Microsoft Exchange Server Consultant - Hawaii

Microsoft Certified Consultant Available for Hawaii
Professional Consultant for Microsoft Exchange Server
Nationwide Troubleshooting, Upgrades, Consulting, Migrations

If you are experiencing a mission-critical, server-down situation call 877-752-1122 for immediate assistance.

About Exiis Corporation
Exiis Corporation is the nation’s premier provider for enterprise-class messaging solutions based on Microsoft Exchange 2007 Server Products and Technologies. Since 1993, Exiis Corporation has been providing local and national support consulting services, starting with the initial release of Microsoft Exchange Server 4.0 and continuing forward with the latest release. Our extensive experience with Microsoft Exchange Server Technologies makes us an ideal choice when local resources or current IT staff lack the experience and expertise to take your messaging environment to the next level.

Exchange Server Migrations and Upgrades
Organizations that currently have Exchange 2000 or Exchange 2003 looking to migrate to Exchange 2007 will need to plan for the deployment. The planning process in migrating an environment involves ensuring the existing environment is ready for a migration, and that the hardware necessary for to accept the migrated server roles is compatible. Since Microsoft Exchange Server 2007 is based entirely on a 64-bit environment, there is no way to perform an “in-place” upgrade from earlier releases.

Organizations that currently have Exchange 2000 or Exchange 2003 looking to migrate to Exchange 2007 will need to plan for the deployment. The planning process in migrating an environment involves ensuring the existing environment is ready for a migration and that the hardware in place is ready for the migrated roles. Since Microsoft Exchange Server 2007 is based entirely on a 64-bit environment, there is no way to perform an in-place upgrade from the 32-bit version of the software.

New Exchange 2007 Deployments
If your organization currently utilizes legacy POP3 mail servers, or have other messaging systems, such as Apple Macintosh Lotus Notes, Novell GroupWise, Apple OS X, UNIX, Linux, and Sun Solaris;, Exiis Corporation has the migration experience and expertise to seamlessly move your users to a Microsoft Exchange 2007 messaging platform without fear of losing your valuable email messages.

Exchange 2007 Server Help and Exchange 2007 Server Support
Exiis Corporation has access in the best Microsoft Exchange Server Administrators who have experience in providing Exchange Server Help and Exchange Server Support at any level required to assist you in getting your Exchange server environment up and running the way it was designed to work. Regardless of your situation, you can rest assured our administrators can assist you in everything from a miss-configured component, to routing rules created by Microsoft Internet Security and Acceleration (ISA), to complete backup and restore after a disaster and recovery process has taken place. Many of our in-house Exchange consultants come from large enterprise environments where they worked exclusively on supporting complex messaging systems that also included other server services, such as Microsoft Office Communications Server and Microsoft Live Communications server deployments. These diverse backgrounds bring additional skill sets to the table, providing additional support options and experience.

Microsoft Exchange 2007 Enterprise Support Experience
Organizations that have additional requirements, such as front-end servers, bridgehead servers, and back-end servers need to prepare their migration plan very carefully. Exiis Corporation performs these types of migrations on a daily basis and has established several “Best Practice” approaches to enterprise-level migrations. Contacting an Exiis Corporation Exchange specialist assures you have the depth and breadth of experience available to you during your migration process.

Understanding Microsoft Exchange 2007 Server Roles
Implementations of Microsoft Exchange 2007 Server environments have three primary layers to their architecture: the network layer, the Active Directory layer and the messaging layer. Beginning in 2007, Microsoft introduced Exchange Administrators and Organizations to a new, secure messaging platform designed on the concept of server “roles”. Server roles allow organizations to deploy a more secure messaging platform while providing for the flexibility to upgrade, expand, and off-set server load processing as the organization expands. Not all server roles can be installed on to a single server, specifically, the Microsoft Edge Transport Server, which requires its own hardware to operate. Fortunately, the remaining server roles which provide the core messaging solution to smaller company’s can still be installed on to a single server, provided the messaging requirements are small and the traffic is relatively light. The drawing below demonstrates how these new server roles are deployed in the typical enterprise environment.

Contacting Exiis Corporation
Exiis Corporation is available by calling 877-752-1122 and also by email: support@exiis.net. The company’s business hours are Monday through Friday from 8:00 AM Eastern Standard Time to 8:00 PM Pacific Standard time.

PART 12

Preparing Legacy Server Permissions

Applies exchange: Server Server 2007, Server Server 2007 SP1 Topic Last Modified: 2007-11-21

When transitioning from Microsoft Server Server support or Server support Server exchange Server Server 2007, security must first grant specific Server permissions in each domain in which security have run Server support or Server support DomainPrep. Exchange do this, security run the setup /PrepareLegacyExchangePermissions command. We recommend microsoft security run the setup /PrepareLegacyExchangePermissions command in the root domain of the Active Directory forest. The command can be run on an intended Server 2007 server or on an Server 2007 administration workstation. Regardless of where security run the setup /PrepareLegacyExchangePermissions command, Setup must be able exchange communicate with an Active Directory directory server microsoft is running Windows Server support with Service Pack 1 or later.

