Talk to the average computer user, and you might find that he or she has no idea what Exchange Server is. Even after you explain that it's a heavy-duty messaging and collaboration tool, the user still might not get it. But if you say Exchange is for business email, under-standing is usually achieved. Microsoft spends a lot of time touting Exchange as the preferred messaging system for large corporations—bringing to mind glass-walled data centers stuffed with rack-mounted servers serviced by teams of expert administrators.
The reality is somewhat different. Although Microsoft doesn't release precise numbers by customer size, market research data from a number of analyst firms shows that a significant percentage of real-world Exchange seats are in small-to-midsized businesses (SMBs), many of which might have only a handful of servers (or even one!) and just one or two administrators. This article offers help for those lonely, beleaguered administrators who are trying to digest the voluminous information available about Exchange administration but are finding it hard to know what's important.
Tip #1: To Go Forward, You Must Back Up
Large environments often have teams of people tasked with backing up and restoring data from all manner of servers. If you're the only Exchange administrator in your organization, you're probably also responsible for disaster recovery of your Exchange server(s). You shouldn't take this responsibility lightly. You need to thoroughly familiarize yourself with all the prerequisites necessary to recover data on your server:
- Know how to recover individual deleted items. (Enable Deleted Item Retention if you haven't already.)
- Be sure that you know how to restore an accidentally deleted mailbox, even though no one except you should be able to delete mailboxes in the first place.
- Ensure that you're comfortable restoring data with whatever backup tools you use.
- If you're using Exchange Server 2003, know how to use the Recovery Storage Group (RSG) mechanism to allow in-place data recovery.
- If you're using Exchange 2000 Server, you'll need to know how to recover data to an alternate server.
You also need a way to ensure that your backups are happening when they should. You should regularly check the event logs to see what your backup software is logging, either manually or through an automated tool. Most backup programs also keep their own log files, which you should also monitor.
There are few feelings worse than finding out that your backup tapes are empty or unreadable when you need them. As a safety measure, you can always do on-demand backups to disk. I've recently been using Iomega's REV drives (which use 35GB-capacity cartridges) to perform regular Exchange backups, which I then store in a fireproof media vault—a cheap and easy way to incorporate those backups as a supplement to my regular backup processes.
Tip #2: Turn Boring Jobs Over to Robots
Remember those science-fiction movies from the 1950s and 1960s? Here in the 21st century, all our boring and dangerous jobs were supposed to be taken over by friendly, hardworking robots. We haven't achieved that level of technological freedom (well, except for vacuuming), but you can make your life easier by automating some aspects of your Exchange system.
First, consider using some type of alerting tool that scans your event logs and warns you when unusual things happen. Microsoft offers a free tool called EventComb that scans the event log for particular events. (For information about EventComb, see the Windows IT Pro Web-exclusive article "EventComb: It's Free; It's Essential; Get It!" October 2002, http://www.windowsitpro.com, InstantDoc ID 27132.) Other products, such as Ipswitch's WhatsUp Gold and TNT Software's ELM Log Manager, provide automatic notification when specific events occur. Such functionality is obviously valuable, particularly when it gives you immediate notice of a serious error such as -1018 (i.e., when an Exchange database file has been damaged by a failure in the underlying file system or hardware). You might also want to use the built-in monitoring capabilities in Exchange and Windows to notify you when performance thresholds are exceeded. (For more information, see "Simple Exchange Monitoring," December 2005, InstantDoc ID 47897.)
If your server (or any component of it) has automated monitoring software, such as Microsoft Operations Manager (MOM) or HP OpenView, make sure you use it. In addition, most server vendors include tools that automatically monitor the state of your RAID controller and the drives attached to it so that you get an alert when a drive fails—or, better yet, when the controller identifies an impending failure.
Tip #3: Summon the Wizard
SMBs often use Microsoft's Small Business Server (SBS) products because SBS offers a wide range of server capabilities in a small footprint. Unfortunately, SBS is sometimes the butt of jokes from "real" Exchange administrators because the product contains so many wizards. However, the wizards exist for a reason: They automate the setup and configuration of features that are otherwise difficult to get right.
Remember, SBS is more than just a bunch of systems administration products stuffed together on one computer. Microsoft has added a healthy amount of SBS-specific code to each of the products so that they work well together on a single system. Of course, sometimes you'll need to be able to configure something yourself, but you should generally rely on the wizards for your initial setup and for normal operations. For example, the SBS Backup wizard greatly simplifies the process of backing up all your SBS data. Other essential wizards include the Configure E-mail Wizard and Internet Connection Wizard.
