Exchange 2007 Mailbox Security

When you mention Exchange Server 2007 security, many administrators are familiar with the various built-in mechanisms used to harden Exchange. What's often overlooked is that it's just as important to use administrative policies to secure your Exchange organization.

Why you should secure Exchange 2007 using administrative policies
Administrative policies, which vary from company to company, dictate how to configure and run the Exchange organization. Although Microsoft doesn't have any official Exchange Server administrative policy best practices, here are some rules that can benefit most companies
Apply global security settings in an Exchange organization
One important step for securing an Exchange Server 2007 organization is to apply global security settings when possible. Exchange Server 2007 lets you manage security at a more granular level than was possible with previous versions of Exchange. Even so, using granular security settings is not necessarily a good thing.
It seems that the more granular a security policy is, the more difficult it is to manage. Using global security settings prevents an administrator from wondering what settings apply to a particular server or recipient. Setting policies globally is especially important for organizations that are subject to regulatory issues. In such cases, applying security policies at a high level ensures that no objects are missed as might have happened if security was applied at a lower level. It also ensures that the policies are being applied consistently across an entire organization.

Who should have an Exchange mailbox?
Although it seems that email is something everyone has, there are some accounts that should not be mail-enabled. The domain administrator account is a perfect example.
There are several reasons why you shouldn't mail-enable the domain administrator account. First, this account is a favorite target of hackers, spammers and malware authors. Having a mailbox link to the administrator account implies that someone is regularly logging into the domain administrator account. Unfortunately, administrative actions need to be performed at times and doing so requires administrative access.
Don't use the domain administrator account unless it's absolutely necessary. Instead, I recommend creating two separate user accounts for each user who needs administrative access to the system. One account should be granted administrative permissions; the other account should be a basic user account.
This accomplishes a few things. First, it allows administrators to perform day-to-day tasks, such as checking email without being logged on using administrator credentials. Additionally, if a user has to perform an administrative action, the action can be audited to a specific user account so that it's easy to find out who performed it. If the domain administrator account is used for all administrative actions, audit logs would show the actions. It also would be impossible to determine who was responsible for those actions.
In addition, I recommend that you don't associate mailboxes with any account the administrator must access. If a user was to open an infected email message accidentally and the attachment was able to execute, the malicious attachment would run with administrative credentials and would have free reign over the system. Using two separate user accounts for each administrator lets you link the administrator's mailbox to a non-administrative account.
Standardize server builds throughout your Exchange organization
I recommend standardizing server builds. Keep versions of Windows Server and Exchange Server consistent that you're running in your organization. When possible, you should not only run the same version consistently across the organization, but you also should run the same service pack level as well as the same set of patches, drivers and updates.
Consistent server builds ease the management process, and sometimes Microsoft will change the way that a particular setting behaves when it releases a security patch or a service pack. If you aren't running consistent server builds, you may apply the same security settings across all your Exchange servers, but not all servers will receive the same level of protection. This may lead to a false sense of security and will result in the administrative staff needlessly spending hours troubleshooting an issue that would not have existed if all versions were consistent
How to copy and transfer a Microsoft Outlook 2007 auto fill list
Switching PCs can often be as simple as installing Microsoft Windows and loading a few applications, but there also are some user-specific facets to the transfer. Anyone who has used roaming profiles in Microsoft Windows knows that they tend to prolong the logon and logoff processes. For this reason, I don't use them in my organization. I have, however, started copying a user's desktop icons and Internet Explorer (IE) favorites list from the profile to the new PC.
After replacing my own PC, I received an unusual request -- a user wanted her Microsoft Outlook 2007 auto fill list back. The Outlook auto fill list is Microsoft Outlook's email address cache.
Whenever you send an email message to someone, Outlook caches the address. The next time you need to send an email to that recipient, you only need to type the first couple of characters of the recipient's email address, and Outlook fills in the rest.

