When you install Exchange Server and Forefront Security for Exchange Server on a server operating system, Exchange Server and Forefront Security make extensive modifications to the environment. These modifications include new system services, integrated authentication, and new security groups.
When you install Exchange Server and Forefront Security for Exchange Server on Windows, multiple services are installed and configured on the server. Table 1-1 provides a summary of key services, how they are used, and with which server components they are associated.
Service Name | Description | Server Role |
---|---|---|
AntigenIMC | Connects to the Simple Mail Transfer Protocol (SMTP) stack to ensure that messages are scanned by the AntigenInternet process. | Forefront Security |
AntigenMonitor | Monitors the information store, SMTP/IMS, and Antigen processes to ensure that Antigen provides continuous protection. | Forefront Security |
AntigenService | Coordinates all real-time, manual, IMC, and SMTP scanning activities and is the agent to which the Forefront Security administrator connects. | Forefront Security |
AntigenStore | Ensures that Antigen initializes properly with the information store. AntigenStore starts and stops with the information store. | Forefront Security |
HTTP SSL | Provides the secure Hypertext Transfer Protocol (HTTPS) using the Secure Socket Layer (SSL). | Client Access |
IIS Admin | Enables the server to administer Web services. Required to support HTTP SSL and World Wide Web publishing services. | Client Access |
Microsoft Exchange Active Directory Topology | Provides Active Directory topology information to Exchange services. If this service is stopped, most Exchange servers will not be able to start. | Hub Transport, Mailbox, Client Access, Unified Messaging |
Microsoft Exchange ADAM | Maintains the Active Directory ADAM data store. | Edge Transport |
Microsoft Exchange EdgeSync | Provides EdgeSync services between Hub and Edge servers. | Hub Transport, Edge Transport |
Microsoft Exchange IMAP4 | Provides IMAP4 services to clients. | Client Access |
Microsoft Exchange Information Store | Manages the Microsoft Exchange Information Store. This includes mailbox stores and public folder stores. | Mailbox |
Microsoft Exchange Mail Submission Service | Submits messages from the Mailbox server to the Hub Transport servers. | Mailbox |
Microsoft Exchange Mailbox Assistants | Manages assistants that are responsible for calendar updates and booking resources. | Mailbox |
Microsoft Exchange POP3 | Provides Post Office Protocol version 3 (POP3) services to clients. | Client Access |
Microsoft Exchange Replication Service | Provides replication functionality used for continuous replication. | Mailbox |
Microsoft Search (Exchange) | Provides search services for mailboxes, address lists, and so on. | Mailbox |
Microsoft Exchange Speech Engine | Provides speech processing services for Microsoft Exchange. If this service is stopped, speech recognition services will not be available to Unified Messaging clients. | Unified Messaging |
Microsoft Exchange System Attendant | Provides monitoring, maintenance, and Active Directory lookup services. | Mailbox, Client Access |
Microsoft Exchange Unified Messaging | Enables voice and fax messages to be stored in Exchange and gives users telephone access to e-mail, voice mail, calendar, contacts, or an automated attendant. | Unified Messaging |
World Wide Web Publishing Services | Provides Web connectivity and administration features for IIS. | Client Access |
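A quick way to put Table 1-1 to work is to verify, per installed role, that the services the table associates with that role are present and running; a stopped AntigenService or Active Directory Topology service is both an availability problem and a gap in protection. The following PowerShell is an added example, not from the book: the role names and service display names are taken from the table, so confirm them against `Get-Service` on your own build before relying on the output.

```powershell
# Added example (not from the book): check that the services Table 1-1 lists
# for the roles installed on this server exist and are running.
# Display names are the table's; verify them with Get-Service on your build.
$servicesByRole = @{
    'Mailbox' = @(
        'Microsoft Exchange Active Directory Topology',
        'Microsoft Exchange Information Store',
        'Microsoft Exchange Mail Submission Service',
        'Microsoft Exchange Mailbox Assistants',
        'Microsoft Exchange Replication Service',
        'Microsoft Search (Exchange)',
        'Microsoft Exchange System Attendant'
    )
    'Client Access' = @(
        'Microsoft Exchange Active Directory Topology',
        'HTTP SSL', 'IIS Admin',
        'Microsoft Exchange IMAP4', 'Microsoft Exchange POP3',
        'Microsoft Exchange System Attendant',
        'World Wide Web Publishing Services'
    )
    'Hub Transport'     = @('Microsoft Exchange Active Directory Topology',
                            'Microsoft Exchange EdgeSync')
    'Edge Transport'    = @('Microsoft Exchange ADAM', 'Microsoft Exchange EdgeSync')
    'Unified Messaging' = @('Microsoft Exchange Active Directory Topology',
                            'Microsoft Exchange Speech Engine',
                            'Microsoft Exchange Unified Messaging')
    'Forefront Security' = @('AntigenIMC', 'AntigenMonitor', 'AntigenService', 'AntigenStore')
}

function Test-RoleServices {
    # Returns one object per expected service with its state; Ok is $false
    # when the service is stopped or not installed at all ('MISSING').
    param([Parameter(Mandatory)][string[]]$Roles)
    $expected = $Roles | ForEach-Object { $servicesByRole[$_] } | Sort-Object -Unique
    foreach ($name in $expected) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        $state = if (-not $svc) { 'MISSING' } else { [string]$svc.Status }
        [pscustomobject]@{ Service = $name; State = $state; Ok = ($state -eq 'Running') }
    }
}

# Usage: name the roles installed on this server, e.g. a combined Mailbox/CAS box
# that also runs Forefront. Anything with Ok = False needs attention.
Test-RoleServices -Roles 'Mailbox', 'Client Access', 'Forefront Security' |
    Sort-Object Ok, Service | Format-Table -AutoSize
```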
In Exchange Server 2007, e-mail addresses, distribution groups, and other directory resources are stored in the directory database provided by Active Directory. Active Directory is a directory service running on Windows domain controllers. When there are multiple domain controllers, the controllers automatically replicate directory data with each other using a multimaster replication model. This model allows any domain controller to process directory changes and then replicate those changes to other domain controllers.
The first time you install Exchange Server 2007 in a Windows domain, the installation process updates and extends Active Directory to include objects and attributes used by Exchange Server 2007. Unlike previous releases of Exchange, this process does not include updates for the Active Directory Users And Computers Snap-In for Microsoft Management Console (MMC), and you no longer use Active Directory Users And Computers to manage mailboxes, messaging features, messaging options, or e-mail addresses associated with user accounts. You now perform these tasks in the Exchange Management Console only.
Exchange Server 2007 fully supports the Windows Server security model and relies on this security mechanism to control access to directory resources. This means you can control access to mailboxes and membership in distribution groups and you can perform other Exchange security administration tasks through the standard Windows Server permission set. For example, to add a user to a distribution group, you simply make the user a member of the distribution group in Active Directory Users And Computers.
Because Exchange Server uses Windows Server security, you can't create a mailbox without first creating a user account that will use the mailbox. Every Exchange mailbox must be associated with a domain account, even those used by Exchange for general messaging tasks. For example, the SMTP and System Attendant mailboxes that Exchange Server uses are associated by default with the built-in System user. In Exchange Management Console, you can create a new user account as part of the process of creating a new mailbox.
To support coexistence between Exchange 2000 Server or Exchange Server 2003 and Exchange Server 2007, all Exchange Server 2007 servers are automatically added to a single administrative group when you install Exchange Server 2007. This administrative group is recognized in the Exchange System Manager in Exchange Server 2003 as "Exchange Administrative Group." Although Exchange 2000 Server and Exchange Server 2003 use administrative groups to gather Exchange objects for the purposes of delegating permission to manage those objects, Exchange Server 2007 does not use administrative groups. Instead, you manage Exchange servers according to their roles and the type of information you want to manage using Exchange Management Console. You'll learn more about this in Chapter 5, "Microsoft Exchange Server 2007 Essentials."
In Exchange Server 2003, the Delegation Wizard allowed you to create security roles for Exchange Full Administrators, Exchange Administrators, and Exchange View-Only Administrators. Exchange Server 2007 uses predefined universal security groups to separate administration of Exchange permissions from administration of other permissions. When you add an administrator to one of these security groups, the administrator inherits the permissions permitted by that role.
The predefined security groups have permissions to manage the following types of Exchange data in Active Directory:
- **Organization Configuration node** This type of data is not associated with a specific server and is used to manage policies, address lists, and other types of organizational configuration details.
- **Server Configuration node** This type of data is associated with a specific server and is used to manage the server's messaging configuration.
- **Recipient Configuration node** This type of data is associated with mailboxes, mail-enabled contacts, and distribution groups.
The predefined groups are as follows:
- **Exchange Organization Administrators** Members of this group have full access to all Exchange properties and objects in the Exchange organization.
- **Exchange Recipient Administrators** Members of this group have permissions to modify any Exchange property on an Active Directory user, contact, group, dynamic distribution list, or public folder object. Members of this group can also manage unified messaging mailbox settings and client access mailbox settings.
- **Exchange Server Administrators** Members of this group have access to only local server Exchange configuration data, either in Active Directory or on the physical computer on which Exchange 2007 is installed. This allows members to administer a particular server but not to perform operations that have global impact in the Exchange organization.
- **Exchange View-Only Administrators** Members of this group have read-only access to the entire Exchange organization tree in the Active Directory configuration container and read-only access to all the Windows domain containers that have Exchange recipients.
- **Exchange2003Interop** Members of this group are granted sent-to and receive-from permissions, which are necessary for routing group connections between Exchange Server 2007 and Exchange 2000 Server or Exchange Server 2003. Exchange 2000 Server and Exchange Server 2003 bridgehead servers must be made members of this group to allow proper mail flow in the organization. For more information on interoperability, see Chapter 2.
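Because membership in these universal security groups is what confers Exchange administrative rights, reviewing who is in them (and whether any member is itself a nested group, which hides the real set of administrators) is a routine least-privilege check. The following PowerShell is an added example, not from the book: it assumes a domain-joined machine with rights to read group membership, and that the groups live in the forest root domain, where Exchange setup creates them.

```powershell
# Added example (not from the book): list the direct members of each predefined
# Exchange 2007 administrative group, flagging nested groups for review.
# Assumes a domain-joined host and read access to the groups in the forest root.
$exchangeGroups = @(
    'Exchange Organization Administrators',
    'Exchange Recipient Administrators',
    'Exchange Server Administrators',
    'Exchange View-Only Administrators',
    'Exchange2003Interop'
)

function Get-ExchangeAdminGroupMembers {
    param([string[]]$GroupNames = $exchangeGroups)
    # Exchange setup places these groups in the forest root domain, so search there
    # rather than in whatever domain this host happens to belong to.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $searchRoot = [ADSI]"LDAP://$($rootDse.rootDomainNamingContext)"
    foreach ($groupName in $GroupNames) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            $searchRoot, "(&(objectCategory=group)(cn=$groupName))")
        [void]$searcher.PropertiesToLoad.Add('member')
        $group = $searcher.FindOne()
        if (-not $group) {
            [pscustomobject]@{ Group = $groupName; Member = '<group not found>'; MemberClass = '' }
            continue
        }
        foreach ($memberDn in $group.Properties['member']) {
            $member = [ADSI]"LDAP://$memberDn"
            [pscustomobject]@{
                Group       = $groupName
                Member      = [string]$member.sAMAccountName
                MemberClass = [string]$member.psbase.SchemaClassName  # 'user', 'computer' or 'group'
            }
        }
    }
}

$report = Get-ExchangeAdminGroupMembers
$report | Sort-Object Group, MemberClass, Member | Format-Table -AutoSize

# Nested groups deserve a second look: their members inherit the Exchange role
# without appearing in the direct member list above.
$report | Where-Object { $_.MemberClass -eq 'group' }
```

Running the report periodically and comparing it against the previous run gives a simple change-detection baseline for Exchange administrative privilege.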