Administration Guide for Exchange Server 2003

Contents
Administration Guide for Exchange Server 2003.............................................................. 25 Preparing to Administer Your Exchange Server 2003 Environment................................. 25 Understanding Exchange Administration Architecture ..................................................... 26 Interacting with Active Directory........................................................................................ 27 Selecting the Right Management Tools ............................................................................ 29 Working with Exchange System Manager ........................................................................ 30 How to Open Exchange System Manager........................................................................ 34 Procedure ......................................................................................................................35 Working with Active Directory Users and Computers ....................................................... 35 How to Open Active Directory Users and Computers....................................................... 37 Before You Begin........................................................................................................... 37 Procedure ......................................................................................................................38 Creating Recipients........................................................................................................... 39 Performing Exchange Tasks............................................................................................. 40 How to Perform an Exchange-Specific Task in Active Directory Users and Computers.. 41 Before You Begin........................................................................................................... 41 Procedure ......................................................................................................................42 Managing Exchange in Multiple Domains......................................................................... 42 How to Manage Exchange in Another Domain................................................................. 42 Before You Begin........................................................................................................... 42 Procedure ......................................................................................................................43 Deciding Where to Manage Exchange ............................................................................. 43 Setting Up a Management Station Using Windows XP Professional SP1 or Later.......... 45 How to Set Up a Management Station Using Windows XP Professional SP1 or Later ... 46 Procedure ......................................................................................................................46 Installing the Windows Administrative Tools Pack............................................................ 47

How to Install the Windows Administrative Tools Pack .................................................... 47 Before You Begin........................................................................................................... 47 Procedure ......................................................................................................................48 For More Information ..................................................................................................... 48 Installing the SMTP Service .............................................................................................. 48 How to Install the SMTP Service ...................................................................................... 49 Before You Begin........................................................................................................... 49 Procedure ......................................................................................................................49 For More Information ..................................................................................................... 49 Installing the Exchange System Management Tools........................................................ 50 Windows Server 2003.................................................................................................... 50 Windows 2000 Professional SP3 or later ...................................................................... 50 Windows 2000 Server SP3 or later ............................................................................... 50 How to Install the Exchange System Management Tools ................................................ 51 Before You Begin........................................................................................................... 51 Procedure ......................................................................................................................51 For More Information ..................................................................................................... 52 Shutting Down SMTP and NNTP Services ....................................................................... 53 Using Custom Consoles.................................................................................................... 53 Creating Custom Consoles ............................................................................................... 54 How to Create Custom Consoles...................................................................................... 55 Procedure ......................................................................................................................55 How to Create a New Instance of MMC............................................................................ 55 Procedure ......................................................................................................................56 For More Information ..................................................................................................... 56 How to Add Snap-Ins to MMC .......................................................................................... 57 Procedure ......................................................................................................................57 Automating Administrative Tasks...................................................................................... 57 Managing an Exchange Server 2003 Organization .......................................................... 58 Promoting an Exchange Server 2003 Organization from Mixed Mode to Native Mode ... 59 Switching from Mixed Mode to Native Mode ................................................................. 59

How to Switch from Mixed Mode to Native Mode ............................................................. 60 Before You Begin........................................................................................................... 60 Procedure ......................................................................................................................60 For More Information ..................................................................................................... 61 Applying Global Settings in an Exchange Server 2003 Organization............................... 62 Associating File Name Extensions with MIME.................................................................. 62 How to Manage Associations for File Name Extensions .................................................. 63 Procedure ......................................................................................................................63 Configuring SMTP Policies to Control Outbound Mail Formatting and Automatic Responses..................................................................................................................... 64 Understanding the Default Policy...................................................................................... 65 Creating a Policy for a New SMTP Domain ...................................................................... 66 How to Create a New Policy for a New SMTP Domain .................................................... 68 Procedure ......................................................................................................................68 Setting Message Formatting Options for a Policy............................................................. 69 How to Set the Message Formats for a Policy.................................................................. 70 Procedure ......................................................................................................................70 Controlling Automatic Replies and Advanced Formatting for a Policy ............................. 71 How to Set Advanced Properties for a Policy ................................................................... 72 Procedure ......................................................................................................................72 Configuring Message Delivery Options............................................................................. 73 How to Access the Message Delivery Properties Dialog Box........................................... 74 Procedure ......................................................................................................................74 Configuring Default Message Size and Recipient Limits .................................................. 74 How to Change the Default Message Delivery Options.................................................... 76 Procedure ......................................................................................................................76 Configuring SMTP Message Filtering Options.................................................................. 78 Configuring Sender Filtering ............................................................................................. 79 How to Enable Sender Filtering ........................................................................................ 79

Procedure ......................................................................................................................79 Configuring Connection Filtering....................................................................................... 81 How to Configure a Connection Filtering Rule.................................................................. 82 Procedure ......................................................................................................................82 For More Information ..................................................................................................... 83 How to Create a List of Exceptions to Connection Filtering Rules ................................... 84 Procedure ......................................................................................................................84 For More Information ..................................................................................................... 85 How to Create Either a Global Accept or Deny List.......................................................... 86 Procedure ......................................................................................................................86 For More Information ..................................................................................................... 87 Configuring Recipient Filtering.......................................................................................... 88 How to Add a Recipient to the Recipient Filtering List...................................................... 89 Procedure ......................................................................................................................89 For More Information ..................................................................................................... 90 Creating and Managing Administrative Groups ................................................................ 91 Understanding Exchange Server 2003 Administrative Models......................................... 92 Understanding the Types of Administrative Models ...................................................... 92 Using a Centralized Administrative Model ........................................................................ 93 Using a Mixed Administrative Model................................................................................. 94 Using a Decentralized Administrative Model .................................................................... 96 Configuring Exchange Server 2003 Administrative Groups ............................................. 97 Displaying Administrative Groups.................................................................................. 97 How to Display Administrative Groups.............................................................................. 97 Procedure ......................................................................................................................98 For More Information ..................................................................................................... 99 Creating Additional Administrative Groups ....................................................................... 99 How to Create a New Administrative Group ...................................................................100 Before You Begin.........................................................................................................100 Procedure ....................................................................................................................100 For More Information ...................................................................................................101

Moving Objects Between Administrative Groups............................................................101 How to Move Objects Between Administrative Groups ..................................................102 Before You Begin.........................................................................................................102 Procedure ....................................................................................................................102 For More Information ...................................................................................................103 Deleting Administrative Groups ......................................................................................103 How to Delete an Administrative Group..........................................................................103 Procedure ....................................................................................................................104 For More Information ...................................................................................................104 Configuring Exchange Server 2003 System Policies .....................................................104 Understanding How System Policies Affect Individual Settings .....................................106 Creating a Server Policy .................................................................................................107 How to Create a System Policy Container......................................................................108 Procedure ....................................................................................................................108 How to Create a Server Policy........................................................................................109 Before You Begin.........................................................................................................109 Procedure ....................................................................................................................110 Handling Policy Conflicts.................................................................................................111 Adding Servers to a Server Policy ..................................................................................112 How to Add Servers to a Server Policy...........................................................................112 Before You Begin.........................................................................................................112 Procedure ....................................................................................................................112 Viewing the Objects Controlled by a System Policy .......................................................113 How to View the Objects That a Policy Controls ............................................................114 Procedure ....................................................................................................................114 How to View the Policies that Exchange Applies to a Particular Object.........................114 Procedure ....................................................................................................................114 Copying System Policies Between Administrative Groups.............................................115 How to Copy Policy Objects Between Administrative Groups ........................................115 Procedure ....................................................................................................................116

Modifying or Removing a Policy......................................................................................116 How to Modify a Policy....................................................................................................117 Procedure ....................................................................................................................117 How to Remove an Object from the Control of a Policy .................................................117 Procedure ....................................................................................................................118 How to Delete a Policy ....................................................................................................118 Procedure ....................................................................................................................118 Managing Exchange Server 2003 Permissions..............................................................119 Understanding Exchange Objects and Exchange System Manager..............................120 Benefiting from Standardized Security Roles in Exchange ............................................121 Benefiting from Exchange Administration Delegation Wizard ........................................123 Benefiting from Support for Inheritance ..........................................................................125 Configuring Exchange Server 2003 Settings..................................................................126 Configuring Server-Specific Settings ..............................................................................126 How to Open a Server's Properties Dialog Box ..............................................................128 Procedure ....................................................................................................................128 Viewing Messages in Message Tracking Center............................................................129 How to Enable a Server's Messages to Appear in Message Tracking Center ...............130 Before You Begin.........................................................................................................131 Procedure ....................................................................................................................131 For More Information ...................................................................................................131 Enabling Message Tracking............................................................................................131 How to Enable Message Tracking ..................................................................................132 Procedure ....................................................................................................................132 For More Information ...................................................................................................133 Managing Message Tracking Log Files ..........................................................................133 Selecting a Location for the Log Files .........................................................................133 Removing Log Files .....................................................................................................133 How to Select a Location for the Message Tracking Log Files.......................................134

Procedure ....................................................................................................................134 How to Specify How Frequently Log Files are Removed ...............................................136 Before You Begin.........................................................................................................136 Procedure ....................................................................................................................136 Designating a Front-End Server .....................................................................................137 Sending Error Information to Microsoft ...........................................................................138 How to Send Error Information to Microsoft....................................................................139 Before You Begin.........................................................................................................139 Procedure ....................................................................................................................139 For More Information ...................................................................................................140 Configuring Language Settings.......................................................................................140 How to Add a Locale to the Server .................................................................................140 Procedure ....................................................................................................................141 Scheduling Mailbox Manager Processes........................................................................142 Defining a Schedule ........................................................................................................144 How to Set a Schedule for Mailbox Management...........................................................144 Before You Begin.........................................................................................................145 Procedure ....................................................................................................................145 For More Information ...................................................................................................145 How to Set a Custom Schedule for Mailbox Management .............................................145 Before You Begin.........................................................................................................146 Procedure ....................................................................................................................146 For More Information ...................................................................................................146 Setting Reporting Options ...............................................................................................147 How to Set Mailbox Management Reporting Options.....................................................147 Before You Begin.........................................................................................................147 Procedure ....................................................................................................................148 For More Information ...................................................................................................148 Configuring Diagnostics Logging on a Server ................................................................148 How to Configure Diagnostics Logging...........................................................................151 Procedure ....................................................................................................................152

Customizing Public Folder Referrals...............................................................................152 How to Specify a Custom List for Public Folder Referrals ..............................................154 Procedure ....................................................................................................................154 For More Information ...................................................................................................155 Assigning Costs on the Public Folder Referrals List.......................................................156 How to Assign Costs on the Public Folder Referrals List ...............................................156 Procedure ....................................................................................................................157 For More Information ...................................................................................................158 Understanding Directory Access Options .......................................................................158 Automatically Constructing a Topology for Directory Access .........................................160 How to Automatically Discover Servers ..........................................................................161 Before You Begin.........................................................................................................162 Procedure ....................................................................................................................162 Manually Constructing a Topology for Directory Access ................................................164 How to Manually Create a Topology for Directory Access .............................................164 Before You Begin.........................................................................................................165 Procedure ....................................................................................................................165 For More Information ...................................................................................................165 Viewing System Policies Applied to the Server ..............................................................166 Setting Server-Specific Permissions...............................................................................167 How to Modify Permissions on a Specific Server ...........................................................170 Before You Begin.........................................................................................................170 Procedure ....................................................................................................................170 For More Information ...................................................................................................171 Configuring System Resource Usage During Full-Text Indexing ...................................172 How to Control Server Performance During Indexing.....................................................172 Procedure ....................................................................................................................173 For More Information ...................................................................................................174 Managing Recipients and Recipient Policies in Exchange Server 2003 ........................175 Understanding Recipients ...............................................................................................175

Understanding Recipient Policies ...................................................................................179 Managing E-Mail Addresses ...........................................................................................179 Example Scenario........................................................................................................180 Managing Mailboxes Using Mailbox Manager ................................................................182 Creating a Recipient........................................................................................................185 Mailbox-Enabled and Mail-Enabled Recipients ..............................................................185 How to Make an Existing Active Directory Object a Recipient........................................188 Procedure ....................................................................................................................189 For More Information ...................................................................................................190 Mail-Enabled Groups ......................................................................................................191 Creating Mail-Enabled Groups........................................................................................191 How to Enable an Existing Group for Mail ......................................................................192 Before You Begin.........................................................................................................192 Procedure ....................................................................................................................193 Expanding Mail-Enabled Groups ....................................................................................194 Using Mail-Enabled Groups in Multi-Domain Environments...........................................195 Understanding Query-Based Distribution Groups ..........................................................196 Query-Based Distribution Groups Described..................................................................196 Modifying Exchange 2000 SP3 Servers for Use with Windows 2000 Global Catalog Servers.........................................................................................................................197 How to Modify Your Exchange 2000 SP3 Servers for Use with Windows 2000 Global Catalog Servers ...........................................................................................................198 Before You Begin.........................................................................................................198 Procedure ....................................................................................................................198 For More Information ...................................................................................................199 How Query-Based Distribution Groups Work .................................................................199 Deployment Recommendations for Query-Based Distribution Groups ..........................200 Guidelines for Creating Query-Based Distribution Groups .............................................202 Creating Query-Based Distribution Groups ....................................................................203

How to Create a Query-Based Distribution Group..........................................................204 Before You Begin.........................................................................................................204 Procedure ....................................................................................................................205 How to Verify That a Query-Based Distribution Group Is Working Correctly .................206 Procedure ....................................................................................................................206 Combining Multiple Query-Based Distribution Groups ...................................................207 How to Add Query-Based Distribution Groups as Members of a Distribution Group .....208 Procedure ....................................................................................................................208 Managing Recipients.......................................................................................................209 Notes for Exchange 5.5 Administrators ..........................................................................209 Managing Recipients with Recipient Policies..................................................................211 Creating a Recipient Policy.............................................................................................211 Select the Property Sheets ..........................................................................................213 Name the New Policy ..................................................................................................213 Create a Filter ..............................................................................................................213 Configure the Settings .................................................................................................214 Set the Priority and Apply the Policy ...........................................................................214 How to Create a Recipient Policy ...................................................................................215 Procedure ....................................................................................................................215 For More Information ...................................................................................................219 Managing Recipient Settings ..........................................................................................219 Configuring Message Settings for Mailbox-Enabled Recipients.....................................219 How to Navigate to the Exchange General Tab .............................................................220 Procedure ....................................................................................................................221 Delivery Restrictions .......................................................................................................222 Delivery Options..............................................................................................................224 Storage Limits .................................................................................................................224 Exchange Advanced Settings for Mailbox-Enabled Recipients ......................................225 Setting Custom Attributes ............................................................................................225 Assigning Mailbox Rights.............................................................................................225

How to Get to the Exchange Advanced Tab...................................................................227 Procedure ....................................................................................................................227 Configuring Message Settings for Mail-Enabled Recipients...........................................228 Distribution Groups .........................................................................................................230 Understanding Address Lists ..........................................................................................231 Address Lists Described .................................................................................................232 Creating Address Lists ....................................................................................................234 How to Create an Address List .......................................................................................236 Before You Begin.........................................................................................................236 Procedure ....................................................................................................................237 Offline Address Lists .......................................................................................................238 How to Populate the Default Offline Address List...........................................................240 Before You Begin.........................................................................................................240 Procedure ....................................................................................................................241 How to View System Public Folders ...............................................................................242 Before You Begin.........................................................................................................243 Procedure ....................................................................................................................243 Customizing the Details Templates ................................................................................243 How to Customize the Details Template.........................................................................246 Procedure ....................................................................................................................247 Recipient Update Service................................................................................................250 How to Create a New Recipient Update Service ............................................................251 Before You Begin.........................................................................................................251 Procedure ....................................................................................................................251 How to Change the Update Interval of the Recipient Update Service............................253 Procedure ....................................................................................................................253 Managing Exchange Clusters in Exchange Server 2003 ...............................................253 Reviewing Exchange Clusters ........................................................................................254 Reviewing the Exchange Resources Associated with Exchange Clusters.....................255

Understanding How Failover Works in an Exchange Cluster .........................................258 Using Cluster Administrator to Manage Exchange Clusters...........................................260 How to Open Cluster Administrator ................................................................................261 Before You Begin.........................................................................................................261 Procedure ....................................................................................................................261 Customizing Your Exchange Cluster Configuration........................................................262 Configuring Exchange Virtual Server Settings................................................................263 How to Access the Properties of an Exchange Virtual Server Using Cluster Administrator .....................................................................................................................................264 Before You Begin.........................................................................................................264 Procedure ....................................................................................................................265 Specifying Preferred Owners ..........................................................................................265 How to Specify a List of Preferred Owners for an Exchange Virtual Server Using Cluster Administrator................................................................................................................267 Before You Begin.........................................................................................................268 Procedure ....................................................................................................................268 Specifying Failover Options ............................................................................................269 How to Specify Failover Options for an Exchange Virtual Server Using Cluster Administrator................................................................................................................270 Before You Begin.........................................................................................................270 Procedure ....................................................................................................................271 Considering Other Factors That Affect Failover .............................................................272 How to Add the MsgHandleThreshold Registry Key Value ............................................273 Before You Begin.........................................................................................................273 Procedure ....................................................................................................................274 Setting Failback Options .................................................................................................274 How to Specify the Failback Options for an Exchange Virtual Server Using Cluster Administrator................................................................................................................276 Before You Begin.........................................................................................................276 Procedure ....................................................................................................................277 Configuring Exchange Cluster Resources ......................................................................278

How to Access the Properties of an Exchange Cluster Resource Using Cluster Administrator................................................................................................................280 Before You Begin.........................................................................................................280 Procedure ....................................................................................................................280 How to Change the IP Address of an Exchange Virtual Server .....................................281 Before You Begin.........................................................................................................281 Procedure ....................................................................................................................281 Specifying Possible Owners ...........................................................................................283 How to Specify the Possible Owners for an Exchange Resource Using Cluster Administrator................................................................................................................285 Before You Begin.........................................................................................................285 Procedure ....................................................................................................................285 Specifying a Separate Resource Monitor .......................................................................286 How to Run an Exchange Resource in a Separate Resource Monitor Using Cluster Administrator................................................................................................................287 Before You Begin.........................................................................................................287 Procedure ....................................................................................................................288 Understanding Resource Dependencies ........................................................................288 Adding Disk Resource Dependencies ............................................................................289 How to Make the Exchange System Attendant Dependent on a New Disk Resource...290 Procedure ....................................................................................................................290 Specifying Service Restart Options ................................................................................292 How to Adjust the Restart Options for an Exchange Resource Using Cluster Administrator................................................................................................................294 Before You Begin.........................................................................................................294 Procedure ....................................................................................................................295 Setting Polling Cluster Resources ..................................................................................296 Setting Pending States....................................................................................................296 How to Change the Length of Time That a Resource Remains Pending Before Failing Using Cluster Administrator .........................................................................................297 Before You Begin.........................................................................................................297 Procedure ....................................................................................................................298

Viewing the Exchange Virtual Server That Connects to a Protocol Resource ...............298 How to View the Exchange Virtual Server That Is Used to Connect the Protocol Resource Using Cluster Administrator .........................................................................................299 Before You Begin.........................................................................................................299 Procedure ....................................................................................................................299 Taking Exchange Virtual Servers or Exchange Resources Offline ................................300 How to Take an Exchange Virtual Server or Exchange Resource Offline Using Cluster Administrator................................................................................................................302 Before You Begin.........................................................................................................302 Procedure ....................................................................................................................303 Adding IMAP4 and POP3 Resources .............................................................................303 How to Add an IMAP4 or POP3 Virtual Server as a Resource to an Exchange Virtual Server ..........................................................................................................................304 Before You Begin.........................................................................................................304 Procedure ....................................................................................................................305 For More Information ...................................................................................................306 Adding a Node ................................................................................................................307 Adding an Exchange Virtual Server ................................................................................307 Removing an Exchange Virtual Server ...........................................................................308 How to Remove an Exchange Virtual Server from an Exchange Cluster.......................310 Before You Begin.........................................................................................................310 Procedure ....................................................................................................................311 For More Information ...................................................................................................312 Moving All Mailboxes and Public Folder Content ...........................................................312 How to Move Mailboxes from One Exchange Virtual Server to Another Server ............313 Procedure ....................................................................................................................313 For More Information ...................................................................................................314 How to Move Public Folder Content from One Exchange Virtual Server to Another Server .....................................................................................................................................314 Procedure ....................................................................................................................315 For More Information ...................................................................................................315 Taking the Exchange System Attendant Resource Offline.............................................315

How to Take the Exchange System Attendant Resource Offline ...................................315 Procedure ....................................................................................................................316 For More Information ...................................................................................................316 Using Cluster Administrator to Remove the Exchange Virtual Server............................316 How to Remove an Exchange Virtual Server Using Cluster Administrator ....................317 Before You Begin.........................................................................................................317 Procedure ....................................................................................................................317 For More Information ...................................................................................................318 Deleting the Remaining Cluster Resources ....................................................................318 How to Delete the Remaining Resources After Removing an Exchange Virtual Server 319 Before You Begin.........................................................................................................319 Procedure ....................................................................................................................319 For More Information ...................................................................................................320 Removing Exchange 2003 from a Cluster Node ............................................................320 How to Remove Exchange 2003 from a Node ...............................................................321 Before You Begin.........................................................................................................321 Procedure ....................................................................................................................322 Migrating an Exchange Cluster Node to a Stand-Alone (Non-Clustered) Server...........323 Monitoring Performance of an Exchange Cluster ...........................................................323 Monitoring Active/Passive Clusters.................................................................................324 Monitoring Active/Active Clusters ...................................................................................324 Monitoring Virtual Memory in a Cluster...........................................................................325 Deciding Which Virtual Memory Counters to Monitor .....................................................326 Enabling Exchange Logging ...........................................................................................329 Disabling MTA Monitoring on Nodes That Are Not Running MTA..................................330 How to Disable MTA Monitoring on an Exchange Virtual Server ...................................330 Before You Begin.........................................................................................................331 Procedure ....................................................................................................................331 Enabling SMTP Logging .................................................................................................332

How to Enable SMTP Logging and Log the Files to a Shared Disk ...............................332 Before You Begin.........................................................................................................332 Procedure ....................................................................................................................333 Tuning Servers in a Cluster ............................................................................................333 Removing Exchange 2000 Tuning Parameters ..............................................................334 Setting the /3GB Switch ..................................................................................................334 Configuring /Userva and System Pages .........................................................................335 Troubleshooting Your Exchange Clusters ......................................................................335 Identifying the Cause of a Failure ...................................................................................336 Performing Disaster Recovery on Your Exchange Clusters ...........................................338 Backing Up Data on an Exchange 2003 Server Cluster Node .......................................338 Recovering an Exchange 2003 Cluster ..........................................................................339 Managing Mailbox Stores and Public Folder Stores.......................................................340 Working with Permissions for Public Folders and Mailboxes .........................................341 Using Exchange Administrative Roles with Exchange Store Components ....................342 Understanding the Types of Permissions That Control Access to Mailboxes and Public Folders .........................................................................................................................344 Using Mailbox Permissions .............................................................................................345 Designating a User as a Mailbox Delegate.....................................................................346 How to Give a User the Ability to Send Mail on Behalf of a Public Folder......................347 Procedure ....................................................................................................................347 Using Public Folder Permissions ....................................................................................348 Understanding the Three Types of Public Folder Permissions.......................................348 Special Considerations for Working with Client Permissions .........................................349 Special Considerations for Coexisting Exchange 2003 and Exchange 5.5 Servers ......352 Designating a User as a Public Folder Delegate ............................................................354

Maintaining the Minimum Permissions Required for Mail-Enabled Public Folders ........354 Maintaining the Minimum Permissions Required for Mailbox Stores and Public Folder Stores...........................................................................................................................355 How to Restore the Permissions that Exchange Requires .............................................356 Procedure ....................................................................................................................356 Managing Storage Groups and Stores ...........................................................................357 Configuring Transaction Logs for a Storage Group ........................................................360 How to Configure Transaction Logs and Choose Other Storage Group Options...........361 Before You Begin.........................................................................................................361 Procedure ....................................................................................................................362 For More Information ...................................................................................................362 Moving Transaction Log Files to a Separate Drive.........................................................363 How to Configure New Locations for the Transaction Logs............................................364 Procedure ....................................................................................................................364 Using Circular Logging....................................................................................................364 Overwriting Deleted Data During Backup .......................................................................365 Adding a Storage Group .................................................................................................365 How to Create a New Storage Group .............................................................................366 Procedure ....................................................................................................................366 Mounting or Dismounting Stores.....................................................................................366 Moving Store Files to a New Directory............................................................................367 Configuring Store Maintenance and Backup Options.....................................................368 Configuring Mailbox Stores.............................................................................................370 Linking Mailbox Stores and Public Folder Stores ...........................................................372 Understanding Single Instance Message Storage..........................................................372 Adding a Mailbox Store ...................................................................................................373 How to Create a New Mailbox Store...............................................................................373 Procedure ....................................................................................................................373

Configuring the Default Mailbox Limits ...........................................................................375 Setting Up Mailbox Store Policies...................................................................................378 How to Apply a Policy to One or More Mailbox Stores ...................................................379 Before You Begin.........................................................................................................379 Procedure ....................................................................................................................379 Monitoring Mailbox Store Activity....................................................................................380 Configuring Public Folder Stores ....................................................................................382 Understanding the Relationship Between Mailbox Stores and Default Public Folder Stores...........................................................................................................................385 Creating a New Public Folder Store for an Existing Public Folder Tree .........................385 How to Create a Public Folder Store on a New Server for an Existing Tree ..................386 Procedure ....................................................................................................................386 Configuring a New Public Folder Tree and Public Folder Store .....................................386 How to Create a New Hierarchy and Public Folder Store...............................................387 Procedure ....................................................................................................................387 For More Information ...................................................................................................389 Configuring the Default Public Folder Limits...................................................................390 Configuring Limits on a Specific Public Folder Replica ..................................................393 How to View Additional Age Limit Settings .....................................................................393 Procedure ....................................................................................................................393 Setting Up Public Folder Store Policies ..........................................................................395 How to Apply a Policy to One or More Public Folder Stores ..........................................396 Procedure ....................................................................................................................396 Monitoring Public Folder Store Activity ...........................................................................397 Managing Mailboxes .......................................................................................................399 Creating a Mailbox ..........................................................................................................399 Deleting a Mailbox...........................................................................................................400 Deleting a Mailbox Without Deleting the User .............................................................400 Deleting a User Without Deleting Mailbox Data ..........................................................401

Recovering a Mailbox......................................................................................................401 How to Recover One or More Mailboxes on One or More Mailbox Stores.....................402 Before You Begin.........................................................................................................402 Procedure ....................................................................................................................402 For More Information ...................................................................................................403 Moving Mailboxes Using Exchange System Manager....................................................403 Managing Public Folders.................................................................................................404 Understanding Types of Public Folders ..........................................................................404 Understanding Public Folders and System Folders........................................................405 Understanding Content Replicas ....................................................................................408 Understanding Mail-Enabled Folders..............................................................................409 Understanding Public Folder Referrals ...........................................................................413 How to Configure a Connector to Allow or Block Referrals from One Routing Group to Another ........................................................................................................................414 Before You Begin.........................................................................................................414 Procedure ....................................................................................................................414 How to Configure an Exchange 2003 Server to Use a Specific List of Servers and Costs for Referrals .................................................................................................................416 Before You Begin.........................................................................................................416 Procedure ....................................................................................................................416 For More Information ...................................................................................................417 Understanding the Basic Process for Referring Clients..................................................418 Understanding Referrals in Mixed-Mode Topologies......................................................419 Referring Outlook Web Access in a Front-end/Back-end Topology ...............................419 Configuring Public Folders..............................................................................................422 Connecting to a Public Folder Store ...............................................................................423 Creating a New Public Folder .........................................................................................424 Propagating Folder Settings ...........................................................................................424 Configuring Individual Public Folder Limits .....................................................................425

Age Limit Settings and System Folders ..........................................................................428 Mail-Enabling a Public Folder .........................................................................................428 Configuring the Address Book Listing and E-Mail Alias..................................................429 Configuring E-Mail Addresses ........................................................................................433 Setting Delivery Restrictions ...........................................................................................435 Configuring a Forwarding Address .................................................................................437 Maintaining Public Folders..............................................................................................440 Viewing Public Folder Status ..........................................................................................440 Viewing Public Folder Content Using Exchange System Manager ................................442 Searching for Public Folders Using Exchange System Manager ...................................443 Moving Public Folders In a Public Folder Tree ...............................................................445 Maintaining the Organizational Forms Library ................................................................445 Understanding and Configuring Message Routing and Transport .................................446 Configuring Routing for Internal Mail Flow......................................................................447 How to Disable Outbound Mail .......................................................................................448 Procedure ....................................................................................................................448 How to Disable a Connector ...........................................................................................449 Procedure ....................................................................................................................449 How to Remove a Connector..........................................................................................449 Procedure ....................................................................................................................450 Understanding Routing Groups ......................................................................................450 How to Create a Routing Group.....................................................................................453 Before You Begin.........................................................................................................453 Procedure ....................................................................................................................454 How to Move a Server Between Routing Groups ...........................................................455 Procedure ....................................................................................................................455 How to Rename a Routing Group...................................................................................456

Procedure ....................................................................................................................457 How to Delete a Routing Group ......................................................................................457 Procedure ....................................................................................................................457 How to Configure the Options for a Routing Group ........................................................457 Procedure ....................................................................................................................458 Procedure ....................................................................................................................458 How to Specify a Remote Bridgehead Server for a Routing Group ...............................459 Before You Begin.........................................................................................................460 Procedure ....................................................................................................................460 Understanding Link State Information.............................................................................462 Understanding Routing Group Masters ..........................................................................463 Using Routing Groups in Native and Mixed Modes ........................................................464 Connecting Routing Groups............................................................................................465 How to Create an SMTP Connector for Internet Mail Delivery .......................................467 Procedure ....................................................................................................................468 How to Create an X.400 Connector ................................................................................472 Procedure ....................................................................................................................472 Connecting to the Internet...............................................................................................474 How to Use a Wizard to Configure Internet Mail.............................................................476 Before You Begin.........................................................................................................476 Procedure ....................................................................................................................476 Defining SMTP Dependencies........................................................................................480 Configuring SMTP...........................................................................................................482 Configuring a Dual-Homed Server Using the Wizard .....................................................483 Manually Configuring the Sending of Internet Mail .........................................................484 Verifying Outbound Settings on SMTP Virtual Servers ..................................................484 How to Verify an Outbound Port for Mail Delivery Is set to Port 25 ................................485 Procedure ....................................................................................................................486 How to Specify an External DNS Server That Is Used by the SMTP Virtual Server ......487

Procedure ....................................................................................................................487 Configuring an SMTP Connector ....................................................................................488 How to Route Mail for Outbound Delivery? .................................................................489 Which Servers to Use as Local Bridgehead Servers? ................................................490 Which Domains Should Be Included in the Address Space?......................................490 What Is Appropriate Scope for the Connector?...........................................................491 How to Enable Anonymous Access for an SMTP Connector .........................................492 Procedure ....................................................................................................................492 Customizing Mail Delivery...............................................................................................493 Verifying DNS Setup for Outbound Mail .........................................................................495 How to Enable Filtering to Control Junk E-Mail ..............................................................496 Procedure ....................................................................................................................496 Manually Configuring the Receipt of Internet Mail ..........................................................497 Configuring Recipient Policies ........................................................................................498 Verifying DNS Setup for Inbound Mail ............................................................................499 How to Verify the Inbound Port and IP Address .............................................................499 Procedure ....................................................................................................................500 Connecting to Exchange 5.5 Servers and Other X.400 Systems...................................501 How to Create an X.400 Protocol Stack .........................................................................502 Procedure ....................................................................................................................502 Customizing the X.400 Protocol......................................................................................505 Understanding X.400 Connectors...................................................................................507 Creating an X.400 Protocol Stack...................................................................................508 Creating an X.400 Connector .........................................................................................508 Configuring Additional Options on the X.400 Connector ................................................512 Overriding X.400 Properties............................................................................................513 Using Queue Viewer to Manage Messages ...................................................................517 How to Use the Find Messages Option ..........................................................................518

Procedure ....................................................................................................................519 Using SMTP Queues to Troubleshoot Message Flow....................................................520 How to Verify an SMTP Virtual Server Is Not Set to Open Relay...................................526 Procedure ....................................................................................................................526 How to Verify an SMTP Virtual Server Is Configured to Allow Anonymous Access.......528 Procedure ....................................................................................................................528 Using X.400 (MTA) Queues to Troubleshoot Message Flow .........................................529 How to Configure Diagnostic Logging for the X.400 Service (MSExchangeMTA) .........531 Procedure ....................................................................................................................531 Configuring Diagnostic Logging for SMTP......................................................................531 How to Enable Debug Level Logging..............................................................................532 Before You Begin.........................................................................................................532 Procedure ....................................................................................................................533 How to Modify Logging Settings .....................................................................................533 Procedure ....................................................................................................................533 Tools That Are Used with Exchange...............................................................................534 Services That Are Used by Exchange ............................................................................551 Configuration Settings for a Four-Node Cluster..............................................................558 Copyright.........................................................................................................................560

25

Administration Guide for Exchange Server 2003

Building on the solid foundation of Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003 Service Pack 1 (SP1) offers new features and improvements in reliability, manageability, and security. This guide will help you make the most of these improvements by explaining the core concepts of Exchange administration.

Preparing to Administer Your Exchange Server 2003 Environment

Before you start managing Microsoft Exchange Server 2003 Service Pack 1 (SP1), it is useful to understand the administration architecture that Exchange Server 2003 uses and how this architecture influences the tools that you can use to manage Exchange. Exchange 2003 interacts with and depends upon data in the Microsoft Active Directory directory service. It also stores and retrieves data from other places, including the mailbox store, the Microsoft Windows registry, and the Exadmin virtual directory. To access and manage Exchange data, there are two Microsoft Management Console (MMC) snap-insExchange System Manager and Active Directory Users and Computerswhere you will spend the majority of your time as an administrator. After understanding Exchange administration architecture and the tools that you can use to interact with Exchange, the next step is to determine how to efficiently use those tools. You might decide to set up a dedicated management station. You can then manage multiple servers in the organization by using this station. You might also decide to create a customized management console that combines separate MMC snap-ins in one console. You may even want to automate additional administrative tasks using the Exchange Software Development Kit (SDK).

26

Understanding Exchange Administration Architecture

Exchange 2003 uses Active Directory to store and share information with Windows. Therefore, all the directory information that you create and maintain in Windows, such as organizational unit structure and groups, can also be used from Exchange. The Active Directory schema can be extended to include custom attributes and object types to centralize and minimize data administration, and also to make data available to applications that can access Active Directory information. In fact, when you install your first Exchange server, Exchange 2003 extends the Active Directory schema to include Exchange-specific information. Extending the schema affects the whole forest and, depending on the size of Active Directory, may take a significant amount of time to complete. Because Active Directory serves as a single-source directory for all the objects in your organization, Exchange uses this information to reduce administrative overhead. With Active Directory, you can store and organize information about users, such as names, email addresses, and phone numbers. This information is stored as attributes of the user object. Exchange and other applications can use this information. For example, the address lists to which a recipient belongs are written as values to the ShowInAddressBook attribute in that recipient's Active Directory object. To create address lists, Exchange performs Lightweight Directory Access Protocol (LDAP) queries on each of these objects and retrieves the information stored in the ShowInAddressBook attributes. Note Because Exchange 2003 relies on Active Directory, make sure that you are familiar and comfortable with Active Directory terminology, structure, and navigation. For a comprehensive overview of Active Directory, review the documentation that came with your copy of Windows. Note Microsoft Exchange Server version 5.5 and earlier do not use Active Directory. If your messaging topology is in mixed mode (contains both Exchange 2003 and Exchange 5.5 or earlier), you can still use Active Directory by using Active

27 Directory Connector (ADC) to replicate directory information between the Exchange 5.5 directory and Active Directory.

Interacting with Active Directory

When you make changes to your Exchange organization or to an individual user account, you frequently interact with data in Active Directory. This interaction occurs through one of two MMC snap-ins, Exchange System Manager or Active Directory Users and Computers. The following figure shows how these two tools interact with Active Directory. Note In addition to Exchange System Manager and Active Directory Users and Computers, there are other tools that are useful for Exchange administration. For more information, see "Tools That Are Used with Exchange." Where Exchange System Manager and Active Directory Users and Computers get information

As this figure shows, all the information that you see (read) and work with (write) using Active Directory Users and Computers is stored in Active Directory. Most, but not all, of the information that Exchange System Manager reads and writes also comes from Active Directory. However, in addition to data in Active Directory, Exchange System Manager draws information from other sources, such as: MAPI Exchange System Manager uses MAPI to gather data from the Exchange store to display mailboxes.

28 Mailbox data gathered using MAPI and displayed in Exchange System Manager

Windows Management Instrumentation (WMI) Exchange System Manager uses the data supplied by WMI to display cached directory information (DSAccess, a cache of directory information that reduces the number of calls to your global catalog server) and queue information. Web Distributed Authoring and Versioning (WebDAV) Exchange System Manager uses the data supplied by WebDAV to display public folders using the Exadmin virtual directory. Note The location of the Exadmin virtual directory is in Internet Information Services (IIS) under the default Web site. If the default Web site service is stopped, you will not be able to display public folder information in Exchange System Manager.

29

Selecting the Right Management Tools

Although both Exchange System Manager and Active Directory Users and Computers provide access to Exchange-related data in Active Directory, typically you do not use them interchangeably. Generally speaking, you: Use Exchange System Manager for configuration data for the server and organization. Use Active Directory Users and Computers for recipient data.

To clarify these usage differences, the following table provides specific examples of when you can use Exchange System Manager, and when you can use Active Directory Users and Computers. Comparing Exchange System Manager and Active Directory Users and Computers
Use Exchange System Manager to Use Active Directory Users and Computers to

Manage your Exchange organization.

Manage Active Directory objects (recipients). Manage users. Move an individual's mailbox from one server to another server. Create distribution groups.

Manage servers. Move all mailboxes from one server to another server. Create public folders.

As this table shows, some tasks can be performed using either Exchange System Manager or Active Directory Users and Computers. For example, you can move mailboxes using either Exchange System Manager or Active Directory Users and Computers. The difference between the two approaches is whether you want to find all the users on a server or only a selected subset. When you want to quickly find all the users on a server, Exchange System Manager is the better choice. When you want to select users based on specific criteria, use Active Directory Users and Computers because by using this snap-in, you can create custom LDAP filters that can filter using virtually any criteria.

30 Tip In newsgroups or conversations with other Exchange administrators, some people refer to Exchange System Manager as ESM. Active Directory Users and Computers may be referred to as ADU&C or DSA (Directory Server Agent). Building on the previous overview of how Exchange System Manager and Active Directory Users and Computers work in the Exchange administration architecture, the next two sections explain Exchange System Manager and Active Directory Users and Computers in more detail. If you are already confident about using these tools, see "Deciding Where to Manage Exchange" for information about whether to use these tools through Remote Desktop, Terminal Server, or a dedicated management station.

Working with Exchange System Manager

Exchange System Manager (Exchange System Manager.msc) is a specialized MMC console that helps you manage your Exchange organization. When you perform a typical installation of Exchange 2003 onto a server, the installation wizard automatically installs the Exchange System Management Tools onto that server, also. Exchange System Manager provides a consistent administrative experience for administrators who deal with all facets of Exchange server management, including public folders, servers, routing, and policies. For detailed instructions, see How to Open Exchange System Manager. As shown in the following figure, the left pane of Exchange System Manager is the console tree.

31 Exchange System Manager hierarchy

The top node of this tree is the root organization node that contains all the Exchange containers. Each of these containers gives you access to specific administrative features in Exchange. The following table describes what you can do with each of these containers. Exchange System Manager containers
Container Description

Global Settings

Includes features to configure system-wide settings. These settings apply to all servers and recipients in an Exchange organization.

32
Container Description

Recipients

Includes features to manage objects and settings for recipients in your organization. You can manage address lists, offline address lists, recipient update services, recipient policies, mailbox management settings, details templates, and address templates. Includes features to manage administrative groups. Each group is a collection of Active Directory objects that are grouped together for permissions management. Each administrative group can contain policies, routing groups, public folder hierarchies, and servers. Note This container only appears if you have created administrative groups for your organization.

Administrative Groups

Servers

Holds server-specific configuration objects, such as Queues, Mailbox stores, Public Folder stores, and Protocols information. Contains policies that affect the system's configuration settings. Policies are collections of configuration settings that are applied to one or more Exchange objects in Active Directory.

System Policies

33
Container Description

Routing Groups

Defines the physical network topology of Exchange servers. An Exchange mail system, or organization, includes one or more servers running Exchange. Unless you plan a small Exchange installation, you will probably have more than one Exchange server. In some organizations, these servers are connected by reliable, permanent connections. Groups of servers that are linked in this way should be organized in the same routing group. Note This container only appears if you have created routing groups for your organization.

Folders

Displays public folder hierarchies. A public folder stores messages or information that can be shared with all designated users in your organization. Public folders can contain different types of information, from simple messages to multimedia clips and custom forms. Contains tools that help you to monitor your Exchange organization, track messages, and recover mailboxes.

Tools

Using Exchange System Manager and its containers, you can: Use Properties of the root node to configure Exchange 2003 to display or not display routing groups and administrative groups in the console tree. Manage your Exchange organization by setting properties on different containers under the root node in the console tree. For example, you can delegate administrative permissions at the organization level in Exchange System Manager, or at an administrative group level using the Exchange Delegation Wizard.

34 Set permissions on a specific server by modifying the permissions settings in the server's Properties dialog box.

How to Open Exchange System Manager

Exchange System Manager helps you manage your Exchange organization. This procedure outlines how to open Exchange System Manager. The following figure shows how Exchange System Manager appears on the screen. Exchange System Manager hierarchy

35

Procedure
To open Exchange System Manager Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.

Working with Active Directory Users and Computers

You use Active Directory Users and Computers to manage recipients. Active Directory Users and Computers is an MMC snap-in that is a standard part of Microsoft Windows Server operating systems. However, when you install Exchange 2003, the setup wizard automatically extends the functionality of Active Directory Users and Computers to include Exchange-specific tasks. Note If the Active Directory Users and Computers snap-in is installed on a computer that does not have Exchange or the Exchange management tools installed, you will not be able to perform Exchange tasks from that computer. You start Active Directory Users and Computers from either an Exchange server or from a workstation that has the Exchange System Management Tools installed. For detailed instructions, see How to Open Active Directory Users and Computers. The following figure shows how Active Directory Users and Computers appears on the screen.

36 Active Directory Users and Computers hierarchy

The left pane of Active Directory Users and Computers is the console tree that shows your fully qualified domain name at the root level. Click the + (plus) sign to expand the root container. Under the root container are several default containers: Builtin Container for built-in user accounts. Computers Default container for computer objects. Domain Controllers Default container for domain controllers. ForeignSecurityPrincipals Container for security principals from trusted external domains. Administrators should not manually change the contents of this container. Users Default container for user objects.

37 In addition to the default containers, you can organize directory objects in logical units by creating containers named organizational units. For example, you can create an organizational unit for your marketing group that holds all the directory objects associated with your company's marketing department. Organizational units are useful for applying Group Policy settings and for organizing objects in a meaningful way. For more information about organizational units, see the Windows documentation. After you have organized the containers in Active Directory Users and Computers, you can then use those containers to: Create recipients. Perform Exchange-specific tasks. Manage multiple Exchange domains.

How to Open Active Directory Users and Computers

Active Directory Users and Computers is an MMC snap-in that is a standard feature of Microsoft Windows Server operating systems. However, when you install Exchange 2003, the setup wizard automatically extends the functionality of Active Directory Users and Computers to include Exchange-specific tasks. Active Directory Users and Computers is used to manage recipients. This procedure outlines how to open Active Directory Users and Computers.

Before You Begin

If the Active Directory Users and Computers snap-in is installed on a computer that does not have Exchange or the Exchange management tools installed, you cannot perform Exchange tasks from that computer. You start Active Directory Users and Computers from either an Exchange server or from a workstation that has the Exchange System Management Tools installed.

38

Procedure
To open Active Directory Users and Computers 1. Click Start, and then click Run. 2. In the Open box, type dsa.msc, and then click OK. or Click Start, point to All Programs, point to Microsoft Exchange, and then click Active Directory Users and Computers.

The following figure shows how Active Directory Users and Computers appears on the screen.

39 Active Directory Users and Computers hierarchy

Creating Recipients
After Exchange has extended Active Directory Users and Computers, you can mailenable or mailbox-enable an object, and thereby turn the Active Directory object into a recipient. However, not all objects can be mail-enabled or mailbox-enabled. For example, you can create a mailbox for a user object or a mail-enabled group object, but you cannot

40 do either for a computer object. Therefore, the Active Directory objects that are of most interest to you as an Exchange administrator are: Users InetOrgPerson objects Contacts Groups Query-based distribution groups

For more information about creating recipients, see "Managing Recipients and Recipient Policies in Exchange Server 2003."

Performing Exchange Tasks

In Active Directory Users and Computers, you can select a user or a group object, and then use the Exchange Task Wizard to perform a variety of tasks that are specific to that object. These tasks depend on the type of object that you select and its current attributes. For example, the Exchange Task Wizard will not allow you to create a mailbox for a contact because contacts can only be mail-enabled, not mailbox-enabled. Likewise, selecting a user who already has a mailbox means that the Exchange Task Wizard allows you to the delete the user's mailbox, but not to create another mailbox. Here is the complete list of Exchange-specific tasks that Exchange Task Wizard can perform: Create mailboxes Move mailboxes Delete mailboxes Designate an e-mail address Configure Exchange features Remove Exchange attributes Delete e-mail addresses Hide group membership

41 Associate external accounts

For detailed instructions on how to use Exchange Task Wizard to perform one of these tasks, see How to Perform an Exchange-Specific Task in Active Directory Users and Computers.

How to Perform an Exchange-Specific Task in Active Directory Users and Computers

You can use the Exchange Task Wizard to perform a variety of tasks that are specific to a user or an object in Active Directory Users and Computers. Exchange Task Wizard performs the following Exchange-specific tasks: Create mailboxes Move mailboxes Delete mailboxes Designate an e-mail address Configure Exchange features Remove Exchange attributes Delete e-mail addresses Hide group membership Associate external accounts

The following procedure outlines how to perform an Exchange-specific task in Active Directory Users and Computers.

Before You Begin

If the Active Directory Users and Computers snap-in is installed on a computer that does not have Exchange or the Exchange management tools installed, you will not be able to perform Exchange tasks from that computer.

42 You start Active Directory Users and Computers from either an Exchange server or from a workstation that has the Exchange System Management Tools installed. For detailed information, see How to Open Active Directory Users and Computers.

Procedure
To perform an Exchange-specific task In Active Directory Users and Computers, right-click a user or group object, and then click Exchange Tasks.

Managing Exchange in Multiple Domains

You can use Active Directory Users and Computers to manage Exchange in more than one domain in a forest. To do this, you must connect to the domain that you want. For detailed instructions, see How to Manage Exchange in Another Domain.

How to Manage Exchange in Another Domain

You can use Active Directory Users and Computers to manage Exchange in more than one domain in a forest. This procedure outlines how to manage Exchange in another domain.

Before You Begin

If the Active Directory Users and Computers snap-in is installed on a computer that does not have Exchange or the Exchange management tools installed, you will not be able to perform Exchange tasks from that computer.

43 You start Active Directory Users and Computers from either an Exchange server or from a workstation that has the Exchange System Management Tools installed. For detailed information, see How to Open Active Directory Users and Computers.

Procedure
To manage Exchange in another domain In Active Directory Users and Computers, right-click the root object in the console tree, and then select Connect to Domain. Note You must have the appropriate permissions for the target domain.

Deciding Where to Manage Exchange

Knowing the basics of how to use Exchange System Manager and Active Directory Users and Computers is just the beginning of managing Exchange 2003. The next step is to decide whether to use these tools at a particular location in your Exchange environment. During a typical installation of an Exchange 2003 server, the setup wizard installs Exchange System Manager and extends Active Directory Users and Computers directly on the server. To use these tools, you log on to the server itself. However, it is a good idea to limit direct interaction with the server to avoid exposure to unwanted practices. For example, you may have to directly log on to a server to move log files, but in doing so, you may accidentally delete system files or inadvertently introduce viruses. To minimize directly logging on to the server, you can use Remote Desktop, Terminal Server, or a dedicated management station. The following table outlines some of the inherent advantages and disadvantages of these various approaches to Exchange management.

44 Administration scenarios
Management scenario Advantages Disadvantages

Logging directly on to the server (Console session)

No extra setup required. No extra hardware required.

Increased risk. Administrators can inadvertently delete files or introduce viruses. Increased risk. Administrators can inadvertently delete files or introduce viruses. Number of remote connections is limited to the number of Terminal Server licenses purchased. Extra setup required. Extra hardware required.

Using Remote Desktop or Terminal Server

No extra setup required. Can manage from outside the data center. Administrators can perform most tasks without leaving their desks.

Using a dedicated management station

Decreased risk. Can put management station in convenient location.

For more information about using a dedicated management station, see Setting Up a Management Station Using Windows XP Professional SP1 or Later. Directly logging on to the server requires no special setup. If you decide to use Remote Desktop or Terminal Server, the best source for setup information is the documentation that came with your copy of Windows.

45

Setting Up a Management Station Using Windows XP Professional SP1 or Later

By installing Exchange System Manager and the Active Directory Users and Computers snap-in on a dedicated management workstation, you can avoid some of the risks outlined in Deciding Where to Manage Exchange. The following checklist summarizes the steps to set up a management station using Windows XP Professional SP1 or later. Management Station Setup Checklist __ Install Microsoft Windows XP Professional SP 1 or later on the workstation. __ Join the workstation to the domain with Exchange 2003. __ Install the Windows Administrative Tools Pack on the workstation. __ Install the Simple Mail Transfer Protocol service (SMTPSVC) on the workstation. This step is not necessary if you are installing the Exchange System Management Tools on a computer running Windows XP Professional SP2 or later. __ Install the Exchange System Management Tools on the workstation. __ Shut down the SMTPSVC service on the workstation. For more information about installing Windows XP Professional SP1 or later and adding the workstation to the domain, see your Windows XP Professional documentation. For detailed instructions on how to perform the steps in the checklist, see How to Set Up a Management Station Using Windows XP Professional SP1 or Later.

46 Note To manage Exchange 2003, the workstation must be joined to the same forest as your Exchange servers. You cannot manage domains in a different forest.

How to Set Up a Management Station Using Windows XP Professional SP1 or Later

To minimize the need to directly log on to the server, you can use a dedicated management station for Exchange management. This procedure describes the steps to set up a management station using Windows XP Professional SP1 or later.

Procedure
To set up a management station 1. Install Microsoft Windows XP Professional SP 1 or later on the workstation. For more information about installing Windows XP Professional SP1 or later and adding the workstation to the domain, see your Windows XP Professional documentation. 2. Join the workstation to the domain with Exchange 2003. To manage Exchange 2003, the workstation must be joined to the same forest as your Exchange servers. You cannot manage domains in a different forest. 3. Install the Windows Administrative Tools Pack on the workstation. For more information, see How to Install the Windows Administrative Tools Pack. 4. Install the Simple Mail Transfer Protocol service (SMTPSVC) on the workstation. For more information, see How to Install the SMTP Service. Note You do not need to install the SMTP service for Windows XP Professional SP2 or later. 5. Install the Exchange System Management Tools on the workstation: For detailed

47 steps, see How to Install the Exchange System Management Tools. 6. Shut down the SMTPSVC service on the workstation. After installing the Exchange System Management Tools, disable the SMTPSVC and NntpSvc services because you only need these services to install the Exchange System Management Tools.

Installing the Windows Administrative Tools Pack

After you have installed Windows XP Professional SP1 onto the workstation, you must install the Windows Administrative Tools Pack. By installing this tools pack, you can use the workstation to remotely manage servers running Windows XP Professional. For detailed information about installing the Windows Administrative Tools Pack, see How to Install the Windows Administrative Tools Pack.

How to Install the Windows Administrative Tools Pack

This procedure outlines how to install the Windows Administrative Tools Pack. By installing the Windows Administrative Tools Pack, you can use the workstation to remotely manage servers running Windows XP Professional.

Before You Begin

You must set up a management station before you install the Windows Administrative Tools Pack. To set up a management station, follow these steps:

48 1. Install Microsoft Windows XP Professional SP 1 or later on the workstation. For more information about installing Windows XP Professional SP1 or later and adding the workstation to the domain, see your Windows XP Professional documentation. 2. Join the Windows XP Professional workstation to the domain that includes the Exchange 2003 organization.

Procedure
To install the Windows Administrative Tools Pack On the dedicated management workstation, locate Microsoft Knowledge Base Article 304718, How to use the Administration Tools Pack to remotely administer computers that are running Windows Server 2003, Windows XP, or Windows 2000, and follow the instructions.

For More Information

For more information, see How to Set Up a Management Station Using Windows XP Professional SP1 or Later.

Installing the SMTP Service

After installing the Windows Administrative Tools Pack, you must install the SMTP service on the workstation. Installing the SMTP service allows you to install the Exchange System Management Tools. For detailed instructions about installing the SMTP Service, see How to Install the SMTP Service. Note If you are installing the Exchange System Management Tools on a computer running Windows XP Professional SP2 or later, you do not need to install the SMTP service.

49

How to Install the SMTP Service

This procedure explains how to install the SMTP service. Installing the SMTP service allows you to install the Exchange System Management Tools. This procedure is not necessary if you are installing the Exchange System Management Tools on a computer running Windows XP Professional SP2 or later.

Before You Begin

Before you install the SMTP service, you must complete the following steps, which are necessary to set up a management station: 1. Install Microsoft Windows XP Professional SP 1 or later on the workstation. 2. Join the workstation to the domain with Exchange 2003. 3. Install the Windows Administrative Tools Pack on the workstation.

Procedure
To install the SMTPSVC service 1. On the dedicated management workstation, open Add or Remove Programs, and then click Add/Remove Windows Components. 2. Select Internet Information Services (IIS), and then click Details. 3. Select the SMTP Service component check box. 4. Click OK, click Next, and then click Finish.

For More Information

For more information, see How to Set Up a Management Station Using Windows XP Professional SP1 or Later.

50

Installing the Exchange System Management Tools

After you install the required prerequisites, you are ready to run Exchange setup. You can also install the management tools on the following operating systems. The following lists include the requirements that you must fulfill before you install the Exchange Management Tools on each operating system. For detailed information about installing the Exchange System Management Tools, see How to Install the Exchange System Management Tools.

Windows Server 2003

Internet Information Services (IIS) Manager

Windows 2000 Professional SP3 or later

Internet Information Services (IIS) snap-in Windows 2000 version of the Administrative Tools Pack

Windows 2000 Server SP3 or later

Internet Information Services (IIS) snap-in SMTPSVC service running Network News Transfer Protocol (NntpSvc) service running

51

How to Install the Exchange System Management Tools

This procedure outlines how to install the Exchange System Management Tools.

Before You Begin

Before you install the Exchange System Management Tools, you must complete the following steps, which are necessary to set up a management station: 1. Install Microsoft Windows XP Professional SP 1 or later on the workstation. 2. Join the workstation to the domain with Exchange 2003. 3. Install the Windows Administrative Tools Pack on the workstation. 4. Install the Simple Mail Transfer Protocol service (SMTPSVC) on the workstation.

Procedure
To install the Exchange System Management Tools 1. On the dedicated management workstation, insert the Exchange 2003 Setup CD into the workstation's CD drive, and then locate <drive>: \setup\i386\setup.exe. 2. On the Component Selection page, do the following: Under Component Name, locate Microsoft Exchange. In the corresponding Action column, select Custom. Under Component Name, locate Microsoft Exchange System Management Tools. In the corresponding Action column, select Install (see figure below). Microsoft Exchange System Management Tools installation option

52

3. Click Next, and continue with the wizard.

For More Information

For more information, see How to Set Up a Management Station Using Windows XP Professional SP1 or Later.

53

Shutting Down SMTP and NNTP Services

After installing the Exchange System Management Tools, disable the SMTP and NNTP services because you only need these services to install the Exchange System Management Tools. Generally, it is a good security practice to shut down any unnecessary services.

Using Custom Consoles

MMC provides a framework for management tools (that is, snap-ins). Although MMC is not a tool itself, snap-in tools cannot be run independent of it. Opening a snap-in at the command prompt or the Start menu automatically causes the snap-in to open in a separate MMC window. As an alternative to opening an MMC snap-in in its own window, you can create a custom console. This custom console is a single instance of MMC that houses all the snap-in tools that you use regularly. As an Exchange administrator, you may want to create a custom console that consolidates Exchange System Manager and Active Directory Users and Computers. For example, The following figure shows a custom console that houses Exchange System Manager, Active Directory Users and Computers, and Event Viewer. Note You can use a custom console regardless of where you decide to manage Exchangeby directly logging onto the server, by using Remote Desktop or Terminal Server, or by using a dedicated management workstation.

54 A custom console that contains Exchange System Manager, Active Directory Users and Computers, and Event Viewer

As shown in this figure, the user interface (UI) of a custom console is the same as that of the individual snap-ins. In the left pane is the console tree. The console tree shows a hierarchical view of the different containers of the various snap-ins. On the right is the details pane, where you can manage the different objects in the containers by rightclicking an object and selecting an appropriate command for that object.

Creating Custom Consoles

In addition to creating a custom console to help you manage Exchange, you can create custom consoles for different administrators or different tasks.

55 To create a custom MMC console, there are two steps. First, you create a new instance of MMC, and then you add the snap-ins that you want to the instance. For detailed instructions, see How to Create Custom Consoles.

How to Create Custom Consoles

You can create a custom console to help you manage Exchange. You also can create custom consoles for different administrators or different tasks. This procedure outlines how to create a custom console.

Procedure
To create a custom MMC console 1. Create a new instance of MMC. For detailed information, see How to Create a New Instance of MMC. 2. Add the snap-ins that you want to the instance of MMC. For detailed information, see How to Add Snap-Ins to MMC.

How to Create a New Instance of MMC

The Microsoft Management Console (MMC) provides a framework for management tools called snap-ins. A custom console is a single instance of MMC that houses all the snap-in tools that you use regularly. This procedure outlines how to create a new instance of MMC.