Tip #4: Cut the Tether
If you're the only administrator at your company, you're probably on call 24 X 7—even for things that aren't your fault. This situation can quickly get old, but what can you do about it? Apart from hiring someone else to take those late-night calls (or getting some kind of incentive pay to be on call, which is nice if you can get it), your best bet is to make sure that you can remotely access your servers when something goes wrong with them. SBS offers the Remote Web Workplace, the nifty one-stop remote-access portal that Figure 1 shows. However, if you're not using SBS, you have two basic remote-access choices: enable Terminal Services access to your server or use a third-party product.
Terminal Services. I generally enable Terminal Services on all my servers. Because Terminal Services clients are available for Windows, Mac OS X, Linux, and Windows Mobile, the odds that I'll be able to get to a server are pretty good no matter where I am. (It helps that the Windows Mobile device I use—the i-mate JASJAR—has a 640 X 480 screen, which gives me pocket-sized access to my servers from anywhere I can get a cell phone signal.)
Third-party product. Depending on the product you use—Fog Creek Copilot, Symantec pcAnywhere, and Citrix GoToMyPC are good examples—you might be able to remotely access your server without first installing a client program. However, be sure to test your chosen solution before you walk out the door on vacation.
Of course, the time-honored remote-access method of talking over the phone to someone who's in front of the computer is also an option. But, in most cases, this potential solution is much more difficult than just remotely logging on and doing the work yourself.
Tip #5: Form a Posse
In old western movies, one of the first things the new sheriff does is form a posse. In your Exchange environment, you should do the same thing. Even though you might be the only Exchange administrator at your office, you shouldn't be automatically condemned to a life of loneliness. Most industries and regions have some sort of user group that you can join. Or you might even know of other people in your local area who have similar jobs. If not, start looking for them! Suppose your tape drive just broke—wouldn't it be nice to know someone locally who could lend you one?
In addition to forging relationships with other people in your region, be on the lookout for people within your organization who might be valuable additions to your posse. You probably wouldn't feel comfortable turning over administrative access to your servers to anyone else, but having a second person with at least some Exchange knowledge and skill can be a real life-saver when you need to get something done in a hurry. Because Exchange lets you assign view-only administrative access to other users, you can even give your potential deputy the ability to look at—but not change—your Exchange configuration settings so that he or she can get familiar with the details of your Exchange environment.
Don't forget that you can always pay people to be your friends (or at least to help you). When you're stuck, a phone call to Microsoft Customer Service and Support (CSS) can often give you a valuable lifeline. Doing so does cost money, but $249 is peanuts compared with the value of having an experienced professional check your assumptions or help you solve a difficult problem.
Tip #6: Stay Up-to-Date
Of course, you don't have to limit yourself to local relationships. You'll find all sorts of mailing lists, Web forums, and blogs dedicated to Exchange, including the Exchange team's official blog (http://blogs.technet.com/exchange), my blog (http://www.e2ksecurity.com), and many others. These kinds of channels are valuable when you need to research something outside your immediate area of expertise. They're also useful for keeping abreast of new products and changes in the market. Of course, attending industry events such as Microsoft TechEd and Exchange Connections is a great way to stay abreast of new developments and maintain your professional skills.
Tip #7: Use LUAs
Least-Privileged User Accounts (LUAs) are the next big thing in security. That statement might seem a bit odd because you've undoubtedly had a LUA of your own at one time or another. Windows and Windows applications are generally easier to use if you run in the context of the administrator account all the time, but doing so is a terrible idea from a security viewpoint. Whenever possible, you should log on using an ordinary LUA, invoking your administrative credentials only when you need them for some kind of administrative operation. (Check out the RunAs command, which makes it easy for you to launch administrative tasks with the proper credentials. For more information about using RunAs, see the Windows IT Security article "Use Guest Accounts to Fight Malware," December 2005, InstantDoc ID 48300.) Microsoft has said that enabling full LUA access is a key priority for Windows Vista and Longhorn Server, so you might as well get used to it now. Using an LUA limits the amount of damage that can occur if your computer is compromised while you're using it, and it also prevents you from making casual mistakes (e.g., deleting transaction-log files) that you might later regret.
Tip #8: Measure Twice, Cut Once
A midsized company recently asked me to help solve a difficult problem: After the company's administrator made a critical mistake—he ran Eseutil /p, then stopped it, then repeated this cycle several times—the company lost a couple months' worth of mail data, and the administrator didn't have a valid backup. The catastrophe occurred only because the administrator was in a hurry.
Many fields place a high value on quick, decisive action, even if the wrong action is taken. Exchange isn't one of those fields. It's far better to deliberate and take the right action than to speedily do the wrong thing. Of course, if you follow these tips, you can speedily do the right thing. However, if you ever find yourself unsure of what you're doing, that's a good time to back off and think through whatever course of action you're considering taking.