (DACP). This protocol configures a bit in memory for each
Active Manager hosted on every Exchange server that is a DAG member, and has the following options:

Local database is not allowed to be mounted.

Local database is allowed to be mounted.

The DACP protocol is:

During Active Manager start up, DACP is set at 0.

In Datacenter Activation Coordination mode, the server tries to communicate with all other Exchange
servers that are members of the DAG to find a member that has its DACP bit set at 1.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-37

If it finds a DAG member with a DACP of 1, the server sets its DACP bit to 1 and mounts its active
databases. Alternatively, if the server contacted all DAG members successfully, it also sets its DACP to
1 and mounts the database.

If the server cannot reach a server that has a DACP of 1, it cannot automatically mount its active
database.

DAC mode differs in the Exchange Server 2010 versions in the following way:

In Exchange Server 2010, DAC mode is limited to DAGs with at least three members that have two or
more members in the primary data center. When you enable DAC mode, you can use Exchange
Server cmdlets rather than the failover cluster tools to perform a data center switchover.

Exchange Server 2010 SP1 or newer supports two-member DAGs that have each member in a
separate data center. Two-member DAGs in DAC mode use the witness server boot time to provide a
weighted vote for mounting. DAC mode in Exchange Server 2010 SP1 or newer supports DAGs that
have all members deployed in a single Active Directory site, including single Active Directory sites that
have been extended to multiple locations.

Two-Member DAGs in DAC Mode


A two-member DAG in DAC mode may have difficulty achieving majority quorum when it relies on the
DACP setting alone. For this reason, the Datacenter Activation Coordination uses the DAGs witness server
boot time to help determine whether a database should be mounted. The Active Manager compares the
boot time of the witness server to the time when the DACP was set to 1. This provides the following
scenarios:

If the DACP setting was set earlier than the witness boot time, the DAG member is not allowed to
mount databases.

If the DACP setting was set later than the witness boot time, the DAG member is permitted to mount
databases.

You can enable DAC mode with the following cmdlet:


Set-DatabaseAvailabilityGroup -Identity <DAG Name>
-DatacenterActivationMode DagOnly

Question: When should you consider configuring the Datacenter Activation Coordination
mode?

7-38

Implementing High Availability

Deploying Exchange 2010 for Site Resilience

To deploy Exchange 2010 for site resilience, you need to understand that not only Mailbox servers are
required in the other physical site, but also the following roles of servers:

Active Directory Domain Controller

Hub Transport server

Client Access server

Edge Transport server (if used)

The easy part is that for those servers you do not need special configuration to provide site resilience;
those roles must exist in the remote data center.

Active Directory Domain Controller


Every Exchange Server role requires a local Domain Controller (DC) to communicate with. If you do not
have a local DC available, Exchange services cannot start. Make sure you have at least one local DC
controller available for the remote site and that the physical location is defined in Active Directory (AD)
as an AD site.

Hub Transport Server


Message transport is performed based on Active Directory sites. Each Active Directory site with a Mailbox
server must have a Hub Transport server as well. When a database is activated in the alternate data center,
it uses the Hub Transport server in the alternate data center. No specific configuration is required to
enable message routing between Exchange servers.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-39

If you have applications or non-MAPI clients that are configured to use a specific Hub Transport server for
relaying messages, you need to direct those applications to a new Hub Transport server. If the application
is configured to use the IP address of the Hub Transport server, you must reconfigure the application to
use the IP address of a Hub Transport server in the alternate data center. If the application is configured
to use the hostname of the Hub Transport server, you can modify the host record for the Hub Transport
server to use the IP address of the Hub Transport server in the alternate data center.
You should ensure that the Hub Transport servers in the alternate data center have sufficient capacity to
handle the volume of message processing that is expected when the alternate data center is used.

Client Access Server


You cannot span a client access array over multiple Active Directory sites. Therefore, similar to a Hub
Transport server, you need to include a Client Access server in the Active Directory site in the alternate
data center.
If the client access array in the original site is still available, it can continue to provide services for clients,
and access the active database in the alternate data center. This is a good solution if the alternate data
center will be used for a short time.
If the alternate data center will be used for a long time such as for a couple of weeks and not only for a
day or two, you should consider modifying the DNS record for the Client Access servers or the client
access array to reference the Client Access server in the alternate data center.
Outlook Anywhere and Exchange ActiveSync clients locate a Client Access server accessible on the
Internet by using DNS records. If the original client access array is unavailable, you need to change the
host record for the external client access to point to the Client Access server in the alternate data center.
A potential concern is caching DNS records. If the client computer caches the hostname of the Client
Access server, you can clear the cache on the client computer by specifying ipconfig /flushdns, or by
restarting the client. However, many Internet DNS servers cache resolved hostnames for 24 hours. To
ensure that clients can access the Client Access servers in the alternate data center quickly, you must
provide clients with an alternate hostname to access services or configure a short time to live (TTL) on
the DNS records.

Edge Transport Server


To provide site resilience for Edge Transport servers, you must have an Internet connection at the
alternate data center. The simplest way to configure site resiliency is by having the Edge Transport servers
already active and able to receive messages.
Incoming messages are directed to an Edge Transport server based on MX records in DNS. The MX
records are a pointer to the hostname of the Edge Transport server. To have messages automatically
redirected to the alternate data center when the primary location is unavailable, you can configure
multiple MX records.
The priority number for MX records determines the order in which they are used. An MX record with a
lower priority number is contacted first. The MX record for the alternate data center has a higher priority
number than the MX record for the primary data center. With this configuration, SMTP mail servers
attempt delivery to the primary data center first, and if the primary data center is unavailable, the
messages are delivered to the alternate data center.
Messages transported through the alternate data center automatically use the Edge Transport server in
the alternate data center for message delivery, because it is the closest Edge Transport server.

7-40

Implementing High Availability

Switchover and Switchback Process with Site Resilience

Failover for databases within an Active Directory site is always automatic, and may not be noticed by
clients. You can also failback mailbox databases in the same site with no disruption in services. However,
switchover and switchback between sites is a manual process that will result in a short service outage.

The Switchover Process with Site Resilience


To access the site resilience cmdlets, you must enable DAC mode on the DAG before the failure occurs.
When the primary data center fails, the switchover process includes the following steps:
1.

Reconfigure the DAG to remove the primary sites servers from the Windows Failover Cluster, but
retain them in the DAG. There are two options for configuring the DAG. If some Mailbox servers in
the primary site are still running but with not enough servers to maintain quorum, you need to stop
the DAG on the running servers. You can accomplish this by running the following cmdlet in the
Exchange Management Shell on a server in the primary data center:
Stop-DatabaseAvailabilityGroup <DAG Name> ActiveDirectorySite <Primary Site Name>

If all of the Mailbox servers in the primary site are unavailable, or if Active Directory replication with
the secondary data center has failed, you need to stop the DAG in the primary data center from an
Exchange server in the secondary data center. You can accomplish this by running the following
cmdlet in the Exchange Management Shell on a server in the secondary data center:
Stop-DatabaseAvailabilityGroup <DAG Name> ActiveDirectorySite <Primary Site Name>
-ConfigurationOnly

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

2.

7-41

Reconfigure the DAG to use an alternative file-share witness, and restore the functionality in the
secondary site. To do this, first stop the cluster service on each of the secondary sites DAGs servers,
and then run the following cmdlet:

Restore-DatabaseAvailabilityGroup <DAG Name> -ActiveDirectorySite <Secondary Site Name>


-AlternateWitnessServer <Secondary Site Witness Server>

3.

Start the cluster service on each of the servers in the DAG in the secondary site.

4.

If you have blocked activation on any Mailbox servers in the secondary data center, you need to
remove the activation block. Available Active Managers will then mount the mailbox databases in the
secondary site.

5.

If the database does not automatically mount, you need to manually move and activate the database
by using the following cmdlet:

Move-ActiveMailboxDatabase <database name> -SkipLagChecks -MountDialOverride:BestEffort


-SkipClientExperienceChecks -SkipHealthChecks -ActivateOnServer <Server Name>

6.

Adjust DNS records, if necessary, for SMTP, Outlook Web App, Autodiscover, Outlook Anywhere, and
any legacy protocols. You can make adjustments manually, or use a third-party global-server DNS
server to make changes automatically.

The Switchback Process with Site Resilience


In most instances, after you recover the primary site, you need to perform a switchback to the primary
site. The switchback process includes the following steps:
1.

Verify that the primary data center is capable of hosting Exchange services.

2.

Reconfigure the DAG to add primary data center servers back into the switchover cluster. To do this,
run the following cmdlet:
Start-DatabaseAvailabilityGroup <DAG Name> ActiveDirectorySite <Primary Site Name>

3.

If required, reconfigure the DAG to use the primary sites witness server. To do this, run the following
cmdlet:
Set-DatabaseAvailabilityGroup <DAG Name> WitnessServer <Primary Site Witness Server>

4.

Manually reseed or allow replication to update the primary data centers database copies.

5.

Schedule downtime for the mailbox databases, and then dismount them.

6.

Adjust DNS records for SMTP, Outlook Web App, Autodiscover, Outlook Anywhere, and any legacy
protocols. You can accomplish this manually, or you can take advantage of third-party global-server
DNS server that performs the change automatically, and points it back to the primary data center.

7.

Move the active databases back to primary data center by running the following cmdlet, and then
mount the databases in primary data center.
Move-ActiveMailboxDatabase <Database> ActivateOnServer <Server in Primary Site>

7-42

Implementing High Availability

Best Practices for Site Resilient Solutions

By implementing certain best practices, you can ensure a successful, highly available, multiple-site
configuration. To begin, reduce failover time by using a TTL of five minutes or less on DNS records for all
relevant namespaces. Using a low TTL enables the DNS clients to more quickly discover DNS entries that
point to the secondary site.
If a failure occurs, it is important to ensure that the system works as designed. Therefore, you should
continually monitor and verify that all messaging-system components are functioning properly. To do
this, monitor all aspects of the Exchange Server 2010 environment to ensure that it is functioning
normally, and that mailbox data is successfully replicating to the secondary site in a timely manner. Next,
you can schedule periodic failover tests to provide an additional level of preparation, and to validate the
configuration and operation of the cross-site failover process.
You also should follow a change management process to ensure that each Mailbox server in the DAG,
each Client Access server, and each Hub Transport server are configured correctly and have the same
updates applied. This reduces the possibility of incompatibilities and unexpected behavior if a failover
occurs.
Finally, it is recommended that you follow the Windows Server Failover Clustering best practice of having
each node connected to multiple networks. Separating the MAPI and replication networks provides
enhanced performance. In some cases, you might also create multiple replication networks to provide
redundancy. However, to avoid network crosstalk, the MAPI and replication networks must not be able to
route to each other.
Question: In your organization, do you regularly perform disaster recovery activities such as
recovering a backup in Exchange Server?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-43

Lab: Implementing High Availability

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2.

Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, 10135B-VAN-EX2, and the 10135B-VAN-EX3


virtual machines are running:

3.

10135B-VAN-DC1: Domain controller in the Adatum.com domain.

10135B-VAN-EX1: Exchange 2010 server in the Adatum.com domain.

10135B-VAN-EX2: Exchange 2010 server in the Adatum.com domain.

10135B-VAN-EX3: Exchange 2010 server in the Adatum.com domain.

If required, connect to the virtual machines. Log on to the virtual machines as


Adatum\Administrator, using the password Pa$$w0rd.

Lab Scenario
You are the messaging administrator for A. Datum Corporation. You have completed the basic installation
for three Exchange servers. Now you must complete the configuration so that they are highly available.

7-44

Implementing High Availability

Exercise 1: Deploying a DAG


Scenario
You must complete the Mailbox server high availability configuration by creating a DAG and making the
Accounting database highly available.
The main tasks for this exercise are:
1.

Create a DAG named DAG1 by using the Exchange Management Shell.

2.

Create a mailbox database copy of the Accounting database.

3.

Verify successful completion of database copying.

4.

Suspend the database copy on VAN-EX2.

X Task 1: Create a DAG named DAG1 by using the Exchange Management Shell
1.

On VAN-EX1, open the Exchange Management Shell.

2.

Use the New-DatabaseAvailabilityGroup cmdlet to create a DAG with the following information:

Name: DAG1

WitnessServer: \\VAN-DC1\FSWDAG1

WitnessDirectory: C:\FSWDAG1

IP Address: 10.10.0.80

3.

Use the Add-DatabaseAvailabilityGroupServer cmdlet to add VAN-EX1 as a member of DAG1.

4.

On VAN-EX2, open the Exchange Management Console.

5.

On the Database Availability Groups tab, add VAN-EX2 as a member of DAG1.

X Task 2: Create a mailbox database copy of the Accounting database


1.

On VAN-EX1, open the Exchange Management Console.

2.

On the Database Management tab, add a mailbox database copy of Accounting to VAN-EX2.

X Task 3: Verify successful completion of database copying

On VAN-EX1, view the properties of the Accounting database, and ensure its status is Healthy.

X Task 4: Suspend the Accounting database copy on VAN-EX2

On VAN-EX1, suspend the Accounting database copy on VAN-EX2.

Results: After this exercise, you should have created a DAG and a mailbox database copy of the
Accounting database. The Accounting database copy on VAN-EX2 should remain in a suspended state.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-45

Exercise 2: Deploying Highly Available Hub Transport and Client Access


Servers
Scenario
The network team used a hardware load balancer to load balance VAN-EX1 and VAN-EX2 for Client
Access connections. They have assigned a load balanced IP address of 10.10.0.30, and have created a DNS
record for the name CASArray.adatum.com. Now you must complete the Client Access configuration.
The main tasks for this exercise are:
1.

Create and configure a client access array for CASArray.adatum.com.

2.

Assign the client access array to the databases.

X Task 1: Create and configure a client access array for CASArray.adatum.com


1.

On VAN-EX1, open Exchange Management Shell.

2.

Use the New-ClientAccessArray Fqdn casarray.adatum.com Name CASArray.adatum.com


Site Default-First-Site-Name cmdlet to create a new client access array named
CasArray.adatum.com for the Default-First-Site-Name Active Directory site.

X Task 2: Assign the client access array to the databases


1.

On VAN-EX1, use the Exchange Management Shell to retrieve a list of all of the databases with the
Get-MailboxDatabase | ft Name, Server, RPC* cmdlet.

2.

Use the Get-MailboxDatabase |Set-MailboxDatabase RpcClientAccessServer


casarray.adatum.com cmdlet to assign each database on VAN-EX1 and VAN-EX2 the
CasArray.adatum.com client access array as the RpcClientAccessServer.

3.

At the PS prompt, use the Get-MailboxDatabase | ft Name, Server, RPC* cmdlet to verify the
correct setting.

Results: At the end of this exercise, you should have created a client access array and assigned it to the
databases.

7-46

Implementing High Availability

Exercise 3: Testing the High Availability Configuration


Scenario
You have completed the high availability configuration. You now must verify that the high availability
configuration is working properly.
The main tasks for this exercise are:
1.

Create a SMTP connector associated with VAN-EX1 and VAN-EX2.

2.

Stop the SMTP service on VAN-DC1.

3.

Send an email to an internal user and an external SMTP address.

4.

Use Queue Viewer to locate the message in the queue.

5.

Start SMTP service on VAN-DC1 to allow queued message delivery.

6.

Verify that the messages were removed from the shadow redundancy queue.

7.

Verify the copy status of the Accounting database copy and resume the database copy.

8.

Perform a switchover on the Accounting database to make the VAN-EX2 copy active.

9.

Simulate a server failure.

X Task 1: Create a SMTP connector associated with VAN-EX1 and VAN-EX2


1.

On VAN-EX2, if required, open Exchange Management Console.

2.

Create an SMTP send connector named Internet Mail, and then configure an address space of * for
the connector.

3.

Add VAN-DC1.adatum.com as the Smart host for the connector, and VAN-EX1 and VAN-EX2 as the
source servers.

X Task 2: Stop the SMTP server on VAN-DC1

On VAN-DC1, stop the Simple Mail Transfer Protocol (SMTP) service.

X Task 3: Send an email to an internal user and an external SMTP address


1.

On VAN-EX1, log on to Outlook Web App as Adatum\Jason with the password Pa$$w0rd.

2.

Create and send a new email addressed to terry@contoso.com and jane@adatum.com.

X Task 4: Use Queue Viewer to locate the message in the queue


1.

On VAN-EX2, open Queue Viewer.

2.

Connect to VAN-EX1 and VAN-EX2 to locate which server queues the email sent from Jason.

3.

Make note of the server where the message is queued.

4.

Examine the shadow redundancy queue on VAN-EX3.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7-47

X Task 5: Start SMTP service on VAN-DC1 to allow delivery of the queued message
1.

On VAN-DC1, open Server Manager.

2.

Start the SMTP service.

X Task 6: Verify that the messages were removed from the shadow redundancy queue
1.

On VAN-EX2, open Queue Viewer.

2.

Connect to VAN-EX3, where the message was queued in the shadow redundancy queue, and then
verify that it is no longer queued.

X Task 7: Verify the copy status of the Accounting database, and resume the database
copy
1.

On VAN-EX2, open the Exchange Management Console.

2.

View the database copy health on the Suspended copy on VAN-EX2.

3.

Resume the database copy on VAN-EX2, and wait until the copy status is Healthy.

X Task 8: Perform a switchover on the Accounting database to make the VAN-EX2


copy active
1.

On VAN-EX2, open the Exchange Management Console.

2.

Verify that the active Accounting database is on VAN-EX1.

3.

Select the Accounting database on VAN-EX2, and then activate the copy.

X Task 9: Simulate a server failure


1.

On VAN-EX1, open the Exchange Management Console, and view the status of the Accounting
database.

2.

In Hyper-V Manager, revert 10135B-VAN-EX2.

3.

Verify the Accounting database is now active on VAN-EX1.

Results: After this exercise, you should have verified that the mailbox databases could fail over and switch
between DAG servers, and that Hub Transport shadow redundancy is working properly.

7-48

Implementing High Availability

X To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1.

On the host computer, start Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

4.

In the Virtual Machines pane, click 10135B-VAN-DC1, and then in the Actions pane, click Start.

5.

To connect to the virtual machine for the next modules lab, click 10135B-VAN-DC1, and then in the
Actions pane, click Connect.
Important Start the VAN-DC1 virtual machine first, and ensure that it starts fully before
starting the other virtual machines.

6.

Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7.

Wait for VAN-EX1 to start, and then start VAN-SVR1. Connect to the virtual machine.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Module Review and Takeaways

Review Questions
1.

What are the requirements for using the Datacenter Activation Coordination mode?

2.

Which Exchange Server 2010 feature provides fault tolerance for message delivery?

3.

In which scenarios might you use hardware load balancing with Edge Transport servers?

4.

Besides planning for Exchanger Server failures, what other failures should you consider?

5.

In which scenarios might you use hardware load balancing with Edge Transport servers?

6.

To make a highly available Exchange Server 2010 organization, which components must be highly
available?

7.

How many networks should you use for a DAG?

Common Issues Related to Creating High Availability Edge Transport Solutions


Identify the causes for the following common issues related to high availability Edge Transport servers,
and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue
Inbound email is not being
delivered evenly across all of the
Edge Transport servers.
After deploying highly available
Edge Transport servers, outbound
email is being returned as
possible spam.

Troubleshooting tip

7-49

7-50

Implementing High Availability

Real-World Issues and Scenarios


1.

An organization has several branch offices with a small number of employees. However, the
organization needs to deploy a high availability solution in the remote offices. What configuration
can it deploy to meet it business needs?

2.

An organization uses a variety of service-level agreements for database availability for different
business units. It wants to minimize the number of mailbox servers it deploys. How can it do this?

Best Practices Related to Designing a High Availability Solution


Supplement or modify the following best practices for your own work situations:

Identify all possible failure points before designing a solution. Even the most elaborate and expensive
designs can have a simple and crippling failure point.

Document all of the components to the solution so that everyone involved in the deployment
understands how the solution is configured.

Follow change-management procedures. In some environments, it may be tempting to skip these


steps. However, not following proper change-management procedures often leads to extended,
unplanned downtime.

Use a client access array and load-balancing to make client access highly available.

If a Client Access server is also a member of a DAG, then use hardware-based load-balancing.

Ensure that Internet-accessible sites that proxy Client Access for multiple sites are highly available,
because their outage will affect many users.

When a mailbox database fails over to an alternate site for a short period of time, allow the clients to
continue using the client access array in the original site.

