After an installation, you need to perform a number of routine
At the end of this lesson, you will be able to:
Estimated time to complete this lesson: 90 minutes
During a typical or custom installation, you can install the Exchange 2000 System Management utilities on any computer running Windows 2000 including Windows 2000 Professional. You just need to install the Microsoft Exchange System Management Tools on a workstation PC for flexible administration of distributed Exchange 2000 servers (see Figure 5.6).
Many administrators appreciate the convenience of managing their environment from the desktop. As long as you have administrative access to Active Directory, you can display and change the configuration of most of your resources. Remote procedure call (RPC) communication is also required to use the management tools to their full extent, as
Figure 5.6 Installing the Exchange System Management Tools on Windows 2000 Professional
It might be necessary to install multiple copies of the Exchange System Manager on networks with multiple network segments if routers between links filter RPC communications. You can use the RPCPing utility to test the RPC communication between computers. If RPCPing works fine, the Exchange System Manager will work as well. RPCPing is discussed in Chapter 10, "MAPI-Based Clients in a Novell NetWare Environment."
The Exchange System Management Tools come with a
The Exchange System Manager includes a feature called Exchange Administration Delegation Wizard that
As discussed in Chapter 4, you can organize your system management based on the Exchange organization and its administrative groups. To test this on BLUESKY-SRV1, launch the Exchange System Manager, right-click on the organization object named Blue Sky Airlines (Exchange), choose Properties, and select the Display Administrative Groups check box. This is required to launch the Exchange Administration Delegation Wizard at the level of the First Administrative
When launching the Exchange Administration Delegation Wizard for an administrative group (for example, by right-clicking on First Administrative Group and choosing Delegate Control), you will notice one or more accounts on the Users Or Group wizard screen. These accounts inherited the role of an Exchange administrator and include the account that was used to install the first Exchange 2000 server. If you select one of these accounts and click Remove, an Exchange System Manager dialog box will appear, informing you that the account cannot be edited or deleted because it was inherited from the organization object. To edit or remove these kinds of Exchange administrators, you need to launch the wizard at the organization level.
Permission inheritance simplifies the task of delegating administrative roles and managing permissions for the following reasons:
The inheritance feature allows you to quickly configure permissions and roles, but in some situations you may want to customize the inheritance of security-related permissions. For instance, you may want to prevent one administrator specified at the organization level from managing a particular administrative group without
When you examine the Security property page of a given Exchange 2000 directory object, there is a large list of Windows 2000 and Exchange 2000-related permissions that you can assign to individual
The configuration of Windows 2000 and Exchange 2000-related permissions gives you total control over the individual access privileges of users and groups. However, such fine-grained configuration is seldom required and introduces the risk of configuration problems. Whenever possible, you should use the Exchange Administration Delegation Wizard to specify security-related settings.
Depending on the selected object, Exchange 2000 allows you to define the following extended permissions:
The permissions model of Exchange 2000 is entirely based on the security model for Windows 2000 Active Directory. This implies that you can rely on Windows 2000 security groups for Exchange 2000 administration, which is
In native mode, Windows 2000 allows you to configure the following security groups:
You can find more information about Windows 2000 groups in Chapter 13, "Creating and Managing Recipients."
During a first server installation, the setup routine automatically creates two default group accounts, Exchange Domain Servers and Exchange Enterprise Servers, in the Users container of the domain tree for your organization. The Exchange Domain Servers group is used to grant the LocalSystem account of computers running Exchange 2000 Server full rights in the Exchange 2000 organization.
In this exercise you will check whether the Exchange Administration Delegation Wizard displays correct and complete security information. You will then set a special Registry key for the Exchange System Manager to view more accurate data.
To view a multimedia demonstration that displays how to perform this procedure, launch the EX2CH5*.AVI files, which you can install on your computer by running the self-extracting executable from the \Exercise_Information\Chapter14 folder on the Supplemental Course Materials CD.
To check and countercheck security-related information in Exchange System Manager
Figure 5.7 Granting the Administrator View Only permissions
Although you are listed as an administrator who does not have the permissions to change the configuration, you are able to switch the organization into native mode or perform any other desired management procedure because your account is a member of the Enterprise Admins group.
Figure 5.8 Enterprise Admin permissions at the Services container object
Figure 5.9 Setting the ShowSecurityPage Registry key
The ShowSecurityPage Registry value causes the Exchange System Manager to display the Security tab on all configuration objects. If this value is not present or is set to 0, the Security tab is available only on Address List objects, mailbox and public stores, and top-level public folder hierarchies. According to the HKEY_CURRENT_USER hive, ShowSecurityPage only affects the current user account.
