Performing Postinstallation Tasks | Mastering Microsoft Exchange Server 2007 SP1

Exchange 2007 is installed, but your work isn't over. There are several post-installation tasks you have left to complete.

Starting the Exchange Management Console

If you used Setup's graphic mode to install Exchange, then you were given the option to automatically start EMC when the installation was complete. Otherwise, click Start Ø All Programs Ø Microsoft Exchange Ø Exchange Management Console to launch the EMC.

When you first open the EMC, you see a screen much like that shown in Figure 4.5. It contains a list of tasks that you need to accomplish in order to finalize your deployment. This list may be longer or shorter depending on which roles you have in your organization. Each task is a hyperlink that will lead you to specific instructions on how to accomplish it.

image from book
Figure 4.5: Finalizing the deployment

There is also a tab in the MMC that shows you additional, tasks you can do to further improve the usability of your Exchange organization, such as configuring accepted domains. You can see an example of this tab in Figure 4.6.

image from book
Figure 4.6: End-to-end scenarios

Delegating Permissions

One common post-setup task is the delegation of Exchange administrative permissions. By default, Exchange 2007 includes a number of predefined administrator roles that you can use as a basis for delegating management permissions among your staff. These built-in roles are as follows:

Exchange Organization Administrator Users and groups assigned to this role have complete access to all Exchange properties and objects organization-wide. This is the highest level of permission in Exchange 2007.
Exchange Recipient Administrator Users and groups assigned to this role can read all of the Domain Users containers in each Exchange-prepared domain in the Active Directory forest and have write access to the Exchange properties on all user objects in those containers. They can, in short, manage the Exchange properties of any recipient in an Exchange-prepared domain. Note that they do not have the underlying Active Directory permissions to create, manage, or delete the user objects, and if you do not run /PrepareAD for a given domain, they will have no Exchange-granted access to that domain.
Exchange Server Administrator Users and groups assigned to this role are granted the ability to administer server-specific configuration items for the server this role is associated with. This role is granular on a server-by-server basis, allowing you to finely delegate administrative permissions without the use of administrative groups.
Exchange View-Only Administrator Just what it says; users and groups assigned to this role get to peek at organization-wide configuration settings and Domain Users containers in Exchange-prepared domains, but they can't change any settings.

You may have noticed that, by default, these permissions are set up to explicitly enforce a split-permission model between Active Directory and Exchange. This model helps large organizations enforce the difference between Active Directory administrators and Exchange administrators.

Warning

The split-permission model has some subtle implications too. For example, the Exchange extensions to the Active Directory Users and Computers MMC snap-in are a thing of the past. In order to do any recipient management, you must use the Exchange tools.