Appendix A -- Questions and Answers
Appendix A
Questions and Answers
Chapter 1
Lesson 2: Benefits of Exchange 2000 Server for the Enterprise
Activity: Evaluating the Business Benefits of Exchange 2000 Server
Scenario: Wide World Importers
1. Which messaging-related benefits can Wide World Importers better achieve with Exchange 2000 Server compared with Exchange Server 5.5?
| Technological Benefit | Assumptions and Comments | Superiority of Exchange 2000 |
|---|---|---|
| Enhanced client functionality | MAPI-based and Internet mail clients are supported in Exchange Server 5.5, but there is no support for native Windows applications through a file system driver. | 2 |
| Enterprise-wide directory | Exchange Server 5.5 supports LDAP and can be synchronized with Active Directory using the ADC. However, ADC configuration and maintenance creates administrative overhead that can be eliminated with Exchange 2000 Server. | 1 |
| Flexible system administration | Exchange Server 5.5 does not support the option of recovering deleted mailboxes without the need for backups. For seamless integration with Active Directory, ADC must be configured. Other important administration features are available. | 2 |
| High-end Information Store architecture | Exchange Server 5.5 performs database maintenance automatically and supports online backups and the single-instance storage feature, but does not allow splitting of the Information Store into multiple separate databases that can be maintained individually. Furthermore, clustering is only supported in an active/passive configuration. | 3 |
| Seamless Internet connectivity | Exchange Server 5.5 supports MIME and all other popular Internet mail standards, but does not integrate as tightly with IIS, as does Exchange 2000 Server. FE/BE server configurations are not supported for Internet mail clients. Unsolicited commercial e-mail can be blocked. | 2 |
| Interoperability with foreign messaging systems | Exchange Server 5.5 is based on the 1988 X.400 standard, but also provides a powerful SMTP connector (Internet Mail Service), as well as a variety of other connectors, beyond the capabilities of Exchange 2000 Server (PROFS and SNADS connectors are not available in Exchange 2000 Server). | –2 |
| Advanced messaging security | Exchange Server 5.5 contains a KMS, and supports S/MIME, X.509 version 3 certificates similar to Exchange 2000 Server. | 0 |
2. Summarizing the situation for Wide World Importers, what is the total potential for improvements with Exchange 2000 Server in this environment?
| Business Benefit | Maximum Possible Score | Effective Score | Potential for Improvements |
|---|---|---|---|
| Increased competitiveness | 50 | 31 | 62% |
| Increased productivity | 75 | 36 | 48% |
| Lower TCO | 20 | 8 | 40% |
| Reduced system administration overhead | 25 | 5 | 20% |
| Provides reliable communication services | 35 | 8 | 23% |
| User-friendly work environment | 45 | 24 | 53% |
| Secured messaging environment | 10 | 1 | 10% |
3. Is it reasonable for Wide World Importers to engage in project planning? Why?
Almost certainly. An evaluation of migration costs may still be required to complete the analysis, however, the benefits of Exchange 2000 show that Wide World Importers can gain more momentum in their ability to enhance their productivity and competitiveness and potentially lower long-term operational and maintenance costs.
Review
1. What are important messaging features that Exchange 2000 Server provides?
Important messaging features are support for MAPIand Internet-based messaging clients, integration with Active Directory for flexible system administration, transaction-oriented Information Store architecture, support for seamless connectivity to the Internet and foreign messaging systems, and advanced messaging security based on the X.509 version 3 standard and S/MIME.
2. What are the key characteristics of Exchange 2000 Server’s high-end Information Store architecture?
One key feature is the single-instance storage feature, which results in high-speed message delivery on a single server system and saved disk space. Furthermore, the databases of the Enterprise Edition are not limited in size and can grow up to the maximum capacity of the server’s hard disks. It is possible to configure the Information Store with multiple databases to reduce the size of each individual database. The Information Store performs database maintenance automatically at scheduled intervals to ensure their integrity. Databases can be backed up online and restored individually without affecting users with mailboxes in other databases. For maximum fault tolerance, Exchange 2000 Server supports active/active clustering.
3. How does Exchange 2000 Server enable you to build a user-friendly messaging environment?
Outlook 2000 and OWA are user-friendly messaging clients, and users may use Internet mail clients, such as Outlook Express, to compose and read messages. The integration of Exchange 2000 Server with Active Directory and Windows 2000 security mechanisms simplifies access to messaging resources. You can also implement knowledge management and instant groupware solutions, as well as Web-based workgroup and workflow systems, to build a future-oriented workplace. Real-time communication services, such as Instant Messaging, are also available to open new communication channels.
4. How can Exchange 2000 Server help to lower your organization’s TCO?
Integration with Windows 2000 and Active Directory is the basis for a unification of the network and messaging administration, which can help to lower maintenance and training costs. In addition, the architecture of the Information Store allows consolidating more users on fewer servers, which can help to reduce hardware and software costs. For maximum scalability, Internet services can be partitioned across FE/BE systems.
5. What are the differences between the Standard and Enterprise Editions of Exchange 2000 Server?
Standard and Enterprise Editions provide the same functionality and features with the exception of active/active clustering, support for multiple unlimited Information Store databases, FE/BE configuration, and the Chat Service, which are only available in the Enterprise Edition.
6. Peter Waxman, Head of Communications Technology at Wide World Importers, Inc., is currently considering a migration to Exchange 2000 Server. All users work with Outlook 2000 in an Exchange Server 5.5 organization. Waxman wants to deploy Exchange 2000 to provide Instant Messaging as well as data and videoconferencing services. Which server licenses are required?
Wide World Importers has to purchase server licenses for Exchange 2000 and Conferencing Server.
Chapter 2
Lesson 2: Building a Solid Project Foundation
Activity: Preparing a Deployment Project
Scenario: Consolidated Messenger
1. Assign each key player one or multiple appropriate roles in the project team.
| Role | Name and Title |
|---|---|
| Project sponsor | Jonathan Perera, President and CEO |
| Product manager | Gregory J. Erickson, Senior IT Administrator |
| Program manager | Richard Carey, Network Administrator |
| Operations development | Eva Corets, System Support Specialist |
| Testing and quality assurance | Gregory J. Erickson, Senior IT Administrator |
| User training and documentation | Gregory J. Erickson, Senior IT Administrator |
| Logistics management | Richard Carey, Network Administrator |
2. Answer the following questions to develop an appropriate vision statement for Consolidated Messenger.
1. Is the organization planning to standardize their entire messaging environment on Exchange 2000 Server?
Yes
2. Is the organization planning to upgrade from an earlier version of Exchange Server?
No
3. Does the organization intend to replace foreign messaging systems with Exchange 2000 Server?
Yes
4. Which foreign messaging systems do you intend to replace?
Microsoft Mail
5. In how many locations are you planning to deploy Exchange 2000 Server?
One location
6. What are the names of the locations where Exchange 2000 Server will be deployed?
Portland, Oregon
7. Are you planning to deploy Outlook 2000 as part of the project?
No
8. How many users do you want to support?
1500
9. When is the deployment project supposed to begin?
Q3/2001
3. Formulate a vision statement for Consolidated Messenger.
Consolidated Messenger is planning to standardize their entire messaging environment on Exchange 2000 Server, which will be deployed in the single site of Portland, Oregon. Our existing messaging and collaboration systems, including Microsoft Mail, will be migrated to the new platform. The Exchange 2000 organization will support 1500 users. The project will begin Q3/2001.
4. Identify three compelling objectives for the deployment of Exchange 2000 Server at Consolidated Messenger. (Refer to the functional gap analysis CONSOLIDATED_MESSENGER.XLS that you can find in the \Chapter01\ Examples directory on the Supplemental Course Materials CD.)
| Business Objective | Achieved Through | |
|---|---|---|
| Increased productivity | | |
| Lower TCO | | |
| User-friendly work environment | | |
5. Answer the following questions to determine relevant project constraints.
1. Are the necessary funds available to fully deploy Exchange 2000 Server in the network infrastructure?
Yes
2. Do you have to meet an aggressive deadline with your deployment of Exchange 2000 Server?
No
3. Can you ensure through training and other measures that the project team has the required knowledge to fully deploy Exchange 2000 Server?
Yes
6. Describe the resulting project scope.
Budget, time, and manpower are sufficiently available to carry out the deployment of Exchange 2000 Server to its full extent.
7. Propose a high-level solution for Consolidated Messenger.
Consolidated Messenger will replace their entire Microsoft Mail environment with one Exchange 2000 server. The migration from MS Mail requires the temporary configuration of a Connector to MS Mail and automatic directory synchronization. To minimize administrative and maintenance overhead, all migrated users will be placed on the same server. Consolidated Messenger should purchase a high-end server machine with fault-tolerant disk subsystems. The exact server configuration will be determined as part of this project. Users will continue to use Outlook 2000 for messaging and collaboration. They only need to connect to the Exchange 2000 server instead of their old MS Mail postoffices. At project completion, all users of Consolidated Messenger will work with Outlook 2000 in a native Exchange 2000 Server organization and the MS Mail environment can be retired.
8. List three high-level risks and possible mitigation strategies.
| Risk | Mitigation Strategy |
|---|---|
| Project team has no experience or limited experience with project management. | Provide training to ensure all project managers have the required skills to handle the project. |
| Team members have insufficient knowledge of Windows 2000, Active Directory, and Exchange 2000 Server. | Develop a training plan to ensure all team members receive appropriate training on Windows 2000 and Exchange 2000 Server. |
| Project schedule or budget is exceeded. | Add a reserve of 30% to the estimated project budget and schedule to provide a reasonable buffer. |
Review
1. The MSF process model divides infrastructure deployment projects into several key phases. What are the names of these phases and what are their purposes?