56

Procedure
To create a new instance of MMC 1. Click Start, and then click Run. 2. In the Open box, type MMC, and then click OK. This opens a blank MMC window (see the following figure: A new instance of MMC

3. Add the snap-ins that you want to use. For detailed steps, see How to Add Snap-Ins to MMC.

For More Information

For more information, see How to Create Custom Consoles.

57

How to Add Snap-Ins to MMC

This procedure outlines how to add snap-ins to the Microsoft Management Console (MMC). You can help users locate the components they need in the console by arranging items hierarchically or in groups on the console tree.

Procedure
To add snap-ins to MMC 1. In MMC, on the File menu, click Add/Remove Snap-in. 2. Click Add to open the Add Standalone Snap-in window. 3. Select the snap-in that you want to add from the list, and then click Add. For example, you can select Active Directory Users and Computers or Exchange System Manager. 4. Repeat Step 3 until you have added the snap-ins that you want. 5. Click Close, and then click OK.

Automating Administrative Tasks

In addition to Exchange System Manager, Active Directory Users and Computers, and the other tools described in this guide, Exchange Server 2003 provides technologies for accomplishing most administrative tasks programmatically. These technologies include Collaboration Data Objects for Exchange (CDOEX), CDO for Exchange Management (CDOEXM), and a large set of WMI providers. The Exchange SDK contains complete information about writing applications to manage, control, and extend Exchange, including many reusable code samples. You can

58 download the Exchange SDK or view it online from the Exchange developer center on MSDN.

Managing an Exchange Server 2003 Organization

When you install Microsoft Exchange Server 2003, you can join an existing organization or create a new organization, if one does not already exist. An Exchange organization defines your messaging environment. An organization includes all the Exchange servers, domain controllers, global catalog servers, users, and other Microsoft Active Directory directory service objects that function together as a single entity. Exchange organizations can include multiple Active Directory domains, but they cannot span multiple Active Directory forests. Note You cannot change the organization name after it is created. The configuration settings that you apply to an Exchange organization have the potential to affect all components in the organization. This chapter explains the basic administrative tasks that you can use to manage your Exchange organization. Use this chapter to understand what it means to promote an Exchange organization to native mode, how to apply global settings to control message formatting and Simple Mail Transfer Protocol (SMTP) message filtering, how to manage your organization and servers using administrative groups and system policies, and how permissions and standardized security roles work in Exchange.

59

Promoting an Exchange Server 2003 Organization from Mixed Mode to Native Mode
This topic gives you information about promoting an Exchange Server 2003 Organization from Mixed Mode to Native Mode.

Switching from Mixed Mode to Native Mode

Exchange Server 2003 and Exchange 2000 Server both take advantage of Active Directory, and therefore coexist in what is called a native mode organization. However, Exchange Server version 5.5 (and earlier) does not rely on Active Directory. This difference means that, when servers running either Exchange 2003 or Exchange 2000 coexist with servers running Exchange 5.5 (or earlier), the organization must run in what is named mixed mode. Some newer features and functionality in Exchange are unavailable when running in mixed mode. For example, routing groups function differently in mixed and native modes. Note For more information about routing groups, see Understanding and Configuring Message Routing and Transport. By default, a new Exchange 2003 organization runs in mixed mode until it is promoted to native mode. You can only promote an Exchange organization to native mode if there are no servers running Exchange 5.5 (or earlier), and if no instances of Site Replication Service (SRS) are running. Make sure that you have correctly upgraded all servers and any connectors before you switch to native mode. After you switch an organization to native mode, it can never return to mixed mode. This means you cannot add an Exchange 5.5 server to a native mode topology. For detailed instructions, see How to Switch from Mixed Mode to Native Mode.

60

How to Switch from Mixed Mode to Native Mode

By default, a new Exchange 2003 organization runs in mixed mode until it is promoted to native mode. This procedure outlines how to switch your Exchange Server from mixed mode to native mode.

Before You Begin

You can only promote an Exchange organization to native mode if there are no servers running Exchange 5.5 (or earlier), and if no instances of Site Replication Service (SRS) are running. Also, make sure that you have correctly upgraded all servers and any connectors before you switch to native mode. After you switch an organization to native mode, it can never return to mixed mode. This means you cannot add an Exchange 5.5 server to a native mode topology.

Procedure
To switch from mixed mode to native mode 1. In Exchange System Manager, right-click your Exchange organization, and then click Properties. 2. On the General tab (see the following figure), click Change Mode. Change Mode option on the General tab

61

For More Information

For more information about native and mixed modes, see the Exchange Server 2003 Deployment Guide and Planning an Exchange Server 2003 Messaging System.

62

Applying Global Settings in an Exchange Server 2003 Organization

Using global settings, you can configure system-wide settings in your Exchange organization. These settings can apply to all servers and recipients in an Exchange organization. This topic focuses on using global settings to configure the following: How SMTP converts MAPI messages to Multipurpose Internet Mail Extensions (MIME). How policies for SMTP domains control the formatting of messages that are destined for a domain and the types of automatic responses that can be sent to the domains. How Exchange delivers messages organization-wide.

Global settings are also available for Exchange ActiveSync and Microsoft Outlook Mobile Access.

Associating File Name Extensions with MIME

Internet message formats are used when messages are sent to or received from an Internet client. When a user sends mail from a MAPI client, such as Microsoft Outlook, to an Internet client, such as Outlook Express, SMTP converts the message from Microsoft rich text format (RTF) to MIME. The file name extensions that you define for each MIME type enable clients to recognize mail attachments and open them. By default, several content types are associated with file name extensions. Generally, the default associations are sufficient for content conversion. For detailed instructions on manage associations for file name extensions, see How to Manage Associations for File Name Extensions.

63

How to Manage Associations for File Name Extensions

Internet message formats are used when messages are sent to or received from an Internet client. The file name extensions that you define for each MIME type enable clients to recognize mail attachments and open them. By default, several content types are associated with file name extensions. This procedure outlines how you can manage the associations for file name extensions.

Procedure
To manage associations for file name extensions 1. In Exchange System Manager, expand Global Settings, right-click Internet Message Formats, and then click Properties. 2. On the General tab (see the following figure), use the following options: To associate a new file name extension with a MIME type, click Add. To prioritize the associated extension that Exchange uses with each MIME type, click Move Up to move the extension up the list or Move Down to move the extension down the list. If two associated extensions exist for a single MIME type, Exchange uses the extension that appears higher on the list.

List of MIME content types on the General tab

64

Configuring SMTP Policies to Control Outbound Mail Formatting and Automatic Responses
You can use Internet message formats to define SMTP policies that control the format of messages that are sent to the Internet, or to specific external SMTP domains. These policies also control what types of automatic responses, such as out-of-office notifications, can be sent to Internet domains from users in your organization.

65 For each domain that is defined in Internet Message Formats, you can set the following properties: Message formatting options that determine how messages sent to this domain are encoded, and the language character set is used to display these messages. Advanced options that determine when messages are sent in Exchange RTF, how text is formatted, and what types of automatic responses, such as non-delivery reports (NDRs) or out-of-office notifications, are sent to this domain. Important Do not send mail exclusively in RTF because many non-Microsoft mail servers cannot read rich-text messages. Servers that cannot read rich-text messages provide their users with e-mail messages that include a Winmail.dat file attachment. To avoid this problem, make sure that your message settings do not use Exchange RTF exclusively.

Understanding the Default Policy

By default, an SMTP policy exists for the domain *. This domain encompasses all messages that are destined for the Internet. All messages that Exchange sends to the Internet use the settings on this policy. You can view this policy in the details pane when you select Internet Message Formats in Exchange System Manager, as shown in the following figure.

66 Default SMTP policy for all Internet domains

A policy must exist for the * domain. This policy controls how messages are sent to all external domains. You can modify the properties on this policy.

Creating a Policy for a New SMTP Domain

In addition to modifying the policy for the * domain, you can create other policies for specific SMTP domains.

67 Entering a policy name and an associated SMTP domain

For example, you want to communicate with a business partner who has an SMTP domain named contoso.com, and you want to allow out-of-office replies to be sent to this domain, but not to other external domains. You can create a new policy for the contoso.com domain that does exactly that. Because Exchange uses the SMTP policy that most closely matches the SMTP domain, all messages sent to Contoso users use the policy for the Contoso domain, but messages sent to any other SMTP domain use the default policy for the * domain. For detailed instructions, see How to Create a New Policy for a New SMTP Domain.

68

How to Create a New Policy for a New SMTP Domain

You can use Internet message formats to define SMTP policies that control the format of messages that are sent to the Internet, or to specific external SMTP domains. These SMTP policies also control what types of automatic responses, such as out-of-office notifications, can be sent to Internet domains from users in your organization. You can create policies for specific SMTP domains. This procedure outlines how to create a new policy for a new SMTP domain.

Procedure
To create a new policy 1. In Exchange System Manager, expand Global Settings, right-click Internet Message Formats, point to New, and then click Domain. 2. On the General tab (see following figure), enter a policy name and the SMTP domain. Entering a policy name and an associated SMTP domain

69

Setting Message Formatting Options for a Policy

You can control how Exchange formats the messages that are sent to the domain or domains on a particular policy. You can have Exchange format these messages in either MIME or uuencode, so that non-MAPI clients can read these messages. Additionally, you can specify the character set that Exchange uses for outgoing messages. By default, all messages use the American Standard Code for Information Interchange (ASCII)

70 character set. For detailed instructions, see How to Set the Message Formats for a Policy.

How to Set the Message Formats for a Policy

You can control how Exchange formats the messages that are sent to the domain or domains on a particular policy. This procedure outlines how you can set the message formats for a policy.

Procedure
To set the message formats for a policy 1. In Exchange System Manager, right-click the policy, and then click Properties. 2. On the Message Format tab (see the following figure), select the message encoding and character sets that you want to use with this policy. Message Format tab for the Contoso policy

71

Controlling Automatic Replies and Advanced Formatting for a Policy

Beyond specifying the message encoding and character sets to be used with a policy, you can also specify the following options: When the policy uses Exchange rich-text format. Whether messages sent using the policy allow message text word wrapping.

72 What types of auto-responses can be sent to users in the domain or domains on the policy. For security purposes, you can prevent automatic responses to external domains. For example, you may want to prevent out-of-office responses.

For detailed instructions, see How to Set Advanced Properties for a Policy.

How to Set Advanced Properties for a Policy

You can specify advanced properties on a policy such as when the policy uses Exchange rich-text format, domains on the policy, and types of auto-responses that can be sent to users in the domain. This procedure outlines how you can set advanced properties for a policy.

Procedure
To set advanced properties for a policy 1. In Exchange System Manager, right-click the policy, and then click Properties. 2. On the Advanced tab (see the following figure), select the appropriate options. Note Do not select Always use under Exchange rich-text format, unless you are configuring a policy for a domain whose users always use MAPI clients. Advanced tab for the Contoso policy

73

Configuring Message Delivery Options

You can use the Message Delivery Properties dialog box to configure the following message delivery options: Default message delivery options, including message size restrictions for sending and receiving messages, and the maximum number of recipients that a message can have.

74 SMTP message filtering to control unsolicited commercial e-mail (also known as spam), using sender, connection, and recipient filtering.

For detailed instructions, see How to Access the Message Delivery Properties Dialog Box.

How to Access the Message Delivery Properties Dialog Box

You can use the Message Delivery Properties dialog box to configure default message delivery options and SMTP message filtering. This procedure outlines how you can access the Message Delivery Properties dialog box.

Procedure
To access the Message Delivery Properties dialog box In Exchange System Manager, expand Global Settings, right-click Message Delivery, and then click Properties.

Configuring Default Message Size and Recipient Limits

The Defaults tab in the Message Delivery Properties dialog box is where you configure the default restrictions.

75 Defaults tab in the Message Delivery Properties dialog box

For detailed instructions about changing the default message delivery settings, see How to Change the Default Message Delivery Options.

76

How to Change the Default Message Delivery Options

This procedure outlines how you can modify the default message delivery options. Exchange applies the settings for these options globally to all users. However, you can override these settings on a per-user basis in Active Directory Users and Computers. For information about how to override these settings, see Managing Recipients and Recipient Policies in Exchange Server 2003.

Procedure
To change the default message delivery options In the Message Delivery Properties dialog box, on the Defaults tab (see the following figure), select the appropriate options. Defaults tab in the Message Delivery Properties dialog box

77

The maximum message size that can be sent by users This is the Sending message size option, and it defaults to 10240 KB (users can send a message of any size). Based on your available network bandwidth and your user requirements, you may want to limit the maximum message size that is allowed in your organization. If a user tries to send a message that exceeds the specified size limit, the user receives a non-delivery report (NDR) and Exchange will not send the message. The maximum message size that can be received by users This is the Receiving message size option, and it defaults to 10240 KB (users can receive a message of any size). Again, based on network bandwidth and user requirements, you may want to limit the message size. Senders in your organization receive an NDR if they try to send a message to a user who exceeds the specified size limit. Depending on the NDR settings that you

78 configure in Internet Message Formats, external senders may or may not receive an NDR. Note For more information about Internet Message Formats, see Configuring SMTP Policies to Control Outbound Mail Formatting and Automatic Responses. The maximum number of recipients to which a single message can be sent This is the Recipient limits option, and it defaults to 5000 recipients. Recipients include all users on the To, Cc, and Bcc lines, and also expanded distribution lists. Select No limit to allow users to send and receive messages regardless of how many recipients to which the messages are addressed.

Configuring SMTP Message Filtering Options

Although you configure SMTP message filtering options in the Message Delivery Properties dialog box, you must enable the filtering options on the individual SMTP virtual servers where you want to apply the filtering. Exchange applies these filters during the SMTP session when a remote SMTP server connects to the SMTP virtual server. In Exchange 2003, you can configure sender filtering, connection filtering, and recipient filtering. Enabling filtering on an SMTP virtual server causes the virtual server to check the enabled filters when another SMTP server tries to send mail into the organization. Note Exchange applies SMTP message filters only to messages sent from external SMTP servers. Exchange does not apply SMTP message filters when servers send messages between themselves in an Exchange organization. This is because Exchange servers automatically authenticate with each other and filter only mail that is submitted anonymously.

79

Configuring Sender Filtering

By using sender filtering, you can block messages sent by specific senders. This is useful if you receive unsolicited commercial e-mail from particular domains or sender addresses. You can block these messages by enabling sender filtering. For detailed instructions, see How to Enable Sender Filtering.

How to Enable Sender Filtering

You can block messages sent by specific senders by using sender filtering. This approach is useful if you receive unsolicited commercial e-mail from particular domains or sender addresses. This procedure outlines how you can enable sending filtering. Although you configure SMTP message filtering options in the Message Delivery Properties dialog box, you must enable the filtering options on the individual SMTP virtual servers where you want to apply the filtering. Exchange applies these filters during the SMTP session when a remote SMTP server connects to the SMTP virtual server.

Procedure
To enable sender filtering 1. On the Sender Filtering tab of the Message Delivery Properties dialog box (see the following figure), click Add to add the SMTP address of a user or a particular domain from whom you want to block messages. You can block an individual sender, a whole domain, or a display name by entering the display name in quotes. Sender Filtering tab in the Message Delivery Properties dialog box

80

2. To have Exchange save any messages that sender filtering blocks to an archive folder (instead of automatically deleting these filtered messages), select Archive filtered messages. The archive folder is in the <drive>: \Program Files\Exchsrvr\Mailroot\vsi n\archivefolder, where n is the virtual server instance of the SMTP virtual server where sender filtering is enabled. 3. To block messages with a blank sender address (a technique that some senders of unsolicited commercial e-mail messages use), select Filter messages with blank sender. 4. To end the SMTP session when a sender matches an address on the sender filter, select Drop connection if address matches filter. 5. To accept messages from senders on the block list without sending notification to

81 the sender that mail was not delivered, select Accept messages without notifying sender of filtering.

Configuring Connection Filtering

Connection filtering blocks messages based on the Internet Protocol (IP) address of the connecting SMTP server. For connection filtering, you can configure connection filtering rules, configure exceptions, and configure global accept and deny lists. Configuring Connection Filtering Rules You can subscribe to a third-party block list provider and configure a connection filtering rule that checks against the provider's list of specific IP addresses. For detailed instructions, see How to Configure a Connection Filtering Rule. Note Specific configuration of connection filtering rules is dependent upon the block list provider. Configuring Exceptions You can specify whether specific SMTP addresses in your organization are allowed to receive messages from blocked IP addresses. For example, a connection filtering rule blocks a legitimate organization from sending mail to your organization. By entering your postmaster address as an exception to this connection filtering rule, an administrator from the legitimate organization can send an e-mail message to the postmaster in your organization to determine why his or her organization is blocked from sending mail. For detailed instructions, see How to Create a List of Exceptions to Connection Filtering Rules. Configuring Global Accept and Deny Lists If you either always want to accept mail or reject mail from specific IP addresses, you can configure a global accept or deny list. For detailed instructions, see How to Create Either a Global Accept or Deny List. Global accept list This list contains all the IP addresses from which you always want to accept mail. Exchange checks this list before checking any other filters. If the

82 connecting server's IP address appears on the global accept list, Exchange automatically accepts the mail and does not check any additional filters. Global deny list This list contains all the IP addresses from which you always want to reject mail. Exchange checks this list immediately after checking the global accept list. If an IP address appears on the global deny list, Exchange automatically rejects the mail and does not check any additional filters.

How to Configure a Connection Filtering Rule

Connection filtering blocks messages based on the Internet Protocol (IP) address of the connecting SMTP server. You can subscribe to a third-party block list provider and configure a connection filtering rule that checks against the provider's list of specific IP addresses. Specific configuration of connection filtering rules is dependent upon the block list provider. This procedure outlines how you can configure a connection filtering rule.

Procedure
To configure a connection filtering rule On the Connection Filtering tab (see the following figure) of the Message Delivery Properties dialog box, under Block List Service Configuration, click Add. Connection Filtering tab in the Message Delivery Properties dialog box

83

For More Information

For more information about connection filtering and how it works, see "Connection Filtering" in What's New in Exchange Server 2003.

84

How to Create a List of Exceptions to Connection Filtering Rules

You can specify whether specific SMTP addresses in your organization are allowed to receive messages from blocked IP addresses. This procedure outlines how to create a list of exceptions to connection filtering rules.

Procedure
To create a list of exceptions to connection filtering rules On the Connection Filtering tab (see the following figure) of the Message Delivery Properties dialog box, click Exception. Connection Filtering tab in the Message Delivery Properties dialog box

85

For More Information

For more information about connection filtering and how it works, see "Connection Filtering" in What's New in Exchange Server 2003.

86

How to Create Either a Global Accept or Deny List

If you either always want to accept mail or reject mail from specific IP addresses, you can configure a global accept or deny list. The global accept list contains all the IP addresses from which you always want to accept mail. The global deny list contains all the IP addresses from which you always want to reject mail. This procedure outlines how to create either a global accept or deny list.

Procedure
To create either a global accept or deny list On the Connection Filtering tab (see the following figure) of the Message Delivery Properties dialog box, click Accept to add an IP address to the global accept list or click Deny to add an IP address to the global deny list. Connection Filtering tab in the Message Delivery Properties dialog box

87

For More Information

For more information about connection filtering and how it works, see "Connection Filtering" in What's New in Exchange Server 2003What's New in Exchange Server 2003.

88

Configuring Recipient Filtering

Exchange 2003 also supports recipient filtering. Therefore, you can filter e-mail messages that are addressed to users who are not in Active Directory, or e-mail messages that are addressed to recipients who are frequently targeted by distributors of unsolicited commercial e-mail messages. You can use recipient filtering to filter messages that a sender sends to any e-mail address, existent or non-existent, in your organization. If a message is sent to any of the specified recipients, Exchange returns a 500-level error during the SMTP session. By default, Exchange accepts mail addressed to any recipient (invalid or valid), and then Exchange sends NDRs for all invalid recipients. Typically, unsolicited commercial e-mail is sent from invalid addresses. Therefore, Exchange retries delivery of NDRs to nonexistent senders and thereby wastes more resources. Enabling recipient filtering prevents Exchange from wasting resources in this way because you can filter e-mail that is sent to invalid recipients. You can use recipient filtering to reject mail that a sender sends to invalid recipients (recipients that do not exist in Active Directory). However, doing so potentially allows malicious senders to discover valid e-mail addresses. The SMTP virtual server issues different responses for valid and invalid recipients. By comparing the responses issued by the SMTP virtual server for valid and invalid recipients, malicious users can identify valid e-mail addresses in your organization. Note Recipient filtering rules apply only to anonymous connections. Authenticated users and Exchange servers bypass these validations. For detailed instructions on configuring recipient filtering, see How to Add a Recipient to the Recipient Filtering List.

89

How to Add a Recipient to the Recipient Filtering List

Exchange 2003 supports recipient filtering. Therefore, you can filter e-mail messages that are addressed to users who are not in Active Directory or e-mail messages that are addressed to recipients who are frequently targeted by distributors of unsolicited commercial e-mail messages. Recipient filtering rules apply only to anonymous connections. Authenticated users and Exchange servers bypass these validations.

Procedure
To add a recipient to the recipient filtering list On the Recipient Filtering tab (see the following figure) of the Message Delivery Properties dialog box, click Add. Recipient Filtering tab in the Message Delivery Properties dialog box

90

For More Information

For more information about connection filtering and how it works, see "Connection Filtering" in What's New in Exchange Server 2003What's New in Exchange Server 2003.

91

Creating and Managing Administrative Groups

In Exchange 5.5 (and earlier), a site defined both the administrative boundary and the physical routing topology for a group of servers. Exchange 2000 (and later) split the concept of a site into physical and logical components, as follows: Routing groups define the physical network topology of your Exchange servers. Administrative groups define a logical grouping of servers and other objects for the purpose of administration.

For more information about routing groups, see Understanding and Configuring Message Routing and Transport. This topic focuses only on administrative groups. An administrative group can contain any of the following Exchange objects: Servers Policies Routing groups Public folder trees

Administrative groups allow you to delegate specific administrative permissions, and define system policies for the administrative groups and the objects in the group. You can create system policies that control the administration of servers, mailbox stores, and public folder stores in an administrative group. The remainder of this section focuses on the following topics: Understanding the types of administrative models Displaying administrative groups Creating administrative groups Creating a system policy Moving objects between administrative groups Deleting administrative groups

92 Note Use the Exchange Administration Delegation Wizard to assign a specific group permission to manage an administrative group. For more information about the Exchange Administration Delegation Wizard, see Managing Exchange Server 2003 Permissions.

Understanding Exchange Server 2003 Administrative Models

This topic provides you with information about the different types of Administrative models in Exchange Server 2003.

Understanding the Types of Administrative Models

Because administrative groups are logical, you can create administrative groups based on locations, departments, or functions. For example, a global company with branches in different countries can create administrative groups to delegate functional tasks. In a native-mode organization, you could create a single administrative group that contains servers only and use this specialized server administration group to create policies for all the servers in your organization. You can then create another administrative group only for public folder administration, and then have a specialized team administer all public folders trees using this administrative group. However, before creating these various functional administrative groups, you must understand your organization's administrative model, as dictated by your organizational structure and your security policy. When you understand your organization's administrative model, you can then implement administrative groups to accurately reflect this model. This section presents the types of administrative models, and how these models affect your implementation of administrative groups. The administrative models discussed in this section are: Decentralized administrative model

93 Centralized administrative model Mixed administrative model

To illustrate these administrative models, the following sections show how to apply each of these models to a fictitious company named Contoso, Ltd. This fictitious company has global branches in North America, Europe, and Asia, as shown in the following figure. Branches in Contoso, Ltd

Note In a mixed-mode organization, each site becomes a single administrative group, and you cannot use the administrative models discussed in this section.

Using a Centralized Administrative Model

In a centralized model, one or several controlled administrative groups maintain complete control of the Exchange system. For example, the following figure shows how Contoso's administrative group in Seattle has complete control over the Exchange system of the company.

94 Centralized administrative model

This administrative model is similar to a data center where all administration tasks are performed by a single information technology group. This administrative model is typical in small-sized or medium-sized organizations, but can also be used in larger organizations that have high-bandwidth connectivity to all regional offices.

Using a Mixed Administrative Model

In a mixed model, administrative groups reflect both functional and geographic distribution. You create specialized administrative groups to restrict the management of certain functions to specific people, and create other groups to delegate administration along geographical lines. To illustrate this type of model, here are some sample administrative groups that you might want to create: To restrict who can create and maintain policies, you can create an administrative group only for managing policies, a functional task. To manage public folders in a specific region, you can create an administrative group only for managing a region's public folders, a geographical consideration.

95 You typically use the mixed administrative model in larger organizations that have many divisions or offices in many geographical locations. The mixed model can also apply when one company acquires another company. The following figure shows how Contoso applies a mixed administrative model to its organization. To centrally administer public folders and policies, Contoso created one central administrative group for administering public folders and another for administering policies. The remaining administrative groups are regional and allow regional control of other functions, such as routing groups. Mixed administrative model

96

Using a Decentralized Administrative Model

In a decentralized administrative model, complete control over management of the Exchange system is distributed among the company's geographical regions or divisions. In this type of model, each region or division controls its own assets and performs its own system administration. This type of organization probably has at least one administrative group in each division or group. Each location has its own team of Exchange administrators, who have full administrative control over objects in its administrative group. Many companies implement a decentralized model to help each company branch to function autonomously. For example, Contoso's global branches in the United States, Europe, and Asia each have control over an administrative group, a routing group, policies, servers, public folder trees, and other objects that are specific to that branch. Decentralized administrative model

97

Configuring Exchange Server 2003 Administrative Groups

This topic provides you with information about creating and managing Exchange Server 2003 Administrative Groups.

Displaying Administrative Groups

After installing Exchange in an Exchange 2003 or Exchange 2000 organization, Exchange System Manager does not automatically display administrative groups and routing groups. You must configure your Exchange organization to display administrative groups. After you have configured this setting, you can view the Administrative Groups container and create additional administrative groups for your organization. For detailed instructions, see How to Display Administrative Groups. Note If you install Exchange 2000 (or later) in an Exchange 5.5 site, Exchange enables administrative and routing groups by default. In this case, every Exchange 5.5 site appears as an administrative group.

How to Display Administrative Groups

After installing Exchange in an Exchange 2003 or Exchange 2000 organization, Exchange System Manager does not automatically display administrative groups and routing groups. You must configure your Exchange organization to display administrative groups. This procedure outlines how to display administrative groups.

98

Procedure
To display administrative groups 1. In Exchange System Manager, right-click your Exchange organization, and then click Properties. 2. On the General tab (see the following figure), select Display Administrative groups. Displaying administrative groups

3. Restart Exchange System Manager for the changes to apply.

99

For More Information

For more information, see Creating and Managing Administrative Groups.

Creating Additional Administrative Groups

In the default configuration of an Exchange organization, only one administrative group exists. You can either install all servers in this single administrative group, which is useful in a centralized administrative model, or you can create additional administrative groups and install servers in the appropriate administrative groups, based on your administrative model. By default, Exchange installs all servers in the First Administrative Group in the Server container. You can rename First Administrative Group, and add new system containers, but you cannot remove servers from the Server container in this group. For detailed instructions, see How to Create a New Administrative Group. Note In a mixed-mode organization, each Exchange 5.5 site becomes its own administrative group, and the administrative group name matches the site name. You can add servers to an administrative group only during installation. It is best to create the necessary administrative groups on the first Exchange server in your organization, and then install additional servers in the appropriate administrative groups. You can never move servers between administrative groups. New in SP1 You can move mailboxes between administrative groups in mixed mode. It is best to only move mailboxes across administrative groups in mixed mode under certain circumstances; for example, during site consolidation.

100

How to Create a New Administrative Group

In the default configuration of an Exchange organization, only one administrative group exists. You can either install all servers in this single administrative group, which is useful in a centralized administrative model, or you can create additional administrative groups and install servers in the appropriate administrative groups, based on your administrative model. This procedure outlines how to create a new administrative group.

Before You Begin

By default, Exchange installs all servers in the First Administrative Group in the Server container. You can rename First Administrative Group, and add new system containers, but you cannot remove servers from the Server container in this group. Note In a mixed-mode organization, each Exchange 5.5 site becomes its own administrative group, and the administrative group name matches the site name. You can add servers to an administrative group only during installation. It is best to create the necessary administrative groups on the first Exchange server in your organization, and then install additional servers in the appropriate administrative groups. You can never move servers between administrative groups. New in SP1 You can move mailboxes between administrative groups in mixed mode. It is best to only move mailboxes across administrative groups in mixed mode under certain circumstances; for example, during site consolidation.

Procedure
To create a new administrative group In Exchange System Manager, right-click Administrative Groups, point to New, and then click Administrative Group.

101

For More Information

For more information, see Planning an Exchange Server 2003 Messaging System and the Exchange Server 2003 Deployment Guide.

Moving Objects Between Administrative Groups

You can move some of the objects in an administrative group to a different group. However, there are other objects that you cannot move. Objects that you can move between administrative groups are as follows: System policies Public folders Routing group member servers (native mode only) Mailboxes in Exchange Server 2003 SP1 and later. It is best to move mailboxes across administrative groups in mixed mode under certain circumstances; for example, during site consolidation.

Objects that you cannot move between administrative groups are as follows: Servers Containers

You can move objects only between containers of the same type. For example, you can move a system policy from one system policy container to another system policy container in a different administrative group, but you cannot move a system policy into a public folder container. This type of action is blocked by default. For detailed instructions, see How to Move Objects Between Administrative Groups. Note When you are moving or copying objects between administrative groups, click Refresh to see the object in the new container.

102

How to Move Objects Between Administrative Groups

You can move some of the objects in an administrative group to a different administrative group. This procedure outlines how to move objects such as system policies or public folders between administrative groups.

Before You Begin

Objects that you can move between administrative groups are: System policies Public folders Routing group member servers (native mode only) Mailboxes in Exchange Server 2003 SP1 and later. It is best to move mailboxes across administrative groups in mixed mode under certain circumstances; for example, during site consolidation.

However, there are other objects that you cannot move. Objects that you cannot move between administrative groups are: Servers Containers

You can move objects only between containers of the same type. Note When you are moving or copying objects between administrative groups, click Refresh to see the object in the new container.

Procedure
To move system policies or public folders between administrative groups Cut the system policy or public folder from the source container, and paste it into

103 the target container. or Drag the system policy or public folder from the source container to the target container.

For More Information

For more information, see: Planning an Exchange Server 2003 Messaging System Exchange Server 2003 Deployment Guide Creating and Managing Administrative Groups

Deleting Administrative Groups

You can delete only administrative groups that contain no objects. After you have removed all the objects in an administrative group, you can delete it. For detailed instructions, see How to Delete an Administrative Group.

How to Delete an Administrative Group

You can delete only administrative groups that contain no objects. After you have removed all the objects in an administrative group, you can delete it. This procedure outlines how to delete an administrative group.

104

Procedure
To delete an administrative group In Exchange System Manager, expand Administrative Groups, right-click the administrative group that you want to delete, and then click Delete.

For More Information

For more information, see Creating and Managing Administrative Groups.

Configuring Exchange Server 2003 System Policies

A system policy is a collection of configuration settings that you apply to one or more servers, mailbox stores, or public folder stores. For example, to enable message tracking across multiple servers, you can define a single policy, instead of performing the lengthy task of setting individual policies to enable message tracking on each server. After defining and implementing the policies, you can change the configuration of all the servers in the organization by editing the policies and applying the changes. The system policies that you create for an administrative group typically apply to objects in that group. However, a system policy can apply to objects outside its own administrative group. For example, you can implement consistent message tracking options for all servers by creating a server policy in a central administrative group and applying it to all servers in your organization. Policies appear in the System Policies container under an administrative group.

105 System Policies container

There are three types of system policies: Public folder store policies Allow you to configure settings across public folder stores. Mailbox store policies Allow you to configure settings across mailbox stores. Server policies Allow you to enable message tracking options on servers.

Of the three types of system policies, this topic discusses only server policies in more detail.

106

Understanding How System Policies Affect Individual Settings

System policies use an apply-time implementation to affect configuration changes. You can create a policy, define settings for that policy, associate that policy with one or more servers or public folder stores, and then apply the policy. After you apply the policy, the corresponding settings that are specific to that individual object become unavailable and appear dimmed. This is because the policy, not the individual object, now controls those settings. For example, if you create a policy that enables message tracking and apply the policy to an Exchange server, the message tracking options for the server are unavailable. This configuration enables administrators to prevent more changes from being made to settings on individual objects that a policy controls.

107 Message tracking options disabled on a server

Creating a Server Policy

You use a server policy for message tracking and maintenance settings for message tracking log files. When you enable message tracking to track messages, Exchange stores messages in the message tracking log file. By enabling subject logging and display, you store message subjects in Message Tracking Center. You can view the

108 messages using Message Tracking Center. Message tracking and subject logging are explained in more detail in Configuring Exchange Server 2003 Settings. Before you can create a server policy (or, for that matter, any other system policy) in an administrative group, you must add a system policy container. After you have created the system policy container, you can then create a server policy. For detailed instructions about creating a system policy container, see How to Create a System Policy Container. For detailed instructions about creating a server policy, see How to Create a Server Policy.

How to Create a System Policy Container

A system policy is a collection of configuration settings that you apply to one or more servers, mailbox stores, or public folder stores. This procedure outlines how to create a system policy container.

Procedure
To create a system policy container In Exchange System Manager, expand Administrative Groups, right-click the administrative group, point to New, and then click System Policy Container. System Policies container

109

How to Create a Server Policy

You use a server policy for message tracking and maintenance settings for message tracking log files. This procedure outlines how to create a server policy.

Before You Begin

Before you can create a server policy (or, for that matter, any other system policy) in an administrative group, you must add a system policy container. For detailed information on creating a system policy container, see How to Create a System Policy Container. After you create a server policy, you must add servers to the policy. For detailed information on adding servers to a server policy, see How to Add Servers to a Server Policy.

110

Procedure
To create a server policy 1. In Exchange System Manager, expand Administrative Groups, expand the appropriate administrative group, right-click System Policies, point to New, and then click Server policy. 2. On the General (Policy) tab (see the following figure), select the following options: To log the message subject and make this subject visible when messages are tracked, select Enable subject logging and display. To track all messages that flow to and from the server, select Enable message tracking.

Message tracking options on a server policy

111

Handling Policy Conflicts

If you create a new policy that conflicts with settings in an existing policy, Exchange displays a dialog box that notifies you of the conflict. By default, the newer policy replaces an older policy. For example, you create a server policy with specified configurations, and you want to add the policy to a particular server. However, if the server is already under the control of another policy, a dialog box prompts you to verify whether you want to remove the server from the control of the other policy. You can choose to remove the

112 server from the control of the previous policy, or apply the new policy you just created. If you do not resolve the policy conflict, you receive the following message: The objectname (for example, Server1) could not be associated with policy policyname (ServerPolicy) because you refused to remove the object from the control of conflicting policies.

Adding Servers to a Server Policy

After you create a server policy, you must add servers to the policy. For detailed instructions, see How to Add Servers to a Server Policy.

How to Add Servers to a Server Policy

After you create a server policy, you must add servers to the policy. This procedure outlines how to add servers to a server policy.

Before You Begin

You can add servers to existing server policies or you can create a new server policy. For detailed information on creating a server policy, see How to Create a Server Policy.

Procedure
To add servers to a server policy 1. In Exchange System Manager, expand Administrative Groups, expand the administrative group that contains the server policy to which you want to add servers, expand System Policies, right-click the server policy, and then click Add server.

113 2. In the Select the items to place under the control of this policy dialog box (see the following figure), type the server name, and then click OK. Selecting items for a server policy

Note The figure shows the dialog box that appears when you run Exchange 2003 on Microsoft Windows Server 2003. If you run Exchange on Windows 2000 Server, this dialog box offers the same functionality but it looks slightly different.

Viewing the Objects Controlled by a System Policy

Using Exchange System Manager, you can view either the objects that the system policy controls or the policies that Exchange applies to an object: For detailed instruction on how to view the objects that a policy controls, see How to View the Objects That a Policy Controls.

114 For detailed instructions on how to view the policies that Exchange applies to a particular object, see How to View the Policies that Exchange Applies to a Particular Object.

How to View the Objects That a Policy Controls

Using Exchange System Manager, you can view the objects that the system policy controls. This procedure outlines how to view the objects that a policy controls.

Procedure
How to view the objects that a policy controls In Exchange System Manager, click a policy in the System Policies container. The objects appear in the details pane under Policy Applied To.

How to View the Policies that Exchange Applies to a Particular Object

Using Exchange System Manager, you can view the policies that Exchange applies to an object. This procedure outlines how to view the policies that Exchange applies to an object.

Procedure
How to view the objects that a policy controls In Exchange System Manager, click the Policies tab in the server's Properties

115 dialog box.

Copying System Policies Between Administrative Groups

In Exchange 2003, policies can be copied or moved between policy containers that are in different administrative groups. Copying policies helps you to delegate administrative control while maintaining consistent or similar settings in policies across various administrative groups. For example, you can create the server policy one time, and then copy it to the system policy container in each of the other administrative groups that you want. Then, the administrator of each administrative group can customize policies (from this template) to manage objects that are associated with his or her administrative group. For detailed instructions, see How to Copy Policy Objects Between Administrative Groups. Note Remember that you can copy only individual policies between administrative groups. You cannot copy the system policy container from one administrative group to another.

How to Copy Policy Objects Between Administrative Groups

In Exchange 2003, policies can be copied or moved between policy containers that are in different administrative groups. Copying policies helps you to delegate administrative control while maintaining consistent or similar settings in policies across various administrative groups. You can copy only individual policies between administrative groups. You cannot copy the system policy container from one administrative group to another.

116 This procedure outlines how policies can be copied or moved between policy containers that are in different administrative groups

Procedure
To copy policy objects between administrative groups 1. In Exchange System Manager, right-click the policy, click Copy, and then paste the policy in your target container. 2. Right-click the target container, and then click Refresh to view the policy in the container. After you copy a policy, you must apply it to the individual servers, mailbox stores, or public folder stores in the administrative group where you copied the policy.

Modifying or Removing a Policy

You can modify a policy that is applied to one or more objects to change the properties on all the objects. For detailed instructions, see How to Modify a Policy. To change the properties on all the objects individually, you can also remove an object from the control of a policy or delete the policy itself. For detailed instructions on removing an object from the control of a policy, see How to Remove an Object from the Control of a Policy. For detailed instructions on deleting a policy, see How to Delete a Policy. After a policy has been applied, settings associated with that policy remain intact on associated objects, even after an object has been removed from policy control or a policy itself has been deleted. If you want to change the settings that a policy applies, you must change them on the individual server, mailbox store, or public folder store.

117

How to Modify a Policy

You can modify a policy that is applied to one or more objects to change the properties on all the objects. This procedure outlines how to modify a policy.

Procedure
To modify a policy 1. In Exchange System Manager, right-click the policy that you want to modify, click Properties, and then use the tabs to modify the policy. 2. After you have made the necessary modifications, right-click the policy, and then click Apply now to apply the changes.

How to Remove an Object from the Control of a Policy

To change the properties on all the objects individually, you can also remove an object from the control of a policy or delete the policy itself. This procedure outlines how to remove an object from the control of a policy. Note After a policy has been applied, settings associated with that policy remain intact on associated objects, even after an object has been removed from policy control or a policy itself has been deleted. If you want to change the settings that a policy applies, you must change them on the individual server, mailbox store, or public folder store.

118

Procedure
To remove an object from the control of a policy 1. In Exchange System Manager, expand System Policies, and then click the appropriate system policy. 2. In the Policy Applied To column, right-click the object, point to All Tasks, and then click Remove from policy.

How to Delete a Policy

To change the properties on all the objects individually, you can also remove an object from the control of a policy or delete the policy itself. This procedure outlines how to delete a policy. Note After a policy has been applied, settings associated with that policy remain intact on associated objects, even after an object has been removed from policy control or a policy itself has been deleted. If you want to change the settings that a policy applies, you must change them on the individual server, mailbox store, or public folder store.

Procedure
To delete a policy In Exchange System Manager, right-click the policy that you want to delete, and then click Delete.

119

Managing Exchange Server 2003 Permissions

As you manage your Exchange organization, some of your most important security tasks will involve permissions. The correct management of permissions in Exchange 2003 makes sure that users and administrators can successfully complete those tasks that they must perform, while preventing users and administrators from intentionally or inadvertently performing inappropriate tasks. In Exchange 2003, there are three sets of permissions that you can manage: Permissions for Exchange objects. These settings are stored in Active Directory and the Microsoft Internet Information Services (IIS) metabase. Store permissions. File permissions on NTFS file system volumes.

Together, these permissions provide the means to implement security on all elements in an Exchange 2003 installation. This topic focuses on using Exchange System Manager to manage permissions on Exchange objects in Active Directory and the IIS metabase. For detailed information about managing store permissions, see "Managing Mailbox Stores and Public Folder Stores." For detailed information about understanding and managing NTFS permissions, see the Windows documentation and resource kits. Important Use only Exchange System Manager to set permissions on Exchange objects.

120

Understanding Exchange Objects and Exchange System Manager

Most elements in an Exchange installation are represented by objects. For example, the server itself, an SMTP virtual server, and a mailbox store are all represented as objects. Controlling each of these objects is a set of security permissions. Permissions on objects in Exchange 2003 build on permissions that the Windows operating system makes available through Active Directory and IIS. Exchange 2003 uses both Active Directory and the IIS metabase to store permissions information about Exchange objects. To address the fact that information about Exchange objects is in two places, you manage these objects using Exchange System Manager. This tool seamlessly presents objects that are stored in Active Directory and the IIS metabase. Therefore, you can administer objects stored in two places through a single interface. The permissions model that Exchange System Manager exposes builds on the Windows security modelan object-oriented security model, based on the concept of discretionary access control. This means that each Exchange object has its own discrete permissions that govern access to the object, and that these permissions can be administered by anyone who has the appropriate permission level. This permission model makes it possible to implement delegated permission models in which certain roles are assigned varying permissions based on the functional tasks performed by these roles in those environments whose security policy requires that capability. However, the profusion of objects and permissions that enables Exchange to support complex security requirements can also make it seem complex to administer. Fortunately, Exchange System Manager simplifies managing permissions with the following: Support for inheritance Standardized security roles Exchange Administration Delegation Wizard

Together, these features simplify the management of permissions so that most Exchange implementations can implement their security requirements without having to set permissions on individual attributes on individual objects.

121

Benefiting from Standardized Security Roles in Exchange

To help simplify the process of managing permissions, Exchange 2003 provides three predefined security roles that are available in the Exchange Administrative Delegation Wizard. These roles are a collection of standardized permissions that can be applied at either the organization or the administrative group level. Note For information about administrative groups, see "Creating and Managing Administrative Groups" earlier in this chapter. When these roles are applied, the accounts or groups against which they are applied are immediately granted a set of standardized permissions on the object in question. Roles rely strongly on permission inheritance to make sure that permissions are applied consistently. When a role is applied, the standard permissions associated with that role are applied down the object hierarchy using inheritance. Because the roles have been designed to meet the security requirements that are frequently found in an Exchange deployment, try to use these roles as much as possible. The standard security roles that Exchange 2003 provides are: Exchange Full Administrator This role can fully administer Exchange system information and modify permissions. This role is appropriate for those who must be able to modify permissions, and view and administer Exchange configuration information. Exchange Administrator This role can fully administer Exchange system information. This role differs from the Exchange Full Administrator. The primary difference is that this role cannot modify permissions. This role is appropriate for those who must be able to view and administer Exchange configuration information without being able to modify permissions. Exchange View Only Administrator This role can view but cannot administer Exchange configuration information. This role is appropriate for those who must be able to view Exchange configuration information without being able to change that configuration information. As with the Exchange Administrator role, this role cannot modify permissions.

122 Note The Exchange security roles should not be confused with security groups in Active Directory. The roles are a collection of standardized permissions that are applied to users or groups in Active Directory. The roles can best be thought of as a template, instead of as a security group. Because these roles are a set of standardized permissions, unlike security groups, roles inherently supersede one other. Therefore, you do not have to apply both a higher and a lower privileged role. It is sufficient to apply the higher privileged role. Roles differ slightly, depending on whether they are applied to an organization or an administrative group. Therefore, the effective permissions that result when a role is applied can differ slightly. The following tables list the effective permissions, based on the role applied and where it has been applied. These tables help explain how roles supersede each other, and the impact of differences at the organization level and administrative level. Note There is no table that shows the effective role at the organization level from roles applied at the administrative group level. This is because roles applied at the administrative group level apply only to the local administrative group. Because administrative groups are under the organization level in the hierarchy, the administrative group can inherit permissions from the organization, but not vice versa. Effective roles at the administrative group level from roles applied at the administrative group level
Granted Exchange Administrator role View Only Administrator Full Administrator

Exchange View Only Administrator Exchange Administrator Exchange Full Administrator

Yes

No

No

Yes

Yes

No

Yes

Yes

Yes

123 Effective roles at the administrative group level from roles applied at the organization level
Granted Exchange Administrator role View Only Administrator Full Administrator

Exchange View Only Administrator Exchange Administrator Exchange Full Administrator

Yes

No

No

Yes

Yes

No

Yes

Yes

Yes

Effective roles at the organization level from roles applied at the organization level
Granted Exchange Administrator role View Only Administrator Full Administrator

Exchange View Only Administrator Exchange Administrator Exchange Full Administrator

Yes

No

No

Yes

Yes

No

Yes

Yes

Yes

Benefiting from Exchange Administration Delegation Wizard

The Exchange Administration Delegation Wizard applies the standardized security roles at either the organization level or the administrative group level in Exchange System Manager. Remember that the Exchange Administration Delegation Wizard applies well-tested permissions in a consistent manner against objects in the Exchange hierarchy. Because

124 of this consistency in application of permissions, the wizard is the recommended and preferred method of managing permissions in your Exchange environment. Only apply customized permissions to individual objects when your security policy requires you to do so, and after complete testing. Manually creating customized permissions increases the chance of human error. It also increases the chance of creating inappropriate permissions because of a misunderstanding of how permissions work. Additionally, customized security settings will require increased maintenance because they must be documented, and the customized settings must be verified. Although there are instances where customized security is appropriate, you must weigh the risks and costs carefully. You can start the Exchange Administration Delegation Wizard from either the organization level or the administrative group level. As noted in "Benefiting from Standardized Security Roles in Exchange," the permissions associated with the role will then be applied down the hierarchy from the object from which you started the wizard. For example, if you start the wizard at the organization level, the permissions associated with the role will be applied to all objects under the organization in the hierarchy, including all administrative groups. Alternatively, if you start the wizard at an administrative group, the permissions associated with the role will be applied only to the objects in the administrative group. When you start the Exchange Administration Delegation Wizard, it prompts you to specify the users and groups to which you want to apply the security role. Generally, it is recommended that you place your users in security groups, and then use the wizard to apply roles against those groups. Applying permissions to individual users can quickly become difficult to manage. After the wizard is completed, Exchange System Manager applies permissions to the group or the user selected in the hierarchy that the wizard was started from. The permissions are propagated down the hierarchy through inheritance. By using the wizard, you can set all the permissions on the Exchange objects in both Active Directory and the IIS metabase with several clicks. Note For more information about managing store permissions, see "Managing Mailbox Stores and Public Folder Stores."

125

Benefiting from Support for Inheritance

In Windows, inheritance describes the process by which the creation of an object causes the object to assume, by default, the permissions of its parent object. Inheritance simplifies the task of managing permissions in your Exchange system as follows: It eliminates the need to manually apply permissions to child objects as they are created. It makes sure that the permissions attached to a parent object are applied consistently to all child objects. When permissions on all objects in a container must be modified, you change the permissions on the container only one time. The objects inside the container inherit the changes automatically.

For some Exchange objects, you can customize this inheritance. These objects are public folder trees, address lists, and mailbox stores. For these objects, you can specify that the child does not inherit permissions. Or, you can specify that only the following containers or subcontainers inherit permissions: This container only This container and all subcontainers Subcontainers only

Inheritance makes it possible for permissions to be applied consistently in an object hierarchy. In itself, inheritance is an important tool for simplifying the application of permissions.

126

Configuring Exchange Server 2003 Settings

This topic introduces configuring server-specific settings. It gives you information about how to configure settings on individual Exchange servers in your organization. Individual server settings that you can configure include enabling message tracking, configuring language support for clients, scheduling Mailbox Management processes, troubleshooting specific issues with diagnostic logging, using public folder referrals and Directory Access options, and other settings that are important to managing your Exchange server. Although this topic does not cover them, you can also manage protocol settings, services, and backup and restore processes on an individual server basis. For more information about: Configuring protocols, see "Understanding and Configuring Message Routing and Transport." Exchange services, see "Services That Are Used by Exchange." Backup and restore practices, see "Managing Mailbox Stores and Public Folder Stores."

Configuring Server-Specific Settings

When you configure server-specific settings, you use the Properties dialog box that is associated with each server. For detailed instructions, see How to Open a Server's Properties Dialog Box.

127 The Properties dialog box for SERVER01

For information about configuring settings on the Locales tab, see Configuring Language Settings. For information about configuring settings on the Mailbox Management tab, see Scheduling Mailbox Manager Processes. For information about configuring settings on the Directory Access tab, see Understanding Directory Access Options. For information about viewing settings on the Policies tab, see Viewing System Policies Applied to the Server. For information about configuring settings on the Security tab, see Setting ServerSpecific Permissions.

128 For information about configuring settings on the Full-Text Indexing tab, see Configuring System Resource Usage During Full-Text Indexing. For information about configuring settings on the Diagnostic Logging tab, see Configuring Diagnostics Logging on a Server. For information about configuring settings on the Public Folder Referrals tab, see Customizing Public Folder Referrals.

How to Open a Server's Properties Dialog Box

When you configure server-specific settings, you use the Properties dialog box in Exchange System Manager that is associated with each server. This procedure outlines how to open a server's Properties dialog box.

Procedure
To open a server's Properties dialog box In Exchange System Manager, right-click an Exchange server, and then select Properties. Properties dialog box for SERVER01

129

Viewing Messages in Message Tracking Center

Message Tracking Center tracks messages across servers in both mixed- and nativemode Exchange organizations. Message Tracking Center can also track messages that are destined to or arriving from another messaging system, such as Lotus Notes. Through Message Tracking Center, you can search for all kinds of messages, including

130 system messages (alerts that are displayed when problems occur), public folder messages, and e-mail messages. Note To search for a specific system message in Message Tracking Center, search for the Message ID. If you do not know the Message ID, you can find system messages manually by reviewing the message tracking logs. Exchange automatically creates these logs if you have message tracking enabled on a server. To search for other types of messages, you can search by sender, recipient, or server. Before enabling a server's messages to appear in Message Tracking Center, you must enable subject logging on the Exchange server. However, enabling this type of logging causes the subject lines of messages in Simple Mail Transfer Protocol (SMTP) and MAPI queues to be displayed in the Subject column of Queue Viewer. By default, the Subject column is left empty to preserve confidentiality. (For example, some Exchange organizations prefer to keep low-level administrators from viewing message subjects.) Therefore, verify your organization's policy about revealing subject line information before enabling subject logging. For detailed instructions, see How to Enable a Server's Messages to Appear in Message Tracking Center.

How to Enable a Server's Messages to Appear in Message Tracking Center

Message Tracking Center tracks messages across servers in both mixed- and nativemode Exchange organizations. Message Tracking Center can also track messages that are destined to or arriving from another messaging system, such as Lotus Notes. Before enabling a server's messages to appear in Message Tracking Center, you must enable subject logging on the Exchange server. This procedure outlines how to enable a server's messages to appear in Message Tracking Center.

131

Before You Begin

Enabling subject logging causes the subject lines of messages in Simple Mail Transfer Protocol (SMTP) and MAPI queues to be displayed in the Subject column of Queue Viewer. By default, the Subject column is left empty to preserve confidentiality. For example, some Exchange organizations prefer to prevent low-level administrators from viewing message subjects. Therefore, verify your organization's policy about revealing subject line information before enabling subject logging.

Procedure
To enable a server's messages to appear in Message Tracking Center 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the General tab, select the Enable subject logging and display check box. Note If the Enable subject logging and display check box is unavailable or appears dimmed, there is a server policy object applied to this server. You must either enable subject logging and display on the policy, or remove the server from this policy. To view the policies that are applied to this server, view the Policies tab.

For More Information

For more information about server policies, see Managing an Exchange Server 2003 Organization.

Enabling Message Tracking

You can create a server policy to control the message tracking options of a group of servers in an administrative group. However, you can also enable message tracking on an individual server basis. For example, if you do not track messages on all your servers,

132 but users on a specific Exchange server are experiencing mail flow problems, you may want to enable message tracking on the server that is experiencing mail flow problems. Alternatively, you may want to track messages only on your Internet gateway servers. When you enable message tracking on an individual server, messages routed through the server are added to the message tracking logs. These logs are text files that you can review to monitor and troubleshoot message flow. The Exchange System Attendant service on each server maintains these log files. For detailed instructions on enabling message tracking, see How to Enable Message Tracking.

How to Enable Message Tracking

You can create a server policy to control the message tracking options of a group of servers in an administrative group. You can also enable message tracking on an individual server basis. When you enable message tracking on an individual server, messages routed through the server are added to the message tracking logs. These logs are text files that you can review to monitor and troubleshoot message flow. The Exchange System Attendant service on each server maintains these log files. This procedure outlines how to enable message tracking.

Procedure
To enable message tracking 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the General tab, select the Enable message tracking check box. Note If the Enable message tracking check box is unavailable or appears dimmed, there is a server policy object applied to this server. You must either enable message tracking on the policy, or remove the server from this policy.

133

For More Information

For more information about server policies, see Managing an Exchange Server 2003 Organization.

Managing Message Tracking Log Files

If you enable message tracking, you may want to customize how Exchange manages the resulting log files. By default, Exchange stores the message tracking log files in the C:\Program Files\Exchsrvr folder and removes these log files on a seven-day interval. These default settings may or may not fit the requirements of your Exchange environment.

Selecting a Location for the Log Files

To specify a path and folder for message tracking log files, you use the Log file directory text box on the General tab of the server's Properties dialog box. When you change the path of the log file directory, Exchange saves future log files to the new path. However, Exchange does not move existing log files to the new location. You must do this manually. For detailed instructions, see How to Select a Location for the Message Tracking Log Files.

Removing Log Files

If you allow log files to accumulate on the server, they can consume a large part of your disk space and may affect performance. It is a good idea to review and remove log files periodically. However, make sure to leave log files on the server long enough for you to review files if a problem occurs with the message flow. As an additional step, you can move log files to another disk that has the bandwidth to handle larger log files. For detailed instructions, see How to Specify How Frequently Log Files are Removed.

134

How to Select a Location for the Message Tracking Log Files

When you change the path of the log file directory, Exchange saves future log files to the new path. However, Exchange does not move existing log files to the new location. You must do this manually. This procedure outlines how to select a location for the log files.

Procedure
To move message tracking logs 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the General tab, select the Enable Message Tracking check box. The General tab in the <Server Name> Properties dialog box

135

3. In the Log file directory box, click Change to change the log file directory. 4. In Message Tracking Log File Directory, select the directory where you want to store message tracking logs, and then click OK. The Message Tracking Log File Directory dialog box

136

How to Specify How Frequently Log Files are Removed

If you allow log files to accumulate on the server, they can consume a large part of your disk space and may affect performance. It is a good idea to review and remove log files periodically. This procedure outlines how to specify how frequently you want to remove log files from the server.

Before You Begin

Make sure to leave log files on the server long enough for you to review files if a problem occurs with the message flow. As an additional step, you can move log files to another disk that has the bandwidth to handle larger log files.

Procedure
To specify how frequently log files are removed 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the General tab, select Remove log files. 3. In the Remove files older than (days) text box, type the number of days that you want the files to remain on the server before being deleted.

137

Designating a Front-End Server

When you configure a server to be a front-end server, you are typically dedicating the server to receive requests from messaging clients, such as HTTP, Internet Message Access Protocol version 4 (IMAP4), and Post Office Protocol version 3 (POP3), and to relay client requests to the appropriate back-end server. The services that an Exchange front-end server requires depend on the protocols that you use on the server, and whether you will be making configuration changes after the initial setup. The following table lists which Exchange services are required for each protocol or tool that an Exchange front-end server uses. Services required on an Exchange front-end server
Protocol/tool on server Services required

POP3

Exchange POP3 (POP3Svc) Microsoft Exchange System Attendant (MSExchangeSA)

IMAP4

Exchange IMAP4 (IMAP4Svc) MSExchangeSA

SMTP

Microsoft Exchange Information Store (MSExchangeIS) MSExchangeSA

Exchange System Manager Routing Engine

MSExchangeSA Microsoft Exchange Routing Engine (RESvc) Note The routing engine must be running on all Exchange servers, both frontend and back-end servers.

138
Protocol/tool on server Services required

NNTP

Network News Transfer Protocol (NNTP) must be enabled on a server during upgrades. Note You can disable this protocol if you are not offering it to your users.

For detailed instructions on designating a front-end server, see "How to Designate a Front-End Server" in Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology. After designating a server as a front-end server, remove any nonessential components or disable any unnecessary services on the server. Removing these components or disabling these services allows the front-end server to relay client requests more efficiently and improves security by reducing the number of services or components that are vulnerable to attack. In particular, you can remove public folder stores and storage groups from an Exchange front-end server. Also, if your front-end users are not sending mail using SMTP, you can remove mailbox stores from the frontend server. Important To stop or disable services, use the Services snap-in in Microsoft Management Console (MMC).

Sending Error Information to Microsoft

Microsoft personnel monitor error reports to identify and correct common problems that customers encounter. If you do not enable the automatic error reporting option, a dialog box appears that prompts you to manually send the fatal error report. For detailed instructions, see How to Send Error Information to Microsoft. Important It is recommended that you send fatal error reports to Microsoft. When you send these reports, Microsoft personnel can respond to you with any available fixes for

139 your reported issue. However, before sending information about any fatal service error to Microsoft, confirm that sending this information is permitted under your organization's security policy. When you send error reports to Microsoft, they are sent over Secure HTTP (HTTPS), which is a more encrypted channel than HTTP. Note To send reports, the server must have HTTP access to the Internet. For more information about automatic error reporting, see the "Microsoft Online Crash Analysis" Web site (http://go.microsoft.com/fwlink/?LinkId=18428).

How to Send Error Information to Microsoft

Microsoft personnel monitor error reports to identify and correct common problems that customers encounter. This procedure outlines how to send error information to Microsoft.

