CBT Nuggets-Exchange Server 2003


  • 8/8/2019 CBT Nuggets-Exchange Server 2003

    1/47

    Exchange Server 2003


    Chapter 1

    Exchange Server 2003 is a total messaging, collaboration and contact management solution.

    Objective

    - Security.
    - Reliability and performance improvements.
    - Administration and management.
    - Server 2003 and Active Directory.
    - Compatibility issues.

    Exchange Server 2003

    - Enhanced security.
    - Improved manageability.
    - More reliable.
    - Better productivity.
    - Lower TCO (Total Cost of Ownership).

    Exchange 2003 Security

    - Connection filtering (block junk mail etc.).
    - Distribution list restriction.
    - OWA forms-based authentication.
    - Kerberos authentication.
    - Privacy protection.
    - Anti-Virus API 2.5.
    - Enhanced public folder security.

    Reliability and Performance

    - 8-node cluster support (earlier, Exchange 2000 supported 2 nodes).
    - Mailbox Recovery Centre.
    - Automatic error reporting.
    - Virtual memory reporting.
    - Dr. Watson 2.0 (an application troubleshooting tool).
    - Outlook synchronization performance.
    - Enhanced DNS-based Internet mail delivery.

    Administration and Management

    - Exchange System Manager.
    - Volume Shadow Copy services.
    - Dynamic distribution lists.
    - Public folder management.
    - Move Mailbox utility.
    - Deployment tools.

    Server 2003 and Active Directory


    - ADMT 2.0.
    - Replication improvements.
    - Cross-forest trust.
    - Active Directory manageability.
    - Internet protocol support.

    Compatibility Issues

    Exchange 2003 (SP) 3+ can operate in a Windows 2003 Active Directory environment.

    Exchange 2003 runs on either Windows 2003 Server with SP 3 or the Windows 2003 operating system.

    Although 5.5 and 2000 can be installed on Windows 2003 servers, File and Print servers, Domain Controllers and Global Catalog Servers can all be upgraded to Windows 2003 with no impact on Exchange.

    Chapter 2

    Installing Exchange 2003

    - Improvements to the setup process.
    - Deployment tools.
    - Requirements for Exchange 2003.
    - Running FOREST PREP and DOMAIN PREP.
    - Running Exchange 2003 setup.

    Improvements to Exchange setup

    - Setup no longer needs full organization permissions.
    - Domain users are denied local logon rights on the Exchange server itself.
    - The new ChooseDC switch for setup.
    - The default permissions are assigned only at the organizational level.
    - A warning message appears if Exchange groups are moved, deleted or renamed.
    - Mailbox access permissions.
    - Message size limits and item size for public folders are set by default (10 MB).

    Exchange Server Deployment Tools

    - Required tools and documentation.
    - Guide for install, upgrade and migration.
    - Exchange 2003 tools and updates at www.Microsoft.com
    - Access from the Exchange 2003 CD.

    The process goes like this:

    DCDiag ---- NetDiag ---- ForestPrep ---- DomainPrep ---- Exchange Setup

    Requirements for Exchange 2003


    - Domain Controllers and Global Catalog Servers running Windows 2000 Server with SP 3 or Windows Server 2003.
    - Servers running Windows 2000 SP 3 or Windows Server 2003 Active Directory.
    - DNS and WINS configured properly in your Windows site.
    - Disk partitions must be formatted with the NTFS file system.

    The following services must be running:
    - .NET Framework
    - ASP.NET
    - Internet Information Services (IIS) 6.0
    - World Wide Web Publishing Service
    - Simple Mail Transfer Protocol (SMTP) service
    - Network News Transfer Protocol (NNTP) service

    Hardware requirements:
    - Intel Pentium or compatible 133 MHz or faster processor.
    - 256 MB of RAM recommended minimum, 128 MB minimum supported.
    - 500 MB of available hard disk space for the installation of Exchange.
    - 200 MB of available disk space on the hard drive.
    - CD-ROM drive.
    - SVGA or higher resolution monitor.

    Scenario:

    Create a service account svc_exchange in the Windows 2000 AD and make this account a member of Schema Admins, Domain Admins and Enterprise Admins.

    Exchange 2003 Setup Switches:

    Setup.exe /ChooseDC: used to choose the DC that setup reads from and writes to in Active Directory during the installation process.

    /DisasterRecovery: used to recover your Exchange installation after you have restored from backup. With this switch, setup skips the process of registering with AD and reinstalls the Exchange binary files; the information restored from the backup is then used to map the databases.

    /?: shows all the command-line options with a brief explanation of each switch.

    /Password: lets setup log on automatically when the server reboots during the setup process.

    /ShowUI: used with the unattended mode of installation.

    /NoEventLog: prevents any log entries from being written to Event Viewer (Application, Security, etc.) during the installation process.

    /NoErrorLog: disables error logging in Event Viewer.


    You can use the ADSI Edit tool to rename the Exchange server, which is a very tricky process; only experienced administrators should be responsible for it.


    The installation of Exchange Server then starts.


    Chapter 3 Upgrading from Exchange 2000 to Exchange 2003

    - Upgrading and migration essentials.
    - Front-end servers vs. back-end servers.
    - Mixed mode and native mode.
    - Post-installation issues.
    - Removing an Exchange 2003 server.

    Upgrading and Migration essentials

    This covers upgrading from Exchange 5.5 to 2003, which is considered to be much easier and much simpler.

    Some of the things which need to be done prior to the upgrade:

    There is no support for cc:Mail and MSFT Mail.

    First you have to remove the following services from Exchange 2000:
    1. Instant Messaging
    2. Microsoft Chat
    3. Key Management Service
    4. Lotus cc:Mail connector
    5. Microsoft Mail connector

    We just have to make sure that we remove these components, because Server 2003 does not support them, but we also need to adhere to the following requirements for the operating system and the Exchange 2000 server.

    Things to adhere to:
    - Install Exchange 2000 SP3 or later.
    - Install Windows 2000 Server SP 3 or later.
    - Same language.
    - Front-end server first.


    Front-end servers deal primarily with incoming client connections and protocol handling, whereas back-end servers are specifically for mailbox databases and public folder storage. As a matter of fact, a dedicated front-end server in Exchange can't host public folder and mailbox databases; this is an important pre-deployment consideration. The main benefits of front-end and back-end servers are:

    Front-end servers:
    1. Unified namespace: users outside and inside the organization who access the Exchange servers don't have to remember the names of the servers. E.g., WWW.Nuggetlab.com gives Web access all over the enterprise.
    2. Firewalls: you can place your front-end servers behind firewalls, which protects the servers from DoS attacks and any other vulnerability from the Internet.
    3. Lower SSL overhead: SSL is basically used for encrypting and decrypting all activity.

    Exchange 2000 overview, running on Windows 2000 Advanced Server


    Before upgrading Exchange 2000, we have to make sure that Exchange management and any other type of management tool for Exchange 2000 is not running. We have to go to the following path

    Before we start our upgrade we have to delete the contents of this folder, Bad Mail. This folder holds the undeliverable contents of SMTP: it stores the undeliverable messages that can't be returned to the sender. It can also contain messages from outside users who are trying to spam your Exchange organization. We have to delete the contents of this folder because Exchange 2003 has to re-stamp the ACLs on all of the Exchange server folders. If this folder contains a whole bunch of messages, your setup will take a whole lot longer than the usual time.

    The third pre-installation task is to test and investigate thoroughly for compatibility issues with any third-party software, programs and add-ons for Exchange 2000, and to check for any vendor upgrades. All the patches and upgrades should be available before you complete this step. Also, if any third-party software services are running, you have to stop them manually before starting the installation.

    To Start the migration:


    Exchange Migration Factoids:

    If you are moving from one organization to another:

    - You must have administrative permissions in the source and target domains.
    - You may need to set up a two-way trust between those domains.
    - You can use the Migration Wizard only.


    For Domain Prep


    Install and Upgrade Exchange


    Steps for post installation:

    If you go back to the Exchange server Deployment Tool Wizard

    Click on perform post-installation steps

    Change to Native Mode:

    System Manager


    Since we have upgraded Exchange 2000 to 2003, it's already in Native mode; otherwise there is an option of changing this from Mixed to Native mode.

    After the upgrade, all of the mailboxes are automatically transferred into Mailbox Store (server name), which is the database of the Exchange server. If we are upgrading other servers, we have a tool to do that, i.e., the Deployment Tool Migration Wizard.


    We have a wide variety of options

    If we choose "Migrate from Microsoft Exchange", that means we are migrating from other Exchange servers, i.e. from an Exchange server which is not part of this organization/system.


    This step guides you in making sure that, after the Exchange installation, all of the services are running and all necessary tools are installed on the system.

    Microsoft Exchange Information Store: a very important service; if this service stops, no mailbox stores and no folders are available on the server.

    Microsoft Exchange Management: this is basically for WMI; if this service stops, WMI is not available.

    MTA Stacks: this is for X.400 services.

    Routing Engine: also one of the core services for Exchange; it provides routing and topology information to all 2003 servers for optimal routing of messages.

    Site Replication Service: if you are in a 5.5 environment you have SMS or SRS; it is disabled for 2003 and only used with 5.5 servers.

    Exchange System Attendant: this service handles 5 things: monitoring your connectors, monitoring your services, maintenance such as defragmenting your Exchange store databases, forwarding AD lookups to GC servers, and AD functions.

    All these particular services have dependencies


    This shows you the core services on which a specific service depends.

    Removing Exchange server 2003

    Best Practice: The Wiz

    Move all mailboxes first (or Remove)

    Transfer roles of Bridgehead server or Routing group master

    No Connection Agreement or Installed Connectors.

    TIP: Delete Mailbox for Administrator

    Chapter 4 Configuring Exchange 2003 for Proactive Management

    - Delegation of authority.
    - Administering from a client workstation.
    - The Magic MMC tour.
    - Administrative and routing groups in a nutshell.

    Delegating Authority (Organization level or Administrative group level):

    - The install user account is given full admin rights.
    - Need to track/audit each Exchange admin.
    - Delegate authority to users and groups.

    Permissions which can be applied at the Organization level or Administrative group level:

    Exchange Full Administrator: has the ability to do everything in the Exchange organization, including modifying permissions.

    Exchange Administrator: can also do everything except modify permissions.

    Exchange View Only Administrator: a view-only (read-only) role.

    Make all of the above global security groups in AD


    Delegation of control to the groups:


    By default, only Exchange Full Administrator has full control over the Exchange organization. After clicking ADD you can get the three roles:

    Select the group and ADD the Exchange Full Admin role; in this way you can delegate control to any user or group.

    Administering from Client Workstation

    - You shouldn't administer via the server console.
    - May limit "log on locally" rights.
    - Install the Exchange System Management Tools.
    - The workstation must be in the same forest/domain.

    XP Pro SP1, SP2, SP3, Win 2000 Server with SP3, Windows Server 2003

    How to install the System Management Tools on an XP machine:

    First you need the Windows Server 2003 Admin Pack installed on that machine for viewing AD Users and Computers. Install it from i386/adminpak.msi


    Insert Exchange server disk

    Click on Exchange System management tools only.


    Magical MMC

    Start → Run → mmc

    This console is used for both Exchange and Windows administration.

    Save this console on your desktop. This MMC will be the combination for your Windows as well as your Exchange administration.


    Administrative Groups in Nutshell:

    - Sites were limited and inflexible
    - Administrative Groups define the administrative topology
    - Separated from the physical (SITE) structure
    - Administrative Groups contain: servers, policies, routing groups, public folder trees
    - A collection of objects for simpler control

    To build up Administrative or routing groups:


    We can create Administrative groups for each of the locations


    - Internet Connection Firewall (ICF)
    - Using MAPI (Messaging API) through a firewall (RPC over HTTP)
    - Virus protection measures

    Connecting Exchange over Firewall

    Firewalls are designed to stop malicious intruders and other attackers from getting inside our internal network. A firewall is one or more systems combined with each other, generally a combination of hardware or software. By definition, a firewall is a security mechanism that prevents unauthorized access between trusted and untrusted networks, and generally it is a line of defense between the Exchange organization's internal systems and the Internet. The firewall is a primary tool that will enact the overall security policy of the network.

    - Prevents external users from accessing your internal network
    - A combo of hardware and software
    - First line of defense to the Internet

    Packet filtering: the firewall looks at all the data packets that come in at the edge of your organization or leave the network at the edge of your organization, and you can permit or deny packets based on a wide variety of criteria such as resource, IP address or even port number (TCP/UDP).

    Scanning: it is also used to scan for viruses, combined with other software to scan for worms, viruses and malicious code.

    Proxy server (NAT): it is also used as a proxy server to hide the internal network and expose only one single address on the Internet, filtering packets such as web pages and accepting only those that match business needs.

    A firewall has to protect our back-end Exchange server, which keeps our public folder stores, our mailbox store and our mailbox databases. We also have to protect our front-end servers, e.g., Exchange server, web server, AD, etc.

    It is recommended that we keep our front-end server in a DMZ, which you may also call a perimeter network. Exchange itself is not a firewall product, but it can be described as an application proxy server, because Exchange understands protocols such as the mail protocols, depending on data type, and can figure out whether the data source is acceptable or even corrupted. If you have set up Exchange 2003 properly, you won't need a separate proxy server and you don't need a firewall.

    TCP Port Filtering:

    - SMTP: 25 (the mail protocol we use to transfer mail and route mail to different systems)
    - HTTP: 80 (for Web access)
    - Kerberos: 88 (handles the authentication/ticketing system)
    - MTA-X.400 over TCP/IP: 102 (Message Transport Agent)
    - POP3: 110 (used to store/retrieve messages over the Internet)
    - NNTP: 119 (news protocol)
    - RPC Exchange: 135
    - IMAP4: 143 (newer protocol for client access to Exchange)
    - LDAP: 389 (used to query AD Global Catalog servers)
    - HTTP with SSL: 443
    - NNTP with SSL: 563
    - LDAP with SSL: 636
    - IMAP with SSL: 993
    - POP3 with SSL: 995

    Lookups in AD:
    - Global Catalog: 3268 & 3269

    TCP allows two separate hosts to establish a connection and exchange data, and many of the services used over the Internet use different TCP ports, so it is important for us to decide which ports we want to leave open and which ports we want to close off.
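An added example (not part of the original notes): a small Python audit that compares the ports a firewall permits at the Internet edge with the port table in this section. The sample open-port set and the set of required services are constructed for illustration.

```python
# TCP port -> service, exactly as listed in the port table on this page.
EXCHANGE_PORTS = {
    25: "SMTP", 80: "HTTP", 88: "Kerberos", 102: "MTA-X.400 over TCP/IP",
    110: "POP3", 119: "NNTP", 135: "RPC Exchange", 143: "IMAP4",
    389: "LDAP", 443: "HTTP with SSL", 563: "NNTP with SSL",
    636: "LDAP with SSL", 993: "IMAP with SSL", 995: "POP3 with SSL",
    3268: "Global Catalog", 3269: "Global Catalog",
}

# Cleartext port -> the "with SSL" port the same table lists for it.
SSL_VARIANT = {80: 443, 110: 995, 119: 563, 143: 993, 389: 636}


def audit_edge(open_ports, required_ports):
    """Compare the ports a firewall permits with the ports the business needs.

    Returns a list of (port, finding) tuples sorted by port number.
    """
    open_ports, required_ports = set(open_ports), set(required_ports)
    findings = []
    for port in open_ports:
        service = EXCHANGE_PORTS.get(port)
        if service is None:
            findings.append((port, "open, but not in the Exchange port table"))
        elif port not in required_ports:
            findings.append((port, f"{service} is open but not required"))
        elif port in SSL_VARIANT:
            findings.append(
                (port, f"{service} is cleartext; SSL variant is port {SSL_VARIANT[port]}"))
    for port in required_ports - open_ports:
        service = EXCHANGE_PORTS.get(port, "unknown service")
        findings.append((port, f"{service} is required but blocked"))
    return sorted(findings)


# Constructed sample: ports permitted from the Internet to a front-end server,
# and the services this hypothetical organization has decided to publish.
SAMPLE_OPEN = {25, 80, 110, 443, 3389}
SAMPLE_REQUIRED = {25, 110, 443, 993}

if __name__ == "__main__":
    for port, finding in audit_edge(SAMPLE_OPEN, SAMPLE_REQUIRED):
        print(f"{port:>5}  {finding}")
```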

    Internet Connection firewall (ICF):

    Used under secure


    You can add any other services to this.

    Configuring Exchange 2003 for RPC over HTTP

    1. Set up the front-end server as an RPC proxy server.
    2. Enable basic authentication in IIS for the RPC virtual directory.
    3. Hack the registry to open ports.
    4. Open the same ports in the firewall to the back-end servers.
    5. Create a profile on Outlook clients.

    Let us configure the front-end server (nugget1) to use RPC over HTTP.

    Start → Control Panel → Add/Remove Programs → Add/Remove Windows Components → Networking Services → RPC over HTTP Proxy

    To configure the RPC virtual directory:

    Start → Administrative Tools → IIS


    Web Sites → Default Web Site → RPC → right-click → Properties → Directory Security → Authentication and access control → disable Anonymous Access → Basic Authentication → Yes → OK

    Hacking the Registry

    Start → Run → regedit → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy → ValidPorts → Modify

    To learn more, you can download the Ex2k3RPC_HTTP_Deploy.exe document.

    Virus Protection Measures:

    Virus:

    - A chunk of executable code that latches on to files or applications. It replicates and proliferates from host to host over the network.
    - Requires a host computer and can also deliver a payload. Usually it consumes bandwidth, memory and disk storage.

    Worm:

    - Replicates like a virus but doesn't need a host program. Usually does its damage when the operating system or program copies data.

    Trojan horse:

    - A program that masquerades (hides itself) as something harmless (system tool or game) but is potentially dangerous. Generally comes through e-mail or floppy but does not replicate like a worm or virus.

    Anti-virus protections:

    1. Install updated software.
    2. Educate users.
    3. Verify compatibility and vendor support.
    4. Performance effect?
    5. Safeguards against all threats?
    6. Inbound and outbound scanning.
    7. Automatic updates?
    8. Client, Information Store, Transport, Firewall.

    Chapter 6: Exchange Server 2003 Security Part 2

    - Exchange mailbox security.
    - Digital signatures and encryption.
    - Disabling unnecessary services.
    - Protocol logging.


    Securing mailboxes in Exchange 2003

    - Message filtering matches established rules to e-mail headers and body text.
    - OWA and Outlook 2003 have a Junk E-mail tool.
    - For Exchange 2003 filtering, configure the properties of the Global Message Delivery object to generate global filters.
    - The SMTP virtual server is set up to use filters.

    Client-side Junk E-mail feature tool:


    Relay Blocking Lists (RBL)

    - Published lists of known sources of junk e-mail and spam
    - www.Mail-Abuse.org
    - Not 100% foolproof!!
    - Exchange 2003 connection filtering can subscribe to an RBL

    Configuring Connection Filtering: we are going to configure our DNS lookups to check the Relay Blocking Lists.


    To manually block a spammer or any junk e-mail provider for the entire domain.
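An added example (not part of the original notes, and not Exchange's own code) of what the DNS lookup against a blocking list and the manual block described above amount to: the connecting IP's octets are reversed and queried under the list's DNS zone, and an answer in 127.0.0.0/8 means "listed" (the convention documented in RFC 5782). The zone name, addresses, stub resolver and deny list are constructed; checking the manual deny list first and accepting mail when a list is unreachable are assumptions of this sketch.

```python
import ipaddress


def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the list's DNS zone."""
    ip = ipaddress.IPv4Address(client_ip)      # raises ValueError on bad input
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def is_listed(answers):
    """Listed means one or more A records inside 127.0.0.0/8.

    None or an empty list (NXDOMAIN) means not listed. Answers outside
    127.0.0.0/8 are ignored, so a wildcarded zone cannot cause a block.
    """
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers or [])


def filter_connection(client_ip, zones, resolve, deny_nets=()):
    """Return (verdict, reason) for a connecting SMTP client.

    resolve(name) returns a list of A-record strings or None for NXDOMAIN,
    and may raise OSError when the lookup itself fails.
    """
    ip = ipaddress.IPv4Address(client_ip)
    for net in deny_nets:                      # manual block list (assumed first)
        if ip in ipaddress.ip_network(net):
            return "reject", "manual deny " + net
    for zone in zones:
        try:
            answers = resolve(dnsbl_query_name(client_ip, zone))
        except OSError:
            continue                           # assumed policy: fail open
        if is_listed(answers):
            return "reject", "listed by " + zone
    return "accept", "not listed"


# Constructed data: a stub resolver standing in for real DNS lookups.
SAMPLE_ZONE = "rbl.example.test"               # placeholder zone name
SAMPLE_DNS = {
    "99.2.0.192.rbl.example.test": ["127.0.0.2"],      # listed sender
    "7.113.0.203.rbl.example.test": ["198.51.100.1"],  # bogus non-127 answer
}


def stub_resolve(name):
    return SAMPLE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.25", "203.0.113.7", "192.0.2.10"):
        print(ip, filter_connection(ip, [SAMPLE_ZONE], stub_resolve,
                                    deny_nets=["198.51.100.0/24"]))
```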
