Configure Disjoint Namespace


Page 1: Configure Disjoint Namespace

Configure disjoint namespace 

Estimated time to complete: 20 minutes

By default, the primary Domain Name System (DNS) suffix portion of a computer's fully qualified domain name (FQDN) is the same as the name of the Active Directory domain where the computer is located. When the primary DNS suffix portion of a computer's FQDN is different from the Active Directory domain where the computer is located, this is known as a disjoint namespace.

To run Exchange 2010 in a disjoint namespace, there are two tasks you must perform:

Configure the DNS suffix search list.

Create a list of allowed suffixes by modifying the value for the msDS-AllowedDNSSuffixes attribute of the domain object container. For more information about the msDS-AllowedDNSSuffixes attribute, download this topic from the Windows Server Help and Support Center: Domain Rename Procedure

How do I configure the DNS suffix search list?

You'll use the Group Policy Management Console (GPMC) to get this task done. If you're running Windows Server 2008, GPMC is installed by default. If you're running Exchange 2003, you can download GPMC from: Group Policy Management Console with Service Pack 1

1. Open the GPMC on a Windows directory server in your domain by clicking Start > Programs > Administrative Tools > Group Policy Management.

2. In Group Policy Management, expand the forest and the domain in which you will apply Group Policy. Right-click Group Policy Objects, and then click New.

3. In New GPO, type a name for the policy, and then click OK.

4. Right-click the new policy that you created in Step 3, and then click Edit.

5. In Group Policy Object Editor (Group Policy Management Editor in Windows Server 2008) expand Computer Configuration, (expand Policies in Windows Server 2008), expand Administrative Templates, expand Network, and then click DNS Client.

6. Right-click DNS Suffix Search List, and then click Properties.

7. On the DNS Suffix Search List Properties page, select Enabled. In the DNS Suffixes box, type the primary DNS suffix of the disjoint computer, the DNS domain name, and any additional namespaces for other servers with which Exchange may interoperate, such as monitoring servers or servers for third-party applications. Click OK.

8. In Group Policy Management, expand Group Policy Objects, and then select the policy that you created in Step 3. On the Scope tab, in the Security Filtering area, click Add to scope the policy so that it applies to only the computers that are disjoint.
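
The two prerequisites above can be checked from the disjoint computer itself. The following is an added example, not part of the original guide; the function name Test-DisjointNamespace is hypothetical, and it assumes a domain-joined computer whose account may read the domain object.

```powershell
# Added example (not from the original guide): checks the disjoint-namespace
# prerequisites described above on the local computer.
# Assumes a domain-joined computer and permission to read the domain object.
function Test-DisjointNamespace {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { throw 'This computer is not joined to a domain.' }
    $adDomain = $cs.Domain.ToLower()

    # Primary DNS suffix of this computer, as reported by the IP stack.
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $primarySuffix = $ipProps.DomainName.ToLower()

    # Search list delivered by the "DNS Suffix Search List" policy setting
    # (stored in the registry as one comma-separated string).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $searchList = @()
    if ($policy -and $policy.SearchList) {
        $searchList = @($policy.SearchList.ToLower() -split ',' |
            ForEach-Object { $_.Trim() })
    }

    # Values of msDS-AllowedDNSSuffixes on the domain object.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domainObject = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)
    $allowed = @($domainObject.Properties['msDS-AllowedDNSSuffixes'] |
        ForEach-Object { ([string]$_).ToLower() })

    $isDisjoint = ($primarySuffix -ne $adDomain)

    # The guide asks for both the primary DNS suffix and the DNS domain name
    # in the search list; report whichever of the two is absent.
    $missing = @($primarySuffix, $adDomain |
        Where-Object { $searchList -notcontains $_ })

    New-Object PSObject -Property @{
        ADDomain              = $adDomain
        PrimaryDnsSuffix      = $primarySuffix
        IsDisjoint            = $isDisjoint
        # Only a disjoint suffix needs to be listed in the attribute.
        SuffixAllowed         = ((-not $isDisjoint) -or ($allowed -contains $primarySuffix))
        AllowedSuffixes       = ($allowed -join ', ')
        MissingFromSearchList = ($missing -join ', ')
    } | Select-Object ADDomain, PrimaryDnsSuffix, IsDisjoint, SuffixAllowed,
        AllowedSuffixes, MissingFromSearchList
}

Test-DisjointNamespace | Format-List
```

An empty MissingFromSearchList together with SuffixAllowed set to True means both tasks are in place for this computer.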

Install the Client Access server role  

Estimated time to complete: 45 minutes

The Client Access role is one of five server roles in Exchange 2010. It's also the first server role that must be installed. The Client Access role enables access to mailbox data through a variety of clients, such as Microsoft Office Outlook, Outlook Anywhere, Outlook Web App, POP3, and IMAP4, and it also hosts Exchange Web services, such as the Autodiscover service and the Availability service.

Learn more at: Understanding the Client Access Server Role

Although you can deploy each server role on a single server, we recommend that you deploy multi-role servers in certain scenarios.

Learn more at: Understanding single and multi-role server installations

We recommend installing the latest update rollup for Exchange 2010 on all your servers. Although you can install update rollups on a server after Exchange 2010 has been installed, it's also possible and less time-consuming to incorporate the update rollup into the server installation process. To do this, copy the contents of the Exchange 2010 DVD to the file system, and then copy or move the downloaded update rollup file to the Updates folder in the installation tree. When you perform the procedure below, the update rollup will be installed as part of the initial installation process.

To download the latest update rollup for Exchange 2010, visit: Microsoft Download Center

Important:

When you upgrade your organization to the RTM version of Exchange 2010, your clients running Outlook 2003 don’t use RPC encryption, and RPC Client Access requires it by default. This can cause connection issues between Exchange 2010 and Outlook 2003. In Exchange 2010 SP1, RPC Client Access doesn't require RPC encryption by default. If you have Outlook 2003 clients within your organization, we recommend that you install Exchange 2010 SP1 to avoid connection issues between Exchange 2010 SP1 and Outlook 2003. For more information, see Understanding RPC Client Access. 

How do I do this?

You'll use the Exchange Server 2010 Setup wizard to install the Client Access role.

Important:

When you install the first Exchange 2010 server role, Exchange 2010 prepares your Windows schema and forest before installing the server role. The amount of time that forest preparation and replication takes depends on your Active Directory site topology. 

1. Insert the Exchange 2010 DVD into the DVD drive. When the AutoPlay dialog appears, click Run Setup.exe under Install or run program. If the AutoPlay dialog doesn't appear, navigate to the root of the DVD and double-click Setup.exe. Alternatively, browse to the location of your Exchange 2010 installation files and double-click Setup.exe.

2. The Exchange Server 2010 Setup welcome screen appears. In the Install section, the software listed for Step 1: Install .NET Framework 3.5 SP1 and Step 2: Install Windows PowerShell v2 was installed with the Exchange 2010 prerequisites. If these prerequisites aren't already installed, click the appropriate step to install them.

3. When Step 1, Step 2, and Step 3 are listed as Installed, click Step 4: Install Microsoft Exchange.

Note:

After your installation is complete, you can return to complete Step 5: Get critical updates for Microsoft Exchange. 

4. On the Introduction page, click Next.

5. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and click Next.

6. On the Error Reporting page, select Yes or No to enable the Exchange Error Reporting feature, and click Next.

7. On the Installation Type page, select Custom Exchange Server Installation. For Exchange 2010 SP2, you can select to automatically install all required Windows roles and features for this server. If you want to change the installation path for Exchange 2010, click Browse, locate the appropriate folder in the folder tree, and then click OK. Click Next.

8. On the Server Role Selection page, select the Client Access Role, (or other server roles you want to install) and click Next. The Management Tools option, which installs the Exchange Management Console and the Exchange Management Shell, will also be selected and installed.

9. Use the Configure Client Access Server external domain page to configure an external fully qualified domain name (FQDN). This is the FQDN that you give to Outlook Web App, Outlook Anywhere, and Exchange ActiveSync users to connect to Exchange 2010. Select the check box, enter your FQDN, and then click Next.

10. On the Customer Experience Improvement Program page, optionally join in the Exchange Customer Experience Improvement Program (CEIP). The CEIP collects anonymous information about how you use Exchange 2010 and any problems that you encounter. To join the CEIP, select Join the Customer Experience Improvement Program, choose the industry that best represents your organization, and then click Next.

11. On the Readiness Checks page, review the Summary to determine if the system and server are ready for the Client Access role to be installed. If all prerequisite checks completed successfully, click Install. If any of the prerequisite checks failed, you must resolve the displayed error before you can proceed with installing Exchange. In many cases, you don't need to exit Setup while you're fixing issues. After you resolve an error, click Retry to run the prerequisite check again. Also, be sure to review any warnings that are reported.

12. The Progress page displays the progress and elapsed time for each phase of the installation. As each phase ends, it's marked completed and the next phase proceeds. If any errors are encountered, the phase will end as incomplete and unsuccessful. If that happens, you must exit Setup, resolve any errors, and then restart Setup.

13. When all phases have finished, the Completion page displays. Review the results, and verify that each phase completed successfully. Clear the check box for Finalize this installation using the Exchange Management Console, and then click Finish to exit Setup.

14. When you're returned to the Setup welcome screen, click Close. On the Confirm Exit prompt, click Yes.

15. Restart the computer to complete the installation of the Client Access role.

Create a Client Access Server Array

If you're installing multiple Client Access servers in one Active Directory site, you can create a Client Access server array. This is a load-balanced group of Client Access server computers that can be accessed through a single URL. Creating a Client Access array reduces the number of fully qualified domain names (FQDN) you need to have on your certificate, and it allows all users in one Active Directory site to access Exchange 2010 through a single URL.

After you've completed the installation of your first Client Access server computer, you can start creating your Client Access server array.

To create a new Client Access server array, run the following command using the Exchange Management Shell.

New-ClientAccessArray -FQDN ClientArray.contoso.com -Site "YourSite" -Name "clientarray.contoso.com"

There can only be one Client Access array per Active Directory site. After you've created the array, you can manage which Client Access server computers are part of the array through your load balancer configuration.

If you're unfamiliar with the Shell, learn more at: Overview of Exchange Management Shell

How do I know this worked?

The successful completion of the Exchange Setup wizard will be your first indication that the installation process worked as expected. To further verify that the Client Access server role installed successfully, you can run Get-ExchangeServer <server name> | Format-List in the Exchange Management Shell, which you can start from the Exchange Server 2010 program group on the Windows Start Menu. This cmdlet outputs a list of the Exchange 2010 server roles that are installed on the specified server.

You can also check the Exchange setup log (ExchangeSetup.log), located in <system drive>\ExchangeSetupLogs to verify that the Client Access role was installed as expected.

Learn more at: Verifying an Exchange 2010 Installation

Add digital certificates on the Client Access server  

Estimated time to complete: 30 minutes

For secure external access to Exchange, you'll need a digital certificate. This certificate will include an exportable private key in X.509 format (DER encoded binary or Base-64 encoded). We recommend you procure, import, and enable a Subject Alternative Name (SAN) certificate that contains the names for the current namespace, a legacy namespace, and the Autodiscover namespace.

The names you need to include in your Exchange certificate are the fully qualified domain names (FQDNs) used by client applications to connect to Exchange. For example, a company named Contoso that uses contoso.com can use just three hostnames for all client connectivity within an Active Directory site:

mail.contoso.com   This name can cover nearly all client connections to Exchange, including Microsoft Office Outlook, Outlook Anywhere, offline address book (OAB) downloads (by Outlook), Exchange Web Services (for Outlook 2007 and later, and Entourage 2008), POP3, IMAP4, SMTP (both client and other SMTP server connections), Outlook Web App, the Exchange Control Panel, Exchange ActiveSync, and Unified Messaging.

autodiscover.contoso.com   This name is used for Autodiscover, which is used by Outlook 2007 and later, Outlook Anywhere, Exchange ActiveSync, Exchange Web Services clients, and Windows Mobile 6.1 and later.

legacy.contoso.com   This name is used to maintain Internet access to an older version of Exchange while you transition to Exchange 2010. This is necessary during transition because some Exchange services (for example, Outlook Web App, Exchange ActiveSync, and services that send configuration information through Autodiscover) tell clients to connect directly with the old Exchange servers if they see requests to access a mailbox on an older version of Exchange.

In addition to these three names, your root domain (for example, contoso.com) will also be added as a name.

There are three steps to adding certificates to your Client Access server(s):

1. If you don't already have a digital certificate, you can use the New Certificate Request Wizard in Exchange 2010 to generate a certificate request file, which you can then submit to your selected Certification Authority.

2. After you have the digital certificate from your Certification Authority, you then complete the certificate request process by importing the certificate into your Client Access server.

3. After the certificate has been imported, you assign one or more client access services to it.

Before proceeding with these steps, we recommend that you review this topic: Understanding Digital Certificates and SSL

In addition, the configuration settings used in the Deployment Assistant assume that you’re using split DNS for client access. Learn more at: Understanding DNS requirements

Finally, if your Exchange 2003 server isn’t currently configured to use SSL for client access, you’ll need to enable SSL to secure the communications between the client messaging applications and the Exchange front-end server. You’ll also need to install the SSL certificate on the Exchange 2003 front-end server. Learn more at: Exchange Server 2003 Client Access Guide

How do I create a certificate request file for a new certificate?

You can use the New Exchange Certificate wizard to create your certificate request.

1. In the Console tree, click Server Configuration.

2. From the Actions pane, click New Exchange Certificate to open the New Exchange Certificate wizard.

3. On the Introduction page, enter a friendly name for the certificate (for example, Contoso.com Exchange certificate) and then click Next.

4. On the Domain Scope page, if you plan on using a wildcard certificate, check the box for Enable wildcard certificate, enter the root portion of your domain (for example contoso.com or *.contoso.com), and then click Next. If you're not using a wildcard certificate, just click Next.

Note:

It's a best practice to not use wildcard certificates because they represent a potential security risk. Like a SAN certificate, a wildcard certificate (for example, *.contoso.com) can support multiple names. There are security implications to consider because the certificate can be used for any sub-domain, including those outside the control of the actual domain owner. A more secure alternative is to list each of the required domains as Subject Alternative Names in the certificate. By default, this approach is used when certificate requests are generated by Exchange. 

5. On the Exchange Configuration page, expand and configure each area as follows:

1. Federated Sharing   Federated Sharing allows you to enable users to share information with recipients in external federated organizations by creating organization relationships between two Exchange 2010 organizations, or using a sharing policy to allow users to create sharing relationships on an individual basis. If you plan on using this feature, expand Federated Sharing and select the Public certificate check box.

2. Client Access server (Outlook Web App)   Expand this option and select the check box(es) that are appropriate for your Outlook Web App usage (Intranet and/or Internet). If you're using Outlook Web App internally, then in the Domain name you use to access Outlook Web App internally field, remove the existing server names and enter the FQDN you configured for external access to the Client Access server during Setup of the Client Access server (for example, mail.contoso.com). This is the same FQDN that is listed in the domain name field for Outlook Web App on the Internet.

3. Client Access server (Exchange ActiveSync)   Exchange ActiveSync should already be selected and the domain name field should be configured with the same FQDN used for Outlook Web App.

4. Client Access server (Web Services, Outlook Anywhere, and Autodiscover)   Exchange Web Services, Outlook Anywhere, and Autodiscover on the Internet should already be selected. Outlook Anywhere should already be configured to use two FQDNs: one that is the same FQDN used by Outlook Web App (for example, mail.contoso.com) and one that is the root domain for that FQDN (for example, contoso.com). Autodiscover should already be configured to use a long URL, which should automatically be configured as autodiscover.rootdomain (for example, autodiscover.contoso.com).

5. Client Access server (POP/IMAP)   If you plan on using secure POP or secure IMAP internally or over the Internet, expand this option and select the appropriate check box. In the domain name field for each protocol, remove the individual server names and enter the same FQDN you're using for Outlook Web App.

6. Unified Messaging server   If you plan on using Unified Messaging (UM) features, you can use a certificate that is self-signed by an Exchange 2010 UM server (which is the default option). If you're integrating UM with Office Communications Server (OCS), you'll need to use a public certificate. We recommend using a separate certificate for UM and OCS integration.

7. Hub Transport server   Hub Transport servers can use certificates to secure Internet mail, as well as POP and IMAP client submission. If you plan on using mutual TLS or if you're using POP or IMAP clients and want to secure their SMTP submissions, select the appropriate check box and in the FQDN field, enter the same FQDN you're using for Outlook Web App.

8. Legacy Exchange Server   This option is used to add the legacy namespace to the certificate, which will be used only during the period of coexistence between Exchange 2010 and the legacy version(s). Expand this option, select the Use legacy domains check box, and in the FQDN field, enter the FQDN you are using for your legacy namespace.

6. On the Certificate Domains page, review the list of domains that will be added to the certificate. If the names are correct, click Next. If any names are missing or incorrect, you can click Add to add missing names, or select a name and click Edit to modify the name. Click Next.

7. On the Organization and Location page, fill in the Organization, Organization unit, Location, Country/region, City/locality, and State/province fields. Click Browse and browse to the location where you want the certificate request file created. In the File name field, enter a name for the request file (for example, Exchange Certificate Request.req) and click Save. Click Next.

8. On the Certificate Configuration page, review the configuration summary. If any changes need to be made, click Back, and make the necessary changes. If everything is correct, click New to generate the certificate request file.

9. On the Completion page, review the output of the wizard. Click Finish to close the wizard.

10. Transmit the certificate request file to your selected Certification Authority, who will then generate the certificate and transmit it to you. After you have the certificate file, you can use the Complete Pending Request wizard to import the certificate file into Exchange 2010.

11. In the Console tree, click Server Configuration.

12. In the Work pane, right-click the certificate request you created and click Complete Pending Request.

13. On the Introduction page, click Browse to select the certificate file provided to you by your selected Certification Authority. Enter the private key password for the certificate, and then click Complete.

14. On the Completion page, verify that the request completed successfully. Click Finish to close the Complete Pending Request wizard.

How do I assign services to the certificate?

You can use the Assign Services to Certificate wizard to assign the appropriate services to the imported certificate.

1. After the certificate has been successfully imported, you can assign services to it. Select the certificate in the Work pane, and then from the Actions pane, click Assign Services to Certificate to open the Assign Services to Certificate wizard.

2. On the Select Servers page, the Exchange server into which you imported the certificate is shown. Click Next.

3. On the Select Services page, select the check box for each service you want assigned to the selected certificate and then click Next. For example, select the check box for Internet Information Services (IIS) to assign services for Outlook Web App, Exchange ActiveSync, and other Exchange services that are integrated with IIS.

4. On the Assign Services page, review the configuration summary. If any changes need to be made, click Back. If the configuration summary is correct, click Assign to assign the specified services to the selected certificate.

5. On the Completion page, verify that each step completed successfully. Click Finish to close the wizard.

How do I install the certificate on the legacy Exchange server?

In addition to installing the SSL certificate on the Exchange 2010 Client Access server, you'll also need to install the certificate on the Exchange 2007 Client Access server or the Exchange 2003 server so that users with mailboxes on Exchange 2007 or Exchange 2003 can use SSL to connect to their mailboxes.

Note:

If you'll be moving all mailboxes from Exchange 2003 or Exchange 2007 to Exchange 2010 over a short period of downtime, such as a weekend, you can skip these steps. 

Before you install the digital certificate on the legacy Exchange server you must first export it from the Exchange 2010 Client Access server. To export your digital certificate, use the following steps.

1. Export the digital certificate to the variable $file using the following command.

$file = Export-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -BinaryEncoded:$true -Password (Get-Credential).password

2. The following command uses the Set-Content cmdlet to write data stored in the variable $file to the file htcert.pfx.

Set-Content -Path "c:\certificates\htcert.pfx" -Value $file.FileData -Encoding Byte

To install a digital certificate on an Exchange 2003 server, use the following steps.

1. Copy the exported certificate to a location that can be accessed from the Exchange 2003 server.

2. Click Start, Run, type MMC, and then click OK.

3. In the left hand pane, expand Certificates (Local Computer), and then select the Personal node.

4. Right-click Certificates, click All Tasks, and then click Import to launch the Certificate Import Wizard. Click Next.

5. Enter the password you used when you exported the PFX file, select the Mark the private key as exportable check box and then click Next.

6. Select Automatically select the certificate store based on the type of certificate, click Next, and then click Finish.

To install a digital certificate on an Exchange 2007 server, use the following steps.

1. Copy the exported certificate to a location that can be accessed from the Exchange 2007 server.

2. Using the Exchange Management Shell, run the following command.

Import-ExchangeCertificate -Path c:\certificates\import.pfx -Password:(Get-Credential).password

How do I know this worked?

The successful completion of the New Exchange Certificate, Complete Pending Request, and Assign Services to Certificate wizards will be your first indication that the certificate request, import, and assignment worked as expected. To further verify that your certificate was imported and assigned correctly, you can perform the following steps from the Exchange 2010 Client Access server computer.

1. In the Console tree, click Server Configuration.

2. In the Result pane, select the server that contains the certificate, and then in the Work pane, select the certificate you want to view.

3. From the Actions pane, click Open. You can view information about the certificate on the General, Details, and Certification Path pages of the Exchange Certificate dialog box.
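
The same verification can be done from the Exchange Management Shell, including the name coverage and wildcard points discussed earlier in this section. This is an added example, not part of the original guide; the function name Test-CasCertificate is hypothetical and the default names are the contoso.com examples used above.

```powershell
# Added example (not from the original guide): audits every certificate that
# has the IIS service assigned on this server.
# $RequiredNames defaults to the contoso.com example names from this section;
# replace them with your own namespaces.
function Test-CasCertificate {
    param(
        [string[]]$RequiredNames = @('mail.contoso.com', 'autodiscover.contoso.com',
                                     'legacy.contoso.com', 'contoso.com'),
        [int]$WarnDays = 30
    )

    Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | ForEach-Object {
        $cert  = $_
        $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

        # Wildcard entries such as *.contoso.com (the guide recommends listing
        # each name as a Subject Alternative Name instead).
        $wildcards = @($names | Where-Object { $_.StartsWith('*.') })

        # A required name is covered by an exact match, or by a wildcard for
        # its parent domain. A wildcard never covers the root domain itself.
        $missing = @($RequiredNames | Where-Object {
            $n = $_.ToLower()
            $parent = $n.Substring($n.IndexOf('.') + 1)
            ($names -notcontains $n) -and ($names -notcontains "*.$parent")
        })

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Services      = $cert.Services
            Status        = $cert.Status
            SelfSigned    = $cert.IsSelfSigned
            NotAfter      = $cert.NotAfter
            ExpiresSoon   = ($daysLeft -lt $WarnDays)
            WildcardNames = ($wildcards -join ', ')
            MissingNames  = ($missing -join ', ')
        } | Select-Object Thumbprint, Services, Status, SelfSigned, NotAfter,
            ExpiresSoon, WildcardNames, MissingNames
    }
}

Test-CasCertificate | Format-List
```

A certificate that is ready for external client access shows an empty MissingNames, SelfSigned set to False, and ExpiresSoon set to False.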

  Configure Outlook Anywhere  

Estimated time to complete: 15 minutes

Outlook Anywhere eliminates the need for users in remote offices or mobile users to have to use a VPN to connect to their Exchange servers. Although Outlook Anywhere is an optional component of Exchange 2010, we recommend its use if you have external clients that will connect to Exchange 2010. Outlook Anywhere provides access to a user's mailbox via RPC over HTTPS.

As with any external client access method, there are security implications to consider when deploying Outlook Anywhere. Before making the decision to deploy Outlook Anywhere, you should read: Understanding Security for Outlook Anywhere

Learn more at: Understanding Outlook Anywhere

How do I do this?

The Enable Outlook Anywhere wizard helps you with this task.

1. In the console tree, navigate to Server Configuration > Client Access.

2. In the action pane, click Enable Outlook Anywhere.

3. On the Outlook Anywhere tab:

o Type the external host name or URL for your organization in External host name. The external host name should be the FQDN you entered when installing the Client Access server role, which is the existing host name. For example, mail.contoso.com.

o Select either Basic authentication or NTLM authentication.

Important:

Don’t select Negotiate Ex authentication. It’s an authentication type that's reserved for future Microsoft use. If you select this setting, authentication will fail. 

o If you're using an SSL accelerator and you want to use SSL offloading, select Allow secure channel (SSL) offloading.

Important:

Don't use this option unless you're sure that you have an SSL accelerator that can handle SSL offloading. If you don't have an SSL accelerator that can handle SSL offloading, and you select this option, Outlook Anywhere won't function correctly. 

4. Click Enable to apply these settings and enable Outlook Anywhere.

How do I know this worked?

Outlook Anywhere will be enabled on your Client Access server after a configuration period of approximately 15 minutes. To verify that Outlook Anywhere has been enabled, check the application event log on the Client Access server. The following events will be logged in the event log.

EventID 3007 MSExchange RPC over HTTP Autoconfig
EventID 3003 MSExchange RPC over HTTP Autoconfig
EventID 3004 MSExchange RPC over HTTP Autoconfig
EventID 3006 MSExchange RPC over HTTP Autoconfig

You can also use the Exchange Remote Connectivity Analyzer (ExRCA) to verify that Outlook Anywhere has been enabled and configured correctly. ExRCA is a free Web-based tool provided by Microsoft. You can find ExRCA at https://www.testexchangeconnectivity.com
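
The event log check described above can be scripted on the Client Access server. This is an added example, not part of the original guide; the function name Test-OutlookAnywhereEvents and the 24-hour window are assumptions.

```powershell
# Added example (not from the original guide): reports which of the four
# events listed above were logged recently by the Autoconfig source, then
# shows the Outlook Anywhere settings that were applied.
function Test-OutlookAnywhereEvents {
    param([int]$Hours = 24)   # look-back window; 24 hours is an assumption

    $source      = 'MSExchange RPC over HTTP Autoconfig'
    $expectedIds = 3003, 3004, 3006, 3007

    # Get-EventLog raises an error when nothing matches, so suppress it and
    # treat that case as "no events found".
    $events = @(Get-EventLog -LogName Application -Source $source `
        -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue)

    foreach ($id in $expectedIds) {
        $hits = @($events | Where-Object { $_.EventID -eq $id } |
            Sort-Object TimeGenerated -Descending)

        $lastSeen = $null
        if ($hits.Count -gt 0) { $lastSeen = $hits[0].TimeGenerated }

        New-Object PSObject -Property @{
            EventID  = $id
            Logged   = ($hits.Count -gt 0)
            LastSeen = $lastSeen
        } | Select-Object EventID, Logged, LastSeen
    }
}

Test-OutlookAnywhereEvents | Format-Table -AutoSize

# Settings chosen in the Enable Outlook Anywhere wizard, for comparison with
# what you intended (run in the Exchange Management Shell).
Get-OutlookAnywhere |
    Format-List ServerName, ExternalHostname, ClientAuthenticationMethod, SSLOffloading
```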

Configure OAB and Web Services virtual directories  

Estimated time to complete: 10 minutes

To enable Outlook Anywhere clients to discover and automatically connect to Exchange 2010, you must configure the offline address book (OAB) and Exchange Web Services virtual directories. This step is only necessary if you'll be using Exchange Web Services, Outlook Anywhere, or the offline address book. If you haven't enabled Outlook Anywhere, and you don't plan on using Exchange Web Services for programmatic access to Exchange mailbox information, you can skip this step.

Learn more at: Understanding Offline Address Books and Configure External Client Access Namespaces

How do I do this?

You must use the Exchange Management Shell to configure OAB and Exchange Web Services virtual directory settings.

If you're unfamiliar with the Shell, learn more at: Overview of Exchange Management Shell

1. Configure the external URL for the offline address book using the following syntax.

Set-OABVirtualDirectory -Identity "CAS01\OAB (Default Web Site)" -ExternalUrl https://mail.contoso.com/OAB -RequireSSL:$true

2. Configure the external URL for Exchange Web Services using the following syntax.

Set-WebServicesVirtualDirectory -Identity "CAS01\EWS (Default Web Site)" -ExternalUrl https://mail.contoso.com/EWS/Exchange.asmx -BasicAuthentication:$True

How do I know this worked?

To verify that these steps were completed successfully, run the following commands to verify the ExternalURL property is set correctly on both virtual directories.

Get-OABVirtualDirectory -Identity "CAS01\OAB (Default Web Site)"
Get-WebServicesVirtualDirectory -Identity "CAS01\EWS (Default Web Site)"

Configure additional virtual directory settings  

Estimated time to complete: 15 minutes

During the installation of the Client Access server role, virtual directories are created for the Autodiscover service, Exchange ActiveSync, Outlook Web App, the Exchange Control Panel, PowerShell, Exchange Web Services, and public folders. Legacy virtual directories are also created for coexistence. You can configure a variety of settings on those virtual directories, including authentication and SSL. For Active Directory sites that are accessible from outside an external firewall such as Internet Security and Acceleration Server (ISA), you'll also need to configure publishing rules for the various virtual directories that are accessible from the Internet, including the Exchange ActiveSync virtual directory, the Autodiscover service virtual directory, and the Outlook Web App virtual directory.

Learn more at: Understanding virtual directories

How do I do this?

Perform the following steps from the computer that has the Exchange 2010 Client Access server role installed.

1. In the Console tree, navigate to Server Configuration > Client Access.

2. In the Result pane, select the Client Access server you want to configure.

3. In the Work pane, click the tab that corresponds to the virtual directory whose settings you want to configure (Outlook Web App, Exchange Control Panel, Exchange ActiveSync), and then click the virtual directory.

4. In the Actions pane, under the virtual directory name, click Properties.

5. Edit any of the settings on the tabs. (If you need more information about the settings, click F1 while you're on a tab.) Common settings to be configured are:

   1. External URL   This is the URL used to access the Web site from the Internet. The value for this URL should have been set during installation of the Client Access server role.

   2. Authentication   You can specify a variety of authentication options, as well as specify the sign-in format and sign-in domain.

   3. Direct File Access   For Outlook Web App, you can configure direct file access settings for public and private computers.

   4. Private Computer File Access   For Outlook Web App, you can configure direct file access settings for users who choose the private option when logging in.

6. Click OK to confirm your changes.

Note:

To configure publishing rules for external access to virtual directories, see: Configure External Client Access Namespaces

7. Configure the Exchange2003URL parameter   This parameter is only necessary when you have users with mailboxes on Exchange 2003 at the same time as users with mailboxes on Exchange 2010. In that case, set this parameter to the legacy DNS endpoint, for example, http://legacy.contoso.com. This parameter can be set with the following code.

Set-OWAVirtualDirectory -Identity "CASServer\owa (Default Web Site)" -Exchange2003URL https://legacymail.contoso.com/exchange

This parameter must be configured in the Exchange Management Shell. For more information about the Shell, see Overview of Exchange Management Shell

How do I know this worked?

How you confirm whether your settings were applied varies by the setting.

To verify that the external URL has been configured correctly for Exchange ActiveSync or Outlook Web App, you can use the Exchange Remote Connectivity Analyzer (ExRCA), a free Web-based tool provided by Microsoft.

You can find ExRCA at https://www.testexchangeconnectivity.com

To verify that authentication has been configured correctly for Exchange ActiveSync or Outlook Web App, you can also use ExRCA.

To verify that direct file access has been configured correctly for Outlook Web App, log on as a user to Outlook Web App using the public computer option and then try to access and save a file attached to an e-mail message.

Install the Hub Transport server role  

Estimated time to complete: 20 minutes

The Hub Transport server role is responsible for internal mail flow for the Exchange organization. It handles all mail flow inside the organization, applies transport rules, applies journaling policies, and delivers messages to recipient mailboxes.

Learn more at: Overview of the Hub Transport Server Role

You can install the Hub Transport server role on dedicated hardware, or you can install it on the same server where you installed the Client Access server role.

We recommend installing the latest update rollup for Exchange 2010 on all your servers. Although you can install update rollups on a server after Exchange 2010 has been installed, it's also possible and less time-consuming to incorporate the update rollup into the server installation process. To do this, copy the contents of the Exchange 2010 DVD to the file system, and then copy or move the downloaded update rollup file to the Updates folder in the installation tree. When you perform the procedure below, the update rollup will be installed as part of the initial installation process.

To download the latest update rollup for Exchange 2010, visit: Microsoft Download Center

How do I install the Hub Transport server role on dedicated hardware?

The Exchange Server 2010 Setup wizard helps you install the Hub Transport role:

1. Insert the Exchange 2010 DVD into the DVD drive. When the AutoPlay dialog appears, click Run Setup.exe under Install or run program. If the AutoPlay dialog doesn't appear, navigate to the root of the DVD and double-click Setup.exe. Alternatively, browse to the location of your Exchange 2010 installation files and double-click Setup.exe.

2. The Exchange Server 2010 Setup welcome screen appears. In the Install section, the software listed for Step 1: Install .NET Framework 3.5 SP1 and Step 2: Install Windows PowerShell v2 was installed with the Exchange 2010 prerequisites. If these prerequisites aren't already installed, click the appropriate step to install them.

3. When Step 1, Step 2, and Step 3 are listed as Installed, click Step 4: Install Microsoft Exchange.

Note:

After your installation is complete, you can return to complete Step 5: Get critical updates for Microsoft Exchange. 

4. On the Introduction page, click Next.

5. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and click Next.

6. On the Error Reporting page, select Yes or No to enable the Exchange Error Reporting feature, and click Next.

7. On the Installation Type page, select Custom Exchange Server Installation. For Exchange 2010 SP1, you can select to automatically install all required Windows roles and features for this server. To optionally change the installation path for Exchange 2010, click Browse, locate the appropriate folder in the folder tree, and then click OK. Click Next.

8. On the Server Role Selection page, select the Hub Transport Role, and click Next. The Management Tools option, which installs the Exchange Management Console and the Exchange Management Shell, will also be selected and installed.

9. On the Readiness Checks page, review the Summary to determine if the system and server are ready for the Hub Transport role to be installed. If all prerequisite checks completed successfully, click Install. If any of the prerequisite checks failed, you must resolve the displayed error before you can proceed with installing the Hub Transport role. In many cases, you don't need to exit Setup while you're fixing issues. After you resolve an error, click Retry to run the prerequisite check again. Also, be sure to review any warnings that are reported.

10. The Progress page displays the progress and elapsed time for each phase of the installation. As each phase ends, it's marked completed and the next phase proceeds. If any errors are encountered, the phase will end as incomplete and unsuccessful. If that happens, you must exit Setup, resolve any errors, and then restart Setup.

11. When all phases have finished, the Completion page displays. Review the results, and verify that each phase completed successfully. Clear the check box for Finalize this installation using the Exchange Management Console, and then click Finish to exit Setup.

12. When you're returned to the Setup welcome screen, click Close. On the Confirm Exit prompt, click Yes.

13. Restart the computer to complete the installation of the Hub Transport role.

How do I add the Hub Transport server role to my Client Access server?

You can also use the Exchange Server 2010 Setup wizard to add the Hub Transport role to your existing Client Access server.

1. In Control Panel, start Programs and Features.

2. Select Microsoft Exchange Server 2010 from the list of installed programs, and then click Change.

3. The Exchange Server 2010 Setup wizard starts in Exchange Maintenance Mode. Click Next.

4. On the Server Role Selection page, select the check box for Hub Transport Role and then click Next.

5. On the Readiness Checks page, review the Summary to determine if the system and server are ready for the Hub Transport role to be installed. If all prerequisite checks completed successfully, click Install. If any of the prerequisite checks failed, you must resolve the displayed error before you can proceed with installing the Hub Transport role. In many cases, you don't need to exit Setup while you're fixing issues. After you resolve an error, click Retry to run the prerequisite check again. Also, be sure to review any warnings that are reported.

6. The Progress page will display the progress and elapsed time for each phase of the installation. As each phase ends, it will be marked completed and the next phase will proceed. If any errors are encountered, the phase will end as incomplete and unsuccessful. In this event, you must exit Setup, resolve any errors, and then restart Setup in Maintenance Mode.

7. When all phases have finished, the Completion page will be displayed. Review the results and verify that each phase completed successfully. Click Finish to exit Setup.

8. Restart the computer to complete the installation of the Hub Transport role.

How do I know this worked?

The successful completion of the Exchange Setup wizard will be your first indication that the installation process worked as expected. To further verify that the Hub Transport server role installed successfully, you can run Get-ExchangeServer <server name> | Format-List in the Exchange Management Shell, which can be launched from the Exchange Server 2010 program group on the Windows Start Menu. This cmdlet outputs a list of the Exchange 2010 server roles that are installed on the specified server.

You can also review the contents of the Exchange setup log file (ExchangeSetup.log), located in <system drive>\ExchangeSetupLogs to verify that the Hub Transport role was installed as expected.

Learn more at: Verifying an Exchange 2010 Installation

Install the Unified Messaging server role  

Estimated time to complete: 20 minutes

The Unified Messaging server role provides connectivity between your internal telephony system and Exchange. Clients can access their mailbox from a telephone and receive voice mail messages in their mailbox, among other capabilities.

Learn more at: Overview of Unified Messaging

You can install the Unified Messaging server role on dedicated hardware, or you can install it on a server that's already running Exchange 2010.

We recommend installing the latest update rollup for Exchange 2010 on all your servers. Although you can install update rollups on a server after Exchange 2010 has been installed, it's also possible and less time-consuming to incorporate the update rollup into the server installation process. To do this, copy the contents of the Exchange 2010 DVD to the file system, and then copy or move the downloaded update rollup file to the Updates folder in the installation tree. When you perform the procedure below, the update rollup will be installed as part of the initial installation process.

To download the latest update rollup for Exchange 2010, visit: Microsoft Download Center

How do I install the Unified Messaging server role on dedicated hardware?

The Exchange Server 2010 Setup wizard helps you install the Unified Messaging role.

1. Insert the Exchange 2010 DVD into the DVD drive. When the AutoPlay dialog appears, click Run Setup.exe under Install or run program. If the AutoPlay dialog doesn't appear, navigate to the root of the DVD and double-click Setup.exe. Alternatively, browse to the location of your Exchange 2010 installation files and double-click Setup.exe.

2. The Exchange Server 2010 Setup welcome screen appears. In the Install section, the software listed for Step 1: Install .NET Framework 3.5 SP1 and Step 2: Install Windows PowerShell v2 was installed with the Exchange 2010 prerequisites. If these prerequisites aren't already installed, click the appropriate step to install them.

3. When Step 1, Step 2, and Step 3 are listed as Installed, click Step 4: Install Microsoft Exchange.

Note:

After your installation is complete, you can return to complete Step 5: Get critical updates for Microsoft Exchange. 

4. On the Introduction page, click Next.

5. On the License Agreement page, review the software license terms. If you agree to the software license terms, select I accept the terms in the license agreement, and click Next.

6. On the Error Reporting page, select Yes or No to enable the Exchange Error Reporting feature, and click Next.

7. On the Installation Type page, select Custom Exchange Server Installation. For Exchange 2010 SP2, you can select to automatically install all required Windows roles and features for this server. To optionally change the installation path for Exchange 2010, click Browse, locate the appropriate folder in the folder tree, and then click OK. Click Next.

8. On the Server Role Selection page, select the Unified Messaging Role, and click Next. The Management Tools option, which installs the Exchange Management Console and the Exchange Management Shell, will also be selected and installed.

9. On the Readiness Checks page, review the Summary to determine if the system and server are ready for the Unified Messaging role to be installed. If all prerequisite checks completed successfully, click Install. If any of the prerequisite checks failed, you must resolve the displayed error before you can proceed with installing the Unified Messaging role. In many cases, you don't need to exit Setup while you're fixing issues. After you resolve an error, click Retry to run the prerequisite check again. Also, be sure to review any warnings that are reported.

10. The Progress page displays the progress and elapsed time for each phase of the installation. As each phase ends, it's marked completed and the next phase proceeds. If any errors are encountered, the phase will end as incomplete and unsuccessful. If that happens, you must exit Setup, resolve any errors, and then restart Setup.

11. When all phases have finished, the Completion page displays. Review the results, and verify that each phase completed successfully. Clear the check box for Finalize this installation using the Exchange Management Console, and then click Finish to exit Setup.

12. When you're returned to the Setup welcome screen, click Close. On the Confirm Exit prompt, click Yes.

13. Restart the computer to complete the installation of the Unified Messaging role.

How do I add the Unified Messaging server role to an existing Exchange 2010 server?

You can also use the Exchange Server 2010 Setup wizard to add the Unified Messaging role to an existing Exchange 2010 server.

1. In Control Panel, start Programs and Features.

2. Select Microsoft Exchange Server 2010 from the list of installed programs, and then click Change.

3. The Exchange Server 2010 Setup wizard starts in Exchange Maintenance Mode. Click Next.

4. On the Server Role Selection page, select the check box for Unified Messaging Role and then click Next.

5. On the Readiness Checks page, review the Summary to determine if the system and server are ready for the Unified Messaging role to be installed. If all prerequisite checks completed successfully, click Install. If any of the prerequisite checks failed, you must resolve the displayed error before you can proceed with installing the Unified Messaging role. In many cases, you don't need to exit Setup while you're fixing issues. After you resolve an error, click Retry to run the prerequisite check again. Also, be sure to review any warnings that are reported.

6. The Progress page displays the progress and elapsed time for each phase of the installation. As each phase ends, it will be marked completed and the next phase will proceed. If any errors are encountered, the phase will end as incomplete and unsuccessful. In this event, you must exit Setup, resolve any errors, and then restart Setup in Maintenance Mode.

7. When all phases have finished, the Completion page will be displayed. Review the results and verify that each phase completed successfully. Click Finish to exit Setup.

8. Restart the computer to complete the installation of the Unified Messaging role.

How do I know this worked?

The successful completion of the Exchange Setup wizard will be your first indication that the installation process worked as expected. To further verify that the Unified Messaging server role installed successfully, you can run Get-ExchangeServer <server name> | Format-List in the Exchange Management Shell, which can be launched from the Exchange Server 2010 program group on the Windows Start Menu. This cmdlet outputs a list of the Exchange 2010 server roles that are installed on the specified server.

You can also review the contents of the Exchange setup log file (ExchangeSetup.log), located in <system drive>\ExchangeSetupLogs to verify that the Unified Messaging role was installed as expected.

Learn more at: Verifying an Exchange 2010 Installation

Configure and enable Unified Messaging  

Estimated time to complete: 45 minutes to 90 minutes

Note:

This estimated time to complete takes into account the time required to complete both the required and optional tasks in this checklist. 

After the Unified Messaging (UM) server role has been installed, your next step is to create and configure the UM directory objects necessary for UM features and then enable your users for UM. Specifically, you'll need to:

A: Create and configure a UM dial plan   UM dial plans are integral to the operation of UM servers and are required to successfully deploy UM in your organization.

B: Create and configure one or more UM gateways   A UM IP gateway represents either an IP gateway or an IP PBX. The combination of the UM IP gateway object and a UM hunt group object establishes a logical link between an IP gateway hardware device and a UM dial plan.

C: Create and configure one or more UM mailbox policies   UM mailbox policies are required when you enable users for Unified Messaging. The mailbox of each UM-enabled user must be linked to a single UM mailbox policy. After you create a UM mailbox policy, you link one or more UM-enabled mailboxes to the UM mailbox policy. This lets you control PIN security settings such as the minimum number of digits in a PIN or the maximum number of logon attempts for the UM-enabled users who are associated with the UM mailbox policy.

D: Add your Unified Messaging server to a dial plan   Dial plans enable you to stop call processing so that a UM server can be taken offline in a controlled way. After you add a UM server to a dial plan, the UM server can then start answering incoming calls that are forwarded from an IP gateway.

E: Enable users for Unified Messaging   When you enable a user for UM, a default set of UM properties is applied to the user, and the user will be able to use UM features.

After these core tasks are done, you may also want to do some other things, such as:

Installing language packs on the UM server   For a specific language that's supported, UM language packs allow a UM server to speak additional languages to callers and recognize other languages when callers use Automatic Speech Recognition (ASR) or when voice messages are transcribed.

Creating and configuring auto attendants and UM hunt groups   UM auto attendants can be used to create a voice menu system for an organization that lets external and internal callers move through the UM auto attendant menu system to locate and place or transfer calls to company users or departments in an organization. Hunt group is a term that's used to describe a group of PBX or IP PBX resources or extension numbers that are shared by users. Hunt groups are used to efficiently distribute calls into or out of a given business unit.

Enabling Exchange 2010 for use with a Fax Partner server   Exchange 2010 UM forwards incoming fax calls to a dedicated partner fax solution, which then establishes the fax call with the fax sender and receives the fax on behalf of the UM-enabled user. However, to allow UM-enabled users to receive fax messages in their mailbox, you must configure the Fax Partner server.

Learn more at: Deploy a New Exchange 2010 RTM UM Environment

How do I do this?

You'll use several wizards in the Exchange Management Console to get these tasks done.

A:   Create the UM dial plan

1. In the Console tree, navigate to Organization Configuration > Unified Messaging.

2. In the Actions pane, click New UM Dial Plan.

3. In the New UM Dial Plan wizard, complete the following fields:

o Name   Type the name of the dial plan. A UM dial plan name is required and must be unique. However, it's used only for display. If you want to change the display name of the dial plan after it's been created, you must first delete the existing UM dial plan and then create another dial plan that has the appropriate name. If your organization uses multiple UM dial plans, we recommend that you use meaningful names for your UM dial plans. The maximum length of a UM dial plan name is 64 characters, and it can include spaces. However, it can't include any of the following characters: " / \ [ ] : ; | = , + * ? < >.

Important:

Although the field for the name of the dial plan can accept 64 characters, the name of the dial plan can't be longer than 49 characters. This is the case because when you create a dial plan, a default UM mailbox policy is also created that has the name <DialPlanName> Default Policy. The name parameter for both the UM dial plan and UM mailbox policy can be 64 characters. 

o Number of digits in extension numbers   Enter the number of digits for the dial plan. The number of digits for extension numbers is based on the telephony dial plan created on a Private Branch eXchange (PBX). For example, if a user associated with a telephony dial plan dials a four-digit extension to call another user in the same telephony dial plan, you select 4 as the number of digits in the extension.

This is a required field that has a value range from 1 through 20. The typical extension length is from 3 through 7. If your existing telephony environment includes extension numbers, you must specify a number of digits that matches the number of digits in those extensions.

When you create a Session Initiation Protocol (SIP) or an E.164 dial plan and associate a UM-enabled user with the dial plan, you must still input an extension number to be used by the user. This number is used by Outlook Voice Access users when they access their Exchange 2010 mailbox.

o Dial plan type   A Uniform Resource Identifier (URI) is a string of characters that identifies or names a resource. The main purpose of this identification is to enable VoIP devices to communicate with other devices over a network using specific protocols. URIs are defined in schemes that define a specific syntax and format and the protocols for the call. In simple terms, this format is passed from the IP PBX or PBX. After you create a UM dial plan, you won't be able to change the URI type without deleting the dial plan, and then re-creating the dial plan to include the correct URI type. You can select one of the following URI types for the dial plan:

Telephone extension   This is the most common URI type. The calling and called party information from the VoIP gateway or IP Private Branch eXchange (PBX) is listed in one of the following formats: Tel:512345 or 512345@<IP address>. This is the default URI type for dial plans.

SIP URI   Use this URI type if you must have a Session Initiation Protocol (SIP) URI dial plan such as an IP PBX that supports SIP routing or if you're integrating Microsoft Office Communications Server 2007 R2 or Microsoft Lync Server and Unified Messaging. The calling and called party information from the VoIP gateway, IP PBX, or Communications Server 2007 R2 or Lync Server is listed as a SIP address in the following format: sip:<username>@<domain or IP address>:Port.

E.164   E.164 is an international numbering plan for public telephone systems in which each assigned number contains a country code, a national destination code, and a subscriber number. The calling and called party information sent from the VoIP gateway or IP PBX is listed in the following format: Tel:+14255550123.

Warning:

After you create a dial plan, you will be unable to change the URI type without deleting the dial plan, and then re-creating the dial plan to include the correct URI type. 

o VoIP security mode   Use this drop-down list to select the VoIP security setting for the UM dial plan. You can select one of the following security settings for the dial plan:

Unsecured   By default, when you create a UM dial plan, it is set to not encrypt the SIP signaling or RTP traffic. In unsecured mode, the Client Access and Mailbox servers associated with the UM dial plan send and receive data from VoIP gateways, IP PBXs, SBCs and other Client Access and Mailbox servers using no encryption. In unsecured mode, neither the Realtime Transport Protocol (RTP) media channel nor the SIP signaling information is encrypted.

SIP secured  When you select SIP secured, only the SIP signaling traffic is encrypted, and the RTP media channels still use TCP, which isn't encrypted. With SIP secured, Mutual Transport Layer Security (TLS) is used to encrypt the SIP signaling traffic and VoIP data.

Secured   When you select Secured, both the SIP signaling traffic and the RTP media channels are encrypted. Both the secure signaling media channel that uses Secure Realtime Transport Protocol (SRTP) and the SIP signaling traffic use mutual TLS to encrypt the VoIP data.

o Country/Region code   Use this field to type the country/region code number used for outgoing calls. This number will precede the telephone number dialed. This field accepts from 1 through 4 digits. For example, in the United States, the country/region code is 1. In the United Kingdom, it's 44.

4. On the Completion page, confirm whether the dial plan was successfully created:

o A status of Completed indicates that the wizard completed the task successfully.

o A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

5. Click Finish to complete the New UM Dial Plan wizard.
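Because the dial plan name and URI type cannot be changed after creation, it helps to check the planned values against the wizard's rules first. This PowerShell is an added example, not part of the original guide: Test-UMDialPlanInput and Get-UMUriType are hypothetical helper names, their parameters mirror the wizard fields rather than any Exchange cmdlet, and the inputs at the end are constructed.

```powershell
# Added example, not from the original guide. Function names are hypothetical.

# Classify calling/called party information using the three formats the guide lists:
# Tel:512345 or 512345@<IP address>, sip:<username>@<domain or IP address>:Port, Tel:+14255550123.
function Get-UMUriType {
    param([string]$PartyInfo)
    switch -Regex ($PartyInfo) {
        '^tel:\+[0-9]+$'                  { return 'E.164' }
        '^(tel:[0-9]+|[0-9]+@\S+)$'       { return 'Telephone extension' }
        '^sip:[^@\s]+@[^:\s]+(:[0-9]+)?$' { return 'SIP URI' }
        default                           { return 'Unrecognized' }
    }
}

function Test-UMDialPlanInput {
    param(
        [string]$Name,
        [int]$ExtensionDigits,
        [string]$CountryRegionCode,
        [string]$UriType = 'Telephone extension',
        [string]$SamplePartyInfo   # optional: one value as sent by the gateway or PBX
    )
    $problems = @()
    $warnings = @()

    # The wizard also creates "<DialPlanName> Default Policy". That name has to fit
    # the 64-character limit as well, which is why the dial plan name stops at 49.
    $policyName = "$Name Default Policy"
    if ([string]::IsNullOrEmpty($Name)) {
        $problems += 'Name is required'
    }
    elseif ($policyName.Length -gt 64) {
        $problems += "Name is $($Name.Length) characters; the default policy name would be $($policyName.Length) (limit 64, so the name limit is 49)"
    }
    # Characters the guide lists as not allowed: " / \ [ ] : ; | = , + * ? < >
    if ($Name -match '["/\\\[\]:;|=,+*?<>]') {
        $problems += "Name contains a character that is not allowed: $($Matches[0])"
    }

    if ($ExtensionDigits -lt 1 -or $ExtensionDigits -gt 20) {
        $problems += 'Number of digits in extension numbers must be from 1 through 20'
    }
    elseif ($ExtensionDigits -lt 3 -or $ExtensionDigits -gt 7) {
        $warnings += 'Extension length is outside the typical range of 3 through 7'
    }

    if ($CountryRegionCode -and $CountryRegionCode -notmatch '^[0-9]{1,4}$') {
        $problems += 'Country/Region code must be 1 through 4 digits'
    }

    if (@('Telephone extension', 'SIP URI', 'E.164') -notcontains $UriType) {
        $problems += "Unknown dial plan type: $UriType"
    }
    elseif ($SamplePartyInfo) {
        $seen = Get-UMUriType $SamplePartyInfo
        if ($seen -ne $UriType) {
            $problems += "Gateway sends '$SamplePartyInfo' ($seen) but the dial plan type is '$UriType'; the type cannot be changed after creation"
        }
    }

    New-Object PSObject -Property @{
        Name              = $Name
        Valid             = ($problems.Count -eq 0)
        DefaultPolicyName = $policyName
        Problems          = $problems
        Warnings          = $warnings
    } | Select-Object Name, Valid, DefaultPolicyName, Problems, Warnings
}

# Constructed inputs. The first passes every check.
Test-UMDialPlanInput -Name 'Redmond Dial Plan' -ExtensionDigits 5 -CountryRegionCode '1' `
    -UriType 'E.164' -SamplePartyInfo 'Tel:+14255550123' | Format-List

# The second is 54 characters long, contains ':', asks for 25 digits, has a 5-digit
# country code, and pairs a SIP address with the default Telephone extension type.
Test-UMDialPlanInput -Name ('HQ: ' + ('x' * 50)) -ExtensionDigits 25 -CountryRegionCode '00441' `
    -SamplePartyInfo 'sip:user@contoso.com:5061' | Format-List
```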

B:   Create a UM IP gateway

1. In the console tree, navigate to Organization Configuration > Unified Messaging.

2. In the Result pane, click the UM IP Gateways tab.

3. In the Actions pane, click New UM IP Gateway.

4. In the New UM IP Gateway wizard, in the Name section, type the name of the UM IP gateway. This is the display name for the UM IP gateway.

5. In the IP Address section, type the IP address for the UM IP gateway, and then click New.

Note:

Alternatively, you can enter an FQDN for the UM IP gateway. If you choose to use an FQDN, you must add the appropriate host records with the correct IP addresses to the DNS zone. If you're configuring a UM IP gateway that will be associated with a dial plan that's operating in secure mode, you must create the UM IP gateway with an FQDN. 

6. On the New UM IP Gateway page, click New.

7. On the Completion page, click Finish.
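The VoIP security mode chosen for a dial plan and the FQDN requirement for gateways on secure dial plans can be reviewed together. This PowerShell is an added example, not part of the original guide: Get-UMTransportFinding is a hypothetical helper name, the input objects and their flat DialPlan link are constructed for illustration, and treating both SIP secured and Secured as "secure mode" is an assumption.

```powershell
# Added example, not from the original guide. Get-UMTransportFinding is a
# hypothetical helper; the input objects carry only the properties used here.
function Get-UMTransportFinding {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$DialPlan,
        [object[]]$Gateway = @()
    )

    function New-Finding([string]$Scope, [string]$Name, [string]$Text) {
        New-Object PSObject -Property @{ Scope = $Scope; Name = $Name; Finding = $Text } |
            Select-Object Scope, Name, Finding
    }

    $modeByPlan = @{}
    foreach ($plan in $DialPlan) {
        # Accept the wizard label ("SIP secured") as well as a spaceless form ("SIPSecured").
        $mode = "$($plan.VoIPSecurity)" -replace '\s', ''
        $modeByPlan["$($plan.Name)"] = $mode
        switch ($mode) {
            'Unsecured'  { New-Finding 'DialPlan' $plan.Name 'SIP signaling and RTP media are both unencrypted' }
            'SIPSecured' { New-Finding 'DialPlan' $plan.Name 'SIP signaling uses mutual TLS, but RTP media is unencrypted' }
            'Secured'    { }   # signaling and media are both protected: nothing to report
            default      { New-Finding 'DialPlan' $plan.Name "Unknown VoIP security mode '$mode'" }
        }
    }

    foreach ($gw in $Gateway) {
        $mode = $modeByPlan["$($gw.DialPlan)"]
        if ($null -eq $mode) {
            New-Finding 'Gateway' $gw.Name "References dial plan '$($gw.DialPlan)', which was not supplied"
            continue
        }
        # A gateway on a secure dial plan must be created with an FQDN, not an IP address.
        # Assumption: "secure mode" covers both SIP secured and Secured.
        $parsed = $null
        $isIpLiteral = [System.Net.IPAddress]::TryParse("$($gw.Address)", [ref]$parsed)
        if ($isIpLiteral -and ($mode -eq 'SIPSecured' -or $mode -eq 'Secured')) {
            New-Finding 'Gateway' $gw.Name "Address $($gw.Address) is an IP address, but dial plan '$($gw.DialPlan)' is $mode; use an FQDN"
        }
    }
}

# Constructed sample data (names and addresses are invented; 192.0.2.0/24 is a documentation range).
$dialPlans = @(
    (New-Object PSObject -Property @{ Name = 'HQ-TelExt';  VoIPSecurity = 'Unsecured' }),
    (New-Object PSObject -Property @{ Name = 'HQ-Lync';    VoIPSecurity = 'Secured' }),
    (New-Object PSObject -Property @{ Name = 'Branch-SIP'; VoIPSecurity = 'SIP secured' })
)
$gateways = @(
    (New-Object PSObject -Property @{ Name = 'gw-hq';     Address = '192.0.2.10';       DialPlan = 'HQ-TelExt' }),
    (New-Object PSObject -Property @{ Name = 'gw-lync';   Address = '192.0.2.20';       DialPlan = 'HQ-Lync' }),
    (New-Object PSObject -Property @{ Name = 'gw-branch'; Address = 'pbx1.contoso.com'; DialPlan = 'Branch-SIP' })
)

# Reports HQ-TelExt (no encryption), Branch-SIP (media unencrypted) and gw-lync (IP address on a Secured plan).
Get-UMTransportFinding -DialPlan $dialPlans -Gateway $gateways | Format-Table -AutoSize -Wrap
```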

C:   Create a UM mailbox policy

1. In the Console tree, navigate to Organization Configuration > Unified Messaging.

2. In the Work pane, click the UM Mailbox Policies tab.

3. In the Actions pane, click New UM Mailbox Policy.

4. In the New UM Mailbox Policy wizard, complete the following fields:

o Name   Use this text box to specify a unique name for the UM mailbox policy. This is a display name that appears in the EMC. If you must change the display name of the UM mailbox policy after it's been created, you must first delete the existing UM mailbox policy, and then create another UM mailbox policy that has the appropriate name. To delete the UM mailbox policy, there mustn't be any UM-enabled users who are associated with the UM mailbox policy.

The UM mailbox policy name is required, but it's used for display purposes only. Because your organization may use multiple UM mailbox policies, we recommend that you use meaningful names for your UM mailbox policies. The maximum length of a UM mailbox policy name is 64 characters, and it can include spaces. However, it cannot include any of the following characters: " / \ [ ] : ; | = , + * ? < >.

o Select associated dial plan   Click Browse to select the UM dial plan that will be associated with the UM mailbox policy. You must associate a UM mailbox policy with at least one UM dial plan. A single UM mailbox policy must be associated with at least one UM dial plan. However, you can also associate multiple UM mailbox policies with a single dial plan.

5. On the Completion page, confirm whether the UM mailbox policy was successfully created.

6. Click Finish to complete the New UM Mailbox Policy wizard.

D:   Add the UM server to the dial plan

1. In the Console tree, click Server Configuration.

2. In the Result pane, select the UM server.

3. In the Actions pane, click Properties.

4. On the UM Settings > Associated Dial Plans, click Add.

5. In the Select Dial Plan window, select the dial plan you want to add from the list of available dial plans, and then click OK.

E:   Enable users for UM

1. In the Console tree, click Recipient Configuration.

2. In the Result pane, select the user mailbox that you want to enable for Unified Messaging.

3. In the Actions pane, click Enable Unified Messaging.

4. In the Enable Unified Messaging wizard, on the Introduction page, complete the following fields:

o Unified Messaging Mailbox Policy   Use this text field to select the UM mailbox policy that you want to associate with a user's mailbox. UM mailbox policies define settings such as PIN policies, dialing restrictions, and message text for Unified Messaging messages sent to the user. Each UM-enabled user is required to be associated with at least one UM mailbox policy. However, the UM-enabled user can be associated with only one UM mailbox policy.

o Automatically generate PIN to access Outlook Voice Access   Click this button to automatically generate a PIN for the UM-enabled user. This is the default setting. If this option is selected, a PIN is automatically generated based on the PIN policies configured on the UM mailbox policy associated with the recipient. We recommend that you use this setting to help protect the user's PIN.

o Manually specify PIN   Click this button to manually specify a PIN that a recipient will use to access the Unified Messaging system. The PIN must comply with the PIN policy settings configured on the UM mailbox policy associated with this recipient. For example, if the UM mailbox policy is configured to accept only PINs that contain seven or more digits, the PIN you enter in this text box must be at least seven digits.

o Require user to reset PIN on first telephone logon   Select this check box to force the user to reset a Unified Messaging PIN when the user accesses the Unified Messaging system from a telephone. It's a security best practice to force UM-enabled users to change their PIN at their first logon to help protect against unauthorized access to their data and Inbox. This is the default setting.

5. In the Enable Unified Messaging wizard, on the Extension Configuration page, complete the following fields:

o Automatically generated mailbox extension   Click this button if you want the extension number for the user's mailbox to be automatically generated from the telephone number specified in the Active Directory directory service and used to populate the field. By default, this setting is enabled. This option will be unavailable if the user is being associated with a SIP URI or E.164 dial plan.

For the user's extension number to populate this field, you can enter the telephone number in the Business field on the Address and Phone tab in the user properties in the Exchange Management Console. You can also configure a telephone number for a user by configuring the Telephone number field on the General tab on the user account using Active Directory Users and Computers.

If you select this option, the extension number generated automatically for the user will comply with the number of digits specified for the dial plan with which the UM mailbox policy that you selected is associated. For example, if the dial plan is configured to use 5-digit extension numbers, the Unified Messaging server will take the last 5 digits of the user's telephone number and use those digits to populate this field. UM dial plans are typically configured to have extensions three through seven digits long.

o Manually entered mailbox extension   Click this button if you want to manually configure the extension number for the user's mailbox.

If you select this option, you must provide a valid extension number for the user, and it must match the number of digits specified on the dial plan. You can configure this field to contain a value range of numeric characters or digits from 1 through 20. The typical extension number is from 3 through 7 digits and is configured on the dial plan with which the UM mailbox policy is associated.

If your existing telephony environment includes extension numbers, you must specify a number of digits that matches the number of digits in those extensions. The number of digits that you specify is the default setting after a UM mailbox policy is selected.

o Automatically generated SIP resource identifier   Click this button if you want the SIP resource identifier or SIP address for the user's mailbox to be automatically generated. If you have deployed Microsoft Office Communications Server 2007, the user's SIP address is taken from the msRTCSIP-PrimaryUserAddress attribute in Active Directory. If this attribute isn't populated, the user's primary SMTP address will be used for the SIP address. By default, this setting is enabled, for example, [email protected].

This option is available only if the user that you enable for Unified Messaging is associated with a SIP URI dial plan. This option will be unavailable if you configure a user's mailbox to be associated with an E.164 dial plan.

If you associate a user with a SIP URI dial plan, you must also manually enter a mailbox extension for the user. This extension number is used when users use Outlook Voice Access to access their Exchange 2010 mailbox. The number of digits that you configure in this field must match the number of digits configured on the SIP URI or E.164 dial plan.

This option will not be available if the user is being associated with a telephone extension dial plan.

o Manually entered SIP resource identifier   Click this button if you want to manually enter the SIP or E.164 address for the user. This option is available if the user that you enable for Unified Messaging is associated with either a SIP URI or E.164 dial plan. If you deployed Communications Server 2007, the user's SIP address is taken from the msRTCSIP-PrimaryUserAddress attribute in Active Directory. If this attribute isn't populated, the user's primary SMTP address is used for the SIP address, for example, [email protected]. This option isn't available if the user is associated with a telephone extension dial plan.

If you associate the user with an E.164 dial plan, you must manually enter an E.164 address for the user. The number entered must be in the correct E.164 format, for example, +14255551234.

If you associate the user with a SIP or E.164 dial plan, you must also manually enter a mailbox extension number for the user. This extension number is used when users use Outlook Voice Access to access their Exchange 2010 mailbox. The number of digits that you configure in this field must match the number of digits configured on the SIP URI or E.164 dial plan.

6. On the Enable Unified Messaging page, review your configuration settings. Click Enable to enable the user for Unified Messaging. Click Back to make configuration changes.

7. On the Completion page, confirm whether the user was successfully enabled for Unified Messaging.

8. Click Finish to complete the Enable Unified Messaging wizard.

How do I know this worked?

The successful completion of each wizard will be your first indication that the necessary UM objects were created successfully. In addition, users with mailboxes on Exchange 2010 should now be able to use UM functionality.

How do I do the optional tasks?

Depending on the task, you'll use a wizard in the Exchange Management Console and you'll also use the Exchange Management Shell.

Install a UM language pack

1. Download the language-specific UM language pack file into a local folder on the UM server. Get the language pack here: Microsoft Download Center

2. Double-click the UMLanguagePack.<CultureCode>.exe file. For example, for the German UM language pack, download the file named UMLanguagePack.de-DE.exe.

3. In the Setup wizard, on the License Agreement page, read the terms of the agreement, select I accept the terms in the license agreement, and then click Next.

4. On the Unified Messaging Language Pack page, verify that the correct language is listed in the The following Unified Messaging Language Pack(s) will be installed window, and then click Install.

5. On the Completion page, confirm whether the UM language pack was successfully installed.

6. Click Finish to complete the installation of the UM language pack.

Create a UM hunt group

1. In the Console tree, navigate to Organization Configuration > Unified Messaging.

2. In the Work pane, click the UM IP Gateways tab.

3. In the Result pane, select a UM IP gateway.

4. In the Actions pane, click New UM Hunt Group.

5. In the New UM Hunt Group wizard, view or complete the following fields:

o Associated UM IP gateway   This display-only field shows the name of the UM IP gateway that will be associated with the UM hunt group.

o Name   Use this text box to create the display name for the UM hunt group. A UM hunt group name is required and must be unique, but it's used only for display purposes in the EMC and the Shell.

o Dial plan   Click the Browse button to select the dial plan that will be associated with the UM hunt group. Associating a hunt group with a dial plan is required. A UM hunt group can be associated with only one UM IP gateway and one UM dial plan.

o Pilot identifier   Use this text box to specify a string that uniquely identifies the pilot identifier or pilot ID configured on the PBX or IP PBX.

An extension number or a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI) can be used in this field. Alphanumeric characters are accepted in this field. For legacy PBXs, a numeric value is used as a pilot identifier. However, some IP PBXs can use SIP URIs.

6. On the Completion page, confirm whether the UM hunt group was successfully created.

7. Click Finish to complete the New UM Hunt Group wizard.

Create a UM auto attendant

1. In the Console tree, navigate to Organization Configuration > Unified Messaging.

2. In the Work pane, click the UM Auto Attendants tab.

3. In the Actions pane, click New UM Auto Attendant.

4. In the New UM Auto Attendant wizard, complete the following fields:

o Name   Use this text box to create the display name for the UM auto attendant. A UM auto attendant name is required and must be unique. The maximum length of a UM auto attendant name is 64 characters, and it can include spaces.

o Select associated dial plan   Click Browse to select the UM dial plan to associate with this UM auto attendant. Selecting and associating a UM dial plan with the auto attendant is required. A UM auto attendant can be associated with only one UM dial plan.

o Extension numbers   Use this field to enter the extension number that callers will use to reach the auto attendant. Type an extension number in the box, and then click Add to add the number to the list. The number of digits in the extension number that you provide doesn't have to match the number of digits for an extension number configured on the associated UM dial plan. This is because direct calls are allowed to UM auto attendants.

You can edit or remove an existing extension number. To edit an existing extension number, click Edit. To remove an existing extension number from the list, click Remove.

o Create auto attendant as enabled   Select this option to enable the auto attendant to answer incoming calls when you complete the New UM Auto Attendant wizard. By default, a new auto attendant is created as disabled.

If you decide to create the UM auto attendant as disabled, you can use the EMC action pane or the Shell to enable the auto attendant after you finish the wizard.

o Create auto attendant as speech-enabled   Select this check box to speech-enable the UM auto attendant. By speech-enabling the auto attendant, callers can respond to the system or custom prompts used by the UM auto attendant using touchtone or voice inputs. By default, the auto attendant won't be speech-enabled when it's created.

For callers to use a speech-enabled auto attendant, you must install the appropriate Unified Messaging language pack that contains Automatic Speech Recognition (ASR) support and configure the properties of the auto attendant to use this language.

5. On the Completion page, confirm whether the UM auto attendant was successfully created.

6. Click Finish to complete the New UM Auto Attendant wizard.

Enable integration with a Fax Server partner

1. Install and configure the Fax Partner server or servers in your organization. There are specific steps that you must take to successfully integrate the fax partner server with UM. The steps you perform will vary based on the solution. For detailed information, refer to the partner's Web site:

o Concord Fax Online

o Sagem-Interstar

2. Enable faxing on the UM server.

1. In the Console tree, navigate to Organization Configuration > Unified Messaging.

2. On the UM Dial Plans tab, select the UM dial plan for which you want to allow users associated with the dial plan to receive fax messages, and then in the Actions pane, click Properties.

3. On the dial plan Properties page, on the General tab, select the check box for Allow users to receive faxes.

4. Click OK to save the changes.

5. In the Exchange Management Shell, configure the UM mailbox policy for faxing.

The UM mailbox policy must be configured to allow incoming faxes and must specify the fax partner's URI and the fax partner server's name. The FaxServerURI must use the following form: sip:<fax server URI>:<port>;<transport>, where fax server URI is either an FQDN or an IP address of the partner fax server, port is the port on which the fax server listens for incoming fax calls, and transport is the transport protocol that is used for the incoming fax (UDP, TCP, or TLS). For example, you might configure fax as follows:

Set-UMMailboxPolicy MyUMMailboxPolicy -AllowFax $true -FaxServerURI "sip:faxserver.contoso.com:5060;transport=tcp"

3. Configure authentication between the UM server and the Fax Partner server. Fax messages sent to a UM server from a fax partner server must be authenticated and any unauthenticated messages claiming to have come from a fax partner server will not be processed by the UM server. The receive connector should be deployed on the Hub Transport server used by the fax partner fax server to submit SMTP fax messages and must be configured with the following values:

o AuthMechanism: ExternalAuthoritative

o PermissionGroups: ExchangeServers, Partners

o RemoteIPRanges: {Fax server's IP address}

o RequireTLS: False

o EnableAuthGSSAPI: False

o LiveCredentialEnabled: False

7. In the Console tree, navigate to Server Configuration > Hub Transport.

8. In the Work pane, select the Receive Connectors tab, and then double-click the Receive connector you want to configure.

9. On the Permission Groups tab, make sure Exchange Servers and Partners are checked.

10. On the Authentication tab, make sure that only Externally Secured (for example, with IPSec) is checked.

11. Click OK to save the changes.
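Because an Externally Secured connector treats every host inside RemoteIPRanges as already authenticated, the scope of that range is the effective access control. The following audit check is an added example, not part of the original guide or of Exchange itself: it compares a Receive connector with the values listed above and reports deviations. The function name Test-FaxConnectorSettings, the sample connector objects, and the address 192.0.2.10 are assumptions constructed for illustration, and the comparison assumes each RemoteIPRanges entry renders as a plain address or range string.

```powershell
# Added example: audit a Receive connector against the fax-partner values above.
# Accepts Get-ReceiveConnector output or the constructed sample objects below.
function Test-FaxConnectorSettings {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Connector,
        # Assumption: the fax partner server's address(es), supplied by the caller.
        [Parameter(Mandatory = $true)]
        [string[]]$FaxServerIP
    )
    process {
        $findings = @()

        # Compare on the string form so real objects and samples behave alike.
        $auth = @("$($Connector.AuthMechanism)" -split '\s*,\s*' | Where-Object { $_ })
        if ($auth.Count -ne 1 -or $auth[0] -ne 'ExternalAuthoritative') {
            $findings += "AuthMechanism is '$($auth -join ', ')', expected only ExternalAuthoritative"
        }

        $expectedGroups = 'ExchangeServers', 'Partners'
        $groups = @("$($Connector.PermissionGroups)" -split '\s*,\s*' | Where-Object { $_ })
        foreach ($g in $expectedGroups) {
            if ($groups -notcontains $g) { $findings += "PermissionGroups is missing $g" }
        }
        foreach ($g in $groups) {
            if ($expectedGroups -notcontains $g) { $findings += "PermissionGroups has unexpected $g" }
        }

        # Every trusted source must be a known fax server; anything wider means
        # other hosts are also treated as authenticated senders.
        $ranges = @($Connector.RemoteIPRanges | ForEach-Object { "$_" } | Where-Object { $_ })
        if ($ranges.Count -eq 0) { $findings += 'RemoteIPRanges is empty' }
        foreach ($r in $ranges) {
            if ($FaxServerIP -notcontains $r) {
                $findings += "RemoteIPRanges entry '$r' is not a listed fax server address"
            }
        }

        foreach ($name in 'RequireTLS', 'EnableAuthGSSAPI', 'LiveCredentialEnabled') {
            if ($Connector.$name) { $findings += "$name is True, expected False" }
        }

        New-Object PSObject -Property @{
            Name      = $Connector.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings
        }
    }
}

# Constructed sample connectors (not real output). In the Shell, use instead:
#   Get-ReceiveConnector | Test-FaxConnectorSettings -FaxServerIP '192.0.2.10'
$samples = @(
    (New-Object PSObject -Property @{
        Name = 'Fax Partner'
        AuthMechanism = 'ExternalAuthoritative'
        PermissionGroups = 'ExchangeServers, Partners'
        RemoteIPRanges = @('192.0.2.10')
        RequireTLS = $false; EnableAuthGSSAPI = $false; LiveCredentialEnabled = $false
    }),
    (New-Object PSObject -Property @{
        Name = 'Fax Partner (too broad)'
        AuthMechanism = 'Tls, ExternalAuthoritative'
        PermissionGroups = 'ExchangeServers, Partners'
        RemoteIPRanges = @('0.0.0.0-255.255.255.255')
        RequireTLS = $false; EnableAuthGSSAPI = $false; LiveCredentialEnabled = $false
    })
)

$samples | Test-FaxConnectorSettings -FaxServerIP '192.0.2.10' |
    Select-Object Name, Compliant, Findings | Format-List
```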

Install the Mailbox server role  

Estimated time to complete: 20 minutes

The Mailbox server role hosts mailbox and public folder databases, and it generates the offline address book (OAB). Mailbox servers also provide services that enforce e-mail address policies and managed folders.

Learn more at: Overview of the Mailbox Server Role

You can install the Mailbox server role on dedicated hardware, or you can install it on a server that is already running Exchange 2010.

We recommend installing the latest update rollup for Exchange 2010 on all your servers. Although you can install update rollups on a server after Exchange 2010 has been installed, it's also possible and less time-consuming to incorporate the update rollup into the server installation process. To do this, copy the contents of the Exchange 2010 DVD to the file system, and then copy or move the downloaded update rollup file to the Updates folder in the installation tree. When you perform the procedure below, the update rollup will be installed as part of the initial installation process.

To download the latest update rollup for Exchange 2010, visit: Microsoft Download Center

How do I install the Mailbox server role on dedicated hardware?

The Exchange Server 2010 Setup wizard helps you install the Mailbox role.

1. Insert the Exchange 2010 DVD into the DVD drive. When the AutoPlay dialog appears, click Run Setup.exe under Install or run program. If the AutoPlay dialog doesn't appear, navigate to the root of the DVD and double-click Setup.exe. Alternatively, browse to the location of your Exchange 2010 installation files and double-click Setup.exe.

2. The Exchange Server 2010 Setup welcome screen appears. In the Install section, the software listed for Step 1: Install .NET Framework 3.5 SP1 and Step 2: Install Windows PowerShell v2 was installed with the Exchange 2010 prerequisites. If these prerequisites aren't already installed, click the appropriate step to install them.

3. When Step 1, Step 2, and Step 3 are listed as Installed, click Step 4: Install Microsoft Exchange.

Note:

After your installation is complete, you can return to complete Step 5: Get critical updates for Microsoft Exchange. 

4. On the Introduction page, click Next.

5. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and click Next.

6. On the Error Reporting page, select Yes or No to enable the Exchange Error Reporting feature, and click Next.

7. On the Installation Type page, select Custom Exchange Server Installation. For Exchange 2010 SP2, you can select to automatically install all required Windows roles and features for this server. To optionally change the installation path for Exchange 2010, click Browse, locate the appropriate folder in the folder tree, and then click OK. Click Next.

8. On the Server Role Selection page, select the Mailbox Role, and click Next. The Management Tools option, which installs the Exchange Management Console and the Exchange Management Shell, will also be selected and installed.

Important:

If you're installing the Mailbox server role, the Task Scheduler must be enabled and running. In addition, if the Mailbox server will be a member of a DAG and host replicated databases, it’s required that the script is scheduled and run automatically. 

9.

10. On the Client Settings page, select Yes if your organization has client computers running either Microsoft Outlook 2003 or Microsoft Entourage 2004 or earlier. Select No if you don't.

11. On the Readiness Checks page, review the Summary to determine if the system and server are ready for the Mailbox role to be installed. If all prerequisite checks completed successfully, click Install. If any of the prerequisite checks failed, you must resolve the displayed error before you can proceed with installing the Mailbox role. In many cases, you don't need to exit Setup while you're fixing issues. After you resolve an error, click Retry to run the prerequisite check again. Also, be sure to review any warnings that are reported.

12. The Progress page displays the progress and elapsed time for each phase of the installation. As each phase ends, it's marked completed and the next phase proceeds. If any errors are encountered, the phase will end as incomplete and unsuccessful. If that happens, you must exit Setup, resolve any errors, and then restart Setup.

13. When all phases have finished, the Completion page displays. Review the results, and verify that each phase completed successfully. Clear the check box for Finalize this installation using the Exchange Management Console, and then click Finish to exit Setup.

14. When you are returned to the Setup welcome screen, click Close. On the Confirm Exit prompt, click Yes.

15. Restart the computer to complete the installation of the Mailbox role.

How do I add the Mailbox server role to an existing Exchange 2010 server?

You can also use the Exchange Server 2010 Setup wizard to add the Mailbox role to an existing Exchange 2010 server.

1. In Control Panel, start Programs and Features.

2. Select Microsoft Exchange Server 2010 from the list of installed programs, and then click Change.

3. The Exchange Server 2010 Setup wizard starts in Exchange Maintenance Mode. Click Next.

4. On the Server Role Selection page, select the check box for Mailbox Role and then click Next.

5. On the Readiness Checks page, review the Summary to determine if the system and server are ready for the Mailbox role to be installed. If all prerequisite checks completed successfully, click Install. If any of the prerequisite checks failed, you must resolve the displayed error before you can proceed with installing the Mailbox role. In many cases, you don't need to exit Setup while you're fixing issues. After you resolve an error, click Retry to run the prerequisite check again. Also, be sure to review any warnings that are reported.

6. The Progress page will display the progress and elapsed time for each phase of the installation. As each phase ends, it will be marked completed and the next phase will proceed. If any errors are encountered, the phase will end as incomplete and unsuccessful. In this event, you must exit Setup, resolve any errors, and then restart Setup in Maintenance Mode.

7. When all phases have finished, the Completion page will be displayed. Review the results and verify that each phase completed successfully. Click Finish to exit Setup.

8. Restart the computer to complete the installation of the Mailbox role.

How do I know this worked?

The successful completion of the Exchange Setup wizard will be your first indication that the installation process worked as expected. To further verify that the Mailbox server role installed successfully, you can run Get-ExchangeServer <server name> | Format-List in the Exchange Management Shell, which can be launched from the Exchange Server 2010 program group on the Windows Start Menu. This cmdlet outputs a list of the Exchange 2010 server roles that are installed on the specified server.

You can also review the contents of the Exchange setup log file (ExchangeSetup.log), located in <system drive>\ExchangeSetupLogs to verify that the Mailbox role was installed as expected.

Learn more at: Verifying an Exchange 2010 Installation

Configure public folders  

Public folders are an optional feature in Exchange 2010 if all client computers in your organization are running Microsoft Office Outlook 2007 or later. However, if Outlook 2003 clients are in use, public folders are required. In addition, if you're currently using public folders for collecting, organizing, or sharing documents and other information and you want to continue doing so, you can use public folder replication to move your public folder data to Exchange 2010.

Learn more at: Understanding Public Folders

How do I do this?

You can use the Exchange Management Console to perform this task.

1. In the console tree, navigate to Organization Configuration > Mailbox.

2. In the result pane, click the Database Management tab, and then select the public folder database you want to configure.

3. In the action pane, click Properties.

4. Use the General tab to view or configure the properties of a public folder database, to change its name, and to customize its maintenance schedule.

o Name   This unlabeled box at the top of the tab displays the name of the public folder database. You can modify this name.

o Database path   This read-only field displays the full path to the Exchange database (.edb) file for the selected public folder database. To view the entire path, you may have to click the path and use the RIGHT ARROW key.

You can't use this field to change the path. To change the location of the database files, close Properties, right-click the public folder database, and then click Move Database Files.

o Last full backup   This read-only field displays the date and time of the last complete backup of the public folder database.

o Last incremental backup   This read-only field displays the date and time of the last incremental backup of the public folder database.

o Status   This read-only field displays whether the public folder database is mounted or dismounted.

o Modified   This read-only field displays the last date and time that the public folder database was modified.

o Maintenance schedule   Use this list to select one of the preset maintenance schedules.

You can also configure a custom schedule. To configure a custom schedule, in the Maintenance schedule list, select Use Custom Schedule, and then click Customize.

o Enable background database maintenance (24 x7 ESE scanning)   Select this check box to enable background database maintenance. If you select this check box, the Extensible Storage Engine (ESE) performs the database maintenance, and the public folder database reads the object during database mount and initializes the database to perform the background database maintenance. If you don't select this check box, the public folder database reads the object during database mount and initializes the database without the option to perform the background database maintenance.

o Do not mount this database at startup   Select this check box to prevent Exchange from mounting this public folder database when it starts.

o This database can be overwritten by a restore   Select this check box to allow the public folder database to be overwritten during a restore process.

o Enable circular logging   Click this check box to enable circular logging. Circular logging overwrites and reuses a single log file after the data it contains has been written to the database. Circular logging is disabled by default. By enabling circular logging, you reduce drive storage space requirements. However, you can't recover anything more recent than the last full (normal) backup because the transaction logs no longer contain all the transactions that were completed since the last backup. Therefore, in a normal production environment, circular logging isn't recommended.

5. Use the Replication tab to specify the public folder database replication interval and the replication message size limit.

o Replication interval   Use this list to set the interval at which replication of public folders or content updates may occur.

To schedule a custom replication interval, select Use Custom Schedule from the list, and then click Customize. Use the Schedule dialog box to customize the replication schedule, and then click OK to return to the Replication tab.

o Replication interval for "Always Run" (minutes)   If you set the replication interval to Always Run, this box displays the time interval (in minutes) during which replication of public folders or contents may occur. You can modify this interval. The value range is from 1 through 2,147,483,647 minutes.

o Replication message size limit (KB)   This box displays the size limit in kilobytes (KB) of a replication message. Small items may be aggregated into a single replication message that can be as large as this setting, but items larger than this setting are replicated with messages larger than this size. You can modify this size limit. The value range is from 1 through 2,097,151 KB.

6. Use the Limits tab to specify the storage limits, warning message interval, deletion settings, and age limits for all public folders in the selected public folder database.

o Issue warning at (KB)   Select this check box to automatically warn public folder owners that the public folder is approaching its storage limit.

To specify the storage limit, select the check box, and then specify in kilobytes (KB) how much content can be stored in the public folder before a warning e-mail message is sent to the folder's owner. You can enter a value between 0 and 2,147,483,647 KB (2.1 terabytes).

o Prohibit post at (KB)   Select this check box to prevent posting to the public folders in the database after the size of folder reaches the specified limit.

To specify this limit, select the check box, and then specify the size of the public folder in kilobytes (KB) at which you want to prohibit posting. You can enter a value between 0 and 2,147,483,647 KB (2.1 terabytes).

o Maximum item size   Select this check box to limit the maximum size of items that users can post to the public folders in the database.

To specify the size, select the check box, and then specify the maximum size of items in kilobytes (KB) that users can post to the public folders. You can enter a value between 0 and 2,097,151 KB.

o Warning message interval   Use this list to display the interval at which you want warning messages to be generated. To select one of the default intervals, click the list, and then select one of the following:

Run daily at midnight

Run daily at 1:00 A.M.

Run daily at 2:00 A.M.

Use Custom Schedule

If you select Use Custom Schedule, you must click Customize to set the schedule.

o Keep deleted items for (days)   Use this box to set the numbers of days that deleted items are retained in a public folder. You can enter a value between 0 and 24,855 days.

o Don't permanently delete items until the database has been backed up   Select this check box to prevent items from being permanently deleted until after the public folder database is backed up.

o Age limit for all folders in this public folder database (days)   Select this check box to limit the age of all folders in this public folder database. Use the text box to specify the age limit in days. You can enter a value between 0 and 24,855 days.

7. Use the Public Folder Referral tab to configure the folder replica that will be accessed by the client application. To learn more, see: Understanding Public Folder Referrals

o Use Active Directory site costs   Click this button to specify that Exchange uses the cost data from the Active Directory site to compute the connection cost for public folder referrals. This is the default option.

Note:

If the custom list contains public folder referrals, and you click Use Active Directory site costs, the list is unavailable and is cleared when this tab is refreshed. 

o Use custom list   Click this button to create a custom list of public folder referrals and the associated costs.

When you click Use custom list, the following features are made available:

Note:

If you click Use Active Directory site costs, these features are unavailable. 

o Add   Click this button to open the Server Referral Cost dialog box.

o Click Browse to open the Select Referral Server dialog box. Use this dialog box to select the referral server from the list of available servers that contain a public folder database and click OK.

o In the Cost box, assign a cost number between 1 and 100. The number 1 represents the lowest cost, which means that Exchange routing is more likely to use this as the replica server. The number 100 represents the highest cost, which means that Exchange routing is less likely to use this as the replica server.

o Edit   Select a server from the list, and then click this button to edit a public folder referral. This button is disabled if no servers are listed in the custom list.

o Remove   Click this button to remove a public folder referral from the custom list. This button is disabled if no servers are listed in the custom list.

How do I know this worked?

You can use the Get-PublicFolder cmdlet in the Exchange Management Shell to verify replicas on the Exchange 2010 public folder database. For example, to determine the replicas for all public folders in the public folder tree, run the following command:

Get-PublicFolder -Recurse | Format-List Name,Replicas

To determine the replicas for all system folders, run the following command:

Get-PublicFolder \NON_IPM_SUBTREE | Format-List Name,Replicas

Learn more about the cmdlet at: Get-PublicFolder

Install the Edge Transport server role  

Estimated time to complete: 15 minutes

The Edge Transport server performs anti-spam and antivirus filtering, and it also applies messaging and security policies to messages in transport. The Edge Transport server role can't coexist on the same computer with any other Exchange server role. You must deploy the Edge Transport server role in the perimeter network and outside the secure Active Directory forest.

Learn more at: Overview of the Edge Transport Server Role

We recommend installing the latest update rollup for Exchange 2010 on all your servers. Although you can install update rollups on a server after Exchange 2010 has been installed, it's also possible and less time-consuming to incorporate the update rollup into the server installation process. To do this, copy the contents of the Exchange 2010 DVD to the file system, and then copy or move the downloaded update rollup file to the Updates folder in the installation tree. When you perform the procedure below, the update rollup will be installed as part of the initial installation process.

To download the latest update rollup for Exchange 2010, visit: Microsoft Download Center

How do I do this?

The Exchange Server 2010 Setup wizard helps you install the Edge Transport role.

1. Insert the Exchange 2010 DVD into the DVD drive. When the AutoPlay dialog appears, click Run Setup.exe under Install or run program. If the AutoPlay dialog doesn't appear, navigate to the root of the DVD and double-click Setup.exe. Alternatively, browse to the location of your Exchange 2010 installation files and double-click Setup.exe.

2. The Exchange Server 2010 Setup welcome screen appears. In the Install section, the software listed for Step 1: Install .NET Framework 3.5 SP1 and Step 2: Install Windows PowerShell v2 was installed with the Exchange 2010 prerequisites. If these prerequisites aren't already installed, click the appropriate step to install them.

3. When Step 1, Step 2, and Step 3 are listed as Installed, click Step 4: Install Microsoft Exchange.

Note:

After your installation is complete, you can return to complete Step 5: Get critical updates for Microsoft Exchange. 

4. On the Introduction page, click Next.

5. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and click Next.

6. On the Error Reporting page, select Yes or No to enable the Exchange Error Reporting feature, and click Next.

7. On the Installation Type page, select Custom Exchange Server Installation. To optionally change the installation path for Exchange 2010, click Browse, locate the appropriate folder in the folder tree, and then click OK. Click Next.

8. On the Server Role Selection page, select the Edge Transport Role, and click Next. The Management Tools option, which installs the Exchange Management Console and the Exchange Management Shell, will also be selected and installed.


Subscribe the Edge Transport server  

Estimated time to complete: 10 minutes

You can use the Exchange Management Shell or the Exchange Management Console on the Hub Transport server to configure Internet mail flow when your organization sends and receives Internet e-mail by using a subscribed Edge Transport server.

To establish Internet mail flow, you subscribe the Edge Transport server to an Active Directory site. This process automatically creates the following Send connectors, which are required for Internet mail flow:

A Send connector configured to send e-mail to all Internet domains.

A Send connector configured to send e-mail from the Edge Transport server to the Hub Transport server.

Before you complete these steps, ensure that network communications over the secure LDAP port 50636/TCP are enabled through the firewall that separates the perimeter network containing the Edge Transport server from the internal Exchange organization.

Learn more at: Understanding Edge Subscriptions


How do I do this?

Use the following steps to subscribe the Edge Transport server to an Active Directory site:

1. On the Edge Transport server, run the following command in the Shell.


New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"

2. Copy the resulting XML file to a Hub Transport server in the Active Directory site to which you want to subscribe the Edge Transport server.

3. On the Hub Transport server, open the EMC, navigate to Organization Configuration > Hub Transport, and select the Edge Subscriptions tab.

4. In the Actions pane, click New Edge Subscription to start the New Edge Subscription wizard.

5. In the Active Directory site field on the New Edge Subscription page, click Browse to select the Active Directory site to which you want to subscribe the Edge Transport server.

6. In the Subscription file field, click Browse to select the EdgeSubscriptionInfo.xml file that was copied to the Hub Transport server in Step 2.

7. Leave as selected the Automatically create a Send connector for this Edge Subscription check box, and click New to create the Edge Subscription.

8. On the Completion page, review the task results and verify that the subscription was successfully created. The wizard will display a warning indicating that the Hub Transport servers in the subscribed site must be able to resolve the IP address for the Edge Transport server and to connect to TCP port 50636 on the Edge Transport server. Before proceeding with the next step, we recommend you verify this connectivity.

9. On the Hub Transport server, run the following command in the Shell.


Start-EdgeSynchronization

For more information, see: Import an Edge Subscription File to an Active Directory Site

For detailed syntax and parameter information, see: New-EdgeSubscription or Start-EdgeSynchronization

How do I know this worked?


After you create a new Edge Subscription, the Edge Transport server referenced in the Edge Subscription file is associated with the Hub Transport servers in an Active Directory site.

To verify that replication of the new Edge Subscription was successful, you can run Get-EdgeSubscription in the Shell.
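The connectivity check recommended in step 8, followed by step 9 and the Get-EdgeSubscription verification, is shown here as an added example that is not part of the original guide. It uses only .NET classes available under Windows PowerShell v2; the server name edge01.contoso.com, the function name Test-EdgeSyncPort, and the 5-second timeout are assumptions.

```powershell
# Added example: run in the Exchange Management Shell on a Hub Transport server
# in the subscribed Active Directory site.
param(
    [string]$EdgeServer = "edge01.contoso.com",  # placeholder: your Edge Transport server FQDN
    [int]$Port = 50636,                           # secure LDAP port named in the procedure
    [int]$TimeoutMs = 5000                        # assumed timeout per address
)

function Test-EdgeSyncPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)

    # The Hub Transport server must be able to resolve the Edge server's name.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($ComputerName)
    } catch {
        Write-Warning "Cannot resolve ${ComputerName}: $($_.Exception.Message)"
        return $false
    }

    # It must also complete a TCP handshake on the port, on at least one address.
    foreach ($ip in $addresses) {
        $client = New-Object System.Net.Sockets.TcpClient($ip.AddressFamily)
        try {
            $async = $client.BeginConnect($ip, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)   # throws if the connection was refused
                Write-Host "$ComputerName ($ip) accepts connections on TCP $Port"
                return $true
            }
            Write-Warning "Timed out connecting to $ip on TCP $Port"
        } catch {
            Write-Warning "Connection to $ip on TCP $Port failed: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
    }
    return $false
}

if (Test-EdgeSyncPort -ComputerName $EdgeServer -Port $Port -TimeoutMs $TimeoutMs) {
    Start-EdgeSynchronization          # step 9 of the procedure
    Get-EdgeSubscription | Format-List # confirm the subscription is listed
} else {
    Write-Warning "Fix name resolution or the firewall rule for TCP $Port before running Start-EdgeSynchronization."
}
```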