Auto fill list is stored as part of the user's profile in a nickname file (has an .NK2 extension). Once you locate the nickname file, it's fairly easy to transfer it to another PC.
The file's location varies depending on the version of Windows you are using. In Microsoft Windows Vista, it's located in the \Users\user name\Application Data\Microsoft\Outlook folder. Because this is a protected folder, you will need to gain access to the folder before you can make a copy of the nickname file.
The first step in gaining access to the folder is to make it visible. Here's how to do that:
1. Log on as an administrator and then open Windows Explorer.
2. Choose Folder and Search Options commands from the Options menu. Windows will display the Folder Options properties sheet.
3. Deselect the following check boxes:
Hide Extensions for Known File Types
Hide Protected Operating System Files (recommended)
4. You also must select the Show Hidden Files and Folders option, then click OK.
The necessary folders will now be visible, but you still won't have access to them. This is because Windows places an explicit denial on the Application Data folder; this denial overrides any type of permissions that have been granted.
To gain access to the nickname file, you must get rid of the explicit denial. To do so, navigate through Windows Explorer to C:\Users\user name\Application Data. Right-click on the Application Data folder and choose the Properties command from the menu.
When the Application Data properties sheet appears, go to the Security tab and click Advanced, followed by Edit. There is one access control list entry that is set as a specific denial (Figure 1). Select this entry and click Remove.

Figure 1. Eliminate the Microsoft Outlook Deny entry.

Click OK three times and you should be able to gain access to the Application Data folder. Navigate to the Microsoft\Outlook folder beneath the Application Data folder, and copy the .NK2 file to removable media.
Note: The name of the .NK2 file matches the name of Microsoft Outlook's profile. For machines with a single Outlook profile, the filename will be Outlook.nk2. For machines with multiple Outlook profiles, there will be a separate .NK2 file for each profile. Figure 2 shows an example of this type of configuration.

Figure 2. There is a separate .NK2 for each of the user's Outlook profiles.

Copy each of the .NK2 files to removable media. Log onto the new machine using the end user's account and create any necessary Outlook profiles. When you are done, log out and log back in as an administrator.
Use the technique that I demonstrated earlier to gain access to the user's Application Data directory. Finally, find the \Users\user name\Application Data\Microsoft\Outlook folder and replace any existing .NK2 files with the ones you copied from the other machine.

Please let me know if this post was helpful.

Windows 2008 File System

Windows 2008 File Server Terminology

File Server provides mechanism that helps in managing storage, enabling File Replication, managing Shared Folders, ensuring Fast File searching and enabling access for UNIX Client Computer.

• Distributed File Systems (DFS) – It provides tools and services for DFS namespace and DFS replication

• DFS Management – Console for creating and managing DFS Namespace and DFS Replication group

• DFS Namespace – It is a virtual view of shared folders located on different servers in an Organization. Users can navigate the namespace without needing to know the server name or shared folder. When a user views the namespace, the folders appear in a singe, virtual DFS namespace.

• Replication Group – it provides the mechanism for replicating data across the servers of DFS namespace. There are two types of Replication Group
o Multipurpose Replication Group – It configures replication between two or more servers for Publication, content sharing and other Scenarios
o Replication Group for Data Collection – it configures two way replication between servers for data collection, such as Branch Servers and HUB Servers. The HUB server can be used for backing up data collected from the Branch Servers

• Replication Group Topology Selection
o HUB and Spoke – This topology requires three or more servers in the replication group. In this topology, Spoke members are connected to one or more HUB Servers. The data originates for the HUB server and replicates to the spoke servers.
o Full Mesh – In this topology each members replicates with all the members of the replication group. This topology works well when there are Ten or fewer members in replication group.
o No Topology – This topology must be selected if you want to create custom topology. No replication takes place between members until the custom topology is created.

• File Server Resource Manager (FSRM) – It enables you to generate Storage reports, configure quotas and define File screening policies

• Services for Network File System – It provides UNIX client computers to access files on this server

• Windows Search Services – It permits fast searches on File Servers from clients that are compatible with Windows Search Service. Windows search service are intended for desktop search or small file server scenarios.

