Learning Exchange Server 2007
By David Shackelford

Video 1
Introduction to Video Series
• Hands-on coverage of this product
• 24 lessons, each between 35 and 70 minutes in length
• Why Exchange 2007?
Instructor
• Who am I?
– Dave Shackelford
– Network/System Engineer
– Owner of Shackelford Consulting, Inc.
• What I bring to the table:
– Ten years of Exchange administration
– Microsoft Exchange MVP from 2004 through 2008
– MCSE and CCNA
– Partnering consultant
– Occasional technical trainer and user group speaker
© Train Signal, Inc., 2002-2007
Areas we're going to cover – Part 1
• Pre-installation prep
• Installation
• Console tour
• Exchange PowerShell
• The Exchange 2007 database
• What it takes to “go live”
• Recipients and mailboxes
• Public folders
• Address lists
• Autodiscover
• Client Access Server role
• Outlook Web Access
Areas we're going to cover – Part 2
• POP3 and IMAP
• Hub Transport Server Role
• Compliance
• Edge Server Role
• Anti-Spam
• Anti-Virus
• Backup
• Recovery
• Transport Layer Security
• Advanced Mailbox Topics
• Exchange Tools
• SharePoint Integration
Video 2
Introduction to Exchange 2007
Where we're going:
• Our Scenario
• Our Lab Setup
• My approach
Scenario – Part 1
• Company Name
– Cash Cow Capital Group
• Company Location
– Chicago, IL – main location
– Other small office locations: Albany, NY and Krakow, Poland
• Domain Name
– cccapitalgroup.com
Scenario – Part 2
• Type of Business
– Cash Cow Capital Group (3CG) has been a small but dynamic presence in niche foreign exchange markets since 1976. 3CG has historically been recognized for its expertise in Czech dormitory bonds, but more recently has experienced rapid growth due to the maturing of its dairy methane pollution credit exchange market in the European Union. The company is expanding its operations and has opened 2 other small satellite offices in the US and Europe. Due to the large volume of mail generated by trades and research and the importance of giving its field agents and brokers real-time collaborative access to information, the company has decided to deploy Exchange 2007.
– The company has far outgrown its ISP-based POP3 mail server and is eager to move into a twenty-first century solution. The company director has decided to outsource a technical person who can come in and install Exchange Server 2007 in the Chicago office and begin to integrate its new features into the organization's technology platform.
Scenario Diagram (Pre)
Cash Cow Capital Group – General Network Architecture
(Diagram: Main Chicago Office – Users, Switch Farm, Firewall, Router; WAN and VPN)
Scenario Diagram (Post)
Cash Cow Capital Group – General Network Architecture
(Diagram: Main Chicago Office – Users, Switch Farm, Firewall, Router; WAN and VPN over the Public Internet to the Krakow Branch Office)
Lab Setup
(Diagram of the lab network:)
• Public Internet with a Public DNS Server
• Router and Firewall
• Clients: Vista1, Vista2, Mobile1
• 3CGMAIL07 – Exchange 2007
• 3CG-DC – AD and DNS
Video 3
Pre-Installation Preparation
Where we're going
• Hardware Requirements
• Creating infrastructure
– Physical Disk configuration
– DNS Setup
– AD Installation (Dcpromo)
– Domain Registration
• Requirements for AD and older Exchange orgs
• AD Schema changes
• Readiness Scan
• Editions and CAL types
• Wrap-up
Requirements
• Hardware minimums:
– A 64-bit processor, AMD or Intel (EM64T, not Itanium)
– 2 GB of RAM plus 5 MB per mailbox (200 users: 3 GB RAM); more is better
– 1.2 GB of free space for the installation location and 200 MB free on the system drive
• Software:
– Windows 2003 SP1 on a domain controller (schema master & global catalog)
– Windows 2003 x64 with SP1 or R2
– .NET Framework 2.0
– MMC 3.0 (comes with R2)
– PowerShell 1.0
– Internet Information Server (without SMTP or NNTP)
• File System: All locations with NTFS
Planning Disks – Part 1
• Best Practices
– Hardware RAID solutions
– Spindles, not size, but less critical than with earlier versions of Exchange
– Separate Exchange databases from the operating system
– If possible, separate out transaction logs from databases
Planning Disks – Part 2
DNS Setup
Active Directory Domain Registration
AD Requirements
AD Schema Changes
Readiness Check
Editions
CAL Types
• Standard CAL
– Standard mailbox access
– Outlook Web Access
– Mobile access (Exchange Active Sync)
• Enterprise CAL (is an add-on)
– Unified Messaging
– Managed Folders
– Advanced Journaling
– ForeFront anti-virus security
Wrap-up
Video 4
Installation of Exchange 2007
Where we're going
Verifying the Install
• Post-install checks
– New service creation
– Best Practices Analyzer
– Taking care of licensing
Finalizing Deployment
End-to-End Scenario
• Optional Tasks
– Monitoring
– Anti-Spam settings
– Document Retention/Compliance (MRM)
– And more….
Editing Roles
Installing SP1
Wrap-up
Video 5
Exchange Management Console
Where we're going
• Console Layout
• Architecture
• Role Delegation
• Grand Tour
• Finalization Tasks
• Toolbox and Extras
• 32-bit Edition
Layout of EMC
Architecture Tie-in – Part 1
Architecture Tie-in – Part 2
(Diagram: Management Console and Management Shell → PowerShell cmdlets → AD, Registry, Exchange Databases)
Role Delegation
Tour of EMC
Toolbox
32-bit edition
Video 6
Exchange Management Shell
Where we're going
Shell Usage
Syntax Help
Pipelining
Manage Mailboxes
Management
Wrap-up
Video 7
Exchange 2007 Database
Where we're going
E-2007 Database
Database Overview – Part 1
Database Overview – Part 2
What's Changed
Replication Settings
Circular Logging
Transaction Logs
C:\Program Files\Exchange Server\Mailbox\First Storage Group\
Limitations
• Limitations
– The theoretical size cap is not a practical size cap
– For Standard, there is an artificial 50 GB cap on database sizes (SP1 = 150 GB)
– Memory cost
– The default mailbox size limit is 2 GB (can be changed)
Best Practices
Wrap-up
Video 8
Going Live
What We'll Be Covering
• Scenario
• Checklist
• Checking DNS
• Checking listening ports
• Testing inbound/outbound email flow
Diagram
A Review of the Basics
(Diagram: Email Sender → ISP DNS Server; Public DNS Server holding the cashcowcapitalgroup.com name server records: MX record, A record, PTR/rDNS record; Remote Mail Server → Internet → NAT Firewall, port 25 → Exchange Server)
Going Live Checklist
Testing Email
Manually sending an email
• Telnet to port 25 on the server: telnet cowmail.cashcowcapitalgroup.com 25
C: HELO trainsignal.com
C: MAIL FROM: <david@trainsignal.com>
C: RCPT TO: <dshack@cashcowcapitalgroup.com>
C: DATA
C: Subject: test message
C: From: david@trainsignal.com
C: To: dshack@cashcowcapitalgroup.com
C:
C: Hello,
C: This is a test.
C: Goodbye.
C: .
C: QUIT
Wrap-up
Video 9
Working with Recipients
Where we're going
• Configuring mailboxes
• Working with contacts
• Creating and using distribution groups
• Working with rooms and equipment mailboxes
• Using recipient filtering
Scenario
• Management requests:
– Set storage quota of 1 GB for all users
– Configure Clive with send-as for Henry
– Reject mail to Dot from Lance
– Disable OWA for Sui and Terra
– Create mail-enabled contacts for two contractors
– Create four security/distribution groups
– Set something up for conference room & portable projector reservations
Configuring Mailboxes
Mail Contacts
Distribution Groups
• Task:
– Create three security/distribution groups
• Security groups are extended distribution groups
• There's no great reason not to use security groups for everything
• By default, mail-enabled groups do not accept mail from the internet (unauthenticated senders)
• To change this:
– Set-DistributionGroup Brokers -RequireSenderAuthenticationEnabled $False
Or to change it on all security groups:
– Get-DistributionGroup | Set-DistributionGroup -RequireSenderAuthenticationEnabled $False
Rooms and Equipment
Wrap-up
Video 10
Configuring Public Folders
Where we're going
PF Architecture
Scenario
Management Requests
• New Public Folders need to be created and mail-enabled:
– Info
– InboundFax
– Research
– ClientSupport
– TradeConfirmations
• Clive needs to be able to create subfolders & assign permissions on:
– Info
– Client Support
• Gandalf needs to have admin control over Research
• Data Entry group needs to have admin control over:
– InboundFax
– Trade Confirmations
PF Management Tools
Creating Public Folders
Assigning PF Permissions
Mail-enabling PFs
Wrap-up
Video 11
Configuring Address Lists
Where we're going
Address Lists
Global Address Book
Offline Address Books
Dynamic Distribution Groups
• Working with dynamic groups
– Groups can be built based on AD properties like Department, State or Company
– Especially useful for location-specific communications
– Can't be used as security groups
– Create them in the Groups sub-node of the Recipient node
– Non-wizard filtering criteria can be used if you use the New-DynamicDistributionGroup cmdlet.
• Example:
– New-DynamicDistributionGroup -Name "CashCowCapital Company" -Alias "3CG_Company" -IncludedRecipients "MailboxUsers,MailContacts" -OrganizationalUnit "3CG.local/Users" -ConditionalCompany "3CG"
Best Practices
• Recommendations
– Address Lists:
• Don't create any unless you really need them, then keep it simple.
• Make list names clearly descriptive of contents
– Global Address Books:
• Stick with the default one if at all possible
• Create new ones only for client-base isolation
– Dynamic Distribution Lists:
• Don't forget about the value of non-wizarded dynamic lists
Wrap-up
Video 12
Configuring Outlook - AutoDiscover
Where we're going
• What is Autodiscover?
• How does it work?
• How do I set it up?
• How do I set up Outlook?
• Best Practices
Intro to Autodiscover
• Autodiscover was built to:
– Streamline Outlook configuration (both MAPI and Outlook Anywhere)
– Allow simpler access to the Offline Address Book (OAB) for external users
– Facilitate access to the Availability service that handles Free/Busy data
– Simplify setup for Unified Messaging
• Autodiscover requires some setup
• The services that work with it also need to be configured
• Autodiscover cannot provide services to Outlook client versions before 2007
Autodiscover Architecture
Internal Autodiscover – Part 1
• Process Outline
1. Client queries AD for the SCP object
2. AD hands back Autodiscover service URL
3. Client connects to Autodiscover virtual directory using HTTPS
4. Autodiscover hands back addresses and information for available services
After this, the client is able to connect to the needed resources.
Internal Autodiscover – Part 2
(Diagram: Outlook 2007 Client → (1) AD → (2) back to client → (3) CAS → (4) back to client; MBox behind the CAS)
External Autodiscover – Part 1
• Process Outline
1. Client fails to connect to AD to query SCP information
2. Client uses its primary SMTP address to query DNS for an "autodiscover" record.
3. DNS provides the IP of the Autodiscover server
4. Client contacts the Autodiscover virtual directory on the CAS
5. CAS Autodiscover service provides the client with information needed to connect to various Exchange services
External Autodiscover – Part 2
(Diagram: Outlook 2007 Client on the Public Internet; (1) AD unreachable, (2) DNS query, (3) DNS reply, (4) request through the firewall to the CAS on the Private Network, (5) CAS reply; MBox behind the CAS)
The Query
Autodiscover Setup
• Implementing AutoDiscover:
– Check on the virtual server
– Set up the DNS
– Obtain an SSL certificate
– Install and configure the cert
– Configure the virtual server
– Configure for OAB
– Configure for Outlook Anywhere
– Configure for Availability
The Certificate
Setting up Outlook
Best Practices
• Recommendations:
– Use a SAN UCC cert to reduce complexity
– Don't try to use a self-signed cert, use a commercial cert
– Use a tool like Digicert's to make sure your cert request is correct
– Leave punctuation out of the Subject Name fields of your cert request
– Work slowly, don't make changes to IIS unless you know what you're doing
– Use the Test Email Autoconfig Tool to troubleshoot Autodiscover
– Use Test-OutlookWebServices to help narrow down problems
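An added check, not part of the course material, for the certificate recommendations above: it pulls the certificate served on autodiscover.<domain>, collects the CN and Subject Alternative Names, tests trust and expiry, and reports which names Outlook will connect to are not covered. The domain and host names are the course's scenario; the required-name list is an assumption.

```powershell
# Added example (not from the course). Run from any Windows PowerShell host
# that can reach the Autodiscover name on 443; no Exchange cmdlets needed.
function Test-AutodiscoverCert {
    param(
        [string]$Domain = "cashcowcapitalgroup.com",
        # Names the clients will use; the list is an assumption for the scenario.
        [string[]]$RequiredNames = @("autodiscover.cashcowcapitalgroup.com",
                                     "cowmail.cashcowcapitalgroup.com")
    )
    $hostName = "autodiscover.$Domain"
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, 443)
    # Accept any chain during the handshake so the cert can be inspected;
    # trust is evaluated separately below with X509Chain.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($hostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # CN plus every DNS name in the SAN extension (OID 2.5.29.17).
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($sanExt) {
        # Format() yields "DNS Name=a.example.com, DNS Name=b.example.com".
        $names += ($sanExt.Format($false) -split ',') |
            ForEach-Object { ($_ -split '=')[-1].Trim() }
    }

    # Does this machine trust the chain? A self-signed cert fails here, which is
    # exactly the "don't use a self-signed cert" point from the slides.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    New-Object PSObject -Property @{
        Host     = $hostName
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Expired  = ($cert.NotAfter -lt (Get-Date))
        Trusted  = $trusted
        Names    = $names
        # Exact-name comparison; a wildcard cert would need extra handling.
        Missing  = @($RequiredNames | Where-Object { $names -notcontains $_ })
    }
}

Test-AutodiscoverCert | Format-List
```

An empty Missing list together with Trusted = True and Expired = False is what a correctly issued SAN/UCC certificate looks like from the client's side.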
Wrap-up
Video 13
Configuring the Client Access Server
Where we're going
CAS Role
IIS Virtual Directories – Part 1
• Most of the CAS functionality is based in IIS:
– These virtual directories in the default web site run CAS services:
• OWA (connects to Exchange 2007 mailbox servers)
• RPC
• RPCwithCerts
• Microsoft-Server-ActiveSync
• OAB
• EWS
• Autodiscover
• UnifiedMessaging
IIS Virtual Directories – Part 2
• For OWA connections to Exchange 2003/2000 servers:
– Exchange
– Public (used for both legacy and 2007 PF access)
– Exadmin
– Exchweb
– All these directories are encrypted with the cert installed on the root site
– To create a new CAS website, you'd use the New-OWAVirtualDirectory cmdlet to create the requisite virtual directories
Outlook Anywhere Architecture
• How Outlook Anywhere works:
– HTTPS tunnel created between client and CAS
– Standard MAPI/RPC traffic passed through tunnel to appropriate Mailbox server
– Traffic is encrypted with cert installed on Default Web site
– Connection from client can be made from anywhere that HTTPS is allowed
– Allows use of all "fat" client features that can be used internally
– .ost file caches data, keeping an offline copy of server-side mailbox
Setting up Outlook Anywhere
• Configuring Outlook Anywhere
– Install certificate
– Make sure SSL is enabled on default web site (it is by default)
– Add the RPC over HTTP Proxy via Add/Remove Windows Components
– Enable Outlook Anywhere via the EMC (or EMS with Enable-OutlookAnywhere)
• Set URL
• Set Authentication method (NTLM if you have ISA proxy, or Basic if not)
– Configure Outlook Anywhere on Outlook 2007
• Accounts -> profile properties -> More Settings -> Connection Tab
• URL: same URL you configured above (ex: cowmail.cashcowcapitalgroup.com)
• Principal name: "msstd:cowmail.cashcowcapitalgroup.com"
• Auth: needs to match what was set on server
Active-Sync Architecture
New Features
Setting up Active-Sync
• Configuration
On the server:
– Determine the external URL
– Determine the auth method
– Determine which file resources should be made available
– Set up a policy if desired
On the mobile device:
– Setting up the device
– Managing the device
– Managing devices via OWA
Best Practices
• Recommendations
– Use a cert with Subject Alternative Names (SAN) and stick with the default site
– For Outlook Anywhere, use NTLM authentication if possible
– To use NTLM, you will need an advanced firewall like ISA 2006
– Use cached-mode with Outlook Anywhere
– Watch the HTTP timeout interval on your firewalls for the sake of ActiveSync
– Only allow SSL connections for ActiveSync
– Create and deploy a Windows Mobile password policy
Wrap-up
Video 14
Outlook Web Access
Where we're going
OWA Features
Scenario
Light/Premium Client
Authentication Options
Accessing Server Files
Changing the URL
Wrap-up
Video 15
Working with POP and IMAP
Where we're going
• Protocol architecture
• Management requests
• Settings on the CAS server
• Settings on the Hub Transport server
• User-specific permissions
• Setting up the client
• Best practices
Note: We're talking about servers that have SP1 installed
Architecture
Scenario
• Management requests:
– Chumnus needs a separate secure POP3 mailbox set up
– Gandalf recently got an iPhone and wants to set up secure IMAP access to it
– No other users should be able to access IMAP or POP3
CAS Settings
Hub Transport Settings
User Settings
• Access rights
– Use a PowerShell cmdlet to disallow permissions to all users
• Get-CASMailbox | Set-CASMailbox -POPEnabled $False -IMAPEnabled $False
– Use mailbox properties to give a user permission to access IMAP or POP3
• Use the GUI
• Set-CASMailbox -Identity cboviphlatian -POPEnabled $True -IMAPEnabled $True
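An added example, not the course's own code, of the deny-all-then-allow approach above, finished off with the CAS protocol settings from the best-practices slide and an audit that lists any mailbox with POP or IMAP still enabled outside the allow-list. The cboviphlatian alias is from the slides; the Gandalf alias and the MaxConnections value are assumptions.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell
# on the CAS with SP1. Default-deny POP3/IMAP4, grant explicitly, then audit.
$popUsers  = @("cboviphlatian")   # Chumnus: secure POP3 only (alias from the slides)
$imapUsers = @("gandalf")         # Gandalf: secure IMAP only (alias is an assumption)

# 1. Disable both protocols on every mailbox.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -POPEnabled $false -IMAPEnabled $false

# 2. Re-enable only the protocol each named user needs.
$popUsers  | ForEach-Object { Set-CASMailbox -Identity $_ -POPEnabled  $true }
$imapUsers | ForEach-Object { Set-CASMailbox -Identity $_ -IMAPEnabled $true }

# 3. CAS-side settings: SecureLogin refuses logins that are not protected by
#    SSL/TLS (it is the default; setting it explicitly makes drift visible).
#    MaxConnections caps IMAP concurrency; 200 is an assumed value.
Set-PopSettings  -LoginType SecureLogin
Set-ImapSettings -LoginType SecureLogin -MaxConnections 200
# The POP3 and IMAP4 services only pick up new settings after a restart.
Restart-Service MSExchangePOP3, MSExchangeIMAP4

# 4. Audit: every mailbox with POP or IMAP on, flagged if not on the allow-list.
function Get-PopImapExposure {
    param([string[]]$Allowed)
    # Resolve the allow-list to canonical identities so the comparison is exact.
    $allowedIds = $Allowed | ForEach-Object { (Get-CASMailbox -Identity $_).Identity.ToString() }
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.POPEnabled -or $_.IMAPEnabled } |
        Select-Object Name, POPEnabled, IMAPEnabled,
            @{ Name = "Approved"; Expression = { $allowedIds -contains $_.Identity.ToString() } }
}

Get-PopImapExposure -Allowed ($popUsers + $imapUsers) | Format-Table -AutoSize
```

Any row with Approved = False is a mailbox that gained POP or IMAP outside this process and should be investigated rather than silently reset.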
Client Setup
Best Practices
• Recommendations:
– Use Outlook Anywhere or OWA instead, if possible
– Always use SSL encryption
– Use the default security settings
– Use a 3rd-party cert to make things easier
– Lower the MaxConnections value for IMAP
– Disallow access to all users and provide it explicitly
– Provide screenshots to users to facilitate setup
Wrap-up
Video 16
Looking at Hub Transport
Where we're going
Hub Transport Architecture – Part 1
• How mail gets around
– New SMTP stack: MSExchangeTransport
– Sent via send connector, received via receive connector
– Hub transports route mail to other hub transports for remote mailbox servers
– Mail routing is not done with routing connectors & routing groups anymore
– Mail routing uses AD site link topologies
Hub Transport Architecture – Part 2
(Diagram: inbound mail from the Public Internet → FIREWALL → EDGE → SMTP/TLS → HUB in Site A; HUB in Site A ↔ HUB in Site B over SMTP/TLS; each HUB ↔ MBox and Outlook 2007 Client ↔ MBox over RPC on the Private Network)
Scenario
• Management Requests
– Extra email addresses for each user like clive.lewis@cashcowcapitalgroup.com
– Set maximum message size to 50 MB
– Set max number of recipients to 200
– Add a disclaimer to all outbound email
– Filter mail with "guarantee" or "promise" in it, bcc to Chumnus
– Send AOL mail out through ISP smarthost
Domains and Addresses
Transport Rules
Send Connectors
Receive Connectors
Setting Limits
Working with Queues
Wrap-up
Video 17
Meeting Compliance Requirements with Exchange 2007
Where we're going
• Management requests
• Intro to journaling
• Planning and implementing journaling
• 3rd party products
• Other compliance issues
Scenario
• Management Requests
– Archive all Broker and Executive messages
– Disallow mail between Brokers and Research except in emergencies
Journaling Intro
• What is Journaling?
– Capturing and archiving mail traffic across Hub Transports
– Mail can be journaled (archived) to several different types of locations:
• Local mailbox
• Distribution group
• External hosting service
• 3rd party archiving database
– There are two kinds: "store-level journaling" and "journaling with rules"
– Mail can be captured based on criteria like group membership or individual mailbox
– Journaling anything less than on a Global level requires Enterprise CALs
– Journaling takes advantage of Single Instance Storage (SIS) for space efficiency
Planning Journaling
3rd Party Products
• General Benefit and Architecture of 3rd Party products
– Examples: Quest's Archive Manager and GFI's Mail Archiver
– Both bring:
• Greatly enhanced searchability and discovery export features
• Reduced load on mail stores over time
• Ease of restorability
– Quest's Archive Manager:
• Requires SQL
• Web, Outlook and mobile access to archives, including offline access for Outlook
• Ties into other applications, can archive Live Communication Server
• Efficient backfill process
– GFI's Mail Archiver:
• Uses SQL or open-source database format on NTFS partition
• Simplest setup
More Compliance
Wrap-up
Video 18
Edge Transport Role
Where we're going
• Management requests
• A look at Edge Transport
• Edge setup requirements
• Installing the Edge role
• Securing the Edge server
• Best Practices
Scenario
• Management Requests
– Force all traffic to internal servers to authenticate
– Implement inbound relay for port 25 traffic
– Implement some anti-spam system
– Set up new Edge Transport server
Basic Edge – Part 1
Basic Edge – Part 2
(Diagram: inbound mail from the Public Internet → FIREWALL → EDGE in the DMZ Network → FIREWALL → HUB on the Internal Network over SMTP/TLS; HUB ↔ MBox over RPC)
Edge Facts – Part 1
• Edge Architecture
– Edge Transport servers are never domain members
– Edge Transport role cannot coexist on same server with any other role
– Edge can function without other Exchange 2007 server roles existing
– Keeps its own queuing database (ESE, same type as mailbox db)
• EdgeSync
– Edge uses information from the AD to make intelligent decisions about filtering
– Edge receives updates about AD info via a one-way communication with Hub
– Active Directory Application Mode (ADAM) component facilitates this AD data sync
– The EdgeSync service is responsible for pushing data to the Edge server
Edge Facts – Part 2
EdgeSync Process
(Diagram: Internal Network ↔ DMZ Network)
Current Network
(Diagram: Main Chicago Office – INTERNAL network behind Firewall and Router, connected to the Public Internet)
Network with Edge
(Diagram: Main Chicago Office – C3GEDGE (Exchange 2007) in the DMZ behind the Router and Firewall; TRUSTED network with C3DB (SQL), C3DC (DC, DNS) and C3MAIL07 (Exchange 2007); Public Internet)
Edge Requirements
• Install requirements
– OS: W2K3 Standard R2 or W2K3 Standard SP1 installed as a standalone
– One or two network adapters
– DNS Suffix and name resolution configuration
– ADAM
– .Net Framework and PowerShell
– Exchange 2007 media
Edge Subscription – Part 1
• Kicking off EdgeSync
– Create an EdgeSubscription file using EMS
• New-EdgeSubscription -FileName "path"
• This creates an ADAM account on the Edge server
• Clears the deck for config import from Exchange org
• Local Edge interface will be locked for Edge Transport objects
– Import the EdgeSubscription file on a Hub Transport
• EMC -> Org -> Hub -> Edge Subscriptions
• This will create the EdgeSync relationship
• This will auto-generate needed connectors between Hub and Edge
• Restart the Exchange EdgeSync service on the hub server
Edge Subscription – Part 2
• Data replication will begin
– Recipient data
– Accepted domains
– Remote domains
– Safe Senders
– Send Connector configuration
• Verify EdgeSync is working:
– do a Get-AcceptedDomain
– check Send Connectors
– Config data will sync each hour, recipient data every four hours
– To manually initiate full synchronization: Start-EdgeSynchronization
Securing the Edge
Best Practices
• Recommendations
– Create a postmaster mailbox
– Use a dual-NIC Edge server
– Consider the one-forest limitations of EdgeSync
– Use EdgeSync rather than setting up all connectors manually
Wrap-up
Video 19
Configuring Edge Anti-Spam Components
Where we're going
• Architecture
• Installing the edge anti-spam filters on the hub transport
• Connection filtering
• Sender filtering
• Recipient filtering
• SenderID filtering
• SPF records
• Content filtering
• Attachment filters
• Transport rules
• Address rewrite agent
• Safelist aggregation
• Best practices
Scenario
• Management Requests
– Set up and configure spam filters
– Block mail from a particular spammer network
– Ensure local compliance with best practices
– Copy any mail from the "eustocktradernetwork.com" domain to Chumnus
– Rewrite outbound mail addresses from orders@cashcowcapitalgroup.com to be from orders@eustocktradernetwork.com
Anti-Spam Architecture
• How the Anti-Spam filter system is designed
– Mail is processed by filters before delivery
– Filters are processed in a particular order
• Connection filter
• Address Rewrite agent
• Edge Transport Rule agent
• SenderID filter
• Recipient/Sender filter
• Content filter
• Attachment filter
• Virus scan
– The order of the filters in the GUI is the order of processing
– Some filters rely on outside verification, others on EdgeSync data
Hygiene on Hub
Connection Filtering
Sender Filtering
Recipient Filtering
SenderID Filtering
(Diagram: Sender Dolph@strangecastle.com → Foreign Mail Server mail.strangecastle.com → Edge Server → Hub/Mailbox Server)
SPF Records
Content Filtering
Attachment Filtering
Transport Rules
Address Rewrite
Safelist Aggregation – Part 1
• Using Safelists
– Safelists are created by users in Outlook
– Safelists are applied as part of the content filter
– Safelists are stored on a per-mailbox basis
– Safelists can be gathered and synced up to the Edge Transport server
– Safelists have to be updated with the Update-Safelist cmdlet
– Schedule a nightly update of all safelists
• At 22:00 /every:M,T,W,Th,F,S,Su cmd /c "C:\updatesafelists.bat"
Safelist Aggregation – Part 2
– Contents of the batch file:
– "C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe" -psconsolefile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command "get-mailbox | where {$_.RecipientType -eq [Microsoft.Exchange.Data.Directory.Recipient.RecipientType]::UserMailbox } | update-safelist"
Best Practices
• Recommendations
– Disable all filtering initially and enable filters one by one
– At least initially, choose to mark spam rather than reject/delete it
– The fewer the filters you can use, the simpler troubleshooting will be
– Use an external IP block list provider, don't roll your own
• Expect more latency when using an external list provider
• Sometimes the providers are wrong--is it worth it?
Wrap-up
• Where we've been:
– Architecture
– Filters on the hub transport
– Connection filtering
– Sender filtering
– Recipient filtering
– SenderID filtering
– SPF records
– Content filtering
– Attachment filters
– Transport rules
– Address rewrite agent
– Safelist aggregation
– Best practices
Video 20
Anti-Virus and Exchange 2007
Where we're going
• Architecture
• Supported vendors
• ForeFront overview
• Installing ForeFront
• Testing AV
• Best Practices
AntiVirus
Architecture
Vendors
Installing ForeFront
Best Practices – Part 1
• Recommendations
– Run AV on all desktops as well as on the mail gateway
– Kick off a full background scan after first installing the AV to check existing mail
– Schedule off-hours background scanning in addition to basic on-access scanning
• Set the scan to re-scan mail received during the last 48-72 hours
– For ForeFront, use the Scan on Scanner Update option to rescan with new definitions during outbreaks
Best Practices – Part 2
Wrap-up
Video 21
Configuring Backups
Where we're going
• Database/backup architecture
• Knowing what to back up
• Using NTBackup
• Volume Shadow Copy
• Local Continuous Replication
• Standby Cluster Replication
• Recommendations
Backup Essentials
What to back up
Using NTBackup
VSS
Setting up LCR
• How to configure Local Continuous Replication for data protection
– LCR creates a passive copy of the active databases
• An initial "seeding" copies the existing DB
• Transaction logs copied to the LCR directory are applied to the passive DB
– Configure LCR to create the database copy on another drive (internal or external)
– Replicating Storage Groups can only contain a single database
– Public folder stores cannot be replicated with this method
– Consider using mount points to make recovery simpler
• Moving the database files
• Setting up the NTFS volume mount points
– LCR will increase your processor overhead due to log/database activity
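The LCR setup steps above as an added shell example, not the course's own code: enable the database and storage-group copies onto a separate drive, then check the copy's health with Get-StorageGroupCopyStatus. The storage group name is the course's; the E: paths and the queue-length thresholds are assumptions.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell on
# the mailbox server. The storage group must hold exactly one database.
$sg   = "First Storage Group"
$root = "E:\LCR\First Storage Group"   # separate disk/spindles, per the slides (assumed path)

# 1. Where the passive copy of the .edb will live.
$db = Get-MailboxDatabase -StorageGroup $sg
Enable-DatabaseCopy -Identity $db.Identity -CopyEdbFilePath "$root\$($db.Name).edb"

# 2. Where the copied transaction logs and checkpoint (system) files will live.
#    Enabling the storage group copy starts seeding and log replication.
Enable-StorageGroupCopy -Identity $sg `
    -CopyLogFolderPath    "$root\Logs" `
    -CopySystemFolderPath "$root\System"
# If the copy needs to be re-seeded later: Suspend-StorageGroupCopy, then
# Update-StorageGroupCopy -Identity $sg, then Resume-StorageGroupCopy.

# 3. Health check: a copy that is not Healthy, or whose copy/replay queues keep
#    growing, is not a copy you can fail over to. Run this on a schedule.
function Test-LcrHealthy {
    param([string]$StorageGroup, [int]$MaxQueue = 10)   # 10 is an assumed threshold
    $s = Get-StorageGroupCopyStatus -Identity $StorageGroup
    $ok = ($s.SummaryCopyStatus -eq "Healthy") -and
          ($s.CopyQueueLength  -le $MaxQueue) -and
          ($s.ReplayQueueLength -le $MaxQueue)
    New-Object PSObject -Property @{
        StorageGroup = $StorageGroup
        Status       = $s.SummaryCopyStatus
        CopyQueue    = $s.CopyQueueLength     # logs not yet copied to the passive side
        ReplayQueue  = $s.ReplayQueueLength   # logs copied but not yet applied
        OK           = $ok
    }
}

Test-LcrHealthy -StorageGroup $sg | Format-List
```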
SCR Basics
Best Practices
• Recommendations
– Set up LCR for cheap additional protection, but use a separate disk or set of disks
– Do "Exchange-aware" backups!
– Protect your logs
– Don't spurn NTBackup
– Don't forget system state backups
– Look at a VSS-aware backup application if budget allows
– Test your backups by doing practice recoveries
– Don't back up your databases on the file level at all, unless offline or with VSS
– Take daily backups unless you have LCR set up, in which case you can do them weekly
Wrap-up
Video 22
Disaster Recovery
Where we're going
Scenario
Recovering Deletions
Recovering a mailbox
Recovering a Corrupt Store – Part 1
• Recovering the store
– Two options for recovery
• LCR/SCR copy of the database
• Restore database from an Exchange-aware backup
– LCR Recovery
• Take corrupted store offline if needed
• Run Restore-StorageGroupCopy -Identity "First Storage Group"
– Swap mount points to make the LCR copy the live one
– Or use the -ReplaceLocations parameter
• Mount the database copy
Recovering a Corrupt Store – Part 2
– Recovery from backup to original server
• Dismount the target database
• Set the database for overwriting
• Select the Exchange-aware restore and run it
Database Portability
Recovering a server – Part 1
Recovering a server – Part 2
Best Practices
• Recommendations
– Document your configuration completely for disaster recovery purposes
– Use the Database Troubleshooter tool if you have databases which fail to mount
– Learn to use ESEUTIL to do VERY occasional offline defrags and repairs
• It's found in the Exchange Server\Bin directory
• Many of the ESEUTIL operations are integrated into the Recovery
Tool wizards
– Delete RSG files when you are done with them
– DO PROPER BACKUPS!
Wrap-up
Video 23
Transport Layer Security
Where we're going
• Management Requests
• TLS Architecture
• Setting up TLS
• Recommendations
Scenario
• Management Request
– A partner company, EUStockTradersNetwork.com, needs to encrypt all email between our network and theirs
TLS Architecture
TLS Types – Part 1
TLS Types – Part 2
– Mutual TLS
• Requires setup
• Both servers authenticate each other's certs
• MTLS is the foundation of "Domain Security"
– Direct Trust
• What EdgeSync sets up to allow TLS between Hub and Edge
• Certs are stored in AD and ADAM
• Also used to encrypt inter-org Exchange org traffic
Implementing TLS
Best Practices
• Recommendations
– Turn on protocol logging for aid in troubleshooting:
• Set-ReceiveConnector Inet -ProtocolLoggingLevel Verbose
• Set-SendConnector Inet -ProtocolLoggingLevel Verbose
– Use 3rd-party certs, not the default self-signed cert
– Check EHLO feedback to verify TLS is active
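An added probe, not part of the course, that combines the manual telnet test from the Going Live lesson with the "check EHLO feedback" recommendation above: it reads the banner, sends EHLO, reports whether STARTTLS is advertised, and quits without submitting a message. The server name is the scenario's; the port, HELO name and timeout are assumptions.

```powershell
# Added example (not from the course). Works from any Windows PowerShell host
# with TCP access to the receive connector; it only speaks EHLO/QUIT.
function Test-SmtpStartTls {
    param(
        [string]$Server   = "cowmail.cashcowcapitalgroup.com",
        [int]$Port        = 25,                        # assumed: the inbound connector port
        [string]$HeloName = "probe.trainsignal.com",   # assumed: name we announce in EHLO
        [int]$TimeoutMs   = 10000
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.ReceiveTimeout = $TimeoutMs
    $tcp.Connect($Server, $Port)
    $stream = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"          # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # One SMTP reply may span several lines: "250-..." continues, "250 ..." ends it.
    function Read-Reply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            $lines += $line
        } while ($line -match '^\d{3}-')
        return $lines
    }

    try {
        $banner = Read-Reply                  # e.g. "220 cowmail... Microsoft ESMTP MAIL Service ready"
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = Read-Reply                    # capability list; STARTTLS is what we are after
        $writer.WriteLine("QUIT")
        $reader.ReadLine() | Out-Null
    } finally {
        $tcp.Close()
    }

    # A receive connector with TLS enabled and a usable cert advertises "250-STARTTLS";
    # its absence is the first thing to check when Domain Security or MTLS fails.
    New-Object PSObject -Property @{
        Server       = $Server
        Port         = $Port
        Banner       = $banner[0]
        EhloAccepted = ($ehlo[-1] -match '^250 ')
        StartTls     = [bool]($ehlo -match '^250[- ]STARTTLS')
        Capabilities = @($ehlo | ForEach-Object { $_.Substring(4) })
    }
}

Test-SmtpStartTls | Format-List
```

Run it against the Inet connector from outside the firewall as well as from inside; the two capability lists should match what the connectors' verbose protocol logs show.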
Wrap-up
Video 24
Advanced Mailbox Topics
Where we're going
• Management requests
• Delegating mailboxes
• Linked mailbox architecture
• Using linked mailboxes
• Managed folder architecture
• Setting up managed folder policies
• Recommendations
Scenario
• Management Requests:
– Give Clive full access to Henry's mailbox
– Allow server to host mailboxes for users from a trusted domain
– Auto-delete mail that's been in deleted items more than seven days
– Create a special folder for payment information that is deleted after 45 days
Delegation
Linked Mailboxes
Managed Folders – Part 1
Managed Folders – Part 2
Folder Policies
Best Practices
• Recommendations:
– Let the work processes drive the managed folder policy, not vice versa
– Let the law dictate your message/document retention policy
Wrap-up
Video 25
Exchange 2007 Tools
Where we're going
• Management Requests
• Mail Flow TroubleShooter
• Message Tracking Center
• Best Practices Analyzer
• Performance Monitor
• ESEUTIL
Scenario
• Management Requests
– Defrag mail database after downsizing
– Troubleshoot messages that were delayed
– Find out who Dave Shackelford emailed this month
– See if there are any easily discoverable misconfigurations with our org
– Figure out why Outlook is timing out and giving RPC errors to some users
Mail Flow
Message Tracking
ExBPA
Perf Monitor
• Using PerfMon
– Same as general Windows PerfMon, with some Exchange counters displayed
– Use Ctrl+H to highlight a particular counter on the graph
– Used in conjunction with troubleshooting performance problems
• Using the Performance Troubleshooter
– Uses the Exchange Troubleshooting Assistant engine
– Uses a counter gathering session to follow-up on complaints
– Uses performance figures to suggest solutions to RPC issues
ESEUTIL – Part 1
ESEUTIL – Part 2
Other Resources
Wrap-up
Video 26
Integrating SharePoint
Where we're going
• Management requests
• Enabling SharePoint as a mail destination
• Migrating content from public folders
• Accessing SharePoint via OWA and Outlook
• Best Practices
Scenario
• Management Requests:
– Integrate 3CGSHAREPOINT server into network as a mail destination
– Allow inbound mail from researchers to be collected in a SharePoint library
– Add SharePoint library contacts to Exchange
– Move data from Public Folders to SharePoint document libraries
– Manage SharePoint document libraries in Outlook 2007
– Access SharePoint data from OWA
Adding Mail to SharePoint
Migrating Content
Folder Access
Best Practices
• Recommendations
– Don't learn in production, build a test system
– Work with someone knowledgeable in SharePoint
– Be meticulous about documenting permissions used
– Don't expect perfection - metadata transfer not always seamless
Wrap-up