It might be necessary to install multiple copies of the Exchange System Manager on networks with multiple network segments if routers between links filter RPC communications. You can use the RPCPing utility to test the RPC communication between computers. If RPCPing works fine, the Exchange System Manager will work as well. RPCPing is discussed in Chapter 10, "MAPI-Based Clients in a Novell NetWare Environment."

Windows 2000 Tools Extensions

As Setup installs management utilities based on Microsoft Management Console (MMC), such as the System Manager and related snap-ins, it also extends the Active Directory Users and Computers tool to provide Exchange-specific features. The original Windows 2000 Backup utility is replaced with an Exchange 2000 version that allows you to perform online backups of the information store databases, as described in Chapter 20, "Microsoft Exchange 2000 Server Maintenance and Troubleshooting."

Management Programs and Outlook 2000

The Exchange System Management Tools come with a newer version of Messaging Application Protocol Interface (MAPI) components that cause Outlook 2000 to display a warning message because of a version conflict with the MAPI core files, specifically the MAPI32.DLL. Because Outlook attempts to replace the newer Exchange 2000 MAPI32.DLL with its older version, it is not advisable to install Outlook 2000 and the Exchange System Management Tools on the same workstation. That is also the reason why your test environment requires a dedicated workstation in addition to two servers. However, if you want to use both Outlook 2000 and the Exchange System Manager on the same machine, make sure you install Exchange System Manager first. Otherwise , the version conflict may occur, in which case you need to rename MAPI32.DLL and reinstall Outlook 2000.

Assignment of Administrative Roles and Permissions

The Exchange System Manager includes a feature called Exchange Administration Delegation Wizard that simplifies permission management. Similar to the Delegation Wizard of Windows 2000, you can use this tool to delegate appropriate permissions to other Exchange administrators. You used the Exchange Administration Delegation Wizard during Exercise 4 of Chapter 4, "Planning the Microsoft Exchange 2000 Server Installation."

Assigning Administrative Roles

As discussed in Chapter 4, you can organize your system management based on the Exchange organization and its administrative groups. To test this on BLUESKY-SRV1, launch the Exchange System Manager, right-click on the organization object named Blue Sky Airlines (Exchange), choose Properties, and select the Display Administrative Groups check box. This is required to launch the Exchange Administration Delegation Wizard at the level of the First Administrative Group . After you close the Properties dialog box and restart the Exchange System Manager, right-click on Blue Sky Airlines (Exchange) and, from the shortcut menu, select Delegate Control to launch the Exchange Administration Delegation Wizard. Click Next on the welcome screen to reach the Users Or Groups wizard screen, where you can click Add to specify one or more users to whom to delegate the role of an Exchange administrator (that is, Exchange Full Administrator, Exchange Administrator, and Exchange View Only Administrator). The steps are similar when delegating control for the First Administrative Group. You can read more about permissions management in Chapter 19, "Implementing Advanced Security."

Permission Inheritance

When launching the Exchange Administration Delegation Wizard for an administrative group (for example, by right-clicking on First Administrative Group and choosing Delegate Control), you will notice one or more accounts on the Users Or Group wizard screen. These accounts inherited the role of an Exchange administrator and include the account that was used to install the first Exchange 2000 server. If you select one of these accounts and click Remove, an Exchange System Manager dialog box will appear, informing you that the account cannot be edited or deleted because it was inherited from the organization object. To edit or remove these kinds of Exchange administrators, you need to launch the wizard at the organization level.

Permission inheritance simplifies the task of delegating administrative roles and managing permissions for the following reasons:

• Manual assignment of roles and permissions can be concentrated on a single parent object instead of numerous child objects. Child objects inherit the settings automatically.
• Permission changes can be applied easily via the parent object.
• Roles and permissions attached to the parent object are applied consistently to all child objects.