8-1

Module 8
Implementing Backup and Recovery
Contents:
Lesson 1: Planning Backup and Recovery

8-3

Lesson 2: Backing Up Exchange Server 2010

8-12

Lesson 3: Restoring Exchange Server 2010

8-22

Lab: Implementing Backup and Recovery

8-35

8-2

Implementing Backup and Recovery

Module Overview

Your Microsoft Exchange Server databases contain the messages for all of your users. Thus, these
databases contain the data that is most important for you to ensure is retained and backing up the
databases that contain these messages is one of your key concerns regarding your messaging system.
Sometimes users accidentally delete their emails, and you, as the administrator, must restore their
messages. This can take a long time.
Microsoft Exchange Server 2010 contains new backup and restore features such as Exchange Native Data
Protection that you should consider before using the traditional backup-to-tape approach that most
organizations use nowadays. This module describes backup and restore features of Exchange Server 2010,
and details what you need to consider when you create a backup plan.
After completing this module, you will be able to:

Plan backup and recovery.

Backup Exchange Server 2010.

Restore Exchange Server 2010.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

Lesson 1

Planning Backup and Recovery

Before deciding on which backup type you want to use and which software to buy, you first need to
consider your available options. Exchange Server 2010 provides many new options for backing up your
databases and restoring single items.
In this lesson, you will learn the important considerations for backing up and restoring Exchange Server
2010, so that you can create a good plan for your organization.
After completing this lesson, you will be able to:

Describe the importance of planning for disaster recovery.

Describe what you need to consider for highly available mailbox databases.

Explain what Exchange Native Data Protection is.

Identify and mitigate potential Exchange Server 2010 disasters.

Recover deleted items.

Describe backup and restore scenarios.

8-3

8-4

Implementing Backup and Recovery

Discussion: The Importance of Planning for Disaster Recovery

This discussion details the importance of disaster recovery planning and reviews your organizations
current disaster recovery plans.
Question: What current plan does your organization have for disaster recovery?
Question: What issues have you seen with your current disaster recovery process?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-5

Considerations for Highly Available Mailbox Databases

Before you can decide on what backup solution to use for Exchange 2010, it is important that you plan
your mailbox databases and storage solutions carefully. When planning a mailbox database deployment,
an organizations first critical decision is whether it should deploy database availability groups (DAGs) or
choose to implement standalone servers without any high availability solution. This decision will have a
significant impact on how the database and storage solution will be implemented.

Planning Mailbox Database Deployments Without DAGs


When organizations choose not to implement DAGs, the planning process for mailbox database
deployment is similar to the planning process for non-high available deployments in previous Exchange
server versions. With this type of deployment, organizations must understand that any type of failure will
result in downtime to their messaging solution, and they will have to restore their data and services by
using carefully planned backup procedures and strategies.
If your company chooses not to implement DAGs, then the following recommendations apply:

Backup policies. Because you only have one copy of the database, backup and restore becomes your
primary means of recovering from a database failure. This means that consistently backing up the
database is critical.

Mailbox database size. The maximum database size should be determined by the capacity of the
backup and restore process and the service level agreement (SLA) for recovering databases. The
Exchange 2010 Mailbox Server Role Requirements Calculator recommends 200 GB limit for databases
without DAGs.

Database and transaction log locations. With a single copy of the database, it is important that the
database and transaction logs be stored on separate drives, for performance and recovery reasons.

8-6

Implementing Backup and Recovery

Storage solution. With a single copy of the database, providing redundancy at the storage level is very
important. You should use SANs with high levels of redundancy to remove a single point of failure.
Use redundant array of independent disks (RAID) 5 to enhance performance and fault tolerance for
databases, RAID 1 to provide fault tolerance for transaction logs and databases, and RAID 10 for
transaction logs if there is high demand for performance.

Considerations for Planning Mailbox Database Deployments with DAGs


The planning process for the mailbox database deployment changes when organizations choose to
implement DAGs. When databases are stored on multiple servers, users may not even be aware of a server
or database failure. These companies might choose not to perform backup and use Exchange Native Data
Protection (described in the next topic) to protect their data. If your company chooses to deploy DAGs,
then the following recommendations apply:

Backup policy. With DAGs, high availability is provided by having multiple database copies, so backup
and restore becomes much less important. With a sufficient number of databases, companies can
consider performing backups on larger time intervals or can even remove backup procedures
completely.

Mailbox database size. Because of the decreased importance of backup and recovery, the primary
consideration for database size becomes how long it would take to reseed the database if one
copy is lost. As such, the databases can be much larger. The Exchange 2010 Mailbox Server Role
Requirements Calculator recommends up to 2 terabytes (TB) for databases when DAGs are used.

Database and transaction log locations. With multiple database copies, separating the databases and
transaction log files is less important. Companies may still choose to do so for performance reasons,
but it is not required for redundancy and recovery reasons. If backup is not performed in the
organization, you should enable circular logging to prevent transaction logs from filling up the disks.

Storage solution. With multiple database copies that provide redundancy, it is less important to
consider an expensive disk system, such as SAN. You will more likely use DAS because of its lower
cost. Furthermore, if your organization has three or more copies of the databases, then you will more
likely use Just a bunch of disks (JBODs).
Question: When would you want or need to create multiple databases?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-7

What Is Exchange Native Data Protection?

Compared to the previous Exchange Server versions, Exchange Server 2010 enables a much tighter
integration of high availability with disaster recovery, especially if the new Exchange Server 2010 high
availability features are sufficient to satisfy your backup requirements.
Exchange Server 2010 includes a new feature called Exchange Native Data Protection that allows you to
reduce or completely remove your traditional backup solutions for mailboxes and Exchange servers. You
should carefully consider whether this feature meets your disaster recovery requirements. Exchange
Native Data Protection includes the following features:
1.

High availability minimizes downtime and data loss. If Exchange Server 2010 DAGs are the primary
means of disaster recovery, their high availability features allow you to minimize downtime and data
loss in the event of a mailbox database or Mailbox server failure. With DAGs, you can spread database
copies across multiple data centers or Active Directory Domain Services (AD DS) sites, which allows
you to address data center failures, and maintain offsite copies of a database. In some cases, it can be
less expensive to provide multiple copies of databases than it is to backup up very large databases.

2.

Single item recovery and litigation hold policies for recovering deleted messages. In Exchange Server
2010, single item recovery ensures that all deleted and modified items are preserved so that you can
recover them. Users can no longer completely purge items from their mailboxes. Legal (or litigation)
hold preserves electronically stored information such as email messages so that users cannot delete
them. This feature replaces the necessity of performing a restore when a user deletes messages from
a mailbox when a compliance requirement requires investigating that mailbox.

3.

Point-in-time database recovery with lagged copies of mailbox databases. When you configure a
mailbox database copy, you can configure the database copy to delay replaying the log files for as
many as 14 days. Thus, you continuously maintain a database in the state it was in during the
previous days or weeks. This means that if you have an issue with your current database, such as a
script changing many items at once, you can revert to a lagged database copy and commit the
transaction logs to a specific time.

8-8

Implementing Backup and Recovery

4.

Archive mailboxes, retention and archive policies, and Multi-Mailbox Search for managing large
mailboxes. By configuring archive mailboxes, you can provide users with a storage location for old
messages. You can also automate the process of managing messages in user mailboxes, including
moving messages into the archive mailbox, by configuring retention and archive policies. All of the
messages are available to the user, and can also be accessed through Multi-Mailbox Search.

As you consider implementing these features, you should evaluate the cost of your current backup
infrastructure, including hardware, installation, and license costs, and the management cost associated
with recovering data and maintaining the backups. Additionally, you should determine the SLAs for
protecting against and recovering from data lose or service failures. Depending on your organizations
backup requirements and SLAs, Exchange Server 2010 Native Data Protection may provide lower total
cost of ownership (TCO) than a traditional backup environment while at the same time ensuring that you
comply with the SLAs.
Even though it may appear that highly available deployments no longer require traditional backups, you
may still require them in your environment. Integrating high availability features as an alternative to
backups only works for the mailbox database, not for other Exchange Server resources, such as the Hub
Transport configuration. You still may need to consider using traditional backup for your other Exchange
2010 server roles.
Question: Would Exchange Native Data Protection be an option for your organization?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-9

Disaster Mitigation Options in Exchange Server 2010

As you prepare to implement disaster-recovery solutions in Exchange Server 2010, you first must identify
the potential risks to the Exchange Server environment, and then identify the options for mitigating those
risks. The following table lists potential risks and the Exchange Server 2010 options for mitigating the risks.
Risks
Loss of a single
message

Risk mitigation strategies

Loss of a single mailbox

Loss of a database or
server

Configure single item recovery by using the Recoverable Items folder.


This option is described in the topic Options for Recovering Mailbox
Data and Databases later in this module.
Recover messages from backup by using the recovery database.
Configure mailbox-retention settings to ensure that you can recover
most deleted mailboxes before they are deleted permanently.
Recover mailbox by using the recovery database.
Create a DAG on another server.
Back up the Exchange Server 2010 data, and recover lost mailbox
databases from backup.
Install Exchange Server 2010 with /m:RecoverServer.

Loss or corruption of a
mailbox database

Create a lagged database copy in a DAG environment.


Back up the Exchange Server 2010 data, and recover lost mailbox
databases from backup.

Loss of a public folder


database

Implement public folder replicas on other computers running Exchange


Server 2010.

Question: What mitigation strategy can you follow to be able to recover single messages for
a mailbox?

8-10

Implementing Backup and Recovery

Demonstration: Recovering Deleted Items

In this demonstration, you will review how to configure the global hold policy for recoverable items, so
that you can recover a deleted folder by using the Discovery Search Mailbox.

Demonstration Steps
1.

On VAN-EX1, at the Exchange Management Shell prompt, type


Set-Mailbox Scott SingleItemRecoveryEnabled $true, and then press Enter.

2.

At the Exchange Management Shell prompt, type New-ManagementRoleAssignment -Role


Mailbox Import Export -User adatum\administrator, and then press Enter.

3.

In the Exchange Management Console, assign the Administrator account full access permissions to
the Discovery Search Mailbox.

4.

In Scott MacDonalds mailbox, create a new folder, populate that folder with messages, delete the
folder, purge them from the Deleted Items folder, and clean the Recover Deleted Items.

5.

Login to Microsoft Outlook Web App as Administrator, change to Options and in the Select what
to manage drop-down list, select My Organization.

6.

In the Administrator Roles tab, add Administrator to the Discovery Management role.

7.

Logout and login to Outlook Web App as Administrator, change to Options and in the Select what
to manage drop-down list, select My Organization.

8.

Define a Mailbox Search with the following settings:

Mailboxes to Search: Scott MacDonald

Search name: Scott Recovery

Copy the search results to the destination mailbox: Checked

Select a mailbox in which to store the search results: Discovery Mailbox

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9.

Enable deduplication: Unchecked

Send me an email when the search is done: Checked

Open the Discovery Search Mailbox, and verify that it contains the deleted message.

10. Use the Search-Mailbox Discovery Search Mailbox -TargetMailbox Scott -TargetFolder
Restored Items cmdlet to recover the deleted items to its original mailbox.
11. Verify that the message was recovered by accessing Scott MacDonalds mailbox.
Question: What is the benefit of using this feature to recover mailboxes compared to
existing brick-level backup solutions?

8-11

8-12

Implementing Backup and Recovery

Lesson 2

Backing Up Exchange Server 2010

Backing up your companys data is the most serious task in your Exchange Server installation. You cannot
recover necessary data if you have not backed it up correctly. In this lesson you will learn the different
ways that you can back up data with Exchange Server 2010.
After completing this lesson, you will be able to:

Describe the backup changes in Exchange Server 2010.

Describe the backup requirements for Exchange Server 2010.

Describe how a Volume Shadow Copy Service (VSS) backup works.

Select an Exchange Server backup solution.

Back up Exchange Server 2010.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-13

Changes to Backup in Exchange Server 2010

Exchange Server 2010 changes to the backup application-programming interface (API) and the underlying
database structure affects how you backup the Exchange Server database.

Removal of ESE Streaming APIs for Backup and Restore


Previously, Exchange Server used Extensible Storage Engine (ESE) streaming APIs for backup and restore.
Now, Exchange Server 2010 supports only VSS-based backups. To back up and restore Exchange Server
2010, you must use an Exchange Server-aware application that supports the VSS writer, such as Microsoft
System Center Data Protection Manager or a third-party Exchange Server-aware, VSS-based application.

Storage Group Removal


One significant change in Exchange Server 2010 is the removal of storage groups. In Exchange Server
2010, each database is associated with a single log stream as represented by a series of 1 megabyte (MB)
log files. Each Mailbox server can host up to 100 active and passive databases.

Database Not Closely Linked to a Specific Mailbox Server


Another significant change for Exchange Server 2010 is that databases no longer link closely to a specific
Mailbox server. Database availability groups expand the systems use of continuous replication, by
replicating a database to multiple servers. This provides better database protection and increases
availability. If failures occur, the other servers with database copies can mount the database.

Use DAGs to Implement Exchange Native Data Protection


Because you can have multiple database copies hosted on multiple servers, you also should consider using
Exchange Native Data Protection for your Exchange Server organization in which you enable circular
logging on your databases. This removes the transaction log files so they do not pile up. Transaction log
files are removed when you do a full Exchange Server backup. Circular logging accomplishes the same
task when using Exchange Native Data Protection.

8-14

Implementing Backup and Recovery

Backup Requirements for Exchange Server 2010

The backup requirements for Exchange Server 2010 computers differ depending on the Exchange server
roles that you install on the computers. The following table lists the information that you need to back up
for each Exchange server role:
Exchange server role

Backed-up data

Purpose

All roles

System State of server and


AD DS domain controllers

System State includes the local


configuration data of the machine
AD DS stores most Exchange Server
configuration information, which is required
to rebuild the server using Recover Server
mode

Mailbox server

Databases and transaction


logs

Restore data if a database or storage group


is lost

Client Access server

Server certificates used for


Secure Sockets Layer (SSL)
Specific Internet
Information Server (IIS)
configuration

Restore the server certificate on a new Client


Access server
Restore IIS configuration

Hub Transport server,


Edge Transport server

Message-tracking logs

Restore tracking information for analysis

Edge Transport server

Content-filtering database

Restore the content-filtering configuration


Restore the Edge Transport server
configuration by enabling edge
synchronization

Unified Messaging
server

Custom audio prompts

Restore audio prompts

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-15

The Exchange Server environment includes additional information, such as the Offline Address Book,
availability data that a local folder stores, and other configuration data. This information is rebuilt
automatically when you rebuild the Exchange Server environment. AD DS store much of the
configuration information, which you can restore only if an AD DS is available. You must ensure that your
disaster-recovery planning includes backing up and restoring AD DS.

8-16

Implementing Backup and Recovery

How Does a VSS Backup Work?

Microsoft Exchange Server 2007 and Microsoft Exchange Server 2003 include two different options
for data backup and recovery: ESE streaming backup APIs and support for the VSS backup APIs. ESE
streaming APIs are not available in Exchange Server 2010, thus you must back up Exchange Server with
VSS backup APIs.

What Is VSS?
VSS provides the backup infrastructure for Windows Server 2008, as well as a mechanism for creating
consistent point-in-time data copies, known as shadow copies.
VSS produces consistent shadow copies by coordinating with business applications, file-system services,
backup applications, fast-recovery solutions, and storage hardware. It includes the following components:

Writer. The VSS writer that is included with Exchange Server 2010 and that coordinates Exchange
Server 2010s input/output (I/O) with VSS.

Requestor. Backup or restore application, such as Windows Server Backup.

Provider. Low-level system or hardware interfaces, such as Storage Area Networks (SANs).

How VSS Backup Works


Backup solutions that use VSS create a shadow copy of the disk as the backup process begins. Then,
Exchange Server creates the backup with the shadow copy rather than the working disk, so that backup
does not interrupt normal operations.
This method offers the following advantages:

It produces a backup of a volume that reflects that volumes state when the backup begins, even if
the data changes while the backup is in progress. All the data in the backup is internally consistent,
and it reflects the volumes state at a single point in time.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-17

It notifies applications and services that a backup is about to occur. The services and applications,
such as Exchange Server, therefore can prepare for the backup by cleaning up on-disk structures and
flushing caches.

Exchange Server Support for VSS Backup


To perform a VSS backup, you must enable the VSS on the Exchange server, and the third-party backup
solution must support the VSS backup and restore APIs.
Exchange Server 2010 support for VSS has the following limitations:

VSS support is at the database level.

VSS support is for normal backups and copy backups, but not for incremental or differential backups.

8-18

Implementing Backup and Recovery

Selecting an Exchange Server Backup Solution

When selecting a backup solution for Exchange Server, you must consider your systems characteristics
and those of the software and hardware.

System Characteristics
System characteristics to consider include:

The amount of data you are backing up.

The time window in which the backup can occur.

The type of backup you are performing.

Recovery time requirements.

Archiving requirements.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-19

Backup Software Selection Criteria


The following table provides some basic criteria for selecting backup software. Select the software that
best meets the needs of your Exchange Server deployment and disaster-recovery requirements.
Selection criteria

Explanation

Backup architecture

Your backup software should provide support for any operating systems that
you have. Additionally, the backup software should be able to back up
Exchange Server to your desired media, either on the local computer or over
the network. Windows Server Backup is not capable of backing up to a remote
tape drive.

Scheduling

Your backup software should support the ability to schedule backups that you
require for your organization. Most backup software allows you to schedule
jobs at any time you require. However, it is easier to configure in some software
packages.

Brick-level backup
support

If desired, ensure that your software supports brick-level backups.

Exchange Server VSS


API support

Your backup software must support the Exchange Server Backup VSS API to
perform online backups successfully.

Tape management

Different backup software has varying degrees of flexibility for tape


management. This includes automated naming of blank tapes and preventing
existing tapes from being overwritten accidentally.

Vendor support

Vendor support is essential if you experience any problems during disaster


recovery. Ensure that vendor support is available for your backup software.

Disaster-recovery
support

Some backup software has a disaster-recovery option that provides complete


disaster recovery for a failed server, including Exchange Server.

Hardware support

Your backup software must support the technologies that your company uses,
including clustering or SANs.

Windows Server Backup


When you install the Exchange Management Console on a server running Windows Server 2008, it
updates Windows Server Backup to support Exchange Server 2010. Windows Server 2008 enables you to
perform VSS-based backups of Exchange Server data.
For many smaller organizations, Windows Server Backup provides a sufficient solution. However, larger
organizations may require a more robust backup strategy. Windows Server Backup limitations include:

Backups only performed at volume level. You can only perform full backups, not incremental or
differential backups.

Backup support for active databases but not passive databases.

Only available for Windows Server 2008 or Windows Server 2008 R2.

Windows Server Backup command-line tools are not compatible with Exchange Server 2010.

8-20

Implementing Backup and Recovery

Backup Hardware Selection Criteria


The two most common types of backup hardware are tape and disk. Which you use depends on your
requirements. The following table lists the characteristics of using a tape or disk for backup:
Characteristic

Tape

Disk server

Portable disk

Speed

Slower

Faster

Faster

Capacity

Up to 400 GB per tape


(Tape libraries allow the use of multiple tapes.)

Large

1+ terabyte (typical)
per disk

Off-site storage

Yes

Typically no Yes

Media
durability

Excellent

Excellent

OK

Many organizations use disk-based backup as the first tier, and then utilize tape as a second tier. This
allows you to perform primary backups quickly to disk. Typically, any data that you need to archive off site
is backed up to tape from the disk backup.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-21

Demonstration: How to Back Up Exchange Server 2010

In this demonstration, you will review how to install the Windows Server Backup program and how to use
Windows Server Backup to back up Exchange Server 2010. You will also use the Event Viewer to verify that
the Exchange Server databases were backed up correctly.

Demonstration Steps
1.

In Server Manager, add the Windows Server Backup feature.

2.

In Windows Server Backup, create a backup set to back up the C: drive and run the backup.

3.

In Event Viewer, verify that the Exchange Server databases are part of the backup and that they have
been backed up successfully.
Question: Do you plan to can use Windows Server Backup as your primary Exchange Server
backup solution?

8-22

Implementing Backup and Recovery

Lesson 3

Restoring Exchange Server 2010

Another important component in ensuring availability of email services is planning for recovery.
Organizations that implement high availability solutions still need to plan for scenarios in which the high
availability solutions are not enough. These scenarios might include something as minor as needing to
recover a single mailbox or message, to something as catastrophic as losing an entire data center. This
lesson discusses how to restore Exchange Server 2010.
After completing this lesson, you will be able to:

Repair an Exchange database corruption.