The four key phases are called envisioning, planning, development, and deployment. During the envisioning phase, the project team prepares the project and the project sponsor approves it. In the planning phase, the project team defines the functional specifications and produces various planning documents, which are verified in the development phase. The project team can then use the deployment plans for the Exchange 2000 Server rollout during the deployment phase.
2. What are the deliverables of the envisioning phase?
Project team structure, vision and scope document, and risk management plan.
3. What are the responsibilities of the product manager?
The product manager is responsible for the entire project, including timely delivery within budget constraints and reporting progress and project status to the project sponsor.
4. What are the responsibilities of the program manager?
The program manager is responsible for the functional specifications that outline the features, functionality, network design, and infrastructure of the Exchange 2000 organization. The program manager also assists the product manager in formulating strategic goals for the project and addressing project risks.
5. What are the tasks in the planning phase?
You need to assess the current infrastructure and develop the functional specifications for the future environment, including the physical and logical design of the Exchange 2000 organization. The project team develops a master project plan and establishes the project schedule. Furthermore, you must continuously reassess project risks.
6. What are the two major activities that you need to accomplish in the development phase?
You need to validate the project plans and system designs in a test lab and in the real environment. Correspondingly, the two major activities are verifying deployment plans in a test lab and performing a pilot rollout with a limited number of technically skilled users.
7. What is the last step in the deployment phase?
The last step in the deployment phase is usually the transfer of the new infrastructure to daily operations for ongoing system administration. Optionally, a project review can be conducted to identify possible improvements or additional functionality that may be implemented in future projects.
Chapter 3
Lesson 2: The Impact of Exchange 2000 Server on Active Directory Directory Service
Activity: Evaluating Active Directory Environments
Scenario: Coho Vineyard & Winery
1. List two advantages of the current approach for Coho Vineyard & Winery.
Any changes on user accounts and configuration information in Active Directory are effective immediately and don’t generate replication traffic. The costs of implementing and maintaining Active Directory are kept at a minimum.
2. List the most important disadvantage of the current approach for Coho Vineyard & Winery.
Domain controller redundancy does not exist. If the domain controller ZEUS shuts down for any reason, the Active Directory environment is out of order.
3. List three possible improvements for the Active Directory environment of Coho Vineyard & Winery.
Coho Vineyard & Winery should invest in a second domain controller to provide a sufficient level of fault tolerance. The second domain controller should be configured as an additional GC server. Coho Vineyard & Winery should switch their domain cohovineyardandwinery.com into native mode.
Scenario: Woodgrove Bank
1. Name one critical issue in Woodgrove Bank’s Active Directory environment.
There are no GC servers at the Cayman Islands site.
2. Which approach would you choose and why?
You should configure CAY-01-DC as a GC server to provide the users in the Cayman Islands with a fast and reliable connection to a GC.
Lesson 3: Exchange 2000 Server and the Windows 2000 Security Architecture
Activity: Analyzing Administrative Active Directory Structures
Scenario: Coho Vineyard & Winery
1. Which administrative roles will Paul West and Don Funk automatically receive in the Exchange 2000 organization?
Paul West will receive the Exchange Full Administrator role; Don Funk will receive both the Exchange Administrator and Mailbox Administrator roles.
2. Who will be able to prepare the Active Directory forest for Exchange 2000 Server?
Paul West
Scenario: Woodgrove Bank
1. Which administrative roles will the administrators of Woodgrove Bank automatically receive in the Exchange 2000 organization?
| Windows 2000 Administrators | Domains and OUs | Exchange Roles |
|---|---|---|
| Luis Bonifaz | All domains and OUs | Exchange Full Administrator |
| Scott Fallon | woodgrovebank.com | Exchange Administrator |
| Michael Emanuel | Basel.woodgrovebank.com (all OUs) | Mailbox Administrator |
| Kari Hensien | Bern.woodgrovebank.com (all OUs) | Mailbox Administrator |
| Charles Fitzgerald | Zurich.woodgrovebank.com (all OUs) | Mailbox Administrator |
| Gabriele Dickmann | Frankfurt.woodgrovebank. com (all OUs) | Mailbox Administrator |
| Greg Chapman | London.woodgrovebank. com (all OUs) | Mailbox Administrator |
| David M. Bradley | NewYork.woodgrovebank. com (all OUs) | Mailbox Administrator |
| Shane S. Kim | HongKong.woodgrovebank. com (all OUs) | Mailbox Administrator |
| Patricia M. Cook | Cayman.woodgrovebank. com (all OUs) | Mailbox Administrator |
| Fukiko Ogisu | Tokyo.woodgrovebank. com (all OUs) | Mailbox Administrator |
2. Who will be able to prepare the Active Directory forest for Exchange 2000 Server?
Luis Bonifaz
Review
1. What are the advantages of a centralized deployment of Exchange 2000 servers?
A centralized server deployment simplifies system administration and maintenance, and user management can still be delegated to individual administrators in the departments, business units, or geographical locations of your enterprise. Additionally, centralized server resources make it easy to coordinate backup and disaster recovery strategies.
2. What are the advantages of a decentralized deployment of Exchange 2000 servers?
In a decentralized deployment scenario, servers are installed in each geographical location, which eliminates or reduces the need for client/server communication over WAN connections. This provides better server response times due to the high net-available bandwidth in the LANs. Users can also continue to work with their local mailboxes and other resources even if WAN connections are down. The decentralized server deployment also gives you great control over the server-to-server communication in the WAN, which can be scheduled for hourly transfer of messages. This allows you to optimally use dial-on-demand WAN links in a low-bandwidth environment.
3. The following diagram shows an Active Directory forest with a single domain that spans three sites. What do you need to change in the Active Directory environment to optimally support Exchange 2000 Server and Outlook 2000?
You need to promote the domain controllers in each site to GC servers.
4. You want to install the first Exchange 2000 server in your Active Directory forest. However, you are unable to complete the installation because your user account, which is a member of the local domain’s Domain Admins group, does not have the required permissions to perform the forest preparation. Who do you need to ask to perform the preparation for you and where must the preparation take place?
You need to ask the schema administrator to perform the forest preparation, which requires running Setup /ForestPrep in the domain of the schema master.
5. The following diagram shows an Active Directory forest with three domains and several OUs. Which roles will the current Windows 2000 administrators inherit in the future Exchange 2000 organization?
| Windows 2000 Administrators | Domains and OUs | Exchange Roles |
|---|---|---|
| Stephanie Conroy | All domains and OUs | Exchange Full Administrator |
| Brad Sutton | alpineskihouse.com | Exchange Administrator |
| Bill Sornsin | alpineskihouse.com | Exchange Administrator |
| Andreas Berglund | bigmountain.alpineskihouse.com (all OUs in this domain) | Mailbox Administrator |
| Jim Stewart | bigmountain.alpineskihouse.com (OU General Management) | Mailbox Administrator |
| Shane S. Kim | bigmountain.alpineskihouse.com (OU Human Resources) | Mailbox Administrator |
| Randy Reeves | bigmountain.alpineskihouse.com (OU Accounting) | Mailbox Administrator |
| Alan Steiner | smallmountain.alpineskihouse.com (all OUs in this domain) | Mailbox Administrator |
| Jeremy Los | smallmountain.alpineskihouse.com (all OUs in this domain) | Mailbox Administrator |
Chapter 4
Lesson 1: Assessing the Current Messaging Infrastructure
Activity: Evaluating Messaging Environments
Scenario: Coho Vineyard & Winery
1. Are there any known problems in the current infrastructure?
No, according to Paul West, the "UNIX-like environment works great."
2. Would you recommend a consolidation of messaging resources?
No. All 250 users work with the same messaging server.
3. Which connector could Coho Vineyard & Winery use to connect Exchange 2000 Server to MDaemon PRO?
MDaemon PRO version 3, as well as Exchange 2000 Server, are native SMTP systems. Installation of an explicit messaging connector between them is not required. Both systems can instantly communicate with each other if the DNS configuration is correct. Alternatively, Coho Vineyard & Winery may evaluate the option of installing an explicit SMTP connector.
4. Do you need to install additional components in the production environment to support the connectivity components?
No. Exchange 2000 Server is a native SMTP system and can communicate with MDaemon PRO without further messaging connectors.
Scenario: Woodgrove Bank
1. Are there any known problems in the current infrastructure?
No. The messaging environment operates reliably.
2. Would you recommend consolidation of messaging resources in their Swiss locations?
Yes. A single Exchange 2000 server can host all 600 mailboxes. The same server or a separate server may be used to connect the site to the messaging backbone.
3. Which connector should Woodgrove Bank use to connect Exchange 2000 Server to the messaging backbone and to the MS Mail postoffices?
Woodgrove Bank should use the MS Mail Connector to connect Exchange 2000 Server directly to postoffices and an SMTP connector to connect to the messaging backbone.
4. Do you need to install additional components in the production environment to support the connectivity components?
No. Neither the SMTP nor the MS Mail Connector requires additional components in the production environment.
Lesson 2: Directory Synchronization with Foreign Messaging Systems
Activity: Evaluating Options for Directory Synchronization
Scenario: Coho Vineyard & Winery
1. Is it possible to connect Exchange 2000 Server to Alt-N Technologies MDaemon using a connector that supports directory synchronization?