Figure 5.10 Assigned and inherited permissions for an Exchange 2000 organization
Exchange 2000 is entirely based on the Windows 2000 security model. Hence, as a member of the Domain Admins or Enterprise Admins group, you inherit management permissions for the Exchange 2000 organization. Keep in mind that settings inherited from higher-level configuration containers in Active Directory are not displayed in the Exchange Administration Delegation Wizard. Nevertheless, this wizard remains your primary tool to delegate administrative permissions because it
The Security property sheet, on the other hand, which you can enable for organization and administrative groups via the ShowSecurityPage Registry key, gives detailed and accurate security information. If possible, refrain from using it to manage access rights and roles because it does not prevent you from setting permissions incorrectly. For instance, if you deny Exchange 2000 services access to configuration information in Active Directory, you will experience serious server problems that may even require you to reinstall the entire system. You can read more about securing your Exchange 2000 resources in Chapter 19, "Implementing Advanced Security."
During the installation, Setup creates the directory structure to host the files of Exchange 2000 Server. If you accept the default settings, they will be placed under the C:\Program Files\Exchsrvr directory.
Depending on the options selected during the installation, Setup creates the directories listed in Table 5.2 on the server computer (see Figure 5.11).
Figure 5.11 Directories and shares created on an Exchange 2000 server
Table 5.2 Directories Created by Setup
|Folder Name||This Directory Contains|
|Address (shared as Address)||E-mail Proxy DLLs that are necessary for address generation in Exchange Server. By default, MS Mail, SMTP, cc:Mail, and X.400 Proxy DLLs can be found.|
Important Exchange 2000 program binaries. For example, the image files of Exchange 2000 services (such as MAD.EXE for the System Attendant (SA)) and the management utilities are
|Ccmcdata||Directory and temporary storage location for the Lotus cc:Mail Connector.|
|Conferencing||Directory for video conferencing services.|
|Conndata||Directory and temporary storage location for the Lotus Notes and Novell GroupWise Connectors.|
|Connect||Exchange Connector components. Default components for the MS Mail Connector and Schedule+ Free/Busy Connector will be copied into this directory.|
|Connect\Msmcon\ shared as Maildat$)||
MS Mail Connector post office also known as MS Mail Interchange
|Dxadata||Database for the directory synchronization with MS Mail.|
|ExchangeServer_<Server Name>||Contains support index files for the search engine.|
|Exchweb||Default components for Outlook Web Access will be copied into this directory.|
|Kmsdata||Key Management database and corresponding log files.|
|Mailroot||The mail drop directory of the SMTP service, which is moved to this location during the registration of SMTP extensions.|
|Mdbdata||Mailbox and public stores and associated transaction log files.|
The directory for the Message Transfer Agent (MTA). Contains log files and configuration information as well as messages that are currently
|Res||Event message DLLs for the Information Store, MTA, and other components.|
|Schema||Extensible Markup Language (XML) files for schema attributes and classes required for Exchange OLE DB and ActiveX Data Objects (ADO).|
|Srsdata||Database files for Site Replication Service.|
|<SERVER NAME>.LOG (shared as <SERVER NAME>.LOG)||Log files for Exchange 2000 services, such as the message tracking center and conferencing services.|
As indicated in Table 5.2, Setup shares specific directories for network access. It's a good idea to restrict access to these share points to increase the security of the server-based resources. Knowing the share point permissions and the processes that need access to them helps to secure the server appropriately.
The following share points are created automatically on an Exchange 2000 server:
The majority of features that Exchange 2000 Server has to offer rely on Internet technologies (such as TCP/IP, DNS, SMTP, NNTP, IMAP4, POP3, HTTP, LDAP, Secure Sockets Layer, Kerberos, and so forth). Consequently, you need to protect your Internet access points, preferably with a firewall. You can read more about Internet-based client access in Chapter 11, "Internet-Based Client Access."
In this exercise you will check which TCP ports are open on your test machine to handle incoming connections. Knowledge of these TCP ports is especially important when connecting Exchange 2000 Server to the Internet, which requires extra security measures as outlined in Chapter 19, "Implementing Advanced Security."
To view a multimedia demonstration that displays how to perform this procedure, run the EX3CH5.AVI files from the \Exercise_Information\Chapter5 folder on the Supplemental Course Materials CD.
To identify available TCP ports
At this point, you should be able to scroll through the Ports In Use list and verify that all of the important TCP ports for Internet-based client connections are available (see Figure 5.12).