Describe restore strategies.

Describe the process to recover data by using the recovery database.

Recover data by using the recovery database.

Describe dial-tone recovery.

Implement dial-tone recovery.

Recover computers that run Exchange Server.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-23

Repairing Exchange Database Corruption

In Exchange Server 2003 and Exchange Server 2007, you can repair a mailbox or a public folder with the
Information Store Integrity Checker (Isinteg.exe) tool. To repair mailboxes, you need to dismount the
mailbox database on which that mailbox resides, and run the fixes while the database is offline.
Exchange Server 2010 does not use Isinteg.exe. Instead, you use the New-MailboxRepairRequest cmdlet
to detect and repair a corrupted mailbox while leaving the mailbox database online. This cmdlet was
introduced with Exchange Server 2010 Service Pack 1 (SP1). For public folders, you need to use the NewPublicFolderDatabaseRepairRequest cmdlet to detect and correct replication issues in the public folder
database.
Note Once you use these cmdlets to begin the repair process, you can stop the process
only by dismounting the database.

The New-MailboxRepairRequest Cmdlet


Use the New-MailboxRepairRequest cmdlet to detect and fix mailbox corruptions. You can run this
cmdlet against a mailbox or against a database. During the repair process, only the current mailbox being
repaired is inaccessible; all other mailboxes in the database remain operational.
The New-MailboxRepairRequest cmdlet detects and fixes the following types of mailbox corruptions.
Corruption type

Description

SearchFolder

Detects and fixes Search folder corruptions.

AggregateCounts

Detects and fixes aggregate counts on folders that are not reflecting the correct
values.

FolderView

Detects and fixes views on folders that are not returning the correct contents.

ProvisionedFolder

Detects and fixes provisioned folders that are pointing incorrectly into parent
folders that are not provisioned.

8-24

Implementing Backup and Recovery

For example, the following cmdlet detects and repairs all corrupt items for user Christines mailbox:
New-MailboxRepairRequest -Mailbox Christine -CorruptionType
ProvisionedFolder,SearchFolder,AggregateCounts,Folderview

The New-PublicFolderDatabaseRepairRequest Cmdlet


The New-PublicFolderDatabaseRepairRequest cmdlet detects and fixes replication issues in public
folder databases. This cmdlet always runs against a public folder database. During the repair process, only
the public folder currently being repaired is inaccessible. The public folder database itself is available.
The New-PublicFolderDatabaseRepairRequest cmdlet detects and fixes replication state corruptions
(ReplState).
For example, the following cmdlet detects and repairs all corrupt items for the Public Folder Database 1
public folder database:
New-PublicFolderDatabaseRepairRequest Database Public Folder Database 1
CorruptionType ReplState

Question: In your Exchange Server environment, you experience corrupt mailbox items.
What can you do to remove these corrupt items from the mailboxes?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-25

Restore Strategies

You can use several strategies to restore Exchange Server data. The strategy that you select depends upon
the data that you need to recover.

Hold Policy and Single Item Recovery


This is a new Exchange Server 2010 feature. When you enable the Single Item Recovery feature for a
mailbox, it keeps items that are purged from the Deleted Items folder in a new dumpster folder for a
specific time. This folder is not accessible to the end user, but it is accessible to administrators assigned to
the Discovery Management role. Essentially, you can ensure that items are not deleted for the duration
that you typically keep backups.

Deleted Mailbox Retention


By default, the mailbox database stores deleted mailboxes for 30 days. Within those 30 days, you can
reconnect the mailbox to another account and access its messages. After you connect the mailbox to an
account, the deleted mailbox retention period restarts if the mailbox is deleted again.
You can extend the deleted mailbox retention period on mailbox databases. However, extending the
deleted mailbox retention period causes the mailbox database to grow to hold the additional deleted
mailboxes.
You can permanently delete mailboxes with the Removemailbox Permanent True cmdlet.

Database Restores
Restoring a database overwrites the existing database with a restored copy of the database. After you
restore the database, you can replay the current transaction logs to bring the database to its current state.
You typically restore a database when it becomes corrupt or a disk fails.
This type of restore affects all user mailboxes in the database. It is not suitable for recovering a mailbox or
deleted items, because replaying the transaction logs deletes the items again. Additionally, replaying the
transaction logs can take a long time.

8-26

Implementing Backup and Recovery

Recovery Database
The recovery database restores databases without affecting current mailboxes. After you restore a
database to the recovery database, you can copy messages to a folder or merge them into user mailboxes.
This type of restore recovers mailbox content for a single mailbox, without affecting other users. However,
the recovery database has the following requirements and characteristics:

The server must have enough free disk space to restore the database. Effectively, there must be
enough total storage space on the server to store two database copies simultaneouslythe live
version and the restored version.

The server does not support public folder databases.

Dial-Tone Recovery
Dial-tone recovery is the process of implementing user access to email services without first restoring data
to user mailboxes. Dial-tone recovery enables users to send and receive email as soon as possible after a
database or server loss. This module discusses dial-tone recovery in more depth later.

Recovery Server
A recovery server is a dedicated server for restoring Exchange Server databases. This can be useful to test
backups to ensure they are capturing functions properly. However, improvements in recovery-database
performance reduces the requirement to use a recovery server for data recovery.
You install a recovery server in a completely separate forest from your production Exchange Server
organization. When you install the recovery server, you must configure it the same as the original server,
including the organization name, storage group name, and logical database name. Between the original
server and the recovery server, the LegacyExchangeDN attribute also must match.
Note For more information about the LegacyExchangeDN attribute, see the Microsoft
Knowledge Base article XADM: How to Use Legacydn.exe to Correct Exchange
Organization or Administrative Group Name.
After you restore a database to the recovery server, you can connect mailboxes on the recovery server to
users, and then save messages to a personal folder (.pst) file. Then you can import the PST file into a
mailbox on the production Exchange server.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-27

Process for Recovering Data by Using the Recovery Database

The recovery database is a recovered database that can coexist on the same server that hosts the original
database. Users cannot access it directly. Only administrators can access it to recover single items, folders,
mailboxes, or complete databases from the recovery database.
The recovery database replaces the recovery storage group from previous Exchange Server versions.
You can use the Exchange Management Shell to create a recovery database.

Recovering Data by Using the Recovery Database


To recover data by using the recovery database, complete the following steps:
1.

Restore the database that you want to recover.

2.

Use the Exchange Management Shell to create a new recovery database.

3.

Mount the recovery database, and merge the data from the recovery database mailbox into the
production mailbox. You can use the Exchange Management Shell restoremailbox cmdlet to
perform this task.

When to Use the Recovery Database


You can use the recovery database in the following scenarios:

Dial-tone recovery. When you implement dial-tone recovery, you set up a dial-tone mailbox database
on the same server or on an alternate server to provide temporary access to email services. You then
use the recovery database to restore the temporary data into the production database after you
recover the original database from backup.

Individual mailbox recovery. You can recover individual mailboxes by restoring the database that
holds the mailbox to the recovery database. Then you can extract the data from the deleted mailbox,
and copy it to a target folder or mailbox in the production database.

8-28

Implementing Backup and Recovery

Specific item recovery. If a message no longer exists in the production database, you can recover the
database that held the message to the recovery database. Then you can extract the data from the
mailbox and copy it to a target folder or mailbox in the production database. However, you also
should consider by using hold policy for this situation, as recovering the database might be time
consuming.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-29

Demonstration: How to Recover Data by Using the Recovery Database

In this demonstration, you will review how to create a recovery database and how to restore data to the
recovery database.

Demonstration Steps
1.

Use Windows Server Backup to restore the Exchange Server databases to C:\DBBackup.

2.

At the Exchange Management Shell prompt, type New-MailboxDatabase


-Name RecoverDB -Server VAN-EX1 -EDBFilePath c:\DBBackup
\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting
\Accounting.edb -Logfolderpath c:\DBBackup\C_\Program Files
\Microsoft\Exchange Server\V14\Mailbox\Accounting -Recovery, and then press Enter. This
command creates the recovery database using the recovered Accounting database.

3.

Use the eseutil /p c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox


\Accounting\Accounting.edb command to repair the recovered database.

4.

At the Exchange Management Shell prompt, type Mount-Database RecoverDB, and then press
Enter.

5.

Use the Get-MailboxStatistics -Database RecoverDB command to display the mailboxes in the
recovery database.

6.

At the Exchange Management Shell prompt, type New-MailboxRestoreRequest -Identity


MichiyoSato -RecoveryDatabase RecoverDB, and then press Enter.
Question: What is the difference between using Single Item Recovery and performing a
restore by using the recovery database?

8-30

Implementing Backup and Recovery

What Is Dial-Tone Recovery?

Dial-tone recovery is the process of implementing user access to email services without first restoring data
to user mailboxes. Dial-tone recovery enables users to send and receive email as soon as possible after a
database or server loss. Users can send and receive email messages, but they do not have access to the
historical mailbox data. You then can recover the database or server, and restore the historical mailbox
data. After you bring the recovered database back online, you can merge the dial-tone database and the
recovered database into a single up-to-date mailbox database.

When to Use Dial-Tone Recovery


Use the dial-tone recovery method when it is critical for users to regain messaging functionality quickly
after a mailbox server or database fails, and when you cannot restore historical data from a backup
quickly enough. The loss may result from hardware failure or database corruption. If the server fails, it will
take significant time to rebuild the server and restore the databases. If you have a large database that
fails, it may take several hours to restore the database from backup.
If the original mailbox server remains functional, or if you have an alternative mailbox server available, you
can restore messaging functionality within minutes by using dial-tone recovery. This enables continued
email use while you recover the failed server or database.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-31

Process for Implementing Dial-Tone Recovery

There are several dial-tone recovery scenarios. However, all scenarios follow the same general steps.

Implementing Dial-Tone Recovery


Follow these general steps to implement dial-tone recovery:
1.

Create the dial-tone database. For messaging client computers to regain functionality as quickly as
possible, create a new database for the client computers. There are two methods for creating the dialtone database:
a.

Create the dial-tone database on the same server as the failed database. Use this method if the
drive that contained the database failed or if the database is corrupt.

b.

Create the dial-tone database on a different server than the failed database. Use this method to
utilize a different server as a recovery server or if the original server fails.

2.

If necessary, configure the mailboxes that were on the failed database to use the new dial-tone
database. You must configure the mailboxes to use the new database if you create the dial-tone
database on a different server.

3.

If necessary, configure the Microsoft Office Outlook client profiles:

If the server with the failed database is operational, you do not need to reconfigure Office
Outlook client computers to use the new mailbox database. When the Outlook client computer
tries to connect to the mailbox, the client profile reconfigures automatically to use the mailbox
database on the original or new Mailbox server.

If the original server is not available, and you are using AutoDiscover for Outlook 2007 client
computers, the user profile updates automatically.

If you are using previous Outlook client computers, you need to reconfigure the user profiles
manually to use the new server.

8-32

Implementing Backup and Recovery

If users are using Outlook Web App, they will connect automatically to their mailboxes when
they access Outlook Web App on a Client Access server.

Note At this point, users can connect to their mailboxes in the dial-tone database. The
dial-tone database does not contain any data, so the mailboxes will be empty. Additionally,
the database does not retain user-specific settings, such as folder hierarchy, Inbox rules,
meetings, and contacts. However, users should have messaging functionality. If the client
computers are running Outlook 2007 or Outlook 2003, and you configure the client
computers to run in cached mode, users receive a prompt to connect or work offline when
they connect to the dial-tone database. If users choose to connect to the server, they will
see an empty mailbox (local cached copy is replaced with the empty mailbox). If they
choose to work offline, they will see all of the historical data stored in the offline folders
(.ost) file.
4.

Restore the failed databases from backup. After the dial-tone database is operational and you
reconfigure the client computers to use the new database, if necessary, you can work on restoring the
failed database. If the original server is operational, you can restore the database on the failed server
by using a recovery database. If the original server is not operational, you can recreate the failed
database on another server, and then restore both to the new server.

5.

Merge the data in the two databases. Because you have restored messaging functionality by
implementing the dial-tone database, users will be sending and receiving email while you are
restoring the original databases. When the recovery is complete, users should be able to access both
the original and the dial-tone data. This means that you must merge the contents of the dial-tone
database with those of the original database. To do this, you will use the recovery database.

Best Practice
You should merge the dial-tone database into the original database. Be sure to initiate the merge in the
correct direction. The dial-tone database is likely to be much smaller than the original database, so the
merge will happen relatively fast. Not all of the features from the original mailbox will be available in the
dial-tone database. For example, any rules or forms that the user configured will not be available. For a
full list of features that you cannot recover during a dial-tone recovery, see the article Considerations and
best practices when resetting an Exchange mailbox database on the Microsoft Help and Support website.
This article also provides suggestions on how to recover these features. Note, however, that these client
features are restores if you merge the dial-tone database into the original database.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-33

Process for Recovering Computers That Run Exchange Server

When recovering a failed Exchange Server, you have several options. The option you choose determines
the process that you use to restore the server.

Exchange Server Recovery Options


When you need to replace a failed server, you have the following options:

Restore the server. You can restore the server from a full computer backup set, and then restore
your Exchange Server information. When you restore a server, you are reproducing the server
configuration, including the server security identifier. This option is feasible only if you have a full
server backup, including the System State backup, and you have replacement hardware that is very
similar to the failed server. You would also use this option when you have an Exchange 2010 server
that has many custom configurations to it such as a Client Access Server (CAS) server role that uses
Windows Load Balancing for high availability, and also includes certificates with Outlook Web Access
redirection settings.

Rebuild the server. This option involves performing a new installation of Windows Server and an
Exchange Server 2010 installation in Recover Server mode, which gathers the previous settings
from AD DS and then you can restore your Exchange Server databases. This option is used most
often to recover standardized Exchange servers such as Mailbox or Hub Transport servers as their
configuration is mainly stored in AD DS. Additionally, we recommend that you use this method, which
the next section details, to recover a server.

Use a standby server. You can use a standby recovery server as part of the Mailbox server recovery
strategy. This option involves keeping recovery servers available with the operating system and other
software installed. Having available standby recovery servers reduces the time you need to rebuild a
damaged server.
Note We recommend that you do not use the restore server option for recovering
Exchange servers. Instead, you should rebuild the server by using the Recover Server
installation mode.

8-34

Implementing Backup and Recovery

What Is Recover Server Mode?


If an Exchange server fails, and is unrecoverable and needs replacement, you can perform a server
recovery operation. Exchange Server 2010 Setup includes a switch called /m:RecoverServer that you can
use to perform the server recovery operation.
Running Exchange Server Setup with the /m:RecoverServer switch causes Setup to read configuration
information from AD DS for the server with the same name as that from which you are running Setup.
Once you gather the servers configuration information from AD DS, the original Exchange Server files and
services are installed on the server, and the Exchange server roles and settings that AD DS stored then are
applied to the server.
Important When you run Exchange Server Setup in Recover Server mode, it must be able
to connect to AD DS, and read the Exchange Server configuration information that links to
the name of the computer that is running Exchange Server. This means that the computer
account still must exist in AD DS. If you delete the computer account, you will not be able to
restore the Exchange Server.

Restoring a Server by Using Recover Server Mode


The steps for restoring a member server running Exchange Server 2010 are:
1.

Install Windows Server 2008 on the computer that you are rebuilding. Use the same computer name
as the failed server. On the server that you are rebuilding, install any Windows Server 2008 service
packs and software updates that the damaged server was running.

2.

Reset the AD DS computer account for the failed server. After resetting the account, join the
computer to the domain.

3.

Install Exchange Server on the computer by running Exchange Server 2010 Setup in Recover Server
mode. To do this, run Setup /mode:RecoverServer from the Exchange Server installation files.

4.

If you are recovering a Mailbox server, and the drives that contain the Exchange Server database files
and log files were lost, restore the Exchange Server 2010 databases and transaction logs to the server.
If you are recovering another server role, recover the role-specific information.
Note The Recover Server mode installation can recover only server configuration data that
AD DS stores. This means that the rebuild may not preserve every custom setting, or restore
data, such as custom scripts, that may have existed on the failed server. Therefore, you
should be prepared to recreate any Exchange Server configuration settings or files that you
cannot recover from AD DS.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-35

Lab: Implementing Backup and Recovery

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2.

Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and the 10135B-VAN-SVR1 virtual machines are
running:

10135B-VAN-DC1: Domain controller in the Adatum.com domain

10135B-VAN-EX1: Exchange 2010 server in the Adatum.com domain

10135B-VAN-SVR1: Standalone server

3.

If required, connect to the virtual machines. Log on to VAN-DC1 and VAN-EX1 as


Adatum\Administrator, using the password Pa$$w0rd.

4.

Log on to VAN-SVR1 as Administrator, using the password Pa$$w0rd.

5.

In Microsoft Hyper-V Manager, click VANSVR1, and, in the Actions pane, click Settings.

6.

Click DVD Drive, click Image file, and then click Browse.

7.

Browse to C:\Program Files\Microsoft Learning\10135\Drives, click Exchange2010SP2.iso, and


then click Open.

8.

Click OK.

9.

On VAN-SVR1, close the AutoPlay dialog box.

8-36

Implementing Backup and Recovery

Lab Scenario
You are a messaging administrator for A. Datum Corporation. Your organization has deployed Exchange
Server 2010. You now want to ensure that all Exchange Server-related data is backed up and that you can
restore not only the full server or database, but also a mailbox or mailbox folder.

Exercise 1: Backing Up Exchange Server 2010


Scenario
You must create a backup of your Exchange Server 2010 mailbox database to ensure that you can restore
it when necessary.
The main tasks for this exercise are:
1.

Populate a mailbox.

2.

Perform a backup of the mailbox database by using Windows Server Backup.

3.

Delete a message and a mailbox.

X Task 1: Populate a mailbox


1.

On VAN-EX1, log on to Parnas mailbox by using Outlook Web App. Use the logon name
Adatum\Parna and the password Pa$$w0rd.

2.

Send a message to George with the subject Message before Backup.

3.

Restart the Microsoft Exchange Information Store service.

X Task 2: Perform a backup of the mailbox database by using Windows Server Backup
1.

Use Server Manager to install Windows Server Backup.

2.

Perform a custom backup of the C:\ drive by using a VSS full backup. Store the backup files on
\\VAN-DC1\Backup.

X Task 3: Delete messages in mailboxes


1.

Log on to Georges mailbox by using the logon name Adatum\George and the password Pa$$w0rd,
and then delete the message from Parna.

2.

Log on to Parnas mailbox by using the logon name Adatum\Parna and the password Pa$$w0rd,
and then delete all messages from the Sent Items folder.

Results: After this exercise, you should have created a backup of an Exchange Server database, and
deleted messages.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-37

Exercise 2: Restoring Exchange Server Data


Scenario
Some of your users complain that they are missing messages from their mailboxes. You now need to use
the backup you created to recover their messages.
The main tasks for this exercise are:
1.

Restore the database by using Windows Backup.

2.

Create a recovery database by using the backup files.

3.

Recover a mailbox from the recovery database.

X Task 1: Restore the database by using Windows Backup

On VAN-EX1, using Windows Server Backup, recover the Exchange Server databases to an alternate
location: C:\DBBackup.

X Task 2: Create a recovery database by using the backup files


1.

On VAN-EX1, create a recovery database by using the restored database in C:\DBBackup. Use the
following command to create the recover database:
New-MailboxDatabase -Name RecoverDB -Server VAN-EX1 -EDBFilePath
c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14
\Mailbox\Accounting\Accounting.edb -Logfolderpath c:\DBBackup
\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox
\Accounting-Recovery

2.

In Exchange Management Shell, switch to the c:\dbbackup\c_\Program Files\Microsoft


\Exchange Server\v14\Mailbox\Accounting directory, enter the following command in the PS
prompt, and then press Enter:
eseutil /R E02 /i /d

3.

Mount the recovery database by using the Mount-Database RecoverDB command.

4.

List all mailboxes that are in the recovery database by using the Get-MailboxStatistics -Database
RecoverDB command.

X Task 3: Recover a mailbox from the recovery database


1.

On VAN-EX1, recover a mailbox by using the Restoremailbox -Identity Parna -RecoveryDatabase


RecoverDB cmdlet.

2.

Verify that you restored the message in the Sent Items folder by logging onto Parnas mailbox.

3.

Use the Removemailboxdatabase -Identity RecoverDB command to remove the RecoverDB


database.