No. A direct connector to MDaemon does not exist, and an SMTP Connector must be used, which does not support directory synchronization.
2. Which directory synchronization option would you recommend and why?
Coho Vineyard & Winery should investigate whether MDaemon’s LDAP-based export features can be utilized for an export of recipient information to Active Directory. If this is not possible, a manual export into a .csv file and semiautomated directory synchronization are the only options for Coho Vineyard & Winery.
Scenario: Woodgrove Bank
1. Is it possible to connect Exchange 2000 Server to Woodgrove Bank’s MS Mail environment using a connector that supports directory synchronization?
Yes. The MS Mail Connector supports directory synchronization between Exchange 2000 Server and MS Mail.
2. Is it necessary to change the existing directory synchronization topology to integrate Exchange 2000 Server?
No. The MS Mail Connector allows integration of Exchange 2000 Server into the existing directory synchronization environment.
Lesson 3: Preparing the Client Base for Exchange 2000 Server
Activity: Evaluating Client Installations
Scenario: Coho Vineyard & Winery
1. Are all operating systems capable of running Outlook 2000?
No. The UNIX users require a separate PC, preferably running Windows 2000 Professional, or a terminal server solution.
2. Does the current hardware meet the requirements of Outlook 2000?
Yes. The PCs are able to run Outlook 2000.
3. Do you need to provide end-user training on Outlook 2000?
Yes. End-user training on Outlook 2000 must be provided prior to or during the migration to Exchange 2000 Server.
Scenario: Woodgrove Bank
1. Are all operating systems capable of running Outlook 2000?
Yes. All workstations run Windows 2000 Professional.
2. Does the current hardware meet the requirements of Outlook 2000?
Yes. The PCs are able to run Outlook 2000.
3. Do you need to provide end-user training on Outlook 2000 prior to the migration of the MS Mail environment in Switzerland?
No. The MS Mail users are already familiar with Outlook 2000. The client base in Switzerland is ready for migration.
4. Is it possible to deploy Outlook 2000 in all locations of Woodgrove Bank prior to the migration to Exchange 2000 Server?
Yes. Woodgrove Bank has the option to install appropriate MAPI transport drivers for Lotus cc:Mail, Lotus Notes, and Novell GroupWise. Appropriate MAPI drivers must be purchased from Lotus and Novell.
Review
1. You plan to migrate a Lotus cc:Mail network to Exchange 2000 Server. Which connector should you install to integrate Exchange 2000 Server with cc:Mail and why?
You should use the Connector to Lotus cc:Mail because this connector provides direct messaging connectivity between both systems and supports the synchronization of address information for seamless system integration.
2. You plan to integrate Exchange 2000 Server into a Novell GroupWise environment using the Connector to Novell GroupWise. Which component do you need to install in the GroupWise environment to support this connector?
You need to deploy a Novell GroupWise API Gateway version 4.1 with Novell GroupWise Patch 2 for API.
3. When migrating to Exchange 2000 Server, why is it important to implement directory synchronization?
Directory synchronization is the process of copying recipient information from one directory into another and vice versa. Via directory synchronization, all directories in a heterogeneous environment contain complete and correct address information, which is especially important in migration projects where address information is constantly changing.
4. You plan to migrate a complex Pegasus Mail environment to Exchange 2000 Server. For message transfer, you decide to configure an SMTP connector. How can you best synchronize the directories of Pegasus Mail and Exchange 2000 Server with each other?
The SMTP connector does not support automated directory synchronization. You should check the features of Pegasus Mail to export address information into a text file, and then import this information into Active Directory using LDIFDE or CSVDE. You may need to format the import file manually or by using an Excel macro prior to the import.
5. You plan to migrate a complex Lotus Domino/Notes environment to Exchange 2000 Server. You estimate that the migration may take up to a year due to the number of users and the required conversion of groupware applications. How can you familiarize the users with Outlook 2000 prior to the installation of Exchange 2000 Server?
You can obtain a MAPI transport driver for Lotus Domino from Lotus Development Corporation and deploy Outlook 2000 in the Lotus Domino/Notes environment.
Chapter 5
Lesson 1: The Administrative Infrastructure of Exchange 2000 Server
Activity: Designing an Administrative Topology for Exchange 2000 Server
Scenario: Consolidated Messenger, Inc.
1. How many administrative groups do you need to implement?
You need to implement two administrative groups: one for the servers of the Video department and a second for the servers of the remaining business units.
2. What do you need to accomplish to prevent the administrators from managing each other’s messaging resources?
You need to block inherited permissions at the administrative group level. Create two security groups, call them Denied at Video and Denied at Consolidated, and then deny these groups the Full Control permission at the Video department’s administrative group, respectively, and the administrative group of the remaining business units. You can then add the administrators as members to these groups according to their IT department.
3. What should you recommend in addition?
Consolidated Messenger should carefully test the security configuration in a lab to ensure that the system remains fully operational with denied permissions for selected administrators.
Lesson 2: The Routing Infrastructure of Exchange 2000 Server
Activity: Designing Routing Group Topologies
Scenario: Consolidated Messenger, Inc.
1. How many routing groups are required in Consolidated Messenger’s Exchange 2000 organization?
Because all servers are part of the same high-speed network environment, only one routing group is required.
2. For political reasons, the Video department requests full control to the routing infrastructure. How would you structure the Exchange 2000 organization to give all messaging administrators of Consolidated Messenger full permissions to the routing topology?
You need to configure a separate administrative group, create the routing group for Consolidated Messenger in it, grant all administrators full access to this administrative group, and place all servers in the routing group. You may first need to switch the Exchange 2000 organization into native mode. In mixed mode, for backward compatibility reasons, servers can only be placed in routing groups of their local administrative group.
Scenario: Litware, Inc.
1. How many routing groups would you implement?
You need to implement two routing groups: one for Washington, DC and one for Los Angeles.
2. How many RGCs would you install for highly reliable messaging connectivity?
You should configure two RGCs in each routing group: one for the Internet connection and one to communicate over the satellite link, which should be used as a backup path.
3. Which RGC type would you choose to connect the routing groups?
You should use SMTP connectors for both the Internet and the satellite connections because this connector provides more control over the communication, which will help to avoid problems on the WAN links.
Lesson 3: Dedicated Servers in an Exchange 2000 Organization
Activity: Designing Server Infrastructures
Scenario: Consolidated Messenger, Inc.
1. How many mailbox servers should you install in Consolidated Messenger’s Exchange 2000 organization, and to which administrative groups should they belong?
You should install two mailbox servers. Add one to the administrative group AG Consolidated Messenger and the other to AG Video Department.
2. How many public folder servers should you install in Consolidated Messenger’s Exchange 2000 organization, and to which administrative groups should they belong?
No dedicated public folder servers are necessary because Consolidated Messenger does not plan to implement workgroup or workflow solutions in the foreseeable future.
3. How many connector servers should you install in Consolidated Messenger’s Exchange 2000 organization, and to which administrative groups should they belong?
To provide the 1500 users of Consolidated Messenger with powerful, redundant Internet mail connectivity, you should install two connector servers and add both to the administrative group AG Routing Environment.
Scenario: Litware, Inc.
1. How many mailbox servers should you install in the routing group RG Los Angeles?
You should deploy two mailbox servers (750 mailboxes each).
2. How many mailbox servers should you install in the routing group RG Washington DC?
You should deploy two mailbox servers (1000 mailboxes each).
3. How many connector servers should you install in Litware’s Exchange 2000 organization?
You should install one connector server in each routing group to host both the Routing Group and the SMTP connectors. The SMTP connector will transfer all messages between the routing groups. The RoutingGroup connector via the satellite link is solely a backup line to stand by in case there is a problem with the Internet connection. Under normal circumstances, the Routing Group connector will not transfer any messages and, therefore, does not require an explicit connector server.
Lesson 4: Public Folder Access Strategies
Activity: Developing Public Folder Strategies
Scenario: Consolidated Messenger, Inc.
1. Which top-level folder strategy would you recommend for Consolidated Messenger?
You should create a separate security group for the users from the Video department, grant this group rights similar to those granted to the Everyone account, and then clear the Create Top Level Folders right for the Everyone account in the Security tab of the organization object.
2. Where should you place the MAPI-based public folder hierarchy?
You should move the MAPI-based public folder hierarchy to the administrative group of the Video department.
3. Would you recommend creating an alternate public folder hierarchy for the Video department?
No, there is no need for an alternate public folder hierarchy.
Scenario: Litware, Inc.
1. Which top-level folder strategy would you recommend for Litware, Inc.?
You should remove the Create Top Level Folders right from the Everyone account in the Security tab of the organization object.
2. How should you configure the public folder of the project documentation library to allow the users from Los Angeles and Washington, DC read access to the documents with optimal response times?
You should replicate the folder to the mailbox servers in both locations.
Review
1. What is the difference between the Exchange Administrator and Exchange Full Administrator roles?
Exchange Full Administrators are Exchange Administrators, but in addition they can delegate administrative permissions to other users and configure security settings on information store databases, public folder hierarchies, and address lists.
2. You want to grant a group of department administrators full control to only a subset of servers, and all remaining administrators must be able to manage allservers in the messaging environment. How should you design the administrative topology?
