Exchange Server 2007 Setup

Contd…

In a recent post on my blog I tried to explain some very basic troubleshooting guidelines for Exchange Server 2003 setup. Exchange Server 2007 still integrates with AD and, of course, with WMI as well, but it is no longer as tightly integrated with WMI as Exchange 2003 was. To understand the setup and its troubleshooting, we first need to understand the changes in the setup functionality of Exchange Server 2007. This time I will focus on the changes in the setup options as well as the setup architecture of Exchange Server 2007.

Can you imagine a very intelligent setup program which checks for all prerequisites before it installs the entire application? Yes, Exchange Server 2007 does exactly that. Before it starts extending the Active Directory schema, setting up permissions and finally laying down the binary files on the box, it checks for all prerequisites in the setup environment. Microsoft’s official website describes the prerequisites of Exchange Server 2007. It is really amazing to know that Microsoft switched over from C based components to its own .NET Framework this time. What I know about this switch is that 80% of the Exchange Server code is written in managed code and the remaining 20% is still unmanaged. Let’s not get into the trouble of managed versus unmanaged code if you don’t really understand the .NET Framework or any other framework. Brad Abrams explains it better! Are you still puzzled by the .NET Framework and its code? Read it sometime when you have enough time and a fresh mood. It’s interesting.

Let’s come back to our world one more time. Before talking about anything else in Exchange Server 2007, we need to understand that it is no longer a single-server operation. You can actually choose to deploy your single Exchange Server on multiple boxes in the form of different roles, yet they are all manageable from a single Server. Great! Isn’t it? So what are these roles and what does each of them do? Let me clarify one thing first of all. The word ROLE does not mean separate hardware. You can still have multiple roles installed on the same hardware, though there are some combinations which need to be considered. For example, you cannot install the Edge Transport role on a Server acting as a Mailbox Server. These roles are as follows:

Mailbox Server (MBX) – Backend server that hosts the mailbox store.

Client Access Server (CAS) – Middle tier server that hosts the client protocols.

Unified Messaging Server (UM) – Middle tier server that connects the Private Branch eXchange (PBX) system to Exchange.

Hub Transport Server (HT) – Mail routing server role that routes mail within the Exchange Organization.

Edge Transport Server (ET) – Mail routing server that typically sits at the perimeter of the topology and routes mail in and out of the Exchange Organization. This guy is also responsible for features like message hygiene.

Why would Microsoft decide to split the functionality into different roles? There are some key factors associated with it.

  1. Reduces the attack surface by creating a single point of entry into the messaging environment where all the security can be implemented. It also allows implementing message hygiene and security features to avoid DDoS attacks.
  2. Offers the flexibility to install and configure the servers the way we want.
  3. Offers a simple installation method and customization of Server roles to meet business requirements.

As I stated earlier in this post, there are some limitations on the coexistence of these Server roles on the same hardware, even though setup allows us to deploy them on the same hardware. The table below describes which combinations can be installed on the same hardware.

| Role | Mailbox | Client Access | Unified Messaging | Hub Transport | Edge |
|---|---|---|---|---|---|
| Mailbox | – | Yes | Yes | Yes | No |
| Client Access | Yes | – | Yes | Yes | No |
| Unified Messaging | Yes | Yes | – | Yes | No |
| Hub Transport | Yes | Yes | Yes | – | No |
| Edge | No | No | No | No | – |

If you look at the above table carefully, the very first thing you will note is that the Edge Transport role cannot be installed with any other Server role. Setup does not even let you choose this option if you wish to install it on the same Server. This guy has to be outside the corporate network, behind the internet-facing firewall of your network infrastructure, and also cannot be a part of your AD forest. In short, this is a totally isolated role and has to be installed entirely outside your AD security boundary. So imagine a scenario where this Server is the only point of contact between your messaging environment and the external world: do you see any chances of attacks? Indeed there are several, but it minimizes those chances by keeping the attackers away from the main course. This role is totally optional and does not necessarily need to be installed, yet it is recommended. To summarize, all four roles can be installed on the same Server except the Edge Transport Server role.