Please let me know if this post was helpful.

Windows 2008 Server Core

Windows 2008 Server Core

• What is Windows 2008 Core
o It is stripped out version of Windows Server
o It only requires about 1 GB of Hard disk drive for initial installation
o It has local command line interface only
o It can be managed remotely using MMC
o It only supports 9 Server Roles

• Roles that can be installed on Core are
o Active Directory Directory Service AD DS
o Active Directory Lightweight Directory Service (AD LDS)
o Dynamic Host Configuration Protocol (DHCP) Server service
o Domain Naming Server (DNS) service
o File Server
o Print Server
o Web Server (IIS)
o Streaming Media Services
o Hyper V

• Server core can be used as Web Server but not as an Application Server so it cannot have .Net Framework installed

• Command list for joining the server to the domain
o To get the name of the server, type ‘hostname’
o To get more information of the server type ‘systeminfo’
o To rename a computer, type ‘netdom renamecomputer /newdomain:’
o To join a Domain, type ‘netdom join %computername% /domain: /userD: /password:*’
Where computername is the name of the computer joining the domain.

• Commands for configuring DHCP Service on Server Core
o To install DHCP Server, type ‘start /w OCSetup DHCP Server Core’
o To configure DHCP to start automatically ‘SC config DHCPServer Start=Auto”
o To start DHCP Service, type ‘net start DHCPServer’

• To remotely administer Server core we need to setup Firewall on the local Server as well as we need to install RSAT (Remote Server Administration Tools) on the Remote Server.

To configure local firewall type the below command.
‘netsh advfirewall firewall set rule group=”Remote Administration Group” new enable=yes’. The command will result with updating 3 rules in the local firewall policy

RSAT can be installed on the remote Server by adding ‘Remote Server Administration Tools’ features.

Please let me know if this post was helpful.

Configuring Centralized Auditing of events using Windows 2008

http://www.windowsecurity.com/articles/Centralized-Auditing-here-FREE.html


Please let me know if this post was helpful.

Deploying Exchange 2010

Step by Step Installation of Exchange 2010

Microsoft has released Exchange 2010 beta for testing. It has some cool new features which I would suggest to test out before deploying in the production. Exchange 2010 beta can be downloaded from Microsoft Site. Let’s have a quick look at the pre-requisites for deploying Exchange 2010

Operating System Requirements
Exchange 2010 being 64 bit is only support on Windows Server 2008 64 bit operating system. I would suggest using Windows 2008 R2 operating System which can be downloaded from the Microsoft Site. The Management Tools can be installed on the 64-bit editions of Windows Vista® SP1 or later, or Windows Server 2008 64 bit.

Additional requirements to run Exchange Server 2010 Beta
• Memory - Minimum of 4 gigabytes (GB) of RAM per server plus 5 megabytes (MB) of RAM recommended for each mailbox
• Disk space
o At least 1.2 GB on the drive used for installation
o An additional 500 MB of available disk space for each Unified Messaging (UM) language pack that you plan to install
o 200 MB of available disk space on the system drive
• Drive - DVD-ROM drive, local or network accessible
• File format - Disk partitions formatted as NTFS file systems
• Monitor – Screen resolution 800 x 600 pixels or higher

Exchange Server 2010 Beta Prerequisites
If these required prerequisites are not already installed, the Exchange Server 2010 Beta setup process will prompt and provide links to the installation locations.
• Microsoft .NET Framework 3.5
• Windows PowerShell v2
• Windows Remote Management

Actual requirements will vary based on system configuration and specific features installed. For more detailed system requirements, please refer to the Exchange Server 2010 Technical Documentation Library.


Installing Exchange Server 2010 Beta

Once the system is ready for Exchange 2010, run setup from the Exchange 2010 CD or DVD or from the downloaded location.