You need to create a separate administrative group and place all those servers in that group that the department administrators are supposed to manage. Use this administrative group to delegate the Exchange Administrator role to the department administrators. Grant all remaining administrators the permissions of Exchange Administrators at the organization level.
3. Two business units that generally manage their server resources separately require full control permissions to a central public server. For this reason, you plan to add the public server to the administrative groups of both departments. How can you achieve the desired configuration?
A server cannot belong to two administrative groups. You should create a separate administrative group for the public server, add the server to it, and grant the administrators of both business units full control to this group.
4. You want to grant a mailbox administrator the minimum right to create and manage mailbox resources. Which role should you delegate to this administrator, and on what level?
You need to grant this administrator the rights of an Exchange View Only Administrator at the organization level.
5. You are planning to implement two administrative groups in an environment with fast and reliable network connections. How should you structure the routing group topology, and what do you need to accomplish to implement it?
You should place all servers in the same routing group. Because the servers belong to different administrative groups, you must switch the organization into native mode.
6. Between routing groups, communication does not take place without explicit configuration of messaging connectors. Which three connectors can you use to connect routing groups together, and which should you prefer in a corporate network?
You can use the Routing Group connector, SMTP connector, or X.400 connector to connect routing groups together. The Routing Group connector is more powerful than the others and should be preferred in a low-latency network.
7. Which routing group topology prevents Exchange 2000 Server from rerouting messages?
The hub-spoke or hierarchical topology prevents rerouting of messages because alternative paths do not exist between any two routing groups.
8. You are planning the routing group topology for an environment with three LANs interconnected in a global WAN with a bandwidth of 256 Kbps. How many routing groups should you implement?
You should create three routing groups, one for each LAN.
9. Why is it important to have reliable network connections to all servers in a routing group?
All servers must be able to communicate with the routing group master to ensure that LSI is propagated properly. Without LSI, message routing may be inefficient.
10. You have implemented a separate routing group for each geographical location of your company. You want to prevent client traffic on the WAN connections, and for this reason, you want to block access to public folders in remote routing groups. How can you achieve the desired configuration?
You need to enable the Do Not Allow Public Folder Referrals check box in the properties of all RGCs.
11. How can you prevent your users from creating folders at all levels of the public folder hierarchy?
You need to remove the Create Top Level Folders right from the Everyone account.
Chapter 6
Lesson 1: Integrating Microsoft Exchange Server 5.5 with Windows 2000 Server
Activity: Developing Directory Integration Strategies
Scenario: Adventure Works
1. Do you need to configure intraor interorganizational CAs?
You need to configure intraorganizational CAs because all recipients and users belong to the same environment.
2. Which version of the ADC do you need to install?
You need to install the ADC that comes with Exchange 2000 Server.
3. How should you prepare the Active Directory forest to minimize GC rebuilds and related replication traffic over the wide area network (WAN) connections?
You should run the Exchange 2000 Setup program in ForestPrep mode.
4. In which domain should you place the distribution groups that the ADC creates for Exchange distribution lists?
You should place the distribution groups in the root domain adventure-works.com because this is the only domain operating in native mode.
5. How many ADCs should you install provided that it is only necessary to synchronize recipient information in the local sites?
You should install three ADC instances: one in North America, one in South Africa, and one in Australia.
6. How should you configure the CAs for all ADCs, provided that it is only necessary to synchronize recipient information in the local sites?
Configure one primary one-way CA from the Exchange organization to the Active Directory forest to create and synchronize directory objects in the root domain adventure-works.com. Configure two nonprimary, two-way CAs in North America for the domains us.adventure-works.com and ca.adventure-works.com and let them synchronize information with the site North America. In both CAs, enable the This Is A Primary Connection Agreement For The Connected Exchange Organization check box. Configure one nonprimary, two-way CA in South Africa for the domain adventure-works.co.za and let it synchronize information with the site South Africa. Enable the This Is A Primary Connection Agreement For The Connected Exchange Organization check box. Configure one nonprimary, two-way CA in Australia for the domain adventure-works.com.au and let it synchronize information with the site Australia. Enable the This Is A Primary Connection Agreement For The Connected Exchange Organization check box.
7. What do you have to accomplish on the Exchange servers before you can configure any CAs?
You have to change the LDAP port number for the Exchange Directory to an available TCP port, such as port 390.
8. Which Exchange servers should you specify in the CAs’ Connections tab?
The servers VAC-02-EX, JHB-01-EX, and MLB-01-EX.
9. Optional question: Which Windows 2000 servers should you specify in the CAs’ Connections tab (see Figure 3.15)?
Each of the Global Catalog servers: VAC-01-DC, VAC-02-DC, SEA-01-DC, JHB-01-DC or JHB-02-DC, MLB-01-DC or MLB-02-DC.
Lesson 2: Integrating Exchange 2000 Server with Exchange Server 5.5
Activity: Developing an Exchange/Exchange 2000 Server Coexistence Strategy
Scenario: Adventure Works
1. Adventure Works has not yet installed Exchange 2000 Server. For political reasons, the company intends to delegate the management of mailboxes to individual administrators in each domain. Would you recommend moving all Exchange servers into the same Exchange site to consolidate the server resources?
No, it is not necessary to move all servers into the same site. The systems in each site can be upgraded separately. Any resource consolidation that Adventure Works deems appropriate may be performed once the organization operates in native mode.
2. Adventure Works intends to install Exchange 2000 Server in the site of North America first. How many public folder CAs do you need to configure to fully synchronize public folder directory objects with Active Directory?
You need to configure three public folder CAs: one for each site (North America, South Africa, and Australia).
3. Adventure Works intends to upgrade the server VAC-02-EX. This server currently runs an IMS, which will be upgraded to an SMTP Connector. What else do you need to configure to allow the users in the Exchange organization to send and receive messages to and from the Internet?
Nothing: All users will be able to use the SMTP Connector to send and receive messages to and from the Internet.
4. VAC-02-EX holds OABs for the site of North America. DMZ-01-SMTP is an OWA server. What do you have to configure on both systems before you can install Exchange 2000 Server on VAC-02-EX?
You need to move the OABs to another server in the site of North America, such as VAC-01-EX. No configuration changes are required on DMZ-01-SMTP.
5. Adventure Works does not utilize public folders very heavily. Only a few public folders exist on VAC-01-EX. You want to verify that public folder permissions are upgraded correctly. What do you have to accomplish after you install Exchange 2000 Server?
You need to replicate the public folders to the Exchange 2000 server and use the Event Viewer and Exchange System Manager snap-in to check the client permissions applied to the public folders on this server.
Lesson 3: Upgrading Exchange Server 5.5 to Exchange 2000 Server
Activity: Designing Upgrade Plans
Scenario: Adventure Works
1. Adventure Works has upgraded VAC-02-EX and is now planning to consolidate the remaining mailbox resources on a single Exchange 2000 server. Which upgrade strategy should Adventure Works use?
Adventure Works should use the indirect upgrade method to move the existing mailboxes from SEA-01-EX and VAC-01-EX to a new Exchange 2000 server.
2. Adventure Works plans to keep the management of mailbox resources separated for each geographical location. How can you separate the mailbox resources for Canada and the United States if they are all on a single Exchange 2000 server?
Adventure Works can implement separate mailbox stores for the mailboxes from Canada and the United States.
3. Adventure Works intends to use VAC-02-EX for the purposes of message traffic only. What do you need to accomplish to configure VAC-02-EX as a dedicated bridgehead server?
You need to move the public folders to another Exchange 2000 server in North America.
4. Adventure Works uses a dual-processor system with 512 MB of RAM in the location of South Africa. Which upgrade method would you recommend for the server JHB-01-EX?
Adventure Works should use the direct upgrade method to update the server JHB-01-EX to Exchange 2000 Server.
5. Adventure Works uses a dual-processor system with 512 MB of RAM in the location of Australia. Which upgrade method would you recommend for the server MLB-01-EX?
Adventure Works should use the direct upgrade method to update the server MLB-01-EX to Exchange 2000 Server.
6. For security reasons, the server DMZ-01-SMTP is not part of the internal Exchange organization. Do you need to upgrade DMZ-01-SMTP to switch the Exchange organization into native mode?
No, DMZ-01-SMTP can continue to run Exchange Server 5.5 and the IMS. VAC-02-EX will communicate with DMZ-01-SMTP as if it were a foreign SMTP-based messaging system.
Review
1. Why should you configure nonprimary CAs between all domains and Exchange sites to fully synchronize recipient and user account information in both directories?
User account information is not replicated across domain boundaries, and Exchange directory information from remote Exchange sites is read-only. For this reason, you need to connect to a domain controller in every Windows 2000 domain where directory objects reside and to a server in each Exchange site that has recipients. You should configure the CAs as nonprimary CAs to prevent the creation of duplicated directory objects.
2. You are planning to upgrade to Exchange 2000 Server. For this reason, you intend to implement the Exchange ADC in an Active Directory environment with multiple domains in a single forest deployed worldwide. How do you need to prepare the domain before installing the ADC?
You need to extend the Active Directory schema in the root domain by running the Exchange 2000 Setup program in ForestPrep mode.
3. In your Exchange organization, approximately 700 mailboxes are used for conference rooms, pool cars, and other resources. What do you have to change in these mailboxes before configuring CAs, and how can you accomplish it most conveniently?
You need to set the custom attribute 10 on all these mailboxes to NTDSNoMatch to avoid their synchronization with existing user accounts. You can perform the adjustments most conveniently using the NTDSNOMATCH utility, which is available from Microsoft Product Support Services.