Results: After this exercise, you should have created a recovery database, and restored a complete
mailbox from the recovery database to their original locations.

8-38

Implementing Backup and Recovery

Exercise 3: Restoring Exchange Servers (optional)


Scenario
After a hard-disk malfunction, one of your Exchange servers no longer is operational. You have a full
backup of the computer and the mailbox databases, so you need to restore everything to a newly
installed computer.
The main tasks for this exercise are:
1.

Shutdown VAN-EX1 and reset the computer account.

2.

Prepare VAN-SVR1 as VAN-EX1.

3.

Install Exchange Server 2010 with the RecoverServer mode.

4.

Recover the mailbox databases from backup.

5.

Test the recovery.

X Task 1: Shutdown VAN-EX1, and reset the computer account


1.

In Hyper-V Manager, revert VAN-EX1 to the previous snapshot.

2.

Using Active Directory Users and Computers, reset the VAN-EX1 computer account.

X Task 2: Prepare VAN-SVR1 as VAN-EX1


1.

Rename VAN-SRV1 to VAN-EX1.

2.

Join the computer to ADATUM domain.

X Task 3: Install Exchange Server 2010 with the RecoverServer mode


1.

On the new VAN-EX1 server, run d:\setup /m:RecoverServer.

2.

In Exchange Management Console, change Database Properties to This database can be


overwritten by a restore for all databases on the VAN-EX1.

X Task 4: Recover the mailbox databases from backup

Use Windows Server Backup to recover the Exchange Server databases.

X Task 5: Test the recovery


1.

On the restored VAN-EX1, in the Exchange Management Console, mount the mailbox databases and
public folder database.

2.

On VAN-DC1, open Internet Explorer and connect to https://VAN-EX1.adatum.com/owa. Log on


as Adatum\Parna with the password Pa$$w0rd, and then verify that the mailbox is accessible and
that all messages have been restored.

Results: After this exercise, you should have recovered a complete Exchange server by using a different
Windows Server, renaming it, installing Exchange Server in /m:RecoverServer mode, and recovering the
Exchange Server database from a backup. You have also tested the recovery.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

8-39

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1.

On the host computer, start Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

4.

In the Virtual Machines pane, click 10135B-VAN-DC1, and then in the Actions pane, click Start.

5.

To connect to the virtual machine for the next modules lab, click 10135B-VAN-DC1, and then in the
Actions pane, click Connect.
Important Start the VAN-DC1 virtual machine first, and ensure that it is fully started
before starting the other virtual machines.

6.

Wait for VAN-DC1 to start, and then start VAN-EX1. Connect to the virtual machine.

7.

Wait for VAN-EX1 to start, and then start VAN-EX2. Connect to the virtual machine.

8.

Wait for VAN-EX2 to start, and then start VAN-CL1. Connect to the virtual machine.

8-40

Implementing Backup and Recovery

Module Review and Takeaways

Review Questions
1.

What kind of backup options for Exchange Server 2010 do you find suitable for your organization?

2.

What options does Exchange Server 2010 include for restoring a single item from a mailbox?

Common Issues Related to Recovering Messages


Identify the causes for the following common issues related to recovering messages, and complete the
troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue

Troubleshooting tip

Recover single mailbox items


quickly
Restore fails when it is urgent

Best Practices Related to Backup and Restore


Supplement or modify the following best practices for your own work situations:

Utilize your existing backup solution for Exchange Server backups, as you are already experienced
and familiar with it.

Try always to perform a full backup of your Exchange Server databases if you use a VSS-aware backup
solution. This reduces the time you need to recover the database to its most current state.

If you plan to implement Exchange Native Data Protection, create one more database copy on cheap
hard drives at a different site. This guarantees that you have an additional backup of your database
available.

9-1

Module 9
Configuring Messaging Policy and Compliance
Contents:
Lesson 1: Introducing Messaging Policy and Compliance

9-3

Lesson 2: Configuring Transport Rules

9-9

Lesson 3: Configuring Journaling and Multi-Mailbox Search

9-30

Lab A: Configuring Transport Rules, Journal Rules, and Multi-Mailbox


Search

9-41

Lesson 4: Configuring Personal Archives

9-47

Lesson 5: Configuring Messaging Records Management

9-54

Lab B: Configuring Personal Archives and Retention Policies

9-66

9-2

Configuring Messaging Policy and Compliance

Module Overview

Microsoft Exchange Server 2010 provides new tools for coping with a growing number of legal,
regulatory, and internal policy and compliance requirements that relate to email. Most organizations must
be able to filter email delivery based on several criteria, and to manage email retention and deletion. This
module describes how to configure the Exchange Server 2010 messaging policy and compliance features.
After completing this module, you will be able to:

Describe messaging policy and compliance.

Configure transport rules.

Configure journaling and Multi-Mailbox Search.

Configure Personal Archives.

Configure messaging records management.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-3

Lesson 1

Introducing Messaging Policy and Compliance

In most many countries, governments have implemented legislation that restricts the storage and
movement of certain information. Additionally, many organizations have implemented corporate security
policies that limit how to share information within the organization. Because email is a critical business
tools in most organizations, it is important that you configure your organizations messaging system so
that it is compliant with government legislation and corporate policies.
Messaging policies in Exchange Server 2010 enable messaging administrators to manage email messages
that are in transit and at rest, and ensure that your organization meets compliance requirements. This
lesson provides an overview of messaging policies and their use.
After completing this lesson, you will be able to:

Describe messaging policy and compliance.

Identify compliance requirements.

Implement messaging policy and compliance.

9-4

Configuring Messaging Policy and Compliance

What Is Messaging Policy and Compliance?

Messaging compliance features in Exchange Server 2010 consist of a set of rules and settings that restrict
message flow and storage. You can use these features to apply rules to messages as your organizations
users send and receive them. You can use the messaging policy and compliance features to regulate how
users store messages, and to search all user mailboxes for messages based on a variety of criteria. You can
apply these features to Exchange Server computers that are running the Edge Transport, Hub Transport,
and Mailbox server roles.

Types of Messaging Compliance Features


Exchange Server 2010 provides several options for implementing message policies and compliance:

Transport policies are rules and settings that you apply as messages pass through the Exchange
Server transport components. Transport policies restrict message flow or modify message contents
based on organizational requirements. For example, you can set restrictions on which users can send
email to each other and on message flow based on message contents. You also can apply legal
disclaimers to specific messages. You can configure transport rules on Hub Transport and Edge
Transport servers.

Exchange Server applies messaging records management policies to folders in users inboxes to
automate and simplify message retention. For example, you can configure a policy that retains
messages in user mailbox folders for a specific time, or you can configure a policy that automatically
deletes messages within a specific folder or within all the mailbox folders. Exchange Server 2010 also
provides retention tags that simplify the process for users who want to apply message retention or
deletion policies.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-5

Journaling policies are rules and settings that enable you to save a copy of all messages that meet
specific criteria. For example, you can journal messages sent by a particular user or messages sent to a
particular distribution group. You can journal messages that recipients send or receive inside and
outside the organization.When you configure journaling, the messages are sent to a specified Simple
Mail Transfer Protocol (SMTP) address as a journal report. The journal report is an email message that
includes the Subject, Message ID, Sender, and Recipient of the original message together with an
attachment containing the original message.

Mailbox searching may be required for audit purposes to determine whether user mailboxes contain
specific types of content. With Exchange Server 2010, you can use the Exchange Control Panel to
search all user mailboxes for messages based on many different criteria.

9-6

Configuring Messaging Policy and Compliance

Discussion: Compliance Requirements

Email is a primary means of communication in many organizations, and users typically send a great deal
of business information by email. This information may include confidential information, such as customer
data or business intelligence. One use of Exchange Server 2010 messaging policies is to provide features
that help you comply with legal requirements and corporate messaging policies regarding email
messages.
Question: What type of business does your organization conduct?
Question: What are some legislated compliance requirements for your organization?
Question: What additional compliance requirements does your organization have?
Question: How are you currently meeting these compliance requirements?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-7

Options for Enforcing Messaging Policy and Compliance

Exchange Server 2010 provides many options for implementing messaging policies, including the
following:

Transport rules. You can define transport rules on both the Edge Transport and Hub Transport
servers. On Edge Transport servers, you can restrict message flow based on message data, such as
specific words or text patterns in the message subject, body, header, or From address; the spam
confidence level (SCL); and attachment type. You can configure the transport rules to quarantine
messages, drop or reject a message, append additional recipients to a message, and log an event. On
Hub Transport servers, you configure rules that support an extended set of conditions, which allows
you to control message flow based on distribution groups, internal or external recipients, message
classifications, and message importance.

Rights management integration. Exchange Server 2010 enables integration with Active Directory
Rights Management Service (AD RMS) to apply policies that restrict what recipients can do with their
received messages. For example, you can restrict users from printing or forwarding messages. You
also can use Microsoft Office Outlook or transport rules to enforce AD RMS templates, so that the
Office Outlook client or the Hub Transport server will apply the template based on specified message
criteria.

Message journaling. Exchange Server 2010 provides several options for saving copies of messages. For
example, you can configure journal rules on Hub Transport servers. You can journal messages
according to the messages distribution scope, and you can define the conditions that trigger the
journaling action by specifying as criteria an individual user, the sender, or the recipients distributionlist membership. You also can configure message journaling for specific mailbox databases, or
implement message journaling as part of a messaging records management deployment.

9-8

Configuring Messaging Policy and Compliance

Mailbox searching. The Multi-Mailbox Search feature enables users with the appropriate permissions
to search all mailboxes for specific content. In Exchange Server 2010, the mailbox search functionality
is available through the Multi-Mailbox Search interface in the ECP.The Multi-Mailbox Search interface
allows you to conduct searches across multiple mailboxes for items, including email, attachments,
Calendar items, Tasks, and Contacts. You can search across both primary mailboxes and archive
mailboxes.

Message retention and deletion. Administrators can use the messaging records management features
to retain messages that organizations require for business or legal reasons, and to delete unnecessary
messages. You can apply retention policies to folders that the administrator creates, and also to
default mailbox folders, such as the Inbox or Sent Items folders. When a message reaches a specified
retention limit, administrators can configure the messaging records management features to archive,
delete, or log the message, or flag it for user attention.

Personal Archives. Exchange Server 2010 allows you to create archive mailboxes for users so they can
store the contents of .pst folders and old messages that they want to retain. You can search and
manage archive mailboxes like any other mailboxes on the Exchange servers.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-9

Lesson 2

Configuring Transport Rules

You can implement messaging policies and compliance by applying transport rules to messages as users
send them within the organization. By implementing transport rules, you ensure that all email messages
sent within the organization or to external recipients meet your organizations compliance requirements.
You also can apply rights management policies to messages by using transport rules. This lesson describes
how to implement transport rules in Exchange Server 2010.
After completing this lesson, you will be able to:

Describe transport rules.

Describe transport rule components.

Configure transport rules.

Describe AD RMS.

Describe the AD RMS components.

Describe how AD RMS components work together.

Describe AD RMS interaction.

Configure AD RMS integration.

Describe options for moderated transport.

Configure moderated transport.

9-10 Configuring Messaging Policy and Compliance

What Are Transport Rules?

Exchange Server applies transport rules to messages as they pass through Edge Transport or Hub
Transport servers. The Transport Rule agent applies transport rules on Hub Transport servers, and the
Edge Rule agent applies them on Edge Transport servers. Transport rules restrict message flow or content
modification while messages are in transit. With transport rules, you can:

Prevent specified users from sending or receiving email from other specified users.

Prevent inappropriate content from entering or leaving the organization.

Apply restrictions based on message classifications to restrict the flow of confidential organization
information.

Track or journal messages that specific individuals send or receive.

Redirect incoming and outgoing messages for inspection before delivery.

Apply disclaimers to messages as they pass through the organization.

Apply AD RMS templates to the messages based on message criteria.

Transport Rules on Hub Transport Servers


Transport rules configured on one Hub Transport server automatically apply to all other Hub Transport
servers in the organization. Exchange Server stores the transport rules in the Configuration container in
Active Directory Domain Services (AD DS), and replicates them throughout the Active Directory forest so
that they are accessible to all other Hub Transport servers. This means that Exchange Server applies the
same transport rules to all email messages that users send or receive in the organization.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-11

Transport Rules on Edge Transport Servers


Exchange Server applies transport rules that you configure on an Edge Transport server only to email
messages that pass through that specific Edge Transport server. The transport rules are stored in Active
Directory Lightweight Directory Services (AD LDS), and Exchange Server does not replicate them to other
Edge Transport servers. Therefore, you can configure Edge Transport servers to apply distinct transport
rules depending on the email messaging traffic that they manage.
If you have more than one Edge Transport server and you want to apply a consistent set of rules across all
Edge Transport servers, you must configure each server manually, or export the transport rules from one
server and import them into all other Edge Transport servers.
Note Although the process for creating transport rules on Hub Transport servers and
Edge Transport servers is similar, the options available when creating the rules are not
identical. For example, when configuring the recipients to whom a rule will apply on a Hub
Transport server, you can configure specific recipients based on the Global Address List
(GAL). On the Edge Transport server, you can configure recipients based on text patterns in
the SMTP addresses rather than on specific GAL recipients.

9-12 Configuring Messaging Policy and Compliance

Transport Rule Components

All transport rules, whether they apply to Hub Transport or Edge Transport servers, have similar
configurations.

Transport Rule Components


When configuring transport rules, consider the following components:

Conditions. Transport rule conditions indicate which email message attributes, headers, recipients,
senders, or other parts of the message Exchange Server uses to identify the email messages to which
it applies a transport rule action. If the data of the email message that the condition is inspecting
matches the conditions value, Exchange Server applies the rule as long as the condition does not
match an exception.
You can configure multiple transport rule conditions to narrow the rules scope to very specific
criteria. You also can decide not to apply any conditions, which means that the transport rule then
applies to all messages. There is no limit to how many conditions you can apply to a single transport
rule.
Note If you configure multiple conditions on the same transport rule, all the conditions
must be met for the transport rule to apply to a particular email message. When you specify
multiple values on a single condition, the condition is satisfied if at least one of the values is
met.

Actions. Exchange Server applies actions to email messages that match the conditions and for which
no exceptions are present. Each action affects email messages in a different way, such as redirecting
the email message to another address or dropping the message.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-13

Exceptions. Exceptions determine which email messages to exclude from an action. Transport rule
exceptions are based on the same predicates that you use to create transport rule conditions.
Transport rule exceptions override conditions and prevent Exchange Server from applying a transport
rule action to an email message, even if the message matches all configured transport rule conditions.
You can configure multiple exceptions on a transport rule to expand the criteria for which Exchange
Server should not apply a transport rule action.
Note If you configure multiple exceptions on the same transport rule, only one exception
must match for the transport rule action to be cancelled. When you specify multiple values
on a single exception, the exception is satisfied if at least one of the values is met.

Predicates. Conditions and exceptions use predicates to define which part of an email message the
conditions and exceptions examine to determine whether Exchange Server should apply the transport
rule to that message. Some predicates examine the To: or From: fields, whereas other predicates
examine the subject, body, or attachment size. To determine whether Exchange Server should apply a
transport rule to a message, most predicates require that you specify a value that the predicates use
to test against the message.

9-14 Configuring Messaging Policy and Compliance

Demonstration: How to Configure Transport Rules

In this demonstration, you will review how to configure transport rules. You can configure transport rules
by using either the Exchange Management Console or the Exchange Management Shell. If you are using
the Exchange Management Console on a Hub Transport server, access the Hub Transport container in the
Organization Configuration work area.
To configure transport rules by using the Exchange Management Shell, run the following cmdlets:

The Get-TransportRule, New-TransportRule, Remove-TransportRule, Set-TransportRule,


Enable-TransportRule, and Disable-TransportRule cmdlets create, remove, and configure transport
rules.

The Get-TransportRuleAction cmdlet retrieves a list of all available transport rule actions.

The Get-TransportRulePredicate cmdlet retrieves a list of all available rule predicates.

The Import-TransportRuleCollection and Export-TransportRuleCollection cmdlets import and


export a set of transport rules configured on a Hub Transport server or Edge Transport server.
Note Implementing transport rules with security features, such as digital signatures or
encryption, can result in potential issues. For example, if you add a disclaimer to digitally
signed messages, the signature becomes invalid. When users open the message, the original
message displays as an attachment and only the signature that the transport rule adds is
visible in plain text. If users encrypt messages by using Secure Multipurpose Internet Mail
Extensions (S/MIME) or another encryption tool, the transport rules can access the message
envelope headers and process messages based on unencrypted information. Transport rules
that require inspection of message content, or actions that may modify content, cannot
process with encrypted messages.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-15

Regular Expressions in Transport Rules


Transport rules can use simple expressions or regular expressions when evaluating messages. A simple
expression is a specific value that must be matched exactly in a message. Predicates that use simple
expressions match specific words or strings. For example, a simple expression could be the title of a
document that your organization does not want distributed outside the organization, such as Yearly Sales
Forecast.doc. A piece of data in an email message must match a simple expression exactly to satisfy a
condition or exception in transport rules. If the previous title is changed to YearlySalesForecast.doc (spaces
removed), it will no longer match the transport rule.
Instead of specifying all possible variations for simple expressions, you can configure the transport rule
predicate to search for a text pattern that uses regular expressions. A regular expression is a flexible way to
find patterns of text in a message. The notation consists of two basic character types:

Literal characters. Text that must exist in the target string. These are normal characters, as typed.

Metacharacters. One or more special characters that are not interpreted literally. These indicate how
the text can vary in the target string.

You can use regular expressions to parse email messages to find specific text patterns in different parts of
a message. This enables you to detect messages with specific types of content, such as social security
numbers (SSNs), patent numbers, and phone numbers.
The following code sample demonstrates how to create a transport rule that uses a regular expression to
prevent sending messages that contain social security numbers. The regular expression used here is
\d\d\d-\d\d-\d\d\d\d. The portion \d\d\d requires that exactly three numeric digits appear in the first
segment, then two digits in the second, and four in the third segment.
New-TransportRule -Name "Social Security Number Block Rule" SubjectOrBodyMatchesPatterns '\d\d\d-\d\d-\d\d\d\d' -RejectMessageEnhancedStatusCode
"5.7.1" -RejectMessageReasonText "This message has been rejected because of content
restrictions"

Demonstration Steps
1.

Open the Exchange Management Console.

2.

Under Organization Configuration, in the Hub Transport node, create a new transport rule with
the following configuration:

Name: Type Company Disclaimer HTML.

Condition: Choose sent to users that are inside the organization.

Action: Choose append disclaimer text and fallback to action if unable to apply.

Disclaimer text: Type the following:


<html>
<body>
<br>&nbsp</br>
<br>&nbsp</br>
<b><font color=red>This e-mail and attachments are intended for the individual or
group addressed.</font></b>
</body>
</html>

9-16 Configuring Messaging Policy and Compliance

3.

4.

Create another transport rule in the Exchange Management Console with the following configuration:

Name: Social Insurance Number Block Rule.

Condition: The message subject or body contains numbers in the following pattern 111-111111.

Action: Choose send a rejection message.

To test the transport rules:

Send a message from one internal user to another. Verify that the HTML disclaimer is attached.

Send a message from one internal user to another with the string 111-11-1111 in the message
body. Verify that the sender receives a non-delivery report (NDR).

Note In a regular expression, the \d pattern string matches any single numeric digit. You
can use a variety of pattern strings to search the message contents for a consistent pattern.
For example, you can use \s to represent a space, or \w to represent any letter or decimal
digit. For detailed information about configuring regular expressions in a transport rule, see
the topic Regular Expressions in Transport Rules in Exchange Online Help.
Question: What transport policies will you need to implement in your organization?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-17

What Is AD RMS?

AD RMS is an information-protection technology that works with AD RMS-enabled applications to help


safeguard digital information from unauthorized use.

Restrict Access to an Organizations Intellectual Property


Use AD RMS to restrict access to digital information so that users can view, change, or print
documentation only. This protects data by preventing users from forwarding, copying, or otherwise
transporting sensitive data outside the company network.

Limit the Actions Users Can Perform on Content


Enforce restrictions that limit the specific actions that a user can perform on a document or email
message. You can use Microsoft Office Word, Office Excel, and PowerPoint as AD RMS-enabled
applications. These applications allow you to set rights for viewing, changing, saving, and printing
documents, and to set the length of time a particular right is active. Depending on the application that
you are using, you can limit the action on content to the following restrictions:

View-only

Prevent change

Prevent print

Set expiration times on the content

AD RMS used with Outlook helps you protect email content. You can prevent users from forwarding
sensitive email messages to other email users, printing email messages, using messages offsite, and giving
messages to unauthorized users.

