MICROSOFT LEARNING PRODUCT
10135A
Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Companion Content
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2010 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
Module 1
Deploying Microsoft Exchange Server 2010
Contents:
Lesson 1: Overview of Exchange Server 2010 Requirements
Lesson 2: Installing Exchange Server 2010 Server Roles
Lesson 3: Completing an Exchange Server 2010 Installation
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1
Answer: A domain controller holds a copy of the local domain database, which includes user and computer accounts, and it is responsible for authenticating users and computers. A domain controller has directory information only for the domain of which it is a member. Additionally, domain controllers respond to queries for information in Active Directory.

Question: What is a global catalog server?
Answer: A global catalog server is a domain controller that also holds a subset of information from other domains in the forest. For example, a global catalog server has limited information about all users in a forest. By default, the first domain controller deployed in a forest is a global catalog server, but you also can configure other domain controllers as global catalog servers. You use global catalog servers for authentication, global address list (GAL) lookups, and universal group membership lookups.

Question: What is the definition of an Active Directory site?
Answer: The definition of an Active Directory site is one or more IP subnets. Typically, all of the IP subnets in a given physical location are part of the same site. Active Directory sites typically do not encompass more than one physical location. All of the computers within a single site must have a fast network connection, typically 10 megabytes per second (Mbps) or more between them. The Active Directory site configuration should be a logical representation of the physical network deployment.

Question: What is Active Directory replication?
Answer: Active Directory replicates domain information between domain controllers in the same domain and to the forest's global catalog servers. It also replicates configuration data and the schema between all domain controllers in the same forest.

Question: How do Active Directory sites affect replication?
Answer: Within an Active Directory site, change replication starts within a few seconds of a change occurring on one domain controller. If an Active Directory site contains more than one domain controller, each domain controller also has at least two replication partners. Between Active Directory sites, you can schedule replication. However, by default, it happens every three hours. Additionally, all replication traffic between sites is sent through a bridgehead server that is located in each site.
Exchange connector for sending e-mail to the Internet: Configuration partition
Exchange Server configuration: The configuration partition contains the Exchange Server-specific configuration information, but the Exchange Server computer object also is located in the domain partition.
Additional Reading
Reviewing Active Directory Partitions
Active Directory Logical Structure and Data Storage
Open ADSI Edit, and connect to the domain partition.
Review the information in the domain partition.
Connect to the configuration partition.
Review the information in the configuration partition, and in the CN=Services, CN=Microsoft Exchange, CN=Exchangeorganizationname container.
Connect to the schema partition.
Review the information in the schema partition, and point out the attributes and class objects that begin with ms-Exch.
Demonstration steps
1. On VAN-DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. If necessary, expand Adatum.com, and then click the Microsoft Exchange Security Groups organizational unit.
3. Double-click Organization Management, and then click the Members tab. The only default member of this group is the user that installed the first computer running Exchange Server. Members of this group have the necessary permissions to manage any aspect of the Exchange Server organization.
4. Click Cancel.
5. Double-click Recipient Management, and then click the Members tab. Verify that there are no group members. Members of this group are assigned full control permissions to manage the Exchange Server properties of user objects in Active Directory.
6. Click Cancel.
7. Double-click the View-Only Organization Management group, and then click the Members tab. The members of this group are assigned read permissions to the Exchange Server container in the Active Directory configuration partition, and read permission to all domains that have Exchange Server recipients.
8. Click Cancel.
9. Double-click the Discovery Management group, and then click the Members tab. The members of this group have permission to search all mailboxes in the organization for messages or content that meets specific criteria.
10. Click Cancel. Close Active Directory Users and Computers.
11. Click Start, and in the Search box, type adsiedit.msc, and then press ENTER. By default, when you open Active Directory Service Interfaces (ADSI) Edit in Windows Server 2008 R2, it does not display any partitions.
12. Right-click ADSI Edit, and click Connect to.
13. In the Connection Settings dialog box, click OK. This connects ADSI Edit to the domain partition.
14. In the left pane, expand Default naming context [VAN-DC1.Adatum.com], and then click DC=Adatum,DC=com. The domain partition holds user accounts, computer accounts, and other domain-specific configuration information. Objects with names that start with OU are organizational units. Objects with names that start with CN are containers or other objects, such as users. You can verify the object type by looking at the Class column.
15. In the right pane, double-click CN=Users. Notice that in the Users container, there are users and groups.
16. Double-click OU=ITAdmins. Right-click CN=Andreas Herbinger, and then click Properties. This shows the attributes and values that are part of the Andreas Herbinger user object.
17. Click Cancel.
18. Right-click ADSI Edit, and click Connect to.
19. In the Connection Settings dialog box, in the Connection Point section, in the Select a well known Naming Context list, click Configuration, and then click OK. This connects ADSI Edit to the configuration partition.
20. In the left pane, expand Configuration [VAN-DC1.ADatum.com], and then click CN=Configuration,DC=Adatum,DC=com. This displays the containers in the configuration partition of Active Directory. The containers contain configuration data used by Active Directory, applications, and services.
21. Double-click CN=Partitions. This container holds a list of the Active Directory partitions.
22. In the left pane, click CN=Sites. This container holds sites and their related configuration objects.
23. Expand CN=Services, expand CN=Microsoft Exchange, and then click CN=AdatumOrg. In the right pane, you can see the containers that hold the various configuration information for Exchange Server.
24. Double-click CN=Address Lists Container. This container stores configuration information for all address lists.
25. In the left pane, click CN=Client Access. This container holds configuration information for the Autodiscover process.
26. In the left pane, expand CN=Administrative Groups, expand CN=Exchange Administrative Group (FYDIBOHF23SPDLT), expand CN=Servers. This container holds the Exchange Server objects.
27. Right-click ADSI Edit, and click Connect to.
28. In the Connection Settings dialog box, in the Connection Point section, in the Select a well known Naming Context list, click Schema, and then click OK. This connects ADSI Edit to the schema partition.
29. In the left pane, expand Schema [VAN-DC1.ADatum.com], and then click CN=Schema,CN=Configuration,DC=Adatum,DC=com. The schema container holds a list of classes and attributes that define the objects in Active Directory.
30. In the right pane, click CN=ms-Exch-2003-Url, and then scroll down. Notice that many Exchange-specific attributes and classes have been added to the Active Directory schema.
31. Close ADSI Edit.
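The group review in steps 3 to 9 can be scripted so that membership of the Exchange security groups is compared against a baseline. This is an added example, not part of the courseware; the OU distinguished name, the Administrator account as the installing user, and the empty baselines for View-Only Organization Management and Discovery Management are assumptions for the Adatum lab.

```powershell
# Added example (not from the courseware): compare membership of the Exchange
# security groups against an expected baseline and report any drift.
# Requires the ActiveDirectory module (RSAT) on Windows Server 2008 R2.
Import-Module ActiveDirectory

# Assumption: distinguished name of the OU opened in step 2 of the demonstration.
$SearchBase = 'OU=Microsoft Exchange Security Groups,DC=Adatum,DC=com'

# Assumption: allowed members (sAMAccountName) per group for this lab.
# The demonstration states that Recipient Management has no members and that
# Organization Management contains only the account that installed Exchange.
$Baseline = @{
    'Organization Management'           = @('Administrator')
    'Recipient Management'              = @()
    'View-Only Organization Management' = @()
    'Discovery Management'              = @()
}

function New-Finding {
    param([string]$Group, [string]$Account, [string]$Finding)
    # New-Object is used instead of [pscustomobject] so this runs on PowerShell 2.0.
    New-Object PSObject -Property @{ Group = $Group; Account = $Account; Finding = $Finding }
}

function Get-RoleGroupDrift {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Baseline,
        [Parameter(Mandatory = $true)][string]$SearchBase
    )

    foreach ($name in $Baseline.Keys) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $SearchBase
        if (-not $group) {
            New-Finding -Group $name -Account '' -Finding 'GroupNotFound'
            continue
        }

        # -Recursive resolves nested groups to the accounts that effectively hold the role.
        $actual  = @(Get-ADGroupMember -Identity $group -Recursive |
                     ForEach-Object { $_.SamAccountName })
        $allowed = @($Baseline[$name])

        # Wrapping in @() keeps empty results as empty arrays, so the loops below
        # do not run once on $null under PowerShell 2.0.
        $unexpected = @($actual  | Where-Object { $allowed -notcontains $_ })
        $missing    = @($allowed | Where-Object { $actual  -notcontains $_ })

        foreach ($account in $unexpected) {
            New-Finding -Group $name -Account $account -Finding 'UnexpectedMember'
        }
        foreach ($account in $missing) {
            New-Finding -Group $name -Account $account -Finding 'ExpectedMemberMissing'
        }
    }
}

Get-RoleGroupDrift -Baseline $Baseline -SearchBase $SearchBase |
    Sort-Object Group, Account |
    Format-Table Group, Account, Finding -AutoSize
```

An empty result means every group matches the baseline; any UnexpectedMember row for Organization Management or Discovery Management deserves review first, because those groups can manage the whole organization or search all mailboxes.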
Lesson 2
Additional Reading
Deployment Options for Exchange Server 2010
Topologies: Overview
Options for Integrating Exchange Server 2010 and Exchange Online Services
Lesson 3
10. Open Internet Explorer, and connect to the Outlook Web App site on a Client Access server. Log on using the credentials for the new mailbox that you created.
11. Send an e-mail to the mailbox that you created. Verify that the message is delivered.
Demonstration steps
Important: When you start the virtual machines, ensure that you start 10135A-VAN-DC1 first, and that it starts fully before you start other virtual machines. If you receive a notification that one or more services failed to start when starting a virtual machine, open the Services console on the virtual machine, and ensure that all Microsoft Exchange services that are configured to start automatically are running.
1. On VAN-EX1, click Start, point to Administrative Tools, and then click Services.
2. Scroll down to the Microsoft Exchange services, and expand the name column, so that you can read the service names. These are all of the services that Exchange Server installs. The services that Exchange Server installs vary depending on the Exchange Server roles that are installed on the server.
3. Close Services.
4. Click Start, right-click Computer, and then click Open.
5. Browse to C:\ExchangeSetupLogs.
6. Double-click ExchangeSetup.log to open it. This log file contains information about the status of prerequisite and system-readiness checks that Exchange Server performs before the installation begins. This log also contains information about every task that occurs during the Exchange Server setup, and is the most complete log available for troubleshooting installation errors.
7. Close Notepad.
8. Describe some of the other files in this folder:
   ExchangeSetup.msilog. This file contains information about the extraction of the Exchange Server 2010 code from the installer file.
   Install-AdminToolsRole-[date and time].ps1. Setup generates this file, which contains the steps that Exchange Server uses to install the Exchange administration tools.
   Install-BridgeheadRole-[date and time].ps1. Setup generates this file, which contains the steps that Exchange Server uses to install the Hub Transport server role.
   Install-ClientAccessRole-[date and time].ps1. Setup generates this file, which contains the steps that Exchange Server uses to install the Client Access server role.
   Install-ExchangeOrganization-[date and time].ps1. Setup generates this file, which contains the steps that Exchange Server uses to create the Exchange Server organization.
   Install-MailboxRole-[date and time].ps1. Setup generates this file, which contains the steps that Exchange Server uses to install the Mailbox server role.
   InstallSearch.msilog. This file contains information about the extraction of the Search service that Exchange Server uses.
Note: Other .msilog or .ps1 files may exist in this folder, depending on which roles are installed on this server.
9. Browse to C:\Program Files\Microsoft\Exchange Server\V14. Describe the contents of the folders:
   Bin. Applications and extensions that you can use to manage Exchange Server.
   ClientAccess. Configuration files for the Client Access server role.
   ExchangeOAB. Contains the Exchange Offline Address book files that Exchange Web Services makes available.
   GroupMetrics. Contains information about distribution groups and distribution-group membership that MailTips uses.
   Logging. Various log files.
   Mailbox. Schema files, .dll files, database files, and database log files for the mailbox databases and public folder databases.
   Public. Several .dll and .xml files.
   RemoteScripts. Contains a single script used only by the Exchange Management Console.
   Scripts. Exchange Management Shell scripts that you can use to retrieve anti-spam statistics and perform other tasks.
   Setup. Extensible Markup Language (XML) configuration files and data.
   TransportRoles. Folders and files that the Hub Transport Server role uses.
   Working. Contains an empty folder.
10. Close Windows Explorer.
11. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. Click OK to acknowledge that the servers are not licensed.
12. In the left pane, expand Microsoft Exchange On-Premises, and then click Server Configuration. The server you just installed should always appear here, as should the list of roles you installed.
13. In the left pane, click Toolbox. The Toolbox node includes tools that you can use to troubleshoot and repair Exchange Server. During installation, the only relevant tool is the Microsoft Exchange Server Best Practices Analyzer Tool.
14. In the left pane, click Recipient Configuration. This shows all of the users and groups that are mailbox users or mail-enabled.
15. Right-click Recipient Configuration, and then click New Mailbox.
16. Accept the default setting of User Mailbox, and then click Next.
17. Accept the default setting of New user, and then click Next.
18. In the First name box, type TestUser.
19. In the User logon name (User Principal Name) box, type TestUser.
20. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
21. On the Mailbox Settings page, type TestUser as the Alias, and click Next to accept the default mailbox settings.
22. On the Archive Settings page, click Next.
23. Click New to create the new mailbox.
24. Click Finish.
25. Close the Exchange Management Console.
26. Click Start, point to All Programs, and then click Internet Explorer.
27. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER.
28. In the Domain\User name box, type Adatum\TestUser.
29. In the Password box, type Pa$$w0rd, and then click Sign in.
30. Click OK to accept the default configuration for Outlook Web App.
31. Create a new message and send it to TestUser:
   Click New in the toolbar.
   In the To box, type TestUser.
   In the Subject box, type Test Message.
   Click Send.
32. Verify the message was received by clicking Check Messages in the toolbar.
33. Close Internet Explorer.
Demonstration steps
Demonstrate how the Exchange Server Best Practices Analyzer works by using the following steps.
1. On VAN-EX1, click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the left pane, click Toolbox.
3. In the middle pane, double-click Best Practices Analyzer.
4. Click Do not check for updates on startup. As a best practice, check for updates on startup to ensure that you have the latest best practices information from Microsoft. However, our virtual machines are limited to local network connectivity.
5. Click I don't want to join the program at this time. As a best practice, join the customer improvement program so that Microsoft can get anonymous feedback about how you use Exchange Server. This allows Microsoft to make future improvements that more accurately reflect the needs of their customers. However, our virtual machines are limited to local network connectivity.
6. Click Go to Welcome Screen. Notice that this tool can scan a single server or the whole organization.
7. Click Select options for a new scan.
8. If necessary, in the Active Directory Server box, type VAN-DC1, and then click Connect to the Active Directory server. The Exchange Server Best Practices Analyzer uses this server for read-only access to Active Directory. By default, it authenticates as the user who is logged on.
9. In the Enter an identifying label for this scan box, type VAN-EX1 Scan.
10. In the Specify the scope for this scan box, clear the check box for VAN-EX2 and VAN-EX3.
11. If necessary, select Health Check. The Exchange Server Best Practices Analyzer can perform four types of scans:
   Health Check. This test checks for errors, warnings, nondefault configurations, recent changes, and other configuration information. This scan checks the health of your Exchange Server organization, and you can use it for troubleshooting. When you select the Performance check option, a sampling of performance data is taken over a two-hour period.
   Permission Check. This test verifies that permissions are properly configured on the selected servers.
   Connectivity Check. This test verifies that network connectivity is available to the selected servers.
   Baseline. This scan allows you to select specific properties, configure baseline values for those properties, and then scan for servers to find deviations from the baseline values.
12. Select Fast LAN (100 mbps or more) as the network speed. This setting does not have any influence on test performance. The estimated scan time is generated based on the network speed selected.
13. Click Start scanning. You also can schedule scans for specific times. This scan gathers performance data or performs a weekly health check. However, to perform a scheduled scan, you must configure credentials under which the scan runs. The credentials are configured in the Connect to Active Directory screen in the advanced logon options. Running this scan will take approximately two minutes.
14. After the scan is complete, click View a report of this Best Practices scan. The first tab displayed is the Critical Issues tab. This tab highlights issues that you should consider addressing immediately.
15. Click the All Issues tab. This tab shows any issues that may be a concern.
16. Click the Informational Items tab. This tab displays configuration information about your Exchange Server organization.
17. Click Tree Reports. This view shows all of the configuration information that the Exchange Server Best Practices Analyzer collects.
18. Click Other Reports. The Run-Time Log displays information generated during the collection and analysis of data by the Exchange Server Best Practices Analyzer.
19. Close the Exchange Server Best Practices Analyzer.
Issue: You start the Exchange installation and get an error message stating that you do not have sufficient permissions.
Troubleshooting tip: Verify that you are logged on to the domain. Verify the account has sufficient permissions.

Issue: You start the Exchange installation and the prerequisite check fails.
Troubleshooting tip: Verify that the server meets the software requirements.

Issue: You run setup with /PrepareAD parameter and receive an error message.
Troubleshooting tip: Ensure that you are running setup in the same Active Directory site as the schema master domain controller.
users, or if the client connections to Exchange servers in the main office are slow, you may choose to put an Exchange server in the office. If you put an Exchange Server 2010 server in a branch office, you must ensure that you deploy a Mailbox server, Client Access server, and Hub Transport server, and that you deploy a global catalog server in the office.

2. An organization has deployed Active Directory directory services within two different forests. What issues will this organization experience when they deploy Exchange Server 2010?
Answer: Organizations with multiple forests need to decide whether to deploy two Exchange organizations, or a single Exchange organization, and enable user accounts from one forest to access mailboxes in the other forest. If the organization deploys multiple forests, they will need to plan for the replication of information such as free/busy information between the forests.

3. An organization is planning to deploy Exchange Server 2010 servers as virtual machines running on Hyper-V in Windows Server 2008 R2. What factors should the organization consider in their planning?
Answer: Firstly, the organization cannot deploy Unified Messaging servers on virtual machines. Secondly, the organization should consider whether to use Hyper-V to provide high availability for the Exchange servers, or to use the built-in Exchange high availability options. For Mailbox servers, we recommend strongly that you use DAGs. For other Exchange server roles, it is more feasible to use the Hyper-V failover component.
You can deploy the Edge Transport server at any time, but it does not integrate automatically with your organization until you deploy a Hub Transport server.
Module 2
Configuring Mailbox Servers
Contents:
Lesson 1: Overview of Exchange Server 2010 Administrative Tools
Lesson 2: Configuring Mailbox Server Roles
Lesson 3: Configuring Public Folders
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1
Demonstration steps
1. On VAN-EX1, click Start, click All Programs, click Exchange Server 2010, and then click Exchange Management Console.
2. Expand Microsoft Exchange On-Premises.
3. Describe the console's layout: The Console Tree on the left, the Content pane in the middle, and the Actions pane on the right.
4. Point out that the Console Tree has four nodes: Organization Configuration, Server Configuration, Recipient Configuration, and Toolbox. Expand each of the nodes to view the available information.
5. In the Console Tree, expand Organization Configuration, click Mailbox, and then view the available information in the Content pane.
6. In the Console Tree, expand Server Configuration, click Mailbox, and then view the available information in the Content pane.
7. In the Console Tree, expand Recipient Configuration, click Mailbox, and then view the available information in the Content pane.
Demonstration: Working with the Exchange Management Shell Detailed demonstration steps
Demonstration steps
The instructor will run the following cmdlets:
Get-Mailbox
Get-Mailbox | Format-List
Get-Mailbox | fl
Get-Mailbox | Format-Table
Get-Mailbox | ft Name, Database, IssueWarningQuota
Get-Help New-Mailbox
Get-Help New-Mailbox -detailed
Get-Help New-Mailbox -examples
$Temp = "Text"
$Temp
$password = Read-Host "Enter password" -AsSecureString
New-Mailbox -UserPrincipalName chris@contoso.com -Alias Chris -Database "Mailbox Database 1" -Name ChrisAshton -OrganizationalUnit Users -Password $password -FirstName Chris -LastName Ashton -DisplayName "Chris Ashton" -ResetPasswordOnNextLogon $true
Demonstration steps
1. On VAN-EX1, click Start, click All Programs, click Exchange Server 2010, and then click Exchange Management Shell.
2. Run Get-Mailbox, and then view the output.
3. Run Get-Mailbox | Format-List, and then view the output.
4. Run Get-Mailbox | fl, and then verify that it is identical to the previous output, since fl is an alias for Format-List.
5. Run Get-Mailbox | Format-Table, and then view the output. Explain that the format is different from the previous output.
6. Run Get-Mailbox | ft Name, Database, IssueWarningQuota. Explain that the table output shows only the fields you specify.
7. Run Get-Help New-Mailbox to view the basic help for New-Mailbox.
8. Run Get-Help New-Mailbox -detailed to view the detailed help for New-Mailbox.
9. Run Get-Help New-Mailbox -examples to view just the examples that the help provides.
10. Create a variable by running $Temp = "Text"
11. Run $Temp to view the variable's contents.
12. Run $password = Read-Host "Enter password" -AsSecureString to prompt the user for a password. Emphasize that to assign a password to a new user, you must specify the Read-Host command with the -AsSecureString switch, because you cannot store passwords as simple strings. Type Pa$$W0rd and press ENTER.
13. Run New-Mailbox -UserPrincipalName chris@contoso.com -Alias Chris -Database "Mailbox Database 1" -Name ChrisAshton -OrganizationalUnit Users -Password $password -FirstName Chris -LastName Ashton -DisplayName "Chris Ashton" -ResetPasswordOnNextLogon $true to create a new and secure mailbox for user Chris Ashton.
Lesson 2
Question: When would you want or need to create multiple databases?
Answer: You may discuss a number of reasons, depending on the students. Often organizations create databases to separate users in different departments or geographic regions, or users that require different service levels. Maintaining a database at a manageable size also is important. You should size databases to fit on the available storage, yet still have enough room for growth. Additionally, their size should coincide with the backup and recovery times that you define for the messaging system.

Question: Why would you want to reduce the number of databases?
Answer: You may discuss several reasons, depending on the students. An organization may want to reduce the number of databases it has to reduce licensing needs and the administrative overhead that comes with having multiple databases. Additionally, each mounted database consumes additional memory on the server, so in some instances, it may be beneficial to limit how many databases you have.

Question: What should you consider when planning to build additional Mailbox servers?
Answer: You may need to place Mailbox servers in locations closer to the users to improve performance or reduce bandwidth charges. Adding additional Mailbox servers to the same site may be required to handle additional users or to handle increased usage from current users.
Demonstration steps
1. On VAN-EX1, click Start, click All Programs, click Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Mailbox.
3. In the Mailbox pane, select VAN-EX1. Describe the available options in the Actions pane: Manage Diagnostic Logging Properties, Switchover Server, and Properties.
4. In the Actions pane, under VAN-EX1, click Properties.
5. View the properties on the General tab, and then select System Settings.
6. View the options on the System Settings tab, and then select Messaging Records Management.
7. View the options on the Messaging Records Management tab, and then close the Properties dialog box.
8. Click Manage Diagnostic Logging in the Actions pane, and then view the logging options.
Demonstration steps
1. On VAN-EX1, if required, click Start, click All Programs, click Exchange Server 2010, and then open Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.
3. Select the Database Management tab, right-click Mailbox Database 1, and then choose Properties.
4. View the properties on the General tab, and then select the Maintenance tab.
5. View the properties on the Maintenance tab, and then select the Limits tab.
6. View the properties on the Limits tab, and then select the Client Settings tab.
7. Close the Properties dialog box.
8. Select Mailbox Database 1, and then click Move Database Path in the Actions pane.
9. In the Move Database Path wizard, type a new database file path (C:\NewFolder1\DB\Mailbox Database 1.edb) and log folder path (C:\NewFolder1\Logs\), and then click Move.
10. Confirm and complete the move process.

If time permits, demonstrate moving the database files using the Exchange Management Shell:
1. Log on to VAN-EX1 with your administrator account, and then open the Exchange Management Shell.
2. Run Move-DatabasePath -id "Mailbox Database 1" -LogFolderPath C:\NewFolder2\Logs\.
3. Run Move-DatabasePath -Id "Mailbox Database 1" -EdbFilePath "C:\NewFolder2\DB\Mailbox Database 2.edb".
Demonstration steps
1. On VAN-EX1, if required, click Start, click All Programs, click Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then click Mailbox.
3. In the Content pane, right-click Luca Dellamore, and then choose Properties.
4. Select the Mailbox Settings tab, and then double-click Storage Quotas.
5. Clear the Use mailbox database defaults check box.
6. Select the Prohibit send and receive at (MB) check box, and in the text box, type 10.
7. Click OK twice.
8. Open the Exchange Management Shell.
9. To configure the database limits with Exchange Management Shell, run Get-MailboxDatabase -Server VAN-EX1 | Set-MailboxDatabase -IssueWarningQuota 50MB. To configure just the user mailboxes that are contained in the Marketing organizational unit, run Get-Mailbox -OrganizationalUnit Marketing | Set-Mailbox -ProhibitSendQuota 75MB.
Lesson 3
Additional Reading
Configuring Public Folder Replication
Exchange Server 2010 Help Understanding Public Folder Replication
Use the Exchange Management Shell to add permissions to a public folder
The instructor will run the following cmdlets:
Get-PublicFolderClientPermission \Sales
Add-PublicFolderClientPermission \Sales -AccessRights EditAllItems -User Jason

Use Outlook to view and edit public folder permissions
1. Log on to VAN-CL1 as Adatum\Administrator.
2. Open Outlook.
3. View the permissions for the Sales public folder.
Demonstration steps
Use the PFMC to add replicas and set permissions on a public folder
1. On VAN-EX1, if required, click Start, click All Programs, click Exchange Server 2010, and then open Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, and then expand Toolbox.
3. In the Content pane, double-click Public Folder Management Console.
4. If not already connected, in the Actions pane, click Connect to a Server, and then in the Connect to Server dialog box, click Browse.
5. In the Select Public Folder Servers dialog box, select VAN-EX1, click OK, and then click Connect.
6. Select the Default Public Folders node in the Console Tree, and then click New Public Folder in the Actions pane.
7. In the New Public Folder Wizard, type Sales, click New, and then click Finish.
8. In the Content pane, right-click Sales, view the available options, and then click Properties.
9. View the information available on the General tab, and then select the Statistics tab.
10. View the information available on the Statistics tab, and then select the Limits tab.
11. View the information available on the Limits tab, and then select the Replication tab.
12. Click Add, select PF2 on VAN-EX2, and then click OK.
13. Click OK.
Use the Exchange Management Shell to add permissions to a public folder
1. Open the Exchange Management Shell.
2. Run Get-PublicFolderClientPermission \Sales, and then view the results.
3. Run Add-PublicFolderClientPermission \Sales -AccessRights EditAllItems -User Jason.
Use Outlook to view and edit public folder permissions
1. On VAN-CL1, open Outlook.
2. Click Folder List in the Outlook bar.
3. Expand Public Folders, expand All Public Folders, right-click Sales, and then click Properties.
4. Select the Permissions tab, and then view the available options.
You are planning to deploy a new Mailbox server on a different server and storage platform.
After applying limits on each of the mailbox databases, some of the users are exceeding these limits.
You are migrating from Exchange Server 2003, and none of the users with Exchange Server 2010 mailboxes can access legacy public folders via Outlook Web App.
Verify that a replica of the required public folders exists on an Exchange Server 2010 server.
The Exchange Management Shell provides an interface for scripting administrative tasks, such as user creation and modification. You also can use Exchange Management Shell programmatically from inside other applications.
3. Your organization wants to reduce administrative costs. One suggestion is to give department heads and administrative assistants the necessary access to manage departmental and project-based groups. What can you use to accomplish this task?
You can use the ECP and appropriate RBAC permissions to enable nontechnical personnel to manage groups.
Tools
Tool Use for Configuring the Exchange Server organization, its servers, and its recipients. Configuring the Exchange Server organization, its servers, and its recipients. Completing bulk-management tasks. Managing recipients Where to find it
Start menu
Start menu
Module 3
Managing Recipient Objects
Contents:
Lesson 1: Managing Mailboxes
Lesson 2: Managing Other Recipients
Lesson 3: Configuring E-Mail Address Policies
Lesson 4: Configuring Address Lists
Lesson 5: Performing Bulk Recipient Management Tasks
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1
Managing Mailboxes
Contents:
Question and Answers
Additional Reading
Detailed Demo Steps
Answer: Answers will vary by student. Many businesses use resource mailboxes to track conference room usage and equipment, such as projectors and video-conference equipment.
Additional Reading
Discussion: Types of Exchange Server Recipients
Exchange Server 2010 Help: Understanding Recipients
In Active Directory Users and Computers, verify that the Daniel Brunner user still exists.
Create a new mail-enabled user with the Exchange Management Console.
Open Exchange Management Console.
In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
Run the New Mailbox wizard, and create a new user account and mailbox for Kim Akers. Create the mailbox in the Accounting mailbox database.
Note: Remove-Mailbox deletes the specified user account and mailbox, and Disable-Mailbox removes the mailbox, but leaves the user account enabled.
Demonstration steps
Use the Exchange Management Shell to mail-enable an existing user:
1. On VAN-EX1, click Start, click Administrative Tools, and then open Active Directory Users and Computers.
2. In Active Directory Users and Computers, expand Adatum.com, then click Users, and locate Daniel Brunner.
3. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
4. Run Enable-MailUser "Daniel Brunner" -ExternalEmailAddress Daniel@contoso.com, and view the results.
5. Run Disable-MailUser "Daniel Brunner". Type Y.
6. Close Exchange Management Shell.
7. In Active Directory Users and Computers, verify Daniel Brunner still is present.
1. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then click Mailbox.
3. In the Actions pane, click New Mailbox.
4. Choose User Mailbox, and then click Next.
5. Choose New user, and then click Next.
6. Fill in the following information:
    First Name: Kim
    Last Name: Akers
    User logon name (User Principal Name): Kim
    Password: Pa$$w0rd
    Confirm password: Pa$$w0rd
7. Click Next.
8. Type Kim as the Alias.
9. Select the Specify the mailbox database rather than using a database automatically selected check box, and click Browse. Click Accounting, click OK, and then click Next.
1. Select the Kim Akers mailbox, and then in the Actions pane, click Manage Full Access Permission.
2. In the Manage Full Access Permission wizard, click Add.
3. In the Select User or Group dialog box, choose Wei Yu, and then click OK.
Demonstration steps
Assign Wei Yu Send As permissions on Kim Akers's mailbox:
1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
3. In the Results pane, select the Kim Akers mailbox, and then in the Actions pane, click Manage Send As Permission.
4. In the Manage Send As Permission wizard, click Add. You will notice that the SELF security principal, which enables a user to manage his permissions, already is assigned. It was assigned, by default, when the mailbox was created.
5. In the Select User or Group dialog box, choose Wei Yu, and then click OK.
6. Click Manage.
7. Click Finish. Wei Yu now can send e-mail as Kim Akers if he chooses to change the From address when composing a new e-mail message.
Assign Wei Yu full access to Kim Akers's mailbox:
1. In the Results pane, select the Kim Akers mailbox, and then in the Actions pane, click Manage Full Access Permission.
2. In the Manage Full Access Permission wizard, click Add. You will notice that the SELF security principal, which enables a user to manage his permissions, already is assigned. It was assigned, by default, when the mailbox was created.
3. In the Select User or Group dialog box, choose Wei Yu, and then click OK.
4. Click Manage.
5. Click Finish.
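The two wizards above can also be driven from the Exchange Management Shell, which makes it possible to list who holds explicit Send As or Full Access rights on a mailbox afterwards. The following is an added example, not part of the course material; the function name Get-MailboxDelegation is hypothetical, and the account names Kim and Adatum\Wei are the lab's.

```powershell
# Added example (not from the course material).
# Run in the Exchange Management Shell on Exchange Server 2010.

# Lists explicit (non-inherited) Full Access and Send As grants on one mailbox.
# Get-MailboxDelegation is a hypothetical helper name.
function Get-MailboxDelegation {
    param([Parameter(Mandatory = $true)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity

    # Full Access lives in the mailbox security descriptor.
    $full = Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            ($_.AccessRights -like '*FullAccess*') -and
            ($_.User -notlike 'NT AUTHORITY\SELF')
        }

    # Send As is an extended right on the user's Active Directory object.
    $sendAs = Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            ($_.ExtendedRights -like '*Send-As*') -and
            ($_.User -notlike 'NT AUTHORITY\SELF')
        }

    foreach ($ace in $full) {
        New-Object PSObject -Property @{
            Mailbox = $mbx.Name; Trustee = "$($ace.User)"; Right = 'FullAccess'
        }
    }
    foreach ($ace in $sendAs) {
        New-Object PSObject -Property @{
            Mailbox = $mbx.Name; Trustee = "$($ace.User)"; Right = 'SendAs'
        }
    }
}

# Shell equivalents of the Manage Send As Permission and
# Manage Full Access Permission wizards, using the lab's accounts.
$kim = Get-Mailbox -Identity "Kim"
Add-ADPermission -Identity $kim.DistinguishedName -User "Adatum\Wei" -ExtendedRights "Send As"
Add-MailboxPermission -Identity $kim.DistinguishedName -User "Adatum\Wei" `
    -AccessRights FullAccess -InheritanceType All

# Verify the result for the one mailbox ...
Get-MailboxDelegation -Identity "Kim" |
    Select-Object Mailbox, Trustee, Right | Format-Table -AutoSize

# ... or review every mailbox, sorted by who holds the rights.
Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { Get-MailboxDelegation -Identity $_.DistinguishedName } |
    Sort-Object Trustee, Mailbox |
    Select-Object Trustee, Mailbox, Right | Format-Table -AutoSize
```

Remove-ADPermission and Remove-MailboxPermission take the same -Identity, -User and rights parameters to revoke a grant that the listing shows is no longer needed.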
3. Select the Kim Akers mailbox, and then in the Actions pane, click New Local Move Request.
4. In the New Local Move Request wizard, click Browse.
5. Select Mailbox Database 1, and then click OK.
6. Click Next.
7. Verify that Skip the mailbox is selected, and then click Next.
8. Click New.
9. Click Finish.
Demonstration steps
Move Kim Akers's mailbox to Mailbox Database 1:
1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
3. Select the Kim Akers mailbox, and then in the Actions pane, click New Local Move Request.
4. In the New Local Move Request wizard, click Browse.
5. Select Mailbox Database 1, and then click OK.
6. Click Next.
7. Verify that Skip the mailbox is selected, and then click Next. The Skip the corrupted messages option moves the noncorrupt messages to the new database up to the threshold selected. You can use this option to move corrupted mailboxes, while preserving the valid data.
8. Click New.
9. Click Finish.
Note: If the mailbox move fails, and the error indicates that no MRS service is available, start the Microsoft Exchange Mailbox Replication service, and try the mailbox move again.
10. In the Console Tree, expand Recipient Configuration, and then select Move Request to view the status of the move request.
3. Create a new room mailbox with the following information:
    Name: Conference Room 1
    User logon name (User Principal Name): ConferenceRoom1
    Password: Pa$$w0rd
    Alias: ConferenceRoom1
4. After creating the room mailbox, modify the properties, and enable the resource booking attendant.
5. Open Internet Explorer, and log on to Outlook Web App as Adatum\Administrator with the password of Pa$$w0rd.
6. In Outlook Web App, create a new Meeting Request.
7. In the Untitled Meeting window, type Sales Meeting as the subject, type Administrator in the To field, and type Conference Room 1 in the Location field, and then click the Scheduling Assistant tab.
8. Select a Start time and an End time.
9. Click the down arrow next to Select Rooms, and then click More.
10. In the Address Book window, double-click Conference Room 1, and then click OK.
11. Send the meeting request and verify that the resource accepted the invitation.
Demonstration steps
On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
1. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
2. In the Actions pane, click New Mailbox.
3. In the New Mailbox wizard, select Room Mailbox, and then click Next.
4. Verify New user is selected, and then click Next.
5. Fill in the following information:
    Name: Conference Room 1
    User logon name (User Principal Name): ConferenceRoom1
    Password: Pa$$w0rd
    Confirm Password: Pa$$w0rd
6. Click Next.
7. Type ConferenceRoom1 as the Alias, and then click Next.
8. Verify Create an archive mailbox for this account is not selected, and then click Next.
9. Click New.
10. Click Finish.
11. In the Results pane, select Conference Room 1, and in the Actions pane, click Properties.
12. Click the Resource General tab.
13. Select the Enable the Resource Booking Attendant check box. If you do not enable this option, the resource will not process meeting requests, even if you configure other settings.
14. Click OK.
15. On VAN-EX1, click Start, click All Programs, and then click Internet Explorer.
16. Type https://VAN-EX1.adatum.com/owa in the address bar.
17. Log on to Outlook Web App as Adatum\Administrator with the password of Pa$$w0rd.
18. In Outlook Web App, click the down arrow next to New, and then click Meeting Request.
19. In the Untitled Meeting window, type Sales Meeting as the subject, type Administrator in the To field, and type Conference Room 1 in the Location field.
20. Click the Scheduling Assistant tab.
21. Select a Start time and an End time.
22. Click the down arrow next to Select Rooms, and then click More.
23. In the Address Book window, double-click Conference Room 1, and then click OK.
24. Click Send.
25. Close Internet Explorer.
26. Close Exchange Management Console.
Lesson 2
Log on to Exchange Control Panel as Kim Akers, and create a new Sales Group.
1. Log on to Exchange Control Panel as Adatum\Kim with the password of Pa$$w0rd.
2. Select Public Groups, and create a new Public Group.
3. In the New Group window, configure the following information:
    Display name: Sales
    Alias: Sales
    Description: Sales Department
4. Add the following members:
    Manoj Syamala
    Rohinton Wadia
    Paul West
Approve Wei Yu's request to be added to the Sales Group.
1. Log on to Outlook Web App as Adatum\Kim with the password of Pa$$w0rd.
2. Double-click the Request to Join Distribution Group message in the inbox.
3. In the Request to Join Distribution Group message pane, click Approve.
Demonstration Steps
Add Kim Akers to the Recipient Management role group.
1. On VAN-EX1, open Active Directory Users and Computers.
2. Expand Adatum.com, and click Microsoft Exchange Security Groups, and then double-click Recipient Management.
3. On the Members tab, add Kim Akers to the role group.
4. Click OK, and close Active Directory Users and Computers.
Log on to Exchange Control Panel as Kim Akers, and create a new Sales Group.
1. On VAN-EX1, click Start, click All Programs, click Internet Explorer.
2. Type https://van-ex1.adatum.com/ecp in the address bar.
3. Log on to Exchange Control Panel as Adatum\kim with the password of Pa$$w0rd. Click OK.
4. Click Public Groups.
5. Under Public Groups, click New.
6. In the New Group window, in the Display Name box, type Sales.
7. Type Sales as the Alias.
8. Type Sales Department as the Description.
9. Expand the Membership section, and then click Add.
10. In the Select Members window, double-click the following mailboxes:
    Manoj Syamala
    Rohinton Wadia
    Paul West
11. Click OK.
12. Expand Membership Approval.
13. Click Owner Approval. This ensures that the group owner approves all requests that are added to the group.
14. Click Save.
15. Sign out of Exchange Control Panel.
16. Log on to Exchange Control Panel as Wei Yu, and send request to join the Sales group.
17. Click Start, click All Programs, and click Internet Explorer.
18. Type https://van-ex1.adatum.com/ecp in the address bar.
19. Log on to Exchange Control Panel as Adatum\Wei with the password of Pa$$w0rd. Click OK.
20. In the left pane, select Groups.
21. In the Public Groups I Belong to section, click Join.
22. In the All Groups window, select Sales, and click Join.
23. Click Close.
24. Sign out of Exchange Control Panel.
Approve Wei Yu's request to be added to the Marketing Group.
1. Click Start, click All Programs, and click Internet Explorer.
2. Type https://van-ex1.adatum.com/owa in the address bar.
3. Log on to Outlook Web App as Adatum\kim with the password of Pa$$w0rd.
4. Double-click the Request to Join Distribution Group message in the Inbox.
5. In the Request to Join Distribution Group message pane, click Approve.
Lesson 3
Additional Reading
What Are E-Mail Address Policies?
Exchange Server 2010 Help: Understanding Accepted Domains
Exchange Server 2010 Help: Understanding E-mail Address Policies
Exchange Server 2010 Help: Upgrading Custom LDAP filters to OPATH filters
Use the user Alias as the local part of the e-mail address.
Select fourthcoffee.com as the accepted domain.
Apply the e-mail address policy immediately.
Verify that the e-mail address policy has been applied.
1. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
2. In the Results pane, double-click Jane Dow.
3. View the current e-mail addresses that have been assigned.
4. Change the Company attribute to Fourth Coffee.
5. View the current e-mail addresses that have been assigned.
Demonstration steps
Create a new E-mail Address Policy for Fourth Coffee recipients.
On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
1. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then select Hub Transport.
2. In the Actions pane, click New E-mail Address Policy.
3. In the New E-Mail Address Policy wizard, type Fourth Coffee as the name of the policy.
4. Click Browse.
5. In the Select Organizational Unit dialog box, select Adatum.com, and then click OK.
6. Verify that All Recipient types is selected, and then click Next.
7. In the Step 1 box, check Recipient is in a Company.
8. In the Step 2 box, click specified.
9. In the Specify Company dialog box, type Fourth Coffee, and then click Add. You can add multiple names to this list, if needed.
10. Click OK.
11. In the New E-Mail Address Policy dialog box, click Next.
12. Click Add, and then verify that E-mail address local part and Use Alias are selected.
13. Click Select the accepted domain for the e-mail address, click Browse, select fourthcoffee.com, and then click OK. This list of domains comes from the list of accepted domains. To display a new domain in this list, you must add another accepted domain.
14. Click OK.
15. Click Next.
16. Verify Immediately is selected, and then click Next. The schedule allows you to set the policy to not run, run immediately, or run at a later time. You can use this option if the policy affects a large number of recipients or if the change must occur during a defined change window.
17. Click New.
18. Click Finish.
Verify the E-mail Address Policy is being applied.
1. In the Console Tree, expand Recipient Configuration, and then select Mailbox.
2. In the Results pane, double-click Jane Dow.
3. In the Properties dialog box for Jane Dow, click the E-Mail Addresses tab, and then view the current e-mail addresses assigned.
4. Click the Organization tab.
5. Type Fourth Coffee for the Company, and then click Apply.
6. In the Properties dialog box for Jane Dow, click the E-Mail Addresses tab, and view the current e-mail addresses assigned. The new fourthcoffee.com e-mail address should have been assigned when the company change was made. Notice that the new addresses were added and the old addresses were not removed.
7. Click OK.
8. Close Exchange Management Console.
Lesson 4
Question: How do you use address lists in your organization?
Answer: Answers will vary. Typically, users are organized by department or physical location.
Question: How do you use a recipient filter and Active Directory attributes to create address lists? Is the necessary information already in Active Directory accounts?
Answer: Answers will vary. Recipient filters are a flexible way to create address lists, but Exchange Server 2010 does not support them through the GUI. You may need recipient filters to create address lists for individual buildings. The necessary information may not be in Active Directory accounts, depending on the organization.
Additional Reading
What Are Address Lists?
Exchange 2010 Help file: Understanding Address Lists
Use the Recipient is in a Company condition to apply this policy to only recipients that list Fourth Coffee for their company attribute.
Preview the address list.
Apply the e-mail address list immediately.
Verify the new address list is working.
1. Log on to Outlook Web App as Adatum\George with the password of Pa$$w0rd.
2. Open the Address book, and view the members of the Fourth Coffee address list.
3. Close Outlook Web App.
Demonstration steps
Create a new address list for Fourth Coffee recipients:
1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Organization Configuration, and then select Mailbox.
3. In the Results pane, click the Address lists tab.
4. In the Actions pane, click New Address List.
5. Type Fourth Coffee as the Name.
6. Type Fourth Coffee as the Display name.
7. Verify the container is \.
8. Click Next.
9. Click Browse.
10. In the Select Organizational Unit dialog box, select Adatum.com, and then click OK.
11. Verify that All Recipient types is selected, and then click Next.
12. In the Step 1 box, check Recipient is in a Company.
13. In the Step 2 box, click specified.
14. In the Specify Company dialog box, type Fourth Coffee, and then click Add. You can add multiple values to this list.
15. Click OK.
16. Click Preview. This will list the estimated results of using the defined filter.
17. Click OK.
18. Click Next.
19. Verify Immediately is selected, and then click Next. The schedule can allow the policy to not run, run immediately, or run at a later time. You can use this when the policy will affect a large number of recipients or if a change window is going to be honored.
20. Click New.
21. Click Finish.
Verify the new address list is working.
1. Log on to Outlook Web App as Adatum\George with the password of Pa$$w0rd.
2. Click the Address book icon in the Outlook Web App toolbar.
3. In the Address Book window, click the Show other address lists button.
4. Click Fourth Coffee. View the members of the Fourth Coffee address list.
5. Close the Address Book window.
6. Close Outlook Web App.
Lesson 5
Question: Describe situations where multiple recipients need to be modified.
Answer: Answers will vary. Some examples include:
A department is increasing users' storage limits.
A new naming standard is created for the organization's groups.
You need to remove all subsidiary members because the company has been sold.
2. The instructor will run the following script. The script will create mailboxes based on information provided in a .csv file.

    ## Section 1
    ## Define Database for new mailboxes
    $db = "Mailbox Database 1"
    ## Define User Principal name
    $upndom = "Adatum.com"

    ## Section 2
    ## Import csv file into variable $users
    $users = Import-Csv $args[0]

    ## Section 3
    ## Function to convert password string to secure string
    function SecurePassword([string]$plainPassword) {
        $secPassword = New-Object System.Security.SecureString
        foreach ($char in $plainPassword.ToCharArray()) {
            $secPassword.AppendChar($char)
        }
        $secPassword
    }

    ## Section 4
    ## Create new mailboxes and users
    foreach ($i in $users) {
        $sp = SecurePassword $i.password
        $upn = $i.FirstName + "@" + $upndom
        $display = $i.FirstName + " " + $i.LastName
        New-Mailbox -Password $sp -Database $db -DisplayName $display -UserPrincipalName $upn -Name $i.FirstName -FirstName $i.FirstName -LastName $i.LastName -OrganizationalUnit $i.OU
    }

3. In Exchange Management Console, verify that the users listed in the .csv file have been created.
Demonstration steps
Demonstrate how to use pipelining:
1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. Run: Get-User -Filter {Company -eq "Fourth Coffee"}.
3. Run Disable-Mailbox Jane. Type Y and then press ENTER.
4. Run Get-User -Filter {Company -eq "Fourth Coffee"} | Enable-Mailbox -Database "Mailbox Database 1".
5. Run Notepad D:\Labfiles\DemoUsers.ps1. Explain each section of the PowerShell script.
    Section 1. Creates a variable named $db that stores the name of the database and a variable named $upndom that stores the name of the UPN.
    Section 2. Imports a CSV file with user information.
    Section 3. Converts the plain text password into a secure string.
    Section 4. Creates the mailboxes.
6. Run Notepad D:\Labfiles\DemoUsers.csv. Review the contents of the file.
7. Run: D:\Labfiles\DemoUsers.ps1 D:\Labfiles\Demousers.csv.
8. Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
9. In the Console Tree, expand Microsoft Exchange On-Premises, expand Recipient Configuration, and then select Mailbox.
Module 4
Managing Client Access
Contents:
Lesson 1: Configuring the Client Access Server Role
Lesson 2: Configuring Client Access Services for Outlook Clients
Lesson 3: Configuring Outlook Web Access
Lesson 4: Configuring Mobile Messaging
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1
Demonstration steps
1. On VAN-EX1, click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Exchange Management Console, expand Microsoft Exchange On-Premises (van-ex1.adatum.com), expand Organization Configuration, and then click Client Access. You apply client access settings to all Client Access servers and mailboxes while in the Organization Configuration node.
3. In the details pane, click the Outlook Web App Mailbox Policies tab. On this tab, you can define Outlook Web App Mailbox policies that will configure the user experience with Outlook Web App. Notice that Exchange defines a default policy, which it does not assign to any users.
4. In the details pane, click the Exchange ActiveSync Mailbox Policies tab. On this tab, you can define Exchange ActiveSync Mailbox policies that will configure the user experience when they connect to the Exchange servers using a mobile device. Notice that Exchange defines a default policy, which it does not assign to any users.
5. In the left pane, expand Server Configuration, and then click Client Access. In this area, you can configure the settings that are specific to each Client Access server.
6. In the details pane, ensure that VAN-EX1 is selected, and in the Actions pane, click Properties. Click the System Settings tab, and then click the Outlook Anywhere tab. These tabs display information only, and cannot be used to configure the server settings. After you have reviewed these settings, click OK.
7. In the results pane, ensure that the Outlook Web App tab is selected, right-click owa (Default Web Site), and then click Properties. In the owa (Default Web Site) Properties dialog box, you can configure the OWA settings for this server. After you have reviewed these settings, click OK.
8. Click the Exchange Control Panel tab, and then double-click ecp (Default Web Site). In this dialog box, you can configure the Exchange Control Panel (ECP) virtual directory settings for this server. After you have reviewed these settings, click OK.
9. Click the Exchange ActiveSync tab, click the Offline Address Book tab, and then click the POP3 and IMAP4 tab. In each of these locations, you can configure the Client Access server-specific settings.
Demonstration: How to Configure Certificates for Client Access Servers Detailed demonstration steps
Demonstration steps
By default, the Windows Server 2008 Certification Authority does not issue certificates with multiple subject alternative names, so you will need to modify the server configuration. To enable the CA to issue these certificates, perform the following steps:
1. Run the certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 command, and then restart the Certificate Services.
2. In the Exchange Server, open the Exchange Management Console, select Server Configuration, and then click Client Access.
3. Click Configure External Client Access Domain, and configure the external domain name for Client Access servers in the organization.
4. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard. This wizard helps you determine what type of certificates you need for your Exchange organization.
5. On the Introduction page, enter a user-friendly name for your certificate.
6. On the Domain Scope page, do not select the Enable wildcarding for this certificate check box.
7. On the Exchange Configuration page, configure the certificate request to include Outlook Web App on the Internet and Intranet, Exchange ActiveSync and Autodiscover.
8. On the Certificate Domains page, accept the names that will be added to the certificate request.
9. On the Organization and Location page, enter information about your Exchange organization. Click the Browse button to select a location for the certificate request file, and enter the desired file name.
10. On the Certificate Completion page, verify that all the information you have entered is correct. If it is, click the New button.
11. On the Completion page, click Finish.
12. Provide the certificate request file to your CA. After the certificate has been issued, complete the certificate installation process.
13. In the Exchange Management Console, select Server Configuration.
14. In the Actions pane, click Complete Pending Request.
15. Import the certnew.cer file.
16. In the Actions pane, click Assign Services to Certificate.
Demonstration steps
1. On VAN-DC1, click Start, in the search box, type cmd.exe, and then press ENTER. By default, the Windows Server 2008 CA does not issue certificates with multiple subject alternative names, so we need to modify the server configuration.
2. At the command prompt, type the following command, and then press ENTER:
    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
3. At the command prompt, type net stop certsvc & net start certsvc, and then press ENTER.
4. On VAN-EX1, if required, open the Exchange Management Console. In the left pane, click Server Configuration, and then click Client Access.
5. In the Actions pane, click Configure External Client Access Domain. You can use this feature to configure the external domain name for Client Access servers in the organization.
6. On the Configure External Client Access Domain page, type mail.Adatum.com as the domain name, and then click Add.
7. In the Select Client Access Server dialog box, press Ctrl, click both VAN-EX1 and VAN-EX2, and then click OK.
8. Click Configure. In the Microsoft Exchange dialog box or boxes, click Yes. This dialog box appears when the name that you are configuring as the external client access domain name cannot be resolved in DNS.
9. Click Finish.
10. In the results pane, ensure that VAN-EX1 is selected, and then in the results pane, double-click owa (Default Web Site).
11. On the General tab, verify that the External URL field has been changed to https://mail.adatum.com/owa, then click OK.
12. In the left pane, click Server Configuration.
13. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard. This wizard helps you determine what type of certificates you need for your Exchange organization.
14. On the Introduction page, type ADatum Mail Certificate as the friendly name for the certificate, and then click Next.
15. On the Domain Scope page, click Next. You can select the Enable wildcarding for this certificate check box, and enter a root domain if you would like to apply the certificate automatically to all subdomains by creating a wildcard certificate.
16. On the Exchange Configuration page, expand Client Access server (Outlook Web App), and then select both the Outlook Web App is on the Intranet and Outlook Web App is on the Internet check boxes.
17. Expand Client Access server (Exchange ActiveSync), and then select the Exchange Active Sync is enabled check box.
18. Expand Client Access server (Web Services, Outlook Anywhere, and Autodiscover). Enter mail.adatum.com as the external host name.
19. Ensure that the Autodiscover used on the Internet check box is selected, and that the Long URL option is selected, and then click Next.
20. On the Certificate Domains page, click Next.
21. On the Organization and Location page, enter the following information:
    Organization: A Datum
    Organizational Unit: Messaging
    Country/region: Canada
    City/locality: Vancouver
    State/province: BC
22. Click Browse, type CertRequest as the File name, and then click Save.
23. Click Next, click New, and then click Finish.
24. Click the Folder icon on the task bar, and then click Documents.
25. Right-click CertRequest.req, and then click Open.
26. In the Windows dialog box, click Select a program from a list of installed programs, and then click OK.
27. In the Open with dialog box, click Notepad, and then click OK.
28. In the CertRequest.req Notepad window, press CTRL+A to select all the text, and then press CTRL+C to copy the text to the clipboard. Close Notepad.
29. Click Start, click All Programs, and then click Internet Explorer.
30. Connect to http://van-dc1.adatum.com/certsrv.
31. Log on as Adatum\administrator using the password Pa$$w0rd.
32. On the Welcome page, click Request a certificate.
33. On the Request a Certificate page, click advanced certificate request.
34. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded CMC or PKCS#7 file.
35. On the Submit a Certificate Request or Renewal Request page, click in the Saved Request field, and then press CTRL+V to paste the certificate request information into the field.
36. In the Certificate Template list, click Web Server, and then click Submit.
37. On the Certificate Issued page, click Download certificate.
38. In the File Download dialog box, click Save.
39. In the Save As dialog box, click Save. The process for saving the file may take more than a minute.
40. In the Download complete dialog box, click Open.
41. In the Certificate dialog box, on the Details tab, click Subject Alternative Name. Verify that the certificate includes several subject alternative names, and then click OK.
42. In the Exchange Management Console, click Server Configuration.
43. Under VAN-EX1, click Adatum Mail Certificate, and in the Actions pane, click Complete Pending Request.
44. On the Complete Pending Request page, click Browse.
45. Under Favorites, click Downloads.
46. Click certnew.cer and click Open.
47. Click Complete, and then click Finish.
48. In the results pane, click VAN-EX1. In the bottom pane, click Adatum Mail Certificate.
49. In the Actions pane, click Assign Services to Certificate.
50. On the Select Servers page, verify that VAN-EX1 is listed, and then click Next.
51. On the Select Services page, select the Internet Information Services check box, click Next, click Assign, and then click Finish.
Lesson 2
Additional Reading
What Is Autodiscover?
Automatically configure Office Outlook 2007 user accounts Autodiscover Response
Demonstration steps
1. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. At the PS prompt, type Get-OrganizationConfig, and then press ENTER. Review the settings for the following values:
    - MailTipsAllTipsEnabled. Indicates that MailTips are enabled for the organization.
    - MailTipsMailboxSourcedTipsEnabled. Indicates that internal MailTips are enabled.
    - MailTipsExternalRecipientsTipsEnabled. Indicates that external recipient MailTips are enabled.
    - MailTipsLargeAudienceThreshold. Defines the minimum size for a distribution group before the MailTip will be triggered.
3. At the PS prompt, type Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10, and then press ENTER.
4. Type Get-OrganizationConfig, and then press ENTER. Verify that the large audience threshold has been updated.
5. At the PS prompt, type Set-DistributionGroup Marketing -MailTip "The marketing team will be at a conference till next week.", and then press ENTER.
6. At the PS prompt, type Get-DistributionGroup Marketing | FL MailTip*, and then press ENTER. Verify that the custom MailTip has been configured.
7. Open Internet Explorer, and connect to https://VAN-EX1.adatum.com/owa.
8. Log on to Outlook Web App as Adatum\Anna using the password Pa$$w0rd.
9. Click New to create a new message.
10. In the Untitled Message dialog box, click To, click Paul, click To, and then click OK. Press CTRL+K. Verify that the MailTip appears indicating that Anna does not have permission to send to this user.
11. Click Remove Recipient.
12. In the To box, type Marketing, and then press CTRL+K. Confirm that the Custom MailTip for the Marketing distribution list appears.
2. On the Client Access server, verify that the RPC over HTTP Proxy feature is installed.
3. On the Client Access server, in Exchange Management Console, click Enable Outlook Anywhere, using a host name that is resolvable from the Internet.
4. On the Client Access server, in Internet Information Services (IIS) Manager, verify that the RPC virtual directory is configured to use SSL and that it is configured to accept Basic and Windows Authentication.
5. On the client computer, configure the Outlook account properties to Connect to Microsoft Exchange using HTTP, and then click Exchange Proxy Settings.
6. In the Microsoft Exchange Proxy Settings dialog box, complete the following information:
    - Use the URL (https://): external host name for the Client Access server.
    - Connect using SSL only: enable (default)
    - On fast networks, connect using HTTP first, then connect using TCP/IP: enable
    - On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)
    - Proxy authentication setting: NTLM Authentication (default)
7. From the client, open Outlook and connect to the server.
8. Press and hold the CTRL key, and then right-click the Office Outlook icon in the Windows 7 operating system notification area. Click Connection Status. Confirm that the Conn column lists HTTPS as the connection method.
9. Press and hold Ctrl, and then click the Outlook icon in the notification area of the Windows task bar. Click Test E-mail AutoConfiguration.
10. Click Test. View the information displayed on both the Results and Log tabs.
Demonstration steps
1. On VAN-EX1, open the Exchange Management Shell.
2. In the Exchange Management Shell, type Get-ClientAccessServer -Identity VAN-EX1 | FL, and then press ENTER. Confirm that the AutodiscoverServiceInternalUri parameter is configured to use https://VAN-EX1.adatum.com/Autodiscover/Autodiscover.xml.
3. On VAN-EX1, click Start, point to Administrative Tools, and then click Server Manager.
4. Click Features. In the Features list, verify that the RPC over HTTP Proxy feature is listed.
5. On VAN-EX1, open the Exchange Management Console.
6. In the Exchange Management Console, expand Server Configuration, and then click Client Access.
7. Click VAN-EX1, and in the Actions pane, click Enable Outlook Anywhere.
8. On the Enable Outlook Anywhere page, in the External host name field, type Mail.adatum.com. Under Client authentication method, click NTLM authentication, and then click Enable.
9. On the Completion page, click Finish.
10. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
11. Expand VAN-EX1 (ADATUM\administrator), expand Sites, expand Default Web Site, and then click Rpc.
12. In the center pane, in the IIS section, double-click SSL Settings. Ensure that the Require SSL check box is selected.
13. Click Rpc, and then double-click Authentication. Ensure that Basic Authentication and Windows Authentication are enabled.
14. Close Internet Information Services (IIS) Manager.
15. Close all open windows, and restart VAN-EX1.
Note: You can continue with the following steps while VAN-EX1 restarts.
16. On VAN-CL1, ensure that you are logged on as Adatum\Luca.
17. Click Start, and then click Control Panel. In the Search field, type Mail. Right-click Mail, and then click Open.
18. In the Mail Setup - Outlook dialog box, click E-mail Accounts.
19. In the E-mail Accounts dialog box, click Microsoft Exchange, and then click Change. If you receive a warning that Microsoft Exchange is not available, click Work Offline.
20. On the Microsoft Exchange Settings page, click More Settings.
21. In the Microsoft Exchange dialog box, on the Connection tab, select Connect to Microsoft Exchange using HTTP, and then click Exchange Proxy Settings.
22. In the Microsoft Exchange Proxy Settings dialog box, complete the following information:
    - Use this URL (https://): VAN-EX1.adatum.com
    - Connect using SSL only: enable (default)
    - On fast networks, connect using HTTP first, then connect using TCP/IP: enable
    - On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)
    - Proxy authentication setting: NTLM Authentication (default)
Note: In this demonstration, you are configuring the Outlook client to try HTTP first for all connections to the Exchange Server. However, in a production environment, you typically would select the option to connect first using HTTP on slow networks. When you use this configuration, the client uses RPC connections for the internal network, and it uses HTTP only for external networks.
23. Click OK, and then click OK again to close the Microsoft Exchange Server dialog box.
24. On the Microsoft Exchange Settings page, click Next.
25. On the Change E-mail Account page, click Finish.
26. On the E-mail Accounts page, click Close, and then again click Close to close the Mail Setup - Outlook dialog box.
27. Wait until VAN-EX1 restarts, and then log on as Administrator using the password Pa$$w0rd.
28. On VAN-CL1, click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2007.
29. If a Microsoft Office Outlook dialog box appears, click No.
30. Verify that the Office Outlook connection indicator states Online with Microsoft Exchange.
31. Press and hold CTRL, and then right-click the Office Outlook icon in the Windows 7 notification area. You may need to click the arrow in the Windows 7 notification area to view the Office Outlook icon.
32. Click Connection Status. Confirm that the Conn column lists HTTPS as the connection method, and then click Close.
33. Press and hold Ctrl, and then click the Outlook icon in the notification area of the Windows task bar. Click Test E-mail AutoConfiguration.
34. In the Password field, type Pa$$w0rd.
35. Clear the Use Guessmart and Secure Guessmart Authentication check boxes. Guessmart is used to automate the process of configuring Outlook 2010 as an IMAP4 or POP3 client.
36. Click Test. View the information displayed on the Results tab.
37. Click the Log tab to view how the client completed Autodiscover.
38. Close the Test E-mail AutoConfiguration dialog box.
39. Close Microsoft Outlook, and then log off VAN-CL1.
Lesson 3
Demonstration steps
1. On VAN-EX1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand VAN-EX1 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click owa.
3. In the center pane, and under IIS, double-click SSL Settings. Notice that SSL is required by default.
4. Under Sites, click Default Web Site, and in the Actions pane, click Bindings.
5. In the Site Bindings dialog box, click https, and then click Edit.
6. Verify that the SSL certificate used for the OWA site is the certificate that you obtained in the earlier demonstration.
7. Click OK, click Close, and then close Internet Information Services (IIS) Manager.
8. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
9. In the console tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Client Access.
10. In the work pane, select VAN-EX1, and in the result pane, right-click owa (Default Web Site), and then click Properties.
11. On the General tab, in the External URL box, type https://van-ex1.adatum.com/owa.
12. Click the Authentication tab, and verify that Use forms-based authentication is selected.
13. Under Logon Format, click User name only, and then click Browse.
14. Click Adatum.com, and then click OK.
15. Click the Segmentation tab, click All Address Lists, and then click Disable. The Segmentation tab allows you to enable and disable features for Outlook Web App users.
16. Click OK, read the Microsoft Exchange Warning dialog box, and then click OK.
17. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
18. Type IISReset /noforce, and then press ENTER. This allows the logon and segmentation changes to take effect.
19. In the Exchange Management Shell, type Set-OwaVirtualDirectory "owa (Default Web Site)" -ForceSaveFileTypes ".xls", and then press ENTER. This command forces attachments with a .xls extension to be saved to disk before they can be opened. Any existing ForceSaveFileTypes are overwritten. The attachment control settings for file types and MIME types can be configured by using the Set-OwaVirtualDirectory cmdlet. File attachment control settings include:
    - ActionForUnknownFileAndMIMETypes. Specifies how to handle files that are not included in other file access management lists. Files can be allowed, blocked, or force saved.
    - AllowedFileTypes. Specifies the file extensions of attachments that the user is allowed to save locally, or view from a Web browser.
    - AllowedMIMETypes. Specifies the MIME types of attachments that users can save locally, or view from a Web browser.
    - BlockedFileTypes. Specifies the file extensions of attachments that are blocked.
    - BlockedMIMETypes. Specifies the MIME types of attachments that are blocked.
    - ForceSaveFileTypes. Specifies the file extensions of attachments that the user is forced to save locally, rather than view from a Web browser.
    - ForceSaveMIMETypes. Specifies the MIME types of attachments that the user is forced to save locally, rather than view from a Web browser.
Note: In cases where there is a conflict between management settings for file access, the following precedence applies: Allow overrides Block and Force Save. Block overrides Force Save. For example, if you configure .doc files as both a blocked file type and an allowed file type, .doc files will be allowed.
20. Type Set-OwaVirtualDirectory "owa (Default Web Site)" -GzipLevel Off, and then press ENTER. This command disables Gzip compression for Outlook Web App. Gzip compression improves performance over slow network connections by compressing content. Implementing Gzip compression may slow server performance due to increased CPU utilization. Additional valid values for the GzipLevel options are High and Low. The default value is Low.
21. Type Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter, and then press ENTER. The possible values for FilterWebBeaconsAndHtmlForms are as follows:
    - UserFilterChoice. By default, this value blocks Web beacons and HTML forms, but lets the user allow Web beacons and HTML forms on individual messages.
    - ForceFilter. This value blocks all Web beacons and HTML forms.
    - DisableFilter. This value allows Web beacons and HTML forms.
22. Type IISReset, and then press ENTER.
23. Close the Exchange Management Shell.
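The precedence rule in the Note after step 19 (Allow overrides Block and Force Save; Block overrides Force Save) is easy to misread when the same extension sits in more than one list. The following PowerShell is an added example, not part of the course material: the function names and the sample lists are constructed, it covers file extensions only (not MIME types), and the fallback value used for unknown extensions is a sample choice.

```powershell
# Added example: resolve the effective OWA attachment action for a file name,
# using the precedence stated in the Note (Allow > Block > Force Save).
# Function names and all sample list values are constructed for illustration.

function Resolve-OwaAttachmentAction {
    param(
        [Parameter(Mandatory = $true)][string]$FileName,
        [string[]]$AllowedFileTypes = @(),
        [string[]]$BlockedFileTypes = @(),
        [string[]]$ForceSaveFileTypes = @(),
        # Fallback for extensions found in none of the lists (sample value).
        [ValidateSet('Allow', 'Block', 'ForceSave')]
        [string]$ActionForUnknownFileAndMIMETypes = 'ForceSave'
    )

    # Compare on the lower-cased extension, including the leading dot (".xls").
    $ext = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()

    # Record every list that names the extension so that conflicts stay visible.
    # -contains is case-insensitive, so ".DOC" in a list still matches ".doc".
    $matched = @()
    if ($ext -and ($AllowedFileTypes -contains $ext))   { $matched += 'Allowed' }
    if ($ext -and ($BlockedFileTypes -contains $ext))   { $matched += 'Blocked' }
    if ($ext -and ($ForceSaveFileTypes -contains $ext)) { $matched += 'ForceSave' }

    # Apply the precedence; fall back when no list matched.
    $effective = if ($matched -contains 'Allowed') { 'Allow' }
                 elseif ($matched -contains 'Blocked') { 'Block' }
                 elseif ($matched -contains 'ForceSave') { 'ForceSave' }
                 else { $ActionForUnknownFileAndMIMETypes }

    New-Object psobject -Property @{
        FileName        = $FileName
        Extension       = $ext
        MatchedLists    = ($matched -join ', ')
        EffectiveAction = $effective
        Conflict        = ($matched.Count -gt 1)
    } | Select-Object FileName, Extension, MatchedLists, EffectiveAction, Conflict
}

function Get-OwaAttachmentConflict {
    # Lists every extension that appears in more than one list, together with
    # the action that actually wins. An Allowed entry silently defeats a Block.
    param(
        [string[]]$AllowedFileTypes = @(),
        [string[]]$BlockedFileTypes = @(),
        [string[]]$ForceSaveFileTypes = @()
    )
    $all = @(@($AllowedFileTypes) + @($BlockedFileTypes) + @($ForceSaveFileTypes) |
        ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)

    foreach ($ext in $all) {
        $result = Resolve-OwaAttachmentAction -FileName "sample$ext" `
            -AllowedFileTypes $AllowedFileTypes `
            -BlockedFileTypes $BlockedFileTypes `
            -ForceSaveFileTypes $ForceSaveFileTypes
        if ($result.Conflict) { $result }
    }
}

# Constructed sample lists: .doc is both allowed and blocked (the Note's own
# example), and .xls is both blocked and force-saved.
$lists = @{
    AllowedFileTypes   = @('.doc', '.pdf')
    BlockedFileTypes   = @('.doc', '.exe', '.xls')
    ForceSaveFileTypes = @('.xls', '.zip')
}

# Effective action per attachment name.
'report.doc', 'budget.XLS', 'tool.exe', 'archive.zip', 'notes.txt' |
    ForEach-Object { Resolve-OwaAttachmentAction -FileName $_ @lists } |
    Format-Table -AutoSize

# Extensions whose list entries contradict each other.
Get-OwaAttachmentConflict @lists | Format-Table -AutoSize
```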
Demonstration: How to Configure Outlook Web App Policies
Detailed demonstration steps
Demonstration steps
1. In Exchange Management Console, in the Organization Configuration node, click Client Access.
2. Click New Outlook Web App Mailbox Policy.
3. Provide a name for the policy, and configure the policy settings. After creating the policy, you can configure additional settings by accessing the policy properties.
4. Assign the policy to a user account by accessing the Outlook Web App properties on the Mailbox Features tab.
5. Log on to Outlook Web App as the user, and test the policy application.
Demonstration Steps
1. On VAN-EX1, click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. Expand Organization Configuration, and then click Client Access.
3. In the Actions pane, click New Outlook Web App Mailbox Policy.
4. In the New Outlook Web App Mailbox Policy page, type Marketing Policy as the policy name.
5. In the list of features, click Change Password, and then click Disable.
6. Click New, and then click Finish.
7. Right-click Marketing Policy, and then click Properties.
8. On the Public Computer File Access tab, clear all check boxes.
9. On the Private Computer File Access tab, clear all check boxes, and then click OK.
10. Under Recipient Configuration, click Mailbox.
11. In the Mailbox list, double-click Paul West.
12. On the Mailbox Features tab, click Outlook Web App, and then click Properties.
13. Select the Outlook Web App mailbox policy check box, and then click Browse.
14. Click Marketing Policy, and then click OK three times.
15. Click Start, click All Programs, and then click Internet Explorer.
16. In the address field, type https://VAN-EX1.Adatum.com/owa, and then press ENTER.
17. Log on to Outlook Web App as Adatum\Paul using the password Pa$$w0rd.
18. On the Outlook Web App page, click Options.
19. If prompted for authentication, log on as Adatum\Paul using the password Pa$$w0rd.
20. In the left pane, click Settings. Notice that you do not have the option to change the user password. Close Internet Explorer.
Demonstration: How to Configure User Options Using the ECP
Detailed demonstration steps
Demonstration steps
1. On the Client Access server, in IIS Manager, review the settings for the ecp virtual directory.
2. In the Exchange Management Console, review the settings for the ecp (Default Web Site) virtual directory on each Client Access server.
3. As a user, access the ECP by opening Internet Explorer, and accessing https://servername/ecp.
4. Log on to the ECP, and review the settings that can be modified by the user.
Demonstration steps
1. On VAN-EX1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand VAN-EX1 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click ecp.
3. In the center pane, and under IIS, double-click SSL Settings. Notice that SSL is required by default.
4. Close Internet Information Services (IIS) Manager.
5. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
6. In the console tree, expand Server Configuration, and then click Client Access.
7. In the work pane, select VAN-EX1, and in the result pane, click the Exchange Control Panel tab.
8. Right-click ecp (Default Web Site), and then click Properties.
9. On the General tab, in the External URL box, type https://van-ex1.adatum.com/owa. This URL should match the URL used on the OWA virtual directory.
10. Click the Authentication tab, and verify that Use forms-based authentication is selected. Click OK.
11. On VAN-EX1, click Start, click All Programs, and then click Internet Explorer.
12. In the address field, type https://VAN-EX1.Adatum.com/ecp, and then press ENTER.
13. Log on to the ECP as Adatum\Luca using the password Pa$$w0rd.
14. On the Account tab, click Edit, click Contact Numbers, and in the Work phone field, type 5555555. Click Save, and verify that the updated phone number is listed.
15. In the left pane, click Organize E-Mail. On the Organize E-Mail tab, users can configure Inbox Rules, and view delivery reports.
16. In the left pane, click Groups. On the Groups tab, users can view the groups to which they belong and manage any groups that they own.
17. In the left pane, click Settings. On the Settings tab, users can configure several options for sending and managing e-mail and calendaring.
18. In the left pane, click Phone. On the Phone tab, users can manage their own mobile devices that have synchronized with Exchange Server 2010.
19. In the left pane, click Block or Allow. On the Block or Allow tab, users can configure their Junk e-mail settings as well as edit their safe recipients list.
20. Close Internet Explorer.
Lesson 4
Question: How do you use address lists in your organization?
Answer: Answers will vary. Typically, users are organized by department or physical location.
Question: How do you use a recipient filter and Active Directory attributes to create address lists? Is the necessary information already in Active Directory accounts?
Answer: Answers will vary. Recipient filters are a flexible way to create address lists, but Exchange Server 2010 does not support them through the GUI. You may need recipient filters to create address lists for individual buildings. The necessary information may not be in Active Directory accounts, depending on the organization.
Additional Reading
Options for Securing Exchange ActiveSync
Sample: How to add root certificates to Windows Mobile 2003 and Windows Mobile 2002 Smartphones System Center Mobile Device Manager TechCenter
Caution: In a production environment, you should require SSL for the Exchange ActiveSync virtual directory. You are disabling SSL only because the mobile emulator does not trust the server certificate.
2. In Exchange Management Console, configure authentication and remote file server settings on the Microsoft-Server-ActiveSync virtual directory.
3. On the mobile device emulator, configure the network settings so that the emulator can communicate with the Client Access server.
4. In mobile device emulator, start ActiveSync, and then configure the emulator to connect to the Client Access server using an account that is enabled for Exchange ActiveSync.
5. Synchronize the device.
6. Test ActiveSync by sending a message from another user to the user logged on to the mobile device. Verify that the message arrives, and respond to the message.
Demonstration steps
1. On VAN-EX1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand VAN-EX1 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click Microsoft-Server-ActiveSync.
3. In the center pane, and under IIS, double-click SSL Settings. Notice that SSL is required by default. Clear the Require SSL check box, and then click Apply.
Caution: In a production environment, you should require SSL for the Exchange ActiveSync virtual directory. You are disabling SSL only because the mobile emulator does not trust the server certificate.
4. Close Internet Information Services (IIS) Manager.
5. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
6. In the console tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Client Access.
7. In the result pane, click VAN-EX1, and in the work pane, click the Exchange ActiveSync tab.
8. Right-click Microsoft-Server-ActiveSync, and then click Properties.
9. Review the information on the General tab.
10. Click the Authentication tab. Notice that Basic authentication is enabled. This is acceptable, because SSL would normally be used to secure the credentials in transit.
11. Click the Remote File Servers tab. The options on this tab are the same as the Remote File Servers settings for accessing attachments using Outlook Web App, and are used for synchronizing file attachments. However, these options are independent of the Remote File Servers settings for accessing attachments using Outlook Web App. Click OK.
12. On VAN-CL1, click Start, point to All Programs, click Windows Mobile 6 SDK, click Standalone Emulator Images, and under US English, click WM 6.1.4 Professional.
13. While the emulator is booting, in the WM 6.1.4 Professional window, click File, and then click Configure.
14. On the Network tab, select the Enable NE2000 PCMCIA network adapter and bind to check box, and then click OK.
15. In Windows Mobile 6 Professional, click Start, and then click Settings.
16. Click the Connections tab, and then double-click Network Cards.
17. On the Configure Network Adapters page, under My network card connects to, click The Internet, and then click NE2000 Compatible Ethernet Driver.
18. Click Use specific IP address, and then type the following settings:
    - IP address: 10.10.0.70
    - Subnet mask: 255.255.0.0
    - Default gateway: 10.10.0.1
19. On the Name Servers tab, type 10.10.0.10 as the DNS server address, and then click OK twice. Close the Settings window.
20. In the WM 6.1.4 Professional window, click Start, click Programs, and then click ActiveSync.
21. Read the ActiveSync information, and then click the set up your device to sync with it link.
22. On the Enter Email Address page, in the Email address box, type ScottMacdonald@adatum.com, and then click Next. The device will attempt to use Autodiscover to configure the user settings.
23. On the User Information page, type Scott in the User name field, type Pa$$w0rd in the Password field, type Adatum in the Domain field, and then click Next.
24. On the Edit Server Settings page, in the Server Address field, type VAN-EX1.adatum.com, and then clear the This server requires an encrypted (SSL) connection check box.
25. In the ActiveSync message window, click OK, and then click Next.
26. In the Choose the data you wish to synchronize box, click Calendar, and then click Settings.
27. In the Synchronize only the past list, click All, and then, in the upper-right corner, click OK.
28. In the Choose the data you wish to synchronize box, click E-mail, and then click Settings.
29. In the Download the past list, click All, and then in the upper-right corner, click OK.
30. Confirm that the Contacts, Calendar, E-mail, and Tasks check boxes are selected, and then click Finish.
31. In the ActiveSync dialog box, click OK. After synchronization is complete, click the X in the upper-right corner to close ActiveSync. Close the Programs window.
32. On VAN-EX1, open Internet Explorer, and connect to https://van-ex1.adatum.com/owa.
33. Log on as adatum\Wei using the password Pa$$w0rd.
34. Click New, in the To field, type Scott, and then press CTRL+K to resolve the name.
35. In the Subject line, type Test Message from Wei.
36. In the message body, type Testing mobile messaging, and then click Send.
37. On VAN-CL1, in Windows Mobile 6 Professional, wait for a minute and then notice the animated Synchronization arrows indicating that the device is synchronizing automatically, triggered by the arrival of a message in Scott's mailbox. Wait for the Windows Mobile device to complete synchronization.
38. At the bottom of the Today screen, view the notification stating that a new message has arrived. Click the notification and click View.
39. Open the message from the Inbox. Click Reply at the bottom of the message window.
40. In the message body, type Test Reply, and then click Send.
41. Wait until the device finishes synchronizing, and then, on VAN-EX1, in Outlook Web App, click the Check Messages icon or press F5 to refresh the screen, and then confirm that the message from Scott was received.
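The Caution and step 10 of this demonstration rest on one condition: Basic authentication is acceptable only where the virtual directory requires SSL. The following PowerShell is an added example, not part of the course material, that checks that condition for the Client Access virtual directories; the function names and sample rows are constructed, and the live reader assumes the IIS WebAdministration module and the Default Web Site layout used in these demonstrations.

```powershell
# Added example: flag virtual directories where Basic authentication is enabled
# but SSL is not required. Function names and sample values are constructed.

function Get-VdirTransportSetting {
    # Reads live settings; needs the IIS WebAdministration module on the server.
    param(
        [string]$Site = 'Default Web Site',
        [string[]]$Name = @('owa', 'ecp', 'Rpc', 'Microsoft-Server-ActiveSync')
    )
    Import-Module WebAdministration -ErrorAction Stop

    foreach ($n in $Name) {
        $path  = "IIS:\Sites\$Site\$n"
        $ssl   = Get-WebConfigurationProperty -PSPath $path `
                    -Filter 'system.webServer/security/access' -Name 'sslFlags'
        $basic = Get-WebConfigurationProperty -PSPath $path `
                    -Filter 'system.webServer/security/authentication/basicAuthentication' `
                    -Name 'enabled'

        # sslFlags may come back as a plain string or as an object with .Value.
        $flags = if ($ssl -is [string]) { $ssl } else { [string]$ssl.Value }

        New-Object psobject -Property @{
            Name      = $n
            SslFlags  = $flags
            BasicAuth = [bool]$basic.Value
        }
    }
}

function Test-VdirTransportSecurity {
    # Evaluates one settings object per virtual directory from the pipeline.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Vdir
    )
    process {
        # sslFlags is a comma-separated flag list such as "Ssl,Ssl128" or "None".
        # Only the exact token "Ssl" means that SSL is required.
        $tokens = @(([string]$Vdir.SslFlags) -split ',' | ForEach-Object { $_.Trim() })
        $requireSsl = $tokens -contains 'Ssl'

        $finding = if (-not $requireSsl -and $Vdir.BasicAuth) {
                       'FAIL: Basic credentials can cross the network unencrypted'
                   }
                   elseif (-not $requireSsl) {
                       'WARN: SSL is not required'
                   }
                   else {
                       'OK'
                   }

        New-Object psobject -Property @{
            Name       = $Vdir.Name
            RequireSsl = $requireSsl
            BasicAuth  = [bool]$Vdir.BasicAuth
            Finding    = $finding
        } | Select-Object Name, RequireSsl, BasicAuth, Finding
    }
}

# Constructed sample that mirrors the lab after step 3 of this demonstration:
# Require SSL has been cleared on Microsoft-Server-ActiveSync only.
$sample = @(
    New-Object psobject -Property @{ Name = 'owa'; SslFlags = 'Ssl,Ssl128'; BasicAuth = $true }
    New-Object psobject -Property @{ Name = 'ecp'; SslFlags = 'Ssl,Ssl128'; BasicAuth = $true }
    New-Object psobject -Property @{ Name = 'Rpc'; SslFlags = 'Ssl,Ssl128'; BasicAuth = $true }
    New-Object psobject -Property @{ Name = 'Microsoft-Server-ActiveSync'; SslFlags = 'None'; BasicAuth = $true }
)

$sample | Test-VdirTransportSecurity | Format-Table -AutoSize

# On the Client Access server itself, evaluate the live configuration instead:
# Get-VdirTransportSetting | Test-VdirTransportSecurity | Format-Table -AutoSize
```

Run the live check after the lab to confirm that Require SSL has been restored on every virtual directory that accepts Basic authentication.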
Demonstration steps
1. On VAN-EX1, if required, open the Exchange Management Console.
2. In the console tree, expand Organization Configuration, and then click Client Access.
3. In the Actions pane, click New Exchange ActiveSync Mailbox Policy.
4. In the Mailbox policy name box, type EAS Policy 1.
5. Confirm that the Allow attachments to be downloaded to device option is selected. This option is required for mobile devices to synchronize attachments and store them locally on the device.
6. Select the Require password check box. This forces all accounts that synchronize to have a password. Any mailboxes without a password cannot be synchronized to a mobile device when this option is enabled. There also are additional password requirements you can enable.
7. Select the Enable password recovery check box. This will enable users to recover their Windows Mobile password through the ECP.
8. Click New to create the mobile mailbox policy.
9. Read the completion summary, and then click Finish. Notice the Exchange Management Shell command that was used to create the new mobile mailbox policy.
10. Right-click EAS Policy 1, and then click Properties. Notice that the General tab has additional options:
11. Click the Password tab. Notice that there is an additional password option listed here, Number of failed attempts allowed, that was not available when creating the mobile mailbox policy. This password option wipes the device of all data after the specified number of failed attempts.
12. On the Sync Settings tab, review the configuration options.
13. On the Device tab, review the configuration options.
14. On the Device Applications tab, review the configuration options. To implement these settings, you must have an Enterprise Client Access License for each mailbox.
15. On the Other tab, review the options for allowing or blocking specific applications, and then click OK.
16. In the console tree, expand Recipient Configuration, and then click Mailbox.
17. In the result pane, right-click Scott MacDonald, and then click Properties.
18. Click the Mailbox Features tab, click Exchange ActiveSync, and then click Properties.
19. In the Exchange ActiveSync Properties dialog box, click Browse.
20. Select EAS Policy 1, and then click OK.
21. Click OK twice to save and apply the changes.
22. On VAN-CL1, wait for ActiveSync to synchronize, or click Menu, and click Send/Receive.
23. In the Update Required dialog box, click OK.
24. In the Password and the Confirm Password fields, type 12345, and then click OK.
3. As an Exchange administrator, access the user in the Exchange Management Console Mailbox container, and then click OK.
4. In the Actions pane, click Manage Mobile Device.
5. On the Manage Mobile Device page, view the options available to manage the mobile device, including wiping the device.
Demonstration steps
1. On VAN-CL1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp.
2. Log on as Adatum\Scott using the password Pa$$w0rd.
3. Click Phone. Notice the PocketPC listed in the Device list.
4. On VAN-EX1, in the Exchange Management Console, under Recipient Configuration, click Mailbox.
5. In the result pane, click Scott MacDonald.
6. In the action pane, click Refresh.
7. In the action pane, click Manage Mobile Phone.
8. On the Manage Mobile Phone page, click Perform a remote wipe to clear mobile phone data, and then click Clear.
9. In the Microsoft Exchange warning message, click Yes, and then click Finish.
10. In Windows Mobile 6 Professional, wait for the device to synchronize. You can also force synchronization by opening Exchange ActiveSync, and then clicking Sync. Confirm that the device is wiped. If the device goes blank, it is rebooting after performing the remote wipe.
11. On the Windows Mobile 6 Professional window File menu, click Exit.
Users from the Internet are not able to connect to the Client Access server.
First, configure an external URL for each Client Access server. The external URL will be the name that the clients use to connect to the server. Next, ensure that you have configured a DNS host record for each Client Access server using the external URL.
2. You are planning on enabling Outlook Web App, Outlook Anywhere, and Exchange ActiveSync access to your Client Access server. You want to ensure that all client connections are secure by using SSL, and that none of the clients receives errors when they connect to the Client Access server. You plan on requesting a certificate from a Public CA. What should you include in the certificate request?
You should request a certificate with multiple subject alternative names so that all client connections are supported using the protocol-specific server name. You should also include the Autodiscover in the subject alternative name, if you are enabling Autodiscover to the Internet.
3. You have deployed two Client Access servers in the same Active Directory site. When one of the Client Access servers shuts down, users can no longer access their e-mail. What should you do?
You should configure the Client Access servers in an array to ensure redundancy.
Tools
Tool: Microsoft Exchange Server Remote Connectivity Analyzer
Use for: Troubleshooting Internet connectivity for messaging clients.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=179969

Use for: Troubleshooting Outlook connectivity to the Client Access server.
Where to find it: Open Outlook, press and hold CTRL, right-click the Outlook connection object, and then click Test E-Mail AutoConfiguration.
Administrative Tools
Module 5
Managing Message Transport
Contents:
Lesson 1: Overview of Message Transport
Lesson 2: Configuring Message Transport
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1
Question: What type of message-flow scenarios do most organizations implement?
Answer: Most organizations implement inbound, outbound, and local mail flow. An organization typically uses remote mail flow only if it has multiple Active Directory sites with Mailbox servers. Many smaller companies do not use remote mail flow. Also, large companies that have centralized their Mailbox servers in a single data center might not use remote mail flow.
Demonstration steps
1. On VAN-DC1, click Start, point to All Programs, point to Accessories, and then click Command Prompt. Explain that we now will use Telnet to check if the Exchange Server responds correctly.
2. At the command prompt, type Telnet VAN-EX1 SMTP, and then press ENTER. Telnet is a tool to directly communicate with an IP port. You can use the port number or the service name. Here we type in SMTP, which will use port 25. Once the Exchange server responds, explain to students that the connection is working, and that the server does respond to our request. Therefore, there is no problem with a firewall. You also can tell the students that if the response does not include the information shown, there is something wrong. Most likely, it is a firewall issue or the Microsoft Exchange Transport service is not started on the Exchange server.
3. At the command prompt, type helo, and then press ENTER.
4. At the command prompt, type help, and press ENTER. Explain that here the students see the services that the Exchange Server offers. For example, the STARTTLS indicates that TLS is available for secure communication.
5. Type mail from:admin@contoso.com, and press ENTER. After you press ENTER, the connection will be lost and you will receive a client not authenticated message. This means that the Exchange Server expects authentication before being able to send messages. Also, this indicates that anonymous users are not enabled for this receive connector.
6. Type exit, and press ENTER.
7. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
8. In Exchange Management Console, expand Microsoft Exchange On-Premises, and then click Toolbox.
9. In the Toolbox pane, scroll down to Mail flow tools, and then double-click Queue Viewer. Explain that the Queue Viewer tool looks into the message queues of the local server. Therefore, you will see immediately if a message is not correctly delivered. It would be good to have a mail in the queue so you can show the students the error message and also the properties, like retry.
10. Right-click Submission queue, and then click Suspend. This will stop the queue so that it delivers no more messages. Thus, you can manually stop specific queues on an Exchange Server using the Queue Viewer. If you write a new mail, it remains in the queue until the administrator decides to resume the queue.
11. Right-click Submission queue, and then click Resume.
12. Close Queue Viewer.
Additional Reading
Tools for Troubleshooting SMTP Message Delivery
Microsoft Exchange Analyzers Helpfile: Use Telnet to Test SMTP Communication
Lesson 2
Demonstration steps
1. On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.
3. On the Global Settings tab, double-click Transport Settings.
4. In the Transport Settings Properties dialog box, click the Message Delivery tab. Click OK.
5. In Exchange Management Console, expand Server Configuration, and then click Hub Transport.
6. In the Hub Transport pane, right-click VAN-EX1, and then click Properties.
7. In the VAN-EX1 Properties dialog box, click the Log Settings tab.
8. Click the Limits tab. Click OK.
9. Click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.
10. At the command prompt, type Get-TransportServer -I van-ex1 | fl, and then press ENTER.
Click New Remote Domain, and create a remote domain for contoso.com.
Demonstration steps
1. On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.
3. Click the Accepted Domains tab.
4. In the Accepted Domains pane, double-click Adatum.com.
5. Click OK.
6. In the Actions pane, click New Accepted Domain.
7. In the New Accepted Domain window, in the Name box, type adatum.local, and in the Accepted Domain box, type adatum.local.
8. Click Internal Relay Domain, and then click New. Explain what is required to create a new internal relay domain.
9. Click the Finish button.
10. Click the Remote Domains tab. First, explain what the * default settings in remote domains mean.
11. Double-click Default, and review the settings available on the default remote domain. These settings will apply to all messages sent outside the organization. Click OK.
12. In the Actions pane, click New Remote Domain.
13. In the New Remote Domain window, in the Name box, type contoso.com, and in the Domain name box, type contoso.com.
14. Click New, then click Finish.
15. In the Remote Domains pane, double-click contoso.com. Review the configuration options.
16. Click Cancel.
Demonstration steps
1. On VAN-EX1, if required, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Hub Transport.
3. Click the Send Connectors tab.
4. In the Actions pane, click New Send Connector.
5. In the New Send Connector window, in the Name box, type contoso.com.
6. In the Select the intended use for this Send connector list, click Internet, and then click Next.
7. In the Address space pane, click Add.
8. In the SMTP Address Space dialog box, in the Address box, type contoso.com, and then click OK.
9. Click Next.
10. In the Network settings pane, click Use domain name system (DNS) MX records to route mail automatically, and click Next.
11. In the Source Server pane, click Next.
12. In the New Connector pane, click New, and then click Finish.
13. In the Send Connectors pane, double-click contoso.local.
14. Click Cancel.
15. Expand Server Configuration, and then click Hub Transport.
16. In the VAN-EX1 pane, click New Receive Connector.
17. In the New Receive Connector window, in the Name box, type Anonymous Receive.
18. In the Select the intended use for this Receive connector list, click Internet, and then click Next.
19. In the Local Network settings pane, click Edit.
20. In the Edit Receive Connector Binding window, in the Port box, type 2525, click OK, and then click Next.
21. In the Completion pane, click Finish.
Additional Reading
What Is a Remote Domain?
Additional Character Sets
Use Message Tracking or view the header of the message in Outlook Web App.
Verify that this domain is part of the Accepted Domains in Organization Configuration under Hub Transport.
Module 6
Implementing Messaging Security
Contents:
Lesson 1: Deploying Edge Transport Servers
Lesson 2: Deploying an Antivirus Solution
Lesson 3: Deploying an Anti-Spam Solution
Lesson 4: Configuring Secure SMTP Messaging
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1
Demonstration steps
1. On VAN-EDG, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In Exchange Management Console, in the left pane, click Edge Transport. Note that the console is focused just on an Edge Transport server, and that there is no organization node. You must manage each Edge Transport server individually.
3. Review the configuration options on the Anti-spam tab. These settings will be covered in detail later in the module.
4. Click the Receive Connectors tab, and then double-click Default internal receive connector VAN-EDG.
5. Review the receive connector properties. This connector will accept SMTP connections from all IP addresses and will accept anonymous connections. If you are using this server as a SMTP gateway server, you do not need to configure any other receive connectors to enable the server to accept messages. Click Cancel.
6. Click the Send Connectors tab. Note that no Send Connectors are configured on the server. In order to send e-mail, either to the internal network or to the Internet, you will need to configure a Send Connector.
7. Click the Transport Rules tab. Note that no transport rules are configured by default. You can use transport rules to apply actions to messages as they pass through the Edge Transport server.
8. Click the Accepted Domains tab. Note that no accepted domains are configured. This means that you would need to configure an accepted domain before the Edge Transport server will accept any messages.
10. On VAN-EX1, in the Exchange Management Console, in the Organization Configuration work area, click Hub Transport. On the Send Connectors tab, confirm that the EdgeSync - Default-First-Site-Name to Internet connector is displayed.
11. Double-click the connector. On the Source Server tab, confirm that VAN-EDG is listed as the source server.
12. Click OK.
Lesson 2
10. On the Antispam Configuration page, click Enable antispam later, and then click Next.
11. On the Microsoft Update page, click I don't want to use Microsoft Update, and then click Next.
12. On the Customer Experience Improvement Program page, click Next.
13. On the Confirm Settings page, click Next. Wait for the installation to finish. It will take about five minutes.
14. On the Installation Results page, click Finish. Close Windows Explorer.

4. In the Policy Management pane, expand Antimalware, and then click Edge Transport.
5. In the Antimalware Edge Transport pane, in the Engines and Performance section, select the Scan with a dynamically chosen subset of engines check box.
6. In the Additional Options section, verify that the Optimize for performance by not rescanning messages already virus scanned check box is selected.
7. Click Save.
8. In the Policy Management pane, expand Antispam, and then click Configure.
9. In the Antispam Configure pane, click the Enable Antispam Filtering button.
10. In the Service Restart Required window, click Yes.
11. Select the Enable content filtering check box. Under SCL Thresholds and Actions, in the Suspected spam drop-down list, select SCL 5 to 7. Explain the impact of this setting to the students and explain the other options to reject or delete messages above this SCL level.
12. Click Save.
13. In the Policy Management pane, expand Global Settings, and then click Scan Options. Explain the options that you can configure here.
14. Under Global Settings, click Engine Options. Explain the options that you can configure here.
15. Under Global Settings, click Advanced Options. Explain the options that you can configure here. Focus mainly on Threshold Levels and Intelligent Engine Management.
Additional Reading
What Is Forefront Protection 2010 for Exchange Server?
Protecting Your Microsoft Exchange Organization with Microsoft Forefront Protection 2010 for Exchange Server
Lesson 3
Add the zen.spamhaus.org domain to the IP Block List Providers list.
Configure the following filtering features:
  - Sender filtering
  - Recipient filtering
  - Sender ID
  - Sender Reputation
  - Content filtering
Configure the Edge Transport server to quarantine messages with a SCL rating greater than 7.

10. Type Spamhaus in the Provider name box, type zen.spamhaus.org in the Lookup Domain box, and then click OK twice. After adding this entry, the Edge Transport server will query the IP block list provider whenever a SMTP server attempts to make a connection. If the SMTP server IP address is on the block list, the connection will be dropped.
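What the IP Block List provider lookup described above looks like on the wire, as an added PowerShell example that is not part of the courseware: the connecting address is reversed, prefixed to the lookup domain, and resolved as an A record. Function names are hypothetical, the sample answers are constructed, and treating 127.255.255.x as a provider error rather than a listing is an assumption based on Spamhaus's published return codes.

```powershell
# Added example (not courseware code). Function names are hypothetical.

function Get-DnsblQueryName {
    # 192.0.2.99 checked against zen.spamhaus.org becomes 99.2.0.192.zen.spamhaus.org
    param([string]$IPv4, [string]$LookupDomain)
    if ($IPv4 -notmatch '^(\d{1,3}\.){3}\d{1,3}$') {
        throw "Only dotted-quad IPv4 addresses are handled in this example: $IPv4"
    }
    $octets = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [array]::Reverse($octets)
    ($octets -join '.') + '.' + $LookupDomain.Trim('.')
}

function Resolve-DnsblAnswer {
    # Classifies the A records returned for a query name. No answer means not listed.
    param([string[]]$Answers)
    if (-not $Answers -or $Answers.Count -eq 0) { return 'NotListed' }
    foreach ($a in $Answers) {
        # Assumption: the provider uses 127.255.255.x for error replies (for example,
        # a refused query), so these must not be counted as a listing.
        if ($a -like '127.255.255.*') { return 'ProviderError' }
    }
    foreach ($a in $Answers) {
        if ($a -like '127.*') { return 'Listed' }
    }
    'Unexpected'
}

function Test-DnsblListing {
    # Live lookup. Returns LookupFailed when DNS is unavailable.
    param([string]$IPv4, [string]$LookupDomain = 'zen.spamhaus.org')
    $name = Get-DnsblQueryName $IPv4 $LookupDomain
    $answers = @()
    $verdict = $null
    try {
        $answers = @([System.Net.Dns]::GetHostAddresses($name) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $sock = $_.Exception.GetBaseException() -as [System.Net.Sockets.SocketException]
        $notFound = $sock -and (@('HostNotFound', 'NoData') -contains "$($sock.SocketErrorCode)")
        if (-not $notFound) { $verdict = 'LookupFailed' }
    }
    if (-not $verdict) { $verdict = Resolve-DnsblAnswer $answers }
    New-Object PSObject -Property @{ Query = $name; Answers = ($answers -join ','); Verdict = $verdict } |
        Select-Object Query, Answers, Verdict
}

# Offline part: query-name construction and classification of constructed answers.
Get-DnsblQueryName '192.0.2.99' 'zen.spamhaus.org'
Resolve-DnsblAnswer @('127.0.0.4')          # constructed answer: a listing
Resolve-DnsblAnswer @('127.255.255.254')    # constructed answer: provider error reply
Resolve-DnsblAnswer @()                     # no answer: not listed

# Live part: 127.0.0.2 is the test entry that RFC 5782 requires every IPv4 list to carry.
Test-DnsblListing '127.0.0.2' | Format-List
```

Run the live lookup from the Edge Transport server itself, because the answer depends on the DNS resolver the query passes through.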
10. On the Action tab, move the slider two stops to the left, and then click OK.
On the Exceptions tab, in the Don't filter messages sent to the following recipients box, type jeff@adatum.com, and then click Add. On the Action tab, select the Quarantine messages that have an SCL rating greater than or equal to check box, and set the value to 7. Set the Reject messages that have an SCL rating greater than or equal to value to 9. Click OK.
Lesson 4
10. At the command prompt, type Telnet van-ex1 smtp, and then press ENTER.
11. Enter the following sequence:
    a. Helo
    b. Mail from: test@Contoso.com
    c. Rcpt to: kim@woodgrovebank.com
    d. Quit
12. Note that you can relay through the server when using the externally trusted connector. You need to ensure that this option is only enabled for connections from highly trusted sources.
Demonstration Steps - Configure an SMTP Connector that Requires TLS and Authentication
1. Switch to VAN-EX1.
2. In Exchange Management Console, in the Receive Connectors pane, double-click Externally Secured Connector, and then click the Authentication tab.
3. Clear the Externally Secured (for example, with IPSec) check box, and select the following:
   - Basic Authentication
   - Offer Basic authentication only after starting TLS
4. Click the Permission Groups tab, select the Exchange users check box, and then click OK.
5. On VAN-DC1, click Start, point to All Programs, point to Accessories, and then click Command Prompt.
6. At the command prompt, type Telnet van-ex1 smtp.
7. Enter the following sequence:
   a. Helo
   b. Mail from: test@contoso.com
      response: 530 5.7.1 client was not authenticated
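The Telnet checks on this page (the connectivity test in the Module 5 demonstration and the two receive connector tests above) all come down to reading SMTP reply codes. The following PowerShell script is an added example, not part of the courseware: it parses a recorded session and reports what each reply indicates. The transcripts are constructed, the function names are hypothetical, and adatum.com is assumed to be the only accepted domain.

```powershell
# Added example (not courseware code). Function names are hypothetical and the
# transcripts are constructed; "C:" marks typed commands, "S:" marks server replies.

function ConvertFrom-SmtpTranscript {
    # Pair each client command with the server reply lines that follow it.
    param([string[]]$Lines)
    $exchanges = @()
    $current = New-Object PSObject -Property @{ Command = '(connect)'; Reply = @() }
    foreach ($line in $Lines) {
        if ($line -match '^C:\s*(.*)$') {
            $exchanges += $current
            $current = New-Object PSObject -Property @{ Command = $Matches[1]; Reply = @() }
        } elseif ($line -match '^S:\s*(.*)$') {
            $current.Reply += $Matches[1]
        }
    }
    $exchanges + $current
}

function Test-SmtpSession {
    param([string[]]$Lines, [string[]]$AcceptedDomains)
    foreach ($x in @(ConvertFrom-SmtpTranscript $Lines)) {
        # A multi-line reply uses "code-text" until the final "code text" line,
        # so the status is read from the last line. 0 means no reply was recorded.
        $code = 0
        if ($x.Reply.Count -gt 0 -and $x.Reply[-1] -match '^(\d{3})([ -]|$)') { $code = [int]$Matches[1] }
        $text = $x.Reply -join ' '
        $finding = $null
        switch -Regex ($x.Command) {
            '^\(connect\)$' {
                $finding = if ($code -eq 220) {
                    'Banner received: port reachable and the transport service answered'
                } else {
                    'No 220 banner: check the firewall and the Microsoft Exchange Transport service'
                }
            }
            '^help' {
                $finding = if ($text -match '\bSTARTTLS\b') { 'STARTTLS offered' } else { 'STARTTLS not offered' }
            }
            '^mail from' {
                if ($code -eq 530) { $finding = 'Authentication required: anonymous senders are not allowed' }
                elseif ($code -eq 250) { $finding = 'Sender accepted without authentication' }
            }
            '^rcpt to' {
                $domain = if ($x.Command -match '@([^\s>]+)') { $Matches[1] } else { '' }
                if ($code -eq 250 -and $AcceptedDomains -notcontains $domain) {
                    $finding = "RELAY: recipient in external domain $domain was accepted"
                } elseif ($code -ge 500) {
                    $finding = "Recipient refused: $($x.Reply[-1])"
                }
            }
        }
        if ($finding) {
            New-Object PSObject -Property @{ Command = $x.Command; Code = $code; Finding = $finding } |
                Select-Object Command, Code, Finding
        }
    }
}

# Constructed session against the Externally Secured connector (relay test).
$externallySecured = @(
    'S: 220 VAN-EX1.adatum.com Microsoft ESMTP MAIL Service ready',
    'C: Helo', 'S: 250 VAN-EX1.adatum.com Hello',
    'C: Mail from: test@Contoso.com', 'S: 250 2.1.0 Sender OK',
    'C: Rcpt to: kim@woodgrovebank.com', 'S: 250 2.1.5 Recipient OK',
    'C: Quit', 'S: 221 2.0.0 Service closing transmission channel'
)
# Constructed session after the connector is changed to require TLS and authentication.
$authRequired = @(
    'S: 220 VAN-EX1.adatum.com Microsoft ESMTP MAIL Service ready',
    'C: Helo', 'S: 250 VAN-EX1.adatum.com Hello',
    'C: help', 'S: 214-This server supports the following commands:',
    'S: 214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT',
    'C: Mail from: test@contoso.com', 'S: 530 5.7.1 Client was not authenticated'
)

$accepted = @('adatum.com')   # assumption: the only accepted domain in this lab
'--- Externally Secured connector ---'
Test-SmtpSession $externallySecured $accepted | Format-Table -AutoSize -Wrap
'--- Connector requiring TLS and authentication ---'
Test-SmtpSession $authRequired $accepted | Format-Table -AutoSize -Wrap
```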
8. In Exchange Management Console, click Edge Transport. In the Edge Transport pane, click VAN-EDG, and then click the Receive Connectors tab in the VAN-EDG pane.
9. On the Receive Connectors tab, double-click Default internal receive connector VAN-EDG.
10. On the Authentication tab, ensure that both the Transport Layer Security (TLS) and Enable Domain Security (Mutual Auth TLS) check boxes are selected, and then click OK. You can mention here that in a real-world implementation of Domain Security, you might want to add one dedicated Receive Connector for Domain Security connections only as a best practice recommendation.
Ensure both domains trust each other's CA. Also, Domain Security must be configured on both the local side and the partner side.
Use Test-EdgeSynchronization to verify that the connection is established. If that does not work, try to reestablish the Edge Synchronization.
When you use your own account instead of an administrator account to log on to a Windows Server 2008 system, ensure that you always start the Exchange Management Shell in Administrator mode. You sometimes need full access to run a cmdlet.
Module 7
Implementing High Availability
Contents:
Lesson 1: Overview of High Availability Options
Lesson 2: Configuring Highly Available Mailbox Databases
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1
Additional Reading
What Is High Availability?
Microsoft High Availability White Paper
Lesson 2
Demonstration steps
1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. At the Exchange Management Shell prompt, type New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer VAN-DC1 -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIpAddresses 10.10.0.25, and then press ENTER. We recommend using the local Hub Transport server to act as the file share witness. A two-node DAG configuration requires a file share witness, since it requires a majority of votes at all times to maintain quorum. In a two-node cluster without a file share witness, when one of the nodes is rebooted, a majority of votes cannot be obtained and the cluster fails. You can specify the Hub Transport server and the local directory to be configured as the file share witness when you create a DAG. As a best practice, you should add the file share witness to other clusters too. Clusters with even numbers of nodes use the file share witness as a tie-breaker vote in establishing quorum.
3. At the Exchange Management Shell prompt, type Add-DatabaseAvailabilityGroupServer DAG1 -MailboxServer VAN-EX1, and then press ENTER.
4. Click Start, click Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
5. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.
6. In the Results pane, click the Database Availability Groups tab.
7. In the Work pane on the Database Availability Groups tab, right-click DAG1, and then click Manage Database Availability Group Membership from the context menu.
8. In the Manage Database Availability Group Membership wizard, click Add.
9. In the Select Mailbox Server dialog box, click VAN-EX2, and then click OK.
10. In the Manage Database Availability Group Membership wizard, click Manage to complete the changes, and then click Finish to close the wizard.
11. In the Results pane, click the Database Management tab.
12. In the Results pane, click Mailbox Database 1, and then in the Actions pane, click Add Mailbox Database Copy.
13. In the Add Mailbox Database Copy wizard, click Browse to select the server to which to add the copy.
14. In the Select Mailbox Server dialog box, click VAN-EX2, and then click OK.
15. In the Add Mailbox Database Copy wizard, click Add to create the copy of Mailbox Database 1.
16. Review the results, and then click Finish.
Note: Once you create a DAG, you then can create and configure DAG networks for replication or for MAPI traffic. Add additional networks for redundancy or improved throughput.
Demonstration steps
1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then expand Mailbox.
3. In the Results pane, click the Database Management tab.
4. In the Results pane, click Mailbox Database 1, and then in the Actions pane, in the bottom Mailbox Database 1 area, click Properties.
5. Review the information on the General tab:
   - The database status might be Healthy, Initializing, Failed, Mounted, Dismounted, Disconnected, Suspended and Failed, Suspended, Resynchronizing, Seeding.
   - Describe Copy queue length (logs) and Replay queue length (logs).
6. Click OK to close.
Ensure that the DNS MX records have the same value. If the values are not the same, only the records with the lowest value will be used.
Verify that your outbound mail servers are configured with a host name that is resolvable on the Internet. Many servers reject e-mail from servers that do not have a name or an IP address that can be resolved on the Internet.
Identify all possible failure points before designing a solution. Even the most elaborate and expensive designs can have a simple and crippling failure point.
Document all of the components of the solution so that everyone involved in the deployment understands how the solution is configured.
Follow change-management procedures. In some environments, it may be tempting to skip these steps. However, not following proper change-management procedures often leads to extended, unplanned downtime.
Module 8
Implementing Backup and Recovery
Contents:
Lesson 1: Planning Backup and Recovery
Lesson 2: Backing Up Exchange Server 2010
Lesson 3: Restoring Exchange Server 2010
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1
Demonstration steps
1. On VAN-EX1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. At the Exchange Management Shell prompt, type Set-Mailbox ScottMacDonald -SingleItemRecoveryEnabled:$true, and then press ENTER.
3. At the Exchange Management Shell prompt, type New-ManagementRoleAssignment -Role "Mailbox Import Export" -User adatum\administrator, and then press ENTER.
4. Close Exchange Management Shell. Open the Exchange Management Console.
5. Expand Microsoft Exchange On-Premises, expand Recipient Configuration, and click Mailbox.
6. Right-click Discovery Search Mailbox, and click Manage Full Access Permission. Add the Administrator account, and click Manage. Click Finish.
7. Click Start, point to All Programs, and then click Internet Explorer.
8. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER.
9. Log on as Adatum\Scott with a password of Pa$$w0rd.
10. Click OK to accept the default Outlook Web App settings.
11. On left pane, right-click Scott MacDonald, click Create New Folder, and then type Personal Items as the folder name.
12. Create and send a message to Scott. When the message arrives, move it to the Personal Items folder.
13. Right-click the Personal Items folder, and then click Delete.
14. In the Delete dialog box, click Yes. When you delete a folder, the folder's items will now be available in Recover Deleted Items.
15. Right-click Deleted Items, click Empty Deleted Items, and then click Yes.
16. Right-click Deleted Items, and then click Recover Deleted Items.
17. In the Recover Deleted Items window, click the Purge Selected Items icon.
18. In the Message from webpage dialog box, click OK, and then close the Recover Deleted Items window.
19. Close Internet Explorer, and then open it again and connect to https://VAN-EX1.adatum.com/owa.
20. Log on as Adatum\Administrator with a password of Pa$$w0rd. Click OK.
21. In Outlook Web App, click Options.
22. In the Select what to manage drop-down list, select My Organization.
23. On the left pane, click Users & Groups, and then click the Administrator Roles tab.
24. On the Role Groups pane, double-click Discovery Management.
25. In the Role Group window, under Members, click Add.
26. In the Select Members window, under Members, click Add.
27. In Select Members window, select Administrator, click Add, click OK, and then click Save.
28. Close Internet Explorer, and then open it again and connect to https://VAN-EX1.adatum.com/owa.
29. Log on as Adatum\Administrator with a password of Pa$$w0rd.
30. In Outlook Web App, click Options.
31. Under Select what to manage, select My Organization.
32. On the left pane, click Reporting, and then click Mailbox Searches.
33. On the Multi-Mailbox Search pane, click New.
34. In New Mailbox Search window, expand Mailboxes to Search, click Add. Add Scott MacDonald's mailbox, and then click OK.
35. Expand Search Name and Storage Location, and then click Browse.
36. In the Select Discovery Mailbox window, select Discovery Search Mailbox, and then click OK.
37. On the Search Name and Storage Location pane, type Purged Mailbox Items in the Search name box, select the Send me an e-mail when the search is done check box, and then click Save. Point out that mailbox search is now processed.
38. On the upper right corner, click My Mail.
39. In the upper right corner, click Administrator, and then, in the Open Other Mailbox dialog box, in the Select mailbox field, type Discovery Search Mailbox, and then click Open twice. Click OK.
40. In the Discovery Search Mailbox window, in the Mail pane, expand Purged Mailbox Items, expand Scott MacDonald, expand Primary Mailbox, expand Recoverable Items, and then click Purges. Point out that these are the items that were deleted previously. Mention that the folder name was not preserved.
41. Write down the full MAPI path so that it is available for the next step. The full path will be something like:
42. \Purged Mailbox Items\Scott MacDonald-6/26/2009 7:10:19 AM\Primary Mailbox\Recoverable Items\Purges.
43. Close Internet Explorer.
44. Open the Exchange Management Shell. At the Exchange Management Shell prompt, type Export-Mailbox -Identity "Discovery Search Mailbox" -TargetMailbox ScottMacDonald -IncludeFolders "fullMAPIpath" -TargetFolder "Personal Items (restored)", and then press ENTER.
45. Click Start, point to All Programs, and then click Internet Explorer.
46. In the Address bar, type https://VAN-EX1.adatum.com/owa, and then press ENTER.
47. Log on as Adatum\Scott with a password of Pa$$w0rd.
48. On the left pane, expand Personal Items (restored), and then expand the folders beneath until you see the Purges folder. Click the Purges folder.
49. Verify that all messages are restored to the Purges folder.
Demonstration steps
1. On VAN-EX1, if required, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. At the Exchange Management Shell prompt, type New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer VAN-DC1 -WitnessDirectory C:\FSWDAG1 -DatabaseAvailabilityGroupIpAddresses 10.10.0.100, and then press ENTER.
3. If required, open the Exchange Management Console.
4. In the Console Tree, expand Microsoft Exchange On-Premises, expand Organization Configuration, and then click Mailbox.
5. In the Results pane, on the Database Availability Groups tab, click DAG1.
6. In the Actions pane, click Manage Database Availability Group Membership.
7. In the Manage Database Availability Group Membership wizard, click Add.
8. In the Select Mailbox Server dialog box, hold down CTRL, click VAN-EX1 and VAN-EX2, and then click OK. Click Manage, and then click Finish.
9. In the Results pane, with the Database Management tab showing, right-click Accounting, and then select Add Mailbox Database Copy.
10. In the Add Mailbox Database Copy window, click Browse.
11. In Select Mailbox Server dialog box, click VAN-EX2, and then click OK. Click Add, and then click Finish.
12. In the Exchange Management Shell, type Set-MailboxDatabaseCopy -Identity Accounting\VAN-EX2 -ReplayLagTime 7.0:0:0, and then press ENTER. This command delays the commitment of the transaction logs to the Accounting database on VAN-EX2 for 7 days.
13. At the Exchange Management Shell prompt, type Set-MailboxServer VAN-EX2 -DatabaseCopyAutoActivationPolicy Blocked, and then press ENTER. This cmdlet blocks the automatic activation of the database copy on VAN-EX2.
Lesson 2
Demonstration steps
1. On VAN-EX1, click Start, click All Programs, click Administrative Tools, and then click Server Manager.
2. In Server Manager, click Features, and then on the Features Summary pane, click Add Features.
3. In the Add Features Wizard, expand Windows Server Backup Features, click Windows Server Backup, and then click Next.
4. On the Confirm Installation Selections page, click Install, and then after the installation finishes, click Close.
5. Click Start, click All Programs, click Administrative Tools, and then click Windows Server Backup.
6. In Windows Server Backup, on the Actions pane, click Backup Once.
7. In the Backup Once Wizard, on the Backup Options page, click Different options, and then click Next.
8. On the Select Backup Configuration page, select Custom, and then click Next.
9. On the Select Items for Backup page, click Add items, select Local disk (C:) in the Select Items window, and then click OK.
10. On the Select Items for Backup page, click Advanced Settings, click the VSS Settings tab, select VSS full Backup, click OK, and then click Next.
11. On the Specify Destination Type page, select Local drives, and then click Next.
12. On the Select Backup Destination page, in Backup destination, select Allfiles (D:), and then click Next.
13. On the Confirmation page, click Backup. The backup will take about 20 minutes. When the backup finishes, click Close, and then close Windows Server Backup.
14. Click Start, click Administrative Tools, and then click Event Viewer.
15. In Event Viewer, expand Windows Logs, and then click Application.
16. In Event Viewer, on the Application log, locate the event items labeled Source MSExchangeIS and EventID 9811.
17. Wait until the backup is finished, then in Event Viewer, on the Application pane, locate the event items labeled Source MSExchangeIS and EventID 9780.
Additional Reading
How Does a VSS Backup Work?
Further information about VSS
Lesson 3
Demonstration steps
1. On VAN-EX1, click Start, click Programs, click Administrative Tools, and then click Windows Server Backup.
2. In Windows Server Backup, on the Actions pane, click Recover.
3. In the Recovery Wizard, on the Getting Started page, select This Server (VAN-EX1), and then click Next.
4. On the Select Backup Date page, click Next.
5. On the Select Recovery Type page, select Applications, and then click Next.
6. On the Select Application page, select Exchange, and then click Next.
7. On the Specify Recovery Options page, click Recover to another location, click Browse, expand Computer, click Local Disk (C:), click Make New Folder, enter DBBackup, click OK, and then click Next.
8. On the Confirmation page, click Recover.
9. On the Recovery Progress page, click Close. Close Windows Server Backup.
10. On VAN-EX1, click Start, click Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
11. At the Exchange Management Shell prompt, type New-MailboxDatabase -Name RecoverDB -Server VAN-EX1 -EDBFilePath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting\Accounting.edb" -LogFolderPath "c:\DBBackup\C_\Program Files\Microsoft\Exchange Server\V14\Mailbox\Accounting" -Recovery, and then press ENTER.
12. At the Exchange Management Shell prompt, type the command and press ENTER: cd "c:\Program Files\Microsoft\Exchange Server\v14\bin"
13. At the Exchange Management Shell prompt, type the command and press ENTER: eseutil /p "c:\dbbackup\c_\Program Files\Microsoft\Exchange Server\v14\Mailbox\Accounting\Accounting.edb"
14. In the Warning dialog box, click OK.
15. At the Exchange Management Shell prompt, type Mount-Database RecoverDB, and then press ENTER.
16. At the Exchange Management Shell prompt, type Get-MailboxStatistics -Database RecoverDB, and then press ENTER. This cmdlet displays all mailboxes within the recovery database.
17. At the Exchange Management Shell prompt, type Restore-Mailbox -Identity MichiyoSato -RecoveryDatabase RecoverDB, and then press ENTER.
18. At the Confirm prompt, type Y, and then press ENTER.
You should try to restore a database regularly, as a practice session, and verify that your backups work as you expect.
Module 9
Configuring Messaging Policy and Compliance
Contents:
Lesson 1: Introducing Messaging Policy and Compliance
Lesson 2: Configuring Transport Rules
Lesson 3: Configuring Journaling and Multi-Mailbox Search
Lesson 4: Configuring Messaging Records Management
Lesson 5: Configuring Personal Archives
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1
Question: What additional compliance requirements does your organization have?
Answer: Organizations might have additional requirements for managing e-mail. For example, the organization might want to add legal disclaimers to outgoing communications or require that certain messages require an intellectual property disclosure disclaimer. The organization also might have message-retention requirements that mandate that certain messages be retained and others deleted after a specified time.

Question: How are you currently meeting these compliance requirements?
Answer: Answers will vary. Quite a few organizations have implemented some type of archiving solution. If organizations have deployed Microsoft Exchange Server 2007, they might have taken advantage of some of its messaging compliance features. Many organizations have written policies regarding messaging compliance, but have not been able to enforce the rules except through conducting audits.
Lesson 2
<html>
<body>
<br> </br>
<br> </br>
<b><font color=red>This e-mail and attachments are intended for the individual or group addressed.</font></b>
</body>
</html>

Open the Exchange Management Shell. Type the following cmdlet:
New-TransportRule -Name "Social Insurance Number Block Rule" -SubjectOrBodyMatchesPatterns "\d\d\d-\d\d\d-\d\d\d" -RejectMessageEnhancedStatusCode "5.7.1" -RejectMessageReasonText "This message has been rejected because of content restrictions"
To test the transport rules:
  - Send a message from one internal user to another. Verify that the HTML disclaimer is attached.
  - Send a message from one internal user to another with the string 111-111-111 in the message body. Verify that the sender receives a non-delivery report (NDR).
Note: In a regular expression, the \d pattern string matches any single numeric digit. You can use a variety of pattern strings to search the message contents for a consistent pattern. For example, you can use \s to represent a space, or \w to represent any letter or decimal digit. For detailed information about configuring regular expressions in a transport rule, see the topic Regular Expressions in Transport Rules in Exchange Online Help.
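Before a content-matching rule like this one goes live, it helps to see which message bodies it would reject. The following PowerShell script is an added example, not part of the courseware: it runs the rule's pattern through the .NET regex engine over constructed message bodies and flags matches that are only part of a longer number. The function name and the bounded comparison pattern are hypothetical; the bounded pattern uses .NET lookarounds to show the target behaviour and is not claimed to be valid transport rule syntax.

```powershell
# Added example (not courseware code). Function name and message bodies are
# constructed for illustration.

function Test-ContentPattern {
    param([string]$Pattern, [string[]]$Bodies)
    foreach ($body in $Bodies) {
        $m = [regex]::Match($body, $Pattern)
        $embedded = $false
        if ($m.Success) {
            # A digit directly before or after the match means the pattern fired on
            # part of a longer number (for example a phone number), not a 3-3-3 value.
            $end = $m.Index + $m.Length
            $before = if ($m.Index -gt 0) { $body[$m.Index - 1] } else { [char]' ' }
            $after = if ($end -lt $body.Length) { $body[$end] } else { [char]' ' }
            $embedded = [char]::IsDigit($before) -or [char]::IsDigit($after)
        }
        New-Object PSObject -Property @{
            Body = $body; Triggers = $m.Success; Matched = $m.Value; InsideLongerNumber = $embedded
        } | Select-Object Triggers, InsideLongerNumber, Matched, Body
    }
}

$bodies = @(
    'Testing the Social insurance number block rule. 111-111-111',  # test message from the demonstration
    'Call me at 604-555-0123 tomorrow',                             # constructed: phone number
    'Order reference 2010-123-456-789-01',                          # constructed: longer hyphenated id
    'SIN 111 111 111',                                              # constructed: spaces instead of hyphens
    'SIN 111111111'                                                 # constructed: no separators
)

# Pattern exactly as used in the transport rule on this page.
$rulePattern = '\d\d\d-\d\d\d-\d\d\d'

# Hypothetical comparison pattern in .NET syntax: optional separators, and no digit
# allowed directly before or after the nine digits.
$boundedPattern = '(?<!\d)\d{3}[- ]?\d{3}[- ]?\d{3}(?!\d)'

'--- Pattern from the transport rule ---'
Test-ContentPattern $rulePattern $bodies | Format-Table -AutoSize -Wrap
'--- Bounded comparison pattern (.NET syntax) ---'
Test-ContentPattern $boundedPattern $bodies | Format-Table -AutoSize -Wrap
```

Rows where the two tables disagree are the messages the rule would reject by mistake or let through; check the Regular Expressions in Transport Rules topic for the pattern syntax a rule accepts before tightening it.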
Demonstration steps
1. 2. 3. On VAN-EX1, open the Exchange Management Console. Under Organization Configuration, click Hub Transport. In the Actions pane, click New Transport Rule.
9-7
4. 5. 6. 7. 8. 9.
On the Introduction page, in the Name field, type Company Disclaimer HTML. Verify that Enable Rule is selected, and then click Next. On the Conditions page, under Step 1, select send to users that are inside or outside the organization, or partners, and then click Next. On the Actions page, under Step 1, select append disclaimer text and fallback to action if unable to apply. Under Step 2, click the disclaimer text link. In the Specify disclaimer text box, type the following text, ensuring that you press ENTER at the end of each line:
<html> <body> <br> </br> <br> </br> <b><font color=red>This e-mail and attachments are intended for the individual or group addressed.</font></b> </body> </html>
10. Click OK, and then click Next.
11. Click Next, and then click New to create the new HTML disclaimer.
12. On the Completion page, click Finish.
13. On VAN-EX1, open the Exchange Management Shell.
14. At the PS prompt, type the following cmdlet, and then press ENTER:
New-TransportRule -Name "Social Insurance Number Block Rule" -SubjectOrBodyMatchesPatterns "\d\d\d-\d\d\d-\d\d\d" -RejectMessageEnhancedStatusCode "5.7.1" -RejectMessageReasonText "This message has been rejected because of content restrictions"
15. To test the transport rules, switch to VAN-CL1, and then open Office Outlook 2007.
16. Click New, and then create a message with the following properties:
To: Administrator
Subject: Disclaimer Test
Content: Testing the HTML disclaimer
17. Send the message.
18. On VAN-EX1, open Windows Internet Explorer, and connect to https://VAN-EX1.adatum.com/owa.
19. Log on to Microsoft Outlook Web App as Adatum\Administrator with a password of Pa$$w0rd. Click OK.
20. Verify that the message from Luca Dellamore includes the HTML disclaimer.
21. On VAN-CL1, create a new message with the following properties:
To: Administrator
Subject: Transport Rule Test
Content: Testing the Social insurance number block rule. 111-111-111
22. Send the message.
23. Verify that the user receives an NDR with the rejected message text that you configured.
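The pattern used by the block rule, and the pattern strings described in the Note before the demonstration, can be previewed against sample text before the rule is enabled. The following PowerShell is an added example, not part of the course material: it runs the course pattern and two assumed alternatives against constructed message bodies with the .NET regex engine, which only approximates how the transport rule evaluates patterns. The names New-Sample, Test-RulePattern, $samples and $candidates are hypothetical.

```powershell
# Added example (not from the course). It previews patterns with the .NET regex
# engine only; it calls no Exchange cmdlets and changes no transport rule.

function New-Sample([bool]$ShouldBlock, [string]$Body) {
    New-Object PSObject -Property @{ ShouldBlock = $ShouldBlock; Body = $Body }
}

# Constructed message bodies. ShouldBlock records whether the body really holds
# a nine-digit number in the three-groups-of-three layout the rule targets.
$samples = @(
    (New-Sample $true  'Testing the Social insurance number block rule. 111-111-111'),
    (New-Sample $true  '111-111-111'),
    (New-Sample $true  'My number is 111 111 111, please update the file'),
    (New-Sample $false 'Call the help desk at 604-555-0100 after lunch'),
    (New-Sample $false 'Invoice 4155-550-1234 is overdue'),
    (New-Sample $false 'Nothing sensitive in this message')
)

# Pattern from the demonstration, then two assumed alternatives (hypothetical,
# not from the course) that use only \d, \D, \s, |, ^, $ and parentheses.
$candidates = @(
    @{ Name = 'Course';    Pattern = '\d\d\d-\d\d\d-\d\d\d' },
    @{ Name = 'Bounded';   Pattern = '(^|\D)\d\d\d-\d\d\d-\d\d\d(\D|$)' },
    @{ Name = 'BoundedWs'; Pattern = '(^|\D)\d\d\d(-|\s)\d\d\d(-|\s)\d\d\d(\D|$)' }
)

function Test-RulePattern {
    param([string]$Name, [string]$Pattern, [object[]]$Samples)

    foreach ($sample in $Samples) {
        # True when the rule condition would fire on this body.
        $blocked = [regex]::IsMatch($sample.Body, $Pattern)

        if ($blocked -and -not $sample.ShouldBlock)     { $verdict = 'FalsePositive' }
        elseif (-not $blocked -and $sample.ShouldBlock) { $verdict = 'Missed' }
        else                                            { $verdict = 'OK' }

        New-Object PSObject -Property @{
            Rule = $Name; Verdict = $verdict; Blocked = $blocked; Body = $sample.Body
        }
    }
}

$results = foreach ($candidate in $candidates) {
    Test-RulePattern -Name $candidate.Name -Pattern $candidate.Pattern -Samples $samples
}

# Full matrix, then only the disagreements between each pattern and the labels.
$results | Format-Table Rule, Verdict, Blocked, Body -AutoSize
$results | Where-Object { $_.Verdict -ne 'OK' } |
    Group-Object Rule, Verdict | Select-Object Count, Name
```

With these samples the course pattern also fires on the longer phone and invoice numbers, because nine of their digits fit the layout, and it does not fire on the space-separated value. Check any replacement pattern against the Regular Expressions in Transport Rules topic cited in the Note before changing the rule.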
10. Use the test-irmconfiguration cmdlet to test the IRM configuration.
11. In the Exchange Management Console, create a new transport rule named AD RMS Test Rule, which applies the Do Not Forward AD RMS template for all messages sent between two specified users.
12. Send a message from one of the specified users to the other. Verify that the Do Not Forward template is applied to the message.
Demonstration steps
1. On VAN-CL1, open Outlook 2007.
2. Create a new message with the following properties:
To: Administrator
Subject: Testing AD RMS integration
Content: This is a protected e-mail.
3. In the Message ribbon, click the Permission icon. In the Windows Security dialog box, log on as Luca using the password Pa$$w0rd. Wait while Luca's credentials are prepared.
4. When the message appears, verify that the message now contains the Do Not Forward header.
5. Click Send, close Outlook, and then log off.
6. Log on to VAN-CL1 as Adatum\Administrator using the password Pa$$w0rd.
7. Open Outlook 2007, and then open the message from Luca Dellamore. In the Windows Security dialog box, log on as Administrator using a password of Pa$$w0rd. Click OK.
8. When the message opens, verify that you do not have permission to forward the message. Close the message.
9. On VAN-DC1, open Windows Explorer, browse to C:\inetpub\wwwroot\_wmcs\certification, right-click servercertification.asmx, and then click Properties. In the Server Certification.asmx Properties dialog box, click the Security tab, and then click Edit.
10. In the Permissions for Server Certification.asmx dialog box, click Add.
11. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.
12. In the Enter the object names to select field, type Exchange Servers, and then click OK.
13. Click Add. In the Enter the object names to select field, type IIS_IUSRS, and then click OK twice.
14. On VAN-DC1, open a command prompt, type IISReset, and then press ENTER. Wait for the service to restart, and then close the command prompt.
15. On VAN-EX1, in the Exchange Management Shell, type get-irmconfiguration, and then press ENTER. This cmdlet displays the default AD RMS integration configuration for the Exchange Server organization.
16. At the PS prompt, type set-irmconfiguration -InternalLicensingEnabled:$true, and then press ENTER. This cmdlet enables AD RMS encryption on the Hub Transport server.
17. At the PS prompt, type test-irmconfiguration -sender LucaDellamore@adatum.com, and then press ENTER. This cmdlet tests the AD RMS configuration.
18. On VAN-EX1, in the Exchange Management Console, under Organization Configuration, click Hub Transport.
19. In the Actions pane, click New Transport Rule.
20. On the Introduction page, in the Name field, type AD RMS Test Rule.
21. Verify that Enable Rule is selected, and then click Next.
22. On the Conditions page, under Step 1, select from people.
23. Under Step 2, click the people link. In the Specify senders dialog box, click Add, click Administrator, and then click OK twice.
24. On the Conditions page, under Step 1, select sent to people.
25. Under Step 2, click the people link. In the Specify recipients dialog box, click Add, click Luca Dellamore, and then click OK twice.
26. Click Next.
27. On the Actions page, under Step 1, select rights protect message with RMS template.
28. Under Step 2, click the RMS Template link.
29. In the Select RMS template dialog box, click Do Not Forward, and then click OK.
30. Click Next twice, and then click New. Click Finish.
31. On VAN-CL1, ensure that you are logged on as Administrator. Create a new message with a subject of Transport Rule ADRMS test, and send it to Luca.
32. Log off VAN-CL1, and then log on as Luca.
33. Open Outlook and verify that Luca received the message entitled Transport Rule ADRMS test and that the Do Not Forward template is protecting the message. You will need to authenticate again to open the message.
10. On VAN-EX1, open the Exchange Management Console.
11. Under Recipient Configuration, click Distribution Group.
12. In the middle pane, right-click Marketing, and then click Properties.
13. On the Mail Flow Settings tab, double-click Message Moderation.
14. In the Message Moderation dialog box, select the Messages sent to this group have to be approved by a moderator check box.
15. Under Specify group moderators, click Add.
16. In the Select Recipient - Entire Forest dialog box, click Luca Dellamore, and then click OK.
17. Under Specify senders who don't require message approval, click Add.
18. In the Select Recipient dialog box, click Marketing, and then click OK three times.
19. Under Organization Configuration, click Hub Transport.
20. In the Actions pane, click New Transport Rule.
21. On the Introduction page, in the Name field, type ITAdmins Group Moderation. Verify that Enable Rule is selected, and then click Next.
22. Under Conditions in Step 1, select sent to a member of distribution list.
23. Under Step 2, click the distribution list link.
24. In the Specify recipient distribution group dialog box, click Add.
25. In the Select Mail Enabled Group window, select ITAdmins, click OK, and then click OK again.
26. Click Next.
27. Under Actions in Step 1, select forward the message to addresses for moderation.
28. Under Step 2, click the addresses link.
29. In the Specify recipients window, click Add.
30. In the Select Recipient User or Contact window, click Luca Dellamore, click OK, and then click OK again.
31. Click Next.
32. On the Exceptions page, under Step 1, select except when the message is from a member of distribution list.
33. Under Step 2, click the distribution list link.
34. In the Specify sender distribution list window, click Add.
35. In the Select Mail Enabled Group window, select ITAdmins, click OK, and then click OK.
36. Click Next, and then click New.
37. On the Completion page, click Finish.
38. Open Internet Explorer, and then connect to https://VAN-EX1.Adatum.com/owa.
39. Log on to Outlook Web App as Adatum\Administrator with a password of Pa$$w0rd.
40. In the Inbox, click New.
41. In the To field, type ITAdmins.
42. Type a subject and a short message, and then click Send.
43. In the Inbox, click New.
44. In the To field, type Marketing.
45. Type a subject and a short message, and then click Send.
46. On VAN-CL1, verify that you are logged in as Luca, open Outlook, and then verify that there are two messages waiting for Luca's approval.
47. Double-click the first e-mail message, and then on the Vote menu, click Approve. Close the message.
48. Double-click the second e-mail message, and then on the Vote menu, click Approve. Close the message.
Lesson 3
10. Beside Send Journal reports to e-mail address, click Browse.
11. In the Select Recipient dialog box, click Luca Dellamore, and then click OK.
Important: In this demonstration, you are choosing another user's mailbox as the destination for the journaled messages. In a production environment, choose a mailbox that you can dedicate as a journal mailbox.
12. Under Scope, click Internal - internal messages only.
13. Select the Journal messages for recipient check box, and then click Browse.
14. In the Select Recipient dialog box, click Executives, and then click OK.
15. On the New Journaling Rule page, click New, and then click Finish.
16. On VAN-EX1, open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Administrator with a password of Pa$$w0rd.
17. Create a new message, and then send it to Scott MacDonald. Scott is a member of the Executives group. Close Internet Explorer.
18. Open a new instance of Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Scott with the password Pa$$w0rd.
19. Confirm that the message from the Administrator arrived. Reply to the message, and then close Internet Explorer.
20. On VAN-CL1, verify that you are logged in as Luca, open Outlook, and then confirm that the journal mailbox contains both a journal report for the message sent to Scott and the reply message.
10. In the Discovery Management Properties dialog box, on the Members tab, click Add, type Luca, and then click OK twice.
11. On VAN-EX1, in Exchange Management Console, under Recipient Configuration, click Mailbox.
12. In the recipient list, click Discovery Search Mailbox, and then click Manage Full Access Permission.
13. On the Manage Full Access Permission page, click Add, click Luca Dellamore, click OK, click Manage, and then click Finish.
14. On VAN-CL1, if required, open Outlook.
15. In the Inbox, click New.
16. In the To field, type Manoj;Wei, and then press CTRL+K to resolve the names.
17. In the Subject field, type New Inventory.
18. In the message box, type We've received the new ProjectX items in inventory., and then click Send.
19. Open Internet Explorer, and then connect to https://VAN-EX1.Adatum.com/ecp.
20. Log on to the ECP as Adatum\Luca with a password of Pa$$w0rd.
21. In the Select what to manage drop-down list, ensure that My Organization is listed.
22. In the left pane, click Reporting. Under Multi-Mailbox Search, click New.
23. In the Keywords box, type ProjectX.
24. Expand Mailboxes to Search.
25. Under Select the mailboxes to search, click Add. In the Select Mailbox window, click Manoj Syamala, and then click Add. Click Luca Dellamore, and then click Add. Click Wei Yu, click Add, and then click OK.
26. Expand Search Name and Storage Location.
27. In the Search name field, type ProjectX Discovery.
28. Next to Select a mailbox in which to store the search results, click Browse.
29. In the Select Mailbox window, click Discovery Search Mailbox, and then click OK.
30. Click Save. Wait until the search status changes to Succeeded.
31. In the Internet Explorer window, in the top right corner, click My Mail.
32. In the top right corner, click Luca Dellamore, and then in the Select mailbox field, type Discovery. Click Open twice. In the Outlook Web App window, click OK.
33. In the Navigation pane, notice the new discovery folder named ProjectX Discovery. Expand the ProjectX Discovery folder.
34. Note the three folders created that correspond to the mailboxes added to the search criteria.
35. Expand Luca Dellamore, expand Primary Mailbox, and then expand Sent Items. Verify that the e-mail was discovered using the search criteria.
36. Expand Manoj Syamala, expand Primary Mailbox, and then expand Inbox.
37. Close Outlook Web App and Outlook.
Lesson 4
Demonstration steps
1. On VAN-EX1, if required, open the Exchange Management Shell.
2. At the PS prompt, type the following, and press ENTER:
New-RetentionPolicyTag DefaultTag -Type:All -MessageClass AllMailboxContent -RetentionEnabled $true -AgeLimitForRetention 365 -RetentionAction PermanentlyDelete -isprimary:$true
3. At the PS prompt, type the following, and then press ENTER:
New-RetentionPolicyTag InboxTag -Type:Inbox -MessageClass:* -AgeLimitForRetention:30 -RetentionEnable:$True -RetentionAction:MovetoDeletedItems
4. At the PS prompt, type the following, and then press ENTER:
New-RetentionPolicyTag "Business Critical" -Type:Personal -MessageClass:* -AgeLimitForRetention:1100 -RetentionEnable:$True -RetentionAction:MoveToArchive
5. At the PS prompt, type the following, and then press ENTER:
New-RetentionPolicy AllTagsPolicy -RetentionPolicyTagLinks:DefaultTag,InboxTag,"Business Critical"
6. At the PS prompt, type the following, and then press ENTER:
Set-Mailbox Andreas -RetentionPolicy AllTagsPolicy
7. Read the confirmation statement, and then press ENTER.
8. At the PS prompt, type the following, and then press ENTER:
Start-ManagedFolderAssistant -Mailbox Andreas
9. Open Internet Explorer, and connect to https://van-ex1.adatum.com/owa.
10. Log on as Adatum\Andreas using a password of Pa$$w0rd.
11. Click a message in the Inbox, and then in the reading pane, point out the expiration time for the message.
12. Right-click the message and review the options under the Retention Policy and Archive Policy menu items.
Right-click the Contoso Project folder, and then create a new managed content setting with the following configuration:
Name: Contoso Project Content Settings
Message type: All Mailbox Content
Length of retention period: 731
Retention period starts: When item is moved to the folder
Action to take at the end of the retention period: Permanently delete
Journaling: Disabled
4. In the Actions pane, click New Managed Folder Mailbox Policy, and then create a new managed folder mailbox policy named Accounting Department Policy that includes the Contoso Project folder.
5. Assign the Accounting Department Policy to all users in the Accounting OU.
6. On the Mailbox server properties, schedule the Managed Folder Assistant to run during the current time.
7. Restart the Microsoft Exchange Mailbox Assistants service.
8. Use Outlook Web App to check the mailbox of an Accounting department member. Verify that the Contoso Project folder was created in the user's mailbox.
Demonstration steps
1. On the VAN-EX1 computer, in the Exchange Management Console, in the Organization Configuration work area, click Mailbox.
2. In the Actions pane, click New Managed Custom Folder to start the New Managed Custom Folder wizard.
3. On the New Managed Custom Folder page, in the Name field, type Contoso Project.
4. In the Display the following comment when the folder is viewed in Outlook text box, type All items related to Contoso Project should be posted here and will be retained for 2 years.
5. Select the Do not allow users to minimize this comment in Outlook check box, and then click New.
6. On the Completion page, review the completion report, and then click Finish.
Note: After creating the managed custom folder, you can assign content settings to it. You also can assign content settings to any default folders.
7. Right-click the Contoso Project folder, and then click New Managed Content Settings.
8. On the Introduction page, in the Name of the managed content settings to be displayed in the Exchange Management Console box, type Contoso Project Content Settings.
9. In the Message type list, ensure that All Mailbox Content is selected.
10. Select the Length of retention period (days) check box, and then type 731 in the text box.
11. In the Retention period starts list, click When item is moved to the folder. You also can configure the retention period to start when the message is delivered to the user mailbox.
12. In the Action to take at the end of the retention period list, click Permanently delete. You also can configure the message to move to another managed custom folder or to be deleted with the option to recover the message.
13. On the Introduction page, click Next.
14. On the Journaling page, select the Forward copies to check box, and then click Browse. Notice that you can send a copy of the message to any valid recipient, including a custom recipient with an SMTP address referring to a SharePoint document library, or a third-party archiving application.
15. Click Cancel.
16. Clear the Forward copies to check box, and then click Next.
17. On the New Managed Content Settings page, review the summary, click New, and then click Finish.
18. On the Managed Custom Folders tab, expand Contoso Project. The managed content setting is linked to the managed custom folder.
19. On the Managed Default Folders tab, right-click Inbox, and then click the New Managed Content Settings option. You can apply the same content settings to any default folders. Click Cancel, and then click Yes.
20. Point out the Entire Mailbox item on the Managed Default Folders tab. If you apply content settings to this item, the settings are applied to all default folders in the user mailboxes.
21. In the Actions pane, click New Managed Folder Mailbox Policy to start the New Managed Folder Mailbox Policy wizard.
22. On the New Mailbox Policy page, in the Managed folder mailbox policy name box, type Accounting Department Policy.
23. In the Specify the managed folders that you want to link to this policy section, click Add.
24. In the Select Managed Folder dialog box, click Contoso Project, and then click OK. Notice that you can add additional managed folders to the policy.
25. On the New Mailbox Policy page, click New, and then click Finish.
26. In the Exchange Management Console, click the Recipient Configuration node, and then click Mailbox. In the Results pane, click the Organization Unit heading to sort the mailbox list by OU.
27. Select all of the mailboxes in the Accounting OU, right-click, and then click Properties.
28. On the Mailbox Settings tab, click Messaging Records Management, and then click Properties. Select the Managed folder mailbox policy check box, and then click Browse. Click Accounting Department Policy, and then click OK.
29. In the Messaging Records Management dialog box, enable a retention hold for the user mailbox. Click OK three times, and then click Yes at the Microsoft Exchange confirmations. When you apply the retention hold, Exchange Server does not apply the retention settings for the user mailbox folders during the time you specify. This is useful if a user is on vacation or on extended leave, and you do not want to delete unread e-mail messages.
30. In the Server Configuration work area, click Mailbox.
31. In the Results pane, right-click VAN-EX1, and then click Properties.
32. On the Messaging Records Management tab, in the Schedule the Managed Folder Assistant list, click Use Custom Schedule, and then click Customize.
33. In the Schedule dialog box, select the times from Monday 6:00 A.M. to Friday 6:00 P.M., and then click OK twice.
34. Open the Services console from the Administrative Tools menu, and then restart the Microsoft Exchange Mailbox Assistants service. Close the Services console.
35. On VAN-EX1, open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Parna with a password of Pa$$w0rd. Parna is a member of the Accounting department.
36. On the Microsoft Office Outlook Web App page, click OK.
37. Expand Managed Folders, and confirm that the Contoso Project folder has been created in the user mailbox. Click the folder, and point out the comment describing the folder that is displayed in the top-right pane. Close Internet Explorer.
Lesson 5
Almost all archive solutions have two other features:
They enable using cheaper storage for archived messages.
They retain a stub of the archived message in the user mailbox so that the user can access archived messages.
Requires very little user training because the UI is familiar to the users
Disadvantages include:
Significantly increases the storage requirements for the organization
Does not provide the option of moving the archive mailbox to cheaper, slower storage
Demonstration steps
1. On VAN-EX1, in the Exchange Management Console, click Recipient Management, and then click Mailbox.
2. Right-click Luca Dellamore, click Enable Archive, and then click Yes.
3. Right-click Luca Dellamore, and then click Properties.
4. On the Mailbox Settings tab, click Archive Quota, and then click Properties. Notice that you can configure a mailbox quota for the archive mailbox. Click Cancel.
5. In the Exchange Management Shell, type get-mailbox Luca | FL, and then press ENTER. Review the ArchiveName and ArchiveQuota settings.
6. On VAN-CL1, verify that you are logged on as Luca, open Outlook, and then verify that you do not see the archive mailbox.
7. Open Internet Explorer, and then connect to https://VAN-EX1.adatum.com/owa. Log on as Adatum\Luca with a password of Pa$$w0rd. Verify that the archive mailbox is visible through Outlook Web App.
Transport rules that use regular expressions are not applied consistently
Message recipients report that they are receiving error messages when they receive digitally signed messages from other users in the organization.
After you implement a transport rule, users report that some of the messages they send to Internet recipients are not delivered and they do not receive notification of why the messages were not delivered.
Ensure that when you implement a transport rule that might affect message delivery, you configure an action in the transport rule that informs the user if the message cannot be delivered. Normally, you would do this with a bounce message.
Module 10
Securing Microsoft Exchange Server 2010
Contents:
Lesson 1: Configuring Role Based Access Control
Lesson 2: Configuring Security for Server Roles in Exchange Server 2010
Lesson 3: Configuring Secure Internet Access
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1
Demonstration steps
1. On VAN-EX1, open Active Directory Users and Computers.
2. Expand Adatum.com, click Microsoft Exchange Security Groups, and then double-click Recipient Management.
3. On the Members tab, click Add.
4. In the Enter the object names to select field, type Conor, and then press OK twice.
5. On VAN-EX2, ensure that you are logged on as Conor.
6. Open the Exchange Management Console and the Exchange Management Shell.
7. In the Exchange Management Console, expand Microsoft Exchange On-Premises, expand Organization Configuration. Point out that Conor has Read access to the Exchange Server organization configuration because the Recipient Management group has been granted implicit Read permission to the organization.
8. Click Mailbox, and in the Results pane, verify that you do not have sufficient permissions to view the data.
9. Expand Recipient Configuration, click Mailbox, and then double-click Axel Delgado.
10. In the Axel Delgado Properties dialog box, click the Organization tab, verify that you can modify the user properties, and then click OK.
11. Right-click Axel Delgado, and then click New Local Move Request.
12. On the Introduction page, click Browse. In the Select Mailbox Database dialog box, click Mailbox Database 1, click OK, click Next two times, click New, and then click Finish.
Note: If you get an error that no MRS servers are available, verify that the Microsoft Exchange Mailbox Replication service is running on both VAN-EX1 and VAN-EX2.
13. In the Exchange Management Shell, type get-exchangeserver | FL, and then press ENTER. The user account has Read permission to the Exchange server information.
14. At the PS prompt, type Set-User Axel -Title Manager, and then press ENTER. Verify that Conor has permission to modify the Active Directory account.
15. Log off VAN-EX2.
Demonstration steps
1. On VAN-EX1, open the Exchange Management Shell.
2. At the PS prompt, type the following command, and then press ENTER.
3. New-ManagementScope -Name MarketingMailboxes -RecipientRoot "adatum.com/Marketing" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
4. Create a new management role group that uses the custom management scope by using the following command:
5. New-RoleGroup -Name MarketingAdmins -Roles "Mail Recipients", "Mail Recipient Creation" -CustomRecipientWriteScope MarketingMailboxes
6. In the Exchange Management Shell, type the following command, and then press ENTER:
7. Add-rolegroupmember -id MarketingAdmins -member Andreas
8. On VAN-EX1, open Active Directory Users and Computers.
9. Click Microsoft Exchange Security Groups and verify that the MarketingAdmins group was created and that Andreas is a member of the group.
10. On VAN-EX2, log on as Adatum\Andreas using a password of Pa$$w0rd.
11. Open the Exchange Management Console.
12. In the Exchange Management Console, expand Microsoft Exchange On-Premises, and then expand Recipient Configuration.
13. Click Mailbox, and then double-click Axel Delgado.
14. In the Axel Delgado Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is not saved.
15. Double-click Manoj Syamala.
16. In the Manoj Syamala Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is saved.
17. Click New Mailbox. Create a new mailbox in the default Users container. Verify that the user cannot create mailboxes in the Users container.
18. Click New Mailbox. Create a new mailbox in the Marketing OU. Verify that the user can create mailboxes in the Marketing OU.
Lesson 2
Question: What risks are the most serious?
Answer: The most serious threat to most Exchange Server organizations relates to malicious e-mails. Although most organizations now use excellent anti-virus and anti-phishing applications, new types of malicious software still pose a serious threat. Additionally, when users access e-mail from unsecure mobile clients or public computers, such as kiosks, this poses an additional, more serious threat in most organizations.
Lesson 3
Create a new Web Listener with the following settings:
Name: HTTP Listener
Client Connection Security: Do not require SSL secure connections from clients
Web Listener IP Addresses: External
Authentication Settings: HTML Form Authentication
Single Sign-On (SSO) Settings: Enabled
SSO domain name: ADatum.com
4. On the Authentication Delegation page, click Basic authentication.
5. Accept the default User Sets configuration, finish the wizard, and then apply the changes.
Demonstration steps
1. On VAN-TMG, click Start, point to All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.
2. Expand Forefront TMG, and then click Firewall Policy.
3. On the Firewall Policy Tasks pane, on the Tasks tab, click Publish Exchange Web Client Access.
4. On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA Access Rule, and then click Next.
5. On the Select Services page, in the Exchange version list, click Exchange Server 2010, select the Outlook Web Access check box, and then click Next.
6. On the Publishing Type page, click Next.
7. On the Server Connection Security page, ensure that Use SSL to connect the published Web server or server farm is configured, and then click Next. When you configure this option, the TMG server re-encrypts all network traffic sent to the Client Access server.
8. On the Internal Publishing Details page, in the Internal site name text box, type VAN-EX1.Adatum.com, and then click Next.
9. On the Public Name Details page, ensure that This domain name (type below) is configured in the Accept requests for drop-down list. In the Public name box, type mail.Adatum.com, and then click Next.
10. On the Select Web Listener page, in the Web Listener drop-down list, click New. Web listeners are configuration objects on the TMG server that define how the server accepts client connections.
11. On the Welcome to the New Web Listener Wizard page, type HTTP Listener, and then click Next.
12. On the Client Connection Security page, click Do not require SSL secure connections from clients, and then click Next.
Important: In a production environment, you always should use the option to Require SSL secured connections with clients. In this demonstration, the server is not configured with a server certificate, so HTTPS connections are not possible.
13. On the Web Listener IP Addresses page, select the External check box, and then click Next.
14. On the Authentication Settings page, accept the default of HTML Form Authentication, and then click Next.
15. On the Single Sign On Settings page, type Adatum.com as the SSO domain name, click Next, and then click Finish. Click OK.
16. Click Edit, and then on the Authentication tab, click Advanced.
17. Select the Allow client authentication over HTTP check box, and then click OK three times.
18. On the Select Web Listener page, click Next.
19. On the Authentication Delegation page, accept the default of Basic authentication, and then click Next.
20. On the User Sets page, accept the default, and then click Next.
21. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
22. Click Apply twice to apply the changes, and then click OK once the changes are applied.
Common issues related to configuring Exchange server publishing rules on a reverse proxy
Identify the causes for the following common issues related to configuring Exchange Server publishing rules on a reverse proxy, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue: Clients cannot connect to the published sites, and they receive internal server errors.
Troubleshooting tip: Normally, these errors occur when the reverse proxy cannot connect to the internal site. Verify that the reverse proxy can connect to the virtual directories on the Client Access server.
Issue: Clients cannot connect to the published sites, and they receive certificate errors.
Troubleshooting tip: When configuring a reverse proxy to use SSL bridging, you need to ensure that the configuration is correct for certificates on both the reverse proxy and the Client Access server. Check information such as whether the certificates are trusted and whether the names the certificates use match the names that the clients use when connecting to the site.
Issue: Clients cannot connect to the published sites, and they receive site-not-found errors.
Troubleshooting tip: Normally, this type of error displays when there is a problem connecting to the reverse proxy from the Internet. Verify that DNS name resolution is working correctly and that the external firewall is not blocking access to the reverse proxy.
Module 11
Maintaining Microsoft Exchange Server 2010
Contents:
Lesson 1: Monitoring Exchange Server 2010
Lesson 2: Maintaining Exchange Server 2010
Lesson 3: Troubleshooting Exchange Server 2010
Module Reviews and Takeaways
Lab Review Questions and Answers
Lesson 1
Collecting Performance Data for the Hub Transport and Edge Transport Servers
Question: If any of these performance counters measured outside its normal range, what is the most likely cause? Answer: Slow e-mail delivery will result in many of the transport counters being outside the normal range.
Lesson 2
Question: Are there situations in which you cannot follow the normal change process?
Answer: Yes, there are emergencies in which services are broken, and you cannot follow the full change management process. However, there should be an emergency change process in place to handle those situations. For example, if a critical service is down, it is not realistic to document and approve a detailed plan to solve the problem. The first priority is repairing the failed service. However, you should document and evaluate the changes that you make when you repair the service to ensure that there are no negative effects on other services.
organizations. An update is a broadly released fix for a specific problem, and can include security fixes.
Question: Why should your organization deploy software updates?
Answer: For security updates specifically, it is essential to apply the latest software updates. Exchange servers often are externally-facing, and are at risk of being compromised by unfixed security problems. Microsoft packages periodic Exchange Server security and nonsecurity updates into update rollups. These rollups contain numerous changes that have been regression-tested together, that may change functionality, but should address common problems. You should test these rollups thoroughly and apply them to ensure the Exchange servers work optimally.
Lesson 3
Always start with the most common problem causes, such as network connectivity and DNS name resolution. Gather as much information as possible about each of the reported problems. Although there might be multiple issues, it is likely that you will find a connection between the multiple reported problems. As always, take each report seriously and try to gather as much objective information about the problem as possible. Only then will you reach a suitable and objective solution.
Follow a proven troubleshooting technique. Stressful situations make it even more important to stick to a proven methodology.
3. An Exchange Server service pack was recently released, and the company has decided to deploy it. What should you do before scheduling the deployment?
Thoroughly test and document the deployment and server backup. Testing should include functionality and compatibility testing with the company's systems.
Resources
Contents:
Microsoft Learning
TechNet and MSDN Content
Communities
Microsoft Learning
This section describes various Microsoft Learning programs and offerings.
Microsoft Learning: Describes the training options available through Microsoft face-to-face or self-paced
Microsoft Certification Program: Details how to become a Microsoft Certified Professional, Microsoft Certified Database Administrators, and more
Microsoft Learning Support: To provide comments or feedback about the course, send e-mail to support@mscourseware.com. To ask about the Microsoft Certification Program (MCP), send e-mail to mcphelp@microsoft.com.
This section includes content from MSDN related to this course.
Autodiscover Response
Cmdlet verb names
Communities
This section includes content from Communities for this course.
Guidance on Active Directory design for Exchange Server 2007
Migrate to Microsoft Online Services
Windows Server Virtualization Validation Program
Recipient Management in Exchange 2007 Overview
How to Create and configure a meeting room mailbox with Exchange Server 2007
Microsoft Exchange Server Remote Connectivity Analyzer
Sample: How to add root certificates to Windows Mobile 2003 and Windows Mobile 2002 Smartphones
Additional Character Sets
Additional references
High availability white paper
Updated Exchange Public Folder (vs. SharePoint) Guidance
Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort. We review every e-mail received and forward the information on to the appropriate team. Unfortunately, because of volume, we are unable to provide a response but we may use your feedback to improve your future experience with Microsoft Learning products.
Reporting Errors
When providing feedback, include the training product name and number in the subject line of your email. When you provide comments or report bugs, please include the following:
Document or CD part number
Page number or location
Complete description of the error or suggested change
Please provide any details that are necessary to help us verify the issue.
Important: All errors and suggestions are evaluated, but only those that are validated are added to the product Knowledge Base article.