4. Why should you switch the domain of your ADC into native mode?
The ADC creates universal distribution groups in Active Directory for Exchange distribution lists. Exchange Server 5.5 uses distribution lists to specify access permissions, such as those for public folders. Exchange 2000 Server uses universal security groups for the same purpose. Consequently, Exchange 2000 attempts to convert the universal distribution groups created by the ADC. This conversion will fail if the groups’ domain is not in native mode. Hence, permission assignments would be inconsistent between both environments. For this reason, you should switch the ADC domain into native mode.
5. You plan to add an Exchange 2000 server to an Exchange 5.5 site that currently consists of exactly one server. The Exchange server is a member server in a Windows NT domain with no trust relationships to any other domains. You do not plan to upgrade the Exchange server directly. What do you have to accomplish before you can install Exchange 2000 Server?
You have to upgrade the PDC in this Windows NT domain to Windows 2000 Server because the Site Services Account must exist within a Windows 2000 active directory. Otherwise, Exchange 2000 Server cannot use this account to communicate with the existing Exchange server.
6. You have successfully installed a first Exchange 2000 server in an Exchange 5.5 organization. What do you have to configure next?
You have to configure public folder CAs for every site in the organization.
7. You plan to directly upgrade an Exchange server. What should you do to prevent loss of data in the event of an upgrade failure?
You should perform a full backup of the current system.
8. You have directly upgraded an Exchange server to Exchange 2000. Users report that they are now unable to display public folders. What do you have to accomplish?
You need to launch the Exchange System Manager snap-in to verify and correct the client permissions for the public folders.
9. Your company has been operating an Exchange organization since 1996. You plan to replace outdated server platforms with new machines running Exchange 2000 Server. Which upgrade strategy would you use for these systems?
You must use the indirect upgrade method to replace the server hardware.
10. Your company runs an Exchange organization with 25,000 users in 100 Exchange sites. You plan to upgrade the directory replication bridgehead servers. Why should you perform a direct upgrade of these systems?
Using the direct upgrade, the current replication bridgehead can continue to replicate directory information with other sites. The indirect upgrade method is less suitable because it requires you to move the directory replication bridgehead to another server, which resets the intersite directory replication. In an environment with 100 sites, this will result in a substantial amount of replication traffic, which you can avoid by using the direct upgrade approach.
Chapter 7
Lesson 1: Single-Phase Migration Strategies
Activity: Developing a Single-Phase Migration Strategy
Scenario: Coho Vineyard & Winery
1. Currently, Paul West, Information Technology Administrator at Coho Vineyard & Winery, is considering a migration to Exchange 2000 Server in multiple stages. What is the most significant disadvantage of this approach in comparison to the single-phase migration?
A migration in multiple stages requires coexistence between MDaemon PRO and Exchange 2000 Server. The single-phase migration is quicker and involves less administrative overhead than the multiphase approach.
2. Is it possible to migrate Coho Vineyard & Winery’s 250 users in one step?
Yes, it is possible to migrate Coho Vineyard & Winery’s messaging environment in a single step.
3. What would you recommend to facilitate the migration of user data?
Deploy Outlook 2000 prior to migration and configure the client to access the messaging system using the POP3 transport driver. Store all messages in .pst files on the client PCs.
4. Do you need to use the Migration Wizard to migrate the users?
No, users can continue to use their .pst files in the Exchange 2000 organization.
5. Which is the best approach to transfer the recipient information from MDaemon PRO to Active Directory?
Export the recipient information into a text file and use the semiautomated approach based on LDIFDE or CSVDE to create mailbox-enabled user accounts in Active Directory.
Lesson 2: Multiphase Migration Strategies
Activity: Developing Multiphase Migration Strategies
Scenario: Coho Vineyard & Winery
1. What is Coho Vineyard & Winery facing if West decides to migrate in multiple steps (assume that Coho Vineyard & Winery’s users currently communicate with Internet users)?
To migrate the existing environment in multiple steps, Coho Vineyard & Winery must connect Exchange 2000 Server with MDaemon PRO, develop a directory synchronization strategy, change the message routing topology to allow all migrated and nonmigrated users to communicate with each other and with the Internet, retain existing external e-mail addresses and route incoming Internet messages through the Exchange 2000 organization, and develop a strategy to handle distribution lists during the migration.
2. Comparing the advantages and disadvantages of single-phase and multiphase migrations, which approach would you recommend to West?
The single-phase migration is accomplished more quickly, with less effort, and lower costs, but if West insists on a migration in multiple steps for any reason, it can be accomplished.
Scenario: Woodgrove Bank
1. Woodgrove Bank intends to replace the X.400 backbone with a global SMTP-based network. Correspondingly, the bank plans to use the MS Mail connector to connect Exchange 2000 Server directly to the MS Mail environment and an SMTP connector to connect to the messaging backbone. Woodgrove Bank wants to consolidate all 600 mailboxes on a single Exchange 2000 server in Zurich. Assuming that you want to connect the Exchange 2000 organization to only one MS Mail postoffice, which postoffice should you choose for the Connector to MS Mail?
You should choose ZUR-01-MS, because this postoffice is in the same location as the Exchange 2000 server and functions as the central hub postoffice for the MS Mail environment.
2. Assuming that you connected the Exchange 2000 server to both the MS Mail environment and the SMTP messaging backbone, how should you perform the directory synchronization?
Configure the MS Mail directory synchronization using the MS Mail connector, but do not include external gateway addresses. Perform semiautomated directory synchronization based in import files to separately create recipient objects in Active Directory for users on other messaging systems. Make sure no references to Swiss MS Mail recipients are in the directory import files.
3. You need to ensure that replies to existing messages always work. How should you migrate the postoffices to Exchange 2000 Server?
Migrate entire postoffices at one time, retain the existing MS Mail addresses, and route messages for migrated postoffices to the Exchange 2000 Server.
4. You want to migrate existing MS Mail distribution lists. Which strategy should you use to migrate the distribution lists most conveniently?
Migrate the distribution lists before the users.
Review
1. What are the advantages of the single-phase migration strategy?
All users are migrated in a single process, which brings very quick results, and there is no need for messaging connectivity or directory synchronization between the foreign system and Exchange 2000 Server. To simplify the actual migration and familiarize all users with new messaging clients, you can deploy Outlook 2000 prior to the migration.
2. What are the advantages of the multiphase migration strategy?
You can optimally provide training to the end-user community while preparing their migration to Exchange 2000 Server. Multiphase migration also allows you to minimize system downtime per migration step. You can migrate heterogeneous messaging environments to Exchange 2000 Server without the need to consolidate the resources in the old environment prior to migration. You can migrate large organizations in a coordinated way by department, business unit, or team, and you can reuse old hardware for new systems. Furthermore, it is possible to support complex workgroup applications on the old system until new versions are available for Exchange 2000.
3. Your company is planning a migration from an SMTP-based messaging system to Exchange 2000 Server. Which messaging connector would you use to switch the platforms together, and which utilities should you use to synchronize the address lists, containing 12,000 addresses, with each other?
You can connect Exchange 2000 Server to the SMTP-based messaging system using an SMTP connector. To perform directory synchronization, use LDIFDE.EXE or CSVDE.EXE.
4. Why should you prefer direct gateway connectors to indirect connectivity solutions based on SMTP or X.400 to connect Exchange 2000 Server to foreign messaging systems?
Direct gateway connectors support automated directory synchronization, which is unavailable over indirect SMTP or X.400 connectors.
5. You intend to migrate a Lotus Domino R5 server to Exchange 2000 Server. What should you accomplish right before and right after the migration?
You should perform maintenance routines before the migration and a full backup of both systems before and after the migration.
6. You plan to implement different naming and address standards in the Exchange 2000 organization. Why should you retain the display names of the users?
The Migration Wizard retains the display name of message originators and recipients in migrated messages. Replies to migrated messages will work as long as the display names are the same in the foreign messaging system and Active Directory.
7. You have connected your Exchange 2000 organization to a complex Lotus Domino/Notes environment. You have implemented three messaging bridgeheads, each running an instance of the Connector to Lotus Notes. How can you distribute the inbound and outbound message traffic across all connectors without restricting the connector scope?
Configure detailed address spaces for each connector to spread the outbound message traffic across all three connectors. Split the Exchange 2000 organization into three proxy Notes environments and configure the Lotus Notes routing topology to deliver inbound messages to these proxy systems via individual connector instances.
8. You want to use Exchange 2000 Server as a central messaging switch to connect numerous foreign messaging systems. What do you have to ensure for message transfer between all systems to work?
You need to ensure that all recipients are in Active Directory.
9. Why should you strive to migrate entire post offices in one migration cycle?
You can retain the old e-mail addresses and ensure that replies to existing messages are delivered to the new Exchange 2000 mailboxes. You might have to change the message routing in the foreign environment to route all messages sent to a migrated post office to the Exchange 2000 organization.
10. What is the most significant advantage of migrating distribution lists to Active Directory prior to the users?
The Migration Wizard is able to automatically convert external contacts into mailbox-enabled user accounts and update the distribution list membership if the administrator who runs the Migration Wizard has full access to the OU in which the distribution groups reside.
