After you install Microsoft Exchange Server 2007, you still have a lot of configuration to do before the server is completely functional. Configuration tasks vary considerably depending on the existing Exchange Server organization (e.g., how many servers you have, what jobs those servers are performing) and on the roles installed on the server.

Rather than discussing every potential configuration setting, I'll instead focus on general configuration tasks and the initial configuration of the Mailbox, Client Access, and Hub Transport server roles because they're the most commonly used. For a checklist of the tasks, see the sidebar, "Server Configuration Steps for Exchange 2007".

General Configuration Tasks
One aspect of Exchange 2007 that's particularly useful is that you don't have to guess about which configuration tasks to perform after installation. You can easily find a list of post-installation deployment tasks by opening Exchange Management Console and clicking the Microsoft Exchange container, which displays the Exchange Server 2007 Finalize Deployment page. As Figure 1 shows, most of these tasks are organized by server role. However, the first two tasks on the list apply to all Exchange 2007 servers, regardless of the roles they're hosting.

Enter a product key. Although the first configuration task listed for all Exchange 2007 servers is entering a product key, I recommend saving this task for later. Exchange 2007 will run in a fully functional state without a product key for 120 days. Each time you open Exchange Management Console, Exchange tells you how many days you have until a product key is required. Microsoft products typically can be activated only a certain number of times; Exchange 2007 doesn't use a true activation, but it does use a similar online validation. Waiting to enter a product key lets you work out any kinks in your system without wasting your validations should you need to reinstall Exchange a few times or if you decide to run Exchange on different hardware.

Run the Best Practices Analyzer. The next task on the list is to run the Exchange Server Best Practices Analyzer (ExBPA), a tool that helps you make sure your Exchange server is configured for optimum performance and security. ExBPA is included in Exchange 2007, but you can also download it separately from Microsoft's Web site (http://www.microsoft.com/downloads/details.aspx?FamilyID=dbab201f-4bee-4943-ac22-e2ddbd258df3). As Figure 2 shows, ExBPA even lets you perform an Exchange 2007 readiness check on your existing organization and network infrastructure before installation.

It's a good idea to run ExBPA immediately after installation as Microsoft recommends. ExBPA's report might point out more inadequacies than you'd care to see, but this is partially because the server hasn't been fully configured yet. You can use the report to help you with the configuration process. To learn more about how ExBPA can assist in your Exchange configuration, see "ExBPA: Analyze This!" January 2005, InstantDoc ID 44709, and the Exchange & Outlook Administrator article "The Exchange Best Practices Analyzer," February 2005, InstantDoc ID 44793. After you've finished configuring the server, you can run ExBPA again to see whether you've caught all the problems.

Configuring the Mailbox Server
The first task for the Mailbox server is configuring Offline Address Book (OAB) distribution for Microsoft Office Outlook 2007 clients. Because you can host an OAB on a Client Access server, which is accessible from the Web, the OAB can be distributed to any Outlook 2007 client with an Internet connection.

Assuming you have a Client Access server in your organization, you enable Web distribution of the OAB by navigating through the Exchange Management Console tree to Organization Configuration\Mailbox. Click the Mailbox container, then click the Offline Address Book tab in the detail pane to display a link for the default OAB. Right-click the link and choose Properties from the shortcut menu. In the Properties sheet, click the Distribution tab, then select the Enable Web-based distribution check box. Click the Add button, then select an OAB virtual directory. An OAB virtual directory is created automatically when you deploy your Client Access server.

The last step in the process is to associate a URL with the OAB virtual directory so that Outlook 2007 clients can access the OAB. Navigate through the console tree to Server Configuration\Client Access. When you click the Client Access container, the detail pane displays a list of Client Access servers. Select the server that's hosting the OAB virtual directory, and the bottom half of the detail pane displays several tabs for this server. Select the Offline Address Book Distribution tab, and you should see a listing for the OAB URL. Right-click the URL and choose Properties from the shortcut menu. In the OAB Properties sheet, click the URLs tab, which will already contain an internal URL. You'll need to enter an external URL that Outlook 2007 clients can use to access the OAB.

Clients running Microsoft Office Outlook 2003 and earlier will be unable to access the OAB using a Web link. For these clients, you'll have to create a public folder in which to host the OAB. I'm assuming that your server already contains a public folder store; if it doesn't and you don't know how to create one, then you can click the Configure Offline Address Book (OAB) distribution for Outlook 2003 and earlier clients link in the tasks list for instructions.

Next, navigate through the console tree to Organization Configuration\Mailbox, then select the Offline Address Book tab in the detail pane. Right-click the Default Offline Address List and choose Properties from the shortcut menu. In the Default Offline Address List Properties sheet, click the Distribution tab. As Figure 3 shows, you must select which legacy clients you want to support, then select the Enable public folder distribution check box.

Configuring the Client Access Server
The Client Access portion of the post-installation tasks list includes two tasks: configuring Secure Sockets Layer (SSL) encryption and configuring Exchange ActiveSync (EAS). However, depending on how your Exchange organization is configured, these tasks might not be necessary.

Configuring SSL Encryption. An SSL certificate is required for encryption when a Microsoft Outlook Web Access (OWA) client connects to the Client Access server. The only time an SSL certificate wouldn't be required on a Client Access server is when you offload SSL encryption to another device to conserve resources on your Exchange server.

The good news is that Exchange 2007 is flexible in the types of certificates it lets you use. You can use an Exchange 2007 self-signed certificate, purchase an SSL certificate from a Certificate Authority (CA), or get a certificate from a public key infrastructure (PKI) CA. The advantage of using a self-signed certificate is that it's free and easy to deploy. However, no one outside your organization will acknowledge the self-signed certificate as having come from a credible source. A certificate from a commercial CA carries credibility but can be expensive to purchase.

To use a self-signed certificate, you generate the certificate by using the Exchange Management Shell's New-ExchangeCertificate cmdlet, as follows:

New-ExchangeCertificate -GenerateRequest `
  -domainname <yourdomain.com> `
  -FriendlyName <yourdomain.com> `
  -privatekeyexportable:$true `
  -path c:\cert_myserver.txt

In the previous command, you'd replace yourdomain.com with the name of your domain. You can enter multiple domains separated by commas if you want. FriendlyName is the name that's displayed for the certificate being generated; it must be fewer than 64 characters. Figure 4 shows an example of this command and its output.

Regardless of how you obtain an SSL certificate, the procedure for installing the certificate is basically the same. Open Exchange Management Shell and enter the following command, where c:\newcert.cer is the path and filename for the certificate you're importing:

Import-ExchangeCertificate `
  -path c:\newcert.cer

Now, list the certificates in the local computer's certificate store by using the following command, and copy the digest, or thumbprint, of the certificate to the Clipboard:

Dir cert:\LocalMachine\My | fl

If multiple certificates are displayed, select the appropriate certificate by its friendly name. Next, use the information from the Clipboard to enable the certificate on the default Web site by using the following command:

Enable-ExchangeCertificate -thumbprint `
  <the value stored in the Clipboard> `
  -services "IIS,IMAP,POP"

The last step in the process is to verify that Microsoft IIS is configured to require SSL encryption for virtual directories. Choose Internet Information Services (IIS) Manager from the Administrative Tools menu. In the IIS Manager console tree, navigate to your Default Web site and expand the container to reveal a list of the virtual directories in the default Web site. For each of these directories, right-click the directory and choose Properties from the shortcut menu. In the Properties sheet, click the Directory Security tab, then click Edit in the Secure Communications section to display the Secure Communications dialog box. Select the Require Secure Channel check box and the Require 128-Bit Encryption check box. Click OK twice and move on to the next virtual directory. When you're done, you'll need to restart the POP3 and IMAP services.
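
The thumbprint lookup and enable steps above can also be scripted so that the thumbprint is read from the store instead of copied by hand. The following is an added example, not part of the original article; the friendly name is a placeholder, and the checks for a private key and a current validity period are additions.

```powershell
# Added example (not from the article). $friendlyName is a placeholder:
# use the friendly name you gave the certificate when you created it.
$friendlyName = 'yourdomain.com'

# Find the certificate by friendly name in the local computer's store.
$found = @(Get-ChildItem cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })

# Stop if the name is missing or ambiguous rather than guessing.
if ($found.Count -ne 1) {
    throw "Expected one certificate named '$friendlyName', found $($found.Count)."
}
$cert = $found[0]

# Refuse a certificate that cannot serve SSL connections.
$now = Get-Date
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server."
}
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $($cert.Thumbprint) is outside its validity period."
}

# Identical Subject and Issuer indicates a self-issued certificate.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "Certificate is self-signed; outside clients will not trust it."
}

# Same services as in the article's Enable-ExchangeCertificate command.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,IMAP,POP"

# Confirm which services the certificate is now bound to.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter
```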

Configuring EAS. You'll need to configure EAS only if some users in your organization use mobile devices to send and receive email. For this article, I'll assume that all your mobile users have devices running Windows Mobile 5.0; older versions aren't supported.

First, create a new EAS mailbox policy. Navigate through Exchange Management Console to Organization Configuration\Client Access. Now, click the New Exchange ActiveSync Mailbox Policy link in the Actions pane. Exchange Management Console opens a screen that lets you enter the particulars for your mailbox policy. As Figure 5 shows, you must enter a name for the policy you're creating, and you can set a number of security requirements, most of which are related to the device's password. Select the requirements appropriate for your organization, then click New to create the policy.

Keep in mind that merely creating a policy doesn't activate it; an EAS policy must be assigned to one or more mailboxes to be effective. Therefore, you can create multiple EAS policies and assign different policies to different users.

To assign an EAS policy to a mailbox, click the Exchange Management Console's Recipient Configuration container to display a list of all the mailboxes in the Exchange organization. Display the Properties sheet for the mailbox you want to apply the policy to and click the Mailbox Features tab. Choose the Exchange ActiveSync option from the list of mailbox features, then click Properties to display the Exchange ActiveSync Properties dialog box. Select the Apply an Exchange ActiveSync Mailbox Policy check box, then click Browse to locate and select the policy you want. Click OK twice to associate the policy with the mailbox.
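
The same policy creation and assignment can be done from Exchange Management Shell, which also makes it easy to find mailboxes that have ActiveSync enabled but no policy assigned. This is an added example, not part of the original article; the policy name, mailbox address, and password settings are illustrative assumptions.

```powershell
# Added example (not from the article). Names and values are placeholders.
$policyName = 'Mobile Baseline'        # hypothetical policy name
$mailbox    = 'user@yourdomain.com'    # placeholder mailbox

# Create a policy that requires a device password and locks idle devices.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -AllowNonProvisionableDevices $false

# A policy has no effect until it is assigned to a mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Audit: mailboxes that can sync from a device but have no policy assigned.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
```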

Configuring the Hub Transport Server
You might need to perform as many as three post-installation tasks on servers hosting the Hub Transport role: configuring the domains for which you'll accept email, subscribing to an Edge Transport server, and creating a postmaster mailbox. Depending on the specifics of your Exchange organization, any or all of these tasks might be optional.

Configuring the domains for which you'll accept email. Your Exchange server will be configured automatically to accept mail for your forest root domain, but you might need to configure it to accept mail from external SMTP domains as well. For example, my network is divided into two domains: production.com and test.com. My Exchange server was configured by default to accept mail for production.com, but my email comes through an external domain, brienposey.com. I therefore had to configure my Exchange server to accept mail from this external domain.

To add a domain, navigate through the console tree to Organization Configuration\Hub Transport. Click the Hub Transport container, click the Accepted Domains tab in the detail pane, then click the New Accepted Domain link in the Actions pane to add the domain to the list. As Figure 6 shows, you need to enter the domain's Fully Qualified Domain Name (FQDN) and a display name. You must also specify whether the domain is authoritative, an internal relay domain, or an external relay domain. Click New, and the domain will be added to the list.

Subscribing the Edge Transport server. Setting up an Edge Subscription is required only if your organization uses an Edge Transport server. An Edge Subscription is basically a one-way trust with the Active Directory (AD) database that lets the Edge Transport server receive AD information without compromising the AD database in the process. First, you create an XML file on the Edge Transport server by using the New-EdgeSubscription cmdlet. Then, copy the XML file to your Hub Transport server. For security reasons, be sure to erase the file from the Edge Transport server. Navigate through the console to Hub Transport, click the Edge Subscription tab, then click the New Edge Subscription link in the Actions pane. Now, click Browse to locate the XML file, verify that the Automatically create a Send connector for this Edge Subscription check box is selected, then click New to import the XML file and create the Edge Subscription. For more detailed instructions for configuring an Edge Subscription, click the Subscribe Edge Transport Server link in the list of post-installation configuration tasks.

Creating a Postmaster Mailbox. The last step in the configuration process is to configure a mailbox to act as the postmaster. If there are other Exchange servers in your organization, this step might not be necessary, but you need to be sure. Open Exchange Management Shell and enter the following command:

Get-TransportServer

Look at the ExternalPostmasterAddress column in the results and verify that an address for the postmaster exists. If an address doesn't exist, you'll need to specify a postmaster address by entering the following command:

Set-TransportServer -Identity <server name> `
  -ExternalPostmasterAddress `
  <postmaster email address>

As you can see, this command requires you to enter a server name and the email address for the postmaster account. You can create a dedicated mailbox to act as a postmaster mailbox, or you can send postmaster messages to a user who already has a mailbox.

Finishing What You Start
As you can see, installing Exchange 2007 is only half the fun. You'll still need to complete these important configuration tasks before you can use your Exchange 2007 server. Keep in mind that your actual configuration tasks will vary depending on your servers' roles and on your Exchange organization's existing configuration. The post-installation tasks list in Exchange Management Console should help you finish what you started and get your servers ready to run.