Before You Begin

It is recommended that you send fatal error reports to Microsoft. When you send these reports, Microsoft personnel can respond to you with any available fixes for your reported issue. However, before sending information about any fatal service error to Microsoft, confirm that sending this information is permitted under your organization's security policy. Also, to send reports, the server must have HTTP access to the Internet.

Procedure
To send error information to Microsoft 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the General tab, select the Automatically send fatal service error

140 information to Microsoft check box.

For More Information

For more information about automatic error reporting, see the Microsoft Online Crash Analysis Web site.

Configuring Language Settings

Different countries and regions have differing conventions for the formatting and presentation of information such as date, time, and currency. To accommodate these differences, you use the Locales tab to define how to display date, currency, and time values, and to define how to control other international settings, such as sorting order. For each locale listed on the Locales tab, the server can supply clients with data sorted and formatted according to the conventions used in that locale. For example, if Hindi appears in the list, Hindi language clients that connect to the server see information sorted and formatted in Hindi. For detailed instructions, see How to Add a Locale to the Server.

How to Add a Locale to the Server

Different countries and regions have differing conventions for the formatting and presentation of information such as date, time, and currency. To accommodate these differences, you use the Locales tab to define how to display date, currency, and time values, and to define how to control other international settings, such as sorting order. This procedure outlines how to add a locale to the server.

141

Procedure
To add a locale to the server 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the Locales tab, click Add. See the "Locales tab" figure. Locales tab

3. In the Add Locale dialog box, select a language, and then click OK. See the "Add Locale dialog box" figure.

142

Add Locale dialog box

Note You can also remove locales by selecting a locale on the Locales tab and then clicking Remove.

Scheduling Mailbox Manager Processes

Exchange Mailbox Manager policies set age and size limits for messages. After you create and configure a recipient policy for Mailbox Manager settings, you must schedule when the Mailbox Manager process runs on a server and whether the process generates a report. When a policy runs, the policy processes messages that exceed its defined limits. For more information about Mailbox Manager and recipient policies, see "Managing Recipients and Recipient Policies in Exchange Server 2003." Important Mailbox Manager works only on local mailboxes on an individual Exchange server. You cannot configure Mailbox Manager on one server to process mailboxes on a different server.

143 To schedule when the Mailbox Manager process runs and whether the process generates a report, you use the Mailbox Management tab in the server's Properties dialog box. Mailbox Management tab

144

Defining a Schedule
In the Start mailbox management process drop-down list, you select when you want the Mailbox Management process to start (on that particular server) according to the rules defined by associated recipient policies. The recipient policies that are associated with the server determine which mailbox or mailboxes that Mailbox Manager cleans. For detailed instructions, see How to Set a Schedule for Mailbox Management. You can also customize the mailbox management schedule to suit your organizational requirements. For example, you can create a custom schedule that runs Mailbox Manager on Saturday at midnight. For detailed instructions, see How to Set a Custom Schedule for Mailbox Management.

How to Set a Schedule for Mailbox Management

Exchange Mailbox Manager policies set age and size limits for messages. After you create and configure a recipient policy for Mailbox Manager settings, you must schedule when the Mailbox Manager process runs on a server and whether the process generates a report. In the Start mailbox management process drop-down list, you select when you want the Mailbox Management process to start (on that particular server) according to the rules defined by associated recipient policies. The recipient policies that are associated with the server determine which mailbox or mailboxes that Mailbox Manager cleans. This procedure outlines how to set a schedule for the Mailbox Management process.

145

Before You Begin

Mailbox Manager works only on local mailboxes on an individual Exchange server. You cannot configure Mailbox Manager on one server to process mailboxes on a different server.

Procedure
To define a schedule 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the Mailbox Management tab, in the Start mailbox management process list, select a schedule, and then click OK. Note You can manually start Mailbox Manager by right-clicking the server object and then selecting Start Mailbox Management Process. If you use this command, Mailbox Manager still runs at its next scheduled interval.

For More Information

For more information about generating reports, see How to Set Mailbox Management Reporting Options. For more information about Mailbox Manager and recipient policies, see Managing Recipients and Recipient Policies in Exchange Server 2003.

How to Set a Custom Schedule for Mailbox Management

Exchange Mailbox Manager policies set age and size limits for messages. After you create and configure a recipient policy for Mailbox Manager settings, you must schedule

146 when the Mailbox Manager process runs on a server and whether the process generates a report. You can also customize the mailbox management schedule to suit your organizational requirements. In the Start mailbox management process drop-down list, you select when you want the Mailbox Management process to start on that particular server according to the rules defined by associated recipient policies. The recipient policies that are associated with the server determine which mailbox or mailboxes that Mailbox Manager cleans. This procedure outlines how to set a custom schedule for the Mailbox Management process.

Before You Begin

Mailbox Manager works only on local mailboxes on an individual Exchange server. You cannot configure Mailbox Manager on one server to process mailboxes on a different server.

Procedure
To define a custom schedule 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the Mailbox Management tab in the server's Properties dialog box, in the Start mailbox management process list, select Use custom schedule, click Customize, and then enter the schedule information. Note You can manually start Mailbox Manager by right-clicking the server object and then selecting Start Mailbox Management Process. If you use this command, Mailbox Manager still runs at its next scheduled interval.

For More Information

For more information about generating reports, see How to Set Mailbox Management Reporting Options.

147 For more information about Mailbox Manager and recipient policies, see Managing Recipients and Recipient Policies in Exchange Server 2003.

Setting Reporting Options

When you schedule Mailbox Manager, you can designate a mailbox that receives Mailbox Manager reports. You can also select the type of report to be generated. The report can include different types of information, such as when Mailbox Manager ran, which mailbox recipient policies were applied, which mailboxes were processed, which folders were processed, the number of messages that were moved or deleted, and the size of messages that were moved or deleted. For detailed instructions, see How to Set Mailbox Management Reporting Options.

How to Set Mailbox Management Reporting Options

Exchange Mailbox Manager policies set age and size limits for messages. After you create and configure a recipient policy for Mailbox Manager settings, you must schedule when the Mailbox Manager process runs on a server and whether the process generates a report. When you schedule Mailbox Manager, you can designate a mailbox that receives Mailbox Manager reports. This procedure outlines how to set mailbox management reporting options.

Before You Begin

Mailbox Manager works only on local mailboxes on an individual Exchange server. You cannot configure Mailbox Manager on one server to process mailboxes on a different server.

148

Procedure
To set reporting options 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the Mailbox Management tab, in the Reporting drop-down list, select the type of report that you want created whenever mailboxes are processed: A summary report that contains basic information, including the total size of all messages that Mailbox Manager moved or deleted. A detailed report that includes the specific policies that Mailbox Manager ran, the specific mailboxes that were processed, and the specific folders in each mailbox that were processed every time that Mailbox Manager runs.

3. In the Administrator text box, click Browse, and then select a mailbox in your organization to receive these reports.

For More Information

For more information about scheduling Mailbox Management, see How to Set a Schedule for Mailbox Managementand How to Set a Custom Schedule for Mailbox Management. For more information about Mailbox Manager and recipient policies, see Managing Recipients and Recipient Policies in Exchange Server 2003.

Configuring Diagnostics Logging on a Server

Diagnostics logging levels determine which additional Exchange events are written to the Application event log in Event Viewer, a Microsoft Windows Server 2003 component that you can use to monitor hardware and software activities. You can use diagnostics logging to record significant events that are related to authentication, connections, and user actions.

149 The first step in configuring diagnostics logging is to decide which services on an Exchange server must be enabled for diagnostics logging. Note You configure diagnostics logging separately for each service on each server. For example, if you enable protocol logging on an individual virtual server, it is the setting on the Exchange server on which the virtual server runs that determines the logging capabilities for the protocol. Diagnostics logging services
Service Description

IMAP4Svc

Allows users to access mailboxes and public folders through Internet Message Access Protocol version 4 (IMAP4). Runs connection agreements if Active Directory Connector is installed. Logs events when the Recipient Update Service updates address lists and e-mail addresses in the Microsoft Active Directory directory service. Allows Exchange access to Active Directory. Allows access to the Exchange store. Allows X.400 connectors to verify whether the message transfer agent (MTA) is being used. Replicates Exchange configuration information changes to the Internet Information Services (IIS) metabase.

MSADC

MSExchangeAL

MSExchangeDSAccess

MSExchangeIS MSExchangeMTA

MSExchangeMU

150
Service Description

MSExchangeSA

Handles many core Exchange tasks, such as mailbox management, e-mail proxy generation, offline address list generation, and monitoring. Note This service is also known as Microsoft Exchange System Attendant.

MSExchangeSRS

Replicates computers that are running Microsoft Exchange 2000 Server (or later) with computers running Microsoft Exchange Server version 5.5. Note This service is also known as Site Replication Service (SRS).

MSExchangeTransport

Controls message routing and transport functions in Exchange. If you experience mail flow problems, set diagnostics logging for this service. Controls the operation of POP3.

POP3Svc

After selecting a service, the next step is to set the logging levels for those services. There are four logging levels of detail. When Exchange generates an event less than or equal to the logging level, the event is logged. Events range from significant events (such as application failures) to moderately important events (such as the receipt of messages across a gateway) to events that are relevant only to debugging. Typically, you log only critical events. However, when problems occur, diagnostics logging helps you to change the logging levels to capture more events in greater detail.

151 Logging levels

Logging levels Description

None

Only critical events, error events, and events with a logging level of zero are logged. Note This is the default level for all services on Exchange servers.

Minimum

Events with a logging level of 1 or lower are logged. Events with a logging level of 3 or lower are logged. Events with a logging level of 5 or lower are logged.

Medium

Maximum

After selecting a logging level, logging begins automatically whenever you start Exchange. You can view the log entries in Event Viewer. For more information about configuring diagnostics logging, see How to Configure Diagnostics Logging.

How to Configure Diagnostics Logging

Diagnostics logging levels determine which additional Exchange events are written to the Application event log in Event Viewer, which is a Microsoft Windows Server 2003 component that you can use to monitor hardware and software activities. You can use diagnostics logging to record significant events that are related to authentication, connections, and user actions. You configure diagnostics logging separately for each service on each server. For example, if you enable protocol logging on an individual virtual server, it is the setting on the Exchange server on which the virtual server runs that determines the logging capabilities for the protocol. This procedure outlines how to configure diagnostics logging.

152

Procedure
To configure diagnostics logging 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the Diagnostics Logging tab, in the Services list, select an Exchange 2003 service on which you want to set category logging levels. 3. In the Categories list, select the categories and logging levels that you want to configure.

Customizing Public Folder Referrals

When a user connects to a public folder store that does not contain a copy of the public folder content that the user is looking for, Exchange redirects or refers the user to another public folder store that does have a copy of the content. By default, Exchange tries to redirect the user to a server in the local routing group. If those servers do not have the required content, Exchange follows the organization's routing group topology to find an appropriate server. Exchange finds an appropriate server based on the most efficient routing path, using costs of connectors between routing groups. Note For additional information about public folder referrals, see "Managing Mailbox Stores and Public Folder Stores." For more information about routing in Exchange, see "Understanding and Configuring Message Routing and Transport." Because Exchange keeps track of available connections between routing groups and uses the most efficient route possible, it is recommended that you use routing groups (the default) to determine how Exchange refers a user to another public folder. However, if you must troubleshoot a specific server, or if you are performing maintenance on part of your network and want to designate specific servers that are available during this maintenance, you can create a custom list of servers for public folder referrals.

153 Note A custom list for public folder referrals is new in Exchange 2003. In Exchange 2000, you can only specify whether to allow public folder referrals among routing groups. To create a custom list of servers for public folder referrals, you use the Public Folder Referrals tab. For detailed instructions, see How to Specify a Custom List for Public Folder Referrals. When you create a custom list of servers, you also assign costs to prioritize the servers in your referral list. Public Folder Referrals tab

154

How to Specify a Custom List for Public Folder Referrals

You can use public folder referrals to control how Exchange redirects users among the public folder servers. You can specify a custom list of specific servers among which referrals are allowed. When you create a custom list of servers, you can also assign costs to prioritize the servers in your referral list. A custom list for public folder referrals is new in Exchange Server 2003. In Exchange 2000, you can only specify whether to allow public folder referrals among routing groups. This procedure outlines how to specify a custom list for public folder referrals.

Procedure
To specify a custom list for public folder referrals 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the Public Folder Referrals tab, in the Public folder referral options list, select Use Custom List. Public Folder Referrals tab

155

3. Click Add to add the appropriate servers.

For More Information

For more information about assigning costs, see How to Assign Costs on the Public Folder Referrals List. For more information about public folder referrals, Managing Mailbox Stores and Public Folder Stores. For more information about routing in Exchange, see Understanding and Configuring Message Routing and Transport.

156

Assigning Costs on the Public Folder Referrals List

Costs are a method of prioritizing servers in the public folder referral list. You define costs for each connector in your organization using network connectivity and available bandwidth as criteria. You then assign the lowest cost to the connectors that have the best network connectivity and the most available bandwidth. Exchange uses higher-cost servers only if lower-cost servers are not available. When you select the Use Custom List option and create a list of servers that are available for referrals, the Public Folder Referrals tab displays both the name of each server in the list and any costs that are associated with those servers. If you want to prioritize the order in which Exchange uses the listed servers, you must change the costs associated with each server, assigning lower costs to those servers that you want Exchange to use first. For detailed instructions, see How to Assign Costs on the Public Folder Referrals List.

How to Assign Costs on the Public Folder Referrals List

You can use public folder referrals to control how Exchange redirects users among the public folder servers. Costs are a method of prioritizing servers in the public folder referral list. You define costs for each connector in your organization by using network connectivity and available bandwidth as criteria. You then assign the lowest cost to the connectors that have the best network connectivity and the most available bandwidth. Exchange uses higher-cost servers only if lower-cost servers are not available. This procedure outlines how to specify assign costs on the public folder referrals list.

157

Procedure
To change a server's priority in a custom public folder referrals list 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the Public Folder Referrals tab, select a server in the list, and then click Modify. 3. In the Modify Referral Cost dialog box, specify a cost for that server. Modify Referral Cost dialog box

158 Note If you want to prioritize the order in which Exchange uses the listed servers, you must change the costs associated with each server, assigning lower costs to those servers that you want Exchange to use first.

For More Information

For information about creating a custom list of public folder referrals, see How to Specify a Custom List for Public Folder Referrals. For additional information about public folder referrals, see Managing Mailbox Stores and Public Folder Stores. For more information about routing in Exchange, see Understanding and Configuring Message Routing and Transport.

Understanding Directory Access Options

As discussed in "Preparing to Administer Your Exchange Server 2003 Environment" and "Managing an Exchange Server 2003 Organization," Exchange is tightly integrated with Active Directory. This integration requires that the core components of Exchange 2003 access directory information in Active Directory. The shared component named Directory Access (DSAccess) controls how most components in Exchange interact with Active Directory. Exchange components dependent on DSAccess
Component Dependency on DSAccess

Exchange Metabase Update (DS2MB)

Directory changes tracked by update sequence number (USN) User and configuration lookups List of global catalog servers in the topology

Exchange Routing Engine (RESVC) SMTP Categorizer (SMTP CAT)

159
Component Dependency on DSAccess

Directory Service Proxy (DSProxy)

List of global catalog servers in the topology User and configuration lookups User and configuration lookups User and configuration lookups

Exchange Information Store WebDAV Message transfer agent (MTA)

In Exchange 2003, DSAccess is the centralized mechanism that determines the Active Directory topology, opens the appropriate Lightweight Directory Access Protocol (LDAP) connections, and works around server failures. DSAccess is responsible for the following functions: Retrieving and writing information from Active Directory, such as configuration data and recipients. Caching information from Active Directory for better performance when querying Active Directory. DSAccess caches configuration and recipient data locally so that this information is available for subsequent queries from other Exchange servers. Caching information locally has the additional benefit of preventing the network traffic that is caused by additional queries to Active Directory. Constructing a list of available domain controllers and global catalog servers that other Exchange components can query. For example: The MTA routes LDAP queries through the DSAccess layer to Active Directory. To connect to databases, the store process uses DSAccess to obtain configuration information from Active Directory. To route messages, the transport process uses DSAccess to obtain information about the connector arrangement.

Of the previously listed functions, the only function that you can control on a server is the one that deals with constructing a list of available domain controllers and global catalog servers. You can have this list constructed automatically by DSAccess, or you can manually create this list for DSAccess to use.

160

Automatically Constructing a Topology for Directory Access

By default, on each Exchange server, DSAccess automatically detects the appropriate domain controllers and global catalog servers in Active Directory for the Exchange server to query. For detailed instructions, see How to Automatically Discover Servers. Directory Access tab

161 Selecting the Automatically discover servers check box enables DSAccess components to automatically discover the following servers in an Exchange organization: Configuration domain controller The single domain controller that reads and writes information in the configuration naming context in Active Directory. DSAccess chooses a domain controller or global catalog server to act as the configuration domain controller. All configuration data is written and read by this configuration domain controller. Working domain controllers As many as ten domain controllers that perform Active Directory lookups for objects in the local domain. These domain controllers are primarily used to update objects in the local domain or read non-configuration data that is not replicated to global catalog servers. Working global catalog servers As many as ten global catalog servers that perform forest-wide queries. All user data is looked up on the global catalog servers.

To discover these servers, Directory Access locates domain controllers and global catalog servers that run Microsoft Windows Server 2003, or Microsoft Windows 2000 Server Service Pack 3 (SP3) or higher. Directory Access then tests these servers and chooses suitable servers for Exchange services to use to perform Active Directory queries. Note Because manually constructed topologies do not update automatically, it is strongly recommended that you use the Automatically discover servers setting.

How to Automatically Discover Servers

By default, on each Exchange server, DSAccess automatically detects the appropriate domain controllers and global catalog servers in Active Directory for the Exchange server to query. This procedure outlines how to enable automatic discovery of servers.

162

Before You Begin

Because manually constructed topologies do not update automatically, it is strongly recommended that you use the Automatically discover servers setting.

Procedure
To automatically discover servers 1. In Exchange System Manager, right-click an Exchange server, and then select Properties.

2. On the Directory Access tab, select the Automatically discover servers checkbox. Directory Access tab

163

Note This checkbox is unavailable when All Domain Controllers is selected in the Show list.

164

Manually Constructing a Topology for Directory Access

To troubleshoot problems with a specific global catalog server or domain controller, you may want to override the automatic discovery of servers by clearing the Automatically discover servers check box. For example, to determine whether queries to a global catalog server are working correctly, you can manually set this server as the only available global catalog server. When you manually create a topology for DSAccess, you no longer have the advantages of automatic failover and load balancing that you have when DSAccess automatically discovers the topology. If a server that you set manually becomes unavailable, the list does not update and Exchange still tries to use the unavailable server, thereby causing Exchange to fail. If you manually set a domain controller or global catalog server on the Directory Access tab in the Properties dialog box of a server that is not running Windows 2000 Server SP3 or later, Exchange will not use the domain controller or global catalog server, and Exchange logs an Event 2116. For detailed instructions, see How to Manually Create a Topology for Directory Access.

How to Manually Create a Topology for Directory Access

To troubleshoot problems with a specific global catalog server or domain controller, you may want to override the automatic discovery of servers by clearing the Automatically discover servers check box. This procedure outlines how to manually create a topology for Directory Access.

165 Note When you manually create a topology for DSAccess, you no longer have the advantages of automatic failover and load balancing that you have when DSAccess automatically discovers the topology.

Before You Begin

If you manually set a domain controller or global catalog server on the Directory Access tab in the Properties dialog box of a server that is not running Windows 2000 Server SP3 or later, Exchange will not use the domain controller or global catalog server, and Exchange logs an Event 2116.

Procedure
To manually create a topology for Directory Access 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the Directory Access tab, in the Show list, select the type of servers that you want to view. Note You cannot clear the Automatically discover servers check box if you select All Domain Controllers in the Show list. 3. Clear the Automatically discover servers check box. This action clears the current list of servers. Caution By default, DSAccess automatically discovers servers. It is strongly recommended that you keep this setting. 4. Click Add to add servers to the topology, or click Remove to remove servers from the topology.

For More Information

For more information about setting automatic discovery of servers, see How to Automatically Discover Servers.

166

Viewing System Policies Applied to the Server

System policies help you to flexibly manage large numbers of Exchange services. A system policy defines settings that you apply to one or more Exchange servers. For example, you can use a system policy to create a consistent method of tracking messages across a group of servers. Because policies affect a group of servers, you can only view the policies that have been applied to a server on the Policies tab in the server's Properties dialog box. You cannot modify or remove those policies using this tab. To modify or remove a system policy that has been applied to a particular server, you must change the policy itself. For more information about system policies, see "Managing an Exchange Server 2003 Organization."

167 Policies tab

Setting Server-Specific Permissions

Permissions control access to Exchange objects. You can set permissions on some Exchange objects individually. These objects include public folder trees, address lists, mailbox stores, protocols, and servers. For these objects, Exchange uses and extends Active Directory permissions. Examples of Active Directory permissions are Read, Write,

168 and List contents. Examples of extended Exchange permissions are Create public folder and View Information Store status. When you view an object's permissions, Active Directory permissions appear first in the list, followed by Exchange extended permissions. Permissions in Exchange are inherited by default. For example, the permissions that you apply to a particular server are inherited by the objects that the server contains, such as the public folder and mailbox stores on that server. Inherited permissions are convenient because you do not have to set the permissions for every object in your Exchange organization manually. Important When setting permissions on Exchange objects, use Exchange System Manager. Do not set permissions on Exchange objects using Windows Server 2003 MMC snap-ins, such as the Active Directory Sites and Services or Active Directory Users and Computers. You can set permissions using the Exchange Delegation Wizard and apply these settings to a whole Exchange organization or to a specific administrative group. Because permissions are inherited, these permissions control who can view or modify settings at the server level. By default, these permissions are configured to support the standard Exchange administrator types (Exchange View Only Administrator, Exchange Administrator, and Exchange Full Administrator). You are strongly advised to use the standard Exchange administrator types and only change the settings if more detailed settings are required by your organization's security policy.

169 Security tab

Note For more information about the Exchange Delegation Wizard, see "Understanding Exchange Objects and Exchange System Manager." For detailed instructions on modifying server-specific permissions, see How to Modify Permissions on a Specific Server.

170

How to Modify Permissions on a Specific Server

Permissions control access to Exchange objects. Permissions in Exchange are inherited by default. You can set permissions using the Exchange Delegation Wizard and apply these settings to a whole Exchange organization or to a specific administrative group. Because permissions are inherited, these permissions control who can view or modify settings at the server level. This procedure outlines how to modify permission on a specific server. Important When setting permissions on Exchange objects, use Exchange System Manager. Do not set permissions on Exchange objects using Windows Server 2003 MMC snap-ins, such as the Active Directory Sites and Services or Active Directory Users and Computers.

Before You Begin

By default, the permissions are configured to support the standard Exchange administrator types, which are Exchange View Only Administrator, Exchange Administrator, and Exchange Full Administrator. Important You are strongly advised to use the standard Exchange administrator types and only change the settings if more detailed settings are required by your organization's security policy.

Procedure
To modify permissions on a specific server 1. In Exchange System Manager, right-click an Exchange server, and then select Properties. 2. On the Security tab, in the Group or user names list, select the group or user

171 name for which you want to modify permissions. Security tab

3. In the Permissions for <selected entry> list, select the appropriate permissions.

For More Information

For more information about the Exchange Administration Delegation Wizard, see Managing an Exchange Server 2003 Organization.

172

Configuring System Resource Usage During Full-Text Indexing

Exchange can create and manage indexes for fast searches and lookups. With full-text indexing, Exchange indexes every word in a database, making faster searching possible. Full-text indexing is a feature that you can configure for individual stores on a server, and optimize on a server-by-server basis across your Exchange organization. For more information about how to configure full-text indexing to support your Exchange organization, see "Managing Recipients and Recipient Policies in Exchange Server 2003" and "Using Exchange Server 2003 Full-Text Indexing" in Working with the Exchange Server 2003 Store. Full-text indexing allows IMAP4 clients and MAPI clients, such as Microsoft Office Outlook, to conduct full-text searches. For Outlook users, the version of Outlook determines what search options the user has: In Outlook 2002, both the Find and Advanced Find options on the Tools menu initiate a full-text search. In Outlook 2000, only the Advanced Find option initiates a full-text search. The Find option initiates a character-based search.

Indexing is a resource-intensive feature that requires a significant number of CPU cycles. Indexing gigabytes of data can take hours or days. Schedule indexing when the server is not being heavily used. For detailed instructions, see How to Control Server Performance During Indexing.

How to Control Server Performance During Indexing

With full-text indexing, Exchange indexes every word in a database, making faster searching possible.

173 Note Indexing is a resource-intensive feature that requires a significant number of CPU cycles. Indexing gigabytes of data can take hours or days. Consider scheduling indexing when the server is not being heavily used. This procedure outlines how to control server performance during indexing.

Procedure
To control server performance during indexing On the Full-Text Indexing tab in the server's Properties dialog box, in the System resource usage list, select a usage level: Minimum, Low, High, or Maximum. Note To limit the CPU resources that the indexing service occupies, set the server usage level to a lower value (Minimum or Low). Full-Text Indexing tab

174

For More Information

For more information about how to configure full-text indexing to support your Exchange organization, see Managing Recipients and Recipient Policies in Exchange Server 2003 and "Using Full-Text Indexing" in Working with the Exchange Server 2003 Store.

175

Managing Recipients and Recipient Policies in Exchange Server 2003

This section explains what recipients and recipient policies are, and how to create and manage recipients. Included here is information about address lists, the Recipient Update Service, and query-based distribution lists.

Understanding Recipients
Central to any messaging system are the people and resources that receive messages. An individual may receive a message from a coworker, or a public folder may receive a message from a participant in a particular discussion. Although messages are received by people, the term recipients refers to Microsoft Active Directory directory service objects, not people. Recipients are Active Directory objects that have messaging capabilities. However, the object itself does not receive messages. The messages are not stored in Active Directory. Instead, they can reside in a mailbox on an Exchange server, in a public folder, or in another messaging system. People access messages that are sent to them by using a client application. Examples of client applications include Microsoft Outlook, Outlook Web Access, and Outlook Mobile Access. Each of these clients receives notification when a new message arrives and receives pointers to the location of the message, so that the message can be opened and read. The following scenario explains the difference between the person who receives e-mail messages and Active Directory objects. Carole, a member of the marketing team, has a user account that prompts her to type her user name and password to log on to her computer and her company's network. After logging on, she has access to several network resources. One of these resources is her Exchange mailbox. Carole accesses her mailbox with an e-mail client, Outlook 2002. Outlook queries her Exchange mailbox and presents Carole a list of messages in her Outlook Inbox. When Carole opens one of

176 these messages, Outlook retrieves the contents of the message from the message store on the Exchange server that houses her mailbox. As shown in the following figure, there is a recipient that is an Active Directory user object named carole. Mail that is addressed to carole is stored in an associated mailbox on an Exchange server. When the correct credentials are sent to the domain controller for user object carole, the contents of the mailbox become available to the e-mail client. Users authenticate to Active Directory and then use mail clients to access the contents of their Exchange mailbox

In Exchange, the term recipient refers to an Active Directory object that is mailboxenabled or mail-enabled. Mailbox-enabled recipients can send, receive, and store messages. Mail-enabled recipients can only receive messages. The following table describes the Active Directory objects that can be Exchange recipients.

177 Exchange recipient objects

Active Directory object Type of recipient Description

Users

Mailbox-enabled Mail-enabled

Users can log on to networks and access domain resources. Users can be added to groups and appear in the global address list (GAL). Mailbox-enabled users can send and receive messages and store messages on their Exchange server. Mail-enabled users can receive messages at an external e-mail address only. They cannot send or store messages on Exchange.

InetOrgPerson

Mailbox-enabled Mail-enabled

A user object that has had its properties extended to improve compatibility with directory services that use the InetOrgPerson object. As a recipient, InetOrgPerson has the same characteristics as a user object. To mail-enable or mailboxenable an InetOrgPerson object, you must have a Microsoft Windows Server 2003 domain controller and an Exchange 2003-only environment (no servers running Exchange 2000 Server or Exchange Server version 5.5).

178
Active Directory object Type of recipient Description

Contacts

Mail-enabled

Contacts are objects that contain information about people or organizations outside the Exchange organization. Mail-enabled contacts can receive e-mail messages at an external email address. They can be added to distribution lists and appear in the GAL. Contacts cannot access network resources. A group is an object that can contain users, InetOrgPerson objects, contacts, public folders, and other groups. Query-based distribution groups are similar to standard distribution groups, except that they use an LDAP query to dynamically build the group membership. The query is run when a message is sent to the query-based distribution group. When you create a query-based distribution group, you select the criteria for the query. Public folders are repositories for messages and other files that can be accessed by users on the network.

Groups

Mail-enabled

Query-based distribution groups

Mail-enabled

Public folders

Mail-enabled

179 Note Although public folders are recipients, they are different from the other recipient types mentioned here. For more information about public folders, see "Managing Mailbox Stores and Public Folder Stores."

Understanding Recipient Policies

To receive letters and packages, a person must have a mailing address to give to senders. This mailing address can be a business address, the physical address of his or her home, or a post office box. Likewise, for a recipient to receive messages in an Exchange mailbox, the recipient must have an e-mail address. To generate e-mail addresses for each recipient in an organization, you use recipient policies. This section focuses on how recipient policies manage these e-mail addresses, and also how recipient policies manage mailboxes using the Mailbox Manager. Note Recipient policies also establish the mail domain for which Exchange accepts incoming mail. For more information, see "Understanding and Configuring Message Routing and Transport."

Managing E-Mail Addresses

A recipient policy that manages e-mail addresses has the following characteristics: It applies to a selected group of recipients. It always contains information about the address types that are to be applied to those recipients. It is given a priority, so that administrators can control which address is applied as the primary address to a recipient that may appear in more than one policy.

180

Example Scenario
The Exchange administrator for Fourth Coffee wants to create three e-mail addresses for recipients in the organization. The first is for the board of directors, the second is for the employees of the company who work in New York, and the third is for the remainder of the employees at the home office. He creates three recipient policies, as shown in the following table. Policies and their priorities
Policy Priority SMTP address

Board of Directors New York Employees Default

1 2 lowest

@board.fourthcoffee.com @newyork.fourthcoffee.com @fourthcoffee.com

The following table shows information for three different users. User information for Fourth Coffee personnel
Name Office Board

Jonathan Haas Yale Li Britta Simon

New York New York Portland

Yes No No

The first recipient policy, Board of Directors, runs and finds Jonathan Haas in the list of board members. His address is set to <alias>@board.fourthcoffee.com. The next policy, New York Employees, runs. It finds Jonathan Haas again. However, because a policy with a higher priority has already been applied to him, no action is taken. The policy continues running and finds Yale Li. No previous policy has applied to Yale, and Yale Li's address becomes <alias>@newyork.fourthcoffee.com. Finally, the default policy runs. Because no previous policy has applied to Britta Simon, her address becomes the default address, <alias>@fourthcoffee.com. You may want to apply more than one address to a group of recipients. In the previous example, if everyone in the company should receive e-mail messages at <alias>@fourthcoffee.com, that address must be included in all three recipient policies. When you have more than one address in a recipient policy, only one address is considered the primary address per address type. This means that you can only have

181 one primary Simple Mail Transfer Protocol (SMTP) address and one primary X.400 address. You can have 10 SMTP addresses for one recipient, but only one of those can be the primary SMTP address. The difference between primary and secondary addresses is that the primary address serves as the return e-mail address. When mail is received from a recipient, the primary address determines which address the mail appears to have come from. Recipients can receive mail sent to any of the addresses associated with them. The following table shows the primary and secondary e-mail addresses of the three people in the scenario. Primary and secondary e-mail addresses
Name (alias) Receive mail sent to Send mail from (primary e-mail address only)

Jonathan Haas [email protected] (Jon) [email protected] Yale Li (Yale) [email protected] [email protected] Britta Simon (Britta) [email protected]

[email protected]

[email protected]

[email protected]

Notice that Jonathan Haas is in the New York office, yet does not have the <alias>@newyork.fourthcoffee.com address. To have this secondary address, it would be necessary to include it in the recipient policy that applies to him. However, the policy with the highest priority that applies to Jonathan is the Board of Directors policy. Because the members of the board of directors all work in different states, the policy does not include <alias>@newyork.fourthcoffee.com. To add <alias>@newyork.fourthcoffee.com to Jonathan, you can manually add a secondary address in Active Directory Users and Computers, or you can programmatically add <alias>@newyork.fourthcoffee.com as a secondary address to all employees in the New York office. Note This example scenario shows how recipient policies are applied. The behavior of recipient policies differs when co-existing with Exchange Server 5.5.

182

Managing Mailboxes Using Mailbox Manager

In addition to generating and assigning addresses to recipients, recipient policies can be used to manage mailboxes using Exchange Mailbox Manager. Mailbox Manager sets age and size limits for messages, and then it finds and processes messages that exceed those limits. There is no default policy that enforces age or size limits for messages. When you create the first such policy, the default limits of 30 days and 1,024 kilobytes (KB) are applied to every folder in a mailbox. A message must exceed both limits before Mailbox Manager will process it. Under the default settings, a 500-KB message will never be processed, regardless of how old it is. Before Mailbox Manager will run, you must start the mailbox management process on the server object in Exchange System Manager. To start the mailbox management process, you use the Mailbox Management tab of the Properties dialog box for the server object. For more information, see "Scheduling Mailbox Manager Processes."

183 Starting the mailbox management process

What occurs when Mailbox Manager processes a message depends on the setting that you select when creating the policy. By default, only a report is generated. No additional action is taken. In addition to the default setting, there are three other options for how Mailbox Manager processes messages that exceed the specified limits. The following table describes all four of these Mailbox Manager options.

184 Mailbox Manager options

Option Description

Generate report only (default)

No messages are moved or deleted, but an administrator report is generated that indicates which mailboxes contain items that exceed the limits defined by the mailbox recipient policy. Messages are moved to the Deleted Items folder in each client mailbox. Messages are handled as if deleted by the client. Users can remove them from the Deleted Items folder if they want to. A partial replica of the folder hierarchy of the mailbox is created under a root folder named System Cleanup. Affected messages are moved to the appropriate subfolder of the System Cleanup folder. This feature gives users a way to recover recently deleted items, without losing information about the original folder location of the items. Messages are immediately deleted from client view without being moved to either the Deleted Items or System Cleanup folder.

Move to Deleted Items folder

Move to System Cleanup folders

Delete immediately

You can use the same limits for every folder that the mailbox recipient policy applies to, or set custom limits on a folder-by-folder basis. Each folder must be configured individually if its limits differ from the default limits.

185

Creating a Recipient
Recipients can either be created manually using Active Directory Users and Computers or programmatically using APIs. This section focuses on manually creating mailboxenabled and mail-enabled objects, including distribution groups. For information about public folder creation, see "Managing Mailbox Stores and Public Folder Stores." For information about programmatically creating recipients, download the Exchange Software Development Kit (SDK) or view it online from the Exchange developer center (http://go.microsoft.com/fwlink/?LinkId=24705).

Mailbox-Enabled and Mail-Enabled Recipients

This section focuses on creating mail-enabled objects with the following notes and exceptions: Public folders are mail-enabled recipients that differ significantly from other recipients. For more information about public folders, see Managing Mailbox Stores and Public Folder Stores. InetOrgPerson objects can be mail-enabled only if you have a Windows Server 2003 domain controller and have only Exchange 2003 servers in your organization. Mail-enabled groups are covered in their own section that follows. Some Active Directory objects, such as computers and printers, cannot be made into recipients.

To create a new Active Directory object that can be mail-enabled or mailbox-enabled, use Active Directory Users and Computers, as shown in the following figure.

186 Creating a recipient using Active Directory Users and Computers

When you create a recipient object on a network where Exchange is already installed, the recipient will be mailbox-enabled or mail-enabled by default. Clear the Create an Exchange mailbox check box if you do not want to mail-enable or mailbox-enable the Active Directory object. Note To see the options that are specific to Exchange, you must have the Exchange system tools installed on the computer that is being used to create users in

187 Active Directory Users and Computers. Users created on computers without Exchange system tools installed will not have mailboxes created by default. Clear the check box for the object not to be a recipient

You can use the Exchange Task Wizard to mail-enable or mailbox-enable an existing user object. For detailed information, see How to Make an Existing Active Directory Object a Recipient.

188 Using Exchange Task Wizard to mail-enable or mailbox-enable an existing user object

How to Make an Existing Active Directory Object a Recipient

Using Active Directory Users and Computers, you can create a new Active Directory object that can be mail-enabled or mailbox-enabled.

189 Creating a recipient using Active Directory Users and Computers

This procedure outlines how to make an Active Directory object into mail-enabled or mailbox-enabled recipient.

Procedure
To make an existing Active Directory object a recipient 1. In Active Directory Users and Computers, right-click the object, and then select Exchange Tasks.

190 2. On the Available Tasks page in the Exchange Task Wizard, select Create Mailbox or Establish E-mail Address. Using Exchange Task Wizard to mail-enable or mailbox-enable an existing user object

Note If Create Mailbox is not available, the object cannot be mailbox-enabled. However, if Delete Mailbox is listed instead, the object already has a mailbox associated with it. Each recipient can have only one Exchange mailbox.

For More Information

For information about programmatically creating recipients, download the Exchange Software Development Kit (SDK) or view it online from the Exchange developer center.

191

Mail-Enabled Groups
Groups are used to assemble Active Directory objects under one name. This reduces the overhead required to manage users, especially those with similar requirements. For example, you may have a network resource, such as a public folder, that everyone on your marketing team must access. You can give each user on the team permissions to that folder, or you could create a security group named "marketing" and add each member of the marketing team to that group. Then, you can give the group permission to the folder. After a group has been established, you can give that group access to other resources, such as additional public folders, without having to locate every member of the marketing team every time. There are two main types of groups: security and distribution. Security groups are security principals in Active Directory. This means that security groups can be set in the access control list (ACL) of a resource, such as a network share or public folder. Distribution groups exist for sending e-mail messages to collections of users. In a Microsoft Windows environment without Exchange, there are limited uses for distribution groups. Both security and distribution groups can be mail-enabled. They cannot be mailbox-enabled because they represent a collection of users.

Creating Mail-Enabled Groups

A mail-enabled group represents a collection of recipient objects. Its purpose is to speed up the distribution of messages to multiple e-mail addresses. Create a group as you would any other recipient object. Notice, however, that Create an Exchange e-mail address is not selected by default for groups. To enable the group for mail, select Create an Exchange e-mail address during the process of creating the group. For detailed instructions, see How to Enable an Existing Group for Mail.

192 Creating a group that is enabled for mail

How to Enable an Existing Group for Mail

A mail-enabled group represents a collection of recipient objects. This procedure outlines how to enable an existing group for mail.

Before You Begin

You must enable the group for mail during the process of creating the group. To enable the group for mail, select Create an Exchange e-mail address.

193 Creating a group that is enabled for mail

Procedure
To enable an existing group for mail 1. In Active Directory Users and Computers, right-click the group, and then click Exchange tasks. 2. On the Available Tasks page in the Exchange Task Wizard, select Establish Email Address on Groups. Using Exchange Task Wizard to enable an existing group for mail

194

Expanding Mail-Enabled Groups

When mail is sent to a mail-enabled group, the group is first expanded, and then mail is sent to each of the recipients in the group. Unless an expansion server (a server that is responsible for expanding distribution groups) is specified, the group will be expanded on the first Exchange server that handles the message. Expansion of large groups can tax system resources on an Exchange server. For large distribution groups, you may want to designate a dedicated expansion server to reduce the workload of the other production servers. Mail sent to large distribution groups will not slow the Exchange servers that your users use to access their mailboxes.

195 There is a drawback to setting a specific server as the expansion server for a group: If that server is unavailable, no member of the distribution group receives the message. However, if you leave the default setting, Any Server in the Organization, most of the users receive their messages if one server fails. Also, if all members of a distribution group are on well-connected servers, setting a specific expansion server may be unnecessary. For information about setting specific expansion servers, see "Managing Recipient Settings."

Using Mail-Enabled Groups in MultiDomain Environments

To expand distribution lists into individual recipients, Exchange contacts a global catalog server. The global catalog server has a copy of all global and universal groups in its domain and a copy of universal groups from other domains, but it does not have a copy of global groups from other domains. This becomes important in multi-domain environments because if a message is destined for a global distribution group in a domain that is separate from the global catalog server, Exchange cannot expand the distribution group on that message. Because the global catalog server does not have copies of the membership of global groups for domains outside its own, it does not contain any information about the distribution list. Therefore, the categorizer cannot expand the distribution list. To avoid this problem, always use universal distribution groups in multi-domain environments. Use global groups in single domains only.

196

Understanding Query-Based Distribution Groups

A query-based distribution group is a new type of distribution group introduced in Exchange 2003. This section explains what a query-based distribution group is, how it works, and how to create one.

Query-Based Distribution Groups Described

A query-based distribution group provides the same functionality as a standard distribution group. However, instead of specifying static user memberships, you can use an LDAP query (for example, "All full-time employees in my company") to dynamically build membership in a query-based distribution group. This reduces administrative costs because of the dynamic nature of the distribution group. However, query-based distribution groups have a higher performance cost for queries whose outcome produces many results. This cost is in terms of server resources, such as high CPU usage and increased memory usage. This increased usage occurs because every time an e-mail message is sent to a query-based distribution group, an LDAP query is executed against Active Directory to determine its membership. Important You cannot view the membership of a query-based distribution group in the GAL because it is dynamically generated every time mail is sent. Query-based distribution groups work reliably in the following topologies: Exchange 2003-only environment (no Exchange servers prior to Exchange 2003) running in native mode. Exchange 2000 Service Pack 3 (SP3) and Exchange 2003 in native mode. If you have Windows 2000 global catalog servers in this scenario, you can modify a registry

197 key on the Exchange 2000 SP3 servers to increase reliability. This modification is covered in the next section. If you are running versions of Exchange prior to Exchange 2000 SP3 in your environment, query-based distribution groups will not work reliably.

Modifying Exchange 2000 SP3 Servers for Use with Windows 2000 Global Catalog Servers
Follow these steps to configure an Exchange 2000 SP3 server for improved reliability in environments where query-based distribution groups will be expanded with Windows 2000 global catalog servers. Caution Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data. For detailed instructions, see How to Modify Your Exchange 2000 SP3 Servers for Use with Windows 2000 Global Catalog Servers.

198

How to Modify Your Exchange 2000 SP3 Servers for Use with Windows 2000 Global Catalog Servers
This procedure outlines how to configure an Exchange 2000 SP3 server for improved reliability in environments where query-based distribution groups will be expanded with Windows 2000 global catalog servers.

Before You Begin

This topic contains information about editing the registry. Caution Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

Procedure
To modify your Exchange 2000 SP3 server 1. Start Registry Editor. 2. In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC \Parameters

3. In the details pane, right-click, point to New, and then click DWORD Value. 4. Type DynamicDLPageSize for the name. 5. Right-click DynamicDLPageSize, and then click Modify. 6. Under Base, click Decimal. 7. Under Value Data, type 31 and then click OK.

199 Note You must complete this step only for Exchange 2000 servers that use Windows 2000 global catalog servers.

For More Information

Before you edit the registry, and for information about how to edit the registry, see Microsoft Knowledge Base article 256986, "Description of the Microsoft Windows Registry."

How Query-Based Distribution Groups Work

When a message is submitted to a query-based distribution group, Exchange handles the message slightly differently from messages destined for other recipients. A query-based distribution group flows through Exchange to the correct recipients as follows: 1. E-mail messages are submitted through the Exchange store driver or SMTP to the submission queue. 2. The categorizer, a transport component that is responsible for address resolution, determines that the recipient is a query-based distribution group. 3. The categorizer sends the LDAP query request to the global catalog server. 4. The global catalog server runs the query and returns the set of addresses that match the query. 5. After receiving the complete set of addresses that match the query, the categorizer generates a recipient list containing all the users. The categorizer must have the complete set of recipients before it can submit the e-mail message to routing. Therefore, if an error occurs during the expansion of the query-based distribution group to its individual recipients, the categorizer must restart the process. 6. After the categorizer sends the complete, expanded list of recipients to routing, the standard message delivery process continues, and e-mail messages are delivered to the mailboxes of the recipients.

200 The process differs if a dedicated expansion server is used for query-based distribution groups. In this case, instead of sending a query to the global catalog server for expansion as discussed in Step 3, the e-mail message is first routed to the dedicated expansion server. After the message arrives at the expansion server, the expansion occurs, and the delivery follows the same process as described earlier. The expansion server must be an Exchange 2000 SP3 server or later.

Deployment Recommendations for Query-Based Distribution Groups

The time that Exchange requires to expand a query-based distribution group and run the query depends on several factors, as follows: Type of hardware deployed in your organization The categorizer can require up to 2 KB of memory for each recipient. This is a conservative metric that you can use as a baseline. Using this baseline, if you send an e-mail message to a query-based distribution group of 6,000 users (meaning that the query returns 6,000 records), the categorizer requires 12 megabytes (MB) of RAM only to expand the query-based distribution group. Although this use of memory is temporary, it does occur every time the group is expanded. Similarly, sending an e-mail message to a larger query-based distribution group of 100,000 users, the categorizer requires approximately 200 MB of RAM. The processor speed and amount of available physical memory affects how long it will take to deliver the e-mail messages after the expansion. Global catalog or expansion server availability affects the expansion and delivery of e-mail messages that users send to query-based distribution groups If all global catalog servers are unavailable, the message is placed in retry mode in the categorizer, which means that the complete expansion restarts after one hour. The general recommendation is to divide large query-based distribution groups into combinations of standard distribution groups, and assign different expansion servers for each large distribution group. The following options describe three approaches to doing this. Option 1 Designate an Exchange 2003 server with no mailboxes, such as a public folder replica server or a bridgehead server, as the expansion server for a large query-based distribution group. Because this server has more bandwidth and

201 resources to expand the query-based distribution group, expansion and delivery are more efficient. Option 2 Create a query-based distribution group for every Exchange server, and limit each query-based distribution group to the mailboxes on that Exchange server. Designating this same server as the expansion server optimizes mail delivery. Then, use aggregate standard distribution groups that contain these query-based distribution groups as members. For example, to create a query-based distribution group for all full-time employees, you can create a query-based distribution group on each server for full-time employees, and name them "Server1 Full Time" and "Server2 Full Time." Then, create a distribution group composed of these serverbased groups named "AllFullTime." Note The distribution group that you use to combine the query-based distribution groups cannot itself be a query-based distribution group. Option 3 The following example illustrates a third approach for improved handling of large query-based distribution groups. You want to create a query-based distribution group named "All employees" with 100,000 users. Consider dividing the group into the following smaller query-based distribution groups and combining these groups into a single standard distribution group: "All Temps" 10,000 users "All Vendors" 5,000 users "All Full-Time" 65,000 users "All Interns" 2,000 users "All Contractors" 18,000 users

In this case "All Full-Time" would be a large distribution group, so you may want to assign a specific expansion server to it. The other query-based distribution groups can be assigned an expansion server based on how the users are distributed across your Exchange servers. For example, if all of the interns reside on one Exchange server, you may want to designate the same server as the expansion server for "All Interns." Overall, this proposed approach will perform much better than a single query-based distribution group with 100,000 recipients.

202

Guidelines for Creating Query-Based Distribution Groups

Use the following guidelines when you create query-based distribution groups: Use query-based distribution groups in an Exchange 2003-only environment, or a native mode environment with Exchange 2003 and Exchange 2000 in which all Exchange 2000 servers are running Service Pack 3 or later. Use universal groups in multi-domain environments when you create distribution groups that span domains. Although query-based distribution groups can be added to global distribution groups, domain local groups, and global security groups, and can contain any of these groups, membership in these types of groups is not replicated to global catalog servers in other domains. Universal distribution groups are recommended in situations where distribution will span a multi-domain environment. When you combine query-based distribution groups in an aggregate group, combine them in a universal group. Only universal groups are available on global catalog servers across domains. When you build query-based distribution groups, include only universal groups if the membership is to be available in all the domains in a multi-domain environment.

Index the attributes that you use in the query. Indexing greatly improves the performance of the query, and it reduces the time that Exchange requires to expand the distribution group and deliver the e-mail message to the intended recipients. If the filter string contains incorrect formatting or incorrect LDAP syntax, the global catalog server will not run the query. Using Active Directory Users and Computers to create your query can help prevent you from constructing an incorrect query. You can also use the Preview button to view the result of the query. This will confirm the validity and expected results of the query. If you create a query-based distribution group based on an incorrect LDAP query, when a user sends mail to the query-based distribution group, the user receives a non-delivery report (NDR) with the code 5.2.4. If you enable categorizer logging, Exchange logs one of two events with event identifiers of 6024 or 6025.

203 If the filter string is well-formatted, but produces no results, the sender will not receive an NDR. This is the same outcome that occurs if you send to an empty distribution group. As previously stated, use the Preview button in Active Directory Users and Computers to confirm the expected results of your query. Use Exchange System Manager in a security context where its permissions for reading objects in Active Directory are the same as those of the Exchange server. Exchange System Manager runs in the security context of the user who is currently logged on. If an administrator is running with lower security privileges than the Exchange server, the query might show a subset of the actual results in the preview pane. The preview pane will show only those Active Directory objects that the administrator has permissions to read. When mail is sent to the query-based distribution groups, however, the categorizer will run with the Exchange server permissions. Assuming the Exchange server has permissions for all the objects in the query, the query will return the correct results.

There will be issues when a base distinguished name is deleted. Query-based distribution expansion relies on its base distinguished name referring to a valid container in the directory. If the base distinguished name container for a query-based distribution group is deleted, the categorizer cannot run the query, and the sender receives an NDR with the code 5.2.4. If categorizer logging is enabled, an event ID of 6024 or 6025 is logged. For example, you create a sales container in the users container for all sales employees and build a query-based distribution group using the sales container. If you delete the sales container, the query will no longer work.

Creating Query-Based Distribution Groups

To create a query-based distribution group, you must use the Exchange 2003 version of Exchange System Manager and Active Directory Users and Computers. You cannot create query-based distribution groups without upgrading your administration console. Note It is recommended that you upgrade all your administrative consoles to Exchange 2003 before you deploy query-based distribution groups in your environment.

204 When creating a query-based distribution group, Active Directory Users and Computers provides a way to format the LDAP query using standard attributes, without requiring specific knowledge of LDAP. For example, you can select all mailboxes under the organizational unit, or even customize the query to select all mailboxes under an organizational unit that exist on a particular server. For detailed instructions on creating a query-based distribution group, see How to Create a Query-Based Distribution Group. After you create a query-based distribution group, you can make sure that your query works the way that you intended it to work by using the preview feature. This feature is useful not only for query validation, but also to determine how long it takes a query to run. Based on this time, you can decide whether to divide the query into smaller queries for better performance and faster delivery times. For detailed instructions, see How to Verify That a Query-Based Distribution Group Is Working Correctly.

How to Create a Query-Based Distribution Group

A query-based distribution group is a new type of distribution group introduced in Exchange Server 2003. A query-based distribution group provides the same functionality as a standard distribution group. However, instead of specifying static user memberships, you can use an LDAP query (for example, "All full-time employees in my company") to dynamically build membership in a query-based distribution group. This procedure outlines how to create a query-based distribution group.

Before You Begin

To create a query-based distribution group, you must use the Exchange Server 2003 version of Exchange System Manager and Active Directory Users and Computers. You cannot create query-based distribution groups without upgrading your administration console. Note It is recommended that you upgrade all your administrative consoles to Exchange Server 2003 before you deploy query-based distribution groups in your environment.

205 You should also read the Deployment Recommendations for Query-Based Distribution Groups and Guidelines for Creating Query-Based Distribution Groups topics before you create your query-based distribution groups. After you create a query-based distribution group, you can make sure that your query works the way that you intended it to work by using the preview feature. For detailed information, see How to Verify That a Query-Based Distribution Group Is Working Correctly.

Procedure
To create a query-based distribution group 1. In Active Directory Users and Computers, in the console tree, right-click the container where you want to create the query-based distribution group, point to New, and then click Query-based Distribution Group. 2. In Query-based Distribution Group name, type a name for the query-based distribution group, and then click Next. 3. Under Apply filter to recipients in and below, verify that the parent container shown is the one that you want the query-based distribution group to be run against. If this is not the correct container, click Change to select another container. Note The query returns only recipients in the selected container and its child containers. To get the results that you want, you may have to select a parent container or create multiple queries. 4. Under Filter, select one of the following options: To filter the query based on a set of predefined criteria, click Include in this query-based distribution group, and then select from the following criteria: - Users with Exchange mailboxes - Users with external e-mail addresses - Groups that are mail-enabled - Contacts with external e-mail addresses - Public folders that are mail-enabled To create your own criteria for the query, click Customize filter, and then

206 click Customize. 5. Click Next to see a summary of the query-based distribution group that you are about to create. 6. Click Finish to create the query-based distribution group. The new query-based distribution group appears under the container that you selected in Step 3.

How to Verify That a Query-Based Distribution Group Is Working Correctly

After you create a query-based distribution group, you can make sure that your query works the way that you intended it to work by using the preview feature. This feature is useful not only for query validation, but also to determine how long it takes a query to run. Based on this time, you can decide whether to divide the query into smaller queries for better performance and faster delivery times. This procedure describes how to verify that a query-based distribution group is working correctly.

Procedure
To verify that a query-based distribution group works correctly 1. In Active Directory Users and Computers, right-click the query-based distribution group that you just created, and then click Properties. 2. Select the Preview tab to view the query results, and verify that the correct recipients are included in the distribution group. Note The results that are displayed in the preview pane may vary from the actual results when the query is run, depending on permissions settings.

207

Combining Multiple Query-Based Distribution Groups

In Exchange System Manager, you can create query-based distribution groups based on the AND operator. To create distribution groups based on the OR operator using querybased distribution groups, create multiple query-based distribution groups and combine them in a single distribution group. Consider the following example, in which you want to create a query-based distribution group that includes all employees in the marketing department or all employees in the Paris office. If you create a query-based distribution group using an LDAP query that contains all marketing users and all Paris employees, this query returns only those users who are in both groups. Anyone who is not a member of both groups is excluded. To get OR functionality, and thereby include members of either group, you must do the following: 1. Create a query-based distribution group for all employees in the marketing department, named Marketing. 2. Create a query-based distribution group for all employees in the Paris office, named Paris employees. 3. Create a distribution group (not a query-based distribution group, however) and add the query-based distribution groups, Marketing and Paris employees, as members of this group. When you add query-based distribution groups as members of a distribution group, you cannot do so in the same way that you add users to a group. You must right-click the group, and then select Add Exchange query-based distribution group. For detailed instructions about the process of adding query-based distribution groups as members of a standard distribution group, see How to Add Query-Based Distribution Groups as Members of a Distribution Group.

208

How to Add Query-Based Distribution Groups as Members of a Distribution Group

In Exchange System Manager, you can create query-based distribution groups based on the AND operator. You can also create distribution groups based on the OR operator. To do this, you can create multiple query-based distribution groups and combine them in a single distribution group. When you add query-based distribution groups as members of a distribution group, you cannot do so in the same way that you add users to a group. You must right-click the group, and then select Add Exchange query-based distribution group. This procedure outlines the process of adding query-based distribution groups as members of a standard distribution group.

Procedure
To add query-based distribution groups as members of a distribution group 1. In Active Directory Users and Computers, in the console tree, navigate to the container where the distribution group resides, right-click the distribution list, and then click Add Exchange Query-based Distribution Groups. 2. In Select Exchange Query-based Distribution Groups, under Enter the object names to select, enter the name of the query-based distribution group that you want to add as a member of this group. 3. Click Check Names to verify the entry. 4. Click OK. 5. Repeat Steps 1 through 4 for each query-based distribution group to be added as a member of this distribution group.

209

Managing Recipients
Managing recipients involves assigning e-mail addresses to recipients with recipient policies, and managing settings for recipient objects with Active Directory Users and Computers.

Notes for Exchange 5.5 Administrators

If you have servers running Exchange 5.5 in your Exchange 2003 organization (that is, your organization is in mixed mode), it is still possible to manage recipients using the Exchange 5.5 Administrator Program, and it is recommended that you do so, with the exception of moving mailboxes. When you move mailboxes, use Exchange 2003 System Manager or Active Directory Users and Computers, where Exchange 2003 System Management tools have been installed. Note Before you use Active Directory Users and Computers to move recipients from Exchange 5.5, you must first create a connection agreement between each Exchange 5.5 site and Active Directory. It is strongly recommended that all objects in your Exchange 5.5 directory be represented in Active Directory before you deploy your first Exchange 2003 or Exchange 2000 server. This greatly reduces the risk of future problems. For more information about planning connection agreements, see "Migrating from Exchange Server 5.5 to Exchange Server 2003" in the Exchange Server 2003 Deployment Guide. Exchange objects in Exchange 2003 are different from the Exchange objects in Exchange 5.5. Make sure that you understand how these objects have changed. The following table associates the Exchange objects in Exchange 5.5 with their equivalents in Exchange 2003.

210 Terminology differences between Exchange 5.5 and Exchange 2003

Exchange 5.5 term Exchange 2003 equivalent term

Mailbox

Mailbox-enabled user When a user is mailbox-enabled, the user has an e-mail address and a corresponding mailbox. Mailbox-enabled users can send, receive, and store e-mail messages in an Exchange organization.

Custom recipient

Mail-enabled user When a user is mail-enabled, they have an associated e-mail address external to the Exchange organization, but they do not have an associated Exchange mailbox. Mail-enabled users can receive messages at a specified external address, but they cannot store messages on Exchange servers in your organization. or Mail-enabled contact A mail-enabled contact does not have a Windows logon account or a mailbox. A contact can represent someone outside the Exchange organization, such as a customer or a business partner.

Distribution list

Mail-enabled group E-mail messages that are sent to a group are routed to the e-mail address of each group member.

211

Managing Recipients with Recipient Policies

When Exchange is installed, a default recipient policy is created that applies SMTP and X.400 addresses to all recipients in your Exchange organization. You can modify the default policy or create new policies. However, you cannot delete the default policy. All recipients in an Exchange organization must have both SMTP and X.400 addresses. The default policy is always set to the lowest priority. Priority determines the order in which policies are applied to the recipients specified in the policy. Priority 1 represents the first policy to be applied. In mixed mode, where servers running Exchange 2003 or Exchange 2000 coexist with servers running Exchange 5.5, the Site policy has a priority of highest and is the only policy that Exchange applies, regardless of any other policies that you create. You can reorder recipient policies whenever you choose, except for the default policy, which is always set to lowest. Note The default policy is special in the sense that every user in the organization must be stamped with the same proxy address, so that users can take advantage of features like Outlook Web Access, Outlook Mobile Access, and Exchange ActiveSync.