Disabling the Inheritance Feature

The inheritance feature allows you to quickly configure permissions and roles, but in some situations you may want to customize the inheritance of security-related permissions. For instance, you may want to prevent one administrator specified at the organization level from managing a particular administrative group without affecting other administrative groups. To disable the inheritance feature for a particular directory object, such as the BLUESKY-SRV1 server object within the First Administrative Group, right-click on it, and select Properties to display the corresponding Properties dialog box. Switch to the Security property page, and deselect the Allow Inheritable Permissions From Parent To Propagate To This Object check box. In the Security dialog box that appears, click Copy if you want to copy security-related settings from the parent before adjusting the settings manually. Click Remove to clear all settings, in which case you need to add your accounts and possibly others to the list of accounts with permissions.

Exchange 2000-Related Permissions

When you examine the Security property page of a given Exchange 2000 directory object, there is a large list of Windows 2000 and Exchange 2000-related permissions that you can assign to individual user accounts and groups. The Exchange-related permissions are also called extended permissions because they add extended features to the standard set of Windows 2000 permissions for each Exchange 2000 object.

NOTE

---

The configuration of Windows 2000 and Exchange 2000-related permissions gives you total control over the individual access privileges of users and groups. However, such fine-grained configuration is seldom required and introduces the risk of configuration problems. Whenever possible, you should use the Exchange Administration Delegation Wizard to specify security-related settings.

Depending on the selected object, Exchange 2000 allows you to define the following extended permissions:

• Add PF To Admin Group. Specifies whether the account has the permission to add a public folder to an administrative group.
• Administer Information Store. Specifies whether the account has the permission to manage the information store service.
• Create Named Properties In The Information Store. Specifies whether the account has the permission to create named properties, such as display name, given name, last name deleted item flags, and so forth.
• Create Public Folder. Specifies whether the account has the permission to create a public folder under the currently selected folder.
• Create Top-Level Public Folder. Specifies whether the account has the permission to create top-level public folders.
• Full Store Access. Specifies whether the account has the permission to get full access to the information store databases.
• Mail-Enable Public Folder. Specifies whether the account has the permission to mail-enable a public folder.
• Modify Public Folder ACL. Specifies whether the account has the permission to modify a public folder's access control list (ACL).
• Modify Public Folder Admin ACL. Specifies whether the account has the permission to administer public folder ACLs.
• Modify Public Folder Deleted Item Retention. Specifies whether the account has the permission to modify the length of time (in days) that items deleted from the public folder are retained.
• Modify Public Folder Expiry. Specifies whether the account has the permission to modify the size limit of the public folder.
• Modify Public Folder Quotas. Specifies whether the account has the permission to set public folder quotas.
• Modify Public Folder Replica List. Specifies whether the account has the permission to modify the replica list. To successfully configure public folder replication, this permission is required for both the administrative group and the public database to which the replica should be added.
• Open Mail Send Queue. Specifies whether the account has the permission to open the Mail Send queue used for queuing messages to and from the information store.
• Read All Metabase Properties. Specifies whether the account has the permission to read the Internet Information Services (IIS) metabase, which was covered in Chapter 2, "Integration with Microsoft Windows 2000."
• Remove PF To Admin Group. Specifies whether the account has the permission to remove a public folder from an administrative group.
• View Information Store Status. Specifies whether the account has the permission to view information store status information, such as information about currently logged on users and allocated resources.

Group Accounts and Exchange Administration

The permissions model of Exchange 2000 is entirely based on the security model for Windows 2000 Active Directory. This implies that you can rely on Windows 2000 security groups for Exchange 2000 administration, which is especially advantageous if you are in charge of configuring roles and permissions for numerous administrators. It is much easier to manage group permissions instead of redundant permissions for individual users. For instance, if you define a global security group for the default First Administrative Group and assign this group the required permissions to manage the Exchange 2000 Server resources, you can activate and deactivate Exchange administrators easily by adding and removing them from this group within the Active Directory Users and Computers utility.

In native mode, Windows 2000 allows you to configure the following security groups:

• Domain Local. This group type can contain user accounts, global groups, and universal groups from any domain as well as domain local groups from the same domain.
• Global. This group type can contain user accounts and global groups from the same domain.
• Universal. This group type is only used in Active Directory forests that contain multiple domains. It can contain user accounts, global groups, and universal groups from any domain.

You can find more information about Windows 2000 groups in Chapter 13, "Creating and Managing Recipients."

