Parallels Operations Automation 2.9


Hosted Exchange Deployment Guide
Revision 6.45 (31 July, 2009)

ISBN: N/A
Parallels
660 SW 39th Street, Suite 205
Renton, Washington USA
Phone: +1 (425) Fax: +1 (425)

Copyright 2009, Parallels, Inc. All rights reserved.

Distribution of this work or derivative of this work in any form is prohibited unless prior written permission is obtained from the copyright holder.

Patented technology protected by U.S. Patents 7,328,225; 7,325,017; 7,293,033; 7,099,948; 7,076,633. Patents pending in the U.S.

Product and service names mentioned herein are the trademarks of their respective owners. Parallels Operations Automation is a registered trademark of Parallels.


CHAPTER 1

Preface

Documentation Conventions

Before you start using this guide, it is important to understand the documentation conventions used in it.

Typographical Conventions

The following kinds of formatting in the text identify special information.

Special Bold
    Type of information: Items you must select, such as menu options, command buttons, or items in a list.
    Example: Navigate to the QoS tab.
    Type of information: Titles of modules, sections, and subsections.
    Example: Read the Basic Administration module.

Italics
    Type of information: Used to emphasize the importance of a point, to introduce a term or to designate a command line placeholder, which is to be replaced with a real name or value.
    Example: These are the so-called shared VEs. To destroy a VE, type vzctl destroy VEid.

Important
    Type of information: An important note provides information that is essential to the completion of a task. Users can disregard information in a note and still complete a task, but they should not disregard an important note.
    Example: Important: The device drivers installed automatically during Setup are required by your system. If you remove one of these drivers, your system may not work properly.

Note
    Type of information: A note with the heading Note indicates neutral or positive information that emphasizes or supplements important points of the main text. A note supplies information that may apply only in special cases, for example, memory limitations, equipment configurations, or details that apply to specific versions of a program.
    Example: Note: If Windows prompts you for a network password at startup, your network is already set up and you can skip this section.

Monospace
    Type of information: The names of commands, files, and directories.
    Example: Use vzctl start to start a VE.

Preformatted
    Type of information: On-screen computer output in your command-line sessions; source code in XML, C++, or other programming languages.
    Example: Saved parameters for VE 101

Preformatted Bold
    Type of information: What you type, contrasted with on-screen computer output.
    Example: # rpm -V virtuozzo-release

CAPITALS
    Type of information: Names of keys on the keyboard.
    Example: SHIFT, CTRL, ALT

KEY+KEY
    Type of information: Key combinations for which the user must press and hold down one key and then press another.
    Example: CTRL+P, ALT+F4

General Conventions

Be aware of the following conventions used in this book.

- Modules in this guide are divided into sections, which, in turn, are subdivided into subsections. For example, Documentation Conventions is a section, and General Conventions is a subsection.
- When following steps or using examples, be sure to type double-quotes ("), left single-quotes (`), and right single-quotes (') exactly as shown.
- The key referred to as RETURN is labeled ENTER on some keyboards.

Commands in the directories included into the PATH variable are used without absolute path names. Steps that use commands in other, less common, directories show the absolute paths in the examples.

Feedback

If you have found a mistake in this guide, or if you have suggestions or ideas on how to improve this guide, please send your feedback using the online form. Please include in your report the guide's title, chapter and section titles, and the fragment of text in which you have found an error.

CHAPTER 2

Deploying Hosted Exchange 2003

Microsoft Exchange Server is the Microsoft software for integrated collaborative messaging features such as scheduling, contact, and task management capabilities. With this easy-to-manage software, clients can send and receive electronic mail and other forms of interactive communication through computer networks.

Exchange Server interacts with the following software client applications:

- Microsoft Outlook Express - the client that is designed for home users who require only Internet and newsgroup functionality.
- Microsoft Office Outlook - the client that is designed for business users who need Internet standards-based e-mail and discussion group functionality, integrated personal calendars, group scheduling, task, and contact management.
- Other client applications.

Messages are sent and received through a client device such as a personal computer, workstation, or a mobile device, including mobile phones or Pocket PCs. The client typically connects to a network of centralized computer systems comprised of servers where the mailboxes are stored.

Exchange Server 2003 runs on Microsoft Windows Server 2003 and Microsoft Windows 2000 Server operating systems. Exchange Server 2003 communicates with clients through the Messaging Application Programming Interface (MAPI), which includes powerful messaging and rich collaboration capabilities. Exchange Server also accommodates other client access through the protocols POP3, IMAP4, and SMTP.

POA makes Hosted Exchange easier to use. The POA Service Controller responsible for Exchange automatically chooses a less loaded storage for new customer provisioning. The POA UI helps Providers perform their tasks in managing Hosted Exchange, while Customers can use their POA Control Panel for handling their mail.


Overview of Hosted Exchange Deployment

Network Architecture

Before starting to deploy Hosted Exchange, you need to deploy the elementary Windows infrastructure by following the steps in the POA Windows Hosting Infrastructure Deployment guide. As a result, you will have:

- Two Domain Controllers;
- Microsoft Provisioning System Engine server.

A typical Hosted Exchange architecture distributes Exchange hosting tasks among several servers of the following types:

- Exchange Client Access servers (Front-End servers). These servers accept requests from clients and proxy the requests to appropriate Exchange Mailbox servers for processing. Exchange Client Access servers run Exchange mailbox access services, like RPC Proxy, OWA, OMA, RPC-over-HTTPS, ActiveSync, POP3, IMAP.
- Exchange Mailbox servers (Back-End servers). These servers host mailbox stores, public folder stores, and OAB.
- Exchange SMTP servers. These servers run SMTP.

Figure 1: Hosted Exchange network architecture

The following sample names are used in this chapter:

- EXBE01 - Exchange Mailbox server.
- EXFE01 - Exchange Client Access server.
- EXSMTP01 - Exchange SMTP server.
- EXVS01 - Exchange virtual server.
- EXCL01 - Exchange Mailbox cluster.
- AD01 - First Domain Controller.
- AD02 - Second Domain Controller.
- MPS01 - Microsoft Provisioning System Engine server.
- DOM - Active Directory domain where Exchange and BlackBerry are deployed.
- DOM.local - FQDN name of Active Directory domain where Exchange and BlackBerry are deployed.
- HostedExchange - Exchange organizational unit.

Hosted Exchange and Active Directory

For Hosted Exchange, you can use one of two Active Directory (AD) models:

1. Single-Forest (Single-Domain) Model

   The Single-Forest model is the only AD model supported by Microsoft Provisioning System and is recommended for shared and dedicated hosting environments.

2. Multiple-Forests (Super Admin Forest) Model

   The Multiple-Forests model enables you to implement security policies specifically for the Admin forest. These policies will differ from those implemented in the hosted companies and the rest of your organization. In addition, this model ensures data isolation by deploying a different and isolated global catalog in the Admin forest.

In practice, the Multiple-Forests model is popular among large hosting companies. Usually, the forests at the service provider are separated along organizational lines. One forest is maintained by the internal IT organization for the hosting company's internal IT requirements. The other forest, at the hosting company, is maintained by the business unit that is responsible for supporting hosted companies.

The Multiple-Forests model provides:

- Security. In the Single-Forest model, the administrators and users share the same forest, so a compromise of the forest by a user leads to a compromise of the entire network. In the Multiple-Forests model, the administrators and users are in different forests. Therefore, if the security of the shared domain is compromised, the damage is contained.
- Data isolation. The administrators do not share a common global catalog. Therefore, information disclosure is reduced in the shared domain.

Hosted Exchange and Clustering

You can extend the capacity of your Exchange server just by adding new hardware (computer and/or storage). It's the cheapest solution, but it has a grave disadvantage: if a server goes down, customers who are hosted on it will not be able to get access to the system.

Clustering helps achieve high availability and high scalability for Exchange server applications. This technique allows you to deploy several Exchange Mailbox servers into one cluster. It is recommended to use a five-node server cluster that consists of four active nodes and one passive node. Each active node is configured as an Exchange Virtual Server (EVS); the passive node remains in stand-by mode as a failover server in case an active node goes offline. Disks are shared among the nodes. The maximum number of nodes in one cluster is eight.

The primary benefit of server clusters is that they provide failover support. If one server in a cluster stops functioning, the failover process automatically shifts the workload of the failed server to another server in the cluster, ensuring continuous availability of Exchange data.

Clustering decreases server downtime, which can be especially critical when Service Level Agreements (SLAs) are in place. A failure to meet a specified level of data availability can result not only in financial penalties, but also in a long-term negative impact on your reputation as a service provider. Decreasing server downtime is the best solution in this situation.

After the POA Agent installation, only active cluster nodes are registered in POA.

Number of Global Catalog Servers

One global catalog can support about 4000 users. In order to support a bigger number of users, Active Directory is usually installed with two global catalogs. So, theoretically, Exchange Server can support up to 8000 users at a time. But if one of your global catalogs goes down, you can again support only up to 4000 users.

It is recommended to deploy one global catalog server per four Exchange servers.

Limitations

A single Exchange organization cannot exceed the following limits:

- 1000 Exchange servers
- 1000 administrative groups
- 100 domains
- 150 routing groups.

Microsoft generally recommends that you use Direct Attached Storage (DAS) or Storage Area Network (SAN) storage array solutions, because this configuration optimizes performance and reliability for Exchange. Microsoft does not support Network-Attached Storage (NAS) solutions.

Configuring Active Directory

The default configuration of the Global Address Lists (GAL) class object allows only 1000 address lists. To extend this limit, perform the following steps:

1. Log on to AD01 and copy the MakeGalLinked.exe file to a local directory.
2. Execute the following command from the directory to which you have copied MakeGalLinked.exe:

    makegallinked.exe /dc:%computername% /operation:makegallinked

   If the above command fails, try the following extended form:

    makegallinked.exe /dc:<domain_controller_name> /domain:<domain_name> /admin:<exchangefulladminaccountname> /adminpwd:prompt /operation:makegallinked

3. Wait until the following message indicates the success of the operation:

    "globaladdresslist" schema object is a linked attribute with linkid: 4048

   Alternatively, you will see two green highlighted areas of text and the LOG_PASS line will read "100%".

Important: It is strongly recommended to complete the configuration of the Active Directory schema update before you start to deploy the first Exchange Mailbox server. Otherwise, you may have to rebuild your Hosted Exchange environment again from clean servers.

Configuring Windows Server 2003 on Nodes

This section describes the actions you need to perform on each node designated to be an Exchange server.

Prepare the node so that it meets the requirements explained in Network Architecture and make the following configurations:

1. Configure the server's registry:
   a. On Windows Server 2003, create the new file updatethreshold.reg.
   b. Into updatethreshold.reg, enter the following text:

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "HeapDeCommitFreeBlockThreshold"=dword:

   c. Save updatethreshold.reg and execute it to apply registry changes.
2. If the Exchange 2003 server contains more than 1 GB of physical memory, modify the boot.ini file in the following way (example):

    [boot loader]
    timeout=3
    default=multi(0)disk(0)rdisk(0)partition(1)\windows
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\windows="windows Server 2003, Enterprise" /fastdetect /NoExecute=OptOut /3GB /USERVA=3030

   After the boot.ini is modified, restart the server.
3. Configure the DNS client. In the BackNet network properties dialog box, do the following:
   - Type the IP address of the DC01 server's Back-Net interface into the Preferred DNS server field.
   - Type the IP address of the DC02 server's Back-Net interface into the Alternate DNS server field.
   - Leave the DNS client settings of Front-Net interface(s) empty.
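The boot.ini change in step 2 can be verified per node before the restart. The following is an added example, not part of the original guide: it parses a boot.ini, locates the default entry, and reports whether the /3GB and /USERVA=3030 switches from step 2 are present. The function names and the embedded sample file are constructed for illustration.

```python
import re

# Constructed sample: the boot.ini from step 2 of the guide, one setting per line.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\windows="windows Server 2003, Enterprise" /fastdetect /NoExecute=OptOut /3GB /USERVA=3030
'''


def parse_boot_ini(text):
    """Return (default_arc_path, {arc_path: (description, {SWITCH: value})})."""
    section, default, entries = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # The first "=" separates the key (or ARC path) from its value.
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        if section == "boot loader" and key == "default":
            default = value.strip().lower()
        elif section == "operating systems":
            match = re.match(r'\s*"([^"]*)"(.*)$', value)
            if not match:
                continue
            switches = {}
            for token in match.group(2).split():
                if token.startswith("/"):
                    name, _, val = token[1:].partition("=")
                    switches[name.upper()] = val
            entries[key] = (match.group(1), switches)
    return default, entries


def default_switches(text):
    """Switches of the entry that [boot loader] default= points at, or None."""
    default, entries = parse_boot_ini(text)
    if default is None or default not in entries:
        return None
    return entries[default][1]


def check_exchange_boot_entry(text, physical_ram_mb):
    """List deviations of the default boot entry from step 2 of the guide."""
    switches = default_switches(text)
    if switches is None:
        return ["default entry is not listed under [operating systems]"]
    findings = []
    # The guide asks for the change only on servers with more than 1 GB of RAM.
    if physical_ram_mb > 1024:
        if "3GB" not in switches:
            findings.append("missing /3GB")
        if switches.get("USERVA") != "3030":
            findings.append("missing /USERVA=3030")
    return findings


def noexecute_policy(text):
    """Value of /NoExecute on the default entry (e.g. 'OptOut'), or None."""
    switches = default_switches(text)
    return None if switches is None else switches.get("NOEXECUTE")


if __name__ == "__main__":
    print(check_exchange_boot_entry(SAMPLE_BOOT_INI, physical_ram_mb=4096))
    print(noexecute_policy(SAMPLE_BOOT_INI))
```
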

Creating Exchange Mailbox Cluster

General Configuration of Exchange Mailbox Cluster

An Exchange Mailbox cluster requires the following resources:

- One network IP address from the BackNet pool - the IP of the Cluster;
- Additional hub/switch for the HeartBeat network used by physical nodes of the cluster;

  Note: The HeartBeat network is a special isolated network to which all cluster nodes are connected. With the help of this network, the Cluster Service periodically checks cluster nodes for availability. If one of the cluster nodes stops responding on the HeartBeat network interface, the node is marked as offline and failover starts on an available passive cluster node.

- One shared cluster storage (Quorum disk).

Each physical node of the cluster requires the following resources:

- One network IP address from the BackNet pool;
- One network name that should be the same as in a non-clustered environment;
- One network IP address from the HeartBeat pool.

Each virtual server node of the cluster requires the following additional resources:

- One "virtual" network IP address from the BackNet pool. This IP address will be used in all service requests instead of the real server IP;
- One virtual network name that resolves to the virtual IP. This name will be used in all service requests instead of the real server name;
- One shared storage to store mailboxes.

For example, if you are deploying a three-node cluster that includes one passive and two active nodes, you need the following:

- Six NetBIOS names:
  - EXCL01 - cluster name
  - EXBE01, EXBE02, EXBE03 - names of physical nodes
  - EXVS01, EXVS02 - names of Exchange virtual servers
- Three IP addresses from the HeartBeat IP pool: one IP for each physical node.
- Six IP addresses from the BackNet IP pool:
  - One IP address for cluster EXCL01
  - Three IP addresses for physical nodes EXBE01, EXBE02, EXBE03
  - Two IP addresses for Exchange virtual servers EXVS01, EXVS02.
- One shared storage for the cluster Quorum Disk.
- Two shared storages for Exchange virtual servers - one per virtual server. Mailboxes will be stored here.

Creating ClusterAdmin Account

1. Log on to AD01.
2. Run dsa.msc from the command line.
3. Right-click Users, point to New, and then click User.
4. In the New Object - User dialog box, type "ClusterAdmin" as the First name and enter the User logon name. Click Next to continue.
5. In the New Object - User dialog box, click to clear the User must change password at next logon check box. Type the password (twice), and select Password never expires. Click Next to continue.

   Note: The service account cannot have a blank password or a password that will expire.

6. Check the information you have typed, and then click Finish.
7. From the Start Menu, go to Start > Settings > Control Panel > Administrative Tools > Domain Security Policy.
8. In the left frame, expand the following nodes: Security Settings > Local Policies > User Rights Assignment.
9. In the right frame, double-click the Add workstations to domain policy name.
10. In the dialog box that opens, select the Define these policy settings checkbox and click the Add User or Group button.
11. Click Browse and type ClusterAdmin. Click the Check Names button and, if the name becomes underlined, click OK three times.
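The resource list in General Configuration of Exchange Mailbox Cluster generalizes from the three-node case to any cluster size. The following is an added example, not part of the original guide: it builds the name, IP address and shared-storage inventory for a given number of active and passive nodes, and enforces the guide's limits (at most eight nodes, at least one passive node). The EXBE/EXVS numbering follows the guide's sample names; the address pools are constructed values.

```python
import ipaddress
import itertools

MAX_CLUSTER_NODES = 8  # the guide: "Maximum number of nodes in one cluster is eight"
CLUSTER_NAME = "EXCL01"  # sample cluster name used in the guide


def _allocate(pool, names, label):
    """Assign the first usable addresses of a CIDR pool to the given names."""
    hosts = list(itertools.islice(ipaddress.ip_network(pool).hosts(), len(names)))
    if len(hosts) < len(names):
        raise ValueError("%s pool %s is too small: %d addresses needed"
                         % (label, pool, len(names)))
    return {name: str(ip) for name, ip in zip(names, hosts)}


def plan_mailbox_cluster(active, passive, backnet_pool, heartbeat_pool):
    """Return the inventory one Exchange Mailbox cluster needs before installation."""
    if active < 1:
        raise ValueError("at least one active node is required")
    if passive < 1:
        raise ValueError("at least one node must be passive")
    total = active + passive
    if total > MAX_CLUSTER_NODES:
        raise ValueError("a cluster holds at most %d nodes" % MAX_CLUSTER_NODES)

    physical = ["EXBE%02d" % i for i in range(1, total + 1)]
    # Each active node is configured as one Exchange virtual server.
    virtual = ["EXVS%02d" % i for i in range(1, active + 1)]

    # BackNet: one address for the cluster, one per physical node, one per virtual server.
    backnet = _allocate(backnet_pool, [CLUSTER_NAME] + physical + virtual, "BackNet")
    # HeartBeat: one address per physical node only.
    heartbeat = _allocate(heartbeat_pool, physical, "HeartBeat")

    # Shared storage: the Quorum disk plus one mailbox storage per virtual server.
    storage = {CLUSTER_NAME: "Quorum disk"}
    storage.update({name: "mailbox storage" for name in virtual})

    return {
        "netbios_names": [CLUSTER_NAME] + physical + virtual,
        "backnet": backnet,
        "heartbeat": heartbeat,
        "shared_storage": storage,
    }


if __name__ == "__main__":
    # Constructed pools; the guide's example is one passive and two active nodes.
    plan = plan_mailbox_cluster(2, 1, "10.10.0.16/28", "192.168.250.0/29")
    for section, content in plan.items():
        print(section, content)
```
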

Installing Windows Server 2003 Server Cluster

Steps for cluster installation are performed on an Exchange Mailbox physical node (in our example, EXBE01) with at least two network cards: one plugged into the BackNet network, and the other into the HeartBeat network.

Note: It is possible to use the Back-Net network instead of HeartBeat, but it is not recommended for production environments.

If this condition is met, follow these steps:

1. Log on to EXBE01. Use an account that is a member of the Domain Administrators group.
2. In Disk Administrator, format (if needed) the shared storage for Quorum Disk as NTFS. Mount the storage as the Q: letter.
3. Format (if needed) other shared storages as NTFS.
4. From the Start Menu, go to Start > Settings > Control Panel > Administrative Tools > Cluster Administrator.
5. In the Open Connection to Cluster dialog box, select Create New Cluster.
6. Click OK to launch the New Server Cluster Wizard.
7. Click Next.
8. On the Cluster Name And Domain page, confirm the domain name, and enter the unique name for the cluster (EXCL01). Click Next.
9. On the Select Computer page, enter the name of the new computer in the Computer Name field. Click Next.
10. On the Analyzing Configuration page, confirm that the progress bar is displayed, indicating that there are no significant problems. If there are any problems, you should resolve them before you proceed with the cluster creation.

    Note: If there are some problems at this step, click View Log for detailed information.

11. Click Next.
12. On the IP Address page, assign a new unique IP address (from the BackNet IP pool) to the cluster; management tools will use this address when connecting. Click Next.
13. On the Cluster Service Account page, enter ClusterAdmin for the account name. Enter the account password, and confirm the domain name. This account will be granted local admin privileges on all nodes in the cluster. Click Next.
14. On the Proposed Cluster Configuration page, confirm the information and click Next to start creating the cluster.
15. On the final page of the Cluster Creation Wizard, click Finish to exit the Wizard. The Cluster Administrator application appears, displaying the newly created cluster.
16. Right-click the root of the tree (with the name EXCL01). Select Properties.
17. Switch to the Quorum tab. Set (and change if needed) Quorum Resource to Disk Q.
18. Check that the Quorum disk (Q:) resource is included in Cluster Group. If not, move the resource.

Adding Nodes to a Server Cluster

1. Log on to EXBE01. Use an account that is a member of the Domain Administrators group.
2. In the Cluster Administrator application, right-click the root cluster container with the name of your cluster (EXCL01). Click New and then click Node. The Add Node wizard starts.
3. Click Next.
4. On the Select Computer page, do the following:
   a. Type EXBE02 in the Computer Name field.
   b. Click Add to add the name to the Selected Computers list.
   c. Click Next.
5. On the Analyzing Configuration page, confirm that the progress bar is displayed, indicating that there are no significant problems. If there are any problems, you should resolve them before you proceed with the cluster creation.

   Note: If there are some problems at this step, click View Log for detailed information.

6. Click Next.
7. On the Cluster Service Account page, type the password set for the ClusterAdmin account. Make sure that your domain is selected. Click Next to go on with the Wizard.
8. On the final page of the Cluster Creation Wizard, click Finish to exit the Wizard.

Repeat the above steps for other nodes of the cluster.

Preparing Cluster Nodes for Exchange 2003 Installation

Each node included into the Cluster must meet the following requirements:

- The Cluster service is running.
- The Microsoft Distributed Transaction Coordinator (MSDTC) Windows component is installed (the Distributed Transaction Coordinator Windows service is present).

Moreover, the following requirements must be met:

- Your account is a member of a group that has the Exchange Full Administrator role applied at the organization level.
- Installation drive cannot be the cluster's shared drive. However, you can use this drive as target.
- The node's FQDN does not match the SMTP proxy domain of any recipient policy.
- In a cluster with two nodes, one node should be active, the other passive. If you have more than two nodes, at least one of the nodes must be passive.

To initialize and run the Cluster service, follow these steps:

1. Log on to a cluster node.
2. From the Start Menu, go to Start > Administrative Tools > Cluster Administration.
3. In the Open Connection to Cluster dialog box, do the following:
   a. In the Action drop-down list, select Open connection to cluster.
   b. In the Cluster or server name field, enter the cluster name you created previously (in our case, EXCL01). You can select the name in the drop-down list or navigate to the required cluster after clicking the Browse button.
   c. Click OK.
4. In the Cluster Administrator dialog box, in the Details pane, under State, make all of your cluster nodes Online.

Create the MSDTC cluster resource:

1. Log on to a cluster node.
2. From the Start Menu, go to Start > Administrative Tools > Cluster Administration.
3. Under Groups, right-click Cluster Group, point to New, and then click Resource.
4. In the New Resource dialog box, in the Name field, type Distributed Transaction Coordinator.
5. In the Resource type list, select Distributed Transaction Coordinator.
6. In the Group list, ensure Cluster Group is selected, and then click Next.
7. Verify that all nodes appear in the Possible owners list, and then click Next.
8. Select Quorum disk (Q:) and Cluster Name resources, and then click Add to add them to the Resource dependencies list.
9. Click Finish.
10. Right-click Cluster Group, and then click Bring Online.

Installing First Exchange Mailbox Server

The first installation of Exchange Server performs the initial Active Directory modification and creates the first Exchange Organization (for example, HostedExchange). All subsequent Exchange Server installations use this organization and do not require any parameters.

Microsoft Exchange Server 2003 setup requires that the following components and services are installed and enabled on the server:
- .NET Framework;
- ASP.NET;
- IIS;
- World Wide Web Publishing Service;
- SMTP;
- NNTP.

If you install Microsoft Exchange Server 2003 in a native Windows Server 2003 forest or domain, none of these services is enabled by default. You must enable the services manually before running the Exchange Server 2003 Installation Wizard.

If you install Exchange on a new server, only the required services are enabled. For example, POP3, IMAP4, and NNTP services are disabled by default on all of your Exchange 2003 servers. You should enable only services that are essential for performing Exchange 2003 tasks.

Installing Exchange 2003 on a cluster is similar to installing Exchange 2003 on nonclustered servers.

Important: Install Exchange 2003 completely on one node before you install it on another node.

Preparing Node for Exchange 2003 Installation

Prepare a computer that you want to function as an Exchange Mailbox server. This computer must meet the following requirements:

Server Names: EXBE
Description: Exchange Back-End Server. Can be deployed as 4+1 cluster. Runs Exchange mailbox and public folder stores.
Density: 5,000 mailboxes. Depends on the usage profile.
Quantity: To be calculated based on the projected customer base and the density above.

OS: Windows Server 2003 (R2) Enterprise Edition SP2 (x86)
Software:
   To be installed by the Customer: OS
   To be installed by Parallels: Exchange Server 2003 Enterprise Edition SP2 (Distribution to be provided by the Customer)
Supported Virtualization: Not supported
CPU: 2 core (3GHz or higher)
RAM: 4GB
Disks:
   Array 1: OS and software - 2 x 36, SCSI RAID 1
   Array 2: Exchange databases and logs
      - SAN: 28 x 72GB, SCSI, RAID or
      - 14 x 146GB, SCSI, RAID 1+0
Disk Partitioning:
   Array 1:
      C: 36GB - for OS and software
   Array 2:
      E:\Exchsrv (VMP) - 20GB - SMTP Queue, Tracking Log
      E:\ - 350GB - SG01 Data (5 Mailbox Stores for 2,500 mailboxes of 100MB size limit filled with content to 50-80%)
      E:\SG1_Logs (VMP) - 55GB - SG01 Transaction Log
      F:\ - 350GB - SG02 Data (5 Mailbox Stores for 2,500 mailboxes of 100MB size limit filled with content to 50-80%)
      F:\SG2_Logs (VMP) - 55GB - SG02 Transaction Log
      G:\ - 110GB - SG03 Data (Public Store providing 5-10MB of public space per mailbox and system space for 1,000 OABs)
      G:\SG3_Logs (VMP) - 35GB - SG03 Transaction Log
      Q:\ - 3GB - Quorum and MSDTC
   * VMP - Volume Mount Point
   * SG - Storage Group
NICs:
   BackNet
   SAN connectivity

1 Log on to the Windows Server 2003 node you want to install Exchange 2003 on.
2 Make sure that this node has one network card plugged into the Back-Net (see Configuring Windows Server 2003 (on page 18) for details).
   Important: For clustered configuration, you also need an additional network card for the HeartBeat network.
3 Give a name to the node (for example, EXBE01). Refer to the related topic (on page 374).
4 Give an internal IP to the node.
5 Join the node to your Active Directory domain. For this purpose, follow the steps of the related topic (on page 375) (replacing the server name where necessary).

Installing All Windows Components Required by Exchange Server

1 Log on to the node.
2 Create the file %TEMP%\prepare_for_exchange.bat with the following content:

   @echo off
   rem Build an unattended answer file that turns on the Windows components Exchange setup requires.
   echo [Components]>%TEMP%\exch.inf
   echo netfx = on>>%temp%\exch.inf
   echo aspnet = on>>%temp%\exch.inf
   echo iis_common = on>>%temp%\exch.inf
   echo iis_inetmgr = on>>%temp%\exch.inf
   echo iis_smtp = on>>%temp%\exch.inf
   echo iis_www = on>>%temp%\exch.inf
   echo iis_nntp = on>>%temp%\exch.inf
   echo Starting the installation...
   rem Run the Optional Component Manager with the answer file and wait for it to finish.
   start /w %SystemRoot%\System32\sysocmgr.exe "/i:%systemroot%\inf\sysoc.inf" "/u:%temp%\exch.inf" /w && echo Installation done...

3 Run %TEMP%\prepare_for_exchange.bat using cmd.exe with at least Local Administrator's credentials.

During the installation, you will be prompted to provide the path to the Windows Server 2003 CD-ROM. In this case, browse for the CD-ROM files folder and click OK.

Important for clustered installation! Exchange Server 2003 must be installed in the same directory location on all nodes. This means that after you designate the location for the first node, the same location is used for all other nodes. By default, the Exchange program files are installed on the Windows boot drive. For example, if your Windows boot files are on drive C:\, Exchange Server 2003 will be installed to C:\Program Files\Exchsrvr.

Running Microsoft Exchange Installation Wizard

1 Insert the Microsoft Exchange Server 2003 CD into your CD-ROM drive.
2 From the Start Menu, go to Start > Run.
3 Run the following command:

   E:\setup\i386\setup

   where E is your CD-ROM drive.
4 On the Welcome to the Microsoft Exchange Installation Wizard page, click Next to go on.
5 On the License Agreement page, read the agreement. If you agree to the terms, click I agree, and then click Next.
6 On the Product Identification page, type your 25-digit product key, and then click Next.
7 On the Component Selection page, in the Action column, use the drop-down arrows to specify the appropriate action for each component, and then click Next.

   Figure 2: Component Selection

8 On the Installation Type page, click Create a new Exchange Organization, and then click Next.

9 On the Organization Name page, in the Organization Name box, type your new Exchange organization name. The name must contain at least 1 character, but no more than 64 characters. You can use the following characters in your new Exchange 2003 organization name:
   - A through Z;
   - a through z;
   - 0 through 9;
   - space;
   - hyphen or dash.
   Click Next to go on.
10 On the License Agreement page, read the agreement. If you agree to the terms, click I agree that I have read and will be bound by the license agreements for this product, and then click Next.
11 On the Component Selection page, in the Action column, use the drop-down arrows to specify the appropriate action for each component, and then click Next.
12 On the Installation Summary page, confirm that your Exchange installation choices are correct, and then click Next.
13 On the Completing the Microsoft Exchange Wizard page, click Finish.

Now that you have installed the first Exchange 2003 server, you can install the subsequent Exchange servers.

Checking Successful Installation of ForestPrep and DomainPrep

The Microsoft Active Directory schema must be extended in order to store Exchange 2003 attributes and classes. For this purpose, you need to run two utilities:
- ForestPrep. This utility replicates the schema extensions throughout all the domains and sub-domains in your Exchange Organization.
- DomainPrep. This utility performs the following actions in the domain:
   - Creates the Exchange Domain Servers and Exchange Enterprise Servers groups.
   - Nests the global Exchange Domain Servers group into the Exchange Enterprise Servers local group.
   - Creates the Exchange System Objects container, which is used for mail-enabled public folders.
   - Sets permissions for the Exchange Enterprise Servers group at the root of the domain, so that Recipient Update Service has the appropriate access to process recipient objects.
   - Modifies the AdminSdHolder template where Windows sets permissions for members of the local Domain Administrator group.

   - Adds the local Exchange Domain Servers group to the Pre-Windows 2000 Compatible Access group.
   - Performs Setup preinstallation checks.

During the installation of the first Back-End server, ForestPrep and DomainPrep are run automatically. To check that the utilities completed successfully, follow these steps:

1 Run:

   <CD-ROM Drive Letter>:\support\exdeploy\exdeploy.exe /gc:<global catalog server name> /t:orgprepcheck

   for example:

   D:\support\exdeploy\exdeploy.exe /gc:dc01.he.local /t:orgprepcheck

2 View the EXDEPLOY.LOG file in the C:\EXDEPLOY LOGS folder to see if the setup completed successfully. In the case of successful setup, you will see two strings with successful results.

Installing SP2 for Exchange 2003

With Exchange Server 2003 Service Pack 2 (SP2), you can take advantage of updates and improvements to Exchange Server 2003 such as:
- Enhanced security;
- Updated deployment tools to make Exchange Server 5.5 upgrades and site consolidation even easier;
- New language support for Microsoft Outlook Mobile Access and Microsoft Outlook Web Access spelling checkers;
- Enhancements to the Outlook Mobile Access user interface that include out-of-office modification, a larger text entry field, search folder support, and improved menu navigation;
- Co-existence and migration support in a new Active Directory Connector and IBM Lotus Notes R6 Connector;
- Updates and improvements based on your feedback.

To install Service Pack 2 for Microsoft Exchange Server 2003, follow these steps:

1 Log on to the node using an account that is a member of the Domain Administrators group. From the Exchange 2003 SP2 installation media, run E:\setup\i386\update.exe, where E is your CD-ROM drive.
2 On the Welcome page, click Next.
3 On the Component Selection page, make sure that in the Action column, the action is set to Update, then click Next.

4 On the Installation summary page, confirm that your Exchange installation choices are correct, and click Next.
5 When the upgrade completes, click Finish.
6 Click Yes when you are prompted to restart the computer.

Installing Additional Exchange Mailbox Servers

To install an additional Exchange Mailbox server, follow these steps:

1 Install Windows Server 2003 Enterprise Edition SP1 with one Network card plugged into the back-net (see the Configuring Windows Server 2003 (on page 18) topic for details).
2 Give a name to the computer (for example, EXBE02, EXBE03, EXBE04, etc).
3 Join the host to the Active Directory domain.
4 Log in to the new server as the domain administrator.
5 Run setup.exe of Exchange Server 2003 installation kit and follow the instructions of the Installing Microsoft Exchange Server 2003 (on page 25) section.
6 Install Exchange 2003 Service Pack 2. See the Installing Service Pack 2 for Exchange 2003 (on page 30) topic for details.
7 Reboot the node.

Creating Exchange Virtual Servers for Clustered Configuration

The final step in configuring Exchange 2003 on a cluster is to create Exchange Virtual Servers (EVS) for all the active nodes in your cluster. Creating an EVS includes the following tasks:

1 Creating the group to host the EVS.
2 Creating an IP Address resource.
3 Creating a Network Name resource.
4 Creating Disk resources.
5 Creating an Exchange 2003 System Attendant resource.
6 Creating POP3 and IMAP4 resources.

You need to repeat these tasks for each EVS you want to add to your cluster.

Before creating an EVS, make sure that the following requirements are met:
- If you are creating the first Exchange server in the organization or in the domain, your account belongs to a group that has the Exchange Full Administrator role applied at the organizational level. Otherwise, the Exchange Full Administrator role is applied at the administrative group level.
- The MDBDATA folder is empty.
- The FQDN of the EVS does not match the SMTP proxy domain of any recipient policy.

Creating Group to Host Exchange Virtual Server

1 Log on to any cluster node.
2 From the Start Menu, go to Start > Settings > Control Panel > Administrative Tools > Cluster Administrator. If you are prompted to specify a cluster, type the cluster name, or browse and select the cluster in which you want to create an EVS.
3 In the Cluster Administrator console tree, right-click Groups, point to New, and then click Group. The New Group Wizard starts.
4 On the New Group Wizard page, in the Name field, type a name for this Exchange cluster group (for example, EXVS01). Click Next to continue.

5 On the Preferred Owners page, select all servers from the Available nodes list, and add them to the Preferred owners list. Click Finish.

You will see this new group displayed under Groups in Cluster Administrator.

Creating IP Address Resource

Each EVS must have its own dedicated static IP address, separate from all other resources (including the quorum disk resource) that are defined in Cluster Administrator. To assign an IP address to your EVS, follow these steps:

1 In the Cluster Administrator console tree, right-click the Exchange cluster group you created in the previous procedure (EXVS01). In the opened menu, point to New, and then click Resource. The New Resource Wizard starts.
2 On the New Resource Wizard page:
   a Into the Name field, enter the resource name (for example, EXVS01 IP Address).
   b From the Resource type list, select IP Address.
   c Check that in the Group list, the name of your EVS (EXVS01) is selected.
   d Click Next to continue.

3 On the Possible Owners Wizard page, check that all cluster nodes are listed in the Possible owners field. Click Next to continue.
4 On the Dependencies Wizard page, check that no resources are listed in the Resource dependencies field. Click Next to continue.
5 On the TCP/IP Address Parameters Wizard page:
   a In the Address field, type the static IP address of the EVS. It must be a new IP address from the BackNet's IP pool.
   b In the Subnet mask field, type the correct subnet mask for the EVS. This subnet mask must be the same as the IP mask of the already existing BackNet interface of the EXBE01 server.
   c Check that in the Network list, BackNet is selected.
   d Make sure that the Enable NetBIOS for this address check box is selected.
   e Click Finish.

Creating Network Name Resource

The network name identifies the EVS on your network. After you create the System Attendant resource, the EVS will be displayed under this network name in Exchange System Manager.

Important: Select the network name carefully, because after creating the EVS, you will not be able to rename it.

To create the Network Name resource, follow these steps:

1 In the Cluster Administrator console tree, right-click the Exchange cluster group you created (EXVS01). In the opened menu, point to New, and then click Resource. The New Resource Wizard starts.
2 On the New Resource Wizard page:
   a Into the Name field, enter the resource name (for example, EXVS01 Network Name).
   b From the Resource type list, select Network Name.
   c Check that in the Group list, the name of your EVS (EXVS01) is selected.
   d Click Next to continue.

3 On the Possible Owners Wizard page, check that all cluster nodes are listed in the Possible owners field. Click Next to continue.
4 On the Dependencies Wizard page, in the Available resources field, select the EXVS01 IP Address resource, and click Add. Click Next to continue.
   Important: When you are creating an EVS, ensure that the network name resource is dependent on a single IP address resource. If you want to associate additional IP addresses with this network name, you can add dependencies after the EVS is created.
5 On the Parameters Wizard page:
   a In the Name field, type a unique network name for the EVS (for example, EXVS01).
   b Select the DNS Registration Must Succeed check box.
   c Click Finish.

Select the Enable Kerberos Authentication check box. As a result, clients will be able to use the Kerberos version 5 authentication protocol when making an authenticated connection to this EVS's Network Name resource.

Creating Disk Resource

You must add a disk resource for each disk that you want to associate with the EVS. To create a new disk resource, follow these steps:

1 Ensure that the shared disks you are going to use in the cluster are formatted as NTFS and are accessible on the node (visible in Explorer). If a disk is not accessible, check that other Windows servers are not using the disk. Temporarily shut down all the nodes that currently own the shared disks you need.
2 In the Cluster Administrator console tree, right-click the Exchange cluster group you created (EXVS01). In the opened menu, point to New, and then click Resource. The New Resource Wizard starts.
3 On the New Resource Wizard page:
   a Into the Name field, enter a descriptive name (for example, Disk R: Mailbox Storage, or Disk G: Log Files).
   b From the Resource type list, select Physical Disk.
   c Check that in the Group list, the name of your EVS (EXVS01) is selected.
   d Click Next to continue.
4 On the Possible Owners Wizard page, check that all cluster nodes are listed in the Possible owners field. Click Next to continue.
5 On the Dependencies Wizard page, check that no resources are listed in the Resource dependencies field. Click Next to continue.

6 On the Disk Parameters Wizard page, in the Disk list, select the required disk. If you cannot find the required disk in this list, two reasons are possible:
   a Another group already has a resource for the disk. In this case, check all groups in Cluster Administrator to see if the required disk is listed in one of them.
   b The disk was not installed successfully.
   Click Finish.

Creating Exchange 2003 System Attendant Resource

1 In the Cluster Administrator console tree, right-click the Exchange cluster group you created (EXVS01). In the opened menu, click Bring Online.
2 Right-click EXVS01. In the opened menu, point to New, and then click Resource. The New Resource Wizard starts.
3 On the New Resource Wizard page:
   a Into the Name field, type a descriptive name (for example, Exchange System Attendant - EXVS01).
   b From the Resource type list, select Microsoft Exchange System Attendant.
   c Check that in the Group list, the name of your EVS (EXVS01) is selected.
   d Click Next to continue.

4 On the Possible Owners Wizard page, check that all nodes that are running Exchange 2003 are listed in the Possible owners field. Click Next to continue.
5 On the Dependencies Wizard page, under Available resources, select both the Network Name and all Physical Disk resources for this EVS, and then click Add. Click Next to continue.
6 On the Exchange Administrative Group Wizard page, in the Name of administrative group list, select the administrative group that you want the EVS to join. Click Next to continue.
   Note: This option is available only when you create the first EVS in a cluster. All EVSs must reside in the same administrative group.
7 On the Exchange Routing Group Wizard page, in the Name of routing group list, select the routing group in which you want the EVS created. Click Next to continue.
   Note: This option is available only when you create the first EVS in a cluster. All EVSs must reside in the same routing group. If a group does not already exist, you are prompted to create one.
8 On the Data Directory Wizard page, check that the data directory location in the Enter path to the data directory field points to the shared clustered physical disk resource assigned to this EVS. Exchange will use the drive you select in this step to store the following files:
   - transaction log files;
   - default public store files;
   - mailbox store files.
   Click Next to continue.
9 On the Summary Wizard page, read the summary of the action you are about to perform. Click Finish to create the EVS.
   If the operation was successful, a dialog box appears indicating that you have successfully created the EVS. The EVS you created will now appear in Exchange System Manager. However, if the operation was not successful, a dialog box appears indicating why the process failed. The New Resource Wizard remains open, so it is possible to go back in the wizard, remedy any problems, and then click Finish again.

   After you successfully create the Exchange System Attendant resource, Exchange System Attendant automatically creates the following additional resources for the EVS:
   - Exchange Information Store Instance;
   - Exchange Message Transfer Agent Instance;
   - Exchange Routing Service Instance;
   - SMTP Virtual Server Instance;
   - Exchange HTTP Virtual Service Instance;
   - Exchange MS Search Instance.

   Note: The Message Transfer Agent Instance resource is created only for the first EVS added to a cluster. All EVSs in the cluster share the single Message Transfer Agent Instance resource.
10 Right-click the Exchange virtual server Cluster Group EXVS01, and then click Move. Move the virtual server Group to the node that matches the physical server number based on the following rule:
   EXBE01 => EXVS01
   EXBE02 => EXVS02
   EXBEnn => EXVSnn
11 Right-click the EVS Group, and then click Bring Online.
   Note: Due to the directory replication latency, some resources may not come online at your first attempt. In this case, wait for the replication to occur, and then bring the resources online again.

If you want to add resources to the dependencies list when creating the Exchange System Attendant resource, first ensure that the resources you want to add are online.

Starting POP3 and IMAP4 Services

By default, the POP3 and IMAP4 services are disabled in Exchange 2003. So, before creating the POP3 and IMAP4 cluster resources, you need to start the services on all the cluster nodes.

1 Log on to an active cluster node.
   Note: You will not be able to start the POP3 service on passive cluster nodes.
2 From the Start Menu, go to Start > Administrative Tools > Services.
3 Right-click the Microsoft Exchange POP3 service, and then click Properties.
4 In the Properties dialog box, in the Startup type drop-down box, select Manual, and then click Apply.
5 Click Start. Click OK.
6 Go to Start > Administrative Tools > Services.
7 Right-click the Microsoft Exchange POP3 service, and then click Properties.
8 In the Properties dialog box, in the Startup type drop-down box, select Manual, and then click Apply.
9 Click Start. Click OK.
10 Enable IMAP4 by performing the same steps and replacing "POP3" by "IMAP4" where necessary.

Repeat these steps on all other Exchange Servers in the cluster.

Creating POP3 Cluster Resource

Once the POP3 service is started on all the Exchange Mailbox servers in the cluster, you can create the POP3 resource:

1 In the Cluster Administrator console tree, right-click the Exchange cluster group (EXVS01). In the opened menu, point to New, and then click Resource. The New Resource Wizard starts.
2 On the New Resource Wizard page:
   a Into the Name field, enter a descriptive name (for example, EXVS01 POP3).
   b From the Resource type list, select Microsoft Exchange POP3 Server.
   c Check that in the Group list, the name of your EVS (EXVS01) is selected.
   d Click Next to continue.

3 On the Possible Owners Wizard page, check that all cluster nodes that will be used as Exchange servers are listed in the Possible owners field. Click Next to continue.
4 On the Dependencies Wizard page, under Available resources, select the Exchange System Attendant resource for the EXVS01 Cluster Group, and then click Add. Click Next to continue.
5 On the Server Instance Wizard page, in the Name list, select Default POP3 Virtual Server. Click Finish.
6 Right-click the EXVS01 POP3 resource, then click Bring Online.

Repeat these steps with all other EVSs.

Creating IMAP4 Cluster Resource

Once the IMAP4 service is started on all the Exchange Mailbox servers in the cluster, you can create the IMAP4 resource. Follow the steps at Creating POP3 Cluster Resource (on page 41), replacing "POP3" by "IMAP4" everywhere.

Configuring Exchange Mailbox Servers

In this section, all references to EXBE01 as the sample name of the Exchange Mailbox server should be replaced by EXVS01 (Exchange Virtual Server) in the case of a clustered Exchange Mailbox configuration.

Configuring Administrative Groups to be Shown in Exchange System Manager

By default, the Administrative Groups item is not shown in the Exchange System Manager snap-in, but you need this item for configuring Exchange Mailbox servers. To enable the item, follow these steps:

1 Log on to EXBE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 Right-click the root node of the tree. In the menu, click Properties.
4 On the panel opened, select the Display routing groups and Display administrative groups check boxes. Click on the Apply button.

   Figure 3: Exchange Properties

5 Switch Operation Mode from default Mixed to Native. Restart Exchange System Manager.

Configuring HTTP Virtual Server in Exchange System Manager

To support login with the UPN user ID, you need to configure the Exchange and Public default virtual directories. For this purpose, follow these steps:

1 Log on to EXBE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 In the Exchange System Manager snap-in, go to Administrative Groups > First Administrative Group > Servers. Expand EXBE01, go to Protocols > HTTP > Exchange Virtual Server.
4 Right-click the Exchange virtual directory. In the opened menu, select Properties.
5 Switch to the Access tab, and then click on the Authentication button.
6 In the Default domain field, enter a backslash "\" character, and then click OK.

   Figure 4: Setting Authentication Methods

7 Click OK to close the Properties dialog box.
8 In the Exchange System Manager snap-in, right-click the Public virtual directory, then click Properties.
9 Switch to the Access tab, and then click on the Authentication button.
10 In the Default domain field, enter a backslash "\" character, and then click OK.
11 Make sure that the Integrated Windows Authentication option is selected.
12 Click OK to close the Properties dialog box.

Repeat the above instructions on all your Mailbox servers.

Configuring Mailbox Deletion Settings

By default, deleted mailboxes keep functioning for seven days after the moment of deletion. To delete mailboxes immediately and permanently, you need to configure the mailbox deletion settings. For this purpose, follow these steps:

1 Log on to EXBE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 In the Exchange System Manager snap-in, navigate to Administrative Groups > First Administrative Group > Servers. Then expand the Exchange Mailbox server and navigate to First Storage Group > Mailbox Store.
4 Right-click Mailbox Store. In the opened menu, select Properties.
5 In the Properties dialog box, select the Limits tab.
6 In the Deletion settings area, type 0 (zero) in the Keep deleted mailboxes for (days) field.

   Figure 5: Mailbox Store Properties

7 Click OK to save the new settings and to close the Properties dialog box.

Configuring 'Internet Newsgroups' Public Folder

1 Log on to EXBE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager console opens.
3 Expand Administrative Groups > First Administrative Group > Folders > Public Folders.
4 Right-click the Internet Newsgroups folder and select Properties.
5 In the Internet Newsgroups Properties dialog box, select the Permissions tab and click on the Client permissions button.
6 In the Clients list, select the group with the name Default and uncheck the permissions Folder Visible and Read Items.
7 Click OK to close the Properties dialog box.

Configuring and Starting IIS Service

Note: The procedure described in this section applies to the Back-End servers deployed on the VZWin nodes.

On the VZWin nodes, the default start type of the IIS service is Manual. You should reconfigure the IIS service start type and start the service.

1 Log in to the EXBE01 server using an account with administrative privileges.
2 Run the Windows command shell (cmd.exe).
3 Execute the following commands:

   sc config W3SVC start= auto
   sc start W3SVC

4 Repeat these steps on all back-ends.

Securing Default Global Address List

To prevent users and customers from other organizations from resolving names in Outlook, you need to configure the security of the Global Address List.

Note: Perform this operation if you use a version of HMC earlier than 3.5.

To set security policies for your Default Global Address List, follow these steps:

1 Log on to EXBE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 Browse to Recipients, expand All Global Address Lists, right-click Default Global Address List, and then click Properties.
4 Open the Security tab, click on the Advanced button.
5 Make sure that the Allow inheritable permissions from parent to propagate to this object option is cleared. If the option is not cleared, click Copy.
6 Click OK to return to the Security dialog box, and then click Yes twice in the security warning dialog boxes.
7 Under Group or user names, select Authenticated Users (if this group exists in the list), click Remove.
8 Under Group or user names, select Everyone (if this group exists in the list), click Remove. Click OK to close the Properties dialog box.

Installing and Configuring Exchange Client Access Server

This section describes the configuration you need to perform on each of your Exchange Client Access servers in order to make it suitable for Exchange Hosting.

Note: For the configuration of Exchange SMTP servers, refer to Configuring Exchange SMTP Front-End Servers (on page 78).

Installing Exchange Client Access Server

Prepare a computer that you want to function as an Exchange Client Access server. This computer must meet the following requirements:

Server Names: EXFE
Description: Exchange Front-End Protocol Server. Runs Exchange mailbox access services - RPC Proxy, OWA, OMA, ActiveSync, POP3, IMAP.
Density: Depends on the usage profile.
Quantity: Minimum 2 are recommended for NLB cluster. An exact number to be calculated based on the projected customer base and the density above.
OS: Windows Server 2003 (R2) Standard Edition SP2 (x86)
Software:
   To be installed by the Customer: OS
   To be installed by Parallels: Exchange Server 2003 Standard Edition SP2 (Distribution to be provided by the Customer)
Supported Virtualization: Not supported
CPU: 2 core (3GHz or higher)
RAM: 2GB
Disks:
   Array 1: OS, software, and data - 2 x 36GB, SCSI, RAID 1
Disk Partitioning:
   Array 1:
      C: 10GB - for OS and software
      D: remaining space (26GB) - Logs
NICs: FrontNet, BackNet

1 Configure the server as it is described in the Configuring Windows Server 2003 (on page 18) topic.
2 Make sure that Windows 2003 Enterprise Edition server has at least two network cards: one plugged into the Back-Net and one into Front-End.
3 Give a name to the computer (for example, EXFE01).
4 Join the host to the Active Directory domain.
5 Log in as Domain Administrator.
6 Run setup.exe of Exchange Server 2003 installation kit and follow the instructions of the Installing Microsoft Exchange Server 2003 (on page 25) section.
7 Install Exchange 2003 Service Pack 2. See the Installing Service Pack 2 for Exchange 2003 (on page 30) topic for details.
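
The result of the Securing Default Global Address List procedure earlier in this chapter can be audited from the command line. The script below is an added example, not part of the original guide; it assumes dsacls.exe from the Windows Server 2003 Support Tools is on the PATH and that its output names each trustee on the line of its ACE, and the organization name and forest root DN shown in the usage line are sample values taken from this guide's examples.

```batch
@echo off
rem Added example (not from the Parallels guide): audit the Default Global
rem Address List ACL for the two trustees the hardening procedure removes.
rem Assumptions: dsacls.exe (Windows Server 2003 Support Tools) is on PATH and
rem prints the trustee name on the line of each access control entry.
rem Usage: check_gal_acl.bat "HostedExchange" "DC=he,DC=local"
setlocal

if "%~2"=="" (
    echo Usage: %~nx0 "ExchangeOrgName" "ForestRootDN"
    exit /b 2
)

rem The Default GAL lives in the Configuration partition of the forest.
set "GAL_DN=CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=%~1,CN=Microsoft Exchange,CN=Services,CN=Configuration,%~2"
set "ACL_FILE=%TEMP%\gal_acl_%RANDOM%.txt"

rem Dump the full ACL (explicit and inherited entries) to a temporary file.
dsacls "%GAL_DN%" > "%ACL_FILE%"
if errorlevel 1 (
    echo ERROR: dsacls could not read "%GAL_DN%"
    del "%ACL_FILE%" 2>nul
    exit /b 2
)

rem Any remaining entry for these trustees lets other tenants resolve names.
set RESULT=0
for %%P in ("Authenticated Users" "Everyone") do (
    findstr /i /l /c:%%P "%ACL_FILE%" >nul && (
        echo FAIL: %%~P still has an entry on the Default Global Address List
        set RESULT=1
    )
)

if %RESULT%==0 echo PASS: neither Authenticated Users nor Everyone appears in the ACL
del "%ACL_FILE%" 2>nul
exit /b %RESULT%
```

Because the check reads the whole ACL, it also catches entries that come back through inheritance if step 5 of the procedure was skipped; an exit code of 1 means step 7 or 8 needs to be repeated.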

Assigning Front-End Role to Server

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 Navigate to Administrative Groups > First Administrative Group > Servers. The list of Exchange Servers opens.

   Figure 6: Servers

4 Right-click the Front-End server and click Properties.
5 On the panel opened, on the General tab, select the This is front-end server option. By this step, you assign the role of Exchange Client Access server to the computer.

Figure 7: Front-End Properties
6 Click on the OK button. A message appears to notify you that you should reboot the computer or restart Exchange services.
7 Reboot EXFE01.

Repeat the above steps on all your Exchange Client Access servers.

Removing Public Stores

For hosted messaging and collaboration, it is recommended not to run mailbox or public folder databases on Exchange Client Access servers. To stop and disable the public folder databases, follow these steps:

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.

3 Navigate to Administrative Groups > First Administrative Group > Servers. The list of Exchange servers opens.
4 Expand EXFE01, and go to First Storage Group.
Figure 8: First Storage Group
5 Right-click Mailbox Store (EXFE01). In the opened menu, click Properties. The Mailbox Store (EXFE01) Properties panel opens.
6 To select the default public store, click on the Browse button near the Default Public Store field.

Figure 9: Mailbox Store Properties
7 The Select Public Store page displays a set of public stores. For EXFE01, select a public folder located on a Back-End server. Click OK.
8 Click OK.
9 Right-click Public Folder Store located on EXFE01 and select Delete.
10 The warning message may appear saying that you must move all replicas from this public folder. To remove replicas from the public folder on EXBE01, perform the following steps:
  a Click OK in the warning message window.
  b Right-click the Public Folder Store (EXFE01) folder, and select Move All Replicas. Select an Exchange Mailbox server, and click OK twice.
  c Expand the Public Folder Store (EXFE01), and select the Public Folder Instances folder. After all the public folders have been replicated on the appropriate Exchange Mailbox server (EXBE01), the list in the right pane will be empty.
  d Right-click the public store Public Folder Store (EXFE01) physically located on EXFE01, and select Delete.

  e Confirm your intention to delete the Public Folder Store by clicking OK in the opened warning messages.

Repeat the above steps on all your Exchange Client Access servers.

Removing Mailbox Stores

Exchange Client Access servers do not need to host mailboxes. To remove mailbox storage from your Exchange Client Access server, follow these steps:

Important: Do NOT perform this procedure for Exchange Client Access servers running SMTP - they must have Mailbox storage for delivering NDR (Not Delivered Report) messages.

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 Navigate to Administrative Groups > First Administrative Group > Servers. The list of Exchange Servers opens.
4 Expand EXFE01 and go to First Storage Group.
5 Right-click Mailbox Store (EXFE01). In the opened menu, select Delete.
6 Click OK in all the warning messages.
7 Restart the server if you are prompted to.

Repeat the above steps on all your Exchange Client Access servers.

Disabling Exchange Information Store

After removing all the mailbox and public folder databases, you can disable the Microsoft Exchange Information Store service on Exchange Client Access servers. This service no longer performs any functions for your Hosted Exchange platform. By disabling this service, you will improve system performance and security. To disable the Microsoft Exchange Information Store on an Exchange Client Access server, follow these steps:

Important: Do NOT perform this procedure for Exchange Client Access servers running SMTP - they must have Information Store for delivering NDR (Not Delivered Report) messages.

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Settings > Control Panel > Administrative Tools > Computer Management.
3 Select Services and Applications.
4 Select Services.
Figure 10: Services and Applications

Figure 11: Selecting Services
5 Right-click Microsoft Exchange Information Store. In the menu, click Properties. The Microsoft Exchange Information Store Properties panel opens.
6 On the Microsoft Exchange Information Store Properties panel, in the Startup type drop-down box, select Disabled. Click Stop.

Figure 12: MS Exchange Information Store
A progress indicator appears, showing the percentage of the stop operation completed. After the service has stopped, click OK.

Repeat the above steps on all your Exchange Client Access servers.

Enabling Network Protocols

By default, the following services are disabled: Microsoft Exchange POP3; Microsoft Exchange IMAP4; SMTP. If you want these protocols to be supported by Exchange, enable them and configure them to start automatically. You can enable the protocols on all the Back-End servers and on most of the Exchange Client Access servers, depending on their roles. For example, you don't need to enable the POP3 service on an Exchange Client Access server with the OWA only role. To enable network protocol services on an Exchange Client Access server, follow these steps:

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Settings > Control Panel > Administrative Tools > Computer Management.
3 Select Services and Applications.
4 Select Services.
Figure 13: Services and Applications

Figure 14: Selecting Services
5 Right-click Microsoft Exchange POP3. In the menu, select Properties.
6 In the Properties dialog box, in the Startup type drop-down box, select Automatic. Click Apply. Click Start.

Figure 15: Setting Automatic Type
A progress indicator appears, showing the percentage of the start operation completed. After the service has started, click OK.
7 Right-click Simple Mail Transfer Protocol (SMTP). In the menu, select Properties.
8 In the Properties dialog box, in the Startup type drop-down box, select Automatic. Click Apply. Click Start. After the service has started, click OK.
9 Right-click Microsoft Exchange IMAP4. In the menu, select Properties.
10 In the Properties dialog box, in the Startup type drop-down box, select Automatic. Click Apply. Click Start. After the service has started, click OK.

Repeat the above steps on all your Exchange Client Access servers.

Configuring and Starting IIS Service on Protocols Front-End Servers

The procedure described in this section applies to the Front-End servers that have OWA, ActiveSync and Outlook access enabled and are deployed on the VZWin nodes. On the VZWin nodes, the default start type of the IIS service is Manual. You should reconfigure the IIS service start type and start the service on the Front-End servers with enabled OWA, ActiveSync and Outlook access.

1 Log in to the EXFE01 server using an account with administrative privileges.
2 Run the Windows command shell (cmd.exe).
3 Execute the following commands:
    sc config W3SVC start= auto
    sc start W3SVC
4 Repeat these steps on all required front-ends.

Enabling Outlook Web Access

To provide users with remote access to Exchange server, you need to enable and configure Outlook Web Access (OWA) on your Exchange Client Access servers.

Configuring Forms-Based Authentication and OWA Compression

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 In the Exchange System Manager snap-in, go to Administrative Groups > First Administrative Group > Servers. The list of Exchange Servers opens.
4 Expand the required Exchange Client Access server (in our case, EXFE01).
5 Go to Protocols > HTTP > Exchange Virtual Server.
6 Right-click Exchange Virtual Server, and then click Properties.
7 In the Exchange Virtual Server Properties dialog box, switch to the Settings tab. Select the Enable Forms Based Authentication check box.
8 From the Compression drop-down list, select the required compression level (None, Low, or High).

9 Click Apply, and then click OK.
Figure 16: Selecting OWA Compression Level
10 In the security dialog box reminding you about SSL encryption, click OK.

Repeat the above steps on all your Exchange Client Access servers.

Redirecting OWA Logon Page to Default Website on Exchange Client Access Server

You may want an Exchange Client Access server website to automatically open when users enter OWA, even if they type just
To redirect the OWA logon page to the default Exchange Client Access server website, follow these steps:

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.

3 In the Internet Information Services (IIS) Manager snap-in, in the console tree, select the required Exchange Client Access server (in our case, EXFE01), open the Web Sites folder, and then right-click Default Web Site. In the opened menu, select Open. Create an empty file named Redirect.htm in the root directory of the Default Web Site (by default C:\Inetpub\wwwroot).
4 In Internet Information Services (IIS) Manager, in the console tree, select Default Web Site, right-click Redirect.htm and select Properties.
5 On the File tab of the Redirect.htm Properties dialog box, do the following:
  a Select the A Redirection to a URL option.
  b Into the Redirect to field, type the OWA Server name with prefix and link to the virtual directory /exchange. For example,
  c Select the A permanent redirection for this resource check box.
Figure 17: Redirecting Logon Page
6 Open the File Security tab. In the Secure communications area, click Edit.
7 In the Secure Communications dialog box, click to clear the Require secure channel (SSL) and Require 128-bit encryption check boxes if they are checked. Click OK.

Figure 18: Secure Communications
8 Click Apply and then click OK in the Redirect.htm Properties dialog box.
9 In the Internet Information Services (IIS) Manager snap-in, in the console tree, select the required Exchange Client Access server (in our case, EXFE01), open the Web Sites folder, and then right-click Default Web Site. In the opened menu, select Properties. The Default Web Site Properties dialog box opens.
10 On the Documents tab of the Default Web Site Properties dialog box, do the following:
  a Click on the Add button.
  b Type Redirect.htm in the Default content page field. Click OK.
  c Select the Redirect.htm file in the content page list, and move it to the top of the list by clicking on the Move Up button.

Figure 19: Moving Up redirect.htm
11 Open the Directory Security tab. In the Authentication and access control area, click Edit.
12 In the Authentication Methods dialog box, do the following:
  a Click to select the Enable anonymous access check box if it is not selected.
  b In the Authenticated access area, click to select the Basic authentication (password is sent in clear text) check box.
  c Into the Default domain field, enter one backslash \.
  d Click OK.

Figure 20: Specifying Authentication Methods
13 Click Apply in the Default Web Site Properties dialog box.
14 If the Inheritance Override dialog box opens, unselect all nodes in the Child Nodes list and click OK.
15 Click OK in the Default Web Site Properties dialog box.
16 In the Internet Information Services (IIS) Manager snap-in, in the console tree, select the required Exchange Client Access server (in our case, EXFE01), open Web Sites > Default Web Site. Right-click Exchange. In the opened menu, select Properties. The Exchange Properties dialog box opens.
17 On the Directory Security tab of the Exchange Properties dialog box, in the Authentication and access control area, click Edit.
18 In the Authentication Methods dialog box, do the following:
  a Click to clear the Enable anonymous access check box if it is selected. (It is necessary because RPC over HTTP does not allow anonymous access.)
  b In the Authenticated access area, click to select the Basic authentication (password is sent in clear text) check box.
  c Click to clear the Integrated Windows authentication check box if it is selected.

  d Into the Default domain field, enter one backslash \.
  e Click OK.
19 On the Directory Security tab of the Exchange Properties dialog box, in the Secure communications area, click Edit.
20 In the Secure Communications dialog box, click to select the Require secure channel (SSL) and Require 128-bit encryption check boxes. Click OK.
21 Click Apply and then click OK in the Exchange Properties dialog box.

Repeat the above steps on all your Exchange Client Access servers that will be configured to participate in Network Load Balancing.

Customizing Outlook Web Access

Customizing OWA Login Screen

By default, at the OWA login screen, a user is prompted to enter Domain\user name.
Figure 21: OWA login screen before customization

Since POA supports UPN logon names, which most users prefer, you need to customize the OWA login screen and associated screens (login error and logout):

1 Log on to EXFE01.
2 From the Start Menu, go to Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
3 In the Internet Information Services (IIS) Manager snap-in, in the console tree, select the required Exchange Client Access server (in our case, EXFE01), open Web Sites > Default Web Site.
4 In the right pane, right-click ExchWeb. In the opened menu, select Open.
5 Navigate to bin\auth.
6 Select the folder corresponding to the required language (usa for English).
7 Open the logon.asp file with the Notepad program.
8 In the logon.asp file, replace "Domain\user name" with "UPN Logon Name" in the following keys: L_UserName_Text; L_401User_Text (key responsible for error messages); L_LogoffUser_Text (key responsible for the content of the logout screen). Save the logon.asp file.

As a result, the OWA login screen will look as follows:

Figure 22: OWA login screen after customization
UPN Logon Name will be mentioned in the error message shown after an incorrect UPN Logon Name or password is entered.

Repeat these steps on all Exchange Client Access servers.

Preventing Correlation of Authorization Data

If OWA is launched from another web application (for example, from POA Control Panel), the authorization data of OWA and of the application may become correlated. As a result, logging out of OWA will also log the user out of the application. To prevent this correlation, perform the following steps:

1 Log on to a Protocol Exchange Client Access server (EXFE01).
2 From the Start Menu, go to Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
3 In the Internet Information Services (IIS) Manager snap-in, in the console tree, expand Default Web Site, and right-click the ExchWeb virtual directory. In the opened menu, select Open.
4 In Notepad, open the following files (for English customization):

    bin\auth\usa\logon.asp
    bin\usa\logoff.asp
5 Type two slash characters (//) in front of the line with the command:
    document.execCommand("ClearAuthenticationCache", "false")

Repeat these steps on all Protocol Exchange Client Access servers.

Enabling Outlook Mobile Access

Microsoft Windows mobile devices make it easy to gain mobile access to an Exchange server for messages, schedules, contact information, and task lists. Any mobile device or phone equipped with a Web or Wireless Application Protocol (WAP) browser can retrieve information from Exchange server with the help of the Microsoft Outlook Mobile Access (OMA) application. By default, the OMA application is disabled on Exchange Client Access servers. To enable the OMA application, follow these steps:

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 Expand Global Settings, right-click Mobile Services, and then click Properties.
4 In the Mobile Services Properties dialog box, in the Outlook Mobile Access area, click to select the following check boxes:
    Enable Outlook Mobile Access
    Enable unsupported devices
5 Click OK.
6 Configure OMA virtual directory:
  a In the Exchange System Manager, go to Administrative Groups > First Administrative Group > Servers. Expand the Exchange Client Access server (in our case, EXFE01), go to Protocols > HTTP > Exchange Virtual Server > OMA.
  b Right-click OMA, click Properties, open the Access tab, and then click Authentication.
  c Into the Default domain field type a single backslash "\" character, and then click OK.
  d Click OK to close the Properties dialog box.

Repeat these steps on other Exchange Client Access servers.

Enabling Exchange ActiveSync Support

Exchange ActiveSync is a communication protocol that enables mobile client devices, such as Windows Mobile-based Pocket PCs and SmartPhones, to synchronize e-mail, calendar, and contacts with a computer that is running Microsoft Exchange Server 2003.

Important: Exchange ActiveSync support may be enabled only once per Exchange Organization.

To enable Exchange ActiveSync support, follow these steps:

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 In the Exchange System Manager snap-in, in the console tree, expand Global Settings, right-click Mobile Services, and then click Properties.
Figure 23: Exchange Server Manager
4 In the Mobile Services Properties dialog box, in the Exchange ActiveSync area, select the following check boxes:
    Enable user initiated synchronization
    Enable up-to-date notifications via SMTP and Text Messaging
    Enable notifications to user specified SMTP addresses
    Enable Direct Push over HTTP(s)

5 Click OK to save the settings.
Figure 24: Mobile Services Properties

Configuring Security Settings for Mobile Devices

Important: This operation may be performed only once per Exchange Organization.

To configure security settings for mobile devices, follow these steps:

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 In the Exchange System Manager snap-in, in the console tree, expand Global Settings, right-click Mobile Services, and then click Properties.
Figure 25: Exchange Server Manager
4 In the Mobile Services Properties dialog box, click on the Device Security button. The Device Security Settings dialog box opens.

Figure 26: Mobile Services Properties Device Security
5 In the Device Security Settings dialog box, click to select the Enforce password on device check box to be able to specify the device security options. Configure the following options by selecting the appropriate check box and setting the required values:
    Inactivity time (minutes)
    Wipe device after failed (attempts)
    Refresh settings on the device (hours)
    Allow access to devices that do not fully support password settings

6 Click OK to save the settings.
Figure 27: Device Security Settings

Verifying External DNS for SMTP Virtual Server

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager console opens.
3 Expand Administrative Groups, and then expand First Administrative Group. Expand Servers, expand Exchange Front-End server, expand Protocols, and then expand SMTP.

Figure 28: Default SMTP Virtual Server
4 Right-click Default SMTP Virtual Server and then click Properties.

Figure 29: Default SMTP Virtual Server Properties
5 Click the Delivery tab, and then click Advanced.
6 Click Configure.

Figure 30: Configuring External DNS Server
7 Make sure that the IP address for the external DNS server is empty (this forces the use of the default DNS resolving configuration), then click OK.
8 Click OK, and then click OK again to close the dialog box.
9 To be sure that the SMTP server can resolve all MX records needed for mail delivery, try to resolve internal AD hosts, external domains registered in POA and some other external domains (you can use the nslookup.exe utility). The SMTPDiag utility can also be used for the following tests:
10 Use external sender address and recipient address (ex. [email protected] and [email protected]).
11 Use internal sender address and external recipient address (ex. [email protected] and [email protected]).
12 Use external sender address and internal recipient address (ex. [email protected] and [email protected]).

Installing and Configuring Exchange SMTP Servers

Prepare a computer that you want to function as an Exchange SMTP server. This computer must meet the following requirements:

Server Names: EXSMTP
Description: Exchange SMTP Front-End Server. Runs Exchange SMTP service

Density: Depends on the usage profile
Quantity: Minimum 2 are recommended for NLB cluster. An exact number to be calculated based on the projected customer base and the density above.
OS: Windows Server 2003 (R2) Standard Edition SP2 (x86)
Software: To be installed by the Customer: OS. To be installed by Parallels: Exchange Server 2003 Standard Edition SP2 (Distribution to be provided by the Customer)
Supported Virtualization: Not supported
CPU: 2 core (3GHz or higher)
RAM: 2GB
Disks: Array 1: OS, software, SMTP queue, and logs - 6 x 36GB RAID 1+0
Disk Partitioning: Array 1: C: 10GB - for OS and software; D: remaining space (98GB) - SMTP Queue and Logs
NICs: FrontNet, BackNet

1 Deploy SMTP server according to the instructions at Installing Exchange Client Access Server (on page 47). Give a name to the computer (for example, EXSMTP01).
2 Assign the role of Front-End Exchange Server to EXSMTP01. Refer to Setting Front-End Role to Exchange 2003 Server (on page 49).
3 Remove public stores from EXSMTP01. Refer to Removing Public Stores from Front-End Servers (on page 50).

Deploying RPC-over-HTTP for Exchange 2003 Server

RPC-over-HTTP (RPC standing for Remote Procedure Call) is a protocol that allows a computer program running on one host to cause code to be executed on another host without the programmer needing to explicitly code for this.

Before deploying RPC-over-HTTP, you need to install Service Pack 1 for Exchange Server 2003 on all Exchange Client Access servers that will be used as RPC proxy servers. See the Installing Service Pack 1 for Exchange Server 2003 (on page 30) topic for the installation instructions. It is also recommended that you install Service Pack 1 on all your Exchange Mailbox servers. However, you can enable RPC-over-HTTP on Exchange Mailbox servers using Exchange System Manager from another Exchange server that has Service Pack 1 installed.

HTTP is built into almost all modern operating systems. That's why HTTP is used as the network protocol to allow various platforms to call the RPC. In the Exchange hosting architecture, an Exchange Client Access server is used as the RPC Proxy server. Exchange Mailbox servers are used as targets for the RPC Proxy server. Before using RPC-over-HTTP, make sure that a Global Catalog server runs on every Windows Server 2003 exposed to the RPC-over-HTTP protocol.

Configuring Global Catalog Servers

Each Global Catalog server to be used by the RPC-over-HTTP Proxy client needs to have a single Registry value configured.

Note: Don't set this value on the Global Catalog server with Windows 2003 Service Pack 1 installed.

To configure a Global Catalog server to be used by the RPC-over-HTTP Proxy client, follow these steps:

1 Log on to the Global Catalog server (AD01).
2 Start Registry Editor.
3 In the Registry Editor dialog box, in the console tree, go to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > NTDS > Parameters.
4 Right-click Parameters. In the menu opened, point to New, select Multi-String Value.

5 Create a multi-string value with the name NSPI interface protocol sequences.
6 Right-click the NSPI interface protocol sequences multi-string value. In the menu opened, select Modify. The Edit Multi-String dialog box opens.
Figure 31: Edit Multi-String
7 In the Edit Multi-String dialog box, in the Value data field, type ncacn_http:6004. Click OK.
8 In the Registry Editor dialog box, on the File menu, click Exit to save your settings. Restart your server for the settings to be applied.

Installing RPC-over-HTTP Windows Component

1 Log on to one of your Exchange servers (no matter whether it is a Mailbox server or a Client Access server).
2 From the Start Menu, go to Start > Control Panel > Add or Remove Programs.
3 Click on the Add/Remove Windows Components button. The Windows Components Wizard starts.
4 On the Windows Components page of the wizard, in the Components list box, select Networking Services, and then click Details.

Figure 32: Windows Component
5 On the Networking Services page of the wizard, select the RPC over HTTP Proxy check box. Click OK.

The Windows Components page reopens.
Figure 33: Networking Services
6 On the Windows Components page of the wizard, click Next to install the RPC over HTTP Proxy Windows component. As a result of these steps, RPC-over-HTTP is installed on the Exchange server.
7 Repeat these steps on all your Exchange Mailbox servers and on all your Exchange Client Access servers.

Configuring Exchange Mailbox Servers as Targets for RPC Proxy Servers

1 Log on to EXBE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 In the Exchange System Manager snap-in, go to Administrative Groups > First Administrative Group > Servers.
4 Right-click EXBE01. In the menu opened, select Properties.
5 On the RPC-HTTP tab, select the RPC-HTTP back-end server option. The warning message appears: There must be at least one RPC-HTTP front-end server in the Organization before the RPC-HTTP Back-End server can be accessed. Click OK in the message box.

Figure 34: RPC-HTTP
6 To save your settings, click Apply, and then click OK. As a result, the Exchange Mailbox server becomes a target for the RPC Proxy server.

Repeat the above steps on all your Exchange Mailbox servers.

Configuring Exchange Client Access Server as RPC Proxy Server

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3 In the Exchange System Manager snap-in, go to Administrative Groups > First Administrative Group > Servers.
4 Right-click EXFE01. In the menu opened, select Properties.
5 On the RPC-HTTP tab, select the RPC-HTTP front-end server option. Click OK.
6 A warning message will appear stating that SSL is required for RPC-over-HTTP to work. Click OK.
7 A warning message appears announcing that SSL is required for the proper work of RPC-over-HTTP. Click OK.

Repeat the above steps on all your Exchange Client Access servers.

Configuring RPC Virtual Directory on RPC Proxy Server

1 Log on to EXFE01.
2 From the Start Menu, go to Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
3 In the Internet Information Services (IIS) Manager snap-in, in the console tree, expand the required server. Go to Web Sites > Default Web Site > RPC.
4 Right-click the RPC virtual directory. In the menu opened, click Properties. The RPC Properties dialog box opens.
5 In the RPC Properties dialog box, open the Directory Security tab.
6 On the Directory Security tab, in the Authentication and access control pane, click Edit. The Authentication Methods dialog box opens.

Figure 35: RPC Properties
7 In the Authentication Methods dialog box, perform the following actions:
    Make sure that the Enable anonymous access check box is clear. RPC-over-HTTP does not allow anonymous access.
    In the Authenticated access pane, click to select the Basic authentication (password is sent in clear text) check box.
    Make sure that the Integrated Windows authentication check box is clear.
    In the Default domain field, enter a backslash ( \ ).
    Click OK. You return to the RPC Properties dialog box.

Figure 36: Authentication Methods
8 In the RPC Properties dialog box, in the Secure communications pane, click on the Edit button. The Secure Communications dialog box opens.
9 In the Secure Communications dialog box, select the following check boxes:
    Require secure channel (SSL)
    Require 128-bit encryption
  Click OK. You return to the RPC Properties dialog box.

Figure 37: RPC Secure Communications
10 In the RPC Properties dialog box click Apply and then click OK.

Repeat the above steps on other Exchange Client Access servers.

Checking that RPC Proxy Server Uses Specified Ports

1 Log on to EXFE01.
2 Start Registry Editor.
3 In the Registry Editor dialog box, in the console tree, go to HKEY_LOCAL_MACHINE > Software > Microsoft > Rpc > RpcProxy.
4 Make sure that ValidPorts contains the following valid data:
    ExchangeServer:6001;ExchangeServerFQDN:6001;
    ExchangeServer:6004;ExchangeServerFQDN:6004;
  where:
    ExchangeServer is the NetBIOS name of your Exchange Back-End server (EXBE01).
    ExchangeServerFQDN is the FQDN of EXBE01.

Repeat the above steps on other Exchange Client Access servers.
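The ValidPorts check above can be scripted so that every front-end is compared against the same expectation. The following is an added example, not part of the original guide: the function names are hypothetical, the FQDN is a constructed placeholder, and the handling of port ranges in low-high form goes beyond the single-port entries the guide shows.

```powershell
# Added example, not from the guide. Written for PowerShell 2.0 or later.

function ConvertFrom-ValidPorts {
    param([string]$Value)
    # Entries are separated by ';'. Each entry is "server:port" or "server:low-high".
    $result = @()
    foreach ($raw in $Value.Split(';')) {
        $entry = $raw.Trim()
        if ($entry -eq '') { continue }          # tolerate a trailing ';'
        if ($entry -notmatch '^([^:]+):(\d{1,5})(?:-(\d{1,5}))?$') {
            throw "Malformed ValidPorts entry: '$entry'"
        }
        $low  = [int]$Matches[2]
        $high = $low
        if ($Matches[3]) { $high = [int]$Matches[3] }
        if ($low -lt 1 -or $high -gt 65535 -or $low -gt $high) {
            throw "Port out of range in ValidPorts entry: '$entry'"
        }
        $result += New-Object PSObject -Property @{
            Server = $Matches[1].ToLower(); Low = $low; High = $high
        }
    }
    return $result
}

function Test-RpcProxyValidPorts {
    param(
        [string]$Value,                          # raw ValidPorts string
        [string[]]$BackEndNames,                 # NetBIOS name and FQDN of each back-end
        [int[]]$RequiredPorts = @(6001, 6004)    # the ports the guide lists
    )
    $entries    = @(ConvertFrom-ValidPorts $Value)
    $lowerNames = @($BackEndNames | ForEach-Object { $_.ToLower() })
    $missing    = @()
    $unexpected = @()

    # Every back-end name must be reachable on every required port.
    foreach ($name in $lowerNames) {
        foreach ($port in $RequiredPorts) {
            $hit = @($entries | Where-Object {
                $_.Server -eq $name -and $_.Low -le $port -and $_.High -ge $port
            })
            if ($hit.Count -eq 0) { $missing += "${name}:$port" }
        }
    }

    # Anything the proxy may forward to beyond those pairs is reported.
    foreach ($e in $entries) {
        $label = "$($e.Server):$($e.Low)-$($e.High)"
        $width = $e.High - $e.Low + 1
        $covered = @($RequiredPorts | Where-Object { $_ -ge $e.Low -and $_ -le $e.High }).Count
        if ($lowerNames -notcontains $e.Server) {
            $unexpected += "$label (server is not a listed back-end)"
        } elseif ($width -gt $covered) {
            $unexpected += "$label (covers ports other than the required ones)"
        }
    }

    New-Object PSObject -Property @{
        Compliant  = (($missing.Count + $unexpected.Count) -eq 0)
        Missing    = $missing
        Unexpected = $unexpected
    }
}

# Constructed sample value: EXBE01 is the guide's back-end name, the domain is a placeholder.
$sample = 'EXBE01:6001;exbe01.hosting.example:6001;EXBE01:6004;exbe01.hosting.example:100-5000'
Test-RpcProxyValidPorts -Value $sample -BackEndNames 'EXBE01', 'exbe01.hosting.example' |
    Format-List

# On a front-end server, read the live value instead of the sample:
# $live = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy').ValidPorts
```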

Installing SSL Certificate on RPC Proxy Server

SSL (Secure Socket Layer) certificates enable secure communication between a website and its web customers. Without a certificate, any information sent to a website can be intercepted and viewed by anyone. A certificate shows that a public key stored in the certificate belongs to the person, organization, server, or other entity noted in the certificate. A commonly trusted third party, known as Certificate Authority (CA), is responsible for issuing certificates and for verifying the identity of a requesting entity. To use the SSL Certificate technology, you should do the following:

1 Create SSL certificate request to be sent to an online trusted root Certification Authority (CA), such as Thawte, Verisign, GTE, Entrust.net.
2 Install the website SSL certificate on the RPC Proxy Server.
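The Exchange and RPC virtual directories configured earlier accept only Basic authentication, so the password is protected only while the SSL requirement stays in place. The following added example (not part of the original guide) decodes the IIS 6 metabase AuthFlags and AccessSSLFlags values and compares them with the settings the guide selects; the function names are hypothetical, the sample flag values are constructed, and the live read assumes Default Web Site is site 1.

```powershell
# Added example, not from the guide. Written for PowerShell 2.0 or later.

function Test-VDirSecurity {
    param(
        [string]$Name,
        [int]$AuthFlags,        # IIS metabase AuthFlags value
        [int]$AccessSSLFlags    # IIS metabase AccessSSLFlags value
    )
    # IIS 6 metabase bit masks.
    $AuthAnonymous = 0x1
    $AuthBasic     = 0x2
    $AuthNTLM      = 0x4     # Integrated Windows authentication
    $AccessSSL     = 0x8     # Require secure channel (SSL)
    $AccessSSL128  = 0x100   # Require 128-bit encryption

    $problems = @()
    if ($AuthFlags -band $AuthAnonymous) {
        $problems += 'Anonymous access is enabled'
    }
    if (-not ($AuthFlags -band $AuthBasic)) {
        $problems += 'Basic authentication is not enabled'
    }
    if ($AuthFlags -band $AuthNTLM) {
        $problems += 'Integrated Windows authentication is enabled'
    }
    if (-not ($AccessSSLFlags -band $AccessSSL)) {
        $problems += 'SSL is not required: Basic credentials would be sent in clear text'
    }
    if (-not ($AccessSSLFlags -band $AccessSSL128)) {
        $problems += '128-bit encryption is not required'
    }

    New-Object PSObject -Property @{
        Name      = $Name
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

function Get-VDirFlags {
    # Reads both values through the IIS ADSI provider, for example from
    # IIS://localhost/W3SVC/1/ROOT/Exchange
    param([string]$AdsPath)
    $entry = [ADSI]$AdsPath
    New-Object PSObject -Property @{
        AuthFlags      = [int]$entry.psbase.InvokeGet('AuthFlags')
        AccessSSLFlags = [int]$entry.psbase.InvokeGet('AccessSSLFlags')
    }
}

# Constructed flag values: the first set matches the guide's settings
# (Basic only, SSL and 128-bit required), the second does not.
$samples = @(
    @{ Name = 'Exchange'; AuthFlags = 2; AccessSSLFlags = 264 },
    @{ Name = 'Rpc';      AuthFlags = 7; AccessSSLFlags = 0 }
)
foreach ($s in $samples) {
    Test-VDirSecurity -Name $s.Name -AuthFlags $s.AuthFlags -AccessSSLFlags $s.AccessSSLFlags |
        Format-List
}

# On a front-end server (assumes Default Web Site is site 1):
# foreach ($v in 'Exchange', 'Rpc') {
#     $f = Get-VDirFlags "IIS://localhost/W3SVC/1/ROOT/$v"
#     Test-VDirSecurity -Name $v -AuthFlags $f.AuthFlags -AccessSSLFlags $f.AccessSSLFlags
# }
```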

Creating Request File for Certificate Authorities

1 Log on to EXFE01. Use an account that is a member of the Domain Administrators group. The account must have full Exchange Administrator permissions.
2 From the Start Menu, go to Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
3 In the Internet Information Services (IIS) Manager snap-in, in the console tree, expand the required server (in our case, EXFE01). Expand Web Sites, right-click Default Web Site and then click Properties.
Figure 38: IIS Manager
4 In the Default Web Site Properties dialog box, open the Directory Security tab. Click on the Server Certificate button. The Web Server Certificate Wizard starts.

Figure 39: Default Web Site Properties (SSL)

5. On the Welcome to the Web Server Certificate Wizard page, you can read the introductory wizard information. Click Next to continue.

Figure 40: Web Server Certificate Wizard Step 1

6. On the Server Certificate Wizard page, select the Create a new certificate option. Click Next to continue.

Figure 41: Web Server Certificate Wizard Step 2

7. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later option. Click Next to continue.

Figure 42: Web Server Certificate Wizard Step 3

8. On the Name and Security Settings Wizard page, in the Name field, type the name of the certificate (for example, RPCProxyCertificate). In the Bit length drop-down box, select 1024 as the default length of the encryption key. Click Next to continue.

Figure 43: Web Server Certificate Wizard Step 4

9. On the Organization Information page, in the Organization field, enter the name of your organization. In the Organizational unit field, enter the name of your division or department. Click Next to continue.
10. On the Your Site's Common Name page, in the Common name field, enter the fully qualified domain name of your RPC-over-HTTP Proxy Server. Click Next to continue.
11. On the Geographical Information page, enter the information about your company location. For this purpose, select the appropriate item from the Country/Region drop-down box and type the official names in the State/province and City/locality fields. Click Next to continue.
12. On the Certificate Request File Name page, specify the location and name of the request file that is being created. The certificate request file should be submitted on the official online site of a Certificate Authority (such as Thawte, Verisign, GTE, Entrust.net) to issue the SSL certificate.
13. Click Finish and close the IIS Certificate Wizard window.

Binding SSL Certificate to Website on RPC Proxy Server

1. Log on to EXFE01. Use an account that is a member of the Domain Administrators group. The account must have full Exchange Administrator permissions.
2. From the Start Menu, go to Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
3. In the Internet Information Services (IIS) Manager snap-in, in the console tree, expand the required server (in our case, EXFE01). Expand Web Sites, right-click Default Web Site and then click Properties.
4. In the Default Web Site Properties dialog box, open the Directory Security tab. Click on the Server Certificate button. The Web Server Certificate Wizard starts.
5. On the Welcome to the Web Server Certificate Wizard page, you can read the introductory wizard information. Click Next to continue.
6. On the Pending Certificate Request Wizard page, select the Process the pending request and install the certificate option. Click Next to continue.

Figure 44: Pending Certificate Request

7. On the Process a Pending Request Wizard page, in the Path and file name field, specify the location of the certificate file with the file extension CER. Click Next to continue.
8. Click Finish and close the IIS Certificate Wizard window.

Configuring Network Load Balancing for Exchange 2003 Servers

Configuring Network Load Balancing

To configure NLB for a group of servers, perform these steps:

1. Log in to a server with Domain Administrator's credentials.
2. Run the NLB Manager snap-in by clicking Run > Programs > Administrative Tools > Network Load Balancing Manager or by running the nlbmgr command.
3. In the Cluster menu, click New to create a new NLB cluster. Specify the following parameters of the NLB cluster being created:
   - shared IP address for servers that will comprise the cluster
   - subnet mask for the shared IP address
   In the Full Internet name field, type in the FQDN for the cluster servers (for example, nlb.provider.com). This parameter must be shared among the NLB cluster servers.
4. Click Next to continue.
5. Click Next again.
6. In the Port Rules dialog box, click Edit. Ensure that the Multiple hosts option is selected in the Filtering mode menu and the Affinity parameter is set to Single.
7. Click Next to continue.
8. In the Host field, type in the server's hostname where NLB should be installed (for example, SERVER01) and click Connect. Select the FrontNet interface from the list at the bottom.
9. Click Next to continue.
10. Click Finish to complete the wizard.

The new NLB cluster will be created and displayed in the left tree. So far, the newly created NLB cluster contains only one server (in our example, SERVER01).

To add a new server to the existing NLB cluster, do the following:

1. Right-click on the cluster name (in our example, nlb.provider.com) in the left tree. Select Add Host to Cluster from the pop-up menu.
2. In the Host field, type in a hostname of the server to be included in the cluster (for example, SERVER02) and click Connect. Select the FrontNet interface from the list at the bottom.
3. Click Next to continue.

4. Click Finish to complete the wizard.

The newly added server (SERVER02) has become a part of the NLB cluster (nlb.provider.com). Repeat these steps (1 to 4) for each new server to be included in the NLB cluster (for example, SERVER03, and so on).

Use these instructions to configure NLB for Exchange 2003 Servers.

Configuring NLB on Front-End Protocol Servers

To configure NLB on the front-end protocol servers, follow the instructions provided in the Configuring Network Load Balancing section (on page 96) using the following reference names:

- Full Internet name - exchange.provider.com
- First server name - EXFE01
- Other servers names - EXFE02 and EXFE03

Configuring NLB on Front-End SMTP Servers

To configure NLB on the front-end SMTP servers, follow the instructions provided in the Configuring Network Load Balancing section (on page 96) using the following reference names:

- Full Internet name - smtp.provider.com
- First server name - EXSMTP01
- Second server name - EXSMTP02

Configuring IIS on Front-End Protocol Servers

1. Log on to EXFE01.
2. From the Start Menu, go to Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
3. In the Internet Information Services (IIS) Manager snap-in, open the Web Sites folder of EXFE01. Right-click Default Web Site. In the opened menu, click Properties. The Default Web Site Properties dialog box opens.
4. On the Directory Security tab, under Secure communications, click on the View Certificate button. The Certificate dialog box opens.

Figure 45: Directory Security tab

5. In the Certificate dialog box, select the Details tab.
6. On the Details tab, click on the Copy to File button to start the Certificate Export Wizard.
7. Follow the Wizard steps to export the certificate together with its private key in the Personal Information Exchange PKCS#12 (.PFX) format. Save the certificate in the exprotocol.pfx file.

8. Copy the exprotocol.pfx file to all the SMTP servers that are configured to participate in Network Load Balancing (EXFE02, EXFE03 and so on).
9. Log on to another Front-End protocol server (EXFE02, EXFE03, etc.).
10. Open the Default Web Site Properties dialog box.
11. In the Default Web Site Properties dialog box, open the Directory Security tab.
12. On the Directory Security tab, under Secure communications, click on the Server Certificate button to start the Web Server Certificate Wizard.
13. Follow the Wizard steps to import the certificate from the exprotocol.pfx file on the current Default Web Site.
14. Restart IIS on the Front-End server.

Creating Default SMTP Connector

To enable correspondence between Exchange organization addresses and external addresses, you need to create a default SMTP connector.

1. Log on to EXFE01 or EXSMTP01.
2. From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3. Right-click the root node (HostedExchange). From the opened menu, select Internet Mail Wizard.
4. On the Welcome Wizard page, click Next.

Figure 46: Internet Mail Wizard

5. On the Prerequisites for Internet Mail Wizard page, click Next.
6. On the Server Selection Wizard page, from the Server drop-down menu, select the server which will provide all mail delivery from the Exchange organization to the Internet (EXSMTP01). Click Next.
7. Wait while the Wizard is running. When the process is over, the Next button becomes available on the Wizard in Progress Wizard page. Click Next.

8. Follow the other Wizard steps (default actions are acceptable in most installation scenarios).
9. Ensure that the new connector has appeared under the Connectors node of the left tree. Send a test message to an Internet e-mail address and check that it is delivered successfully.

Configuring Firewall for Exchange 2003 Services

Firewall settings for Exchange Servers 2003 as well as for other network infrastructure components can be found in the Firewall Configuration guide. For information on how to publish an Exchange Server 2003 using ISA 2006, refer to the following Microsoft article:

Deploying Exchange Provisioning

Configuring ClusterAdmin Account for Clustered Exchange

If you want to implement a clustered configuration of Exchange Mailbox servers, you need to configure the Cluster Admin account. To configure the Cluster Admin account, do the following:

1. Log on to MPS01 as a member of the Domain Administrators group.
2. Start the MPS Deployment Tool. The Provisioning Deployment Tool dialog box opens.
3. In the Provisioning Deployment Tool dialog box, in the Requirements Status pane, under Hosted Exchange, right-click Exchange Service Accounts. Click Install all in this group.
4. Click on the Start Deployment button under the Requirements Status pane.

Configuring MPS Server

This section describes the steps you need to perform on your Microsoft Provisioning System Engine server to make it function properly in the Hosted Exchange structure.

Installing Microsoft Exchange System Management Tools

1. Log on to MPS01.
2. Start Autorun from the MS Exchange 2003 CD-ROM.
3. In the Welcome window, click Exchange Deployment Tools.
4. On the page opened, click the Install Exchange System Management Tools Only link.
5. On the page opened, follow the instructions (check that all the requirements are satisfied).
6. Click the Run Setup Now link at the bottom of the page.
7. Select installation options as shown below. Click Next to continue.

Figure 47: Installing MESMT

8. After the installation completes, install Service Pack 2 for Exchange 2003.

Performing Exchange Provisioning Steps

Configuring Microsoft Provisioning System Server for Hosted Exchange

1. Log on to MPS01 using an account that is a member of the Domain Administrators group.
2. Run the MPS Provisioning Deployment Tool.
3. In the Requirement Status pane, expand Hosted Exchange. Expand Exchange Provisioning, right-click Configure MPS Exchange Security and select Set procedure parameters.
4. Type in the name for your hosting OU and then click OK.
5. Right-click Exchange Provisioning, click Install all in this group.
6. Click on the Start Deployment button.

Configuring MPFServiceAccts Group As Exchange Full Administrator

1. Log on to MPS01.
2. From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3. In the console tree, right-click the top node where the name of your Exchange organization is displayed. In the opened menu, click Delegate control to start the Exchange Administration Delegation Wizard.
4. On the Welcome Wizard page, click on the Next button.
5. On the Users and Groups Wizard page, click on the Add button. The Delegate Control dialog box opens.
6. In the Delegate Control dialog box, click on the Browse button. The Select Users, Computers or Groups dialog box opens.
7. In the Select Users, Computers or Groups dialog box, do the following:
   a. Under Enter the object name to select, type: MPFServiceAccts
   b. Click on the Check Names button.
   c. When the name resolves correctly, click OK.
8. In the drop-down menu, click Exchange Full Administrator, click OK, click Next, and then click Finish. If prompted with a security dialog box, click OK.

Configuring MPSExchangeAccts Group As Exchange Full Administrator

1. Log on to MPS01.
2. From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager dialog box opens.
3. In the console tree, right-click the top node where the name of your Exchange organization is displayed. In the opened menu, click Delegate control to start the Exchange Administration Delegation Wizard.
4. On the Welcome Wizard page, click on the Next button.
5. On the Users and Groups Wizard page, click on the Add button. The Delegate Control dialog box opens.
6. In the Delegate Control dialog box, click on the Browse button. The Select Users, Computers or Groups dialog box opens.
7. In the Select Users, Computers or Groups dialog box, do the following:
   a. Under Enter the object name to select, type: MPSExchangeAccts
   b. Click on the Check Names button.
   c. When the name resolves correctly, click OK.
8. In the drop-down menu, click Exchange Full Administrator, click OK, click Next, and then click Finish. If prompted with a security dialog box, click OK.

Important: When a customer subscribes to Exchange hosting or when a customer adds Exchange hosting to his domain, the task Providing initial functionality for domain service may fail with the following error:

"The specified directory service attribute or value does not exist" code="0x a" namespace="exchange Provider" procedure="createaddresslist"

(To see the error, in Provider's POA CP, go to Top > System Director > Task Manager > Background Tasks > Scheduled tasks. The error is displayed in the Output of last task field.)

The error occurs because the MPSExchangeAccts group does not have access rights on the CN=All Address Lists container. To fix this error, remove the MPSExchangeAccts group from Full Exchange Administrator, reset permissions on the Active Directory container and perform Steps 3 and 4 of this chapter again.

Configuring All Address Lists Container

1. Log on to MPS01.
2. From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3. In the console tree, expand the Recipients node, right-click All Address Lists. In the opened menu, select Properties.

4. In the All Address Lists Properties dialog box, select the Security tab. On the Security tab, click on the Advanced button. The Advanced Security Settings for All Address Lists dialog box opens.
5. In the Advanced Security Settings for All Address Lists dialog box, on the Permissions tab, click on the Add button. The Select Users, Computers or Groups dialog box opens.
6. In the Select Users, Computers or Groups dialog box, under Enter the object name to select, type: MPSExchangeAccts
7. Click OK. The Permission Entry for All Address Lists dialog box opens.
8. In the Permission Entry for All Address Lists dialog box, do the following:
   - In the Apply onto list, select This object and subcontainers.
   - In the Permissions list, allow Full Control.
9. Click OK three times.
10. Run the MPS Provisioning Deployment Tool.
11. Expand Hosted Exchange > Exchange Platform in the left frame.
12. Right-click the Prepare Address List Security sub-node. In the opened menu, select Install.
13. Click on the Start Deployment button at the bottom of the left frame.

Adding MPSExchangeAccts Group to Local Administrators

1. Log on to an Exchange Mailbox server using an account that is a member of the Domain Administrators group.
2. Execute the following command:
   net localgroup administrators %userdomain%\mpsexchangeaccts /add
   or perform the following steps:
   a. From the Start Menu, go to Start > Programs > Administrative Tools > Computer Management.
   b. In the Computer Management dialog box, open the Local Users and Groups > Groups folder.
   c. In the right frame, right-click Administrators. In the opened menu, click Add to Group. The Administrators Properties dialog box opens.
   d. In the Administrators Properties dialog box, click on the Add button. The Select Users, Computers or Groups dialog box opens.
   e. In the Select Users, Computers or Groups dialog box, under Enter the object name to select, type: MPSExchangeAccts. Click on the Check Names button. When the name resolves correctly, click OK.
   f. Click OK to close the Administrators Properties dialog box.
3. Repeat Step 2 for all Exchange servers in the environment.

Enabling Out-of-office Responses, Automatic Replies, and Automatic Forward

1. Log on to MPS01.
2. From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager dialog box opens.
3. In the console tree, select the top node where the name of your Exchange organization is displayed. Then select Global Settings > Internet Message Formats.
4. In the right pane, right-click the Default format (it is marked with the asterisk (' * ') in the Domain column) to open the Default Properties dialog.
5. Open the Advanced tab and select the following check boxes:
   - Allow out of office responses
   - Allow automatic replies
   - Allow automatic forward
6. Click on the OK button to save the changes and to close the dialog.

Installing MPF Exchange Provider

1. Log on to MPS01.
2. Switch the desktop resolution to 1024x768 or higher.
3. Run the DeploymentTool.exe program.
4. Select all sub-items of the Hosted Exchange node.
   Note: In non-clustered Exchange configuration, do not select Exchange Service Accounts.
5. Click on the Start Deployment button at the bottom of the left frame.
6. Be sure that the Hosting Platform > Service Components > Exchange Provider item is installed. If it is not installed, mark it for installation and click on the Start Deployment button at the bottom of the left frame.
7. Select (if they are not installed yet) all sub-items in the Core Platform > Core Configuration node except the following sub-items:
   - Configure MPS SQL Service Account
   - Configure MPS Cluster Admin
8. Click on the Start Deployment button at the bottom of the left frame.
9. Select all sub-items in the Hosted Exchange > Exchange Platform node.
10. Click on the Start Deployment button at the bottom of the left frame.
11. Check that the Exchange provider namespace is listed in the Provisioning Manager tool.

12. Reboot MPS01 to finish installation.

POA-Related Installation Steps

Creating DNS Records for Exchange Client Access Servers

Several services require a DNS A-record to be registered in the external DNS (DNS managed by POA). This A-record will point to the external IP address of Exchange Client Access server(s) providing the following services:

The following table shows services and their sample names that are used in this section:

Service | Prefix | Reference FQDN
Exchange MAPI for Microsoft Outlook Access, Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync, RPC-over-HTTP Proxy | exchange | exchange.provider.com
IMAP4 | imap | imap.provider.com
POP3 | pop | pop.provider.com

If the first five services are provided by the same Exchange Client Access server, it is recommended to use the same DNS record (FQDN) for them. This reduces the number of SSL certificates required to secure the access to these services.

To create a DNS record for an Exchange service in POA, follow these steps:

1. In POA, go to Top > Operations Director > Domain Manager > Domains.
2. In the domains list, click the name of the domain that you want to create a DNS record for (in our case, provider.com).
3. Open the DNS Management tab. On the tab, click on the Add New DNS Record button.
4. In the DNS record type drop-down box, select A. Click Next to continue.

Figure 48: Add DNS Record Type

5. Type the domain name prefix (for example, exchange) and the external IP address of the Exchange Client Access server (EXFE01). Click Finish.

Figure 49: Add DNS Record Name IP

Now, the new domain name is associated with the IP address.

Registering Exchange Mailbox Servers in POA

To register an Exchange Mailbox server, you need to perform the following operations:

1. Install POA Agent on the Exchange Mailbox server.
2. Configure POA Administrator account as Exchange Full Administrator.
3. Install the Exchange CP on UI server.
4. Install the Exchange service package on the Exchange Mailbox server.
5. Check that the package store is ready to provide.

Below, these steps are described in detail.

Installing POA Agent on Exchange Mailbox Servers

Install POA Agent on Exchange Mailbox servers. The POA Agent installation steps are described in the Installing POA Agent section (on page 381).

Configuring POA Administrator Account as Exchange Full Administrator

1. Log on to EXBE01.
2. From the Start Menu, go to Start > Programs > Microsoft Exchange > System Manager. The Exchange System Manager snap-in opens.
3. In the console tree, right-click the top node where the name of your Exchange organization is displayed. In the opened menu, click Delegate control. The Exchange Administration Delegation Wizard starts.

4. Click Next.

Figure 50: Exchange Delegation Administration Wizard, Step 1

5. On the Users or Groups Wizard page, click Add. The Delegate Control window opens.
6. In the Delegate Control dialog box, click Browse, select pem_admin from the list, and then click OK.
7. In the Role drop-down list, select Exchange Full Administrator, click OK, click Next.

Figure 51: Delegating Control

8. Click on the Finish button.

Installing CP Package

Install the package exchange (type: cp, platform: any) on the UI Server that you want to use for the Exchange control panel. Before using the newly installed Exchange CP package, ensure that Java was restarted on the UI Server.

Installing Service Package

Install the package MSExchange (type: service) on all the Exchange Mailbox servers you have registered in POA. Set the following package properties:

exchange.mailbox.store.name
   Description: Name of Mailbox store in the Active Directory. To get the name of Mailbox store, follow the instructions at Getting Mailbox Store Name (on page 114).
   Example: 'Mailbox Store (EXBE01)'

exchange.mailbox.store.size
   Description: Size of Mailbox storage (in GB).

exchange.mailbox.store.path
   Description: LDAP path to the Public Folder store in the Active Directory. To get the LDAP path to the Public Folders store, follow the instructions at Getting LDAP Path to Public Folders Store (on page 115).
   Example: 'LDAP://CN=Public Folder Store (EXBE01),CN=First Storage Group,CN=InformationStore,CN=EXBE01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=POA Exchange Hosting Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,dc=exchange,dc=local'

exchange.public.folder.store.size
   Description: Size of Public Folder storage (in GB).

Note: Before installing Exchange service packages on the Back-End, ensure that .NET Framework 2.0 is installed on MPS node.

Getting Mailbox Store Name

To get the name of Mailbox store, follow these steps:

1. Log on to EXBE01 as Domain Administrator.
2. Run the following command:
   adsiedit.msc
3. In the left pane of the ADSI Edit dialog box, go to the following node: CN=Configuration > CN=Services > CN=Microsoft Exchange > CN=HostedExchange > CN=Administrative Groups > CN=First Administrative Group > CN=Servers > CN=EXBE01/EXVS01 > CN=InformationStore > CN=First Storage Group. In the right pane, you can see the list of all stores available on the server.
4. Right-click CN=Mailbox Store (EXBE01/EXVS01), click Properties.
5. In the Attributes list box, locate and click the displayname attribute.

Figure 52: Mailbox Properties

In the String Attribute Editor dialog box, in the Value field, you can see the mailbox store name.

Figure 53: Display Name

Getting LDAP Path to Public Folders Store

To get the LDAP path to the Public Folders store, follow these steps:

1. Log on to EXBE01 as Domain Administrator.
2. Run the following command:
   adsiedit.msc
3. In the left pane of the ADSI Edit dialog box, go to the following node: CN=Configuration > CN=Services > CN=Microsoft Exchange > CN=HostedExchange > CN=Administrative Groups > CN=First Administrative Group > CN=Servers > CN=EXBE01/EXVS01 > CN=InformationStore > CN=First Storage Group. In the right pane, you can see the list of all stores available on the server.
4. Right-click CN=Public Folder Store (EXBE01/EXVS01). In the menu opened, click Properties.
5. In the Properties dialog box, in the Attributes list box, locate and click the distinguishedname attribute.

Figure 54: Public Folder Store Properties

In the String Attribute Editor dialog box, in the Value field, you can see the LDAP path to the Public Folders store. Use this value for the corresponding package property. Do not forget to add the prefix LDAP:// at the beginning of the string.

Checking MSExchange Stores Status

After you have installed the MSExchange package on the Exchange Mailbox server, you need to check that the status of the package stores is Ready to provide. For this purpose, do the following:

1. Log on to POA using the POA Administrator account.
2. Go to Top > Deployment Director > Server Manager > Hardware Nodes.
3. Click the name of the Exchange Mailbox server.
4. Open the Applications tab.
5. Click MSExchange.
6. Open the Store Management tab. Check that the stores are marked with Yes in the Ready to provide column.

Figure 55: All stores are "ready to provide"

7. If a store is not marked as Ready to provide, perform the following steps:
   a. Click the name of the store.
   b. Click on the Edit button on the General tab.
   c. Select the Ready to provide check box.
   d. Click on the Submit button.

Figure 56: Making store "ready to provide"

Note: If you leave a store as Not ready to provide, customers will not be able to create mailboxes/public folders in this store.

Registering Exchange SMTP Servers in POA

To register an Exchange SMTP server, you need to perform the following operations:

1. Install POA Agent on the Exchange SMTP server.
2. Install the Exchange service package on the Exchange SMTP server.

Below, these steps are described in detail.

Installing POA Agent on Exchange SMTP Servers

1. Log on to EXSMTP01.
2. Install POA Agent on EXSMTP01. The POA Agent installation steps are described at Installing POA Agent (on page 381).
   Note: To install POA Agent on an Exchange node included into a NLB cluster, follow the instructions for non-cluster Windows node.
3. On EXSMTP01, create the folder C:\SMTPEventSink.
4. Copy all files and subdirectories from the Hosted Exchange\SMTP Event Sinks directory of the HMC 3.5 distribution package to the C:\SMTPEventSink folder.

Installing Service PPM Package on Exchange SMTP Servers

Install the package ExchangeSMTP (type: service) on the Exchange SMTP server. Specify the following package properties:

- External IP address for Exchange SMTP cluster (exchange.smtp.ip) - Specify the external IP address of the Exchange SMTP cluster or of a stand-alone SMTP server. Specify an identical value for all servers of the cluster.
- Domain ID where A-record pointing to this cluster will be created or domain ID pointing to this cluster (domain prefix should be empty) (exchange.smtp.dns_domain.id).
   a. Specify the ID of a domain where the A-record pointing to this Exchange SMTP cluster or standalone server will be created. Usually it is the provider's domain, like provider.com. To find the domain ID, in the POA CP go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the required domain and copy its ID into this property. You must specify an identical value for all servers of a cluster.
   b. Or you can specify the ID of a domain pointing to this cluster or standalone server. In this case you should leave the domain prefix empty (note that the A-record will not be created in this case). Usually it is a domain like smtp.provider.com, which is registered in POA DNS as a domain on the external DNS server. To find the domain ID, in the POA CP go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the required domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
- Prefix for creating A-record pointing to this cluster (if value is empty, then A-record will not be created) (exchange.smtp.dns_domain.prefix) - Prefix for the A-record pointing to this Exchange SMTP cluster or standalone server. If the prefix is smtp and the provider's domain is provider.com, the smtp.provider.com FQDN will be registered. You must specify an identical value for all servers of a cluster. If you leave the prefix empty, an A-record will not be registered; the domain whose ID is specified in the exchange.smtp.dns_domain.id parameter will be used as the DNS name for this cluster or standalone server.
- Full local path to the 'SmtpDomX.dll' file, e.g. 'C:\SMTPEventSink\SmtpDomX.dll' (exchange.smtp.smtpdomx_path) - The full local path to the SMTP Event Sink component. If the SMTP Event Sink has been placed into the C:\SMTPEventSink directory, then type here C:\SMTPEventSink\SmtpDomX.dll.
- Full local path to the 'domains.dat' file, e.g. 'c:\exchangesmtp' (exchange.smtp.domains_dat_path) - The full path to the file where the SMTP domains list will be placed (domains.dat file). Type here C:\ExchangeSMTP (default value).
- Domain list refresh interval, in seconds (exchange.smtp.refresh_interval) - Recommended value is 600 seconds (default value). The zero value (0) indicates that the file should never be reloaded.

- Default SPF record (exchange.smtp.default_spf) - This is the value of the default SPF record, which will be created on the provider's and brand's domains. Default value is v=spf1 a mx. This rule marks as Safe e-mails coming from the hosts listed in A and MX records of the domain, and rejects other e-mails. You can specify stronger rules. For details about SPF records and SPF rules syntax, refer to or to
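When choosing a value for exchange.smtp.default_spf, it helps to see which SPF result a record produces for senders that match none of its mechanisms. The following is an added example, not part of the original guide: it applies the RFC 7208 evaluation rules to the terminal `all` mechanism and the `redirect` modifier. The sample records other than the default, and the names _spf.example.com and 192.0.2.1, are constructed.

```python
import re

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
_MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=(.*)$")


def analyze_spf(record):
    """Report who a record authorizes and what unlisted senders evaluate to.

    Returns a dict with:
      authorized      - mechanisms (before 'all') that yield pass
      unlisted_result - result for a sender that matches no mechanism
      ignored         - terms placed after 'all', which are never evaluated
      findings        - short notes worth reviewing
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")

    authorized, ignored = [], []
    all_result = None
    redirect = None
    for term in terms[1:]:
        if all_result is not None:       # 'all' always matches; the rest is dead
            ignored.append(term)
            continue
        modifier = _MODIFIER.match(term)
        if modifier:
            if modifier.group(1).lower() == "redirect":
                redirect = modifier.group(2)
            continue
        has_qualifier = term[0] in QUALIFIERS
        qualifier = term[0] if has_qualifier else "+"   # default qualifier is '+'
        body = term[1:] if has_qualifier else term
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism: {term!r}")
        if name == "all":
            all_result = QUALIFIERS[qualifier]
        elif qualifier == "+":
            authorized.append(body)

    findings = []
    if all_result is not None:
        unlisted = all_result
    elif redirect is not None:
        unlisted = "redirect:" + redirect   # decided by the target record
    else:
        unlisted = "neutral"                # RFC 7208 default result
        findings.append("no terminal 'all': unlisted senders evaluate to neutral")
    if all_result == "pass":
        findings.append("'all' with a pass qualifier authorizes every sender")
    if ignored:
        findings.append("terms after 'all' are never evaluated: " + " ".join(ignored))

    return {
        "authorized": authorized,
        "unlisted_result": unlisted,
        "ignored": ignored,
        "findings": findings,
    }


DEFAULT_RECORD = "v=spf1 a mx"          # default value from the guide
STRICT_RECORD = "v=spf1 a mx -all"      # constructed stronger rule

if __name__ == "__main__":
    for rec in (DEFAULT_RECORD, STRICT_RECORD):
        print(rec, "->", analyze_spf(rec))
```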

Registering Exchange Client Access Servers in POA

1. Install POA Agent on all Exchange Client Access servers.
   Note: To install POA Agent on an Exchange node included into a NLB cluster, follow the instructions for non-cluster Windows node.
2. Install the package ExchangePOP3 (type: service) on all Exchange POP3 servers of the cluster. Specify the following package properties:
   - External IP address for Exchange POP3 cluster (exchange.pop3.ip) - Specify the external IP address of the Exchange POP3 cluster or of the stand-alone POP3 server. This value must be identical for all servers of the cluster. If you want to configure one Client Access cluster, specify an identical external IP address for all Client Access services.
   - DNS zone ID where to create A-record pointing to this Exchange POP3 cluster (exchange.pop3.dns_domain.id) - Specify the ID of the DNS zone where the A-record pointing to the Exchange POP3 cluster or to the stand-alone server will be created. This value (usually, it is the ID of the provider domain) must be identical for all POP3 servers of the cluster.
     Note: To obtain the domain ID, in POA, go to Top > Operations Director > Domain Manager > Domains. The number in the ID column is the wanted value.
   - Prefix for A-record pointing to this Exchange POP3 cluster (exchange.pop3.dns_domain.prefix) - Specify the prefix for the A-record pointing to the Exchange POP3 cluster or to the stand-alone server. If the prefix is pop3, and the provider domain is provider.com, then the pop3.provider.com FQDN will be registered. You must specify an identical value for all POP3 servers of the cluster. Recommended value for one cluster configuration: exchange.
3. Install the package ExchangeIMAP4 (type: service) on all Exchange IMAP4 servers of the cluster. Specify the following package properties:
   - External IP address for Exchange IMAP4 cluster (exchange.imap4.ip) - Specify the external IP address of the Exchange IMAP4 cluster or of the stand-alone IMAP4 server. This value must be identical for all servers of the cluster. If you want to configure one Client Access cluster, specify an identical external IP address for all Client Access services.
   - DNS zone ID where to create A-record pointing to this Exchange IMAP4 cluster (exchange.imap4.dns_domain.id) - Specify the ID of the DNS zone where the A-record pointing to the Exchange IMAP4 cluster or to the stand-alone server will be created. This value (usually, it is the ID of the provider domain) must be identical for all IMAP4 servers of the cluster.
   - Prefix for A-record pointing to this Exchange IMAP4 cluster (exchange.imap4.dns_domain.prefix) - Specify the prefix for the A-record pointing to the Exchange IMAP4 cluster or to the stand-alone server. If the prefix is imap, and the provider domain is provider.com, then the imap.provider.com FQDN will be registered. You must specify an identical value for all IMAP4 servers of the cluster. Recommended value for one cluster configuration: exchange.

122 122 Parallels Operations Automation 2.9 Parallels 4 Install the package ExchangeProtocol (type: service) on all Exchange Protocols servers of the cluster. Specify the following package properties: External IP address for Exchange Protocols cluster. (exchange.protocols.ip). - Specify the external IP address of the Exchange Protocols cluster or of the stand-alone Exchange Protocols server. This value must be identical for all servers of the cluster. If you want to configure one Client Access cluster, specify an identical external IP address for all Client Access services. DNS zone ID where to create A-record pointing to this Exchange Protocols cluster. (exchange.protocols.dns_domain.id). - Specify the ID of the DNS zone where the A- record pointing to the Exchange Protocols cluster or to the stand-alone server will be created. This value (usually, it is the ID of the provider domain) must be identical for all Exchange Protocols servers of the cluster. Prefix for A-record pointing to this Exchange Protocols cluster. (exchange.protocols.dns_domain.prefix). - Specify the prefix for the A-record pointing to the Exchange Protocols cluster or to the stand-alone server. If the prefix is exchange, and provider domain is provider.com, then the exchange.provider.com FQDN will be registered. You must specify the identical value for all Exchange Protocols servers of cluster. Recommended value for one cluster configuration: exchange. RPC over HTTP authentication type. (exchange.protocols.rpc.auth_type). - Put value 0 here since POA supports basic authorization in OWA and RPC. Outlook Web Access (OWA) virtual directory name. (exchange.protocols.owa.dir). - Type the name of OWA virtual directory. This name will be used for OWA URL creating. For example, you can use OWA as the value of this property. In this case, for the server with the exchange.neverhood.org DNS, OWA URL will be You can leave this field empty. Outlook Mobile Access (OMA) virtual directory name. 
(exchange.protocols.oma.dir). - Type the name of OMA virtual directory. This name will be used for OMA URL creating. For example, you can use OMA as the value of this property. In this case, for the server with the exchange.neverhood.org DNS, OMA URL will be You can leave this field empty.

Installing Exchange OAB Service

You can use your Exchange Mailbox servers for storing Offline Address Books (OAB) for your Exchange Organizations. But if the capacity of your Exchange Mailbox servers is filled, you should deploy additional Exchange OAB servers.

An Exchange OAB server must meet the following system requirements:

Server Names: EXOAB
Description: Exchange Offline Address Book server. Stores and maintains Offline Address Books for Exchange organizations. Initially EXBE servers are used for storing OAB, but if their capacity is filled (1,000 OABs - i.e. 1,000 customer organizations per server) then an additional OAB server should be deployed.
Density: 1,000 customers (Exchange organizations)
Quantity: Optional initially. Required if the number of customer organizations on an Exchange back-end server exceeds 1,000.
OS: Windows Server 2003 (R2) Standard Edition SP2 (x86)
Software: To be installed by the Customer: OS. To be installed by Parallels: Exchange Server 2003 Enterprise Edition SP2 (Distribution to be provided by the Customer)
Supported Virtualization: Not supported
CPU: 1 core (3GHz or higher)
RAM: 1GB
Disks: Array 1: OS and software - 2 x 36, SCSI RAID 1
Disk Partitioning: Array 1: C: 10GB - for OS and software; D: remaining space (26GB) - OAB Data
NICs: BackNet

If you use an additional Exchange OAB server, configure it as you configure Exchange Mailbox servers.

When the Exchange OAB server is registered in POA, install the package ExchangeOAB (type: service) on the server. Specify the following package properties:
  - Name of Public Folder Store (exchange.oab.pf.store.name). Specify the name of the public folder store where OABs will be generated and stored (Public Folder Store (EXBE01) in the default installation configuration).
  - Maximum number of Offline Address Books the server could handle (exchange.oab.host.capacity). Specify the maximum number of Offline Address Books the server can handle. Microsoft guides recommend the limit of 1000 OABs per server. This value will be used for the host's capacity Number of Exchange Offline Address Books.
  - Number of Offline Address Books when warning event should be generated (exchange.oab.host.capacity.warning). Specify the number of OABs that, after being reached, invokes the generation of a warning notification.
  - Offline Address Books Bandwidth Threshold, KBps (exchange.oab.bandwidth.threshold.kbps). Specify the maximum bandwidth for Outlook clients. The recommended value is 500 (i.e. Mbps).

Creating Resource Type

The service template for Exchange hosting should include a resource type based on the resource class Hosted Exchange. To create such a resource type, you need to do the following:

1 In POA, go to Top > Service Director > Provisioning Manager > Resource Types.
2 Click on the Add New Resource Type button.
3 Select Hosted Exchange as the base resource class.
  Figure 57: Entering Resource Type General Parameters
4 Enter the resource type general parameters: name and description.
  Figure 58: Setting Activation Parameters
5 Set three optional activation parameters:
  - Mail server prefix. Type in this field a string with the server prefix.
  - Instant Access URL prefix template. Type in this field a string with the domain prefix. See Specifying Instant Access URL Prefix Template (on page 127) for details.
  - Default domain id. Type in this field the identifier of provider's domain.
6 Enter limits for sub-resources. See List of Resources (on page 128) for details.
7 Select attributes for the new resource type.
8 Click on the Finish button.

Specifying Instant Access URL Prefix Template

When a customer buys a domain, it takes some time before he/she can start accessing the new domain. This happens because of DNS refresh latency. At the same time, DNS records in the Provider's DNS zone are refreshed much faster. Therefore, to enable customers to access newly created websites immediately after the order provisioning, every new webspace can be provided with a record in the Provider's DNS zone and with a URL based on this record. Such a URL is called an Instant Access URL.

You may include the following elements in the Instant Access URL prefix template:
  - Symbols (any numbers or letters). Every new Instant Access URL will begin with the symbols you put at the beginning of the prefix template.
  - ${subscription_id}. Instant Access URL will include the customer's subscription identifier.
  - ${domain_name}. Instant Access URL will include the customer's domain name, where "." is replaced with "-". Used only during autoprovision. You can add a suffix here: ${domain_name:suffix}. In this case, if a domain name includes the specified suffix, the name will be used in the Instant Access URL without this suffix.
  - ${unique}. Include this element in a prefix template for the sake of prefix uniqueness. This property will turn into nothing for the first (auto-unique) prefix, and into -1, -2, -3, ... (and so forth) for subsequent prefixes.

In the table below, you can view some examples of correct Instant Access URL prefix templates. The table shows Instant Access URLs provisioned on the basis of these templates with the domain customer.domain.com and by the subscription

Example of Instant Access URL prefix template | Instant Access URL for the first web hosting | Instant Access URL for the second web hosting
${domain_name}${unique} | customer-domain-com-1 | customer-domain-com-2
${domain_name:.info}${unique} | customer-domain | customer-domain-1
d${subscription_id}${unique} | d | d
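A prefix-template expander that follows the element rules listed above, as an added example (it is not POA code, and POA's own implementation may differ). The function names, the subscription ID 1001 and the DNS-label check are assumptions made for the illustration; the check is there because the expanded prefix becomes a host name in the provider's zone and part of it comes from a customer-supplied domain name.

```python
import re

# Elements described in the guide: ${subscription_id}, ${domain_name},
# ${domain_name:suffix} and ${unique}.
_TOKEN = re.compile(r"\$\{(subscription_id|unique|domain_name)(?::([^}]+))?\}")

# A single DNS label: letters, digits and hyphens, 1 to 63 characters,
# not starting or ending with a hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def expand_prefix(template, domain, subscription_id, attempt=0):
    """Expand one prefix template.

    attempt 0 is the first prefix (${unique} expands to nothing);
    attempt 1, 2, ... are the subsequent ones (-1, -2, ...).
    """
    def substitute(match):
        name, suffix = match.group(1), match.group(2)
        if suffix is not None and name != "domain_name":
            raise ValueError("only ${domain_name} accepts a suffix")
        if name == "subscription_id":
            return str(subscription_id)
        if name == "unique":
            return "" if attempt == 0 else "-%d" % attempt
        base = domain.lower()
        if suffix and base.endswith(suffix.lower()):
            base = base[: -len(suffix)]      # drop the configured suffix
        return base.replace(".", "-")        # "." is replaced with "-"

    prefix = _TOKEN.sub(substitute, template).lower()
    if "${" in prefix:
        raise ValueError("unknown element in template: %r" % template)
    if not _LABEL.match(prefix):
        raise ValueError("expanded prefix is not a valid DNS label: %r" % prefix)
    return prefix


def allocate_prefix(template, domain, subscription_id, taken, max_attempts=100):
    """Return the first expanded prefix not present in `taken` and reserve it."""
    for attempt in range(max_attempts):
        candidate = expand_prefix(template, domain, subscription_id, attempt)
        if candidate not in taken:
            taken.add(candidate)
            return candidate
        if "${unique}" not in template:
            break                            # template cannot produce another value
    raise ValueError("no free prefix for template %r" % template)


if __name__ == "__main__":
    zone = set()                             # prefixes already in the provider's zone
    for _ in range(3):
        print(allocate_prefix("${domain_name:.com}${unique}",
                              "customer.domain.com", 1001, zone))
    print(allocate_prefix("d${subscription_id}${unique}",
                          "customer.domain.com", 1001, zone))
```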

List of Resources

In the table below, you can see names, descriptions and typical limits of the resources to be included in a Resource Type for Hosted Exchange.

Resource Name | Description | Typical Limit

Common resources
Disk Space | Amount of storage available for mailboxes and public folders per subscription. Actual usage of storage (total actual size of all mailboxes and public folders) is reported to this resource. | (1 GB)
Domains | Number of domains (without associated hosting service) customer can create per subscription. | 3
DNS Hosting | Number of domains hosted on system DNS servers. | 3

Hosted Exchange resources
Hosted Exchange | Hosted Exchange organization and associated hosting service. If Limit=0, no customer can use Hosted Exchange in subscription. If Limit=1 (or any number bigger than 0), single Hosted Exchange organization is created in subscription. | 1
Domains | Number of domains enabled for Hosted Exchange organization.
Mailboxes | Number of mailboxes per Hosted Exchange organization.
Maximum Allowed Mailbox Size | Maximum allowed value of mailbox size limit.
Outlook Web Access | Number of mailboxes for which OWA can be enabled.
POP3 Access | Number of mailboxes for which POP3 Access can be enabled.
IMAP4 Access | Number of mailboxes for which IMAP4 Access can be enabled.
Outlook Access | Number of mailboxes for which Outlook Access (RPC-over-HTTPS) can be enabled.
Outlook Mobile Access | Number of mailboxes for which OMA can be enabled.
ActiveSync | Number of mailboxes for which ActiveSync (User Initiated Synchronization) can be enabled.
Always Up-To-Date Notifications | Number of mailboxes for which Always Up-To-Date Notifications option can be enabled.
Public Folders | Number of public folders per Hosted Exchange organization.
Maximum Allowed Public Folder Size | Maximum allowed value of public folder size limit.
Contacts | Number of contacts per Hosted Exchange organization.
Distribution Lists | Number of distribution lists per Hosted Exchange organization.
Typical Limit: (100 MB) (100 MB)

Creating Service Template

1 Create a new Service Template based on the just created resource type (see the Creating Resource Types (on page 125) topic).
2 Enter the following limits:
  - Diskspace (in Megabytes)
  - Traffic (in Megabytes)
  - Domains (in units)
  - Mail Hosting (in units)
  - Addon domains (in units)

Below is the screenshot with the typical resources for the Exchange-only Service Template:

Figure 59: Exchange Service Template

Checking Readiness of Exchange Servers to Provide

Make sure that all your Exchange Mailbox servers, Exchange SMTP servers, and Exchange OAB servers are ready to provide services. For this purpose, perform the following steps:

1 Log on to POA.
2 Go to Top > Deployment Director > Server Manager > Hardware Nodes.
3 Select the required host.
4 If the host is ready to provide, you will see Yes in the Ready to Provide field on the General tab. Otherwise, click on the Marked as ready to provide link.

Configuring AUTD Notification on Windows Mobile Smartphones

Pocket PC Phone Edition devices or Smartphones running either Microsoft Windows Mobile 2003 software or Windows Mobile 2003 Second Edition can be configured for self-updating, using a companion feature named Always Up-to-Date Notification (AUTD).

After completing the operations described in the Enabling Exchange ActiveSync Support (on page 70) and Configuring Security Settings for Mobile Devices (on page 73) topics, you can configure AUTD (Always Up-to-Date Notification) on a Windows Mobile smartphone to automatically synchronize the mobile device with a mailbox for reception of new messages. For this purpose, follow these steps:

1 On the Smartphone 2003 Emulator, select Start, select ActiveSync, select Menu, select Options and then select Mobile Schedule. If your account is enabled for AUTD, you see When new items arrive as one of the available options.
2 Use Peak time sync and Off-peak time sync to specify how often you want your device to synchronize during peak times and off-peak times.
  Figure 60: Figure 16
  a To enable AUTD, select When new items arrive from the Off-peak time Sync drop-down list.
  Figure 61: Figure 17
  b Select an interval in minutes from the Peak time sync drop-down list.
3 Select Sync outgoing items as they are sent to force the mobile device to synchronize after you have composed messages.
4 Click Done and go to the main menu of the ActiveSync pane.
5 In the ActiveSync pane, select Menu, select Options, select Server Settings, and then select Connection.
  Figure 62: Figure 15
6 Enter the server name into the Server Name field. Select SMTP Address from the Address device using drop-down list. Enter address into the Device SMS Address field.
7 Click Done and go back to the main menu of the ActiveSync pane.

CHAPTER 3

Deploying BlackBerry Messaging Service for Microsoft Exchange 2003

This section describes how to integrate POA with BlackBerry wireless solutions. This integration allows using the POA control panel for access to a wide range of applications on BlackBerry devices.

In This Chapter
  Overview
  System Requirements
  Network Requirements
  Preparing Node for BES
  Configuring Proxy Server
  Deploying Microsoft SQL Server for BlackBerry Configuration Database
  BlackBerry Enterprise Server Pre-Installation Steps
  Creating Exchange Mailbox
  Installing BlackBerry Enterprise Server Software
  Installing BlackBerry Enterprise Server Resource Kit
  Testing BlackBerry Service Account
  Registering BlackBerry Enterprise Servers in POA
  Installing POA Packages
  Importing Existing BlackBerry Accounts into POA

Overview

There are two deployment scenarios for provisioning BlackBerry components in POA:
  - Large Scale Deployment. This scenario is appropriate for high volume deployment schemes where thousands of BlackBerry accounts will be provisioned on multiple servers.
  - Consolidated Deployment scheme. This scenario is appropriate for providers who want to start offering BlackBerry Messaging to a limited number of users and with minimal investments.

The following diagram shows both variants of deployment:

Figure 63: Blackberry Deployment Scheme

Component | Large Scale Deployment | Consolidated Deployment
BlackBerry Configuration Database; BlackBerry API BESUserAdminService | BESSQL01 - dedicated database server that is used by multiple BES servers. Microsoft SQL Server 2000 SP4 or Microsoft SQL Server 2005 is installed. | BES01 - consolidated BlackBerry server. Microsoft SQL Server Desktop Engine 2000 (MSDE 2000) is installed.
BlackBerry Enterprise Server (BES) | BES01, BES02, ... - dedicated BlackBerry servers. | BES01 - consolidated BlackBerry server.
BlackBerry API BESUserAdminClient; Parallels's MPS Provider for BES | MPS01 - provisioning server (running Microsoft Provisioning System). | MPS01 - provisioning server (running Microsoft Provisioning System).

Note: The maximum size of an MSDE 2000 database cannot exceed 2 GB.

BlackBerry messaging service is provisioned via BlackBerry API. BlackBerry API tools (BESUserAdminService and BESUserAdminClient) are a part of BlackBerry Enterprise Server Resource Kit.

The following sample names are used in this section:
  - DOM - Active Directory domain where Exchange and BlackBerry are deployed.
  - DOM.local - FQDN name of Active Directory domain where Exchange and BlackBerry are deployed.
  - HostedExchange - Exchange organizational unit.

System Requirements

To provide BlackBerry Messaging Service, you need the following servers:

BES01 (Consolidated Deployment) - BES that runs BlackBerry Messaging services, Configuration Database and BlackBerry API service.

Server Names: BES (Consolidated Deployment)
Description: BlackBerry Enterprise Server. Runs BlackBerry Messaging services, Configuration Database and BlackBerry API service.
Density: 500 accounts
Quantity: 1
OS: Windows Server 2003 (R2) Standard Edition SP2 (English, French, German, Italian or Spanish) (x86)
Software: To be installed by the Customer: OS. To be installed by Parallels (Distribution to be provided by the Customer):
  - BlackBerry Enterprise Server version
  - Blackberry Enterprise Server Resource Kit
  - Microsoft Exchange 2003 System Management Tools (for Microsoft Exchange 2003) - or - Microsoft Exchange Server MAPI Client and Collaboration Data Objects (for Microsoft Exchange 2007)
  - Microsoft SQL Server Desktop Engine - or - Microsoft SQL Server 2005 Express Edition
Supported Virtualization: Not supported
CPU: 2 core (3GHz or higher)
RAM: 4GB
Disks: Array 1: OS, software, BES Logs - 2 x 36, SCSI RAID 1
Disk Partitioning: Array 1: C: 16GB - OS and Software; E:\BESLogs - 20GB - BES Logs
NICs: BackNet

BES01 (Large Scale Deployment) - BES that runs BlackBerry Messaging services.

Server Names: BES (Large Scale Deployment)
Description: BlackBerry Enterprise Server. Runs BlackBerry Enterprise Server services.
Density: 2,000 BlackBerry accounts
Quantity: To be calculated based on the projected number of BlackBerry accounts and the density above.
OS: Windows Server 2003 (R2) Standard Edition SP2 (English, French, German, Italian or Spanish) (x86)
Software: To be installed by the Customer: OS. To be installed by Parallels (Distribution to be provided by the Customer):
  - BlackBerry Enterprise Server version
  - Microsoft Exchange 2003 System Management Tools (for Microsoft Exchange 2003) - or - Microsoft Exchange Server MAPI Client and Collaboration Data Objects (for Microsoft Exchange 2007)
Supported Virtualization: Not supported
CPU: 2 core (3GHz or higher)
RAM: 4GB
Disks: Array 1: OS, software, and BES Logs - 2 x 36, SCSI RAID 1
Disk Partitioning: Array 1: C: 16GB - OS and Software; E:\BESLogs - 20GB - BES Logs
NICs: BackNet

BESSQL01 - MS SQL server that carries BlackBerry Configuration Database.

Server Names: BESSQL (Large Scale Deployment)
Description: MSSQL server carrying BlackBerry Configuration Database.
Density: Up to 10,000 BlackBerry accounts per server depending on the disk usage
Quantity: 1 per 5 BES servers (BES (Large Scale Deployment))
OS: Clustered configuration: Windows Server 2003 (R2) Enterprise Edition SP2 (x86 or x64). Non-clustered configuration: Windows Server 2003 (R2) Standard Edition SP2 (x86 or x64)
Software: To be installed by the Customer: OS only. To be installed by Parallels (distribution to be provided by the Customer):
  - Blackberry Enterprise Server Resource Kit
  - MS SQL Server 2000 Standard Edition SP4 - or - Microsoft SQL Server 2005 Standard Edition
Supported Virtualization: Not supported
CPU: 2 core (3GHz or higher)
RAM: 4GB
Disks: Array 1: OS, software, databases, and logs - 3 x 72 GB, SCSI RAID 5 (hardware impl.)
Disk Partitioning: Array 1: C: - 10 GB - for OS and software; Q: - 1 GB - Quorum (for clustered configuration); D: - remaining space - for database and logs
NICs: BackNet; HeartBeatNet (for clustered configuration); SAN connectivity (for clustered configuration)

Network Requirements

There are the following network requirements:
  - Deploy the BES01 server in the BackNet segment.
  - Verify that you have configured the corporate firewall or proxy to permit the BES to initiate and maintain an outbound connection to the Internet on TCP port 3101 to connect to the BlackBerry Infrastructure.
  - Verify that external domain names can be resolved from BES01.
  - Verify that the proxy server is a transparent proxy, if you are using a proxying firewall.
  - Deploy BES01 into the FrontNet segment only if the transparent NAT or HTTPS proxy is not available from the BackNet. In such a case, configure the firewall to block all FrontNet traffic, except the outgoing traffic on port 3101.

Preparing Node for BES

1 Configure the server as an IIS Web server. Install the IIS snap-in. Refer to Installing IIS (on page 140).
2 Change the computer name (for example, BES01). Refer to the related topic (on page 374).
3 Make BES01 a member of your domain. For this purpose, follow the steps of the related topic (on page 375) (replacing the server name where necessary). Restart the computer when prompted.
4 Install Microsoft Exchange 2003 System Management Tools on the server. Refer to Installing Microsoft Exchange System Management Tools (on page 102).
5 Make sure that external domain names can be resolved from the server.

Installing IIS (for Windows Server 2003)

Install IIS on the host. To install IIS, follow these steps:

1 Insert the CD with the IIS distribution package.
2 Go to Start > Control Panel > Add or Remove Programs.
3 Click Add/Remove Windows Components. The Windows Components Wizard starts.
4 On the Windows Components page, select the Application Server checkbox and click on the Details button.
5 In the opened Application Server dialog box, select the Internet Information Services (IIS) checkbox.
6 Click on the Details button.
7 Select the following checkboxes:
  - File Transfer Protocol (FTP) Service
  - SMTP Service
  - World Wide Web Service
  Click OK.
8 Click OK. The Windows Components page reopens.
9 On the Windows Components page, click Next. Wait until the components are configured.
10 On the Wizard final page, click Finish.

Configuring Proxy Server

Configure your proxy server in the following way:

1 Configure the corporate firewall or proxy so that BES can initiate and maintain an outbound connection with BlackBerry Infrastructure over TCP port 3101.
2 Make your proxy server transparent (if you use a proxy firewall).

Deploying Microsoft SQL Server for BlackBerry Configuration Database

Install one of the following database programs on the computer where you plan to run the BlackBerry Configuration Database (BESSQL01 or BES01):
  - Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
  - Microsoft SQL Server 2000 SP4
  - Microsoft SQL Server 2005 (Professional, Enterprise, or Express)

Note: If you are installing BlackBerry MDS Services, you cannot use Microsoft SQL Server 2005 Express as your database program.

MSDE 2000 is installed during the BES installation if you select this option on the MSDE Option page of the BES installer.

Microsoft SQL Server installation notes
  - Use the default case-insensitive collation setting.
  - BlackBerry Configuration Database can be installed on a non-default instance. During the installation process, you can specify <servername>\<instancename>.
  - Use Windows authentication between the BES and the BlackBerry Configuration Database. For this purpose, you need to set the Microsoft SQL Server to run under the Local System account.
  - If the BlackBerry Configuration Database is on a remote computer or if you want to use a remote BlackBerry Manager, you need to enable named pipes and TCP/IP network protocols on BESSQL01 using SQL Server Network Utility.

BlackBerry Enterprise Server Pre-Installation Steps

Creating BlackBerry Service Account

1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 Open Microsoft Exchange > Active Directory Users and Computers.
3 In the Active Directory Users and Computers dialog box, expand the node that is named as your domain. Then right-click Users, point to New, and then click User.
4 In the New Object - User dialog box, type the user name "BESAdmin" in the First name and User logon name fields, and then click Next.
5 Click to clear the User must change password at next logon check box.
6 Type the password in the Password field. Retype the password in the Confirm password field.
7 Select the Password never expires check box.
8 Click Next.
9 Click Finish.
10 Make sure that the newly created user (BESAdmin) is a member of the Domain Users group.
11 Right-click on the BESAdmin user, and then click Add to a group.
12 Enter AllUsers@Hosting. Click Check Names. Click OK.

Configuring Permissions for BES Service Account

1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 Run the following command:
  adsiedit.msc
3 Expand the node named as your domain, right-click the Users container, and then select Properties.
4 Open the Security tab. Click on the Advanced button.
5 Click Add. Enter BESAdmin or the name you have chosen for this account. Click Check Names.
6 Select the BESAdmin domain account and grant the following permissions:
  - List Contents
  - Read All Properties
7 Select This object and all child objects in the Apply Onto drop-down list. Click OK.
8 Click Add. Enter BESAdmin or the name you have chosen for this account. Click Check Names.
9 Select the BESAdmin domain account and grant the List object permission.
10 Select This object only in the Apply Onto drop-down list.
11 Close the opened windows.

Preparing Computer for Installation of BlackBerry Enterprise Server

1 Log on to the computer using an account that is a member of the Domain Administrators group.
2 From the Start Menu, go to Start > Programs > Administrative Tools > Local Security Policy.
3 In the console tree, double-click Local Policies, and then click User Rights Assignments.
4 In the details pane, double-click Log on as service.
5 Click Add User or Group, and then add the BlackBerry service account (BESAdmin) to the list of accounts that have the Log on as service right. Click OK.
6 In the details pane, double-click Allow log on locally.
7 Click Add User or Group, and then add the BESAdmin account to the list of accounts that have the Allow log on locally right. Click OK.
8 From the Start Menu, go to Start > Programs > Administrative Tools > Computer Management.
9 In the console tree, double-click Local Users and Groups, and then click Groups.
10 Double-click the Administrators group.
11 Click Add, and then add the BESAdmin account to the list of Members. Click OK.

Configuring MS SQL Permissions for BES Service Account

Important: You need to perform these steps only for the Large Scale deployment scheme.

1 Log on to BESSQL01 using an account that is a member of the Domain Administrators group.
2 Open Microsoft SQL Server > Enterprise Manager.
3 Expand Microsoft SQL Server > SQL Server Group, and double-click BESSQL01.
4 Double-click Security. Right-click the Logins object and select New Login.
5 Enter DOM\BESAdmin into the Name field.
6 Open the Server Roles tab. Select the System Administrators role.
7 Click OK.

Note: This instruction is applicable for MS SQL

Configuring Default Global Address List

1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 Start Microsoft Exchange > Exchange System Manager.
3 Browse to Recipients, expand All Global Address Lists, right-click Default Global Address List, and then click Properties.
4 Open the Security tab, click Advanced.
5 Click on the Add button, and add the BESAdmin domain account.
6 Select the BESAdmin domain account and grant the following permissions:
  - Read
  - Execute
  - Read permissions
  - List contents
  - Read properties
  - Open Address List
7 Select This Object Only in the Apply Onto drop-down list.
8 Close the opened windows.

Configuring Exchange Permissions for BlackBerry Service Account

Note: You need to perform this step only once. Skip the step if you have already performed it.

1 Log on to MPS01.
2 Make sure that Exchange System Manager is installed on the host. Make the Security tab available in Exchange System Manager, since the Security tab is necessary for setting Exchange permissions.
3 Create the new file ex_show_security_page.reg.
4 Copy the following text and paste it into ex_show_security_page.reg:

  REGEDIT4

  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Exchange\EXAdmin]
  "ShowSecurityPage"=dword:1

5 Save the file and execute it from the Explorer to apply registry changes.
6 Start Exchange System Manager.
7 Right-click the Organization (Root) object and select Properties.
8 Open the Security tab.
9 On the Security tab, click on the Add button. The Select Users, Computers, or Groups dialog box opens.
10 In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select field, enter the name of the BlackBerry service account (BESAdmin). Click Check Names. Click OK.
11 On the Security tab, in the Group or user names list, select the BESAdmin domain account. Grant the following permissions to BESAdmin:
  - Administer information store
  - Receive as
  - Send as
  Make sure that no security permissions for the BESAdmin account are set to Deny.
  Note: By default, the granted permissions will be applied to all the sub-containers of the account. Do not change this setting.
12 Right-click the Organization (Root) object and select Delegate Control. Click Next.
13 Click on the Add button.
14 In the Delegate Control dialog box, click Browse.
15 Enter BESAdmin or the name you have chosen for this account. Click Check Names. Click OK.
16 Select Exchange View Only Administrator in the Role combo box. Click OK.
17 Click Next. Click Finish.

Creating Exchange Mailbox

1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > Active Directory Users and Computers.
3 In the Active Directory Users and Computers dialog box, expand the node that is named as your domain. Then expand the Users container.
4 Right-click the BESAdmin account, point to Exchange Tasks.
5 Double-click Create Mailbox. Select EXBE01 in the Server drop-down list. Click Next to continue.
6 Click Finish.

Configuring Primary Address of BESAdmin Mailbox

1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > Active Directory Users and Computers.
3 In the console tree, expand the node that is named as your domain, and then click on Users.
4 In the details pane, double-click the BESAdmin user.
5 Open the Addresses tab. Click on the New button.
6 Select SMTP Address in the address type list box. Click OK.
7 Enter the [email protected].
8 Close the opened windows.

Configuring showinaddressbook Attribute

1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 Run the following command:
  adsiedit.msc
3 Expand the node named as your domain, and then expand the Users container.
4 Right-click BESAdmin, and then click Properties.
5 In the Attributes list box, find and double-click the showinaddressbook property.
6 Into the Value to add field, enter the following:
  CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=<HostedExchange>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DOM>,DC=<local>
7 Click on the Add button.
8 Click OK.

Installing BlackBerry Enterprise Server Software

1 Log on to the computer using the BESAdmin account.
2 Run setup.exe from your BES distribution folder. The Installation Wizard starts.
3 Follow the Wizard steps. During the installation process, add the BES to a BlackBerry Domain by specifying the shared BlackBerry Configuration Database (BESSQL01 or BES01). On the Installation Info/Log File Folder Wizard page, specify the folder for BES log files (for example, E:\BESLogs) if you use the Large Scale deployment scheme. For the Consolidated deployment scheme, you can leave the default value in this field.
4 When prompted to restart the computer, click Yes.
5 Log in using the same account that you used for the setup program.
6 After the reboot, the BlackBerry Enterprise Server Installation Wizard restarts automatically. If the automatic restart does not happen for some reason, run setup.exe manually from your BES distribution folder.
7 Complete the instructions.

Installing Recent Service Packs and Hot Fixes
If you want to renew the version of your BES installation, follow these steps:
1 Download Service Pack 2 Hot Fix #1 from F96369AB93E4F3BB068C22&dl=74A73317EB59A4397C919A1E D.
2 Install the Service Pack on BES01.
3 Open the website
4 In the website, in the combo box, select your current version of the BES software. Click Next. The list of available software for the selected BES software opens.
5 In the list, find the required update or hot fix, and click on the Download link.
6 Run the downloaded file on your BES installation, and follow the upgrade/hotfix instructions from the downloaded installer.

Installing BlackBerry Enterprise Server Resource Kit
BlackBerry Enterprise Server Resource Kit is required for provisioning of BlackBerry Enterprise Servers via MPF BlackBerry Provider. It also contains BlackBerry API tools: BESUserAdminService and BESUserAdminClient.

Installing BESUserAdminService
1 Log on to BESSQL01 or BES01 (depending on the deployment scheme) using the BESAdmin account.
2 From the BES distribution folder, run the following:
    .\tools\iemstest.exe
3 Click New. Click Next.
4 Type BESAdmin in the Profile Name field. Click Next.
5 Enter the Exchange Back-End server name (EXBE01) in the Microsoft Exchange server field.
6 Enter the BESAdmin mailbox name. Click Next. Click Next.
7 Click Finish. Click OK.
8 If you see the contents of the Global Address List in the left pane, it means that the MAPI profile is properly configured. Click OK.
9 Download the archived brk<version>.exe from the BES Resource Kit distribution folder to the computer on which you plan to run the BESUserAdminService.
10 Double-click the downloaded brk<version>.exe.
11 In the Unzip to folder field, enter the folder from which you plan to run the BESUserAdminService (for example, C:\BESResKit).
12 Click Unzip.
13 In the command prompt, switch to the folder in which the BESUserAdminService.exe file resides (C:\BESResKit).
14 Run the following command:
    BESUserAdminService -install exchange
15 Fill out the following interactive installation survey:
   a Do you want the service to run automatically on startup? (Y/N): Type Y to start the service automatically.
   b Enter the domain\user account the service should log in as: Type DOM\BESAdmin.
   c Enter the password for this account: Type the password for the BESAdmin account.
   d If you are installing BESUserAdminService on BES01 host, the installing tool determines the BlackBerry Configuration Database settings automatically, and you will see the following message:

     Found BlackBerry Manager settings: DB Server: <BES Configuration Database host name>, DB Name: <BES Configuration Database name> (BESMgmt by default).
     If you are installing BESUserAdminService on SQL01, you will see additional survey for filling the Database server properties:
     1. Please enter the SQL server name: Type the host name where Microsoft SQL is located (DOM\SQL01).
     2. Please enter the Database Name: Type the BlackBerry Configuration Database name (BESMgmt by default).
   e Would you like to use SQL Authentication? (Y/N): Type N.
   f Enter the client password besuseradminclients will use to connect to the service: Type the password for accessing BESUserAdminService.
   g Retype the client password to confirm: Retype the password determined at the previous step.
   h To restrict the hosts allowed to run besuseradminclient, enter a comma-seperated list of valid hostnames: Press ENTER.
   i Enter the name of the MAPI Profile to connect to the besadmin mailbox: Type BESAdmin.
   j Do you want to restrict access to the service to clients that run as the same user as the service? (Y/N): Type N.
16 In the Services management console, locate the BlackBerry User Administration Service service, and then click on the Start button. Close the dialog.

Installing BESUserAdminClient
1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 Download the archived brk<version>.exe from the BES Resource Kit distribution folder to MPS01.
3 Double-click the downloaded brk<version>.exe.
4 In the Unzip to folder field, enter the folder from which you plan to run the BESUserAdminService (for example, C:\BESResKit).
5 Click Unzip.
6 In the command prompt, switch to the folder in which the BESUserAdminService.exe file resides (C:\BESResKit). Run the following command:
    cd c:\besreskit
7 Copy the following files into the folder where POA MPS Providers are installed (by default, C:\Program Files\SWsoft\POA\MPF Providers):
    BESUserAdminClient.exe
    CE.dll

Adding MPFServiceAcct Account to BES Security Subsystem
1 Log on to a BES host (BES01) using the BESAdmin account.
2 Run the BES Management console. The following message appears: Profile BlackBerry Manager doesn't exist
3 Click OK in the message box. The MAPI profile dialog appears.
4 In this dialog, enter the NetBIOS name of the Exchange Mailbox Server (EXBE01).
5 The Mailbox field contains the BESAdmin user name by default (if it doesn't, enter the BESAdmin user name). Click Check Name. Click OK.
6 Click on the BlackBerry Domain tree node in the left pane.
7 Open the Role Administration tab.
8 Select the rim_db_admin_security role.
9 Click the Add Administrators hyperlink.
10 Enter DOM\MPFServiceAcct.
11 Click OK.

Testing BlackBerry Service Account
To check that the BESAdmin account works properly, try to log on to the BESAdmin mailbox via OWA or Outlook. If you manage to log in, the account works properly.

Registering BlackBerry Enterprise Servers in POA
Install POA Agent on BES servers according to the instructions in Installing POA on Windows Node (on page 383).

Installing POA Packages
Note: Make sure that MPFCustomProviders (version or later) is installed on MPS01.
Install the package BlackBerry (version or later) on each of your BES nodes. Set the following package properties:

Property: Description
exchange.bes.host.capacity: Maximum number of BlackBerry accounts the server can handle.
exchange.bes.host.capacity.warning: Number of BlackBerry accounts which will generate warning.
exchange.bes.admin.password: Password for BlackBerry Admin Service (BESUserAdminService) access.
exchange.bes.update.interval.minutes: Interval (in minutes) between account information updates.
exchange.bes.max.accounts.per.task: Maximum number of accounts to process by one periodic task.
exchange.bes.admin.host: Hostname of server where BlackBerry Admin Service (BESUserAdminService) runs (in our example, it may be SQL01 or BES01 depending on deployment scheme).
exchange.bes.default.policy.name: Name of existing BlackBerry IT policy. This name will be used by default for all devices. Empty value means "Default policy".

Importing Existing BlackBerry Accounts into POA
With POA, you can import existing BlackBerry accounts which were provisioned manually. For this purpose, perform the following steps:

On Linux MN:
1. Log on to the MN.
2. Set up the environment using the following command:
    . $PLESK_ROOT/bin/setenv.sh
3. Run Exchange_ctl on the MN in the following format:
    $PLESK_ROOT/bin/Exchange_ctl -f $PLESK_ROOT/etc/pleskd.props importbesaccounts <host_id>

On Windows MN:
1. Log on to the MN.
2. Go to the folder where POA is installed (C:\POA).
3. Go to the directory where POA binaries are located:
    cd bin
4. Run Exchange_ctl on the MN in the following format:
    Exchange_ctl -f "<full_path_to_poa>\etc\pleskd.props" importbesaccounts <host_id>

In the above commands, specify values for the following parameters:
<host_id> is the POA ID of the host on which BlackBerry service is installed.
<full_path_to_poa> is the full path to the POA installation folder (for example, c:\poa).

For example:
    $PLESK_ROOT/bin/Exchange_ctl -f $PLESK_ROOT/etc/pleskd.props importbesaccounts 5

Deploying Good Messaging Server for Microsoft Exchange 2003

Overview
There are two deployment scenarios for provisioning Good components in POA:
Large Scale Deployment. This scenario is appropriate for high volume deployment schemes where thousands of Good accounts will be provisioned on multiple servers.

Consolidated Deployment scheme. This scenario is appropriate for providers who want to start offering Good Messaging to a limited number of users and with minimal investments.

The following diagram shows both variants of deployment:
Figure 64: Deployment Scenarios for Good Messaging System

On this diagram:
GOOD01 - sample name of the Good Messaging Server (GMS).
MPS01 - sample name of the Microsoft Provisioning System Engine server

Components: Good Messaging Server, Good Management Server, Good API, Good Management Console, Parallels MPS Provider for GMS.
Large Scale Deployment: GOOD01, GOOD02, - dedicated Good servers.
Consolidated Deployment: GOOD01 - consolidated Good server.
MPS01 - provisioning server (running Microsoft Provisioning System).

Good messaging service is provisioned via Good API. Good API tools (set of command-line tools) are a part of Good Management Console.

System Requirements
For a Good Messaging server, you need a computer that meets the following requirements:

Server Names: GOOD
Description: Good Messaging Server. Runs Good Messaging services, stores Good accounts information.
Density: 600 Good accounts (See details at
Quantity: To be calculated based on the projected number of Good accounts and the density above.
OS: Windows Server 2003 (R2) Standard Edition SP2 (x86); Windows Server 2008 Standard Edition (x86) or higher edition
Software: To be installed by the Customer: OS. To be installed by Parallels: Good Mobile Messaging for Microsoft Exchange (Hosted Edition recommended) (Distribution to be provided by the Customer)
Supported Virtualization: Not supported
CPU: 2 core (3GHz or higher)
RAM: 4GB
Disks: Array 1: OS, software, GMS Logs, GMS Cache - 2 x 72 GB, SCSI RAID 1
Disk Partitioning: Array 1: C: 20GB - OS and Software; E:\GMSLogs - 10GB - GMS Logs; F:\GMSCache - 40GB - GMS Cache
NICs: BackNet

Networks Requirements
There are the following network requirements:
Deploy GOOD01 in BackNet segment.
Verify that you have configured the corporate firewall or proxy to permit the GMS to initiate and maintain an outbound connection to the Internet on TCP port 443 (secure https) to connect to the Good Operations Center.
Verify that external domain names can be resolved from GOOD01.
Verify that the proxy server is a transparent proxy, if you are using a proxying firewall.
Deploy GOOD01 into the FrontNet segment only if the transparent NAT or HTTPS proxy is not available from the BackNet. In such case, configure the firewall to allow FrontNet traffic on port 443.

Preparing Node for GMS
1 Configure the server as an IIS Web server. Install the IIS snap-in. Refer to Installing IIS (on page 140).
2 Change the computer name (for example, GOOD01). Refer to the related topic (on page 374).
3 Make GOOD01 a member of your domain. For this purpose, follow the steps of the related topic (on page 375) (replacing the server name where necessary). Restart the computer when prompted.
4 Install Microsoft Exchange 2003 System Management Tools on the server. Refer to Installing Microsoft Exchange System Management Tools (on page 102).
5 Install Microsoft Exchange SP2 on the server. Refer to Installing First Exchange Mailbox Server (on page 28).
6 Make sure that external domain names can be resolved from the server.

Configuring Proxy Server
Configure your proxy server in the following way:
1 Configure the corporate firewall or proxy so that GMS can initiate and maintain an outbound connection with Good Messaging Infrastructure over TCP port
2 Make your proxy server transparent (if you use proxy firewall).

Good Messaging Server Pre-Installation Steps

Creating GMS Service Account
1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 Go to Start > Programs > Administrative Tools > Microsoft Exchange > Active Directory Users and Computers.
3 In the Active Directory Users and Computers dialog box, expand the node that is named as your domain. Then right-click Users, point to New, and then click User.
4 In the New Object - User dialog box, type the user name ("GoodAdmin") in the First name and User logon name fields, and then click Next.
5 Click to clear the User must change password at next logon check box.
6 Type the password in the Password field. Retype the password in the Confirm password field.
7 Select the Password never expires check box.
8 Click Next.
9 Click Finish.
10 Make sure that the newly created user (GoodAdmin) is a member of the Domain Users group.
11 Right-click the GoodAdmin user, and then click Add to a group.
12 Enter AllUsers@Hosting. Click Check Names. Click OK.

Configuring Permissions for GMS Service Account
1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 Run the following command:
    adsiedit.msc
3 Expand the node named as your domain, right-click the Users container, and then select Properties.
4 Open the Security tab. Click on the Advanced button.
5 Click Add. Enter GoodAdmin or the name you have chosen for this account. Click Check Names.
6 Select the GoodAdmin domain account and grant the following permissions:
    List Contents
    Read All Properties
7 Select This object and all child objects in the Apply Onto drop-down list. Click OK.
8 Click Add. Enter GoodAdmin or the name you have chosen for this account. Click Check Names.
9 Select the GoodAdmin domain account and grant the List object permission.
10 Select This object only in the Apply Onto drop-down list.
11 Close the opened windows.

Preparing Computer for Installation of GMS
1 Log on to the computer using an account that is a member of the Domain Administrators group.
2 From the Start Menu, go to Start > Programs > Administrative Tools > Local Security Policy.
3 In the console tree, double-click Local Policies, and then click User Rights Assignments.
4 In the details pane, double-click Log on as service.
5 Click Add User or Group, and then add the GoodAdmin account to the list of accounts that have the Log on as service right. Click OK.
6 In the details pane, double-click Allow log on locally.
7 Click Add User or Group, and then add the GoodAdmin account to the list of accounts that have the Allow log on locally right. Click OK.
8 In the details pane, double-click Back up files and directories.
9 Click Add User or Group, and then add the GoodAdmin account to the list of accounts that have the Back up files and directories right. Click OK.
10 In the details pane, double-click Restore files and directories.
11 Click Add User or Group, and then add the GoodAdmin account to the list of accounts that have the Restore files and directories right. Click OK.
12 In the details pane, double-click Profile system performance.
13 Click Add User or Group, and then add the GoodAdmin account to the list of accounts that have the Profile system performance right. Click OK.
14 From the Start Menu, go to Start > Programs > Administrative Tools > Computer Management.
15 In the console tree, double-click Local Users and Groups, and then click Groups.
16 Double-click Administrators group.
17 Click Add, and then add GoodAdmin account to the list of Members. Click OK.
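The five user rights assigned in the procedure above can be verified from a policy export produced with `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The following is an added example, not part of the Parallels guide: it parses such an export and reports which of the five rights the service account lacks, which other rights it holds directly, and any deny entries. The identity `DOM\GoodAdmin` and the sample export are constructed for illustration.

```python
"""Audit a secedit USER_RIGHTS export for the GMS service account (added example)."""
import sys

# Rights named in the procedure, keyed by the privilege constants that
# secedit writes in the [Privilege Rights] section of the export.
REQUIRED_RIGHTS = {
    "SeServiceLogonRight": "Log on as service",
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeSystemProfilePrivilege": "Profile system performance",
}

# Constructed sample export; real exports list most principals as SIDs.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,DOM\GoodAdmin
SeInteractiveLogonRight = *S-1-5-32-544,DOM\GoodAdmin
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,DOM\GoodAdmin
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSystemProfilePrivilege = *S-1-5-32-544,DOM\GoodAdmin
SeDebugPrivilege = *S-1-5-32-544,DOM\GoodAdmin
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "privilege rights"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = set()
        for item in value.split(","):
            item = item.strip().lstrip("*")  # secedit prefixes SIDs with '*'
            if item:
                principals.add(item.lower())
        rights[name.strip()] = principals
    return rights


def audit_account(inf_text, identities):
    """Compare the rights held by an account with REQUIRED_RIGHTS.

    identities: every form the account may take in the export
    (for example "DOM\\GoodAdmin" and its SID), matched case-insensitively.
    """
    wanted = {i.lower() for i in identities}
    rights = parse_privilege_rights(inf_text)
    held = {name for name, members in rights.items() if members & wanted}
    # A SeDeny* entry overrides the matching logon right, so report it apart.
    denied = sorted(r for r in held if r.startswith("SeDeny"))
    extra = sorted(held - set(REQUIRED_RIGHTS) - set(denied))
    missing = sorted(set(REQUIRED_RIGHTS) - held)
    return {"missing": missing, "extra": extra, "denied": denied}


if __name__ == "__main__":
    # Usage: audit.py rights.inf "DOM\GoodAdmin" [SID ...]
    # secedit writes the export as UTF-16.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-16") as fh:
            report = audit_account(fh.read(), sys.argv[2:])
    else:
        report = audit_account(SAMPLE_EXPORT, ["DOM\\GoodAdmin"])
    for key, names in report.items():
        print(key + ":", ", ".join(names) or "none")
```

Only direct assignments are matched. Because step 17 also adds the account to the local Administrators group, pass that group's SID (S-1-5-32-544) as an additional identity to see the rights the account inherits through it.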

Configuring Default Global Address List
1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 Start Microsoft Exchange > Exchange System Manager.
3 Browse to Recipients, expand All Global Address Lists, right-click Default Global Address List, and then click Properties.
4 Open the Security tab, click Advanced.
5 Click on the Add button, and add the GoodAdmin domain account.
6 Select the GoodAdmin domain account and grant the following permissions:
    Read
    Execute
    Read permissions
    List contents
    Read properties
    Open Address List
7 Select This Object Only in the Apply Onto drop-down list.
8 Close all opened windows.

Configuring Exchange Permissions for GMS Service Account
Note: You need to perform this step only once. Skip the step if you have already performed it.
1 Log on to MPS01.
2 Make sure that Exchange System Manager is installed on the host. Make the Security tab available in Exchange System Manager since the Security tab is necessary for setting Exchange permissions.
3 Create the new file ex_show_security_page.reg.
4 Copy the following text and paste to ex_show_security_page.reg:
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Exchange\EXAdmin]
    "ShowSecurityPage"=dword:1
5 Save the file and execute it from the Explorer to apply registry changes.
6 Start Exchange System Manager.
7 Right-click the Organization (Root) object and select Properties.
8 Open the Security tab.
9 Click Add.
10 Enter GoodAdmin. Click Check Names.
11 Select the GoodAdmin domain account and grant the following permissions:
    Read
    Execute
    Read permissions
    List contents
    Read properties
    Read metabase properties
    Administer information store
    Create named properties in the information store
    View information store status
    Receive as
    Send as
12 Make sure that no security permissions for the GoodAdmin account are set to Deny.
13 Click OK.
Note: By default these permissions will be applied to all sub-containers. Do not change this setting.
14 Right-click the Organization (Root) object and select Delegate Control. Click Next.

15 Click on the Add button.
16 In the Delegate Control dialog box, click Browse.
17 Enter GoodAdmin. Click Check Names. Click OK.
18 Select Exchange View Only Administrator in the Role combo box. Click OK.
19 Click Next. Click Finish.
20 Assign the additional Send As permission to all domains and Organizational Units which you want to make Good-enabled:
   a Run dsa.msc. In the opened snap-in, expand your domain.
   b Right-click your Hosting Organization Unit.
   c In the opened menu, select Properties.
   d Open the Security tab.
   e Click Advanced.
   f Click Add, and enter "GoodAdmin", then click Check Names to resolve the name.
   g In the opened dialog, in the Apply onto field, select User objects.
   h In the Permissions list, check the Send As permission in the Allow column.
   i Click OK three times to apply the changes, and execute the following command to restart the Good Server:
    net stop "GoodLink Server" && net start "GoodLink Server"

Creating Exchange Mailbox
1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > Active Directory Users and Computers.
3 In the Active Directory Users and Computers dialog box, expand the node that is named as your domain. Then expand the Users container.
4 Right-click the GoodAdmin account, point to Exchange Tasks.
5 Double-click Create Mailbox. Select EXBE01 in the Server drop-down list. Click Next to continue.
6 Click Finish.

Configuring Primary Address of GoodAdmin Mailbox
1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 From the Start Menu, go to Start > Programs > Microsoft Exchange > Active Directory Users and Computers.
3 In the console tree, expand the node that is named as your domain, and then click Users.
4 In the details pane, double-click the GoodAdmin user.
5 Open the Addresses tab. Click on the New button.
6 Select SMTP Address in the address type list box. Click OK.
7 Enter the GoodAdmin@DOM.
8 Close the opened windows.

Configuring showinaddressbook Attribute
1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 Run the following command:
    adsiedit.msc
3 Expand the node named as your domain, and then expand the Users container.
4 Right-click GoodAdmin, and then click Properties.
5 In the Attributes list box, find and double-click the showinaddressbook property.
6 Into the Value to add field, enter the following:
    CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=<HostedExchange>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DOM>,DC=<local>
7 Click on the Add button.
8 Click OK.

Installing GMS Server Software

Installing Good Messaging Server and Good Management Server Software
1 Log on to GOOD01 using the GoodAdmin account.
2 Make sure that Microsoft Exchange 2003 System Management Tools is installed on GOOD01.
3 Run setup.exe from your Good distribution folder.
4 Click Add/Remove for Good Messaging Server.
5 Follow the instructions on the screen.
6 On the Choose Log Directory Installer page, specify the folder for GMS log files (for example, E:\GMSLogs).
7 On the Choose Cache Directory Installer page, specify the folder for GMS cache directory (for example, F:\GMSCache).
8 Click Add/Remove for Good Management Server.
9 Follow the instructions on the screen.

Installing Good Management Console Software
1 Log on to MPS01 using an account that is a member of the Domain Administrators group.
2 Run setup.exe from your Good distribution folder.
3 Click Add/Remove for Good Management Console.
4 Follow the instructions on the screen.

Adding MPFServiceAcct Account to GMS
1 Log on to a GMS host (GOOD01) using the GoodAdmin account.
2 Run Programs > Good Management console.
3 Right-click the Roles tree node in the left pane, and select New Role.
4 On the General tab, in the Name field, type MPFServiceRole.
5 Open the Rights tab, and click to select the Administrator check box.
6 Click on Members tab. Click Add.
7 In the Select user or group from the list dialog box, enter DOM\MPFServiceAcct, and click OK.
8 Click OK.

Testing GMS Service Account
To check that the GoodAdmin account works properly, try to log on to the GoodAdmin mailbox via OWA or Outlook. If you manage to log in, the account works properly.

Registering GMS Servers in POA
Install POA Agent on GMS servers according to the instructions in Installing POA on Windows Node (on page 383).

Installing POA Packages
Note: Make sure that MPFCustomProviders (version 1.69 or later) is installed on your MPS server (MPS01).
Install the package GoodMobile (version or later) on each of your GMS nodes. Set the following package properties:

Property: Description
exchange.gms.host.capacity: Maximum number of Good Messaging accounts the server can handle.
exchange.gms.host.capacity.warning: Number of Good Messaging accounts which will generate warning.
exchange.gms.update.interval.minutes: Interval (in minutes) between account information updates.

exchange.gms.max.accounts.per.task: Maximum number of accounts to process by one periodic task.
exchange.gms.admin.host: Hostname of server where Good Management Server runs (GOOD01).
exchange.gms.default.policy.name: Name of existing Good policy group that will be used by default for all accounts. Every new user will be automatically added as a member of this group. If the default group is not specified or does not exist, the user's policy will be inherited from the All Users group. Case must match that displayed in the Good Management Console.
exchange.gms.default.software.name: Name of existing Good software group that will be used by default for all accounts. Every new user will be automatically added as a member of this group. If the default group is not specified or does not exist, the user's software policies will be inherited from the All Users group. Case must match that displayed in the Good Management Console.
exchange.gms.default.group.name: Name of existing Good group that will be used by default for all accounts. If the default group is not specified, or does not exist, or is empty, a warning will be logged on GMS node (GOOD01), and the property will be ignored. Case must match that displayed in the Good Management Console.

Important: If you enter a custom GMS server name during the installation of Good Messaging service, and if this name differs from the host NetBIOS name, you should manually change the netbios_name field in the DB table exch_gms_servers.

Importing Existing GMS Accounts into POA
With POA, you can import existing Good Mobile accounts which were provisioned manually. For this purpose, perform the following steps:

On Linux MN:
1. Log on to the MN.
2. Set up the environment using the following command:
    . $PLESK_ROOT/bin/setenv.sh
3. Run Exchange_ctl on the MN in the following format:
    $PLESK_ROOT/bin/Exchange_ctl -f $PLESK_ROOT/etc/pleskd.props importgoodaccounts <host_id>

On Windows MN:
1. Log on to the MN.
2. Go to the folder where POA is installed (C:\POA).
3. Go to the directory where POA binaries are located:
    cd bin
4. Run Exchange_ctl on the MN in the following format:
    Exchange_ctl -f "<full_path_to_poa>\etc\pleskd.props" importgoodaccounts <host_id>

In the above commands, specify values for the following parameters:
<host_id> is the POA ID of the host on which GoodMobile service is installed.
<full_path_to_poa> is the full path to the POA installation folder (for example, c:\poa).

For example:
    $PLESK_ROOT/bin/Exchange_ctl -f $PLESK_ROOT/etc/pleskd.props importgoodaccounts 5

CHAPTER 4
Deploying Postini Security Service

Postini Security is a global online service providing real-time spam and virus filtering, attack blocking, and traffic monitoring. This service is intended for preprocessing e-mails before they reach the recipient's mail server. The traffic is redirected through Postini's global data centers, which are reached by modifying MX records in the DNS zone. After e-mail is processed, the Postini server directs it back to the recipient's mail server.

You can deploy Postini Security Service to Parallels Operations Automation and provide your customers with this service. To do so, you need to install the respective Postini Security Service packages and register a Postini account.

In This Chapter
Installing Postini Security Service
Registering Postini Account in POA

Installing Postini Security Service
To install Postini Security service, perform the following steps:
1 Install the postini package (type: sc) on POA MN.
2 Install the postini package (type: cp) on all your UI servers.
Note: For detailed instructions on installing POA packages, refer to the Installing PPM Packages section (on page 404).

Registering Postini Account in POA
To register a Postini account in POA, you have to register the credentials corresponding to your account on the Postini server, thus allowing the system to provision and manage Postini Security service. To register a Postini account in POA, follow these steps:
1 Go to Top > Service Director > Postini Security. The Setup tab opens:
Figure 65: Registering Postini Account
2 Click on the Register link and enter Postini account credentials: the login and the password.
3 Click Submit.
As a result, the Postini account is registered in POA.

CHAPTER 5
Exchange 2003 to Exchange 2007 Transition

This chapter describes the process of transitioning from Exchange 2003 and HMC 3.5 to Exchange 2007 and HMC 4.0 in a Hosted Exchange environment provisioned and managed by Parallels Operations Automation.

In This Chapter
Overview
Transition Procedure

Overview
The transition procedure implements the so-called co-existence scenario. It means that Exchange 2007 and HMC 4.0 are deployed into the same Active Directory domain as Exchange 2003 and HMC 3.5. Both Exchange 2003 and Exchange 2007 function at the same time, and hosted organizations move from Exchange 2003 to Exchange 2007 gradually.

The co-existence scenario is designed for Parallels Operations Automation customers who:
Use HMC 3.5 with Exchange
Want to migrate to HMC 4.0 and Exchange
Need to migrate existing Exchange 2003 users to Exchange 2007 with minimal impacts.

Note: If you do not have Exchange 2003 deployed and are looking to upgrade your HMC 3.5 to HMC 4.0, you may use the simplified procedure described in the POA Windows Hosting Infrastructure Deployment Guide.

The advantages of the co-existence transition scenario are the following:
There is no need to deploy an additional Active Directory forest. In the co-existence scenario HMC 4.0 and HMC 3.5 share the same Active Directory forest.
Provider is able to sell both Exchange 2003 and Exchange 2007 mailboxes at the same time.
Provider/reseller is able to gradually transfer existing Exchange 2003 Subscriptions to Exchange
During the transition, all existing Exchange objects (mailboxes, distribution lists, contacts, public folders, AL, GAL, OAB) are moved from Exchange 2003 servers to Exchange 2007 servers. This process is handled by Parallels Operations Automation and performed automatically.
There is minimal downtime of Exchange services and mailbox access for mailbox users, up to zero downtime depending on the current deployment scheme.
Transition does not require actions/changes from mailbox users - no reconfiguration of clients (working via OWA, Exchange, ActiveSync protocols), no logins and URLs changes. The only setting that changes is for end-users working via POP3/SMTP or IMAP/SMTP: the outgoing SMTP server address and authorization.
Additional mailbox services like BlackBerry, Good Mobile and Postini stay on the same servers and continue to function correctly after transition.

Transition Procedure
This section provides a step-by-step transition procedure for the co-existence scenario. The following check-list provides an overview of the transition phases described below.

# Description
1 Deploying New Hardware (see page 175)
2 Deploying Hosted Messaging and Collaboration 4.0 Server (see page 175)
3 Deploying and Configuring Exchange 2007 Servers (see page 179)

4 Updating Exchange 2003 Servers (see page 180)
5 Registering and Configuring New MPS and Exchange 2007 Nodes (see page 181)
6 Switching Provisioning from HMC 3.5 to HMC 4.0 (see page 181)
7 Moving / Upgrading System Objects (see page 183)
8 Switching Client Access and SMTP Traffic to Exchange 2007 Servers (see page 183)
9 Migrating Exchange Subscriptions using POA (see page 184)
10 Removing HMC 3.5 and Exchange 2003 Servers from the Organization (see page 187)

The diagram below shows the required initial state and the transition of one Subscription:

One-time operations:
Replace EXFE by EXCAS servers (one-by-one if NLB or change on Firewall if NAT)
Upgrade ExchangeUsers group to universal group
Switch all AD servers to use HMC 4.0 provisioning engine
Register new servers in POA
Install MPFProviders, Exchange2007Mailbox, Exchange2007SMTP, Exchange2007SMTPAuth, Exchange2007OAB services
Check that Edge accepts mail on domain serving by Exchange 2003

One Subscription migration operation:
Re-select servers for Exchange 2007 using new resource attributes (provide)
Rename and move AL, GAL and OAB
Upgrade all distribution lists and all Exchange users list to universal security groups
Move all mailboxes
Change OWA URL and display SMTPAuth information
Add Autodiscover A-record
Re-set msexchquerybasedn attribute on mailboxes (point to AL)

Deploying New Hardware
HMC 3.5 and Exchange 2003 servers should not be removed until the transition process is finished. Therefore you should prepare new servers for HMC 4.0 (MPS) and for Exchange. Exchange 2007 requires 64-bit hardware and 64-bit version of Windows 2003 Server. You cannot reuse the old 32-bit hardware for Exchange. But if the hardware used for Exchange 2003 allows you to install 64-bit version of Windows 2003 Server, then potentially this hardware can be reused. Refer to the POA Windows Hosting Infrastructure Deployment Guide for HMC 4.0 hardware requirements and to the Deploying Hosted Exchange 2007 chapter (on page 189) of this guide for Exchange 2007 hardware requirements.

Deploying Hosted Messaging and Collaboration 4.0 Server
The HMC 4.0 should be deployed on the dedicated server. Since HMC 4.0 does not support SQL Server 2000, the new SQL Server 2005 should be deployed first. To deploy HMC 4.0 in Active Directory domain with already deployed HMC 3.5, the MPS configuration in Active Directory should be updated before HMC 4.0 installation.

Preparing MPS Server
1 Install the IIS Manager snap-in component, including Microsoft FrontPage 2002 Server Extensions, Network DTC, and Network COM+ Access. Follow the instructions at Installing IIS (on page 140).
2 Install Microsoft .NET Framework
3 Configure the Network Interfaces of the node. Refer to the related topic (on page 372).
4 Install Windows Server 2003 SP2.
5 Change the computer name (for example, MPS01). Refer to the related topic (on page 374).
6 Make MPS01 a member of your domain. For this purpose, follow the steps of the related topic (on page 375) (replacing the server name where necessary). Restart the computer when prompted.
7 Check if administrative share is enabled on MPS01. Go to Start > Settings > Control Panel > Administrative Tools > Computer Management > Shared Folders > Shares. Administrative shares are those having the "$" sign at the end of the name. If you don't see such shares, enable the administrative share on MPS01 in the following way:
   a Go to Start > Run...
   b Type cmd. The command line interface opens.
   c Type regedit and press Enter.

   d. Go to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > LanManServer > Parameters.
   e. Right-click on the AutoShareServer.
   f. Click Modify.
   g. In the Value data area, enter 1.
   You can find the details on what is an administrative share and how it can be disabled at ork/disablewindowsntw2kxphiddenadministrativeshares.html.
8. Enable DHCP Client Service on the node (on page 376).
9. Perform DNS registration of the node (on page 378).
10. Ensure that the inbound and outbound DTC accesses are enabled on MPS01:
   a. From the Start Menu, go to Start > All Programs > Administrative Tools > Component Services.
   b. Expand Component Services, and then expand Computers.
   c. Right-click My Computer, and then select Properties.
   d. Open the MSDTC tab.
   e. Click Security Configuration.
   f. Make sure that Network DTC Access is selected. Then, in the Transaction Manager Communication section, make sure that the Allow Inbound and Allow Outbound options are selected. Leave all other options as default. Click OK to save the settings. Click Yes if you are prompted to restart the service.

Installing SQL Server 2005

Install SQL Server 2005 following the instructions from POA Windows Hosting Infrastructure Deployment Guide:

1. Installing SQL Server 2005 (Deploying MPS Server for HMC 4.0/4.5 > Installing SQL Server 2005),
2. Installing SQL Server 2005 Service Pack 1 (Deploying MPS Server for HMC 4.0/4.5 > Installing SQL Server 2005 Service Pack),
3. Configuring MPS Security (Deploying MPS Server for HMC 4.0/4.5 > Configuring MPS Security).

Note: If the MPSSQLService account was already created for HMC 3.5 installation, use this account as the Microsoft SQL Server service account during SQL Server installation.

Preparing Active Directory

Before installing HMC 4.0 Deployment Tools, Active Directory should be prepared for installation of MPS with another version.

Important: After performing this procedure, you should not run the HMC 3.5 Deployment Tool unless you use the DTMU.EXE utility to restore control to the HMC 3.5 Deployment Tool. Run DTMU.EXE -h for utility help.

To prepare Active Directory:

1. Log on to the HMC 4.0 Provisioning Engine server and install the DTMU.MSI from the Hosted Messaging and Collaboration Migration Toolkit media \Service Provisioning\DTMU directory.
2. From a command prompt, switch to C:\Program Files\Microsoft Provisioning\DTMU, and then run the following command:

   DTMU.EXE -PrepareAD

   You will see the following message:

   Prepare AD operation completed successfully

Resetting MPFServiceAcct Password in the HMC 3.5

It is necessary to reset the MPFServiceAcct account password to a specified password in order to install the HMC 4.0 MPS components. In the next step you will configure the HMC 4.0 Deployment Tool to use this password when installing the HMC 4.0 MPS components.

To reset the MPFServiceAcct password, perform the following steps:

1. From a command prompt, switch to C:\Program Files\Microsoft Provisioning\DTMU and run the following command:

   DTMU.EXE -ResetPW -ConfigDB:<ServerName> [-Password:<password>]

   Here <ServerName> is the name of the SQL Server used by the HMC 3.5 MPS server. This database contains the list of MPS servers in the HMC 3.5 environment. If you do not supply the password, you will be prompted for the password.
2. You should see the following messages:

   Reset password in AD successfully.
   Reset password on Engine server... successfully. (Which repeats for each engine server).
   Reset password on Listener server... successfully. (Which repeats for each listener server).

Deploying HMC 4.0

First of all, the HMC 4.0 Deployment Tool should be installed. To install the Deployment Tool, follow instructions from the Installing MPS Deployment Tool section of POA Windows Hosting Infrastructure Deployment Guide (Deploying MPS Server for HMC 4.0/4.5 > Installing MPS Deployment Tool).

Note: If the Select SQL Server dialog box appears, run the Deployment Tool and click Cancel to prevent the deployment tool from detecting HMC 3.5 MPS deployment.

Follow these steps to use the new MPFServiceAcct password:

1. Start MPS Deployment Tool. On the File menu, select Passwords. In the MPS Deployment Tool dialog box, double-click MPFServiceAcct.
2. In the Password for MPFServiceAcct dialog box, select Manually enter the password for this account, and then specify the password.
3. Complete the steps, specify the correct host names and SQL Server 2005 instance.

To complete the HMC 4.0 Deployment, follow the instructions from POA Windows Hosting Infrastructure Deployment Guide:

1. Deploying Core Platform (Deploying MPS Server for HMC 4.0/4.5 > Deploying Core Platform),
2. Replacing IIS Provider by Provider from HMC 3.5 (Deploying MPS Server for HMC 4.0/4.5 > Replacing IIS Provider by Provider from HMC 3.5),
3. Deploying Hosting Platform (Deploying MPS Server for HMC 4.0/4.5 > Deploying Hosting Platform).

Deploying and Configuring Exchange 2007 Servers

The installation process consists of several phases. During each phase you introduce an individual Exchange Server 2007 server role and transport features. After each phase is completed, the organization will function in the 'co-existent' Exchange Server 2007 and Exchange Server 2003 mode.

Exchange Server 2007 server roles should be installed on separate computers in the following order (recommended):

1. Client Access servers
2. Hub Transport servers
3. Mailbox servers
4. Edge Transport servers

Note: If some of the existing Exchange 2003 Front-End servers are deployed into an NLB cluster, then the corresponding new Exchange 2007 servers should be deployed in the same NLB cluster. This allows you to remove the Exchange 2003 servers later without impact on end users.

To install and configure Exchange 2007 servers, follow the instructions given in the Deploying Hosted Exchange 2007 chapter of this guide (on page 189).

During installation of the first Hub Transport role, you should specify the Exchange Server 2003 Simple Mail Transfer Protocol (SMTP) Bridgehead server. Specify this server on the Mail Flow Settings page of the Exchange Server 2007 Setup wizard, or, if you use unattended installation, add the additional command-line parameter:

/LegacyRoutingServer:EXSMTP

Use the name of the existing Exchange Server 2003 server in the HMC 3.5 organization which is already configured as an SMTP Bridgehead. In standard deployment it is referenced as the EXSMTP server. You can find it in POA PCP by locating the host with the installed service/package ExchangeSMTP.

Pay attention to the Address Lists container permissions after installing Exchange 2007 servers (go to the HMC 4.0 MPS node, run MPS Deployment Tool and re-execute the "Configuring Exchange Address List Security" and "Preparing Address List Security" procedures placed under the Hosted Exchange > Exchange Provisioning Configuration node):

CN=Address Lists Container, CN=HostedExchange, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=dev01, DC=local

Updating Exchange 2003 Servers

Install the update (KB922817) on all Exchange 2003 Servers. This update resolves issues which may occur if a server that runs Exchange Server 2003 Service Pack 2 is used to generate an Offline Address List (also known as Offline Address Book) after Exchange Server 2007 has been deployed. For more information about the update for Exchange Server 2003, see the article # at

Reconfiguring Wireless Services

POA supports Blackberry Enterprise Server and Good Messaging Server wireless services. These services are tightly integrated with Microsoft Exchange. Therefore if these services are deployed in the hosted environment, you should migrate them to Exchange 2007 and configure provisioning of the services on a new MPS node.

Reconfiguring Blackberry Enterprise Server

BlackBerry Enterprise Server (BES) should be migrated to Exchange 2007. To migrate BlackBerry Enterprise Server to Exchange 2007, follow these steps:

1. Stop all BlackBerry Enterprise Server services.
   Important: Stopping BlackBerry Enterprise Server services will delay message delivery to BlackBerry smartphones.
2. Move the BES service account (BESAdmin) mailbox from the Exchange 2003 mail store to the Exchange 2007 mail store. Set the required permissions for the BES in Microsoft Exchange 2007. For that, follow the instructions from the Configuring Permissions for BES Service Account section (on page 143).
3. Remove Exchange 2003 Management console from the BlackBerry servers and install Collaboration Data Objects
4. Start all BlackBerry Enterprise Server services.

The new MPS server should also be configured for BlackBerry Enterprise Server provisioning. To configure BES provisioning on the MPS server, follow the instructions given in the Installing BESUserAdminClient Tools section (on page 333).

Reconfiguring Good Messaging Server

Good Messaging Server (GMS) should be migrated to Exchange 2007. To migrate Good Messaging Server to Exchange 2007, do the following:

1. Stop all Good Messaging Server services.

   Important: Stopping Good Mobile services will delay message delivery.
2. Move the GMS service account (GoodAdmin) mailbox from the Exchange 2003 mail store to the Exchange 2007 mail store.
3. Set the required permissions for the GMS in Microsoft Exchange 2007 following the instructions from the Configuring Permissions for GMS Service Account section (on page 342).
4. Start all Good Messaging Server services.

The new MPS server should also be configured for Good Messaging Server provisioning. To configure GMS provisioning on the MPS server, follow the instructions given in the Installing Good Management Console Software section (on page 344).

Registering and Configuring New MPS and Exchange 2007 Nodes

After all Exchange 2007 servers are deployed and configured, these servers should be registered in POA.

To register the new MPS server in POA, install POA Agent (on page 383) and the MPFCustomProviders (type: other) package (on page 404) on MPS01.

To register Exchange 2007 servers in POA, follow instructions from the Deploying Hosted Exchange 2007 chapter > POA-Related Installation Steps section (on page 304).

Exchange 2007 SMTP, Protocols, POP3 and IMAP4 POA services should be deployed into existing NLB clusters with the corresponding Exchange 2003 POA services:

- Exchange2007SMTP service on EXHUB servers with Exchange2003SMTP services on EXSMTP servers;
- Exchange2007Protocols, Exchange2007POP3, Exchange2007IMAP4, Exchange2007SMTPAuth services on CAS servers with appropriate services on Exchange 2003 Front-End servers.

To deploy the service to the existing cluster, specify the following properties for the Exchange 2007 service package: External IP, Domain ID and A record prefix, with the same values as already used for the Exchange 2003 service packages.

After a new Exchange 2007 SMTP Service is deployed onto an existing Exchange 2003 SMTP service cluster, all domains provisioned to this cluster should be dumped to the Exchange 2007 organization as Accepted Domains. This should be performed once for each NLB cluster, on any node: in Provider's Control Panel, go to Top > Deployment Director > Server Manager > Hardware Nodes > HUB host > Applications > Exchange2007SMTP and click on the Restore Service Configuration button.

Switching Provisioning from HMC 3.5 to HMC 4.0

After the HMC 4.0 MPS server is installed, configured and registered in POA, the provisioning of Active Directory and any other services, except Exchange 2003 mailbox services, should be switched from HMC 3.5 to HMC 4.0. This change does not break Exchange or any other service functionality.

When a server receives an MPF request, it transfers it to the MPS node. The MPS node which will be used for processing MPF requests is configured during POA Agent installation.

Important: This operation should be performed on all Service Nodes (including domain controllers) except Exchange 2003 Back-End nodes.

To switch provisioning to the new HMC 4.0 MPS node, you should change the registry value HKEY_LOCAL_MACHINE\SOFTWARE\SWsoft\PEM\remoteEngine to the name (or IP) of the HMC 4.0 MPS node. Make the change by running the following command (do not forget to replace MPS01 by the IP or the name of the HMC 4.0 MPS node):

reg add HKLM\SOFTWARE\SWsoft\PEM /v remoteengine /t REG_SZ /d MPS01 /f

The following reference table describes which actions should be performed on which servers:

| Server Purposing | Reference Server Name | Action to Perform |
|---|---|---|
| Exchange 2003 Front-End Servers | EXFE01 | Nothing. Nodes will be unregistered |
| Exchange 2003 SMTP Servers | EXSMTP01 | Nothing. Nodes will be unregistered |
| Exchange 2003 Back-End Servers | EXBE01 | Leave HMC 3.5 |
| BlackBerry Servers | BES01 | Switch to HMC 4.0 |
| Good Mobile Servers | GOOD01 | Switch to HMC 4.0 |
| Domain Controllers Servers | AD01 | Switch to HMC 4.0 |
| MPS Server for HMC 3.5 | MPS01 | Leave HMC 3.5 |
| SQL Server for HMC 3.5 | MPSSQL01 | Nothing. Not registered in POA |
| SharePoint Servers | WSS01 | Switch to HMC 4.0 |
| IIS Web Servers | WEB01 | Switch to HMC 4.0 |
| SQL Servers for Data Hosting | SQL01 | Switch to HMC 4.0 |
| MSDNS Servers for DNS Hosting | MSDNS01 | Switch to HMC 4.0 |
| Other servers for Windows Shared Hosting | STREAMING01 etc | Switch to HMC 4.0 |
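One way to verify the switch once the reg add command has been run on the nodes, as an added example that is not part of the original guide: it reads remoteEngine over Remote Registry and compares it with the action the reference table prescribes, flagging Exchange 2003 Back-End nodes that were repointed by mistake. It assumes Windows PowerShell 2.0 or later; the function names, the MPS35 engine name and the sample values are constructed for illustration.

```powershell
# Added example (not from the guide): audit the remoteEngine value on POA service nodes.
# Assumption: Windows PowerShell 2.0+; live checks need Remote Registry access to each node.

$Hmc40Engine = 'MPS01'   # same name or IP that was passed to "reg add ... /d"

# Expected action per node, taken from the reference table. Host names are the
# guide's reference names; replace them with your own. Nodes whose action is
# "Nothing" are left out because they are unregistered or not registered in POA.
$Plan = @{
    'EXBE01'  = 'Leave'    # Exchange 2003 Back-End: must stay on HMC 3.5
    'BES01'   = 'Switch'
    'GOOD01'  = 'Switch'
    'AD01'    = 'Switch'
    'WSS01'   = 'Switch'
    'WEB01'   = 'Switch'
    'SQL01'   = 'Switch'
    'MSDNS01' = 'Switch'
}

function Get-RemoteEngine([string]$Computer) {
    # Reads HKLM\SOFTWARE\SWsoft\PEM\remoteEngine from a remote node.
    # Returns $null when the host, the key or the value cannot be read.
    try {
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Computer)
        $key  = $hklm.OpenSubKey('SOFTWARE\SWsoft\PEM')
        if ($key -eq $null) { $hklm.Close(); return $null }
        $value = $key.GetValue('remoteEngine')
        $key.Close(); $hklm.Close()
        return $value
    } catch {
        return $null
    }
}

function Test-EngineState([string]$Action, $Observed, [string]$NewEngine) {
    # Compares the observed value with what the table prescribes for the node.
    # The comparison is literal (case-insensitive): a node set by IP will not
    # match an engine given by name, so use the same form as in "reg add".
    if ($Observed -eq $null) { return 'UNREADABLE' }
    $pointsToNew = ($Observed -eq $NewEngine)
    if ($Action -eq 'Switch') {
        if ($pointsToNew) { return 'OK' } else { return 'NOT SWITCHED' }
    }
    # Action 'Leave': the node must not have been repointed to HMC 4.0.
    if ($pointsToNew) { return 'SWITCHED BY MISTAKE' } else { return 'OK' }
}

function Get-EngineAudit($Plan, [string]$NewEngine, $Observed) {
    # $Observed is an optional hashtable (host -> value); without it, nodes are queried live.
    foreach ($node in ($Plan.Keys | Sort-Object)) {
        $action = $Plan[$node]
        if ($Observed -ne $null) { $value = $Observed[$node] }
        else                     { $value = Get-RemoteEngine $node }
        $result = Test-EngineState $action $value $NewEngine
        New-Object PSObject -Property @{
            Node = $node; Action = $action; RemoteEngine = $value; Result = $result
        }
    }
}

# Constructed sample values (not real output) to show the verdicts offline.
# MPS35 stands for the old HMC 3.5 engine; AD01 is omitted to show an unreadable node.
$Sample = @{
    'EXBE01'  = 'MPS01'    # back-end node repointed although the table says "Leave"
    'BES01'   = 'MPS01'
    'GOOD01'  = 'MPS35'    # still on the old engine
    'WSS01'   = 'mps01'
    'WEB01'   = 'MPS01'
    'SQL01'   = 'MPS01'
    'MSDNS01' = 'MPS01'
}

Get-EngineAudit $Plan $Hmc40Engine $Sample |
    Format-Table Node, Action, RemoteEngine, Result -AutoSize

# Live check against the real nodes:
# Get-EngineAudit $Plan $Hmc40Engine | Format-Table Node, Action, RemoteEngine, Result -AutoSize
```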

Moving / Upgrading System Objects

These operations should be performed once per domain. On the MPS node with HMC 4.0, start Exchange Management Shell and perform the following steps:

1. Convert the PEMExchangeUsers group to a universal security group:
   - Run the following command: dsa.msc
   - Locate the PEMExchangeUsers group (by default it resides in the Hosting / Provider container).
   - Click Properties and switch Group scope from Global to Universal.
2. Upgrade the Default Global Address List (DGAL):
   To check whether it is upgraded, see its current properties by running:

   Get-GlobalAddressList "Default Global Address List" | fl Name,*RecipientFilter*,ExchangeVersion

   If RecipientFilterType is Legacy, or ExchangeVersion is 0.0 ( ), the DGAL is not upgraded to be used by Exchange 2007. To upgrade it, run the following command:

   Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msexchsystemmailbox' -or ObjectClass -eq 'msexchdynamicdistributionlist' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicfolder'))}

   Now you can check the new properties using the Get-GlobalAddressList cmdlet again.

Switching Client Access and SMTP Traffic to Exchange 2007 Servers

Exchange 2007 Client Access servers allow you to access mailboxes located on Exchange 2003 Back-End servers. Exchange SMTP (Edge Transport or Hub Transport) servers can also be used to deliver mail to and from Exchange 2003 mailboxes.

The best way to redirect Client Access and SMTP traffic to Exchange 2007 Servers is to reconfigure NAT and transfer all connections from the External IP to the new Exchange 2007 Edge Transport server (or Hub Transport server, if the deployment is without an Edge Transport server).

The second way can be used for deployments with NLB configured for client (IMAP/POP3/OWA/RPC-over-HTTPS) and SMTP services. If Exchange 2003 and Exchange 2007 nodes reside in the same network segment, then, to eliminate service downtime, the new Exchange 2007 nodes can be added to the existing Exchange 2003 NLB cluster, and after that the Exchange 2003 nodes should be removed from the NLB cluster. If these servers are placed in different network segments, the existing NLB cluster should be destroyed on the Exchange 2003 nodes and a new NLB cluster with the same NLB name and IP should be created for the new Exchange 2007 nodes. This case produces end-user service downtime until the new cluster starts working.

Perform switching of CAS/SMTP traffic in the following way:

1. If NAT is used for transferring all incoming traffic, re-configure firewall NAT rules to transfer the Exchange Front-End and SMTP traffic to the appropriate (CAS and Hub/Edge) Exchange 2007 servers.
2. If NAT is not used, but servers are load-balanced, add the new servers into the existing NLB as described above.
3. Remove Exchange 2003 servers from the NLB.

Both ways do not require any configuration changes on the client side if a client uses OWA or the Outlook Anywhere protocol for accessing the mailbox. But after switching SMTP traffic to Exchange 2007 Edge Transport servers (or Hub Transport, if Edge Transport is not deployed in the organization), clients using POP3 and IMAP4 will be unable to use these servers as the outgoing SMTP server. For outgoing mail these clients should use the new Hub Transport server, so POP and IMAP mail clients must be reconfigured with the new outgoing SMTP server name.

The Provider should decide whether to force all users to use a secured connection for outgoing SMTP (the default Exchange 2007 configuration), or just allow a secure connection without requiring it. To configure SMTP servers so that they do not require a secure connection, follow the instructions from the Configuring Hub Servers section (on page 271).

After replacing all Exchange 2003 Front-End and SMTP servers by new Exchange 2007 CAS and Hub/Edge servers, the old Exchange 2003 Front-End and Exchange SMTP hosts should be marked as Not Ready to provide; all Exchange services should be uninstalled from these hosts in PCP.

Warning: You should not turn off or uninstall Exchange 2003 from the SMTP server which is used as the target/source transport server of the Routing Group Connectors between Exchange 2003 and Exchange 2007 servers. This server was specified during installation of the first Exchange 2007 Hub Transport role as the Exchange Server 2003 SMTP Bridgehead server (see the Deploying and Configuring Exchange 2007 Servers section (on page 179)). Otherwise, mail delivery to mailboxes located on Exchange 2003 Back-End servers will be broken.

Customers will still be able to subscribe to both Exchange versions, 2007 as well as 2003; all customers using Exchange 2003 will be served by Exchange 2007 CAS servers, as they support both Exchange 2003 and Exchange 2007 mailboxes.

Migrating Exchange Subscriptions

You should upgrade existing Subscriptions with Exchange 2003 to Service Templates with Exchange 2007. During Subscription upgrade all mailboxes are moved from the Exchange 2003 Back-End to the Exchange 2007 Mailbox server, and other necessary operations are performed as well.

The main difference between Subscriptions with two different versions of Exchange is the Exchange Server version activation parameter's value specified in the Service Template.

Exchange 2007 servers should have at least the same attributes as the corresponding Exchange 2003 servers. This allows you to use the same Resource Types (with assigned provisioning attributes) for both Exchange versions and to minimize the difference between the servers' abilities before and after transition (for example, if a customer had been provisioned on a Resource Type with the Journaling attribute set in Exchange 2003, it will be migrated to an Exchange 2007 server which also has the Journaling attribute).

To create a new Service Template (ST), do the following:

1. Clone the existing Exchange 2003 Service Template: in POA go to Top > Service Director > Provisioning Manager > Service Templates, select the existing Service Template and click on the Create a Copy button.
2. Rename the Service Template.
3. Adjust the limits: if a resource is never used in Exchange 2003 and will not be used in Exchange 2007, set the zero limit; for others, set unlimited.
4. Move to the Parameters tab, click on the Edit button and change the Exchange Server version value to
5. Check other Service Template parameters and make the template active by clicking on the Activate button.
6. Assign provisioning attributes used by the Resource Type of the new Service Template on the appropriate Exchange 2007 hosts.

Warning: If the new Service Template has a limit equal to 0 on some (sub-) resource, it will be unprovided during Service Template migration if the original Subscription had a non-zero limit on this resource. Do not set zero limits in the new ST if any of the source Subscriptions have this limit not equal to 0 and it is not needed to disable the resource for Exchange 2007 Subscriptions.

Warning: If the new Service Template has a non-zero limit on some (sub-) resource, it will be provided during Service Template migration if the original Subscription had a zero limit on this resource. Do not set non-zero limits in the new ST if all source Subscriptions have this limit equal to 0 and it is not needed to increase the limit for Exchange 2007 Subscriptions.

POA PCP/RCP Guidance

There is no way to adjust resource limits during Service Template changing, so it is possible to lose some of the provisioned resources if resource limits in a new Service Template are greater than the current usage.

Perform the following steps to migrate a Subscription from the Exchange 2003 Service Template to the new Exchange 2007 one:

1. Enter the current Subscription limits. You can view them at Top > Operations Director > Customer Manager > Customers > Customer name > Subscriptions > Resources tab.
2. Move to the General tab and click on the Change service template button.

3. Select the target Exchange 2007 Service Template and click on the Submit button to start migration.
4. Move to the Resources tab, click Edit and restore limits entered at the first step.
5. Click Submit to apply the limits.

POA BSS Guidance

The following procedure is suggested to perform a graceful upgrade of existing Exchange 2003-based Subscriptions to new Exchange 2007-based ones.

For each existing Service Plan with Exchange 2003-based hosting, perform the following steps:

1. Go to Product Director > Plan Manager > Service Plans and click on the Clone Existing Plan button.
2. Select the row with the source Exchange 2003 Service Plan.
3. Select the Copy Upgrade/Downgrade checkbox and click Continue.
4. Specify the name of the new Service Plan and assign the Exchange 2007 Service Template, cloned from the Exchange 2003 ST earlier. Click on the Add Plan button.
5. Edit the cloned resource rates (included limits) according to the appropriate Exchange 2003 Service Plan.
6. Create new resource rates on all resources of the Service Plan to specify the Included limits for overriding the unlimited amount of the Service Template.
7. Add the new Service Plan into the Allowed Upgrades/Downgrades tab of the existing Exchange 2003 Service Plan.

Now it is possible to switch the Service Plan in the Subscription:

1. Select a Subscription and move to the General tab.
2. Click on the Switch plan button.
3. Finish the wizard to place the order.

After the order is opened, the actual upgrade starts for the Subscription.

Removing HMC 3.5 and Exchange 2003

You need to perform this step if you do not have active Subscriptions in Exchange 2003 and there is no ability to subscribe a customer to Exchange 2003 via PBA CP or Online Store.

To view the list of all mailboxes located on a particular server, execute the following command from Exchange Management Shell on the MPS node with HMC 4.0:

Note: Replace <ExchangeServerName> by the actual Exchange 2003 Back-End server name.

Get-Mailbox -Server <ExchangeServerName>

If this command does not show mailboxes on the server, this server is ready to be removed.

Uninstalling Exchange 2003 Back-End Servers

Uninstall all service packages on the Exchange 2003 Back-End server through PCP. Typically it has the following packages installed:

- ExchangeOAB
- MSExchange
- MPFProviderClients.NET2

If packages fail to uninstall because they are used by some customer services, check which customer services are served by them (in PCP, check the content of the Dependent customer services tab of the service application). Resolve these services (migrate them if they are needed, or delete them if they are not needed), and try again to remove the packages.

Uninstall POA Agents from the server using the Add/Remove programs snap-in and remove the server from hosts registered in POA (in PCP, click Delete on the Summary screen of the host at Top > Deployment Director > Server Manager > Hardware Nodes > Node).

Uninstalling HMC 3.5 MPS Server

You need to perform this step only after all Exchange 2003 servers are removed from POA.

1. From PCP uninstall all packages on the MPS server.
2. Uninstall POA Agents from the MPS server using the Add/Remove programs snap-in.
3. Remove the MPS server from hosts registered in POA (in PCP, click Delete on the Summary screen of the host at Top > Deployment Director > Server Manager > Hardware Nodes > Node).

4. There is no need to uninstall HMC 3.5 from the MPS node. This node can simply be switched off.

Removing Exchange 2003 Servers from Active Directory

Exchange should be uninstalled on all Exchange 2003 Servers. For information on how to remove Exchange Server 2003 servers, refer to the following article:

To remove the last Exchange Server 2003 server from the organization, the following operations should be completed:

1. Moving public folder replicas.
2. Removing the public folder databases.
3. Moving the public folder hierarchy.
4. Moving the offline address book (OAB) generation server.
5. Deleting routing group connectors.
6. Deleting the recipient update service.
7. Verifying the mail flow, protocols, and recipient policies.

Please find the detailed instructions on How to Remove the Last Legacy Exchange Server from an Organization at

CHAPTER 6

Deploying Hosted Exchange 2007

In This Chapter

- Deployment Overview
- Deploying Hosted Exchange
- Deploying Exchange Provisioning
- POA-Related Installation Steps
- Deployment and Installation Troubleshooting
- Deploying BlackBerry Enterprise Server for Microsoft Exchange
- Deploying Good Messaging Server for Microsoft Exchange
- Managing Messaging Services

Deployment Overview

After Parallels Operations Automation MN and UI Nodes as well as Windows infrastructure are deployed, you can start deploying Hosted Exchange. This guide contains recommended deployment architectures for the Parallels Automation Hosted Exchange 2007 solution and hardware configurations for the servers to be used.

Exchange Server 2007

In Exchange Server 2007 the functionality provided by Exchange servers is divided into five separate server roles. Depending on the size of your organization, you can install one or more of these roles on one server or deploy several servers with each role.

Note: More detailed information about Exchange Server 2007 can be found at Microsoft website (

Exchange 2007 Role-Based Deployment

A server role logically organizes features and components into groups. A server role performs a specific function in the messaging environment. Each server role can function alone on an Exchange server and communicate with other Exchange servers performing other roles to create a complete messaging system.

The server roles for Exchange Server 2007 are the following:

- Mailbox server role. This is a back-end server that hosts mailboxes and public folders.
- Client Access server role. This is a middle-tier server that enables connections from a variety of client protocols to the Exchange Server mailboxes, such as Microsoft Outlook Web Access, Post Office Protocol 3 (POP3), Internet Message Access Protocol 4 (IMAP4), Outlook Anywhere (called RPC over HTTP in Exchange Server 2003), and EAS clients.
  Note: Messaging Application Programming Interface (MAPI)-based clients, such as Outlook 2003, connect directly to Mailbox servers.
- Unified Messaging server role. This is the middle-tier server that connects a Private Branch exchange (PBX) system to Exchange 2007.
- Hub Transport server role. This is the mail routing server that routes mail within the Exchange organization.
- Edge Transport server role. This is the mail server designed to be the Simple Mail Transfer Protocol (SMTP) gateway server between your organization and the Internet. It typically sits at the perimeter of the topology and routes mail in and out of the Exchange organization.

Important: All Exchange Server 2007 roles can be installed on the same server, except the Edge Transport server role, which must be installed on a separate machine.

Message Routing in Exchange 2007 Organization

When a message is addressed to a recipient in the same Exchange Server organization and is sent between Active Directory sites, the following steps occur:

1. When a message is submitted for delivery, the Mailbox server notifies the Hub Transport server that the message awaits pickup. After that the Hub Transport server retrieves the message from the mail server for delivery to the destination Active Directory site.
2. The Hub Transport server uses Active Directory site link information to determine the lowest cost route to the destination Active Directory site. However, by default, the Hub Transport server delivers the message directly to a Hub Transport server in the destination site.
3. If an Active Directory site is configured as an Exchange Server hub site along the lowest cost route, the message is delivered to a Hub Transport server in the Exchange Server hub site. The Hub Transport server in the Exchange Server hub site is responsible for delivery to either the destination Active Directory site or the next Exchange Server hub site.
4. If no Active Directory site along the lowest cost route is configured as an Exchange Server hub site and a Hub Transport server in the remote Active Directory site is unavailable, the Hub Transport delivers the message to a Hub Transport server that is in the site closest to the destination Active Directory site along the lowest cost route. The Hub Transport server in that Active Directory site is responsible for delivering the message to the destination Active Directory site.
5. After the message is received by a Hub Transport server in the destination Active Directory site, the message is forwarded to the appropriate Mailbox server in the destination Active Directory site.

192 192 Parallels Operations Automation 2.9 Parallels Exchange 2007 Hardware and Software Requirements Before installing Hosted Exchange 2007 server roles, you need to ensure that the network and servers infrastructure suit to hardware and software requirements. There are three main factors you need to consider while selecting hardware for deploying Microsoft Exchange Server They are the following: Processor Amount of memory Disk Storage The primary hardware difference between previous versions of Microsoft Exchange Server and Microsoft Exchange 2007 is the move from a 32-bit platform to a 64-bit one. Although both 32-bit and 64-bit versions of Exchange 2007 will be available, only the 64-bit version of Exchange 2007 running on the x64-based version of Microsoft Windows 2003 Server is supported in production environments. The 32-bit version is being made available for lab, demo, and training environments. The change from a 32-bit platform to a 64-bit platform requires a new approach to choosing server hardware for Exchange 2007, especially with respect to the processor and memory. Selecting Processor For production environments, you must choose a processor that will work with x64-based version of Windows Server These include Intel processors that support Intel Extended Memory 64 Technology or AMD processors that support AMD64. For more information, refer to Intel 64 Architecture ( and AMD Opteron Processors ( Intel Itanium processors cannot be used with x64-based versions of Windows Server Therefore, Itanium processors cannot be used with Exchange Exchange 2007 is designed to run only on x64-capable processors such as those listed previously, and it will not run on Itanium-based systems. Extensive testing on dual-core processors has shown that Exchange Server benefits significantly when using multi-core processor technology. Today, multi-core processors are an attractive option for Exchange 2007 based on price and performance. 
The table in this section provides viable processor configurations for Exchange.

Note: Processor core recommendations are based on the following processor revision: AMD Opteron GHZ dual-core

Exchange 2007 server role | Minimum | Recommended | Maximum
Edge Transport | 1 x processor core | 2 x processor cores | 4 x processor cores
Hub Transport | 1 x processor core | 4 x processor cores | 8 x processor cores
Client Access | 1 x processor core | 4 x processor cores | 4 x processor cores
Unified Messaging | 1 x processor core | 4 x processor cores | 4 x processor cores
Mailbox | 1 x processor core | 4 x processor cores | 8 x processor cores
Multiple server roles (combinations of Hub Transport, Client Access, Unified Messaging) | 1 x processor core | 4 x processor cores | 4 x processor cores

Selecting Memory Configuration

As a result of moving to a 64-bit architecture, Exchange 2007 enables much better memory utilization than previous versions of Exchange Server. Exchange 2007 can use 32 GB of memory and more.

Note: 32 GB is not a physical limitation, but rather it is currently the most cost-efficient maximum memory configuration.

Exchange 2007 server role | Minimum per server | Recommended | Maximum per server
Edge Transport | 2 GB | 1 GB per core (2 GB minimum) | 16 GB
Hub Transport | 2 GB | 1 GB per core (2 GB minimum) | 16 GB
Client Access | 2 GB | 1 GB per core (2 GB minimum) | 8 GB
Unified Messaging | 2 GB | 1 GB per core (2 GB minimum) | 4 GB
Mailbox | 2 GB; also depends on number of storage groups (see below) | 2 GB; plus from 2 MB through 5 MB per mailbox (see below) | 32 GB
Multiple roles (combinations of Hub Transport, Client Access, Unified Messaging, and Mailbox server roles) | 2 GB; also depends on number of storage groups (see below) | 4 GB; plus from 2 MB through 5 MB per mailbox (see below) | 8 GB

Selecting Disk Storage

Capacity and performance are often at odds with each other when it comes to selecting a storage solution, and both must be considered before making a purchase. Generally, the decision involves the following factors:

1. Making sure there will be enough space to store all of the data. Determining your capacity needs is a relatively straightforward process.
2. Making sure the solution provides acceptable disk latency and a responsive user experience. This is determined by measuring or predicting transactional input/output (I/O) delivered by the solution.
3. Making sure that non-transactional I/O has both enough time to complete and enough disk throughput to meet your service level agreements (SLAs).

Once you have your capacity, transactional, and non-transactional I/O requirements, you can apply them to a proposed hardware design. For storage, the transactional I/O requirements have been reduced, and with continuous replication, high availability no longer means having to use expensive Fibre Channel storage (though that is still a very good solution).

Exchange 2007 supports the following storage technologies:

- Serial ATA - Serial ATA (SATA) is a serial interface for ATA and IDE drives that are typically found in desktop computers. They are generally slower than SCSI and Fibre Channel disks, but they do come in large sizes. These highly reliable disks are designed to run at peak load, 24 hours a day, every day. Disks with a faster rotational speed, such as 10,000 RPM disks, may be needed to meet your I/O requirements.
- Serial Attached SCSI - Serial attached SCSI (SAS) storage uses enterprise-class, high-performance hard disks. The throughput on many SAS arrays far surpasses both SATA and traditional SCSI.
- iSCSI - iSCSI is the only network-based storage that is supported by Exchange. Although iSCSI connects a server to storage over Ethernet, it is important to treat it as your storage connection and completely isolate your iSCSI storage network from all other network traffic.
- Fibre Channel - Fibre Channel is a network technology often using fiber optic cables in storage area networks (SANs). It is a gigabit speed network that is high performing and excellent for storage consolidation and management.

Note: One storage change is that Exchange 2007 does not support Network Attached Storage (NAS).

The Exchange 2007 Mailbox role is the most dependent on disk storage. Having sufficient capacity and performance is extremely critical for this role.

Edge and Hub roles are critical to disk storage performance. These roles should properly maintain message queue growth and route mail as fast as possible.

In Exchange 2007, the Client Access role has a small disk I/O footprint and is therefore not critical to disk storage. The scenario where disk I/O becomes an issue for Client Access servers is one where the users access mailbox data through either POP3 or IMAP4 protocols.

Hardware Requirements for Hosted Exchange 2007 Server Roles

This section provides recommended hardware and software requirements for Hosted Exchange 2007 servers.

Server Names: EXEDGE
Description: Exchange Edge Transport Server. Handles all Internet-facing inbound and outbound mail flow and provides protection against spam and viruses.
Density: 20,000 mailbox users. It depends on the usage profile.
Quantity: Minimum 2 are recommended for NLB cluster. An exact number to be calculated based on the projected customer base and the density above.
OS:
    Windows Server 2003 (R2) Standard Edition SP2 (x64)
    Windows Server 2008 Standard Edition (x64) or higher edition
Software:
    To be installed by the Customer: OS
    To be installed by Parallels: Exchange Server 2007 Standard Edition SP1 Update Rollup 2 (Distribution to be provided by the Customer)
Supported Virtualization: Not supported
CPU: 4 core (3GHz or higher)
RAM: 4GB
Disks:
    Array 1: OS, software, and queue database transaction logs - 2 x 72 GB, SCSI, RAID 1
    Array 2: Queue database data, protocol and message tracking logs, and antivirus quarantine - 4 x 72 GB SCSI RAID 1+0
Disk Partitioning:
    Array 1:
        C: 20GB - for OS and software
        D: remaining space (52GB) - queue database transaction logs
    Array 2:
        E: 142GB - queue database data, protocol and message tracking logs, and antivirus quarantine
NICs: EdgeNet (perimeter network)

Server Names: EXHUB
Description: Exchange Hub Transport Servers. Provide all mail transfer inside the organization, apply mail flow routing rules and transport rules, and are responsible for delivering messages to a recipient's mailbox. Carry SMTP for POP3/IMAP clients.
Density: 20,000 mailbox users. Depends on the usage profile.
Quantity: Minimum 2 are recommended for high availability. An exact number to be calculated based on the projected customer base and the density above.
OS:
    Windows Server 2003 (R2) Standard Edition SP2 (x64)
    Windows Server 2008 Standard Edition (x64) or higher edition
Software:
    To be installed by the Customer: OS
    To be installed by Parallels: Exchange Server 2007 Standard Edition SP1 Update Rollup 2 (Distribution to be provided by the Customer)
Supported Virtualization: Not supported
CPU: 4 core (2GHz or higher)
RAM: 4GB
Disks:
    Array 1: OS, software, and queue database transaction logs - 2 x 72 GB, SCSI, RAID 1
    Array 2: Queue database data, protocol and message tracking logs, and antivirus quarantine - 4(6) x 72 GB SCSI RAID 1+0
Disk Partitioning:
    Array 1:
        C: 20GB - for OS and software
        D: remaining space (52GB) - queue database transaction logs
    Array 2:
        E: 142(216)GB - queue database data, protocol and message tracking logs, and antivirus quarantine
NICs: FrontNet, BackNet

Server Names: EXCAS
Description: Exchange Client Access Server. Runs Exchange mailbox access services - RPC Proxy, OWA, ActiveSync, POP3, IMAP, Exchange Web services.
Density: 15,000 mailbox users. It depends on the usage profile.
Quantity: Minimum 2 are recommended for NLB cluster. An exact number to be calculated based on the projected customer base and the density above.
OS:
    Windows Server 2003 (R2) Standard Edition SP2 (x64)
    Windows Server 2008 Standard Edition (x64) or higher edition
Software:
    To be installed by the Customer: OS
    To be installed by Parallels: Exchange Server 2007 Standard Edition SP1 Update Rollup 2 (Distribution to be provided by the Customer)
Supported Virtualization: Not supported
CPU: 4 core (2GHz or higher)
RAM: 4GB
Disks:
    Array 1: OS, software, and data - 2 x 72GB SCSI (80GB SATA), RAID 1
Disk Partitioning:
    Array 1:
        C: 20GB - for OS and software
        D: remaining space - IIS data and Logs
NICs: FrontNet, BackNet

Server Names: EXMBX
Description: Exchange Mailbox Servers. Can be deployed as CCR or SCC cluster. Runs Exchange mailbox and public folder stores. Stores and maintains Offline Address Books for Exchange organizations.
Density: 6,000 mailboxes. Depends on the storage requirements and usage profile.
Quantity: To be calculated based on the projected customer base and the density above.
OS:
    Clustered configuration:
        Windows Server 2003 (R2) Enterprise Edition SP2 (x64) or higher edition
        Windows Server 2008 Enterprise Edition (x64) or higher edition
    Non-clustered configuration:
        Windows Server 2003 (R2) Standard Edition SP2 (x64) or higher edition
        Windows Server 2008 Standard Edition (x64) or higher edition
Software:
    To be installed by the Customer: OS
    To be installed by Parallels: Exchange Server 2007 Standard Edition SP1 Update Rollup 2 (Distribution to be provided by the Customer)
Supported Virtualization: Not supported
CPU: 4 core (3GHz or higher)
RAM: 12GB
Disks: Depends on the usage profile and mailbox number.
    Array 1: OS and software - 2 x 36, SCSI RAID 1
    Array 2: Exchange databases - DAS or SAN
    Array 3: Exchange database logs - DAS or SAN
    14 x 146GB, SCSI, RAID x 146GB, SCSI, RAID 1+0
Disk Partitioning:
    Array 1:
        C: 34GB - for OS and software
        E: 1GB - anchor partition for Mailbox Data VMP
        F: 1GB - anchor partition for Mailbox Transaction Log VMP
    Array 2:
        E:\SG01DB through E:\SG07DB (VMP) - 7 x 120GB (840GB) - SG01-SG07 Data (7 SGs with one Mailbox Store per SG for 5,000 mailboxes of 100MB size limit)
        E:\SG08DB (VMP) - 180GB - SG08 Data (Public Store providing 15-20MB of public space per mailbox and system space for 1,000 OABs)
        Q:\ - 2GB - Quorum and MSDTC (for SCC)
    Array 3:
        F:\SG01LOG through F:\SG07LOG (VMP) - 7 x 35GB (245GB) - SG01-SG07 Transaction Log
        F:\SG08LOG (VMP) - 45GB - SG08 Transaction Log
    * VMP - Volume Mount Point
    * SG - Storage Group
NICs: BackNet; SAN connectivity (for SCC)

Server Names: EXOAB
Description: Exchange Mailbox server for Offline Address Book. Stores and maintains Offline Address Books for Exchange organizations. Initially EXMBX servers are used for storing OAB, but if their capacity is filled (1,000 OABs, i.e. 1,000 customer organizations per server), an additional OAB server should be deployed.
Density: 1,000 customers (Exchange organizations)
Quantity: Optional. Required if the number of customer organizations on an Exchange back-end server exceeds 1,000.
OS:
    Windows Server 2003 (R2) Standard Edition SP2 (x64)
    Windows Server 2008 Standard Edition (x64) or higher edition
Software:
    To be installed by the Customer: OS
    To be installed by Parallels: Exchange Server 2007 Standard Edition SP1 Update Rollup 2 (Distribution to be provided by the Customer)
Supported Virtualization: Not supported
CPU: 2 core (2GHz or higher)
RAM: 2GB
Disks:
    Array 1: OS and software - 2 x 72, SCSI RAID 1
Disk Partitioning:
    Array 1:
        C: 20GB - for OS and software
        D: remaining space (52GB) - OAB Data
NICs: BackNet

Exchange Servers 2007 Software Requirements

Basic software requirements for deploying Hosted Exchange 2007 server roles are the following:

- Windows Server 2003 x64 w/sp1 or R2, or SP2
- Microsoft .NET Framework 2.0
- Windows PowerShell 1.0
- Microsoft Management Console (MMC) 3.0
- Hotfixes/Updates:
    - _intl_x64_zip.exe (Edge)
    - NDP20-KB x64.exe (.NET update)
    - WindowsServer2003.WindowsXP-KB x64-ENU.exe (WSU)
    - Windowsmedia 10-kb x64-intl.exe (UM)
    - .NET Framework 2.0 Service Pack 1 or Hotfix from

Role | Software | Deployment Guidelines

Client Access server role (CAS)
    Software: IIS 6.0 components; WWW Publishing Service; ASP.Net 2.0; Outlook Anywhere, Install RPC/HTTP proxy
    Deployment Guidelines: Min. 1 CAS per AD site where Mailbox server resides; Deploy CAS first; Using Exchange 2003 FE with Exchange 2007 Mailbox is not supported

Unified Messaging server role (UM)
    Software: Windows Media Encoder 9*64; Microsoft Windows Media Audio Voice Codec; MSXML 6.0
    Deployment Guidelines: Submits messages to Hub server; does not use legacy bridgeheads; Supports Exchange 2007 mailboxes only

Mailbox server role
    Software: Windows Server 2003 Enterprise (CCR); IIS 6.0 components; WWW; Network COM+ Access; IIS service

Multi-Role (Hub Transport, CAS, UM, Mailbox)
    Software: IIS 6.0 components; WWW Publishing Service; Network COM+ Access

Edge Transport server role
    Software: ADAM; Hotfix: _intl_x64_zip.exe
    Deployment Guidelines: Uses ADAM to store configuration and recipient information

Hub Transport server role
    Software: None

Deployment Architectures

This section describes the configuration and the required number of Exchange 2007 servers. Each architecture level requires a different number of servers and a specific combination of Exchange Client Access, Unified Messaging, Hub, Edge, and Mailbox roles that should be installed on the servers. Note that Unified Messaging is currently not supported by POA and should not be installed.

Entry Level

- Up to 1,000 mailboxes
- No redundancy

The Entry Tier architecture is designed to support up to 1,000 mailbox users. It includes a single server running the Mailbox role and a single server combining several roles - Hub Transport, Client Access and Unified Messaging. There is no server running the Edge Transport role; message filtering is performed at Hub Transport.

This architecture is appropriate for customers looking for a lower total cost of ownership (TCO) solution, but at the same time it is a lower Service Level Agreement (SLA) solution, as it does not provide redundancy and fail-over abilities.

Standard Level

- Up to 5,000 mailboxes
- Redundant

The Standard Level architecture is designed to support up to 5,000 mailbox users. Two servers running the Mailbox role are clustered using Cluster Continuous Replication (CCR). Two front-end servers combining several roles - Hub Transport, Client Access and Unified Messaging - are load-balanced to provide redundancy and high availability. Two servers running the Edge Transport role handle all Internet-facing inbound and outbound mail flow and provide message filtering. Edge servers are load-balanced to provide redundancy and high availability.

This architecture is appropriate for customers starting Hosted Exchange services and wishing to provide a high Service Level Agreement (SLA) from the start.

Carrier Level

- Up to 20,000 mailboxes
- Redundant and scalable

The Carrier Level architecture is designed to support up to 20,000 mailbox users. Six servers running the Mailbox role are clustered using Cluster Continuous Replication (CCR). Two client access servers running the Client Access and Unified Messaging roles are load-balanced to provide redundancy and high availability. The Hub Transport role is carried by two separate Hub servers to guarantee that client access load does not affect mail routing and delivery of messages to recipients' mailboxes. Hub servers also provide SMTP service for POP3/IMAP clients (load-balanced to provide high availability for SMTP). Two servers running the Edge Transport role handle all Internet-facing inbound and outbound mail flow and provide message filtering. Edge servers are load-balanced to provide redundancy and high availability.

The Carrier Level architecture is scalable by adding more servers to the infrastructure without reconfiguration of existing servers.

This architecture is appropriate for customers having (or anticipating) a large client base on Hosted Exchange services, providing a high Service Level Agreement (SLA), and wishing to scale easily as their client base grows.

Supported Storage Technologies

Exchange Server 2007 supports the following storage technologies:

- SATA - Serial ATA
- SAS - Serial attached SCSI
- iSCSI - Internet SCSI
- Fibre Channel

Note: Exchange Server 2007 does not support Network Attached Storage (NAS).

Regardless of the storage technology you choose, all storage solutions used with Exchange 2007 must be listed on the Windows Server Catalog of Tested Products. In addition, single copy cluster (SCC) solutions must have the entire solution listed in the Cluster Solutions category of the Windows Server Catalog of Tested Products, and geographically dispersed SCC solutions must have the entire solution listed in the Geographically Dispersed Cluster Solutions category of the Windows Server Catalog of Tested Products.

For more details, refer to the Planning Storage Configurations article.

High Availability for Exchange Mailbox Servers

Exchange Server 2007 provides several options for high availability of the Mailbox server. The technologies for Mailbox servers in Exchange Server 2007 that provide high availability and quick recovery and prevent critical data loss in case of system failure are the following:

- Local Continuous Replication (LCR)
- Cluster Continuous Replication (CCR)
- Single Copy Cluster (SCC)

Local Continuous Replication

LCR is a single-server solution for providing high availability of Exchange Server data. It uses built-in asynchronous log shipping technology to create and maintain a copy of a storage group on a second set of disks. The disks are connected to the same server as the production storage group. LCR provides log shipping, log replay, and a quick manual switch to a secondary copy of the data.

Figure 66: Local Continuous Replication

Cluster Continuous Replication

CCR is similar to LCR in that you create and maintain a second copy of the Exchange Server data. However, the storage group copy is stored on another computer running Exchange. The server with the storage group copy can be located in the same data center or in a different data center. CCR provides both high availability and site resilience.

Figure 67: Cluster Continuous Replication

Single Copy Clusters

SCC is a clustered solution that is based on Windows failover cluster. SCC uses one storage group copy located on storage that is shared between the nodes in the cluster. SCC is very similar to the clustering in previous versions of Exchange Server, with some changes and improvements.

When selecting shared storage for an SCC solution, check that the entire solution is listed in the Cluster Solutions category of the Windows Server Catalog of Tested Products.

Figure 68: Single Copy Clusters

High Availability for Exchange Hub, Edge and CAS Servers

High availability for the Hub Transport, Edge Transport, and Client Access server roles is achieved through a combination of server redundancy and network load balancing, as well as proactive server, service, and infrastructure management.

- Client Access - deploy multiple Client Access servers and configure Network Load Balancing or use a third-party hardware-based network load-balancing device.
- Hub Transport - deploy multiple Hub Transport servers for internal transport high availability. Hub Transport servers also usually run the SMTP service for POP3/IMAP clients. To provide high availability for the SMTP service, configure Network Load Balancing on the external network interface (NLB on servers running the Hub role is supported since Exchange 2007 SP1) or use a third-party hardware-based network load-balancing device.
- Edge Transport - deploy multiple Edge Transport servers and configure Network Load Balancing or use a third-party hardware-based network load-balancing device.

Deploying Hosted Exchange 2007 Overview

This section provides step-by-step instructions for Hosted Exchange 2007 deployment. Here and later we assume that a single-domain, single-forest Active Directory is installed and that the username and password of the domain administrator are provided (here and below the user Administrator is assumed).

The main steps to be performed are the following:

1. Install and configure all Windows Server 2003 nodes where Exchange Servers are to be installed.
2. Prepare Active Directory for Hosted Exchange.
3. Install Exchange 2007 prerequisites on all nodes where Exchange Servers are to be installed.
4. Deploy the Exchange Server 2007 server roles.
5. Configure each Exchange server.

Exchange 2007 Server Installation

This section describes the general process of Exchange Server 2007 deployment.

Exchange Server 2007 Distribution Packages

Only the Exchange Server bit version is supported for production environments. The Exchange Server bit version is supported for testing environments, and the 32-bit version of the Exchange Server 2007 Management Tools is also supported in production environments for remote administration of Exchange Server.

Exchange Server 2007 is offered in two server editions (Standard and Enterprise). Both editions can be installed from one distribution package and activated by product key after installation. Until a product key is entered, Exchange Server works in 120-day evaluation mode.

Microsoft Exchange Server 2007 Service Pack 1 is the latest version of Exchange Server. Microsoft Exchange Server 2007 SP1 introduces many new features and technologies that were not available in the release to manufacturing (RTM) version of Exchange Server. These new features and technologies help to increase productivity and reduce administrative overhead. For more information about the new features and technologies in Exchange 2007 SP1, see the What's New in Exchange Server 2007 SP1 article.

Microsoft Exchange Server 2007 SP1 is delivered as a fully functional distribution package. It can be used for the initial Exchange Server installation or for upgrading existing servers that have Exchange Server 2007 RTM installed. For upgrade instructions, refer to the Upgrading to Exchange 2007 Service Pack 1 (on page 257) section.

The list of Exchange Server 2007 distribution packages and updates is the following:

Media | Download location | Notes

Media:
    Exchange Server 2007 (64-bit)
    Exchange Server 2007 Management Tools (32-bit)
    KB (32-bit and 64-bit)
    Exchange Server 2007 Service Pack 1

Download location:
    ads/details.aspx?familyid=6be b- 76e9c677e802&displaylang=en
    Update Rollup 4 for Exchange Server 2007: ads/details.aspx?familyid=e56f C52A-216E-4225-BF2F- F082C20B7B21&displaylang=en
    ads/details.aspx?familyid=44c66 AD6-F185-4A1D-A9AB- 473C C&displaylang=en

Notes:
    This update is required for Hosted Exchange 2007 to work properly (not required for Exchange Server 2007 SP1).
    SP1 contains all fixes from previous Update Rollups for Exchange 2007.

Exchange Server 2007 Media Prerequisites

The list of prerequisites for Exchange 2007 RTM or SP1 on Windows 2003 is the following:

Media | Download location | Notes

Media:
    Windows Server 2003 Service Pack 2
    Windows PowerShell KB
    Microsoft Management Console (MMC) 3.0 KB
    KB
    KB
    KB
    Microsoft .NET Framework 2.0 Service Pack

Download location:
    Update for Windows Server 2003 SP1-based server clusters:
    Update for Windows Server 2003 x64 Edition:
    Update for Windows Server 2003 x64 Edition:
    August 2007 cumulative time zone update for Microsoft Windows operating systems:
    Update (x64):
    Update (x32):
    SP1 (x64): 8A99-3C61D19A4C5A&displaylang=en
    .NET 2.0 SP1 (x32): AACF-A7633F706BA5&displaylang=en

Notes:
    Included in Microsoft Windows Server 2003 SP2
    Included in Microsoft Windows Server 2003 SP2
    Included in Microsoft Windows Server 2003 SP2
    Included in Microsoft Windows Server 2003 SP2
    This hotfix is not discoverable on Microsoft.com
    Included in Microsoft .NET Framework 2.0 SP 1

Media | Download location | Notes
Windows Server 2003 Active Directory Application Mode | A3E5-2A2A57B5C8E4&displaylang=en | Included in Microsoft Windows Server 2003 R2 and can be installed through "Optional Component Manager"
Microsoft Core XML Services (MSXML) 6.0 | BE21-27E85E1857B1&displaylang=en |
ExchangeRollup_ hotfix | | This HMC4.0 hotfix is provided by Microsoft via Support

All prerequisites for Exchange 2007 SP1 on Windows 2008 are included in the Windows Server 2008 distribution.

The list of prerequisites for Exchange 2007 Provisioning that should be installed on the MPS node:

Media | Download location | Notes
HMC 4.0 | Microsoft Solution for Hosted Messaging and Collaboration version 4.0: AC B665EB8&displaylang=en |
HMC 4.0 Update Rollup 4 for the Hosted Exchange | | This HMC4.0 Update Rollup 4 is provided by Microsoft via Support
HMC 4.5 | Microsoft Solution for Hosted Messaging and Collaboration 4.5: AF5E-F49E7C701CF4&displaylang=en |

Installing Exchange 2007 Server Roles in Unattended Mode

This topic explains how to use Setup from a Command Prompt window to install Microsoft Exchange Server 2007 in unattended mode. To perform an unattended setup, you must install Exchange 2007 from the command prompt.

To install Exchange 2007 in unattended mode, perform the following steps:

1. Log on to the server on which you want to install Exchange.
2. Insert the Exchange 2007 DVD into the DVD drive. From a command prompt, navigate to the DVD drive.
3. From a command prompt, run the following command:

    Setup.com /mode:<setup mode> /roles:<server roles to install> [/OrganizationName:<name for the new Exchange organization>]

/mode, or /m <setup mode>

You must use the /mode parameter to specify the setup mode. If you do not specify a mode, Setup uses the default Install mode. Select one of the following modes:

- Install
- Upgrade
- Uninstall
- RecoverServer

/roles, or /r <server roles to install>

You must use the /roles parameter to specify which server roles to install. Select one or more of the following roles, in a comma-separated list:

- ClientAccess (or CA, or C)
- EdgeTransport (or ET, or E)
- HubTransport (or HT, or H)
- Mailbox (or MB, or M)
- UnifiedMessaging (or UM, or U)
- ManagementTools (or MT, or T)

[/OrganizationName, or /on <organization name>]

Use the /OrganizationName parameter to specify the name to give the new Exchange organization. This parameter is required if you are installing the first server in an organization and you are not configuring Active Directory for Exchange with the /PrepareAD command. If you are installing a server in an existing Exchange organization, you cannot use this parameter.

Verifying Exchange Server 2007 Installation

After you install Microsoft Exchange Server 2007, we recommend that you verify the installation and review the server setup logs. If the setup process fails or errors occur during installation, you can use the setup logs to track down the source of the problem.

Verify a successful installation in the following way:

1. Open the Exchange Management Shell on the installed server.
2. Run the following command:

    get-exchangeserver

3. The list of all Exchange Server 2007 server roles that are installed in the organization will be displayed.

If setup failed for any reason, you can review the Setup log files. By default, the logging method is set to verbose. These log files contain a history of actions that the system takes during setup and any errors that have occurred. Note that the setup log files contain a huge amount of detailed information, so you may need to search for keywords.

Review the Setup log files in the following way:

1. Open the following file:

    <system drive>\exchangesetuplogs\exchangesetup.log

2. Review the setup information, and search for any keywords that relate to error messages you received during setup.

An alternative way to review the Setup log files is the following:

1. Open the Exchange Management Shell on the installed server.
2. Run the following command:

    get-setuplog

Review the command output for any error messages.

Configuring Active Directory

Exchange Server 2007 places information into Active Directory's domain, configuration, and schema partitions. The data in Active Directory includes information about the messaging organization. The configuration information that Active Directory stores also controls how messages are routed within an Exchange Server organization and how they are delivered to, and received from, the Internet.

Extending Maximum Number of Global Address Lists

The default configuration of the GAL class object supports only 1000 address lists. This section describes the MakeGalLinked tool, which is used to extend this limit.

Important: You must complete this procedure before you install the Exchange Server 2007 Schema extensions. If you do not, you may have to build your Hosted Exchange environment again from clean servers.

Execute the Active Directory Schema Extension in the following way:

1. Log on to the Schema Master Flexible Single Master Operations (FSMO) server (AD01) and copy the makegallinked.exe file from the \Hosted Exchange\makeGalLinked directory of your solution distribution to a local directory. Execute the following command from the directory to which you copied makegallinked.exe:

    makegallinked.exe /dc:%computername% /operation:makegallinked

   If the command above fails, try the following (extended) form:

    makegallinked.exe /dc:<domain_controller_name> /domain:<domain_name> /admin:<exchangefulladminaccountname> /adminpwd:prompt /operation:makegallinked

   Using the reference names, it should be:

    makegallinked.exe /dc:ad01 /domain:he.local /admin:administrator /adminpwd:prompt /operation:makegallinked

2. Look for the following in the output, which indicates that the operation was successful:

    "globaladdresslist" schema object is not a linked attribute
    "globaladdresslist" schema object is a linked attribute with linkid: 4048

215 Deploying Hosted Exchange Preparing Active Directory for Exchange 2007 Installation Important: If the user who installs Exchange is a member of the EnterpriseAdmin and SchemaAdmin groups, /PrepareSchema and /PrepareAD will be automatically executed during first Exchange 2007 server installation and you should not perform this step. Most deployment scenarios require you to run /PrepareSchema and /PrepareAD for successful Exchange 2007 installation. As a general rule, keep in mind that when the administrator (or user used for perform Exchange installation) does not have EnterpriseAdmin and SchemaAdmin permissions, you must run /PrepareSchema and /PrepareAD manually under account with corresponding privileges. Preparing for Active Directory Initializations Before you extend your Active Directory service schema to support Exchange Server 2007, you need to install PowerShell 1.0 on AD01. The Exchange Server 2007 PrepareSchema command will not run without it. /PrepareSchema and /PrepareAD commands should run on a computer that is in the same domain and the same Active Directory site as the Schema Master. Running PrepareSchema Run /PrepareSchema to extend the Active Directory schema to include Exchangespecific classes and attributes. The /PrepareSchema also creates the container object for the Exchange organization in the Active Directory. Note: Be aware that after /PrepareSchema starts, you cannot cancel the process. To run Exchange Server 2007 /PrepareSchema, do the following: 1 Log on to AD01 using an account that has both Enterprise and Schema Administrator privileges. 2 Open a command prompt. Change the directory to the location of your Exchange 2007 installation media, and then execute following command: Setup.com /PrepareSchema Running PrepareAD After the /PrepareSchema, run /PrepareAD to create the groups and permissions necessary for Exchange servers to read and modify user attributes. 
The Exchange 2007 /PrepareAD performs the following actions in the domain:
- Creating the Exchange organization in Active Directory.
- Creating the Microsoft Exchange System Objects container for the domain.
- Creating the following Universal Security Groups (USGs) for Exchange: Exchange Organization Administrators, Exchange Recipient Administrators, Exchange View-Only Administrators, Exchange2003Interop.
- Setting permissions on the global Exchange configuration container, the Microsoft Exchange System Objects container, and the USGs.
- Initializing domain permissions by setting permissions for users, contacts, and groups to enable Exchange servers and Exchange administrators to access and manage needed attributes.

Important: After you run /PrepareSchema, be sure to allow enough time for the schema extensions to replicate throughout all the domains and subdomains in your organization. Depending on the geography of your organization and the speed of your network connections between Windows 2003 sites or domains, this could take some time. You should run /PrepareAD only after you have ensured that the Exchange-specific information has been replicated across your organization.

To run Exchange Server 2007 /PrepareAD:
1 Log on to AD01 using an account that has Enterprise Administrator privileges.
2 Open a command prompt. Change the directory to the location of your Exchange 2007 installation media, and then execute the following command:
    Setup.com /PrepareAD /OrganizationName:HostedExchange
Where /OrganizationName is the name of the Exchange organization container.

Preparing Servers for Exchange 2007

Exchange 2007 RTM can be installed on Windows Server 2003 SP2 or Windows Server 2003 R2 SP2. Exchange 2007 SP1 can also be installed on Windows Server

Preparing Windows Server 2003 Servers

To install Windows Server 2003 or Windows Server 2003 R2:
1 Perform the default installation of Windows Server 2003 Standard Edition with Service Pack 1 using the CD boot method. Use appropriate naming conventions for your environment.
Important: Step 2 should be performed only if you are installing Windows Server 2003 R2.
2 After the Windows Server 2003 with SP1 Setup is complete, log on to the computer as an administrator. Insert Disc 2 into your CD-ROM drive. Setup for Disc 2 should start automatically. If it does not start automatically, browse to Disc 2 (or to the shared folder that contains the Setup files) and click Setup2.exe in the \Cmpnents\R2 folder. Follow the instructions on your screen to upgrade to R2.

To prepare the server, do the following:
1 Install Windows Server 2003 SP2 (required).

2 Install .NET Framework 2.0. Open the Control Panel > Add/Remove Programs, click Add/Remove Windows Components, and select Microsoft .NET Framework
3 Install .NET Framework 2.0 Service Pack 1 (optional for Exchange Server 2007 RTM and required for Exchange Server 2007 SP1).
4 Install .NET 2.0 update KB (required only if .NET Framework 2.0 SP1 is not installed).
5 Install the Microsoft Management Console (MMC)
6 Install Microsoft PowerShell.
7 Enable Remote Desktop. Click Start, open the Control Panel, click System, move to the Remote tab, and select Enable Remote Desktop on this computer.
8 Install Support Tools from the Support Tools directory on the Windows Server 2003 CD.
9 Configure DNS on the local network interface:
   - for servers deployed inside the Active Directory domain, use the IP addresses of AD01 and AD02 as the Preferred and Alternative DNS servers;
   - for servers deployed outside the Active Directory domain (Exchange 2007 Edge servers), use the IP address of the external DNS server DNS01 as the Preferred DNS server and, if it exists, DNS02 as the Alternative DNS server.
Important: Step 10 should not be performed on servers deployed outside the Active Directory domain (Exchange 2007 Edge servers).
10 Join the host to the Active Directory domain.
11 Here and below, log on as a domain administrator (on servers that are members of the AD domain) or as a local administrator (on servers that are not members of the AD domain).
12 Apply any released updates to Windows Server 2003 by using SUS or Microsoft Update.

PowerShell creates two event logs during installation: PowerShell and Windows PowerShell. The PowerShell log has a maximum log size of 512 KB, and the log very often reaches this limit, producing annoying error messages. We recommend that you increase the maximum log size of the PowerShell log to 16 MB after PowerShell installation. You can do it in the following way:
1 Log on to the server where PowerShell is installed, using an account that is a member of the Domain Administrators group.
2 Start the Event Viewer (open Start > Run, enter the eventvwr.msc command and press OK).
3 Right-click the PowerShell log, and then click Properties.
4 In the PowerShell Properties dialog window, increase the Maximum log size from 512 KB to KB (16 MB) and press OK.

Preparing Windows Server 2008 Servers

To install Windows Server 2008:
Perform a default installation of Windows Server 2008 ("Standard Edition" is assumed by default) by using the CD boot method. Use the appropriate naming conventions for your environment.

To prepare the server:
1 Install Windows PowerShell by running the following command:
    ServerManagerCmd -i PowerShell
2 Enable Remote Desktop. Click Start, go to Control Panel, click System, and then click Remote settings. On the Remote tab of the System Properties dialog, select "Allow connections from computers running any version of Remote Desktop" or "Allow connections only from computers running Remote Desktop with Network Level Authentication".
3 Install the Active Directory Domain Services remote management tools by running the following command:
    ServerManagerCmd -i RSAT-ADDS
4 Configure DNS on the local network interface:
   - for servers deployed inside the Active Directory domain, use the IP addresses of AD01 and AD02 as the Preferred and Alternative DNS servers;
   - for servers deployed outside the Active Directory domain (Exchange 2007 Edge servers), use the IP address of the external DNS server DNS01 as the Preferred DNS server and, if it exists, DNS02 as the Alternative DNS server.
Important: Step 5 should not be performed on servers deployed outside the Active Directory domain (Exchange 2007 Edge servers).
5 Join the host to the Active Directory domain.
6 Here and below, log in as a domain administrator (on servers that are members of the AD domain) or as a local administrator (on servers that are not members of the AD domain).
7 Apply any released updates to Windows Server 2008 by using SUS or Microsoft Update.

Deploying Exchange Server 2007 Roles

This section provides detailed steps for deploying Microsoft Exchange Server roles. Exchange Server roles should be deployed in the following order:
1 Client Access Server (EXCAS01).
2 Hub Transport Server (EXHUB01).
3 Edge Transport Server (EXEDGE01).
4 Cluster continuous replication (CCR) two-node Mailbox cluster (EXMBX01).
5 Standalone Mailbox server (EXMBX02).

Deploying Client Access Role

The Exchange 2007 Client Access role should be installed first.

Installing Exchange Server 2007 Prerequisites

Installing Exchange Server 2007 Prerequisites for Windows Server 2003

Note: The list of distribution packages and their download location can be found in the Exchange Server 2007 Distribution Packages (on page 209) and Exchange Server 2007 Media Prerequisites (on page 210) sections.

To install Exchange Server 2007 Prerequisites for the Client Access server role, perform the following steps:
1 Install Application Server components. To do that, open Control Panel, double-click Add / Remove Programs, click Add/Remove Windows Components, and select:
   - Application Server > Enable Network COM+ access
   - Application Server > Internet Information Services (IIS) > Common Files, Internet Information Services Manager
   - Application Server > Internet Information Services (IIS) > World Wide Web Service > World Wide Web Service
2 Install the RPC over HTTP Proxy Windows networking component. Refer to the Installing RPC-over-HTTP Windows Component (on page 81) section.
3 Install Microsoft Core XML Services (MSXML)
4 Install the cumulative time zone update for Microsoft Windows operating systems - KB (required for Exchange 2007 SP1).

Installing Exchange Server 2007 Prerequisites for Windows 2008 Server

To install Exchange 2007 Prerequisites for the Client Access role, perform the following steps:
1 Install the necessary Web Server (IIS) prerequisites by running the following commands in the order in which they are listed:
    ServerManagerCmd -i Web-Server
    ServerManagerCmd -i Web-ISAPI-Ext
    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console
    ServerManagerCmd -i Web-Basic-Auth
    ServerManagerCmd -i Web-Digest-Auth
    ServerManagerCmd -i Web-Windows-Auth
    ServerManagerCmd -i Web-Dyn-Compression
2 Install the RPC over HTTP proxy feature by running the following command:
    ServerManagerCmd -i RPC-over-HTTP-proxy

Running Exchange Server 2007 Setup

Run Exchange Server 2007 Setup to install the Exchange Server 2007 Client Access Server (CAS) role.
1 Log on to EXCAS01 using an account that is a member of the Domain Administrators group.
2 Open a command prompt, and navigate to the Exchange Server 2007 installation files.
3 Run the following command:
    Setup.com /mode:install /roles:ca [/OrganizationName:HostedExchange]
Important: You must specify the /OrganizationName parameter if you skipped the Preparing Active Directory for Exchange 2007 Installation (on page 215) step.
4 Setup copies the setup files locally to the computer on which you are installing Exchange Server.
5 Setup checks the prerequisites, including all prerequisites specific to the server roles that you are installing. If you have not met all of the prerequisites, Setup fails and returns an error message that explains the reason for the failure. If you have met all of the prerequisites, Setup installs Exchange Server 2007.

Verifying Exchange Server 2007 Installation

Refer to the Verifying Exchange Server 2007 Installation section (on page 212) to complete this step.

Deploying Hub Transport Role

The Hub Transport server role should be installed after the Client Access server role is installed. Repeat the following steps for all Hub servers planned for use in the Hosted Exchange solution.

Installing Exchange Server 2007 Prerequisites

Installing Exchange Server 2007 Prerequisites for Windows Server 2003

Note: The list of distribution packages and their download location can be found in the Exchange Server 2007 Distribution Packages (on page 209) and Exchange Server 2007 Media Prerequisites (on page 210) sections.

To install Exchange Server 2007 Prerequisites for the Hub Transport server role, perform the following steps:
1 Install the cumulative time zone update for Microsoft Windows operating systems - KB (required for Exchange 2007 SP1).

Installing Exchange Server 2007 Prerequisites for Windows 2008 Server

If you want to manage Client Access servers from servers with the Hub Transport role installed, install the following Exchange 2007 Prerequisites for the Hub Transport role:
1 Install the necessary IIS management components by running the following commands in the order in which they are listed:
    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console

Running Exchange Server 2007 Setup

Run Exchange Server 2007 Setup to install the Exchange Server 2007 Hub Transport Server role.
1 Log on to EXHUB01 using an account that is a member of the Domain Administrators group.
2 Open a command prompt, and navigate to the Exchange Server 2007 installation files.
3 Run the following command:
    Setup.com /mode:install /roles:ht
4 Setup copies the setup files locally to the computer on which you are installing Exchange Server.
5 Setup checks the prerequisites, including all prerequisites specific to the server roles that you are installing. If you have not met all of the prerequisites, Setup fails and returns an error message that explains the reason for the failure. If you have met all of the prerequisites, Setup installs Exchange Server 2007.

Verifying Exchange Server 2007 Installation

Refer to the Verifying Exchange Server 2007 Installation section (on page 212) to complete this step.

Deploying Edge Transport Server

If your Hosted Exchange solution includes the Edge Transport server role, it is recommended to install this role right after the Hub Transport server. However, the Edge Transport server role can be installed at any time during the deployment phase. Repeat the following steps on all the Exchange Edge servers in your Hosted Exchange solution.

Important: The Edge Transport server should be deployed outside the Exchange organization in the Edge (Perimeter) network.

Installing Exchange Server 2007 Prerequisites

Installing Exchange Server 2007 Prerequisites for Windows Server 2003

Note: The list of distribution packages and their download location can be found in the Exchange Server 2007 Distribution Packages (on page 209) and Exchange Server 2007 Media Prerequisites (on page 210) sections.

To install Exchange 2007 Prerequisites for the Edge Transport server role, perform the following steps:
1 Install Active Directory Application Mode (ADAM) SP1.
2 Install the cumulative time zone update for Microsoft Windows operating systems - KB (required for Exchange 2007 SP1).

Installing Exchange Server 2007 Prerequisites for Windows 2008 Server

To install Exchange 2007 Prerequisites for the Edge Transport role:
1 Install Active Directory Lightweight Directory Services (AD LDS) by running the following command:
    ServerManagerCmd -i ADLDS

Configuring DNS Suffix

A server with the Edge Transport role should be resolvable from all other Exchange servers. For this purpose, you need to configure the DNS suffix on the server before installing the Edge Transport server role. All other DNS configuration tasks should be performed during the Configuration stage.

To configure the DNS suffix, perform the following steps:
1 Log on to EXEDGE01 as a member of the local Administrators group.
2 Click Start > Control Panel, and then double-click System to open the System Properties.
3 Click the Computer Name tab.
4 Click Change.
5 On the Computer Name Changes page, click More.
6 In the Primary DNS suffix of this computer field, type the FQDN of the AD domain (he.local).
7 Click OK three times.

Running Exchange Server 2007 Setup

Run Exchange Server 2007 Setup to install the Exchange Server 2007 Edge Transport Server role.
1 Log on to EXEDGE01 using an account that is a member of the local Administrators group.
2 Open a command prompt, and navigate to the Exchange Server 2007 installation files.
3 Run the following command:
    Setup.com /mode:install /roles:et
4 Setup copies the setup files locally to the computer on which you are installing Exchange Server.
5 Setup checks the prerequisites, including all prerequisites specific to the server roles that you are installing. If you have not met all of the prerequisites, Setup fails and returns an error message that explains the reason for the failure. If you have met all of the prerequisites, Setup installs Exchange Server 2007.

Verifying Exchange Server 2007 Installation

Refer to the Verifying Exchange Server 2007 Installation section (on page 212) to complete this step.

Deploying Cluster Continuous Replication Mailbox Servers

The Exchange Server 2007 Mailbox Server is configured for Cluster Continuous Replication (CCR), which increases availability by using replication in an active/passive cluster. This server hosts mailbox and public folder databases. Two servers (EXMBX01-Node1 and EXMBX01-Node2) are used for the Exchange CCR cluster (EXMBX01).

Planning for Cluster Continuous Replication

Hardware Requirements - When using a Majority Node Set (MNS) quorum with the file share witness on Windows Server 2003, only two nodes can exist in the cluster. We recommend using identical servers to host the Mailbox server roles in one cluster.

Software Requirements - Both nodes in the cluster must have the Windows Server 2003 Enterprise Edition SP2 operating system or the Windows Server 2008 Enterprise Edition SP1 operating system installed. Exchange 2007 Enterprise Edition is required. Only the Mailbox server role can be installed in a CCR cluster.

Network Requirements - Each node must have at least two network adapters available for Windows Clustering. Clients and other servers only have to be able to access the nodes from one of the two network adapters. The other network adapters are used for intracluster communication only.

Storage Requirements - Each node of the CCR cluster should have dedicated volumes, but the location of the storage groups and databases must be identical on all cluster nodes.

Public Folders Configuration - If the CCR cluster hosts a Public Folder Database, no other single or clustered Mailbox server should host additional Public Folder Databases. In other words, if more than one Mailbox server in the Exchange organization has a public folder database, these public folder databases should not be hosted in CCR environments.

OAB Generation - Only one node in the CCR cluster can generate the OAB. By default, OAB generation is performed on the first node deployed in the cluster. If this node goes offline, OAB generation stops.

Cluster Network Configuration

Each CCR server has two network interfaces: one plugged into the BackNet network, the other into the special HeartBeatNet network. The HeartBeatNet network is a special isolated network to which the nodes of the cluster are connected. The main purpose of this network is the periodic checking of nodes for health and availability.

You must have a sufficient number of static IP addresses available when you create clustered mailbox servers in a two-node CCR configuration. IP addresses are required for both the BackNet and HeartBeatNet networks, and the HeartBeatNet network must be on a different subnet than the BackNet network. The requirements for HeartBeatNet and BackNet addresses are the following:

HeartBeatNet addresses - Each node requires one static IP address for each network adapter that is used for the cluster HeartBeatNet network. You must use static IP addresses that are not on the same subnet or network as the BackNet network.

BackNet addresses - Each node requires one static IP address for each network adapter that is used for the cluster BackNet network. Additionally, static IP addresses are required for the failover cluster and for the clustered mailbox server so that they can be accessed by clients and administrators. You must use static IP addresses that are not on the same subnet as the HeartBeatNet network.

To configure the public network connections for a clustered mailbox server, perform the following steps:
1 Open the Network Connections console.
   - Windows Server 2003: Control Panel > Network Connections.
   - Windows Server 2008: Control Panel > Network and Sharing Center > Manage network connection task (in the left frame).
2 Right-click <Network connection name> (where <Network connection name> is the name of your public network connection), and then click Rename.
3 In the Name field, enter a meaningful name, such as BackNet.
4 In Network Connections, right-click BackNet, and then click Properties.
5 In <BackNet> Properties, on the General tab, under This connection uses the following items, make sure that the following services are selected: Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks. Then, select Internet Protocol (TCP/IP) on Windows Server 2003 or Internet Protocol Version 4 (TCP/IPv4) on Windows Server
6 Click OK to save changes, and then click Close to exit Properties.

To configure private network connections for a clustered mailbox server, perform these steps:
1 Right-click <Network connection name> (where <Network connection name> is the name of your private network connection), and then click Rename.
2 In the Name field, enter a meaningful name, such as HeartBeatNet.
3 In Network Connections, right-click HeartBeatNet, and then click Properties.
4 In <HeartBeatNet> Properties, on the General tab, select the Client for Microsoft Networks service. Then, select Internet Protocol (TCP/IP) on Windows Server 2003 or Internet Protocol Version 4 (TCP/IPv4) on Windows Server 2008, and click Properties.
5 In the Internet Protocol (TCP/IP) or Internet Protocol Version 4 (TCP/IPv4) Properties dialog, select Use the following IP address and configure a static IP address and subnet mask for the connection. Select Use the following DNS server addresses, and leave the IP address fields for Preferred DNS server and Alternate DNS server blank, then click Advanced.
6 In the Advanced TCP/IP Settings dialog, on the DNS tab, verify the following information:

   - Under DNS server addresses, in the order of use, ensure that no addresses are listed.
   - Ensure that the Register this connection's addresses in DNS check box is clear.
7 On the WINS tab, ensure that the Disable NetBIOS over TCP/IP option is selected.
8 Click OK twice to save changes, and then click Close to exit Properties.

To configure the network connection order for a clustered mailbox server, perform the following steps:
1 In Network Connections, in the Advanced menu, click Advanced Settings.
2 In Advanced Settings, on the Adapters and Bindings tab, under Connections, ensure that your connections appear in the following order:
   - BackNet
   - HeartBeatNet
   - Remote access connections
3 Click OK to save changes.

Installing Exchange Server 2007 Prerequisites

Installing Exchange Server 2007 Prerequisites for Windows Server 2003

Note: The list of distribution packages and their download location can be found in the Exchange Server 2007 Distribution Packages (on page 209) and Exchange Server 2007 Media Prerequisites (on page 210) sections.

Prerequisites should be installed on each cluster node (EXMBX01-Node1, EXMBX01-Node2) before the cluster creation.

To install Exchange 2007 Prerequisites for the Clustered Mailbox role, perform the following steps:
1 Install Application Server components. To do that, open Control Panel, double-click Add / Remove Programs, click Add/Remove Windows Components, and select:
   - Application Server > Enable Network COM+ access
   - Application Server > Internet Information Services (IIS) > Common Files, Internet Information Services Manager
   - Application Server > Internet Information Services (IIS) > World Wide Web Service > World Wide Web Service
2 Install Windows Server 2003 x64 edition update KB
3 Install Windows Server 2003 x64 edition update KB
4 Install the Majority Node Set File Share Witness Hotfix KB
5 Install the cumulative time zone update for Microsoft Windows operating systems - KB (required for Exchange 2007 SP1).
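The addressing rules given earlier under Cluster Network Configuration (HeartBeatNet on a different subnet than BackNet, a static address for every adapter plus the failover cluster and the clustered mailbox server, a cluster name of at most 15 characters, exactly two nodes) can be checked against an address plan before any node is built. The following check is an added example, not part of the Parallels guide; the plan layout, its key names and the sample subnets and addresses are constructed for illustration.

```python
import ipaddress


def validate_ccr_plan(plan):
    """Check a two-node CCR address plan; return a list of problem strings."""
    problems = []
    nets = {
        "BackNet": ipaddress.ip_network(plan["backnet"]),
        "HeartBeatNet": ipaddress.ip_network(plan["heartbeatnet"]),
    }

    # HeartBeatNet must be on a different subnet than BackNet.
    if nets["BackNet"].overlaps(nets["HeartBeatNet"]):
        problems.append("HeartBeatNet overlaps BackNet")

    # The guide describes a two-node CCR configuration.
    if len(plan["nodes"]) != 2:
        problems.append("plan must list exactly two nodes")

    # The cluster name must not exceed 15 characters.
    if len(plan["cluster_name"]) > 15:
        problems.append("cluster name longer than 15 characters")

    owners = {}  # address -> first owner, to catch double assignment

    def claim(owner, net_name, text):
        addr = ipaddress.ip_address(text)
        net = nets[net_name]
        unusable = (net.network_address, net.broadcast_address)
        if addr not in net or addr in unusable:
            problems.append(
                f"{owner}: {addr} is not a usable host address in {net_name} {net}"
            )
        if addr in owners:
            problems.append(f"{owner}: {addr} already assigned to {owners[addr]}")
        else:
            owners[addr] = owner

    # One static address per adapter on each network, for each node.
    for node, nics in plan["nodes"].items():
        for net_name in ("BackNet", "HeartBeatNet"):
            claim(f"{node} {net_name} adapter", net_name, nics[net_name])

    # The failover cluster and the clustered mailbox server live on BackNet.
    claim("failover cluster", "BackNet", plan["cluster_ip"])
    claim("clustered mailbox server", "BackNet", plan["mailbox_server_ip"])
    return problems


# Constructed sample plan that satisfies every rule.
GOOD_PLAN = {
    "cluster_name": "EXCLUS01",
    "backnet": "10.10.1.0/24",
    "heartbeatnet": "10.10.99.0/24",
    "nodes": {
        "EXMBX01-Node1": {"BackNet": "10.10.1.11", "HeartBeatNet": "10.10.99.11"},
        "EXMBX01-Node2": {"BackNet": "10.10.1.12", "HeartBeatNet": "10.10.99.12"},
    },
    "cluster_ip": "10.10.1.20",
    "mailbox_server_ip": "10.10.1.21",
}

# Constructed sample plan with three mistakes: the heartbeat subnet is carved
# out of BackNet, the cluster name is too long, and the cluster IP reuses the
# BackNet address of the first node.
BAD_PLAN = {
    "cluster_name": "EXCHANGE-CLUSTER01",
    "backnet": "10.10.1.0/24",
    "heartbeatnet": "10.10.1.128/25",
    "nodes": {
        "EXMBX01-Node1": {"BackNet": "10.10.1.11", "HeartBeatNet": "10.10.1.129"},
        "EXMBX01-Node2": {"BackNet": "10.10.1.12", "HeartBeatNet": "10.10.1.130"},
    },
    "cluster_ip": "10.10.1.11",
    "mailbox_server_ip": "10.10.1.21",
}

if __name__ == "__main__":
    for name, plan in (("GOOD_PLAN", GOOD_PLAN), ("BAD_PLAN", BAD_PLAN)):
        found = validate_ccr_plan(plan)
        print(name, "OK" if not found else "")
        for problem in found:
            print("  -", problem)
```
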

Installing Exchange Server 2007 Prerequisites for Windows Server 2008

Prerequisites should be installed on each cluster node (EXMBX01-Node1, EXMBX01-Node2) before cluster creation.

To install Exchange 2007 Prerequisites for the Clustered Mailbox role, perform the following steps:
1 Install the necessary Web Server (IIS) prerequisites by running the following commands in the order in which they are listed:
    ServerManagerCmd -i Web-Server
    ServerManagerCmd -i Web-ISAPI-Ext
    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console
    ServerManagerCmd -i Web-Basic-Auth
    ServerManagerCmd -i Web-Windows-Auth
2 Install the Failover Clustering feature by running the following command:
    ServerManagerCmd -i Failover-Clustering

Creating New Cluster

Creating New Cluster in Windows Server 2003

Before you begin, you should create the cluster service account:
1 Log on to AD01 as a member of the Domain Administrators group.
2 Run Active Directory Users and Computers.
3 In the Users OU, create a new user named "ClusterAdmin". Set the password on this account to Never Expires.
4 Make the ClusterAdmin user a member of the Windows-based Hosting Service Accounts group.

To create a new cluster with the server cluster wizard, follow these steps:
1 Log on to the first cluster node (EXMBX01-Node1) as a member of the Domain Administrators group.
2 Open a command prompt, and run the following command:
    cluster /create /wizard
3 The New Server Cluster wizard appears. Verify that you have the necessary information to continue with the configuration, and then click Next to continue.
4 In the Domain field, select the name of the domain in which the cluster will be created. In the Cluster name field, enter a unique name for the cluster. The name length should not exceed 15 characters (for example, EXCLUS01).
5 On the Select Computer page, verify or type the name of the computer that you plan to use.
6 On the Analyzing Configuration page, the wizard analyzes the node for possible hardware or software issues that can cause installation problems. Review any warnings or error messages that appear. Click Details to obtain more information about each warning or error message.
Note: The bulleted list at the beginning of this section evolves into the status information tree as the analysis is completed. The tree can be expanded to view a specific status. Items with check icons can be ignored. Items with yellow triangle icons are warnings. Items with red icons are blocking errors and must be corrected. The wizard warns you if it does not find shared storage for a quorum. This warning is expected and can be ignored.
7 If the green bar is present and the only warnings are due to the lack of a shared quorum, click Next.
8 On the IP Address page, type the unique, valid cluster IP address, and then click Next. The wizard automatically associates the cluster IP address with the BackNet network by using the subnet mask to select the correct network. The cluster IP address should be used for administrative purposes only and not for client connections.
9 On the Cluster Service Account page, type "ClusterAdmin" and the password of the ClusterAdmin service account. In the Domain field, select the domain name, and then click Next. The wizard verifies the user account and password.

10 On the Proposed Cluster Configuration page, click Quorum. Select Majority Node Set from the drop-down box. Click OK, and then click Next.
11 On the Creating the Cluster page, review any warnings or error messages that appear while the cluster is being created. For more information about warnings or errors, click to expand each warning or error message. To continue, click Next.
12 Click Finish to complete the cluster configuration.

To add a second node to the cluster, follow these steps:
1 Log on to the first cluster node (EXMBX01-Node1) as a member of the Domain Administrators group.
2 Open a command prompt, and run the following command:
    cluster /cluster:exclus01 /add /wizard
3 After the Add Nodes wizard appears, click Next to continue.
4 In the Domain list, click the domain where the server cluster is located, enter the server cluster name in the Cluster name box, and then click Next.
Note: This is the name you entered while creating the cluster.
5 In the Computer name field, type the name of the node (EXMBX01-Node2) that you want to add to the cluster, click Add, and then click Next.
6 After the Add Nodes wizard has analyzed the cluster configuration successfully, click Next.
7 On the Cluster Service Account page, in the Password field, type the password for the Cluster service account. Make sure that the correct domain for this account appears in the Domain list, and then click Next.
8 On the Proposed Cluster Configuration page, view the configuration details to verify that the server cluster IP address and the networking information are correct, and then click Next.
9 After the cluster is configured successfully, click Next, and then click Finish.

Creating New Cluster in Windows Server 2008

Before you begin, you should create the cluster service account:
1 Log on to AD01 as a member of Domain Admins.
2 Run Active Directory Users and Computers.
3 In the Users OU, create a new user named "ClusterAdmin". Set the password on this account to Never Expires.
4 Make the ClusterAdmin user a member of the Windows-based Hosting Service Accounts group.

To create a new cluster with the server cluster wizard, follow these steps:
1 Log on to the first cluster node (EXMBX01-Node1) as a member of the Domain Administrators group.
2 Open the Failover Cluster Management tool.
3 In the right-hand Actions pane, click Create a Cluster to start the wizard.
4 Click the Next button to skip the Before You Begin page.
5 On the Select Servers page, add both EXMBX01-NODE1 and EXMBX01-NODE2 to the selected servers list.
6 On the Validation Warning page, accept running the configuration validation tests (select "Yes. When I click Next, run configuration validation tests, and then return to the process of creating the cluster"; usually it is selected by default) and click the Next button. The Validate a Configuration Wizard will start.
7 In the Validate a Configuration Wizard, skip the Before You Begin page by clicking the Next button. On the Testing Options page, select Run only test I selected and click the Next button. On the Test Selection page, clear the Inventory and Storage check boxes (including all child nodes) and press the Next button. Press the Next button on the Confirmation page to start validation. After the validation completes, review the report, and resolve any errors before proceeding with cluster installation. Then press the Finish button to return to the Create Cluster Wizard.
8 Now, on the Validation Warning page, select "No. I do not require support from Microsoft for this cluster, and therefore do not want to run the validation tests. When I click Next, continue creating the cluster" and click the Next button.
9 On the Access Point for Administering the Cluster page, in the Cluster Name field, type the NetBIOS name for the failover cluster (for example, EXCLUS01). This is the name that you use to connect to and administer the cluster. In the list of Networks, identify the BackNet network subnet. In the Address field of that network, type a unique, valid cluster IP address appropriate for the BackNet network segment. This cluster IP address will be used for administrative purposes only and not for client connections. Ensure that the check box is selected next to the BackNet network. Clear the check box next to any remaining networks (such as the HeartBeatNet network) and press the Next button.

10 On the Confirmation page, check the cluster's configuration, press the Next button, and wait for cluster creation to complete.
11 Press the Finish button.

Validating Cluster and Configuring Cluster Networks

Validating Cluster and Configuring Cluster Networks for Windows Server 2003

You should verify that the cluster service is running and the cluster is operational.

To validate the cluster configuration:
1 Log on to the first cluster node (EXMBX01-Node1) as a member of the Domain Administrators group.
2 Open the Command Prompt window, and execute the following command:
    cluster group
3 The Status of the cluster group should be displayed as Online.

To configure the cluster networks for the cluster heartbeat:
1 Open Cluster Administrator.
2 In the console tree, double-click the cluster node, and then click Networks. Locate the HeartBeatNet and BackNet networks. They have the same names as the corresponding physical networks, BackNet and HeartBeatNet.
3 In the details pane, right-click the HeartBeatNet network that you want to enable, then click Properties.
4 Select the Enable this network for cluster use check box. In the This network performs the following role in the cluster field, select Internal cluster communications only (private network), then click OK.
5 In the details pane, right-click the BackNet network that you want to enable, then click Properties.
6 Select the Enable this network for cluster use check box. In the This network performs the following role in the cluster field, select All communications (mixed network), then click OK.

To configure the cluster network priority order:
1 Open Cluster Administrator.
2 In the console tree, right-click the name of your cluster, then click Properties.
3 Click the Network Priority tab.
4 In Networks used for internal cluster communications, select the HeartBeatNet network. Increase its priority using the Move Up button until the HeartBeatNet network is listed at the top of the priority list. Always make sure that HeartBeatNet networks have higher priority than mixed or client-only networks.
5 When you finish, click OK.

Validating Cluster and Configuring Cluster Networks for Windows 2008 Server

You should verify that the cluster service is running and the cluster is operational.

To validate the cluster configuration:
1 Log on to the first cluster node (EXMBX01-Node1) as a member of the Domain Administrators group.
2 Open the Command Prompt window, and execute the following command:
cluster group
3 The Status of the cluster group should be displayed as Online.

To configure the cluster networks for the cluster heartbeat:
1 Open the Failover Cluster Management tool.
2 In the console tree, double-click the cluster node, and then click Networks.
3 Locate the HeartBeatNet and BackNet networks. They are named Cluster Network 1 and Cluster Network 2. Select Cluster Network 1, check which physical networks it includes, and rename Cluster Network 1 correspondingly (to BackNet or HeartBeatNet). Repeat this operation for Cluster Network 2.
4 In the details pane, right-click the HeartBeatNet network that you want to enable, and then click Properties.
5 Select the Allow the cluster to use this network check box and leave the Allow clients to connect through this network check box cleared. Press the OK button.
6 In the details pane, right-click the BackNet network that you want to enable, and then click Properties.
7 Select both check boxes: Allow the cluster to use this network and Allow clients to connect through this network. Press the OK button.

Configuring File Share Witness

Configuring File Share Witness for Windows Server 2003

After the cluster has been formed and configured, the file share witness must be configured. CCR uses the file share witness on a third computer to avoid network partitioning within the cluster (known as split brain syndrome). Split brain syndrome occurs when all networks designated to carry internal cluster communications fail, and nodes cannot receive heartbeat signals from each other.

The file share for the file share witness can be hosted on any server running a Microsoft Windows operating system. However, we recommend that you host it on a Hub Transport server in the AD site that contains the cluster nodes.

To create and secure the file share for the file share witness, perform the following steps:
1 Log on to EXHUB01 as a member of the Domain Administrators group.
2 Create a directory that will be used for the share by running the following command at a command prompt:
mkdir C:\<Share Directory>
3 Create the share by running the following command:
net share <Share Name>=C:\<Share Directory> /GRANT:<NetBIOS name of AD domain>\ClusterAdmin,FULL
4 Assign permissions to the share by running the following command:
cacls C:\<Share Directory> /G BUILTIN\Administrators:F <NetBIOS name of AD domain>\ClusterAdmin:F
5 Verify that the share is viewable from the first cluster node. Run the following command:
NET VIEW \\EXHUB01
In case of success, you will see your share directory listed.

To configure the MNS quorum to use the file share witness, do the following:
1 Log on to the first cluster node (EXMBX01-Node1) as a member of the Domain Administrators group.
2 To set the property, run the following command from a command prompt:
Cluster res "Majority Node Set" /priv MNSFileShare="\\EXHUB01\<Share Name>"
3 As a result, you will receive a message stating that "the properties were stored but not all changes will take effect until the next time the resource is brought online".
4 Run the following command to restart the resource by moving the cluster group to the second cluster node:
Cluster group "Cluster Group" /move
5 Repeat the command in Step 4 to complete the configuration and return the cluster group to the first node.
6 To check the value of the file share property, run the following command:
Cluster res "Majority Node Set" /priv

Ensure that the Cluster service is running on each node:
1 On EXMBX01-Node1, start the Cluster Administrator. If prompted to specify a cluster, type the cluster name you created previously in the console tree, and then select the cluster name under the root container.
2 In the Details pane, under State, ensure that all of your cluster nodes are Online.
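Why the file share witness matters in a two-node CCR cluster, shown as an added example that is not part of the original guide. It models quorum as a simple majority of votes, one per node plus one for the witness (a simplifying assumption of this model); the function names and scenarios are hypothetical and constructed for illustration.

```python
def quorum_outcome(all_nodes, partitions, witness_configured, witness_holder=None):
    """Decide which partition of a cluster keeps quorum.

    all_nodes          -- every node that is a cluster member (running or not)
    partitions         -- list of sets: groups of running nodes that can still
                          exchange heartbeats with each other
    witness_configured -- True when a file share witness is part of the quorum
    witness_holder     -- index of the partition that holds the lock on the
                          witness share, or None when no partition can reach it
    Returns (votes_needed, [(sorted node names, votes, keeps_quorum), ...]).
    """
    total_votes = len(all_nodes) + (1 if witness_configured else 0)
    votes_needed = total_votes // 2 + 1          # strict majority
    results = []
    for index, members in enumerate(partitions):
        votes = len(members)
        # Only one partition can hold the witness, so only one gets its vote.
        if witness_configured and witness_holder == index:
            votes += 1
        results.append((sorted(members), votes, votes >= votes_needed))
    return votes_needed, results


def survivors(all_nodes, partitions, witness_configured, witness_holder=None):
    """Return the partitions that are allowed to keep the cluster online."""
    _, results = quorum_outcome(all_nodes, partitions,
                                witness_configured, witness_holder)
    return [members for members, _, keeps in results if keeps]


# Constructed scenarios using the node names from this guide.
NODES = ["EXMBX01-Node1", "EXMBX01-Node2"]
HEARTBEAT_LOST = [{"EXMBX01-Node1"}, {"EXMBX01-Node2"}]   # nodes cannot see each other
NODE2_DOWN = [{"EXMBX01-Node1"}]                          # second node is off
ALL_CONNECTED = [{"EXMBX01-Node1", "EXMBX01-Node2"}]      # healthy cluster

if __name__ == "__main__":
    cases = [
        ("heartbeat lost, no witness", HEARTBEAT_LOST, False, None),
        ("heartbeat lost, Node1 holds witness", HEARTBEAT_LOST, True, 0),
        ("heartbeat lost, witness unreachable", HEARTBEAT_LOST, True, None),
        ("Node2 down, Node1 holds witness", NODE2_DOWN, True, 0),
        ("witness host down, nodes connected", ALL_CONNECTED, True, None),
    ]
    for label, parts, witness, holder in cases:
        print(f"{label}: online -> {survivors(NODES, parts, witness, holder)}")
```

With the witness in place, at most one side of a partition can reach a majority, so the clustered mailbox server is never brought online on both nodes at once.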

Configuring File Share Witness for Windows Server 2008

After the cluster has been formed and configured, the file share witness must be configured. CCR uses the file share witness on a third computer to avoid network partitioning within the cluster.

The file share for the file share witness can be hosted on any server running a Microsoft Windows operating system. However, we recommend that you host it on a Hub Transport server in the AD site that contains the cluster nodes.

To create and secure the file share for the file share witness, perform the following steps:
1 Log on to EXHUB01 as a member of the Domain Administrators group.
2 Create a directory that will be used for the share by running the following command at a command prompt:
mkdir C:\<Share Directory>
3 Create the share by running the following command:
net share <Share Name>=C:\<Share Directory> /GRANT:<NetBIOS name of AD domain>\<Cluster Name>$,FULL
4 Assign permissions to the share by running the following command:
cacls C:\<Share Directory> /G BUILTIN\Administrators:F <NetBIOS name of AD domain>\<Cluster Name>$:F
5 Verify that the share is viewable from the first cluster node. Run the following command from EXMBX01-NODE1:
NET VIEW \\EXHUB01
In case of success, you will see your share directory listed.

To configure a Node and File Share Majority quorum, do the following:
1 Log on to the first cluster node (EXMBX01-Node1) as a member of the Domain Administrators group.
2 Open the Failover Cluster Management tool.
3 Right-click the cluster node, select More Actions, and then select Configure Cluster Quorum Settings to start the Configure Cluster Quorum Wizard.
4 Skip the Before You Begin page by pressing the Next button.
5 On the Select Quorum Configuration page, select the Node and File Share Majority quorum type and press the Next button.
6 On the Configure File Share Witness page, in the Share Folder Path field, type the UNC path to the file share that you created (\\EXHUB01\<Share Name>) and press the Next button.
7 Confirm your choice on the Confirmation page by clicking the Next button.
8 When configuration of the cluster quorum completes, press the Finish button.

To ensure that all cluster nodes are Online, do the following:

1 In the Failover Cluster Management tool running on the EXMBX01-Node1, expand the cluster name, and then navigate to Nodes.
2 Under the Status column, ensure that all cluster nodes are listed as Up.

Installing Mailbox Server Role on Active Node

Once you have installed all of the prerequisites and prepared the cluster, you can install the Mailbox Server role on the Active cluster node.

Important: Install Exchange Server 2007 completely on one node before you install it on another node.

Configure domain permissions for the Cluster Service Account (for Windows Server 2003 only):
1 Log on to AD01 as a member of the Domain Administrators group.
2 Open Active Directory Users and Computers.
3 In the left-hand column, click Microsoft Exchange Security Groups.
4 In the right-hand pane, double-click Exchange Organization Administrators.
5 Move to the Members tab.
6 Add HE\ClusterAdmin to the group, and click OK.
* HE is the domain name (here, Hosted Exchange). It is a sample value specific to each deployment and should be replaced with the actual value.

To run Exchange Setup on the Active Node:
1 Log on to EXMBX01-Node1 as a member of the Domain Administrators group.
2 Open a command prompt, and navigate to the Exchange Server 2007 installation files.
3 Run the following command:
Setup.com /mode:install /roles:mb
Setup verifies that the Active Directory directory service schema is updated, and then it copies the Mailbox server role files onto the computer and installs the Mailbox server role.
4 After setup completes, open a command prompt and navigate to the Program Files directory, and then navigate to the bin directory under the Exchange program files. By default, the installation file location is <systemdrive>:\Program Files\Microsoft\Exchange Server\bin.
5 Run the following command to create the clustered mailstore:
ExSetup /newcms /CMSname:EXMBX01 /CMSIPAddress:<ClusteredMailboxServerIPAddress>
EXMBX01 is a virtual server, and the IP address should be a unique IP in the subnet. Both CMSname and CMSIPAddress are required parameters and should be different from the Cluster Name and IP address:
- CMSname is the name of the clustered mailbox server.
- CMSIPAddress is the IP address of the clustered mailbox server, resolvable by DNS.

Configuring Storage and Volume Mount Points

There is no shared storage between the cluster nodes in Exchange Server 2007 CCR. Each node has dedicated volumes (LUNs), and log shipping is used to replicate data between the nodes.

For CCR clustering it is recommended to prepare the storage in the following way:
- Divide the storage into individual LUNs on the hardware level.
Note: Do not create multiple logical partitions of a LUN within the operating system.
- Separate transaction logs and databases and house them on separate physical disks to increase fault tolerance.
- Separate the active and passive LUNs on entirely different storage arrays so that the storage is not a single point of failure.

Each Exchange storage group can only contain a single database when using CCR, so each copy of the database will require four LUNs. In other words, each database copy will be in its own storage group, which will need a separate log and database LUN for the active copy, and a separate log and database LUN for the passive copy. For example:
- Transaction Log volume on the Active cluster node.
- Transaction Log volume on the Passive cluster node.
- Database volume on the Active cluster node.
- Database volume on the Passive cluster node.

With a maximum of 50 Storage Groups, it is easy to run out of available drive letters. You can use the Volume Mount Points feature of Windows Server 2003 to get past the 26-drive-letter limitation. By using volume mount points, you can graft, or mount, a target partition into a folder on another physical disk.

Important: Logs and Data volume mount points on the Passive cluster node should be an exact mirror of the ones on the Active cluster node.

To create Mount Points for the Transaction Logs, perform the following steps:
1 Log on to the Active cluster node as a member of the Domain Administrators group.
2 Open Disk Management:
a From the Start Menu, go to Start > Run.
b Run the following command:
diskmgmt.msc
3 Select the high-performance disk volume on which you would like to create a mount point for transaction logs.
4 Right-click the free space on the disk, and then click New Partition.
5 Create Primary Partition, and then click Next.
6 Set the size of the partition.

7 Select Mount in the following empty NTFS folder, click Browse to browse to the directory in which you would like the mount point to be created, or create a new directory in the root (for example, C:\MountPoints) and then click New Folder. Give the folder a name (for example, MBX01SG1Logs). Click the newly created folder, click OK, and then click Next.
8 Format the partition using the NTFS File System.
9 Repeat Steps from 1 to 8 on the Passive cluster node.

To create Mount Points for the Mailstore Databases, perform the following steps:
1 On the Active cluster node, select the high-performance disk volume on which you would like to create a mount point for the database.
2 Right-click the free space on the disk, and then click New Partition.
3 Create Primary Partition, and then click Next.
4 Set the size of the partition.
5 Select Mount in the following empty NTFS folder, click Browse to browse to the directory in which you would like the mount point to be created, or create a new directory in the root (for example, C:\MountPoints) and then click New Folder. Give the folder a name (for example, MBX01SG1Logs). Click the newly created folder, click OK, and then click Next.
6 Format the partition using the NTFS File System.
7 Repeat Steps from 1 to 6 on the Passive cluster node.

For Exchange 2007, the log files, system files, and database files of the first storage group can be moved to an alternate location (the mount points prepared in the previous steps). Instead of this operation, you can create a new storage group with a mailbox database in the prepared mount points, and then delete the existing default First Storage Group. For Exchange 2007 SP1, only the second solution (removing First Storage Group and creating a new SG01 group) is possible.

Important: Any storage configuration, including moving First Storage Group, must be done before installation of the Passive cluster node.

When any storage group or database file is moved, the database in the storage group is dismounted. While moving the database file to an alternate location, you must physically move the file, and then update its location using the Move-DatabasePath cmdlet.

To move a default First Storage Group to an alternate location, perform the following steps (for Exchange 2007 without SP1 only):
1 Open Exchange Management Shell.
2 Run the following command:
Move-StorageGroupPath -Identity:"EXMBX01\First Storage Group" -LogFolderPath:C:\MountPoints\MBX01SG1Logs -SystemFolderPath:C:\MountPoints\MBX01SG1Logs -ConfigurationOnly:$true

3 A confirmation message appears that asks you to confirm that you want to perform the move action. Type Y, and then press ENTER.
4 Another confirmation message appears, indicating that the database in the storage group must be dismounted in order to perform the move. Type Y, and then press ENTER.
5 After you perform this procedure, the database is in a dismounted state. If you want to move the default location for the database file, leave the database dismounted, and perform the procedure below.

To move a Mailbox Database to an alternate location prior to installing the passive node, do the following (for Exchange 2007 without SP1 only):
1 Use Windows Explorer to move the original default database (Mailbox Database.edb) from its original location to its new location. The default location of the First Storage Group is a subdirectory of the Exchange installation directory, such as C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group. The target directory is the Mount Point at C:\MountPoints\MBX01SG1Data.
2 After the move is complete, open Exchange Management Shell.
3 Run the following command:
Move-DatabasePath -Identity:"EXMBX01\First Storage Group\Mailbox Database" -EdbFilePath:"C:\MountPoints\MBX01SG1Data\Mailbox Database.edb" -ConfigurationOnly:$true
4 A confirmation message appears that asks you to confirm that you want to perform the move action. Type Y, and then press ENTER.
5 Open the Exchange Management Console.
6 In the console tree, expand Server Configuration, and then click Mailbox.
7 In the result pane, select the clustered mailbox server (EXMBX01).
8 In the work pane, expand First Storage Group, and then select Mailbox Database. In the action pane, click Mount database.

Installing Mailbox Server Role on Passive Node

After installing Exchange on the active node, and configuring storage groups and databases, the Mailbox Server role can be installed on the passive node.

Important: Completely install Exchange Server 2007 on one node before you install it on another node.

To run Exchange Setup on the Passive Node:
1 Log on to the passive node (EXMBX01-Node2) as a member of the Domain Administrators group.
2 Open a command prompt, and then navigate to the Microsoft Exchange installation files.
3 Run the following command:
Setup.com /mode:install /roles:mb
This command makes sure that the Active Directory directory service schema is updated, and then it copies the Mailbox server role files onto the computer.

Cluster Verification

All storage groups defined for the clustered Mailbox server must be seeded on the new passive node. Seeding is the process of making available a baseline copy of a database on the current passive node. Automatic seeding should take place as a result of installing the Mailbox server role on the passive node. In this procedure you will verify that automatic seeding has taken place.

To verify that the automatic seeding has occurred on the passive node, do the following:
1 Log on to the passive node (EXMBX01-Node2) as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Run the following command:
Get-StorageGroupCopyStatus
4 If all storage groups have Healthy status, then automatic seeding has occurred successfully. If the automatic seeding has not taken place, refer to the Exchange Server 2007 Help file, and search for the How to Seed a Cluster Continuous Replication Copy section.

After you complete the installation of a CCR solution, or you make significant configuration changes, we recommend that you verify that both nodes are correctly configured to support the clustered Mailbox server. The recommended way to verify that both nodes are able to bring the clustered Mailbox server online is to use the Move-ClusteredMailboxServer cmdlet to move the clustered Mailbox server between the cluster nodes.

To verify the ability to move a clustered Mailbox server between the nodes in the cluster, do the following:

1 Log on to the passive node (EXMBX01-Node2) as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Run the following command:
Move-ClusteredMailboxServer -Identity EXMBX01
4 In the TargetMachine field enter the name of the passive node.
5 Leave a comment in the MoveComment field.
6 Click Y to confirm settings.
7 To move the clustered Mailbox server back to the original node, repeat this command.

If the clustered Mailbox server fails to come online when you try to move it between nodes, then the database may have failed to seed properly. Carefully examine any errors you receive after issuing the Move-ClusteredMailboxServer command. Review the Application Event Log. If the error messages lead you to suspect that there may be a problem with seeding, refer to the Exchange Server 2007 Help file, and search for the How to Seed a Cluster Continuous Replication Copy section, or refer to the Exchange Server TechCenter article How to Seed a Cluster Continuous Replication Copy.

Deploying Single Copy Cluster Mailbox Servers

The Exchange Server 2007 Mailbox server is configured for a Single Copy Cluster (SCC), which provides increased availability by using active/passive nodes and shared storage for all cluster nodes. This server hosts mailbox and public folder databases.

Planning for Single Copy Cluster

- Hardware Requirements - At least one active and one passive node should exist in the cluster. We recommend using identical servers to host the Mailbox server roles.
- Software Requirements - All nodes in the cluster must have the Windows Server 2003 Enterprise Edition SP2 or Windows Server 2008 Enterprise Edition operating system installed. Exchange 2007 Enterprise Edition is required. Only the Mailbox server role can be installed in an SCC cluster.
- Network Requirements - Each node must have at least two network adapters available for Windows Clustering. Clients and other servers only have to be able to access the nodes from one of the two network adapters. The other network adapters are used for intracluster communication only.
- Storage Requirements - Each node of the SCC cluster should connect to the same shared storage (SAN).
- OAB Generation - If the SCC cluster is used for generation of Offline Address Books, then the OAB data should be placed on shared storage. In case of failover, the OAB data is moved to the passive node and OAB generation continues.

Cluster Network Configuration

Each SCC server has two network interfaces: the first one is plugged into the BackNet network, and the second one into the special HeartBeatNet network. The HeartBeatNet network is an isolated network to which the cluster nodes are connected. The main purpose of this network is to periodically check the nodes for health and availability.

You must have a sufficient number of static IP addresses available when you create clustered Mailbox servers in a multiple node SCC configuration. IP addresses are required for both BackNet and HeartBeatNet networks, and the HeartBeatNet network must be on a different subnet than the BackNet network. Requirements related to HeartBeatNet and BackNet addresses are as follows:
- HeartBeatNet addresses - Each node requires one static IP address for each network adapter that is used for the cluster HeartBeatNet network. You must use static IP addresses that are not on the same subnet or network as the BackNet network.
- BackNet addresses - Each node requires one static IP address for each network adapter that is used for the cluster BackNet network. Additionally, one static IP address is required for the failover cluster and one static IP address is required for each virtual Mailbox server so that they can be accessed by clients and administrators. You must use static IP addresses that are not on the same subnet as the HeartBeatNet network.

For example, if you deploy the three-node 'active/active/passive' cluster, you need:
- 6 NetBIOS names (EXCLUS01 cluster name, EXMBX01, EXMBX02, EXMBX03 for physical nodes + EXMBXVS01, EXMBXVS02 for Exchange Mailbox Virtual servers).
- 3 IP addresses from the HeartBeatNet IP pool (1 IP each for EXMBX01, EXMBX02, EXMBX03).
- 6 IP addresses from the BackNet IP pool (1 IP for cluster EXCLUS01, 3 IPs for physical nodes EXMBX01, EXMBX02, EXMBX03 and 2 IPs for Exchange Mailbox Virtual servers EXMBXVS01, EXMBXVS02).
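The name and address requirements above, checked mechanically before any cluster is formed. This is an added example, not part of the original guide: the subnets and IP addresses are constructed sample values, the function names are hypothetical, and the cluster-name length rule is the one stated in the New Server Cluster wizard step of this guide.

```python
import ipaddress


def required_counts(nodes, virtual_servers):
    """Names and static addresses an SCC cluster needs, per the rules in the text."""
    return {
        # cluster name + one per physical node + one per Mailbox Virtual server
        "netbios_names": 1 + nodes + virtual_servers,
        # one HeartBeatNet address per node
        "heartbeat_ips": nodes,
        # cluster address + one per node + one per Mailbox Virtual server
        "backnet_ips": 1 + nodes + virtual_servers,
    }


def validate_plan(plan):
    """Return a list of problems found in an address plan (empty list = plan is valid)."""
    problems = []
    back = ipaddress.ip_network(plan["backnet_subnet"])
    heart = ipaddress.ip_network(plan["heartbeat_subnet"])
    if back.overlaps(heart):
        problems.append("HeartBeatNet subnet overlaps BackNet subnet")

    # (owner, network label, subnet, address) for every static address in the plan
    entries = [(plan["cluster"]["name"], "BackNet", back, plan["cluster"]["backnet_ip"])]
    for node in plan["nodes"]:
        entries.append((node["name"], "BackNet", back, node["backnet_ip"]))
        entries.append((node["name"], "HeartBeatNet", heart, node["heartbeat_ip"]))
    for vs in plan["virtual_servers"]:
        entries.append((vs["name"], "BackNet", back, vs["backnet_ip"]))

    seen = {}
    for owner, label, subnet, text in entries:
        addr = ipaddress.ip_address(text)
        if addr not in subnet:
            problems.append(f"{owner}: {addr} is not in the {label} subnet {subnet}")
        if addr in seen:
            problems.append(f"{owner}: {addr} is already assigned to {seen[addr]}")
        else:
            seen[addr] = owner

    names = ([plan["cluster"]["name"]]
             + [n["name"] for n in plan["nodes"]]
             + [v["name"] for v in plan["virtual_servers"]])
    upper = [name.upper() for name in names]     # NetBIOS names are case-insensitive
    for name in sorted(set(upper)):
        if upper.count(name) > 1:
            problems.append(f"NetBIOS name {name} is used more than once")
    if len(plan["cluster"]["name"]) >= 15:
        problems.append("cluster name must be less than 15 characters")
    return problems


# Constructed plan for the three-node active/active/passive example in the text.
SAMPLE_PLAN = {
    "backnet_subnet": "10.10.0.0/24",        # sample value
    "heartbeat_subnet": "192.168.50.0/24",   # sample value
    "cluster": {"name": "EXCLUS01", "backnet_ip": "10.10.0.10"},
    "nodes": [
        {"name": "EXMBX01", "backnet_ip": "10.10.0.11", "heartbeat_ip": "192.168.50.11"},
        {"name": "EXMBX02", "backnet_ip": "10.10.0.12", "heartbeat_ip": "192.168.50.12"},
        {"name": "EXMBX03", "backnet_ip": "10.10.0.13", "heartbeat_ip": "192.168.50.13"},
    ],
    "virtual_servers": [
        {"name": "EXMBXVS01", "backnet_ip": "10.10.0.21"},
        {"name": "EXMBXVS02", "backnet_ip": "10.10.0.22"},
    ],
}

if __name__ == "__main__":
    print(required_counts(len(SAMPLE_PLAN["nodes"]), len(SAMPLE_PLAN["virtual_servers"])))
    print(validate_plan(SAMPLE_PLAN) or "plan is valid")
```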
To configure the public network connections for a clustered Mailbox server, do the following:
1 Open the Network Connections console.
Windows Server 2003: Control Panel > Network Connections.
Windows Server 2008: Control Panel > Network and Sharing Center > Manage network connection task (in the left frame).
2 Right-click the <Network connection name> (where <Network connection name> is the name of your public network connection), and then click Rename.
3 In the Name field, enter any meaningful name, such as BackNet.
4 In the Network Connections, right-click BackNet, and click Properties.
5 In <BackNet> Properties, on the General tab, under This connection uses the following items, make sure that the following services are selected: Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks. Then, select Internet Protocol (TCP/IP) on Windows Server 2003 or Internet Protocol Version 4 (TCP/IPv4) on Windows Server 2008.
6 Click OK to save changes, and then click Close to exit Properties.

To configure private network connections for a clustered Mailbox server, do the following:

1 Right-click the <Network connection name> (where <Network connection name> is the name of your private network connection), and then click Rename.
2 In the Name field, enter any meaningful name, such as HeartBeatNet.
3 In the Network Connections, right-click HeartBeatNet, and then click Properties.
4 In <HeartBeatNet> Properties, on the General tab, select the Client for Microsoft Networks service. Select Internet Protocol (TCP/IP) on Windows Server 2003 or Internet Protocol Version 4 (TCP/IPv4) on Windows Server 2008, then click Properties.
5 In the Internet Protocol (TCP/IP) or Internet Protocol Version 4 (TCP/IPv4) Properties dialog, select Use the following IP address, and then configure a static IP address and subnet mask for the connection. Also select Use the following DNS server addresses, and leave blank the IP address fields for Preferred DNS server and Alternate DNS server, and then click Advanced.
6 In the Advanced TCP/IP Settings dialog, on the DNS tab, verify the following information:
- Under DNS server addresses, in order of use, ensure that no addresses are listed.
- Make sure that the Register this connection's addresses in DNS check box is clear.
7 On the WINS tab, ensure that Disable NetBIOS over TCP/IP is selected.
8 Click OK twice to save changes, and then click Close to exit Properties.

To configure network connection order for a clustered Mailbox server, do the following:
1 In Network Connections in the Advanced menu, click Advanced Settings.
2 In Advanced Settings, on the Adapters and Bindings tab under Connections, ensure that your connections appear in the following order:
- BackNet
- HeartBeatNet
- Remote access connections
3 Click OK to save changes.

Storage Configuration

SCC uses shared storage for both the quorum disk and the Mailbox Virtual server (storage groups and databases). This storage should be configured prior to cluster forming on each node that will be part of the cluster. If the storage is correctly configured, the installation is simplified because the disks are automatically detected and incorporated into the resource model. It is mandatory that the quorum disk is configured and available to all nodes in the cluster prior to cluster forming. The cluster forming will fail if the quorum shared disk is not available.

Important: Storage for a specific clustered Mailbox server must be accessible from all nodes that can host it. Storage for the quorum resource for a cluster must be accessible from all nodes in the cluster.

For SCC clustering, at least one shared storage per virtual Exchange Mailbox server should be configured. Nevertheless, it is strongly recommended to configure two shared storages per Storage Group (one for Logs and another for Data), and to configure a separate Storage Group for each Mailbox or Public Folder database as well. For example, if you deploy a three-node (active/active/passive) cluster, you need:
- One shared storage for a cluster Quorum Disk.
- Four shared storages for Mailbox Virtual servers: two (for Logs and Data) per virtual server with one Storage Group.

With a maximum of 50 Storage Groups, it is easy to run out of available drive letters. You can use the Volume Mount Points feature of Windows Server 2003 to get past the 26-drive-letter limitation. By using volume mount points, you can graft, or mount, a target partition into a folder on another physical disk.

Installing Exchange Server 2007 Prerequisites

Installing Exchange Server 2007 Prerequisites for Windows Server 2003

Note: The list of distribution packages and their download location can be found in the Exchange Server 2007 Distribution Packages (on page 209) and Exchange Server 2007 Media Prerequisites (on page 210) sections.

It is recommended to install prerequisites on each cluster node (EXMBX01, EXMBX02, EXMBX03) before the cluster creation.

To install Exchange 2007 Prerequisites on a Clustered Mailbox role, perform the following steps:
1 Install Application Server components. To do that, open Control Panel, double-click Add / Remove Programs, click Add/Remove Windows Components, and select:
- Application Server > Enable Network COM+ access
- Application Server > Internet Information Services (IIS) > Common Files, Internet Information Services Manager

- Application Server > Internet Information Services (IIS) > World Wide Web Service > World Wide Web Service
2 Install the Windows Server 2003 x64 edition update KB
3 Install the Windows Server 2003 x64 edition update KB
4 Install the cumulative time zone update for Microsoft Windows operating systems - KB (required for Exchange 2007 SP1).

Installing Exchange Server 2007 Prerequisites for Windows 2008 Server

We recommend installing the prerequisites on each cluster node (EXMBX01, EXMBX02, EXMBX03) before cluster creation.

To install Exchange 2007 Prerequisites for the Clustered Mailbox role, perform the following actions:
1 Install the necessary Web Server (IIS) prerequisites by running the following commands in the order in which they are listed:
ServerManagerCmd -i Web-Server
ServerManagerCmd -i Web-ISAPI-Ext
ServerManagerCmd -i Web-Metabase
ServerManagerCmd -i Web-Lgcy-Mgmt-Console
ServerManagerCmd -i Web-Basic-Auth
ServerManagerCmd -i Web-Windows-Auth
2 Install the Failover Clustering feature by running the following command:
ServerManagerCmd -i Failover-Clustering

Creating New Cluster

Creating New Cluster in Windows Server 2003

Before you start to create a new cluster, you have to create a cluster service account:
1 Log in to AD01 as a member of the Domain Administrators group.
2 Run Active Directory Users and Computers.
3 In the Users OU, create a new user named ClusterAdmin. Set the password of this account to "Never Expires".
4 Make the ClusterAdmin user a member of the Windows-based Hosting Service Accounts group.

To create a new cluster with the server cluster wizard, do the following:
1 Log on to the first cluster node (EXMBX01) as a member of the Domain Administrators group.
2 Open a Command Prompt window, and run the following command:
cluster /create /wizard
The New Server Cluster wizard appears.
3 Verify that you have the necessary information to continue with the configuration, and then click Next.
4 In the Domain field, select the name of the domain in which the cluster will be created. In the Cluster name field, enter a unique name for the cluster that is less than 15 characters in length (for example, EXCLUS01).
5 On the Select Computer page, verify or type the name of the computer that you plan to use.
6 On the Analyzing Configuration page, the wizard analyzes the node for possible hardware or software issues that can cause installation problems. Review any warnings or error messages that appear. Click Details to obtain more information about each warning or error message.

Note: The bulleted list at the top of the page evolves into a tree of status information as the analysis is completed. The tree can be expanded to view specific status. Items with check icons can be ignored. Items with yellow triangle icons are warnings. Items with red icons are blocking errors and must be corrected.
7 If the green bar is present, click Next. If there are errors, take steps to resolve the errors and continue with the installation.
8 On the IP Address page, type the unique, valid cluster IP address, and then click Next. The wizard automatically associates the cluster IP address with the BackNet network by using the subnet mask to select the correct network. The cluster IP address should be used for administrative purposes only and not for client connections.
9 On the Cluster Service Account page, type ClusterAdmin and the password of the ClusterAdmin service account. In the Domain field, select the domain name, and then click Next. The wizard verifies the user account and password.
10 On the Proposed Cluster Configuration page, click Quorum. Select the physical disk designated to be the Quorum from the drop-down box. Click OK, and then click Next.
11 On the Creating the Cluster page, review any warnings or error messages that appear while the cluster is being created. For more information about warnings or errors, click to expand each warning or error message. To continue, click Next.
12 Click Finish to complete the cluster configuration.

To add subsequent nodes to the cluster, do the following:
1 Log on to the first cluster node (EXMBX01) as a member of the Domain Administrators group.
2 Open a Command Prompt window, and run the following command:
cluster /cluster:exclus01 /add /wizard
3 After the Add Nodes wizard appears, click Next to continue.
4 In the Domain list, click the domain where the server cluster is located, enter the server cluster name in the Cluster name box, and then click Next.
Note: This is the name that you entered while creating the cluster.
5 In the Computer name field, type the name of the node (EXMBX02) that you want to add to the cluster, click Add, and then click Next.
6 After the Add Nodes wizard has analyzed the cluster configuration successfully, click Next.
7 In the Password field on the Cluster Service Account page, type the password for the Cluster service account. Make sure that the correct domain for this account appears in the Domain list, and then click Next.
8 On the Proposed Cluster Configuration page, view the configuration details to verify that the server cluster IP address and the networking information are correct, and then click Next.
9 After the cluster is configured successfully, click Next, and then click Finish.
10 Repeat steps 2-9 for each additional cluster node (EXMBX03, ...).

You should verify that the cluster service is running and the cluster is functioning.

To validate the cluster configuration, follow these steps:
1 Log on to the first cluster node (EXMBX01) as a member of the Domain Administrators group.
2 Open a Command Prompt window, and run the following command:
    cluster group
3 The Status of the cluster group should be displayed as Online.

To configure the cluster networks for the cluster heartbeat:
1 Open the Cluster Administrator.
2 In the console tree, double-click the Cluster Configuration, and then click Networks.
3 In the details pane, right-click the HeartBeatNet network that you want to enable, and then click Properties.
4 Select the Enable this network for cluster use check box.
5 In the This network performs the following role in the cluster field, select Internal cluster communications only (private network), and then click OK.
6 In the details pane, right-click the BackNet network that you want to enable, and then click Properties.
7 Select the Enable this network for cluster use check box.
8 In the This network performs the following role in the cluster field, select All communications (mixed network), and then click OK.

To configure cluster network priority order:
1 Open Cluster Administrator.
2 In the console tree, right-click the name of your cluster, and then click Properties.
3 Click the Network Priority tab.
4 In Networks used for internal cluster communications, select the HeartBeatNet network. Increase its priority using the Move Up button until the HeartBeatNet network is listed at the top of the priority list. Always make sure that HeartBeatNet networks have higher priority than mixed or client-only networks.
5 When you finish, click OK.

Creating New Cluster in Windows 2008 Server

Before you begin you should create the cluster service account:
1 Log in to AD01 as a member of the Domain Administrators group.
2 Run Active Directory Users and Computers.
3 In the Users OU, create a new user named ClusterAdmin. Set a password for this account to Never Expires.
4 Make the ClusterAdmin user a member of the Windows-based Hosting Service Accounts group.

To create a new cluster using the server cluster wizard:
1 Log on to the first cluster node (EXMBX01) as a member of the Domain Administrators group.
2 Open the Failover Cluster Management tool.
3 In the right-hand Actions pane, click Create a Cluster to start the wizard.
4 Click the Next button and skip the Before You Begin page.
5 On the Select Servers page, add both EXMBX01 and EXMBX02 to the selected servers list.
6 On the Validation Warning page, accept running the configuration validation tests (select Yes. When I click Next, run configuration validation tests, and then return to the process of creating the cluster; it is usually selected by default) and click the Next button. The Validate a Configuration Wizard starts.
7 In the Validate a Configuration Wizard, skip the Before You Begin page by clicking the Next button. On the Testing Options page, select Run all tests (recommended) and click the Next button. Press the Next button on the Confirmation page and start validation. After the validation completes, review the report, and resolve any errors before proceeding with cluster installation. Then press the Finish button and return to the Create Cluster Wizard.
8 On the Access Point for Administering the Cluster page, in the Cluster Name field, type the NetBIOS name for the failover cluster (for example, EXCLUS01). This is the name that you use to connect to and administer the cluster. In the list of Networks, identify the BackNet network subnet.
In the Address field of that network, type a unique, valid cluster IP address appropriate for the BackNet network segment. This cluster IP address will be used for administrative purposes only and not for client connections. Ensure that the check box is selected opposite the BackNet network. Clear the check box next to any remaining networks (such as the HeartBeatNet network) and press the Next button.
9 On the Confirmation page, check the cluster configuration, press the Next button, and wait for cluster creation to complete.
10 Press the Finish button.

You should verify that the cluster service is running and the cluster is operational.

To validate the cluster configuration, perform the following actions:
1 Log in to the first cluster node (EXMBX01) as a member of the Domain Administrators group.

2 Open a Command Prompt window, and run the following command:
    cluster group
3 The Status of the cluster group should be displayed as Online.

To configure the cluster networks for the cluster heartbeat:
1 Open the Failover Cluster Management tool.
2 In the console tree, double-click the cluster node, and then click Networks.
3 Locate the HeartBeatNet and BackNet networks. In Windows Server 2008 they are named Cluster Network 1 and Cluster Network 2. Select Cluster Network 1, check which physical networks it includes, and rename Cluster Network 1 accordingly (to BackNet or HeartBeatNet). Repeat this operation for Cluster Network 2.
4 In the details pane, right-click the HeartBeatNet network that you want to enable, and then click Properties.
5 Select the Allow the cluster to use this network check box and leave the Allow clients to connect through this network check box unchecked. Then, press the OK button.
6 In the details pane, right-click the BackNet network that you want to enable, and then click Properties.
7 Select both check boxes: Allow the cluster to use this network and Allow clients to connect through this network. Then, press the OK button.

Configuring Domain Permissions For Cluster Service Account

To configure domain permissions for the Cluster Service Account, follow these steps:
1 Log on to AD01 as a member of the Domain Administrators group.
2 Run Active Directory Users and Computers.
3 In the left-hand column, click Microsoft Exchange Security Groups.
4 In the right-hand pane, double-click Exchange Organization Administrators.
5 Select the Members tab.
6 Add HE\ClusterAdmin to the group, and click OK.
* HE - Domain Name. Here - Hosted Exchange. It is a sample value individual for each deployment and should be replaced by actual value.

Installing Mailbox Server Role on Active Node

Once you have installed all of the prerequisites and prepared the cluster, you can install the Mailbox Server role on the Active cluster node.

Important: Completely install Exchange Server 2007 on one node before you install it on another node.

To run Exchange Setup on the Active Node:
1 Log on to EXMBX01 as a member of the Domain Administrators group.
2 Open a command prompt, and navigate to the Exchange Server 2007 installation files.
3 Run the following command:
    Setup.com /mode:install /roles:mb
Setup verifies that the Active Directory directory service schema is updated, and then it copies the Mailbox server role files onto the computer and installs the Mailbox server role.
4 After setup completes, open a command prompt and navigate to the Program Files directory, and then navigate to the bin directory under the Exchange program files. By default, the installation file location is <systemdrive>:\Program Files\Microsoft\Exchange Server\bin.
5 Run the following command to create the clustered Mailbox Virtual server:
    ExSetup /newcms /CMSname:<NameofClusteredMailboxServer> /CMSIPAddress:<ClusteredMailboxServerIPAddress> /CMSSharedStorage /CMSDataPath:<PathToSharedStorageForDatabase>
CMSname and CMSIPAddress should be different from the Cluster Name and IP address and should be unique in the subnet.
CMSname - the name of the clustered mailbox virtual server (EXMBXVS01 for example),
CMSIPAddress - the IP address of the clustered mailbox virtual server, resolvable by DNS,
CMSDataPath - the path to shared storage.

After creating the second or successive clustered Mailbox Virtual Server of Exchange 2007 Single Copy Cluster, the MTA Active Directory object should be manually created to allow mailbox creation on this server.
1 Log on to AD01 as a member of the Domain Administrators group.
2 Run the following command:
    ADSIEDIT.MSC
Note: ADSIEDIT.MSC - Active Directory editor MMC snap-in from Windows Server 2003 Support Tools.

3 Expand Configuration [AD01.he.local] in the left pane and navigate to the following node: Configuration > Services > Microsoft Exchange > HostedExchange > Administrative Groups > Exchange Administrative Group (FYDIBOHF23SPDLT) > Servers.
4 Right-click on the name of the second or successive clustered mailbox server on which you want to enable mailbox creation, point to New, and then click Object.
5 In Create Object, click MTA, and then click Next.
6 On the Attribute: cn page, in the Value box, type Microsoft MTA, and then click Next.
7 On the Attribute: transtimeoutmins page, in the Value box, type 20 to set the transtimeoutmins attribute value to 20 minutes, and then click Next.
8 On the Attribute: transretrymins page, in the Value box, type 5 to set the transretrymins attribute value to 5 minutes, and then click Next.
9 On the Attribute: mtalocaldesig page, in the Value box, to set the mtalocaldesig attribute value, type the host name of the second or successive clustered mailbox server on which you want to enable mailbox creation, and then click Next.
10 Click Finish to create the MTA object.
11 In the ADSI Edit, right-click the new MTA object, and then click Properties.
12 In the CN=Microsoft MTA Properties dialog box, select the Attribute Editor tab, select the legacyexchangedn attribute, and then click Edit.
13 In String Attribute Editor, in the Value box, type the legacy distinguished name (DN) in the following format:
    /o=<exchange organization name>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=<CMS name>/cn=Microsoft MTA
CMS name - the name of the clustered mailbox virtual server (for example, EXMBXVS02).
Exchange organization name - the name of the Exchange organization (for example, HostedExchange).
14 Click OK twice, and then exit ADSI Edit.

Installing Mailbox Server Role on Passive Node

After installing Exchange on the active node, the Mailbox Server role can be installed on the passive node.

Important: Completely install Exchange Server 2007 on one node before you install it on another node.

To run Exchange Setup on the Passive Node:
1 Log on to the passive node (EXMBX02) as a member of the Domain Administrators group.
2 Open a command prompt, and then navigate to the Microsoft Exchange installation files.
3 Run the following command:
    Setup.com /mode:install /roles:mb
This command makes sure that the Active Directory directory service schema is updated, and then it copies the Mailbox server role files on to the computer.

After adding the second (passive) node to the SCC cluster, you should add all other active (EXMBX03+EXMBXVS02, ) and passive cluster nodes to complete the cluster installation.

Cluster Verification

After you have completed the installation of a SCC solution, or after you have made significant configuration changes, we recommend that you verify that both nodes are correctly configured to support the clustered mailbox server. The recommended way to verify that both nodes are able to bring the clustered Mailbox server online is to use the Move-ClusteredMailboxServer cmdlet to move the clustered Mailbox server between the cluster nodes.

To verify the ability to move a clustered Mailbox server between the nodes in the cluster, do the following:
1 Log on to the passive node (EXMBX02) as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Run the following command:
    Move-ClusteredMailboxServer -Identity EXMBX01
4 In the TargetMachine field, enter the name of the passive node.
5 In the MoveComment field, enter a comment.
6 Click Y to confirm settings.
7 Repeat this command to move the clustered Mailbox server back to the original node.
If the clustered Mailbox server fails to come online, examine the errors you have received after running the Move-ClusteredMailboxServer command. Also, review the Application Event Log.

After installation of all clustered Virtual Mailbox servers, you should check the process of OAB generation. Carefully examine any errors in the Application Event Log related to "OAL Generator", especially with Event ID: For information about how to resolve the problem with OAB generation, refer to this article (

Deploying Standalone Mailbox Server

Exchange Standalone Mailbox server role is the last role that should be installed in Hosted Exchange solution. This server hosts mailbox and public folder databases. It also generates the offline address book (OAB).

Installing Exchange Server 2007 Prerequisites

Installing Exchange Server 2007 Prerequisites for Windows Server 2003

Note: The list of distribution packages and their download location can be found in the Exchange Server 2007 Distribution Packages (on page 209) and Exchange Server 2007 Media Prerequisites (on page 210) sections.

To install Exchange 2007 Prerequisites for the Mailbox server role, perform the following steps:
1 Install Network COM+, Internet Information Server, and World Wide Web.
2 Install Windows Server 2003 x64 edition update KB
3 Install Windows Server 2003 x64 edition update KB
4 Install the cumulative time zone update for Microsoft Windows operating systems - KB (required for Exchange 2007 SP1).

Installing Exchange Server 2007 Prerequisites for Windows 2008 Server

To install Exchange 2007 Prerequisites for the Mailbox role, perform the following steps:
1 Install the necessary Web Server (IIS) prerequisites by running the following commands in the order in which they are listed:
    ServerManagerCmd -i Web-Server
    ServerManagerCmd -i Web-ISAPI-Ext
    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console
    ServerManagerCmd -i Web-Basic-Auth
    ServerManagerCmd -i Web-Windows-Auth

Running Exchange Server 2007 Setup

Run Exchange Server 2007 Setup to install the Exchange Server 2007 Mailbox Server role.
1 Log on to EXMBX02 using an account that is a member of the Domain Administrators group.
2 Open a command prompt, and navigate to the Exchange Server 2007 installation files.
3 Run the following command:
    Setup.com /mode:install /roles:mb [/EnableLegacyOutlook]
Important: You must specify the /EnableLegacyOutlook parameter for the first mailbox server installation.
4 Setup copies the setup files locally to the computer on which you are installing Exchange Server 2007. Setup checks the prerequisites, including all prerequisites specific to the server roles that you are installing. If you have not met all of the prerequisites, Setup fails and returns an error message that explains the reason for the failure. If you have met all of the prerequisites, Setup installs Exchange Server 2007.

Verifying Exchange Server 2007 Installation

Refer to the Verifying Exchange Server 2007 Installation section (on page 212).

Upgrading to Exchange 2007 Service Pack 1

Servers with installed Exchange Server 2007 RTM can be upgraded to Exchange Server 2007 SP1. To perform the upgrade, you need the Exchange Server 2007 SP1 distribution package.

Important: It is impossible to upgrade your operating system to Windows Server 2008 and then upgrade it to Exchange 2007 SP1, and vice versa. You can install Exchange 2007 SP1 on a Windows Server 2008-based computer that does not have Exchange installed.

It is recommended that you install Exchange 2007 SP1 on multiple Exchange 2007 servers in the following order:
1 Client Access Servers
2 Hub Transport Servers
3 Edge Transport Servers
4 Standalone Mailbox Servers
5 Clustered Mailbox Servers
6 Servers with only Management Tools installed

Installing Exchange Server 2007 SP1 Prerequisites

Note: The list of distribution packages and their download location can be found in the Exchange Server 2007 Distribution Packages (on page 209) and Exchange Server 2007 Media Prerequisites (on page 210) sections.

To install Exchange 2007 SP1 Prerequisites on all Exchange nodes, install Cumulative time zone update for Microsoft Windows operating systems (see the following Microsoft KB article:

Before installing Exchange Server 2007 SP1, the .NET Framework 2.0 SP1 should be installed.

To install .NET Framework 2.0 SP1:
Important: Reboot is required after the .NET Framework 2.0 SP1 installation.
1 Log on to the server using an account that is a member of the Local Administrators group.
2 Run the .NET Framework 2.0 SP1 installation.
3 Accept the License Agreement and click the Install button.
4 After the installation is completed, click the Exit button.
5 Agree with the reboot suggestion by clicking the Restart Now button.

Running Upgrade to Exchange Server 2007 SP1

During upgrade of the first Exchange 2007 RTM server (with the Client Access, Hub Transport, or Mailbox server roles installed) to Exchange 2007 SP1, the installer updates the AD schema and performs other AD domain configurations. Therefore, you must use the account that is a member of the local Administrators, Domain Admins, Schema Admins and Enterprise Admins groups on that computer.

To upgrade an Exchange Service Node that has the Client Access, Hub Transport, or standalone Mailbox server role installed:

Important: Performing this procedure results in an outage during the upgrade process. Therefore, we recommend that you upgrade Exchange Servers one at a time. This allows other servers to serve client requests during one server upgrade.

1 Log on to the server on which you want to install Exchange 2007 SP1 using an account with the permissions described above.
2 Stop any services that have open handles to performance counters. Known services that should be stopped include Performance Logs and Alerts and any Microsoft Operations Manager agents.
3 Stop, and then start the Remote Registry service.
4 Open a command prompt, and navigate to the Exchange Server 2007 SP1 installation files.
5 Run the following command:
    Setup.com /mode:upgrade
Important: Setup sometimes fails at the preparation step and leaves Exchange services and some System services in the disabled state. Therefore, before starting Setup you need to dump the state of services, for example by the following PowerShell command:
    gwmi win32_service | select Name,State,StartMode
and manually restore the service state in case of Setup failure before restarting Setup.
6 Setup copies the setup files locally to the computer on which you are installing Exchange Server 2007 SP1. Setup performs Exchange 2007 SP1 upgrade prerequisite check and, after that, Setup upgrades server to Exchange 2007 SP1.
If SP1 Setup fails for some reason (for example, you have not met all of the prerequisites), it returns an error message that explains the reason for the failure. Resolve the problem explained in the error message and start Setup again.
7 The first Setup run performs the Active Directory upgrade and restores the following address lists: Public Folders, All Contacts, All Groups, All Rooms and All Users. This breaks HMC security, so these address lists must be deleted and the Default Address List must be secured again right after the first Exchange 2007 SP1 server is installed. To do this, go to the MPS node, open the MPS Deployment Tool, and re-execute the Configure Exchange Address Lists security step located under the Hosted Exchange > Exchange Provisioning Configuration node.
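The service-state dump recommended before running Setup can be saved to a file and compared after a failed run. The script below is an added example, not part of the original guide: the function names and the default CSV path are assumptions, and it uses only the WMI query shown above together with the standard Set-Service and Start-Service cmdlets.

```powershell
# Added example (not from the guide). Function names and the CSV path are
# assumptions. Syntax is kept compatible with Windows PowerShell 1.0.

function Save-ServiceState {
    param([string]$Path = 'C:\Temp\services-before-sp1.csv')
    # Same query as in the guide, written to disk so that the snapshot
    # survives a failed Setup run or a reboot.
    Get-WmiObject Win32_Service |
        Select-Object Name, State, StartMode |
        Export-Csv -Path $Path -NoTypeInformation
    return $Path
}

function Compare-ServiceState {
    param([string]$Path = 'C:\Temp\services-before-sp1.csv')
    # Index the current services by name for fast lookup.
    $current = @{}
    Get-WmiObject Win32_Service | ForEach-Object { $current[$_.Name] = $_ }

    foreach ($saved in (Import-Csv -Path $Path)) {
        $now = $current[$saved.Name]
        if ($now -eq $null) { continue }   # service no longer exists
        if (($now.StartMode -ne $saved.StartMode) -or ($now.State -ne $saved.State)) {
            # One row per service whose start mode or state has drifted.
            $row = "" | Select-Object Name, SavedStartMode, CurrentStartMode, SavedState, CurrentState
            $row.Name             = $saved.Name
            $row.SavedStartMode   = $saved.StartMode
            $row.CurrentStartMode = $now.StartMode
            $row.SavedState       = $saved.State
            $row.CurrentState     = $now.State
            $row
        }
    }
}

function Restore-ServiceState {
    param(
        [string]$Path = 'C:\Temp\services-before-sp1.csv',
        [switch]$Apply   # without -Apply the function only reports differences
    )
    # WMI reports 'Auto'; Set-Service expects 'Automatic'.
    $map = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

    foreach ($d in @(Compare-ServiceState -Path $Path)) {
        if (-not $Apply) { $d; continue }

        # Put the start mode back first: a disabled service cannot be started.
        if (($d.CurrentStartMode -ne $d.SavedStartMode) -and $map.ContainsKey($d.SavedStartMode)) {
            Set-Service -Name $d.Name -StartupType $map[$d.SavedStartMode]
        }
        # Start only services that were running in the snapshot; services that
        # were stopped on purpose before Setup are left alone.
        if (($d.SavedState -eq 'Running') -and ($d.CurrentState -ne 'Running')) {
            Start-Service -Name $d.Name
        }
    }
}

# Typical sequence around Setup.com /mode:upgrade:
#   Save-ServiceState                 # before starting Setup
#   Restore-ServiceState              # after a failure: list what changed
#   Restore-ServiceState -Apply       # restore, then restart Setup
```

Take the snapshot after the services named in step 2 have been stopped, so that a restore does not start them again before the next Setup attempt.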

Upgrading Clustered Mailbox Server to Exchange 2007 SP1

Two CCR Mailbox Cluster nodes or Multiple SCC Mailbox Cluster nodes should be upgraded after all other Exchange servers are upgraded. We recommend that you make complete backups of the Clustered Mailbox server: one before and one after upgrade to Exchange Server 2007 SP1.

The following procedure performs upgrade of a two-node Active-Passive cluster (CCR or SCC). The designations of the active and passive node change. From now on, the original active node will be referred to as EXMBX01, the original passive node will be EXMBX02, and the original clustered (virtual) mailbox server will be EXMBXVS01. If you upgrade an SCC cluster that has more than two nodes, Steps 9-20 should be repeated multiple times for each clustered mailbox server and on all active nodes.

To upgrade passive and active nodes of clustered mailbox server to Exchange 2007 SP1:

Important: Performing this procedure results in a brief outage during the upgrade process. Exchange upgrade should be run only on the passive node in the cluster. Clustered mailbox server upgrade must be run on the active node and the clustered mailbox server should be stopped (offline). You must upgrade both nodes to Exchange 2007 SP1 one at a time.

1 Prepare EXMBX02 to be upgraded by moving all cluster resource groups to EXMBX01. The clustered mailbox server can be left in the online (running) state during the first part of this procedure; however, during this procedure it will be taken offline and moved between nodes in the cluster. Perform Steps 2-12 on EXMBX02.
2 Start the Windows Firewall/Internet Connection Sharing (ICS) service. This service is disabled by default in Windows, and you must set its Startup type to Manual or Automatic for the service to be started. After the clustered mailbox server has been upgraded, you can stop and disable this service.
Note: Starting this service is necessary to allow Setup to add Windows Firewall exceptions for Exchange services.
3 Stop any services that have open handles to performance counters. Known services that should be stopped include Performance Logs and Alerts and any Microsoft Operations Manager agents.
4 Stop, and then restart the Remote Registry service.
5 Open a Command Prompt window, and then navigate to the Exchange 2007 SP1 installation files.
6 Run the following command:
    Setup.com /mode:upgrade
Setup performs Exchange 2007 SP1 upgrade prerequisite checks and, after those are complete, Setup upgrades EXMBX02 to Exchange 2007 SP1.
7 Restart EXMBX02 after Setup has completed the upgrade to Exchange 2007 SP1.

8 After the restart process is complete, log on to EXMBX02 and open the Exchange Management Shell.
9 Stop the clustered mailbox server by the following command:
    Stop-ClusteredMailboxServer EXMBXVS01 -StopReason "Upgrade to SP1"
10 Move the clustered mailbox server from EXMBX01 to EXMBX02. This cmdlet must be run from EXMBX02:
    Move-ClusteredMailboxServer EXMBXVS01 -TargetMachine EXMBX02 -MoveComment "Upgrade to SP1"
11 Open Control Panel > Administrative Tools > Cluster Administrator menu and manually move the "Cluster Group" group and all other existing groups to EXMBX02 server.
12 In a Command Prompt, navigate to the Exchange 2007 SP1 installation files.
13 Run the following command to upgrade the clustered mailbox server that is now owned by EXMBX02:
    Setup.com /upgradecms
Setup performs the clustered mailbox server prerequisite checks and, after those are complete, Setup upgrades the clustered mailbox server and brings it online.
14 On EXMBX01, start the Windows Firewall/Internet Connection Sharing (ICS) service. This service is disabled by default in Windows, and you must set its Startup type to Manual or Automatic for the service to be started. After the clustered mailbox server has been upgraded, you can stop and disable this service.
15 Stop any services that have open handles to performance counters. Known services that should be stopped include Performance Logs and Alerts and any Microsoft Operations Manager agents.
16 Stop, and then restart the Remote Registry service.
17 Open the Command Prompt window and navigate to the Exchange 2007 SP1 installation files. Run the following command on EXMBX01 to upgrade it to Exchange 2007 SP1:
    Setup.com /m:upgrade
Setup performs Exchange 2007 SP1 upgrade prerequisite check and, after that, Setup upgrades EXMBX01 to Exchange 2007 SP1.
18 Restart EXMBX01 after Setup has completed the upgrade to Exchange 2007 SP1.
19 Stop and disable the Windows Firewall/Internet Connection Sharing (ICS) service on EXMBX01. This step is optional.
20 Stop and disable the Windows Firewall/Internet Connection Sharing (ICS) service on EXMBX02. This step is optional.
21 The clustered mailbox server has now been upgraded to Exchange 2007 SP1. Move the clustered mailbox server back to EXMBX01 by the following command:
    Move-ClusteredMailboxServer EXMBXVS01 -TargetMachine EXMBX01 -MoveComment "Upgrade to SP1 Finished"

Verifying Exchange Server 2007 SP1 Installation

To verify the Exchange Server 2007 SP1 installation, use instructions provided in the Verifying Exchange Server 2007 Installation section (on page 212).

Installing Update Rollup 1 for Exchange Server 2007 SP1

Update Rollup 1 should be installed after upgrading to Exchange 2007 SP1. It resolves several major issues affecting end-customers:
1 Impossibility to use autodiscover feature and download OAB in Outlook
2 Issue of possible merging of two mailboxes if they are moved at the same time.
3 OWA and Good Mobile address list lookup results do not match the results in Outlook.

Update Rollup 1 is available at following link: A88F-7500C4BD3D31&displaylang=en

After applying the update on all Exchange 2007 servers, the default policy of setting the msexchquerybasedn attribute on mailbox objects in Active Directory should be applied. The detailed description can be found at

If POA hotfix02 or later is installed, execute the following command:

For Linux Management node:
    cd /usr/local/pem
    ./bin/setenv.sh
    ./bin/exchange_ctl -f etc/pleskd.props sc dumpmsexchquerybasedn 0 GAL

For Windows Management node:
    cd C:\Program Files\SWSoft\PEM
    bin/exchange_ctl -f etc\pleskd.props sc dumpmsexchquerybasedn 0 GAL

Wait until all Set "msexchquerybasedn" attribute to GAL for NN mailboxes tasks are processed.

Configuring Exchange 2007 Servers

After having installed the Exchange Server 2007 server roles, you need to perform some configuration tasks described below.

Entering Exchange Product Key

Before configuring servers with installed Exchange Server 2007, the Product Key should be entered on each server. To enter the Product Key, perform the following steps:
1 Log on to EXCAS01 as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.

3 Type the following commands:
    Set-ExchangeServer -Identity EXCAS01 -ProductKey <key symbols>
4 Repeat steps 1-3 on each Exchange 2007 Server.

Installing Exchange Server 2007 Updates

Install all Exchange Server 2007 updates listed in the Exchange Server 2007 Distribution Packages section (on page 209).

Configuring Exchange Server 2007 Client Access Server

Configuring POP and IMAP Services

POP3 and IMAP4 services are disabled by default in Exchange Server 2007. If you plan to offer POP and IMAP access to Exchange 2007 mailboxes, you need to enable and configure POP3 and IMAP4 services.

Configure POP and IMAP services to start automatically in the following way:
1 Log on to EXCAS01 as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following commands:
    Set-service msexchangepop3 -startuptype automatic
    Set-service msexchangeimap4 -startuptype automatic
    Start-service msexchangepop3
    Start-service msexchangeimap4
4 Repeat steps 1-3 on each Exchange 2007 Client Access Server.

To allow users with a long UPN (more than 35 symbols) to log in to the POP3 server, the POP3 command size should be increased:
1 Log on to EXCAS01 as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following commands:
    Set-PopSettings -MaxCommandSize
4 Repeat steps 1-3 on each Exchange 2007 Client Access Server.

To secure communications between your POP3 and IMAP4 clients and the Exchange 2007 server that has the Client Access server role installed, it is strongly recommended that you use the Secure Sockets Layer (SSL). By default POP3 and IMAP4 services in Exchange 2007 are configured to use SSL or TLS connections and the following ports are configured for accessing these services:

Protocol                      Default Port
IMAP4/SSL                     993 (TCP)
IMAP4 with or without TLS     143 (TCP)

POP3/SSL                      995 (TCP)
POP3 with or without TLS      110 (TCP)

If you want to allow non-secure connections for POP3 and IMAP4 services, you should configure the corresponding Authentication Method for these services.

To allow a plain text login for POP3 and IMAP4 services:
1 Log on to EXCAS01 as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following commands:
    Set-PopSettings -LoginType PlainTextLogin
    Set-ImapSettings -LoginType PlainTextLogin
4 Repeat steps 1-3 on each Exchange 2007 Client Access Server.

Exchange 2007 configures the default self-signed CAS certificate for POP3 and IMAP4 services during installation. Therefore, you should request a new SSL certificate from Certification Authorities and configure this certificate for POP3 and IMAP4 services. Usually a single hostname, IP address and SSL certificate are used for all CAS protocols. But we recommend that you configure a certificate for POP3 and IMAP4 services after installing the certificate for web-based Exchange protocols (see the Installing SSL Certificate from Certification Authorities section (on page 266)).

To configure the right certificate for POP3 and IMAP4 services:
1 Log on to EXCAS01 as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following commands:
    Set-PopSettings -X509CertificateName <CertificateName>
    Set-ImapSettings -X509CertificateName <CertificateName>
4 CertificateName is the parameter that specifies the hostname in the SSL certificate from the Associated Subject field. A certificate with this name should also be registered in the system.
Important: Nodes from one NLB cluster should be configured with the same certificate.
5 Repeat steps 1-3 on each Exchange 2007 Client Access Server.
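Because the login type and certificate name are set by hand on every Client Access Server, a check that reads them back from all nodes catches a server left on PlainTextLogin or on a different certificate. The script below is an added example, not part of the original guide: the function names are hypothetical, the sample objects are constructed, and Test-CasMailProtocols assumes an Exchange 2007 SP1 Management Shell where Get-PopSettings and Get-ImapSettings accept -Server.

```powershell
# Added example (not from the guide). Function names are assumptions.
# Syntax is kept compatible with Windows PowerShell 1.0.

function Get-MailProtocolFinding {
    param($Settings, [string]$Server, [string]$Protocol, [string]$ExpectedCertName)
    # Turn one Get-PopSettings / Get-ImapSettings result into a report row.
    $f = "" | Select-Object Server, Protocol, LoginType, CertificateName, Issues
    $f.Server          = $Server
    $f.Protocol        = $Protocol
    $f.LoginType       = [string]$Settings.LoginType
    $f.CertificateName = [string]$Settings.X509CertificateName

    $issues = @()
    if ($f.LoginType -eq 'PlainTextLogin') {
        $issues += 'plain text login is allowed'
    }
    if ($ExpectedCertName -and ($f.CertificateName -ne $ExpectedCertName)) {
        $issues += "certificate name differs from $ExpectedCertName"
    }
    $f.Issues = [string]::Join('; ', [string[]]$issues)
    $f
}

function Test-CertificateConsistency {
    param($Findings)
    # Nodes of one NLB cluster must present the same certificate name.
    $names = @($Findings | ForEach-Object { $_.CertificateName } | Sort-Object -Unique)
    return ($names.Count -le 1)
}

function Test-CasMailProtocols {
    param([string[]]$Server, [string]$ExpectedCertName)
    # Requires the Exchange Management Shell (assumed SP1 for -Server).
    foreach ($s in $Server) {
        $pop  = Get-PopSettings  -Server $s -ErrorAction SilentlyContinue
        $imap = Get-ImapSettings -Server $s -ErrorAction SilentlyContinue
        if ($pop) {
            Get-MailProtocolFinding -Settings $pop -Server $s -Protocol 'POP3' -ExpectedCertName $ExpectedCertName
        }
        if ($imap) {
            Get-MailProtocolFinding -Settings $imap -Server $s -Protocol 'IMAP4' -ExpectedCertName $ExpectedCertName
        }
    }
}

# --- Constructed sample data: stands in for two CAS nodes so the checks can
# --- be run without an Exchange server. EXCAS02 is a hypothetical second node.
$good = "" | Select-Object LoginType, X509CertificateName
$good.LoginType = 'SecureLogin'
$good.X509CertificateName = 'exchange.provider.com'

$weak = "" | Select-Object LoginType, X509CertificateName
$weak.LoginType = 'PlainTextLogin'
$weak.X509CertificateName = 'EXCAS02'

$sampleFindings = @(
    Get-MailProtocolFinding -Settings $good -Server 'EXCAS01' -Protocol 'POP3' -ExpectedCertName 'exchange.provider.com'
    Get-MailProtocolFinding -Settings $weak -Server 'EXCAS02' -Protocol 'POP3' -ExpectedCertName 'exchange.provider.com'
)
$sampleFindings | Format-Table -AutoSize
"Same certificate on all nodes: " + (Test-CertificateConsistency $sampleFindings)

# Against live servers, from the Exchange Management Shell:
#   Test-CasMailProtocols -Server EXCAS01,EXCAS02 -ExpectedCertName exchange.provider.com
```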

Configuring and Starting IIS Service

Note: The procedure described in this section is related to the Client Access Servers deployed on the VZWin nodes.

On the VZWin nodes, the default start type of the IIS service is Manual. You should reconfigure the IIS service start type and start the service.
1 Log in to the EXCAS01 server using the account with administrative privileges.
2 Run the Windows command shell (cmd.exe).
3 Execute the following commands:
    sc config W3SVC start= auto
    sc start W3SVC
4 Repeat these steps on all Client Access Servers.

Configuring Outlook Web Access (OWA)

The default "owa" virtual directory on "Default Web Site" will be automatically configured during installing POA Protocols service (see chapter Registering and Configuring the Client Access Server in POA (see page 308)).

By default OWA is installed into the /owa virtual directory of the Default Web Site and is accessed by the URL, like where FQDN is the domain name of the Protocols service (exchange.provider.com), which you provide during Registering and Configuring Client Access Server in POA (see page 308). If you want to simplify this URL and allow an access to OWA by the URL, the request that is sent to the root of the Web server should be redirected to the OWA virtual directory.

To configure redirection in the Internet Information Services (IIS) Manager:
1 Log on to EXCAS01 as a member of the local Administrators group.
2 Open IIS Manager, and then navigate to Web Sites/Default Web Site. Right-click on the Default Web Site, and then click Properties.
3 Move to the Home Directory tab, and then click on the A redirection to a URL option.
4 In the Redirect to, type /owa name (or /exchange if your Exchange organization has mailboxes located on Exchange 2003 servers).
5 In The client will be sent to list, select the A directory below URL entered.

Configuring Outlook Anywhere

Client Access server roles can provide the Outlook Anywhere access to clients that are running Microsoft Office Outlook 2007, or the RPC-over-HTTP access to clients that are running Outlook.

To configure Outlook Anywhere, you must verify that the Windows RPC over HTTP Proxy network component has been installed on the Client Access Server. To verify that the Windows RPC-over-HTTP Proxy network component is installed, perform the following steps:
1 Log on to EXCAS01 as a member of the Domain Administrators group.
2 From the Start Menu, go to Start > Control Panel > Add / Remove Programs.
3 Click Add/Remove Windows Components.
4 Highlight Networking Services, and then click Details.
5 Make sure that RPC over HTTP Proxy is selected.
6 Click OK twice.

Outlook Anywhere is configured automatically during installation of the POA Protocols service (see chapter Registering and Configuring the Client Access Server in POA (see page 308)).

Configuring AutoDiscover Service

The Autodiscover service is configured automatically during installation of the POA Protocols service (see chapter Registering and Configuring the Client Access Server in POA (see page 308)). Correct External URLs will be configured for web-based Exchange services (OWA, ActiveSync, EWS, OAB). The Autodiscover Redirect site and Autodiscover Proxy virtual directories will also be configured automatically.

Installing SSL Certificate from Certification Authorities

A certificate request should be created to obtain an SSL certificate from an online Trusted Root Certification Authority (CA), such as Thawte, Verisign, GTE, Entrust.net SSL.

The following steps must be performed to create the request file for the Certification Authority:
1 Log on to the Exchange Client Access server (EXCAS01), using a Domain Administrators account with Full Exchange Administrator permissions.
2 Go to Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
3 In the console tree in the Internet Information Services (IIS) Manager snap-in expand the required server, then expand Web Sites, right-click Default Web Site, and then click Properties.
4 In the Default Web Site Properties dialog, open the Directory Security tab, and then click Server Certificate.
5 In the IIS Certificate Wizard, select Create a new certificate, and then click Next.
6 On the Delayed or Immediate Request Wizard page, select Prepare the request now, but send it later, and click Next.

7 On the Name and Security Setting Wizard page, in the Name field, type the name of the certificate, and leave the default length of the encryption key (1024 bit). Click Next.
8 On the Organization Information Wizard page, enter the name of your hosting organization in the Organization field. Type "Support" in the Organizational Unit field. Click Next.
9 On the Your Site's Common Name Wizard page, enter the FQDN for the required service.
10 On the Geographical Information Wizard page, select your country/region from the dropdown list, and then type the reliable information into the State/province and City/locality fields.
11 On the Certificate Request File Name Wizard page, specify the location and name of the request file, which will be submitted to the Trusted Root Certification Authority.
12 Submit the certificate request file on the official online website of a CA (such as Thawte, Verisign, GTE, Entrust.net) to issue the SSL certificate.

Perform the following steps to bind the SSL certificate issued by an official CA with the website on the Client Access server:
1 In the console tree in the Internet Information Services (IIS) Manager snap-in expand the server you want, expand Web Sites, right-click Default Web Site, and then click Properties.
2 In the Default Web Site Properties dialog, open the Directory Security tab, and then click Server Certificate. The IIS Certificate Wizard starts.
3 On the Pending Certificate Request Wizard page, select Process the pending request and install the certificate. Click Next.
4 On the Process a Pending Request Wizard page, specify the location of the certificate file in the Base-64 encoded X.509 field. The file extension is *.CER. Click Next.
5 Click Finish and close the IIS Certificate Wizard window.
6 Open Default Web Site Properties again and click the Advanced button near the IP address field. Ensure that only the Front-Net (NLB) IP and BackNet IP are selected for binding in both the top (HTTP) and bottom (HTTPS) lists. Click the appropriate Edit button to change it if needed.
  Note: The Front-Net IP used for the Autodiscover-redirect site should not have an HTTPS binding.

Configuring SSL Certificate on Client Access Servers

The SSL certificate installed on the first Client Access Server of an NLB Cluster should be configured on all other servers in this NLB Cluster.
1 On the Exchange Client Access server (EXCAS01), click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2 In the Default Web Site Properties, on the Directory Security tab, in the Secure communications pane, click the View Certificate button.
3 In the Certificate dialog box, on the Details tab, click the Copy to File button.
4 Export the certificate together with its private key in the Personal Information Exchange PKCS#12 (.PFX) format and save it in a file named exprotocol.pfx.
5 Copy the exprotocol.pfx file to all Client Access Servers that are configured to participate in Network Load Balancing (EXCAS02, EXCAS03 etc).
6 Go to the Exchange Client Access server (EXCAS02, EXCAS03 etc).
7 In the Default Web Site Properties, on the Directory Security tab, in the Secure communications pane, click the Server Certificate button.
8 Import the certificate from the exprotocol.pfx file on the current Default Web Site and restart IIS.
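One way to confirm the result on each NLB node, as an added example that is not part of the Parallels guide: it checks that the node holds the same certificate as EXCAS01 with its private key, and that the POP3 and IMAP4 settings configured earlier name the host in that certificate. The function name Test-CasCertificate, the 2048-bit threshold and the single-name certificate are assumptions of this example; the thumbprint is a placeholder.

```powershell
# Added example, not from the guide. Run in the Exchange Management Shell on each
# Client Access server (EXCAS01, EXCAS02, ...) after the certificate is installed.
# Assumes a single-name certificate, as the guide describes.

function Test-CasCertificate {
    param(
        [string]$ExpectedThumbprint,  # thumbprint read from the certificate on EXCAS01
        [int]$MinKeyBits = 2048       # assumption: threshold chosen for this example
    )
    $want = $ExpectedThumbprint.Replace(" ", "").ToUpper()
    $node = $env:COMPUTERNAME
    $findings = @()

    # 1. The same certificate must be in the machine store, with its private key.
    $cert = @(Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.Thumbprint -eq $want })[0]
    if (-not $cert) {
        return ("certificate {0} is not in LocalMachine\My on {1}" -f $want, $node)
    }
    if (-not $cert.HasPrivateKey) {
        $findings += "no private key (PFX was exported or imported without it)"
    }
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += "certificate is self-signed"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $findings += ("certificate expired on {0}" -f $cert.NotAfter)
    }
    $bits = $cert.PublicKey.Key.KeySize
    if ($bits -lt $MinKeyBits) {
        $findings += ("key is {0} bits, below {1}" -f $bits, $MinKeyBits)
    }

    # 2. POP3 and IMAP4 must name the host that is in the certificate subject.
    $cn = $null
    if ($cert.Subject -match "CN=([^,]+)") { $cn = $matches[1].Trim() }

    $settings = @{ "POP3" = (Get-PopSettings); "IMAP4" = (Get-ImapSettings) }
    foreach ($proto in $settings.Keys) {
        $s = $settings[$proto]
        if ($s.X509CertificateName -ne $cn) {
            $findings += ("{0} X509CertificateName '{1}' does not match subject CN '{2}'" -f `
                          $proto, $s.X509CertificateName, $cn)
        }
        # 3. Report the login type, since the guide allows relaxing it.
        if ($s.LoginType.ToString() -eq "PlainTextLogin") {
            $findings += ("{0} accepts plain text logins without TLS" -f $proto)
        }
    }
    $findings
}

$thumb  = "<THUMBPRINT-FROM-EXCAS01>"   # placeholder: paste the value shown on EXCAS01
$issues = @(Test-CasCertificate -ExpectedThumbprint $thumb)
if ($issues.Count -eq 0) {
    "{0}: certificate configuration is consistent" -f $env:COMPUTERNAME
} else {
    $issues | ForEach-Object { "{0}: {1}" -f $env:COMPUTERNAME, $_ }
}
```

The exprotocol.pfx file contains the private key, so remove the copies from every server once the import has been verified.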

Configuring Data Location on Transport Servers

Exchange 2007 Hub Transport and Edge Transport servers store various types of data on local hard drives:
1 Message Queue Database: the temporary holding location for messages that are waiting to enter the next stage of the process.
2 Transport Logs: various logs related to transport functionality:
  a Connectivity log: the record of the Simple Mail Transfer Protocol (SMTP) connection activity of the outbound message delivery queues to the destination Mailbox server, smart host, or domain. Connectivity logging is available on Hub Transport servers and Edge Transport servers.
  b Protocol log: the record of the SMTP activity between messaging servers as part of message delivery. This SMTP activity occurs on Send connectors and Receive connectors that are configured on Hub Transport servers and Edge Transport servers.
  c Message tracking log: the detailed log of all message activities as messages are transferred to and from a computer that is running Exchange. Message tracking is available on Hub Transport servers, Edge Transport servers, and Mailbox servers.
  d Routing table log: periodically records a snapshot of the routing table that is used by Hub Transport servers and Edge Transport servers to deliver messages.
  e Pipeline Tracing log: the record of messages as they move through the transport pipeline on computers that have the Microsoft Exchange Server 2007 Hub Transport server role or Edge Transport server role installed.

By default all data on the Transport servers is stored in the directory where Exchange 2007 is installed. We recommend that you relocate this data to another location to increase Exchange Transport subsystem performance. It is recommended to configure two additional partitions (preferably on separate disks), one partition for Message Queue Database data and Transport Logs and another one for Message Queue Database transaction logs.

To relocate Message Queue Database data and transaction logs:
1 Log on to the Transport server as a member of the local Administrators group.
2 Create the directories where you want to keep the queue database data (for example, E:\Queue\Data) and transaction logs (for example, D:\Queue\Logs).
3 Apply the following permissions to these directories:
  a Network Service: Full Control.
  b System: Full Control.
  c Administrators: Full Control.
4 Open the following file using Notepad:
    C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe.config

5 Modify the QueueDatabasePath parameter in the <appSettings> section (back up the old value of this parameter):
    <add key="QueueDatabasePath" value="E:\Queue\Data" />
6 Modify the QueueDatabaseLoggingPath parameter in the <appSettings> section (back up the old value of this parameter):
    <add key="QueueDatabaseLoggingPath" value="D:\Queue\Logs" />
7 Save and close the EdgeTransport.exe.config file.
8 Stop the Microsoft Exchange Transport service.
9 Copy the Mail.que and Trn.chk data files from the original location (old value of the QueueDatabasePath parameter) to the new location (E:\Queue\Data).
10 Copy the Trn.log, Trntmp.log, Trnnnnn.log, Trnres00001.jrs, Trnres00002.jrs and Temp.edb transaction log files from the original location (old value of the QueueDatabaseLoggingPath parameter) to the new location (D:\Queue\Logs).
11 Start the Microsoft Exchange Transport service.
12 Remove the unused data files Mail.que and Trn.chk from the original location.
13 Remove the unused transaction log files Trn.log, Trntmp.log, Trnnnnn.log, Trnres00001.jrs, Trnres00002.jrs and Temp.edb from the original location.
14 Repeat steps 1-13 on necessary Exchange 2007 Hub Transport or Edge Transport Servers.

To relocate Transport Logs to a new location:
1 Log on to the Transport server as a member of the local Administrators group.
2 Open the Exchange Management Shell.
3 Type the following commands:
  To relocate the Connectivity log:
    Set-TransportServer -Identity ServerName -ConnectivityLogPath "E:\TransportLogs\Connectivity"
  To relocate the Receive Protocol log:
    Set-TransportServer -Identity ServerName -ReceiveProtocolLogPath "E:\TransportLogs\ProtocolLog\SmtpReceive"
  To relocate the Send Protocol log:
    Set-TransportServer -Identity ServerName -SendProtocolLogPath "E:\TransportLogs\ProtocolLog\SmtpSend"
  To relocate the Message tracking log:
    Set-TransportServer -Identity ServerName -MessageTrackingLogPath "E:\TransportLogs\MessageTrackin"
  To relocate the Routing table log:
    Set-TransportServer -Identity ServerName -RoutingTableLogPath "E:\TransportLogs\Routing"
  To relocate the Pipeline Tracing log:

    Set-TransportServer -Identity ServerName -PipelineTracingPath "E:\TransportLogs\PipelineTracing"
4 Repeat steps 1-3 on necessary Exchange 2007 Hub Transport or Edge Transport Servers.

Configuring Hub Servers

The Hub Transport server is used for local mail delivery and as the outgoing SMTP server (Authenticated Relay) for POP3 and IMAP clients. In deployment configurations without Edge servers, the Hub Transport server can also be configured to accept messages from the Internet.

All incoming mail flow on the Exchange Hub servers is handled via the Receive Connectors, and all outgoing mail flow is controlled by the Send Connectors. Receive Connectors should be configured on each Hub server. A Send Connector is not linked to any Hub server, and is configured for the whole Exchange Organization. After a new Hub server is installed, two Receive Connectors ("Default *" and "Client *") are already configured on the server. A Send Connector is not created automatically, even during the first Hub server installation.

Two deployment configurations can affect Hub server settings:
With Edge servers: all Internet mail flow is handled by Edge servers, and mail flow from authenticated clients is handled by Hub servers.
Without Edge servers: all Internet mail flow and mail flow from authenticated clients are handled by Hub servers.

In both deployment configurations it is not recommended to modify the "Default *" Receive Connector, because Exchange server authentication is configured on this connector and it is used for incoming mail flow from Edge servers and from other Exchange organizations.

The following configurations of Receive connectors are allowed on Hub Servers:

Connector type Host names FrontNet IP addresses BackNet IP addresses SSL certificates Comments With Edge Servers: Default 0 server NETBIOS name used 1 dedicated IP address, NLB IP address not supported self-signed certificate on NETBIOS name used (generated during installation) Used to communicate with Edge Server and other Exchange organizations Client 1 1 NLB or dedicated IP address 0 1 optional but strongly recommended Used for connection from authenticated clients

Total: or 1 Without Edge Servers: Default Internet optional 0 - server NETBIOS name used 1 optional (required if connection to other Exchange organization will be configured) 1 1 NLB or dedicated IP address Client 1 1 NLB or dedicated IP address self-signed certificate on NETBIOS name used (generated during installation) 0 1 optional but strongly recommended 0 1 optional but strongly recommended Used to communicate with other Exchange organizations Used for connection from Internet Used for connection from authenticated clients Total: 1 or 2 1, 2 or 3 1 0, 1 or 2

Minimum configuration: One Host Name and one IP for configuration without Default connector and with one connector for non-secure Client and Internet access.

Full configuration: One IP address per connector (Default, Internet and Client). Two host names and two SSL certificates for secure Client and Internet access.

For handling SMTP mail flow from authenticated clients (POP3 and IMAP4 clients) it is recommended to use the "Client *" Receive Connector. This connector should be bound to a particular FrontNet IP address. Note that in configurations with Edge servers this IP address should be the second IP address on the FrontNet adapter, because the first IP address will be used for the "Default *" connector; in configurations without Edge servers the "Default *" connector does not need its own FrontNet IP address. Also, if you plan to secure SMTP mail flow from POP3 and IMAP4 clients (recommended and configured by default), then the SSL certificate should be configured for this connector (see the Configuring SSL Certificate for SMTP Service on Transport Servers (on page 278) section for details).

To configure "Client *" Receive Connector bindings:
1 Log on to EXHUB01 as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following commands:
    Get-ReceiveConnector -Server EXHUB01 | where {$_.identity -like "*Client*"} | Set-ReceiveConnector -Bindings <SMTPAuthIP>:25, <SMTPAuthIP>:587 -Fqdn <FQDN>
  SMTPAuthIP: IP address (dedicated or NLB) for authenticated client access. This IP address should later be configured on the Exchange2007SMTPAuth POA package (see the Installing Exchange2007SMTPAuth Service Package section (on page 314)).
  FQDN: host name which will be provided in response to HELO or EHLO commands and will be used for certificate selection (for secure connections). This host name should later be configured on the Exchange2007SMTPAuth POA package (see the Installing Exchange2007SMTPAuth service package section (on page 314)).
4 Repeat steps 1-3 on Exchange 2007 Hub servers, which will handle SMTP messages from POP3 and IMAP4 clients.

If you plan to enable the Custom Address feature in POA, then a special permission should be configured on the "Client *" Receive connector on Hub Servers.

To configure the permission on Receive connectors:
1 Log on to EXHUB01 as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following commands:
    Get-ReceiveConnector -Server EXHUB01 | where {$_.identity -like "*Client*"} | Add-ADPermission -user AU -extendedrights ms-exch-smtp-Accept-Any-Sender ; Restart-Service MSExchangeTransport
4 Repeat steps 1-3 on Exchange 2007 Hub Servers, which will handle SMTP messages from POP3 and IMAP4 clients.

In deployment configurations without Edge Servers, the Hub servers should be additionally configured to handle all inbound Internet SMTP mail flow. To establish mail flow from the Internet through Hub Transport servers, follow the instructions below.

If you plan to use one hostname, IP address and SSL certificate for handling SMTP mail flow from authenticated clients (POP3 and IMAP4 clients) and from the Internet, then the "Client *" connector should be configured to allow anonymous connections. Note that in such a configuration the same IP address and host name should later be used in the Exchange2007SMTPAuth POA package properties (see the Installing Exchange2007SMTPAuth Service Package section (on page 314)) and in the Exchange2007SMTP package properties (see the Installing Exchange2007SMTP Service Package section (on page 316)).

To modify the "Client *" Receive connector to allow anonymous connections:
1 Log on to EXHUB01 as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following commands:
    Get-ReceiveConnector -Server EXHUB01 | where {$_.identity -like "*Client*"} | Set-ReceiveConnector -PermissionGroups "AnonymousUsers, ExchangeUsers"
4 Repeat steps 1-3 on necessary Exchange 2007 Hub servers, which will be used for receiving from the Internet.

If you plan to use a dedicated hostname, IP address and SSL certificate for handling SMTP messages from the Internet, then a new connector should be created.

To create a new Receive Connector for inbound Internet mail flow:
1 Log on to EXHUB01 as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following commands:
    New-ReceiveConnector -Server EXHUB01 -Name "Internet EXHUB01" -Usage Internet -Bindings <SMTPIP>:25 -Fqdn <FQDN>
  SMTPIP: IP address (dedicated or NLB) for inbound SMTP traffic from the Internet. This IP should later be configured on the Exchange2007SMTP POA package (see the Installing Exchange2007SMTP Service Package section (on page 316)).
  FQDN: host name which will be provided in response to HELO or EHLO commands and will be used for certificate selection (for secure connections). This host name should later be configured on the Exchange2007SMTP POA package (see Installing Exchange2007SMTP Service Package section (on page 316)).
4 Repeat steps 1-3 on necessary Exchange 2007 Hub Servers, which will be used for receiving from the Internet.
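A read-only review of the Receive connector changes described above, added here as an example and not part of the Parallels guide: it lists each Receive connector on a Hub server with its bindings, FQDN and permission groups, and shows whether Authenticated Users or anonymous senders hold the relevant extended rights. The function names are hypothetical; ms-Exch-SMTP-Accept-Any-Recipient is not mentioned in the guide and is included because it is the right that permits relaying to any domain.

```powershell
# Added example, not from the guide. Read-only; run in the Exchange Management Shell.
# Principal names are the English built-in names; adjust them on localized systems.

function Test-ConnectorRight {
    # True when $Principal holds an Allow entry for extended right $Right in $Acl.
    param($Acl, [string]$Principal, [string]$Right)
    $hit = $Acl | Where-Object {
        (-not $_.Deny) -and
        ($_.User.ToString() -eq $Principal) -and
        ($_.ExtendedRights -like $Right)
    }
    return [bool]$hit
}

function Get-ReceiveConnectorExposure {
    param([string]$Server = "EXHUB01")   # Hub server name used in the guide

    $authUsers = "NT AUTHORITY\Authenticated Users"
    $anonymous = "NT AUTHORITY\ANONYMOUS LOGON"
    $anySender = "ms-Exch-SMTP-Accept-Any-Sender"      # granted to AU for Custom Address
    $anyRcpt   = "ms-Exch-SMTP-Accept-Any-Recipient"   # not in the guide: the relay right

    foreach ($rc in @(Get-ReceiveConnector -Server $Server)) {
        # Same pipeline shape the guide uses with Add-ADPermission, but read-only.
        $acl      = @($rc | Get-ADPermission)
        $bindings = [string]::Join(", ", @($rc.Bindings | ForEach-Object { $_.ToString() }))
        $groups   = $rc.PermissionGroups.ToString()

        $rc | Select-Object Name, Fqdn, RequireTLS,
            @{Name = "Bindings";              Expression = { $bindings }},
            @{Name = "PermissionGroups";      Expression = { $groups }},
            @{Name = "AuthMechanism";         Expression = { $_.AuthMechanism.ToString() }},
            @{Name = "AnonymousAllowed";      Expression = { $groups -match "AnonymousUsers" }},
            @{Name = "AuthUsersAnySender";    Expression = { Test-ConnectorRight $acl $authUsers $anySender }},
            @{Name = "AnonymousAnySender";    Expression = { Test-ConnectorRight $acl $anonymous $anySender }},
            @{Name = "AnonymousAnyRecipient"; Expression = { Test-ConnectorRight $acl $anonymous $anyRcpt }}
    }
}

$report = @(Get-ReceiveConnectorExposure -Server "EXHUB01")
$report | Format-List

# Connectors to compare against the intended design:
#  - anonymous senders allowed: expected only on the connector that takes Internet
#    mail in a deployment without Edge servers
#  - anonymous relay right present: not something the guide configures
$report |
    Where-Object { $_.AnonymousAllowed -or $_.AnonymousAnyRecipient } |
    Select-Object Name, Bindings, PermissionGroups, AnonymousAnyRecipient |
    Format-Table -AutoSize
```

Run it on every Hub server that was changed, and keep the output with the change record so later drift in PermissionGroups or the connector ACL can be spotted.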

In deployment configurations with Edge Servers, the pair of Send Connectors is created automatically when the Edge Subscription is created. These connectors are used to send messages from Hub servers to the Internet and to receive messages from the Internet for Hub servers through the subscribed Edge Transport servers (see the Configuring EdgeSync section (on page 277)).

In deployment configurations without Edge Servers, a new Send connector should be created to enable mail flow from the Hub server to the Internet.

To create a new Send connector:
1 Log on to EXHUB01 as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following commands:
    New-SendConnector -Name "Internet" -Usage Internet -AddressSpaces "*" -SourceTransportServers HubServersList -Fqdn <FQDN>
  HubServersList (for example, EXHUB01,EXHUB02): the list of Hub servers associated with this connector, which will be used for sending to the Internet.
  FQDN: host name which will be provided in response to HELO or EHLO commands when messages are sent to external mail servers. Ordinarily this name is equal to the host name configured on the first Exchange2007SMTP POA package (Installing Exchange2007SMTP service package (on page 316) section). Note that a correct PTR record should be configured for this host name.

Configuring Edge Servers

Since the Edge Transport server role is deployed outside the Exchange organization, in the Edge (Perimeter) network, you should verify that the network firewall that separates the Edge Transport server(s) from the Exchange Server 2007 Hub Transport server(s) is configured to enable communications through the correct ports.

Note: The Edge Transport server role uses custom LDAP ports.

The following ports need to be opened for correct communication between Edge Transport servers, Hub Transport servers, and External DNS:
LDAP: Port 50389/TCP/UDP
Secure LDAP: Port 50636/TCP/UDP
SMTP: Port 25/TCP
DNS: Port 53/TCP/UDP

Configuring Domain Name Resolving

Edge Transport servers should be resolvable from Hub Transport servers, and Hub Transport servers should be resolvable from Edge Transport servers. For this purpose, a DNS suffix equal to the Active Directory domain name should be configured on Edge Transport servers during the installation. Also, DNS records for Edge Transport servers should be added on the internal AD DNS server, and records for Hub Transport servers should be added to the hosts configuration file on Edge Transport servers.

To create a Host record for the Edge Server on AD01, perform the following steps:
1 Log on to AD01.
2 Go to Start > Administrative Tools > DNS.
3 Expand AD01, expand Forward Lookup Zones, and then right-click your domain zone.
4 Select New Host (A).
5 In the New Host dialog enter EXEDGE01 into the Name field.
6 Enter the IP Address of EXEDGE01 into the IP Address field.
7 Click Add Host.
8 Click Done.
9 Repeat Steps from 3 to 8 on all other Edge servers.

To create records in the hosts file on the EXEDGE01 server, perform the following steps:
1 Log on to EXEDGE01.
2 Open the file %SystemRoot%\system32\drivers\etc\hosts.
3 For each Hub server, append the following line at the end of the file:
    <IP> <NAME>
  Where: <NAME> is the FQDN name of the Hub server; <IP> is the IP address of the Hub server.
4 Repeat the above steps on all other Edge servers.

To verify name resolution between the Hub Transport server and Edge Transport server, perform the following steps:
1 Log on to EXHUB01 as a member of the Domain Administrators group.
2 Open a command prompt.
  Important: The Hub Transport server must be able to resolve the fully qualified domain name (FQDN) of the Edge Server or the Edge Subscription will not work correctly.
3 Ping the fully qualified domain name (FQDN) of the Edge Transport server (EXEDGE01.he.local). Do not proceed until you are certain that the Hub Transport server can resolve the FQDN of the Edge Transport server.

Configuring EdgeSync

EdgeSync should be configured on each computer that has the Edge Transport server role installed to enable replication of recipient and configuration information from the Active Directory service to the Active Directory Application Mode (ADAM) instance.

To export the EdgeSync subscription file, perform the following steps:
1 Log on to EXEDGE01 as a member of the local Administrators group.
2 Open the Exchange Management Shell.
3 Run the following command:
    New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"
  Note: If you configured a Network Load Balancing cluster on the Edge Server before exporting the Edge Subscription configuration, then an incorrect value of the EdgeServerFQDN parameter will be recorded in the configuration file of the Edge Subscription. Instead of the real server's FQDN, the full Internet name of the NLB cluster will be recorded. To solve this problem, open the EdgeSubscriptionInfo.xml file and change the EdgeServerFQDN value to the correct value of the Edge Server FQDN (EXEDGE01.he.local).
4 Copy the Edge Subscription file from the Edge Transport server to the Hub Transport server (EXHUB01).
  Note: It is recommended to delete the Edge Subscription file from the Edge Transport server after you have copied the file to the Hub Transport server.

To create the EdgeSync Subscription on the Hub Transport Server, do the following:
1 Open the Exchange Management Shell on EXHUB01.
2 Navigate to the Edge Subscription file.
3 Run the following command:
    New-EdgeSubscription -filename "C:\EdgeSubscriptionInfo.xml" -CreateInternetSendConnector $true -site "Default-First-Site-Name"
4 Review the response to make sure the Edge Subscription was created.
  Note: It is recommended to delete the Edge Subscription file from the Hub Transport server after you have successfully imported the file.

After configuring EdgeSync for all Edge servers, it is recommended to start Edge Synchronization manually:
1 Open the Exchange Management Shell on EXHUB01.
2 Run the following command:
    Start-EdgeSynchronization

After the Edge Subscription is created, the correct FQDN should be configured on the automatically created pair of Send connectors (common names of the connectors are "edgesync - default-first-site-name to internet" and "edgesync - inbound to default-first-site-name").

To configure the FQDN on Send connectors, do the following:
1 Open the Exchange Management Shell on EXHUB01.
2 Navigate to the Edge Subscription file.
3 Run the following command:
    Get-SendConnector | Set-SendConnector -Fqdn "<FQDN>"
  FQDN: host name which will be provided in response to HELO or EHLO commands when messages are sent to external mail servers or Hub servers. Ordinarily this name is equal to the host name configured on the first Exchange2007SMTP POA package (see the Installing Exchange2007SMTP Service Package (on page 316) section). Note that a correct PTR record should be configured for this host name.

Configuring Anti-Spam Filtering

Exchange Server 2007 offers anti-spam features that can help you detect spam messages. The anti-spam engine relies on a content filtering agent, which is the next generation Exchange Intelligent Message Filter. The Intelligent Message Filter is based on a patented machine-learning technology from Microsoft Research. Intelligent Message Filter evaluates inbound messages and assesses the probability that an inbound message is legitimate or spam. Unlike many other filtering technologies, Intelligent Message Filter uses characteristics from a statistically significant sample of messages.

Spam filtering is included in the Exchange Edge role by default. You need to configure the Spam Filtering Agents after the Edge role installation. Pay particular attention to the Content Filtering Agent settings and configure the Spam Confidence Level (SCL) Thresholds and corresponding actions.

Important: By default, the SCL reject threshold is enabled and configured with SCL value 7. As a result, all messages stamped with an SCL value greater than or equal to 7 will be rejected.

Configuring SSL Certificate for SMTP Service on Transport Servers

It is recommended to secure SMTP mail flow from authenticated clients and from the Internet on Transport (Hub and Edge) Servers. All SMTP traffic is delivered to Transport Servers via Receive Connectors. By default the Receive Connectors on Transport Servers are already configured for secure SMTP communication, but the connectors use the default self-signed certificate generated during Exchange 2007 installation and issued to the Transport Server name (for example, EXHUB01.he.local or EXEDGE01.he.local). Therefore, you should request a new SSL certificate from a Certification Authority and configure this certificate for the SMTP service.

In configurations with Edge Servers, the "Client *" Receive Connector on Hub servers is usually used for handling SMTP traffic from authenticated clients (from POP3 and IMAP4 clients) and the "Default *" Receive Connector on Edge servers is used for handling SMTP traffic from the Internet. It is recommended to secure both mail flows and configure the FQDN and corresponding SSL certificate on Hub Servers ("Client *" Receive Connectors) and Edge Servers ("Default *" Receive connectors).

In configurations without Edge servers, the Hub Servers should handle mail flow from the Internet. If one "Client *" connector is used on Hub servers for handling mail flow from authenticated clients and from the Internet, a single FQDN and SSL certificate can be used. If Internet mail flow is handled by a dedicated "Internet *" connector on Hub Servers, then it is recommended to use two FQDNs and SSL certificates.

New SSL certificates should be requested for the FQDNs that will be used for connections from POP3 and IMAP4 clients to Hub Servers and for connections from the Internet to Edge or Hub Servers. The corresponding FQDNs should later be used in the Exchange2007SMTPAuth POA package properties (see the Installing Exchange2007SMTPAuth Service Package (on page 314) section) and in the Exchange2007SMTP package properties (see the Installing Exchange2007SMTP Service Package (on page 316) section). Note that Exchange 2007 selects the SSL certificate for SSL or TLS communication by the FQDN property of the Receive Connector.

To configure the certificate for the SMTP service:
1 Log on to the Hub Server (EXHUB01) as a member of the Domain Administrators group or log on to the Edge Server (EXEDGE01) as a member of the Local Administrators group.
2 Import the certificate to the local Windows certificate storage. A PFX certificate can be imported by the following command:
    Import-ExchangeCertificate -Path <CertFilePath> -Password:(Get-Credential).password
  The Get-Credential cmdlet will prompt you for a user name and password, but only the password field is used to import the certificate.
3 Type the following command to get the list of SSL certificates registered in the local Windows certificate storage and obtain the thumbprint ID for the certificate:
    Get-ExchangeCertificate
4 Type the following command to enable the certificate for the SMTP service:
    Enable-ExchangeCertificate -Services SMTP -Thumbprint <thumbprint id>
  thumbprint id: the thumbprint ID of the SSL certificate that was obtained in the previous step.
  Important: If you are prompted to Overwrite existing default SMTP certificate, you must select [N] No. Otherwise the Edge Synchronization can be broken on the Edge servers; internal secure communication between transport servers can be broken on the Hub servers.
5 Type the following command to set the correct FQDN on the Receive Connector:
    Get-ReceiveConnector -Server <server name> | where {$_.identity -like "*<connector name>*"} | Set-ReceiveConnector -Fqdn <FQDN>
  server name: the name of the Transport server (for example, EXHUB01 or EXEDGE01).
  connector name: the name of the necessary Receive Connector: Client or Internet for the "Client *" and "Internet *" Receive Connectors on Hub servers, Default for the "Default *" Receive connector on Edge servers.

  FQDN: the parameter that specifies the host name. It should be equal to the Associated Subject field of the SSL certificate registered in the local certificate storage and enabled for the SMTP service in the previous steps.
6 Repeat steps 1-5 on necessary Exchange 2007 Transport Servers, which will handle client and Internet SMTP traffic.

Configuring Mailbox Servers

LCR can be configured for a standalone Mailbox server on a per storage group basis. LCR has the same storage requirements as CCR (refer to the Configuring Storage and Volume Mount Points section (on page 238)), but the disk LUNs for the Active and Passive copies should be connected to the same server.

To enable LCR for an existing storage group, open the Exchange Management Shell:
1 Log in to EXMBX01 as a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Run the following commands:
    Enable-DatabaseCopy -Identity EXMBX01\<StorageGroup>\<Database> -CopyEDBFilePath:<FullPathIncludingDatabaseFileName>
    Enable-StorageGroupCopy -Identity EXMBX01\<StorageGroup> -CopyLogFolderPath:<FullPath> -CopySystemFolderPath:<FullPath>
4 To verify that the automatic seeding has occurred, run the following command:
    Get-StorageGroupCopyStatus
5 If all storage groups have a Healthy status, then automatic seeding has occurred successfully. If for some reason Automatic Seeding has not taken place, refer to the Exchange Server 2007 Help file, and look for "How to Seed a Local Continuous Replication Copy" or refer to the Exchange Server TechCenter article "How to Seed a Local Continuous Replication Copy" (

Configuring and Starting IIS Service

Note: The procedure described in this section applies to the Mailbox Servers deployed on the VZWin nodes.

On the VZWin nodes, the default start type of the IIS service is Manual. You should reconfigure the IIS service start type and start the service.

1. Log in to the EXMBX01 server using an account with administrative privileges.
2. Run the Windows command shell (cmd.exe).
3. Execute the following commands:

    sc config W3SVC start= auto
    sc start W3SVC

4. Repeat these steps on all Mailbox Servers.

Configuring Network Load Balancing for Exchange 2007 Servers

Client Access server roles, Hub Transport server roles and Edge Transport server roles can be load-balanced via Windows Network Load Balancing or a third-party hardware-based network load-balancing device.

NLB Overview

The Network Load Balancing cluster technology included in Windows Server 2003 provides a cost-effective solution for enhanced scalability and availability of server applications.

An NLB cluster can be configured on servers with one or multiple Network Interface Controllers (NICs). One NIC can participate in one NLB cluster. Therefore, if you want to use several dedicated NLB clusters for different services, the corresponding number of NICs should be present in the system. It is also recommended to assign IP addresses from separate subnets to NICs connected to different network segments.

For a server with two or more NICs, it is not recommended to enable NLB on the NIC connected to the BackNet network, so that server-to-server communication remains possible. Below is the sample configuration for servers with two NICs:

FrontNet (NLB) NIC ( \24)    Server 1    Server 2
    IP
    Subnet
    Gateway
    DNS
    NLB mode    Unicast
    NLB Cluster IP
    NLB Cluster Subnet

    NLB Additional IP (optional)

BackNet (communication) NIC ( \24)
    IP
    Subnet
    Gateway    N/A
    DNS

For a server with one NIC, it is recommended to use the Multicast NLB mode to allow server-to-server communication. Below is the sample configuration:

BackNet (NLB and communication) NIC ( \24)    Server 1    Server 2
    IP
    Subnet
    Gateway
    DNS
    NLB mode    Multicast
    NLB Cluster IP
    NLB Cluster Subnet
    NLB Additional IP (optional)

For step-by-step instructions on how to configure Network Load Balancing (NLB Cluster), refer to the Configuring Network Load Balancing section.

Configuring NLB for CAS Servers

The Client Access server role supports web-based clients (OWA, Outlook Anywhere, Exchange ActiveSync, Autodiscover), POP3 clients and IMAP4 clients. These protocols can share the same hostname, IP address and SSL certificate or use dedicated ones (for details, see the Configuring Exchange Server 2007 Client Access Server section (on page 263)).

For CAS servers, NLB should be configured on FrontNet adapters. One adapter can participate in one NLB cluster. Therefore, if you want to use a dedicated NLB cluster for each Exchange client protocol, the corresponding number of FrontNet adapters should be present in the system. Alternatively, dedicated virtual IP addresses for Exchange client protocols can be configured on one NLB cluster.

It is recommended to configure one NLB cluster for CAS servers and share the same hostname, IP address and SSL certificate for all Exchange protocols. One additional virtual IP address should be configured on the NLB cluster for the Autodiscover Redirect Site.

Use the two NICs sample provided in the NLB Overview section (on page 281) to configure NLB on the CAS FrontNet adapter with the following parameters:

    Full Internet name - exchange.provider.com
    Cluster operation mode - Unicast
    Servers - EXCAS01, EXCAS02,

Configuring NLB for HUB Servers

The Hub Transport server role is used as the outgoing SMTP server for POP3 and IMAP clients. Starting from Exchange Server 2007 SP1, several Hub Transport servers can be load balanced to provide scalable and fail-over SMTP access.

For Hub Transport server roles, NLB should be configured on FrontNet adapters. It is recommended to configure one NLB cluster for all Hub Transport servers and share the same hostname, IP address and SSL certificate.

Use the NICs sample provided in the NLB Overview section (on page 281) to configure NLB on the Hub FrontNet adapter with the following parameters:

    Full Internet name - auth.provider.com
    Cluster operation mode - Unicast
    Servers - EXHUB01, EXHUB02,

Configuring NLB for EDGE Servers

The Exchange Server 2007 Edge Transport server role handles all Internet-facing inbound and outbound SMTP mail flow, and provides protection against spam and viruses. Several Edge Transport servers can be load balanced to provide scalable and fail-over external SMTP access.

For Edge Transport servers with a single EdgeNet adapter per server, NLB can be configured only in the Multicast mode. To configure NLB in the Unicast mode, one additional adapter connected to the Edge Network (and the same subnet) should be added to each Edge Transport server.

It is recommended to configure one NLB cluster for all Edge Transport servers and share the same hostname and IP address.

Use the corresponding example provided in the NLB Overview section (on page 281) to configure NLB on Edge Transport servers with one or two adapters with the following parameters:

    Full Internet name - smtp.provider.com
    Cluster operation mode - Multicast for single adapter and two adapters configurations
    Servers - EXEDGE01, EXEDGE02,

Configuring Firewall

To configure Exchange-specific ports as well as other infrastructure on the Firewall, please refer to

Integrating with External AS/AV Mail Gateway

To protect the Exchange infrastructure by filtering incoming and outgoing SMTP traffic with an external AS/AV gateway deployed in front of the Exchange 2007 Hub Transport servers, some additional configuration should be done on the Exchange 2007 servers and in POA.

Configuring Incoming Mail Delivery

All incoming SMTP traffic should be processed by the AS/AV gateway and routed to the Exchange Hub Servers. The following configuration steps should be performed to configure Incoming Mail Delivery:

1. Exchange Hub Servers should be configured to accept incoming SMTP traffic from the AS/AV gateway.
2. The AS/AV gateway should be configured to route incoming SMTP traffic for domains accepted by Exchange to the Exchange Hub servers. MX records for domains hosted by Exchange should point to the IP address of the AS/AV gateway.

The diagram below illustrates incoming mail delivery.

Messages sent by external mail servers (MTA) using information from MX records:

1. The message is sent to the AS/AV gateway.
2. After checking the message, the AS/AV gateway sends it to the Hub servers.
3. The message is delivered to the recipient's mailbox.

Configuring Exchange Hub Transport Servers to Accept Incoming SMTP Traffic from AS/AV Gateway

Two Receive connectors are already configured on Exchange Hub Servers after the Exchange Hub Transport role is installed. In scenarios without an external AS/AV Gateway, only one connector is used (for example, Default EXHUB01), both for incoming SMTP traffic and for Authenticated Client access (outgoing SMTP for POP3 and IMAP4 clients). The second connector (for example, Client EXHUB01) can be used for Authenticated Client access on port 587, but this connector is not used in most cases.

In scenarios with an external AS/AV Gateway, we recommend that you use the Client* connectors, bound to port 25 and the first dedicated IP address, for Authenticated Client access, and the Default* connectors, bound to port 25 and the second dedicated IP address, for incoming SMTP traffic from the AS/AV Gateway.

To modify the Client* Receive connector, do the following:

1. Log on to EXHUB01 as a member of the Domain Administrators group.
2. Open the Exchange Management Shell.
3. Type the following commands:

    Get-ReceiveConnector -Server EXHUB01 | where {$_.identity -like "*Client*"} | Set-ReceiveConnector -Bindings <SMTPAuthIP>:25 -PermissionGroups ExchangeUsers -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS,Integrated

SMTPAuthIP - IP address for Authenticated Client access. This IP should be configured in the Exchange2007SMTPAuth POA package (refer to the Installing Exchange2007SMTPAuth service package section). You can use the NLB IP address, but in that case you need to provide the same IP address for all servers from one NLB Cluster.

4. Repeat steps 1-3 on the Exchange 2007 Hub Transport Servers that will be used for handling the SMTP traffic from POP3 and IMAP4 clients.

To modify the Default* Receive connector, do the following:

1. Log on to EXHUB01 as a member of the Domain Administrators group.
2. Open the Exchange Management Shell.
3. Type the following commands:

    Get-ReceiveConnector -Server EXHUB01 | where {$_.identity -like "*Default*"} | Set-ReceiveConnector -Bindings <SMTPIP>:25 -PermissionGroups AnonymousUsers -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS,Integrated

SMTPIP - IP address for incoming SMTP traffic from the AS/AV Gateway. The AS/AV Gateway should route incoming SMTP traffic to Exchange using this IP address. You can use the NLB IP address, but in that case you need to provide the same IP address for all servers from one NLB Cluster.

4. Repeat steps 1-3 on the Exchange 2007 Hub Transport Servers that will be used for receiving traffic from the AS/AV Gateway.

Configuring AS/AV Gateway to Route Incoming SMTP Traffic to Exchange Hub Transport Servers

In most cases AS/AV gateways require the list of accepted domains, that is, the list of domains the gateway is authoritative for (the gateway handles mail delivery for recipients in those domains). The list of accepted domains at the AS/AV gateway can be kept up to date in one of the following ways:

1. The service provider uses its own system.
2. Get the list of accepted domains by calling the POA OpenAPI method "pem.exchange.get domains".
3. Query the list of accepted domains directly from Active Directory (see the example of the script in the Get List of Accepted Domains section (on page 289)).

Get List of Accepted Domains

The list of accepted domains can be queried directly from AD with the following script:

    Option Explicit

    'The output file name is the only script parameter
    Dim argsobj
    Set argsobj = WScript.Arguments
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    If argsobj.Length <> 1 Then
        WScript.Echo "Specify output file name as first script parameter"
        WScript.Quit(0)
    End If
    Dim outfile
    Set outfile = fso.CreateTextFile(argsobj(0), True)

    'Getting Configuration DN
    Dim objrootdse
    Set objrootdse = GetObject("LDAP://RootDSE")
    Dim strconfigurationcontainer
    strconfigurationcontainer = objrootdse.Get("configurationNamingContext")
    Const ADS_SCOPE_SUBTREE = 2

    'Connect to Active Directory Provider
    Dim objconnection
    Set objconnection = CreateObject("ADODB.Connection")
    objconnection.Provider = "ADsDSOObject"
    objconnection.Open "ADs Provider"

    'Search Accepted Domains
    Dim objcommand
    Set objcommand = CreateObject("ADODB.Command")
    Set objcommand.ActiveConnection = objconnection
    objcommand.CommandText = "Select Name from 'LDAP://CN=Microsoft Exchange,CN=Services," & strconfigurationcontainer & "' " _
        & "Where objectCategory='msExchAcceptedDomain'"
    objcommand.Properties("Page Size") = 1000
    objcommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    Dim objrecordset
    Set objrecordset = objcommand.Execute

    'Write one accepted domain name per line
    If objrecordset.EOF Then
        WScript.Echo "No one Accepted Domain found"
    Else
        Do Until objrecordset.EOF
            outfile.WriteLine( objrecordset.Fields("Name").Value )
            objrecordset.MoveNext
        Loop
    End If

    'Flush and release the output file
    outfile.Close
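One way to turn the exported file into a gateway update, as an added example that is not part of the original guide: it validates each exported name, diffs the result against the gateway's current list, and flags the plan as unsafe when an empty or truncated export would remove most of the gateway's domains. The function names, the sample data and the 20% removal limit are assumptions; the one-name-per-line input matches what the script above writes.

```python
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Return the lower-case domain name, or None if it is not a plain DNS name.

    Wildcard entries and display names that are not domains return None, so
    they are reported instead of being pushed to the gateway.
    """
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return name


def plan_sync(exported_lines, gateway_domains, max_removal_ratio=0.2):
    """Compare the AD export with the gateway list and return the change plan.

    exported_lines    lines of the file written by the export script
    gateway_domains   domains currently configured on the AS/AV gateway
    max_removal_ratio largest share of gateway domains one run may remove
    """
    wanted, rejected = set(), []
    for line in exported_lines:
        if not line.strip():
            continue
        domain = normalize(line)
        if domain is None:
            rejected.append(line.strip())
        else:
            wanted.add(domain)

    current = set()
    for entry in gateway_domains:
        domain = normalize(entry)
        if domain is not None:
            current.add(domain)

    to_add = sorted(wanted - current)
    to_remove = sorted(current - wanted)
    # An export that is empty because the LDAP query failed must not wipe
    # the gateway's list, so large removals need a manual review.
    safe = len(to_remove) <= max_removal_ratio * len(current)
    return {
        "add": to_add,
        "remove": to_remove,
        "rejected": rejected,
        "safe_to_apply": safe,
    }


# Constructed sample data, not taken from a real deployment.
EXPORTED_SAMPLE = [
    "customer1.example\n",
    "Customer2.Example.\n",
    "*.wild.example\n",
    "Default Domain\n",
    "\n",
]
GATEWAY_SAMPLE = ["customer1.example", "old.example"]

if __name__ == "__main__":
    print(plan_sync(EXPORTED_SAMPLE, GATEWAY_SAMPLE, max_removal_ratio=0.5))
    print(plan_sync([], GATEWAY_SAMPLE))
```
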

Configuring MX Records to Point to AS/AV Gateway IP Address

External mail servers deliver mail messages based on the MX records of domains. Therefore, to filter all incoming messages through the external AS/AV gateway, MX records should point to the IP address of the AS/AV gateway. After processing incoming messages, the external AS/AV gateway should route these messages to the Exchange Hub Servers.

MX records can be configured in POA in the following ways:

1. By setting the IP address and hostname of the AS/AV gateway in the configuration of the Exchange2007SMTP service package (see the Installing Exchange2007SMTP Service package section). This way is recommended in most cases.
2. By configuring the custom MX records activation parameter in the service template. This way is appropriate when AS/AV filtering needs to be enabled only for customers subscribed to a certain service template.

Configuring Outgoing Mail Delivery

All outgoing SMTP traffic from the Exchange Hub Servers should be processed by the AS/AV gateway. The following configuration steps should be performed to configure Outgoing Mail Delivery:

1. Exchange Hub Servers should be configured to route outgoing SMTP traffic to the AS/AV gateway.
2. The AS/AV gateway should be configured to accept outgoing mail traffic from the Exchange Hub Servers.

The diagram below illustrates outgoing mail delivery.

Messages submitted by Outlook, OWA and ActiveSync clients to Exchange CAS servers:

1 The message is sent to the CAS servers by an Outlook, OWA or ActiveSync client.
2 The message is delivered to the sender's mailbox.
3 The message is routed for outgoing delivery.
4 The message is sent via the AS/AV gateway.
5 After checking the message, the AS/AV gateway sends it to the mail server pointed to by MX records (or to another SMTP smarthost, depending on the gateway configuration).

Messages sent by authenticated POP3/IMAP clients to Exchange Hub Servers (via SMTP):

6 The message is sent to the Hub server by a POP3/IMAP client (authentication is required).
3 The message is routed for outgoing delivery.
4 The message is sent via the AS/AV gateway.
5 After checking the message, the AS/AV gateway sends it to the mail server pointed to by MX records (or to another SMTP smarthost, depending on the gateway configuration).

Configuring Exchange Hub Servers to Route Outgoing SMTP Traffic to AS/AV Gateway

In configurations without Edge Transport servers, no Send Connectors exist in the Exchange 2007 organization. To route outgoing SMTP traffic to the AS/AV gateway, a new smarthost Send Connector should be configured.

To create a Send connector to the External AS/AV Gateway, do the following:

1. Log on to EXHUB01 as a member of the Domain Administrators group.
2. Open the Exchange Management Shell.
3. Type the following commands:

    New-SendConnector -Name "Outgoing to External AS/AV Mail Gateway" -Usage Internet -AddressSpaces * -SmartHosts GW_FQDN -SmartHostAuthMechanism None -SourceTransportServers HubServersList

GW_FQDN - External AS/AV Gateway FQDN or IP address (IP address should be enclosed in parentheses).
HubServersList (for example, EXHUB01,EXHUB02) - the list of all Hub Transport Servers in the organization.

Configuring Exchange Servers to Route Locally Delivered Messages via AS/AV Gateway

When an Exchange user sends a message to a recipient housed in the same Exchange infrastructure, the message is delivered locally within the Exchange infrastructure instead of going through the AS/AV gateway pointed to by the MX records of the recipient's domain. Messages sent by POP3 and IMAP4 clients through the Exchange Hub Servers to a recipient housed in the same Exchange infrastructure are also delivered locally instead of going through the AS/AV gateway.

To protect Exchange customers hosted on the same Exchange infrastructure from sending each other messages with viruses or spam, locally delivered messages should be rerouted via the AS/AV gateway. To configure the Exchange Servers to route locally delivered messages via the external gateway, several new Send Connectors should be created and the Routing Override Transport Agent, provided with the POA distribution, should be installed.

The diagram shows the required flow for locally delivered messages:

Messages submitted by Outlook, OWA and ActiveSync clients to Exchange CAS servers:

1 The message is sent to the CAS servers by an Outlook, OWA or ActiveSync client.
2 The message is delivered to the sender's mailbox.
3 The message is routed for local delivery to the recipient's mailbox.
4 The message is re-routed via the AS/AV gateway (instead of local delivery) by the Parallels Routing Override Transport Agent.
5 After checking the message, the AS/AV gateway sends it to the Hub servers.
6 The message is delivered to the recipient's mailbox.

Messages sent by authenticated POP3/IMAP clients to Exchange Hub Servers (via SMTP):

7 The message is sent to the Hub server by a POP3/IMAP client (authentication is required).
4 The message is re-routed via the AS/AV gateway (instead of local delivery) by linked Send Connectors.
5 After checking the message, the AS/AV gateway sends it to the Hub servers.
6 The message is delivered to the recipient's mailbox.

Creating Send Connectors to External AS/AV Gateway for Local Delivered Messages

Messages that would be delivered locally from the sender's mailbox to the recipient's mailbox are rerouted by the Routing Override Transport Agent to a special domain. A new Send Connector should be created for this domain to route all such messages to the External AS/AV Gateway.

To create a Send connector to the External AS/AV Gateway for locally delivered messages re-routed by the Routing Override Transport Agent, perform these steps:

1. Log on to EXHUB01 as a member of the Domain Administrators group.
2. Open the Exchange Management Shell.
3. Type the following commands:

    New-SendConnector -Name "Local Delivery to External AS/AV Mail Gateway" -Usage Custom -AddressSpaces d56f4dee-c52e-4ae b788e22775f.local -SmartHosts GW_FQDN -SmartHostAuthMechanism None -MaxMessageSize unlimited -SourceTransportServers HubServersList

GW_FQDN - External AS/AV Gateway FQDN or IP address (IP address should be enclosed in parentheses).
HubServersList (for example, EXHUB01,EXHUB02) - the list of all Hub Servers in the organization.
d56f4dee-c52e-4ae b788e22775f.local - the domain to which the Routing Override Transport Agent re-routes all locally delivered messages.

Messages sent by POP3 and IMAP4 clients that would be delivered locally to the recipient's mailbox should also be re-routed to the External AS/AV Gateway. All incoming SMTP traffic from POP3 and IMAP4 clients arrives through the separate client Receive connectors (Client*) configured on all Exchange Hub Transport Servers. To re-route all messages from the client Receive connectors to the External AS/AV Gateway, these connectors should be linked to corresponding Send Connectors.

To create linked Send Connectors to the External AS/AV Gateway for locally delivered messages from POP3 and IMAP4 clients, do the following:

1. Log on to EXHUB01 as a member of the Domain Administrators group.
2. Open the Exchange Management Shell.
3. Type the following commands:

    New-SendConnector -Name "Client EXHUB01 to External AS/AV Mail Gateway" -LinkedReceiveConnector "EXHUB01\Client EXHUB01" -SmartHosts GW_FQDN -SmartHostAuthMechanism None -MaxMessageSize unlimited -SourceTransportServers EXHUB01

GW_FQDN - External AS/AV Gateway FQDN or IP address (IP address should be enclosed in parentheses).
EXHUB01 - the Exchange Hub server with the Receive connector that will be linked to this Send Connector.
Client EXHUB01 - the name of the client connector on the EXHUB01 server.

4. Repeat steps 1-3 on the Exchange 2007 Hub Transport Servers that will be used for handling SMTP traffic from POP3 and IMAP4 clients.

Installing Routing Override Transport Agent

The Routing Override Transport Agent is available at the following path in the distribution package: Exchange2007Agents/RoutingOverrideAgent.exe. This agent should be installed on all Exchange 2007 servers with the Hub Transport role.

To install the transport agent on one Hub Transport Server, perform the following steps:

1. Log in to the Hub Transport Server as a member of the Domain Administrators group.
2. Copy the RoutingOverrideAgent.exe file to a local directory.
3. Double-click the .exe file to start the installation.
4. Follow the instructions on your screen to install Address Rewriter Agent.
5. Repeat steps 1-4 on all Hub Transport Servers.

Note: The MSExchangeTransport service will be restarted during the Agent installation, but this does not cause service downtime if more than one Hub Transport Server is installed. The installation is performed on one server after another.
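A check that the local-delivery flow above is actually in effect, as an added example that is not part of the original guide: it reads the Received headers of a delivered message and reports whether the last Hub hop accepted it from the AS/AV gateway. The gateway address, the host and domain names and the sample messages are constructed assumptions; only the newest Hub-written header is trusted, and the peer address is used rather than the HELO name, because older headers and the HELO name are supplied by the sending side.

```python
import re
from email import message_from_string

# Assumptions for this example, not values from the guide: the Hub names
# follow the guide's EXHUB01/EXHUB02 samples, and 192.0.2.25 is a placeholder
# address for the external AS/AV gateway.
HUB_SERVERS = {"exhub01", "exhub02"}
GATEWAY_IPS = {"192.0.2.25"}

# "from <helo> (<peer ip>) by <host> [(ip)] with <protocol>;"
_HOP = re.compile(
    r"from\s+\S+\s+\(\[?(?P<ip>[0-9A-Fa-f.:]+)\]?\)\s+"
    r"by\s+(?P<by>[^\s;()]+)(?:\s+\([^)]*\))?\s+with\s+(?P<proto>[^;]+)",
    re.IGNORECASE,
)


def parse_hops(raw_message):
    """Return the parsed Received hops in header order (newest first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        match = _HOP.search(value)
        if match:
            hops.append({
                "peer_ip": match.group("ip"),
                "by": match.group("by").split(".")[0].lower(),
                "proto": match.group("proto").strip().lower(),
            })
    return hops


def check_route(raw_message):
    """Classify a delivered message by the newest hop written by a Hub server.

    via-gateway   the Hub accepted the message from the AS/AV gateway
    local-bypass  the Hub took it straight from a mailbox store (MAPI)
    other-peer    the Hub accepted it over SMTP from some other host
    no-hub-hop    no Received header written by a known Hub server
    """
    hub_hops = [hop for hop in parse_hops(raw_message)
                if hop["by"] in HUB_SERVERS]
    if not hub_hops:
        return "no-hub-hop"
    final = hub_hops[0]
    if final["proto"].startswith("mapi"):
        return "local-bypass"
    if final["peer_ip"] in GATEWAY_IPS:
        return "via-gateway"
    return "other-peer"


# Constructed sample headers: a message rerouted through the gateway.
REROUTED = """\
Received: from gw.provider.example (192.0.2.25) by EXHUB02.hosting.local (10.0.0.12)
 with Microsoft SMTP Server; Fri, 31 Jul 2009 10:00:03 +0000
Received: from EXHUB01.hosting.local (10.0.0.11) by gw.provider.example (192.0.2.25)
 with ESMTP; Fri, 31 Jul 2009 10:00:02 +0000
Received: from EXMBX01.hosting.local ([10.0.0.21]) by EXHUB01.hosting.local ([10.0.0.11])
 with mapi; Fri, 31 Jul 2009 10:00:01 +0000
From: alice@customer1.example
To: bob@customer2.example
Subject: constructed sample

body
"""

# Constructed sample headers: the same message delivered without rerouting.
DIRECT = """\
Received: from EXMBX01.hosting.local ([10.0.0.21]) by EXHUB01.hosting.local ([10.0.0.11])
 with mapi; Fri, 31 Jul 2009 10:00:01 +0000
From: alice@customer1.example
To: bob@customer2.example
Subject: constructed sample

body
"""

# Constructed sample headers: a POP3/IMAP client's SMTP submission that was
# delivered locally because no linked Send Connector rerouted it.
CLIENT_DIRECT = """\
Received: from client-pc (203.0.113.7) by EXHUB01.hosting.local (10.0.0.11)
 with Microsoft SMTP Server; Fri, 31 Jul 2009 10:05:00 +0000
From: carol@customer1.example
To: bob@customer2.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, sample in (("rerouted", REROUTED), ("direct", DIRECT),
                         ("client", CLIENT_DIRECT)):
        print(name, check_route(sample))
```
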

Delivering Messages Marked by AS/AV Gateway as Spam into Junk Folder

Messages marked by the AS/AV gateway as spam should be delivered to the Junk Folder of the recipient's mailbox. Messages passed through the AS/AV gateway are usually marked with a special X-header defining the spam confidence level. Exchange 2007 is able to move messages to the user's Junk Folder based on the X-MS-Exchange-Organization-SCL x-header value and the Junk Folder threshold value configured for the user object in Active Directory (find details at

To use the Junk Folder feature in conjunction with an external AS/AV gateway, the gateway-specific indicators that a message is spam should be converted to an X-MS-Exchange-Organization-SCL value. Note that Exchange 2007 does not allow the X-MS-Exchange-Organization-SCL value to be set externally: if a message arrives with an X-MS-Exchange-Organization-SCL x-header containing a value, the value is reset once the message is accepted by Exchange for delivery. Therefore, it is only possible to set X-MS-Exchange-Organization-SCL by means of Exchange Transport Rules or a custom Exchange Transport Agent that converts the gateway-specific spam indicators into an X-MS-Exchange-Organization-SCL value.

To configure an Exchange Transport Rule, follow these steps:

1. Log in to EXHUB01 as a member of the Domain Administrators group.
2. Open the Exchange Management Console.
3. In the console tree, expand Organization Configuration and then click Hub Transport.
4. In the Hub Transport pane, select the Transport Rules tab.
5. In the Actions pane, click New Transport Rule.
6. On the Introduction page, fill out the Name field (for example, Set SCL Value) and click Next.
7. On the Conditions page, in the Step 1 section, select "when a message header contains specific words", "when a message header contains text patterns" or any other appropriate condition. In the Step 2 section, fill out the parameters of the selected conditions and click Next.
8. On the Actions page, in the Step 1 section, select the "set spam confidence level to value" action. In the Step 2 section, fill out the spam confidence level value (integer from 0 to 9) and click Next.
9. On the Exceptions page, click Next.
10. On the Create Rule page, verify the selected rule configuration and click New.
11. On the Completion page, verify the command execution status and click Finish.

To configure the Junk Folder threshold for mailboxes created by POA, the new activation parameter "Default value of SCL Junk Threshold (0-9)" is to be configured in the respective Service Template in POA CP. An empty value (the default) means that the SCL Junk Threshold is not set and the functionality to automatically filter messages to the Junk folder is not enabled.

Important: Messages marked as spam will be successfully delivered to the Junk Folder only if the SCL Junk Threshold configured in the Service Template is less than the SCL value set by the Transport Rule or custom Transport Agent.

Note that even if the SCL Junk Threshold is configured for an Exchange mailbox, messages marked as spam will be moved to the Junk Folder only if a hidden Junk Rule is created and enabled for the mailbox. This rule is created automatically on the first logon to a mailbox via Outlook, or can be created and enabled via OWA (Options > Junk > Automatically filter junk ).

POA can automatically initialize an Exchange 2007 mailbox and enable the Junk option. To perform this initialization, the new activation parameter "Initialize Exchange 2007 Mailbox and Configure Junk option (0/1)" should be set to value "1". Also, the "Internal OWA URL" parameter of the Exchange2007Mailstore service (see the section Installing Exchange2007Mailstore Service PPM Package) should be configured with a valid OWA URL accessible from the BackNet network.

Before the Junk option is enabled, the mailbox should be initialized with a default language and time zone. For mailbox initialization, POA uses the language configured for the corresponding POA Account and the time zone configured on the Exchange Servers.

Deploying Exchange Provisioning

This section describes deployment of the components that are necessary to provision Microsoft Exchange Server 2007 services. Components for Exchange provisioning are included in HMC 4.0 and HMC 4.5. HMC 4.0 can be used with Exchange 2007 and Exchange 2007 SP1, but HMC 4.5 can be used only with Exchange 2007 SP1.

Installing Exchange Server 2007 Management Tools

In order to perform Exchange Server 2007 provisioning tasks, each Provisioning Engine server must have the Exchange Server 2007 Management Tools installed.

Important: Since the 32-bit version of Windows Server 2003 is installed on the Provisioning server, you should install 32-bit versions of the prerequisites and use the 32-bit version of the Exchange 2007 Management Tools.

Installing Exchange Server 2007 Prerequisites

Note: The list of distribution packages and their download location can be found in the Exchange Server 2007 Distribution Packages section (on page 209).

To install the Exchange Server 2007 Management Tools prerequisites on the Provisioning Engine server (MPS01), perform the following steps:

1. Install Microsoft Management Console (MMC)
2. Install Microsoft PowerShell.
3. Install .NET 2.0 update KB
4. Install Cumulative time zone update for Microsoft Windows operating systems KB (required for Exchange 2007 SP1).

Running Exchange Server 2007 Setup

Perform the following steps to install the Exchange Server 2007 Management Tools:

1. Log on to MPS01 using an account that is a member of the Domain Administrators group.
2. Open a command prompt, and navigate to the Exchange Server 2007 installation files.
3. Run the following command:

    Setup /mode:install /roles:mt

4. Setup copies the setup files locally to the computer on which you are installing Exchange Server 2007.
5. Setup checks the prerequisites, including all prerequisites specific to the server roles that you are installing. If you have not met all of the prerequisites, Setup fails and returns an error message that explains the reason for the failure. If you have met all of the prerequisites, Setup installs Exchange Server 2007.

Installing HMC 4.0 Update Rollup 4 for Hosted Exchange

To resolve various problems related to Hosted Exchange services in HMC 4.0, Update Rollup 4 for the Hosted Exchange services should be installed. HMC 4.0 Update Rollup 4 for the Hosted Exchange services can be applied either during the first deployment of Hosted Exchange provisioning or as an upgrade of an existing HMC 4.0 installation with already deployed Hosted Exchange provisioning.

To install Update Rollup 4, follow these steps.

Old components (namespaces and providers) should be uninstalled. To uninstall old components, do the following:

1. Log on to MPS01 using an account that is a member of the Domain Administrators group.
2. Start the MPS Deployment Tool.
3. Expand the Core Platform and then the Core MPF Install; right-click on the Managed Helpers and then click Uninstall.
4. Expand the MPF Core Namespaces, right-click on the Managed AD, and then click Uninstall.

Important: Step 5 should be performed only if you upgrade an existing HMC 4.0 installation with already deployed Hosted Exchange provisioning.

5. Expand the Hosted Exchange, then expand the Exchange Provisioning, and right-click on the following components:

    Exchange 2007 Hosted
    Exchange 2007 Hosted Unified Messaging
    Exchange 2007 Managed
    Exchange 2007 Managed Unified Messaging
    Exchange 2007 Mobility Provider
    Exchange 2007 OAB Resource Manager
    Exchange 2007 Provider
    Exchange 2007 Resource Manager
    Exchange 2007 Unified Messaging Provider
    Hosted Mobility 2007 Namespace
    Managed Mobility 2007 Namespace

   Click Uninstall.
6. Click Start Deployment.

Copy the new installation files in the following way:

1. Log on to MPS01 using an account that is a member of the Domain Administrators group.
2. Open the MSIShare folder.

Note: To find the path to the MSIShare folder, click on the File menu in the MPS Deployment Tool, and then click File Locations.

3. Back up the old content of the MSIShare folder.
4. Copy the following installation files from the Update Rollup 4 archive into the MSIShare directory, overwriting the old files:

The Service Provisioning/MPS/NamedProcedures directory:

    ManagedHelpers.msi
    ManagedActiveDirectory/ManagedADNS.msi
    Exchange2007OABResourceManager/Exchange2007OABResourceManagerNS.msi
    Exchange2007ResourceManager/Exchange2007ResourceManagerNS.msi
    Hosted 2007/Hosted 2007NS.msi
    HostedMobility2007/HostedMobility2007.msi
    HostedUnifiedMessaging2007/HostedUnifiedMessaging2007NS.msi
    Managed 2007/Managed 2007NS.msi
    ManagedMobility2007/ManagedMobility2007.msi
    ManagedUnifiedMessaging2007/ManagedUnifiedMessaging2007NS.msi

The Service Provisioning/MPS/Providers directory:

    Exchange2007MobilityProvider.msi
    Exchange2007Provider.msi
    UnifiedMessaging2007Provider.msi

New components (namespaces and providers) should be installed. To install the new components, do the following:

1. Log on to MPS01 using an account that is a member of the Domain Administrators group.
2. Start the MPS Deployment Tool.
3. Expand the Core Platform and then expand the Core MPF Install; right-click on the Managed Helpers, and then click Install.
4. Expand the MPF Core Namespaces, right-click on the Managed AD, and then click Install.

Important: Step 5 should be performed only if you upgrade an existing HMC 4.0 installation with already deployed Hosted Exchange provisioning.

5. Right-click on the Hosted Exchange, and then click Install all in this group.

6. Click Start Deployment.

New namespace versions should be initialized. To initialize namespaces, do the following:

1. Log on to MPS01 using an account that is a member of the Domain Administrators group.
2. Start the MPS Deployment Tool.
3. Expand the Hosting Platform and then expand the Initialize Default Services; right-click on the Initialize Namespace security, and then click Execute > Initialize Namespace Security.

Important: Steps 4, 5 and 6 should be performed only if you upgrade an existing HMC 4.0 installation with already deployed Hosted Exchange provisioning.

4. Expand the Hosted Exchange and then expand the Exchange Provisioning Configuration; right-click on the Initialize Exchange 2007 Resource Manager, and then click Execute > Initialize Exchange 2007 Resource Manager.
5. Right-click on the Initialize Hosted 2007, and then click Execute > Initialize Hosted 2007.
6. Right-click on the Initialize Managed 2007, and then click Execute > Initialize Managed 2007.
7. Click Start Deployment.

Deploying Hosted Exchange Provisioning

Run the MPS Deployment Tool to deploy the Exchange Server 2007 Providers and Namespaces, and then configure the Exchange security.

To deploy Hosted Exchange Provisioning, perform the following steps:

1. Log on to MPS01.
2. Open the Deployment Tool.
3. In the Requirements Status pane, expand Hosted Exchange, and then right-click the Exchange Provisioning component.
4. Select Install all in this group.
5. Click Start Deployment to start the execution of the selected procedures.
6. Monitor the deployment session on the Install Details tab.

To configure Hosted Exchange Provisioning, perform the following steps:

1. Log on to MPS01.
2. Open the Deployment Tool.
3. In the Requirements Status pane, expand Hosted Exchange, and then right-click the Exchange Provisioning Configuration component.
4. Select Install all in this group.
5. Click Start Deployment to start the execution of the selected procedures.
6. Monitor the deployment session on the Install Details tab.

To configure the MPSExchangeAccts group, perform the following steps:

1. Open the Exchange Management Shell on MPS01.
2. Run the following command:

    Add-ExchangeAdministrator -Role OrgAdmin -Identity HE\MPSExchangeAccts

* HE - Domain Name. Here it stands for Hosted Exchange. It is a sample value that is individual for each deployment and should be replaced by the actual value.

POA-Related Installation Steps

Overview

After the deployment of Exchange Server 2007 server roles succeeds, all Exchange Servers should be registered in POA. To do so, perform the following steps:
1. Register all Exchange Server nodes in POA.
2. Install Exchange CP on UI Servers.
3. Install Exchange PPM packages.

Create Resource Types and Service Template(s) and perform test provisioning.

Note: Before installing Exchange service packages on the Back-end, ensure that .NET Framework 2.0 is installed on the MPS node.

Installing Exchange CP Package on UI Servers

Install the package cp-any-any-any-exchange (type: cp) on the UI Servers where the Exchange Control Panel is planned to be used. Before using the newly installed Exchange CP, ensure that Java was restarted on the UI Server.

Configuring POA Administrator Account as Exchange Organization Administrator

Important: This step assumes that at least one node from the AD domain is already registered in POA and the pem_admin account is already created.

To configure the pem_admin account, follow these steps:
1. Open the Exchange Management Shell on any Exchange 2007 server.
2. Run the following command:

Add-ExchangeAdministrator -Role OrgAdmin -Identity HE\pem_admin

Registering and Configuring Mailbox Servers

Registering Standalone Mailbox Servers

Install POA Agent on your Exchange Mailbox servers. POA Agent installation steps are described in the Installing POA Agent section (on page 381).

Note: To install POA Agent on a Standalone Exchange Mailbox Server, use the instructions of the Installing POA Agent on Non-Cluster Node sub-section (on page 383).

Registering Clustered Mailbox Servers

Install POA Agent on all nodes of Clustered Mailbox Servers. POA Agent installation steps are described in the Installing POA Agent section (on page 381).

Note: To install POA Agent on an Active Cluster Node, use the instructions of the Installing POA Agent on Active Cluster Node sub-section (on page 385). To install POA Agent on a Passive Cluster Node, use the instructions of the Installing POA Agent on Passive Cluster Node sub-section (on page 387).

Installing Exchange2007Mailstore Service PPM Package

Install the package Exchange2007Mailstore (type: service) on all Mailbox servers you have registered in POA. Set the following package properties:

1. Name of Mailbox store in the Active Directory. Specify here the name of the first Mailbox store located on the Exchange Mailbox server. To get the name of the Mailbox store, perform the following steps:
   a. Log on to MPS01 under the Domain Administrators account.
   b. Open the Exchange Management Shell.
   c. Run the following command:

      Get-MailboxDatabase -Server EXMBX01 | Format-List -Property ServerName, StorageGroupName, Name, DistinguishedName

   d. In the command output, you will see the list of all mail stores available on the server. Locate the Name property for the appropriate store (usually, Mailbox Database), copy the value into the clipboard and paste it as the value of the package property.
2. Size of Mailbox storage (in GB). Specify here the size of the first Mailbox storage located on the Exchange Mailbox server. This space should not exceed the disk space on the Exchange server dedicated for Mailbox stores.
3. Size of Public Folder storage (in GB). Specify here the size of the first public folder storage in gigabytes for the registration process in POA. This space should not exceed the disk space on the Exchange server dedicated for Public Folder stores. Since POA this property is optional and may be left empty if there is no Public Folder store on the server.
4. LDAP path to the Public Folder store in the Active Directory (not mandatory). Specify here the LDAP path to the first Public Folders store located on the Exchange Mailbox server. To get the Public Folder Store LDAP path, perform the following steps:
   a. Log on to MPS01 under the Domain Administrators account.
   b. Open the Exchange Management Shell.
   c. Run the following command:

      Get-PublicFolderDatabase -Server EXMBX01 | Format-List -Property ServerName, StorageGroupName, Name, DistinguishedName

   d. In the command output, you will see the list of all public folder stores available on the server. Locate the DistinguishedName property for the appropriate store (usually, Public Folder Database), copy the value into the clipboard and paste it as the value of the package property. Add the "LDAP://" prefix.
5. Internal OWA URL (Usually it is equal to (exchange.owa.internal_url). This optional parameter is used for Exchange 2007 Mailbox Initialization via OWA. This URL should be resolvable from the BackNet network subnet. Do not forget to configure the Exchange 2007 Client Access Web Site for access from the BackNet network.

Installing Exchange2007OAB Service Package

Install the package Exchange2007OAB (type: service) on the Exchange Mailbox server you want to use as an Offline Address Book (OAB) server. The best practice is to have a number of dedicated OAB servers, but it is possible to assign this role to some of the existing Mailbox servers. Set the following package properties:
1. NetBIOS Computer Name of OAB Storage Server ("exchange.oab.pf.store.server"). Specify the NetBIOS name of the OAB storage server which hosts Public Folders. It should be filled in when the server where the package is being installed does not contain a Public Folder store, or when this store should not be used for OAB storage and/or distribution. An empty value means the storage is placed on the local server.
2. Name of Public Folder Store ("exchange.oab.pf.store.name"). Specify the name of the public folder store where OABs will be generated and stored. To get the Public Folder Store LDAP path, perform the following steps:
   a. Log on to MPS01 under the Domain Administrators account.
   b. Open the Exchange Management Shell.
   c. Run the following command:

      Get-PublicFolderDatabase -Server EXMBX01 | Format-List -Property ServerName, StorageGroupName, Name, DistinguishedName

   d. In the command output, you will see the list of all public folder stores available on the server. Locate the Name property for the appropriate store (usually, Public Folder Database), copy the value into the clipboard and paste it as the value of the package property.
3. Maximum number of Offline Address Books the server could handle ("exchange.oab.host.capacity"). Specify here the maximum number of OABs the server could handle. This value will be used for the host's capacity Number of Exchange Offline Address Books.

   Note: Microsoft guides don't recommend that one Exchange server handles more than 1000 OABs.
4. Number of Offline Address Books when warning event should be generated ("exchange.oab.host.capacity.warning"). Specify the number of OABs that, if reached, will start the warning notification event.
5. Offline Address Books Bandwidth Threshold, KBps ("exchange.oab.bandwidth.threshold.kbps"). Specify the maximum bandwidth the Outlook client server will serve. You should leave the recommended value 500 (i.e. Mbps).

Registering and Configuring Client Access Server

Client Access Servers Configurations

Client Access servers can be standalone or NLB-clustered. The most common configuration of Exchange Client Access servers is to run POP3, IMAP and Exchange Protocols (OWA, RPC-over-HTTPS, ActiveSync) on the same servers sharing the same hostname, IP address and SSL certificate. If more than one Client Access server is configured, they are usually clustered with NLB. This configuration provides fail-over, scalability and load-balancing while being cost-effective, because it requires a single hostname, IP address and SSL certificate.

Alternative NLB cluster configurations are the following:
1. Separate NLB clusters for each service: POP3 cluster, IMAP4 cluster, Exchange Protocols cluster.
2. Combination of both configurations, for example: a POP3 cluster for the POP3 service and another Client Access cluster for the IMAP4 and Exchange Protocols services.

All these configurations are supported.

Registering All Exchange Client Access Servers

Install POA Agent on all Client Access servers. POA Agent installation steps are described in the Installing POA Agent section (on page 381).

Note: To install POA Agent on an Exchange node included into an NLB cluster, follow the instructions for a non-cluster Windows node.

Important: You must specify the shared FrontNet IP address of the NLB server as the node's shared IP address during POA Agent installation on the NLB server.

Installing Exchange2007POP3 Service Package

Install the Exchange2007POP3 service package on all Client Access servers which supply POP3 connectivity. The package has the following properties:
1. External IP address for Exchange POP3 cluster (exchange.pop3.ip). Specify an external IP address of the Exchange POP3 cluster or standalone POP3 server. You must specify an identical value for all servers of a cluster. (If you want to configure one Client Access cluster, specify an identical external IP address for all Client Access services.)
2. Domain ID where A-record pointing to this cluster will be created or domain ID pointing to this cluster (domain prefix should be empty) (exchange.pop3.dns_domain.id):
   a. Specify the ID of the domain where the A-record pointing to this Exchange POP3 cluster or standalone server will be created. Usually it is a provider's domain like provider.com. To find the domain ID in POA CP, go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
   b. Specify the ID of the domain pointing to this cluster or standalone server. In this case you should leave the domain prefix empty. (Note that the A-record will not be created in this case.) Usually it is some domain like pop3.provider.com, which is registered in POA DNS as a domain on the external DNS server. To find the domain ID in POA CP, go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
3. Prefix for creating of A-record pointing to this cluster (if value is empty, then A-record will not be created) (exchange.pop3.dns_domain.prefix). Prefix for the A-record pointing to this Exchange POP3 cluster or standalone server. If the prefix is pop3 and the provider's domain is provider.com, then the pop3.provider.com FQDN will be registered. You must specify an identical value for all POP3 servers of a cluster. Recommended value for one cluster configuration: exchange. If you leave the prefix empty, an A-record will not be registered; the domain whose ID is specified in the exchange.pop3.dns_domain.id parameter will be used as the DNS name for this cluster or standalone server.

Installing Exchange2007IMAP4 Service Package

Install the package Exchange2007IMAP4 (type: service) on all IMAP4 Client Access servers. Set the following package properties:
1. External IP address for Exchange IMAP4 cluster ("exchange.imap4.ip"). Specify an external IP address of the Exchange IMAP4 cluster or standalone IMAP4 server. You must specify an identical value for all servers of a cluster. If you want to configure only one Client Access cluster, specify an identical external IP address for all the Client Access services.
2. Domain ID where A-record pointing to this cluster will be created or domain ID pointing to this cluster (domain prefix should be empty) (exchange.imap4.dns_domain.id):
   a. Specify the ID of the domain where the A-record pointing to this Exchange IMAP4 cluster or standalone server will be created. Usually it is a provider's domain like provider.com. To find the domain ID in POA CP, go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
   b. Specify the ID of the domain pointing to this cluster or standalone server. In this case you should leave the domain prefix empty. (Note that the A-record will not be created in this case.) Usually it is some domain like imap.provider.com, which is registered in POA DNS as a domain on the external DNS server. To find the domain ID in POA CP, go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
3. Prefix for creating of A-record pointing to this cluster (if value is empty, then A-record will not be created) (exchange.imap4.dns_domain.prefix). Prefix for the A-record pointing to this Exchange IMAP4 cluster or standalone server. If the prefix is imap and the provider's domain is provider.com, the imap.provider.com FQDN will be registered. You must specify an identical value for all IMAP4 servers of the cluster. Recommended value for one cluster configuration: exchange. If you leave the prefix empty, an A-record will not be registered; the domain whose ID is specified in the exchange.imap4.dns_domain.id parameter will be used as the DNS name for this cluster or standalone server.

Installing Exchange2007 Protocols Service Package

Install the package Exchange2007Protocols (type: service) on all Client Access servers which supply Exchange Protocols connectivity. Set the following package properties:
1. External IP address for the Exchange Protocols cluster ("exchange.protocols.ip"). Specify an external IP address of the Exchange Protocols cluster or standalone Exchange Protocols server. You must specify an identical value for all the servers of a cluster. If you want to configure only one Client Access cluster, specify an identical external IP address for all the Client Access services.
2. Domain ID where A-record pointing to this cluster will be created or domain ID pointing to this cluster (domain prefix should be empty) (exchange.protocols.dns_domain.id):
   a. Specify the ID of the domain where the A-record pointing to this Exchange Protocols cluster or standalone server will be created. Usually it is a provider's domain like provider.com. To find the domain ID in POA CP, go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
   b. Specify the ID of the domain pointing to this cluster or standalone server. In this case you should leave the domain prefix empty. (Note that the A-record will not be created in this case.) Usually it is some domain like exchange.provider.com, which is registered in POA DNS as a domain on the external DNS server. To find the domain ID in POA CP, go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
3. Prefix for A-record pointing to this Exchange Protocols cluster ("exchange.protocols.dns_domain.prefix"). Specify a prefix for the A-record pointing to this Exchange Protocols cluster or standalone server. If the prefix is exchange and the provider's domain is provider.com, the exchange.provider.com domain name will be registered. You must specify an identical value for all Exchange Protocols servers of a cluster. Recommended value for one cluster configuration is exchange.
4. RPC over HTTP authentication type ("exchange.protocols.rpc.auth_type"). Place the value 0 here since POA supports the basic authorization in OWA and RPC.
5. Outlook Web Access (OWA) virtual directory name ("exchange.protocols.owa.dir"). Type the name of the OWA virtual directory. This name will be used for creating the OWA URL. For example, if you specify the OWA value, the server with DNS exchange.neverhood.org OWA URL will get URL. This value can be empty.

Installing Exchange2007Autodiscover Service Package

Install the Exchange2007Autodiscover service package on the Client Access Servers which supply Exchange Autodiscover connectivity. At least one Autodiscover service (standalone or clustered) needs to be configured per Exchange organization. The Autodiscover service is responsible for redirecting Autodiscover requests to the appropriate web site configured for Exchange web-based protocols. The following package properties need explanation:
1. Front-Net IP address bound to cluster of specially created IIS Virtual site used for redirecting of AutoDiscovery requests from Outlook 2007 clients (exchange.autodiscover.ip). Specify here the external IP address of the stand-alone or clustered specially created IIS Virtual site used for redirecting AutoDiscovery requests from Outlook 2007 clients. You must specify an identical value for all servers of the cluster. (If you want to configure one Client Access cluster, specify an identical external IP address for all Client Access services.)
2. Domain ID where A-record pointing to this cluster will be created or domain ID pointing to this cluster (domain prefix should be empty) (exchange.autodiscover.dns_domain.id). Specify the ID of the domain where the A-record pointing to this Exchange Autodiscover Redirect cluster or stand-alone server will be created. Usually it is a provider domain like provider.com. To find the domain ID in POA CP, go to Top > Operations Director > Domain Manager > Domains. The number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
   Or you can specify the ID of the domain pointing to this cluster or stand-alone server. In this case you should leave the domain prefix empty. (Note that the A-record will not be created in this case.) Usually, it is a domain like exchange.provider.com, which is registered in POA DNS as a domain on the external DNS server. To find the domain ID in POA CP, go to Top > Operations Director > Domain Manager > Domains. The number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You should specify an identical value for all servers of the cluster.
3. DNS prefix of A-record pointing to this cluster (if value is empty, then A-record will not be created) (exchange.autodiscover.prefix). Prefix for the A-record pointing to this Exchange Autodiscover Redirect cluster or stand-alone server. If the prefix is autodiscover-redirect and the provider domain is provider.com, the autodiscover-redirect.provider.com FQDN will be registered. You should specify an identical value for all servers from one cluster. Recommended value for "one cluster" configuration: autodiscover-redirect. If you leave the prefix empty, an A-record will not be registered; the domain whose ID is specified in the exchange.autodiscover.dns_domain.id parameter will be used as the DNS name for this cluster or stand-alone server.

Registering and Configuring Hub Transport Servers

Registering All Hub Transport Servers

Install POA Agent on all Hub Transport servers. POA Agent installation steps are described in the Installing POA Agent section (on page 381).

Note: To install POA Agent on an Exchange node included into an NLB cluster, follow the instructions for a non-cluster Windows node.

Important: You must specify the shared FrontNet IP address of the NLB server as the node's shared IP address during POA Agent installation on the NLB server.

Installing Exchange2007SMTPAuth Service Package

Install the package Exchange2007SMTPAuth (type: service) on the Hub Transport server which will be used as the outgoing SMTP server for POP3 and IMAP clients. The respective Hub Transport server should be deployed and ready to receive mail. The service registers an A-record which points to this server. The hostname of the registered A-record is displayed in the CCP on the POP3 Setup Information and IMAP Setup Information pages as the outgoing SMTP server. During installation, set the following package properties:
1. External IP address for Exchange SMTP Auth cluster ("exchange.smtp.ip"). Specify an external IP address of the Exchange SMTP Auth cluster or standalone SMTP Auth server. You must specify an identical value for all servers of a cluster.
2. Domain ID where A-record pointing to this cluster will be created or domain ID pointing to this cluster (domain prefix should be empty) (exchange.smtp.dns_domain.id):
   a. Specify the ID of the domain where the A-record pointing to this Exchange SMTP Auth cluster or standalone server will be created. Usually it is a provider's domain like provider.com. To find the domain ID in POA, go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
   b. Specify the ID of the domain pointing to this cluster or standalone server. In this case you should leave the domain prefix empty. (Note that the A-record will not be created in this case.) Usually, it is some domain like auth.provider.com, which is registered in POA DNS as a domain on the external DNS server. To find the domain ID in POA CP, go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
3. Prefix for creating of A-record pointing to this cluster (if value is empty, then A-record will not be created) (exchange.smtp.dns_domain.prefix). Prefix for the A-record pointing to this Exchange SMTP Auth cluster or standalone server. If the prefix is auth and the provider domain is provider.com, the auth.provider.com FQDN will be registered. You must specify an identical value for all servers of the cluster. If you leave the prefix empty, an A-record will not be registered; the domain whose ID is specified in the exchange.smtp.dns_domain.id parameter will be used as the DNS name for this cluster or standalone server.

Installing Address Rewriter Transport Agent

Since POA version 51.26_hotfix02, the transport agent is included in the POA distribution. It resolves the Exchange 2007 issue with strange addresses in the To field of mails sent to contacts. It is available at the following path: Exchange2007Agents/AddressRewriterAgent.exe. This agent should be installed on all Exchange 2007 servers with the Hub Transport server role.

To install the transport agent on a server with the Hub Transport server role, do the following:
1. Log in to the server with the Hub Transport server role installed as a member of the Domain Administrators group.
2. Copy the AddressRewriterAgent.exe file to a local directory.
3. Double-click the .exe file to start the installation.
4. Follow the Address Rewriter Agent installation steps.
5. Repeat steps 1-4 on all servers with the Hub Transport server role.

Important: The MSExchangeTransport service will be restarted during the Agent installation, and this can cause a short mail delivery downtime.

Registering and Configuring Edge Transport Server

Installing Exchange2007SMTP Service Package

Note: Since the Edge Transport servers can't be registered in POA, the package Exchange2007SMTP (type: service) should be installed on the Hub Transport server.

Install the package Exchange2007SMTP (type: service) on all Edge (Hub) Transport servers. Set the following package properties:
1. External IP address for Exchange EDGE cluster ("exchange.smtp.ip"). Specify an external IP address of the Exchange Edge cluster or standalone Edge server. You must specify an identical value for all servers of a cluster.
2. Domain ID where A-record pointing to this cluster will be created or domain ID pointing to this cluster (domain prefix should be empty) (exchange.smtp.dns_domain.id):
   a. Specify the ID of the domain where the A-record pointing to this Exchange Edge cluster or standalone server will be created. Usually it is a provider's domain like provider.com. To find the domain ID in POA CP, go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
   b. Specify the ID of the domain pointing to this cluster or standalone server. In this case you should leave the domain prefix empty. (Note that the A-record will not be created in this case.) Usually, it is some domain like smtp.provider.com, which is registered in POA DNS as a domain on the external DNS server. To find the domain ID in POA CP, go to Top > Operations Director > Domain Manager > Domains; the number in the ID column is the domain ID. Locate the requisite domain and copy its ID into this property. You must specify an identical value for all servers of the cluster.
3. Prefix for creating A-record pointing to this cluster (if value is empty, then A-record will not be created) (exchange.smtp.dns_domain.prefix). Prefix for the A-record pointing to this Exchange Edge cluster or standalone server. If the prefix is smtp and the provider domain is provider.com, the smtp.provider.com FQDN will be registered. You must specify an identical value for all servers of the cluster. If you leave the prefix empty, an A-record will not be registered; the domain whose ID is specified in the exchange.smtp.dns_domain.id parameter will be used as the DNS name for this cluster or standalone server.
4. Default SPF record (exchange.smtp.default_spf). This is the value of the default SPF record, which will be created on the provider's and brand's domains. The default value is v=spf1 a mx. This rule marks e-mails coming from the hosts listed in the A and MX records of the domain as Safe, and rejects other e-mails. You can also specify stronger rules. For details about SPF records and SPF rules syntax, refer to or to
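An added example, not part of the original guide or of POA: a minimal PowerShell evaluator for the mechanisms in the default value (a, mx) plus ip4 and all, run against constructed DNS data; the function names, provider.com and every address are assumptions made for the illustration. Under RFC 7208 section 4.7, a record with no matching mechanism and no all term returns neutral rather than fail, which is what the comparison with the ~all and -all variants shows.

```powershell
# Added example (not from the guide). DNS answers are constructed sample data so
# the script runs offline; provider.com and every address below are made up.
$SampleDns = @{
    'provider.com' = @{
        A  = @('192.0.2.10')                  # A records of the domain
        MX = @('192.0.2.25', '192.0.2.26')    # addresses of the domain's MX hosts
    }
}

# Hypothetical helper: dotted-quad IPv4 address -> unsigned 32-bit number.
function ConvertTo-UInt32 ([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                  # network order -> little-endian host order
    [BitConverter]::ToUInt32($bytes, 0)
}

# Hypothetical helper: is $Address inside $Range ("a.b.c.d" or "a.b.c.d/len")?
function Test-Ip4InRange ([string]$Address, [string]$Range) {
    $network, $length = $Range -split '/'
    if (-not $length) { $length = 32 }
    $block = [math]::Pow(2, 32 - [int]$length)    # number of addresses in the prefix
    $addressBlock = [math]::Floor((ConvertTo-UInt32 $Address) / $block)
    $networkBlock = [math]::Floor((ConvertTo-UInt32 $network) / $block)
    return ($addressBlock -eq $networkBlock)
}

# Hypothetical function: evaluates an SPF record left to right and returns the
# result of the first matching mechanism. Only a, mx, ip4 and all are handled;
# any other term (include, redirect=, exp=, ...) yields 'Unsupported'.
function Get-SpfResult {
    param(
        [string]$Record,      # TXT value, for example 'v=spf1 a mx'
        [string]$Domain,      # domain whose A/MX sets are consulted
        [string]$SenderIp     # address of the connecting SMTP client
    )
    $terms = @($Record.Trim() -split '\s+')
    if ($terms[0] -ne 'v=spf1') { return 'None' }
    $qualifierResult = @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }

    foreach ($term in ($terms | Select-Object -Skip 1)) {
        $qualifier = '+'                      # default qualifier when none is written
        $mechanism = $term
        if ($term -match '^[+\-~?]') {
            $qualifier = $term.Substring(0, 1)
            $mechanism = $term.Substring(1)
        }
        $matched = $false
        switch -Regex ($mechanism) {
            '^all$'      { $matched = $true; break }
            '^a$'        { $matched = $SampleDns[$Domain].A  -contains $SenderIp; break }
            '^mx$'       { $matched = $SampleDns[$Domain].MX -contains $SenderIp; break }
            '^ip4:(.+)$' { $matched = Test-Ip4InRange $SenderIp $Matches[1]; break }
            default      { return 'Unsupported' }
        }
        if ($matched) { return $qualifierResult[$qualifier] }
    }
    return 'Neutral'                          # RFC 7208 section 4.7 default result
}

$records = @(
    'v=spf1 a mx',                            # default exchange.smtp.default_spf value
    'v=spf1 a mx ~all',
    'v=spf1 a mx -all',
    'v=spf1 a mx ip4:198.51.100.0/24 -all'
)
# One listed MX host, one address inside the ip4 range, one unrelated sender.
$senders = @('192.0.2.25', '198.51.100.9', '203.0.113.77')

$rows = foreach ($record in $records) {
    foreach ($ip in $senders) {
        [pscustomobject]@{
            Record = $record
            Sender = $ip
            Result = Get-SpfResult -Record $record -Domain 'provider.com' -SenderIp $ip
        }
    }
}
$rows | Format-Table Record, Sender, Result -AutoSize
```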

Configuring Exchange 2007 Branding

Branding can be configured for the following Exchange 2007 services:
- Protocols (OWA, Outlook, ActiveSync)
- Autodiscover
- SMTP
- SMTP Authentication
- POP3
- IMAP4

Note: It is impossible to configure several brands for the "POP3" and "IMAP4" services on one Exchange CAS Server. For details see chapter Configuring Branding for POP3 and IMAP4 Services (on page 317).

POA automatically configures all the necessary Exchange 2007 objects for the following services: "Protocols (OWA, Outlook, ActiveSync)", "Autodiscover" and "SMTP Authentication". The "SMTP" service is also configured automatically in deployment configurations without Edge servers. In deployment configurations with Edge servers, the manual deployment steps should be performed (see topic Internet SMTP Branding (on page 317)). The "POP3" and "IMAP4" services should also be configured manually (see topic Configuring Branding for POP3 and IMAP4 Services (on page 317)).

POA can automatically assign new IP addresses for branded Exchange services. Therefore, before configuring branded access points in Branding Manager, the corresponding IP pool should be configured. The IP pool can be configured via Top > Operations Director > IP Manager > IP Pools in POA CP. The IP pool should be available for the "Branding configuration" purpose and assigned to the required Exchange CAS and Hub servers and "Front Net" network interfaces. For successful configuration of Exchange Branding under a Reseller account, this IP Pool should be assigned to the Reseller's account (you can also make this IP Pool available for: Everyone).

Note: For detailed instructions on how to configure a brand for Exchange 2007, refer to the POA Provider's Guide, Marketing Operations > Branding in Parallels Operations Automation > Configuring Brand > Branding Exchange > Branding Exchange 2007 section.

Configuring Branding for POP3 and IMAP4 Services

Several brands for POP3 and IMAP4 services cannot be configured on one Client Access Server. All brands should use the same neutral provider host names and SSL certificates associated with the POP3 and IMAP services. A dedicated CAS server can be used for branding of POP3 and IMAP4 services.

Internet SMTP Branding

It is recommended to provide the ability to use TLS authentication for Internet SMTP access. Internet SMTP access to Exchange 2007 provided by Receive Connectors is configured on the Edge or, in configurations without Edge servers, on Hub servers. There are two possible configurations of Internet Access branding.

In a deployment configuration without Edge servers, POA automatically configures Receive Connectors for Internet SMTP branding when branding is configured for the Exchange 2007 "SMTP" service. For details see the Configure Exchange 2007 Branding section (on page 317).

In configurations with Edge servers, the branded Internet SMTP access should be provided by a dedicated Receive Connector configured on the Edge servers. In such configurations a dedicated hostname on the branding domain, IP address and SSL certificate should be used for Internet SMTP branding. Receive Connectors on Edge servers should be configured manually.

To create the Receive Connector for branded Internet SMTP access, follow these steps:
1. Log in to the Edge server which will be used for SMTP branding (for example, EXEDGE01) as a member of the Administrators group.
2. Open the Exchange Management Shell.
3. Type the following command:

   New-ReceiveConnector -Server <Server Name> -Name "Internet reseller.com" -Usage Internet -Bindings <SMTPIP>:25 -Banner "220 <Banner>" -Fqdn <FQDN>

   where:
   - Server Name is the Edge server name (EXEDGE01);
   - reseller.com is the branding domain name;
   - SMTPIP is the IP address for Internet access;
   - Banner is the text for the 220 (Service ready) SMTP response;
   - FQDN is the host name (for example, mail.reseller.com) which will be provided in response to HELO or EHLO commands and will be used for certificate selection (for secure connections). This host name should later be configured for branding of the Exchange2007SMTP POA service (see the Configure Exchange 2007 Branding section (on page 317)).
4. Install an SSL certificate for the new connector. To install the SSL certificate, refer to the instructions provided in Configuring SSL Certificate for SMTP Service on Transport Servers (on page 278). During certificate configuration, use a host name of the branding domain (for example, mail.reseller.com) as the FQDN parameter of the Receive Connector.

Repeat steps 1-4 on all Exchange 2007 Edge servers from the same NLB cluster (if an NLB cluster is configured).

Configuring Branded Access Points in Branding Manager

To configure the branded access points for Exchange services via POA CP, follow these steps:

1. In PCP/RCP, go to Top > Marketing Director > Branding Managers > Brands. The list of available brands opens.
2. Click the name of the required Brand. On the Exchange Branding screen all available access points should be listed.
3. Move to the Service Branding tab, Exchange Branding subtab.
4. Click the name of the required branded access point and then click the Edit button.
5. In the Edit screen area, select the Branding On option button and then select the On System DNS option button.
6. Specify the correct prefix for the Hostname. By default the provider prefix is suggested; in most cases it is an acceptable choice.
7. In the IP address combo-box, select the Public IP address or select New to assign a new IP address from the available IP Pool.
8. To configure an SSL certificate, click Assign new certificate on the branding access point View screen. A new certificate can be assigned only for the Exchange 2007 "Protocols (OWA, Outlook, ActiveSync)", "SMTP" and "SMTP Authentication" services.
9. Click Submit.
10. Repeat steps 3-8 for all branded access points.

Branding Verification

To verify that branding was enabled for a specified brand and for a specified service, follow these steps:

1 Check the brand's domain (for example, brand.com) in the DNS: it must contain the A record with the <prefix>.brand.com name, which points to the IP address specified when branding was enabled.
2 Select the Subscription which was created under the specified brand and which provides the specified service (create such a Subscription if it does not exist).
3 Log in to CCP as the Subscription owner. Go to Hosting > Configuration & Administration > Exchange > Mailboxes. Create a mailbox and enable an access type which corresponds to the specified service. Wait until the mailbox gets the Ready status.
4 Open the mailbox and check the corresponding access information:
- For OWA Access, check the login URLs - they should be located on <prefix>.brand.com.
- For IMAP4 Access and POP3 Access, open the Setup info and find the Incoming mail server - it should be <prefix>.brand.com.
- For ActiveSync, open the Setup info and find the name of the ActiveSync CAS server - it should be <prefix>.brand.com.
- For SMTP Access, open the Setup info of the IMAP4 or POP3 and find the Outgoing mail server - it should be <prefix>.brand.com.
5 Check MX records on the customer's domain.

Note: If MX records on the customer's domain are not branded, ensure that the Service Template which was used for the Subscription creation has the reseller's domain specified in the Default Domain's Identifier activation parameter.

Deployment and Installation Troubleshooting

Problems with Mail Delivery to Newly Created Recipient

In an Exchange Server 2007 environment, when you use an Exchange 2007 Edge Transport server, you may experience a delay of more than four hours after a new recipient is created before the recipient can receive messages. This issue occurs because of the following behavior:

- Recipient information must be synchronized from AD to the ADAM database on the Edge Transport server. By default, this synchronization takes place every four hours.
- You enable Recipient Validation in the Recipient Filter agent, and the Edge Transport server must update its recipient cache. By default, the update happens every four hours.

To reduce the synchronization delay between AD and ADAM, POA performs additional synchronization periodically. The synchronization interval can be configured by setting the SMTP Configuration > SMTP domains refresh interval property of the POA Exchange2007SMTP service.

Important: It is not recommended to perform synchronization more frequently than every hour.

To reduce the mail acceptance delay caused by the Edge Transport recipient cache timeout when Recipient Validation is enabled, use the following solution:

1 Disable Recipient Validation in the Recipient Filter agent.
2 Leave it as a known issue.
3 Completely disable the recipient cache. To perform this operation, execute the following command in the Exchange Management Shell on all Edge servers:

Set-TransportServer -Identity EXEDGE01 -RecipientValidationCacheEnabled $false ; Restart-Service MSExchangeTransport

Important: You may experience a decrease in performance of the Edge Transport servers if you turn off the recipient cache, especially on highly loaded servers.

Deploying BlackBerry Enterprise Server for Microsoft Exchange 2007

Overview

There are two deployment scenarios for provisioning BlackBerry components in POA:

- Large Scale Deployment. This scenario is appropriate for high volume deployment schemes where thousands of BlackBerry accounts will be provisioned on multiple servers.
- Consolidated Deployment scheme. This scenario is appropriate for providers who want to start offering BlackBerry Messaging to a limited number of users and with minimal investments.

The following diagram shows both variants of deployment:

Figure 69: Deployment scenarios for BlackBerry messaging system

Components: BlackBerry Configuration Database; BlackBerry API BESUserAdminService
  Large Scale Deployment: BESSQL01 - dedicated database server that is used by multiple BES servers. Microsoft SQL Server 2000 SP4 or Microsoft SQL Server 2005 is installed.
  Consolidated Deployment: BES01 - consolidated BlackBerry server. Microsoft SQL Server Desktop Engine 2000 (MSDE 2000) is installed.

Component: BlackBerry Enterprise Server (BES)
  Large Scale Deployment: BES01, BES02, ... - dedicated BlackBerry servers.
  Consolidated Deployment: BES01 - consolidated BlackBerry server. Microsoft SQL Server Desktop Engine 2000 (MSDE 2000) is installed.

Components: BlackBerry API BESUserAdminClient; Parallels's MPS Provider for BES
  Both deployments: MPS01 - provisioning server (running Microsoft Provisioning System).

Note: The maximum size of an MSDE 2000 database cannot exceed 2 GB.

BlackBerry messaging service is provisioned via BlackBerry API. BlackBerry API tools (BESUserAdminService and BESUserAdminClient) are a part of the BlackBerry Enterprise Server Resource Kit.

The following sample names are used in this section:
DOM - Active Directory domain where Exchange and BlackBerry are deployed.
DOM.local - FQDN name of the Active Directory domain where Exchange and BlackBerry are deployed.
HostedExchange - Exchange organizational unit.

Hardware Requirements

This section provides hardware and software requirements for installing BlackBerry Enterprise Server for Microsoft Exchange.

Server Names: BES (Consolidated Deployment)
Description: BlackBerry Enterprise Server. Runs BlackBerry Messaging services, Configuration Database and BlackBerry API service.
Density: 500 accounts
Quantity: 1
OS: Windows Server 2003 (R2) Standard Edition SP2 (English, French, German, Italian or Spanish) (x86)
Software:
  To be installed by the Customer: OS
  To be installed by Parallels (Distribution to be provided by the Customer):
    BlackBerry Enterprise Server version
    Blackberry Enterprise Server Resource Kit
    Microsoft Exchange 2003 System Management Tools (for Microsoft Exchange 2003) - or - Microsoft Exchange Server MAPI Client and Collaboration Data Objects (for Microsoft Exchange 2007)
    Microsoft SQL Server Desktop Engine - or - Microsoft SQL Server 2005 Express Edition
Supported Virtualization: Not supported
CPU: 2 core (3GHz or higher)
RAM: 4GB
Disks: Array 1:

OS, software, BES Logs - 2 x 36, SCSI RAID 1
Disk Partitioning: Array 1:
  C: 16GB - OS and Software
  E:\BESLogs - 20GB - BES Logs
NICs: BackNet

Server Names: BES (Large Scale Deployment)
Description: BlackBerry Enterprise Server. Runs BlackBerry Enterprise Server services.
Density: 2,000 BlackBerry accounts
Quantity: To be calculated based on the projected number of BlackBerry accounts and the density above.
OS: Windows Server 2003 (R2) Standard Edition SP2 (English, French, German, Italian or Spanish) (x86)
Software:
  To be installed by the Customer: OS
  To be installed by Parallels (Distribution to be provided by the Customer):
    BlackBerry Enterprise Server version
    Microsoft Exchange 2003 System Management Tools (for Microsoft Exchange 2003) - or - Microsoft Exchange Server MAPI Client and Collaboration Data Objects (for Microsoft Exchange 2007)
Supported Virtualization: Not supported
CPU: 2 core (3GHz or higher)
RAM: 4GB
Disks: Array 1: OS, software, and BES Logs - 2 x 36, SCSI RAID 1
Disk Partitioning: Array 1:
  C: 16GB - OS and Software
  E:\BESLogs - 20GB - BES Logs
NICs: BackNet

Server Names: BESSQL (Large Scale Deployment)
Description: MSSQL server carrying BlackBerry Configuration Database.
Density: Up to 10,000 BlackBerry accounts per server depending on the disk usage

Quantity: 1 per 5 BES servers (BES (Large Scale Deployment))
OS:
  Clustered configuration: Windows Server 2003 (R2) Enterprise Edition SP2 (x86 or x64)
  Non-clustered configuration: Windows Server 2003 (R2) Standard Edition SP2 (x86 or x64)
Software:
  To be installed by the Customer: OS only
  To be installed by Parallels (distribution to be provided by the Customer):
    Blackberry Enterprise Server Resource Kit
    MS SQL Server 2000 Standard Edition SP4 - or - Microsoft SQL Server 2005 Standard Edition
Supported Virtualization: Not supported
CPU: 2 core (3GHz or higher)
RAM: 4GB
Disks: Array 1: OS, software, databases, and logs - 3 x 72 GB, SCSI RAID 5 (hardware impl.)
Disk Partitioning: Array 1:
  C: - 10 GB - for OS and software
  Q: - 1 GB - Quorum (for clustered configuration)
  D: - remaining space - for database and logs
NICs:
  BackNet
  HeartBeatNet (for clustered configuration)
  SAN connectivity (for clustered configuration)

System Requirements

Install Microsoft Exchange Server MAPI Client and Collaboration Data Objects on the computer on which you plan to install BlackBerry Enterprise Server (BES01).

Requirements for a Large Scale Deployment scheme are the following:
a Install Microsoft Exchange Server MAPI Client and Collaboration Data Objects on the computer where the BlackBerry User Administration Tool will be installed (BESSQL01).
b Install the Microsoft XML Parser and SDK 4.0 SP2 package on the computer where the BlackBerry User Administration Tool will be installed (BESSQL01). The package is located in the .\tools\ folder of the BlackBerry Enterprise Server distribution package.

Network Requirements

Note: BES01 should be deployed in the BackNet segment.

Verify the following parameters:
- The firewall or proxy has to be configured to permit the BES to initiate and maintain an outbound connection to the Internet on TCP port 3101 to connect to the BlackBerry Infrastructure.
- External domain names can be resolved from the BES01 host.
- The proxy server should have a transparent proxy in case you use a proxying firewall.

BES01 should be deployed into the FrontNet segment only if transparent NAT or HTTPS proxy is not available from the BackNet. In such a case, configure the firewall to block all FrontNet traffic except outgoing traffic on port 3101.

Deploying Database for BES

Deploying Microsoft SQL Server for BES Configuration Database

Install one of the following database programs on the computer where you plan to run the BlackBerry Configuration Database (BESSQL01 or BES01):
- For Consolidated Deployment: Microsoft SQL Server Desktop Engine 2000 (MSDE 2000) or Microsoft SQL Server 2005 Express Edition.
- For Large Scale Deployment: Microsoft SQL Server 2000 SP4 or Microsoft SQL Server 2005 Standard Edition.

Note: If you install BlackBerry MDS Services, you cannot use Microsoft SQL Server 2005 Express as your database program.

MSDE 2000 will be installed during BES installation if you have selected the respective option on the MSDE Option page of the BES installer.

Microsoft SQL Server installation notes:
- Use default settings.
- The BlackBerry Configuration Database can be installed in a custom mode. During the installation process, you can specify <servername>\<instancename>.
- Use Windows authentication between BES and the BlackBerry Configuration Database.
- You have to set up Microsoft SQL Server to be able to run under the Local System account.
- If the BlackBerry Configuration Database is located on a remote computer or you want to use a remote BlackBerry Manager, you must enable the named pipes and TCP/IP network protocols on BESSQL01 using the SQL Server Network Utility.

BlackBerry Enterprise Server Pre-Installation Steps

Creating BES Service Account

1 Log in to the Microsoft Provisioning System host (MPS01) using an account that is a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following command:

New-Mailbox -DomainController AD01.DOM.local -Name BESAdmin -Database "EXMBX01\First Storage Group\Mailbox Database" -UserPrincipalName [email protected] -OrganizationalUnit Users | Add-ExchangeAdministrator -DomainController AD01.DOM.local -Role ViewOnlyAdmin

4 Press Enter and type the password, then press Enter again.
5 Be sure that the newly created user (BESAdmin) is a member of the Domain Users group.
6 From the command line, run the dsa.msc snap-in.
7 Expand the node named as your domain, and then expand the Users container.
8 Right-click on the newly created user (BESAdmin), and then click Add to a group.
9 Enter AllUsers@Hosting. Click Check Names. Click OK.

Configuring Permissions for BES Service Account

1 Log on to the Microsoft Provisioning System host (MPS01) using an account that is a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following command:

Get-OrganizationConfig | Add-AdPermission -DomainController AD01.DOM.local -user BESAdmin -accessrights GenericRead -extendedrights ms-exch-store-admin,"receive as","send as"

4 Press Enter.
5 Type the following command:

Add-AdPermission -Identity "DC=DOM,DC=local" -DomainController AD01.DOM.local -user BESAdmin -extendedrights "Receive as","send as" -InheritanceType Descendents -InheritedObjectType User

6 Press Enter.
7 Type the following command:

Add-AdPermission -Identity "CN=Users,DC=DOM,DC=local" -DomainController AD01.DOM.local -user BESAdmin -accessrights GenericRead -InheritanceType SelfAndChildren

8 Press Enter.
9 Restart the Microsoft Exchange Information Store service on the affected Exchange mailbox server (EXMBX01).

Configuring Servers for BES

Perform the following steps on each computer where you plan to install BES (BES01 and so on).

Note: For a Large Scale Deployment scheme the following steps also must be performed on the SQL01 host.

1 Log on to the BES host (BES01) using an account that is a member of the Domain Administrators group.
2 On the taskbar, click Start > Programs > Administrative Tools > Computer Management.
3 In the console tree, double-click Local Users and Groups, and then click Groups.
4 Double-click the Administrators group.
5 Click Add, and then add the BESAdmin account to the Members list. Click OK.

Configuring MS SQL Permissions for BES Service Account

Note: The steps described below are required for the Large Scale Deployment scheme only.

1 Log on to the database server where the BlackBerry Configuration Database will be deployed (SQL01) using an account that is a member of the Domain Administrators group.
2 Open Microsoft SQL Server > Enterprise Manager.
3 Expand the Microsoft SQL Servers node > SQL Server Group, and double-click the SQL server where your BlackBerry Configuration Database will be deployed.
4 Double-click Security. Right-click Logins and select New Login.
5 Enter DOM\BESAdmin in the Name field.
6 Select the Server Roles tab. Check System Administrators.
7 Click OK.

Note: This instruction is applicable for MS SQL

Configuring Default Global Address List

To set up the security policies for the Default Global Address List, do the following:

1 Log in to the Microsoft Provisioning System host (MPS01) using an account that is a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following command:

Get-GlobalAddressList -DomainController AD01.DOM.local "Default Global Address List" | Add-ADPermission -DomainController AD01.DOM.local -User BESAdmin -AccessRights GenericRead -ExtendedRights "Open Address List" -InheritanceType None

4 Press Enter.

Note: Setup of the Default Global Address List permissions can fail because the security list has a non-canonical ordering. In this case you should set up permissions manually via adsiedit.msc.

Installing BlackBerry Enterprise Server Software

Note: Microsoft Exchange Server MAPI Client and Collaboration Data Objects should be installed on the computer on which you plan to install BlackBerry Enterprise Server.

Add BlackBerry Enterprise Servers to the BlackBerry Domain, specifying the shared BlackBerry Configuration Database (BESSQL01 or BES01) during the installation process:

1 Log in to the BES host (BES01) using the BESAdmin account.
2 Run setup.exe from your BES distribution folder.
3 For the Large Scale Deployment scheme - on the main page of the Installation Info/Log File Folder specify the folder for BES log files (E:\BESLogs). For the Consolidated Deployment scheme - you can leave the default value.
4 Follow the instructions on the screen.
5 When prompted, click Yes to restart the computer.
6 Log in again.
7 After reboot, the BlackBerry Enterprise Server installation will be executed automatically. If it does not start, run setup.exe manually from the BES distribution folder.
8 Complete the instructions on the screen.

Installing Recent Service Packs and Hot Fixes

1 Go to and find the latest updates for BlackBerry Enterprise Server Software.
2 In the combo box, select the version of BES software that you use (for example, BlackBerry Enterprise Server v4.1 for Microsoft Exchange). Click Next.
3 Find the required update or hotfix in the list and click Download.
4 Run the installation file.

Installing BlackBerry Resource Kit

Installing BESUserAdminService

For the Large Scale Deployment scheme the Microsoft XML Parser 4.0 SP2 package must be installed on the computer where BESUserAdminService will run.

1 Log in to SQL01 or BES01 (depending on the deployment scheme) using the BESAdmin account.
2 From the BES distribution folder, run the following:

.\tools\iemstest.exe

3 Click New and then again Next.
4 Type BESAdmin in the Profile Name field. Click Next.
5 Enter the Exchange Back-End server name (EXBE01) in the Microsoft Exchange server field.
6 Enter the BESAdmin mailbox name. Click Next.
7 Click Finish and then OK.
8 If you see the contents of the Global Address List in the left pane of the Select Mailbox dialog box, it means that the MAPI profile is properly configured. Click OK.
9 Download the BlackBerry User Administration Tool <brk-besuseradmin exe> from the distribution package to the computer from which you plan to run the BESUserAdminService (SQL01 or BES01).
10 Double-click on the .exe file that you downloaded.
11 In the Unzip to folder field, enter the folder name from where you plan to run BESUserAdminService (for example, C:\BESResKit).
12 Click Unzip.
13 In the command prompt, switch to the folder where the BESUserAdminService.exe file resides.
14 Run the following command:

BESUserAdminService -install exchange

15 Fill out the following interactive installation survey:
a Do you want the service to run automatically on startup? (Y/N): Type Y to start the service automatically.
b Enter the domain\user account the service should log in as: Type DOM\BESAdmin.
c Enter the password for this account: Type the password for the BESAdmin account.
d If you install BESUserAdminService on the BES01 host, the installation tool determines the BlackBerry Configuration DB settings by itself and you will see the following message:

Found BlackBerry Manager settings: DB Server: <BES Configuration Database host name>, DB Name: <BES Configuration Database name> (BESMgmt by default)

In other cases, if you install BESUserAdminService on a different host (SQL01), you will see an additional survey about Database server properties:
Please enter the SQL server name: Type the host name where Microsoft SQL is located (DOM\SQL01).
Please enter the Database Name: Type the BES Configuration Database name (by default, BESMgmt).
e Would you like to use SQL Authentication? (Y/N): Type N.
f Enter the client password besuseradminclients will use to connect to the service: Type the password for accessing BESUserAdminService.
g Retype the client password to confirm: Retype the password.
h To restrict the hosts allowed to run besuseradminclient, enter a comma-separated list of valid hostnames: Press the Enter key.
i Enter the name of the MAPI Profile to connect to the besadmin mailbox: Type BESAdmin.
j Do you want to restrict access to the service to clients that run as the same user as the service? (Y/N): Type N.
16 Start BESUserAdminService with services.msc.
17 In the Services management console, locate the BlackBerry User Administration Service service and click Start.

Note: Use the corresponding versions of BESUserAdminService and BESUserAdminClient (from the same BlackBerry User Administration Tool package).

Installing BESUserAdminClient Tools

1 Log on to the Microsoft Provisioning System host (MPS01) using an account that is a member of the Domain Administrators group.
2 Download the BlackBerry User Administration Tool archive <brkbesuseradmin exe> from the distribution package to the MPS01 computer.
3 Double-click the .exe file.
4 In the Unzip to folder field, enter the folder name from where you plan to run BESUserAdminService (for example, C:\BESResKit).
5 Click Unzip.
6 On the command prompt switch to the folder (C:\BESResKit\BESUserAdmin) where the BlackBerry User Administration Tool (BESUserAdminClient.exe file) resides.

7 These tools consist of two files: BESUserAdminClient.exe and CE.dll. Copy these files to the folder where POA MPS Providers reside (by default, C:\Program Files\Parallels\POA\MPF Providers).

Note: If you want to install BESUserAdminClient to another location, refer to Parallels KB article:

Adding MPFServiceAcct Account to BES

MPFServiceAcct should be added to the BES security subsystem via the BES Management console:

1 Log on to BES01 using the BESAdmin account.
2 Run the BES Management console.
3 The Profile BlackBerry Manager doesn't exist message will appear. Click OK.
4 The MAPI profile dialog box opens. Enter the Exchange back-end server NetBIOS name (EXBE0).
5 In the Mailbox field, enter the BESAdmin user name (the name should exist by default). Click Check Name. Click OK.
6 Click on the BlackBerry Domain located in the left pane.
7 Select the Role Administration tab.
8 Select the rim_db_admin_security role.
9 Click on the Add Administrators hyperlink.
10 Enter DOM\MPFServiceAcct
11 Click the OK button.

Testing BES Service Account Proper Functioning

To check that the BESAdmin account works properly, try to log in to the BESAdmin mailbox via OWA or Outlook.

Registering BES Servers in POA

Install POA Agent on BES servers according to the instructions in Installing POA Agent (on page 381).

Installing POA Packages for BlackBerry

Note: Ensure that MPFCustomProviders (version or later) is installed on the MPS server (MPS01).

Install the BlackBerry package (version or later) on each BES node (BES01). Set the following package properties:

Property - Description
exchange.bes.host.capacity - Maximum number of BlackBerry accounts the server can handle.
exchange.bes.host.capacity.warning - Number of BlackBerry accounts which will generate a warning.
exchange.bes.admin.password - Password for BlackBerry Admin Service (BESUserAdminService) access. This password must be the same as the password for BESUserAdminService.
exchange.bes.update.interval.minutes - Interval (in minutes) between account information updates.
exchange.bes.max.accounts.per.task - Maximum number of accounts to process by one periodic task.
exchange.bes.admin.host - Hostname of the server where BlackBerry Admin Service (BESUserAdminService) runs (in our example, it may be SQL01 or BES01 depending on the deployment scheme).
exchange.bes.default.policy.name - Name of an existing BlackBerry IT policy. This name will be used by default for all devices. Empty value means "Default policy".

Importing Existing BlackBerry Accounts in POA

POA supports importing of existing BlackBerry accounts which were provisioned manually. To import existing BlackBerry accounts, follow these steps:

On Linux Management Node:
1. Log on to the Management Node.
2. Set up the environment using the following command:

. $PLESK_ROOT/bin/setenv.sh

3. Run Exchange_ctl on POA MN in the following format:

$PLESK_ROOT/bin/Exchange_ctl -f $PLESK_ROOT/etc/pleskd.props importbesaccounts <host_id>

On Windows Management Node:
1. Log on to the Management Node.
2. Go to the folder where POA resides (C:\POA)
3. Change to the directory where POA binaries are located:

cd bin

4. Run Exchange_ctl on POA MN in the following format:

Exchange_ctl -f "<full_path_to_poa>\etc\pleskd.props" importbesaccounts <host_id>

Where parameters are:
<host_id> is the host id in POA where the BlackBerry service is installed.
<full_path_to_poa> is the full path to the POA installation folder (for example, C:\POA)

Example:

$PLESK_ROOT/bin/Exchange_ctl -f $PLESK_ROOT/etc/pleskd.props importbesaccounts 5

Importing Process Diagram

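Added example (not part of the original guide or of POA): a Python script that parses the per-account result lines printed by Exchange_ctl importbesaccounts, in the colon-separated format given in the Output Format for Importing Results section, lists the accounts that were not imported, and cross-checks the final summary line. The sample output is constructed; one result line per account, the e-mail addresses and all function names are assumptions.

```python
import csv
import io
import re

# Constructed sample output. One result line per account is an assumption;
# the e-mail addresses are made up for this example.
SAMPLE_OUTPUT = """\
Preparation for importing...
Importing progress:
Importing account 1 of 3: jsmith@example.com: John Smith: OK: The account is imported into subscription: 1
Importing account 2 of 3: jcutler@example.com: Jane Cutler: ERROR: Resource limit of BlackBerry Messaging is reached. Can not import the account into subscription: 1
Importing account 3 of 3: mmills@example.com: Margaret Mills: ERROR: Capacity of the BES01 is reached. Can not import the account into subscription: 1
Import completed: 1 of 3 accounts are imported;
"""

FIELDS = ("num", "total", "address", "display_name",
          "status", "message", "subscription_id")
RESULT_RE = re.compile(r"^Importing account (\d+) of (\d+): (.+)$")
SUMMARY_RE = re.compile(r"^Import completed: (\d+) of (\d+) accounts are imported")


def parse_result_line(line):
    """Return a dict for one result line, or None for any other output line."""
    match = RESULT_RE.match(line.strip())
    if match is None:
        return None
    num, total, rest = match.groups()
    # The first three ": " separators delimit address, display name, status.
    parts = rest.split(": ", 3)
    if len(parts) != 4:
        raise ValueError("malformed result line: %r" % line)
    address, display_name, status, tail = parts
    # The status message can itself contain ": ", so the subscription id
    # is taken from the right-hand end of the line.
    message, sep, subscription_id = tail.rpartition(": ")
    if not sep:
        raise ValueError("missing subscription id: %r" % line)
    values = (int(num), int(total), address, display_name,
              status, message, subscription_id.strip())
    return dict(zip(FIELDS, values))


def parse_import_output(text):
    """Collect every per-account record from the tool's full output."""
    records = []
    for line in text.splitlines():
        record = parse_result_line(line)
        if record is not None:
            records.append(record)
    return records


def failed_imports(records):
    """Accounts whose status is anything other than OK."""
    return [r for r in records if r["status"] != "OK"]


def summary_matches(text, records):
    """True if the 'Import completed' line agrees with the parsed records."""
    for line in text.splitlines():
        match = SUMMARY_RE.match(line.strip())
        if match:
            imported, total = int(match.group(1)), int(match.group(2))
            ok_count = sum(1 for r in records if r["status"] == "OK")
            return imported == ok_count and total == len(records)
    return False  # no summary line: the run was probably cut short


def to_csv(records):
    """Render the records as CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_import_output(SAMPLE_OUTPUT)
    print(to_csv(recs), end="")
    for rec in failed_imports(recs):
        print("FAILED %s: %s" % (rec["address"], rec["message"]))
    print("summary consistent:", summary_matches(SAMPLE_OUTPUT, recs))
```

A display name that itself contains ": " would shift the fields, so such lines should be reviewed by hand.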

Output Format for Importing Results

Here is a sample of the output illustrating possible responses.

C:\PSAWin\bin>exchange_ctl.exe -f "c:\psawin\etc\pleskd.props" importbesaccounts 5
Preparation for importing...
Get import information from POA
BlackBerry accounts are found on server BES01:
- 3 to be imported (not registered in POA but associated with mailboxes registered in POA);
- 1 to be ignored during import (already registered in POA);
- 0 to be ignored during import (associated with mailboxes not registered in POA).
Importing progress:
Importing account 1 of 3: [email protected]: John Smith: OK: The account is imported into subscription: 1
Importing account 2 of 3: [email protected]: Jane Cutler: ERROR: Resource limit of BlackBerry Messaging is reached. Can not import the account into subscription: 1
Importing account 3 of 3: [email protected]: Margaret Mills: ERROR: Capacity of the BES01 is reached. Can not import the account into subscription: 1
Import completed: 1 of 3 accounts are imported;

The result message of account importing has the following format:

Importing account <num> of <total>: <address>: <display name>: <status>: <status message>: <subscription id>

The elements of the result message are separated by ":" symbols, which makes it easy to import the results into the MS Excel application.

Deploying Good Messaging Server for Microsoft Exchange 2007

Important: This chapter is relevant for POA and later versions. Do not execute these steps when deploying earlier versions of POA.

Overview

There is a deployment scenario for provisioning Good components in POA:

Figure 70: Deployment Scenarios for Good Messaging System

Components: Good Messaging Server; Good Management Server
  Servers: GOOD01, GOOD02, ... - dedicated Good servers.

Components: Good API; Good Management Console; Parallels MPS Provider for GMS
  Servers: MPS01 - provisioning server (server running Microsoft Provisioning System).

Good Messaging Service is provisioned via Good API. Good API tools (a set of command-line tools) are a part of Good Management Console.

Hardware Requirements

Server Names: GOOD
Description: Good Messaging Server. Runs Good Messaging services, stores Good accounts information.
Density: 600 Good accounts (See details at
Quantity: To be calculated based on the projected number of Good accounts and the density above.
OS: Windows Server 2003 (R2) Standard Edition SP2 (x86)
    Windows Server 2008 Standard Edition (x86) or higher edition

Software:
  To be installed by the Customer: OS
  To be installed by Parallels: Good Mobile Messaging for Microsoft Exchange (Hosted Edition recommended) (Distribution to be provided by the Customer)
Supported Virtualization: Not supported
CPU: 2 core (3GHz or higher)
RAM: 4GB
Disks: Array 1: OS, software, GMS Logs, GMS Cache - 2 x 72 GB, SCSI RAID 1
Disk Partitioning: Array 1:
  C: 20GB - OS and Software
  E:\GMSLogs - 10GB - GMS Logs
  F:\GMSCache - 40GB - GMS Cache
NICs: BackNet

System Requirements

Install Microsoft Exchange Server MAPI Client and Collaboration Data Objects on the computer where you plan to install Good Messaging Server (GOOD01).

Network Requirements

GOOD01 should be deployed on the BackNet segment.

- The firewall or proxy has to be configured to permit the GMS to initiate and maintain an outbound connection to the Internet on TCP port 443 (secure https) to connect to the Good Operations Center.
- External domain names can be resolved from GOOD01.
- The proxy server should have a transparent proxy in case you use a proxying firewall.

BES01 should be deployed into the FrontNet segment only if transparent NAT or HTTPS proxy is not available from the BackNet. In such a case, configure the firewall to block all FrontNet traffic except outgoing traffic on port 3101.

Good Messaging Server Pre-Installation Steps

Creating GMS Service Account

1 Log on to the Microsoft Provisioning System host (MPS01) using an account that is a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following command:

New-Mailbox -DomainController AD01.DOM.local -Name GoodAdmin -Database "EXMBX01\First Storage Group\Mailbox Database" -UserPrincipalName [email protected] -OrganizationalUnit Users | Add-ExchangeAdministrator -DomainController AD01.DOM.local -Role ViewOnlyAdmin

4 Press Enter and type the password. Press Enter.
5 Ensure that the newly created user (GoodAdmin) is a member of the Domain Users group.
6 From the command line, run the dsa.msc snap-in.
7 Expand the node named as your domain, and then expand the Users container.
8 Right-click on the newly created user (GoodAdmin), and then click Add to a group.
9 Enter AllUsers@Hosting. Click Check Names. Click OK.

Configuring Permissions for GMS Service Account

1 Log on to the Microsoft Provisioning System host (MPS01) using an account that is a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following command:

Get-OrganizationConfig | Add-AdPermission -user GoodAdmin -DomainController AD01.DOM.local -accessrights GenericRead -extendedrights "Read metabase properties","create named properties in the information store","view information store status","administer information store","receive as","send as"

4 Press Enter.
5 Type the following command:

Add-AdPermission -Identity "DC=DOM,DC=local" -DomainController AD01.DOM.local -user GoodAdmin -extendedrights "Receive as","send as" -InheritanceType Descendents -InheritedObjectType User

6 Press Enter.
7 Type the following command:

Add-AdPermission -Identity "CN=Users,DC=DOM,DC=local" -DomainController AD01.DOM.local -user GoodAdmin -accessrights GenericRead -InheritanceType SelfAndChildren

8 Press Enter.
9 Restart the Microsoft Exchange Information Store service on the affected Exchange mailbox server (EXMBX01).

You will also need to assign an additional Send As permission to all domains and organizational units which you want to make Good-enabled.

Configuring Servers for GMS

Perform the following steps on each computer where you plan to install GMS (for example, GOOD01).

1 Log on to the GMS host (GOOD01) using an account that is a member of the Domain Administrators group.
2 Click Start > Programs > Administrative Tools > Local Security Policy.
3 In the console tree, double-click Local Policies, and then click User Rights Assignments.
4 In the details pane, double-click Log on as service.
5 Click Add User or Group, then add the GoodAdmin account to the list of accounts that have the Log on as service right. Click Ok.
6 Click Start > Programs > Administrative Tools > Computer Management.
7 In the console tree, double-click Local Users and Groups, and then click Groups.
8 Double-click the Administrators group.

9 Click Add and add the GoodAdmin account to the Members list. Click Ok.

Configuring Default Global Address List

To set the security policies for the Default Global Address List:

1 Log on to the Microsoft Provisioning System host (MPS01) using an account that is a member of the Domain Administrators group.
2 Open the Exchange Management Shell.
3 Type the following command:

Get-GlobalAddressList -DomainController AD01.DOM.local "Default Global Address List" | Add-ADPermission -DomainController AD01.DOM.local -User GoodAdmin -AccessRights GenericRead -ExtendedRights "Open Address List" -InheritanceType None

4 Press Enter.

Important: Setup of the Default Global Address List permissions can fail because the security list has a non-canonical ordering. In this case, you should set the permissions manually via adsiedit.msc. For detailed information, refer to the Resetting Incorrectly Ordered Permissions on DGAL in Active Directory section (on page 343).

Resetting Incorrectly Ordered Permissions on DGAL in Active Directory

It is recommended to back up the current permissions on the address list. Execute the following commands on the Active Directory Domain Controller server after substituting the sample values with the appropriate values.

Run the following command to save the permissions list into the DGAL-backup.txt file:

dsacls "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=HostedExchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=hosting,DC=local" > DGAL-backup.txt

Run the following command to reset permissions to their default values:

dsacls "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=HostedExchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=hosting,DC=local" /S

Installing Good Messaging Server and Good Management Server Software

Ensure that Microsoft Exchange Server MAPI Client and Collaboration Data Objects is installed on the computer on which you plan to install the Good Messaging Server (GOOD01).

1 Log on to the GMS host (GOOD01) using the GoodAdmin account.
2 Run setup.exe from your Good distribution package.
3 Click Add/Remove for Good Messaging Server.
4 Complete the instructions on the screen.
5 On the Choose Log Directory page of the installer, set the folder for GMS log files to E:\GMSLogs.
6 On the Choose Cache Directory page of the installer, set the folder for the GMS cache directory to F:\GMSCache.
7 Click Add/Remove for Good Management Server.
8 Complete the instructions on the screen.

Installing Good Management Console Software

1 Log on to the Microsoft Provisioning System host (MPS01) using an account that is a member of the Domain Administrators group.
2 Run setup.exe from your Good distribution folder.
3 Click Add/Remove for Good Management Console.
4 Complete the instructions on the screen.

Adding MPFServiceAcct Account to GMS

MPFServiceAcct must be added to the GMS security subsystem via the Good Management Console:

1 Log on to the GMS host (GOOD01) using the GoodAdmin account.
2 Run Programs > Good Management console.
3 Right-click the Roles tree node in the left pane and select New Role.
4 In the Name field of the General tab, type MPFServiceRole.
5 Click the Rights tab and select the Administrator checkbox.
6 Click the Members tab. Click Add.
7 In the Select user or group from the list dialog box, enter DOM\MPFServiceAcct and click OK.
8 Click OK.

Testing GMS Service Account Proper Functioning

To check that the GoodAdmin account works properly, try to log in to the GoodAdmin mailbox via OWA or Outlook.

Registering GMS Servers in POA

Install POA Agent on GMS servers according to the instructions in Installing POA Agent (on page 381).

Installing POA Packages for Good Messaging

Note: Ensure that MPFCustomProviders (version 1.69 or later) is installed on your MPS server (MPS01).

Install the GoodMobile package (version or later) on each of your GMS nodes. Set the following package properties:

Property - Description
exchange.gms.host.capacity - Maximum number of Good Messaging accounts the server can handle.
exchange.gms.host.capacity.warning - Number of Good Messaging accounts which will generate a warning.
exchange.gms.update.interval.minutes - Interval (in minutes) between account information updates.
exchange.gms.max.accounts.per.task - Maximum number of accounts to process by one periodic task.
exchange.gms.admin.host - Hostname of the server where Good Management Server runs (GOOD01).
exchange.gms.default.policy.name - Name of an existing Good policy group that will be used by default for all accounts. Every new user will be automatically added as a member of this group. If the default group is not specified or does not exist, the user's policy will be inherited from the All Users group. Case must match that displayed in the Good Management Console.
exchange.gms.default.software.name - Name of an existing Good software group that will be used by default for all accounts. Every new user will be automatically added as a member of this group. If the default group is not specified or does not exist, the user's software policies will be inherited from the All Users group. Case must match that displayed in the Good Management Console.

exchange.gms.default.group.name - Name of an existing Good group that will be used by default for all accounts. If the default group is not specified, or does not exist, or is empty, a warning will be logged on the GMS node (GOOD01), and the property will be ignored. Case must match that displayed in the Good Management Console.

Important: If you enter a custom GMS server name during the installation of the Good Messaging service, and this name differs from the host NetBIOS name, you should manually change the netbios_name field in the DB table exch_gms_servers.

Importing Existing Good Accounts in POA

POA supports the import of existing Good mobile accounts which were provisioned manually. To do this, run Exchange_ctl on the POA MN as follows.

On Linux Management Node:

1 Log on to the Management Node.
2 Set up the environment using the following command:
    . $PLESK_ROOT/bin/setenv.sh
3 Run Exchange_ctl on POA MN in the following format:
    $PLESK_ROOT/bin/Exchange_ctl -f $PLESK_ROOT/etc/pleskd.props importgoodaccounts <host_id>

On Windows Management Node:

1 Log on to the Management Node.
2 Go to the folder where POA is installed (C:\POA).
3 Change to the directory where POA binaries are located:
    cd bin
4 Run Exchange_ctl on POA MN in the following format:
    Exchange_ctl -f "<full_path_to_poa>\etc\pleskd.props" importgoodaccounts <host_id>

Where the parameters are:
<host_id> is the host ID in POA where the GoodMobile service is installed.
<full_path_to_poa> is the full path to the POA installation folder (for example, C:\POA).

Example:
    $PLESK_ROOT/bin/Exchange_ctl -f $PLESK_ROOT/etc/pleskd.props importgoodaccounts 5

Importing Process Diagram


Output Format For Importing Results

Here is a sample of the output illustrating possible responses.

    C:\PSAWin\bin>exchange_ctl.exe -f "c:\psawin\etc\pleskd.props" importgoodaccounts 5
    Preparation for importing...
    Get import information from POA
    Good Mobile accounts are found on server GOOD01:
    - 3 to be imported (not registered in POA but associated with mailboxes registered in POA);
    - 1 to be ignored during import (already registered in POA);
    - 0 to be ignored during import (associated with mailboxes not registered in POA).
    Importing progress:
    Importing account 1 of 3: [email protected]: John Smith: OK: The account is imported into subscription: 1
    Importing account 2 of 3: [email protected]: Jane Cutler: ERROR: Resource limit of Good Mobile Messaging is reached. Can not import the account into subscription: 1
    Importing account 3 of 3: [email protected]: Margaret Mills: ERROR: Capacity of the GOOD01 is reached. Can not import the account into subscription: 1
    Import completed: 1 of 3 accounts are imported;

The result message for each imported account has the following format:

    Importing account <num> of <total>: <email address>: <display name>: <status>: <status message>: <subscription id>

The elements of the message are separated with ":" symbols, which makes it easy to import the results into MS Excel.

Managing Messaging Services

Deploying Postini Security Service

Postini Security is a global online service providing real-time spam and virus filtering, attack blocking, and traffic monitoring. This service is intended for preprocessing emails before they reach the recipient's mail server. The traffic is redirected through Postini's global data centers, which are reached by modifying MX records in the DNS zone. After email is processed, the Postini server directs it back to the recipient's mail server.

You can deploy Postini Security Service to Parallels Operations Automation and provide your customers with this service. To do so, you need to install the respective Postini Security Service packages and register a Postini account.

Installing Postini Security Service

To install the Postini Security service, perform the following steps:

1 Install the postini package (type: sc) on POA MN.
2 Install the postini package (type: cp) on all your UI servers.

Note: For detailed instructions on installing POA packages, refer to the Installing PPM Packages section (on page 404).

Registering Postini Account in POA

To register a Postini account in POA, you have to register the credentials corresponding to your account on the Postini server, thus allowing the system to provision and manage the Postini Security service. Follow these steps:

1 Go to Top > Service Director > Postini Security. The Setup tab opens:
Figure 71: Registering Postini Account
2 Click the Register link and enter the Postini account credentials: the login and the password.
3 Click Submit.

As a result, the Postini account is successfully registered in POA.

Deploying MessageLabs Security Service

MessageLabs Security service is an integrated solution providing reliable and confident security services. MessageLabs Security service is intended for preprocessing emails before they reach the recipient's mail server. The traffic is redirected to MessageLabs global data centers by modifying MX records in the DNS zone. After email is processed, the MessageLabs server directs it back to the recipient's mail server.

You can deploy MessageLabs Security Service to Parallels Operations Automation and provide your customers with this service. To do so, you need to install the respective MessageLabs Security Service packages, create a Resource Type on the basis of the MessageLabs Security Resource Class, and register a MessageLabs account.

Installing MessageLabs Security Service Packages

To install MessageLabs Security service, perform the following steps:

1 Install the MessageLabs package (type: sc) on POA MN.
2 Install the PrivilegesMessageLabs package (type: other) on POA MN.
3 Install the message_labs package (type: cp) on all your UI servers.

Note: For detailed instructions on installing POA packages, refer to the Installing PPM Packages section (on page 404).

Creating 'MessageLabs Security' Resource Type

To provide MessageLabs service to your subscribers/resellers, you need to add the MessageLabs resource to a Service Template. To do it, first you need to create the MessageLabs Security Resource Type based on the MessageLabs Security Resource Class.

To create the MessageLabs Security Resource Type, follow the steps:

1 In POA CP, go to Top > Service Director > Provisioning Manager > Resource Types.
2 Click on the Add New Resource Type button.
3 Click on the MessageLabs Security Resource Class in the list of existing Resource Classes.
4 Specify the general parameters for the Resource Type based on the MessageLabs Security Resource Class. Click Next.
5 Enter activation parameters values for a new Resource Type:
  Autoprotect all recipients (0/1) - Type 1 to auto-protect all mail recipients with MessageLabs Security service. The service will be activated during provisioning, and all the domains will be protected with MessageLabs Security service. All newly created domains will be protected too.
  MX records for protected domains (comma-separated list of MX records) - Specify the comma-separated list of MX records, which will be created on the protected domains (for example, 10 cluster8.eu.messagelabs.com, 20 cluster8a.eu.messagelabs.com). Find information about MX records creation in the Hosted Exchange Activation Parameters > Examples of Using "Custom MX records template" Activation Parameter sections.
  Click Next.
6 Skip the wizard where it is required to enter the provisioning attributes. Click Next.
7 Check Resource Type parameters carefully. Click Finish.

As a result, the MessageLabs Security Resource Type is created. You can view it in the list of existing Resource Types.

Registering MessageLabs Security Service in POA

To register MessageLabs Security service in POA, you have to register the MessageLabs account credentials in POA PCP. To do it, follow these steps:

Note: If you do not have a MessageLabs account, please contact a MessageLabs representative and sign up.

1 Go to Top > Service Director > MessageLabs. The Setup tab opens:
Figure 72: Registering MessageLabs Account
2 Click the Register link and enter the required MessageLabs account information:

Figure 73: Specifying MessageLabs Account Information

In the Web Service Credentials area, enter the login information:
  Login - Specify the MessageLabs account login name.
  Password - Specify the MessageLabs account access password.
  Confirm password - Type the password once again.

In the Account Templates area, specify the following templates:

Note: The templates are to be supplied to you by the MessageLabs provider.

  Customer organization template - This template is used for creating a new customer organization in the MessageLabs account. There are three types of template identification, for example:
  - "Parallels Customer Template" - the template identified by the organization's name,
  - "123" - the template identified by the organization's ID,
  - "PAR003" - the template identified by the account name.
  Customer domain template - This template is used for creating a domain for a customer in the MessageLabs account (for example: templatedomain001.parallels.com).
  Reseller organization template - This template is used for creating a new Reseller organization in the MessageLabs account (examples of the template name: 'Parallels Reseller Template', 'PAR001', '213').
  Reseller domain template - This template is used for creating a domain for a reseller in the MessageLabs account (example of the template name: templatedomain002.parallels.com).

The templates can be changed later by clicking the Change template accounts link provided in the Account Templates area (on the Setup tab) after registering the MessageLabs service in POA.

3 Click Submit to save the specified parameters.

As a result, the MessageLabs account is successfully registered in POA.

To unregister the MessageLabs account, do the following:

Note: After unregistering the MessageLabs account from the system, you will not be able to manage the MessageLabs service via POA any more.

1 Go to Top > Service Director > MessageLabs.
2 Move to the Setup tab:
Figure 74: Unregistering MessageLabs Security Service
3 In the Web Service Credentials area, click the Unregister link.
4 Confirm unregistering the service by clicking OK.

The MessageLabs account is no longer registered in POA.

Deploying MX Logic Security Service

MX Logic Security service provides effective and reliable protection from spam, viruses and other threats. MX Logic Security works at the network perimeter to identify, quarantine, block and strip suspect messages before they can enter your messaging infrastructure. MX Logic Security service is intended for preprocessing emails before they reach the recipient's mail server. The traffic is redirected to MX Logic global data centers by modifying MX records in the DNS zone. After an email is processed, the MX Logic server directs it back to the recipient's mail server.

You can deploy MX Logic Security service to Parallels Operations Automation and provide your customers with this service. To do so, you need to install the respective MX Logic Security service packages, create a Resource Type based on the MXLogic Security Resource Class, register the MX Logic account in POA, and add the appropriate Resource Type to the Service Template with the Hosted Exchange resource included.

Before registering the MX Logic account in POA, the following information should be provided to you by the MX Logic representative:

  Reseller ID.
  MX Logic API URL, which will allow POA to manage the MX Logic service.
  Login and password for API calls.
  MX records of MX Logic SMTP servers (MX records pointing to MX Logic incoming servers).
  Codes of licensed products for Email Defense System (EDS).
  Client certificate for MXLogic SSL connections.

Note: In most cases the client certificate is provided in the .p12 (PKCS#12) format. In that case it must be converted to a .pem (Privacy Enhanced Mail) base64-encoded certificate with the following command:
    openssl pkcs12 -in <input p12 certificate file> -clcerts -out mxlogic_parallels.pem

Verifying Prerequisites

Before installing the MXLogic component, check the following:

  The POA Privacy Proxy component is installed and configured as described in the Windows/Linux Platform Deployment guide.
  The SSL client certificate is installed on the MN at $PLESK_ROOT/etc/mxlogic_parallels.pem
  Note: The certificate is to be provided to you by MX Logic.
  Where $PLESK_ROOT is:
    On Linux: /usr/local/pem
    On Windows: c:\program files\swsoft\pem
  Note: If the certificate has a password, please contact the POA support team in order to update the required configuration parameter.
  The FrontNet IP address of the Privacy Proxy host is registered by MXLogic.Inc as a trusted IP address for Web Services API access.
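An added example, not part of the original guide: a small Python check of the file produced by the openssl pkcs12 conversion above, reporting whether it holds a client certificate and a private key, whether that key is passphrase-protected (the case the note above refers to POA support), and whether the file is readable beyond its owner on a Linux Management Node. The function names and the sample PEM text are constructed for illustration; the sample bodies are placeholders, not real key material.

```python
import os
import re
import stat

# A PEM block is "-----BEGIN <label>-----" ... "-----END <label>-----".
# openssl pkcs12 also writes "Bag Attributes" text between blocks; the
# regex skips it because it only matches the delimited blocks.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def inspect_pem(text):
    """Count certificates and private keys in the converted PEM text."""
    report = {"certificates": 0, "private_keys": 0,
              "encrypted_keys": 0, "other": []}
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            # PKCS#8 shows encryption in the label; the traditional
            # format shows it in a "Proc-Type" header inside the block.
            if (label == "ENCRYPTED PRIVATE KEY"
                    or "Proc-Type: 4,ENCRYPTED" in body):
                report["encrypted_keys"] += 1
        else:
            report["other"].append(label)
    return report


def findings(report):
    """Turn the counts into the points an operator has to act on."""
    out = []
    if report["certificates"] == 0:
        out.append("no client certificate in file")
    if report["private_keys"] == 0:
        out.append("no private key in file")
    if report["encrypted_keys"]:
        out.append("private key is passphrase-protected: POA needs the "
                   "passphrase configured (see the note on contacting support)")
    if report["private_keys"] > report["encrypted_keys"]:
        out.append("private key is stored unencrypted: restrict file access")
    return out


def group_or_world_readable(path):
    """True if the file is readable by group or others (Linux MN only)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample: shape of pkcs12 output with a passphrase set.
SAMPLE_ENCRYPTED = """Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=constructed-client
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
"""

# Constructed sample: traditional encrypted key written by older OpenSSL.
SAMPLE_LEGACY = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0011223344556677

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

# Constructed sample: key left unencrypted.
SAMPLE_PLAIN = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, text in [("encrypted", SAMPLE_ENCRYPTED),
                       ("legacy", SAMPLE_LEGACY), ("plain", SAMPLE_PLAIN)]:
        print(name, findings(inspect_pem(text)))
```

On a real Management Node, pass the contents of $PLESK_ROOT/etc/mxlogic_parallels.pem to inspect_pem and the path itself to group_or_world_readable.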

Installing MX Logic Security Service Packages

To install MX Logic Security service, perform the following steps:

1 Install the MXLogic package (type: sc) on POA MN.
2 Install the PrivilegesMXLogic package (type: other) on POA MN.
3 Install the mx_logic package (type: cp) on all your UI servers.

Note: Restart Java right after installing the mx_logic (type: cp) package.

Note: For detailed instructions on installing POA packages, refer to the Installing PPM Packages section (on page 404).

Creating 'MXLogic Security' Resource Type

To provide MXLogic Security service to your subscribers/resellers, you need to add the MXLogic Security resource to a Service Template. To do it, first you need to create the MXLogic Security Resource Type based on the MXLogic Security Resource Class.

To create the MXLogic Security Resource Type, follow the steps:

1 In POA CP, go to Top > Service Director > Provisioning Manager > Resource Types.
2 Click on the Add New Resource Type button.
3 Click on the MXLogic Security Resource Class in the list of Resource Classes.
4 Specify the name and description (optional) for the Resource Type being created (for example, MXLogic Security). Click Next.
5 Enter activation parameters values for a new Resource Type:
  Advanced EDS product codes - Comma-delimited codes of licensed products for Email Defense System (EDS), for example, 10011,10010 (to be provided to you by MX Logic). This parameter will allow you to upgrade the resource in the Subscription from the basic MXLogic protection to the advanced MXLogic security protection without needing to migrate the Subscription to another Service Template.
  Autoprotect all domains (0/1) - Indicates that all domains should be protected automatically. The default value is 1: all domains will be protected automatically.
  Basic EDS product codes - Comma-delimited codes of licensed products for Email Defense System (EDS), for example, 10011,10010 (to be provided to you by MX Logic). This parameter provides the basic MXLogic security protection for the Subscription.
  Inbound servers list - Comma-delimited list of FrontNet hosts for Exchange Hub Transport servers with port numbers (for example, smtp.parallels.com 25, smtp2.parallels.com 25).

  Click Next.
6 Skip the wizard where it is required to enter provisioning attributes. Click Next.
7 Check Resource Type parameters carefully. Click Finish.

As a result, the MXLogic Security Resource Type is created. You can view it in the list of existing Resource Types. Now you can add it to the Service Template.

Registering MX Logic Security Service in POA

To register MX Logic Security Service in POA, you have to register the MX Logic account credentials in POA PCP. To do it, follow these steps:

Note: If you do not have an MX Logic account, please contact an MX Logic representative and sign up.

1 Go to Top > Service Director > MXLogic Security. The following screen will open:
Figure 75: Registering MX Logic Account in POA
2 Click the Register link.
3 Specify the MX Logic account parameters:

Figure 76: Entering MX Logic Account Parameters

  Login - Specify the MX Logic account login name.
  Password - Specify the MX Logic account login password.
  Confirm password - Type the password once again.
  Reseller ID - Your ID provided to you by MX Logic.
  MX Logic API URL - The API URL that will allow POA to manage the MX Logic service.
  MX records of MX Logic SMTP servers - MX records pointing to MX Logic incoming servers. This parameter is to be provided to you by MX Logic.

4 Click Submit to register the MX Logic account in POA.

The registration process involves creating the MX Logic organization and checking API functionality. After these operations are successfully performed, the MX Logic account registration in POA is complete.

After the MX Logic account is registered in POA, you need to create the Resource Type based on the MXLogic Security Resource Class, add it to a Service Template, and provide this service to your customers.

Deploying Global Relay Archiving Service

Global Relay Archiving is an external archiving and storage service, which captures, serializes, time-dates and indexes customer's messages and stores them securely in the service provider's data centers. All incoming, internal and outgoing email received by POA Exchange servers is copied to the Archiving service on a periodical basis, with secure end-to-end encryption. Each message is replicated in the two Global Relay data centers, where it is concurrently stored on primary SAN and secondary NOS WORM storage systems. For details, refer to the Global Relay website.

Preparing POA Hosted Exchange for Global Relay Integration

Prior to deploying the Global Relay Archiving integration, it is necessary to prepare your Hosted Exchange configuration for working with Global Relay. These preparations include creating a system mailbox (name: grarchiving), creating a group (name: PEMGRJournalingUsers) and setting a journaling rule for mail archiving.

To configure Hosted Exchange, perform the following operations:

1 Create a Global Relay Archiving mailbox.
  a Log in to the Exchange server as a member of the Domain Administrators group.
  b Start the Exchange Management Shell and run the following commands:
    $grpassword = Read-Host "Enter password" -AsSecureString
    New-Mailbox -Name "grarchiving" -database "{Mailbox Database Name}" -OrganizationalUnit "{yourdomain.com}/users" -password $grpassword -UserPrincipalName "grarchiving@{yourdomain.com}" -alias "grarchiving" -displayname "grarchiving" -firstname "Global Relay" -lastname "Archiving" -resetpasswordonnextlogon $false
  Where:
  {Mailbox Database Name} - is the name of the mailbox database (in POA CP, Mailbox Store) where the archiving mailbox will be located. To view the list of POA mailbox databases (Mailbox Stores), run the following command in the Exchange Management Shell:
    Get-MailboxDatabase | fl Name,Identity
  Output example:
    Name : MB02
    Identity : EXMBX02\SG03\MB02
  Specify the Identity of the desired mailbox database (EXMBX02\SG03\MB02) as the {Mailbox Database Name}.
  Note: You can specify the Name of the mailbox database (MB02) if you are sure that this name is unique in POA (that there are no mailbox databases with the same name on other Exchange servers).

  {yourdomain.com} - is the FQDN of the Active Directory domain.
2 Create a Global Relay Archiving group.
  a Log in to the Exchange server as a member of the Domain Administrators group.
  b Start the Exchange Management Shell and run the following command:
    New-DistributionGroup -Name "PEMGRJournalingUsers" -Type "Distribution" -OrganizationalUnit "{yourdomain.com}/hosting/provider" -SamAccountName "PEMGRJournalingUsers" -Alias "PEMGRJournalingUsers"
  Where:
  {yourdomain.com} - is the FQDN of the Active Directory domain.
3 Create a Global Relay Archiving Journaling Rule.
  a Log in to the Exchange server as a member of the Domain Administrators group.
  b Start the Exchange Management Shell and run the following command:
    New-JournalRule -Name "GR Journaling Rule" -JournalEmailAddress "{yourdomain.com}/users/grarchiving" -Scope "Global" -Enabled $true -Recipient "PEMGRJournalingUsers@{yourdomain.com}"
  Where:
  {yourdomain.com} - is the FQDN of the Active Directory domain.
4 Configure your firewall to accept only inbound connections to POA Exchange servers (with CAS role) from the Global Relay IP ranges over port 993 (Secure IMAP). The Global Relay IP Ranges are: /22. If you have local firewalls configured on your Hosted Exchange servers, make sure to perform the same operation on each CAS.

Important: Having completed all the steps, contact a Global Relay representative to test the configuration and start the archiving process.

Deploying Global Relay Archiving Integration

To integrate POA with Global Relay Archiving, you need to perform the following actions:

1 Install the Global Relay Archiving service packages on appropriate POA hosts.
2 Create a Resource Type based on the Global Relay Archiving Resource Class.
3 Register the Global Relay Archiving service in POA.

Having performed these steps, you can create a Service Template for service provisioning and configure POA for working with the Global Relay control panel.

Note: To register the Global Relay Archiving service in POA, you need to have a working Global Relay Archiving account. If you do not have one, please contact a Global Relay representative and sign up. You will also need support from Global Relay on the stage of preparing your Hosted Exchange servers (see page 361).

Installing Global Relay Archiving Packages

To deploy Global Relay Archiving integration, perform the following steps:

1 Install the following packages on POA MN:
  GlobalRelay (type: sc)
  PrivilegesGlobalRelay (type: other)
2 Install the global_relay package (type: cp) on all POA UI servers.

Note: For detailed instructions on installing POA packages, refer to the Installing PPM Packages section (on page 404).

Creating 'Global Relay Archiving' Resource Type

To integrate POA with Global Relay Archiving, you need to create a Resource Type based on the Global Relay Archiving Resource Class. Later you can add this Resource Type to appropriate Service Templates (the ones containing a Resource Type based on the Hosted Exchange Resource Class), and start providing the Global Relay Archiving service to your customers.

To create the Global Relay Archiving Resource Type, follow the steps:

1 In POA CP, go to Top > Service Director > Provisioning Manager > Resource Types.
2 Click on the Add New Resource Type button.
3 Select the Global Relay Archiving Resource Class in the list of Resource Classes.
4 Specify the name (for example, Global Relay Archiving) and description (optional) for the Resource Type being created. Click Next.
5 Enter the activation parameter values for a new Resource Type:
  a Enable archiving for all recipients (0/1): Enable automatic archiving with the Global Relay Archiving service.
    - If this parameter is set to 1, the messages processed by all subscribers' mailboxes are automatically submitted to the Global Relay Archiving service.
    - If this parameter is set to 0, subscribers manually add the mailboxes they wish to archive.
  b Import existing Global Relay customer (0/1):
    - If this parameter is set to 1, a subscriber can import an existing Global Relay Archiving account to his or her POA CP (with no possibility to create one).
    - When this parameter is set to 0, a customer can create a Global Relay Archiving account (with no possibility to import one).
Figure 77: Setting Limits for the Global Relay Archiving Resource Type
  Skip the wizard where it is required to enter provisioning attributes. Click Next.
6 Check Resource Type parameters carefully. Click Finish.

As a result, the Global Relay Archiving Resource Type is created. You can see it in the list of existing Resource Types.

7 Re-log in to POA.

Note: After re-logging in, you will see the Top > Service Director > Global Relay Archiving menu item in POA Navigation pane.

Registering Global Relay Archiving Service in POA

To register the Global Relay Archiving service in POA, you need to specify the credentials of your existing Global Relay Archiving account in POA PCP.

Note: If you do not have such an account, please contact a Global Relay representative and sign up.

To specify your Global Relay Archiving credentials, follow these steps:

1 Go to Top > Service Director > Global Relay Archiving.
2 Click the Set Credentials link on the page.
3 Specify the parameters of your Global Relay Archiving account:
  Login - Specify the Global Relay Archiving account login name.
  Password - Specify the Global Relay Archiving account login password.
  Confirm password - Type the password once again.
  Provider's contact person email and Provider's contact person name - The email and contact person's name for communication with Global Relay. Provisioning requests will be submitted from POA to Global Relay from this address.
4 Click Submit.
Figure 78: Entering Your Global Relay Archiving Account Details

A request is submitted to the Global Relay server. The Status turns to Registering. If registration fails because of invalid credentials (the Status turns to Failed, and an error message is displayed), click the Change Credentials link, correct the login information and click Submit.

After the Global Relay Archiving service is registered, the Status becomes Ready. Now you can add the Global Relay Archiving Resource Type to the appropriate Service Templates (the ones containing a Resource Type based on the Hosted Exchange Resource Class), and start providing the service to your customers. For details on setting up Service Templates, refer to POA Provider's Guide.

Creating Service Template Containing Global Relay Archiving Service

A Service Template used for provisioning the Global Relay Archiving service must contain a Resource Type based on the Hosted Exchange Resource Class. To add the Global Relay Archiving Resource Type to such a Service Template, perform the following steps:

1 Go to Top > Service Director > Provisioning Manager > Service Templates. The list of existing Service Templates appears (if you have any).
2 Select the Service Template to add the Global Relay Archiving service to. Move to the Resources tab.
3 Click the Add resources button. The list of available Resource Types opens.
4 Select the Global Relay Archiving Resource Type. Click Submit.
5 Set the limit for the Global Relay Archiving service. The resource can be either unlimited or limited by a certain number of units.
Figure 79: Setting Limits for the Global Relay Resource
  The number of units is the number of mailboxes which can be archived using the Global Relay Archiving service in a single Subscription.
6 Click Submit to save the changes.
7 If necessary, edit the Activation parameters for the Global Relay Archiving service on the Parameters tab:

  a Enable archiving for all recipients (0/1): Enable automatic archiving with the Global Relay Archiving service.
    - If this parameter is set to 1, the messages processed by all subscribers' mailboxes are automatically submitted to the Global Relay Archiving service.
    - If this parameter is set to 0, subscribers manually add the mailboxes they wish to archive.
  b Import existing Global Relay customer (0/1):
    - If this parameter is set to 1, a subscriber can import an existing Global Relay Archiving account to his or her POA CP (with no possibility to create one).
    - If this parameter is set to 0, a customer can create a Global Relay Archiving account (with no possibility to import one).
Figure 80: Setting Activation Parameters for the Global Relay Service

Configuring POA to Work with Global Relay Control Panel

Global Relay Archiving gives you and your customers the ability to reply, forward, and create new messages directly from the Global Relay web-based control panel, which they use for managing their mail archive and message retrieval.

To enable customers to send emails from your Global Relay Archiving control panel on behalf of your domain, it is necessary to re-configure the SPF DNS records in POA to accept mail from the Global Relay server.

By default, POA SPF records are configured to accept incoming mail from all servers. You have an option to configure SPF records to protect you and your customers from SPAM by accepting mail from selected trusted domains only (in most cases, this means "from POA Hosted Exchange servers"). If your SPF records are configured this way, you will need to allow communication with the Global Relay server by setting up a special SPF record.

To set an SPF record for communication with the Global Relay server, perform these steps:

1 In all Service Templates including the Global Relay Resource Type, specify a custom SPF record containing the Global Relay IP ranges:
  a Click the name of the Service Template containing the Global Relay Resource Type.
  b Go to the Parameters tab and click Edit. The tab opens in edit mode.
  c In the Hosted Exchange parameters area, find the Custom SPF record parameter and specify the following custom value:
    v=spf1 ip4: /24 ip4: /22 include:<vendor_domain>.
  Where:
  <vendor_domain> - is the domain on which the DNS records for Hosted Exchange mail services are registered (for example, provider.com). For a Provider, this is the Provider's domain or the domain of the currently used brand; for a Reseller, the domain of the currently used brand.
2 For the FQDN of AD domain used for provisioning parameter, specify a custom value: the name of the Windows domain the Hosted Exchange servers belong to (for example, johndoe.com).
3 Click Submit to save the changes.

Note: If there are several Active Directory domains used for service provisioning, or several domains storing DNS records for Exchange servers, you will have to create a separate Service Template for each "Provisioning domain - DNS record domain" combination.

4 Update the SPF records for already provisioned domains by running the Exchange_ctl utility on POA MN:

On Linux Management Node:
  a Log on to the Management Node.
  b Set up the environment using the following command:
    . $PLESK_ROOT/bin/setenv.sh
    Where: $PLESK_ROOT - is the path to the POA installation folder (by default, /usr/local/pem)
  c Run Exchange_ctl on POA MN in the following format:
    $PLESK_ROOT/bin/Exchange_ctl -f $PLESK_ROOT/etc/pleskd.props sc rebuilddns
    Where: $PLESK_ROOT - is the path to the POA installation folder (by default, /usr/local/pem)

On Windows Management Node:
  a Log in as admin to the Management Node and launch cmd: Start > Run > cmd.
  b Go to the folder where POA resides:
    cd <full_path_to_poa>
    Where: <full_path_to_poa> - is the path to the POA installation folder (by default, C:\Program Files\SWsoft\PEM)
  c Change to the directory where POA binaries are located:
    cd bin
  d Run Exchange_ctl on POA MN in the following format:
    Exchange_ctl -f "<full_path_to_poa>\etc\pleskd.props" sc rebuilddns
    Where: <full_path_to_poa> - is the path to the POA installation folder (by default, C:\Program Files\SWsoft\PEM)
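An added example (not from the Parallels guide): a minimal Python evaluator for the ip4, include and all SPF mechanisms, run over a record with the shape given in step 1c, to show which senders such a record authorizes. The address ranges, the domain provider.example and its TXT record are constructed placeholders, and the variant ending in -all is an illustration only; the guide does not state whether POA appends a terminating term itself.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on mechanisms that trigger DNS queries

# Constructed sample data: documentation networks stand in for the
# Global Relay ranges, provider.example for <vendor_domain>.
CUSTOM_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/22 include:provider.example"
CUSTOM_SPF_WITH_FAIL_ALL = CUSTOM_SPF + " -all"
DNS_TXT = {"provider.example": "v=spf1 ip4:203.0.113.0/28 -all"}


class PermError(Exception):
    """Record cannot be evaluated (syntax error or lookup problem)."""


def split_term(term):
    """Return (result_if_matched, mechanism_name, argument) for one term."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return QUALIFIERS[qualifier], name.lower(), arg


def check_host(ip, record, dns_txt, budget=None):
    """Evaluate `record` for sender `ip`; `dns_txt` maps domain -> SPF TXT.

    Only ip4, include and all are handled; any other term is reported
    as permerror, which is a limit of this sketch, not of SPF.
    """
    budget = budget if budget is not None else [MAX_LOOKUPS]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    try:
        for term in terms[1:]:
            result, mech, arg = split_term(term)
            if mech == "all":
                return result
            if mech == "ip4":
                try:
                    net = ipaddress.ip_network(arg, strict=False)
                except ValueError:
                    raise PermError("bad ip4 argument: %r" % arg)
                if addr.version == 4 and net.version == 4 and addr in net:
                    return result
            elif mech == "include":
                budget[0] -= 1
                if budget[0] < 0 or arg not in dns_txt:
                    raise PermError("include cannot be resolved: %r" % arg)
                inner = check_host(ip, dns_txt[arg], dns_txt, budget)
                if inner in ("none", "permerror"):
                    raise PermError("included record unusable: %r" % arg)
                if inner == "pass":  # only a pass makes include match
                    return result
            else:
                raise PermError("term not handled by this sketch: %r" % term)
    except PermError:
        return "permerror"
    return "neutral"  # no term matched and the record has no 'all'


def lint(record):
    """Flag the two terminator problems that matter for spam protection."""
    findings = []
    alls = [t for t in record.split()[1:] if split_term(t)[1] == "all"]
    if not alls:
        findings.append("no 'all' term: unlisted senders evaluate to neutral")
    elif split_term(alls[0])[0] == "pass":
        findings.append("'all' with pass qualifier authorizes every sender")
    return findings


if __name__ == "__main__":
    for sender in ("192.0.2.25", "198.51.103.9", "203.0.113.5", "203.0.113.77"):
        print(sender,
              check_host(sender, CUSTOM_SPF, DNS_TXT),
              check_host(sender, CUSTOM_SPF_WITH_FAIL_ALL, DNS_TXT))
    print(lint(CUSTOM_SPF))
```

After running rebuilddns, the same comparison can be made against the TXT record actually published for a provisioned domain by pasting it in place of CUSTOM_SPF.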

CHAPTER 7

Common Operations

In This Chapter
Configuring Windows Node
Installing PPM Packages

Configuring Windows Node

Configuring Network Interfaces

Configure the Network Interfaces of the Hardware Node in the following way:
1 From the Start Menu, go to Start > Control Panel > Network Connections.
2 In the Network Connections dialog box, right-click the public network interface (connection to the Internet), and select Rename.
3 Rename the public network interface (for example, to FrontNet).
4 Right-click the FrontNet item, and select Properties.
5 On the General tab, disable all protocols except TCP/IP. Click OK.
6 In the Network Connections dialog box, right-click the private network interface (connection to the Management Node), and select Rename.
7 Rename the private network interface (for example, to BackNet).
8 Right-click the BackNet item, and select Properties.
9 On the General tab, select TCP/IPv4, and click Properties.
10 In the Preferred DNS server field, enter the internal IP Address of the First Domain Controller.
11 In the Alternative DNS server field, enter the internal IP Address of the Second Domain Controller.
12 Close all opened windows by clicking OK.

Reducing Metric of Private Network Interface

1 From the Start Menu, go to Start > Control Panel > Network Connections. Right-click BackNet, and select Properties.
2 Open the TCP/IP protocol properties and click Advanced.
3 Clear the Automatic metric checkbox. In the Interface metric field, enter any number that is less than the metrics of the other interfaces.

Figure 81: Specifying interface metric

Note: To see the metrics of other interfaces, run the route print command and examine the route metrics. The route metrics are built on the basis of interface metrics.

4 Close all opened windows by clicking OK.

Renaming Computer

1 On the computer desktop, right-click the My Computer folder. In the opened menu, select Properties. The System Properties dialog box opens.
2 In the System Properties dialog box, open the Computer Name tab.
3 Click on the Change button.
4 In the Computer Name Changes dialog box, enter the new name into the Computer name field.
Note: Microsoft recommends using computer names that are shorter than 16 bytes.
5 Click OK. The message box appears with the following message: You must restart this computer for the changes to take effect.
6 Click OK in the message box.
7 Click OK in the System Properties dialog box. The message box appears with the following message: You must restart your computer before the new settings will take effect. Do you want to restart your computer now?
8 Click Yes. The computer restarts.

Joining Windows Node to Domain

Perform the following steps to make the computer a member of the domain created during the deployment of Active Directory:
1 On that computer, open the System properties dialog using one of the following methods:
  - From the Start Menu, go to Start > Control Panel, and then double-click System.
  - On the computer desktop, right-click the My Computer folder. In the opened menu, select Properties.
  - Run the following command line:
    runas /user:<computername>\administrator "rundll32.exe shell32.dll,control_rundll sysdm.cpl"
    Where <computername> is the name of your computer.
2 On the Computer Name tab, click Change.
3 Under Member of, click Domain, and enter the name of your domain into the nearby field. Click OK.
4 The system asks you to provide a name and a password before joining the computer to the domain. Click OK without entering anything.
5 The system asks you to restart your computer to apply your changes. Click OK. Close all the dialog boxes and restart the computer.

Enabling DHCP Client Service

1 From the Start Menu, go to Start > Run. Execute the following command:
    services.msc
2 In the Services management console, right-click the DHCP Client service.

Figure 82: Selecting DHCP Client in "Services" console

3 In the opened menu, select Properties. The DHCP Client Properties dialog box opens.
4 In the Startup type drop-down box select Automatic.

Figure 83: Setting DHCP Client Properties

5 Click on the Apply button. The Start button becomes active.
6 Click on the Start button.
7 After the indication bar disappears, click OK to close the dialog box.

Performing DNS Registration

If DNS records were not created, perform the DNS registration. For this purpose:
1 From the Start Menu, go to Start > Run and execute the following command:
    ipconfig.exe /registerdns
2 Wait some time for DNS registration to be performed. Make sure that the DNS record for the host is created in your domain:
  a Log on to the First Domain Controller as Domain Administrator.
  b Run dnsmgmt.msc.
  c In the left pane of the dnsmgmt management console, open the First Domain Controller folder, open the Forward Lookup Zones item, and click the domain zone node.
  d In the right pane of the dnsmgmt management console, check that the Host (A) record for the IIS Web server exists and points to its internal IP address.
3 If the Host (A) record does not exist, create it manually:
  a Right-click the domain zone node.
  b Click New Host (A).
  c In the New Host dialog, enter the name of the computer and its internal IP address, click Add Host, and then click Done to cancel creation of next host records.

Checking Highest Priority of Private Network Interface

Ensure that BackNet is configured with highest priority:
1 From the Start Menu, go to Start > Control Panel > Network Connections.
2 In the menu of the Network Connections dialog box, select Advanced > Advanced Settings.
3 Make sure that BackNet is the first in the Connections list. If it is not, use the arrow buttons near the Connections list to move BackNet to the top of the list.
4 Click OK.

Figure 84: Order of connections

Installing QoS Packet Scheduler

1 Log on to the IIS Web server as a member of the Administrators group.
2 From the Start Menu, go to Start > Control Panel > Network Connections.
3 Right-click FrontNet. In the menu that appears, click Properties.
4 Click Install, click Service, and then click Add.

Figure 85: Select-Network-Component-Type

5 Click QoS Packet Scheduler, and then click OK.
6 Close all opened windows by clicking OK.

Figure 86: Select Network Service

Checking Presence of Sysnative Directory

Note: This step is required for nodes running Windows Server 2003 x64 only.

The Sysnative directory is required for correct POA operation on the node. To check the presence of the Sysnative directory, perform these steps:
1 Log on to the node and go to Start > Run.
2 Enter %SystemRoot%\SysWOW64\cmd.exe and click OK. The 32-bit command line shell opens.
3 In the shell window, enter:
    dir %SystemRoot%\Sysnative
  and press ENTER. If the directory does not exist, an error message is displayed.

If the Sysnative directory is not found, perform these steps:
1 Install the Windows Server 2003 hotfix available from
2 Restart the computer.
3 Repeat the procedure above to verify that the Sysnative directory has appeared in your system.

Installing POA Agent

This section gives a detailed description of the POA Agent installation on different types of Windows nodes: non-cluster nodes or cluster nodes. After performing the pre-installation steps, follow the instructions of one of the three subsections that describe the POA Agent installation Wizard. Your choice will depend on the type of hosting you are deploying. After-installation steps are common for all three node types.

Important: Administrative shares should not be disabled on Windows servers managed by POA as they are required for provisioning operations.

Obtaining Host Initial Data File

The host-initial-data file is required for new host installation and contains information about the Management Node where POA is installed. This file is generated when you choose the Hardware Node Resource Type. To obtain the host-initial-data file, follow these steps:
1 Go to Top > Deployment Director > Server Manager > Hardware Nodes. The list of registered Hardware Nodes appears.
2 Click on the Add New Host button. The Add New Host wizard starts.
3 Select the Windows host type and click on the Next button. The list of Resource Types based on the Hardware nodes Resource Class appears.
4 Choose the Hardware Nodes Resource Type by clicking on it. The host initial data file screen appears.
5 Click on the Download button to download the host-initial-data file. You will be required to supply this file later, when registering the Hardware Node in the system.
6 Save the file under a desired name.

Installing POA Agent on Non-Cluster Node

1 Log on to the Windows node as Domain Administrator.
2 Run the POA Agent installer from the POA distribution folder:
    install_win_sn.exe /V"/l*v c:\poa-agent-installation.log"
  The POA Agent Installation Wizard starts.
3 On the Welcome Wizard page, click Next to continue.
4 On the License Agreement Wizard page, select the I accept the terms in the license agreement option. Click Next to continue.
5 On the Host type selection Wizard page select the type of host:
  - Select the Regular host option to install POA Agent on the Hardware Node or VPS created by hand.
  - Select the Virtuozzo for Windows option to install POA Agent on the Windows Shared VPS.
6 On the Clustering Configuration Type Wizard page, the non-cluster configuration is detected automatically. Click Next to continue.
7 On the Destination Folder Wizard page, specify the path to the destination folder. Click Next to continue.
8 On the Log files settings Wizard page:
  - Leave the default directory where log files will be stored or specify another directory using the Change button.
  - Specify the maximum size of one log file before rotating by entering a value into the Maximum size of one log file (MB) field.
  - Specify the maximum number of pieces for log rotating by entering a value into the Number of storing log files field.
  Click Next to continue.
9 On the Authentication Information Wizard page, enter the login name and password to be authenticated in the POA system. Click Next to continue.
10 On the Network Information Wizard page, select the IP address, subnet mask, and the port number that are bound to the network interface to be used for communication with the POA Management Node. Click Next to continue.
11 Select the shared IP address that is bound to the network interface to be used for IP sharing. Click Next to continue.
12 On the Host-initial-data file location Wizard page, specify the path to the Host-Initial-Data file (see "Obtaining Host Initial Data File"). Click Next to continue.
Note: This Wizard page is omitted if the Virtuozzo for Windows option is selected on step 5.

13 On the User credentials Wizard page, enter passwords for the psa_admin and psa_domain users. Click Next to continue. The installer sends an MPF request to test the MPF connectivity. This can take a minute at most.
14 If the test succeeds, you are prompted to proceed with the installation. Otherwise, an additional dialog box opens where you should specify the exact name of the MPS Engine computer. After that, the test is repeated. The installation cannot continue until the MPF connectivity test is passed. If the MPF connectivity test fails, the MPF security needs to be properly configured.
15 Click Finish to complete the POA Agent Installation Wizard.

Installing POA Agent on Active Cluster Node

1 Log on to the Windows node as Domain Administrator.
2 Run the POA Agent installer from the POA distribution folder:
    install_win_sn.exe /V"/l*v c:\psa-agent-installation.log"
  The POA Agent Installation Wizard starts.
3 On the Welcome Wizard page, click Next to continue.
4 On the License Agreement Wizard page, select the I accept the terms in the license agreement option. Click Next to continue.
5 On the Host type selection Wizard page select the type of host:
  - Select the Regular host option to install POA Agent on the Hardware Node or VPS created by hand.
  - Select the Virtuozzo for Windows option to install POA Agent on the Windows Shared VPS.
6 On the Clustering Configuration Type Wizard page, make sure that the Install POA Agent for cluster checkbox is selected. Then, specify the required cluster node type:
  - Active node (Active-Passive cluster configuration): this option is used if POA Agent is installed on the Active node of the Active-Passive cluster.
  - Active node (Active-Active cluster configuration): this option is used if POA Agent is installed on the Active node of the Active-Active cluster.
  Click Next to continue.
Note: You cannot change the cluster configuration if POA Agent is already installed. If you need the cluster configuration to be enabled but do not yet have a cluster configured, stop the installer, configure a cluster, and restart the installer.
7 On the Cluster group Wizard page, select the cluster group where the POA Agent cluster resource will be registered. Such a group must contain Network Name and IP Address cluster resources. Usually this group also contains resources of the specified hosting service.
8 On the Destination Folder Wizard page, specify the path to the destination folder. Click Next to continue.
Note: For the cluster configuration, you can enter a path only for the first instance of POA Agent in the cluster. All other instances will use the same path.
9 On the Log files settings Wizard page, select the Log enabled check box if you want to enable logging. For the enabled logging, specify the log general parameters:
  - Leave the default directory where log files will be stored or specify another directory using the Change button.
  - Specify the maximum size of one log file before rotating by entering a value into the Maximum size of one log file (MB) field.
  - Specify the maximum number of pieces for log rotating by entering a value into the Number of storing log files field.

  Click Next to continue.
10 On the Authentication Information Wizard page, enter the login name and password to be authenticated in the POA system. Click Next to continue.
11 On the Network Information Wizard page, select the IP address, subnet mask, and the port number that are bound to the network interface to be used for communication with the POA Management Node. Click Next to continue.
12 Select the shared IP address that is bound to the network interface to be used for IP sharing. Click Next to continue.
13 On the Host-initial-data file location Wizard page, specify the path to the Host-Initial-Data file (see "Obtaining Host Initial Data File"). Click Next to continue.
Note: This Wizard page is omitted if the Virtuozzo for Windows option is selected on step 5.
14 On the User credentials Wizard page, enter passwords for the psa_admin and psa_domain users. Click Next to continue. The installer sends an MPF request to test the MPF connectivity. This can take a minute at most.
15 If the test succeeds, you are prompted to proceed with the installation. Otherwise, an additional dialog box opens where you should specify the exact name of the MPS Engine computer. After that, the test is repeated. The installation cannot continue until the MPF connectivity test is passed. If the MPF connectivity test fails, the MPF security needs to be properly configured.
16 Click Finish to complete the POA Agent Installation Wizard.

Installing POA Agent on Passive Cluster Node

1 Log on to the Windows node as Domain Administrator.
2 Run the POA Agent installer from the POA distribution folder:
    install_win_sn.exe /V"/l*v c:\psa-agent-installation.log"
  The POA Agent Installation Wizard starts.
3 On the Welcome Wizard page, click Next to continue.
4 On the License Agreement Wizard page, select the I accept the terms in the license agreement option. Click Next to continue.
5 On the Host type selection Wizard page select the type of host:
  - Select the Regular host option to install POA Agent on the Hardware Node or VPS created by hand.
  - Select the Virtuozzo for Windows option to install POA Agent on the Windows Shared VPS.
6 On the Clustering Configuration Type Wizard page, make sure that the Install POA Agent for cluster check box and the Passive node option are selected. If the node type is detected as active, select the Passive node option. Click Next to continue.
Note: You cannot change the cluster configuration if POA Agent is already installed. If you need the cluster configuration to be enabled but do not yet have a cluster configured, stop the installer, configure a cluster, and restart the installer.
7 On the Destination Folder Wizard page, specify the path to the destination folder. Click Next to continue.
Note: For the cluster configuration, you can enter a path only for the first instance of POA Agent in the cluster. All other instances will use the same path.
8 On the User credentials Wizard page, enter passwords for the psa_admin and psa_domain users. Click Next to continue. The installer sends an MPF request to test the MPF connectivity. This can take a minute at most.
9 If the test succeeds, you are prompted to proceed with the installation. Otherwise, an additional dialog box opens where you should specify the exact name of the MPS Engine computer. After that, the test is repeated. The installation cannot continue until the MPF connectivity test is passed. If the MPF connectivity test fails, the MPF security needs to be properly configured.
10 Click Finish to complete the POA Agent Installation Wizard.

After-Installation Steps

Check that POA Agent is successfully installed:
1 Open the Registry Editor.
2 In the Registry Editor dialog box, go to HKEY_LOCAL_MACHINE > SOFTWARE > Parallels > POA. Check that the remoteengine parameter is set to the name of the MPS Engine computer entered during the installation.
3 If the remoteengine parameter is not set to the name of the MPS Engine or does not exist at all, create the parameter. Assign the name of the MPS Engine computer to the remoteengine parameter.
4 From the Start Menu, go to Start > Programs > Administrative Tools and run the Computer Management tool.
5 In the left pane, expand the Local Users and Groups component. In the Groups category find the Distributed COM Users group.
6 Click Distributed COM Users. Check that the psa_admin domain user account is a member of the Distributed COM Users group.
7 Restart the POA Agent service:
    net stop pem
    net start pem
Important: Perform this step only on an active cluster node.

Configuring Log Files Parameters

You can change log files parameters after POA Agent is installed on the node. For this purpose, do the following:
1 Open the Win32 registry.
2 Find the registry key HKLM\Software\SWsoft\PEM\Log
3 Configure the following registry values:

| Value | Description |
|---|---|
| Enabled | value "1" - logging is enabled; any other value - logging is disabled. |
| LogPath | Full path to directory where log files will be placed. |
| LogPieces | Number of stored log files before log will be rotated. |
| MaxLogSize | Maximum size of one log file in bytes. |

Upgrading to Windows Server 2003 R2

This section provides the instruction to upgrade Windows Server 2003 to Windows Server 2003 R2. The instruction is applicable to all Windows servers. The transition to R2 is optional, so this instruction should be used only if you need to upgrade your Windows servers to Windows Server 2003 R2. Note that each node upgraded to R2 finally needs to be rebooted once.

Service Downtime Summary

Below is the service downtime information that should be used to properly apply the upgrade instruction to minimize service downtime. The key point is that a node being upgraded to R2 needs to be rebooted once. This fact should be taken into account when planning the order of server upgrade.

| Procedure | Approximate Duration (min) | Service Downtime |
|---|---|---|
| 1. Preparing AD for Windows Server 2003 R2 | 5 | No downtime |
| 2. Upgrading to Windows Server 2003 R2 - Steps | 10 | No downtime |
| Upgrading to Windows Server 2003 R2 - Step | Depends on the number of updates | No downtime |
| Upgrading to Windows Server 2003 R2 - Step | 15 | No downtime |
| Upgrading to Windows Server 2003 R2 - Step 16 (Rebooting the node) | Depends on hardware resources | Downtime during node reboot |

Preparing Active Directory for Windows Server 2003 R2

1 Log on to AD01 (with a schema master role) as a member of the Domain Administrators group.
2 Insert the Windows Server 2003 R2 disc into your CD-ROM drive.
3 From the Start Menu, go to Start > Run, and then type:
    E:\cmpnents\r2\adprep\adprep.exe /Forestprep
  where E is your CD-ROM drive.
4 In the ADPREP WARNING window, type C and then press ENTER to continue the ForestPrep process.

Upgrading to Windows Server 2003 R2

1 Log on to AD01 as a member of the Domain Administrators group.
2 For domain member computers, open the command prompt and run the following command:
    gpupdate /force
  This will force the replication of the domain policy template information.
Note: Check the local system event log and confirm that no errors were generated during the gpupdate process. If errors occur, resolve them prior to proceeding with the Windows Server 2003 R2 upgrade.
3 From the Start Menu, go to Start > All Programs > Administrative Tools > Services.
4 From the Services list, right-click Distributed Transaction Coordinator, and then click Properties.
5 On the General tab, ensure the Startup type is set to either Manual or Automatic. If it is set to Disabled, change it to Manual. Click OK.
Note: The Windows Server 2003 R2 update requires that the Microsoft Distributed Transaction Coordinator (MSDTC) service be enabled and available to start. By setting this to manual or automatic, the service pack installation is able to properly use this service.
6 Insert the Windows Server 2003 R2 disc into your CD-ROM drive to begin the upgrade process. Setup should start automatically. If it does not start automatically, connect to Disk 2 (or the shared folder that contains the Setup files) and click R2AUTO.exe.
7 On the Welcome to the Windows Server 2003 R2 page, click Continue Windows Server 2003 R2 Setup.
8 On the Welcome to the Windows Server 2003 R2 Setup Wizard page, click Continue Windows Server 2003 R2 Setup, and then click Next to begin the installation.
9 On the Product Key page, enter the product key, and click Next to continue.
Note: You may receive a warning message stating: "The Product Key you entered is valid, but may require you to reactivate the operating system at the next logon. You will need to reactivate the operating system if it has already been activated and the activation period has expired." Click Yes to continue and use this Product Key, or click No and enter a different Product Key.
10 On the End-User License Agreement page, review the license agreement, and then select I accept the terms in the license agreement. Click Next to continue.
11 On the Setup Summary page, click Next to continue.
12 After the upgrade completes, click Finish.
13 Click Exit to leave the setup page.
14 Apply any released updates to Windows Server 2003 by using Windows Update.

15 From the Start Menu, go to Start > Control Panel, and click Add or Remove Programs. Click Add/Remove Windows Components, and select the check box to install Microsoft.NET Framework 2.0. Click Next. After installation completes, click Finish.
16 Reboot AD01 to complete the upgrade process.
17 Repeat the above steps on all remaining systems in the environment, starting with the remaining domain controllers.
Note: You do not need to perform Step 2 on servers that are not members of the domain.

Windows Updates Compatibility

The following table describes Windows Server 2003 updates compatibility with HMC and hosted services provisioned using POA hosting automation platform.

| Update ID / TechNet | Description | Severity by Microsoft | Date issued | Time to install | Requires reboot |
|---|---|---|---|---|---|
| KB ( t.microsoft.co m/kb/914961) | Windows Server 2003 Service Pack 2 | Service Pack | March 13, 2007 | ~ 15 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/928843) | Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution | Critical Security Update | February 14, 2007 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/926436) | Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution | Important Security Update | February 14, 2007 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/918118) | Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution | Important Security Update | February 14, 2007 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/927779) | Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution | Critical Security Update | February 14, 2007 | ~ 5 min | Can request restart |

| Update ID / TechNet | Description | Severity by Microsoft | Date issued | Time to install | Requires reboot |
|---|---|---|---|---|---|
| MS KB ( t.microsoft.co m/kb/924667) | Vulnerability in Microsoft MFC Could Allow Remote Code Execution | Important Security Update | February 14, 2007 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/923723) | Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution | Important Security Update | February 14, 2007 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/928090) | Cumulative Security Update for Internet Explorer ver 6.0 and 7.0 | Critical Security Update | February 14, 2007 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/928255) | Vulnerability in Windows Shell Could Allow Elevation of Privilege | Important Security Update | February 14, 2007 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/931836) | February 2007 cumulative time zone update for Microsoft Windows operating systems | Important Update | February 14, 2007 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/925720) | Windows CardSpace hotfix rollup package | Important Update | February 14, 2007 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/911829) | Problem with Microsoft Outlook Web Access by using Microsoft Internet Explorer 6 or a later version of Internet Explorer | Updates | December 05, 2006 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/926874) | Windows Internet Explorer 7.0 for Windows Server 2003 | Updates | January 17, 2007 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/924881) | Windows SharePoint Services | Updates | January 30, 2007 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/928416) | Microsoft.NET Framework 3.0 x86 | Updates | January 30, 2007 | ~ 5 min | Can request restart |

| Update ID / TechNet | Description | Severity by Microsoft | Date issued | Time to install | Requires reboot |
|---|---|---|---|---|---|
| KB ( t.microsoft.co m/kb/925876) | Remote Desktop Connection 6.0 client update | Updates | January 30, 2007 | ~ 5 min | Can request restart |
| no KB | Microsoft Root Certificate update | Updates | February 01, 2007 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/909915) | Microsoft products do not reflect Australian daylight saving time changes for the year 2006 | Updates | October 30, 2006 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/926666) | Update for daylight saving time changes in 2007 for Exchange 2003 | Updates | February 12, 2007 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/890830) | Windows Malicious Software Removal Tool - January 2007 | Updates | January 10, 2007 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/917275) | Microsoft Windows Rights Management Services Client with Service Pack 2 | Updates | January 10, 2007 | ~ 5 min | Can request restart |
| no-kb | Windows Internet Explorer 7.0 for Windows Server 2003 | Updates | January 17, 2007 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/910437) | When Windows Automatic Updates tries to download updates on a Windows Server 2003-based or Windows XP-based computer, an access violation error may occur | Updates | January 10, 2007 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/929969) | Vulnerability in Vector Markup Language Could Allow Remote Code Execution | Security Updates, Critical | January 10, 2007 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/923689) | Vulnerability in Windows Media Format Could Allow Remote Code Execution | Security Updates, Critical | January 10, 2007 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/911897) | Files are corrupted on a Windows Server 2003-based computer when you try to use the local UNC path to copy the files | Updates | December 13, 2006 | ~ 5 min | Request restart |

| Update ID / TechNet | Description | Severity by Microsoft | Date issued | Time to install | Requires reboot |
|---|---|---|---|---|---|
| KB ( t.microsoft.co m/kb/928388) | 2007 time zone update for Microsoft Windows operating systems | Updates | December 13, 2006 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/929120) | Windows Server 2003-based computers and Windows XP-based computers that are set to the West Australia time zone do not change to daylight saving time on December 3, 2006 | Updates | December 13, 2006 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/925876) | Remote Desktop Connection 6.0 client update for Windows Server 2003 | Updates | November 29, 2006 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/926247) | Vulnerability in SNMP Could Allow Remote Code Execution | Security Updates, Important | December 13, 2006 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/926255) | A privilege elevation vulnerability exists in the way that Microsoft Windows starts applications with specially crafted file manifests | Security Updates, Important | December 13, 2006 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/923694) | Cumulative Security Update for Outlook Express | Security Updates, Important | December 13, 2006 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/923689) | Vulnerability in Windows Media Format Could Allow Remote Code Execution | Security Updates, Important | December 13, 2006 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/925454) | Cumulative Security Update for Internet Explorer | Security Updates, Critical | December 13, 2006 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/922760) | Cumulative security update for Internet Explorer | Security Updates, Critical | November 21, 2006 | ~ 2 min | Can request restart |

| Update ID / TechNet | Description | Severity by Microsoft | Date issued | Time to install | Requires reboot |
|---|---|---|---|---|---|
| MS KB ( t.microsoft.co m/kb/914961) | Vulnerability in Exchange Server 2003 and in Exchange 2000 Server can allow remote code execution | Security Updates, Critical | September 27, 2006 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/914961) | Vulnerability in Vector Markup Language could allow remote code execution | Security Updates, Moderate | September 27, 2006 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/927977) | Security update for Microsoft XML Core Services 6.0 | Security Updates, Critical | November 15, 2006 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/927978) | Security update for Microsoft XML Core Services 4.0 | Security Updates, Critical | November 15, 2006 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/923980) | Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution | Security Updates, Low | November 15, 2006 | ~ 5 min | Can request restart |
| MS KB ( t.microsoft.co m/kb/920213) | Vulnerability in Microsoft Agent could allow remote code execution | Security Updates, Moderate | November 15, 2006 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/829019) | Microsoft.NET Framework 2.0 Language Pack | Language Pack | March 01, 2006 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/917275) | Windows Rights Management Services Client with Service Pack 2 | Feature release | November 29, 2006 | ~ 1 min | Can request restart |
| KB ( t.microsoft.co m/kb/926874) | Windows Internet Explorer 7 for Windows Server 2003 | Feature release | November 29, 2006 | ~ 5 min | Can request restart |
| KB ( t.microsoft.co m/kb/907747) | Update for Intelligent Message Filter for Exchange Server 2003 | Updates | October 05, 2006 | ~ 5 min | Can request restart |

| KB 925876 | Remote Desktop Connection (Terminal Service Client 6.0) for Windows Server 2003 | Feature release | November 29, 2006 | ~5 min | Can request restart |
| KB 889101 | Windows Server 2003 Service Pack 1. New build is available. | Service Packs | July 12, 2006 | ~1 min | Can request restart |
| KB 904942 | Authentication fails when you use Outlook or Outlook Express to try to log on to a HTTP-based mail server if you use Internet Explorer version 7.0. New version | Updates | May 24, 2006 | ~5 min | Can request restart |
| KB 829019 | Microsoft .NET Framework 2.0 | Updates | May 24, 2006 | ~5 min | Can request restart |
| MS KB 922770 | Security Update for Microsoft .NET Framework, Version 2.0 (Vulnerability in ASP.NET 2.0 Could Allow Information Disclosure) | Security Updates, Moderate | October 11, 2006 | ~5 min | Can request restart |
| MS KB 923191 | Vulnerability in Windows Explorer Could Allow Remote Execution | Security Updates, Moderate | October 11, 2006 | ~5 min | Can request restart |
| MS KB 925673 | Security update for Microsoft XML Core Services 6.0 | Security Updates, Critical | October 11, 2006 | ~5 min | Can request restart |
| MS KB 925673 & KB 925672 | Security update for Microsoft XML Core Services 4.0 SP2 | Security Updates, Critical | October 11, 2006 | ~5 min | Can request restart |
| MS KB 924191 | Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution | Security Updates, Critical | October 11, 2006 | ~5 min | Can request restart |

| MS KB 923414 | Vulnerability in Server Service Could Allow Denial of Service and Remote Code Execution | Security Updates, Important | October 11, 2006 | ~5 min | Can request restart |
| MS KB 922819 | Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service | Security Updates, Low | October 11, 2006 | ~5 min | Can request restart |
| MS KB 924496 | Vulnerability in Windows Object Packager Could Allow Remote Execution | Security Updates, Moderate | October 11, 2006 | ~5 min | Can request restart |
| MS KB 918899 | Cumulative Security Update for Internet Explorer (new version of old update) | Security Updates, Critical | September 13, 2006 | ~5 min | Can request restart |
| MS KB 920685 | Vulnerability in Indexing Service Could Allow Cross-Site Scripting | Security Updates, Moderate | September 13, 2006 | ~5 min | Can request restart |
| MS KB 921883 | Vulnerability in Server Service Could Allow Remote Code Execution | Security Updates, Critical | September 13, 2006 | ~5 min | Can request restart |
| KB 922582 | Error message when you try to update a Microsoft Windows-based computer: "0x " | Technical update | September 13, 2006 | ~5 min | Can request restart |
| KB 923432 | Update for Windows Small Business Server 2003 R2: Update to Exchange Server 2003 SP2 | Update | August 03, 2006 | ~5 min | Can request restart |
| MS KB 921883 | Vulnerability in Server Service Could Allow Remote Code Execution | Security Updates, Critical | August 09, 2006 | ~5 min | Can request restart |

| MS KB 921398 | Vulnerability in Windows Explorer Could Allow Remote Code Execution | Security Updates, Moderate | August 09, 2006 | ~5 min | Can request restart |
| MS KB 920214 | Security Update for Outlook Express for Windows Server 2003 (Remote Code Execution) | Security Updates, Critical | August 09, 2006 | ~5 min | Can request restart |
| MS KB 917422 | Vulnerability in Windows Kernel Could Result in Remote Code Execution | Security Updates, Critical | August 09, 2006 | ~5 min | Can request restart |
| MS KB 922616 | Vulnerability in HTML Help Could Allow Remote Code Execution | Security Updates, Critical | August 09, 2006 | ~5 min | Can request restart |
| MS KB 920683 | Vulnerabilities in DNS Resolution Could Allow Remote Code Execution | Security Updates, Critical | August 09, 2006 | ~5 min | Can request restart |
| MS KB 920670 | Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution | Security Updates, Important | August 09, 2006 | ~5 min | Can request restart |
| MS KB 918899 | Cumulative Security Update for Internet Explorer | Security Updates, Critical | August 09, 2006 | ~5 min | Can request restart |
| MS KB 914388 | Vulnerability in DHCP Client Service Could Allow Remote Code Execution | Security Updates, Critical | July 12, 2006 | ~5 min | Can request restart |
| Win2003SP1 | Windows Server 2003 Service Pack 1 (SP1). New build is available. | Service Packs | July 12, 2006 | ~25 min | Can request restart |

| MS KB 917537 | Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution. | Security Updates | July 12, 2006 | ~5 min | Can request restart |
| MS KB 917283 | Vulnerability in ASP.NET Could Allow Information Disclosure. | Security Updates, Important | July 12, 2006 | ~5 min | Can request restart |
| MS KB 917159 | Vulnerability in Server Service Could Allow Remote Code Execution. | Security Updates, Critical | July 12, 2006 | ~5 min | Can request restart |
| KB 916803 | Vulnerability in Microsoft Exchange Could Allow Remote Code Execution | Critical, Security Updates | May 11, 2006 | ~5 min | Can request restart |
| KB 904942 | Authentication fails when you use Outlook or Outlook Express to try to log on to a HTTP-based mail server if you use Internet Explorer version 7.0 | Updates | May 11, 2006 | ~2 min | Can request restart |
| KB 913090 | Microsoft SQL Server 2005 Service Pack 1 | Service Packs | June 08, 2006 | ~5 min | Can request restart |
| KB 919004 | Windows Server Update Services Service Pack 1 | Service Packs | June 08, 2006 | ~5 min | Can request restart |
| KB 911829 | You receive an error message when you try to perform any editing tasks, or you must click to enable the compose frame in Outlook Web Access | Service Packs | June 08, 2006 | ~5 min | Can request restart |
| KB 917953 | Vulnerability in TCP/IP Could Allow Remote Code Execution | Security Updates | June 14, 2006 | ~2 min | Can request restart |
| KB 916281 | Cumulative Security Update for Internet Explorer for Windows Server 2003 | Security Updates | June 14, 2006 | ~2 min | Can request restart |

| KB 911280 | Vulnerability in Routing and Remote Access Could Allow Remote Code Execution | Security Updates | June 14, 2006 | ~2 min | Can request restart |
| KB 918439 | Vulnerability in ART Image Rendering Could Allow Remote Code Execution | Security Updates | June 14, 2006 | ~2 min | Can request restart |
| KB 914961 | Vulnerability in Microsoft JScript Could Allow Remote Code Execution | Security Updates | June 14, 2006 | ~2 min | Can request restart |
| KB 914389 | Vulnerability in Server Message Block Could Allow Elevation of Privilege | Security Updates | June 14, 2006 | ~2 min | Can request restart |
| KB 917734 | A remote code execution vulnerability exists in Windows Media Player due to the way it handles the processing of PNG images | Security Updates | June 14, 2006 | ~2 min | Can request restart |
| KB 912442 | Vulnerability in Microsoft Exchange Server could allow script injection when Exchange Server runs Outlook Web Access | Security Updates | June 15, 2006 | ~5 min | Can request restart |
| KB 891957 | Update is available that fixes various Volume Shadow Copy Service issues in Windows Server 2003 | Security Updates | December 21, 2005 | ~2 min | Can request restart |
| KB 912944 | An updated Storport storage driver (version ) is available for Windows Server 2003 | Security Updates | June 9, 2006 | ~5 min | Can request restart |
| KB 916803 | A security issue has been identified that could affect your Exchange 2003 system in the following way: 1. Denial of Service 2. Elevation of Privilege. | Security Updates | May 11, 2006 | ~10 min | Can request restart |

| KB 913580 | A security issue has been identified in the Microsoft Distributed Transaction Controller service that could allow an attacker to compromise your Windows-based system and gain control over it. Not needed if Windows 2003 Server SP1 installed | Security Updates | May 10, 2006 | ~10 min | Can request restart |
| KB 908531 | Vulnerability in Windows Explorer Could Allow Remote Code Execution | Security Updates | April 26, 2006 (update of version from April 12) | ~10 min | Request restart |
| KB 911927 | Vulnerability in Web Client Service Could Allow Remote Code Execution | Security Updates | February 15, 2006 | ~1 min | Can request restart |
| KB 911562 | Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution | Security Updates | April 12, 2006 | ~1 min | Can request restart |
| KB 908981 | Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting | Security Updates | April 12, 2006 | ~1 min | Can request restart |
| KB 904942 | Authentication fails when you use Outlook or Outlook Express to try to log on to a HTTP-based mail server if you use Internet Explorer version 7.0 | Updates | April 12, 2006 | ~1 min | Can request restart |
| KB 912812 | Cumulative Security Update for Internet Explorer | Security Updates | April 12, 2006 | ~5 min | Can request restart |
| KB 911567 | Cumulative Security Update for Outlook Express | Security Updates | April 12, 2006 | ~1 min | Can request restart |
| KB 914961 | Permissive Windows Services DACLs Could Allow Elevation of Privilege | Security Updates | March 15, 2006 | ~1 min | Can request restart |

| KB 912475 | Australia has changed the regularly scheduled end of Daylight Saving Time in five Australian states from March 2006 to the first Sunday of April 2006 due to the 2006 Commonwealth Games. Install this update to enable your computer to automatically adjust the computer clock on the correct date. | Critical Updates | March 15, 2006 | ~5 min | Can request restart |
| KB 896424 | Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution | Critical | November 09, 2005 | ~1 min | Can request restart |
| KB 905915 | Cumulative Security Update for Internet Explorer | Critical | December 14, 2005 | ~1 min | Can request restart |
| KB 908519 | Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution | Critical | January 11, 2006 | ~1 min | Can request restart |
| KB 908521 | The problem in the RPC engine (Rpcrt4.dll) | Critical | November 09, 2005 | ~1 min | Must restart |
| KB 910437 | When Windows Automatic Updates tries to download updates on a Windows Server 2003-based or Windows XP-based computer, an access violation error may occur | Critical | December 14, 2005 | ~1 min | Can request restart |
| KB 912919 | Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution | Critical | January 06, 2006 | ~1 min | Can request restart |
| KB 913446 | Vulnerability in TCP/IP Could Allow Denial of Service | Security Updates | February 15, 2006 | ~1 min | Can request restart |

Installing PPM Packages

This section describes the following operations:

- Adding a Package Manifest to the Packages Repository.
- Adding a Package Tarball to the Packages Repository Mirror.
- Installing a Package on the host.

Adding a Package

Prior to installing a Package on the host, the following actions should be performed:

1 A Package Manifest should be added to the Packages Repository.
2 A Package Tarball should be placed in the Packages Repository Mirror.

Note: Typically, a Package has a Manifest (a file with the pdl.asc extension) and a Tarball (a file with the tgz extension). In some cases, however, a Package has a Manifest only.

OS-specific Package Manifests and Package Tarballs are available at the following location:

POA_DISTRIBUTION_DIRECTORY/os/OS_TYPE/OS_VERSION/packages/

where:

- POA_DISTRIBUTION_DIRECTORY - Directory where the POA distribution is located.
- OS_TYPE - Type of operating system, for example: Win32, RHES.
- OS_VERSION - Version of the operating system.

Common Package Manifests and Package Tarballs are available at the following location:

POA_DISTRIBUTION_DIRECTORY/common/

Adding a Package Manifest to the Packages Repository

A Package Manifest can be added to the Packages Repository in the following ways:

Adding a Package Manifest from the local workstation. To do this, perform the following steps:

1. Deliver the Package Manifest from the POA distribution to the local workstation.
2. In POA Control Panel, go to Top > Deployment Director > Applications Manager > Packages Repository. The Packages tab opens.

Figure 87: Packages Repository - Packages List Screen

3. Click on the Add new package button. An input box appears prompting you for the name of the file.

Figure 88: Packages Repository - Add New Package Screen

4. Enter the absolute path to the Package Manifest into the File text input field. You can also use the Browse... button to find the desired Package Manifest by means of the standard dialog window.
5. Click on the Submit button to import the selected Package Manifest into the Package Repository.

Note: To check that the Package Manifest is added to the Package Repository, the following options are available:
1. Go to Top > Deployment Director > Applications Manager > Packages Repository, switch to the Packages tab, and check that the Package is present in the list of Packages.
2. Use the Notification system. The Notification system is described in the POA Provider's Guide, Monitoring System > Managing Notifications section.

Adding a Package Manifest by specifying the Package Manifest location URL. To do this, perform the following steps:

1. Deliver the Package Manifest to the Web or FTP server.
2. In POA Control Panel, go to Top > Deployment Director > Applications Manager > Packages Repository. The Packages tab opens.

Figure 89: Packages Repository - Packages List Screen

3. Click on the Add new package from URL button.

Figure 90: Packages Repository - Add New Package from URL Screen

4. Enter the URL address of the Package Manifest into the URL text input field.
5. Click on the Submit button to import the selected Package Manifest into the Package Repository.

Note: To check that the Package Manifest is added to the Package Repository, the following options are available:
1. Go to Top > Deployment Director > Applications Manager > Packages Repository, switch to the Packages tab, and check that the Package is present in the list of Packages.
2. Use the Notification system. The Notification system is described in the POA Provider's Guide, Monitoring System > Managing Notifications section.

Adding a Package Tarball to the Packages Repository Mirror / Initial POA Tarballs Storage

Linux-based Management Node. In this case the Packages Repository Mirror is located on the Management Node itself. Obtain the Package Tarball and deliver it to the POA_INSTALLATION_DIRECTORY/sysvhosts/ppmmirror/data directory on the Management Node. Typically, POA_INSTALLATION_DIRECTORY is /usr/local/pem/.

Windows-based Management Node. In this case the Initial POA Tarballs Storage is located on the Management Node itself. Obtain the Package Tarball and deliver it to the POA_INSTALLATION_DIRECTORY\install\tarballs directory on the Management Node. Typically, POA_INSTALLATION_DIRECTORY is C:\Program Files\SWsoft\PEM\.
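Added example, not part of the POA distribution or of the original guide: a shell function for the Linux-based Management Node case that copies each Package Tarball into the mirror directory, confirms by SHA-256 that the staged copy matches the source, and lists Packages that have a Manifest only. The function names, the 0644 file mode, and the pairing of a Manifest with its Tarball by base name (NAME.pdl.asc / NAME.tgz) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the POA distribution): stage Package Tarballs
# into the Packages Repository Mirror of a Linux-based Management Node.

# Print the SHA-256 digest of a file.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# stage_tarballs SRC_DIR MIRROR_DIR
#   SRC_DIR    e.g. POA_DISTRIBUTION_DIRECTORY/os/OS_TYPE/OS_VERSION/packages
#   MIRROR_DIR e.g. /usr/local/pem/sysvhosts/ppmmirror/data
# Prints one line per package. Returns 0 if every tarball was staged and
# verified, 1 if any copy failed verification, 2 if a directory is missing.
stage_tarballs() {
    local src="$1" mirror="$2" rc=0
    local tarball manifest name tmp want got

    [ -d "$src" ] || { echo "error: no such directory: $src" >&2; return 2; }
    [ -d "$mirror" ] || { echo "error: no such directory: $mirror" >&2; return 2; }

    for tarball in "$src"/*.tgz; do
        [ -e "$tarball" ] || continue      # the glob matched nothing
        name=$(basename "$tarball")
        want=$(file_sha256 "$tarball")

        # Copy under a temporary name and rename afterwards, so the mirror
        # never exposes a half-written tarball under its final name.
        tmp=$(mktemp "$mirror/.staging.XXXXXX")
        if cp -- "$tarball" "$tmp"; then
            got=$(file_sha256 "$tmp")
        else
            got=""
        fi

        if [ "$got" = "$want" ]; then
            # mktemp creates the file 0600; 0644 is an assumption about
            # what the mirror needs in order to serve it.
            chmod 0644 "$tmp"
            mv -f -- "$tmp" "$mirror/$name"
            echo "STAGED $name sha256=$want"
        else
            rm -f -- "$tmp"
            echo "FAILED $name (digest mismatch after copy)"
            rc=1
        fi
    done

    # Report Packages that ship a Manifest but no Tarball.
    # Assumed naming: NAME.pdl.asc pairs with NAME.tgz.
    for manifest in "$src"/*.pdl.asc; do
        [ -e "$manifest" ] || continue
        name=$(basename "$manifest" .pdl.asc)
        [ -e "$src/$name.tgz" ] || echo "MANIFEST-ONLY $name"
    done

    return "$rc"
}

# Run directly as: stage.sh SRC_DIR MIRROR_DIR
if [ "$#" -eq 2 ]; then
    stage_tarballs "$1" "$2"
fi
```

The digest check only confirms that the staged copy matches the file in the distribution directory; it says nothing about where the distribution itself came from.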

Installing a Package on the Host

This section describes the following operations:

- Installing a package on the host. Use this operation to install one package on one host, for example, to install a Service Controller on the Management Node.
- Installing a set of packages on the group of hosts. Use this operation to install a set of packages on a group of hosts, for example, to install Control Panels on several UI Servers.

Installing a Package on the Host

To install a package on the host, perform the following steps:

1 In POA Control Panel, go to the target host (the path in Control Panel depends on the type of host):
  - Hardware Node: Top > Deployment Director > Server Manager > Hardware Nodes.
  - VPS: Top > Service Director > Virtuozzo Manager > VPSs.
2 Select the host you wish to install the package on by clicking on it. The Summary tab opens.
3 Click on the Packages tab. The list of installed packages appears.

Figure 91: Installing Package - List of Installed Packages

4 Click on the Install Package button. You will be offered the list of available components that are not yet installed.

Figure 92: Installing Package - List of Available Components

5 Select the package you'd like to install and click on the appropriate Install package icon in the Actions column. The list of components that should be installed on the host is displayed.

Figure 93: Installing Package - List of Components That Should Be Installed

There are the following types of packages:

- Package has no editable properties. In this case the following icon is displayed in the Actions column:

- Package has editable properties. Properties have default values and can be customized. In this case the following icon is displayed in the Actions column:
- Package has editable properties. Properties have no default values and should be defined prior to package installation. In this case the following icon is displayed in the Actions column:

6 Click on the icon displayed in the Actions column and specify the package's properties. Click on the Submit button.

Figure 94: Installing Package - Edit Package Properties Screen

Note: This step is performed if a package has editable properties or properties that are mandatory to fill out.

7 Click the Finish button to install the package.

Note: To check that a package is installed on the host, the following options are available:
1. Select the target host, switch to the Packages tab, and check that the package is available in the list of installed packages.
2. Use the Notification system. The Notification system is described in the POA Provider's Guide, Monitoring System > Managing Notifications section.

Installing Set of Packages on Group of Hosts

To install a set of packages on the group of hosts, perform the following actions:

1 Fill out the mandatory properties of the packages you wish to install. To do that, execute the following steps:
  a In POA Control Panel, go to Top > Deployment Director > Applications Manager > Packages Repository.
  b Select the target package and click on the icon in the Actions area.
  c Fill out the mandatory package properties and click on the Submit button.

Important! Execute these steps for every package that participates in the installation and has mandatory properties.

2 In POA Control Panel, go to Top > Deployment Director > Applications Manager > PPM group operations.

3 Click on the Create new PPM group operation link. The Create PPM group operation wizard starts.
4 Select the Installation option in the Operation area and click on the Next button to continue.

Figure 95: PPM Group Operations Wizard - Select Operation Type Screen

5 Select target hosts and click on the Next button to continue.

Figure 96: PPM Group Operations Wizard - Select Target Hosts Screen

6 Select packages to install and click on the Next button to continue.

Figure 97: PPM Group Operations Wizard - Select Packages Screen

7 Click on the Finish button to start the installation of packages on the selected hosts.

Note: To check that a package is installed on the host, the following options are available:
1. Select the target host, switch to the Packages tab, and check that the package is available in the list of installed packages.
2. Use the Notification system. The Notification system is described in the POA Provider's Guide, Monitoring System > Managing Notifications section.

414 414 Index A Adding a Package 405 Adding MPFServiceAcct Account to BES 334 Adding MPFServiceAcct Account to BES Security Subsystem 152 Adding MPFServiceAcct Account to GMS 166, 344 Adding MPSExchangeAccts Group to Local Administrators 106 Adding Nodes to a Server Cluster 23 After-Installation Steps 388 Assigning Front-End Role to Server 49 B Binding SSL Certificate to Website on RPC Proxy Server 95 BlackBerry Enterprise Server Pre-Installation Steps 327 BlackBerry Enterprise Server Pre- Installation Steps 142 Branding Verification 320 C Carrier Level 203 Checking Highest Priority of Private Network Interface 379 Checking MSExchange Stores Status 116 Checking Presence of Sysnative Directory 381 Checking Readiness of Exchange Servers to Provide 130 Checking Successful Installation of ForestPrep and DomainPrep 29 Checking that RPC Proxy Server Uses Specified Ports 88 Client Access Servers Configurations 308 Cluster Continuous Replication 206 Cluster Network Configuration 224, 242 Cluster Verification 241, 254 Common Operations 372 Configuring Active Directory 17, 213 Configuring Administrative Groups to be Shown in Exchange System Manager 42 Configuring All Address Lists Container 104 Configuring and Start IIS Service on Protocols Front-End Servers 60 Configuring and Starting IIS Service 46, 265, 281 Configuring Anti-Spam Filtering 278 Configuring AS/AV Gateway to Route Incoming SMTP Traffic to Exchange Hub Transport Servers 288 Configuring AUTD Notification on Windows Mobile Smartphones 132 Configuring AutoDiscover Service 266 Configuring Branded Access Points in Branding Manager 318 Configuring Branding for POP3 and IMAP4 Services 317 Configuring ClusterAdmin Account for Clustered Exchange 101 Configuring Data Location on Transport Servers 269 Configuring Default Global Address List 145, 161, 330, 343 Configuring DNS Suffix 223 Configuring Domain Name Resolving 276 Configuring Domain Permissions For Cluster Service Account 251 Configuring Edge Servers 275 
Configuring EdgeSync 277 Configuring Exchange 2007 Branding 317 Configuring Exchange 2007 Servers 262 Configuring Exchange Client Access Server as RPC Proxy Server 85 Configuring Exchange Hub Servers to Route Outgoing SMTP Traffic to AS/AV Gateway 292 Configuring Exchange Hub Transport Servers to Accept Incoming SMTP Traffic from AS/AV Gateway 287 Configuring Exchange Mailbox Servers 42 Configuring Exchange Mailbox Servers as Targets for RPC Proxy Servers 84 Configuring Exchange Permissions for BlackBerry Service Account 146 Configuring Exchange Permissions for GMS Service Account 162 Configuring Exchange Server 2007 Client Access Server 263

415 Index 415 Configuring Exchange Servers to Route Locally Delivered Messages via AS/AV Gateway 292 Configuring File Share Witness 233 Configuring File Share Witness for Windows Server Configuring File Share Witness for Windows Server Configuring Firewall 285 Configuring Firewall for Exchange 2003 Services 101 Configuring Forms-Based Authentication and OWA Compression 61 Configuring Global Catalog Servers 80 Configuring HTTP Virtual Server in Exchange System Manager 43 Configuring Hub Servers 271 Configuring IIS on Front-End Protocol Servers 98 Configuring Incoming Mail Delivery 285 Configuring 'Internet Newsgroups' Public Folder 46 Configuring Log Files Parameters 388 Configuring Mailbox Deletion Settings 45 Configuring Mailbox Servers 280 Configuring Microsoft Provisioning System Server for Hosted Exchange 103 Configuring MPFServiceAccts Group As Exchange Full Administrator 103 Configuring MPS Server 102 Configuring MPSExchangeAccts Group As Exchange Full Administrator 104 Configuring MS SQL Permissions for BES Service Account 145, 330 Configuring MX Records to Point to AS/AV Gateway IP Address 290 Configuring Network Interfaces 372 Configuring Network Load Balancing 96 Configuring Network Load Balancing for Exchange 2003 Servers 96 Configuring Network Load Balancing for Exchange 2007 Servers 281 Configuring NLB for CAS Servers 283 Configuring NLB for EDGE Servers 284 Configuring NLB for HUB Servers 283 Configuring NLB on Front-End Protocol Servers 97 Configuring NLB on Front-End SMTP Servers 97 Configuring Outgoing Mail Delivery 291 Configuring Outlook Anywhere 266 Configuring Outlook Web Access (OWA) 265 Configuring Permissions for BES Service Account 143, 328 Configuring Permissions for GMS Service Account 159, 342 Configuring POA Administrator Account as Exchange Full Administrator 111 Configuring POA Administrator Account as Exchange Organization Administrator 305 Configuring POA to Work with Global Relay Control Panel 370 Configuring POP and IMAP Services 
263 Configuring Primary Address of BESAdmin Mailbox 147 Configuring Primary Address of GoodAdmin Mailbox 164 Configuring Proxy Server 140, 157 Configuring RPC Virtual Directory on RPC Proxy Server 85 Configuring Security Settings for Mobile Devices 73 Configuring Servers for BES 329 Configuring Servers for GMS 342 Configuring showinaddressbook Attribute 148, 164 Configuring SSL Certificate for SMTP Service on Transport Servers 278 Configuring SSL Certificate on Client Access Servers 268 Configuring Storage and Volume Mount Points 238 Configuring Windows Node 372 Configuring Windows Server 2003 on Nodes 18 Creating BES Service Account 327 Creating BlackBerry Service Account 142 Creating ClusterAdmin Account 20 Creating Default SMTP Connector 100 Creating Disk Resource 37 Creating DNS Records for Exchange Client Access Servers 108 Creating Exchange 2003 System Attendant Resource 38 Creating Exchange Mailbox 147, 163 Creating Exchange Mailbox Cluster 19 Creating Exchange Virtual Servers for Clustered Configuration 32 Creating 'Global Relay Archiving' Resource Type 364 Creating GMS Service Account 158, 341 Creating Group to Host Exchange Virtual Server 33 Creating IMAP4 Cluster Resource 42 Creating IP Address Resource 34

416 Index 416 Creating 'MessageLabs Security' Resource Type 352 Creating 'MXLogic Security' Resource Type 358 Creating Network Name Resource 36 Creating New Cluster 228, 247 Creating New Cluster in Windows 2008 Server 250 Creating New Cluster in Windows Server , 247 Creating New Cluster in Windows Server Creating POP3 Cluster Resource 41 Creating Request File for Certificate Authorities 90 Creating Resource Type 125 Creating Send Connectors to External AS/AV Gateway for Local Delivered Messages 295 Creating Service Template 130 Creating Service Template Containing Global Relay Archiving Service 368 Customizing Outlook Web Access 67 Customizing OWA Login Screen 67 D Delivering Messages Marked by AS/AV Gateway as Spam into Junk Folder 297 Deploying and Configuring Exchange 2007 Servers 179 Deploying BlackBerry Enterprise Server for Microsoft Exchange Deploying BlackBerry Messaging Service for Microsoft Exchange Deploying Client Access Role 219 Deploying Cluster Continuous Replication Mailbox Servers 224 Deploying Database for BES 327 Deploying Edge Transport Server 222 Deploying Exchange Provisioning 101, 298 Deploying Exchange Server 2007 Roles 219 Deploying Global Relay Archiving Integration 363 Deploying Global Relay Archiving Service 360 Deploying Good Messaging Server for Microsoft Exchange Deploying Good Messaging Server for Microsoft Exchange Deploying HMC Deploying Hosted Exchange Deploying Hosted Exchange , 208 Deploying Hosted Exchange Provisioning 303 Deploying Hosted Messaging and Collaboration 4.0 Server 175 Deploying Hub Transport Role 221 Deploying MessageLabs Security Service 351 Deploying Microsoft SQL Server for BES Configuration Database 327 Deploying Microsoft SQL Server for BlackBerry Configuration Database 141 Deploying MX Logic Security Service 355 Deploying New Hardware 175 Deploying Postini Security Service 169, 349 Deploying RPC-over-HTTP for Exchange 2003 Server 80 Deploying Single Copy Cluster Mailbox Servers 242 Deploying Standalone 
Mailbox Server 255 Deployment and Installation Troubleshooting 321 Deployment Architectures 203 Deployment Overview 190 Disabling Exchange Information Store 54 Documentation Conventions 8 E Enabling DHCP Client Service 376 Enabling Exchange ActiveSync Support 70 Enabling Network Protocols 57 Enabling Outlook Mobile Access 70 Enabling Outlook Web Access 61 Enabling Out-of-office Responses, Automatic Replies, and Automatic Forward 106 Entering Exchange Product Key 262 Entry Level 203 Exchange 2003 to Exchange 2007 Transition 171 Exchange 2007 Hardware and Software Requirements 192 Exchange 2007 Role-Based Deployment 190 Exchange 2007 Server Installation 209 Exchange Server Exchange Server 2007 Distribution Packages 209 Exchange Server 2007 Media Prerequisites 210 Exchange Servers 2007 Software Requirements 201 Extending Maximum Number of Global Address Lists 213

417 Index 417 F Feedback 10 G General Configuration of Exchange Mailbox Cluster 19 General Conventions 10 Get List of Accepted Domains 289 Getting LDAP Path to Public Folders Store 115 Getting Mailbox Store Name 114 Good Messaging Server Pre-Installation Steps 158, 341 H Hardware Requirements 323, 339 Hardware Requirements for Hosted Exchange 2007 Server Roles 195 High Availability for Exchange Hub, Edge and CAS Servers 208 High Availability for Exchange Mailbox Servers 204 Hosted Exchange and Active Directory 15 Hosted Exchange and Clustering 16 I Importing Existing BlackBerry Accounts in POA 336 Importing Existing BlackBerry Accounts into POA 154 Importing Existing GMS Accounts into POA 168 Importing Existing Good Accounts in POA 347 Importing Process Diagram 336, 347 Installing a Package on the Host 409 Installing Additional Exchange Mailbox Servers 31 Installing Address Rewriter Transport Agent 315 Installing All Windows Components Required by Exchange Server 27 Installing and Configuring Exchange Client Access Server 47 Installing and Configuring Exchange SMTP Servers 78 Installing BESUserAdminClient 152 Installing BESUserAdminClient Tools 333 Installing BESUserAdminService 150, 332 Installing BlackBerry Enterprise Server Software 330 Installing BlackBerry Resource Kit 332 Installing BlackBerry Enterprise Server Resource Kit 150 Installing BlackBerry Enterprise Server Software 148 Installing CP Package 113 Installing Exchange 2007 Server Roles in Unattended Mode 212 Installing Exchange Client Access Server 47 Installing Exchange CP Package on UI Servers 305 Installing Exchange OAB Service 123 Installing Exchange Server 2007 Management Tools 298 Installing Exchange Server 2007 Prerequisites 219, 221, 222, 226, 245, 255, 299 Installing Exchange Server 2007 Prerequisites for Windows 2008 Server 220, 221, 222, 247, 256 Installing Exchange Server 2007 Prerequisites for Windows Server , 221, 222, 226, 245, 255 Installing Exchange Server 2007 Prerequisites for 
Windows Server Installing Exchange Server 2007 SP1 Prerequisites 258 Installing Exchange Server 2007 Updates 263 Installing Exchange2007 Protocols Service Package 311 Installing Exchange2007Autodiscover Service Package 312 Installing Exchange2007IMAP4 Service Package 310 Installing Exchange2007Mailstore Service PPM Package 305 Installing Exchange2007OAB Service Package 307 Installing Exchange2007POP3 Service Package 309 Installing Exchange2007SMTP Service Package 316 Installing Exchange2007SMTPAuth Service Package 314 Installing First Exchange Mailbox Server 25 Installing Global Relay Archiving Packages 363 Installing GMS Server Software 165 Installing Good Management Console Software 344 Installing Good Messaging Server and Good Management Server Software 344 Installing Good Management Console Software 165 Installing Good Messaging Server and Good Management Server Software 165

Installing HMC 4.0 Update Rollup 4 for Hosted Exchange 300
Installing IIS (for Windows Server 2003) 140
Installing Mailbox Server Role on Active Node 237, 252
Installing Mailbox Server Role on Passive Node 241, 254
Installing MessageLabs Security Service Packages 351
Installing Microsoft Exchange System Management Tools 102
Installing MPF Exchange Provider 107
Installing MX Logic Security Service Packages 358
Installing POA Agent 381
Installing POA Agent on Active Cluster Node 385
Installing POA Agent on Exchange Mailbox Servers 111
Installing POA Agent on Exchange SMTP Servers 118
Installing POA Agent on Non-Cluster Node 383
Installing POA Agent on Passive Cluster Node 387
Installing POA Packages 153, 166
Installing POA Packages for BlackBerry 335
Installing POA Packages for Good Messaging 345
Installing Postini Security Service 169, 350
Installing PPM Packages 404
Installing QoS Packet Scheduler 379
Installing Recent Service Packs and Hot Fixes 149, 331
Installing Routing Override Transport Agent 296
Installing RPC-over-HTTP Windows Component 81
Installing Service Package 113
Installing Service PPM Package on Exchange SMTP Servers 119
Installing SP2 for Exchange
Installing SQL Server
Installing SSL Certificate from Certification Authorities 266
Installing SSL Certificate on RPC Proxy Server 89
Installing Update Rollup 1 for Exchange Server 2007 SP1 262
Installing Windows Server 2003 Server Cluster 21
Integrating with External AS/AV Mail Gateway 285
Internet SMTP Branding 317

J
Joining Windows Node to Domain 375

L
Limitations 17
List of Resources 128
Local Continuous Replication 206

M
Managing Messaging Services 349
Message Routing in Exchange 2007 Organization 191
Migrating Exchange Subscriptions 184
Moving / Upgrading System Objects 183

N
Network Architecture 13
Network Requirements 139, 326, 340
Networks Requirements 157
NLB Overview 281
Number of Global Catalog Servers 16

O
Obtaining Host Initial Data File 382
Output Format for Importing Results 338
Output Format For Importing Results 349
Overview 135, 154, 171, 208, 304, 321, 338
Overview of Hosted Exchange Deployment 13

P
Performing DNS Registration 378
Performing Exchange Provisioning Steps 103
Planning for Cluster Continuous Replication 224
Planning for Single Copy Cluster 242
POA BSS Guidance 186
POA PCP/RCP Guidance 185
POA-Related Installation Steps 108, 304
Preface 8
Preparing Active Directory 177
Preparing Active Directory for Exchange 2007 Installation 215
Preparing Active Directory for Windows Server 2003 R2 390
Preparing Cluster Nodes for Exchange 2003 Installation 23
Preparing Computer for Installation of BlackBerry Enterprise Server 144
Preparing Computer for Installation of GMS 160

Preparing for Active Directory Initializations 215
Preparing MPS Server 175
Preparing Node for BES 139
Preparing Node for Exchange 2003 Installation 25
Preparing Node for GMS 157
Preparing POA Hosted Exchange for Global Relay Integration 361
Preparing Servers for Exchange
Preparing Windows Server 2003 Servers 216
Preparing Windows Server 2008 Servers 218
Preventing Correlation of Authorization Data 69
Problems with Mail Delivery to Newly Created Recipient 321

R
Reconfiguring Blackberry Enterprise Server 180
Reconfiguring Good Messaging Server 180
Reconfiguring Wireless Services 180
Redirecting OWA Logon Page to Default Website on Exchange Client Access Server 62
Reducing Metric of Private Network Interface 373
Registering All Exchange Client Access Servers 308
Registering All Hub Transport Servers 313
Registering and Configuring Client Access Server 308
Registering and Configuring Edge Transport Server 316
Registering and Configuring Hub Transport Servers 313
Registering and Configuring Mailbox Servers 305
Registering and Configuring New MPS and Exchange 2007 Nodes 181
Registering BES Servers in POA 335
Registering BlackBerry Enterprise Servers in POA 153
Registering Clustered Mailbox Servers 305
Registering Exchange Client Access Servers in POA 121
Registering Exchange Mailbox Servers in POA 111
Registering Exchange SMTP Servers in POA 118
Registering Global Relay Archiving Service in POA 366
Registering GMS Servers in POA 166, 345
Registering MessageLabs Security Service in POA 352
Registering MX Logic Security Service in POA 359
Registering Postini Account in POA 170, 351
Registering Standalone Mailbox Servers 305
Removing Exchange 2003 Servers from Active Directory 188
Removing HMC 3.5 and Exchange
Removing Mailbox Stores 53
Removing Public Stores 50
Renaming Computer 374
Resetting Incorrectly Ordered Permissions on DGAL in Active Directory 343
Resetting MPFServiceAcct Password in the HMC
Running Exchange Server 2007 Setup 220, 221, 223, 256, 299
Running Microsoft Exchange Installation Wizard 28
Running PrepareAD 215
Running PrepareSchema 215
Running Upgrade to Exchange Server 2007 SP1 259

S
Securing Default Global Address List 47
Selecting Disk Storage 194
Selecting Memory Configuration 193
Selecting Processor 192
Service Downtime Summary 389
Single Copy Clusters 207
Specifying Instant Access URL Prefix Template 127
Standard Level 203
Starting POP3 and IMAP4 Services 40
Storage Configuration 245
Supported Storage Technologies 204
Switching Client Access and SMTP Traffic to Exchange 2007 Servers 183
Switching Provisioning from HMC 3.5.to HMC
System Requirements 136, 156, 326, 340

T
Testing BES Service Account Proper Functioning 335
Testing BlackBerry Service Account 153
Testing GMS Service Account 166
Testing GMS Service Account Proper Functioning 345
Transition Procedure 172
Typographical Conventions 8

U
Uninstalling Exchange 2003 Back-End Servers 187
Uninstalling HMC 3.5 MPS Server 187
Updating Exchange 2003 Servers 180
Upgrading Clustered Mailbox Server to Exchange 2007 SP1 260
Upgrading to Exchange 2007 Service Pack
Upgrading to Windows Server 2003 R2 389, 391

V
Validating Cluster and Configuring Cluster Networks 231
Validating Cluster and Configuring Cluster Networks for Windows 2008 Server 232
Validating Cluster and Configuring Cluster Networks for Windows Server
Verifying Exchange Server 2007 Installation 212, 221, 222, 224, 257
Verifying Exchange Server 2007 SP1 Installation 261
Verifying External DNS for SMTP Virtual Server 75
Verifying Prerequisites 357

W
Windows Updates Compatibility 392


More information

Parallels Virtuozzo Containers 4.6 for Windows

Parallels Virtuozzo Containers 4.6 for Windows Parallels Parallels Virtuozzo Containers 4.6 for Windows Upgrade Guide Copyright 1999-2010 Parallels Holdings, Ltd. and its affiliates. All rights reserved. Parallels Holdings, Ltd. c/o Parallels International

More information

Patented hosting technology protected by U.S.Patents 7,0909,948; 7,076,633. Patents pending in the U.S.

Patented hosting technology protected by U.S.Patents 7,0909,948; 7,076,633. Patents pending in the U.S. Copyright Notice ISBN: N/A SWsoft. 13755 Sunrise Valley Drive Suite 600 Herndon VA 20171 USA Phone: +1 (703) 815 5670 Fax: +1 (703) 815 5675 Copyright 1999-2007, SWsoft Holdings, Ltd. All rights reserved

More information

Getting Started with ESXi Embedded

Getting Started with ESXi Embedded ESXi 4.1 Embedded vcenter Server 4.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent

More information

InventoryControl for use with QuoteWerks Quick Start Guide

InventoryControl for use with QuoteWerks Quick Start Guide InventoryControl for use with QuoteWerks Quick Start Guide Copyright 2013 Wasp Barcode Technologies 1400 10 th St. Plano, TX 75074 All Rights Reserved STATEMENTS IN THIS DOCUMENT REGARDING THIRD PARTY

More information

Parallels Plesk Panel

Parallels Plesk Panel Parallels Plesk Panel Copyright Notice ISBN: N/A Parallels 660 SW 39th Street Suite 205 Renton, Washington 98057 USA Phone: +1 (425) 282 6400 Fax: +1 (425) 282 6444 Copyright 1999-2010, Parallels, Inc.

More information

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

Load Balancing. Outlook Web Access. Web Mail Using Equalizer Load Balancing Outlook Web Access Web Mail Using Equalizer Copyright 2009 Coyote Point Systems, Inc. Printed in the USA. Publication Date: January 2009 Equalizer is a trademark of Coyote Point Systems

More information

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

Plesk 8.3 for Linux/Unix Acronis True Image Server Module Administrator's Guide

Plesk 8.3 for Linux/Unix Acronis True Image Server Module Administrator's Guide Plesk 8.3 for Linux/Unix Acronis True Image Server Module Administrator's Guide Revision 1.0 Copyright Notice ISBN: N/A SWsoft. 13755 Sunrise Valley Drive Suite 600 Herndon VA 20171 USA Phone: +1 (703)

More information

TANDBERG MANAGEMENT SUITE 10.0

TANDBERG MANAGEMENT SUITE 10.0 TANDBERG MANAGEMENT SUITE 10.0 Installation Manual Getting Started D12786 Rev.16 This document is not to be reproduced in whole or in part without permission in writing from: Contents INTRODUCTION 3 REQUIREMENTS

More information

Sentinel Management Server

Sentinel Management Server Sentinel Management Server Installation, Reinstallation, and Upgrade Guide Server Sentinel 4.4.3 and Higher April 2007 . unisys imagine it. done. Sentinel Management Server Installation, Reinstallation,

More information

SWsoft, Inc. Plesk VPN. Administrator's Guide. Plesk 7.5 Reloaded

SWsoft, Inc. Plesk VPN. Administrator's Guide. Plesk 7.5 Reloaded SWsoft, Inc. Plesk VPN Administrator's Guide Plesk 7.5 Reloaded (c) 1999-2004 ISBN: N/A SWsoft Inc 13800 Coppermine Drive Suite 112 Herndon VA 20171 USA Tel: +1 (703) 815 5670 Fax: +1 (703) 815 5675 Copyright

More information

CentreWare Internet Services Setup and User Guide. Version 2.0

CentreWare Internet Services Setup and User Guide. Version 2.0 CentreWare Internet Services Setup and User Guide Version 2.0 Xerox Corporation Copyright 1999 by Xerox Corporation. All rights reserved. XEROX, The Document Company, the digital X logo, CentreWare, and

More information

Diamond II v2.3 Service Pack 4 Installation Manual

Diamond II v2.3 Service Pack 4 Installation Manual Diamond II v2.3 Service Pack 4 Installation Manual P/N 460987001B ISS 26APR11 Copyright Disclaimer Trademarks and patents Intended use Software license agreement FCC compliance Certification and compliance

More information