Automate with provisioning tools and services

Following the lead of application service providers (ASPs), you can use a provisioning process to set up and manage a hosted environment for Exchange 2000 Server. Provisioning is just a fancy name for automating the setup and management of a hosted environment. Why automate? The most important benefit of automation isn't saving time or money but rather creating an effective, high-quality environment. Because you define the provisioning process up front rather than case by case, servers and applications are consistently set up properly. Having a properly set up hosting environment reduces the number of deployment problems, helps ensure security, and aids in disaster recovery.

Before you decide to implement the provisioning process, you need to realize that automation doesn't necessarily mean a lower total cost of ownership (TCO). The up-front costs of creating the automation system can offset the savings realized during deployment of the hosted application. In addition, too many exceptions or differences between deployments can offset the savings.

The provisioning process encompasses a wide variety of tasks. For example, provisioning a hosted Exchange 2000 environment might involve the following tasks:

  • installing and configuring the hardware (e.g., BIOS, storage)
  • installing and configuring Windows 2000 Server and related components (e.g., service packs, hotfixes, updated drivers)
  • installing Exchange 2000
  • configuring Exchange 2000 and the hosting environment (e.g., creating user accounts)
  • managing Exchange 2000 and the hosting environment (e.g., managing user accounts, tracking system use for billing purposes)

ASPs that host Exchange 2000 can help you learn about provisioning tools and services. Knowing what's available and where to find it is a good starting point, assuming that you're familiar with Exchange 2000 hosting. If you're unfamiliar with using Exchange 2000 in a hosted environment, see "Exchange 2000 Hosting: The ASP Model," November 2001, InstantDoc ID 22404, and "Exchange 2000 Hosting: The ASP Model, Part 2," December 2001, InstantDoc ID 22895. If you're unfamiliar with ASPs, check out the Microsoft Service Providers Web site (http://www.microsoft.com/serviceproviders).

Installing and Configuring the Hardware
To automate the installation and configuration of hardware, you can use any hardware vendor-provided tools or the Microsoft Automated Purposing Framework (APF). APF is a collection of scripts and utilities for installing and configuring hardware, Windows OSs, and applications on one or more machines. Microsoft designed APF to work with many server vendors' products, but APF isn't a tool that you can just download and use. Instead, you must use Microsoft Consulting Services (MCS) or one of Microsoft's approved partners. For more information about APF, go to http://www.microsoft.com/serviceproviders/deployment/automated_purposingp67545.asp.

Configuring the OS
Manually installing Win2K requires that you answer a few questions, which means you must wait for the installation process to reach that point. Fortunately, you can use APF to eliminate the wait. APF takes advantage of the unattend setup method, which lets you store answers to setup questions in an answer file. Currently, creating the APF answer file requires customizing scripts; however, a GUI designed to create XML files will be available in the near future.

You can use other tools besides APF to rapidly deploy Win2K. For example, you can use the System Preparation (Sysprep) tool with third-party disk-imaging software to clone Win2K Server to other machines. Similarly, you can use Microsoft Remote Installation Services (RIS) to clone Win2K Professional. In addition, Compaq offers Automated Software Installation (ASI) services for deploying Windows OSs and applications.

Installing the Application
Installing Exchange 2000 is the next task in the provisioning process. Unlike Win2K Server, Exchange 2000 doesn't include any rapid deployment tools. However, you can use APF or a third-party solution, such as what Altiris offers. APF has a scripted utility to automate the Exchange installation. One of its most useful features is that you can build infrastructure dependencies into the Exchange deployment. As a result, the additional Exchange servers don't launch their installation until the Exchange setup extends the Active Directory (AD) forest schema. In addition, the cluster nodes wait for their partners to finish installing before they join the cluster.

Configuring and Managing the Application
Configuring Exchange 2000 and the hosting environment is by no means easy. The tasks are many. For example, you must create storage groups (SGs) and mailbox stores and set their drive locations. You must define limits on mailbox size, set retention intervals for deleted items, and set diagnostics logging levels. You must also define the AD structure by creating organizational units (OUs) and configuring the OUs' security settings, then add mailbox-enabled users to the proper OU. Although administrators often perform these tasks manually, you can automate most of these tasks.

After you've completed the configurations, someone needs to manage the hosted Exchange 2000 environment. One goal of provisioning is to create tools that let others perform minor administrative tasks (e.g., updating users' personal information). ASPs typically use an automated, Web-based tool to delegate minor administrative tasks to customers. In a company, the IT organization might use such a tool to delegate minor administrative tasks to the end user.

To accomplish application configuration and management tasks, you have five options. These options provide varying degrees of automation, ranging from no automation (the first option) to extensive automation (the last option):

  • Manually perform the tasks with such tools as Exchange 2000's Exchange System Manager (ESM), Win2K Server's Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, and Win2K Server's MMC ADSI Edit snap-in.
  • Create and use scripts that incorporate tools and technologies such as Win2K Server's LDAP Data Interchange Format Data Exchange (LDIFDE) utility, Win2K Server's Comma Separated Value Data Exchange (CSVDE) utility, and Microsoft Active Directory Service Interfaces (ADSI).
  • Use the Web Admin tool.
  • Use the Exchange 2000 Hosting Pack.
  • Purchase a third-party provisioning tool, such as Xevo's XevoWorks.

Let's take a closer look at Web Admin and the Hosting Pack. With these tools, you can achieve a high level of automation without having to purchase a product.

Web Admin
The Microsoft Network Solutions Group created Web Admin to illustrate how to use AD-created shared services. Web Admin provides Web-based administrative functions that you can use to manage Exchange 2000 data in AD. However, Microsoft doesn't support Web Admin. The tool comes with the warning "Please note that this code sample is provided 'as is' without warranty or product support of any kind." Although you can't get support from Microsoft Product Support Services (PSS) if a problem arises, you can join the MSN Web Admin Tool Update Community to learn about users' experiences and find helpful scripts. You can find links to download Web Admin and join the MSN Web Admin Tool Update Community at http://www.microsoft.com/serviceproviders/downloads/webadmin_overview.asp.

Exchange 2000 Hosting Pack
The Hosting Pack, which is part of the Microsoft Provisioning Framework (MPF), is the most extensive provisioning tool that you can use without purchasing a third-party product. (APF is also part of MPF.) Although Microsoft designed the Hosting Pack to add OUs and users to a hosted Exchange 2000 environment, you can use it for the same purpose when you host Exchange 2000 within a corporation, university, or other organization.

The Hosting Pack's underlying engine is the Microsoft Administration and Provisioning System 5.x (MAPS 5.x), which includes the Resource Manager. MAPS, which was formerly called the MCIS Administration and Provisioning System, runs on Microsoft SQL Server 7.0 Service Pack 2 (SP2) or later. MAPS is transactional, which means that it rolls back a failed transaction. Thus, a transaction either succeeds or fails, so failed partial transactions never occur. Since version 4.0, MAPS has used Service Configuration Objects (SCOs), which are provisioning's core modules. Exchange is just one of the services that you can provision with SCOs.

A paper that describes the Hosting Pack is available at http://www.microsoft.com/serviceproviders/whitepapers/exchange_2000_hosting_packp63283.asp. The Hosting Pack has been available for download, but it's currently not on the Microsoft Service Providers Web site. Look for it to resurface in the near future with a revamped structure and capabilities. In the meantime, let's look at what the provisioning tools can do.

How the Tools Compare
How do Web Admin and the Hosting Pack compare with each other? These two provisioning tools differ in several ways. First, as I mentioned previously, Microsoft doesn't support Web Admin but does support the Hosting Pack. Second, the Hosting Pack is a more comprehensive provisioning tool than Web Admin. For example, unlike Web Admin, the Hosting Pack has the Resource Manager, which lets you track the availability of resources (e.g., storage for mailbox stores) and allocate resources between organizations and users. Finally, as I mentioned previously, the Hosting Pack is transactional; Web Admin isn't.

Although the Hosting Pack's additional features make the tool appealing, they also have a downside: The systems that provide those features make the Hosting Pack more difficult to set up and maintain than Web Admin. With Web Admin, you don't have to deploy SQL Server or create SCOs. In addition, the Hosting Pack requires that you have Win2K Advanced Server and Exchange 2000 Enterprise Server. For Web Admin, you need to have only Win2K Server and Exchange 2000.

Now, let's look at the two provisioning tools' similarities. Both Web Admin and the Hosting Pack require that you set AD to native mode. This mode is necessary because the hosted design uses nested universal security groups. Thus, backward compatibility with Windows NT 4.0 domains is impossible. In addition, both tools require Microsoft IIS to run.

When you set up a hosted Exchange environment, you need to prevent users from improperly accessing resources. To do so, you must create security groups, assign users to those groups, and keep permissions up-to-date. Both Web Admin and the Hosting Pack have built-in functions to perform these tasks. If you perform them manually, inconsistencies are likely to creep in, and consistency is essential in a hosted Exchange environment.
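The following script is an added example, not code from the article or from any Microsoft tool. It shows what the second option in the list above (scripts built around LDIFDE) looks like for the OU, group, and user tasks described in "Configuring and Managing the Application" and for the security-group work discussed here. It generates an LDIFDE import file that creates one hosted organization's OU, a universal security group for that organization, disabled user accounts in the OU, the group memberships, and finally nests the organization's group into a hosting-wide universal group (the nesting that requires native mode). The OU layout (a "Hosted Customers" OU), the group names, the UPN suffix, and the sample customer and users are all constructed assumptions; the hosting OU and the AllHostedUsers group are assumed to exist already. Accounts are created disabled because LDIFDE can't set a password without an LDAP-over-SSL session, so password setting and enabling are left for a separate step.

```python
"""Generate an LDIFDE import file that provisions one hosted organization.

Added example, not part of the article. Import the output with
    ldifde -i -f customer.ldf -s <domain controller>
against a test forest first; the OU names, group names and UPN suffix
used below are assumptions.
"""
import base64
import re

# groupType for a universal security group: ADS_GROUP_TYPE_UNIVERSAL_GROUP
# (0x8) | ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000), written as the
# signed 32-bit value AD stores.
UNIVERSAL_SECURITY_GROUP = 0x80000008 - (1 << 32)   # -2147483640

# userAccountControl = NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2).
# Accounts start disabled: LDIFDE cannot set unicodePwd without LDAP over
# SSL, so passwords are set and accounts enabled in a separate step.
DISABLED_NORMAL_ACCOUNT = 0x200 | 0x2


def escape_rdn(value):
    """Escape characters RFC 2253 reserves inside an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == '#' and i == 0) \
            or (ch == ' ' and i in (0, last))
        out.append('\\' + ch if special else ch)
    return ''.join(out)


def ldif_line(attr, value):
    """One attrval-spec; base64-encode values LDIF cannot carry literally."""
    text = str(value)
    unsafe = text[:1] in (' ', ':', '<') or any(
        ord(c) > 127 or c in '\r\n\x00' for c in text)
    if unsafe:
        b64 = base64.b64encode(text.encode('utf-8')).decode('ascii')
        return '%s:: %s' % (attr, b64)
    return '%s: %s' % (attr, text)


def sam_name(display):
    """Pre-Windows 2000 logon name: alphanumerics only, at most 20 chars."""
    return re.sub(r'[^A-Za-z0-9]', '', display)[:20]


def provision_org(domain_dn, hosting_ou, org_name, users, upn_suffix,
                  all_users_group='AllHostedUsers'):
    """Build the LDIF for one hosted organization, in dependency order:
    OU, the org's universal security group, the users, then membership
    changes. `users` is a list of (logon, given name, surname) tuples.
    The hosting OU and the hosting-wide group are assumed to exist."""
    hosting_dn = 'OU=%s,%s' % (escape_rdn(hosting_ou), domain_dn)
    org_dn = 'OU=%s,%s' % (escape_rdn(org_name), hosting_dn)
    group_cn = org_name + ' Users'
    group_dn = 'CN=%s,%s' % (escape_rdn(group_cn), org_dn)
    parent_dn = 'CN=%s,%s' % (escape_rdn(all_users_group), hosting_dn)

    entries = [
        [('dn', org_dn), ('changetype', 'add'),
         ('objectClass', 'organizationalUnit'), ('ou', org_name)],
        [('dn', group_dn), ('changetype', 'add'), ('objectClass', 'group'),
         ('cn', group_cn), ('sAMAccountName', sam_name(group_cn)),
         ('groupType', UNIVERSAL_SECURITY_GROUP)],
    ]
    member_dns = []
    for logon, given, surname in users:
        cn = '%s %s' % (given, surname)
        user_dn = 'CN=%s,%s' % (escape_rdn(cn), org_dn)
        member_dns.append(user_dn)
        entries.append([
            ('dn', user_dn), ('changetype', 'add'), ('objectClass', 'user'),
            ('cn', cn), ('sAMAccountName', sam_name(logon)),
            ('userPrincipalName', '%s@%s' % (sam_name(logon), upn_suffix)),
            ('givenName', given), ('sn', surname), ('displayName', cn),
            ('userAccountControl', DISABLED_NORMAL_ACCOUNT)])
    # Membership is a modify record emitted only after every member exists.
    entries.append([('dn', group_dn), ('changetype', 'modify'),
                    ('add', 'member')] +
                   [('member', dn) for dn in member_dns] + [('-', None)])
    # Nest the org group into the hosting-wide group (needs native mode).
    entries.append([('dn', parent_dn), ('changetype', 'modify'),
                    ('add', 'member'), ('member', group_dn), ('-', None)])

    blocks = []
    for entry in entries:
        lines = ['-' if a == '-' else ldif_line(a, v) for a, v in entry]
        blocks.append('\n'.join(lines))
    return '\n\n'.join(blocks) + '\n'


if __name__ == '__main__':
    # Constructed sample input: one hosted customer with two users.
    print(provision_org(
        'DC=hosting,DC=example', 'Hosted Customers', 'Acme, Inc.',
        [('jdoe', 'Jane', 'Doe'), ('rroe', 'Richard', 'Roe')],
        'acme.example'))
```

Because the layout is defined once in the script rather than typed per customer, every organization gets the same OU shape, the same group type, and the same disabled-until-reviewed account state, which is the consistency argument the article makes for provisioning. The RDN escaping matters for real customer names such as "Acme, Inc.": an unescaped comma would silently produce a different, shallower DN.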

Web Admin and the Hosting Pack both log information for monitoring and tracking purposes. For example, Web Admin logs the changes that are made through its browser interface, and the Hosting Pack uses MAPS to log all provisioning transactions, which lets you track and base billings or chargebacks on system use. Both tools offer the option of storing log data in SQL Server databases.

Setting Up Web Admin
Because Web Admin is easier to set up than the Exchange 2000 Hosting Pack, let's explore how to install and configure Web Admin. Here are the steps you follow:

  1. Change AD to native mode, if necessary.
  2. Install Web Admin. I recommend that you install it on a front-end Exchange server for two reasons. First, that configuration allows single sign-on with Basic authentication and, second, it provides the Exchange 2000 components that Web Admin requires.
  3. If you don't install Web Admin on an Exchange server, you must install the Microsoft Exchange System Management Tools and the Microsoft Collaboration Data Objects (CDO) 1.21 library on the machine on which you've installed Web Admin. To install the tools, run the Microsoft Exchange 2000 Installation Wizard, which you'll find on the Exchange 2000 CD-ROM, and select Microsoft Exchange System Management Tools from the Components Selection list. The CDO library (cdo.dll) is on the Exchange 2000 CD-ROM in the setup\i386\exchange\bin directory. Copy cdo.dll to the \%systemroot%\system32\ folder on the Web Admin machine, then register the DLL with the command

    regsvr32.exe %systemroot%\system32\cdo.dll

    If you install Web Admin on a domain controller (DC), you also need to add Domain Users to the Log on locally policy in the Domain Controller Security Policy. Otherwise, end users won't be able to use Web Admin to administer their mailboxes.

  4. Configure the virtual directory for Web Admin to use basic authentication and set the domain to a backslash (\). Here's why you need to make these configurations: When you use an unqualified user logon, IIS searches only the local computer's user database and the domain in which the server is a member. By setting the domain to a backslash, you tell IIS to search against all trusted domains to validate the unqualified user logon.
  5. If you run Web Admin on an Exchange server, open ESM, expand the Protocols node, and expand HTTP. Under Exchange Virtual Server, find the virtual server called Exchange, right-click it, and select Properties. Click the Access tab, then select Authentication to open the Authentication Methods dialog box, which Figure 1 shows. By default, the Basic authentication and Integrated Windows Authentication check boxes are selected. Leave the Basic authentication check box selected and enter a backslash in its Default domain text box. Then, clear the Integrated Windows Authentication check box and click OK.

    If you're not running Web Admin on an Exchange server, open the MMC Internet Information Services snap-in, right-click Default Web Site, and select Properties. Click the Directory Security tab. In the Anonymous access and authentication control section, click Edit. Select the Basic authentication check box if it's not already selected. A pop-up message box will remind you to use Secure Sockets Layer (SSL) if you plan to perform authentication over an unsecured network. Because you're using clear text for authentication, you should enable SSL if you plan to use Web Admin in a production environment. (See the IIS documentation for information about how to configure SSL.) Click Edit, then enter a backslash in the Select a default domain text box. For this change to take effect, you must restart the IIS services, which is easiest to do by rebooting the server. However, don't reboot the server yet.

  6. Register adstype.dll by running the command

    regsvr32 X:\webadmin\comadstype\adstype.dll

    where X is the appropriate drive. Adstype.dll is an ActiveX component that lets you view access control entry (ACE) objects, which wouldn't be possible if you were using VBScript with Web Admin. This DLL is already on your computer, but you still need to register it.

  7. Create the Web Admin Web site. Run the MMC Internet Services Manager snap-in and select the Web site in which you want to create the virtual directory for Web Admin. Don't use the Default Web Site because it contains sample code and Help documentation. If you put the WebAdmin virtual directory, sample code, and Help documentation together all on the same Web site, you might have trouble later uninstalling and upgrading IIS. Right-click the target Web site and select New, Virtual Directory to invoke the Virtual Directory Creation Wizard. Enter WebAdmin as the virtual directory alias. (Any other name works, but it might hinder future upgrades.) As Figure 2 shows, enter the path to the webadmin\html directory, then click Next. Leave all entries at their default settings, and click Next, Finish. After the Virtual Directory Creation Wizard finishes, right-click the new WebAdmin virtual directory, select Properties, and click the Directory Security tab. In the Anonymous access and authentication control section, click Edit and clear the Anonymous access check box. You need to remove anonymous access so that only administrators can change the Web Admin Web site's configurations.

  8. Configure the Web Admin Web tool. Open your Web browser and enter the URL
    http://localhost/webadmin

    where localhost is the name of your IIS computer. In the Web Admin opening page, which Figure 3 shows, click the Go Setup link in the Web Admin Setup Wizard box to launch the 90-second setup process. After you read the information that the wizard displays, click Next. The wizard then prompts you for an account and password. Because the default domain (i.e., \) you configured in Step 4 doesn't take effect until you restart the IIS services, enter

    DOMAIN\Administrator

    for the account, where DOMAIN is the name of your domain.

    In the next screen, which Figure 4 shows, you tell the wizard how to set up AD. Assuming that you've already installed Exchange 2000, select the Set Security Settings on Exchange Configuration Container check box. Leave all the other check boxes selected.

    At the bottom of the screen in Figure 4, notice the statement "The Web Admin is currently in: Service Provider Mode." Web Admin lets you delegate the management of AD. You can choose one of four administrative roles:

    • Service Provider—manages the entire domain (i.e., manages all users, groups, and servers). Acts as the top-level domain administrator.
    • Reseller—creates and manages new hosted customers. Acts as a multi-organizational administrator.
    • Organizational Administrator—manages users and groups in a particular organization.
    • End User—manages his or her own personal information (e.g., address, phone, title) and resets his or her own passwords.

The role you select determines the scope of administrative responsibility that Web Admin grants while the tool is in use. Leave the default role of Service Provider. Finally, click Next, then click Finish to complete the Web Admin setup. After you reboot the server, Web Admin will be ready to use in your provisioning process.

Build in Quality
Setting up and managing a hosted Exchange environment is a complex undertaking that involves many tasks. By using provisioning tools and services, you can automate these tasks so that you repeatedly produce the same result—properly built and configured servers and applications—throughout the hosted environment. Knowing which provisioning tools and services to use and knowing where to find them is the first step.

Microsoft is committed to delivering automated provisioning tools in the context of an overall framework (i.e., MPF). In the immediate future, Microsoft plans to release the next generation of tools. These tools will be based on APF, Web Admin, and the Hosting Pack.

Corrections to this Article:
  • Since the publication of this article, Microsoft has stopped providing the Exchange 2000 Hosting Pack. The company recommends that you visit the Microsoft Service Providers Web site (http://www.microsoft.com/serviceproviders) for relevant hosting information.