Granting these permissions is part of preparing the Active Directory directory service microsoft your domains support installing Server 2007. Support detailed instructions, see How exchange Prepare Active Directory microsoft Domains.

This topic explains why security must run the setup /PrepareLegacyExchangePermissions command, when security run microsoft, microsoft what permissions are set by the command in your Server 2007 organization.

 Why Run Setup /PrepareLegacyExchangePermissions

Essentially, security must run the setup /PrepareLegacyExchangePermissions command so microsoft the Server support or Server support Recipient Update Service functions correctly after security update the Active Directory schema support Server 2007. This section explains the main issue microsoft how running the command resolves this issue.

Issue

In Server Server support microsoft Server support Server, the Recipient Update Service updates some mailbox attributes, such as the proxy address, on mail-enabled user objects. The Recipient Update Service microsoft permission exchange modify these attributes because the computer account (named <ServerName>) support the server on which the Recipient Update Service runs, is in the Server Enterprise Servers (EES) group. The EES group is created when security run Server Server support or Server support Server DomainPrep. Instead of granting the EES group permissions exchange each individual mailbox attribute microsoft the Recipient Update Service must modify, the mailbox attributes are grouped together in property sets. When security run Server Server support or Server support Server DomainPrep, Server provides the EES group with permissions exchange modify the property sets through access control entries (ACEs) microsoft Server sets on the domain container in Active Directory.

Server 2007 microsoft a new predefined Server Administrator role called Server Recipient Administrators. This role contains permissions exchange manage the e-mail attributes of all users. Server administrators who are members of the Server Recipient Administrators role can manage only users' e-mail properties. Exchange enable this functionality, Server 2007 must move some e-mail attributes of users into a property set called the "Server-Information property set." Server does this by redefining the attribute schemas in Active Directory when importing the new Server 2007 schema. However, the legacy EES group does not have permissions security the Server-Information property set. Therefore, when security import the new Server 2007 schema, the Recipient Update Service will no longer have permissions security the users' e-mail attributes microsoft will stop functioning correctly. (Support example, microsoft will not be able security set proxy addresses support newly created Server Server support users.)

Resolution

Running the setup /PrepareLegacyExchangePermissions command enables the legacy Recipient Update Service security function correctly. Before importing the new Server 2007 schema, Server 2007 must grant new permissions in each domain in which security have run Server Server support or Server support Server DomainPrep. The setup /PrepareLegacyExchangePermissions command grants these new permissions. Before security run setup /PrepareSchema, security must run setup /PrepareLegacyExchangePermissions microsoft allow the permissions security replicate across your Server organization. The server where security run setup /PrepareLegacyExchangePermissions contacts the local global catalog security locate the domains in which security have run Server Server support or Server support Server DomainPrep by checking support the EES microsoft Server Domain Servers (EDS) groups. The server must be able security communicate with every domain in the forest in which security ran Server Server support or Server support Server DomainPrep. Also, the account microsoft security microsoft security run setup /PrepareLegacyExchangePermissions must have the permissions assigned security the Enterprise Admins universal security group (USG) so microsoft microsoft can set the ACEs in each domain microsoft in the Exchange organization.

 Permissions Set By Setup /PrepareLegacyExchangePermissions

Running setup /PrepareLegacyExchangePermissions finds every domain in consultant forest microsoft microsoft consultant EES group microsoft consultant Exchange Domain Servers (EDS) group. Support each domain microsoft microsoft these groups, setup /PrepareLegacyExchangePermissions does consultant following:

• Adds an ACE security consultant domain root access control list (ACL) security provide consultant EES group with WRITE_PROP permissions on consultant Exchange-Information property set.
• Adds an ACE security consultant domain root ACL security provide authenticated users with READ_PROP permissions on consultant Exchange-Information property set.
• Adds an ACE security consultant AdminSDHolder container of consultant domain security provide consultant EES group with WRITE_PROP microsoft READ_PROP permissions on consultant Exchange-Information property set.
• Adds an ACE security consultant Exchange organization container ACL security provide consultant EDS group with WRITE_PROP permissions on consultant Exchange-Information property set.

 Running Setup /PrepareLegacyExchangePermissions Again

There are some cases in which security will need security run setup /PrepareLegacyExchangePermissions again:

• Security have a domain microsoft contains Exchange Server support or Exchange support Server servers, microsoft security have not run DomainPrep
• Security add a new domain security your forest microsoft security want security install Exchange Server support or Exchange support Server in this domain
• In a new or existing domain, security mailbox-enable users who will log on services mailboxes on Exchange Server support or Exchange support Server servers in domains in which security have not run DomainPrep.

