What's New in Exchange Server 2003

Valid Until: Service Pack 1
Product Version: Exchange Server 2003
Reviewed by: Exchange Product Development
Latest Content: www.microsoft.com/exchange/library
Author: Exchange Documentation Team

Published: May 2003
Updated: October 2003
Applies To: Exchange Server 2003


Copyright
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this
document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results of the use of this document remains with the user. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no
association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or
should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in
this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not
give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, ActiveX, FrontPage, Outlook, Windows, Windows Server, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contributing Writers: Patricia Anderson, Teresa Appelgate, Susan Hill, Jon Hoerlein, Aaron Knopf,
Jyoti Kulkarni, Michele Martin, Joey Masterson, John Speare, Randy Treit, Christopher Budd, Tammy Treit

Editors: Brendon Bennett, Lindsay Pyfer, Cathy Anderson

Technical Reviewers: Exchange Product Team

Graphic Design: Kristie Smith

Production: Sean Pohtilla, Joe Orzech


Table of Contents

Introduction ..... 1
  What Is Updated in This Book? ..... 1
  Updated Chapters ..... 1

Chapter 1: Overview of Exchange 2003 ..... 3
  Exchange 2003 Test Environments ..... 3
  Operating Systems ..... 4
  Coexistence and Upgrade from Previous Versions ..... 4
  What Features Have Been Removed ..... 5
  Connectors for Lotus cc:Mail and MS Mail ..... 5
  Real-Time Collaboration Features ..... 5
  M: Drive ..... 6
  Key Management Service ..... 6

Chapter 2: Client Features ..... 7
  Outlook Improvements ..... 7
  Cached Exchange Mode and Synchronization Improvements ..... 7
  Outlook Performance Monitoring ..... 10
  RPC over HTTP ..... 10
  Outlook Web Access Improvements ..... 19
  Outlook Web Access Versions ..... 19
  Logon and Logoff Improvements ..... 29
  New User Interface ..... 32
  Support for Rules ..... 41
  Spelling Checker ..... 42
  Tasks ..... 44
  Message Signatures ..... 46
  Viewing User Properties ..... 47
  Easier Removal of Recipients ..... 48
  Adding a Sender or Recipient to Contacts ..... 48
  Selecting a Default Font ..... 49
  Reply Header and Body Not Indented ..... 49
  Web Beacon Blocking ..... 49
  Blocking Attachments ..... 50
  Junk E-mail Filtering ..... 51
  Sensitivity and Reply/Forward InfoBars ..... 51
  Item Window Size ..... 51
  Meeting Requests ..... 52
  Composing Messages to Recipients From the Address Book ..... 52
  Improved Performance ..... 53
  Outlook Web Access Compression ..... 53
  S/MIME Support ..... 54
  Mobile Services for Exchange ..... 66
  Exchange ActiveSync ..... 67
  Outlook Mobile Access ..... 69

Chapter 3: Administration Features ..... 74
  New Mail-Enabled Objects for Managing Recipients ..... 75
  InetOrgPerson ..... 75
  Query-Based Distribution Groups ..... 77
  Improved Ability to Restrict Submissions to Users and Distribution Lists (Restricted Distribution Lists) ..... 88
  Enhanced Exchange Features on User Properties ..... 90
  Moving Mailboxes in Exchange System Manager ..... 92
  Enhancements to Queue Viewer ..... 93
  Disabling Outbound Mail ..... 95
  Setting the Queue Viewer Refresh Rate ..... 96
  Finding Messages ..... 96
  Viewing Additional Information About a Queue ..... 98
  Viewing Previously Hidden Queues ..... 99
  Improved Public Folder Referral ..... 101
  Improved Public Folder Interfaces ..... 102
  Manually Starting Replication ..... 104
  Microsoft Exchange Public Folder Migration Tool ..... 105
  Mailbox Recovery Center ..... 106
  Improved Message Tracking ..... 110
  Enhanced Control of Message Tracking Logs in Exchange System Manager ..... 110
  Enhanced Message Tracking Capabilities ..... 111
  Including Bcc Recipients in Archived Messages ..... 112
  Step 1: Enabling Archiving on a Mailbox Store ..... 113
  Step 2: Setting the Registry Key ..... 113
  Step 3: Restarting Services ..... 114

Chapter 4: Performance and Scalability Features ..... 115
  Improved Distribution List Membership Caching ..... 115
  Suppressing Out of Office Messages to Distribution List Members ..... 116
  Enhanced DNS-Based Internet Mail Delivery ..... 116
  Improved Outlook Synchronization Performance ..... 117
  Improved Outlook Web Access Performance ..... 118
  Monitoring Outlook Client Performance ..... 118
  Link State Improvements ..... 120
  Virtual Address Space Improvements ..... 120
  Changing the MTA File Directory Location Using System Manager ..... 122
  Changing the SMTP Mailroot Directory Location Using System Manager ..... 122
  Tuning Exchange 2003 ..... 123
  Removing Exchange 2000 Tuning Parameters ..... 123

Chapter 5: Reliability and Clustering Features ..... 127
  Reliability Features ..... 127
  Improved Virtual Memory Management ..... 128
  Mailbox Recovery Center ..... 129
  Recovery Storage Group ..... 130
  Improved Error Reporting ..... 130
  Clustering Features ..... 133
  Support For Up to Eight-Node Clusters ..... 135
  Support for Volume Mount Points ..... 136
  Improved Failover Time ..... 136
  Security Improvements ..... 137
  Checking Clustering Prerequisites ..... 140
  Exchange 2003 Cluster Requirements ..... 140
  Exchange Server 2003 Setup Requirements ..... 140
  Upgrading an Exchange 2000 Cluster and Exchange Virtual Server to Exchange 2003 ..... 141

Chapter 6: Transport and Message Flow Features ..... 143
  Link State Improvements ..... 144
  Improved Link State Availability ..... 145
  Link State Improvements for Oscillating Connections ..... 145
  Configuring Cross-Forest SMTP Mail Collaboration ..... 145
  Enabling Cross-Forest Authentication ..... 147
  Enabling Cross-Forest Collaboration by Resolving Anonymous Mail ..... 151
  Internet Mail Wizard ..... 157
  Configuring an Exchange Server to Send Internet Mail ..... 158
  Configuring an Exchange Server to Receive Internet Mail ..... 168
  Configuring an Exchange Server to Send and Receive Internet Mail ..... 177
  Configuring a Dual-Homed Exchange Server for Internet Mail ..... 190
  DSN Diagnostic Logging and DSN Codes ..... 204
  Configuring DSN Diagnostic Logging ..... 205
  DSN Codes Available in Exchange Server 2003 ..... 206
  Moving the X.400 (MTA) and SMTP Queue Directory Locations ..... 208
  Connection Filtering ..... 210
  How Connection-Filtering Rules Work ..... 211
  How Block List Providers Match Offending IP Addresses ..... 211
  Understanding Block List Provider Response Codes ..... 212
  Specifying Exceptions to the Connection Filter Rule ..... 213
  Enabling Connection Filtering ..... 214
  Inbound Recipient Filtering ..... 222
  Enabling Recipient Filtering ..... 222
  Understanding How Enabled Filters Are Applied ..... 225
  Improved Ability to Restrict Submissions to an SMTP Virtual Server ..... 228
  Improved Ability to Restrict Relaying on an SMTP Virtual Server ..... 229

Chapter 7: Storage Features ..... 231
  Shadow Copy Backup ..... 231
  Using Shadow Copy Backup ..... 232
  Recovery Storage Group ..... 232
  Microsoft Exchange Mailbox Merge Wizard ..... 237
  Improved Public Folder Store Replication ..... 237
  Improved Virus Scanning API ..... 238

Chapter 8: Development Features ..... 239
  New Development Technologies ..... 239
  Managed Wrappers for SMTP and Transport Sinks ..... 241
  Supported Development Technologies ..... 241
  Data Access Methods ..... 241
  Events and Notifications ..... 242
  Application Technologies ..... 242
  Monitoring ..... 242
  Specialized Programs ..... 242
  Developing .NET Applications for Exchange Server 2003 ..... 243
  Active Directory Classes and Attributes ..... 243
  Deprecated Exchange Development Technologies ..... 243
  Deprecated MAPI Technologies ..... 244

Chapter 9: Deployment Features ..... 245
  New Exchange 2003 Deployment Features ..... 245
  Exchange Server Deployment Tools ..... 246
  ADC Tools ..... 246
  Microsoft Exchange Public Folder Migration Tool ..... 247
  Exchange Server 2003 Setup Improvements ..... 248
  Installing Exchange System Management Tools Only ..... 250
  Windows Server 2003 Benefits ..... 251
  Prerequisites ..... 252
  Hardware Requirements ..... 252
  File Format Requirements ..... 252
  Operating System Requirements ..... 252
  Upgrading Front-End Servers ..... 255
  Upgrading Active Directory Connector ..... 256
  Removing Mobile Information Server Components ..... 256
  Required Components for Mobility Support ..... 257
  Removing Instant Messaging, Chat, ccMail, MSMail, and Key Management Service Components ..... 257
  Third-Party Software ..... 257
  Installing Exchange 2003 or Upgrading from Exchange 2000 ..... 258
  Upgrading from Exchange 5.5 to Exchange 2003 ..... 258

Appendix: Exchange 2003 Schema Changes ..... 261

Introduction

This document provides important information about using Microsoft® Exchange Server 2003.
The purpose of this document is to outline the new features in Exchange Server 2003 and provide
the basic information necessary to begin using these new features. This is not a comprehensive
document about Exchange, but a guide for getting started with testing and running
Exchange 2003.
This document supplements the release notes document (releasenotes.htm), and should be read
only after reviewing the release notes. The release notes contain critical information about known
issues with Exchange 2003.
This document is designed to benefit Exchange administrators who will be testing and deploying
Exchange 2003. Furthermore, this document assumes that you have an excellent working
knowledge of Exchange 2000 Server. It is structured based on Exchange components;
specifically, each chapter explains what the new component features are and how to begin using
them.
Provide feedback about this document to exchdocs@microsoft.com.

What Is Updated in This Book?

Since the previous version of this book was released, the following additions, deletions, or
modifications were made.

Updated Chapters
The following chapters are updated:
• Chapter 2, "Client Features." Added clarifications to the "Steps to Enable RPC over HTTP"
section. Added information about non-SSL configurations, as well as clarifications to the
"Configuring the RPC Proxy Server to Use Specified Ports" section.
• Chapter 3, "Administration Features." Updated the description of the failed message retry queue.
• Chapter 4, "Performance and Scalability Features." Updated the "Log Buffers" and "Max
Open Tables" sections. This information clarifies that edits are made using ADSI Edit, and
specifies the location of the object to be modified.
• Chapter 5, "Reliability and Clustering Features." Updated the "Exchange 2003 Cluster
Requirements" and "Exchange 2003 Setup Requirements" sections. This information
includes references to more in-depth resources and steps to upgrade an Exchange 2000
cluster and Exchange Virtual Server to Exchange 2003.
• Chapter 7, "Storage Features." Updated the procedure "To restore a mailbox store to the
Recovery Storage Group."
• Chapter 9, "Deployment Features." Expanded the "Exchange Server Deployment Tools"
section. Updated the location of the Public Folder Migration Tool. Consolidated the sections
"Windows Server 2003" and "Upgrading Windows 2000 Server to Windows Server 2003"
into a new section, "Upgrading the Operating Systems."
Chapter 1

Overview of Exchange 2003

Microsoft® Exchange Server 2003 builds on the Microsoft Exchange 2000 Server code base,
providing many new features and improvements in areas such as reliability, manageability, and
security.
Exchange Server 2003 is the first Exchange release designed to work with Microsoft Windows
Server™ 2003. Running Exchange 2003 on Windows Server 2003 provides several benefits, such
as improved memory allocation, reduced Microsoft Active Directory® directory service
replication traffic, and rollback of Active Directory changes. Running Exchange 2003 on
Windows Server 2003 also allows you to take advantage of new features, such as the Volume
Shadow Copy service and cross-forest Kerberos authentication. Exchange 2003 also runs on
Microsoft Windows® 2000 Server Service Pack 3 (SP3) or later.
Exchange 2003 works with Microsoft Office Outlook® 2003 to provide a range of improvements,
such as cached mode synchronization, client-side performance monitoring, and support for RPC
over HTTP (which allows users to connect directly to their Exchange server over the Internet
without needing to establish a virtual private network (VPN) tunnel).
When combined with Windows Server 2003 and Outlook 2003, Exchange 2003 provides a
robust, feature-rich end-to-end messaging system that is both scalable and manageable.

Exchange 2003 Test Environments
This section provides information about the test environments that you can use to deploy
Exchange 2003. Keep in mind, however, that because this document is designed to get you up to
speed on new features, it does not provide detailed instructions about how to deploy
Exchange 2003 in a production environment. For basic instructions about how to get
Exchange 2003 up and running in a test environment, see Chapter 9, "Deployment Features."

Operating Systems
Exchange 2003 runs on Windows Server 2003 and Windows 2000 Server SP3 or later.
Exchange 2003 has been optimized to run on Windows Server 2003; in fact, several
Exchange 2003 features require Windows Server 2003 functionality.
Exchange 2003 is supported in all Active Directory forest environments: native Windows 2000,
native Windows Server 2003, or mixed Windows 2000 and Windows Server 2003 forests. When
running in an environment with Windows 2000 domain controllers and global catalog servers,
the domain controllers and global catalog servers that Exchange 2003 uses must all be running
Windows 2000 SP3 or later. This requirement affects both Exchange 2003 servers and the
Exchange 2003 version of Active Directory Connector (ADC). ADC does not work with domain
controllers or global catalog servers that are running a version of Windows 2000 earlier than SP3.
Note
Although Exchange 2000 SP2 and later is supported in an environment with Windows
Server 2003 domain controllers and global catalog servers, Exchange 2003 is the
first version of Exchange that is supported when running on Windows Server 2003.
Exchange 2000 is not supported on Windows Server 2003.
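The requirement above (Windows 2000 domain controllers and global catalog servers used by Exchange 2003 and the Exchange 2003 ADC must run SP3 or later) is easy to verify before deployment. The following script is an added example, not part of the Microsoft document: it queries Active Directory for every domain controller account in the current domain (global catalog servers are domain controllers, so they are included) and reports whether each one satisfies the stated requirement. It assumes the machine running it is domain-joined and can reach a domain controller, and it only reads the directory; the function and variable names are the example's own.

```powershell
# Added example (not from the Microsoft document). Read-only LDAP query that
# lists each domain controller's operating system and service pack and checks
# the Exchange 2003 / ADC requirement: Windows 2000 DCs and GCs need SP3 or
# later; Windows Server 2003 DCs need no service pack for this check.

function Test-DcMeetsExchange2003Requirement {
    param(
        [string]$OperatingSystem,   # value of the operatingSystem attribute, e.g. "Windows 2000 Server"
        [string]$ServicePack        # value of operatingSystemServicePack, e.g. "Service Pack 3" or ""
    )
    if ($OperatingSystem -match 'Windows Server 2003') { return $true }
    if ($OperatingSystem -match 'Windows 2000') {
        # Pull the numeric SP level out of the attribute; no SP at all counts as 0.
        $level = 0
        if ($ServicePack -match 'Service Pack (\d+)') { $level = [int]$Matches[1] }
        return ($level -ge 3)
    }
    # Anything else (for example Windows NT 4.0) is not a supported DC for Exchange 2003.
    return $false
}

# userAccountControl bit 0x2000 (8192, SERVER_TRUST_ACCOUNT) marks domain
# controller computer accounts; the 1.2.840.113556.1.4.803 rule is the LDAP bitwise AND.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
[void]$searcher.PropertiesToLoad.AddRange(@('dNSHostName', 'operatingSystem', 'operatingSystemServicePack'))

foreach ($result in $searcher.FindAll()) {
    # Property names come back lowercased in the result collection.
    $name = [string]$result.Properties['dnshostname'][0]
    $os   = [string]$result.Properties['operatingsystem'][0]
    $sp   = [string]$result.Properties['operatingsystemservicepack'][0]
    $ok   = Test-DcMeetsExchange2003Requirement -OperatingSystem $os -ServicePack $sp
    [pscustomobject]@{
        DomainController = $name
        OperatingSystem  = $os
        ServicePack      = $sp
        MeetsRequirement = $ok
    }
}
```

Run it once per domain that will host Exchange 2003 servers or the Exchange 2003 ADC. Any row with MeetsRequirement set to False identifies a domain controller that must be brought to Windows 2000 SP3 or later (or excluded from use by Exchange) before installation.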

Coexistence and Upgrade from Previous Versions
Exchange 2003 can coexist with Exchange 2000 and, when running in Exchange mixed mode,
with Microsoft Exchange Server 5.5 servers.
For Exchange 2000, Exchange 2003 supports in-place upgrades.
In-place upgrades are not supported for Exchange 5.5 servers. To upgrade from Exchange 5.5 to
Exchange 2003, you must join an Exchange 2003 server to the Exchange 5.5 site, then move
Exchange resources, such as mailboxes, to the Exchange 2003 server. Use the Exchange Server
Deployment Tools to migrate from Exchange 5.5 to Exchange 2003. For information about the
Exchange Server Deployment Tools, see "Exchange Server Deployment Tools" in Chapter 9.
Although Exchange 2000 did support in-place upgrades from Exchange 5.5, the "move-resources"
scenario is the recommended Exchange 5.5 to Exchange 2000 upgrade path.

What Features Have Been Removed
While the bulk of this document discusses what is new in Exchange 2003, there are several
Exchange 2000 features that have either been discontinued or moved to other product lines. The
following features have been removed:
• Connectors for Lotus cc:Mail and MS Mail
• Real-Time Collaboration Features
• M: Drive
• Key Management Service

Connectors for Lotus cc:Mail and MS Mail
The Connector for Lotus cc:Mail and Connector for MS Mail components are not supplied with
Exchange 2003. Using Exchange 2003 System Manager to manage MS Mail or cc:Mail
connectors on Exchange 2000 servers is not supported. If you need to manage these connectors,
use the Exchange 2000 SP3 or later version of System Manager.
If you want to upgrade an existing Exchange 2000 server to Exchange 2003 and either of these
connectors is installed, you must use the Exchange 2000 Setup program to remove the connector
before upgrading. If you want to retain these services in your organization, you should not
upgrade the Exchange 2000 servers that are running these components. Instead, you should
install Exchange 2003 on other servers in your organization.

Real-Time Collaboration Features


Exchange 2000 supports numerous real-time collaboration features such as chat, Instant
Messaging, conferencing (using Microsoft Exchange Conferencing Server), and multimedia
messaging (also known as unified messaging). These features have been removed from
Exchange 2003. A new dedicated real-time communications and collaboration server (currently
under development—code-named Greenwich) will provide these real-time collaboration features.
As with the cc:Mail and MS Mail connectors, you cannot upgrade a server with Exchange 2000
real-time collaboration features installed. You must remove these components prior to upgrading.

M: Drive
The Exchange store (which uses the \\.\BackOfficeStorage\ namespace) has traditionally been
mapped to the M: drive on an Exchange server. M: drive mapping provided file system access to
the Exchange store. The M: drive is disabled, by default, in Exchange 2003. You can still use the
file system to interact with the Exchange store, but you must enter the path directly using the
\\.\BackOfficeStorage\ namespace. For example, to view the contents of the mailbox store on an
Exchange server in the mail.adatum.com domain, you would type the following at a command
prompt:

dir \\.\BackOfficeStorage\mail.adatum.com\mbx
The reason for removing the M: drive mapping is because, in some cases, the mailbox store
would become corrupted from file system operations, such as running a file-level virus scanner
on the M: drive or running file backup software on the drive. For Exchange 2000, you should
consider disabling the M: drive-mapping feature. For information about how to disable this
feature, see Microsoft Knowledge Base article 305145, "HOW TO: Remove the IFS Mapping for
Drive M in Exchange 2000 Server" (http://support.microsoft.com/?kbid=305145).
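The two points in this section, that the M: drive exposes the store to file-level scanners and backup tools that can corrupt it, and that the store stays reachable through the \\.\BackOfficeStorage\ path, can be checked from a script. The following is an added example and not part of the Microsoft document: it reports whether an M: drive letter is still mapped on the server, and then lists the mailbox store by its full path using the same dir command the document shows. The $DomainName parameter and the function name are the example's own; mail.adatum.com is the document's fictitious example domain.

```powershell
# Added example (not from the Microsoft document). Run on the Exchange server.
param(
    [string]$DomainName = 'mail.adatum.com'   # assumed parameter; the document's example domain
)

function Get-ExchangeDriveMappingStatus {
    # Win32_LogicalDisk enumerates every drive letter on the server, including
    # the Exchange store mapping that Exchange 2000 exposes as M:.
    # Returns $true when an M: drive is present.
    $m = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='M:'"
    return ($null -ne $m)
}

if (Get-ExchangeDriveMappingStatus) {
    # Presence of M: means file-level tools can reach the store. The document
    # recommends disabling the mapping on Exchange 2000 (see KB 305145) and
    # keeping virus scanners and file backup software away from it.
    Write-Warning "M: drive mapping is present. Exclude it from file-level virus scanning and file backups, or remove the mapping (KB 305145)."
} else {
    Write-Host "No M: drive mapping found (the Exchange 2003 default)."
}

# With the mapping gone, the store is still reachable by full path. cmd.exe is
# used here because the document demonstrates access with the dir command.
$storePath = "\\.\BackOfficeStorage\$DomainName\mbx"
cmd.exe /c "dir `"$storePath`""
```

The warning branch is the one worth wiring into a deployment checklist: an M: drive that survives an upgrade is exactly the condition under which a scheduled file-level scan or backup can damage the mailbox store.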

Key Management Service


Exchange 2000 includes Key Management Service, which works with Windows 2000 Certificate
Services to create a public key infrastructure (PKI) for performing secure messaging. With PKI
in place, users can send signed and encrypted messages to each other. Exchange 2000 Key
Management Service provides a mechanism for enrolling users in Advanced Security, and
manages key archival and recovery functions.
Exchange 2003 no longer includes Key Management Service. Exchange 2003 supports standard
X.509v3 certificate implementation, and works with PKI solutions that support X.509v3
certificates. For example, you can use the PKI included with Windows Server 2003 in place of
Key Management Service. Specifically, Windows Server 2003 PKI includes the ability to manage
the key archival and recovery tasks that are performed by Key Management Service in
Exchange 2000.
Chapter 2

Client Features

This chapter focuses on the new client features for accessing Microsoft® Exchange Server 2003.
In addition to taking advantage of new Microsoft Office Outlook® 2003 features, Exchange 2003
includes an improved Microsoft Outlook Web Access client, as well as new built-in mobile
device support.

Outlook Improvements
Outlook 2003, in conjunction with Exchange 2003, offers many enhancements. This section
discusses these enhancements, including Outlook 2003 improvements and new features.

Cached Exchange Mode and Synchronization Improvements
Exchange 2003 and Outlook 2003 allow users to read e-mail or perform other messaging tasks in
low-bandwidth networks and in situations where network connectivity is lost. Request for
information notifications from the Exchange server are eliminated on the user's Outlook client,
thereby allowing the user to work without interruption in low-bandwidth, high-latency networks.
Furthermore, Exchange 2003 and Outlook 2003 significantly improve client performance by
reducing remote procedure calls (RPCs) and conversation between the Outlook client and the
Exchange server. This is accomplished in three ways:
Cached Exchange Mode
When possible, Outlook 2003 uses the local Exchange mailbox data file stored on the user's
computer, thereby reducing the number of requests to the server for data and improving
performance for items that are stored in the cache. This new functionality eliminates the
need to inform users of delays when requesting information from Exchange servers.
Kerberos authentication protocol
Exchange 2003 allows Outlook 2003 clients to authenticate to Exchange 2003 servers using
Kerberos authentication.
Synchronization Improvements
To reduce the amount of information that is sent between the Outlook 2003 client and
Exchange 2003 servers, Exchange 2003 performs data compression. Exchange 2003 also
reduces the total requests for information between the client and server, thereby optimizing
the communication between the client and the server.
The addition of Cached Exchange Mode, coupled with the synchronization and optimization
improvements, significantly enhances the remote end-user's experience with Outlook. For
example, in previous versions of Outlook, dialog boxes would display requests for information
from an Exchange server; however, in Outlook 2003, these requests no longer appear on a user's
Outlook client because the user works primarily from their local Exchange mailbox data file (this
functionality also reduces the total load on your Exchange servers). More importantly, if network
connectivity is lost between the Outlook client and the network, Outlook 2003 will operate
without interruption.

Configuring Cached Exchange Mode


By default, new installations of Outlook 2003 use Cached Exchange Mode. If you are upgrading
from previous versions of Outlook to Outlook 2003, you must manually configure the Outlook
client to use Cached Exchange Mode. To do this, modify a user's profile to use the local copy of
their Exchange mailbox.

To enable Cached Exchange Mode for Outlook 2003 upgrades


1. On the computer running Outlook 2003, click Start and then click Control Panel.
2. In Control Panel, perform one of the following tasks:
• If you are using Category View, in the left pane, under See Also, click Other Control
Panel Options, and then click Mail.
• If you are using Classic View, double-click Mail.
3. In Mail Setup, click E-mail Accounts.
4. In the E-mail accounts wizard, click View or change existing e-mail accounts, and then
click Next.
5. On the E-mail Accounts page, highlight your account, and then click Change.
Chapter 2: Client Features 9

6. On the Exchange Server Settings page, select the Use local copy of Mailbox check box
(Figure 2.1).

Figure 2.1 The Exchange Server Settings page in the E-mail Accounts wizard
7. Click Next, and then click Finish to save the changes to your local profile.

Kerberos Authentication
Exchange 2003 and Outlook 2003 can now use Kerberos authentication to authenticate users to
Exchange 2003 servers. If your network uses Microsoft Windows Server™ 2003 domain
controllers, your users can authenticate cross-forest to the domain controllers in trusted forests,
thereby allowing user accounts and Exchange servers to exist in different forests.
Exchange 2003 uses Kerberos delegation when sending user credentials between an Exchange
front-end server and Exchange back-end servers. In previous versions of Exchange, when users
used applications such as Outlook Web Access, Exchange used Basic authentication to send the
user's credentials between an Exchange front-end server and Exchange back-end servers. As a
result, companies had to use a security mechanism such as IPSec to encrypt the information.

Outlook Performance Monitoring


Exchange 2003 now includes the ability to monitor client-side performance with Outlook 2003.
For information about how to monitor client-side performance, see Chapter 4, "Performance and
Scalability Features."

RPC over HTTP


Exchange Server 2003 and Microsoft Outlook 2003 support the use of the RPC over HTTP feature in
Microsoft Windows® to access Exchange. Using the RPC over HTTP feature eliminates the need
for remote office users to use a virtual private network (VPN) to connect to their Exchange
servers. Users running Outlook 2003 can connect directly over the Internet to an Exchange server
within the corporate environment.
The Windows RPC over HTTP feature provides an RPC client (such as Outlook 2003) with the
ability to establish connections across the Internet by tunneling the RPC traffic over HTTP.
Because standard RPC communication is not designed for use on the Internet and does not work
well with perimeter firewalls, RPC over HTTP makes it possible to use RPC clients in
conjunction with perimeter firewalls. If the RPC client can make an HTTP connection to a
remote computer running Internet Information Services (IIS), the client can connect to any
available server on the remote network and execute remote procedure calls. Moreover, the RPC
client and server programs can connect across the Internet—even if both are behind firewalls on
different networks.

Configuring RPC over HTTP for Outlook 2003


When you deploy RPC over HTTP in your corporate environment, you have two main
deployment options to choose from, based on where you locate your RPC proxy server:

• Option 1 (recommended) Deploy an advanced firewall server such as Internet
Security and Acceleration (ISA) Server in the perimeter network and position your RPC
Proxy server within the corporate network.
Note
When you use ISA Server as your advanced firewall server, you have several
deployment options. For information about how to install ISA Server as an
advanced firewall server, see the book, Using Microsoft Exchange 2000 Front-
End Servers (http://go.microsoft.com/fwlink/?linkid=14575&clcid=0x409).

• Option 2 Position the Exchange 2003 front-end server acting as an RPC Proxy server in
the perimeter network.
For more information about the two options for deploying RPC over HTTP, see Chapter 4 in the
book Planning an Exchange 2003 Messaging System
(http://www.microsoft.com/exchange/library).
Option 1: Using ISA Server in the Perimeter Network and Positioning the RPC Proxy Server in the Corporate Network
This is the recommended option. By using ISA Server in the perimeter network to route RPC
over HTTP requests and positioning the Exchange front-end server in the corporate network, you
only need to open port 80 or port 443 on the internal firewall for Outlook 2003 clients to
communicate with Exchange. Figure 2.2 illustrates this deployment scenario.

Figure 2.2 Deploying RPC over HTTP using ISA Server as a reverse proxy server in the perimeter network
When located in the perimeter network, the ISA server is responsible for routing RPC over HTTP
requests to the Exchange front-end server acting as an RPC Proxy server. In this scenario, the
RPC Proxy server uses specified ports to communicate with other servers that use RPC over
HTTP.

Option 2: Positioning the RPC Proxy Server in the Perimeter Network


Although not recommended, you can position the Exchange Server 2003 front-end server acting
as the RPC Proxy server inside the perimeter network. In this scenario, you specify a limited
number of ports that the RPC Proxy server needs. Figure 2.3 illustrates this deployment scenario.
Note that in the following example, your Exchange front-end server will still need all of the
standard ports to communicate with the internal corporate network in addition to the ports for
RPC over HTTP.

Figure 2.3 Deploying RPC over HTTP on the Exchange front-end server in the perimeter network
For information about how to configure RPC over HTTP deployment options 1 and 2, see
"Deploying RPC over HTTP" later in this chapter. Again, in this scenario, the RPC Proxy server
uses specified ports to communicate with other servers that use RPC over HTTP.

RPC over HTTP System Requirements


To use RPC over HTTP, you must run Windows Server 2003 on the following computers:

• All Exchange 2003 servers that will be accessed with Outlook 2003 clients using RPC over
HTTP.
• The Exchange 2003 front-end server acting as the RPC Proxy server.
• The global catalog server used by Outlook 2003 clients and the Exchange 2003 servers
configured to use RPC over HTTP.
Exchange 2003 must be installed on all Exchange servers that are used by the computer
designated as the RPC proxy server. Additionally, all client computers running Outlook 2003
must also be running Microsoft Windows XP Service Pack 1 (SP1) or later with the "Windows
XP Patch: RPC Updates Needed for Exchange Server 2003 Beta"
(http://go.microsoft.com/fwlink/?LinkId=16687) update installed.

Deploying RPC over HTTP


This section provides detailed steps about how to deploy RPC over HTTP in your
Exchange 2003 organization. Complete the steps in the following order.

1. Configure your Exchange front-end server as an RPC Proxy server.
2. Configure the RPC virtual directory in Internet Information Services (IIS) on the Exchange
front-end server.
3. Configure the registry on the Exchange 2003 computer that communicates with the RPC
proxy server to use the specific ports for RPC over HTTP communication.
4. Open the specific ports on the internal firewall for RPC over HTTP, as well as the standard
ports for Exchange front-end communication.
5. Create a profile for each of your users to use with RPC over HTTP.
Each of these steps is detailed in the following sections. After you have completed these steps,
your users can begin using RPC over HTTP to access the Exchange front-end server.

Step 1: Configuring Your Exchange Front-End Server to Use RPC over HTTP
The RPC Proxy server processes the Outlook 2003 RPC requests that come in over the Internet.
In order for the RPC Proxy server to successfully process the RPC over HTTP requests, you must
install the Windows Server 2003 RPC over HTTP Proxy networking component on your
Exchange front-end server.

To configure your Exchange front-end server to use RPC over HTTP


1. On the Exchange front-end server running Windows Server 2003, click Start, click Control
Panel, and then click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components in the left pane.
3. In the Windows Components Wizard, on the Windows Components page, highlight
Networking Services, and then click Details.
4. In Networking Services, select the RPC over HTTP Proxy check box, and then click OK.
5. On the Windows Components page, click Next to install the RPC over HTTP Proxy
Windows component.

Step 2: Configuring the RPC Virtual Directory in Internet Information Services
Now that you have configured your Exchange front-end server to use RPC over HTTP, you must
configure the RPC virtual directory in IIS.

To configure the RPC virtual directory


1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet
Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, in the console tree, expand the server
you want, expand Web Sites, expand Default Web Site, right-click the RPC virtual
directory, and then click Properties.

3. In RPC Properties, on the Directory Security tab, in the Authentication and access
control pane, click Edit.
Note
RPC over HTTP does not allow anonymous access.

4. Under Authenticated access, select the check box next to Basic authentication (password
is sent in clear text), and then click OK.
5. To save your settings, click Apply, and then click OK.
Your RPC virtual directory is now set to use Basic authentication.
If you plan to use SSL, skip the following procedure. For non-SSL configurations, however, the
RPC proxy server must be configured to allow non-SSL sessions to be forwarded. Non-SSL
sessions are allowed to be forwarded by adding a specific registry value to the server.
Warning
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

To allow non-SSL-encrypted traffic with RPC over HTTP


1. On the RPC Proxy server, start Registry Editor (regedit).
2. In the console tree, navigate to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy

3. In the details pane, right-click and add a new DWORD Value named AllowAnonymous,
and then right-click it and choose Modify.
4. In Edit DWORD Value, in the Value data box, enter 1.
The RPC proxy server is now configured to allow requests to be forwarded without the
requirement to first establish an SSL-encrypted session. The setting to enforce authenticated
requests is still controlled in the Authentication and access control settings.
For more information about configuring computers to use RPC over HTTP, see the MSDN®
topic "Configuring Computers for RPC over HTTP"
(http://go.microsoft.com/fwlink/?LinkId=19313).

Step 3: Configuring the RPC Proxy Server to Use Specified Ports


After you enable the RPC over HTTP networking component for IIS, you should configure the
RPC proxy server to use specific port numbers to communicate with the servers in the corporate
network. In this scenario, the RPC proxy server is configured to use specific ports and the
individual computers that the RPC proxy server communicates with are also configured to use
specific ports when receiving requests from the RPC proxy server. When you run Exchange 2003
Setup, Exchange is automatically configured to use the ncacn_http ports listed in Table 2.1.
Step 3 involves the following two procedures.
1. Configure the RPC Proxy server to use specified ports for RPC over HTTP requests to
communicate with servers inside the corporate network.
2. Configure the global catalog servers to use specified ports for RPC over HTTP requests to
communicate with the RPC Proxy server inside the perimeter network.
Warning
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

To configure the RPC Proxy server to use the specified default ports for RPC over HTTP
The following ports are the required ports for RPC over HTTP.

Table 2.1 Required ports for RPC over HTTP

Server                       Ports (Services)
Exchange back-end servers    593 (end point mapper), 6001 (Store), 6002 (DS referral), 6004 (DS proxy)
Global catalog server        593 and 6004

1. On the RPC Proxy server, start Registry Editor (regedit).
2. In the console tree, navigate to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy

3. In the details pane, right-click the ValidPorts subkey, and then click Modify (Figure 2.4).

Figure 2.4 The RPCProxy registry settings


4. In Edit String, in the Value data box, type the following information:
ExchangeBEServer:593;ExchangeBEServerFQDN:593;ExchangeBEServer:6001-6002;ExchangeBEServerFQDN:6001-6002;ExchangeBEServer:6004;ExchangeBEServerFQDN:6004;GlobalCatalogServer:593;GlobalCatalogServerFQDN:593;GlobalCatalogServer:6004;GlobalCatalogServerFQDN:6004

• ExchangeBEServer and GlobalCatalogServer are the NetBIOS names of your Exchange
back-end server and global catalog server.
• ExchangeBEServerFQDN and GlobalCatalogServerFQDN are the fully qualified domain
names (FQDNs) of your Exchange back-end server and global catalog server.

In the registry key, continue to list all servers in the corporate network with which the RPC
Proxy server will need to communicate.
Important
To communicate with the RPC Proxy server, all servers accessed by the Outlook
client must have set ports. If a server, such as an Exchange public folder server,
has not been configured to use the specified ports for RPC over HTTP
communication, the client will not be able to access the server.

To configure the global catalog servers to use specific ports for RPC over
HTTP
1. On the global catalog server, start Registry Editor (regedit).
2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

3. From the Edit menu, point to New, and then click Multi-String value.
4. In the details pane, create a multi-string value with the name NSPI interface protocol
sequences.
5. Right-click the NSPI interface protocol sequences multi-string value, and then click
Modify.
6. In Edit String, in the Value data box, type ncacn_http:6004
7. Restart the global catalog server.
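The two Step 3 procedures hinge on the ValidPorts string matching every server the RPC Proxy must reach, and the Important note above describes what happens when one is missed. The following added Python example (not code from the Exchange documentation) builds a ValidPorts value from a server inventory using the Table 2.1 port assignments and audits an existing value for missing entries; the server names and the ValidPorts string it checks are constructed placeholders, and the value itself would be taken from the RpcProxy registry key described in the procedure.

```python
"""Build and audit the RpcProxy ValidPorts value described in Step 3.

Added example, not code from the Exchange documentation. Server names are
constructed placeholders; the port requirements come from Table 2.1.
"""
from dataclasses import dataclass

# Ports each server role must accept from the RPC Proxy server (Table 2.1):
# 593 end point mapper, 6001 Store, 6002 DS referral, 6004 DS proxy.
REQUIRED_PORTS = {
    "backend": frozenset({593, 6001, 6002, 6004}),
    "gc": frozenset({593, 6004}),
}


@dataclass(frozen=True)
class RpcServer:
    """One corporate-network server the RPC Proxy must reach (inventory entry)."""
    netbios: str
    fqdn: str
    role: str  # "backend" (mailbox or public folder server) or "gc"


def port_spans(ports):
    """Collapse a set of ports into the 'n' and 'a-b' spans ValidPorts uses."""
    spans, run = [], []
    for port in sorted(ports):
        if run and port == run[-1] + 1:
            run.append(port)
        else:
            if run:
                spans.append(run)
            run = [port]
    if run:
        spans.append(run)
    return [str(r[0]) if len(r) == 1 else f"{r[0]}-{r[-1]}" for r in spans]


def build_valid_ports(servers):
    """Emit a ValidPorts string with a NetBIOS and an FQDN entry per span, in the
    order the procedure shows (host:593;fqdn:593;host:6001-6002;fqdn:6001-6002;...)."""
    entries = []
    for server in servers:
        for span in port_spans(REQUIRED_PORTS[server.role]):
            entries.append(f"{server.netbios}:{span}")
            entries.append(f"{server.fqdn}:{span}")
    return ";".join(entries)


def parse_valid_ports(value):
    """Parse an existing ValidPorts string into {hostname (lowercase): set of ports}.
    Blank entries (a trailing ';') and surrounding whitespace are tolerated."""
    allowed = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, _, span = entry.rpartition(":")
        if not host:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        low, _, high = span.partition("-")
        first, last = int(low), int(high or low)
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"bad port span in entry: {entry!r}")
        allowed.setdefault(host.lower(), set()).update(range(first, last + 1))
    return allowed


def audit_valid_ports(value, servers):
    """Return {name: [missing ports]} for each inventory name (NetBIOS or FQDN) the
    current ValidPorts value does not fully cover. Per the Important note, Outlook
    clients cannot reach a server whose ports are missing here."""
    allowed = parse_valid_ports(value)
    findings = {}
    for server in servers:
        for name in (server.netbios, server.fqdn):
            missing = REQUIRED_PORTS[server.role] - allowed.get(name.lower(), set())
            if missing:
                findings[name] = sorted(missing)
    return findings


if __name__ == "__main__":
    # Constructed inventory: a mailbox server, a public folder server, and a global catalog.
    inventory = [
        RpcServer("EXBE01", "exbe01.corp.example.com", "backend"),
        RpcServer("EXPF01", "expf01.corp.example.com", "backend"),
        RpcServer("GC01", "gc01.corp.example.com", "gc"),
    ]
    # Constructed ValidPorts value typed before EXPF01 existed: the public folder
    # server is absent and EXBE01 lacks the 6001-6002 span.
    current = ("EXBE01:593;exbe01.corp.example.com:593;EXBE01:6004;"
               "exbe01.corp.example.com:6004;GC01:593;gc01.corp.example.com:593;"
               "GC01:6004;gc01.corp.example.com:6004;")
    for name, ports in audit_valid_ports(current, inventory).items():
        print(f"{name}: missing {ports}")
    print("corrected ValidPorts:", build_valid_ports(inventory))
```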

Step 4: Create an Outlook Profile to Use With RPC over HTTP


In order for your users to use RPC over HTTP from their client computer, they must create an
Outlook profile that uses the necessary RPC over HTTP settings. These settings enable Secure
Sockets Layer (SSL) communication with Basic authentication, which is necessary when using
RPC over HTTP.
Although optional, it is highly recommended that you use the "Use Cached Exchange Mode"
option for all profiles that will connect to Exchange using RPC over HTTP.

To create an Outlook profile to use with RPC over HTTP


1. Click Start and then click Control Panel.
2. In Control Panel, perform one of the following tasks:
• If you are using Category View, in the left pane, under See Also, click Other Control
Panel Options, and then click Mail.
• If you are using Classic View, double-click Mail.
3. In Mail Setup, under Profiles, click Show Profiles.
4. In Mail, click Add.
5. In New Profile, in the Profile Name box, type a name for this profile, and then click OK.
6. In the E-mail Accounts wizard, click Add a new e-mail account, and then click Next.
7. On the Server Type page, click Microsoft Exchange Server, and then click Next.
8. On the Exchange Server Settings page, perform the following steps:
a. In the Microsoft Exchange Server box, type the name of your back-end Exchange
server where your mailbox resides.
b. Check the check box next to Use Cached Exchange Mode.
c. In the User Name box, type the user name.
d. Click More Settings.
9. On the Connection tab, in the Exchange over the Internet pane, select the Connect to my
Exchange mailbox using HTTP check box.
10. Click Exchange Proxy Settings.
11. On the Exchange Proxy Settings page, under Connections Settings, perform the following
steps:
a. Enter the fully qualified domain name (FQDN) of the RPC Proxy server in the Use this
URL to connect to my proxy server for Exchange box.
b. Select the Connect using SSL only check box.
c. Select the Mutually authenticate the session when connecting with SSL check box.
d. Enter the FQDN of the RPC Proxy server in the Principal name for proxy server box.
Use the format: msstd:FQDN of RPC Proxy Server.
e. As an optional step, you can configure Outlook 2003 to connect to your Exchange
server using RPC over HTTP by default by checking the check box next to On fast
networks, connect to Exchange using HTTP first, then connect using TCP/IP.
12. On the Exchange Proxy Settings page, in the Proxy authentication settings window, in the
Use this authentication when connecting to my proxy server for Exchange list, select
Basic Authentication.
13. Click OK.
14. Enable RPC over HTTP by configuring your user's profiles to allow for RPC over HTTP
communication with Outlook 2003. Alternatively, you can instruct your users on how to
manually enable RPC over HTTP for their Outlook 2003 profiles.
Note
If you have configured the client to communicate using SSL, you must add the
complete SSL certificate chain to the Trusted Root Certificate Authorities on the
client machine.

Your users are now configured to use RPC over HTTP.



Outlook Web Access Improvements
The new version of Outlook Web Access in Exchange Server 2003 represents a significant
upgrade from Outlook Web Access in Exchange 2000. The new version is a full-featured e-mail
client, with support for rules, spelling checker, signed and encrypted e-mail, and many other
improvements. The interface is also redesigned to provide an enhanced user experience similar to
that of Outlook 2003, including a new Reading Pane (previously called the Preview Pane in
Outlook) and improved Navigation Pane.

Outlook Web Access Versions


Exchange 2003 now includes two versions of Outlook Web Access:
Outlook Web Access Premium
Outlook Web Access Premium is designed for Microsoft Internet Explorer 5.01 or later.
Outlook Web Access Premium includes all Outlook Web Access features, including the new
enhanced features for Exchange 2003. Microsoft Internet Explorer 6 is required for some
features.
Outlook Web Access Basic
Outlook Web Access Basic is designed to work in browsers that support the HTML 3.2 and the
European Computer Manufacturers Association (ECMA) script standards. It provides a subset of
the features available in Outlook Web Access Premium.
Table 2.2 lists the new Outlook Web Access features, including the version that supports them.

Table 2.2 Summary of new Outlook Web Access features

Columns: Feature; Description; Outlook Web Access Premium; Outlook Web Access Basic.

Logon/Logoff Improvements

Feature: Logon page
Description: New customized form for logging on to Outlook Web Access; includes cookie-based validation where the Outlook Web Access cookie is invalid after the user logs out or is inactive for a predefined amount of time.
Premium: Yes, with choice of using Outlook Web Access Basic.
Basic: Yes, but only allows use of Outlook Web Access Basic.

Feature: Clear credentials cache on logoff
Description: After logoff, all credentials in the Internet Explorer 6 Service Pack 1 (SP1) credentials cache are cleared automatically.
Premium: Yes, in Internet Explorer 6 SP1.
Basic: No

Feature: Public or shared computer and Private computer logon options
Description: To provide organizations with more protection, two logon page security options can be used. The private option can be set to provide a longer period before the user is logged off because of inactivity.
Premium: Yes
Basic: Yes

General User Interface Improvements

Feature: User interface updates
Description: New color scheme, reorganized toolbars.
Premium: Yes, plus new View menu, default user interface font, and bidirectional support.
Basic: Yes, but only one color scheme is available.

Feature: Item window sizing
Description: During an Outlook Web Access session, item windows open at the last window size set by the user instead of always opening at 500x700 pixels.
Premium: Yes
Basic: No

Feature: Item window status bar
Description: A status bar is now available on item windows so a user can see the URL of hyperlinks in e-mail messages. To view the URL, move the pointer over the hyperlink.
Premium: Yes
Basic: No. Items do not open in a separate window; however, the status bar is still available.

View Improvements

Feature: Two-line mail view
Description: New view orients the message list vertically instead of horizontally; works well with the Reading Pane.
Premium: Yes
Basic: No

Feature: Reading Pane (previously called the Preview Pane in previous versions of Outlook Web Access)
Description: Resizable Reading Pane now appears to the right of the message list by default; attachments can be opened directly from the Pane. Additionally, the user has the option to determine whether items are marked as read when viewed in the Reading Pane.
Premium: Yes
Basic: No

Feature: Mark as read/unread
Description: Command enables users to mark unread messages as read or vice versa.
Premium: Yes
Basic: No

Feature: Quick Flagging
Description: Command enables users to assign a follow-up flag to messages.
Premium: Yes
Basic: No

Feature: Context Menu
Description: Context Menu available in mail view; special context menu also available on quick flag.
Premium: Yes
Basic: No

Feature: Keyboard shortcuts
Description: Common actions such as new message, mark as read/unread, and reply and forward are available when focus is in the message list.
Premium: Yes
Basic: No

Feature: Items per page
Description: Users can determine how many items appear per page in E-mail, Contacts, and Tasks views.
Premium: Yes
Basic: Yes

Feature: Mail icons
Description: Icons display state and type of messages.
Premium: Yes
Basic: Yes

Feature: Deferred view update
Description: The view is auto-refreshed only after 20 percent of messages are moved or deleted from a page, not after each deletion. This results in increased performance.
Premium: Yes
Basic: No

Navigation Improvements

Feature: New Navigation Pane
Description: Unified user interface contains module shortcuts, full folder tree, refresh item count button, customizable width.
Premium: Yes
Basic: Shortcuts only

Feature: Search folders
Description: Outlook-created search folders are displayed in the folder tree. These must be created in Outlook Online mode.
Premium: Yes
Basic: No

Feature: Notifications
Description: New e-mail and reminder notifications are displayed in the Navigation Pane.
Premium: Yes
Basic: No

Feature: Public folders
Description: Public folders are displayed in a new window.
Premium: Yes
Basic: No

Feature: Log Off option on toolbar
Description: Log Off option is now on the view toolbar, not in the Navigation Pane.
Premium: Yes
Basic: No

Mail Workflow Improvements

Feature: Spelling checker
Description: Spelling checker is provided for e-mail messages.
Premium: Yes
Basic: No

Feature: New addressing wells
Description: New integrated look; easier deletion of recipients.
Premium: Yes
Basic: No

Feature: Global Address List Properties sheets
Description: Property sheets now display name, address, and phone information for resolved Global Address List (GAL) users.
Premium: Yes. Available in received items, draft items, Check Names dialog box, and Find Names dialog box.
Basic: Yes; only available in received items and draft items.

Feature: Add to Contacts
Description: Users can add resolved recipients in received mail or drafts to the main Contacts folder.
Premium: Yes, feature in Properties sheets or context menu on resolved names.
Basic: No

Feature: Send mail from Find Names
Description: Users can send new messages to addresses found in the Find Names dialog box when it is opened from an e-mail view.
Premium: Yes
Basic: No

Feature: Open Find Names from message
Description: Users can open Find Names from a message and use it to add new recipients to a draft message; also used to add recipients to a contact distribution list.
Premium: Already available in previous versions of Outlook.
Basic: Yes

Feature: Contacts in Find Names
Description: Users can search the main Contacts folder in Find Names.
Premium: Yes
Basic: No

Feature: Sorted results in Find Names and Check Names
Description: The results in Find Names and Check Names are now sorted in alphabetical order.
Premium: Yes
Basic: Yes

Feature: Auto signature
Description: Users can create a signature that is automatically included in e-mail messages.
Premium: Yes, HTML-based formatting; also on-demand insertion.
Basic: Yes, plain text formatting; no on-demand insertion.

Feature: Default mail editor font
Description: User-customizable default font is provided for the e-mail editor.
Premium: Yes
Basic: No

Feature: Navigate after delete
Description: Users can open the next or previous item after deleting an item.
Premium: Yes
Basic: No

Feature: Read receipts
Description: Users can use or ignore read-receipt requests.
Premium: Yes. Users can also send receipts even when the option is set to ignore requests.
Basic: Yes. Users are not able to send receipts when the option is set to ignore requests.

Feature: "Web Beacon" blocking
Description: Users can control options for blocking external content in e-mail.
Premium: Yes
Basic: Yes

Feature: Attachment blocking
Description: Administrator options restrict access to some or all attachments in messages.
Premium: Yes
Basic: Yes

Feature: Junk mail filtering
Description: Options to set up safe- and blocked-sender lists.
Premium: Yes
Basic: Yes

Feature: Sensitivity InfoBar
Description: Sensitivity information is displayed in the InfoBar.
Premium: Yes
Basic: Yes

Feature: Reply/Forward InfoBar
Description: Reply/Forward information is displayed in the InfoBar.
Premium: Yes
Basic: Yes

Feature: No indenting replies
Description: The reply header and reply body are no longer indented.
Premium: Yes
Basic: Yes. Outlook Web Access Basic never indented.

Feature: Reply to messages/posts in Public Folders
Description: When accessing public folders through a front-end server, users can reply by e-mail to messages or posts in public folders.
Premium: Yes
Basic: Yes

Feature: Encrypted/signed mail
Description: Sending and receiving encrypted and/or signed e-mail is supported.
Premium: Yes, Internet Explorer 6 on Microsoft Windows 2000 or later.
Basic: No

Rules Improvements

Feature: Rules
Description: Users can create and manage server-based e-mail-handling rules.
Premium: Yes
Basic: No

Task Improvements

Feature: Personal tasks
Description: Users can create and manage personal tasks and receive reminders for these items.
Premium: Yes
Basic: Yes, but no reminders.

Calendar Improvements

Feature: Reply/Forward Meeting Requests
Description: Users can now reply to senders of Meeting Requests and/or forward Meeting Requests to other users.
Premium: Yes
Basic: Yes

Feature: Attendee reminder
Description: Attendees can set their own reminder times from received meeting requests.
Premium: Yes
Basic: No

Feature: View Calendar from a meeting request
Description: Attendees can open the Calendar from a meeting request.
Premium: Yes
Basic: No

Feature: Customized meeting cancellation notice
Description: Users can now provide a response in a meeting cancellation notice.
Premium: Yes
Basic: Yes

Feature: Attendee reminder
Description: Meeting attendees can set their own reminder times from meeting requests.
Premium: Yes
Basic: No

Feature: View Calendar from Meeting Request
Description: Meeting attendees can open their Calendar from a meeting request.
Premium: Yes
Basic: Yes

Performance Improvements

Feature: Bytes over the wire
Description: Fewer bytes are sent over the wire from server to browser. Additionally, the data sent from the server to the browser during initial logon has been reorganized to speed up rendering the Inbox.
Premium: Yes
Basic: Yes

Feature: Compression support
Description: Administrators can configure compression support for Outlook Web Access and provide a performance improvement of nearly 50 percent for most actions on slow network connections.
Premium: Yes, when accessed with Internet Explorer 6 SP1 + Q328970 or later.
Basic: Depends on the browser.

Use of Browser Language


When using Internet Explorer 5 or later to access Outlook Web Access, new installations and
upgrades of Exchange 2003 will use the browser's language settings to determine the character set
used to encode information such as e-mail messages and meeting requests.

If you upgrade an Exchange 2000 server that was modified to use a browser's language setting,
Exchange 2003 will continue to function in the same manner. Table 2.3 lists the language groups
and respective character sets.

Table 2.3 Outlook Web Access language group and character sets

Language Group           Character Set
Arabic                   windows-1256
Baltic                   iso-8859-4
Chinese (Simplified)     gb2312
Chinese (Traditional)    Big5
Cyrillic                 koi8-r
Eastern European         iso-8859-2
Greek                    iso-8859-7
Hebrew                   windows-1255
Japanese                 iso-2022-jp
Korean                   ks_c_5601-1987
Thai                     windows-874
Turkish                  iso-8859-9
Vietnamese               windows-1258
Western European         iso-8859-1

If you expect Outlook Web Access users in your organization to send mail frequently, you can
modify registry settings so that users who are running Internet Explorer 5 or later can use UTF-8
encoded UNICODE characters to send mail.
Warning
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

To modify the default language setting for Outlook Web Access


1. Start Registry Editor (regedit).
2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA\UseRegionalCharset
3. Create a DWORD value called UseRegionalCharset.
4. Right-click the UseRegionalCharset DWORD value, and then click Modify.
5. In Edit DWORD Value, in the Value data box, type 1, and then click OK.
6. Close Registry Editor to save your changes.

Selecting an Outlook Web Access Version


If users are running Windows Internet Explorer 5.01, the logon page will allow them to select
Outlook Web Access Premium or Basic. Premium will be the default selection. For users who
have a slow network connection and simply want to accomplish tasks such as checking their
Inbox or searching for an appointment, the Outlook Web Access Basic client may be a preferable
option. However, Outlook Web Access Basic does lack useful features that are available in Outlook
Web Access Premium.

Browser Support
Outlook Web Access Basic supports any browser that is fully compliant with the HTML 3.2 and
European Computer Manufacturers Association (ECMA) script standards. However, because
some browsers are not fully compliant with these standards, it is recommended that you use
Internet Explorer 5.01 or later, or Netscape Navigator 4.7 or later. These browsers have been
tested with Outlook Web Access.
In addition, Outlook Web Access has been optimized for screen resolutions of 800x600.
Using Pocket Outlook with Microsoft Exchange Server ActiveSync® and/or Outlook Mobile
Access is recommended for devices with a small screen size, such as the Pocket PC 2002 device.
Using Outlook Mobile Access is recommended for hand-held mobile devices with limited screen
sizes. For more information about Outlook Mobile Access and built-in mobile device support for
Exchange, see "Mobile Services for Exchange" later in this chapter.

Logon and Logoff Improvements


You can enable a new logon page for Outlook Web Access that stores the user's credentials in a
cookie instead of in the browser's credentials cache. The cookie is cleared when the user closes
the browser and, independently, after a period of inactivity. On the new logon page, users enter
either their domain\user name and password or their full user principal name (UPN), which has
the form of an e-mail address, and password (Figure 2.5).

Figure 2.5 Outlook Web Access logon page


This logon page is more than a cosmetic change; it offers several new features. To enable the
Outlook Web Access logon page, you must enable forms-based authentication on the server.
Because the credential cookie is presented on every request, forms-based authentication requires
SSL on the HTTP virtual server; without it, the cookie would travel in clear text. The following
procedure describes how to enable forms-based authentication.

To enable forms-based authentication


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Servers.
3. Expand the server for which you want to enable forms-based authentication, and then
expand Protocols.
4. Expand HTTP, right-click Exchange Virtual Server, and then click Properties.
5. In Exchange Virtual Server Properties, on the Settings tab, select the Enable Forms
Based Authentication for Outlook Web Access check box.
6. Click Apply, and then click OK.

Cookie Authentication Timeout


With forms-based authentication, Outlook Web Access user credentials are carried in a cookie.
When the user logs off from Outlook Web Access, the cookie is cleared and is no longer valid for
authentication. In addition, by default, the public computer cookie expires automatically after
fifteen minutes of user inactivity.
The automatic timeout helps protect a user's account from unauthorized access, but it does not
eliminate the risk: until the timeout elapses, anyone who sits down at a public computer on which
a session was left running can use that mailbox. Educate your users to log off when they finish,
and take whatever other precautions fit your environment.

Logon Page Security Options


The Outlook Web Access logon page lets the user select the security option that best fits their
situation. The Public or shared computer option (selected by default) uses a short inactivity
timeout of 15 minutes. Users should select the Private computer option only if they are the sole
operator of the computer and the computer complies with their organization's security policies.
The Private computer option allows a much longer period of inactivity before the session is
ended automatically; its internal default value is 24 hours. This option is intended for Outlook
Web Access users on personal computers in their office or at home.
To match the security needs of your organization, an administrator can configure both inactivity
timeout values in the registry, as described in the following procedures.
Note
The default value for the public computer cookie timeout is fifteen minutes. If you
want to change this, you must modify the registry settings on the server.

Warning
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

To set the Outlook Web Access Forms Based Authentication public cookie timeout value
1. Start Registry Editor (regedit).
2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSExchangeWeb\OWA

3. From the Edit menu, point to New, and then click DWORD Value.
4. In the details pane, name the new value PublicClientTimeout.
5. Right-click the PublicClientTimeout DWORD value, and then click Modify.
6. In Edit DWORD Value, under Base, click Decimal.
7. In the Value data box, type a value (in minutes) between 1 and 432000.
8. Click OK.
To set the Outlook Web Access Forms Based Authentication trusted computer cookie timeout value
1. Start Registry Editor (regedit).
2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSExchangeWeb\OWA

3. From the Edit menu, point to New, and then click DWORD Value.
4. In the details pane, name the new value TrustedClientTimeout.
5. Right-click the TrustedClientTimeout DWORD value, and then click Modify.
6. In Edit DWORD Value, under Base, click Decimal.
7. In the Value data box, type a value (in minutes) between 1 and 432000.
8. Click OK.

Clearing the Credentials Cache at Logoff


For users who do not access Outlook Web Access through the new logon page (that is, where
forms-based authentication is not enabled), logoff is now more secure if they are running Internet
Explorer 6 SP1. With Internet Explorer 6 SP1, the browser's credentials cache is cleared when the
user logs off from Outlook Web Access, so users no longer have to close the browser window to
clear it.

New User Interface


Outlook Web Access now more closely matches the Outlook 2003 user interface (Figure 2.6).
This section provides detailed information about the new user interface features and options.

Figure 2.6 New Outlook Web Access interface (Outlook Web Access Premium)

Selecting a Color Scheme


Outlook Web Access now allows users to select a color scheme for their Outlook Web Access
experience. Figure 2.7 shows the available color schemes.

Figure 2.7 Outlook Web Access color schemes


• Olive Green
• Burgundy
• Silver
• Dark Blue
• Default (Blue)
To change the color scheme for Outlook Web Access
1. In Outlook Web Access, in the Navigation Pane, click the Options icon.
2. Under Appearance, select a color from the drop down list.
3. Click Save and Close to save your color scheme.

Reading Pane
The improved Reading Pane (previously called the Preview Pane in Outlook) displays the e-mail
message in the right pane. Essentially, the Reading Pane enhances readability and provides the
user with more information on the page.
Users can easily switch to the classic bottom Reading Pane or turn the pane off entirely. Reading
Pane options are accessed on the Toolbar by clicking the Show/Hide Reading Pane button.
Note
The Reading Pane is not available with Outlook Web Access Basic.

New Two-Line View


Outlook Web Access in Exchange Server 2003 includes a new view for listing the messages in a
folder. This new Two-Line view (Figure 2.8) displays the message information on two different
lines, which allows more information to be displayed for each message without being cut off.
This is especially useful when using the new Reading Pane.
The following message information is displayed in Two-Line view:

• From
• Subject
• Received
• Importance
• Attachments

Figure 2.8 The Two-Line View


To select the Two-Line View
1. In Outlook Web Access, click the View drop-down list. This list shows the currently selected
view and is located above the Toolbar next to the folder name.
2. Click Two-Line View.

Message Flagging
In Outlook Web Access, you can now flag messages for follow-up. The new flag column appears
to the right of the message list and allows users to flag a message, mark a flag as complete, or
clear a flag. Six flag colors are supported (Figure 2.9).

Figure 2.9 Message flagging


You cannot set a reminder for these follow-up flags. These flags simply provide a visual indicator
of which items in the mailbox a user has marked as needing further action.
Note
This feature is not available with Outlook Web Access Basic.

To flag a message for follow-up


1. Click the flag next to the message you want. The flag turns red, indicating that the message
has been flagged.
2. To mark a flag as complete, click it again.
3. Alternatively, you can right-click the flag to display a shortcut menu with more options. Use
the shortcut menu to select a different flag color, clear a flag, or mark a flag as complete.
Note
You must use the shortcut menu to clear a flag.

Shortcut Menus
Shortcut menus are now available in Outlook Web Access. You can right-click on messages,
folders, and other objects to display shortcut menus from which you can select relevant
commands (Figure 2.10).
Note
This feature is not available with Outlook Web Access Basic.

Figure 2.10 Message shortcut menu


The following sections list the new commands featured in the message and folder shortcut
menus.

Message Shortcut Menu


When you right-click a message in the message list, the following commands are available:

• Open
• Reply
• Reply to all
• Forward
• Follow Up
• Flag Complete
• Clear Flag
• Mark as Unread
• Create Rule
• Delete
• Move/Copy to Folder

Folder Shortcut Menu


When you right-click a folder in the folder list, the following commands are available:

• Update Folder
• Open
• Open in New
• Move/Copy
• Delete
• Rename
• New Folder

Setting the Number of Messages Displayed per Page


Exchange 2003 Outlook Web Access users can specify how many items are listed in a view, such
as the number of messages listed when viewing a mail folder. By default, twenty-five items are
listed. You can view as few as five to as many as one hundred items at a time. For users
connecting to Outlook Web Access using a dial-up modem, the number of items should be set to
25 or fewer to maximize performance.
This option also affects the number of contacts and tasks that display per page.
To set the number of items listed in a view
1. In Outlook Web Access, in the Navigation Pane, click Options.
2. Under Messaging Options, in the Number of items to display per page list, select the
number of messages that you want to appear in a view.
3. Click Save and Close.

Deferred Refresh of Views


With the version of Outlook Web Access that shipped with Exchange 2000, every time a user
deletes, moves, or copies a message, the server refreshes the entire view. For example, if a user
has twenty-five messages in their Inbox, and the user then deletes a message, Outlook Web
Access deletes the message, and then refreshes the view so that twenty-five messages are again
listed.
With the version of Outlook Web Access that ships with Exchange 2003, deleted or moved items
are still removed from the message list, but the refresh of the entire list (in other words, the
addition of new items to the view) is deferred until more than twenty percent of the items have
been deleted or moved. Reducing the number of refresh requests reduces network traffic and
improves the overall user experience.
The twenty percent threshold is based on the number of items set to display per page (as set by
the user in Outlook Web Access Options), not on the actual number of messages on the page.
For example, if a user has chosen to display one hundred messages per page, the message list
does not refresh automatically until twenty-one messages have been deleted or moved.
Note
This feature is not available with Outlook Web Access Basic.

Accessing Search Folders (Saved Searches)


In Outlook 2003, you can create special Search Folders that are saved searches for specific
content in your mailbox. For example, you can perform a search that finds messages from a
particular sender, and then save the search results as a Search Folder for later use. Search
Folders appear in a special section of the Outlook Folder List.
In Outlook Web Access, Search Folders appear in the Folders pane. Search Folders appear in
Outlook Web Access only if a user created them while running Outlook 2003 in online mode
against an Exchange 2003 server. You cannot create Search Folders in Outlook Web Access.
Note
This feature is not available with Outlook Web Access Basic.

Notifications
If you configured Outlook Web Access to notify you of new e-mail or reminders, the Navigation
Pane now notifies you when new items arrive in your Inbox or active reminders are waiting to be
dismissed or set to snooze. To configure notifications, click Options, and then select the
appropriate options under Messaging Options and Reminder Options.
Note
This feature is not available with Outlook Web Access Basic.

Public Folders
Public folders are now displayed in their own window. In the Navigation Pane, click Public
Folders to launch a new browser window that contains only public folders.
Note
This feature is not available with Outlook Web Access Basic.

Log Off
The Log Off feature has been moved from the Navigation Pane. It is now located on the right
side of the toolbar.

Keyboard Shortcuts
Outlook Web Access now supports more keyboard shortcuts. Table 2.4 lists the supported
shortcuts.
Note
This feature is not available with Outlook Web Access Basic.

Table 2.4 Keyboard shortcuts for Outlook Web Access

Command                                   Keyboard Shortcut

Inbox View
Open a new message window                 CTRL+N
Mark selected message as read             CTRL+Q
Mark selected message as unread           CTRL+U
Reply to selected message                 CTRL+R
Reply all to selected message             CTRL+SHIFT+R
Forward selected message                  CTRL+SHIFT+F

Message Read Form
Reply to selected message                 CTRL+R
Reply all to selected message             CTRL+SHIFT+R
Forward selected message                  CTRL+SHIFT+F
View the next message in the list         CTRL+>
View the previous message in the list     CTRL+<

Message Compose Form
Save the message                          CTRL+S
Send the message                          CTRL+ENTER
Check spelling                            F7
Check names                               CTRL+K (ALT+K in S/MIME)

Tasks View
Create a new task                         CTRL+N

Public Folders View
Create a new post                         CTRL+N
Reply to a post                           CTRL+R



Right-to-Left Layout
Outlook Web Access now supports right-to-left layouts in the Arabic and Hebrew versions of the
client. Note that only Internet Explorer 6 and later supports both Arabic and Hebrew.
Note
This feature is not available with Outlook Web Access Basic.

Support for Rules


In Outlook Web Access, you can now create and manage server-based rules for the most common
mail-management scenarios, such as moving e-mail from a particular sender or with a particular
subject to a specific folder.
Outlook Web Access allows users to edit simple server-side rules created in any version of
Outlook. If an Outlook-created rule is too complex for Outlook Web Access to render it properly,
the rule appears shaded in the Outlook Web Access user interface for rules management.
Although these rules cannot be edited, they still function.
One or more of the following criteria can be used to define a rule in Outlook Web Access:

• Who the message is from


• The message subject
• The importance of the message
• Who the message was sent to
Based on these criteria, the following actions can be specified:

• Move the message to a specified folder


• Copy the message to a specified folder
• Delete the message
• Forward the message to a specified recipient
In addition to creating a new rule from the Rules page, users can create a rule from within an
e-mail message; the rule parameters are then filled in with information from the message, such
as the subject and the sender. This lets users create rules quickly and easily.
Warning
Because of interoperability limitations with Outlook, before an Outlook Web Access
user can create or modify any rules, Outlook Web Access deletes any rules that have
been disabled through Outlook. This does not happen silently: when you modify a
rule, you receive a warning indicating that disabled rules will be deleted if you
proceed.
If you modify rules from Outlook Web Access, the next time you use Outlook, you may be
prompted to choose between client and server-side rules. To retain the rules that you created in
Outlook Web Access, select server-side rules.
Note
This feature is not available with Outlook Web Access Basic.

To create a new rule from Outlook Web Access


1. In Outlook Web Access, in the Navigation Pane, click Rules. If the Navigation Pane is
collapsed, click the Go to rules button.
2. On the Rules page, click New.
3. On the Edit Rule page, fill out the criteria and desired action for the rule.
4. Click Save and Close.
To create a new rule from within a message
1. With a message opened, click the Create Rule icon. Alternatively, you can right-click a
message in the message list, and then click Create Rule.
2. On the Edit Rule page, some criteria are filled in automatically based on the message
contents. Modify the criteria and select a desired action for the rule.
3. Click Save and Close.

Spelling Checker
Outlook Web Access now includes a spelling checker. The spelling checker is built into
Exchange 2003, so users do not need to run any client-side code or download additional
software.
The spelling checker feature is available whenever users compose a message. The following
languages are supported for Exchange 2003:

• English (Australia)
• English (Canada)
• English (United Kingdom)
• English (United States)
• French
• German (post-reform)
• German (pre-reform)

• Italian
• Korean
• Spanish
Users select the language for the spelling checker to use. When spelling checker is first run, users
are prompted to select the preferred language. The language can also be configured at any time.
Note
This feature is not available with Outlook Web Access Basic.

To set the spelling checker language


1. In Outlook Web Access, in the Navigation Pane, click Options. If the Navigation Pane is
collapsed, click the Go to options button (Figure 2.11).

Figure 2.11 The Go to options button


2. Under Spelling Options, in the Select the language of the dictionary to use while
checking spelling list, select the preferred language.
3. Click Save and Close.

To check the spelling in a message


1. When composing a message, click the Spelling button (Figure 2.12).

Figure 2.12 The Spelling button


2. As with other spelling checker software, you are prompted about words that are not found in
the spelling checker dictionary. Choose whether to ignore the word in question, change it
manually, or select from a list of suggested alternatives.

Tasks
The version of Outlook Web Access that shipped with Exchange 2000 did not support tasks.
Although you could view existing tasks, they were displayed as e-mail messages and could not
be edited. In Exchange 2003, Outlook Web Access now supports tasks (Figure 2.13). You can
create and manage new tasks or manage tasks that have already been created in Outlook.

Figure 2.13 Outlook Web Access Tasks view


Some of the task features that are now available include:

• Support for recurring tasks


• Mark tasks complete
• Modify percent complete
• Task status
• Due date
• Attachments
• Priority
• Start date
• Mileage
• Billing information
• Work hours
To work with tasks in Outlook Web Access
1. In Outlook Web Access, in the Navigation Pane, click Tasks. If the Navigation Pane is
collapsed, click the Go to tasks button.
2. Click New to create a new task, or right-click an existing task and click Open.
3. On the Task page, edit the desired fields, and then click Save and Close.
If you have worked with tasks in Microsoft Outlook, the new task support in Outlook Web
Access should be very familiar.

Deleting and Skipping Tasks


In Outlook, when a user attempts to delete a recurring task, the user must decide whether to
delete a single occurrence or the entire recurring series.
In Outlook Web Access, the delete command always deletes the entire task series. However, you
can skip an individual occurrence by clicking the Skip Occurrence button on the Task toolbar.

Task Requests Not Supported


In Outlook, you can use the Task Request feature to assign tasks to other users. Outlook Web
Access does not support this feature. Furthermore, in Outlook Web Access, users cannot process
Task Requests sent from Outlook or update any delegated tasks they have already accepted in
Outlook.
Outlook Web Access does allow you to delete Task Requests or previously accepted delegated
tasks; however, the task assigner does not receive notification that the deletion occurred.

Message Signatures
With Outlook Web Access for Exchange Server 2003, you can create a personal signature that
can be added to outgoing messages automatically or inserted into individual messages manually.
To customize your signature, you can modify the font color, style, and alignment.
Note
You can only have text for signatures in Outlook Web Access Basic.

To create your signature


1. In Outlook Web Access, in the Navigation Pane, click Options. If the Navigation Pane is
collapsed, click the Go to options button.
2. Under Messaging Options, click Edit Signature.
3. On the Signature page, edit the signature text and style.
4. Click Save and Close.
To add your signature to all outgoing messages automatically
1. In Outlook Web Access, in the Navigation Pane, click Options. If the Navigation Pane is
collapsed, click the Go to options button.
2. Under Messaging Options, select the Automatically include my signature on outgoing
messages check box.
3. Click Save and Close.
To insert your signature into a specific message
• With the desired message open, on the toolbar, click the Insert Signature button.

Viewing User Properties


Outlook Web Access now allows you to view user name properties that were resolved from the
Exchange global address list (GAL). The property information is a subset of what is displayed in
Microsoft Outlook.
The following properties are displayed in Outlook Web Access:

• First Name
• Initials
• Last Name
• Display Name
• Alias
• Address
• City
• State
• Postal Code
• Country/Region
• Title
• Company
• Department
• Office
• Phone
• Mobile Phone
• Whether the user has a valid Digital ID for receiving encrypted messages (available when
S/MIME is installed)
Simple SMTP addresses or addresses from the Contacts folder still display the same information
(display name and SMTP address) that was available in previous versions of Outlook Web
Access.

To view a resolved user's properties


There are several methods you can use to view a user's properties:

• Right-click the resolved user name and choose Properties.


• Double-click the resolved user name – even in the Reading Pane.
• (This method is available only in Outlook Web Access Premium.) Click the Address Book
button to search for users in the GAL. This will open the Find Names dialog box. After
locating the user you want, click the user name, and then click Properties.

Easier Removal of Recipients


In the version of Outlook Web Access that shipped with Exchange 2000, to remove a recipient
from an e-mail you were composing, you had to double-click the user name, which opened a
dialog box, and then click Remove.
This process is simplified in Exchange 2003. Now, you can highlight the resolved user name and
then press the DELETE key. Alternatively, you can right-click the resolved user name and then
click Remove.
Note
This feature is not available with Outlook Web Access Basic.

Adding a Sender or Recipient to Contacts
In Outlook Web Access, it is now easy to add a sender or recipient of an e-mail message to your
Contacts folder; you no longer need to enter the address manually. For information about using
other methods to create contacts, see "Creating New Contacts" in the Outlook Web Access online
Help.
Note
This feature is not available with Outlook Web Access Basic.

To add a sender or recipient of an e-mail message to your Contacts folder


1. In Outlook Web Access, open an e-mail that contains a sender or recipient that you want to
add to your Contacts folder.
2. In the upper pane of the e-mail message, right-click the name you want, and then click Add
to Contacts.
3. In Untitled Contact, on the General tab, in the Last Name and First Name boxes, type the
last name and first name of the new contact. Then, on both the General and Details tabs, use
the remaining boxes to fill in any other information you want to include about the contact.

4. Click Save and Close.


Note
You can also use the user name Properties dialog box to add the contact to your
Contacts folder.

Selecting a Default Font


Outlook Web Access allows you to select the default font type, size, and color for new e-mail
messages. Instead of the browser's default font, Outlook Web Access uses Arial 10 pt. by default
(in the U.S. user interface).

To change the default font for new messages


1. In Outlook Web Access, in the Navigation Pane, click Options. If the Navigation Pane is
collapsed, click the Go to options button.
2. Under Messaging Options, click Choose Font.
3. In Font, select the font and any other options you want, and then click OK.
4. On the Options page, click Save and Close.

Reply Header and Body Not Indented


Many users find their names added to an e-mail thread that already contains many messages. In
these cases, users usually scroll through the thread to understand the history of the issue being
discussed. However, the earlier messages become harder to read as they go: each reply indents
the previous message body, so the earliest message text is squeezed into an ever-narrower column
and is often illegible.
Outlook Web Access no longer indents the messages in an e-mail thread (although other e-mail
clients may still do so). Instead of an indentation, a horizontal line separates the reply header and
body from the new content.

Web Beacon Blocking


In Exchange 2003, Outlook Web Access makes it harder for senders of junk e-mail to use web
beacons (references to external images or other content that the browser fetches when the
message is displayed) to confirm that an e-mail address is live and being read. Any incoming
message that contains content that could be used as a beacon, whether or not the message actually
contains one, prompts Outlook Web Access to display the following warning message instead of
fetching the content:

To help protect your privacy, links to images, sounds, or other external content in
this message have been blocked. Click here to unblock content.

If users know that a message is legitimate, they can click Click here to unblock content;
doing so fetches the external content and, for a message that does contain a beacon, tells the
sender that the address is active. Users can read or delete a blocked message without triggering
a beacon that would prompt a sender of junk mail to send more.
To disable this option, on the Options page, under Privacy and Junk E-mail Prevention, clear
the Block external content in HTML e-mail messages check box.
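The following PowerShell script is an added example, not code from Outlook Web Access or the Exchange documentation, showing what "content that could be used as a beacon" means in practice: it lists the references in an HTML message body that would make the browser fetch something from an external server when the message is rendered, reports whether the message would be blocked, and neutralizes the references until the user chooses to unblock. The attribute list it checks, the constructed sample message and the function names are assumptions made for this example.

```powershell
# Added example, not Outlook Web Access code: find the references in an HTML
# message that make the browser fetch external content when the message is
# rendered, which is what Outlook Web Access treats as possible web beacons.
# The attribute list, the sample message and the function names are assumptions
# made for this example.

function Get-ExternalReferences {
    param([Parameter(Mandatory)][string]$Html)

    # src= on img/script/iframe/embed, background= on body/table/td, and CSS
    # url(...) in style attributes or <style> blocks. Only absolute http/https/ftp
    # URLs count; cid: references point at attachments inside the message.
    $patterns = @(
        '(?i)\b(?:src|background)\s*=\s*["'']?\s*((?:https?|ftp)://[^"''\s>]+)',
        '(?i)\burl\(\s*["'']?\s*((?:https?|ftp)://[^"''\)\s]+)'
    )

    $refs = foreach ($p in $patterns) {
        foreach ($m in [regex]::Matches($Html, $p)) { $m.Groups[1].Value }
    }
    @($refs | Sort-Object -Unique)
}

function Test-PossibleBeacon {
    param([Parameter(Mandatory)][string]$Html)
    # The rule is deliberately coarse: any external reference counts, whether or
    # not it looks like a 1x1 tracking pixel, because a logo fetched from the
    # sender's server reveals the read just as well.
    (Get-ExternalReferences -Html $Html).Count -gt 0
}

function Block-ExternalContent {
    param([Parameter(Mandatory)][string]$Html)
    # Replace each reference with about:blank so the browser fetches nothing; the
    # caller keeps the original HTML to restore when the user clicks unblock.
    foreach ($url in Get-ExternalReferences -Html $Html) {
        $Html = $Html.Replace($url, 'about:blank')
    }
    $Html
}

# Constructed sample message: a body background, a 1x1 tracking pixel, a CSS
# background image and an inline (cid:) logo that must not be blocked.
$sample = @'
<html><body background="http://ads.example.net/bg.gif">
<p>Your invoice is attached.</p>
<img src="http://track.example.net/open?id=4f2a" width="1" height="1">
<div style="background-image:url(https://cdn.example.net/logo.png)"></div>
<img src="cid:logo001@example.com">
</body></html>
'@

Get-ExternalReferences -Html $sample
Test-PossibleBeacon -Html $sample
Block-ExternalContent -Html $sample
```

The inline cid: image is not reported because it refers to an attachment carried inside the message, so displaying it tells the sender nothing. A real client also has to handle relative and protocol-relative URLs and content pulled in through <link> and <object>, which this example leaves out.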

Blocking Attachments
Outlook Web Access now provides the following attachment-blocking features:
Blocking Outlook Web Access users from opening attachments of certain file types
This feature is particularly useful for stopping Outlook Web Access users from opening
attachments at public Internet terminals, where a downloaded file left on the terminal could
compromise corporate data. To allow Outlook Web Access users who are working in their
offices or connected to the corporate network from home to open and read attachments,
administrators can allow full access to attachments from the intranet.
If an attachment is blocked, a warning message indicating that the user cannot open the
attachment appears in the InfoBar of the e-mail message.
By default, blocking of attachments with certain file types is enabled on all new Exchange 2003
installations.
Blocking Outlook Web Access users from sending or receiving attachments with specific
file extensions that could contain viruses
This feature matches the attachment-blocking functionality in Outlook. For received messages, a
warning message indicating that an attachment is blocked appears in the InfoBar of the e-mail
message. For sent messages, Outlook Web Access does not allow users to upload any files with
extensions that appear on the block list.
Warning
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

To enable attachment blocking


1. Start Registry Editor (regedit).
2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSExchangeWeb\OWA

3. From the Edit menu, point to New, and then click DWORD Value.
4. In the details pane, name the new value DisableAttachments.
5. Right-click DisableAttachments, and then click Modify.
6. In Edit DWORD Value, under Base, click Decimal.
7. In the Value data box, type one of the following numbers:
• 0 to allow all attachments.
• 1 to block all attachments.
• 2 to allow attachments only from back-end servers: users who reach Outlook Web Access
directly on a back-end server (typically from the intranet) can open attachments, while
users who connect through a front-end server cannot.
8. Click OK.
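The following PowerShell script is an added example, not part of the Exchange documentation or product, that applies the registry procedures in this chapter from an elevated prompt on the Exchange server: the UseRegionalCharset value at the start of this section, the PublicClientTimeout and TrustedClientTimeout cookie timeouts under "Logon Page Security Options", and DisableAttachments above. It enforces the ranges the procedures give before writing anything, reads the effective values back (falling back to the documented default where a value is absent), and audits them against a sample policy. The function names, the policy thresholds and the per-value defaults are the editor's own assumptions; the key path, value names and ranges are the ones the procedures use.

```powershell
# Added example, not part of the Exchange documentation: set and audit the
# Outlook Web Access registry values from the procedures in this chapter
# (UseRegionalCharset, PublicClientTimeout, TrustedClientTimeout and
# DisableAttachments) from an elevated PowerShell prompt on the Exchange server.
# Function names, audit thresholds and the "default when absent" entries are the
# editor's own; key path, value names and ranges are those the procedures give.

$OwaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA'

# Permitted range per value and the default that applies when it is not set
# ($null where the document does not state one). Timeouts are in minutes.
$OwaSettings = @{
    UseRegionalCharset   = @{ Min = 0; Max = 1;      Default = $null }
    PublicClientTimeout  = @{ Min = 1; Max = 432000; Default = 15    }
    TrustedClientTimeout = @{ Min = 1; Max = 432000; Default = 1440  }
    DisableAttachments   = @{ Min = 0; Max = 2;      Default = $null }
}

function Set-OwaSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('UseRegionalCharset','PublicClientTimeout','TrustedClientTimeout','DisableAttachments')]
        [string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    $spec = $OwaSettings[$Name]
    if ($Value -lt $spec.Min -or $Value -gt $spec.Max) {
        throw "$Name must be between $($spec.Min) and $($spec.Max); got $Value"
    }
    if (-not (Test-Path $OwaKey)) { New-Item -Path $OwaKey -Force | Out-Null }
    # REG_DWORD written as a decimal number, the same as choosing Base: Decimal in regedit
    New-ItemProperty -Path $OwaKey -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-OwaSettings {
    # Returns each value as set in the registry, or its default when absent.
    $result = @{}
    foreach ($name in $OwaSettings.Keys) {
        $item = Get-ItemProperty -Path $OwaKey -Name $name -ErrorAction SilentlyContinue
        $result[$name] = if ($null -ne $item) { [int]$item.$name } else { $OwaSettings[$name].Default }
    }
    $result
}

function Test-OwaSettings {
    # Audit against a sample policy: public sessions must expire within 15
    # minutes, private sessions within 24 hours, and a front-end server must not
    # hand out attachments to every client. The thresholds are illustrative.
    param([switch]$FrontEnd)
    $s = Get-OwaSettings
    $findings = @()
    if ($s.PublicClientTimeout -gt 15) {
        $findings += "PublicClientTimeout is $($s.PublicClientTimeout) min (policy: 15)"
    }
    if ($s.TrustedClientTimeout -gt 1440) {
        $findings += "TrustedClientTimeout is $($s.TrustedClientTimeout) min (policy: 1440)"
    }
    if ($FrontEnd -and $s.DisableAttachments -eq 0) {
        $findings += "DisableAttachments is 0: all attachments are allowed through this front end"
    }
    $findings
}

# Usage on a front-end server: tighten the public timeout, keep private sessions
# to a working day, allow attachments only via back-end (intranet) access, then audit.
# Set-OwaSetting -Name PublicClientTimeout  -Value 10
# Set-OwaSetting -Name TrustedClientTimeout -Value 480
# Set-OwaSetting -Name DisableAttachments   -Value 2
# Get-OwaSettings
# Test-OwaSettings -FrontEnd
```

Run Test-OwaSettings -FrontEnd on each front-end server after making changes; an empty result means the three checks passed. Because the timeout values are minutes, 480 keeps a private-computer session alive for a working day rather than the 24-hour internal default.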

Junk E-mail Filtering


Outlook Web Access on Exchange 2003 allows you to manage the Junk E-mail safe senders, safe
recipients, and blocked senders lists that Outlook 2003 also uses. Both Outlook Web Access and
Outlook 2003 create a special folder in your mailbox called Junk E-mail. The Exchange 2003
junk e-mail rule uses the information in your blocked senders list to move junk e-mail to this
folder.

Sensitivity and Reply/Forward InfoBars


The following information now appears on the InfoBar of an e-mail message:

• Sensitivity settings, such as Confidential.


• The date and time a user replied to or forwarded a received message.

Item Window Size


Whether a user wants to read an item or create an item, the version of Outlook Web Access that
shipped with Exchange 2000 launches all windows at the set size of 500x700 pixels. Even if the
user resized the item window, the next window would still open at 500x700.
With Exchange 2003, during a session, if a user resizes an item window, Outlook Web Access
retains that size and opens all future item windows at that size. This works for all item windows
opened within a session, including e-mail messages, Calendar, Contacts, or Tasks. However, the
new window size is not persisted to future Outlook Web Access sessions.
Note
This feature is not available with Outlook Web Access Basic.

Meeting Requests
Outlook Web Access includes several new meeting request features.

Setting Reminders
You can now set reminders on meeting requests you have received. With a meeting request open,
select the Reminder check box, select the length of time from the Reminder list, and then click
Save and Close.
Note
This feature is not available with Outlook Web Access Basic.

Forward Meeting Requests


Outlook Web Access now allows you to forward meeting requests. You can also reply to the
meeting organizer, or reply to the meeting organizer and all recipients.

To forward or reply to a meeting request


1. In Outlook Web Access, open the meeting request.
2. Do one of the following:
• To reply to the meeting organizer only, click the Reply icon. In your reply, the To line is
preaddressed to the meeting organizer.
• To reply to the meeting organizer and all recipients, click the Reply to all icon. In your
reply, the To and Cc lines are preaddressed to the meeting organizer and all recipients.
• To forward the meeting request, click the Forward icon. Fill in the address fields, just
as when you address a new message.

Composing Messages to Recipients From the Address Book
Using Outlook Web Access with Exchange Server 2003, you can now open the Address Book,
select a recipient, and then compose an e-mail message to that person.
Note
This feature is not available with Outlook Web Access Basic.

To create a new e-mail message from the Address Book


1. On the Outlook Web Access toolbar, click the Address Book button.
2. In Find Names, search for the desired recipient.
3. In the details pane, select the recipient you want, and then click New Message. The
recipient's name will appear in the To line of a new message window.

Improved Performance
By reducing the amount of information that must travel from the server to the browser, the speed
of Outlook Web Access has been increased. Also, to speed up the logon experience, the order in
which scripts and other essential files for Outlook Web Access are downloaded to the browser at
first logon has been improved.
Overall, even with the enhanced user interface and multitude of new features, Outlook Web
Access should seem faster, especially over slow connections, and appear far more responsive to
user interactions.

Outlook Web Access Compression

Outlook Web Access supports data compression, which is optimal for slow network connections.
Depending on the compression setting you use, Outlook Web Access compression works by
compressing static and/or dynamic Web pages.
Table 2.5 lists the compression settings that are available in Exchange Server 2003 for Outlook
Web Access.

Table 2.5 Available compression settings for Outlook Web Access

Compression Setting   Description
High                  High compression compresses both static and dynamic pages.
Low                   Low compression compresses only static pages.
None                  No compression is used.

Using data compression, your users can see performance increases of up to fifty percent on
slower network connections, such as traditional dial-up access.

Requirements for Outlook Web Access Compression

To use data compression for Outlook Web Access in Exchange Server 2003, you must verify that
you have the following prerequisites:

1. The Exchange server that users authenticate against for Outlook Web Access must be
running Windows Server 2003.
2. Your users' mailboxes must be on Exchange 2003 servers. (If you have a mixed deployment
of Exchange mailboxes, you can create a separate virtual server on your Exchange server
just for Exchange 2003 users and enable compression on it.)
3. Client computers must be running Internet Explorer version 6 or later; the computers must
also be running Windows XP or Windows 2000, with the following security update installed:
328970, "Cumulative Patch for Internet Explorer"
(http://go.microsoft.com/fwlink/?LinkId=16694).
Note
If a user does not have a supported browser for compression, the client will still
behave normally.

4. You may need to enable HTTP 1.1 support through proxy servers for some dialup
connections. (HTTP 1.1 support is required for compression to function properly.)
To enable data compression
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the details pane, expand Servers, expand the server you want, and then expand Protocols.
3. Expand HTTP, right-click Exchange Virtual Server, and then click Properties.
4. In Exchange Virtual Server Properties, on the Settings tab, under Outlook Web Access,
use the Compression list to select the compression level you want (None, Low, or High).
5. Click Apply, and then click OK.

S/MIME Support
Secure/Multipurpose Internet Mail Extensions (S/MIME) increases the security of Internet e-mail
by enabling digital signing of messages as well as message encryption. Digital signatures
provide authentication, non-repudiation, and data integrity. Message encryption provides
confidentiality and data integrity.
Outlook Web Access in Exchange 2000 did not support signed and encrypted e-mail. Now, with
the new Microsoft Outlook Web Access S/MIME ActiveX® control, users can digitally sign and
encrypt e-mail messages. The S/MIME control works in conjunction with any X.509v3-based
public key infrastructure (PKI) to provide the signing and encryption capabilities.
In most cases, before enabling S/MIME support with Outlook Web Access, you should have a
good understanding of cryptography and PKI, for example Windows 2000 or Windows
Server 2003 PKI. For information about cryptography and Windows PKI, see the technical article
Cryptography and PKI Basics (http://go.microsoft.com/fwlink/?LinkId=15060).

Outlook Web Access S/MIME Architecture

When Outlook Web Access handles an S/MIME message, various public certificates must be
retrieved from Microsoft Active Directory® directory service or from the Personal Contacts
folder on the Exchange server. After these digital certificates are retrieved, they are parsed and
verified against the certificate revocation list (CRL) and the trust chain. This process could
potentially involve a lot of traffic between the Outlook Web Access client and the PKI.
Therefore, to reduce this traffic, the public key parsing, CRL look up, and trust chain verification
are all performed on the Exchange server rather than on the Outlook Web Access client
(Figure 2.14). Processing certificate validity on the server makes Internet-based access faster and
more reliable, and can also greatly reduce bandwidth requirements.

Figure 2.14 Outlook Web Access architecture

Handling Private Keys

Another important consideration in Outlook Web Access design is security. At no time does a
private key, in any form, get passed between the user's computer and the Exchange server. In
fact, the Outlook Web Access S/MIME control that runs in Internet Explorer does not directly
handle the private key either, leaving all private key parsing and handling to the Windows
CryptoAPI (CAPI). The Outlook Web Access S/MIME control transfers a message to the CAPI,
which then transfers the encrypted message back to the Outlook Web Access client. For a more
secure S/MIME solution, this separation and isolation of the private key is critical, especially
because the client and the server communication may span the Internet. It is also important to
note that the public key is used for encryption, while the private key is used for decryption and
signing.
Note
In regard to private key separation and isolation, the full Outlook client, including
Outlook Express, operates in the same way as Outlook Web Access.

Signing and Encrypting E-mail

This section explains, at a high level, the process of signing and encrypting mail with S/MIME.
Specifically, you will learn how an S/MIME client uses certificates.

Signing E-mail Messages

In Outlook Web Access, all messages are Multipurpose Internet Mail Extensions (MIME)
messages. When a message is signed, the e-mail client uses the body of that MIME message to
generate a hash value by applying the appropriate signing algorithm, which is found on the user's
private key (the private key is stored either on a smart card or in the certificates store on the local
computer). Using the sender's private key, the hash value is then encrypted and appended to the
message. The result is referred to as a digital signature. The message is then sent—sometimes a
copy of the sender's public key is included in the message.
When the recipient opens the message, in accordance with the signing algorithm on the sender's
public key, another hash value is generated from the message contents. The hash value of the
original message is decrypted using the sender's public key. The two hash values are then
compared with each other. If they match, the signature is considered valid.

Encrypting E-mail Messages

When a message is encrypted, the data is encrypted using a session key. Next, that session key is
encrypted using the recipient's public key. The message is then sent as a MIME message with no
body and a Public Key Cryptography Standards #7 (PKCS-7) attachment. PKCS-7, developed by
the Rivest-Shamir-Adleman (RSA) cryptography system, defines cryptographic syntax as it
applies to messaging.
To send an encrypted message, the sender must be able to retrieve the recipient's public key; the
public key must also be associated with a valid certificate.
When the recipient opens an encrypted message, their private key (either stored locally or on a
smart card) is used to decrypt the message.

Certificate Validation with Outlook Web Access

For some organizations, such as legal organizations, the most important feature of S/MIME is the
ability to ensure non-repudiation and authenticity of the sender. To guarantee these two aspects,
the certificate used to sign the e-mail that the recipient receives must be proven valid. In this context, that means
the sender's certificate cannot have been revoked, and it cannot be expired; it must be a certificate
that is intended for signed e-mail messages, and the Exchange server must trust the certification
authority (CA) that issued the sender's certificate. These same attributes are also important to
validate certificates for encryption.

Certificate Revocation Check

Each certificate may have a CRL Distribution Point (CDP) attribute. In cases where the issuer
does not revoke certificates, the CDP may not be present on the certificate. This attribute points
to a URL, generally an LDAP string or HTTP path; to access the Certificate Revocation List
(CRL) for the given certificate, the requesting client needs to query this URL. For the requesting
client to successfully retrieve the CRL, the CDP must be accessible. In most cases, this means the
CDP must be accessible across the Internet. If the CDP is not network-accessible, any attempts to
automatically retrieve the CRL will fail. In this situation, the administrator must retrieve and
distribute the CRL manually.
Each certification authority (CA) and intermediate CA manages a CRL for its domain. As the
name implies, the CRL of a given CA contains a list of certificates that were revoked by that CA.
To ensure that the certificate of the CA itself was not revoked, client software must query the
CRL of the parent CA that originally issued the given CA's certificate, and so on, until the root
CA is reached.
Depending on the complexity of the PKI, this process can be time consuming. For this reason,
caching mechanisms are generally used during CRL verification. Outlook and Outlook Express
store the CRL until it expires (expiry information is included with the CRL).
In Outlook Web Access, the Exchange server stores the CRL on behalf of the clients for the
duration of its validity. Exchange attempts to authenticate to the CDP by using the Exchange
server's LocalSystem account by means of Integrated Windows authentication. You should
configure the CDPs throughout your organization to allow access by the appropriate Exchange
servers. Alternatively, if you do not want to configure your CDPs to allow Exchange access by
means of the LocalSystem account, it may be easier to simply configure your CDPs to allow
anonymous access. This will enable Exchange to access the CRL on behalf of Outlook Web
Access users. If Exchange cannot validate the CRL, Outlook Web Access displays a warning
message.
In the case where a CDP is offline or otherwise inaccessible, Exchange does not retry the
inaccessible CDP for every incoming request; instead, it waits until a specific time has passed.
The retry interval is a sliding scale that begins at 15 seconds and increases towards 30 minutes
each time a client requests a CRL verification from the CDP.

Time Validity Verification

When a CA creates a certificate, the certificate is marked with a validity period. The validity
period is specified by two attributes on the certificate: Valid to and Valid from.
Typically, the mail client validates these attributes. In Outlook Web Access, the Exchange server
validates the expiry information. If the certificate has expired, or the date precedes the Valid
from attribute, Outlook Web Access displays a warning message to the client.

Trust Verification
Trust verification refers to the act of determining whether a public certificate comes from a
trusted source. There are two ways a trust is established between a sender and a recipient:

• The first is by virtue of having the certificate issued by the same trusted root CA. In this
scenario, the trust chain, or hierarchy, on the sender's certificate is derived from the same
root CA as the recipient's issuing CA.
• The second is by means of an explicit trust. In this scenario, a user opens a public certificate
and selects an option to trust the issuing CA explicitly.
Outlook and Outlook Express perform trust verifications from the user's desktop. For Outlook
Web Access clients, however, the Exchange servers perform the verification on behalf of the
clients. In both cases, the logic is the same: where the trust chain is included in the mail, or
is specified on the public certificate itself (as it is on some certificates), that chain (or
hierarchy) is used; where the trust chain is not specified, trust verification is done while
traversing the CRL hierarchy.
Because the Exchange server performs the trust validation on behalf of Outlook Web Access
S/MIME clients, for each CA with which users interact, you may have to add the appropriate
trusted CAs to the machine account certificate store on the Exchange server. If users exchange
S/MIME e-mail messages through Outlook Web Access in the following cases, you must add
trusted CAs to the Exchange server computer's certificate store:

• Between different Active Directory forests.
• If there are multiple root CAs in your organization.
• If S/MIME mail is sent between separate organizations with different CAs.
If the Exchange server does not trust a CA, users will receive warning messages when opening
signed e-mail and when attempting to send encrypted e-mail.
Setting up a CA trust must be done on each back-end Exchange mailbox server where Outlook
Web Access S/MIME users reside. You can manually add the trusted CAs to each Exchange
certificate store, or you can use a group policy. In general, to ensure consistency across all
servers, it is advisable to use group policies to manage trusted roots throughout an organization.
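The server-side checks described in the last three sections (CRL retrieval through the CDP, cached for the CRL's validity, with the 15-second to 30-minute retry interval; Valid from and Valid to; and trust in the root CA), as one added example that is not Exchange code. The certificate and CRL record layouts, the doubling of the retry interval, the chain walk and the Contoso sample data are assumptions.

```python
"""Server-side S/MIME certificate validation modelled on the checks described above:
revocation (issuer CRL fetched via the CDP, cached for its validity, with a 15 s to
30 min back-off on an unreachable CDP), time validity, and trust in the root CA.
Added example, not Exchange code; record layout, doubling back-off and chain walk
are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

RETRY_START = 15.0      # first retry interval, seconds
RETRY_MAX = 30 * 60.0   # the interval grows towards 30 minutes

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: str
    valid_from: float    # "Valid from", epoch seconds
    valid_to: float      # "Valid to", epoch seconds
    cdp: Optional[str]   # CRL Distribution Point URL; absent if the issuer never revokes

@dataclass
class Crl:
    revoked: Set[str]    # serial numbers revoked by the issuing CA
    next_update: float   # the cached copy is valid until this time

class CdpUnreachable(Exception):
    """Raised by the fetch callback when the CDP is offline or not network-accessible."""

@dataclass
class CrlCache:
    fetch: Callable[[str], Crl]
    clock: Callable[[], float]
    crls: Dict[str, Crl] = field(default_factory=dict)
    backoff: Dict[str, Tuple[float, float]] = field(default_factory=dict)  # cdp -> (next_try, interval)

    def lookup(self, cdp: str) -> Optional[Crl]:
        """Return a still-valid CRL for this CDP, or None if none can be obtained right now."""
        now = self.clock()
        crl = self.crls.get(cdp)
        if crl is not None and now < crl.next_update:
            return crl
        next_try, interval = self.backoff.get(cdp, (0.0, RETRY_START))
        if now < next_try:
            return None          # inside the retry interval: do not hit the CDP again
        try:
            crl = self.fetch(cdp)
        except CdpUnreachable:
            self.backoff[cdp] = (now + interval, min(interval * 2, RETRY_MAX))
            return None
        self.backoff.pop(cdp, None)
        self.crls[cdp] = crl
        return crl

def validate_chain(chain: List[Cert], trusted_roots: Set[str], cache: CrlCache) -> List[str]:
    """Walk from the user's certificate (chain[0]) up to the root and return the warnings
    the server would show the Outlook Web Access user; an empty list means valid."""
    warnings: List[str] = []
    now = cache.clock()
    for i, cert in enumerate(chain):
        if not (cert.valid_from <= now <= cert.valid_to):
            warnings.append(f"{cert.subject}: outside validity period")
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            warnings.append(f"{cert.subject}: issuer {cert.issuer} is not next in the chain")
        if cert.cdp is not None:
            crl = cache.lookup(cert.cdp)
            if crl is None:
                warnings.append(f"{cert.subject}: CRL at {cert.cdp} could not be validated")
            elif cert.serial in crl.revoked:
                warnings.append(f"{cert.subject}: certificate revoked")
    if chain[-1].subject not in trusted_roots:
        warnings.append(f"{chain[-1].subject}: root CA not in the server's trusted store")
    return warnings

def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: the CDP is down for the first request, then comes back."""
    clock = [1000.0]                  # fake clock so the back-off is observable
    state = {"reachable": False}
    crl = Crl(revoked={"0x0bad"}, next_update=clock[0] + 3600)

    def fetch(url: str) -> Crl:
        if not state["reachable"]:
            raise CdpUnreachable(url)
        return crl

    cache = CrlCache(fetch=fetch, clock=lambda: clock[0])
    root = Cert("Contoso Root CA", "Contoso Root CA", "0x01", 0.0, 1e9, None)
    alice = Cert("alice@contoso.example", "Contoso Root CA", "0x0a", 500.0, 5000.0,
                 "http://ca.contoso.example/root.crl")
    roots = {"Contoso Root CA"}
    first = validate_chain([alice, root], roots, cache)   # CDP unreachable -> warning
    state["reachable"] = True
    clock[0] += 10                                        # still inside the 15 s interval
    second = validate_chain([alice, root], roots, cache)  # no retry yet -> same warning
    clock[0] += 10                                        # interval elapsed -> CRL fetched
    third = validate_chain([alice, root], roots, cache)
    return first, second, third
```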

Handling Public Keys

When sending an encrypted message, Outlook, Outlook Express, and Outlook Web Access search
Active Directory, the personal certificate store, or the Contacts folder for a recipient's public
certificate. User settings determine where the client searches for the certificate. By default,
Outlook and Outlook Web Access search Active Directory first. If the recipient does not exist in
Active Directory, or if the Active Directory user or contact object does not have a key associated
with it, then the sender's personal contacts are searched. In Outlook and Outlook Web Access, the
personal contacts are stored on the sender's Exchange mailbox. Outlook Express stores the
contacts locally. If a public certificate, suitable for encryption, is stored on the contact, then that
certificate may be used for sending the encrypted e-mail. In addition, if the sender of the
encrypted message is replying to a message that was signed, and the signed message includes the
signer's public key, that key can be used to encrypt the reply.
Both Outlook and Outlook Express allow the user to specify LDAP directories in which user
information (including public certificates) can be accessed. In Outlook, the default directory in
which user information is gathered is the local (log on) Active Directory; additional directories
can be specified for each profile. For Outlook Express, you can specify generic LDAP search
directories for each account. Outlook Web Access uses Exchange to proxy Active Directory
searches on its behalf. Outlook Web Access can only search for recipients and certificates that
exist in Active Directory and user's contacts.

Certificate Enrollment
For users to be able to sign or encrypt outgoing messages, they must first be issued certificates,
referred to as digital IDs, which support the signature and encryption security functions. A single
certificate may provide both functions, or a separate certificate may provide each function. The
necessary certificates are issued by a CA, which generates the necessary public and private key
pair needed for encryption and decryption. The public key is then stored in Active Directory,
which allows other users to encrypt messages intended for the user, while the private key is
typically stored locally on the user's computer or on a smart card. The process of obtaining a
certificate from a CA is called "enrollment."

Configuring Outlook Web Access S/MIME

This section provides the basic steps necessary to configure S/MIME support for Outlook Web
Access. Specifically, the following scenario and corresponding steps show you how to use the
Windows Server 2003 Certification Authority console to get S/MIME support up and running—
this is one of the simplest methods. Use these steps as a guide to test the new S/MIME
functionality. Do not use these steps in an attempt to deploy a secure messaging infrastructure in
your production environment. The Outlook Web Access S/MIME control does not require
Windows Server 2003 certificates—any X.509v3 certificate can be used. Deploying a
production PKI and more secure messaging infrastructure requires careful planning and
consideration of topics such as CA topologies, key archival and recovery strategies, auto-
enrollment, smart cards, and so on. Although these topics are outside the scope of this document,
they are discussed in the Windows Server 2003 documentation.
Note
Several of the following steps also apply to using S/MIME with Microsoft Outlook. If
your users are already using encryption and signing with Outlook, you can skip to the
Outlook Web Access configuration steps.

Existing Topology
This procedure assumes that you have the following topology configured:

• At least one Windows Server 2003 domain controller
• At least one Exchange 2003 server
Perform the following steps to deploy S/MIME with Outlook Web Access:

1. Install Windows Server 2003 certification authority (CA).
2. Configure the CA as an enterprise root.
3. Have users enroll.
4. Install the Outlook Web Access S/MIME control.
5. Configure default secure messaging settings.
6. Send test messages.
Each of these steps is detailed in the following sections.

Step 1: Installing a Windows Server 2003 Enterprise Certification Authority
You must install a certification authority on your network that can issue the necessary certificates
to users. To provide the greatest ease of deployment, it is recommended that you deploy a
Windows Server 2003 Server CA. Although you could use a Windows 2000 certificate server,
Windows Server 2003 offers some important additional features, including auto enrollment
through group policy and key archival and recovery capabilities.
An Enterprise CA (as opposed to a stand-alone CA) facilitates deployment because it integrates
with Active Directory for public key storage. Storing the public keys in Active Directory allows
users to automatically look up another user's public key when encrypting a message.

To install a Windows Server 2003 enterprise CA

1. On a computer running Windows Server 2003, click Start, point to Control Panel, and then
click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. In the Windows Components Wizard, under Components, select Certificate Services.
4. Read the warning about domain membership, and then click Yes.
5. Click Next.
6. On the CA Type page, click Enterprise root CA, and then click Next.
7. On the CA Identifying Information page, in the Common name for this CA box, type a
name for the CA.
8. Complete the remaining steps in the wizard.
Step 2: Configuring the CA
After installing the CA, you may want to change the default settings. For testing purposes, you
can use the default settings, but you may want to change some of the following configuration
settings:
Recovery agents
To archive users' private keys and retrieve them in case they are lost, you must configure a
recovery agent. The recovery agent is used to recover an archived key. To configure a
recovery agent, you must install a recovery agent certificate on the CA.
Certificate templates
After you install the enterprise CA, a number of default certificate templates are available.
For Outlook Web Access S/MIME purposes, the standard User certificate template offers
both encryption and signature functions, and is therefore sufficient for message signing and
encryption. However, you may want to require separate certificates for signing and
encryption. To do this, create two new templates, one for signature and one for encryption.
Request handling
With the default settings on the CA, certificates are issued automatically upon request,
unless the certificate template specifically requires an administrator to grant the request. The
User certificate does not require administrator approval. If you want an administrator to
approve each certificate request, you can configure Request Handling to require
administrator approval before a certificate is issued.

Step 3: Allowing Users to Enroll

After the CA is configured, users can request the certificate (or certificates) necessary for
message signing and encryption. The following procedure assumes you are using the standard
User certificate template, which offers both signing and encryption functions. If you configured
your own certificate templates, users will need to issue an advanced certificate request and
request the custom certificates.
Important
By default, the user certificate template allows for the exporting of digital certificates
and does not have strong key protection. In a production environment, you should be
aware of this. If this does not conform to your security policy, consider creating
custom certificate templates that do conform to your security requirements.

To request a certificate
1. Browse to http://ca-server/certsrv where ca-server is the name of the Windows Server 2003
Enterprise CA.
Note
You can also use the Certificates snap-in in Microsoft Management Console
(MMC) to request a certificate.

2. After authenticating (if necessary), click Request a certificate.
3. On the Request a Certificate page, click User Certificate.
4. On the User Certificate - Identifying Information page, click Submit.
5. The CA Web site will request a certificate on your behalf. In Potential Scripting Violation,
click Yes.
6. On the Certificate Issued page, click Install this certificate.
7. In the remaining dialog boxes, click Yes after reviewing the information.
The certificate is now installed on the local computer from which the user requested the
certificate. You must install this same certificate on any computer from which the user will use
S/MIME in Outlook Web Access. To install the certificate on other computers, the user must
export the certificate and then import it on the other computers.

To export a certificate
Note
Key Management Service certificates are commonly used in Outlook for S/MIME.
Because Key Management Service certificates can only be exported in the Outlook
format, Outlook must be installed.

1. On the computer that has the certificate installed, open Microsoft Management Console
(MMC): At a command prompt, type MMC.
2. Click File, and then click Add/Remove Snap-in.
3. In Add/Remove Snap-in, on the Standalone tab, click Add.
4. In Add Standalone Snap-in, click Certificates, and then click Add.
5. In Certificates Snap-in, click My user account, and then click Finish.
6. In MMC, expand Certificates - Current User, expand Personal, and then click
Certificates.
7. In the details pane, right-click the certificate you want, point to All Tasks, and then click
Export (Figure 2.15).

Figure 2.15 Exporting the user certificate

8. On the Welcome to the Certificate Export Wizard page, click Next.
9. On the Export Private Key page, select Yes, export the private key. This is necessary to
read encrypted messages from the computer where the key will be imported.
10. On the Export File Format page, leave the default settings, and then click Next.
11. On the Password page, type a password for the private key.
12. On the File to Export page, type the path and name for the exported certificate file. This is
the file that will be imported on other computers.
13. Complete the remaining steps in the wizard.
The file is saved as a .pfx extension with the name you specified. The next step is to import the
certificate to the other computers.

To import a certificate
1. From the computer on which the certificate is to be installed, browse to the .pfx file that was
exported (for example on a floppy disk). Right-click the file, and then click Install PFX.
2. On the Welcome to the Certificate Import Wizard page, click Next.
3. On the File to Import page, click Next.
4. On the Password page, in the Password box, type the password for the private key, and then
click Next. Because you already have an exported copy, you do not have to make the key
exportable.
5. On the Certificate Store page, select Automatically select the certificate store based on
the type of certificate, and then click Next.
6. Complete the remaining steps in the wizard.
The certificate is now installed on the new computer.

Step 4: Installing the Outlook Web Access S/MIME Control

Next, to provide signing and encryption functionality, you must install the S/MIME control used
by Outlook Web Access. This step must be performed on each computer from which the user
uses Outlook Web Access to encrypt or sign e-mail.
The Outlook Web Access S/MIME control requires Windows 2000 or later and Internet Explorer
6 or later to be installed.

To install the Outlook Web Access S/MIME control

1. On a computer with Windows 2000 or later and Internet Explorer 6 or later installed, log on
to Outlook Web Access.
2. In Outlook Web Access, in the Navigation Pane, click Options. If the Navigation Pane is
collapsed, click the Go to options button.
3. On the Options page, under E-Mail Security, click Download.
4. If any security warnings appear, click Yes.
The S/MIME control will be downloaded from the Exchange server to the local computer.

Step 5: Configuring Default E-mail Security Settings

After the S/MIME control is installed, the following two check boxes appear on the Options
page under E-Mail Security:

• Encrypt contents and attachments for outgoing messages
• Add digital signature to outgoing messages
When a message is composed using Outlook Web Access, these options represent the default
settings. Even if neither default is selected, users can encrypt or sign individual messages from
within the message. Similarly, the default options can be disabled for individual messages.

To configure the default e-mail security settings

1. Select the Encrypt contents and attachments for outgoing messages check box if you
want encryption turned on by default when composing a message.
2. Select the Add digital signature to outgoing messages check box if you want message
signatures turned on by default when composing a message.
3. Click Save and Close.

Step 6: Testing Encryption and Signing

At this point, Outlook Web Access users should be able to send signed or encrypted messages. To
ensure that both signing and encryption are functioning properly, you should send test messages
between two users.

To send a signed message

1. Log on to Outlook Web Access as a user who has a certificate and the S/MIME control
installed.
2. Click New to compose a new message.
3. Add a recipient for the test message and fill out the message fields.
4. On the toolbar, there are two new icons: one for encrypting and one for signing. Ensure that
the Add digital signature to this message button is selected. Because you just want to test
digital signing this time, ensure that the Encrypt message contents and attachments
button is not selected (Figure 2.16).

Figure 2.16 The Add digital signature to this message button

5. Click Send.
6. Log on as the recipient of the test message and open the message. The message should
contain the digital signature of the sender.
To send an encrypted message
1. Log on to Outlook Web Access as a user who has a certificate and the S/MIME control
installed.
2. Click New to compose a new message.
3. Add a recipient for the test message and fill out the message fields. The recipient's public
key is required to encrypt the message contents. Therefore the recipient must have already
enrolled in a certificate that supports encryption.
4. On the toolbar, ensure that the Encrypt message contents and attachments button is
selected. Because you just want to test encryption this time, ensure that the Add digital
signature to this message button is not selected (Figure 2.17).

Figure 2.17 The Encrypt message contents and attachments button

5. Click Send.
6. Log on as the recipient of the test message. The message should be encrypted and only
viewable by the recipient from a computer with the user's encryption certificate installed.

Mobile Services for Exchange

Exchange Server 2003 supports mobile access using the synchronization and browse capabilities
of mobile devices. You can deploy mobile services to provide your users with the ability to
access their Exchange information from mobile devices such as the Microsoft Pocket PC 2002
Phone Edition device or any mobile device with a mobile browser.

Exchange ActiveSync
Exchange 2003 now includes the ability to use Pocket PC 2002 devices to synchronize Exchange
data with Exchange ActiveSync. By default, when you install Exchange, all of your users are
enabled for synchronization.
By synchronizing a device to an Exchange server, your users can access their Exchange
information without having to be constantly connected to a mobile network. Specifically, users
can use their mobile carrier connection to synchronize their Exchange information to their Pocket
PC Phone Edition or Smartphone device and then access this information while offline.

Configuring Exchange 2003 for Synchronization Access
By default, when you install Exchange, synchronization access is enabled for all users. You can
also use Active Directory Users and Computers to enable individual users for synchronization
access. Synchronization access to Exchange also includes the following features:

• Up-to-date notifications
• Delivery to user-specified SMTP addresses

Up-to-Date Notifications
Future mobile devices will be able to receive notifications that are sent to the device. These
notifications will be able to initiate synchronization between a user's device and their Exchange
mailbox.

Delivery to User-Specified SMTP Addresses

When the Enable notifications to user specified SMTP addresses feature is enabled in
Exchange, users can use any mobile carrier with the synchronization feature of Exchange. With
this feature enabled, when a new message arrives in a user's mailbox, up-to-date notifications
allow a synchronization to occur on a user's device. Enable this feature if you have users who are
using mobile devices to synchronize, and you do not want to specify the carrier.
The following procedure describes how to configure synchronization access for your users.

To configure your Exchange 2003 organization for synchronization access

1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. Expand Global Settings, right-click Mobile Services, and then click Properties (Figure
2.18).

Figure 2.18 The Mobile Services Properties dialog box

3. Under Exchange ActiveSync, select from the following check boxes:
• Select the Enable user initiated synchronization check box to allow users to use
Pocket PC 2002 devices to synchronize their Exchange data.
• Select the Enable up-to-date notifications check box to allow users to receive
notifications that are sent from the Exchange server to devices that are designed to allow
notifications.
• Select the Enable notifications to user specified SMTP addresses check box to allow
users to use their own SMTP carrier for notifications.
4. Click Apply, and then click OK.

Configuring Mobile Devices for Synchronization Access
The following procedure shows you how to configure your mobile device to use Exchange
ActiveSync.

To configure your Pocket PC Phone Edition device to use Exchange ActiveSync
1. On your mobile device, from the Today screen, tap Start and then tap ActiveSync.
2. Tap Tools, tap Options, and then tap the Server tab.
3. Select the check box next to each type of information that you want to synchronize with the
server.
4. To configure synchronization options for each type of information, select the type of
information, and then tap Settings.
5. In the Server Name field, enter the address or name of the server to connect to when
synchronizing Exchange data.
6. Tap Advanced.
7. On the Connection tab, enter your user name, password, and domain name.
8. On the Rules tab, select the rule that determines how synchronization should proceed when
information has been changed on both your device and your Exchange server.
9. Tap OK to accept the changes you made to ActiveSync.

Outlook Mobile Access
Exchange 2003 now includes the Outlook Mobile Access application, which allows users to use
mobile devices to access their e-mail, Contacts, Calendar, and Tasks folders. Users can use
Outlook Mobile Access with a mobile device that has a mobile browser. The mobile browser
needs to support one of the following markup languages: HTML, xHTML, or cHTML. To deploy
your Exchange server to use Outlook Mobile Access, follow the same steps involved in
deploying an Exchange server to use Outlook Web Access.
By default, the Outlook Mobile Access application is installed on Exchange servers and all of
your users are enabled for it; however, the Outlook Mobile Access application itself is disabled.
When you install Exchange, Microsoft .NET Framework 1.1, a necessary component for Outlook
Mobile Access, is installed automatically for you.
Important
Outlook Mobile Access uses Basic Authentication as the authentication method on
the Outlook Mobile Access virtual directory in Internet Information Services (IIS). If
you change the authentication method for the Outlook Mobile Access virtual
directory, Outlook Mobile Access will not function properly.

For more information about how to install Exchange, see Chapter 9, "Deployment Features."

Browsing Exchange with a Supported Mobile Device
If your mobile device users want to use Outlook Mobile Access to browse their Exchange data,
they must use a device that is supported for Outlook Mobile Access. Table 2.6 lists the supported
mobile devices for using Outlook Mobile Access.
Table 2.6 Supported devices for Outlook Mobile Access

Device                               Rendering language
Casio Cassiopeia E-2000              HTML
Compaq iPAQ 3630                     HTML
Microsoft Pocket PC Phone Edition    HTML
Microsoft SmartPhone                 HTML
NEC N503is                           cHTML
Panasonic P503is                     cHTML
Panasonic P504i                      cHTML
Fujitsu F504i                        cHTML
Mitsubishi D503iS                    cHTML
Sony SO503iS                         cHTML
NEC N504i                            cHTML
Sony Ericsson T68i                   xHTML
Sanyo A3011SA                        xHTML-mp (WAP 2.0)
Toshiba C5001T                       xHTML-mp (WAP 2.0)
Sharp J-SH51                         MML (HTML)
Toshiba J-T51                        MML (HTML)

Configuring Unsupported Mobile Device Settings
Outlook Mobile Access can also provide mobile access to Exchange from devices that are not on
the supported list. Because these devices are unsupported, they may behave unexpectedly or fail
to work properly. You should inform your users that such devices are not officially supported
and may produce unexpected results when used with Outlook Mobile Access. To configure your
organization's unsupported device settings, use Mobile Services Properties in Exchange System
Manager.

To configure unsupported device settings
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. Expand Global Settings, right-click Mobile Services, and then click Properties (Figure
2.19).

Figure 2.19 The Mobile Services Properties dialog box


3. In Mobile Services Properties, under Outlook Mobile Access, select or clear the Enable
unsupported devices check box.
4. Click Apply, and then click OK.

Configuring Exchange 2003 to Use Outlook Mobile Access
Perform the following steps to enable your Exchange 2003 users to use Outlook Mobile Access.

1. Configure your Exchange 2003 front-end server for Outlook Mobile Access.
2. Configure user devices to use a mobile connection.
3. Inform your users how to use Outlook Mobile Access.
Each of these steps is detailed in the following sections.

Step 1: Configuring Exchange 2003 for Outlook Mobile Access
By default, the Outlook Mobile Access virtual directory (which allows your users to access
Exchange from a mobile device) is installed with Exchange 2003. This virtual directory has the
same capabilities and configuration settings as the Outlook Web Access virtual directory. When
you configure a server to use Outlook Mobile Access, you should configure the server in the
same way that you configure a server for Outlook Web Access. For complete details about how to
configure your Exchange 2000 servers to use Outlook Web Access, see the book Using Microsoft
Exchange 2000 Front-End Servers
(http://go.microsoft.com/fwlink/?linkid=14575&clcid=0x409).

Step 2: Configuring Users' Devices to Use a Mobile Connection
In order for your users to access Exchange 2003 using Outlook Mobile Access, they must have a
mobile device from a mobile operator who has an established data network for mobile data.
Before your users connect to Exchange 2003 and use Outlook Mobile Access or Exchange
ActiveSync over a mobile connection, you should instruct them how to configure their devices to
use a mobile network, or at least provide them with resources that explain how to do so.

Step 3: Instructing Your Users How to Use Outlook Mobile Access
Now that you have configured Exchange 2003 for Outlook Mobile Access, and your users have
mobile devices that can use a mobile network to access Exchange 2003 servers, your users need
to know how to access their Exchange server and use Outlook Mobile Access. The following
procedure describes how to use Outlook Mobile Access on a Pocket PC Phone Edition device.

To configure a Pocket PC Phone Edition device to use Outlook Mobile Access
1. On your device, from the Today screen, tap Start, and then tap Internet Explorer.
2. On the Internet Explorer screen, tap View, and then tap Address Bar to open the address
bar in your browser window.
3. Tap anywhere inside the address bar, enter the following URL, and then tap the Go button:
https://ExchangeServerName/oma, where ExchangeServerName is the name of your
Exchange server running Outlook Mobile Access.
Note
If a connection bubble does not appear, you may have to connect to your
network manually.

4. At the Network Log On screen, enter your user name, password, and domain in the spaces
provided, and then tap OK.
The Outlook Mobile Access home page opens, and from it you can read, reply to, or forward
e-mail, view calendar appointments, and browse or create contacts and tasks. Additionally, from
the Outlook Mobile Access home page, you can set options under Preferences, such as the
default language and time zone.
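A configuration check that follows from the Important note above and from the https://ExchangeServerName/oma URL in step 3: because the Outlook Mobile Access virtual directory relies on Basic authentication, the user name and password are protected only by TLS, so an anonymous request to the virtual directory should come back as a 401 that offers Basic, and the URL users are given should be https. The following Python script is an added example, not code from this document or from Microsoft; the host name mail.example.com, the function names, and the response headers it evaluates are constructed for illustration.

```python
from urllib.parse import urlsplit
import urllib.error
import urllib.request


def auth_schemes(www_authenticate_values):
    """Return the lowercased scheme names offered in one or more WWW-Authenticate values.

    A challenge list looks like 'Negotiate, NTLM, Basic realm="server"'. Tokens that
    contain '=' are parameters (for example Digest's nonce="..."), not schemes, and
    are skipped.
    """
    schemes = []
    for value in www_authenticate_values:
        for part in value.split(","):
            part = part.strip()
            token = part.split(None, 1)[0] if part else ""
            if token and "=" not in token:
                schemes.append(token.lower())
    return schemes


def check_oma_auth(url, status, www_authenticate_values):
    """Evaluate the response to an anonymous request. Returns (ok, findings)."""
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("URL is not https: Basic credentials would cross the network unprotected")
    if status != 401:
        findings.append(f"expected a 401 challenge for an anonymous request, got {status}")
    if "basic" not in auth_schemes(www_authenticate_values):
        findings.append("Basic is not offered; the OMA virtual directory relies on Basic authentication")
    return (not findings, findings)


def probe(url, timeout=10):
    """Live check against a real server (not exercised offline): send an anonymous GET."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, hdrs = resp.status, resp.headers.get_all("WWW-Authenticate") or []
    except urllib.error.HTTPError as err:   # a 401 is delivered as an exception
        status, hdrs = err.code, err.headers.get_all("WWW-Authenticate") or []
    return check_oma_auth(url, status, hdrs)


# Constructed responses standing in for what a server would return (not captured data).
GOOD = ("https://mail.example.com/oma", 401, ['Basic realm="mail.example.com"'])
PLAIN_HTTP = ("http://mail.example.com/oma", 401, ['Basic realm="mail.example.com"'])
CHANGED_AUTH = ("https://mail.example.com/oma", 401, ["Negotiate", "NTLM"])
ANONYMOUS = ("https://mail.example.com/oma", 200, [])

if __name__ == "__main__":
    for sample in (GOOD, PLAIN_HTTP, CHANGED_AUTH, ANONYMOUS):
        print(sample[0], check_oma_auth(*sample))
```

The CHANGED_AUTH sample is the case the Important note warns about (the virtual directory's authentication method was changed away from Basic); the ANONYMOUS sample catches a virtual directory that no longer challenges at all. probe() runs the same evaluation against a live server and is the only part that needs network access.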
Chapter 3

Administration Features

Microsoft® Exchange Server 2003 includes several new features that make Exchange
administration easier and more efficient. From new recipient management features to an
improved Queue Viewer, Exchange 2003 offers significant improvements over previous versions
of Exchange.
Table 3.1 lists the Exchange 2003 feature enhancements discussed in this chapter.

Table 3.1 Exchange 2003 administration - feature enhancements

Recipient management
• Two new mail-enabled objects in recipient management—InetOrgPerson and query-based distribution groups.
• The Exchange Features tab of the user Properties includes Wireless Services and Protocols features.
• You can now run multiple instances of the Exchange Task Wizard simultaneously in a single console.
• You can use the Exchange Task Wizard in Exchange System Manager to move mailboxes.

Queue Viewer
• Improved Queue Viewer functionality provides visibility to more message queues.
• You can view both SMTP and X.400 queues from Queue Viewer rather than from their separate nodes.
• You can disable outbound mail from all SMTP queues.
• You can set the refresh rate for queues.
• The improved Find Messages option lets you search for messages within a queue.
• You can use the Additional queue information pane to view additional information about a particular queue.
• Previously hidden queues, such as the Failed message retry queue, are now exposed and displayed in Queue Viewer.

Public Folders
• New and improved public folder administration interface, such as the Status tab and the Replication tab, and improved search capability to search all public folders.
• You can create a list of specific servers among which public folder referrals are allowed.
• The Microsoft Exchange Public Folder Migration Tool (pfMigrate) is a new Microsoft Windows® script file (.wsf) that allows you to create replicas of your system folders and public folders on the new Exchange 2003 server.

Mailbox Recovery Center
• Using the new Mailbox Recovery Center, you can perform recovery or export operations on multiple disconnected mailboxes at one time.

Message Tracking Center
• You have greater control in Exchange System Manager over your message tracking log files.
• You can now track messages after categorization.

Exchdump.exe utility
• Exchdump.exe is a command line utility that collects and reports Exchange configuration information from various sources, such as the Microsoft Active Directory® directory service, the registry, and so on.

New Mail-Enabled Objects for Managing Recipients
Recipients are Active Directory objects. Users can either be mailbox-enabled or mail-enabled.
Contacts, groups, and public folders can only be mail-enabled. These designations determine
what tasks users can perform in Exchange. Exchange 2003 introduces two new recipient objects
—InetOrgPerson and Query-based Distribution Group.

InetOrgPerson
The InetOrgPerson object is used in several non-Microsoft LDAP and X.500 directory services to
represent people within an organization. Support for InetOrgPerson in Exchange 2003 makes
migrations from other LDAP directories to Active Directory more efficient. InetOrgPerson
objects in Active Directory can be either mailbox-enabled or mail-enabled.
The InetOrgPerson object in Active Directory is derived from the user class; it functions like a
user object and conforms to the LDAP standard. Furthermore, InetOrgPerson can be used as a
security principal, just like the user class. Active Directory now includes InetOrgPerson in
queries for users. Active Directory provides support for the InetOrgPerson object class, as well as
its associated attributes, which are defined in RFC 2798. For more information about RFC 2798,
see http://www.ietf.org/.
Note
You can create an InetOrgPerson only if you are running a Microsoft Windows
Server™ 2003 domain controller. InetOrgPerson can be mail-enabled or mailbox-
enabled only in a native Exchange 2003 topology.

Creating an InetOrgPerson
The procedures to create a mailbox-enabled or mail-enabled InetOrgPerson are the same as
creating a user object. The following procedure describes how to create an InetOrgPerson.

To create an InetOrgPerson
1. Click Start, point to All Programs, point to Microsoft Exchange, and then click Active
Directory Users and Computers.
2. In the console tree, navigate to the container where you want to create the InetOrgPerson,
right-click the container, point to New, and then click InetOrgPerson.
3. In New Object – InetOrgPerson, complete the remaining steps.


Note
Other than Step 2 above, create an InetOrgPerson the same way you would
create a standard user account.

Query-Based Distribution Groups
A query-based distribution group is a new type of distribution group introduced in
Exchange 2003. This section explains what a query-based distribution group is, how these groups
work, and how to create them.

What Is a Query-Based Distribution Group?
A query-based distribution group provides the same functionality as a standard distribution
group; however, instead of specifying static user memberships, a query-based distribution group
allows you to use an LDAP query to dynamically build membership in the distribution group (for
example, "All full-time employees in my company"). Because membership is dynamic, query-based
distribution groups have a much lower administrative cost. However, they incur a higher
performance cost for queries that return a large number of results. This cost is paid in server
resources (such as high CPU and an increased working set), because every time an e-mail
message is sent to a query-based distribution group, an LDAP query is executed against Active
Directory to determine its membership.
Important
You cannot view the membership of a query-based distribution group in the global
address list, because membership is dynamically generated each time mail is sent.

How Does a Query-Based Distribution Group Work?
When a message is submitted to a query-based distribution group, Exchange handles the message
in a slightly different manner than messages that are destined for other recipients. A query-based
distribution group flows through Exchange to the proper recipients in the following manner:

1. An e-mail message is submitted to the submission queue through the Exchange store driver
or through SMTP.
2. The categorizer, a transport component responsible for address resolution, determines that
the recipient is a query-based distribution group.
3. The categorizer sends the LDAP query request to the global catalog server.
4. The global catalog server executes the query and returns the set of addresses that match the
query.
5. After receiving the complete set of addresses matching the query, the categorizer generates a
recipient list containing all the users.
Note
The categorizer must have the complete set of recipients before it can submit
the message to routing; therefore if an error occurs during the expansion of the
query-based distribution group to its individual recipients, the categorizer must
restart the process.

6. After the categorizer sends the complete, expanded list of recipients to routing, the standard
message delivery process continues, and the e-mail message is delivered to the users'
mailboxes.
If a dedicated expansion server (a single server responsible only for expanding distribution
groups) is used for query-based distribution groups, the process is slightly different. In this case,
rather than sending a query to the global catalog server for expansion (as in Step 4), the message
is first routed to the dedicated expansion server. After the message arrives at the expansion
server, the expansion takes place, and the delivery follows the same process described above.

Creating Query-Based Distribution Groups
Query-based distribution works reliably in a pure Exchange 2003 deployment or in a native
Exchange 2000 and Exchange 2003 deployment in which all Exchange 2000 servers are running
Service Pack 3 (SP3) with Windows Server 2003 global catalog servers. If your global catalog
servers are running Windows 2000 Server, you can modify a registry key on your Exchange 2000
SP3 servers to achieve greater reliability. You do not need to add this registry key to your
Exchange 2003 servers, because, by default, Exchange 2003 expands query-based distribution
groups reliably with Windows 2000 and Windows Server 2003 global catalog servers. If you are
running versions of Exchange earlier than Exchange 2000 SP3 in your organization, query-based
distribution groups will not work reliably.

Modifying Exchange 2000 SP3 Servers For Use With Windows 2000 Global Catalog Servers
Use the following procedure to configure an Exchange 2000 SP3 server for improved reliability
in organizations where query-based distribution groups will be expanded with Windows 2000
global catalogs.
Warning
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.
To modify your Exchange 2000 SP3 server
1. Start Registry Editor (regedit).
2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters
3. In the details pane, right-click, point to New, and then click DWORD Value.
4. Type DynamicDLPageSize for the name.
5. Right-click DynamicDLPageSize, and then click Modify.
6. In Edit DWORD Value, under Base, click Decimal.
7. Under Value Data, type 31, and then click OK.

Creating a Query-Based Distribution Group
To create a query-based distribution group, you must use the Exchange 2003 version of
Exchange System Manager and Active Directory Users and Computers. You cannot create query-
based distribution groups without upgrading your administration console. Use the following
procedure to create a query-based distribution group.
Note
It is recommended that you upgrade all your administrative consoles to
Exchange 2003 before deploying query-based distribution groups in your
environment.

To create a query-based distribution group


1. Click Start, point to All Programs, point to Microsoft Exchange, and then click Active
Directory Users and Computers.
2. In the console tree, navigate to the container where you want to create the query-based
distribution group.
3. Right-click the container, point to New, and then click Query-based Distribution Group.
4. In New Object – Query-based Distribution Group, in the Query-based Distribution
Group name box, type a name for the query-based distribution group, and then click Next
(Figure 3.1).

Figure 3.1 The Query-based Distribution Group name box


5. In the Apply filter to recipients in and below box, the parent container that the query-based
distribution group will be run against is displayed. If necessary, click Change to select
another container (Figure 3.2).

Figure 3.2 The Apply filter to recipients in and below box


Note
The query only returns recipients in the selected container and its child
containers. To achieve the desired results, you may need to select a parent
container or create multiple queries.

6. Under Filter, select one of the following options:
• To select from pre-defined criteria for membership in the query-based distribution
group, click Include in this query-based distribution group, and then click each item
you want. The following criteria are pre-defined:
- Users with Exchange mailbox
- Users with external e-mail addresses
- Mail-enabled Groups
- Contacts with external e-mail addresses
- Mail-enabled Public folders

• To create your own criteria for the query, click Customize filter, and then click
Customize. Some attributes available for selection in the query are not replicated to the
global catalog server. Because the query executes against available attributes on the
global catalog server, if you pick attributes that do not exist on the global catalog server,
the query returns an empty set of this attribute. The following attributes are not available
on the global catalog server:
- Assistant
- Comment
- Direct Reports
- Division
- E-Mail Address (Others)
- Employee ID
- Generational Suffix
- Home Address
- Home Drive
- Home Folder
- ILS Settings
- International ISDN Number
- International ISDN Number (Others)
- Logon Workstations
- Member Of
- Middle Name
- Telex Number
- Telex Number (others)
- Title

7. Click Next to see a summary of the query-based distribution group you are about to create.
8. Click Finish to create the query-based distribution group. The new query-based distribution
group displays under the container you selected in Step 5.
9. Right-click the query-based distribution group you just created, and then click Properties.
10. To view the query results, click the Preview tab and then verify that the correct recipients
are included in the distribution group.
Important
Using the Preview tab is strongly recommended. Some attributes available for
inclusion in the query are not replicated to the global catalog server. When you
click the Preview tab, the query executes against the available attributes on the
global catalog server. You can use the tab to ensure that all attributes you select
are available on the global catalog server. If the attributes are not available on
the global catalog server, the query returns an empty preview pane.
Note
To execute the query, the Preview tab uses the security context of the user that
is currently logged on. When the query based distribution group forms its
membership, it uses the security context of the Exchange server account. For
this reason, the results displayed on the Preview tab may vary from the actual
results when the query is run.

Active Directory Users and Computers provides an easy way to format the LDAP query with
standard attributes, without requiring specific knowledge of LDAP. For example, you can select
all mailboxes under the organizational unit or even customize the query to select all mailboxes
under the organizational unit that exist on a particular server.
Additionally, after you construct a query, the Preview tab in the query's Properties provides the
information necessary to ensure that your query functions properly. As mentioned earlier, you can
ensure that all attributes selected for the query are available on the global catalog server. You can
also use the Preview tab to learn how long a query takes to execute and, based on this time,
decide whether to break up the query into smaller queries for better performance and faster
delivery times.

Guidelines for Creating Query-Based Distribution Groups
Use the following guidelines when creating query-based distribution groups:

• You can only use query-based distribution groups in a pure Exchange 2003 environment or
in a native mode environment with Exchange 2000 and Exchange 2003, where all
Exchange 2000 servers are running Service Pack 3.
• When creating distribution groups that span domains, use universal groups in multi-domain
environments. Although query-based distribution groups can be added to global distribution
groups, and domain local and global security groups can contain any of these groups,
membership in these types of groups is not replicated to global catalog servers in other
domains. Use universal distribution groups in situations where distribution spans a multi-
domain environment.
• When combining query-based distribution groups into an aggregate group, combine
them in a universal group. Only universal groups are available on global catalog servers
across domains.
• When building query-based distribution groups, you should only include universal
groups if you want the membership to be available in all domains in a multi-domain
environment.
• Index the attributes used in the query. Indexing greatly improves the performance of the
query and reduces the time required to expand the distribution group and deliver the e-mail
message to the intended recipients. For more information about indexing attributes, see
Microsoft Knowledge Base article, 313992, "HOW TO: Add an Attribute to the Global
Catalog in Windows 2000" (http://support.microsoft.com/?kbid=313992).
• If the filter string contains bad formatting or incorrect LDAP syntax, the global catalog
server will not execute the query. Use Active Directory Users and Computers to create your
query, which helps prevent you from constructing an incorrect query. You can also use the
Preview tab in the query's Properties to view the result of the query; this confirms the
validity and desired results of the query. If you create a query-based distribution group based
on an incorrect LDAP query, a user who sends a message to the query-based distribution
group receives a non-delivery report (NDR) with the code 5.2.4; furthermore, if
categorizer logging is enabled, one of two events is logged, with event identifier 6024 or
6025.
• Always use the Preview tab to ensure that the attributes you include in your query are
available on the global catalog server.
• If the filter string is well formatted but no results are produced, the sender will not
receive an NDR. This is the same behavior that results when a message is sent to an empty
distribution group. As mentioned earlier, use the Preview tab in Active Directory Users and
Computers to confirm the desired result of your query.
• Use Exchange System Manager in a security context that has the same permissions for
reading objects in Active Directory as the Exchange server. It is important to note that
Exchange System Manager runs in the security context of the user who is currently logged
in. If an administrator is running Exchange System Manager and has lower security
privileges than the Exchange server, it is possible that the query will show a subset of the
actual results on the Preview tab. The preview pane only shows the Active Directory objects
that the administrator has permission to read. When a message is sent to the query-based
distribution group, however, the categorizer runs with the Exchange server permissions.
Assuming the Exchange server has permissions for all of the objects in the query, the query
returns the correct results.
• Issues arise when a base distinguished name is deleted. Query-based distribution expansion
relies on its base distinguished name referring to a valid container in the directory. If a
query-based distribution group's base distinguished name container is deleted, the
categorizer cannot execute the query, and the sender receives an NDR with the code 5.2.4. If
categorizer logging is enabled, an event ID of 6024 or 6025 is logged. For example, suppose
you created a Sales container within the Users container for all Sales employees and then
used the Sales container to build a query-based distribution group. If you deleted the Sales
container, the query would no longer work.
Combining Multiple Query-Based Distribution Groups
In Exchange System Manager, you can create query-based distribution groups based on the AND
operator. This means you can create a query using two attribute values; the query includes results
that meet both of the specified conditions. For example, if you create a query that includes users
on mailbox store 1 and users located in Seattle, the results include only users who are on mailbox
store 1 and also located in Seattle. To create distribution groups based on the OR operator using
query-based distribution groups, create multiple query-based distribution groups and combine
them in a single distribution group. For example, if you want to include users who are on
mailbox store 1 or located in Seattle, you would need to create one query-based distribution group
for users in Seattle and a second query-based distribution group for users residing on mailbox
store 1. Then you would create a standard distribution group and include these two query-based
distribution groups as members.
Note
The distribution group you use to combine the query-based distribution groups
cannot itself be a query-based distribution group.

For example, assume you want to create a query-based distribution group that includes all
Marketing employees or all employees located in the Paris office. If you create a query-based
distribution group with an LDAP query that contains all Marketing employees and all Paris
employees, the query only returns users who are in both groups—any user who is not a member
of both groups is excluded. To achieve OR functionality (thereby including members of either
group), you must create two query-based distribution groups, one for Marketing employees and
one for Paris employees; then you must combine the two groups to create a new distribution
group (not a query-based distribution group) that contains the two groups as members. To do this,
you would perform the following steps:

1. Create a query-based distribution group called Marketing for all Marketing employees.
2. Create a query-based distribution group called Paris employees for all employees in the
Paris office.
3. Create a distribution group and add the query-based distribution groups—Marketing and
Paris employees—as members of this group.
Important
You cannot add query-based distribution groups as members of a distribution
group the same way you add users to a group. You must right-click the
distribution group, and then click Add Exchange Query-based Distribution
Groups.

Use the following procedure to add query-based distribution groups as members of a standard
distribution group.
To add query-based distribution groups as members of a distribution group
1. Click Start, point to All Programs, point to Microsoft Exchange, and then click Active
Directory Users and Computers.
2. In the console tree, navigate to the container where the distribution group resides.
3. In the details pane, right-click the distribution group, and then click Add Exchange Query-
based Distribution Groups.
4. In Select Exchange Query-based Distribution Groups, under Enter the object names to
select, type the name of the query-based distribution group that you want to add.
5. Click Check Names to verify the entry.
6. Click OK.
7. Repeat Steps 3 through 6 for each query-based distribution group you want to add to this
distribution group.
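To make the expansion behaviour described in "How Does a Query-Based Distribution Group Work?", the attribute and security-context caveats from the creation procedure and the guidelines, and the AND/OR point of this section concrete, the following Python model is an added example; it is not Exchange code and does not come from this document. It parses an LDAP filter (the RFC 2254 subset needed here: &, |, !, attribute=value, and * wildcards), evaluates it against a constructed directory the way the categorizer evaluates a query against a global catalog, and reproduces the outcomes the page lists: a filter that ANDs its clauses, a clause on an attribute that is not replicated to the global catalog matching nothing (an empty result, with no NDR), bad syntax or a deleted base container producing the 5.2.4 status, a restricted security context returning only a subset (the Preview tab discrepancy), and OR obtained by combining query-based groups in a standard group. The directory entries, the DNs, the set of attributes treated as replicated to the global catalog, and all function names are constructed for illustration. The parser also accepts the OR and NOT operators, which goes beyond the AND-only filters the Exchange System Manager UI builds.

```python
import re

# Constructed subset of attributes replicated to the global catalog; 'title' is
# deliberately absent because the page lists Title among attributes not on the GC.
GC_ATTRIBUTES = {"objectclass", "mail", "l", "homemdb", "department"}
BASE_DN = "OU=Users,DC=example,DC=com"   # constructed base container

def _user(cn, city, store, dept, **extra):
    # Build one constructed user entry (attribute names lowercased, values as lists).
    entry = {"objectclass": ["user"], "mail": [f"{cn.lower()}@example.com"],
             "l": [city], "homemdb": [store], "department": [dept]}
    entry.update({k: [v] for k, v in extra.items()})
    return f"CN={cn},{BASE_DN}", entry

# Constructed directory: DN -> attributes.
DIRECTORY = dict([
    (BASE_DN, {"objectclass": ["organizationalUnit"]}),
    _user("Ann", "Seattle", "Store1", "Marketing", title="Manager"),
    _user("Bob", "Paris", "Store2", "Marketing"),
    _user("Cho", "Seattle", "Store2", "Finance"),
    _user("Dev", "Paris", "Store1", "Finance", title="Manager"),
])

class FilterError(ValueError):
    """Bad LDAP filter syntax."""

def parse_filter(text):
    """Parse an RFC 2254 filter subset (&, |, !, attr=value, * wildcards) into a tuple tree."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError("trailing characters after filter")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise FilterError(f"wrong operand count for '{op}'")
        if i >= len(s) or s[i] != ")":
            raise FilterError("missing ')'")
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise FilterError("missing ')'")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr.strip() or not value:
        raise FilterError("expected attribute=value")
    return ("=", attr.strip().lower(), value), end + 1

def _value_matches(pattern, value):
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None

def matches(node, entry, gc_attributes=GC_ATTRIBUTES):
    """Evaluate a parsed filter against one entry as the global catalog sees it."""
    if node[0] == "=":
        _, attr, pattern = node
        if attr not in gc_attributes:   # not replicated to the GC: the clause matches nothing
            return False
        return any(_value_matches(pattern, v) for v in entry.get(attr, []))
    op, children = node
    if op == "&":
        return all(matches(c, entry, gc_attributes) for c in children)
    if op == "|":
        return any(matches(c, entry, gc_attributes) for c in children)
    return not matches(children[0], entry, gc_attributes)

def expand(base_dn, filter_text, can_read=lambda dn, entry: True):
    """Expand one query-based group; returns (status, sorted recipient DNs).

    status is "ok" or "5.2.4" (the NDR code the page cites for a bad filter or a deleted
    base container). can_read models the security context doing the expansion: the
    logged-on administrator for the Preview tab, the Exchange server account otherwise.
    """
    if base_dn not in DIRECTORY:
        return "5.2.4", []
    try:
        tree = parse_filter(filter_text)
    except FilterError:
        return "5.2.4", []
    hits = [dn for dn, entry in DIRECTORY.items()
            if (dn == base_dn or dn.endswith("," + base_dn))
            and can_read(dn, entry) and matches(tree, entry)]
    return "ok", sorted(hits)   # an empty list is not an error: no recipients, no NDR

def combine(*expansions):
    """A standard distribution group holding several query-based groups: the union is OR."""
    members = set()
    for status, dns in expansions:
        if status == "ok":
            members.update(dns)
    return sorted(members)

if __name__ == "__main__":
    print(expand(BASE_DN, "(&(objectClass=user)(homeMDB=Store1)(l=Seattle))"))   # AND: Ann only
    print(combine(expand(BASE_DN, "(homeMDB=Store1)"), expand(BASE_DN, "(l=Seattle)")))  # OR
    print(expand(BASE_DN, "(&(objectClass=user)(l=Seattle)"))   # bad syntax -> ('5.2.4', [])
```

The Preview tab discrepancy is the can_read parameter: calling expand() once with a reader that cannot see part of the tree and once unrestricted, and comparing the two lists, is the check the guidelines recommend before trusting a preview taken from an administrator account with fewer read permissions than the Exchange server.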

Deployment Recommendations for Query-Based Distribution Groups
The following factors influence the amount of time it takes to expand and execute a query-based
distribution group:
Hardware
The categorizer can require up to 2 KB of memory for each recipient. Use this conservative
metric as a baseline. Using this baseline, if you send an e-mail message to a query-based
distribution group of 6,000 users (meaning that the query returns 6,000 records), the
categorizer requires 12 MB of RAM just to expand the query-based distribution group.
Similarly, if you send an e-mail message to a larger query-based distribution group of
100,000 users, the categorizer requires approximately 200 MB of RAM. The processor speed
and the amount of available physical memory affect the time it takes to deliver the messages
after the expansion.
Global catalog availability
If you send a message to a query-based distribution group and all global catalog servers are
unavailable, the message is placed in retry mode in the categorizer. This means that the
complete expansion will restart after one hour.
The general recommendation is to separate large query-based distribution groups into
combinations of standard distribution groups, and then assign different expansion servers for
each large distribution group. When expanding distribution groups, consider one of the
following three options for designating and configuring expansion servers and global catalog
servers:
Option 1
Designate an Exchange 2003 server with no mailboxes, such as a public folder replica server
or a bridgehead server, as the expansion server for a large query-based distribution group.
Chapter 3: Administration Features 87
Because this server has more bandwidth and resources to expand the query-based
distribution group, expansion and delivery are more efficient.
Option 2
Create a query-based distribution group for every Exchange server and limit each query-
based distribution group to the mailboxes on that server. Assigning this same server as the
expansion server optimizes mail delivery. Then, use aggregate standard distribution groups
that contain these query-based distribution groups as members. For example, if you wanted
to create a query-based distribution group for all full-time employees, you could create a
query-based distribution group on each server for full-time employees, name them Server1
Full Time and Server2 Full Time, and then create a standard distribution group called
AllFullTime that is comprised of the two server-based groups.
Note
The distribution group you use to combine the query-based distribution groups
cannot itself be a query-based distribution group.

Option 3
Instead of using a single large query-based distribution group, create smaller query-based
distribution groups and combine them in a standard distribution group.
Suppose you want to create a query-based distribution group called All employees with one
hundred thousand users. Divide the group into the following smaller query-based
distribution groups, and then combine these groups into a single standard distribution group:
• All Temps, 10,000 users
• All Vendors, 5,000 users
• All Full-Time, 65,000 users
• All Interns, 2,000 users
• All Contractors, 18,000 users
In this scenario All Full-Time is a large distribution group, so you may want to assign a
specific expansion server to it. The other query-based distribution groups can be assigned an
expansion server, based on how the users are distributed across your Exchange servers. For
example, if all the interns reside on one Exchange server, you may want to have the same
server as expansion server for All Interns. Overall, this approach performs much better than
a single query-based distribution group with 100,000 recipients.
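Option 2 depends on each per-server group carrying a filter that is scoped to that server's mailboxes and is otherwise identical. The following Python example, added here and not part of the original document or of Exchange itself, builds those filters from a constructed server list and escapes every inserted value as RFC 4515 requires, so that a value taken from a form or a script argument (an employee type, a server name) cannot widen the query. The base filter, the server legacyExchangeDN values and the employeeType attribute are assumptions; msExchHomeServerName and msExchDynamicDLFilter are the Active Directory attributes that hold a mailbox's home server and a query-based group's filter.

```python
"""Per-server query-based distribution group filters (added example, not Exchange code).

Constructed/assumed: the base filter, the server legacyExchangeDN values and the
employeeType attribute. Nothing here talks to Active Directory; it only builds and
checks the filter strings that would be written to msExchDynamicDLFilter.
"""

# RFC 4515 escaping for any value placed inside a filter. An unescaped value such as
# "*)(mail=*" would turn a narrow equality match into a match on every object.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# Constructed base filter: mailbox-enabled users only (the "*" here is intentional).
MAILBOX_USERS = "(&(objectCategory=person)(objectClass=user)(mailNickname=*))"


def per_server_filter(server_legacy_dn: str, extra: dict[str, str]) -> str:
    """AND the base filter, the home-server term and any extra (attribute, value) terms.

    msExchHomeServerName holds the legacyExchangeDN of the user's Exchange server, so
    one equality term limits the group to mailboxes on that server.
    """
    terms = [MAILBOX_USERS, f"(msExchHomeServerName={ldap_escape(server_legacy_dn)})"]
    terms += [f"({attr}={ldap_escape(val)})" for attr, val in sorted(extra.items())]
    return "(&" + "".join(terms) + ")"


def per_server_groups(servers: dict[str, str], extra: dict[str, str], suffix: str) -> dict[str, str]:
    """Option 2 from the text: one query-based group per server, named '<Server> <suffix>'."""
    return {f"{name} {suffix}": per_server_filter(dn, extra) for name, dn in servers.items()}


def balanced(filter_text: str) -> bool:
    """Cheap sanity check on parenthesis nesting before a filter is stored."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Constructed sample servers; the legacyExchangeDN values are made up.
SERVERS = {
    "Server1": "/o=Contoso/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=SERVER1",
    "Server2": "/o=Contoso/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=SERVER2",
}

if __name__ == "__main__":
    for name, flt in per_server_groups(SERVERS, {"employeeType": "FullTime"}, "Full Time").items():
        print(name, "->", flt)
```

The aggregate AllFullTime group from the text is then a standard distribution group whose members are the "Server1 Full Time" and "Server2 Full Time" groups this produces; the escaping matters most when the extra terms come from anything other than a hard-coded constant.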
88 What's New in Exchange Server 2003

Improved Ability to Restrict Submissions to Users and Distribution Lists (Restricted Distribution Lists)
In Exchange 2003, you can restrict who can send e-mail messages to an individual user or a
distribution list. Submissions can be restricted to a limited set of security principals through
the standard Windows discretionary access control list (DACL). Restricting submissions on a
distribution list prevents non-trusted senders, such as unauthorized Internet users, from sending
mail to an internal-only distribution list. For example, an All Employees distribution list should
not be available to anyone outside the company (by spoofing or otherwise).
Note
Restricted distribution lists and submission restrictions for users are enforced only on
bridgehead servers or SMTP gateway servers running Exchange Server 2003. For the
restriction to stop outside senders, the server that first accepts mail from the Internet
must therefore be an Exchange Server 2003 server.

Use the following procedures to set submission restrictions on users and distribution lists
respectively.

To set restrictions on a user
1. Click Start, point to All Programs, point to Microsoft Exchange, and then click Active
Directory Users and Computers.
2. Expand your organizational unit container, and then click Users or the container in which the
user resides.
3. In the details pane, right-click the user for which you want to restrict submissions, and
then click Properties.
4. Click the Exchange General tab, and then click Delivery Restrictions.
5. Under Message Restrictions, under Accept messages, select one of the following options:
a. Select the From authenticated users only check box to allow only authenticated users
to send mail to this user. If you select this check box, the following options are
implemented as such:
- Click From everyone to allow any authenticated user to send mail to this user.
- Click Only from to specify a select set of authenticated users or groups that can send
mail to this user. Click Add to specify the users or groups you want.
- Click From everyone except to allow everyone but a select set of authenticated users
or groups to send mail to this user. Click Add to specify the list of users or groups
that you want. Any user or group you select must be authenticated to send to this
user.

b. Leave From authenticated users only cleared. If you leave this check box cleared, the
following options are implemented as such:
- Click From everyone to allow anyone to send to this user. This includes anonymous
users from the Internet.
- Click Only from to specify a select set of users or groups that can send to this user.
Click Add to specify the users or groups you want. Because the address of an anonymous
sender is not verified, an outside sender can spoof an address on this list; select From
authenticated users only if the restriction must hold against spoofing.
- Click From everyone except to allow everyone but a select set of users or groups to
send to this user. Click Add to specify the list of users or groups you want. These users
or groups can be authenticated users or anonymous users.

To set restrictions on a distribution list
1. Click Start, point to All Programs, point to Microsoft Exchange, and then click Active
Directory Users and Computers.
2. Expand your organizational unit container, and then click Users or the container in which the
distribution list resides.
3. In the details pane, right-click the distribution list for which you want to restrict submissions,
and then click Properties.
4. In <Distribution List> Properties, click the Exchange General tab.
5. Under Message Restrictions, under Accept messages, select one of the following options:
a. Select the From authenticated users only check box to allow only authenticated users
to send mail to this distribution list. If you select this check box, the following options
are implemented as such:
- Click From everyone to allow authenticated users to send mail to this distribution list.
- Click Only from to specify a select set of authenticated users or groups that can send
mail to this group. Click Add to specify the users or groups you want.
- Click From everyone except to allow everyone but a select set of authenticated users
or groups to send mail to this distribution group. Click Add to specify the list of users or
groups you want. Any user or group you select must be authenticated to send to this
distribution list.

b. Leave From authenticated users only cleared. If you leave this check box cleared, the
following options are implemented as such:
- Click From everyone to allow anyone to send to this distribution list. This includes
anonymous users from the Internet.
- Click Only from to specify a select set of users or groups that can send to this group.
Click Add to specify the users or groups you want. Because the address of an anonymous
sender is not verified, an outside sender can spoof an address on this list; select From
authenticated users only if the list must hold against spoofing.
- Click From everyone except to allow everyone but a select set of users or groups to
send to this distribution group. Click Add to specify the list of users or groups you
want. These users or groups can be authenticated users or anonymous users.
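The two procedures above describe the same decision matrix, once for a user and once for a distribution list. The following Python model, added here and not Exchange's own code, walks a sender through that matrix, including nested group membership on the Only from and From everyone except lists, and shows the case the overview warned about: with From authenticated users only cleared, an anonymous Internet sender who claims a listed address is accepted, because nothing has verified that address. The senders, groups and lists are constructed sample data; the mapping of the options to the authOrig, unauthOrig and msExchRequireAuthToSendTo attributes, and the evaluation order, are stated as assumptions in the code.

```python
"""Model of the Accept messages options (added example, not Exchange code).

Modelled: the decision made for one sender against one restricted user or
distribution list. Constructed: the senders, lists and group memberships below.
Assumed: that Only from maps to authOrig, From everyone except to unauthOrig and
the check box to msExchRequireAuthToSendTo, and that the check box is evaluated
before the list; this is a reading of the procedure text, not the categorizer's code.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Sender:
    address: str          # MAIL FROM address as presented; unverified when anonymous
    authenticated: bool   # True if the submitting session authenticated to Exchange


@dataclass(frozen=True)
class Restriction:
    require_auth: bool = False                 # "From authenticated users only" check box
    mode: str = "everyone"                     # "everyone" | "only_from" | "everyone_except"
    principals: frozenset[str] = frozenset()   # entries added with the Add button


def expand(principal: str, groups: dict[str, set[str]], seen: set[str] | None = None) -> set[str]:
    """All individual addresses reachable from a user or nested group; cycle-safe."""
    seen = set() if seen is None else seen
    if principal in seen:
        return set()
    seen.add(principal)
    members = groups.get(principal)
    if members is None:            # not a group, so an individual user
        return {principal}
    out: set[str] = set()
    for member in members:
        out |= expand(member, groups, seen)
    return out


def listed(address: str, principals: frozenset[str], groups: dict[str, set[str]]) -> bool:
    return any(address in expand(p, groups) for p in principals)


def accept(sender: Sender, rule: Restriction, groups: dict[str, set[str]]) -> tuple[bool, str]:
    """Return (accepted, reason) for one submission."""
    if rule.require_auth and not sender.authenticated:
        return False, "anonymous sender rejected: authenticated users only"
    on_list = listed(sender.address, rule.principals, groups)
    if rule.mode == "only_from":
        reason = "sender is on the Only from list" if on_list else "sender is not on the Only from list"
        return on_list, reason
    if rule.mode == "everyone_except":
        reason = "sender is on the From everyone except list" if on_list else "sender is not excepted"
        return (not on_list), reason
    return True, "everyone may send"


# Constructed directory: group address -> member addresses (nesting and a cycle included).
GROUPS = {
    "staff@contoso.com": {"alice@contoso.com", "managers@contoso.com"},
    "managers@contoso.com": {"ceo@contoso.com", "staff@contoso.com"},
}

ALL_EMPLOYEES_OPEN = Restriction(mode="only_from", principals=frozenset({"staff@contoso.com"}))
ALL_EMPLOYEES_AUTH = Restriction(require_auth=True, mode="only_from",
                                 principals=frozenset({"staff@contoso.com"}))
NO_BOB = Restriction(mode="everyone_except", principals=frozenset({"bob@contoso.com"}))


def scenarios() -> dict[str, bool]:
    """Outcomes for the cases discussed in the text, including the spoofing one."""
    alice = Sender("alice@contoso.com", authenticated=True)
    ceo = Sender("ceo@contoso.com", authenticated=True)
    spoofed_ceo = Sender("ceo@contoso.com", authenticated=False)   # outsider claiming the CEO's address
    bob = Sender("bob@contoso.com", authenticated=True)
    outsider = Sender("someone@example.net", authenticated=False)
    return {
        "member, Only from": accept(alice, ALL_EMPLOYEES_OPEN, GROUPS)[0],
        "nested member, Only from": accept(ceo, ALL_EMPLOYEES_OPEN, GROUPS)[0],
        "spoofed member, Only from, check box cleared": accept(spoofed_ceo, ALL_EMPLOYEES_OPEN, GROUPS)[0],
        "spoofed member, Only from, authenticated only": accept(spoofed_ceo, ALL_EMPLOYEES_AUTH, GROUPS)[0],
        "outsider, Only from": accept(outsider, ALL_EMPLOYEES_OPEN, GROUPS)[0],
        "excepted user, From everyone except": accept(bob, NO_BOB, GROUPS)[0],
        "anonymous outsider, From everyone except": accept(outsider, NO_BOB, GROUPS)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'accept' if ok else 'reject':6}  {name}")
```

The third and fourth scenarios are the point of the check box: the Only from list on its own only compares the presented address, so an internal-only list such as All Employees is protected against outside senders only when From authenticated users only is also selected.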

Enhanced Exchange Features on User Properties
The Exchange Features tab in the user Properties now includes the Mobile Services and
Protocols features. These Exchange features provide added functionality for your mailbox-
enabled users. You can enable or disable the user's Mobile Services options (such as Outlook
Mobile Access), or Protocols (such as Outlook Web Access). For more information about
Outlook Mobile Access and Outlook Web Access, see Chapter 2, "Client Features."

To enable or disable Exchange features for a single user
1. Click Start, point to All Programs, point to Microsoft Exchange, and then click Active
Directory Users and Computers.
2. In the console tree, expand the container where you want to enable or disable Exchange
features, and then click Users.
3. In the details pane, right-click the user you want to modify, and then click Properties.
4. In <User Name> Properties, click the Exchange Features tab (Figure 3.3).

Figure 3.3 The Exchange Features tab


5. Under Features, select a feature, and then click Enable or Disable.
Note
You can also use the Configure Exchange Features page in the Exchange
Task Wizard to enable or disable Exchange features for a user. See the
following procedure for information about how to do this.

To enable or disable Exchange Features for multiple users
1. Click Start, point to All Programs, point to Microsoft Exchange, and then click Active
Directory Users and Computers.
2. In the console tree, expand the container where you want to enable or disable Exchange
features, and then click Users.
3. In the details pane, right-click the users you want to modify, and then click Exchange Tasks.
4. In the Exchange Task Wizard, on the Available Tasks page, click Configure Exchange
Features, and then click Next.
5. On the Configure Exchange Features page, under Features, select a feature, click Enable
or Disable, and then click Next (Figure 3.4).

Figure 3.4 The Configure Exchange Features page


Note
The default setting for modifying multiple users is Do Not Modify. If you want to
enable or disable multiple users, click Enable or Disable for the individual
feature you are selecting.

6. On the Task Summary page, click Finish to complete the wizard.

Moving Mailboxes in Exchange System Manager
Exchange Task Wizard provides an improved method for moving mailboxes. You can now select
as many mailboxes as you want and then, using the task scheduler, schedule the move to occur at
some point in the future. You can also use the scheduler to cancel any unfinished moves at a
selected time. For example, you can schedule a large move to start at midnight on Friday and
automatically terminate at 6:00 A.M. on Monday, thereby ensuring that your server's resources
are not being tapped during regular business hours. Using the wizard's multithreaded capabilities,
you can move up to four mailboxes simultaneously.
Note
The following procedure describes how to move mailboxes from Exchange System
Manager. You can also move mailboxes from Active Directory Users and Computers.

To move mailboxes
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand the server from which you want to move
mailboxes, expand First Storage Group, expand Mailbox Store, and then click Mailboxes.
3. In the details pane, right-click the user or users you want, and then click Exchange Tasks.
4. On the Welcome to the Exchange Task Wizard page, click Next.
5. On the Available Tasks page, click Move Mailbox, and then click Next.
6. On the Move Mailbox page, to specify the new destination for the mailbox, in the Server
list, select a server, and then, in the Mailbox Store list, select a mailbox store. Then click
Next.
7. Under If corrupted messages are found, click the option you want, and then click Next.
Note
If you decide to skip corrupted items, these items are lost permanently when the
mailbox is moved. To avoid data loss, back up the source database before
moving mailboxes.

8. On the Task Schedule page, in the Begin processing tasks at list, select the date and time
for the move. If you want to cancel any unfinished moves at a certain time, in the Cancel
tasks that are still running after list, select the date and time. Click Next to start the
process.
9. On the Completing the Exchange Task Wizard page, verify that the information is correct,
and then click Finish.
Note
You can also run multiple instances of the Move Mailbox wizard.

Enhancements to Queue Viewer
In Exchange 2003, Queue Viewer is enhanced to improve the monitoring of message queues. For
example, you can now view X.400 and SMTP queues in Queue Viewer, rather than from their
respective protocol nodes. Other enhancements include:

• Disabling outbound mail Queue Viewer includes a new option called Disable Outbound
Mail, which allows you to disable outbound mail from all SMTP queues.
• Setting the refresh rate You can use the Settings option to set the refresh rate of the
queues.
• Finding messages You can search for messages based on the sender, recipient, and
message state using Find Messages.
• Viewing additional information You can click a specific queue to view additional
information about that queue.
• Viewing previously hidden queues Queue Viewer in Exchange 2003 exposes three queues
that were not visible in Exchange 2000: DSN messages pending submission, Failed
message retry queue, and Messages queued for deferred delivery.
Each of these enhancements is discussed later in this section.

Figure 3.5 illustrates the new and improved Queue Viewer.

Figure 3.5 Queue Viewer

Disabling Outbound Mail
The Disable Outbound Mail option allows you to disable outbound mail from all SMTP queues.
For example, this can be useful if a virus is active in your organization.
Note
The Disable Outbound Mail option does not disable the MTA or System queues.

To disable outbound mail for all SMTP queues
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. Navigate to Queue Viewer by performing one of the following steps:
• If you do not have routing or administrative groups defined: Expand Servers, expand
the server you want, and then click Queues.
• If you have administrative groups defined: Expand Administrative Groups, expand
<Administrative Group Name>, expand Servers, expand the server you want, and then
click Queues.
3. In the details pane, click Disable Outbound Mail to disable mail from all SMTP queues.
4. A warning message appears asking Are you sure you want to disable outbound mail?
Click Yes. Outbound mail is now disabled for all queues.
5. To re-enable SMTP queues that have been disabled, click Enable Outbound Mail, and then
click Yes.
Note
If you want to prevent outbound mail from being sent to a specific remote queue
instead of disabling all SMTP queues, you can freeze the messages in that queue.
To freeze all the messages in a particular queue, right-click the queue, and then
click Freeze. To unfreeze the queue, right-click the queue, and then click
Unfreeze.

Setting the Queue Viewer Refresh Rate
The Settings option allows you to determine the frequency at which all of the queues are
refreshed. By default, the queues are refreshed every 2 minutes. You can set the
refresh rate to 1 minute, 5 minutes, 10 minutes, or Never refresh.

To modify Queue Viewer refresh rate settings
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. Navigate to Queue Viewer by performing one of the following steps:
• If you do not have routing or administrative groups defined: Expand Servers, expand
the server you want, and then click Queues.
• If you have administrative groups defined: Expand Administrative Groups, expand
<Administrative Group Name>, expand Servers, expand the server you want, and then
click Queues.
3. In the details pane, click Settings.
4. In Settings, in the Refresh queue rate list, select the refresh rate you want.
5. Click OK.

Finding Messages
You can use the Find Messages option to search for messages by specifying search criteria such
as the sender or recipient, and the message state (such as frozen). You can also specify the
number of messages you want your search to return.
To find messages
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. Navigate to Queue Viewer by performing one of the following steps:
• If you do not have routing or administrative groups defined: Expand Servers, expand
the server you want, and then click Queues.
• If you have administrative groups defined: Expand Administrative Groups, expand
<Administrative Group Name>, expand Servers, expand the server you want, and then
click Queues.
3. In the details pane, click the queue in which you want to search for messages, and then click
Find Messages (Figure 3.6).

Figure 3.6 The Find Messages dialog box


4. In Find Messages - <Queue Name>, select from the following search criteria:
• To search for a particular sender, click Sender, and then, in Select Sender, specify your
search criteria.
• To search for a particular recipient, click Recipient, and then, in Select Recipient,
specify your search criteria.
• To specify the number of messages returned by the search, in the Number of messages
to be listed in the search list, select the number of messages (for example, 500) you
want listed in the search.
• To search for messages in a particular state, in the Show messages whose state is list,
select from the following states.
- All Messages This option shows all the messages, regardless of their state.
- Frozen This option shows messages that are in frozen state. This does not mean that
the entire queue is frozen—a single message can also be frozen.
- Retry This option shows the messages that are awaiting another delivery attempt.
Messages in the retry state have failed one or more delivery attempts.

5. Click Find Now to begin the search. The results of the search are displayed under Search
Results.
6. To stop a search, click Stop. To begin a new search, click New Search (this resets the Find
Messages dialog box to its default settings).

Viewing Additional Information About a Queue
The Additional queue information pane (located at the bottom of the Queue Viewer pane)
contains information about a particular queue, including:

• Troubleshooting information
• Information about errors returned from Exchange-specific extensions to the SMTP
service (for example, errors due to remote server connection problems)
• Information about queue availability (for example, if the SMTP service has not started)
To view additional information about a queue
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. Navigate to Queue Viewer by performing one of the following steps:
• If you do not have routing or administrative groups defined: Expand Servers, expand
the server you want, and then click Queues.
• If you have administrative groups defined: Expand Administrative Groups, expand
<Administrative Group Name>, expand Servers, expand the server you want, and then
click Queues.
3. In the details pane, click the queue you want. Any additional information for that queue
appears under Additional queue information at the bottom of the details pane.

Viewing Previously Hidden Queues
Several queues that were hidden in Exchange 2000 are now visible in Exchange System
Manager.
Note
The X.400 queues and the SMTP queues now appear in Queue Viewer rather than
under their respective protocol nodes.

Table 3.2 lists the new queues, their descriptions, and possible reasons for message accumulation
in each queue.

Table 3.2 New queues in Exchange 2003

Queue name: DSN messages pending submission
Description: Contains delivery status notifications (DSNs), also known as non-delivery
reports, that are ready to be delivered by Exchange.
Note: The following operations are unavailable for this queue: Delete All Messages (no NDR)
and Delete All Messages (NDR).
Causes for message accumulation: Messages can accumulate in this queue if the Microsoft
Exchange Information Store service is unavailable or not running, or if problems exist with
the IMAIL Exchange store component, which is the component that performs message conversion.
Check the event log for possible errors with the Microsoft Exchange Information Store service.

Queue name: Failed message retry queue
Description: Contains messages that failed some sort of queue submission, often before any
other processing has taken place. By default, messages in this queue are reprocessed in
60 minutes.
Causes for message accumulation:
• Corrupted messages.
• Third-party programs or event sinks that interfere with message queuing or fidelity.
• Low system resources, causing the system to respond slowly or indicating performance
issues. Restarting IIS may temporarily relieve resource issues, but the root cause should
be determined.

Queue name: Messages queued for deferred delivery
Description: Contains messages that are queued for delivery at a later time, including
messages that were sent by older versions of Microsoft Office Outlook® (you can set this
option on Outlook client computers). Previous versions of Outlook depend on the message
transfer agent (MTA) for message delivery. Now SMTP, not the MTA, handles message delivery,
so messages sent by older versions of Outlook treat deferred delivery differently. These
messages remain in this queue until their scheduled delivery time.
Causes for message accumulation:
• A message was sent to a user's mailbox while the mailbox was being moved.
• The user does not yet have a mailbox and no master account security ID (SID) exists for
the user. For more information, see Microsoft Knowledge Base article 316047, "XADM:
Addressing Problems That Are Created When You Enable ADC-Generated Accounts"
(http://support.microsoft.com/?kbid=316047).
• The message may be corrupted or the recipient may not be valid. To determine whether a
message is corrupted, check its properties; if some messages are not accessible, this can
indicate a corrupted message. You can also check that the recipient is valid.

Improved Public Folder Referral
In Exchange 2000 Server, you could specify whether or not to allow public folder referrals
among routing groups. Exchange 2003 provides a richer interface, which you can use to create a
list of specific servers among which referrals are allowed.
When a user connects to a public folder store that does not contain a copy of the content the user
is looking for, the user is redirected to another store that has a copy of the content. You can use
public folder referrals to control this redirect traffic (this is similar to public folder affinity in
Exchange 5.5).
Using the default configuration, Exchange attempts to redirect the user to a server within the
local routing group. If none of those servers has the required content, Exchange follows the
organization's routing group structure to search for an appropriate server.
In Exchange Server 2003, you can create a list of specific servers among which referrals are
allowed. For example, you can limit referrals to a single routing group, or only allow referrals
between certain servers in each routing group. You can also assign "costs" to prioritize the
servers in your referral list.

To specify a list of referral servers
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. If administrative groups are displayed, expand Administrative Groups, and then expand the
group you want to work with.
3. Expand Servers, right-click the server for which you want to customize referral information,
and then click Properties.
4. In <Server Name> Properties, click the Public Folder Referrals tab.
5. In the Public folder referral options list, click Use custom list.
6. To specify a server for the referral list, click Add, and then select a server from the list of
available servers. Click OK to return to the Public Folder Referrals tab.
Note
To remove a server from the referral list, click the server, and then click
Remove.

Use costs to prioritize servers in the referral list. Higher-cost servers are used only if lower-cost
servers are not available.

To specify relative costs for servers in the referral list
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. If administrative groups are displayed, expand Administrative Groups, and then expand the
group you want to work with.
3. Expand Servers, right-click the server for which you want to customize referral information,
and then click Properties.
4. In <Server Name> Properties, click the Public Folder Referrals tab.
5. Click a server in the list, and then click Modify.
6. Specify a cost for the server, and then click OK to return to the Public Folder Referrals tab.

Improved Public Folder Interfaces
To make public folders easier to manage, Exchange 2003 includes several new public folder
interfaces. To view these new interfaces, in Exchange System Manager, expand Folders and then
select a public folder (or in some cases, a public folder hierarchy). The following new tabs are
displayed in the details pane (Figure 3.7).

Figure 3.7 New tabs available for viewing public folder information
Content tab
Use this tab to view the contents of a public folder in Exchange System Manager. You no
longer have to open a separate client application to view public folder content.
Find tab
Use this tab to search for public folders within the selected public folder or public folder
hierarchy. You can specify a variety of search criteria, such as the folder name or age.
Note
The Find tab is available at the top-level hierarchy level as well as the folder
level.
Status tab
Use this tab to view the status of a public folder, including information about servers that
have a replica of the folder and the number of items in the folder.
Replication tab
Use this tab to view replication information about the folder.
To view the content of a public folder using Exchange System Manager
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. If administrative groups are displayed, expand Administrative Groups, and then expand the
group you want to work with.
3. Expand Folders, expand the appropriate top-level hierarchy, and then click the public folder
whose content you want to view.
4. In the details pane, click the Content tab.
5. If prompted for a user name and password, type the user name and password of an account
that has permission to view the folder contents. The folder contents, displayed in a manner
similar to Outlook Web Access, will be listed in the details pane.
To search for a public folder
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. If administrative groups are displayed, expand Administrative Groups, and then expand the
group you want to work with.
3. Expand Folders, expand the appropriate top-level hierarchy, and then click the public folder
that may contain the folder that you want.
4. In the details pane, click the Find tab.
5. To identify the folder you want, fill in the appropriate criteria:
• If you know part of the folder name, you can type that information in the Name
contains box.
• If you know that a particular user or group has certain permissions on the folder, click
Permissions, and then fill in the user or group name and specify the permissions. Then
click OK to return to the Find tab.
• If you know that the folder is replicated to certain servers, click Replicated to, and then
select the appropriate server. Then click OK to return to the Find tab.

• If you know that the folder was created or modified within a certain date range, in the
Specify folder list, click Modified or Created, and then use the Begin date and End
date lists to specify the date range.
• If you know when the folder was created, in the Folder Age list, click days or older,
days or newer, or days, and then, in the Folder age box, type the appropriate number
of days.
6. Click Find Now.
To view the server and public folder store information for a public folder, or
the size and number of items the folder contains
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. If administrative groups are displayed, expand Administrative Groups, and then expand the
group you want to work with.
3. Expand Folders, expand Public Folders (or the hierarchy you want to work with), and then
click the public folder whose status you want to view.
4. In the details pane, click the Status tab to view the information.
To view the replication information for a public folder
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. If administrative groups are displayed, expand Administrative Groups, and then expand the
group you want to work with.
3. Expand Folders, expand Public Folders (or the hierarchy you want to work with), and then
click the public folder whose status you want to view.
4. In the details pane, click the Replication tab to view the information.

Manually Starting Replication
If you want to ensure that public folders replicate without waiting for the normal replication
interval, you can start replication manually. Using the Send Contents or Send Hierarchy
commands on a public folder, you can replicate changes from one specified server to another.
The range of changes to replicate starts the specified number of days in the past and ends at the
last replication cycle. For example, you can replicate all changes made over the past two days
except for any changes made since the last replication cycle.

To manually replicate a public folder hierarchy
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. If administrative groups are displayed, expand Administrative Groups, and then expand the
group you want to work with.
3. Expand Folders, and then expand the appropriate top-level hierarchy.
4. Right-click the public folder whose hierarchy you want to replicate (you can select the top-
level hierarchy for this purpose), and then click Send Hierarchy.
5. In Send Hierarchy, under Source Servers, select the check box next to the server or servers
that have the appropriate version of the hierarchy. Then, under Destination Servers, select
the check box next to the server or servers to which you want to replicate.
6. In the Resend changes made in the last (days) box, type an appropriate number of days.
7. Click OK. When asked to confirm that you want to start replication, click Yes. Replication
starts at this time.
To manually replicate public folder content
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. If administrative groups are displayed, expand Administrative Groups, and then expand the
group you want to work with.
3. Expand Folders, and then expand the appropriate top-level hierarchy.
4. Right-click the public folder whose content you want to replicate, and then click Send
Contents.
5. In Send Contents, under Source Servers, select the check box next to the server or servers
that have the appropriate version of the content. Then, under Destination Servers, select the
check box next to the server or servers to which you want to replicate.
6. In the Resend changes made in the last (days) box, type an appropriate number of days.
7. Click OK. When asked to confirm that you want to start replication, click Yes. Replication
starts at this time.

Microsoft Exchange Public Folder Migration Tool
Microsoft Exchange Public Folder Migration Tool (pfMigrate) is a new Windows Installation
script (.wsf) that allows you to create replicas of your system folders and public folders on new
Exchange 2003 servers. After the system folders and public folders have replicated, you can use
the pfMigrate tool to remove replicas from the source server. Unlike Microsoft Exchange Server
version 5.5, you do not need to set a home server for a public folder in Exchange 2003. Any
replica acts as the primary replica of the data it holds, and any public folder server can be
removed from the replica list. To determine how many folders must be replicated, you can use
the pfMigrate tool to generate a report before you replicate folders. To determine whether the
folders replicated successfully, you can generate the same report after you replicate folders.
To use the pfMigrate tool, the source server and the target server you specify must be in the same
routing group. The pfMigrate tool does not allow you to create replicas of your system folders
and public folders across routing groups. This is because, in mixed mode, moving folders across
routing groups could prevent e-mail delivery to public folders.
The pfMigrate tool is located in the ExDeploy folder on the Exchange 2003 compact disc (under
Support Tools). You can run the tool at the command prompt, either on a server or from the
administrative console.

Mailbox Recovery Center


Using the new Mailbox Recovery Center, you can simultaneously perform recovery or export
operations on multiple disconnected mailboxes. This is a significant improvement over
Exchange 2000 Server, where such operations had to be performed individually on each
disconnected mailbox (a disconnected mailbox is a mailbox that is not associated with a user in
Active Directory, usually because the user has been deleted).
Use Mailbox Recovery Center to recover one or more mailboxes on one or more mailbox stores.
You can export the mailbox properties, and you can associate the mailboxes with users in Active
Directory and reconnect the mailboxes. To do this, perform the following steps:

1. Start Exchange System Manager.
2. Specify a mailbox store to work with.
3. If appropriate, export the mailbox properties.
4. If appropriate, do the following to reconnect the mailboxes:
a. Associate users with the mailboxes.
b. Reconnect the mailboxes.
5. When finished, remove the mailbox stores from the Mailbox Recovery Center.
Each of these steps is detailed in the following procedures.
Note
Some procedures are different for Windows 2000 Server and Windows Server 2003.

To specify a mailbox store to work with if you are running Exchange System
Manager on Windows 2000 Server
1. Start Exchange System Manager: Click Start, point to Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Tools, right-click Mailbox Recovery Center (Figure 3.8), and
then click Add Mailbox Store.
3. In Add mailbox store(s), click the mailbox store you want, and then click Add. You can add
multiple mailbox stores in this manner.
4. Click OK to add the store. After the store has been added, the details pane will list any
disconnected mailboxes in that store.

Figure 3.8 The Mailbox Recovery Center in Exchange System Manager


To specify a mailbox store to work with if you are running Exchange System
Manager on Windows Server 2003
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Tools, right-click Mailbox Recovery Center, and then click
Add Mailbox Store.

3. In Add mailbox store(s), specify the following criteria for identifying the mailbox store and
the mailboxes you want to work with:
• In the Enter the object names to select box, type the name of the mailbox store you
want to work with.
• To limit the search to a certain part of Active Directory, click Locations, select a
directory container, and then click OK to return to the Add mailbox store(s) dialog
box.
Note
If you are unsure about which mailbox store you need, click Advanced, specify
the criteria, and then click Find now to locate the mailbox store. Select the
appropriate mailbox store, and then click OK to return to the Add mailbox
store(s) dialog box.

4. Click OK to add the store. After the store has been added, the details pane lists any
disconnected mailboxes in that store.
To export mailbox properties
1. After adding the appropriate mailbox store to the Mailbox Recovery Center, in the details
pane, right-click the mailbox you want to export, and then click Export. You can select
multiple mailboxes simultaneously.
2. To identify the information you want to export, as well as the destinations to which you want
to export it, follow the instructions in the Mailbox Export wizard.
To associate users with the mailboxes
1. After adding the appropriate mailbox store to the Mailbox Recovery Center, in the details
pane, right-click the mailbox you want to match to a user (or group), and then click Find
Match. You can select multiple mailboxes simultaneously.
2. In the Mailbox Matching wizard, click Next, and then click Finish to identify and accept
matches.
3. If a mailbox matches more than one user (or if no match exists), right-click that mailbox, and
then click Resolve Conflicts. Follow the instructions in the Mailbox Conflict Resolution
wizard to identify a single matching user.
Note
When resolving conflicts, you can only select one mailbox at a time.

To reconnect the mailboxes


1. After the mailboxes to be reconnected have been matched to users, select the mailboxes.
2. Right-click the selected mailboxes, and then click Reconnect.
3. Follow the instructions in the Mailbox Reconnect wizard to reconnect the mailboxes.
To specify a mailbox store to remove if you are running Exchange System
Manager on Windows 2000 Server
1. Start Exchange System Manager: Click Start, point to Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Tools, right-click Mailbox Recovery Center, and then click
Remove Mailbox Store.
3. In Remove mailbox store(s), click the mailbox store you want, and then click Remove. You
can remove multiple mailbox stores in this manner.
4. Click OK to remove the mailbox store.
To specify a mailbox store to remove if you are running Exchange System
Manager on Windows Server 2003
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. Expand Tools, right-click Mailbox Recovery Center, and then click Remove Mailbox
Store.
3. In Remove mailbox store(s), specify the following criteria for identifying the appropriate
mailbox store:
• In the Enter the object names to select box, type the name of the mailbox store you
want to remove.
• To limit the search to a certain part of Active Directory, click Locations, select a
directory container, and then click OK to return to the Remove mailbox store(s) dialog
box.
Note
If you are unsure about which mailbox store you need, click Advanced,
specify criteria, and then click Find now to locate the mailbox store. Select
the appropriate mailbox store, and then click OK to return to the Remove
mailbox store(s) dialog box.

4. Click OK to remove the mailbox store.



Improved Message Tracking


Exchange 2003 enhances message-tracking capabilities in two ways:

• When using Exchange System Manager, you have greater control over your message
tracking log files. Exchange 2003 automatically creates a shared directory to the
message tracking logs and allows you to change the location of the message tracking
logs.
• You can now track messages after categorization (which is the phase where users are
located and distribution groups are expanded into individual recipients) and during the
routing process.

Enhanced Control of Message Tracking Logs in Exchange System Manager
To provide flexibility when viewing and managing message tracking logs, Exchange 2003 allows
you to use Exchange System Manager to change the location of your message tracking logs.
Exchange 2003, like Exchange 2000, uses the format \\<server name>\<server name>.log to
automatically create a path to a shared folder for message tracking. The individual message log
file names are date specific, using the format YYYYMMDD. For example, 20021022.log is the
log file for October 22, 2002. Ensure that any users who you want to monitor the log files have
remote access to this share.
In Exchange 2003, you can use Exchange System Manager to move your message tracking logs.
You no longer need to use directory modification tools to change the location of your message
tracking logs on a server.
Use the following procedure to change the file location of the message tracking logs on an
Exchange server.

To move message tracking logs


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Servers, right-click the server from which you want to move
message tracking logs, and then click Properties.

3. In <Server Name> Properties, on the General tab, select the Enable Message Tracking
check box (Figure 3.9).

Figure 3.9 The General tab in the <Server Name> Properties dialog
box
4. In the Log file directory box, click Change to change the log file directory.
5. In Message Tracking Log File Directory, select the directory where you want to store
message tracking logs, and then click OK (Figure 3.10).

Figure 3.10 The Message Tracking Log File Directory dialog box

Enhanced Message Tracking Capabilities
In Exchange 2003, you can now track a message beyond the categorization phase. Categorization
is the phase during which the recipient address is verified in Active Directory and its route is
determined. You can now track the message through post-categorization and during the routing
process.
To track a message
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Tools, and then click Message Tracking Center.
3. In the details pane, specify your search criteria, and then click Find Now.
The following new categories are available:

• Messages categorized and queued for routing (enqueue for routing)
• Messages routed and queued for local delivery (enqueue for local delivery)
• Messages routed and queued for remote delivery (enqueue for remote delivery)
• Messages queued for categorization retry
• Messages queued for local delivery retry
• Messages queued for routing retry

Including Bcc Recipients in Archived Messages
When you enable archiving on a mailbox store, a copy of all messages sent or received by
mailboxes on this store is sent to the mailbox you specify for archiving. In previous versions of
Exchange, any recipients on the Bcc line were not archived. In Exchange Server 2003, you can
enable a registry key to configure mailbox store archiving to include Bcc recipients. When you
enable archiving to include the Bcc recipients, all message recipients are listed on the Bcc list
(not just those on the Bcc line).
Note
To view the recipients on the Bcc list, you must use the Outlook client to access the
archive mailbox. You cannot use Outlook Web Access to view the Bcc recipients.

To include Bcc recipients in archived messages, perform the following steps.

1. Enable archiving on the mailbox store.
2. Set the registry key on each server for which you want archiving to include Bcc recipients.

3. On each server that you set the registry key, restart the following services:
• IIS Admin Service (IISADMIN)
• Microsoft Exchange MTA Stacks service (MSExchangeMTA)
• Microsoft Exchange Information Store service (MSExchangeIS)
Each of these steps is detailed in the following sections.

Step 1: Enabling Archiving on a Mailbox Store
To enable archiving on a mailbox store
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand the server you want, expand <Storage Group
Name>, right-click the mailbox store for which you want to enable archiving, and then click
Properties.
3. In <Mailbox Store Name> Properties, on the General tab, select the Archive all messages
sent or received by mailboxes on this store check box, and then click Browse to specify
the mailbox store you want.

Step 2: Setting the Registry Key


To configure mailbox archiving to include Bcc recipients, you must change the value of the
following registry key to 1:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\Parameters\JournalBCC
Warning
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

To enable Bcc recipient archiving on a mailbox store


1. Start Registry Editor (regedit).
2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\
3. If necessary, create a registry key named Parameters: In the console tree, right-click
MSExchangeTransport, point to New, and then click Key.
4. Type Parameters for the key name.
5. Right-click Parameters, point to New, then click DWORD Value.
6. In the details pane, type JournalBCC.
7. Right-click JournalBCC, and then click Modify.
8. In Edit DWORD Value, under Value Data, type 1, and then click OK.

Step 3: Restarting Services


For the registry key settings to take effect, you must restart the following services: IIS Admin
Service (IISADMIN), Microsoft Exchange MTA Stacks service (MSExchangeMTA), and
Microsoft Exchange Information Store service (MSExchangeIS).

To restart the necessary services


1. Click Start, point to All Programs, point to Administrative Tools, and then click Services.
2. In Services, in the details pane, right-click each of the following services, and then click
Restart:
• IIS Admin Service
• Microsoft Exchange Information Store
• Microsoft Exchange MTA Stacks
The archive mailbox now displays the Bcc recipients of any messages sent to or received from
this mailbox store. All recipients, including recipients on the To and Cc lines, are displayed in the
Bcc line of messages in the archive mailbox.
Note
Remember to use an Outlook client to access this mailbox and view the Bcc
recipients. You cannot use Outlook Web Access to view the Bcc recipients.
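Steps 2 and 3 of the procedure above, scripted as an added example (this is not code from the original document or from Exchange itself). Step 1, enabling archiving on the mailbox store, is still done in Exchange System Manager. It assumes Windows PowerShell 2.0 or later and local administrator rights; the function and parameter names are the example's own.

```powershell
# Added example: set JournalBCC = 1 (Step 2) and restart the listed services (Step 3).
# Step 1, enabling archiving on the mailbox store, is done in Exchange System Manager.
# Function and parameter names are this example's own, not Exchange tooling.

$JournalBccKeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\Parameters'
$JournalBccValueName = 'JournalBCC'

# The services the document says must be restarted for the setting to take effect.
$ServicesToRestart = @('IISADMIN', 'MSExchangeMTA', 'MSExchangeIS')

function Get-JournalBccSetting {
    # Returns the current JournalBCC data, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $JournalBccKeyPath -Name $JournalBccValueName `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$JournalBccValueName
}

function Enable-JournalBcc {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Pass -RestartServices to perform Step 3 in the same run; without it the value
        # is written only and takes effect the next time the listed services restart.
        [switch]$RestartServices
    )

    $current = Get-JournalBccSetting
    if ($current -eq 1) {
        Write-Verbose 'JournalBCC is already 1; registry left unchanged.'
    }
    elseif ($PSCmdlet.ShouldProcess("$JournalBccKeyPath\$JournalBccValueName", 'Set REG_DWORD to 1')) {
        # Create the Parameters key if it does not exist (document steps 3 and 4).
        if (-not (Test-Path -Path $JournalBccKeyPath)) {
            New-Item -Path $JournalBccKeyPath -Force | Out-Null
        }
        # DWord is REG_DWORD; -Force overwrites any existing value (document steps 5 to 8).
        New-ItemProperty -Path $JournalBccKeyPath -Name $JournalBccValueName `
                         -PropertyType DWord -Value 1 -Force | Out-Null
    }

    if ($RestartServices) {
        foreach ($svc in $ServicesToRestart) {
            if ($PSCmdlet.ShouldProcess($svc, 'Restart service')) {
                # -Force stops dependent services (IIS Admin has several, SMTP among them)
                # so the restart can proceed; confirm they are running again afterwards.
                Restart-Service -Name $svc -Force -ErrorAction Stop
            }
        }
    }

    return Get-JournalBccSetting
}

# Preview the changes first, then apply them:
# Enable-JournalBcc -RestartServices -WhatIf
# Enable-JournalBcc -RestartServices -Verbose
```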
Chapter 4
Performance and Scalability Features

To enhance the performance and scalability of your Exchange organization, Microsoft® Exchange
Server 2003 provides the following new or improved features:

• Improved distribution list caching
• Suppression of Out of Office messages to distribution list members
• Enhanced DNS-based Internet mail delivery
• Improved Microsoft Office Outlook® synchronization performance
• Improved Outlook Web Access performance
• Monitoring Outlook client performance
• Link state improvements
• Virtual Address Space improvements
• Changing the MTA file directory location using Exchange System Manager
• Changing the SMTP mailroot directory location using Exchange System Manager
• Tuning Exchange Server 2003
This chapter discusses each of these topics in detail.
For information about improvements to reliability, a closely related topic, see Chapter 5,
"Reliability and Clustering Features."

Improved Distribution List Membership Caching
Exchange 2000 Server and Exchange Server 2003 use a rules cache to look up distribution list
memberships prior to sending messages. In Exchange 2003, the rules cache has been optimized.
As a result, the processing time that is required to look up the membership of a distribution list
has been reduced. This new functionality improves performance by redesigning the cache so that
lookups, insertions, and expirations can be completed more efficiently, thereby resulting in a
sixty percent reduction of distribution list-related Microsoft Active Directory® directory service
queries.
The net benefit of the redesigned cache is a small reduction in Active Directory usage
(distribution list lookups are only a small percentage of overall Active Directory lookups).

Suppressing Out of Office Messages to Distribution List Members
In previous versions of Exchange, if you create an Out of Office message, that message is sent to
all members of any distribution lists that appear on the To or Cc lines. In Exchange 2003, the Out
of Office message is not sent to the entire membership of a distribution list appearing on the To
or Cc lines. Instead, Out of Office messages are sent only to individual user names that have
been specified on the To or Cc lines of incoming messages.
This change was implemented after determining that users who send e-mail messages to
distribution lists frequently do not want to receive Out of Office messages from distribution list
members. This change provides a minor performance benefit to Exchange servers; specifically,
CPU usage is minimally reduced.

Enhanced DNS-Based Internet Mail Delivery
Domain Name System (DNS)-based Internet mail delivery has been enhanced for
Exchange 2003. Specifically, load balancing of DNS-based Internet mail is now more efficient.
In addition, Exchange 2003 provides improved tolerance to network and host unavailability, as
well as to unresponsive external DNS servers.
This change provides a performance benefit to Exchange servers; specifically, DNS-based
Internet mail is delivered more reliably.

Improved Outlook Synchronization Performance
Exchange 2003 improves the end-user experience for Outlook 2003 users. For detailed
information about how Exchange 2003 improves performance for Outlook 2003, see "Outlook
Improvements" in Chapter 2.
The following are improvements to Exchange Server 2003 and Outlook 2003 communication:

• The number of change notifications is reduced.
• Exchange 2003 detects the native format of messages (for example, HTTP) to be
synchronized and only sends messages in that format to the client.
• Improvements to the conditions in which Outlook clients request synchronizations that
include nested folder hierarchies.
• Users now receive a message indicating the number and size of messages to be downloaded.
• Exchange 2003 performs data compression to reduce the amount of information sent
between the Outlook 2003 client and the Exchange 2003 servers.
• Exchange 2003 reduces the total number of requests for information sent between the user
with Outlook 2003 and the Exchange server.
Exchange 2003 improves the Outlook synchronization performance for users working in Cached
Exchange Mode. For more information about using Outlook in Cached Exchange Mode and
other Outlook improvements, see "Outlook Improvements" in Chapter 2.
The following is a list of enhancements that relate to Outlook clients running in Cached
Exchange Mode:

• The number of change notifications is reduced.
• Exchange 2003 detects the native format of messages (for example, HTTP) to be
synchronized and only sends messages in that format to the client.
• Improvements to the conditions in which Outlook clients request synchronizations that
include nested folder hierarchies.
• Users now receive a message indicating the number and size of messages to be downloaded.
Users can select which messages they want to download.
• Exchange 2003 performs data compression to reduce the amount of information sent
between the Outlook 2003 client and the Exchange 2003 servers.
• Exchange 2003 reduces the total requests for information between the client and server,
whether or not an Outlook 2003 client is working in cached mode, thereby optimizing client
and server communication.
These changes provide a reduction in CPU usage on the Exchange server. Specifically, the server
uses less processing power as a result of fewer and less intensive client requests from Outlook
clients.

Improved Outlook Web Access Performance
Exchange Server 2003 improves the end user experience for Outlook Web Access users by
reducing the total amount of information sent between the computer running Outlook Web
Access and the Exchange server. For more information about Outlook Web Access performance
improvements, see "Outlook Web Access Compression" in Chapter 2.
Outlook Web Access client performance is improved in Exchange 2003. For example, Outlook
Web Access users will notice that their Inboxes load more quickly. They will also notice that
tasks are more responsive, especially over slow connections. A primary reason is that
Exchange 2003 reduces the number of bytes that must travel from the server to the browser.
For more information about new Outlook Web Access performance and functionality, see
"Outlook Web Access Improvements" in Chapter 2.

Monitoring Outlook Client Performance
Previous versions of Exchange could not monitor the end-user performance experience for
Outlook users. However, with Exchange 2003 and Outlook 2003, administrators can analyze
performance for their users.
Exchange 2003 servers record both RPC latency and errors on client computers running
Outlook 2003. An administrator can use this information to determine the overall experience
quality for their users, as well as to monitor the Exchange server for errors.
Outlook clients send RPC data (for example, latency data or an error code) to the Exchange 2003
server on subsequent successful RPC calls.
Note
RPC data sent from the client computers to the Exchange server is not the primary
method for detecting individual real-time errors.

Table 4.1 lists the RPC-related operations that you can monitor using Microsoft Operations
Manager. For information about using Microsoft Operations Manager, see
http://www.microsoft.com/mom and http://www.microsoft.com/exchange/mom.

Table 4.1 Client-side performance monitors using Microsoft Operations Manager

Counter
    Description

Client: RPCs attempted
    The total number of RPC requests attempted by the users (since the Exchange store was started).
Client: RPCs succeeded
    The total number of successful RPC requests sent by the Outlook client (since the Exchange store was started).
Client: RPCs failed
    The total number of failed RPC requests (since the Exchange store was started).
Client: RPCs failed: Server unavailable
    The number of failed RPC requests (since the Exchange store was started) due to the "Server Unavailable" RPC error.
Client: RPCs failed: Server too busy
    The number of failed RPC requests (since the Exchange store was started) due to the "Server Too Busy" RPC error.
Client: RPCs failed: all other errors
    The number of failed RPC requests (since the Exchange store was started) due to all other RPC errors.
Client: RPCs attempted / sec
    The rate of RPC requests attempted by the user.
Client: RPCs succeeded / sec
    The rate of successful RPC requests.
Client: RPCs failed / sec
    The rate of failed RPC requests.
Client: RPCs failed / sec: Server unavailable
    The rate of failed RPC requests (since the Exchange store was started) due to the "Server Unavailable" RPC error.
Client: RPCs failed / sec: Server too busy
    The rate of failed RPC requests (since the Exchange store was started) due to the "Server Too Busy" RPC error.
Client: RPCs failed / sec: all other errors
    The rate of failed RPC requests (since the Exchange store was started) due to all other RPC errors.
Client: Total reported latency
    The total latency (in seconds) for all RPC requests (since the Exchange store was started).
Client: Latency > 2 sec RPCs / sec
    The rate of successful RPC requests with latencies > 2 seconds.
Client: Latency > 5 sec RPCs / sec
    The rate of successful RPC requests with latencies > 5 seconds.
Client: Latency > 10 sec RPCs / sec
    The rate of successful RPC requests with latencies > 10 seconds.

Link State Improvements


Exchange 2003 reduces the amount of link state traffic by suppressing link state information
when no alternate path exists or a connection is oscillating (an oscillating connection is a
connection that fluctuates between available and unavailable). In both cases, the link state
remains marked available, which reduces the amount of link state traffic that is propagated.
For more information about link state improvements, see "Link State Improvements" in
Chapter 6.

Virtual Address Space Improvements
With Exchange 2000, administrators may have experienced issues regarding virtual address
space management. To address these issues, Exchange 2003 presents the following
improvements:

• Multiple improvements to remove many small memory allocations made by Exchange
components.
• Multiple improvements to ensure that memory allocations are efficient. For example,
requesting a 32 KB buffer instead of a 17 KB buffer and not wasting the remaining memory.
• At start-up, Epoxy now allocates a large 190 MB contiguous portion of memory, instead of
allocating a smaller portion and then gradually requesting more memory. You can use
DSAccess settings to change this Epoxy memory allocation.
• The Store.exe process thread stack size is reduced from 512 KB to 256 KB.
• Depending on a server's configuration, the Store.exe process now allocates a suitable
Extensible Storage Engine (ESE) cache buffer size, instead of using a hard-coded value. For
a server that has the /3GB option set, a cache size of 896 MB is set (for example, 28 pieces
of 32 MB). If the /3GB option is not set, the cache size is set to 576 MB (for example, 18
pieces of 32 MB). For information about setting the /3GB option, see Microsoft Knowledge
Base article 266096, "XGEN: Exchange 2000 Requires /3GB Switch With More Than 1
Gigabyte of Physical RAM" (http://support.microsoft.com/?kbid=266096).
• If available virtual memory reaches 32 MB, Exchange 2003 sends a one-time request to the
ESE buffer cache to increase by 64 MB (default). This 64 MB portion becomes available for
message processing and provides the administrator with more time before it is necessary to
start the Store.exe process.
• Exchange performs an optimal memory configuration check when the Exchange store
process starts. If the memory settings are not optimal, event 9665 will appear in Event
Viewer. This message appears in the following instances:
• The server is running Microsoft Windows® 2000 Server and the SystemPages value in
the registry is set outside the range of 24000 to 31000.
• The server has 1 GB of memory or more and does not have the /3GB switch.
• The server is running Microsoft Windows Server™ 2003, has 1 GB of memory or more,
and the /3GB switch is set, but the /USERVA setting is not present or is outside the
range of 2970 to 3030.
If you see this event, check the SystemPages and HeapDeCommitFreeBlockThreshold
settings in the registry, as well as the /3GB switch and the USERVA setting in the boot.ini
file.
Note
If you want to turn off the memory configuration check, you can create the
following registry key.
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem\
Parameter: Suppress Memory Configuration Notification
Type: REG_DWORD
Setting: 1
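The three event 9665 conditions listed above, written out as a check so the logic can be read and exercised. This is an added example, not code from the original document or from Exchange; the inputs (operating system, memory, SystemPages, boot.ini text) are passed in explicitly, with a constructed boot.ini at the end, and the function and parameter names are the example's own.

```powershell
# Added example: evaluate the document's event 9665 conditions from supplied inputs.
# On a real server you would read SystemPages from the registry, the switches from
# boot.ini and the memory size from Win32_ComputerSystem; here they are parameters
# so the logic runs anywhere. Function and parameter names are this example's own.

function Get-BootIniSwitches {
    # Parses boot.ini text and returns the switches of the default boot entry
    # (falling back to the first entry) as @{ Has3GB = bool; UserVa = int or $null }.
    param([string]$BootIniText)

    $lines = $BootIniText -split "`r?`n"

    # "default=" names the ARC path of the entry that boots unless the user intervenes.
    $defaultArc = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*default\s*=\s*(\S+)') { $defaultArc = $Matches[1]; break }
    }

    # OS entries look like:  <arc path>="<description>" /fastdetect /3GB /USERVA=3030
    $entry = $null
    foreach ($line in $lines) {
        if ($line -notmatch '^\s*([^=;\[\]]+?)\s*=\s*"[^"]*"(.*)$') { continue }
        $arcPath    = $Matches[1].Trim()
        $switchText = $Matches[2]
        if ($null -eq $entry) { $entry = $switchText }                 # first entry as fallback
        if ($defaultArc -and $arcPath -eq $defaultArc) { $entry = $switchText; break }
    }

    $has3gb = [bool]($entry -match '(?i)(^|\s)/3GB(\s|$)')
    $userVa = $null
    if ($entry -match '(?i)/USERVA=(\d+)') { $userVa = [int]$Matches[1] }

    return @{ Has3GB = $has3gb; UserVa = $userVa }
}

function Test-ExchangeMemoryConfiguration {
    # Returns one line per document condition that would raise event 9665.
    # An empty result means the memory configuration passes the check.
    param(
        [ValidateSet('Windows2000', 'WindowsServer2003')]
        [string]$OperatingSystem,
        [double]$PhysicalMemoryGB,
        [int]$SystemPages,        # Memory Management\SystemPages value (Windows 2000 condition)
        [string]$BootIniText
    )

    $switches = Get-BootIniSwitches -BootIniText $BootIniText
    $findings = @()

    # Condition 1: Windows 2000 Server with SystemPages outside 24000..31000.
    if ($OperatingSystem -eq 'Windows2000' -and ($SystemPages -lt 24000 -or $SystemPages -gt 31000)) {
        $findings += "SystemPages is $SystemPages; expected 24000 to 31000"
    }

    # Condition 2: 1 GB or more of memory without the /3GB switch.
    if ($PhysicalMemoryGB -ge 1 -and -not $switches.Has3GB) {
        $findings += "$PhysicalMemoryGB GB of memory but no /3GB switch in boot.ini"
    }

    # Condition 3: Windows Server 2003, 1 GB or more, /3GB set, /USERVA absent or outside 2970..3030.
    if ($OperatingSystem -eq 'WindowsServer2003' -and $PhysicalMemoryGB -ge 1 -and $switches.Has3GB) {
        $userVa = $switches.UserVa
        if ($null -eq $userVa -or $userVa -lt 2970 -or $userVa -gt 3030) {
            $shown = if ($null -eq $userVa) { 'missing' } else { $userVa }
            $findings += "/3GB is set but /USERVA is $shown; expected 2970 to 3030"
        }
    }

    return ,$findings
}

# Constructed sample boot.ini: Windows Server 2003 with /3GB but no /USERVA setting.
$sampleBootIni = @"
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /3GB
"@

Test-ExchangeMemoryConfiguration -OperatingSystem WindowsServer2003 -PhysicalMemoryGB 4 `
                                 -SystemPages 0 -BootIniText $sampleBootIni
```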

Changing the MTA File Directory Location Using System Manager
By default, the Exchange MTA database and run directories are located under the folder where
Exchange 2003 is installed (<drive>:\Program Files\Exchsrvr\MTADATA). On some servers,
especially where Exchange is functioning as a bridgehead server, you can improve performance
by relocating the MTA database to a fast disk array, such as a RAID 0+1 partition.
Note
When you modify the location of the queue directory, you are modifying only the MTA
database path and moving only the database files (.dat files); you are not moving
any of the run files or the run directory.
Do not attempt to relocate the MTA run directory as this can cause performance
problems.

In Exchange 2003, you can now use Exchange System Manager to change the location of the
MTA database. To do this, use the General tab in the X.400 Properties dialog box. For more
information about how to change the location of the MTA database, see "Moving the X.400
(MTA) and SMTP Queue Directory Locations" in Chapter 6.

Changing the SMTP Mailroot Directory Location Using System Manager
In Exchange 2003, when messages arrive through SMTP, the data is written to a disk in the form
of a Microsoft Windows NT® File System (NTFS) file (specifically, an .eml file). By default,
these files are written to a directory (<drive>:\Program Files\Exchsrvr\Mailroot) on the same disk
partition where the Exchange 2003 binary files are installed.
In some scenarios, such as configuring a bridgehead or relay server, relocating the SMTP
Mailroot directory to a faster disk partition may positively impact performance.
In Exchange 2003, you can now use Exchange System Manager to move the Mailroot directory.
To do this, use the Messages tab in the SMTP Virtual Server Properties dialog box. For more
information about how to move the Mailroot directory, see "Moving the X.400 (MTA) and SMTP
Queue Directory Locations" in Chapter 6.

Tuning Exchange 2003


Upon installation, Exchange 2003 performs very well and does not require much tuning.
However, in situations where you are coexisting with previous versions of Exchange or
implementing large scale-up Exchange 2003 servers, some manual tuning may be required.
Although this section does not provide a complete list of tuning recommendations, it does
recommend tuning changes when upgrading an Exchange 2000 server to Exchange 2003.

Removing Exchange 2000 Tuning Parameters
Many Exchange 2000 tuning parameters [for example, those parameters listed in the technical
article Microsoft Exchange 2000 Internals: Quick Tuning Guide
(http://go.microsoft.com/fwlink/?linkid=1712)], are no longer applicable in
Exchange 2003; in fact, some of these parameters cause problems. If you previously tuned your
Exchange 2000 servers by adding any of the settings listed in this section, you must manually
remove them on your servers running Exchange 2003. The tools you use to remove those settings
are Registry Editor, Internet Information Services Manager, and ADSI Edit. For information
about how to use Registry Editor, Internet Information Services Manager, and ADSI Edit, see
Windows Server Help.
Warning
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

Initial Memory Percentage


The Initial Memory Percentage registry key no longer works with Exchange 2003. Therefore,
use Registry Editor to delete the following registry parameter when Exchange 2003 is installed.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Parameter: Initial Memory Percentage (REG_DWORD)

Extensible Storage System Heaps


The optimum number of heaps is now automatically calculated with Exchange 2003. Therefore,
use Registry Editor to delete the following registry parameter when Exchange 2003 is installed.
Location: HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\ESE98\Global\OS\Memory
Parameter: MPHeap parallelism (REG_SZ)

DSAccess MaxMemoryConfig Key


If you previously tuned DSAccess performance by adding a MaxMemoryConfig key, that key is
no longer recommended. Therefore, you should use Registry Editor to remove the following
registry parameter when Exchange 2003 is installed.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSExchangeDSAccess\Instance0
Parameter: MaxMemoryConfig (REG_DWORD)

DSAccess Memory Cache Tuning


If you previously tuned the user cache in DSAccess, you can now remove your manual tuning.
Exchange 2000 had a default user cache of 25 MB, whereas Exchange 2003 defaults to 140 MB.
Therefore, you should use Registry Editor to remove the following registry parameter when
Exchange 2003 is installed.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSExchangeDSAccess\Instance0
Parameter: MaxMemoryUser (REG_DWORD)

Cluster Performance Tuning


If you previously added the following registry parameters, use Registry Editor to remove them
when Exchange 2003 is installed.
Location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SMTPSVC\Queuing
Parameter: MaxPercentPoolThreads (REG_DWORD)
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SMTPSVC\Queuing
Parameter: AdditionalPoolThreadsPerProc (REG_DWORD)
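The six registry values named in the sections above can be audited and removed from a script rather than one at a time in Registry Editor. The following PowerShell is an added example, not part of the Exchange documentation; it assumes it is run with administrative rights on the Exchange 2003 server itself, and it covers only the registry values (the \Exchweb expiration setting and the ADSI Edit parameters are configured elsewhere).

```powershell
# Added example (not from the Exchange documentation): audit, and optionally remove,
# the Exchange 2000 tuning registry values that must not remain on an Exchange 2003
# server. Paths and value names are the ones listed in the document.
$staleValues = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'; Name = 'Initial Memory Percentage' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\ESE98\Global\OS\Memory';                      Name = 'MPHeap parallelism' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess\Instance0';  Name = 'MaxMemoryConfig' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess\Instance0';  Name = 'MaxMemoryUser' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Queuing';               Name = 'MaxPercentPoolThreads' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Queuing';               Name = 'AdditionalPoolThreadsPerProc' }
)

# Report every stale value that is still present, with its current data.
function Get-StaleExchange2000Tuning {
    foreach ($v in $staleValues) {
        if (-not (Test-Path -Path $v.Path)) { continue }
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{
                Path  = $v.Path
                Name  = $v.Name
                Value = $item.($v.Name)
            }
        }
    }
}

# Remove the stale values, keeping a CSV record of what was deleted.
# Supports -WhatIf / -Confirm so the change can be previewed first.
function Remove-StaleExchange2000Tuning {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string] $BackupFile = (Join-Path $env:TEMP 'exchange2000-tuning-backup.csv')
    )
    $found = @(Get-StaleExchange2000Tuning)
    if ($found.Count -eq 0) {
        Write-Host 'No Exchange 2000 tuning values are present.'
        return
    }
    $found | Export-Csv -Path $BackupFile -NoTypeInformation
    Write-Host "Recorded $($found.Count) value(s) to $BackupFile before removal."
    foreach ($f in $found) {
        if ($PSCmdlet.ShouldProcess("$($f.Path)\$($f.Name)", 'Remove registry value')) {
            Remove-ItemProperty -Path $f.Path -Name $f.Name
        }
    }
}

# Preview only; drop -WhatIf to actually delete the values.
Get-StaleExchange2000Tuning | Format-Table -AutoSize
Remove-StaleExchange2000Tuning -WhatIf
```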

Outlook Web Access Content Expiration


You should not disable content expiry for the \Exchweb virtual directory. The default expiration
setting of 1 day should be used in all scenarios. You can view and modify this setting in Internet
Information Services Manager.

Log Buffers
If you previously tuned the msExchESEParamLogBuffers parameter manually [for example, to
9000 (an Exchange 2000 SP2 recommendation), or 500 (an Exchange 2000 SP3
recommendation)], clear the manual tuning. Exchange 2003 uses a default value of 500.
Previously, Exchange 2000 used a default value of 84.
To return this setting to the default setting of <Not Set>, open the following parameter in ADSI
Edit, and then click Clear.
Location: CN=Configuration/CN=Services/CN=Microsoft Exchange/CN=<Exchange
Organization Name>/CN=Administrative Groups/CN=<Administrative Group
Name>/CN=Servers/CN=<Server Name>/CN=Information Store>/CN=<Storage
Group Name>
Parameter: msExchESEParamLogBuffers

Max Open Tables


If you tuned the msExchESEParamMaxOpenTables parameter manually, you should clear the
manual tuning. When the value of the parameter is cleared, Exchange 2003 automatically
calculates the correct value for you; for example, on an eight-processor server, a value of 27600
is used.
To return this setting to the default setting of <Not Set>, open the following parameter in ADSI
Edit, and then click Clear.
Location: CN=Configuration/CN=Services/CN=Microsoft Exchange/CN=<Exchange
Organization Name>/CN=Administrative Groups/CN=<Administrative Group
Name>/CN=Servers/CN=<Server Name>/CN=Information Store>/CN=<Storage
Group Name>
Parameter: msExchESEParamMaxOpenTables
CHAPTER 5

Reliability and Clustering Features


This chapter provides information about some of the significant updates related to Microsoft®
Exchange Server 2003 reliability and clustering. For complete information about how to ensure
your Exchange 2003 environment is reliable with or without implementing Exchange clustering,
see "Planning for Reliability" in the book Planning an Exchange Server 2003 Messaging System
(http://www.microsoft.com/exchange/library).

Reliability Features
To increase the reliability of your Exchange organization, Exchange 2003 offers the following
new or improved features:
Virtual memory management
The virtual memory improvements to Exchange 2003 reduce memory fragmentation and
increase server availability.
Mailbox Recovery Center
The new Mailbox Recovery Center makes it easy to perform simultaneous recovery or
export operations on multiple disconnected mailboxes.
Recovery Storage Group
The new Recovery Storage Group is a specialized storage group that can exist alongside the
regular storage groups in Exchange. Essentially, the Recovery Storage Group provides
flexibility in restoring mailboxes and mailbox databases.
Error reporting
The error-reporting component is improved in Exchange 2003. Exchange error reporting
allows you to send information about any failures that may occur to Microsoft. Microsoft
then uses that information to determine and prioritize potential updates to future product
versions.
This section discusses each of these features in detail.

Improved Virtual Memory Management
In Exchange 2003, the virtual memory management process is improved. Specifically, Exchange
is much more efficient in the way it reuses blocks of virtual memory. These design improvements
reduce fragmentation and increase availability for higher-end servers that have a large number of
users.
Virtual memory management for clustered Exchange servers is also improved. In previous
versions of Exchange, the Microsoft Exchange Information Store service (MSExchangeIS)
continued to run on a passive node. As a result, if an Exchange Virtual Server was moved manually
or failed back automatically to a node that had failed, the MSExchangeIS service ran on that node
with fragmented virtual memory.
In Exchange 2003, when an Exchange Virtual Server is either moved manually or failed over to
another node, the MSExchangeIS service on that node is stopped. Then, when an Exchange
Virtual Server is moved or failed back to that node, a new MSExchangeIS service is started and,
consequently, a fresh block of virtual memory is allocated to the service.
Even with these improvements to virtual memory, it is still important that you monitor virtual
memory performance. Table 5.1 lists the MSExchangeIS counters used to monitor virtual
memory performance.

Table 5.1 Performance monitors for virtual memory

Counter: VM Largest Block Size
Displays the size (in bytes) of the largest free block of virtual memory. This counter is a line
that slopes downward as virtual memory is consumed. When this counter drops below 32 MB,
Exchange 2000 logs a warning in the event log (Event ID=9582) and logs an error if it drops
below 16 MB. It is important to monitor this counter to ensure that it stays above 32 MB.

Counter: VM Total 16MB Free Blocks
Displays the total number of free virtual memory blocks that are greater than or equal to
16 MB. This line forms a pyramid as you monitor it. It starts with one block of virtual memory
greater than 16 MB and progresses to smaller blocks greater than 16 MB. Monitoring the trend
on this counter should allow a system administrator to predict when the number of 16 MB
blocks is likely to drop below 3, at which point restarting all the services on the node is
recommended.

Counter: VM Total Free Blocks
Displays the total number of free virtual memory blocks, regardless of size. This line forms a
pyramid as you monitor it. This counter can be used to measure the degree to which available
virtual memory is being fragmented. The average block size is the Process\Virtual Bytes\STORE
instance divided by MSExchangeIS\VM Total Free Blocks.

Counter: VM Total Large Free Block Bytes
Displays the sum (in bytes) of all the free virtual memory blocks that are greater than or equal
to 16 MB. This line slopes downward as memory is consumed.

When you monitor these counters, pay close attention that VM Total Large Free Block Bytes
always exceeds 32 MB. For non-clustered servers, if VM Total Large Free Block Bytes drops
below 32 MB, restart the services on that server. For clustered servers, if a node in the cluster
drops below 32 MB, fail over the Exchange Virtual Servers, restart all of the services on the
node, and then fail back the Exchange Virtual Servers.
If the virtual memory for your Exchange 2003 server becomes excessively fragmented, the
MSExchangeIS service logs the following events (Examples 1 and 2).

Example 1 Warning that is logged if the largest free block is smaller than 32
MB.
EventID=9582
Severity=Warning
Facility=Perfmon
Language=English
The virtual memory necessary to run your Exchange server is fragmented in such 
a way that performance may be affected. It is highly recommended that you 
restart all Exchange services to correct this issue.

Example 2 Error that is logged if the largest free block is smaller than 16
MB.
EventID=9582
Severity=Error
Facility=Perfmon
Language=English
The virtual memory necessary to run your Exchange server is fragmented in such 
a way that normal operation may begin to fail. It is highly recommended that 
you restart all Exchange services to correct this issue.

For more information about System Monitor and Event Viewer, see the Microsoft Windows
Server™ 2003 online documentation.
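The thresholds above (32 MB and 16 MB for the largest free block, fewer than three 16 MB blocks, and the 32 MB floor for VM Total Large Free Block Bytes) can be checked from a script instead of by eye in System Monitor. The following PowerShell is an added example, not part of the Exchange documentation; it assumes the counters are exposed under the MSExchangeIS performance object with the names shown in Table 5.1.

```powershell
# Added example (not from the Exchange documentation): evaluate the MSExchangeIS
# virtual-memory counters of Table 5.1 against the thresholds given in the text and
# return the action the text recommends for clustered and non-clustered servers.

function Test-ExchangeVmFragmentation {
    param(
        [Parameter(Mandatory = $true)] [long] $LargestBlockBytes,    # VM Largest Block Size
        [Parameter(Mandatory = $true)] [long] $Free16MBBlocks,       # VM Total 16MB Free Blocks
        [Parameter(Mandatory = $true)] [long] $LargeFreeBlockBytes,  # VM Total Large Free Block Bytes
        [switch] $Clustered
    )
    $findings = @()
    $severity = 'OK'

    # The store logs Event ID 9582 as a warning below 32 MB and as an error below 16 MB.
    if ($LargestBlockBytes -lt 16MB) {
        $severity = 'Error'
        $findings += ('Largest free block is {0:N1} MB (below 16 MB): Event ID 9582 error expected' -f ($LargestBlockBytes / 1MB))
    } elseif ($LargestBlockBytes -lt 32MB) {
        $severity = 'Warning'
        $findings += ('Largest free block is {0:N1} MB (below 32 MB): Event ID 9582 warning expected' -f ($LargestBlockBytes / 1MB))
    }

    # Fewer than three free blocks of 16 MB or more is the point at which a restart is recommended.
    if ($Free16MBBlocks -lt 3) {
        if ($severity -ne 'Error') { $severity = 'Warning' }
        $findings += "Only $Free16MBBlocks free block(s) of 16 MB or larger remain (threshold: 3)"
    }

    # VM Total Large Free Block Bytes must always exceed 32 MB.
    if ($LargeFreeBlockBytes -le 32MB) {
        if ($severity -ne 'Error') { $severity = 'Warning' }
        $findings += ('Total large free block bytes is {0:N1} MB (must stay above 32 MB)' -f ($LargeFreeBlockBytes / 1MB))
    }

    $action = if ($findings.Count -eq 0) {
        'None'
    } elseif ($Clustered) {
        'Fail over the Exchange Virtual Servers, restart all services on this node, then fail back'
    } else {
        'Restart the Exchange services on this server'
    }

    [pscustomobject]@{
        Severity          = $severity
        Findings          = $findings
        RecommendedAction = $action
    }
}

# Read the live counters from a server and evaluate them.
function Get-ExchangeVmStatus {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [switch] $Clustered
    )
    $paths = @(
        '\MSExchangeIS\VM Largest Block Size',
        '\MSExchangeIS\VM Total 16MB Free Blocks',
        '\MSExchangeIS\VM Total Large Free Block Bytes'
    )
    $samples = (Get-Counter -ComputerName $ComputerName -Counter $paths).CounterSamples
    $value = @{}   # hashtable keys are case-insensitive, so the lower-cased sample paths match
    foreach ($s in $samples) { $value[$s.Path.Split('\')[-1]] = [long]$s.CookedValue }
    Test-ExchangeVmFragmentation -LargestBlockBytes $value['VM Largest Block Size'] `
        -Free16MBBlocks $value['VM Total 16MB Free Blocks'] `
        -LargeFreeBlockBytes $value['VM Total Large Free Block Bytes'] `
        -Clustered:$Clustered
}

# Constructed sample: a clustered node whose largest free block has fallen to 20 MB
# and which has only two 16 MB blocks left. Expect Severity 'Warning' with two findings
# and the fail over / restart / fail back recommendation.
Test-ExchangeVmFragmentation -LargestBlockBytes 20MB -Free16MBBlocks 2 -LargeFreeBlockBytes 40MB -Clustered
```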

Mailbox Recovery Center


Using the new Mailbox Recovery Center, you can perform simultaneous recovery or export
operations on multiple disconnected mailboxes. This is a significant improvement over
Exchange 2000, where such operations had to be performed individually on each disconnected
mailbox. With this new feature, you can quickly restore Exchange mailboxes, and thereby reduce
downtime. For more information about how to use Mailbox Recovery Center, see "Mailbox
Recovery Center" in Chapter 3.

Recovery Storage Group


With the addition of the Recovery Storage Group, Exchange 2003 provides added flexibility in
restoring mailboxes and storage groups. With this new feature, you can quickly restore Exchange
data, and thereby reduce downtime. For more information about using the Recovery Storage
Group feature, see "Recovery Storage Groups" in Chapter 7.

Improved Error Reporting


Although error reporting was included in Exchange 2000 SP2 and SP3, its implementation is
improved in Exchange 2003.
Error reporting allows server administrators to easily report errors to Microsoft. Microsoft
collects the error reports, and then uses the information to improve product functionality. By
default, when fatal application errors occur in Exchange System Manager or an Exchange-related
operation of Active Directory Users and Computers, a warning message notifies administrators of
the error. Specifically, the message states that the application must close and provides an option
to send an error report to Microsoft (Figure 5.1).

Figure 5.1 Warning message that displays after a fatal Exchange System
Manager error occurs
Similarly, when fatal service-related errors occur that relate to Exchange, a dialog box appears
that provides an option to send a report to Microsoft (Figure 5.2).

Figure 5.2 The Microsoft Event Reporting dialog box that displays after
service-related errors occur
Note
By default, a service-related fatal error does not immediately initiate an error
reporting prompt. Instead, the prompt for service-related errors appears the next
time you log on to the server.

The error report is sent to Microsoft over a secure HTTPS connection, and usually consists of a
10 to 50 KB compressed file. The error report is known as a minidump file. For detailed
technical information about how the information in a minidump file is gathered and sent, see the
technical article Using Dr. Watson (http://go.microsoft.com/fwlink/?LinkId=15183).
For general information about error reporting, see the technical article Find Solutions to Office
XP Errors with Microsoft Error Reports
(http://go.microsoft.com/fwlink/?LinkId=15186).
Exchange 2000 SP2 and SP3 supported the standard error reporting dialog box that provided
administrators with the option to send error reports to Microsoft. Exchange 2003 supports the
same error reporting functionality included in Exchange 2000 SP3, including the following new
features:

• Exchange service-related errors (that occur close to each other in time), are queued and then
presented to the administrator in a single list.
Note
For information about how you can configure Exchange to automatically send
service-related errors to Microsoft without requiring the administrator to use the
error reporting dialog box, see "Configuring Exchange to Automatically Send
Service-Related Error Reports" later in this section.
• Corporate Error Reporting (CER) is now supported. CER is a tool designed for
administrators to manage error reports created by the Microsoft Windows® Error Reporting
client, as well as error-reporting clients shipped with applications. For information about
installing and using CER, see the Corporate Error Reporting page of the Windows Online
Crash Analysis Web site (http://go.microsoft.com/fwlink/?LinkId=15195).
• Additional support for Exchange Setup errors (including queuing the errors so they are all
presented to the administrator in a single list after Setup completes).
• Improved support for errors relating to the Recipient Update Service. In Exchange 2003,
critical errors relating to the Recipient Update Service (for example, access violations that
occur when Recipient Update Service attempts to update a recipient object) now
immediately generate a Microsoft Error Reporting error message that allows you to send
information about the error to Microsoft. This is important, because RUS-related errors leave
the System Attendant in an unstable state.
These Recipient Update Service-related error reports are a significant improvement over
Exchange 2000. In Exchange 2000, any Recipient Update Service-related errors resulted in
an event being written to the Event Log. As a result, administrators were not immediately
notified of the errors.

Configuring Exchange to Automatically Send Service-Related Error Reports
If you do not want to view the standard error reporting dialog box, you can configure Exchange
to automatically send service-related error reports to Microsoft. This configuration is useful if
you do not want to be interrupted when logging on after an error has occurred (for example, if
you already check the Event Log at a specific time each day).

To enable automatic service-related error reporting


1. Start System Manager: Click Start, point to All Programs, point to Microsoft Exchange,
and then point to System Manager.
2. In the console tree, expand Servers, right-click the server on which you want to enable
automatic error reporting, and then click Properties.

3. In <Server Name> Properties, on the General tab, select the Automatically send fatal
service errors information to Microsoft check box (Figure 5.3).

Figure 5.3 The Automatically send fatal service errors information to Microsoft check box
4. In the confirmation dialog box that appears, click Yes (Figure 5.4).

Figure 5.4 Dialog box confirming that you want to automatically send
service-related fatal error information to Microsoft.

Clustering Features
This section provides information about some of the significant updates related to
Exchange 2003 clustering. For complete information about Exchange 2003 clustering, see the
following references available in the Exchange Server 2003 Technical Documentation Library
(http://www.microsoft.com/exchange/library):

• For planning information, read the section "Using Server Clusters" in the book Planning an
Exchange Server 2003 Messaging System.
• For deployment information, see "Deploying Exchange 2003 in a Cluster" in the book
Exchange Server 2003 Deployment Guide.
• For administration information, see "Managing Exchange Server Clusters" in the book
Exchange Server 2003 Administration Guide.
Exchange 2003 provides the following new or improved clustering features:
Support for up to eight nodes
Exchange has added support for up to eight-node active/passive clusters when using Windows
Server 2003 Enterprise Edition or Windows Server 2003 Datacenter Edition.
Support for volume mount points
Exchange has added support for the use of volume mount points when using Windows
Server 2003 Enterprise Edition or Windows Server 2003 Datacenter Edition.
Improved failover performance
Exchange has improved clustering performance by reducing the amount of time it takes a
server to fail over to a new node.
Improved security
Exchange cluster servers are now more secure. For example, the Exchange 2003 permissions
model has changed.
Improved prerequisite checking
Exchange performs more prerequisite checks to help ensure your cluster servers are
deployed and configured properly.
This section discusses each of these features in detail.

Support For Up to Eight-Node Clusters


Exchange 2003 enhances clustering capabilities by introducing support for eight-node Exchange
clusters. Eight-node clusters are supported only when running Windows Server 2003 Enterprise
Edition or Windows Server 2003 Datacenter Edition. Another requirement for eight-node clusters
is that at least one node must be passive.
Note
All Exchange 2003 clustering recommendations are for active/passive cluster
configurations. Active/active clustering will continue to be supported on two nodes.

Windows and Exchange Version Requirements


Specific versions of Windows Server and Exchange Server are required to create
Exchange clusters. Table 5.2 lists these requirements.

Table 5.2 Windows and Exchange version requirements

Windows version: Any server in the Windows 2000 Server or Windows Server 2003 families
Exchange version: Exchange Server 2003, Standard Edition
Cluster nodes available: None

Windows version: Windows 2000 Server or Windows Server 2003, Standard Edition
Exchange version: Exchange Server 2003, Standard Edition or Exchange Server 2003, Enterprise Edition
Cluster nodes available: None

Windows version: Windows 2000 Advanced Server
Exchange version: Exchange Server 2003, Enterprise Edition
Cluster nodes available: Up to two

Windows version: Windows 2000 Datacenter Server
Exchange version: Exchange Server 2003, Enterprise Edition
Cluster nodes available: Up to four

Windows version: Windows Server 2003, Enterprise Edition
Exchange version: Exchange Server 2003, Enterprise Edition
Cluster nodes available: Up to eight

Windows version: Windows Server 2003, Datacenter Edition
Exchange version: Exchange Server 2003, Enterprise Edition
Cluster nodes available: Up to eight

Support for Volume Mount Points


Volume mount points are now supported on shared disks when the nodes of your cluster are
running Windows Server 2003 Enterprise Edition or Datacenter Edition with four or more nodes.
Volume mount points are directories that point to specified disk volumes in a persistent manner
(for example, you can configure C:\Data to point to a disk volume). Mount points bypass the
need to associate each disk volume with a drive letter, thereby surpassing the 26 drive letter
limitation.
For more information about mounted drives, see the Windows Server 2003 documentation.

Improved Failover time


For clustering in Exchange 2003, the amount of time it takes to failover to another node is
reduced, thereby improving overall performance. This section provides information about these
improvements to failover times.

Improved Dependency Hierarchy for Exchange Services
To decrease the amount of time it takes to failover a server, Exchange 2003 provides an improved
dependency hierarchy for Exchange services. Specifically, the Exchange protocol services, which
were previously dependent on the Microsoft Exchange Information Store service, are now
dependent on the Microsoft Exchange System Attendant service (Figures 5.5 and 5.6).

Figure 5.5 Hierarchy of Exchange dependencies in Exchange 2000



Figure 5.6 Hierarchy of Exchange dependencies in Exchange 2003


Note
In Exchange 2003, the IMAP4 and POP3 resources are not created automatically
when you create a new Exchange Virtual Server.

If a failover occurs, this improved hierarchy allows the Exchange mailbox stores, public folder
stores, and Exchange protocol services to start simultaneously. As a result, all Exchange
resources (except the System Attendant service) can now start and stop simultaneously, thereby
improving failover time. Additionally, if the Exchange store stops, it is no longer dependent on
other services to restart.
Another benefit is the reduction of downtime resulting from an Exchange Virtual Server failover.
This reduction can save several minutes, which is significant when you consider that the average
failover time for an Exchange Virtual Server running on Windows 2000 was only three to eight
minutes (depending on the number of users hosted by the Exchange Virtual Server).

Improved Detection of Available Nodes


When running Exchange 2003 on Windows Server 2003, the speed at which Exchange detects an
available node and then fails over to that node is reduced. Therefore, for both planned and
unplanned failovers, downtime is reduced.

Security Improvements
Exchange 2003 clustering includes the following security features:

• Permission improvements
• Kerberos enabled by default

• IPSec support for front-end and back-end servers


• IMAP4 and POP3 services no longer included when creating Exchange Virtual Servers
This section discusses each of these features in detail.

Clustering Permission Model Changes


The permissions needed to create, delete, or modify an Exchange Virtual Server are modified in
Exchange 2003. The best way to understand these modifications is to compare the
Exchange 2000 permissions model with the new Exchange 2003 permissions model.

Exchange 2000 Permissions Model


For an Exchange 2000 cluster administrator to create, delete, or modify an Exchange Virtual
Server, the cluster administrator and the Cluster Service account require the following
permissions:

• If the Exchange Virtual Server is the first Exchange Virtual Server in the Exchange
organization, the cluster administrator's account and the Cluster Service account must each
be a member of a group that has the Exchange Full Administrator role applied at the
organization level.
• If the Exchange Virtual Server is not the first Exchange Virtual Server in the organization,
the cluster administrator's account and the Cluster Service account must each be a member
of a group that has the Exchange Full Administrator role applied at the administrative group
level.

Exchange 2003 Permissions Model


In Exchange 2003, the permissions model has changed. The Windows Cluster Service account no
longer requires that the Exchange Full Administrator role be applied to it, neither at the Exchange
organization level nor at the administrative group level. The Windows Cluster Service account
requires no Exchange-specific permissions. Its default permissions in the forest are sufficient for
it to function in Exchange 2003. Only the logon permissions of the cluster administrator are
required to create, modify, and delete Exchange Virtual Servers.
As with Exchange 2000, the cluster administrator requires the following permissions:

• If the Exchange virtual server is the first Exchange Virtual Server in the organization, the
cluster administrator must be a member of a group that has the Exchange Full Administrator
role applied at the organization level.
• If the Exchange virtual server is not the first Exchange Virtual Server in the organization,
you must use an account that is a member of a group that has the Exchange Full
Administrator role applied at the administrative group level.
However, depending on the mode in which your Exchange organization is running (native mode
or mixed mode), and depending on your topology configuration, your cluster administrators must
have the following additional permissions:
• When your Exchange organization is in native mode, if the Exchange virtual server is in a
routing group that spans multiple administrative groups, then the cluster administrator must
be a member of a group that has the Exchange Full Administrator role applied at all the
administrative group levels that the routing group spans. For example, if the Exchange
Virtual Server is in a routing group that spans the First Administrative Group and Second
Administrative Group, the cluster administrator must use an account that is a member of a
group that has the Exchange Full Administrator role applied at First Administrative Group
and must also be a member of a group that has the Exchange Full Administrator role applied
at Second Administrative Group.
Note
Routing groups in Exchange native-mode organizations can span multiple
administrative groups. Routing groups in Exchange mixed-mode organizations
cannot span multiple administrative groups.

• In topologies such as parent/child domains where the cluster server is the first Exchange
server in the child domain, the cluster administrator must be a member of a group that has
the Exchange Administrator role or greater applied at the organization level to be able to
specify the server responsible for Recipient Update Service in the child domain.

Kerberos Enabled By Default on Exchange Virtual Servers
The Kerberos authentication protocol is a security protocol that verifies the identity of both
users and network services. In Exchange 2000, the default authentication for Exchange Virtual
Servers was the NTLM protocol, because the Windows Cluster service did not support Kerberos
enablement of a cluster group until Windows 2000 Service Pack 3 (SP3).
In Exchange 2003, the Kerberos authentication protocol is enabled by default when you create an
Exchange Virtual Server on a server running Windows Server 2003 or Windows 2000 SP3.

IPSec Support for Front-End and Back-End Cluster Configurations
You can use Internet Protocol security (IPSec) if a secure channel is required between front-end
and back-end cluster servers. This configuration is fully supported when both the front-end
servers and back-end servers are running Exchange 2003 on Windows Server 2003.

IMAP4 and POP3 Resources Not Added By Default


Because IMAP4 and POP3 protocols are not needed on all Exchange servers, the IMAP4 and
POP3 protocol resources are no longer created when you create an Exchange Virtual Server.

Checking Clustering Prerequisites


Exchange 2003 performs more prerequisite checks on clusters than previous versions of
Exchange. For example, Exchange performs more preinstallation checks on the nodes of your
cluster to help ensure that Exchange is installed on your cluster nodes correctly. Similarly,
Exchange 2003 performs more checks on your cluster when creating and removing Exchange
Virtual Servers to help ensure that your Exchange Virtual Servers are configured correctly.

Exchange 2003 Cluster Requirements
There are important requirements you must consider when planning your upgrade or installing
Exchange 2003 on a Windows 2000 Server or Windows Server 2003 cluster. These requirements
include:

• System-wide requirements that define how you should configure Domain Name System
(DNS).
• Server-specific requirements that define which Windows operating systems are supported
with specific types of cluster deployments.
• Network configuration requirements that help ensure proper communication between the
nodes of your cluster.
For complete information about these requirements, see "Cluster Requirements" in the book
Exchange Server 2003 Deployment Guide
(http://www.microsoft.com/exchange/library).

Exchange Server 2003 Setup Requirements
There are a number of requirements that must be met before upgrading or installing
Exchange 2003 on Windows 2000 Server or Windows Server 2003. Many of these requirements
are the same as the ones you must follow to install Exchange 2003 on a stand-alone (non-
clustered) server. For example, you must ensure that Internet Information Services and other
Windows services are running before you run Exchange Server 2003 Setup on the nodes of your
cluster. Similarly, you must ensure that Active Directory® is prepared for Exchange 2003.
There are also additional requirements to consider when running Exchange Server 2003 Setup on
the nodes of your cluster. For example, you must first install Microsoft Distributed Transaction
Coordinator (MSDTC) on the cluster.
For the requirements and procedures for installing Exchange 2003 in a cluster, see "Deploying a
New Exchange 2003 Cluster" or "Upgrading an Exchange 2000 Cluster to Exchange 2003" in the
book Exchange Server 2003 Deployment Guide
(http://www.microsoft.com/exchange/library).

Upgrading an Exchange 2000 Cluster and Exchange Virtual Server to Exchange 2003
To upgrade a cluster from Exchange 2000 to Exchange 2003, you must first run Exchange
Server 2003 Setup to upgrade the nodes of your cluster, and then use Cluster Administrator to
upgrade the Exchange Virtual Servers. It is recommended that you upgrade one Exchange cluster
node at a time.
When you upgrade each node, it is recommended that you move the Exchange Virtual Server
from the node you are upgrading to another node. This procedure enables users to access their e-
mail messages through the relocated Exchange Virtual Server during the Exchange 2003 upgrade
process.
Tables 5.3 and 5.4 explain the requirements for upgrading Exchange 2000 cluster nodes
and Exchange Virtual Servers to Exchange 2003.
Note
For information about how to upgrade your Exchange 2000 cluster to Exchange
2003, see "Upgrading an Exchange 2000 Cluster to Exchange 2003" in the book
Exchange Server 2003 Deployment Guide
(http://www.microsoft.com/exchange/library).

Table 5.3 Requirements for upgrading a cluster node

Area: Permissions
• Account must be a member of a group that has the Exchange Full Administrator role applied
at the administrative group level.

Area: Cluster resources
• No cluster resources can be running on the node you are upgrading because Exchange Setup
will need to recycle the Cluster service. One-node clusters are exempt.
• The MSDTC resource must be running on one of the nodes in the cluster.

Area: Other
• Only servers running Exchange 2000 SP3 or later can be upgraded to Exchange 2003. If your
servers are running previous versions of Exchange, you must first upgrade to Exchange 2000
SP3 or later.
• You must upgrade your cluster nodes one at a time.
• The Cluster service must be initialized and running.
• If there are more than two nodes, the cluster must be active/passive. If there are two nodes
or fewer, active/active is allowed.

Area: If running Windows 2000
• Windows 2000 SP4 or Windows 2000 SP3 with hotfix 329938 is required. To obtain
Windows 2000 SP4, go to the Windows 2000 Service Packs Web site
(http://go.microsoft.com/fwlink/?LinkId=18353).
• To obtain the Windows 2000 SP3 hotfix, see the Microsoft Knowledge Base article 329938,
"Cannot Use Outlook Web Access to Access an Exchange Server Installed on a Windows 2000
Cluster Node" (http://support.microsoft.com/?kbid=329938).

Table 5.4 Requirements for upgrading an Exchange Virtual Server

Area: Permissions
• If the Exchange Virtual Server is the first server to be upgraded in the organization or is the
first server to be upgraded in the domain, the account must be a member of a group that has
the Exchange Full Administrator role applied at the organization level.
• If the Exchange Virtual Server is not the first server to be upgraded in the organization or
the first Exchange server to be upgraded in the domain, the account only needs to be a
member of a group that has the Exchange Full Administrator role applied at the
administrative group level.

Area: Cluster resources
• The Network Name resource must be online.
• The Physical Disk resources must be online.
• The System Attendant resource must be offline.

Area: Other
• The version of Exchange on the computer running Cluster Administrator must be the same
version as the node that owns the Exchange Virtual Server.
• You must upgrade your Exchange Virtual Servers one at a time.
Chapter 6

Transport and Message Flow Features

Microsoft® Exchange Server 2003 introduces several new features and functionality to improve
transport and message flow. This chapter explains the following topics:
Link state improvements
This section explains how link state improvements reduce the amount of link state
information that is replicated throughout the Exchange organization, thereby reducing
performance impact.
Cross-forest authentication configuration
Because Exchange 2003 prevents spoofing or forging e-mail addresses, you must perform
specific configuration steps to enable cross-forest authentication. This section shows you
how to enable cross-forest authentication.
Internet Mail Wizard
Exchange 2003 provides a new version of Internet Mail Wizard to guide you through the
process of configuring Internet mail delivery in your organization. This section explains how
to use the wizard to set up Internet mail delivery.
Delivery status notification (DSN) diagnostic logging and codes
Exchange 2003 now provides diagnostic logging for delivery status notifications (DSNs) and
implements some new DSN codes. This section explains how to configure DSN diagnostic
logging and explains the new DSN codes available in Exchange 2003.
Support for moving X.400 (MTA) and SMTP queue directories
In Exchange 2003, you can use Exchange System Manager to change the location where
your SMTP and X.400 queue data is stored. This section explains how to use Exchange
System Manager to move your queue directory.
Connection filtering
Exchange 2003 supports connection filtering based on block lists. This section explains how
connection filtering works, and how you can set it up on your Exchange server.
Recipient filtering
Exchange 2003 also supports recipient filtering so you can filter e-mail messages that are
addressed to users who are not in the Microsoft Active Directory® directory service or e-mail
messages that are addressed to well-defined recipients indicative of unsolicited commercial
mail.
How enabled filters are applied
This section explains how filters and restrictions are applied during an SMTP session.
Improved ability to restrict submission to an SMTP virtual server
This section explains how you can restrict submissions based on security groups in
Exchange 2003.
Improved ability to restrict relaying on an SMTP virtual server
This section explains how you can restrict relaying based on security groups in
Exchange 2003.
Exchange 2003 also provides the following other features that enhance transport and mail flow:

• A new type of distribution group called query-based distribution groups allows you to use an
LDAP query to dynamically build membership in the distribution groups. For more
information, see "Query-Based Distribution Groups" and "Improved Message Tracking" in
Chapter 3.
• You can now set restrictions on who can send mail to a distribution list. For more
information, see "Improved Ability to Restrict Submissions to Users and Distribution Lists
(Restricted Distribution Lists)" in Chapter 3.
• You can now track messages after categorization (which is the phase where users are located
and distribution groups are expanded into individual recipients) and during the routing
process. You can also use Exchange System Manager to move message-tracking logs. For
more information, see "Improved Message Tracking" in Chapter 3.
• Improvements to Queue Viewer. More queues are exposed, so you can more easily diagnose
problems with mail flow. For more information, see "Enhancements to Queue Viewer" in
Chapter 3.
• With the archiving feature available on a mailbox store, you can archive all recipients,
including those on the Bcc line. For more information, see "Including Bcc Recipients in
Archived Messages" in Chapter 3.

Link State Improvements


Exchange uses link state routing to determine the best method for sending messages between
servers, based on the current status of messaging connectivity and cost. Exchange 2003 improves
how link state information is communicated in two cases: when no alternate path for the message
exists, and when a connection is oscillating (intermittently available and unavailable).
Specifically, Exchange 2003 reduces link state traffic by attempting to determine whether the
connector state is oscillating or whether no alternate path exists; if either condition holds,
Exchange suppresses the link state information.
Chapter 6: Transport and Message Flow Features 145

Improved Link State Availability


In Exchange 2003, even if no alternate path exists for a link, the link state is always marked as up
(in service). Exchange no longer changes the link state to unavailable if no alternate path exists.
Instead, Exchange simply queues mail for delivery and sends it when the route becomes
available. This change enhances performance because it reduces the propagation of link state
information.

Link State Improvements for Oscillating Connections
Another significant improvement to link state routing is how Exchange 2003 handles oscillating
connections. Exchange 2003 reviews the link state queue, and if there are multiple conflicting
state changes in a given interval for a connector, the connector is considered an oscillating
connection, and its link state remains up (in service). It is better to leave an oscillating connector
up than to continually change the link state. This reduces the amount of link state traffic that is
replicated between servers.
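As an added illustration (not Exchange code), the following Python model applies the two rules above: a link with no alternate path is kept up, and a connector with several conflicting state changes in one interval is treated as oscillating and also kept up. The interval length and the flip threshold are assumed values; the document does not state the real ones.

```python
"""Added model of the Exchange 2003 link state suppression rules.

Not Exchange code. INTERVAL_SECONDS and OSCILLATION_FLIPS are assumed
values; the document does not state the real interval or threshold.
"""
from dataclasses import dataclass, field

UP, DOWN = "up", "down"
INTERVAL_SECONDS = 300      # assumed window used to detect oscillation
OSCILLATION_FLIPS = 3       # assumed: this many up/down flips in the window


@dataclass
class Connector:
    name: str
    has_alternate_path: bool
    history: list = field(default_factory=list)  # (time, reported state)
    replicated_state: str = UP                   # state other servers see


@dataclass
class LinkStateTable:
    connectors: dict = field(default_factory=dict)
    replication_log: list = field(default_factory=list)  # (time, name, state)
    suppressed: int = 0   # reported changes that were not replicated

    def add(self, connector):
        self.connectors[connector.name] = connector

    def _is_oscillating(self, c):
        states = [s for _, s in c.history]
        flips = sum(1 for a, b in zip(states, states[1:]) if a != b)
        return flips >= OSCILLATION_FLIPS

    def report(self, name, state, now):
        """Handle a state change reported for a connector at time `now`.

        Returns the state that is actually replicated. A replication event is
        recorded only when the visible link state changes.
        """
        c = self.connectors[name]
        # Keep only the notifications that fall inside the detection window.
        c.history = [(t, s) for t, s in c.history if now - t <= INTERVAL_SECONDS]
        c.history.append((now, state))

        if state == DOWN and not c.has_alternate_path:
            # Improved link state availability: with no alternate route the
            # link is left up and mail queues until the route returns.
            new_state = UP
        elif self._is_oscillating(c):
            # Oscillating connection: leaving it up beats flapping the
            # link state across the organization.
            new_state = UP
        else:
            new_state = state

        if new_state != state:
            self.suppressed += 1
        if new_state != c.replicated_state:
            c.replicated_state = new_state
            self.replication_log.append((now, name, new_state))
        return new_state


if __name__ == "__main__":
    table = LinkStateTable()
    table.add(Connector("to-fabrikam", has_alternate_path=True))
    for t, s in [(0, DOWN), (10, UP), (20, DOWN), (30, UP), (40, DOWN)]:
        print(t, s, "->", table.report("to-fabrikam", s, t))
    print("replicated:", len(table.replication_log), "suppressed:", table.suppressed)
```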

Configuring Cross-Forest SMTP Mail Collaboration
To prevent spoofing (forging identities), Exchange 2003 requires authentication before a sender's
name is resolved to its display name in the global address list (GAL). Therefore, in an
organization that spans two forests, a user who sends mail from one forest to another forest is not
authenticated; furthermore, the user's name is not resolved to a display name in the GAL, even if
the user exists as a contact in the destination forest.
To enable cross-forest mail collaboration in Exchange 2003, additional configuration steps are
required to resolve contacts outside your organization to their display names in Active Directory.
You have two options to enable the resolution of these contacts:

• Option 1 (recommended) Use authentication so that users who send mail from one forest
to another are authenticated users, and their names are resolved to their display names in the
GAL.
• Option 2 Restrict access to the SMTP virtual server that is used for cross-forest
collaboration, and then configure Exchange to resolve anonymous e-mail. This
configuration is supported, but not recommended. By default, in this configuration, the
Exch50 message properties, which are the extended properties of a message, are not
persisted when mail is sent from one forest to another.
To understand the benefits of configuring cross-forest mail collaboration, consider the following
scenarios of anonymous mail submission and cross-forest authenticated mail submission.
Scenario: Anonymous Mail Submission
E-mail addresses are not resolved if the submission is anonymous. Therefore, when an
anonymous user who attempts to spoof (forge) an internal user's identity sends mail, the return
address does not resolve to its display name in the global address list (GAL).
Example:
Kim Akers is a legitimate internal user at Northwind Traders. Her display name in the GAL is
Kim Akers, and her e-mail address is kim@northwindtraders.com.
To send mail, Kim must be authenticated. Because she is authenticated, the intended recipients of
Kim's mail see that the sender is Kim Akers. In addition, the properties of Kim Akers are
displayed as her GAL entry. However, if Ted Bremer attempts to forge Kim's address by using
kim@northwindtraders.com in the From line and then sending the mail to the Exchange 2003
server at Northwind Traders, the e-mail address is not resolved to Kim's display name because
Ted did not authenticate. Therefore, when this e-mail message displays in Microsoft Office
Outlook®, the sender address appears as kim@northwindtraders.com; it does not resolve to
Kim Akers, as authenticated mail from Kim does.
Scenario: Cross-Forest Mail Delivery
Consider a company that spans two forests: the Adatum forest and the Fabrikam forest. Both
these forests are single-domain forests with domains of adatum.com and fabrikam.com
respectively. To allow cross-forest mail collaboration, all users in the Adatum forest are
represented as contacts in the Fabrikam forest's Active Directory. Likewise, all users in the
Fabrikam forest are represented as contacts in Adatum forest's Active Directory.
If a user in the Adatum forest sends mail to Fabrikam forest, and the mail is submitted over an
anonymous connection, the sender's address is not resolved, despite the fact the sender exists as a
contact in the Active Directory and in the Outlook GAL. This is because a user in the Adatum
forest is not an authenticated user in Fabrikam forest.
Example:
Kim Akers is a mail user in the Adatum forest—her e-mail address is kim@adatum.com, and her
Outlook GAL display name is Kim Akers. Adam Barr is a user in the Fabrikam forest—his
e-mail address is abarr@fabrikam.com, and his Outlook GAL display name is Adam Barr. Because
Adam is represented as an Active Directory contact in the Adatum forest, Kim can view Adam's
e-mail address and resolve it to the display name of Adam Barr in the Outlook GAL. When Adam
receives mail from Kim, Kim's address is not resolved; instead of seeing Kim's display name as it
appears in the GAL, Adam sees her unresolved e-mail address of kim@adatum.com. Because
Kim sent mail as an anonymous user, her e-mail address did not resolve. Although Kim is
authenticated when sending mail, the connection between the two forests is not authenticated.

To ensure that senders in one forest can send mail to recipients in another forest, and to ensure
that their e-mail addresses resolve to their display names in the GAL, you should enable cross-
forest mail collaboration. The following sections explain the two options available for
configuring mail collaboration between two forests.

Enabling Cross-Forest Authentication


To enable cross-forest SMTP authentication, you must create connectors in each forest that use
an authenticated account from the other forest. By doing this, any mail that is sent between the
two forests by an authenticated user resolves to the appropriate display name in the GAL. This
section explains how to enable cross-forest authentication.
Using the example of the Adatum forest and the Fabrikam forest (see the "Cross-Forest Mail
Delivery" scenario in the previous section), perform the following steps to set up cross-forest
authentication:

1. Create an account in the Fabrikam forest that has Send As permissions. (For all users in the
Adatum forest, a contact exists in the Fabrikam forest as well; therefore this account allows
Adatum users to send authenticated mail.) Configure these permissions on all Exchange
servers that will accept incoming mail from Adatum.
2. On an Exchange server in the Adatum forest, create a connector that requires authentication
using this account to send outbound mail.
Similarly, to set up cross-forest authentication from the Fabrikam forest to Adatum forest, repeat
these steps, creating the account in Adatum and the connector in Fabrikam.

Step 1: Creating a User Account in the Destination Forest with Send As Permissions
Before you set up your connector in the connecting forest, you must create an account in the
destination forest (the forest to which you are connecting) that has Send As permissions.
Configure these permissions on all servers in the destination forest that will accept inbound
connections from the connecting forest. The following procedures show you how to set up an
account in the Fabrikam forest and a connector in the Adatum forest, thereby allowing users in
the Adatum forest to send mail to the Fabrikam forest with resolved e-mail addresses.

To create the account used for cross-forest authentication
1. In the destination forest (in this case, the Fabrikam forest), create a user account in Active
Directory Users and Computers. This account must be an active account, but it does not
require the following permissions: log on locally, log on through terminal server.

2. On each Exchange server that will accept incoming connections from the connecting forest,
configure Send As permissions for this account.
Note
Be careful when creating the password policy. If you set the password to expire,
ensure that you have a policy in place that changes the password before its
expiration date. If the password for this account expires, cross-forest
authentication will fail.

a. Start Exchange System Manager: Click Start, point to All Programs, point to
Microsoft Exchange, and then click System Manager.
b. In the console tree, expand Servers, right-click an Exchange server that will accept
incoming connections from the connecting forest, and then click Properties.
c. In <Server Name> Properties, on the Security tab, click Add.
d. In Select Users, Computers, or Groups, add the account you just created, and then
click OK.
e. On the Security tab, under Group or user names, select the account.
f. Under Permissions, next to Send As, select the Allow check box (Figure 6.1).

Figure 6.1 Allowing the Send As permission



Step 2: Creating a Connector in the Connecting Forest
After creating the account with the proper permissions in the destination forest, create a
connector in the connecting forest and require authentication using the account you just created.
In the following procedure, assume that you are creating a connector on an Exchange server in
the Adatum forest that connects to the Fabrikam forest.

To configure a connector and require authentication for cross-forest authentication
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, right-click Connectors, point to New, and then click SMTP Connector.
3. On the General tab, in the Name box, type a name for the connector.
4. Click Forward all mail through this connector to the following smart hosts, and then
type the fully qualified domain or IP address of the receiving bridgehead server.
5. Click Add to select a local bridgehead server and SMTP virtual server to host the connector
(Figure 6.2).

Figure 6.2 The General tab in an SMTP virtual server's Properties


6. On the Address Space tab, click Add, select SMTP, and then click OK.
7. In Internet Address Space Properties, type the domain of the forest to which you want to
connect, and then click OK. In this example, because the connector is sending from the
Adatum forest to the Fabrikam forest, the address space matches the domain for the forest,
fabrikam.com (Figure 6.3).

Figure 6.3 The Internet Address Space Properties dialog box


Exchange will now route all mail destined to fabrikam.com (the Fabrikam forest) through
this connector.

8. On the Advanced tab, click Outbound Security.


9. Click Integrated Windows Authentication (Figure 6.4).

Figure 6.4 The Integrated Windows Authentication button in the Outbound Security dialog box
10. Click Modify.
11. In Outbound Connection Credentials, in the Account, Password, and Confirm password
boxes, specify an account and password in the destination forest (in this case, Fabrikam) that
has Send As permissions and is an authenticated Fabrikam account (Figure 6.5). Use the
following format for the account name: domain\username, where:
• domain is a domain in the destination forest.
• username represents an account in the destination forest with Send As permissions on
all Exchange servers in the destination forest that will accept mail from this connector.

Figure 6.5 The Outbound Connection Credentials dialog box


12. Click OK.

Enabling Cross-Forest Collaboration by Resolving Anonymous Mail
Another way you can configure Exchange to resolve contacts outside your organization to their
display names in Active Directory is to configure Exchange to resolve anonymous e-mail.
Assume that your company spans two forests, the Adatum forest and the Fabrikam forest, and
that mail is sent from the Adatum forest to the Fabrikam forest.
Important
Configuring Exchange servers to resolve anonymous mail submissions allows
unscrupulous users to submit messages with a falsified return address. Recipients
are not able to differentiate between authentic mail and spoofed mail. To
minimize this possibility, ensure that you restrict access to the SMTP virtual server to
the IP addresses of your Exchange servers.

Perform the following steps to resolve contacts for Adatum users to their display names in the
Fabrikam forest:

1. Create a connector in the Adatum forest that connects to the Fabrikam forest.
2. On the receiving bridgehead server in the Fabrikam forest, restrict access to the SMTP
virtual server by IP address. By doing this, you can ensure that only servers from the Adatum
forest can send mail to this server.
3. On the SMTP virtual server that hosts the connector, enable the Resolve anonymous e-mail
setting.
4. Change a registry key to ensure that the extended message properties (Exch50 properties)
are persisted across the forests. Otherwise, you can lose important message information.
After you complete these steps, all users who send mail from the Adatum forest to the Fabrikam
forest will resolve to their display names in the Fabrikam GAL. Next, you need to repeat steps 1
through 3 for the Fabrikam forest.
The following procedures show you how to:

• Set up a connector in the Adatum forest to Fabrikam.


• Restrict access to the receiving bridgehead server in the Fabrikam forest
• Enable anonymous e-mail resolution on the SMTP virtual server on the receiving bridgehead
server to resolve Adatum contacts in the Fabrikam forest.
In a production environment, you would then repeat this process to configure the resolution of
Fabrikam contacts in the Adatum forest.

Step 1: Creating a Connector in the Connecting Forest
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, right-click Connectors, point to New, and then click SMTP Connector.
3. On the General tab, in the Name box, type a name for the connector.
4. Click Forward all mail through this connector to the following smart hosts, and then
type the fully qualified domain or IP address of the receiving bridgehead server.

5. Click Add to select a local bridgehead server and SMTP virtual server to host the connector
(Figure 6.6).

Figure 6.6 The General tab on an SMTP virtual server Properties


6. On the Address Space tab, click Add, select SMTP, and then click OK.

7. In Internet Address Space Properties, type the domain of the forest to which you want to
connect, and then click OK. In this example, because the connector is sending from the
Adatum forest to the Fabrikam forest, the address space matches the domain for the forest,
fabrikam.com (Figure 6.7).

Figure 6.7 The Internet Address Space Properties dialog box


Exchange will now route all mail destined to fabrikam.com (the Fabrikam forest) through
this connector.

Step 2: Restricting IP Addresses on the Receiving Bridgehead Server
After you create the connector in the Adatum forest (the connecting forest) you must restrict
access to the receiving bridgehead server. You do this by allowing only the IP address of the
connecting servers in the Adatum forest to send mail to the receiving bridgehead server in the
Fabrikam forest.

To restrict access by IP address on the receiving bridgehead server


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand < Bridgehead Server Name >, expand
Protocols, and then expand SMTP.
3. Right-click the SMTP virtual server you want, and then click Properties.
4. On the Access tab, click Connection.
5. In Connection, click All except the list below to restrict access to a specified list of IP
addresses.

6. Click Add, and then perform one of the following steps:


• Click Single Computer, and in the IP address box, type the IP address of the
connecting Exchange server in the Adatum forest (the connecting forest). Repeat this
step for each computer in the Adatum forest.
• Click Group of computers, and in the Subnet address and Subnet mask boxes, type
the subnet address and subnet masks for the group of computers that host connectors to
the Fabrikam forest.

Step 3: Resolving Anonymous Mail on the SMTP Virtual Server
After you have restricted access to the receiving bridgehead server, you must configure the
SMTP virtual server on this bridgehead to resolve anonymous e-mail addresses.

To configure an SMTP virtual server to resolve anonymous e-mail addresses


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand < Bridgehead Server Name >, expand
Protocols, and then expand SMTP.
3. Right-click the SMTP virtual server you want, and then click Properties.
4. On the Access tab, click Authentication.
5. In Authentication, ensure that the Anonymous access check box is selected, and then select
the Resolve anonymous e-mail check box.

Step 4: Enabling Registry Key to Persist Message Properties Across Forests
As explained earlier, when messages are sent anonymously across forests, the extended message
properties on a message are not transmitted. For single companies that implement a cross-forest
scenario, these message properties must be transmitted because otherwise information about the
message can be lost. For example, the SCL property, an extended Exchange property, contains a
spam rating that is generated by third-party solutions. This property is not transmitted when mail
is sent anonymously. So if a third-party anti-spam solution is deployed in the Adatum forest, and
a message received in this forest is destined to a recipient in the Fabrikam forest, the third-party
solution stamps the SCL property on the message; however, when the message is delivered to the
Fabrikam forest, the extended property containing the spam rating is not persisted.
To ensure that the extended message properties are transmitted across forests when you send mail
anonymously, you must enable a registry key on the receiving bridgehead server.

To configure Exchange to accept the extended message properties, you can enable a registry key
on the receiving bridgehead server or on the SMTP virtual server that resides on the bridgehead.
Enabling the registry key on the Exchange server configures all SMTP virtual servers on the
Exchange server to accept extended properties.

Configuring the Exchange Server to Accept Extended Message Properties on Anonymous Connections
Use the following procedure to configure the Exchange server to accept extended properties on
anonymous connections. If your Exchange server functions solely as the bridgehead server for
cross-forest communication, you may want to configure this setting at the server level. If you
have other SMTP virtual servers on this Exchange server, consider setting this registry key on the
SMTP virtual server only.
Note
If you enable this registry key on an Exchange server, the setting applies to all SMTP
virtual servers on the Exchange server. If you want to configure a single SMTP virtual
server with this setting, enable the registry key on the SMTP virtual server.
Warning
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

To enable an Exchange server to accept message extended properties sent anonymously
1. Start Registry Editor (regedit).
2. In the console tree, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SMTPSVC\XEXCH50

3. Right-click XEXCH50, point to New, and then click DWORD Value.


4. In the details pane, type Exch50AuthCheckEnabled for the value name.
5. By default, the value data is 0, which indicates that the XEXCH50 properties are transmitted
when mail is sent anonymously.

Configuring an SMTP Virtual Server to Accept Extended Message Properties Sent Anonymously
Use the following procedure to configure the SMTP virtual server on the Exchange server to
accept extended properties.

To enable an SMTP virtual server to accept message extended properties sent anonymously
1. Start Registry Editor (regedit).
2. In the console tree, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SMTPSVC\XEXCH50

3. Right-click XEXCH50, point to New, and then click Key.


4. Type the number of the SMTP virtual server instance as the key value. For example, the
default SMTP virtual server instance is 1, while the second SMTP virtual server created on a
server is 2.
5. Right-click the key you just created, point to New, and click DWORD Value.
6. In the details pane, type Exch50AuthCheckEnabled for the value name.
7. By default, the value data is 0, which indicates that the XEXCH50 properties are transmitted
when mail is sent anonymously.
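The following Python model is an added example (not Exchange code) that applies the rules stated in Option 1, Option 2, and Step 4 above to a single SMTP submission: authenticated senders resolve, anonymous senders resolve only when Resolve anonymous e-mail is enabled and the connection passes the IP restriction, and Exch50 properties survive an anonymous hop only when Exch50AuthCheckEnabled is 0. The IP addresses and GAL contents are constructed, and the registry value is represented as a plain attribute.

```python
"""Added model of cross-forest sender resolution in Exchange 2003.

Not Exchange code. Network addresses and the GAL below are constructed
for the example; the registry value Exch50AuthCheckEnabled is modelled
as an attribute of the virtual server.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class SmtpVirtualServer:
    instance: int = 1
    anonymous_access: bool = True            # Authentication: Anonymous access
    resolve_anonymous_email: bool = False    # Authentication: Resolve anonymous e-mail
    # Connection control "All except the list below": only these networks may
    # connect. An empty list means no restriction is configured.
    allowed_networks: list = field(default_factory=list)
    # Registry DWORD Exch50AuthCheckEnabled; 0 accepts Exch50 on anonymous mail.
    exch50_auth_check_enabled: int = 1


@dataclass
class Submission:
    source_ip: str
    mail_from: str
    authenticated: bool           # Integrated Windows Authentication succeeded
    carries_exch50: bool = True   # e.g. an SCL stamped by an anti-spam product


@dataclass
class Outcome:
    accepted: bool
    sender_resolved: bool         # shown as the GAL display name, not a raw address
    exch50_persisted: bool
    reason: str


def evaluate(vs, sub, gal_contacts):
    """Apply the page's rules to one submission against one virtual server."""
    if vs.allowed_networks and not any(
            ip_address(sub.source_ip) in ip_network(n) for n in vs.allowed_networks):
        return Outcome(False, False, False, "connection refused by IP restriction")
    if not sub.authenticated and not vs.anonymous_access:
        return Outcome(False, False, False, "anonymous access is disabled")

    in_gal = sub.mail_from.lower() in {a.lower() for a in gal_contacts}
    if sub.authenticated:
        # Option 1: the connector authenticated with the destination-forest
        # account, so the sender resolves and Exch50 properties are kept.
        return Outcome(True, in_gal, sub.carries_exch50, "authenticated (Option 1)")

    # Option 2: anonymous submission on a virtual server that resolves
    # anonymous e-mail; Exch50 survives only with the registry value set to 0.
    resolved = in_gal and vs.resolve_anonymous_email
    persisted = sub.carries_exch50 and vs.exch50_auth_check_enabled == 0
    reason = "anonymous, resolved (Option 2)" if resolved else "anonymous, unresolved"
    return Outcome(True, resolved, persisted, reason)


def spoofing_exposure(vs):
    """True when anonymous senders would resolve without any IP restriction,
    which is the configuration the Important note above warns against."""
    return vs.anonymous_access and vs.resolve_anonymous_email and not vs.allowed_networks


if __name__ == "__main__":
    gal = {"kim@adatum.com"}                      # constructed Fabrikam GAL contact
    opt2 = SmtpVirtualServer(resolve_anonymous_email=True,
                             allowed_networks=["192.0.2.0/24"],   # constructed Adatum subnet
                             exch50_auth_check_enabled=0)
    print(evaluate(opt2, Submission("192.0.2.10", "kim@adatum.com", False), gal))
    print(evaluate(opt2, Submission("203.0.113.5", "kim@adatum.com", False), gal))
```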

Internet Mail Wizard


In Exchange Server version 5.5, Internet Mail Wizard guided administrators through the process
of setting up Internet mail. Exchange 2003 implements a version of Internet Mail Wizard to help
you configure Internet mail connectivity with Exchange 2000 Server or Exchange Server 2003.
Internet Mail Wizard is intended primarily for small and medium companies with less complex
environments than large enterprise companies.
The wizard guides you through the process of configuring your Exchange server to send and
receive Internet mail. It creates the necessary SMTP connector for outgoing Internet mail and
configures your SMTP virtual server to accept incoming mail. If you already set up SMTP
connectors or created additional SMTP virtual servers on your Exchange server, you cannot run
Internet Mail Wizard unless you revert your server configuration to its default state.
Note
Internet Mail Wizard can only configure Internet mail for Exchange 2000 or later. If
you are running previous versions of Exchange, these servers can still send mail to or
receive mail from the Internet, but you cannot use Internet Mail Wizard to configure
them for Internet mail.

When Internet Mail Wizard runs, it creates a log file (Exchange Internet Mail Wizard.log) of all
the configuration changes it makes, including whether or not these changes were successful. The
wizard saves this log file to the My Documents folder of the user who runs the wizard.

The following sections explain how to use Internet Mail Wizard to:

• Configure an Exchange server to send Internet mail.


• Configure an Exchange server to receive Internet mail.
• Configure an Exchange server or servers to send and receive Internet mail.
• Configure a dual-homed Exchange server for Internet mail.

Configuring an Exchange Server to Send Internet Mail
Use the following procedure to configure Exchange to send Internet mail. When you configure
an Exchange server to send Internet mail, Internet Mail Wizard configures the selected server as
an outbound bridgehead server. It creates a connector on this server to send mail to the Internet
addresses you specify.

To run Internet Mail Wizard and configure your server to send Internet mail
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, right-click your Exchange organization, and then click Internet Mail
Wizard. The Welcome page appears (Figure 6.8).

Figure 6.8 The Welcome to the Internet Mail Wizard page


3. Click Next.

4. On the Prerequisites for Internet Mail page, read the requirements, ensure that you have
completed the tasks listed, and then click Next (Figure 6.9).

Figure 6.9 The Prerequisites for Internet Mail page


Your server must satisfy the following conditions:

• You have registered your company's SMTP domain or domains with an Internet
registrar.
• The Exchange server that you want to configure for Internet e-mail has an Internet IP
address assigned to it.
• DNS is correctly configured. Your DNS server must have a mail exchanger (MX) record
pointing to the Internet IP address of your Exchange server and your DNS server must
be able to resolve external Internet names.
Note
For information about how to configure DNS, see Microsoft Knowledge Base
article 315982, "HOW TO: Configure DNS Records for Your Web Site in
Windows 2000" (http://support.microsoft.com/?kbid=315982).

5. On the Server Selection page, in the Server list, select the Exchange server you want to
configure to send Internet e-mail (Figure 6.10).

Figure 6.10 The Server Selection page


Note
Only servers running Exchange 2000 Server and later are available for selection.
As stated earlier, you cannot run the wizard on earlier versions of Exchange.

As noted on the Server Selection page, you cannot run Internet Mail Wizard if any of the
following conditions exist on your server:

• Your server is part of a Microsoft Windows® cluster.


• Your server is part of a Network Load Balancing cluster.
• Your server has multiple network interface cards configured with separate networks in
which IP routing is enabled between the networks.
6. Click Next.

7. On the Wizard in Progress page, Internet Mail Wizard checks your server configuration to
ensure that the server meets all necessary prerequisites. After the wizard checks these
conditions, the results display under Report (Figure 6.11).

Figure 6.11 The Wizard in Progress page


Select the appropriate option:

• If your server meets the necessary conditions, click Next.


• If your server does not meet the necessary conditions, review the report, and then click
Back to select another server, or click Cancel to exit the wizard.

8. On the Internet E-mail Functions page, you can specify whether you want this server to
send Internet e-mail, receive Internet e-mail, or send and receive Internet e-mail. To
configure your server to send Internet mail, select the Send Internet e-mail check box
(Figure 6.12).

Figure 6.12 The Internet E-mail Functions page


Note
When using Internet Mail Wizard to configure your Exchange server to send
outgoing Internet mail, the server cannot already be configured as a bridgehead
for any SMTP connectors in the Exchange organization.

9. Click Next.

10. On the Outbound Bridgehead Server page, under SMTP virtual server, ensure that the
Exchange server and SMTP virtual server designated as the bridgehead are displayed
(Figure 6.13). By default, the Internet Mail Wizard creates an SMTP connector on this server
with the address space that you specify so that all mail destined to this address space is
routed through this connector.

Figure 6.13 The Outbound Bridgehead Server page


11. Click Next.
12. If the Open Relay Configuration page displays, your server is configured to allow open
relay (Figure 6.14). With open relaying, external users can use your server to send
unsolicited commercial mail, which may result in other legitimate servers blocking mail
from your Exchange server.
Note
This page displays only if your SMTP virtual server is configured to allow open
relay. If your SMTP virtual server does not allow open relay, this page does not
display.

Figure 6.14 The Open Relay Configuration page


13. Click Disable open relay to secure your server, and then click Next.
14. On the Outbound Mail Configuration page (Figure 6.15), select one of the following
options to configure how you want Exchange to send outgoing Internet mail:
• Click Use domain name system (DNS) to send mail if you want Exchange to use DNS
to resolve all Internet addresses and then send mail.
• Click Yes if your DNS server can resolve Internet addresses.
• Click No if your DNS server cannot resolve Internet (external) addresses.


The wizard then guides you through the process of configuring an external DNS server
that your SMTP virtual server will use to resolve external addresses.

• Click Route all mail through the following smart host if you want to send mail to a
smart host that assumes responsibility for DNS resolution and mail delivery. Then, in
the Host name or IP address of the smart host box, type either a fully qualified
domain name or an IP address for the smart host.

Figure 6.15 The Outbound Mail Configuration page


15. Click Next.
16. Select one of the following options:
• If you configured Exchange to use a smart host to send outbound mail, proceed to Step
19.
• If you configured Exchange to use DNS for outbound mail and your DNS server can
resolve Internet addresses, proceed to Step 19.
• If you configured Exchange to use DNS and the DNS server Exchange uses cannot
resolve Internet addresses, proceed to Step 17.
17. On the External Domain Name System (DNS) page (Figure 6.16), configure your SMTP
virtual server to use an external DNS server: Click Add, and then, in Enter an IP address,
type the IP address of the external DNS server you want to use.
Important
The external DNS server must have the ability to resolve external or Internet
addresses.

Figure 6.16 The External Domain Name System (DNS) page


18. Click Next.
19. On the Outbound SMTP Domain Restrictions page (Figure 6.17), select from the
following options to specify whether you want to send Internet e-mail to all external
addresses or restrict delivery to a specified set of domains:
• Click Allow delivery to all e-mail domains to allow outbound Internet mail for all
external domains.
• Click Restrict delivery to the following e-mail domain(s) to restrict outbound
Internet mail to specific domains, and then click Add to enter the domain to which you
want to allow mail. If you want to enter a specific domain, type the domain name, for
example example.com. If you want to allow e-mail to all domains with a specific
extension, for example .edu, type *.edu.
Important
Do not precede the domain name with the at sign (@).
Figure 6.17 The Outbound SMTP Domain Restrictions page


20. Click Next.
21. The Configuration Summary page displays the configuration options you selected, as well
as the location of the Internet mail log file where the configuration settings will be saved
(Figure 6.18). Review these options carefully.

Figure 6.18 The Configuration Summary page


22. Click Next to start the configuration.
23. When the Completing the Internet Mail Wizard page displays, select the View detailed
report when this wizard closes check box to view the log file, and then click Finish
(Figure 6.19).
Note
Internet Mail Wizard writes the log file to the My Documents folder of the user
running the wizard. The exact location displays on the Completing the
Internet Mail Wizard page.

Figure 6.19 The Completing the Internet Mail Wizard page
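The Outbound SMTP Domain Restrictions page (Step 19) describes the address spaces the wizard puts on the SMTP connector: an exact domain such as example.com, a wildcard such as *.edu, or all domains. The following added example, which is not part of the Exchange documentation or product, models that check so a planned restriction list can be tested against sample recipients before the connector is created; the exact-match and suffix-match semantics, and all names and sample addresses, are assumptions drawn from the page's description.

```python
"""Model of the address-space check behind the Outbound SMTP Domain
Restrictions page.  Added example, not Exchange code: the exact-match and
"*.edu" suffix semantics are an assumption drawn from the page's wording."""
from dataclasses import dataclass, field

CATCH_ALL = "*"  # what "Allow delivery to all e-mail domains" amounts to


@dataclass
class OutboundRestriction:
    """Address spaces the wizard places on the SMTP connector it creates."""
    allow_all: bool = False
    domains: list = field(default_factory=list)


def normalize_entry(entry: str) -> str:
    """Validate one domain entry as typed on the wizard page and return it
    lower-cased.  Raises ValueError for entries the page warns against,
    most importantly a domain preceded by the at sign."""
    e = entry.strip().lower()
    if not e:
        raise ValueError("empty domain entry")
    if e.startswith("@"):
        raise ValueError(f"do not precede the domain name with '@': {entry!r}")
    if "@" in e or "/" in e or " " in e:
        raise ValueError(f"not a domain name: {entry!r}")
    if e == CATCH_ALL:
        return e
    body = e[2:] if e.startswith("*.") else e   # "*.edu" -> "edu"
    labels = body.split(".")
    if "*" in body or not all(lbl and lbl.replace("-", "").isalnum() for lbl in labels):
        raise ValueError(f"malformed domain entry: {entry!r}")
    return e


def build_restriction(allow_all: bool, entries=()) -> OutboundRestriction:
    """Build the restriction list, rejecting malformed entries up front so the
    connector never gets an address space that silently matches nothing."""
    return OutboundRestriction(allow_all, [normalize_entry(x) for x in entries])


def recipient_domain(address: str) -> str:
    """Domain part of an SMTP address, the value the address-space match uses."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an SMTP address: {address!r}")
    return domain.lower()


def delivery_allowed(restriction: OutboundRestriction, address: str) -> bool:
    """True if the connector's address spaces cover the recipient's domain.
    Assumed rules: an exact entry matches only that domain, "*.edu" matches
    any domain ending in ".edu", and "*" matches everything."""
    if restriction.allow_all:
        return True
    domain = recipient_domain(address)
    for entry in restriction.domains:
        if entry == CATCH_ALL:
            return True
        if entry.startswith("*."):
            if domain.endswith(entry[1:]):   # "*.edu" -> suffix ".edu"
                return True
        elif domain == entry:
            return True
    return False


def blocked_recipients(restriction: OutboundRestriction, addresses) -> list:
    """Recipients the connector would refuse, for checking a planned
    restriction list against a sample of real outbound traffic."""
    return [a for a in addresses if not delivery_allowed(restriction, a)]


if __name__ == "__main__":
    # Constructed sample: restrict outbound mail to one partner and all .edu domains.
    policy = build_restriction(False, ["example.com", "*.edu"])
    sample = ["alice@example.com", "bob@cs.state.edu", "carol@example.org"]
    print(blocked_recipients(policy, sample))   # ['carol@example.org']
```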

Configuring an Exchange Server to Receive Internet Mail
Use the following procedure to configure Exchange to receive Internet mail. After you run
Internet Mail Wizard, the Exchange server will accept all Internet mail for the SMTP domains
that you specify.

To run Internet Mail Wizard and configure your server to receive Internet mail
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, right-click your Exchange organization, and click Internet Mail
Wizard. The Welcome to the Internet Mail Wizard page appears (Figure 6.20).

Figure 6.20 The Welcome to the Internet Mail Wizard page


3. Click Next.
4. On the Prerequisites for Internet Mail page, read the requirements, ensure that you have
completed the tasks listed, and then click Next (Figure 6.21).

Figure 6.21 The Prerequisites for Internet Mail page


Your server must satisfy the following conditions:

• You have registered your company's SMTP domain or domains with an Internet
registrar.
• The Exchange server that you want to configure for Internet e-mail has an Internet IP
address assigned to it.
• DNS is correctly configured. Your DNS server must have a mail exchanger (MX) record
pointing to the Internet IP address of your Exchange server and your DNS server must
be able to resolve external Internet names.
Note
For information about how to configure DNS, see Microsoft Knowledge Base
article 315982, "HOW TO: Configure DNS Records for Your Web Site in
Windows 2000" (http://support.microsoft.com/?kbid=315982).

5. On the Server Selection page, under Server, select the Exchange server you want to
configure to receive Internet e-mail (Figure 6.22).

Figure 6.22 The Server Selection page


Note
Only servers running Exchange 2000 Server and later are available for selection.
As stated earlier, you cannot run the wizard on earlier versions of Exchange.
As noted on the Server Selection page, you cannot run Internet Mail Wizard if any of the
following conditions exist on your server:

• Your server is part of a Windows cluster.


• Your server is part of a Network Load Balancing cluster.
• Your server has multiple network interface cards configured with separate networks in
which IP routing is enabled between the networks.
6. Click Next.
7. On the Wizard in Progress page, Internet Mail Wizard checks your server configuration to
ensure that the server meets all necessary prerequisites. After the wizard checks these
conditions, the results display under Report (Figure 6.23).

Figure 6.23 The Wizard in Progress page


Select the appropriate option:

• If your server meets the necessary conditions, click Next.


• If your server does not meet the necessary conditions, review the report, and then click
Back to select another server, or click Cancel to exit the wizard.
8. On the Internet E-mail Functions page, you can specify whether you want this server to
send Internet e-mail, receive Internet e-mail, or send and receive Internet e-mail. To
configure your server to receive Internet mail, select the Receive Internet e-mail check box
(Figure 6.24).

Figure 6.24 The Internet E-mail Functions page


Note
To receive incoming Internet e-mail, the server must have only one SMTP virtual
server with a default IP address of "All Unassigned" and an assigned TCP port of
25. The default IP address is the address on which the SMTP virtual server listens
on port 25 for incoming SMTP connections. A value of "All Unassigned" means
that the SMTP virtual server listens on any of the available IP addresses. If more
than one SMTP virtual server exists on the Exchange server, or if the IP
information or TCP port assignments are different, the wizard will not continue.
However, you can restore the Exchange server to its default configuration and
rerun the wizard, or you can use Exchange System Manager to configure
Exchange manually.

9. Click Next.
10. To accept Internet mail, your SMTP virtual server must allow anonymous access. If your
server is not configured to allow anonymous access, the Anonymous Access Configuration
page displays (Figure 6.25). If this page displays, leave the default option, Enable
anonymous access, so your server can accept incoming mail from the Internet.
Note
This page displays only if your SMTP virtual server is not configured to allow
anonymous access. If your SMTP virtual server allows anonymous access, this
page does not display.

Figure 6.25 The Anonymous Access Configuration page


11. Click Next.
12. On the SMTP Domains for Inbound Mail page, under SMTP domains, all the existing
domains in your Exchange organization are displayed (Figure 6.26). Ensure that all the
SMTP domains for which you want to accept Internet mail are displayed.
The address displayed in bold is the primary SMTP address. This address displays as the
return address on your users' outgoing mail.
The SMTP domains for which you want to receive Internet mail are configured in Exchange
System Manager in Recipient Policies. You must have a recipient policy configured for
every SMTP domain for which you want to accept Internet mail, and Exchange must be
authoritative for this domain. If you created multiple recipient policies in Exchange System
Manager, you cannot use the wizard to create additional recipient policies. In this case, if
you need to add or modify recipient policies, you must use Exchange System Manager.

Figure 6.26 The SMTP Domains for Inbound Mail page


13. Select from the following options:
• If all the SMTP domains for which you want to accept incoming Internet mail are listed,
click Next.
• If you have not modified your recipient policies and an SMTP domain for which you
want to receive Internet mail does not display, click Add, and then add the proper SMTP
domain. Click Set as From Address if you want this address to display as your users'
return address on their outgoing e-mail.
• If you created multiple recipient policies in Exchange System Manager and an SMTP
domain for which you want to receive Internet mail does not exist, exit the wizard, and
then use Exchange System Manager to create or edit a recipient policy for the SMTP
domain and make it authoritative. To ensure an SMTP domain is authoritative, on your
recipient policy, edit or create the SMTP address, and then click the This Exchange
Organization is responsible for all mail delivery to this address check box in SMTP
Address Properties.
14. If the Open Relay Configuration page displays, your server is configured to allow open
relay (Figure 6.27). With open relaying, external users can use your server to send
unsolicited commercial mail, which may result in other legitimate servers blocking mail
from your Exchange server.
Note
This page displays only if your SMTP virtual server is configured to allow open
relay. If your SMTP virtual server does not allow open relay, this page does not
display.

Figure 6.27 The Open Relay Configuration page


15. Click Disable open relay to secure your server, and then click Next.
16. The Configuration Summary page displays the configuration options you selected, as well
as the location of the Internet mail log file where the configuration settings will be saved
(Figure 6.28). Review these options carefully.

Figure 6.28 The Configuration Summary page


17. Click Next to start the configuration.
18. When the Completing the Internet Mail Wizard page displays, select the View detailed
report when this wizard closes check box to view the log file, and then click Finish
(Figure 6.29).
Note
Internet Mail Wizard writes the log file to the My Documents folder of the user
running the wizard. The exact location displays on the Completing the
Internet Mail Wizard page.

Figure 6.29 The Completing the Internet Mail Wizard page

Configuring an Exchange Server to Send and Receive Internet Mail
Use the following procedure to configure an Exchange server to send and receive Internet mail.
After you run Internet Mail Wizard, the Exchange server will send and receive all Internet mail
according to the configuration you specify.

To run the Internet Mail Wizard and configure your server to send and receive Internet mail
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, right-click your Exchange organization, and then click Internet Mail
Wizard. The Welcome to the Internet Mail Wizard page appears (Figure 6.30).

Figure 6.30 The Welcome to the Internet Mail Wizard page


3. Click Next.
4. On the Prerequisites for Internet Mail page, read the requirements, ensure that you have
completed the tasks listed, and then click Next (Figure 6.31).

Figure 6.31 The Prerequisites for Internet Mail page


Your server must satisfy the following conditions:

• You have registered your company's SMTP domain or domains with an Internet
registrar.
• The Exchange server that you want to configure for Internet e-mail has an Internet IP
address assigned to it.
• DNS is correctly configured. Your DNS server must have a mail exchanger (MX) record
pointing to the Internet IP address of your Exchange server and your DNS server must
be able to resolve external Internet names.
Note
For information about how to configure DNS, see Microsoft Knowledge Base
article 315982 "HOW TO: Configure DNS Records for Your Web Site in
Windows 2000" (http://support.microsoft.com/?kbid=315982).

5. On the Server Selection page, under Server, select the Exchange server that you want to
configure to send and receive Internet e-mail (Figure 6.32).

Figure 6.32 The Server Selection page


Note
Only servers running Exchange 2000 Server and later are available for selection.
As stated earlier, you cannot run the wizard on earlier versions of Exchange.
As noted on the Server Selection page, you cannot run Internet Mail Wizard if any of the
following conditions exist on your server:

• Your server is part of a Windows cluster.


• Your server is part of a Network Load Balancing cluster.
• Your server has multiple network interface cards configured with separate networks in
which IP routing is enabled between the networks.
6. Click Next.
7. On the Wizard in Progress page, Internet Mail Wizard checks your server configuration to
ensure that the server meets all necessary prerequisites. After the wizard checks these
conditions, the results display under Report (Figure 6.33).

Figure 6.33 The Wizard in Progress page


Select the appropriate option:

• If your server meets the necessary conditions, click Next.


• If your server does not meet the necessary requirements, review the report, and then
click Back to select another server, or click Cancel to exit the wizard.
8. On the Internet E-mail Functions page, you can specify whether you want the server to
send Internet e-mail, receive Internet e-mail, or send and receive Internet e-mail
(Figure 6.34). To configure your server to send and receive e-mail, select both the Receive
Internet e-mail and Send Internet e-mail check boxes. The wizard creates an SMTP
connector so you can send mail to all external addresses or to specified addresses.

Figure 6.34 The Internet E-mail Functions page


Important
To receive incoming Internet e-mail, the server must have only one SMTP virtual
server with a default IP address of "All Unassigned" and an assigned TCP port of
25. The default IP address is the address on which the SMTP virtual server listens
on port 25 for incoming SMTP connections. A value of "All Unassigned" means
that the SMTP virtual server listens on any of the available IP addresses. If more
than one SMTP virtual server exists on the Exchange server, or if the IP
information or the TCP port assignments are different, the wizard will not
continue. However, you can restore the Exchange server to its default
configuration and rerun the wizard, or you can use Exchange System Manager to
configure Exchange manually.
To send outgoing Internet e-mail, the Exchange server cannot already be
configured as a bridgehead for any SMTP connectors in the Exchange
organization.

9. Click Next.
10. To accept Internet mail, your SMTP virtual server must allow anonymous access. If your
server is not configured to allow anonymous access, the Anonymous Access Configuration
page displays (Figure 6.35). If this page displays, leave the default option, Enable
anonymous access, so your server can accept incoming mail from the Internet.
Note
This page displays only if your SMTP virtual server is not configured to allow
anonymous access. If your SMTP virtual server allows anonymous access, this
page does not display.

Figure 6.35 The Anonymous Access Configuration page


11. Click Next.
12. On the SMTP Domains for Inbound Mail page, under SMTP domains, all the existing
domains in your Exchange organization are displayed (Figure 6.36). Ensure that all the
SMTP domains for which you want to accept Internet mail are displayed.
The address displayed in bold is the primary SMTP address and this address displays as the
return address on your users' outgoing mail.
The SMTP domains for which you want to receive Internet mail are configured in Exchange
System Manager in Recipient Policies. You must have a recipient policy configured for
every SMTP domain for which you want to accept Internet mail and Exchange must be
authoritative for this domain.
If you have created multiple recipient policies in Exchange System Manager, you cannot use
the wizard to create additional recipient policies. In this case, if you need to add or modify
your recipient policies, you must use Exchange System Manager.

Figure 6.36 The SMTP Domains for Inbound Mail page


13. Select from the following options:
• If all the SMTP domains for which you want to accept incoming Internet mail are listed,
click Next.
• If you have not modified your recipient policies and an SMTP domain for which you
want to receive Internet mail is not displayed, click Add, and then add the proper SMTP
domain. Click Set as From Address if you want this address to display as your users'
return address on their outgoing e-mail.
• If you created multiple recipient policies in Exchange System Manager and an SMTP
domain for which you want to receive Internet mail does not exist, exit the wizard, and
then use Exchange System Manager to create or edit a recipient policy for the SMTP
domain and make it authoritative. To ensure an SMTP domain is authoritative, on your
recipient policy, edit or create the SMTP address, and then click the This Exchange
Organization is responsible for all mail delivery to this address check box in SMTP
Address Properties.
14. On the Outbound Bridgehead Server page, ensure that the Exchange server and SMTP
virtual server designated as the bridgehead are displayed (Figure 6.37). Internet Mail Wizard
will create an SMTP connector on this server with the address space of *, so that all mail
destined to Internet addresses is routed through this connector.

Figure 6.37 The Outbound Bridgehead Server page


15. Click Next.
16. If the Open Relay Configuration page displays, your server is configured to allow open
relay (Figure 6.38). With open relaying, external users can use your server to send
unsolicited commercial mail, which may result in other legitimate servers blocking mail
from your Exchange server.
Note
This page displays only if your SMTP virtual server is configured to allow open
relay. If your SMTP virtual server does not allow open relay, this page does not
display.
Figure 6.38 The Open Relay Configuration page


17. Click Disable open relay to secure your server, and then click Next.
18. On the Outbound Mail Configuration page (Figure 6.39), select one of the following
options to configure how you want Exchange to send outgoing Internet mail:
• Click Use domain name system (DNS) to send mail if you want Exchange to use DNS
to resolve all Internet addresses and then send mail.
• Click Yes if your DNS server can resolve Internet addresses.
• Click No if your DNS server cannot resolve Internet (external) addresses. The wizard
then guides you through the process of configuring an external DNS server that your
SMTP virtual server will use to resolve external addresses.
• Click Route all mail through the following smart host if you want to send mail to a
smart host that assumes responsibility for DNS resolution and mail delivery. Then, in
the Host name or IP address of the smart host box, type either a fully qualified
domain name or an IP address for the smart host.

Figure 6.39 The Outbound Mail Configuration page


19. Click Next.
20. Select one of the following options:
• If you configured Exchange to use a smart host to send outbound mail, proceed to
Step 23.
• If you configured Exchange to use DNS for outbound mail and your DNS server can
resolve Internet addresses, proceed to Step 23.
• If you configured Exchange to use DNS, and the DNS server Exchange uses cannot
resolve Internet addresses, proceed to Step 21.
21. On the External Domain Name System (DNS) page (Figure 6.40), configure your SMTP
virtual server to use an external DNS server: Click Add, and then, in Enter an IP address,
type the IP address of the external DNS server you want to use.
Important
The external DNS server must have the ability to resolve external or Internet
addresses.

Figure 6.40 The External Domain Name System (DNS) page


22. Click Next.
23. On the Outbound SMTP Domain Restrictions page (Figure 6.41), select from the
following options to specify whether you want to send Internet e-mail to all external
addresses or restrict delivery to a specified set of domains:
• Click Allow delivery to all e-mail domains to allow outbound Internet mail for all
external domains.
• Click Restrict delivery to the following e-mail domain(s) to restrict outbound
Internet mail to specific domains, and then click Add to enter the domain to which you
want to allow mail. If you want to enter a specific domain, type the domain name, for
example example.com. If you want to allow e-mail to all domains with a specific
extension, for example .edu, type *.edu.
Important
Do not precede the domain name with the at sign (@).

Figure 6.41 The Outbound SMTP Domain Restrictions page


24. Click Next.
25. The Configuration Summary page displays the configuration options you selected, as well
as the location of the Internet mail log file where the configuration settings will be saved
(Figure 6.42). Review these options carefully.

Figure 6.42 The Configuration Summary page


26. Click Next to start the configuration.
27. When the Completing the Internet Mail Wizard page displays, select the View detailed
report when this wizard closes check box to view the log file, and then click Finish
(Figure 6.43).
Note
Internet Mail Wizard writes the log file to the My Documents folder of the user
running the wizard. The exact location displays on the Completing the
Internet Mail Wizard page.

Figure 6.43 The Completing the Internet Mail Wizard page
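The Important notes in the receive and the send-and-receive procedures state the conditions under which the wizard refuses to continue (one SMTP virtual server, "All Unassigned", TCP port 25, not already a connector bridgehead), the pages it shows only when anonymous access is off or open relay is on, and the recipient-policy requirement that Exchange be authoritative for every inbound domain. The following added example, which is not part of the Exchange documentation or product, models those checks over a constructed configuration; the SmtpVirtualServer and SmtpAddressPolicy fields and all sample values are assumptions, not Exchange's own object model.

```python
"""Model of the pre-flight checks Internet Mail Wizard applies before it will
configure a server to receive (and send) Internet mail.  Added example, not
Exchange code: the dataclass fields are a constructed representation of the
settings the page names, not Exchange's object model."""
from dataclasses import dataclass, replace

ALL_UNASSIGNED = "All Unassigned"
SMTP_PORT = 25


@dataclass(frozen=True)
class SmtpVirtualServer:
    name: str
    ip_address: str            # ALL_UNASSIGNED or one specific IP address
    tcp_port: int
    anonymous_access: bool     # needed to accept mail from Internet servers
    open_relay: bool           # True if anyone may relay through this server
    connector_bridgehead: bool = False  # already a bridgehead for an SMTP connector


@dataclass(frozen=True)
class SmtpAddressPolicy:
    domain: str
    authoritative: bool        # "This Exchange Organization is responsible for all mail delivery to this address"
    primary: bool = False      # shown in bold; the return address on outgoing mail


def receive_blockers(servers: list) -> list:
    """Conditions under which the wizard will not continue for a server that is
    to receive Internet mail: exactly one SMTP virtual server, listening on
    All Unassigned, on TCP port 25."""
    issues = []
    if len(servers) != 1:
        issues.append(f"expected exactly one SMTP virtual server, found {len(servers)}")
    for vs in servers:
        if vs.ip_address != ALL_UNASSIGNED:
            issues.append(f"{vs.name}: IP address is {vs.ip_address!r}, not {ALL_UNASSIGNED!r}")
        if vs.tcp_port != SMTP_PORT:
            issues.append(f"{vs.name}: TCP port is {vs.tcp_port}, not {SMTP_PORT}")
    return issues


def send_blockers(vs: SmtpVirtualServer) -> list:
    """The one sending precondition the page gives: the server cannot already
    be a bridgehead for an SMTP connector in the organization."""
    if vs.connector_bridgehead:
        return [f"{vs.name}: already a bridgehead for an SMTP connector"]
    return []


def conditional_pages(vs: SmtpVirtualServer, receive: bool) -> list:
    """Wizard pages that appear only when the current settings need changing."""
    pages = []
    if receive and not vs.anonymous_access:
        pages.append("Anonymous Access Configuration")
    if vs.open_relay:
        pages.append("Open Relay Configuration")
    return pages


def apply_wizard_defaults(vs: SmtpVirtualServer, receive: bool) -> SmtpVirtualServer:
    """Settings left behind when you accept the wizard's recommendations:
    anonymous access enabled for inbound mail, open relay disabled."""
    return replace(vs,
                   anonymous_access=True if receive else vs.anonymous_access,
                   open_relay=False)


def exposure_summary(vs: SmtpVirtualServer) -> str:
    """One-line reading of what the virtual server accepts from the Internet."""
    if vs.open_relay:
        return "accepts mail for any domain from anyone (open relay)"
    if vs.anonymous_access:
        return "accepts mail from anyone, for authoritative domains only"
    return "accepts mail from authenticated senders only (Internet mail refused)"


def inbound_domains(policies: list) -> list:
    """Domains the server will accept Internet mail for: only those for which
    Exchange is authoritative, with the primary (return-address) domain first."""
    accepted = [p for p in policies if p.authoritative]
    return [p.domain for p in sorted(accepted, key=lambda p: not p.primary)]


if __name__ == "__main__":
    # Constructed sample: the default virtual server, but with open relay still on.
    default_vs = SmtpVirtualServer("Default SMTP Virtual Server", ALL_UNASSIGNED,
                                   25, anonymous_access=True, open_relay=True)
    print(receive_blockers([default_vs]))                # []
    print(conditional_pages(default_vs, receive=True))   # ['Open Relay Configuration']
    print(exposure_summary(apply_wizard_defaults(default_vs, receive=True)))
```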

Configuring a Dual-Homed Exchange Server for Internet Mail
Use the following procedure to configure a dual-homed Exchange server with two SMTP virtual
servers to send and receive Internet mail. After you run Internet Mail Wizard, the Exchange
server will send and receive all Internet mail according to the configuration you specify.

To run the Internet Mail Wizard on a dual-homed server


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, right-click your Exchange organization, and then click Internet Mail
Wizard. The Welcome to the Internet Mail Wizard page appears (Figure 6.44).

Figure 6.44 The Welcome to the Internet Mail Wizard page


3. Click Next.
4. On the Prerequisites for Internet Mail page, read the requirements, ensure that you have
performed the tasks listed, and then click Next (Figure 6.45).

Figure 6.45 The Prerequisites for Internet Mail page


Your server must satisfy the following conditions:

• You have registered your company's SMTP domain or domains with an Internet
registrar.
• The Exchange server that you want to configure for Internet e-mail has an Internet IP
address assigned to it.
• DNS is correctly configured. Your DNS server must have a mail exchanger (MX) record
pointing to the Internet IP address of your Exchange server and your DNS server must
be able to resolve external Internet names.
Note
For information about how to configure DNS, see Microsoft Knowledge Base
article 315982, "HOW TO: Configure DNS Records for Your Web Site in
Windows 2000" (http://support.microsoft.com/?kbid=315982).

5. On the Server Selection page, under Server, select the Exchange server that you want to
configure to send and receive Internet e-mail (Figure 6.46).

Figure 6.46 The Server Selection page


Note
Only servers running Exchange 2000 Server and later are available for selection.
As stated earlier, you cannot run the wizard on earlier versions of Exchange.

As noted on the Server Selection page, you cannot run Internet Mail Wizard if any of the
following conditions exist on your server:

• Your server is part of a Windows cluster.


• Your server is part of a Network Load Balancing cluster.
• Your server has multiple network interface cards configured with separate networks in
which IP routing is enabled between the networks.
6. Click Next.
7. On the Wizard in Progress page, Internet Mail Wizard checks your server configuration to
ensure that the server meets all necessary prerequisites. After the wizard checks these
conditions, the results display under Report (Figure 6.47).

Figure 6.47 The Wizard in Progress page


Select the appropriate option:

• If your server meets the necessary conditions, click Next.


• If your server does not meet the necessary requirements, review the report, and then
click Back to select another server, or click Cancel to exit the wizard.
8. On the Internet E-mail Functions page, you can specify whether you want this server to
send Internet e-mail, receive Internet e-mail, or send and receive Internet e-mail
(Figure 6.48). To configure your server to send and receive e-mail, select both the Receive
Internet e-mail and Send Internet e-mail check boxes. The wizard creates an SMTP
connector so you can send mail to all external addresses or to specified addresses.

Figure 6.48 The Internet E-mail Functions page


Important
To receive incoming Internet e-mail, the server must have only one SMTP virtual
server with a default IP address of "All Unassigned" and an assigned TCP port of
25. The default IP address is the address on which the SMTP virtual server listens
on port 25 for incoming SMTP connections. A value of "All Unassigned" means
that the SMTP virtual server listens on any of the available IP addresses. If more
than one SMTP virtual server exists on the Exchange server, or if the IP
information or the TCP port assignments are different, the wizard will not
continue. However, you can restore the Exchange server to its default
configuration and rerun the wizard, or you can use Exchange System Manager to
configure Exchange manually.
To send outgoing Internet e-mail, the Exchange server cannot already be
configured as a bridgehead for any SMTP connectors in the Exchange
organization.

9. Click Next.
10. On the Configure Your Server page, under Configure the dual-homed Internet gateway
topology, click Yes to configure a dual-homed gateway server (Figure 6.49). Internet Mail
Wizard then configures one SMTP virtual server to accept incoming mail using the Internet
IP address and a second SMTP virtual server to send mail using an intranet IP address.
Note
To configure a server as a dual-homed gateway, your server must have static IP
addresses assigned to each network interface card. Otherwise, the Yes button is
unavailable.

Figure 6.49 The Configure Your Server page


11. Click Next.
12. On the Create two SMTP virtual servers page, create two SMTP virtual servers and assign
each one the proper IP address (Figure 6.50).

Figure 6.50 The Create Two SMTP virtual servers page


Select the correct IP addresses for each SMTP virtual server:

• In the Internet SMTP virtual server IP list, assign an Internet IP address to the SMTP
virtual server that accepts incoming Internet e-mail. To send mail to your users, external
SMTP servers must be able to connect to your SMTP virtual server that accepts
incoming Internet mail; therefore you must assign an Internet IP address to your SMTP
virtual server.
• In the Default SMTP virtual server IP (Intranet IP) list, assign an intranet IP to the
SMTP virtual server that sends Internet mail. You must assign an intranet IP address to
this server to allow only your authenticated internal users to send Internet mail using the
SMTP virtual server.
13. Click Next.
14. On the SMTP Domains for Inbound Mail page, under SMTP domains, all the existing
recipient policies for SMTP addresses configured in your Exchange organization are
displayed (Figure 6.51). Ensure that all the SMTP domains for which you want to accept
Internet mail are displayed.
The address displayed in bold is the primary SMTP address, and this address displays as the
return address on your users' outgoing mail.
The SMTP domains for which you want to receive Internet mail are configured in Exchange
System Manager in Recipient Policies. You must have a recipient policy configured for
every SMTP domain for which you want to accept Internet mail, and Exchange must be
authoritative for this domain.
If you created multiple recipient policies in Exchange System Manager, you cannot use the
wizard to create additional recipient policies. In this case, if you need to add or modify your
recipient policies, you must use Exchange System Manager.

Figure 6.51 The SMTP Domains for Inbound Mail page


15. Select from the following options:
• If all the SMTP domains for which you want to accept incoming Internet mail
are listed, click Next.
• If you have not modified your recipient policies and an SMTP domain for which you
want to receive Internet mail is not displayed, click Add, and then add the proper SMTP
domain. Click Set as From Address if you want this address to display as your users'
return address on their outgoing e-mail.
• If you created multiple recipient policies in Exchange System Manager and an SMTP
domain for which you want to receive Internet mail does not exist, exit the wizard, and
then create or edit a recipient policy for the SMTP domain and make it authoritative. To
ensure an SMTP domain is authoritative, on your recipient policy, edit or create the
SMTP address, and then click the This Exchange Organization is responsible for all
mail delivery to this address check box in SMTP Address Properties.
198 What's New in Exchange Server 2003

16. On the Outbound Bridgehead Server page, under SMTP virtual server, ensure that the
Exchange server and SMTP virtual server designated as the bridgehead are displayed
(Figure 6.52). By default, the Internet Mail Wizard creates an SMTP connector on this server
with an address space of *, so that all mail destined to Internet addresses is routed through
this connector.

Figure 6.52 The Outbound Bridgehead Server page



17. If the Open Relay Configuration page displays, your server is configured to allow open
relay (Figure 6.53). With open relaying, external users can use your server to send
unsolicited commercial mail, which may result in other legitimate servers blocking mail
from your Exchange server.
Note
This page displays only if your SMTP virtual server is configured to allow open
relay. If your SMTP virtual server does not allow open relay, this page does not
display.

Figure 6.53 The Open Relay Configuration page


18. Click Disable open relay to secure your server, and then click Next.
19. On the Outbound Mail Configuration page (Figure 6.54), select one of the following
options to configure how you want Exchange to send outgoing Internet mail:
• Click Use domain name system (DNS) to send mail if you want Exchange to use DNS
to resolve all Internet addresses and then send mail.
• Click Yes if your DNS server can resolve Internet addresses.

• Click No if your DNS server cannot resolve Internet (external) addresses. The wizard
then guides you through the process of configuring an external DNS server that your
SMTP virtual server will use to resolve external addresses.
• Click Route all mail through the following smart host if you want to send mail to a
smart host that assumes responsibility for DNS resolution and mail delivery. Then, in
the Host name or IP address of the smart host box, type either a fully qualified
domain name or an IP address for the smart host.

Figure 6.54 The Outbound Mail Configuration page


20. Click Next.
21. Select one of the following options:
• If you configured Exchange to use a smart host to send outbound mail, proceed to
Step 24.
• If you configured Exchange to use DNS for outbound mail, and your DNS server can
resolve Internet addresses, proceed to Step 24.
• If you configured Exchange to use DNS, and the DNS server Exchange uses cannot
resolve Internet addresses, proceed to Step 22.

22. On the External Domain Name System (DNS) page (Figure 6.55), configure your SMTP
virtual server to use an external DNS server: Click Add, and then, in Enter an IP address,
type the IP address of the external DNS server you want to use.
Important
The external DNS server must have the ability to resolve external or Internet
addresses.

Figure 6.55 The External Domain Name System (DNS) page


23. Click Next.
24. On the Outbound SMTP Domain Restrictions page (Figure 6.56), select from the
following options to specify whether you want to send Internet e-mail to all external
addresses or restrict delivery to a specified set of domains:
• Click Allow delivery to all e-mail domains to allow outbound Internet mail for all
external domains.

• Click Restrict delivery to the following e-mail domain(s) to restrict outbound
Internet mail to specific domains, and then click Add to enter the domain to which you
want to allow mail. If you want to enter a specific domain, type the domain name, for
example example.com. If you want to allow e-mail to all domains with a specific
extension, for example .edu, type *.edu.
Important
Do not precede the domain name with the at sign (@).

Figure 6.56 The Outbound SMTP Domain Restrictions page


25. Click Next.

26. The Configuration Summary page displays the configuration options you selected, as well
as the location of the Internet mail log file where the configuration settings will be saved
(Figure 6.57). Review these options carefully.

Figure 6.57 The Configuration Summary page


27. Click Next to start the configuration.

28. When the Completing the Internet Mail Wizard page displays, select the View detailed
report when this wizard closes check box to view the log file, and then click Finish
(Figure 6.58).
Note
Internet Mail Wizard writes the log file to the My Documents folder of the user
running the wizard. The exact location displays on the Completing the
Internet Mail Wizard page.

Figure 6.58 The Completing the Internet Mail Wizard page

DSN Diagnostic Logging and DSN Codes
In Exchange 2003, the following improvements have been made to delivery status notifications
(DSNs).

• A new DSN logging category is available.


• New DSN codes are included to help troubleshoot message flow issues.

Configuring DSN Diagnostic Logging


You can now configure diagnostic logging for DSNs, also known as non-delivery reports
(NDRs).

To configure diagnostic logging for DSN


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Servers.
3. Right-click the server you want, and then click Properties.
4. In <Server Name> Properties, click the Diagnostics Logging tab.
5. Under Services, click MSExchangeTransport.
6. Under Categories, click NDR.
7. Under Logging level, click None, Minimum, Medium, or Maximum. Click Maximum for
troubleshooting purposes.

DSN Codes Available in Exchange Server 2003
Table 6.1 lists the DSN messages implemented in Exchange 2003 for transport and routing.

Table 6.1 New delivery status notifications available in Exchange 2003

DSN code: 4.2.2
Cause: In Exchange 2000, this delivery status notification is generated when the recipient's
mailbox exceeds its storage limit.
On Windows 2000 and Microsoft Windows Server™ 2003, this message is generated when the storage
size of the drop directory (a directory where messages can be placed for delivery) exceeds the
SMTP virtual server disk quota. The disk quota of the SMTP virtual server is 11 times the
maximum message size on the virtual server. If no maximum size is specified, the disk quota
defaults to 22 MB. If the space used is within one maximum message size of the quota (within
2 MB of it when no maximum message size is defined), Exchange assumes that the incoming message
will exceed the disk quota and issues the DSN.
Solution: Check the mailbox storage quota and the queue storage quota limit.

DSN code: 4.4.9
Cause: This indicates a temporary routing error or bad routing configuration. Possible causes are:
• Someone configured an SMTP connector using DNS (rather than a smart host) and added a
non-SMTP address space, such as an X.400 address, to this connector.
• Someone created a routing group, and a recipient in this routing group was supposed to
receive mail. A routing group connector using DNS was used to bridge the routing group, and
then this administrative or routing group was removed. Therefore, any mail sent to this routing
group was sent in the MSGWIA.X500 format (the address encapsulation used for non-SMTP
addresses); DNS does not recognize this format.
Solution: Routing detects these situations, and Exchange returns DSNs.
• To remedy the first scenario, configure the SMTP connector to use a smart host, instead of
DNS, to resolve the non-SMTP address space.
• To remedy the second scenario, ensure that you moved all users in the removed administrative
group or routing group to a valid group.

DSN code: 5.3.0
Cause: Exchange 2003 can operate without the message transfer agent (MTA). If mail was
mistakenly sent to the MTA, Exchange returns this DSN to the sender. This condition is enforced
only if you have disabled the MTA service and used specific registry settings to disable the
MTA/StoreDriver. A default configuration strands the misrouted mail in the MTA queues.
Solution: Check your routing topology. Use the Winroute tool to ensure that the routes are
properly replicated between servers and routing groups.

DSN code: 5.7.1
Cause: General access denied, sender access denied. The sender of the message does not have the
privileges necessary to complete delivery. Possible causes include:
• The sender of the message does not have the privileges necessary to complete delivery.
• You are trying to relay your mail through another Exchange 2000 server, and the server does
not permit you to relay. The remote server returns a 5.7.1 code.
• The recipient may have mailbox delivery restrictions enabled (for example, if a recipient's
mailbox delivery restriction is configured to receive mail from a distribution list only,
non-members' mail is rejected, and this DSN code is returned).
• New in Exchange 2003: An anonymous user attempted to send mail to recipients or a
distribution list that accept mail only from an authenticated SMTP session.
Solution: Check system privileges and attributes for the contact and retry the message. Also, for
other potential known issues, ensure that you are running Exchange 2000 Service Pack 1 or later.
In Exchange 2003, check the permissions on the distribution list to see if it is a restricted
distribution list.

Moving the X.400 (MTA) and SMTP Queue Directory Locations
Exchange 2003 allows you to change the queue directory locations for SMTP virtual servers and
the X.400 protocol.

To move X.400 (MTA) queue data


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. Expand Servers, expand the server you want, expand Protocols, right-click X.400, and then
click Properties.

3. In X.400 Properties, under Message Queue Directory, click Modify (Figure 6.59).

Figure 6.59 The X.400 Properties dialog box


4. In Message Queue Directory, type the path where you want to store X.400 queue data
(Figure 6.60).

Figure 6.60 The Message Queue Directory dialog box


Note
When you modify the location of the X.400 queue directory, you are modifying
only the MTA database path and moving only the database files (.dat files); you
are not moving any of the run files or the run directory. The database files are
the core files required for starting the MTA, queue files, and message files.

To move SMTP queue data


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. Expand Servers, expand the server you want, expand Protocols, and then expand SMTP.
3. Right-click the SMTP virtual server whose queue directory you want to move, and then click
Properties.
4. In <SMTP Virtual Server> Properties, click the Messages tab (Figure 6.61).

Figure 6.61 The Messages tab


5. On the Messages tab, under Queue directory, click Browse, and then select a new location
for the queue data.

Connection Filtering
Exchange Server 2003 supports connection filtering based on block lists. Connection filtering
uses external services that list, by IP address, known sources of unsolicited e-mail, dial-up
user accounts, and servers open for relay. Connection filtering complements third-party content
filter products. This feature allows you to check an incoming IP address against a block list
provider's list for the categories you want to filter. If a match is found on the block list
provider's list, SMTP issues a "550 5.x.x" error in response to the RCPT TO command, and a
customized error response is issued to the sender. (The RCPT TO command is the SMTP command
that the connecting server issues to identify the intended message recipient.) Furthermore, you
can use several connection filters and prioritize the order in which each filter is applied.
With connection filtering, you can do the following:

• Set up connection filtering rules that check with a block list service provider for the
following:
• IP addresses of known senders of unsolicited commercial e-mail
• Servers configured for open relay
• Dial-up user account lists
• Configure global accept and deny lists. A global accept list is a list of IP addresses from
which you will always accept mail. A global deny list is a list of IP addresses from which
you will always deny mail. You can use global accept and deny lists with or without using a
block list service provider.
• Configure a recipient address as an exception to all connection-filtering rules. When mail
is sent to this address, it is automatically accepted, even if the sender appears on a block
list.

How Connection-Filtering Rules Work


When you create a connection-filtering rule, SMTP uses the rule to perform a DNS lookup against
the list published by a third-party block list service. The connection filter checks each
incoming IP address against that list. The block list provider returns one of two responses:

• host not found   Indicates that the IP address is not present on its block list.
• 127.0.0.x   A response status code indicating that a match for the IP address was found in
the list of offenders. The x varies, depending on your block list provider.
If the incoming IP address is found on the block list, SMTP returns a 550 5.x.x error in
response to the RCPT TO command.
You can customize the response that is returned to the sender. Additionally, because block list
providers usually contain different offender categories, you can specify the matches you want to
reject. Most block list providers screen for three types of offenders:

• Sources of unsolicited commercial e-mail. These lists are generated from scanning
unsolicited commercial e-mails and adding the source address to the list.
• Known open relay servers. These lists are calculated by identifying open relay SMTP servers
on the Internet. The most common reason for an open relay server is mis-configuration by
the system administrator.
• Dial-up user lists. These lists are created from either existing Internet service provider (ISP)
lists that contain IP addresses with dial-up access, or from inspection of addresses that
indicate a probable dial-up connection.

How Block List Providers Match Offending IP Addresses
After you set up your connection filter, when an e-mail message is sent to your organization,
Exchange contacts the block list provider. The provider checks for the existence of an A (host)
record in its DNS. Exchange queries for this information in a specific format. For example, if the
connecting address is 192.168.5.1, and the block list provider's organization is contoso.com, then
Exchange queries for the existence of the following record:

<reverse IP address of the connecting server>.<DNS suffix of the block list provider>  IN A  127.0.0.x

which, in this case, is a query for the record:

1.5.168.192.contoso.com

If this IP address is found on the provider's list, the provider returns a 127.0.0.x status code that
indicates an offending IP address and the type of offense. All block list providers return a
response code of 127.0.0.x, where x indicates the type of offense. This number varies, depending
on the block list provider.

Understanding Block List Provider Response Codes
As mentioned earlier, if a block list provider finds a match, the provider always returns a
status code of 127.0.0.x. The provider either assigns each category an explicit return code, or
encodes the categories as bits so that a single return code can carry several categories at
once (a bit mask). If your block list provider returns explicit values, you can simply specify
which values you want to filter against. However, if your block list provider returns a bit
mask, you must understand how a bit mask works to specify the matches you want to filter.
A bit mask tests whether particular bits are set in the last octet of the returned value.
Unlike a subnet mask, which selects a range of addresses, a bit mask selects entries in which
specific bits are set. Consider the following example.
For each match in its block list, assume a block list provider returns the status codes listed in
Table 6.2.

Table 6.2 Block list status code examples

Category                              Returned status code
Known source of unsolicited e-mail    127.0.0.3
Dial-up user account                  127.0.0.2
Known relay server                    127.0.0.4

However, if an IP address is a member of two lists, the block list provider adds the values of
the last octet. Therefore, if an IP address is on the list of known relay servers and the list
of known sources of unsolicited e-mail, the block list provider returns a status code of
127.0.0.7, where 7 is the combined value of the last octets returned for known sources of
unsolicited commercial e-mail (3) and known relay servers (4).
If you want to filter against only known sources of unsolicited commercial e-mail, enter a bit
mask value of 0.0.0.3; the block list then filters against any of the possible combined values
that include that category, in this case 127.0.0.3, 127.0.0.5, 127.0.0.7, and 127.0.0.9.
Table 6.3 lists the bit mask values associated with each of the example status codes.

Table 6.3 Block list status code and corresponding bit mask examples

Category                                      Returned status code   Bit mask
Known source of unsolicited e-mail            127.0.0.3              0.0.0.3
Dial-up user account                          127.0.0.2              0.0.0.2
Known relay server                            127.0.0.4              0.0.0.4
Known relay server and dial-up user account   127.0.0.6              0.0.0.6

In the last example ("Known relay server and dial-up user account"), the bit mask 0.0.0.6 returns
a match for an IP address only if it appears on both the known relay server and dial-up user
account lists. It does not return a match if the IP address appears on only one of the two lists. You
cannot use a bit mask to check for a single match in multiple lists.
Note
A bit mask checks only against a single value. If you set a bit mask value that is
returned when an IP address appears on two lists, the mask will match only IP
addresses that appear on both lists. If you want to check for an IP address on either
of two lists, enter the status codes for these settings.

Specifying Exceptions to the Connection Filter Rule
You can allow message delivery to specific recipients, regardless of whether the sender appears
on a block list. This is useful if you want to allow legitimate organizations to communicate
with your administrators by contacting the postmaster account. For example, if a legitimate
company has a server inadvertently configured to allow open relaying, e-mail messages from this
company to your users would be blocked. However, if you configured connection filtering to allow
message delivery to the postmaster account in your organization, then the administrator in the
blocked company could send mail to your postmaster account to explain their situation or
inquire as to why their mail was rejected.

Enabling Connection Filtering


To enable connection filtering, perform the following steps:

1. Create the connection filter using the Connection Filtering tab in the Message Delivery
Properties dialog box.
2. Apply the filter at the SMTP virtual server level.
Each of these steps is detailed in the following sections.

Step 1: Configuring Connection Filtering


To configure connection filtering, perform the following tasks:

• Create global accept and deny lists.


• Create connection filtering rules.
• Create exceptions to the connection filtering rules.

Creating Global Accept and Deny Lists


Connection filtering allows you to create global accept and deny lists. You can use these lists to
always accept or always reject mail sent from specific IP addresses, regardless of whether or not
you use a block list service provider. Any IP address that appears on the global accept list is
automatically accepted, and any connection filtering rules are bypassed. Similarly, any IP address
that appears on the global deny list is automatically rejected.
Entries in the global accept list take precedence over the entries in the global deny list. Exchange
checks the global accept list before the global deny list; so, if you wanted to reject connections
from a specific subnet and mask, but accept connections from a single IP address within this
range, you would:

• Enter the IP address from which you want to accept connections on the global accept list.
• Enter the subnet and mask for the range of IP addresses from which you want to reject
connections on the global deny list.
When the connecting IP address you added to the global accept list attempts to connect to your
Exchange server, Exchange checks the global accept list first. Because Exchange finds a match
for this IP address, the connection is accepted, and Exchange performs no additional connection
filtering checks.
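The checks described in this section and in the preceding ones (the query name built from the reversed IP address, the 127.0.0.x answer matched either as an explicit code or as a bit mask, the custom error message variables, the global accept and deny lists, and the recipient exception) combined into one added Python example. This is not Exchange code: the provider suffix bl.example.test, the DNS answers, the addresses and rule names, and the assumption that the provider assigns one bit per category (1, 2, 4) are all constructed for the example. The page does not say whether a recipient exception also overrides the global deny list; the example applies exceptions only after a block list rule has matched.

```python
"""Connection filtering in the order the page describes: global accept list, then
global deny list, then each block list rule in priority order, with the recipient
exception list consulted before a block list rejection. Everything below is
constructed for the example; no real provider is queried."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def dnsbl_query_name(client_ip: str, provider_suffix: str) -> str:
    """Name Exchange queries: reversed octets of the connecting IP plus the provider's
    DNS suffix, e.g. 192.168.5.1 and contoso.com -> 1.5.168.192.contoso.com."""
    octets = client_ip.split(".")
    if len(octets) != 4:
        raise ValueError("expected an IPv4 dotted-quad address")
    return ".".join(reversed(octets)) + "." + provider_suffix.strip(".")


def render_error(template: str, ip: str, rule_name: str, provider: str) -> str:
    """Expand %0 (connecting IP), %1 (rule name) and %2 (provider); %% is a literal %."""
    subs = {"0": ip, "1": rule_name, "2": provider, "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in subs:
            out.append(subs[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


@dataclass
class BlockListRule:
    name: str
    provider_suffix: str
    mask: Optional[int] = None                    # "Match Filter Rule to the Following Mask"
    codes: Set[int] = field(default_factory=set)  # "Match ... Any of the Following Responses"
    error_template: str = "%0 has been blocked by %1"   # the default message from the page

    def matches(self, answer: Optional[str]) -> bool:
        """answer is the 127.0.0.x A record, or None for 'host not found' (not listed)."""
        if answer is None:
            return False
        value = int(answer.rsplit(".", 1)[1])
        if self.mask is not None:       # bit mask: every bit of the mask must be set
            return value & self.mask == self.mask
        if self.codes:                  # explicit codes: any one of them
            return value in self.codes
        return True                     # neither configured: any 127.0.0.x answer matches


@dataclass
class ConnectionFilter:
    accept: List[ipaddress.IPv4Network]   # global accept list, checked first
    deny: List[ipaddress.IPv4Network]     # global deny list
    rules: List[BlockListRule]            # block list rules in configured priority order
    exceptions: Set[str]                  # recipients accepted even from a listed IP

    def evaluate(self, client_ip: str, rcpt: str, dns: Dict[str, str]) -> Tuple[bool, str]:
        """Decision for one RCPT TO from client_ip; dns maps query names to A records."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.accept):
            return True, "global accept list (no further checks)"
        if any(ip in net for net in self.deny):
            return False, "550 5.7.1 connection denied by global deny list"
        for rule in self.rules:
            answer = dns.get(dnsbl_query_name(client_ip, rule.provider_suffix))
            if rule.matches(answer):
                if rcpt.lower() in self.exceptions:
                    return True, "exception recipient " + rcpt
                text = render_error(rule.error_template, client_ip, rule.name, rule.provider_suffix)
                return False, "550 5.7.1 " + text
        return True, "not on any block list"


# Constructed answers for a provider (hypothetical suffix bl.example.test) that assigns
# one bit per category: 1 = spam source, 2 = dial-up account, 4 = open relay.
FAKE_DNS = {
    "1.5.168.192.bl.example.test": "127.0.0.5",     # spam source + open relay
    "20.100.51.198.bl.example.test": "127.0.0.2",   # dial-up only
    "9.100.51.198.bl.example.test": "127.0.0.6",    # dial-up + open relay
    "30.113.0.203.bl.example.test": "127.0.0.6",    # listed, but on the accept list below
}

CONN_FILTER = ConnectionFilter(
    accept=[ipaddress.ip_network("203.0.113.30/32")],   # one host carved out of the denied range
    deny=[ipaddress.ip_network("203.0.113.0/27")],      # 203.0.113.0 - 203.0.113.31
    rules=[
        BlockListRule("spam-sources", "bl.example.test", mask=1,
                      error_template="%0 rejected by %2 (rule %1, 100%% sure)"),
        BlockListRule("relays", "bl.example.test", codes={4, 6}),
    ],
    exceptions={"postmaster@example.test"},
)

if __name__ == "__main__":
    for ip in ["192.168.5.1", "198.51.100.20", "198.51.100.9", "203.0.113.7", "203.0.113.30"]:
        for rcpt in ["alice@example.test", "postmaster@example.test"]:
            print(ip, rcpt, CONN_FILTER.evaluate(ip, rcpt, FAKE_DNS))
```

Running the block shows 203.0.113.30 accepted although it lies inside the denied 203.0.113.0/27 range and is listed by the provider, because the accept list is consulted first; 192.168.5.1 is rejected with the expanded custom message except when the recipient is the postmaster; and the dial-up-only host 198.51.100.20 passes because neither rule selects bit 2.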

To create a global accept list


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Global Settings, right-click Message Delivery, and then click
Properties.
3. Click the Connection Filtering tab.
4. Click Accept. The Accept List dialog box displays (Figure 6.62).

Figure 6.62 The Accept List dialog box


5. Click Add.
6. In IP Address (Mask), select one of the following options:
• Click Single IP Address to add a single IP address to the global accept list for this
connection filter rule.
• Click Group of IP Addresses to add a subnet address and mask to the global accept list.
7. Click OK.
To create a global deny list
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Global Settings, right-click Message Delivery, and then click
Properties.
3. Click the Connection Filtering tab.
4. Click Deny. The Deny List dialog box displays (Figure 6.63).

Figure 6.63 The Deny List dialog box


5. Click Add.
6. In IP Address (Mask), select one of the following options:
• Click Single IP Address to add a single IP address to the global deny list for this
connection filter rule.
• Click Group of IP Addresses to add a subnet address and mask to the global deny list.
7. Click OK.

Creating a Connection Filtering Rule


Use the following procedure to create a connection filter.

To create a connection filter


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Global Settings, right-click Message Delivery, and then click
Properties.
3. Click the Connection Filtering tab (Figure 6.64).

Figure 6.64 The Connection Filtering tab



4. To create a connection filter rule, click Add. The Connection Filtering Rule dialog box
displays (Figure 6.65).

Figure 6.65 The Connection Filtering Rule dialog box


5. In the Display Name box, type a name for the connection filter.
6. In the DNS Suffix of Provider box, type the DNS suffix that the provider appends to the IP
address.
7. In the Custom Error Message to Return (default error message will be used if left
blank) box, if desired, type the custom error message to return to the sender. Leave this box
blank to use the following default error message:
<IP address> has been blocked by <Connection Filter Rule Name>
You can use the following variables to generate a custom message:

• %0 – connecting IP address
• %1 – connection filter rule name
• %2 – the block list provider
For example, if you wanted your custom message to read:
The IP address <IP address> has been blocked by the following block list provider:
<block list provider name>
type the following in the custom error message box:
The IP address %0 has been blocked by the following block list provider: %2
Exchange replaces %0 with the connecting IP address and %2 with the block list provider.
Note
If you want to include a percent sign (%) in your error message, you must enter
the percent sign twice (%%).

8. To configure which return status codes received from the block list provider you want to
match in this connection filter, click Return Status Code. The Return Status Code dialog
box displays (Figure 6.66).

Figure 6.66 The Return Status Code dialog box


9. Select one of the following options.
• Click Match Filter Rule to Any Return Code (this connection filter rule is matched
to any return status code received from the provider service) to set the default value
that matches the connection filter to any return status.
• Click Match Filter Rule to the Following Mask (this connection filter rule is
matched to return status codes received from the provider by using a mask to
interpret them), and then type the mask you want to filter against the masks used by
your providers.
Note
A bit mask checks only against a single value. If you set a bit mask value
that is returned when an IP address appears on two lists, the mask will
match only IP addresses that appear on both lists. If you want to check for
an IP address on either of two lists, enter the status codes for these settings.

• Click Match Filter Rule to Any of the Following Responses (this connection filter
rule is matched to returned status codes received from the provider service by
using the specific values of the return status codes below). Click Add, and in Return
Status Code, type the status code you want to match. For each additional status code,
click Add, type the code, and then click OK.
10. Click OK.
You can create exceptions to the connection filter rule. Specifically, you can allow message
delivery to specific recipients (for example, to the postmaster), regardless of whether the
connecting IP address is on a block list.

To specify an exception to a connection rule


1. In Message Delivery Properties, on the Connection Filtering tab, click Exception. The
Block List Service Configuration Settings dialog box displays (Figure 6.67).

Figure 6.67 The Block List Service Configuration Settings dialog box
2. Click Add.
3. In Add Recipient, type the SMTP address of the recipient for whom you want to accept all
messages, regardless of whether the connecting IP address appears on a block list.
4. Click OK twice.

Step 2: Applying the Connection Filter to the Appropriate SMTP Virtual Servers
After creating the connection filter, you must apply it to the appropriate SMTP virtual servers.
Usually, you apply the connection filter on the SMTP virtual servers that exist on your gateway
servers that accept inbound Internet e-mail. Use the following procedure to apply a connection
filter to an SMTP virtual server.

To apply a connection filter to an SMTP virtual server


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand the server you want, expand Protocols, and then
expand SMTP.
3. Right-click the SMTP virtual server on which you want to apply the filter, and then click
Properties.
4. In <SMTP Virtual Server> Properties, on the General tab, click Advanced.
5. In Advanced, select the IP address for which you want to apply the filter, and then click
Edit.
6. In Identification, select the Apply Connection Filter check box to apply the filter that you
previously set (Figure 6.68).

Figure 6.68 The Identification dialog box


7. If you have multiple virtual servers, repeat Steps 3 through 6 for each virtual server on
which you want to apply the filter.

Inbound Recipient Filtering


With recipient filtering, you can block mail destined to invalid recipients. You can also
block mail to any recipients specified in a recipient filter list, whether they are valid or
invalid.
The recipient filter blocks mail destined to invalid recipients by filtering inbound mail (based on
Active Directory lookups) for each intended recipient. You can filter mail based on the following
criteria:

• If the recipient does not exist in Active Directory.


• If the sender does not have the appropriate permissions.
Any incoming mail matching these criteria is rejected, and the SMTP virtual server returns a 550
5.x.x error during the SMTP session.
Note
Exchange only performs Active Directory lookups and blocks invalid recipients for
incoming mail destined to a domain for which it is authoritative. This setting is
configured in recipient policies.

You can also configure recipient filtering to filter messages sent to specified e-mail addresses
(valid or invalid) within your organization. If a message is sent to any of the specified
recipients, Exchange returns a 550 5.x.x error during the SMTP session.
By default, Exchange accepts mail that is destined for any recipient (invalid or valid) and then
sends non-delivery reports (NDRs) for all invalid recipients. Additionally, because unsolicited
mail is typically sent from invalid addresses, Exchange attempts to re-deliver NDRs to non-
existent senders, thereby expending more resources. If you enable recipient filtering, Exchange
no longer expends resources in this manner because invalid recipients are filtered. However,
enabling recipient filtering to resolve recipients in Active Directory can potentially allow
malicious senders to resolve valid e-mail addresses; this is because SMTP sessions issue different
responses for valid and invalid recipients.
Note
Recipient filter rules apply only to anonymous connections. Authenticated users and
Exchange servers bypass these validations.

Enabling Recipient Filtering


To enable recipient filtering, perform the following steps:

1. Create the recipient filter using the Recipient Filtering tab in the Message Delivery
Properties dialog box.
2. Apply the filter at the SMTP virtual server level.
Each of these steps is detailed in the following sections.

Step 1: Creating a recipient filter


Use the following procedure to create a recipient filter.

To create a recipient filter


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Global Settings, right-click Message Delivery, and then click
Properties.
3. In Message Delivery Properties, click the Recipient Filtering tab (Figure 6.69).

Figure 6.69 The Recipient Filtering tab


4. To add the address of a specific recipient, click Add, and then, in Add Recipient, type the
recipient address, and then click OK. The recipient address must meet the following criteria:
• The recipient address must contain an at sign (@).
• Display names must be entered in quotes with the @ sign immediately following.
Ensure that there are no spaces between the quotes and the @ symbol. For example, if
you wanted to filter mail for a recipient with the display name of Ted Bremer in the
northwindtraders.com domain, you would enter:
"Ted Bremer"@northwindtraders.com
• Use an asterisk (*) to denote all members of a domain or simply enter @domain. For
example, to filter e-mail sent to all users with the domain suffix of
northwindtraders.com, enter either:
*@northwindtraders.com
@northwindtraders.com

5. To filter mail that is sent to users who do not exist in Active Directory, select the Filter
recipients who are not in the Directory check box.
Note
Selecting the Filter recipients who are not in the Directory check box can
potentially allow malicious senders to discover valid e-mail addresses in your
Exchange organization.

Step 2: Applying the Recipient Filter to the Appropriate SMTP Virtual Servers

After creating the recipient filter, you must apply it to the appropriate SMTP virtual servers.
Usually, you apply the recipient filter on the SMTP virtual servers that exist on your gateway
servers that accept inbound Internet e-mail. Use the following procedure to apply a recipient
filter to an SMTP virtual server.

To apply a recipient filter to an SMTP virtual server


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand the server you want, expand Protocols, and then
expand SMTP.
3. Right-click the SMTP virtual server on which you want to apply the filter, and then click
Properties.
4. In <SMTP Virtual Server> Properties, on the General tab, click Advanced.
5. In Advanced, select the IP address for which you want to apply the filter, and then click
Edit.

6. In Identification, select the Apply Recipient Filter check box to apply the filter that you
previously set (Figure 6.70).

Figure 6.70 The Identification dialog box


7. If you have multiple virtual servers, repeat Steps 3 through 6 for each virtual server on
which you want to apply the filter.

Understanding How Enabled Filters Are Applied

Exchange Server 2003 supports the following filters:

• Connection filtering
• Recipient filtering
• Sender filtering
• IP restrictions on a virtual server basis
Although connection filtering, recipient filtering, and sender filtering are all configured in
Message Delivery Properties, they must be enabled on individual SMTP virtual servers. In
contrast, IP restrictions are configured directly on each SMTP virtual server.
This section shows the order in which these filters, when configured and enabled, are checked
during an SMTP session. Filtering and IP restrictions are checked in the following manner.

1. An SMTP client attempts to connect to the SMTP virtual server.

2. The IP address of the connecting client is checked against the SMTP virtual server's IP
restrictions (configured on the Access tab of the SMTP virtual server Properties):
• If the connecting IP address is on the list of restricted IPs, the connection is immediately
dropped.
• If the connecting IP address is not on the list of restricted IPs, the connection is
accepted.
3. The SMTP client issues an EHLO or HELO command.
4. The SMTP client issues a MAIL FROM: command, similar to the following:
MAIL FROM: dylanm@contoso.com

5. The IP address of the SMTP client is then checked against the global accept list (configured
in Exchange System Manager on the Connection Filtering tab in the Message Delivery
Properties dialog box).
• If the connecting IP address is on the global accept list, the global deny list is not
checked. Proceed to Step 7.
• If the connecting IP address is not on the global accept list, Steps 6 and 7 are
performed.
6. The IP address of the SMTP client is checked against the global deny list (configured in
Exchange System Manager on the Connection Filtering tab in the Message Delivery
Properties dialog box).
• If the IP address of the SMTP client is on the global deny list, the connection is dropped.
• If the IP address of the SMTP client is not on the global deny list, the session continues.
7. Sender filtering checks the sender specified in the MAIL FROM command against its list of
blocked senders (configured in Exchange System Manager on the Sender Filtering tab in
the Message Delivery Properties dialog box).
• If the sender appears on the blocked senders list, one of two things happens, depending
on how sender filtering is configured:
- If sender filtering is configured to drop the connection, the connection is dropped.
- If sender filtering is configured to accept messages without notifying the sender, the
session continues; however, mail is sent to the Badmail directory and not delivered to
the intended recipient.

• If the sender does not appear on the sender-filtering list, the SMTP virtual server issues
a response similar to the following.
250 2.1.0 dylanm@contoso.com...Sender OK

8. The connecting SMTP server issues a RCPT TO command similar to the following:
RCPT TO: kim@example.com

9. The connection filtering rules check the connecting IP address against any block lists
provided by their block list service providers.
• If the IP address of the SMTP client is in the accept list, the connection filter rules are
bypassed. Proceed to Step 10.
• If the IP address of the SMTP client is on a block list service provider's block list, the
SMTP virtual server returns an error code and then sends the customized error message
configured for the connection filtering rule.
• If the IP address of the SMTP client is not on a block list service provider's block list,
the session continues.
10. Connection filtering checks to see if the intended recipient is on the connection filtering
exception list.
• If the recipient is on this list, the communication is accepted, and no other checks are
applied at the RCPT TO command. Proceed to Step 13.
• If the recipient does not appear on the exception list, the recipient is checked against
other filters.
11. If the recipient does not appear on the exception list configured in connection filtering, the
recipient is then checked against any blocked recipients configured in recipient filtering.
• If the recipient is a blocked recipient, the SMTP virtual server returns an invalid
recipient error.
• If the recipient is not a blocked recipient, the session continues.
12. If the recipient is not a blocked recipient, then Active Directory is checked to ensure that the
intended recipient exists in Active Directory.
• If the intended recipient is not a valid recipient that exists in Active Directory, the SMTP
virtual server returns an invalid recipient error.
• If the recipient is a valid recipient that exists in Active Directory, the session continues.
13. For each additional recipient specified in a RCPT TO command, Steps 10 through 12 are
applied.
14. The connecting server then issues a DATA command similar to the following
DATA
To: Kim Akers
From: dylanm@contoso.com<Dylan Miller>
Subject: Mail Message

15. Sender filtering then checks that the From address does not match a blocked sender.
• If the sender specified in the DATA command is a blocked sender, one of two things
happens:
- If sender filtering is configured to drop the connection, then the SMTP virtual server
returns a 5.1.0 "Sender Denied" error and drops the connection.
- If sender filtering is configured to accept messages without notifying the sender, the
session continues; however, mail is sent to the Badmail directory and not delivered to
the intended recipient.

• If the sender specified in the DATA command is not a blocked sender, the message is
accepted and queued for delivery.
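The following is an added example, not Microsoft code: it models the 15-step check order above (and the recipient filter entry formats from "Creating a recipient filter") as a small state machine, so you can see which check stops a given anonymous session. All IP addresses, list entries and directory contents are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class FilterConfig:
    ip_restrictions: set             # Access tab of the SMTP virtual server (Step 2)
    global_accept: set               # Connection Filtering tab, global accept list (Step 5)
    global_deny: set                 # Connection Filtering tab, global deny list (Step 6)
    blocked_senders: set             # Sender Filtering tab (Steps 7 and 15)
    drop_connection_on_sender: bool  # sender filtering: drop connection, or accept silently
    block_list_provider: set         # IPs listed by the block list service provider (Step 9)
    recipient_exceptions: set        # connection filtering exception list (Step 10)
    blocked_recipients: list         # Recipient Filtering tab entries (Step 11)
    filter_unknown_recipients: bool  # "Filter recipients who are not in the Directory" (Step 12)
    directory: set                   # recipients that exist in Active Directory


def recipient_matches(entry: str, address: str) -> bool:
    """Match one Recipient Filtering entry against a RCPT TO address.

    Entry formats from "Creating a recipient filter", Step 4:
      user@domain                        a single address
      "Ted Bremer"@northwindtraders.com  display name in quotes, @ immediately after
      *@domain or @domain                every address in the domain
    Case-insensitive matching is an assumption of this model.
    """
    entry, address = entry.lower(), address.lower()
    if "@" not in entry:
        raise ValueError("recipient filter entries must contain an @ sign")
    local, domain = entry.rsplit("@", 1)
    if local in ("", "*"):
        return address.endswith("@" + domain)
    return address == entry


def evaluate_session(cfg, client_ip, mail_from, rcpt_to, data_from):
    """Walk one anonymous SMTP session through the filters in the documented order.

    Returns a trace of (step, event) tuples; the last entry is the outcome.
    """
    trace = []

    def stop(step, outcome):
        trace.append((step, outcome))
        return trace

    # Step 2: per-virtual-server IP restrictions are checked before anything else.
    if client_ip in cfg.ip_restrictions:
        return stop(2, "connection dropped: IP restriction on virtual server")
    trace.append((3, "EHLO accepted"))
    trace.append((4, f"MAIL FROM:{mail_from}"))
    # Steps 5-6: an IP on the global accept list skips the global deny list and,
    # later, the block list service provider check of Step 9.
    on_accept = client_ip in cfg.global_accept
    if on_accept:
        trace.append((5, "on global accept list: deny list and block list provider skipped"))
    elif client_ip in cfg.global_deny:
        return stop(6, "connection dropped: on global deny list")
    # Step 7: sender filtering on the MAIL FROM address.
    badmail = False
    if mail_from.lower() in cfg.blocked_senders:
        if cfg.drop_connection_on_sender:
            return stop(7, "connection dropped: blocked sender in MAIL FROM")
        badmail = True  # accepted without notifying the sender, routed to Badmail
        trace.append((7, "blocked sender accepted silently"))
    else:
        trace.append((7, f"250 2.1.0 {mail_from}...Sender OK"))
    # Steps 8-13: every RCPT TO goes through Steps 9-12 in turn.
    accepted = []
    for rcpt in rcpt_to:
        trace.append((8, f"RCPT TO:{rcpt}"))
        if not on_accept and client_ip in cfg.block_list_provider:
            trace.append((9, f"{rcpt}: rejected, client IP on block list provider's list"))
            continue
        if rcpt.lower() in cfg.recipient_exceptions:
            trace.append((10, f"{rcpt}: on connection filtering exception list, accepted"))
            accepted.append(rcpt)
            continue
        if any(recipient_matches(e, rcpt) for e in cfg.blocked_recipients):
            trace.append((11, f"{rcpt}: invalid recipient (recipient filter)"))
            continue
        if cfg.filter_unknown_recipients and rcpt.lower() not in cfg.directory:
            # The differing answers at this step are what the Note about directory
            # lookups warns of: valid and unknown recipients get different responses.
            trace.append((12, f"{rcpt}: invalid recipient (not in Active Directory)"))
            continue
        trace.append((12, f"{rcpt}: recipient OK"))
        accepted.append(rcpt)
    if not accepted:
        # Assumption of this model: with no accepted recipient, DATA is refused.
        return stop(14, "DATA refused: no recipient was accepted")
    trace.append((14, "DATA"))
    # Step 15: sender filtering again, this time on the From address in DATA.
    if data_from.lower() in cfg.blocked_senders:
        if cfg.drop_connection_on_sender:
            return stop(15, "5.1.0 Sender Denied: connection dropped")
        badmail = True
    if badmail:
        return stop(15, "message accepted but written to the Badmail directory, not delivered")
    return stop(15, "message accepted and queued for " + ", ".join(accepted))


# Constructed configuration for a gateway SMTP virtual server.
SAMPLE = FilterConfig(
    ip_restrictions={"192.0.2.10"},
    global_accept={"192.0.2.20"},
    global_deny={"192.0.2.30"},
    blocked_senders={"spammer@contoso.com"},
    drop_connection_on_sender=False,
    block_list_provider={"192.0.2.20", "192.0.2.40"},
    recipient_exceptions={"postmaster@example.com"},
    blocked_recipients=['"Ted Bremer"@northwindtraders.com', "@northwindtraders.com"],
    filter_unknown_recipients=True,
    directory={"kim@example.com", "postmaster@example.com"},
)
```

Calling evaluate_session(SAMPLE, "192.0.2.20", ...) shows the global accept list bypassing the block list provider that also lists that IP, while "192.0.2.40" is rejected at Step 9 for every recipient.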

Improved Ability to Restrict Submissions to an SMTP Virtual Server

In Exchange Server 2003, you can restrict submissions to an SMTP virtual server to a limited
number of security principals through the standard Windows 2000 Server or
Windows Server 2003 Discretionary Access Control List (DACL). This allows you to specify
groups of users who can submit mail to a virtual server.
Note
Do not restrict submissions on SMTP virtual servers that accept Internet mail.

To restrict submissions to an SMTP server based on a security group


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand the server you want, expand Protocols, and then
expand SMTP.
3. Right-click the SMTP virtual server on which you want to restrict submissions, and then
click Properties.
4. In <SMTP Virtual Server> Properties, click the Access tab, and then click Authentication.
5. In Authentication, clear the Anonymous Access check box, and then click Users to specify
a subset of users for whom you want to grant submit permissions on this SMTP virtual
server.
6. In Permissions for Submit and Relay, to remove a group or user, select the group or user,
and then click Remove.
7. To add a group or user, click Add, and then select the group or users for which you want to
specify permissions. Select from one of the following options:
• On Windows Server 2003, in Select Users, Computers, or Groups, under Enter the
object name to select, type the name of the user or the group. If you want to search for
the user or group, click Advanced, search for the user or group name, and then click
Check Names to validate your entry.
Tip
Click the examples link to view the acceptable formats for your entries.

• On Windows 2000 Server, in Select Users, Computers, or Groups, select the group or
user that you want to grant submit permissions, and then click Add.
8. Click OK to return to the Permissions for Submit and Relay dialog box.
9. Under Group or user names, select the group you just added.
10. Under Permissions for <Selected Group>, next to Submit Permission, if necessary, click
Allow to allow the selected user or group to submit mail through this SMTP virtual server.
11. Click OK.

Improved Ability to Restrict Relaying on an SMTP Virtual Server

In Exchange 2003, you can restrict relaying to a limited number of security principals through the
standard Windows 2000 Discretionary Access Control List (DACL). This allows you to specify
groups of users who can relay through a virtual server.
Restricting relaying on virtual servers is useful if you want to allow a group of users to relay mail
to the Internet, but deny relay privileges for a different group.
Important
To apply relay restrictions, you must disable anonymous access on the SMTP virtual
server (on the Access tab, click Authentication).

To restrict relaying based on a security group


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand the server you want, expand Protocols, and then
expand SMTP.
3. Right-click the SMTP virtual server on which you want to apply relay restrictions, and then
click Properties.
4. In <SMTP Virtual Server> Properties, click the Access tab, and then click Relay.
5. In Relay Restrictions, clear the Allow all computers which successfully authenticate to
relay, regardless of the list below check box, and then click Users to specify a subset of
users that you want to grant relay permissions on this SMTP virtual server.
6. In Permissions for Submit and Relay, to remove a group or user, select the group or user,
and then click Remove.
7. To add a group or user, click Add, and then select the group or users for which you want to
specify permissions. Select from one of the following options:
• On Windows Server 2003, in Select Users, Computers or Groups, under Enter the
object name to select, type the name of the user or the group. If you want to search for
the user or group, click Advanced, search for the user or group name, and then click
Check Names to validate your entry.
Tip
Click the examples link to view the acceptable formats for your entries.

• On Windows 2000 Server, in Select Users, Computers or Groups, select the group or
user that you want to grant submit permissions, and then click Add.
8. Click OK to return to the Permissions for Submit and Relay dialog box.
9. Under Group or user names list, select the group you just added.
10. Under Permissions for <selected group>, next to Submit Permission, if necessary, select
the check box under Allow to allow the selected user or group to submit mail through this
SMTP virtual server.
11. Next to Relay Permissions, select the check box under Allow to permit the selected object
to relay through this SMTP virtual server, or select the check box under Deny to prevent the
selected object from relaying through this connector.
Note
You must allow Submit Permissions if you want to allow Relay Permissions.

12. Click OK.


CHAPTER 7

Storage Features

Microsoft® Exchange Server 2003 includes many improvements to the Exchange store. In general,
these improvements focus on making disaster recovery operations easier and faster and on
streamlining internal processes such as public folder replication.
Specifically, the improvements include the following:

• Support for the new Volume Shadow Copy service, which is available as part of the
Microsoft Windows Server™ 2003 backup API.
• A new type of storage group (the Recovery Storage Group) provides a temporary location
for restored mailbox data. After restoring the mailbox data to the Recovery Storage Group,
you can then merge the data you need with the original mailbox store, whether that means
restoring the entire mailbox store or a few individual mailboxes.
• The Microsoft Mailbox Merge Wizard (Exmerge) is now available for download at the
Exchange Downloads Web site
(http://www.microsoft.com/exchange/2003/updates).
• Public folder replication processes are overhauled and streamlined for more efficient use of
bandwidth.
• The Exchange Virus Scanning Application Programming Interface (VSAPI) is enhanced and
expanded.

Shadow Copy Backup


Exchange Server 2003 supports the new backup infrastructure implemented in Windows
Server 2003. Backup programs (including Microsoft Windows® Backup) can use either the
existing Microsoft Windows 2000 backup and restore APIs, or the new APIs. The new APIs use
the Windows Volume Shadow Copy service to create a shadow copy (also known as a snapshot)
of the disk at the beginning of the backup process. Exchange then uses the shadow copy (rather
than the working disk) to create the actual backup, so normal operation can continue. This
method offers the following advantages over previous methods:

• A backup of a volume is produced. This backup reflects the state of that volume at the
instant the backup started, even if the data changes while the backup is in progress. All the
backup data is internally consistent and reflects the state of the volume at a single point in
time.
• Applications and services are notified that a backup is about to occur. The services and
applications can then prepare for the backup by cleaning up on-disk structures and by
flushing caches and log files.
Important
Exchange supports the Volume Shadow Copy service for normal backups and copy
backups, but not for incremental or differential backups.

Using Shadow Copy Backup


The Exchange API provides support for shadow copy backups.
You can still use the Windows Server 2003 Backup utility to back up Exchange Server 2003
databases (mailbox stores and public folder stores); however, this method uses the existing APIs
for non-shadow copy backups. Windows Server 2003 Backup supports backing up your
Windows file system using the Volume Shadow Copy service, but it does not support the
Exchange Volume Shadow Copy service APIs. To use the new shadow copy APIs to back up
databases, you must use a third-party solution.

Recovery Storage Group


To provide greater flexibility when restoring mailboxes and mailbox stores, Exchange 2003
provides a Recovery Storage Group feature. The Recovery Storage Group is a specialized storage
group that can exist alongside the regular storage groups in Exchange (even if the server already
has four regular storage groups). You can restore mailbox stores from any regular storage group
that meets the following conditions:

• The server housing the storage group is running Exchange 2000 SP3 or later.
• The server housing the storage group is in the same Administrative group as the server
housing the Recovery Storage Group.
• If you are restoring multiple mailbox stores simultaneously, they must all be from a single
storage group.
After you restore a mailbox store to the Recovery Storage Group, use the Exmerge utility to
move the recovered mailbox data from the Recovery Storage Group to the regular storage group.
With this method, you can recover an entire mailbox store (all of the database information,
including the log data) or just a single mailbox. Mailboxes in the Recovery Storage Group are
disconnected and are not accessible to users with mail clients.
Note
You can only use the Recovery Storage Group to recover mailbox stores, not public
folder stores.

Using a Recovery Storage Group


The following procedures represent a simple restore scenario; these procedures assume that you
have already backed up your storage groups.
Before you begin these procedures, ensure that you are logged in with an account such as Backup
Operators that has Receive As and Send As permissions on all of the Exchange mailboxes. If
these permissions are denied, the restore process does not complete.
If you restore mailbox stores without creating a Recovery Storage Group, the data is restored
directly to the original mailbox stores, as in previous versions of Exchange.
The process of using a Recovery Storage Group to restore mailbox data consists of three main
steps:

1. Set up the Recovery Storage Group.


2. Restore a mailbox store to the Recovery Storage Group.
3. Merge the recovered mailbox data with regular user mailboxes.
Each of these steps is detailed in the following procedures.

To set up the Recovery Storage Group


1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft
Exchange, and then click System Manager.
2. Expand Administrative Groups, expand the appropriate administrative group, expand
Servers, right-click the server on which you want to create the Recovery Storage Group,
point to New, and then click Recovery Storage Group.

3. In Recovery Storage Group Properties, ensure that the file locations specified in the
Transaction log location box and the System path location box are appropriate, and then
click OK. The new Recovery Storage Group will appear in the server's list of storage groups
(Figure 7.1).

Figure 7.1 Exchange System Manager lists the Recovery Storage Group along with the other storage groups on the same server

4. Right-click Recovery Storage Group, and then click Add Database to Recover.
5. In Select database to recover, click a mailbox store, and then click OK. You can select only
one mailbox store at a time.
6. In Mailbox Store Properties, review the mailbox store's properties, and then click OK. The
default settings are suitable for most cases; however, you can assign the mailbox store a
different name.
7. To add more mailbox stores to the Recovery Storage Group, repeat Steps 4-6 (remember, if
you are restoring multiple databases simultaneously, they must all be from a single storage
group).
Note
By default, the mailbox stores in the Recovery Storage Group (also called
recovery databases) are not mounted when they are created. You should not
mount them until after you have restored the data, as described in the next
procedure.
To restore a mailbox store to the Recovery Storage Group
1. After configuring the Recovery Storage Group, start your backup and restore application (for
the purposes of this procedure, use Windows Backup: click Start, click Run, type
ntbackup, and then click OK).
If Windows Backup starts in Wizard mode, on the Welcome screen, click Advanced Mode.

2. Click Restore and Manage Media, expand the File list, expand the backup file you want to
use, click the appropriate storage group, and then click the database and log files that you
want to restore.
Important
Make sure that you select only mailbox stores and/or log files. Do not select the
entire storage group, especially if the storage group contains public folder stores.
The restore operation will not succeed if public folder stores are selected.

Figure 7.2 When selecting items to restore, make sure that only
mailbox stores and log files are selected.
3. Click Start Restore.
4. In Restoring Database Store, type the name of a temporary file directory in the Temporary
location box and, if this is the last backup to be restored, select Last Restore Set.
5. Click OK. When the restore process is complete, click Close.
6. In Exchange System Manager, right-click the mailbox store in the Recovery Storage Group,
and then click Mount Store. In the warning dialog box, click Yes.
To merge recovered mailbox data with regular user mailboxes
Note
To complete this procedure, you need the Microsoft Exchange Mailbox Merge Wizard
(Exmerge). You can download Exmerge from the Exchange Downloads Web site
(http://www.microsoft.com/exchange/2003/updates).

1. After restoring the appropriate mailbox store to the Recovery Storage Group, start Exmerge.
You can start Exmerge from a command prompt by typing %path%\exmerge.
2. Follow the instructions in the wizard to specify the export method, the source server, and the
destination server (when the Recovery Storage Group is on the same server as the original
mailbox store with which you are working, the source server and destination server are the
same).
3. On the Database Selection page, select only the mailbox stores that are in the Recovery
Storage Group, and then click Next.
4. On the Mailbox Selection page, select the mailboxes to restore. You can select individual
mailboxes or multiple mailboxes. When finished, click Next.
5. Specify the appropriate locale (if necessary), and then click Next.
6. On the Target Directory page, click Change Folder. Use the Browse for Folder dialog box
to specify a temporary folder, and then click OK. Click Next.
7. Follow the remaining instructions to finish the wizard and move the mailbox data. The
wizard will copy data from mailboxes in the restored mailbox store and merge it with data in
the corresponding mailboxes in the original mailbox store.

Overriding the Recovery Storage Group


As mentioned in the previous section, if you restore mailbox stores without creating a Recovery
Storage Group, the data will be restored directly to the original mailbox stores, as in previous
versions of Exchange. If you already created a Recovery Storage Group, you can restore directly
to the original mailbox stores if you set the override registry key.
Warning
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

To set the Recovery Storage Group Override registry key


1. Start Registry editor (regedit).
2. In Registry Editor, navigate to the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
3. Create a new DWORD value Recovery SG Override = 1. After this key has been set, you
can restore mailbox stores to their original locations, even though the Recovery Storage
Group exists.

Microsoft Exchange Mailbox Merge Wizard

Previously, the Microsoft Exchange Mailbox Merge Wizard (Exmerge) was available as an
Exchange Resource Kit tool. Now, the wizard is available for download at the Exchange
Downloads Web site (http://www.microsoft.com/exchange/2003/updates). With this
wizard, you can move data between identical mailboxes that exist in different mailbox stores; for
example, to restore a mailbox from a backup, restore the mailbox store to the Recovery Storage
Group, and then use the wizard to merge the restored mailbox data with the original mailbox. For
detailed information about how to perform this procedure, see "Using a Recovery Storage
Group" earlier in this chapter.

Improved Public Folder Store Replication

In Exchange 2003, the public folder replication algorithms have been refined for greater
efficiency when backfilling. ("Backfilling" is when a server determines that it has not received all
of the updates for a replicated folder and must retrieve the missing updates from another server.)
To select a server (or servers) to use as a backfill source, Exchange first creates a list of all of the
servers that have some portion of the necessary content, and then sorts the list as follows:

1. Sorts the list according to the lowest transport cost (servers in the same site have priority
over servers in remote sites).
2. For servers with the same transport cost, sorts again according to newest Exchange version.
In previous versions of Exchange, servers running newer Exchange versions are selected
over servers running older versions, regardless of the transport cost. For example, a server in
a remote site running Exchange 2000 would be selected over a local server running
Microsoft Exchange Server version 5.5. In Exchange 2003, transport cost now has greater
importance in the selection criteria.
3. For servers with the same transport cost and Exchange version, sort again according to the
largest number of necessary changes available on the server. In previous versions of
Exchange, a server holding all of the necessary updates is chosen over a server holding only
some of the updates, regardless of transport cost. In Exchange 2003, this preference has been
changed so that if some updates are available on a server with a lower transport cost, that
server is selected to backfill those updates, even if the rest of the updates must be obtained
from other (higher-cost) servers.
As an example of how the new behavior differs from that of all Exchange 2000 Server versions,
consider an Exchange 5.5 deployment of several sites (with multiple servers per site, all
replicating public folders) that must be upgraded to Exchange 2003. Add one Exchange 2003
server to each site. In each site, the Exchange 2003 server will backfill its public folders from the
local Exchange 5.5 servers, rather than search for a newer server in one of the remote sites.
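As an added example (not Microsoft code), the three-key sort above and the resulting backfill plan, with the earlier Exchange 2000 ordering included for contrast. Server names, transport costs and change identifiers are constructed; the relative order of the two keys in the Exchange 2000 variant is an assumption, since the text does not state it.

```python
from dataclasses import dataclass

# Exchange product versions as (major, minor): 5.5, Exchange 2000 is 6.0, Exchange 2003 is 6.5.
EXCHANGE_55, EXCHANGE_2000, EXCHANGE_2003 = (5, 5), (6, 0), (6, 5)


@dataclass(frozen=True)
class BackfillCandidate:
    name: str
    transport_cost: int   # lower is nearer; servers in the same site share the lowest cost
    version: tuple        # Exchange version running on the server
    changes: frozenset    # identifiers of the replicated-folder changes this server holds


def exchange2003_order(candidates, needed):
    """Exchange 2003 sort: lowest transport cost, then newest version, then most needed changes."""
    return sorted(candidates, key=lambda c: (c.transport_cost,
                                             tuple(-v for v in c.version),
                                             -len(c.changes & needed)))


def exchange2000_order(candidates, needed):
    """Approximation of the earlier behaviour described in the text: a newer version and a
    more complete set of updates win regardless of transport cost (assumed key order)."""
    return sorted(candidates, key=lambda c: (tuple(-v for v in c.version),
                                             -len(c.changes & needed),
                                             c.transport_cost))


def plan_backfill(needed, candidates, order=exchange2003_order):
    """Assign each missing change to the first server, in sort order, that holds it.

    Returns (plan, still_missing); plan is a list of (server name, changes taken).
    With the Exchange 2003 order, nearby servers supply what they can and only the
    remainder is fetched from higher-cost servers.
    """
    remaining = set(needed)
    plan = []
    for cand in order(candidates, frozenset(needed)):
        take = remaining & cand.changes
        if take:
            plan.append((cand.name, frozenset(take)))
            remaining -= take
        if not remaining:
            break
    return plan, frozenset(remaining)


# Constructed scenario from the text: a site of Exchange 5.5 servers gets a new Exchange 2003
# server that needs changes 1-5; a remote Exchange 2000 server happens to hold all of them.
NEEDED = frozenset({1, 2, 3, 4, 5})
CANDIDATES = [
    BackfillCandidate("LOCAL-55A", 1, EXCHANGE_55, frozenset({1, 2, 3})),
    BackfillCandidate("LOCAL-55B", 1, EXCHANGE_55, frozenset({4})),
    BackfillCandidate("REMOTE-2000", 10, EXCHANGE_2000, frozenset({1, 2, 3, 4, 5})),
    BackfillCandidate("REMOTE-55", 10, EXCHANGE_55, frozenset({5})),
]

if __name__ == "__main__":
    for label, order in (("Exchange 2003", exchange2003_order), ("Exchange 2000", exchange2000_order)):
        plan, missing = plan_backfill(NEEDED, CANDIDATES, order)
        print(label, [(name, sorted(take)) for name, take in plan], "missing:", sorted(missing))
```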

Improved Virus Scanning API


Exchange 2000 SP1 delivered the Virus Scanning API (VSAPI) version 2.0, which provided
improved support for scanning Internet content and reporting on the sender and receiver of the
virus. Exchange 2003 improves the VSAPI by allowing antivirus vendor products to run on
Exchange servers that do not have resident Exchange mailboxes (for example, gateway servers or
bridgehead servers). The Exchange 2003 VSAPI version 2.5 allows antivirus vendor products to
delete an infected message and send a notification message to the sender of the infected message.
The vendor products can also create additional virus status messages to allow clients to indicate
the infection status of a particular message. For more information about antivirus applications
that use the new VSAPI features, contact your antivirus manufacturer.
CHAPTER 8

Development Features

Microsoft® Exchange Server 2003 contains important changes and additions for developers. You
can find complete information about these changes in the Microsoft Exchange Server 2003
Software Development Kit (SDK). In addition, the following sections briefly describe the major
changes.

New Development Technologies
The following are new development technologies for Exchange Server 2003.
The Windows Management Instrumentation (WMI) providers and classes that ship with
Exchange 2000 Server provide operational status about Exchange servers, queues, links, and so
on, and are intended for use in applications that monitor Exchange.
Exchange Server 2003 includes many new and improved WMI classes that are designed for use
in Exchange management scripts and operator consoles. The new object classes support
managing Exchange stores, public folders, user mailboxes, connectors, queues, links, and so on.
Table 8.1 lists the new WMI classes.

Table 8.1 New WMI Classes

WMI class                              Changes
ExchangeClusterResource Class          No change.
ExchangeConnectorState Class           No change.
ExchangeLink Class                     No change. Additional capabilities are provided in the new Exchange_Link class.
ExchangeQueue Class                    No change. Additional capabilities are provided in the new Exchange_Queue class.
ExchangeServerState Class              No change. Additional capabilities are provided in the new Exchange_Server class.
Exchange_DSAccessDC Class              No changes.
Exchange_FolderTree Class              New class.
Exchange_Link Class                    New class.
Exchange_Logon Class                   New class.
Exchange_Mailbox Class                 New class.
Exchange_MessageTrackingEntry Class    Additional message tracking entry type values were added to provide more detailed tracking of internal message-transfer events.
Exchange_PublicFolder Class            New class.
Exchange_Queue Class                   New class.
Exchange_QueueCacheReloadEvent Class   New class.
Exchange_QueueData Class               New class.
Exchange_QueuedMessage Class           New class.
Exchange_QueuedSMTPMessage Class       New class.
Exchange_QueuedX400Message Class       New class.
Exchange_QueueSMTPVirtualServer Class  New class.
Exchange_QueueVirtualServer Class      New class.
Exchange_QueueX400VirtualServer Class  New class.
Exchange_ScheduleInterval Class        New class.
Exchange_Server Class                  New class.
Exchange_SMTPLink Class                New class.
Exchange_SMTPQueue Class               New class.
Exchange_X400Link Class                New class.
Exchange_X400Queue Class               New class.


Managed Wrappers for SMTP and Transport Sinks

You can find the code for the managed wrappers, along with the accompanying technical article,
Writing Managed Sinks for SMTP and Transport Events, at
http://go.microsoft.com/fwlink/?LinkId=16141.

Supported Development Technologies
The following development technologies are supported on Exchange Server 2003.

Data Access Methods


• CDO for Exchange 2000 (CDOEX). CDOEX cannot be used remotely.
• ADO access using the Exchange OLEDB provider (ExOLEDB). ExOLEDB cannot be used
remotely.
• ADO access using Microsoft Data and Internet Publishing Provider (MSDAIPP). MSDAIPP
can be used anywhere that it is installed, except for on an Exchange Server 2003 computer.
MSDAIPP is not supported for use on the Exchange server itself.
• CDO for Exchange Management (CDOEXM). CDOEXM can only be used on a computer
running the full installation of Exchange Server 2003 or a computer running the Admin-only
installation of Exchange Server 2003.
• CDO 1.2x, both server and client.

• HTTP and WebDAV.


• MAPI (extended MAPI). For deprecated MAPI technologies, see "Deprecated MAPI
Technologies" later in this chapter.

Events and Notifications


• Exchange Server version 5.5 event agent service. This service is supported, but disabled by
default in Exchange Server 2003.
• ExOLEDB store events.
• Transport events.
• MAPI notifications.
• WebDAV notifications.
• Incremental Change Synchronization (ICS).

Application Technologies
• Exchange Web Forms.
• Exchange 2000 Server workflow.
• Exchange 5.5 routing engine. Samples provided in the Exchange 5.5 Exchange Development
Kit (EDK) are not supported.

Monitoring
• Exchange 2000 Server WMI providers.

Specialized Programs
• Virus Scanning API (VSAPI) version 2.5.
• Backup and Restore API.

Developing .NET Applications for Exchange Server 2003
For information about what is supported and not supported for developing .NET applications for
Exchange Server 2003, see Microsoft Knowledge Base article 813349, "Support Policy for
Microsoft Exchange APIs with .NET Framework Applications"
(http://support.microsoft.com?kbid=813349).

Active Directory Classes and Attributes
The installer for Exchange Server 2003 makes numerous changes to the Microsoft Active
Directory® directory service classes and attributes to support the new features of Exchange
Server 2003. For information about these changes, see the Exchange Server 2003 SDK.

Deprecated Exchange Development Technologies
The following Exchange 2000 Server application development-related technologies and features
are removed and are not supported in Exchange Server 2003:

• Microsoft FrontPage® Extensions for Web Storage System Forms.
• Exchange Instant Messaging.
• Programmatic access to the Exchange store using the M: drive via custom code.
• SQL Create Index command.
• Exchange store schema properties for versioning.
• MSDAIPP on the computer running Exchange Server 2003. Remote access continues to be
supported.

Deprecated MAPI Technologies
The following MAPI technologies, which formerly shipped with Exchange 2000 Server, are not
available in Exchange Server 2003:
Simple MAPI
Simple MAPI is a wrapper around 12 high-level Extended MAPI functions that enable a
client application to send, address, receive, and reply to messages. On the client, Simple
MAPI is used by Microsoft Office to send mail directly from the application. It is only
intended for use in the Microsoft Windows® environment and offers limited functionality.
Anything that can be done with Simple MAPI can also be done with Extended MAPI.
Common Messaging Calls (CMC)
CMC is a wrapper around 10 Extended MAPI functions and was created to abstract the
complexities of MAPI and to create an API standard that was supported across platforms.
The CMC API was developed in conjunction with the X.400 API Association (XAPIA)
standards organization and is only accessible to C/C++ client developers. Anything that can
be done with CMC can also be done with Extended MAPI.
CDOHTML
Also referred to as CDO 1.2.1 Rendering, this API exposes a set of objects that can be used
by Internet Information Services (IIS) to render CDO 1.2x objects and properties into HTML
output. CDO 1.2.1 Rendering (CDOHTML.DLL) was intended for server-side use only.
Chapter 9

Deployment Features

Whether you are installing a new Exchange organization or upgrading an existing organization,
Microsoft® Exchange Server 2003 introduces several new features that make deployment easier.
Aside from summarizing these new features (including the new deployment tools and setup
features), this chapter provides information about required prerequisites for deploying
Exchange 2003. Furthermore, you will learn how to perform the basic steps necessary for
deploying or upgrading to Exchange Server 2003. For more information about deploying
Exchange 2003 in your organization, see the book Exchange Server 2003 Deployment Guide
(http://www.microsoft.com/exchange/library).

New Exchange 2003 Deployment Features
To help you successfully deploy Exchange in your organization, Exchange 2003 provides the
following new or improved features (each of these features is discussed later in this section):

• Exchange Server 2003 Deployment Tools
• Active Directory Connector (ADC) Tools
• Microsoft Exchange Public Folder Migration Tool
• Exchange 2003 Setup improvements
• Running Exchange System Manager from computers running Microsoft Windows®
Along with these new or improved features, Exchange 2003 also takes advantage of Microsoft
Windows Server™ 2003 improvements, such as Microsoft Active Directory® directory service
and memory allocation enhancements.

Exchange Server Deployment Tools

Exchange Server 2003 is designed to coexist with Microsoft Exchange 2000 Server and
Microsoft Exchange Server version 5.5. Establishing coexistence between Exchange 2003 and
Exchange 2000 is fairly straightforward, simplified by the fact that both Exchange 2000 and
Exchange 2003 rely on the Microsoft Active Directory® directory service for directory services.
However, Exchange 5.5 contains its own directory service, which means that you must
synchronize the Exchange 5.5 directory with Active Directory, and then ensure that objects
continue to properly replicate between the two directories.
A new Exchange 2003 feature, the Exchange Server Deployment Tools, significantly eases the
process of upgrading from Exchange 5.5 to Exchange Server 2003. The Exchange Server
Deployment Tools consist of a series of tools and documentation that lead you through the
following process:

1. Planning your deployment
2. Preparing Active Directory by using ForestPrep and DomainPrep
3. Installing Active Directory Connector (ADC) and running ADC Tools (described in the next
section)
4. Installing Exchange
5. Completing deployment and moving mailboxes and public folders
The tools, which you can run directly from the documentation, check such things as naming
consistency, permissions conversion, and directory replication. Because some of the Exchange
Server Deployment Tools run automatically during Exchange setup, you may not be able to
install Exchange unless these tools have been run successfully. By running the tools in advance,
you can identify and correct problems before you run Setup.

ADC Tools
The Active Directory Connector (ADC) management console now contains an ADC Tools
option. ADC Tools is a collection of wizards and tools that help you set up connection
agreements. Specifically, ADC Tools scans your current Active Directory and Exchange 5.5
directory and organization, and then automatically creates the recommended connection
agreements. The following wizards are included in ADC Tools.
Resource Mailbox Wizard
This wizard identifies Active Directory accounts that match more than one Exchange 5.5
mailbox. Using this wizard, you can match the appropriate primary mailbox to the Active
Directory account and stamp other mailboxes with the NTDSNoMatch attribute, which
designates the mailboxes as resource mailboxes. You can either make these changes online
or export a comma-separated value (.csv) file that you can update and import into the
Exchange 5.5 directory.
Connection Agreement Wizard
This wizard recommends public folder connection agreements and recipient connection
agreements based on your Exchange 5.5 directory and Active Directory configuration. You
can review the list of recommended connection agreements and select those you want the
wizard to create.
The Exchange Server Deployment Tools lead you through the process of installing Active
Directory Connector and running ADC Tools.

Microsoft Exchange Public Folder Migration Tool
The Microsoft Exchange Public Folder Migration Tool (pfMigrate) is a new tool that allows you
to migrate both system folders and public folders to the new server. You can use the tool to create
system folder and public folder replicas on the new server and, after the folders have replicated,
remove replicas from the source server. Unlike Exchange 5.5, you do not need to set a home
server for a public folder in Exchange Server 2003. Any replica acts as the primary replica of the
data it contains, and any public folder server can be removed from the replica list.
To determine how many system folders or public folders need to be replicated, you can use the
Microsoft Exchange Public Folder Migration Tool to generate a report before you run the tool. To
determine whether the folders replicated successfully, you can generate the same report after you
run the tool.

To run pfMigrate
1. In Exchange Server Deployment Tools, on the Welcome to the Exchange Server
Deployment Tools page, click Deploy the first Exchange 2003 server.
2. On the Deploy the First Exchange 2003 Server page, in the Follow this process column,
click Coexistence with Exchange 5.5.
3. On the Coexistence with Exchange 5.5 page, click Phase 3.
4. On the Phase 3. Installing Exchange Server 2003 on the Initial Server page, click Next.
5. On the Install Exchange 2003 on Additional Servers page, click Next.
6. On the Post-Installation Steps page, under Moving System Folders and Public Folders,
click move system folders and public folders, and then follow the steps listed to complete
your public folder migration.
Note
After you run pfMigrate, only the hierarchy of the system folders and public folders is
migrated immediately. You must wait for replication to occur before the contents of
the system folders and public folders are migrated. Depending on the size and
number of system and public folders, as well as your network speed, replication
could take a considerable amount of time.

Exchange Server 2003 Setup Improvements
The following new Exchange 2003 Setup features make it easier for you to install and upgrade
Exchange.
Identical schema files in ADC and Exchange
In Exchange 2000, ADC schema files were a subset of the Exchange 2000 core schema files.
In Exchange 2003, the schema files that are imported during the upgrade of Active Directory
Connector are identical to the core Exchange Server 2003 schema; therefore, you only need
to update the schema once.
Exchange Setup does not require full organization permissions
In Exchange 2000, the user account that was used to run Setup was required to have
Exchange Full Administrator rights at the organization level. In Exchange 2003, although a
user who has Exchange Full administrator rights at the organization level must install the
first server in a domain, you can now install additional servers if you have Exchange Full
Administrator rights at the administrative group level.
Exchange Setup no longer contacts the schema FSMO role
In Exchange 2000, the Setup or Update program contacted the schema Flexible Single
Master Operations (FSMO) role each time it ran. In Exchange Server 2003, Setup does not
attempt to contact the schema FSMO role.
ChooseDC Switch in Setup
Exchange 2003 Setup includes the new /ChooseDC switch. You can enter the fully qualified
domain name of an Active Directory domain controller to force Setup to read and write all
data from the specified domain controller. When installing multiple Exchange 2003 servers
simultaneously, forcing each server to communicate with the same Active Directory domain
controller ensures that replication latencies do not interfere with Setup and cause installation
failures.
Default permissions at the organization level are only stamped once
Exchange 2003 Setup stamps default permissions on the Exchange Organization object once
(during the first server installation or upgrade) and does not re-stamp permissions during
subsequent installations. Previously, Exchange 2000 Setup re-stamped Exchange
Organization permissions during each server installation. This action overwrote any custom
changes to the permissions structure; for example, if you allowed all users to create top-level
public folders, these permissions were removed.
Warning message appears if Exchange Groups are moved, deleted, or renamed
Exchange 2003 Setup ensures that the Exchange Domain Servers and Exchange Enterprise
Servers groups are intact. If the administrator moves, deletes, or renames these groups, Setup
stops, and a warning message appears.
Permissions to access mailboxes
Exchange 2003 Setup locks down security on the database objects; therefore Exchange
administrators cannot open other users' mailboxes.
Outlook Mobile Access and Microsoft Exchange Server ActiveSync® components installed by Setup
By default, Exchange 2003 includes support for mobile devices. The services that enable
these devices are called Outlook Mobile Access and Exchange Server ActiveSync.
Previously, to use these services, you had to install Microsoft Mobile Information Server.
Now, the built-in mobile device support in Exchange 2003 supersedes the Mobile
Information Server product.
Note
Outlook Mobile Access is part of the typical Setup and is therefore installed on all
servers. This component also requires the .NET Framework to be installed.
Automatic installation of required Windows Server 2003 services on Microsoft Windows 2000
If you are installing Exchange 2003 on a server running Windows 2000, Exchange Setup
automatically installs and enables .NET Framework and ASP.NET.
Automatic configuration of Internet Information Services (IIS) 6.0
In Windows Server 2003, IIS 6.0 introduces a new "worker process isolation mode," which
offers greater reliability and security to Web servers. Worker process isolation mode ensures
that all of the authentication, authorization, Web application processes, and ISAPI extensions
that are associated with a particular application are isolated from all other applications. To
take advantage of these benefits, when you install Exchange Server 2003 on
Windows Server 2003, Exchange Setup automatically sets IIS 6.0 to worker process
isolation mode.
Exchange Setup also enables certain ISAPI extensions. By default, during
Windows Server 2003 installation, ISAPI extensions are not allowed to load. However,
Exchange 2003 requires certain ISAPI extensions for features such as Microsoft Outlook
Web Access, WebDAV, and Exchange Web Forms; therefore, Exchange 2003 enables the
required ISAPI extensions during setup. No action is necessary; Exchange Setup
automatically configures the ISAPI extensions.
The IsapiRestrictionList metabase key controls the ISAPI extension behavior. Exchange
Setup sets the metabase key appropriately so that the ISAPI extensions can load; however, if
the key is modified after Exchange is installed, certain parts of Exchange may not function
correctly.
Automatic IIS 6.0 Configuration during Windows 2000 to Windows Server 2003 upgrade
If you install Exchange 2003 on Windows 2000 and subsequently upgrade to
Windows Server 2003, Exchange System Attendant automatically sets the IIS 6.0 mode to
worker process isolation mode. Event Viewer will contain an event indicating that this mode
change has occurred.
After the upgrade, you may find that some of the ISAPI extensions for other applications do
not function properly in worker process isolation mode. Although you can set the IIS 6.0
mode to "IIS 5 isolation mode" to ensure compatibility with your ISAPI extensions, it is
recommended that you continue to run IIS 6.0 in worker process isolation mode;
Exchange 2003 features such as Outlook Web Access, WebDAV, and Web forms, will not
work in IIS 5 isolation mode.

Installing Exchange System Management Tools
To administer Exchange servers from a computer running Windows XP, Windows Server 2003,
or Windows 2000 Server SP3, you can use Exchange Setup to install only Microsoft Exchange
System Management Tools.
Note
If you have not installed an Exchange 2003 server in your organization, you must
first run ForestPrep. ForestPrep extends the Active Directory schema to include
Exchange-specific classes and attributes and creates the container object for the
Exchange organization in Active Directory.

To install Exchange System Management Tools
1. Ensure that the computer meets the following requirements:
• The computer is running Windows XP, Windows Server 2003, Windows 2000
Professional, or Windows 2000 Server SP3.
• The computer name does not contain unsupported characters.
• The language version matches any previous installation of Exchange 2000 System
Management Tools (except for upgrades from English to Korean, Traditional Chinese,
or Simplified Chinese).
2. Log on to the domain with an account that has local machine administrator permissions.
3. Depending on the version of Windows that is running on the computer, install the required
services (Table 9.1).
Table 9.1 Required services for Windows

Windows version: Windows XP Service Pack 1 (SP1)
Required services:
• Internet Information Services Snap-In component (In Control Panel, click Add/Remove
Programs, and then click Add/Remove Windows Components)
• SMTP Service component
• World Wide Web Service
• Windows Server 2003 Administration Tools Pack, AdminPak.msi (located on the
Windows Server 2003 compact disc in the \i386 folder)

Windows version: Windows XP SP2
Required services:
• Internet Information Services Snap-In component
• Windows Server 2003 Administration Tools Pack, AdminPak.msi (located on the
Windows Server 2003 compact disc in the \i386 folder)

Windows version: Windows Server 2003
Required services:
• Internet Information Services Manager component

Windows version: Windows 2000 Professional SP3
Required services:
• Internet Information Services Snap-In component
• Windows Server 2003 Administration Tools Pack, AdminPak.msi (located on the
Windows Server 2003 compact disc in the \i386 folder)

Windows version: Windows 2000 Server SP3
Required services:
• Internet Information Services Snap-In component
• SMTP Service component
• NNTP Service component

4. Run Exchange Setup. On the Component Selection page, set the installation action to
Custom, and then select Microsoft Exchange System Management Tools.
5. After running Setup, disable SMTP Service, World Wide Web Publishing Service, or
NNTP Service if you do not intend to run them on the computer.

Windows Server 2003 Benefits

Exchange Server 2003 takes advantage of the following new Windows Server 2003 features,
which greatly improve administration and performance:
Active Directory Improvements
Exchange Server 2003 benefits from the following improvements to Active Directory in
Windows Server 2003:
• Reduced traffic between replicas
• Ability to create a branch office replica from CD
• Ability to roll back Active Directory changes

Memory Allocation
Exchange Server 2003 benefits from an improved memory allocator in
Windows Server 2003, which decreases the likelihood of running into situations that result in
Virtual Machine (VM) fragmentation. In addition, Exchange customers who have more than
1 GB of memory no longer need to purchase the Advanced Server SKU, which previously
supported the /3GB switch.

Prerequisites
Before you install or upgrade to Exchange Server 2003, ensure that your network and servers
meet the prerequisites described in this section.

Hardware Requirements
The following are the minimum hardware requirements for computers running Exchange
Server 2003:

• Intel Pentium or compatible 133 MHz or faster processor
• 256 MB of RAM recommended minimum; 128 MB supported minimum
• 500 MB of available disk space on the drive on which you install Exchange
• 200 MB of available disk space on the system drive
• CD-ROM drive
• VGA or higher-resolution monitor

File Format Requirements

To install Exchange Server 2003, disk partitions must be formatted for NTFS and not FAT. This
requirement applies to the following:

• System partition
• Partition that stores Exchange binaries
• Partitions containing transaction log files
• Partitions containing database files
• Partitions containing other Exchange files

Operating System Requirements

Exchange Server 2003 is supported on the following operating systems:
• Windows 2000 Service Pack 3 (SP3) or later
• Windows Server 2003

Windows 2000 Server

If you intend to install Exchange Server 2003 on a server running Windows 2000, you must
download and install Windows 2000 SP3 or later. Otherwise, the Exchange Server 2003 Setup
program will stop the installation.
Windows 2000 SP3 or later is also a prerequisite for running the Exchange Server 2003 Active
Directory Connector.
For more information about Windows 2000 service packs, see the Windows 2000 Service Packs
Web site (http://go.microsoft.com/fwlink/?LinkId=18353).

Upgrading the Operating Systems

If you plan to upgrade your Exchange 2000 servers running Windows 2000 SP3 or later to
Windows Server 2003, you must first upgrade those servers to Exchange 2003. This upgrade
sequence is required because Exchange 2000 is not supported on Windows Server 2003.

Active Directory
Exchange 2003 Setup must be able to contact at least one Active Directory server running
Windows 2000 SP3 or later, or Windows Server 2003 within the local Active Directory Site.
Domain controllers and global catalog servers must be running Windows 2000 SP3 or later or
Windows Server 2003 for Exchange Server 2003 to recognize them.

Permissions
In Exchange 2000, the user account that was used to run Setup was required to have Exchange
Full Administrator rights at the organization level. In Exchange Server 2003, although a user with
Exchange Full administrator rights at the organization level must install the first server in a
domain, you can now install additional servers if you have Exchange Full Administrator rights at
the administrative group level.
Although this change allows for a more decentralized administrative model, there are still
instances where higher-level permissions are required. A domain administrator with the
appropriate privileges must manually add the machine account for the server on which you plan
to install Exchange Server 2003 to the Exchange Domain Servers group. In addition, an
administrator with Exchange Full Administrator rights at the organization level must still perform
the following installations and upgrades:

• The first Exchange 2003 server in the organization.
• The first Exchange 2003 server in an Active Directory domain.
• Exchange 2000 servers acting as bridgehead servers for Directory Replication Connectors.
• Exchange 2003 servers with Site Replication Services (both installation and removal).
• The first instance of a Lotus Notes or Novell GroupWise connector.
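The group and machine-account conditions described above can be verified before Setup is run. The following PowerShell script is an added example, not part of this documentation; it assumes the RSAT ActiveDirectory module is installed, and the function name and the way a "moved" group is detected (by its distinguished name) are the author's choices. The two group names are the ones Setup itself checks.

```powershell
# Added example, not part of the Exchange documentation. Assumes the RSAT
# ActiveDirectory module; group names are the ones Exchange 2003 Setup checks.
Import-Module ActiveDirectory

function Test-ExchangeSetupGroups {
    param([string] $ComputerName = $env:COMPUTERNAME)

    $result = [ordered]@{}
    foreach ($groupName in 'Exchange Domain Servers', 'Exchange Enterprise Servers') {
        # Setup stops with a warning if either group was moved, deleted or renamed.
        # A deletion or rename shows up as "missing"; a move shows up in the DN,
        # which is recorded so an administrator can compare it with the expected OU.
        $group = Get-ADGroup -Filter "Name -eq '$groupName'"
        if ($null -eq $group) {
            $result[$groupName] = 'MISSING (deleted or renamed)'
        } else {
            $result[$groupName] = $group.DistinguishedName
        }
    }

    # A domain administrator must add this server's machine account to
    # Exchange Domain Servers before Setup runs; check the membership directly.
    $computer = Get-ADComputer -Identity $ComputerName
    $members  = @(Get-ADGroupMember -Identity 'Exchange Domain Servers' -ErrorAction SilentlyContinue)
    $inGroup  = [bool]($members | Where-Object { $_.distinguishedName -eq $computer.DistinguishedName })
    $result['MachineAccountInExchangeDomainServers'] = $inGroup

    [pscustomobject]$result
}

# Run on the computer that will receive Exchange Server 2003, with an account
# that can read the domain's group memberships.
Test-ExchangeSetupGroups
```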
Note
The Exchange administrator roles in Exchange Server 2003 are equivalent to those in
Exchange 2000. For example, anyone to whom you have delegated Exchange Full
Administrator permissions in Exchange 2000 can install and fully administer
Exchange 2003 servers.

In addition, if you are upgrading an Exchange 5.5 organization to Exchange Server 2003, you are
no longer required to be an Exchange 5.5 Administrator; this is because the option to join an
existing Exchange 5.5 organization occurs during Setup instead of during ForestPrep.
Table 9.2 lists the permissions required to run ForestPrep and DomainPrep and to install
Exchange 2003.

Table 9.2 Permission requirements for Setup tasks

Task: Run ForestPrep for the first time in the forest (updates the schema)
Required permissions or roles:
• Enterprise Administrator
• Schema Administrator
• Domain Administrator
• Local Machine Administrator

Task: Run ForestPrep thereafter
Required permissions or roles:
• Exchange Full Administrator at the organization level
• Local Machine Administrator

Task: Run DomainPrep
Required permissions or roles:
• Domain Administrator
• Local Machine Administrator

Task: Install Exchange Server 2003 on the first server in a domain
Required permissions or roles:
• Full Exchange Administrator at the organization level
• Exchange 5.5 Administrator under the organization, site, and configuration nodes (if
installing into an Exchange 5.5 site)
• Local Machine Administrator

Task: Install Exchange Server 2003 on additional servers in the domain
Required permissions or roles:
• Full Exchange Administrator at the administrative group level
• Exchange 5.5 Site Administrator (if installing into an Exchange 5.5 site)
• Local Machine Administrator

Task: Install ADC
Required permissions or roles:
• Domain Administrator
• Enterprise Administrator
• Local Machine Administrator

Task: Install Exchange Server 2003 on a server with SRS enabled
Required permissions or roles:
• Exchange Full Administrator at the organization level
• Local Machine Administrator

Upgrading Front-End Servers

You must upgrade all front-end servers in an Administrative Group before you can upgrade or
install Exchange Server 2003 on any other servers in the Administrative Group. Setup ensures
that front-end servers are upgraded before back-end servers, such as bridgehead servers, public
folder servers, and mailbox servers. Otherwise, Setup stops.
Note
Exchange 2003 servers are compatible with Exchange 2000. Therefore, users can
access information that is located on Exchange 2000 servers through an
Exchange 2003 front-end server.

In addition, ensure that the required services are running before you upgrade. For Exchange 2003
Setup to run, you must install and enable the following services:

• Network News Transfer Protocol (NNTP) service (NntpSvc)
• Simple Mail Transfer Protocol (SMTP) service (SMTPSVC)
• World Wide Web Publishing Service (W3SVC)
• IIS Admin Service (IISADMIN)

If the following services are disabled, Setup still runs; however, Setup enables these services
automatically:

• Microsoft Exchange MTA Stacks service (MSExchangeMTA)
• Microsoft Exchange IMAP4 service (IMAP4SVC)
• Microsoft Exchange POP3 service (POP3SVC)
• Microsoft Exchange Information Store service (MSExchangeIS)
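As an added example (not part of this documentation), the following PowerShell script checks the two service groups listed above before an upgrade, and also covers step 5 of the "To install Exchange System Management Tools" procedure, where SMTP, World Wide Web Publishing and NNTP are disabled on a management-tools-only computer. The service names are the ones this chapter lists; the function names and the use of the Win32_Service WMI class for the start mode are assumptions.

```powershell
# Added example, not part of the Exchange documentation. Service names are the
# ones this chapter lists; function names and the Win32_Service lookup are assumptions.

# Must be installed and enabled, or Exchange 2003 Setup refuses to run.
$SetupBlockingServices = @('NntpSvc', 'SMTPSVC', 'W3SVC', 'IISADMIN')
# Setup enables these itself if they are disabled; reported for completeness.
$SetupEnabledServices  = @('MSExchangeMTA', 'IMAP4SVC', 'POP3SVC', 'MSExchangeIS')

function Get-ExchangeSetupServiceState {
    param(
        [Parameter(Mandatory)] [string[]] $Name,
        [switch] $BlocksSetup   # set for services Setup requires to be enabled
    )
    foreach ($svc in $Name) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled), which is what matters here.
        $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
        if ($null -eq $s) {
            # A missing service blocks Setup only if it is in the required group.
            [pscustomobject]@{
                Name = $svc; Installed = $false; StartMode = 'n/a'; State = 'n/a'
                Blocking = $BlocksSetup.IsPresent
            }
            continue
        }
        [pscustomobject]@{
            Name      = $svc
            Installed = $true
            StartMode = $s.StartMode
            State     = $s.State
            Blocking  = ($BlocksSetup.IsPresent -and $s.StartMode -eq 'Disabled')
        }
    }
}

function Test-ExchangeSetupServices {
    # Prints the full report and returns $true only when nothing would stop Setup.
    $report = @(Get-ExchangeSetupServiceState -Name $SetupBlockingServices -BlocksSetup) +
              @(Get-ExchangeSetupServiceState -Name $SetupEnabledServices)
    $report | Format-Table -AutoSize | Out-Host
    return -not ($report | Where-Object Blocking)
}

function Disable-UnusedSetupService {
    # Step 5 of the management-tools-only procedure: after Setup, stop and disable
    # the services you do not intend to run on that computer. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]] $Name = @('SMTPSVC', 'W3SVC', 'NntpSvc'))
    foreach ($svc in $Name) {
        if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) { continue }
        if ($PSCmdlet.ShouldProcess($svc, 'Stop service and set StartupType to Disabled')) {
            Stop-Service -Name $svc -Force
            Set-Service  -Name $svc -StartupType Disabled
        }
    }
}

# Pre-upgrade check on an Exchange 2000 server about to be upgraded.
if (-not (Test-ExchangeSetupServices)) {
    Write-Warning 'Setup will stop: install or enable every service flagged Blocking.'
}
```

On a management-tools-only workstation, run `Disable-UnusedSetupService -WhatIf` first to see which of the three services are present before disabling them.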

Upgrading Active Directory Connector

You must upgrade all versions of Active Directory Connector (ADC) in the organization to the
version provided with Exchange Server 2003. Setup retrieves information about the ADC
versions that are running in the organization. If all ADC versions have been upgraded to the
Exchange 2003 version, Setup will proceed. However, if older versions of ADC exist, Setup will
stop and identify the servers that are running the older ADC versions.

Removing Mobile Information Server Components
If you previously installed the Microsoft Mobile Information Server Exchange Event Sink
component on an Exchange 2000 server, you must remove the component before you can install
or upgrade to Exchange Server 2003. If you want to retain Mobile Information Server
functionality, do not upgrade the Exchange 2000 servers that are running Mobile Information
Server. Instead, upgrade to Exchange 2003 on other servers in your organization.

To remove Mobile Information Server components from a server
1. Verify that you have the proper permissions to uninstall Mobile Information Server. To
uninstall Mobile Information Server, you must be a member of the Microsoft Mobility
Admins group, as well as a member of the local Administrators group on the computer from
which you are uninstalling Mobile Information Server.
2. On the server with Mobile Information Server installed, click Start, click Settings, and then
click Control Panel.
3. Double-click Add/Remove Programs.
4. On the Change or Remove Programs screen, select Mobile Information Server.
5. Click Remove.
6. Click Yes to confirm that you want to remove Mobile Information Server.
7. On the warning about wireless enabled users, click Yes.
Mobile Information Server is now removed from the computer. The Mobile Information
Server-specific server instance is removed from Active Directory, and the computer will no longer
display as a server running Mobile Information Server in Exchange System Manager.

Required Components for Mobility Support
The Outlook Mobile Access component included with Exchange Server 2003 requires
.NET Framework. Because the Outlook Mobile Access component is part of the typical server
installation, you must install .NET Framework on the server before running Setup.

Removing Instant Messaging, Chat, ccMail, MSMail, and Key Management Service Components
The Instant Messaging service, Chat service, Key Management Service, MSMail connector, and
ccMail connector components are not supplied with Exchange Server 2003. If you want to
upgrade an existing Exchange 2000 server to Exchange 2003, and one or more of these
components are installed, you must use Exchange 2003 Setup to remove the components before
upgrading.
Note
If you want to retain these services in your organization, you should not upgrade the
Exchange 2000 servers running these components. Instead, you should install
Exchange Server 2003 on other servers in your organization.

Third-Party Software
As part of your planning, you should ensure that all third-party software you want to use is
compatible with Exchange Server 2003. Specifically, you should determine whether any
compatibility issues could result from the following new Exchange 2003 features:

• Exchange-aware Antivirus Software New features have been added to the Exchange
Virus Scanning Application Programming Interface (VSAPI) in Exchange 2003.
• Exchange-aware Backup and Restore Software New features have been added to
Backup (such as Restore Groups and Snapshot) in Exchange 2003.
• Exchange-aware Enterprise Management New features and WMI providers have been
added in Exchange 2003.

Installing Exchange 2003 or Upgrading from Exchange 2000
After planning your installation or upgrade and ensuring that your environment meets all of the
prerequisites listed in this chapter, you can run the Exchange Server Deployment Tools to install
Exchange 2003 on a new server or upgrade an Exchange 2000 server. The Exchange Server
Deployment Tools consist of tools and documentation that lead you through the entire installation
or upgrade process, including running ForestPrep and DomainPrep and ensuring that all of the
required tools and services are installed and run properly.
Important
For information about upgrading from an Exchange 5.5 organization, see "Upgrading
from Exchange 5.5 to Exchange 2003" later in this chapter.

To start the Exchange Server Deployment Tools
1. Insert the Exchange Server 2003 CD into your CD-ROM drive.
2. On the Welcome to Exchange Server 2003 Setup page, click Exchange Deployment
Tools.
3. If the Welcome to Exchange Server 2003 Setup page does not appear after you insert your
CD, double-click Setup.exe, and then click Exchange Deployment Tools to begin.
4. Follow the step-by-step instructions in the Exchange Server Deployment Tools
documentation.
After you complete the Exchange Server Deployment Tools, Exchange 2003 is installed on the
server.

Upgrading from Exchange 5.5 to Exchange 2003
Unlike Exchange 2000 servers, Exchange 5.5 servers cannot be directly upgraded to
Exchange 2003. However, you can join a new Exchange 2003 server to an existing Exchange 5.5
organization. As part of this upgrade process, you must set up Active Directory Connector (ADC)
and ensure that objects replicate properly between the Exchange 5.5 directory and Active
Directory. To simplify this process, use the Exchange Server Deployment Tools, which consists
of tools and documentation that lead you through the entire upgrade process, including running
ForestPrep and DomainPrep, installing ADC, creating connection agreements, and installing
Exchange 2003.
The Exchange Server Deployment Tools are a prerequisite for Setup when you are joining a
server to an Exchange 5.5 organization. When you choose to join an existing Exchange 5.5
organization, Setup checks Active Directory for markers that indicate that the deployment tools
have been run.
You can use the Exchange Server Deployment Tools to ensure that all of the required tools have
been run. First, install the Exchange 2003 version of ADC. Then start the Exchange Server
Deployment Tools.

To start the Exchange Server Deployment Tools
1. Insert the Exchange Server 2003 CD into your CD-ROM drive.
2. On the Welcome to Exchange Server 2003 Setup page, click Exchange Deployment Tools.
3. If the Welcome to Exchange Server 2003 Setup page does not appear after you insert your
CD, open the Support folder, double-click Setup.exe, and then click Exchange
Deployment Tools to begin.
4. Follow the step-by-step instructions in the Exchange Server Deployment Tools
documentation.
After you complete the Exchange Server Deployment Tools, Active Directory Connector is set
up, and Exchange 2003 is installed on the server.
Appendix: Exchange 2003 Schema Changes

This appendix lists, as the contents of an LDF file, the Microsoft® Active Directory® directory
service schema changes between Exchange 2000 Server and Exchange Server 2003.
dn: CN=ms-Exch-AuthMailDisposition,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-AuthMailDisposition
adminDisplayName: ms-Exch-AuthMailDisposition
attributeID: 1.2.840.113556.1.4.5061
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchAuthMailDisposition
name: ms-Exch-AuthMailDisposition
oMSyntax: 2
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: 97bPVywePk2W30AghiS6/w==
searchFlags: 0

dn: CN=ms-Exch-Authorization-Persistence,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Authorization-Persistence
adminDisplayName: ms-Exch-Authorization-Persistence
attributeID: 1.2.840.113556.1.4.7000.102.15011
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchAuthorizationPersistence
name: ms-Exch-Authorization-Persistence
oMSyntax: 2
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: a2Gu1sUWzkSycouSOuvjNQ==
searchFlags: 0

dn: CN=ms-Exch-Bar-Message-Class,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Bar-Message-Class
adminDisplayName: ms-Exch-Bar-Message-Class
attributeID: 1.2.840.113556.1.4.7000.102.1064
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
lDAPDisplayName: msExchBarMessageClass
name: ms-Exch-Bar-Message-Class
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: SeVDz+EqD0G4lgLkC5NDcw==
searchFlags: 0

dn: CN=ms-Exch-Chat-Max-Connections-Per-IP,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Chat-Max-Connections-Per-IP
adminDisplayName: ms-Exch-Chat-Max-Connections-Per-IP
attributeID: 1.2.840.113556.1.4.7000.102.8049
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchChatMaxConnectionsPerIP
name: ms-Exch-Chat-Max-Connections-Per-IP
oMSyntax: 2
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: a37FKjf3QU6DhnKV3b4F5g==
searchFlags: 0

dn: CN=ms-Exch-Chat-Max-Octets-To-Mask,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Chat-Max-Octets-To-Mask
adminDisplayName: ms-Exch-Chat-Max-Octets-To-Mask
attributeID: 1.2.840.113556.1.4.7000.102.8050
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchChatMaxOctetsToMask
name: ms-Exch-Chat-Max-Octets-To-Mask
oMSyntax: 2
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: I3vjPYkn9021H/kgzlREWA==
searchFlags: 0

dn: CN=ms-Exch-Default-Load-File,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Default-Load-File
adminDisplayName: ms-Exch-Default-Load-File
attributeID: 1.2.840.113556.1.4.7000.102.15010
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchDefaultLoadFile
name: ms-Exch-Default-Load-File
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: fGZnYjTPfUC6EXzIzGjKGw==
searchFlags: 0

dn: CN=ms-Exch-Dynamic-DL-BaseDN,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Dynamic-DL-BaseDN
adminDisplayName: ms-Exch-Dynamic-DL-BaseDN
attributeID: 1.2.840.113556.1.4.7000.102.12543
attributeSyntax: 2.5.5.1
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
lDAPDisplayName: msExchDynamicDLBaseDN
name: ms-Exch-Dynamic-DL-BaseDN
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: +Q49dpK9+UGrNH4ynbdu4w==
searchFlags: 0

dn: CN=ms-Exch-Dynamic-DL-Filter,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Dynamic-DL-Filter
adminDisplayName: ms-Exch-Dynamic-DL-Filter
attributeID: 1.2.840.113556.1.4.7000.102.12544
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
lDAPDisplayName: msExchDynamicDLFilter
name: ms-Exch-Dynamic-DL-Filter
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: LNO24axr2kijEytYrhxFzg==
searchFlags: 0

dn: CN=ms-Exch-Encrypted-Anonymous-Password,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Encrypted-Anonymous-Password
adminDisplayName: ms-Exch-Encrypted-Anonymous-Password
attributeID: 1.2.840.113556.1.4.7000.102.15009
attributeSyntax: 2.5.5.10
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchEncryptedAnonymousPassword
name: ms-Exch-Encrypted-Anonymous-Password
oMSyntax: 4
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: /FXAXT9cb0qjSk28to4q0A==
searchFlags: 0

dn: CN=ms-Exch-Folder-Affinity-Custom,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Folder-Affinity-Custom
adminDisplayName: ms-Exch-Folder-Affinity-Custom
attributeID: 1.2.840.113556.1.4.7000.102.11090
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchFolderAffinityCustom
name: ms-Exch-Folder-Affinity-Custom
oMSyntax: 2
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: eiVwULeF1E6y4lH3JmhMWA==
searchFlags: 0

dn: CN=ms-Exch-Folder-Affinity-List,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Folder-Affinity-List
adminDisplayName: ms-Exch-Folder-Affinity-List
attributeID: 1.2.840.113556.1.4.7000.102.11089
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
lDAPDisplayName: msExchFolderAffinityList
name: ms-Exch-Folder-Affinity-List
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: gLySNRcRYkmqUDjG5pu7kQ==
searchFlags: 0

dn: CN=ms-Exch-Mailbox-Folder-Set,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Mailbox-Folder-Set
adminDisplayName: ms-Exch-Mailbox-Folder-Set
attributeID: 1.2.840.113556.1.4.7000.102.11091
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
lDAPDisplayName: msExchMailboxFolderSet
name: ms-Exch-Mailbox-Folder-Set
oMSyntax: 2
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: ukEp19D/jk27hZdxNEDIow==
searchFlags: 0

dn: CN=ms-Exch-Max-Restore-Storage-Groups,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Max-Restore-Storage-Groups
adminDisplayName: ms-Exch-Max-Restore-Storage-Groups
attributeID: 1.2.840.113556.1.4.7000.102.11095
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchMaxRestoreStorageGroups
name: ms-Exch-Max-Restore-Storage-Groups
oMSyntax: 2
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: DqjyPoLqG0KKYqElQ8NBQQ==
searchFlags: 0

dn: CN=ms-Exch-Oma-Admin-Extended-Settings,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Admin-Extended-Settings
adminDisplayName: ms-Exch-Oma-Admin-Extended-Settings
attributeID: 1.2.840.113556.1.6.20.1.126
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOmaAdminExtendedSettings
name: ms-Exch-Oma-Admin-Extended-Settings
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: DegK5sl6YU6bw5jLwHJqmQ==
searchFlags: 0

dn: CN=ms-Exch-Oma-Admin-Wireless-Enable,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Admin-Wireless-Enable
adminDisplayName: ms-Exch-Oma-Admin-Wireless-Enable
attributeID: 1.2.840.113556.1.6.20.1.124
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
lDAPDisplayName: msExchOmaAdminWirelessEnable
name: ms-Exch-Oma-Admin-Wireless-Enable
oMSyntax: 2
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: vr+nwWsRN0eM2dKe9bNpDg==
searchFlags: 0

dn: CN=ms-Exch-Orig-MDB,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Orig-MDB
adminDisplayName: ms-Exch-Orig-MDB
attributeID: 1.2.840.113556.1.4.7000.102.11093
attributeSyntax: 2.5.5.1
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchOrigMDB
name: ms-Exch-Orig-MDB
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: J2m29yZ3Zk6eqO/fSNZSAQ==
searchFlags: 0

dn: CN=ms-Exch-Other-Authentication-Flags,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Other-Authentication-Flags
adminDisplayName: ms-Exch-Other-Authentication-Flags
attributeID: 1.2.840.113556.1.4.7000.102.2017
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchOtherAuthenticationFlags
name: ms-Exch-Other-Authentication-Flags
oMSyntax: 2
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: Z/7HtCO1Lk21bqxXtobH4w==
searchFlags: 0

dn: CN=ms-Exch-Preferred-Backfill-Source,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Preferred-Backfill-Source
adminDisplayName: ms-Exch-Preferred-Backfill-Source
attributeID: 1.2.840.113556.1.4.7000.102.11094
attributeSyntax: 2.5.5.1
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchPreferredBackfillSource
name: ms-Exch-Preferred-Backfill-Source
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: VOYDXl3YCEmDoWFBBIxcYg==
searchFlags: 0

dn: CN=ms-Exch-Recip-Turf-List-Names,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Recip-Turf-List-Names
adminDisplayName: ms-Exch-Recip-Turf-List-Names
attributeID: 1.2.840.113556.1.4.7000.102.5070
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
lDAPDisplayName: msExchRecipTurfListNames
name: ms-Exch-Recip-Turf-List-Names
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: 4WgKLte9mUiLstbqAHVYxw==
searchFlags: 0

dn: CN=ms-Exch-Recip-Turf-List-Options,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Recip-Turf-List-Options
adminDisplayName: ms-Exch-Recip-Turf-List-Options
attributeID: 1.2.840.113556.1.4.7000.102.5071
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchRecipTurfListOptions
name: ms-Exch-Recip-Turf-List-Options
oMSyntax: 2
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: szYLhzXQLUC4c87Qexc3Yw==
searchFlags: 0

dn: CN=ms-Exch-RequireAuthToSendTo,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-RequireAuthToSendTo
adminDisplayName: ms-Exch-RequireAuthToSendTo
attributeID: 1.2.840.113556.1.4.5062
attributeSyntax: 2.5.5.8
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
lDAPDisplayName: msExchRequireAuthToSendTo
name: ms-Exch-RequireAuthToSendTo
oMSyntax: 1
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: O+sz9Vv3s0+y+wjNU3qE0Q==
searchFlags: 0

dn: CN=ms-Exch-Restore,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Restore
adminDisplayName: ms-Exch-Restore
attributeID: 1.2.840.113556.1.4.7000.102.11092
attributeSyntax: 2.5.5.8
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchRestore
name: ms-Exch-Restore
oMSyntax: 1
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: TMvtoUVcSk2xKIgDkuncxg==
searchFlags: 0

dn: CN=ms-Exch-SASL-Mechanisms,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-SASL-Mechanisms
adminDisplayName: ms-Exch-SASL-Mechanisms
attributeID: 1.2.840.113556.1.4.7000.102.2018
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
lDAPDisplayName: msExchSASLMechanisms
name: ms-Exch-SASL-Mechanisms
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: tHE12ZrJ/Eyqui2An9aOeQ==
searchFlags: 0

dn: CN=ms-Exch-Server-Bindings-Filtering,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Server-Bindings-Filtering
adminDisplayName: ms-Exch-Server-Bindings-Filtering
attributeID: 1.2.840.113556.1.4.7000.102.5072
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
lDAPDisplayName: msExchServerBindingsFiltering
name: ms-Exch-Server-Bindings-Filtering
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: +t+uYbQ0cEGLq7h5Thy09A==
searchFlags: 0

dn: CN=ms-Exch-Smtp-Connection-Rules-Priority,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Smtp-Connection-Rules-Priority
adminDisplayName: ms-Exch-Smtp-Connection-Rules-Priority
attributeID: 1.2.840.113556.1.4.7000.102.5064
attributeSyntax: 2.5.5.10
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchSmtpConnectionRulesPriority
name: ms-Exch-Smtp-Connection-Rules-Priority
oMSyntax: 4
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: jE/ChpslGU+IuZyURZNhIQ==
searchFlags: 0

dn: CN=ms-Exch-Smtp-Connection-Turf-List-Display,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Smtp-Connection-Turf-List-Display
adminDisplayName: ms-Exch-Smtp-Connection-Turf-List-Display
attributeID: 1.2.840.113556.1.4.7000.102.5065
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchSmtpConnectionTurfListDisplay
name: ms-Exch-Smtp-Connection-Turf-List-Display
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: rAT7c9SyTUqFIHV908kmGg==
searchFlags: 0

dn: CN=ms-Exch-Smtp-Connection-Turf-List-DNS,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Smtp-Connection-Turf-List-DNS
adminDisplayName: ms-Exch-Smtp-Connection-Turf-List-DNS
attributeID: 1.2.840.113556.1.4.7000.102.5067
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchSmtpConnectionTurfListDNS
name: ms-Exch-Smtp-Connection-Turf-List-DNS
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: 5n3uP+XTy0OEWfegcq43iQ==
searchFlags: 0

dn: CN=ms-Exch-Smtp-Connection-Turf-List-Mask,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Smtp-Connection-Turf-List-Mask
adminDisplayName: ms-Exch-Smtp-Connection-Turf-List-Mask
attributeID: 1.2.840.113556.1.4.7000.102.5069
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchSmtpConnectionTurfListMask
name: ms-Exch-Smtp-Connection-Turf-List-Mask
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: r0ECvDidQEyELlHYAlBt5Q==
searchFlags: 0

dn: CN=ms-Exch-Smtp-Connection-Turf-List-Options,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Smtp-Connection-Turf-List-Options
adminDisplayName: ms-Exch-Smtp-Connection-Turf-List-Options
attributeID: 1.2.840.113556.1.4.7000.102.5066
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchSmtpConnectionTurfListOptions
name: ms-Exch-Smtp-Connection-Turf-List-Options
oMSyntax: 2
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: YCPmWgURi02KHqLHk7TVfQ==
searchFlags: 0

dn: CN=ms-Exch-Smtp-Connection-Turf-List-Response,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Smtp-Connection-Turf-List-Response
adminDisplayName: ms-Exch-Smtp-Connection-Turf-List-Response
attributeID: 1.2.840.113556.1.4.7000.102.5068
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchSmtpConnectionTurfListResponse
name: ms-Exch-Smtp-Connection-Turf-List-Response
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: j9nd7gHay06mXl8Bbx2AMg==
searchFlags: 0

dn: CN=ms-Exch-Smtp-Connection-Whitelist,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Smtp-Connection-Whitelist
adminDisplayName: ms-Exch-Smtp-Connection-Whitelist
attributeID: 1.2.840.113556.1.4.7000.102.5063
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
lDAPDisplayName: msExchSmtpConnectionWhitelist
name: ms-Exch-Smtp-Connection-Whitelist
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: OkbPhx5WzkWgum1SjxEdIw==
searchFlags: 0

dn: CN=ms-Exch-SubmitRelaySD,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-SubmitRelaySD
adminDisplayName: ms-Exch-SubmitRelaySD
attributeID: 1.2.840.113556.1.4.5060
attributeSyntax: 2.5.5.15
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchSubmitRelaySD
name: ms-Exch-SubmitRelaySD
oMSyntax: 66
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: zPvO4sHcpUW6uNX0vXiITQ==
searchFlags: 0

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-Exch-Oma-User,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-User
adminDisplayName: ms-Exch-Oma-User
defaultHidingValue: TRUE
defaultSecurityDescriptor: D:S:
governsID: 1.2.840.113556.1.6.20.2.31
lDAPDisplayName: msExchOmaUser
name: ms-Exch-Oma-User
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 3
rDNAttID: cn
schemaIdGuid:: dqmgNo3drUqB/aG11AFsqA==
subClassOf: top
mayContain: msExchOmaAdminExtendedSettings
mayContain: msExchOmaAdminWirelessEnable

dn: CN=ms-Exch-Smtp-Connection-Turf-List,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Smtp-Connection-Turf-List
adminDisplayName: ms-Exch-Smtp-Connection-Turf-List
defaultHidingValue: TRUE
defaultSecurityDescriptor: D:S:
governsID: 1.2.840.113556.1.5.7000.62.12010
lDAPDisplayName: msExchSmtpConnectionTurfList
name: ms-Exch-Smtp-Connection-Turf-List
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: 6X3qfp4xikCEYONeLJ2jiQ==
subClassOf: top
possSuperiors: msExchSMTPTurfList
mayContain: msExchSmtpConnectionRulesPriority
mayContain: msExchSmtpConnectionWhitelist

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-Exch-Smtp-Connection-Turf-List-Rule,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Smtp-Connection-Turf-List-Rule
adminDisplayName: ms-Exch-Smtp-Connection-Turf-List-Rule
defaultHidingValue: TRUE
defaultSecurityDescriptor: D:S:
governsID: 1.2.840.113556.1.5.7000.62.12011
lDAPDisplayName: msExchSmtpConnectionTurfListRule
name: ms-Exch-Smtp-Connection-Turf-List-Rule
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: rd+6avbi202YIA2pxH2jLA==
subClassOf: top
possSuperiors: msExchSmtpConnectionTurfList
mayContain: msExchSmtpConnectionTurfListDisplay
mayContain: msExchSmtpConnectionTurfListDNS
mayContain: msExchSmtpConnectionTurfListMask
mayContain: msExchSmtpConnectionTurfListOptions
mayContain: msExchSmtpConnectionTurfListResponse

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,<SchemaContainerDN>
changetype: modify
add: auxiliaryClass
auxiliaryClass: msExchOmaUser
-

dn: CN=ms-Exch-Dynamic-Distribution-List,<SchemaContainerDN>
changetype: modify
replace: defaultHidingValue
defaultHidingValue: FALSE
-

dn: CN=ms-Exch-Dynamic-Distribution-List,<SchemaContainerDN>
changetype: modify
replace: defaultSecurityDescriptor
defaultSecurityDescriptor: D:(A;;RP;;;AU)
-

dn: CN=ms-Exch-Dynamic-Distribution-List,<SchemaContainerDN>
changetype: modify
add: possSuperiors
possSuperiors: builtinDomain
-

dn: CN=ms-Exch-Dynamic-Distribution-List,<SchemaContainerDN>
changetype: modify
add: possSuperiors
possSuperiors: domainDNS
-

dn: CN=ms-Exch-Dynamic-Distribution-List,<SchemaContainerDN>
changetype: modify
add: possSuperiors
possSuperiors: organizationalUnit
-

dn: CN=Text-Country,<SchemaContainerDN>
changetype: modify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-

dn: CN=ms-Exch-Other-Authentication-Flags,<SchemaContainerDN>
changetype: modify
replace: lDAPDisplayName
lDAPDisplayName: msExchOtherAuthenticationFlags
-

dn: CN=Mail-Recipient,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchAssistantName
-

dn: CN=Mail-Recipient,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchAssistantName
-

dn: CN=Mail-Recipient,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchLabeledURI
-

dn: CN=Mail-Recipient,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchLabeledURI
-

dn: CN=Mail-Recipient,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchMailboxFolderSet
-

dn: CN=Mail-Recipient,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchRequireAuthToSendTo
-

dn: CN=ms-Exch-Admin-Group,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: domainDefAltRecip
-

dn: CN=ms-Exch-Calendar-Connector,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchEncryptedPassword
-

dn: CN=ms-Exch-Calendar-Connector,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchNotesNotesINI
-

dn: CN=ms-Exch-Calendar-Connector,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchNotesNotesServer
-

dn: CN=ms-Exch-Chat-User-Class,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchChatMaxConnectionsPerIP
-

dn: CN=ms-Exch-Chat-User-Class,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchChatMaxOctetsToMask
-

dn: CN=ms-Exch-Dynamic-Distribution-List,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: managedBy
-

dn: CN=ms-Exch-Dynamic-Distribution-List,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchDynamicDLBaseDN
-

dn: CN=ms-Exch-Dynamic-Distribution-List,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchDynamicDLFilter
-

dn: CN=ms-Exch-Dynamic-Distribution-List,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchPurportedSearchUI
-

dn: CN=ms-Exch-Exchange-Server,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchFolderAffinityCustom
-

dn: CN=ms-Exch-Exchange-Server,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchFolderAffinityList
-

dn: CN=ms-Exch-Information-Store,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchMaxRestoreStorageGroups
-

dn: CN=ms-Exch-Mail-Gateway,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchBarMessageClass
-

dn: CN=ms-Exch-Organization-Container,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: heuristics
-

dn: CN=ms-Exch-Private-MDB,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchOrigMDB
-

dn: CN=ms-Exch-Private-MDB,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchRestore
-

dn: CN=ms-Exch-Protocol-Cfg-HTTP-Server,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchAuthorizationPersistence
-

dn: CN=ms-Exch-Protocol-Cfg-HTTP-Server,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchDefaultLoadFile
-

dn: CN=ms-Exch-Protocol-Cfg-HTTP-Server,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchEncryptedAnonymousPassword
-

dn: CN=ms-Exch-Protocol-Cfg-IMAP-Container,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchSASLMechanisms
-

dn: CN=ms-Exch-Protocol-Cfg-IMAP-Server,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchOtherAuthenticationFlags
-

dn: CN=ms-Exch-Protocol-Cfg-POP-Container,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchSASLMechanisms
-

dn: CN=ms-Exch-Protocol-Cfg-POP-Server,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchOtherAuthenticationFlags
-

dn: CN=ms-Exch-Protocol-Cfg-SMTP-Server,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchAuthMailDisposition
-

dn: CN=ms-Exch-Protocol-Cfg-SMTP-Server,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchServerBindingsFiltering
-

dn: CN=ms-Exch-Protocol-Cfg-SMTP-Server,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchSubmitRelaySD
-

dn: CN=ms-Exch-Public-MDB,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchPreferredBackfillSource
-

dn: CN=ms-Exch-SMTP-Turf-List,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchRecipTurfListNames
-

dn: CN=ms-Exch-SMTP-Turf-List,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchRecipTurfListOptions
-

dn: CN=ms-Exch-Storage-Group,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchRestore
-

dn: CN=Organizational-Person,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: employeeNumber
-

dn: CN=Organizational-Person,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchHouseIdentifier
-

dn: CN=Organizational-Person,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchHouseIdentifier
-

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-Exch-BackEnd-VDir-URL,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-BackEnd-VDir-URL
adminDisplayName: ms-Exch-BackEnd-VDir-URL
attributeID: 1.2.840.113556.1.4.7000.102.15012
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchBackEndVDirURL
name: ms-Exch-BackEnd-VDir-URL
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: toOytD8MWUqeUL6QJiKCMQ==
searchFlags: 0

dn: CN=ms-Exch-Oma-Carrier-Address,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Carrier-Address
adminDisplayName: ms-Exch-Oma-Carrier-Address
attributeID: 1.2.840.113556.1.6.20.1.139
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchOmaCarrierAddress
name: ms-Exch-Oma-Carrier-Address
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: uFjoq689fkCxpjoyPtMzSw==
searchFlags: 0

dn: CN=ms-Exch-Oma-Carrier-Type,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Carrier-Type
adminDisplayName: ms-Exch-Oma-Carrier-Type
attributeID: 1.2.840.113556.1.6.20.1.145
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchOmaCarrierType
name: ms-Exch-Oma-Carrier-Type
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: rSSzH6MtSEWPWvNEV/ivSg==
searchFlags: 0

dn: CN=ms-Exch-Oma-Carrier-Url,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Carrier-Url
adminDisplayName: ms-Exch-Oma-Carrier-Url
attributeID: 1.2.840.113556.1.6.20.1.146
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchOmaCarrierUrl
name: ms-Exch-Oma-Carrier-Url
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: jYegrPGJ9UWkj2gLflUFcw==
searchFlags: 0

dn: CN=ms­Exch­Oma­Configuration,<SchemaContainerDN>
changetype: add
adminDescription: ms­Exch­Oma­Configuration
adminDisplayName: ms­Exch­Oma­Configuration
attributeID: 1.2.840.113556.1.6.20.1.137
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchOmaConfiguration
name: ms­Exch­Oma­Configuration
oMSyntax: 64
objectCategory: CN=Attribute­Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: xyvh14hCZki8kfDuGJZcFQ==
searchFlags: 0

dn: CN=ms­Exch­Oma­Deliverer,<SchemaContainerDN>
changetype: add
adminDescription: ms­Exch­Oma­Deliverer
adminDisplayName: ms­Exch­Oma­Deliverer
attributeID: 1.2.840.113556.1.6.20.1.144
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
288 What's New in Exchange Server 2003

lDAPDisplayName: msExchOmaDeliverer
name: ms­Exch­Oma­Deliverer
oMSyntax: 64
objectCategory: CN=Attribute­Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: nwAxovKdPUCfvZmAkElyLQ==
searchFlags: 0

dn: CN=ms­Exch­Oma­Delivery­Provider­DN,<SchemaContainerDN>
changetype: add
adminDescription: ms­Exch­Oma­Delivery­Provider­DN
adminDisplayName: ms­Exch­Oma­Delivery­Provider­DN
attributeID: 1.2.840.113556.1.6.20.1.138
attributeSyntax: 2.5.5.1
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchOmaDeliveryProviderDN
name: ms­Exch­Oma­Delivery­Provider­DN
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
objectCategory: CN=Attribute­Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: aRoOHyzWBUGZHayv9LB9cQ==
searchFlags: 0

dn: CN=ms­Exch­Oma­Device­Capability­DN,<SchemaContainerDN>
changetype: add
adminDescription: ms­Exch­Oma­Device­Capability­DN
adminDisplayName: ms­Exch­Oma­Device­Capability­DN
attributeID: 1.2.840.113556.1.6.20.1.133
attributeSyntax: 2.5.5.1
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
lDAPDisplayName: msExchOmaDeviceCapabilityDN
name: ms­Exch­Oma­Device­Capability­DN
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
objectCategory: CN=Attribute­Schema,<SchemaContainerDN>
Appendix: Exchange 2003 Schema Changes 289

objectClass: attributeSchema
schemaIdGuid:: xL0QBRmbZ02ToY3aBMFVaA==
searchFlags: 0

dn: CN=ms­Exch­Oma­Extended­Properties,<SchemaContainerDN>
changetype: add
adminDescription: ms­Exch­Oma­Extended­Properties
adminDisplayName: ms­Exch­Oma­Extended­Properties
attributeID: 1.2.840.113556.1.6.20.1.143
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
lDAPDisplayName: msExchOmaExtendedProperties
name: ms­Exch­Oma­Extended­Properties
oMSyntax: 64
objectCategory: CN=Attribute­Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: fFO+noL4PUeYC85SICp12A==
searchFlags: 0

dn: CN=ms-Exch-Oma-Formatter,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Formatter
adminDisplayName: ms-Exch-Oma-Formatter
attributeID: 1.2.840.113556.1.6.20.1.135
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
lDAPDisplayName: msExchOmaFormatter
name: ms-Exch-Oma-Formatter
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: as0n6Dy2RE2WGngaZ5SaNg==
searchFlags: 0

dn: CN=ms-Exch-Oma-Translator,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Translator
adminDisplayName: ms-Exch-Oma-Translator
attributeID: 1.2.840.113556.1.6.20.1.136
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
lDAPDisplayName: msExchOmaTranslator
name: ms-Exch-Oma-Translator
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: iljy0B5wSUaTeQYsYrk+9g==
searchFlags: 0

dn: CN=ms-Exch-Oma-Validater,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Validater
adminDisplayName: ms-Exch-Oma-Validater
attributeID: 1.2.840.113556.1.6.20.1.134
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: FALSE
isSingleValued: FALSE
lDAPDisplayName: msExchOmaValidater
name: ms-Exch-Oma-Validater
oMSyntax: 64
objectCategory: CN=Attribute-Schema,<SchemaContainerDN>
objectClass: attributeSchema
schemaIdGuid:: QAx9qL3LoU26LnBIMvylsQ==
searchFlags: 0

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-Exch-Oma-Carrier,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Carrier
adminDisplayName: ms-Exch-Oma-Carrier
defaultHidingValue: TRUE
defaultSecurityDescriptor: D:(A;;LCLORPRC;;;AU)
governsID: 1.2.840.113556.1.6.20.2.37
lDAPDisplayName: msExchOmaCarrier
name: ms-Exch-Oma-Carrier
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: TNMSh+UnskGXbkgq2MlU5w==
subClassOf: container
mayContain: msExchOmaCarrierAddress
mayContain: msExchOmaCarrierType
mayContain: msExchOmaCarrierUrl
mayContain: msExchOmaConfiguration
mayContain: msExchOmaDeliveryProviderDN
mayContain: msExchOmaExtendedProperties
mayContain: msExchOmaTranslator

dn: CN=ms-Exch-Oma-Configuration-Container,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Configuration-Container
adminDisplayName: ms-Exch-Oma-Configuration-Container
defaultHidingValue: TRUE
defaultSecurityDescriptor: D:(A;;LCLORPRC;;;AU)
governsID: 1.2.840.113556.1.6.20.2.32
lDAPDisplayName: msExchOmaConfigurationContainer
name: ms-Exch-Oma-Configuration-Container
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: u5oP23AHCU+6ZHmT2RUXtw==
subClassOf: container
mayContain: msExchOmaAdminWirelessEnable
mayContain: msExchOmaExtendedProperties

dn: CN=ms-Exch-Oma-Container,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Container
adminDisplayName: ms-Exch-Oma-Container
defaultHidingValue: TRUE
defaultSecurityDescriptor: D:S:
governsID: 1.2.840.113556.1.6.20.2.38
lDAPDisplayName: msExchOmaContainer
name: ms-Exch-Oma-Container
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: IKs9hkD7pEOl4YJbIHEFDw==
subClassOf: container
mayContain: msExchOmaExtendedProperties

dn: CN=ms-Exch-Oma-Data-Source,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Data-Source
adminDisplayName: ms-Exch-Oma-Data-Source
defaultHidingValue: TRUE
defaultSecurityDescriptor: D:(A;;LCLORPRC;;;AU)
governsID: 1.2.840.113556.1.6.20.2.35
lDAPDisplayName: msExchOmaDataSource
name: ms-Exch-Oma-Data-Source
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: TYqj3SqXokSSRArLSx000Q==
subClassOf: container
mayContain: msExchOmaConfiguration
mayContain: msExchOmaDeliveryProviderDN
mayContain: msExchOmaDeviceCapabilityDN
mayContain: msExchOmaExtendedProperties
mayContain: msExchOmaValidater

dn: CN=ms-Exch-Oma-Delivery-Provider,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Delivery-Provider
adminDisplayName: ms-Exch-Oma-Delivery-Provider
defaultHidingValue: TRUE
defaultSecurityDescriptor: D:S:
governsID: 1.2.840.113556.1.6.20.2.36
lDAPDisplayName: msExchOmaDeliveryProvider
name: ms-Exch-Oma-Delivery-Provider
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: DRO/zeLHckWUsPyb5+75Uw==
subClassOf: container
mayContain: msExchOmaConfiguration
mayContain: msExchOmaDeliverer
mayContain: msExchOmaDeviceCapabilityDN
mayContain: msExchOmaExtendedProperties

dn: CN=ms-Exch-Oma-Device-Capability,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Device-Capability
adminDisplayName: ms-Exch-Oma-Device-Capability
defaultHidingValue: TRUE
defaultSecurityDescriptor: D:(A;;LCLORPRC;;;AU)
governsID: 1.2.840.113556.1.6.20.2.34
lDAPDisplayName: msExchOmaDeviceCapability
name: ms-Exch-Oma-Device-Capability
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: 3/R63xjzLE6sQ75bSJRxHA==
subClassOf: container
mayContain: msExchOmaExtendedProperties
mayContain: msExchOmaFormatter

dn: CN=ms-Exch-Oma-Device-Type,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Device-Type
adminDisplayName: ms-Exch-Oma-Device-Type
defaultHidingValue: TRUE
defaultSecurityDescriptor: D:(A;;LCLORPRC;;;AU)
governsID: 1.2.840.113556.1.6.20.2.33
lDAPDisplayName: msExchOmaDeviceType
name: ms-Exch-Oma-Device-Type
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: s496ytAhp06vP9FcbffAlA==
subClassOf: container
mayContain: msExchOmaDeviceCapabilityDN
mayContain: msExchOmaExtendedProperties

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-Exch-Oma-Connector,<SchemaContainerDN>
changetype: add
adminDescription: ms-Exch-Oma-Connector
adminDisplayName: ms-Exch-Oma-Connector
defaultHidingValue: TRUE
defaultSecurityDescriptor: D:S:
governsID: 1.2.840.113556.1.6.20.2.39
lDAPDisplayName: msExchOmaConnector
name: ms-Exch-Oma-Connector
objectCategory: CN=Class-Schema,<SchemaContainerDN>
objectClass: classSchema
objectClassCategory: 1
rDNAttID: cn
schemaIdGuid:: sdDJTUxZfkCn0kJubCDauw==
subClassOf: msExchConnector
mayContain: legacyExchangeDN
mayContain: deliveryMechanism
mayContain: msExchOmaCarrierUrl
mayContain: msExchSourceBridgeheadServersDN

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-Exch-Restore,<SchemaContainerDN>
changetype: modify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-

dn: CN=ms-Exch-Protocol-Cfg-HTTP-Virtual-Directory,<SchemaContainerDN>
changetype: modify
add: mayContain
mayContain: msExchBackEndVDirURL
-

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

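The class records above each carry a defaultSecurityDescriptor in SDDL, and every record carries a base64-encoded schemaIdGuid. Before importing a schema extension, a reviewer usually wants both in readable form: which principals a new class grants access to by default, and the GUID that the attribute or class will be known by in AD. The script below is an added example, not code from the Exchange documentation or product. It is a small LDIF reader that handles the forms used in this appendix (attr: value, attr:: base64, blank-line record separators, the "-" separator inside changetype: modify records), decodes schemaIdGuid with the mixed-endian byte order Windows uses for GUIDs, and splits each SDDL string into its ACEs using the standard Active Directory right and trustee abbreviations. The embedded sample is a constructed, shortened excerpt of two class records and the rootDSE schemaUpdateNow record from this appendix.

```python
# Added example (not Microsoft's code): read schema LDIF like the appendix above,
# decode schemaIdGuid, and expand each class's defaultSecurityDescriptor SDDL.
# Assumes plain LDIF and the standard AD SDDL right/trustee abbreviations.
import base64
import re
import uuid

# Constructed sample: shortened copies of two class records (different default
# descriptors) and the rootDSE schemaUpdateNow record from the appendix.
SAMPLE_LDIF = """\
dn: CN=ms-Exch-Oma-Carrier,<SchemaContainerDN>
changetype: add
defaultSecurityDescriptor: D:(A;;LCLORPRC;;;AU)
lDAPDisplayName: msExchOmaCarrier
objectClass: classSchema
schemaIdGuid:: TNMSh+UnskGXbkgq2MlU5w==
subClassOf: container
mayContain: msExchOmaCarrierAddress
mayContain: msExchOmaCarrierType

dn: CN=ms-Exch-Oma-Container,<SchemaContainerDN>
changetype: add
defaultSecurityDescriptor: D:S:
lDAPDisplayName: msExchOmaContainer
objectClass: classSchema
schemaIdGuid:: IKs9hkD7pEOl4YJbIHEFDw==

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-
"""

RIGHTS = {"CC": "create child", "DC": "delete child", "LC": "list children",
          "SW": "self write", "RP": "read property", "WP": "write property",
          "DT": "delete tree", "LO": "list object", "CR": "control access",
          "SD": "delete", "RC": "read control", "WD": "write DAC", "WO": "write owner"}
TRUSTEES = {"AU": "Authenticated Users", "WD": "Everyone", "SY": "Local System",
            "BA": "Builtin Administrators", "DA": "Domain Admins", "EA": "Enterprise Admins"}


def _decode(raw):
    """'attr:: b64' -> bytes; 'attr: text' -> stripped text."""
    return base64.b64decode(raw[1:].strip()) if raw.startswith(":") else raw.strip()


def parse_ldif(text):
    """Records as dicts of attribute -> list of values, in LDIF order."""
    records, current, last = [], {}, None
    for line in text.splitlines() + [""]:          # trailing "" flushes the last record
        if line == "":
            if current:
                records.append({k: [_decode(v) for v in vs] for k, vs in current.items()})
            current, last = {}, None
        elif line.startswith(" ") and last is not None:  # folded continuation line
            current[last][-1] += line[1:]
        elif line == "-":                           # modify separator, carries no data
            last = None
        else:
            attr, sep, raw = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            current.setdefault(attr, []).append(raw)
            last = attr
    return records


def schema_guid(record):
    """schemaIdGuid is 16 raw bytes in Windows (mixed-endian) GUID byte order."""
    return str(uuid.UUID(bytes_le=record["schemaIdGuid"][0]))


def parse_sddl(sddl):
    """{'D': aces or None, 'S': aces or None}; an ACE is (type;flags;rights;guid;guid;trustee)."""
    acls = {"D": None, "S": None}
    for part in re.split(r"(?=[OGDS]:)", sddl):    # split before each O:/G:/D:/S:
        if len(part) < 2 or part[0] not in acls:   # owner/group parts are ignored here
            continue
        aces = []
        for ace in re.findall(r"\(([^)]*)\)", part[2:]):
            f = ace.split(";")
            if len(f) != 6:
                raise ValueError("malformed ACE: %r" % ace)
            codes = [f[2]] if f[2].startswith("0x") else re.findall("..", f[2])
            aces.append({"type": f[0], "flags": f[1], "rights": codes, "trustee": f[5]})
        acls[part[0]] = aces
    return acls


def default_access_report(text):
    """Per classSchema record: GUID, default DACL as (type, who, rights), SACL presence."""
    report = {}
    for rec in parse_ldif(text):
        if "classSchema" not in rec.get("objectClass", []):
            continue
        acls = parse_sddl(rec["defaultSecurityDescriptor"][0])
        report[rec["lDAPDisplayName"][0]] = {
            "guid": schema_guid(rec),
            "dacl": [(a["type"], TRUSTEES.get(a["trustee"], a["trustee"]),
                      [RIGHTS.get(c, c) for c in a["rights"]]) for a in acls["D"] or []],
            "sacl_present": acls["S"] is not None}
    return report
```

Run against the real appendix text, default_access_report shows that D:(A;;LCLORPRC;;;AU) (msExchOmaCarrier and the other AU classes) grants Authenticated Users list children, list object, read property and read control on every new instance, while D:S: (msExchOmaContainer, msExchOmaDeliveryProvider, msExchOmaConnector) is an empty DACL and an empty SACL. In both cases the descriptor stamped on a created object also receives inheritable ACEs from its parent container, so treat the class default as the explicit baseline rather than the effective access, and check it for any trustee broader than Authenticated Users before running the import.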
For more information about Exchange, see http://www.microsoft.com/exchange/.


To download a self-extracting executable of all Exchange Product Team technical articles and
online books, see http://go.microsoft.com/fwlink/?LinkId=10687.