OFFICIAL MICROSOFT LEARNING PRODUCT 10135A Configuring, Managing, and Troubleshooting Microsoft® Exchange Server 2010 Companion Content


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 10135A

Released: 01/2010


Module 1 Deploying Microsoft® Exchange Server 2010

Contents:

Lesson 1: Overview of Exchange Server 2010 Requirements

Lesson 2: Installing Exchange Server 2010 Server Roles

Lesson 3: Completing an Exchange Server 2010 Installation

Module Reviews and Takeaways

Lab Review Questions and Answers


Lesson 1

Overview of Exchange Server 2010 Requirements

Contents:

Question and Answers

Additional Reading

Detailed Demo Steps


Question and Answers

Discussion: Reviewing Active Directory Components

Question: What is the definition of a domain?

Answer: An Active Directory domain is a collection of computers that the administrator of a Windows network defines. These computers share a common directory database, security policies, and security relationships with other domains. An Active Directory domain provides access to the centralized user and group accounts that the domain administrator maintains. You can organize computer and user accounts within an Active Directory domain into a hierarchy based on organizational units (OUs). An Active Directory domain is a replication and administrative boundary.

Question: What is the definition of a forest?

Answer: A forest is a set of one or more trees that share common configuration and schema information. A tree is a set of domains that share the same DNS namespace. When multiple domains exist in a forest, there is an automatic trust relationship between the domains, which enables users in one domain to access resources in another tree. There can be only one Exchange Server organization per forest. An Active Directory forest is a security boundary. By default, no security accounts outside of a forest have any access in the forest.

Question: Under what circumstances would an organization deploy multiple domains in the same forest?

Answer: Some organizations deploy multiple domains to provide an administrative boundary. They want to be able to have one group of administrators with full control of part of the organization. Other organizations deploy additional domains to isolate replication traffic. In very large organizations, you can minimize the amount of replication traffic that is sent across a slow wide area network (WAN) link by deploying separate domains.

Question: Under what circumstances might an organization deploy multiple forests?

Answer: The primary reason to deploy multiple forests is to ensure that there is a complete security boundary between different parts of the organization’s IT infrastructure. This could happen if an organization has multiple departments or business units that require isolation, or in the event of two organizations merging.

Question: What are trusts?

Answer: Trusts enable users from a trusted domain to authenticate in another trusting domain. In a forest, all domains have trusts (either direct trusts, or transitive trusts) with all other domains in the forest.

Question: What type of information do domains in a forest share?

Answer: All domains in a forest share the same Active Directory configuration information, Active Directory schema information, and a common global catalog.

Question: What is the functionality of a domain controller?


Answer: A domain controller holds a copy of the local domain database, which includes user and computer accounts, and it is responsible for authenticating users and computers. A domain controller has directory information only for the domain of which it is a member. Additionally, domain controllers respond to queries for information in Active Directory.

Question: What is a global catalog server?

Answer: A global catalog server is a domain controller that also holds a subset of information from other domains in the forest. For example, a global catalog server has limited information about all users in a forest. By default, the first domain controller deployed in a forest is a global catalog server, but you also can configure other domain controllers as global catalog servers. You use global catalog servers for authentication, global address list (GAL) lookups, and universal group membership lookups.

Question: What is the definition of an Active Directory site?

Answer: The definition of an Active Directory site is one or more IP subnets. Typically, all of the IP subnets in a given physical location are part of the same site. Active Directory sites typically do not encompass more than one physical location. All of the computers within a single site must have a fast network connection, typically 10 megabytes per second (Mbps) or more between them. The Active Directory site configuration should be a logical representation of the physical network deployment.

Question: What is Active Directory replication?

Answer: Active Directory replicates domain information between domain controllers in the same domain and to the forest’s global catalog servers. It also replicates configuration data and the schema between all domain controllers in the same forest.

Question: How do Active Directory sites affect replication?

Answer: Within an Active Directory site, change replication starts within a few seconds of a change occurring on one domain controller. If an Active Directory site contains more than one domain controller, each domain controller also has at least two replication partners. Between Active Directory sites, you can schedule replication. However, by default, it happens every three hours. Additionally, all replication traffic between sites is sent through a bridgehead server that is located in each site.

Demonstration: Integration of Active Directory and Exchange Server 2010

Question: How do you assign permissions in your Exchange organization? How will you assign permissions using the Exchange security groups?

Answer: Answers will vary. Most small organizations might just have one set of administrators who will have full control of the Exchange organization. They can address the permission requirements by adding the group to the Organization Management group. Organizations with more complex security requirements might need to use the other groups, or use custom RBAC management roles.

Question: Which Active Directory partition would you expect to contain the following information?

Answer:

• User’s e-mail address: Domain partition or global catalog


• Exchange connector for sending e-mail to the Internet: Configuration partition

• Exchange Server configuration: The configuration partition contains the Exchange Server-specific configuration information, but the Exchange Server computer object is also located in the domain partition.


Additional Reading

Reviewing Active Directory Partitions

• Active Directory Logical Structure and Data Storage

How Exchange Server 2010 Uses Active Directory

• Planning Active Directory

• Guidance on Active Directory design for Exchange Server 2007


Detailed Demo Steps

Demonstration: Integration of Active Directory and Exchange Server 2010

Detailed demonstration steps

Demonstration steps

1. On a domain controller, open Active Directory Users and Computers.

2. In the Active Directory domain, expand the Microsoft Exchange Security Groups organizational unit.

3. Review the description and membership of the following Active Directory groups:

• Organization Management

• Recipient Management

• View-Only Organization Management

• Discovery Management

4. Open ADSI Edit, and connect to the domain partition. Review the information in the domain partition.

5. Connect to the configuration partition. Review the information in the configuration partition, and in the CN=Services, CN=Microsoft Exchange, CN=Exchangeorganizationname container.

6. Connect to the schema partition. Review the information in the schema partition, and point out the attributes and class objects that begin with ms-Exch.

Demonstration steps

1. On VAN-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. If necessary, expand Adatum.com, and then click the Microsoft Exchange Security Groups organizational unit.

3. Double-click Organization Management, and then click the Members tab. The only default member of this group is the user that installed the first computer running Exchange Server. Members of this group have the necessary permissions to manage any aspect of the Exchange Server organization.

4. Click Cancel.

5. Double-click Recipient Management, and then click the Members tab. Verify that there are no group members. Members of this group are assigned full control permissions to manage the Exchange Server properties of user objects in Active Directory.

6. Click Cancel.

7. Double-click the View-Only Organization Management group, and then click the Members tab. The members of this group are assigned read permissions to the Exchange Server container in the Active Directory configuration partition, and read permission to all domains that have Exchange Server recipients.

8. Click Cancel.


9. Double-click the Discovery Management group, and then click the Members tab. The members of this group have permission to search all mailboxes in the organization for messages or content that meets specific criteria.

10. Click Cancel. Close Active Directory Users and Computers.

11. Click Start, and in the Search box, type adsiedit.msc, and then press ENTER. By default, when you open Active Directory Service Interfaces (ADSI) Edit in Windows Server 2008 R2, it does not display any partitions.

12. Right-click ADSI Edit, and click Connect to.

13. In the Connection Settings dialog box, click OK. This connects ADSI Edit to the domain partition.

14. In the left pane, expand Default naming context [VAN-DC1.Adatum.com], and then click DC=Adatum,DC=com. The domain partition holds user accounts, computer accounts, and other domain specific configuration information. Objects with names that start with an OU are organizational units. Objects with names that start with CN are containers or other objects, such as users. You can verify the object type by looking at the Class column.

15. In the right pane, double-click CN=Users. Notice that in the Users container, there are users and groups.

16. Double-click OU=ITAdmins. Right-click CN=Andreas Herbinger, and then click Properties. This shows the attributes and values that are part of the Andreas Herbinger user object.

17. Click Cancel.

18. Right-click ADSI Edit, and click Connect to.

19. In the Connection Settings dialog box, in the Connection Point section, in the Select a well known Naming Context list, click Configuration, and then click OK. This connects ADSI Edit to the configuration partition.

20. In the left pane, expand Configuration [VAN-DC1.ADatum.com], and then click CN=Configuration,DC=Adatum,DC=com. This displays the containers in the configuration partition of Active Directory. The containers contain configuration data used by Active Directory, applications, and services.

21. Double-click CN=Partitions. This container holds a list of the Active Directory partitions.

22. In the left pane, click CN=Sites. This container holds sites and their related configuration objects.

23. Expand CN=Services, expand CN=Microsoft Exchange, and then click CN=AdatumOrg. In the right pane, you can see the containers that hold the various configuration information for Exchange Server.

24. Double-click CN=Address Lists Container. This container stores configuration information for all address lists.

25. In the left pane, click CN=Client Access. This container holds configuration information for the Autodiscover process.

26. In the left pane, expand CN=Administrative Groups, expand CN=Exchange Administrative Group (FYDIBOHF23SPDLT), expand CN=Servers. This container holds the Exchange Server objects.

27. Right-click ADSI Edit, and click Connect to.


28. In the Connection Settings dialog box, in the Connection Point section, in the Select a well known Naming Context list, click Schema, and then click OK. This connects ADSI Edit to the schema partition.

29. In the left pane, expand Schema [VAN-DC1.ADatum.com], and then click CN=Schema,CN=Configuration,DC=Adatum,DC=com. The schema container holds a list of classes and attributes that define the objects in Active Directory.

30. In the right pane, click CN=ms-Exch-2003-Url, and then scroll down. Notice that many Exchange-specific attributes and classes have been added to the Active Directory schema.

31. Close ADSI Edit.
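
The same review can be scripted, which makes the membership of these privileged groups easy to re-check after installation. The following PowerShell is an added example, not part of the original courseware; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and read access to the directory, and the function name and the $ExpectedMembers baseline are hypothetical values you would replace with your own.

```powershell
# Added example (not from the courseware). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Resolve the three partitions from the directory instead of hard-coding DC=Adatum,DC=com.
$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext        # domain partition
$configNC = $rootDse.configurationNamingContext  # configuration partition
$schemaNC = $rootDse.schemaNamingContext         # schema partition

# Hypothetical baseline of expected sAMAccountName values per group.
# The demonstration states that Organization Management initially holds only the
# installing account and that Recipient Management is empty; the other two
# entries are assumptions to adjust for your organization.
$ExpectedMembers = @{
    'Organization Management'           = @('Administrator')  # assumption: installing account
    'Recipient Management'              = @()
    'View-Only Organization Management' = @()                 # assumption
    'Discovery Management'              = @()                 # assumption
}

function Get-ExchangeGroupReview {
    param([string]$DomainNC, [hashtable]$Baseline)

    $ou = "OU=Microsoft Exchange Security Groups,$DomainNC"
    foreach ($name in $Baseline.Keys) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $ou -Properties Description
        if (-not $group) {
            Write-Warning "Group '$name' not found under $ou"
            continue
        }
        # -Recursive expands nested groups so indirect members are not missed.
        $members = @(Get-ADGroupMember -Identity $group -Recursive |
                     ForEach-Object { $_.SamAccountName })
        # Anything not in the baseline is reported for follow-up.
        $unexpected = @($members | Where-Object { $Baseline[$name] -notcontains $_ })

        New-Object PSObject -Property @{
            Group       = $name
            Description = $group.Description
            Members     = ($members -join ', ')
            Unexpected  = ($unexpected -join ', ')
        } | Select-Object Group, Description, Members, Unexpected
    }
}

# Steps 1-10: description and membership of the four Exchange security groups.
Get-ExchangeGroupReview -DomainNC $domainNC -Baseline $ExpectedMembers |
    Format-List | Out-String

# Steps 18-26: objects directly under CN=Microsoft Exchange in the configuration partition.
Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
             -SearchScope OneLevel -Filter * |
    Select-Object Name, ObjectClass | Format-Table -AutoSize | Out-String

# Steps 27-30: count the schema classes and attributes whose names begin with ms-Exch.
Get-ADObject -SearchBase $schemaNC -Filter "Name -like 'ms-Exch*'" |
    Group-Object ObjectClass |
    Select-Object Name, Count | Format-Table -AutoSize | Out-String
```

A non-empty Unexpected column for Organization Management or Discovery Management deserves the first look, because those groups carry full organization control and organization-wide mailbox search respectively.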


Lesson 2

Installing Exchange Server 2010 Server Roles

Contents:

Additional Reading


Additional Reading

Deployment Options for Exchange Server 2010

• Topologies: Overview

Options for Integrating Exchange Server 2010 and Exchange Online Services

• Business Productivity Online

• Migrate to Microsoft Online Services

Considerations for Deploying Exchange Server 2010 as a Virtual Machine

• Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments

• Windows Server Virtualization Validation Program


Lesson 3

Completing an Exchange Server 2010 Installation

Contents:

Detailed Demo Steps


Detailed Demo Steps

Verifying an Exchange Server 2010 Installation

Detailed demonstration steps

Demonstration steps

1. On VAN-EX1, open the Services management console, and review the Microsoft Exchange services that were added during the installation.

2. Open Windows Explorer, and browse to C:\ExchangeSetupLogs.

3. Review the contents of the ExchangeSetup.log file.

4. Describe some of the other files in this folder:

5. Browse to C:\Program Files\Microsoft\Exchange Server\V14. Describe the contents of the folders in this location.

6. Open the Exchange Management Console.

7. Under Server Configuration, verify that the server that you installed is listed.

8. Click Toolbox and review the installed tools.

9. In the left pane, click Recipient Configuration. Create a new mailbox.

10. Open Internet Explorer®, and connect to the Outlook Web App site on a Client Access server. Log on using the credentials for the new mailbox that you created.

11. Send an e-mail to the mailbox that you created. Verify the message’s delivery.

Demonstration steps

Important: When you start the virtual machines, ensure that you start 10135A-VAN-DC1 first, and that it starts fully before you start other virtual machines. If you receive a notification that one or more services failed to start when starting a virtual machine, open the Services console on the virtual machine, and ensure that all Microsoft Exchange services that are configured to start automatically are running.

1. On VAN-EX1, click Start, point to Administrative Tools, and then click Services.

2. Scroll down to the Microsoft Exchange services, and expand the name column, so that you can read the service names. These are all of the services that Exchange Server installs. The services that Exchange Server installs vary depending on the Exchange Server roles that are installed on the server.

3. Close Services.

4. Click Start, right-click Computer, and then click Open.

5. Browse to C:\ExchangeSetupLogs.

6. Double-click ExchangeSetup.log to open it. This log file contains information about the status of prerequisite and system-readiness checks that Exchange Server performs before the installation begins. This log also contains information about every task that occurs during the Exchange Server setup, and is the most complete log available for troubleshooting installation errors.

7. Close Notepad.

8. Describe some of the other files in this folder:

• ExchangeSetup.msilog. This file contains information about the extraction of the Exchange Server 2010 code from the installer file.

• Install-AdminToolsRole-[date and time].ps1. Setup generates this file, which contains the steps that Exchange Server uses to install the Exchange administration tools.

• Install-BridgeheadRole-[date and time].ps1. Setup generates this file, which contains the steps that Exchange Server uses to install the Hub Transport server role.

• Install-ClientAccessRole-[date and time].ps1. Setup generates this file, which contains the steps that Exchange Server uses to install the Client Access server role.

• Install-ExchangeOrganization-[date and time].ps1. Setup generates this file, which contains the steps that Exchange Server uses to create the Exchange Server organization.

• Install-MailboxRole-[date and time].ps1. Setup generates this file, which contains the steps that Exchange Server uses to install the Mailbox server role.

• InstallSearch.msilog. This file contains information about the extraction of the Search service that Exchange Server uses.

Note: Other .msilog or .ps1 files may exist in this folder, depending on which roles are installed on this server.

9. Browse to C:\Program Files\Microsoft\Exchange Server\V14. Describe the contents of the folders:

• Bin. Applications and extensions that you can use to manage Exchange Server.

• ClientAccess. Configuration files for the Client Access server role.

• ExchangeOAB. Contains the Exchange Offline Address book files that Exchange Web Services makes available.

• GroupMetrics. Contains information about distribution groups and distribution-group membership that MailTips uses.

• Logging. Various log files.

• Mailbox. Schema files, .dll files, database files, and database log files for the mailbox databases and public folder databases.

• Public. Several .dll and .xml files.

• RemoteScripts. Contains a single script used only by the Exchange Management Console.

• Scripts. Exchange Management Shell scripts that you can use to retrieve anti-spam statistics and perform other tasks.


• Setup. Extensible Markup Language (XML) configuration files and data.

• TransportRoles. Folders and files that the Hub Transport Server role uses.

• Working. Contains an empty folder.

10. Close Windows Explorer.

11. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. Click OK to acknowledge that the servers are not licensed.

12. In the left pane, expand Microsoft Exchange On-Premises, and then click Server Configuration. The server you just installed should always appear here, as should the list of roles you installed.

13. In the left pane, click Toolbox. The Toolbox node includes tools that you can use to troubleshoot and repair Exchange Server. During installation, the only relevant tool is the Microsoft Exchange Server Best Practices Analyzer Tool.

14. In the left pane, click Recipient Configuration. This shows all of the users and groups that are mailbox users or mail-enabled.

15. Right-click Recipient Configuration, and then click New Mailbox.

16. Accept the default setting of User Mailbox, and then click Next.

17. Accept the default setting of New user, and then click Next.

18. In the First name box, type TestUser.

19. In the User logon name (User Principal Name) box, type TestUser.

20. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.

21. On the Mailbox Settings page, type TestUser as the Alias, and click Next to accept the default mailbox settings.

22. On the Archive Settings page, click Next.

23. Click New to create the new mailbox.

24. Click Finish.

25. Close the Exchange Management Console.

26. Click Start, point to All Programs, and then click Internet Explorer.

27. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER.

28. In the Domain\User name box, type Adatum\TestUser.

29. In the Password box, type Pa$$w0rd, and then click Sign in.

30. Click OK to accept the default configuration for Outlook Web App.

31. Create a new message and send it to TestUser:

• Click New in the toolbar.

• In the To box, type TestUser.

• In the Subject box, type Test Message.

• Click Send.


32. Verify the message was received by clicking Check Messages in the toolbar.

33. Close Internet Explorer.
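
The service and setup-log checks from this demonstration can be scripted so that they are repeatable after each role installation. This PowerShell is an added example, not part of the original courseware; the function names are hypothetical, the [ERROR] marker searched for in ExchangeSetup.log is an assumption about the log's line format, and the final section runs only inside the Exchange Management Shell.

```powershell
# Added example (not from the courseware). Run on the Exchange server itself.

function Get-StoppedExchangeService {
    # Microsoft Exchange services configured to start automatically that are not
    # running: the condition the demonstration tells you to correct after boot.
    Get-WmiObject -Class Win32_Service -Filter "DisplayName LIKE 'Microsoft Exchange%'" |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object Name, DisplayName, StartMode, State
}

function Get-InstalledRoleScript {
    param([string]$LogFolder = 'C:\ExchangeSetupLogs')
    # Setup writes one Install-<Role>-[date and time].ps1 file per role,
    # so the file names show which roles setup processed on this server.
    Get-ChildItem -Path $LogFolder -Filter 'Install-*.ps1' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime |
        Select-Object Name, LastWriteTime
}

function Get-SetupLogFinding {
    param([string]$LogFolder = 'C:\ExchangeSetupLogs')

    $log = Join-Path $LogFolder 'ExchangeSetup.log'
    if (-not (Test-Path $log)) {
        Write-Warning "$log not found; setup may not have run on this server."
        return
    }
    # Assumption: failed tasks are tagged with the literal text [ERROR].
    # -SimpleMatch stops the brackets being read as a regex character class.
    Select-String -Path $log -Pattern '[ERROR]' -SimpleMatch |
        Select-Object LineNumber, Line
}

# Steps 1-3: services.
$stopped = @(Get-StoppedExchangeService)
if ($stopped.Count -gt 0) {
    $stopped | Format-Table -AutoSize | Out-String
} else {
    'All automatic Microsoft Exchange services are running.'
}

# Steps 4-8: setup logs and per-role scripts.
Get-InstalledRoleScript | Format-Table -AutoSize | Out-String
$findings = @(Get-SetupLogFinding)
'{0} line(s) containing [ERROR] in ExchangeSetup.log' -f $findings.Count
$findings | Select-Object -First 20 | Format-List | Out-String

# Steps 11-12, Exchange Management Shell only: confirm that the server and its
# roles are registered and that each role's required services are running.
if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
    Get-ExchangeServer |
        Select-Object Name, ServerRole, AdminDisplayVersion |
        Format-Table -AutoSize | Out-String
    Test-ServiceHealth |
        Select-Object Role, RequiredServicesRunning, ServicesNotRunning |
        Format-List | Out-String
}
```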

Demonstration: Verifying an Exchange Server 2010 Installation

Detailed demonstration steps

Demonstration steps

1. On VAN-EX1, open Exchange Management Console, and click Toolbox.

2. Start the Best Practices Analyzer, and clear the options to check for updates and to join the customer improvement program. Go to the Welcome page.

3. Start a new scan. Choose to perform a Health Check scan to scan the server that you just installed.

4. When the scan finishes, view the following tabs and reports:

• Critical Issues

• All Issues

• Recent Changes

• Informational Items

• Tree reports

• Other reports

Demonstration steps

Demonstrate how the Exchange Server Best Practices Analyzer works by using the following steps.

1. On VAN-EX1, click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the left pane, click Toolbox.

3. In the middle pane, double-click Best Practices Analyzer.

4. Click Do not check for updates on startup. As a best practice, check for updates on startup to ensure that you have the latest best practices information from Microsoft. However, our virtual machines are limited to local network connectivity.

5. Click I don’t want to join the program at this time. As a best practice, join the customer improvement program so that Microsoft can get anonymous feedback about how you use Exchange Server. This allows Microsoft to make future improvements that more accurately reflect the needs of their customers. However, our virtual machines are limited to local network connectivity.

6. Click Go to Welcome Screen. Notice that this tool can scan a single server or the whole organization.

7. Click Select options for a new scan.

8. If necessary, in the Active Directory Server box, type VAN-DC1, and then click Connect to the Active Directory server. The Exchange Server Best Practices Analyzer uses this server for read-only access to Active Directory. By default, it authenticates as the user who is logged on.


9. In the Enter an identifying label for this scan box, type VAN-EX1 Scan.

10. In the Specify the scope for this scan box, clear the check box for VAN-EX2 and VAN-EX3.

11. If necessary, select Health Check. The Exchange Server Best Practices Analyzer can perform four types of scans:

• Health Check. This test checks for errors, warnings, nondefault configurations, recent changes, and other configuration information. This scan checks the health of your Exchange Server organization, and you can use it for troubleshooting. When you select the Performance check option, a sampling of performance data is taken over a two-hour period.

• Permission Check. This test verifies that permissions are properly configured on the selected servers.

• Connectivity Check. This test verifies that network connectivity is available to the selected servers.

• Baseline. This scan allows you to select specific properties, configure baseline values for those properties, and then scan for servers to find deviations from the baseline values.

12. Select Fast LAN (100 mbps or more) as the network speed. This setting does not have any influence on test performance. The estimated scan time is generated based on the network speed selected.

13. Click Start scanning. You also can schedule scans for specific times. This scan gathers performance data or performs a weekly health check. However, to perform a scheduled scan, you must configure credentials under which the scan runs. The credentials are configured in the Connect to Active Directory screen in the advanced logon options. Running this scan will take approximately two minutes.

14. After the scan is complete, click View a report of this Best Practices scan. The first tab displayed is the Critical Issues tab. This tab highlights issues that you should consider addressing immediately.

15. Click the All Issues tab. This tab shows any issues that may be a concern.

16. Click the Informational Items tab. This tab displays configuration information about your Exchange Server organization.

17. Click Tree Reports. This view shows all of the configuration information that the Exchange Server Best Practices Analyzer collects.

18. Click Other Reports. The Run-Time Log displays information generated during the collection and analysis of data by the Exchange Server Best Practices Analyzer.

19. Close the Exchange Server Best Practices Analyzer.

20. Close the Exchange Management Console.


Module Reviews and Takeaways

Review questions

1. The installation of Exchange Server 2010 fails. What information sources can you use to troubleshoot the issue?

Answer: The two most important sources of information are the setup logs and the error message that displays when the installation fails. In most cases, these sources of information should indicate clearly why the installation fails. A third option is to review the server-event logs.

2. What factors should you consider while purchasing new servers for your Exchange Server 2010 deployment?

Answer: The most important consideration is that you can install Exchange Server 2010 only on 64-bit hardware, which means that you must buy this type of hardware. Additional considerations include capacity planning and redundancy requirements.

3. How would the deployment of additional Exchange Server 2010 servers vary from the deployment of the first server?

Answer: When you deploy the second server, you do not need to be concerned with the Active Directory prerequisites, as these will already have been configured for the first server installation. Additionally, you are more likely to install specific server roles if you deploy multiple servers.

Common issues related to installing Exchange Server 2010

Identify the causes for the following common issues related to installing Exchange Server 2010 and explain the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: You start the Exchange installation and get an error message stating that you do not have sufficient permissions.

Troubleshooting tip:

• Verify that you are logged on to the domain.

• Verify the account has sufficient permissions.

Issue: You start the Exchange installation and the prerequisite check fails.

Troubleshooting tip:

• Verify that the server meets the software requirements.

Issue: You run setup with the /PrepareAD parameter and receive an error message.

Troubleshooting tip:

• Ensure that you are running setup in the same Active Directory site as the schema master domain controller.

Real-world issues and scenarios

1. An organization has a main office and multiple smaller branch offices. What criteria would you use to decide whether to install an Exchange server in a branch office? What additional factors should you consider if you decide to deploy an Exchange server in the branch office?

Answer: The most important criteria are the number of users in the branch office, and the bandwidth between the branch office and main office. If the number of users is low, and there is enough available bandwidth for the users to have a positive experience with e-mail, you might choose not to deploy Exchange servers in the office. If the branch office has a large number of users, or if the client connections to Exchange servers in the main office are slow, you may choose to put an Exchange server in the office. If you put an Exchange Server 2010 server in a branch office, you must ensure that you deploy a Mailbox server, Client Access server, and Hub Transport server, and that you deploy a global catalog server in the office.

2. An organization has deployed Active Directory directory services within two different forests. What issues will this organization experience when they deploy Exchange Server 2010?

Answer: Organizations with multiple forests need to decide whether to deploy two Exchange organizations, or a single Exchange organization, and enable user accounts from one forest to access mailboxes in the other forest. If the organization deploys multiple forests, they will need to plan for the replication of information such as free/busy information between the forests.

3. An organization is planning to deploy Exchange Server 2010 servers as virtual machines running on Hyper-V in Windows Server 2008 R2. What factors should the organization consider in their planning?

Answer: Firstly, the organization cannot deploy Unified Messaging servers on virtual machines. Secondly, the organization should consider whether to use Hyper-V to provide high availability for the Exchange servers, or to use the built-in Exchange high availability options. For Mailbox servers, we strongly recommend that you use DAGs. For other Exchange server roles, it is more feasible to use the Hyper-V failover component.

Best practices for deploying Exchange Server 2010

Supplement or modify the following best practices for your own work situations:

• Plan the hardware specifications for your Exchange Server 2010 servers to allow for growth. In most organizations, the amount of e-mail traffic and the size of the user mailboxes are growing rapidly.

• Consider deploying at least two Exchange Server 2010 servers. With two servers, you can provide complete redundancy for the core Exchange server roles.

• When deploying multiple Exchange servers with dedicated server roles for each server, deploy the server roles in the following order:

a. Client Access server

b. Hub Transport server

c. Mailbox server

d. Unified Messaging server

You can deploy the Edge Transport server at any time, but it does not integrate automatically with your organization until you deploy a Hub Transport server.

Lab Review Questions and Answers

Question: What issues did you identify in the Exchange Server deployment by using the Exchange Best Practices Analyzer?

Question: How will you use the Exchange Best Practices Analyzer in your organization?

Answers to this question will vary. Some organizations use the Exchange Server Best Practices Analyzer only once, after the initial deployment. Other organizations regularly run the tool. Recommend to the students that they should run the tool regularly, and especially when they are troubleshooting an issue with the Exchange deployment.

Module 2 Configuring Mailbox Servers

Contents:

Lesson 1: Overview of Exchange Server 2010 Administrative Tools

Lesson 2: Configuring Mailbox Server Roles

Lesson 3: Configuring Public Folders

Module Reviews and Takeaways

Lab Review Questions and Answers

Lesson 1

Overview of Exchange Server 2010 Administrative Tools

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

Demonstration: What Is the Exchange Management Console?

Question: Does the Exchange Management Console organization seem logical to you? Why?

Answer: Depending on student experience, answers will vary. However, students should see that the management structure correlates to the server roles.

Question: Does the Exchange Management Console have the same functionality as it did in previous Exchange Server versions? What is different about this version?

Answer: In Exchange Server 2010, you use the Exchange Management Console to configure computers running Exchange Server. Exchange Server organizes all configuration options in the Exchange Management Console logically, into role-based settings.

In versions before Exchange Server 2007, users could configure Exchange Server with the Exchange System Manager. In Exchange System Manager, all options are available in the properties dialog box of the server or the organization. Therefore, the Exchange System Manager is not role-oriented.

Detailed Demo Steps

Demonstration: What Is the Exchange Management Console?

Detailed demonstration steps

Demonstration steps

1. Open the Exchange Management Console.

2. Note the console’s layout: Console Tree on the left, Content pane in the middle, and Actions pane on the right.

3. Notice that the Console Tree has four nodes: Organization Configuration, Server Configuration, Recipient Configuration, and Toolbox.

4. Expand each Console Tree section to view the available nodes.

5. In the Console Tree, expand Organization Configuration, click Mailbox, and then view the information available in the Content pane.

6. In the Console Tree, expand Server Configuration, click Mailbox, and then view the information in the Content pane.

7. In the Console Tree, expand Recipient Configuration, click Mailbox, and then view the information in the Content pane.

Demonstration steps

1. On VAN-EX1, click Start, click All Programs, click Exchange Server 2010, and then click Exchange Management Console.

2. Expand Microsoft Exchange On-Premises. Describe the console’s layout: The Console Tree on the left, the Content pane in the middle, and the Actions pane on the right.

3. Point out that the Console Tree has four nodes: Organization Configuration, Server Configuration, Recipient Configuration, and Toolbox.

4. Expand each of the nodes to view the available information.

5. In the Console Tree, expand Organization Configuration, click Mailbox, and then view the available information in the Content pane.

6. In the Console Tree, expand Server Configuration, click Mailbox, and then view the available information in the Content pane.

7. In the Console Tree, expand Recipient Configuration, click Mailbox, and then view the available information in the Content pane.

Demonstration: Working with the Exchange Management Shell

Detailed demonstration steps

Demonstration steps

The instructor will run the following cmdlets:

• Get-Mailbox

• Get-Mailbox | Format-List

• Get-Mailbox | fl

• Get-Mailbox | Format-Table

• Get-Mailbox | ft Name, Database, IssueWarningQuota

• Get-Help New-Mailbox

• Get-Help New-Mailbox -detailed

• Get-Help New-Mailbox -examples

• $Temp = "Text"

• $Temp

• $password = Read-Host "Enter password" -AsSecureString

• New-Mailbox -UserPrincipalName [email protected] -Alias Chris -Database "Mailbox Database 1" -Name ChrisAshton -OrganizationalUnit Users -Password $password -FirstName Chris -LastName Ashton -DisplayName "Chris Ashton" -ResetPasswordOnNextLogon $true

Demonstration steps

1. On VAN-EX1, click Start, click All Programs, click Exchange Server 2010, and then click Exchange Management Shell.

2. Run Get-Mailbox, and then view the output.

3. Run Get-Mailbox | Format-List, and then view the output.

4. Run Get-Mailbox | fl, and then verify that it is identical to the previous output, since fl is an alias for Format-List.

5. Run Get-Mailbox | Format-Table, and then view the output. Explain that the format is different from the previous output.

6. Run Get-Mailbox | ft Name, Database, IssueWarningQuota. Explain that the table output shows only the fields you specify.

7. Run Get-Help New-Mailbox to view the basic help for New-Mailbox.

8. Run Get-Help New-Mailbox -detailed to view the detailed help for New-Mailbox.

9. Run Get-Help New-Mailbox -examples to view just the examples that the help provides.

10. Create a variable by running $Temp = "Text"

11. Run $Temp to view the variable’s contents.

12. Run $password = Read-Host "Enter password" -AsSecureString to prompt the user for a password. Emphasize that to assign a password to a new user, you must specify the Read-Host command with the -AsSecureString switch, because you cannot store passwords as simple strings. Type Pa$$W0rd and press ENTER.

13. Run New-Mailbox -UserPrincipalName [email protected] -Alias Chris -Database "Mailbox Database 1" -Name ChrisAshton -OrganizationalUnit Users -Password $password -FirstName Chris -LastName Ashton -DisplayName "Chris Ashton" -ResetPasswordOnNextLogon $true to create a new and secure mailbox for user Chris Ashton.

Note: Assign a password to a new user by specifying the Read-Host cmdlet with the -AsSecureString switch, because passwords cannot be stored as simple strings.

Lesson 2

Configuring Mailbox Server Roles

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

Demonstration: How to Configure Mailbox Server Role Configuration Options

Question: What additional tasks do you need to perform on the Mailbox server role after the Exchange Server 2010 installation occurs?

Answer: You must complete all of the post-installation steps, including creating and configuring databases, securing the server, and configuring recipients and the offline address book.

Demonstration: Configuring Database Options

Question: When would you need to move the path of the transaction logs or databases?

Answer: You may need to move the database files during the initial configuration to ensure that the files are on the appropriately configured disks.

Question: When might you use circular logging?

Answer: Enabling circular logging allows transaction logs to be overwritten after they are committed to the database. Because Exchange Server does not retain those transaction logs, they are not available for use in recovery. You would use this option when you do not need to recover data between full backups. However, we never recommend this option in a single-server production environment.

Discussion: Considerations for Implementing Databases

Question: What should you consider when naming databases?

Answer: Beginning with Exchange Server 2010, databases are no longer children of server objects, and a database can replicate to multiple Mailbox servers if you configure them for high availability. Therefore, as a best practice, you should not leverage the following in database-naming conventions:

• The server name

• The Active Directory site name (for the site resilience case)

• The physical data center name (for the site resilience case)

• The Exchange organization name

Question: When would you want or need to create multiple databases?

Answer: You may discuss a number of reasons, depending on the students. Often organizations create databases to separate users in different departments or geographic regions, or users that require different service levels. Maintaining a database at a manageable size also is important. You should size databases to fit on the available storage, yet still have enough room for growth. Additionally, their size should coincide with the backup and recovery times that you define for the messaging system.

Question: Why would you want to reduce the number of databases?

Answer: You may discuss several reasons, depending on the students. An organization may want to reduce the number of databases that it has in order to reduce licensing needs and the administrative overhead that comes with having multiple databases. Additionally, each mounted database consumes additional memory on the server, so in some instances, it may be beneficial to limit how many databases you have.

Question: What should you consider when planning to build additional Mailbox servers?

Answer: You may need to place Mailbox servers in locations closer to the users to improve performance or reduce bandwidth charges. Adding additional Mailbox servers to the same site may be required to handle additional users or to handle increased usage from current users.

Detailed Demo Steps

Demonstration: How to Configure Mailbox Server Role Configuration Options

Detailed demonstration steps

Demonstration steps

1. Open the Exchange Management Console.

2. In the Console Tree, expand Server Configuration, and then click Mailbox.

3. Note the available options in the Actions pane: Manage Diagnostic Logging Properties, Enter Product Key, and Properties.

4. View the properties of the server and review the options on the General, System Settings, Messaging Records Management, and Customer Feedback Options tabs.

5. View the Manage Diagnostic Logging options.

Demonstration steps

1. On VAN-EX1, click Start, click All Programs, click Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Mailbox.

3. In the Mailbox pane, select VAN-EX1. Describe the available options in the Actions pane: Manage Diagnostic Logging Properties, Switchover Server, and Properties.

4. In the Actions pane, under VAN-EX1, click Properties.

5. View the properties on the General tab, and then select System Settings.

6. View the options on the System Settings tab, and then select Messaging Records Management.

7. View the options on the Messaging Records Management tab, and then close the Properties dialog box.

8. Click Manage Diagnostic Logging in the Actions pane, and then view the logging options.

Demonstration: Configuring Database Options

Detailed demonstration steps

Demonstration steps

1. Open the Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.

3. Select the Database Management tab, and then view the properties of a mailbox database.

4. View the properties on the General, Maintenance, Limits, and Client Settings tabs.

5. Run the Move Database Path wizard to move the database files.

Demonstration steps

1. On VAN-EX1, if required, click Start, click All Programs, click Exchange Server 2010, and then open Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.

3. Select the Database Management tab, right-click on Mailbox Database 1, and then choose Properties.

4. View the properties on the General tab, and then select the Maintenance tab.

5. View the properties on the Maintenance tab, and then select the Limits tab.

6. View the properties on the Limits tab, and then select the Client Settings tab.

7. Close the Properties dialog box.

8. Select Mailbox Database 1, and then click Move Database Path in the Actions pane.

9. In the Move Database Path wizard, type a new database file path (C:\NewFolder1\DB\Mailbox Database 1.edb) and log folder path (C:\NewFolder1\Logs\), and then click Move.

10. Confirm and complete the move process.

If time permits, demonstrate moving the database files using the Exchange Management Shell:

1. Log on to VAN-EX1 with your administrator account, and then open the Exchange Management Shell.

2. Run Move-DatabasePath -id 'Mailbox Database 1' -LogFolderPath 'C:\NewFolder2\Logs\'.

3. Run Move-DatabasePath -Id 'Mailbox Database 1' -EdbFilePath 'C:\NewFolder2\DB\Mailbox Database 2.edb'.

Demonstration: How to Manage Mailbox Size Limits

Detailed demonstration steps

Demonstration Steps

1. Open the Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and click Mailbox.

3. Right-click a user mailbox, and click Properties.

4. Click the Mailbox Settings tab, and double-click Storage Quotas.

5. Unselect Use mailbox database defaults, and modify the value for Prohibit send and receive at (MB).

6. Open Exchange Management Shell.

7. Configure the database limits with the Get-MailboxDatabase cmdlet.

8. Configure just the user mailboxes that are contained in the Marketing department with the Get-Mailbox cmdlet.

Demonstration steps

1. On VAN-EX1, if required, click Start, click All Programs, click Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then click Mailbox.

3. In the Content pane, right-click Luca Dellamore, and then choose Properties.

4. Select the Mailbox Settings tab, and then double-click on Storage Quotas.

5. Clear the Use mailbox database defaults check box.

6. Select the Prohibit send and receive at (MB) check box, and in the text box, type 10. Click OK twice.

7. Open the Exchange Management Shell.

8. To configure the database limits with Exchange Management Shell, run Get-MailboxDatabase -Server VAN-EX1 | Set-MailboxDatabase -IssueWarningQuota 50MB.

9. To configure just the user mailboxes that are contained in the Marketing organizational unit, run Get-Mailbox -OrganizationalUnit Marketing | Set-Mailbox -ProhibitSendQuota 75MB.

Lesson 3

Configuring Public Folders

Contents:

Question and Answers

Additional Reading

Detailed Demo Steps

Question and Answers

When to Use SharePoint Instead of Public Folders

Question: For what does your company currently use public folders and SharePoint?

Answer: Answers will vary considerably. Some companies may choose to use public folders for shared mail queues, calendars, document repositories, or discussion groups. Other companies may choose to use SharePoint for the same reasons.

Additional Reading

Configuring Public Folder Replication

• Exchange Server 2010 Help: Understanding Public Folder Replication

Detailed Demo Steps

Demonstration: How to Configure Public Folders

Detailed demonstration steps

Demonstration steps

Use the PFMC to add replicas and set permissions on a public folder

1. Open the Exchange Management Console.

2. Open the PFMC, and then connect to a Mailbox server.

3. Create a new public folder named Sales.

4. View the properties of the Sales public folder, and then view the options on the General, Statistics, Limits, and Replication tabs.

5. Add a replica to the Sales public folder.

Use the Exchange Management Shell to add permissions to a public folder

The instructor will run the following cmdlets:

• Get-PublicFolderClientPermission \Sales

• Add-PublicFolderClientPermission \Sales -AccessRights EditAllItems -User Jason

Use Outlook to view and edit public folder permissions

1. Log on to VAN-CL1 as Adatum\Administrator.

2. Open Outlook.

3. View the permissions for the Sales public folder.

Demonstration steps

Use the PFMC to add replicas and set permissions on a public folder

1. On VAN-EX1, if required, click Start, click All Programs, click Exchange Server 2010, and then open Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, and then expand Toolbox.

3. In the Content pane, double-click Public Folder Management Console.

4. If not already connected, in the Actions pane, click Connect to a Server, and then in the Connect to Server dialog box, click Browse.

5. In the Select Public Folder Servers dialog box, select VAN-EX1, click OK, and then click Connect.

6. Select the Default Public Folders node in the Console Tree, and then click New Public Folder in the Actions pane.

7. In the New Public Folder Wizard, type Sales, click New, and then click Finish.

8. In the Content pane, right-click Sales, view the available options, and then click Properties.

9. View the information available on the General tab, and then select the Statistics tab.

10. View the information available on the Statistics tab, and then select the Limits tab.

11. View the information available on the Limits tab, and then select the Replication tab.

12. Click Add, select PF2 on VAN-EX2, and then click OK.

13. Click OK.

Use the Exchange Management Shell to add permissions to a public folder

1. Open the Exchange Management Shell.

2. Run Get-PublicFolderClientPermission \Sales, and then view the results.

3. Run Add-PublicFolderClientPermission \Sales -AccessRights EditAllItems -User Jason.

Use Outlook to view and edit public folder permissions

1. On VAN-CL1, open Outlook.

2. Click Folder List in the Outlook bar.

3. Expand Public Folders, expand All Public Folders, right-click Sales, and then click Properties.

4. Select the Permissions tab, and then view the available options.

Module Reviews and Takeaways

Review questions

1. Which tools can you use to manage Exchange Server 2010?

The Exchange Management Shell and the Exchange Management Console are the two main tools for managing Exchange Server. Additionally, the Exchange Management Console has several other tools that you can use.

2. What customizations can you make on mailbox databases?

Mailbox database-configuration options include mailbox limits, journaling recipients, default public folder databases, maintenance schedules, and circular logging.

3. When can you use public folders?

Exchange Server 2010 supports public folders fully, so you can use a variety of solutions. There are several solutions that work within public folders, but other products and technologies may better serve them.

Common issues related to designing mailbox databases

Identify the causes for the following common issues related to designing and implementing Exchange Server mailbox databases and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: You are planning to deploy a new Mailbox server on a different server and storage platform.

Troubleshooting tip: Use performance-testing tools, such as Exchange Load Generator or Jet Stress, to ensure the Mailbox server will perform adequately.

Issue: After applying limits on each of the mailbox databases, some of the users are exceeding these limits.

Troubleshooting tip: Verify that the mailboxes are set to inherit limit settings from the database, rather than having to be set separately.

Issue: You are migrating from Exchange Server 2003, and none of the users with Exchange Server 2010 mailboxes can access legacy public folders via Outlook Web App.

Troubleshooting tip: Verify that a replica of the required public folders exists on an Exchange Server 2010 server.

Real-world issues and scenarios

1. Your organization needs to determine which storage solution to deploy for the new Exchange Server 2010 messaging environment. What information should you consider when selecting the hardware?

You should consider many factors when choosing storage. Your focus should be on providing enough disk space and throughput to meet your needs. There are tools that you can use to approximate the requirements and help you make an informed decision.

2. Your organization would like to automate creation of user mailboxes for employees based on their status in your organization’s human-resources system. What can you use to perform this automation?

The Exchange Management Shell provides an interface for scripting administrative tasks, such as user creation and modification. You also can use Exchange Management Shell programmatically from inside other applications.
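A sketch of the HR-driven provisioning described in this answer, written as an added example and not taken from the course material. It reuses the New-Mailbox parameters and the Read-Host -AsSecureString pattern from the Module 2 demonstration; the CSV columns, the Active status value, and the example.com UPN suffix are assumptions.

```powershell
# Added example, not from the course material. Run in the Exchange Management Shell.
# Assumptions: the CSV column names, the 'Active' status value, the example.com suffix.

$UpnSuffix = 'example.com'          # placeholder; use your organization's UPN suffix
$Database  = 'Mailbox Database 1'   # database name used in the demonstrations
$DryRun    = $true                  # $true = report only (-WhatIf); $false = create

# Constructed sample of an HR export. In production, use Import-Csv on the real file.
$hrExport = @'
FirstName,LastName,Alias,OrganizationalUnit,Status
Chris,Ashton,Chris,Users,Active
Kim,Akers,Kim,Users,Active
Daniel,Brunner,Daniel,Users,Terminated
'@ | ConvertFrom-Csv

# Read the initial password without echo. It is held only as a SecureString and
# never appears in the script, the CSV, or the command history.
$initialPassword = Read-Host 'Enter initial password' -AsSecureString

foreach ($row in $hrExport) {

    # Only employees that HR marks as active receive a mailbox.
    if ($row.Status -ne 'Active') {
        Write-Host "Skipping $($row.Alias): HR status is '$($row.Status)'."
        continue
    }

    # Make the run repeatable: do nothing if the mailbox already exists.
    if (Get-Mailbox -Identity $row.Alias -ErrorAction SilentlyContinue) {
        Write-Warning "Mailbox '$($row.Alias)' already exists; skipped."
        continue
    }

    $params = @{
        UserPrincipalName        = ('{0}@{1}' -f $row.Alias, $UpnSuffix)
        Alias                    = $row.Alias
        Name                     = ($row.FirstName + $row.LastName)
        FirstName                = $row.FirstName
        LastName                 = $row.LastName
        DisplayName              = ('{0} {1}' -f $row.FirstName, $row.LastName)
        OrganizationalUnit       = $row.OrganizationalUnit
        Database                 = $Database
        Password                 = $initialPassword
        # The initial password is shared, so force a change at first logon.
        ResetPasswordOnNextLogon = $true
        WhatIf                   = $DryRun
    }
    New-Mailbox @params
}
```

Leave $DryRun set to $true for the first pass and review the -WhatIf output before creating any accounts.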

3. Your organization wants to reduce administrative costs. One suggestion is to give department heads and administrative assistants the necessary access to manage departmental and project-based groups. What can you use to accomplish this task?

You can use the ECP and appropriate RBAC permissions to enable nontechnical personnel to manage groups.

Best practices related to public folder deployment planning

Supplement or modify the following best practices for your own work situations:

• Determine the public folder features that your organization needs, such as multiple master replications.

• Determine whether other solutions, such as SharePoint or InfoPath, meet user needs better.

• Define specific age and size limits, so that public folder data does not grow uncontrolled and outdated.

Tools

Tool: Exchange Management Console

Use for:

• Configuring the Exchange Server organization, its servers, and its recipients.

Where to find it: Start menu

Tool: Exchange Management Shell

Use for:

• Configuring the Exchange Server organization, its servers, and its recipients.

• Completing bulk-management tasks.

Where to find it: Start menu

Tool: Exchange Control Panel

Use for:

• Managing recipients

Where to find it: Outlook Web App

Lab Review Questions and Answers

Question: What happens to the database’s status when you move the database files?

Answer: When you move database files, the database is taken offline. This causes the database to be unavailable, which means that end users cannot send and receive e-mail until the database is online again.

Question: When you create a public folder, how many replicas does it have?

Answer: When you create a public folder with the Public Folder Management Console in Outlook, only one replica is created. Therefore, to ensure that the data is redundant, you must add a replica.

Module 3 Managing Recipient Objects

Contents:

Lesson 1: Managing Mailboxes

Lesson 2: Managing Other Recipients

Lesson 3: Configuring E-Mail Address Policies

Lesson 4: Configuring Address Lists

Lesson 5: Performing Bulk Recipient Management Tasks

Module Reviews and Takeaways

Lab Review Questions and Answers

Lesson 1

Managing Mailboxes

Contents:

Question and Answers

Additional Reading

Detailed Demo Steps

Question and Answers

Discussion: Types of Exchange Server Recipients

Question: How is a mail-enabled contact different from a mail-enabled user?

Answer: A mail-enabled contact does not have an Active Directory user account. You use this for people outside your organization that you want to include in the GAL.

Demonstration: How to Manage Mailboxes

Question: What tools do you prefer to use for managing mailbox users?

Answer: Answers will vary. Typically, users prefer the graphical user interface (GUI) for small, nonrepetitive tasks, and then prefer the Exchange Management Shell for larger, repetitive tasks.

Question: How does your organization delegate Exchange and Active Directory management tasks?

Answer: Answers will vary. Usually, the help desk performs basic recipient-management tasks, while specialized Exchange Server administrators perform tasks that pertain to server support.

Configuring Mailbox Settings

Question: Why would you configure mailbox size limits on individual mailboxes?

Answer: By configuring mailbox size limits, you can override the mailbox database defaults for specific users. Typically, this enables a specific user to have a higher storage limit than other users, when necessary.

Demonstration: How to Configure Mailbox Permissions

Question: When would more than one user need to access the same mailbox?

Answer: Providing access to multiple users for the same mailbox is useful for generic mailboxes, such as a help-desk mailbox that acts as a queue where all users can access and respond to messages.

Question: What is the difference between Send on behalf of permissions and Send As permissions?

Answer: Send As permissions allow you to impersonate another user. Send on behalf of permissions indicate that you are responding for that person.
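Because Send As lets one account impersonate another and Full Access exposes the whole mailbox, it is worth reviewing who holds these rights. The following audit is an added example, not part of the course material; the function name Get-DelegatedMailboxAccess is hypothetical, and the script assumes it runs in the Exchange Management Shell with rights to read mailbox and Active Directory permissions.

```powershell
# Added example, not from the course material. Run in the Exchange Management Shell.
# Reports every explicit (non-inherited) Full Access and Send As grant on mailboxes.

function Get-DelegatedMailboxAccess {
    param(
        # Grantees to leave out of the report; SELF is the mailbox owner.
        [string[]]$IgnoreGrantee = @('NT AUTHORITY\SELF')
    )

    # Collect the mailboxes first. Calling another Exchange cmdlet from inside a
    # Get-Mailbox pipeline can fail in the remote shell ("pipelines cannot be
    # executed concurrently"), so the loop runs over a finished array.
    $mailboxes = @(Get-Mailbox -ResultSize Unlimited)

    foreach ($mbx in $mailboxes) {

        # Full Access is a mailbox right stored with the mailbox.
        Get-MailboxPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                ($_.AccessRights -like '*FullAccess*') -and
                ($_.IsInherited -eq $false) -and
                ($_.Deny -eq $false) -and
                ($IgnoreGrantee -notcontains $_.User.ToString())
            } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Mailbox = $mbx.DisplayName
                    Right   = 'Full Access'
                    Grantee = $_.User.ToString()
                }
            }

        # Send As is an Active Directory extended right on the user object.
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                ($_.ExtendedRights -like '*Send-As*') -and
                ($_.IsInherited -eq $false) -and
                ($_.Deny -eq $false) -and
                ($IgnoreGrantee -notcontains $_.User.ToString())
            } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Mailbox = $mbx.DisplayName
                    Right   = 'Send As'
                    Grantee = $_.User.ToString()
                }
            }
    }
}

# Review the result, or pipe it to Export-Csv to compare against an approved list.
Get-DelegatedMailboxAccess |
    Sort-Object Mailbox, Right, Grantee |
    Format-Table Mailbox, Right, Grantee -AutoSize
```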

Demonstration: How to Move Mailboxes

Question: What is the benefit of scheduling mailbox moves?

Answer: By scheduling mailbox moves, you can move mailboxes during off-peak hours when users are not logged on. Users cannot be logged on when their mailbox moves.

Designing Resource Booking Policies

Question: How will you use resource mailboxes in your environment?

Answer: Answers will vary by student. Many businesses use resource mailboxes to track conference room usage and equipment, such as projectors and video-conference equipment.

Demonstration: How to Manage Resource Mailboxes

Question: How does your organization use resource mailboxes?

Answer: Answers will vary. Many organizations need resource mailboxes to facilitate room bookings.

Question: Which attributes are useful for your resource mailboxes?

Answer: You can use resource capacity to specify the maximum number of people a room can hold. Other properties will vary by the equipment type.

Additional Reading

Discussion: Types of Exchange Server Recipients

• Exchange Server 2010 Help: Understanding Recipients

Reasons for Moving Mailboxes

• Exchange Server 2010 Help: Understanding Mailbox Moves

Demonstration: How to Move Mailboxes

• Exchange Server 2010 Help: Understanding Mailbox Moves

Demonstration: How to Manage Resource Mailboxes

• Exchange Server 2010 Help: Create a Room Mailbox

Detailed Demo Steps

Demonstration: How to Manage Mailboxes

Detailed demonstration steps

Demonstration steps

Use the Exchange Management Shell to mail-enable an existing user:

1. Open Active Directory Users and Computers, and ensure that Daniel Brunner exists in the Users container.

2. Open Exchange Management Shell, and run the following cmdlets:

• Enable-MailUser "Daniel Brunner" -externalemailaddress [email protected]

• Disable-MailUser "Daniel Brunner"

3. In Active Directory Users and Computers, verify that the Daniel Brunner user still exists.

4. Create a new mail-enabled user with the Exchange Management Console.

5. Open Exchange Management Console.

6. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.

7. Run the New Mailbox wizard, and create a new user account and mailbox for Kim Akers. Create the mailbox in the Accounting mailbox database.

Note: Remove-Mailbox deletes the specified user account and mailbox, and Disable-Mailbox removes the mailbox, but leaves the user account enabled.

Demonstration steps

Use the Exchange Management Shell to mail-enable an existing user:

1. On VAN-EX1, click Start, click Administrative Tools, and then open Active Directory Users and Computers.

2. In Active Directory Users and Computers, expand Adatum.com, then click Users, and locate Daniel Brunner.

3. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

4. Run Enable-MailUser "Daniel Brunner" -externalemailaddress [email protected], and view the results.

5. Run Disable-MailUser "Daniel Brunner". Type Y.

6. Close Exchange Management Shell.

7. In Active Directory Users and Computers, verify Daniel Brunner still is present.

8. Close Active Directory Users and Computers.

Use the Exchange Management Console to create a new mail-enabled user:

1. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then click Mailbox.

3. In the Actions pane, click New Mailbox.

4. Choose User Mailbox, and then click Next.

5. Choose New user, and then click Next.

6. Fill in the following information:

• First Name: Kim

• Last Name: Akers

• User logon name (User Principal Name): Kim

• Password: Pa$$w0rd

• Confirm password: Pa$$w0rd

7. Click Next.

8. Type Kim as the Alias.

9. Select the Specify the mailbox database rather than using a database automatically selected check box, and click Browse. Click Accounting, click OK, and then click Next.

10. Click Next.

11. Click New.

12. Click Finish.

Demonstration: How to Manage Mailboxes

Detailed demonstration steps

Demonstration steps

Assign Wei Yu Send As permissions on Kim Akers’s mailbox:

1. Open Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.

3. In the Results pane, select the Kim Akers mailbox, and then in the Actions pane, click Manage Send As Permission.

4. In the Manage Send As Permission wizard, click Add.

5. In the Select User or Group dialog box, choose Wei Yu, and then click OK.

6. Click Manage.

7. Click Finish.

Assign Wei Yu full access to Kim Akers’s mailbox.

1. Select the Kim Akers mailbox, and then in the Actions pane, click Manage Full Access Permission.

2. In the Manage Full Access Permission wizard, click Add.

3. In the Select User or Group dialog box, choose Wei Yu, and then click OK.

4. Click Manage, and then click Finish.

Demonstration steps

Assign Wei Yu Send As permissions on Kim Akers’s mailbox:

1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.

3. In the Results pane, select the Kim Akers mailbox, and then in the Actions pane, click Manage Send As Permission.

4. In the Manage Send As Permission wizard, click Add. You will notice that the SELF security principal, which enables a user to manage his permissions, already is assigned. It was assigned, by default, when the mailbox was created.

5. In the Select User or Group dialog box, choose Wei Yu, and then click OK.

6. Click Manage.

7. Click Finish. Wei Yu now can send e-mail as Kim Akers if he chooses to change the From address when composing a new e-mail message.

Assign Wei Yu full access to Kim Akers’s mailbox:

1. In the Results pane, select the Kim Akers mailbox, and then in the Actions pane, click Manage Full Access Permission.

2. In the Manage Full Access Permission wizard, click Add. You will notice that the SELF security principal, which enables a user to manage his permissions, already is assigned. It was assigned, by default, when the mailbox was created.

3. In the Select User or Group dialog box, choose Wei Yu, and then click OK.

4. Click Manage.

5. Click Finish.
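
The two grants made in the wizards above can also be made, and then reviewed, from the Exchange Management Shell. The following is an added example, not part of the courseware: it assumes the mailbox name Kim Akers and the account Adatum\Wei from the demonstration, and Get-MailboxDelegation is a hypothetical helper name.

```powershell
# Added example for Exchange Server 2010; run in the Exchange Management Shell.
# Assumptions: the mailbox is "Kim Akers" and the delegate is Adatum\Wei, as in the demo.

# Get-MailboxDelegation is a hypothetical helper name. It lists the explicit
# (non-inherited) Send As and Full Access grants on one mailbox and leaves out
# the default NT AUTHORITY\SELF entry that the wizards display.
function Get-MailboxDelegation {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    $mailbox = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # Keep only explicit allow entries for principals other than SELF.
    $explicit = {
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User.ToString() -notlike 'NT AUTHORITY\SELF'
    }

    # Full Access is held as a mailbox permission.
    Get-MailboxPermission -Identity $mailbox.DistinguishedName |
        Where-Object $explicit |
        Where-Object { $_.AccessRights -like '*FullAccess*' } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mailbox.Name } },
                      @{ Name = 'Trustee'; Expression = { $_.User.ToString() } },
                      @{ Name = 'Right';   Expression = { 'FullAccess' } }

    # Send As is held as an extended right on the Active Directory object.
    Get-ADPermission -Identity $mailbox.DistinguishedName |
        Where-Object $explicit |
        Where-Object { $_.ExtendedRights -like '*Send-As*' } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mailbox.Name } },
                      @{ Name = 'Trustee'; Expression = { $_.User.ToString() } },
                      @{ Name = 'Right';   Expression = { 'SendAs' } }
}

# Shell equivalents of the two wizard actions in the demonstration.
Add-ADPermission -Identity 'Kim Akers' -User 'Adatum\Wei' -ExtendedRights 'Send As'
Add-MailboxPermission -Identity 'Kim Akers' -User 'Adatum\Wei' `
    -AccessRights FullAccess -InheritanceType All

# Review what is now delegated on this mailbox.
Get-MailboxDelegation -Identity 'Kim Akers' | Format-Table -AutoSize

# The same review across every mailbox, for a periodic delegation report.
Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { Get-MailboxDelegation -Identity $_.DistinguishedName } |
    Sort-Object Mailbox, Right |
    Format-Table -AutoSize
```

Any trustee in the report that has no documented business reason can be removed with Remove-MailboxPermission or Remove-ADPermission.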

Demonstration: How to Move Mailboxes

Detailed demonstration steps

Demonstration steps

Move Kim Akers’s mailbox to Mailbox Database 1:

1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.

3. Select the Kim Akers mailbox, and then in the Actions pane, click New Local Move Request.

4. In the New Local Move Request wizard, click Browse.

5. Select Mailbox Database 1, and then click OK.

6. Click Next.

7. Verify that Skip the mailbox is selected, and then click Next.

8. Click New.

9. Click Finish.

Demonstration steps

Move Kim Akers’s mailbox to Mailbox Database 1:

1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.

3. Select the Kim Akers mailbox, and then in the Actions pane, click New Local Move Request.

4. In the New Local Move Request wizard, click Browse.

5. Select Mailbox Database 1, and then click OK.

6. Click Next.

7. Verify that Skip the mailbox is selected, and then click Next. The Skip the corrupted messages option moves the noncorrupt messages to the new database up to the threshold selected. You can use this option to move corrupted mailboxes, while preserving the valid data.

8. Click New.

9. Click Finish.

Note: If the mailbox move fails, and the error indicates that no MRS service is available, start the Microsoft Exchange Mailbox Replication service, and try the mailbox move again.

10. In the Console Tree, expand Recipient Configuration, and then select Move Request to view the status of the move request.

Demonstration: How to Manage Mailboxes

Detailed demonstration steps

Demonstration steps

1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.

3. Create a new room mailbox with the following information:

• Name: Conference Room 1

• User logon name (User Principal Name): ConferenceRoom1

• Password: Pa$$w0rd

• Alias: ConferenceRoom1

4. After creating the room mailbox, modify the properties, and enable the resource booking attendant.

5. Open Internet Explorer, and log on to Outlook Web App as Adatum\Administrator with the password of Pa$$w0rd.

6. In Outlook Web App, create a new Meeting Request.

7. In the Untitled Meeting window, type Sales Meeting as the subject, type Administrator in the To field, and type Conference Room 1 in the Location field, and then click the Scheduling Assistant tab.

8. Select a Start time and an End time.

9. Click the down arrow next to Select Rooms, and then click More.

10. In the Address Book window, double-click Conference Room 1, and then click OK.

11. Send the meeting request and verify that the resource accepted the invitation.

Demonstration steps

On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

1. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.

2. In the Actions pane, click New Mailbox.

3. In the New Mailbox wizard, select Room Mailbox, and then click Next.

4. Verify New user is selected, and then click Next.

5. Fill in the following information:

• Name: Conference Room 1

• User logon name (User Principal Name): ConferenceRoom1

• Password: Pa$$w0rd

• Confirm Password: Pa$$w0rd

6. Click Next.

7. Type ConferenceRoom1 as the Alias, and then click Next.

8. Verify Create an archive mailbox for this account is not selected, and then click Next.

9. Click New.

10. Click Finish.

11. In the Results pane, select Conference Room 1, and in the Actions pane, click Properties.

12. Click the Resource General tab.

13. Select the Enable the Resource Booking Attendant check box. If you do not enable this option, the resource will not process meeting requests, even if you configure other settings.

14. Click OK.

15. On VAN-EX1, click Start, click All Programs, and then click Internet Explorer.

16. Type https://VAN-EX1.adatum.com/owa in the address bar.

17. Log on to Outlook Web App as Adatum\Administrator with the password of Pa$$w0rd.

18. In Outlook Web App, click the down arrow next to New, and then click Meeting Request.

19. In the Untitled Meeting window, type Sales Meeting as the subject, type Administrator in the To field, and type Conference Room 1 in the Location field.

20. Click the Scheduling Assistant tab.

21. Select a Start time and an End time.

22. Click the down arrow next to Select Rooms, and then click More.

23. In the Address Book window, double-click Conference Room 1, and then click OK.

24. Click Send.

25. Close Internet Explorer.

26. Close Exchange Management Console.

Lesson 2

Managing Other Recipients

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

What Are Mail Contacts and Mail Users?

Question: When would you use mail-enabled contacts?

Answer: You can use mail-enabled contacts to display a trusted partner or contract employee in the company address list or add them to a distribution group. You also can use mail-enabled contacts to forward e-mail from a local mailbox to a remote mail account.

Question: Why would you use a mail-enabled contact rather than a mail-enabled user?

Answer: A mail-enabled contact does not support authentication to Active Directory directory services and is useful as a mechanism to add external users to the GAL. Creating mail-enabled users would be a security risk because the Active Directory accounts could be used to log on and access some system resources.

What Are Distribution Groups?

Question: When would your organization use distribution groups?

Answer: Answers will vary. Many organizations create distribution groups for each department and for each special project.

Question: When would your organization use public and moderated groups?

Answer: Answers will vary. Many organizations may allow department or project managers to create and manage public groups to reduce the IT department administrative overhead in managing these groups.

Options for Configuring Distribution Groups

Question: What is the advantage of enforcing a naming convention for distribution groups?

Answer: Answers will vary. Naming conventions allow users to more easily identify distribution groups with their e-mail client.

Demonstration: How to Manage Groups by Using the Exchange Control Panel

Question: When would you use public groups?

Answer: Answers will vary. Some organizations may use public groups to allow users to create nonbusiness-critical or project-based groups so that the business owners can manage the groups.

Detailed Demo Steps

Demonstration: How to Manage Groups by Using the Exchange Control Panel

Detailed demonstration steps

Demonstration steps

Add Kim Akers to the Recipient Management role group.

1. On VAN-EX1, in Active Directory Users and Computers, add Kim Akers to the Recipient Management role group.

Log on to Exchange Control Panel as Kim Akers, and create a new Sales Group.

1. Log on to Exchange Control Panel as Adatum\Kim with the password of Pa$$w0rd.

2. Select Public Groups, and create a new Public Group.

3. In the New Group window, configure the following information:

• Display name: Sales

• Alias: Sales

• Description: Sales Department

4. Add the following members:

• Manoj Syamala

• Rohinton Wadia

• Paul West

5. Expand Membership Approval, and select Owner Approval.

6. Click Save.

7. Sign out of Exchange Control Panel.

Log on to ECP as Wei Yu, and ask to join the Sales group.

1. Log on to Exchange Control Panel as Adatum\Wei with the password of Pa$$w0rd.

2. In the left pane, select Groups.

3. In the Public Groups I Belong to section, click Join.

4. In the All Groups window, select Sales, and then click Join.

5. Click Close.

6. Sign out of Exchange Control Panel.

Approve Wei Yu’s request to be added to the Sales Group.

1. Log on to Outlook Web App as Adatum\Kim with the password of Pa$$w0rd.

2. Double-click the Request to Join Distribution Group message in the inbox.

3. In the Request to Join Distribution Group message pane, click Approve.

4. Close Outlook Web App.

Demonstration steps

Add Kim Akers to the Recipient Management role group.

1. On VAN-EX1, open Active Directory Users and Computers.

2. Expand Adatum.com, and click Microsoft Exchange Security Groups, and then double-click Recipient Management.

3. On the Members tab, add Kim Akers to the role group.

4. Click OK, and close Active Directory Users and Computers.

Log on to Exchange Control Panel as Kim Akers, and create a new Sales Group.

1. On VAN-EX1, click Start, click All Programs, click Internet Explorer.

2. Type https://van-ex1.adatum.com/ecp in the address bar.

3. Log on to Exchange Control Panel as Adatum\kim with the password of Pa$$w0rd. Click OK.

4. Click Public Groups.

5. Under Public Groups, click New.

6. In the New Group window, in the Display Name box, type Sales.

7. Type Sales as the Alias.

8. Type Sales Department as the Description.

9. Expand the Membership section, and then click Add.

10. In the Select Members window, double-click the following mailboxes:

• Manoj Syamala

• Rohinton Wadia

• Paul West

11. Click OK.

12. Expand Membership Approval.

13. Click Owner Approval. This ensures that the group owner approves all requests to join the group.

14. Click Save.

15. Sign out of Exchange Control Panel.

16. Log on to Exchange Control Panel as Wei Yu, and send a request to join the Sales group.

17. Click Start, click All Programs, and click Internet Explorer.

18. Type https://van-ex1.adatum.com/ecp in the address bar.

19. Log on to Exchange Control Panel as Adatum\Wei with the password of Pa$$w0rd. Click OK.

20. In the left pane, select Groups.

21. In the Public Groups I Belong to section, click Join.

22. In the All Groups window, select Sales, and click Join.

23. Click Close.

24. Sign out of Exchange Control Panel.

Approve Wei Yu’s request to be added to the Marketing Group.

1. Click Start, click All Programs, and click Internet Explorer.

2. Type https://van-ex1.adatum.com/owa in the address bar.

3. Log on to Outlook Web App as Adatum\kim with the password of Pa$$w0rd.

4. Double-click the Request to Join Distribution Group message in the Inbox.

5. In the Request to Join Distribution Group message pane, click Approve.

6. Close Outlook Web App.

Lesson 3

Configuring E-Mail Address Policies

Contents:

Additional Reading

Detailed Demo Steps

Additional Reading

What Are E-Mail Address Policies?

• Exchange Server 2010 Help: Understanding Accepted Domains

• Exchange Server 2010 Help: Understanding E-mail Address Policies

• Exchange Server 2010 Help: Upgrading Custom LDAP filters to OPATH filters

Demonstration: How to Configure E-Mail Address Policies

• Exchange Server 2010 Help file: Managing E-mail Address policies.

Detailed Demo Steps

Demonstration: How to Configure E-Mail Address Policies

Detailed demonstration steps

Demonstration steps

Create a new e-mail address policy for Fourth Coffee recipients.

1. Open the Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then select Hub Transport.

3. Create a new e-mail address policy with these attributes:

• Name: Fourth Coffee

• Display Name: Fourth Coffee

• Recipient container to apply filter: Adatum.com

• Included recipient types: All Recipient types

4. Use the user Alias as the local part of the e-mail address.

5. Select fourthcoffee.com as the accepted domain.

6. Apply the e-mail address policy immediately.

Verify that the e-mail address policy has been applied.

1. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.

2. In the Results pane, double-click Jane Dow.

3. View the current E-Mail addresses that have been assigned.

4. Change the Company attribute to Fourth Coffee.

5. View the current e-mail addresses that have been assigned.

Demonstration steps

Create a new E-mail Address Policy for Fourth Coffee recipients.

On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

1. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then select Hub Transport.

2. In the Actions pane, click New E-mail Address Policy.

3. In the New E-Mail Address Policy wizard, type Fourth Coffee as the name of the policy.

4. Click Browse.

5. In the Select Organizational Unit dialog box, select Adatum.com, and then click OK.

6. Verify that All Recipient types is selected, and then click Next.

7. In the Step 1 box, check Recipient is in a Company.

8. In the Step 2 box, click specified.

9. In the Specify Company dialog box, type Fourth Coffee, and then click Add. You can add multiple names to this list, if needed.

10. Click OK.

11. In the New E-Mail Address Policy dialog box, click Next.

12. Click Add, and then verify that E-mail address local part and Use Alias are selected.

13. Click Select the accepted domain for the e-mail address, click Browse, select fourthcoffee.com, and then click OK. This list of domains comes from the list of accepted domains. To display a new domain in this list, you must add another accepted domain.

14. Click OK.

15. Click Next.

16. Verify Immediately is selected, and then click Next. The schedule allows you to set the policy to not run, run immediately, or run at a later time. You can use this option if the policy affects a large number of recipients or if the change must occur during a defined change window.

17. Click New.

18. Click Finish.

Verify the E-mail Address Policy is being applied.

1. In the Console Tree, expand Recipient Configuration, and then select Mailbox.

2. In the Results pane, double-click Jane Dow.

3. In the Properties dialog box for Jane Dow, click the E-Mail Addresses tab, and then view the current E-Mail addresses assigned.

4. Click the Organization tab.

5. Type Fourth Coffee for the Company, and then click Apply.

6. In the Properties dialog box for Jane Dow, click the E-Mail Addresses tab, and view the current E-Mail addresses assigned. The new fourthcoffee.com e-mail address should have been assigned when the company change was made. Notice that the new addresses were added and the old addresses were not removed.

7. Click OK.

8. Close Exchange Management Console.

Lesson 4

Configuring Address Lists

Contents:

Question and Answers

Additional Reading

Detailed Demo Steps

Question and Answers

Discussion: Reasons for Configuring Address Lists

Question: What are the reasons for creating multiple address lists?

Answer: Although the answers may vary, common reasons are:

• Geographic organization. If a company has multiple physical locations, address lists could be based on country, state, city, or building.

• Departmental organization. A large company may want to create separate address lists for departments such as accounting, marketing, or sales.

• Recipient type organization. To make booking meeting rooms easier, you might organize room mailboxes by physical location.

Question: How do you use address lists in your organization?

Answer: Answers will vary. Typically, users are organized by department or physical location.

Question: How do you use a recipient filter and Active Directory attributes to create address lists? Is the necessary information already in Active Directory accounts?

Answer: Answers will vary. Recipient filters are a flexible way to create address lists, but Exchange Server 2010 does not support them through the GUI. You may need recipient filters to create address lists for individual buildings. The necessary information may not be in Active Directory accounts, depending on the organization.

Additional Reading

What Are Address Lists?

• Exchange Server 2010 Help file: Understanding Address Lists

Demonstration: How to Configure Address Lists

• Exchange Server 2010 Help file: Managing Address Lists

Configuring Offline Address Books

• Exchange Server 2010 Help file: Understanding Offline Address Books

Options for Deploying Offline Address Books

• Exchange Server 2010 Help file: Understanding Offline Address Books

Detailed Demo Steps

Demonstration: How to Configure Address Lists

Detailed demonstration steps

Demonstration steps

Create a new address list for Fourth Coffee recipients.

1. Open Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then select Mailbox.

3. Create a new address list with the following attributes.

• Name: Fourth Coffee

• Display Name: Fourth Coffee

• Container: \

• Recipient container to apply filter: Adatum.com

• Included recipient types: All Recipient types

4. Use the Recipient is in a Company condition to apply this policy to only recipients that list Fourth Coffee for their company attribute.

5. Preview the address list.

6. Apply the address list immediately.

Verify the new address list is working.

1. Log on to Outlook Web App as Adatum\George with the password of Pa$$w0rd.

2. Open the Address book, and view the members of the Fourth Coffee address list.

3. Close Outlook Web App.

Demonstration steps

Create a new address list for Fourth Coffee recipients:

1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Organization Configuration, and then select Mailbox.

3. In the Results pane, click the Address lists tab.

4. In the Actions pane, click New Address List.

5. Type Fourth Coffee as the Name.

6. Type Fourth Coffee as the Display name.

7. Verify the container is \.

8. Click Next.

9. Click Browse.

10. In the Select Organizational Unit dialog box, select Adatum.com, and then click OK.

11. Verify that All Recipient types is selected, and then click Next.

12. In the Step 1 box, check Recipient is in a Company.

13. In the Step 2 box, click specified.

14. In the Specify Company dialog box, type Fourth Coffee, and then click Add. You can add multiple values to this list.

15. Click OK.

16. Click Preview. This will list the estimated results of using the defined filter.

17. Click OK.

18. Click Next.

19. Verify Immediately is selected, and then click Next. The schedule can allow the policy to not run, run immediately, or run at a later time. You can use this when the policy will affect a large number of recipients or if a change window is going to be honored.

20. Click New.

21. Click Finish.

Verify the new address list is working.

1. Log on to Outlook Web App as Adatum\George with the password of Pa$$w0rd.

2. Click the Address book icon in the Outlook Web App toolbar.

3. In the Address Book window, click the Show other address lists button.

4. Click Fourth Coffee. View the members of the Fourth Coffee address list.

5. Close the Address Book window.

6. Close Outlook Web App.

Lesson 5

Performing Bulk Recipient Management Tasks

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

Discussion: Benefits of Managing Recipients in Bulk

Question: Describe situations where you need to create multiple recipients.

Answer: Answers will vary. Some examples include:

• Schools importing users for the new school year.

• Importing contacts from a comma separated values (.csv) file.

• Importing users from a .csv file that you export from another system.

Question: Describe situations where multiple recipients need to be modified.

Answer: Answers will vary. Some examples include:

• A department is increasing users’ storage limits.

• A new naming standard is created for the organization’s groups.

• You need to remove all subsidiary members because the company has been sold.

Demonstration: How to Manage Multiple Recipients

Question: Which tasks will you automate with PowerShell scripts?

Answer: Answers will vary by student. Some students may express an interest in creating scripts to report on mailbox sizes, or to create new mailboxes through an automated process.

Detailed Demo Steps

Demonstration: How to Manage Multiple Recipients

Detailed demonstration steps

Demonstration steps

1. The instructor will run the following cmdlets:

Get-User -Filter {Company -eq "Fourth Coffee"}

Disable-Mailbox Jane

Get-User -Filter {Company -eq "Fourth Coffee"} | Enable-Mailbox -Database "Mailbox Database 1"

2. The instructor will run the following script. The script will create mailboxes based on information provided in a .csv file.

## Section 1
## Define Database for new mailboxes
$db = "Mailbox Database 1"
## Define User Principal name
$upndom = "Adatum.com"

## Section 2
## Import csv file into variable $users
$users = Import-Csv $args[0]

## Section 3
## Function to convert password string to secure string
function SecurePassword([string]$plainPassword)
{
    $secPassword = New-Object System.Security.SecureString
    foreach ($char in $plainPassword.ToCharArray())
    {
        $secPassword.AppendChar($char)
    }
    ## Return the secure string to the caller
    $secPassword
}

## Section 4
## Create new mailboxes and users
foreach ($i in $users)
{
    $sp = SecurePassword $i.password
    $upn = $i.FirstName + "@" + $upndom
    $display = $i.FirstName + " " + $i.LastName
    New-Mailbox -Password $sp -Database $db -DisplayName $display `
        -UserPrincipalName $upn -Name $i.FirstName -FirstName $i.FirstName `
        -LastName $i.LastName -OrganizationalUnit $i.OU
}

3. In Exchange Management Console, verify that the users listed in the .csv file have been created.

Demonstration steps

Demonstrate how to use pipelining:

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

2. Run: Get-User -Filter {Company -eq "Fourth Coffee"}.

3. Run Disable-Mailbox Jane. Type Y and then press ENTER.

4. Run Get-User -Filter {Company -eq "Fourth Coffee"} | Enable-Mailbox -Database "Mailbox Database 1".

5. Run Notepad D:\Labfiles\DemoUsers.ps1. Explain each section of the PowerShell script.

• Section 1. Creates a variable named $db that stores the name of the database and a variable named $upndom that stores the domain name used for the user principal name (UPN).

• Section 2. Imports a CSV file with user information.

• Section 3. Converts the plain text password into a secure string.

• Section 4. Creates the mailboxes.

6. Run Notepad D:\Labfiles\DemoUsers.csv. Review the contents of the file.

7. Run: D:\Labfiles\DemoUsers.ps1 D:\Labfiles\Demousers.csv.

8. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

9. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.

10. Verify that the users were created successfully.
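
The demonstration script creates a mailbox for every row without checking the input first. The following variant is an added example, not the course's lab file: it validates the .csv file before anything is created and forces a password change at first logon. It assumes the columns the original script reads (FirstName, LastName, Password, OU); the parameter names and the Get-ValidUserRow helper are hypothetical.

```powershell
# Added example: hardened variant of the bulk-creation script shown above.
# Run in the Exchange Management Shell. Not part of the course lab files.
#
# Constructed sample of the expected input file:
#   FirstName,LastName,Password,OU
#   Anna,Lidman,<initial password>,Adatum.com/Users
param(
    [Parameter(Mandatory = $true)][string]$CsvPath,
    [string]$Database  = 'Mailbox Database 1',
    [string]$UpnDomain = 'Adatum.com'
)

$required = 'FirstName', 'LastName', 'Password', 'OU'

# Hypothetical helper: return only the rows that are safe to process.
function Get-ValidUserRow {
    param([object[]]$Rows)

    $seen = @{}
    foreach ($row in $Rows) {
        # Reject rows with an empty or missing required column.
        $missing = @()
        foreach ($column in $required) {
            if ("$($row.$column)".Trim() -eq '') { $missing += $column }
        }
        if ($missing.Count -gt 0) {
            Write-Warning ("Skipping row '{0} {1}': missing {2}" -f `
                $row.FirstName, $row.LastName, ($missing -join ', '))
            continue
        }

        # The UPN is built from FirstName, so two rows with the same first
        # name would collide. Keep the first and report the rest.
        $key = $row.FirstName.Trim().ToLower()
        if ($seen.ContainsKey($key)) {
            Write-Warning ("Skipping row '{0} {1}': duplicate logon name" -f `
                $row.FirstName, $row.LastName)
            continue
        }
        $seen[$key] = $true
        $row
    }
}

if (-not (Test-Path -Path $CsvPath -PathType Leaf)) {
    throw "CSV file not found: $CsvPath"
}
$rows = @(Import-Csv -Path $CsvPath)

foreach ($user in (Get-ValidUserRow -Rows $rows)) {
    $upn     = '{0}@{1}' -f $user.FirstName.Trim(), $UpnDomain
    $display = '{0} {1}' -f $user.FirstName.Trim(), $user.LastName.Trim()

    # Do not touch accounts that already exist.
    if (Get-User -Identity $upn -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping ${upn}: the account already exists"
        continue
    }

    # Built-in replacement for the SecurePassword function in the original.
    $securePassword = ConvertTo-SecureString -String $user.Password -AsPlainText -Force

    try {
        # The password in the .csv file is only an initial value:
        # the user must replace it at first logon.
        New-Mailbox -Name $user.FirstName.Trim() -DisplayName $display `
            -FirstName $user.FirstName.Trim() -LastName $user.LastName.Trim() `
            -UserPrincipalName $upn -Password $securePassword `
            -Database $Database -OrganizationalUnit $user.OU `
            -ResetPasswordOnNextLogon $true -ErrorAction Stop | Out-Null
        Write-Output "Created $upn"
    }
    catch {
        # Report the failure without echoing the row's password.
        Write-Warning ("Failed to create {0}: {1}" -f $upn, $_.Exception.Message)
    }
}
# The .csv file holds plain-text passwords. Remove it, or restrict access
# to it, once the run is complete.
```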

Module Reviews and Takeaways

Review questions

1. How would you ensure that meeting requests to room mailboxes are validated manually before being approved?

Assign a delegate for the resource, and allow the delegated user to make the decision to approve or deny meeting requests that do not fall into standard policies.

2. How would you give access to allow a user to send messages from another mailbox, without giving them access to the mailbox contents?

Assign the user Send As permissions to the mailbox.

3. What should you consider when configuring offline address book distribution?

You should consider the clients that you will use. Outlook 2003 requires that the offline address book be available in a public folder, whereas Outlook 2007 and newer can access the offline address book in a public folder or through Web distribution.

Common issues related to configuring Offline Address Books

Identify the causes for the following common issues related to configuring offline address books, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: The offline address book is not up-to-date with changes made during the day.

Troubleshooting tip: Check to make sure that the offline address book is scheduled to be generated more than one time each day.

Issue: Outlook 2003 clients are not able to download the offline address book.

Troubleshooting tip: Check to make sure the offline address book is being distributed in a public folder.

Real-world issues and scenarios

1. A company has two large divisions and one Exchange Server organization. Employees in each division rarely communicate with each other. What can you do to reduce the number of recipients the employees of each division see when they open the Exchange address list?

To make it easier for employees to find recipients who exist only in their division, you can create two new custom address lists. When searching for recipients in their division, these custom address lists allow employees to select only the address list that is specific to their division.

2. An organization has a large number of projects that leverage distribution groups. Managing group members takes considerable time. You need to reduce the time the help desk spends managing groups so that they can work on other issues.

Allow end users to manage their own groups using the Exchange Control Panel. End users may require some training up front, but ultimately, this will result in time savings for the help-desk staff.

3. You employ contractors that need an e-mail address from your company. The company needs to enable the contractors to receive these messages in their current third-party mailboxes.

Create mail-enabled contacts for each of the contractors, and use the contractors’ third party e-mail address as the destination address.

Best practices related to managing recipient objects

Supplement or modify the following best practices for your own work situations:

• Define clear naming conventions and adhere to them. Naming conventions help identify the location and purpose of recipient objects, and help both end users and administrators locate recipients easily.

• Test global changes prior to making them in production. Changes to global settings, like e-mail address policies, should be tested in a lab environment before you make changes in production. This avoids configuration errors.

Lab Review Questions and Answers

Question: What is the effect of creating an empty address list on the global address list?

Answer: An empty address list can be used to organize other address lists, such as nesting additional address lists below any empty address list.

Question: In your messaging environment, for which activities will you create scripts?

Answer: Answers will vary by student. Some may suggest using scripts to create mailbox size reports or for updating user information based on data exported from a human resources database.

Module 4 Managing Client Access

Contents:

Lesson 1: Configuring the Client Access Server Role

Lesson 2: Configuring Client Access Services for Outlook Clients

Lesson 3: Configuring Outlook Web Access

Lesson 4: Configuring Mobile Messaging

Module Reviews and Takeaways

Lab Review Questions and Answers

Lesson 1

Configuring the Client Access Server Role

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

Demonstration: How to Configure a Client Access Server

Question: Why would you create multiple Outlook Web App Mailbox policies or Exchange ActiveSync policies, rather than just use the default policies?

Answer: If you want different users to have different experiences with Outlook Web App or Exchange ActiveSync, you would need to create additional policies. In Exchange Server 2010, the only way you can control the Outlook Web App and Exchange ActiveSync user experience is by creating policies, and then assigning the policies to users.

Question: Why would you modify the server settings on one Client Access server to be different from those on another Client Access server?

Answer: When you have two Client Access servers with different security or configuration requirements, you will need to modify the server-specific settings. For example, if you have an Internet-accessible Client Access server, and one that is used only for internal access, you might configure the security settings differently.

Demonstration: How to Configure Certificates for Client Access Servers

Question: What would you need to change in this procedure if you were also enabling secure access to IMAP4 using a server name of IMAP4?

Answer: You would need to add the IMAP4 service while running the New Exchange Certificate Wizard, and make sure that you specify IMAP4.adatum.com as the server name. This name then is added to the subject alternative name attribute on the certificate.

Question: How would this process change if you were requesting a certificate from an external, public CA?

Answer: The process would change very little. If the public CA provided a Web site for requesting a certificate, you would connect to the Web site and upload the certificate request file. Many public CAs also support e-mailing the certificate request file. After receiving the certificate, you would import it on your server.

Detailed Demo Steps

Demonstration: How to Configure a Client Access Server

Detailed demonstration steps

Demonstration steps

1. Open the Exchange Management Console.

2. In the Exchange Management Console, expand Microsoft Exchange On Premises, expand Organization Configuration, and then click Client Access. You apply settings to all Client Access servers and mailboxes while in the Organization Configuration node.

3. Review the default policies on the Outlook Web App Mailbox Policies and Exchange ActiveSync Mailbox Policies tabs.

4. In the left pane, expand Server Configuration, and then click Client Access.

5. Examine the properties of one of the listed Client Access servers. These properties display information only, and cannot be used to configure the server settings.

6. In the results pane, review the settings available on each of the tabs. These settings configure the Client Access server settings for the Client Access server virtual directories.

Demonstration steps

1. On VAN-EX1, click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Exchange Management Console, expand Microsoft Exchange On-Premises (van-ex1.adatum.com), expand Organization Configuration, and then click Client Access. You apply client access settings to all Client Access servers and mailboxes while in the Organization Configuration node.

3. In the details pane, click the Outlook Web App Mailbox Policies tab. On this tab, you can define Outlook Web App Mailbox policies that will configure the user experience with Outlook Web App. Notice that Exchange defines a default policy, which it does not assign to any users.

4. In the details pane, click the Exchange ActiveSync Mailbox Policies tab. On this tab, you can define Exchange ActiveSync Mailbox policies that will configure the user experience when they connect to the Exchange servers using a mobile device. Notice that Exchange defines a default policy, which it does not assign to any users.

5. In the left pane, expand Server Configuration, and then click Client Access. In this area, you can configure the settings that are specific to each Client Access server.

6. In the details pane, ensure that VAN-EX1 is selected, and in the Actions pane, click Properties. Click the System Settings tab, and then click the Outlook Anywhere tab. These tabs display information only, and cannot be used to configure the server settings. After you have reviewed these settings, click OK.

7. In the results pane, ensure that the Outlook Web App tab is selected, right-click owa (Default Web Site), and then click Properties. In the owa (Default Web Site) Properties dialog box, you can configure the OWA settings for this server. After you have reviewed these settings, click OK.

8. Click the Exchange Control Panel tab, and then double-click ecp (Default Web Site). In this dialog box, you can configure the Exchange Control Panel (ECP) virtual directory settings for this server. After you have reviewed these settings, click OK.

9. Click the Exchange ActiveSync tab, click the Offline Address Book tab, and then click the POP3 and IMAP4 tab. In each of these locations, you can configure the Client Access server-specific settings.

Demonstration: How to Configure Certificates for Client Access Servers

Detailed demonstration steps

Demonstration steps

By default, the Windows Server 2008 Certification Authority does not issue certificates with multiple subject alternative names, so you will need to modify the server configuration. To enable the CA to issue these certificates, perform the following steps:

1. Run the certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command, and then restart the Certificate Services.

2. In the Exchange Server, open the Exchange Management Console, select Server Configuration, and then click Client Access.

3. Click Configure External Client Access Domain, and configure the external domain name for Client Access servers in the organization.

4. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard. This wizard helps you determine what type of certificates you need for your Exchange organization.

5. On the Introduction page, enter a user-friendly name for your certificate.

6. On the Domain Scope page, do not select the Enable wildcarding for this certificate check box.

7. On the Exchange Configuration page, configure the certificate request to include Outlook Web App on the Internet and Intranet, Exchange ActiveSync and Autodiscover.

8. On the Certificate Domains page, accept the names that will be added to the certificate request.

9. On the Organization and Location page, enter information about your Exchange organization. Click the Browse button to select a location for the certificate request file, and enter the desired file name.

10. On the Certificate Completion page, verify that all the information you have entered is correct. If it is, click the New button.

11. On the Completion page, click Finish.

12. Provide the certificate request file to your CA. After the certificate has been issued, complete the certificate installation process.

13. In the Exchange Management Console, select Server Configuration.

14. In the Actions pane, click Complete Pending Request.

15. Import the certnew.cer file.

16. In the Actions pane, click Assign Services to Certificate.

17. Assign the certificate to Internet Information Services on VAN-EX1.

Demonstration steps

1. On VAN-DC1, click Start, in the search box, type cmd.exe, and then press ENTER. By default, the Windows Server 2008 CA does not issue certificates with multiple subject alternative names, so we need to modify the server configuration.

2. At the command prompt, type the following command, and then press ENTER: certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

3. At the command prompt, type net stop certsvc & net start certsvc, and then press ENTER.

4. On VAN-EX1, if required, open the Exchange Management Console.

5. In the left pane, click Server Configuration, and then click Client Access.

6. In the Actions pane, click Configure External Client Access Domain. You can use this feature to configure the external domain name for Client Access servers in the organization.

7. On the Configure External Client Access Domain page, type mail.Adatum.com as the domain name, and then click Add.

8. In the Select Client Access Server dialog box, press Ctrl, click both VAN-EX1 and VAN-EX2, and then click OK.

9. Click Configure. In the Microsoft Exchange dialog box or boxes, click Yes. This dialog box appears when the name that you are configuring as the external client access domain name cannot be resolved in DNS. Click Finish.

10. In the results pane, ensure that VAN-EX1 is selected, and then in the results pane, double-click owa (Default Web Site).

11. On the General tab, verify that the External URL field has been changed to https://mail.adatum.com/owa, and then click OK.

12. In the left pane, click Server Configuration.

13. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard. This wizard helps you determine what type of certificates you need for your Exchange organization.

14. On the Introduction page, type ADatum Mail Certificate as the friendly name for the certificate, and then click Next.

15. On the Domain Scope page, click Next. You can select the Enable wildcarding for this certificate check box, and enter a root domain if you would like to apply the certificate automatically to all subdomains by creating a wildcard certificate.

16. On the Exchange Configuration page, expand Client Access server (Outlook Web App), and then select both the Outlook Web App is on the Intranet and Outlook Web App is on the Internet check boxes.

17. Expand Client Access server (Exchange ActiveSync), and then select the Exchange Active Sync is enabled check box.

18. Expand Client Access server (Web Services, Outlook Anywhere, and Autodiscover). Enter mail.adatum.com as the external host name.

19. Ensure that the Autodiscover used on the Internet check box is selected, and that the Long URL option is selected, and then click Next.

20. On the Certificate Domains page, click Next.

21. On the Organization and Location page, enter the following information:

• Organization: A Datum

• Organizational Unit: Messaging

• Country/region: Canada

• City/locality: Vancouver

• State/province: BC

22. Click Browse, type CertRequest as the File name, and then click Save.

23. Click Next, click New, and then click Finish.

24. Click the Folder icon on the task bar, and then click Documents.

25. Right-click CertRequest.req, and then click Open.

26. In the Windows dialog box, click Select a program from a list of installed programs, and then click OK.

27. In the Open with dialog box, click Notepad, and then click OK.

28. In the CertRequest.req – Notepad window, press CTRL+A to select all the text, and then press CTRL+C to copy the text to the clipboard. Close Notepad.

29. Click Start, click All Programs, and then click Internet Explorer.

30. Connect to http://van-dc1.adatum.com/certsrv.

31. Log on as Adatum\administrator using the password Pa$$w0rd.

32. On the Welcome page, click Request a certificate.

33. On the Request a Certificate page, click advanced certificate request.

34. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded CMC or PKCS#7 file.

35. On the Submit a Certificate Request or Renewal Request page, click in the Saved Request field, and then press CTRL+V to paste the certificate request information into the field.

36. In the Certificate Template list, click Web Server, and then click Submit.

37. On the Certificate Issued page, click Download certificate.

38. In the File Download dialog box, click Save.

39. In the Save As dialog box, click Save. The process for saving the file may take more than a minute.

40. In the Download complete dialog box, click Open.

41. In the Certificate dialog box, on the Details tab, click Subject Alternative Name. Verify that the certificate includes several subject alternative names, and then click OK.

42. In the Exchange Management Console, click Server Configuration.

43. Under VAN-EX1, click Adatum Mail Certificate, and in the Actions pane, click Complete Pending Request.

44. On the Complete Pending Request page, click Browse.

45. Under Favorites, click Downloads.

46. Click certnew.cer and click Open.

47. Click Complete, and then click Finish.

48. In the results pane, click VAN-EX1. In the bottom pane, click Adatum Mail Certificate.

49. In the Actions pane, click Assign Services to Certificate.

50. On the Select Servers page, verify that VAN-EX1 is listed, and then click Next.

51. On the Select Services page, select the Internet Information Services check box, click Next, click Assign, and then click Finish.
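
The checks below are an added example, not part of the course material: they test that an issued certificate covers every host name clients will use, is assigned to IIS, and is not close to expiry. The function names, the sample object and the name autodiscover.adatum.com are assumptions made for illustration; the sample mirrors the CertificateDomains, Services and NotAfter properties that Get-ExchangeCertificate returns.

```powershell
# Added example (not from the course material). Written for PowerShell 2.0 or later;
# the functions are pure, so the constructed sample below runs without Exchange.

function Test-NameCoveredByCertificate {
    # True when $HostName matches one of the DNS names on the certificate.
    # A wildcard entry such as *.adatum.com covers exactly one additional label.
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][string[]]$CertificateDomains
    )
    $name = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    foreach ($entry in $CertificateDomains) {
        $san = $entry.Trim().TrimEnd('.').ToLowerInvariant()
        if ($san -eq $name) { return $true }
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)          # "*.adatum.com" becomes ".adatum.com"
            if ($name.Length -gt $suffix.Length -and $name.EndsWith($suffix)) {
                $label = $name.Substring(0, $name.Length - $suffix.Length)
                if (-not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-CertificateFinding {
    # Returns a list of problems; an empty list means every check passed.
    param(
        [Parameter(Mandatory=$true)]$Certificate,
        [Parameter(Mandatory=$true)][string[]]$RequiredNames,
        [string]$RequiredService = 'IIS',
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date)
    )
    $findings = @()

    # 1. Every name that clients connect to must be on the certificate.
    $domains = @($Certificate.CertificateDomains | ForEach-Object { "$_" })
    if ($domains.Count -eq 0) {
        $findings += 'Certificate lists no DNS names'
    } else {
        foreach ($name in $RequiredNames) {
            if (-not (Test-NameCoveredByCertificate -HostName $name -CertificateDomains $domains)) {
                $findings += "Name missing from certificate: $name"
            }
        }
    }

    # 2. The certificate must be assigned to the service (steps 49 to 51 above).
    $services = @("$($Certificate.Services)" -split '\s*,\s*')
    if ($services -notcontains $RequiredService) {
        $findings += "Certificate is not assigned to $RequiredService"
    }

    # 3. Expired or about to expire.
    $notAfter = [datetime]$Certificate.NotAfter
    if ($notAfter -lt $Now) {
        $findings += "Certificate expired on $($notAfter.ToString('yyyy-MM-dd'))"
    } elseif ($notAfter -lt $Now.AddDays($WarnDays)) {
        $findings += "Certificate expires within $WarnDays days ($($notAfter.ToString('yyyy-MM-dd')))"
    }
    return ,$findings
}

# Constructed sample shaped like one Get-ExchangeCertificate result.
$sample = New-Object PSObject -Property @{
    FriendlyName       = 'ADatum Mail Certificate'
    CertificateDomains = @('mail.adatum.com', 'autodiscover.adatum.com', 'VAN-EX1.adatum.com')
    Services           = 'IMAP, POP, SMTP'       # IIS deliberately not assigned in this sample
    NotAfter           = (Get-Date).AddDays(20)
}
$required = 'mail.adatum.com', 'autodiscover.adatum.com', 'imap4.adatum.com'
Get-CertificateFinding -Certificate $sample -RequiredNames $required

# In the Exchange Management Shell on VAN-EX1, run the same check on the real certificate:
#   Get-ExchangeCertificate | Where-Object { $_.FriendlyName -eq 'ADatum Mail Certificate' } |
#       ForEach-Object { Get-CertificateFinding -Certificate $_ -RequiredNames $required }
#
# On the CA (VAN-DC1), the flag set in step 2 applies to every request the CA issues.
# List the flags that are currently set, and clear this one when it is no longer needed:
#   certutil -getreg policy\EditFlags
#   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
#   net stop certsvc & net start certsvc
```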

Lesson 2

Configuring Client Access Services for Outlook Clients

Contents:

Question and Answers

Additional Reading

Detailed Demo Steps

Question and Answers

Demonstration: How to Configure MailTips

Question: Will you leave MailTips enabled in your organization? How will you modify the default configuration?

Answer: Answers will vary. Some organizations will leave the default configuration. Other organizations may choose to disable MailTips, or modify one or more of the specific MailTips.

Additional Reading

What Is Autodiscover?

• Automatically configure Office Outlook 2007 user accounts

• Autodiscover Response

Detailed Demo Steps

Demonstration: How to Configure MailTips

Detailed demonstration steps

Demonstration steps

1. In Exchange Management Shell, use the Get-OrganizationConfig cmdlet to review the default configuration for MailTips.

2. Use the Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10 cmdlet to modify the large distribution group threshold setting.

3. Use the Set-DistributionGroup Marketing -MailTip 'The marketing team will be at a conference till next week.' cmdlet to configure a custom MailTip.

4. Log on to Outlook Web App. Prepare test messages to verify that the default and custom MailTips work as expected.

Demonstration steps

1. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.

2. At the PS prompt, type Get-OrganizationConfig, and then press ENTER. Review the settings for the following values:

• MailTipsAllTipsEnabled. Indicates that MailTips are enabled for the organization.

• MailTipsMailboxSourcedTipsEnabled. Indicates that internal MailTips are enabled.

• MailTipsExternalRecipientsTipsEnabled. Indicates that external recipient MailTips are enabled.

• MailTipsLargeAudienceThreshold. Defines the minimum size for a distribution group before the MailTip will be triggered.

3. At the PS prompt, type Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10, and then press ENTER.

4. Type Get-OrganizationConfig, and then press ENTER. Verify that the large audience threshold has been updated.

5. At the PS prompt, type Set-DistributionGroup Marketing -MailTip 'The marketing team will be at a conference till next week.', and then press ENTER.

6. At the PS prompt, type Get-DistributionGroup 'Marketing' | FL MailTip*, and then press ENTER. Verify that the custom MailTip has been configured.

7. Open Internet Explorer, and connect to https://VAN-EX1.adatum.com/owa.

8. Log on to Outlook Web App as Adatum\Anna using the password Pa$$w0rd.

9. Click New to create a new message.

10. In the Untitled Message dialog box, click To, click Paul, click To, and then click OK. Press CTRL+K. Verify that the MailTip appears indicating that Anna does not have permission to send to this user.

11. Click Remove Recipient.

12. In the To box, type Marketing, and then press CTRL+K. Confirm that the Custom MailTip for the Marketing distribution list appears.

Demonstration: How to Configure Outlook Anywhere

Detailed demonstration steps

Demonstration steps

1. On the Client Access server, use the following cmdlet to review the Autodiscover configuration:

Get-ClientAccessServer -id VAN-EX1 | FL

2. On the Client Access server, verify that the RPC over HTTP Proxy feature is installed.

3. On the Client Access server, in Exchange Management Console, click Enable Outlook Anywhere, using a host name that is resolvable from the Internet.

4. On the Client Access server, in Internet Information Services (IIS) Manager, verify that the RPC virtual directory is configured to use SSL and that it is configured to accept Basic and Windows Authentication.

5. On the client computer, configure the Outlook account properties to Connect to Microsoft Exchange using HTTP, and then click Exchange Proxy Settings.

6. In the Microsoft Exchange Proxy Settings dialog box, complete the following information:

• Use the URL (https://): external host name for the Client Access server.

• Connect using SSL only: enable (default)

• On fast networks, connect using HTTP first, then connect using TCP/IP: enable

• On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)

• Proxy authentication setting: NTLM Authentication (default)

7. From the client, open Outlook and connect to the server.

8. Press and hold the CTRL key, and then right-click the Office Outlook icon in the Windows 7 operating system notification area. Click Connection Status. Confirm that the Conn column lists HTTPS as the connection method.

9. Press and hold Ctrl, and then click the Outlook icon in the notification area of the Windows task bar. Click Test E-mail AutoConfiguration.

10. Click Test. View the information displayed on both the Results and Log tabs.

Demonstration steps

1. On VAN-EX1, open the Exchange Management Shell.

2. In the Exchange Management Shell, type Get-ClientAccessServer -id VAN-EX1 | FL, and then press ENTER. Confirm that the AutodiscoverServiceInternalUri parameter is configured to use https://VAN-EX1.adatum.com/Autodiscover/Autodiscover.xml.

3. On VAN-EX1, click Start, point to Administrative Tools, and then click Server Manager.

4. Click Features. In the Features list, verify that the RPC over HTTP Proxy feature is listed.

5. On VAN-EX1, open the Exchange Management Console.

6. In the Exchange Management Console, expand Server Configuration, and then click Client Access.

7. Click VAN-EX1, and in the Actions pane, click Enable Outlook Anywhere.

8. On the Enable Outlook Anywhere page, in the External host name field, type Mail.adatum.com. Under Client authentication method, click NTLM authentication, and then click Enable.

9. On the Completion page, click Finish.

10. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

11. Expand VAN-EX1 (ADATUM\administrator), expand Sites, expand Default Web Site, and then click Rpc.

12. In the center pane, in the IIS section, double-click SSL Settings. Ensure that the Require SSL check box is selected.

13. Click Rpc, and then double-click Authentication. Ensure that Basic Authentication and Windows Authentication are enabled.

14. Close Internet Information Services (IIS) Manager.

15. Close all open windows, and restart VAN-EX1.

Note: You can continue with the following steps while VAN-EX1 restarts.

16. On VAN-CL1, ensure that you are logged on as Adatum\Luca.

17. Click Start, and then click Control Panel. In the Search field, type Mail. Right-click Mail, and then click Open.

18. In the Mail Setup - Outlook dialog box, click E-mail Accounts.

19. In the E-mail Accounts dialog box, click Microsoft Exchange, and then click Change. If you receive a warning that Microsoft Exchange is not available, click Work Offline.

20. On the Microsoft Exchange Settings page, click More Settings.

21. In the Microsoft Exchange dialog box, on the Connection tab, select Connect to Microsoft Exchange using HTTP, and then click Exchange Proxy Settings.

22. In the Microsoft Exchange Proxy Settings dialog box, complete the following information:

• Use this URL (https://): VAN-EX1.adatum.com

• Connect using SSL only: enable (default)

• On fast networks, connect using HTTP first, then connect using TCP/IP: enable

• On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)

• Proxy authentication setting: NTLM Authentication (default)

Note: In this demonstration, you are configuring the Outlook client to try HTTP first for all connections to the Exchange Server. However, in a production environment, you typically would select the option to connect first using HTTP on slow networks. When you use this configuration, the client uses RPC connections for the internal network, and it uses HTTP only for external networks.

23. Click OK, and then click OK again to close the Microsoft Exchange Server dialog box.

24. On the Microsoft Exchange Settings page, click Next.

25. On the Change E-mail Account page, click Finish.

26. On the E-mail Accounts page, click Close, and then again click Close to close the Mail Setup - Outlook dialog box.

27. Wait until VAN-EX1 restarts, and then log on as Administrator using the password Pa$$w0rd.

28. On VAN-CL1, click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2007.

29. If a Microsoft Office Outlook dialog box appears, click No.

30. Verify that the Office Outlook connection indicator states Online with Microsoft Exchange.

31. Press and hold CTRL, and then right-click the Office Outlook icon in the Windows 7 notification area. You may need to click the arrow in the Windows 7 notification area to view the Office Outlook icon.

32. Click Connection Status. Confirm that the Conn column lists HTTPS as the connection method, and then click Close.

33. Press and hold Ctrl, and then click the Outlook icon in the notification area of the Windows task bar. Click Test E-mail AutoConfiguration.

34. In the Password field, type Pa$$w0rd.

35. Clear the Use Guessmart and Secure Guessmart Authentication check boxes. Guessmart is used to automate the process of configuring Outlook 2010 as an IMAP4 or POP3 client.

36. Click Test. View the information displayed on the Results tab.

37. Click the Log tab to view how the client completed Autodiscover.

38. Close the Test E-mail AutoConfiguration dialog box.

39. Close Microsoft Outlook, and then log off VAN-CL1.

Lesson 3

Configuring Outlook Web Access

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

What Is Outlook Web App?

Question: What is Outlook Web App for Exchange Server 2010?

Answer: Outlook Web App allows users to access their mailboxes using a Web browser.

Question: What are the benefits of Outlook Web App?

Answer: Users can access their mailboxes using Outlook Web App from any computer with a Web browser, including public-access computers at trade shows, hotels, and internet cafes.

Question: When would you use Outlook Web App instead of Outlook or Windows Mail?

Answer: Outlook Web App is primarily targeted at remote users rather than mobile users. Mobile users are more likely to need cached messages and offline access to their mailboxes.

Detailed Demo Steps

Demonstration: How to Configure Outlook Web App

Detailed demonstration steps

Demonstration steps

1. On the Client Access server, ensure that the Outlook Web App virtual directory is configured to use SSL, and is using the correct server certificate.

2. In the Exchange Management Console, on the owa (Default Web Site) Properties, configure the external URL with the required authentication and segmentation settings.

3. In the Exchange Management Shell, use the Set-OwaVirtualDirectory 'owa (Default Web Site)' -ForceSaveFileTypes .xls cmdlet to force attachments with an .xls extension to be saved to disk before they can be opened.

4. Use the Set-OwaVirtualDirectory 'owa (Default Web Site)' -GzipLevel Off cmdlet to disable Gzip compression for Outlook Web App.

5. Use the Set-OwaVirtualDirectory -identity "Owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter cmdlet to block all Web beacons.

Demonstration steps

1. On VAN-EX1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. Expand VAN-EX1 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click owa.

3. In the center pane, and under IIS, double-click SSL Settings. Notice that SSL is required by default.

4. Under Sites, click Default Web Site, and in the Actions pane, click Bindings.

5. In the Site Bindings dialog box, click https, and then click Edit.

6. Verify that the SSL certificate used for the OWA site is the certificate that you obtained in the earlier demonstration.

7. Click OK, click Close, and then close Internet Information Services (IIS) Manager.

8. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

9. In the console tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Client Access.

10. In the work pane, select VAN-EX1, and in the result pane, right-click owa (Default Web Site), and then click Properties.

11. On the General tab, in the External URL box, type https://van-ex1.adatum.com/owa.

12. Click the Authentication tab, and verify that Use forms-based authentication is selected.

13. Under Logon Format, click User name only, and then click Browse.

14. Click Adatum.com, and then click OK.

15. Click the Segmentation tab, click All Address Lists, and then click Disable. The Segmentation tab allows you to enable and disable features for Outlook Web App users.

16. Click OK, read the Microsoft Exchange Warning dialog box, and then click OK.

17. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

18. Type IISReset /noforce, and then press ENTER. This allows the logon and segmentation changes to take effect.

19. In the Exchange Management Shell, type Set-OwaVirtualDirectory 'owa (Default Web Site)' -ForceSaveFileTypes .xls, and then press ENTER. This command forces attachments with a .xls extension to be saved to disk before they can be opened. Any existing ForceSaveFileTypes are overwritten. The attachment control settings for file types and MIME types can be configured by using the Set-OwaVirtualDirectory cmdlet. File attachment control settings include:

• ActionForUnknownFileAndMIMETypes. Specifies how to handle files that are not included in other file access management lists. Files can be allowed, blocked, or force saved.

• AllowedFileTypes. Specifies the file extensions of attachments that the user is allowed to save locally, or view from a Web browser.

• AllowedMIMETypes. Specifies the MIME types of attachments that users can save locally, or view from a Web browser.

• BlockedFileTypes. Specifies the file extensions of attachments that are blocked.

• BlockedMIMETypes. Specifies the MIME types of attachments that are blocked.

• ForceSaveFileTypes. Specifies the file extensions of attachments that the user is forced to save locally, rather than view from a Web browser.

• ForceSaveMIMETypes. Specifies the MIME types of attachments that the user is forced to save locally, rather than view from a Web browser.

Note: In cases where there is a conflict between management settings for file access, the following precedence applies: Allow overrides Block and Force Save. Block overrides Force Save. For example, if you configure .doc files as both a blocked file type and an allowed file type, .doc files will be allowed.

20. Type Set-OwaVirtualDirectory 'owa (Default Web Site)' -GzipLevel Off, and then press ENTER. This command disables Gzip compression for Outlook Web App. Gzip compression improves performance over slow network connections by compressing content. Implementing Gzip compression may slow server performance due to increased CPU utilization. Additional valid values for the GzipLevel options are High and Low. The default value is Low.

21. Type Set-OwaVirtualDirectory -identity "Owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter, and then press ENTER. The possible values for FilterWebBeaconsAndHtmlForms are as follows:

• UserFilterChoice. By default, this value blocks Web beacons and HTML forms, but lets the user allow Web beacons and HTML forms on individual messages.

• ForceFilter. This value blocks all Web beacons and HTML forms.

• DisableFilter. This value allows Web beacons and HTML forms.

22. Type IISReset, and then press ENTER.

23. Close the Exchange Management Shell.
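
The precedence rule in the note under step 19, modelled as an added example that is not part of the course material: it resolves the action for a given attachment name and reports extensions that sit in more than one list, where Allow silently wins over Block. The function names and the sample settings are assumptions made for illustration, and only file extensions (not MIME types) are modelled; the property names are the ones listed in step 19.

```powershell
# Added example (not from the course material). Models the stated precedence
# Allow > Block > Force Save for file extensions. PowerShell 2.0 or later.

function ConvertTo-ExtensionList {
    # Lower-case and trim each entry, add a leading dot if missing, drop duplicates.
    param($List)
    $result = @()
    foreach ($item in @($List)) {
        if ($null -eq $item) { continue }
        $e = "$item".Trim().ToLowerInvariant()
        if ($e -eq '') { continue }
        if (-not $e.StartsWith('.')) { $e = ".$e" }
        if ($result -notcontains $e) { $result += $e }
    }
    return ,$result
}

function Resolve-OwaAttachmentAction {
    # Returns 'Allow', 'Block' or 'ForceSave' for one attachment name.
    param(
        [Parameter(Mandatory=$true)][string]$FileName,
        [Parameter(Mandatory=$true)]$Settings
    )
    $ext = ''
    if ($FileName.Trim() -match '(\.[^.\\/]+)$') { $ext = $Matches[1].ToLowerInvariant() }

    $allowed   = ConvertTo-ExtensionList $Settings.AllowedFileTypes
    $blocked   = ConvertTo-ExtensionList $Settings.BlockedFileTypes
    $forceSave = ConvertTo-ExtensionList $Settings.ForceSaveFileTypes

    if ($ext -ne '') {
        if ($allowed   -contains $ext) { return 'Allow' }      # Allow overrides Block and Force Save
        if ($blocked   -contains $ext) { return 'Block' }      # Block overrides Force Save
        if ($forceSave -contains $ext) { return 'ForceSave' }
    }
    # Not in any list (or no extension): the catch-all setting decides.
    return "$($Settings.ActionForUnknownFileAndMIMETypes)"
}

function Find-OwaAttachmentConflict {
    # Lists every extension that appears in more than one list, with the action that wins.
    param([Parameter(Mandatory=$true)]$Settings)
    $lists = @{
        Allow     = ConvertTo-ExtensionList $Settings.AllowedFileTypes
        Block     = ConvertTo-ExtensionList $Settings.BlockedFileTypes
        ForceSave = ConvertTo-ExtensionList $Settings.ForceSaveFileTypes
    }
    $all = @($lists.Allow + $lists.Block + $lists.ForceSave | Sort-Object -Unique)
    foreach ($ext in $all) {
        # Names are tested in precedence order, so the first match is the effective action.
        $in = @('Allow', 'Block', 'ForceSave' | Where-Object { $lists[$_] -contains $ext })
        if ($in.Count -gt 1) {
            New-Object PSObject -Property @{
                Extension = $ext
                ListedIn  = ($in -join ', ')
                Effective = $in[0]
            }
        }
    }
}

# Constructed sample settings; .doc and .vbs are deliberately listed twice.
$sample = New-Object PSObject -Property @{
    AllowedFileTypes                 = @('.doc', '.pdf', '.txt')
    BlockedFileTypes                 = @('.doc', '.exe', '.vbs')
    ForceSaveFileTypes               = @('.xls', '.vbs')
    ActionForUnknownFileAndMIMETypes = 'ForceSave'
}

foreach ($file in 'budget.XLS', 'contract.doc', 'setup.exe', 'run.vbs', 'notes.unknown') {
    '{0,-14} -> {1}' -f $file, (Resolve-OwaAttachmentAction -FileName $file -Settings $sample)
}
Find-OwaAttachmentConflict -Settings $sample | Format-Table Extension, ListedIn, Effective -AutoSize

# In the Exchange Management Shell, audit the live virtual directory the same way:
#   Get-OwaVirtualDirectory 'owa (Default Web Site)' |
#       ForEach-Object { Find-OwaAttachmentConflict -Settings $_ }
```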

Demonstration: How to Configure Outlook Web App Policies

Detailed demonstration steps

Demonstration steps

1. In Exchange Management Console, in the Organization Configuration node, click Client Access.

2. Click New Outlook Web App Mailbox Policy. Provide a name for the policy, and configure the policy settings.

3. After creating the policy, you can configure additional settings by accessing the policy properties.

4. Assign the policy to a user account by accessing the Outlook Web App properties on the Mailbox Features tab.

5. Log on to Outlook Web App as the user, and test the policy application.

Demonstration Steps

1. On VAN-EX1, click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. Expand Organization Configuration, and then click Client Access.

3. In the Actions pane, click New Outlook Web App Mailbox Policy.

4. In the New Outlook Web App Mailbox Policy page, type Marketing Policy as the policy name.

5. In the list of features, click Change Password, and then click Disable.

6. Click New, and then click Finish.

7. Right-click Marketing Policy, and then click Properties.

8. On the Public Computer File Access tab, clear all check boxes.

9. On the Private Computer File Access tab, clear all check boxes, and then click OK.

10. Under Recipient Configuration, click Mailbox.

11. In the Mailbox list, double-click Paul West.

12. On the Mailbox Features tab, click Outlook Web App, and then click Properties.

13. Select the Outlook Web App mailbox policy check box, and then click Browse.

14. Click Marketing Policy, and then click OK three times.

15. Click Start, click All Programs, and then click Internet Explorer.

16. In the address field, type https://VAN-EX1.Adatum.com/owa, and then press ENTER.

17. Log on to Outlook Web App as Adatum\Paul using the password Pa$$w0rd.

18. On the Outlook Web App page, click Options.

19. If prompted for authentication, log on as Adatum\Paul using the password Pa$$w0rd.

20. In the left pane, click Settings. Notice that you do not have the option to change the user password. Close Internet Explorer.

Demonstration: How to Configure User Options Using the ECP

Detailed demonstration steps

Demonstration steps

1. On the Client Access server, in IIS Manager, review the settings for the ecp virtual directory.

2. In the Exchange Management Console, review the settings for the ecp (Default Web Site) virtual directory on each Client Access server.

3. As a user, access the ECP by opening Internet Explorer, and accessing https://servername/ecp.

4. Log on to the ECP, and review the settings that can be modified by the user.

Demonstration steps

1. On VAN-EX1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. Expand VAN-EX1 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click ecp.

3. In the center pane, and under IIS, double-click SSL Settings. Notice that SSL is required by default.

4. Close Internet Information Services (IIS) Manager.

5. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

6. In the console tree, expand Server Configuration, and then click Client Access.

7. In the work pane, select VAN-EX1, and in the result pane, click the Exchange Control Panel tab.

8. Right-click ecp (Default Web Site), and then click Properties.

9. On the General tab, in the External URL box, type https://van-ex1.adatum.com/owa. This URL should match the URL used on the OWA virtual directory.

10. Click the Authentication tab, and verify that Use forms-based authentication is selected. Click OK.

11. On VAN-EX1, click Start, click All Programs, and then click Internet Explorer.

12. In the address field, type https://VAN-EX1.Adatum.com/ecp, and then press ENTER.

13. Log on to the ECP as Adatum\Luca using the password Pa$$w0rd.

14. On the Account tab, click Edit, click Contact Numbers, and in the Work phone field, type 555-5555. Click Save, and verify that the updated phone number is listed.

15. In the left pane, click Organize E-Mail. On the Organize E-Mail tab, users can configure Inbox Rules, and view delivery reports.

16. In the left pane, click Groups. On the Groups tab, users can view the groups to which they belong and manage any groups that they own.

17. In the left pane, click Settings. On the Settings tab, users can configure several options for sending and managing e-mail and calendaring.

18. In the left pane, click Phone. On the Phone tab, users can manage their own mobile devices that have synchronized with Exchange Server 2010.

19. In the left pane, click Block or Allow. On the Block or Allow tab, users can configure their Junk e-mail settings as well as edit their safe recipients list.

20. Close Internet Explorer.

Lesson 4

Configuring Mobile Messaging

Contents:

• Question and Answers

• Additional Reading

• Detailed Demo Steps

Question and Answers

Discussion: Reasons for Configuring Address Lists

Question: What are the reasons for creating multiple address lists?

Answer: Although the answers may vary, common reasons are:

• Geographic organization. If a company has multiple physical locations, address lists could be based on country, state, city, or building.

• Departmental organization. A large company may want to create separate address lists for departments such as accounting, marketing, or sales.

• Recipient type organization. To make booking meeting rooms easier, you might organize room mailboxes by physical location.

Question: How do you use address lists in your organization?

Answer: Answers will vary. Typically, users are organized by department or physical location.

Question: How do you use a recipient filter and Active Directory attributes to create address lists? Is the necessary information already in Active Directory accounts?

Answer: Answers will vary. Recipient filters are a flexible way to create address lists, but Exchange Server 2010 does not support them through the GUI. You may need recipient filters to create address lists for individual buildings. The necessary information may not be in Active Directory accounts, depending on the organization.

Additional Reading

Options for Securing Exchange ActiveSync

• Sample: How to add root certificates to Windows Mobile 2003 and Windows Mobile 2002 Smartphones

• System Center Mobile Device Manager TechCenter

Detailed Demo Steps

Demonstration: How to Configure Exchange ActiveSync

Detailed demonstration steps

Demonstration steps

1. On the Client Access server, in IIS Manager, clear the option to require SSL for the Exchange ActiveSync virtual directory.

Caution: In a production environment, you should require SSL for the Exchange ActiveSync virtual directory. You are disabling SSL only because the mobile emulator does not trust the server certificate.

2. In Exchange Management Console, configure authentication and remote file server settings on the Microsoft-Server-ActiveSync virtual directory.

3. On the mobile device emulator, configure the network settings so that the emulator can communicate with the Client Access server.

4. In mobile device emulator, start ActiveSync, and then configure the emulator to connect to the Client Access server using an account that is enabled for Exchange ActiveSync.

5. Synchronize the device.

6. Test ActiveSync by sending a message from another user to the user logged on to the mobile device. Verify that the message arrives, and respond to the message.

Demonstration steps

1. On VAN-EX1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. Expand VAN-EX1 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click Microsoft-Server-ActiveSync.

3. In the center pane, and under IIS, double-click SSL Settings. Notice that SSL is required by default. Clear the Require SSL check box, and then click Apply.

Caution: In a production environment, you should require SSL for the Exchange ActiveSync virtual directory. You are disabling SSL only because the mobile emulator does not trust the server certificate.

4. Close Internet Information Services (IIS) Manager.

5. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

6. In the console tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Client Access.

7. In the result pane, click VAN-EX1, and in the work pane, click the Exchange ActiveSync tab.

8. Right-click Microsoft-Server-ActiveSync, and then click Properties.

9. Review the information on the General tab.

10. Click the Authentication tab. Notice that Basic authentication is enabled. This is acceptable, because SSL would normally be used to secure the credentials in transit.

11. Click the Remote File Servers tab. The options on this tab are the same as the Remote File Servers settings for accessing attachments using Outlook Web App, and are used for synchronizing file attachments. However, these options are independent of the Remote File Servers settings for accessing attachments using Outlook Web App. Click OK.

12. On VAN-CL1, click Start, point to All Programs, click Windows Mobile 6 SDK, click Standalone Emulator Images, and under US English, click WM 6.1.4 Professional.

13. While the emulator is booting, in the WM 6.1.4 Professional window, click File, and then click Configure.

14. On the Network tab, select the Enable NE2000 PCMCIA network adapter and bind to check box, and then click OK.

15. In Windows Mobile 6 Professional, click Start, and then click Settings.

16. Click the Connections tab, and then double-click Network Cards.

17. On the Configure Network Adapters page, under My network card connects to, click The Internet, and then click NE2000 Compatible Ethernet Driver.

18. Click Use specific IP address, and then type the following settings:

• IP address: 10.10.0.70

• Subnet mask: 255.255.0.0

• Default gateway: 10.10.0.1

19. On the Name Servers tab, type 10.10.0.10 as the DNS server address, and then click OK twice. Close the Settings window.

20. In the WM 6.1.4 Professional window, click Start, click Programs, and then click ActiveSync.

21. Read the ActiveSync information, and then click the set up your device to sync with it link.

22. On the Enter Email Address page, in the Email address box, type [email protected], and then click Next. The device will attempt to use Autodiscover to configure the user settings.

23. On the User Information page, type Scott in the User name field, type Pa$$w0rd in the Password field, Adatum in the Domain field, and then click Next.

24. On the Edit Server Settings page, in the Server Address field, type VAN-EX1.adatum.com, and then clear the This server requires an encrypted (SSL) connection check box.

25. In the ActiveSync message window, click OK, and then click Next.

26. In the Choose the data you wish to synchronize box, click Calendar, and then click Settings.

27. In the Synchronize only the past list, click All, and then, in the upper-right corner, click OK.

28. In the Choose the data you wish to synchronize box, click E-mail, and then click Settings.

29. In the Download the past list, click All, and then in the upper-right corner, click OK.

30. Confirm that the Contacts, Calendar, E-mail, and Tasks check boxes are selected, and then click Finish.

31. In the ActiveSync dialog box, click OK. After synchronization is complete, click the X in the upper-right corner to close ActiveSync. Close the Programs window.

32. On VAN-EX1, open Internet Explorer, and connect to https://van-ex1.adatum.com/owa.

33. Log on as adatum\Wei using the password Pa$$w0rd.

34. Click New, in the To field, type Scott, and then press CTRL+K to resolve the name.

35. In the Subject line, type Test Message from Wei.

36. In the message body, type Testing mobile messaging, and then click Send.

37. On VAN-CL1, in Windows Mobile 6 Professional, wait for a minute and then notice the animated Synchronization arrows indicating that the device is synchronizing automatically, triggered by the arrival of a message in Scott’s mailbox. Wait for the Windows Mobile device to complete synchronization.

38. At the bottom of the Today screen, view the notification stating that a new message has arrived. Click the notification and click View.

39. Open the message from the Inbox. Click Reply at the bottom of the message window.

40. In the message body, type Test Reply, and then click Send.

41. Wait until the device finishes synchronizing, and then, on VAN-EX1, in Outlook Web App, click the Check Messages icon or press F5 to refresh the screen, and then confirm that the message from Scott was received.

Demonstration: How to Configure Exchange ActiveSync Policies

Detailed demonstration steps

Demonstration steps

1. In the Exchange Management Console, access the Organization Configuration node, and then click Client Access.

2. Create New Exchange ActiveSync Mailbox Policy, and then configure the available settings.

3. After creating the policy, access the policy properties and configure the additional settings.

4. Access a user mailbox’s properties. On the Mailbox Features tab, click Exchange ActiveSync, and then click Properties. Assign the appropriate Exchange ActiveSync policy.

5. Confirm that the policy is being applied to the user.

Demonstration steps

1. On VAN-EX1, if required, open the Exchange Management Console.

2. In the console tree, expand Organization Configuration, and then click Client Access.

3. In the Actions pane, click New Exchange ActiveSync Mailbox Policy.

4. In the Mailbox policy name box, type EAS Policy 1.

5. Confirm that the Allow attachments to be downloaded to device option is selected. This option is required for mobile devices to synchronize attachments and store them locally on the device.

6. Select the Require password check box. This forces all accounts that synchronize to have a password. Any mailboxes without a password cannot be synchronized to a mobile device when this option is enabled. There are also additional password requirements that you can enable.

7. Select the Enable password recovery check box. This will enable users to recover their Windows Mobile password through the ECP.

8. Click New to create the mobile mailbox policy.

9. Read the completion summary, and then click Finish. Notice the Exchange Management Shell command that was used to create the new mobile mailbox policy.

10. Right-click EAS Policy 1, and then click Properties. Notice that the General tab has additional options:

11. Click the Password tab. Notice that there is an additional password option listed here, Number of failed attempts allowed, that was not available when creating the mobile mailbox policy. This password option wipes the device of all data after the specified number of failed attempts.

12. On the Sync Settings tab, review the configuration options.

13. On the Device tab, review the configuration options.

14. On the Device Applications tab, review the configuration options. To implement these settings, you must have an Enterprise Client Access License for each mailbox.

15. On the Other tab, review the options for allowing or blocking specific applications, and then click OK.

16. In the console tree, expand Recipient Configuration, and then click Mailbox.

17. In the result pane, right-click Scott MacDonald, and then click Properties.

18. Click the Mailbox Features tab, click Exchange ActiveSync, and then click Properties.

19. In the Exchange ActiveSync Properties dialog box, click Browse.

20. Select EAS Policy 1, and then click OK.

21. Click OK twice to save and apply the changes.

22. On VAN-CL1, wait for ActiveSync to synchronize, or click Menu, and click Send/Receive.

23. In the Update Required dialog box, click OK.

24. In the Password and the Confirm Password fields, type 12345, and then click OK.
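
The password options walked through in this demonstration (Require password, the additional password requirements, and Number of failed attempts allowed) can be reviewed across all policies with a small baseline check. The following PowerShell is an added example, not part of the course material: the function name, the thresholds, and both sample policies are assumptions, and the values shown for settings the demonstration does not set are constructed for illustration.

```powershell
# Added example: flags Exchange ActiveSync mailbox policies whose password
# settings fall short of a baseline. Thresholds are assumed values; adjust them.

function Test-EasPolicyBaseline {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Policy,
        [int] $MinLength = 6,          # assumed baseline, not from the course
        [int] $MaxFailedAttempts = 8   # assumed baseline, not from the course
    )
    process {
        $findings = @()

        if (-not $Policy.DevicePasswordEnabled) {
            $findings += 'Device password is not required'
        }
        else {
            if ($Policy.AllowSimpleDevicePassword) {
                $findings += 'Simple passwords (for example 12345) are accepted'
            }

            # MinDevicePasswordLength is empty when no minimum is set.
            $length = $Policy.MinDevicePasswordLength
            if (-not $length -or [int]"$length" -lt $MinLength) {
                $findings += "Minimum password length is below $MinLength"
            }

            # "Number of failed attempts allowed": unlimited means the device is never wiped.
            $attempts = "$($Policy.MaxDevicePasswordFailedAttempts)"
            if ($attempts -eq '' -or $attempts -eq 'Unlimited') {
                $findings += 'No limit on failed password attempts'
            }
            elseif ([int]$attempts -gt $MaxFailedAttempts) {
                $findings += "More than $MaxFailedAttempts failed attempts allowed"
            }
        }

        New-Object PSObject -Property @{
            Policy    = $Policy.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Constructed sample policies. "EAS Policy 1" mirrors the check boxes selected in
# the demonstration; the remaining values are assumptions.
$policies = @(
    (New-Object PSObject -Property @{
        Name                            = 'EAS Policy 1'
        DevicePasswordEnabled           = $true
        PasswordRecoveryEnabled         = $true
        AttachmentsEnabled              = $true
        AllowSimpleDevicePassword       = $true
        MinDevicePasswordLength         = $null
        MaxDevicePasswordFailedAttempts = 'Unlimited'
    }),
    (New-Object PSObject -Property @{
        Name                            = 'Executives (constructed)'
        DevicePasswordEnabled           = $true
        PasswordRecoveryEnabled         = $true
        AttachmentsEnabled              = $true
        AllowSimpleDevicePassword       = $false
        MinDevicePasswordLength         = 8
        MaxDevicePasswordFailedAttempts = 5
    })
)

$policies | Test-EasPolicyBaseline | Format-List Policy, Compliant, Findings

# In the Exchange Management Shell, check the real policies instead:
#   Get-ActiveSyncMailboxPolicy | Test-EasPolicyBaseline
```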

Demonstration: How to Manage Mobile Devices

Detailed demonstration steps

Demonstration steps

1. As a user, connect to the ECP site on a Client Access server.

2. Log on and access the Phone tab on the user Properties page.

3. As an Exchange administrator, access the user in the Exchange Management Console Mailbox container, and then click OK.

4. In the Actions pane, click Manage Mobile Device.

5. On the Manage Mobile Device page, view the options available to manage the mobile device, including wiping the device.

Demonstration steps

1. On VAN-CL1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp.

2. Log on as Adatum\Scott using the password Pa$$w0rd.

3. Click Phone. Notice the PocketPC listed in the Device list.

4. On VAN-EX1, in the Exchange Management Console, under Recipient Configuration, click Mailbox.

5. In the result pane, click Scott MacDonald.

6. In the action pane, click Refresh.

7. In the action pane, click Manage Mobile Phone.

8. On the Manage Mobile Phone page, click Perform a remote wipe to clear mobile phone data, and then click Clear.

9. In the Microsoft Exchange warning message, click Yes, and then click Finish.

10. In Windows Mobile 6 Professional, wait for the device to synchronize. You can also force synchronization by opening Exchange ActiveSync, and then clicking Sync. Confirm that the device is wiped. If the device goes blank, it is rebooting after performing the remote wipe.

11. On the Windows Mobile 6 Professional window File menu, click Exit.

Module Reviews and Takeaways

Review questions

1. You need to ensure that users from the Internet can connect to a Client Access server by using Outlook Anywhere. How will you configure the firewall between the Internet and the Client Access server?

Answer: You need to enable port 443 access to the Client Access server, and enable access to the \RPC virtual directory.

2. You need to ensure that the same Exchange ActiveSync policies are assigned to all users, with the exception of the Executives group. This group requires higher security settings. What should you do?

Answer: You should configure the default Exchange ActiveSync Mailbox policy with the settings for all users. You should then create a new policy for the Executive group, and assign the policy to all members of the Executive group.

3. You have deployed an Exchange Server 2010 server in an organization that includes several Exchange Server 2003 servers. How will Exchange Server 2010 obtain free\busy information for user mailboxes on the Exchange Server 2003 servers?

Answer: The Client Access server will query the Schedule+ Free\Busy folder on an Exchange Server 2003 server.

Common issues related to client connectivity to the Client Access server

Identify the causes for the following common issues related to client connectivity to the Client Access server, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Users using Web browsers other than Internet Explorer may have trouble authenticating.

Troubleshooting tip: Although Exchange Server 2010 supports most Web browsers, your Web browser may not support forms-based authentication or Windows Integrated Authentication. As a last resort, you can use Basic Authentication with SSL.

Issue: Clients receive certificate-related errors when they connect to the Client Access server.

Troubleshooting tip: Ensure that the certificate configured on the Client Access server is trusted by all clients. The best way to do this is to obtain a certificate from a trusted Public CA.

Issue: Users from the Internet are not able to connect to the Client Access server.

Troubleshooting tip: Use a tool such as Microsoft Exchange Server Remote Connectivity Analyzer to identify the issue. Many components must be functioning to enable connectivity. The Remote Connectivity Analyzer tool will check information such as DNS records, authentication, certificate issues, and Autodiscover.

Real-world issues and scenarios

1. Your organization has two locations with an Internet connection in each location. You need to ensure that when users access their e-mail using Outlook Web App from the Internet, they will always connect to the Client Access server in their home office.

First, configure an external URL for each Client Access server. The external URL will be the name that the clients use to connect to the server. Next, ensure that you have configured a DNS host record for each Client Access server using the external URL.

2. You are planning on enabling Outlook Web App, Outlook Anywhere, and Exchange ActiveSync access to your Client Access server. You want to ensure that all client connections are secure by using SSL, and that none of the clients receives errors when they connect to the Client Access server. You plan on requesting a certificate from a Public CA. What should you include in the certificate request?

You should request a certificate with multiple subject alternative names so that all client connections are supported using the protocol-specific server name. You should also include the Autodiscover name in the subject alternative names if you are enabling Autodiscover to the Internet.

3. You have deployed two Client Access servers in the same Active Directory site. When one of the Client Access servers shuts down, users can no longer access their e-mail. What should you do?

You should configure the Client Access servers in an array to ensure redundancy.

Best practices related to planning the Client Access server deployment

Supplement or modify the following best practices for your own work situations.

When designing the Client Access server configuration, consider the following recommendations:

• The recommended processor configuration for Client Access servers is eight processor cores, and the maximum recommended number of processor cores is 12. You should deploy at least two processor cores for Client Access servers—even in small organizations—because of the addition of the RPC Client Access service on the Client Access server.

• As a general guideline, you should deploy three Client Access server processor cores in an Active Directory site for every four Mailbox server processor cores.

• The recommended memory configuration for Client Access server is 2 gigabytes (GB) per processor core, with a maximum of 8 GB.

• Deploying Client Access servers on a perimeter network is not a supported scenario. The Client Access server must be deployed on the internal network. The Client Access server role must be installed on a member server, and it must have access to a domain controller and global catalog server, as well as the Mailbox servers inside the organization.

Tools

Tool: Microsoft Exchange Server Remote Connectivity Analyzer

• Use for: Troubleshooting Internet connectivity for messaging clients.

• Where to find it: http://go.microsoft.com/fwlink/?LinkId=179969

Tool: Test E-Mail AutoConfiguration

• Use for: Troubleshooting Outlook connectivity to the Client Access server.

• Where to find it: Open Outlook, press and hold CTRL, right-click the Outlook connection object, and then click Test E-Mail AutoConfiguration.

Tool: Internet Information Server (IIS) Manager

• Use for: Configuring SSL settings for Client Access server virtual directories.

• Where to find it: Administrative Tools

Lab Review Questions and Answers

Question: You need to ensure that users from the Internet can connect to a Client Access server by using Outlook Anywhere. How will you configure the firewall between the Internet and the Client Access server?

Answer: You need to enable port 443 access to the Client Access server, and enable access to the \RPC virtual directory.

Question: You need to ensure that the same Exchange ActiveSync policies are assigned to all users, with the exception of the Executives group. This group requires higher security settings. What should you do?

Answer: You should configure the default Exchange ActiveSync Mailbox policy with the settings for all users. You should then create a new policy for the Executive group, and assign the policy to all members of the Executive group.

Question: You have deployed an Exchange Server 2010 server in an organization that includes several Exchange Server 2003 servers. How will Exchange Server 2010 obtain free\busy information for user mailboxes on the Exchange Server 2003 servers?

Answer: The Client Access server will query the Schedule+ Free\Busy folder on an Exchange Server 2003 server.

Module 5 Managing Message Transport

Contents:

• Lesson 1: Overview of Message Transport

• Lesson 2: Configuring Message Transport

• Module Reviews and Takeaways

• Lab Review Questions and Answers

Lesson 1

Overview of Message Transport

Contents:

• Question and Answers

• Detailed Demo Steps

• Additional Reading

Question and Answers

Discussion: Overview of Message Flow

Question: What is SMTP?

Answer: SMTP is a TCP/IP-based message transfer protocol that governs the exchange of electronic mail between message transfer agents.

Question: What are the various message-flow scenarios?

Answer: There are four message-flow scenarios:

• Inbound mail flow. Refers to e-mail that comes into an Exchange Server 2010 organization from the Internet. In this scenario, a gateway server, which can be an Edge Transport server or a Hub Transport server, accepts mail from the Internet, and routes it to the internal Exchange Server 2010 organization.

• Outbound mail flow. Refers to e-mail that travels from an Exchange Server 2010 organization to the Internet. After a Hub Transport server processes the mail and identifies it as outbound mail, the server routes it to the Internet, either directly or through a gateway server. The gateway server can be an Edge Transport server.

• Local mail flow. Refers to e-mail that a Hub Transport server processes in an Exchange Server 2010 organization and then delivers to a mailbox on the same Active Directory site.

• Remote mail flow. Refers to e-mail that a Hub Transport server processes in an Exchange Server 2010 organization and then delivers to a mailbox on a different Active Directory site from the source mailbox.

Question: What type of message-flow scenarios do most organizations implement?

Answer: Most organizations implement inbound, outbound, and local mail flow. An organization typically uses remote mail flow only if it has multiple Active Directory sites with Mailbox servers. Many smaller companies do not use remote mail flow. Also, large companies that have centralized their Mailbox servers in a single data center might not use remote mail flow.

Detailed Demo Steps

Demonstration: How to Troubleshoot SMTP Message Delivery

Demonstration steps

1. Open the Command Prompt window.

2. To start the Telnet tool, at the command prompt, type Telnet VAN-EX1 SMTP, and try to send a mail using Telnet.

3. In Exchange Management Console, from the Toolbox pane, start the Queue Viewer tool.

4. Suspend and resume the Submission queue.

5. Close Queue Viewer.

Demonstration steps

1. On VAN-DC1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.

Explain that we now will use Telnet to check if the Exchange Server responds correctly.

2. At the command prompt, type Telnet VAN-EX1 SMTP, and then press ENTER.

Telnet is a tool to directly communicate with an IP port. You can use the port number or the service name. Here we type in SMTP, which will use port 25.

Once the Exchange server responds, explain to students that the connection is working, and that the server does respond to our request. Therefore, there is no problem with a firewall. You also can tell the students that if the response does not include the information shown, there is something wrong. Most likely, it is a firewall issue or the Microsoft Exchange Transport service is not started on the Exchange server.

3. At the command prompt, type helo, and then press ENTER.

4. At the command prompt, type help, and press ENTER.

Explain that here the students see the services that the Exchange Server offers. For example, the STARTTLS indicates that TLS is available for secure communication.

5. Type mail from:[email protected], and press ENTER.

After you press ENTER, the connection will be lost and you will receive a “client not authenticated” message. This means that the Exchange Server expects authentication before being able to send messages. Also, this indicates that anonymous users are not enabled for this receive connector.

6. Type exit, and press ENTER.

7. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

8. In Exchange Management Console, expand Microsoft Exchange On-Premises, and then click Toolbox.

9. In the Toolbox pane, scroll down to Mail flow tools, and then double-click Queue Viewer.

Explain that the Queue Viewer tool looks into the message queues of the local server. Therefore, you will see immediately if a message is not correctly delivered. It would be good to have a mail in the queue so you can show the students the error message and also the properties, like retry.

10. Right-click Submission queue, and then click Suspend.

This will stop the queue so that it delivers no more messages. Thus, you can manually stop specific queues on an Exchange Server using the Queue Viewer. If you write a new mail, it remains in the queue until the administrator decides to resume the queue.

11. Right-click Submission queue, and then click Resume.

12. Close Queue Viewer.
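
The Telnet part of this demonstration reads two things from the server's replies: whether STARTTLS is advertised, and whether MAIL FROM is refused with a "client not authenticated" message. The following PowerShell is an added example, not part of the course material, that parses replies pasted from such a session. The function names and both sample replies are constructed for illustration, and it assumes the extension list comes from the reply to EHLO, the SMTP command that lists service extensions.

```powershell
# Added example: interprets SMTP replies captured from a Telnet test session.

function ConvertFrom-SmtpReply {
    param([Parameter(Mandatory = $true)] [string] $Text)

    # A reply is one or more lines: "250-text" continues, "250 text" ends the reply.
    $code  = $null
    $lines = @()
    foreach ($raw in ($Text -split "`r?`n")) {
        if ($raw.Trim() -eq '') { continue }
        if ($raw -notmatch '^(\d{3})(?:([ -])(.*))?$') {
            throw "Not an SMTP reply line: $raw"
        }
        if ($code -and $Matches[1] -ne $code) {
            throw "Reply code changed inside one reply: $raw"
        }
        $code   = $Matches[1]
        $lines += "$($Matches[3])"
        if ($Matches[2] -ne '-') {
            return New-Object PSObject -Property @{ Code = [int]$code; Lines = $lines }
        }
    }
    throw 'Reply has no final line (a code followed by a space)'
}

function Get-SmtpReceiveFinding {
    param(
        [Parameter(Mandatory = $true)] [string] $EhloReply,
        [Parameter(Mandatory = $true)] [string] $MailFromReply
    )
    $ehlo = ConvertFrom-SmtpReply -Text $EhloReply
    $mail = ConvertFrom-SmtpReply -Text $MailFromReply

    # The first EHLO line is the greeting; each later line names one extension.
    $startTls = $false
    $auth     = ''
    foreach ($line in ($ehlo.Lines | Select-Object -Skip 1)) {
        if (-not $line) { continue }
        $keyword, $rest = $line -split '\s+', 2
        switch ($keyword.ToUpperInvariant()) {
            'STARTTLS' { $startTls = $true }
            'AUTH'     { $auth = $rest }
        }
    }

    # 2xx to an unauthenticated MAIL FROM means the connector accepts anonymous senders.
    if ($mail.Code -ge 200 -and $mail.Code -lt 300) { $anonymous = 'Accepted' }
    elseif ($mail.Code -eq 530)                     { $anonymous = 'AuthenticationRequired' }
    else                                            { $anonymous = "Rejected ($($mail.Code))" }

    New-Object PSObject -Property @{
        StartTlsOffered = $startTls
        AuthMechanisms  = $auth
        AnonymousMail   = $anonymous
        MailFromReply   = ($mail.Lines -join ' ')
    }
}

# Constructed sample replies (not captured from a real server).
$ehloSample = @'
250-VAN-EX1.Adatum.com Hello [10.10.0.10]
250-SIZE 10485760
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH NTLM
250-8BITMIME
250 CHUNKING
'@
$mailFromSample = '530 5.7.1 Client was not authenticated'

Get-SmtpReceiveFinding -EhloReply $ehloSample -MailFromReply $mailFromSample |
    Format-List StartTlsOffered, AuthMechanisms, AnonymousMail, MailFromReply
```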

Additional Reading

Tools for Troubleshooting SMTP Message Delivery

• Microsoft Exchange Analyzers

• Helpfile: Use Telnet to Test SMTP Communication

Lesson 2

Configuring Message Transport

Contents:

• Detailed Demo Steps

• Additional Reading

Detailed Demo Steps

Demonstration: How to Configure Hub Transport Servers

Demonstration steps

1. On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

3. On the Global Settings tab, double-click Transport Settings and review the options on the Message Delivery tab.

4. In Exchange Management Console, expand Server Configuration, and then click Hub Transport. Open Hub Transport server properties and review the options on the Log Settings tab and Limits tab.

5. At the Exchange Management Shell command prompt, type Get-TransportServer -I van-ex1 |fl, and then press ENTER.

Demonstration steps

1. On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

3. On the Global Settings tab, double-click Transport Settings.

4. In the Transport Settings Properties dialog box, click the Message Delivery tab. Click OK.

5. In Exchange Management Console, expand Server Configuration, and then click Hub Transport.

6. In the Hub Transport pane, right-click VAN-EX1, and then click Properties.

7. In the VAN-EX1 Properties dialog box, click the Log Settings tab.

8. Click the Limits tab. Click OK.

9. Click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.

10. At the command prompt, type Get-TransportServer -I van-ex1 |fl, and then press ENTER.

Demonstration: How to Configure Accepted and Remote Domains

Demonstration steps

1. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

2. Click the Accepted Domains tab, and then double-click Adatum.com. Click OK.

3. Click New Accepted Domain and create an accepted domain for adatum.local as Internal Relay Domain.

4. Click the Remote Domains tab, and review the default remote domain settings. Click OK.

5. Click New Remote Domain, and create a remote domain for contoso.com.

Demonstration steps

1. On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

3. Click the Accepted Domains tab.

4. In the Accepted Domains pane, double-click Adatum.com.

5. Click OK.

6. In the Actions pane, click New Accepted Domain.

7. In the New Accepted Domain window, in the Name box, type adatum.local, and in the Accepted Domain box, type adatum.local.

8. Click Internal Relay Domain, and then click New. Explain what is required to create a new internal relay domain.

9. Click the Finish button.

10. Click the Remote Domains tab. First, explain what the “*” default setting in remote domains means.

11. Double-click Default, and review the settings available on the default remote domain. These settings will apply to all messages sent outside the organization. Click OK.

12. In the Actions pane, click New Remote Domain.

13. In the New Remote Domain window, in the Name box, type contoso.com, and in the Domain name box, type contoso.com.

14. Click New, then click Finish.

15. In the Remote Domains pane, double-click contoso.com. Review the configuration options.

16. Click Cancel.

Demonstration: How to Configure SMTP Send and Receive Connectors

Demonstration steps

1. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

2. Click the Send Connectors tab and create a New Send Connector.

3. In Exchange Management Console, expand Server Configuration, and then click Hub Transport.

4. Click New Receive Connector and create a Receive connector that allows the anonymous group to send messages.

Demonstration steps

1. On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

3. Click the Send Connectors tab.

4. In the Actions pane, click New Send Connector.

5. In the New Send Connector window, in the Name box, type contoso.com.

6. In the Select the intended use for this Send connector list, click Internet, and then click Next.

7. In the Address space pane, click Add.

8. In the SMTP Address Space dialog box, in the Address box, type contoso.com, and then click OK.

9. Click Next.

10. In the Network settings pane, click Use domain name system (DNS) “MX” records to route mail automatically, and click Next.

11. In the Source Server pane, click Next.

12. In the New Connector pane, click New, and then click Finish.

13. In the Send Connectors pane, double-click contoso.local.

14. Click Cancel.

15. Expand Server Configuration, and then click Hub Transport.

16. In the VAN-EX1 pane, click New Receive Connector.

17. In the New Receive Connector window, in the Name box, type Anonymous Receive.

18. In the Select the intended use for this Receive connector list, click Internet, and then click Next.

19. In the Local Network settings pane, click Edit.

20. In the Edit Receive Connector Binding window, in the Port box, type 2525, click OK, and then click Next.

21. In the Completion pane, click Finish.

Additional Reading

What Is a Remote Domain?

• Additional Character Sets

What Is Back Pressure?

• You can find additional information about how to configure back pressure in the Exchange Server 2010 help file.

Module Reviews and Takeaways

Common issues related to Managing Message Transport

Identify the causes for the following common issues related to Managing Message Transport, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: You configure a Send Connector to the Internet, but messages cannot be transferred over it.

Troubleshooting tip: Use Telnet on the Hub Transport server that is trying to send the mail, and connect to the target SMTP server on the Internet to see what the issue is. Often you cannot reach it because of DNS resolution or firewall settings.

Issue: You want to understand over what hops the message has been transferred.

Troubleshooting tip: Use Message Tracking or view the header of the message in Outlook Web App.

Issue: Your Exchange Server does not accept messages for the domain adatum-info.com.

Troubleshooting tip: Verify that this domain is part of the Accepted Domains in Organization Configuration under Hub Transport.

Lab Review Questions and Answers

Question: What would you need to configure to enable outbound Internet e-mail from each of Adatum’s locations?

Answer: You must ensure that local Internet connectivity is available at every location, and you then need to configure a SMTP send connector at every site.

Question: A user reports that she sent a message to a user in another company two hours ago, and the message has not arrived. How would you troubleshoot this?

Answer: Use Message Tracking to see if the e-mail left A. Datum, and then use Queue Viewer to verify that the e-mail is not stuck in any queues.

Question: After A. Datum bought some new locations, you want to make sure that all e-mail messages are passed through the main site in Vancouver. How would you do that?

Answer: Possible answers include:

• Configure hub sites to add additional hops to the message delivery

• Configure Exchange-specific routing costs to override the IP site-link costs

• Configure expansion servers for distribution groups

Module 6 Implementing Messaging Security

Contents:

Lesson 1: Deploying Edge Transport Servers

Lesson 2: Deploying an Antivirus Solution

Lesson 3: Deploying an Anti-Spam Solution

Lesson 4: Configuring Secure SMTP Messaging

Module Reviews and Takeaways

Lab Review Questions and Answers

Lesson 1

Deploying Edge Transport Servers

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

Discussion: Securing Edge Transport Servers

Question: Why is it important to secure Edge transport servers?

Answer: The Edge Transport server role performs a number of functions such as routing messages between the Exchange Server organization and the Internet, and providing antivirus and anti-spam protection. You typically install this server role in the perimeter network. This location makes the Edge Transport server role more vulnerable than the other servers on your protected network. Therefore, you must perform certain additional tasks to secure this server role.

Question: What factors should you consider at the operating system level?

Answer: Answers can vary, from implementing a firewall solution, implementing restrictive password policies, to enforcing very strong passwords. However, the best tool around is the Security Configuration Wizard (SCW) that is part of Windows Server 2003 and newer versions. The Windows Server 2008 Administrative Tools includes the SCW. SCW is an easy-to-use wizard that allows you to quickly create and apply security templates to servers. It provides a user-friendly interface to configure your Windows servers not only for the Edge Transport role, but also for other products.

Question: How do you secure an Edge Transport server?

Answer: The Edge Transport server includes certain security settings by default. For example, you can configure secure Transport Layer Security (TLS) for SMTP communication. All these features will be discussed later in this module.

Detailed Demo Steps

Demonstration: How to Configure Edge Transport Servers

Demonstration steps

1. Open the Exchange Management Console.

2. Review the Edge Transport server role’s default configuration settings including the default anti-spam settings, Send and Receive Connectors and Accepted Domains.

Demonstration steps

1. On VAN-EDG, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In Exchange Management Console, in the left pane, click Edge Transport. Note that the console is focused just on an Edge Transport server, and that there is no organization node. You must manage each Edge Transport server individually.

3. Review the configuration options on the Anti-spam tab. These settings will be covered in detail later in the module.

4. Click the Receive Connectors tab, and then double-click Default internal receive connector VAN-EDG.

5. Review the receive connector properties. This connector will accept SMTP connections from all IP addresses and will accept anonymous connections. If you are using this server as a SMTP gateway server, you do not need to configure any other receive connectors to enable the server to accept messages. Click Cancel.

6. Click the Send Connectors tab. Note that no Send Connectors are configured on the server. In order to send e-mail, either to the internal network or to the Internet, you will need to configure a Send Connector.

7. Click the Transport Rules tab. Note that no transport rules are configured by default. You can use transport rules to apply actions to messages as they pass through the Edge Transport server.

8. Click the Accepted Domains tab. Note that no accepted domains are configured. This means that you would need to configure an accepted domain before the Edge Transport server will accept any messages.

Demonstration: How to Configure Edge Synchronization

Demonstration steps

• On the Edge Transport server, in the Exchange Management Shell, run the New-EdgeSubscription -FileName “c:\van-edge.xml” command.

• Import the Edge subscription file using the Exchange Management Console on the Hub Transport server.

• Use Start-EdgeSynchronization and Test-EdgeSynchronization to test Edge synchronization.

• Review the changes made to the Edge Transport server after Edge Synchronization.

• Configure address rewriting using the New-addressRewriteEntry command.

Demonstration steps - Enable Edge Synchronization

1. On VAN-EDG, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.

2. In Exchange Management Shell, at the command prompt, type New-EdgeSubscription -FileName “c:\van-edg.xml” and press ENTER.

3. In the Confirm text dialog box, enter Y.

4. Click Start, and in the Search box, type \\VAN-EX1\c$ and press ENTER. Copy c:\van-edg.xml to the server \\VAN-EX1\c$.

Best Practice: Remember that in real-world scenarios, it would be a security violation if you were able to copy the EdgeSubscription file directly from the Edge Transport server to the Hub Transport server. Normally, you should use a USB device or other means to copy the file.

5. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

6. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

7. In the Hub Transport pane, click the Edge Subscriptions tab.

8. In the Actions pane, click New Edge Subscription.

9. In the New Edge Subscription window, select Default-First-Site-Name as Active Directory site, and C:\VAN-EDGE.XML as Subscription file, and then click New.

10. On the Completion page, click Finish.

Demonstration steps - Test Edge Synchronization

1. Click Start, point to All Programs, point to Microsoft Exchange Server 2010, and click Exchange Management Shell.

2. In Exchange Management Shell, at the PS prompt, type Start-EdgeSynchronization, and then press ENTER. Verify that the synchronization was successful.

3. In Exchange Management Shell, at the PS prompt, type Test-EdgeSynchronization, and then press ENTER.

4. On VAN-EDG, in the Exchange Management Console, click Edge Transport.

5. On the Receive Connectors tab, confirm that no new receive connectors have been added. The default connector is configured to receive e-mail from all source addresses on port 25.

6. Click the Send Connectors tab, and click Refresh. Confirm that a new connector named EdgeSync – Default-First-Site-Name to Internet has been created. Double-click EdgeSync – Default-First-Site-Name to Internet.

7. On the Address Space tab, confirm that an address space of * is configured.

8. On the Network tab, confirm that the connector will use DNS to route e-mail. Click OK.

9. On the Accepted Domain tab, confirm that the internal domains are listed as authoritative domains.

10. On VAN-EX1, in the Exchange Management Console, in the Organization Configuration work area, click Hub Transport. On the Send Connectors tab, confirm that the EdgeSync – Default-First-Site-Name to Internet connector is displayed.

11. Double-click the connector. On the Source Server tab, confirm that VAN-EDG is listed as the source server. Click OK.

Demonstration steps - Configure address rewriting

1. On VAN-EDG, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell. When you configure address rewriting, Exchange rewrites all e-mail messages with the domain name Adatum.com to display a domain name of Bdatum.com when they leave the organization. This feature is useful when an organization requires different mail domain names internally and externally.

2. In Exchange Management Shell, at the command prompt, type New-addressRewriteEntry -Name “Bdatum.com” -InternalAddress adatum.com -ExternalAddress bdatum.com, and then press ENTER.

Lesson 2

Deploying an Antivirus Solution

Contents:

Detailed Demo Steps

Additional Reading

Detailed Demo Steps

Demonstration: How to Configure Forefront Protection 2010 for Exchange Server

Demonstration steps

1. Install Forefront Protection 2010 for Exchange Server.

2. Open the Forefront Protection 2010 administration console.

3. Configure Antimalware - Edge Transport settings.

4. Configure Antispam - Content Filter settings.

5. Configure Global Settings.

Demonstration steps - Install Forefront Protection 2010 for Exchange Server

1. In the 10135A-VAN-EDG on localhost – Virtual Machine Connection window, on the File menu, click Settings.

2. Click DVD Drive, and then click Image File.

3. Click Browse, and browse to C:\Program Files\Microsoft Learning\10135\Drives. Click ForeFrontInstall.iso, and click Open. Click OK.

4. On VAN-EDG, click Start, in the Search field, type D:\, and then press ENTER.

5. In Windows Explorer, double-click forefrontexchangesetup.exe.

6. In the Setup Wizard Window, on the License Agreement page, click I agree to the terms of the license agreement and privacy statement, and then click Next.

7. On the Service Restart page, click Next.

8. On the Installation Folders page, click Next.

9. On the Proxy Information page, click Next.

10. On the Antispam Configuration page, click Enable antispam later, and then click Next.

11. On the Microsoft Update page, click I don’t want to use Microsoft Update, and then click Next.

12. On the Customer Experience Improvement Program page, click Next.

13. On the Confirm Settings page, click Next. Wait for the installation to finish. It will take about five minutes.

14. On the Installation Results page, click Finish. Close Windows Explorer.

Demonstration steps - Configure Forefront Protection 2010 for Exchange Server

1. Click Start, point to All Programs, point to Microsoft Forefront Server Protection, and then click Forefront Protection for Exchange Server Console.

2. In the Evaluation License Notice dialog box, click OK.

3. In Forefront Protection 2010 for Exchange Server Administrator Console, in the left pane, click Policy Management.

4. In the Policy Management pane, expand Antimalware, and then click Edge Transport.

5. In the Antimalware – Edge Transport pane, in the Engines and Performance section, select the Scan with a dynamically chosen subset of engines check box.

6. In the Additional Options section, verify that the Optimize for performance by not rescanning messages already virus scanned check box is selected.

7. Click Save.

8. In the Policy Management pane, expand Antispam, and then click Configure.

9. In the Antispam – Configure pane, click the Enable Antispam Filtering button.

10. In the Service Restart Required window, click Yes.

11. Select the Enable content filtering check box. Under SCL Thresholds and Actions, in the Suspected spam drop-down list, select SCL 5 to 7. Explain the impact of this setting to the students and explain the other options to reject or delete messages above this SCL level.

12. Click Save.

13. In the Policy Management pane, expand Global Settings, and then click Scan Options. Explain the options that you can configure here.

14. Under Global Settings, click Engine Options. Explain the options that you can configure here.

15. Under Global Settings, click Advanced Options. Explain the options that you can configure here. Focus mainly on Threshold Levels and Intelligent Engine Management.

Demonstration steps - Manage Forefront Protection 2010

1. In Forefront Protection 2010 for Exchange Server Administrator Console, in the left pane, click Monitoring.

2. In the Monitoring pane, under Server Security Views, click Incidents. Explain what kind of incidents you would see here. For example, a message that has a virus detected will appear here.

3. In the Monitoring pane, under Server Security Views, click Quarantine. Explain that the items that were configured for Quarantine based on the SCL level are found here.

4. In the Monitoring pane, under Server Security Views, click Dashboard. Explain the different Monitors available on this page.

5. In the Monitoring pane, under Configuration, click Notifications. Explain some of the available notifications and their use. For example, you should consider carefully whether to use Engine Update failed, because it is important for keeping your engines updated to prevent virus attacks. Ask the students if they find a Virus found notification useful, especially in large organizations that detect dozens of viruses every day. Typically, a Virus found notification is not useful as a permanent setting. It only makes sense to enable it for the first couple of hours, to check that viruses are being detected correctly.

Additional Reading

What Is Forefront Protection 2010 for Exchange Server?

• Protecting Your Microsoft Exchange Organization with Microsoft Forefront Protection 2010 for Exchange Server

Forefront Protection 2010 Deployment Options

• Forefront Protection 2010 for Exchange Server Best Practices - Deployment considerations

Lesson 3

Deploying an Anti-Spam Solution

Contents:

Detailed Demo Steps

Detailed Demo Steps

Demonstration: How to Configure Anti-Spam Options

Demonstration steps

1. Open Exchange Management Console, and on the Edge Transport server, click the Anti-spam tab.

2. Configure the following Connection filters:

• IP Allow List

• IP Block List

• IP Block List Providers

3. Add the zen.spamhaus.org domain to the IP Block List Providers list.

4. Configure the following filtering features:

• Sender filtering

• Recipient filtering

• Sender ID

• Sender Reputation

• Content filtering

5. Configure the Edge Transport server to quarantine messages with an SCL rating greater than 7.

Demonstration steps - Configure connection filters

1. On VAN-EDG, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In Exchange Management Console, click Edge Transport.

3. In the Edge Transport pane, click the Anti-spam tab.

4. In the VAN-EDG pane, double-click IP Allow List.

5. On the Allowed Addresses tab, click Add. In the Add Allowed IP Address- CIDR dialog box, type 10.10.0.11, and then click OK twice. Adding this entry means that all messages from this IP address will be accepted without any additional content filtering.

6. In the VAN-EDG pane, double-click IP Block List.

7. On the Blocked Addresses tab, click Add. In the Add Blocked IP Address- CIDR dialog box, type 10.10.0.12, and then click OK twice. Adding this entry means that all SMTP connections from this IP address will be rejected.

8. In the VAN-EDG pane, double-click IP Block List Providers.

9. In the IP Block List Providers Properties dialog box, click the Providers tab, and then click Add.

10. Type Spamhaus in the Provider name box, type zen.spamhaus.org in the Lookup Domain box, and then click OK twice. After adding this entry, the Edge Transport server will query the IP block list provider whenever a SMTP server attempts to make a connection. If the SMTP server IP address is on the block list, the connection will be dropped.
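How the block list lookup configured in step 10 works on the wire, as an added example that is not part of the course material: the connecting address is reversed octet by octet, prefixed to the lookup domain, and resolved as an A record. The function names and sample answers are constructed for illustration; the 127.0.0.x listing range and the 127.255.255.x error range are the ones Spamhaus documents for its zones.

```powershell
# Added example: DNSBL query construction and answer handling.
# Written for PowerShell 2.0 so it also runs in the Exchange 2010 shell.

function Get-DnsblQueryName {
    param([string]$IPAddress, [string]$LookupDomain)
    if ($IPAddress -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
        throw "Not a dotted-quad IPv4 address: $IPAddress"
    }
    $octets = $IPAddress.Split('.')
    [Array]::Reverse($octets)                 # 10.10.0.12 becomes 12.0.10.10
    return (($octets -join '.') + '.' + $LookupDomain.Trim('.'))
}

function Get-DnsblVerdict {
    # $Answers: the A records returned for the query name; none means NXDOMAIN.
    param([string[]]$Answers)
    $Answers = @($Answers | Where-Object { $_ })
    if ($Answers.Count -eq 0) { return 'NotListed' }

    # 127.255.255.x reports a problem with the query itself (for example a
    # resolver the provider refuses to serve). It is not a listing.
    $errors = @($Answers | Where-Object { $_ -like '127.255.255.*' })
    if ($errors.Count -gt 0) { return 'ProviderError' }

    $listings = @($Answers | Where-Object { $_ -like '127.0.0.*' })
    if ($listings.Count -gt 0) { return 'Listed' }

    # Anything else (a wildcard record, a parked domain) must not be read as a listing.
    return 'Unexpected'
}

function Test-DnsblListing {
    # Live lookup. A name that does not resolve is treated as not listed, so a
    # resolver outage makes this check pass every sender.
    param([string]$IPAddress, [string]$LookupDomain)
    $name = Get-DnsblQueryName $IPAddress $LookupDomain
    try {
        $answers = @([System.Net.Dns]::GetHostAddresses($name) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $answers = @()
    }
    return (Get-DnsblVerdict -Answers $answers)
}

# Offline walk-through with constructed answers (no DNS traffic is generated).
$queryName = Get-DnsblQueryName '10.10.0.12' 'zen.spamhaus.org'
"Query name: $queryName"

$cases = @(
    @{ Label = 'no answer (NXDOMAIN)'; Answers = @() },
    @{ Label = 'listing code';         Answers = @('127.0.0.2') },
    @{ Label = 'provider error code';  Answers = @('127.255.255.254') },
    @{ Label = 'answer outside 127/8'; Answers = @('192.0.2.1') }
)
foreach ($case in $cases) {
    '{0,-22} -> {1}' -f $case.Label, (Get-DnsblVerdict -Answers $case.Answers)
}
```

A provider entry that treats any returned address as a match would read the error codes as listings and reject legitimate mail, so match on the specific listing codes you intend to act on.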

Demonstration steps - Configure sender and recipient filters

1. In the VAN-EDG pane, double-click Recipient Filtering.

2. On the Blocked Recipients tab, select the Block messages sent to the following recipients check box.

3. In the Block messages sent to the following recipients text box, type [email protected], and then click Add. Click OK.

4. On the Anti-spam tab, right-click Sender Filtering, and then click Properties.

5. On the Blocked Senders tab, click Add.

6. In the Add Blocked Senders dialog box, under Individual e-mail address, type [email protected], and click OK twice.

Demonstration steps - Configure sender ID and sender reputation filters

1. On VAN-DC1, open the DNS management console.

2. Expand Forward Lookup Zones, and then click Adatum.com.

3. Right-click Adatum.com, and then click Other New Records.

4. In the Resource Record Type dialog box, click Text (TXT), and then click Create Record.

5. In the New Resource Record dialog box, in the Text box, type v=spf1 ip4:10.10.0.40 -all, and then click OK. This record configures the Sender ID filter to accept connections only from 10.10.0.40 for the Adatum.com domain. Normally, you would configure this entry on the DNS server that is responsible for your domain on the Internet.

6. In the Resource Record Type dialog box, click Done.

7. On VAN-EDG, in Exchange Management Console, on the Anti-spam tab, right-click Sender ID, and then click Properties.

8. In the Sender ID Properties dialog box, on the Action tab, click Reject Message, and then click OK.

9. In the VAN-EDG pane, double-click Sender Reputation.

10. On the Action tab, move the slider two stops to the left, and then click OK.
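What the TXT record from step 5 means to a receiving filter, as an added example that is not part of the course material: a reduced SPF evaluator that handles only the ip4 and all mechanisms used in this demonstration. The function names and the 10.10.0.12 test sender are constructed; other valid mechanisms are reported as NotEvaluated rather than interpreted.

```powershell
# Added example: reduced SPF evaluation (ip4 and all only), PowerShell 2.0 compatible.

function Get-IPv4Number {
    param([string]$Address)
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Not a dotted-quad IPv4 address: $Address" }
    $n = [double]0
    foreach ($octet in $Address.Split('.')) {
        if ([int]$octet -gt 255) { throw "Octet out of range in $Address" }
        $n = $n * 256 + [int]$octet
    }
    return $n
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $parts = $Cidr.Split('/')
    $prefix = 32                                   # a bare address is a /32
    if ($parts.Length -eq 2) { $prefix = [int]$parts[1] }
    if ($parts.Length -gt 2 -or $prefix -lt 0 -or $prefix -gt 32) { throw "Bad CIDR: $Cidr" }
    $blockSize = [math]::Pow(2, 32 - $prefix)
    $a = [math]::Floor((Get-IPv4Number $Address) / $blockSize)
    $b = [math]::Floor((Get-IPv4Number $parts[0]) / $blockSize)
    return ($a -eq $b)
}

function Test-SpfRecord {
    param([string]$Record, [string]$ClientIP)
    $null = Get-IPv4Number $ClientIP               # reject a malformed client address early
    $resultFor = @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }
    $terms = @($Record.Trim() -split '\s+')
    if ($terms[0] -ne 'v=spf1') { return 'None' }

    # Pass 1: syntax. One bad term invalidates the whole record (PermError),
    # even when an earlier mechanism would have matched the client.
    $parsed = @()
    for ($i = 1; $i -lt $terms.Count; $i++) {
        $term = $terms[$i]
        if ($term -match '^[-+~?]?(a|mx|ptr|include|exists|ip6)([:/].*)?$' -or
            $term -match '^[a-z][a-z0-9._-]*=') {
            return 'NotEvaluated'                  # valid SPF, outside this example's subset
        }
        if (-not ($term -match '^([-+~?]?)(ip4|all)(:(.+))?$')) { return 'PermError' }
        $qualifier = $Matches[1]
        if (-not $qualifier) { $qualifier = '+' }  # default qualifier is Pass
        $mechanism = $Matches[2].ToLower()
        $value = $Matches[4]
        if ($mechanism -eq 'all' -and $value) { return 'PermError' }
        if ($mechanism -eq 'ip4') {
            if (-not $value) { return 'PermError' }
            try { $null = Test-IPv4InCidr '0.0.0.0' $value } catch { return 'PermError' }
        }
        $parsed += @{ Qualifier = $qualifier; Mechanism = $mechanism; Value = $value }
    }

    # Pass 2: first matching mechanism, left to right, decides the result.
    foreach ($p in $parsed) {
        if ($p.Mechanism -eq 'all' -or (Test-IPv4InCidr $ClientIP $p.Value)) {
            return $resultFor[$p.Qualifier]
        }
    }
    return 'Neutral'                               # nothing matched and no "all" term
}

$record = 'v=spf1 ip4:10.10.0.40 -all'                      # record from step 5
$pasted = 'v=spf1 ip4:10.10.0.40 ' + [char]0x2013 + 'all'   # same text with an en dash
foreach ($ip in '10.10.0.40', '10.10.0.12') {               # 10.10.0.12: constructed sender
    '{0,-11} published: {1,-9} en-dash copy: {2}' -f $ip,
        (Test-SpfRecord $record $ip), (Test-SpfRecord $pasted $ip)
}
```

The en-dash copy shows why the qualifier in front of all must be typed as a plain hyphen: a record pasted from formatted text no longer parses, and a receiver that gets a permanent error does not apply the hard fail you intended.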

Demonstration steps - Configure content filtering

1. On VAN-EDG, in the Exchange Management Shell, type set-contentfilterconfig –quarantinemailbox [email protected], and then press ENTER.

2. On VAN-EDG, in the Exchange Management Console, on the Anti-spam tab, right-click Content Filtering, and then click Enable.

3. Right-click Content Filtering, and then click Properties.

4. On the Custom Words tab, in the Messages containing these words or phrases box, type Mortgages, and then click Add.

5. In the Block messages containing these words or phrases box, type poker, and then click Add.

6. On the Exceptions tab, in the Don’t filter messages sent to the following recipients box, type [email protected], and then click Add.

7. On the Action tab, select the Quarantine messages that have an SCL rating greater than or equal to check box, and set the value to 7.

8. Set the Reject messages that have an SCL rating greater than or equal to value to 9. Click OK.

Lesson 4

Configuring Secure SMTP Messaging

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

Discussion: SMTP Security Issues

Question: What are the security issues with SMTP?

Answer: SMTP was primarily designed around the idea of enabling cooperation and trust between servers. It is designed to accept any mail and forward it to its destination. This is called relaying, and this can cause security issues. Additionally, SMTP is not encrypted by default.

Question: How do you currently secure SMTP?

Answer: Answers may vary. Some organizations may use encryption methods such as TLS, IPSec, VPN, and so on. Some organizations might also implement authentication and authorization to prevent relaying.

Detailed Demo Steps

Demonstration: How to Configure SMTP Security

Demonstration steps

1. Use the Exchange Management Console to create a new Receive Connector.

2. Configure the Receive Connector to be externally secured.

3. Use Telnet to connect to the Receive Connector.

4. Configure the Receive Connector to use TLS and authentication.

5. Use Telnet again to connect to the Receive Connector.

Demonstration steps - Configure an externally secured SMTP connector

1. On VAN-EX1, click Start, point to All Programs, point to Exchange Server 2010, and then click Exchange Management Console.

2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click on Hub Transport. In the Hub Transport pane, select VAN-EX1.

3. In the Actions pane, click New Receive Connector.

4. In the New Receive Connector window, in the Name box, type Externally Secured Connector, click Internal in the Select the intended use for this Receive connector list, and then click Next.

5. In the Remote Network settings pane, click Remove, and then click Add.

6. In the Add IP Addresses of Remote Servers window, enter 10.10.0.10 in Address or address range field, click OK, click Next, click New, and then click Finish.

7. In Exchange Management Console, in the Receive Connectors pane, double-click Externally Secured Connector, and then click the Authentication tab.

8. Clear the Exchange Server authentication check box, select the Externally Secured (for example, with IPsec) check box, and then click OK.

9. On VAN-DC1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.

10. At the command prompt, type Telnet van-ex1 smtp, and then press ENTER.

11. Enter the following sequence:

a. Helo

b. Mail from: [email protected]

c. Rcpt to: [email protected]

d. Quit

12. Note that you can relay through the server when using the externally trusted connector. You need to ensure that this option is only enabled for connections from highly trusted sources.

Demonstration Steps - Configure an SMTP Connector that Requires TLS and Authentication

1. Switch to VAN-EX1.

2. In Exchange Management Console, in the Receive Connectors pane, double-click Externally Secured Connector, and then click the Authentication tab.

3. Clear the Externally Secured (for example, with IPSec) check box, and select the following:

• Basic Authentication

• Offer Basic authentication only after starting TLS

4. Click the Permission Groups tab, select the Exchange users check box, and then click OK.

5. On VAN-DC1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.

6. At the command prompt, type Telnet van-ex1 smtp.

7. Enter the following sequence:

a. Helo

b. Mail from: [email protected]

Response: 530 5.7.1 client was not authenticated
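The two demonstrations above change one connector from Externally Secured to TLS with Basic authentication. The following added example, which is not part of the course material, classifies Receive connectors by those same settings so that relay-capable ones stand out. The function name, severity labels and sample objects are constructed; AuthMechanism, PermissionGroups and RemoteIPRanges are the property names that Get-ReceiveConnector returns.

```powershell
# Added example: flag Receive connectors whose settings allow relay or weak authentication.
# Written for PowerShell 2.0 so it also runs in the Exchange 2010 shell.

function Get-ReceiveConnectorRisk {
    param([Parameter(ValueFromPipeline = $true)] $Connector)
    process {
        # Flag enums render as "Tls, BasicAuth"; the constructed samples use the same text form.
        $auth = @(("$($Connector.AuthMechanism)" -split ',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $groups = @(("$($Connector.PermissionGroups)" -split ',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $ranges = @($Connector.RemoteIPRanges | ForEach-Object { "$_" } | Where-Object { $_ })

        # An entry that is not one literal address (a range or a subnet) covers many hosts.
        $wide = @($ranges | Where-Object {
            $parsed = $null
            -not [System.Net.IPAddress]::TryParse($_, [ref]$parsed)
        })

        $severity = 'OK'
        $notes = @()
        if ($auth -contains 'ExternalAuthoritative') {
            if ($wide.Count -gt 0) {
                $severity = 'High'
                $notes += "Externally Secured with a wide remote range ($($wide -join '; ')): every host in it can relay"
            } else {
                $severity = 'Review'
                $notes += "Externally Secured: $($ranges -join '; ') is trusted to relay without authenticating"
            }
        }
        if (($auth -contains 'BasicAuth') -and -not ($auth -contains 'BasicAuthRequireTLS')) {
            if ($severity -eq 'OK') { $severity = 'Review' }
            $notes += 'Basic authentication is offered before STARTTLS, so credentials can cross the wire unencrypted'
        }
        if ($groups -contains 'AnonymousUsers') {
            $notes += 'Accepts anonymous senders; confirm it is meant to take inbound Internet mail'
        }
        if ($notes.Count -eq 0) { $notes += 'Authenticated submission only' }

        New-Object PSObject -Property @{
            Name = $Connector.Name; Severity = $severity; Notes = ($notes -join ' | ')
        } | Select-Object Name, Severity, Notes
    }
}

# Constructed samples that approximate the connectors built in the demonstrations,
# plus one deliberately unsafe variant for contrast.
$samples = @(
    (New-Object PSObject -Property @{ Name = 'Anonymous Receive'
        AuthMechanism = 'Tls'; PermissionGroups = 'AnonymousUsers'
        RemoteIPRanges = @('0.0.0.0-255.255.255.255') }),
    (New-Object PSObject -Property @{ Name = 'Externally Secured Connector (after step 8)'
        AuthMechanism = 'Tls, ExternalAuthoritative'; PermissionGroups = 'ExchangeServers'
        RemoteIPRanges = @('10.10.0.10') }),
    (New-Object PSObject -Property @{ Name = 'Externally Secured Connector (TLS + Basic)'
        AuthMechanism = 'Tls, BasicAuth, BasicAuthRequireTLS'; PermissionGroups = 'ExchangeUsers'
        RemoteIPRanges = @('10.10.0.10') }),
    (New-Object PSObject -Property @{ Name = 'Constructed unsafe variant'
        AuthMechanism = 'Tls, ExternalAuthoritative'; PermissionGroups = 'ExchangeServers'
        RemoteIPRanges = @('0.0.0.0-255.255.255.255') })
)
$samples | Get-ReceiveConnectorRisk | Format-List

# On an Exchange server, feed it the real connectors instead:
#   Get-ReceiveConnector | Get-ReceiveConnectorRisk | Format-List
```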

Demonstration: How to Configure Domain Security

Demonstration steps

1. Verify a computer certificate in the certificate store.

2. Enable Domain Security on the Receive connector.

3. Enable Domain Security on the Send connector.

4. Run Set-TransportConfig -TLSSendDomainSecureList and Set-TransportConfig -TLSReceiveDomainSecureList to configure Domain Security partnership.

5. Run Start-EdgeSynchronization to synchronize the changes to the Edge Transport server.

Demonstration steps - Verify certificate and check receive connector

1. On VAN-EDG, open Microsoft Management Console, and then add the Certificates snap-in.

2. In the Certificates snap-in window, click Computer account, click Next, and then click Finish.

3. In the Add or Remove Snap-ins window, click OK.

4. In the Console window, expand Certificates (Local Computer), expand Personal, and then click Certificates.

5. Open the VAN-EDG certificate. This certificate is the self-signed certificate installed on the server when the Edge Transport server role was installed. In a production environment, you would need to obtain a certificate from a public CA or exchange root certificates with other organizations in order to enable domain security.

6. Click OK, and then close Console 1 without saving changes.

7. Click Start, point to All Programs, point to Exchange Server 2010, and then click Exchange Management Console.

8. In Exchange Management Console, click Edge Transport. In the Edge Transport pane, click VAN-EDG, and then click the Receive Connectors tab in the VAN-EDG pane.

9. On the Receive Connectors tab, double-click Default internal receive connector VAN-EDG.

10. On the Authentication tab, ensure that both the Transport Layer Security (TLS) and Enable Domain Security (Mutual Auth TLS) check boxes are selected, and then click OK. You can mention here that in a real-world implementation of Domain Security, you might want to add one dedicated Receive Connector for Domain Security connections only as a best practice recommendation.

Demonstration steps - Configure Domain Security

1. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.

3. Click the Send Connectors tab, and then double-click EdgeSync - Default-First-Site-Name to Internet.

4. On the Network tab, ensure that Enable Domain Security (Mutual Auth TLS) is selected, and then click OK.

5. Click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.

6. In Exchange Management Shell, at the command prompt, type Set-TransportConfig -TLSSendDomainSecureList contoso.com, and then press ENTER.

7. At the command prompt, type Set-TransportConfig -TLSReceiveDomainSecureList contoso.com, and then press ENTER.

8. At the command prompt, type Get-TransportConfig | FL, and then press ENTER.

9. At the command prompt, type Start-EdgeSynchronization, and then press ENTER.
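
The settings configured in the Domain Security demonstrations can be checked from the Exchange Management Shell. The script below is an added example, not part of the courseware; the function name Test-DomainSecurityConfig is hypothetical, contoso.com is the partner domain from the steps above, and the script should be run on the server that holds the connectors being checked.

```powershell
# Added example (not from the courseware): audit the Domain Security
# (mutual TLS) settings configured in the demonstration.
function Test-DomainSecurityConfig {
    param(
        [string]$PartnerDomain = 'contoso.com'   # partner domain from the demonstration
    )

    $findings = @()

    # 1. The partner must be on both organization-wide secure-domain lists.
    $tc = Get-TransportConfig
    foreach ($list in 'TLSSendDomainSecureList', 'TLSReceiveDomainSecureList') {
        $domains = @($tc.$list | ForEach-Object { "$_" })
        if ($domains -notcontains $PartnerDomain) {
            $findings += "$list does not contain $PartnerDomain"
        }
    }

    # 2. Send connectors: Domain Security needs DNS routing and must not ignore STARTTLS.
    $secureSend = @(Get-SendConnector | Where-Object { $_.Enabled -and $_.DomainSecureEnabled })
    if ($secureSend.Count -eq 0) {
        $findings += 'No enabled Send connector has DomainSecureEnabled set'
    }
    foreach ($c in $secureSend) {
        if (-not $c.DNSRoutingEnabled) {
            $findings += "Send connector '$($c.Name)': DNSRoutingEnabled is False"
        }
        if ($c.IgnoreSTARTTLS) {
            $findings += "Send connector '$($c.Name)': IgnoreSTARTTLS is True"
        }
    }

    # 3. Receive connectors: mutual TLS needs Tls in AuthMechanism and cannot be
    #    combined with ExternalAuthoritative (the Externally Secured option).
    $secureRecv = @(Get-ReceiveConnector | Where-Object { $_.Enabled -and $_.DomainSecureEnabled })
    if ($secureRecv.Count -eq 0) {
        $findings += 'No enabled Receive connector has DomainSecureEnabled set'
    }
    foreach ($c in $secureRecv) {
        $mech = "$($c.AuthMechanism)" -split ',\s*'
        if ($mech -notcontains 'Tls') {
            $findings += "Receive connector '$($c.Name)': AuthMechanism lacks Tls"
        }
        if ($mech -contains 'ExternalAuthoritative') {
            $findings += "Receive connector '$($c.Name)': ExternalAuthoritative is set"
        }
    }

    # 4. SMTP certificate: a self-signed or expired certificate will not be
    #    trusted by a partner unless root certificates were exchanged.
    $smtpCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'SMTP' })
    if ($smtpCerts.Count -eq 0) {
        $findings += 'No certificate is enabled for the SMTP service'
    }
    foreach ($cert in $smtpCerts) {
        if ($cert.IsSelfSigned) {
            $findings += "Certificate $($cert.Thumbprint) is self-signed"
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            $findings += "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
        }
    }

    $findings
}

$result = @(Test-DomainSecurityConfig -PartnerDomain 'contoso.com')
if ($result.Count -eq 0) { 'Domain Security settings look consistent.' } else { $result }
```

Set-TransportConfig replaces the whole secure-domain list each time it runs, so when more than one partner domain is secured, pass every domain in the same command.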

Module Reviews and Takeaways

Review questions

1. Is Edge Synchronization a mandatory requirement? No, you can use Edge Synchronization to configure the Edge Transport server so you can manage most of the settings from your Exchange Server organization. However, you can also have a stand-alone Edge Transport server.

2. Which Exchange Server versions support the Domain Security feature? You can use Domain Security or mutual TLS only when both the sending and receiving domains have Exchange Server 2007 or Exchange Server 2010 installed.

3. Does the Edge Transport server role in Exchange Server 2010 include virus-scanning capabilities? The Edge Transport server role includes only some basic antivirus features. For virus scanning capabilities, you need to use a third-party software such as Forefront Protection 2010 for Exchange or other similar products.

Common issues related to Edge Synchronization and domain security

Identify the causes for the following common issues related to implementing messaging security. For answers, refer to relevant lessons in the module.

Issue: You configured Domain Security with a partner domain, but messages only use TLS for message encryption, not mutual TLS or Domain Security.

Troubleshooting tip: Ensure both domains trust each other’s CA. Also, Domain Security must be configured on both the local side and the partner side.

Issue: Edge Synchronization is not working anymore.

Troubleshooting tip: Use Test-EdgeSynchronization to verify that the connection is established. If that does not work, try to reestablish the Edge Synchronization.

Issue: You’re logged on to your Windows Server 2008 machine using your own account. When you run Test-EdgeSynchronization, it shows that the connection is broken.

Troubleshooting tip: When you use your own account instead of an administrator account to log on to a Windows Server 2008 system, ensure that you always start the Exchange Management Shell in Administrator mode. You sometimes need full access to run a cmdlet.

Lab Review Questions and Answers

Question: What anti-spam agents are available in Exchange Server 2010?

Answer: Anti-spam agents include: Connection Filtering, Content Filter, Sender ID, Sender Filter, Recipient Filter, Protocol Analysis, and Attachment Filter.

Question: What is the purpose of the SCL threshold?

Answer: The SCL threshold is the threshold value that specifies whether a message is seen as spam, or a valid message.

Question: What are the possible issues in implementing Domain Security for your partner domains?

Answer: Domain Security needs to be configured on both sides, on a by-domain basis.

Module 7 Implementing High Availability

Contents:

Lesson 1: Overview of High Availability Options

Lesson 2: Configuring Highly Available Mailbox Databases

Module Reviews and Takeaways

Lab Review Questions and Answers

Lesson 1

Overview of High Availability Options

Contents:

Question and Answers

Additional Reading

Question and Answers

Discussion: Components of a High Availability Solution

Question: What are some common single points of failure in a messaging solution?

Answer: Answers will vary. Some of the common failure points are Internet connectivity; server hardware failures with hard drives, fans, and power supplies; and environmental factors, such as power and cooling.

Additional Reading

What Is High Availability?

• Microsoft High Availability White Paper

Lesson 2

Configuring Highly Available Mailbox Databases

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

What Is Continuous Replication?

Question: What other technologies use continuous replication?

Answer: Exchange Server 2007, Microsoft SQL Server®, and perhaps others familiar to the students.

Configuring Databases for High Availability

Question: How do you plan to use the preferred list sequence number?

Answer: Answers may vary. However, many students will prefer to spread out the activity to multiple servers. Rotating the preference for the databases through all available servers allows each server to be actively serving client requests.

Demonstration: How to Create and Configure a DAG

Question: What information do you need before you can configure a DAG?

Answer: At minimum, the administrator needs to know within which network the DAG will reside and the servers that will participate.

Demonstration: How to Monitor Replication Health

Question: Why is monitoring these statistics important?

Answer: As previously discussed, high availability is more than just redundant software and hardware. It is a crucial tool for identifying and reacting to problems quickly and effectively. Monitoring the statistics can help you do this.

Detailed Demo Steps

Demonstration: How to Create and Configure a DAG

Demonstration steps

1. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

2. Use the New-DatabaseAvailabilityGroup cmdlet to create a Database Availability Group named DAG1 with a WitnessServer on VAN-DC1, and a WitnessDirectory of C:\FSWDAG1. Assign the DAG an IP address of 10.10.0.25.

3. Use the Add-DatabaseAvailabilityGroupServer cmdlet to add VAN-EX1 as a member.

4. Click Start, click Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

5. Use the Manage Database Availability Group Membership wizard to add VAN-EX2 as a member of DAG1.

6. Use the Add Mailbox Database Copy wizard to add a copy of Mailbox Database 1 to the second Mailbox server.

Demonstration steps

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

2. At the Exchange Management Shell prompt, type New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer VAN-DC1 -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIpAddresses 10.10.0.25, and then press ENTER.

We recommend using the local Hub Transport server to act as the file share witness. A two-node DAG configuration requires a file share witness, since it requires a majority of votes at all times to maintain quorum. In a two-node cluster without a file share witness, when one of the nodes is rebooted, a majority of votes cannot be obtained and the cluster fails. You can specify the Hub Transport server and the local directory to be configured as the file share witness when you create a DAG. As a best practice, you should add the file share witness to other clusters too. Clusters with even numbers of nodes use the file share witness as a tie-breaker vote in establishing quorum.

3. At the Exchange Management Shell prompt, type Add-DatabaseAvailabilityGroupServer DAG1 -MailboxServer VAN-EX1, and then press ENTER.

4. Click Start, click Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

5. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.

6. In the Results pane, click the Database Availability Groups tab.

7. In the Work pane on the Database Availability Groups tab, right-click DAG1, and then click Manage Database Availability Group Membership from the context menu.

8. In the Manage Database Availability Group Membership wizard, click Add.

9. In the Select Mailbox Server dialog box, click VAN-EX2, and then click OK.

10. In the Manage Database Availability Group Membership wizard, click Manage to complete the changes, and then click Finish to close the wizard.

11. In the Results pane, click the Database Management tab.

12. In the Results pane, click Mailbox Database 1, and then in the Actions pane, click Add Mailbox Database Copy.

13. In the Add Mailbox Database Copy wizard, click Browse to select the server to which to add the copy.

14. In the Select Mailbox Server dialog box, click VAN-EX2, and then click OK.

15. In the Add Mailbox Database Copy wizard, click Add to create the copy of Mailbox Database 1.

16. Review the results, and then click Finish.

Note: Once you create a DAG, you then can create and configure DAG networks for replication or for MAPI traffic. Add additional networks for redundancy or improved throughput.

Demonstration: How to Monitor Replication Health

Demonstration steps

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then expand Mailbox.

3. Review the status of each Mailbox Database 1 database copy.

4. Close Exchange Management Console.

Demonstration steps

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.

2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then expand Mailbox.

3. In the Results pane, click the Database Management tab.

4. In the Results pane, click Mailbox Database 1, and then in the Actions pane, in the bottom Mailbox Database 1 area, click Properties.

5. Review the information on the General tab:

• The database status might be Healthy, Initializing, Failed, Mounted, Dismounted, Disconnected, Suspended and Failed, Suspended, Resynchronizing, Seeding

• Describe Copy queue length (logs) and Replay queue length (logs).

6. Click OK to close.
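
The same status and queue-length values can be read for every copy at once from the Exchange Management Shell. The script below is an added example, not part of the courseware; the function name Get-DatabaseCopyAttention and both thresholds are assumptions, and Accounting\VAN-EX2 is the lagged copy created in the Module 8 demonstration.

```powershell
# Added example (not from the courseware): list database copies that need attention.
# The thresholds are assumed values; tune them for your environment.
function Get-DatabaseCopyAttention {
    param(
        [int]$MaxCopyQueue   = 10,   # logs waiting to be copied from the active copy
        [int]$MaxReplayQueue = 50,   # logs copied but not yet replayed into the passive copy
        # Lagged copies hold logs on purpose, so a long replay queue is expected there.
        [string[]]$LaggedCopies = @()
    )

    # An active copy reports Mounted and a passive copy in good order reports Healthy.
    $okStatus = 'Mounted', 'Healthy'

    foreach ($server in (Get-MailboxServer)) {
        foreach ($copy in (Get-MailboxDatabaseCopyStatus -Server $server.Name)) {
            $reasons = @()

            if ($okStatus -notcontains "$($copy.Status)") {
                $reasons += "status is $($copy.Status)"
            }
            if ($copy.CopyQueueLength -gt $MaxCopyQueue) {
                $reasons += "copy queue length $($copy.CopyQueueLength) exceeds $MaxCopyQueue"
            }
            if (($LaggedCopies -notcontains $copy.Name) -and
                ($copy.ReplayQueueLength -gt $MaxReplayQueue)) {
                $reasons += "replay queue length $($copy.ReplayQueueLength) exceeds $MaxReplayQueue"
            }

            if ($reasons.Count -gt 0) {
                New-Object PSObject -Property @{
                    Copy        = $copy.Name            # Database\Server
                    Status      = "$($copy.Status)"
                    CopyQueue   = $copy.CopyQueueLength
                    ReplayQueue = $copy.ReplayQueueLength
                    Reasons     = ($reasons -join '; ')
                }
            }
        }
    }
}

# No output means every copy is Mounted or Healthy and within the thresholds.
Get-DatabaseCopyAttention -LaggedCopies 'Accounting\VAN-EX2' |
    Format-Table Copy, Status, CopyQueue, ReplayQueue, Reasons -AutoSize
```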

Module Reviews and Takeaways

Review questions

1. Besides planning for Exchange Server failures, what other failures should you consider?

Exchange Server high availability configurations protect against software and server failures, and database corruption. It is important to consider larger issues, such as local network failures, Internet connectivity issues, and data center power and cooling failures.

2. In which scenarios might you use hardware load balancing with Edge Transport servers?

In high utilization scenarios requiring hundreds of Edge Transport servers, it may make more sense to use a hardware load balancer than to create hundreds of DNS MX records. Doing this also may reduce the number of public IP addresses required.

Common issues related to creating high availability Edge Transport solutions

Identify the causes for the following common issues related to high availability Edge Transport servers, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Inbound e-mail is not being delivered evenly across all of the Edge Transport servers.

Troubleshooting tip: Ensure that the DNS MX records have the same value. If the values are not the same, only the records with the lowest value will be used.

Issue: After deploying highly available Edge Transport servers, outbound e-mail is being returned as possible spam.

Troubleshooting tip: Verify that your outbound mail servers are configured with a host name that is resolvable on the Internet. Many servers reject e-mail from servers that do not have a name or an IP address that can be resolved on the Internet.

Real-world issues and scenarios

1. An organization has several branch offices with a small number of employees. However, the organization needs to deploy a high availability solution in the remote offices. What configuration can it deploy to meet its business needs?

It may be possible to deploy two servers and install the Mailbox, Hub Transport, and Client Access server roles on both. The organization can create a DAG and use a hardware load balancer to load balance client access connectivity.

2. An organization uses a variety of service-level agreements for database availability for different business units. It wants to minimize the number of mailbox servers it deploys. How can it do this?

Deploy all Mailbox servers in a single DAG, and then configure each of the business unit’s mailbox databases with the appropriate number of copies to meet the service level.

Best practices related to designing a high availability solution

Supplement or modify the following best practices for your own work situations:

• Identify all possible failure points before designing a solution. Even the most elaborate and expensive designs can have a simple and crippling failure point.

• Document all of the components of the solution so that everyone involved in the deployment understands how the solution is configured.

• Follow change-management procedures. In some environments, it may be tempting to skip these steps. However, not following proper change-management procedures often leads to extended, unplanned downtime.

Lab Review Questions and Answers

Question: When might you choose to initiate a database switchover?

You can initiate database switchovers to move databases off a DAG member for maintenance tasks, such as applying software updates.

Question: If you deploy only two Hub Transport servers in an Active Directory site, would shadow redundancy protect messages between mailboxes in the same site?

Shadow redundancy does not protect messages delivered within the same site, because the messages will not have traversed more than one Hub Transport server. However, you can recover these messages using the transport dumpster functionality.

Module 8 Implementing Backup and Recovery

Contents:

Lesson 1: Planning Backup and Recovery

Lesson 2: Backing Up Exchange Server 2010

Lesson 3: Restoring Exchange Server 2010

Module Reviews and Takeaways

Lab Review Questions and Answers

Lesson 1

Planning Backup and Recovery

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

Discussion: The Importance of Planning for Disaster Recovery

Question: Why is it important to plan for a disaster?

Answer: It is important for the students to know how to plan for a recovery so that a disaster does not cause database issues and data loss. The key is to practice the database or server-restore process, so that you will be able to perform the tasks should the stressful situation of a corrupt or damaged database occur, and you must resolve issues and recover data quickly.

Question: What current plan does your organization have for disaster recovery?

Answer: Answers may include various options, such as maintaining guidelines, performing regularly scheduled restores (such as every month), and conducting drills to increase administrators’ experience with the restore process. Additionally, interesting discussion points include how the students teach disaster-recovery processes to new employees or how they ensure the plan remains up-to-date.

Integrating High Availability and Disaster Recovery

Question: Why should you back up Exchange Server databases?

Answer: Back up Exchange Server databases so that you can recover from a disaster, recover items from mailboxes, and perform other back-up actions. For these reasons, consider the new high availability features because they might be able to replace the backup software.

Demonstration: Recovering Deleted Items

Question: What is the benefit of using this feature to recover mailboxes compared to existing brick-level backup solutions?

Answer: This feature is quicker than existing brick-level backup solutions, because you do not need to recover the data from the backup device.

Detailed Demo Steps

Demonstration: Recovering Deleted Items

Demonstration steps

1. At the Exchange Management Shell prompt, type Set-Mailbox ScottMacDonald -SingleItemRecoveryEnabled:$true, and then press ENTER.

2. At the Exchange Management Shell prompt, type New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User 'adatum\administrator', and then press ENTER.

3. In the Exchange Management Console, assign the Administrator account full access permissions to the Discovery Search Mailbox.

4. In Scott MacDonald’s mailbox, create a new folder, populate that folder with messages, and then delete the folder.

5. Log on to Microsoft Outlook Web App as Administrator to define a Mailbox Search.

6. Open the Discovery Search Mailbox, and verify that it contains the deleted message.

7. Use the Export-Mailbox cmdlet to recover the folder to its original mailbox.

8. Verify that the message was recovered by accessing Scott MacDonald’s mailbox.

Demonstration steps

1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

2. At the Exchange Management Shell prompt, type Set-Mailbox ScottMacDonald -SingleItemRecoveryEnabled:$true, and then press ENTER.

3. At the Exchange Management Shell prompt, type New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User 'adatum\administrator', and then press ENTER. Close Exchange Management Shell.

4. Open the Exchange Management Console. Expand Microsoft Exchange On-Premises, expand Recipient Configuration, and click Mailbox.

5. Right-click Discovery Search Mailbox, and click Manage Full Access Permission.

6. Add the Administrator account, and click Manage. Click Finish.

7. Click Start, point to All Programs, and then click Internet Explorer.

8. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER.

9. Log on as Adatum\Scott with a password of Pa$$w0rd.

10. Click OK to accept the default Outlook Web App settings.

11. On the left pane, right-click Scott MacDonald, click Create New Folder, and then type Personal Items as the folder name.

12. Create and send a message to Scott. When the message arrives, move it to the Personal Items folder.

13. Right-click the Personal Items folder, and then click Delete.

14. In the Delete dialog box, click Yes. When you delete a folder, the folder’s items will now be available in Recover Deleted Items.

15. Right-click Deleted Items, click Empty Deleted Items, and then click Yes.

16. Right-click Deleted Items, and then click Recover Deleted Items.

17. In the Recover Deleted Items window, click the Purge Selected Items icon.

18. In the Message from webpage dialog box, click OK, and then close the Recover Deleted Items window.

19. Close Internet Explorer, and then open it again and connect to https://VAN-EX1.adatum.com/owa.

20. Log on as Adatum\Administrator with a password of Pa$$w0rd. Click OK.

21. In Outlook Web App, click Options.

22. In the Select what to manage drop-down list, select My Organization.

23. On the left pane, click Users & Groups, and then click the Administrator Roles tab.

24. On the Role Groups pane, double-click Discovery Management.

25. In the Role Group window, under Members, click Add.

26. In the Select Members window, under Members, click Add.

27. In the Select Members window, select Administrator, click Add, click OK, and then click Save.

28. Close Internet Explorer, and then open it again and connect to https://VAN-EX1.adatum.com/owa.

29. Log on as Adatum\Administrator with a password of Pa$$w0rd.

30. In Outlook Web App, click Options.

31. Under Select what to manage, select My Organization.

32. On the left pane, click Reporting, and then click Mailbox Searches.

33. On the Multi-Mailbox Search pane, click New.

34. In the New Mailbox Search window, expand Mailboxes to Search, and then click Add. Add Scott MacDonald’s mailbox, and then click OK.

35. Expand Search Name and Storage Location, and then click Browse.

36. In the Select Discovery Mailbox window, select Discovery Search Mailbox, and then click OK.

37. On the Search Name and Storage Location pane, type Purged Mailbox Items in the Search name box, select the Send me an e-mail when the search is done check box, and then click Save. Point out that mailbox search is now processed.

38. On the upper right corner, click My Mail.

39. In the upper right corner, click Administrator, and then, in the Open Other Mailbox dialog box, in the Select mailbox field, type Discovery Search Mailbox, and then click Open twice. Click OK.

40. In the Discovery Search Mailbox window, in the Mail pane, expand Purged Mailbox Items, expand Scott MacDonald…, expand Primary Mailbox, expand Recoverable Items, and then click Purges. Point out that these are the items that were deleted previously. Mention that the folder name was not preserved.

41. Write down the full MAPI path so that it is available for the next step. The full path will be something like:

42. \Purged Mailbox Items\Scott MacDonald-6/26/2009 7:10:19 AM\Primary Mailbox\Recoverable Items\Purges.

43. Close Internet Explorer.

44. Open the Exchange Management Shell. At the Exchange Management Shell prompt, type Export-Mailbox -Identity "Discovery Search Mailbox" -TargetMailbox "ScottMacDonald" -IncludeFolders "fullMAPIpath" -Targetfolder "Personal Items (restored)", and then press ENTER.

45. Click Start, point to All Programs, and then click Internet Explorer.

46. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER.

47. Log on as Adatum\Scott with a password of Pa$$w0rd.

48. On the left pane, expand Personal Items (restored), and then expand the folders beneath until you see the Purges folder. Click the Purges folder.

49. Verify that all messages are restored to the Purges folder.
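
This demonstration gives the Administrator account the Mailbox Import Export role, membership in Discovery Management, and full access to the Discovery Search Mailbox, which together allow reading and exporting other users' mail. The script below is an added example, not part of the courseware, that lists who holds each of those grants and previews their removal once the recovery is finished; the function name Get-RecoveryDemoPrivilege is hypothetical.

```powershell
# Added example (not from the courseware): report who holds the privileges
# granted during the Recovering Deleted Items demonstration.
function Get-RecoveryDemoPrivilege {
    param(
        [string]$DiscoveryMailbox = 'Discovery Search Mailbox'
    )

    # Regular (non-delegating) holders of the Mailbox Import Export role.
    Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
        Where-Object { "$($_.RoleAssignmentDelegationType)" -eq 'Regular' } |
        Select-Object @{Name = 'Grant';  Expression = { 'Mailbox Import Export role' }},
                      @{Name = 'Holder'; Expression = { $_.EffectiveUserName }}

    # Members of the Discovery Management role group (multi-mailbox search).
    Get-RoleGroupMember -Identity 'Discovery Management' |
        Select-Object @{Name = 'Grant';  Expression = { 'Discovery Management member' }},
                      @{Name = 'Holder'; Expression = { $_.Name }}

    # Explicit full access to the mailbox that stores the search results.
    Get-MailboxPermission -Identity $DiscoveryMailbox |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            "$($_.AccessRights)" -match 'FullAccess'
        } |
        Select-Object @{Name = 'Grant';  Expression = { "Full access to $DiscoveryMailbox" }},
                      @{Name = 'Holder'; Expression = { "$($_.User)" }}
}

Get-RecoveryDemoPrivilege | Sort-Object Grant, Holder | Format-Table -AutoSize

# Preview the clean-up for the account used in the demonstration.
# -WhatIf only reports what would change; remove it to apply the change.
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -RoleAssignee 'adatum\administrator' |
    Where-Object { "$($_.RoleAssignmentDelegationType)" -eq 'Regular' } |
    Remove-ManagementRoleAssignment -WhatIf

Remove-RoleGroupMember -Identity 'Discovery Management' -Member 'Administrator' -WhatIf

Remove-MailboxPermission -Identity 'Discovery Search Mailbox' -User 'adatum\administrator' `
    -AccessRights FullAccess -WhatIf
```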

Demonstration: How to Create a Point-in-Time Database Snapshot

Demonstration steps

1. At the Exchange Management Shell prompt, type New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer VAN-DC1 -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIPaddresses 10.10.0.100, and then press ENTER.

Note: You can only place the witness directory on a Hub Transport server when you are using the Exchange Management Console. However, when using the Exchange Management Shell, you can place the witness directory on any server, including a server that is not running the Exchange server role.

2. On the Exchange Management Console, add VAN-EX1 and VAN-EX2 to DAG1, and then add a copy of the Accounting database to VAN-EX2 with a replay lag time of 7 days.

3. At the Exchange Management Shell prompt, type Set-MailboxServer VAN-EX2 -DatabaseCopyAutoActivationPolicy Blocked, and then press ENTER.

Demonstration steps

1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

2. At the Exchange Management Shell prompt, type New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer VAN-DC1 -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIPaddresses 10.10.0.100, and then press ENTER.

3. If required, open the Exchange Management Console.

4. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.

5. In the Results pane, on the Database Availability Groups tab, click DAG1.

6. In the Actions pane, click Manage Database Availability Group Membership.

7. In the Manage Database Availability Group Membership wizard, click Add.

8. In the Select Mailbox Server dialog box, hold down CTRL, click VAN-EX1 and VAN-EX2, and then click OK. Click Manage, and then click Finish.

9. In the Results pane, with the Database Management tab showing, right-click Accounting, and then select Add Mailbox Database Copy.

10. In the Add Mailbox Database Copy window, click Browse.

11. In the Select Mailbox Server dialog box, click VAN-EX2, and then click OK. Click Add, and then click Finish.

12. In the Exchange Management Shell, type Set-MailboxDatabaseCopy -id Accounting\VAN-EX2 -replaylagtime 7.0:0:0, and then press ENTER. This command delays the commitment of the transaction logs to the Accounting database on VAN-EX2 for 7 days.

13. At the Exchange Management Shell prompt, type Set-MailboxServer VAN-EX2 -DatabaseCopyAutoActivationPolicy Blocked, and then press ENTER. This cmdlet blocks the automatic activation of the database copy on VAN-EX2.

Lesson 2

Backing Up Exchange Server 2010

Contents:

Question and Answers

Detailed Demo Steps

Additional Reading

Question and Answers

Demonstration: How to Back Up Exchange Server 2010

Question: Do you plan to use Windows Server Backup as your primary Exchange Server backup solution?

Answer: Windows Server Backup is a solution for small- to medium-sized businesses that do not have the budget for a third-party backup solution. You can use Windows Server Backup to back up Exchange Server data to a file share.

Detailed Demo Steps

Demonstration: How to Back Up Exchange Server 2010

Demonstration steps

1. In Server Manager, add the Windows Server Backup feature.

2. In Windows Server Backup, create a backup set to back up the C: drive and run the backup.

3. In Event Viewer, verify that the Exchange Server databases are part of the backup and that they have been backed up successfully.

Demonstration steps

1. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Server Manager.

2. In Server Manager, click Features, and then on the Features Summary pane, click Add Features.

3. In the Add Features Wizard, expand Windows Server Backup Features, click Windows Server Backup, and then click Next.

4. On the Confirm Installation Selections page, click Install, and then after the installation finishes, click Close.

5. Click Start, click All Programs, click Administrative Tools, and then click Windows Server Backup.

6. In Windows Server Backup, on the Actions pane, click Backup Once.

7. In the Backup Once Wizard, on the Backup Options page, click Different options, and then click Next.

8. On the Select Backup Configuration page, select Custom, and then click Next.

9. On the Select Items for Backup page, click Add items, select Local disk (C:) in the Select Items window, and then click OK.

10. On the Select Items for Backup page, click Advanced Settings, click the VSS Settings tab, select VSS full Backup, click OK, and then click Next.

11. On the Specify Destination Type page, select Local drives, and then click Next.

12. On the Select Backup Destination page, in Backup destination, select Allfiles (D:), and then click Next.

13. On the Confirmation page, click Backup. The backup will take about 20 minutes. When the backup finishes, click Close, and then close Windows Server Backup.

14. Click Start, click Administrative Tools, and then click Event Viewer.

15. In Event Viewer, expand Windows Logs, and then click Application.

16. In Event Viewer, on the Application log, locate the event items labeled Source MSExchangeIS and EventID 9811.

17. Wait until the backup is finished, then in Event Viewer, on the Application pane, locate the event items labeled Source MSExchangeIS and EventID 9780.

Additional Reading

How Does a VSS Backup Work?

• Further information about VSS

Lesson 3

Restoring Exchange Server 2010

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

Demonstration: How to Recover Data by Using the Recovery Database

Question: What is the difference between using Single Item Recovery and performing a restore by using the recovery database?

Answer: The Single Item Recovery stores the items in the mailbox database on the Exchange server, so the data still occupies space in the Exchange Server database. A recovery database is stored on a secondary device that provides a cheaper way to store data, like a hard drive or tape drive. Using Single Item Recovery, you can restore the items or mailboxes more quickly than you can by using a recovery database. However, some administrators may want to use recovery databases, because they performed mailbox restorations by using this method in previous Exchange Server versions.

Detailed Demo Steps

Demonstration: How to Recover Data by Using the Recovery Database

Demonstration steps

1. Use Windows Server Backup to restore the Exchange Server databases to C:\DBBackup.

2. At the Exchange Management Shell prompt, type New-MailboxDatabase -Name "RecoverDB" -Server VAN-EX1 -EDBFilePath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb" -Logfolderpath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting" -Recovery, and then press ENTER. This command creates the recovery database using the recovered Accounting database.

3. Use the eseutil /p “c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox\Accounting\Accounting.edb“ command to repair the recovered database.

4. At the Exchange Management Shell prompt, type Mount-Database “RecoverDB”, and then press ENTER.

5. Use the Get-MailboxStatistics -Database “RecoverDB” command to display the mailboxes in the recovery database.

6. At the Exchange Management Shell prompt, type Restore-Mailbox -Identity MichiyoSato -RecoveryDatabase RecoverDB, and then press ENTER.

Demonstration steps

1. On VAN-EX1, click Start, click Programs, click Administrative Tools, and then click Windows Server Backup.

2. In Windows Server Backup, on the Actions pane, click Recover.

3. In the Recovery Wizard, on the Getting Started page, select This Server (VAN-EX1), and then click Next.

4. On the Select Backup Date page, click Next.

5. On the Select Recovery Type page, select Applications, and then click Next.

6. On the Select Application page, select Exchange, and then click Next.

7. On the Specify Recovery Options page, click Recover to another location, click Browse, expand Computer, click Local Disk (C:), click Make New Folder, enter DBBackup, click OK, and then click Next.

8. On the Confirmation page, click Recover.

9. On the Recovery Progress page, click Close. Close Windows Server Backup.

10. On VAN-EX1, click Start, click Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.

11. At the Exchange Management Shell prompt, type New-MailboxDatabase -Name "RecoverDB" -Server VAN-EX1 -EDBFilePath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb" -Logfolderpath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting" -Recovery, and then press ENTER.

12. At the Exchange Management Shell prompt, type cd "c:\Program Files\Microsoft\Exchange Server\v14\bin", and then press ENTER.

13. At the Exchange Management Shell prompt, type eseutil /p "c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox\Accounting\Accounting.edb", and then press ENTER.

14. In the Warning dialog box, click OK.

15. At the Exchange Management Shell prompt, type Mount-Database "RecoverDB", and then press ENTER.

16. At the Exchange Management Shell prompt, type Get-MailboxStatistics -Database "RecoverDB", and then press ENTER. This cmdlet displays all mailboxes within the recovery database.

17. At the Exchange Management Shell prompt, type Restore-Mailbox -Identity MichiyoSato -RecoveryDatabase RecoverDB, and then press ENTER.

18. At the Confirm prompt, type Y, and then press ENTER.

Module Reviews and Takeaways

Review questions

1. What kind of backup options for Exchange Server 2010 do you find suitable for your organization?

Exchange Server 2010 provides you with various options for backing up your Exchange Server environment, from the traditional Windows Server Backup to a backup-less environment that uses multiple database copies and a lagged database.

2. What options does Exchange Server 2010 include for restoring a single item from a mailbox?

You can use hold policy and the Deleted Items folder to restore items from a mailbox. Alternatively, you can restore the database to a restore database, and then access the mailbox to recover items.

Common issues related to recovering messages

Identify the causes for the following common issues related to recovering messages, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Recover single mailbox items quickly
Troubleshooting tip: Try using Multi-Mailbox Search before you recover a database.

Issue: Restore fails when it is urgent
Troubleshooting tip: You should try to restore a database regularly, as a practice session, and verify that your backups work as you expect.

Best practices related to backup and restore

Supplement or modify the following best practices for your own work situations:

• Utilize your existing backup solution for Exchange Server backups, as you are already experienced and familiar with it.

• Try always to perform a full backup of your Exchange Server databases if you use a VSS-aware backup solution. This reduces the time you need to recover the database to its most current state.

• If you plan to follow the backup-less method, create one more database copy on cheap hard drives at a different site. This guarantees that you have an additional backup of your database available.

Lab Review Questions and Answers

Question: What backup options can you use to recover a single mailbox?

You can use hold policy and the Deleted Items folder to restore items from a mailbox. You can recover a deleted mailbox using deleted mailbox retention. However, if the deleted mailbox is older than your deleted mailbox-retention setting, you need to use a recovery database to restore the mailbox.

Question: Which Exchange Server 2010 technology would you use to create a database backup at a remote site?

You can use DAGs to create a database backup at a remote site.

Question: What is VSS?

VSS is a snapshot-based backup system.

Question: What is dial-tone recovery?

Dial-tone recovery is the process that enables you to implement access to e-mail without restoring data after a disaster.

Module 9 Configuring Messaging Policy and Compliance

Contents: Lesson 1: Introducing Messaging Policy and Compliance 2

Lesson 2: Configuring Transport Rules 4

Lesson 3: Configuring Journaling and Multi-Mailbox Search 12

Lesson 4: Configuring Messaging Records Management 17

Lesson 5: Configuring Personal Archives 23

Module Reviews and Takeaways 27

Lab Review Questions and Answers 29

Lesson 1

Introducing Messaging Policy and Compliance Contents: Question and Answers 3

Question and Answers Discussion: Compliance Requirements

Question: What type of business does your organization conduct? What are some legislated compliance requirements for your organization?

Answer: Answers will vary depending on the business the organization conducts. Some examples of legislation restricting how organizations manage information include:

• United States:

• Sarbanes-Oxley Act of 2002 (SOX)

• Gramm-Leach-Bliley Act (Financial Modernization Act)

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act)

• Canada:

• The Personal Information Protection and Electronic Documents Act

• Australia:

• Federal Privacy Act

• Europe:

• European Union Data Protection Directive (EUDPD)

• Japan:

• Japan’s Personal Information Protection Act

Question: What additional compliance requirements does your organization have?

Answer: Organizations might have additional requirements for managing e-mail. For example, the organization might want to add legal disclaimers to outgoing communications or require that certain messages require an intellectual property disclosure disclaimer. The organization also might have message-retention requirements that mandate that certain messages be retained and others deleted after a specified time.

Question: How are you currently meeting these compliance requirements?

Answer: Answers will vary. Quite a few organizations have implemented some type of archiving solution. If organizations have deployed Microsoft Exchange Server 2007, they might have taken advantage of some of its messaging compliance features. Many organizations have written policies regarding messaging compliance, but have not been able to enforce the rules except through conducting audits.

Lesson 2

Configuring Transport Rules Contents: Question and Answers 5

Detailed Demo Steps 6

Question and Answers

Demonstration: How to Configure Transport Rules

Question: What transport policies will you need to implement in your organization?

Answer: Answers will vary. Transport rules provide many different options to restrict message flow and modify messages as they pass through the Hub Transport servers.

Demonstration: How to Configure AD RMS Integration

Question: Does your organization have AD RMS deployed? Are you planning to deploy AD RMS?

Answer: Answers will vary. Not many organizations have deployed AD RMS. The organizations that have deployed it tend to have stringent requirements for managing access to content.

Question: How will Exchange Server 2010 make it easier to deploy AD RMS?

Answer: The Exchange Server 2010 features overcome two important limitations of previous AD RMS deployments. First, by using transport rules, you can apply AD RMS even if users have chosen not to do so. In previous versions, the user had to apply the protection. Secondly, the AD RMS Prelicensing Agent will make the AD RMS integration easier to use for mobile clients.

Demonstration: How to Configure Moderated Transport

Question: Will you deploy moderated transport in your organization? If so, where would you use it?

Answer: Answers will vary. Because this is a new feature in Exchange Server 2010, many students may not have considered this option. Ask them to describe scenarios where they need to restrict who can send to a recipient, and then ask them to consider if moderated transport would be the best option for enabling the restrictions.

Detailed Demo Steps

Demonstration: How to Configure Transport Rules

Demonstration steps

1. Open the Exchange Management Console.

2. Under Organization Configuration, in the Hub Transport node, create a new transport rule with the following configuration:

• Name: Type Company Disclaimer HTML.

• Condition: Choose sent to users that are inside the organization.

• Action: Choose append disclaimer text and fallback to action if unable to apply.

• Disclaimer text: Type the following:

<html> <body> <br>&nbsp</br> <br>&nbsp</br> <b><font color=red>This e-mail and attachments are intended for the individual or group addressed.</font></b> </body> </html>

3. Open the Exchange Management Shell.

4. Type the following cmdlet:

New-TransportRule -Name "Social Insurance Number Block Rule" -SubjectOrBodyMatchesPatterns "\d\d\d-\d\d\d-\d\d\d" -RejectMessageEnhancedStatusCode "5.7.1" -RejectMessageReasonText "This message has been rejected because of content restrictions"

5. To test the transport rules:

• Send a message from one internal user to another. Verify that the HTML disclaimer is attached.

• Send a message from one internal user to another with the string 111-111-111 in the message body. Verify that the sender receives a non-delivery report (NDR).

Note: In a regular expression, the \d pattern string matches any single numeric digit. You can use a variety of pattern strings to search the message contents for a consistent pattern. For example, you can use \s to represent a space, or \w to represent any letter or decimal digit. For detailed information about configuring regular expressions in a transport rule, see the topic “Regular Expressions in Transport Rules” in Exchange Online Help.
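The following is an added example, not part of the course material: a Python harness that runs the \d\d\d-\d\d\d-\d\d\d pattern from the rule above over sample message bodies, to show what the rule would reject and what it would let through before you enable it. It goes beyond the demonstration by adding a Luhn checksum (the check digit scheme used by Canadian Social Insurance Numbers) and a look at other ways of writing nine digits. The sample messages and function names are constructed for this example, and Python's re module only approximates the transport rule regex engine.

```python
import re

# The pattern from the transport rule on this page, evaluated with Python's
# re module (an approximation of the Exchange transport rule engine).
PAGE_PATTERN = re.compile(r"\d\d\d-\d\d\d-\d\d\d", re.ASCII)

# Analysis-only pattern (an assumption of this example, NOT transport rule
# syntax): nine digits written with spaces or with no separators at all.
OTHER_FORMATS = re.compile(r"(?<![\d-])\d{3} ?\d{3} ?\d{3}(?![\d-])", re.ASCII)

# Constructed sample message bodies. 111-111-111 is the test string used on
# this page; 046-454-286 is a constructed value chosen to pass the checksum.
SAMPLES = {
    "page_test": "Testing the Social insurance number block rule. 111-111-111",
    "valid_sin": "Employee SIN on file: 046-454-286.",
    "phone": "Call the help desk at 604-555-0123 before noon.",
    "spaces": "Employee SIN on file: 046 454 286.",
    "plain": "No numbers here.",
}


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def rule_would_reject(body):
    """True if the page's pattern matches anywhere in the body."""
    return PAGE_PATTERN.search(body) is not None


def triage(body):
    """Classify each match so likely false positives can be spotted."""
    findings = []
    for m in PAGE_PATTERN.finditer(body):
        before = body[m.start() - 1:m.start()] if m.start() else ""
        after = body[m.end():m.end() + 1]
        # A digit or hyphen on either side means the match is only a slice
        # of a longer number, such as a ten-digit phone number.
        embedded = any(ch and ch in "0123456789-" for ch in (before, after))
        checksum_ok = luhn_valid(m.group().replace("-", ""))
        if embedded:
            verdict = "part of longer number"
        elif checksum_ok:
            verdict = "likely SIN"
        else:
            verdict = "shape only"
        findings.append({"match": m.group(), "verdict": verdict})
    return findings


def missed_formats(body):
    """Checksum-valid nine-digit values the page's pattern does not match."""
    return [m.group() for m in OTHER_FORMATS.finditer(body)
            if luhn_valid(m.group().replace(" ", ""))]


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10} reject={rule_would_reject(body)!s:5} "
              f"matches={triage(body)} missed={missed_formats(body)}")
```

Every sample with a match would be rejected by the rule as written; the verdict only indicates which rejections are likely false positives, and the missed list shows content the rule would deliver unchanged.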

Demonstration steps

1. On VAN-EX1, open the Exchange Management Console.

2. Under Organization Configuration, click Hub Transport.

3. In the Actions pane, click New Transport Rule.

4. On the Introduction page, in the Name field, type Company Disclaimer HTML.

5. Verify that Enable Rule is selected, and then click Next.

6. On the Conditions page, under Step 1, select sent to users that are inside or outside the organization, or partners, and then click Next.

7. On the Actions page, under Step 1, select append disclaimer text and fallback to action if unable to apply.

8. Under Step 2, click the disclaimer text link.

9. In the Specify disclaimer text box, type the following text, ensuring that you press ENTER at the end of each line:

<html> <body> <br>&nbsp</br> <br>&nbsp</br> <b><font color=red>This e-mail and attachments are intended for the individual or group addressed.</font></b> </body> </html>

10. Click OK, and then click Next.

11. Click Next, and then click New to create the new HTML disclaimer.

12. On the Completion page, click Finish.

13. On VAN-EX1, open the Exchange Management Shell.

14. At the PS prompt, type the following cmdlet, and then press ENTER:

New-TransportRule -Name "Social Insurance Number Block Rule" -SubjectOrBodyMatchesPatterns "\d\d\d-\d\d\d-\d\d\d" -RejectMessageEnhancedStatusCode "5.7.1" -RejectMessageReasonText "This message has been rejected because of content restrictions"

15. To test the transport rules, switch to VAN-CL1, and then open Office Outlook 2007.

16. Click New, and then create a message with the following properties:

• To: Administrator

• Subject: Disclaimer Test

• Content: Testing the HTML disclaimer

17. Send the message.

18. On VAN-EX1, open Windows® Internet Explorer®, and connect to https://VAN-EX1.adatum.com/owa.

19. Log on to Microsoft Outlook Web App as Adatum\Administrator with a password of Pa$$w0rd. Click OK.

20. Verify that the message from Luca Dellamore includes the HTML disclaimer.

21. On VAN-CL1, create a new message with the following properties:

• To: Administrator

• Subject: Transport Rule Test

• Content: Testing the Social insurance number block rule. 111-111-111

22. Send the message.

23. Verify that the user receives an NDR with the rejected message text that you configured.

Demonstration: How to Configure AD RMS Integration

Demonstration steps

1. Open Outlook 2007 and create a new message for an internal recipient.

2. In the Message ribbon, click the Permission icon.

3. In the Windows Security dialog box, log on as the mailbox user.

4. In the Permission dialog box, select the Restrict permission to this document check box.

5. When the message appears, verify that the message now contains the Do Not Forward header. Send the message.

6. Log on as the message recipient, open Outlook 2007, open the restricted message, and then log on using the user credentials. Verify that you do not have permission to forward the message.

7. On VAN-DC1, modify the permissions on the C:\inetpub\wwwroot\_wmcs\certification\servercertification.asmx file to grant Read and Execute access to the Exchange Servers group and the anonymous Internet Information Services (IIS) user account.

8. Restart the IIS.

9. On an Exchange server, at the PS prompt, type set-irmconfiguration -InternalLicensingEnabled:$true, and then press ENTER. This cmdlet enables AD RMS encryption on the Hub Transport server.

10. Use the test-irmconfiguration cmdlet to test the IRM configuration.

11. In the Exchange Management console, create a new transport rule named AD RMS Test Rule, which applies the Do Not Forward AD RMS template for all messages sent between two specified users.

12. Send a message from one of the specified users to the other. Verify that the Do Not Forward template is applied to the message.

Demonstration steps

1. On VAN-CL1, open Outlook 2007.

2. Create a new message with the following properties:

• To: Administrator.

• Subject: Testing AD RMS integration

• Content: This is a protected e-mail.

1. In the Message ribbon, click the Permission icon.

2. In the Windows Security dialog box, log on as Luca using the password Pa$$w0rd. Wait while Luca’s credentials are prepared.

3. When the message appears, verify that the message now contains the Do Not Forward header. Click Send, close Outlook, and then log off.

4. Log on to VAN-CL1 as Adatum\Administrator using the password Pa$$w0rd.

5. Open Outlook 2007, and then open the message from Luca Dellamore.

6. In the Windows Security dialog box, log on as Administrator using a password of Pa$$w0rd. Click OK.

7. When the message opens, verify that you do not have permission to forward the message. Close the message.

8. On VAN-DC1, open Windows Explorer, browse to C:\inetpub\wwwroot\_wmcs\certification, right-click servercertification.asmx, and then click Properties.

9. In the Server Certification.asmx Properties dialog box, click the Security tab, and then click Edit.

10. In the Permissions for Server Certification.asmx dialog box, click Add.

11. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.

12. In the Enter the object names to select field, type Exchange Servers, and then click OK.

13. Click Add. In the Enter the object names to select field, type IIS_IUSRS, and then click OK twice.

14. On VAN-DC1, open a command prompt, type IISReset, and then press ENTER. Wait for the service to restart, and then close the command prompt.

15. On VAN-EX1, in the Exchange Management Shell, type get-irmconfiguration, and then press ENTER. This cmdlet displays the default AD RMS integration configuration for the Exchange Server organization.

16. At the PS prompt, type set-irmconfiguration -InternalLicensingEnabled:$true, and then press ENTER. This cmdlet enables AD RMS encryption on the Hub Transport server.

17. At the PS prompt, type test-irmconfiguration -sender [email protected], and then press ENTER. This cmdlet tests the AD RMS configuration.

18. On VAN-EX1, in the Exchange Management Console, under Organization Configuration, click Hub Transport.

19. In the Actions pane, click New Transport Rule.

20. On the Introduction page, in the Name field, type AD RMS Test Rule.

21. Verify that Enable Rule is selected, and then click Next.

22. On the Conditions page, under Step 1, select from people.

23. Under Step 2, click the people link. In the Specify senders dialog box, click Add, click Administrator, and then click OK twice.

24. On the Conditions page, under Step 1, select sent to people.

25. Under Step 2, click the people link. In the Specify recipients dialog box, click Add, click Luca Dellamore, and then click OK twice.

26. Click Next.

27. On the Actions page, under Step 1, select rights protect message with RMS template.

28. Under Step 2, click the RMS Template link.

29. In the Select RMS template dialog box, click Do Not Forward, and then click OK.

30. Click Next twice, and then click New. Click Finish.

31. On VAN-CL1, ensure that you are logged on as Administrator. Create a new message with a subject of Transport Rule ADRMS test, and send it to Luca.

32. Log off VAN-CL1, and then log on as Luca.

33. Open Outlook and verify that Luca received the message entitled “Transport Rule ADRMS test” and that the Do Not Forward template is protecting the message. You will need to authenticate again to open the message.

Demonstration: How to Configure Moderated Transport

Demonstration steps

1. In the Exchange Management Console, under Recipient Configuration, click Distribution Group.

2. In the middle pane, right-click a distribution list, and then click Properties.

3. On the Mail Flow Settings tab, double-click Message Moderation.

4. In the Message Moderation dialog box, select the Messages sent to this group have to be approved by a moderator check box. Add the group moderators and add any users who do not require moderation to send to the group.

5. Create a new transport rule that forwards any message sent to a distribution list for moderation. Choose a moderator for the rule, and then configure any exceptions that are required.

6. Send a message to the distribution group configured for moderation.

7. Send a message to the distribution group configured for moderation in the transport rule.

8. Open the mailbox of a moderator configured for both the distribution group and transport rule. Approve both messages.

Demonstration steps

10. On VAN-EX1, open the Exchange Management Console.

11. Under Recipient Configuration, click Distribution Group.

12. In the middle pane, right-click Marketing, and then click Properties.

13. On the Mail Flow Settings tab, double-click Message Moderation.

14. In the Message Moderation dialog box, select the Messages sent to this group have to be approved by a moderator check box.

15. Under Specify group moderators, click Add.

16. In the Select Recipient – Entire Forest dialog box, click Luca Dellamore, and then click OK.

17. Under Specify senders who don’t require message approval, click Add.

18. In the Select Recipient dialog box, click Marketing, and then click OK three times.

19. Under Organization Configuration, click Hub Transport.

20. In the Actions pane, click New Transport Rule.

21. On the Introduction page, in the Name field, type ITAdmins Group Moderation. Verify that Enable Rule is selected, and then click Next.

22. Under Conditions in Step 1, select sent to a member of distribution list.

23. Under Step 2, click the distribution list link.

24. In the Specify recipient distribution group dialog box, click Add.

25. In the Select Mail Enabled Group window, select ITAdmins, click OK, and then click OK again.

26. Click Next.

27. Under Actions in Step 1, select forward the message to addresses for moderation.

28. Under Step 2, click the addresses link.

29. In the Specify recipients window, click Add.

30. In the Select Recipient User or Contact window, click Luca Dellamore, click OK, and then click OK again.

31. Click Next.

32. On the Exceptions page, under Step 1, select except when the message is from a member of distribution list.

33. Under Step 2, click the distribution list link.

34. In the Specify sender distribution list window, click Add.

35. In the Select Mail Enabled Group window, select ITAdmins, click OK, and then click OK.

36. Click Next, and then click New.

37. On the Completion page, click Finish.

38. Open Internet Explorer, and then connect to https://VAN-EX1.Adatum.com/owa.

39. Log on to Outlook Web App as Adatum\Administrator with a password of Pa$$w0rd.

40. In the Inbox, click New.

41. In the To field, type ITAdmins.

42. Type a subject and a short message, and then click Send.

43. In the Inbox, click New.

44. In the To field, type Marketing.

45. Type a subject and a short message, and then click Send.

46. On VAN-CL1, verify that you are logged in as Luca, open Outlook, and then verify that there are two messages waiting for Luca’s approval.

47. Double-click the first e-mail message, and then on the Vote menu, click Approve. Close the message.

48. Double-click the second e-mail message, and then on the Vote menu, click Approve. Close the message.

Lesson 3

Configuring Journaling and Multi-Mailbox Search Contents: Question and Answers 13

Detailed Demo Steps 14

Question and Answers

Demonstration: How to Configure Message Journaling

Question: What are the advantages and disadvantages of using the Exchange Server 2010 message journaling feature?

Answer: Answers will vary depending on what tool the organization has deployed. Exchange Server 2010 journaling has one advantage: it enables you to specify any archival location for messages, and you can filter journaling based on recipients rather than at a database level. However, Exchange Server 2010 does not provide any automated tools for managing the journal mailbox, so you will need to implement a manual management process.

Detailed Demo Steps

Demonstration: How to Configure Message Journaling

Demonstration steps

1. In Exchange Management Console, under Organization Configuration, click Hub Transport.

2. Create a new journal rule. Specify a name for the rule, and a journal mailbox. A copy of all messages that the rule affects will be sent to the journal mailbox.

3. Specify the journal rule scope and recipients. The scope defines whether only internal or only external messages, or both, will be journaled. All messages that the recipient sends or receives are journaled.

4. Send a test message to a journal recipient. Log on to the journal recipient mailbox, and then reply to the message.

5. Log on to the journal mailbox and confirm that the journal mailbox contains a journal report for both the sent message and the reply message.

Demonstration steps

7. On VAN-EX1, in the Exchange Management Console, under Organization Configuration, click Hub Transport.

8. In the Actions pane, click New Journal Rule to start the New Journal Rule wizard.

9. On the New Journal Rule page, in the Rule name field, type Executives Message Journaling.

10. Beside Send Journal reports to e-mail address, click Browse.

11. In the Select Recipient dialog box, click Luca Dellamore, and then click OK.

Important: In this demonstration, you are choosing another user’s mailbox as the destination for the journaled messages. In a production environment, choose a mailbox that you can dedicate as a journal mailbox.

12. Under Scope, click Internal – internal messages only.

13. Select the Journal messages for recipient check box, and then click Browse.

14. In the Select Recipient dialog box, click Executives, and then click OK.

15. On the New Journaling Rule page, click New, and then click Finish.

16. On VAN-EX1, open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Administrator with a password of Pa$$w0rd.

17. Create a new message, and then send it to Scott MacDonald. Scott is a member of the Executives group. Close Internet Explorer.

18. Open a new instance of Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Scott with the password Pa$$w0rd.

19. Confirm that the message from the Administrator arrived. Reply to the message, and then close Internet Explorer.

20. On VAN-CL1, verify that you are logged in as Luca, open Outlook, and then confirm that the journal mailbox contains both a journal report for the message sent to Scott and the reply message.

Demonstration: How to Configure Multi-Mailbox Search

Demonstration steps

1. In Active Directory Users and Computers, add the user or group that will perform Discovery searches to the Discovery Management group.

2. Send a message with a key word or phrase in it. You will be searching on this key word or phrase.

3. Connect to the Exchange Control Panel on a Client Access server using the account that will perform the search.

4. On the Reporting tab, under Multi-Mailbox Search, configure the search parameters.

5. Select the Send me an e-mail when the search is done check box, and then start the search.

6. Open the e-mail indicating the search is finished, and then click the Discovery Search Mailbox link.

7. Review the messages located by the search.

Demonstration steps

9. On VAN-DC1, open Active Directory Users and Computers, and then in the Microsoft Exchange Security Groups organizational unit (OU), double-click the Discovery Management group.

10. In the Discovery Management Properties dialog box, on the Members tab, click Add, type Luca, and then click OK twice.

11. On VAN-EX1, in Exchange Management Console, under Recipient Configuration, click Mailbox.

12. In the recipient list, click Discovery Search Mailbox, and then click Manage Full Access Permission.

13. On the Manage Full Access Permission page, click Add, click Luca Dellamore, click OK, click Manage, and then click Finish.

14. On VAN-CL1, if required, open Outlook.

15. In the Inbox, click New.

16. In the To field, type Manoj;Wei, and then press CTRL+K to resolve the names.

17. In the Subject field, type New Inventory.

18. In the message box, type We’ve received the new ProjectX items in inventory., and then click Send.

19. Open Internet Explorer, and then connect to https://VAN-EX1.Adatum.com/ecp.

20. Log on to the ECP as Adatum\Luca with a password of Pa$$w0rd.

21. In the Select what to manage drop-down list, ensure that My Organization is listed.

22. In the left pane, click Reporting. Under Multi-Mailbox Search, click New.

23. In the Keywords box, type ProjectX.

24. Expand Mailboxes to Search.

25. Under Select the mailboxes to search, click Add. In the Select Mailbox window, click Manoj Syamala, and then click Add. Click Luca Dellamore, and then click Add. Click Wei Yu, click Add, and then click OK.

26. Expand Search Name and Storage Location.

27. In the Search name field, type ProjectX Discovery.

28. Next to Select a mailbox in which to store the search results, click Browse.

29. In the Select Mailbox window, click Discovery Search Mailbox, and then click OK.

30. Click Save. Wait until the search status changes to Succeeded.

31. In the Internet Explorer window, in the top right corner, click My Mail.

32. In the top right corner, click Luca Dellamore, and then in the Select mailbox field, type Discovery. Click Open twice. In the Outlook Web App window, click OK.

33. In the Navigation pane, notice the new discovery folder named ProjectX Discovery. Expand the ProjectX Discovery folder.

34. Note the three folders created that correspond to the mailboxes added to the search criteria.

35. Expand Luca Dellamore, expand Primary Mailbox, and then expand Sent Items. Verify that the e-mail was discovered using the search criteria.

36. Expand Manoj Syamala, expand Primary Mailbox, and then expand Inbox.

37. Close Outlook Web App and Outlook.

Lesson 4

Configuring Messaging Records Management Contents: Question and Answers 18

Detailed Demo Steps 19

Question and Answers

Demonstration: How to Configure Retention Tags and Policies

Question: Do you think you will implement retention policies?

Answer: Answers will vary. Many organizations do not have specific e-mail retention requirements, so they are unlikely to implement retention policies. Other organizations may choose to use retention policies as a way to help users manage the contents of their mailboxes.

Question: Which MRM option are you more likely to implement: managed custom or default folders, or retention policies?

Answer: Answers will vary. Organizations that are using MRM to manage project-related messages may be more likely to use managed custom folders. Organizations are more likely to use retention policies if the goal is automating the process of tagging e-mail.

Detailed Demo Steps

Demonstration: How to Configure Retention Tags and Policies

Demonstration steps

Use the following cmdlets to configure Retention Tags and policies:

New-RetentionPolicyTag DefaultTag -Type:All -MessageClass AllMailboxContent -RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction PermanentlyDelete -IsPrimary:$true

This cmdlet creates a new default Retention Policy Tag named DefaultTag that applies to all folders. The retention policy content settings will apply to all messages that do not have another Retention Tag assigned to them, and will permanently delete all messages after 365 days.

New-RetentionPolicyTag InboxTag -Type:Inbox -MessageClass:* -AgeLimitForRetention:30 -RetentionEnabled:$True -RetentionAction:MoveToDeletedItems

This cmdlet sets a Retention Tag for the Inbox folder and configures a content setting to move all messages to the Deleted Items folder after 30 days.

New-RetentionPolicyTag "Business Critical" -Type:Personal -MessageClass:* -AgeLimitForRetention:1100 -RetentionEnabled:$True -RetentionAction:MoveToArchive

This cmdlet creates a Personal Tag named Business Critical that sets a retention period of about three years and moves the messages to the user archive mailbox when the retention period expires.

New-RetentionPolicy AllTagsPolicy -RetentionPolicyTagLinks:DefaultTag,InboxTag,"Business Critical"

This cmdlet creates a new retention policy named AllTagsPolicy, and adds all of the Retention Tags to the policy.

Set-Mailbox Luca -RetentionPolicy AllTagsPolicy

Demonstration steps

1. On VAN-EX1, if required, open the Exchange Management Shell.

2. At the PS prompt, type the following, and press ENTER:

New-RetentionPolicyTag DefaultTag -Type:All -MessageClass AllMailboxContent -RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction PermanentlyDelete -IsPrimary:$true

3. At the PS prompt, type the following, and then press ENTER:

New-RetentionPolicyTag InboxTag -Type:Inbox -MessageClass:* -AgeLimitForRetention:30 -RetentionEnabled:$True -RetentionAction:MoveToDeletedItems

4. At the PS prompt, type the following, and then press ENTER:

New-RetentionPolicyTag "Business Critical" -Type:Personal -MessageClass:* -AgeLimitForRetention:1100 -RetentionEnabled:$True -RetentionAction:MoveToArchive

5. At the PS prompt, type the following, and then press ENTER:

New-RetentionPolicy AllTagsPolicy -RetentionPolicyTagLinks:DefaultTag,InboxTag,"Business Critical"

6. At the PS prompt, type the following, and then press ENTER:

Set-Mailbox Andreas -RetentionPolicy AllTagsPolicy

7. Read the confirmation statement, and then press ENTER.

8. At the PS prompt, type the following, and then press ENTER:

Start-ManagedFolderAssistant -Mailbox Andreas

9. Open Internet Explorer, and connect to https://van-ex1.adatum.com/owa.

10. Log on as Adatum\Andreas using a password of Pa$$w0rd.

11. Click a message in the Inbox, and then in the reading pane, point out the expiration time for the message.

12. Right-click the message and review the options under the Retention Policy and Archive Policy menu items.
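The retention configuration built in this demonstration can be reviewed read-only before the Managed Folder Assistant acts on it. The following is an added example, not part of the courseware; it assumes the Exchange Management Shell and the demonstration's AllTagsPolicy, and the variable names are illustrative.

```powershell
# Added example (not from the courseware): read-only review of the retention
# configuration from the demonstration. Run in the Exchange Management Shell.
$policyName = 'AllTagsPolicy'   # policy name used in the demonstration

# 1. Show the policy and the tags linked to it.
Get-RetentionPolicy -Identity $policyName |
    Format-List Name, RetentionPolicyTagLinks

# 2. List every retention tag with the settings that decide what happens to mail.
$tags = Get-RetentionPolicyTag
$tags | Sort-Object Type, Name |
    Format-Table Name, Type, RetentionEnabled, AgeLimitForRetention, RetentionAction -AutoSize

# 3. Flag enabled tags whose action cannot be undone by the user.
#    The action is compared as a string so the test also works on objects
#    that come back through a remote PowerShell session.
$destructive = $tags | Where-Object {
    $_.RetentionEnabled -and "$($_.RetentionAction)" -eq 'PermanentlyDelete'
}
foreach ($tag in $destructive) {
    Write-Warning ("Tag '{0}' (type {1}) permanently deletes items; age limit {2}" -f `
        $tag.Name, $tag.Type, $tag.AgeLimitForRetention)
}

# 4. Mailboxes that have any retention policy assigned, with their hold state.
#    A mailbox on retention hold is skipped while the hold is in effect.
$mailboxes = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.RetentionPolicy }
$mailboxes |
    Format-Table Name, RetentionPolicy, RetentionHoldEnabled, EndDateForRetentionHold -AutoSize

# 5. A MoveToArchive tag needs a personal archive to move items into.
#    Report policy-enabled mailboxes that have no archive.
$archiveTags = $tags | Where-Object { "$($_.RetentionAction)" -eq 'MoveToArchive' }
if ($archiveTags) {
    $mailboxes | Where-Object { $_.ArchiveGuid -eq [guid]::Empty } | ForEach-Object {
        Write-Warning ("Mailbox '{0}' has policy '{1}' but no personal archive" -f `
            $_.Name, $_.RetentionPolicy)
    }
}
```

Every command in the block is a Get- cmdlet or local formatting, so running it changes nothing in the organization.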

Demonstration: How to Implement Managed Custom Folders and Content Settings

Demonstration steps

1. In the Exchange Management Console, in the Organization Configuration work area, click Mailbox.

2. Create a new managed custom folder using the following configuration:

• Name: Contoso Project

• Comment: All items related to Contoso Project should be posted here and will be retained for 2 years

3. Right-click the Contoso Project folder, and then create a new managed content setting with the following configuration:

• Name: Contoso Project Content Settings

• Message type: All Mailbox Content

• Length of retention period: 731

• Retention period starts: When item is moved to the folder

• Action to take at the end of the retention period: Permanently delete

• Journaling: Disabled

4. In the Actions pane, click New Managed Folder Mailbox Policy, and then create a new managed folder mailbox policy named Accounting Department Policy that includes the Contoso Project folder.

5. Assign the Accounting Department Policy to all users in the Accounting OU.

6. On the Mailbox server properties, schedule the Managed Folder Assistant to run during the current time.

7. Restart the Microsoft Exchange Mailbox Assistants service.


8. Use Outlook Web App to check the mailbox of an Accounting department member. Verify that the Contoso Project folder was created in the user’s mailbox.

Demonstration steps

1. On the VAN-EX1 computer, in the Exchange Management Console, in the Organization Configuration work area, click Mailbox.

2. In the Actions pane, click New Managed Custom Folder to start the New Managed Custom Folder wizard.

3. On the New Managed Custom Folder page, in the Name field, type Contoso Project.

4. In the Display the following comment when the folder is viewed in Outlook text box, type All items related to Contoso Project should be posted here and will be retained for 2 years.

5. Select the Do not allow users to minimize this comment in Outlook check box, and then click New.

6. On the Completion page, review the completion report, and then click Finish.

Note: After creating the managed custom folder, you can assign content settings to it. You also can assign content settings to any default folders.

7. Right-click the Contoso Project folder, and then click New Managed Content Settings.

8. On the Introduction page, in the Name of the managed content settings to be displayed in the Exchange Management Console box, type Contoso Project Content Settings.

9. In the Message type list, ensure that All Mailbox Content is selected.

10. Select the Length of retention period (days) check box, and then type 731 in the text box.

11. In the Retention period starts list, click When item is moved to the folder. You also can configure the retention period to start when the message is delivered to the user mailbox.

12. In the Action to take at the end of the retention period list, click Permanently delete. You also can configure the message to move to another managed custom folder or to be deleted with the option to recover the message.

13. On the Introduction page, click Next.

14. On the Journaling page, select the Forward copies to check box, and then click Browse. Notice that you can send a copy of the message to any valid recipient, including a custom recipient with an SMTP address referring to a SharePoint document library, or a third-party archiving application.

15. Click Cancel.

16. Clear the Forward copies to check box, and then click Next.

17. On the New Managed Content Settings page, review the summary, click New, and then click Finish.

18. On the Managed Custom Folders tab, expand Contoso Project. The managed content setting is linked to the managed custom folder.

19. On the Managed Default Folders tab, right-click Inbox, and then click the New Managed Content Settings option. You can apply the same content settings to any default folders. Click Cancel, and then click Yes.


20. Point out the Entire Mailbox item on the Managed Default Folders tab. If you apply content settings to this item, the settings are applied to all default folders in the user mailboxes.

21. In the Actions pane, click New Managed Folder Mailbox Policy to start the New Managed Folder Mailbox Policy wizard.

22. On the New Mailbox Policy page, in the Managed folder mailbox policy name box, type Accounting Department Policy.

23. In the Specify the managed folders that you want to link to this policy section, click Add.

24. In the Select Managed Folder dialog box, click Contoso Project, and then click OK. Notice that you can add additional managed folders to the policy.

25. On the New Mailbox Policy page, click New, and then click Finish.

26. In the Exchange Management Console, click the Recipient Configuration node, and then click Mailbox. In the Results pane, click the Organization Unit heading to sort the mailbox list by OU.

27. Select all of the mailboxes in the Accounting OU, right-click, and then click Properties.

28. On the Mailbox Settings tab, click Messaging Records Management, and then click Properties. Select the Managed folder mailbox policy check box, and then click Browse. Click Accounting Department Policy, and then click OK.

29. In the Messaging Records Management dialog box, enable a retention hold for the user mailbox. Click OK three times, and then click Yes at the Microsoft Exchange confirmations.

When you apply the retention hold, Exchange Server does not apply the retention settings for the user mailbox folders during the time you specify. This is useful if a user is on vacation or on extended leave, and you do not want to delete unread e-mail messages.

30. In the Server Configuration work area, click Mailbox.

31. In the Results pane, right-click VAN-EX1, and then click Properties.

32. On the Messaging Records Management tab, in the Schedule the Managed Folder Assistant list, click Use Custom Schedule, and then click Customize.

33. In the Schedule dialog box, select the times from Monday 6:00 A.M. to Friday 6:00 P.M., and then click OK twice.

34. Open the Services console from the Administrative Tools menu, and then restart the Microsoft Exchange Mailbox Assistants service. Close the Services console.

35. On VAN-EX1, open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Parna with a password of Pa$$w0rd. Parna is a member of the Accounting department.

36. On the Microsoft Office Outlook Web App page, click OK.

37. Expand Managed Folders, and confirm that the Contoso Project folder has been created in the user mailbox. Click the folder, and point out the comment describing the folder that is displayed in the top-right pane. Close Internet Explorer.


Lesson 5

Configuring Personal Archives

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

Discussion: Options for Implementing Mailbox Archiving

Question: Do you have any archiving or journaling requirements in your organization?

Answer: Answers will vary. Many organizations have requirements for archiving certain messages. For example, an organization may require that messages with business-transaction information be archived for several years.

Question: How are you currently meeting these requirements?

Answer: Most organizations that have implemented an archiving solution do so using third-party applications. Previous Exchange Server versions only enabled journaling at the mailbox store level, where all messages sent and received from that store were archived.

If students have implemented a third-party archiving tool, ask them to describe how the archiving tool works and what types of functionality the tool provides.

If none of the students currently uses an archiving product, you should be prepared to describe how most archiving products work. There are three primary architectures for archiving products:

• Some archive messages immediately as they are sent to or from an Exchange server.

• Some use an agent to scan mailbox contents and archive messages based on predefined criteria.

• Some archive solutions integrate with Exchange Server 2007 or Exchange Server 2010 journaling. With this model, the archive product monitors the journal mailbox and archives messages from the journal mailbox.

Almost all archive solutions have two other features:

• They enable using cheaper storage for archived messages

• They retain a stub of the archived message in the user mailbox so that the user can access archived messages.

Demonstration: How to Configure Personal Archives

Question: Will you implement Personal Archives in Exchange Server 2010?

Answer: Answers will vary. In some organizations, PST files store a great deal of critical information, and these organizations may have an urgent requirement to manage those PST files more effectively. Organizations with limited storage space for the Exchange servers are not likely to implement Personal Archives because of the significant increase in database size that this requires.

Question: What are the benefits and disadvantages of the Personal Archives feature?

Answer: Benefits include:

• You can enable it per mailbox

• Provides users with easy access and searching of archived content


• Requires very little user training because the UI is familiar to the users

Disadvantages include:

• Significantly increases the storage requirements for the organization

• Does not provide the option of moving the archive mailbox to cheaper, slower storage


Detailed Demo Steps

Demonstration: How to Configure Personal Archives

Demonstration steps

1. On VAN-EX1, in the Exchange Management Console, click Recipient Management, and then click Mailbox.

2. Right-click a mailbox, and then click Enable Archive.

3. On the mailbox properties, review the archive quota settings.

4. Use the get-mailbox cmdlet to view the mailbox settings. Review the ArchiveName and ArchiveQuota settings.

5. Verify that you cannot view the archive mailbox in Outlook 2007, but can see it through Outlook Web App.

Demonstration steps

1. On VAN-EX1, in the Exchange Management Console, click Recipient Management, and then click Mailbox.

2. Right-click Luca Dellamore, click Enable Archive, and then click Yes.

3. Right-click Luca Dellamore, and then click Properties.

4. On the Mailbox Settings tab, click Archive Quota, and then click Properties. Notice that you can configure a mailbox quota for the archive mailbox. Click Cancel.

5. In the Exchange Management Shell, type get-mailbox Luca | FL, and then press ENTER. Review the ArchiveName and ArchiveQuota settings.

6. On VAN-CL1, verify that you are logged on as Luca, open Outlook, and then verify that you do not see the archive mailbox.

7. Open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Luca with a password of Pa$$w0rd. Verify that the archive mailbox is visible through Outlook Web App.


Module Reviews and Takeaways

Review questions

1. You need to ensure that a copy of all messages sent to a particular distribution group is saved. You only want copies of messages sent to the distribution group, not copies of all messages sent to individual members of the group. What should you configure?

Configure a transport rule that sends a copy of all messages to a mailbox. If you set up a journaling rule, all messages sent to members of the distribution group also will be saved.

2. You need to ensure that a user can search all Exchange Server organization mailboxes for specific content. What should you do? What user training will you need to provide?

Add the user to the Discovery Manager security group in AD DS or Active Directory. This will give the user the required permissions. Then you need to show the user how to use the ECP to perform mailbox searches.

3. You need to ensure that all messages related to a particular project are retained for three years. Users in your organization use both Outlook 2007 and Outlook 2010. What should you do?

Configure a custom managed folder, configure the content settings for the folder, and then create a managed folder mailbox policy for all users who are working on the project. Because users are using Outlook 2007 and Outlook 2010, you cannot use Retention Tags, as these are not accessible in Outlook 2007.

Common issues related to implementing messaging policies

Identify the causes for the following common issues and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Transport rules that use regular expressions are not applied consistently.

Troubleshooting tip: If you are using a transport rule to check for information such as customer identification numbers or some other regular pattern of characters, ensure that your rule also checks for variations on the regular pattern. For example, if the customer identification number usually has dashes, you might also want to add the pattern without dashes to the rule.

Issue: Message recipients report that they are receiving error messages when they receive digitally signed messages from other users in the organization.

Troubleshooting tip: If you have a transport rule in place that modifies the message content, any digital signature attached to the message will be invalid and users will get an error message when they open the message. To avoid this, consider instructing users to add a disclaimer to all messages as part of their signature, and remove the transport rule.

Issue: After you implement a transport rule, users report that some of the messages they send to Internet recipients are not delivered and they do not receive notification of why the messages were not delivered.

Troubleshooting tip: Ensure that when you implement a transport rule that might affect message delivery, you configure an action in the transport rule that informs the user if the message cannot be delivered. Normally, you would do this with a bounce message.


Real-world issues and scenarios

1. The Exchange Server administrators at Contoso, Ltd., have implemented a custom message classification on the Exchange servers, but they notice that the custom classification is not available on the Outlook 2007 clients in the organization. What do they need to do?

To make the custom message classification available on the client, export the classification file on the server, and then provide it to all clients. You also need to configure a registry setting on each client that points them to the classification file.

2. A. Datum Corporation has deployed an AD RMS server, and users are using it to protect e-mail. However, users report that when they protect e-mail messages, users outside the organization cannot read the messages. What should A. Datum messaging administrators do?

To read AD RMS-protected e-mails, users must have an account in the Active Directory forest. In most cases, users outside the organization will not have an account in the organization’s forest. This means that users are unable to send AD RMS-protected e-mail to external users. If this is a requirement and the other organization also runs AD RMS, you can integrate the AD RMS environments.

3. Woodgrove Bank has implemented message journaling for all messages sent to and from the legal and compliance teams. These messages need to be available to auditors for seven years. The mailboxes used for journaling are growing rapidly. What should the messaging administrators at Woodgrove Bank do?

If the organization does not have the capacity to retain the messages in the journaling mailboxes, they will need to investigate options to store the messages elsewhere. One of the easiest ways to manage this is to ensure that the journal mailboxes are backed up regularly, and then to delete messages from the mailboxes after they have been backed up. The organization could also consider using a SharePoint site as the message journal location.

Best practices related to a particular technology area in this module

Supplement or modify the following best practices for your own work situations:

• Implementing messaging policies in Exchange Server 2010 can be complicated and the optimal configuration will be different in every organization. However, it is critical that you start thinking about this issue now in order to implement the policies and configurations that will meet your organization's legal requirements.

• Implement messaging policies only after extensive testing in a lab environment. If you configure messaging policies incorrectly, you could potentially delete messages that should be retained, or disrupt message delivery. Additionally, some messaging policies may have unintended consequences. Because of this, be sure to test all messaging policies thoroughly, and implement the policies in the production environment incrementally.

• Planning messaging policies always involves discussions with legal and compliance personnel who may not understand how you can use Exchange Server to enforce messaging policies. Be prepared to explain what Exchange Server can and cannot do in terms that people who are not messaging experts can understand.


Lab Review Questions and Answers

Lab A: Configuring Transport Rules and Journal Rules and Multi-Mailbox Search

Question: In this lab, you implemented a transport rule that added a disclaimer to all messages sent to users outside the organization. What other option do you have for implementing this type of disclaimer?

You could configure the transport rule on an Edge Transport server, and configure it to apply the disclaimer to all messages as they are sent from the organization.

Question: How can you verify that the Executives journal rule that you enabled in this lab is working properly?

One option for verifying that the rule is working is to send a message to a group member and verify that the message appears in the journal mailbox. Another option would be to use an account with Discovery Management permissions to search an Executive mailbox for all messages sent and received during a specified time. You then could validate that a copy of each message is in the journal mailbox.

Lab B: Configuring Messaging Records Management and Personal Archives

Question: Which of the following two approaches is better for ensuring that you retain a copy of specific e-mail messages: journaling rules or retention policies?

Use journaling rules to ensure that you retain a copy of specific e-mail messages. Users can bypass retention policies easily by deleting the messages.

Question: How can you ensure that users move their PST files into their archive mailbox?

It is difficult to ensure that users are moving their PST files into the archive mailboxes, but you can use Group Policy to prevent users from using PST files with Outlook. If you tell users that you are applying this policy, they are more likely to move the PST file into the archive mailbox.


Module 10

Securing Microsoft® Exchange Server 2010

Contents:

Lesson 1: Configuring Role Based Access Control

Lesson 2: Configuring Security for Server Roles in Exchange Server 2010

Lesson 3: Configuring Secure Internet Access

Module Reviews and Takeaways

Lab Review Questions and Answers


Lesson 1

Configuring Role Based Access Control

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

What Is Role Based Access Control?

Question: What requirements does your organization have for assigning Exchange Server permissions? Does your organization use a centralized or decentralized administration model? What special permissions will you need to configure?

Answer: Answers will vary. In most organizations, a central team of Exchange Server administrators likely will maintain full control of the Exchange Server environment, while another team may need permissions to create mailboxes. Other organizations may have complicated administrative scenarios in which different groups need many different permission levels.

Demonstration: Configuring Custom Role Groups

Question: Will you implement custom management roles in your organization? If so, how will you configure the management roles?

Answer: Answers will vary. Most organizations probably do not need custom management roles. Large organizations that have complicated administrative processes may require several custom management roles.

Working with Management Role Assignment Policies

Question: How will you configure role assignment policies in your organization?

Answer: Answers will vary, but for most organizations, the default configuration should suffice. Organizations normally change the default configuration only when there is a specific requirement to change how users interact with their mailboxes.


Detailed Demo Steps

Demonstration: Managing Permissions Using the Built-In Role Groups

Demonstration steps

1. In Active Directory Users and Computers, add a user or security group to the Recipient Management group.

2. Log on to an Exchange server using the delegated user account. Open the Exchange Management Console and the Exchange Management Shell.

3. Verify that the user has read access to the Exchange Server organization configuration.

4. Verify that the user cannot modify the settings on the Mailbox databases.

5. Verify that the user can modify the settings for mailboxes and distribution groups. Verify that the user account has permission to move mailboxes to another server.

6. In the Exchange Management Shell, use the get-exchangeserver | FL cmdlet to verify that the user has Read permission to the Exchange server information.

7. Use the Set-User cmdlet to verify that the user has permission to modify the Active Directory account.

Demonstration steps

1. On VAN-EX1, open Active Directory Users and Computers.

2. Expand Adatum.com, click Microsoft Exchange Security Groups, and then double-click Recipient Management.

3. On the Members tab, click Add.

4. In the Enter the object names to select field, type Conor, and then press OK twice.

5. On VAN-EX2, ensure that you are logged on as Conor.

6. Open the Exchange Management Console and the Exchange Management Shell.

7. In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration. Point out that Conor has Read access to the Exchange Server organization configuration because the Recipient Management group has been granted implicit Read permission to the organization.

8. Click Mailbox, and in the Results pane, verify that you do not have sufficient permissions to view the data.

9. Expand Recipient Configuration, click Mailbox, and then double-click Axel Delgado.

10. In the Axel Delgado Properties dialog box, click the Organization tab, verify that you can modify the user properties, and then click OK.

11. Right-click Axel Delgado, and then click New Local Move Request.

12. On the Introduction page, click Browse. In the Select Mailbox Database dialog box, click Mailbox Database 1, click OK, click Next two times, click New, and then click Finish.

Note: If you get an error that no MRS servers are available, verify that the Microsoft Exchange Mailbox Replication service is running on both VAN-EX1 and VAN-EX2.

13. In the Exchange Management Shell, type get-exchangeserver | FL, and then press ENTER. The user account has Read permission to the Exchange server information.

14. At the PS prompt, type Set-User Axel -Title Manager, and then press ENTER. Verify that Conor has permission to modify the Active Directory account.

15. Log off VAN-EX2.

Demonstration: Configuring Custom Role Groups

Demonstration steps

1. On VAN-EX1, open the Exchange Management Shell.

2. Create a new management scope that will limit the tasks that can be performed by using the following command:

3. New-ManagementScope -Name MarketingMailboxes -RecipientRoot "adatum.com/Marketing" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}

4. Create a new management role group that uses the custom management scope by using the following command:

5. New-RoleGroup -Name MarketingAdmins -Roles "Mail Recipients", "Mail Recipient Creation" -CustomRecipientWriteScope MarketingMailboxes

6. Add a user to the management role group by using the following command:

7. Add-RoleGroupMember -Identity MarketingAdmins -Member Andreas

8. In Active Directory Users and Computers, verify that the group has been created in the Microsoft Exchange Security Groups OU and that the user has been added to the group.

9. Open the Exchange Management Console as the delegated user account. Verify that the user can modify mailboxes and create new mailboxes only in the Marketing OU.

Demonstration steps

1. On VAN-EX1, open the Exchange Management Shell.

2. At the PS prompt, type the following command, and then press ENTER.

3. New-ManagementScope -Name MarketingMailboxes -RecipientRoot "adatum.com/Marketing" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}

4. Create a new management role group that uses the custom management scope by using the following command:

5. New-RoleGroup -Name MarketingAdmins -Roles "Mail Recipients", "Mail Recipient Creation" -CustomRecipientWriteScope MarketingMailboxes

6. In the Exchange Management Shell, type the following command, and then press ENTER:

7. Add-RoleGroupMember -Identity MarketingAdmins -Member Andreas

8. On VAN-EX1, open Active Directory Users and Computers.

9. Click Microsoft Exchange Security Groups and verify that the MarketingAdmins group was created and that Andreas is a member of the group.


10. On VAN-EX2, log on as Adatum\Andreas using a password of Pa$$w0rd.

11. Open the Exchange Management Console.

12. In the Exchange Management Console, expand Microsoft Exchange On-Premises, and then expand Recipient Configuration.

13. Click Mailbox, and then double-click Axel Delgado.

14. In the Axel Delgado Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is not saved.

15. Double-click Manoj Syamala.

16. In the Manoj Syamala Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is saved.

17. Click New Mailbox. Create a new mailbox in the default Users container. Verify that the user cannot create mailboxes in the Users container.

18. Click New Mailbox. Create a new mailbox in the Marketing OU. Verify that the user can create mailboxes in the Marketing OU.
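A delegated role group is only as narrow as its role assignments, so it is worth confirming from the shell that every role held by MarketingAdmins is bound to the custom scope. The following is an added example, not part of the courseware; it uses the group, scope and user names from the demonstration and must be run in the Exchange Management Shell by an account that can read role assignments.

```powershell
# Added example (not from the courseware): read-only least-privilege check of
# the custom role group created in the demonstration.
$groupName = 'MarketingAdmins'      # role group from the demonstration
$scopeName = 'MarketingMailboxes'   # management scope from the demonstration
$delegate  = 'Andreas'              # user added to the role group

# 1. Show what the custom scope actually covers.
Get-ManagementScope -Identity $scopeName |
    Format-List Name, RecipientRoot, RecipientFilter

# 2. Show who holds the delegated permissions.
Get-RoleGroupMember -Identity $groupName |
    Format-Table Name, RecipientType -AutoSize

# 3. List the role assignments that give the group its permissions.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $groupName
$assignments |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Flag any assignment that is not limited by a custom recipient scope.
#    The scope type is compared as a string so the test also works on objects
#    that come back through a remote PowerShell session.
$tooBroad = $assignments | Where-Object {
    "$($_.RecipientWriteScope)" -ne 'CustomRecipientScope'
}
if ($tooBroad) {
    foreach ($a in $tooBroad) {
        Write-Warning ("Assignment '{0}' (role {1}) has write scope {2}" -f `
            $a.Name, $a.Role, $a.RecipientWriteScope)
    }
} else {
    Write-Host "All assignments of $groupName use a custom recipient write scope."
}

# 5. List everything the delegated user holds, directly or through any group
#    or role assignment policy, to spot permissions granted outside this group.
Get-ManagementRoleAssignment -RoleAssignee $delegate |
    Sort-Object Role |
    Format-Table Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

In step 3, compare the CustomRecipientWriteScope column against MarketingMailboxes; step 5 will also list the end-user roles the account receives from its role assignment policy.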


Lesson 2

Configuring Security for Server Roles in Exchange Server 2010

Contents:

Question and Answers


Question and Answers

Discussion: What Are the Exchange Server Security Risks?

Question: What security risks do you need to protect against when deploying Exchange Server?

Answer: Answers will vary, but students should mention threats, including:

• Malicious e-mail, such as viruses and phishing e-mails.

• SMTP-based attacks on Simple Mail Transfer Protocol (SMTP) servers that your organization exposes to the Internet.

• Web-based attacks on Client Access servers.

• Compromised user credentials, either when user credentials are submitted in clear text or are captured on an unsecure kiosk.

• Compromised data, such as when mobile devices are lost or stolen, or when users access attachments through Microsoft Outlook® Web App from unsecure client computers.

Question: What risks are the most serious?

Answer: The most serious threat to most Exchange Server organizations relates to malicious e-mails. Although most organizations now use excellent anti-virus and antiphishing applications, new types of malicious software still pose a serious threat.

Additionally, when users access e-mail from unsecure mobile clients or public computers, such as kiosks, this poses an additional, more-serious threat in most organizations.


Lesson 3

Configuring Secure Internet Access

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

Demonstration: Configuring Threat Management Gateway for Outlook Web Access

Question: Has your company deployed a reverse proxy? If so, what kind? How does your reverse proxy compare to the TMG?

Answer: Answers will vary. Many companies have deployed Internet Security and Acceleration (ISA) Server 2006 and are using it to secure messaging client connections. Other companies have deployed hardware-based reverse proxies. Most of the reverse proxies provide the same functionality, but the process for configuring the settings may be very different.


Detailed Demo Steps

Demonstration: Configuring Threat Management Gateway for Outlook Web Access

Demonstration steps

1. On VAN-TMG, open the Forefront TMG Management console.

2. In the Firewall Policy node, create an Exchange Server publishing rule by using the New Exchange Publishing Rule Wizard. Configure the rule with the following settings:

• Name: OWA Access Rule

• Exchange version: Exchange Server 2010

• Service: Outlook Web App

• Server Connection Security: Use SSL to connect the published Web server or server farm

• Internal site name: VAN-EX1.Adatum.com

• Public Name Details page: mail.Adatum.com

3. Create a new Web Listener with the following settings:

• Name: HTTP Listener

• Client Connection Security: Do not require SSL secure connections from clients

• Web Listener IP Addresses: External

• Authentication Settings: HTML Form Authentication

• Single Sign-On (SSO) Settings: Enabled

• SSO domain name: ADatum.com

4. On the Authentication Delegation page, click Basic authentication.

5. Accept the default User Sets configuration, finish the wizard, and then apply the changes.

Demonstration steps

1. On VAN-TMG, click Start, point to All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.

2. Expand Forefront TMG, and then click Firewall Policy.

3. On the Firewall Policy Tasks pane, on the Tasks tab, click Publish Exchange Web Client Access.

4. On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA Access Rule, and then click Next.

5. On the Select Services page, in the Exchange version list, click Exchange Server 2010, select the Outlook Web Access check box, and then click Next.

6. On the Publishing Type page, click Next.

7. On the Server Connection Security page, ensure that Use SSL to connect the published Web server or server farm is configured, and then click Next. When you configure this option, the TMG server re-encrypts all network traffic sent to the Client Access server.


8. On the Internal Publishing Details page, in the Internal site name text box, type VAN-EX1.Adatum.com, and then click Next.

9. On the Public Name Details page, ensure that This domain name (type below) is configured in the Accept requests for drop-down list. In the Public name box, type mail.Adatum.com, and then click Next.

10. On the Select Web Listener page, in the Web Listener drop-down list, click New. Web listeners are configuration objects on the TMG server that define how the server accepts client connections.

11. On the Welcome to the New Web Listener Wizard page, type HTTP Listener, and then click Next.

12. On the Client Connection Security page, click Do not require SSL secure connections from clients, and then click Next.

Important: In a production environment, you always should use the option to Require SSL secured connections with clients. In this demonstration, the server is not configured with a server certificate, so HTTPS connections are not possible.

13. On the Web Listener IP Addresses page, select the External check box, and then click Next.

14. On the Authentication Settings page, accept the default of HTML Form Authentication, and then click Next.

15. On the Single Sign On Settings page, type Adatum.com as the SSO domain name, click Next, and then click Finish. Click OK.

16. Click Edit, and then on the Authentication tab, click Advanced.

17. Select the Allow client authentication over HTTP check box, and then click OK three times.

18. On the Select Web Listener page, click Next.

19. On the Authentication Delegation page, accept the default of Basic authentication, and then click Next.

20. On the User Sets page, accept the default, and then click Next.

21. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.

22. Click Apply twice to apply the changes, and then click OK once the changes are applied.


Module Reviews and Takeaways

Review questions

1. You need to enable members of the Human Resources department to configure user mailboxes for the entire organization. What should you do?

In most cases, you can accomplish this by just adding the members of the Human Resources department to the Recipient Management role group in AD DS or Active Directory. If the Recipient Management role group has more permissions than necessary, you may need to create a custom role group.

2. Users in your organization are using POP3 clients from the Internet. These users report that they can receive, but not send, e-mail. What should you do?

You will need to provide the users with an SMTP server that they can use to send e-mail. You should configure a Hub Transport server Receive Connector.

3. Your organization has deployed Forefront TMG. You need to ensure that remote users can access the Client Access server inside the organization by using cellular mobile clients. What should you do?

You will need to configure an Exchange ActiveSync publishing rule in TMG that enables access to the required virtual directories on the Client Access server.

Common issues related to configuring Exchange server publishing rules on a reverse proxy

Identify the causes for the following common issues related to configuring Exchange Server publishing rules on a reverse proxy, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Clients cannot connect to the published sites, and they receive internal server errors.
Troubleshooting tip: Normally, these errors occur when the reverse proxy cannot connect to the internal site. Verify that the reverse proxy can connect to the virtual directories on the Client Access server.

Issue: Clients cannot connect to the published sites, and they receive certificate errors.
Troubleshooting tip: When configuring a reverse proxy to use SSL bridging, you need to ensure that the configuration is correct for certificates on both the reverse proxy and the Client Access server. Check information such as whether the certificates are trusted and whether the names the certificates use match the names that the clients use when connecting to the site.

Issue: Clients cannot connect to the published sites, and they receive site-not-found errors.
Troubleshooting tip: Normally, this type of error displays when there is a problem connecting to the reverse proxy from the Internet. Verify that DNS name resolution is working correctly and that the external firewall is not blocking access to the reverse proxy.


Real-world issues and scenarios

1. Your organization has configured an SMTP Receive connector on an Edge Transport server to enable IMAP4 users to relay messages. However, you discover that your Edge Transport server is being used to relay spam to other organizations. What should you do?

When you configured the Edge Transport server to relay messages for IMAP4 users, you enabled anonymous relaying for all users. You will need to disable message relaying on the Edge Transport server, and enable authenticated relaying on a Hub Transport server.

2. You have added the ServerAdmins group in your organization to the Exchange Server 2010 Server Management group in AD DS or Active Directory. All the members of the ServerAdmins group report that they receive errors when they start the Exchange Management Console. What should you do?

You need to enable all of the members of the ServerAdmins group to run remote Windows PowerShell™ cmdlets.

3. Your organization is planning to deploy Forefront TMG to enable access to a Client Access server from the Internet. The organization is concerned about the cost of acquiring multiple certificates to enable access, but also wants to ensure that users do not receive certificate related errors. What should you do?

To ensure that users do not receive certificate errors, you will need to purchase a certificate from a public CA. You can request a certificate with multiple SANs or use a wildcard certificate to ensure that the one certificate can be used for all client connections. You then can use the same certificate on the Client Access server, or use a certificate from a private CA on the Client Access server.
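The name checks called for in the certificate troubleshooting tip and in the multiple-SAN or wildcard answer above can be scripted for both legs of an SSL-bridged publishing rule. The following PowerShell is an added example, not part of the courseware: it checks name coverage only (not trust), the helper names Test-DnsNameMatch and Get-UncoveredName are hypothetical, and the certificate name lists are constructed sample data, while mail.Adatum.com and VAN-EX1.Adatum.com are the public and internal names used in the demonstration.

```powershell
# Added example (not from the courseware). Test-DnsNameMatch and Get-UncoveredName
# are hypothetical helper names. Runs offline in any Windows PowerShell session.

function Test-DnsNameMatch {
    param(
        [Parameter(Mandatory = $true)][string]$CertName,   # subject CN or SAN DNS entry
        [Parameter(Mandatory = $true)][string]$HostName    # name the connecting party uses
    )
    # DNS names compare case-insensitively; ignore a trailing root dot.
    $cert = $CertName.Trim().TrimEnd('.').ToLowerInvariant()
    $name = $HostName.Trim().TrimEnd('.').ToLowerInvariant()

    if ($cert -eq $name) { return $true }

    # A wildcard is honoured only as the entire left-most label ("*.adatum.com").
    if ($cert.StartsWith('*.')) {
        $suffix = $cert.Substring(1)    # ".adatum.com"
        if ($name.EndsWith($suffix, [System.StringComparison]::Ordinal)) {
            $left = $name.Substring(0, $name.Length - $suffix.Length)
            # Exactly one non-empty label may stand in for "*", so the bare
            # domain and deeper names such as "a.b.adatum.com" are rejected.
            return ($left.Length -gt 0 -and -not $left.Contains('.'))
        }
    }
    return $false
}

function Get-UncoveredName {
    param(
        [Parameter(Mandatory = $true)][string[]]$CertNames,
        [Parameter(Mandatory = $true)][string[]]$RequiredNames
    )
    # Emit every required name that no certificate name matches.
    foreach ($required in $RequiredNames) {
        $covered = $false
        foreach ($certName in $CertNames) {
            if (Test-DnsNameMatch -CertName $certName -HostName $required) {
                $covered = $true
                break
            }
        }
        if (-not $covered) { $required }
    }
}

# Constructed sample data: one entry per leg of the SSL-bridged connection.
# RequiredNames are the names the connecting party uses on that leg.
$legs = @(
    @{
        Leg           = 'Internet client to reverse proxy Web listener'
        CertNames     = @('*.adatum.com')          # constructed wildcard certificate
        RequiredNames = @('mail.Adatum.com')       # public name from the publishing rule
    },
    @{
        Leg           = 'Reverse proxy to Client Access server'
        CertNames     = @('mail.adatum.com')       # constructed single-name certificate
        RequiredNames = @('VAN-EX1.Adatum.com')    # internal site name from the publishing rule
    }
)

foreach ($leg in $legs) {
    $missing = @(Get-UncoveredName -CertNames $leg.CertNames -RequiredNames $leg.RequiredNames)
    if ($missing.Count -eq 0) {
        Write-Output ("{0}: all names covered" -f $leg.Leg)
    }
    else {
        Write-Output ("{0}: certificate does not cover {1}" -f $leg.Leg, ($missing -join ', '))
    }
}
```

To check a deployed certificate, replace the constructed CertNames lists with the subject and subject alternative names read from the certificate bound on each server.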

Best practices related to configuring Exchange server permissions

Supplement or modify the following best practices for your own work situations:

• When you configure permissions in the Exchange Server organization, ensure that users have the minimal permissions required for them to perform their tasks. Add only highly trusted users to the Organization Management role group, as it has full control of the entire organization.

• Whenever possible, use the built-in role groups to assign permission in the Exchange Server organization. Creating custom role groups with customized permissions is more complicated and may lead to users having too many, or too few, permissions.

• Ensure that you document all permissions that you assign in the Exchange Server organization. If users are unable to perform required tasks, or if they are performing tasks to which they should not have access, you should be able to identify the reason by referring to your documentation.


Lab Review Questions and Answers

Question: In the lab, you configured Exchange Server permissions by using a custom role. How did you limit the types of tasks the delegated administrators could perform and on what objects they could perform the tasks?

You limited the types of tasks the delegated administrators could perform by removing some of the management role entries assigned to the OrganizationAdministrators management role. You limited what objects the delegated administrators could manage by limiting the management role scope to only specific Exchange Server cmdlets.

Question: How would the TMG configuration in the lab change if you were enabling access for an IMAP4 client?

You would need to configure a server-publishing rule to publish the IMAP4 protocol on the Client Access server. You also need to configure a server-publishing rule to publish an SMTP server on a Hub Transport server.


Module 11

Maintaining Microsoft Exchange Server 2010

Contents:

Lesson 1: Monitoring Exchange Server 2010

Lesson 2: Maintaining Exchange Server 2010

Lesson 3: Troubleshooting Exchange Server 2010

Module Reviews and Takeaways

Lab Review Questions and Answers


Lesson 1

Monitoring Exchange Server 2010

Contents:

Question and Answers


Question and Answers

Collecting Performance Data for the Mailbox Server

Question: If any of these performance counters measured outside its normal range, what is the most likely cause?

Answer: Slow client response will cause most of the mailbox performance-counter data to be outside the normal range, whether the client is Microsoft Office Outlook® Live or the full Microsoft Office Outlook client.

Collecting Performance Data for the Hub Transport and Edge Transport Servers

Question: If any of these performance counters measured outside its normal range, what is the most likely cause?

Answer: Slow e-mail delivery will result in many of the transport counters being outside the normal range.

Collecting Performance Data for the Client Access Server

Question: If any of these performance counters measured outside its normal range, what is the most likely cause?

Answer: Most of the measurements that are outside the normal range result from slow response from Outlook Live, Outlook clients, Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) clients, Exchange Web Services, or the Autodiscover service.


Lesson 2

Maintaining Exchange Server 2010

Contents:

Question and Answers


Question and Answers

Discussion: What Is Change Management?

Question: How does your organization address change management?

Answer: Answers will vary. Some organizations have a formal change management process, but these are typically larger organizations. Students from smaller organizations may not have a formal process.

Question: Are there some situations where change management is more important?

Answer: Change management is important in all situations, to prevent unintended consequences. However, for those changes that are likely to affect many users or high-profile users, change management is even more critical. Changes to mission-critical software, such as a messaging system, also tend to be more critical than changes to noncritical software, such as software for a backup server.

Question: What are the benefits of having a formal change management process?

Answer: Benefits include:

• Other organizational stakeholders are aware of changes, and can gauge the impact on their systems and staff.

• Multiple changes are coordinated to ensure that they do not conflict.

• Formalizing the change process ensures that it is consistent, so mistakes are not made.

• Change management provides additional reviews, and allows time for additional planning, if required. Changes without a formal review often are thought out poorly. Not every alternative is considered.

• As an IT professional, using the change management process can help deflect blame in situations where there are problems during a change.

• You can improve recovery times from change problems by including a formal back-out plan as part of the change management process.

Question: Are there situations in which you cannot follow the normal change process?

Answer: Yes, there are emergencies in which services are broken, and you cannot follow the full change management process. However, there should be an emergency change process in place to handle those situations. For example, if a critical service is down, it is not realistic to document and approve a detailed plan to solve the problem. The first priority is repairing the failed service. However, you should document and evaluate the changes that you make when you repair the service to ensure that there are no negative effects on other services.

Discussion: What Are Software Updates?

Question: What is the difference between a hotfix and an update?

Answer: A hotfix is a limited-release fix for a specific problem. To receive a hotfix, customers must have a support agreement with Microsoft, and cannot redistribute the hotfix outside of their organizations. An update is a broadly released fix for a specific problem, and can include security fixes.

Question: Why should your organization deploy software updates?

Answer: For security updates specifically, it is essential to apply the latest software updates. Exchange servers often are externally-facing, and are at risk of being compromised by unfixed security problems. Microsoft packages periodic Exchange Server security and nonsecurity updates into “update rollups”. These rollups contain numerous changes that have been regression-tested together, that may change functionality, but should address common problems. You should test these rollups thoroughly and apply them to ensure the Exchange servers work optimally.


Lesson 3

Troubleshooting Exchange Server 2010

Contents:

Question and Answers


Question and Answers

Discussion: Troubleshooting Mailbox Servers

Question: A database has gone offline. What process can you use to troubleshoot the problem?

Answer: Answers may vary. The following is one suggested answer:

1. Identify those databases that have the problem.

2. Review logs, and run the Database Troubleshooter tool.

3. Review the probable causes of the problem.

4. Rank causes by probability, and review possible solutions.

5. Rank solutions by ease of resolution and impact to complete.

6. Try the most probable and easily implemented resolutions until you resolve the problem.

Discussion: Troubleshooting Client Access Servers

Question: Outlook users can no longer connect to the system. What process can you use to troubleshoot the problem?

Answer: Answers may vary. The following is one suggested answer:

1. Identify which users are experiencing the problem, and when the problem began.

2. Review logs for any involved Client Access servers.

3. Run the Exchange Best Practices Analyzer.

4. Review the probable causes of the problem.

5. Rank causes by probability, and review possible solutions.

6. Rank solutions by their ease of resolution and impact to complete.

7. Try the most obvious and easily implemented resolutions until you resolve the problem.

Discussion: Troubleshooting Message Transport Servers

Question: Users are reporting non-deliverable and slow-to-deliver outbound e-mail. What process can you use to troubleshoot the problem?

Answer: Answers may vary. The following is one suggested answer:

1. Identify which users are experiencing the problem, and when the problem started.

2. Use the Mail Flow Troubleshooter, message tracking system, Queue Viewer, Routing Log Viewer, and Telnet to pinpoint the problem.

3. Review the probable causes of the problem.

4. Rank causes by probability, and review possible solutions.

5. Rank solutions by ease of resolution and impact to complete.

6. Try the most probable and easily implemented resolutions until you resolve the problem.


Module Reviews and Takeaways

Review questions

1. Users are reporting issues with sending e-mail to a remote domain. You need to determine the problem and then resolve it. What should you do?

Use the Mail Flow Troubleshooter and the Queue Viewer to review the queued messages and the status of the queues.

2. Recent organizational growth has resulted in two issues. It has caused several memory thresholds to exceed recommended levels, as well as the average read-latency threshold for the logical disk that stores the page file. What issue should you address first?

First, add memory to the server. When there is not enough available memory, memory is paged out to the page file, which can lead to an increased amount of input/output (I/O) on the disk where the page file is stored.

3. After reviewing the trend information retrieved from the monitoring system, you noticed that the processor usage for one of the four Mailbox servers is higher than average. What should you do?

Determine which processes are using up the additional processor time, and check for changes in mailbox usage on the servers. To solve the problem, you may be able to move mailboxes to other Mailbox servers, or add additional processing capabilities to the current server.

Common issues related to troubleshooting Exchange server problems

Identify the causes for the following common issues related to troubleshooting Exchange server problems, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Outbound e-mail messages are queuing on the Hub Transport server.
Troubleshooting tip: Always start with the most common problem causes, such as network connectivity and DNS name resolution.

Issue: Multiple sources are simultaneously reporting different problems.
Troubleshooting tip: Gather as much information as possible about each of the reported problems. Although there might be multiple issues, it is likely that you will find a connection between the multiple reported problems.

Issue: Users are reporting slowness or other subjective problems.
Troubleshooting tip: As always, take each report seriously and try to gather as much objective information about the problem as possible. Only then will you reach a suitable and objective solution.

Real-world issues and scenarios

1. A company has recently experienced growth because of a popular new product. The company has had numerous Mail server outages and downtime due to undocumented changes. What should the company invest in to ensure that it can support continued growth?

To control downtime and constant changes that are required to keep the company growing, the company should adopt a change management process.

2. A database has gone offline, and the organization needs to troubleshoot the problem. A number of impatient users have mailboxes stored in the offline database. What is the best way to address the situation?


Follow a proven troubleshooting technique. Stressful situations make it even more important to stick to a proven methodology.

3. An Exchange Server service pack was recently released, and the company has decided to deploy it. What should you do before scheduling the deployment?

Thoroughly test and document the deployment and server backup. Testing should include functionality and compatibility testing with the company’s systems.

Best practices related to troubleshooting Exchange server problems

Supplement or modify the following best practices for your own work situations:

• Follow the same steps each time you troubleshoot a problem. This way you get into a habit of making good decisions and finding the answers quickly.

• Be diligent about separating facts about the issue from feelings or other subjective information. A single person’s subjective observation could cause you to troubleshoot the wrong problem and delay resolution of the actual issue.

• Ask a lot of questions about the problem before starting to troubleshoot. If you have not properly defined the problem, you cannot properly target your troubleshooting steps.


Lab Review Questions and Answers

Question: Was the Exchange Best Practices Analyzer helpful in troubleshooting the database error? When might using Exchange Best Practices Analyzer be a better fit?

Exchange Best Practices Analyzer did not help you identify database errors. The Best Practices Analyzer is best used when troubleshooting intermittent errors, configuration errors, and proactively to ensure best practices are being applied.

Question: Why do you need to run IISReset after reconfiguring Outlook Web App?

After making the configuration change, the Exchange Management Console instructs you to restart IIS so that the new configuration options can be applied.


Resources

Contents:

Microsoft Learning

Technet and MSDN Content

Communities


Microsoft Learning

This section describes various Microsoft Learning programs and offerings.

• Microsoft Learning

Describes the training options available through Microsoft — face-to-face or self-paced

• Microsoft Certification Program

Details how to become a Microsoft Certified Professional, Microsoft Certified Database Administrators, and more

• Microsoft Learning Support

• To provide comments or feedback about the course, send e-mail to [email protected].

• To ask about the Microsoft Certification Program (MCP), send e-mail to [email protected]


Technet and MSDN Content

This section includes content from Microsoft TechNet that provides in-depth discussion on technical topics related to this course.

• Active Directory Logical Structure and Data Storage

• Planning Active Directory

• Topologies: Overview

• Business Productivity Online

• Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments

• Understanding the Active Directory Logical Model

• Understanding Active Directory Site Topology

• Overview

• Microsoft Exchange Analyzers

• Microsoft Script Repository

• Automatically configure Office Outlook 2007 user accounts

• System Center Mobile Device Manager TechCenter

• Protecting Your Microsoft Exchange Organization with Microsoft Forefront Protection 2010 for Exchange Server

• Forefront Protection 2010 for Exchange Server Best Practices - Deployment considerations

• Microsoft’s Antivirus Defense-in-Depth Guide

• White Paper: Domain Security in Exchange 2007

• Further information about VSS

This section includes content from MSDN related to this course.

• Autodiscover Response

• Cmdlet verb names


Communities

This section includes content from Communities for this course.

• Guidance on Active Directory design for Exchange Server 2007

• Migrate to Microsoft Online Services

• Windows Server Virtualization Validation Program

• Recipient Management in Exchange 2007 – Overview

• How to Create and configure a meeting room mailbox with Exchange Server 2007

• Microsoft Exchange Server Remote Connectivity Analyzer

• Sample: How to add root certificates to Windows Mobile 2003 and Windows Mobile 2002 Smartphones

• Additional Character Sets

• Additional references

• High availability white paper

• Updated Exchange Public Folder (vs. SharePoint) Guidance


Send Us Your Feedback

You can search the Microsoft Knowledge Base for known issues at Microsoft Help and Support before submitting feedback. Search using either the course number and revision, or the course title.

Note: Not all training products will have a Knowledge Base article – if that is the case, please ask your instructor whether or not there are existing error log entries.

Courseware Feedback

Send all courseware feedback to [email protected]. We truly appreciate your time and effort. We review every e-mail received and forward the information on to the appropriate team. Unfortunately, because of volume, we are unable to provide a response but we may use your feedback to improve your future experience with Microsoft Learning products.

Reporting Errors

When providing feedback, include the training product name and number in the subject line of your e-mail. When you provide comments or report bugs, please include the following:

• Document or CD part number

• Page number or location

• Complete description of the error or suggested change

Please provide any details that are necessary to help us verify the issue.

Important: All errors and suggestions are evaluated, but only those that are validated are added to the product Knowledge Base article.