Creating a Recipient Policy

To start the process of creating a recipient policy, right-click the Recipient Policies container in Exchange System Manager, point to New, and then click Recipient Policy. For detailed instructions on creating a recipient policy, see How to Create a Recipient Policy.

212 Creating a new recipient policy

After you click Recipient Policy, you then start the process of completing the steps that are outlined in the following checklist and described in the following sections. Recipient Policy Checklist __ Select the property sheets (e-mail address or Mailbox Manager settings). __ Name the new policy. __ Create a filter. __ Configure the settings. __ Set the priority of the policy. __ Apply the policy.

213

Select the Property Sheets

The first step in creating a recipient policy is to choose the type of policy to create. A single recipient policy can contain an address policy, a Mailbox Manager policy, or both. Selecting both will add property pages for both address and Mailbox Manager features to one recipient policy. Selecting property pages for a new policy

Name the New Policy

After you select the property pages, give the new policy a name. To help you identify the recipients to which the policy applies, give the policy a descriptive name.

Create a Filter
Initially, there are no filter rules applied to the policy. If you do not create a filter, the policy will not be applied to any recipients.

214 Policy does not apply to anyone because no filter rules are set

Configure the Settings

To customize the recipient policy, switch to either the E-Mail Addresses (Policy) tab or the Mailbox Manager Settings(Policy) tab in the policy's Properties dialog box. Use the settings on these tabs to configure the recipient policy to meet the requirements of the associated recipients. After configuring the settings, click OK to create the policy.

Set the Priority and Apply the Policy

After you create a new recipient policy, the policy and its assigned priority appear in Exchange System Manager.

215

How to Create a Recipient Policy

When Exchange is installed, a default recipient policy is created that applies SMTP and X.400 addresses to all recipients in your Exchange organization. You can modify the default policy or create new policies. Note You cannot delete the default policy. All recipients in an Exchange organization must have both SMTP and X.400 addresses. This procedure outlines the steps to create a recipient policy.

Procedure
To create a recipient policy 1. In Exchange System Manager, right-click the Recipient Policies container, point to New, and then click Recipient Policy. Creating a new recipient policy

216

2. After you click Recipient Policy, complete the following steps, which are outlined in detail in steps 3 through 7: Select the property sheets (e-mail address or Mailbox Manager settings). Name the new policy. Create a filter. Configure the settings. Set the priority of the policy. Apply the policy.

3. Select the Property Sheets: Choose the type of policy to create. A single recipient policy can contain an address policy, a Mailbox Manager policy, or both. Selecting both will add property pages for both address and Mailbox Manager features to one recipient policy. Selecting property pages for a new policy

217

4. Name the New Policy: After you select the property pages, give the new policy a name. To help you identify the recipients to which the policy applies, give the policy a descriptive name. 5. Create a Filter: Initially, there are no filter rules applied to the policy. If you do not create a filter, the policy will not be applied to any recipients. To create the filter using an LDAP query, click Modify on the General tab. Policy does not apply to anyone because no filter rules are set

218

6. Configure the Settings: To customize the recipient policy, switch to either the E-Mail Addresses (Policy) tab or the Mailbox Manager Settings (Policy) tab in the policy's Properties dialog box. Use the settings on these tabs to configure the recipient policy to meet the requirements of the associated recipients. After configuring the settings, click OK to create the policy. 7. Set the Priority and apply the policy: After you create a new recipient policy, the policy and its assigned priority appear in Exchange System Manager. If you want to change the priority of a recipient policy, right-click the policy, select All Tasks, and then move the policy up or down the list of recipient policies that are shown in Exchange System Manager. After you create a new recipient policy, you also must apply the policy by right-clicking the policy in Exchange System Manager, and then clicking Apply Policy Now.

219

For More Information

For more information, see Managing Recipients.

Managing Recipient Settings

Some recipient settings are configured in Exchange System Manager, so that they are applied to all recipients in an organization or to large groups of recipients. Examples include mailbox size (which can be set on a per-store basis), global send and receive limits, and limits on the maximum number of recipients to which users can send. You can configure exceptions to these settings for individual recipients in Active Directory Users and Computers. For example, you may have a user who needs a larger mailbox, or one who needs to be able to send large messages. For information about using Exchange System Manager to set message settings for a whole organization, see "Managing an Exchange Server 2003 Organization." For information about setting mailbox size limits on mailbox stores, see "Managing Mailbox Stores and Public Folder Stores." The following sections explain three of the four Exchange-specific tabs that you see in Active Directory Users and Computers, where Exchange system tools have been installed.

Configuring Message Settings for Mailbox-Enabled Recipients

To set individual message settings for mailbox-enabled recipients, start by navigating to the Exchange General tab. For detailed instructions, see How to Navigate to the Exchange General Tab.

220 Exchange General tab

How to Navigate to the Exchange General Tab

This procedure describes how to navigate to the Exchange General tab.

221

Procedure
To navigate to the Exchange General tab 1. In Active Directory Users and Computers, right-click the object to be modified, and then click Properties. 2. Click the Exchange General tab. Exchange General tab

222

Delivery Restrictions
To maintain system performance and to prevent users from wasting valuable system resources by sending large files through your e-mail infrastructure, message size limits are set at the global level in Exchange System Manager, as explained in "Managing an Exchange Server 2003 Organization." Typically, e-mail messages for legitimate business purposes can be sent under the threshold set at the global level. Use the Delivery Restrictions dialog box to override the global setting for those users who have special requirements and need to send larger files than the global limit allows. Tip Consider setting up users who need to transfer large files with an FTP account, instead of trying to use your Exchange server as though it were an FTP server. In addition to setting message size limits, you can use the Delivery Restrictions dialog box to specify to whom users can send messages and from whom they can receive messages. This is similar to the global setting. Important When you make these changes for individuals, you can only set restrictions that reference other Active Directory objects. Blocking mail from a specific Internet mail source or IP address must be done at the global level.

223 Delivery Restrictions dialog box

You can further restrict delivery of messages to recipients by selecting the From authenticated users only check box. This prevents anyone who is not authenticated by your Windows network from sending mail to this recipient. Selecting this check box effectively stops all Internet mail to this recipient. After selecting this check box, select how messages will further be restricted by choosing to allow messages from everyone (all authenticated users), only from users in the restricted list at the bottom of the Delivery Restrictions dialog box, or from everyone except users in the restricted list. To add users to the restricted list, use the Add button.

224

Delivery Options
One delivery option is the use of delegates. In many organizations, delegates are granted permission to send mail on behalf of someone else. For example, an administrative assistant may send a meeting request on behalf of a manager. You can assign delegates to a mailbox-enabled user in the Delivery Options dialog box. Another delivery option is address forwarding, wherein mail sent to the user is forwarded to another address in the organization. You can also choose to have copies of the message sent to both the forwarding address and the user's mailbox. In this case, deleting one copy of the message does not delete the other. You may want to use forwarding to protect the identity of the actual recipient, or for administrative assistants who help sort e-mail messages for others. Recipient limits control the number of recipients to which a user can send a single message. By default, there is no set limit.

Storage Limits
Individuals in your organization may need more storage space on their Exchange servers than the threshold for the mailbox store allows. You can set storage limits for individual users in the Storage Limits dialog box. Users can be warned as they approach the limit, subsequently denied the ability to send, and then denied the ability to send and receive mail. Also, you can override the setting for deleted item retention that is set on the mailbox store. When a user deletes an item, it appears deleted to the user. However, a copy is kept in the user's mailbox store for a specified time, allowing the item to be recovered if it was unintentionally deleted. Some users in your organization may need extra recovery protection, and you can override the setting in the Storage Limits dialog box. If you choose to override the limit set on the mailbox store, you will also have the choice to not permanently delete an item until the store is backed up, adding even greater recovery opportunities for that user.

225

Exchange Advanced Settings for Mailbox-Enabled Recipients

Navigate to the Exchange Advanced tab to change advanced settings for mailboxenabled recipients. For detailed instructions, see How to Get to the Exchange Advanced Tab.

Setting Custom Attributes

Using the Custom Attributes button on the Exchange Advanced tab, you can assign up to 15 custom values for a recipient. By default, recipients have attributes such as phone number, office number, or manager. If there is information that you want to display in the GAL that does not fit in any of the existing attributes, you can create up to 15 other entries. For example, you may want to include an attribute for the divisions or cost centers of your company.

Assigning Mailbox Rights

Using the Mailbox Rights button on the Exchange Advanced tab, you can assign rights to the mailbox of a recipient to users or to groups, add users to the list, and then allow or deny them the following rights: Delete mailbox storage The mailbox from the mailbox store can be deleted. By default, only administrators have permission to do this. Users cannot delete their own mailboxes. Read permissions The specified user can read the contents of a mailbox. Change permissions The user can modify or delete items in the mailbox. Take ownership The user is granted ownership of a mailbox. Full mailbox access The delegated user has the same access rights as the owner. Associated external account This option is used when a user's Windows account resides in a different forest than the Exchange mailbox.

226 Note Each Exchange mailbox must be associated with an Active Directory object, such as a user, in the same forest as the mailbox. If the intended user account resides outside the forest where Exchange is, Exchange first associates the mailbox with an account in its same Active Directory forest. That account is disabled. Then, the mailbox is associated with the external account. Special permissions Click Advanced to work more granularly with permissions, including changing inheritance.

You assign these rights on the Mailbox Rights tab in the user's Permissions dialog box. Assigning rights to read another user's mailbox

227

How to Get to the Exchange Advanced Tab

You can navigate to the Exchange Advanced tab to change advanced settings for mailbox-enabled recipients. This procedure outlines how to navigate to the Exchange Advanced tab.

Procedure
To navigate to the Exchange Advanced tab 1. In Active Directory Users and Computers, right-click the object that you want to modify, and then click Properties. 2. On the Exchange Advanced tab, select the following options: In Simple display name, set a display name that will be used by systems that cannot interpret all the characters in the typical display name. This situation may occur when more than one language version of Exchange System Manager is used to manage an Exchange organization. For example, the English version of Exchange System Manager cannot display all the characters in the Kanji character set. Because the simple display name takes ASCII characters only, all versions of Exchange System Manager can display the simple display name. To prevent the recipient from being displayed in address lists, select Hide from Exchange address lists. To prevent the recipient from sending mail that is marked high priority to an X.400 mail system, select Downgrade high priority mail bound for X.400. Exchange Advanced tab

228

Configuring Message Settings for MailEnabled Recipients

When you must set individual message settings for mail-enabled recipients, start by navigating to the Exchange General tab for that recipient.

229 General tab for mail-enabled recipients

The Exchange General tab for mail-enabled recipients is slightly different from that for mailbox-enabled recipients. It has fewer features, omitting those features that apply only to mailbox-enabled users. For more information, see "Configuring Message Settings for Mailbox-Enabled Recipients" earlier in this chapter. The Exchange Advanced tab adds one option that is not included for mailbox-enabled users, Use MAPI Rich Text Format (RTF). When you select this option, mail sent to this recipient will be sent using MAPI RTF, overriding the settings configured in Internet Message Formats in Exchange System Manager. Select this option only if you are sure that the recipient can view MAPI-rich text.

230

Distribution Groups
Distribution groups are similar to other mail-enabled recipients, but they have the following unique features on the Exchange Advanced tab. Expansion server Use the Expansion server drop-down list to select the server where the group is expanded. If this is set to any server in the organization, the group is expanded on the first Exchange server in your organization that receives the message. For more information about expansion servers, see "Expanding MailEnabled Groups." Hide group from Exchange address lists Select this check box to prevent this distribution group from appearing in the GAL or any other address list. You may want to do this for groups that you do not want everyone in the company to know about. For example, you may have a team of auditors who are investigating unethical business practices. You may not want to show that such a group exists. Send out-of-office messages to originator When someone sends a message to a group, by default, out-of-office messages are not sent to the sender. Select this check box to enable out-of-office replies from group members. For large groups, outof-office replies may be unnecessary. For example, if the chief security officer of a company sends mail describing new security policies to a group named All Fulltime Employees, out-of-office replies are not necessary. Delivery reports for groups Delivery reports warn about delayed or failed delivery of messages. Choose to send delivery reports to either the owner of the group, the sender of the message, or not at all.

231 Exchange Advanced tab for mail-enabled groups

Understanding Address Lists

When users connect to Exchange with a client, such as Outlook 2003, they expect to communicate with other people in the organization easily. Users need to do more than compose e-mail messages with their messaging client. Whether they want to send an email message, telephone a coworker, look up an office number, or schedule a meeting,

232 they need to find information about another recipient quickly. Address lists help you to organize this type of information in a meaningful way.

Address Lists Described

An address list organizes recipients so that they can be easily found by users who want to contact them. The most familiar address list is the global address list (GAL). By default, the GAL contains all recipients in an Exchange organization. In other words, any mailbox-enabled or mail-enabled object in an Active Directory forest where Exchange 2003 is installed is listed in the GAL. To look up the e-mail address or phone number of a recipient, the user can use the GAL to locate this information. The GAL is organized by name, instead of email addresses, for ease of use. Client applications, such as Outlook 2003, display the available address lists that Exchange provides. Users choose from the available address lists when they search for information. Several address lists, such as the GAL, are created by default. Address lists reside in Active Directory, so mobile users who disconnect from the network are also disconnected from these (server-side) address lists. However, offline address lists can be created for use in a disconnected environment. These offline lists can be downloaded to a user's hard disk drive. Frequently, to conserve resources, the offline lists are subsets of the information in the actual address lists that reside on your servers.

233 Address lists displayed in Outlook 2003

An Exchange organization can contain thousands of recipients. Compiling all your users, contacts, mail-enabled groups, and other recipients can cause many entries. As an administrator, you can create address lists to help users in your organization find what they are looking for more easily. For example, consider a company that has two large divisions and one Exchange organization. One division, named Fourth Coffee, imports and sells coffee beans while the other, Contoso, Ltd, underwrites insurance policies. For most day-to-day activities, the workers in the coffee division have almost no relationship with those in the insurance division. To make it easier for people to find each other, you create two new address listsone for Fourth Coffee and one for Contoso. Users can now choose to use the smaller address lists when looking up people in a certain division, or they can always use the GAL, if they are not sure which division a coworker is part of. Address lists can be sorted by any attribute that is associated with a recipient. City, title, company, office building, or any other attribute that you can filter recipients with can be the basis for a new address list. You can also create subcategories of address lists. For example, you can create an address list for everyone in Manchester and another for everyone in Stuttgart. You can then create an address list under Manchester for everyone who works in research and

234 development. Because the research and development list is under the Manchester list, the research and development list contains only those recipients who are in research and development and in Manchester. Address lists are created dynamically. When new users are added to your organization, they are automatically added to all the appropriate address lists. These updates are one of the primary responsibilities of both the Recipient Update Service and Exchange System Attendant.

Creating Address Lists

Address lists can be useful tools for users, but poorly planned address lists can be frustrating. Before you create address lists, make sure that they will make sense to users. Avoid creating so many address lists that users are not sure where to go to find a recipient. Consider surveying users to learn how they would interpret your proposed address lists. Finally, name your address lists in such a way that when users glance at them, they know immediately whom they can expect to find. If you are not sure, have fewer address lists, and remind users that they can find anyone in your organization by using the global address list. For detailed instructions on creating an address list, see How to Create an Address List. When you plan your address lists, consider whether to use subcategories. For example, you may want address lists for both city and state, with city being a subcategory of state. Notice that both New York and Washington have cities named Auburn. When the query for Auburn, New York runs, it first finds all recipients with the state attribute New York, and then queries the result list (all recipients in New York) for all recipients in Auburn. In this way, you establish different lists for Auburn, New York and Auburn, Washington.

235 Address lists with subcategories

To additionally simplify the user experience and organize your lists, you may want to create an empty address list. Because no query has been created for an empty address list, it returns no recipients, and serves strictly as a parent container that organizes other lists. In the previous example, you may create an empty address list named States.

236 Adding an empty address list

How to Create an Address List

An address list organizes recipients so that they can be found easily by users who want to contact them. This procedure outlines how to create an address list.

Before You Begin

Address lists can be useful tools for users, but poorly planned address lists can be frustrating. Before you create address lists, make sure that you have a thorough understanding of address lists. For more information, see Understanding Address Lists.

237

Procedure
To create an address list 1. In Exchange System Manager, expand the Recipients container. 2. Expand All Address Lists, right-click the node that the new list belongs in, point to New, and then click Address List. 3. On the Create Exchange Address List page (see the following figure ), name your new address list, and then modify the filter rules appropriately. Creating an Exchange address list

You can move address lists to create a new hierarchy, using a drag-and-drop operation. As explained in "Managing Recipient Settings," you can hide recipients from address lists using Active Directory Users and Computers.

238

Offline Address Lists

MAPI clients such as Outlook 2003 can download offline address lists, so users can compose e-mail messages even when they are disconnected from their Exchange server. To make it possible for clients to download these address lists, you must first create the address lists on the server. By default, there is an offline address list named the Default Offline Address List, which contains the global address list. If necessary, you can populate this list with any other address list that you have created. You can also create multiple offline address lists that can be individually associated with each mailbox store in your organization. If the users on your different mailbox stores share something in common, such as all being part of the same division, you might want to provide different offline address lists for each mailbox store. For detailed instructions on populating the default address list, see How to Populate the Default Offline Address List.

239 Default Offline Address List Properties dialog box

Whenever you choose, you can set any offline address list in your Exchange organization as the default offline address list. This new default list is then associated with all newly created mailbox stores. There can be only one default list at a time in your Exchange organization. If you delete the current default list, Exchange does not automatically assign another list as the default. If you want to use a default list after you delete the existing default list, you must manually designate another offline address list as the default.

240 Note When you upgrade Microsoft Exchange 2000 Server to Exchange Server 2003, offline address book replication between your servers might no longer work as you expect. For more information, see Microsoft Knowledge Base article 817377, "Offline Address Book Replication Does Not Work After You Upgrade to Exchange Server 2003." Offline address lists use system public folders to contain the required address list information. Their associated public folders are created during the public store maintenance interval, and the content of the public folder is updated according to the Update interval that you specify on the Properties dialog box of each offline address list. The Offline Address List (System) public folders are hidden from users by default. For detailed instructions on viewing the System public folders, see How to View System Public Folders. In a mixed environment where some users connect to Exchange 2003 or Exchange 2000 servers, and others connect to Exchange 5.5 servers, you must have multiple address lists. Those users who connect to Exchange 5.5 need to use the offline address book that is generated by Exchange 5.5.

How to Populate the Default Offline Address List

MAPI clients such as Microsoft Office Outlook 2003 can download offline address lists, so that users can compose e-mail messages even when they are disconnected from their Exchange server. To make it possible for clients to download these address lists, you must first create the address lists on the server. By default, there is an offline address list named the Default Offline Address List that contains the global address list. If necessary, you can populate this list with any other address list that you have created. This procedure outlines how to populate the default offline address list.

Before You Begin

When you upgrade Microsoft Exchange 2000 Server to Exchange Server 2003, offline address book replication between your servers might no longer work as you expect. For

241 more information, see Microsoft Knowledge Base article 817377, "Offline Address Book Replication Does Not Work after You Upgrade to Exchange Server 2003."

Procedure
To populate the default offline address list 1. In Exchange System Manager, click the Offline Address Lists container, right-click Default Offline Address List, and then click Properties. 2. In the Default Offline Address List Properties dialog box (see the following figure), click Add to add any address list that you have created. You can add as many address lists as you require. Then click OK. Default Offline Address List Properties dialog box

242

How to View System Public Folders

Offline address lists use system public folders to contain the required address list information. Their associated public folders are created during the public store maintenance interval, and the content of the public folder is updated according to the

243 Update interval that you specify on the Properties dialog box of each offline address list. By default, the Offline Address List (System) public folders are hidden from users. This procedure outlines how to view the system public folders.

Before You Begin

In a mixed environment where some users connect to Exchange 2003 or Exchange 2000 servers, and other users connect to Exchange 5.5 servers, you must have multiple address lists. Those users who connect to Exchange 5.5 need to use the offline address book that is generated by Exchange 5.5.

Procedure
To see the System public folders 1. In Exchange System Manager, expand the administrative group, and then expand the folders container. 2. Right-click the Public Folders container, and then click View System Folders.

Customizing the Details Templates

Details templates control the appearance of object properties that are accessed by using address lists in both Microsoft MS-DOS 16-bit and MAPI 32-bit client applications. When a user opens an address list in Outlook, for example, the properties of a particular object are presented as defined by the details template in the Exchange organization. You can use the default details template shown in the following figure.

244 Default details template as viewed from Outlook 2003

You can customize the template to better suit the needs of your users. You can select the language for the template that you want to modify.

245 Selecting English

Then, using the Templates tab, you can modify details such as resizing fields, adding or removing fields, adding or removing tabs, and rearranging the order of the fields. For detailed instructions, see How to Customize the Details Template.

246 Modifying the user details template

How to Customize the Details Template

Details templates control the appearance of object properties that are accessed by using address lists in both Microsoft MS-DOS 16-bit and MAPI 32-bit client applications. When a user opens an address list in Outlook, for example, the properties of a particular object are presented as defined by the details template in the Exchange organization. You can use the default details template or you can customize the template to better suit the needs of your users. This procedure outlines how to customize the details template.

247 Default details template as viewed from Outlook 2003

Procedure
To customize the details template 1. In Exchange System Manager, expand the Recipients container, expand the Detail Templates container, and then select the language for the template that you want to modify. For example, the English language has been selected in the following figure. Selecting English

248

The following languages are supported: Arabic, Basque, Brazilian, Bulgarian, Catalan, Chinese Simplified, Chinese Traditional, Croatian, Czech, Danish, Dutch, German, Greek, English, Estonian, Finnish, French, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian, Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, and Ukrainian. Other languages may be supported by the client, but they will not be able to display the Properties pages. 2. In the list of templates displayed in the right-pane, right-click the template to be changed, and then click Properties.

249 3. On the Templates tab, resize fields, add or remove fields, add or remove tabs, and rearrange the order of the fields. Modifying the user details template

4. To see how the changes you made affect the template, click Test. To revert to the original template, click Original.

250

Recipient Update Service

Exchange uses the Recipient Update Service primarily to generate and update default and customized address lists, and to process changes made to recipient policies. This service makes sure that when new recipient policies or address lists are created, their content is applied to the appropriate recipients in the organization. The Recipient Update Service also applies existing policies to new recipients that are created after the policy or address list has already been established. In this way, information is kept current with minimal administrative overhead. You must have at least one Recipient Update Service for each domain in your organization, and it must be run from an Exchange 2003 or Exchange 2000 server. For domains that do not have these Exchange servers, the Recipient Update Service must be run from an Exchange server outside the domain. You can set up more than one Recipient Update Service for a domain, if there are multiple domain controllers. Each Recipient Update Service must read from and write to a unique domain controller. Note If you do not have a Recipient Update Service for a domain, you cannot create recipients in that domain. In situations where you have high network latency in a domain, set up the Recipient Update Service at the local sites. For example, if you have one domain that has sites in Seattle and in Beijing, there might be a long delay before a mailbox that an administrator creates in Beijing is processed by the Recipient Update Service in Seattle. In this case, having a Recipient Update Service on the local domain controller in Beijing will decrease the time the user has to wait to be able to access the mailbox after it has been created. For detailed instructions on creating a new Recipient Update Service, see How to Create a New Recipient Update Service. You can choose to have the Recipient Update Service run at customized intervals. By default, the Recipient Update Service is set to Always Run, and when it runs, only required changes are made. Changes are necessary when a recipient, recipient policy, or address list is changed or created. Any changes that have occurred since the last time the Recipient Update Service ran are applied. For detailed instructions, see How to Change the Update Interval of the Recipient Update Service.

251

How to Create a New Recipient Update Service

Exchange uses the Recipient Update Service primarily to generate and update default and customized address lists and to process changes made to recipient policies. This procedure outlines how to create a new Recipient Update Service.

Before You Begin

You must have at least one Recipient Update Service for each domain in your organization, and it must be run from an Exchange 2003 or Exchange 2000 server. For domains that do not have these Exchange servers, the Recipient Update Service must be run from an Exchange server outside the domain. You can set up more than one Recipient Update Service for a domain, if there are multiple domain controllers. Each Recipient Update Service must read from and write to a unique domain controller. Note If you do not have a Recipient Update Service for a domain, you cannot create recipients in that domain. In situations where you have high network latency in a domain, set up the Recipient Update Service at the local sites. For example, if you have one domain that has sites in Seattle and in Beijing, there might be a long delay before a mailbox that an administrator creates in Beijing is processed by the Recipient Update Service in Seattle. In this case, having a Recipient Update Service on the local domain controller in Beijing will decrease the time the user has to wait to be able to access the mailbox after it has been created.

Procedure
To create a new Recipient Update Service 1. In Exchange System Manager, expand the Recipients container. 2. Right-click the Recipient Update Service container, point to New, and then click Recipient Update Service.

252 The Recipient Update Service wizard starts and guides you through the creation process. The final step in creating a Recipient Update Service

Note If all the domain controllers are currently associated with a Recipient Update Service, you receive an error when you try to create the next Recipient Update Service. You can have only one Recipient Update Service per domain controller.

253

How to Change the Update Interval of the Recipient Update Service

You can choose to have the Recipient Update Service run at customized intervals. By default, the Recipient Update Service is set to Always Run. When it runs, only required changes are made. This procedure outlines how to modify the update interval of the Recipient Update Service.

Procedure
To change the update interval 1. In Exchange System Manager, expand the Recipients container. 2. Right-click the Recipient Update Service to be modified, click Properties, and then change the Update interval option.

Managing Exchange Clusters in Exchange Server 2003

After deploying Microsoft Exchange Server 2003 in a cluster, correct management of that cluster ensures high availability of your servers that are running Exchange. One important part of managing your Exchange Server clusters is the customization of your cluster configuration, including management of your Exchange Virtual Servers and cluster nodes. For example, you may want to add functionality to the default cluster configuration, such as enabling Internet Message Access Protocol version 4 (IMAP4) or Post Office Protocol version 3 (POP3) access for your users. Other important management tasks include monitoring the performance of Exchange 2003 clusters, troubleshooting problems when they occur, and perhaps rebuilding a server or restoring your databases from backup.

254 Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference.

Reviewing Exchange Clusters

Exchange clusters are made up of physical computers (nodes) and logical Exchange Virtual Servers. Exchange Virtual Servers are Microsoft Windows cluster groups with Exchange resources (instances of Exchange services). Exchange Virtual Servers are the basic units of failover for your cluster.

255 Sample Exchange 2003 cluster with four physical nodes and three logical Exchange Virtual Servers

Reviewing the Exchange Resources Associated with Exchange Clusters

For each Exchange Virtual Server in your cluster, there are associated Exchange resources. The following table describes each of these cluster resources, including information about when and how each resource is created. Cluster resource descriptions
Resource Description When created

IP address

Manages the Internet Protocol (IP) address resources in a cluster.

Created manually during initial cluster deployment.

256
Resource Description When created

Network name

Provides an alternative computer name to identify your Exchange cluster. Manages a disk that is on a cluster storage device. Controls the creation and deletion of all resources in the Exchange Virtual Server. Provides mailbox and public folder storage for Exchange Server 2003.

Created manually during initial cluster deployment.

Physical disk

Created manually during initial cluster deployment. Created automatically during initial cluster deployment. Created automatically after the creation of the Exchange System Attendant resource. Created automatically after the creation of the Exchange System Attendant resource. Added manually after initial cluster deployment.

Exchange System Attendant

Exchange store

SMTP

Handles the relay and delivery of e-mail.

IMAP4

Optional component that provides access to e-mail for IMAP4 clients. Optional component that provides access to e-mail for POP3 clients. Provides access to an Exchange mailbox and public folders through HTTP (for example, using Outlook Web Access). Provides content indexing for the Exchange Virtual Server.

POP3

Added manually after initial cluster deployment.

HTTP

Created automatically after the creation of the Exchange System Attendant resource.

Exchange Microsoft Search Instance

Created automatically after the creation of the Exchange System Attendant resource.

257
Resource Description When created

Message transfer agent (MTA)

Handles communication with X.400 systems and interoperation with Exchange Server 5.5. There can be only one MTA per cluster. The MTA is created on the first Exchange Virtual Server. All additional Exchange Virtual Servers depend on this MTA.

Created automatically after the creation of the Exchange System Attendant resource.

Routing service

Builds the link state tables.

Created automatically after the creation of the Exchange System Attendant resource.

The following figure shows the dependency between Exchange 2003 resources. (A resource dependency indicates what other Exchange resources must be brought online before a specific Exchange resource can be brought online.) In the figure, the arrows point to the resource or resources on which a specific resource depends. For example, the arrow from Simple Mail Transfer Protocol (SMTP) points to Exchange System Attendant. Therefore, SMTP depends on Exchange System Attendant. Similarly, Exchange System Attendant has one arrow that points to the network name and one that points to the physical disk. This means that Exchange System Attendant is dependent on both of these resources.

258 Exchange 2003 resources and dependencies

Understanding How Failover Works in an Exchange Cluster

As noted earlier, Exchange Virtual Servers are the basic units of failover for your cluster. However, failover occurs differently in active/passive clusters and active/active clusters. In an active/passive cluster, such as the 3-active/1-passive cluster shown in the following figure, there are three Exchange Virtual Servers: EVS1, EVS2, and EVS3. This configuration can handle a single node failure at a time and still maintain 100 percent availability after a failure occurs. That is, if Node 3 fails, Node 1 still owns EVS1, Node 2 still owns EVS2, and Node 4 takes ownership of EVS3 with all the storage groups mounted after the failure. However, if a second node fails while Node 3 is still down, the Exchange Virtual Server associated with the second failed node remains in a failed state because there is no stand-by node available for failover.

259 Effect of failures on an active/passive cluster

In an active/active cluster as shown in the following figure, there are only two Exchange Virtual Servers: EVS1 and EVS2. This configuration can handle a single node failure at a time and still maintain 100 percent availability after the failure occurs. That is, if Node 2 fails, Node 1 still owns EVS1, and Node 1 also takes ownership of EVS2 with all the storage groups mounted after the failover. However, if Node 1 fails while Node 2 is still down, the whole cluster is in a failed state, because no nodes are available for failover. Effect of failures on an active/active cluster

260

Using Cluster Administrator to Manage Exchange Clusters

As with standard Windows clusters, you perform most of the configuration tasks, and also the management tasks, associated with Exchange clusters using Cluster Administrator. Cluster Administrator is installed by default on servers that have Cluster Service installed and are running one of the following operating systems: Microsoft Windows Server 2003, Microsoft Windows 2000, or Microsoft Windows NT 4.0 Service Pack 3 (or later). Cluster Administrator

You can also use Cluster Administrator to remotely administer a server cluster. Computers that are used to administer a server cluster remotely must be secure and restricted to trusted personnel. For more information, see "Best practices for securing server clusters" in the Windows Server 2003 Enterprise Edition Online Help. For detailed instructions, see How to Open Cluster Administrator.

261

How to Open Cluster Administrator

As with standard Windows clusters, you perform most of the configuration tasks and the management tasks that are associated with Exchange clusters using Cluster Administrator. This procedure outlines how to open Cluster Administrator.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide.

Procedure
To open Cluster Administrator On a computer that is running Cluster Administrator, click Start, point to Programs, point to Administrative Tools, and then click Cluster Administrator. Cluster Administrator

262

Note As an alternative to Cluster Administrator, you can administer clusters from the command line. For information about using the command line to manage cluster settings, see "Managing a Server Cluster from the Command Line" in the Cluster Administrator Help.

Customizing Your Exchange Cluster Configuration

When you deploy Exchange Server 2003 in a cluster, you must accept many default settings. For example, your Exchange cluster is made up of Exchange Virtual Servers that are created using the New Group Wizard. However, this wizard does not allow you to configure all the possible failover options for your Exchange Virtual Servers. Similarly, the New Resource Wizard, which creates an Exchange System Attendant resource for your

263 Exchange Virtual Server, automatically creates the remaining Exchange resources, like the Exchange store and the MTA, using the default settings for each of these additional resources. Because initial cluster deployment typically involves so many default settings, you may have to customize your cluster configuration settings. This customization is important not only to achieve your cluster objectives, but also to obtain optimal cluster performance. Incorrect cluster configuration is the source of many of the Exchange-related issues handled by Microsoft Product Support Services. Therefore, carefully follow the recommendations in this chapter to make sure that your clusters perform optimally. Note If you upgraded your Exchange cluster from Exchange 2000 to Exchange 2003, you can ignore this section about customizing your cluster configuration because your configuration settings will not have changed. There are two levels of settings that you may want to adjust in your Exchange cluster configuration: Settings for the Exchange Virtual Servers. Settings for the Exchange resources that are associated with a specific Exchange Virtual Server.

For a simplified example of the configuration settings for a four-node cluster, see "Configuration Settings for a Four-Node Cluster."

Configuring Exchange Virtual Server Settings

When you create your Exchange Virtual Servers, the default properties that are applied at that time should allow your Exchange cluster to operate adequately. However, you may want to modify these settings to customize your clusters to accommodate your specific Exchange environment. To change the configuration settings for an Exchange Virtual Server, you use the property settings associated with that Exchange Virtual Server object. These property settings instruct Cluster Service in how to manage your Exchange Virtual Servers. For

264 detailed instructions, see How to Access the Properties of an Exchange Virtual Server Using Cluster Administrator. After you open the Properties dialog box for a specific Exchange Virtual Server, you can use the options on the various tabs to customize the preferred owner, failover, and failback settings.

How to Access the Properties of an Exchange Virtual Server Using Cluster Administrator
When you create Exchange Virtual Servers, the default properties that are applied at that time should allow your Exchange cluster to operate adequately. However, you may want to modify these settings to customize your clusters to accommodate your specific Exchange environment. This procedure outlines how to access the properties of an Exchange Virtual Server using Cluster Administrator.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster," in the Exchange Server 2003 Deployment Guide.

265

Procedure
To access the properties of an Exchange Virtual Server 1. On a computer that is running Cluster Administrator, click Start, point to Programs, point to Administrative Tools, and then click Cluster Administrator. 2. In the console tree, right-click the Exchange Virtual Server that you want to configure, and then click Properties.

Specifying Preferred Owners

During the creation of an Exchange Virtual Server, you have the option of defining a list of preferred cluster nodes or preferred owners for that server. Cluster Service uses this list of preferred owners when assigning the Exchange Virtual Server to a node. Cluster Service first tries to assign the Exchange Virtual Server to the first node in the list. If that node is unavailable, Cluster Service tries the next node in the list. If that node is unavailable, Cluster Service continues down the list, until it can assign the Exchange Virtual Server to a node. If Cluster Service cannot find an available node in the preferred owners list, it tries to fail over to the other available nodes in the cluster that have Exchange installed. By default, you do not have to specify any preferred owners. If you do not specify owners, Cluster Service assigns an Exchange Virtual Server to the next available node that has Exchange installed. However, it is recommended that you specify preferred owners if you have a cluster that hosts multiple applications. In this scenario, the first nodes in the list are those nodes whose resources are best able to handle any existing applications on those nodes, and the Exchange Virtual Server for which Cluster Service is trying to find a node. For detailed instructions, see How to Specify a List of Preferred Owners for an Exchange Virtual Server Using Cluster Administrator.

266 The General tab in the Properties dialog box for an Exchange Virtual Server

The preferred owners list is also important if you configure your Exchange Virtual Server to fail back automatically. With automatic failback enabled, an Exchange Virtual Server that is trying to come back online tries to fail back to the first node in the preferred owners list. Again, this first node should be the node that is best able to accommodate the Exchange Virtual Server. If the Exchange Virtual Server cannot fail back to any of the nodes in the list, the server will not come online, and the mailboxes on that server will not be available for your users. When setting the preferred owners for your Exchange Virtual Servers, follow the rules outlined in the following table.

267 Rules for setting the preferred owners for an Exchange Virtual Server
Setting Rule

Specifying a single node as the preferred owner for each Exchange Virtual Server

Assign a different node to each server. For example, the 4-node/3 Exchange Virtual Server example, shown earlier in Figure 8.1, can have the following preferred owners: EVS1 to Node 1 EVS2 to Node 2 EVS3 to Node 3

Specifying a list of nodes as the preferred owners for each Exchange Virtual Server

Make sure that the first node that is listed for one Exchange Virtual Server is not listed as the first node for any other Exchange Virtual server. For example, the 4-node/3 Exchange Virtual Server example, shown earlier in Figure 8.1, can have the following preferred owner lists: EVS1 to Node 1, Node 2, and Node 3 EVS2 to Node 2, Node 3, and Node 1 EVS3 to Node 3, Node 1, and Node 2

How to Specify a List of Preferred Owners for an Exchange Virtual Server Using Cluster Administrator
During the creation of an Exchange Virtual Server, you have the option of defining a list of preferred cluster nodes or preferred owners for that server. Cluster Service uses this

268 list of preferred owners when assigning the Exchange Virtual Server to a node. Cluster Service first tries to assign the Exchange Virtual Server to the first node in the list. If that node is unavailable, Cluster Service tries the next node in the list. If that node is unavailable, Cluster Service continues through the list, until it can assign the Exchange Virtual Server to a node. If Cluster Service cannot find an available node in the preferred owners list, it tries to failover to the other available nodes in the cluster that have Exchange installed. By default, you do not have to specify any preferred owners. If you do not specify owners, Cluster Service assigns an Exchange Virtual Server to the next available node that has Exchange installed. This procedure outlines how to specify a list of preferred owners for an Exchange Virtual Server using Clustering Administrator.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide.

Procedure
To specify a list of preferred owners 1. On a computer that is running Cluster Administrator, click Start, point to Programs, point to Administrative Tools, and then click Cluster Administrator. 2. In the console tree, right-click the Exchange Virtual Server that you want to configure, and then click Properties. 3. On the General tab in the Exchange Virtual Server's Properties dialog box,

269 under Preferred owners, click Modify to specify the nodes that are to be preferred owners for this server. The General tab in the Properties dialog box for an Exchange Virtual Server

Specifying Failover Options

When configuring how Cluster Service manages failovers, consider the Threshold and Period options on the Failover tab. The Threshold setting determines the number of times that the Exchange Virtual Server can fail over during the failover Period. If the

270 actual number of failovers exceeds the threshold during the failover period, the Exchange Virtual Server may be in a failed state, and Cluster Service will not bring it online. The default and recommended settings for these failover options are to have Exchange fail over 10 times in a 6-hour period. For detailed instructions, see How to Specify Failover Options for an Exchange Virtual Server Using Cluster Administrator.

How to Specify Failover Options for an Exchange Virtual Server Using Cluster Administrator
This procedure outlines how to specify failover options for an Exchange Virtual Server using Cluster Administrator. Note When configuring how Cluster Service manages failovers, consider the Threshold and Period options on the Failover tab. The Threshold setting determines the number of times that the Exchange Virtual Server can fail over during the failover Period. If the actual number of failovers exceeds the threshold during the failover period, the Exchange Virtual Server may be in a failed state, and Cluster Service will not bring it online. The default and recommended settings for these failover options are to have Exchange fail over 10 times in a 6hour period.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation

271 for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster," in the Exchange Server 2003 Deployment Guide.

Procedure
To specify the failover options for an Exchange Virtual Server On the Failover tab in the Exchange Virtual Server's Properties dialog box, type a value for the Threshold and Period options. Failover tab in the Properties dialog box for an Exchange Virtual Server

272

Considering Other Factors That Affect Failover

The failover options that you set for your Exchange Virtual Servers are only one factor that affects the speed at which an Exchange Server 2003 cluster fails over. In addition to those settings, many other factors can influence failover rates. The following table lists these additional factors. By understanding these factors, you can configure your Exchange clusters for optimal failover. For detailed instructions, see How to Add the MsgHandleThreshold Registry Key Value. Factors that affect failover performance of Exchange 2003 clusters
Factor Description

State of the Exchange store

The state of the Exchange database and logs at the time of startup or shutdown affects failover performance. For example, if Exchange databases were shut down abruptly, there may be lots of log files to roll through before starting the Exchange databases on the new Exchange Virtual Server. Generally, the greater the number of Exchange databases on your Exchange Virtual Server, the longer it takes to move resources to the new Exchange Virtual Server.

Number of storage groups and databases on your servers Number of service connections into the Exchange store

The Exchange store performs cleanup routines before it releases and allows failover to occur. An unloaded server that takes 100 seconds to fail over takes 120 seconds to fail over when that server has 3,000 simultaneous Microsoft Office Outlook Web Access or Microsoft Outlook connections.

273
Factor Description

Size of the SMTP queue

If the SMTP queue size is greater than 1,000 messages, the time to fail over from one cluster node to another can be significant. You can modify this setting by creating and configuring the SMTP Max Handle Threshold registry key value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMTPSVC\Queuing \MsgHandleThreshold

For more information about creating and configuring this registry key, see the procedure following this table.

How to Add the MsgHandleThreshold Registry Key Value

This procedure outlines how to add the MsgHandleThreshold registry key value.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster," in the Exchange Server 2003 Deployment Guide.

274 Caution Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

Procedure
To add the MsgHandleThreshold registry key value 1. Start Registry Editor. 2. In the console tree, navigate to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ SMTPSVC

3. In the console tree, right-click SMTPSVC, point to New, and then click Key. 4. For the key name, type Queuing. 5. Right-click Queuing, point to New, and then click DWORD Value. 6. In the details pane, type MsgHandleThreshold for the registry key value. 7. Right-click MsgHandleThreshold, and then click Modify. 8. Under Base, click Decimal. 9. Enter a value based on the following: To configure your cluster for optimum failover performance, set the value to 1,000. For optimum run-state performance, set the value to 10,000.

Setting Failback Options

Used in conjunction with the Failover tab, the Failback tab helps define what occurs during a failover. On this tab, you have the option of preventing failback from occurring

275 automatically (the default), or allowing failback to occur automatically. For detailed instructions, see How to Specify the Failback Options for an Exchange Virtual Server Using Cluster Administrator. Failback tab in the Properties dialog box for an Exchange Virtual Server

Preventing Failback If you do not allow an Exchange Virtual Server to fail back, an administrator must intervene and manually move the server back to the original, preferred node. This may be your preferred setting because it allows you to control when the failback occurs. For example, you may want to select Prevent failback if you want to take time to troubleshoot or run diagnostics on the failed node before allowing the node to take ownership of the Exchange Virtual Server again.

276 You can also use this setting to minimize downtime for users. For example, consider a scenario where a failover that occurs at 3:00 P.M. causes EVS1 to move from Node 1 to Node 4 (the stand-by node). By preventing failback, you can wait until the end of the work day to manually move EVS1 back to Node 1, and users do not have to experience downtime waiting for the server to come back online after the move. Allowing Failback By allowing an Exchange Virtual Server to fail back to the preferred node automatically, you can also specify when this failback should occur: either immediately or during a specified time interval. This is the preferred setting if you want to have Cluster Service manage the cluster without any manual administrator intervention.

How to Specify the Failback Options for an Exchange Virtual Server Using Cluster Administrator
This procedure outlines how to specify failback options for an Exchange Virtual Server. When used in conjunction with the Failover tab, the Failback tab helps define what occurs during a failover. You have the option of using the default setting that prevents failback from occurring automatically, or allowing failback to occur automatically.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference.

277 Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster," in the Exchange Server 2003 Deployment Guide.

Procedure
To specify the failback options for an Exchange Virtual Server 1. On a computer that is running Cluster Administrator, click Start, point to Programs, point to Administrative Tools, and then click Cluster Administrator. 2. In the console tree, right-click the Exchange Virtual Server that you want to configure, and then click Properties. 3. On the Failback tab in the Exchange Virtual Server's Properties dialog box, select the failback options for the server. Failback tab in the Properties dialog box for an Exchange Virtual Server

278

Configuring Exchange Cluster Resources

Like the configuration settings for your Exchange Virtual Servers, the default configuration settings for the Exchange resources (instances of Exchange services) that are associated with each server will allow your cluster to work adequately. However, there may be specific settings that you want to adjust, based upon your Exchange environment. For each Exchange Virtual Server, you can see its associated Exchange resources in the details pane of Cluster Administrator. In the following figure, the CORP-MSG-O1 server

279 has all the default Exchange resources. Because the CORP-MSG-01 server is the first Exchange Virtual Server in this cluster, this server also has an MTA resource. Exchange resources for the CORP-MSG-01 Exchange Virtual Server

To change the configuration for an Exchange cluster resource, you use the property settings that are associated with the resource. These property settings instruct Cluster Service in how to manage the resource. For detailed instructions, see How to Access the Properties of an Exchange Cluster Resource Using Cluster Administrator. For information on How to Change the IP Address of an Exchange Virtual Server, see How to Change the IP Address of an Exchange Virtual Server.

280

How to Access the Properties of an Exchange Cluster Resource Using Cluster Administrator
Like the configuration settings for your Exchange Virtual Servers, the default configuration settings for the Exchange resources (instances of Exchange services) that are associated with each server allow your cluster to work adequately. However, there may be specific settings that you want to adjust, based upon your Exchange environment. This procedure outlines how to access the properties of an Exchange cluster resource.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide.

Procedure
To access the properties of an Exchange cluster resource 1. In Cluster Administrator, in the console tree, click the Exchange Virtual Server that contains the resource that you want to configure.

281 2. In the details pane, right-click the resource that you want to configure, and then click Properties.

How to Change the IP Address of an Exchange Virtual Server

This topic provides instructions for changing the IP address of an Exchange Virtual Server. This procedure is typically performed when the physical nodes of the cluster are being physically relocated to a different subnet or network.

Before You Begin

The following procedure illustrates this procedure using a two-node cluster that includes Node1 and Node2.

Procedure
To change the IP address of an Exchange Virtual Server 1. Failover all resources to Node1 and take them offline. To do this: a. Log on to Node1 using an account with Administrator privileges. b. Open Cluster Administrator. c. Move all resource groups to Node1 using the Move Group context menu item for each resource group.

d. Right click all resource groups and take them offline. 2. Change the startup type for the Cluster Service to manual. To do this: a. Logon to Node1. b. Open the Services snap-in. c. Double-click the Cluster Service and change the Startup type to Manual.

d. Repeat steps 2a-2c on Node2.

282 3. Power off both nodes, one at a time, and perform the physical relocation. 4. Change the IP addresses of Node1 and Node2 upon arrival to the new physical location. To do this: a. Power on Node1. b. Log on to Node1 using an account with Administrator privileges. c. Click Start, point to Control Panel, and click Network Connections.

d. Right-click the local area connection that you want to modify and then click Properties. e. Click Internet Protocol (TCP/IP), and then click Properties. The Internet Protocol (TCP/IP) Properties dialog box appears. f. Change the IP address accordingly.

g. Power on Node2 and repeat steps 4b-4f. 5. Change the cluster IP address. To do this: a. On Node1, click Start, and then click Run. In the Open box, type and then press ENTER. b. When you receive the prompt for the cluster name, enter a period "." (without the quotes), and then click Open. c. Take the cluster IP address resource offline.

d. Change the cluster IP address resource using Cluster Administrator and bring the cluster IP address resource online. e. Power on Node2 and test failover the Cluster Group. Note If the subnet mask is changed, Public(1) may appear as a network in Cluster Administrator. When both nodes agree on the subnets, the Public network disappears and the Public(1) network is created. You can rename the network Public(1) to Public. 1. Change the Exchange Virtual Server's IP address. To do this: a. Open Cluster Administrator and double-click each IP Address resource (cluster IP address resource and Exchange virtual server IP address resource) to open its properties. b. On the Parameters tab of each IP Address resource properties, make sure

283 that the Network to Use box contains Public as the network to use. c. Open Exchange System Manager.

d. Locate the Protocols area under the Exchange Virtual Server that you want to modify. Expand the HTTP, IMAP4, SMTP, and POP3 virtual servers. e. Open the properties of each virtual server, and then verify the IP address in the advanced properties at General tab. If necessary, change to the new Exchange virtual server IP address. f. Bring the Exchange resources online and verify connectivity to the Exchange virtual server from a client workstation.

2. Test failover and change the Cluster service startup type to automatic. To do this: a. Open Cluster Administrator and failover each resource group a few times. b. Open the Services snap-in. c. Double-click the Cluster Service and change the Startup type to Automatic.

d. Repeat steps 7a-7c on Node2.

Specifying Possible Owners

You can specify which nodes can run an Exchange resource. Generally, it is a good idea to specify all nodes in the cluster as possible owners for a resource. This enables failover for that resource.

284 General tab in the Properties dialog box for the Exchange Information Store Instance resource

However, you can specify a single node as a possible owner. Although having a single node as a possible owner disables failover for the specified Exchange resource, you still may want to specify a single owner if: The other nodes cannot handle the resource. Maintaining performance is more important than keeping the resource available. You want to control Exchange Virtual Server failover scenarios effectively.

The nodes that you list as possible owners of a resource limit where the Exchange Virtual Server can run. If all the resources on an Exchange Virtual Server have the same possible owners, the server can run on any of the listed nodes. If one of the resources cannot list a node, the Exchange Virtual Server cannot run on that node, even if all the remaining resources list the node as a possible owner. For detailed instructions, see,

285 How to Specify the Possible Owners for an Exchange Resource Using Cluster Administrator.

How to Specify the Possible Owners for an Exchange Resource Using Cluster Administrator
You can specify the nodes that can run an Exchange resource. Generally, it is a good idea to specify all nodes in the cluster as possible owners for a resource. This approach enables failover for that resource. This procedure outlines how to specify the possible owners for an Exchange resource using Cluster Administrator.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster," in the Exchange Server 2003 Deployment Guide.

Procedure
To specify the possible owners for an Exchange resource On the General tab (see the following figure) in the resource's Properties dialog

286 box, under Possible owners, click Modify, and then specify the nodes that you want to be possible owners for this resource. General tab in the Properties dialog box for the Exchange Information Store Instance resource

Specifying a Separate Resource Monitor

By default, an Exchange resource runs in the same resource monitor as the other Exchange resources that are associated with an Exchange Virtual Server. Although it is

287 not recommended, you may want to change this default setting on the General tab and run an Exchange resource in a separate resource monitor when you troubleshoot this cluster resource. For detailed instructions, see How to Run an Exchange Resource in a Separate Resource Monitor Using Cluster Administrator. For more information about the preferred ways of troubleshooting cluster resources, search for "troubleshoot cluster resources" in the Microsoft Product Support Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=18175).

How to Run an Exchange Resource in a Separate Resource Monitor Using Cluster Administrator
By default, an Exchange resource runs in the same resource monitor as the other Exchange resources that are associated with an Exchange Virtual Server. Note Although it is not recommended, you may want to change this default setting on the General tab and run an Exchange resource in a separate resource monitor when you troubleshoot this cluster resource. For more information about the preferred ways of troubleshooting cluster resources, search for "troubleshoot cluster resources" in the Microsoft Product Support Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=18175). This procedure outlines how to run an Exchange resource monitor in a separate resource monitor.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters.

288 Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster," in the Exchange Server 2003 Deployment Guide.

Procedure
To run an Exchange resource in a separate resource monitor 1. In Cluster Administrator, in the console tree, click the Exchange Virtual Server that contains the resource that you want to configure. 2. In the details pane, right-click the resource that you want to configure, and then click Properties. 3. On the General tab in the resource's Properties dialog box, select Run this resource in a separate Resource Monitor.

Understanding Resource Dependencies

Before an Exchange resource can be brought online, there are frequently other Exchange resources that must be brought online before it. This requirement is known as a resource dependency. The Resource dependencies list on a specific Exchange resource object lists the other resources that must be brought online before this resource can be brought online. The following table lists the Exchange 2003 cluster resources and their default dependencies.

289 Exchange 2003 default resource dependencies

Resource Default dependency

System Attendant

Network name resource and shared disk resources Exchange System Attendant Exchange System Attendant Exchange System Attendant Exchange System Attendant Exchange System Attendant Exchange System Attendant Exchange System Attendant Exchange System Attendant

Exchange store SMTP IMAP4 POP3 HTTP Exchange Microsoft Search Instance MTA Routing service

Note Other than to add disk resource dependencies, altering dependencies is not recommended because it can adversely affect your system.

Adding Disk Resource Dependencies

If you are adding disk resources to an Exchange Virtual Server, you must make sure that the Exchange System Attendant resource depends on the new disk resource. For detailed instructions, see How to Make the Exchange System Attendant Dependent on a New Disk Resource.

290

How to Make the Exchange System Attendant Dependent on a New Disk Resource
Before an Exchange resource can be brought online, there are frequently other Exchange resources that must be brought online before it. This requirement is known as a resource dependency. For more information, see Understanding Resource Dependencies. If you are adding disk resources to an Exchange Virtual Server, you must make sure that the Exchange System Attendant resource depends on the new disk resource. This procedure outlines how to make the Exchange System Attendant dependent on a new disk resource.

Procedure
To make the Exchange System Attendant dependent on a new disk resource 1. On the Dependencies tab, in the Exchange System Attendant Properties dialog box, click Modify. Dependencies tab of the Exchange System Attendant Properties dialog box

291

2. In the Modify Dependencies dialog box, in the Available resources list, doubleclick the disk that you want to add, and then click OK. Dependencies for the Exchange System Attendant

292

Specifying Service Restart Options

By default, when a resource experiences a failure, Cluster Service tries to restart the resource three times before trying to move the Exchange Virtual Server to another node. It is strongly recommended that you keep this default option because restarting a service may correct a problem that the node is experiencing. Also, restarting a service takes much less time than moving an Exchange Virtual Server to another node. For detailed instructions, see .How to Adjust the Restart Options for an Exchange Resource Using Cluster Administrator. However, there are additional restart options that you might want to adjust: How many restarts are allowed before the resource fails You can specify the number of resource failures (Threshold) that can occur in a certain length of time (Period) before the resource causes the associated Exchange Virtual Server to fail over. Whether a resource failure causes a failover You can specify whether you want a resource failure (as defined by your Threshold and Period settings) to affect the whole group and force Cluster Service to fail over the associated Exchange Virtual Server to a different node. Because it is a good idea to have failover occur for all required resources on your Exchange Virtual Server, select the Affect the group

293 check box for those resources. For non-required resources (for example, POP3) that affect only several users, you may not want to fail over the server when that resource fails, and you would therefore clear the Affect the group check box for that resource. Advanced tab for an instance of the Exchange store

294

How to Adjust the Restart Options for an Exchange Resource Using Cluster Administrator
By default, when a resource experiences a failure, Cluster Service tries to restart the resource three times before trying to move the Exchange Virtual Server to another node. Note It is strongly recommended that you keep this default option because restarting a service may correct a problem that the node is experiencing. Also, restarting a service takes much less time than moving an Exchange Virtual Server to another node. However, there are additional restart options that you might want to adjust such as how many restarts are allowed before the resource fails and whether a resource failure causes a failover. This procedure outlines how to adjust the restart options for an Exchange resource.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide.

295

Procedure
To adjust the restart options for an Exchange resource 1. In Cluster Administrator, in the console tree, click the Exchange Virtual Server that contains the resource that you want to configure. 2. In the details pane, right-click the resource that you want to configure, and then click Properties. 3. On the Advanced tab, in the resource's Properties dialog box, select the restart options for the server. Advanced tab for an instance of the Exchange store

296

Setting Polling Cluster Resources

Cluster Service polls Exchange resources using a set of Exchange-specific polling intervals that do not have to be changed. Therefore, configuring the polling intervals "Looks Alive" poll interval and "Is Alive" poll interval on the Advanced tab in the resource Properties dialog box does not affect polling intervals.

Setting Pending States

By default, Cluster Service allows a resource to be in a pending state (online pending or offline pending) for only 180 seconds (3 minutes) before Cluster Service terminates the resource, and the resource enters a failed state. An Exchange 2003 or Windows Server 2003 cluster resource must go offline and come back online during the Pending timeout period. Cluster Service makes an exception to the Pending timeout period for the Microsoft Exchange Information Store instance. Although the Exchange store instance must go offline during that period, the store does not have to come back online in the Pending timeout period. This is because the length of time that the Exchange store takes to restart depends on whether the store shut down correctly. If the Exchange store did not shut down correctly, the store must roll through log files upon restarting, and the number of log files to be rolled through determines the time it takes to bring the store back online. Because of the way that the Exchange store writes log files to an Exchange database, the Exchange store for which you might want to increase the Pending timeout period. Increasing the pending time-out period allows the store more time to shut down correctly. For detailed instructions, see How to Change the Length of Time That a Resource Remains Pending Before Failing Using Cluster Administrator.

297

How to Change the Length of Time That a Resource Remains Pending Before Failing Using Cluster Administrator
By default, Cluster Service allows a resource to be in a pending state (online pending or offline pending) for only 180 seconds (3 minutes) before Cluster Service terminates the resource, and the resource enters a failed state. Because of the way that the Exchange store writes log files to an Exchange database, the Exchange store for which you might want to increase the Pending timeout period. Increasing the pending time-out period allows the store more time to shut down correctly. This procedure outlines how to change the length of time that a resource remains pending before failing.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide.

298

Procedure
To change the length of time that a resource remains pending before failing 1. In Cluster Administrator, in the console tree, click the Exchange Virtual Server that contains the resource that you want to configure. 2. In the details pane, right-click the resource that you want to configure, and then click Properties. 3. On the Advanced tab in the resource's Properties dialog box, type a value in seconds for Pending timeout.

Viewing the Exchange Virtual Server That Connects to a Protocol Resource

Exchange automatically selects the Exchange Virtual Server that is used to connect the protocol resource to the cluster. For detailed instructions, see How to View the Exchange Virtual Server That Is Used to Connect the Protocol Resource Using Cluster Administrator. Exchange makes this selection based upon the information that you enter when you create the various resources: For an HTTP virtual server instance, Exchange sets the Server Instance option to the Exchange Virtual Server name that you specified in the Group box when creating the Exchange System Attendant resource for that server. For an IMAP4 or POP3 virtual server instance, Exchange sets the Server Instance option to the Exchange Virtual Server name that you specified in the Group box when you created the IMAP4 or POP3 resource. For information about creating an IMAP4 or POP3 virtual server instance on a cluster, see "Adding IMAP4 and POP3 Resources."

299

How to View the Exchange Virtual Server That Is Used to Connect the Protocol Resource Using Cluster Administrator
Exchange automatically selects the Exchange Virtual Server that is used to connect the protocol resource to the cluster. This procedure outlines how to view the Exchange Virtual Server that is used to connect the protocol resource.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide.