ITBLOG7.BLOGSPOT.COM 1


On the Welcome page click on “Step 4: Install Microsoft Exchange”. Click on “next” on the next screen.

ITBLOG7.BLOGSPOT.COM 2


Next you will be prompted for choosing the language files. You will need to provide the location of the Language file if you want to select language other than English otherwise you may select on “Continue Setup without Language files” and click “next”.

ITBLOG7.BLOGSPOT.COM 3



ITBLOG7.BLOGSPOT.COM 4

Click on “Next” for Language Confirmation



ITBLOG7.BLOGSPOT.COM 5


Select “I accept” on the License Agreement page and click on “Next” for Language Confirmation


ITBLOG7.BLOGSPOT.COM 6


On the Error reporting page you may choose to provide feedback to Microsoft about the errors or issues being generated on your Exchange Server. Microsoft collects this information to further improve their products. Since I am doing in the LAB environment, I am selecting “No” here.


ITBLOG7.BLOGSPOT.COM 7


This page is similar to Exchange 2007 Setup. There are some improvements in Exchange 2010 which will help you in designing your Exchange 2010 Infrastructure.

Earlier versions of Exchange required Windows Clustering for High Availability. Exchange 2010 no longer requires windows based clustering. Exchange 2010 comes with a new feature named as DAG (Database accessibility Group” for high availability. DAG is the successor of CCR’s and SCR’s log shipping technology used in Exchange and can provide 16 copies of the database across multiple servers. You may refer to the link if you are interested in knowing about the new features on Exchange 2010.

Now we don’t need HUB and CAS role deployed separately to the Mailbox role in High Availability design.


ITBLOG7.BLOGSPOT.COM 8


The Exchange 2010 Beta edition is not supported to be installed along with earlier versions of Exchange. You will be required to install Exchange 2010 in a New Exchange Organization.


ITBLOG7.BLOGSPOT.COM 9


Outlook clients 2003 and earlier and Entourage requires Public folders to access information such as Free Busy wheras Outlook 2007 accesses this information using CAS Server. If you clients older than Outlook 2003 or Entourage than select on “Yes” for Exchange 2010 to create Public folder store for them. Otherwise you may select on “No”


ITBLOG7.BLOGSPOT.COM 10



Here you can select the type of industry that best suits your Organization. Click on “Next” to perform prerequisite checks


ITBLOG7.BLOGSPOT.COM 11


On this screen it display about any missing pre-requisites, if any. It will provide the link to perform corrective actions.

After getting success on all the pre-requisites you can click on the “Install” to start the installation.

Once the installation is completed click on “Finish” to finalize the installation.


Please provide me the feedback if I was able to help you with this article.


Happy Installation ;)

Installing Virtual Server 2005 R2 on Vista RC1 / RC2

Installing Virtual Server 2005 R2 on Vista RC1 / RC2

There are two main parts.

First you need to configure IIS correctly. To do this you will need to enable to following subcomponents of IIS:

Under Web Management Tools enable:
IIS Management Console

Under IIS 6 Management Compatibility enable:
IIS Metabase and IIS6 configuration compatibility

Under Application Development Features enable:
CGI

Under Common Http Features enable:
Default Document
Directory Browsing
HTTP Errors
Static Content

Under Health and Diagnostics enable:
HTTP Logging
Request Monitor

Under Performance Features enable:
Static Content Compression

Under Security enable:
Windows Authentication

N.B. Just checking the top level entry for IIS will *not* install all of these components. You need to select them individually.

The second part is that you need to run Internet Explorer 'as administrator' by right clicking on it and selecting 'Run as administrator'.

N.B. The 'Run as administrator' option is not available on the Internet Explorer shortcut on the start menu, but it is available on the one under 'All Programs' and the one on the quick start toolbar.

The reason for this second step is that the Virtual Server COM interfaces are secured to only allow authorized users to access them. If you do not run Internet Explorer 'as administrator' it will not provide your full credentials to Virtual


Please let me know if this post was helpful.

