Part of the planning process for deploying Microsoft Exchange 2000 Server in your organization is determining how to administer it. With the introduction of Active Directory, you can separate the administration of servers from the administration of recipients. Understanding this separation is important in deciding how to administer Exchange. In addition, understanding the new administration models is necessary to administer servers and recipients effectively.
This article provides an overview of administering Exchange 2000 Server. In addition, it includes an overview of hardware issues that are important for you to consider when planning a strategy for managing your servers.
You manage Exchange using Microsoft Management Console (MMC). MMC is a tool used to create, save, and open collections of administrative tools, which are called consoles. Consoles contain items such as snap-ins, extension snap-ins, monitor controls, tasks, wizards, and documentation for managing the hardware, software, and networking components of your Windows 2000 system. A snap-in is software that comprises the smallest unit of MMC extension providing administrative functionality. You can add items to an existing MMC console, or you can create new consoles and configure them to administer a specific system component.
MMC provides a hierarchical representation of tools, components, and administrative information logically organized into containers. Containers hold either other containers or objects that you place in the containers using a drag-and-drop operation.
Note You can access the MMC online documentation on any computer that is running Windows 2000 by clicking Start, pointing to Run, and then typing mmc in Open. When MMC starts, click the Help icon.
You manage Exchange using two main snap-ins: System Manager and Active Directory Users and Computers.
System Manager is the Exchange administration component that is installed during Setup if you select Microsoft Exchange System Management Tools on the Component Selection screen of Microsoft Exchange 2000 Installation Wizard. If you install SMTP, you can install System Manager on any computer running Windows 2000 that you use to manage your Exchange organization. This includes any computer running Windows 2000 Professional if Windows 2000 Administration Tools is installed.
Active Directory Users and Computers is installed by default when you promote a Windows 2000 server to a domain controller.
Exchange permissions are based on the Windows 2000 permission model. You can assign permissions that a user or group has on an object and on the object’s child objects.
When an object is created in Windows 2000, the object inherits permissions from its parent object. This inheritance feature simplifies managing permissions in the following ways:
- Inheritance eliminates the need to manually apply permissions to child objects as they are created.
- Inheritance ensures the permissions attached to a parent object are applied to all child objects consistently.
- When you need to modify permissions on all objects in a container, you only need to change the permissions once on the parent objects. The child objects inherit those changes.
- The permissions model for Exchange 2000 Server gives you more control over the permissions that users are granted on Exchange containers and objects. For example, you can give an engineer write permission on a container that is read-only for help desk staff.
The Windows 2000 Active Directory security model is extended in Exchange by using extended permissions. In earlier versions of Exchange, after a user is granted access, the user has access to all objects in that container. In Exchange 2000, you can specify user and group access by object class; for example, you can grant administrators permission to view the status of the mailbox store but not the size of a user’s mailbox.
With the releases of Windows 2000 Server and Exchange 2000 Server, recipients are defined as objects within Active Directory and can take advantage of Exchange functionality. Recipients include the Active Directory objects users, groups, and contacts. You create mailboxes, new users, and distribution groups, and perform other related tasks, in Active Directory Users and Computers because these objects are contained in and managed by Active Directory.
Interoperability with Earlier Versions of Exchange
Mailbox management includes creating, modifying, and deleting mailboxes, e-mail addresses, and related properties. In Exchange 2000, mailbox management is integrated with Active Directory recipient management. Exchange 2000 Server does not provide a separate mailbox management tool as earlier versions of Exchange do.
The recommended method for managing recipients in a mixed environment with Exchange 2000 Server and earlier versions of Exchange is to use Active Directory Users and Computers. To manage recipients using Active Directory Users and Computers, all recipient information in your existing Exchange organization must be replicated to Active Directory using Active Directory Connector (ADC) and connection agreements.
Note To use Exchange 2000 Server in an organization running earlier versions of Exchange, you must have at least one computer running Exchange 5.5 Service Pack 3 (SP3).
During the upgrade and migration process, you can continue to manage recipients that have not been replicated to Active Directory using the management tools in Windows NT and earlier versions of Exchange.
In earlier versions of Exchange, the Administrator program had to be connected to an Exchange server to extract configuration information from the directory service and make changes. With Active Directory, you can use System Manager to connect to any Windows 2000 domain controller and extract information from Active Directory.
Depending on the changes you are making, the administrative model, and the user’s permissions, the changes you make may be restricted to the single Exchange server. Active Directory can replicate changes across the entire Exchange organization, giving you the ability to perform administration across the forest from a single point of control. On the other hand, by combining and applying permissions, access control, and Windows security group functionality, you can fine-tune access and control to objects. This provides you with a new level of flexibility not possible with earlier versions of Exchange.
In Exchange 2000 Server you administer all facets of Exchange configuration centrally through System Manager. System Manager is a saved console file that is launched from the Start menu after Exchange is installed. You can configure servers, connectors, public folders, address lists, protocols, and policies in System Manager.
By default, System Manager connects to the closest available domain controller to obtain the appropriate configuration information and populate the snap-ins.
Administrative Groups and Routing Groups
In Exchange 2000 there are two ways to organize servers: administrative groups, which are based on a logical grouping of servers for administration; and routing groups, which are based on a physical grouping of servers for routing. In earlier versions of Exchange, the concept of a site represented the boundary for administrative topology and routing topology.
An administrative group is a collection of Active Directory objects that are grouped together for the purpose of permissions management. An administrative group can contain policies, routing groups, public folder hierarchies, servers, and chat networks. The content of an administrative group depends on choices you make during installation. Unless Exchange 2000 is installed into an existing Exchange organization, administrative groups are disabled in System Manager. You can enable administrative groups if you need to divide the administration of your Exchange organization.
A typical reason you create an administrative group is to define the scope of permissions for the objects in the administrative group. For example, if your organization has two sets of administrators that manage two sets of Exchange servers, you can create two administrative groups that contain these two sets of servers. To establish permissions, you can add the appropriate Windows 2000 users and groups to the security settings on the two administrative groups. Then, Active Directory propagates these settings to all the configuration objects within the administrative group.
An administrative group can contain multiple servers and multiple routing groups, but you cannot move servers between administrative groups. The administrative group is similar to a folder in which you can organize Exchange system management tools. This is similar to the way you can use folders to organize files in Windows Explorer.
Note Administrative groups function differently in a mixed environment with earlier versions of Exchange and Exchange 2000 Server.
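A simplified model of the inheritance and per-class permissions described above, as an added example that is not Exchange or Windows code: group names, object names and class labels are constructed, and only allow entries are modelled. `out_of_scope_writes` is a hypothetical audit helper that lists objects where a regional group holds write access outside its own administrative group.

```python
# Added example: simplified model of permission inheritance.
# Allow-only; it is not the Windows 2000 access-check algorithm.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Ace:
    trustee: str                      # Windows group (constructed name)
    rights: frozenset                 # rights this entry grants
    applies_to: Optional[str] = None  # limit to one object class; None = any

@dataclass
class Node:
    name: str
    object_class: str                 # constructed label, not an AD class name
    parent: Optional["Node"] = None
    aces: list = field(default_factory=list)
    inherit: bool = True              # False: ignore ACEs from ancestors

def effective_rights(node, groups):
    """Rights granted to any of `groups` on `node`, own plus inherited."""
    rights, current = set(), node
    while current is not None:
        for ace in current.aces:
            if ace.trustee in groups and ace.applies_to in (None, node.object_class):
                rights |= ace.rights
        current = current.parent if current.inherit else None
    return rights

def is_under(node, ancestor):
    """True if `ancestor` is `node` itself or one of its parents."""
    while node is not None:
        if node is ancestor:
            return True
        node = node.parent
    return False

def out_of_scope_writes(group, home, nodes):
    """Objects outside `home` where `group` still ends up with write."""
    return [n.name for n in nodes
            if "write" in effective_rights(n, {group}) and not is_under(n, home)]

RW = frozenset({"read", "write"})
org = Node("Example Org", "organization", aces=[Ace("HelpDesk", frozenset({"read"}))])
europe = Node("Europe", "administrativeGroup", org, [
    Ace("EuropeAdmins", RW),
    Ace("Operators", frozenset({"view_status"}), applies_to="mailboxStore")])
asia = Node("Asia", "administrativeGroup", org, [Ace("AsiaAdmins", RW)])
eu_server = Node("EU-EX01", "server", europe)
eu_store = Node("EU-EX01 Mailbox Store", "mailboxStore", eu_server)
# Constructed misconfiguration: a direct grant that crosses the group boundary.
as_server = Node("AS-EX01", "server", asia, [Ace("EuropeAdmins", frozenset({"write"}))])
ALL_NODES = [org, europe, asia, eu_server, eu_store, as_server]

if __name__ == "__main__":
    print(sorted(effective_rights(eu_store, {"EuropeAdmins"})))
    print(out_of_scope_writes("EuropeAdmins", europe, ALL_NODES))
```

Because rights set on an administrative group flow to everything beneath it, the audit only needs to look for grants that reach objects outside the group's own subtree.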
A routing group is a collection of Exchange servers that have full-time, reliable connections. Messages sent between any two servers within a routing group go directly from source to destination. Similar to administrative groups, routing groups are optional and are not visible in System Manager unless you enable them.
The primary reason you create routing groups is to define single-hop routing within your Exchange organization; however, you can also create routing groups between servers to manage messages and control the flow of messages across administrative boundaries.
Interoperability with Earlier Versions of Exchange
Exchange 2000 operates in mixed mode when you first install it. Mixed mode allows Exchange 2000 servers and servers running earlier versions of Exchange to coexist in the same organization. It allows interoperability between versions by limiting functionality to features that both products share.
If your entire organization is running only Exchange 2000 Server and you do not intend to join earlier versions of Exchange into your organization, you can switch to native mode. Native mode means you have a pure Exchange 2000 Server organization, and it allows you to take full advantage of Exchange 2000 Server functionality. Native mode offers the following benefits:
- Although a server can belong to an administrative group for management purposes, that server does not have to belong to one of the routing groups within that administrative group. An administrative group does not have to contain any routing groups.
- A single administrative group can contain all routing groups within the organization.
- You can move mailboxes between servers in the organization.
Important If you change the operation mode of an Exchange 2000 Server organization from mixed mode to native mode, you cannot reverse the change and the organization is no longer interoperable with earlier versions of Exchange. It is important to consider this in your planning.
Exchange address lists provide a mechanism to partition mail-enabled objects in Active Directory for the benefit of specific groups of users. For example, if your organization is spread across a wide geographical area, you can specify an address list that extracts mail-enabled objects according to location. For a user who searches for users, groups, and contacts that reside within a common geographical area, providing a condensed version of Active Directory specific to location streamlines the user’s search. Exchange address lists support Microsoft Outlook 2000, Outlook 98, and Outlook 97, but not Outlook Express.
Types of Address Lists
There are two types of address lists: default and custom.
Default address lists are created automatically based on the values of specific attributes of Active Directory objects. These address lists are available to Exchange users without any administrator action. The following table describes each default address list.
| Default address list | Contents |
|---|---|
| Global Address List | Recipients in the organization |
| | Users within the organization (mail-enabled and mailbox-enabled) |
| | Groups within the organization (mail-enabled) |
| | Contacts within the organization (mail-enabled) |
| All Conference Resources | Conference resources within the organization |
| | Public folders within the organization (mail-enabled) |
You create custom address lists to help users who need a custom view of recipients within the Exchange organization. For example, you can create an address list that includes only employees in North America, or you can create an address list that includes only employees in the marketing department.
Address List Management
You create and manage address lists using System Manager. Managing address lists is simple because you do not need to add individual members to default or custom address lists. Address list memberships change dynamically and are based on Active Directory queries that are specified for each address list. When you create or modify address lists, Recipient Update Service updates the recipient object.
A policy is a collection of configuration settings that you apply to one or more Exchange configuration objects. Policies simplify the administration of Exchange by controlling the configuration of settings across servers or other objects in an Exchange organization. After you define and implement policies, editing the policy and applying the changes alters the configuration of all servers and objects the policy covers.
There are two types of policies: system policies and recipient policies.
System policies affect Exchange configuration objects that are typically thought of as server-side objects, such as mailbox stores, public folder stores, and servers.
You create a system policy, define the settings the policy implements, associate the policy with one or more objects of the same class, and then apply the policy using System Manager. System policies apply configuration settings to items in the Windows 2000 Configuration container, which is replicated to every domain controller and optimized to apply settings to hundreds of objects.
You apply recipient policies to mail-enabled objects to generate e-mail addresses. You can define them to apply to thousands of users, groups, and contacts in Active Directory using a Lightweight Directory Access Protocol (LDAP) query interface in a single operation.
Recipient policies are for objects typically thought of as user-side, such as users, groups, and contacts. Exchange 2000 Server includes a single recipient policy that automatically generates e-mail addresses for mail-enabled Exchange objects, such as users, groups, contacts, public folders, mailbox stores, and public folder stores.
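Both address lists and recipient policies select their objects with an LDAP query rather than a stored member list. The following added example (not Exchange code) evaluates a subset of LDAP filter syntax over a constructed directory to show membership following attribute values; the two filters, the sample objects and the function names are assumptions made for illustration.

```python
# Added example: evaluator for a subset of LDAP search filters
# (AND, OR, NOT, equality, presence, '*' wildcards). Not Exchange code.
from fnmatch import fnmatchcase

def _parse(f, i):
    """Parse one parenthesised filter at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        node = (op, kids)
    elif f[i] == "!":
        kid, i = _parse(f, i + 1)
        node = ("!", [kid])
    else:
        end = f.index(")", i)
        attr, sep, value = f[i:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed item at offset {i}")
        node = ("=", attr.lower(), value.lower())
        i = end
    if f[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def parse_filter(text):
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, obj):
    """obj maps lower-case attribute names to lists of values."""
    op = node[0]
    if op == "&":
        return all(matches(k, obj) for k in node[1])
    if op == "|":
        return any(matches(k, obj) for k in node[1])
    if op == "!":
        return not matches(node[1][0], obj)
    _, attr, pattern = node
    return any(fnmatchcase(v.lower(), pattern) for v in obj.get(attr, []))

def members(filter_text, directory):
    """Names of the objects the filter selects; nothing is stored per list."""
    tree = parse_filter(filter_text)
    return sorted(o["cn"][0] for o in directory if matches(tree, o))

# Constructed filters for the two custom lists the article mentions.
MARKETING = "(&(mailNickname=*)(department=Marketing))"
NORTH_AMERICA = "(&(mailNickname=*)(|(c=US)(c=CA)))"

# Constructed directory objects; dave has no mailNickname (not mail-enabled).
DIRECTORY = [
    {"cn": ["alice"], "mailnickname": ["alice"], "department": ["Marketing"], "c": ["US"]},
    {"cn": ["bob"], "mailnickname": ["bob"], "department": ["Engineering"], "c": ["CA"]},
    {"cn": ["carol"], "mailnickname": ["carol"], "department": ["Marketing"], "c": ["FR"]},
    {"cn": ["dave"], "department": ["Marketing"], "c": ["US"]},
]

if __name__ == "__main__":
    print(members(MARKETING, DIRECTORY))
    print(members(NORTH_AMERICA, DIRECTORY))
```

Since membership is recomputed from attributes, a filter that is broader than intended exposes every matching object, so the query itself is what needs review when a list or policy is created or changed.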
You can use System Manager to manage real-time collaboration components such as Chat Service and Instant Messaging.
A critical element of Exchange administration is maintaining your system. Before you install Exchange, you should create a plan for system maintenance.
Maintaining your system involves:
- Backing up and restoring your servers and consistently monitoring how well your servers are functioning.
- Monitoring performance and setting up appropriate notifications.
Exchange 2000 Server uses the Windows 2000 Backup utility to back up and restore the Information Store. This utility enables you to protect data from accidental loss or hardware failure. It uses a storage device to back up and restore information located on any local server in your organization or over the network. Windows 2000 provides a System Monitor snap-in and a Performance Logs and Alerts snap-in you can use to measure the performance of computers on your network.
System Monitor and Performance Logs and Alerts provide detailed data about the resources used by specific components of the operating system and server programs, such as Exchange. Graphs provide a display for performance monitoring data; logs provide recording capabilities for the data. Alerts send notifications to users by means of the Messenger service when a counter value reaches, rises above, or falls below a defined threshold.
Microsoft Technical Support often uses the results of performance monitoring to diagnose problems; therefore, Microsoft recommends that you monitor system performance as part of your administrative routine.
The examples in this section illustrate models of administrative groups and routing groups that relate to different organizational configurations. You can use these administrative group and routing group implementations as examples when planning your Exchange deployment.
The distributed management model shows complete control over management of the Exchange organization distributed to company regions or divisions. This model is similar to the site model in earlier versions of Exchange. It is often used by organizations that have branch offices operating independently.
Typically, a central group manages standards and guidelines but not administration. In this model, there is at least one administrative group for each region or division. In a mixed environment with Exchange 2000 and previous versions of Exchange, administrative groups and routing groups are automatically arranged in this way because existing Exchange sites are mapped one-to-one to administrative groups and routing groups when you upgrade to Exchange 2000 Server.
The following illustration shows an Exchange 2000 Server organization with four administrative groups for four different regions. Each administrative group has one or more routing groups and one or more servers running Exchange. Each location has its own group of administrators, which the administrative groups define, and the administrators are restricted to their respective administrative groups.
Figure 6.1 Distributed management model in an Exchange organization
The following illustration shows how the distributed management model appears in System Manager.
Figure 6.2 Distributed management model as it appears in System Manager
In a centralized management model, a single central group maintains complete control of administration. In this model, there is only one administrative group, but there can be many routing groups.
The following illustration shows an Exchange 2000 Server organization with a centralized administration model. A single administrative group administers routing groups in six regions.
Figure 6.3 Centralized management in a single administrative group containing multiple routing groups
The following illustration shows how the centralized management model appears in System Manager. Note that the CorporateHQ administrative group contains all of the routing groups.
Figure 6.4 Centralized management model as it appears in System Manager
Mixed Distributed and Centralized Management
Mixing distributed and centralized management is the most common scenario in organizations with multiple divisions or offices dispersed geographically. In this environment, you can use special administrative groups for one or both of the following:
- Centralized routing management
- Centralized policy management
Centralized Routing Management
Because of the importance and complexity of routing topology, you may restrict routing management to a special group of professionals, who usually belong to the central group of administrators. This is typical when the central group is responsible for the messaging backbone and regional administrators are responsible for day-to-day administration of servers and other services.
Centralized Policy Management
A central group of administrators is responsible for the policies that enforce standard configuration across the organization. The regional administrators are responsible for day-to-day management and monitoring of servers. A variation on this scenario is to have the central group define some organization-wide policies, and have the regional administrators control the remaining policies.
Another aspect of administering servers in Exchange is understanding the different hardware components and the considerations associated with them. You can install and run Exchange in a variety of physical configurations. Server capabilities and Exchange requirements can determine how you allocate your hardware resources.
Using Performance Monitor is an important method of determining the effectiveness of your hardware. You can use System Monitor to set up and monitor the loads placed on your servers. Performing regular system monitoring should be an important part of your planning.
Setting up monitoring on your servers is the first step in determining the efficiency of your hardware. After you set up System Monitor, you can examine the usage levels of the following server areas.
All Exchange 2000 services and server functions use a computer’s processor. One of the most effective methods of determining the efficiency of your hardware is to monitor the usage level of the processor. If the results indicate the processor is close to maximum output for an extended period of time, increasing the number of users on this server will cause slower overall performance and degrade performance further for all users on the server. You should upgrade a processor that is constantly at maximum usage.
As your Exchange server continuously reads and writes information to the hard drive, the amount of disk input and output (I/O) increases. Disk I/O traffic is created by Exchange, Windows 2000, and other applications you install on the server. Slow disk I/O can increase the time required for applications such as Exchange to access information stored on the hard drive. Performance monitoring gives you information about the effectiveness of your physical storage and how quickly it responds to requests.
Monitoring how much RAM the applications on your server consume helps you determine whether the amount of RAM currently installed is adequate for the current level of usage.
If RAM usage is high and the amount of RAM is inadequate, your Windows 2000 servers not only run slowly, but require paging of memory to compensate for the lack of RAM. When memory is paged, it not only uses physical storage space, it increases disk I/O and processor usage. Having adequate RAM is important to the efficiency of your Windows 2000 servers and the applications you install on them.
Applications such as Exchange use physical storage to store users’ mail. As the number of users on your server increases, the amount of available physical storage decreases and the demands of Exchange increase. You should monitor your available hard disk space regularly to ensure that disk space is available when you add additional users.