Limit the Risk of Content Exposure Outside the Organization


You can set rights so that users do not have permission to print or forward email content. This means that
users cannot forward the messages to recipients outside the organization. These options help reduce the
likelihood that an employee will disclose company information either maliciously or accidentally.

9-18 Configuring Messaging Policy and Compliance

AD RMS Components

Several components interact with AD RMS. The following table lists these components.
Component

Function

AD RMS
Certification
Server Cluster

It is used for AD RMS administration and configuration and handles all of the major
AD RMS functions, including licensing, publishing, account certification, and recovery.
There is a limit of one AD RMS Certification Server Cluster per AD DS forest.

AD DS

AD DS is an AD RMS prerequisite and is used to store users and groups used within
AD RMS. Clients query AD DS for the service connection point (SCP) to discover
registered AD RMS services.

Microsoft SQL
Server

The AD RMS database stores the configuration and log data. A Windows Internal
Database can be used in place of SQL but it is not supported in a production
environment.

AD RMS clients
and
applications

The client, which comes built-in to Windows Vista, Windows 7 and Windows
Server 2008, is a free download for earlier Windows versions. There is also an addon client for Internet Explorer. It serves as the client component and interacts with the
AD RMS Certificate Server Cluster to encrypt and decrypt data.
Specific applications are enabled for, and can interact with, AD RMS. Authors can use
these applications to create and protect content, and recipients can use them to read
protected content and apply the appropriate rights to them.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-19

(continued)
Component

Function

Certificates and
licenses

The AD RMS components use certificates and licenses to establish identity and allow
clients to work with protected content. A variety of certificates and licenses are issued
to both the computer and user, and to both the content author and the content
consumer.

Rights policy
templates

Rights policy templates are used to control the rights of users and groups to rightsprotected content. They can include various conditions, such as specific recipients or
AD DS groups. Some other conditions are the period for which a use license for the
content remains valid and the period for which after publication the content can be
consumed. The use rights available include Full Control, View, Edit, Save, Print,
Forward, and Reply.

9-20 Configuring Messaging Policy and Compliance

How AD RMS Works

The AD RMS components work together to enable secure creation, distribution, and consumption of
protected data.

How AD RMS Works


The following steps describe how AD RMS components interact to generate and protect rights-protected
content:
1.

The first time a user tries to protect content by using AD RMS, the client application requests a rights
account certificate (RAC) and client licensor certificate (CLC) from the AD RMS server. This request
only occurs once for each user. It enables the user to publish online or offline, and to consume rightsprotected content.

2.

The author then creates content by using an AD RMS-enabled application. The author can create the
file, and then specify user rights. Additionally, the AD RMS server generates the policy license
containing the user policies.

3.

The author sends the rights-protected content to the recipient.

4.

The recipient receives the file, and then opens it by using an AD RMS-enabled application or browser.
If the recipients computer does not contain an account certificate, the client application requests a
certificate, and the AD RMS cluster issues one. If this is the first time the recipient has tried to access
rights-protected content on the computer, the AD RMS server also issues a RAC.
a.

The application sends a request for a use license to the AD RMS cluster that issued the publishing
license. However, if the file was published offline, the application also sends a request to the
server that issued the CLC. The request includes both the RAC and the publishing license for the
file.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

b.

5.

9-21

The AD RMS cluster confirms or denies the recipients authorization. If the AD RMS cluster denies
the users authorization, the cluster checks for a named user and then creates a use license for the
user. The cluster decrypts the content key by using the clusters private key and re-encrypts the
content key with the recipients public key. It then adds the encrypted session key to the use
license. This ensures that only the intended recipient can access the file.

The AD RMS cluster sends the generated use license to the recipients computer. The application
examines both the license and the recipients account certificate. Exchange Server then grants the
user access per the content authors specifications.

9-22 Configuring Messaging Policy and Compliance

How AD RMS Integration Works

Exchange Server 2010 integrates with AD RMS to provide several options for ensuring content protection
as users send messages through email. To use any of these features in an onsite Exchange Server
deployment, Exchange Server 2010 requires an on-premise Windows Server 2008 AD RMS deployment.

Enable Users to Protect Content


After deploying AD RMS in an organization, Outlook users can control who reads, copies, or forwards
messages regardless of where the messages are stored. When users create emails, they can set limits on
what the message recipients can do with the messages. This functionality does not require any Exchange
Server components other than those used for message delivery.
Exchange Server 2010 provides additional functionality, and expands the scenarios by which users and
administrators can apply protection to emailboth inside and outside the organization.

Implement AD RMS Prelicensing


One of the issues with using the Rights Management Service (RMS) to protect email is that the recipient
needs to be able to connect to the AD RMS server to read protected email. This is an issue when users
access their email while offline by using Outlook Anywhere, read mail by using a Microsoft Exchange
ActiveSync device, or access email through Outlook Web App. AD RMS prelicensing enables offline
access to protected mail, and makes it faster to open protected mail from Outlook and other mobile
clients. In this scenario, protected messages already contain the recipients end-user license, which
Exchange Server requires to decrypt and view the message upon delivery.
In Exchange Server 2010, the RMS Prelicensing built-in agent is on all Hub Transport servers, and is
enabled by default for the Exchange Server organization. You can disable the prelicensing agent with the
Set-IRMConfiguration -PrelicensingEnabled $false cmdlet.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-23

Implement Outlook Protection Rules


Outlook Protection Rules allow you to rights-protect messages by applying an RMS template before the
message is sent. Outlook Protection Rules automatically trigger the client to apply an RMS template
(based on sender/receiver) to mail before it sends it. This feature also enables administrators to allow
users to manually add or remove protection policies from a message.
Note

Outlook Protection Rules are only available for Office Outlook 2010 or later clients.

Implement Transport Protection Rules


This feature allows you to use transport rules to apply rights protection to messages. Transport Protection
Rules help organizations implement messaging policies by encrypting sensitive email content and by
using rights-management to control access to the content.
AD RMS uses XML-based policy templates to allow compatible information rights management (IRM)enabled applications to apply consistent protection policies. In Windows Server 2008, the AD RMS
server is accessible through a Web service that you can use to enumerate and acquire templates.
Exchange Server 2010 includes just the Do Not Forward template. When you apply the Do Not Forward
template to a message, only the specified recipients can decrypt the message. The recipients cannot
forward the message to anyone else, copy content from the message, or print the message.
You can create additional RMS templates in the on-premise AD RMS deployment to meet rightsprotection requirements in your organization.

Enable Journal Report Decryption


When you enable Journal Report Decryption, you grant permission for the Journaling agent to attach a
decrypted copy of a rights-protected message to the journal report. If the rights-protected message
contains supported attachments that have been protected by the AD RMS cluster in your organization,
the attachments are also decrypted. The Journal Report Decryption agent performs decryption.

Enable Transport Decryption


When you enable Transport Decryption, Hub Transport servers can decrypt rights-protected messages to
enforce messaging policies. The first Hub Transport server to handle a message in an Active Directory
forest performs transport decryption. After decryption, unencrypted content becomes available to other
transport agents on that server. For example, the Transport Rule agent on a Hub Transport server can
inspect message content and apply transport rules. Any actions specified in the rule, such as applying a
disclaimer or modifying the message, can be applied to the unencrypted message. After other transport
agents have inspected the message and possibly made modifications to it, the message is encrypted again
with the same user rights that it had before being decrypted by the Decryption agent. The message is not
decrypted again by other Hub Transport servers in the organization.

9-24 Configuring Messaging Policy and Compliance

Enable IRM in Outlook Web App


After you enable IRM in Outlook Web App, users can use Outlook Web App to:

Send IRM-protected messages. Outlook Web App users can use the permissions feature when
composing a new message and select an applicable policy template to apply to the message. This
allows users to send IRM-protected messages from within Outlook Web App. The Client Access server
applies IRM protection to messages and message attachments.

Read IRM-protected messages. Messages protected by senders using your organizations AD RMS
cluster display in the Outlook Web App preview pane, without requiring additional add-ons or that
the users computer is enrolled in the AD RMS deployment. When you open or view a message in the
preview pane, the message is decrypted using the use license added to message by the pre-licensing
agent. Once decrypted, the message displays in the preview pane. If a pre-license is not available,
Outlook Web App requests one from the AD RMS server before displaying the message.
Note Before configuring Journal Report Decryption, Transport Decryption, or IRM for
Outlook Web App, you must provide Exchange servers with the right to decrypt IRMprotected content. Do this by adding the Federated Delivery Mailbox to the super users
group configured on the AD RMS cluster. You must also use the Set-IRMConfiguration
cmdlet to enable the required features.

IRM Enhancements in Exchange Server 2010 SP1


IRM functionality in Exchange Server 2010 Service Pack 1 (SP1) includes the following features:

WebReady Document Viewing of IRM-protected attachments. In Exchange Server 2010 SP1, IRM
in Microsoft Office Outlook Web App supports WebReady Document Viewing of supported
IRM-protected attachments. This allows users to view IRM-protected attachments without having
to download them. Users can preview IRM-protected documents on computers that do not have
Microsoft Office installed. Along with the cross-browser and cross-platform support in Outlook
Web App, this functionality extends the reach of IRM to various browsers and operating systems.

IRM in Exchange ActiveSync. IRM in Exchange ActiveSync allows users with supported devices to
access IRM-protected messages without first having to activate the device for IRM, or by attaching
the device to a computer.

Cross-organization support. Exchange Server 2010 SP1 IRM features are supported in crossorganization topologies, which provides for easier collaboration between two organizations through
Outlook Web App.

IRM logging. In Exchange Server 2010 SP1, you can enable logging of IRM features on the
Mailbox, Hub Transport, Client Access, and Unified Messaging server roles. IRM logs contain detailed
transaction and error information, allowing administrators to easily monitor and troubleshoot IRM
features.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-25

Demonstration: How to Configure AD RMS Integration

In this demonstration, you will review how to configure and test AD RMS and Exchange Server 2010
integration. The first part of the demonstration will show you how to protect email messages by using
AD RMS. This feature does not require any special Exchange Server functionality. The second part of the
demonstration will show you how to configure a transport rule that applies AD RMS protection to a
message based on message properties.

Demonstration Steps
1.

Open Outlook 2010 and create a new message for an internal recipient.

2.

In the Message ribbon, click the Permission icon.

3.

In the Windows Security dialog box, log on as the mailbox user.

4.

In the Permission dialog box, select the Restrict permission to this document check box.

5.

When the message appears, verify that the message now contains the Do Not Forward header. Send
the message.

6.

Log on as the message recipient, open Outlook 2010, open the restricted message, and then log on
by using the user credentials. Verify that you do not have permission to forward the message.

7.

On VAN-DC1, modify the permissions on the C:\inetpub\wwwroot\_wmcs\certification


\servercertification.asmx file to grant Read and Execute access to the Exchange Servers group and
the anonymous Internet Information Services (IIS) user account.

8.

Restart IIS.

9.

On an Exchange server, at the PS prompt, type the following cmdlet, and then press Enter. This
cmdlet enables AD RMS encryption on the Hub Transport server:
set-irmconfiguration InternalLicensingEnabled:$true.

9-26 Configuring Messaging Policy and Compliance

10. Use the test-irmconfiguration cmdlet to test the IRM configuration.


11. In the Exchange Management console, create a new transport rule named AD RMS Test Rule, which
applies the Do Not Forward AD RMS template for all messages sent between two specified users.
12. Send a message from one of the specified users to the other. Verify that the Do Not Forward
template is applied to the message.
Question: Does your organization have AD RMS deployed? Are you planning to deploy AD
RMS?
Question: How will Exchange Server 2010 make it easier to deploy AD RMS?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-27

Options for Configuring Moderated Transport

The Exchange Server 2010 moderated transport feature enables you to require moderator approval for all
email messages sent to specific recipients, and you can specify any type of recipient as a moderator. The
Hub Transport servers ensure that all messages sent to those recipients go through an approval process.
In any type of organization, you may need to restrict access to specific recipients. The most common
scenario is the need to control messages sent to large distribution groups. Depending on your
organizations requirements, you may also need to control messages sent to executive mailboxes or
partner contacts. You can use moderated recipients to accomplish these tasks.
You can also use transport rules to enforce moderation. For example, you could configure a transport rule
that sends a message for moderation based on any of the available criteria.

How Moderated Transport Works


When you configure a recipient as a moderated recipient, all messages sent to the recipient go through
the following process:
1.

The sender creates a new message and sends it to the moderated recipient.

2.

The categorizer intercepts the message, marks it for moderation, and then reroutes it to the
arbitration mailbox.

3.

The store driver stores the message in the arbitration mailbox and sends an approval request to the
moderator.

4.

The moderator uses the buttons in the approval request to either accept or reject the message.

5.

The store driver marks the moderators decision on the original message stored in the arbitration
mailbox.

9-28 Configuring Messaging Policy and Compliance

6.

The Information Assistant reads the approval status on the message stored in the arbitration mailbox,
and then processes the message based upon the moderators decision:

If the moderator approves the message, the Information Assistant resubmits the message to the
submission queue, and the message is delivered to the recipient.

If the moderator rejects the message, the Information Assistant deletes the message from the
arbitration mailbox, and then notifies the sender that the moderator rejected the message.

Note Previous Exchange Server versions do not support moderated recipients. If a


message sent to a moderated distribution group is expanded on a Hub Transport
server that is running Exchange Server 2007, it will be delivered to all members of that
distribution group, and bypass the moderation process. If you have Exchange Server 2007
Hub Transport servers in your Exchange Server 2010 organization, and you want to
use moderated distribution groups, you must designate an Exchange Server 2010 Hub
Transport server as the expansion server for the moderated distribution groups. Doing
this ensures that all messages sent to the distribution group are moderated.

Bypassing Moderation
Exchange Server delivers messages from certain senders to the moderated recipient immediately,
bypassing the approval process, and considers the following senders as trusted senders.

Moderators. By definition, a moderator has the authority to determine what messages are
appropriate for a moderated recipient.

Senders that Exchange Server specifically allows to send messages. For each moderated recipient, you
can specify a list of senders for whom Exchange Server bypasses the approval workflow. Exchange
Server explicitly allows these senders to send to this recipient, and therefore trusts them.

Because these senders are considered trusted senders, messages from them do not go through the
approval process.. Exchange Server does not treat owners of distribution groups and dynamic distribution
groups automatically as trusted senders, and messages from these senders are subject to the approval
process. Additionally, the owner of a distribution group can be responsible for managing the distribution
group membership, but may not be able to moderate messages sent to it. To bypass moderation for
owners, you must either designate them as moderators or add them to the list of senders that are
explicitly allowed to send messages to the moderated recipient.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-29

Demonstration: How to Configure Moderated Transport

In this demonstration, you will review how to configure a distribution list for moderation and how to
configure a transport rule that enforces moderation for all messages sent to a distribution list.
Note In this demonstration, you will configure a distribution list by using the Exchange
Management Console. If you need to enable a mailbox or contact for moderation, you will
need to use the set-mailbox cmdlet with the moderationenabled:$true and
moderationedby parameters.

Demonstration Steps
1.

In the Exchange Management Console, under Recipient Configuration, click Distribution Group.

2.

In the middle pane, right-click a distribution list, and then click Properties.

3.

On the Mail Flow Settings tab, double-click Message Moderation.

4.

In the Message Moderation dialog box, select the Messages sent to this group have to be
approved by a moderator check box. Add the group moderators and add any users who do not
require moderation to send to the group.

5.

Create a new transport rule that forwards any message sent to a distribution list for moderation.
Choose a moderator for the rule, and then configure any exceptions that are required.

6.

Send a message to the distribution group configured for moderation.

7.

Send a message to the distribution group configured for moderation in the transport rule.

8.

Open the mailbox of a moderator configured for both the distribution group and transport rule.
Approve both messages.
Question: Will you deploy moderated transport in your organization? If so, where would you
use it?

9-30 Configuring Messaging Policy and Compliance

Lesson 3

Configuring Journaling and Multi-Mailbox Search

Message journaling and Multi-Mailbox Search are important components for enforcing messaging
compliance. Message journaling allows you to archive all messages automatically that meet criteria that
you specify. You can archive journaled messages to any SMTP address, including an Exchange mailbox,
Microsoft SharePoint document library, or a third-party archiving solution. In addition to message
journaling, Exchange Server 2010 also includes the Multi-Mailbox Search feature, which enables an
authorized user to search all of the organizations mailboxes based on specific criteria. This lesson
describes how to configure and manage message journaling and Multi-Mailbox Search in Exchange Server
2010.
After completing this lesson, you will be able to:

Describe message journaling options.

Configure message journaling.

Manage the message journal mailbox.

Describe Multi-Mailbox Search.

Describe legal hold.

Configure Multi-Mailbox Search.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-31

Message Journaling Options

Journaling enables you to save copies of all email messages in a collection mailbox when they are sent to,
or from, specified mailboxes, contacts, or distribution-group members. You also can configure journaling
based on messages sent to, or received from, mailboxes in a mailbox database, or configure journaling as
part of a managed folder content setting.
Messages that meet the journaling criteria are sent to the collection mailbox as a journal report. This
report includes detailed information such as the recipients address, the senders address, and the
messages subject.

How Journal Rules Work


When you create a journal rule, the Journaling agent, which runs on Hub Transport servers, monitors all
messages sent through the server. When a message matches the journal rule criteria, the server forwards a
copy of the message to a journal mailbox. You can configure the journal mailbox by using any Exchange
Server recipient. The recipient address can refer to another mailbox in the Exchange Server organization, a
document library on a Microsoft Windows SharePoint Services site, or an address used by other thirdparty message-archival solutions.
Journal rules are based on message recipients and message senders. When you configure a journal rule,
you can choose any Exchange Server recipient including mailbox users, contacts, or distribution groups.
The Journaling agent sends to the journal mailbox a copy of all messages that the recipient sends or
receives.

9-32 Configuring Messaging Policy and Compliance

You also can configure the following three journal rule scopes to limit which messages the Journaling
agent sends to the journal mailbox.
Scope

Description

Internal

Rules with this scope process messages sent and received by recipients inside the
organization.

External

Rules with this scope process messages sent to recipients or from senders outside the
organization.

Global

Rules with this scope process all messages that pass through a computer that has a Hub
Transport server. These include messages that journal rules processed previously in the
Internal and External scopes.

Journal rules configured on a Hub Transport server apply to the entire Exchange Server organization.

How Mailbox Database Journaling Works


You can also configure a journal mailbox for a mailbox database. When you assign a journal recipient for
a mailbox database, all messages sent to or received from recipients with mailboxes in the database also
are sent to the journal recipient.
Note You can also configure message journaling when you configure managed content
settings for a managed folder. With this option, any message that meets the managed
content settings criteria will also be journaled to a journal address.
Note Mailbox database journaling is a standard journaling option and is the only option
available for organizations with an Exchange Standard Client Access Licenses (CAL).
Journaling rules that apply pre-recipient journaling are premium journaling options that
require Exchange Enterprise CALs.

Journal Reports
When a message meets the journaling criteria, a journal report is sent to the SMTP address that the rule
lists. The journal report is a new email message that includes the original message, unaltered, as an
attachment.
The information that the journal report contains is organized so that every value in each header field has
its own line. The Journaling agent captures as much detail as possible about the original message. This
information is important in determining the messages intent, its recipients, and its senders. For example,
how the message identifies recipients (directly addressed in the To field or the Cc field, or included in a
distribution list) may determine how the recipient is involved in the discussion occurring in the message.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-33

Demonstration: How to Configure Message Journaling

In this demonstration, you will review how to configure a message journaling rule by using the Exchange
Management Console. You can configure journaling rules by using either the Exchange Management
Console or the Exchange Management Shell.
To configure transport rules with the Exchange Management Shell, use the following commands:

Enable-JournalRule

Disable-JournalRule

Get-JournalRule

Set-JournalRule

New-JournalRule

Remove-JournalRule

Demonstration Steps
1.

In Exchange Management Console, under Organization Configuration, click Hub Transport.

2.

Create a new journal rule. Specify a name for the rule, and a journal mailbox. A copy of all messages
that the rule affects will be sent to the journal mailbox.

3.

Specify the journal rule scope and recipients. The scope defines whether only internal or only external
messages, or both, will be journaled. All messages that the recipient sends or receives are journaled.

4.