NOTE

---

During a first server installation, the setup routine automatically creates two default group accounts, Exchange Domain Servers and Exchange Enterprise Servers, in the Users container of the domain tree for your organization. The Exchange Domain Servers group is used to grant the LocalSystem account of computers running Exchange 2000 Server full rights in the Exchange 2000 organization.

Exercise 2: Verifying Incorrect Security Information

In this exercise you will check whether the Exchange Administration Delegation Wizard displays correct and complete security information. You will then set a special Registry key for the Exchange System Manager to view more accurate data.

To view a multimedia demonstration that displays how to perform this procedure, launch the EX2CH5*.AVI files, which you can install on your computer by running the self-extracting executable from the \Exercise_Information\Chapter14 folder on the Supplemental Course Materials CD.

Prerequisites

• Complete Exercise 1, earlier in this chapter.
• Log on as Administrator to BLUESKY-SRV1.

To check and countercheck security-related information in Exchange System Manager

1. Start the Exchange System Manager from the Microsoft Exchange program group.
2. Right-click on Blue Sky Airlines (Exchange) and then select Delegate Control.
3. In the welcome screen of the Exchange Administration Delegation Wizard, click Next.
4. In the Users Or Groups wizard screen, verify that BLUESKY-INC-10\Administrator is listed as an Exchange Full Administrator.
5. Select BLUESKY-INC-10\Administrator and then click Edit.
6. In the Delegate Control dialog box, select Exchange View Only Administrator, and then click OK.
7. Verify that BLUESKY-INC-10\Administrator is now listed as an Exchange View Only Administrator in the Users Or Groups wizard screen (see Figure 5.7). Click Next.
8. In the final screen of the Exchange Administration Delegation Wizard, click Finish. Though it seems as if you should lose the ability to change the Exchange 2000 configuration, you will soon discover otherwise.
9. Right-click on Blue Sky Airlines (Exchange) again and select Properties.
10. Click on the Change Mode button. Confirm the Exchange System Manager dialog box informing you that this is an irreversible process by clicking OK. Verify that the change was accomplished successfully, and then click OK.
11. Right-click on Blue Sky Airlines (Exchange) again, select Delegate Control, confirm the welcome screen by clicking on the Next button, and then, in the Users Or Groups wizard screen, verify that BLUESKY-INC-10\Administrator is indeed listed as an Exchange View Only Administrator. Click Cancel.

    

    Figure 5.7 Granting the Administrator View Only permissions

    Although you are listed as an administrator who does not have the permissions to change the configuration, you are able to switch the organization into native mode or perform any other desired management procedure because your account is a member of the Enterprise Admins group.

12. Click the Start button, point to Programs, then to Administrative Tools, and then select Active Directory Sites and Services.
13. Open the View menu and select the Show Services Node option.
14. In the console tree, expand the Services container, expand the Microsoft Exchange child container, and note that the organization object called Blue Sky Airlines is located underneath.
15. Right-click on the Services container, and then, from the shortcut menu, select Properties.
16. Switch to the Security tab, select Enterprise Admins (BLUESKY-INC-10\Enterprise Admins), and then, under Permissions, verify that this security group has inherited Full Control for this object (see Figure 5.8). These permissions in turn are further inherited by all child containers including the Exchange 2000 organization, which is the reason why you are able to manage the environment (although the Exchange Administration Delegation Wizard displays you as a view only administrator).

    

    Figure 5.8 Enterprise Admin permissions at the Services container object

17. Click OK and close Active Directory Sites and Services.
18. Switch back to the Exchange System Manager, right-click Blue Sky Airlines (Exchange), select Properties, and verify that a Security tab is not provided.
19. Close the Exchange System Manager.
20. Click the Start button, point to Run, and, in the Run dialog box, type Regedit , and then click OK.
21. Open the following key in the Registry Editor: HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin.
22. Open the Edit menu, point to New, and select DWORD Value. Name the new value ShowSecurityPage , double-click on it, type 1 under Value Data (see Figure 5.9), and then click OK. Close the Registry Editor.

