
WIPRO – I2 Confidential Page 1 of 123

Implementation of Microsoft Exchange Server 2007

Prepared For:

I2 Technologies

Bangalore

Submitted By: Wipro InfoTech # 30, Divya Sree,

Mission Road Bangalore


Table of Contents

Architectural Overview
Active Directory & Exchange 2007 Implementation Summary
I2 POC Architecture
Active Directory 2008 Implementation
Configure DNS for Active Directory
Check the Health of the Domain Controller.
AD Sites & Subnets Management
Additional Domain Controller Setup.
Configure Failover Clustering in Windows 2008
Exchange 2007 implementation
Installing Exchange server 2007
Exchange 2007 CCR Implementation
Installation of Edge Transport Server Role
Installation and Configuration of Certificate Services
ISA 2006 Installation and Configuration
Conclusion


Document Management Information

Document Title: Project Document for Implementation of Exchange Server 2007

Document Status: Approved Wipro/In Review- I2/Approved by Customer.

Document Publication History

Version Number | Date | Author(s) | Remark
1.0 | 25-Nov-2008 | Binil | Project Document for Implementation of Exchange Server 2007

Document Review and Approval History

Version Number | Date | Reviewer and Approver | Remarks
1.0 | 05-Dec-2008 | Sathya Prakash | Exchange Server 2007 Project Document reviewed

Customer Review and Approval

1.0 Manoj

Document Distribution List

Sr. No. | Name and Company | Purpose
1 | I2 | Exchange Server 2007 Project Document


Architectural Overview

As a messaging system that is widely used in both large corporations and small businesses, Exchange Server has always been scalable in both directions. However, new demands on messaging – such as compliance, security, and disaster recovery – have created new challenges for delivering a messaging system that works great in small businesses and large enterprises alike. To rise to these new challenges, the architecture of Exchange Server 2007 has been updated to take advantage of 64-bit hardware, simplified administration and routing, and to enable an Exchange server to host one or more server roles.


Server Roles

The following figure shows some of the features of each Exchange 2007 server role.


Exchange Server provides a complete messaging system that can run on a single server – meaning that all Exchange services reside on one server, as with the Microsoft Small Business Server product. However, there are significant gains in deployment, management, and security that come from having a flexible, modular system that can be installed across more than one machine. This concept was first introduced in Exchange 2000 Server, where a front-end server could be configured to proxy inbound Internet client protocols to the appropriate mailbox server. Front-end servers are optional and can reduce the load on mailbox servers and simplify Microsoft Office Outlook® Web Access (OWA) and Exchange ActiveSync (EAS) user access. Having front-end servers in medium-size and large organizations made Exchange more scalable by concentrating particular tasks on a limited number of servers.

In Exchange Server 2007, role-based deployment has been expanded, allowing you to assign predefined roles to specific servers. These roles allow organizations to control mail flow, increase security, and distribute services, as shown in the following illustration.

Client Access role. Similar to the front-end server in earlier versions of Exchange, this server proxies Internet client traffic to the correct mailbox server.

Mailbox role. This role hosts user mailboxes stored in databases that can be replicated or clustered.

Hub Transport role. This role provides internal routing of all messages – from Edge servers, Unified Messaging (UM) servers, or between two users on the same mailbox database. The Hub Transport role is also where messaging policy is enforced for messages moving within and outside the organization.

Unified Messaging role. This role enables PBX integration to allow voice mail and fax messages to be delivered to Exchange mailboxes and to provide voice dial-in capabilities to Exchange Server. This role and its services are explained in more detail later in this paper.


Edge Transport role. This server resides outside your internal network and provides on-premise e-mail security, antivirus, and anti-spam services for Exchange. Off-premise filtering can be provided by Exchange Hosted Filtering, discussed later.

Administrative Groups and Routing Groups

Administration is simplified and more flexible in Exchange Server 2007. In previous versions of Exchange, administrative groups were administrative boundaries that contained servers and other objects. While administrative groups could be created to segregate administration within your IT organization, once created they were not very flexible. (You can't move servers between administrative groups.) Exchange Server 2007 overcomes this limitation by eliminating administrative groups. Administrative rights can now be delegated from the organization down to the server. Whether your organization uses a centralized or decentralized administrative model, you can delegate permissions to more closely match that model and easily adapt to new models as your organization changes.

Routing groups have been integrated with Active Directory sites. Because the design criteria for Active Directory site boundaries are similar to the design criteria for routing groups, and are the same in most organizations, Exchange now assumes a routing topology based on Active Directory site lines. Maintaining a separate Exchange routing topology and Active Directory site topology is no longer necessary.

Storage Groups and Information Stores

Exchange Server 2007 Enterprise Edition supports up to 50 storage groups and 50 databases per server. You can configure up to five databases per storage group, up to a maximum of 50 databases. Now mailbox data can be distributed across more databases, and mailbox databases can be distributed across more storage groups, than in earlier versions of Exchange Server. Exchange Server Standard Edition supports up to five storage groups and five databases per server. Both Enterprise Edition and Standard Edition have an unlimited database size limit.


Exchange Management Console


Active Directory & Exchange 2007 Implementation Summary

The following is a high-level summary of the Exchange 2007 Server implementation for I2. The summary is spelled out in detail in the rest of this document.

Active Directory Topology: Windows Server 2008 based Single Forest, single Domain architecture
Active Directory Sites Structure: Single Site named as Bangalore.
Local Domain: "jdatest.com"
Domain Controllers: POCJDARDC, POCJDAADC
Exchange Organization: "i2Exchange"
Exchange 2007 Architecture: Two Mailbox Servers Configured as Cluster Continuous Replication. Two HUB & CAS Servers on an F5 Load Balancer and one Edge Transport Server for Internet Mail Relay.
SMTP Domain name: i2technologies.com
Administrative Model: Centralized server management, distributed recipient management
Administration Groups: Single Administrative Group.
Routing Groups: Single Routing group.
Storage Groups: Multiple storage groups are created in Exchange 2007.
Database backup: CCR is configured for all the storage groups.
SMTP Relay: Currently internet mails are getting relayed through Exchange 2007 Edge Transport Server.
Reverse Proxy: ISA 2006 is configured to Publish Outlook Web Access.
Client Support: Microsoft Office System Outlook 2007/2003 is installed as supported mail client.
OWA Url: https://webmail.i2technologies.com
Outlook Anywhere: Server is enabled for Outlook Anywhere.


I2 POC Architecture


I2 Domain Controllers

Server Name | IP Address | Role | FQDN
POCJDARDC | 10.156.220.100 | RDC | POCJDARDC.JDATEST.COM
POCJDAADC | 10.156.220.101 | ADC | POCJDAADC.JDATEST.COM

Exchange 2007 Servers

Server Name | IP Address | Role | FQDN
POCJDAEXGHC01 | 10.156.220.102 | HUB & CAS | POCJDAEXGHC01.JDATEST.COM
POCJDAEXGHC02 | 10.156.220.103 | HUB & CAS | POCJDAEXGHC02.JDATEST.COM
POCJDAEXGMBX01 | 10.156.220.102 | Mailbox | POCJDAEXGMBX01.JDATEST.COM
POCJDAEXGMBX02 | 10.156.220.102 | Mailbox | POCJDAEXGMBX02.JDATEST.COM
POCJDAEDG01 | 10.157.34.13 | Edge Transport | POCJDAEDG01.JDATEST.COM

Windows 2008 Cluster

Name | IP Address | Role | FQDN
WINCLUSTER | 10.156.220.200 | Windows Cluster | WINCLUSTER.JDATEST.COM
POCJDAMBX | 10.156.220.210 | Exchange Virtual Server | POCJDAMBX.JDATEST.COM

ISA 2006 Servers

Server Name | IP Address | Role | FQDN
POCJDAISA | 10.156.220.106 | Reverse Proxy | POCJDAISA.JDATEST.COM


Active Directory 2008 Implementation

1. In Windows 2008 Server go to command prompt and type “dcpromo.exe”.

2. Click next on the welcome screen


3. Select Create new Domain in a new forest and click next.


4. Type the Domain name as JDATEST.COM and click next.

5. Select the forest functional Level as Windows Server 2003 and click next.


6. Select the Domain functional Level as Windows Server 2003 and click next.

7. Select DNS Server to be installed on the Server and click next.


8. Click yes on the delegation window and click next.

9. Select the Directory for storing the Active Directory Database files and click next.


10. Type the Recovery Mode Password and click next.

11. Review the Summary and click next to start the Active Directory installation.


12. Click finish and restart the Server.


Configure DNS for Active Directory

1. Open DNS Management console in the Domain Controller.

2. Right Click on the Reverse Lookup Zone and select new Zone.

3. Select Primary zone and click next, Store the zone in Active Directory must be selected to enable


4. Select the Replication to All the DNS Servers and click next.


5. Type the Subnet of the Domain Controller and click next.


6. Click finish to complete the zone creation.

7. Once the zone is created, open forward lookup zone and right click on the Host record of the Domain controller and select properties. Put the tick mark on the Update Associated Pointer option and click OK. This will automatically create a Pointer record in the reverse lookup zone.


Check the Health of the Domain Controller.

1. Verify all the Active Directory Roles are functioning properly by running the 'Netdom' query.

2. Verify the SRV records in DNS.


AD Sites & Subnets Management

1. Open Sites and services in Active Directory. Right click the site and select new Site.

2. Name it as Bangalore and select the Default Site Link. Click OK and the site gets created.


3. Associate a subnet to the Bangalore Site. Right click on Subnets and select new Subnet.


4. Type the Subnet of the Domain Controllers with the Mask and associate it with Bangalore site and click OK.


5. Once the Subnet has been attached to the site, move the Domain Controller to the new Site. In the AD Sites and Services window, right click on the Domain Controller and select Move.

6. Select Bangalore site and click OK.


Additional Domain Controller Setup.

1. Run DCPROMO command in the Server designated to be promoted as ADC.

2. Click next in the welcome screen.


3. Select the option Add a Domain Controller in an existing Domain and click next.

4. Type the Domain and click next.


5. Select the Site to which the Domain Controller has to be installed.

6. Select the DNS and Global Catalog Roles and click next.


7. Click finish and restart the Server.


Configure Failover Clustering in Windows 2008

1. Before configuring the Windows Cluster we need to configure the Network Adapters on the Server.

2. We need to have two Network Adapters in each Server.

3. One Network card must be configured as Internal Network. Second card must be configured with a Private range of network. This card will be used for Heartbeat communication between the Servers.

4. Attach separate SAN storage to each Server for the Exchange Database.

5. Join the machines to jdatest.com Domain.

6. Open Failover Cluster Management in the first node.

7. Select create a cluster option in the Action pane.


8. Click next to Continue.

9. Select both node1 and node2 to the cluster and click next.


10. Select yes to run the Cluster validation tests and click next.


11. Click finish to complete the Validation check.

12. Give a name and IP Address for the Cluster and click next.


13. Click finish to create the Windows Failover Cluster.


14. Once the Cluster is created, we need to configure the Quorum.

15. Exchange 2007 CCR supports File Witness Quorum.

16. Open the Failover Cluster Management; right click on the Windows Cluster we have created and select Configure Cluster Quorum settings in the More Actions.


17. Select Node and File Share Majority and click next.


18. We need to select a shared folder that will act as File Share Majority. Before selecting the option create a folder in the Server where you will be installing the Exchange 2007 HUB Transport Role.


19. Click finish to configure the Quorum settings.


Exchange 2007 implementation

INSTALLATION OF EXCHANGE 2007 SERVER

System Wide Requirements

Exchange 2007 has a certain set of requirements that must be met before we proceed with the installation. These requirements can be split into two types: system-wide and server-specific. System-wide requirements ensure that your Active Directory is ready to accept Exchange 2007 servers, and server-specific requirements ensure that the server that Exchange 2007 will be installed on can support it.

The bigger requirements are:

1. Exchange 2007 requires the domain functional level to be at Windows 2000 native mode.

2. On top of that, Exchange 2007 also requires that the Schema Master and the Global Catalog servers run Windows Server 2003 with SP1 applied.

3. It goes without saying that you also need a functional DNS infrastructure in place.

4. If you are installing Exchange 2007 into an existing organization, the Exchange mode must be set to native mode. This means no Exchange 5.5 servers anywhere in the Exchange organization. If you still have any Exchange 5.5 servers, you will need to upgrade them to Exchange 2000/2003 or remove them completely before proceeding with the installation of Exchange 2007.

5. As with Exchange 2000 and 2003, the forest and domain need to be prepared with schema extensions. However, unlike the previous versions, Active Directory does not need to be prepped beforehand; it is done automatically during setup, but the option does exist to allow for manual schema upgrades.

6. During the setup process the server will connect to the Schema Master in an effort to update the schema. This requires that the Schema Master is available and that the account you are running setup with has permissions to modify the schema.

7. You can prep the domain manually with the /PrepareAD switch on any server in the same domain that the Schema Master is in, but it is recommended to do this on the Schema Master. Once you have completed this, you will have to wait for the schema updates to replicate throughout the forest before you install any additional Exchange 2007 servers in the organization.

8. Finally, as with all Exchange installations, you require certain administrative rights in order to install an Exchange 2007 server. The following is a list of permissions required to install an Exchange 2007 server into a new or existing organization.

   a. Local Administrator on the server
   b. Enterprise Administrator
   c. Domain Administrator
   d. Schema Administrator (only required to extend the Schema)

You complete Exchange 2007 installation by performing several tasks. You can complete all these tasks at the same time, or you can perform some of the tasks before you start Exchange 2007 server role installation. To complete installation, follow these steps.

Pre-requisites for Exchange Server 2007 Hub/CAS/Mailbox Role

Microsoft .NET Framework 2.0 (x64 bit)

Microsoft Management Console 3.0 (x64 bit)

Windows PowerShell V1.0

IIS 6.0


Prepare Active Directory for Exchange 2007

1. Run the following commands in the Domain controller where the schema master role is running.


2. Once it is completed successfully, we can start the Exchange setup. Note: If you have a large AD infrastructure, you need to wait until the schema changes are replicated to all the Domain Controllers.


Installing Exchange server 2007

Installation of Exchange 2007 HUB and CAS

1. On the Exchange 2007 Setup splash screen, click on Install Microsoft Exchange to start the setup.


3. Exchange Server 2007 Setup Wizard Introductory Page

4. Select I Accept License agreement then Click Next


5. Error Reporting Page click next.

6. Select Custom Exchange Server Installation and click next


7. Select Client Access Role and Hub Transport Role and click next


8. Click finish to complete the setup.


Exchange 2007 CCR Implementation

Active Clustered Mailbox role installation

1. Run the setup.exe in the first node


2. Select Custom installation and click next.

3. Select Active Clustered Mailbox role and click next.


4. Select Cluster Continuous Replication and type the Clustered Mailbox Server name as POCJDAMBX. This is the Virtual Exchange cluster name. Select Mailbox role location and click next.

5. Give an IP address for the Exchange Virtual Server and click next.


6. Click finish to complete the setup.


Passive Clustered Mailbox role installation

1. Run the Setup in the Passive node.


2. Select Passive Clustered Mailbox Role and click next.


3. Click finish to complete the setup.


Installation of Edge Transport Server Role

1. Prerequisites for installing Edge Transport Server.
   a. The Edge Transport Server role must be installed in the DMZ zone.
   b. The operating system must be configured in a Workgroup environment.
   c. The DNS suffix must be added to the Network properties. Right click My Computer->Properties->Change Settings->Change->More->Add JDATEST.COM in the primary DNS suffix.
   d. Active Directory Application Mode must be installed.
   e. Host record of the HUB transport server must be added in the host file of the Edge Server.

2. Ports must be opened between Edge Transport Server and HUB Transport Servers.

Network interface | Open port | Protocol | Note
Between Edge and Internet | 25/TCP | SMTP | This port must be open for mail flow to and from the Internet.
Between Edge and HUB | 25/TCP | SMTP | This port must be open for mail flow to and from the Exchange organization.
Local only | 50389/TCP | LDAP | This port is used to make a local connection to ADAM.
HUB to Edge | 50636/TCP | Secure LDAP | This port must be open for EdgeSync synchronization.
Inbound from the internal network | 3389/TCP | RDP | Opening this port is optional. It provides more flexibility in managing the Edge Transport servers from inside the internal network by letting you use a remote desktop connection to manage the Edge Transport server.
Edge to Internal DNS Servers | 53/UDP | DNS | This port provides DNS communication between Edge and HUB transport Servers. This port is optional since you can have a host record for the communication.
Between Edge and internet | 53/UDP | DNS | This port provides DNS communication between Edge and internet.
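The following added example (not part of the original document) checks the TCP rows of the port table from the Hub Transport side, confirming that the EdgeSync and SMTP ports are reachable and that the local-only ADAM port is not exposed. It assumes PowerShell 2.0 or later on the Hub Transport server, that the Hub can resolve the Edge server name used in this POC, and a 3-second timeout; the function names are hypothetical.

```powershell
# Added example, not part of the original document.
# Run from a Hub Transport server (for example POCJDAEXGHC01).
# Assumptions: the Hub can resolve the Edge server name below, and a
# 3-second connect timeout is acceptable on this network.
$EdgeHost  = 'POCJDAEDG01.JDATEST.COM'
$TimeoutMs = 3000

# Expected state as seen from the Hub Transport side, per the port table.
# 50389/TCP is "local only", so it should NOT answer from another host.
$PortPolicy = @(
    @{ Port = 25;    Use = 'SMTP mail flow';            Expect = 'Open'     },
    @{ Port = 50636; Use = 'Secure LDAP (EdgeSync)';    Expect = 'Open'     },
    @{ Port = 50389; Use = 'LDAP to ADAM (local only)'; Expect = 'Closed'   },
    @{ Port = 3389;  Use = 'RDP management';            Expect = 'Optional' }
)

# Returns $true if a TCP connection completes within the timeout.
# A refused, filtered or timed-out connection returns $false.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Compares the observed state of each port with the expected state.
function Test-EdgePortPolicy {
    param([string]$ComputerName, [object[]]$Policy, [int]$TimeoutMs)
    foreach ($rule in $Policy) {
        $open  = Test-TcpPort -ComputerName $ComputerName -Port $rule.Port -TimeoutMs $TimeoutMs
        $state = if ($open) { 'Open' } else { 'Closed' }

        if ($rule.Expect -eq 'Optional')  { $verdict = 'INFO' }
        elseif ($rule.Expect -eq $state)  { $verdict = 'PASS' }
        else                              { $verdict = 'FAIL' }

        New-Object PSObject -Property @{
            Port     = $rule.Port
            Use      = $rule.Use
            Expected = $rule.Expect
            Actual   = $state
            Verdict  = $verdict
        }
    }
}

$results = @(Test-EdgePortPolicy -ComputerName $EdgeHost -Policy $PortPolicy -TimeoutMs $TimeoutMs)
$results | Sort-Object Port | Format-Table Port, Use, Expected, Actual, Verdict -AutoSize

$failed = @($results | Where-Object { $_.Verdict -eq 'FAIL' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} port(s) do not match the firewall table; review the DMZ rules." -f $failed.Count)
}
```

The 53/UDP rows are not covered because a plain connect test cannot confirm UDP reachability.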


Install Edge transport Server

1. Run the Exchange 2007 setup.


2. Select Edge Transport server role and click next.


3. Click finish to complete the setup.


Configure Edge Subscription

1. Open the Exchange Management Shell in Edge transport Server and run the following command.

   New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"

2. The file will get saved in C drive. Copy the file to HUB transport Server.

3. After the file is copied, open Exchange management console in HUB transport Server.

4. Under Organization configuration->Hub Transport->Edge Subscription.

5. Click on new Edge Subscription.


6. Select the Active Directory site and click on browse to select the Edge Subscription xml file created in the Edge Transport Server and click New.


7. Click finish to complete the subscription in HUB transport Server.


8. Once it is created we need to start the Edge Synchronization. Open Exchange Management shell in Hub Transport Server and execute the following command.

   Start-EdgeSynchronization


Installation and Configuration of Certificate Services

1. We will configure the Certificate Services in Additional Domain Controller.

2. Open Server Manager in ADC and click on ADD Roles.


3. Select Certificate Authority and click next.

4. Select Enterprise CA and click next.


5. Select Root CA since this is the first CA we are installing in the Domain.


6. Give a name for the Certificate Authority. We will give JDATEST CA


7. We can set the validity period for the certificates generated by this CA.


8. Click install to start the CA installation.

9. Close when the installation is complete.


10. Once the CA has been installed, open the IIS console in the Client Access Server and double click on Certificate option. Click on Create certificate request.

11. Give the common name as “webmail.i2technologies.com” and give other details.


12. Specify a location and give the file name to save the certificate request file.


13. Once completed connect to Certificate Authority by the following URL. http://pocjdaadc/certsrv

14. Click on Advanced certificate request.


15. Click on Submit a certificate request by using a base 64


16. Open the Certificate request text file which was created earlier.

17. Copy the entire contents of the file and paste it in the Saved request box in the Certificate request console. Select Web Server certificate.


18. Click on Download certificate to download the certificate generated by CA.


19. Once the certificate is downloaded, open the IIS console in Exchange CAS Server. Open Server certificate option and click on Complete Certificate Request.


20. Select the Certificate downloaded from the CA and give any friendly name.


21. Click ok to install the certificate in CAS Server.

22. After the certificate is installed, we need to enable the certificate in Exchange. Open the certificates installed and copy the thumbprint from the certificate.


23. Remove the space between the numbers in the thumb print.

24. Open Exchange management console and run following command.


25. Give the Service name as IIS and press Enter.


26. Paste the thumb print which was copied earlier and press enter.

27. This will enable the Webmail certificate created in the Exchange.
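Steps 22 to 27 can also be run non-interactively. The following is an added example, not part of the original document; it assumes the command prompted for in step 24 is Enable-ExchangeCertificate, that it is run in the Exchange Management Shell on the Client Access server with PowerShell 2.0 or later, and the function name Enable-WebmailCertificate is hypothetical. It cleans the pasted thumbprint and checks the certificate before binding it to IIS.

```powershell
# Added example, not part of the original document.
# Run in the Exchange Management Shell on the Client Access server.
function Enable-WebmailCertificate {
    param(
        # Thumbprint exactly as copied from the certificate dialog (step 22).
        [string]$RawThumbprint,
        # Common name given in the certificate request (step 11).
        [string]$ExpectedName = 'webmail.i2technologies.com'
    )

    # Step 23: remove the spaces. Copying from the certificate dialog can also
    # pick up an invisible leading character, so keep hexadecimal digits only.
    $thumbprint = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($thumbprint.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($thumbprint.Length) characters."
    }

    # The certificate must already be installed in the computer store (step 21).
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $cert) {
        throw "No certificate with thumbprint $thumbprint in LocalMachine\My."
    }

    # Checks before the certificate is put in front of OWA clients.
    if (-not $cert.HasPrivateKey) {
        throw 'Certificate has no private key; complete the request on the server that created it.'
    }
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        throw "Certificate is not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))."
    }
    if ($cert.Subject -notmatch ('CN=' + [regex]::Escape($ExpectedName))) {
        throw "Subject '$($cert.Subject)' does not contain CN=$ExpectedName."
    }

    # Steps 24 to 26: enable the certificate for the IIS service.
    Enable-ExchangeCertificate -Thumbprint $thumbprint -Services IIS

    # Step 27: confirm that IIS now appears in the certificate's Services list.
    Get-ExchangeCertificate -Thumbprint $thumbprint |
        Format-List Subject, Services, NotAfter, Thumbprint
}

# Usage (placeholder value; substitute the thumbprint copied in step 22):
# Enable-WebmailCertificate -RawThumbprint '<thumbprint copied from the certificate>'
```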


Enable Outlook Anywhere in Client Access Server

1. To enable Outlook Anywhere in Client Access Server, we need to install the RPC over http proxy from the Server manager.

2. Open Server Manager in CAS Server->Add features->Select RPC over http proxy and click install.

3. After the RPC over http installation, open Exchange Management Console, under Server configuration->right click on the CAS Server and Select Enable Outlook Anywhere.


4. Type the external host name through which the Outlook Anywhere will be accessed. Usually it will be the same name you access OWA from internet. Select basic Authentication and click Enable.

5. This will enable the Outlook Anywhere in the CAS Server.


ISA 2006 Installation and Configuration

1. Following are the prerequisites for installing ISA Server 2006.

a. Windows 2003 with SP1 and above.
b. Two network adapters (public and private networks).
c. Domain membership (we will install the ISA Server as a member server).
d. Configure one adapter with the public network IP and the other one with the internal network IP.
e. Join the machine to the jdatest.com domain.

2. After completing the prerequisites, double-click the ISA 2006 setup.

3. Click Next to continue.


4. Select Install both ISA Server services and Configuration Storage server and click next.


5. Select the installation directory and click next.

6. Select create a new ISA Server Enterprise and click next.


7. Click Add to select the internal network and add the IP address ranges in the network.


8. Click next to continue.


9. Click install to start the installation.


Install the Webmail Certificate in ISA Server

1. We need to install the Webmail Certificate issued to CAS server in ISA Server. ISA will use this Certificate to authenticate the Client Requests.

2. Open MMC in ISA Server->Add Computer Certificates->Personal Certificate.

3. Right click on the Certificates->All Tasks->Select Import.


4. Click Browse and select the Webmail certificate. (Export the certificate from the CAS server and copy it to the ISA Server before this step.)


5. Click finish to complete the Certificate import wizard.


ISA 2006 Configuration

1. By default, one rule, a deny any-to-any traffic rule, is created in ISA Server.


Publish Outlook Web Access in ISA 2006

1. To publish OWA, open the ISA console->Firewall Policies->click Publish Exchange Web Client Access. Give a name for the rule and click Next.

2. In the Exchange Version select Exchange 2007 and select Outlook Web Access in the Web Client mail services.


3. Use the Publish a single web site option and click Next.


4. Type the name of the internal web site that is being published, select the CAS server name, and click Next.

5. Type the external OWA URL in the Public name field and click Next.


6. The Web Listener page appears. We need to create a new Listener for the OWA Publishing. Click on New in the Web Listener window.

7. Give the name as Exchange Listener.


8. Clients must use an SSL connection when they connect to the server. Select the option and click Next.

9. Select the External network and add the IP subnets for that.


10. Also select the internal network and add the IP subnets.


11. The Certificate screen appears. Select the webmail certificate for both the networks.


12. Select Form based authentication for the client communication and select Active Directory for the client credential verification.

13. Type the Public Domain name and click next.


14. This completes the Listener configuration. Click Next.


15. Select Basic Authentication and click next.

16. Select Authenticated Users and click next.


17. Click Finish to complete the OWA publishing wizard.

18. Click Apply to put the settings into effect.


Redirect Http requests to Https in ISA 2006

1. Open the Web Listener properties and click on Connections.

2. Select Redirect authenticated traffic from http to https.


Receive Connector Settings

1. Verify the receive connector settings.

Conclusion

Installation and configuration of Exchange 2007 have been completed successfully. The Exchange Mailbox servers are installed in a CCR setup and the Client Access Servers are configured on a hardware load balancer. Exchange internet access has been published through ISA 2006.

-----End of the Document-----