Workaround for running Virtual Server 2005 R2 on Windows 7 RC

As we know Virtual Server or Virtual PC doesn't work on Windows 7. But there is a workaround to get it working.

Here’s how to run Virtual server on windows 7;

PCA is always blocking the vssrvc.exe (Virtual Server service). First you should block PCA. I did that by the following way: In the Group Policy go to the Computer Configuration\Administrative Templates\Windows Components\Application Compatibility\ and enable all of the Turn off xxx entries. I think if you enable only the "Turn off Application Compatibility Engine" it would be enough but I wanted to be sure and enabled everything, later we are going to restore the original settings. Then go to the "Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics\"and disable all of the entries so that we don't come across any DCOM or driver related error.

IIS have to be prepared as well. Requirements are same as in Vista take a look at this link.

Restart your computer and then you are ready to install the Virtual Server 2005 R2 SP1. Afterwards Virtual Server (VS) should be running and you can check it by Virtual Server Administration Website.

Next restore all settings what you changed in Group Policy and restart your computer. Unfortunately Application Compatibility Engine will detect Virtual server services and block that again. So you have to go to the Virtual Server directory (Usually C:\Program Files\Microsoft Virtual Server\) and rename the vssrvc.exe to something else (example: vssrvc_newname.exe). Open the registry editor and replace all entry which contains "vssrvc.exe" to vssrvc_newname.exe (path, DCOM object details, etc)
Finally restart your computer and enjoy Virtual server 2005 at Windows 7 RC :)


Please let me know if this post was helpful.

Link for Microsoft Technet Evaluation Center

Please let me know if this post was helpful.

Using ISA to block file extensions

1. Right click on your Rule, then click on Configure HTTP. The Configure HTTP Policy page will open as per the screen shot below



2. Click on the Extensions Tab, then from the drop down list choose Block specified extensions (allow all others).



3. Click on the Add button



4. In this page, start adding the extension you desire to block, such as wmv, avi and so on.




5. After you finish from filling the extensions you desire to block , click on OK




6. Click the Apply button to save the changes and update the firewall policy.



Please let me know if this post was helpful

Exchange 2007 memory and hardware configuration best practices

A commonly repeated adage about Exchange Server memory is "more is better." The more memory you have, the less likely Exchange Server will experience bottlenecks and the faster things will run.


Exchange 2007 memory and hardware configuration best practices
Exchange 2007 is all the more powerful on systems with more than 4 GB of RAM, thanks to its 64-bit architecture. So it would seem to make sense to throw as much memory as is physically possible at a given 64-bit Exchange installation, right?
That's the theory, but the practice especially when it comes to Exchange Server 2007 is a little different.
In Microsoft's article about Exchange Server 2007 hardware, "Planning processor and memory configurations," there are a number of surprises regarding the best memory configurations for a 64-bit Exchange installation. One is the revelation that 32 GB is the most cost-effective memory configuration for Exchange 2007 boxes.
This is not a limitation of Exchange 2007, but an observation about how cost-effective that much memory in a given Exchange Server will be, and how expensive it is to buy the required hardware.
An Exchange 2007 system's memory bus architecture may impose speed limits based on how much memory is installed. A system with 16 GB of PC3200 memory can support 32 GB of memory, but only at PC2700 speeds (so having more memory may be offset by the fact that it's slower).
Another hardware consideration is that a given Exchange 2007 server may work better when more memory slots are filled vs. having denser memory modules in fewer slots.
Microsoft breaks down recommended memory allocations for Exchange 2007 servers based on their roles. For example, a mail server will probably need 2 GB plus 2 MB to 5 MB per mailbox, with a recommended maximum of 32 GB.