Procedure
To view the Exchange Virtual Server that is used to connect the protocol resource On the Parameters tab of the resource's Properties dialog box, view the Server Instance option. Parameters tab of an instance of the Exchange HTTP resource

300

Note You might not have to modify the Server Instance option.

Taking Exchange Virtual Servers or Exchange Resources Offline

Occasionally, you must take an Exchange Virtual Server or resource offline. For example, you might have to apply a service pack. In that case, you would bring each Exchange Virtual Server offline, and apply the service pack to the associated node.

301 You take Exchange Virtual Servers and Exchange resources offline the same way you do with cluster groups and Windows resources. For detailed instructions, see How to Take an Exchange Virtual Server or Exchange Resource Offline Using Cluster Administrator. Besides being online or offline, Exchange Virtual Servers and Exchange resources can be in other states. The following tables list the various states that are possible for Exchange Virtual Servers and Exchange cluster resources, respectively. Description of Exchange Virtual Server states
Group state Description

Failed

One or more resources in the Exchange Virtual Server cannot be brought online or offline in the allowed time. All resources in the Exchange Virtual Server are online. All resources in the Exchange Virtual Server are offline. One or more resources in the Exchange Virtual Server are online, and one or more are offline. One or more resources in the Exchange Virtual Server are Online Pending or Offline Pending. The state of the whole Exchange Virtual Server cannot be determined.

Online

Offline

Partially Online

Pending

Unknown

Description of Exchange cluster resource states

Resource state Description

Failed

The resource cannot be brought online or offline in the allowed time. The resource is online. The resource is offline. The resource is Online Pending or Offline Pending.

Online Offline Online (Offline) Pending

302
Resource state Description

Unknown

The state cannot be determined.

How to Take an Exchange Virtual Server or Exchange Resource Offline Using Cluster Administrator
Occasionally, you must take an Exchange Virtual Server or resource offline. For example, you might have to apply a service pack. In that case, you would take each Exchange Virtual Server offline, and apply the service pack to the associated node. This procedure outlines how to take an Exchange Virtual Server or Exchange resource offline.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster," in the Exchange Server 2003 Deployment Guide.

303

Procedure
To take an Exchange Virtual Server or Exchange resource offline In Cluster Administrator, right-click the Exchange Virtual Server or Exchange resource that you want to take offline, and then click Take Offline. Important Taking an Exchange Virtual Server or Exchange resource offline stops client connectivity to user mailboxes.

Adding IMAP4 and POP3 Resources

For improved security, the Windows IMAP4 and POP3 protocol services are no longer enabled by default on servers that are running Windows Server 2003. Similarly, the IMAP4 and POP3 protocol resources are no longer created by default upon creation of an Exchange 2003 virtual server. If you want to enable either of those protocols, you must do the following: Enable the Windows IMAP4 or POP3 service on those cluster nodes that will be running the Exchange Virtual Server with the IMAP4 or POP3 resource. To make sure that the service works correctly with clustering, you must also configure the service to start manually. For detailed instructions, see "How to Enable a POP3, IMAP4, or NNTP Virtual Server" in the Exchange Server 2003 Client Access Guide. Manually add the respective IMAP4 or POP3 virtual server as a resource to each Exchange Virtual Server on which you want to enable the selected protocol, and then bring the resource online. For detailed instructions, see How to Add an IMAP4 or POP3 Virtual Server as a Resource to an Exchange Virtual Server.

304

How to Add an IMAP4 or POP3 Virtual Server as a Resource to an Exchange Virtual Server
For improved security, by default, the Windows IMAP4 and POP3 protocol services are no longer enabled on servers that are running Windows Server 2003. Similarly, by default, the IMAP4 and POP3 protocol resources are no longer created upon creation of an Exchange 2003 virtual server. This procedure outlines how to add an IMAP4 or POP3 virtual server as a resource to an Exchange Virtual Server.

Before You Begin

If you want to enable either of those protocols, you must do the following: Enable the Windows IMAP4 or POP3 service on those cluster nodes that will be running the Exchange Virtual Server with the IMAP4 or POP3 resource. To make sure that the service works correctly with clustering, you must also configure the service to start manually. Manually add the respective IMAP4 or POP3 virtual server as a resource to each Exchange Virtual Server on which you want to enable the selected protocol, and then bring the resource online. For detailed steps, see the procedure below.

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference.

305 Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide.

Procedure
To add an IMAP4 or POP3 virtual server as a resource to an Exchange Virtual Server 1. In Cluster Administrator, right-click the Exchange Virtual Server to which you want to enable IMAP4 or POP3, point to New, and then click Resource. 2. In the New Resource dialog box, do the following: a. In Name, type either one of the following names: If you are adding the IMAP4 resource, type Exchange IMAP4 Virtual Server - (<EVSName>), where EVSName is the name of the selected Exchange Virtual Server. If you are adding the POP3 resource, type Exchange POP3 Virtual Server (<EVSName>), where EVSName is the name of the selected Exchange Virtual Server.

a. In the Resource Type drop-down list, click one of the following options: If you are adding the IMAP4 resource, click Microsoft Exchange IMAP4 Server Instance. If you are adding the POP3 resource, click Microsoft Exchange POP3 Server Instance.

a. Verify that the Group drop-down list contains the name of the selected Exchange Virtual Server, and then click Next. 3. In the Possible Owners dialog box (see the following figure ), verify that all nodes appear in the Possible owners list, and then click Next. Possible Owners dialog box for an IMAP4 Virtual Server Instance

306

4. In the Dependencies dialog box, under Available Resources, double-click the <System Attendant Resource Name> to add the System Attendant to the Resource dependencies list, and then click Next. 5. In the Virtual Server Instance dialog box, in the Server Instance list, select the IMAP4 or POP3 virtual server for the resource, and then click Finish. a. In Cluster Administrator, right-click the IMAP4 or POP3 resource, and then click Bring Online.

For More Information

For additional information about using IMAP4 and POP3 with Exchange 2003, see "Managing Client Access to Exchange" in the Exchange Server 2003 Client Access Guide.

307

Adding a Node
Sometimes you might want to add a node to an existing Exchange cluster. For example, you may decide that you want to upgrade your existing 3-node, 2-active/1-passive configuration to a 4-node, 2-active/2-passive configuration. To add a node, you must install Exchange 2003 on the node. For information about installing Exchange 2003 on a cluster node, see "Deploying Exchange Server 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide. After installing Exchange on the new node in the cluster, consider these settings: Preferred ownership of your Exchange Virtual Servers By default, the new node is not a preferred owner of any Exchange Virtual Server. Therefore, if you want the new node to be listed as a preferred owner you must change the properties on the respective Exchange Virtual Server in Cluster Administrator. Possible ownership of the Exchange resources in an Exchange Virtual Server By default, the new node that you created is added as a possible owner for all the resources for the Exchange Virtual Servers in your cluster. If you do not want the new node to be a possible owner for any of the resources in the Exchange Virtual Servers in your cluster, remove that node from the list of possible owners in Cluster Administrator.

Adding an Exchange Virtual Server

You may want to add an Exchange Virtual Server to an Exchange cluster. For example, you may decide that you want to change your 4-node, 2-active/2-passive configuration into a 4-node, 3-active/1-passive configuration. Although you will have one less node available for failover purposes, the advantage of having an additional Exchange Virtual Server is that you can have more users on your Exchange cluster. The process for adding an Exchange Virtual Server to an existing cluster is the same as that for creating an Exchange Virtual Server when you first deploy the Exchange cluster.

308 For information about how to create an Exchange Virtual Server during deployment, see "Deploying Exchange Server 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide. While you are performing this procedure, you can configure preferred ownership for the Exchange Virtual Server, and also possible ownership for the Exchange resources of that Exchange Virtual Server: Preferred ownership of your Exchange Virtual Servers By default, you do not have to choose a preferred owner when you create a new Exchange Virtual Server. However, if you want to enforce a preferred order in which the Exchange Virtual Server fails over, you can do so. Possible ownership of the Exchange resources in an Exchange Virtual Server When you create an Exchange Virtual Server, the default option is to list all cluster nodes that have Exchange installed as possible owners of the resources. However, you do not have to accept this default setting, and you can customize which nodes can be possible owners for the resources of your new Exchange Virtual Server.

Removing an Exchange Virtual Server

Although it does not occur frequently, you might have to remove an Exchange Virtual Server from an Exchange cluster. In particular, you may have to do this if: You are reconfiguring the cluster from an active/active configuration to an active/passive configuration. That is, you are keeping the same number of nodes in the configuration, but you want one of those nodes to be passive instead of active. You plan to remove Exchange 2003 from a cluster. For more information, see "Removing Exchange 2003 from a Cluster Node."

Regardless of your reasons for removing an Exchange Virtual Server, you must consider the requirements shown in the following table before removing that server.

309 Requirements for removing an Exchange Virtual Server

If the Exchange Virtual Server to be removed Then

Owns the message transfer agent (MTA)

You must remove all other Exchange Virtual Servers before removing the Exchange Virtual Server that owns the MTA resource. The first Exchange Virtual Server created in a cluster owns the MTA resource. All other Exchange Virtual Servers in the cluster depend on this resource. Therefore, the Exchange Virtual Server that owns the MTA resource cannot be removed first.

Is a routing master of a routing group

You must make another Exchange Virtual Server the routing master of that group before removing the server. You must move the postmaster account to another Exchange Virtual Server before removing the server. You must move the contents of that public store to a public store on a different Exchange Virtual Server. You must make another Exchange Virtual Server the owner of the Recipient Update Service. You must designate another server as the bridgehead server before removing the Exchange Virtual Server.

Is the home for the postmaster account

Is the home for the last public store in a mixed-mode administrative group

Is responsible for running the Recipient Update Service

Is a target bridgehead server for any routing group

After you have performed any necessary actions listed in the table to make sure that the Exchange Virtual Server can be removed, you can then remove that server. To remove a single Exchange Virtual Server from a cluster, perform the following steps. For detailed instructions, see How to Remove an Exchange Virtual Server from an Exchange Cluster. 1. Backing up critical data and securing resources hosted by the Exchange Virtual Server.

310 Note For information about how to back up Exchange data, see Disaster Recovery for Microsoft Exchange 2000 Server. 2. Moving all mailboxes and public folder content to another Exchange Virtual Server. 3. Taking the Exchange System Attendant resource offline. 4. Removing the Exchange Virtual Server. 5. Deleting remaining cluster resources. Important Deleting components of an Exchange Virtual Server without removing the whole server can cause interruptions in mail flow. Therefore, it is recommended that you follow all the steps in the procedure when removing an Exchange Virtual Server from a cluster.

How to Remove an Exchange Virtual Server from an Exchange Cluster

Although it does not occur frequently, you might have to remove an Exchange Virtual Server from an Exchange cluster. In particular, you may have to do this if: You are reconfiguring the cluster from an active/active configuration to an active/passive configuration. That is, you are keeping the same number of nodes in the configuration, but you want one of those nodes to be passive instead of active. You plan to remove Exchange 2003 from a cluster.

This procedure outlines to remove an Exchange Virtual Server Exchange Virtual Server from an Exchange cluster.

Before You Begin

Regardless of your reasons for removing an Exchange Virtual Server, you must consider the requirements discussed in Removing an Exchange Virtual Server.

311 Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide.

Procedure
To remove a single Exchange Virtual Server from a cluster 1. Back up critical data and secure resources hosted by the Exchange Virtual Server. Note For information about how to back up Exchange data, see Disaster Recovery for Microsoft Exchange 2000 Server. 2. Move all mailboxes and public folder content to another Exchange Virtual Server. For detailed steps, see How to Move Mailboxes from One Exchange Virtual Server to Another Server and How to Move Public Folder Content from One Exchange Virtual Server to Another Server. 3. Take the Exchange System Attendant resource offline. For detailed information, see How to Take the Exchange System Attendant Resource Offline. 4. Remove the Exchange Virtual Server. For detailed information, see How to Remove an Exchange Virtual Server Using Cluster Administrator. 5. Delete remaining cluster resources. For detailed information, see How to Delete the Remaining Resources After Removing an Exchange Virtual Server. Important Deleting components of an Exchange Virtual Server without removing the whole server can cause interruptions in mail flow. Therefore, it is

312 recommended that you follow all the steps in the procedure when you remove an Exchange Virtual Server from a cluster.

For More Information

For more information about this procedure, see Managing Mailbox Stores and Public Folder Stores.

Moving All Mailboxes and Public Folder Content

After backing up data, you must move any mailboxes residing on the Exchange Virtual Server to another server in your Exchange organization. Any mailboxes that are not moved to another server must be deleted. If mailboxes remain on an Exchange Virtual Server, you will not be able to completely delete the Exchange Virtual Server, and the server object remains in the Microsoft Active Directory directory service, although you succeeded in deleting the Exchange System Attendant resource. Note For more information about moving mailboxes, see "Managing Mailbox Stores and Public Folder Stores." For information about moving lots of mailboxes, see Microsoft Knowledge Base Article 297393, "HOWTO: Programmatically Move an Exchange 2000 Mailbox Using CDOEXM in Visual C++." For detailed instructions about moving mailboxes, see How to Move Mailboxes from One Exchange Virtual Server to Another Server. In addition to moving mailboxes, you must move all public folder content from the server before removing the server. For detailed instructions, see How to Move Public Folder Content from One Exchange Virtual Server to Another Server.

313

How to Move Mailboxes from One Exchange Virtual Server to Another Server
The following procedure describes how to move mailboxes. You can move mailboxes using Exchange System Manager. You can also move mailboxes using Active Directory Users and Computers. To do so, In Active Directory Users and Computers, right-click the user object, click Exchange Tasks, and then click Move Mailbox. New in SP1 You can now move mailboxes across administrative groups in mixed mode. Before moving a mailbox across administrative groups, consider the implications. For more information about the implications, see the Exchange Server 2003 Deployment Guide.

Procedure
To move mailboxes 1. Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager. 2. In the console tree, expand Servers, expand the server from which you want to move mailboxes, expand First Storage Group, expand Mailbox Store, and then click Mailboxes. 3. In the details pane, right-click the user or users whose mailboxes you want to move, and then click Exchange Tasks. 4. On the Welcome to the Exchange Task Wizard page, click Next. 5. On the Available Tasks page, click Move Mailbox, and then click Next. If you are running versions of Exchange that are earlier than Exchange Server 2003 SP1, go to step 7. Otherwise, select whether you are moving the mailbox to a store in the same administrative group, or across administrative groups. Then, click Next. The next screen provides any applicable warnings or caveats. When you are

314 finished reading, click Next. 6. On the Move Mailbox page, to specify the new destination for the mailbox, in the Server list, select a server, and then, in the Mailbox Store list, select a mailbox store. Then click Next. 7. Under If corrupted messages are found, click the option you want, and then click Next. Caution If you decide to skip corrupted items, these items are lost permanently when the mailbox is moved. To avoid data loss, back up the source database before moving mailboxes. 8. On the Task Schedule page, in the Begin processing tasks at list, select the date and time for the move. If you want to cancel any unfinished moves at a certain time, in the Cancel tasks that are still running after list, select the date and time. Click Next to start the process. 9. On the Completing the Exchange Task Wizard page, verify that the information is correct, and then click Finish. Note You can run multiple instances of the Move Mailbox wizard.

For More Information

For more information about this procedure, see Managing Mailbox Stores and Public Folder Stores.

How to Move Public Folder Content from One Exchange Virtual Server to Another Server
This procedure describes how to move public folder content from one Exchange Virtual Server to another server.

315

Procedure
To move public folder content from one server to another In your Internet browser, open Microsoft Knowledge Base article 288150, "XADM: How to Rehome Public Folders in Exchange 2000," and follow the instructions.

For More Information

For more information about this procedure, see Managing Mailbox Stores and Public Folder Stores.

Taking the Exchange System Attendant Resource Offline

An Exchange Virtual Server cannot be removed while any of its resources are online. Taking the Exchange System Attendant resource offline takes all a server's dependent resources offline. For detailed instructions, see How to Take the Exchange System Attendant Resource Offline.

How to Take the Exchange System Attendant Resource Offline

You cannot remove an Exchange Virtual Server while any of its resources are online. Taking the Exchange System Attendant resource offline takes all a server's dependent resources offline. This procedure outlines how to take the Exchange System Attendant resource offline.

316

Procedure
To take the Exchange System Attendant resource offline 1. In Cluster Administrator, select the Exchange Virtual Server that you want to remove. 2. In the details pane, right-click System Attendant resource, and then click Take Offline.

For More Information

For more information about this procedure, see Managing Mailbox Stores and Public Folder Stores.

Using Cluster Administrator to Remove the Exchange Virtual Server

In Exchange 2000 Server, you removed an Exchange Virtual Server by deleting the Exchange System Attendant resource. However, this is not how you remove an Exchange Virtual Server in Exchange 2003. To remove an Exchange Virtual Server in Exchange 2003, you must use the appropriate shortcut menu option in Cluster Administrator. Trying to remove the server by just deleting the Exchange System Attendant resource does not work. If you delete the Exchange System Attendant, you must re-create it, and then correctly delete the Exchange Virtual Server. For detailed instructions, see How to Remove an Exchange Virtual Server Using Cluster Administrator.

317

How to Remove an Exchange Virtual Server Using Cluster Administrator

To remove an Exchange Virtual Server in Exchange 2003, you must use the appropriate shortcut menu option in Cluster Administrator. Trying to remove the server by just deleting the Exchange System Attendant resource does not work. If you delete the Exchange System Attendant, you must re-create it, and then correctly delete the Exchange Virtual Server. This procedure describes how to remove an Exchange Virtual Server using Cluster Administrator.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster," in the Exchange Server 2003 Deployment Guide.

Procedure
To remove an Exchange Virtual Server using Cluster Administrator 1. In Cluster Administrator, in the console tree, select Groups. 2. In the details pane, right-click the Exchange Virtual Server that you want to remove, and then click Remove Exchange Virtual Server.

318 3. In the Microsoft Exchange Cluster Administrator Extension dialog box, click Yes to delete the Exchange Virtual Server and all resources that are either directly or indirectly dependent on the Exchange System Attendant resource. Warning when removing an Exchange Virtual Server

Clicking Yes also removes the Exchange Virtual Server information from Active Directory; the physical disk, the IP Address, and Network Name resources remain.

For More Information

For more information about this procedure, see Managing Mailbox Stores and Public Folder Stores.

Deleting the Remaining Cluster Resources

After you delete the Exchange resources of your Exchange Virtual Server, you must manually remove the Windows resources, including the IP Address and Network Name resources. For detailed instructions, see How to Delete the Remaining Resources After Removing an Exchange Virtual Server. If you have followed all the procedures for removing an Exchange Virtual Server, you have deleted this server. After deleting this server, if you want this node to be a passive node in your Exchange cluster, make sure that the possible owner and preferred owner settings are correct.

319 If you want to completely remove the Exchange 2003 installation, see "Removing Exchange 2003 from a Cluster Node."

How to Delete the Remaining Resources After Removing an Exchange Virtual Server
After you delete the Exchange resources of your Exchange Virtual Server, you must manually remove the Windows resources, including the IP Address and Network Name resources. This procedure describes how to delete the remaining resources after removing an Exchange Virtual Server.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide.

Procedure
To delete the remaining resources after removing an Exchange Virtual Server 1. In Cluster Administrator, select the cluster group that contains the Exchange

320 Virtual Server that you just deleted. 2. In the details pane, right-click IP Address resource, and then click Take Offline. 3. Right-click IP Address resource again, and then click Delete. 4. In the Delete Resources dialog box, click Yes. This deletes both the IP Address and Network Name resources. 5. Move the Physical Disk resource by dragging it to another group that is owned by this node. 6. Delete the cluster group by right-clicking the group in the console tree, and then selecting Delete.

For More Information

For more information about this procedure, see Managing Mailbox Stores and Public Folder Stores.

Removing Exchange 2003 from a Cluster Node

To remove Exchange 2003 from a cluster node, you must uninstall Exchange 2003 as you would from a stand-alone (non-clustered) server. However, only remove Exchange from those nodes that you no longer want Exchange to use. If you want Exchange 2003 to use the node (for example, as a passive node), do not uninstall Exchange 2003 from the node. For detailed instructions, see How to Remove Exchange 2003 from a Node.

321

How to Remove Exchange 2003 from a Node

This procedure describes how to remove Exchange 2003 from a node.

Before You Begin

To remove Exchange 2003 from a cluster node, you must uninstall Exchange 2003 as you would from a stand-alone (non-clustered) server. However, only remove Exchange from those nodes that you no longer want Exchange to use. If you want Exchange 2003 to use the node (for example, as a passive node), do not uninstall Exchange 2003 from the node. Before removing Exchange from a node, do the following: Move all Exchange Virtual Servers that the node owns to another node or perform the steps in the previous section "Removing an Exchange Virtual Server" to remove every Exchange Virtual Server that the node owns. Move any important cluster resources owned by the node to another node before proceeding. If you do not move these resources, Exchange Setup blocks removal of Exchange 2003 from the node.

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide.

322

Procedure
To remove Exchange 2003 from a node 1. In Control Panel, open Add/Remove Programs. 2. In the Currently Installed Programs list, select Microsoft Exchange 2003. 3. Click Change/Remove. 4. In the Welcome dialog box, click Next. 5. In the Component Selection dialog box, make sure that the action next to Microsoft Exchange 2003 is Remove, and then click Next. 6. In the Component Summary dialog box, verify your installation selections, and then click Next. 7. In the Microsoft Exchange 2003 Installation Wizard dialog box (see the following figure), click Yes if you are removing the last node in the cluster, or click No if it is not the last node. Warning when removing Exchange 2003 from a cluster

If you remove Exchange from the last node in the cluster, Exchange Setup removes Exchange cluster resource types from the cluster. 8. In the Completion dialog box, click Finish.

323

Migrating an Exchange Cluster Node to a Stand-Alone (Non-Clustered) Server

Migrating an Exchange 2003 cluster node (that is, an Exchange Virtual Server) to a stand-alone server is not supported. If you want to migrate a clustered server to a standalone server, you must create a third server, and then move mailboxes to the new server. Similarly, you cannot migrate a stand-alone Exchange 2003 server to an Exchange cluster node.

Monitoring Performance of an Exchange Cluster

Monitoring your Exchange clusters is as important as managing them. By actively monitoring your clusters, you help make sure that your Exchange 2003 clusters perform well. To monitor the performance of the Exchange Virtual Servers in your cluster, use System Monitor. To monitor your Exchange Virtual Servers for errors that may be occurring, use Event Viewer. Note For more information about System Monitor and Event Viewer, see the Windows Server 2003 or Windows 2000 online documentation.

324

Monitoring Active/Passive Clusters

Active/passive clusters are the recommended configuration for Exchange 2003 clusters. Monitor active/passive clusters just as you would stand-alone server deployments. For information about how you can monitor Exchange, see "Better Together: Microsoft Operations Manager and Exchange Server 2003" and the Microsoft Operations Manager 2000 documentation.

Monitoring Active/Active Clusters

Exchange 2003 supports active/active clusters with at most two nodes. However, active/active clusters are not a recommended configuration for Exchange 2003 clusters. If you have an active/active cluster, use a monitoring application (such as System Monitor) to monitor the following: The number of concurrent connections (users) per node If the number of concurrent users per node exceeds 1,900 for more than 10 minutes, move users off of the node. The CPU load for each server in the cluster If the CPU load generated from users exceeds 40 percent for more than 10 minutes, move users off of the server. Note This CPU load restriction applies only to load increases caused by users. Increases in CPU load that result from administrative tasks, such as moving users, are not a problem.

325

Monitoring Virtual Memory in a Cluster

The biggest individual consumer of memory in Exchange 2003 is the Exchange store process (Store.exe). On an active, production Exchange Server 2003 computer, it is not uncommon to notice that the Exchange store process consumes almost all the server memory. Like Exchange Server 5.5, the Store.exe process uses a unique cache mechanism named Dynamic Buffer Allocation (DBA). This process self-governs how much memory it uses; that is, DBA balances the amount of memory it uses against the memory usage of other applications that are running on the server. If Exchange is the only application running, DBA allocates more memory to itself. The memory that the Exchange store needs depends on the number of Exchange databases that you have on a server, the size of those databases, and the number of transactions per each of those databases. Although each server (or cluster node) in Exchange 2003 can handle up to 20 databases (for a maximum of four storage groups and five databases per storage group), the more databases you have, the more memory the server requires. You can reduce the memory requirements by how you configure additional databases. The first database in a storage group consumes the greatest amount of virtual memory. Therefore, wherever possible, fill your storage groups to the maximum number of databases before you create a new storage group. Filling a storage group: Reduces memory consumption Reduces disk overhead

However, there are several disadvantages to filling a storage group with databases before creating another storage group: Only one backup process can occur in a single storage group at a time. Backing up one database in a storage group stops the online maintenance of all other databases in the storage group. The ability to configure circular logging (a feature that automatically deletes log files that are older than a specified checkpoint) for a specific set of user's mailboxes is minimized. This is because you enable circular logging for the storage group, not for individual databases. If all your databases are in a single storage group, circular logging either applies to all the databases or none of them. If you want to apply circular logging to only several databases, you must create a new storage group, add

326 the appropriate databases to the new storage group, and then apply circular logging to the new storage group. For more information about circular logging, see Disaster Recovery for Microsoft Exchange 2000 Server.

Deciding Which Virtual Memory Counters to Monitor

The task of monitoring virtual memory is especially important when you are deploying Exchange 2003 clusters. This section reviews important aspects of Exchange 2003, and how it uses memory. This section also describes the specific virtual memory counters that it is a good idea to monitor closely. Windows Server 2003 and Windows 2000 implement a virtual memory system based on a flat (linear), 32-bit address space. The 32 bits of address space translate into 4 gigabytes (GB) of virtual memory. On most systems, Windows allocates half of this address space (the lower half of the 4-GB virtual address space from x00000000 through x7FFFFFFF) to processes for its unique private storage and the other half (the upper half, addresses x80000000 through xFFFFFFFF) to its own protected operating system memory usage. Note For more information about virtual memory, see the Windows Server 2003 and Windows 2000 Server online documentation. You can also find information about virtual memory in the Microsoft Windows Server resource kits. Monitor the virtual memory on your Exchange 2003 clusters. It is especially important to monitor the virtual memory counters that are listed in the following table.

327 Exchange 2003 virtual memory counters

Virtual memory counter Description

MSExchangeIS\VM Largest Block Size

Displays the size (in bytes) of the largest free block of virtual memory. This counter displays a line that slopes down while virtual memory is consumed. Monitor this counter to make sure that it stays above 32 megabytes (MB). When this counter decreases to below 32 MB, Exchange 2003 logs a warning (Event ID=9582) in the event log. When this counter drops below 16 MB, Exchange logs an error.

MSExchangeIS\VM Total 16 MB Free Blocks

Displays the total number of free virtual memory blocks that are greater than or equal to 16 MB. This counter displays a line that may first increase, but then may eventually fall when free memory becomes more fragmented. It starts by displaying several large blocks of virtual memory and may progress to displaying a greater number of separate, smaller blocks. When these blocks become smaller than 16 MB, the line begins to fall. To predict when the number of 16 MB blocks is likely to drop below 3, monitor the trend on this counter. If the number of blocks drops below 3, restart all the services on the node.

328
Virtual memory counter Description

MSExchangeIS\VM Total Free Blocks

Displays the total number of free virtual memory blocks, regardless of size. This counter displays a line that may first increase, but then may eventually fall, when free memory first becomes fragmented into smaller blocks, and then when these blocks are consumed. Use this counter to measure how much available virtual memory is being fragmented. The average block size is the Process\Virtual Bytes\STORE instance divided by MSExchangeIS\VM Total Free Blocks.

MSExchangeIS\VM Total Large Free Block Bytes

Displays the sum, in bytes, of all the free virtual memory blocks that are greater than or equal to 16 MB. This counter displays a line that slopes down when memory is consumed.

Important The task to update the virtual memory performance counters for the Exchange store does not run until at least one Exchange Virtual Server starts on the node. Therefore, in active/passive cluster scenarios, all Exchange-related virtual memory performance counters are zero (0) on a passive node. These performance counters are zero because the store on the passive node is either not going to be running or the databases will not be mounted. Note Therefore, having performance counters set to zero may interfere with your virtual memory performance baseline. Therefore, when monitoring these performance counters, you can expect large, free virtual memory numbers on the passive nodes. When you monitor the virtual memory counters, the most important counter to monitor is VM Total Large Free Block Bytes, which should always be more than 32 MB. If a node

329 in the cluster drops below 32 MB, fail over the Exchange Virtual Servers, restart all the services on the node, and then fail back the Exchange Virtual Servers. The Exchange store logs the following events if the virtual memory for your Exchange 2003 server becomes excessively fragmented: Warning logged if the largest free block is smaller than 32
EventID=9582 Severity=Warning Facility=Perfmon Language=English The virtual memory necessary to run your Exchange server is fragmented in such a way that performance may be affected. It is highly recommended that you restart all Exchange services to correct this issue.

Warning logged if the largest free block is smaller than 16

EventID=9582 Severity=Error Facility=Perfmon Language=English The virtual memory necessary to run your Exchange server is fragmented in such a way that normal operation may begin to fail. It is highly recommended that you restart all Exchange services to correct this issue.

Enabling Exchange Logging

After you install Exchange 2003 on your cluster nodes and create your Exchange Virtual Server, you may want to configure Exchange logging. Although it is helpful to enable Exchange logging when you troubleshoot message flow issues, it is not recommended that you enable logging at all times. This is because logging reduces Exchange performance.

330 Before enabling logging on an Exchange cluster, disable MTA monitoring on all servers that do not have MTA installed. Then, you can enable SMTP logging on the selected servers.

Disabling MTA Monitoring on Nodes That Are Not Running MTA

By default, an Exchange 2003 server monitors the MTA service. In a cluster environment, MTA runs only on one of the physical nodes (computers). This means that the monitoring process reports that the nodes that are not running MTA are in an error state. This, in turn, can cause problems if Exchange 2003 is installed in a cluster with two or more Exchange Virtual Servers. To prevent the monitoring process from incorrectly reporting that Exchange Virtual Servers that are not running the MTA service are in an error state, disable MTA monitoring on the second Exchange Virtual Server (and if applicable, any other additional Exchange Virtual Servers) of a cluster. You do not have to disable MTA monitoring on the first Exchange Virtual Server of a cluster. For detailed instructions, see How to Disable MTA Monitoring on an Exchange Virtual Server.

How to Disable MTA Monitoring on an Exchange Virtual Server

By default, an Exchange 2003 server monitors the MTA service. In a cluster environment, MTA runs only on one of the physical nodes (computers). To prevent the monitoring process from incorrectly reporting that Exchange Virtual Servers that are not running the MTA service are in an error state, disable MTA monitoring on the second Exchange Virtual Server (and if applicable, any other additional Exchange Virtual Servers) of a cluster. You do not have to disable MTA monitoring on the first Exchange Virtual Server

331 of a cluster. This procedure describes how to disable MTA monitoring on an Exchange Virtual Server.

Before You Begin

Before you start managing your Exchange cluster, you may want to review what constitutes an Exchange Virtual Server and its associated Exchange resources. You may also want to become more familiar with Cluster Administratorthe primary tool used to configure and manage clusters. Note Before performing the cluster administration tasks outlined in this chapter, you must be familiar with the clustering concepts described in "Checklist: Preparation for installing a cluster" in the Microsoft Windows Server 2003 Enterprise Edition Online Help and in the Windows Server 2003 Technical Reference. Also, make sure that you are familiar with "Using Server Clustering" in Planning an Exchange Server 2003 Messaging System and with "Deploying Exchange 2003 in a Cluster" in the Exchange Server 2003 Deployment Guide.

Procedure
To disable MTA monitoring on an Exchange Virtual Server 1. In Exchange System Manager, in the console tree, expand Servers, right-click the appropriate Exchange Virtual Server, and then click Properties. 2. In the <Server Name> Properties dialog box, click the Monitoring tab. 3. On the Monitoring tab, select Default Microsoft Exchange Services from the list of services, and then click Details. 4. In the Default Microsoft Exchange Services dialog box, select Microsoft Exchange MTA Stacks, and then click Remove. 5. Click OK two times.

332

Enabling SMTP Logging

If you want to gather statistical data about server usage, you can enable logging of the SMTP resource. However, be aware that enabling SMTP logging reduces Exchange performance. Unless you are troubleshooting or need statistical data, disable logging (the default setting). When enabled, Internet Information Services (IIS) creates SMTP log files on the system drive of the local computer (for example, C:\Winnt\System32\Logfiles, where C is the location of your Windows Server 2003 or Windows 2000 installation). To reliably configure SMTP logging in a clustered environment, you must change the default location of the log files (that is, the local computer) to a folder on a shared disk. For detailed instructions, see How to Enable SMTP Logging and Log the Files to a Shared Disk.

How to Enable SMTP Logging and Log the Files to a Shared Disk
If you want to gather statistical data about server usage, you can enable logging of the SMTP resource. However, be aware that enabling SMTP logging reduces Exchange performance. Unless you are troubleshooting or need statistical data, disable logging, which is the default setting. This procedure describes how to enable SMTP logging and log the files to a shared disk.

Before You Begin

When enabled, Internet Information Services (IIS) creates SMTP log files on the system drive of the local computer (for example, C:\Winnt\System32\Logfiles, where C is the location of your Windows Server 2003 or Windows 2000 installation). To reliably configure SMTP logging in a clustered environment, you must change the default location of the log files (that is, the local computer) to a folder on a shared disk.

333

Procedure
To enable SMTP logging and log the files to a shared disk 1. In Exchange System Manager, in the console tree, expand Servers, and then expand the server on which you want to enable IIS logging for SMTP. 2. In the console tree, expand Protocols, and then expand SMTP. 3. In the console tree, right-click Default SMTP Virtual Server, and then click Properties. 4. In the Default SMTP Virtual Server Properties dialog box, on the General tab, click Enable logging, and then click Properties. 5. In the Extended Logging Properties dialog box, on the General Properties tab, in Log file directory, change the SMTP log file location to a folder on a shared disk. 6. Click OK two times.

Tuning Servers in a Cluster

Even with thoughtful management and attentive monitoring, it may become necessary to tune the servers in your clusters to maintain high availability. Exchange 2003 requires much less manual tuning than Exchange 2000. In fact, Exchange 2003 performs most necessary tuning automatically. To take advantage of the tuning features in Exchange 2003, consider making the following tuning changes after the initial installation and configuration of your Exchange cluster: Remove Exchange 2000 tuning parameters Configure the /3GB switch Configure the /Userva and SystemsPages options

334

Removing Exchange 2000 Tuning Parameters

If a server in your cluster previously ran Exchange 2000, you may have performed the manual tuning changes that were recommended by previous Exchange documentation. If you have since upgraded that server to run Exchange 2003, then that server no longer needs those manual tuning changes, and it is a good idea to manually remove them from the server.

Setting the /3GB Switch

By default, Windows Server 2003 and Windows 2000 Advanced Server allocate 2 GB of virtual address space to user mode processes, such as the Exchange store process (Store.exe). If a server has 1 GB or more of physical memory, set the /3GB switch in the Boot.ini file to increase the virtual address space. For more information about the /3GB switch, see Microsoft Knowledge Base Article 266096, "XGEN: Exchange 2000 Requires /3GB Switch with More Than 1 Gigabyte of Physical RAMXGEN: Exchange 2000 Requires /3GB Switch with More Than 1 Gigabyte of Physical RAM." Important The /3GB switch is designed for all editions of Windows Server 2003 and for Windows 2000 Advanced Server. Do not set the /3GB switch if you are running Windows 2000 Server.

335

Configuring /Userva and System Pages

If the server is running Windows Server 2003, set the SystemPages value to zero, and set the /Userva=3030 parameter in the Boot.ini file. These settings allow for more system page table entries on the server, which is critical for scale-up systems. If the server is running Windows 2000, set the SystemPages registry key to a value between 24000 and 31000. The location of the SystemPages registry key is as follows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\SystemPages

For additional information about the /Userva switch, see Microsoft Knowledge Base article 810371, "Using the /Userva switch on Windows Server 2003-based computers that are running Exchange ServerUsing the /Userva switch on Windows Server 2003-based computers that are running Exchange Server."

Troubleshooting Your Exchange Clusters

Clustering provides a mechanism for moving resources between cluster nodes when problems occur. When a single server fails, clustering moves Exchange 2003 resources from the failed server to another server in the cluster. This failover allows services to remain available to users. By maintaining service availability after a failure occurs, clustering gives you time to diagnose and fix the problem. Diagnosing means not only determining whether the failure is related to a single server or the whole cluster, but also whether the failure is easily repaired or requires more complex disaster recovery steps.

336

Identifying the Cause of a Failure

An important task in disaster recovery processes for Exchange 2003 clusters is identifying what caused a specific resource to fail. When a failure occurs in an Exchange cluster, first determine if the failure is on a single node, which indicates that there are problems with the node's files, or on every node, which indicates that there are problems with the cluster's objects or the shared cluster resources. To determine the cause of the failure: Search the Application Log in Event Viewer Begin by looking for MSExchangeCluster events. The event description should help you determine the cause of the problem. For example, the following figure shows an event description that states that the service for that resource cannot start. Based on this description, focus your troubleshooting efforts on the service startup.

337 MSExchangeCluster event that provides information about the failure

Turn on and configure verbose logging for Cluster Service While server clusters log errors and events to the System Event log, you can perform advanced troubleshooting by having the Cluster Service perform verbose logging to a text file named Cluster.log. For information about this log and how to enable it, see Microsoft Knowledge Base Article 168801, "How to Turn On Cluster Logging in Microsoft Cluster ServerHow to Turn On Cluster Logging in Microsoft Cluster Server." Search for resolutions in the Microsoft Product Support Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=18175) Many cluster-related Knowledge Base articles that apply to Exchange 2000 also apply to Exchange 2003. Therefore, search the Knowledge Base for cluster information related to Exchange 2000 and also Exchange 2003.

338 If you still cannot determine the cause of the failure, you can perform the repair options listed in "Repairing Windows 2000" in Chapter 7, "Repairing Exchange 2000" in Disaster Recovery for Microsoft Exchange 2000 Server. If repairing the node or whole cluster is unsuccessful, you must consider replacing the node or recovering the node, cluster, or resources (such as the quorum disk resource, or Exchange mailbox and public folder stores).

Performing Disaster Recovery on Your Exchange Clusters

After diagnosing the failure and trying to repair the failed node or cluster, it is time to perform disaster recovery on your Exchange cluster. This may involve replacing a damaged cluster node, restoring or rebuilding a cluster node from backups, restoring a shared disk resource from backups, or recovering the whole cluster. Disaster recovery on an Exchange cluster is a complex process that involves devising appropriate data backup and recovery strategies. As such, it is not possible to cover the entire subject of disaster recovery in this guide. You can find detailed conceptual information and step-by-step procedures about backing up and restoring Exchange 2003 clusters in "Backing Up Exchange 2000 Clusters" in Chapter 6, "Backing Up Exchange 2000" and "Restoring Exchange 2000 Clusters" in Chapter 7, "Restoring Exchange 2000" in Disaster Recovery for Microsoft Exchange 2000 Server.

Backing Up Data on an Exchange 2003 Server Cluster Node

Securing the data on your Exchange 2003 clusters requires establishing a correct and thorough backup plan. To back up the important data on the nodes of your Exchange 2003 clusters, you can use Windows 2000 Backup. You can also use third-

339 party backup solutions to meet your backup needs. For information about third-party backup solutions, see the "Exchange Server Partner Products" Web site. To secure the data in your clusters, you must do the following: Back up Windows in each cluster node. Back up the quorum disk resource of each cluster. Back up all Exchange databases on your shared disk resources. Maintain informational records about your cluster configuration.

Recovering an Exchange 2003 Cluster

Recovering from disasters that affect the nodes of your Exchange 2003 clusters can be as simple as replacing a node with a stand-by recovery server, or it can be as difficult as rebuilding a whole cluster from the beginning. If you have a correct and thorough backup plan in place, you can recover from most disasters that affects your Exchange organization. You may must do the following to recover from disasters that affect your Exchange 2003 clusters: Replace damaged cluster nodes. Restore or rebuild a cluster node from backups. Restore shared disk resources. Restore quorum disk resource. Restore Exchange databases. Recover a whole Exchange 2003 cluster.

340

Managing Mailbox Stores and Public Folder Stores

The Microsoft Exchange store is a storage platform that provides a single repository for managing multiple types of unstructured information in one infrastructure. Mailbox stores and public folder stores are two of the components that make up the Exchange store. The Exchange store is also known as the Web Storage System. The following topics provide information about store-related administrative tasks that are more detailed and complex than those included in this chapter: For more information about the components of the Exchange store and identifies the different tools that you can use to manage them, see "" in Working with Exchange Server 2003 Stores (http://go.microsoft.com/fwlink/?LinkId=47595). For information about procedures for configuring replication and about troubleshooting replication issues, see "" in Working with Exchange Server 2003 Stores (http://go.microsoft.com/fwlink/?LinkId=47595). For information about how to set up full-text indexes, and how to optimize and maintain the indexes, see "" in Working with Exchange Server 2003 Stores (http://go.microsoft.com/fwlink/?LinkId=47595). For information about the common problems, events, and messages that are related to managing mailbox and public folder stores, and information about what causes the problems, and possible solutions, see "" in Working with Exchange Server 2003 Stores (http://go.microsoft.com/fwlink/?LinkId=47595).

Note For detailed information about the internal workings of the stores, and for detailed backup and recovery procedures, see Disaster Recovery for Microsoft Exchange 2000 Server. Although existing recovery functionality has not changed, Microsoft Exchange Server 2003 has new recovery features. For more information about the new features, see What's New in Exchange Server 2003What's New in Exchange Server 2003.

341

Working with Permissions for Public Folders and Mailboxes

Managing administrative access to mailbox and public folder stores is similar to managing administrative access to the server itself. This section contains an overview of the permissions that you need to manage public folders and mailboxes. Before you start management tasks on public folders and mailboxes, read the sections that pertain to the tasks that you plan to perform: Using Exchange Administrative Roles with Exchange Store Components This topic explains what access the various Exchange administrative roles (Exchange Full Administrator, Exchange Administrator, and Exchange View Only Administrator) provide to mailbox stores, public folder stores, and public folder trees. Understanding the Types of Permissions That Control Access to Mailboxes and Public Folders, Using Mailbox Permissions, and Using Public Folder Permissions These topics explain how the permissions on store contents mailboxes, public folders, and the messages they storeare much more complex than permissions used elsewhere in Exchange, and provide basic information about how to use these permissions. Important A detailed explanation of how these permissions work is beyond the scope of this topic. For a full explanation of how store permissions work, see Working with Store Permissions in Microsoft Exchange 2000 and 2003. Note If you are doing any troubleshooting with store permissions, or if you must modify permissions in ways other than the delegation methods, it is strongly recommended that you study "Working with Store Permissions in Exchange 2000 and 2003" first. Maintaining the Minimum Permissions Required for Mailbox Stores and Public Folder Stores This section explains the minimum permissions that are required for mailbox stores and public folder stores to function correctly.

342

Using Exchange Administrative Roles with Exchange Store Components

To perform most of the tasks in this topic, you must have at least Exchange Administrator permissions on the administrative group where you are working. For more information about the Exchange administrative roles and the Exchange Administration Delegation Wizard, see "Managing Exchange Server 2003 Permissions." Use the information in this topic to identify what permissions are involved, and how the Exchange store objects inherit these permissions. This will help you to recognize situations where you may need a different administrative role or different permissions. The following table summarizes the permissions for the three Exchange administrative roles on Exchange store objects. Permissions for the Exchange administrative roles on mailbox stores, public folder stores, and public folder trees
Role Allowed Denied

Exchange Full Administrator

Full Control Additional permissions in Active Directory to allow you to work with deleted items and offline address lists

Receive-As Send-As

Exchange Administrator

All except Change Permissions Additional permissions in Active Directory to allow you to work with offline address lists

Receive-As Send-As

343
Role Allowed Denied

Exchange View Only Administrator

Read List object List contents View Information Store Status

None

The following figure summarizes how mailbox stores, public folder stores, and public folder trees inherit permissions. Direction of inheritance of permissions for Exchange Full Administrators, Exchange Administrators, or Exchange View Only Administrators

As Figure 7.1 shows, objects in the Exchange store inherit permissions from their administrative group, with the following exceptions: Delegating Exchange administrative roles on an administrative group gives administrators in those roles limited permissions on mailboxesenough to create or delete mailboxes, and set options such as storage limits. A public folder inherits some administrative permissions from the public folder tree where it resides. It does not inherit permissions from the public folder store. Administrative rights on a public folder include many folder-specific permissions that are not available on the public folder tree. For example, although an Exchange

344 Administrator cannot modify the permissions on a public folder tree, the administrator can modify permissions on a public folder in that tree. Note For an administrator to apply a system policy to a store, the administrator must have the appropriate permissions on both the System Policies container and on the target store. If you are using a distributed administration model with multiple administrative groups that have separate administrators, each administrator will be able to interact only with the stores in that administrator's own administrative group. Important Public folder trees and their public folders can only be administered in the administrative group where they were created, even though you can replicate folders in the tree to multiple administrative groups. If you are using a distributed administration model with multiple administrative groups that have separate administrators, each administrator can work with the public folder stores in that administrator's own administrative group, but may not have access to the public folders that those stores support.

Understanding the Types of Permissions That Control Access to Mailboxes and Public Folders
The access control lists (ACLs) on public folders, mailboxes, and the messages that they contain use Microsoft Windows 2000 permissions to control access (with several additional permissions that are specific to Exchange). This is a change from Microsoft Exchange 5.5, in which the ACLs used MAPI permissions. Exchange 2003 substitutes MAPI permissions for Windows 2000 permissions in the following circumstances: When communicating with MAPI-based client applications, such as Microsoft Outlook. In this case, Exchange converts the permissions to MAPI permissions when displaying them to the user. If the user modifies the permissions, Exchange converts them back to Windows 2000 permissions to save them.

345 When replicating data to Exchange 5.5 servers in a deployment that contains coexisting servers that run Exchange 5.5 and servers that run Exchange 2003. Because Exchange 5.5 servers only use MAPI permissions, Exchange 2003 replicates permissions to them in the MAPI format. When the permissions replicate back to Exchange 2003 servers, Exchange 2003 converts them to the Windows 2000 format before saving them. Note Both of these circumstances apply to mailboxes and to public folders in the Public Folders tree (and all the folders and messages contained in it). Folders and messages in general-purpose public folder trees cannot be accessed by MAPI-based clients and are not replicated to Exchange 5.5 servers. Therefore, Exchange always uses Windows 2000 permissions with these folders and messages. For more information about the differences between the Public Folders tree and general-purpose public folder trees, see "Configuring Public Folder Stores." Exchange handles all conversions between Windows 2000 permissions and MAPI permissions automatically. However, as an administrator, be aware that when you use Exchange System Manager to set permissions, you may have to work with either Windows 2000 permissions or MAPI permissions, depending on the type of object you are securing.

Using Mailbox Permissions

When you create a new mailbox, Exchange uses information from the mailbox store to create the default permissions for the new mailbox. The default folders in the new mailbox inherit permissions from the mailbox itself. Users can modify the permissions on folders in their mailbox using Outlook. Outlook uses MAPI permissions, which Exchange automatically converts to Windows 2000 permissions when it is storing the changes. Although you can use Exchange System Manager to delete or move mailboxes, you cannot use it to access mailbox content or mailbox-related attributes of the user. Use Active Directory Users and Computers to perform administrative tasks on the Exchangerelated attributes of user objects. Additionally, you must use Active Directory Users and Computers to give users permission to access the mailbox itself.

346

Designating a User as a Mailbox Delegate

For administration and troubleshooting purposes, sometimes you have to access a user's mailbox. There also may be occasions where it is appropriate for a second user to have access to a mailbox. This second user is referred to as a mailbox delegate. You can give users delegate permissions for a mailbox by modifying the Active Directory user account that is associated with the mailbox. Use Active Directory Users and Computers for this task. You can give different levels of access to the mailbox: If you give the second user the access level of Full Mailbox Access, Exchange treats that user as the mailbox owner. The second user does not need any other permissions on folders in the mailbox. Important Always use care when modifying permissions. An unscrupulous user with Full Mailbox Access to other users' mailboxes can cause damage to the mailboxes or their contents. If you give the second user an access level other than Full Mailbox Access, the original mailbox owner can use Outlook to set permissions for the second user on folders in the mailbox.

To give someone access to another user's mailbox, you must have the appropriate permissions to modify user objects in Active Directory (see the Windows Help for more information about these permissions). For detailed steps about how to give a user full access to another user's mailbox, see "How to Give a User Full Access to Another User's Mailbox" in Working with the Exchange Server 2003 Store. For detailed steps about how to give a user the ability to send mail on behalf of another user, see "How to Use Outlook to Give a User the Ability to Send Mail on Your Behalf" and "How to Use Active Directory Users and Computers to Give a User the Ability to Send Mail on Behalf of Another User" in Working with the Exchange Server 2003 Store. In this situation, the second user does not need permissions on the mailbox itself or items in the mailbox.

347

How to Give a User the Ability to Send Mail on Behalf of a Public Folder
To give a user the ability to send mail on behalf of a public folder, perform the following procedure.

Procedure
To give a user the ability to send mail on behalf of a public folder 1. In Exchange System Manager, under Folders, right-click the public folder for which you want to give a user the ability to send mail, and then click Properties. 2. Click Exchange General, and then click Delivery Options. 3. Click Add to specify a user. 4. You may have to make additional modifications if the following conditions are true: The user's mailbox resides in a domain that is different from the public folder's domain. The user's mailbox resides on a server that is located in a site that does not contain any domain controllers for the domain that hosts the public folder.

Use one of the following additional steps: Add the Exchange Domain Servers security group of the child domain with Read permissions to the ACL of the Microsoft Exchange System Objects container in the parent domain. This method is the recommended method for working around this problem.

5. Move one domain controller from the parent domain to the user's Exchange 2003 site.

348

Using Public Folder Permissions

Controlling access to public folders is more complex than controlling access to mailboxes. This section presents information that will help you understand: The different types of permissions that can be set on public folders. What you must consider when you work with client permissions. Read this section before you modify client permissions. What you must consider when setting public folder permissions in an environment where Exchange 2003 and Exchange 5.5 servers coexist. How to designate a user as a public folder delegate. The minimum permissions that are required for mail-enabled public folders to function correctly.

Understanding the Three Types of Public Folder Permissions

You can control access to public folders using the following types of permissions: Client permissions These settings control who can use client applications to access folders and messages. By default, all users have permissions to read and write content in the public folder. You can change permissions for all users or create different permissions for specific users. The default client permissions do not include the Exchange administrative roles (Exchange Full Administrators, Exchange Administrators, or Exchange View Only Administrators). Depending on the type of public folder that you are working with, you may see different forms of the client permissions. Folders in the Public Folders tree use MAPI permissions. Folders in general-purpose public folder trees use Windows 2000 permissions.

349 Directory rights These settings are normal Active Directory permissions, and control who can change the e-mailrelated attributes of a mail-enabled public folder. Exchange stores these attributes in Active Directory, in the public folder's directory object in the Microsoft Exchange System Objects container. The default directory permissions include extensive permissions for the domain local Administrators group. Typically, any user who you have assigned to one of the Exchange administrative roles is a member of this group. Administrative rights These settings control who can use Exchange System Manager (or a custom administration program) to change the replication, limits, and other settings for a public folder. Some of these permissions are inherited from the public folder store and include permissions for the Exchange administrative roles. These permissions are Windows 2000 permissions, although they reside only in the public folder store.

If you are working with a public folder tree that has multiple levels of public folders, you can modify client permissions or administrative rights for a single folder, and you can use the Propagate Settings command to propagate the changes to all subfolders of that folder. To propagate client permissions, use Propagate Settings with the Folder rights option. To propagate administrative rights, use Propagate Settings with the Administrative rights option.

Special Considerations for Working with Client Permissions

When you use Exchange System Manager to view client permissions for a public folder, the information that you see can depend on what type of folder tree you are working with. You also have access to different views of the same information. The procedures in this section provide information about how to use and how not to use the different views. Important Always use care when modifying permissions. An unscrupulous user with Owner permissions on a public folder can cause damage to the folder or its content, or can run malicious scripts. For detailed steps about how to give a user full access to view permissions that control client access to a public folder, see "How to View

350 Permissions That Control Client Access to a Public Folder" in Working with Store Permissions in Exchange 2000 and 2003. After clicking Client Permissions, one of two different dialog boxes appears, depending on the type of public folder tree with which you are working: If you are working with a folder in the Public Folders tree, you see a dialog box that contains MAPI permissions and roles. Client Permissions dialog box for a public folder in the Public Folders tree

If you are working with a folder in a general-purpose public folder tree, you see a dialog box that contains Windows 2000 permissions, users, and groups.

351 Permissions dialog box for a public folder in a general-purpose public folder tree

You can also use Exchange System Manager to view the Windows 2000 version of the permissions on a folder in the Public Folders tree. Caution Although you can view the Windows 2000 version of the Public Folders tree permissions, do not try to edit the permissions in this view. The Windows user interface that displays the permissions formats the ACL in such a way that Exchange will no longer be able to convert the permissions to their MAPI form. If this problem occurs, you will no longer be able to use Outlook or the regular Exchange System Manager dialog boxes to edit the permissions.

352 For detailed steps about how to give a user full access to another user's mailbox, see "How to View the Windows 2000 Version of MAPI Permissions" in Working with Store Permissions in Exchange 2000 and 2003.

Special Considerations for Coexisting Exchange 2003 and Exchange 5.5 Servers
If your deployment includes both Exchange 2003 and Exchange 5.5 servers, you have an additional level of complexity to deal with when managing permissions, especially public folder permissions. Although the information that follows is technical, you must know about these details to make sure that your mixed-mode deployment operates smoothly. For a more detailed explanation of how Exchange passes access control information between Exchange 2003 and Exchange 5.5 servers, see Public Folder Permissions in a Mixed-Mode Microsoft Exchange Organization. The important points in the article that relate to managing public folder permissions are the following: Before any data can be replicated between Exchange 2003 and Exchange 5.5 servers, any users or groups that have mailboxes on the Exchange 5.5 servers must have accounts in Active Directory. If the user or group account has only an Active Directory account (not a Microsoft Windows NT 4.0 account), the Active Directory account is an enabledaccount. If the user or group has a Windows NT 4.0 account, the Active Directory account is a disabled account. This disabled account, created using the Active Directory Migration Tool, is a placeholder that associates an Active Directory security identifier (SID) with the existing Windows NT 4.0 account. Important If you plan to maintain user accounts in Windows NT 4.0 for a while and then fully migrate those accounts to Active Directory, you must create disabled accounts that have a SID history. The Active Directory Migration Tool can migrate the Windows NT 4.0 SID into the sidHistory attribute of

353 the newly disabled account in Active Directory. If you enable the accounts at a later date, Exchange can use the SID history information to determine where newly enabled accounts have replaced Windows NT 4.0 accounts in access control entries (ACEs). For more information about this process, see Microsoft Knowledge Base Article 316047, "XADM: Addressing Problems That Are Created When You Enable ADCGenerated Accounts." Exchange 5.5 uses MAPI-based permissions, identifies users and groups by their distinguished names in the Exchange Directory, and uses a property named ptagACLData to store access control information. Exchange 2003 uses two additional properties, ptagNTSD and ptagAdminNTSD, to store access control information. When Exchange 2003 replicates access control information to an Exchange 5.5 server, it does the following: a. Converts the Active Directory security identifiers (SIDs) of users and groups to Exchange Directory distinguished names. b. Converts the Windows 2000 permissions to MAPI permissions. c. Stores the converted access control information in ptagACLData.

d. Replicates ptagNTSD, ptagAdminNTSD, and ptagACLData to the Exchange 5.5 server. When an Exchange 2003 server receives data replicated by an Exchange 5.5 server, it does the following: a. Discards the incoming values of ptagNTSD and ptagAdminNTSD. This step protects against any changes that may have been made to these properties while they were under the control of Exchange 5.5. b. Extracts the user and group distinguished names from ptagACLData and converts them to Active Directory SIDs. c. Extracts the permissions from ptagACLData and converts them to Windows 2000 permissions.

d. Stores the converted access control information in ptagNTSD. (The original value of ptagAdminNTSD remains unaffected.) e. Discards the value of ptagACLData, unless a problem occurred during the conversion in Step b or Step c. If a conversion problem occurs, Exchange 2003 keeps the ptagACLData value.

354 Exchange 5.5 applies permissions to folders. You cannot assign permissions to individual messages (item-level permissions) explicitly, as you can with Exchange 2003. If you are replicating folders and their contents from Exchange 5.5 to Exchange 2003, do not try to set explicit permissions on messages. Exchange 2003 manages permissions so that the messages are secure, but if you try to change the message permissions in this situation, the changes will be lost in the next replication cycle.

Designating a User as a Public Folder Delegate

You can configure a mail-enabled public folder so that a user can send mail on the public folder's behalf. For example, if the folder serves as a shared storage location or workspace for a group of users, one user can send notifications to the group. A custom application can also perform such a function, if you created an account for it to use. For detailed steps about how to give a user the ability to send mail on behalf of a public folder, see "How to Give a User the Ability to Send Mail on Behalf of a Public Folder".

Maintaining the Minimum Permissions Required for Mail-Enabled Public Folders

If you modify the default client permissions and roles on a mail-enabled public folder, make sure you maintain the Contributor role for the Anonymous account. Otherwise, mail sent to the public folder will be returned as undeliverable. When the public folder receives e-mail from a user who has no permissions on the folder, it treats the mail as a message posted using the Anonymous account.

355 Note This is a change from Exchange 5.5, where the default role of the Anonymous account was None.

Maintaining the Minimum Permissions Required for Mailbox Stores and Public Folder Stores
If you modify the default permissions on Exchange Server 2003 mailbox stores and public folder stores, make sure you maintain the following minimum permissions: Administrators group Full Control Authenticated Users group Read and Execute, List Folder Contents, and Read Creator Owner None Server Operators group Modify, Read and Execute, List Folder Contents, Read, and Write System account Full Control

You may experience difficulties in mounting the mailbox stores or public folder stores if you do not maintain these permissions for these groups and accounts. The following error messages and events indicate that the accounts and groups in the previous list do not have the correct permissions: An internal processing error has occurred. Try restarting Exchange System Manager or the Microsoft Exchange Information Store service, or both. MAPI or an unspecified service provider. ID no: 00000476-0000-00000000. Information Store (2520) An attempt to determine the minimum I/O block size for the volume "[drive:\]" containing "[drive:\]Exchsrvr\Mdbdata\" failed with system error 5 (0x00000005): "Access is denied." The operation will fail with error 1032 (0xfffffbf8). Error 0xfffffbf8 starting Storage Group [dn of storage group] on the Microsoft Exchange Information Store.