Chapter 8
Lesson 1: Front-End/Back-End Configurations
Activity: Designing FE/BE Environments
Scenario: Humongous Insurance
1. Which FE server strategy would you suggest to Humongous Insurance and why?
In this scenario, front-end servers are not required. Instead, configure three A (host) records in DNS. Use the same host name and assign the IP addresses of the three public folder servers. Choose a host name that best describes the HTTP virtual servers configured on your public servers and specify this host name in the public folder URL of the Web-based tracking solution. Enable DNS round robin to distribute the workload across all three servers. When a particular public folder server is unavailable, the clients will be able to connect to the claim-tracking forum through the remaining two systems.
Scenario: Proseware, Inc.
1. To maximize the utilization of high-end server hardware, Proseware, Inc. plans to place 5000 mailboxes on each information store server. How many FE servers would you have to implement according to Microsoft’s recommendations?
Given a ratio of one FE server per four BE systems, Proseware should implement at least 28 FE servers.
2. Proseware wishes to have a single namespace (for example, http:// www.proseware.com/Mail ) in which all users can reach their mailboxes. The company wants to avoid bottlenecks and single points of failure. Can you use Windows 2000 NLB to configure a load-balancing cluster of FE servers?
Yes, Windows 2000 Advanced Server and Windows 2000 Datacenter Server support NLB.
3. Which load-balancing solution should you implement to achieve maximum system performance?
You should implement hardware load balancing.
4. What hardware configuration would you recommend for the FE servers if you consider SSL-based encryption for incoming client connections?
Each server has to handle approximately 1250 users, for which a dual-processor machine with 256 MB of RAM and one 100-Mbps network card per FE server should be sufficient. If performance tests show unacceptable response times, up to four processors, more memory, and an additional network card or gigabit Ethernet card may be considered.
5. Which Exchange 2000-related services do you need to run on the FE servers at minimum?
Proseware, Inc. needs to run only the WWW Publishing Service and dependencies on the FE servers.
Lesson 2: Establishing Virtual Exchange 2000 Organizations
Activity: Designing Hosted Environments
Scenario: Northwind Traders
1. How should Northwind Traders configure its Active Directory environment, provided that the organization operates in native mode?
Northwind Traders should create a separate top-level OU for each trading center, create two universal security groups for the users and administrators in each OU, and configure access permissions to allow the users to access only their own parent OUs.
2. Northwind Traders intends to provide a partial OAB to each virtual organization and structure the mailbox administration so that the account administrators can only create mailboxes in the mailbox store of their own virtual organizations. How many servers does Northwind Traders need, at minimum, to support all 150 trading centers?
At the very minimum, Northwind Traders needs eight servers.
3. Would you recommend the development of custom administration tools? Why?
Development of custom administration tools in the environment of Northwind Traders is strongly recommended because manual configuration of 150 virtual organizations is very burdensome and error-prone.
4. How can Northwind Traders split recipient information so that users can obtain address information from only their local virtual organizations?
Create 150 recipient policies to assign the users the correct e-mail addresses based on an appropriate LDAP filter. After that, delete the default GAL and address lists and configure partial address lists for each organization. Assign appropriate security settings for the address lists to the virtual organizations to which they belong.
5. You have created 150 OABs and configured the security settings correctly. What do you have to accomplish next to allow users to download the correct OAB to their clients?
Associate the correct OABs with the virtual organizations’ mailbox stores.
6. Northwind Traders must prevent public folder access across the boundaries of virtual organizations. How can you accomplish this?
Restrict the right to create top-level folders to the system administrators, and then create a top-level folder for each virtual organization. Set the security permissions for these pseudo-root folders so that only the users in the local organization can see their top-level folder.
7. The trading centers of Northwind Traders will use OWA for messaging. What do you have to accomplish to properly support the clients in an FE/BE scenario?
On the FE systems, create an HTTP virtual server for each virtual organization, and, beneath it, a virtual directory to access mailbox resources. Specify the virtual organization’s Internet domain as the default domain, and repeat the configuration on the BE servers. Set the msExchQueryBaseDN attribute for each individual user to the OU that represents the user’s virtual organization.
Lesson 3: Implementing Instant Communication Services
Activity: Designing an Instant Messaging Environment
Scenario: Proseware, Inc.
1. How many IM domains should Proseware implement in its hosted environment?
Proseware should implement a single IM domain namespace for all of its customers.
2. How many IM router servers should Proseware install at a minimum, considering that the ASP’s customers will send instant messages frequently?
Proseware should install an IM router for every 20,000 users, which is a total of 18 IM router instances.
3. How many IM home servers should Proseware install and where should they reside?
Proseware should install a separate IM home server for every 10,000 users, which would total 35 servers. All of these servers should be placed in the DMZ to be accessible via HTTP/RVP. For communication with Active Directory through the internal firewall, IPSec must be enabled on all IM servers.
4. To provide an adequate level of security for users, which feature should Proseware enable for all InstMsg virtual directories?
Proseware should enable digest authentication to secure user names and passwords when they are transferred across the Internet.
5. Which IP address ranges should Proseware identify as protected by their firewalls to support communication with other IM domains?
Proseware does not need to specify any IP address ranges because all IM home servers are directly accessible from the Internet and all users are outside the internal network.
Review
1. What are the main advantages of FE/BE configurations?
FE/BE configurations are perfectly suited for environments that want to provide messaging services to users over public networks across firewalls and perimeter networks. Among other things, FE servers allow you to provide a single point of access to messaging resources, while distributing the workload over multiple FEs in a load-balancing cluster. Furthermore, you encrypt the client communication without impact on the servers where mailboxes and public folders reside. FE servers may also help to support IMAP4-based clients with access to public folders.
2. You plan to support 40,000 users by means of a central arrangement of FE servers. All of the users use Outlook 2000 and the Microsoft Exchange Server transport service to access mailboxes and public folders. How do you need to configure the FE servers to support these users?
There is no need to configure anything extra on the FE server because users of MAPI-based clients cannot benefit from FE/BE configurations.
3. You are designing an FE/BE environment for 10,000 IMAP4 users. You plan to provide all required services for message sending and retrieval directly on the FE systems. Which messaging-related services do you need to run on the FE servers?
You need to run the IMAP4 service, the SMTP service, the System Attendant, and the Information Store service.
4. You are a messaging consultant hired to establish a hosted Exchange 2000 organization for an ASP that plans to support three independent companies through virtual organizations. Administrators within these companies are supposed to manage their own user accounts and mailbox settings. How do you need to configure the ASP’s Active Directory environment to achieve the desired functionality?
You need to implement a top-level OU for each virtual organization in Active Directory and delegate administrative permissions selectively to split the user account and mailbox management. To facilitate this task, use Windows 2000 security groups for users and administrators. You alsoneed to grant all account administrators who are supposed to create and manage mailboxes the Exchange View Only Administrator role for the entire Exchange 2000 organization. It may be a good idea to create three mailbox stores, one for each customer, and configure the permission settings so that only the administrators of a particular company have access to their mailbox store.
5. To support independent companies in an Exchange 2000 environment you need to assign the users correct and company-specific SMTP addresses and split the GAL accordingly. How can you achieve this in a single Exchange 2000 organization?
You need to configure one or more recipient policies for each company to assign its users correct SMTP address information. To split the address books, delete all default address lists and then configure filtered address lists to display only the users from one virtual organization in each list. Do not forget to configure security settings to prevent the users from accessing address information that does not belong to their own virtual organization.
6. You have deployed two IM routers in a load-balancing cluster to provide reliable IM services to your users. Users do not communicate with external organizations. How do you need to configure the DNS environment to allow your users to log on to Instant Messaging using their SMTP addresses?
You need to add an A resource record for the IM domain name assigned to your IM routers to the internal DNS zone and specify the cluster’s IP address in this record. You also need to configure an _rvp SRV record referencing the A resource record to provide your users with a unified SMTP/IM domain name.
7. You have deployed three IM routers and five IM home servers in your environment. Direct communication via HTTP and RVP is possible over the computer network, but your users are unable to log on to Instant Messaging using the MSN Messenger client. What do you have to configure to allow your users to participate in IM?
You need to enable your users with Instant Messaging using the Exchange Tasks Wizard in the Active Directory Users and Computers console.
8. Your users want to exchange instant messages over the Internet with users in partner organizations. To protect your internal network and control the outgoing communication, you have implemented a DMZ containing several Web proxies in a load-balancing cluster. What do you have to configure in Instant Messaging to support the desired form of communication?
You need to configure global Instant Messaging settings in the Exchange System Manager snap-in and specify the ranges of internal IP addresses protected by your firewalls. You also need to identify the Web proxy to relay outgoing HTTP communication. It is a good idea to specify the name of the load-balancing cluster.
Chapter 9
Lesson 1: Securing Internet Access in Hosted Environments
Activity: Designing Security for Internet Access Points
Scenario: Northwind Traders
1. According to Harrington, only a limited budget is available for firewalls. Which configuration would you recommend?
A single firewall with three network cards may be used to establish a DMZ for Northwind Traders.
2. Does Northwind Traders need to support MAPI-based clients over the Internet?
No, the trading centers will use OWA for messaging.
3. Northwind Traders has deployed FE servers and SMTP relay hosts in the DMZ. How do you need to configure the World Wide Web Publishing Service, IMAP4, POP3, and SMTP services on the FE servers?
Disable all but the World Wide Web Publishing Service.
4. The trading centers of Northwind Traders operate independent LAN environments connected to the Internet through dial-up connections to a local ISP. Windows 2000 Server with RRAS is used as dial-up router. How can you best connect the trading centers to the FE servers in the data center?
Deploy VPN servers in the DMZ and provide access to the FE servers via router-to-router VPN connections.