By those calculations, a 32 GB mail server could comfortably support over 6,000 users. Assuming heavy usage, 32 GB may be overkill for many organizations.
There are two caveats:
1. These estimates don't take into account third-party applications that might be running on the same Exchange server.
2. It assumes fairly sane mailbox usage i.e., you're not allowing people to have 5 GB mailboxes or something equally absurd.
For my own edification, I went to Dell's site to spec two separate servers: one that scaled to 64 GB of RAM and another that only scaled to 32 GB. The first had memory speeds that topped out at 400 MHz (DDR2). The second went up to 667 MHz (DDR2) and started at far less of a price.
Exchange Server memory management with /3GB, /USERVA and /PAE
Exchange Server is notorious for devouring server memory. In this tip, I explain how the /3GB switch, /USERVA switch and /PAE switch can help you manage Exchange Server 2003 memory and performance. I also share best practices you should employ so you don't cannibalize Windows Server 2003's memory in the process.

/3GB switch
By default, Windows Server 2003 can address up to 4 GB of memory. The server doesn't actually need to have 4 GB of RAM installed though. Virtual memory allows Windows Server 2003 to address a full 4 GB, even if there is considerably less memory installed.
Also by default, Windows splits the 4 GB of addressable memory right down the middle. It reserves 2 GB of memory space to the Windows operating system and 2 GB for user-mode processes (applications).
The /3GB switch alters the balance of address space allocation. If the /3GB switch is applied, Windows will only allocate 1 GB of address space for the operating system, and leave a full 3 GB of address space for user-mode processes.
Conventional wisdom has long stated that you should apply the /3GB switch to the BOOT.INI file for any server that has 1 GB or more of physical RAM. However, Exchange Server can be a demanding application, so the 1 GB rule may not always be what's best for Exchange Server.
According to Microsoft, you should only use the /3GB switch on Exchange servers that are hosting mailboxes or public folders. If an Exchange server is simply acting as a front-end server, bridgehead server, or performing some other role that doesn't involve hosting mailboxes or public folders, it's best to allow the operating system access to the full 2 GB memory address space. (Microsoft did make the default 2 GB for a reason.)
Some people at Microsoft have even suggested that the /3GB switch is best avoided unless Exchange Server is hosting more than 20 mailboxes.
Microsoft also discourages the use of the /3GB switch if you are running Exchange Server on Windows 2003 Small Business Server, or if Exchange Server is running on a domain controller (running Exchange Server on a domain controller is not recommended).
The primary reason for not using the /3GB switch in some situations is that the Windows operating system makes page table entries (PTEs) for allocating memory. Windows has a finite amount of space that it can use for PTEs, and using the /3GB switch significantly reduces the space available for them.
If PTE space drops below a certain level, Windows has a tendency to become unstable. So it's often wise to provide the operating system with the full 2 GB of address space, unless Microsoft Exchange is the server's sole application and Exchange Server is hosting mailboxes and/or public folders.

/USERVA switch
You can provide Windows with more PTE space while still using the /3GB switch through the use of a BOOT.INI switch available in Windows Server 2003 called /USERVA.
The /USERVA switch can be used in conjunction with the /3GB switch to increase the available PTE space. For example, using the /USERVA switch with a value of 3030 (/USERVA=3030) will allocate an additional 42 MB of space to the PTEs.
It's worth pointing out though that Microsoft does not support arbitrary /USERVA values. Some applications actually have a documented /USERVA setting, but Exchange Server does not. That being the case, you will have to determine the appropriate /USERVA value by monitoring the Free System Page Table Entries counter in Performance Monitor.
With the /USERVA switch, lower numbers create more PTE space. Therefore, a value of 3,000 would create more PTE space than a value of 3,030. 3,030 is a good starting point, but if the System Page Table Entries counter drops below 7,000, it means that the system is not stable and there aren't enough PTEs available. You will then have to set the /USERVA value to a lower number to correct the problem.
According to Microsoft, the absolute lowest number that you can use as a /USERVA value is 2,800. But Microsoft also reports that it has yet to see an Exchange Server installation require a /USERVA value of lower than 2,900.

