Microsoft Exchange Server 2010 Administrator's Pocket Consultant
William R. Stanek
Author and Series Editor
Microsoft prePress is early content, straight from the source. What makes it prePress? These book chapters come fresh from the minds and laptops of our respected authors, and before we've edited and debugged the content. It's a great way to get cutting-edge information right now, just when you need it!

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, ActiveX, Forefront, Outlook, Windows, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Copyright 2009 Microsoft Corporation

Table of Contents
Chapter 1 Microsoft Exchange Server 2010 Administration Overview
Exchange Server 2010 and Your Hardware
Microsoft Exchange Server 2010 Editions
Exchange Server and Windows
Services for Exchange Server
Exchange Server Authentication and Security
Exchange Server Security Groups
Exchange Server and Active Directory
Understanding How Exchange Stores Information
Understanding How Exchange Routes Messages
Using the Graphical Administration Tools
Using the Command-Line Administration Tools
Chapter 6 Mailbox Administration
Creating Special-Purpose Mailboxes
Using Room and Equipment Mailboxes
Creating Room and Equipment Mailboxes
Creating Linked Mailboxes
Creating Forwarding Mailboxes
Creating Archive Mailboxes
Managing Mailboxes: The Essentials
Viewing Current Mailbox Size, Message Count, and Last Logon
Setting Alternate Mailbox Display Names for Multilanguage Environments
Hiding Mailboxes from Address Lists
Defining Custom Mailbox Attributes for Address Lists
Moving Mailboxes
Moving Mailboxes: The Essentials
Performing Offline Mailbox Moves
Performing Online Mailbox Moves
Importing and Exporting Mailbox Data
Configuring Mailbox Delivery Restrictions, Permissions, and Storage Limits
Setting Message Size Restrictions for Contacts
Setting Message Size Restrictions on Delivery to and from Individual Mailboxes
Setting Send and Receive Restrictions for Contacts
Setting Message Send and Receive Restrictions on Individual Mailboxes
Permitting Others to Access a Mailbox
Forwarding E-mail to a New Address
Setting Storage Restrictions on an Individual Mailbox
Setting Deleted Item Retention Time on Individual Mailboxes

CHAPTER 1
Microsoft Exchange Server 2010 Administration Overview
If you thought Exchange Server 2007 was a radical departure from its predecessors, wait till you get acquainted with Exchange Server 2010. Exchange Server 2010 completely redefines the Exchange Server messaging platform, and right up front you should know that Exchange Server 2010 does away with the concepts of storage groups, Local Continuous Replication (LCR), Single Copy Clusters (SCC), and clustered mailbox servers.
In previous releases of Exchange Server, you used storage groups to group mailbox and public folder databases into logical units of management. In Exchange Server 2010, databases are no longer associated with storage groups. For mailbox databases, Database Availability Groups can now be used to group databases for high availability, and mailbox databases are managed at the organization level instead of at the server level. For public folder databases, database management has been moved to the organization level, but the functionality hasn't changed since it was implemented in Exchange Server 2007.
To support these and other changes, all storage group functionality has been moved to the database level. Further, mailbox databases are now peers to servers in the Exchange store schema, a change which removes the dependency of mailbox databases on server objects and reduces the Exchange store's reliance on secondary indices maintained by the Extensible Storage Engine (ESE).
Exchange Server 2010 integrates high availability into the core architecture by combining Cluster Continuous Replication (CCR) and Standby Continuous Replication (SCR) into a single high availability solution for both on-site and off-site data replication. Exchange Server 2010 also adds automatic failover and recovery of any Exchange Server role when you deploy multiple Exchange servers. Because of these changes, building a high availability solution no longer requires cluster hardware or advanced cluster configuration. Instead, you simply install multiple servers running Exchange Server 2010 with whatever roles you'd like to use in the same Exchange organization and high availability is enabled automatically. While role failover is automatic, you manage failover for mailbox databases using Database Availability Groups. Failover is automatic for mailbox databases that are part of the same Database Availability Group.
The rules for Database Availability Groups are simple. Each mailbox server can have up to 50 databases, and each database can have as many as 16 copies. A single Database Availability Group can have up to 16 mailbox servers that provide automatic database-level recovery. Any server in a Database Availability Group can host a copy of a mailbox database from any other server in the Database Availability Group.
This seamless high availability functionality is made possible because Exchange Server 2010 disconnects mailbox databases from servers and assigns the same globally unique identifier (GUID) to all copies of a mailbox database. Because storage groups no longer exist, continuous replication occurs at the database level. Transaction logs are replicated to members of a Database Availability Group and replayed into the copy of the mailbox database that is stored on a particular server. Failover can occur at either the database level or the server level.
While I discuss the architectural and administration impact of these extensive changes throughout this and other chapters of this book, you need to know this information right up front because it radically changes the way you will implement and manage your Exchange organization. Why? With these changes, you might not need to use Redundant Arrays Of Inexpensive Disks (RAID) for your Exchange data and you might not need to ever perform routine backups of your Exchange data. Although backup-less and RAID-less Exchange implementations are radical ideas, they are possible, especially if you implement data retention rules as may be necessary for regulatory compliance and remember to rotate Exchange data to offsite storage periodically to ensure you are protected in extreme disaster recovery scenarios.
As you get started with Exchange Server 2010, you should concentrate on these areas:
- How Exchange Server 2010 works with your hardware
- What versions and editions of Exchange Server 2010 are available and how they meet your needs
- How Exchange Server 2010 works with Windows-based operating systems
- How Exchange Server 2010 works with Active Directory
- What administration tools are available

Exchange Server 2010 and Your Hardware


Before you deploy Exchange Server 2010, you should carefully plan the messaging architecture. As part of your implementation planning, you need to look closely at preinstallation requirements and the hardware you will use. Exchange Server is no longer the simple messaging server that it once was. It is now a complex messaging platform with many components that work together to provide a comprehensive solution for routing, delivering, and accessing e-mails, voice mails, faxes, contacts, and calendar information.
Successful Exchange Server administration depends on three things:
- Good Exchange administrators
- Strong architecture
- Appropriate hardware

The first two ingredients are covered: you're the administrator, you're smart enough to buy this book to help you through the rough spots, and you've enlisted Exchange Server 2010 to provide your high-performance messaging needs. This brings us to the issue of hardware. Exchange Server 2010 should run on a system with adequate memory, processing speed, and disk space. You also need an appropriate data-and-system protection plan at the hardware level.
Key guidelines for choosing hardware for Exchange Server are as follows:
- Memory: Exchange Server 2010 has been tested and developed for maximum memory configurations of 64 gigabytes (GB) for Mailbox servers, 16 GB for all other server roles except Unified Messaging. For Unified Messaging, the maximum is 8 GB. The minimum random access memory (RAM) is 2 GB. In most cases, you'll want to have at least twice the recommended minimum amount of memory. The primary reason for this is performance. Most of the Exchange installations I run use 4 GB of RAM as a starting point, even in small installations. In multiple Exchange server installations, the Mailbox server should have at least 2 GB of RAM plus 5 megabytes (MB) of RAM per mailbox. For all Exchange server configurations, the paging file should be at least equal to the amount of RAM in the server plus 10 MB.
- CPU: Exchange Server 2010 runs on the x64 family of processors from AMD and Intel, including AMD64 and Intel Extended Memory 64 Technology (Intel EM64T). Exchange Server 2010 provides solid benchmark performance with Intel Xeon 3.4 GHz and higher or AMD Opteron 3.1 GHz and higher. Any of these CPUs provide good starting points for the average Exchange Server system. You can achieve significant performance improvements with a high level of processor cache. Look closely at the L1, L2, and L3 cache options available; a higher cache can yield much better performance overall. Look also at the speed of the front side bus. The faster the bus speed, the faster the CPU can access memory.

  Exchange Server 2010 runs only on 64-bit hardware. The primary advantages of 64-bit processors over 32-bit processors have to do with memory limitations and data access. Because 64-bit processors can exceed the 4-GB memory limit of 32-bit processors, they can store greater amounts of data in main memory, providing direct access to and faster processing of data. In addition, 64-bit processors can process data and execute instruction sets that are twice as large as 32-bit processors. Accessing 64 bits of data (versus 32 bits) offers a significant advantage when processing complex calculations that require a high level of precision.
Note At the time of this writing, 64-bit versions do not support Intel Itanium.
- SMP: Exchange Server 2010 supports symmetric multiprocessors, and you'll see significant performance improvements if you use multiple CPUs. Microsoft tested and developed Exchange Server 2010 for use with dual-core and multicore CPUs as well. The minimum, recommended, and maximum number of CPUs, whether single core, dual core, or multicore, depends on a server's Exchange roles (see "Exchange Server Messaging Roles" in Chapter 2, "Deploying Microsoft Exchange Server 2010."). Still, if Exchange Server is supporting a small organization with a single domain, one CPU with multiple cores should be enough. If the server supports a medium or large organization or handles mail for multiple domains, you might want to consider adding processors. When it comes to processor cores, I prefer two four-core processors to a single 8-core processor given current price/performance tradeoffs. An alternative would be to distribute the workload across different servers based on where you locate resources.
- Disk drives: The data storage capacity you need depends entirely on the number and size of the data that will pass through, be journaled on, or stored on the Exchange server. You need enough disk space to store all data and logs, plus workspace, system files, and virtual memory. Input/output (I/O) throughput is just as important as drive capacity. In most cases, small computer system interface (SCSI) drives are faster than integrated device electronics/enhanced integrated drive electronics (IDE/EIDE) and are, therefore, recommended. Rather than use one large drive, you should use several drives, which allow you to configure fault tolerance with redundant array of independent disks (RAID).
- Data protection: You can add protection against unexpected drive failures by using RAID. For the boot and system disks, use RAID 1 on internal drives. However, because of the new high availability features, you may not want to use RAID for Exchange data and logs. You also may not want to use expensive disk storage systems either. Instead, you may want to deploy multiple Exchange servers with each of your Exchange roles.
  If you decide to use RAID, remember that storage arrays typically already have an underlying RAID configuration and you might have to use a tool such as Storage Manager For SANs to help you distinguish between logical unit numbers (LUNs) and physical disks. For data, use RAID 0 or RAID 5. For logs, use RAID 1. RAID 0 (disk striping without parity) offers good read/write performance, but any failed drive means that Exchange Server can't continue operation on an affected database until the drive is replaced and data is restored from backup. RAID 1 (disk mirroring) creates duplicate copies of data on separate drives, and you can rebuild the RAID unit to restore full operations. RAID 5 (disk striping with parity) offers good protection against single drive failure, but has poor write performance. For best performance and fault tolerance, RAID 0+1, which consists of disk mirroring and disk striping without parity, is also an option.
- Uninterruptible power supply: Exchange Server 2010 is designed to maintain database integrity at all times and can recover information using transaction logs. This doesn't protect the server hardware, however, from sudden power loss or power spikes, both of which can seriously damage hardware. To prevent this, connect your server to an uninterruptible power supply (UPS). A UPS gives you time to shut down the server or servers properly in the event of a power outage. Proper shutdown is especially important on servers using write-back caching controllers. These controllers temporarily store data in cache. Without proper shutdown, this data can be lost before it is written to disk.

If you follow these hardware guidelines and modify them for specific messaging roles, as discussed in the next section, you'll be well on your way to success with Exchange Server 2010.
Microsoft Exchange Server 2010 Editions
Several editions of Exchange Server 2010 are available, including Exchange Server 2010 Standard Edition and Exchange Server 2010 Enterprise Edition. The various server editions support the same core features and administration tools, which means you can use the techniques discussed throughout this book regardless of which Exchange Server 2010 edition you are using. For reference, the specific feature differences between Standard Edition and Enterprise Edition are as follows:
- Exchange Server 2010 Standard Edition: Designed to provide essential messaging services for small to medium-sized organizations and branch office locations. This server edition supports a limited number of databases. Each database is limited to a maximum size of 16 terabytes (TB), limited only by hardware.
- Exchange Server 2010 Enterprise Edition: Designed to provide essential messaging services for organizations with increased availability, reliability, and manageability needs. This server edition supports up to 50 databases in total on a particular server. Each database is limited to a maximum size of 16 terabytes (TB), limited only by hardware.

Note Throughout this book, I refer to Exchange Server in different ways, and each has a different meaning. Typically, I refer to the software product as Exchange Server. If you see this term, you can take it to mean Microsoft Exchange Server 2010. When necessary, I use Exchange Server 2010 to draw attention to the fact that I am discussing a feature that's new or has changed in the most recent version of the product. Each of these terms means essentially the same thing. If I refer to a previous version of Exchange Server, I always do so specifically, such as Exchange Server 2007. Finally, I often use the term Exchange server (note the lowercase s in server) to refer to an actual server computer, as in "There are eight Exchange servers in this routing group."
Real World Microsoft provides a single binary for x64 systems, and the same binary files are used for both the Standard and the Enterprise editions. The license key provided during installation is what determines which edition is established during installation.
You can use a valid product key to go from a trial edition to a Standard Edition or
Enterprise Edition of Exchange Server 2010 without having to reinstall. Using a valid
product key, you can also upgrade from Standard Edition to Enterprise Edition. You
can also relicense an Exchange Server by entering a new product key for the installed
edition, which is useful if you accidentally used the same product key on multiple
servers and want to correct the mistake.
There are several caveats. When you change the product key on a Mailbox server, you
must restart the Microsoft Exchange Information Store service to apply the change.
When you change the product key on an Edge Transport server, you must resubscribe
the server in the Exchange organization to apply the change. Additionally, you cannot
use product keys to downgrade editions. To downgrade editions, you must uninstall
Exchange Server and then reinstall Exchange Server.
A client accessing an Exchange server requires a Client Access License (CAL). With either Exchange Server edition, the client can use a Standard CAL, an Enterprise CAL, or both. The Standard CAL allows for the use of e-mail, shared calendaring, contacts, task management, Outlook Web Access, and Exchange ActiveSync. The Enterprise CAL allows for the use of unified messaging, advanced compliance capabilities, and antivirus/antispam protection. A client must have both a Standard CAL and an Enterprise CAL to make full use of all Exchange Server features.
Beyond the editions and CALs, Exchange Server 2010 has several variants. Microsoft offers on-premises and online implementations of Exchange Server. An on-premises Exchange Server is one that you install in your organization. An online Exchange Server is delivered as a subscription service from Microsoft. In Exchange Server 2010, you can manage both on-premises and online implementations of Exchange Server using the same management tools.
Exchange Server 2010 runs on Windows Server 2008 with Service Pack 2 or later and Windows Server 2008 Release 2. To install Exchange Server 2010, the system partition and all disk partitions used by Exchange must be formatted using the NT file system (NTFS). Additional preinstallation requirements are as follows:
- The domain controller with the Schema Master role must be running at least Windows Server 2003 Service Pack 1 (SP1).
- All domains in the Active Directory forest where Exchange Server 2010 will be installed or in which recipients will be hosted must have the domain functional level set to Windows 2000 Server native or higher.
- For forest-to-forest delegation and free/busy availability selection across forests, you must establish a trust between the forests that have Exchange Server installed, and the minimum forest functional level for these forests must be Windows Server 2003.
- The domain must be configured to use multiple-label DNS names, such as cpandl.com or adatum.local, rather than single-label DNS names, such as cpandl or adatum.

Note The full installation option of Windows Server 2008 is required for all Exchange 2010 servers. Using Active Directory with Exchange Server 2010 is covered in more detail in the "Exchange Server and Active Directory" section of this chapter and the "Integrating Exchange Server Roles with Active Directory" section of Chapter 2.
Exchange Server 2010 requires Microsoft Management Console 3.0 or later, the Microsoft .NET Framework version 3.5.1, and Windows PowerShell Version 2.0 for the Exchange Management Shell and remote management. The PowerShell remoting features are supported by the WS-Management protocol and the Windows Remote Management (WinRM) service that implements WS-Management in Windows. Computers running Windows 7, Windows Server 2008 Release 2 and later include WinRM 2.0 or later. On computers running earlier versions of Windows, you'll need to install WinRM 2.0 or later as appropriate. Other prerequisites are role-specific and discussed in Chapter 2.
If you want to manage Exchange Server 2010 from a workstation, you'll need to install Microsoft .NET Framework version 3.5.1, WinRM 2.0, and Windows PowerShell 2.0. As WinRM 2.0 and PowerShell 2.0 are used for remote management whether you use the GUI or the command-line, you'll need to enable remote commands on the workstation.
You can verify the availability of WinRM 2.0 and configure Windows PowerShell for remoting by following these steps:
1. Start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and selecting Run As Administrator.
2. The WinRM service is configured for manual startup by default. You must change the startup type to Automatic and start the service on each computer you want to work with. At the PowerShell prompt, you can verify that the WinRM service is running using the following command:
    get-service winrm
   As shown in the following example, the value of the Status property in the output should be Running:
    Status   Name               DisplayName
    ------   ----               -----------
    Running  WinRM              Windows Remote Management
3. To configure Windows PowerShell for remoting, enter the following command:
    Enable-PSRemoting -force
In many cases, you will be able to work with remote computers in other domains. However, if the remote computer is not in a trusted domain, the remote computer might not be able to authenticate your credentials. To enable authentication, you need to add the remote computer to the list of trusted hosts for the local computer in WinRM. To do so, enter:
    winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
where RemoteComputer is the name of the remote computer, such as:
    winrm s winrm/config/client '@{TrustedHosts="CorpServer56"}'
When you are working with computers in workgroups or homegroups, you must either use HTTPS as the transport or add the remote machine to the TrustedHosts configuration settings. If you cannot connect to a remote host, verify that the service on the remote host is running and is accepting requests by running the following command on the remote host:
    winrm quickconfig
This command analyzes and configures the WinRM service. If the WinRM service is set up correctly, you'll see output similar to the following:
    WinRM already is set up to receive requests on this machine.
    WinRM already is set up for remote management on this machine
If the WinRM service is not set up correctly, you'll see errors and will need to respond affirmatively to several prompts that allow you to automatically configure remote management. When this process completes, WinRM should be set up correctly.
To use PowerShell remoting features, you must start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and selecting Run As Administrator. When starting PowerShell from another program, such as the command prompt (cmd.exe), you must start that program as an administrator.
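The verification steps and the TrustedHosts change above, collected into one script as an added example (not code from the book). Get-WinRMReadiness and Add-WinRMTrustedHost are hypothetical helper names and CorpServer56 is the sample host from the text; because the winrm s command replaces the whole TrustedHosts value, and a trusted host is one the client connects to without verifying its identity, the helper appends a single named host and refuses wildcards.

```powershell
# Added example; not code from the book. Run from an elevated Windows PowerShell
# prompt (2.0 through 5.1; Get-WmiObject is not available in PowerShell 7).

function Get-WinRMReadiness {
    # Win32_Service exposes StartMode; Get-Service in PowerShell 2.0 does not.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"
    $report = New-Object PSObject -Property @{
        ServiceState  = $svc.State        # want: Running
        StartMode     = $svc.StartMode    # want: Auto
        Listeners     = @()
        TrustedHosts  = ''
        WildcardTrust = $false
    }
    # The WSMan: drive is only readable while the WinRM service is running.
    if ($svc.State -eq 'Running') {
        $report.Listeners = @(Get-ChildItem WSMan:\localhost\Listener |
            ForEach-Object { $_.Keys -join ';' })
        $report.TrustedHosts = [string](Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        # '*' trusts every host: the client connects without verifying who answers.
        $report.WildcardTrust = @($report.TrustedHosts -split ',' |
            ForEach-Object { $_.Trim() }) -contains '*'
    }
    return $report
}

function Add-WinRMTrustedHost {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Accept exactly one host name; reject wildcards and comma- or space-separated lists.
    if ($ComputerName -match '[\*,\s]') {
        throw "Specify a single host name without wildcards: '$ComputerName'"
    }
    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = [string](Get-Item $path).Value
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    if ($entries -contains '*') {
        Write-Warning "TrustedHosts is '*'. Replace it with named hosts before adding more."
        return $entries
    }
    if ($entries -notcontains $ComputerName) {
        # 'winrm s ... TrustedHosts=' overwrites the list; this keeps existing entries.
        $entries += $ComputerName
        Set-Item $path -Value ($entries -join ',') -Force
    }
    return $entries
}

# Steps 2 and 3 from the text, then the TrustedHosts change for the sample host.
$state = Get-WinRMReadiness
if ($state.ServiceState -ne 'Running' -or $state.StartMode -ne 'Auto') {
    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM
}
Enable-PSRemoting -Force
Add-WinRMTrustedHost -ComputerName 'CorpServer56'   # sample name used in the text
Get-WinRMReadiness | Format-List

# From the client side, confirm that the remote WinRM service answers requests.
Test-WSMan -ComputerName 'CorpServer56'
```

A WildcardTrust value of True in the report means TrustedHosts contains '*', which is worth replacing with the specific hosts you manage.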
Exchange Server 2010 uses the Windows Installer and has a fully integrated installation process. This means you can configure Exchange Server 2010 much like you can any other application you install on the operating system. The installation can be performed remotely from a command shell as well as locally.
Chapter 2 provides detailed instructions for installing Exchange Server 2010. With an initial installation, Windows Installer will first check the system configuration to determine the status of required services and components, which includes checking the Active Directory configuration and the availability of components, such as IIS (Internet Information Server), as well as operating system service packs, installation permissions for the default install path, memory, and hardware.
After checking the system configuration, the installer allows you to select the roles to install. Whether you use the Standard or Enterprise Edition, you have similar options. You can:
- Install an internal messaging server by selecting the individual server roles to install and combining the Mailbox role, Client Access role, Hub Transport role, and Unified Messaging role as required for your environment. Generally, you will not want an internal Exchange server to also be configured as a domain controller with a global catalog.

Note For details on how the various server roles are used, see Chapter 2, which
also provides guidelines for sizing and positioning the various server roles.
- Install a Messaging server in a perimeter zone outside the organization's main network by selecting only the Edge Transport role. Edge Transport servers are not members of the Active Directory forest and are not configured on domain controllers.
- Install the management tools.
- Specify the path for the Exchange Server installation files.
- Specify the path for the Exchange Server installation.

If you want to change the configuration after installation, you can use Exchange Server 2010 maintenance mode, as discussed in "Adding, Modifying, or Uninstalling Server Roles" in Chapter 2.
Exchange Server 2010 includes the following antispam and antivirus capabilities:
- Connection filtering: Allows administrators to configure IP Block lists and IP Allow lists, as well as providers who can supply these lists.
- Content filtering: Uses intelligent message filtering to scan message content and identify spam. Spam can be automatically deleted, quarantined, or filed as junk e-mail.

Tip Using the Exchange Server management tools, administrators can manage
messages sent to the quarantine mailbox and take appropriate actions, such as
deleting messages, flagging them as false positives, or allowing them to be
delivered as junk e-mail. Messages delivered as junk e-mail are converted to plain
text to strip out any potential viruses they might contain.
- IP Reputation Service: Provides Exchange Server 2010 customers with exclusive access to an IP Block list provided by Microsoft.
- Outlook Junk E-mail Filter list aggregation: Allows the junk e-mail filter lists of individual Outlook users to be propagated to Exchange servers.
- Recipient filtering: Allows administrators to replicate recipient data from the enterprise to the server running the Edge Transport role. This server can then perform recipient lookups on incoming messages and block messages that are for nonexistent users.
- Sender ID verification: Verifies that incoming e-mail messages are from the Internet domain from which they claim to come. Exchange verifies the sender ID by examining the sender's IP address and comparing it to the related security record on the sender's public domain name system (DNS) server.
- Sender reputation scoring: Helps to determine the relative trustworthiness of unknown senders through sender ID verification and by examining message content and sender behavior history. A sender can then be added temporarily to the Blocked Senders list.

Although these antivirus and antispam features are fairly extensive, they are not comprehensive in scope. For comprehensive antivirus protection, you'll need to install Forefront Security for Exchange Server. Forefront Security for Exchange Server helps protect Exchange servers from viruses, worms, and other malware using multiple antivirus scan engines and file filtering capabilities. Forefront Security provides distributed protection for Exchange servers with the Mailbox server, Hub Transport server, and Edge Transport server roles. Although you can install Forefront Security on Exchange servers with these roles to gain substantial antivirus protection, you do not need to install Forefront Security on Exchange servers with only the Client Access Server or Unified Messaging Server role.
You can use the Forefront Security Setup program to install the server and management components. The management components include the Forefront Server Security Administration Console and the Forefront Management Shell. When you are working with the console, you can configure the way real-time and scheduled scanning for viruses and spyware works. In the shell, you'll find Forefront-specific cmdlets for performing similar tasks.
Exchange Server and Windows
When you install Exchange Server and Forefront Security for Exchange Server on a server operating system, Exchange Server and Forefront Security make extensive modifications to the environment. These modifications include new system services, integrated authentication, and new security groups.
Services for Exchange Server
When you install Exchange Server and Forefront Security for Exchange Server on Windows, multiple services are installed and configured on the server. Table 1-1 provides a summary of key services, how they are used, and with which server components they are associated.
Table 1-1 Summary of Key Services Used by Exchange Server 2010
| SERVICE NAME | DESCRIPTION | SERVER ROLE |
|---|---|---|
| IIS Admin | Enables the server to administer the IIS metabase. The IIS metabase stores configuration information for the SMTP and FTP services. | Client Access |
| Microsoft Exchange Active Directory Topology | Provides Active Directory topology information to Exchange services. If this service is stopped, most Exchange servers will not be able to start. | Hub Transport, Mailbox, Client Access, Unified Messaging |
| Microsoft Exchange Address Book | Manages client address book connections for Exchange Server. | Edge Transport |
| Microsoft Exchange Anti-Spam Update | Maintains the antispam data for Forefront Security on an Exchange server. | |
| Microsoft Exchange EdgeSync | Provides EdgeSync services between Hub and Edge servers. | Hub Transport, Edge Transport |
| Microsoft Exchange File Distribution | Distributes Exchange data to other Exchange servers. | |
| Microsoft Exchange IMAP4 | Provides IMAP4 services to clients. | Client Access |
| Microsoft Exchange Information Store | Manages the Microsoft Exchange Information Store. This includes mailbox stores and public folder stores. | Mailbox |
| Microsoft Exchange Mail Submission | Submits messages from the Mailbox server to the Hub Transport servers. | Mailbox |
| Microsoft Exchange Mailbox Assistants | Manages assistants that are responsible for calendar updates and booking resources. | Mailbox |
| Microsoft Exchange Monitoring | Provides support for monitoring and diagnostics. | |
| Microsoft Exchange POP3 | Provides Post Office Protocol version 3 (POP3) services to clients. | Client Access |
| Microsoft Exchange Protected Service Host | Provides secure host for Exchange Server services. | |
| Microsoft Exchange Replication | Provides replication functions for continuous replication. | Mailbox |
| Microsoft Exchange Replication Service | Provides replication functionality used for continuous replication. | Mailbox |
| Microsoft Exchange RPC Client Access | Manages client RPC connections for Exchange Server. | Client Access |
| Microsoft Exchange Search Indexer | Controls indexing of mailboxes to improve search performance. | Mailbox |
| Microsoft Exchange Service Host | Provides a host for essential Exchange services. | |
| Microsoft Exchange Speech Engine | Provides speech processing services for Microsoft Exchange. If this service is stopped, speech recognition services will not be available to Unified Messaging clients. | Unified Messaging |
| Microsoft Exchange System Attendant | Provides monitoring, maintenance, and Active Directory lookup services. | Mailbox, Client Access |
| Microsoft Exchange Throttling | Provides throttling functions to limit the rate of user operations. | Client Access |
| Microsoft Exchange Transport | Provides mail transport for Exchange Server. | Hub Transport, Edge Transport |
| Microsoft Exchange Transport Log Search | Provides search capability for Exchange transport log files. | Hub Transport, Edge Transport |
| Microsoft Exchange Unified Messaging | Enables voice and fax messages to be stored in Exchange and gives users telephone access to e-mail, voice mail, calendar, contacts, or an automated attendant. | Unified Messaging |
| Microsoft Forefront Server Security ADO/EWS Navigator | Navigates the objects in Active Directory for Forefront Security by connecting with Exchange Web Services (EWS) or Exchange ActiveX Directory Objects (ADO) to retrieve objects. | Forefront Security |
| Microsoft Forefront Server Security Controller | Controls interaction between Forefront Security and the Microsoft Exchange Information Store. Ensures that Forefront initializes properly with the information store. Controller starts and stops scan jobs and applies engine updates. | Forefront Security |
| Microsoft Forefront Server Security Eventing Service | Processes incidents and manages quarantine logging, performance logging and notifications. | Forefront Security |
| Microsoft Forefront Server Security for Exchange Registration Service | Ensures the Forefront Transport Agent is registered with Exchange Server. | Forefront Security |
| Microsoft Forefront Server Security Mail Pickup | Provides mail pickup services for Forefront. | Forefront Security |
| Microsoft Forefront Server Security Monitor | Monitors the information store, SMTP/IMS, and Forefront processes to ensure that Forefront provides continuous protection. | Forefront Security |
| Microsoft Search (Exchange) | Provides search services for mailboxes, address lists and so on. | Mailbox |
| Secure Socket Tunneling Protocol Service | Provides support for Secure Socket Tunneling Protocol (SSTP) for securely connecting to remote computers. | Client Access |
| Web Management Service | Enables remote and delegated management for the web server, sites and applications. | Client Access |
| Windows Remote Management Service | Implements the WS-Management protocol. Required for remote management using the Exchange console and PowerShell. | |
| World Wide Web Publishing Services | Provides Web connectivity and administration features for IIS. | Client Access |
Exchange Server Authentication and Security
In Exchange Server 2010, e-mail addresses, distribution groups, and other directory resources are stored in the directory database provided by Active Directory. Active Directory is a directory service running on Windows domain controllers. When there are multiple domain controllers, the controllers automatically replicate directory data with each other using a multimaster replication model. This model allows any domain controller to process directory changes and then replicate those changes to other domain controllers.

The first time you install Exchange Server 2010 in a Windows domain, the installation process updates and extends Active Directory to include objects and attributes used by Exchange Server 2010. Unlike Exchange Server 2003 and earlier releases of Exchange, this process does not include updates for the Active Directory Users And Computers Snap-In for Microsoft Management Console (MMC), and you do not use Active Directory Users And Computers to manage mailboxes, messaging features, messaging options, or e-mail addresses associated with user accounts. You perform these tasks in the Exchange Management Console only.

Exchange Server 2010 fully supports the Windows Server security model and relies on this security mechanism to control access to directory resources. This means you can control access to mailboxes and membership in distribution groups and you can perform other Exchange security administration tasks through the standard Windows Server permission set. For example, to add a user to a distribution group, you simply make the user a member of the distribution group in Active Directory Users And Computers.

Because Exchange Server uses Windows Server security, you can't create a mailbox without first creating a user account that will use the mailbox. Every Exchange mailbox must be associated with a domain account, even those used by Exchange for general messaging tasks. For example, the SMTP and System Attendant mailboxes that Exchange Server uses are associated by default with the built-in System user. In the Exchange Management Console, you can create a new user account as part of the process of creating a new mailbox.

Note: To support coexistence with Exchange 2000 Server and Exchange Server 2003, all Exchange Server 2010 servers are automatically added to a single administrative group when you install Exchange Server 2010. This administrative group is recognized in the Exchange System Manager in Exchange Server 2003 as Exchange Administrative Group. Although Exchange 2000 Server and Exchange Server 2003 use administrative groups to gather Exchange objects for the purposes of delegating permission to manage those objects, Exchange Server 2007 and Exchange Server 2010 do not use administrative groups. Instead, you manage Exchange servers according to their roles and the type of information you want to manage using the Exchange Management Console. You'll learn more about this in Chapter 5, "Microsoft Exchange Server 2010 Administration Essentials."

Exchange Server Security Groups
Like Exchange Server 2007, Exchange Server 2010 uses predefined universal security groups to separate administration of Exchange permissions from administration of other permissions. When you add an administrator to one of these security groups, the administrator inherits the permissions permitted by that role.

The predefined security groups have permissions to manage the following types of Exchange data in Active Directory:
• Organization Configuration node: This type of data is not associated with a specific server and is used to manage databases, policies, address lists, and other types of organizational configuration details.
• Server Configuration node: This type of data is associated with a specific server and is used to manage the server's messaging configuration.
• Recipient Configuration node: This type of data is associated with mailboxes, mail-enabled contacts, and distribution groups.

Note: In Exchange Server 2010, databases have been moved from the Server Configuration node to the Organization Configuration node. This change was necessary because the Exchange schema was flattened and storage groups were removed. As a result of these changes, all storage group functionality has been moved to the database level.

The predefined groups are as follows:
• Exchange All Hosted Organizations: Members of this group include hosted organization mailboxes groups. This group is used to apply Password Setting objects to all hosted mailboxes.
• Exchange Organization Administrators: Members of this group have full access to all Exchange properties and objects in the Exchange organization.
• Exchange Public Folder Administrators: Members of this group can manage public folders and perform most public folder management operations.
• Exchange Recipient Administrators: Members of this group have permissions to modify Exchange user attributes in Active Directory and perform most mailbox operations.
• Exchange Self-Service Users: Members of this group include all mailboxes in the Exchange organization. This group is used to apply RBAC self-service permissions to mailboxes.
• Exchange Servers: Members of this group are Exchange servers in the organization. This group allows Exchange servers to work together.
• Exchange Trusted Subsystem: Members of this group are Exchange servers that run Exchange cmdlets using WinRM. Members of this group have permission to read and modify all Exchange configuration settings as well as user accounts and groups.
• Exchange Windows Permissions: Members of this group are Exchange servers that run Exchange cmdlets using WinRM. Members of this group have permission to read and modify user accounts and groups.
• Exchange View-Only Administrators: Members of this group have read-only access to the entire Exchange organization tree in the Active Directory configuration container and read-only access to all the Windows domain containers that have Exchange recipients.
• ExchangeLegacyInterop: Members of this group are granted send-to and receive-from permissions, which are necessary for routing group connections between Exchange Server 2010 and Exchange 2000 Server or Exchange Server 2003. Exchange 2000 Server and Exchange Server 2003 bridgehead servers must be made members of this group to allow proper mail flow in the organization. For more information on interoperability, see Chapter 2.
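
Because membership in these groups is what grants the access described above, it is worth reviewing who the effective members are. The following is an added example, not code from the book: it assumes the ActiveDirectory PowerShell module is installed and that the groups exist in the current domain under the names listed in this section, and Get-ExchangeGroupMember is a hypothetical helper name.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module is
# installed and that the groups exist under the names listed in this section.
Import-Module ActiveDirectory

# Groups whose members, per the descriptions above, should be Exchange servers.
$serverGroups = 'Exchange Servers', 'Exchange Trusted Subsystem',
                'Exchange Windows Permissions'

# Groups that delegate administrative access to people.
$adminGroups = 'Exchange Organization Administrators',
               'Exchange Recipient Administrators',
               'Exchange Public Folder Administrators',
               'Exchange View-Only Administrators'

# Hypothetical helper: returns one row per effective (nested) member of each group.
function Get-ExchangeGroupMember {
    param(
        [string[]]$GroupName,
        [switch]$ExpectComputersOnly
    )
    foreach ($name in $GroupName) {
        $groups = @(Get-ADGroup -Filter "Name -eq '$name'")
        if ($groups.Count -eq 0) {
            Write-Warning "Group '$name' was not found in the current domain."
            continue
        }
        foreach ($group in $groups) {
            # -Recursive expands nested groups and returns only the leaf
            # user and computer accounts.
            foreach ($member in (Get-ADGroupMember -Identity $group -Recursive)) {
                $unexpected = $ExpectComputersOnly -and
                              ($member.objectClass -ne 'computer')
                New-Object PSObject -Property @{
                    Group       = $name
                    Member      = $member.SamAccountName
                    ObjectClass = $member.objectClass
                    Unexpected  = [bool]$unexpected
                }
            }
        }
    }
}

$report  = @(Get-ExchangeGroupMember -GroupName $serverGroups -ExpectComputersOnly)
$report += @(Get-ExchangeGroupMember -GroupName $adminGroups)

# Full listing for the periodic access review.
$report | Sort-Object Group, Member |
    Format-Table Group, Member, ObjectClass, Unexpected -AutoSize

# A user account in a server-only group holds the directory rights that the
# group grants to Exchange servers, so call those out explicitly.
$report | Where-Object { $_.Unexpected } | ForEach-Object {
    Write-Warning ("{0} ({1}) is a member of '{2}'" -f
        $_.Member, $_.ObjectClass, $_.Group)
}
```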

Exchange Server and Active Directory


Like Exchange Server 2007, Exchange Server 2010 is tightly integrated with Active Directory. Not only does Exchange Server 2010 store information in Active Directory, but it also uses the Active Directory routing topology to determine how to route messages within the organization. Routing to and from the organization is handled using transport servers.

Understanding How Exchange Stores Information
Exchange stores four types of data in Active Directory: schema data (stored in the Schema partition), configuration data (stored in the Configuration partition), domain data (stored in the Domain partition), and application data (stored in application-specific partitions). In Active Directory, schema rules determine what types of objects are available and what attributes those objects have. When you install the first Exchange server in the forest, the Active Directory preparation process adds many Exchange-specific object classes and attributes to the schema partition in Active Directory. This allows Exchange-specific objects, such as agents and connectors, to be created. It also allows you to extend existing objects, such as users and groups, with new attributes, such as those attributes that allow user objects to be used for sending and receiving e-mail. Every domain controller and global catalog server in the organization has a complete copy of the Schema partition.

During the installation of the first Exchange server in the forest, Exchange configuration information is generated and stored in Active Directory. Exchange configuration information, like other configuration information, is also stored in the Configuration partition. For Active Directory, the configuration information describes the structure of the directory, and the Configuration container includes all of the domains, trees, and forests, as well as the locations of domain controllers and global catalogs. For Exchange, the configuration information is used to describe the structure of the Exchange organization. The Configuration container includes lists of templates, policies, and other global organization-level details. Every domain controller and global catalog server in the organization has a complete copy of the Configuration partition.

In Active Directory, the Domain partition stores domain-specific objects, such as users and groups, and the stored values of attributes associated with those objects. As you create, modify, or delete objects, Exchange stores the details about those objects in the Domain partition. During the installation of the first Exchange server in the forest, Exchange objects are created in the current domain. Whenever you create new recipients or modify Exchange details, the related changes are reflected in the Domain partition as well. Every domain controller has a complete copy of the Domain partition for the domain for which it is authoritative. Every global catalog server in the forest maintains information about a subset of every Domain partition in the forest.

Understanding How Exchange Routes Messages
Within the organization, Hub Transport servers use the information about sites stored in Active Directory to determine how to route messages, and can also route messages across site links. The Hub Transport server does this by querying Active Directory about its site membership and the site membership of other servers, and then uses the information it discovers to route messages appropriately. Because of this, when you are deploying an Exchange Server 2010 organization, no additional configuration is required to establish routing in the Active Directory forest.

For mail delivery within the organization, additional routing configuration is only necessary in these specific scenarios:
• If you deploy Exchange Server 2010 in an existing Exchange 2000 Server or Exchange Server 2003 organization, you must configure a two-way routing group connector from the Exchange routing group to each Exchange Server 2003 routing group that communicates with Exchange Server 2010. You must also suppress link state updates for the same.
• If you deploy an Exchange Server 2010 organization with multiple forests, you must install Exchange Server 2010 in each forest and then connect the forests using appropriate cross-forest trusts. The trust allows users to see address and availability data across the forests.
• In an Exchange Server 2010 organization, if you want direct mail flow between Exchange servers in different forests, you must configure SMTP send connectors and SMTP receive connectors on the Hub Transport servers that should communicate directly with each other.

The organization's Mail Transport servers handle mail delivery outside the organization and receipt of mail from outside servers. You can use two types of Mail Transport servers: Hub Transport servers and Edge Transport servers. You deploy Hub Transport servers within the organization. You can optionally deploy Edge Transport servers in the organization's perimeter network for added security.

With Hub Transport servers, no other special configuration is needed for message routing to external destinations. You must configure only the standard mail setup, which includes identifying DNS servers to use for lookups. With Edge Transport servers, you can optimize mail routing and delivery by configuring one-way synchronization from the internal Hub Transport servers to the perimeter network's Edge Transport servers. Beyond this, no other special configuration is required for mail routing and delivery.

Using the Graphical Administration Tools


Exchange Server 2010 provides several types of tools for administration. The graphical tools are the ones you'll use most frequently. Exchange Server and Forefront Security for Exchange have separate management consoles. If you follow the instructions for installing Exchange Server in Chapter 2, you'll be able to access the Exchange tools by selecting Start, choosing All Programs, and then using the Microsoft Exchange Server 2010 menu. To access the Forefront Security tools, select Start, choose All Programs, and then use the Microsoft Forefront Server Security menu.

Exchange Server 2010 has several graphical tools that replace or combine features of the graphical tools in Exchange Server 2003 and earlier editions. The Exchange Management Console, shown in Figure 1-1, replaces Exchange System Manager. As discussed further in Chapter 15, "Microsoft Exchange Server 2010 Maintenance, Monitoring, and Queuing," and Chapter 16, "Backing Up and Restoring Microsoft Exchange Server 2010," the Toolbox node in the Exchange Management Console provides access to a suite of related tools, including:
• Best Practices Analyzer: Checks the configuration and health of your Exchange organization to ensure that it complies with current best practices recommended by Microsoft. Because best practices are periodically updated, the tool includes an update facility to ensure that the most current best practices are in place.
• Database Recovery Management: Assists administrators in restoring server availability. Also provides step-by-step recovery procedures.
• Database Troubleshooter: Helps troubleshoot problems related to mounting data stores as well as other problems related to Exchange databases and transaction logs that prevent recovery.
• Details Templates Editor: Helps administrators customize client-side GUI presentation of object properties accessed through address lists. You can use this tool to customize the presentation of contacts, users, groups, public folders, and more in the client interface.
• Mail Flow Troubleshooter: Helps troubleshoot problems related to mail flow and transport configuration by providing suggested resolutions for symptoms observed by administrators.
• Message Tracking: Allows administrators to track messages as they are routed through the Exchange organization.
• Public Folder Management Console: Allows administrators to manage public folders using a graphical interface rather than the command line.
• Queue Viewer: Allows administrators to track message queues and mail flow. Also allows administrators to manage message queuing and remove messages.
• Performance Monitor: Allows administrators to graph system performance. Also allows administrators to create performance logs and alerts. Wide arrays of Exchange performance objects are available for tracking performance.
• Performance Troubleshooter: Helps troubleshoot problems related to performance by identifying possible bottlenecks and providing suggested solutions.
• Routing Log Viewer: Helps administrators troubleshoot routing problems on transport servers by providing information about routing topology.

Figure 1-1 The Exchange Management Console.

Other administration tools that you might want to use with Exchange Server are summarized in Table 1-2.

Table 1-2 Quick Reference Administration Tools to Use with Exchange Server 2010
ADMINISTRATIVE TOOL | PURPOSE
Computer Management | Start and stop services, manage disks, and access other system management tools.
Configure Your Server | Add, remove, and configure Windows services for the network. Windows Server 2003 only.
DNS | Manage the DNS service.
Event Viewer | Manage events and logs.
IIS Manager | Manage Web servers used by Exchange as well as the management service configuration.
Microsoft Network Monitor | Monitor network traffic and troubleshoot networking problems.
Server Manager | Add, remove, and configure roles, role services, and features. Windows Server 2008 only.

You access most of the tools listed in Table 1-2 from the Administrative Tools program group. Click Start, point to Programs or All Programs, and then point to Administrative Tools.

Using the Command-Line Administration Tools
The graphical tools provide just about everything you need to work with Exchange Server. Still, there are many times when you might want to work from the command line, especially if you want to automate installation, administration, or maintenance with scripts. To help with all your command-line needs, Exchange Server includes the Exchange Management Shell.

The Exchange Management Shell is an extension shell for Windows PowerShell that includes a wide array of built-in commands for working with Exchange Server. PowerShell commands are referred to as cmdlets (pronounced commandlets) to differentiate these commands from less powerful commands built into the command prompt and from more full-featured utility programs that can be invoked at the command prompt.

Note: For ease of reading and reference, I'll usually refer to command prompt commands, command shell cmdlets, and command-line invoked utilities simply as commands.

The Exchange Management Shell, shown in Figure 1-2, is accessible by selecting Start, choosing Programs or All Programs, choosing Microsoft Exchange Server 2010, and then choosing Exchange Management Shell or Exchange Management Shell (Local PowerShell). You'll use the local PowerShell option when you are logged on to the Exchange server. You'll use the standard option when you are logged on to your management computer and want to remotely manage Exchange servers.

Figure 1-2 The Exchange Management Shell.

The basics of working with the Exchange Management Shell are fairly straightforward:
• Type get-command to get a full list of all available cmdlets on the server.
• Type get-excommand to get a full list of all Exchange-specific cmdlets available.
• Type help cmdletName to get help information, where cmdletName is the name of the command you are looking up.

You'll find a comprehensive discussion of the Exchange Management Shell and Windows PowerShell in Chapter 4, "Using Exchange Management Shell," as well as examples of using cmdlets for Exchange Server management throughout the book.

Like Exchange Server, Forefront Security for Exchange has a management console and a management shell. You use the Forefront Server Security Administration console to manage Forefront Security using a graphical interface. You'll use the Forefront Management Shell to manage Forefront Security from the command line. This shell is accessible by selecting Start, choosing Programs or All Programs, choosing Microsoft Forefront Server Security, and then choosing Forefront Management Shell.

Forefront Management Shell loads extensions that allow you to manage the configuration of Forefront Security for Exchange. The basics of working with the Forefront Management Shell are fairly straightforward:
• Type get-command to get a full list of all available cmdlets on the server.
• Type get-command *fse* to get a full list of all Forefront-specific cmdlets available.
• Type help cmdletName to get help information, where cmdletName is the name of the command you are looking up.

As Forefront Management Shell does not load the Exchange Server cmdlets, you cannot access the Exchange-specific cmdlets from this shell by default. As the Exchange Management Shell does not load the Forefront-specific cmdlets either, you cannot access the Forefront-specific cmdlets from the Exchange Management Shell by default.

CHAPTER 6
Mailbox Administration
The difference between a good Microsoft Exchange administrator and a great one is the attention he or she pays to mailbox administration. Mailboxes are private storage places for sending and receiving mail, and they are created as part of private mailbox databases in Exchange. Mailboxes have many properties that control mail delivery, permissions, and storage limits. You can configure most mailbox settings on a per-mailbox basis. However, you cannot change some settings without moving mailboxes to a different mailbox database or changing the settings of the mailbox database itself. For example, you set the storage location on the file system, the default public folder database for the mailbox, and the default offline address book on a per-mailbox-database basis. Keep this in mind when performing capacity planning and when deciding which mailbox database to use for a particular mailbox.

Creating Special-Purpose Mailboxes
Exchange Server 2010 makes it easy to create several special-purpose mailbox types, including:
• Room mailbox: A room mailbox is a mailbox for room scheduling.
• Equipment mailbox: An equipment mailbox is a mailbox for equipment scheduling.
• Linked mailbox: A linked mailbox is a mailbox for a user from a separate, trusted forest.
• Forwarding mailbox: A forwarding mailbox is a mailbox that can receive mail and forward it off-site.
• Archive mailbox: An archive mailbox is used to store a user's old messages, such as may be required for executives and needed by some managers.

The sections that follow discuss techniques for working with these special-purpose mailboxes.

Using Room and Equipment Mailboxes
You use room and equipment mailboxes for scheduling purposes only. You'll find that:
• Room mailboxes are useful when you have conference rooms, training rooms, and other rooms for which you need to coordinate the use.
• Equipment mailboxes are useful when you have projectors, media carts, or other items of equipment for which you need to coordinate the use.

Every room and equipment mailbox must have a separate user account associated with it. Although these accounts are required so that the mailboxes can be used for scheduling, the accounts are disabled by default so that they cannot be used for logon. To ensure that the resource accounts do not get enabled accidentally, you'll need to coordinate closely with other administrators in your organization.

Note: The Exchange Management Console doesn't show the enabled or disabled status of user accounts. The only way to check the status is to use domain administration tools.
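
Since the console does not show account status, a scripted cross-check between Exchange and Active Directory catches resource accounts that have been enabled for logon. The following is an added example, not code from the book: it assumes it is run in the Exchange Management Shell with the ActiveDirectory module available and that the resource accounts are in the current domain, and Get-ResourceAccountStatus is a hypothetical helper name.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell with
# the ActiveDirectory module available; assumes the resource accounts are in
# the current domain.
Import-Module ActiveDirectory

# Hypothetical helper: pairs each room or equipment mailbox with the logon
# state of the user account behind it.
function Get-ResourceAccountStatus {
    Get-Mailbox -RecipientTypeDetails RoomMailbox, EquipmentMailbox `
                -ResultSize Unlimited |
        ForEach-Object {
            $mbx  = $_
            $user = Get-ADUser -Identity $mbx.SamAccountName `
                               -Properties lastLogonTimestamp

            # lastLogonTimestamp is stored as a Windows file time and is
            # empty for accounts that have never logged on.
            $lastLogon = if ($user.lastLogonTimestamp) {
                [DateTime]::FromFileTime($user.lastLogonTimestamp)
            } else {
                $null
            }

            New-Object PSObject -Property @{
                Mailbox   = $mbx.DisplayName
                Type      = $mbx.RecipientTypeDetails
                Account   = $user.SamAccountName
                Enabled   = $user.Enabled
                LastLogon = $lastLogon
            }
        }
}

$status = @(Get-ResourceAccountStatus)

# Overview of every resource mailbox and its account state.
$status | Sort-Object Type, Mailbox |
    Format-Table Mailbox, Type, Account, Enabled, LastLogon -AutoSize

# Resource accounts are expected to be disabled; an enabled one can be used
# for logon and should be reviewed with the other administrators.
$enabled = @($status | Where-Object { $_.Enabled })
foreach ($entry in $enabled) {
    Write-Warning ("Resource account '{0}' ({1}) is enabled for logon." -f
        $entry.Account, $entry.Mailbox)

    # Preview the remediation; remove -WhatIf once the finding is confirmed.
    Disable-ADAccount -Identity $entry.Account -WhatIf
}
```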

Because the number of scheduled rooms and equipment grows as your organization grows, you'll want to carefully consider the naming conventions you use with rooms and equipment:
• With rooms, you'll typically want to use display names that clearly identify the rooms' physical locations. For example, you might have rooms named "Conference Room 28 on Fifth Floor" or "Building 83 Room 15."
• With equipment, you'll typically want to identify the type of equipment, the equipment's characteristics, and the equipment's relative location. For example, you might have equipment named "NEC HD Projector at Seattle Office" or "5th Floor Media Cart."

As with standard user mailboxes, room and equipment mailboxes have contact information associated with them. To make it easier to find rooms and equipment, you should provide as much information as possible. Specifically, you can make rooms easier for users to work with by using these techniques:
• If a room has a conference or call-in phone, enter this phone number as the business phone number on the Address And Phone tab of the Mailbox Properties dialog box.
• Specify the location details in the Office text box on the Organization tab of the Mailbox Properties dialog box.
• Specify the room capacity in the Resource Capacity text box on the Resource Information tab of the Mailbox Properties dialog box.

The business phone, location, and capacity are displayed in Microsoft Office Outlook.

After you've set up mailboxes for your rooms and equipment, scheduling the rooms and equipment is fairly straightforward. In Exchange, room and equipment availability is tracked using free/busy data. In Outlook, a user who wants to reserve rooms, equipment, or both simply makes a meeting request that includes the rooms and equipment that are required for the meeting.

The steps to schedule a meeting and reserve equipment are as follows:
1. In Outlook 2007, click New, and then select Meeting Request. Or press Ctrl+Shift+Q.
2. In the To text box, invite the individuals who should attend the meeting by typing their display names, Exchange aliases, or e-mail addresses, as appropriate (see Figure 6-1).

Figure 6-1 You can schedule a meeting that includes a reserved room and equipment.

3. Type the display name, Exchange alias, or e-mail address for any equipment you need to reserve.
4. Click the Rooms button to the right of the Location text box. The Select Rooms dialog box appears, as shown in Figure 6-2. By default, the Select Rooms dialog box uses the All Rooms address book. Rooms are added to this address book automatically when you create them.
5. Double-click the room you want to use. This adds the room to the Rooms list. Click OK to close the Select Rooms dialog box.
6. In the Subject text box, type the meeting subject.
7. Use the Start Time and End Time options to schedule the start and end times for the meeting.
8. Click Scheduling Assistant to view the free/busy data for the invited users and the selected resources.
9. After you type a message to accompany the meeting request, click Send.

Figure 6-2 Select a room to use for the meeting.

Creating Room and Equipment Mailboxes
In the Exchange Management Console, you can create room and equipment mailboxes by completing the following steps:
1. In Exchange Management Console, expand the Recipient Configuration node and then select the related Mailbox node.
   Note: If you want to create the user account for the room or equipment mailbox in a domain other than the current one, you'll first need to set the scope for the Mailbox node, as discussed in the "Finding Existing Mailboxes, Contacts, and Groups" section of Chapter 5, "User and Contact Administration."
2. Right-click the Mailbox node, and then select New Mailbox. This starts the New Mailbox Wizard.
3. On the Introduction page, select either Room Mailbox or Equipment Mailbox, as appropriate, and then click Next.
4. On the User Type page, verify that New User is selected, and then click Next. Each room or equipment must have a separate user account. This is necessary to track the unique free/busy data for the room or equipment.
5. On the Mailbox Information page, the Organizational Unit text box shows where in Active Directory the user account will be created. By default, this is the Users container in the current domain. As you'll usually need to create room and equipment accounts in a specific organizational unit rather than the Users container, click Browse. Use the Select Organizational Unit dialog box to choose the location in which to store the account, and then click OK.
6. Type a descriptive display name in the Name text box.
7. In the User Logon Name text box, type the logon name. Use the drop-down list to select the domain with which the account is to be associated. This sets the fully qualified logon name.
8. The first 20 characters of the logon name are used to set the pre-Microsoft Windows 2000 logon name, which must be unique in the domain. If necessary, change the pre-Windows 2000 logon name.
9. Type and then confirm the password for the account. Even though the account is disabled by default, this password must follow the conventions of your organization's password policy.
10. Click Next. On the Mailbox Settings page, the Exchange alias is set to the logon name by default. You can change this value by entering a new alias. The Exchange alias is used to set the user's e-mail address.
11. Click the Browse button to the right of the Mailbox Database text box. In the Select Mailbox Database dialog box, choose the mailbox database in which the mailbox should be stored. Mailbox databases are listed by name as well as by associated server.
12. Click Next, and then click New to create the account and the related mailbox. If an error occurs during account or mailbox creation, neither the account nor the related mailbox will be created. You will need to correct the problem and repeat this procedure.
13. Click Finish. For all mailbox-enabled accounts, a Simple Mail Transfer Protocol (SMTP) e-mail address is configured automatically.

In the Exchange Management Shell, you can create a user account with a mailbox for rooms and equipment using the New-Mailbox cmdlet. Sample 6-1 provides the syntax and usage. Although the account is disabled by default, you must enter a secure password for the account when prompted.

Note: For rooms, you must use the -Room parameter. For equipment, you must use the -Equipment parameter. By default, when you use either parameter, the related value is set as $true.

Sample 6-1 Creating Room and Equipment Mailboxes
Syntax
New-Mailbox -Name 'DisplayName' -Alias 'ExchangeAlias'
  -OrganizationalUnit 'OrganizationalUnit'
  -UserPrincipalName 'LogonName' -SamAccountName 'prewin2000logon'
  -FirstName '' -Initials '' -LastName ''
  -Database 'Server\MailboxDatabase'
  [-Room <$false|$true> | -Equipment <$false|$true> ]
Usage
New-Mailbox -Name 'Conference Room 27' -Alias 'room27' `
  -OrganizationalUnit 'cpandl.com/Sales' `
  -UserPrincipalName 'room27@cpandl.com' -SamAccountName 'room27' `
  -FirstName '' -Initials '' -LastName '' `
  -Database 'Sales Primary' `
  -Room

Creating Linked Mailboxes
A linked mailbox is a mailbox that is accessed by a user in a separate, trusted forest. Typically, you'll use linked mailboxes when your organization's mailbox servers are in a separate resource forest and you want to ensure that users can access free/busy data across these forests.

All linked mailboxes have two user account associations:
• A unique user account in the same forest as the Mailbox server. The same forest user account is disabled automatically so that it cannot be used for logon.
• A unique user account in a separate forest for which you are creating a link. The separate forest user account is enabled so that it can be used for logon.

In the Exchange Management Console, you can create a linked mailbox by completing the following steps:
1. In Exchange Management Console, expand the Recipient Configuration node and then select the related Mailbox node.
2. Right-click the Mailbox node, and then select New Mailbox. This starts the New Mailbox Wizard.
3. On the Introduction page, select Linked Mailbox, and then click Next.
4. On the User Type page, verify that New User is selected, and then click Next.
5. On the Mailbox Information page, the Organizational Unit text box shows where in Active Directory the user account will be created. By default, this is the Users container in the current domain. Click Browse to create the new user account in a different container. Use the Select Organizational Unit dialog box to choose the location in which to store the account, and then click OK.
6. Type the user's first name, middle initial, and last name in the text boxes provided. These values are used to create the Name entry, which is the user's display name.
7. In the User Logon Name text box, type the user's logon name. Use the drop-down list to select the domain with which the account is to be associated. This sets the fully qualified logon name.
8. The first 20 characters of the logon name are used to set the pre-Windows 2000 logon name, which must be unique in the domain. If necessary, change the pre-Windows 2000 logon name.
9. Type and then confirm the password for the account. Although the account will not be used for logon, this password must follow the conventions of your organization's password policy.
10. Click Next. The Exchange alias is set to the logon name by default. Make sure the alias matches the one used in the resource forest.
11. Click the Browse button to the right of the Mailbox Database text box. In the Select Mailbox Database dialog box, choose the mailbox database in which the mailbox should be stored. Mailbox databases are listed by name as well as by associated server.
12. Click Next. On the Master Account page, click Browse to the right of the Linked Forest text box. In the Select Trusted Forest Or Domain dialog box, select the linked forest or domain in which the user's original account is located, and then click OK.
13. If you need additional administrative permissions to access the linked forest, select the Use The Following Windows Account check box. Then type the user name and password for an administrator account in this forest.
14. Click the Browse button to the right of the Linked Domain Controller text box. In the Select Domain Controller dialog box, select a domain controller in the linked forest, and then click OK.
15. Click the Browse button to the right of the Linked Master Account text box. Use the options in the Select User dialog box to select the original user account in the linked forest, and then click OK.
16. Click Next, and then click New to create the account and the related mailbox. If an error occurs during account or mailbox creation, neither the account nor the related mailbox will be created. You will need to correct the problem and repeat this procedure.
17. Click Finish. For all mailbox-enabled accounts, an SMTP e-mail address is configured automatically.

In the Exchange Management Shell, you can create a user account with a linked mailbox using the New-Mailbox cmdlet. Sample 6-2 provides the syntax and usage. You'll be prompted for two sets of credentials: one for the new user account and one for an administrator account in the linked forest.

Sample 6-2 Creating linked mailboxes
Syntax
New-Mailbox -Name 'DisplayName' -Alias 'ExchangeAlias'
  -OrganizationalUnit 'OrganizationalUnit'
  -Database 'Database'
  -UserPrincipalName 'LogonName' -SamAccountName 'prewin2000logon'
  -FirstName 'FirstName' -Initials 'Initial' -LastName 'LastName'
  -ResetPasswordOnNextLogon State
  -LinkedDomainController 'LinkedDC'
  -LinkedMasterAccount 'domain\user'
  -LinkedCredentials 'domain\administrator'
Usage
New-Mailbox -Name 'Wendy Richardson' -Alias 'wendyr' `
  -OrganizationalUnit 'cpandl.com/Sales' `
  -Database 'Corporate Services Primary' `
  -UserPrincipalName 'wendyr@cpandl.com' -SamAccountName 'wendyr' `
  -FirstName 'Wendy' -Initials '' -LastName 'Richardson' `
  -ResetPasswordOnNextLogon $true `
  -LinkedDomainController 'CohoDC58' `
  -LinkedMasterAccount 'coho\wrichardson' `
  -LinkedCredentials 'coho\williams'

Creating Forwarding Mailboxes
Customrecipients,suchasmail-enabledusersandcontacts,dontnormallyreceive
mailfromusersoutsidetheorganizationbecauseacustomrecipientdoesnthavean
e-mailaddressthatresolvestoaspecificmailboxinyourorganization.Attimes,
though,youmightwantexternalusers,applications,ormailsystemstobeableto
sendmailtoanaddresswithinyourorganizationandthenhaveExchangeforward
thismailtoanexternalmailbox.
Tip Inmyorganization,Ivecreatedforwardingmailboxesfortext-messagingand
pageralerts.Thissimplesolutionletsmanagers(andmonitoringsystems)withinthe
organizationquicklyandeasilysendtextmessagestoITpersonnel.Here,Ivesetup
mail-enabledcontactsforeachtextmessaginge-mailaddress,suchas
8085551212@adatum.com,andthencreatedamailboxthatforwardse-mailtothe
customrecipient.Generally,thedisplaynameofthemail-enabledcontactisinthe
formAlertUserName,suchasAlertWilliamStanek.Thedisplaynameande-mail
addressforthemailboxareintheformZLastNameandAE-MailAddress@myorg.com,
suchasZStanekandAWilliamS@adatum.com,respectively.Afterward,Ihidethe
mailboxsothatitisntdisplayedintheglobaladdresslistorinotheraddresslists,so
userscanseeonlytheAlertWilliamStanekmailbox.
To create a user account to receive mail and forward it off-site, follow these steps:
1. Using Exchange Management Console, create a mail-enabled contact for the
user. Name the contact Alert User Name, such as Alert William Stanek. Be sure
to establish an external e-mail address for the contact that refers to the user's
Internet address.
2. Using Exchange Management Console, create a mailbox-enabled user account
in the domain. Name the account with the appropriate display name, such as
Z William Stanek. Be sure to create an Exchange mailbox for the account, but
don't grant any special permission to the account. You might want to restrict
the account so that the user can't log on to any servers in the domain.
3. Using Exchange Management Console, access the Properties dialog box for
the user's mailbox.
4. On the Mail Flow Settings tab, select Delivery Options, and then click
Properties.
5. In the Delivery Options dialog box, select the Forward To check box, and then
click Browse.
6. In the Select Recipient dialog box, select the mail-enabled contact you created
earlier, and then click OK three times. You can now use the user account to
forward mail to the external mailbox.
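The same setup can be scripted in Exchange Management Shell, and because a forwarding mailbox sends mail outside the organization, it helps to be able to list every mailbox that forwards and where its mail goes. The following is an added example, not part of the original text: the function names, organizational unit, and account values are constructed from the examples in this section, and the cmdlets are assumed to be the standard recipient cmdlets (New-MailContact, New-Mailbox, Set-Mailbox, Get-Mailbox, Get-Recipient).

```powershell
# Added example for Exchange Management Shell. All values are constructed
# from the examples in this section; adjust them for your organization.
$contactName  = 'Alert William Stanek'
$externalSmtp = '8085551212@adatum.com'        # the user's external address
$mailboxName  = 'Z William Stanek'
$mailboxAlias = 'AWilliamS'
$ou           = 'adatum.com/Alerts'             # hypothetical organizational unit
$database     = 'Corporate Services Primary'

function New-ForwardingMailbox {
    # Step 1: mail-enabled contact that carries the external address.
    New-MailContact -Name $contactName -ExternalEmailAddress $externalSmtp `
        -OrganizationalUnit $ou | Out-Null

    # Step 2: ordinary mailbox-enabled user; no extra permissions are granted.
    $password = Read-Host "Password for $mailboxName" -AsSecureString
    New-Mailbox -Name $mailboxName -Alias $mailboxAlias `
        -UserPrincipalName "${mailboxAlias}@adatum.com" `
        -OrganizationalUnit $ou -Database $database -Password $password | Out-Null

    # Steps 3-6: the Forward To setting, plus hiding the mailbox as in the Tip.
    Set-Mailbox -Identity $mailboxAlias -ForwardingAddress $contactName `
        -HiddenFromAddressListsEnabled $true
}

function Get-ForwardingReport {
    # One row per mailbox that has a forwarding address, with the resolved target.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingAddress } |
        ForEach-Object {
            $mbx    = $_
            $target = Get-Recipient -Identity $mbx.ForwardingAddress.ToString()
            New-Object PSObject -Property @{
                Mailbox         = $mbx.DisplayName
                HiddenFromGAL   = $mbx.HiddenFromAddressListsEnabled
                KeepsLocalCopy  = $mbx.DeliverToMailboxAndForward
                ForwardsTo      = $target.DisplayName
                TargetType      = $target.RecipientType
                ExternalAddress = $target.ExternalEmailAddress
            }
        } |
        Select-Object Mailbox, HiddenFromGAL, KeepsLocalCopy, ForwardsTo,
                      TargetType, ExternalAddress
}

# Review only the mailboxes that forward to a mail-enabled contact:
# Get-ForwardingReport | Where-Object { $_.TargetType -eq 'MailContact' } |
#     Format-Table -AutoSize
```

Rows where KeepsLocalCopy is False and HiddenFromGAL is True match the pattern described in this section; any other mailbox forwarding to an external address is worth confirming with its owner.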

Creating Archive Mailboxes


Each user can have an alternate mailbox for archives. An archive mailbox is used to
store a user's old messages, such as may be required for executives and needed by
some managers. In Outlook, Outlook Web Access and other clients, users can access
archive mailboxes in much the same way as they access their regular mailbox.
In Exchange Management Shell, the commands you can use to create and work
with archive mailboxes include:
Get-AlternateMailbox  Gets the properties associated with an alternate
mailbox.
Get-AlternateMailbox [-Identity Identity]
[-DomainController FullyQualifiedName]
New-AlternateMailbox  Creates an alternate mailbox for an existing mailbox
user. The mailbox can be for an archive of old messages or subscriptions.
New-AlternateMailbox -Name NewMailboxName -Mailbox CurrentMailboxId
-Type <"Archive" | "Subscription"> [-DomainController FullyQualifiedName]
[-RetentionPolicyEnabled <$true | $false>] [-UserDisplayName DisplayName]
Remove-AlternateMailbox  Removes a specified alternate mailbox.
Remove-AlternateMailbox -Identity Identity
[-DomainController FullyQualifiedName]
Set-AlternateMailbox  Modifies the properties of an alternate mailbox.
Set-AlternateMailbox -Identity Identity [-DomainController FullyQualifiedName]
[-Name MailboxName] [-RetentionPolicyEnabled <$true | $false>]
[-UserDisplayName DisplayName]
You create archive mailboxes using New-AlternateMailbox. This command has
three required parameters:
-Name  Sets the name of the alternate mailbox.
-Mailbox  Specifies the mailbox to associate the archive with.
-Type  Sets the type of the alternate mailbox.
In the following example, you create an archive mailbox for Daniel Escapa whose
mailbox alias is daniele:
new-alternatemailbox -name "Dan's Archive" -mailbox "daniele" -type "archive"
As each user can have only one archive mailbox, you get an error if the user
already has an archive mailbox. Once you create an archive mailbox for a user, you
can get information about the archive mailbox using the Get-AlternateMailbox
command. In the following example, you get information about Daniel's archive
mailbox:
get-alternatemailbox -identity "daniele"
Managing Mailboxes: The Essentials
You often need to manage mailboxes the way you do user accounts. Some of the
management tasks are fairly intuitive and others aren't. If you have questions, be sure
to read the sections that follow.
You can work with multiple recipients at a time. To select multiple resources not in
sequence, hold down the CTRL key and then click the left mouse button on each
resource you want to select. To select a series of resources at once, hold down the
SHIFT key, select the first resource, and then click the last resource.
The actions you can perform on multiple resources depend on the types of
recipients you've selected. Generally, you'll want to work with recipients of the same
type, such as either user mailboxes or room mailboxes but not both types at the same
time. The actions you can perform on multiple mailboxes include:
Disable
Export Mailbox
Import Mailbox
Move Mailbox
New Move Request
Remove
Send Mail
Verify Move Readiness
You also can edit the properties of multiple recipients at the same time. To do this,
select the recipients you want to work with, right-click and then select Properties. Just
about any property that can be set for an individual recipient can be set for multiple
recipients.
Tip If the Properties option isn't available when you right-click, you've probably
selected one or more recipients of different types. For example, you may have
intended to select only user mailboxes but may have selected a room mailbox as well.
Viewing Current Mailbox Size, Message Count, and Last Logon
You can use the Exchange Management Console to view who last logged on to a
mailbox, last logon date and time, mailbox size, and message count by completing
these steps:
1. In Exchange Management Console, expand the Recipient Configuration node
and then select the related Mailbox node.
2. Double-click the mailbox with which you want to work.
3. On the General tab, the Last Logged On By text box shows who last logged on
to the mailbox and the last logon date and time (see Figure 6-3).
4. On the General tab, the Total Items and Size (KB) areas show the number of
messages in the mailbox and the current mailbox size in kilobytes,
respectively.
Figure 6-3 View mailbox statistics.

If you want to view similar information for all mailboxes on a server, the easiest
way is to use the Get-MailboxStatistics cmdlet. Sample 6-3 shows examples using this
cmdlet.
Sample 6-3 Getting statistics for multiple mailboxes
Syntax
Get-MailboxStatistics [-Server 'Server' | -Identity 'Identity'
| -Database 'Database']
Usage
Get-MailboxStatistics -Server 'corpsvr127'

Get-MailboxStatistics -Database 'Engineering Primary'

Get-MailboxStatistics -Identity 'cpandl\williams'
When you are working with Exchange Management Shell, the standard output
won't necessarily provide all the information you are looking for. Often, you'll need to
format the output as a table or list using Format-Table or Format-List, respectively, to
get the additional information you are looking for. Format-List comes in handy when
you are working with a small set of resources or want to view all the properties that
are available. Once you know what properties are available for a particular resource,
you can format the output as a table to view specific properties. For example, if you
format the output of Get-MailboxStatistics as a list, you see all the properties that are
available for mailboxes as shown in this example and sample output:
get-mailboxstatistics -identity "cpandl\daniele" | format-list
AssociatedItemCount : 2655
DeletedItemCount : 121
DisconnectDate :
DisplayName : Daniel Escapa
ItemCount : 2451
LastLoggedOnUserAccount : NT AUTHORITY\SYSTEM
LastLogoffTime : 6/15/2010 12:58:18 PM
LastLogonTime : 6/15/2010 12:58:14 PM
LegacyDN : /O=FIRST ORGANIZATION/OU=EXCHANGE
ADMINISTRATIVE GROUP
(FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=DANIEL ESCAPA
MailboxGuid : d3f6ce55-fe3d-4beb-ae65-9c9f7edaf995c
ObjectClass : Mailbox
StorageLimitStatus : BelowLimit
TotalDeletedItemSize : 97 KB (97,235 bytes)
TotalItemSize : 1155.11 KB (1,155,445 bytes)
Database : Customer Service Primary
ServerName : CORPSERVER45
DatabaseName : Customer Service Primary
MoveHistory :
Identity : d3f6ce44-fe0c-4beb-ae79-9c9f8eaf123c
IsValid : True
OriginatingServer : corpserver45.cpandl.com
Once you know the available properties, you can format the output as a table to
get exactly the information you want to see. In this example, you get information
about all the mailboxes in the Engineering Primary database and format the output
as a table:
Get-MailboxStatistics -Database 'Engineering Primary' |
    format-table DisplayName, TotalItemSize, TotalDeletedItemSize, Database, ServerName
Setting Alternate Mailbox Display Names for Multilanguage Environments
In some cases, the full display name for a mailbox won't be available for display. This
can happen when multiple language versions of the Exchange snap-in are installed
on the network or when multiple language packs are installed on a system. Here, the
system cannot interpret some or all of the characters in the display name and, as a
result, doesn't show the display name. To correct this problem, you can set an
alternate display name using a different character set. For example, you could use
Cyrillic or Kanji characters instead of standard ANSI characters.
You can set an alternate display name for a mailbox by following these steps:
1. Open the Properties dialog box for the mailbox-enabled user account by
double-clicking the user name in Exchange Management Console.
2. On the User Information tab, type the alternate display name in the Simple
Display Name text box, and then click OK.

Hiding Mailboxes from Address Lists


Occasionally, you might want to hide a mailbox so that it doesn't appear in the global
address list or other address lists. One reason for doing this is if you have
administrative mailboxes that you use only for special purposes. To hide a mailbox
from the address lists, follow these steps:
1. Open the Properties dialog box for the mailbox-enabled user account by
double-clicking the user name in Exchange Management Console.
2. On the General tab, select the Hide From Exchange Address Lists check box,
and then click OK.

Defining Custom Mailbox Attributes for Address Lists


Address lists, such as the global address list, make it easier for users and
administrators to find available Exchange resources, including users, contacts,
distribution groups, and public folders. The fields available for Exchange resources are
based on the type of resource. If you want to add additional values that should be
displayed or searchable in address lists, such as an employee identification number,
you can assign these values as custom attributes.
Exchange provides 15 custom attributes, labeled Custom Attribute 1, Custom
Attribute 2, and so on, through Custom Attribute 15. You can assign a value to a
custom attribute by completing the following steps:
1. Open the Properties dialog box for the mailbox-enabled user account by
double-clicking the user name in Exchange Management Console.
2. On the General tab, click Custom Attributes. The Custom Attributes dialog box
appears.
3. Enter attribute values in the text boxes provided, and click OK twice.

Moving Mailboxes
To complete an upgrade, balance the server load, manage drive space or relocate
mailboxes when users move to a different location, you can move mailboxes from
one server or database to another server or database. Exchange Server 2010 supports
both offline and online mailbox moves. Typically, you'll perform bulk mailbox moves
offline while performing online moves of select mailboxes.
The sections that follow discuss how to perform both offline and online mailbox
moves as well as how to perform related tasks.
Moving Mailboxes: The Essentials
Moving mailboxes while they are actively being used isn't a good idea, as it causes
some disruption to the affected users. For this reason, Exchange Server 2010 gives
you two options for moving mailboxes. You can:
Perform an offline, synchronous move  With an offline move, Exchange
logs into both the source database and the destination database and moves
the mailbox from one location to another. As users may not be able to
access their email account during the move, you'll want to perform offline
moves at a time when mailboxes are less likely to be in use. You can use the
move scheduling features in Exchange Server 2010 to do this when you use
the Exchange Management Console.
Perform an online, asynchronous move  With an online move, Exchange
performs the move operation as a series of steps that allow the mailbox to
remain available to a user while the move operation is being completed.
When the move is completed, the user begins accessing the mailbox in the
new location. As users can continue to access their email account during
the move, you can perform online moves at any time.
The destination database for an offline or online move can be on the same server,
on a different server, in a different domain, in a different Active Directory site, or in
another forest. However, some caveats apply. With offline moves, keep the following
in mind:
When your source and destination Mailbox servers are running Exchange
Server 2010 and are in the same forest, you can use the Exchange
Management Console or the Move-Mailbox cmdlet to perform an offline
mailbox move. This might be necessary when you are seeking to balance
the load on a particular server.
When your source servers are running Exchange 2000 Server, Exchange Server
2003, or Exchange Server 2007 and your destination servers are running
Exchange Server 2010, you can use the Move-Mailbox cmdlet to perform
an offline mailbox move. This might be necessary when you are upgrading
to Exchange Server 2010.
When your source and destination Mailbox servers are running Exchange
Server 2010 and are in different forests, you can use the Move-Mailbox
cmdlet to perform an offline mailbox move. This might be necessary if you
are implementing an Exchange resource forest or establishing a new forest.

With online moves, keep the following in mind:
When your source and destination Mailbox servers are running Exchange
Server 2010 and are in the same forest, you can use the New-MoveRequest
cmdlet to perform an online mailbox move. This might be necessary when
you are seeking to move mailboxes while they are being used.
When your source and destination Mailbox servers are running Exchange
Server 2010 and are in different forests, you can use the Exchange
Management Console or the New-MoveRequest cmdlet to perform an
online mailbox move. This might be necessary when you are moving
mailboxes between an on-premises and on-line Exchange organization.
When your source servers are running Exchange 2000 Server, Exchange Server
2003, or Exchange Server 2007 and your destination servers are running
Exchange Server 2010, you cannot perform an online mailbox move. You
will need to perform an offline mailbox move instead.

Performing online moves is a multi-step process that is initiated with a Move
Mailbox request that is sent to the Mailbox Replication Service running on a Client
Access server in the source forest. The Mailbox Replication Service queues the request
for processing, handling all requests on a first-in, first-out basis. When a request is at
the top of the queue, the replication service begins replicating mailbox data to the
destination database. When the replication service finishes its initial replication of a
mailbox, it marks the mailbox as ReadyToComplete and periodically performs data
synchronization between the source and destination database to ensure the contents
of a mailbox are up to date. Once a mailbox has been moved, you can complete the
move request and finalize the move.
When you move mailboxes from one server to another, or even to a different
database on the same server, keep in mind that the Exchange policies of the new
mailbox database may be different from the old one. Because of this, consider the
following issues before you move mailboxes to a new server or database:
General policy  Changes to watch out for include those in the default public
folder database, the offline address book, and message settings. The risk is
that the users whose mailboxes you move could lose or gain access to
public folders. They might have a different offline address book, which
might have different entries. This address book will also have to be
downloaded in its entirety the first time the user's mail client connects to
Exchange after the move.
Database policy  Changes to watch out for pertain to the maintenance
interval and automatic mounting. If Exchange performs maintenance when
these users are accessing their mail, they might have slower response times.
If the mailbox database is configured so that it isn't mounted at startup,
restarting the Exchange services could result in the users not being able to
access their mailboxes.
Limits  Changes to watch out for pertain to storage limits and deletion
settings. Users might be prohibited from sending and receiving mail if their
mailbox exceeds the storage limits of the new mailbox database. Users
might notice that deleted items stay in their Deleted Items folder longer or
are deleted sooner than expected if the Keep Deleted Items setting is
different.
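The settings named in this list can be compared in Exchange Management Shell before a move. The following is an added example, not part of the original text: it reports which of those database settings differ between source and target, and which mailboxes already exceed the target database's send-and-receive limit. The function names are hypothetical, the database names are the samples used in this chapter, and the property names are assumed to match the output of Get-MailboxDatabase, Get-Mailbox, and Get-MailboxStatistics in the released product.

```powershell
# Added example for Exchange Management Shell.
# Settings that correspond to the General policy, Database policy and Limits items.
$policySettings = 'PublicFolderDatabase', 'OfflineAddressBook',
                  'MaintenanceSchedule', 'MountAtStartup',
                  'IssueWarningQuota', 'ProhibitSendQuota',
                  'ProhibitSendReceiveQuota', 'DeletedItemRetention'

function Compare-DatabasePolicy {
    param([string]$SourceDatabase, [string]$TargetDatabase)

    $src = Get-MailboxDatabase -Identity $SourceDatabase
    $dst = Get-MailboxDatabase -Identity $TargetDatabase

    foreach ($name in $policySettings) {
        # Compare the displayed values so that complex types compare cleanly.
        $before = "$($src.$name)"
        $after  = "$($dst.$name)"
        if ($before -ne $after) {
            New-Object PSObject -Property @{
                Setting = $name; Source = $before; Target = $after
            } | Select-Object Setting, Source, Target
        }
    }
}

function Get-MailboxOverTargetLimit {
    param([string]$SourceDatabase, [string]$TargetDatabase)

    $limit = (Get-MailboxDatabase -Identity $TargetDatabase).ProhibitSendReceiveQuota
    if ($limit.IsUnlimited) { return }        # no limit on the target: nothing to report
    $limitBytes = $limit.Value.ToBytes()

    Get-Mailbox -Database $SourceDatabase -ResultSize Unlimited |
        # Mailboxes with their own limits do not inherit the database defaults.
        Where-Object { $_.UseDatabaseQuotaDefaults } |
        ForEach-Object {
            # Mailboxes that have never been logged on to return no statistics.
            $stats = Get-MailboxStatistics -Identity $_.DistinguishedName `
                -WarningAction SilentlyContinue
            if ($stats -and $stats.TotalItemSize.Value.ToBytes() -gt $limitBytes) {
                $stats | Select-Object DisplayName, TotalItemSize, StorageLimitStatus
            }
        }
}

# Compare-DatabasePolicy -SourceDatabase 'Technology Primary' `
#     -TargetDatabase 'Engineering Primary' | Format-Table -AutoSize
# Get-MailboxOverTargetLimit -SourceDatabase 'Technology Primary' `
#     -TargetDatabase 'Engineering Primary'
```

An empty result from both functions means the move changes none of the listed settings and no mailbox starts out over the target's limit.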

Performing Offline Mailbox Moves


When your source and destination Mailbox servers are running Exchange Server 2010
and are in the same forest, you can move mailboxes by completing these steps:
1. In Exchange Management Console, expand the Recipient Configuration node
and then select the related Mailbox node.
2. Right-click the mailbox, and then select Move Mailbox. This starts the Move
Mailbox Wizard, as shown in Figure 6-4.
Tip You can select and move multiple mailboxes at the same time. To select
multiple users individually, hold down the Ctrl key, and then click each user
account that you want to select. To select a sequence of accounts, hold down the
Shift key, select the first user account, and then click the last user account.

Figure 6-4 Use the Move Mailbox Wizard to move mailboxes.
3. Click the Browse button to the right of the Mailbox Database text box. In the
Select Mailbox Database dialog box, choose the mailbox database to which
the mailbox should be moved. Mailbox databases are listed by name as well
as by associated server.
4. Click Next. If corrupted messages are found in a mailbox, specify how you'd
like those messages to be handled (see Figure 6-5). To skip the mailbox if
corrupted messages are found, select Skip The Mailbox. To skip the corrupted
messages if they are found but still move the mailbox, select Skip The
Corrupted Messages.
5. If you elected to skip corrupted messages, you must also specify the maximum
number of corrupted messages to skip. If this value is exceeded, the mailbox
will not be moved.
6. Optionally, select the Global Catalog and Domain Controller check boxes and
then use the Browse buttons to set the related servers to use for this mailbox
move.

Figure 6-5 Set the options for moving the mailbox.
7. Click Next. If you want to move the mailboxes right away, select Immediately.
To schedule the mailbox move, select At The Following Time, and then set the
move date and time.
8. To specify the maximum length of time that the mailbox move can run, select
the Cancel Tasks That Are Still Running After (Hours) check box, and then set
the maximum number of hours the move task can run.
Note Cancelling a move after a maximum number of hours is designed to ensure
that move tasks that are blocked or not proceeding as expected are cancelled.
Most move operations should be completed in eight hours or less, but the exact
duration depends on the number of mailboxes being moved, the size of the
mailboxes, and the connection speed of the link connecting the source and
destination mail servers.
9. When you click Next and then click Move, Exchange Server attempts to move
the mailbox. If a problem occurs, you'll see an Error dialog box that lets you
retry or cancel the operation.

Note In the Exchange Management Console, you can't move mailboxes between
forests. To move mailboxes among servers, the servers must be in the same forest.
In the Exchange Management Shell, you can move individual mailboxes using the
Move-Mailbox cmdlet. Sample 6-4 provides the syntax and usage for using
Move-Mailbox to move a specific mailbox from one server or database to another. Because
the -Identity parameter accepts input from the pipeline, you can either explicitly
specify the identity you are working with or pass in one or more identities from the
pipeline as shown in the second example.
Sample 6-4 Moving individual mailboxes
Syntax
Move-Mailbox -Identity Identity [-IgnoreRuleLimitErrors {$true | $false}]
[-Arbitration {$true | $false}] [-OnlineMove {$true | $false}]
{AddtlParams}

Move-Mailbox -Identity Identity -ConfigurationOnly {$true | $false}
[-Arbitration {$true | $false}] {AddtlParams}

Move-Mailbox -Identity Identity {AddtlParams} {ExtendedParams}

{AddtlParams}
[-BadItemLimit Limit] [-DomainController FullyQualifiedName]
[-GlobalCatalog FullyQualifiedName] [-IgnorePolicyMatch {$true | $false}]
[-MaxThreads MaxThreads] [-ReportFile LocalPath]
[-TargetDatabase DatabaseId] [-ValidateOnly {$true | $false}]

{ExtendedParams}
[-AllContentKeywords Keywords] [-AllowMerge {$true | $false}]
[-AttachmentFilenames Files] [-BadItemLimit Limit]
[-ContentKeywords Keywords] [-EndDate DateTime]
[-ExcludeFolders MapiFolderPaths] [-IgnoreRuleLimitErrors {$true | $false}]
[-IncludeFolders MapiFolderPaths] [-Locale Locale] [-NTAccountOU OUName]
[-OnlineMove {$true | $false}] [-PreserveMailboxSizeLimit {$true | $false}]
[-RecipientKeywords Keywords] [-RetryInterval TimeSpan]
[-RetryTimeout TimeSpan] [-SenderKeywords Keywords]
[-SourceForestCredential Credential]
[-SourceForestGlobalCatalog FullyQualifiedName]
[-SourceMailboxCleanupOptions <None | DeleteSourceMailbox |
DeleteSourceNTAccount | MailEnableSourceAccount | CreateSourceContact>]
[-StartDate DateTime] [-SubjectKeywords Keywords]
[-TargetForestCredential Credential]
Usage
Move-Mailbox -Identity 'cpandl\daniele' `
    -TargetDatabase 'Corporate Services' `
    -BadItemLimit 50 -IgnorePolicyMatch $true `
    -RetryTimeout '8:00:00' -RetryInterval '5:00'

'cpandl.com/users/Charlie Keen' | Move-Mailbox `
    -TargetDatabase 'Engineering Primary' `
    -BadItemLimit 50 -IgnorePolicyMatch $true `
    -RetryTimeout '8:00:00' -RetryInterval '5:00'
If you want to move all mailboxes from one database to another, you can use the
Get-Mailbox and Move-Mailbox cmdlets together, as shown in Sample 6-5.
Sample 6-5 Moving all mailboxes in a database
Syntax
Get-Mailbox -Database Database | Move-Mailbox -TargetDatabase DatabaseId
Usage
Get-Mailbox -Database 'Technology Primary' | Move-Mailbox `
    -TargetDatabase 'Engineering Primary' `
    -BadItemLimit 50 -IgnorePolicyMatch $true `
    -RetryTimeout '8:00:00' -RetryInterval '5:00'
If you are moving mailboxes between domains, you'll want to specify a domain
controller and Global Catalog to use in the target domain, as shown in Sample 6-6.
This ensures that performance and replication issues don't cause problems when
moving mailboxes across domains.
Sample 6-6 Moving mailboxes across domains
Syntax
Move-Mailbox -Identity Identity -TargetDatabase Database
[-DomainController TargetDCName] [-GlobalCatalog TargetGCName]
[-BadItemLimit Number] [-DomainController DCName]
[-IgnorePolicyMatch {$true | $false}] [-RetryTimeout TimeSpan]
[-RetryInterval TimeSpan]
Usage
Move-Mailbox -Identity 'cpandl\williams' -TargetDatabase 'Engineering Primary' `
    -DomainController 'CorpServer65.cpandl.com' `
    -GlobalCatalog 'CorpServer37.cpandl.com' `
    -BadItemLimit 50 -IgnorePolicyMatch $true
If you are moving mailboxes across forests, you must specify Global Catalogs to
use in both the source and target forests, as shown in Sample 6-7. You must also
specify the NT account organizational unit. When you perform the move mailbox
task, you'll be prompted for administrator credentials to connect to the target
database in the target forest. You must provide the account name and password for
an administrator account in the target forest.
Sample 6-7 Moving mailboxes across forests
Syntax
Move-Mailbox -Identity Identity -TargetDatabase Database
[-DomainController TargetDCName] [-GlobalCatalog TargetGCName]
[-BadItemLimit Number] [-IgnorePolicyMatch {$true | $false}]
[-SourceForestCredential Credential] [-SourceForestGlobalCatalog
FullyQualifiedName]
[-SourceMailboxCleanupOptions <None | DeleteSourceMailbox |
DeleteSourceNTAccount |
MailEnableSourceAccount | CreateSourceContact>] [-StartDate DateTime]
[-SubjectKeywords Keywords] [-TargetForestCredential Credential]
[-RetryTimeout TimeSpan] [-RetryInterval TimeSpan]
Usage
Move-Mailbox -Identity 'cpandl\kathyh' -TargetDatabase 'Engineering Primary' `
    -DomainController 'Server14.adatum.com' `
    -GlobalCatalog 'Server12.adatum.com' `
    -SourceForestGlobalCatalog 'CorpServer32.cpandl.com' -BadItemLimit 5 `
    -IgnorePolicyMatch $true
Performing Online Mailbox Moves
With an online move, Exchange performs the move operation as a series of steps that
allow the mailbox to remain available while the move operation is being completed.
With online moves, you can move mailboxes between databases on the same server.
You also can move mailboxes from a database on one server to a database on
another server regardless of whether the servers are in a different Active Directory
site or in another Active Directory forest.
Normally, when you perform online moves, the move process looks like this:
1. You create a new move request for the mailbox or mailboxes that you want to
move using either Exchange Management Console or Exchange Management
Shell.
2. The move request is sent to the Mailbox Replication Service running on a
Client Access server in the current Active Directory site. This server acts as the
Mailbox Replication Service proxy.
3. The replication service adds the mailboxes to the Move Request queue and
assigns the status QueuedForMove to each mailbox. This indicates the move
has been requested but the move has not started.
4. When a move request is at the top of the queue, the replication service begins
replicating the related mailbox to the destination database and assigns the
MoveInProgress status to mailboxes being moved. By default, the replication
service can move up to 5 mailboxes on a single database at one time and up
to 50 mailboxes at a time in total.
5. When the replication service finishes its initial replication of the mailbox, the
service assigns the ReadyToComplete status to the mailbox and periodically
performs incremental synchronization between the source and destination
database to ensure the contents are up to date. By default, the replication
service performs incremental synchronization approximately every 5 minutes.
6. The mailbox remains in the ReadyToComplete state until you or another
administrator specifies that you either want to complete the move request or
cancel the move request. If you complete the move request, the replication
service assigns the Completing status while it performs a final data
synchronization and then marks the move as completed.
7. When the move is completed, the mailbox or mailboxes are available in the
new location. As users can continue to access their email account during a
move, you can perform online moves at any time.
The Mailbox Replication Service proxy runs as a Web application on a Client
Access Server and is installed as part of the Client Access role. The proxy tracks two
different types of moves:
Initial moves  An initial move occurs when the proxy begins replicating data
and the mailbox has a status of MoveInProgress.
Incremental moves  Incremental moves occur when the proxy synchronizes
the mailbox data after an initial move and the mailbox has a status of
ReadyToComplete.
The configuration settings for the service come from the
Microsoft.Exchange.ServiceHost.exe.config file. You can modify the default settings by
editing this file and changing the value of the following properties:
MaxOngoingInitialMovesPerMDB  Sets the number of initial mailbox moves
on a single database at one time. The default value is 5 concurrent moves.
MaxOngoingInitialMovesPerMRSInstance  Sets the number of initial mailbox
moves by a single instance of the Mailbox Replication Service. The default
value is 50 concurrent moves.
MaxOngoingTotalMovesPerMDB  Sets the total number of initial and
incremental moves on a single database at one time. The default value is 5
concurrent moves.
MaxOngoingTotalMovesPerMRSInstance  Sets the total number of initial and
incremental moves by a single instance of the Mailbox Replication Service.
The default value is 50 concurrent moves.
MinIncrementalSyncInterval  Sets the minimum interval between incremental
synchronizations for a mailbox. Default is 5 minutes. Minimum is 1 minute.
0 indicates never to perform incremental synchronizations (in which
case the mailbox will be synchronized only as part of the move finalization
process).
These settings are designed to ensure the Client Access server acting as the proxy
can continue to perform other activities while moving databases. Before you change
any of the configuration settings, you should carefully evaluate current server loads
and perform capacity planning. The average size of mailboxes in your organization
and network bandwidth availability should also be a part of your decision making
process. If most mailboxes in your organization are over 500 megabytes, you'll likely
want to restrict the number of concurrent and total moves even further than the
default settings. If most mailboxes in your organization are under 100 megabytes,
you'll likely want to increase the number of concurrent and total moves allowed.
However, you would need to ensure network bandwidth is available and that you
don't saturate the network.
One way to perform online mailbox moves within the same Exchange forest is by using
Exchange Management Shell. The commands for performing online mailbox moves
include:
Get-MoveRequest  View the detailed status of an on-going mailbox move
that was initiated using the New-MoveRequest cmdlet.
Get-MoveRequest -Identity Identity [-MRSServer FullyQualifiedName]
[-DomainController FullyQualifiedName] [-IncludeReport {$true | $false}]
New-MoveRequest  Start a mailbox move. You also can verify readiness to
move by using the -WhatIf parameter. Use the -Protect parameter to
protect the move request for tenant administrators.
New-MoveRequest -Identity Identity -Local {$true | $false}
[-TargetDatabase DatabaseId] [-MRSServer FullyQualifiedName]
[-Protect {$true | $false}]
[-BadItemLimit Limit] [-DomainController FullyQualifiedName]

New-MoveRequest -Identity Identity -Remote {$true | $false}
-RemoteHostName HostName [-MRSServer FullyQualifiedName]
[-RemoteCredential Credential]
[-TargetDatabase DatabaseId] [-BadItemLimit Limit]
[-DomainController FullyQualifiedName] [-Protect {$true | $false}]
Complete-MoveRequest  Finish a request that was initiated by using the
New-MoveRequest command. If the move request was initiated with the -Protect
parameter, you must use the -Protect parameter to complete the move
request.
Complete-MoveRequest -Identity Identity [-MRSServer FullyQualifiedName]
[-DomainController FullyQualifiedName]
[-RemoteDomainController FullyQualifiedName] [-Protect {$true | $false}]
Remove-MoveRequest  Cancels a mailbox move initiated using the
New-MoveRequest cmdlet. You can use the Remove-MoveRequest command
any time after initiating the move, but before completing the move with
the Complete-MoveRequest command. If the move request was initiated
with the -Protect parameter, you must use the -Protect parameter to cancel
the move request.
Remove-MoveRequest -Identity Identity [-MRSServer FullyQualifiedName]
[-DomainController FullyQualifiedName] [-Protect {$true | $false}]
Moving Mailboxes Within Forests
You perform online mailbox moves within forests using Exchange Management
Shell. To verify move readiness, use New-MoveRequest with the -WhatIf parameter
for each mailbox you plan to move. The following examples show two different ways
you could verify whether Garrett Vargas's mailbox can be moved:
New-MoveRequest -Identity 'garrettv' -Local -TargetDatabase "Engineering Primary" `
    -WhatIf

'cpandl.com/users/Garrett Vargas' | New-MoveRequest -Local `
    -TargetDatabase 'Engineering Primary' -WhatIf
To initiate an online move, you use New-MoveRequest for each mailbox you want
to move. The following examples show two different ways you could move Garrett
Vargas's mailbox:
New-MoveRequest -Identity 'garrettv' -Remote -RemoteHostName 'mailserver17.cpandl.com' `
    -mrsserver 'caserver21.cpandl.com' -TargetDatabase "Engineering Primary"

'cpandl.com/users/Garrett Vargas' | New-MoveRequest -Remote `
    -RemoteHostName 'mailserver17.cpandl.com' -mrsserver 'caserver21.cpandl.com' `
    -TargetDatabase 'Engineering Primary'
Once you initiate a move, you can check the status of the online move using
Get-MoveRequest. As shown in the following example, the key parameter to provide is
the identity of the mailbox you want to check:
Get-MoveRequest -Identity 'garrettv'
By default, basic information about the move request is returned. To get more detailed
information, add the -IncludeReport parameter as shown in this example:
Get-MoveRequest -Identity 'garrettv' -IncludeReport
When the mailbox or mailboxes are in the ReadyToComplete state, you can
finalize the move using Complete-MoveRequest. An example follows:
Complete-MoveRequest -Identity 'garrettv'
You can cancel a move at any time prior to running Complete-MoveRequest. To
do this, run Remove-MoveRequest and specify the identity of the mailbox that
shouldn't be moved. An example follows:
Remove-MoveRequest -Identity 'garrettv'
Moving Mailboxes Between Forests
You can perform online mailbox moves between different Exchange forests using the
Exchange Management Console or Exchange Management Shell. When you are
moving mailboxes between forests, you'll want to verify that mailboxes are ready to
be moved before you submit a move request. To verify readiness, the Mailbox
Replication Service proxy in the source forest checks the status of each mailbox you
are moving and also ensures you have the permissions required to move the
mailboxes from the source forest to the target forest. If a user has an archive mailbox
or subscriptions, you will likely need to remove the archive mailbox, the subscriptions
or both before you are able to move the mailbox.
VERIFYING MOVE READINESS
You can verify move readiness in Exchange Management Console by following
these steps:
1. In Exchange Management Console, select the mailbox or mailboxes that you
are planning on moving. Right-click and then select Verify Move Readiness.
This starts the Verify Move Readiness wizard.
2. On the Verify Move Readiness page, the mailboxes you selected are listed as
the ones that will be verified, as shown in Figure 6-6. The source forest is the
current forest to which you are connected.

Figure 6-6 Verify the mailboxes are ready to be moved.
3. In the Target Forest list, select the forest to which you are moving mailboxes.
4. In the text box provided, enter the fully qualified domain name of a Client
Access server in the source forest that will act as the proxy server.
5. If you want to provide alternate credentials for the source forest, select the
Use The Following Source Forest's Credential, enter the user name, and then
type the password for the account.
6. When you click Verify to begin the verification process, Exchange
Management Console runs New-MoveRequest with the -WhatIf parameter
for each mailbox you selected and displays the results on the Completion
page. Note any errors and corrective actions that are required. For example,
you may need to remove a user's archive mailbox before you can perform an
online move. You can copy the results to the Windows clipboard for pasting
into a document by pressing Ctrl+C. Click Finish.
You can verify move readiness in Exchange Management Shell using
New-MoveRequest with the -WhatIf parameter for each mailbox you plan to move. The
following examples show two different ways you could verify whether Charlie Keen's
mailbox can be moved:
New-MoveRequest -Identity 'charliek' -Remote -RemoteHostName 'mailserver17.cpandl.com' `
    -mrsserver 'caserver21.cpandl.com' -TargetDatabase "Engineering Primary" `
    -WhatIf

'cpandl.com/users/Charlie Keen' | New-MoveRequest -Remote `
    -RemoteHostName 'mailserver17.cpandl.com' -mrsserver 'caserver21.cpandl.com' `
    -TargetDatabase 'Engineering Primary' -WhatIf
PERFORMING THE MOVE BETWEEN FORESTS
You can perform online mailbox moves between forests in Exchange Management
Console by following these steps:
1. In Exchange Management Console, select the mailbox or mailboxes that you
want to move. Right-click and then select New Move Request. This starts the
New Move Request wizard.
2. On the New Move Request page, the mailboxes you selected are listed as the
ones that will be moved. The source forest is the forest to which you are
currently connected.
3. In the Target Forest list, select the forest to which you are moving mailboxes.
4. In the text box provided, enter the fully qualified domain name of a Client
Access server in the source forest that will act as the proxy server.
5. If you want to provide alternate credentials for the source forest, select the
Use The Following Source Forest's Credential option, enter the user name, and
then type the password for the account.
6. When you click New to initiate the move request, Exchange Management
Console runs New-MoveRequest for each mailbox you selected. Moving the
mailboxes can take several hours, depending on the size of the mailboxes you
are moving.
7. When the move is completed, you can either:
   - Complete the move request and finalize the move. The mailbox or
     mailboxes you moved are then available in the new location.
   - Cancel the move request and void the move. The mailbox or mailboxes
     you moved are then available in the original location.
You can perform online moves in Exchange Management Shell using
New-MoveRequest for each mailbox you plan to move. The following examples show two
different ways you could move Bruno Denuit's mailbox:
New-MoveRequest -Identity 'brunod' -Remote -RemoteHost 'mailserver17.cpandl.com' `
    -mrsserver 'caserver21.cpandl.com' -TargetDatabase "Engineering Primary"

'cpandl.com/users/Bruno Denuit' | New-MoveRequest -Remote `
    -RemoteHost 'mailserver17.cpandl.com' -mrsserver 'caserver21.cpandl.com' `
    -TargetDatabase 'Engineering Primary'
Once you initiate a move, you can check the status of the online move using
Get-MoveRequest. As shown in the following example, the key parameters to provide are
the identity of the mailbox you want to check and the name of the proxy server:
Get-MoveRequest -Identity 'brunod' -mrsserver 'caserver21.cpandl.com'
By default, you see basic information about the move request. To get more detailed
information, add the IncludeReport parameter as shown in this example:
Get-MoveRequest -Identity 'brunod' -mrsserver 'caserver21.cpandl.com' `
    -IncludeReport
When the mailbox or mailboxes are in the Ready To Complete state, you can
finalize the move using Complete-MoveRequest. An example follows:
Complete-MoveRequest -Identity 'brunod' -mrsserver 'caserver21.cpandl.com'
At any time prior to running Complete-MoveRequest, you can cancel the move by
running Remove-MoveRequest and specifying the identity of the mailbox that
shouldn't be moved, such as:
Remove-MoveRequest -Identity 'brunod' -mrsserver 'caserver21.cpandl.com'
Importing and Exporting Mailbox Data
As discussed in detail in Chapter 17, "Managing Microsoft Exchange Server 2010
Clients," Exchange mail can be configured to use the following: server mailboxes,
server mailboxes with local copies, or personal folders. Users who travel often may
prefer to have personal folders where their mail is stored locally in .pst files. However,
from an administration perspective, you'll find that mailboxes are easier to manage
and protect when users have either server mailboxes or server mailboxes with local
copies.
When you are working with the Exchange Management Shell, you can use the
Import-Mailbox cmdlet to import mailbox data from a .pst file and the
Export-Mailbox cmdlet to export mailbox data to a .pst file. Import and export operations are
similar to mailbox move operations.
Sample 6-8 shows the syntax and usage for Import-Mailbox. The only required
parameters are Identity and PstFolderPath. Most other parameters serve to limit what
you are importing. For import operations, you'll typically want to create a copy of the
user's .pst file and make this copy accessible on a desktop running a 32-bit operating
system where the 32-bit Exchange management tools are installed. Once you've
installed the 32-bit Exchange management tools on a desktop computer running a
32-bit operating system, you can access the Exchange Management Shell on the
user's desktop and run this cmdlet. With Windows Vista, the default location of a .pst
file is %LocalAppData%\Microsoft\Outlook, where %LocalAppData% is a user-specific
environment variable that points to a user's local application data.
Sample 6-8 Import-Mailbox cmdlet syntax and usage
Syntax
Import-Mailbox -Identity DestMailboxIdentifier
-PSTFolderPath PSTLocalPath
[-AllowContentKeywords AllowedValues]
[-AllowDuplicates {$true | $false}]
[-AttachmentFilenames AllowedValues]
[-BadItemLimit Limit] [-ContentKeywords BodyOrAttachmentValues]
[-EndDate DateTime] [-ExcludeFolders MapiFolderPath]
[-GlobalCatalog GCName] [-IncludeFolders MapiFolderPath]
[-Locale Value] [-MaxThreads Num]
[-RecipientKeywords Values] [-ReportFile LocalPath]
[-SenderKeywords Values] [-StartDate DateTime]
[-SubjectKeywords Values] [-ValidateOnly {$true | $false}]
Usage
Import-Mailbox -Identity 'cpandl.com/Engineering/williams' `
    -PSTFolderPath 'c:\temp\william.pst'
Sample 6-9 shows the syntax and usage for Export-Mailbox. The only required
parameters are Identity and PstFolderPath. Most other parameters serve to limit what
you are exporting. When you are exporting to a .pst file, you'll want to run the
command on a desktop running a 32-bit operating system where the 32-bit
Exchange management tools are installed. Once you've installed the 32-bit Exchange
management tools on a desktop computer running a 32-bit operating system, you
can access the Exchange Management Shell on the user's desktop and run this
cmdlet to store the exported data in a .pst file.
Sample 6-9 Export-Mailbox cmdlet syntax and usage
Syntax
Export-Mailbox -Identity SourceMailboxIdentifier -PSTFolderPath PSTLocalPath
{AddtlParams}

{AddtlParams}
[-AllowContentKeywords AllowedValues] [-AttachmentFilenames AllowedValues]
[-BadItemLimit Limit] [-ContentKeywords BodyOrAttachmentValues]
[-DeleteAssociatedMessages {$true | $false}] [-DeleteContent {$true | $false}]
[-EndDate DateTime] [-ExcludeFolders MapiFolderPath] [-GlobalCatalog GCName]
[-IncludeAssociatedMessages {$true | $false}] [-IncludeFolders MapiFolderPath]
[-Locale Value] [-MaxThreads Num] [-RecipientKeywords Values]
[-ReportFile LocalPath] [-SenderKeywords Values] [-StartDate DateTime]
[-SubjectKeywords Values] [-ValidateOnly {$true | $false}]
Usage
Export-Mailbox -Identity 'cpandl.com/Engineering/williams' `
    -PSTFolderPath 'c:\temp\william.pst'
Export-Mailbox has alternative syntax that allows you to export a mailbox or a
subset of mail or folders and import it directly into a Recovered Data subfolder of a
specified folder in a specified mailbox. For example, you could use this technique to
export the mail in Andy Carothers's mailbox into a SavedMail folder in Scotty Seely's
mailbox. For this type of export operation, you do not have to run the cmdlet on a
desktop running a 32-bit operating system where the 32-bit Exchange management
tools are installed. Sample 6-10 provides the syntax and usage for an export/import.
Sample 6-10 Exporting and then importing mailbox data
Syntax
Export-Mailbox -Identity SourceMailboxIdentifier -TargetFolder LocalPath
-TargetMailbox TargetMailboxId [-AllowMerge {$true | $false}]
{AddtlParams}

{AddtlParams}
[-AllowContentKeywords AllowedValues] [-AttachmentFilenames AllowedValues]
[-BadItemLimit Limit] [-ContentKeywords BodyOrAttachmentValues]
[-DeleteAssociatedMessages {$true | $false}] [-DeleteContent {$true | $false}]
[-EndDate DateTime] [-ExcludeFolders MapiFolderPath] [-GlobalCatalog GCName]
[-IncludeFolders MapiFolderPath] [-Locale Value] [-MaxThreads Num]
[-RecipientKeywords Values] [-ReportFile LocalPath] [-SenderKeywords Values]
[-StartDate DateTime] [-SubjectKeywords Values] [-ValidateOnly {$true | $false}]
Usage
Export-Mailbox -Identity 'cpandl.com/Engineering/andyc' `
    -TargetFolder 'SavedMail' `
    -TargetMailbox 'cpandl.com/Engineering/andyc'
Configuring Mailbox Delivery Restrictions, Permissions,
and Storage Limits
You use mailbox properties to set delivery restrictions, permissions, and storage limits.
To change these configuration settings for mailboxes, follow the techniques discussed
in this section.
Setting Message Size Restrictions for Contacts
You set message size restrictions for contacts in much the same way that you set size
restrictions for users. Follow the steps listed in the section of this chapter entitled
"Setting Message Size Restrictions on Delivery to and from Individual Mailboxes."
Setting Message Size Restrictions on Delivery to and from
Individual Mailboxes
Using the When The Size Of Any Attachment Is Greater Than Or Equal To Limit
transport rule condition, you can set restrictions regarding the size of message
attachments and specify what action to take should a message have an attachment
that exceeds this limit. Sometimes, you'll need to set exceptions for specific users. For
example, some users may need to be able to send large files as part of their job.
You set individual delivery restrictions by completing the following steps:
1. Open the Properties dialog box for the mailbox-enabled user account by
double-clicking the user name in Exchange Management Console.
2. On the Mail Flow Settings tab, double-click Message Size Restrictions. As
shown in Figure 6-7, you can now set the following send and receive
restrictions:
   - Sending Message Size: Sets a limit on the size of messages the user can
     send. The value is set in kilobytes. If an outgoing message exceeds the
     limit, the message isn't sent and the user receives a nondelivery report
     (NDR).
   - Receiving Message Size: Sets a limit on the size of messages the user
     can receive. The value is set in kilobytes. If an incoming message exceeds
     the limit, the message isn't delivered and the sender receives an NDR.

Figure 6-7 You can apply individual delivery restrictions on a per-user basis.
3. Click OK. The restrictions that you set override the global default settings.
Setting Send and Receive Restrictions for Contacts
You set message send and receive restrictions for contacts in the same way that you
set these restrictions for users. Follow the steps listed in the section of this chapter
entitled "Setting Message Send and Receive Restrictions on Individual Mailboxes."
Setting Message Send and Receive Restrictions on Individual
Mailboxes
By default, user mailboxes are configured to accept messages from anyone. To
override this behavior, you can:
   - Specify that only messages from the listed users, contacts, or groups be
     accepted.
   - Specify that messages from specific users, contacts, or groups listed be
     rejected.
   - Specify that only authenticated users (meaning users who have logged on to
     the Exchange system or the domain) be accepted.

You set message send and receive restrictions by completing the following steps:
1. Open the Properties dialog box for the mailbox-enabled user account by
double-clicking the user name in Exchange Management Console.
2. On the Mail Flow Settings tab, double-click Message Delivery Restrictions. As
shown in Figure 6-8, you can now set message acceptance restrictions.
3. If you want to ensure that messages are accepted only from authenticated
users, select the Require That All Senders Are Authenticated check box.
4. To accept messages from all e-mail addresses except those on the reject list,
under Accept Messages From, select All Senders.

Figure 6-8 You can apply send and receive restrictions on messages on a per-user basis.
5. To specify that only messages from the listed users, contacts, or groups be
accepted, select the Only Senders In The Following List option, and then add
acceptable recipients:
   - Click Add to display the Select Recipient dialog box.
   - Select a recipient, and then click OK. Repeat as necessary.
Tip You can select multiple recipients at the same time. To select multiple
recipients individually, hold down the Ctrl key and then click each recipient that
you want to select. To select a sequence of recipients, hold down the Shift key,
select the first recipient, and then click the last recipient.
6. To specify that no recipients should be rejected, under Reject Messages From,
select No Senders.
7. To reject messages from specific recipients, under Reject Messages From,
select Senders In The Following List, and then add unacceptable recipients:
   - Click Add to display the Select Recipients dialog box.
   - Select a recipient, and then click OK. Repeat as necessary.
8. Click OK.
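
The size and delivery restrictions set in the two dialog boxes above can also be applied and verified from the Exchange Management Shell. The following is an added example, not from the book: it assumes the Set-Mailbox parameters of released Exchange Server 2010, and the group name 'Engineering Staff' and the 10 MB limits are hypothetical values.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell.
# 'Engineering Staff' is a hypothetical distribution group; the mailbox identity
# is the one used in the import/export samples earlier in the chapter.
$mailbox = 'cpandl.com/Engineering/williams'

# Per-user restrictions corresponding to the two dialog boxes:
#   Message Size Restrictions     -> MaxSendSize / MaxReceiveSize
#   Message Delivery Restrictions -> sender authentication and the accept list
$restrict = @{
    Identity                           = $mailbox
    MaxSendSize                        = '10MB'
    MaxReceiveSize                     = '10MB'
    RequireSenderAuthenticationEnabled = $true
    AcceptMessagesOnlyFromDLMembers    = 'Engineering Staff'
}

# The settings to snapshot before and after the change.
$props = 'MaxSendSize', 'MaxReceiveSize', 'RequireSenderAuthenticationEnabled',
         'AcceptMessagesOnlyFrom', 'AcceptMessagesOnlyFromDLMembers',
         'RejectMessagesFrom', 'RejectMessagesFromDLMembers'

$before = Get-Mailbox -Identity $mailbox | Select-Object -Property $props

# Dry run first: -WhatIf reports what would change without changing it.
Set-Mailbox @restrict -WhatIf

# Apply, then read the values back rather than trusting the absence of an error.
Set-Mailbox @restrict
$after = Get-Mailbox -Identity $mailbox | Select-Object -Property $props

# Side-by-side record of the change for the change log.
$props | ForEach-Object {
    New-Object PSObject -Property @{
        Setting = $_
        Before  = "$($before.$_)"
        After   = "$($after.$_)"
    }
} | Select-Object Setting, Before, After | Format-Table -AutoSize
```

Keeping the before-and-after table with the change record makes it possible to restore the earlier values exactly if the restriction turns out to block legitimate senders.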


Permitting Others to Access a Mailbox


Occasionally, users will need to access someone else's mailbox, and in certain
situations, you should allow this. For example, if John is Susan's manager and Susan is
going on vacation, John might need access to her mailbox while she's away. Another
situation in which someone might need access to another mailbox is when you've set
up special-purpose mailboxes, such as a mailbox for Webmaster@domain.com or a
mailbox for Info@domain.com.
You can grant permissions for a mailbox in two ways:
   - You can grant access to a mailbox and its content.
   - You can grant the right to send messages as the mailbox owner.

If you want to grant access to a mailbox and its contents but not grant Send As
permissions, use the Manage Full Access Permission Wizard. In the Exchange
Management Console, right-click the mailbox you want to work with and then select
Manage Full Access Permission. In the Manage Full Access Permission Wizard, click
Add, and then use the Select Recipient dialog box to choose the user or users who
should have access to the mailbox. To revoke the authority to access the mailbox,
select an existing user name in the Security Principal list box and then click Remove.
Click Manage to set the desired access permissions.
If you want to grant Send As permissions, use the Manage Send As Permission
Wizard. In the Exchange Management Console, right-click the mailbox you want to
work with and then select Manage Send As Permission. In the Manage Send As
Permission Wizard, click Add, and then use the Select Recipient dialog box to choose
the user or users who should have this permission. To revoke this permission, select
an existing user name in the Security Principal list box and then click Remove. Click
Manage to set the desired Send As permissions.
In the Exchange Management Shell, you can use the Add-MailboxPermission and
Remove-MailboxPermission cmdlets to manage full access permissions. Samples 6-11
and 6-12 show examples of using these cmdlets. In these examples, the AccessRights
parameter is set to FullAccess to indicate you are setting full access permissions on
the mailbox.
Sample 6-11 Adding full access permissions
Syntax
Add-MailboxPermission -Identity UserWhoseMailboxIsBeingConfigured
-User UserBeingGrantedPermission -AccessRights 'FullAccess'
Usage
Add-MailboxPermission -Identity 'CN=Jerry Orman,OU=Engineering,DC=cpandl,DC=com' `
    -User 'CPANDL\boba' -AccessRights 'FullAccess'
Sample 6-12 Removing full access permissions
Syntax
Remove-MailboxPermission -Identity 'UserWhoseMailboxIsBeingConfigured'
-User 'UserBeingRevokedPermission' -AccessRights 'FullAccess'
-InheritanceType 'All'
Usage
Remove-MailboxPermission -Identity 'CN=Jerry Orman,OU=Engineering,DC=cpandl,DC=com' `
    -User 'CPANDL\boba' -AccessRights 'FullAccess' -InheritanceType 'All'
If you want to allow another user to send messages as the mailbox owner, you can
do this using the Manage Send As Permission Wizard. In the Exchange Management
Console, right-click the mailbox you want to work with and then select Manage Send
As Permission. In the Manage Send As Permission Wizard, click Add, and then use the
Select Recipient dialog box to choose the user or users who should have Send As
permission on the mailbox. To revoke Send As permission, select an existing user
name in the Security Principal list box, and then click Remove. Click Manage to set
the desired access permissions.
In the Exchange Management Shell, you can use the Add-ADPermission and
Remove-ADPermission cmdlets to manage Send As permissions. Samples 6-13 and
6-14 show examples using these cmdlets. In these examples, the ExtendedRights
parameter is set to Send-As to indicate you are setting Send As permissions on the
mailbox.
Sample 6-13 Adding Send As permissions
Syntax
Add-ADPermission -Identity UserWhoseMailboxIsBeingConfigured
-User UserBeingGrantedPermission -ExtendedRights 'Send-As'
Usage
Add-ADPermission -Identity 'CN=Jerry Orman,OU=Engineering,DC=cpandl,DC=com' `
    -User 'CPANDL\boba' -ExtendedRights 'Send-As'
Sample 6-14 Removing Send As permissions
Syntax
Remove-ADPermission -Identity UserWhoseMailboxIsBeingConfigured
-User UserBeingRevokedPermission -ExtendedRights 'Send-As'
-InheritanceType 'All' -ChildObjectTypes $null
-InheritedObjectTypes $null -Properties $null
Usage
Remove-ADPermission -Identity 'CN=Jerry Orman,OU=Engineering,DC=cpandl,DC=com' `
    -User 'CPANDL\boba' -ExtendedRights 'Send-As' -InheritanceType 'All' `
    -ChildObjectTypes $null -InheritedObjectTypes $null `
    -Properties $null
Note Another way to grant access permissions to mailboxes is to do so through
Outlook. Using Outlook, you have more granular control over permissions. You can
allow a user to log on as the mailbox owner, delegate mailbox access, and grant
various levels of access. For more information on this issue, see the sections of Chapter
17, "Managing Microsoft Exchange Server 2010 Clients," entitled "Accessing Multiple
Exchange Server Mailboxes" and "Granting Permission to Access Folders Without
Delegating Access."
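
Full access and Send As grants tend to outlive the vacation or project that justified them, so it is worth reviewing them periodically. The following is an added example, not from the book: it assumes the Get-MailboxPermission and Get-ADPermission cmdlets of released Exchange Server 2010, and the baseline file path is hypothetical.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell.
# $baselinePath is a hypothetical location for the reviewed baseline.
$baselinePath = 'C:\Audit\mailbox-grants-baseline.txt'

$grants = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $dn = $mbx.DistinguishedName

    # Full access: explicit allow entries other than the owner's own SELF entry.
    Get-MailboxPermission -Identity $dn |
        Where-Object {
            ($_.AccessRights -like '*FullAccess*') -and
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            ("$($_.User)" -ne 'NT AUTHORITY\SELF')
        } |
        ForEach-Object { '{0}|{1}|FullAccess' -f $mbx.Name, $_.User }

    # Send As: the Send-As extended right on the mailbox user's directory object.
    Get-ADPermission -Identity $dn |
        Where-Object {
            ($_.ExtendedRights -like '*Send-As*') -and
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            ("$($_.User)" -ne 'NT AUTHORITY\SELF')
        } |
        ForEach-Object { '{0}|{1}|Send-As' -f $mbx.Name, $_.User }
}
$grants = @($grants | Where-Object { $_ } | Sort-Object)

if (Test-Path $baselinePath) {
    # Later runs: report what changed since the reviewed baseline.
    $baseline = @(Get-Content $baselinePath)
    $added    = @($grants   | Where-Object { $baseline -notcontains $_ })
    $removed  = @($baseline | Where-Object { $grants   -notcontains $_ })
    "New grants since baseline: $($added.Count)"
    $added
    "Grants removed since baseline: $($removed.Count)"
    $removed
} else {
    # First run: record the current state; review it before treating it as known-good.
    $grants | Set-Content $baselinePath
    "Baseline written: $($grants.Count) explicit grants"
}
```

Each output line has the form mailbox|grantee|right. Inherited entries are skipped because they come from the database or organization level rather than from a per-mailbox grant like the ones in Samples 6-11 and 6-13.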
Forwarding E-mail to a New Address
Any messages sent to a user's mailbox can be forwarded to another recipient. This
recipient could be another user or a mail-enabled contact. You can also specify that
messages should be delivered to both the forwarding address and the current
mailbox.
To configure mail forwarding, follow these steps:
1. Open the Properties dialog box for the mailbox-enabled user account by
double-clicking the user name in Exchange Management Console.
2. On the Mail Flow Settings tab, double-click Delivery Options.
3. To remove forwarding, in the Forwarding Address panel, clear the Forward To
check box.
4. To add forwarding, select the Forward To check box, and then click Browse.
Use the Select Recipient dialog box to choose the alternate recipient.
5. If messages should go to both the alternate recipient and the current mailbox
owner, select the Deliver Messages To Both Forwarding Address And Mailbox
check box (see Figure 6-9). Click OK.

Figure 6-9 Using the Delivery Options dialog box, you can specify alternate recipients for
mailboxes and deliver mail to the current mailbox as well.
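
Because forwarding silently redirects a user's mail, administrators should know which mailboxes forward, to whom, and whether the owner still receives a copy. The following report is an added example, not from the book; it assumes the ForwardingAddress and DeliverToMailboxAndForward mailbox properties and the Get-Recipient and Get-AcceptedDomain cmdlets of released Exchange Server 2010.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell.
# Domains this organization accepts mail for; anything else is treated as external.
# Limitation: wildcard accepted domains (*.example.com) are compared literally.
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" })

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited |
                           Where-Object { $_.ForwardingAddress }) {
    # ForwardingAddress names a recipient object; resolve it to see what it is.
    $target = Get-Recipient -Identity "$($mbx.ForwardingAddress)"

    # Mail-enabled contacts carry the outside address in ExternalEmailAddress
    # (for example 'SMTP:someone@example.com'); mailboxes use PrimarySmtpAddress.
    if ($target.ExternalEmailAddress) {
        $address = "$($target.ExternalEmailAddress)"
    } else {
        $address = "$($target.PrimarySmtpAddress)"
    }
    $domain = ($address -split '@')[-1]

    New-Object PSObject -Property @{
        Mailbox    = $mbx.Name
        ForwardsTo = $address
        TargetType = $target.RecipientType
        External   = ($internalDomains -notcontains $domain)
        KeepsCopy  = $mbx.DeliverToMailboxAndForward
    }
}

# External targets first; within those, mailboxes that keep no local copy first.
$report |
    Sort-Object @{ Expression = 'External'; Descending = $true }, KeepsCopy |
    Select-Object Mailbox, ForwardsTo, TargetType, External, KeepsCopy |
    Format-Table -AutoSize

# To clear forwarding that should not be there (equivalent to step 3 above):
# Set-Mailbox -Identity <mailbox> -ForwardingAddress $null -DeliverToMailboxAndForward $false
```

Rows with External set to True and KeepsCopy set to False deserve the closest look: all of that user's mail leaves the organization and the owner never sees it.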

Setting Storage Restrictions on an Individual Mailbox


You can set storage restrictions on multiple mailboxes using global settings for each
mailbox database or on individual mailboxes using per-user restrictions. Global
restrictions are applied when you create a mailbox and are reapplied when you
define new global storage restrictions. Per-user storage restrictions are set
individually for each mailbox and override the global default settings.
Note Storage restrictions apply only to mailboxes stored on the server. They don't
apply to personal folders. Personal folders are stored on the user's computer.
You'll learn how to set global storage restrictions in Chapter 12, "Mailbox and
Public Folder Database Administration." See the section of that chapter entitled
"Setting Mailbox Database Limits and Deletion Retention."
You set individual storage restrictions by completing the following steps:
1. Open the Properties dialog box for the mailbox-enabled user account by
double-clicking the user name in Exchange Management Console.
2. On the Mailbox Settings tab, double-click Storage Quotas. This displays the
Storage Quotas dialog box, shown in Figure 6-10.

Figure 6-10 Using the Storage Quotas dialog box, you can specify storage limits and deleted
item retention on a per-user basis when necessary.
3. To set mailbox storage limits, in the Storage Quotas panel, clear the Use
Mailbox Database Defaults check box. Then set one or more of the following
storage limits:
   - Issue Warning At (KB): This limit specifies the size, in kilobytes, that a
     mailbox can reach before a warning is issued to the user. The warning
     tells the user to clean out the mailbox.
   - Prohibit Send At (KB): This limit specifies the size, in kilobytes, that a
     mailbox can reach before the user is prohibited from sending any new
     mail. The restriction ends when the user clears out the mailbox and the
     mailbox size is under the limit.
   - Prohibit Send And Receive At (KB): This limit specifies the size, in
     kilobytes, that a mailbox can reach before the user is prohibited from
     sending and receiving mail. The restriction ends when the user clears out
     the mailbox and the mailbox size is under the limit.
Caution Prohibiting send and receive might cause the user to lose e-mail. When
someone sends a message to a user who is prohibited from receiving messages, an
NDR is generated and delivered to the sender. The original recipient never sees the
e-mail. Because of this, you should rarely prohibit send and receive.
4. Click OK twice.

Setting Deleted Item Retention Time on Individual
Mailboxes
When a user deletes a message in Microsoft Office Outlook 2007, the message is
placed in the Deleted Items folder. The message remains in the Deleted Items folder
until the user deletes it manually or allows Outlook to clear out the Deleted Items
folder. With personal folders, the message is then permanently deleted and you can't
restore it. With server-based mailboxes, the message isn't actually deleted from the
Exchange information store. Instead, the message is marked as hidden and kept for a
specified period of time called the deleted item retention period.
Default retention settings are configured for each mailbox database in the
organization. You can change these settings, as described in the section of Chapter
12 entitled "Setting Mailbox Database Limits and Deletion Retention," or override the
settings on a per-user basis by completing these steps:
1. Open the Properties dialog box for the mailbox-enabled user account by
double-clicking the user name in Exchange Management Console.
2. On the Mailbox Settings tab, double-click Storage Quotas. This displays the
Storage Quotas dialog box, shown previously in Figure 6-10.
3. In the Deleted Item Retention panel, clear the Use Mailbox Database Defaults
check box.
4. In the Keep Deleted Items For (Days) text box, enter the number of days to
retain deleted items. An average retention period is 14 days. If you set the
retention period to 0, messages aren't retained and can't be recovered.
5. You can also specify that deleted messages should not be permanently
removed until the mailbox database has been backed up. This option ensures
that the deleted items are archived into at least one backup set. Click OK
twice.

Real World Deleted item retention is convenient because it allows the administrator
the chance to salvage accidentally deleted e-mail without restoring a user's mailbox
from backup. I strongly recommend that you enable this setting, either in the mailbox
database or for individual mailboxes, and configure the retention period accordingly.
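
Per-user overrides of storage limits and deleted item retention are easy to forget once set. The following report is an added example, not from the book: it assumes the quota and retention properties that Get-Mailbox returns in released Exchange Server 2010, and it flags the two risky conditions called out above (a retention period of 0 and a prohibit send and receive limit).

```powershell
# Added example (not from the book). Run in the Exchange Management Shell.
# Mailboxes where either Use Mailbox Database Defaults check box has been cleared.
$overrides = Get-Mailbox -ResultSize Unlimited |
    Where-Object { (-not $_.UseDatabaseQuotaDefaults) -or
                   (-not $_.UseDatabaseRetentionDefaults) }

$report = foreach ($mbx in $overrides) {
    $notes = @()

    if (-not $mbx.UseDatabaseRetentionDefaults) {
        # RetainDeletedItemsFor is a time span such as 14.00:00:00.
        $keep = [TimeSpan]"$($mbx.RetainDeletedItemsFor)"
        if ($keep.TotalDays -eq 0) {
            $notes += 'retention is 0: deleted items cannot be recovered'
        }
        if (-not $mbx.RetainDeletedItemsUntilBackup) {
            $notes += 'items may be purged before a backup captures them'
        }
    }

    if ((-not $mbx.UseDatabaseQuotaDefaults) -and
        ("$($mbx.ProhibitSendReceiveQuota)" -ne 'unlimited')) {
        $notes += 'prohibit send and receive set: inbound mail gets an NDR at the limit'
    }

    New-Object PSObject -Property @{
        Mailbox         = $mbx.Name
        IssueWarning    = "$($mbx.IssueWarningQuota)"
        ProhibitSend    = "$($mbx.ProhibitSendQuota)"
        ProhibitSendRcv = "$($mbx.ProhibitSendReceiveQuota)"
        KeepDeleted     = "$($mbx.RetainDeletedItemsFor)"
        Notes           = ($notes -join '; ')
    }
}

$report |
    Select-Object Mailbox, IssueWarning, ProhibitSend, ProhibitSendRcv, KeepDeleted, Notes |
    Format-Table -AutoSize -Wrap
```

A mailbox with a retention period of 0 has no recoverable-items window at all, which matters for incident response as much as for accidental deletion.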