    

    Figure 5.9 Setting the ShowSecurityPage Registry key

    NOTE

    ---

    The ShowSecurityPage Registry value causes the Exchange System Manager to display the Security tab on all configuration objects. If this value is not present or is set to 0, the Security tab is available only on Address List objects, mailbox and public stores, and top-level public folder hierarchies. According to the HKEY_CURRENT_USER hive, ShowSecurityPage only affects the current user account.

23. In the Microsoft Exchange program group, click Exchange System Manager.
24. Right-click on the organization object Blue Sky Airlines (Exchange), and then select Properties.
25. In the Blue Sky Airlines Properties dialog box, click the Security tab.
26. Select the Administrator (BLUESKY-INC-10\Administrator) entry under Name, and, under Permissions, examine the individual permissions granted. These permissions correspond to the set of rights for a view only administrator (see Figure 5.10).

    

    Figure 5.10 Assigned and inherited permissions for an Exchange 2000 organization

27. Select the Enterprise Admins (BLUESKY-INC-10\Enterprise Admins). You will be able to determine that this security group has inherited Full Control for the organization (with the Receive As and Send As rights explicitly denied ).
28. Click OK and close the Exchange System Manager without changing the security settings.

Exercise Summary

Exchange 2000 is entirely based on the Windows 2000 security model. Hence, as a member of the Domain Admins or Enterprise Admins group, you inherit management permissions for the Exchange 2000 organization. Keep in mind that settings inherited from higher-level configuration containers in Active Directory are not displayed in the Exchange Administration Delegation Wizard. Nevertheless, this wizard remains your primary tool to delegate administrative permissions because it prevents you from revoking administrators and system processes essential access rights.

The Security property sheet, on the other hand, which you can enable for organization and administrative groups via the ShowSecurityPage Registry key, gives detailed and accurate security information. If possible, refrain from using it to manage access rights and roles because it does not prevent you from setting permissions incorrectly. For instance, if you deny Exchange 2000 services access to configuration information in Active Directory, you will experience serious server problems that may even require you to reinstall the entire system. You can read more about securing your Exchange 2000 resources in Chapter 19, "Implementing Advanced Security."

Default File Locations and Share Point Permissions

During the installation, Setup creates the directory structure to host the files of Exchange 2000 Server. If you accept the default settings, they will be placed under the C:\Program Files\Exchsrvr directory.

Exchange 2000 Directory Structure

Depending on the options selected during the installation, Setup creates the directories listed in Table 5.2 on the server computer (see Figure 5.11).

Figure 5.11 Directories and shares created on an Exchange 2000 server

Table 5.2 Directories Created by Setup

Share Points

As indicated in Table 5.2, Setup shares specific directories for network access. It's a good idea to restrict access to these share points to increase the security of the server-based resources. Knowing the share point permissions and the processes that need access to them helps to secure the server appropriately.

The following share points are created automatically on an Exchange 2000 server:

• Address. Corresponds to the \Exchsrvr\Address directory and provides access to proxy address generation DLLs. A proxy address generator is typically responsible for the automatic generation of default e-mail addresses. Each address generator corresponds to a specific e-mail address type. Examples are SMTP, X.400, MS Mail, and Lotus cc:Mail. Addresses of these types will be generated by default for every mailbox, but it is also possible to install additional proxy address generators along with third-party messaging connectors. By default, Administrators and services account have Full Control permissions, and the Everyone account is restricted to Read permission.
• <SERVER NAME>.LOG. Corresponds to the \Exchsrvr\<SERVER NAME>.LOG directory and provides access to log files writing by Exchange 2000 services. By default, Administrators and services account have Full Control permissions, and the Everyone account is restricted to Read permission.
• Maildat$. Corresponds to the \Exchsrvr\Connect\Msmcon\Maildata directory and provides a hidden network share point for the MS Mail Connector. It represents the MS Mail Connector postoffice. By default, Administrators, services account, and Everyone have Full Control permissions.

TCP Ports

The majority of features that Exchange 2000 Server has to offer rely on Internet technologies (such as TCP/IP, DNS, SMTP, NNTP, IMAP4, POP3, HTTP, LDAP, Secure Sockets Layer, Kerberos, and so forth). Consequently, you need to protect your Internet access points, preferably with a firewall. You can read more about Internet-based client access in Chapter 11, "Internet-Based Client Access."

