3. Exchange Server and Windows
When you install Exchange
Server and Forefront Protection for Exchange Server on a server
operating system, Exchange Server and Forefront Protection make
extensive modifications to the environment. These modifications include
new system services, integrated authentication, and new security groups.
3.1. Services for Exchange Server
When you install
Exchange Server and Forefront Protection for Exchange Server on Windows,
multiple services are installed and configured on the server. Table 1 provides a summary of key services, how they are used, and which server components they are associated with.
Table 1. Summary of Key Services Used by Exchange Server 2010
|SERVICE NAME||DESCRIPTION||SERVER ROLE|
the server to administer the IIS metabase. The IIS metabase stores
configuration information for Web applications used by Exchange. All
roles need IIS for WinRM and remote Powershell. CAS needs IIS for OWA
and Web services||Client Access|
|Microsoft Exchange Active Directory Topology||Provides
Active Directory topology information to Exchange services. If this
service is stopped, most Exchange services will not be able to start.||Hub Transport, Mailbox, Client Access, Unified Messaging|
|Microsoft Exchange Address Book||Manages client address book connections for Exchange Server.||Client Access|
|Microsoft Exchange Anti-Spam Update||Maintains the antispam data for Forefront Protection on an Exchange server.||Hub Transport, Edge Transport|
|Microsoft Exchange EdgeSync||Provides EdgeSync services between Hub and Edge servers.||Hub Transport|
|Microsoft Exchange File Distribution||Distributes Exchange data to other Exchange servers.||All|
|Microsoft Exchange Forms Based Authentication||Provides form-based authentication for Outlook Web App and the Web management interface.||Client Access|
|Microsoft Exchange IMAP4||Provides IMAP4 services to clients.||Client Access|
|Microsoft Exchange Information Store||Manages the Microsoft Exchange Information Store. This includes mailbox stores and public folder stores.||Mailbox|
|Microsoft Exchange Mail Submission||Submits messages from the Mailbox server to the Hub Transport servers.||Mailbox|
|Microsoft Exchange Mailbox Assistants||Manages assistants that are responsible for calendar updates and booking resources.||Mailbox|
|Microsoft Exchange Mailbox Replication||Enables online mailbox moves by processing mailbox move requests.||Client Access|
|Microsoft Exchange Monitoring||Provides support for monitoring and diagnostics.||All|
|Microsoft Exchange POP3||Provides Post Office Protocol version 3 (POP3) services to clients.||Client Access|
|Microsoft Exchange Protected Service Host||Provides secure host for Exchange Server services.||All|
|Microsoft Exchange Replication Service||Provides replication functionality used for continuous replication.||Mailbox|
|Microsoft Exchange RPC Client Access||Manages client remote procedure call (RPC) connections for Exchange Server.||Client Access|
|Microsoft Exchange Search Indexer||Controls indexing of mailboxes to improve search performance.||Mailbox|
|Microsoft Exchange Server Extension for Windows Server Backup||Provides extensions for Windows Server Backup that allow you to backup and recover Exchange application data using Windows Server Backup.||All|
|Microsoft Exchange Service Host||Provides a host for essential Exchange services.||All|
|Microsoft Exchange Speech Engine||Provides speech processing services for Microsoft Exchange. If this service is stopped, speech recognition services will not be available to unified messaging clients.||Unified Messaging|
|Microsoft Exchange System Attendant||Provides monitoring, maintenance, and Active Directory lookup services.||Mailbox|
|Microsoft Exchange Throttling||Provides throttling functions to limit the rate of user operations.||Mailbox|
|Microsoft Exchange Transport||Provides mail transport for Exchange Server.||Hub Transport, Edge Transport|
|Microsoft Exchange Transport Log Search||Provides search capability for Exchange transport log files.||Hub Transport, Mailbox|
|Microsoft Exchange Unified Messaging||Enables
voice and fax messages to be stored in Exchange and gives users
telephone access to e-mail, voice mail, the calendar, contacts, or an
automated attendant.||Unified Messaging|
|Microsoft Forefront Server Protection ADO/EWS Navigator||Navigates the objects in Active Directory for Forefront Protection by connecting with Exchange Web Services (EWS) or Exchange ActiveX Data Objects (ADO) to retrieve objects.||Forefront Protection|
|Microsoft Forefront Server Protection Controller||Controls
the interaction between Forefront Protection and the Microsoft Exchange
Information Store. Ensures that Forefront Protection initializes
properly with the information store. The Microsoft Forefront Server
Security Controller starts and stops scan jobs and applies engine
|Microsoft Forefront Server Security Eventing Service||Processes incidents, and manages quarantine logging, performance logging, and notifications.||Forefront Protection|
|Microsoft Forefront Server Security for Exchange Registration Service||Ensures the Forefront Transport Agent is registered with Exchange Server.||Forefront Protection|
|Microsoft Forefront Server Security Mail Pickup||Provides mail pickup services for Forefront Protection.||Forefront Protection|
|Microsoft Forefront Server Security Monitor||Monitors
the information store, SMTP/IMS, and Forefront Protection processes to
ensure that Forefront Protection provides continuous protection.||Forefront Protection|
|Microsoft Search (Exchange)||Provides search services for mailboxes, address lists, and so on.||Hub Transport, Mailbox|
|Secure Socket Tunneling Protocol Service||Provides support for Secure Socket Tunneling Protocol (SSTP) for securely connecting to remote computers.||Client Access|
|Web Management Service||Enables remote and delegated management for the Web server, sites, and applications.||Client Access|
|Windows Remote Management Service||Implements the WS-Management protocol. Required for remote management using the Exchange console and Windows PowerShell.||All|
|World Wide Web Publishing Services||Provides Web connectivity and administration features for IIS.||Client Access|
3.2. Exchange Server Authentication and Security
In Exchange Server 2010,
e-mail addresses, distribution groups, and other directory resources are
stored in the directory database provided by Active Directory. Active
Directory is a directory service running on Windows domain controllers.
