Installation notes of my demo Exchange 2007 SP1 on a Win 2003 R2 SP2


* Exchange 2007 typical pre-setup steps
- Raise Domain to Native mode (in AD Domains and Trusts)
- Install DotNet framework 2.0 SP1 (Dot.NET Framework 2.0 SP1 -32b- NetFx20SP1_x86.exe)
- Install the TimeZone fix (TimeZone fix - 32b - WindowsServer2003-KB933360-x86-ENU.exe)
- Install PowerShell (for example PowerShell WindowsServer2003.WindowsXP-KB926139-v2-x64-ENU.exe for the 64 bit environment)
- Run Ex 2007 SP1 setup, Typical; Org Name: My Company; remember to choose to support Outlook 2003,
 and ignore the SMTP/Send Connector warning
- Restart


* Exchange 2007 Edge pre-setup steps
- Install DotNet framework 2.0 SP1 (Dot.NET Framework 2.0 SP1 -32b- NetFx20SP1_x86.exe)
- Install the TimeZone fix (TimeZone fix - 32b - WindowsServer2003-KB933360-x86-ENU.exe)
- install ADAM SP1 (ADAMSP1_x86_English.exe)
- enter DNS suffix for computer name (My Computer Properties) --> for example, HN-EDGE-01.mycompany.com.vn


* To register Exchange 2007 roles with Security Configuration Wizard (SCW)
CD C:\WINDOWS\security\msscw\kbs
copy "c:\program files\microsoft\exchange server\scripts\*.xml"
       (to copy Exchange2007.xml, Exchange2007Edge.xml, Exchange2007Edge_WinSrv2008.xml, Exchange2007_WinSrv2008.xml)
scwcmd register /kbname:MSExchange2007 /kbfile:exchange2007.xml
scwcmd register /kbname:Ex2007EdgeKB /kbfile:Exchange2007Edge.xml


* Start Outlook 2003


* Clicking SendReceive in Outlook --> 8004010F Exchange object not found
- Exch 2003: Exchange System Mgr, Recipients, Offline Address Lists, right click Default Offline Address List, Rebuild
- Exch 2007: Org Config/Mailbox/Offline Address Book, Update (watch the Status bar for task completion)
 Then go to Server Config/Mailbox/First Storage Group/Mailbox DB/Properties/Client Settings:
 browse to enter 'Default Offline Address List'
- Close, and reopen Outlook
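The Exchange 2007 half of the 8004010F fix, done from the Exchange Management Shell instead of the console. This is an added example, not a command from the original notes; it assumes the note's server name hn-srv-01 and the default "First Storage Group\Mailbox Database" names.

```powershell
# Added example (not from the original notes): rebuild the OAB and attach it to
# the mailbox database from the shell. Assumes hn-srv-01 and the default
# storage group / database names; adjust if the lab differs.

$oab = "Default Offline Address List"
$db  = "hn-srv-01\First Storage Group\Mailbox Database"

# Rebuild the OAB (the console's "Update" action). Generation is asynchronous;
# the cmdlet returns before the files exist, so watch LastTouchedTime below.
Update-OfflineAddressBook -Identity $oab

# Link the mailbox database to the OAB ("Client Settings" tab in the console).
Set-MailboxDatabase -Identity $db -OfflineAddressBook $oab

# Verify the assignment and which server generates the OAB.
Get-MailboxDatabase -Identity $db | Format-List Name, OfflineAddressBook
Get-OfflineAddressBook -Identity $oab | Format-List Name, Server, VirtualDirectories, LastTouchedTime
```

Outlook downloads the OAB on its next Send/Receive, so the second step of the note (close and reopen Outlook) still applies after the database is linked.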


* Create mailboxes for director1, manager1, staff1, staff2; send a welcome message


* OWA publishing:
- hn-srv-01, IIS Mgr, Default WebSite, Directory Prop, View Cert, Copy To, Export private key+Cert chain
- ISA-Server: MMC, Computer Cert, Import cert to Personal folder
- ISA-Server: Publish Exchange Web rule, Exchange 2007, SSL, internal name: www.mycompany.com.vn
- Internet: MMC, Computer Cert, Import hn-srv-01 root cert to Trusted Root folder


* IMPORTANT: OWA from Internet requires logging on 2 times -->
 Server Config/Client Access/OWA/Authentication tab: change from "Use forms-based authentication" to "Use one or more standard authentication methods", Basic
 then iisreset /noforce
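The same authentication change from the Exchange Management Shell, with a check of the result before IIS is restarted. Added example, not from the original notes; it assumes the default OWA virtual directory name on hn-srv-01.

```powershell
# Added example (not part of the original notes): switch the OWA virtual
# directory from forms-based to Basic authentication so that the ISA
# form-based logon is the only prompt, then restart IIS.
# Assumes the default virtual directory name on hn-srv-01.

$owa = "hn-srv-01\owa (Default Web Site)"

# Forms-based auth off, Basic on. Basic sends credentials base64-encoded,
# so it relies on the site requiring SSL (as the notes publish it via ISA).
Set-OwaVirtualDirectory -Identity $owa -FormsAuthentication $false -BasicAuthentication $true

# Confirm exactly one logon method is left enabled before restarting IIS.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List Name, FormsAuthentication, BasicAuthentication, WindowsAuthentication, DigestAuthentication

# Apply without dropping requests in flight
iisreset /noforce
```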


* OWA from Internet machine: Revocation information for the security certificate for this site is not available
--> Resolution 1: Uninstall the "IE Advanced Security"
--> Resolution 2: http://support.microsoft.com/kb/308087
 - Wrong Message Appears When You Visit a Secure Web Site Whose CDP Is Unavailable
IE/Tools/Options/Advanced, Security: uncheck "Check for server certificate revocation (requires restart)"


* Outlook Anywhere:
- ISA-Server: add one path to the OWA rule: /rpc/*
- hn-srv-01: Server Config/ Client Access/ right click hn-srv-01
  /Enable Outlook Anywhere (external host: www.mycompany.com.vn)
- hn-srv-01: need to wait 15min (check in app event log)
Event Source: MSExchange RPC Over HTTP Autoconfig, EventID: 3006,
The Outlook Anywhere feature has been enabled. The ValidPorts registry setting has been modified to reflect this change.
New value: HN-SRV-01:6001-6002;HN-SRV-01:6004;hn-srv-01.mycompany.com.vn:6001-6002;hn-srv-01.mycompany.com.vn:6004
- Test for all users
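Enabling Outlook Anywhere from the shell and then checking the two things the note says to wait for (the 3006 event and the ValidPorts value) without watching Event Viewer by hand. Added example, not from the original notes; it assumes hn-srv-01 and www.mycompany.com.vn as in the notes and is meant to run on the Client Access server.

```powershell
# Added example (not from the original notes): enable Outlook Anywhere and
# verify that the RPC over HTTP autoconfig component applied it.
# Assumes hn-srv-01 / www.mycompany.com.vn from the notes.

$server   = "hn-srv-01"
$external = "www.mycompany.com.vn"

# External clients use Basic over SSL; ISA terminates SSL and re-encrypts to
# the CAS, so no SSL offloading is configured on the Exchange side.
Enable-OutlookAnywhere -Server $server -ExternalHostname $external `
    -ExternalAuthenticationMethod Basic -SSLOffloading $false

# The change is applied by the autoconfig component on its next cycle
# (about 15 minutes in the notes). Poll the Application log for event 3006.
$event = $null
while ($event -eq $null) {
    $event = Get-EventLog -LogName Application -Newest 500 |
        Where-Object { $_.Source -eq "MSExchange RPC Over HTTP Autoconfig" -and $_.EventID -eq 3006 } |
        Select-Object -First 1
    if ($event -eq $null) { Start-Sleep -Seconds 60 }
}
$event | Format-List TimeGenerated, Message

# ValidPorts is the allow-list the RPC proxy enforces: 6001 is the Store,
# 6002 the DSProxy referral port and 6004 the DSProxy NSPI port. It should
# list only Exchange hosts, which is why it is worth reading back.
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy" -Name ValidPorts |
    Select-Object -ExpandProperty ValidPorts

# Show the effective Outlook Anywhere settings for the profile test that follows
Get-OutlookAnywhere -Server $server |
    Format-List ExternalHostname, ExternalAuthenticationMethod, SSLOffloading
```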


* Disable Screen Saver for all users on Client02


* Client02: Display\Themes\Browse to use the built-in Luna.theme at C:\WINDOWS\Resources\Themes, background: Azul
(need to start the Theme service first)


* Install ForeFront for Exchange SP1, run SCW


* To configure AntiSpam agent (Content Filtering) on the Hub Transport
SOURCE: Book Online: mk:@MSITStore:C:\Program%20Files\Microsoft\Exchange%20Server\bin\exchhelp.chm::/html/5683549a-4f48-429d-b353-cc2b7c784e29.htm


- close Exchange Mgmt Console
- Open "Exchange Management Shell", change to "C:\Program Files\Microsoft\Exchange Server\Scripts"
and type "install-AntispamAgents.ps1", then restart "Exchange Transport" service


- Set-OrganizationConfig -SCLJunkThreshold:9


- launch Exchange Mgmt Console


- For demo purpose: Org Config/Hub Transport/AntiSpam: turn off 'Content Filtering'
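The anti-spam steps above as one shell session, with a read-back of the registered agents and the thresholds. Added example, not the original notes' commands; it assumes the default installation path and runs in the Exchange Management Shell on the Hub Transport server.

```powershell
# Added example (not the original notes' commands): install the anti-spam
# agents, set the junk threshold from the notes, and switch the content
# filter off for the demo. Assumes the default install path.

$scripts = "C:\Program Files\Microsoft\Exchange Server\Scripts"

# Register the anti-spam agents on the Hub Transport role, then restart
# the transport service so the agents load.
& (Join-Path $scripts "install-AntispamAgents.ps1")
Restart-Service MSExchangeTransport

# Messages with SCL 9 and above go to the Junk E-mail folder.
Set-OrganizationConfig -SCLJunkThreshold 9

# For the demo the content filter is switched off; in production leave it
# enabled and tune the reject/delete/quarantine thresholds instead.
Set-ContentFilterConfig -Enabled $false

# Read back: which agents are registered and enabled, and the thresholds in force
Get-TransportAgent | Format-Table Identity, Enabled, Priority
Get-ContentFilterConfig | Format-List Enabled, SCLRejectEnabled, SCLRejectThreshold, `
    SCLDeleteEnabled, SCLDeleteThreshold, SCLQuarantineEnabled, SCLQuarantineThreshold
Get-OrganizationConfig | Format-List SCLJunkThreshold
```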


* Room Mailbox Auto Accept setting:
Set-MailboxCalendarSettings MeetingRoom2 -AutomateProcessing:AutoAccept


* To receive mails from Internet, on Exchange 2007 MMC:
. Server Config/Hub Transport/Manage Hub Transport/Receive Connectors/<Default SERVERNAME>/Props
 Permission Groups and select "Anonymous users" (Note: do not select <Client SERVERNAME> receive connector)


- Publish SMTP Server thru ISA (Publish Mail Servers command, server to server comm)


* To send mails to Internet:
. Org Config/Hub Transport/Send Connectors/Create New Send Connector
 Name: 'My SMTP Send Connector to Internet', Intended use: Internet
 Add Address Space: Address: *, 'Use DNS MX...', no need to select 'Use external DNS on Transport server'
 (whose settings can be configured in Server Config/Hub Transport/hn-srv-01/Prop/External DNS lookups)


- In ISA, 'Create Access Rule' command to allow outgoing SMTP, DNS
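The receive and send connector changes from the shell, followed by the check that matters after granting anonymous access: anonymous senders may submit mail for our domains but must not get the relay right. Added example, not from the original notes; it assumes hn-srv-01 and the default connector names.

```powershell
# Added example (not from the original notes): inbound and outbound
# connectors plus an open-relay check. Assumes hn-srv-01 and the default
# "Default hn-srv-01" / "Client hn-srv-01" connector names.

$hub     = "hn-srv-01"
$default = "$hub\Default $hub"

# Let Internet MTAs (published through ISA) deliver to the Default connector.
# The "Client" connector (port 587) stays for authenticated users only.
Set-ReceiveConnector -Identity $default `
    -PermissionGroups "ExchangeUsers,ExchangeServers,ExchangeLegacyServers,AnonymousUsers"

# Outbound: route by MX lookup using the transport server's own DNS settings
New-SendConnector -Name "My SMTP Send Connector to Internet" -Usage Internet `
    -AddressSpaces "SMTP:*;1" -DNSRoutingEnabled $true `
    -UseExternalDNSServersEnabled $false -SourceTransportServers $hub

# Relay check. The AnonymousUsers permission group grants Submit and
# Accept-Any-Sender but not ms-Exch-SMTP-Accept-Any-Recipient; if that
# right ever appears for ANONYMOUS LOGON, the connector is an open relay.
$anon   = Get-ADPermission -Identity $default -User "NT AUTHORITY\ANONYMOUS LOGON"
$rights = $anon | ForEach-Object { $_.ExtendedRights } | ForEach-Object { $_.ToString() }
$rights | Sort-Object -Unique
if ($rights -contains "ms-Exch-SMTP-Accept-Any-Recipient") {
    Write-Warning "Anonymous relay right present on $default"
} else {
    Write-Output "No anonymous relay right on $default"
}
```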


* To allow OWA users to open File Shares:
. Server Config/Client Access/owa/Prop/Remote File Servers/Allow: enter 'hn-srv-01'


* /AccountingWeb/*, /hrWeb/*, /ResetPwdWeb/* --> in HN-SRV-01/IIS Mgr, folder prop, DirSec, Auth: change to Basic
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)


. Enroll RMS
. Activate RMS (MS Word, Restricted Permission As...) for all users in HN-SRV-01 & CLIENT02
. Create test RMS-protected doc on \\hn-srv-01\shared\reports


- Copy sample virus files to all machines
- ForeFront set to 2 engines (Kaspersky & Sophos) for (Transport/Realtime/Manual scan)
- create ISA rule for EAS
- Ex 2007 console: modify device policy to enforce device password
- server config/client access/EAS: add hn-srv-01 to Allow List
- create shared doc for accessing from within OWA and Windows Mobile
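The OWA file-share allow list (from the "To allow OWA users to open File Shares" step) together with the Exchange ActiveSync device policy and EAS allow list from the list above, all from the shell. Added example, not from the original notes; it assumes hn-srv-01, the default virtual directory names, a policy name and mailbox chosen for the demo, and demo values for the password settings.

```powershell
# Added example (not from the original notes): remote-document allow lists for
# OWA and EAS, and a device password policy. Assumes hn-srv-01 and the default
# virtual directory names; the policy name, the user and the numbers are demo
# values.

$owa = "hn-srv-01\owa (Default Web Site)"
$eas = "hn-srv-01\Microsoft-Server-ActiveSync (Default Web Site)"

# Only hn-srv-01 may be reached through the OWA/EAS "Documents" feature.
# Servers not on the list are blocked rather than allowed by default, so the
# allow list is the whole of what clients can reach.
Set-OwaVirtualDirectory -Identity $owa -RemoteDocumentsAllowedServers "hn-srv-01" `
    -RemoteDocumentsActionForUnknownServers Block
Set-ActiveSyncVirtualDirectory -Identity $eas -RemoteDocumentsAllowedServers "hn-srv-01" `
    -RemoteDocumentsActionForUnknownServers Block

# Device policy: require a password, wipe after repeated failures, lock after
# inactivity. Exchange 2007 ships no policy, so one is created and assigned.
New-ActiveSyncMailboxPolicy -Name "Demo Device Policy" -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock "00:15:00"
Set-CASMailbox -Identity "staff1" -ActiveSyncMailboxPolicy "Demo Device Policy"

# Read back what the device will be asked to enforce
Get-ActiveSyncMailboxPolicy -Identity "Demo Device Policy" |
    Format-List DevicePasswordEnabled, MinDevicePasswordLength, MaxDevicePasswordFailedAttempts, MaxInactivityTimeDeviceLock
```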


************************ OTHER INFO *************************************


* Group Policy not processed at Client01: Source: Userenv Event ID: 1053,
 test using netdiag and dcdiag, then restart hn-srv-01


* Error Code: 404 Not Found. The requested item could not be located. (12028)
--> Resolution: run SCW on hn-srv-01 again



* Security Configuration Wizard (SCW) Update for Internet Security and Acceleration (ISA) Server 2006 Standard Edition and Enterprise Edition
http://www.microsoft.com/downloads/details.aspx?familyid=2748A927-BD3C-4D87-80FA-8687D5E2AB35&displaylang=en


************** RPC/HTTP EXCHANGE 2003 +DC CO-LOCATED SETUP BEGIN ****************
* hn-srv-01, Exch System Mgr, RPC/HTTP tab, back end server, OK, OK, do not reboot
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"Enabled"=dword:00000001
"ValidPorts"="hn-srv-01:6001-6002;hn-srv-01.mycompany.com.vn:6001-6002;hn-srv-01:6004;hn-srv-01.mycompany.com.vn:6004;"


* configure RPC folder in IIS, basic auth, SSL required
* ISA-Server: create RPC path in OWA publishing rule
* Outlook RPC/HTTP on client (on public Internet) will virtually work immediately.
* Restart hn-srv-01 to make sure the changes are in effect


* user staff1 initially cannot be used with RPC/HTTP. Reason: Outlook Profile/Connection Tab/Use HTTP... check box is not selected.
 Resolution: Delete Windows profile for staff1
************** RPC/HTTP EXCHANGE 2003 +DC CO-LOCATED SETUP END **************


* publish hrweb, accountingweb, pwdresetweb: Basic auth, require SSL in IIS, Form Based auth in ISA
Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)
--> Resolution: rule prop, To tab, This rule applies to this published site: enter 'www.mycompany.com.vn', Path tab, change from "/hrWeb" to "/hrWeb/*"


* disable: System Event Notification (sens) on hn-srv-01


* Edge Subscription
- IP: 203.162.1.201, DNS: 203.162.1.1
- ISA 2006 Std between Hub and Edge servers
- In the Edge server: configure FQDN name;
- Install the pre-requisites, then Ex 2007 Edge role
- CD C:\WINDOWS\security\msscw\kbs; copy "c:\program files\microsoft\exchange server\scripts\*.xml"; scwcmd register /kbname:Ex2007EdgeKB /kbfile:Exchange2007Edge.xml; Run Security Configuration Wizard
- Create a record in HOSTS file, pointing to the external NIC of ISA server: 203.162.1.200 hn-srv-01.mycompany.com.vn
- In HN-SRV-01, DNS, create a record for Edge: 203.162.1.201 hn-edge-01.mycompany.com.vn
- In ISA: allow outgoing DNS/SMTP and a custom protocol 50636 (Edge Sync) TCP only from Internal to External;
- From Hub, telnet hn-edge-01.mycompany.com.vn 25;
- From Hub, telnet hn-edge-01.mycompany.com.vn 50636;
- In ISA: publish SMTP server of the Hub
- From Edge: telnet hn-srv-01.mycompany.com.vn 25
- In Edge, Exchange Shell: New-EdgeSubscription -FileName c:\edgesub.xml
- In Hub, New Edge Subscription
- No need to modify the Hub, including Anonymous user support in Default Receive connector, and Smart Host (--) in the "Edge Sync - Inbound to Default-First-Site-Name"
- From ISP, email to user@mycompany.com.vn, in Edge Queue Viewer, error: 500 5.5.1 Unrecognized command. Solution: disable SMTP filter (Configuration/Add-in) in ISA. More info: Message Queue on an Edge Transport Server with 500 5.1.1 Unrecognized Command Error, and How to Add SMTP Verb Commands to ISA Server 2006
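The connectivity checks the notes do with telnet, written so they can be scripted, followed by the subscription steps on each side and a synchronization test. Added example, not from the original notes; it assumes the host names, site name and file path from the notes. PowerShell 1.0 (the version installed for Exchange 2007) has no try/catch, so the port check uses BeginConnect with a timeout instead of catching a connection error.

```powershell
# Added example (not from the original notes): Hub <-> Edge port checks and
# the Edge subscription from the shell. Assumes hn-srv-01, hn-edge-01,
# Default-First-Site-Name and C:\edgesub.xml from the notes.

# Returns $true when a TCP connection to $target:$port completes within
# $timeoutMs. A refused or filtered port gives $false without an exception.
function Test-TcpPort($target, $port, $timeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($target, $port, $null, $null)
    $done   = $async.AsyncWaitHandle.WaitOne($timeoutMs, $false)
    $ok     = $done -and $client.Connected
    $client.Close()
    return $ok
}

$role = "Hub"   # set to "Edge" when running on hn-edge-01

if ($role -eq "Edge") {
    # Edge side: SMTP back to the Hub through the ISA publishing rule
    if (Test-TcpPort "hn-srv-01.mycompany.com.vn" 25 3000) { "edge -> hub tcp/25: open" } else { "edge -> hub tcp/25: BLOCKED" }

    # Export the subscription. The file carries the bootstrap credential
    # for the EdgeSync replication account and expires, so copy it to the
    # Hub out of band and delete both copies after the import.
    New-EdgeSubscription -FileName "C:\edgesub.xml"
}
else {
    # Hub side: SMTP and EdgeSync (secure LDAP on 50636) toward the Edge
    foreach ($port in 25, 50636) {
        if (Test-TcpPort "hn-edge-01.mycompany.com.vn" $port 3000) { $state = "open" } else { $state = "BLOCKED" }
        Write-Output ("hub -> edge tcp/{0}: {1}" -f $port, $state)
    }

    # Import the file for the site and let EdgeSync create the Internet and
    # inbound send connectors (the notes' "Edge Sync - Inbound ..." connector).
    New-EdgeSubscription -FileName "C:\edgesub.xml" -Site "Default-First-Site-Name" `
        -CreateInternetSendConnector $true -CreateInboundSendConnector $true

    # Check the subscription, then force and verify a synchronization pass
    Get-EdgeSubscription | Format-List Name, Site, Domain
    Start-EdgeSynchronization
    Test-EdgeSynchronization | Format-List SyncStatus, UtcNow, LastSynchronizedUtc, Name
}
```

If the 50636 check reports BLOCKED while 25 is open, the ISA custom protocol for EdgeSync is the first thing to revisit; the subscription import on the Hub will succeed anyway, but Test-EdgeSynchronization will then show the Edge as not synchronized.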


* ForeFront Protection 2010 for Exchange
- Prerequisites: MSXML 6.0, dotnet framework 3.0, dotnet framework 3.0 SP1

- Sample EICAR virus string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
- Sample Gtube string for spam email testing (from http://spamassassin.apache.org/gtube/)
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
