Exchange Geek's Weblog

I'm a Geek!

Archive for October, 2008

Exchange Server 2007 Setup – 4

Posted by Milind Naphade on 22/10/2008

Okay, it’s time to look behind the curtains now. As said in the previous couple of posts, Exchange Server integrates with several components of Active Directory as well as with the local machine where it is installed. This post covers some of the changes that happen in these two locations: AD and the local machine.

When Active Directory is prepared for the installation of Exchange Server 2007, the PrepareAD operation makes several changes in AD. You can see the screen shots below and read between the lines to understand these changes.

When PrepareAD is run for an Exchange Server 2007 native mode organization, setup starts extending the schema definitions, and they look like above in your schema partition. It is interesting to know that this operation is done with the simple command-line tool ldifde.exe, which can be used on any Active Directory server. When setup inserts the schema definitions into Active Directory, it uses ldifde.exe and the .ldf files from the setup media. These files are located at Drive:\Setup\ServerRoles\Common\Setup\Data. This location on your setup medium contains several .ldf files, and they are divided according to the nature of the setup you will be running. For example, if you are running setup in a mixed mode Exchange 2003 organization, the set of files picked up to extend the schema will appear as PostExchange2003_schemaXXXX.ldf.

The next step is to set the correct permissions on objects in Active Directory so that Exchange Server runs correctly. This is a fairly complex part of setup because the setup program sets permissions on several objects. A few of these are machine accounts, Exchange servers, Active Directory sites and, if you are setting up the box in a mixed mode environment, almost all of the legacy Exchange containers. Once these ACEs are set correctly on the required objects, the domain naming context also undergoes some more changes, in fact additions. These include modification of ACEs on the AdminSDHolder container, MESO, the Exchange Server security groups, etc.
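One way to see exactly which ACEs setup adds on AdminSDHolder and MESO is to snapshot their DACLs before and after /PrepareAD and diff the two. The PowerShell below is an added example, not code from the original post; it assumes a domain-joined host with Windows PowerShell 3.0 or later and read access to the objects, and the function and file names are hypothetical.

```powershell
# Added example: snapshot and diff the DACLs that PrepareAD touches.
# Assumptions: domain-joined host, Windows PowerShell 3.0+, read access.
# Function names and CSV file names are hypothetical.

function Save-AceSnapshot {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$RelativeDn = @(
            'CN=AdminSDHolder,CN=System',
            'CN=Microsoft Exchange System Objects'   # MESO, absent before setup
        )
    )
    $root     = [ADSI]'LDAP://RootDSE'
    $domainDn = $root.psbase.Properties['defaultNamingContext'].Value

    $rows = foreach ($rdn in $RelativeDn) {
        $dn = "$rdn,$domainDn"
        if (-not [ADSI]::Exists("LDAP://$dn")) { continue }

        $sd = ([ADSI]"LDAP://$dn").psbase.ObjectSecurity
        # Read trustees as SIDs so unresolvable accounts do not abort the dump.
        foreach ($ace in $sd.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier])) {
            $name = try {
                $ace.IdentityReference.Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { '' }
            [pscustomobject]@{
                Object      = $dn
                Sid         = $ace.IdentityReference.Value
                Name        = $name                      # informational only
                Type        = "$($ace.AccessControlType)"
                Rights      = "$($ace.ActiveDirectoryRights)"
                ObjectType  = "$($ace.ObjectType)"       # GUID of attribute/right
                Inheritance = "$($ace.InheritanceType)"
                Inherited   = "$($ace.IsInherited)"
            }
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-AceSnapshot {
    param([string]$Before, [string]$After)
    # Compare on the fields that define an ACE; Name is carried along for reading.
    $cols = 'Object','Sid','Type','Rights','ObjectType','Inheritance','Inherited'
    Compare-Object (Import-Csv $Before) (Import-Csv $After) -Property $cols -PassThru |
        Select-Object @{ Name = 'Change'; Expression = {
                if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' } } },
            Object, Name, Sid, Type, Rights, ObjectType
}

# Usage:
#   Save-AceSnapshot -Path .\acl-before.csv    # before setup /PrepareAD
#   Save-AceSnapshot -Path .\acl-after.csv     # after it completes
#   Compare-AceSnapshot .\acl-before.csv .\acl-after.csv | Format-Table -AutoSize
```

Keeping the "before" file also gives you a baseline for later reviews, since the ACL on AdminSDHolder is the one Active Directory stamps onto protected accounts and groups.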

The Active Directory Users and Computers snap-in looks similar to the screen shot below. You can also observe the new security groups created in a new OU. These security groups are part of the Exchange 2007 administrative model. I will try posting some more information on this in another post, as it becomes difficult to write up everything in a single post and it also increases the length unnecessarily.

That was a brief look at what Exchange 2007 setup changes in AD; now back to the local computer where one or more roles will be deployed. The major changes that occur during installation on a Windows Server 2003 box are in the registry, as Exchange 2007 does not completely rely on WMI the way Exchange 2003 did. The location HKLM\Software\Microsoft\Exchange\v8.0\<name of role> holds a set of registry values that give information about the state of the role installed on that particular box. The values at HKLM\Software\Microsoft\Exchange describe the various components installed on that server.

Again, I forgot to get my dumps from my labs copied to the host operating system and attach them to this post. I will get those dumps tomorrow morning and will post them with some more description of each of the setup phases. If you have any comments on this post, please feel free to post them; they will be really helpful to improve on what I have always been missing.
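To inspect those role keys on a server, the following lists every value found under each v8.0 subkey. It is an added example, not from the original post; it reads the 64-bit registry view explicitly (which assumes .NET Framework 4 or later) so that a 32-bit PowerShell host is not redirected to Wow6432Node, and the function name is hypothetical.

```powershell
# Added example: inventory the values under
# HKLM\Software\Microsoft\Exchange\v8.0\<name of role> on the local machine.
# The function name is hypothetical. Each subkey of v8.0 is reported as a
# role, following the layout described in the post.

function Get-ExchangeRoleState {
    param([string]$BasePath = 'SOFTWARE\Microsoft\Exchange\v8.0')

    # Open the 64-bit view so a 32-bit host does not silently read Wow6432Node.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $base = $hklm.OpenSubKey($BasePath)      # opened read-only
        if ($null -eq $base) { return }          # no Exchange 2007 keys here

        foreach ($role in $base.GetSubKeyNames()) {
            $key = $base.OpenSubKey($role)
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Role  = $role
                    Name  = $name
                    Kind  = $key.GetValueKind($name).ToString()
                    Value = $key.GetValue($name)
                }
            }
            $key.Close()
        }
        $base.Close()
    }
    finally {
        $hklm.Close()
    }
}

Get-ExchangeRoleState | Sort-Object Role, Name | Format-Table -AutoSize
```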


Posted in Exchange Server 2007, Setup | 1 Comment »

Exchange Server 2007 Setup – 3

Posted by Milind Naphade on 17/10/2008

If you want to install Exchange Server 2007 on different, dedicated hardware for each server role, the Custom Exchange Server Installation option lets you choose the role you want to deploy on that particular box. The role selection screen allows you to install the desired server role; take a look at the screen shot below.

Clicking on the Next button will bring up the next screen to allow you to choose the name for your Exchange organization.

Please note that this screen will only appear if you are installing Exchange Server 2007 in a fresh AD environment with no legacy Exchange installation in it. If you already have an Exchange Server 2000 or Exchange Server 2007 organization running in your AD forest the setup will not prompt you to enter any organization name.

Then comes the client settings screen, where you can let Exchange Server 2007 know whether you are still using legacy clients like Outlook 2000 and Outlook 2003. If you have legacy clients running in your company, you must select "Yes" and click Next.

Once all the required settings and the namespace are defined, the setup program first checks for the prerequisites. This check is in fact a part of the Exchange Server Best Practices Analyzer integrated into the setup program. The checks include discovery of Active Directory configuration prerequisites, a platform operating system readiness check, and a check of server role specific requirements.

After the organization prerequisite checks pass, the setup program copies the required files to the temp directory on the server. These files are copied from <PLATFORM>\Setup\ServerRoles\Common and are stored at <SYSTEMPATH>\Temp\ExchangeServerSetup on the local computer.

That’s it. Once all of the chosen server roles are installed, the next screen confirms the successful installation by showing green signals.

In the next post in this series I will try to focus on the things that happen in the background whenever the setup program is launched to install a server role.

Posted in Exchange Server 2007, Setup | Comments Off on Exchange Server 2007 Setup – 3

Exchange Server 2007 Setup – 2

Posted by Milind Naphade on 08/10/2008

Until the last post it was all preparation for installing an Exchange Server 2007 organization in the AD forest. Next come the actual setup phases that the Exchange Server 2007 installer runs through. Again, several changes have been made in the setup architecture compared to Exchange Server 2003 setup. Exchange Server 2007 forest and domain preparation is as good as running Exchange Server 2003 ForestPrep and DomainPrep, but the terms used for these concepts have changed completely: for Exchange Server 2007 setup they are called /PrepareSchema and /PrepareAD. Along with these two setup switches, Exchange Server 2007 offers a set of further switches, described at http://technet.microsoft.com/en-us/library/aa997281(EXCHG.80).aspx. The rest of the switches available with Exchange Server 2007 setup can be seen by simply running the command setup.com /?

As explained in the previous posts “Installing Exchange Server 2003 (DomainPrep)” and “Installing Exchange Server 2003”, Exchange Server 2007 also has to extend the Active Directory schema and set up permissions on different containers in AD. We will take a look at the changes that happen after running setup with these switches. The new command line switches are /PrepareLegacyExchangePermissions, /PrepareSchema, /PrepareAD and a few others, each with its function during the setup phases. Remember, you need to have all the software prerequisites and AD prerequisites installed and configured correctly before you run any of the phases of Exchange Server 2007 setup, else setup simply fails.

/PrepareAD

PrepareAD has replaced the typical /ForestPrep and /DomainPrep switches of Exchange Server 2003. During setup, the Exchange Server 2007 installer tries to detect whether the Active Directory domain it is being run in has already been prepared (exactly what Exchange 2003 setup did). The only difference between the two setup programs is that, if Exchange Server 2007 is a totally new organization being installed fresh, running setup.com with only one switch works and setup goes ahead with the installation of the Exchange binary files. /PrepareAD can be broken down into several pieces, as below:

  1. Preparing permissions for legacy versions of Exchange servers.
  2. Extending AD schema.
  3. Creating Exchange containers in configuration naming context.
  4. Creating Exchange Server related objects in domain naming context. (These objects include creation of Exchange Server 2007 security groups and organizational units. Exchange Server 2007 has an extended permissions model based on the permissions model introduced in legacy Exchange Server versions.)
  5. Assigning permission to these containers created during the previous steps.
  6. Preparation of local domain.

To run all of these operations in one shot, setup provides /PrepareAD, but to run any of the above you need membership of the Enterprise Administrator and Schema Administrator groups in Active Directory.

To provide more granularity for administrators or architects managing or designing a complex Exchange organization with several trusted/trustee forests or domains, setup.com also provides more switches along with the PrepareAD switch. Okay! Before I write anything else about it, let me clarify that all of the information in the paragraph above is based on the SP1 release notes and documentation updates released by Microsoft. Still, you can try doing all of the above and observe it in your test labs. All you need to do is keep observing the changes happening around you in Active Directory (open ADSIEDIT), the registry (REGEDIT) and the file system (the best way to monitor is using filemon, though you will need to use your own brains on what to observe). I would have been more than happy to write about it, but it does not seem to be very important at this point. Sometime later! Anyway, I am a very lazy guy :-D

Launching Exchange 2007 setup in GUI mode does not ask you to run the AD preparation manually; it does the /PrepareAD itself and then starts the rest of the installation. In short, if you are installing Exchange Server 2007 in a fresh AD, you really don’t need to bother about anything. Just go ahead and double-click setup.exe on the installation medium. The very first screen of Exchange Server 2007 setup appears. Once you are through the first three steps (the introduction, EULA and Error Reporting screens), you will be prompted to select the installation type you want.

The default installation type does not select the Edge Transport server role for installation on the box where all other 4 roles are installed. The custom installation option is useful when deploying an advanced Exchange Server setup. As you can see in the figure below, it provides options to install clustered mailbox servers, but a clustered mailbox server cannot have any other role installed on it. Setup automatically grays out the options for the other server roles if either of the clustered mailbox server options is selected.

You may recall that Exchange Server 2003 setup asked for the organization name as well, but only during the binary installation phase. Until then it creates a child container for the organization name under CN=Microsoft Exchange in the config partition and leaves it without a human-understandable name. Exchange 2007 setup changes this plan as well: it prompts you to enter the organization name before it starts running AD preparation. If you already have an Exchange Server 2003 organization running in your AD, setup will never ask you for the organization name and you will never see that setup screen.

The next screen asks you to select a setting that lets Exchange know whether you are running legacy Outlook clients in your organization. Select the option accordingly. Selecting it incorrectly will stop your Outlook clients from displaying free/busy data to other users in the same organization. This is because Outlook 2003 and earlier versions query the Schedule+Free/Busy public folder on your Exchange Server 2003 to populate free/busy data. Exchange Server 2007, however, no longer stores this data in public folders; it is stored in the individual mailboxes. But there is a catch: how would one user be able to see another user’s mailbox data unless that user delegates permission to view his calendar to others? This task has been assigned to a new service introduced in Exchange Server 2007, the Availability Service. It logs on to the mailbox in question, fetches the information and passes it to the requestor. So if you still have Outlook 2003 clients, you should enable support for them while installing Exchange. For more information on the Availability Service, refer to http://technet.microsoft.com/en-us/library/bb232134.aspx. This article on Microsoft TechNet describes the functionality of the Availability Service.

In the next post I will cover the rest of the setup stages and their details. I have gathered some more data by running more tools while Exchange Server 2007 setup is running on a Windows Server 2003 based computer, so I will try to share all of those things in the next post as well.

Posted in Exchange Server 2007, Setup | Comments Off on Exchange Server 2007 Setup – 2

Exchange Server 2007 Setup – 1

Posted by Milind Naphade on 04/10/2008


The simplest Exchange organization with all the roles deployed on separate physical servers will look like the above. The diagram above shows the placement of the ET role specifically. To be precise, this role does not require any interaction with Active Directory for its operations. It communicates directly with the HT server role in your Exchange organization. Another drastic change in the architecture is that the Client Access Server (CAS) role, which has replaced the Exchange Front End concept, no longer sits in the DMZ. It can now be installed within the enterprise network. That eliminates the need to open the ports used by Active Directory services on any of the firewalls, and that explains the reduced attack surface concept: “Lesser the number of ports open on firewall, lesser is the chance of attacks.” If the above is the network diagram of your Exchange organization, all you need on your firewalls is a few well-known ports open. Ports for services like SMTP, SSL and HTTP on the internet-facing device, and a few ports for services like HTTP, EdgeSync (50636), DNS, RPC, etc. on your internal firewall, will work fine for you.

In a recent post I described what each of these server roles does in the Exchange organization. The next phase is to understand the installation part. I will divide this part into the following stages instead of just saying “Installation”. There are a few prerequisites that need to be installed on the server where you will be installing Exchange server roles. A few of these software prerequisites are role dependent as well. So, if I want to install Exchange Server roles on separate servers, I classify the installation pre-considerations as below:

  1. Requirements on Active Directory servers and DNS servers.
  2. Hardware.
  3. Operating system.
  4. Software.
  5. Permission required for deployment.

Requirements of Active Directory servers and DNS servers:

  • Must have at least one Global Catalog server in each Active Directory site where Exchange server roles will be installed.
  • For optimal performance of GC-related queries and Outlook clients, the standard ratio of 4:1 should always be maintained. (For 1 CPU core of an Exchange box, 4 cores, or 1x4 Global Catalogs, must be available. This ratio plays a very important role in large environments of 20000 mailboxes and above.)
  • The Active Directory Schema Master should have at least Windows Server 2003 SP1 applied.
  • The Active Directory Domain Functional Level (DFL) should be Windows 2000 Server native or higher. This condition also applies to the Active Directory domains or forests hosting Exchange recipients.
  • If you already have an Exchange Server 2003 organization in your AD forest, it should be running in Native Mode.
  • Domain Name System (DNS) is configured correctly in your Active Directory forest.
  • During the primary steps of installation, Exchange Server setup tries to contact the schema master role in Active Directory, so it must be reachable from the computer on which you are running Exchange Server forest preparation and domain preparation.
  • Use of x64 bit Active Directory servers. This provides the flexibility to install and support more than 1 GB RAM over the 32 bit Active Directory servers.

Hardware:

Choosing the correct hardware is always a trouble; it is always governed by your company policies, budget and other hell. Unfortunately there is a twist in the setup architecture this time, though it is good and more powerful than the 32-bit operating systems. What has changed is the strict use of x64 architecture based hardware as well as operating system. Exchange Server 2007 is also available in a 32-bit version from the Microsoft website, but it is not supported at all; it’s for your labs and evaluation. Below are the minimum recommendations for choosing the right hardware for your servers.

  • x64 architecture based processor that supports Intel EM64T.
  • 2 GB of RAM (minimum recommended). According to a few articles written by experts, 2 GB plus 10 MB of RAM per mailbox is good.
  • At least 2.5 GB of disk space available on the partition where the Exchange Server binaries will be installed.
  • Separating disk partitions as follows is good from a performance perspective:
    • System partition
    • Partition that stores Exchange binaries
    • Partitions containing storage group files, including transaction log files
    • Partitions containing database files
    • Partitions containing other Exchange files

Operating System:

No talk is required on this topic! It should be Windows Server 2003 with Service Pack 1 (SP1) or Windows Server 2003 R2, Standard or Enterprise editions, or else Windows Server 2003 x64 or Windows Server 2003 x64 R2, Standard or Enterprise editions.

Software:

As I stated earlier in this post, there are some server role specific requirements as well as requirements that are compulsory for all server roles. To install any of the Exchange Server roles on a Windows Server 2003 based server, you need at least the following set of software installed on that server. These requirements do not apply to a Windows Server 2008 server, as many things are pre-included in Windows Server 2008 SP1, such as .NET Framework, MSXML log parser, MMC 3.0 and the very important PowerShell 1.0.

  • Microsoft .NET Framework 2.0
  • Microsoft .NET Framework hotfix 926776
  • Windows PowerShell™ 1.0
  • Microsoft Management Console (MMC) 3.0
  • For 64-bit systems, hotfix 918980

Minimum software requirements per server role are as follows. (An Exchange server should have all of the above components installed; below are the role-specific ones.)

Mailbox Server Role

  1. Network COM+ Access
  2. IIS
  3. WWW Service.

CAS Server Role

  1. WWW Service.
  2. RPC over HTTP Windows networking component.
  3. ASP.NET 2.0

UM Server Role

  1. MS Speech service. Exchange Server setup installs it automatically if it was not installed beforehand.
  2. Windows Media Encoder.
  3. MSXML 6.0

HT Server Role

    All of the required and common components, but SMTP and NNTP cannot be installed on the server running this server role.

Edge Transport Server Role

  1. Active Directory Application Mode (ADAM)
  2. Edge Transport servers must have a Domain Name System (DNS) suffix configured, and you must be able to perform name resolution from an Edge Transport server to any Hub Transport servers.

Permissions:

The user account that you use to install Exchange Server 2007 must meet certain permission requirements. Make sure that you are logged on by using an account that has the following group memberships:

  1. If you’re installing the first server in the forest AND you haven’t run /PrepareSchema, then Schema Administrator and Enterprise Administrator group memberships are required.
  2. If you’re installing the first server in the forest and you have run /PrepareSchema, but /PrepareAD has not been run, Enterprise Administrator group memberships are required.
  3. If you’re installing the first server in the forest and /PrepareSchema and /PrepareAD have been run, then Local Administrator group membership is required as well as the Exchange Organization Administrator role.

Posted in Exchange Server 2007, Setup | Comments Off on Exchange Server 2007 Setup – 1