356 The MAPI call 'OpenMsgStore' failed with the following error: The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server computer is down for maintenance. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-052600000000.

Problems may occur when mounting public folder stores if you have cleared the Allow inheritable permissions from parent to propagate to this object option for the public folder hierarchy. The following error messages indicate that you have cleared this option: The store could not be mounted because the Active Directory information was not replicated yet. The Microsoft Exchange Information Store service could not find the specified object. ID no: c1041722

For detailed steps about how to restore the permissions that Exchange requires, see"How to Restore the Permissions that Exchange Requires".

How to Restore the Permissions that Exchange Requires

Modifying the default permissions on Exchange Server 2003 mailbox stores and public folder stores can cause errors. To restore the permissions that Exchange requires, perform the following procedure.

Procedure
To restore the permissions that Exchange requires 1. In Exchange System Manager, right-click the public folder tree, and then click Properties. 2. In the Properties dialog box, click the Security tab, click Advanced, and then select Allow inheritable permissions from parent to propagate to this object.

357 3. Wait for Active Directory to replicate the change to all the domain controllers. 4. Right-click the public folder store, and then click Mount Store.

Managing Storage Groups and Stores

The Exchange store uses two types of databases: Mailbox stores Public folder stores

These databases (or stores) are organized into storage groups. All the databases in a storage group share a single set of transaction log files, a single backup schedule, and a single set of logging and backup-related settings. Exchange System Manager lists the storage groups for each server, and the mailbox stores and public folder stores in those storage groups. To view stores and storage groups in Exchange System Manager, expand the server node in the Exchange System Manager console tree. The following figure shows the mailbox and public folder stores in the First Storage Group of a single server.

358 Store information in Exchange System Manager

If you are using Exchange Server 2003 Standard Edition, each Exchange server can have one storage group, which contains one mailbox store and one public folder store. If you are using Exchange Server 2003 Enterprise Edition, each server can have up to four storage groups, each of which up to five databases (either mailbox stores or public folder stores). Using either Exchange Server 2003 Standard Edition or Exchange Server 2003 Enterprise Edition, you can create a Recovery Storage Group in addition to your other storage groups. Use this special storage group to recover mailbox data when restoring data from a backup. For more information about how to configure and use a Recovery Storage Group, see "Setting Up a Recovery Storage Group" in Using Recovery Storage Groups in Exchange Server 2003. You can use multiple mailbox stores to increase the reliability and recoverability of your Exchange organization. If the users are spread across multiple mailbox stores, the loss of a single store affects only a subset of the users instead of the whole organization.

359 Additionally, reducing the number of users per store reduces the time that you need to recover a damaged store from a backup. Note Increasing the number of mailbox stores on a server can increase the server resources consumed relative to the resources consumed for the same number of users in a single store. However, the benefits of using multiple stores typically outweigh the resource costs. You can use multiple public folder stores to spread public folders across multiple servers. You can put multiple replicas of the same folder on several servers, to increase the system's ability to handle user traffic. If you have multiple routing groups, you may want to distribute folders among the routing groups so that users have easy access to the folders that they use most frequently. This section includes information about the following: For each storage group, how to configure settings for the transaction logs. For each storage group, how to overwrite deleted data during backups. How to add new storage groups. How to mount or dismount stores. For each store, how to move the database files out of the system directory. This task is the same for mailbox stores and public folder stores. For each store, how to configure maintenance and backup options. These tasks are the same for mailbox stores and public folder stores. How to create and configure mailbox stores. These tasks are specific to the type of store that you are working with. How to create and configure public folder stores. These tasks are specific to the type of store that you are working with.

360

Configuring Transaction Logs for a Storage Group

The most important aspect of a storage group is its transaction logs. Even if you use only the default First Storage Group, you must consider your transaction log configuration to make sure that you can recover data if the stores are damaged. In the standard transaction logging that Exchange uses, each store transaction (such as creating or modifying a message) in a storage group is written to a log file and then to the store. When it is written to the log file, each transaction is labeled with an identifier that Exchange uses to associate the transaction with a particular store. In this manner, all the stores in a storage group share a single set of transaction logs. This process ensures that records of transactions exist if a store is damaged between backups. In many cases, recovering a damaged store means restoring the store from a backup, replaying any backed-up log files, and then replaying the most recent log files to recover transactions that were made after the last backup. Note For detailed information about how transaction logs work and how to recover store data in a variety of circumstances, see Disaster Recovery for Microsoft Exchange 2000 Server. Although existing functionality has not changed, Exchange Server 2003 has new recovery features. For more information about the new recovery features, see What's New in Exchange Server 2003What's New in Exchange Server 2003. When a log file reaches 5 megabytes (MB), it is renamed and a new log file is started. As the number of transactions grows, a set of log files is created. The set continues to grow until you run a full backup (also named a normal backup) or an incremental backup. As part of the backup process, old transaction logs are removed and the current log file becomes the first file of a new log file set. You can control the size of the log file set by using a regular schedule of backups. Using the Windows 2000 backup utility or a thirdparty backup product, you can back up any storage group or database whenever you prefer. You can perform four types of online backups on the Exchange store:

361 Full backup A full backup (named a normal backup in Windows Backup) backs up the store and transaction log files. After the backup, transaction log files in which all transactions are complete are deleted. Copy backup A copy backup backs up the store and transaction log files, but leaves the transaction logs in place. Incremental backup An incremental backup backs up the transaction logs and removes all transaction logs in which all transactions are completed. Differential backup A differential backup backs up the transaction logs, but leaves them in place. Important You can perform an incremental or differential backup only if you have previously performed a normal backup. If you must recover a store, you must recover the store itself from the last normal backup, and then you can recover log files from an incremental or differential backup. For detailed steps about how to configure transaction logs and choose other storage group options, see "How to Configure Transaction Logs and Choose Other Storage Group Options"

How to Configure Transaction Logs and Choose Other Storage Group Options
To configure transaction logs and choose other storage group options, perform the following procedure.

Before You Begin

Modifications to transaction log and storage group options can affect your ability to recover data. You should understand this impact before you make any configuration changes to transaction log or storage group options.

362

Procedure
To configure transaction logs and choose other storage group options In Exchange System Manager, right-click the storage group, and then click Properties. This figure shows the options that are available for configuring a storage group. The storage group Properties dialog box

For More Information

For detailed information about how transaction logs work and how to recover store data in a variety of circumstances, see Disaster Recovery for Microsoft Exchange 2000

363 Server. Although existing functionality has not changed, Exchange Server 2003 has new recovery features. For more information about the new recovery features, see What's New in Exchange Server 2003What's New in Exchange Server 2003.

Moving Transaction Log Files to a Separate Drive

When you install Exchange, Setup creates transaction log files and database files on the same drive. You can significantly improve the performance and fault tolerance of an Exchange server by placing its transaction log files and database files on separate drives. Because these files are critical to the operation of a server, the drives must be protected against failure, ideally by hardware mirroring using redundant array of independent disks (RAID). It is recommended that you use RAID 1, RAID 0+1, or RAID 10. Use the NTFS file system for transaction log drives. For optimum performance, the set of transaction logs for each storage group must be placed on a separate drive. Because each storage group has its own set of transaction logs, the number of dedicated transaction log drives for your server should equal the number of planned storage groups. Although you can put multiple sets of transaction logs on the same drive, if you do so server performance may decline significantly. Tip Distribute your database drives across many Small Computer System Interface (SCSI) channels or controllers, but configure them as a single logical drive to minimize SCSI bus saturation. An example disk configuration is as follows: C:\ System and boot (mirror set) D:\ Pagefile E:\ Transaction logs for storage group 1 (mirror set) F:\ Transaction logs for storage group 2 (mirror set) G:\ Database files for both storage groups (multiple drives configured as hardware stripe set with parity)

364 For detailed steps about how to configure new locations for the transaction logs, see "How to Configure New Locations for the Transaction Logs."

How to Configure New Locations for the Transaction Logs

To optimize Exchange server performance by relocating the set of transaction logs for each storage group on a separate drive, perform the following procedure.

Procedure
To configure new locations for the transaction logs 1. In Exchange System Manager, right-click the storage group, and then click Properties. 2. On the General tab, specify a new location for the files. For example, if the E:\ drive will contain only log files for this storage group, in Transaction log location, click Browse, and then choose the E:\ drive..

Using Circular Logging

Circular logging overwrites and reuses a single log file after the data that it contains has been written to the database. Circular logging is disabled by default. By enabling circular logging, you reduce drive storage space requirements. However, you cannot recover anything more recent than the last full (normal) backup, because the transaction logs no longer contain all the transactions that were completed since the last backup. Therefore, in a normal production environment, circular logging is not recommended.

365 Caution Using the Enable circular logging option prevents you from creating a set of log files, and you can restore only from your last backup. Reserve this option for storage groups that support Network News Transfer Protocol (NNTP) folders (in public folder stores), which do not require log files.

Overwriting Deleted Data During Backup

As with most applications, data that Exchange deletes is not actually removed from the disk. Although Exchange treats it as deleted data, it typically remains until it is overwritten by more recent data. If you want to make sure that deleted data is overwritten regularly, use the Zero out deleted database pages option. When this option is enabled, Exchange overwrites chunks of deleted data during the online backup process. Important Enabling the Zero out deleted database pages option can slow backup performance and increase the size of the database files. The option is turned off by default.

Adding a Storage Group

A storage group includes between one and five databases (mailbox stores and public folder stores) and one set of transaction log files for those databases. You may want to add a storage group when the following conditions are true: You want to have more than five databases on a particular server. For example, to improve the backup or recovery time for each mailbox store, you increase the number of mailbox stores and put fewer users in each store.

366 You have databases with different backup or restore requirements. For example, you have one database that you cannot afford to have offline for more than several hours, even if it must be completely reconstructed.

For detailed steps about how to create a new storage group, see "How to Create a New Storage Group."

How to Create a New Storage Group

To create a storage group in an Exchange server, perform the following procedure.

Procedure
To create a new storage group 1. In Exchange System Manager, right-click the server where the new storage group will reside, point to New, and then click Storage Group. 2. When prompted, type a name for the storage group. Exchange provides default values for Transaction log location and System path location. You can change the defaults now, or you can change these values later.

Mounting or Dismounting Stores

A mounted store is a store that is operating normally and is available for user and administrator access. If the store is dismounted or offline, no users can access it and you may not be able to view or change all the store properties. Typically, Exchange mounts and dismounts stores automatically, if necessary. For example, if you move a store's database files to a new directory, the store will be dismounted automatically until the move is complete.

367 Under certain conditions, you may have to mount or dismount stores manually. For example, you can configure stores so that, if the server restarts, the store must be mounted manually. That way you can check the server for problems before allowing users to access the store again. For more information, see "Configuring Store Maintenance and Backup Options". The Mount Store and Dismount Store commands are available in the Action menu for each store that appears in Exchange System Manager. Note If you do not have permissions on a particular store, the store may appear to be dismounted in Exchange System Manager when it is actually running. This may occur if you are using a distributed administration model, with multiple administrative groups with separate administrators. Each administrator will only be able to interact with the stores in that administrator's own administrative group.

Moving Store Files to a New Directory

When you install Exchange, Setup creates database files on the same drive as the Exchange program files. To obtain better performance and more storage space, you can move the Exchange databases (mailbox stores and public folder stores) out of the default drive or directory. The stores are dismounted automatically during the move, and will not be available to users. Tip Distribute your database drives across many SCSI channels or controllers, but configure them as a single logical drive to minimize SCSI bus saturation. When you move a store, remember the following: Use Exchange System Manager on the server on which the stores reside to move the .edb and .stm database files of the stores. Moving these files requires that you specify new file locations on the Database tab of the Properties dialog box (see Figure 7.9 in the next section). Perform a normal backup when the move is complete. This process backs up and removes existing transaction log files, and simplifies future recovery operations.

368 For more information about recovery operations and transaction log files, see Disaster Recovery for Microsoft Exchange 2000 Server.

Configuring Store Maintenance and Backup Options

The maintenance processes and backup options are the same for mailbox stores and public folder stores. You can check and configure these options on the Database tab of the store that you want to check or configure.

369 The Database tab for a mailbox store

The Database tab for a mailbox store includes the following maintenance and backup options. Maintenance interval Specifies the schedule for the automatic database maintenance process. This process: Checks that none of the storage limit settings have been exceeded on any mailbox or public folder. Sends mail to the administrator or the mailbox owner if storage limits have been exceeded. Checks for deleted items that have been retained for the time configured for the store.

370 Checks for and deletes expired items in the folders if age limits have been set on any public folders. Because this process can consume significant server resources, it is a good idea to schedule it to run during off-peak hours. Note For more information about the settings that the maintenance process enforces, see "Configuring the Default Mailbox Limits," "Configuring the Default Public Folder Limits," and "Configuring Limits on a Specific Public Folder Replica." Do not mount this store at start-up When this option is selected, the mailbox store does not mount automatically when Exchange is started. By default, this check box is cleared. This database can be overwritten by a restore Do not use this option for normal restore operations. Select this option only if a restore operation fails with an error that indicates the database cannot be overwritten. By default, this option is not selected.

Configuring Mailbox Stores

Mailboxes are the delivery location for all incoming mail messages for a designated owner. A mailbox can contain messages, message attachments, folders, documents, and other files. Information in a user's mailbox is stored in a mailbox store on an Exchange server. The following figure shows a list of the mailboxes on a single mailbox store.

371 Mailbox store information in Exchange System Manager

Mailboxes inherit many of their properties (such as storage limits) from the mailbox store. You can create different mailbox stores for different groups of users. For example, you may put mailboxes for workers in one store and mailboxes for executives in another store, and give the executives double the normal storage limits by configuring the store instead of configuring the individual mailboxes. This section describes the following: The relationship between a mailbox store and its associated public folder store. Single instance storage of messages (when it applies and when it does not). How to add a mailbox store. How to configure the default mailbox storage limits and the length of time that deleted items and mailboxes will be retained. How to control mailbox store settings with system policies. Interfaces to use for monitoring mailbox store activity.

372 For information about configuring the store for full-text indexing updates, see "Using Exchange Server 2003 Full-Text Indexing" in Working with the Exchange Server 2003 Store.

Linking Mailbox Stores and Public Folder Stores

Each mailbox store must be associated with a public folder store. You specify the public folder store when you create a mailbox store. The public folder store that is installed by default on each server supports the Public Folders tree (also named the MAPI public folder tree). You can have only one Public Folders tree in your Exchange organization, and it is associated with each server's default public folder store. Note Using the default public folder store on the same server as the mailbox store may improve performance when users access public folders, and may make it easier to troubleshoot public folder access problems. For more information about public folder trees and the default public folder store, see Configuring Public Folder Stores and Managing Public Folders.

Understanding Single Instance Message Storage

To help control the size of the mailbox stores, Exchange supports single instance message storage. This means that when a message is sent to more than one mailbox in the same store, only one instance of the message is stored, in one mailbox. The other mailboxes contain pointers to the stored message.

373 If the message is sent to mailboxes in a different mailbox store, the message is written one time to each mailbox store. Single instance storage may not be maintained when a mailbox that contains a message is moved to a server that contains a mailbox store with the same message. Tip To maximize single instance message storage, put similar users in the same mailbox store, such as users in the same department who use Reply All or users who send large attachments to one another frequently.

Adding a Mailbox Store

For detailed steps about how to create a new mailbox store, see "How to Create a New Mailbox Store." For more information about creating mailboxes, see Managing Mailboxes.

How to Create a New Mailbox Store

To create a new mailbox store on an Exchange server, perform the following procedure.

Procedure
To create a new mailbox store 1. In Exchange System Manager, right-click the storage group where the new store will reside, point to New, and then click Mailbox Store. 2. When prompted, type a name for the mailbox store. Exchange automatically selects a default public store (associated with the Public Folders tree) and offline address book (which users will download for offline use)

374 for your new mailbox store. You can modify these options now or later by right-clicking the mailbox store and clicking Properties. The following figure shows the properties of a mailbox store. The General tab for a mailbox store

375

Configuring the Default Mailbox Limits

Using the limits settings in the Limits tab, you can control the maximum size of mailboxes in the mailbox store and control how deleted items are handled. You can access the limits settings on the Limits tab of the mailbox store's Properties dialog box. The Limits tab for a mailbox store

376 Note For an individual user, you can override the store's limits settings by using Active Directory Users and Computers to configure limits settings for the user. The following table describes the possible limits that can be set for a mailbox store. By default, no limits are set. Options available on the Limits tab for a mailbox store
Option Description

Issue warning at (KB)

When a user's mailbox exceeds the specified size limit, the user receives an email alert to delete messages from the mailbox. By default, this option is not selected. When a user's mailbox exceeds the specified size limit, the user receives an email alert to delete messages from the mailbox. Additionally, the user cannot send e-mail messages until the mailbox size is reduced below the specified limit. By default, the option is not selected. When a user's mailbox exceeds the specified size limit, the user receives an email alert to delete messages from the mailbox. Additionally, the user cannot send e-mail messages until the mailbox size is reduced below the specified limit, and incoming e-mail messages are returned to the sender with a non-delivery report (NDR).

Prevent send at (KB)

Prevent send and receive at (KB)

377
Option Description

Warning message interval

Use this drop-down list to schedule when warning messages are generated. You can select one of the standard maintenance schedules, or click Customize to set up your own schedule. This process is CPU-intensive and diskintensive, and can slow server performance. It is a good idea to schedule maintenance of this type at off-peak times.

Keep deleted items for (days)

You can designate the number of days that deleted items (such as e-mail messages) remain on the server before they are removed permanently. You can type a number from 0 to 24855. If you type 0, deleted items are removed from the server immediately. As long as deleted items remain on the server, Outlook users can retrieve them using Outlook's Recover Deleted Items function.

Keep deleted mailboxes for (days)

You can designate the number of days that deleted mailboxes remain on the server before they are removed permanently. After this value is set, you have the specified number of days to recover mailboxes that were deleted by accident. You can type a number from 0 to 24855. If you type 0, deleted mailboxes are removed from the server immediately.

Do not permanently delete mailboxes and items until the store has been backed up

You can keep deleted mailboxes and items on the server until a backup is performed. After a backup is performed, mailboxes and items are deleted, according to the settings that you specified.

378

Setting Up Mailbox Store Policies

You can create policies to manage mailbox stores in the same way that you create other system policies. For detailed information about all types of system policies, see Using System Policies. You can set the following options using policies: General tab Default public store Offline address list Archive all messages sent or received by mailboxes on this store Clients support S/MIME signatures Display plain text messages in a fixed-size font

Database tab Maintenance interval

Limits tab Issue warning at (KB) Prevent send at (KB) Prevent send and receive at (KB) Warning message interval Keep deleted items for (days) Keep deleted mailboxes for (days) Do not permanently delete mailboxes and items until the store has been backed up

Full-Text Indexing tab Update interval

379 Use the System Policies node in Exchange System Manager to create and apply policies. After you create a mailbox store policy, you can apply that policy to one or more mailbox stores on any server. Note You can only apply a policy to a store if you have permissions to modify that store. If you are using a distributed administration model, with multiple administrative groups that have separate administrators, each administrator will only be able to interact with the stores in that administrator's own administrative group. For detailed steps about how to apply a policy to one or more mailbox stores, see "How to Apply a Policy to One or More Mailbox Stores"

How to Apply a Policy to One or More Mailbox Stores

To apply a policy to one or more mailbox stores, perform the following procedure.

Before You Begin

You can only apply a policy to a store if you have permissions to modify that store. If you are using a distributed administration model, with multiple administrative groups that have separate administrators, each administrator will only be able to interact with the stores in that administrator's own administrative group.

Procedure
To apply a policy to one or more mailbox stores 1. In Exchange System Manager, right-click the policy, and then click Add Mailbox Store. 2. Select the appropriate stores. 3. After you have applied the policy, the options that the policy controls are no

380 longer available in the mailbox store's Properties dialog box. This design prevents local settings from overriding the policy. For a list of all the policies that are applied to a particular mailbox store, view that mailbox store's Policies tab.

Monitoring Mailbox Store Activity

Exchange System Manager provides up-to-date information about items in the mailbox store. You can use this information for troubleshooting system problems, or evaluating whether the system requires tuning or reconfiguring. For example, the following figure shows the list of mailboxes in a mailbox store, the users who have been accessing those mailboxes, and the size of the mailboxes. Except where noted, Exchange View Only Administrators can access this information. Mailbox store information in Exchange System Manager

381 The following table lists the status information that is available for each of the nodes under the mailbox store. To display different columns of information in the right pane, click the node that you want to view. On the View menu, click Add/Remove columns, and then select the types of information that you want to display. For a detailed listing of the available columns, see "Administer a Mailbox Store" in the Exchange Server 2003 Help. Status information for a mailbox store
Node Status Information

Logons

Users who are currently logged on to their mailboxes, and their activities. Use this information to look for mailbox users who are atypically active or inactive. The Total Ops column is especially useful for this purpose. You must be at least an Exchange Administrator to view this information.

Mailboxes

Current mailboxes in the store. Although this node provides information about mailboxes, it does not provide access to the messages in the mailboxes. You must be at least an Exchange Administrator to view this information.

Full-Text Indexing

Status of current full-text indexes.

You can also use the Windows Performance application to monitor activity related to the mailbox store. The following counters (available on the MSExchangeIS Mailbox performance object) provide especially useful information: Average Delivery Time Local delivery rate Logon Operations/sec Folder opens/sec Message Opens/sec

382 Message Delivered/min Messages Sent/min Message Submitted/min Receive Queue Size

For more information about how to use these counters, see the Windows Performance Help.

Configuring Public Folder Stores

A public folder store holds information associated with a particular public folder tree, such as how the tree is structured and what folders the tree contains. It also holds public folder content. Each new Exchange server has one default public folder store (named Public Folder Store). This store supports the Exchange default public folder tree, which is named Public Folders in Exchange System Manager and All Public Folders in Outlook, and is sometimes named the MAPI public folder tree. Users can access this tree with MAPIbased clients, such as Outlook, and with HTTP-based clients, such as Microsoft Outlook Web Access. There is only one Public Folders tree in each Exchange organization, and all the default public folder stores replicate this tree and its content among themselves. You can create new public folder trees, named general-purpose public folder trees, (also named non-MAPI public folder trees). Users can access folders in general-purpose trees using Web-based clients, NNTP clients, and standard Windows applications in which the folders are mapped as network drives using WebDAV. Use general-purpose public folder trees as file repositories for departments, groups, or projects. For more information, see Configuring a New Public Folder Tree and Public Folder Store. If you create a new public folder tree, you can then create an additional public folder store to support that tree. Each server can only have one store for each public folder tree. In other words, the server can have multiple public folder stores if each store supports a different public folder tree. For more information, see Creating a New Public Folder Store for an Existing Public Folder Tree.

383 The following figure shows an example of a set of public folder servers that support multiple trees: Each server has a Public Folder Store, which supports the Public Folders tree. Two servers also support a second public folder tree. These servers run one public folder store per tree.

Multiple public folder trees, each spread across multiple servers

If you try to create a public folder store without an available public folder tree, you receive the following error message: All the public folder trees already have an associated public store on the server. You must create a new public folder tree before creating this new public folder store. The following figure shows where to find public folder store information in Exchange System Manager.

384 Public folder store information in Exchange System Manager

This section describes the following: Functions of the Public Folder Store, especially when it is associated with a mailbox store. How to add a public folder store when you work with an existing public folder tree. How to configure a new public folder tree and public folder store. How to configure the default public folder storage limits: Maximum size of public folders and of individual items in the folders. Length of time deleted items are retained. Age limits for items in public folders.

How to control public folder store settings with system policies. Interfaces to use for monitoring public folder store activity.

For information about configuring the store's options for the default public folder replication interval, see "Controlling Exchange Server 2003 Public Folder Replication" in Working with the Exchange Server 2003 Store.

385

Understanding the Relationship Between Mailbox Stores and Default Public Folder Stores
Each mailbox store is associated with a default public folder store, either on the local server or another server. For each mailbox-enabled user who is supported by a particular mailbox store, the associated public folder store is the user's homepublic folder store. If you can, use the default public folder store on the same server as the mailbox store. This improves performance when users access public folders, and may make it easier to troubleshoot public folder access problems.

Creating a New Public Folder Store for an Existing Public Folder Tree
A tree can have multiple stores when each store exists on a separate server. In such a configuration, Exchange replicates information among the stores to keep the tree consistent. For detailed steps about how to create a public folder store on a new server for an existing tree, see "How to Create a Public Folder Store on a New Server for an Existing Tree".

386

How to Create a Public Folder Store on a New Server for an Existing Tree
To create a public folder store on a new server for an existing public folder tree, perform the following procedure.

Procedure
To create a public folder store on a new server for an existing tree 1. In Exchange System Manager, on a server that does not already have a store for the tree with which you are working, right-click a storage group, point to New, and then click Public Store. 2. When prompted, select the existing tree that you want to use for this store, and then finish creating the store. 3. In Exchange System Manager, under the Folders node, locate the tree that you are working with and configure the folders that you want to replicate to the new store.

Configuring a New Public Folder Tree and Public Folder Store

In Exchange System Manager, each new public folder tree exists at the same level as the Public Folders tree. You must create the tree first, and then create the store. If you want multiple servers to support this tree, first create the tree, create a store associated with that tree on each server, and then configure folders to replicate. For more information, see "Controlling Exchange Server 2003 Public Folder Replication" in Working with the Exchange Server 2003 Store.

387 For detailed steps about how to create a new hierarchy and public folder store, see How to Create a New Hierarchy and Public Folder Store. When you have finished configuring this virtual server, Exchange automatically configures a corresponding Web site using Microsoft Internet Information Services (IIS). Users access the public folder with Outlook Web Access using this Web site. For more information about configuring HTTP virtual servers and IIS Web sites, see "Configuring Exchange 2003 for Client Access" in the Exchange Server 2003 Deployment Guide.

How to Create a New Hierarchy and Public Folder Store

To create a new public folder hierarchy and a new public folder store, perform the following procedure.

Procedure
To create a new hierarchy and public folder store 1. In Exchange System Manager, right-click the Folders node, point to New, and then click Public Folder Tree. 2. In the Properties dialog box (see the following figure), in the Name box, type a name for the new tree. The Properties dialog box for a new public folder tree

388

3. In Exchange System Manager, on the server that you want to host the new store, right-click a storage group, point to New, and then click Public Store. 4. On the new store's General tab (see the following figure), type a name for the new store and then, under Associated public folder tree, click Browse. The General tab for a new public folder store

389

5. In the Select a Public Folder Tree dialog box, choose a public folder tree. 6. In Exchange System Manager, under the node for the server that holds the new store, double-click Protocols, right-click HTTP, point to New, and then click HTTP Virtual Server. 7. When prompted, provide a name for the virtual server and select the new public folder tree.

For More Information

For more information, see "Controlling Exchange Server 2003 Public Folder Replication" in Working with the Exchange Server 2003 Store.

390

Configuring the Default Public Folder Limits

Use the limits settings to control the maximum size of public folders in the public folder store, the maximum size of messages in the public folders, and how deleted items are handled. You can access the limits settings on the Limits tab of the public folder store's Properties dialog box. The Limits tab for a public folder store

391 The following table describes the options that you can set on the Limits tab for a public folder store. Caution Do not set an age limit on folders that contain Contact or Calendar items. Note You can also set limits on individual public folders that override the store settings. If you use only the store settings, the same folder may have different limits on different servers. If you use individual folder settings, the limits are the same for all replicas of the folder. Options available on the Limits tab for a public folder store
Option Description

Issue warning at (KB)

When a folder exceeds the specified size limit, the administrator receives an e-mail alert to delete messages from the folder. You can type a number from 0 to 2097151. By default, this option is not selected.

Prevent post at (KB)

When a folder exceeds the specified size limit, the administrator receives an e-mail alert to delete messages from the folder. Additionally, no users can post messages to the folder until the folder size is reduced below the specified limit. You can type a number from 0 to 2097151. By default, this option is not selected.

Maximum item size (KB)

The maximum size for individual messages that can be posted to the folder. You can type a number from 0 to 2097151.

392
Option Description

Warning message interval

Use this drop-down list to schedule when warning messages are generated. You can select one of the standard maintenance schedules, or click Customize to set up your own schedule. This process is CPU-intensive and diskintensive, and can slow server performance. It is a good idea to schedule maintenance of this type at off-peak times.

Keep deleted items for (days)

You can designate the number of days that deleted items (such as messages in a folder) remain on the server, before they are removed permanently. You can type a number from 0 to 24855. If you type 0, deleted items are removed from the server immediately. Because items deleted from public folders are not held in a Deleted Items folder, if you set this option, you can recover deleted items without having to use a backup of the public folder.

Do not permanently delete items until the store has been backed up

You can keep deleted items on the server until a backup is performed. After a backup is performed, items are deleted, according to the settings that you specified. You can use this setting for folders that contain important information. For other folders, such as Newsgroup folders, you may want to leave this setting cleared to save storage space.

Age limit for all folders in this store (days)

The number of days after which items in this folder will be deleted automatically if they have not been modified.

393

Configuring Limits on a Specific Public Folder Replica

You can set additional age limits, which affect only a specific public folder replica. These limits override limits set on the folder (using the folder's Properties dialog box), but only in the public folder store where you set them. Other replicas of the public folder (on other servers) are not affected. For detailed steps about how to view these additional age limit settings, see "How to View Additional Age Limit Settings."

How to View Additional Age Limit Settings

To view or set age limits which affect only a specific public folder replica, perform the following procedure.

Procedure
To view additional age limit settings 1. In Exchange System Manager, under the public folder store node, click Public Folder Instances. 2. In the right pane, right-click the folder you want, and then click Replica Properties. The Replica Properties dialog box appears The Replica Properties dialog box for a public folder on a specific store

394

This dialog box lists all the limits that are applied to this folder instance: Age limit of all replicas of this folder (days) This is the limit (if any) that is set in the public folder's properties. Age limit of all folders on this public store (days) This is the limit (if any) that is set in the public folder store's properties. Effective age limit of this folder on this public store (days) This is the final value of the age limit for this replica.

3. To set a specific age limit for this folder replica, click Age limit of this folder on this public store (days) and type a value. Exchange automatically updates Effective age limit of this folder on this public store (days).

395

Setting Up Public Folder Store Policies

You can create policies to manage public folder stores in the same way that you create other system policies. You can set the following options using policies: General tab Clients support S/MIME signatures Display plain text messages in a fixed-size font

Database tab Maintenance interval

Replication tab Replication interval Replication interval for always (minutes) Replication message size limit (KB)

Limits tab Issue warning at (KB) Prevent send at (KB) Prevent send and receive at (KB) Warning message interval Keep deleted items for (days) Do not permanently delete items until the store has been backed up Age limit for all folders in this store (days)

Full-Text Indexing tab Update interval

For detailed steps about how to apply a policy to one or more public folder stores, see "How to Apply a Policy to One or More Public Folder Stores".

396 After you have applied the policy, the options that the policy controls are no longer available in the public folder store's Properties dialog box. For a list of all the policies that are applied to a particular public folder store, view that store's Policies tab. Note You can only apply a policy to a store if you have permissions to modify that store. If you are using a distributed administration model, with multiple administrative groups that have separate administrators, each administrator will be able to interact only with the stores in that administrator's own administrative group.

How to Apply a Policy to One or More Public Folder Stores

To simplify public folder store administration by applying public folder store policies, perform the following procedure.

Procedure
To apply a policy to one or more public folder stores 1. Use the System Policies node in Exchange System Manager to create and apply policies. After you create a public folder store policy, you can apply that policy to one or more public folder stores on any server. 2. In Exchange System Manager, right-click the policy, and then click Add Public Store. 3. Select the appropriate stores.

397

Monitoring Public Folder Store Activity

Exchange System Manager provides up-to-date information about items in the public folder store. You can use this information for troubleshooting system problems, or for evaluating whether the system must be tuned or reconfigured. For example, the following figure shows the list of public folders in a public folder store, and the location of each folder in the public folder tree. Except where noted later in this section, Exchange View Only Administrators can access this information. Public folder store information in Exchange System Manager

The following table lists the status information that is available in Exchange System Manager for a public folder store. To display different columns of information in the right pane, click the node that you want to view, click Add/Remove columns on the View menu, and select the types of information that you want to display. For a detailed listing of the columns that are

398 available for you to view, see "Administer a Public Folder Store" in the Exchange Server 2003 Help. Status information for a public folder store
Node Status Information

Logons

Users who are currently logged on to the public folders. Use this information to look for users who are atypically active or inactive. The Total Ops column is especially useful for this purpose. You must be at least an Exchange Administrator to view this information.

Public Folder Instances

Current public folder replicas in the store, and their replication configuration. Current public folders in the store. Although this node provides information about the folders, it does not provide access to messages in the folders.

Public Folders

Replication

Replication status of the public folders in this store. Status of current full-text indexes.

Full-Text Indexing

You can also use the Windows Performance application to monitor activity related to the public folder store. The following counters (available on the MSExchangeIS Public performance object) provide especially useful information: Average Delivery Time Folder opens/sec Message Opens/sec Message Delivered/min Receive Queue Size

For more information about how to use these counters, see the Windows Performance Help.

399

Managing Mailboxes
Mailbox information resides both in Active Directory (in mailbox-enabled user objects) and in mailbox stores. Although this section mentions ways to work with mailbox-enabled users in Active Directory, it focuses on the storage aspects of mailboxes: Creating a mailbox by mailbox-enabling a user in Active Directory Deleting mailboxes and removing them from the mailbox store Recovering deleted mailboxes Moving mailboxes from one store to another

Detailed procedures for working with mailbox-enabled users in Active Directory are described in Managing Recipients and Recipient Policies in Exchange Server 2003.

Creating a Mailbox
This section describes what occurs in the mailbox store when you create a mailbox. To create mailboxes, use Active Directory Users and Computers. You can create mailboxes in two ways: Create a new user You can create the mailbox as part of the process of creating a user. Create a mailbox for an existing user You can right-click a user, and then click Exchange Tasks to start the Exchange Task Wizard. Creating a mailbox is one of the tasks you can perform with this wizard.

The mailbox is not immediately accessible. Although Active Directory attributes for the mailbox are configured immediately, the attributes for the mailbox in the Exchange store are not configured completely until one of the following occurs: The user tries to access the mailbox.

400 Exchange receives a message that is addressed to the new mailbox. You may want to automatically send new e-mail users an introductory or hello message after their accounts have been configured, especially if the users may not be using Outlook.

Either of these events will trigger Exchange to finish configuring the mailbox in the store.

Deleting a Mailbox
There are two ways to make an Exchange mailbox unusable: Use Exchange System Manager to delete the mailbox. Delete a mailbox-enabled user from Active Directory. This makes the mailbox unowned. The mailbox still exists, but no user can access it.

Deleting a Mailbox Without Deleting the User

Use the Exchange Task Wizard to delete mailboxes. This wizard is available in both Exchange System Manager (right-click the mailbox to access the wizard) and Active Directory Users and Computers (right-click the user to access the wizard). The mailbox is not removed from the store immediately. The next time the mailbox management process runs, it marks the mailbox as deleted. The mailbox remains in the store, viewable using Exchange System Manager, for the length of time that is specified by the mailbox store settings Keep deleted mailboxes for (days) and Do not permanently delete mailboxes and items until the store has been backed up. After this time has passed (or after the store has been backed up), the mailbox will be purged automatically. After a mailbox has been marked as deleted, you can also purge it manually. In the mailbox listing, right-click the mailbox, and then click Purge. For more information, see the Exchange Server 2003 Help. Important After a mailbox has been purged, you cannot recover it, except from a backup of the mailbox store.

401

Deleting a User Without Deleting Mailbox Data

If you use Active Directory Users and Computers to delete a user, the mailbox information in the mailbox store is not deleted. The next time the mailbox management process runs, it marks the mailbox as unowned. Unowned mailboxes are purged automatically according to the store's Keep deleted mailboxes and items for setting. The default value is 30 days. You can also purge the mailbox from the store manually. For more information about purging mailboxes, see the Exchange Server 2003 Help.

Recovering a Mailbox
Deleted mailboxes can be recovered only by restoring them from a backup. However, mailboxes that belong to users who were deleted from Active Directory can be recovered by associating them with existing users who do not have mailboxes. This is named reconnecting the mailbox. When you reconnect a mailbox, Exchange presents a list of users from which you can choose. Even if you have re-created the original deleted user, the re-created user object has a different security ID (SID) and will not be recognized as the original user. The selected user becomes the new owner of the mailbox. Note In specific disaster recovery circumstances, you may have to remove Exchange attributes from a user object before reconnecting the Exchange mailbox. If Exchange-related attributes are present, Exchange may assume that the user already has a mailbox, and leave the user off of the list of possible users who you can associate with the mailbox. There are two methods for recovering mailboxes: Recover a single mailbox on a single mailbox store. Use the Reconnect command, which is available when you select the mailbox in Exchange System Manager. During the reconnect process, select the user who you want to associate with the mailbox. Use Mailbox Recovery Center to recover one or more mailboxes on one or more mailbox stores. You can export the mailbox properties to a file, and you can associate the mailboxes with users in Active Directory and reconnect the mailboxes.

For detailed instructions, see "How to Recover One or More Mailboxes on One or More Mailbox Stores".

402 For more detailed information about recovering mailboxes, including how to remove the mailbox stores from the Mailbox Recovery Center, see the Exchange Server 2003 Help.

How to Recover One or More Mailboxes on One or More Mailbox Stores

There are two methods for recovering mailboxes: Recover a single mailbox on a single mailbox store. Use the Reconnect command, which is available when you select the mailbox in Exchange System Manager. During the reconnect process, select the user who you want to associate with the mailbox. Use Mailbox Recovery Center to recover one or more mailboxes on one or more mailbox stores. You can export the mailbox properties to a file, and you can associate the mailboxes with users in Active Directory and reconnect the mailboxes.

To recover a mailbox by reconnecting it to an Active Directory account, perform the following procedure.

Before You Begin

A re-created Active Directory account has a different security ID (SID) and will not be recognized as the original account. Also, in specific disaster recovery circumstances, you may have to remove Exchange attributes from a user object before reconnecting the Exchange mailbox. If Exchange-related attributes are present, Exchange may assume that the user already has a mailbox, and leave the user off of the list of possible users who you can associate with the mailbox.

Procedure
To recover one or more mailboxes on one or more mailbox stores 1. In Exchange System Manager, expands Tools. 2. To choose a mailbox store to work with, right-click Mailbox Recovery Center and then click Add Mailbox Store.

403 3. If you want to export the mailbox properties, right-click the mailbox that you want to export, and then click Export. This is a useful way to store the mailbox properties if you do not intend to associate the mailbox with a user. 4. If you want a user to be able to access the mailbox, do the following to reconnect the mailbox: a. To associate a user with a mailbox, right-click the mailbox that you want to match to a user (or group), and then click Find Match. If a mailbox matches more than one user (or if no match exists), right-click the mailbox, and then click Resolve Conflicts. Follow the instructions in the Mailbox Conflict Resolution Wizard to identify a single matching user. b. To reconnect the mailbox, select the mailbox, right-click the selected mailbox, and then click Reconnect. 5. When you have finished reconnecting mailboxes, remove the mailbox stores from the Mailbox Recovery Center.

For More Information

For more detailed information about recovering mailboxes, including how to remove the mailbox stores from the Mailbox Recovery Center, see the Exchange Server 2003 Help.

Moving Mailboxes Using Exchange System Manager

You can move a mailbox to another store if necessary. Using Exchange Task Wizard select as many mailboxes as you want to move and then, using the task scheduler, schedule the move to occur at some time in the future. You can also use the scheduler to cancel any unfinished moves at a selected time. For example, you can schedule to move a large number of mailboxes at midnight on Friday and automatically end at 6:00 A.M. on Monday, thereby preventing your server's resources from being depleted during regular

404 business hours. Using the wizard's multithreaded capabilities, you can move up to four mailboxes at the same time. Note The following procedure describes how to move mailboxes using Exchange System Manager. You can also move mailboxes using Active Directory Users and Computers. For detailed instructions, see "How to Move Mailboxes from One Exchange Virtual Server to Another Server"

Managing Public Folders

This topic presents an overview of how Exchange classifies public folders and what those classifications mean when you are working with the folders. It provides detailed information about how you can configure public folders, and how you can tune public folder settings to make the best use of your system storage and performance capabilities.

Understanding Types of Public Folders

Depending on context, public folders can be referred to in different ways: Public folders or system folders Content replicas Mail-enabled or non-mail-enabled folders

405

Understanding Public Folders and System Folders

Each public folder tree contains two subtrees: Public folders (also known as the IPM_Subtree) Users can access these folders directly with client applications like Outlook. In its default configuration, Exchange System Manager displays these folders when you expand a public folder tree. System folders (also known as the Non IPM_Subtree) Users cannot access these folders directly. Client applications like Outlook use these folders to store information such as free and busy data, offline address lists, and organizational forms. Other system folders hold configuration information that is used by custom applications or by Exchange itself. The Public Folders tree contains extra system folders, such as the EFORMS REGISTRY folder, that do not exist in general-purpose public folder trees.

By default, Exchange System Manager displays public folders instead of system folders.

406 The Folders node in Exchange System Manager

Under normal operating conditions, you do not have to interact with system folders frequently. In Exchange System Manager, you can view the system folders for a specific public folder tree by right-clicking the public folder tree node and clicking View System folders.

407 Folders node in Exchange System Manager that displays the system folders

System folders include the following: EFORMS REGISTRY and Events Root By default, one content replica of each of these folders resides in the default public folder store on the first Exchange 2003 or Exchange 2000 server that is installed in the first administrative group. Site folders (OFFLINE ADDRESS BOOK and SCHEDULE+ FREE BUSY) In most respects, these folders function in the same manner as other public folders, with the following additions: Site folders exist only in the Public Folders tree. The OFFLINE ADDRESS BOOK folder and the SCHEDULE+ FREE BUSY folder automatically contain a subfolder for each administrative group (or site) in your topology. By default, a content replica of a specific administrative group folder resides on the first server that is installed in the administrative group. Each administrative group has a Site Folder Server, identified in the administrative group's object in Active Directory. By default, the first server in the site is a Site Folder Server. This server is responsible for making sure that site

408 folders exist. If you have to remove the Site Folder Server from the site, first make sure that the site folders have been replicated to a new server that can take over as the Site Folder Server. OWAScratchPad folders Each public folder store has an OWAScratchPad folder, which is used to temporarily store attachments that are being accessed with Outlook Web Access. Do not modify these folders. StoreEvents folders Each public folder store has a StoreEvents folder, which holds registration information for custom store events. Do not modify these folders. Other folders To support internal store operations, a tree may contain several other system folders. Do not modify these folders.

Understanding Content Replicas

Public folder stores replicate two types of public folder information: Hierarchy Properties of the folders and organizational information about the folders (including the tree structure). All stores that support a tree have a copy of the hierarchy information. For a specific folder, the store can use hierarchy information to identify the following: Permissions on the folder Servers that hold content replicas of the folder The folder's position in the public folder tree (including its parent and child folders, if any)

Content The messages that form the content of the folders. To replicate content, you must configure a folder to replicate its content to a specific public folder store or list of stores. Only the stores that you specify will have copies of the content. A copy of the folder that includes content is named a content replica.

When a client such as Outlook connects to a store and requests a folder (for example, when an Outlook user opens a folder): 1. The store checks that the client has the correct permissions to access the folder.

409 2. If the client has sufficient permissions, the store determines whether it has a content replica of the folder that it can connect the client to. 3. If the store has only the folder properties, it uses the properties to identify another public folder store that has a content replica, and then refers the client to that store. 4. The new public folder store checks that the client has correct permissions to access the folder, and then locates the content replica. Additional permissions checks occur when the client accesses individual content items. The previous scenario is simplified. For more information about how Exchange routes clients among the public folder stores, see Understanding Public Folder Referrals. For more information about permissions and access checks, see Working with Permissions for Public Folders and Mailboxes.

Understanding Mail-Enabled Folders

Mail-enabling a public folder provides an extra level of functionality to users. In addition to being able to post messages to the folder, users can send e-mail to, and sometimes receive e-mail from, the folder. If you are developing custom applications, you can use this feature to move messages or documents into or out of public folders. A mail-enabled folder is a public folder that has an e-mail address. Depending on how the folder is configured, it may appear in Address Book. Each mail-enabled folder has an object in Active Directory that stores its e-mail address, Address Book name, and other mail-related attributes. For more information about configuring mail-enabled folders, see Mail-Enabling a Public Folder. In Exchange 5.5, all public folders were mail-enabled. By default, their Exchange Directory objects were hidden and created in the Recipients container. In Exchange 2003, folders can be mail-enabled or not mail-enabled, depending on whether the Exchange organization is in mixed mode or native mode. The following table summarizes the default settings for public folders, depending on the type of configuration that you have.

410 Default mail-enabled settings

Tree Defaults in mixed mode Defaults in native mode

Public Folders tree

Mail-enabled. Hidden from Address Book.

Not mail-enabled. Can be mail-enabled, and is visible to Address Book by default. Not mail-enabled. Can be mail-enabled, and is visible to Address Book by default.

General-purpose trees

Not mail-enabled. Can be mail-enabled, and is visible to Address Book by default.

Note The mixed-mode defaults for the Public Folders tree support backward compatibility with Exchange 5.5. The Exchange 5.5 Administrator program requires a directory object for each public folder, and without one you cannot administer the folder from Exchange 5.5. If you mail-disable a folder in this tree, or if the Active Directory object is accidentally deleted or damaged, you will not be able to view the folder with Exchange 5.5 Administrator. You can mail-enable the folder again. Because mail goes directly to the public folder store instead of to a mailbox in the mailbox store, Exchange routes e-mail messages using a method that is slightly different from the method that it uses for e-mail messages that go to a regular mailbox. When it is choosing an initial public folder store, Exchange tries to determine which public folder store is "closest" to the server that has the incoming message. Exchange determines which public folder store is the "closest," based on the following order of preference: 1. The store on the local server. 2. A store on an Exchange 2003 or Exchange 2000 server in the local routing group. 3. A store on an Exchange 2003 or Exchange 2000 server in the local administrative group. 4. If the folder is in the Public Folders tree, a store on an Exchange 5.5 server in the local administrative group or site. 5. The store on the Exchange 2003 or Exchange 2000 server that appears first in the tree's list of servers. This will probably be the server that was added most recently.

411 6. If the folder is in the Public Folders tree, the store on the Exchange 5.5 server that appears first in the tree's list of servers. This situation is rare, and would only occur in a newly configured mixed-mode topology where configuration information may not have replicated completely. Note When it is selecting a public folder store, Exchange avoids selecting a public folder store that is less than two days old unless no other public folder store is available. In this way, Exchange avoids using a store to which all the hierarchy or content information has not yet replicated. This feature is new in Exchange 2003. If Exchange cannot locate an appropriate public folder store, it sends a non-delivery report (NDR) to the sender of the message. After the e-mail message has been delivered to a public folder store and the public folder store has retrieved the hierarchy information for the folder, Exchange determines the closest content replica using the following order of preference: 1. The content replica in the local public folder store. 2. A content replica in a store in the same routing group. 3. A content replica in a store with the lowest routing cost (as determined by the routing engine). If Exchange must use a store outside the local routing group, it also takes into account other routing properties, such as link state information. This feature is new in Exchange 2003. The closest content replica is the final destination of the message. If Exchange cannot locate a content replica of the folder, it sends an NDR to the sender of the message. The following figure provides an overview of how Exchange delivers e-mail messages to public folders.

412 A simplified example of how Exchange routes an e-mail message to a public folder

The following process occurs: 1. A message addressed to a public folder is submitted to Exchange. The message arrives first at ExFront01. 2. ExFront01 looks up recipients in Active Directory and finds the mail-enabled folder object for the public folder. 3. From the mail-enabled folder object's attributes, ExFront01 identifies the public folder tree to which the folder belongs. 4. ExFront01 looks up the public folder tree object in Active Directory, and identifies the public folder stores that support the tree. 5. ExFront01 selects a public folder store from the list, and sends the message to that store. 6. ExPF01 looks up the hierarchy information for the requested folder in its local public folder store.

413 7. Using the hierarchy information, ExPF01 determines that its public folder store does not contain a content replica of the requested folder, but that the public folder store on ExPF02 does. 8. ExPF01 sends the message to ExPF02. 9. ExPF02 looks up the hierarchy information for the requested folder in its local public folder store. 10. ExPF02 identifies the content replica of the requested folder and delivers the message to it.

Understanding Public Folder Referrals

When a user connects to a public folder store that does not contain a copy of the content that the user is looking for, the user is redirected to another store that has a copy of the content. You can use public folder referrals to control this redirect traffic. Referrals perform the function that public folder affinities performed in Exchange 5.5, although in a slightly different manner. (If you need information about Exchange 5.5 affinities, see the Exchange 5.5 documentation.) Note To work with public folder referrals, you must understand your organization's routing structure. For more information about routing, routing groups, routing costs, and routing group connectors, see Understanding and Configuring Message Routing and Transport. Using the default referral configuration, Exchange 2003 follows the organization's routing group structure to find an appropriate server. However, to modify the flow of user traffic, you can override this configuration by specifying whether to allow referrals over certain connectors. For Exchange 2003 servers, you can also specify a list of referral servers and assign routing costs to each server. For example, you can limit referrals to a single routing group, or only allow referrals between certain servers in each routing group. Use the following methods to configure referrals. For detailed steps about how to configure a connector to allow or block referrals from one routing group to another, see "How to Configure a Connector to Allow or Block Referrals from One Routing Group to Another."

414 For detailed steps about how to configure an Exchange 2003 server to use a specific list of servers and costs for referrals, see "How to Configure an Exchange 2003 Server to Use a Specific List of Servers and Costs for Referrals."

How to Configure a Connector to Allow or Block Referrals from One Routing Group to Another
To control client public folder redirection traffic by configuring public folder referrals, perform the following procedure.

Before You Begin

To work with public folder referrals, you must understand your organization's routing structure. For more information about routing, routing groups, routing costs, and routing group connectors, see Understanding and Configuring Message Routing and Transport.

Procedure
To configure a connector to allow or block referrals from one routing group to another 1. In Exchange System Manager, in the Connectors container, right-click the connector that you want to configure, and then click Properties. 2. In Routing Group Connector Properties, select or clear the Do not allow public folder referrals option (see the following figure) according to the following criteria: For a connector between Exchange 2003 or Exchange 2000 routing groups, the Do not allow public folder referrals option is not selected by default. You may want to select this option if the connector uses a slow network connection, or if one of the connected routing groups does not have public folder information.

415 For a connector between an Exchange 2003 or Exchange 2000 routing group, and a routing group that contains Exchange 5.5 servers, the Do not allow public folder referrals option is selected by default. The default setting is appropriate for such a connector if users access public folders primarily with Outlook Web Access. Outlook Web Access users cannot view public folder content that resides on Exchange 5.5 servers, so allowing referrals serves almost no purpose. However, if users access public folders primarily with Outlook, you can allow referrals to distribute user traffic to the Exchange 5.5 servers. The General properties tab for a routing group connector

416

How to Configure an Exchange 2003 Server to Use a Specific List of Servers and Costs for Referrals
To control this client public folder redirection traffic by configuring preferred public folder servers and costs, perform the following procedure.

Before You Begin

To work with public folder referrals, you must understand your organization's routing structure. For more information about routing, routing groups, routing costs, and routing group connectors, see Understanding and Configuring Message Routing and Transport.

Procedure
To configure an Exchange 2003 server to use a specific list of servers and costs for referrals 1. In Exchange System Manager, right-click the server, and then click Properties. 2. Use the Public Folder Referrals tab to set up your referral list. The Public Folder Referrals properties tab for a server (Exchange 2003 only)

417

For More Information

For detailed instructions about how to use the Public Folder Referrals tab, see the Exchange Server 2003 Help.

418

Understanding the Basic Process for Referring Clients

When a user connects to Exchange and requests access to a public folder with Outlook (or another MAPI-based client), Exchange locates a content replica of the public folder using information supplied by the public folder store that is associated with the user's mailbox store. The public folder store retrieves the replica list of the requested folder, and if necessary, retrieves routing and cost information from the routing engine. Exchange uses the following process to locate a content replica: 1. Determine whether a content replica exists in this public folder store. If so, connect the user to the local replica. 2. Determine whether a content replica exists on another public folder store on a server in the local routing group. If so, refer the user to the appropriate server. 3. If the user must be referred to another routing group, use the routing engine to determine how to connect the user to the store on the server with the lowest routing cost. If you have created a custom list of referral servers and costs, Exchange uses this information instead of the server and cost information that the routing engine provides. To reduce calls to the routing engine, Exchange caches the cost information that the routing engine returns for one hour. Note If multiple servers meet the criteria for a referral, Exchange uses a hashing algorithm to select one preferred server for the user. Using this algorithm, Exchange can load balance users among the public folder stores while consistently sending a specific user to a specified store. If at any point in this process the selected server is down or unreachable, Outlook tries to reach the next most appropriate server.

419

Understanding Referrals in Mixed-Mode Topologies

If the user's mailbox resides on an Exchange 2003 or Exchange 2000 server, the user will be routed according to the Exchange 2003 or Exchange 2000 public folder referral configuration (as set for that server and routing group). Additionally, Exchange 2003 or Exchange 2000 routing group connectors will only refer users to routing groups that contain Exchange 5.5 servers if you explicitly configure them to do so. If the user's mailbox resides on an Exchange 5.5 server, the user will be routed according to the Exchange 5.5 public folder affinity configuration. Important Outlook Web Access cannot view public folder content replicas that reside on Exchange 5.5 servers.

Referring Outlook Web Access in a Frontend/Back-end Topology

Using a front-end Exchange server to proxy incoming client requests increases the fault tolerance and load balancing capability of your topology, as compared with allowing clients to access the back-end servers directly. The following figure how a front-end server (ExFront01) handles an incoming request for a folder in the Public Folders tree. The front-end server queries Active Directory for information about the user, queries the user's public folder store for the location of the content replica, and queries another public folder store for the replica itself.

420 An example of how Exchange routes an Outlook Web Access user to a public folder in the Public Folders tree

The details of this process are as follows: 1. An authenticated user who has a mailbox in this Exchange organization tries to view the contents of a public folder in the Public Folders tree. Outlook Web Access sends the following request:
HTTP GET "http://<virtdir_front>/public/<folder>"

2. The front-end server ExFront01 receives the GET request, and contacts the global catalog server. ExFront01 looks up the user in Active Directory and retrieves the value of the user's msExchHomePublicMDB attribute. This value identifies the default public folder store that is associated with the user's mailbox store. In the example shown in Figure 1, this store is on the server ExBack01. This example depicts a specific case. Under other circumstances (for example, a server is down, the user is anonymous, or the requested folder is not in the Public Folders tree), ExFront01 would perform one of the following actions in Step 2 instead of the action described: If the server with the user's associated public folder store is not available or is an Exchange 5.5 server, the front-end server sends a GET request to another server in the local routing group. The store on that server follows the basic referral process, outlined earlier in this section, to locate a content replica.

421 If the user is anonymous (using the IIS Anonymous account), the front-end server uses a hashing algorithm to select a server in the local routing group, and sends a GET request to that server. Because anonymous users have a single account, in this step they will always be sent to the same server. If the public folder is in a general-purpose public folder tree, the front-end server uses a hashing algorithm to select a server in the local routing group, and sends a GET request to that server. The store on that server follows the basic referral process, outlined earlier in this section.
GET "HTTP://ExBack01/public/<folder>"

3. ExFront01 sends the request HTTP ExBack01.

to

4. ExBack01 accesses its hierarchy information for the Public Folders tree, and finds that the closest available content replica is on the server ExBack02. ExBack01 sends the location of the content replica to ExFront01 in the form of the message:
HTTP 305 "HTTP://ExBack02/public/<folder>"

5. ExFront01 sends the request HTTP ExBack02.

GET "HTTP://ExBack02/public/<folder>"

to

6. ExBack02 returns the requested content and an HTTP 200 OK message to ExFront01. 7. ExFront01 forwards the content and an HTTP 200 OK message to Outlook Web Access. Using this process, the Outlook Web Access user remains unaware of the topology behind the front-end server. If you do not use a front-end server, users would have to know the name of at least one of your public folder servers to use Outlook Web Access with public folders. To speed up repeated client access to folders while minimizing network traffic, Exchange caches much of the information that it needs during the process. This information, including routing costs, replica locations, and server-down status, is cached for 10 minutes.

422

Configuring Public Folders

In Exchange System Manager, public folder trees that are native to a specific administrative group are listed under the Folders node for that administrative group. From this location, you can work with the properties of the public folder tree or with the individual folders, regardless of which stores hold replicas of the folders. The Details tab for a public folder

Important Because Exchange regards public folder administration and public folder store administration as separate tasks, you can configure your administrative group topology so that some Exchange administrators have access to the public folder stores, but not to the public folders.

423 Note For example, consider a topology with public folder servers grouped into two administrative groups, each of which has its own Exchange Administrator. Martin is the Exchange Administrator for AG1, and Sam is the Exchange Administrator for AG2. Each of the public folder servers has a default public folder store, which supports the Public Folders tree. As expected, Martin can administer the default public folder stores on the servers in AG1, and Sam can administer the default public folder stores on the servers in AG2. However, note that the Public Folders tree was created in AG1, which was the first administrative group in the topology. Therefore, only Martin can administer folders in the Public Folders tree. As the AG2 administrator, Sam can administer only public folder trees created in AG2. Note For more information about this and other permissions issues, see Using Exchange Administrative Roles with Exchange Store Components.

Connecting to a Public Folder Store

Because public folder trees are not limited to single servers, you can view the properties of the tree or its folders by connecting to any of the servers that support the tree. By default, the information in the Folders node of Exchange System Manager comes from the public folder store on the server that is running Exchange System Manager, or from a store that is hosting the public folder tree that you used most recently. If you have a mailbox, Exchange System Manager connects to the server that runs the default public store that is associated with your mailbox. If the Exchange System Manager server does not have a public folder store for the public folder tree that you want to connect to, use the Connect to command to connect Exchange System Manager to a public folder store on another server. The Connect to commands are available on the Action menu for each public folder tree that appears in Exchange System Manager. Exchange View Only Administrators can use the Connect to command.

