CHAPTER 5
INSTALLING MICROSOFT EXCHANGE 2000 SERVER
The Setup program of Microsoft Exchange 2000 Server is a highly structured utility that
makes the installation task remarkably easy.
Setup records its activities, such as the copying of files, in a specific log file named
EXCHANGE SERVER SETUP PROGRESS.LOG, which you can find in the root
directory (C:\) after an installation.
Lesson 1:
Installation Types
The Setup program of Exchange 2000 Server has a huge job to accomplish, including the
installation of files on your server’s hard disk, the update of registry entries, possibly the
extension of the Active Directory schema, and also the handling of errors (for instance, if
the installation media is removed from the CD-ROM drive during the process of copying
files).
First Server Installation
The NNTP Component of Microsoft Internet Information Services (IIS) Is Not Installed.
To correct the former problem, make sure your server is part of a Windows 2000 domain,
that a domain controller is available, and that you can access Active Directory with the
required permissions.
To correct the latter, install the NNTP service via the Add/Remove Programs program
from the Control Panel and then repeat the Exchange 2000 Server installation. Setup
problems may also be encountered if a \Program Files\Exchsrvr\Mdbdata folder
containing old information store database files exists on the partition where you intend
to install Exchange 2000 Server.
Rename this folder or delete the old database files before starting the Setup program again.
Installation Steps
Provided that you did not prepare the Active Directory forest using /ForestPrep
beforehand, Setup needs to extend Active Directory during the first server installation.
It is important to note that the default names are always First Administrative Group and
First Routing Group.
NOTE: The name of your Exchange 2000 organization cannot be changed after the
installation.
=======================================================================
winexc5.html PAGE
2 2002/06/05
Setup Options
When launching the Setup program, you will reach the Components To Install Wizard
screen after the welcome screen, a second page for the end-user license agreement,
which you need to accept to continue the installation, and a third wizard screen where
you need to enter your product key.
Setup offers the following installation options:
Subsequent Server Installations
The installation options (Custom, Minimum and Typical) are the same for first server
and subsequent installations.
In-Place Upgrade
This involves different preparation steps depending on the situation. For instance, if
you are running Exchange Server on Microsoft Windows NT Server 4.0 you will need
to upgrade the operating system to Windows 2000 Server with Service Pack 1 first.
Windows NT Primary Domain Controller
It is very likely that you will encounter an LDAP port conflict when you upgrade a
Windows NT PDC running Exchange Server 5.5 to Windows 2000.
NOTE: It is advisable, but not required, to change the port number before upgrading
the operating system to Windows 2000 Server.
After you have changed the LDAP port number and upgraded the operating system to
Windows 2000 Server SP1.
NOTE: Although you cannot change installation options during an in-place upgrade,
you can add or remove components later when launching Setup in maintenance mode.
If Exchange 2000 does not support connectors configured on your existing server, such
as a Professional Office System (PROFS) connector, those connectors will not be
available after the upgrade.
Installation in International Environments
Exchange 2000 Server comes in six different languages: English, French, German, Italian,
Japanese and Spanish.
Choosing a Server Platform
To support multilingual MAPI-based clients, you need to install appropriate language
support on your Global Catalog server (Control Panel, Regional Options, General tab,
and then language).
By default, Active Directory supports English sort orders, which correspond to the
default value called Language 00000408, which is set to the language ID 0X00000409.
Unattended Setup Mode
It is possible to customize the setup process by using a predefined initialization file. No
additional user input is necessary and Setup can run unattended.
Creating an Initialization File
Let’s say you want to generate an initialization file named SETUP.INI. Use the command
e:\Setup\I386\SETUP.EXE /CreateUnattend C:\SETUP.INI, where e:\ stands for your
CD-ROM drive.
NOTE: The specified initialization file must not exist prior to launching Setup in
CreateUnattend mode.
Encrypting an Initialization File
This file may contain passwords (such as the Key Management Service password),
which may in this way be disclosed to unauthorized administrators.
Exercise Summary:
generate the file for you. The unattended installation procedure is also essential for
software deployments using Microsoft Systems Management Server (SMS).
Lesson 2:
Postinstallation Considerations
After an installation, you need to perform a number of routine tasks, such as the delegation
of administrative permissions and the protection of server resources and share points
against unauthorized access.
Installing the Exchange 2000 Management Programs
During the typical or custom installation, you can install the Exchange 2000 System
Management utilities on any computer running Windows 2000 including Windows
2000 Professional.
Management Programs on Windows 2000 Professional
You can use the RPCPing utility to test the RPC communication between computers.
If RPCPing works fine, the Exchange System Manager will work as well.
Windows 2000 Tool Extensions
As Setup installs management utilities based on Microsoft Management Console
(MMC), such as the System Manager and related snap-ins, it also extends the Active
Directory Users and Computers tool to provide Exchange-specific features.
Management Programs and Outlook 2000
Because Outlook attempts to replace the newer Exchange 2000 MAPI32.DLL with its older
version, it is not advisable to install Outlook 2000 and the Exchange System Management
Tools on the same workstation.
Assignment of Administrative Roles and Permissions
The Exchange System Manager includes a feature called Exchange Administration
Delegation Wizard that simplifies permission management.
Permission Inheritance
Permission inheritance simplifies the task of delegating administrative roles and managing
permissions for the following reasons:
Managing assignment of roles and permissions can be concentrated on a single parent
object instead of numerous child objects. Child objects inherit the settings automatically.
Permission changes can be applied easily via the parent object.
Roles and permissions attached to the parent object are applied consistently to all child
objects.
Disabling the Inheritance Feature
The inheritance feature allows you to quickly configure permissions and roles, but in
some situations you may want to customize the inheritance of security-related permissions.
To disable Bluesky-SRV1 server within the First Administrative Group, right-click on it,
and select Properties to display the corresponding Properties dialog box.
NOTE: The configuration of Windows 2000 and Exchange 2000-related permissions
gives you total control over the individual access privileges of users and groups.
*** See the chart on page 161 ***
Group Accounts and Exchange Administration
The permissions model of Exchange 2000 is entirely based on the security model for
Windows 2000 Active Directory.
In native mode, Windows 2000 allows you to configure the following security groups:
Domain Local. This group type can contain user accounts, global groups, and
Universal groups from any domain as well as domain local groups from the same
domain.
Global. This group type can contain user accounts and global groups from the same
domain.
Universal. This group type is only used in Active Directory forests that contain
multiple domains. It can contain user accounts, global groups, and universal groups
from any domain.
NOTE: During the first server installation, the setup routine automatically creates two
default group accounts, Exchange Domain Servers and Exchange Enterprise Servers,
in the Users container of the Domain tree for your organization.
NOTE: The ShowSecurityPage Registry value causes the Exchange System Manager
to display the Security tab on all configuration objects. If this value is not present or is
set to 0, the Security tab is available only on Address Lists objects, mailbox and public
stores, and top-level public folder hierarchies. Because the value is stored in the
HKEY_CURRENT_USER hive, ShowSecurityPage only affects the current user account.
Exercise Summary:
of the Domain Admins or Enterprise Admins group, you inherit management permissions for
the Exchange 2000 organization.
administrative groups via the ShowSecurityPage Registry key, gives detailed and accurate
security information.
Default File Locations and Share Point Permissions
If you accept the default settings, they will be placed under the C:\Program Files\
Exchsrvr directory.
Share Points
Knowing the share point permissions and the processes that need access to them helps to
secure the server appropriately.
The following share points are created automatically on an Exchange 2000 server:
Address. A proxy address generator is typically responsible for the automatic generation
of default e-mail addresses. Each address generator corresponds to a specific e-mail
address type. Examples are SMTP, X.400, MS Mail, and Lotus cc:Mail.
<SERVER NAME>.LOG. By default, Administrators and service accounts have Full
Control permissions, and the Everyone account is restricted to Read permission.
Maildat$. By default, Administrators, service accounts and Everyone groups have Full
Control permissions.
TCP Ports
The majority of features that Exchange 2000 Server has to offer rely on Internet technologies
(such as TCP/IP, DNS, SMTP, NNTP, IMAP4, POP3, HTTP, LDAP, Secure Sockets
Layer, Kerberos and so on). Consequently, you need to protect your Internet access
points, preferably with a firewall.
Exercise Summary:
communication based on Windows Sockets (Winsock). You can use a simple TCP port
scanner written in Visual Basic to determine which ports are listening. It is a good idea to
stop Internet services (and thereby the associated ports) not required in your environment
and protect those that are required (such as TCP port 25 for SMTP) with a firewall.
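The port check described above, as an added Python example (not part of the original notes, which mention a Visual Basic scanner). It probes your own server for the well-known TCP ports of the protocols listed and sorts each service by the recommended action; the list of required services and the probe parameter are assumptions made for illustration.

```python
import socket

# Well-known TCP ports for the Internet protocols the text names.
EXCHANGE_TCP_PORTS = {
    "SMTP": 25, "DNS": 53, "HTTP": 80, "Kerberos": 88, "POP3": 110,
    "NNTP": 119, "IMAP4": 143, "LDAP": 389, "HTTPS (SSL)": 443,
}

def is_listening(host, port, timeout=0.5):
    """Return True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def audit_listeners(host, ports, required, probe=is_listening):
    """Sort probed services by the action the text recommends.

    ports:    {service name: TCP port} to check on your own server
    required: service names your environment needs (assumed policy)
    probe:    callable(host, port) -> bool, replaceable for testing
    Returns {'stop': [...], 'protect': [...], 'down': [...]}:
      stop    - listening but not required, so stop the service
      protect - listening and required, so restrict it at the firewall
      down    - required but not answering, so check the service
    """
    missing = set(required) - set(ports)
    if missing:
        raise ValueError(f"no port known for: {sorted(missing)}")
    report = {"stop": [], "protect": [], "down": []}
    for name in sorted(ports):
        listening = probe(host, ports[name])
        if listening and name in required:
            report["protect"].append(name)
        elif listening:
            report["stop"].append(name)
        elif name in required:
            report["down"].append(name)
    return report

if __name__ == "__main__":
    # Assumed policy for illustration: only SMTP and HTTP are needed.
    result = audit_listeners("127.0.0.1", EXCHANGE_TCP_PORTS, {"SMTP", "HTTP"})
    for action, names in result.items():
        print(f"{action:8} {', '.join(names) or '-'}")
```

Services reported under "stop" are the ones to disable; those under "protect" stay enabled behind the firewall.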
Exchange 2000 Server Service Dependencies
Exchange 2000 Server needs numerous services functioning in order for the entire system
to work.
LocalSystem Account
This left the system vulnerable because it is not feasible to lock a services account after a
certain number of failed logon attempts. A locked account would prevent communication
between the Exchange Server services.
Service Account Dependencies for Backward Compatibility
Nevertheless, you need to rely on a userlike services account if you need to connect
Exchange 2000 Server to Exchange Server 5.5. Within a single site, all Exchange-related
services have to use a common Site Services account for authentication.
Adding or Repairing Components in Maintenance Mode
You can start the Setup program of Exchange 2000 Server at any time. If you run it on a
computer that already has Exchange 2000 installed, it will switch into the maintenance mode.
The maintenance installation is useful for:
Reinstallation and Service Packs
It might be a good idea to reinstall an Exchange 2000 Server if you suspect important files
have been corrupted. The reinstallation can replace these files, thereby repairing any server
components.
Database files and template information will not be overwritten. This means that the
reinstallation is not really risky, but often useful, when Registry entries must be updated or
when files are corrupted and finding out what exactly is broken will be an inordinately time-
consuming job.
Removing an Exchange 2000 Server Installation
To completely remove the server installation, from the Component Selection wizard screen,
under Action, select Remove next to the Microsoft Exchange 2000 entry. You need to
reboot the server to complete the process.
Removing Exchange 2000 Server does not remove the Exchange directory structure on the
server’s hard disk. The \MTAData and, even more important, the \MDBData directories
contain files of former message queues and databases.
Exercise Summary:
It is relatively easy to add or remove Exchange 2000 Server components to an existing
installation. Setup detects the installed server automatically and switches into maintenance
mode, where you can select the desired components on the Component Selection Wizard
screen.
CHAPTER SUMMARY:
and must react to possible error conditions.
you for different information. Subsequent installations need to know the administrative and
routing groups where you want to add the new server.