/PAE switch
Some higher end servers support using more than 4 GB of RAM. If you have such a server and you are running Windows Server 2003 Enterprise Edition or Datacenter Edition, you can use the /PAE switch with the BOOT.INI file.
The /PAE switch tells Windows Server 2003 to use page translation to allow a 32-bit system to address more than 4 GB of memory (this is not necessary on 64-bit servers).
Using the /PAE switch allows more memory to be allocated to Exchange Server. But like the /3GB switch, the /PAE option also consumes PTE space.

The /3GB and the /PAE switches should never be used together under any circumstances.


Please let me know if this post was helpful.

Microsoft Office Groove 2007

Exchanging Contact Information—Sending Your Contact to Others
You can send your Microsoft Office Groove 2007 contact to others right from the Common Tasks pane on the Contacts tab in the Launchbar.
1. Click Send My Contact via E-mail.
2. Type the e-mail addresses of the people whom you want to receive your contact.
3. Recipients receive an e-mail message with a hyperlink that automatically adds your contact to their list in the Groove Launchbar.


Please let me know if this post was helpful.

Office Project Server

Multiple Level Undo, Change Highlighting, and Task Drivers
In Microsoft Office Project Professional 2007, project managers can visualize the impact of changes and trace back their steps. To turn the Change Highlighting feature on or off, click the View menu, and then click Hide Change Highlighting or Show Change Highlighting. While the feature is enabled, all levels of tasks affected as a result of a change are highlighted with a color as a visual indicator. Using this feature together with the Multiple Level Undo feature, project managers can do "what-if analysis" by trying a set of changes and then reversing unwanted changes. If further analysis of a task's schedule is needed, the project manager can use Task Drivers on the Project menu to determine the factors (such as task dependency, calendar constraints, schedule date, or vacation time) that are driving a task's start date.


Please let me know if this post was helpful.

Active Directory Rights Management Server

ITBLOG7.BLOGSPOT.COM 1


ITBLOG7.BLOGSPOT.COM 2

Active Directory Rights Management Services (AD RMS) is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorised use within the orgsanization and within the Federated identities. Content owners can define who can open, modify, print, forward or take any other action with the information.

By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.

An AD RMS system includes a Windows Server® 2008-based server running the Active Directory Rights Management Services (AD RMS) server role that handles certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows Vista® operating system. The deployment of an AD RMS system provides the following benefits to an organization:

· Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as "confidential - read only" that can be applied directly to the information.

· Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.

· Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.


ITBLOG7.BLOGSPOT.COM 3


ITBLOG7.BLOGSPOT.COM 4


ITBLOG7.BLOGSPOT.COM 5


ITBLOG7.BLOGSPOT.COM 6


ITBLOG7.BLOGSPOT.COM 7


ITBLOG7.BLOGSPOT.COM 8


ITBLOG7.BLOGSPOT.COM 9


ITBLOG7.BLOGSPOT.COM 10


ITBLOG7.BLOGSPOT.COM 11


ITBLOG7.BLOGSPOT.COM 12


ITBLOG7.BLOGSPOT.COM 13


ITBLOG7.BLOGSPOT.COM 14


ITBLOG7.BLOGSPOT.COM 15


ITBLOG7.BLOGSPOT.COM 16


ITBLOG7.BLOGSPOT.COM 17


ITBLOG7.BLOGSPOT.COM 18


Please let me know if this post was helpful.

Exchange 2010 First Look

Exchange 2010 can provide
- High availability and site resilience which is native to exchange
- Usability of less expensive and less complex storage.
- Simplify Administration and reduce support costs

High Availability Feature names
- Mailbox resiliency: Name of Unified High availability and Site Resiliency Solution
- Database Availability Group: A group of upto
mailbox server that host a set of replicated databases
- Mailbox Database Copy - A mailbox databse (.edb and Logs) that is either active or passive.
- Database Mobility: The ability of a single mailbox database to be replicated to and mounted on other mailbox servers
- RPC CAS: Cas feature that provides a MAPI endpoint for Outlook clients
- Shadow Redundancy: A transport feature that provides redundancy for messages for the entire time they are in transit
- Incremental Deployment: The availbility to deploy high availability / site resilience after Exchange is installed
- Exchange Third Party Replication API: An Exchange provided API that enables use of third party replication for a DAG in lieu of continuous replication.

