Exchange Server 2007 Setup – 4

Okay, it’s time to look behind the curtain now. As said in the previous couple of posts, Exchange Server integrates with several components of Active Directory as well as with the local machine where it is installed. This post covers some of the changes setup makes in both places, AD and the local machine.

When Active Directory is prepared for Exchange Server 2007, the PrepareAD operation makes a number of changes in AD. The screen shots below show these changes; the explanation follows.

On running PrepareAD for a native-mode (new) Exchange Server 2007 organization, setup starts by extending the schema; the definitions then look like the ones above in your schema partition. It is interesting to know that this is done with the plain command-line tool ldifde.exe, which can be run against any domain controller (setup targets the schema master). Setup imports the schema definitions using ldifde.exe and the .ldf files from the setup media, located at Drive:\Setup\ServerRoles\Common\Setup\Data. That folder contains several .ldf files, divided according to the kind of setup you will be running. For example, if you are running setup in a mixed-mode organization with Exchange 2003, the set of files picked up to extend the schema is named PostExchange2003_schemaXXXX.ldf.
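Since schema changes are irreversible, it is worth knowing what a set of .ldf files is going to add before ldifde runs. The script below is an added example (not from the original post and not Microsoft's code): it parses LDIF entries and reports the operation, object class and name of each one. The media path is a placeholder, the LDIF text at the end is constructed so the script runs offline, and the <SchemaContainerDN> placeholder in it follows the convention of those files, which setup substitutes for the real DN through ldifde’s -c switch. PowerShell 2.0 or later is assumed.

```powershell
# Added example, not part of the original post: summarise what Exchange schema
# .ldf files would add or modify before letting setup feed them to ldifde.

function Get-LdfSummary {
    param([string[]]$Lines, [string]$Source = "<inline>")

    $entries = @()
    $current = @{}
    foreach ($raw in $Lines + @("")) {          # trailing "" flushes the last entry
        $line = $raw.TrimEnd()
        if ($line -eq "") {
            if ($current.Count -gt 0) { $entries += ,$current; $current = @{} }
            continue
        }
        if ($line.StartsWith("#")) { continue }  # LDIF comment
        $sep = $line.IndexOf(":")
        if ($sep -lt 1) { continue }             # "-" separators and junk are ignored
        $name  = $line.Substring(0, $sep).ToLower()
        $value = $line.Substring($sep + 1).TrimStart(":").Trim()   # "::" = base64, kept raw
        $current[$name] = $value                 # last value wins; enough for a summary
    }

    foreach ($e in $entries) {
        if (-not $e.ContainsKey("dn")) { continue }
        $cn = ($e["dn"] -split ",")[0] -replace "^CN=", ""
        New-Object PSObject -Property @{
            Source      = $Source
            Operation   = $e["changetype"]       # ntdsSchemaAdd / ntdsSchemaModify / add / modify
            ObjectClass = $e["objectclass"]      # attributeSchema or classSchema for additions
            Name        = $cn
        }
    }
}

# Against the real media (drive letter is an assumption):
# Get-ChildItem "D:\Setup\ServerRoles\Common\Setup\Data\*.ldf" |
#     ForEach-Object { Get-LdfSummary (Get-Content $_.FullName) $_.Name } |
#     Group-Object Operation, ObjectClass | Format-Table Count, Name -AutoSize

# Constructed LDIF in the same shape as the schema files, so the script runs offline:
$sample = @"
dn: CN=ms-Exch-Example-Attr,<SchemaContainerDN>
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: msExchExampleAttr
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=ms-Exch-Example-Class,<SchemaContainerDN>
changetype: ntdsSchemaAdd
objectClass: classSchema
lDAPDisplayName: msExchExampleClass

dn: CN=User,<SchemaContainerDN>
changetype: ntdsSchemaModify
add: mayContain
mayContain: msExchExampleAttr
-
"@

Get-LdfSummary ($sample -split "`r?`n") "constructed.ldf" |
    Format-Table Source, Operation, ObjectClass, Name -AutoSize
```

Run it against the real Data folder before /PrepareSchema and keep the output with your change record; the same summary taken afterwards from the schema partition tells you whether every entry actually landed.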

The next step is to set the correct permissions on objects in Active Directory so that Exchange Server can run. This part of setup is fairly involved, because the setup program applies a set of permissions to several objects: machine accounts, Exchange servers, Active Directory sites and, in a mixed-mode environment, almost all of the legacy Exchange containers. Once these ACEs are set on the required objects, the domain naming context undergoes more changes, in fact additions: ACEs are modified on the AdminSDHolder container, on the Microsoft Exchange System Objects (MESO) container, on the Exchange Server security groups, and so on.
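Whatever PrepareAD writes onto AdminSDHolder is re-applied to every protected account (Domain Admins, Enterprise Admins and so on) by the SDProp process, so those ACEs deserve a look after the run. The script below is an added example (not from the original post): it lists the ACEs on AdminSDHolder and on the MESO container whose trustee name contains "Exchange". The substring filter is a heuristic of mine, and it assumes PowerShell 2.0 or later and an account that can read the security descriptors.

```powershell
# Added example, not part of the original post: audit the Exchange-related ACEs
# PrepareAD leaves on AdminSDHolder and the Microsoft Exchange System Objects container.

function Get-ExchangeAces {
    # Returns the ACEs on one AD object whose trustee name contains $Filter.
    param([string]$DistinguishedName, [string]$Filter = "Exchange")

    $path = "LDAP://$DistinguishedName"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Warning "$DistinguishedName not found; has /PrepareAD been run in this domain?"
        return
    }
    $entry = [ADSI]$path
    # Explicit and inherited rules, trustees as raw SIDs so one unresolvable SID does not abort the call
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }                  # orphaned SID: report it as-is
        if ($who -notlike "*$Filter*") { continue }
        New-Object PSObject -Property @{
            Object     = ($DistinguishedName -split ",")[0]
            Trustee    = $who
            Type       = $rule.AccessControlType     # Allow / Deny
            Rights     = $rule.ActiveDirectoryRights
            Inherited  = $rule.IsInherited
            # All-zero GUID = the right applies to the whole object; otherwise it is
            # scoped to one attribute, property set or extended right
            ObjectType = $rule.ObjectType
        }
    }
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = $rootDse.Get("defaultNamingContext")

@("CN=AdminSDHolder,CN=System,$domainNc",
  "CN=Microsoft Exchange System Objects,$domainNc") |
    ForEach-Object { Get-ExchangeAces $_ } |
    Sort-Object Object, Trustee |
    Format-Table Object, Trustee, Type, Rights, Inherited, ObjectType -AutoSize
```

Anything with WriteDacl, WriteOwner or GenericAll on AdminSDHolder is the line to check first, because it is inherited by every protected account in the domain.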

The Active Directory Users and Computers snap-in looks similar to the screen shot below. Note the new security groups created in a new OU (Microsoft Exchange Security Groups). These groups are part of the Exchange 2007 administrative model. I will try to post more on this separately, as it is difficult to cover everything in a single post and it would make this one unnecessarily long.

That was a brief look at what Exchange 2007 setup changes in AD; now back to the local computer where one or more roles will be deployed. The major changes during installation on a Windows Server 2003 box land in the registry, as Exchange 2007 no longer relies on WMI the way Exchange 2003 did. The key HKLM\Software\Microsoft\Exchange\v8.0\<name of role> holds a set of registry values that describe the state of that role on the box, and the values under HKLM\Software\Microsoft\Exchange describe the various components installed on the server.
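As an added example (not from the original post), here is a PowerShell snippet that reads those per-role keys and flags a role whose earlier setup run did not finish. The value names ConfiguredVersion, UnpackedVersion, Watermark and Action are the ones I have seen setup write under the role keys; the loop reads whatever keys exist, so treat anything else you find there as worth the same look. PowerShell 2.0 or later is assumed.

```powershell
# Added example, not part of the original post: report the role state that
# setup records under HKLM\SOFTWARE\Microsoft\Exchange\v8.0.

function Get-ExchangeRoleState {
    param([string]$BaseKey = "HKLM:\SOFTWARE\Microsoft\Exchange\v8.0")

    if (-not (Test-Path $BaseKey)) {
        Write-Warning "$BaseKey does not exist: no Exchange 2007 role has been unpacked here."
        return
    }
    foreach ($key in Get-ChildItem $BaseKey) {
        $props      = Get-ItemProperty $key.PSPath
        $configured = $props.ConfiguredVersion   # build that finished configuring this role
        $unpacked   = $props.UnpackedVersion     # build whose files were copied for this role
        $watermark  = $props.Watermark           # left behind only by an interrupted run
        $action     = $props.Action              # what that run was doing (Install, Uninstall, ...)

        $state = if ($watermark) { "INTERRUPTED during '$action'; read the setup log before clearing Watermark/Action" }
                 elseif ($configured) { "configured" }
                 elseif ($unpacked) { "unpacked but not configured" }
                 else { "unknown (no version values)" }

        New-Object PSObject -Property @{
            Role              = $key.PSChildName
            ConfiguredVersion = $configured
            UnpackedVersion   = $unpacked
            State             = $state
        }
    }
}

Get-ExchangeRoleState | Format-Table Role, ConfiguredVersion, UnpackedVersion, State -AutoSize

# The parent key carries the server-wide values the post mentions; dump it the same way.
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Exchange" | Select-Object * -ExcludeProperty PS* | Format-List
```

A ConfiguredVersion that differs from UnpackedVersion on one role is the usual sign of a half-applied service pack; the Watermark value is what makes setup refuse to start a different action until the earlier one is resumed or cleaned up.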

Again, I forgot to copy the dumps from my lab to the host operating system and attach them to this post. I will get those dumps tomorrow morning and post them with some more description of each setup phase. If you have any comments on this post, please feel free to post them; they will be really helpful to improve on what I have always been missing.

Exchange Server 2007 Setup – 3

If you want to install Exchange Server 2007 on separate, dedicated hardware for each server role, the Custom Exchange Server Installation option lets you choose the role to deploy on that particular box. The role selection screen allows you to install the desired server role; take a look at the screen shot below.

Clicking Next brings up the screen where you choose the name for your Exchange organization.

Please note that this screen only appears if you are installing Exchange Server 2007 in a fresh AD forest with no legacy Exchange installation in it. If you already have an Exchange 2000/2003 organization (or an existing Exchange 2007 organization) in your AD forest, setup will not prompt you for an organization name.

Then comes the client settings screen, where you tell Exchange Server 2007 whether you are still using legacy clients such as Outlook 2003 and earlier. If you have legacy clients in your company you must select "Yes" and click Next; this makes setup create a public folder database for them.

Once all the required settings and the namespace are defined, setup first checks the prerequisites; this check is part of the Exchange Best Practices Analyzer readiness checks integrated with the setup program. They cover Active Directory configuration prerequisites, operating system readiness, and server-role-specific requirements.

After the organization prerequisite checks pass, setup copies the required files to the temp directory on the server. These files are copied from <PLATFORM>\Setup\ServerRoles\Common on the media to <SYSTEMPATH>\Temp\ExchangeServerSetup on the local computer.

That’s it; once all of the chosen server roles are installed, the next screen confirms the successful installation with green ticks.

In the next post in this series I will try to focus on what happens in the background whenever the setup program is launched to install a server role.

Exchange Server 2007 Setup – 2

Up to the last post it was all preparation for installing an Exchange Server 2007 organization in the AD forest. What comes next are the actual setup phases the Exchange Server 2007 installer runs through. Again, the setup architecture has changed considerably compared with Exchange Server 2003. Exchange Server 2007 forest and domain preparation is as good as running Exchange Server 2003 ForestPrep and DomainPrep, but the names have changed completely: for Exchange Server 2007 setup they are /PrepareSchema and /PrepareAD. Along with these two, Exchange Server 2007 setup offers a set of further switches, described at http://technet.microsoft.com/en-us/library/aa997281(EXCHG.80).aspx; the full list is also shown by simply running setup.com /?

As explained in the previous posts “Installing Exchange Server 2003 (DomainPrep)” and “Installing Exchange Server 2003”, Exchange Server 2007 also has to extend the Active Directory schema and set permissions on various containers in AD. We will look at the changes made after running setup with these switches. The new command-line switches are /PrepareLegacyExchangePermissions, /PrepareSchema, /PrepareAD and a few others, each with its own function during the setup phases. Remember, all the software and AD prerequisites must be installed and configured correctly before you run any phase of Exchange Server 2007 setup, otherwise setup simply fails.

/PrepareAD

PrepareAD replaces the /ForestPrep and /DomainPrep switches of Exchange Server 2003. During setup, the Exchange Server 2007 installer detects whether the Active Directory forest and domain it runs in have already been prepared (exactly as Exchange 2003 setup did). The difference is that for a brand-new Exchange Server 2007 organization a single switch on setup.com does it all, after which setup goes ahead with installing the Exchange binaries. /PrepareAD can be broken down into the following pieces:

  1. Preparing permissions for legacy versions of Exchange servers.
  2. Extending the AD schema.
  3. Creating the Exchange containers in the configuration naming context.
  4. Creating Exchange-related objects in the domain naming context (these include the Exchange Server 2007 security groups and their organizational unit; Exchange Server 2007 has an extended permissions model built on the one introduced in legacy Exchange versions).
  5. Assigning permissions to the containers created in the previous steps.
  6. Preparing the local domain (the domain setup is run in; other domains need /PrepareDomain or /PrepareAllDomains).

To run all of these operations in one shot without much trouble, setup provides /PrepareAD; but to run any of the above you need membership in the Enterprise Admins and Schema Admins groups in Active Directory.
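As an added example (not from the original post), here is the command-line sequence for the preparation phases, followed by a PowerShell check that reads back the version stamps each phase leaves in AD, so you can tell which phase actually completed rather than trusting the console output. The D:\ media path and the organization name are placeholders, PowerShell 2.0 or later is assumed, and the expected numbers are the Exchange 2007 SP1 values as I remember Microsoft's schema-version table; verify them against the documentation for your build before relying on them.

```powershell
# Added example, not part of the original post: run the AD preparation phases,
# then verify what each one stamped into the directory.

# --- 1. Preparation phases (from cmd.exe or PowerShell, on a box in the schema
#        master's domain and site, as Schema Admin + Enterprise Admin) ---
# & D:\setup.com /PrepareLegacyExchangePermissions   # only if Exchange 2000/2003 is present
# & D:\setup.com /PrepareSchema
# & D:\setup.com /PrepareAD /OrganizationName:"Contoso Mail"
# & D:\setup.com /PrepareDomain                      # per extra domain, or /PrepareAllDomains

# --- 2. Read back the version stamps ---
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.Get("schemaNamingContext")
$configNc = $rootDse.Get("configurationNamingContext")
$domainNc = $rootDse.Get("defaultNamingContext")

function Get-AdInt {
    # Integer attribute of an AD object, or $null if the object or attribute is missing.
    param([string]$Dn, [string]$Attribute)
    $path = "LDAP://$Dn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { return $null }
    $obj = [ADSI]$path
    try { return [int]$obj.Get($Attribute) } catch { return $null }
}

function Get-ExchangeOrgDn {
    # The organization container is the msExchOrganizationContainer child of CN=Microsoft Exchange.
    $services = "LDAP://CN=Microsoft Exchange,CN=Services,$configNc"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($services)) { return $null }
    foreach ($child in ([ADSI]$services).psbase.Children) {
        if ($child.psbase.SchemaClassName -eq "msExchOrganizationContainer") {
            return $child.Get("distinguishedName")
        }
    }
    return $null
}

# Exchange 2007 SP1 values from memory (RTM: 10628 / 10666 / 10628); assumption, verify for your build.
$expected = @{ Schema = 11116; Organization = 11221; Domain = 11221 }

$orgDn  = Get-ExchangeOrgDn
$actual = @{
    Schema       = Get-AdInt "CN=ms-Exch-Schema-Version-Pt,$schemaNc" "rangeUpper"      # /PrepareSchema
    Organization = $(if ($orgDn) { Get-AdInt $orgDn "objectVersion" } else { $null })    # /PrepareAD
    Domain       = Get-AdInt "CN=Microsoft Exchange System Objects,$domainNc" "objectVersion"  # /PrepareDomain
}

foreach ($phase in "Schema", "Organization", "Domain") {
    $state = if ($actual[$phase] -eq $null) { "not prepared" }
             elseif ($actual[$phase] -ge $expected[$phase]) { "OK" }
             else { "older than expected" }
    "{0,-13} expected {1,6}  found {2,6}  {3}" -f $phase, $expected[$phase], $actual[$phase], $state
}
```

Run the check from a domain controller or any domain-joined box; the three stamps map one-to-one onto the three switches, which is handy when a failed run leaves you guessing how far it got.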

To provide more granularity for administrators or architects managing or designing a complex Exchange organization spanning several trusted forests or domains, setup.com also provides more switches alongside PrepareAD. Okay! Before I write anything else about it, let me clarify that all the information in the paragraph above is based on the SP1 release notes and documentation updates released by Microsoft. Still, you can also try all of the above and observe it in your test lab. All you need to do is keep observing the changes happening around you in Active Directory (open ADSIEDIT), the registry (REGEDIT) and the file system (the best way to monitor is Filemon, though you will need to use your own brains about what to observe). I would have been more than happy to write about it but it does not seem very important at this point. Sometime later! Anyway, I am a very lazy guy :-D

Launching Exchange 2007 setup in GUI mode does not require you to run the AD preparation manually; it runs /PrepareAD itself and then continues with the rest of the installation. In short, if you are installing Exchange Server 2007 in a fresh AD forest you really don’t need to bother about anything: just double-click setup.exe on the installation medium. The very first Exchange Server 2007 screen appears. Once through the first three steps (introduction, EULA and error reporting) you are prompted to select the installation type you want.

The Typical installation type installs the Hub Transport, Client Access and Mailbox roles (plus the management tools) on one box; the Unified Messaging and Edge Transport roles are not part of it. The Custom installation option is the one to choose for an advanced Exchange deployment. As the figure below shows, it also provides options to install clustered mailbox servers, but a clustered mailbox server cannot have any other role installed on it: setup grays out the other server roles as soon as either of the clustered mailbox options is selected.

You may recall that Exchange Server 2003 setup asked for the organization name as well, but during the binary installation phase; until then it created a child container for the organization under CN=Microsoft Exchange in the configuration partition without a human-readable name. Exchange 2007 setup changes this too: it prompts you for the organization name before it starts the AD preparation. If you already have an Exchange Server 2003 organization in your AD forest, setup never asks for the organization name and you will never see that screen.

The next screen asks you to tell Exchange whether you run legacy Outlook clients in your organization. Select the option accordingly. Selecting it incorrectly stops legacy Outlook clients from displaying other users’ free/busy data, because Outlook 2003 and earlier query the Schedule+ Free/Busy public folder to populate free/busy information, and a fresh Exchange Server 2007 installation without a public folder database has nowhere to publish it. Exchange Server 2007 itself no longer depends on public folders for this: the data is read from the individual mailboxes. The catch is how another user could see a mailbox owner’s calendar without being delegated permission on it. That task is handled by a new service in Exchange Server 2007, the Availability service, which logs on to the mailbox in question, fetches the free/busy information and passes it to the requester. So if you still have Outlook 2003 clients, enable support for them while installing Exchange. For more information on the Availability service see http://technet.microsoft.com/en-us/library/bb232134.aspx, which describes its functionality.

In the next post I will cover the rest of the setup stages and their details. I have gathered some more data by running more tools while Exchange Server 2007 setup is running on a Windows Server 2003 based computer, so I will try to share all of that in the next post as well.

Exchange Server 2007 Setup – 1


The simplest Exchange organization with every role deployed on a separate physical server looks like the diagram above, which specifically shows the placement of the ET role. To be precise, this role does not interact with Active Directory at all; it talks directly to the HT server role in your Exchange organization (and keeps its own copy of recipient and configuration data in ADAM, pushed to it by EdgeSync). Another drastic change in the architecture is that the Client Access Server (CAS) role, which replaces the Exchange front-end concept, no longer sits in the DMZ; it is installed inside the enterprise network. That eliminates the need to open the ports used by Active Directory services on any of the firewalls, which is what the “reduced attack surface” talk means here: the fewer ports open on the firewall, the smaller the chance of attack. If the above is the network diagram of your Exchange organization, all you need on your firewalls is a few well-known ports: SMTP and HTTPS on the internet-facing device, and a few ports for services like HTTP/HTTPS, SMTP, EdgeSync (LDAPS on 50636), DNS, etc. on your internal firewall.

In the recent post I already described what each server role does in the Exchange organization. The next step is to understand the installation. Rather than just saying “installation”, I will divide it into different stages. A few prerequisites need to be installed on the server where you will install Exchange server roles, and some of these software prerequisites are role dependent. So, if I want to install the Exchange Server roles on separate servers, I classify the pre-installation considerations as below:

  1. Requirements on Active Directory servers and DNS servers.
  2. Hardware.
  3. Operating system.
  4. Software.
  5. Permission required for deployment.

Requirements of Active Directory servers and DNS servers:

  • Must have at least one global catalog server in each Active Directory site where Exchange server roles will be installed.
  • For optimal performance of GC-related queries (from Exchange and from Outlook clients), maintain the standard 4:1 ratio of Exchange processor cores to global catalog processor cores: for every four cores in the Exchange servers of a site, one core in a 32-bit global catalog server (8:1 for 64-bit global catalogs). This ratio matters in large environments, say 20,000 mailboxes and above.
  • The schema master must be running Windows Server 2003 SP1 or later.
  • The domain functional level must be Windows 2000 Server native or higher. This also applies to every domain that hosts Exchange recipients.
  • If you already have an Exchange Server 2003 organization in your AD forest, it must be running in native mode.
  • Domain Name System (DNS) must be configured correctly in your Active Directory forest.
  • During the early steps of installation, Exchange setup contacts the schema master, so it must be reachable from the computer where you run forest and domain preparation.
  • Use x64 Active Directory servers where possible. A 64-bit domain controller can cache far more of the directory database in memory than a 32-bit one, whose cache is constrained by the 32-bit address space.

Hardware:

Choosing the right hardware is always trouble; it is dictated by company policy, budget and other hell, and there is a twist in the setup architecture this time, though a good one, since it is more powerful than 32-bit: the x64 architecture is now strictly required for both hardware and operating system. Exchange Server 2007 is also available in a 32-bit version from the Microsoft website, but that build is not supported in production; it is for your labs and evaluation. Below are the minimum recommendations for choosing the right hardware for your servers.

  • x64 architecture based processor supporting Intel EM64T or AMD64 (Itanium IA64 is not supported).
  • 2 GB of RAM minimum. Add memory per mailbox on top of that: a rule of thumb quoted by experts is 2 GB plus 10 MB per mailbox, while Microsoft’s own Mailbox server guidance is 2 GB plus 2 to 5 MB per mailbox depending on user profile.
  • At least 1.2 GB of free disk space on the partition where the Exchange binaries will be installed (Microsoft’s documented minimum; 2.5 GB leaves comfortable headroom), plus a little free space on the system drive.
  • Separate disk partitions for:
    • the system partition,
    • the partition that stores the Exchange binaries,
    • partitions holding storage group files, including transaction log files,
    • partitions holding database files,
    • partitions holding other Exchange files.
    This separation is good from a performance perspective.

Operating System:

Not much to say on this topic! For production it must be the x64 edition: Windows Server 2003 x64 with Service Pack 1 (SP1) or Windows Server 2003 R2 x64, Standard or Enterprise edition. The 32-bit evaluation build runs on the 32-bit Windows Server 2003 SP1 / R2 Standard or Enterprise editions. (Exchange Server 2007 SP1 additionally supports Windows Server 2008.)

Software:

As stated earlier in this post, there are server-role-specific requirements as well as requirements common to all roles. To install any Exchange server role on a Windows Server 2003 server you need at least the following software. (The list differs on Windows Server 2008, which only Exchange Server 2007 SP1 supports: the .NET Framework and MMC 3.0 are built in, and Windows PowerShell is an installable feature of the operating system.)

  • Microsoft .NET Framework 2.0
  • Microsoft .NET Framework hotfix 926776
  • Windows PowerShell™ 1.0
  • Microsoft Management Console (MMC) 3.0
  • For 64-bit systems, hotfix 918980

Minimum software requirements per server role are as follows (every Exchange server needs all of the common components above; below are the role-specific ones):

Mailbox Server Role

  1. Network COM+ Access
  2. IIS
  3. WWW Service.

CAS Server Role

  1. WWW Service.
  2. RPC over HTTP Proxy Windows networking component (for Outlook Anywhere).
  3. ASP.NET 2.0

UM Server Role

  1. Microsoft Speech service (setup installs it automatically if it is not already present).
  2. Windows Media Encoder.
  3. MSXML 6.0

HT Server Role

    All of the required common components; in addition, the SMTP and NNTP services must not be installed on a server running this role, as Exchange 2007 brings its own SMTP transport stack.

Edge Transport Server Role

  1. Active Directory Application Mode (ADAM)
  2. Edge Transport servers must have a Domain Name System (DNS) suffix configured, and you must be able to perform name resolution from an Edge Transport server to any Hub Transport servers.
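The two Edge prerequisites above are the ones that most often bite at EdgeSync time, so here is an added example (not from the original post) that checks them from the box itself: that a primary DNS suffix is set, and that each Hub Transport server resolves and answers on the ports the two roles use between them. Port 25 is SMTP in both directions; port 50636 is the EdgeSync LDAPS channel that the Hub opens towards the Edge, so that one is tested from a Hub. Host names are placeholders; PowerShell 2.0 or later is assumed.

```powershell
# Added example, not part of the original post: pre-EdgeSync checks for
# DNS suffix, name resolution and TCP reachability between Edge and Hub.

function Test-TcpPort {
    # $true if a TCP connection to $HostName:$Port succeeds within $TimeoutMs.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # timed out
        $client.EndConnect($async)                                                      # throws if refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-EdgePrerequisites {
    param([string[]]$Peers, [int[]]$Ports = @(25))

    # The primary DNS suffix lives in the Tcpip parameters; Edge setup fails without one.
    $suffix = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters").Domain
    if (-not $suffix) { Write-Warning "No primary DNS suffix is set on this computer." }
    else { "DNS suffix: $suffix" }

    foreach ($peer in $Peers) {
        try   { $addresses = [System.Net.Dns]::GetHostAddresses($peer) | ForEach-Object { $_.IPAddressToString } }
        catch { "$peer : name resolution FAILED"; continue }
        "$peer resolves to $($addresses -join ', ')"
        foreach ($port in $Ports) {
            $ok = Test-TcpPort $peer $port
            "  tcp/$port : " + $(if ($ok) { "open" } else { "blocked or not listening" })
        }
    }
}

# On the Edge: SMTP towards each Hub (placeholder names).
Test-EdgePrerequisites -Peers "hub01.corp.example", "hub02.corp.example" -Ports 25
# On a Hub: SMTP and the EdgeSync LDAPS port towards the Edge.
# Test-EdgePrerequisites -Peers "edge01.example" -Ports 25, 50636
```

If 50636 fails from the Hub while 25 works, the internal firewall is the usual culprit, not ADAM.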

Permissions:

The user account that you use to install Exchange Server 2007 must meet certain permission requirements. Make sure that you are logged on by using an account that has the following group memberships:

  1. If you’re installing the first server in the forest and you haven’t run /PrepareSchema, Schema Admins and Enterprise Admins group memberships are required.
  2. If you’re installing the first server in the forest and have run /PrepareSchema but not /PrepareAD, Enterprise Admins group membership is required.
  3. If /PrepareSchema and /PrepareAD have both been run, membership in the local Administrators group on the server is required as well as the Exchange Organization Administrator role.

Exchange Server 2007 Setup

Contd…

In the recent post on my blog I tried to explain very basic troubleshooting guidelines for Exchange Server 2003 setup. Exchange Server 2007 still integrates with AD and, of course, with WMI too, but it is no longer tightly integrated with WMI the way Exchange 2003 was. To understand setup and its troubleshooting, we first need to understand the changes in Exchange Server 2007 setup functionality. This time I will focus on the changes in the setup options as well as the setup architecture.

Can you imagine a setup program intelligent enough to check all prerequisites before it installs the application? Exchange Server 2007 does exactly that. Before it starts extending the Active Directory schema, setting up permissions and finally laying down the binaries on the box, it checks for all prerequisites in the setup environment. Microsoft’s official website describes the prerequisites for Exchange Server 2007. It is also interesting that Microsoft switched from C-based components to its own .NET Framework this time. What I know about this switch is that 80% of the Exchange Server code is written in managed code and the remaining 20% is still unmanaged. Let’s not fall into the managed-versus-unmanaged debate unless you really understand the .NET Framework or a similar framework; Brad Abrams explains it better! Still curious about the .NET Framework and managed code? Read it sometime when you have enough time and a fresh mind. It’s interesting.

Let’s come back to our world. Before talking about Exchange Server 2007 at all, we need to understand that it is no longer a single-server operation. You can deploy what used to be a single Exchange server across multiple boxes in the form of different roles, yet all of them are manageable from a single server. Great, isn’t it? So what are these roles and what does each do? Let me clarify one thing first: the word ROLE does not mean separate hardware. You can still have multiple roles on the same hardware, though some combinations are not allowed; for example, you cannot install the Edge Transport role on a server acting as a Mailbox server. The roles are as follows:

Mailbox Server (MBX)– Backend server that hosts the mailbox store.

Client Access Server (CAS)– Middle tier server that hosts the client protocols.

Unified Messaging Server (UM) – Middle tier server that connects the Private Branch eXchange (PBX) system to Exchange.

Hub Transport Server (HT)– Mail routing server role that routes mail in the Exchange Organization.

Edge Transport Server (ET) – Mail routing server that typically sits at the perimeter of the topology and routes mail into and out of the Exchange organization. It is also responsible for message hygiene features (anti-spam and connection filtering, for example).

Why would Microsoft decide to split the functionality into different roles? There are some key factors behind it.

  1. It reduces the attack surface by creating a single entry point into the messaging environment where security controls can be concentrated, and it allows message hygiene and security features that blunt spam floods and denial-of-service attempts.
  2. It offers the flexibility to install and configure the servers the way we want.
  3. It offers a simple installation method and customization of server roles to meet business requirements.

As stated earlier, there are limitations on the coexistence of these server roles on the same hardware, even though setup allows several of them to be deployed together. The table below shows which roles (rows) can be installed on the same hardware as which other roles (columns):

                      Mailbox   Client Access   Unified Messaging   Hub Transport   Edge
  Mailbox               -           Yes               Yes                Yes          No
  Client Access        Yes           -                Yes                Yes          No
  Unified Messaging    Yes          Yes                -                 Yes          No
  Hub Transport        Yes          Yes               Yes                 -           No
  Edge                 No           No                No                 No           -

If you look at the table, the first thing to note is that the Edge Transport role cannot be installed together with any other server role; setup does not even let you choose it alongside others. This server belongs outside the corporate network, behind the internet-facing firewall in the perimeter network, and cannot be a member of your AD forest. In short, it is a totally isolated role and has to be installed outside your AD security boundary. So imagine a scenario where this server is the only point of contact between the external world and your messaging environment: are there still chances of attack? Indeed there are several, but it minimizes them by keeping attackers away from the main course. This role is entirely optional and need not be installed, yet it is recommended. To summarize: the other four roles can all be installed on the same server; the Edge Transport server role cannot.

Exchange Server Setup

I have intentionally chosen a generic name for this post. Instead of writing different posts for the same topic in different versions of Exchange Server, it is a better idea to cover them in parallel so the differences between the two versions can be compared easily, even though the so-called legacy Exchange versions have a very different architecture and setup methodology from Exchange Server 2007. Still, I will try to give the best explanation I can.

Exchange Server 2003:
Basically, the last two posts were meant to cover the general understanding of Exchange Server installation. As I stated previously, the changes in the Active Directory configuration naming context appear as in the picture below. When ForestPrep and DomainPrep have run and finished inserting the Exchange schema and permissions in AD, the Services container in the configuration partition looks like below (the container marked in red is the Exchange 2007 administrative group):


The container selected and shown in blue is the server object of the Exchange server on which the Exchange binaries are installed. This container is created when the Exchange binaries are installed on a Windows box; this part of setup still interacts with Active Directory to insert the server-specific configuration.

The next step is integration with WMI. WMI, Windows Management Instrumentation, is a vast and interesting topic in itself that every administrator should know. Let me try to write something about WMI in another post; a detailed explanation is hard to write. So, what happens to the WMI repository and structure when the Exchange binaries are installed on a Windows server?

Yes, Exchange Server setup adds its own classes to the WMI repository, and the whole thing works over the RPC and Remote Registry services on your Exchange box. However, the figure above does not apply to Exchange Server 2007 installed on Windows Server 2003. For troubleshooting it is always good to have a solid understanding of WMI; if you want to know more, read http://en.wikipedia.org/wiki/Windows_Management_Instrumentation, which explains WMI really well. Troubleshooting Exchange installation problems also means looking at the setup progress log file. After the event log, this is always a good place to see where setup is failing. By default the file sits in the root of C: and is named Exchange Server Setup Progress.log; this is the best place to start troubleshooting Exchange 2003 installations. For Exchange Server 2007 the setup logging has changed a little: setup now creates several files under the folder C:\ExchangeSetupLogs, with ExchangeSetup.log as the main one.
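ExchangeSetup.log grows to thousands of lines per run, so the useful first pass is to pull out the [ERROR] and [WARNING] entries together with the setup task that was running at the time. The script below is an added example (not from the original post) that does that for the "[timestamp] [depth] message" line format the 2007 log uses; the sample lines at the end are constructed in that shape so it runs offline, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not part of the original post: extract errors and warnings
# from C:\ExchangeSetupLogs\ExchangeSetup.log along with the task they belong to.

function Get-ExchangeSetupIssues {
    param([string[]]$Lines)
    $linePattern = '^\[(?<ts>[^\]]+)\]\s+\[(?<depth>\d+)\]\s+(?<msg>.*)$'
    $lastTask = $null
    foreach ($line in $Lines) {
        if ($line -notmatch $linePattern) { continue }     # blanks and wrapped continuation text
        $ts  = $matches["ts"]
        $msg = $matches["msg"]
        # Setup announces each task before running it; remember it to label later issues.
        if ($msg -match "^Setup will run the task '([^']+)'") { $lastTask = $matches[1]; continue }
        if ($msg -match '^\[(ERROR|WARNING)\]\s*(.*)$') {
            New-Object PSObject -Property @{
                Time     = $ts
                Severity = $matches[1]
                Task     = $lastTask
                Message  = $matches[2]
            }
        }
    }
}

# Against the real log:
# Get-ExchangeSetupIssues (Get-Content "C:\ExchangeSetupLogs\ExchangeSetup.log") | Format-Table -AutoSize

# Constructed sample lines in the log's format, so the script runs offline:
$sample = @'
[1/22/2008 10:45:31 AM] [0] **********************************************
[1/22/2008 10:45:31 AM] [0] Starting Microsoft Exchange 2007 Setup
[1/22/2008 10:45:33 AM] [1] Setup will run the task 'test-setuphealth'
[1/22/2008 10:45:33 AM] [1] Beginning processing.
[1/22/2008 10:45:45 AM] [1] [WARNING] Setup is going to prepare the organization for Exchange 2007 by using 'Setup /PrepareAD'.
[1/22/2008 10:45:45 AM] [1] [ERROR] Setup previously failed while performing the action "Install". You cannot resume setup by performing the action "BuildToBuildUpgrade".
[1/22/2008 10:45:46 AM] [1] Ending processing.
[1/22/2008 10:45:46 AM] [0] End of Setup
'@

Get-ExchangeSetupIssues ($sample -split "`r?`n") |
    Format-Table Time, Severity, Task, Message -AutoSize
```

The "previously failed" error in the sample is the one that pairs with the Watermark and Action registry values under the role key: the log tells you which action was interrupted, and only then does it make sense to touch the registry.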