5. Do you need to enable TLS on the SMTP relay hosts in the DMZ?
No, OWA handles SMTP communications on behalf of the users.
6. Northwind Traders intends to provide the trading centers with a simple URL for mailbox access. How do you need to configure the systems in the DMZ and internal network to achieve this without opening RPC-based ports on the inner firewall?
Northwind Traders must enable IPSec on the FE and BE servers and allow inbound and outbound AH and ESP traffic to pass through the inner firewall.
Scenario: Proseware, Inc.
1. How does Proseware have to configure the FE servers in this scenario?
Because access to internal DNS servers is not possible, Proseware must specify DCs and GCs on the FE servers in DSAccess Registry parameters and provide IP addresses for DCs, GCs, and BE servers in the HOSTS file. Furthermore, authentication must be disabled on FE servers and anonymous access to these systems must be allowed.
Lesson 2: Deploying a Public-Key Infrastructure for Exchange 2000 Server
Activity: Designing PKI for Exchange 2000 Server
Scenario: Northwind Traders
1. Taking into consideration that the users of Northwind Traders primarily use OWA, which advanced security strategy would you recommend?
Because the trading centers of Northwind Traders use OWA for messaging, advanced security features, such as message signing and sealing, are unavailable to users. Northwind Traders might consider providing the trading centers with the ability to use IMAP4-based clients instead of OWA, but as long as OWA is used for messaging, there is no need to deploy a PKI for Exchange 2000 Server. However, Northwind Traders might find it advantageous to deploy Certificate Services as a root CA to create server certificates, which are required to enable SSL-based encryption of client connections on the FE servers.
Scenario: Woodgrove Bank
1. Do all Swiss users of Woodgrove Bank work with a client that supports advanced security features?
All users in Switzerland use Outlook 2000, which fully supports X.509 version 3 certificates and S/MIME encryption technology. If the users in the other locations use client software that supports S/MIME as well, all users can exchange encrypted messages.
2. Woodgrove Bank has not yet deployed a PKI. According to upper management, the bank must remain independent of external entities under all circumstances. How should Woodgrove Bank establish the required PKI for Exchange 2000 Server?
Woodgrove Bank should install Certificate Services as an enterprise root CA on a Windows 2000 server in the central location of Zurich. Subordinate CAs can then be deployed at the various locations of Woodgrove Bank to establish a hierarchy of CAs. Because all CAs belong to the same Active Directory forest, it is not necessary to configure CTLs. All users will be able to enroll X.509 certificates using the Web interface of Certificate Services.
3. Is Woodgrove Bank able to use strong encryption technology in Switzerland?
No, because export laws prohibit the availability of strong encryption technology in the international version of Exchange 2000 Server. Woodgrove Bank should evaluate whether 40-bit encryption technology can provide the desired level of security, and the bank might want to test alternative security products from third-party vendors.
4. Do Woodgrove Bank’s users need to exchange encrypted messages with users in other organizations?
Yes, users must communicate in a secure environment with governmental institutions. Woodgrove Bank should ask each of these institutions for its root CA’s certificate and add it to its CTL. Woodgrove Bank should also investigate opportunities to provide the required sealing certificates via a central LDAP-based directory.
5. Where should Woodgrove Bank install the KMS of Exchange 2000 Server?
Woodgrove Bank should install the KMS in Zurich, either on one of the central Exchange 2000 servers or in the Switzerland administrative group.
6. Should Woodgrove Bank consider distributing the KMS administration?
Not at the moment, but in the future, when Woodgrove Bank migrates additional sites to Exchange 2000 Server, KMS management might be distributed according to the administrative group infrastructure.
7. Does Woodgrove Bank require a high level of security for KMS administration?
Most likely. As a financial institution with high security requirements, Woodgrove Bank should appoint multiple KM Server administrators and implement multiple-password policies. It is vital to keep the KM Server password in a secure place where only authorized persons can access it.
Review
1. Your organization is planning to provide HTTP-based access to mailboxes and public folders over the Internet. Accordingly, you have deployed firewalls, established a DMZ, and configured FE servers. Which TCP port or ports do you need to open on the firewall on the Internet side, provided that user credentials must be protected?
You need to open TCP port 443 to support HTTP-based communication over SSL.
2. You want to support users over the Internet in a secure manner. Which connectivity solution should you implement?
I f your users are located in many different locations, you should establish secure virtual servers using SSL over POP3 or IMAP4 and TLS over SMTP. If your users are located in a small number of remote offices, it is simpler to create a VPN based on PPTP or L2TP/IPSec to support remote users over the Internet. VPNs provide the required level of security through encryption of the communication channel.
3. You have established a sophisticated FE/BE configuration protected by firewalls. FE and BE servers communicate over an internal firewall. Which ports do you have to open on this firewall to support the full functionality ofFE servers, including client authentication and SMTP-based message transfer, provided that you don’t want to use IPSec?
You need to open the default ports of the Internet mail protocols that your users use to communicate with the FE systems (i.e., port 80 for HTTP, port 110 for POP3, and port 143 for IMAP4), and you need to open TCP port 25 to support SMTP. You also must allow TCP and UDP ports 53 for communication with internal DNS servers, as well as TCP ports 389 and 3269, so that the FE servers can contact DCs and GCs via LDAP. TCP and UDP ports 88 are required for Kerberos authentication. To support the authentication of users on the FE systems, you also need to open TCP port 445 for the Netlogon service, TCP port 135 for the RPC endpoint mapper, and all client ports above port number 1024. You may assign a static port number to Active Directory for RPC-based communication, in which case you don’t need to support all client ports.
4. Your firewall administrator has informed you that it is not possible to open the TCP port for the RPC endpoint mapper on the internal firewall and it is not possible to enable IPSec. How do you need to configure the FE server to support this firewall configuration?
You need to disable the user authentication on the FE servers. This is not a security risk because the BE servers challenge the users for their credentials, which the FE server can pass back to the clients.
5. To provide all users with the ability to send and receive encrypted e-mail messages, you plan to implement Exchange 2000 KMS in your PKI, which doesn’t use Windows 2000 Certificate Services. What do you need to accomplish to integrate KMS into this PKI?
You need to install Windows 2000 Certificate Services as an enterprise subordinate CA within the existing PKI, install the Enrollment Agent (Computer), Exchange User, and Exchange Signature Only templates, and grant the computer account of the KMS the Manage permissions to the CA.
6. You are the messaging consultant for an ASP that plans to implement Exchange 2000 KMS for advanced security and provide each customer the ability to manage its own security environment. The customers of this ASP work with Outlook 2000 in virtual organizations appropriately configured in Active Directory and Exchange 2000 Server. The organization consists of a single administrative group. What do you have to accomplish to achieve the desired functionality?
Only one administrative group exists; hence, you can install only one KM Server. You need to grant all mailbox administrators the rights to perform key management tasks, such as enrolling users and revoking or recovering security keys. In other words, you need to specify them as KM Server administrators. No further configuration is required. Because the account administrators have access only to their own OUs, they cannot enroll or manage users from other virtual organizations.
Chapter 10
Lesson 1: Designing the Information Store of Exchange 2000 Server
Activity: Designing Information Store Architectures
Scenario: Consolidated Messenger
1. Upper management of Consolidated Messenger has requested maximum fault tolerance for the hard disk subsystem of the Exchange 2000 server. You decide to separate the disks by operating system/system files, paging file, transaction logs, and databases. You intend to use RAID technology to eliminate single points of failure in the disk subsystem and provide the best possible fault tolerance. Which RAID technology should you use for the four separate disk drives?
RAID-1 for the three disk drives of the operating system and system files, the paging file, and the transaction log files and RAID-0+1 for the drive of the databases.
2. The IT administrators at Consolidated Messenger must be able to restore the mailboxes of upper management and supervisors before the resources of any other users. How do you need to structure the mailbox store to achieve this without increasing system overhead?
You need to create a separate mailbox store for upper management and supervisors in the existing storage group and move the mailboxes of the appropriate individuals into it. Back up the entire storage group in one session. Restore operations can then be performed sequentially beginning with this mailbox store.
Scenario: Woodgrove Bank
1. Bonifaz stated that the Exchange 2000 server should not lose messaging data even if more than one disk fails. How do you need to change the RAID configuration to achieve this goal, and what is the limit of this configuration?
You need to implement RAID-0+1 for the databases and the transaction log files. However, if the two disks in a single mirror set within the RAID-0+1 fail, the server may still lose messaging data. To minimize the chances of two disks in a single mirror set failing, you should add a drive as a hot spare, which will replace the first failed drive.
2. How do you need to configure the database storage to minimize the impact of disk problems on the user community?
You need to implement a separate RAID-0+1 drive for each mailbox store.
Lesson 2: Designing Clustered Exchange 2000 Servers
Activity: Designing Clustered Environments
Scenario: Woodgrove Bank
1. Woodgrove Bank does not have a SAN in place. Which technology would you recommend, taking into consideration that Woodgrove Bank is only planning to implement a server cluster for Exchange 2000 Server?
To implement a single cluster for Exchange 2000 Server, a shared SCSI bus is sufficient.
2. Which Windows 2000 software package should Woodgrove Bank use to install the server cluster?
Woodgrove Bank should use Windows 2000 Advanced Server to install a cluster with two nodes.
3. How many Exchange 2000 virtual servers does Woodgrove Bank need to configure to adequately support the users with acceptable response times?