Send a test message to a journal recipient. Log on to the journal recipient mailbox, and then reply to
the message.

5.

Log on to the journal mailbox and confirm that the journal mailbox contains a journal report for both
the sent message and the reply message.
Question: What are the advantages and disadvantages of using the Exchange Server 2010
message journaling feature?

9-34 Configuring Messaging Policy and Compliance

Considerations for Managing the Message Journal Mailbox

In a large organization or if you configure journaling for a large number of users, the journal mailbox
can grow very rapidly. Additionally, the journal mailbox may contain highly confidential information that
should not be accessible to most users. This means that you will need to develop policies for managing
the journal mailbox.

Using a SharePoint Document Library for Journaling


You can configure SharePoint document libraries with SMTP addresses that will accept email messages. In
Exchange Server, you can configure a custom recipient by using the SharePoint document library email
address, and then configure journaling to use the custom recipient as the journal recipient. Using a
SharePoint document library as the journal recipient has several advantages:

You configure a location outside of Exchange Server in which to store your messages, which reduces
the size of the Exchange Server databases.

You can index the SharePoint document libraries to enhance the search experience.

You can specify security on SharePoint document lists to ensure that only authorized users can view
the journaled messages.

Considerations for Managing the Journal Mailbox Size


When configuring a journaling mailbox to accept journal reports, you must determine the maximum
size of the journaling mailbox. As with any other mailbox, the maximum size depends on the data that
the mailbox will store, the hardware resources that are available, and the disaster-recovery capabilities for
the server that contains the journaling mailbox. Additionally, you also must consider what will occur if a
journaling mailbox exceeds the configured mailbox quota.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-35

Avoid using the Prohibit send and receive at (KB) option to set the journaling mailboxs storage limit.
When the mailbox exceeds the specified quota, it stops accepting journaling reports. When this happens,
NDRs are not sent to users or administrators, but rather are queued on Hub Transport servers. To reduce
the possibility that your journaling mailbox will reject journal reports because it has reached the
configured storage quota, either avoid configuring this option or configure your journaling mailboxs
storage quota to the maximum size allowable for your hardware resources and disaster-recovery
capabilities. If you are backing up the mailbox on a daily basis, consider specifying a retention policy to
remove backed-up messages regularly.

Considerations for Managing Journal Mailbox Security


Security is an important consideration when managing the journal mailbox. Journaling mailboxes may
contain sensitive information. You must secure journaling mailboxes because they collect messages that
your organizations recipients send and receive, and those messages may be part of legal proceedings or
subject to regulatory requirements. Create policies that govern who can access your organizations
journaling mailboxes and limit access to only those individuals who have a direct need for access. Ensure
that legal representatives approve your plan to ensure that your journaling solution complies with all the
laws and regulations that apply to your organization.

9-36 Configuring Messaging Policy and Compliance

What Is Multi-Mailbox Search?

Many organizations need to be able to search mailboxes for specific content while performing compliance
audits. By using the Exchange Server 2010 Multi-Mailbox Search feature, organizations can now easily
search all user mailboxes.

How Multi-Mailbox Search Works


In Exchange Server 2010, the mailbox search functionality is now available through the Multi-Mailbox
Search feature in the ECP. The Multi-Mailbox Search feature allows you to search multiple mailboxes for
mailbox items (including email, attachments, Calendar items, Tasks, and Contacts) across both primary
and archive mailboxes. Advanced filtering capabilities include: sender, receiver, expiry policy, message
size, sent/receive date, cc/bcc, and regular expressions.
Multi-Mailbox Search uses the content indexes that Exchange Search creates. Having a single contentindexing engine ensures no additional resources are utilized for crawling and indexing mailbox databases
during the mailbox search.
Discovery Management Role
A user who is a member of the Discovery Management role group can perform a Multi-Mailbox Search.
The Discovery Management role group is a universal security group that is created in AD DS during the
Exchange Server 2010 installation. The Discovery Management role group is assigned to the Mailbox
Search management role, which has permission to search all mailboxes in the organization.
Note Exchange Server 2010 uses role based access control (RBAC) to define what actions
users can perform in the Exchange Server organization. RBAC uses management roles and
management role groups to manage these permissions. For more information on
management roles and management role groups, see Module 10.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-37

Viewing Search Results


All search results are stored in a special mailbox called Discovery Search Mailbox. It is not possible to store
results in any other mailbox. The Discovery Search Mailbox is always created during Exchange Server 2010
installation, and cannot be used for standard purposes such as sending and receiving email, because
delivery restrictions are applied to it. The user account associated with the Discovery Search Mailbox is
disabled, so no one can log on to this mailbox without being explicitly granted rights to do so. The
Discovery Management group has full access rights to the Discovery Search Mailbox.
Because the Discovery Search Mailbox should be able to store a large amount of data, it is assigned a 50gigabyte (GB) storage quota on creation. If you have multiple teams or individuals that perform discovery
searches and you do not want them to see results from other searches, you will need to create additional
Discovery Search Mailboxes. This can be done by using the Exchange Management Shell.
After you perform a search, a new folder is created in the Discovery Search Mailbox that bears the same
name as the search. Within that folder, a subfolder is created for each source mailbox that was searched.
Additionally, messages that the search returns are copied to the corresponding folder in the target
mailbox.

Multi-Mailbox Search Enhancements in Exchange Server 2010 SP1


The Multi-Mailbox Search functionality in Exchange Server 2010 SP1 includes the following new features:

Multi-Mailbox Search results preview. In Exchange Server 2010 SP1, discovery managers can
determine the number of items that will be returned by a discovery search, before the items are
copied to the selected discovery mailbox. Discovery managers are users who are members of the
Discovery Management role group. This functionality allows discovery managers to view the number
of hits the specified keywords return, and then modify the search queryif requiredbefore
messages returned by the search are copied to the discovery mailbox.

Annotations. Discovery managers can also add annotations to messages returned by the discovery
search.

Data deduplication. Multi-Mailbox Search includes the optional data deduplication feature. When
selected, Multi-Mailbox Search copies only a single instance of a message returned across multiple
folders within the same mailbox, or across different mailboxes. However, you should not select
deduplication if you want to see each instance of a message and its location.

9-38 Configuring Messaging Policy and Compliance

What Is Legal Hold?

Besides searching the contents of users mailboxes, you can also perform Multi-Mailbox Searches on items
that users have deleted. Under some circumstancessuch as a court order or lawsuitit may be
necessary to retrieve items that users intentionally delete.
Legal hold, which is also known as litigation hold, is an option in Exchange Server 2010 that can be
applied to user mailboxes to achieve this result.

Dumpster 2.0
In previous versions of Exchange Server, the dumpster was a view that was stored per folder. Using this
approach, items in the dumpster remained in the folder from where they were soft-deleted either by
pressing the SHIFT+DELETE keys in any folder, or by clicking Delete from within the Deleted Items folder.
However, they were marked with the ptagDeletedOnFlag flag. These marked items were excluded from
normal Outlook views and quotas. In addition, data that was marked with this flag could not be searched
or indexed. These items were recoverable by end users by using the Recover Deleted Items tool accessible
through Outlook Web Access (OWA); however, the user was also able to delete these items permanently.
In Exchange Server 2010, Dumpster 2.0 functions differently. Dumpster 2.0 has now become a base
structure to the legal hold feature. Unlike version 1.0, Dumpster 2.0 is now a folder called Recoverable
Items. This folder is located inside the user's mailbox in the Non-IPM subtree, and it is not viewable
through the user interface. The Recoverable Items folder is indexed, can be searched, and you can prevent
deletions from this folder by implementing legal hold.

Using Legal Hold


Legal hold is enabled on a per-mailbox basis, and it is virtually transparent to the end user because
retention policies continue to operate. By enabling legal hold, you preserve almost all mailbox items from
both the primary mailbox and Personal Archive, even if the user deletes something, and you can perform
discovery searches on these items too.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-39

In Exchange Server 2010, when a user deletes an item, the item is no longer marked with a
ptagDeletedOnFlag flag. Instead, it goes to the Deletions subfolder within the Recoverable Items folder.
From this folder, a user can retrieve items that were deleted. However, the user is no longer able to
permanently delete items from this folder. If a user deletes an item from Recoverable Items, it goes to the
Purges subfolder. The user can no longer access this item, but an administrator can, which prevents users
from intentionally hiding or destroying items.
You can use the legal hold feature to:

Place a hold on users' mailboxes and keep mailbox items in an unaltered state.

Preserve mailbox items that users attempt to delete or modify after the hold is placed.

Preserve mailbox items that are automatically deleted based on messaging records management
retention policies.

Keep the legal hold transparent from users by not having to suspend messaging records
management.

Enable discovery searches of items placed on hold.

Items in the Recoverable Items folder are not calculated toward the user's mailbox quota. The
Recoverable Items folder has its own quota, and two parameters apply to this quota:
RecoverableItemsWarningQuota and RecoverableItemsQuota. The default
RecoverableItemsWarningQuota and RecoverableItemsQuota values are 20 GB and 30 GB,
respectively. If these quotas are reached, an event is logged in the application log of the Mailbox server,
so it is important to monitor this event log. If you want to modify quota values for a mailbox database,
use the Set-MailboxDatabase cmdlet. If you want to modify quota values for an individual mailbox, use
the Set-Mailbox cmdlet.
To enable legal hold on a user mailbox, use the following command in Exchange Management Shell:
Set-Mailbox user@contoso.com -LitigationHoldEnabled $true

In Exchange Server 2010 SP1, it is also possible to use Exchange Management Console and Exchange
Control Panel to enable legal hold by modifying the properties of a users mailbox.
Authorized users that have been added to the Discovery Management RBAC role group or assigned the
legal hold management role can place mailbox users on legal hold. You can delegate the task to records
managers, compliance officers, or attorneys in your organization's legal department, while assigning the
least privileges.
Question: In which scenarios is it appropriate to use legal hold?

9-40 Configuring Messaging Policy and Compliance

Demonstration: How to Configure Multi-Mailbox Search

In this demonstration, you will review how to configure Multi-Mailbox Search and legal hold. To use the
Multi-Mailbox Search feature, you must add the users who will perform the search to the Mailbox Search
management role. The easiest way to do this is to add the user to the Discovery Management universal
security group in AD DS or Active Directory. The user then can use the Exchange Control Panel to search
for messages based on multiple criteria. If a users mailbox is configured with legal hold, the search results
will include all messages in the mailbox, including purged messages.

Demonstration Steps
1.

In Active Directory Users and Computers, add the user or group that will perform Discover searches to
the Discovery Management group.

2.

Send a message with a key word or phrase in it. You will be searching on this key word or phrase.

3.

Send a second message with a key word or phrase in it.

4.

Connect to the destination mailbox and purge the second message from the mailbox and Deleted
Items folder.

5.

Connect to the Exchange Control Panel on a Client Access server by using the account that will
perform the search.

6.

On the Reporting tab, under Multi-Mailbox Search, configure the search parameters.

7.

Select the Send me an e-mail when the search is done check box, and then start the search.

8.

Open the email indicating the search is finished, and then click the Discovery Search Mailbox link.

9.

Review the messages located by the search.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-41

Lab A: Configuring Transport Rules, Journal Rules, and


Multi-Mailbox Search

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2.

Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, 10135B-VAN-EX2, and the 10135B-VAN-CL1


virtual machines are running:

10135B-VAN-DC1: Domain controller in the Adatum.com domain.

10135B-VAN-EX1: Exchange 2010 server in the Adatum.com domain.

10135B-VAN-EX2: Exchange 2010 server in the Adatum.com domain.

10135B-VAN-CL1: Client computer in the Adatum.com domain.

3.

If required, connect to the virtual machines. Log on to VAN-DC1, VAN-EX1, and VAN-EX2 as
Adatum\Administrator using the password Pa$$w0rd.

4.

Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.

Lab Scenario
You are a messaging administrator in A. Datum Corporation. Your organization has deployed Exchange
Server 2010.

9-42 Configuring Messaging Policy and Compliance

The legal and audit departments at A. Datum provided you with several requirements for implementing
messaging policy and compliance. These requirements include applying rights protection to some
messages sent inside and outside the organization, restricting message flow based on information in
message subjects, and restricting which messages are sent to critical distribution lists. You also must
ensure that you establish a separate and secure mailbox in which to retain all messages that the legal
department sends and receives. Additionally, an auditor must be able to retrieve all messages sent and
received by users with legal hold enabled.

Exercise 1: Configuring Transport Rules


Scenario
A. Datum Corporation is completing its Exchange Server 2010 deployment and is preparing to implement
messaging policies to manage email messages in transit and in user mailboxes. The project sponsors have
developed the following requirements for transport rules:

All messages sent to users on the Internet must have a disclaimer that the legal department approves.

External messages with the term customer in the message subject or body must be copied to the
CustomerService distribution group unless a member of the CustomerService group sent the
message.

All messages with the words confidential or private in the subject must have the Do Not Forward
AD RMS template applied.

A member of the Marketing group must approve all messages sent to the All Company distribution
list before the message is delivered.

The main tasks for this exercise are:


1.

Create a transport rule that adds a disclaimer to all messages sent to the Internet.

2.

Create a transport rule that for the CustomerService distribution group Enable AD RMS integration
for the organization.

3.

Configure a transport rule that applies the Do Not Forward AD RMS template to all messages with the
words confidential or private in the subject.

4.

Configure a moderated group.

5.

Test the transport rule configuration.

X To start the lab, complete the following steps


1.

On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and
then click Exchange Management Console.

2.

Expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click
Hub Transport.

3.

In the Actions pane, click New Send Connector.

4.

On the Introduction page, type Internet Connector as the connector name. In the Select the
intended use for this Send connector drop-down list, click Internet, and then click Next.

5.

On the Address space page, click Add.

6.

In the Address field, type *, click OK, and then click Next.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

7.

On the Network settings page, click Route mail through the following smart hosts, and then
click Add.

8.

In the IP address field, type 10.10.0.10, click OK, and then click Next.

9.

On the Configure smart host authentication settings page, click Next.

9-43

10. On the Source Server page, click Next, click New, and then click Finish.

X Task 1: Create a transport rule that adds a disclaimer to all messages sent to the
Internet

On VAN-EX1, create a new transport rule with the following settings:

Name: Internet E-Mail Disclaimer

Conditions: Sent to users outside the corporation

Actions: Add a disclaimer

Disclaimer text: This e-mail is intended solely for the use of the individual to whom it is
addressed

X Task 3: Create a transport rule for the CustomerService distribution group

Use the following settings to create a new transport rule that sends a copy of all messages sent to the
Internet with the term customer in the message body or subject to the CustomerService distribution
group:

Name: Customer Service Tracking

Condition: Sent to users outside the organization, and where the subject or message body
contain the word customer

Actions: Send a copy of the message to the CustomerService group

Exceptions: If the message is sent by a member of the CustomerService group

X Task 4: Enable AD RMS integration for the organization


1.

On VAN-DC1, grant the Exchange Servers group and the IIS_IUSRS read and execute permission to
the C:\inetpub\wwwroot\_wmcs\certification\ servercertification.asmx file.

2.

Restart IIS on VAN-DC1.

3.

On VAN-EX1, use the set-irmconfiguration InternalLicensingEnabled:$true cmdlet to enable


AD RMS encryption.

X Task 5: Configure a transport rule that applies the Do Not Forward AD RMS template
to all messages with the words confidential or private in the subject

Create a new transport rule with the following settings:

Name: Confidential E-Mail Rule

Condition: Where the subject contains the words Confidential or Private

Actions: protect the message with the Do not Forward template

9-44 Configuring Messaging Policy and Compliance

X Task 6: Configure a moderated group


1.

On VAN-EX1, configure the All Company distribution group to require moderation.

2.

Configure Andreas Herbinger as the groups moderator.

X Task 7: Test the transport rule configuration


1.

On VAN-CL1, verify that you are logged on as Adatum\Luca, and then open Office Outlook 2007.

2.

Send two messages to Carol@contoso.com. The first message should contain no settings, and the
second message should have the term customer in the subject.

3.

On VAN-DC1, open Windows Explorer. Browse to the C:\inetpub\mailroot\queue folder. Open the
first EML file with Notepad. Scroll to the middle of the message, and verify that the disclaimer has
been added to the message.

4.

On VAN-CL1, connect to the Outlook Web App site on VAN-EX1. Log on as Anna. Verify that the
member of the CustomerService group was copied on the message sent by Luca.

5.

In Outlook, create a new message, and send it to the All Company distribution group.

6.

Connect to the Outlook Web App site on VAN-EX1. Log on as Andreas. Approve the message.

7.

In Outlook, verify that the message to the All Company distribution list has arrived.

8.

In Outlook Web App, logged on as Andreas, create a new message with a subject of Private. Send
the message to Luca.

9.

In Outlook, verify that Luca received the message and that it has the Do Not Forward template
applied. Verify that the Forward option is not available on the message.

Results: After this exercise, you should have configured a transport rule that ensures that all messages
sent to users on the Internet includes a disclaimer of which the legal department approves. Additionally,
you should have configured a transport rule that ensures that messages with a Company Confidential
classification are not sent to the Internet, and you should have configured a transport rule that applies the
Do Not Forward AD RMS template to all messages with the words confidential or private in the
subject. Lastly, you should have configured a moderated group by using the All Company distribution
group.

Exercise 2: Configuring Journal Rules and Multi-Mailbox Search


Scenario
In addition to requirements restricting message flow, the project sponsors at A. Datum Corporation also
have the following requirements for saving messages and enabling auditors to search all mailboxes:

A copy of all messages sent to and from the Executives group will be saved. The journal mailbox
should be accessible only with a special auditor account.

Implement an auditor account that has permission to search all user mailboxes and access the
journaled Executive messages.

Verify that legal hold can be applied to user mailboxes and that messages deleted from mailboxes on
legal hold can be recovered through a discovery search.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-45

The main tasks for this exercise are:


1.

Create a mailbox for the Executives department journaling messages.

2.

Create a journal rule that saves a copy of all messages sent to and from Executives department
members.

3.

Create and configure the MailboxAuditor account.

4.

Configure legal hold on a mailbox.

5.

Test the journal rule, Multi-Mailbox Search, and legal hold configuration.

X Task 1: Create a mailbox for the Executives department journaling messages

Create a new recipient with the following attributes:

First name: Executives Journal Mailbox

User Logon name (User Principal Name): ExecutivesJournal

Password: Pa$$w0rd

Create the mailbox in Mailbox Database 1

X Task 2: Create a journal rule that saves a copy of all messages sent to and from
Executives department members

Create a new journal rule with the following attributes:

Rule name: Executives Department Message Journaling

Journal mailbox: Executives Journal Mailbox

Scope: Global

Recipient: Executives distribution group

X Task 3: Create and configure the MailboxAuditor account


1.

Create a new recipient with the following attributes:

First name: Mailbox Auditor

User Logon name (User Principal Name): MailboxAuditor

Password: Pa$$w0rd

Create the mailbox in Mailbox Database 1

2.

Grant the Mailbox Auditor account full access to the Executives Journal Mailbox and Discovery
Management Mailbox mailboxes.

3.

Add the Mailbox Auditor account to the Discovery Management Active Directory group.

X Task 4: Configure legal hold on a mailbox

On VAN-EX1, in the Exchange Management Console, enable legal hold for George Schallers mailbox.

9-46 Configuring Messaging Policy and Compliance

X Task 5: Test the journal rule and Multi-Mailbox Search configuration


1.

On VAN-CL1, if required, open Outlook.

2.

Create a new message, and then send it to Marcel Truempy. Marcel is a member of the Executives
group.

3.

Connect to Outlook Web App as Marcel, and confirm that the message was delivered. Reply to the
message.

4.

Connect to Outlook Web App as MailboxAuditor. Right-click Mailbox Auditor, and then click Open
Other Users Inbox. Open the Executives Journal Mailbox and verify that the two journaled
messages are in the Inbox.

5.

In Outlook, send a message with the following properties:

To: George; Carol@contoso.com

Subject: Customer Order

Message body: Here is the order for Carol at Contoso. Her customer number is 1111-1111.

6.

Connect to Outlook Web App as George Schaller and purge the message from Luca.

7.

Connect to the Exchange Control Panel as the MailboxAuditor.

8.

Create a new search named Customer Number Discovery. Configure the search to look for the
phrase customer number in George Schaller and Luca Dellamores mailboxes.

9.

Wait until the search finishes, and then in the bottom right pane, click the Open link. In Outlook Web
App, verify that the discovery folder named Customer Number Discovery contains two subfolders
and contains the discovered messages, including the messages deleted by George.