When there are multiple domain controllers, the controllers
automatically replicate directory data with each other using a
multimaster replication model. This model allows any domain controller
to process directory changes and then replicate those changes to other
The first time you install Exchange Server 2010 in a Windows domain, the installation process updates and extends Active Directory to include objects and attributes used by Exchange Server 2010. Unlike Exchange Server 2003 and earlier releases of Exchange, this process does not include updates for the Active
Directory Users And Computers Snap-In for Microsoft Management Console
(MMC), and you do not use Active Directory Users And Computers to manage
mailboxes, messaging features, messaging options, or e-mail addresses
associated with user accounts. You perform these tasks using the
Exchange Management tools.
Exchange Server 2010 fully
supports the Windows Server security model and relies on this security
mechanism to control access to directory resources. This means you can
control access to mailboxes and membership in distribution groups and
you can perform other Exchange security administration tasks through the
standard Windows Server permission set. For example, to add a user to a
distribution group, you simply make the user a member of the
distribution group in Active Directory Users And Computers.
Because Exchange Server uses Windows Server security, you can't create a mailbox without first creating
a user account that will use the mailbox. Every Exchange mailbox must
be associated with a domain account—even those used by Exchange for
general messaging tasks. For example, the SMTP and System Attendant
mailboxes that Exchange Server uses are associated by default with the
built-in System user. In the Exchange Management Console, you can create
a new user account as part of the process of creating a new mailbox.
To support coexistence
with Exchange Server 2003, all Exchange Server 2010 servers are
automatically added to a single administrative group when you install
Exchange Server 2010. This administrative group is recognized in the
Exchange System Manager in Exchange Server 2003 as "Exchange
Administrative Group." Although Exchange Server 2003 uses administrative
groups to gather Exchange objects for the purposes of delegating
permission to manage those objects, Exchange Server 2007 and Exchange
Server 2010 do not use administrative
groups. Instead, you manage Exchange servers according to their roles
and the type of information you want to manage using the Exchange
3.3. Exchange Server Security Groups
Like Exchange Server 2007, Exchange Server 2010 uses predefined universal security groups to separate administration of Exchange permissions
from administration of other permissions. When you add an administrator
to one of these security groups, the administrator inherits the
permissions permitted by that role.
The predefined security groups have permissions to manage the following types of Exchange data in Active Directory:
Organization Configuration node
This type of data is not associated with a specific server and is used
to manage databases, policies, address lists, and other types of
organizational configuration details.
Server Configuration node This type of data is associated with a specific server and is used to manage the server's messaging configuration.
Recipient Configuration node This type of data is associated with mailboxes, mail-enabled contacts, and distribution groups.
Server 2010, databases have been moved from the Server Configuration
node to the Organization Configuration node. This change was necessary
because the Exchange schema was flattened and storage groups were
removed. As a result of these changes, all storage group functionality
has been moved to the database level.
The predefined groups are as follows:
Delegated Setup Members of this group have permission to install and uninstall Exchange on provisioned servers.
Discovery Management Members of this group can perform mailbox searches for data that meets specific criteria.
Exchange All Hosted Organizations
Members of this group include hosted organization mailbox groups. This
group is used to apply Password Setting objects to all hosted mailboxes.
Exchange Servers Members of this group are Exchange servers in the organization. This group allows Exchange servers to work together.
Exchange Trusted Subsystem
Members of this group are Exchange servers that run Exchange cmdlets
using WinRM. Members of this group have permission to read and modify
all Exchange configuration settings as well as user accounts and groups.
Exchange Windows Permissions
Members of this group are Exchange servers that run Exchange cmdlets
using WinRM. Members of this group have permission to read and modify
user accounts and groups.
ExchangeLegacyInterop Members of this group are granted send-to and receive-from permissions,
which are necessary for routing group connections between Exchange
Server 2010 and Exchange Server 2003. Exchange Server 2003 bridgehead
servers must be made members of this group to allow proper mail flow in
Members of this group can view any property or object within the
Exchange organization and have limited management permissions, including
the right to change and reset passwords.