Only one virtual server is required to support all 600 users.
4. Single-node failures or system maintenance must not lead to a performance reduction. How should Woodgrove Bank configure the cluster to achieve this goal?
Woodgrove Bank should use one of the nodes to run the Exchange 2000 virtual server and the other node as a hot spare.
Scenario: Humongous Insurance
1. On an average, fewer than 250 users work in the various offices of Humongous Insurance. SANs do not exist. How many nodes and which disk technology should Humongous Insurance use for the server clusters in each location?
Humongous Insurance should install two-node clusters with a shared SCSI bus.
2. Which Windows 2000 software package should Humongous Insurance install on the cluster nodes?
Humongous Insurance should install Windows 2000 Advanced Server.
3. How many virtual servers should Stephanie Bourne configure in each cluster to adequately support the Exchange 2000 users in each location?
Per cluster, only one Exchange 2000 virtual server is required to support 250 users.
4. Humongous Insurance wants to maximize hardware utilization by running Microsoft SQL Server on the cluster in addition to Exchange 2000 Server. How should Stephanie Bourne distribute the workload?
She should configure one node as the preferred owner of the Exchange 2000 virtual server and one as the preferred owner of the SQL 2000 virtual server.
Review
1. You plan to implement a mailbox server for 200 users. Because of organizational policies, you want to create a separate mailbox store for managers and supervisors. Which edition of Exchange 2000 Server do you need to use to install the server?
You need to use the Enterprise Edition of Exchange 2000 Server because the Standard Edition does not support the configuration of multiple mailbox stores.
2. Due to limited disk capacities, you need to limit the amount of messaging data stored on the server. Which strategy would you recommend to keep the size of the mailbox stores under control?
You should configure mailbox quotas for the mailbox stores individually or in a mailbox store policy.
3. What basic measure should you take to increase the fault tolerance of any Exchange 2000 server that holds mailbox or public folder data?
You should separate the transaction logs from the database files and place them on separate physical disks.
4. What is the advantage of RAID-0+1 over RAID-5?
RAID-0+1 uses mirrored disks to achieve fault tolerance. RAID-5 must calculate a checksum. In a RAID-0+1 volume, more than one disk can break without causing loss of data. Using RAID-5, data is lost if more than one disk fails. RAID-0+1 offers higher performance and better reliability than RAID-5.
5. You expect the databases of your mailbox store to grow to a size of 64 GB. How much free disk space should you reserve for this mailbox store on the database drive?
You should reserve twice the amount of the database size, which is 128 GB.
6. You want to install Exchange 2000 Server in a two-node cluster. What do you have to accomplish before the users can connect to their mailboxes?
Install Exchange 2000 Server on one node and then install on the second node using the same configuration parameters and installation directories. Reboot the cluster nodes, and then configure an Exchange 2000 resource group. Add an IP address resource, network name, disk resource, and the Exchange System Attendant resource, and verify that all other Exchange 2000 resources are created automatically. When this is accomplished, bring the virtual server online using the Cluster Administrator console.
7. What do you have to configure to enable failback for an Exchange 2000 virtual server?
You need to specify a preferred owner for the resources of the Exchange 2000 resource group in the Cluster Administrator console.
Chapter 11
Lesson 1: Backup Planning for Exchange 2000 Server
Activity: Developing Backup Strategies
Scenario: Woodgrove Bank
1. Bonifaz has separated the mailbox resources according to the geographical locations of Basel, Bern, and Zurich by means of three mailbox stores, which all belong to the default storage group of the Exchange 2000 server. Approximately 200 mailboxes reside in each store. According to organizational policies, you must be able to restore an individual database in less than 4 hours. Is it necessary to redesign the mailbox stores to support fast database restore operations?
No, it is not necessary to redesign the mailbox stores. With an average mailbox size of 100 MB, the maximum mailbox store size should not exceed 20 GB. With an estimated restore rate of 15 GB per hour (half the transfer rate), a database can be recovered in less than 90 minutes.
2. Woodgrove Bank does not plan to restrict the mailbox sizes of its users. With an average mailbox size of 100 MB, the Exchange 2000 server must be able to maintain up to 60 GB of messaging data. Would you recommend using more powerful backup hardware or software?
The existing backup system is able to back up all of the messaging data in 2 to 3 hours and the Windows 2000 Backup utility, extended through the Exchange 2000 Setup program, is able to perform online backups. There is no explicit need for Woodgrove Bank to purchase a new backup solution.
3. Woodgrove Bank is a classic office-oriented environment. Swiss business hours are from 9:00 A.M. to 4 P.M. Some managers may work longer, but after 11:00 P.M., the offices are usually empty. Which backup types and schedule should Woodgrove Bank use to back up the Exchange 2000 server?
Woodgrove Bank’s backup solution is capable of backing up the entire Exchange 2000 server to a single data cartridge in less than 3 hours. Allowing another 3 hours for backup verification, the entire process is completed in less than 6 hours. Consequently, Woodgrove Bank should perform daily full online backups after 11 P.M. and rotate the data cartridges according to month, week, and day, or another scheme that fits the bank’s needs.
Scenario: Humongous Insurance
1. The office workers of Humongous Insurance rely heavily on their messaging infrastructure. They often send Microsoft Office documents in e-mail messages and frequently use Web-based workgroup and workflow solutions implemented in public folders. The average mailbox size is 200 MB and the public folder store holds 2 GB of data. Which backup types and schedule would you use to save the data of the Exchange 2000 server?
With an average mailbox size of 200 MB, the Exchange 2000 server’s mailbox store is approximately 50 GB in size. This size exceeds the capacity of the DLT tape and requires manually changing the backup media. To minimize space requirements, Humongous Insurance should perform differential backups on weekdays and a weekly full backup using two DLT tapes.
Lesson 2: Developing Recovery Strategies
Activity: Developing Disaster Recovery Strategies
Scenario: Woodgrove Bank
1. Woodgrove Bank wants to enable its users to recover deleted items within 2 weeks of their deletion. What do you have to configure to enable this recovery strategy?
You need to enable the delete items retention time for the three mailbox stores of the Exchange 2000 server and set it to 14 days.
2. Woodgrove Bank does not want to perform file-based backups on a regular basis. Online backups are prepared daily and the system state is included in these backups. How does this backup strategy affect the disaster recovery options of Woodgrove Bank?
Woodgrove Bank is not able to perform a complete disaster recovery based on online backups only. To recover a server entirely, you need to reinstall the operating system and then run the Exchange 2000 Setup program in /DisasterRecovery mode. After that, the online backups can be used to restore the databases.
Review
1. Your server’s only mailbox store is currently 15 GB in size. You expect it to double within the next 12 months, but the capacity of your corporate standard DLT tape is only 20 GB, with compression. Nevertheless, you want to continue performing full backups on a daily basis without changing the tapes during the operation and without setting quotas on the mailboxes of your users. How do you need to configure the system to achieve the backup functionality you want?
You need to configure two mailbox stores in separate storage groups and distribute your mailboxes so that both mailbox stores do not exceed the 15-GB size limit. Connect a second DLT drive to the server so you are ready to back up both storage groups simultaneously using two parallel backup sessions.
2. Which two general options do you have to back up mailbox and public folder stores?
You can perform offline and online backups.
3. What is the most significant advantage of the normal online backup compared to other online backup types?
Normal online backups do not depend on any previous backups, so they are more reliable and faster than the other types.
4. What are the disadvantages of normal online backups?
Normal online backups include the databases and their transaction log files. For this reason, they require more backup time and storage space than any other online backup type. Furthermore, normal online backups do not include the files of the operating system or binary files of Exchange 2000 Server. You need to save these files explicitly using a file-based backup.
5. You wish to back up mailboxes individually. Which utility should you use to perform these backups?
You should use the Microsoft Exchange Mailbox Merge Wizard to extract the user data from the mailboxes into .pst files.
6. You want to back up the configuration of your Exchange 2000 server. Which type of information do you need to include in your backup?
You need to include the system state, which includes the Active Directory information.
7. What should you accomplish to ensure that you can restore an Exchange 2000 server from a backup?
You should always verify that the backup operation completed successfully, check the integrity of system state information, and validate backup sets periodically by restoring a production system on a test server that is not part of the production Active Directory environment.
8. You want your IMAP4 users to be able to recover deleted items within 7 days after their deletion. How do you need to configure the Exchange 2000 server to achieve the functionality you want?
IMAP4 users are unable to recover deleted items.
9. Six months ago, you implemented a new backup plan to perform weekly offline and daily normal online backups. Yesterday, a virus entirely destroyed your server system. The virus tampered with the partition tables on all of your hard drives. How can you most quickly recover the most recent server state?
You should perform a complete disaster recovery using the most recent offline backup. After that, restore the most recent online backup to play back the remaining messaging data.
10. An administrator of a partner company calls you to ask for help. A disk controller failure corrupted the one and only mailbox store of your business partner’s Exchange 2000 server. Unfortunately, the partner company never performed a server backup. What would you to recommend your colleague?
Move the corrupted database files to a secure location and mount the mailbox store to provide users with access to their mailboxes as quickly as possible. Copy the corrupted database to a recovery server and attempt to fix the database files using ESEUTIL and ISINTEG. Restore the fixed database on the recovery server, reconnect the mailboxes to accounts in the recovery environment, extract the user data into .pst files, and play back the messages into the production server. Develop a reliable backup and disaster recovery plan.
EAN: 2147483647
Pages: 89