Results: After this exercise, you should have created a mailbox for the Executives department journaling
messages, and then created a journal rule that saves a copy of all messages sent to and from Executives
department members. You also should have created and configured the MailboxAuditor account.

X To prepare for the next lab

Do not shut down the virtual machines and revert them to their initial state when you finish this lab.
The virtual machines are required to complete this modules last lab.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-47

Lesson 4

Configuring Personal Archives

A compliance issue that many organizations must solve is that much of the information users receive by
email is not stored within the email system. Because of mailbox size limits, many users move messages
from their mailboxes to personal storage table (PST) files, where the messages are not backed up
regularly, and where the messages are not available for discovery or indexing.
Exchange Server 2010 introduces Personal Archives as an option for ensuring that all messages are stored
in a mailbox on an Exchange server. This lesson describes how to configure and manage Personal Archives
in Exchange Server 2010.
After completing this lesson, you will be able to:

Describe options for implementing mailbox archiving.

Describe how Personal Archives work in Exchange Server 2010.

Configure Personal Archives.

Identify options for implementing Personal Archives.

9-48 Configuring Messaging Policy and Compliance

Discussion: Options for Implementing Mailbox Archiving

Some organizations have implemented mailbox archiving by using third-party products. These products
provide different types of functionality and implement the functionality in different ways. In this
discussion, you will review the mailbox archiving solutions that organizations have implemented.
Question: Do you have any archiving or journaling requirements in your organization?
Question: How are you currently meeting these requirements?

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-49

How Personal Archives Work in Exchange Server 2010

Exchange Server 2010 provides Personal Archives as a feature that enables users to move their PST files
back into the Exchange Server database. To implement a Personal Archive, create a second mailbox that
the user can use to store messages that are no longer current, but which they may need to retain. The
user can access this archive mailbox in Outlook 2010 or Microsoft Outlook Web App just like any other
folder in the user mailbox.

How Personal Archives Works


To implement Personal Archives, the Exchange Server administrator creates a new archive mailbox for
the users. This mailbox can be on the same database as the primary mailbox, or on another database if
Exchange Server 2010 SP1 is installed. If you have configured a hybrid Exchange Online deployment, the
archive mailbox can also be located on Exchange Online while the primary mailbox is on-premises. You
can create the archive mailbox when you create the primary mailbox, or add the archive mailbox later.
The archive mailbox appears as a folder in the users regular mailbox when the user accesses their mailbox
by using Outlook 2007, Outlook 2010 or Outlook Web App. Users can the move their PST folders, or any
other messages, into the archive mailbox simply by dragging and dropping email into an archive folder.
You can also use archive policies to automatically move messages into the Archive mailbox based on a
retention setting.One of the differences between the primary mailbox and the archive mailbox is that the
archive mailbox is not cached on the client computer when you configure Outlook in cache mode. This
decreases the mailbox cache size on the client, but also means that the user can access the mail in the
mailbox only when connected to the Exchange server.
You can manage the archive mailbox through retention policies. For example, you can configure archive
policies that will move messages from the primary mailbox to the secondary mailbox based on the
Retention Tags assigned to the primary mailbox folders. Retention policies that delete messages after a
specified retention period are also applied to messages when they are moved into the archive mailbox.

9-50 Configuring Messaging Policy and Compliance

Personal Archives in Exchange 2010 SP1


The Personal Archives functionality in Exchange Server 2010 SP1 includes the following:

Provision personal archive on a different mailbox database. You can provision a user's personal
archive on a mailbox database different from the one where the user's primary mailbox resides. This
capability allows you to implement a tiered storage topology. You can also store a personal archive
mailbox on Exchange Online services.

Import historical mailbox data to archive. You can import historical mailbox data from .pst files
directly to the user's personal archive by using the New-MailboxImportRequest cmdlet in the
Exchange Management Shell. You can also import data from .pst files to the user's primary mailbox,
and both the personal archive and the primary mailbox can be exported to .pst files by using the
New-MailboxExportRequest cmdlet in the Exchange Management Shell.

Delegate access to archive. Delegates can access the delegating user's archive mailbox by using
Outlook 2010.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-51

Demonstration: How to Configure Personal Archives

In this demonstration, you will review how to configure a Personal Archive mailbox for a user account.
You will also see how to access the mailbox by using Outlook Web App.

Demonstration Steps
1.

On VAN-EX1, in the Exchange Management Console, click Recipient Management, and then click
Mailbox.

2.

Right-click a mailbox, and then click Enable Archive.

3.

On the mailbox properties, review the archive quota settings.

4.

Use the get-mailbox cmdlet to view the mailbox settings. Review the ArchiveName and
ArchiveQuota settings.

5.

Verify that you cannot view the archive mailbox in Outlook 2007, but can see it through Outlook
Web App.
Question: Will you implement Personal Archives in Exchange Server 2010?
Question: What are the benefits and disadvantages of the Personal Archives feature?

9-52 Configuring Messaging Policy and Compliance

Considerations for Implementing Personal Archives

Personal Archives provides an excellent opportunity for organizations to ensure that all messages in the
email system are stored in a location where the messages can be managed and accessed. However,
deploying Personal Archives will also require careful planning to ensure that the implementation is a
success.
In many organizations, some users may have several gigabytes of data stored in PST files. If all of these
messages are moved into archive mailboxes, the amount of storage required for the mailbox databases
will increase dramatically. Exchange Server 2010 enables you to manage very large mailboxes, but
organizations may not have sufficient storage or other infrastructure components, such as backup
capacity, to increase the size of the Exchange Server data store greatly.
Some considerations for managing the implementation for Personal Archives include:

Consider an incremental implementation for Personal Archives. If your storage infrastructure cannot
handle implementing Personal Archives for all users, start by identifying the users that will benefit
most from Personal Archives. This may include users with the most critical information currently
stored in PST files, or it may include all executives in the organization.

Because of the decrease in disk I/O, it is now feasible to store mailbox databases on lower
performance and less expensive disk arrays by using SATA drives. Additionally, rather than depending
on redundant disk arrays and backup to provide high availability, you can use database availability
groups (DAGs) to provide the required level of availability. With Exchange Server 2010 SP1, you can
also consider creating mailbox databases that will contain only archive mailboxes and configure less
expensive storage for the database, or configure fewer copies of the database within the DAG.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-53

To manage the size of the archive mailboxes, you can configure archive mailboxes with an archive
warning quota and an archive quota. When an archive mailbox exceeds the specified archive warning
quota, a warning event is logged in the Application event log. When an archive mailbox exceeds the
specified archive quota, messages are no longer moved to the archive, a warning event is logged in
the Application event log, and a quota message is sent to the mailbox user. By default, in Exchange
Server 2010 SP1, the archive warning quota is set to 45 GB, and the archive quota is set to 50 GB.

After you implement Personal Archives, you should consider removing the option for users to use PST
files. You can start moving users away from using PST files by creating a Group Policy object (GPO)
that prevents new items from being added to existing PST files. Making PST files read-only gives users
access to the PST files they may already have while encouraging them to keep the messages that they
want to keep in their mailboxes. Eventually, you may want to create a GPO to remove access to PST
files altogether.

9-54 Configuring Messaging Policy and Compliance

Lesson 5

Configuring Messaging Records Management

An important requirement for many organizations is managing the email stored in users mailboxes. In
some cases, organizations may need to retain some messages while deleting others after a specified time.
Exchange Server 2010 uses messaging records management to implement this functionality through
retention policies and managed folders. This lesson describes how to implement messaging records
management in Exchange Server 2010.
After completing this lesson, you will be able to:

Describe Retention Tags and retention policies.

Configure Retention Tags and retention policies.

Describe managed folders.

Deploy managed folders.

Implement managed custom folders and content settings.

Identify options for implementing messaging records management.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-55

Messaging Records Management Options

Personal Archives provide organizations with one option for managing the content of user mailboxes.
Messaging records management provides a second option. With messaging records management, you
can define rules that determine how long messages are retained, at what point messages are moved into
the personal archive or another folder, and at what point messages are deleted.
Messaging records management in Exchange 2010 enables flexible management of the messages in user
mailboxes. With messaging records management, you can configure different policies that provide unique
message retention options for different business units or levels of management within your organization.
Exchange Server 2010 provides the following two options for configuring messaging records
management:

Retention policies. Retention policies were first introduced in Exchange Server 2010. To configure
retention policies, you configure retention policy tags that set different rules about how long
messages will be retained. You then collect one or more retention policy tags into a retention policy
and apply the policy to user mailboxes. The retention policy then applies default retention settings to
messages in the user mailbox, but also provides users with options for changing the default settings
for individual messages or folders.

Managed folders. Managed folders were first introduced in Exchange Server 2007, but the
functionality is also available in Exchange Server 2010. To configure managed folders, you first create
managed folder content settings which define the retention period for messages. You can then link
these managed folder content settings to the default mailbox folders or create custom managed
folders in user mailboxes. The managed content settings are linked to a managed folder mailbox
policy, and the policy is applied to user mailboxes. The managed content settings are applied to
messages in the user mailbox depending on the message location. Users can manage message
retention by moving messages into appropriate folders.

9-56 Configuring Messaging Policy and Compliance

Note In Exchange Server 2010, you had to manage retention policy tags and retention
polices by using Exchange Management Shell cmdlets. You could configure managed
folders in the Exchange Management Console, or by using Exchange Management Shell
cmdlets. With Exchange Server 2010 SP1, the management options have been reversed.
You can now manage retention policies in the Exchange Management Console and the
Exchange Management Shell, but you can only configure managed folders in the Exchange
Management Shell.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-57

What Are Retention Tags and Retention Policies?

In Exchange Server 2010, you use retention tags to tag messages or folders for retention or deletion. Each
retention tag is associated with one or more managed content settings, which define the time for which
items are retained, and what will happen when the retention period expires. You can associate multiple
retention tags with a retention policy, which then is assigned to a user mailbox.
Messages are processed based on the retention tags and their associated content settings. When a
message reaches a retention limit, Exchange Server archives or deletes it, or flags it for user attention.

Retention Tags
Retention tags are the building blocks for retention policies. Each retention tag defines a folder or set of
folders that the tag can be applied to and defines the settings for message retention. Retention tags
specify how long a message remains in a mailbox folder, and the action that Exchange Server should take
when the message reaches the specified retention age.
The following types of retention tags are available:

Retention policy tag. Retention policy tags are applied to default mailbox folders such as Inbox,
Deleted Items, and Junk Mail. For example, you can set a retention policy tag that applies to the
Deleted Items folder that deletes all of the messages in the folder after 30 days, but allows users to
still recover the messages.

Default Policy Tag. A default policy tag can be associated with a retention policy and applies to all
items in the mailbox that do not have a retention tag explicitly applied to them, or that do not inherit
a tag from the folder they reside in. To create a default policy tag, you create a retention tag that
applies to all other folders in the user mailbox. You cannot have more than one default policy tag
associated with a retention policy.

9-58 Configuring Messaging Policy and Compliance

Personal Tags. Personal tags are retention tags available to users as part of their retention policy. A
user can opt-in to use additional personal tags by using the Exchange Control Panel, and can apply
them to folders or items in the mailbox. Personal tags can have only one setting for expiry of all
message types.

Archive Tags
You can configure a retention tag with an action to move messages to the personal archive mailbox when
the retention period expires. Tags that perform this action are named archive tags. When the retention
period expires on a message, the message is moved to the archive mailbox into a folder that has the
same name and is in the same hierarchy as the primary mailbox. You can only associate archive tags with
default policy tags and personal tags. You cannot create an archive tag that is assigned to a specific
mailbox folder.

Retention Policies
Retention policies group one or more retention tags and apply the tags to mailboxes. A retention policy
consists of one or more retention policy tags, a maximum of one default policy tag, and any number of
personal tags. You can link or unlink tags from a retention policy at any time.
You can apply retention policies to mailboxes by using the Exchange Management Shell, the Exchange
Management Console, or the Exchange Control Panel. A mailbox cannot have more than one retention
policy.

Retention Tags and Mailbox Folders


Retention policy tags apply to default folders as specified in the retention policy. Users cannot change the
retention policy tags associated with default folders. However, users can apply a different tag to an item in
a default folder, thereby causing the item to have a different retention setting than the folder in which it
resides. Similarly, an item in a user-created folder can also have a different tag than the folder within
which it resides.
Any individual message can have a maximum of one retention tag and a maximum of one archive tag
assigned to it. The archive tag dictates when the message will be moved to the archive mailbox, and the
retention tag dictates when the message will be deleted from either the primary mailbox or the archive
mailbox.
A mailbox item moved from one folder to another inherits any tags applied to the folder to which it
moves. If an item moves to a folder that does not have a tag assigned to it, the default policy tag applies
to it. If the item has a tag explicitly assigned to it, the tag moves with the item and always takes
precedence over any folder-level tags or the default tag.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-59

Demonstration: How to Configure Retention Tags and Policies

In this demonstration, you will review how to configure the three types of retention tags, and how to
configure content settings for the retention tags. Then you will see how to combine the retention tags
into a retention policy and how to assign the retention policy to a user.

Demonstration Steps
1.

On VAN-EX1, in the Exchange Management Console, click Organization Management, and then
click Mailbox.

2.

Create new retention policy tag that removes deleted items from mailboxes after 30 days.

3.

Create new retention policy and link the new retention policy tag to it. Link other retention policy
tags to the policy as required.

4.

Apply the retention policy to users in the ITAdmins OU.

5.

Start the managed folder assistant for Lucas mailbox and verify that the retention tags are available
in Outlook.
Question: Do you think you will implement retention policies?
Question: Which messaging records management option are you more likely to implement:
managed custom or default folders, or retention policies?

9-60 Configuring Messaging Policy and Compliance

What Are Managed Folders?

In addition to retention policies, you can implement messaging records management by configuring
managed folders. When you configure managed folders, you can configure managed content settings
that specify how long to retain messages in specified email folders. You can apply managed content
settings to the default email folders or to managed custom folders that you create in user mailboxes. You
then can create managed folder mailbox policies that apply the content settings for a folder or group of
folders to specified users.
Note Exchange Server 2007 introduced managed folders, and Exchange Server 2010
supports managed folders that are configured in Exchange Server 2007.

Managed Folder Options


Use the following options when configuring managed folders:

Configure content settings for the default folders that are created in all user mailboxes. When
configuring content settings for the default folders, set restrictions on how long the folder retains
messages. For example, the managed content settings that you apply to a users Inbox folder could
specify that its contents be automatically deleted or moved to another folder after 60 days. You can
also use the Exchange Management Console to apply content settings to the entire Mailbox folder.
The content settings applied to this folder will apply to all folders in the user mailbox, including
folders they have created.

Configure custom managed folders and then apply content settings to the custom folders. When
creating a custom managed folder, you can add that folder the user mailbox. You then can configure
content settings to apply to that folder. This is a useful option when users require the same folder,
and you need to manage the messages in the folder identically for all users. For example, several
users might be working on a special project that requires that all email messages related to the
project be stored for a set period. You can create a managed custom folder in the user Inbox
specifically for that project.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-61

Managed Content Setting Options


When you configure managed content settings, use the following options for configuring how users
manage messages:

Configure retention periods, which enable you to define how long content will remain in users
mailboxes. You can configure these policies by content age and message type, such as voice mail or
appointments.

Configure what action occurs when the retention period expires. For example, you can configure
messages to be deleted permanently, moved to the Deleted Items folder, or moved to another folder.

Configure journal settings to ensure copies of all messages in the specified folder are sent to another
recipient.

Managed Folder Mailbox Policies


Managed folder mailbox policies enable you to group managed folders and assign the managed folder
settings to user accounts. For example, you might have created a managed content setting for the Inbox
and the Sent Items folders, and a custom managed folder for a sales project. To apply these settings to
users, you need to create a managed folder mailbox policy and assign the Inbox, Sent Items, and the
custom managed folders to the policy. You then assign the policy to all of the users in the Sales
department.

User Interaction with Custom Managed Folders


When you create custom managed folders, users have to move email messages from their Inbox to the
appropriate folders. Managed content settings are applied automatically to messages that users have
moved. User also can sort messages into appropriate folders by using Outlook rules.
If you apply content settings to default folders in a user mailbox, no user interaction is necessary for the
settings to apply to the folders.

9-62 Configuring Messaging Policy and Compliance

Process for Deploying Managed Folders

To implement managed folders, you must complete the following steps:


1.

Specify the folders to which you want to apply managed content settings. You can apply managed
content settings to default folders in user mailboxes, or you can create managed custom folders in
user mailboxes.

2.

Specify the managed content settings for selected folders. When you configure content settings, you
can configure options that define the message types you want to manage, how long to retain the
messages, and what action to take when messages expire. You also can configure journaling settings
that will save a copy of all messages in the folder.

3.

Create a managed folder mailbox policy. You can use mailbox policies to group multiple managed
folders.

4.

Apply the managed folder mailbox policy to users mailboxes. By default, no managed folder mailbox
policies are created or applied to user mailboxes.

5.

Schedule the managed folder assistant to apply the changes to users mailboxes. The managed folder
assistant creates managed folders in users mailboxes and applies managed content settings to them.
By default, the managed folder assistant runs from 1 A.M. to 5 A.M. every day.

Managed Folder Assistant


The Managed Folder Assistant is a process that runs on Mailbox servers, and applies managed folder and
retention settings to mailboxes located on that server. The assistant retrieves the list of managed folders
associated with a policy, provisions managed folders in mailboxes, and processes items in those folders.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-63

In Exchange Server 2010, the Managed Folder Assistant also applies retention policies for messaging
records management. If you modify the Managed Folder Assistant schedule, it affects both messaging
records management features. In Exchange Server 2010, the Managed Folder Assistant is a schedulebased assistant that is scheduled to run from 01:00 through 09:00 (1:00 A.M. through 9:00 A.M.) every
day. You can modify the Managed Folder Assistant schedule to ensure there is minimal user impact. You
can also start and stop the assistant manually by using the Exchange Management Shell.
In Exchange Server 2010 SP1, the Managed Folder Assistant is a throttle-based assistant. Throttle-based
assistants do not run on a schedule; instead, they are configured to process all mailboxes on a Mailbox
server within a certain period of time known as a work cycle. Additionally, at a specified interval known as
the work cycle checkpoint, the Managed Folder Assistant refreshes the list of mailboxes to be processed.
During the refresh, the assistant adds newly created or moved mailboxes to the queue. It also reprioritizes
existing mailboxes that have not been processed successfully for a while because of failures, and moves
them higher in the queue so they can be processed during the same work cycle.
To start the Managed Folder Assistant on Exchange Server 2010 SP1, you use the Exchange Management
Shell. If you want to run the Managed Folder Assistant for one specific mailbox, run the following cmdlet.
Start-ManagedFolderAssistant -Identity Sten@contoso.com

The preceding command will apply all retention policies or managed folders to a specific mailbox.

9-64 Configuring Messaging Policy and Compliance

Considerations for Implementing Messaging Records Management

Messaging records management policies deal primarily with other message retention issues. By
implementing messaging records management policies, you can ensure that certain messages are deleted
in user mailboxes and that certain messages are retained for an extended period.
Note Remember that messaging records management requires an Exchange Enterprise
CAL for each mailbox on which it is enabled.

Ensure that you have business and legal approval before configuring messaging records management
policies. This is particularly important if you are configuring policies that will delete messages from
user mailboxes.

You can use retention policies and managed folder mailbox polices to group a collection of folders
with associated retention tags or content settings. If different user groups in your organization have
different requirements for messaging records management, you can create a unique policy for each
user group that includes just the folders that should apply to those users.

If your organization requires messages to be retained or managed based on projects, consider using
managed custom folders to apply messaging records management policies. With managed custom
folders, you can create the required folders in the mailboxes for all users associated with the projects,
and then ensure appropriate management of the folders messages.

If you want to automate the messaging records management process for all users, consider using
retention policies. With retention policies, you can set default tags that will be assigned to all folders,
while providing users with the option of overriding the tags.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-65

Consider the default retention policy configuration. By default, no retention policies are applied to
any user mailboxes. However, when you enable a personal archive for a mailbox, the Default Archive
and Retention Policy is automatically assigned to the user mailbox. This default policy moves all
messages more than two years old to the archive mailbox. You can modify this default behavior
ensuring that the default policy is not applied when you enable a personal archive, or by changing
the default policy.

Use retention policies to limit mailbox sizes. You can use retention policy tags to remove old
messages from folders such as the Deleted Items folder, or the Sent Items folder.