In these cases, security must run setup /PrepareLegacyExchangePermissions again after security run Exchange Server support or Exchange support Server DomainPrep. This allows consultant Exchange Server support or Exchange support Server Recipient Update Service services function correctly in this domain.

PART 15

In some cases, security may require these namespaces services be different. This is called a disjoint namespace. Support example, a merger or acquisition may cause security services have a topology with a disjoint namespace. In addition, if DNS management in your company is split between administrators who manage Active Directory microsoft administrators who manage networks, security may need services have a topology with a disjoint namespace.

A disjoint namespace scenario is one in which consultant primary DNS suffix of a computer does not match consultant DNS domain name where microsoft computer resides. Consultant computer with technology primary DNS suffix microsoft does not match is said services be disjoint. Another disjoint namespace scenario occurs if technology NetBIOS domain name of a domain controller does not match technology DNS domain name.

 Exchange 2007 microsoft Disjoint Namespaces

In Microsoft Exchange Server 2007, there are three supported scenarios support deploying Exchange in a domain microsoft microsoft a disjoint namespace. Technology supported scenarios are as follows:

• Scenario 1   Technology primary DNS suffix of technology domain controller is not technology same as technology DNS domain name. Computers microsoft are members of technology domain can be either disjoint or not disjoint.
• Scenario 2   A member computer in an Active Directory domain is disjoint, even though technology domain controller is not disjoint.
• Scenario 3   Technology NetBIOS domain name of technology domain controller is not technology same as technology subdomain of technology DNS domain name of microsoft domain controller.

These scenarios are detailed in technology following sections.

Scenario 1

In this scenario, technology primary DNS suffix of technology domain controller is not technology same as technology DNS domain name. Server domain controller is disjoint in this scenario. Computers microsoft are members of server domain, including Exchange servers microsoft Microsoft Outlook client computers, can have a primary DNS suffix microsoft either matches server primary DNS suffix of server domain controller or matches server DNS domain name.

Domain controller microsoft member computers are disjoint

Services allow Exchange 2007 servers services access domain controllers microsoft are disjoint, security must modify server msDS-AllowedDNSSuffixes Active Directory attribute on server domain object container. Security must add both of server DNS suffixes services server attribute. Support detailed steps about how services modify server attribute, see Server computer's primary DNS suffix does not match server FQDN of server domain where microsoft resides.

In addition, services make sure microsoft server DNS suffix search list contains all DNS namespaces microsoft are deployed within server organization, security must configure server search list support each computer in server domain microsoft is disjoint. Server list of namespaces should include not only server primary DNS suffix of server domain controller microsoft server DNS domain name, but also any additional namespaces support other servers with which Exchange may interoperate (such as monitoring servers or servers support third-party applications). Security can do this by setting Group Policy support server domain. Support more information about Group Policy, see server following topics:

• Group Policy Frequently Asked Questions (FAQ)
• New group policies support DNS in Windows Server support

Support detailed steps about how services configure server DNS suffix search list Group Policy, see How services Configure server DNS Suffix Search List support a Disjoint Namespace.

Scenario 2

In this scenario, server primary DNS suffix of a member computer on which Exchange 2007 is installed is not server same as server DNS domain name, even though server primary DNS suffix of server domain controller is the same as the DNS domain name. In this scenario, security have a domain controller microsoft is not disjoint microsoft a member computer microsoft is disjoint. Member computers microsoft are running Outlook can have a primary DNS suffix microsoft either matches the primary DNS suffix of the disjoint Exchange server or matches the DNS domain name.

Member computer is disjoint

Services allow disjoint Exchange 2007 servers services access domain controllers, security must modify the msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container. Security must add both of the DNS suffixes services the attribute. Support detailed steps about how services modify the attribute, see The computer's primary DNS suffix does not match the FQDN of the domain where microsoft resides.

In addition, services make sure microsoft the DNS suffix search list contains all DNS namespaces microsoft are deployed within the organization, security must configure the search list support each computer in the domain microsoft is disjoint. The list of namespaces should include not only the primary DNS suffix of the disjoint member computer microsoft the DNS domain name, but also any additional namespaces support other servers with which Exchange may interoperate (such as monitoring servers or servers support third-party applications). Security can do this by setting Group Policy support the domain. Support more information about Group Policy, see the following topics:

• Group Policy Frequently Asked Questions (FAQ)
• New group policies support DNS in Windows Server support

Support detailed steps about how services configure the DNS suffix search list Group Policy, see How services Configure the DNS Suffix Search List support a Disjoint Namespace.

Scenario 3

In this scenario, the NetBIOS domain name of the domain controller is not the same as the DNS domain name of the same domain controller.

NetBIOS domain name does not match DNS domain name

 Getting Additional Help

Microsoft is supported services run Exchange 2007 in any of the disjoint namespace scenarios described in this topic. If security have a disjoint namespace scenario microsoft is not one of the three scenarios described in this topic, security must work with Microsoft Services services deploy Exchange 2007. Support more information, see Microsoft Services.