424 Tip After creating a public folder store, you may have to refresh the information in Exchange System Manager to enable the Connect to command.

Creating a New Public Folder

After you create a public folder hierarchy, you can create the folders and subfolders to hold content. You can create public folders using either Exchange System Manager or a client, such as Outlook or Outlook Web Access. In Exchange System Manager, the New Public Folder command is available on the Action menu for public folders and public folder trees. In Outlook and Outlook Web Access, the New Folder command is available on the context menu for the Public Folder node (in Outlook, the node is named All Public Folders) and all folders below that node. When you create a new folder, the only attribute that you must supply is the folder name. After the folder has been created, you can mail-enable it and configure other folder properties.

Propagating Folder Settings

The Propagate settings command is available only for folders that have subfolders. Use this command to apply the options that you set for a parent folder to all its subfolders. In this way, you can make sure that all the subfolders have the same settings as their parent folder, without configuring each folder individually. After the parent's settings are applied, you can still change the subfolder's settings. Changing the settings on the subfolders does not affect the settings on the parent or other subfolders. Use the Propagate settings command in Exchange System Manager by right-clicking the parent folder and clicking Propagate settings. You can then specify which settings to apply.

425

Configuring Individual Public Folder Limits

Size and age limits help you to control the size of your public folder stores by limiting the amount of content and by removing old content. As discussed previously in this chapter, you can set size and age limits on public folders three different ways. For information about configuring limits on a specific public folder store or a specific replica on a store, see Configuring Public Folder Stores. This topic discusses folder-level limits settings. The following figure shows the Limits tab for a public folder.

426 The Limits tab for a public folder

You can use the Limits tab of the public folder Properties dialog box to control the maximum size of folders, set the length of time that deleted messages will be retained, and set message age limits. Setting age limits on message storage can help you conserve disk space. Unless you set limits at the folder level, all settings use the limits that are set on the public folder store. Clear the Use public store defaults check box to set folder-level limits. The following table describes the possible limits that can be set for a public folder. By default, if no limits are set on the folder, any limits that have been set on the public folder store will be used.

427 Options available on the Limits tab for a public folder

Option Description

Use public store defaults

When this option is selected, the options in the respective group (Storage limits, Deletion settings, and Age limits) use the values that are set in the public folder store, and cannot be configured for individual folders. You can set this option separately for each option group. The first size limit on a public folder. When the public folder reaches this size, a warning is sent to the administrator automatically. You can type a number from 0 to 2097151. The second size limit on a public folder. When the public folder reaches this size, users can no longer post items to the public folder. You can type a number from 0 to 2097151. The maximum size of any individual item that is posted to a public folder. You can type a number from 0 to 2097151. The number of days before deleted items are removed from the public folder permanently. The value can range from 1 to 24855. The number of days that replicated items can remain on the server. The value can range from 1 to 24855. Replicated items are tracked separately from items that are posted to this public folder. When an item is posted to this public folder, the age limit does not apply until the item has been replicated.

Issue warning at (KB)

Prevent post at (KB)

Maximum item size (KB)

Keep deleted items for (days)

Age limit for replicas (days)

428

Age Limit Settings and System Folders

Age limit settings affect some system folders, and also regular public folders. Age limit settings can have the following effects: Free/Busy folder Outlook typically publishes three months of a user's free/busy data at a time, and updates this information every time the user modifies his or her calendar. As long as the age limit is large enough (for example, 90 days), and the user modifies his or her calendar regularly, the age limit removes only information that is out-of-date. Offline Address List folder Exchange rebuilds this folder regularly, based on a schedule that is set in Exchange System Manager. Make sure that the update interval is shorter than the age limit. System Configuration folder This folder is not affected by the public folder store's age limit settings. Do not set age limits on the System Configuration folder. Application Configuration folder This folder is not affected by the public folder store's age limit settings. Do not set age limits on the Application Configuration folder.

Mail-Enabling a Public Folder

You can allow users to send mail to a public folder by mail-enabling the folder and displaying the name of the folder in Address Book. Note Folders created in native-mode Exchange Server 2003 must be mail-enabled manually. To mail-enable a folder manually, right-click the folder, point to All Tasks, and then click Mail Enable. Folders that you migrate from Exchange 5.5 are mail-enabled by default. Exchange creates an Address Book entry for each mail-enabled public folder. However, by default, the folder is hidden from users until you make the entry visible and specify a

429 display name. For more information about configuring specific settings for mail-enabled public folders, see the sections that follow. For information about configuring permissions for a mail-enabled public folder, including how to specify a user who can send mail on behalf of a public folder, see Using Public Folder Permissions.

Configuring the Address Book Listing and E-Mail Alias

Users can address mail to a public folder by using the folder's full name from Address Book (also named the address list name) or by using an alias (typically an abbreviation of the folder's full name). By default, both the address list name and the alias are the same as the public folder name. You can also configure an American National Standards Institute (ANSI)-only form of the public folder name for Address Book to use, which may be required by older e-mail client software. You can define custom attributes for the public folder, and if you do not want the public folder to be listed in Address Book, you can hide it. These options may be useful if you are developing custom applications to work with your public folders. If you are working with a folder in the Public Folders tree and Exchange is in mixed mode, you must clear the hidden attribute of the folder before it will be visible in Address Book. You can configure the address list name on the General tab of the public folder's Properties dialog box.

430 The General tab for a mail-enabled public folder

Select one of the following options for Address list name: Same as folder name Displays the folder in Address Book as it is displayed in Exchange System Manager. Use this name Displays the folder in Address Book using the name that you enter.

You can configure the alias using the Exchange General tab of the public folder's Properties dialog box.

431 The Exchange General tab for a mail-enabled public folder

If the public folder name contains non-ANSI characters, you can also provide a simple display name for Address Book to use. This name can only include ANSI characters, which can be read by any computer. You can configure the simple display name using the Exchange Advanced tab of the public folder's Properties dialog box.

432 The Exchange Advanced tab for a mail-enabled public folder

When the Hide from Exchange address lists check box is selected, the public folder is not visible in Address Book. In mixed mode, this check box is selected by default for folders in the Public Folders tree. To create custom attributes for the public folder, click Custom Attributes. A standard dialog box for creating attributes in Active Directory will appear. You can define up to 15 custom attributes. Note If a particular folder in Address Book is hidden, users can still post messages to the folder if they know its address and type it in the To box of a message. However, if you designate a delegate for the public folder who can send mail on

433 the folder's behalf, the folder must not be hidden. If the folder is hidden, the delegate will not be able to send mail on the folder's behalf. Note For more information about sending mail on behalf of a public folder, see Designating a User as a Mailbox Delegate.

Configuring E-Mail Addresses

By default, Exchange uses the Recipient Update Service to use recipient policies to configure e-mail addresses for mail-enabled public folders automatically. The required recipient policies are created automatically when you mail-enable the folder. For more information about how recipient policies work, see Managing Recipients and Recipient Policies in Exchange Server 2003. Most of the time, recipient policies provide an efficient and consistent mechanism for configuring e-mail addresses. If you want to configure more than one address for mailenabled public folders, you can do so by using recipient policies instead of by configuring a new address for each folder. If you want to modify e-mail addresses on a small number of folders, you can do so by using the E-mail Addresses tab of each folder's Properties dialog box. This feature may be useful if you are designing custom applications to work with your public folders.

434 The E-mail Addresses tab for a mail-enabled public folder

By default, the Automatically update e-mail addresses based on recipient policy check box is selected. This allows recipient policies to override explicitly configured addresses that are set on individual folders. If you must modify the list of e-mail addresses for a folder, for detailed instructions, see the Exchange Server 2003 Help. Note The folder's primary e-mail address is the address to which replies will be sent when an e-mail message is sent on behalf of the public folder.

435

Setting Delivery Restrictions

Because e-mail messages sent to or from a public folder are routed as e-mail and not as messages posted directly to the folder, Exchange provides an additional set of size and access restrictions for mail-enabled public folders. These options help you control e-mail traffic to and from the public folders. To limit the size of both incoming and outgoing messages for a public folder, or to choose to accept or reject messages from specific users for the public folder, click Delivery Restrictions on the Exchange General tab of the public folder's Properties dialog box. You can then set message limits in the Delivery Restrictions dialog box. Note You can set delivery restrictions only if Exchange is in native mode.

436 The Delivery Restrictions dialog box for a mail-enabled public folder

In the Delivery Restrictions dialog box, you can set the following options: Sending message size Limits the size of messages that are sent using the e-mail alias of the public folder. You can use the default size limit, or you can type a maximum message size in the Maximum KB box. The maximum message size for outgoing messages can be a value from 1 to 2097151. Note Specifying too large a value for Sending message size can increase traffic on your network. Additionally, large messages can take a long time to download over slower network connections. Use a value that is appropriate for your network's usage pattern. Receiving message size Limits the size of messages that are sent to the public folder. You can use the default size limit, or you can type a maximum message size

437 in the Maximum KB box. The maximum message size for incoming messages can be a value from 1 to 2097151. Note Specifying too large a value for Receiving message size can increase traffic on your network. Additionally, large messages can take a long time to download over slower network connections. Use a value that is appropriate for your network's usage pattern. Message restrictions Specifies who can and cannot send e-mail to the folder. Choose from the following options: From authenticated users only Regardless of the type of restriction that you apply (From everyone, Only from, or From everyone except), the public folder will only accept e-mail messages from authenticated users. From everyone The public folder will accept all incoming e-mail messages. Important If you select the From everyone message restriction, any user will be able to send e-mail messages to the public folder. Use this option only when no security restrictions are required. Only from The public folder will only accept e-mail messages from the specified users. Click Add to specify a list of users. From everyone except The public folder will refuse to accept e-mail messages from the specified users. Click Add to specify a list of users.

Configuring a Forwarding Address

You can configure a public folder to send a copy of incoming mail to a user's mailbox or to another public folder (or to multiple destinations) using the Exchange General tab.

438 The Exchange General tab for a mail-enabled public folder

To configure a forwarding address for a public folder, click Delivery Options on the Exchange General tab of the public folder's Properties dialog box. The Delivery Options dialog box appears.

439 The Delivery Options dialog box for a mail-enabled public folder

In the Delivery Options dialog box, you can set up a forwarding address by configuring the following options: Forwarding address Specifies an e-mail address (other than that of the public folder) where messages that are addressed to the public folder will be delivered. Specify one of the following: None Messages will only be delivered to the public folder. This is the default setting. Forward to Forwards all e-mail messages that are addressed to the public folder to a designated user. To create a list of users, click Modify.

Deliver messages to both forwarding address and folder When this check box is selected, all e-mail messages that are addressed to this public folder are delivered

440 to both the public folder and a user who you specify. If this check box is not selected, only the user will receive the e-mail messages.

Maintaining Public Folders

Much of the actual maintenance work on public folders (such as removing expired or deleted messages, or notifying you if the public folders become too large) occurs automatically when Exchange runs its public folder maintenance process. This process runs on a regular schedule, typically during off-peak hours. (For more information about the Exchange automated folder maintenance process, see Configuring Store Maintenance and Backup Options.) You can fine-tune this process by setting size limits and age limits on the public folder stores or on individual public folders, as described in Configuring the Default Public Folder Limits, Configuring Limits on a Specific Public Folder Replica, and Configuring Individual Public Folder Limits. Exchange also provides several ways to view status information about public folders that may be helpful in troubleshooting public folder issues. For information about viewing the status of folders in a specific public folder store, see Configuring Public Folder Stores. For information about viewing the replication status of public folders, see "Configuring Replicas" in "Controlling Exchange Server 2003 Public Folder Replication" in Working with the Exchange Server 2003 Store. The rest of this section describes the other status views of public folders that are available.

Viewing Public Folder Status

Exchange System Manager provides multiple tabs for viewing public folder information. The Details tab displays basic information about the selected folder. Exchange View Only Administrators can access information in the Details tab and the Status tab.

441 The Details tab for a public folder

For actively updated information about public folders, use the Status tab. The Status tab lists all the content replicas of the folder, the servers and where they reside, and statistics about the folder content.

442 The Status tab of a public folder

Viewing Public Folder Content Using Exchange System Manager

When you troubleshoot public folder issues, you may have to verify that messages have been added to or deleted from a public folder as expected. You can use the Content tab to view what a user who is connecting to the folder using Outlook Web Access would see. Important To display the Content tab, Exchange System Manager must be able to log on to an IIS virtual directory for the public folder in question, the same way Outlook Web Access would. The virtual directories must be configured on the server running Exchange System Manager, and the World Wide Web Service must be running. To view the contents of a general-purpose public folder tree, make sure

443 that you have created a virtual directory for that tree. For more information about IIS and the World Wide Web Service, see the Windows Help. Note Depending on your security settings, you may have to provide credentials to view the content of the folder. Exchange View Only Administrators can access this information. Content tab of a public folder

Searching for Public Folders Using Exchange System Manager

Use the Find tab to search for public folders in the selected public folder or public folder hierarchy. The Find tab is available at the top of the public folder tree, and also at the folder level. Exchange View Only Administrators can use the Find tab.

444 Find tab of a public folder

You can specify a variety of search criteria, such as the folder name or age. The following table lists the different options and criteria that you can use when searching. Options you can use when searching for a public folder
Option Description

Name contains Permissions Replicated to

All or part of the folder name. Permissions for a specific user or group. The name of the server that holds a replica of the folder. The folder was created or modified in a certain date range. Select either Modified or Created, and then use the Begin date and End date lists to specify the date range. The age of the folder, in a certain range. Click days or older, days or newer, or days, and then specify the age in days.

Specify folder

Folder age

445

Moving Public Folders In a Public Folder Tree

You can move a public folder to a new location in the same public folder tree by cutting and pasting the folder in the left pane of Exchange System Manager. You can also copy the folder or move a group of folders in a folder tree. Important You cannot move, copy, or paste a folder from one public folder tree to another. Moving a public folder in a tree is considered a change to the hierarchy of the tree, and this action differs from placing content replicas of folders on new public folder stores. For more information about configuring content replicas, see "Configuring Replicas" in "Controlling Exchange Server 2003 Public Folder Replication" in Working with the Exchange Server 2003 Store.

Maintaining the Organizational Forms Library

An organization's forms library is a repository for forms that are generally accessed by all users in a company. Forms are templates that help users to enter and view information. For example, a standard supply request form can be stored in an organizational forms library. You can create new forms libraries using Exchange System Manager, and you can create new forms using Outlook. After a form is created, it is saved in the organizational forms library. You can use the system folders to create libraries for other languages, set permissions for libraries, and replicate libraries.

446 Tip For more information about creating a form, see the documentation that included in Microsoft Outlook. An organizational forms library is a special type of public folder that is listed only with system folders. When you create an organizational forms library, you assign a language to it. By default, clients logged on to Exchange search for forms in the library that matches their language. Therefore, you must create individual libraries to hold forms that you want to be available to non-English language clients. If there is no language-specific organizational forms library, the client defaults to the library on the server. You can have only one organizational forms library for each language. Exchange stores these libraries in the EFORMS REGISTRY system folder. Note You can only create organizational forms libraries in the system folders subtree of the Public Folders tree. Even if you have created new public folder hierarchies to work with the organizational forms libraries, only the Public Folders tree supports the EFORMS REGISTRY system folder. For instructions about how to create and modify organizational forms libraries, see "Maintain the Organizational Forms Library" in the Exchange Server 2003 Help.

Understanding and Configuring Message Routing and Transport

Together, message routing and transport are responsible for message delivery internally and externally. Message routing is the way that messages flow between servers in the organization and to other servers outside the organization. Your routing topology, based on the routing groups and connectors you define, dictates the path these messages take to reach their final destination. Transport determines the way that messages are delivered. Simple Mail Transfer Protocol (SMTP) is the transport protocol that Exchange servers use to communicate with each other and send messages using the routing topology. SMTP is part of the Microsoft Windows Server 2003 or Microsoft Windows 2000 Server operating system. When you install Microsoft Exchange on a server running

447 Windows Server 2003 or Windows 2000 Server, Exchange extends SMTP to support additional SMTP commands for additional functionality. This functionality includes the ability to communicate the link state status, available messaging routes status, and other Exchange functionality.

Configuring Routing for Internal Mail Flow

Because routing is the path messages travel from a sender to a recipient, a well-planned routing topology is required for efficient mail flow in your Exchange organization. Carefully evaluate your existing network infrastructure, before you plan your routing topology. Note Although this section focuses on the components of your routing topology and how they affect message flow in your organization, it does not discuss all the planning considerations and various routing topologies in detail. In its default state, Exchange Server 2003, like Exchange 2000 Server, functions as though all servers in an organization are part of a single, large routing group. That is, any Exchange server can send mail directly to any other Exchange server in the organization. However, in environments with varying network connectivity and geographical distribution, you can increase message flow efficiency by creating routing groups and routing group connectors in accordance with your network infrastructure. By creating routing groups and routing group connectors, servers in a routing group still send messages directly to each other, but they use the routing group connector on those servers with the best network connectivity to communicate with servers in another group. This section discusses what routing groups are and how to create and configure routing groups and routing group connectors to manage internal mail flow. Then, because network topologies and environments change, this section also covers how to make adjustments to your routing topology, such as moving servers between routing groups, renaming routing groups, and deleting routing groups.

448 Note If you are operating Exchange on a single server, most of the topics about routing groups do not apply to your organization. However, you may find these topics useful if you plan to expand your messaging system to support multiple servers. For detailed instructions, see How to Disable Outbound Mail. For detailed instructions, see How to Disable a Connector. For detailed instructions, see How to Remove a Connector.

How to Disable Outbound Mail

Using the Disable Outbound Mail option, you can disable outbound mail from all SMTP queues. For example, disabling outbound mail can be useful if a virus is active in your organization. The Disable Outbound Mail option does not disable the MTA or system queues. System queues are default queues for each protocol that hold messages only while certain required routing tasks are performed, such as content conversion and address resolution. If you find messages in your system queues for extended periods, it means that one or more basic routing functions are failing somewhere in your Exchange organization. For more information about working with message accumulation in queues, see Using SMTP Queues to Troubleshoot Message Flow and Using X.400 (MTA) Queues to Troubleshoot Message Flow.

Procedure
To disable outbound mail In Queue Viewer, click Disable Outbound Mail. If you want to prevent outbound mail from a particular remote queue, instead of disabling all SMTP queues, you can freeze messages in a particular queue: To freeze all the messages in a particular queue, in Queue Viewer, right-click the queue, and then click Freeze.

449 To unfreeze a queue, in Queue Viewer, right-click the queue, and then click Unfreeze.

How to Disable a Connector

If necessary, you can disable or remove existing connectors in your organization. You can disable a connector that you do not want Exchange to use by setting the connection schedule to Never. Disabling a connector instead of deleting it helps you to retain the configuration settings if you want to enable it again in the future.

Procedure
To disable a connector 1. In Exchange System Manager, right-click a connector, and then click Properties. 2. Select one of the following options: For an X.400 connector, click the Schedule tab, and then click Never. For an SMTP connector or a routing group connector, click the Delivery Options tab. Under Specify when messages are sent through this connector, in Connection time, select Never run from the drop-down list.

How to Remove a Connector

You can remove a connector that you no longer use by deleting it. You can remove a connector whenever you prefer. When you remove a connector, you are not warned of the connections you are breaking. For example, you may be breaking an established connection between two routing groups. However, you are prompted to verify that you want to remove the connector.

450

Procedure
To remove a connector In Exchange System Manager, right-click the connector that you want to remove, and then click Delete.

Understanding Routing Groups

A routing group is a logical collection of servers used to control mail flow and public folder referrals. In a routing group, all servers communicate and transfer messages directly to one another. In a routing group, all servers communicate and transfer messages directly to one another, as follows: 1. A user in your Exchange organization uses a mail client to send mail to another user. 2. Using SMTP, the sender's client submits this mail to the SMTP virtual server on the Exchange server on which the client's mailbox resides. 3. The Exchange server looks up the recipient of the mail message to determine which server the recipient's mailbox resides on. 4. One of two things occurs: If the recipient's mailbox is on the same Exchange server, Exchange delivers the message to the recipient's mailbox. If the recipient's mailbox is on another Exchange server, the first Exchange server sends the message to the recipient's home mailbox server, and it is the recipient's home mailbox server that delivers the message to the recipient's mailbox.

Although all servers communicate with each other directly in a routing group, this is not the case when a server in one routing group must communicate with a server in another routing group. To allow servers to communicate with servers in other routing groups, you must create a routing group connector. Although you can use an X.400 connector or an SMTP connector to connect routing groups, the routing group connector is specifically designed for this purpose and is the preferred method of connecting routing groups.

451 By default, all servers in a routing group can send mail over the routing group connector. Servers that can send mail over a routing group connector are bridgehead servers. These bridgehead servers are each a combination of an SMTP virtual server and an Exchange server responsible for delivering all messages through a connector. When creating a routing group connector, you have the option of keeping all the servers as bridgehead servers for that connector or of specifying that only a selected set of servers act as bridgehead servers for that connector. The following table compares the advantages of each approach. Number of bridgehead servers in a routing group
Number of bridgehead servers Advantages

All servers in a routing group

Provides more efficient message flow because all the servers in the routing group can directly deliver messages to other routing groups. Takes advantage of those configurations where all the servers in a routing group have the same network connectivity to the servers in other routing groups. Makes troubleshooting message flow easier because there are limited points of contact between routing groups. Distributes messaging if you anticipate heavy message flow between routing groups. Makes mail flow more reliable and efficient in those configurations where some servers have better network connectivity than others.

Only a select few servers in a routing group

The following figure illustrates the basic components of routing discussed thus far. This figure shows message flow between servers in a routing group and between routing groups. It also illustrates a topology that uses only a single bridgehead server in each routing group.

452 Communication in and between routing groups

When a topology is as simple as that shown in Figure 5.1, you do not have to consider how to best route messages between routing groups. As topologies become more complex, with large numbers of routing groups spread over varying geographical distances, message routing among groups becomes critical. You configure routing among routing groups by assigning costs to the routing group connectors that are used by these groups. When a user on a server in one routing group sends mail to a user on a server in another routing group, Exchange uses these costs (part of the link state information maintained by Exchange) to determine the most efficient route. Exchange always uses the route with the lowest cost unless a connector or server in that route is unavailable. So that every routing group knows what the various costs are for each connector and the status of those connectors, each routing group has a routing group master that updates and coordinates this information with all the other servers in a routing group. For detailed instructions about working with routing groups, see the following procedures: "How to Create a Routing Group" in the Exchange Server 2003 Transport and Routing Guide How to Move a Server Between Routing Groups How to Rename a Routing Group How to Delete a Routing Group How to Configure the Options for a Routing Group How to Specify a Remote Bridgehead Server for a Routing Group

453

How to Create a Routing Group

By design, Exchange functions as though all servers are connected by high-speed reliable networks. When your servers do not share this type of network connectivity, you can group servers with reliable network connectivity into routing groups to enable Exchange to maximize message flow efficiency. By default, all servers in a native-mode Exchange organization are placed in a single routing group, named First Routing Group, and these servers communicate directly with one another. In mixed mode (where some servers are running Exchange 5.5 or earlier), each Exchange 5.5 site becomes a routing group. Note To understand the difference between routing groups in mixed and native mode, see Using Routing Groups in Native and Mixed Modes. After installation, you can create additional routing groups in your Exchange organization. When you install additional Exchange servers in an existing organization, you can then designate the appropriate routing groups where these servers belong. After installation, you can also move servers between routing groups. When you create a routing group, two containers display under the routing group: Connectors Displays any connectors installed on the servers in the routing group. This list includes any connectors to third-party mail systems, such as the Lotus Notes or Novell GroupWise connector, and also any routing group connectors, X.400 connectors, and SMTP connectors that you configure. Members Displays the servers in this routing group. By default, the routing group master is the first server added to a routing group.

Before You Begin

Before you can create routing groups, you must configure your Exchange organization to display routing groups. In Exchange System Manager, right-click your Exchange organization, click Properties, and then select the Display routing groups check box.

454

Procedure
To create a routing group 1. In Exchange System Manager, right-click Routing Groups, point to New, and then select Routing Group. 2. On the General tab (see the following figure), in the Name box, enter a name for the routing group, and then click OK. General tab for routing group

455

How to Move a Server Between Routing Groups

You can only add a server to a routing group during installation. However, you can move servers between routing groups whenever you prefer. Moving servers between routing groups is useful if your network topology changes, and you must combine servers with reliable connections into different routing groups. You might have to move servers between routing groups if you are consolidating your physical sites and moving more servers to a central location. In native mode, you can move servers between routing groups that exist in different administrative groups. In mixed mode, you can only move servers between routing groups in the same administrative group. Note You cannot move a server that is configured as the bridgehead server for any connectors. You must first designate a new bridgehead server, or remove the connectors before you can move the server.

Procedure
To move servers between routing groups 1. In Exchange System Manager, expand the routing group that currently has the server to be moved, and then expand the Members folder in that routing group. 2. Expand the routing group that will be the new location for the server, and then expand the Members folder in that routing group. 3. In the Members folder of the routing group that currently has the server to be moved, use one of the following methods: Select the server and drag it to the Members folder of the routing group that will be the new location for the server. or Right-click the server, and then click Cut. In the Members folder of the

456 routing group that will be the new location for the server, right-click, and then click Paste.

How to Rename a Routing Group

You might have to rename a routing group if you are consolidating routing groups or expanding a routing group to include more regions and want to change the name to reflect the new membership. If any servers in a routing group are bridgehead servers for an X.400 connector, make sure that no messages are in the Exchange message transfer agent (MTA) queue. Messages are submitted to this queue if they are destined for an X.400 system or an Exchange 5.5 server. If messages are in the Exchange MTA queue when you rename a routing group, wait 15 minutes for Exchange to apply these changes, and then restart the Microsoft Exchange MTA Stacks service. Messages in other queues are not affected when you rename a routing group. You can use Queue Viewer to verify that no messages are in the Exchange MTA queue. The following figure shows the Exchange MTA queue with no messages. Exchange MTA queue in Queue Viewer

457

Procedure
To rename a routing group In Exchange System Manager, right-click the routing group, click Rename, and then type a new name for the group.

How to Delete a Routing Group

Before you can delete a routing group, you must move all member servers to another routing group. After you remove the servers from the routing group, you can delete the group.

Procedure
To delete a routing group In Exchange System Manager, right-click the routing group, and then click Delete.

How to Configure the Options for a Routing Group

To configure a routing group, you must specify the following options: The name of the routing group connector The routing groups to which you want to connect The cost for the connector

458 Whether any or all servers in the routing group will function as bridgehead servers Whether public folders can be accessed locally by users of the routing group

Procedure
Before you begin, read Understanding and Configuring Message Routing and Transport.

Procedure
To configure the options for a routing group connector 1. In Exchange System Manager, expand the routing group, right-click Connectors, point to New, and then click Routing Group Connector. 2. On the General tab (see the following figure), select from the following options: For the name of the routing group connector, it is a common practice to use the two routing groups it connects. For example, you can use the name ParisToSeattle to define a connector connecting your Paris routing group to your Seattle routing group. In Connects this routing group with, select the routing groups to which you want to connect. In Cost, assign a cost for the connector. To have all servers in the local routing group function as bridgehead servers, select Any local server can send mail over this connector. To specify which servers in the local routing group can function as bridgehead servers for this connector, select These servers can send mail over this connector, and then click Add to add the appropriate servers to the list. To prevent users from accessing public folders that are not available locally using this connector, select Do not allow public folder referrals. General tab of the Routing Group Connector Properties dialog box

459

How to Specify a Remote Bridgehead Server for a Routing Group

A remote bridgehead server is a server in a connected routing group that receives all messages destined for that particular routing group. A remote bridgehead server also sends link state information to the bridgehead servers for a routing group connector.

460

Before You Begin

Before you begin, see Understanding and Configuring Message Routing and Transport.

Procedure
To specify a remote bridgehead server for a routing group connector 1. In the Routing Group Connector Properties dialog box, on the Remote Bridgehead tab (see the following figure), click Add, and then select the remote bridgehead server from the list of servers in the routing group to which you are connecting. Note You must specify a remote bridgehead server. For redundancy, specify more than one remote bridgehead server, if you can. Remote Bridgehead tab in the Routing Group Connector Properties dialog box

461

2. If you are creating a routing group connector between routing groups that includes Exchange 5.5 servers, in Override connection credentials for Exchange 5.x, click Modify, and then enter the Exchange 5.5 service account credentials for the Exchange 5.5 server to which you are connecting. 3. Click Apply to create the connector. 4. When a message appears that prompts you with the question of whether you want to create a routing group connector in the remote routing group, click Yes. After you click Yes, Exchange creates a routing group connector in the remote routing group. This new routing group connector permits the remote routing group to send messages to the local routing group. When creating this new routing group connector, Exchange does the following: Exchange designates the bridgehead servers for the remote routing group

462 connector as those servers listed on the Remote Bridgehead tab of the local routing group connector. Note When Exchange designates servers in this way, only those servers listed on the Remote Bridgehead tab become bridgehead servers for the new connector. If you would rather have all the servers in the remote routing group (not just those listed) function as bridgehead servers for the new connector, you must manually select the Any local server can send mail over this connector option on the General tab of the new connector. Exchange designates the remote bridgehead servers for the remote routing group connector as those servers listed as bridgehead servers on the General tab of the local routing group.

Understanding Link State Information

Exchange 2003, like Exchange 2000, uses link state information to determine the most effective route for delivering messages. The link state table contains information about the routing topology and whether each connector in the topology is available or unavailable. Additionally, the link state table contains costs associated with each available connector. Exchange uses this information to determine the route with the lowest cost. If a connector along the lowest cost route is unavailable, Exchange determines the best alternative route, based on cost and connector availability. To understand how link state information and connector costs work, consider the routing topology shown in the following figure, in which four routing groups exist: Seattle, Brussels, London, and Tokyo. The connectors exist between each routing group and are assigned costs based on the network speed and available bandwidth.

463 Routing topology and costs

If all connections between the routing groups are available, a server in the Seattle routing group always sends a message to the Brussels routing group by sending the message first through the London routing group. This route has a cost of 20, the lowest cost route available. But, if the bridgehead server in London is unavailable, messages originating in Seattle and destined for Brussels travel over the higher cost route, the one that goes through the Tokyo routing group.

Understanding Routing Group Masters

When you create a routing group, the first server in that routing group is assigned the role of routing group master. The routing group master keeps track of the link state information and propagates it to the other servers in the routing group, and other servers communicate back any changes in link state. For example, if a member server tries to contact another server over a connector, and this link is unavailable, the member server immediately notifies the routing group master. Likewise, when a non-master receives new link state information, it immediately transfers the link state information to the master, so that other servers can receive the information about the routing change. In a routing group, the routing group master and the other Exchange servers communicate link state information over TCP/IP port 691 using SMTP. However, communication of link state information between routing groups is different. If the routing group master is not a bridgehead server for the routing group, the routing group master

464 sends the link state information to the group's bridgehead server over TCP/IP port 691. The bridgehead server then forwards this information (over TCP/IP port 25 using SMTP) to the bridgehead servers of other routing groups. If you do not want the first server installed in the routing group to be the routing group master (the default setting), you can change the routing group master to another server. For detailed information about changing the routing group master, see "How to Change Which Server Is the Routing Group Master" in the Exchange Server 2003 Transport and Routing Guide. Important There is no automatic failover for routing group masters. If a routing group master fails, you must manually configure a new routing group master in Exchange System Manager. If a routing group master fails, the other servers in the routing group use the last known link state information until a routing group master becomes available or another routing group master is designated.

Using Routing Groups in Native and Mixed Modes

In Exchange 2003 and Exchange 2000, the administrative and routing functions are split into different units: Administrative groups define the logical administrative boundary for Exchange servers. Routing groups define the physical routes that messages travel over the network.

If your Exchange organization is in native mode, where all servers are running Exchange 2000 or later, this split between administrative groups and routing groups helps you to create routing groups that span administrative groups, and move servers between routing groups that exist in different administrative groups. This functionality also helps you to separate routing and administrative functions. For example, you can administer servers in two central administrative groups, placing servers from each administrative group in different routing groups, based on your network topology.

465 However, the functionality of routing groups in mixed mode, where some servers are running Exchange 2003 or Exchange 2000 while others are running Exchange 5.5, is different from native mode. In mixed mode, you: Cannot have a routing group that spans multiple administrative groups. Cannot move servers between routing groups that exist in different administrative groups.

This is because the routing topology in Exchange 5.5 is defined by siteslogical combinations of servers connected by a high-bandwidth reliable network. Sites provide the functionality of both the administrative group and routing group in Exchange 2003 and Exchange 2000. This difference in routing topology limits routing groups in mixed mode. Note For more information about native and mixed mode Exchange organizations, see "Managing an Exchange Server 2003 Organization."

Connecting Routing Groups

When you create a routing group, you designate a group of servers that can communicate directly with one another. As discussed earlier, for servers in different routing groups to communicate with each other, you must connect the routing groups. You can connect routing groups with an SMTP connector or an X.400 connector. However, using these types of connectors is typically not recommended. The preferred connection method is a routing group connector because this connector is designed and intended specifically for connecting routing groups. Routing group connectors are one-way routes for outgoing messages, which means messages travel outbound to the connected routing group. For two routing groups to communicate, a routing group connector must exist in each routing group to send messages outbound to the other routing group. When you create a connector to a routing group, Exchange displays a message that prompts you with the question of whether you want to create a routing group connector in the remote routing group so that you can send messages from the remote routing group to the routing group where you are creating the first connector.

466 Before you create and configure a routing group connector, think about the following questions: To which routing group does this connector deliver messages? This information is critical. Identifying the routing group to which the connector delivers messages establishes the relationship between the sending and receiving routing groups and the rest of your topology. You must know how the sending and receiving routing groups fit into your topology to intelligently assign a cost for the associated connector. What cost should this connector have? Cost is the variable Exchange uses to determine the most efficient messaging route. Exchange considers the lowest cost route the most efficient. Exchange uses a more expensive route only if a server or connector is unavailable on the route with the lowest cost. Assign the lowest costs to the routes with the highest available network bandwidth. Which servers in the routing group can act as bridgehead servers? Only designated bridgehead servers can send messages across the connector to the connected routing group. The default and preferred setting is to have any of the servers in the local routing group send mail using this connector. Use this default option when all servers in the routing group can connect directly over the network to the remote bridgehead server. Connecting directly to the remote bridgehead servers provides more efficient message flow. However, you may have better direct network connectivity between specific servers in the local routing group and the designated remote bridgehead server. For example, Server A has a direct connection of 56 kilobits per second (Kbps) to a remote bridgehead server, while Server B and Server C each have a direct connection of 10 megabits per second (Mbps) to the same remote bridgehead server. In this case, you would want to specify the servers that have the better direct network connectivity (that is, Server B and Server C) as the bridgehead servers, and you would add those specific servers to a list of permitted bridgehead servers. Should users access public folders that are not available locally using this connector? By default, public folder referrals are enabled across connectors connecting routing groups. However, network traffic increases when users access a public folder in a remote routing group. If your routing groups are connected by slow network connectivity or if your network may not be able to handle the additional traffic, disable public folder referrals. For more information about public folder referrals, see "Understanding Public Folder Referrals." What are the remote bridgehead servers to which this connector can send messages? The remote bridgehead servers are the servers in the connected

467 routing group that receive all messages destined for this routing group. The remote bridgehead servers also send link state information to the bridgehead servers for the connector. After considering these questions, you answer the first four by setting the configurations options on the General tab in the Routing Group Connector Properties dialog box. You can answer the last question by specifying remote bridgehead servers on the Remote Bridgehead tab. For detailed instructions about working with connectors, see the following topics: How to Create an SMTP Connector for Internet Mail Delivery How to Create an X.400 Connector How to Disable a Connector How to Remove a Connector

How to Create an SMTP Connector for Internet Mail Delivery

After you have thought about the configuration requirements for the SMTP connector and know what your configuration decisions are, you are ready to create and configure an SMTP connector. The first step is to configure the settings on which you have decided. For detailed instructions, see the procedure below. Then you must enable anonymous access for outbound connections because other servers on the Internet expect your SMTP server to connect anonymously. For detailed instructions, see How to Enable Anonymous Access for an SMTP Connector. After creating and configuring the connector, your SMTP connector is ready to send mail to the Internet. However, these procedures do not cover all the configuration settings for the connector. There are additional configuration settings that control how the connector delivers mail to the Internet. For more information about configuring these additional settings, see Customizing Mail Delivery.

468

Procedure
To configure a connector for Internet mail delivery 1. In Exchange System Manager, expand the routing group, right-click Connectors, point to New, and then click SMTP Connector. The Properties dialog box for the new connector appears. See the following figure. Properties dialog box for a newly created SMTP connector

2. On the General tab, select one of the following options: To use the DNS settings configured on the SMTP virtual server that is

469 hosting the connector, select Use DNS to route to each address space on this connector. The SMTP connector uses DNS to resolve the IP address of the remote SMTP server, and then it delivers the mail. To route mail to a Windows SMTP server or another server in your perimeter network (also known as a screened subnet), select Forward all mail through this connector to the following smart hosts. The SMTP connector then routes mail to the selected server, which handles DNS resolution and delivers the mail. 3. On the General tab, click Add, and add at least one bridgehead server and one SMTP virtual server. The servers that you add appear in the Local bridgeheads list on the General tab. 4. Click the Address Space tab. 5. On the Address Space tab, click Add. 6. In the Add Address Space dialog box, in the Select an address type list, click SMTP, and then click OK. See the following figure. Add Address Space dialog box

7. In the Internet Address Space Properties dialog box (see the following figure),

470 select the following options: In the E-mail domain box, type an e-mail domain for the connector. Important In the E-mail domain box, there is a default value of * that represents all addresses. At least one connector in your organization must have this address space to make sure that all external domains are routed to the Internet. In the Cost box, assign an appropriate cost. By default, the cost is 1. Internet Address Space Properties dialog box

8. Click OK to return to the Address Space tab. See the following figure.

471

Address Space tab

9. On the Address Space tab, under Connector scope, select one of the following options: To allow all servers in your Exchange organization to use this connector, select Entire organization. To allow only servers in the routing group to use this connector to send Internet mail, select Routing group. Note If you select Routing group, make sure that you have another way

472 for servers in different routing groups to send Internet mail.

How to Create an X.400 Connector

You can create an X.400 connector to connect to another X.400 system after you create a TCP X.400 or X.25 X.400 transport stack.

Procedure
To create an X.400 connector 1. In Exchange System Manager, right-click Connectors, point to New, and then click X.25 X.400 Connector or TCP X.400 Connector. 2. On the General tab (see the following figure), in the Name box, type the connector name. General tab of the Properties dialog box for an X.400 connector

473

3. On the General tab, under Remote X.400 name, click Modify. 4. In Remote Connection Credentials, in Remote X.400 name, type the name of the remote X.400 connector on the remote server. (The remote connector name defaults to the remote server name.) In the Password box, type the password for the remote X.400 connector. In the Confirm password box, type the password again. 5. Select one of the following options: On the Address Space tab, click Add, select an address type, and then, in the Address Properties box, type all required information, including cost. On the Connected Routing Groups tab, click Add. On the General tab, in the Organization box, type the name of the organization that contains the

474 routing group to which you want to connect, and then in the Routing Group box, type the name of the routing group to which you want to connect. Note The organization must exist on an Exchange server so that the naming conventions are known. Optionally, you can type address space information and cost on the Routing Address tab. By default, the address space is created from the organization and routing group names, and the cost is 1. 6. If the remote system is not an Exchange server, on the Advanced tab, clear the Allow Exchange contents check box. If you do not clear the check box, addresses on messages are in domain name form and not in X.400 form, and replies are not possible. 7. On the Stack tab for an X.25 X.400 connector, in the X.121 address box, type the X.121 address of the remote server as specified in the X.25 network service setup. or On the Stack tab for a TCP X.400 connector, choose one of the following options: Select Remote host name, and then, in the Address box, type the fully qualified domain name (FQDN). Select IP Address, and then, in the Address box, type the remote server's IP address.

Connecting to the Internet

Internet connectivity depends on SMTP and Domain Name System (DNS), and some other components. As stated earlier, SMTP is the protocol that is used by Exchange to deliver mail internally and to the Internet. To enable Internet mail delivery in your Exchange organization, you manage the SMTP protocol by configuring SMTP virtual servers and connectors. Additionally, you must make sure that DNS is correctly

475 configured because DNS is responsible for locating mail servers outside the organization, so that SMTP can deliver mail to them. Note Before connecting to the Internet, configure your Exchange server in accordance with your company's security policy. After you install Exchange, you can send and receive mail using the default configuration of an SMTP virtual server on an Exchange server if the following conditions are true: You have a direct connection to the Internet. Note Dial-up connectivity requires some additional configuration. For more information, see Configuring SMTP in Microsoft Exchange 2000 Server. You have DNS configured correctly to resolve Internet names and to send mail to your Exchange server. Specific DNS settings are discussed later in this section.

This section describes how to configure Internet mail delivery. It includes: Understanding SMTP dependencies and how to configure SMTP Exchange relies on SMTP to deliver mail internally and externally. Because of this reliance, you must understand on which components SMTP depends and correctly configure them to support SMTP. After you have set up these components correctly, you must know how to control the configuration of SMTP. Using a wizard to configure Internet mail delivery Internet Mail Wizard is intended primarily for small and medium companies with less complex environments than large or enterprise companies. Manually configuring Internet mail delivery In large or enterprise environments, you may have to manually configure Internet mail delivery, in accordance with your organization's policies. When manually configuring Internet mail, there is a separate set of tasks associated with configuring Exchange to send Internet mail and to receive Internet mail. Controlling junk mail using filters Exchange supports connection, recipient, and sender filtering. Using these various filtering options helps you control the junk mail your users receive. Note For detailed information about large or enterprise environments and common deployment scenarios for those environments, see Configuring SMTP in Microsoft Exchange 2000 Server.

476 For detailed instructions, see How to Use a Wizard to Configure Internet Mail.

How to Use a Wizard to Configure Internet Mail

Exchange Server 2003 implements a new version of Internet Mail Wizard that helps you configure Internet mail connectivity with Exchange Server 2003 or Exchange 2000 Server. Using Internet Mail Wizard, you can configure an Exchange server to send Internet mail, receive Internet mail, or send and receive Internet mail. Additionally, using Internet Mail Wizard means that you do not have to configure the SMTP connector and SMTP virtual server manually. Internet Mail Wizard automatically creates the required SMTP connector for outgoing Internet mail and configures your SMTP virtual server to accept incoming mail.

Before You Begin

If you have already set up SMTP connectors, modified the IP address or port number of your default SMTP server, or created additional SMTP virtual servers on your Exchange server, you cannot run Internet Mail Wizard. However, if you reset your server configuration to its default state, you can then run Internet Mail Wizard. Important Internet Mail Wizard is intended primarily for small and medium companies with less complex environments than large enterprise companies. If you have a complex or enterprise messaging environment, you must manually configure Exchange for Internet mail delivery.

Procedure
To start Internet Mail Wizard 1. In Exchange System Manager, right-click your Exchange organization, and then click Internet Mail Wizard.

477 Note To run Internet Mail Wizard, you must use the version of Exchange System Manager that is included in Exchange Server2003. 2. Follow the instructions in the wizard to perform the configuration tasks (see the following tables) required to configure Internet mail delivery. Using Internet Mail Wizard to configure the sending of mail
Task Description

Select an Exchange server in your organization that will send Internet mail

You cannot run the wizard on a server on which you have already set up SMTP connectors or created additional SMTP virtual servers. You can only use the wizard to designate Exchange 2000 or later servers. This is both the Exchange server and the SMTP virtual server on this server. The wizard creates an SMTP connector on the selected SMTP virtual server and Exchange server. The outbound bridgehead server handles all mail sent through this connector.

Designate a bridgehead server

478 Configure an SMTP connector to send Internet mail Internet Mail Wizard guides you through the process of configuring your SMTP connector. You can allow Internet mail delivery to all external domains, or you can restrict Internet mail delivery to specific domains. You can specify whether the SMTP connector sends outbound mail using DNS to resolve external domain names, or whether it uses a smart host that assumes responsibility for resolving external names and delivering mail.

Verify that your SMTP virtual server is With open relaying, external users can not open for relaying use your server to send unsolicited commercial e-mail, which might cause other legitimate servers blocking mail from your Exchange server. If your server is secured for relay, only authenticated users can send mail to the Internet using your server.

Using Internet Mail Wizard to configure the receiving of mail

Task Description

Select an Exchange server in your organization that will receive Internet mail

You cannot run the wizard on a server on which you have already set up SMTP connectors or created additional SMTP virtual servers. You can only use the wizard to designate Exchange 2000 or later servers.

479 Configure your SMTP server to receive Internet mail To receive incoming Internet e-mail messages, the server must have only one SMTP virtual server, and that virtual server must have a default IP address of All Unassigned and an assigned TCP port of 25. If more than one SMTP virtual server exists on the Exchange server, or if the IP address or the port assignment is different from the default settings, the wizard will not continue. You can then either restore the Exchange server to its default configuration and rerun the wizard, or you can use Exchange System Manager to configure Exchange manually. Other servers on the Internet expect to connect anonymously to your SMTP virtual server. Therefore, anonymous access must be permitted on your SMTP virtual server. If anonymous access is not configured, the wizard guides you through enabling anonymous access.

Verify that your SMTP virtual server allows anonymous access

480 Configure your recipient policies with the SMTP domains for which you want to receive inbound mail The SMTP domains for which you want to receive Internet mail are configured in Exchange System Manager in Recipient Policies. You must have a recipient policy configured for every SMTP domain for which you want to accept Internet mail, and Exchange must be authoritative for this domain. If your default recipient policy contains the correct mail domain for your organization, use this policy. If you have created multiple recipient policies in Exchange System Manager, you cannot use the wizard to create additional recipient policies. In this case, to add or modify your recipient policies, you must use Exchange System Manager. To configure recipient policies manually, see Configuring Recipient Policies. You must configure MX records in DNS for all mail domains. If you do not have an MX record for your mail domain, DNS cannot accept messages for your domain.

Defining SMTP Dependencies

As discussed earlier in this chapter, Exchange relies on SMTP to deliver mail internally and externally. This means that, for Internet mail delivery, Exchange depends on SMTP. However, before configuring Exchange for Internet mail delivery, you must understand the components on which SMTP depends: Internet Information Services (IIS)

481 As mentioned earlier, the SMTP service is installed as part of the Windows Server 2003 or Windows 2000 Server operating system. SMTP is a component of IIS and runs under a process named Inetinfo.exe. If you remove IIS from a server running Exchange, mail flow stops working. IIS provides a framework process for Internet services such as HTTP, SMTP, and Network News Transfer Protocol (NNTP). Do not confuse IIS with HTTP because several other services, such as SMTP, depend on IIS to function. After you install Exchange, the management of SMTP virtual servers moves to Exchange System Manager, even though the service itself continues to run in IIS. Because of this integration between Exchange and IIS, both the IIS component and the SMTP service that runs in IIS are required for Exchange and SMTP to function correctly. Active Directory Exchange Server 2003 is tightly integrated with the Microsoft Active Directory directory service. Exchange stores all its configuration information in Active Directory, including information about recipient policies, SMTP virtual server configuration, and user mailboxes. However, SMTP reads its settings from the IIS metabase. Therefore, to supply IIS with the information it requires for SMTP functionality, Exchange System Attendant, using a component named DS2MB (directory service to metabase), replicates the configuration information from Active Directory to the IIS metabase. DNS SMTP depends on DNS to determine the Internet protocol (IP) address of its next internal or external destination server. Typically, internal DNS names are not published on the Internet. Therefore, SMTP must be able to contact a DNS server that can resolve external DNS names to send Internet mail, and also a DNS server that can resolve internal DNS names for delivery in the organization. Additionally, for your Exchange servers to receive Internet mail, your DNS server must contain a mail exchange (MX) resource record that points to the A record with the IP address of the SMTP virtual server on your Exchange server that receives Internet mail for your organization. If you are supporting multiple domains, an MX record must exist for each of these domains for DNS to accept mail for the domain. Recipient Policies Recipient policies establish the default e-mail addresses that use a specific protocol (such as SMTP) for a set of users. E-mail addresses define the valid formats for addressing inbound e-mail messages to the Exchange system. The default recipient policy sets the mail domain for which the virtual server accepts incoming e-mail messages. It specifies the default SMTP and X.400 addresses for all Exchange-

482 based mailbox-enabled objects. You can also create additional recipient policies if your organization receives mail for multiple domains, or if your default domain is used strictly for internal purposes and you use a different external mail domain. Any SMTP domain specified in the recipient policies is replicated into the IIS metabase and set as authoritative local domains. Setting these domains as authoritative local domains means that SMTP accepts inbound mail for these domains and is responsible for sending all non-delivery reports for this domain. The only time an SMTP address is not considered local is when you add the address to the recipient policy because you clear the This Exchange Organization is responsible for all mail delivery to this address check box in the SMTP Address Properties dialog box. Installing and correctly configuring the previous components ensures that SMTP functions correctly with Exchange. With SMTP functioning correctly, you can focus on configuring SMTP to meet your organization's needs.

Configuring SMTP
In Exchange, you use SMTP virtual servers and SMTP connectors to control the configuration of SMTP. SMTP virtual servers Essentially, an SMTP virtual server is an SMTP stack (a process or server that both receives e-mail messages and acts as a client for sending e-mail). Each SMTP virtual server represents an instance of the SMTP service on a server. Therefore, a single physical server can host many virtual servers. An SMTP virtual server is defined by a unique combination of an IP address and port number. The IP address is the address on which the SMTP virtual server listens for incoming SMTP connections. The default IP address is All Unassigned, which means that the SMTP virtual server listens on any of the available IP addresses. The port number is the port through which the SMTP virtual server receives communications. The default port number for inbound connections to an SMTP virtual server is port 25.

483 You use Exchange System Manager to control most of the SMTP settings. The property settings of the SMTP virtual server control inbound mail and, to a lesser degree, outbound mail settings. SMTP connectors An SMTP connector designates an isolated route for mail. You can use SMTP connectors to establish a gateway for Internet mail or to connect to a specific domain or mail system. Connectors help you to define specific options for the designated mail route. Although you can send and receive Internet mail using an SMTP virtual server, most companies configure an SMTP connector to route Internet mail. Using an SMTP connector is recommended because it provides an isolated route for mail destined to the Internet. Additionally, more configuration options are available on an SMTP connector than on the SMTP virtual server. Because of the benefits of an SMTP connector, the following sections that describe both the Internet Mail Wizard and the manual procedure for configuring Exchange to send Internet mail include information about creating and configuring an SMTP connector to route Internet mail.

Configuring a Dual-Homed Server Using the Wizard

When you use Internet Mail Wizard to configure Internet mail delivery on a dual-homed server (a server configured with two or more network addresses, typically with two network interface cards), the wizard performs the required configuration steps. The wizard also creates an additional SMTP virtual server on the Exchange server. It configures Internet mail delivery in the following ways: To configure a server to send Internet mail, the wizard guides you through the process of assigning the intranet IP address to the default SMTP virtual server on which it creates the SMTP connector to send outbound mail. You assign the intranet IP address to this virtual server so that only internal users on your intranet can send outbound mail. To configure a server to receive Internet mail, the wizard guides you through the process of assigning the Internet IP address to the Internet SMTP virtual server. You

484 assign an Internet IP address to this virtual server because external servers must be able to connect to this SMTP virtual server to send Internet mail. Additionally, you must have an MX record on your DNS server that references this server and the IP address of the Internet SMTP virtual server. Important To increase the security on a dual-homed server, use Internet Protocol security (IPSec) policies to filter ports on the Internet network interface card and strictly limit the users who you permit to log on to this server. For more information about IPSec, see your Windows documentation.

Manually Configuring the Sending of Internet Mail

If your messaging environment is large or complex, you cannot use Internet Mail Wizard to configure Exchange to send Internet mail. Instead, you must manually configure Exchange to handle outbound messaging over the Internet. Configuring Exchange to send Internet mail involves: Verifying that your SMTP virtual server uses the standard port for SMTP (port 25). Configuring an SMTP connector through which Internet mail is routed. Verifying that your DNS server can resolve external names, so that SMTP can deliver messages.

Verifying Outbound Settings on SMTP Virtual Servers

Most of the outbound settings that SMTP uses are configured on the SMTP connector. However, you cannot configure the SMTP connector to control the ports and IP

485 addresses through which Exchange sends outbound mail. To control these ports and IP addresses, you must configure the SMTP virtual server. SMTP connectors configured on the virtual server inherit these settings. Two of the SMTP virtual server properties relate directly to configuring Exchange to send Internet mail: The outbound TCP port You make sure that the outbound port is set to port 25 (the default setting). Of the two settings related to sending Internet mail, this is the setting that you must verify. For detailed instructions, see How to Verify an Outbound Port for Mail Delivery Is set to Port 25. Note Changing the default settings on your default SMTP virtual server can cause mail flow problems. The use of an external DNS server To send Internet mail, the DNS server Exchange uses must be able to resolve external (Internet) names. Two common methods for configuring DNS to resolve external names include: Configuring Exchange to point to an internal DNS server that uses forwarders to an external DNS server (this is the easiest and most common method). Configuring Exchange to point to an internal DNS server that does not have a forwarder to an external DNS server, and then configuring an external DNS server on the SMTP virtual server that is responsible for sending external mail.

For detailed instructions, see How to Specify an External DNS Server That Is Used by the SMTP Virtual Server.

How to Verify an Outbound Port for Mail Delivery Is set to Port 25

To control the ports and IP addresses through which Exchange sends outbound mail, you must configure the SMTP virtual server. SMTP connectors configured on the virtual server inherit these settings. Two of the SMTP virtual server properties relate directly to configuring Exchange to send Internet mail:

486 The outbound TCP port Make sure that the outbound port is set to port 25 (the default setting). Of the two settings related to sending Internet mail, this is the setting that you must verify. The following procedure describes how to verify that the outbound TCP port is set to 25. Note Changing the default settings on your default SMTP virtual server can cause mail flow problems. The use of an external DNS server To send Internet mail, the DNS server Exchange uses must be able to resolve external (Internet) names. For detailed instructions, see How to Specify an External DNS Server That Is Used by the SMTP Virtual Server.

Procedure
To verify that the outbound port used to deliver mail is set to 25 1. In Exchange System Manager, expand Servers, expand <server_name>, expand Protocols, expand SMTP, right-click Default SMTP Virtual Server, and then click Properties. 2. On the Delivery tab, click Outbound connections. 3. In the Outbound Connections dialog box, verify that the TCP port is set to 25. See the following figure. Outbound Connections dialog box

487 Note Remote servers on the Internet expect your server to use TCP port25. Changing this setting is not recommended because other SMTP servers typically accept connections on port25 only.

How to Specify an External DNS Server That Is Used by the SMTP Virtual Server
To control the ports and IP addresses through which Exchange sends outbound mail, you must configure the SMTP virtual server. SMTP connectors configured on the virtual server inherit these settings. Two of the SMTP virtual server properties relate directly to configuring Exchange to send Internet mail: The outbound TCP port Verify that the outbound port is set to port 25, which is the default setting. For detailed instructions, see How to Verify an Outbound Port for Mail Delivery Is set to Port 25. The use of an external DNS server To send Internet mail, the DNS server Exchange uses must be able to resolve external (Internet) names. Two common methods for configuring DNS to resolve external names include: Configuring Exchange to point to an internal DNS server that uses forwarders to an external DNS server. This method is the easiest and most common approach, and it is outlined in the following procedure. Configuring Exchange to point to an internal DNS server that does not have a forwarder to an external DNS server, and then configuring an external DNS server on the SMTP virtual server that is responsible for sending external mail.

Procedure
To specify an external DNS server that is used by the SMTP virtual server 1. In the Default SMTP Virtual Server Properties dialog box, on the Delivery tab,

488 click Advanced. 2. In the Advanced Delivery dialog box, click Configure. 3. In the Configure dialog box (see the following figure), click Add to enter the IP address of an external DNS server. If you are using more than one external DNS server, use the Move Up and Move Down buttons to set the order of preference for the DNS servers. Configure dialog box for external DNS servers

Configuring an SMTP Connector

The primary uses of an SMTP connector are to connect to the Internet or to other mail systems and to define additional options on an SMTP Internet gateway. Because an SMTP connector creates an isolated route for Internet mail, it eases administration and troubleshooting if mail flow problems occur.

489 This section focuses on the connector's use as a connection method to deliver Internet mail. To configure an SMTP connector to deliver Internet mail, you first must consider the following configuration requirements.

How to Route Mail for Outbound Delivery?

When you configure a connector, you can either use DNS to route all outgoing mail through the connector, or you can specify a smart host to which the connector routes all mail. Using DNS to route all outgoing mail through the connector If you use DNS to route outgoing mail, the SMTP connector uses DNS to resolve the IP address of the remote SMTP server, and then it delivers the mail. If you select this routing method, verify the following information: Verify that your DNS server can successfully resolve names on the Internet. If you use an external DNS server to resolve names, and this server is configured at the SMTP virtual server level (that is, using a different DNS server than the one specified on your network connection), make sure that this external DNS server can resolve names on the Internet.

Specifying a smart host The smart host handles DNS resolution and delivers the mail. Although you can specify a smart host on an SMTP virtual server, it is a good idea to set the smart host on the connector itself. The smart host setting on the SMTP connector overrides any smart hosts configured on the SMTP virtual server. If you select this routing method, you specify an IP address or name for the smart host. The IP address and name for the smart host must meet the following requirements: If you specify an IP address for the smart host Enclose the IP address in brackets (for example, [10.0.0.1]), and make sure that the IP address is not the IP address of the Exchange server. If you specify a name for the smart host Ensure that the name is a fully qualified domain name (FQDN). (For example, "Server Name" is not an FQDN. However, servername.contoso.com is an FQDN.) Also, make sure that the name is not the FQDN of the Exchange server.

If you do not have a smart host in your network, contact your Internet service provider (ISP) to determine what IP address or FQDN to use for the smart host. After you have the

490 IP address or FQDN, make sure that the IP address or FQDN meets the previous requirements.

Which Servers to Use as Local Bridgehead Servers?