Consider migrating managed folder settings to retention policies. In Exchange Server 2010 SP1, you
can use the Port Managed Folder wizard in the Exchange Management Console to migrate managed
folders to retention tags, thereby maintaining the same retention settings as the managed folder.
When you run the wizard, the retention tags created by porting managed folders contain the
managed folder name in the LegacyManagedFolder property. After you port or create retention
tags, you must link the tags to a retention policy and apply the policy to a mailbox. When the
Managed Folder Assistant processes the mailbox and finds a managed folder that matches a ported
retention tag, the assistant applies the retention tag to the managed folder. The ported retention tag
must be linked to the user's retention policy for this to occur.

9-66 Configuring Messaging Policy and Compliance

Lab B: Configuring Personal Archives and Retention


Policies

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1.

On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2.

Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and the 10135B-VAN-CL1 virtual machines are
running:

3.

10135B-VAN-DC1: Domain controller in the Adatum.com domain.

10135B-VAN-EX1: Exchange 2010 server in the Adatum.com domain.

10135B-VAN-EX2: Exchange 2010 server in the Adatum.com domain.

10135B-VAN-CL1: Client computer in the Adatum.com domain.

If required, connect to the virtual machines.

Lab Scenario
You are the messaging administrator for A. Datum Corporation. Your organization has deployed Exchange
Server 2010.
The legal and audit departments at A. Datum provided you with several requirements for implementing
messaging policy and compliance. First, you must enable Personal Archives for all of the users in the
Marketing department. Additional requirements include configuring rules that will ensure that some
messages are retained for an extended period, while other messages are deleted when they expire.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-67

Exercise 1: Configuring Personal Archives


Scenario
A. Datum Corporation is also concerned about the number of emails that some users are storing in PST
files. In particular, some members of the Executives and Marketing group have several gigabytes (GB) of
data stored in PST files. To provide these users with larger mailboxes, the project team has agreed to
provide the members of the Executives and Marketing group with archive mailboxes. You need to
configure the mailboxes for these users.
The main tasks for this exercise are:
1.

Create an archive mailbox for all members of the Marketing and Executives groups.

2.

Verify that the archive mailbox was created for members of the Marketing group.

X Task 1: Create an archive mailbox for all members of the Marketing group

On VAN-EX1, in the Exchange Management Console, under Recipient Management, click Mailbox.
Sort the mailbox list by organizational unit, select all of the users in the Executives and Marketing
OUs, and then create an archive mailbox for them.

X Task 2: Verify that the archive mailbox was created for members of the Marketing
group

Log on to Outlook Web App as Manoj, and then verify that the archive mailbox was created.

Results: After this exercise, you should have configured archive mailboxes for all members of the
Marketing group.

Exercise 2: Configuring Retention Policies


Scenario
A. Datum also wants to ensure proper management of messages in the user mailboxes, and automate
message management in user mailboxes. The project sponsors have provided the following requirements:

Items in a users Deleted Items mailbox folder must be permanently deleted after 30 days.

Items in a users mailbox that have no other retention tag applied must be moved to archive after 365
days.

Users in Executives groups must be able to apply a Business Critical tag to specific items in their
mailboxes. These items should be moved to archive after 3 years.

To test this implementation, the executives have approved a pilot project to use retention policies for the
Marketing and Executives groups.
The main tasks for this exercise are:
1.

Create and configure retention tags.

2.

Create and configure retention policies for the Marketing group.

3.

Create and configure retention policies for the Executives group.

9-68 Configuring Messaging Policy and Compliance

X Task 1: Create and configure retention tags


1.

Use the Exchange Management Console to create a retention tag named Adatum Deleted Items,
that removes items from Deleted Items folder after 30 days.

2.

Use the Exchange Management Console to create a retention tag named Adatum
DefaultMoveToArchive that moves items to Archive after 365 days, if they are not tagged with
another retention tag.

3.

Create a retention tag for Personal folders that can be applied to personal items, and that retains
messages for 3 years before moving to archive. Name the tag Adatum BusinessCritical.

X Task 2: Create and configure retention policies for the Marketing group
1.

Create a new retention policy by using the Exchange Management Console. Name the retention
policy Marketing Group Retention.

2.

Add the Adatum Deleted Items and Adatum DefaultMoveToArchive retention tags to the
Marketing Group Retention policy.

3.

Apply the Marketing Group Retention policy to mailboxes in the Marketing OU.

X Task 3: Create and configure retention policies for the Executives group
1.

Create a new retention policy by using the Exchange Management Console. Name the retention
policy Executive Group Retention.

2.

Use the Exchange Management Console to add the Adatum Deleted Items, Adatum
BusinessCritical, and Adatum DefaultMoveToArchive retention tags to the retention policy.

3.

Apply the Executive Group Retention policy to mailboxes in the Executives OU.

Results: After this exercise, you should have configured Retention Tags and retention policies for the
Marketing and Executives groups.

X To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1.

On the host computer, start Hyper-V Manager.

2.

Right-click the virtual machine name in the Virtual Machines list, and then click Revert.

3.

In the Revert Virtual Machine dialog box, click Revert.

4.

In the Virtual Machines pane, click 10135B-VAN-DC1, and then in the Actions pane, click Start.

5.

To connect to the virtual machine for the next modules lab, click 10135B-VAN-DC1, and then in the
Actions pane, click Connect.
Important Start the 10135B-VAN-DC1 virtual machine first, and ensure that it is fully
started before starting the other virtual machines.

6.

Wait for 10135B-VAN-DC1 to start, and then start 10135B-VAN-EX1. Connect to the virtual machine.

7.

Wait for 10135B-VAN-EX1 to start, and then start 10135B-VAN-EX2. Connect to the virtual machine.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

9-69

Module Review and Takeaways

Review Questions
1.

You need to ensure that a copy of all messages sent to a particular distribution group is saved. You
only want copies of messages sent to the distribution group, not copies of all messages sent to
individual members of the group. What should you configure?

2.

You need to ensure that a user can search all Exchange Server organization mailboxes for specific
content. What should you do? What user training will you need to provide?

Common Issues Related to Implementing Messaging Policies


Identify the causes for the following common issues related and fill in the troubleshooting tips. For
answers, refer to relevant lessons in the module.
Issue
Transport rules that use regular
expressions are not applied consistently.
Message recipients report that they are
receiving error messages when they
receive digitally signed messages from
other users in the organization.
After you implement a transport rule,
users report that some of the messages
they send to Internet recipients are not
delivered and they do not receive
notification of why the messages were
not delivered.

Troubleshooting tip

9-70 Configuring Messaging Policy and Compliance

Real-World Issues and Scenarios


1.

A. Datum Corporation has deployed an AD RMS server, and users are using it to protect email.
However, users report that when they protect email messages, users outside the organization cannot
read the messages. What should A. Datum messaging administrators do?

2.

Woodgrove Bank has implemented message journaling for all messages sent to and from the legal
and compliance teams. These messages need to be available to auditors for seven years. The
mailboxes used for journaling are growing rapidly. What should the messaging administrators at
Woodgrove Bank do?

Best Practices Related to a Particular Technology Area in this Module


Supplement or modify the following best practices for your own work situations:

Implementing messaging policies in Exchange Server 2010 can be complicated and the optimal
configuration will be different in every organization. However, it is critical that you start thinking
about this issue now in order to implement the policies and configurations that will meet your
organizations legal requirements.

Implement messaging policies only after extensive testing in a lab environment. If you configure
messaging policies incorrectly, you could potentially delete messages that should be retained, or
disrupt message delivery. Additionally, some messaging policies may have unintended consequences.
Because of this, be sure to test all messaging policies thoroughly, and implement the policies in the
production environment incrementally.

Planning messaging policies always involves discussions with legal and compliance personnel who
may not understand how you can use Exchange Server to enforce messaging policies. Be prepared to
explain what Exchange Server can and cannot do in terms that people who are not messaging experts
can understand.

10-1

Module 10
Securing Microsoft Exchange Server 2010
Contents:
Lesson 1: Configuring Role-Based Access Control

10-3

Lesson 2: Configuring Audit Logging

10-26

Lesson 3: Configuring Secure Internet Access

10-34

Lab: Securing Exchange Server 2010

10-52

10-2 Securing Microsoft Exchange Server 2010

Module Overview

In many organizations, Microsoft Exchange Server 2010 provides a critical business function for both
internal and external users. Additionally, many organizations expose at least a few of their Exchange
servers to the Internet. For these reasons, it is important that you do what you can to secure the Exchange
Server deployment. There are several components to securing your Exchange Server deployment:
configuring administrative permissions appropriately and securing the Exchange Server configuration. This
module describes how to configure permissions and secure Exchange Server 2010.
After completing this module, you will be able to:

Configure role-based access control (RBAC) permissions.

Configure audit logging.

Configure secure Internet access.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

10-3

Lesson 1

Configuring Role-Based Access Control

Exchange Server 2010 uses the RBAC permissions model to restrict which administrative tasks users can
perform on the Mailbox, Hub Transport, Unified Messaging, and Client Access server roles. With RBAC,
you can control the resources that administrators can configure and the features that users can access.
This lesson describes how to implement RBAC permissions in Exchange Server 2010, and how to configure
permissions on Edge Transport servers.
After completing this lesson, you will be able to:

Describe RBAC.

Describe management role groups.

Identify Exchange Server 2010 built-in management role groups.

Manage RBAC permissions.

Configure custom management role groups.

Describe management role assignment policies.

Work with management role assignment policies.

Describe Exchange Server split permissions.

Configure RBAC split permissions.

Configure Active Directory Domain Services (AD DS) split permissions.

10-4 Securing Microsoft Exchange Server 2010

What Is Role-Based Access Control?

RBAC is the new permissions model in Exchange Server 2010. With RBAC, you do not have to modify and
manage access control lists (ACLs) on Exchange Server or (AD DS) objects. In Exchange Server 2010, RBAC
controls the administrative tasks that users can perform and the extent to which they can administer their
own mailbox and distribution groups.
When you configure RBAC permissions, you can define precisely which Exchange Management Shell
cmdlets a user can run and which objects and attributes the user can modify.
All Exchange Server administration tools, including Exchange Management Console, Exchange
Management Shell, and Exchange Control Panel (ECP), use RBAC to determine user permissions.
Therefore, permissions are consistent regardless of which tool you use.
If RBAC allows the cmdlet to run, the cmdlet actually runs in the security context of the Exchange Trusted
Subsystem and not the user's context. The Exchange Trusted Subsystem is a highly privileged universal
security group that has read/write access to every Exchange Serverrelated object in the Exchange
organization. It is also a member of the Administrators local security group and the Exchange Windows
Permissions universal security group, which enables Exchange Server 2010 to create and manage AD DS
objects.

RBAC Options
RBAC assigns permissions to users in two primary ways, depending on whether the user is an
administrator or end user:

Management role groups. RBAC uses management role groups to assign permissions to
administrators. These administrators may require permissions to manage the Exchange Server
organization or some part of it. Some administrators may require limited permissions to manage
specific Exchange Server features, such as compliance or specific recipients.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

10-5

To use management role groups, add users to the appropriate built-in management role group,
or to a custom management role group. RBAC assigns each role group one or more
management roles that define the precise permissions that RBAC grants to the group.

Management role assignment policies. Management role assignment policies are used to assign enduser management roles. Role assignment policies consist of roles that control what users can do with
their mailboxes or distribution groups. These roles do not allow management of features with which
users are not associated directly.
Note You also can use direct role assignment to assign permissions. Direct role
assignment is an advanced method for assigning management roles directly to a user or
Universal Security Group, without the need to use a role group or role assignment policy.
Direct role assignments are useful when you need to provide a granular set of permissions
to a specific user only. However, it is recommended that you avoid using direct role
assignment, as it is significantly more complicated to configure and manage.
Question: What requirements does your organization have for assigning Exchange Server
permissions? Does your organization use a centralized or decentralized administration
model? What special permissions will you need to configure?

10-6 Securing Microsoft Exchange Server 2010

What Are Management Role Groups?

A management role group is a universal security group that simplifies the process for assigning
management roles to a group of users. All members of a role group are assigned the same set of roles.
Role groups are assigned administrator and specialist roles that define major administrative tasks in
Exchange Server 2010, such as organization management, and recipient management. Role groups enable
you to more easily assign a broader set of permissions to a group of administrators or specialist users.
Use management role groups to assign administrator permissions to groups of users. To understand how
management role groups work, you need to understand their components.

Components of Management Role Groups


Management role groups use several underlying components to define how RBAC assigns permissions as
assigned:

Role holder. A role holder is a user or security group that you can add to a management role group.
When a user becomes a management role-group member, RBAC grants it all of the permissions that
the management roles provide. You can either add user accounts to the group in AD DS, or use the
Add-RoleGroupMember cmdlet.

Management role group. The management role group is a universal security group that contains users
or groups that are role-group members. Management role groups are assigned to management roles.
The combination of all the roles assigned to a role group defines everything that users added to a
role group can manage in the Exchange Server organization.

Management role. A management role is a container for a group of management role entries. These
entries define the tasks that users can perform if RBAC assigns them the role using management role
assignments.

Management role entries. A management role entry is a cmdlet, including its parameters, which you
add to a management role. By adding cmdlets to a role as management role entries, you are granting
rights to manage or view the objects associated to that cmdlet.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

10-7

Management role assignment. A management role assignment assigns a management role to a role
group. Once you create a management role, you must assign it to a role group so that the role
holders use it. Assigning a management role to a role group grants the role holders the ability to use
the cmdlets that the management role defines.

Management role scope. A management role scope is the scope of influence or impact that the role
holder has once RBAC assigns a management role. When assigning a management role, use
management scopes to target which objects that role controls. Scopes can include servers,
organizational units, recipient objects, and more.

Examples of Management Role Groups


Management role groups define who can perform specific tasks and the scope within which
administrators can perform those tasks. For example, you can use RBAC to assign permissions as the
following table shows:
Role
holder

Management
role group

Management role

Management role
entries

Management role
scope

Gregory

Organization
Management

Organization
Management

All Exchange cmdlets

Organization

Alice

Help Desk

HelpDesk

Cmdlets related to
mailbox and user
account management

Organization

Jason

Sales Admins

SalesAdminRole

Cmdlets related to
Recipient
management only

Sales department
organization unit (OU) in
AD DS or Active Directory

10-8 Securing Microsoft Exchange Server 2010

Built-In Management Role Groups

Exchange Server 2010 includes several built-in role groups that you can use to provide varying levels of
administrative permissions to user groups. You can add users to, or remove them from, any built-in role
group. You also can add or remove role assignments to or from most role groups.
Role group

Description

Organization
Management

Role holders have access to the entire Exchange Server 2010 organization
and can perform almost any task against any Exchange Server object.

View-Only Organization
Management

Role holders can view the properties of any object in the organization.

Recipient Management

Role holders have access to create or modify Exchange 2010 recipients


within the Exchange Server organization.

UM Management

Role holders can manage the Unified Messaging features within the
organization, such as Unified Messaging server configuration, properties on
mailboxes, prompts, and auto-attendant configuration.

Discovery Management

Role holders can perform searches of mailboxes in the Exchange


organization for data that meets specific criteria.

Records Management

Role holders can configure compliance features, such as retention policy


tags, message classifications, transport rules, and can also export audit logs.

Server Management

Role holders have access to Exchange server configuration. They do not


have access to administer recipient configuration.

Help Desk

Role holders can perform limited recipient management.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

10-9

(continued)
Role group

Description

Public Folder
Management

Role holders can manage public folders and databases on Exchange servers.

Delegated Setup

Role holders can deploy previously provisioned Exchange servers.

Note All of these role groups are located in the Microsoft Exchange Security Groups OU in
AD DS.

10-10

Securing Microsoft Exchange Server 2010

Demonstration: Managing Permissions Using the Built-In Role Groups

In this demonstration, you will review how to manage RBAC permissions in Exchange Server 2010 by using
the built-in role groups. You will see how to add users to the built-in role groups and how RBAC assigns
the resulting permissions to the user accounts.

Demonstration Steps
1.

On VAN-EX1, in Active Directory Users and Computers, add a user or security group to the Recipient
Management group.

2.

On VAN-EX2, log on using the delegated user account. Open the Exchange Management Console
and the Exchange Management Shell.

3.

Verify that the user has read access to the Exchange Server organization configuration.

4.

Verify that the user cannot modify the settings on the Mailbox databases.

5.

Verify that the user can modify the settings for mailboxes and distribution groups. Verify that the user
account has permission to move mailboxes to another server.

6.

In the Exchange Management Shell, use the get-exchangeserver | FL cmdlet to verify that the user
has Read permission to the Exchange server information.

7.

Use the Set-User cmdlet to verify that user has permission to modify the Active Directory account.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

10-11

Process for Configuring Custom Role Groups

In addition to the built-in role groups, you also can create custom role groups to delegate specific
permissions within the Exchange Server organization. Use this option when your ability to limit
permissions is beyond the scope of the built-in role groups.

Configuring a Custom Management Role Group


RBAC offers a variety of ways in which you can assign permissions in an Exchange Server 2010
environment. For example, RBAC enables you to assign permissions to a group of administrators in a
branch office who only need to manage recipient tasks for branch-office users and mailboxes on branch
office Mailbox servers. To implement this scenario, you would:
1.

Create a new role group, and add the branch office administrators to the role group. You can use the
New-RoleGroup cmdlet to create the group or create the group using the ECP. When you create the
group, you must specify the management roles. Additionally, you also can specify the management
scope for the role.

2.

Assign management roles to the branch office administrators. To delegate permissions to a custom
role group, you can use one or more of the default built-in management roles, or you can create a
custom management role that is based on one of the built-in management roles. Exchange Server
2010 includes approximately 70 built-in management roles that provide granular levels of
permissions. To view a complete list of all the management roles, use the get-managementrole
cmdlet. To view detailed information about a management role, type get-managementrole
rolename | FL, and then press Enter. You can also view this information in the Exchange Control
Panel.

10-12

Securing Microsoft Exchange Server 2010

Note You also can configure a new management role rather than use one of the existing
management roles. To do this, use the New-ManagementRole cmdlet to create a custom
management role-based on one of the existing management roles. You can then add and
remove management role entries as needed. By default, the new management role inherits
all of the permissions assigned to the parent role. You can remove permissions from the
role, as necessary, by using the Remove-managementroleentry cmdlet. However, it can
be complicated to create a new management role and remove unnecessary management
role entries, so we recommend that you use one of the existing roles whenever possible.
3.

Identify the management scope for the management role. For example, in the branch office scenario,
you could create a role assignment with an OU scope that is specific to the branch office OU.

4.

Create the management role group using the information that you collect. You can use the ECP or
the New-RoleGroup cmdlet to create the link between the role group, the management roles, and
the management scope.For example, consider the following command:
New-RoleGroup Name BranchOfficeAdmins roles Mail Recipients, Distribution Groups,
Move Mailboxes, Mail Recipient Creation RecipientOrganizationalUnitScope
Adatum.com/BranchOffice

5.

It does the following:

Creates a new role group named BranchOfficeAdmins.

Assigns the Mail Recipients, Distribution Groups, Move Mailboxes, and Mail Recipient Creation
management roles to the BranchOfficeAdmins role group.

Configures a management role scope limited to the BranchOffice OU in the Adatum.com


domain.

10135B: Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2

10-13

Demonstration: Configuring Custom Role Groups

In this demonstration, you will review how to create a custom role group and how to assign management
roles to the group. You also will verify that the correct permissions are assigned to the user accounts.

Demonstration Steps
1.

On VAN-EX1, open the Exchange Control Panel. Log in as Adatum\administrator.

2.

Create a new group in Active Directory Users and Computers, verify that the group has been created
in the Microsoft Exchange Security Groups OU and that the user has been added to the group.

3.

Log on to the Exchange Server using the delegated user account, and open the Exchange
Management Console. Verify that the user can modify mailboxes and create new mailboxes only in
the Marketing OU.
Question: Will you implement custom management roles in your organization? If so, how
will you configure the management roles?

10-14

Securing Microsoft Exchange Server 2010

What Are Management Role Assignment Policies?

Management role assignment policies associate end-user management roles with users. You do not
configure administrative permissions with management role-assignment policies. Rather, you use
management role assignment policies to configure what changes users can make to their mailbox settings
and to distribution groups that they own. Every user with an Exchange Server 2010 mailbox receives a role
assignment policy, by default. You can:

Decide which role assignment policy to assign by default.

Choose what to include in the default role assignment policy.

Override the default po