Lesson 1: Post-Installation Considerations


After Exchange Server 2003 is installed, there are additional configuration steps to complete prior to setting up users, connecting routing groups, and performing other server administration tasks. For example, you may need to delegate administrative authority of Exchange Server 2003 to other IT personnel, or you may need to install Microsoft Exchange System Management Tools on a workstation. In this lesson, you will perform a number of post-installation tasks.


After this lesson, you will be able to

  • Verify the Exchange Server 2003 services are installed and started and configure them to use the service account

  • Delegate Exchange Full Administrator permissions

  • Install Microsoft Exchange System Management Tools on a Microsoft Windows XP Professional workstation

  • Install additional components that were not selected during the initial Exchange Server 2003 installation

Estimated lesson time: 45 minutes


Exchange Server 2003 Services

Several new services are installed as part of the Exchange Server 2003 installation process. Figure 3-1 shows these services and their default configuration for Startup Type, the account the services Log On As, and the current state of the service (started or stopped).

Figure 3-1: Exchange Server 2003 services

Table 3-1 lists and describes the services that are installed in a typical installation.

Table 3-1: Exchange Server 2003 Services and Their Function

| Service | Description |
| --- | --- |
| Microsoft Exchange Event | Monitors folders and fires events for Microsoft Exchange Server 5.5-compatible server applications. |
| Microsoft Exchange IMAP4 | Provides Internet Message Access Protocol 4 (IMAP4) services to clients. If this service is stopped, clients are unable to connect to the computer using the IMAP4 protocol. |
| Microsoft Exchange Information Store | Manages the Microsoft Exchange Information Store, including mailbox stores and public folder stores. If this service is stopped, mailbox stores and public folder stores on the computer are unavailable. |
| Microsoft Exchange Management | Provides Exchange management information using Windows Management Instrumentation (WMI). If this service is stopped, Exchange management information is unavailable using WMI. |
| Microsoft Exchange MTA Stacks | Provides Microsoft Exchange X.400 services. Exchange X.400 services are used for connecting to Exchange 5.5 servers and are used by other connectors (custom gateways). If this service is stopped, Exchange X.400 services are unavailable. |
| Microsoft Exchange POP3 | Provides Post Office Protocol version 3 (POP3) services to clients. If this service is stopped, clients are unable to connect to the computer using the POP3 protocol. |
| Microsoft Exchange Routing Engine | Provides topology and routing information to Exchange Server 2003 servers. If this service is stopped, optimal routing of messages will not be available. |
| Microsoft Exchange Site Replication Service | Allows Exchange Server 2003 to coexist in an Exchange Server 5.5 site by presenting the Exchange Server 2003 server as an Exchange Server 5.5 directory service to other Exchange Server 5.5 servers. The Site Replication Service (SRS) is disabled by default and is useful only in mixed-mode organizations. |
| Microsoft Exchange System Attendant | Provides monitoring, maintenance, and Active Directory lookup services, for example, monitoring of services and connectors, defragmenting the Exchange store, and forwarding Active Directory lookups to a global catalog server. If this service is stopped, monitoring, maintenance, and lookup services are unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. |

Service Dependencies

Troubleshooting problems with Exchange Server 2003 often involves services that have stopped. A problem might appear to be the result of one service failing when that service stopped only because a service it depends on stopped first. For example, suppose users cannot log on to their Exchange Server 2003 server, and when you check the services you notice that the Information Store service has stopped. While the problem could be related to the Information Store service itself, you might also find that the Information Store service stopped only because the System Attendant service stopped. The System Attendant may in turn have stopped because a service it depends on stopped, and so on. Table 3-2 lists the dependencies for the Exchange Server 2003 services.

Exam Tip

You can view service dependencies through the Services management console, but for the exam, you should be able to identify the dependencies of each of the Exchange Server 2003 services. You may see scenarios where knowing the service dependencies is essential to determining the real problem and finding the correct answer.

Table 3-2: Exchange Server 2003 Service Dependencies

| Service | Dependencies |
| --- | --- |
| Microsoft Exchange System Attendant | Event Log, NTLM Security Support Provider, Remote Procedure Call (RPC), RPC Locator, Server, Workstation |
| Microsoft Exchange Information Store | Microsoft Exchange System Attendant, Exchange Installable File System (EXIFS) |
| Microsoft Exchange IMAP4 | Internet Information Service (IIS) Admin Service |
| Microsoft Exchange POP3 | IIS Admin Service |
| Microsoft Exchange MTA Stacks | Microsoft Exchange System Attendant |
| Microsoft Exchange Management | RPC, WMI |
| Microsoft Exchange Routing Engine | IIS Admin Service |
| Microsoft Exchange Event | Microsoft Exchange Information Store |

Tip

There can be multiple levels of dependencies, where one service depends on another, which depends on another, and so forth. There are additional dependencies, as well, outside of the Exchange-specific services, such as the services that the IIS Admin Service depends on, and the services RPC depends on, and so on. When troubleshooting a service, first ensure that there are no other service dependencies in a stopped state.
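The multi-level reasoning described above, as an added example that is not from the book: it encodes the direct dependencies from Table 3-2 and, given a set of stopped services, finds the stopped service at the bottom of the chain, the order in which to start things again, and which Exchange services a stopped dependency takes down with it. The function names and the stopped-service scenario are constructed for illustration, and services that Table 3-2 does not break down further (such as IIS Admin Service) are treated as leaves.

```python
"""Root-cause walk over the service dependencies listed in Table 3-2."""

# Display names as the table gives them; "RPC" is normalised to its long form.
SA = "Microsoft Exchange System Attendant"
IS = "Microsoft Exchange Information Store"
IIS = "IIS Admin Service"
RPC = "Remote Procedure Call (RPC)"

# Direct dependencies only, transcribed from Table 3-2. Services the table
# does not break down further (IIS Admin Service, RPC, ...) are leaves here.
DEPENDS_ON = {
    SA: ["Event Log", "NTLM Security Support Provider", RPC,
         "RPC Locator", "Server", "Workstation"],
    IS: [SA, "Exchange Installable File System (EXIFS)"],
    "Microsoft Exchange IMAP4": [IIS],
    "Microsoft Exchange POP3": [IIS],
    "Microsoft Exchange MTA Stacks": [SA],
    "Microsoft Exchange Management": [RPC, "WMI"],
    "Microsoft Exchange Routing Engine": [IIS],
    "Microsoft Exchange Event": [IS],
}


def root_causes(service, stopped, _path=()):
    """Stopped services in `service`'s chain that have no stopped dependency."""
    if service in _path:  # guard against a circular dependency
        return []
    roots = []
    for dep in DEPENDS_ON.get(service, ()):
        for root in root_causes(dep, stopped, _path + (service,)):
            if root not in roots:
                roots.append(root)
    if not roots and service in stopped:
        roots.append(service)  # nothing below it is stopped: start here
    return roots


def start_order(service, stopped, _order=None, _path=()):
    """Stopped services needed by `service`, dependencies first."""
    order = [] if _order is None else _order
    if service in _path or service in order:
        return order
    for dep in DEPENDS_ON.get(service, ()):
        start_order(dep, stopped, order, _path + (service,))
    if service in stopped:
        order.append(service)
    return order


def affected_by(service):
    """Exchange services that depend, directly or indirectly, on `service`."""
    hit, frontier = [], [service]
    while frontier:
        current = frontier.pop(0)
        for name, deps in DEPENDS_ON.items():
            if current in deps and name not in hit:
                hit.append(name)
                frontier.append(name)
    return hit


if __name__ == "__main__":
    # Constructed scenario: the lesson's Information Store example, with
    # RPC Locator chosen as the dependency that stopped first.
    stopped = {IS, SA, "RPC Locator", "Microsoft Exchange Event"}
    print("Root cause:", root_causes(IS, stopped))
    print("Start in this order:", start_order(IS, stopped))
    print("Also down while System Attendant is stopped:", affected_by(SA))
```
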

Service Logon Accounts

In Figure 3-1, in the Log On As column, notice that by default Exchange Server 2003 uses the Local System account to start each of the services. The Local System account is a built-in account that has full administrative rights; most services are associated with this account by default. Applications such as Exchange Server 2003 use it automatically because it is a known account with the correct permissions. However, when you have multiple services sharing the same logon account, troubleshooting security can be more difficult. Therefore, it is recommended that you use a dedicated service account for your Exchange Server 2003 services. You will configure the services to use your dedicated service account later in this lesson.

Real World: Microsoft Exchange Server 2003 Services and Server Reboots

Anyone who has administered a version of Microsoft Exchange Server in the real world knows that rebooting a server running Exchange Server, whether on Microsoft Windows NT 4, Windows 2000 Server, or Windows Server 2003, can take much longer than normal. Exchange Server 2003 is no different, and if it is installed on a Windows Server 2003 server that functions as a global catalog server, the server can take as long as 10 minutes to reboot. If Exchange Server 2003 is installed on a member server, the process is not as lengthy, but it can still take significantly longer than rebooting a non-Exchange server.

A common workaround for this problem is to stop the Exchange services prior to initiating the server restart. To automate the process, many administrators use a batch file to stop the Exchange Server 2003 services and use the Shutdown.exe program (found in the Windows NT 4, Windows 2000 Server, or Windows Server 2003 Resource Kits) to completely script the reboot process. By doing so, the reboot process is dramatically sped up.


Delegation of Authority

Another post-installation consideration with Exchange Server 2003 is identifying the user accounts to which you will delegate administrative authority for the Exchange organization. When you installed Exchange Server 2003, the user account used was automatically given Exchange Full Administrator rights, which include the ability to administer all configuration details of the Exchange organization and the ability to modify permissions. No other accounts are given rights to administer the Exchange organization. This means that any future administration has to be performed under the security context of the account that installed Exchange Server 2003. This is impractical and largely undesirable for a few reasons. First, if you have multiple Exchange administrators, you want to be able to track the activity of each administrator through the Security log. If all administrators use the same user account, it will be much more difficult to accomplish this. Another reason is that it will be necessary to distribute the service account password to every administrator, which will compromise security. In addition, each administrator will have the same level of permissions to the Exchange organization, which isn't desirable either.

The best practice is to delegate authority to the groups or individual users that need to administer the Exchange organization. The standard practice in system administration is to use security groups wherever possible for assigning permissions and to assign permissions to individual users only when absolutely necessary. By following these practices, an administrator is better able to manage and maintain security in an enterprise environment.

Exchange Server 2003 supports three administrative roles that can be delegated using Exchange System Manager: Exchange Full Administrator, which can manage anything in the organization including permissions; Exchange Administrator, which can manage everything in the organization except permissions; and Exchange View Only Administrator, which has read-only administrative access to the Exchange organization.

Security Alert

Authority to administer Exchange Server 2003 can be delegated in one of two places: at the organization level (which grants the permissions to the entire organization) or at the administrative group level (which grants the permissions only to that administrative group). In a decentralized administrative model, you can delegate administrative rights to a division to manage their own administrative group without allowing them to have rights to any other administrative groups. And in a centralized administrative model, you can delegate administrative rights to the entire organization so that you don't have to repeat the delegation process for every administrative group that is added.

Administration from Client Workstations

Exchange administration tasks, including delegating authority, should not be performed directly from the server consoles. Secure environments strictly limit the ability to log on locally to a server, perhaps to only the Administrator account. Allowing regular user accounts to log on locally to servers, especially domain controllers, is not a recommended security practice.

If you have a workstation that meets the criteria, you can install Microsoft Exchange System Management Tools and administer the Exchange organization from there. Table 3-3 lists the system requirements necessary to install Microsoft Exchange System Management Tools. The requirements for non-Exchange servers are given, as well, in case you need to install the tools on a server that isn't running Exchange Server 2003. If a service pack level is given, the service pack is part of the requirements, and the tools cannot be installed on a system that isn't at that service pack level or later. A basic requirement for any management workstation is that it is a member of the same domain and forest as the Exchange organization.

Table 3-3: System Requirements for Running Microsoft Exchange System Management Tools

Operating system

Requirements

Windows XP Professional SP1

  • IIS snap-in component

  • Simple Mail Transfer Protocol (SMTP) service component (disable SMTP service after installation; it is needed only for the snap-in and poses a security threat if left running)

  • World Wide Web (WWW) service (required by SMTP; should be disabled after installation)

  • Windows Server 2003 AdminPack (for Network News Transfer Protocol (NNTP) and Active Directory Users And Computers snap-ins)

Windows XP Professional SP2

  • IIS snap-in component

  • IIS Manager component (provides SMTP now)

  • Windows Server 2003 AdminPack

Windows 2000 Professional SP3

  • IIS snap-in component

  • Windows 2000 Server AdminPack (provides SMTP, NNTP, and Active Directory Users And Computers snap-ins)

Windows 2000 Server SP3

  • IIS snap-in component

  • SMTP service component (disable after installation)

  • NNTP service component (disable after installation)

Windows Server 2003

  • IIS Manager component

The Microsoft Exchange System Management Tools installation is very similar to the Exchange Server 2003 installation. When your management workstation meets all the requirements, run Setup from the Exchange Server 2003 installation CD. The Microsoft Exchange Installation Wizard will start, and you will go to the Component Selection page and perform a Custom installation. The only component you need to select is Microsoft Exchange System Management Tools; however, if you will be managing any Exchange Server 5.5 servers, as well, you can also install the Microsoft Exchange 5.5 Administrator. Once Setup completes, you will be able to start Active Directory Users And Computers and Exchange System Manager and complete tasks using the rights that you have been delegated.

Adding and Removing Exchange Server 2003 Components

There might be times when you need to add or remove an Exchange Server 2003 component. Perhaps you installed the Microsoft Exchange Connector for Novell GroupWise as part of the process of migrating GroupWise to Exchange Server 2003, and with that process now complete, you want to remove the connector component. Or perhaps your company has recently acquired a company that has an Exchange 5.5 organization, and you need to install the Microsoft Exchange 5.5 Administrator in order to administer that site. Whatever the circumstance, the process of adding or removing an Exchange Server 2003 component involves re-running Exchange Server 2003 Setup and changing the selections on the Component Selection page of the Microsoft Exchange Installation Wizard.

Important

When planning to remove a component, you must ensure that the component is no longer in use in the organization. With connectors, that means making sure there are no existing connection agreements that utilize the connector (connection agreements are discussed in Chapter 4). If you attempt to remove a component that is currently in use, Setup will block the removal, and Setup will fail.

Usually adding or removing a component is as simple as running the Microsoft Exchange Installation Wizard. However, if the installation wizard won't allow you to add or remove a component and you know there shouldn't be a problem with it, there are ways to accomplish the task manually.

Practice: Post-Installation Considerations

In this practice, you will configure the Exchange Server 2003 services to use the service account you created in Chapter 2, create security groups for the administrative roles of Exchange Server 2003, and delegate authority to those groups. You will run Exchange Server 2003 Setup again and add the Microsoft Exchange 5.5 Administrator program to your first Exchange Server 2003 installation.

Exercise 1: Modify the Exchange Server 2003 Services

  1. From the Start menu, point to All Programs, then point to Administrative Tools and start Services. Scroll down to the services that begin with Microsoft Exchange.

  2. Double-click the Microsoft Exchange System Attendant service to bring up the properties, and then click the Log On tab.

  3. Select the This Account option and browse to your service account.

  4. Type the password for your service account and then confirm it. Click OK to return to Services.

  5. Repeat the process for each of the Exchange Server 2003 services.

  6. Restart the Microsoft Exchange System Attendant service, choosing Yes to restart all the other services in the process. Confirm that the services restart correctly using the service account rather than the Local System account.

Exercise 2: Delegate Administrative Authority

  1. Start the Active Directory Users And Computers console and create the following Windows security groups:

    • ExchangeFullAdmins

    • ExchangeAdmins

    • ExchangeViewAdmins

  2. From the Start menu, point to All Programs, and then point to Microsoft Exchange. Start Exchange System Manager.

  3. Right-click on the organization name and click Properties. Select the check box to Display Administrative Groups, if it is not already selected. Click OK. Quit and reopen Exchange System Manager, if prompted.

  4. Right-click the organization name and notice that Delegate Control is an option on the shortcut menu. Right-click an administrative group and notice the same option.

  5. Right-click the organization name, and click Delegate Control. This will start the Exchange Administration Delegation Wizard. Click Next, and notice that only the account you used to install Exchange Server 2003 (and the account specified to be the Exchange Full Administrator during the installation, if they are not the same) has any permissions (Exchange Full Administrator).

  6. Complete the wizard to add the ExchangeFullAdmins security group and assign it the role of Exchange Full Administrator.

  7. Repeat the process and assign the ExchangeAdmins security group the role of Exchange Administrator and assign the ExchangeViewAdmins security group the role of Exchange View Only Administrator.

  8. When finished, start Active Directory Users And Computers and create a personal user account for yourself. Make it a member of the ExchangeFullAdmins security group.

Exercise 3: Add Additional Exchange Server 2003 Components

  1. On your first Exchange Server 2003 server, insert the Exchange Server 2003 installation CD and start Setup.

  2. On the Component Selection page, check marks appear next to the installed components. Click the check mark next to the Microsoft Exchange component, and select Change from the drop-down list.

    Tip

    You have to select Change at each component level or you will receive an error. You cannot set a child component to Change or Install without selecting its parent first.

  3. In the Action column for Microsoft Exchange System Management Tools, click the check mark (which shows that the component is installed) and select Change from the drop-down list.

  4. Click the Action column next to Microsoft Exchange 5.5 Administrator, and click Install.

  5. Finish the wizard, and then verify that the Microsoft Exchange 5.5 Administrator is installed. You can find the program in the Microsoft Exchange menu, which is on the All Programs menu of the Start menu.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and then try the question again. You can find answers to the questions in the "Questions and Answers" section at the end of this chapter.

  1. You are the Exchange administrator for your organization. On Monday morning, users call to report that they are unable to open Microsoft Outlook; they receive an error message indicating that Exchange Server is unavailable. You check to see if the services are running and find that the Information Store service is stopped. You attempt to start it from Services and it fails, generating an error. Where do you begin troubleshooting?

  2. Which of the following Microsoft operating systems meet the minimum requirements to install Microsoft Exchange System Management Tools?

    1. Windows XP Home SP2

    2. Windows XP Professional

    3. Windows XP Professional SP1

    4. Windows 98 SE

    5. Windows NT Workstation 4.0 SP6a

    6. Windows 2000 Professional SP2

    7. Windows 2000 Professional SP3

    8. Windows Millennium Edition (Windows Me)

  3. You have been assigned the task of designing a more streamlined administrative structure for your Exchange Server 2003 organization. Your organization currently consists of 15 administrators who have various levels of administrative control of Exchange, assigned individually at the administrative group level as well as the organizational level, in some cases. What would be your best approach to this task?

  4. You are an Exchange administrator for an organization that has five Exchange administrators who perform various tasks. There are no additional Exchange administration roles delegated outside of the service account that Exchange Server 2003 was installed with. You are trying to convince the senior Exchange administrator, who is more management-oriented than IT-oriented, to delegate administrative control to the individual administrators or, at a minimum, to create security groups and delegate control to the groups, but he is reluctant. His reasoning is that it is more secure if only a single user account has the Exchange Full Administrator role for the organization. How would you counter his argument?

Lesson Summary

  • Services are often dependent on other services to run, so to effectively troubleshoot Exchange Server 2003, it is important to know which services rely on each other.

  • Ideally, administrative control should be delegated to security groups rather than to individuals. Delegation of control is one of the first tasks that needs to be performed after installation in an organization that has multiple Exchange administrators.

  • Microsoft Exchange System Management Tools can be installed on a client workstation that meets the operating system and component requirements.

  • Administrative control can be delegated at either the organization level or the administrative group level.

  • Exchange Server 2003 components can be added or removed by re-running Setup and changing the installed components.




MCSA/MCSE Self-Paced Training Kit (Exam 70-284): Implementing and Managing Microsoft® Exchange Server 2003 (Pro-Certification)
ISBN: 0735618992
EAN: 2147483647
Year: 2003
Pages: 221