Exercise 3: Checking Active TCP Ports

In this exercise you will check which TCP ports are open on your test machine to handle incoming connections. Knowledge of these TCP ports is especially important when connecting Exchange 2000 Server to the Internet, which requires extra security measures as outlined in Chapter 19, "Implementing Advanced Security."

To view a multimedia demonstration that displays how to perform this procedure, run the EX3CH5.AVI files from the \Exercise_Information\Chapter5 folder on the Supplemental Course Materials CD.

Prerequisites

• Log on as Administrator to BLUESKY-SRV1 running Exchange 2000 Server.
• Insert the Supplemental Course Materials CD in your CD-ROM drive.

To identify available TCP ports

1. Copy the files MSWINSCK.OCX and VBPORTSCAN.EXE from the \Exercise_Information\Chapter5\VBPortScan folder on the Supplemental Course Materials CD into your \Winnt\System32 directory.
2. Click Start, and then select Run to display the Run dialog box, where you need to type regsvr32 mswinsck.ocx , and then click OK.
3. A RegSvr32 dialog box will appear to confirm that the component was registered successfully. Click OK.
4. Click Start, and then select Run to display the Run dialog box, where you need to type vbportscan.exe , and then click OK.
5. The Windows Sockets - Port Tester application is launched. Click Check.

   At this point, you should be able to scroll through the Ports In Use list and verify that all of the important TCP ports for Internet-based client connections are available (see Figure 5.12).

6. Click Exit to close the port tester program.

Exercise Summary

Exchange 2000 Server relies heavily on Internet technologies and consequently prefers a communication based on Windows Sockets (Winsock). Winsock binds an application to a specific port number, which is used to identify network traffic sent to and from the application. You can use a simple TCP port scanner written in Visual Basic to determine which ports are listening. It is a good idea to stop Internet services (and thereby the associated ports) not required in your environment and protect those that are required (such as TCP port 25 for SMTP) with a firewall.

Figure 5.12 Checking available TCP ports

Exchange 2000 Server Service Dependencies

As outlined in Chapter 3, Exchange 2000 Server consists of numerous services that need to communicate with each other to form a functioning messaging and collaboration platform. This communication requires authentication using the Kerberos protocol.

LocalSystem Account

In much the same way you log on to Windows 2000 by providing a user name and password, active Exchange 2000 services need to log on to the system by using a special services account. In previous versions of Exchange Server, this was a normal user account. This left the system vulnerable because it is not feasible to lock a services account after a certain number of failed logon attempts. A locked account would prevent communication between the Exchange Server services. Password-guessing computer criminals prefer to attack services accounts where the account lockout is most likely disabled.

The good news is that you don't need to specify a userlike services account for Exchange 2000 services. Instead, these services are happy with the LocalSystem account of Windows 2000, greatly reducing susceptibility to a successful password-guessing attack against your system. You don't even need to change the password for this services account because Windows 2000 automatically changes it for you every seven days. Even better, the password is very secure because it consists of a random string of characters , putting an effective end to ambitions in password cracking.

Service Account Dependencies for Backward Compatibility

Nevertheless, you need to rely on a userlike services account if you need to connect Exchange 2000 server to Exchange Server 5.5. Within a single site, all Exchange-related services have to use a common Site Services account for authentication.

NOTE

---

Exchange 2000 servers use the account name and password set on the administrative group object in the Exchange System snap-in when authenticating against Exchange Server 5.5 services. When communicating with other Exchange 2000 servers, the LocalSystem account is preferred.

Adding or Repairing Components in Maintenance Mode

You can start the Setup program of Exchange 2000 Server at any time. If you run it on a computer that already has Exchange 2000 installed, it will switch into the maintenance mode. Using this mode, you have the ability to add and remove components (Change and Remove action) or to reinstall the entire Exchange 2000 Server (Reinstall action). You will specify the desired action on the Component Selection screen of the Exchange 2000 Installation Wizard.

Setup Registry Key

Setup will detect the presence of any Exchange 2000 Server installation by reading the following Registry key:

HKEY_LOCAL_MACHINE

 \SOFTWARE

  \Microsoft

   \Exchange

    \Setup

The maintenance installation is useful for:

• Adding or removing additional Exchange 2000 components.
• Repeating the entire Exchange 2000 installation without losing directory and configuration information.
• Removing Exchange 2000 Server.

