Administering a Server with System Manager


Most of the chapters in this book discuss some element of administering an Exchange server, group, or organization. Much of this management happens inside the System Manager snap-in and, if you've been following along with the exercises in this book so far, you're probably already pretty comfortable with the tool. This section offers a closer look at using System Manager.

Microsoft Management Console

Microsoft Management Console (MMC) provides a common environment for the management of system and network resources. MMC is a framework application in which modules called snap-ins are run. (System Manager is the snap-in used for managing Exchange Server 2003.) Snap-ins provide all the real functionality of MMC, and you can run multiple snap-ins inside a single instance of MMC, often called a console. This allows administrators to create custom management consoles that are geared toward a specific administrative function or administrator. For example, you might have an administrator who manages an Exchange server and is also responsible for various other aspects of management on that server. You could create a custom console that contains the System Manager snap-in and any other snap-ins that this administrator might need.

Figure 10.1 shows MMC with the System Manager snap-in loaded.


Figure 10.1: The main MMC window with the System Manager loaded

MMC menu bar: The primary MMC menu bar always holds certain menu items, regardless of any snap-ins that are loaded: File, Action, View, Favorites, Window, and Help.

MMC toolbar: The MMC toolbar appears below the MMC menu bar and provides quick access to common commands.

Snap-in action bar: The snap-in action bar merges with the MMC menu bar and holds menus that pertain to the snap-in loaded in the console. If a console window contains multiple snap-ins, the action bar changes according to whatever snap-in you are viewing. Most action bars sport three menus: Action, View, and Favorites. The Action menu contains commands that apply to whatever object you have selected in the console. This means that many of the commands found on that menu will change as you select different objects. The View menu is used to control how information is displayed in the console. The Favorites menu lets you add items to a list of favorites and organize that list into categories. The Favorites list can include shortcuts to tools, items in the console, or tasks. The Favorites tab in the Scope pane lets you view items on your Favorites list.

Scope pane: The Scope pane (not present in all consoles) is on the left-hand side of the main MMC window. It shows a hierarchy of containers referred to as a console tree. Some containers are displayed as unique icons that graphically represent the type of items that they contain. Others are displayed as folders, simply indicating that other objects are held inside.

Results pane: The Results pane is on the right-hand side of the console. This pane changes to show the contents of whatever container is selected in the Scope pane. In other words, the Results pane shows the results of the currently selected scope. The Results pane can display information in a number of different views. The standard views (large or small icon, list, and detail) are accessed through the View menu.

Containers and objects: All of the items you see in both panes of the console window are called objects. These objects are the primary management tools of a snap-in, and you will use them by opening their property pages, selecting them to view data in the Results pane, or right-clicking them to access pertinent commands. Objects come in two types. Container objects hold other objects, even other container objects. They are used to arrange objects into an administrative hierarchy. All container objects form the expandable tree that you see in the Scope pane of a console. Leaf objects differ from container objects only in that they cannot hold other objects.

Using the System Manager Snap-In

In previous chapters, you have seen how the System Manager snap-in is used to create and manage recipients; build routing, administrative, and storage groups; and configure protocol usage. This section discusses how it can be used to manage other Exchange activities relating to organization and server management.

When System Manager is started, its default action is to try to connect to a domain controller that exists on the same subnet as the computer running System Manager. If no domain controller exists on the same subnet, System Manager tries to find one in the same Windows site. Once System Manager finds a domain controller, it queries Active Directory to fill the console with the current Exchange organization objects.

Note: You can direct System Manager to connect to a specific computer by adding the snap-in to a blank MMC console rather than starting System Manager from the Microsoft Exchange folder. To do this, select the Run command from the Start menu and type MMC into the Run box. When the blank console opens, use the File menu to add a snap-in, and choose the Exchange System Manager snap-in from the list of available snap-ins. When you add the snap-in, you will be prompted to supply the name of a specific domain controller. You can save the console at this point so that you don't lose any selections.

Figure 10.2 shows the now familiar System Manager.


Figure 10.2: The hierarchy of an Exchange organization

Organization: The Organization container appears at the top of the hierarchy and is named for the organization itself (MCSE World in Figure 10.2). The property pages for this object hold options for displaying administrative and routing groups and for changing your organization from mixed mode to native mode. These properties were discussed in detail in Chapter 8, "Building Administrative and Routing Groups."

Global Settings: The Global Settings container holds objects governing settings that apply to your entire organization. The container itself has no property pages associated with it, but inside the container you will find three objects. The first, Internet Message Formats, defines the formatting for SMTP messages sent over the Internet. The second object in the Global Settings container, Message Delivery, is used to configure message defaults for your organization. Open the property pages for this object (shown in Figure 10.3) to set message limit defaults that filter down to the information stores on your servers and to configure filters for handling messages from particular SMTP addresses. The final object in the Global Settings container, Mobile Services, is used to control the default settings for Outlook Mobile Access.


Figure 10.3: Configuring Message Delivery settings for an organization

Recipients: The Recipients container is used to manage server settings that apply to recipients in your organization. You can define recipient policies, manage address lists, and even modify address templates. Recipient policies are covered later in this chapter. You can find information on managing address lists in Chapter 5, "Creating and Managing Recipients."

Administrative Groups: The Administrative Groups container holds all configured administrative groups. Each Administrative Groups container holds the following containers: Servers, System Policies, Routing Groups, and Folders.

Servers: Servers containers hold configuration objects for managing the protocols, connectors, and storage groups configured on a server. You can find information on configuring these specific objects throughout this book.

System Policies: The System Policies container holds the system policies that you have configured for mailbox stores, public folder stores, and servers.

Routing Groups: The Routing Groups container holds all routing groups that exist within the selected administrative group. Within each individual Routing Groups container exist the Connectors and Members containers. The Connectors container holds configuration items for each of the connectors available within the routing group. The objects within the Connectors container represent connectors between routing groups in your organization and to foreign messaging systems. The Members container simply lists all members of the specific routing group.

Folders: The Folders container holds the public folders hierarchy and properties but not their contents. It also contains the system folders, a list of folders that Exchange users do not see. The system folders hold the Offline Address Book and other system configuration objects.

Tools: The Tools container holds objects that help you manage your Exchange organization. You'll find three containers within the Tools container. The Site Replication Services container lets you configure replication with existing Exchange 5.5 sites using the Active Directory Connector. This is covered in Chapter 12, "Coexisting with and Upgrading from Exchange 2000 Server." The Message Tracking Center object is actually a shortcut for opening the Message Tracking Center (MTC), which lets you track specific messages in your organization. The MTC is discussed in detail later in this chapter. The Monitors container holds objects that let you monitor the status of servers and connections in your organization. Both of these are covered later in this chapter.

Customizing a Console

System Manager is actually a saved console file that connects to a Windows Server 2003 domain controller in order to get configuration information regarding your Exchange organization. While all Exchange administrative functionality can be controlled from the System Manager, there are reasons why you might want to create a custom console.

For example, you could create a custom System Manager console that provides specialized taskpad views for helping new Exchange administrators get used to the system or that always connects to a specific server in another organization.

In addition to the full System Manager snap-in, there is one additional Exchange-related snap-in you can use to create a custom console:

  • The Exchange Message Tracking Center snap-in creates a console that displays only the message-tracking features.

Managing Administrative Security

Administrative access to Exchange objects can be configured. An administrator can assign permissions to specific users or groups at different levels of the Exchange hierarchy in order to determine who has what type of access to what information. To understand how permissions are assigned, you must understand the types of permissions available and the way that permissions are inherited by objects from their parent objects.

Types of Permissions

Exchange Server 2003 uses the Windows Server 2003 security model to manage access to objects. All Exchange objects are secured with a discretionary access control list (DACL) and individual Access Control Entries (ACEs) that give users and groups specific permissions on an object. In System Manager, you will configure permissions for an object using the Security property page for that object (see Figure 10.4).


Figure 10.4: Assigning permissions to an object

For the most part, the Security page is common across all objects. You select a user or group from the list (you can add more by clicking the Add button) and then either allow or deny each permission for that user or group.

Note: If you do not specifically allow or deny a permission, the state of the permission is inherited from the parent container. Read on for more on permissions inheritance.

There are two types of permissions available to you. Standard permissions are part of the default permissions that come with Windows Server 2003. Extended permissions are added when Exchange Server 2003 is installed. Extended permissions change depending on the object you are viewing. For example, many recipient objects have the extended permissions Send As and Receive As. Server objects have an Administer Information Store permission that is used to specify the users and groups that can administer stores on the server.

Table 10.1 lists the standard permissions available to you. These are the permissions you should really be familiar with on the job, and on the exam.

Table 10.1: Standard Permissions for Administrative Objects

| Permission | Description |
| --- | --- |
| Full Control | Give full permissions on the object. |
| Read | View the object in System Manager. |
| Write | Make changes to the object. |
| Delete | Delete the object. |
| Read Permissions | View the Security page for the object. |
| Change Permissions | Modify the permissions for the object. |
| Take Ownership | Take ownership of the object. |
| Create Children | Create child objects inside the object. |
| Delete Children | Delete child objects from the object. |
| List Contents | View the contents of a container object. |
| Read Properties | View the properties of the object. |
| Write Properties | Modify the properties of the object. |
| List Object | View the objects in a container object. |

Permissions Inheritance

By default, child objects in System Manager always inherit permissions from their parent objects. For the most part, this is a good thing, because it eliminates the need to manually assign permissions to every object, letting System Manager do much of the work for you. However, there will be times when you want to override this functionality. You can do so in two ways:

  • Modify the permissions by specifically allowing or denying the permission to the appropriate user or group.

  • Disable the Allow Inheritable Permissions From Parent To Propagate To This Object option from the Advanced Security Settings dialog.

You can also prevent permissions from being inherited in the first place by visiting the parent object's Security page and clicking the Advanced button. In the Advanced dialog that opens, you can specify whether the permissions for each access control setting should or should not propagate to child objects.

Exercise 10.1 outlines the steps for assigning permissions to an object and preventing that object from propagating permissions to any of its child objects.

Note: For safety's sake, do not perform Exercise 10.1 on a production server. You might also want to undo your changes after completing the exercise.

EXERCISE 10.1: Modifying Permissions on an Object in System Manager
  1. Click Start > Programs > Exchange > System Manager.

  2. Double-click the Servers container to expand it.

  3. Right-click a server object and select the Properties command.

  4. Click the Security tab.

  5. Select the Domain Admins group from the list.

  6. Click the Deny option for the Full Control permission.

  7. Click the Advanced button.

  8. Select the Deny Domain Admins Full Control entry from the list.

  9. Click the View/Edit button.

  10. From the drop-down list, select This Object Only.

  11. Click OK three times to return to System Manager.
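
The effect of Exercise 10.1 and of the inheritance rules described above, as an added example that is not from the book: a simplified Python model of DACL evaluation in which entries are checked in Windows canonical order (explicit before inherited, deny before allow within each group). The three-object hierarchy, the starting Allow entry for Domain Admins, and the names Right, Ace, Obj, dacl, access_check and build are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Flag, auto

class Right(Flag):  # subset of the standard permissions in Table 10.1
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()
    FULL_CONTROL = READ | WRITE | DELETE | CHANGE_PERMISSIONS

@dataclass(frozen=True)
class Ace:
    principal: str
    allow: bool             # False = Deny entry
    rights: Right
    propagate: bool = True  # False = "This Object Only"

@dataclass
class Obj:
    name: str
    parent: "Obj | None" = None
    explicit: list = field(default_factory=list)
    inherit: bool = True    # the "Allow Inheritable Permissions..." option

def dacl(obj):
    """Explicit ACEs (deny first), then propagating ACEs from the parent chain."""
    own = sorted(obj.explicit, key=lambda a: a.allow)  # False (deny) sorts first
    if obj.parent is None or not obj.inherit:
        return own
    return own + [a for a in dacl(obj.parent) if a.propagate]

def access_check(obj, token, wanted):
    """Walk the DACL in order: a matching deny fails, allows accumulate."""
    remaining = wanted
    for ace in dacl(obj):
        if ace.principal not in token:
            continue
        if not ace.allow and ace.rights & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.rights
        if not remaining:
            return True
    return False  # implicit deny: some requested right was never granted

def build(deny_propagates):
    # Constructed hierarchy and starting ACL (assumptions, not Exchange defaults).
    org = Obj("MCSE World", explicit=[Ace("Domain Admins", True, Right.FULL_CONTROL)])
    server = Obj("SERVER1", org, [Ace("Domain Admins", False, Right.FULL_CONTROL, deny_propagates)])
    return org, server, Obj("First Storage Group", server)

if __name__ == "__main__":
    _, server, store = build(deny_propagates=False)  # the exercise's end state
    print(access_check(server, {"Domain Admins"}, Right.READ), access_check(store, {"Domain Admins"}, Right.READ))
```

In this model an explicit Allow placed on the storage group is evaluated before a Deny inherited from the server, which is why a propagated Deny alone does not guarantee that access is blocked further down the tree.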

 

The Exchange Administration Delegation Wizard

All users who will function as Exchange administrators must be granted the appropriate permissions on objects they will need to administer. Fortunately, System Manager provides a tool that makes the task of delegating administrative permissions in Exchange a good bit easier than having to assign them manually.

The Exchange Administration Delegation Wizard lets you select a user or group and assign them a specific administrative role. You can start the wizard either from the organization object (right-click and choose the Delegate Control command) or from a specific administrative group. Where you start the wizard defines the scope of permissions that are assigned to the user or group. For example, if you start the wizard from the organization object, the permissions assigned propagate all the way down through the hierarchy of objects. If you start the wizard from a specific administrative group, permissions propagate down through that group only. However, read-only permissions also propagate upward along the hierarchy so that the administrators can view, at least, the objects in the full hierarchy.

Note: The Exchange Administration Delegation Wizard is a separate utility from the Delegation of Control Wizard available in Active Directory Users and Computers.

In addition, to start the wizard, you must have full administrative control yourself. Full administrative control is granted to the user who installed the first Exchange server in an organization.

There are three roles that you can assign using the Exchange Administration Delegation Wizard:

  • The Exchange Full Administrator role gives full administrative capability. Administrators can add, delete, and rename objects as well as modify permissions on objects.

  • The Exchange Administrator role gives the same full administrative capability as the Exchange Full Administrator role but does not give administrators permission to modify permissions for objects.

  • The Exchange View-Only Administrator role lets administrators view Exchange configuration information but not modify it in any way. This role is often useful to assign to administrators who might need to see the way an organization is structured but do not perform any actual administration.




MCSA[s]MCSE
ISBN: 735621527
Year: 2004
Pages: 160