An SMTP virtual server hosts a connector. When you create a connector, you designate at least one Exchange server and one SMTP virtual server as bridgehead servers. The connector inherits size restrictions and other settings from the SMTP virtual server. However, you can override these settings on the connector. You can also designate multiple bridgehead servers for load balancing, performance, and redundancy. To send outbound mail, the connector uses the outbound port configured on the SMTP virtual server. If your organization sends lots of mail externally, it is a good idea to designate dedicated Exchange servers and SMTP virtual servers as gateway servers or bridgehead servers receiving Internet mail. Using dedicated servers as gateway servers means that other mailbox servers do not have to assume the additional overhead of a gateway server.

Which Domains Should Be Included in the Address Space?

The address space defines the mail addresses or domains for the e-mail messages that you want routed through a connector. For example, an address space of * (asterisk) encompasses all external domains. A connector with this address space is can route all external e-mail messages. Exchange routes messages through a connector based on the closest match to an address space. If you had a connector with the * address space and then created a second connector with an address space of *.net, Exchange would route all mail sent to a domain with a .net extension through the second connector. This routing difference occurs because Exchange selects the connector that has the most similar address space to the outbound mail. On connectors with an identical address space, costs work the same way as they do on routing group connectors. For example, you create two SMTP connectors to the Internet, Connector1 and Connector2, and each has the address space of *. Because Connector1 has better network connectivity, you always want to use this connector (unless it becomes unavailable) to send mail to the Internet, and you give Connector1 a cost of 1. Then, you give Connector2 a cost of 2. As long as Connector1 is operating correctly,

491 Exchange always sends messages through that connector because it has the lowest cost. If Connector1 becomes unavailable, Exchange uses the connector with the next lowest cost, Connector2. Important Do not list your inbound domains on an SMTP address space for a connector. Your inbound domains are listed in your recipient policies. (For more information, see "Configuring Recipient Policies.") If you list some or all your inbound domains in the SMTP address space, you may receive non-delivery reports (NDRs) that indicate a mail loop. (These NDRs may have the diagnostic code 5.3.5.) By specifying domains on the Address Space tab in the connector's Properties dialog box, you can configure these domains as routable domains.

What Is Appropriate Scope for the Connector?

You can select either a whole organization or a routing group for the connector's scope. For example, you have two routing groups and each routing group has a server that has an SMTP connector to send mail to the Internet. For this configuration, you may choose to specify a routing group scope for each of the connectors. Specifying a routing group scope forces the servers in each routing group to use the connector in that routing group. However, a routing group scope also means that, if the group's SMTP connector becomes unavailable, messages queue in the routing group until the connector becomes available again. Because of the restrictions imposed by a routing group scope, you would most likely set an SMTP connector to this scope if it is acceptable to have messages queuing when a connector becomes unavailable, or if the network cannot handle the extra traffic from one routing group sending Internet mail through an SMTP connector of another routing group. Otherwise, you must assign the connector an organization-wide scope and permit users in your whole organization to use any acceptable SMTP connector. For detailed instructions, see How to Create an SMTP Connector for Internet Mail Delivery. For detailed instructions, see How to Enable Anonymous Access for an SMTP Connector.

492

How to Enable Anonymous Access for an SMTP Connector

After you have configured the settings for an SMTP connector, you must enable anonymous access for outbound SMTP connections. This is because other servers receiving your organization's outbound mail will expect your SMTP server to connect anonymously.

Procedure
To enable anonymous access 1. In the Properties dialog box for your SMTP connector, on the Advanced tab, click Outbound Security. 2. In the Outbound Security dialog box, select Anonymous access. See the following figure. Outbound Security dialog box

493

Customizing Mail Delivery

One advantage to using an SMTP connector for outbound mail, instead of using an SMTP virtual server, is that you can specify additional configuration settings to affect how mail is delivered. Whether you must adjust the default values for these settings depends on how you want your SMTP connector to deliver mail.

494 Additional configuration settings for an SMTP connector

Settings Description

Delivery restrictions

Restricts who can send mail through a connector. By default, the connector accepts mail from everyone. You configure these settings on the DeliveryRestrictions tab of the SMTP connector's Properties dialog box.

Content restrictions

Specifies what types of messages are delivered through a connector. You configure these settings on the Content Restrictions tab of the SMTP connector's Properties dialog box.

Delivery options

If you connect to a network service provider to retrieve your mail, configure a connector to run on a specified schedule, and implement advanced queuing and dequeuing features. You configure these settings on the Delivery Options tab of the SMTP connector's Properties dialog box.

SMTP communication

Controls how the connector uses SMTP to communicate with other SMTP servers. Specifically, you can specify whether the connector uses SMTP or Extended Simple Mail Transfer Protocol (ESMTP) commands to initiate a conversation with another server and control the use of the ERTN and TURN commands. (These commands request that another SMTP server sends the e-mail messages that it has.) You configure these settings on the Advanced tab of the SMTP connector's Properties dialog box.

495
Settings Description

Outbound security

Ensures that any mail flowing through the connector is authenticated. This setting is useful if you want to establish a more secure route for communicating with a partner company. With this setting, you can establish an authentication method and require Transport Layer Security (TLS) encryption. You configure these settings on the Advanced tab of the SMTP connector's Properties dialog box.

Verifying DNS Setup for Outbound Mail

To send Internet mail using DNS instead of forwarding mail to a smart host, the Exchange server resolves the receiving domain and IP address of the recipient's SMTP server. The server then uses SMTP over TCP port 25 to establish a conversation with the recipient's SMTP server, and deliver the mail. When you use DNS, the most important thing to remember is that all DNS servers that an Exchange server uses must be able to resolve external domains (also referred to as Internet domains). There are two methods that you can use to configure DNS for outbound mail: Method 1 You can configure Exchange to rely on your internal DNS servers. These servers resolve external names on their own or use a forwarder to an external DNS server. Method 2 You can configure Exchange to use a dedicated external DNS server. (For more information about external DNS servers, see "How to Specify an External DNS Server That Is Used by the SMTP Virtual Server.")

For more information about how to configure and verify your DNS configuration, see Configuring SMTP in Microsoft Exchange 2000 Server.

496

How to Enable Filtering to Control Junk E-Mail

Exchange Server 2003 supports three types of filters: connection filtering, recipient filtering, and sender filtering. These filters are useful in reducing the junk e-mail messages that users receive. You configure filtering in Message Delivery Properties under Global Settings. However, you must enable these filters on each SMTP virtual server to which you want to apply the filters. Typically, it is a good idea to enable filtering on your Internet gateway servers because filtering is applied only to mail submitted from external users. On Exchange servers designated for internal mail, you do not have to enable filtering.

Procedure
To enable filtering 1. On the General tab of the SMTP virtual Properties dialog box, click Advanced. 2. Select an IP address, and then click Edit. 3. In the Identification dialog box, enable the filters that you want applied on this virtual server. The following figure shows a virtual server with sender, recipient, and connection filtering enabled. Identification dialog box

497

Manually Configuring the Receipt of Internet Mail

Manually configuring Exchange to receive Internet mail involves: Creating the correct recipient policies, so that your Exchange server receives mail for all e-mail domains that are used by your company. Configuring inbound SMTP virtual server settings to allow anonymous access, so that other SMTP servers can connect and send mail to your SMTP virtual server. Verifying that the correct MX records exist in DNS, so that other servers on the Internet can locate your server to deliver mail.

498

Configuring Recipient Policies

Exchange uses recipient policies to determine which messages must be accepted and internally routed to mailboxes in your organization. Recipient policies that are configured incorrectly can disrupt message flow for some or all recipients in your messaging system. Recipient policies are configured in Exchange System Manager under the Recipients container in Recipient Policies. To make sure that your recipient policies are configured correctly, verify the following: That recipient policies do not contain an SMTP address that matches the fully qualified domain name (FQDN) of any Exchange server in your organization. For example, if you have an Exchange server with an FQDN of server01.contoso.com and you also have this same FQDN (@server01.contoso.com) listed as an SMTP address and as a domain name on any recipient policy, this entry prevents mail from routing to other servers in the routing group. That the domain for which you want to receive SMTP mail is listed on a recipient policyeither on the default policy or another recipient policy. By verifying this information, you make sure that your users can receive mail from other SMTP domains. That you configured the required SMTP e-mail addresses to receive e-mail messages for additional domains. If you are not receiving e-mail messages for all your SMTP domains, you might have to configure additional SMTP addresses for your recipients. For example, some of your users may currently receive e-mail messages addressed to contoso.com, but you also want them to receive e-mail messages addressed to adatum.com. In this situation, the SMTP address of @adatum.com and the SMTP address of @contoso.com must exist on a recipient policy for your Exchange organization.

For more information about recipient policies, see "Managing Recipients and Recipient Policies in Exchange Server 2003."

499

Verifying DNS Setup for Inbound Mail

To receive Internet mail, the following DNS settings are required: Your DNS server must be configured correctly. Your external DNS servers must have an MX record pointing to an A record with the IP address of your mail server. The IP address must match the IP address configured on your SMTP virtual server that receives Internet mail. For external DNS servers to resolve your mail server's MX record and contact your mail server, your mail server must be accessible from the Internet. Your Exchange server must be configured to use a DNS server that can resolve external DNS names.

To make sure that your MX records are configured correctly, you can use the Nslookup utility. To verify that your server is accessible on port 25 to other servers on the Internet, you can use Telnet. Note For more information about how to configure and verify your DNS configuration, see Configuring SMTP in Microsoft Exchange 2000 Server and your Windows documentation. For detailed instructions, see How to Verify the Inbound Port and IP Address.

How to Verify the Inbound Port and IP Address

To configure your SMTP virtual server to receive Internet mail, you must perform the following tasks:

500 Configure the inbound port as 25 and specify the IP address Other servers on the Internet expect to connect to your SMTP virtual server on port 25. By default, all SMTP virtual servers use this port. For detailed instructions, see the procedure below. Verify that your SMTP virtual server allows anonymous access To receive Internet mail, your SMTP virtual server must permit anonymous access. Other servers on the Internet expect to communicate anonymously with your SMTP virtual server to send Internet mail to your users. For detailed instructions, see How to Verify an SMTP Virtual Server Is Configured to Allow Anonymous Access. Verify that default relay restrictions are configured on your SMTP virtual server By default, the SMTP virtual server allows only authenticated users to relay e-mail messages. This setting prevents unauthorized users from using your Exchange server to send e-mail messages to external domains. For detailed instructions, see How to Verify an SMTP Virtual Server Is Not Set to Open Relay.

Procedure
To configure or verify the inbound port and IP address In Exchange System Manager, in the Properties dialog box of the SMTP virtual server, on the General tab, click Advanced. The Advanced dialog box appears (see the following figure). By default, your SMTP virtual server uses an IP address of All Unassigned, which means that the virtual server listens for requests on all available IP addresses. You can keep the default IP address, or click Edit to change the address. By default, your SMTP virtual server uses TCP port 25. It is recommended that you do not modify the default port assignment. Advanced dialog box

501

Connecting to Exchange 5.5 Servers and Other X.400 Systems

This section focuses on using the X.400 protocol and X.400 connectors to connect to Exchange 5.5 servers or other third-party X.400 mail systems. The X.400 connector relies on the X.400 protocol and its accompanying transport stack to provide the underlying transport functionality. Three components control the behavior of the X.400 protocol on an Exchange server: X.400 protocol An X.400 node appears under the Protocols container in Exchange System Manager on an Exchange server. Properties that are configured on the X.400 protocol determine how the protocol works on an individual server. X.400 transport stacks An X.400 transport stack contains configuration information about network software, such as TCP/IP network services, and information about hardware, such as an X.25 port adapter or dial-up connection on the computer that is

502 running Exchange. Each X.400 connector requires a transport stack on which to run and communicates using the configuration information in that stack. You can create either an X.400 TCP transport stack or an X.400 X.25 transport stack. X.400 connectors X.400 connectors provide a mechanism for connecting Exchange servers with other X.400 systems or Exchange 5.5 servers outside the Exchange organization. An Exchange 2003 server can then send messages using the X.400 protocol over this connector. Important X.400 connectors are only available in ExchangeServer2003 Enterprise Edition. For detailed instructions, see How to Create an X.400 Connector. For detailed instructions, see How to Create an X.400 Protocol Stack.

How to Create an X.400 Protocol Stack

You must create a protocol stack on the Exchange server that will host the connector before you create an X.400 connector. The protocol stack is created on individual Exchange servers and provides the underlying functionality for the connector to transport messages.

Procedure
To create a transport stack 1. In Exchange System Manager, expand Protocols, right-click X.400, point to New, and then select either TCP/IP X.400 Service Transport Stack or X.25 X.400 Service Transport Stack. 2. On the General tab, type a name for this transport stack. The following names are the default names: X.25<server name> TCP <server name>

503 3. (Optional) Under OSI address information, select the character set and the selector information if other applications use this transport stack. The following figure shows the General tab of the Properties dialog box for a TCP/IP X.400 transport stack. On this tab, you can configure the transport stack. Any connectors that you configure to use this transport stack appear on the Connectors tab. Note When you first create the connector, the Connectors tab does not list any connectors. General tab of the Properties dialog box for a TCP/IP X.400 transport stack

4.

(Optional) On the General tab of an X.25 transport stack (see the following

504 figure ), set the following X.25-specific configuration options: Based on the information supplied by your X.400 service provider, type the appropriate values for Call user data, Facilities data, and the X.121 address of the remote X.25 provider. For I/O port, type the port number that is used by the X.25 adaptor. (If you have multiple X.25 X.400 transport stacks on a single server, each stack must use a different port number.) General tab of the Properties dialog box for an X.25 protocol stack

505

Customizing the X.400 Protocol

The X.400 protocol provides the underlying functionality that is used by X.400 connectors and protocol stacks. The X.400 service message transfer agent (MTA) stack, located in the Protocols container under your Exchange server in Exchange System Manager, provides addressing and routing information for sending messages from one server to another. Use the X.400 Properties dialog box to configure basic settings and messaging defaults that are used by the X.400 protocol on your server. Any X.400 transport stacks and X.400 connectors that you create on this server inherit these settings by default, although you can override this configuration on individual connectors.

506 The General tab on the X.400 Properties dialog box

The following general properties can be set on the X.400 protocol. The entry in the LocalX.400 name box identifies the X.400 account that Exchange uses when it connects to the remote system. This name identifies the MTA to other mail systems. By default, this name is the name of the server where the X.400 service is installed. You can change the local X.400 name by using the Modify button. You can also set a local X.400 password. Third-party systems use this password when connecting to the X.400 service. The Expand remote distribution lists locally option makes a remote distribution list available to users in your organization. When this option is selected and a user sends a message to a remote distribution list, the distribution list expands locally (on the server to which the user is currently connected). Exchange finds the best routing for the message, based on the location of recipients in the list. This method ensures the

507 most efficient message handling. However, note that processing large distribution lists can affect server performance. The Convert incoming messages to Exchange contents option changes the address and contents of incoming messages to a format compatible with MAPI clients, such as Microsoft Outlook and Exchange. Do not select this option if your users do not use a MAPI client. The Modify button in Message queue directory allows you to change the location of the X.400 message queue directory. Note When you modify the location of the queue directory, you are modifying only the MTA database path and moving only the database (.dat) files. You are not moving any of the run files or the run directory. The database files are the core files that are required for starting the MTA, queue files, and message files.

Understanding X.400 Connectors

Typically, you use X.400 connectors in the following situations: If your environment has an existing X.25 network. If you are connecting to an X.400 system or an Exchange 5.5 server outside your organization. Note Although you can use X.400 connectors to connect routing groups in Exchange, the routing group connector is recommended. You can create two types of connectors on Exchange Server 2003 Enterprise Edition: TCP X.400 connectors and X.25 X.400 connectors. The TCP connector enables connectivity over a TCP/IP network, and the X.25 connector enables connectivity using X.25. To configure an X.400 connector, follow these steps: 1. Create an X.400 protocol stack.

508 2. Create an X.400 connector.

Creating an X.400 Protocol Stack

Before you create an X.400 connector, you must create a protocol stack on the Exchange server that will host the connector. The protocol (or transport) stack is created on individual Exchange servers and provides the underlying functionality for the connector to transport messages. The server on which you create the protocol stack processes all messages that are sent by connectors that use this stack. You create a transport stack using TCP or X.25, based on your network and the system to which you are connecting. Creating a transport stack involves the same steps for either protocol. For detailed instructions, see How to Create an X.400 Protocol Stack.

Creating an X.400 Connector

After you create a TCP X.400 or X.25 X.400 transport stack, you can create an X.400 connector to connect to another X.400 system. Remember that connectors send mail in only one direction, so the X.400 connector enables mail to flow from your system to the remote system or routing group. If you are connecting to a remote system, the administrator of that system must also create a connector to send mail to your organization. The following table lists the configuration settings that are available for an X.400 connector. These settings are available in the Properties dialog box for an X.400 connector.

509 General tab of the Properties dialog box for an X.400 connector

Configuration settings for an X.400 connector

Settings Description

Remote X.400 name

When you configure an X.400 connector, you must specify a valid account and password for the remote X.400 system to which you are connecting. You configure these settings on the General tab of the X.400 connector's Properties dialog box.

510
Settings Description

Address space

The address space defines the mail addresses or domains for the e-mail messages that you want routed through a connector. You can specify the X.400 address of a third-party X.400 system or an Exchange 5.5 server to which you are connecting, so that all mail destined to the specified X.400 system is routed through this connector. You configure these settings on the Address Space tab of the X.400 connector's Properties dialog box.

Transport address information for the remote system

You must specify transport address information for the remote X.400 system to which you are connecting. You configure these settings on the Stack tab of the X.400 connector's Properties dialog box.

Content restrictions

You can specify what types of messages are delivered through a connector. You configure these settings on the Content Restrictions tab of the X.400 connector's Properties dialog box.

511
Settings Description

Scope

You can select either a whole organization or a routing group for the connector's scope. For example, if you create an X.400 connector to send mail to an X.400 system on a server in one routing group, and an X.400 connector exists on a server in another routing group, you may choose to specify a routing group scope for these connectors so that servers in each routing group are forced to use the connector. If an X.400 connector that is set to a routing group scope becomes unavailable, messages queue in the routing group until the connector becomes available. If your user requirements permit this, you can implement the connectors with a routing group scope. You configure these settings on the Address Space tab of the X.400 connector's Properties dialog box.

Override options

By default, the X.400 connector inherits the settings that are configured on the X.400 protocol. To override these settings, you use the Override tab of the X.400 connector's Properties dialog box.

Delivery restrictions

You can restrict who can send mail through a connector. By default, mail is accepted from everyone. You configure these settings on the Delivery Restrictions tab of the X.400 connector's Properties dialog box.

For detailed instructions, see How to Create an X.400 Connector.

512

Configuring Additional Options on the X.400 Connector

You can also use the General tab of the X.400 connector to configure public folder referrals and specify how messages are delivered by this connector. These additional options include: The Message text word-wrap option controls whether text wraps at a specific column in a message. The Remote clients support MAPI option causes Exchange sending messages through the connector in rich text format. Do not select this option if clients do not support MAPI because it can cause problems with message formatting on non-MAPI clients. The Do not allow public folder referrals option prevents public folder referrals when you connect to another routing group. Public folder referrals help users in a connected routing group or a remote system to access public folders through this connector.

513 General tab of the Properties dialog box for an X.400 connector

Overriding X.400 Properties

By default, each X.400 connector inherits the settings that are configured on the X.400 protocol. You can use the Override tab on the X.400 connector to override the options that are set on the X.400 protocol.

514 Override tab

The configuration options that are available on the Override tab are as follows: The name entered in the Local X.400 Service name box overrides the local X.400 name of the X.400 transport stack. Some X.400 systems do not support certain characters. If your local X.400 name contains characters that are not supported by the remote system to which you are connecting, use this option to connect to the remote X.400 service using a name that it can support. The Maximum open retries option sets the maximum number of times that the system tries to open a connection before it sends a non-delivery report (NDR). The default is 144.

515 The Maximum transfer retries option sets the maximum number of times that the system tries to transfer a message across an open connection. The default is 2. The Open interval (sec) option sets the number of seconds that the system waits after a message transfer fails. The default is 600. The Transfer interval (sec) option sets the number of seconds the system waits after a message transfer fails before resending a message across an open connection. The default is 120.

Tip To restore Exchange default values, click Reset Default Value. To set additional override values, you use the Additional Values dialog box. To open this dialog box, click the Additional Values button on the Override tab in the X.400 connector's Properties dialog box.

516 Additional Values dialog box

In the Additional Values dialog box, you can set these options: The options under RTS values set the Reliable Transfers Service (RTS) values. RTS values determine message reliability parameters, such as the checkpoints to include in data and the amount of unacknowledged data that can be sent. You can use the options on an X.400 connectors' Override tab to override the default X.400 service attributes, such as RTS values. The options under Association parameters determine the number and duration of connections to the remote system. Each X.400 connector uses the association parameters that are configured on the X.400 protocol, but you can configure association parameters on each connector to override the settings. The options under Transfer timeouts determine how long the X.400 connector waits before sending an NDR for urgent, normal, and not urgent messages. Each X.400

517 connector uses the transfer timeout values that are configured on the X.400 MTA, but you can configure specific transfer timeout values on each connector that override these settings.

Using Queue Viewer to Manage Messages

Queue Viewer is a feature in Exchange System Manager that helps you to monitor your organization's messaging queues, and also the messages that are contained in those queues. Queue Viewer works at a server level. In Exchange System Manager, you expand the server and then click Queues to open Queue Viewer and display the messaging queues associated with the server. Queue Viewer in Exchange 2003

In Exchange Server 2003, Queue Viewer is enhanced to improve the monitoring of message queues. In Exchange 2003, you can view all the messaging queues for a

518 specific server from the Queues node under each server. This is an improvement over Exchange 2000, where each protocol virtual server has its own Queues node, and you cannot view all queues on a server from a central location. For example, using Exchange 2003, you can now use Queue Viewer to view both the X.400 and SMTP queues on a server (as in Figure 5.24), rather than having to view each of these queues separately in each of their respective protocol nodes. Other enhancements to Queue Viewer in Exchange 2003 include: Disabling outbound mail You can use a new option named Disable Outbound Mail to disable outbound mail from all SMTP queues. Setting the refresh rate You can use the Settings option to set the refresh rate of Queue Viewer. Finding messages You can use Find Messages to search for messages based on the sender, recipient, and message state. This option is similar to enumerating messages in Queue Viewer in Exchange 2000. For detailed instructions, see How to Use the Find Messages Option. Viewing additional information You can click a specific queue to view additional information about that queue. Viewing previously hidden queues Queue Viewer in Exchange 2003 exposes three queues that were not visible in Exchange 2000: DSN messages pending submission, Failed message retry queue, and Messages queued for deferred delivery.

The remainder of this section highlights two of these new enhancements, disabling outbound mail and finding messages, and also provides guidelines for how to use the SMTP and X.400 queues shown in Queue Viewer to troubleshoot message flow.

How to Use the Find Messages Option

You can use the Find Messages option to search for messages by specifying search criteria (such as the sender or recipient) or the message state (such as frozen). You can also specify the number of messages that you want your search to return. Using Find Messages in Exchange Server 2003 is similar to the Enumerate messages option in Exchange 2000.

519

Procedure
To search for messages by a particular sender (or recipient) In Queue Viewer, click Find Messages, click Sender (or Recipient), and then search by typing the name or using the search criteria.

To specify the number of messages that you want returned by a search In Queue Viewer, click Find Messages, click the Number of messages to be listed in the search list, and select the number of messages (for example, 500) that you want listed in the search.

To search for messages in a particular state 1. In Queue Viewer, click Find Messages, click the Show messages whose state is list, and select from the following options: All Messages This option shows all the messages in the list regardless of the state that they are in. Frozen This option shows the messages that are in a frozen state. Besides freezing all messages in a specific queue, a single message can also be frozen. If a single message or several messages in a queue are frozen, other messages can still flow into or out of this queue. The whole queue is not frozen. Retry This option shows the messages that are awaiting another delivery attempt. Messages in the retry state have failed one or more delivery attempts.

2. After you have specified your search criteria, click Find Now to start the search. The results of the search appear under Search Results.

520

Using SMTP Queues to Troubleshoot Message Flow

During message categorization and delivery, all mail is sent through the SMTP queues of an SMTP virtual server. If there is a problem delivering the message at any point in the process, the message remains in the queue where the problem occurred until the problem is remedied. Use the SMTP queues to isolate possible causes of mail flow issues. If a queue is in a Retry status, in Queue Viewer, select the queue and check the properties of the queue to determine the cause. For example, if the queue properties display a message that is similar to "An SMTP error has occurred," review your server's event logs to locate any SMTP errors. If there are no events in the log, increase the SMTP logging level, by rightclicking the Exchange server, clicking Properties, clicking the Diagnostics Logging tab, and then selecting MSExchangeTransport. The following table lists the SMTP queues, their descriptions, and troubleshooting information for message accumulation in each queue.

521 SMTP queues

Queue name Description Causes of message accumulation

DSN messages pending submission

Contains delivery status notifications, also known as non-delivery reports (NDRs), which are ready to be delivered by Exchange. Note The following operations are unavailable for this queue: Delete All Messages (no NDR) and Delete All Messages (NDR).

Messages can accumulate in this queue if the store service is unavailable or not running, or if problems exist with the IMAIL Exchange store component, which is the store component that performs message conversion. Check the event log for possible errors with the store service.

Failed message retry queue

Contains messages that Exchange did not deliver, but that the serve try to send again. Note The following operations are unavailable for this queue: Delete All Messages (no NDR) and Delete All Messages (NDR).

Messages can accumulate in this queue if a problem exists with DNS or SMTP. Check the event log to determine whether an SMTP problem exists. Verify your DNS configuration using NSlookup or another utility. On rare occasions, a corrupted message can remain in this queue. To determine whether a message is corrupted, try to view its properties. If some properties are not accessible, this can indicate message corruption.

522
Queue name Description Causes of message accumulation

Messages queued for deferred delivery

Contains messages queued for delivery later, including messages sent by earlier versions of Outlook clients. (You can set this option in Outlook clients.) Messages sent by earlier versions of Outlook treat deferred delivery slightly differently. Earlier versions of Outlook depend on the MTA for message delivery because SMTP, not the MTA, now handles message delivery. These messages remain in this queue until their scheduled delivery time.

Possible causes of message accumulation include: Messages are sent to a user's mailbox while the mailbox is being moved. The user does not yet have a mailbox created, and no master account security identifier (SID) exists for the user. For more information, see Microsoft Knowledge Base Article 316047, "XADM: Addressing Problems That Are Created When You Enable ADC-Generated Accounts." The message may be corrupted, or the recipient may not be valid.

To determine if a message is corrupted, verify its properties. If some properties are not accessible, this can indicate a corrupted message. Also, verify that the recipient is valid.

523
Queue name Description Causes of message accumulation

Local delivery

Contains messages that are queued on the Exchange server for local delivery to an Exchange mailbox.

Messages can accumulate in this queue if the Exchange server is not accepting messages for local delivery. Slow or sporadic message delivery can indicate a looping message or a performance problem. This queue is affected by the Exchange store. Increase diagnostic logging for the Exchange store as described in "Configuring Diagnostic Logging for SMTP."

Messages awaiting directory lookup

Contains messages addressed to recipients who have not yet been resolved against Active Directory. Messages are also held here while distribution lists are expanded.

Typically, messages accumulate in this queue because the advanced queuing engine cannot categorize the message. The advanced queuing engine may not be able to access the global catalog servers and access recipient information, or the global catalog servers are unreachable or performing slowly. The categorizer affects this queue. Increase diagnostic logging for the categorizer as described in "Configuring Diagnostic Logging for SMTP."

524
Queue name Description Causes of message accumulation

Messages waiting to be routed

Holds messages until their next-destination server is determined, and then moves them to their respective link queues.

Messages accumulate in this queue if Exchange routing problems exist. Message routing may be experiencing problems. Increase diagnostic logging for routing as described in "Configuring Diagnostic Logging for SMTP."

[Connector name | Server name | Remote domain]

Holds messages destined for a remote delivery. The name of the queue matches the remote delivery destination, which may be a connector, a server, or a domain.

If messages accumulate in this queue, you must first identify the status of the queue. If the queue status is Retry, check the queue properties to determine the reason that it is in this state. For DNS issues, use Nslookup and Telnet to troubleshoot. If the host is unreachable, use Telnet to make sure that the remote server is responding.

525
Queue name Description Causes of message accumulation

Final destination currently unreachable

Contains messages for which the final destination server cannot be reached. For example, Exchange cannot determine a network path of the final destination.

Messages can accumulate in this queue if no route exists for delivery. Additionally, when a connector or a remote delivery queue is unavailable or in Retry for a while, and no alternative route exists to the connector or remote destination, new messages queue here. Messages can remain in this queue until an administrator fixes the problem or defines an alternative route. To get new messages to flow to their remote destination queue, helping you to force a connection and get a Network Monitor (NetMon) trace, restart the SMTP virtual server. Messages that are accumulating constantly may indicate a performance problem. Occasional peaks in performance can cause messages to appear in this queue intermittently. Message accumulation in this queue can also indicate problems with a custom event sink or a third-party event sink.

Pre-submission

Holds messages that have been acknowledged and accepted by the SMTP service. The processing of these messages has not begun.

526 For detailed instructions, see the following topics: How to Verify an SMTP Virtual Server Is Not Set to Open Relay How to Verify an SMTP Virtual Server Is Configured to Allow Anonymous Access How to Verify the Inbound Port and IP Address

How to Verify an SMTP Virtual Server Is Not Set to Open Relay

To configure your SMTP virtual server to receive Internet mail, you must perform the following tasks: Configure the inbound port as 25 and specify the IP address Other servers on the Internet expect to connect to your SMTP virtual server on port 25. By default, all SMTP virtual servers use this port. For detailed instructions, see How to Verify the Inbound Port and IP Address. Verify that your SMTP virtual server allows anonymous access To receive Internet mail, your SMTP virtual server must permit anonymous access. Other servers on the Internet expect to communicate anonymously with your SMTP virtual server to send Internet mail to your users. For detailed instructions, see How to Verify an SMTP Virtual Server Is Configured to Allow Anonymous Access. Verify that default relay restrictions are configured on your SMTP virtual server By default, the SMTP virtual server allows only authenticated users to relay e-mail messages. This setting prevents unauthorized users from using your Exchange server to send e-mail messages to external domains. For detailed instructions, see the procedure below.

Procedure
To verify that your SMTP virtual server is not set to open relay 1. In Exchange System Manager, in the Properties dialog box of the SMTP virtual server, on the Access tab, click Relay.

527 2. In the Relay Restrictions dialog box (see the following figure), select Only the list below (if it is not already selected), click Add, and follow the instructions to add only those hosts that you want to allow to relay mail to the list. Note If you select All except the list below, unauthorized users might access your server to distribute unsolicited e-mail messages on the Internet. Relay Restrictions dialog box

3. Select Allow all computers which successfully authenticate to relay, regardless of the list above (if it is not already selected). This setting allows you to deny relay permissions to all users who do not authenticate. Any remote Internet Message Access Protocol version 4 (IMAP4) and Post Office Protocol version 3 (POP3) users who access this server will authenticate to send mail. If you do not have users who access this server

528 through IMAP4 or POP3, you can clear this check box to prevent relaying completely, thereby increasing security. You can also designate a specific server for IMAP4 and POP3 users, and then clear this check box on all other Internet gateway servers.

How to Verify an SMTP Virtual Server Is Configured to Allow Anonymous Access

To configure your SMTP virtual server to receive Internet mail, you must perform the following tasks: Configure the inbound port as 25 and specify the IP address Other servers on the Internet expect to connect to your SMTP virtual server on port 25. By default, all SMTP virtual servers use this port. For detailed instructions, see How to Verify the Inbound Port and IP Address. Verify that your SMTP virtual server allows anonymous access To receive Internet mail, your SMTP virtual server must permit anonymous access. Other servers on the Internet expect to communicate anonymously with your SMTP virtual server to send Internet mail to your users. For detailed instructions, see the procedure below. Verify that default relay restrictions are configured on your SMTP virtual server By default, the SMTP virtual server allows only authenticated users to relay e-mail messages. This setting prevents unauthorized users from using your Exchange server to send e-mail messages to external domains. For detailed instructions, see How to Verify an SMTP Virtual Server Is Not Set to Open Relay.

Procedure
To verify that your SMTP virtual server is configured to allow anonymous access 1. In Exchange System Manager, in the Properties dialog box of the SMTP virtual server, on the Access tab, click Authentication. 2. In the Authentication dialog box, select the Anonymous access check box if it

529 is not already selected. See the following figure. Authentication dialog box

Using X.400 (MTA) Queues to Troubleshoot Message Flow

Exchange Server 2003 uses the X.400 queues to submit mail to and receive mail from Exchange 5.5 servers and to send mail through connectors to other mail servers. If you experience mail flow problems when you are sending mail to an Exchange 5.5 or earlier server, or to another mail system to which you are connecting using X.400, check the

530 X.400 queues on the Exchange server. If you experience mail flow problems when sending mail to servers that are running Exchange 5.5 or earlier, it is a good idea to also check the MTA queues on those servers. For detailed instructions, see How to Configure Diagnostic Logging for the X.400 Service (MSExchangeMTA). The following table the X.400 queues, their descriptions, and troubleshooting information for message accumulation in each queue. X.400 queues
Queue name Description Causes of message accumulation

PendingRerouteQ

Contains messages that are waiting to be rerouted after a temporary link outage.

Messages can accumulate in this queue if a route to a connector, to a different mail system, or to an Exchange 5.5 server is unavailable. Messages can accumulate in this queue when Exchange 2003 experiences problems sending to another mail system, to an Exchange 5.5 server, or through an X.400 link. Increase diagnostic logging for the X.400 service as described in "How to Configure Diagnostic Logging for the X.400 Service (MSExchangeMTA)."

Next hop MTA

Contains messages destined to one of the following: Another gateway, such as a connector for Lotus Notes or Novell GroupWise. An X.400 link to an Exchange 5.5 site or a destination outside the organization. An Exchange MTA over the LANfor example, destined to an Exchange 5.5 server in a mixedmode environment.

531

How to Configure Diagnostic Logging for the X.400 Service (MSExchangeMTA)

This procedure explains how to configure diagnostic logging for the X.400 service (MSExchangeMTA) on Exchange Server 2003. If you have to troubleshoot mail flow problems for servers running Exchange 5.5 and earlier, for other mail systems, or for X.400 connectors, it is useful to increase the logging level for MSExchangeMTA.

Procedure
To configure logging for MSExchangeMTA 1. In the console tree, expand Servers, right-click <server name>, and then click Properties. 2. Click the Diagnostics Logging tab. 3. Under Services, click MSExchangeMTA. 4. Under Categories, click X.400 Service to troubleshoot delivery problems to servers running Exchange 5.5 and earlier, and other systems. 5. Under Logging level, click None, Minimum, Medium, or Maximum. Click Maximum for troubleshooting purposes.

Configuring Diagnostic Logging for SMTP

To help you determine the cause of a transport issue, you can view events that relate to MSExchangeTransport. If you experience problems with Exchange message flow, immediately increase the logging levels relating to MSExchangeTransport. Logging levels

532 control the amount of data that is logged in the application log. The more events that are logged, the more transport-related events that you can view in the application log. Therefore, you have a better chance of determining the cause of the message flow problem. The SMTP log file is located in the Exchsrvr\Server_name.log folder. As discussed in "Using SMTP Queues to Troubleshoot Message Flow" and "Using X.400 (MTA) Queues to Troubleshoot Message Flow," issues with specific routing and transport components can cause messages to accumulate in a queue. If you are having problems with a specific queue, increase the logging level for the component that is affecting the queue. For detailed instructions, see the following procedures: How to Enable Debug Level Logging How to Modify Logging Settings

How to Enable Debug Level Logging

If you are experiencing mail flow issues in Exchange Server 2003 and want to view all events as part of your troubleshooting effort, you can modify a registry key to set event logging to level 7, the debugging level, which is the highest level.

Before You Begin

This topic contains information about editing the registry. Caution Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems caused by not editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

533

Procedure
To enable logging at the debugging level 1. Start Registry Editor. 2. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ MSExchangeTransport\Diagnostics\SMTP Protocol

3. Set the value to 7, and then click OK.

How to Modify Logging Settings

The following procedure explains how to modify diagnostic logging related to MSExchangeTransport. Caution If you increase the logging levels for Exchange services, you will experience some performance degradation. It is recommended that you increase the size of the application log to contain all the data produced. If you do not increase the size of the application log, you will receive frequent reminders that the application log is full.

Procedure
To modify logging settings for MSExchangeTransport 1. In the console tree, expand Servers, right-click <server name>, and then click Properties. 2. Click the Diagnostics Logging tab. 3. Under Services, click MSExchangeTransport. 4. Under Categories, click the category for which you want to configure the logging level:

534 To troubleshoot routing issues, select Routing Engine/Service. Increase the logging level for this component if messages are accumulating in the Messages waiting to be routed SMTP queue. To troubleshoot problems with address resolution in Active Directory, distribution list expansion, and other categorizer issues, select Categorizer. Increase the logging level for this component if messages are accumulating in the Messages waiting to be routed SMTP queue. To troubleshoot issues with dial-up and virtual private network connectivity through Connection Manager, select Connection Manager. To troubleshoot problems with the queuing engine, select Queuing Engine. Increase the logging level for this component if you are experiencing mail flow problems, and mail is not accumulating in any of the queues. To troubleshoot issues with the Exchange store driver, select Exchange Store Driver. Increase the logging level for this component if messages are accumulating in the local delivery SMTP queue, the X.400 queues, or if you have problems receiving mail from Exchange 5.x servers or other mail systems. To troubleshoot general SMTP issues, select SMTP Protocol. Increase the logging level for this component if messages are accumulating in the Remote delivery SMTP queue to determine if SMTP errors are causing the bottleneck. To troubleshoot issues with the NTFS store driver, select NTFS Store Driver. Increase the logging level for this category if messages are accumulating in the local delivery SMTP queue.

5. Under Logging level, click None, Minimum, Medium, or Maximum. Click Maximum for troubleshooting purposes.

Tools That Are Used with Exchange

In addition to Microsoft Management Console (MMC) snap-ins, Exchange System Manager, and Active Directory Users and Computers, there are a host of tools that you can use to manage and troubleshoot a Microsoft Exchange Server 2003 organization.

535 Some of these tools are installed with Microsoft Windows, some with Exchange, and others can be found at the "Downloads for Exchange 2003" Web site (http://go.microsoft.com/fwlink/?LinkId=25097). The following table lists these tools. However, be aware that not all tools are supported. Note Some tools can cause serious, sometimes irreversible, problems if used incorrectly. Before using tools in your production environment, always familiarize yourself with them on test servers first. Make sure to read the documentation associated with any tool and familiarize yourself with the risks involved. Exchange Tools
Tool name Description Run from Install from

Active Directory Account Cleanup Wizard (adclean.exe)

Use to find and merge multiple accounts in Active Directory that refer to the same person.

Start | All Programs | Microsoft Exchange | Deployment | Active Directory Account Cleanup Wizard Start | All Programs | Microsoft Exchange | Active Directory Connector Start | All Programs | Microsoft Exchange | Active Directory Users and Computers

Installed during Exchange setup.

Active Directory Connector Services (adcadmin.msc)

Use to replicate Exchange 5.5 directory objects to Active Directory. Use this MMC snap-in to manage mail recipients and other Active Directory objects.

Exchange CD <drive>:\ADC\i386\setup.e xe

Active Directory Users and Computers (dsa.msc)

Installed during Exchange setup.

536
Tool name Description Run from Install from

Address Rewrite (Exarcfg.exe)

Use to rewrite return e-mail addresses on outgoing messages routed from non-Exchange mail systems to Exchange and destined outside the organization. Use for low level editing of Active Directory. Use to package and deploy Exchange store applications on the Exchange store.

Command prompt http://go.microsoft.com/fwli nk/?LinkId=25097

ADSI Edit (adsiedit.msc)

<drive>:\Program Files\Support Tools

Windows Server 2003 CD <drive>:\support\tools\supt ools.msi http://go.microsoft.com/fwli nk/?LinkId=18614

Application Deployment Wizard (exapppacker.exe)

Start | All Programs | Exchange SDK | Exchange SDK Development Tools | Application Deployment Wizard <drive>:\Program Files\Exchange SDK\SDK\Sample s\Security

Application Security Module

Use to access and modify XML content provided by the security descriptor.

Download the Exchange 2003 SDK Documentation and Samples March 2004 at http://go.microsoft.com/fwli nk/?LinkId=28056

537
Tool name Description Run from Install from

ArchiveSink (archivesink_setup.v bs)

Use to archive message and log information about messages sent to or received by an Exchange server. Use to force a restored directory database to replicate to other servers after restoring from a backup. Use this tool only when Microsoft Product Support Services asks you to do so. Use to configure, control, and monitor clusters.

Command prompt http://go.microsoft.com/fwli nk/?LinkId=25097

Authoritative Restore (Authrest.exe)

Command prompt http://go.microsoft.com/fwli nk/?LinkId=25097 Must be installed to \exchsrvr\bin

Cluster Administrator (cluadmin.exe)

Start | All Programs | Administrative Tools | Cluster Administrator

In Windows Server 2003, installed by default In Windows 2000 Server, installed when Cluster Service component is selected during setup.

538
Tool name Description Run from Install from

Disable Certificate Verification (Certchk.exe) Not recommended for production environments.

Install and run on http://go.microsoft.com/fwli Use in test environments to the mobile device. nk/?LinkId=25097 disable certificate authentication for Microsoft Outlook Mobile Access. Use to troubleshoot Domain Name System (DNS) issues. The tool simulates the Simple Mail Transfer Protocol (SMTP) service's internal codepath and prints diagnostic messages that indicate how the DNS resolution is proceeding. Command prompt http://go.microsoft.com/fwli nk/?LinkId=25097 Must be installed to <drive>:\windows\ system32\inetsrv

DNS Resolver (DNSDiag) (Dnsdiag.exe)

539
Tool name Description Run from Install from

DSACLS (dsacls.exe)

DSACLS is a Command prompt Windows Server 2003 CD command-line <drive>:\support\tools\supt tool that you ools.msi can use to query and change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows 2000 Server Active Directory snapin tools such as Active Directory Users and Computers and Active Directory Sites and Services. For more information about DSACLS, see Microsoft Knowledge Base article 281146, "How to Use Dsacls.exe in Windows 2000" (http://go.micro soft.com/fwlink/ ?linkid=3052&k bid=281146)

540
Tool name Description Run from Install from

Error Code Look-up Use to determine error (Err.exe) values from decimal and hexadecimal error codes in Windows products. Event Viewer (eventvwr.msc) Use this MMC snap-in to view logged events, such as errors and warnings. Use to monitor the performance, availability, and security of Microsoft Exchange Server 2003, alerting you to events that have a direct effect on server availability, while filtering out events that require no action.

Command Prompt http://go.microsoft.com/fwli nk/?LinkId=25097

Start | All Programs | Administrative Tools | Event Viewer Microsoft Operations Manager

Installed during Windows setup.

Exchange 2003 Management Pack (Exchange Management Pack.akm)

http://go.microsoft.com/fwli nk/?LinkId=25097 Requires Microsoft Operations Manager. For more information about Microsoft Operations Manager, see http://www.microsoft.com/ mom/

541
Tool name Description Run from Install from

Exchange Explorer (ExchExplorer.exe)

Use to explore Exchange store folders, items, and their property values. Create property and content class definitions and configure their schema scope.

Start | All Programs | Exchange SDK | Exchange SDK Development Tools | Exchange Explorer

http://go.microsoft.com/fwli nk/?LinkId=18614

Exchange Server Database Utilities (eseutil.exe)

Use to perform <drive>:\Program offline database Files\Exchsrvr\bin procedures, such as defragmentatio n and integrity checking. Use this guide to review the recommended steps and tools that help you successfully install Exchange Server 2003. Use to migrate user accounts to Exchange 2003. Run from Exchange CD

Installed during Exchange setup.

Exchange Deployment Tools (exdeploy.chm)

Exchange CD <drive>:\support\ExDeploy or http://go.microsoft.com/fwli nk/?LinkId=25097

Exchange Server Migration Wizard (mailmig.exe)

Start | All Programs | Microsoft Exchange | Migration Wizard

Installed during Exchange setup.

542
Tool name Description Run from Install from

Exchange Store Event Sink Wizard (mxeswiz.dll)

Use to create a Microsoft Visual Basic project for a Component Object Model (COM) class of correctly implemented event interfaces, and a module of functions and routines that use event sink support interfaces. Use to display a hierarchical list of node objects that corresponds to folders in the Exchange store.

Microsoft Visual Basic development system

http://go.microsoft.com/fwli nk/?LinkId=18614 (Use the Add-In Manager in Visual Basic to make the Event Sink Wizard available on the Visual Basic Add-Ins menu.)

Exchange Store TreeView Control (Extreeview.ocx)

<drive>:\Program Files\Exchange SDK\Tools\ExchE xplorer

http://go.microsoft.com/fwli nk/?LinkId=18614 Run ExchTools.msi after downloading.

543
Tool name Description Run from Install from

Exchange Stress and Performance 2003

Use to test stress and performance. This tool simulates large numbers of client sessions, by concurrently accessing one or more protocol servers.

Command prompt 2003 version: http://go.microsoft.com/fwli nk/?LinkId=25097 2000 version: http://go.microsoft.com/fwli nk/?LinkId=1709

Exchange System Manager (exchange system manager.msc)

Use this MMC snap-in to provide a graphical view of an Exchange organization where you can perform many administrative tasks.

Start | All Programs | Microsoft Exchange | System Manager

Installed during Exchange setup.

Exchange Workflow Use Configuration wfsetup.vbs to Scripts configure the server for (wfsetup.vbs; correct addwfrole.vbs) workflow functionality. Use addwfrole.vbs to add users to workflow event sink security roles.

Command prompt http://go.microsoft.com/fwli nk/?LinkId=18614

544
Tool name Description Run from Install from

GUIDGen (GUIDGEN.EXE)

Use to generate Command prompt http://go.microsoft.com/fwli globally unique nk/?LinkId=25097 identifiers (GUIDs). Use to find and remove errors in the public and private information store databases. Intended for disaster recovery situations and not for routine maintenance. Command prompt Exchange CD <drive>:\setup\i386\exchan ge\bin

Information Store Integrity Checker (isinteg.exe)

545
Tool name Description Run from Install from

Information Store Viewer (MDBVU32) (mdbvu32.exe)

Use to view or set details about a user's message storage files. These files are the private information store, the personal folder file (.pst file), and the offline folder file (.ost file). This tool browses storage, address book, and other MAPI providers by executing MAPI calls specified by a user.

Command prompt http://go.microsoft.com/fwli nk/?LinkId=25097

Internet Information Use to Services (IIS) configure Manager Outlook Web Access (iis.msc) settings.

Start | All Programs | Administrative Tools | Internet Information Services (IIS) Manager

Add/Remove Programs | Add/Remove Windows Components

546
Tool name Description Run from Install from

Inter-Organization Replication (exscfg.exe; exssrv.exe)

Use to replicate public folder information (including free/busy information) between Exchange organizations. Can be used between forests. Use for stress testing the Exchange database engine and storage subsytem. Use to perform Lightweight Directory Access Protocol (LDAP) searches against Active Directory. Use as a benchmarking tool to test the response of servers to mail loads.

Command prompt http://go.microsoft.com/fwli nk/?LinkId=25097

Jetstress (JetStress.exe)

Command prompt http://go.microsoft.com/fwli nk/?LinkId=25097

LDP (ldp.exe)

<drive>:\Program Files\Support Tools

Windows Server 2003 CD <drive>:\support\tools

Load Simulator (LoadSim) (loadsim.exe)

For setup and installation instructions, see http://go.microsoft .com/fwlink/?LinkI D=1710.

2003 version: http://go.microsoft.com/fwli nk/?LinkId=25097 2000 version: http://go.microsoft.com/fwli nk/?LinkId=1710

547
Tool name Description Run from Install from

Mailbox Merge Wizard (ExMerge) (ExMerge.exe)

Command prompt http://go.microsoft.com/fwli Use to extract data from nk/?LinkId=25097 mailboxes on an Exchange server, and then merge that data into mailboxes on another Exchange server. Use in managed Windows applications to display a hierarchical list of nodes that correspond to a mail or public folder hierarchy. Add, delete, and move folders in the Exchange store. Use to scan local or remote systems for common misconfiguratio ns and to verify security best practices. <drive>:\Program Files\Exchange SDK\Tools\ExchT reeViewControl http://go.microsoft.com/fwli nk/?LinkId=18614 To use this tool, you must add a reference to it in a Microsoft Visual Studio .NET project, and then add it to the toolbox in the project.

Managed Exchange TreeView Control (ExchangeTreeView Control.dll)

Microsoft Baseline Security Analyzer (MBSA) GUI: (MBSA.exe) Command Line: (mbsacli.exe)

Command prompt http://go.microsoft.com/fwli nk/?LinkId=25097

548
Tool name Description Run from Install from

Importer for Lotus cc:Mail Archives (ccmarch.exe)

Command prompt http://go.microsoft.com/fwli Use to import Lotus cc:Mail nk/?LinkId=25097 archive files to folders in an Exchange 2003 mailbox store or to one or more .pst files. Use when MTA will not start, because of corruption or suspected corruption in the MTA database. This tool provides a soft recovery of a corrupted MTA database. Command prompt http://go.microsoft.com/fwli nk/?LinkId=25097

MTA Check (Mtacheck.exe)

Network Monitor (netmon.exe)

Use to diagnose issues with server connectivity. Use for establishing a baseline of performance and for troubleshooting performance issues.

Start | All Programs Administrative Tools | Network Monitor Start | All Programs | Administrative Tools | Performance

Add/Remove Programs | Add/Remove Windows Components

Performance Monitor (perfmon.msc)

Installed during Windows setup.

549
Tool name Description Run from Install from

PFMigrate (pfmigrate.wsf)

Use to migrate Command prompt Exchange CD public folders <drive>:\support\ExDeploy from Exchange 5.5 to Exchange 2003. Can also be used to move the offline address book, Schedule+ Free/Busy folder, and organization forms. Command prompt http://go.microsoft.com/fwli Use to confirm the RPC nk/?LinkId=18615 connectivity between the computer that is running Microsoft Exchange Server and any of the client workstations on the network.

RPC Ping utility (rpings.exe and rpingc.exe)

550
Tool name Description Run from Install from

SMTP Internet Protocol Restriction and Accept/Deny List Configuration ExIpsec.dll)

Use to programmaticall y set Internet Protocol (IP) restrictions on an SMTP virtual server. Programmatical ly add IP addresses on the global accept and deny lists for connection filtering. Use to troubleshoot Exchange mail flow.

Running exipsec.exe installs the required DLL so that you can access the COM object from the script you create.

http://go.microsoft.com/fwli nk/?LinkId=25097

Telnet (telnet.exe)

Command prompt Installed during Windows setup.

WinRoute (winroute.exe)

Use to connect Command prompt http://go.microsoft.com/fwli nk/?LinkId=25097 to the link state port (TCP/IP 691) on an Exchange server and extract the link state information for an organization.

551

Services That Are Used by Exchange

Services are application types that run in the system background. Services provide core operating system features, such as Web serving, event logging, file serving, help and support, printing, cryptography, and error reporting. To provide core system features to its users, Microsoft Exchange Server 2003 provides a number of services (see Table B.1) that run on an Exchange server. Note To manage services on local or remote computers, use the Microsoft Management Console (MMC) Services snap-in. Services snap-in

552 Exchange services

Service display name/abbreviation Default startup type Description and dependencies

Microsoft Exchange Calendar Connector (MSExchangeCalCon)

Manual

Allows sharing of Lotus Notes and Novell GroupWise Free/Busy Information. Dependencies: Event Log, Microsoft Exchange Information Store, Microsoft Exchange Connectivity Controller

Microsoft Exchange Connectivity Controller (MSExchangeCoCo)

Manual

Provides support services for Microsoft Exchange connectors. Dependencies: Event Log

Microsoft Exchange Connector Manual for Lotus Notes (LME-NOTES)

Allows sharing of mail traffic with Lotus Notes systems. Dependencies: Event Log, Microsoft Exchange Connectivity Controller

Microsoft Exchange Connector Manual for Novell GroupWise (LMEGWISE)

Allows sharing of mail traffic with Novell GroupWise systems. Dependencies: Event Log, Microsoft Exchange Connectivity Controller, Microsoft Exchange Router for Novell GroupWise

553
Service display name/abbreviation Default startup type Description and dependencies

Microsoft Exchange Event (MSExchangeES)

Manual

Monitors folders and triggers events for server applications compatible with Exchange Server 5.5. Dependencies: Microsoft Exchange Information Store

Microsoft Exchange IMAP4 (IMAP4Svc)

Disabled

Provides Internet Message Access Protocol version 4 (IMAP4) services to clients. If this service is stopped, clients cannot connect to this computer using IMAP4. Dependencies: IIS Admin Service

Microsoft Exchange Information Store (MSExchangeIS)

Automatic

Manages the Exchange store. The service makes mailbox stores and public folder stores available. If this service is stopped, mailbox stores and public folder stores on this computer are unavailable. If this service is disabled, any services that explicitly depend on it cannot start. Dependencies: Microsoft Exchange System Attendant

554
Service display name/abbreviation Default startup type Description and dependencies

Microsoft Exchange Management (MSExchangeMGMT)

Automatic

Provides Exchange management information using Windows Management Instrumentation (WMI). If this service is stopped, WMI providers implemented to work in Microsoft Exchange Management, like message tracking and Directory Access, will not work. Dependencies: Remote procedure call (RPC), WMI

Microsoft Exchange MTA Stacks (MSExchangeMTA)

Automatic

Provides Exchange X.400 services. You use Exchange X.400 services to connect to Exchange 5.5 servers and other connectors (custom gateways). If this service is stopped, Exchange X.400 services are unavailable. Dependencies: Microsoft Exchange System Attendant

Microsoft Exchange POP3 (POP3Svc)

Disabled

Provides Post Office Protocol version 3 (POP3) services to clients. If this service is stopped, clients cannot connect to this computer using POP3. Dependencies: IIS Admin Service

555
Service display name/abbreviation Default startup type Description and dependencies

Microsoft Exchange Router for Novell GroupWise (MSExchangeGWRtr)

Manual

Provides support for scheduling collaboration with Novell GroupWise systems. Dependencies: None

Microsoft Exchange Routing Engine (RESvc)

Automatic

Provides topology and routing information to servers running Exchange 2003. If this service is stopped, optimal routing of messages will not be available. Dependencies: IIS Admin Service

556
Service display name/abbreviation Default startup type Description and dependencies

Microsoft Exchange Site Replication Service (MSExchangeSRS)

Disabled

Provides directory interoperability between Exchange 5.5 and Exchange 2000 Server or Exchange 2003. Site Replication Service (SRS) acts as a directory replication bridgehead server for an Exchange site. SRS runs on Exchange 2000 and serves as a modified Exchange 5.5 directory. SRS uses Lightweight Directory Access Protocol (LDAP) to communicate to both the Active Directory directory service and the Exchange 5.5 directory. To Exchange 5.5, SRS looks similar to another Exchange 5.5 configuration/recipients replication partner. Note Enabled by default on computers that have Active Directory Connector (ADC). Dependencies: Microsoft Exchange System Attendant

557
Service display name/abbreviation Default startup type Description and dependencies

Microsoft Exchange System Attendant (MSExchangeSA)

Automatic

Provides monitoring, maintenance, and Active Directory lookup services (for example, monitoring of services and connectors, proxy generation, Active Directory to metabase replication, publication of free/busy information, offline address book generation, mailbox maintenance, and forwarding Active Directory lookups to a global catalog server). If this service is stopped, monitoring, maintenance, and lookup services are unavailable. If this service is disabled, any services that explicitly depend on it cannot start. Dependencies: Event Log, NTLM Security Support Provider, Remote Procedure Call (RPC), Server, Workstation

Note The following Exchange services are set to manual, if installed on a cluster: IMAP4Svc, MSExchangeMTA, MSExchangeSA, MSExchangeIS, SMTPsvc, NNTPsvc, REsvc, MSExchangeMGMT. You must enable the following Microsoft Windows services before you run Exchange Setup: World Wide Web service Simple Mail Transfer Protocol (SMTP) service Network News Transfer Protocol (NNTP) service

558

Configuration Settings for a Four-Node Cluster

As shown in the following figure, the recommended configuration for a four-node Microsoft Exchange Server 2003 cluster contains three active nodes and one passive node, where each of the active nodes contains one Exchange Virtual Server (EVS). This configuration is useful because it gives you the capacity of running three active Exchange servers, while maintaining the failover security provided by one passive server. Recommended configuration of a four-node Exchange cluster

Note All four nodes of this cluster are running Microsoft Windows Server 2003 Enterprise Edition and Microsoft Exchange Server 2003 Enterprise Edition. The recommended four-node cluster can handle a single node failure at a time and maintain 100 percent availability after the failover has occurred. A second failure during

559 this period leaves the cluster in a partially up state. To illustrate this concept, here is an example: First failure If Node 1 fails, Node 2 still owns EVS2, Node 3 still owns EVS3, and Node 4 takes ownership of EVS1 with all the storage groups mounted after the failover. Second failure If another node fails while Node 1 is still recovering from the failure, the Exchange Virtual Server on the second failed node tries to fail over to a node not hosting an Exchange Virtual Server. Because failover is not possible, the second Exchange Virtual Server remains in a failed state.

The following tables list the recommended configuration settings for this four-node cluster. Exchange Virtual Server settings
Properties dialog box Tab Recommended settings

EVS1 EVS2 EVS3 EVS1, EVS2, EVS3

General General General Failback

Preferred Owners Node 1 Preferred Owners Node 2 Preferred Owners Node 3 Prevent Failback This default option disables failback on each ESV. The administrator can move the server back at an appropriate time.

Exchange resource settings

Properties dialog box Tab Recommended settings

Exchange Resource

General

Possible Owners All nodes are possible owners.

560
Properties dialog box Tab Recommended settings

Exchange Resource

Advanced

Restart This default option enables Cluster Service to try to restart the resource after the initial failure of the resources. To enable Restart, select the Affect the group check box with a threshold of 3 and a period of 900 seconds. Pending Timeout 3 minutes (default) As mentioned in "Setting Pending States," the Exchange store instance is not restricted by this setting when coming online.

Copyright
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means

561 (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. 2006 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Active Directory, ActiveSync, ActiveX, Entourage, Excel, FrontPage, Hotmail, JScript, Microsoft Press, MSDN, MSN, Outlook, SharePoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows Mobile, Windows NT, and Windows Server System are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.