Exchange 2000 Server relies heavily on Internet technologies and consequently prefers a communication based on Windows Sockets (Winsock). Winsock binds an application to a specific port number, which is used to identify network traffic sent to and from the application. You can use a simple TCP port scanner written in Visual Basic to determine which ports are listening. It is a good idea to stop Internet services (and thereby the associated ports) not required in your environment and protect those that are required (such as TCP port 25 for SMTP) with a firewall.
Figure 5.12 Checking available TCP ports
As outlined in Chapter 3, Exchange 2000 Server consists of numerous services that need to communicate with each other to form a functioning messaging and collaboration platform. This communication requires authentication using the Kerberos protocol.
In much the same way you log on to Windows 2000 by providing a user name and password, active Exchange 2000 services need to log on to the system by using a special services account. In previous versions of Exchange Server, this was a normal user account. This left the system vulnerable because it is not
The good news is that you don't need to specify a userlike services account for Exchange 2000 services. Instead, these services are happy with the LocalSystem account of Windows 2000, greatly reducing susceptibility to a successful password-guessing attack against your system. You don't even need to change the password for this services account because Windows 2000 automatically changes it for you every seven days. Even better, the password is very secure because it consists of a random string of
Nevertheless, you need to rely on a userlike services account if you need to connect Exchange 2000 server to Exchange Server 5.5. Within a single site, all Exchange-related services have to use a common Site Services account for authentication.
Exchange 2000 servers use the account name and password set on the administrative group object in the Exchange System snap-in when authenticating against Exchange Server 5.5 services. When communicating with other Exchange 2000 servers, the LocalSystem account is preferred.
You can start the Setup program of Exchange 2000 Server at any time. If you run it on a computer that already has Exchange 2000 installed, it will switch into the maintenance mode. Using this mode, you have the ability to add and remove components (Change and Remove action) or to reinstall the entire Exchange 2000 Server (Reinstall action). You will specify the desired action on the Component Selection screen of the Exchange 2000 Installation Wizard.
Setup will detect the presence of any Exchange 2000 Server installation by reading the following Registry key:
HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Exchange \Setup
The maintenance installation is useful for:
It might be a good idea to reinstall an Exchange 2000 Server if you suspect important files have been corrupted. The reinstallation can replace these files, thereby repairing any server components. Setup will check the current version of the installed software before it overwrites the server files. Files with newer version
Database files and template information will not be overwritten. This means that the reinstallation is not really risky, but often useful, when Registry entries must be updated or when files are corrupted and finding out what exactly is broken will be an inordinately
To completely remove the server installation, from the Component Selection wizard screen, under Action, select Remove next to the Microsoft Exchange 2000 entry. You need to reboot the server to complete the process.
Removing Exchange 2000 Server does not remove the Exchange directory structure on the server's hard disk. The \MTAData, and even more important, the \MDBData directories contain files of former message queues and databases. This is important because you will not be able to install Exchange 2000 Server again if an \MDBData directory with an old database file is found on the computer. If you are certain that you don't need to keep the old database files, delete the entire \MDBData directory from the hard disk; otherwise, you should rename it.
It is also important to note that removing an Exchange 2000 Server installation does not affect the configuration objects in Active Directory. In other words, if you have installed a test system in your production environment using the organization name of your future Exchange organization, simply removing the test server doesn't clean the environment. If you install Exchange 2000 Server at a later time on the same server, the old configuration settings will be applied because the organization object in Active Directory will not be overwritten. To start from scratch, use the ADSI Edit utility, and manually delete the CN=Microsoft Exchange node, which you can find in the Configuration container of your domain (CN=Configuration, DC=BlueSky-inc-10, DC=com), under the node labeled CN=Services (see Exercise 2 earlier in this lesson).
In this exercise you will add all available components to your existing server installation. To accomplish this task, you will start the Setup program in maintenance mode. However, you will not be able to install the Key Management Service (KMS) yet because this component requires a certification authority. The KMS is covered in detail in Chapter 19, "Implementing Advanced Security."
To view a multimedia demonstration that displays how to perform this procedure, run the EX4CH5.AVI files from the \Exercise_Information\Chapter5 folder on the Supplemental Course Materials CD.
To launch the Setup program in maintenance mode and add Exchange 2000 Server components
At this point, you have installed Exchange 2000 Server with all possible components excluding the KMS (see Figure 5.13).
Figure 5.13 Adding additional components to an Exchange 2000 installation
It is relatively easy to add or remove Exchange 2000 Server components to an existing installation. Setup detects the installed server automatically and switches into maintenance mode, where you can select the desired components on the Component Selection wizard screen. The component selection might seem a little confusing because you need to set the Action for the parent category (for instance, Microsoft Exchange 2000) to Change first; otherwise, no choice is available for the individual child components. However, this mechanism helps prevent accidental component deletion.