Reinstallation and Service Packs

It might be a good idea to reinstall an Exchange 2000 Server if you suspect important files have been corrupted. The reinstallation can replace these files, thereby repairing any server components. Setup will check the current version of the installed software before it overwrites the server files. Files with newer version numbers than those on the installation CD will not automatically be replaced. To replace those files with files from the appropriate version, you must also reinstall any previously installed service packs. Besides refreshing disk directories and files, Setup also renews Windows NT Registry settings of installed components.

Database files and template information will not be overwritten. This means that the reinstallation is not really risky, but often useful, when Registry entries must be updated or when files are corrupted and finding out what exactly is broken will be an inordinately time-consuming job.

Removing an Exchange 2000 Server Installation

To completely remove the server installation, from the Component Selection wizard screen, under Action, select Remove next to the Microsoft Exchange 2000 entry. You need to reboot the server to complete the process.

Removing Exchange 2000 Server does not remove the Exchange directory structure on the server's hard disk. The \MTAData, and even more important, the \MDBData directories contain files of former message queues and databases. This is important because you will not be able to install Exchange 2000 Server again if an \MDBData directory with an old database file is found on the computer. If you are certain that you don't need to keep the old database files, delete the entire \MDBData directory from the hard disk; otherwise, you should rename it.

It is also important to note that removing an Exchange 2000 Server installation does not affect the configuration objects in Active Directory. In other words, if you have installed a test system in your production environment using the organization name of your future Exchange organization, simply removing the test server doesn't clean the environment. If you install Exchange 2000 Server at a later time on the same server, the old configuration settings will be applied because the organization object in Active Directory will not be overwritten. To start from scratch, use the ADSI Edit utility, and manually delete the CN=Microsoft Exchange node, which you can find in the Configuration container of your domain (CN=Configuration, DC=BlueSky-inc-10, DC=com), under the node labeled CN=Services (see Exercise 2 earlier in this lesson).

Exercise 4: Adding Components to an Exchange 2000 Installation

In this exercise you will add all available components to your existing server installation. To accomplish this task, you will start the Setup program in maintenance mode. However, you will not be able to install the Key Management Service (KMS) yet because this component requires a certification authority. The KMS is covered in detail in Chapter 19, "Implementing Advanced Security."

To view a multimedia demonstration that displays how to perform this procedure, run the EX4CH5.AVI files from the \Exercise_Information\Chapter5 folder on the Supplemental Course Materials CD.

Prerequisites

• Log on as Administrator to BLUESKY-SRV1 running Exchange 2000 Server.
• Insert the Exchange 2000 Enterprise Server CD into the CD-ROM drive (E drive) of BLUESKY-SRV1.

To launch the Setup program in maintenance mode and add Exchange 2000 Server components

1. Start the Exchange 2000 Setup program from the \Setup\i386 directory on the installation CD.
2. On the Welcome To The Microsoft Exchange 2000 Installation Wizard screen, click Next.
3. On the Component Selection wizard screen, under Action, in every row that contains a check mark, select Change, and then for all available rows that are not displaying any actions, select Install (with the exception of the Microsoft Exchange Key Management Service).
4. Click Next, and, on the Licensing Agreement wizard screen, select I Agree That, and click Next.
5. On the Component Summary wizard screen, click Next again.
6. When the final wizard screen appears informing you that the installation is complete, click Finish.

   At this point, you have installed Exchange 2000 Server with all possible components excluding the KMS (see Figure 5.13).

   

   Figure 5.13 Adding additional components to an Exchange 2000 installation

Exercise Summary

It is relatively easy to add or remove Exchange 2000 Server components to an existing installation. Setup detects the installed server automatically and switches into maintenance mode, where you can select the desired components on the Component Selection wizard screen. The component selection might seem a little confusing because you need to set the Action for the parent category (for instance, Microsoft Exchange 2000) to Change first; otherwise, no choice is available for the individual child components. However, this mechanism helps prevent accidental component deletion.