High Availability Solution
- Uses enhanced CCR and SCR Technology
- Can be deployed on wide range of storage option
- Clustering is native to Exchange and Does not depend on Windows based clustering.
- Reduces the need of SAN infrastructure

Improvements in Exchaneg 2010
- All clients connecty to CAS Server
- Database level failover
- Failover is managed by Exchange
- Use of Database Access Group provides database level failover

High Availbility Terminology
- High availbility: Provides data availbility, service availbility and automatic recovery from failures
- Disaster recovery: Process to provide manual recovery from failure
- Site Resiliency: DR solution used for recovery from site failure
- *over: Short for switchover / failover.
- Switchover: It is a manual activation of one or more database after a failure.
- Failover: It is an automatic activation of database after a failure.

Exchange 2010 possible *overs
- Database or Servers within a Datacenter
- Datacenter level switchover

Exchange 2007 brought forward concepts
- Extensible Storage Engine (ESE)
* Database and log files
- Continuous replication
* Log shipping and replay
* Database seeding
* Store service and Replication Service
* Database health and status monitoring
* Divergence
* Automatic database mount behavior
- Concepts of quorum and witness
- Concepts of *overs

Exchange 2007 dropped concepts
- Storage Groups
- Databases are global objects and are no longer identified by Server names
- Clustered Mailbox Server no longer exists
- Two high availbility copy limits (now 16 copies of mailbox database are available)
- Private and public Networks

High Availability Fundamentals
- Database Availability Group: It is a base component of HA and site resilience. It provides a group of up to 16 servers that hosts a set of replicated databases. It defines the boundaru for Mailbox database replicatio, Database and Server *overs, and Active Manager. It manages membership and proivdes heartbeat of DAG member servers

- Mailbox Database replication: It Provides continuous replication of mailbox databases. It supports encryption and compression and supports multiple replication networks

- Active Manager: It is an Exchange component that manages *overs. It runs on every server in DAG and selects best available copy on failovers. It keeps track of where the database is active and provides this information to other Exdchange component such as RPC CAS and HUB Transport. Active Manager has two roles
* Primary Active Manager (PAM): It runs on the node that owns the cluster group. it gets the topology change notifications and reacts to the server failures by selecting the best database copy on *overs.
* Standby Active Manager (SAM): It runs on every other copy of DAG. It responds to the query about which server hosts the active copy.
Both the roles are necessary for automatic recovery.

Transition Steps
- Verify the pre requisites are met for deploying Exchange 2010
- Deploy Exchange 2010
- Use Exchange 2010 mailbox move feature to move mailboxes from Exchange 2007 to Exchange 2010


Unsuported Transitions
- In place upgrade to Exchange 2010
- Using database protability between Exchange 2010 and non-exchange 2010
- Backup and restore of earlier versions of Exchange to Exchange 2010
- Using Continuous replication between Exchange 2010 and 2007


Exchange 2010 improvements
- Onlive Move Mailbox: It supports moving mailboxes Between Exchange 2007 SP2 and Exchange 2010 without causing downtime to the users. Move is performed asynchronously by a new service called Microsoft Exchange Mailbox Replication Service (MRS) running on CAS

- RPC CAS: It replaces RPC endpoint client access on the Mailbox role to the CAS role. It does not replace for Public folders. Clients connect directly to the Public Folder store to access Public Folder databases

- Shadow Redundancy: It helps HUB and Edge Transport Servers in keeping the copy of items until it is delivered to the next hop. It also helps in upgrade or maintenance.

Please let me know if this post was helpful.