Hygiene Management Members of this group can manage the antispam and antivirus features of Exchange.
Organization Management Members of this group have full access to all Exchange properties and objects in the Exchange organization.
Public Folder Management Members of this group can manage public folders and perform most public folder management operations.
Recipient Management Members of this group have permissions to modify Exchange user attributes in Active Directory and perform most mailbox operations.
Members of this group can manage compliance features, including
retention policies, message classifications, and transport rules.
Members of this group can manage all Exchange servers in the
organization but do not have permission to perform global operations.
Members of this group can manage all aspects of unified messaging,
including unified messaging server configuration and unified messaging
View-Only Organization Management
Members of this group have read-only access to the entire Exchange
organization tree in the Active Directory configuration container and
read-only access to all the Windows domain containers that have Exchange recipients.
4. Exchange Server and Active Directory
Like Exchange Server
2007, Exchange Server 2010 is tightly integrated with Active Directory.
Not only does Exchange Server 2010 store information
in Active Directory, but it also uses the Active Directory routing
topology to determine how to route messages within the organization.
Routing to and from the organization is handled using transport servers.
4.1. Understanding How Exchange Stores Information
Exchange stores four types of data in Active Directory: schema data (stored in the Schema partition), configuration data (stored in the Configuration partition), domain data (stored in the Domain partition), and application
data (stored in application-specific partitions). In Active Directory,
schema rules determine what types of objects are available and what
attributes those objects have. When you install the first Exchange
server in the forest, the Active Directory preparation process adds many
Exchange-specific object classes and attributes to the schema partition
in Active Directory. This allows Exchange-specific objects, such as
agents and connectors, to be created. It also allows you to extend
existing objects, such as users and groups,
with new attributes, such as attributes that allow user objects to be
used for sending and receiving e-mail. Every domain controller and
global catalog server in the organization has a complete copy of the Schema partition.
During the installation of the first Exchange server in the forest, Exchange configuration information is generated and stored in Active Directory. Exchange configuration information,
like other configuration information, is also stored in the
Configuration partition. For Active Directory, the configuration
information describes the structure of the directory, and the
Configuration container includes all of the domains, trees, and forests,
as well as the locations of domain controllers and global catalogs. For
Exchange, the configuration information is used to describe the
structure of the Exchange organization. The Configuration container
includes lists of templates, policies, and other global
organization-level details. Every domain controller and global catalog
server in the organization has a complete copy of the Configuration
In Active Directory, the Domain
partition stores domain-specific objects, such as users and groups, and
the stored values of attributes associated with those objects. As you
create, modify, or delete objects, Exchange stores the details about
those objects in the Domain partition. During the installation of the
first Exchange server in the forest, Exchange objects are created in the
current domain. Whenever you create new recipients or modify Exchange
details, the related changes are reflected in the Domain partition as
well. Every domain controller has a complete copy of the Domain
partition for the domain for which it is authoritative. Every global
catalog server in the forest maintains information about a subset of
every Domain partition in the forest.
4.2. Understanding How Exchange Routes Messages
organization, Hub Transport servers use the information about sites
stored in Active Directory to determine how to route messages, and they
can also route messages across site links. The Hub Transport server does
this by querying Active Directory about its site membership and the
site membership of other servers, and then it uses the information it
discovers to route messages appropriately. Because of this, when you are
deploying an Exchange Server 2010 organization, no additional
configuration is required to establish routing in the Active Directory forest.
For mail delivery within the organization, additional routing configuration is necessary only in these specific scenarios:
If you deploy
Exchange Server 2010 in an existing Exchange Server 2003 organization,
you must configure a two-way routing group connector from the Exchange
routing group to each Exchange Server 2003 routing group that
communicates with Exchange Server 2010. You must also suppress link
state updates for the same.
you deploy an Exchange Server 2010 organization with multiple forests,
you must install Exchange Server 2010 in each forest and then connect
the forests using appropriate cross-forest trusts. The trust allows users to see address and availability data across the forests.
an Exchange Server 2010 organization, if you want direct mail flow
between Exchange servers in different forests, you must configure SMTP
send connectors and SMTP receive connectors on the Hub Transport servers
that should communicate directly with each other.
The organization's Mail
Transport servers handle mail delivery outside the organization and
receipt of mail from outside servers. You can use two types of Mail
Transport servers: Hub Transport servers and Edge Transport servers. You
deploy Hub Transport servers within the organization. You can
optionally deploy Edge Transport servers in the organization's perimeter
network for added security. Typically a perimeter network is a secure
network set up outside the organization's private network.
With Hub Transport servers, no other special configuration is needed for message routing
to external destinations. You must configure only the standard mail
setup, which includes identifying DNS servers to use for lookups. With
Edge Transport servers, you can optimize mail routing and delivery by
configuring one-way synchronization from the internal Hub Transport
servers to the perimeter network's Edge Transport servers. Beyond this,
no other special configuration is required for mail routing and