
Microsoft Exchange Server 2003 Transport and Routing Guide

Microsoft Corporation
Published: December 12, 2006
Author: Exchange Server Documentation Team

Abstract
This guide explains how transport and routing works in Microsoft® Exchange Server 2003, and how you can configure Exchange to enable internal and external mail flow.

Comments? Send feedback to exchdocs@microsoft.com.

Contents
Microsoft Exchange Server 2003 Transport and Routing Guide
Contents
Exchange Server Transport and Routing Guide
Part One
Understanding Routing Components
Types of Routing Components
Understanding Routing Groups
Understanding Connectors
Understanding Link State Information
Understanding SMTP and Exchange Server 2003
How Exchange Server Extends SMTP Functionality
Receiving Internet Mail
Sending Internet Mail
Understanding the SMTP Virtual Server
Misconceptions about Multiple SMTP Virtual Servers
Inbound Mail Settings on the SMTP Virtual Server
Outbound Mail Settings on the SMTP Virtual Server
Setting Relay Restrictions
Configuring Default Relay Restrictions
Understanding SMTP Connectors
Functions of an SMTP Connector
Uses for an SMTP Connector
Transport Dependencies for Exchange Server 2003
Internet Information Services
Active Directory
Domain Name System (DNS)
Recipient Policies
Recipient Update Service
Directory Service to Metabase Service
Part Two
Verifying DNS Design and Configuration
Configuring DNS for Inbound Mail
Configuring DNS for Outbound Mail
For More Information
How to Verify that MX Records Do Not Point to the FQDN of an Exchange Server
Before You Begin
Procedure
How to Verify that MX Records Do Not Point to an Internal Domain
Before You Begin
Procedure
How to Verify that Exchange Servers Can Resolve Internal DNS Names
Before You Begin
Procedure
How to Use Nslookup to Verify MX record configuration
Before You Begin
Procedure
Example
How to Use Telnet to Ensure Internet Accessibility
Before You Begin
Procedure
How to Configure DNS Settings on the Exchange Server
Before You Begin
Procedure
How to Configure Settings on the DNS Server
Before You Begin
Procedure
How to Configure External DNS Servers on an Outbound SMTP Virtual Server
Before You Begin
Procedure
How to Use the DNS Resolver to Verify DNS Configuration
Before You Begin
Procedure
Example
How to Use Nslookup to Verify DNS Configuration
Before You Begin
Procedure
Example
Configuring a Routing Topology
General Planning Considerations
Common Routing Topologies
Centralized Messaging Topology
Distributed Messaging Topology
Defining Routing Groups
Defining Routing Group Connectors and Bridgehead Servers
Connecting Routing Groups
How to Configure the Options for a Routing Group Connector
Before You Begin
Procedure
How to Specify a Remote Bridgehead Server for a Routing Group Connector
Before You Begin
Procedure
Understanding Connector Scope and Restrictions
Using Connector Scope to Restrict Usage
Using Delivery Restrictions to Restrict Usage
How to Enable the Registry Keys for Delivery Restrictions
Before You Begin
Procedure
Designating a Routing Group Master
How to Change Which Server Is the Routing Group Master
Before You Begin
Procedure
Advanced Routing Configuration
Using Connectors for Load Balancing and Failover
Suppressing Link State Traffic for Connectors
How to Create a Routing Group
Before You Begin
Procedure
Deployment Scenarios for Internet Connectivity
Common Deployment Scenarios
Using a Single Exchange Server in Its Default Configuration
Basic Configuration
Inbound Internet Mail
Outbound Internet Mail
Using a Dual-Homed Exchange Server as an Internet Gateway
Basic Configuration
Inbound Internet Mail
Outbound Internet Mail
Using Internet Mail Wizard to Configure a Dual-Homed Exchange Server
Security Considerations
Using a Bridgehead Server Behind a Firewall
Basic Configuration
Inbound Internet Mail
Outbound Internet Mail
Using a Windows SMTP Relay Server in a Perimeter Network
Basic Configuration
Inbound Internet Mail
Outbound Internet Mail
Custom Deployment Scenarios
Using a Network Service Provider to Send and Receive Mail
Supporting Two SMTP Mail Domains and Sharing an SMTP Mail Domain with Another System
Supporting Two SMTP Mail Domains
Sharing an SMTP Mail Domain with Another System
Supporting Additional Mail Systems
How to Enable Address Rewrite by Using the Exarcfg Tool
Before You Begin
Procedure
How to Create a Contact in Active Directory
Before You Begin
Procedure
How to View the Setting that Determines Whether Exchange Server is Authoritative
Before You Begin
Procedure
How to Modify the Default Recipient Policy
Before You Begin
Procedure
How to Create a Higher Priority Recipient with the Shared Mail Domain
Before You Begin
Procedure
How to Modify an Existing Recipient Policy for the SMTP Domain that You Want to Share
Before You Begin
Procedure
How to Create a New Recipient Policy for an SMTP Mail Domain that Does Not Exist on a Recipient Policy
Before You Begin
Procedure
How to Create an SMTP Connector to Route Mail to a Specific Host
Before You Begin
Procedure
How to Share All Address Spaces in Your Exchange Organization
Before You Begin
Procedure
Configuring Cross-Forest SMTP Mail Collaboration
Enabling Cross-Forest Authentication
Enabling Cross-Forest Collaboration by Resolving Anonymous Mail
How to Create the Account Used for Cross-Forest Authentication
Before You Begin
Procedure
How to Configure a Connector and Require Authentication for Cross-Forest Authentication
Before You Begin
Procedure
How to Restrict Access by IP Address on the Receiving Bridgehead Server
Before You Begin
Procedure
How to Configure an SMTP Virtual Server to Resolve Anonymous E-mail Addresses
Before You Begin
Procedure
How to Enable an Exchange Server to Accept Message Extended Properties that Are Sent Anonymously
Before You Begin
Procedure
How to Enable an SMTP Virtual Server to Accept Message Extended Properties that Are Sent Anonymously
Before You Begin
Procedure
How to Configure a Windows Server 2003 Server as a Relay Server or Smart Host
Before You Begin
Procedure
For More Information
Connecting Exchange to the Internet
Using Internet Mail Wizard to Configure Internet Mail Delivery
Configuring a Dual-Homed Server Using the Wizard
How to Use Internet Mail Wizard
Before You Begin
Procedure
How to Load Exchange SMTP Properly
Before You Begin
Procedure
Example
How to Start Internet Mail Wizard
Before You Begin
Procedure
Manually Configuring Your Exchange Server for Internet Mail Delivery
Setting Up Your Exchange Server to Receive Internet Mail
How to Configure the Inbound Port and IP Addresses on the SMTP Virtual Server
Before You Begin
Procedure
How to Verify that Your SMTP Virtual Server Allows Anonymous Access
Before You Begin
Procedure
How to Verify that Recipient Policies Do Not Contain Addresses that Match the FQDN
Before You Begin
Procedure
How to Verify that Users Can Receive E-mail Messages from Other SMTP Domains
Before You Begin
Procedure
How to Configure the Necessary SMTP E-mail Addresses for Your Users
Before You Begin
Procedure
For More Information
How to Verify Relay Restrictions on an SMTP Virtual Server
Before You Begin
Procedure
Configuring Inbound Settings on SMTP Virtual Servers
Setting Up Your Exchange Server to Send Internet Mail
How to Verify that Your Outbound Port Is Set to Use Port 25
Before You Begin
Procedure
How to Allow Anonymous Access on Your Outbound SMTP Virtual Server
Before You Begin
Procedure
How to Create an SMTP Connector
Before You Begin
Procedure
Configuring a Smart Host on a SMTP Virtual Server
Configuring Advanced Settings
How to Specify an Address Space for the Connector
Before You Begin
Procedure
How to Configure Access Controls and Authentication Methods
Before You Begin
Procedure
How to Specify Message Limits
Before You Begin
Procedure
How to Ensure your Exchange Server Does Not Use RTF Exclusively
Before You Begin
Procedure
How to Set Outbound Message Limits on Your SMTP Virtual Server
Before You Begin
Procedure
How to Enable Registry Keys for Delivery Restrictions
Before You Begin
Procedure
How to Set Delivery Restrictions on the SMTP Connector
Before You Begin
Procedure
How to Set a Connector Schedule
Before You Begin
Procedure
How to Set Content Restrictions on an SMTP Connector
Before You Begin
Procedure
How to Specify How Undeliverable Mail is Managed
Before You Begin
Procedure
Part Three
Securing Your Infrastructure
Securing IIS
Using Firewalls
Using Virtual Private Networks
Securing Your Exchange Server
Disabling Open Relaying on All SMTP Virtual Servers
How to Set Restrictions on a User
Before You Begin
Procedure
How to Set Restrictions on a Distribution Group
Before You Begin
Procedure
How to Restrict Submissions to an SMTP Server Based on a Security Group
Before You Begin
Procedure
How to Restrict Relaying Based on a Security Group
Before You Begin
Procedure
Configuring Filtering and Controlling Spam
Connection Filtering
Recipient Filtering
Enabling Recipient Filtering
How to Create a Global Accept List

?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 212 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 212 5o$ to Create a -lobal Den( 3ist))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))219 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 220 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 220 5o$ to Create a Connection 6ilter))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))221 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 222 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 222 5o$ to 8erif( #hat Exchan e 200' is Confi ured to :ot ,esol"e Anon(mous Mail)))))))))))))226 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 226 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 221 5o$ to Confi ure Exchan e 2000 to :ot ,esol"e External Email Addresses))))))))))))))))))))))221 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 222 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 222 5o$ to Create a ,ecipient 6ilter))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 229 ?efore @ou ?e 
in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 229 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 229 5o$ to Appl( a ,ecipient 6ilter to an !M#P 8irtual !er"er))))))))))))))))))))))))))))))))))))))))))))))))))2'1 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2'1 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2'1 5o$ to !pecif( an Exception to a Connection ,ule))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))2'2 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2'2 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2'' 5o$ to Appl( a Connection 6ilter to An !M#P 8irtual !er"er)))))))))))))))))))))))))))))))))))))))))))))))2'7 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2'7 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2'7 Part 6our))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2'. 
#roubleshootin ,outin ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2'6 0sin Cin,oute)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2'6 Common 3in% !tate Problems))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2'6 ?ro%en 3in% !tate Propa ation))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))277 5o$ to ,un ,emonitor)exe as 3ocal !(stem Account in 4nFect Mode)))))))))))))))))))))))))))))))))))276 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 271 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 271 5o$ to !uppress 3in% !tate 4nformation on a !er"er)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))271 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 272

Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 272 6or More 4nformation))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 279 #roubleshootin Mail 6lo$ and !M#P))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))279 0sin the !M#P and =)700 >ueues)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))2.0 5o$ to 0se #elnet to #est !M#P Communication))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))2.1 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2.1 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2.2 6or More 4nformation))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 2.2 5o$ to 8ie$ the Properties of a >ueue))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))260 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 260 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 260 5o$ to 8ie$ Messa es in a >ueue))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))260 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 261 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 261 5o$ to Chec% the !M#P Performance Counters)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))262 ?efore @ou ?e 
in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 262 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 26' 6or More 4nformation))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 26' 5o$ to Enable Messa e #rac%in Center on a !er"er)))))))))))))))))))))))))))))))))))))))))))))))))))))))))261 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 261 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 261 6or More 4nformation))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 262 5o$ to 8ie$ the Application 3o in E"ent 8ie$er)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))262 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 262 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 269 5o$ to 8ie$ the !(stem 3o in E"ent 8ie$er))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))210 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 210 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 210 5o$ to Modif( 3o in !ettin s for M!Exchan e#ransport)))))))))))))))))))))))))))))))))))))))))))))))))211 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 211 
Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 211 5o$ to !et 3o in at the Debu 3e"el for the !M#P Protocol)))))))))))))))))))))))))))))))))))))))))))21' ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 21' Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 21' 5o$ to Enable 3o in at the Debu 3e"el for the Messa e Cate oriAer)))))))))))))))))))))))))))21' ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 217

Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 217 #roubleshootin :onDDeli"er( ,eport Messa es)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))217 #ools for #roubleshootin :D,s)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))21. #roubleshootin !trate ies and #ips))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))216 Determinin Possible Causes of an :D,))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))216 0sin E"ent 3o s)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 291 0sin ,e trace))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 291 5o$ to Enable re trace)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 292 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 292 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) 292 8erif(in the ,eEuired Acti"e Director( Attributes)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))297 5o$ the ,ecipient 0pdate !er"ice 0pdates Attributes))))))))))))))))))))))))))))))))))))))))))))))))))))))292 Common :onDDeli"er( ,eport !cenarios)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))'00 4ssues $ith Acti"e Director())))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '00 Dela(ed Messa e Deli"er( Due to -lobal Catalo !er"er 4ssues)))))))))))))))))))))))))))))))))))))'02 :onDDeli"er( ,eports Chen !endin to Personal Address ?oo% and Contact 3ist)))))))))))'07 !endin Messa es to a Public 
6older)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))'0. 5o$ to Determine the Expansion !er"er for a Distribution -roup))))))))))))))))))))))))))))))))))))))))'01 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '01 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '01 5o$ to Correct Missin Attribute 4ssues)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))'02 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '09 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '09 5o$ to !pecif( a -lobal Catalo !er"er)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))'09 ?efore @ou ?e in)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '10 Procedure)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '10 Additional :D, ,eference)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '12 Part 6i"e))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '17 0nderstandin 4nternal #ransport Components))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))'1. 
,ecei"in 4nternet Mail)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '16 !endin 4nternet Mail)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '11 Ad"anced 3in% !tate Concepts))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '12 3in% !tate Components)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '19 0nderstandin the /r 4nfo Pac%et)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))'19

0nderstandin /r 4nfo Pac%et Details)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))'20 !er"er !er"ices and ,outin :odes)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))'27 ,outin 0pdates))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '2. MaFor 0pdates))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '2. Minor 0pdates))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '26 0ser 0pdates)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '26 ,outin #opolo ( 0pdate Communications))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))'26 Director( 0pdates to ,outin -roup Masters))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))'21 ,outin -roup Master 0pdates to ,outin -roup Members)))))))))))))))))))))))))))))))))))))))))))))''2 5o$ 0pdates Are Communicated in an !M#P Con"ersation))))))))))))))))))))))))))))))))))))))))))))''6 !M#P Commands and Definitions)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '72 !M#P Commands))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '72 E"ent !in%s))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '77 Common Ports 0sed b( Exchan e)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))'7. Cop(ri ht)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) '71


Exchange Server Transport and Routing Guide


Microsoft® Exchange servers use Simple Mail Transfer Protocol (SMTP) to communicate with each other and to send messages. SMTP is part of the Microsoft Windows Server™ 2003 or Windows® 2000 Server operating system. The Exchange Server Transport and Routing Guide discusses basic components of transport and routing, explains how SMTP works in Exchange Server 2003, provides information on configuring a routing topology, discusses deployment scenarios, suggests ways to help secure your infrastructure, and offers troubleshooting tips.

Note: Download Microsoft Exchange Server 2003 Transport and Routing Guide to print or read offline.

Part One

Together, message routing and transport are responsible for message delivery internally and externally. Message routing is the way that messages flow between servers within the organization and to other servers outside of the organization. Your routing topology, based on the routing groups and connectors that you define, dictates the path that these messages take to reach their final destination. Transport determines the way that messages are processed and delivered.

Simple Mail Transfer Protocol (SMTP) is the transport protocol that Microsoft® Exchange servers use to communicate with each other and to send messages using the routing topology. SMTP is part of the Microsoft Windows Server™ 2003 or Microsoft Windows® 2000 Server operating system. When you install Exchange on a server running Windows Server 2003 or Windows 2000 Server, Exchange extends SMTP to support additional SMTP commands for additional functionality. This functionality includes the ability to communicate the link state status (information about and costs of available messaging routes) and other Exchange functionality.

Part 1 contains the following topics:

- Understanding Routing Components: Explains how routing groups, connectors, and link state information function to enable efficient message delivery.
- Understanding SMTP and Exchange Server 2003: Provides a detailed overview of SMTP, including how SMTP works in Exchange Server 2003, and explains the process of sending and receiving Internet mail.
- Transport Dependencies for Exchange Server 2003: Describes the components on which SMTP depends and discusses each component’s interaction with SMTP.

Understanding Routing Components

Routing determines how messages flow between servers within your Microsoft® Exchange organization and to users outside of your organization. For internal and external message delivery, Exchange uses routing to determine first the most efficient path and then the least expensive and available path for message delivery. Internal routing components make this determination based on the routing groups and connectors that you configure and the address spaces and costs that are associated with each path.

Routing is responsible for the following functions:

- Determining the next hop (the next destination for a message en route to its final destination) based on the most efficient path.
- Exchanging link state information (the status and availability of servers and connections between servers) within routing groups and between routing groups.

This topic explains how routing groups, connectors, and link state information enable efficient message delivery.

Types of Routing Components

Routing components make up the topology and the routes that are used to deliver mail internally and externally. Routing relies on the following components that you define within your routing topology:

- Routing groups: Logical collections of servers that are used to control mail flow and public folder referrals. Routing groups share one or more physical connections. Within a routing group, all servers communicate and transfer messages directly to one another.
- Connectors: Designated paths between routing groups, to the Internet, or to another mail system. Each connector specifies a one-way path to another destination.
- Link state information: Information about routing groups, connectors, and their configurations that is used by routing to determine the most efficient delivery path for a message.
- Internal routing components: Internal routing components, in particular, the routing engine, that provide and update the routing topology for Exchange servers within your organization. For more information about internal routing components, see Understanding Internal Transport Components.

Understanding Routing Groups

In its default state, Exchange Server 2003, like Exchange 2000 Server, functions as though all servers in an organization are part of a single, large routing group. Therefore, any Exchange server can send mail directly to any other Exchange server within the organization. However, in environments with special administrative requirements, varying network connectivity and geographical distribution, you can increase message flow efficiency by creating routing groups and routing group connectors in accordance with your network infrastructure and administrative requirements.

By creating routing groups and routing group connectors, servers within a routing group still send messages directly to each other, but they use the routing group connector on those servers with the best network connectivity to communicate with servers in another group. For more information about the creation of routing groups and the considerations involved, see Deployment Scenarios for Internet Connectivity.

Using Routing Groups in Native Mode or Mixed Mode

In Exchange Server 2003 and Exchange 2000 Server, the administrative and routing functions are divided into different units:

- Administrative groups define the logical administrative boundary for Exchange servers.
- Routing groups define the physical routes that messages travel over the network.

If your Exchange organization is in native mode, where all servers are running Exchange 2000 Server or later, this division between administrative groups and routing groups enables you to create routing groups that span administrative groups and move servers between routing groups that exist in different administrative groups. This functionality also allows you to separate routing and administrative functions. For example, you can administer servers in two central administrative groups, placing servers from each administrative group in different routing groups, based on your network topology and usage requirements.

However, the functionality of routing groups in a mixed-mode environment, where some servers are running Exchange Server 2003 or Exchange 2000 Server while others are running Exchange Server 5.5, is different than in native mode. In mixed mode, you:

- Cannot have a routing group that spans multiple administrative groups.
- Cannot move servers between routing groups that exist in different administrative groups.

This situation exists because the routing topology in Exchange Server 5.5 is defined by sites (logical combinations of servers connected by a high-bandwidth reliable network). Sites provide the functionality of both the administrative group and routing group in Exchange Server 2003 and Exchange 2000 Server. This difference in routing topology limits the functionality of routing groups in a mixed-mode environment.

Understanding Connectors

Connectors provide a one-way path for message flow to a specific destination. The primary connectors in Exchange Server 2003 are:

- Routing group connectors: Routing group connectors provide a one-way path through which messages are routed from servers in one routing group to servers in a different routing group. Routing group connectors use a Simple Mail Transfer Protocol (SMTP) connection to enable communication to servers in the connected routing group. Routing group connectors are the preferred method of connecting routing groups.
- SMTP connectors: SMTP connectors are used to define isolated paths for mail that is destined for the Internet or an external address or non-Exchange mail system. Using the SMTP connector to connect routing groups is neither recommended nor preferred. SMTP connectors are designed for external mail delivery.
- X.400 connectors: X.400 connectors are designed primarily to connect Exchange servers with other X.400 systems or servers running Exchange Server version 5.5 outside of the Exchange organization. An Exchange Server 2003 server can then send messages using the X.400 protocol over this connector.

Important: X.400 connectors are only available in Exchange Server 2003 Enterprise Edition.

Each connector has an associated cost and address space or a connected routing group that is designated as the destination point for the connector. When determining the most efficient route for a message, Exchange’s routing logic first examines the address space or connected routing group defined on each connector to find the destination that most closely matches the message’s destination, and then routing evaluates the cost that is associated with each connector. Routing only uses costs when the defined address space or connected routing groups are the same on two connectors. The following section explains how Exchange uses this information.

Understanding Link State Information

Exchange Server 5.5 relied on the Gateway Address Routing Table (GWART) to determine route selection within an Exchange organization. This method uses a distance vector routing algorithm, which can be susceptible to routing loops in certain situations. Exchange Server 2003, like Exchange 2000 Server, uses a link state routing algorithm and a routing protocol to propagate link state information in the form of a link state table that is stored in memory on all Exchange 2000 Server and Exchange Server 2003 servers in the organization.

A link state algorithm provides the following advantages:

- Each Exchange server can select the optimum message route at the source instead of sending messages along a route where a link (or path) is unavailable.
- Messages no longer bounce back and forth between servers because each Exchange server has current information about whether alternate or redundant routes are available.
- Message looping no longer occurs.

The link state table contains information about the routing topology of the entire Exchange organization and whether each connector within the topology is available (up) or unavailable (down). Additionally, the link state table contains costs and address spaces associated with each available connector. Exchange uses this information to determine the route with the lowest cost for the destination address. If a connector along the lowest cost route is unavailable, Exchange determines the best alternate route, based on cost and connector availability. Between routing groups, link state information is communicated dynamically by using the extended SMTP verb, X-LINK2STATE.

Using Link State Information for Internal Mail Delivery

To understand how link state information and connector costs work, consider a routing topology, in which four routing groups exist: Seattle, Brussels, London, and Tokyo. The connectors exist between each routing group and are assigned costs based on the network speed and available bandwidth.

[Figure: Routing topology and costs]

If all connections between the routing groups are available, a server in the Seattle routing group always sends a message to the Brussels routing group by sending the message first through the London routing group. This route has a cost of 20, the lowest cost route available. But, if the bridgehead server in London is unavailable, messages originating in Seattle and destined for Brussels travel through the Tokyo routing group, which has a higher cost of 35.

An important concept to understand is that for a connector to be marked as unavailable, all bridgehead servers for this connector must be down. If you have configured your routing group connector to use the default option of Any local server can send mail over this connector, the routing group connector is always considered in service. For more information about configuring routing group connectors, see "Connecting Routing Groups" in Defining Routing Groups.
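The route selection described above, as an added Python example that is not part of the guide or of Exchange. The per-connector costs (10, 10, 20, 15) and the server names are constructed so that the two routes total 20 and 35 as in the text, and Dijkstra's algorithm stands in for the routing engine, whose internals this section does not describe.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Connector:
    src: str                         # routing group the connector leaves from
    dst: str                         # connected routing group (one-way path)
    cost: int
    bridgeheads: tuple = ()          # bridgehead servers designated for this connector
    any_local_server: bool = False   # "Any local server can send mail over this connector"


def connector_up(conn, down_servers):
    """A connector is marked unavailable only when all of its bridgeheads are down."""
    if conn.any_local_server:
        return True                  # always considered in service
    return any(b not in down_servers for b in conn.bridgeheads)


def link_state_table(connectors, down_servers=frozenset()):
    """One row per connector: (source, destination, cost, up/down)."""
    return [(c.src, c.dst, c.cost, connector_up(c, down_servers)) for c in connectors]


def lowest_cost_route(table, source, dest):
    """Return (total cost, path) over connectors marked up, or None if no route exists."""
    graph = {}
    for src, dst, cost, up in table:
        if up:
            graph.setdefault(src, []).append((dst, cost))
    heap = [(0, [source])]
    settled = set()
    while heap:
        total, path = heapq.heappop(heap)
        group = path[-1]
        if group == dest:
            return total, path
        if group in settled:
            continue
        settled.add(group)
        for nxt, cost in graph.get(group, []):
            if nxt not in settled:
                heapq.heappush(heap, (total + cost, path + [nxt]))
    return None


def topology(london_bridgeheads=("LON-BH1",), any_local_server=False):
    """Constructed topology; costs and server names are assumptions."""
    return [
        Connector("Seattle", "London", 10, london_bridgeheads, any_local_server),
        Connector("London", "Brussels", 10, ("BRU-BH1",)),
        Connector("Seattle", "Tokyo", 20, ("TOK-BH1",)),
        Connector("Tokyo", "Brussels", 15, ("BRU-BH1",)),
    ]


def route(down_servers=(), **kwargs):
    """Lowest-cost Seattle -> Brussels route given a set of servers that are down."""
    table = link_state_table(topology(**kwargs), frozenset(down_servers))
    return lowest_cost_route(table, "Seattle", "Brussels")


if __name__ == "__main__":
    print("all up:                  ", route())
    print("London bridgehead down:  ", route(["LON-BH1"]))
    print("one of two bridgeheads:  ", route(["LON-BH1"], london_bridgeheads=("LON-BH1", "LON-BH2")))
    print("any local server option: ", route(["LON-BH1"], any_local_server=True))
```

The last case shows the operational consequence of the default option: the link state table keeps reporting the London connector as up, so the route does not move to Tokyo even though the server is down.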

Using Link State Information for External Mail Delivery

For external mail delivery, routing uses the information in the link state table to first evaluate the connector with the address space that most closely matches the destination, and then routing evaluates the cost. The following diagram illustrates a company with the following topology:

- One SMTP connector with an address space of *.net and a cost of 20.
- One SMTP connector with an address space of *, encompassing all external addresses and a cost of 10.

[Figure: How Exchange uses address space to route mail]

In this topology, when mail is sent to an external user with an e-mail address of ted@treyresearch.net, routing first looks for a connector with an address space that most closely matches the destination of treyresearch.net. The SMTP connector with the address space of *.net most closely matches the destination, so routing uses this connector regardless of cost. However, if mail is sent to an external user with an address of adam@contoso.com, routing uses the SMTP connector with the address space of * because it is the closest match. Routing does not evaluate cost.

If two SMTP connectors exist and both have an address space of * but each have different costs, routing uses the information in the link state table and selects the SMTP connector with the lowest cost. Routing only uses the connector with the higher cost if the lower cost connector is unavailable.

Note: For more information about link information and how it is propagated, see Advanced Link State Concepts.

Routing does not fail over from a connector with a specific address space to a connector with a less specific address space. In the scenario above, if all users can use both connectors and a user attempts to send mail to a user at treyresearch.net, routing views the connector with the .net address space as its destination. If this connector is not in service or is unavailable, routing does not attempt to find a connector with a different, less restrictive address space such as * because it considers this a different destination.

However, in this same topology, assume that restrictions exist on the connector with the *.net address space, and the restriction permits only users of the sales department to send through this connector. In this situation, if this connector is not in service, routing will not reroute mail that is sent by a user in the sales department and destined to a .net address through the connector with the * address. Mail queues until the connector with the *.net address becomes available. However, users outside of the sales department are never affected when this connector becomes unavailable because their mail is always routed through the SMTP connector with the * address space.
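The selection rules in this section (closest address space first, cost only between connectors with the same address space, no failover to a less specific address space, delivery restrictions applied per sender) can be checked with the following added Python example, which is not code from the guide or from Exchange. The connector names, the use of a department string to stand for the sender, and the "no-connector" result are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class SmtpConnector:
    name: str                              # hypothetical connector name
    address_space: str                     # "*", "*.net", or an exact domain
    cost: int
    up: bool = True
    allowed_departments: frozenset = None  # None = no delivery restriction

    def allows(self, department):
        return self.allowed_departments is None or department in self.allowed_departments


def matches(address_space, domain):
    """True if the recipient domain falls inside the connector's address space."""
    if address_space == "*":
        return True
    if address_space.startswith("*."):
        suffix = address_space[2:]
        return domain == suffix or domain.endswith("." + suffix)
    return domain == address_space


def specificity(address_space):
    """Rank address spaces: "*" lowest, longer suffixes higher, exact domains highest."""
    if address_space == "*":
        return (0, 0)
    if address_space.startswith("*."):
        return (address_space[2:].count(".") + 1, 0)
    return (address_space.count(".") + 1, 1)


def select_connector(connectors, sender_department, recipient):
    """Return ("send", name), ("queue", address_space) or ("no-connector", None)."""
    domain = recipient.rsplit("@", 1)[1].lower()
    # Only connectors this sender may use and that cover the destination are candidates.
    usable = [c for c in connectors
              if c.allows(sender_department) and matches(c.address_space.lower(), domain)]
    if not usable:
        return ("no-connector", None)
    # The closest address space is the destination; less specific ones are ignored.
    closest = max(specificity(c.address_space) for c in usable)
    same_space = [c for c in usable if specificity(c.address_space) == closest]
    in_service = [c for c in same_space if c.up]
    if not in_service:
        return ("queue", same_space[0].address_space)   # no failover to "*"
    # Cost is compared only among connectors that share the same address space.
    return ("send", min(in_service, key=lambda c: c.cost).name)


def page_topology(net_up=True, net_restricted_to=None):
    """The two connectors from the text: *.net at cost 20 and * at cost 10."""
    return [
        SmtpConnector("net-connector", "*.net", 20, net_up, net_restricted_to),
        SmtpConnector("all-connector", "*", 10),
    ]


if __name__ == "__main__":
    sales_only = frozenset({"sales"})
    print(select_connector(page_topology(), "hr", "ted@treyresearch.net"))
    print(select_connector(page_topology(), "hr", "adam@contoso.com"))
    print(select_connector(page_topology(net_up=False), "hr", "ted@treyresearch.net"))
    print(select_connector(page_topology(False, sales_only), "sales", "ted@treyresearch.net"))
    print(select_connector(page_topology(False, sales_only), "hr", "ted@treyresearch.net"))
```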

Understanding SMTP and Exchange Server 2003


Before configuring your Exchange Server organization to send and receive mail, you should have a good understanding of how Simple Mail Transfer Protocol (SMTP) enables message flow in Microsoft® Exchange Server 2003. Exchange Server 2003 uses SMTP to deliver internal mail between Exchange servers and routing groups. Similarly, Exchange Server 2003 uses SMTP to deliver Internet mail outside the Exchange organization. SMTP is the Internet standard for transporting and delivering electronic messages. Based on specifications in Request For Comments (RFC) 2821 and RFC 2822, the Microsoft SMTP service is included in Microsoft Windows® 2000 Server and Windows Server™ 2003. The Windows SMTP service is a component of Internet Information Services (IIS) and runs as part of Inetinfo.exe. Exchange Server 2003 relies on the Windows SMTP service as its native transport protocol; therefore, Exchange uses SMTP to route all internal and external messages.


How Exchange Server Extends SMTP Functionality


When Exchange Server is installed, it extends the underlying SMTP functionality by:

- Moving management of the SMTP service (by means of SMTP virtual servers) from the IIS administrative console to Exchange System Manager.
- Implementing support for link state information. Exchange uses link state information to determine the best method for sending messages between servers, based on the current status of messaging connectivity and cost, and the associated expense of the route that you define based on your topology.
- Extending SMTP to support the command verbs that are used to support link state routing and other Exchange functionality. The following commands are added when Exchange is installed:
  - X-EXPS GSSAPI
  - X-EXPS=LOGIN
  - X-EXCH50
  - X-LINK2STATE

  Note: For a list of all the SMTP commands and their definitions, see SMTP Commands and Definitions.
- Setting up an Exchange Installable File System (IFS) store driver to allow message retrieval from and delivery to the Exchange store.
- Setting the disk location where messages are queued to \exchsrv\mailroot\vs 1\queue. This is the location of the first SMTP virtual server on the Exchange server. If you add a second SMTP virtual server, Exchange creates an additional location (\exchsrv\mailroot\vs 2\queue).
- Implementing support for advanced queuing. Exchange enhances the queuing capabilities of Windows 2000 and Windows Server 2003. The advanced queuing engine handles underlying transport functions in Exchange.
- Enhancing message categorization. Message categorization is a process performed by the message categorizer, a component of the advanced queuing engine. The categorizer sends Lightweight Directory Access Protocol (LDAP) queries to the global catalog server to retrieve user and configuration information stored in Microsoft Active Directory® directory service. The message categorizer retrieves recipient policy information and Exchange virtual server information to enable message delivery. It uses this information to validate the recipient address, to verify that message limits are not exceeded, and ultimately to determine how the message is delivered using Exchange routing and SMTP.

An important concept to understand about SMTP and Exchange 2000 Server and later versions is the interaction among Exchange, Active Directory, and the IIS metabase. With Exchange System Manager, any configuration changes you make (such as to your recipient policies and SMTP virtual servers) are written to Active Directory, allowing for easy and remote administration. However, because the SMTP service reads its settings from the IIS metabase, the DS2MB service, which is a component of Exchange System Attendant, replicates this information from Active Directory into the local server's IIS metabase.

Receiving Internet Mail


If the following conditions exist, Exchange Server 2003 is able to receive Internet mail in its default configuration:

- There is a constant connection to the Internet.

  Note: Dial-up connections to the Internet require special configuration. For more information about dial-up connections, see How to Set a Connector Schedule.
- The external Domain Name System (DNS) servers for your domain must have mail exchanger (MX) resource records pointing to your mail servers, or, if you are using an Internet service provider (ISP) or an external system, this external system must have an MX record for your domain and a mechanism to forward mail to your Exchange servers.
- Your mail server must be accessible to other servers on the Internet. If you are using an ISP or external system to receive your mail, this external system must be able to contact your Exchange servers to deliver your mail.
- Your recipient policies must be configured correctly. To receive Internet mail, you must configure a recipient policy that contains an address space matching the SMTP domain. Also, your Exchange organization must be responsible for delivering mail to this address (this is the default setting). For example, to accept Internet mail for ted@example.com, you must have a recipient policy that contains @example.com. However, there are some exceptions to this rule.

Inbound Internet mail flows through an Exchange server in the following manner:

1. The sending SMTP server queries DNS to locate the IP address of the recipient's SMTP mail server.
2. The sending SMTP server then initiates a conversation on the recipient's SMTP server (on port 25). On an Exchange gateway, the recipient's SMTP server is the SMTP virtual server that is configured to accept inbound Internet mail.
3. Ideally, the inbound SMTP server only accepts the incoming message if it is destined for a recipient of its SMTP mail domain. These recipients are defined in the recipient policies (unless the server is open to relay, which is strongly discouraged).

   Note: If you leave your system open for relay, unauthorized users can use your servers to send mail to external addresses. As a result, your system may be block listed, a process that blocks mail from servers that are suspected of sending unsolicited commercial e-mail (spam).
4. When the message is accepted, the SMTP virtual server uses the transport mechanisms within Exchange to determine the method for delivering the message. Exchange locates the recipient in Active Directory and determines which server in the Exchange organization will deliver the message.
5. Finally, the SMTP virtual server uses its internal transport mechanisms to deliver the message to the appropriate Exchange server.

Sending Internet Mail


Assuming there is a constant Internet connection, Exchange sends Internet mail by the following methods:

- It uses DNS directly to contact the remote mail server.
- It routes mail through a smart host that assumes responsibility for DNS name resolution and mail delivery.

Before each of these methods is described in detail, you should have a general understanding of how outbound mail flows in an Exchange organization. Outbound Internet mail flows through an Exchange Server 2003 server in the following manner:

1. An internal user sends a message to a recipient in a remote domain.
2. To determine if the recipient is local or remote, the SMTP virtual server on the sender's Exchange server uses internal transport functions to query the global catalog server for the recipient address. If the recipient address on the message is not in a recipient policy, it is not stored in Active Directory; therefore, Exchange determines that the message is destined for a remote domain.
3. If necessary, the Exchange server delivers the message to the appropriate SMTP virtual server.
4. The SMTP virtual server uses its IIS metabase information to determine the method for delivering a message to a remote domain.
5. The SMTP virtual server on the Exchange server then performs one of two actions:
   - Uses DNS to look up the IP address for the target domain, and then attempts to deliver the message.
   - Forwards the message to a smart host that assumes responsibility for the DNS resolution and delivery of the message.

Understanding the SMTP Virtual Server


SMTP virtual servers provide the Exchange mechanisms for managing SMTP. Each SMTP virtual server represents an instance of the SMTP service running on the Exchange server. You use Exchange System Manager to configure SMTP virtual servers that control the behavior of SMTP. Essentially, an SMTP virtual server is an SMTP protocol stack (a process or server that both receives e-mail messages and acts as a client for sending e-mail messages). Each SMTP virtual server represents an instance of the SMTP service on a server. An SMTP virtual server is defined by a unique combination of an IP address and port number. The default SMTP virtual server uses all available IP addresses on the server and uses port 25 for inbound connections. A single physical server can host many virtual servers. You use Exchange System Manager to control most of the SMTP settings. The property settings of the SMTP virtual server control inbound mail and, to a lesser degree, outbound mail settings.

Important: Because an SMTP virtual server plays a critical role in mail delivery, use caution when you modify its property settings. For example, the default SMTP virtual server sends messages within a routing group. Additionally, if the server is a domain controller, Active Directory uses this virtual server for SMTP directory replication. Therefore, instead of modifying the default SMTP virtual server, it is recommended that you either create an additional SMTP virtual server or create an SMTP connector to override the default virtual server settings.

Misconceptions about Multiple SMTP Virtual Servers


A common misunderstanding is that creating multiple SMTP virtual servers on a single Exchange server increases throughput. It is important to understand that each SMTP virtual server is multithreaded. Creating additional SMTP virtual servers on a single Exchange server does not increase performance and introduces complexity in your Exchange organization. An example of a case in which multiple SMTP virtual servers are required is a dual-homed server configuration. For most other scenarios, using the default SMTP virtual server with its default settings is generally sufficient.

Inbound Mail Settings on the SMTP Virtual Server


You can use the virtual server's property settings to configure the following inbound settings:

- Inbound ports and IP addresses: The SMTP virtual server listens on its assigned IP address for incoming communications and accepts inbound connections on its assigned port. To configure these settings, use the General tab of the SMTP virtual server's properties.

  Important: The SMTP service defines port 25 as its standard port. Do not change this setting.

  Note: Upon installation in its initial configuration, the default virtual server connects to the remote SMTP server on port 25 to send outbound mail. This is a separate setting from the inbound port setting. To configure this setting, use the Outbound Connections button on the Delivery tab.
- Relay restrictions: To prevent unauthorized users from using your server to send messages to external addresses, use the Relay button on the Access tab. By default, the default SMTP virtual server relays messages only for authenticated users.
- Restrict submission and relay permissions to specific users and groups: In Exchange Server 2003, you can limit who can submit mail to an SMTP virtual server by using Relay and Authentication buttons on the Access tab.
- Security: You can require Transport Layer Security (TLS), an implementation of Secure Sockets Layer (SSL), on incoming connections.

You can also configure other settings such as inbound connection restrictions, performance tuning, and handling of delivery reports notifications.

Outbound Mail Settings on the SMTP Virtual Server


If you want your SMTP virtual server to send mail directly to the Internet, you can configure outbound mail settings. Specifically, you can configure your virtual server to use an external DNS server to resolve external addresses and send mail directly to mail servers outside of your organization.


Important: Because an SMTP virtual server plays a critical role in mail delivery, use caution when modifying its property settings. For example, the default SMTP virtual server sends messages within a routing group. Additionally, if the server is a domain controller, Active Directory uses this virtual server for SMTP directory replication. Therefore, instead of modifying the default SMTP virtual server, it is recommended that you either create an additional SMTP virtual server or create an SMTP connector to override the default virtual server settings.

In many instances, it is preferable (but not required) to set up an SMTP connector to handle outbound mail. For more information about SMTP connectors, see Understanding SMTP Connectors.

Note: If you use an SMTP connector, it overrides some of the outbound mail settings and controls for outbound mail delivery.

To control outbound delivery on your virtual server, you can configure the following settings:

- Outbound port
- Outbound restrictions
- Outbound delivery options
- Outbound security
- Performance tuning
- Notification of delivery reports

For more information about how to configure these settings, see "Configuring Outbound Settings on SMTP Virtual Servers" in Connecting Exchange to the Internet.

Setting Relay Restrictions


Relaying is the ability to forward mail to domains other than your own. More specifically, relaying occurs when an inbound connection to your SMTP server is used to send e-mail messages to external domains. By default, your Exchange server accepts mail submitted by internal or authenticated users and sends it to an external domain. If your server is open for relaying, or if relaying is unsecured on your server, unauthorized users can use your server to send unsolicited commercial e-mail (spam). Therefore, to secure your SMTP virtual server, it is crucial that you set relay restrictions. It is important to understand the difference between authenticated relaying and anonymous or open relaying:

- Authenticated relaying: Authenticated relaying allows your internal users to send mail to domains outside of your Exchange organization, but requires authentication before the mail is sent. By default, Exchange allows only authenticated relaying.
- Anonymous relaying: Anonymous relaying allows any user to connect to your Exchange server and use it to send mail outside your Exchange organization.

The following examples demonstrate how Exchange Server 2003 accepts and relays mail by using authenticated relaying:

- An anonymous user connects to the SMTP virtual server and attempts to deliver mail to an internal user in the Exchange organization. In this situation, the SMTP virtual server accepts the message because it is destined for an internal domain and because the user exists in Active Directory.
- An anonymous user connects to the SMTP virtual server and attempts to deliver mail to an external user in an external domain. In this situation, the SMTP virtual server rejects the mail because it is destined for an external domain for which the Exchange server is not responsible. Because the user is not authenticated, the SMTP virtual server does not relay this mail outside of the Exchange organization.
- A user connects to the SMTP virtual server using a Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) client (for example, Microsoft Outlook® Express), authenticates, and then attempts to send a message to a user in an external domain. In this situation, the e-mail client connects directly to the SMTP virtual server and authenticates the user. Although the message is destined for a remote domain, the SMTP virtual server accepts and relays this mail because the user is authenticated.

By using the relay control features of Exchange Server 2003, you can prevent third parties from relaying mail through your server. Relay control allows you to specify a list of incoming remote IP address and subnet mask pairs that have permission to relay mail through your server. Exchange checks an incoming SMTP client's IP address against the list of IP networks that are allowed to relay mail. If the client is not allowed to relay mail, only mail that is addressed to local recipients is allowed. You can also implement relay control by domain. However, this approach requires the implementation of reverse DNS resolution, which is controlled at the SMTP virtual server level.
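The three relay scenarios and the IP address and subnet mask list described above can be expressed as a small decision function, with an audit helper that flags the settings that turn a server into an open relay. This is an added sketch, not Exchange code: `RelayPolicy`, `decide`, `audit`, the domain and all addresses are constructed for illustration, and the Active Directory recipient lookup is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class RelayPolicy:
    local_domains: FrozenSet[str]                       # domains the server is responsible for
    relay_networks: Tuple[Tuple[str, str], ...] = ()    # (IP address, subnet mask) pairs
    relay_authenticated: bool = True                    # the default described in the text
    relay_anyone: bool = False                          # anonymous (open) relaying


def _networks(policy: RelayPolicy) -> List[ipaddress.IPv4Network]:
    # strict=False tolerates an address with host bits set, e.g. 192.168.10.1/255.255.255.0
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for addr, mask in policy.relay_networks]


def decide(policy: RelayPolicy, client_ip: str, authenticated: bool, recipient: str) -> str:
    """Classify one RCPT: accept-local, relay-*, or reject."""
    domain = recipient.rsplit("@", 1)[1].lower()
    if domain in policy.local_domains:
        return "accept-local"            # inbound mail for our own domain is not relaying
    if policy.relay_anyone:
        return "relay-open"
    if authenticated and policy.relay_authenticated:
        return "relay-authenticated"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in _networks(policy)):
        return "relay-ip"
    return "reject"


def audit(policy: RelayPolicy) -> List[str]:
    """Return findings for settings that permit relaying by unauthorized users."""
    findings = []
    if policy.relay_anyone:
        findings.append("anonymous relaying is enabled")
    for net in _networks(policy):
        if net.prefixlen == 0:
            findings.append(f"relay network {net} matches every client address")
    return findings


# Constructed sample policies.
DEFAULT = RelayPolicy(
    local_domains=frozenset({"example.com"}),
    relay_networks=(("192.168.10.0", "255.255.255.0"),),
)
MISCONFIGURED = RelayPolicy(
    local_domains=frozenset({"example.com"}),
    relay_networks=(("0.0.0.0", "0.0.0.0"),),
    relay_anyone=True,
)

if __name__ == "__main__":
    print(decide(DEFAULT, "203.0.113.9", False, "ted@example.com"))
    print(decide(DEFAULT, "203.0.113.9", False, "adam@contoso.com"))
    print(audit(MISCONFIGURED))
```

Note that a single address and mask pair of 0.0.0.0 and 0.0.0.0 is equivalent to open relaying even when anonymous relaying is switched off, which is why the audit reports it separately.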

Configuring Default Relay Restrictions


By default, the SMTP virtual server allows relaying only from authenticated users. This configuration is designed to prevent unauthorized users from using your Exchange server to relay mail. The virtual server's default configuration allows only authenticated computers to relay mail.

[Figure: Default relay restrictions]

Unsolicited commercial e-mail generally comes from a spoofed or forged address and is often relayed by using a server that is not secured for relay. For this reason, by default Exchange Server 2003 allows only authenticated users to relay. Be cautious when changing this setting: many Internet providers block servers that allow open relaying.

Understanding SMTP Connectors


SMTP connectors are used primarily to connect to other mail systems or to define additional options for an SMTP Internet gateway. SMTP connectors can also be used to connect a routing group to another routing group internally, but an SMTP connector is generally not recommended for doing so. Essentially, SMTP connectors allow you to designate an isolated route for messages to flow either to a specific domain or over the Internet. One advantage to using an SMTP connector is that you can specify additional configuration settings to affect mail delivery. These settings include:

Outbound mail delivery

When you configure a connector, you can route mail in one of two ways:

- Use DNS to route all outgoing mail through the connector. If you use DNS to route outgoing mail, the SMTP connector uses DNS to resolve the IP address of the remote SMTP server, and then it delivers the mail.
- Specify a smart host (another server to which the connector routes all mail). The smart host takes responsibility for DNS resolution and delivers the mail.

Local bridgehead servers

An SMTP virtual server hosts a connector. When you create a connector, you designate at least one Exchange server and SMTP virtual server as bridgehead servers. The connector inherits size restrictions and other settings from the SMTP virtual server; however, you can override these settings on the connector. You can also designate multiple bridgehead servers for load balancing, performance, and redundancy.

Address space

The address space defines the mail addresses or domains for the e-mail messages that you want to route through a connector. For example, an address space of * (asterisk) encompasses all external domains; this connector is used to route all external e-mail. If you created a second connector with an address space of *.net, Exchange would route all mail sent to a domain with a .net extension through the second connector. This action occurs because Exchange selects the connector that has the most similar address space. This setting is configured on the Address tab of the SMTP connector's properties.

Scope

You can select either an entire organization or a routing group for the connector's scope. The scope is also defined on the Address tab of the SMTP connector's properties.

Delivery restrictions

You can restrict who can send mail through a connector. By default, mail is accepted from everyone. These settings are configured on the Delivery tab of the SMTP connector's properties.

Note: By default, you cannot restrict mail unless you change the registry key settings. If you choose to enable delivery restriction, be aware that restricting delivery is extremely processor-intensive and can negatively affect server performance. For more information about how to enable delivery restrictions, see How to Set Delivery Restrictions on the SMTP Connector.

Content restrictions

You can specify what types of messages are delivered through a connector. These settings are configured on the Content Restrictions tab of the SMTP connector's properties.

Delivery options


If you connect to a network service provider to retrieve your mail, you can configure a connector to run on a specified schedule and implement advanced queuing and dequeuing features. These settings are configured on the Delivery Options tab of the SMTP connector's properties.

SMTP communication

You can control how the connector uses SMTP to communicate with other SMTP servers. Specifically, you can specify whether the connector uses SMTP or Extended Simple Mail Transfer Protocol (ESMTP) commands to initiate a conversation with another server and control the use of the ETRN and TURN commands (these commands are used to request that another SMTP server send any e-mail messages that it has). These settings are configured on the Advanced tab of the SMTP connector's properties.

Outbound security

You can also ensure that any mail that flows through the connector is authenticated. This is useful if you want to establish a secure route for communicating with a partner company. With this setting, you can establish an authentication method and require TLS encryption. All of these settings are configured by using the Outbound Security button on the Advanced tab of the SMTP connector's properties.

Functions of an SMTP Connector


SMTP relies on DNS to determine the IP address of its next destination server. To send mail directly to an external mail server, an SMTP connector must use DNS to resolve external domain names. Alternatively, the connector can simply forward mail to a smart host that assumes responsibility for DNS name resolution and delivery.

After you set up an SMTP connector, as long as the destination address matches the address space that is configured on the SMTP connector, the servers no longer route the mail directly; instead, the servers route the mail through the SMTP connector. (These servers are called either gateway or bridgehead servers.)

To illustrate this point, assume that you want all external mail routed through a connector to a bridgehead server, which is the only server that communicates with the Internet. To configure this, create a connector on the bridgehead server with an address space of * (asterisk), which specifies all external domains. When e-mail is sent to an external domain, Exchange automatically routes it to this connector, rather than an SMTP virtual server sending the external mail directly. If you have more than one connector, Exchange first attempts to route mail through the connector that has the most similar address space (which is the most restrictive address space).


Note: In a mixed-mode environment, if you have an Exchange Server version 5.5 Internet Mail Connector, Exchange Server 2003 treats this connector as a valid route. If you experience problems sending or receiving Internet e-mail messages, check the MTA queues on the Exchange Server 5.5 server and the X.400 queues on the Exchange Server 2003 server. Exchange Server 2003 uses the MTA to communicate with earlier versions of Exchange.

Uses for an SMTP Connector


Because of Exchange Server 2003 virtual server functionality, it is not necessary to create an SMTP connector to allow for mail flow, to connect it to other servers in an Exchange organization, or to connect it to the Internet. Furthermore, you do not need a connector if all of your Exchange Server 2003 servers connect to the Internet and successfully perform Domain Name System (DNS) lookups for Internet addresses. However, although it is not essential for Internet mail delivery, the benefits of using an SMTP connector are that it:

- Provides simplified administration.
- Provides limited exposure to the Internet.
- Establishes an isolated route for communicating with another domain or another mail system.
- Routes mail to another mail system or relays mail to another domain.
- Allows multiple bridgehead servers for load balancing.
- Allows you to control how SMTP is used to communicate with other servers.
- Permits scheduled connection times with customized settings.

The following sections provide detailed information about each of these benefits. For more information about SMTP connectors, see Microsoft Knowledge Base article 294736, "When to Create SMTP Connectors in Exchange 2000 and Later."

Simplify Administration of Mail Flow

An SMTP connector provides more administrative control over how Internet mail flows out of your organization. You can use an SMTP connector, or a set of connectors, to limit the available routes for outgoing Internet mail. Also, because you need only check the SMTP queues and other configurations on a single server, using a single server as a bridgehead server simplifies troubleshooting.

Limit Internet Exposure

One of the primary benefits of creating an SMTP connector is that you can route all inbound or outbound external SMTP mail through a particular server or set of bridgehead servers. By designating an isolated route for Internet mail that uses a connector, you limit your Exchange organization's exposure to the Internet. To use an SMTP connector to route Internet mail, specify one server or a set of servers as your gateway to the Internet, create an SMTP connector, and then designate those servers as the source bridgehead servers of the connector.

Isolate a Route for Communicating with Other Domains

You can also use an SMTP connector to establish an isolated route for communicating with other domains. This approach can be useful when you want to use secure communications with a particular company. In previous versions of Exchange, you can configure settings per e-mail domain. Although these options are not available in Exchange Server 2003, you can create multiple SMTP connectors, set address spaces for these connectors, and then specify the settings that you want for those domains.

For example, suppose you want to use SSL to secure all e-mail messages that are sent to the military, but you do not want to use SSL for other e-mail communications. To achieve this outcome, you need two SMTP connectors:

- One with an address space of SMTP:*.mil
- One with an address space of SMTP:*

Because Exchange routes all mail through the connector that most closely matches the address space, all mail that is destined for the .mil domain initially tries to pass through the *.mil connector. You can specify that the *.mil connector send mail to only one server (a smart host), and that it use SSL and require authentication. Because routing considers *.mil and * as two separate destinations, if the *.mil connector is unavailable, mail queues until the connector becomes available. Mail does not reroute through the SMTP connector that uses the * address space.

Load Balance with Multiple Bridgehead Servers

When you have a single connector that is hosted by multiple bridgehead servers, the servers using the connector randomly select the bridgehead server that they use, thereby load balancing requests across the bridgehead servers. The situation is different if you have multiple connectors with the same address space, each with a single bridgehead server. The servers that use these connectors use a method based on the server GUID to determine which of the available connectors they will use. The algorithm may not evenly distribute the server selections across the available connectors. So, to achieve load balancing, it is recommended that you use a single connector sourced to multiple bridgehead servers.

Use Specific SMTP or ESMTP Commands

You can use a connector to control how your Exchange servers use SMTP to communicate with other servers. To initiate SMTP sessions, you can choose whether your server uses the ESMTP commands or SMTP commands, and you can control what type of commands your server issues. When you configure an SMTP connection, the following communication options are available:

- Send or do not send server-side or client-side ETRN/TURN commands.

  TURN is an SMTP command that allows the client and server to switch roles and send mail in the reverse direction without having to establish a new connection. ETRN is an ESMTP command that is sent by an SMTP server to request that another server send any e-mail messages it has. You can use these commands if you depend on a network service provider to hold your mail for you and deliver it upon request.
- Request ETRN/TURN from specific servers.
- Send HELO (an SMTP command) instead of EHLO (an ESMTP command).

  HELO is an SMTP command that is sent by a client to identify itself, usually with a domain name; EHLO is an ESMTP command with which a server identifies its support for ESMTP commands.

Schedule and Customize Outbound Connections

You can use a connector to open an outbound connection at specified times. This functionality is helpful if you use a network service provider to deliver your outbound mail, or if you have limited bandwidth and want to control when external mail is sent. You can also configure a connector to:

- Allow high, normal, or low message priorities for a domain.
- Allow system or non-system messages.
- Use different delivery times for oversized messages.
- Queue mail for remote triggered delivery.
- Set specific delivery restrictions.

Transport Dependencies for Exchange Server 2003


To function properly, Simple Mail Transfer Protocol (SMTP) depends on the following components:

- Internet Information Services (IIS), a feature in Microsoft® Windows Server™ 2003
- Microsoft Active Directory® directory service
- Domain Name System (DNS)
- Recipient policies
- Recipient update service
- Directory service to metabase service (DS2MB)

This topic provides detailed information about each of these components and how they interact with SMTP.

Internet Information Services


Internet Information Services (IIS) provides a framework process for Internet services such as the World Wide Web Publishing Service (W3SVC), SMTP service (SMTPSVC), and Network News Transfer Protocol service (NntpSvc). Do not confuse IIS with Web services because several other services, such as SMTP, depend on IIS to function. The installation of IIS provides:

- The framework process known as the IIS Admin Service (IISADMIN), which allows for the administration of services through the IIS snap-in.
- Administrative consoles or snap-ins for the Microsoft Management Console (MMC).
- The IIS metabase, which is the configuration repository for IIS.
- Common files, which are shared libraries that provide socket connection pooling, registration, and management of these Internet services.

Microsoft Exchange 2000 Server and Exchange Server 2003 setup requires that the World Wide Web Publishing Service, SMTP service, and NNTP service be installed. This prerequisite ensures that all the necessary components are installed prior to the installation of Exchange. Exchange leverages the core SMTP service through an event infrastructure. (For more information about event infrastructures, see the MSDN® Web site.)

After Exchange is installed, the SMTP service is dependent only on the IIS Admin Service. You can disable the World Wide Web Publishing Service without affecting the SMTP service; however, you cannot use the Add/Remove Windows Component option in Add or Remove Programs to disable the IIS Admin Service or to remove the IIS component entirely.

Installing IIS creates several virtual directories under the World Wide Web Publishing Service that are not required for any Exchange component, including Microsoft Outlook® Web Access. To help secure IIS, Microsoft provides the following tools:

- URLScan version 2.5 for Windows Server 2003

  URLScan version 2.5 is a security tool that restricts the types of HTTP requests that IIS will process. To increase security on your server that is running Windows Server 2003, run URLScan. You can download URLScan from the Microsoft Download Center. For more information about URLScan, see Microsoft Knowledge Base article 823175, "Fine-Tuning and Known Issues When You Use the Urlscan Utility in an Exchange 2003 Environment."

3,

44! 3oc%do$n CiAard for Cindo$s& 2000 !er"er

44! 3oc%do$n CiAard is a securit( tool that remo"es unnecessar( "irtual directories, enhances file securit(, and processes realDtime 0,3 reEuests a ainst userDdefined confi urations) #o increase protection in the unli%el( e"ent that the Corld Cide Ceb Publishin !er"ice is started in error, if (ou are runnin Exchan e on Cindo$s 2000 ser"ers, (ou should deplo( the 44! 3oc%do$n CiAard on e"er( Exchan e ser"er and domain controller) @ou can do$nload the 44! 3oc%do$n CiAard from the Microsoft Do$nload Center) 6or more information about usin the 44! 3oc%do$n CiAard, see J0sin 44! 3oc%do$n CiAard on Cindo$s 2000 !er"erJ in !ecurin @our 4nfrastructure)

Active Directory

Exchange Server 2003 is tightly integrated with Windows 2000 and Windows Server 2003 and with Active Directory. Exchange Server 2003 stores all of its configuration information in Active Directory, including information about recipient policies, routing and connector configuration, SMTP virtual server configuration, user mailboxes, and much more. However, SMTP reads its settings from the IIS metabase. Therefore, to supply IIS with the information that it needs for SMTP functionality, Microsoft Exchange System Attendant (a service in the Exchange Default Services) replicates the configuration information from Active Directory to the IIS metabase.

Additionally, routing depends on Active Directory for information about the current routing topology. On startup, each Exchange server reads information from Active Directory about the routing topology, such as the existing connector configuration, routing groups, and local and remote bridgehead servers. If an object such as a routing group or connector is corrupt, it is not read from Active Directory. When this occurs, servers then have an incomplete topology view. Monitor for event 929 in the Event Viewer to detect this situation. For more information about Event Viewer, see How to View the Application Log in Event Viewer and How to View the System Log in Event Viewer.

After startup, the routing group master (the server that is responsible for maintaining and communicating information about the routing topology in its routing group) in each routing group registers with Active Directory and is notified by the configuration domain controller of major routing version changes. When a routing group master receives an update to the routing topology, it sends the updated information to all member servers in its routing group and notifies all bridgehead servers in remote routing groups. These bridgehead servers then notify their respective routing group masters.

Additionally, the categorizer, an internal transport component, accesses a cached version of information in Active Directory using DSAccess or by querying Active Directory directly using the LDAP queries. For more information about the categorizer, see Understanding Internal Transport Components.

Domain Name System (DNS)

Although a complete analysis and discussion of DNS is beyond the scope of this guide, this section provides information about the relationship between DNS and SMTP in Exchange. Because Exchange Server 2003 relies on DNS for name resolution, DNS plays a crucial role in Internet mail flow. SMTP depends on DNS to determine the Internet Protocol (IP) address of its next internal or external destination server. Generally, internal DNS names are not published on the Internet. Therefore, SMTP must be able to contact a DNS server that can resolve external DNS names to send Internet mail, as well as a DNS server that can resolve internal DNS names for delivery within the organization.

For information about how to configure DNS for sending and receiving mail, see Verifying DNS Design and Configuration. The following sections provide a general overview of DNS queries and an explanation of the role that DNS plays in sending and receiving mail.

How External DNS Queries Work

When a DNS client needs to resolve the name of a server, it queries the DNS servers. Each query that the client sends essentially asks the DNS server to provide the information. The client specifies the query type, which can either indicate a resource record by type or a specialized type of query operation. For example, to find SMTP mail servers from the Internet, specify the query type MX (mail exchanger resource record).

For example, the name that is specified could be an external domain, such as example.microsoft.com., and the query type that is specified to look for could be an MX record by that name. Think of a DNS query as a client asking a server a two-part question: First, "Do you have any MX resource records for a domain named 'example.microsoft.com.'?" followed by "If so, can you resolve this MX record to an A (host) record and resolve its IP address?" When the client receives an answer from the server, it reads and interprets the MX record and gets the A record, thereby resolving the computer's IP address.

Querying a DNS Server

When the DNS server receives a query, the server first checks to see if it can answer the query authoritatively, based on MX record information that is contained in a locally configured zone on the server. If the queried name matches a corresponding MX record in the local zone, the server answers authoritatively and uses this information to resolve the queried name.

If no zone information exists for the queried name, the server then checks to see if it can resolve the name by using locally cached information from previous queries. If a match is found, the server answers with this information. Again, if the preferred server can provide the requesting client with a positive matched response from its cache, the query is completed.

If no zone or cached information exists for the queried name, the query process uses recursion to fully resolve the name. Recursion is the process in which a DNS server queries other DNS servers on behalf of the requesting client to fully resolve the name, and then sends an answer back to the client. By default, the DNS Client service requires that the server use recursion to fully resolve names on behalf of the client before returning an answer. In most cases, the DNS server is configured (by default) to support the recursion process.

[Figure: How DNS resolves a query for an MX record and finds the IP address]

For more information about DNS, see the Windows 2000 or Windows Server 2003 Help.

Role of DNS in Sending and Receiving Internal Mail

Windows 2000 and Windows Server 2003 both register the fully qualified domain name (FQDN) of each server with dynamic DNS. Your Exchange server and your SMTP virtual servers also use the FQDN. If you change the FQDN that your SMTP virtual server uses, be sure to add a record for this FQDN into DNS manually.

Role of DNS in Receiving Internet Mail

To receive Internet mail, your external DNS servers must have an MX record pointing to an A record that contains the IP address of your mail servers, or a server that can forward mail to your mail servers. To ensure that your MX records are configured correctly, you can use the Nslookup tool. To verify that your server is accessible on port 25 to other servers on the Internet, you can use telnet.

Using DNS to Send Internet Mail

When you use DNS, the most important thing to remember is that all servers in the DNS search order must be able to resolve external domains (also referred to as Internet domains). Because it is likely you will use internal servers for internal name resolution, you have three possible setup options:

- Set up your internal DNS servers as caching servers that use root hints for Internet domains. Root hints point to DNS servers that are authoritative for the zone containing the domain root and top-level domains. Root hints help DNS servers locate the correct server to resolve a domain name.
- Set up the internal DNS servers with forwarders to external DNS servers. A forwarder is a DNS server that is designated by an internal server to be used for resolving external DNS names. (To set up a forwarder, in the DNS console, select the DNS server. On the Action menu, click Properties, click the Forwarders tab, and then select the Enable forwarders check box. Add IP addresses for other DNS servers that act as forwarders for this server.)
- Configure the SMTP service to use external DNS servers. To configure an external DNS server, right-click your SMTP virtual server, click Properties, and then click the Delivery tab. Click Advanced, and then click Configure to set up an external DNS server.

For example, consider that an internal client in the domain example.com sends a message to a recipient in the remote domain contoso.com. To route the message, Exchange uses DNS to resolve the IP address of the SMTP server in the Contoso domain and deliver the message to the recipient at contoso.com.

[Figure: How Exchange uses DNS to resolve external IP addresses]

The following sequence also explains how Exchange uses DNS to resolve an external IP address:

1. After the SMTP server in the domain example.com receives the message that is destined for the recipient at contoso.com, the SMTP virtual server contacts the appropriate DNS server and sends an MX query for the external domain of contoso.com.
2. The DNS server locates an A record that is associated with the MX record for contoso.com, and then uses that A record to determine the IP address. For more information about how the DNS server locates the A record, see "Querying a DNS Server" earlier in this chapter.
3. The DNS server returns the IP address of 112.234.234.23 for the mail server in contoso.com to the SMTP virtual server.
4. The SMTP virtual server opens a connection on port 25 of the remote SMTP server at the IP address of 112.234.234.23 and delivers the mail.

Forwarding Internet Mail to a Smart Host

A smart host is a server or mail process that handles the delivery of Internet mail. A smart host does not have to be an Exchange server; it can be any SMTP process or server that takes the responsibility of delivering mail, either by sending it to another SMTP server or by using DNS to deliver the mail directly. In scenarios where there is a persistent connection to the Internet, a smart host is not required. However, often the smart host is an antivirus scanner or a Windows 2000 or Windows Server 2003 SMTP service that is in a perimeter network.

Using a smart host for DNS resolution is similar to using a DNS server, except that the smart host assumes the responsibility of resolving the IP address and sending the mail.

For more information about how to configure the Windows 2000 SMTP service in a perimeter network, see Microsoft Knowledge Base article 293800, "XCON: How to Set Up Windows 2000 as a SMTP Relay Server or Smart Host." For more information about how to set up Exchange behind Microsoft Internet Security and Acceleration (ISA) Server, see the technical article Microsoft ISA Server 2000 – Configuring and Securing Exchange 2000 Server and Clients.

Recipient Policies

A recipient policy establishes the default e-mail addresses that use a specific protocol (such as SMTP) for a set of users. E-mail addresses are used to define the valid formats for addressing inbound e-mail messages to the Exchange system. The default recipient policy sets the mail domain for which the virtual server accepts incoming e-mail messages. It specifies the default SMTP and X.400 addresses for all Exchange Server 2003-based, mailbox-enabled objects.

Any SMTP domains that are specified in the recipient policies are replicated into the IIS metabase and set as authoritative local domains. As a result, SMTP accepts inbound mail for these domains. The only time that an SMTP address is not considered local is when you clear the This Exchange Organization is responsible for all mail delivery to this address check box in SMTP Address Properties while adding the address to the recipient policy.

A recipient policy can contain more than one e-mail address for a specified protocol (such as SMTP or X.400). For example, if all users in your Exchange organization have an external e-mail address of @example.com, but you want all your Seattle users to have two external mail addresses (one with @example.com, and another with an e-mail address of @seattle.example.com), you can set up a recipient policy for all users in your Seattle office and add an additional address of @seattle.example.com. To achieve this result, perform the following procedure.

For more information about Recipient Policies, see Connecting Exchange to the Internet and "Managing Recipients and Recipient Policies in Exchange Server 2003" in the Exchange Server 2003 Administration Guide.

Recipient Update Service

The Recipient Update Service is part of the Microsoft Exchange System Attendant service (MSExchangeSA) that monitors Active Directory for new recipients and writes the appropriate e-mail address and other Exchange properties for the user in Active Directory. The Recipient Update service uses the information that is defined in recipient policies to update Active Directory with the correct user information for the recipients that are included in each recipient policy.

You must have a Recipient Update Service for each domain in your organization. In large organizations, multiple recipient update services are recommended. Consider having a recipient update service for each Active Directory site. Otherwise, replication of new recipients and their updated information can take up to thirty minutes in a simple replication topology. Until this replication is complete, these recipients are unable to send or receive mail.

Directory Service to Metabase Service

DS2MB service (directory service to metabase service), a component of the Exchange System Attendant service, is responsible for propagating information from Active Directory into the IIS metabase. DS2MB is critical to the operation of SMTP, Internet Message Access Protocol 4 (IMAP4), Post Office Protocol 3 (POP3), and the World Wide Web Publishing Service (W3SVC), which is the service for Microsoft Outlook® Web Access. DS2MB replicates the following information from Active Directory into the IIS metabase:

- SMTP virtual servers and most of their configurable properties.
- SMTP connector address spaces so that the metabase for the advanced queuing engine routes messages properly.
- Authoritative domains from the recipient policies (replicated to the SMTPSVC/x/Domain subkey and used by the advanced queuing engine).

At startup, DS2MB checks all objects that it has replicated in the past, as well as for any changes since the last replication. If DS2MB detects that no replication has previously occurred, it initializes and replicates all objects. After startup, DS2MB registers with the configuration domain controller so that the domain controller notifies DS2MB if any changes are made to the Exchange configuration and deleted objects container. As a result, almost as soon as a change is replicated to the configuration domain controller, DS2MB replicates that object to the metabase.

If DS2MB experiences problems, it logs an event with an ID of 1040. If this occurs, increase diagnostic logging to level 5 for MSExchangeMU, the metabase update service. You can turn on diagnostic logging in Exchange System Manager by right-clicking your Exchange server, clicking Properties, clicking the Diagnostic Logging tab, and selecting MSExchangeMU under Services. For more information about this procedure, see How to Modify Logging Settings for MSExchangeTransport.

Part Two

Part 2 explains the factors that you should consider and the procedures that are involved in configuring mail flow within your organization. It contains the following sections:

Verifying DNS Design and Configuration
This section explains how to verify that DNS is correctly configured for internal and external name resolution. Additionally, this section explains how to verify that other servers on the Internet can find your mail server and deliver mail to your organization.

Configuring a Routing Topology
This section presents common routing topologies. Also, this section explains how to define and configure routing groups and routing group connectors and how to designate a routing group master.

Deployment Scenarios for Internet Connectivity
This section presents common and custom scenarios that are used by organizations to connect to the Internet.

Connecting Exchange to the Internet
This section guides you through the process of connecting to the Internet and configuring your organization to send and receive Internet mail.

Verifying DNS Design and Configuration

Before you can verify your DNS configuration, ensure that your DNS design conforms to the following conditions:

- Each domain controller runs DNS.
- Existing recursive name resolution is used as configured for the organization. If no method is in place, use root hints on all servers.

The following table shows the preferred method of configuring DNS. Several other valid configurations exist. However, the configuration in the table is the preferred method. The table also shows how to configure the zone for each Exchange domain.

Preferred DNS configuration

    Design element      Design
    Zone type           Active Directory-integrated
    Dynamic updates     Secure dynamic updates only
    Scavenging          Enabled

When SMTP queries DNS, it always queries for MX records first. If an internal MX record exists and/or it is incorrectly configured, your internal mail delivery may not work.

For detailed steps about how to verify that MX Records do not point to the FQDN of an Exchange Server, see How to Verify that MX Records Do Not Point to the FQDN of an Exchange Server. For detailed steps about how to verify that MX Records do not point to an internal domain, see How to Verify that MX Records Do Not Point to an Internal Domain.

Configuring DNS for Inbound Mail

DNS plays a vital role in Internet mail delivery. To receive Internet mail, the following settings are necessary:

- A mail exchanger (MX) record for your mail server must exist on your external DNS server. You can use the Nslookup tool to determine if your MX records are configured correctly. Ensure that the mail servers you use as bridgehead servers or Internet mail servers have an MX record on your external DNS servers.
- For external DNS servers to resolve your mail server's MX record and contact your mail server, your mail server must be accessible from the Internet. You can use the telnet program to determine if other servers can access your mail server.
- Your Exchange Server must be configured to contact a DNS server or to resolve DNS names.
- Your DNS server must be configured correctly.

Note: It is recommended, although not required, that you use the DNS Server service in Microsoft Windows® 2000 or Windows Server 2003. The guidelines in the topics listed in the For More Information section apply to the DNS Server service in Windows 2000 and Windows Server 2003.

For detailed steps about how to use Nslookup to verify MX record configuration, see How to Use Nslookup to Verify MX record configuration. For detailed steps about how to use Telnet to ensure Internet accessibility, see How to Use Telnet to Ensure Internet Accessibility.

Configuring DNS for Outbound Mail

You can use one of two methods to configure DNS for outbound mail:

- You can configure Exchange Server to rely on your internal DNS servers. These servers resolve external names on their own, or use a forwarder to an external DNS server. Exchange Server relies on your DNS servers to resolve domain names. Generally, you configure your Exchange Servers as DNS clients of your internal DNS server. On your internal DNS server, configure an external forwarder to point to trusted external DNS servers.
- You can configure Exchange Server to use a dedicated external DNS server.

For detailed steps about how to configure DNS settings on the Exchange Server, see How to Configure DNS Settings on the Exchange Server. For detailed steps about how to configure settings on the DNS server, see How to Configure Settings on the DNS Server. For detailed steps about how to configure external DNS servers on an outbound SMTP virtual server, see How to Configure External DNS Servers on an Outbound SMTP Virtual Server. For detailed steps about how to use the DNS Resolver to verify DNS configuration, see How to Use the DNS Resolver to Verify DNS Configuration. For detailed steps about how to use Nslookup to verify DNS configuration, see How to Use Nslookup to Verify DNS Configuration.

For More Information

The following topics explain how to verify each of these settings.

- How to Verify that MX Records Do Not Point to the FQDN of an Exchange Server
- How to Verify that MX Records Do Not Point to an Internal Domain
- How to Verify that Exchange Servers Can Resolve Internal DNS Names
- How to Use Nslookup to Verify MX record configuration
- How to Use Telnet to Ensure Internet Accessibility
- How to Configure DNS Settings on the Exchange Server
- How to Configure Settings on the DNS Server
- How to Configure External DNS Servers on an Outbound SMTP Virtual Server
- How to Use the DNS Resolver to Verify DNS Configuration
- How to Use Nslookup to Verify DNS Configuration

How to Verify that MX Records Do Not Point to the FQDN of an Exchange Server

When SMTP queries DNS, it always queries for MX records first. If an internal MX record exists and/or it is incorrectly configured, your internal mail delivery may not work.

Before You Begin

Before you perform the procedure in this topic, read Verifying DNS Design and Configuration.

Procedure

To verify that MX records do not point to the FQDN of an Exchange Server

1. At a command prompt, type nslookup, and then press ENTER.
2. Type server <IP address>, where IP address is the IP address of your internal DNS server.
3. Type set q=mx, and then press ENTER.
4. Type <fqdn>, where fqdn is the fully qualified name of your SMTP virtual server (and your Exchange server), and then press ENTER.
5. Verify that no MX records exist for your internal server. Your results should look similar to the following:

    > set q=mx
    > server1.example.local
    example.local
            primary name server = server01.example.local
            responsible mail addr = hostmaster.example.local
            serial = 225703
            refresh = 900 (15 mins)
            retry = 600 (10 mins)
            expire = 86400 (1 day)
            default TTL = 3600 (1 hour)

How to Verify that MX Records Do Not Point to an Internal Domain

When SMTP queries DNS, it always queries for MX records first. If an internal MX record exists and/or it is incorrectly configured, your internal mail delivery may not work.

Before You Begin

Before you perform the procedure in this topic, read Verifying DNS Design and Configuration.

Procedure

To verify that MX records do not point to an internal domain

1. At a command prompt, type nslookup, and then press ENTER.
2. Type server <IP address>, where IP address is the IP address of your internal DNS server.
3. Type set q=a, and then press ENTER.
4. Type <fqdn>, where fqdn is the fully qualified name of your SMTP virtual server (and your Exchange server), and then press ENTER.
5. Verify that the results that are returned match the IP address of the machine. On a multihomed computer, the IP address should match the IP address of the SMTP virtual server (except in the case of a single virtual server with an IP address of "All unassigned"). Your results should look similar to the following:

    > set q=a
    > server1.example.local
    Name:    server1.example.local
    Address:  192.168.1.10

If the only result returned is the correct A record, internal name resolution should succeed. If there are no records, or if an MX record is returned and points to the wrong FQDN or IP address, other servers may be unable to send mail to this Exchange server.

How to Verify that Exchange Servers Can Resolve Internal DNS Names

When SMTP queries DNS, it always queries for MX records first. If an internal MX record exists and/or it is incorrectly configured, your internal mail delivery may not work.

Before You Begin

Before you perform the procedure in this topic, read Verifying DNS Design and Configuration.

The SMTP DNS Diagnostic Tool is available for use on Exchange Servers running Microsoft® Windows® Server™ 2003. The SMTP DNS Diagnostic Tool simulates the internal code path of the SMTP service and generates diagnostic messages that indicate how DNS resolution is proceeding. Run the SMTP DNS Diagnostic Tool on the computer for which you want to verify DNS configuration. Your path should include %WINDIR%\System32\Inetsrv so that the tool works. The SMTP DNS Diagnostic Tool is included with the Windows Server 2003 Resource Kit Tools and you can download it from the Windows Server 2003 Resource Kit Tools Web page.

Procedure

How to verify that Exchange Servers can resolve internal DNS names

1. On your Exchange Server, open a command prompt, navigate to the following directory and type the following:

    <drive letter>:\WINDOWS\system32\inetsrv

2. Type the following:

    dnsdiag <internal host name> -v

   Where internal host name is the fully qualified domain name of another Exchange Server in your organization.
3. Verify that the correct IP address of the Exchange Server is returned. Your output should look similar to the following:

    QNAME = example.microsoft.com
    Type = MX (0xf)
    Flags = UDP default, TCP on truncation (0x0)
    Protocol = UDP
    DNS Servers: (DNS cache will not be used)
    172.16.1.101
    Connected to DNS 172.16.1.101 over UDP/IP.
    Received DNS Response:
    ----------------------
    Error: 9501
    Description: No records could be located for this name
    These records were received:
    microsoft.com SOA
    Querying via DNSAPI:
    --------------------
    QNAME = example.microsoft.com
    Type = A (0x1)
    Flags = DNS_QUERY_TREAT_AS_FQDN, (0x1000)
    Protocol = Default UDP, TCP on truncation
    Servers: (DNS cache will be used)
    Default DNS servers on box.
    Received DNS Response:
    ----------------------
    Error: 0
    Description: Success
    These records were received:
    example.microsoft.com A 172.16.1.10
    1 A record(s) found for example.microsoft.com
    Target hostnames and IP addresses
    ---------------------------------
    HostName: "example.microsoft.com"
    172.16.1.10

How to Use Nslookup to Verify MX record configuration

If you are running Exchange Server on a Windows 2000 Server, you can use the Nslookup tool on the mail server that accepts Internet mail to verify that your MX records are configured correctly.

Before You Begin

Before you perform the procedure in this topic, read Verifying DNS Design and Configuration.

Procedure

How to use Nslookup to verify MX record configuration

1. At a command prompt, type nslookup, and then press ENTER.
2. Type server <IP address>, where IP address is the IP address of your external DNS server.
3. Type set q=MX, and then press ENTER.
4. Type <domain name>, where domain name is the name of your domain, and then press ENTER. The MX record for the domain you entered should be displayed. If the MX record is not displayed, DNS is not configured properly.

Example

The example below shows how MX records appear for the fictitious domain, example.com.

    C:\> nslookup
    Default Server:  pdc.corp.example.com
    Address:  192.168.6.13

    > server 172.31.01.01
    Default Server:  dns1.example.com
    Address:  10.107.1.7

    > set q=mx
    > example.com.
    Server:  dns1.example.com
    Address:  172.31.01.01

    example.com     MX preference = 10, mail exchanger = mail1.example.com
    example.com     MX preference = 10, mail exchanger = mail2.example.com
    example.com     MX preference = 10, mail exchanger = mail3.example.com
    example.com     MX preference = 10, mail exchanger = mail4.example.com
    example.com     MX preference = 10, mail exchanger = mail5.example.com
    mail1.example.com       internet address = 172.31.31.01
    mail2.example.com       internet address = 172.31.31.02
    mail3.example.com       internet address = 172.31.31.03
    mail4.example.com       internet address = 172.31.31.04
    mail5.example.com       internet address = 172.31.31.05

In this example, the preconfigured DNS server is behind a proxy server. Therefore, an external or Internet DNS server with a known IP address of 172.31.01.01 was used to perform the query. Next, the query type was set to MX to locate the mail exchangers for example.com. In this example, five SMTP servers are equally balanced, each with its own IP address. However, your domain might only have a single entry, as seen in the following example:

    contoso.com     MX preference = 10, mail exchanger = mailbox.contoso.com
    mailbox.contoso.com     internet address = 10.57.22.3
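The MX checks from this procedure and from the internal-domain procedure earlier, automated as an added example that is not part of the original guide: the Python code below parses nslookup `set q=mx` output and reports MX targets that have no A record, that sit in an internal namespace, or that resolve to addresses Internet senders cannot reach. The function names, the `internal_suffixes` parameter, and both sample outputs are constructed for illustration.

```python
import ipaddress
import re

# Ranges that Internet senders can never reach (RFC 1918, loopback, link-local).
UNREACHABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Line shapes printed by nslookup after "set q=mx".
MX_RE = re.compile(r"^\S+\s+MX preference = (?P<pref>\d+), "
                   r"mail exchanger = (?P<host>\S+)$")
A_RE = re.compile(r"^(?P<host>\S+)\s+internet address = (?P<ip>\S+)$")

# Constructed sample output: a healthy external zone.
SAMPLE_OK = """\
example.com     MX preference = 10, mail exchanger = mail1.example.com
example.com     MX preference = 20, mail exchanger = mail2.example.com
mail1.example.com       internet address = 203.0.113.10
mail2.example.com       internet address = 203.0.113.11
"""

# Constructed sample output: three distinct misconfigurations.
SAMPLE_BAD = """\
example.com     MX preference = 10, mail exchanger = mail1.example.com
example.com     MX preference = 20, mail exchanger = server1.example.local
example.com     MX preference = 30, mail exchanger = mail3.example.com
mail1.example.com       internet address = 10.1.2.3
server1.example.local   internet address = 203.0.113.12
"""


def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_nslookup_mx(text):
    """Return (sorted [(preference, host)], {host: [ip, ...]}) from the output."""
    mx, addrs = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = MX_RE.match(line)
        if m:
            mx.append((int(m["pref"]), _norm(m["host"])))
            continue
        m = A_RE.match(line)
        if m:
            addrs.setdefault(_norm(m["host"]), []).append(m["ip"])
    return sorted(mx), addrs


def audit_mx(text, internal_suffixes=()):
    """Return a list of findings; an empty list means the MX set looks sane."""
    mx, addrs = parse_nslookup_mx(text)
    if not mx:
        return ["no MX record returned for the queried name"]
    suffixes = [_norm(s) for s in internal_suffixes]
    findings = []
    for _pref, host in mx:
        if any(host == s or host.endswith("." + s) for s in suffixes):
            findings.append(f"{host}: MX target is in an internal namespace")
        ips = addrs.get(host, [])
        if not ips:
            findings.append(f"{host}: no A record returned for MX target")
        for ip in ips:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append(f"{host}: unparseable address {ip!r}")
                continue
            if any(addr in net for net in UNREACHABLE_NETS):
                findings.append(
                    f"{host}: {ip} is not reachable from the Internet")
    return findings


if __name__ == "__main__":
    for finding in audit_mx(SAMPLE_BAD, internal_suffixes=("example.local",)):
        print(finding)
```

Run it against output captured from your external DNS server; output from an internal server will legitimately contain private addresses.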

How to Use Telnet to Ensure Internet Accessibility

If servers on the Internet cannot reach your mail server, you cannot receive Internet mail. You can use telnet to verify that your mail server is accessible by other servers on the Internet.

After you verify that your MX records are set up correctly, you can then verify that other servers on the Internet can access your Exchange Server. To verify that other servers on the Internet can access your Exchange Server, from a location outside of your intranet, use telnet to connect to your mail server on port 25. To validate connectivity when you connect, you must use a computer that has direct access to the Internet. If the server has multiple network interface cards (NICs) or IP addresses, you must use telnet to connect to the Internet-facing IP address.

Before You Begin

Before you perform the procedure in this topic, read Verifying DNS Design and Configuration.

Procedure

To verify that your server is accessible on the Internet

1. At a command prompt, type telnet <your mail server> 25, and then press ENTER.
2. Verify that you receive a response similar to the following, which shows the results of a telnet session to the mail server for Contoso, mailbox.contoso.com.

    C:\> telnet mailbox.contoso.com 25
    220 corp.contoso.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.1600 ready at Tue, 5 Sep 2002 11:52:36 -0400
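The same port 25 check in scriptable form, as an added example that is not part of the original guide: the Python code below connects to a mail server, reads the SMTP greeting (including multi-line greetings), and reports whether the server answered with a 220 reply. The function names and the sample greetings are constructed for illustration; run `check_smtp` from a host outside your intranet, as the procedure requires.

```python
import socket

MAX_GREETING = 8192  # refuse to buffer an unbounded greeting

# Constructed sample greetings (not captured from a real server).
SAMPLE_SINGLE = b"220 mail.example.com ESMTP ready\r\n"
SAMPLE_MULTI = b"220-mail.example.com ESMTP\r\n220 ready\r\n"
SAMPLE_REJECT = b"554 no SMTP service here\r\n"


def parse_greeting(raw):
    """Parse SMTP greeting bytes into (code, [text lines]) per RFC 5321.

    Every line starts with the same 3-digit code; continuation lines use
    "220-" and only the final line uses "220 ". Raises ValueError otherwise.
    """
    text = raw.decode("ascii", errors="replace")
    if not text.endswith("\r\n"):
        raise ValueError("reply is not terminated by CRLF")
    lines = text[:-2].split("\r\n")
    code, texts = None, []
    for i, line in enumerate(lines):
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        sep, is_last = line[3:4], i == len(lines) - 1
        # Continuation lines must carry "-", and the last line must not.
        if sep not in ("", " ", "-") or (sep == "-") == is_last:
            raise ValueError(f"bad continuation marker in: {line!r}")
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("reply code changes between lines")
        texts.append(line[4:])
    return code, texts


def read_greeting(host, port=25, timeout=10.0):
    """Connect, read until the final greeting line arrives, and parse it."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break  # peer closed the connection
            buf += chunk
            if len(buf) > MAX_GREETING:
                raise ValueError("greeting exceeds size limit")
            if buf.endswith(b"\r\n"):
                last = buf[:-2].rsplit(b"\r\n", 1)[-1]
                if last[3:4] != b"-":
                    break  # final line of the reply received
    return parse_greeting(buf)


def check_smtp(host, port=25, timeout=10.0):
    """Return (ok, detail); ok is True only if the host greets with 220."""
    try:
        code, texts = read_greeting(host, port, timeout)
    except OSError as exc:        # refused, timed out, or unresolvable name
        return False, f"connect/read failed: {exc}"
    except ValueError as exc:     # something answered, but not with SMTP
        return False, f"not a valid SMTP greeting: {exc}"
    return code == 220, f"{code} {texts[0]}"


if __name__ == "__main__":
    import sys
    print(check_smtp(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

The greeting text usually names the mail software and its version, as the banner in the guide's example does, so it is worth reviewing what your Internet-facing server announces.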

How to Configure DNS Settings on the Exchange Server

The Exchange Server should point to the primary (local) DNS server for your domain. If you have multiple local DNS servers, you can configure Exchange Server to point to any of them. However, it is recommended that Exchange Server point to the primary DNS server for that domain. To specify which DNS server the Exchange servers point to, you must access the Internet Protocol (TCP/IP) Properties dialog box.

Before You Begin

Before you perform the procedure in this topic, read Verifying DNS Design and Configuration.

Procedure

How to configure DNS settings on the Exchange Server

1. Click Start, point to Settings, and then click Network and Dial-up Connections.
2. Double-click Local Area Connection, and then, in Local Area Connection Status, click Properties.
3. In Local Area Connection Properties, under Components checked are used by this connection, double-click Internet Protocol (TCP/IP).
4. In Internet Protocol (TCP/IP) Properties, verify that DNS is configured correctly.

How to Configure Settings on the DNS Server

This topic provides guidelines for configuring your DNS server. To access the DNS console, log on as the administrator, click Start, point to Control Panel, point to Administrative Tools, and then click DNS.

Note: The configuration settings in this topic assume that you are running DNS on your domain controllers.

Before You Begin

Before you perform the procedure in this topic, read Verifying DNS Design and Configuration.

Procedure

To configure settings on the DNS server

1. Ensure that the DNS server points to its IP address. To confirm this setting, access the Internet Protocol (TCP/IP) Properties dialog box for the DNS server. For more information about how to access this dialog box, see How to Configure DNS Settings on the Exchange Server.

   Note: It is strongly recommended that, when operating the computer as a DNS server, you manually configure TCP/IP and use a static IP address.

2. The DNS server should contain forward lookup zones for each of the domains being hosted. To configure forward lookup zones, in the DNS console, expand the DNS server, expand Forward Lookup Zones, right-click the forward lookup zone that you want, click Properties, and then use the settings on the General tab. For each forward lookup zone:
   - Set Allow dynamic updates to Yes.
   - Set Type to Active Directory Integrated.

3. The DNS server should contain reverse lookup zones for each IP subnet range being hosted. To configure reverse lookup zones, in the DNS console, expand the DNS server, expand Reverse Lookup Zones, right-click the reverse lookup zone you want, click Properties, and then use the settings on the General tab. For each reverse lookup zone:
   - Set Allow dynamic updates to Yes.
   - Set Type to Active Directory Integrated.

   Note: If reverse lookup zones are not enabled on your internal DNS servers, DNS will still function correctly.

4. Configure your DNS server to include forwarders to external (Internet) DNS servers. This setting allows your DNS server to receive a query for external names, forward the query to the remote server, and deliver the response to the requestor. To configure this setting, open the DNS console, right-click your DNS server, click Properties, click the Forwarders tab, and then configure forwarders to external DNS servers.

   Note: If the Enable Forwarders check box on the Forwarders tab is unavailable, the DNS server was configured as a root DNS server. If this is the case, to configure forwarders you must remove the "." (period) zone, restart the DNS console, and then configure the forwarders.

How to Configure External DNS Servers on an Outbound SMTP Virtual Server

When you configure external DNS servers, you specify a different DNS server than the server that is configured in the TCP/IP properties of the computer running Exchange Server. This DNS server is used by SMTP to resolve external DNS names and deliver mail.

Before You Begin

Before you perform the procedure in this topic, read Verifying DNS Design and Configuration.

Procedure

How to configure external DNS servers on an outbound SMTP virtual server
1. Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand <Server Name>, expand Protocols, and then expand SMTP.
3. Right-click <Your Outgoing SMTP Virtual Server>, and then click Properties.
4. Click the Delivery tab, and then click Advanced. The Advanced Delivery dialog box appears.
   [Figure: The Advanced Delivery dialog box]
5. In Advanced Delivery, click Configure. The Configure dialog box appears.
   [Figure: The Configure dialog box]
6. In Configure, click Add, type the IP address of the external DNS server that you want to use, and then click OK.
7. In Configure, under External DNS, verify that the IP address is correct, and then click OK twice to apply the settings.

How to Use the DNS Resolver to Verify DNS Configuration

For Exchange Server to send Internet mail, the DNS servers that Exchange Server uses for your domain must be able to resolve external domain names. To verify that your DNS servers can resolve external domain names, use the DNS Resolver tool (Dnsdiag.exe) if you are running Exchange Server 2003 on Windows Server 2003.

Before You Begin

Before you perform the procedure in this topic, read Verifying DNS Design and Configuration.

Note: The DNS Resolver tool is included with the Microsoft Windows Server 2003 Resource Kit Tools. For more information about how to install and use the DNS Resolver tool, see Microsoft Windows Server 2003 Resource Kit Tools.

Procedure

To use the DNS Resolver tool to verify configuration
1. On your Exchange Server, copy dnsdiag.exe to the C:\WINNT\system32\inetsrv directory, where C is the drive to which Windows Server is installed.
2. Open a command prompt and navigate to the inetsrv directory.
3. At the command prompt, type the following:

    dnsdiag contoso.com -v 1

   where contoso.com is an external domain and 1 is the instance number of the SMTP virtual server that you want to use. The mail exchanger (MX) resource record for the domain that you entered should be displayed. If the MX record is not displayed, DNS is not configured to resolve external domain names.

Example
The following example shows how the DNS server for example.com resolves the IP address of the external domain contoso.com:

    Created Async Query:
    --------------------
    QNAME = contoso.com
    Type = MX (0xf)
    Flags = UDP default, TCP on truncation (0x0)
    Protocol = UDP
    DNS Servers: (DNS cache will not be used)
    172.16.1.1

    Connected to DNS 172.16.1.1 over UDP/IP.
    Received DNS Response:
    ----------------------
    Error: 0
    Description: Success
    These records were received:
    contoso.com         MX    10    mail.contoso.com
    mail.contoso.com    A     172.16.1.2

    Processing MX/A records in reply.
    Sorting MX records by priority.

    Target hostnames and IP addresses
    ---------------------------------
    HostName: "mail.contoso.com"
    172.16.1.2

How to Use Nslookup to Verify DNS Configuration

For Exchange Server to send Internet mail, the DNS servers that Exchange Server uses for your domain must be able to resolve external domain names. To verify that your DNS servers can resolve external domain names, use the Nslookup tool (Nslookup.exe) if you are running Exchange 2003 on Windows 2000 servers.

Before You Begin

Before you perform the procedure in this topic, read Verifying DNS Design and Configuration.

Procedure

How to use Nslookup to verify DNS configuration
1. At a command prompt, type Nslookup, and then press ENTER.
2. Type server <IP address>, where IP address is the IP address of your external DNS server.
3. Type set q=mx, and then press ENTER.
4. Type <domain name>, where domain name is the name of an external mail domain, and then press ENTER. The mail exchanger (MX) resource record for the domain that you entered should be displayed. If the MX record is not displayed, DNS is not configured to resolve external domain names.

Example
The following example shows how the DNS server for example.com resolves the IP address of the external domain contoso.com:

    C:\> nslookup
    Default Server:  pdc.corp.example.com
    Address:  192.168.6.13

    > server 10.255.255.255
    Default Server:  dns1.example.com
    Address:  10.255.255.255

    > set q=mx
    > contoso.com.
    Server:  dns1.example.com
    Address:  192.168.10.10

    contoso.com    MX preference = 10, mail exchanger = mail1.contoso.com
    contoso.com    MX preference = 10, mail exchanger = mail2.contoso.com
    contoso.com    MX preference = 10, mail exchanger = mail3.contoso.com
    mail1.contoso.com    internet address = 192.168.255.011
    mail2.contoso.com    internet address = 192.168.255.012
    mail3.contoso.com    internet address = 192.168.255.013

In this example, the preconfigured DNS server is behind a proxy server. Therefore, an external or Internet DNS server with a known IP address of 10.255.255.255 was used to perform the query. Next, the query type was set to MX to locate the mail exchangers for contoso.com. In this example, three SMTP servers are equally balanced, each with its own IP address.
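The MX check that the DNS Resolver and Nslookup procedures above perform can also be scripted. The following Python sketch is an added example, not part of the original guide or of either tool: it builds an MX query, parses the reply (including compressed names), and orders the mail exchangers by preference. All function names, the sample reply bytes, and the 192.0.2.25 address are constructed for illustration.

```python
import secrets
import socket
import struct

TYPE_A, TYPE_MX, CLASS_IN = 1, 15, 1


def build_mx_query(domain, txid):
    """Encode a recursive MX query, the request that `set q=mx` makes nslookup send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_MX, CLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if resume is None:
                resume = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:  # a corrupt or hostile reply can point in a loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (resume if resume is not None else off)


def parse_mx_response(msg, expected_txid=None):
    """Return (rcode, [(preference, host)] sorted by preference, {host: [IPv4]})."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    mx, addrs = [], {}
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_MX:
            (pref,) = struct.unpack("!H", msg[off:off + 2])
            host, _ = read_name(msg, off + 2)
            mx.append((pref, host))
        elif rtype == TYPE_A and rdlen == 4:
            addrs.setdefault(name, []).append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return flags & 0x000F, sorted(mx), addrs


def delivery_targets(mx, addrs):
    """Hosts in the order a sender would try them, with addresses the reply carried."""
    return [(host, addrs.get(host, [])) for _pref, host in mx]


def query_mx(server_ip, domain, timeout=3.0):
    """Live check against one DNS server over UDP port 53 (not used by the sample)."""
    txid = secrets.randbelow(0x10000)  # unpredictable ID, verified on the reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_mx_query(domain, txid), (server_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_mx_response(reply, expected_txid=txid)


def _rr(name, rtype, rdata):
    return name + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata


# Constructed sample reply: two MX records (returned out of order) and one A record.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
    + b"\x07contoso\x03com\x00" + struct.pack("!HH", TYPE_MX, CLASS_IN)
    + _rr(b"\xc0\x0c", TYPE_MX, struct.pack("!H", 20) + b"\x05mail2\xc0\x0c")
    + _rr(b"\xc0\x0c", TYPE_MX, struct.pack("!H", 10) + b"\x04mail\xc0\x0c")
    + _rr(b"\xc0\x41", TYPE_A, bytes([192, 0, 2, 25]))  # name points at "mail" (offset 65)
)

if __name__ == "__main__":
    rcode, mx, addrs = parse_mx_response(SAMPLE_RESPONSE, expected_txid=0x1234)
    print("rcode:", rcode)
    for host, ips in delivery_targets(mx, addrs):
        print(host, ips or "(no address in reply)")
```

An empty MX list with a zero response code, or a non-zero response code, corresponds to the "MX record is not displayed" outcome in the procedures above.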


Configuring a Routing Topology

This section explains the planning, concepts, and procedures that are involved in configuring your routing topology.

Note: If you are operating Microsoft® Exchange Server on a single server, most of the topics about routing groups do not apply to your organization. However, you may find these topics useful if you are planning to expand your messaging system to support multiple servers.

It contains the following topics:

General Planning Considerations
This topic explains the information that you need to gather before configuring your routing topology, and the variables that influence your routing topology.

Common Routing Topologies
This topic presents the two common routing topologies, a centralized routing topology and a distributed routing topology, and explains when these topologies are typically used.

Defining Routing Groups
This topic explains how to create routing groups, routing group connectors, and how to connect routing groups.

Understanding Connector Scope and Restrictions
This topic explains the decisions that are involved in using connector scope and restrictions.

Designating a Routing Group Master
This topic explains what the routing group master is, how it works, and the criteria for designating a routing group master.

Advanced Routing Configuration
This topic presents advanced routing configuration topics. It discusses how to use connectors for load balancing and failover, and how to suppress link state traffic.

General Planning Considerations

A well-designed routing topology is essential for efficient and reliable message flow. Before you design your routing topology, be aware of the following limitations for a single Exchange organization. A single Exchange organization cannot have:
- More than 1,000 administrative groups.
- More than 1,000 servers.

Before you configure your routing topology, you must perform a detailed assessment of your current environment, taking into account the following variables:

Network topology and users in each location
The connectivity between locations and the available bandwidth, with consideration to the applications currently using the network and future projects requiring the existing bandwidth.

User number, location, and usage patterns
The number of users sending messages across the network is an important consideration. Additionally, consider how users are distributed and whether they communicate primarily with other users in their location, or with other users in different locations. Also, you should consider the size of messages that are sent by users in specific locations. For example, a design department may send messages with attachments of large graphic files to various business partners. This traffic will have a greater effect on the network than traffic from a department that sends very few attachments across the network.

Type of applications used by your company
The types of applications that are used by the network and the peak usage times for the network.

Data center locations
The location of your data centers and the available connectivity to regional offices and other data centers.

Free/busy requirements
The use of current free/busy information in different geographical locations. Public folder replication includes the replication of free/busy information. Do users in different geographical locations require current free/busy information for users outside of their geographical locations, or do users generally need current information only for users within their location?

Current Microsoft Active Directory® directory service design
The placement of global catalog servers and domain controllers, the way in which your Microsoft Windows® sites are designed, and how they correspond to your routing groups.

Common Routing Topologies

This topic discusses two commonly deployed messaging topologies:
- A centralized messaging topology in which all servers have full-mesh connectivity and communicate point-to-point.
- A distributed messaging topology in which a single hub or data center connects to numerous branch office sites.

Centralized Messaging Topology

In a centralized messaging topology, you have a single data center or hub site in which all servers are connected by high-speed, reliable bandwidth. Even if this site spans a large geographical area, as long as all your servers are connected by the same reliable bandwidth, you can use a single routing group. The advantages of a centralized messaging topology include ease of administration and more efficient mail flow because all servers communicate in a point-to-point manner.

However, if you have some servers in a central location that are connected by a slower network, it is best to group these servers in a separate routing group. One server with unreliable network connectivity in a single routing group can generate link state traffic. Because all other servers need to be notified if this server or a routing group connector on this server becomes unavailable, the routing group master (the server that is responsible for communicating information about the routing topology to servers within a routing group) must propagate changes in this server's status to all the servers in the routing group. For more information about the routing group master, see Designating a Routing Group Master.

Distributed Messaging Topology

In a branch office or distributed messaging topology, typically one or more data centers are connected to several smaller branch office locations using a hub-and-spoke network design. In this scenario, your servers in the central hub are grouped together in a single routing group where all servers have reliable network connectivity. Each branch office location constitutes its own routing group. Generally, in the central hub site, you have dedicated bridgehead servers that connect to the branch office routing groups. These routing groups are often leaf-node routing groups, that is, routing groups that have only a single inbound routing group connector and a single outbound routing group connector in exact opposite connections. No other connectors can exist in a leaf-node routing group. There are three possible configurations for a leaf-node routing group:
- A routing group with an inbound connector to a single routing group and no outbound connectors.
- A routing group with an outbound connector to a single routing group and no inbound connectors.
- A routing group with an outbound connector to a single routing group.

See the figure for examples of leaf-node routing groups.

In Exchange Server 2003, if no alternate path exists for a connector connecting to or from a leaf-node routing group, the connector state is always marked as "up" (in service). Exchange Server 2003 no longer changes the connector state to "down" (unavailable) if no alternate path exists. Instead, Exchange queues mail for delivery and sends it when the route becomes available. This change enhances performance because it reduces the propagation of link state information, which is particularly relevant in a distributed messaging environment where a hub-and-spoke topology is used.

Consider that you have a single routing group connector connecting the remote site, a leaf-node routing group, to the hub, and another routing group connector connecting the hub to the remote site. If the routing group connector becomes unavailable at either the hub or the remote site, messages queue until the connector becomes available. No link state traffic is generated, and the network is not affected.

The following figure illustrates a distributed messaging topology in a typical hub-and-spoke configuration. In this topology, each physical site maps to a routing group. In the central site, all servers are in one routing group and communicate point to point. Because each of the remote office sites has only one available route to the central site, if a connector is unavailable in a remote site, mail queues until it becomes available and no link state changes are propagated.

[Figure: Distributed messaging topology in a typical hub-and-spoke configuration]

Defining Routing Groups

As a general guideline, you should define one routing group and add others only when necessary. The fewer routing groups in your environment, the less complex and more manageable it is. However, geographical and administrative requirements, as well as network availability, may mandate the creation of additional routing groups. Routing groups are generally created for one of two reasons:
- To accommodate varying network connectivity across servers.
- To restrict the usage of a connector to users in a particular area. For more information about using routing groups to restrict connector use, see Understanding Connector Scope and Restrictions.

Before you define your routing groups, consider the advantages and disadvantages of multiple routing groups as shown in the following table.

Advantages and disadvantages of multiple routing groups

Advantages of multiple routing groups:
- Allows scheduling and control of mail flow. You can restrict connector use to a particular routing group or schedule the use of a connector.
- Allows you to control usage based on message size or content by using connector restrictions.

Disadvantages of multiple routing groups:
- Introduces more hops en route to the final destination, thereby decreasing delivery efficiency.
- Adds complexity to your messaging environment.
- Can reduce the reliability of messaging because the more hops you have en route, the more points of failure are possible.
- Simple Mail Transfer Protocol (SMTP) handles latency in a well-connected TCP/IP environment, and this often eliminates the need for multiple routing groups.
- Two routes generally use the same network, and the network has the same inherent reliability or stability.

The chart that is shown in the following figure can help you determine how to define routing group boundaries.

[Figure: Determining routing group boundaries]

Defining Routing Group Connectors and Bridgehead Servers

Although all servers communicate with each other directly within a routing group, this is not the case when a server in one routing group needs to communicate with a server in another routing group. To allow servers to communicate with servers in other routing groups, you need to create a routing group connector. Although you can use an X.400 connector or an SMTP connector to connect routing groups, the routing group connector is specifically designed for this purpose and is the preferred method of connecting routing groups in most cases.

By default, all servers within a routing group can send mail over the routing group connector. Servers that are capable of sending mail over a routing group connector are bridgehead servers. A bridgehead server is a combination of an SMTP virtual server and an Exchange server that is responsible for delivering all messages through a connector.

When you create a routing group connector, you have the option of either keeping all the servers as bridgehead servers for that connector, or specifying that only a selected set of servers act as bridgehead servers for that connector. The following table compares the advantages of each approach.

Selecting the number of bridgehead servers in a routing group

Number of bridgehead servers: All servers in a routing group
Advantages:
- Provides more efficient message flow because all of the servers in the routing group can directly deliver messages to other routing groups.
- Capitalizes on configurations where all of the servers in a routing group have the same network connectivity to the servers in other routing groups.
- Can add complexity in large organizations where all servers communicate in a point-to-point fashion. It can be more difficult to troubleshoot mail flow issues.
- Direct point-to-point connectivity can provide load balancing.

Number of bridgehead servers: Only a select few servers in a routing group
Advantages:
- Makes troubleshooting message flow easier because there are limited points of contact between routing groups.
- Distributes messaging if you anticipate heavy message flow between routing groups.
- Allows you to specify server roles of bridgehead servers and mailbox servers in large environments where you do not want mailbox servers handling the traffic sent through a bridgehead server.
- Makes mail flow more reliable and efficient in those configurations where some servers have better network connectivity than others.

The following figure illustrates the basic components of routing discussed thus far. Figure 5.4 shows message flow between servers within a routing group and between routing groups. It also illustrates a topology that uses only a single bridgehead server in each routing group.

[Figure: Communication within and between routing groups]

When a topology is as simple as that shown in Figure 5.4, you do not have to consider how to best route messages between routing groups. As topologies become more complex, with large numbers of routing groups spread over varying geographical distances, message routing among groups becomes critical. You configure routing among routing groups by assigning costs (an associated expense for the route based on network availability, network traffic, and administrative requirements) to the routing group connectors that are used by these groups. When a user on a server in one routing group sends mail to a user on a server in another routing group, Exchange uses these costs (part of the link state information that is maintained by Exchange) to determine the most efficient route. Exchange always uses the route with the lowest cost unless a connector or server in that route is unavailable. So that every routing group knows what the various costs are for each connector and the status of those connectors, each routing group has a routing group master that updates and coordinates this information with all of the other servers in a routing group. For more information about routing group masters, see "Designating a Routing Group Master" later in this chapter.
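How connector costs and availability interact can be seen in a small model. The following Python sketch is an added example, not Exchange's own code: it treats each routing group connector as a one-way link with a cost and picks the lowest-cost path over the connectors that are currently available, using Dijkstra's algorithm as an assumed stand-in for Exchange's route selection. The routing group names, connector names, and costs are constructed.

```python
import heapq
from collections import namedtuple

# A routing group connector modelled as a one-way link with an administrator-assigned cost.
Connector = namedtuple("Connector", "name source dest cost available")

# Constructed topology: three meshed routing groups plus one branch that hangs
# off Seattle with a single connector in each direction (a leaf node).
TOPOLOGY = [
    Connector("SeattleToParis", "Seattle", "Paris", 10, True),
    Connector("ParisToSeattle", "Paris", "Seattle", 10, True),
    Connector("SeattleToLondon", "Seattle", "London", 20, True),
    Connector("LondonToSeattle", "London", "Seattle", 20, True),
    Connector("LondonToParis", "London", "Paris", 10, True),
    Connector("ParisToLondon", "Paris", "London", 10, True),
    Connector("SeattleToBranch", "Seattle", "Branch", 10, True),
    Connector("BranchToSeattle", "Branch", "Seattle", 10, True),
]


def lowest_cost_route(connectors, source, dest):
    """Return (total_cost, [connector names]), or None when no usable route exists."""
    links = {}
    for c in connectors:
        if c.available:  # unavailable connectors are never considered
            links.setdefault(c.source, []).append(c)
    best = {source: 0}
    heap = [(0, source, [])]
    while heap:
        cost, group, path = heapq.heappop(heap)
        if group == dest:
            return cost, path
        if cost > best.get(group, float("inf")):
            continue  # stale heap entry, a cheaper path was already found
        for c in links.get(group, []):
            new_cost = cost + c.cost
            if new_cost < best.get(c.dest, float("inf")):
                best[c.dest] = new_cost
                heapq.heappush(heap, (new_cost, c.dest, path + [c.name]))
    return None


def with_state(connectors, name, available):
    """Copy of the topology with one connector marked available or unavailable."""
    return [c._replace(available=available) if c.name == name else c for c in connectors]


def route_or_queue(connectors, source, dest):
    """Describe the outcome: the connector path taken, or 'queue' when none exists."""
    route = lowest_cost_route(connectors, source, dest)
    return "queue" if route is None else " -> ".join(route[1])


if __name__ == "__main__":
    print(route_or_queue(TOPOLOGY, "Seattle", "Paris"))
    degraded = with_state(TOPOLOGY, "SeattleToParis", False)
    print(route_or_queue(degraded, "Seattle", "Paris"))
    isolated = with_state(TOPOLOGY, "BranchToSeattle", False)
    print(route_or_queue(isolated, "Branch", "Paris"))
```

The last case models a leaf-node routing group whose only outbound connector cannot deliver: there is no alternate path, so the message waits in the queue.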

Connecting Routing Groups

When you create a routing group, you designate a group of servers that can communicate directly with one another. For servers in different routing groups to communicate with each other, you need to connect the routing groups. It is possible to connect routing groups by using either an SMTP connector or an X.400 connector. However, using these types of connectors is generally not recommended. The preferred connection method is a routing group connector because this connector is designed and intended specifically for connecting routing groups.

Note: If you must use an SMTP or X.400 connector between routing groups, do not add an address space on the connector. You should only designate a connected routing group; otherwise, routing will not function correctly.

Routing group connectors are one-way routes for outgoing messages, which means that messages travel outbound to the connected routing group. For two routing groups to communicate, a routing group connector must exist in each routing group to send messages outbound to the other routing group. When you create a connector to a routing group, Exchange displays a message asking if you want to create a routing group connector in the remote routing group so that you can send messages from the remote routing group to the routing group where you are creating the first connector.

Before you create and configure a routing group connector, you should think about the following questions:

To which routing group does this connector deliver messages?
This information is critical. Identifying the routing group to which the connector delivers messages establishes the relationship between the sending and receiving routing groups and the rest of your topology. You need to know how the sending and receiving routing groups fit into your topology so that you can determine a cost for the associated connector.

What cost should this connector have?
Cost is the variable that Exchange uses to determine the most efficient messaging route. Exchange considers the lowest cost route the most efficient. Exchange uses a more expensive route only if a server or connector is unavailable on the route with the lowest cost. You should assign the lowest costs to the routes with the highest available network bandwidth.

Which servers in the routing group can act as bridgehead servers?
Only designated bridgehead servers can send messages across the connector to the connected routing group. The default and preferred setting is to have the servers in the local routing group send mail using this connector. Use this default option when all servers in the routing group can connect directly over the network to the remote bridgehead server and share the same messaging load. Connecting directly to the remote bridgehead server provides more efficient message flow.

However, you may have better direct network connectivity between specific servers in the local routing group and the designated remote bridgehead server. For example, Server A has a direct connection of 56 kilobits per second (Kbps) to a remote bridgehead server, and Server B and Server C each have a direct connection of 10 megabits per second (Mbps) to the same remote bridgehead server. In this case, you should specify the servers that have the better direct network connectivity (that is, Server B and Server C) as the bridgehead servers, and add those specific servers to a list of allowable bridgehead servers.

You can configure all servers in the routing group to act as bridgehead servers in one of two ways:
- Select the default option of Any local server can send over this connector. When you select this option, the connector is always marked as in service or available even if all bridgehead servers become unavailable. This option offers the advantage of generating less link state information because this connector is never marked as unavailable.
- Select These servers can send mail over this connector and manually add each server in the routing group as a bridgehead server. When you configure your bridgehead servers in this way, if all the bridgehead servers become unavailable, the routing group connector is marked as unavailable. However, using this option can increase the size of your link state table because the fully qualified domain name (FQDN) of each bridgehead virtual server is then written to the link state table. For more information about link state, see Advanced Link State Concepts.

For more information about evaluating the advantages of using multiple bridgehead servers versus using designated bridgehead servers, see Table 5.3 earlier in this chapter.

Should users access public folders that are not available locally using this connector?
By default, public folder referrals are enabled across connectors connecting routing groups. However, network traffic increases when users access a public folder in a remote routing group. If your routing groups are connected by slow network links, or if your network may not be able to handle the additional traffic, disable public folder referrals.

What are the remote bridgehead servers to which this connector can send messages?
The remote bridgehead servers are the servers in the connected routing group that receive all messages destined for this routing group. The remote bridgehead servers also receive link state information from the bridgehead servers for the connector.

After considering these questions, you can set your configuration options on the General tab in the Routing Group Connector Properties dialog box. You can address the last question in the above list by specifying remote bridgehead servers on the Remote Bridgehead tab. For detailed instructions, see How to Configure the Options for a Routing Group Connector and How to Specify a Remote Bridgehead Server for a Routing Group Connector.

How to Configure the Options for a Routing Group Connector

When you create a routing group, you designate a group of servers that can communicate directly with one another. For servers in different routing groups to communicate with each other, you need to connect the routing groups.

Before You Begin

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level.

Procedure

To configure the options for a routing group connector
1. In Exchange System Manager, expand the routing group, right-click Connectors, point to New, and then click Routing Group Connector.
2. On the General tab, select from the following options:
   - For the name of the routing group connector, it is a common practice to use the two routing groups that it connects. For example, you could use the name ParisToSeattle to define a connector connecting your Paris routing group to your Seattle routing group.
   - In Connects this routing group with, select the routing groups to which you want to connect.
   - In Cost, assign a cost for the connector.
   - To have all servers within the local routing group function as bridgehead servers, select Any local server can send mail over this connector.
     Important: Remember, when you select this option, the connector is always considered available, even if all bridgehead servers become unavailable. If you want your connector to be marked unavailable if all bridgehead servers become unavailable, add each server in the routing group as the bridgehead server manually, using the These servers can send mail over this connector option described next.
   - To specify which servers in the local routing group can function as bridgehead servers for this connector, select These servers can send mail over this connector, and then click Add to add the appropriate servers to the list.
   - To prohibit users from accessing public folders that are not available locally using this connector, select the Do not allow public folder referrals check box.

How to Specify a Remote Bridgehead Server for a Routing Group Connector

A remote bridgehead server is a server in a connected routing group that receives all messages destined for that routing group. A remote bridgehead server also receives link state information from the bridgehead servers for the connector.

Before You Begin

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level.

Procedure

To specify a remote bridgehead server for a routing group connector
1. In the Routing Group Connector Properties dialog box, on the Remote Bridgehead tab, click Add, and then select the remote bridgehead server from the list of servers in the routing group to which you are connecting.
   Note: You must specify a remote bridgehead server. For redundancy, you should specify more than one remote bridgehead server, if possible.
   [Figure: Remote Bridgehead tab in the Routing Group Connector Properties dialog box]
2. If you are creating a routing group connector between routing groups that includes Exchange 5.5 servers, in Override connection credentials for Exchange 5.x, click Modify, and then enter the Exchange 5.5 service account credentials for the Exchange 5.5 server to which you are connecting.
3. Click Apply to create the connector.
4. When a message appears that asks if you want to create a routing group connector in the remote routing group, click Yes.

After you click Yes, Exchange creates a routing group connector in the remote routing group. This new routing group connector allows the remote routing group to send messages to the local routing group. When creating this new routing group connector, Exchange does the following:

Understanding Connector Scope and Restrictions

If you need to control access to specific connectors, either by group or by a specific geographic area, you have two choices:
- Use connector scope to restrict connector use. By definition, only users in a specific routing group can use that routing group's connector. However, you can also designate a routing group scope for another type of connector, like an SMTP connector, so that only users in a particular routing group can use the SMTP connector. Use an SMTP connector with a routing group scope if you want to ensure that users in a specific location always use this SMTP connector.
- Create a restriction on the connector. You can restrict access to any type of connector by using the Delivery Restrictions tab of the connector properties. You can designate a distribution group that explicitly has rights to use this connector, or you can designate a distribution group that is explicitly denied access to the connector.

%sing Connector Scope to Restrict %sage


#o understand ho$ (our routin topolo ( and connector scope affects messa e flo$, consider a compan( named Contoso, 3td) ;contoso)com<, $hich is located exclusi"el( in the 0nited !tates $ith t$o maFor offices, one in Colorado and one in Maine) All ser"ers are connected b( a hi hDspeed net$or%, but a fax connector and an !M#P connector exist in each site) 4f the fax connectors ha"e an or aniAational scope, users in Colorado can use the fax connector in Maine and ma( incur lon distance costs) Additionall(, the Contoso administrator $ants all users in Maine to use the !M#P connector to the 4nternet that is located in the Maine site, and all users in Colorado to use the local !M#P and fax connectors) 4n this case, despite the hi h net$or% connecti"it( bet$een all ser"ers, it ma%es sense to use routin roups and restrict the connector scopes to the appropriate routin roup)

Topology of Contoso.com

In this topology, each site has the following connectors:

An SMTP connector to the Internet with a routing group scope.

A fax connector with a routing group scope.

A routing group connector that allows any server in the routing group to send messages over this connector and designates all three servers in the remote site as remote bridgehead servers. Because all servers in each site share the same network connectivity, it makes sense to designate all of them as bridgehead servers, so that servers can communicate in a point-to-point fashion.

Using Delivery Restrictions to Restrict Usage


You can restrict the use of your connector to a particular group of users. The advantage of using delivery restrictions to restrict usage is that this option eliminates the need to create a routing group. The disadvantage to using a restriction is that for each message that is sent through this connector, the distribution group must be expanded to its individual recipients to enforce the restriction. This expansion is costly in terms of performance. Therefore, it is recommended that you use the Delivery Restrictions tab on a connector in cases where the distribution group is small or where you are certain that the performance impact is acceptable to your users.

Important: Be aware that restricting delivery is extremely process-intensive and can affect server performance.

A registry key on the Exchange 2003-based bridgehead server (which is the source for the connector that is being checked) controls the restriction checking functionality. If you need to configure a connector to restrict who can send data to the designated link, you must manually add the restriction checking registry value.

Note: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

For detailed instructions, see How to Enable the Registry Keys for Delivery Restrictions. After enabling the registry key and restarting the services above, you can set delivery restrictions on the connector properties by using the Delivery Restrictions tab.

Note: You can also designate specific users or query-based distribution groups on the Delivery Restrictions tab. This approach is not recommended because each user is added as an entry in the link state table, which causes the link state table to grow very large. A large link state table can affect the network and performance because it needs to be replicated to all other servers in the organization.

Delivery Restrictions tab in SMTP Connector Properties dialog box

How to Enable the Registry Keys for Delivery Restrictions


A registry key on the Exchange Server 2003-based bridgehead server (which is the source for the connector that is being checked) controls the restriction checking functionality. If you need to configure a connector to restrict who can send data to the designated link, you must manually add the restriction checking registry value.

Before You Begin


The following permissions are required to perform this procedure:

Member of the local administrators group

Procedure

To enable the registry keys for delivery restrictions

1. Start Registry Editor: From a command prompt, type Regedt32.exe.
2. Navigate to and select the following key in the registry:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RESvc\Parameters\
3. On the Edit menu, click Add Value, and then add the following registry value:
   Value Name: CheckConnectorRestrictions
   Data Type: REG_DWORD
   Data: 1
   Radix: Decimal
4. Exit Registry Editor: On the Registry menu, click Exit.
5. After enabling the registry key setting, restart the following services on your Exchange server:
   Microsoft Exchange MTA Stacks (MSExchangeMTA)
   Microsoft Exchange Routing Engine (RESvc)
   Simple Mail Transport Protocol (SMTPSVC)

Designating a Routing Group Master


When you create a routing group, the first server in that routing group is assigned the role of routing group master. The routing group master maintains current link state information for its routing group and propagates it to the other servers within the routing group. The routing group master monitors the routing configuration that is written in Active Directory for its routing group only. Member servers can communicate any connector state or server availability information to the routing group master. For example, if a member server tries to contact another server in a different routing group over a connector, and this link is unavailable, the member server immediately notifies the routing group master. Likewise, when a non-master server receives new link state information, it immediately transfers the connector state information to the routing group master, so that other servers can receive the information about the routing change.

When you designate a routing group master, ensure that the server you choose has good access to a domain controller because this is where it reads the configuration information that is stored in Active Directory. Additionally, when a change occurs in the configuration of its routing group, Exchange System Manager writes this information directly to Active Directory and then the domain controller notifies the routing group master of this change. The routing group master then propagates this information to all the member servers.

Within a routing group, the routing group master and the other Exchange servers communicate link state information over TCP/IP port 691. However, communication of link state information between routing groups is different. If the routing group master is not a bridgehead server for the routing group, the routing group master sends the link state information to the group's bridgehead server over TCP/IP port 691. The bridgehead server then forwards this information (over TCP/IP port 25 using SMTP and the X-LINK2STATE verb) to the bridgehead servers of other routing groups.

Note: For more information about link information and how it is updated, see Advanced Link State Concepts.

If you do not want the first server that is installed in the routing group to be the routing group master (the default setting), you can change the routing group master to another server by using the following procedure.

Note: Do not change the routing group master frequently. When you designate a new routing group master, all member servers need to reconnect and this change requires that the link state table replicate across the organization, which increases network traffic.

For detailed instructions about how to change the routing group master, see How to Change Which Server Is the Routing Group Master.

Important: There is no automatic failover for routing group masters. If a routing group master fails, you must manually configure a new routing group master in Exchange System Manager. If a routing group master fails, the other servers in the routing group use the last known link state information until a routing group master becomes available or another routing group master is designated. For more information about failure of a routing group master, see Microsoft Knowledge Base article 261221 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=261221).

How to Change Which Server Is the Routing Group Master


When you create a routing group, the first server in that routing group is assigned the role of routing group master. The routing group master maintains current link state information for its routing group and propagates it to the other servers within the routing group.

Before You Begin


The following permissions are required to perform this procedure:

Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To change which server is the routing group master

In Exchange System Manager, expand the routing group, click Members, right-click an Exchange server that you want to designate as master, and then select Set as Master.

Advanced Routing Configuration


This topic presents some advanced routing configuration topics. It explains the following:

Using connectors for load balancing and failover: Configurations that you can use to enable load balancing or failover between connectors.

Advanced link state configuration: Specific scenarios for disabling or suppressing link state information.

Using Connectors for Load Balancing and Failover


Routing uses the costs that are associated with routing group connectors to determine the best way to deliver messages internally. Routing also uses the costs that are associated with SMTP and X.400 connectors to determine the best method for delivering external mail. It is important to understand that routing always chooses the connector with the closest matching address space and then the lowest cost. You can also use connectors to load balance messages or configure connectors for failover. The disadvantage to using connectors for load balancing or failover is that both configurations increase the size of the link state table that is replicated across the Exchange organization. Remember, the larger the link state table, the more demands on system performance.

Configuring Connectors for Load Balancing


If you want to configure a connector to load balance requests between two or more bridgehead servers, create a single connector with the desired address space, for example, * for an SMTP connector, and then assign two different Exchange servers and SMTP virtual servers as bridgehead servers. Routing chooses the bridgehead server at random and effectively load balances the requests that are sent through this connector. However, if a message reaches one of these bridgehead servers, and this server becomes unavailable, routing does not automatically choose the alternate route. Mail simply queues until this server becomes available. There is no rerouting among bridgehead servers once a message reaches the intended bridgehead server.

Link state only contains a connector's state, and a connector is always considered available if one bridgehead server is available. If one bridgehead server becomes unavailable, routing still considers this connector a valid path and chooses randomly among the available bridgehead servers.

Configuring Connectors for Failover


If you want to configure connectors to failover automatically, you can create two separate connectors on different bridgehead servers, each with a different cost. Link state for a connector is determined by its local bridgehead server. If the bridgehead server on the preferred connector with the lowest cost is unavailable, that connector is considered unavailable and routing automatically chooses the second connector. When the bridgehead server hosting the connector with the lower cost becomes available, Exchange servers then begin using it again.

If you use two connectors with the same cost, Exchange servers will randomly pick which bridgehead server and connector they use, and if this bridgehead server becomes unavailable, they will fail over to the second connector. However, once the first bridgehead server becomes available, the servers will not failback to this server because the route has the same cost as the server they are already using.
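The selection rules in the load balancing and failover descriptions above can be traced with a small model. This is an added example, not code from the guide or from Exchange: the class names, connector names and the address space matching rule ("*", "*.suffix" or an exact domain, with no fallback to a less specific address space) are assumptions made for illustration.

```python
import random


class Connector:
    """A connector as routing sees it: address space, cost, local bridgeheads."""

    def __init__(self, name, address_space, cost, bridgeheads):
        self.name = name
        self.address_space = address_space
        self.cost = cost
        self.bridgeheads = {server: True for server in bridgeheads}  # True = up

    def is_up(self):
        # Link state holds only the connector's state: one live bridgehead
        # is enough for the connector to count as available.
        return any(self.bridgeheads.values())


def match_score(address_space, domain):
    """Score how closely an address space matches a domain (None = no match).

    Assumed address space forms: "*", "*.suffix", or an exact domain name.
    """
    space, domain = address_space.lower(), domain.lower()
    if space == "*":
        return 0
    if space.startswith("*."):
        return len(space) - 1 if domain.endswith(space[1:]) else None
    return len(space) + 1 if domain == space else None


class Router:
    """Simplified model of connector selection for one sending server."""

    def __init__(self, connectors, seed=None):
        self.connectors = list(connectors)
        self.rng = random.Random(seed)
        self.in_use = {}  # domain -> connector this server is currently using

    def select(self, domain):
        """Return (connector, bridgehead), or None when mail would queue."""
        scored = [(match_score(c.address_space, domain), c) for c in self.connectors]
        scored = [(s, c) for s, c in scored if s is not None]
        if not scored:
            return None
        # 1. Closest matching address space. Assumption of this model: no
        #    fallback to a less specific address space.
        best = max(s for s, _ in scored)
        usable = [c for s, c in scored if s == best and c.is_up()]
        if not usable:
            self.in_use.pop(domain, None)
            return None
        # 2. Lowest cost among the connectors that are up.
        lowest = min(c.cost for c in usable)
        cheapest = [c for c in usable if c.cost == lowest]
        # 3. Equal cost: stay on the connector already in use (no failback),
        #    otherwise pick at random.
        current = self.in_use.get(domain)
        chosen = current if current in cheapest else self.rng.choice(cheapest)
        self.in_use[domain] = chosen
        # 4. Random choice among the bridgeheads that are up (load balancing).
        live = sorted(s for s, up in chosen.bridgeheads.items() if up)
        return chosen, self.rng.choice(live)


def failover_trace(cost_a, cost_b, seed=0):
    """Names of the connector used before a failure, during it, and after recovery."""
    a = Connector("SMTP-A", "*", cost_a, ["BH-A"])
    b = Connector("SMTP-B", "*", cost_b, ["BH-B"])
    router = Router([a, b], seed)
    first, bridgehead = router.select("example.com")
    first.bridgeheads[bridgehead] = False      # the bridgehead in use goes down
    during = router.select("example.com")[0]
    first.bridgeheads[bridgehead] = True       # and comes back
    after = router.select("example.com")[0]
    return first.name, during.name, after.name


if __name__ == "__main__":
    print("different cost:", failover_trace(1, 2))
    print("same cost:     ", failover_trace(1, 1))
```

With different costs the trace returns to the cheaper connector after recovery; with equal costs it stays on the connector it failed over to.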

Suppressing Link State Traffic for Connectors


Exchange 2003 suppresses link state traffic when connections are oscillating, or when no alternate route exists to a leaf-node routing group. These improvements reduce the amount of traffic that is generated by link state. Additionally, if you use the default option of Any local server can send over this connector for a routing group connector, this connector state is always marked as up. Using this option effectively suppresses any link state traffic that is generated by changes in this connector's state. However, this option is not possible for SMTP connectors or X.400 connectors.

In environments with extremely low bandwidth and high latency, some companies choose to suppress link state traffic between routing groups. You can suppress link state traffic on individual servers for all connectors by changing a registry key value. When you suppress link state traffic on a server, the server ignores any link state changes on any connectors for which it is a bridgehead server. Link state information for connectors on other servers is still updated, and organizational link state information is still propagated across all servers in the organization; however, the server with link state traffic suppressed does not send any information about its connectors.

Suppress link state traffic on a server if the following conditions exist:

You have a connector whose status is not important to other servers in the rest of the Exchange organization (for instance, a connector that is used exclusively by a routing group or a small number of servers to send mail to the Internet).

If you have network problems that cause a connector to oscillate between an available and an unavailable state. Remember, in Exchange 2003, an oscillating connection is a connector that changes state twice (up and down) within one link state interval, which is 10 minutes by default. If a connector is marked as unavailable after the link state interval, and then it becomes available after another window, link state traffic is generated. Also, if your Exchange organization contains Exchange 2000 servers, these servers do not have the link state improvements that are provided by Exchange 2003, and they will generate traffic for oscillating links.

The following table lists the advantages and disadvantages of suppressing link state traffic.

Advantages and disadvantages of suppressing link state traffic

Advantages

Suppression of link state traffic is relatively simple to configure and can be applied to individual servers for isolated conditions.

Suppressing link state traffic on a server can decrease network traffic that is caused by frequent changes. A reduction in network traffic is particularly advantageous in situations where network bandwidth is very limited. The actual gain from reduced traffic depends on the size of the Exchange organization and the frequency of link state changes that are replicated.

Disadvantages

You cannot create redundant paths or alternate connectors on a server where link state traffic is suppressed. Link state changes on the primary connector are never detected; therefore, messages are not rerouted to an alternate connector because routing assumes that the primary connector is available.

Suppressing link state traffic on a single server does not completely eliminate link state traffic between routing groups.

Note: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

It is important to understand that changing this registry key does not stop the propagation of the link state table across servers. It suppresses only the link state traffic that is caused by a connector state change. For detailed instructions, see How to Suppress Link State Information on a Server.

How to Create a Routing Group


By default, Microsoft® Exchange Server functions as though all servers are in a single routing group. Based on your administrative requirements, your network topology, and the reasons that are discussed in Configuring a Routing Topology, you can group servers into routing groups to enable Exchange Server to maximize message flow efficiency.

By default, all servers in a native-mode Exchange Server organization are placed in a single routing group, called First Routing Group, and these servers communicate directly with one another. In a mixed-mode environment (where some servers are running Exchange Server version 5.5 or earlier), each Exchange Server 5.5 site becomes a routing group.

Note: For more information about the difference between routing groups in mixed and native mode, see "Using Routing Groups in Native and Mixed Modes" in Understanding Routing Components.

After installation, you can create additional routing groups in your Exchange organization. When you install additional Exchange servers into an existing organization, you can then designate the appropriate routing groups for these servers. After installation, you can also move servers between routing groups.

When you create a routing group, two containers appear beneath the routing group:

Connectors: Displays any connectors that are installed on the servers within the routing group. This list includes any connectors to third-party mail systems, such as the Lotus Notes or Novell GroupWise connector, as well as any routing group connectors, X.400 connectors, and SMTP connectors that you configure.

Members: Displays the servers within this routing group. By default, the routing group master is the first server that is added to a routing group.

Note: Before you can create routing groups, you must configure your Exchange organization to display routing groups. In Exchange System Manager, right-click your Exchange organization, click Properties, and then select the Display routing groups check box.

Before You Begin


The following permissions are required to perform this procedure:

Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level.

Procedure

To create a routing group

1. In Exchange System Manager, right-click Routing Groups, point to New, and then select Routing Group.
2. On the General tab, in the Name box, enter a name for the routing group, and then click OK.

General tab for routing group

Deployment Scenarios for Internet Connectivity


Now that you have configured internal mail flow, you are probably interested in learning how you can connect to the Internet so that your users can send and receive Internet mail. This section presents both some common and custom deployment scenarios for Internet connectivity.

Common deployment scenarios describe typical configurations that are used by companies to connect to the Internet, including using Microsoft® Exchange in its default configuration, using a dual-homed server, using an Exchange bridgehead server behind a firewall, and using a Microsoft Windows® relay server.

Custom deployment scenarios include topologies that meet special requirements, such as using a network service provider, configuring cross-forest mail collaboration, and sharing Simple Mail Transfer Protocol (SMTP) mail domains or supporting two SMTP mail domains. Exchange Server 2003 introduces a new tool, Address Rewrite, that can be used to rewrite outgoing e-mail addresses from a subsidiary company. As a result, during a merger or acquisition, all users display the same e-mail address.

Regardless of what scenario applies most to your organization, consider the following tips as you contemplate your own implementation:

If your organization contains multiple servers, you should include gateway bridgehead servers when planning your deployment.

Firewalls offer the most security for Internet connectivity.

SMTP connectors offer a convenient and manageable way to route outgoing Internet mail.

The default SMTP virtual server in its default configuration is sufficient for most scenarios. If you use multiple SMTP virtual servers on a single Exchange server, be careful when you configure them. By default, multiple virtual servers cannot communicate with one another. For proper mail flow, you need to configure them appropriately so that mail can be routed between them. Additionally, each SMTP virtual server must be configured with a unique Internet Protocol (IP) address and port combination. Generally, all SMTP virtual servers require port 25 so you must assign unique IP addresses to them.

Note: Some companies configure multiple virtual servers on a bridgehead server, with one network interface card (NIC) accepting inbound Internet mail and another NIC routing outbound Internet mail. For more information about this configuration, see Using a Dual-Homed Exchange Server as an Internet Gateway.

Common Deployment Scenarios


This section presents some common deployment scenarios for Internet connectivity. The scenarios are presented in order of complexity, starting with the simplest configuration (a single Exchange server in its default configuration). The following table summarizes each of these common scenarios.

Summaries of common deployment scenarios for Internet connectivity

Topology: Single Exchange server in its default configuration
Best for: Small business with a small user base
Advantages: Using the default configuration requires no additional configuration after you install Exchange.
Considerations: This topology does not offer the more robust protection of a firewall. Your Exchange server is exposed on the Internet.

Topology: Dual-homed Exchange server
Best for: Small business with a small user base
Advantages: Offers a secure configuration when behind a firewall.
Considerations: This topology should be used in conjunction with a firewall. Otherwise, your Exchange server is still exposed on the Internet. Consider using Internet Protocol security (IPSec) policies to filter ports on the Internet NIC.

Topology: Using an Exchange bridgehead server behind a firewall
Best for: Any size company
Advantages: Using a dedicated bridgehead server for Internet mail isolates Internet traffic. A firewall protects your intranet.
Considerations: Normally, a bridgehead server is deployed in larger companies. Because the server does not host mailboxes, it may be underutilized in smaller companies.

Topology: Using an Exchange bridgehead server to send mail to a relay server on a perimeter network
Best for: Medium to large companies with multiserver environments
Advantages: Offers the same advantages as an Exchange bridgehead server behind a firewall, but adds an extra layer of security by isolating your SMTP server from the Internet. An SMTP relay server, rather than an Exchange server handling Internet mail, is in an isolated network. Your user information is secured on your Exchange server behind a firewall.
Considerations: This topology involves more configuration and set up than the scenarios listed above.

Note: For small companies that want a full-featured network solution that provides a unified setup for e-mail, group scheduling, fax, and database, as well as a shared Internet connectivity for an environment of up to fifty computers, Microsoft Windows Small Business Server 2003 may be an appropriate solution. For more information about Small Business Server, see the Small Business Server Web site.

Using a Single Exchange Server in Its Default Configuration


This scenario describes how Exchange delivers Internet mail in its default configuration.

Basic Configuration
In this scenario, you need the following:

A persistent connection to the Internet.

A Domain Name System (DNS) server that can resolve external domain names, and a DNS server on the Internet with a mail exchanger (MX) record that points to your Exchange server.

A recipient policy that is configured with the SMTP mail domain for which you want the Exchange server to receive mail.

Inbound Internet Mail


When using a single Exchange server in its default configuration, incoming Internet mail flows into the Exchange server in the following manner:

1. The remote SMTP server queries DNS to resolve the MX record for your mail domain and to obtain the IP address of your Exchange server.
2. The remote SMTP server then connects to your Exchange server on port 25, which your default SMTP virtual server accepts.
3. Your default SMTP server verifies that the domain on the incoming message matches an SMTP domain in its recipient policies.
4. Your default SMTP server then accepts the message and delivers it to the recipient.

Outbound Internet Mail


When using a single Exchange server in its default configuration, outgoing Internet mail flows out of the Exchange server in the following manner:

1. An internal user sends a message with an external user as a recipient.
2. From its recipient policy information, the default SMTP virtual server determines that the message is destined for a remote domain.
3. Because the internal user is authenticated, the default SMTP virtual server accepts the message for outbound delivery. Remember, the default SMTP virtual server allows relaying for authenticated users only.
4. The default SMTP virtual server queries DNS to resolve the MX record of the remote mail server to the IP address of this server.
5. The default SMTP virtual server connects to the remote SMTP server on port 25 and initiates delivery.

Using a Dual-Homed Exchange Server as an Internet Gateway


This scenario describes a supported configuration of a dual-homed Exchange server that acts as a gateway server for the Exchange organization. This server can handle mail individually, or it can act as a bridgehead server for other servers in the organization. For security purposes, you should use this configuration behind a firewall.

Basic Configuration
The basic configuration consists of a mail gateway that is configured with two network interfaces; this gateway acts as the single connection point between your intranet and the Internet. The following lists provide general configuration requirements for the two virtual servers and the SMTP connector:

Note: If you configure two virtual servers on a single Exchange server, be sure to use a unique combination of IP addresses and ports. Do not configure either virtual server to use the default value of all available IP addresses.

Virtual server 1

Configure virtual server 1 as the bridgehead server for the SMTP connector.
Configure virtual server 1 to use external DNS servers, through the external DNS server list.
Bind virtual server 1 to an intranet IP address on port 25.
Enter the local company domain (for example, contoso.com).

Virtual server 2

Configure virtual server 2 so that it does not relay mail (this is the default configuration). For more information about default relay restrictions, see How to Verify Relay Restrictions on an SMTP Virtual Server.
Configure virtual server 2 to allow anonymous access (this is the default configuration). For more information about allowing anonymous access, see How to Allow Anonymous Access on Your Outbound SMTP Virtual Server.
Bind virtual server 2 to an Internet IP address on port 25.
Select the local company domain (for example, contoso.com).

SMTP connector

Configure the SMTP connector to use DNS to route to each address space on the connector.
Home the SMTP connector to virtual server 1 by specifying it as the bridgehead server.
Create an address space of * (asterisk) or an equivalent.
Use two network interface cards (NICs): an internal NIC and an external NIC.
Verify that there is no IP routing configuration between the two networks on your server. (This is the default configuration.)

For more information about how to configure an SMTP connector, see How to Create an SMTP Connector.

Inbound Internet Mail


Messages flow into an Exchange organization in the following manner:

1. Messages that originate from the Internet use the Internet IP address to send mail to recipients in the local domain.
2. Virtual server 2 monitors this Internet IP address for mail and receives all incoming Internet messages. Because virtual server 2 is not configured to relay mail, it rejects mail that is not directed to the company's domain (for example, contoso.com).
3. When virtual server 2 receives a message from the Internet that is intended for a host inside the local domain, it contacts the Microsoft Active Directory® directory service through the internal NIC to determine where to send the message. Therefore, messages that are received by virtual server 2 are sent directly to the internal host or to another bridgehead server for delivery to another routing group.

Note: Although virtual server 2 monitors an external IP address for incoming mail, it uses whatever IP address is appropriate for routing messages, based on the entries in the routing table. Virtual server 2 uses only internal DNS services for name resolution. Virtual server 2 is not configured with an external list of DNS servers, so it does not resolve external addresses. It rejects all messages with addresses to a domain other than the company's domain (in this case, contoso.com).

Outbound Internet Mail


Mail flows out of an Exchange organization in the following manner:

1. A user sends a message to an external recipient.
2. Because this message is outbound, it uses the SMTP connector that is homed on virtual server 1.
3. When virtual server 1 receives a message for a remote domain, it uses the list of external DNS servers to find the IP address of the message recipient, and then uses the external NIC to deliver the external mail. (Generally, external Internet IP addresses are not available on an internal DNS server.)

Important: Although virtual server 1 is configured to monitor the intranet IP address, it uses the Internet NIC for external mail.

The following figure illustrates the flow of mail through a dual-homed server.

Internet mail flow through a dual-homed Exchange gateway server

Using Internet Mail Wizard to Configure a Dual-Homed Exchange Server


You can use Internet Mail Wizard to configure a dual-homed Exchange server. The wizard guides you through the necessary configuration and automatically creates a connector on your outbound SMTP virtual server. Use the How to Start Internet Mail Wizard procedure to configure a dual-homed Exchange server with two SMTP virtual servers to send and receive Internet mail. After you run Internet Mail Wizard, the Exchange server will send and receive all Internet mail according to the configuration you specify in the wizard.

Note: You cannot use Internet Mail Wizard if you have already configured an SMTP connector or created an additional SMTP virtual server on your Exchange server. You must revert to the default configuration before you can run Internet Mail Wizard.

The wizard creates an additional SMTP virtual server on your Exchange server. It configures Internet mail delivery in the following ways:

To configure a server to send Internet mail, the wizard guides you through the process of assigning the intranet IP address to the default SMTP virtual server on which it creates the SMTP connector to send outbound mail. You assign the intranet IP address to this virtual server so that only internal users on your intranet can send outbound mail.

To configure a server to receive Internet mail, the wizard guides you through the process of assigning the Internet IP address to the Internet SMTP virtual server. You assign an Internet IP address to this virtual server because external servers need to be able to connect to this SMTP virtual server to send Internet mail to your company. Additionally, you must have an MX record on your Internet DNS server that references this server.

Internet Mail Wizard also performs the necessary checks on your Internet SMTP virtual server to ensure it is configured correctly. It verifies the following:

Your Internet SMTP virtual server accepts anonymous connections.
Your Internet SMTP does not permit relaying.

For more information about Internet Mail Wizard, see Using Internet Mail Wizard to Configure Internet Mail Delivery.

Security Considerations
To increase the security of a dual-homed gateway server configuration, consider the following recommendations:

Use Internet Protocol security (IPSec) policies to filter ports on the Internet NIC. For more information about IPSec policies, see the Microsoft Windows 2000 or Windows Server 2003 online documentation.

Strictly limit the users that you allow to log on to the server. One simple way to do this is to leave the server running without a keyboard, mouse, or monitor and to use Terminal Services to manage the server. Then, you allow only administrators to have Terminal server access.

Using a dual-homed Exchange server as a gateway server in this configuration allows a company to limit its exposure by minimizing the entry points from the Internet to its intranet. By preventing the virtual server on the Internet from relaying messages to other Internet hosts, you ensure that the virtual server routes only mail that is addressed to valid internal recipients. Because virtual server 1 uses an external list of DNS servers to route only outbound Internet mail (not for internal mail), external DNS server issues won't affect internal mail traffic. By separating your incoming Internet mail, internal mail, and outgoing Internet mail processes, the points of failure for any of the three processes remain distinct and more manageable.

Using a Bridgehead Server Behind a Firewall


Generally, if your organization contains multiple Exchange servers, you should use a bridgehead server to provide Internet connectivity to a routing group or an Exchange organization. The following figure illustrates this topology.

Figure: Providing Internet connectivity to a routing group

If you use a bridgehead server, it is not necessary for every Exchange server to have Internet connectivity. This configuration enhances security because only the bridgehead server is exposed to the Internet.

Important: Because gateway servers usually have different security requirements than internal computers, you must examine your gateway servers carefully for security risks.

Basic Configuration
The basic configuration consists of an Exchange bridgehead server that is connected to the Internet and has the appropriate DNS configuration. An SMTP connector is installed on the bridgehead server and provides outgoing message delivery over the Internet. Furthermore, to protect the internal network, a firewall filters incoming Internet traffic and routes mail from the internal and external IP addresses.


The following lists provide general configuration requirements for the DNS servers, the Exchange bridgehead server, the Exchange member servers, and the firewall:

DNS servers

Exchange relies on the existing DNS servers in its organization. Specifically, Exchange uses internal DNS to route internal messages and relies on the internal DNS server to forward and resolve external addresses through an external DNS server. To configure DNS in this way, ensure that the following conditions are met:
- For the bridgehead server to be identified as the domain's mail server, the organization's external DNS server must contain an MX record for that bridgehead server. This DNS configuration allows inbound mail to be directed to the bridgehead server.
- The organization's internal DNS server must have a forwarder to its external DNS server.
- The Exchange server should point to the internal DNS server.

For more information about how to configure DNS in this way, see Verifying DNS Design and Configuration.

Exchange bridgehead server

The Exchange bridgehead server has an Internet connection through the firewall on port 25. The default SMTP virtual server is configured to send and receive Internet mail with the following default settings:
- An IP address of port 25, the standard SMTP port.
- Configured to allow anonymous access. You must allow anonymous access to your SMTP virtual server on your Exchange bridgehead server because Internet SMTP servers that send mail to this domain will not expect to authenticate.
- Configured to not relay mail.

The SMTP connector that is hosted by the SMTP virtual server is configured with an address space of * (asterisk) to force all outgoing mail to use the bridgehead server.

Exchange member servers

These servers do not have a direct connection to the Internet. These servers use the default settings on the SMTP virtual server.

Firewall

The firewall is configured in accordance with your organizational guidelines and vendor specifications.


Note: A complete discussion about firewall configuration is outside the scope of this guide. There are many ways you can configure a firewall to work with an SMTP relay server. You can allow either the firewall or the SMTP relay server to perform network address translation between internal and external addresses. For the purposes of this guide, mail flow through the firewall is treated as if it is transparent.

Inbound Internet Mail

Mail flows into an Exchange organization in the following manner:
1. The remote SMTP server queries DNS to resolve the MX record for your mail domain and to obtain the IP address of your Exchange server.
2. The remote SMTP server connects through the firewall to the SMTP virtual server on port 25.
3. The SMTP virtual server accepts the incoming message and then routes the mail to either the Exchange server that hosts the user's mailbox or to a bridgehead server to deliver the message to another routing group.

Outbound Internet Mail

Mail flows out of an Exchange organization in the following manner:
1. An internal user sends a message to a recipient in an external domain.
2. The internal user's Exchange server sends mail to the SMTP connector on the bridgehead. Because the connector is configured with an address space of * (which denotes all external domains), each Exchange server in the routing group sends external e-mail messages through the SMTP connector on the bridgehead server.
3. The SMTP connector uses DNS to resolve the IP address of the recipient's e-mail server and to route the mail directly to the recipient's SMTP server.

Using a Windows SMTP Relay Server in a Perimeter Network


Many organizations use a stand-alone Windows 2000 or Windows Server 2003 SMTP server in a perimeter network as a mail relay server for incoming and outgoing Internet mail. In this configuration, your Exchange organization is in an internal domain behind the firewall and the SMTP server is in a separate domain in a perimeter network. Internal Exchange bridgehead servers route outgoing mail through a connector to the SMTP relay server, which assumes responsibility for DNS resolution and mail delivery. Similarly, you can configure the SMTP relay server to accept incoming Internet mail and route it internally. The following figure illustrates this topology.

Figure: Windows Server 2003 relay server in a perimeter network

Advantages to using an SMTP relay server in a perimeter network include:
- Limited Internet exposure: The internal network protects your Exchange servers that contain your user information and other configuration data.
- Additional security: You can install virus-scanning software to scan incoming mail before it reaches your internal network.

Basic Configuration
The basic configuration consists of the following:

Windows Server 2003 SMTP relay server

The SMTP relay server is configured with a default public domain. It is also configured to relay messages for only SMTP mail domains within the Exchange organization; it does not relay messages to other domains. For detailed steps that describe how to configure the SMTP relay server, see "To configure a Windows Server 2003 server as a relay server or smart host" later in this section.

DNS Server

Your external DNS server is configured with an MX record that points to the IP address of your SMTP relay server's domain. All Exchange servers point to your internal DNS server.

Exchange bridgehead server

The Exchange bridgehead server is connected to the Internet through the firewall on port 25.

SMTP virtual server

The SMTP virtual server is configured to send and receive Internet mail with the following default settings:
- IP address of port 25 (the standard SMTP port).
- Allow anonymous access. You must allow anonymous access to your SMTP virtual server on your Exchange bridgehead because Internet SMTP servers that send mail to this domain will not expect to authenticate.
- Does not relay mail.

SMTP connector

- The SMTP virtual server hosts the connector.
- The connector is configured with an address space of * (asterisk) to force all outgoing mail to use the Exchange bridgehead server.
- The connector is configured to use the SMTP relay server as a smart host to relay mail.
- All other settings remain at their default values.

Other Exchange member servers

Member servers do not have a direct connection to the Internet. All member servers use the default SMTP virtual server with its default settings.

Firewall

The firewall is configured according to your organizational guidelines and vendor specifications.

Note: A complete discussion about firewall configuration is outside the scope of this guide. There are many ways that you can configure a firewall to work with an SMTP relay server. You can allow either the firewall or the SMTP relay server to perform network address translation (between internal and external addresses). For the purposes of this guide, mail flow through the firewall is treated as if it were transparent.

For detailed instructions, see How to Configure a Windows Server 2003 Server as a Relay Server or Smart Host. For more information about how to configure a Windows server as a relay server or smart host, see Microsoft Knowledge Base article 293800, "XCON: How to Set Up Windows 2000 as a SMTP Relay Server or Smart Host."


Inbound Internet Mail

When using a relay server in a perimeter network, inbound Internet mail flows into the Exchange organization in the following manner:
1. Incoming Internet mail flows through port 25 on the firewall.
2. Mail is then sent to port 25 of the SMTP relay server in the perimeter network.
3. The SMTP relay server routes the mail back through the firewall to the Exchange bridgehead server.
4. The Exchange bridgehead server uses SMTP and internal routing to deliver mail to the Exchange server that hosts the user's mailbox.

Outbound Internet Mail

When using a relay server in a perimeter network, outbound Internet mail flows out of the Exchange organization in the following manner:
1. An internal user submits a message to a remote user.
2. The Exchange server on which the user's mailbox resides forwards mail to the SMTP connector on the Exchange bridgehead server.
3. The SMTP connector relays the mail through the firewall to the SMTP relay server in the perimeter network.
4. The SMTP relay server uses DNS to find the MX record and IP address of the remote user's SMTP server.
5. The SMTP relay server sends mail back through the firewall to port 25 of the remote user's SMTP server.

Custom Deployment Scenarios


This section presents two custom deployment scenarios, including overviews of the general configuration requirements for each one.
- Using a network service provider to send and receive mail. This scenario explains how to configure your Exchange server to use a dial-up connection for Internet mail delivery.
- Supporting two SMTP domains and sharing an SMTP domain. This scenario addresses issues that are common in a merger or acquisition. In the early stages of an acquisition, you may need to support two existing SMTP mail domains; in the later stages, it is common to share a single SMTP mail domain between two mail systems. This section explains how to configure Exchange in both situations. Additionally, it explains how to use a new tool, called Address Rewrite, to rewrite outgoing e-mail addresses for users on a subsidiary company's mail system.

Using a Network Service Provider to Send and Receive Mail


If your Exchange server uses a dial-up connection to send and retrieve Internet mail, you must have a dial-up account to your network service provider. Furthermore, you must configure the Windows 2000 or Windows Server 2003 Routing and Remote Access Service (RRAS) to dial and authenticate with the network service provider on demand. For more information about configuring RRAS, see the Microsoft Windows 2000 or Windows Server 2003 Help.

If you want to use a network service provider's SMTP server as a smart host (also known as a relay server) to deliver outbound e-mail messages, you can verify addresses on outgoing mail when you send it. Mail can be sent on demand, or you can set up a specific delivery schedule. To configure these settings, use the Delivery options tab in the SMTP connector's properties.

To retrieve e-mail messages from the smart host, on the Advanced tab of the SMTP connector's properties, click Request ETRN/TURN when sending messages. As mentioned earlier, ETRN is an ESMTP command that is sent by an SMTP server to request that another server send any e-mail messages it has. TURN is an SMTP command that allows the client and server to switch roles and send mail in the reverse direction without having to establish a new connection. This ability to switch during an SMTP session is useful because you can send mail and then issue the TURN command to receive mail without having to re-establish a new connection. Additional times can be specified for retrieval purposes only.

If you want to send e-mail messages directly to remote domains without using the network service provider's e-mail server as a smart host, you can configure the SMTP connector to use DNS to send mail. However, you can still retrieve mail from your network service provider. To retrieve mail from your network service provider, select Request ETRN/TURN from different server on the Advanced tab of the SMTP connector's properties. If you configure the SMTP connector in this way, you are required to set up a schedule for retrieval.


Supporting Two SMTP Mail Domains and Sharing an SMTP Mail Domain with Another System
Special situations (mergers and acquisitions, in particular) necessitate the support of two namespaces and the sharing of a namespace with another system. To help explain such a situation, consider the merger of two fictitious companies: Contoso, Ltd. and Fourth Coffee. Contoso (contoso.com) acquires Fourth Coffee (fourthcoffee.com). The process of consolidating domain namespaces is as follows:
1. Contoso configures its Exchange organization to accept mail for the non-local domain of fourthcoffee.com. For more information about accepting mail for multiple domains, see "Supporting Two SMTP Mail Domains" later in this topic.
2. Both systems eventually share the SMTP mail domain contoso.com.
3. Finally, the users are migrated to a single Exchange organization, and the old organization or system is removed.

Supporting Two SMTP Mail Domains

Supporting two SMTP mail domains is common during the initial phase of a merger or acquisition. As an example of how one Exchange organization can support two SMTP mail domains, consider the same merger scenario involving Contoso and Fourth Coffee. In the initial phases of the acquisition, Contoso continues to use its local SMTP mail domain of contoso.com. However, to allow Fourth Coffee employees to receive e-mail messages with their original address, Contoso must also accept mail for the non-local mail domain of fourthcoffee.com. The following figure illustrates how both the domains of fourthcoffee.com and contoso.com are supported.

Figure: Supporting two SMTP mail domains

To accept mail for the non-local domain of the newly acquired company, Fourth Coffee, an administrator at Contoso creates an SMTP connector to fourthcoffee.com. This connector is configured with an address space of the SMTP domain that is used by Fourth Coffee (fourthcoffee.com) and configured to relay messages to this domain. To do this, the administrator opens the SMTP connector's properties, clicks the Address space tab, and then selects the Allow messages to be relayed to this domain check box.

Important: You must configure this connector on each bridgehead server that accepts incoming Internet e-mail for the fourthcoffee.com domain.

Additionally, for the mail domain (fourthcoffee.com) that the administrator wants to accept mail, he ensures that an MX record exists on the Internet DNS server. This MX record should point to the IP address of the gateway server that accepts inbound mail. For more information about DNS, see "DNS" in Transport Dependencies for Exchange Server 2003.
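The acceptance rule described above (no relay for anonymous Internet senders, except to a domain whose connector has the relay check box selected) can be modeled as follows. This is an added example, not code from the guide or from Exchange; the class, function names, reply wording and sample configuration are hypothetical, and address-space matching is simplified to "*" or an exact domain.

```python
from typing import NamedTuple


class Connector(NamedTuple):
    name: str
    address_space: str         # "fourthcoffee.com", or "*" for all external domains
    allow_relay: bool = False  # "Allow messages to be relayed to this domain" check box


def covers(address_space, domain):
    """Simplified match: '*' covers every domain, anything else must match exactly."""
    return address_space == "*" or address_space.lower() == domain.lower()


def rcpt_decision(rcpt, local_domains, connectors):
    """Answer RCPT TO for an anonymous Internet session on the gateway (illustrative replies)."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in {d.lower() for d in local_domains}:
        return "250 accepted: domain is on a recipient policy"
    for c in connectors:
        if c.allow_relay and covers(c.address_space, domain):
            return "250 accepted: relay allowed by connector '%s'" % c.name
    return "550 5.7.1 Unable to relay"


def open_relay_connectors(connectors):
    """Connectors whose settings would let anonymous senders relay to any domain."""
    return [c.name for c in connectors if c.allow_relay and c.address_space == "*"]


# Constructed sample configuration for the Contoso gateway (not from the guide).
LOCAL_DOMAINS = {"contoso.com"}
CONNECTORS = [
    Connector("Internet outbound", "*"),  # outbound routing only, relay box cleared
    Connector("To Fourth Coffee", "fourthcoffee.com", allow_relay=True),
]

if __name__ == "__main__":
    for rcpt in ("kim@contoso.com", "ann@fourthcoffee.com", "someone@example.org"):
        print(rcpt, "->", rcpt_decision(rcpt, LOCAL_DOMAINS, CONNECTORS))
    # Removing the Fourth Coffee connector makes the gateway refuse that domain again.
    print(rcpt_decision("ann@fourthcoffee.com", LOCAL_DOMAINS, CONNECTORS[:1]))
    print("open-relay connectors:", open_relay_connectors(CONNECTORS))
```

Running `open_relay_connectors` over an exported connector list is a quick review step: any connector that pairs the `*` address space with the relay check box accepts anonymous mail for every domain.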

Using Address Rewrite as an Interim Solution


With Exchange 2003, you can use a new tool called Address Rewrite as an interim step in a merger or acquisition scenario. This tool rewrites e-mail addresses on outgoing messages that are sent to Exchange and destined to external or Internet addresses. (Address Rewrite is similar to the Exchange 5.5 feature, ReRouteViaStore.) In a merger or acquisition, you can rewrite all outgoing Internet mail with a single SMTP mail domain of the parent and continue to support both the SMTP domains of the parent company and the acquired company until you are ready to migrate all users to your Exchange system.

Using the example of the acquisition of Fourth Coffee by Contoso, assume that as an interim solution in this acquisition, you want all users of Fourth Coffee to begin using the SMTP mail domain of contoso.com. Because these users have not yet been migrated to your Exchange system, you can use Address Rewrite to rewrite all outgoing e-mail messages that are sent from users on the Fourth Coffee system with the e-mail address of contoso.com. However, you also want to continue to accept e-mail messages that are sent to the users with the old e-mail address of fourthcoffee.com.

To rewrite outgoing addresses and continue to support both SMTP domains, perform the following steps:
1. Use Address Rewrite to rewrite all outgoing e-mail addresses that are sent from Fourth Coffee users.
2. Create contacts in Active Directory for all users on the Fourth Coffee mail system with a target address of fourthcoffee.com and a primary SMTP address of contoso.com.
3. Create an SMTP connector with an address space of fourthcoffee.com.

Step 1: Use Address Rewrite to Rewrite E-Mail Addresses

After you configure the mail system that is used by Fourth Coffee Company to route outgoing Internet mail using SMTP through your Exchange server, you then need to enable Address Rewrite on the SMTP virtual servers in your Exchange organization that are responsible for accepting mail from the subsidiary company's mail system. In this example, you enable address rewrite on all SMTP virtual servers that accept mail from the subsidiary company, Fourth Coffee. The following conditions must exist for Address Rewrite to work properly:
- The message is externally submitted SMTP mail that is sent to the Exchange bridgehead server.
- E-mail messages are destined to the Internet.

Internal mail or mail sent from other Exchange servers in your organization to the bridgehead server where address rewrite is enabled bypasses address rewrite. There is one exception: mail submitted using Outlook Express or any other SMTP client undergoes an address rewrite on this bridgehead server. Remember that the intent of this tool is to rewrite addresses only for mail coming from the subsidiary company (externally SMTP submitted) into your company's e-mail servers and then destined to the Internet.

You can download the Address Rewrite tool (exarcfg) from the Microsoft website at http://go.microsoft.com/fwlink/?LinkId=25097. After you download the tool, use the following procedure to enable address rewrite on the appropriate SMTP virtual servers.

Important: Address rewrite must be enabled on the bridgehead SMTP virtual servers that receive mail from the subsidiary company's mail system. Address rewrite will not occur if the message is first submitted to an SMTP virtual server without address rewrite enabled.

For detailed instructions, see How to Enable Address Rewrite by Using the Exarcfg Tool.

Step 2: Create Contacts in Active Directory for Fourth Coffee Users

In Active Directory Users and Computers, you must create a contact for each user on the Fourth Coffee company mail system. Each contact must have a target address of fourthcoffee.com and a primary SMTP address of contoso.com. The target address appears on the Exchange General tab of a contact's properties. You set the primary SMTP address on the E-mail Address tab of a contact's properties.

You can use an automated process to add these contacts to Active Directory, or you can perform the steps manually. The How to Create a Contact in Active Directory procedure shows how to create a contact in Active Directory manually by using the target address of the non-Microsoft mail system, which is Fourth Coffee in this example, and a primary SMTP address that is used by your Exchange organization, which is Contoso in this example.

Step 3: Create an SMTP Connector with an Address Space of fourthcoffee.com

To accept mail for Fourth Coffee Company users, an administrator at Contoso creates an SMTP connector to fourthcoffee.com and specifies each SMTP virtual server that accepts incoming Internet mail as a local bridgehead server for the connector. This connector is configured with an address space of the SMTP domain that is used by Fourth Coffee (fourthcoffee.com) and is configured to relay messages to this domain. To do this, the administrator opens the SMTP connector's properties, clicks the Address space tab, and then selects the Allow messages to be relayed to this domain check box.

Note: For performance reasons, it is recommended that you do not use the same SMTP virtual server to both receive mail from the subsidiary company and accept incoming Internet mail. You should designate separate SMTP virtual servers on separate Exchange servers for each function.

The following figure illustrates the topology that is used by Contoso and Fourth Coffee. Note that one Exchange server accepts outgoing mail from Fourth Coffee, and a separate server routes incoming mail to Fourth Coffee users. The SMTP virtual server that accepts mail from Fourth Coffee can also function as an outbound gateway server, but this is not a requirement. This SMTP virtual server can either route Internet mail that is received from Fourth Coffee users directly to the Internet, or it can route this mail to the appropriate gateway server.

Figure: Topology with address rewrite enabled

Sharing an SMTP Mail Domain with Another System

Sharing an SMTP mail domain between an Exchange 2003 organization and another e-mail system or another Exchange 2003 organization is common during the final stages of a merger or acquisition. To continue with the previous scenario, assume that Contoso is in the final stages of consolidating its systems with those of the newly acquired company, Fourth Coffee. Mailboxes in both the Exchange 2003 organization (which contains all of the employees of Contoso) and the other system (which contains all of the employees of Fourth Coffee) now use the same SMTP domain of contoso.com in their addresses.

Ideally, the best way to share an SMTP mail domain is to allow Exchange to accept incoming mail from the Internet, locate a matching recipient in the Exchange organization, and then forward the mail to the users on the other mail system. The following figure illustrates a shared domain with another system.

Figure: Sharing an SMTP domain

If Exchange functions as the first mail server, there are two methods you can use to configure Exchange to share an SMTP address space.

Method 1: Sharing Selected Namespaces

In Method 1, the mail systems share only selected SMTP address spaces; Exchange remains authoritative over the others. This is the preferred method because it is the most flexible. Also, you must use this method or use the Address Rewrite tool described previously if any of the following conditions exist in your environment:
- You create contacts in Active Directory for sending mail to external recipients.
- The target SMTP addresses of those external recipients match any of the SMTP domains that are configured in Exchange 2003 recipient policies. For example, if the address @contoso.com is configured on one of your recipient policies, and you want to create contacts with a target address of @contoso.com, you must use this method to share the @contoso.com SMTP mail domain.

Method 2: Share All Address Spaces

Although Method 2 is less flexible, it is easier to configure in small environments. However, you cannot use this method if contacts exist in Active Directory for the external recipients on the other mail system. For more information about using contacts in a shared SMTP domain, see Microsoft Knowledge Base article 319759, "XADM: How to Configure Exchange 2000 Server to Forward Messages to a Foreign Messaging System That Shares the Same SMTP Domain Name Space."


Method 1: Sharing Selected Namespaces

Method 1 offers excellent flexibility because you can create contacts in Active Directory and more easily migrate users to a single system. This method uses two basic principles:
- An SMTP connector is created with an address space of the remote domain, fourthcoffee.com. The connector allows messages to be relayed to this domain. Allowing relay to the remote domain permits Exchange to accept inbound messages for this domain.
  Important: You must configure this connector on each bridgehead server that accepts incoming Internet e-mail for the fourthcoffee.com domain.
- Exchange is nonauthoritative over the domain. If Exchange is authoritative over a domain, it assumes that all the addresses in the domain exist in its organization. Therefore, if messages cannot be resolved locally, Exchange never attempts to send the messages through an external connector. By configuring Exchange to be nonauthoritative for the domain, if the user cannot be found locally, Exchange routes the message through the connector to the remote system.
  Note: In this case, because this SMTP mail domain is nonauthoritative, it is irrelevant that Exchange accepts messages that are inbound for domains that it is authoritative over. The connector configuration ensures that the Exchange organization accepts mail for this domain; this is because the connector is configured with an SMTP address space of the remote domain and allows relaying to this domain.

Exchange accepts only inbound e-mail for the shared SMTP domain because the connector to the remote e-mail system allows messages to be relayed to this address space. Because Exchange is nonauthoritative for the shared mail domain, if you remove the connector, Exchange stops accepting inbound mail for this SMTP domain. Therefore, if you remove the connector, remember to change the recipient policy and make Exchange authoritative for this SMTP mail domain.

There are three main steps to using Method 1 (each step is detailed further in the sections following):
1. Determine if Exchange is authoritative over the SMTP mail domain you want to share.
2. Configure the recipient policy for the SMTP mail domain that you want to share. How you do this depends on whether the SMTP mail domain exists on the default recipient policy, on another recipient policy, or if it does not yet exist on a recipient policy.
3. Create an SMTP connector to route mail to the other mail system or host.


Step 1: Determine if Exchange is Authoritative Over the SMTP Mail Domain You Want to Share
Before you configure your recipient policy for the SMTP mail domain that you want to share, you must determine if Exchange is authoritative over the domain. Remember, depending on whether Exchange 2003 is authoritative or nonauthoritative, Exchange handles e-mail messages differently for particular SMTP addresses. Because Exchange does not forward messages that it cannot resolve locally for an authoritative domain, you must ensure that Exchange is not authoritative over the SMTP mail domain you want to share. For detailed instructions, see How to View the Setting that Determines Whether Exchange Server is Authoritative.

Step 2: Configure the Recipient Policy for the SMTP Mail Domain You Want to Share
When configuring the recipient policy for the SMTP mail domain that you want to share, there are three possible scenarios you may encounter:
- Scenario 1: The SMTP mail domain that you want to share exists on the default recipient policy.
- Scenario 2: The SMTP mail domain that you want to share exists on another recipient policy.
- Scenario 3: The SMTP mail domain that you want to share does not exist on a recipient policy.

Scenario 1: Configuring a Shared SMTP Domain that Exists on the Default Recipient Policy

You cannot set Exchange to be nonauthoritative over the default recipient policy's primary SMTP address space. To prevent Exchange from being authoritative over this domain, you need to change the default recipient policy by adding a new primary address space that is strictly for internal use. This address could be similar to @localhost, signifying that it is used solely for internal mail flow within your Exchange organization. After you add the new address space, you must make the shared address space nonauthoritative.

To configure Exchange to share a mail domain that exists as the primary address space on the default recipient policy, you must perform the following tasks:
1. On the default recipient policy, add a new primary address space over which Exchange is authoritative, and then make the shared address space nonauthoritative.
2. Create a second recipient policy that has the same search filter as the default recipient policy. Then, assign the second recipient policy a higher priority than the default recipient policy so the reply-to or return address is displayed as the shared address space.

This step is necessary because Exchange uses the primary address space as the reply-to address that is displayed in outgoing mail. Because you want outgoing messages to display the shared namespace on the reply-to line, you must create another recipient policy that is also nonauthoritative but has a higher priority; therefore, Exchange uses this address space on the return address of outgoing mail. Because the new recipient policy is not the default recipient policy, you can make this address space nonauthoritative.

Perform the How to Modify the Default Recipient Policy procedure to create a new primary address space on the default recipient policy and make the shared address space nonauthoritative.

Changing the default recipient policy in this way causes Exchange to use the new primary address as the return or reply-to address in outgoing e-mail messages. In the example above, all users in this policy now have a return e-mail address that matches the new primary address space of @localhost. Because you want all your users to have the return address of the shared mail domain (in this case, contoso.com), you must create a new recipient policy with a higher priority recipient policy that contains the contoso.com address space. Exchange uses the higher priority recipient policy on the return address. Furthermore, because this recipient policy is not the default recipient policy, you can make it nonauthoritative. (Remember, this address space must be nonauthoritative for Exchange to route it through the connector to the external system.)

Perform the How to Create a Higher Priority Recipient with the Shared Mail Domain procedure to create a higher priority recipient policy so that outgoing e-mail messages display the correct return (reply-to) address.

Scenario 2: The SMTP Domain You Want to Share Exists on Another Recipient Policy

If the SMTP domain that you want to share is not on the default recipient policy, you can make the address space nonauthoritative. For detailed instructions, see How to Modify an Existing Recipient Policy for the SMTP Domain that You Want to Share.

Scenario 3: The SMTP Domain You Want to Share Does Not Exist on a Recipient Policy

If the SMTP domain that you want to share does not exist on a recipient policy, you can create a new recipient policy with the address space and make it nonauthoritative. For detailed instructions, see How to Create a New Recipient Policy for an SMTP Mail Domain that Does Not Exist on a Recipient Policy.

Step 3: Create an SMTP Connector to Route Mail to the Other Mail System
Now that Exchange 2003 is nonauthoritative for the shared SMTP domain, when Exchange 2003 cannot find a matching address in Active Directory, it attempts to locate an external path to this domain. To find this path, Exchange first searches for a connector and then checks Domain Name System (DNS). Unless the mail exchanger (MX) record for that domain already points to the server on which the other mail system resides (in many cases the MX record points to the Exchange 2003 server itself), you must create an SMTP connector to route the mail to a specific host.

Important: You must configure this connector on each bridgehead server that accepts incoming Internet e-mail for the fourthcoffee.com domain.

For detailed instructions, see How to Create an SMTP Connector to Route Mail to a Specific Host.

After you configure these settings, when Exchange 2003 cannot locate a local address match in that SMTP domain, Exchange forwards the mail to the host that has the matching address space, as specified on the SMTP connector.

Method 2: Sharing All Address Spaces

This method involves sharing all address spaces or SMTP mail domains. Although this configuration is easier to implement, it is much less flexible than Method 1. In this configuration, Exchange 2003 is authoritative for all address spaces. You cannot have any contacts in your directory that have a target address matching a domain over which Exchange 2003 is authoritative. For detailed instructions, see How to Share All Address Spaces in Your Exchange Organization.

Remember, this setting affects only authoritative domains. Therefore, in an authoritative domain, any message sent to an unresolved address is forwarded to the server that is specified on the SMTP virtual server. Any nonauthoritative domain in Exchange 2003 is not affected by this setting. Any message that is sent to an unresolved address in a nonauthoritative domain is routed to a matching SMTP connector, if present. If no matching SMTP connector is located, the message is sent to the server that is specified in the MX record found in DNS.

Supporting Additional Mail Systems

As described in the preceding scenarios, the other mail system that receives mail forwarded by Exchange may perform the same tasks as Exchange and forward mail to a third e-mail system. To avoid mail looping, it is essential that the last e-mail system (to which mail is forwarded) is authoritative for the domain. In other words, the final receiving mail system must search for a matching recipient; if the system does not find a matching recipient, it generates a non-delivery report (NDR) for the message. Mail looping occurs when the receiving system searches for a match in its recipients and then forwards the mail back to the original system when a match is not found.

If Exchange is the last system in this configuration, by default, it will return an NDR for any unresolved messages. However, it is preferable to create custom recipients in Active Directory for all recipients that reside on a different mail system. These recipients should have target addresses similar to @subdomain.contoso.com, where subdomain provides additional address information to distinguish the address space from the typical @example.com namespace; for example, @sales.contoso.com.
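The routing rules from the preceding sections (local match first, then NDR or Method 2 forwarding for an authoritative domain, otherwise connector and then MX record) and the mail-loop condition can be traced with a small model. This is an added example, not code from the guide or from Exchange; the MailSystem class, its fields, the system names "exchange" and "other", and the sample addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MailSystem:
    """Hypothetical model of one mail system sharing an SMTP address space."""
    name: str
    recipients: set                                   # addresses delivered locally
    authoritative: set = field(default_factory=set)   # domains it is authoritative for
    connectors: dict = field(default_factory=dict)    # SMTP connector: domain -> smart host
    unresolved_host: Optional[str] = None             # Method 2: forward unresolved recipients


def next_hop(system, address, mx):
    """Decide what one system does with a message: deliver, ndr, or forward."""
    address = address.lower()
    domain = address.rsplit("@", 1)[1]
    if address in system.recipients:
        return "deliver", system.name
    if domain in system.authoritative:
        # The Method 2 setting affects only authoritative domains.
        if system.unresolved_host:
            return "forward", system.unresolved_host
        return "ndr", system.name
    # Nonauthoritative domain: a matching connector first, then the MX record.
    if domain in system.connectors:
        return "forward", system.connectors[domain]
    if domain in mx:
        return "forward", mx[domain]
    return "ndr", system.name


def trace(systems, start, address, mx):
    """Follow a message hop by hop and report delivery, NDR, or a mail loop."""
    path, current = [], start
    while True:
        if current in path:
            return "loop", path + [current]
        path.append(current)
        if current not in systems:
            return "external", path        # host outside the modeled systems
        action, target = next_hop(systems[current], address, mx)
        if action != "forward":
            return action, path
        current = target


def demo_systems(other_is_authoritative=True):
    """Constructed two-system setup for the shared domain contoso.com."""
    exchange = MailSystem("exchange", {"kim@contoso.com"},
                          connectors={"contoso.com": "other"})
    other = MailSystem("other", {"ted@contoso.com"})
    if other_is_authoritative:
        other.authoritative.add("contoso.com")          # last system answers with an NDR
    else:
        other.connectors["contoso.com"] = "exchange"    # forwards back: loop
    return {"exchange": exchange, "other": other}


# Constructed DNS data: the MX record points at the Exchange server itself.
MX = {"contoso.com": "exchange"}

if __name__ == "__main__":
    for label, systems in (("authoritative last hop", demo_systems(True)),
                           ("nonauthoritative last hop", demo_systems(False))):
        for rcpt in ("ted@contoso.com", "nobody@contoso.com"):
            print(label, rcpt, trace(systems, "exchange", rcpt, MX))
```

Removing the connector from the "exchange" system in this model makes the message follow the MX record back to the same server, which is the case the guide covers by requiring an SMTP connector.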

How to Enable Address Rewrite by Using the Exarcfg Tool

Address rewrite must be enabled on the bridgehead SMTP virtual servers that receive mail from the subsidiary company's mail system. Address rewrite will not occur if the message is first submitted to an SMTP virtual server without address rewrite enabled.

Before You Begin

You can download the Address Rewrite tool (exarcfg) from the Downloads for Exchange Server 2003 Web site. After you download the tool, use the following procedure to enable address rewrite on the appropriate SMTP virtual servers.

Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity.

The following permissions are required to perform this procedure: Member of the local administrators group

Procedure
To enable address rewrite by using the exarcfg tool
1. Download exarcfg to the directory of your choice.
2. Open a command prompt.
3. Navigate to the directory in which you installed exarcfg.
4. Type the following command:
   exarcfg -e -s server -v: SMTP virtual server instance number
   where server is the fully qualified domain name (FQDN) of the Exchange server on which you want to enable address rewrite. SMTP virtual server instance number is the number representing the SMTP virtual server instance. If you do not specify the -v option, the command defaults to the first virtual server instance, typically the default SMTP virtual server.

How to Create a Contact in Active Directory

Each user in your Exchange mail system must be a contact in Microsoft® Active Directory® directory service.

Before You Begin

Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity.

The following permissions are required to perform this procedure: Member of the local administrators group

Procedure
To create a contact in Active Directory
1. Open Active Directory.
2. Navigate to the folder where you want to create your contacts, right-click the folder, point to New, and then click Contact.
3. On the New Object page, complete the name information, and click Next.
4. On the next page, verify that the Create an Exchange e-mail address check box is selected.
5. In E-mail address, click Modify.
6. In New E-mail Address, select the e-mail address type for the target address. In this example, select SMTP Address, and then click OK.
7. In Internet Address Properties, type the e-mail address that is used by the newly acquired company. In this example, type <user>@fourthcoffee.com, and then click OK.
8. Complete the wizard to create a contact with the proper target address.
9. Right-click the contact, and click Properties.
10. Click the E-mail Addresses tab, and select the SMTP address of the parent company, in this case, user1@northwindtraders.com. Click Set As Primary.

Figure: E-mail Addresses tab in User Properties dialog box

How to View the Setting that Determines Whether Exchange Server is Authoritative
Before you configure your recipient policy for the SMTP mail domain that you want to share, you must determine if Exchange Server is authoritative over the domain.

Before You Begin

Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity.

The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure
To view the setting that determines whether Exchange is authoritative
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Recipients, and then click Recipient Policies.
3. In the details pane, right-click a recipient policy, and then click Properties.
4. Click the E-Mail Addresses (Policy) tab, select an SMTP address, and then click Edit. The SMTP Address Properties dialog box appears.

   Figure: The SMTP Address Properties dialog box for an authoritative domain

5. If the This Exchange Organization is responsible for all mail delivery to this address check box is selected, Exchange is authoritative for the address. If the check box is cleared, Exchange is not authoritative for the address.
6. For more information about authoritative and nonauthoritative SMTP domains in Exchange, see Microsoft Knowledge Base article 315591, "XCON: Authoritative and Non-Authoritative Domains in Exchange 2000."

How to Modify the Default Recipient Policy

You cannot set Microsoft® Exchange Server to be nonauthoritative over the default recipient policy's primary SMTP address space. To prevent Exchange Server from being authoritative over this domain, you must change the default recipient policy by adding a new primary address space that is strictly for internal use. This address could be similar to @localhost, signifying that it is used solely for internal mail flow within your Exchange Server organization.

Before You Begin

Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity.

The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure
To modify the default recipient policy
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Recipients, and then click Recipient Policies.
3. In the details pane, right-click your default recipient policy, and then click Properties.
4. Click the E-Mail Addresses (Policy) tab, and then click New.
5. In New E-mail Address, click SMTP Address, and then click OK.
6. In SMTP Address Properties, in the Address box, type @localhost or some other address space for which the Exchange organization can be authoritative. You can use @localhost or your Active Directory domain if it is different from your Internet domain. This address space is strictly for internal use.
7. Verify that the This Exchange Organization is responsible for all mail delivery to this address check box is selected, and then click OK.
8. On the E-mail Addresses (Policy) tab, click the new SMTP address you just created, and then click Set as Primary.
9. Click the SMTP address space that you want to share (for example, contoso.com), and then click Edit.
10. To make Exchange nonauthoritative for this SMTP address, clear the This Exchange Organization is responsible for all mail delivery to this address check box, and then click Apply.
11. A message appears asking if you want to update all corresponding recipient e-mail addresses. Click Yes.
12. On the E-mail Addresses (Policy) tab, click OK.

How to Create a Higher Priority Recipient with the Shared Mail Domain
Because all of your users should have the return address of the shared mail domain (for example, contoso.com), you must create a new recipient policy with a higher priority that contains the contoso.com address space. Exchange Server uses the higher priority recipient policy on the return address.

Before You Begin

Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity.

The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure
To create a higher priority recipient policy with the shared mail domain
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Recipients, right-click Recipient Policies, point to New, and then click Recipient Policy.
3. In New Policy, select the E-Mail Addresses check box, and then click OK.
4. On the General tab, in the Name box, type an appropriate name, such as "User Addresses."
5. Under Filter rules, click Modify.
6. In Find Exchange Recipients, select or clear the appropriate check boxes to specify all applicable users. If you want to apply the policy to all users, click OK.
7. On the E-mail Addresses (Policy) tab, click the SMTP mail domain that you want to share, and then click Set as Primary (leaving the @local domain as a secondary proxy), and then click Apply.
8. A message appears asking if you want to update all corresponding recipient e-mail addresses. Click Yes.
9. On the E-mail Addresses (Policy) tab, click OK.

How to Modify an Existing Recipient Policy for the SMTP Domain that You Want to Share
If the SMTP domain that you want to share is not on the default recipient policy, you can make the address space nonauthoritative.

Before You Begin

Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity.

The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure
To modify an existing recipient policy for the SMTP domain that you want to share
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Recipients, and then click Recipient Policies.
3. In the details pane, right-click the recipient policy that has the SMTP address space you want to share, and then click Properties.
4. On the E-mail Addresses (Policy) tab, click the SMTP address space, and then click Set as Primary.
5. Click the SMTP address space that you want to share, and then click Edit.
6. To make Exchange nonauthoritative for this SMTP address, clear the This Exchange Organization is responsible for all mail delivery to this address check box, and then click Apply.
7. A message appears asking if you want to update all corresponding recipient e-mail addresses. Click Yes.
8. On the E-mail Addresses (Policy) tab, click OK.

How to Create a New Recipient Policy for an SMTP Mail Domain that Does Not Exist on a Recipient Policy
If an SMTP domain that you want to share does not exist on a recipient policy, you can create a new recipient policy with the address space and make it non-authoritative.

Before You Begin

Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity.

The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure
To create a new recipient policy for an SMTP mail domain that does not exist on a recipient policy
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Recipients, right-click Recipient Policies, point to New, and then click Recipient Policy.
3. In New Policy, select the E-Mail Addresses check box, and then click OK.
4. On the General tab, in the Name box, type a name for your new policy.
5. On the E-Mail Addresses (Policy) tab, click the SMTP address space, and then click New.
6. In New E-mail Address, click SMTP Address, and then click OK.
7. In SMTP Address Properties, in the Address box, type the SMTP address space that you want to share.
8. To make Exchange nonauthoritative for this SMTP address, clear the This Exchange Organization is responsible for all mail delivery to this address check box.
9. In SMTP Address Properties, click OK.
10. On the E-mail Addresses (Policy) tab, click OK.

How to Create an SMTP Connector to Route Mail to a Specific Host

When Microsoft® Exchange Server cannot find a matching address in Active Directory® directory service, it attempts to locate an external path to this domain. To find this path, Exchange Server first searches for a connector and then checks the Domain Name System (DNS). Unless the mail exchanger (MX) record for that domain already points to the server on which the other mail system resides, you must create an SMTP connector to route the mail to a specific host.

Before You Begin

Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity.

The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure
To create an SMTP connector to route mail to a specific host
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, right-click Connectors, point to New, and then click SMTP Connector.
3. On the General tab, type an appropriate name, and then click Forward all mail through this connector to the following smart hosts. In square brackets ([ ]), type the fully qualified domain name (FQDN) or the IP address of the server to which e-mail messages for the shared SMTP address space are to be routed.
4. Click Add to configure your bridgehead servers, and then select your Exchange gateway servers that accept Internet mail for this domain.
5. Click the Address Space tab, click Add, click SMTP, and then click OK.
6. In E-mail domain, type the SMTP address space without the "at" symbol (@), for example, fourthcoffee.com, and then click OK.

   Note: It is important to enter the specific SMTP mail domain. Do not type * (asterisk) on the SMTP connector. Setting * causes Exchange Server to accept mail for all external domains and then relay it externally. This configuration allows open relaying for anyone on the Internet and is extremely insecure.

7. Because Exchange Server 2003 must also receive messages for this domain, on the Address Space tab, click Allow messages to be relayed to these domains, and then click OK. This setting makes it possible for all SMTP virtual servers that are listed under Local Bridgeheads to accept messages for this domain.

How to Share All Address Spaces in Your Exchange Organization

Use this procedure to share all address spaces in your Exchange organization.

Before You Begin

Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity.

The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure
To share all address spaces in your Exchange organization
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand <Server Name>, expand Protocols, and then expand SMTP.
3. Right-click your SMTP virtual server, and then click Properties.
4. In the SMTP virtual server's Properties, click the Messages tab.
5. In the Forward all messages with unresolved recipients to host box, type the IP address, in square brackets ([ ]), or the FQDN of the server that will receive unresolved mail, and then click OK.
6. Repeat this procedure for the default SMTP virtual server on all Exchange 2003 servers, except for any virtual server that is acting as an inbound gateway for the other system. It is recommended that no mailboxes reside on this server.

Configuring Cross-Forest SMTP Mail Collaboration

To prevent spoofing (that is, forging identities), Exchange 2003 requires authentication before a sender's name is resolved to its display name in the global address list (GAL). Therefore, in an organization that spans two forests, a user who sends mail from one forest to another forest is not authenticated. Furthermore, the user's name is not resolved to a display name in the GAL, even if the user exists as a contact in the destination forest.

To enable cross-forest mail collaboration in Exchange 2003, additional configuration steps are required to resolve contacts outside your organization to their display names in Active Directory. You have two options to enable the resolution of these contacts:

Option 1 (recommended): Use authentication so that users who send mail from one forest to another are authenticated users, and their names are resolved to their display names in the GAL.

Option 2: Restrict access to the SMTP virtual server that is used for cross-forest collaboration, and then configure Exchange to resolve anonymous e-mail. This configuration is supported, but it is not recommended. By default, in this configuration, the Exch50 message properties, which are the extended properties of a message, are not persisted when mail is sent from one forest to another.

To understand the benefits of configuring cross-forest mail collaboration, consider the following scenarios of anonymous mail submission and cross-forest authenticated mail submission.

Scenario: Anonymous Mail Submission
E-mail addresses are not resolved if the submission is anonymous. Therefore, when an anonymous user who attempts to spoof (forge) an internal user's identity sends mail, the return address does not resolve to its display name in the global address list (GAL).

For example, Kim Akers is a legitimate internal user at Contoso, Ltd. Her display name in the GAL is Kim Akers, and her e-mail address is kim@contoso.com. To send mail, Kim must be authenticated. Because she is authenticated, the intended recipients of Kim's mail see that the sender is Kim Akers. In addition, the properties of Kim Akers are displayed as her GAL entry. However, if Ted Bremer attempts to forge Kim's address by using kim@contoso.com in the From line and then sending the mail to the Exchange 2003 server at Contoso, the e-mail address is not resolved to Kim's display name because Ted did not authenticate. Therefore, when this e-mail message is displayed in Microsoft Office Outlook®, the sender address appears as kim@contoso.com; it does not resolve to Kim Akers, as authenticated mail from Kim does.

Scenario: Cross-Forest Mail Delivery
Consider a company that spans two forests: the Adatum forest and the Fabrikam forest. Both these forests are single domain forests using the domains of adatum.com and fabrikam.com, respectively. To allow cross-forest mail collaboration, all users in the Adatum forest are represented as contacts in the Fabrikam forest's Active Directory. Likewise, all users in the Fabrikam forest are represented as contacts in Adatum forest's Active Directory.

If a user in the Adatum forest sends mail to the Fabrikam forest, and the mail is submitted over an anonymous connection, the sender's address is not resolved, despite the fact that the sender exists as a contact in the Active Directory and in the Outlook GAL. This is because a user in the Adatum forest is not an authenticated user in the Fabrikam forest.

For example, Ted Bremer is a mail user in the Adatum forest; his e-mail address is ted@adatum.com, and his Outlook GAL display name is Ted Bremer. Adam Barr is a user in the Fabrikam forest; his e-mail address is adam@fabrikam.com, and his Outlook GAL display name is Adam Barr. Because Adam is represented as an Active Directory contact in the Adatum forest, Ted can view Adam's e-mail address and resolve it to the display name of Adam Barr in the Outlook GAL. When Adam receives mail from Ted, Ted's address is not resolved; instead of seeing Ted's display name as it appears in the GAL, Adam sees his unresolved e-mail address of ted@adatum.com. Because Ted sent mail as an anonymous user, his e-mail address did not resolve. Although Ted is authenticated when sending mail, the connection between the two forests is not authenticated.

To ensure that senders in one forest can send mail to recipients in other forests and to ensure that their e-mail addresses resolve to their display names in the GAL, you should enable cross-forest mail collaboration. The following sections explain the two options that are available for configuring mail collaboration between two forests.

Enabling Cross-Forest Authentication

To enable cross-forest SMTP authentication, you must create connectors in each forest that use an authenticated account from the other forest. By doing this, any mail that is sent between the two forests by an authenticated user resolves to the appropriate display name in the GAL. This section explains how to enable cross-forest authentication.

Using the example of the Adatum forest and the Fabrikam forest (see "Scenario: Cross-Forest Mail Delivery" earlier in this topic), perform the following steps to set up cross-forest authentication:
1. Create an account in the Fabrikam forest that has Send As permissions. (For all users in the Adatum forest, a contact exists in the Fabrikam forest as well; therefore, this account allows Adatum users to send authenticated mail.) Configure these permissions on all Exchange servers that will accept incoming mail from Adatum.
2. On an Exchange server in the Adatum forest, create a connector that requires authentication using this account to send outbound mail.

Similarly, to set up cross-forest authentication from the Fabrikam forest to the Adatum forest, repeat these steps, creating the account in Adatum and the connector in Fabrikam.

Step 1: Creating a User Account in the Destination Forest with Send As Permissions
Before you set up your connector in the connecting forest, you must create an account in the destination forest (the forest to which you are connecting) that has Send As permissions. Configure these permissions on all servers in the destination forest that will accept inbound connections from the connecting forest. The How to Create the Account Used for Cross-Forest Authentication procedure shows you how to set up an account in the Fabrikam forest, and the How to Configure a Connector and Require Authentication for Cross-Forest Authentication procedure shows you how to configure a connector in the Adatum forest, thereby allowing users in the Adatum forest to send mail to the Fabrikam forest with resolved e-mail addresses.

Step 2: Creating a Connector in the Connecting Forest

After creating the account with the proper permissions in the destination forest, create a connector in the connecting forest and require authentication using the account you just created. In the How to Configure a Connector and Require Authentication for Cross-Forest Authentication procedure, assume that you are creating a connector on an Exchange server in the Adatum forest that connects to the Fabrikam forest.

Enabling Cross-Forest Collaboration by Resolving Anonymous Mail

Another way you can configure Exchange to resolve contacts outside your organization to their display names in Active Directory is to configure Exchange to resolve anonymous e-mail. Assume that your company spans two forests, from the Adatum forest to the Fabrikam forest.

Important: Configuring Exchange servers to resolve anonymous mail submissions allows unscrupulous users to submit messages with a falsified return address. Recipients are unable to differentiate between authentic mail and spoofed mail. To minimize this possibility, ensure that you restrict access to the SMTP virtual server to the IP addresses of your Exchange servers.

Perform the steps below to resolve contacts for Adatum users to their display names in the Fabrikam forest. Each of these steps is explained in detail in the following sections:
1. Create a connector in the Adatum forest that connects to the Fabrikam forest.
2. On the receiving bridgehead server in the Fabrikam forest, restrict access to the SMTP virtual server by IP address. By doing this, you can ensure that only servers from the Adatum forest can send mail to this server.
3. On the SMTP virtual server that hosts the connector, enable the Resolve anonymous e-mail setting.
4. Change a registry key to ensure that the extended message properties (Exch50 properties) are persisted across the forests. Otherwise, you can lose important message information.

After you complete these steps, all users who send mail from the Adatum forest to the Fabrikam forest will resolve to their display names in the Fabrikam global address list (GAL). In a production environment, you would then repeat this process to configure the resolution of Fabrikam contacts in the Adatum forest.

Step 1: Creating a Connector in the Connecting Forest

First you must create a connector in the connecting forest. For detailed instructions, see "How to Create a Connector in a Connecting Forest" in What's New in Exchange Server 2003.

After you create the connector, Exchange Server will route all mail destined to fabrikam.com (the Fabrikam forest) through this connector.

Step 2: Restricting IP Addresses on the Receiving Bridgehead Server

After you create the connector in the Adatum forest (the connecting forest) you must restrict access to the receiving bridgehead server. You do this by allowing only the IP address of the connecting servers in the Adatum forest to send mail to the receiving bridgehead server in the Fabrikam forest. For detailed instructions, see How to Restrict Access by IP Address on the Receiving Bridgehead Server.

Step 3: Resolving Anonymous Mail on the SMTP Virtual Server

After you have restricted access to the receiving bridgehead server, you must configure the SMTP virtual server on this bridgehead to resolve anonymous e-mail addresses. For detailed instructions, see How to Configure an SMTP Virtual Server to Resolve Anonymous E-mail Addresses.
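How Steps 2 and 3 interact can be checked with a small model of the receiving SMTP virtual server: who may connect, what sender name the recipient sees, and which combinations of the two settings deserve a review finding. This is an added example, not code from the guide or from Exchange; the VirtualServer class, the function names, the GAL contents, and the IP addresses (documentation ranges) are hypothetical and constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VirtualServer:
    """Hypothetical model of the receiving bridgehead's SMTP virtual server."""
    resolve_anonymous: bool = False               # the Resolve anonymous e-mail setting
    allowed: list = field(default_factory=list)   # IP restriction; empty = anyone may connect


# Constructed GAL of the receiving (Fabrikam) forest, including Adatum contacts.
GAL = {"ted@adatum.com": "Ted Bremer", "adam@fabrikam.com": "Adam Barr"}


def permitted(vs, client_ip):
    """Apply the IP restriction from Step 2."""
    if not vs.allowed:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry) for entry in vs.allowed)


def sender_shown(vs, gal, client_ip, authenticated, from_address):
    """Return the sender as the recipient sees it, or None if the connection is refused."""
    if not permitted(vs, client_ip):
        return None
    if authenticated or vs.resolve_anonymous:
        # Resolved: the display name from the GAL replaces the raw address.
        return gal.get(from_address.lower(), from_address)
    return from_address   # default behavior: anonymous senders stay unresolved


def audit(vs):
    """Flag settings that let forged senders resolve to trusted display names."""
    findings = []
    if vs.resolve_anonymous and not vs.allowed:
        findings.append("resolve-anonymous enabled with no IP restriction")
    for entry in vs.allowed:
        # Assumption of this example: entries should be single server addresses.
        if vs.resolve_anonymous and ipaddress.ip_network(entry).num_addresses > 1:
            findings.append(f"{entry} is a range, not a single server address")
    return findings


if __name__ == "__main__":
    outside, bridgehead = "203.0.113.7", "192.0.2.10"   # constructed addresses
    for label, vs in (("default", VirtualServer()),
                      ("resolve only", VirtualServer(True)),
                      ("resolve + restricted", VirtualServer(True, [bridgehead]))):
        print(label,
              sender_shown(vs, GAL, outside, False, "ted@adatum.com"),
              sender_shown(vs, GAL, bridgehead, False, "ted@adatum.com"),
              audit(vs))
```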

Step 4: Enabling Registry Key to Persist Message Properties Across Forests

As explained earlier, when messages are sent anonymously across forests, the extended message properties on a message are not transmitted. For single companies that implement a cross-forest scenario, these message properties must be transmitted because otherwise information about the message can be lost. For example, the SCL property, an extended Exchange property, contains a spam rating that is generated by third-party solutions. This property is not transmitted when mail is sent anonymously. So, if an anti-spam solution is deployed in the Adatum forest, and a message that is received in this forest is destined to a recipient in the Fabrikam forest, the anti-spam solution stamps the SCL property on the message. However, when the message is delivered to the Fabrikam forest, the extended property that contains the spam rating is not persisted.

To configure Exchange to accept the extended message properties, you can enable a registry key on the receiving bridgehead server or on the SMTP virtual server that resides on the bridgehead. Enabling the registry key on the Exchange server configures all SMTP virtual servers on the Exchange server to accept extended properties.

Configuring the Exchange Server to Accept Extended Message Properties on Anonymous Connections
Perform the How to Enable an Exchange Server to Accept Message Extended Properties that Are Sent Anonymously procedure to configure the Exchange server to accept extended properties on anonymous connections. If your Exchange server functions solely as the bridgehead server for cross-forest communication, you may want to configure this setting at the server level. If you have other SMTP virtual servers on this Exchange server, consider setting this registry key on the SMTP virtual server only.

Note: If you enable this registry key on an Exchange server, the setting applies to all SMTP virtual servers on the Exchange server. If you want to configure a single SMTP virtual server with this setting, enable the registry key on the SMTP virtual server.

Note: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

Configuring an SMTP Virtual Server to Accept Extended Message Properties Sent Anonymously
Perform the How to Enable an SMTP Virtual Server to Accept Message Extended Properties that Are Sent Anonymously procedure to configure the SMTP virtual server on the Exchange server to accept extended properties.

4o5 to Create the Account %sed for CrossE 6orest Authentication


?efore (ou set up a connector in a connectin forest, (ou must create an account in the destination forest ;the forest to $hich (ou are connectin < that has !end As permissions) Confi ure these permissions on all ser"ers in the destination forest that $ill accept inbound connections from the connectin forest)

?efore @ou ?egin


?efore (ou perform the procedure in this topic, read Deplo(ment !cenarios for 4nternet Connecti"it() #he follo$in permissions are reEuired to perform this procedure: Member of the local administrators roup and a member of a roup that has had the Exchan e Administrators role applied at the or aniAational le"el

#2,

!rocedure
To create the account used for crossEforest authentication 1) 4n the destination forest ;in this case, the 6abri%am forest<, create a user account in Acti"e Director( 0sers and Computers) #his account must be an acti"e account, but it does not reEuire the follo$in permissions: lo on locall( and lo on throu h terminal ser"er) 2) /n each Exchan e ser"er that $ill accept incomin connections from the connectin forest, confi ure !end As permissions for this account: Note ?e careful $hen creatin the pass$ord polic() 4f (ou set the pass$ord to expire, ensure that (ou ha"e a polic( in place that chan es the pass$ord before its expiration date) 4f the pass$ord for this account expires, crossD forest authentication fails) ') !tart Exchan e !(stem Mana er: Clic% Start, point to A++ !rogra&s, point to Microsoft Exchange, and then clic% S'ste& Manager) 7) 4n the console tree, expand Servers, ri htDclic% an Exchan e ser"er that accepts incomin connections from the connectin forest, and then clic% !roperties) .) 4n WServer NameX Properties, on the Securit' tab, clic% Add) 6) 4n Se+ect %sers= Co&puters= or Groups, add the account that (ou Fust created, and then clic% "G) 1) /n the Securit' tab, under Group or user na&es, select the account) 2) 0nder !er&issions for connector, next to Send As, select the A++o5 chec% box) A++o5ing the Send As per&ission for a connector


How to Configure a Connector and Require Authentication for Cross-Forest Authentication


When you configure Microsoft® Exchange Server to resolve mail anonymously in a cross-forest scenario, a connector must be created that connects directly to the forest from which you want to receive mail.


Before You Begin


Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity. The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level.

Procedure
To configure a connector and require authentication for cross-forest authentication
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, right-click Connectors, point to New, and then click SMTP Connector.
3. On the General tab, in the Name box, type a name for the connector.
4. Click Forward all mail through this connector to the following smart hosts, and then type the FQDN or IP address of the receiving bridgehead server.
5. Click Add to select a local bridgehead server and SMTP virtual server to host the connector.
Figure: The General tab in an SMTP virtual server Properties dialog box
6. On the Address Space tab, click Add, select SMTP, and then click OK.
7. In Internet Address Space Properties, type the domain of the forest to which you want to connect, and then click OK. In this example, because the connector is sending from the Adatum forest to the Fabrikam forest, the address space matches the domain for the forest, fabrikam.com.
Figure: The Internet Address Space Properties dialog box
Exchange will now route all mail destined to fabrikam.com (the Fabrikam forest) through this connector.
8. On the Advanced tab, click Outbound Security.
9. Click Integrated Windows Authentication.
Figure: The Integrated Windows Authentication button in the Outbound Security dialog box
10. Click Modify.
11. In Outbound Connection Credentials, in the Account, Password, and Confirm password boxes, specify an account and password in the destination forest (in this case, Fabrikam) that has Send As permissions and is an authenticated Fabrikam account. Use the following format for the account name: domain\username, where:
    domain is a domain in the destination forest.
    username represents an account in the destination forest with Send As permissions on all Exchange servers in the destination forest that will accept mail from this connector.
Figure: The Outbound Connection Credentials dialog box
12. Click OK.

How to Restrict Access by IP Address on the Receiving Bridgehead Server


By restricting access to the SMTP virtual server by IP address, you can help make sure that only servers from a specific IP address can send mail to an Exchange bridgehead server.

Before You Begin


Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity. The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level.

Procedure
To restrict access by IP address on the receiving bridgehead server
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand <Bridgehead Server Name>, expand Protocols, and then expand SMTP.
3. Right-click the SMTP virtual server you want, and then click Properties.
4. On the Access tab, click Connection.
5. In Connection, click Only the list below to restrict access to a specified list of IP addresses.
6. Click Add, and then perform one of the following steps: Click Single Computer, and in the IP address box, type the IP address of the connecting Exchange server in the Adatum forest (the connecting forest). Repeat this step for each computer in the Adatum forest.
7. Click Group of computers, and in the Subnet address and Subnet mask boxes, type the subnet address and subnet masks for the group of computers that host connectors to the Fabrikam forest.
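As an added example (not part of the original guide), the following Python sketch models the "Only the list below" grant list from the procedure above, so that a planned list can be checked against the connecting forest's bridgehead addresses before it is entered. The function names are hypothetical, all addresses are constructed documentation-range values, and the /24 breadth threshold is an assumption.

```python
import ipaddress


def build_allow_list(single_computers, computer_groups):
    """Model the grant list as a list of IPv4 networks.

    single_computers: IP address strings ("Single computer" entries).
    computer_groups:  (subnet address, subnet mask) string pairs
                      ("Group of computers" entries).
    """
    networks = [ipaddress.ip_network(ip + "/32") for ip in single_computers]
    for subnet, mask in computer_groups:
        # strict=True raises ValueError when the subnet address has host
        # bits set (for example 198.51.100.5 with mask 255.255.255.0),
        # which is usually a typing mistake in the dialog.
        networks.append(ipaddress.ip_network(f"{subnet}/{mask}", strict=True))
    return networks


def is_permitted(client_ip, allow_list):
    """True if a connection from client_ip matches any entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allow_list)


def audit(expected_senders, allow_list, widest_prefix=24):
    """Return (refused, broad).

    refused: expected sending servers that the list would turn away.
    broad:   entries wider than /widest_prefix (assumed review threshold),
             which admit far more hosts than a handful of bridgeheads.
    """
    refused = [ip for ip in expected_senders
               if not is_permitted(ip, allow_list)]
    broad = [str(net) for net in allow_list if net.prefixlen < widest_prefix]
    return refused, broad


if __name__ == "__main__":
    # Constructed sample: one connecting bridgehead entered as a single
    # computer, plus a /26 entered as subnet address and subnet mask.
    allow = build_allow_list(
        ["192.0.2.10"],
        [("198.51.100.0", "255.255.255.192")],
    )
    senders = ["192.0.2.10", "192.0.2.11", "198.51.100.20"]
    refused, broad = audit(senders, allow)
    print("refused:", refused)   # bridgeheads missing from the list
    print("too broad:", broad)   # entries that deserve a second look
```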

How to Configure an SMTP Virtual Server to Resolve Anonymous E-mail Addresses


One way to configure Exchange Server to resolve contacts from outside your organization to their display names in Active Directory is to configure the SMTP virtual server to resolve anonymous e-mail addresses.

Before You Begin


Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity. The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level.

Procedure
To configure an SMTP virtual server to resolve anonymous e-mail addresses
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand <Bridgehead Server Name>, expand Protocols, and then expand SMTP.
3. Right-click the SMTP virtual server you want, and then click Properties.
4. On the Access tab, click Authentication.
5. In Authentication, ensure that the Anonymous access check box is selected, and then select the Resolve anonymous e-mail check box.

How to Enable an Exchange Server to Accept Message Extended Properties that Are Sent Anonymously
When messages are sent anonymously across forests, the extended message properties on a message are not transmitted. However, many small organizations that implement a cross-forest scenario must transmit message properties because that information could otherwise be lost. For example, the spam confidence level (SCL) property, an extended Exchange Server property, contains a spam rating that is generated by third-party solutions. This property is not transmitted when mail is sent anonymously. If an anti-spam solution is deployed in one forest, and a message that is received in this forest is destined to a recipient in another forest, the anti-spam solution will stamp the SCL property on the message. However, when the message is delivered the extended property will not be persisted. To configure Exchange Server to accept extended message properties, you must enable a registry key on the receiving bridgehead server that resides on the bridgehead. This will allow the Exchange server to accept extended properties anonymously.

Before You Begin


Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity. The following permissions are required to perform this procedure: Member of the local administrators group.


Procedure
To enable an Exchange server to accept message extended properties that are sent anonymously
1. Start Registry Editor: Click Start, click Run, and then type regedit.
2. In the console tree, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50
3. Right-click XEXCH50, point to New, and then click DWORD Value.
4. In the details pane, type Exch50AuthCheckEnabled for the value name. By default, the value data is 0, which indicates that the XEXCH50 properties are transmitted when mail is sent anonymously.

How to Enable an SMTP Virtual Server to Accept Message Extended Properties that Are Sent Anonymously
When messages are sent anonymously across forests, the extended message properties on a message are not transmitted. However, many small organizations that implement a cross-forest scenario must transmit message properties because that information could otherwise be lost. For example, the spam confidence level (SCL) property, an extended Exchange Server property, contains a spam rating that is generated by third-party solutions. This property is not transmitted when mail is sent anonymously. If an anti-spam solution is deployed in one forest, and a message that is received in this forest is destined to a recipient in another forest, the anti-spam solution will stamp the SCL property on the message. However, when the message is delivered the extended property will not be persisted. To configure Exchange Server to accept extended message properties, you must enable a registry key on the receiving bridgehead server or on the SMTP virtual server that resides on the bridgehead. This will allow all SMTP virtual servers to accept extended properties anonymously.


Before You Begin


Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity. The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level.

Procedure
To enable an SMTP virtual server to accept message extended properties that are sent anonymously
1. Start Registry Editor: Click Start, click Run, and then type regedit.
2. In the console tree, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50
3. Right-click XEXCH50, point to New, and then click Key.
4. Type the number of the SMTP virtual server instance as the key value. For example, the default SMTP virtual server instance is 1, whereas the second SMTP virtual server created on a server is 2.
5. Right-click the key that you just created, point to New, and click DWORD Value.
6. In the details pane, type Exch50AuthCheckEnabled for the value name. By default, the value data is 0, which indicates that the XEXCH50 properties are transmitted when mail is sent anonymously.

How to Configure a Windows Server 2003 Server as a Relay Server or Smart Host
When Microsoft® Windows Server™ 2003 is used as an SMTP relay server, it is configured with a default public domain. It is also configured to relay messages for only SMTP mail domains in the Exchange Server organization and does not relay messages to other domains.


Before You Begin


Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity. The following permissions are required to perform this procedure: Member of the local administrators group.

Procedure
To configure a Windows Server 2003 server as a relay server or smart host
1. Verify that SMTP is installed on the Microsoft Windows Server 2003 server. To verify that SMTP is installed:
   a. In Control Panel, double-click Add/Remove Programs, and then click Add/Remove Windows Components.
   b. Under Components, select Internet Information Services (IIS), and then click Details.
   c. Under Subcomponents of Internet Information Services (IIS), verify that the SMTP Service check box is selected. If the check box is not selected, select it, click OK, and then complete the installation instructions.
2. In Internet Services Manager, add the SMTP mail domain for which you want the Windows server to relay. To add the SMTP domain:
   a. Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
   b. Expand the server that you want, and then expand the default SMTP virtual server. By default, the default SMTP virtual server has a local domain with the fully qualified domain name (FQDN) for the server.
   c. To create the inbound SMTP mail domain, right-click Domains, point to New, and then click Domain.
   d. In New SMTP Domain Wizard, click Remote as the domain type, and then click Next.
   e. In Name, type the domain name of your SMTP mail domain for your Exchange organization.
   f. Click Finish.
3. Configure the SMTP mail domain that you just created for relay:
   a. In Internet Services Manager, right-click the SMTP mail domain, and then click Properties.
   b. Click Allow the Incoming mail to be Relayed to this Domain.
   c. Click Forward all e-mail to smart host, and then type the IP address in square brackets ([ ]) or the FQDN of the Exchange server that is responsible for receiving e-mail for the domain. For example, to enter an IP address, type [123.123.123.123].
   d. Click OK.
4. Specify the hosts that you want to openly relay to all domains:
   a. In Internet Services Manager, right-click Default Virtual Server and click Properties.
   b. On the Access tab, click Relay.
   c. Click Only the list below, click Add, and then add the hosts that you want to use the SMTP server to send mail.
   d. Under Single computer, specify the IP address of the Exchange bridgehead server that you want to relay using this SMTP server. Click DNS Lookup to find the IP address of the specific server.

For More Information


For more information about how to configure a Windows server as a relay server or smart host, see Microsoft Knowledge Base article 293800, "XCON: How to Set Up Windows 2000 as a SMTP Relay Server or Smart Host."

Connecting Exchange to the Internet


Now that you have configured internal mail and have learned about various Internet connectivity scenarios, you are ready to connect your Exchange organization to the Internet. This section contains procedural information about how to configure your Microsoft® Exchange Server 2003 organization to send and receive Internet mail. Specifically, you will learn how to:
- Verify that SMTP has been properly installed. Verify that Simple Mail Transfer Protocol (SMTP) is functioning properly on your Exchange server before you connect to the Internet.
- Use a wizard to configure Internet mail delivery. Internet Mail Wizard is intended primarily for small and medium companies with less complex environments than large or enterprise companies.
- Manually configure Internet mail delivery. In large or enterprise environments, you may need to manually configure Internet mail delivery, in accordance with your organization's policies. When manually configuring Internet mail, you must complete a separate set of tasks that are associated with configuring Exchange to send Internet mail and to receive Internet mail.

Using Internet Mail Wizard to Configure Internet Mail Delivery


Exchange Server 2003 implements a new version of Internet Mail Wizard that helps you configure Internet mail connectivity in Exchange Server 2003 or Exchange 2000 Server. By using Internet Mail Wizard, you can configure an Exchange server to send Internet mail, receive Internet mail, or send and receive Internet mail. Furthermore, using Internet Mail Wizard means that you do not have to manually configure the SMTP connector and SMTP virtual server. Internet Mail Wizard automatically creates the necessary SMTP connector for outgoing Internet mail and configures your SMTP virtual server to accept incoming mail. Remember, if your messaging environment is large or complex, you cannot use Internet Mail Wizard. Instead, you must manually configure Exchange for Internet mail delivery. For detailed instructions, see How to Use Internet Mail Wizard.

Configuring a Dual-Homed Server Using the Wizard


When you use Internet Mail Wizard to configure Internet mail delivery on a dual-homed server (a server that is configured with two or more network addresses, usually with two network interface cards), the wizard performs the configuration steps that are described in How to Use Internet Mail Wizard. The wizard also creates an additional SMTP virtual server on the Exchange server. It enables Internet mail delivery on the SMTP virtual server in the following ways:
- To configure a server to send Internet mail, the wizard guides you through the process of assigning the intranet IP address to the default SMTP virtual server on which it creates the SMTP connector to send outbound mail. You assign the intranet IP address to this virtual server so that only internal users on your intranet can send outbound mail.
- To configure a server to receive Internet mail, the wizard guides you through the process of assigning the Internet IP address to the Internet SMTP virtual server. You assign an Internet IP address to this virtual server because external servers need to be able to connect to this SMTP virtual server to send Internet mail. Additionally, you must have an MX record on an Internet DNS server that references your server and the IP address of the Internet SMTP virtual server.
Important: To increase the security on a dual-homed server, use Internet Protocol security (IPSec) policies to filter ports on the Internet network interface card (NIC) and strictly limit the users that you allow to log on to this server. For more information about IPSec, see the Windows documentation.

How to Use Internet Mail Wizard


You can use Internet Mail Wizard to configure Exchange Server to send, receive, or send and receive Internet mail. Remember, if your messaging environment is large or complex, you cannot use Internet Mail Wizard. Instead, you must manually configure Exchange for Internet mail delivery. Exchange Server 2003 implements a new version of Internet Mail Wizard that helps you configure Internet mail connectivity in Exchange Server 2003 or Exchange 2000 Server. Furthermore, using Internet Mail Wizard means that you do not have to manually configure the SMTP connector and SMTP virtual server. Internet Mail Wizard automatically creates the necessary SMTP connector for outgoing Internet mail and configures your SMTP virtual server to accept incoming mail.
Note: If you have already set up SMTP connectors, modified the IP address or port number of your default SMTP server, or created additional SMTP virtual servers on your Exchange server, you cannot run Internet Mail Wizard unless you reset your server configuration to its default state.
Important: Internet Mail Wizard is intended primarily for small and medium size companies with less complex environments than large enterprise companies. If you have a complex or enterprise messaging environment, you should manually configure Exchange for Internet mail delivery. For more information about manual configuration, see "Manually Configuring Your Exchange Server for Internet Mail Delivery" later in this chapter.

Before You Begin


Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level.

Although Internet Mail Wizard automatically configures your SMTP virtual server and SMTP connector for Internet mail delivery, you must complete the tasks that are shown in this table before you run the wizard.

Prerequisites to running the Internet Mail Wizard

Step 1
Task: Verify that SMTP is installed correctly on your Exchange server.
Notes: For more information about verifying that SMTP is installed properly, see How to Load Exchange SMTP Properly.

Step 2
Task: Verify that DNS is correctly configured.
Notes: To send Internet mail, the DNS server that is used by your Exchange server must have the ability to resolve external addresses. To receive Internet mail, you must have a mail exchanger (MX) resource record pointing to the IP address of the SMTP virtual server receiving inbound Internet mail. Additionally, your mail server must be accessible from the Internet so that other DNS servers can resolve the MX record. For more information about verifying that DNS is correctly configured, see "Configuring DNS for Outbound Mail" in Verifying DNS Design and Configuration.


Procedure
To use Internet Mail Wizard
1. In Exchange System Manager, right-click your Exchange organization, and then click Internet Mail Wizard.
Note: To run Internet Mail Wizard, you must use the version of Exchange System Manager that comes with Exchange Server 2003.
2. Follow the instructions in the wizard to perform the configuration tasks that are necessary to configure Internet mail delivery. The configuration tasks are documented in the following tables:
- Using Internet Mail Wizard to configure the sending of mail
- Using Internet Mail Wizard to configure the receiving of mail

Using Internet Mail Wizard to configure the sending of mail

Task: Select an Exchange server within your organization that will send Internet mail.
Notes: You cannot run the wizard on a server on which you have already set up SMTP connectors or created additional SMTP virtual servers. You can only use the wizard to designate Exchange 2000 or later servers.

Task: Designate a bridgehead server.
Notes: This is the Exchange server and the SMTP virtual server on this server. The wizard creates an SMTP connector on the selected SMTP virtual server and Exchange server. The outbound bridgehead server handles all mail that is sent through this connector.

Task: Configure an SMTP connector to send Internet mail.
Notes: Internet Mail Wizard guides you through the process of configuring your SMTP connector. The options that are available to you include the following:
- You can allow Internet mail delivery to all external domains, or you can restrict Internet mail delivery to specific domains.
- You can specify whether the SMTP connector sends outbound mail using DNS to resolve external domain names, or whether it uses a smart host that assumes responsibility for resolving external names and delivering mail.

Task: Verify that your SMTP virtual server is not open for relaying.
Notes: With open relaying, external users can use your server to send unsolicited commercial e-mail, also known as spam, which may result in other legitimate servers blocking mail from your Exchange server. If you prevent your server from relaying, only authenticated users can send mail to the Internet using your server.

Using Internet Mail Wizard to configure the receiving of mail

Task: Select an Exchange server within your organization that will receive Internet mail.
Notes: You cannot run the wizard on a server on which you have already set up SMTP connectors or created additional SMTP virtual servers. You can only use the wizard to designate Exchange 2000 or later servers.

Task: Configure your SMTP server to receive Internet mail.
Notes: To receive incoming Internet e-mail messages, the server must have only one SMTP virtual server, and that virtual server must have a default IP address of All Unassigned and an assigned TCP port of 25. If more than one SMTP virtual server exists on the Exchange server, or if the IP address or the port assignment is different than the default settings, the wizard will not continue. You can then either restore the Exchange server to its default configuration and rerun the wizard, or you can use Exchange System Manager to configure Exchange manually.

Task: Verify that your SMTP virtual server allows anonymous access.
Notes: Other servers on the Internet expect to connect anonymously to your SMTP virtual server. Therefore, anonymous access must be permitted on your SMTP virtual server. If anonymous access is not configured, the wizard guides you through enabling anonymous access.

Task: Configure your recipient policies with the SMTP domains for which you want to receive inbound mail.
Notes: The SMTP domains for which you want to receive Internet mail are configured in Exchange System Manager in Recipient Policies. You must have a recipient policy configured for every SMTP domain for which you want to accept Internet mail, and Exchange must be authoritative for this domain, or have a connector for this domain to which relaying is permitted. If your default recipient policy contains the correct mail domain for your organization, use this policy. If you have created multiple recipient policies in Exchange System Manager, you cannot use the wizard to create additional recipient policies. In this case, if you need to add or modify your recipient policies, you must use Exchange System Manager. For more information about how to configure recipient policies manually, see "Configuring Recipient Policies" in Manually Configuring Your Exchange Server for Internet Mail Delivery. Remember that your DNS servers must be able to resolve all domain names either locally or by using configured forwarders in DNS. If your DNS server is unable to resolve any domain names, Exchange cannot process mail.

How to Load Exchange SMTP Properly


For mail to flow properly, SMTP must be installed correctly on the Exchange server with all of the necessary commands. If you experience mail problems, you should first verify the basic functionality of your SMTP installation. When an Exchange server uses SMTP to communicate, it must have access to port 25. When SMTP is configured correctly, Exchange provides extended SMTP verbs to allow for proper communication. These verbs are controlled in the Internet Information Services (IIS) metabase and in Exchange event sinks.

Before You Begin


Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure: Member of the local administrators group.

To determine whether or not the proper extended Exchange verbs are loaded, you can perform a telnet test. To perform this test, telnet to port 25 of your Exchange server's IP address. For example, type the following text at a command prompt:
telnet <server IP address> 25
where server IP address is the IP address of your Exchange server, and 25 indicates a connection to TCP port 25. The following example shows a telnet command to connect to port 25 on a server with an IP address of 172.16.0.1:
telnet 172.16.0.1 25

Next, type ehlo <server name>, where server name is the fully qualified domain name (FQDN) of your Exchange server. Your Exchange server then responds by listing the SMTP and ESMTP verbs that it supports.

Procedure
To load Exchange SMTP properly
1. Uninstall IIS.
2. Delete the metabase.bin file.
3. Restart the server.
4. Reinstall IIS.
5. If you are running Exchange Server on a Windows 2000 server, reapply the latest Windows 2000 service pack.
6. Reinstall Exchange Server. Reinstalling Exchange Server replaces any missing files and does not affect the settings on the Exchange server.
7. Reapply any Exchange Server service packs and any other Exchange-related program updates (for example, any Exchange updates that are available from the Microsoft Web site).
Note: Subscribe to the Microsoft Security Notification Service to receive notifications automatically about any security-related Exchange updates. You can register for the service at http://go.microsoft.com/fwlink/?LinkId=12322.

Example
Example 1 lists the verbs that you will receive if SMTP is loaded properly. If SMTP is not configured properly, you will see only the verbs that are listed in Example 2.

Example 1 SMTP extended verbs (if Exchange event sinks are loaded properly)

250-mail1.example.com Hello [172.16.0.1]
250-TURN
250-ATRN
250-SIZE 5242880
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM *
250-AUTH GSSAPI NTLM
250-X-EXPS=LOGIN *
250-X-LINK2STATE *
250-XEXCH50 *
250 OK

* These extended verbs should be displayed.

When Exchange SMTP is not loaded properly, or the IIS metabase is corrupt, the extended Exchange verbs do not appear in the server's response. Example 2 lists the verbs that you will receive if Exchange SMTP is not loaded properly.
Note: The verbs that are listed in Example 2 are the same as the verbs you would see if you had never installed Exchange.

Example 2 SMTP extended verbs (if Exchange 2003 event sinks are not loaded)

250-mail1.example.com Hello [172.16.0.1]
250-TURN
250-ATRN
250-SIZE 5242880
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-AUTH GSSAPI NTLM
250 OK

If you receive only the SMTP verbs that are listed in Example 2, the SMTP service for Microsoft Windows® 2000 Server or Windows Server 2003™ is installed, but SMTP in Exchange is not loaded properly. Note that all verbs starting with "X" ("X" = eXtended) are missing. Other incomplete lists can also indicate that Exchange Server is not properly loaded, or that there is a possible corruption of the IIS metabase. Corruption of the IIS metabase can occur for any of the following reasons:
- Reinstalling Exchange Server 2003
- Reinstalling Windows 2000 Server or Windows Server 2003
- Removing or disabling IIS
- Antivirus software scanning the %systemroot%\system32\inetsrv\metabase.bin file
- IIsadmin.exe process stopped unexpectedly (ungraceful shutdowns)
- Unsupported editing of the metabase
- Disk corruption or other hardware failures

If there is corruption to the IIS metabase, you must load Exchange SMTP properly.
Note: If you perform this procedure, any customizations to the IIS services will be lost. This potential loss includes customization that is performed on Microsoft Office Outlook® Web Access or any other IIS services.
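The comparison between Example 1 and Example 2 can be automated. The following Python sketch is an added example, not part of the original guide: it parses a captured EHLO reply and reports whether the verbs the guide marks as Exchange-specific are present. The function names are hypothetical, and the two sample replies are constructed from the listings above with the footnote asterisks removed.

```python
import re

# Verbs the guide marks with "*" in Example 1: they appear only when the
# Exchange event sinks are loaded.
EXCHANGE_VERBS = {"X-EXPS", "X-LINK2STATE", "XEXCH50"}

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample replies, based on Example 1 and Example 2.
_COMMON = [
    "250-mail1.example.com Hello [172.16.0.1]",
    "250-TURN", "250-ATRN", "250-SIZE 5242880", "250-ETRN",
    "250-PIPELINING", "250-DSN", "250-ENHANCEDSTATUSCODES",
    "250-8bitmime", "250-BINARYMIME", "250-CHUNKING", "250-VRFY",
]
LOADED_REPLY = "\r\n".join(_COMMON + [
    "250-X-EXPS GSSAPI NTLM", "250-AUTH GSSAPI NTLM", "250-X-EXPS=LOGIN",
    "250-X-LINK2STATE", "250-XEXCH50", "250 OK",
])
BASE_REPLY = "\r\n".join(_COMMON + ["250-AUTH GSSAPI NTLM", "250 OK"])


def parse_ehlo_reply(text):
    """Parse a multi-line EHLO reply into (greeting, {KEYWORD: [params]}).

    Raises ValueError on a non-250 code, a malformed line, data after the
    final line, or a capture that lacks the final "250 " line.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty reply")
    greeting, verbs, finished = None, {}, False
    for idx, line in enumerate(lines):
        if finished:
            raise ValueError(f"data after final reply line: {line!r}")
        match = _REPLY_LINE.match(line)
        if not match:
            raise ValueError(f"malformed reply line: {line!r}")
        code, sep, rest = match.groups()
        if code != "250":
            raise ValueError(f"EHLO not accepted, reply code {code}")
        finished = (sep == " ")       # "250 " marks the last line
        if idx == 0:
            greeting = rest
            continue
        # "X-EXPS=LOGIN" uses the "KEYWORD=param" form, so split on the
        # first space or "=". The closing "250 OK" is stored as keyword
        # "OK", which is harmless for the comparison below.
        parts = re.split(r"[ =]", rest.strip(), maxsplit=1)
        keyword = parts[0].upper()
        params = parts[1].split() if len(parts) > 1 else []
        # Tolerate the guide's footnote marker if a listing is pasted in.
        params = [p for p in params if p != "*"]
        verbs.setdefault(keyword, []).extend(params)
    if not finished:
        raise ValueError("reply truncated: no final '250 ' line")
    return greeting, verbs


def assess(text):
    """Classify a reply the way Example 1 and Example 2 are contrasted.

    Returns (status, missing): "exchange-sinks-loaded" when every
    Exchange verb is present, "base-smtp-only" when none is (Example 2),
    and "partial" for the other incomplete lists the guide mentions.
    """
    _, verbs = parse_ehlo_reply(text)
    missing = sorted(EXCHANGE_VERBS - set(verbs))
    if not missing:
        return "exchange-sinks-loaded", missing
    if len(missing) == len(EXCHANGE_VERBS):
        return "base-smtp-only", missing
    return "partial", missing


if __name__ == "__main__":
    for name, reply in (("Example 1", LOADED_REPLY), ("Example 2", BASE_REPLY)):
        print(name, assess(reply))
```

A "partial" or "base-smtp-only" result corresponds to the condition for which the guide prescribes the load procedure.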

How to Start Internet Mail Wizard


You can use Internet Mail Wizard to configure a dual-homed Exchange server. The wizard guides you through the necessary configuration and automatically creates a connector on your outbound SMTP virtual server. Use the following procedure to configure a dual-homed Exchange server with two SMTP virtual servers to send and receive Internet mail. After you run Internet Mail Wizard, the Exchange server will send and receive all Internet mail according to the configuration you specify in the wizard.


Note: You cannot use Internet Mail Wizard if you have already configured an SMTP connector or created an additional SMTP virtual server on your Exchange server. You must revert to the default configuration before you can run Internet Mail Wizard.

Before You Begin


Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity. The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level.

Procedure
To start Internet Mail Wizard
1. In Exchange System Manager, right-click your Exchange organization, and then click Internet Mail Wizard.
Note: To run Internet Mail Wizard, you must use the version of Exchange System Manager that comes with Exchange Server 2003.
2. Follow the instructions in the wizard to perform the configuration tasks that are necessary to configure Internet mail delivery.

The wizard creates an additional SMTP virtual server on your Exchange server. It configures Internet mail delivery in the following ways:
- To configure a server to send Internet mail, the wizard guides you through the process of assigning the intranet IP address to the default SMTP virtual server on which it creates the SMTP connector to send outbound mail. You assign the intranet IP address to this virtual server so that only internal users on your intranet can send outbound mail.
- To configure a server to receive Internet mail, the wizard guides you through the process of assigning the Internet IP address to the Internet SMTP virtual server. You assign an Internet IP address to this virtual server because external servers need to be able to connect to this SMTP virtual server to send Internet mail to your company. Additionally, you must have an MX record on your Internet DNS server that references this server.

Internet Mail Wizard also performs the necessary checks on your Internet SMTP virtual server to ensure it is configured correctly. It verifies the following:
- Your Internet SMTP virtual server accepts anonymous connections.
- Your Internet SMTP does not permit relaying.

Manually Configuring Your Exchange Server for Internet Mail Delivery


If your messaging environment is large or complex, you cannot use Internet Mail Wizard to configure Exchange to send and receive Internet mail. Instead, you must manually configure Exchange for Internet mail delivery. The following sections explain:
- Setting up your Exchange Server to receive Internet mail
- Setting up your Exchange server to send Internet mail
- Configuring advanced settings

Setting %p @our Exchange Server to Receive *nternet Mai+


#his section explains ho$ to set up (our Exchan e ser"er to recei"e 4nternet mail) !pecificall(, (ou $ill learn ho$ to: Confi ure recipient policies) Confi ure inbound !M#P "irtual ser"er settin s)

Use the checklist in the following table to ensure that you complete all the configuration steps.

Configuration steps to set up an Exchange server to receive Internet mail

Step 1
Task: Verify SMTP is loaded properly on your Exchange server.
Notes: See "Verifying SMTP Is Installed Properly."

Step 2
Task: Verify that an MX record exists on an Internet DNS server that references your server and the IP address of the SMTP virtual server accepting inbound Internet mail.
Notes: See "Configuring DNS for Outbound Mail" in Verifying DNS Design and Configuration.

Step 3
Task: Verify that your mail server is accessible from the Internet.
Notes: For external DNS servers to resolve your mail server's MX record and contact your mail server, your mail server must be accessible from the Internet. See "Configuring DNS for Outbound Mail" in Verifying DNS Design and Configuration.

Step 4
Task: Verify that no recipient policies match the fully qualified domain name of an Exchange server.
Notes: See "Configuring Recipient Policies."

Step 5
Task: Verify that each domain for which you want to receive inbound Internet mail is listed on a recipient policy and Exchange is authoritative for that domain, or, if nonauthoritative, Exchange has a connector configured for the domain and allows relaying to it.
Notes: See "Configuring Recipient Policies."

Step 6
Task: Verify that your inbound SMTP virtual server uses port 25 and is assigned to the proper IP addresses.
Notes: Other SMTP servers expect to connect to your SMTP virtual server on port 25. See How to Configure the Inbound Port and IP Addresses on the SMTP Virtual Server.

Step 7
Task: Verify that your inbound SMTP virtual server allows anonymous access.
Notes: Other SMTP servers expect to connect anonymously to your SMTP virtual server. See How to Verify that Your SMTP Virtual Server Allows Anonymous Access.

Step 8
Task: Verify that the default relay restrictions are configured on your inbound SMTP virtual server.
Notes: The default restrictions on an SMTP virtual server prevent open relaying. With open relaying, external users can use your server to send spam, which may result in other legitimate servers blocking mail from your Exchange server.

For detailed instructions, see the following topics:
- How to Verify that Recipient Policies Do Not Contain Addresses that Match the FQDN
- How to Verify that Users Can Receive E-mail Messages from Other SMTP Domains
- How to Configure the Necessary SMTP E-mail Addresses for Your Users
- How to Configure the Inbound Port and IP Addresses on the SMTP Virtual Server
- How to Verify that Your SMTP Virtual Server Allows Anonymous Access
- How to Verify Relay Restrictions on an SMTP Virtual Server

How to Configure the Inbound Port and IP Addresses on the SMTP Virtual Server
The inbound port is the port where the SMTP virtual server listens for incoming communications; the IP address is the address to which incoming requests are sent. By default, the default SMTP virtual server uses port 25 and all available IP addresses to listen for incoming requests.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure
To configure the inbound port and IP addresses on the SMTP virtual server
1. Right-click Default SMTP Virtual Server, and then click Properties.
2. In Default SMTP Virtual Server Properties, click the General tab.
The General tab in the Default SMTP Virtual Server Properties dialog box
3. Under Default SMTP Virtual Server, verify the following settings:
IP address  The default setting is (All Unassigned). You should not change this setting unless you want to configure multiple SMTP virtual servers. (This is the IP address that is used for incoming connections.) If you have either multiple network interface cards (NICs) or multiple IP addresses that are assigned to a single NIC for this SMTP virtual server to listen on, and you want to select individual IP addresses, click Advanced, and then specify ports other than the default.
Note Use the Advanced option carefully. Other servers (on the Internet, for example) expect to communicate with your server on the default TCP port 25.

How to Verify that Your SMTP Virtual Server Allows Anonymous Access
As you know, other SMTP servers on the Internet expect your SMTP virtual server to connect to them anonymously. Remember that if you do not permit anonymous access on your gateway servers that accept Internet mail, other SMTP servers on the Internet are unable to send mail to your organization.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange View-Only Administrators role to view configuration, or the Exchange Administrators role to change configuration, applied at the administrative group level

Procedure
To verify that your SMTP virtual server allows anonymous access
1. Right-click your SMTP virtual server, and then click Properties.
2. Click the Access tab, and then click Authentication.
3. In Authentication, verify that the Anonymous access check box is selected.
Authentication dialog box

How to Verify that Recipient Policies Do Not Contain Addresses that Match the FQDN
Exchange Server uses recipient policies to determine which messages should be accepted and internally routed to mailboxes in your organization. Recipient policies that are configured improperly can disrupt message flow for some or all recipients in your messaging system. To ensure that your recipient policies are configured properly, verify the following:
- Verify that recipient policies do not contain an SMTP address that matches the FQDN of any Exchange servers in your organization. For example, if you have @exchangeserver.example.com listed as an SMTP address and as a domain name on any recipient policy, it prevents mail from routing to other servers in the routing group.
- Verify that the domain for which you want to receive SMTP mail is listed on a recipient policy, either on the default policy or another recipient policy. By verifying this, you ensure that your users can receive mail from other SMTP domains.
- Verify that you configured the necessary SMTP e-mail addresses to receive e-mail messages for additional domains. If you are not receiving e-mail messages for all of your SMTP domains, you may need to configure additional SMTP addresses for your recipients. For example, some of your users may currently receive e-mail messages addressed to contoso.com, but you also want them to receive e-mail addressed to fourthcoffee.com.

Perform the following procedure to verify that your recipient policies are configured correctly and match your mail domain (for example, @example.com) rather than the FQDN of your Exchange server (for example, @exchange.example.com).

For more information about why recipient policies cannot match the FQDN of Exchange servers, see Microsoft Knowledge Base article 288175, "XCON: Recipient Policy Cannot Match the FQDN of Any Server in the Organization, 5.4.8 NDRs." Although this article is written for Exchange 2000, the same principles apply to Exchange 2003.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure
To verify that your recipient policies do not contain addresses that match the FQDN
1. In the console tree, expand Recipients, and then click Recipient Policies.
2. In the details pane, right-click a recipient policy that is configured on the server, and then click Properties.
3. On the E-Mail Addresses (Policy) tab of that policy, view the SMTP addresses that are configured by that policy and ensure that none of the SMTP addresses match the FQDN of any Exchange servers in your organization.
SMTP addresses on a recipient policy
4. Repeat steps 2 and 3 of this procedure for each recipient policy that is configured on this server.

How to Verify that Users Can Receive E-mail Messages from Other SMTP Domains
To receive e-mail messages from other SMTP domains, your recipient policy must correctly specify the domain for which you want to receive mail.

Important By default, the SMTP domain name on the default recipient policy is the name of the domain in which Microsoft Active Directory® directory service resides. This default SMTP domain name is not always the same name you want to use for SMTP mail. For example, if your organization is a large distributed corporation, you can use a unique SMTP address to create distinct e-mail addresses for the recipients in each division. For example, users in different divisions at the company Wingtip Toys could have addresses such as someone@administration.wingtiptoys.com and someone@marketing.wingtiptoys.com.

Perform the following procedure to confirm that recipients in your organization are able to receive mail from other SMTP domains.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure:
- Member of the local administrators group

Procedure
To verify that your users can receive e-mail messages from other SMTP domains
1. In Exchange System Manager, in the console tree, expand Recipients, and then click Recipient Policies.
2. In the details pane, right-click a recipient policy that is configured on this server, and then click Properties.
3. On the E-Mail Addresses (Policy) tab of that policy, view the SMTP addresses that are configured by that policy, and then ensure that the domain for which you want to receive SMTP mail is listed as an address. Verify that the check box next to the address is selected.
4. Double-click the SMTP address you want, and then, in SMTP Address Properties, verify that the This Exchange Organization is responsible for all mail delivery to this address check box is selected.
The SMTP Address Properties dialog box
Note If you have more than one recipient policy configured on a server, the SMTP e-mail address that you are attempting to verify may be located on another recipient policy.
5. If you have more than one recipient policy configured on a server, repeat steps 3 through 5 of this procedure for each recipient policy.

How to Configure the Necessary SMTP E-mail Addresses for Your Users
Use the following procedure to ensure that each user's e-mail address is correctly configured on a recipient policy. Remember that Microsoft® Exchange Server only accepts mail for addresses that are configured correctly in a recipient policy. These addresses are stored in Microsoft Active Directory® directory service and the IIS metabase where the message categorizer checks for address and configuration information.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational group level

Procedure
To configure the necessary SMTP e-mail addresses for your users
1. In Exchange System Manager, in the console tree, expand Recipients, and then click Recipient Policies.
2. In the details pane, right-click the recipient policy that you want to modify, and then click Properties.
3. On the E-Mail Addresses (Policy) tab, click New.
4. In New E-mail Address, click SMTP Address, and then click OK. In SMTP Address Properties, in the Address box, type the information required by the address type you selected. For example, to route mail to Example Corporation, type @example.com as shown in the following figure.

For More Information

For more information about how to configure recipient policies, see Microsoft Knowledge Base article 260973, "XCON: Setting Up SMTP Domains for Inbound and Relay E-Mail in Exchange 2000 Server and Exchange Server 2003." Although this article is written for Exchange 2000, the same principles apply to Exchange 2003.

For more information about how to correct problems with SMTP proxy addresses, see Microsoft Knowledge Base article 140933, "XFOR: SMTP Proxy Address Generated Incorrectly." Although this article is written for Exchange 2000, the same principles apply to Exchange 2003.


How to Verify Relay Restrictions on an SMTP Virtual Server

By default, the default SMTP virtual server allows only authenticated users to relay e-mail. The default setting is preferred because it prevents unauthorized users from using your Exchange server to send e-mail messages to external domains. The most secure relay configuration requires authentication for anyone connecting from the Internet and attempting to relay.

Bridgehead servers that are connected to the Internet and accept Internet mail must generally accept anonymous connections. However, by default, these bridgehead servers do not allow anonymous relaying. Enabling anonymous relaying is strongly discouraged. If you allow anonymous relaying, other users can use your server to send spam. Subsequently, this activity could cause other Internet servers to block list your server.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange View-Only Administrators role to view configuration, or the Exchange Administrators role to change configuration, applied at the administrative group level

Procedure
To verify relay restrictions on an SMTP virtual server
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Servers, expand <Server Name>, expand Protocols, and then expand SMTP.
3. Right-click Default SMTP Virtual Server, and then click Properties.
4. In Default SMTP Virtual Server Properties, click the Access tab.
The Access tab in the Default SMTP Virtual Server Properties dialog box
5. Under Relay restrictions, click Relay to verify relay restrictions. The Relay Restrictions dialog box appears.
Default relay restrictions in the Relay Restrictions dialog box
6. In Relay Restrictions, verify the following settings:
- Verify that Only the list below is selected. To list only those hosts that you want to allow to relay mail, click Add, and then follow the instructions. If you click All except the list below, your server may appear to be a server that is a source of unsolicited commercial e-mail on the Internet.
- Verify that the Allow all computers which successfully authenticate to relay, regardless of the list above check box is selected. This setting allows you to deny access to all users who do not authenticate. Any remote Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) users accessing this server will authenticate to send mail. If you do not have users who access this server through POP or IMAP, you can clear this check box to prevent relaying entirely, thereby increasing security.
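The relay decision that these two settings produce can be modeled in a few lines. The following is an added example, not code from this guide or from Exchange: it is a simplified model of the Relay Restrictions dialog box as described above, and the class, function names, and sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayRestrictions:
    """Simplified model of the Relay Restrictions dialog box (assumption)."""
    only_the_list_below: bool = True   # False models "All except the list below"
    host_list: list = field(default_factory=list)  # IP addresses or CIDR networks
    allow_authenticated: bool = True   # "Allow all computers which successfully
                                       # authenticate to relay, regardless of the list above"

    def lists(self, client_ip):
        """True when client_ip falls inside any entry of the host list."""
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(entry, strict=False)
                   for entry in self.host_list)


def may_relay(cfg, client_ip, authenticated):
    """Decide whether a connected client may relay to an external domain."""
    if authenticated and cfg.allow_authenticated:
        return True
    listed = cfg.lists(client_ip)
    return listed if cfg.only_the_list_below else not listed


def accept_rcpt(cfg, local_domains, client_ip, authenticated, rcpt):
    """Mail for a domain on a recipient policy is inbound delivery, not relay."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return True
    return may_relay(cfg, client_ip, authenticated)


def audit(cfg):
    """Flag settings that the procedure above tells you to avoid."""
    findings = []
    if not cfg.only_the_list_below:
        findings.append("'All except the list below' is selected: every host "
                        "that is not listed can relay without authenticating")
    for entry in cfg.host_list:
        net = ipaddress.ip_network(entry, strict=False)
        if cfg.only_the_list_below and net.prefixlen == 0:
            findings.append(f"{entry} covers every address: same effect as an open relay")
    return findings


if __name__ == "__main__":
    # Constructed sample data: documentation address ranges and example domains.
    local = {"example.com"}
    configs = {
        "default": RelayRestrictions(),
        "open relay": RelayRestrictions(only_the_list_below=False),
        "no relay at all": RelayRestrictions(allow_authenticated=False),
    }
    for name, cfg in configs.items():
        print(name)
        for auth in (False, True):
            ok = accept_rcpt(cfg, local, "203.0.113.7", auth, "someone@fourthcoffee.com")
            print(f"  authenticated={auth!s:5} relay to external domain: {ok}")
        for finding in audit(cfg):
            print("  finding:", finding)
```
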


Configuring Inbound Settings on SMTP Virtual Servers

To configure your SMTP virtual server to receive Internet mail, you must perform the following tasks:
- Configure the inbound port as 25 and specify the IP address.
- Verify that your inbound SMTP virtual server allows anonymous access.

For security reasons, verify the relay restrictions on your inbound virtual server. By default, relay settings allow only authorized users to relay mail.

Important You should verify that your SMTP virtual server settings are correct. You should also be familiar with the consequences of specific configuration choices when troubleshooting SMTP-related message flow issues.

Setting Up Your Exchange Server to Send Internet Mail

This section explains how to configure your Exchange server to send Internet mail. Specifically, you will learn how to:
- Configure outbound settings on SMTP virtual servers.
- Configure a smart host on an SMTP virtual server.
- Configure an SMTP connector.

Use the checklist in the following table to ensure that you complete all the necessary configuration steps to set up your Exchange server to send Internet mail. Each step is explained in detail in the following sections or earlier in this document.

Configuration steps to set up an Exchange server to send Internet mail

Step 1
Task: Verify SMTP is properly loaded on your Exchange server.
Notes: See How to Load Exchange SMTP Properly.

Step 2
Task: Verify that your DNS server can resolve external (Internet) names.
Notes: See "Configuring DNS for Outbound Mail" in Verifying DNS Design and Configuration.

Step 3
Task: Verify that your SMTP virtual server's outbound port is set to 25.
Notes: Other SMTP servers on the Internet expect your SMTP virtual server to connect to them on port 25. See How to Verify that Your Outbound Port Is Set to Use Port 25.

Step 4
Task: Verify that your outbound SMTP virtual server permits anonymous access.
Notes: Other SMTP servers on the Internet do not expect your SMTP server to authenticate. See How to Allow Anonymous Access on Your Outbound SMTP Virtual Server.

Step 5
Task: If you must configure a smart host on your SMTP virtual server, verify that it is configured correctly.
Notes: It is recommended that you configure smart hosts on an SMTP connector, rather than on the virtual server itself. If you must configure a smart host on the SMTP virtual server, ensure that it meets the criteria specified in Configuring a Smart Host on a SMTP Virtual Server.

Step 6
Task: Create an SMTP connector on your outbound SMTP virtual server with an address space of * (asterisk) to route Internet mail.
Notes: When you create an SMTP connector with an address space of *, Exchange routes all Internet mail through this connector. See How to Create an SMTP Connector.

Configuring Outbound Settings on SMTP Virtual Servers

The outbound settings on an SMTP virtual server control the ports and IP addresses through which outbound mail is sent. Connectors that are configured on bridgehead servers that route mail to the Internet use these settings. Most of these settings are configured on the Delivery tab in the SMTP virtual server properties. To configure your SMTP virtual server to deliver outbound mail, you must:
- Ensure that the outbound port is set to port 25 (this is the default setting).
- Allow anonymous access for your outbound connection (this is the default setting).
- Set external DNS servers for SMTP to use, if desired. You can configure the SMTP virtual server to use an external DNS server; however, it is easier and more common to rely on internal DNS servers to forward DNS queries to the configured external DNS servers.

For detailed instructions, see the following topics:
- How to Verify that Your Outbound Port Is Set to Use Port 25
- How to Allow Anonymous Access on Your Outbound SMTP Virtual Server

How to Verify that Your Outbound Port Is Set to Use Port 25

To configure the outbound port that your server uses to deliver Internet mail, use the Delivery tab in the SMTP virtual server properties. If you use the same gateway servers to send and receive Internet mail, the inbound and outbound ports should be set to port 25.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange View-Only Administrators role to view configuration, or the Exchange Administrators role to change configuration, applied at the administrative group level

Procedure
To verify that your outbound port is set to use port 25
1. Right-click Default SMTP Virtual Server, and then click Properties.
2. In Default SMTP Virtual Server Properties, click the Delivery tab. On the Delivery tab, you can specify outbound settings such as retry timers, outbound security and connection limits, and other advanced settings.
The Delivery tab in Default SMTP Virtual Server Properties
3. On the Delivery tab, click Outbound connections to set the TCP port that the server will use to connect to remote servers. The Outbound Connections dialog box appears.
The Outbound Connections dialog box
4. In Outbound Connections, verify that the TCP port is set to 25. Remote servers on the Internet expect your server to use TCP port 25. Changing TCP port to a value other than 25 is not recommended.

How to Allow Anonymous Access on Your Outbound SMTP Virtual Server

For your outbound SMTP virtual server, you should enable anonymous access unless you connect directly to a smart host. Remote servers on the Internet do not expect your server to authenticate.

Note Generally, configuring a smart host works better on a connector. Configuring a smart host on an SMTP virtual server is not the preferred method.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure
To allow anonymous access on your outbound SMTP virtual server
1. Right-click <Your Outbound SMTP Virtual Server>, and then click Properties.
2. Click the Delivery tab.
3. Click Outbound Security to select the type of authentication the server will use with remote servers.
4. In Outbound Security, click Anonymous access.
The Outbound Security dialog box
Note If you connect to a smart host (configured by clicking Advanced on the Delivery tab), the smart host may require you to authenticate. To discover if authentication is required, contact the owner of the smart host or your Internet service provider (ISP).

How to Create an SMTP Connector

SMTP connectors are an efficient way to route Internet mail. Use the following procedure to create an SMTP connector.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange View-Only Administrators role to view configuration, or the Exchange Administrators role to change configuration, applied at the administrative group level

Procedure
To create an SMTP connector
1. In Exchange System Manager, right-click Connectors, point to New, and then click SMTP Connector.
2. In Properties, on the General tab, in the Name box, type a name for the connector.
SMTP connector properties
3. Select one of the following check boxes:
- If you want this connector to use DNS names to route mail directly to the remote server, select Use DNS to route to each address space on this connector. By selecting this option, the connector uses the DNS server that is configured to route e-mail messages. If you select this check box, verify the following information:
  - Verify that you can use Nslookup to successfully resolve names on the Internet. For more information about routing topology, see Configuring a Routing Topology.
- If you want to route mail to a smart host that assumes responsibility for DNS name resolution and mail delivery, select the Forward all mail through this connector to the following smart hosts check box. This option is often used if you route mail to a Windows SMTP server or another server in your perimeter network. If you select this check box, verify the following information:
  - If you list an IP address for the smart host, enclose the IP address in square brackets, for example, [10.0.0.1].
  - If you specify an IP address for the smart host, it should not match the IP address of this server.
  - If you specify a name for the smart host, the name should be a FQDN. For example, "Server Name" is not an FQDN; however, servername.contoso.com is a FQDN.
  - If a name is specified, it should not be the FQDN of this server.
  If you do not have a smart host within your network, contact your ISP to find out what IP address or FQDN you should enter here.
4. Under Local bridgeheads, click Add to define at least one bridgehead server and SMTP virtual server. To send outbound mail, the connector uses the outbound port that is configured on the SMTP virtual server.

Configuring a Smart Host on a SMTP Virtual Server

Problems may occur if you set the smart host at the virtual server level, rather than at the SMTP connector level. When you configure the smart host at the virtual server level, consider the following restrictions:

Note The following smart host settings are located in the Advanced Delivery dialog box. To access this dialog box, in <Your Outbound SMTP Virtual Server> Properties, on the Delivery tab, click Advanced.

- If your Exchange organization contains more than one computer running Exchange, you should not type any data in the Smart host box. Mail flow between servers may not work.
- If an IP address is listed in the Smart host box, it should be enclosed in square brackets, for example, [10.0.0.1].
- If an IP address is listed in the Smart host box, verify that it does not match the IP address of this Exchange server.
- If a name is listed in the Smart host box, it should be a FQDN. For example, "Server Name" is not a FQDN; however, servername.contoso.com is a FQDN.
- If a name is listed in the Smart host box, it should not be the FQDN of this server.

If you do not have a smart host within your network, contact your ISP to find out what IP address or FQDN you should enter here. If you do enter a smart host, select the Attempt direct delivery before sending to smart host check box. Selecting this check box may help reduce queuing on this server. Using multiple smart hosts and load balancing requests across them requires a specific configuration.

For detailed instructions, see the following topics:
- How to Create an SMTP Connector
- How to Specify an Address Space for the Connector

Configuring Advanced Settings

This section explains how to configure some of the advanced settings that control Internet mail delivery. Although these settings are not essential for mail flow, they can assist you in performance tuning, controlling access to your SMTP virtual servers, and many other areas. Specifically, you will learn how to:
- Configure advanced inbound settings.
- Configure advanced outbound settings.
- Configure advanced settings on the SMTP connector.
- Configure the notification of delivery reports.

For detailed instructions about configuring access controls and security settings, see the following topics:
- How to Configure Access Controls and Authentication Methods
- How to Specify Message Limits

Configuring Advanced Inbound Settings

This section shows you how to configure advanced settings for inbound mail. Specifically, you will learn how to:
- Configure access controls and other security settings.
- Configure message filters.
- Set limits for incoming messages.

For detailed instructions, see the following topics:
- How to Ensure your Exchange Server Does Not Use RTF Exclusively
- How to Set Outbound Message Limits on Your SMTP Virtual Server

Configuring Advanced Outbound Settings

This section shows you how to configure advanced settings to control outgoing mail. Specifically, you will learn how to configure Internet mail message formats, outbound message limits, and advanced connector settings.

Configuring Advanced Settings on the SMTP Connector

The SMTP connector offers several configuration options, which you can use to tailor your specifications for e-mail messages that are routed through this server. With the exception of message size limits, the settings on the SMTP connector override the settings on the SMTP virtual server. In this case, the lowest size limit is enforced. In this section you will learn how to perform the following tasks:
- Specify delivery restrictions.
- Set a connector schedule for connecting to a network service provider.
- Set content restrictions on an SMTP connector.
- Configure how non-delivery reports are handled.

For detailed instructions, see the following topics:
- How to Enable Registry Keys for Delivery Restrictions
- How to Set Delivery Restrictions on the SMTP CONNECTOR
- How to Set a Connector Schedule
- How to Set Content Restrictions on an SMTP Connector
- How to Specify How Undeliverable Mail is Managed

How to Specify an Address Space for the Connector

A connector's address space defines the domain or range of domains to which a connector sends mail. You can specify which address groups a specific connector will handle. If you use multiple SMTP connectors to route Internet mail, at least one connector should have an address space of * (asterisk). The asterisk represents all external domains.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet. The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure
To specify an address space for the connector
1. In the SMTP connector Properties, click the Address Space tab.
2. Click Add. The Add Address Space dialog box appears.
The Add Address Space dialog box
3. Under Select an address type, click SMTP, and then click OK. The Internet Address Space Properties dialog box appears.
The Internet Address Space Properties dialog box
Important In Internet Address Space Properties, in the E-mail domain box, there is a default value of *. The * represents all addresses. At least one connector in your organization should have this address space to ensure that all external domains are routed to the Internet.
4. In Internet Address Space Properties, in the E-mail domain box, type an e-mail domain for the connector. In the Cost box, assign an appropriate cost for this connector. For example, if you want all users to always use this connector and only use a backup connector if this connector is unavailable, assign this connector a cost of 1 and assign the secondary connector a higher cost. Remember that Exchange always chooses the route with the lowest cost, if that route is available.
Important Do not list your inbound domains on an SMTP address space for a connector. Your inbound domains are listed in your recipient policies. If some or all of your inbound domains are listed, you may receive NDRs that indicate a mail loop (these NDRs may have the diagnostic code 5.3.5). By specifying domains on the Address Space tab, you can configure these domains as routable domains.
5. Click OK to return to the Address Space tab.
6. Under Connector scope, select one of the following based on your routing topology:
- Select Entire organization if you want users in any routing group to be able to send Internet mail through this connector. With this option selected, all Exchange servers in the organization can route mail through this connector to the Internet.
- Select Routing Group if you want only users in this bridgehead server's routing group to send mail through this connector.
Note For more information about assigning costs and scoping, see Understanding Connector Scope and Restrictions.
7. If you want mail to be relayed through your system to the domains that you specified, select the Allow messages to be relayed to these domains check box.
Note Do not select this check box if you are creating a connector with an address space of *.
8. Click OK.
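The smart host rules in How to Create an SMTP Connector and Configuring a Smart Host on a SMTP Virtual Server, together with the address space rules in the procedure above, lend themselves to an automated review of a documented configuration. The following is an added example, not code from this guide or from Exchange; the function names, the dictionary layout, and the sample server names are assumptions made for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True for a dotted host name such as servername.contoso.com."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def lint_smart_host(value, server_fqdn, server_ips):
    """Check one smart host entry against the rules listed in this guide."""
    findings = []
    text = value.strip()
    bracketed = text.startswith("[") and text.endswith("]")
    inner = text[1:-1] if bracketed else text
    try:
        ip = ipaddress.ip_address(inner)
    except ValueError:
        ip = None
    if ip is not None:
        if not bracketed:
            findings.append("IP address is not enclosed in square brackets")
        if ip in {ipaddress.ip_address(a) for a in server_ips}:
            findings.append("IP address matches this server")
    elif bracketed:
        findings.append("bracketed value is not a valid IP address")
    elif not is_fqdn(inner):
        findings.append("name is not an FQDN")
    elif inner.rstrip(".").lower() == server_fqdn.rstrip(".").lower():
        findings.append("name is the FQDN of this server")
    return findings


def lint_connectors(connectors, inbound_domains):
    """Check connector address spaces against the recipient policy domains."""
    findings = []
    inbound = {d.lower() for d in inbound_domains}
    if not any("*" in c["address_spaces"] for c in connectors):
        findings.append("no connector has the * address space")
    for c in connectors:
        spaces = [s.lower() for s in c["address_spaces"]]
        for space in spaces:
            if space in inbound:
                findings.append(f"{c['name']}: inbound domain {space} is listed "
                                "as an address space (mail loop, NDR 5.3.5)")
        if "*" in spaces and c.get("allow_relay"):
            findings.append(f"{c['name']}: relay is allowed on the * address space")
    return findings


if __name__ == "__main__":
    # Constructed sample data; ex01.contoso.com stands for the local server.
    for entry in ("[10.0.0.1]", "10.0.0.1", "Server Name", "ex01.contoso.com"):
        print(entry, "->", lint_smart_host(entry, "ex01.contoso.com", ["10.0.0.1"]))
    sample = [
        {"name": "Internet", "address_spaces": ["*"], "allow_relay": True},
        {"name": "Partner", "address_spaces": ["example.com"], "allow_relay": False},
    ]
    for finding in lint_connectors(sample, ["example.com"]):
        print(finding)
```
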

How to Configure Access Controls and Authentication Methods

For SMTP virtual servers, you can specify what types of connections are accepted or denied, and you can require user authentication before mail delivery. If you support IMAP or POP clients that connect from the Internet, authentication methods are useful. However, on an SMTP virtual server that acts as an Internet gateway, you cannot require authentication if you want to receive mail from users on the Internet.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To configure access controls and authentication methods

1. Right-click Default SMTP Virtual Server, and then click Properties.

2. Click the Access tab, and then, under Access control, click Authentication to specify the ways in which users must be authenticated prior to sending mail to this server. The Authentication dialog box appears.

   [Figure: The Authentication dialog box]

3. In Authentication, the following check boxes are available:

   - Anonymous access: Typically, you select this check box for servers that are directly connected to the Internet. If you select this check box, other servers on the Internet will not authenticate to this server prior to sending mail. For increased security, disable anonymous access on your internal SMTP virtual servers that do not accept incoming Internet mail. For similar security purposes, you can also disable anonymous access on dedicated SMTP virtual servers that are used for remote IMAP and POP users.

     Note: If the Anonymous access check box is not selected on your Internet gateway servers, you may not receive incoming mail from the Internet. However, for internal SMTP virtual servers or SMTP virtual servers that are used exclusively by IMAP and POP users, you can clear this check box because they must authenticate.

   - Basic authentication: Use this check box for mail clients (such as Microsoft Outlook) that use Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) to connect to the server. To send e-mail messages, these clients authenticate to the server.

     Important: If you select the Basic authentication (password is sent in clear text) check box, user names and passwords are sent across the network in clear text. This information can be easily intercepted on the Internet. If you use basic authentication, consider implementing Transport Layer Security (TLS) for more security.

   - Requires TLS encryption: Use this check box if you have a digital certificate, which is common in a high-security environment. If you select this check box, in the corresponding Default domain box, you must type the Windows 2000 or Windows Server 2003 domain name that the user should authenticate against if he or she does not specify a domain. For more information about TLS encryption, see the Exchange online documentation.

   - Integrated Windows Authentication: This check box is used only by Windows user accounts. Using the NTLM protocol, user names and passwords are encrypted and are then passed to the SMTP virtual server for authentication purposes.

   Note: By default, the Anonymous access, Basic authentication, and Integrated Windows Authentication check boxes are selected. If you are using a single default virtual server, it is recommended that you use the default settings; this allows users to authenticate by using the most common methods.

4. In <SMTP Virtual Server> Properties, on the Access tab, under Secure communication, click Certificate to configure a certificate (used for TLS encryption) that encrypts messages as they move from server to server. For more information about TLS encryption, see the Exchange online documentation.

5. On the Access tab, under Connection control, click Connection to allow or deny access to the server based on IP address. If you are using multiple SMTP virtual servers, and you want to deny access to specific hosts, you must perform the following procedure for each virtual server:
   a. In Connection, click All except the list below for servers directly connected to the Internet.
   b. To list only those hosts from which you do not want to receive mail, click Add and then follow the instructions in the Computer dialog box. You can include any servers that you consider to be the source of spam.
   c. Click OK twice to apply the settings.
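The clear-text warning for Basic authentication can be checked against session transcripts. The Python script below is an added example, not part of the original guide: it flags AUTH LOGIN or AUTH PLAIN exchanges that happen before STARTTLS succeeds, and shows that the base64 wrapping is reversible by recovering the user name. The transcripts, host names and the account are constructed samples.

```python
"""Flag SMTP sessions where Basic authentication exposes credentials.

Every transcript below is a constructed sample (hypothetical hosts and
accounts), written as "C: " client lines and "S: " server lines.
"""
import base64

# Mechanisms that carry the password merely base64-encoded (Basic authentication).
# NTLM and GSSAPI are not listed: they do not put the password on the wire.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def _unb64(token):
    """Decode a base64 token; return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def audit_session(lines):
    """Return one finding per Basic-auth exchange sent before TLS was negotiated.

    The password itself is never returned, only the fact that it was readable.
    """
    findings = []
    tls = False              # True once the server answers STARTTLS with 220
    starttls_sent = False
    login_step = None        # None, "user" or "pass" while inside AUTH LOGIN
    username = None
    for raw in lines:
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "S":
            if starttls_sent:
                tls = tls or text.startswith("220")
                starttls_sent = False
            if login_step and not text.startswith("334"):
                login_step = None            # server aborted the AUTH dialogue
            continue
        if login_step == "user":
            username, login_step = _unb64(text), "pass"
            continue
        if login_step == "pass":
            login_step = None
            if not tls and _unb64(text) is not None:
                findings.append({"mechanism": "LOGIN", "username": username,
                                 "password_exposed": True})
            continue
        words = text.split()
        verb = words[0].upper() if words else ""
        if verb == "STARTTLS":
            starttls_sent = True
        elif verb == "AUTH" and len(words) >= 2 and words[1].upper() in CLEARTEXT_MECHS:
            if words[1].upper() == "LOGIN":
                login_step = "user"
            elif len(words) >= 3 and not tls:
                # AUTH PLAIN <base64 of authzid NUL username NUL password>
                fields = (_unb64(words[2]) or "").split("\0")
                if len(fields) == 3:
                    findings.append({"mechanism": "PLAIN", "username": fields[1],
                                     "password_exposed": True})
    return findings


# --- constructed sample transcripts -------------------------------------
EHLO = ["S: 220 mail.example.test ESMTP ready", "C: EHLO client.example.test",
        "S: 250-mail.example.test", "S: 250-AUTH GSSAPI NTLM LOGIN",
        "S: 250-STARTTLS", "S: 250 OK"]
LOGIN_DIALOGUE = ["C: AUTH LOGIN", "S: 334 " + _b64("Username:"),
                  "C: " + _b64("jsmith"), "S: 334 " + _b64("Password:"),
                  "C: " + _b64("constructed-password"),
                  "S: 235 Authentication successful"]

BASIC_NO_TLS = EHLO + LOGIN_DIALOGUE
BASIC_AFTER_TLS = (EHLO + ["C: STARTTLS", "S: 220 Ready to start TLS"]
                   + EHLO[1:] + LOGIN_DIALOGUE)
NTLM_NO_TLS = EHLO + ["C: AUTH NTLM", "S: 334 NTLM supported",
                      "C: " + _b64("constructed NTLM negotiate blob"),
                      "S: 334 " + _b64("constructed NTLM challenge"),
                      "C: " + _b64("constructed NTLM response"),
                      "S: 235 Authentication successful"]

if __name__ == "__main__":
    for name, session in [("basic, no TLS", BASIC_NO_TLS),
                          ("basic after STARTTLS", BASIC_AFTER_TLS),
                          ("NTLM, no TLS", NTLM_NO_TLS)]:
        print(name, "->", audit_session(session))
```

Only the first transcript produces a finding, which is the case the Requires TLS encryption check box is meant to prevent.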

How to Specify Message Limits

On the Messages tab of the virtual server's properties, you can configure the default number of recipients per message. Reducing this number can mitigate the effects of spam by preventing the delivery of a single message to a large number of users. You can also decrease the maximum message size and the length of each session.

Note: If your organization uses large distribution lists that arrive through SMTP from Internet users, reducing the number of recipients per message can affect your users. However, MAPI recipients, such as Outlook users, are not affected by the reduction.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To specify message limits

1. Right-click the SMTP virtual server that you want to configure, and then click Properties.

2. Click the Messages tab to specify message limits for this server.

   [Figure: The Messages tab in the Default SMTP Virtual Server Properties dialog box]

3. Under Specify the following message information, select the Limit message size to (KB) check box to limit the maximum message size. To prevent users from sending large documents, type a small value in the corresponding box. If you do not set a limit to the maximum message size, it can affect performance. It is recommended that you set a limit equal to the maximum message size that is appropriate for your organization.

   Note: Documents expand in size approximately 33 percent when sent outside the routing group or organization. For example, if you want to send documents up to 3MB in size, set the maximum message size to 4,096KB.

4. Select the Limit session size to (KB) check box, and type a value that is larger than the maximum message size.

5. Select the Limit number of messages per connection to check box to configure the system to drop the connection after it reaches the specified number of messages. This default setting optimizes message flow in most messaging topologies. However, selecting this check box can lead to slight performance degradation if your system receives many messages from a single source.

6. Select the Limit number of recipients per message to check box to have Exchange Server return a non-delivery report (NDR) to senders whose messages exceed the maximum number of recipients. Selecting this check box allows you to keep users from sending an e-mail message to an excessive number of recipients.

How to Ensure your Exchange Server Does Not Use RTF Exclusively

For each domain that is listed in Internet Message Formats, you can configure how you send Internet mail messages. As a general rule, do not send mail exclusively in rich text format (RTF) because many non-Microsoft mail servers cannot read rich-text messages. Instead, users receive an empty e-mail message with a winmail.dat file attachment. To avoid this problem, ensure that your global message setting does not use the Exchange RTF exclusively.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To ensure that your Exchange server does not use RTF exclusively

1. In Exchange System Manager, expand Global Settings, and then click Internet Message Formats.

2. In the details pane, right-click the name you want, and then click Properties.

3. Click the Advanced tab.

4. Under Exchange rich-text format, ensure that either Never use or Determined by individual user settings is selected.

   [Figure: The Advanced tab for Internet Message Formats]

   Note: Selecting Always Use can prevent users on non-Microsoft servers from reading your e-mail messages. They may receive an e-mail message with a winmail.dat file attachment.

How to Set Outbound Message Limits on Your SMTP Virtual Server

On your SMTP virtual server that handles outbound mail delivery, you can configure connection limits and time-out settings that the server uses with remote servers. Configure these limits to ensure that your server does not get overloaded.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To set outbound message limits on your SMTP virtual server

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.

2. In the console tree, expand Servers, expand <Server Name>, expand Protocols, and then expand SMTP.

3. Right-click <Your Outgoing SMTP Virtual Server>, and then click Properties.

4. Click the Delivery tab.

5. Under Outbound, you can modify the time in minutes for first, second, third, and subsequent retry attempts by entering the appropriate values for your organization. These outbound settings control message delivery for mail that is sent outside of the organization.

   [Figure: Outbound settings on the Delivery tab]

   Note: Setting a retry interval to too low of a value may degrade performance, particularly when your Internet connection or the specified smart host is unavailable.

6. Under Local, set Delay notification and Expiration timeout for local message delivery by typing the values in the corresponding boxes, and then selecting the time in Minutes, Hours, or Days. It is recommended that you use the default settings. These local settings apply to mail that is sent to the local mailbox store or in Microsoft Exchange MTA.

   Note: Systems on the Internet may have different values for delay notification and expiration timeout. The values entered here refer to messages that are queued on this server.

7. Click Outbound connections to configure connection limits and timeout values that the server uses with remote servers. The Outbound Connections dialog box appears.

   [Figure: The Outbound Connections dialog box]

8. Depending on your hardware, you can select the Limit number of connections to check box to limit connections to other servers and to reduce traffic. You can also select the Limit number of connections per domain to check box. After you select the check boxes, enter the appropriate values for your organization.

9. Depending on your bandwidth and connection quality, you can change the Time-out (minutes) value.

   Note: Reducing the number of outbound connections and increasing the time-out period may cause all your outbound connections to wait for responses from remote servers. With such settings, e-mail messages remain in the queue for longer periods of time (potentially causing a delay in message delivery), but network traffic is kept to a minimum.

How to Enable Registry Keys for Delivery Restrictions

The default setting allows everyone in your organization to use the SMTP connector. In most situations, the default setting is sufficient because you generally want your users to be able to send Internet mail. If you want to set more rigid restrictions, use the following procedure and How to Set Delivery Restrictions on the SMTP Connector to set delivery restrictions.

You can use the Delivery tab to restrict the use of your connector. However, to enable these restrictions, you must also change certain registry key settings.

Important: Be aware that restricting delivery is extremely process-intensive and can affect server performance.

A registry key on the Exchange Server 2003-based bridgehead server, which is the source for the connector that is being checked, controls the restriction-checking functionality. If you need to configure a connector to restrict who can send data to the designated link, you must manually add the restriction-checking registry value.

Note: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet and How to Set Delivery Restrictions on the SMTP Connector.

The following permissions are required to perform this procedure:
- Member of the local administrators group

Procedure

To enable the registry keys for delivery restrictions

1. Start Registry Editor: From a command prompt, type Regedit.exe.

2. Navigate to and select the following key in the registry:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RESvc\Parameters\

3. On the Edit menu, click Add Value, and then add the following registry value:

   Value Name: CheckConnectorRestrictions
   Data Type: REG_DWORD
   Data: 1
   Radix: Decimal

4. Exit Registry Editor: On the Registry menu, click Exit.

5. After enabling the registry key setting, you need to restart the following services on your Exchange server:
   - Microsoft Exchange MTA Stacks (MSExchangeMTA)
   - Microsoft Exchange Routing Engine (RESvc)
   - Simple Mail Transfer Protocol (SMTPSVC)

How to Set Delivery Restrictions on the SMTP Connector

The default setting allows everyone in your organization to use the SMTP connector. In most situations, the default setting is sufficient because you generally want your users to be able to send Internet mail. If you want to set more rigid restrictions, use the How to Enable Registry Keys for Delivery Restrictions procedure and the following procedure to set delivery restrictions. After enabling the registry key and restarting the services, you can set delivery restrictions on the SMTP connector.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet and How to Enable Registry Keys for Delivery Restrictions.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To set delivery restrictions on the SMTP connector

1. In Exchange System Manager, expand Connectors by performing one of the following steps:
   - If you do not have routing groups or administrative groups displayed, expand your Exchange organization, and then expand Connectors.
   - If you have only routing groups displayed, expand Routing Groups, expand <Routing Group Name>, and then expand Connectors.
   - If you have only administrative groups displayed, expand Administrative Groups, expand <Administrative Group Name>, and then expand Connectors.
   - If you have administrative groups and routing groups displayed, expand Administrative Groups, expand <Administrative Group Name>, expand Routing Groups, expand <Routing Group Name>, and then expand Connectors.

2. Right-click <Your SMTP Connector>, and then click Properties.

3. Click the Delivery Restrictions tab.

   [Figure: The Delivery Restrictions tab of the SMTP Connector Properties dialog box]

4. To accept messages from everyone, but to reject specified users:
   a. Under By default messages from everyone are, verify that Accepted is selected.
   b. Under Reject messages from, click Add, and then, in Select Recipient, type each user or group's name that you want to prevent from using the connector.

5. To reject messages from everyone but specified users:
   a. Under By default messages from everyone are, click Rejected.
   b. Under Accept messages from, click Add, and then, in Select Recipient, type each user's name that you want to allow to use the connector.

How to Set a Connector Schedule

If you are using an SMTP connector to connect to a network service provider and download your Internet e-mail messages, you may want to schedule specific times for the connector to contact the network service provider's server. Alternatively, you can specify that a connector hold e-mail messages until a remote server triggers delivery.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To set a connector schedule

1. In Exchange System Manager, expand Connectors by performing one of the following steps:
   - If you do not have routing groups or administrative groups displayed, expand your Exchange Server organization, and then expand Connectors.
   - If you have only routing groups displayed, expand Routing Groups, expand <Routing Group Name>, and then expand Connectors.
   - If you have only administrative groups displayed, expand Administrative Groups, expand <Administrative Group Name>, and then expand Connectors.
   - If you have administrative groups and routing groups displayed, expand Administrative Groups, expand <Administrative Group Name>, expand Routing Groups, expand <Routing Group Name>, and then expand Connectors.

2. Right-click <Your SMTP Connector>, and then click Properties.

3. Click the Delivery Options tab.

   [Figure: The Delivery Options tab of the SMTP Connector Properties dialog box]

4. To specify a time when the connector runs, click Specify when messages are sent through this connector.

5. In the Connection time list, select a time or click Customize to create a custom schedule.

6. To schedule a different time for the connector to deliver oversize messages, select the Use different delivery times for oversize messages check box. If you select this check box, the following options appear:
   - Oversize messages are greater than (KB): In this box, type a threshold number that defines oversize messages.
   - Connection time: In this list, select a time or click Customize to create a custom schedule.

7. To hold e-mail messages until a remote server triggers delivery, click Queue mail for remote triggered delivery, and then click Add to add authorized accounts that can trigger remote delivery.

How to Set Content Restrictions on an SMTP Connector

You can restrict the type of messages that are delivered through a connector. For example, if you have special business or administrative requirements, you can restrict the message type to only high-priority mail through a particular connector.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To set content restrictions on an SMTP connector

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.

2. In the console tree, go to Connectors by performing one of the following steps:
   - Under the Exchange organization, expand Connectors.
   - If you do not have routing groups defined, expand Administrative Groups, expand <Administrative Group Name>, and then expand Connectors.
   - If you have routing groups defined, expand Administrative Groups, expand <Administrative Group Name>, expand Routing Groups, expand <Routing Group Name>, and then expand Connectors.

3. Right-click <Your SMTP Connector>, and then click Properties.

4. Click the Content Restrictions tab.

   [Figure: The Content Restrictions tab of the SMTP Connector Properties dialog box]

5. Under Allowed priorities, select each type of priority messages that you want to send through the connector.

6. Under Allowed types, select each type of message (system or non-system) that you want to send through the connector.

7. Under Allowed sizes, if you want to set a size restriction, select the Only messages less than (KB) check box, and then type a size limit.

How to Specify How Undeliverable Mail is Managed

Use the following procedure to control how undeliverable mail is handled on a specific virtual server. You can always use the postmaster account to handle all non-delivery reports (NDR) for an organization. If you are sharing a namespace with another mail system, and you want to accept mail for these users and forward this mail to the other system by designating it as a smart host, specifying undeliverable mail handling on a virtual server can be useful.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To specify how undeliverable mail is managed

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.

2. In the console tree, expand Servers, expand <Server Name>, expand Protocols, and then expand SMTP.

3. Right-click the SMTP virtual server that you want, and then click Properties.

4. Click the Messages tab.

   [Figure: The Messages tab in the Default SMTP Virtual Server Properties dialog box]

5. In the Send copy of Non-Delivery Report to box, type the SMTP address of the Exchange administrator who you want to receive copies of NDRs. You can use the NDRs to help you diagnose user problems. For more information about examining NDRs, see Troubleshooting Non-Delivery Report Messages.

   Note: NDRs often occur because users type the wrong e-mail address. You may want to disable this feature until you experience problems and need to investigate NDRs.

6. In the Badmail directory box, you can modify the location of the messages that are misrouted and cannot be delivered. It is recommended that you keep the default location. The default location is \Exchsrvr\Mailroot\vsi <virtual server instance>\badmail.

   Caution: Moving the Badmail directory to a disk that is separate from the queuing directory may degrade performance and make it difficult to track bad messages.

7. In the Forward all mail with unresolved recipients to host box, you can specify an alternate host to which undeliverable messages are forwarded. This is useful if you are sharing a namespace with another mail system, specifically if there are mail recipients with your domain name who do not belong to the Exchange organization. For example, exchangeuser@contoso.com resides in the Exchange organization, and unixuser@contoso.com resides outside the Exchange organization. In this example, users at exchangeuser@contoso.com can send mail to users at unixuser@contoso.com, and Exchange forwards the message to the specified alternate host.

Part Three

Network attacks are more common than ever, and that trend is likely to continue. Therefore, after configuring mail flow in your Exchange organization, it is crucial that you take measures to help secure this mail flow. Messages that are routed to and from Microsoft® Exchange servers and other external systems also travel across your local network and over the Internet. To prevent malicious Internet users from intercepting your organization's mail and attacking your servers, it is important that you secure your Internet connections. The three types of Internet connectivity are:
- Using connectors over the Internet to have e-mail connectivity between your organization and other external systems.
- Using connectors to connect Exchange routing groups within your organization over the Internet.
- Allowing Exchange clients to use Internet mail protocols or Microsoft Office Outlook® Web Access to access Exchange mailboxes in your organization.

Generally, each of these types of connectivity requires a different level of security. The sections in Part 3 address various ways to secure your Exchange organization:
- Securing Your Infrastructure: This section focuses on methods that you can use to help protect your infrastructure by disabling unnecessary services in Internet Information Services (IIS) and by using firewalls and virtual private networks.
- Securing Your Exchange Server: This section discusses general security practices that you can use to protect your Exchange servers.
- Configuring Filtering and Controlling Spam: This section explains how to control unsolicited commercial e-mail, also known as spam, by using Exchange recipient, sender, and connection filtering.

Note: For more information about securing Exchange, see the Exchange Server 2003 Security Hardening Guide.

Securing Your Infrastructure

This topic focuses on important infrastructure components that you can implement for greater security. It discusses the following:
- Securing your Internet Information Services (IIS) framework to protect Internet services.
- The importance of firewalls in protecting servers from direct Internet access.
- Using virtual private networks as a secure means of accessing private network resources.

Securing IIS

As discussed in "Internet Information Services" in Transport Dependencies for Exchange Server 2003, IIS provides a framework for Internet services such as HTTP, Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), and Network News Transfer Protocol (NNTP). Therefore, it is essential that you ensure IIS is secure. The way in which you can secure IIS differs depending on which version of Microsoft® Windows® you are running on your Exchange server. Windows 2000 Server provides the IIS Lockdown Wizard; Windows Server 2003™ provides URLScan. Use the appropriate tool for your version of Windows to secure IIS.

Using IIS Lockdown Wizard on Windows 2000 Server

On Windows 2000 Server, the IIS Lockdown Wizard provided for IIS 5.0 disables unnecessary IIS services, thereby reducing your exposure to attack through these services. To defend against attackers, IIS Lockdown Wizard integrates URLScan with customized templates for Exchange servers. IIS Lockdown Wizard is designed primarily to secure Microsoft Office Outlook® Web Access servers and front-end servers; however, it is also useful for checking the security configuration on any Exchange server. For optimal security, run IIS Lockdown Wizard on each Exchange server and domain controller in your organization. You can download IIS Lockdown Wizard from the Microsoft Download Center.

For more information about IIS Lockdown Wizard, see Microsoft Knowledge Base article 309508, "XCCC: IIS Lockdown and URLscan Configurations in an Exchange Environment." Some issues exist when running IIS Lockdown Wizard twice. For more information about running IIS Lockdown Wizard twice, see Microsoft Knowledge Base article 317052, "HOW TO: Undo Changes Made by the IIS Lockdown Wizard."

Running URLScan on Windows Server 2003

IIS Lockdown Wizard is not available for Windows Server 2003; however, you can run URLScan to secure IIS on Windows Server 2003. URLScan version 2.5 is a security tool that restricts the types of HTTP requests that IIS will process. By blocking specific HTTP requests, the URLScan security tool helps prevent potentially harmful requests from reaching your Exchange server. For more information about the URLScan tool, see Microsoft Knowledge Base article 823175, "Fine-Tuning and Known Issues When You Use the Urlscan Utility in an Exchange 2003 Environment."

Using Firewalls

A firewall prevents unauthorized access to data on servers that reside behind the firewall. Whether your organization has an existing network or is setting up a new one, firewall planning is extremely important. With software such as Microsoft Internet Security and Acceleration (ISA) Server, you can route all Internet traffic through a single location. Although this requires more setup and planning than a simple direct Internet connection, it provides increased security for the servers in your organization.

You can use a firewall to allow only essential Internet traffic through ports that you specify. For example, you can configure your network to allow only SMTP (port 25) traffic to pass through your firewall, thereby preventing connections on all other ports.

For Exchange to operate properly in a firewall environment, specifically in regard to remote clients, certain requirements are necessary to maintain Internet connectivity. For instance, firewalls can filter certain TCP ports or block them entirely. Therefore, for remote clients and servers to communicate through a firewall, you cannot change or block the port assignments for the various protocols that Exchange supports. For more information about the ports that Exchange requires, see "Common Ports Used by Exchange" in SMTP Commands and Definitions and Microsoft Knowledge Base article 278339, "XGEN: TCP/UDP Ports Used By Exchange 2000 Server." Although this article was written for Exchange 2000 Server, the same information applies to Exchange 2003.

If you need a simple SMTP server in the perimeter network of a firewall, often a Windows 2000 Server or Windows Server 2003 SMTP service computer is all that is necessary. Exchange 2003 Enterprise Server, Windows 2000 Server or Windows Server 2003 Network Address Translation (NAT), Microsoft ISA Server, or any solution that buffers the Internet from the internal LAN can add additional security.

If you do not implement a firewall connection to the Internet, you must consider how security will be affected. All Exchange servers within a network that have a direct connection to the Internet are exposed to the Internet.

Using Virtual Private Networks

The Windows 2000 Server and Windows Server 2003 Routing and Remote Access Service (RRAS) is an open, extensible platform for routing and internetworking. RRAS offers remote access over the Internet and to organizations in LAN and WAN environments by using secure virtual private network (VPN) connections. VPNs are secure, authenticated links across public or private networks, such as the Internet.

The Windows 2000 Server and Windows Server 2003 Remote Access Service (RAS) and RRAS tools offer options that remote users can use for dial-up Internet access. To function properly, these access services require the following:
- A remote connection method called Point-to-Point Tunneling Protocol (PPTP).
- An Internet connection to create a VPN.

PPTP is designed to support VPNs. Because of Digital Subscriber Line (DSL) and cable modem Internet connections, VPNs are less expensive to establish and support than traditional WANs. A VPN eliminates long-distance telephone charges and offers secure connections, mutual authentication, and packet filtering.

After a PPTP server authenticates a remote client, the VPN connection opens. The PPTP session acts as a tunnel through which network packets flow. The packets are first encrypted when sent. The packets then travel through the tunnel and are decrypted upon receipt. For example, an organization can allow remote clients to connect to a corporate network across the Internet using a VPN.

Although a broadband connection is not required for a VPN, a broadband VPN connection can benefit remote VPN users. By using a broadband VPN connection, users can connect to a corporate network over the Internet and then use the corporate network as if they were directly logged on to it.

Securing Your Exchange Server

This topic focuses on ways that you can secure your Microsoft® Exchange server. You can help protect your servers by performing the tasks below, which are each explained in detail in the following sections:

- Disable open relaying on all SMTP virtual servers. The default relay restrictions prevent unauthorized users from using your Exchange server to send mail to external locations. If your server is open for relaying, unauthorized users can use your server to send spam. As a result, your server may become known to other organizations as a source for open relay and, as a consequence, blocked from sending legitimate mail.

- Prevent anonymous access on internal SMTP virtual servers and dedicated SMTP virtual servers for IMAP and POP clients. Because all Exchange servers within your organization authenticate with each other to send mail, you do not need to enable anonymous access on your internal Simple Mail Transfer Protocol (SMTP) virtual servers. Additionally, all Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) clients authenticate with your SMTP virtual server, so anonymous access is not required on a server that is used exclusively by POP and IMAP clients. If you disable anonymous access on these servers, you can prevent unauthorized users from accessing them.

- Restrict submissions and relaying access on internal SMTP virtual servers. In Microsoft Exchange Server 2003, you can further restrict access to SMTP virtual servers by using security principals through the standard Microsoft Windows® 2000 Server or Windows Server™ 2003 Discretionary Access Control List (DACL). This ability enables you to grant explicit permissions to users and groups that you want to allow to use an SMTP virtual server.

Disabling Open Relaying on All SMTP Virtual Servers

As explained in Setting Relay Restrictions, it is essential that you do not allow anonymous or open relaying on your SMTP virtual servers. Relaying is when a user uses your Exchange server to send mail to an external domain. In its default configuration, Exchange allows only authenticated users to relay mail; in other words, only authenticated users can use Exchange to send mail to an external domain. If you modify the default relay settings to allow unauthenticated users to relay, or if you allow open relaying to a domain through a connector, unauthorized users can use your Exchange server to send spam. As a result, your server may be block listed and thereby be prevented from sending mail to legitimate remote servers. To prevent unauthorized users from using your Exchange server to relay mail, you should always use the default relay restrictions.

Note: Relaying is often confused with spam. Relay control does not block spam. For more information about controlling spam, see Configuring Filtering and Controlling Spam. For more information about how to control relaying, see Microsoft Knowledge Base article 304897, "XIMS: Microsoft SMTP Servers May Seem to Accept and Relay E-Mail Messages in Third-Party Tests."

Preventing Anonymous Access on Internal SMTP Virtual Servers and Dedicated SMTP Virtual Servers for IMAP and POP Clients

For increased security, you can prevent anonymous access on your internal SMTP virtual servers and on any SMTP virtual servers that are dedicated to accepting incoming mail from remote IMAP and POP users. When sending internal mail, Exchange servers automatically authenticate; therefore, by preventing anonymous access on your internal servers, mail flow is not disrupted, and an extra layer of security is provided on your internal SMTP virtual server. Similarly, IMAP and POP clients authenticate before sending mail to SMTP virtual servers. So, if you use dedicated SMTP virtual servers for your IMAP and POP clients, you can configure these servers to allow only authenticated access.

To prevent anonymous access, on the Access tab in the SMTP virtual server properties, click Authentication, and then clear the Anonymous access check box. For step-by-step instructions about how to prevent anonymous access, see How to Configure Access Controls and Authentication Methods.

Important: Do not disable anonymous access on your Internet bridgehead SMTP virtual servers. SMTP virtual servers that accept mail from the Internet must allow anonymous access.

Restricting Submissions to Distribution Lists and Users

In Exchange 2003, you can restrict who can send e-mail messages to an individual user or a distribution list. Restricting submissions on a distribution list prevents non-trusted senders, such as unauthorized Internet users, from sending mail to an internal-only distribution list. For example, an All Employees distribution list should not be available to anyone outside the company (by spoofing or otherwise).

Note: Restricted distribution lists and submission restrictions for users only function on the bridgehead servers or SMTP gateway servers running Exchange Server 2003.

Consider setting restrictions on your internal distribution lists that pertain to full-time employees and other internal groups. By taking this action, you protect these distribution lists from receiving spam and restrict any anonymous users from sending to these distribution lists. For detailed instructions about how to set submission restrictions on users and distribution lists, respectively, see How to Set Restrictions on a User and How to Set Restrictions on a Distribution Group.

Restricting Submissions and Relaying Permissions on an Internal SMTP Virtual Server

In Exchange Server 2003, you can restrict submissions and relaying permissions to an SMTP virtual server to a limited number of users or groups through the standard Windows 2000 Server or Windows Server 2003 Discretionary Access Control List (DACL). This allows you to specify groups of users who can submit or relay mail on a virtual server.

Restricting Submissions to an SMTP Virtual Server

Restricting submissions to an SMTP virtual server is useful if you have specific users that you want to allow to send Internet mail on particular virtual servers. You can grant only these users or groups access to submit mail to these SMTP virtual servers.

Note: Do not restrict submissions on SMTP virtual servers that accept Internet mail.

For detailed instructions, see How to Restrict Submissions to an SMTP Server Based on a Security Group.

Restrict Relaying on an SMTP Virtual Server

Restricting relaying on virtual servers is useful if you want to allow a group of users to relay mail to the Internet, but you want to deny relay privileges for a different group. For detailed instructions, see How to Restrict Relaying Based on a Security Group.

How to Set Restrictions on a User

In Exchange Server 2003, you can restrict who can send e-mail messages to an individual user.

Note: Submission restrictions for users only function on the bridgehead servers or SMTP gateway servers that run Exchange Server 2003.

Before You Begin

Before you perform the procedure in this topic, read Securing Your Exchange Server. The following permissions are required to perform this procedure:

- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure

To set restrictions on a user

1. Click Start, point to All Programs, point to Microsoft Exchange, and then click Active Directory Users and Computers.
2. Expand your organizational unit container, and then click Users or the container in which the user resides.
3. In the details pane, right-click the user for which you want to restrict submissions, and then click Properties.
4. Click the Exchange General tab, and then click Delivery Restrictions.
5. Under Message Restrictions, under Accept messages, select one of the following options:
   - Click From authenticated users only to allow only authenticated users to send messages to the selected user. When you select From authenticated users only, this option affects how the other options are implemented.
   - Click From everyone to allow anyone who is an authenticated user to send mail to the selected user.
   - Click Only from to specify a set of authenticated users or groups that can send messages to the selected user. Click Add to specify the users or groups that you want to allow to send messages to this user.
   - Click From everyone except to allow all authenticated users but a select set to send messages to the selected user. Click Add to specify the list of users or groups that you do not want to send messages to this user.
6. Leave From authenticated users only cleared. If you leave this check box cleared, the following options are implemented as such:
   - Click From everyone to allow anyone to send messages to the selected user. This includes anonymous users from the Internet.
   - Click Only from to specify a select set of users or groups that can send messages to the selected user. Click Add to specify the users or groups you want to allow to send messages to this user.
7. Click From everyone except to allow everyone but a select set of users or groups to send messages to the selected user. Click Add to specify the list of users or groups that you do not want to send messages to this user. These users or groups can be authenticated users or anonymous users.

How to Set Restrictions on a Distribution Group

In Exchange Server 2003, you can restrict who can send e-mail messages to a distribution list. Restricting submissions on a distribution list prevents non-trusted senders, such as unauthorized Internet users, from sending mail to an internal-only distribution list. For example, an All Employees distribution list should not be available to anyone outside the company (by spoofing or otherwise).

Note: Restricted distribution lists and submission restrictions for users only function on the bridgehead servers or SMTP gateway servers running Exchange Server 2003.

Consider setting restrictions on your internal distribution lists that pertain to full-time employees and other internal groups. By taking this action, you protect these distribution lists from receiving spam and restrict any anonymous users from sending to these distribution lists.

Before You Begin

Before you perform the procedure in this topic, read Securing Your Exchange Server. The following permissions are required to perform this procedure:

- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure

To set restrictions on a distribution list

1. Click Start, point to All Programs, point to Microsoft Exchange, and then click Active Directory Users and Computers.
2. Expand your organizational unit container, and then click Users or the container in which the distribution list resides.
3. In the details pane, right-click the distribution list for which you want to restrict submissions, and then click Properties.
4. In <Distribution List> Properties, click the Exchange General tab.
5. Under Message Restrictions, under Accept messages, select one of the following options:
   Select the From authenticated users only check box to allow only authenticated users to send mail to the selected distribution list. If you select this check box, the following options are implemented as such:
   - Click From everyone to allow authenticated users to send mail to the selected distribution list.
   - Click Only from to specify a select set of authenticated users or groups that can send messages to the selected distribution list. Click Add to specify the users or groups you want to allow to send messages to this distribution list.
   - Click From everyone except to allow all authenticated users but a select set to send to the selected distribution list. Click Add to specify the list of users or groups that you do not want to allow to send messages to this distribution list.
6. Leave From authenticated users only cleared. If you leave this check box cleared, the following options are implemented as such:
   - Click From everyone to allow anyone to send messages to the selected distribution list. This includes anonymous users from the Internet.
   - Click Only from to specify a select set of users or groups that can send messages to the selected distribution list. Click Add to specify the users or groups you want to allow to send messages to this distribution list.
   - Click From everyone except to allow everyone but a select set of users or groups to send to the selected distribution list. Click Add to specify the list of users or groups you do not want to allow to send messages to this distribution list. These users or groups can be authenticated users or anonymous users.

How to Restrict Submissions to an SMTP Server Based on a Security Group

In Exchange Server 2003, you can restrict submissions and relaying permissions to an SMTP virtual server to a limited number of users or groups through the standard Windows 2000 Server or Windows Server 2003 Discretionary Access Control List (DACL). This allows you to specify groups of users who can submit or relay mail on a virtual server. Restricting submissions to an SMTP virtual server is useful if you have specific users that you want to allow to send Internet mail on particular virtual servers. You can grant only these users or groups access to submit mail to these SMTP virtual servers.

Note: Do not restrict submissions on SMTP virtual servers that accept Internet mail.

Before You Begin

Before you perform the procedure in this topic, read Securing Your Exchange Server. The following permissions are required to perform this procedure:

- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To restrict submissions to an SMTP server based on a security group

1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand the server that you want, expand Protocols, and then expand SMTP.
3. Right-click the SMTP virtual server on which you want to restrict submissions, and then click Properties.
4. In <SMTP Virtual Server> Properties, click the Access tab, and then click Authentication.
5. In Authentication, clear the Anonymous access check box, and then click Users to specify a subset of users for which you want to grant submit permissions on this SMTP virtual server.
6. In Permissions for Submit and Relay, to remove a group or user, select the group or user, and then click Remove.
7. To add a group or user, click Add, and then select the group or user for which you want to specify permissions. Select from one of the following options:
   - On Windows Server 2003, in Select Users, Computers, or Groups, under Enter the object name to select, type the name of the user or the group. If you want to search for the user or group, click Advanced, search for the user or group name, and then click Check Names to validate your entry.
     Tip: Click the examples link to view the acceptable formats for your entries.
   - On Windows 2000 Server, in Select Users, Computers, or Groups, select the group or user that you want to grant submit permissions, and then click Add.
8. Click OK to return to the Permissions for Submit and Relay dialog box.
9. Under Group or user names, select the group that you just added.
10. Under Permissions for <Selected group>, next to Submit Permission, if necessary, click Allow to allow the selected user or group to submit mail through this SMTP virtual server.
11. Click OK.

How to Restrict Relaying Based on a Security Group

It is useful to restrict relaying on virtual servers if you want to allow a group of users to relay mail to the Internet and deny relay privileges for a different group.

Before You Begin

Before you perform the procedure in this topic, read Securing Your Exchange Server. The following permissions are required to perform this procedure:

- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To restrict relaying based on a security group

1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand the server that you want, expand Protocols, and then expand SMTP.
3. Right-click the SMTP virtual server on which you want to apply relay restrictions, and then click Properties.
4. In <SMTP Virtual Server> Properties, click the Access tab, and then click Relay.
5. In Relay Restrictions, clear the Allow all computers which successfully authenticate to relay, regardless of the list below check box, and then click Users to specify a subset of users that you want to grant relay permissions on this SMTP virtual server.
6. In Permissions for Submit and Relay, to remove a user or group, select the group or user, and then click Remove.
7. To add a group or user, click Add, and then select the users or group for which you want to specify permissions. Select from one of the following options:
   - On Windows Server 2003, in Select Users, Computers or Groups, under Enter the object name to select, type the name of the user or the group. If you want to search for the user or group, click Advanced, search for the user or group name, and then click Check Names to validate your entry. Click the examples link to view the acceptable formats for your entries.
   - On Windows 2000 Server, in Select Users, Computers or Groups, select the group or user that you want to grant submit permissions, and then click Add.
8. Click OK to return to the Permissions for Submit and Relay dialog box.
9. Under Group or user names list, select the group you just added.
10. Under Permissions for <Selected group>, next to Submit Permission, if necessary, select the check box under Allow to allow the selected user or group to submit mail through this SMTP virtual server.
11. Next to Relay Permissions, select the check box under Allow to permit the selected object to relay through this SMTP virtual server, or select the check box under Deny to prevent the selected object from relaying through this virtual server.
    Note: You must allow Submit Permissions if you want to allow Relay Permissions.
12. Click OK.

Configuring Filtering and Controlling Spam

Controlling spam is a challenge, but there are some methods that you can use to reduce spam:

- Use Exchange 2003 filtering features. Microsoft® Exchange Server 2003 offers connection filtering, recipient filtering, and sender filtering to reduce the amount of spam that is sent to users in your organization.
- Educate your users not to respond to or forward spam. Instruct your users not to click any "remove" links included in the mail because the links are often used to verify addresses.

In Exchange Server 2003, you can configure and enable filtering on your SMTP virtual servers to restrict access to the virtual server. Filtering is configured in Exchange System Manager under Global Settings in Message Delivery Properties. Although you configure filtering at the global level, you must enable it on each individual virtual server. Use filtering to block incoming e-mail messages that are sent to your SMTP virtual server in the following ways:

- Connection filtering allows you to block messages that are sent to your organization based on the Internet Protocol (IP) address of the connecting SMTP server. You can configure global accept lists for IP addresses from which you always want to accept messages and global deny lists for IP addresses from which you always want to reject messages. You can also subscribe to a third-party block list provider, and verify that the connecting IP address is not on their list of blocked IP addresses.
  Note: If you want to block a particular IP address from sending to your SMTP virtual servers, you can add these IP addresses by using the Connection button on the Access tab of your SMTP virtual server properties. You should configure these restrictions on your gateway SMTP virtual servers.
- Recipient filtering allows you to block messages that are sent to a specific recipient address within your organization.
- Sender filtering allows you to block messages that are sent by a specific sender. If your organization repeatedly receives spam from the same sending addresses, you can choose to block these senders from sending mail to your organization.

Connection Filtering

Exchange Server 2003 supports connection filtering based on block lists. Connection filtering takes advantage of external services that list known sources of spam, dial-up user accounts, and servers that are open for relay (based on IP addresses). Connection filtering complements third-party content filter products. This feature allows you to check an incoming IP address against a block list provider's list for the categories that you want to filter. Furthermore, you can use several connection filters and prioritize the order in which each filter is applied. With connection filtering, you can also do the following:

- Configure global accept and deny lists. A global accept list is a list of IP addresses from which you will always accept mail. A global deny list is a list of IP addresses from which you will always deny mail. You can use global accept and deny lists with or without using a block list service provider.
- Configure a recipient address as an exception to all connection filtering rules. When mail is sent to this address, it is automatically accepted, even if the sender appears on a block list.

How Connection-Filtering Rules Work

When you create a connection-filtering rule, SMTP uses the rule to perform a DNS lookup to a list that is provided by a third-party block list service. The connection filter matches each incoming IP address against the IP addresses on the third-party block list. The block list provider issues one of two responses:

- host not found: Indicates that the IP address is not present on its block list.
- 127.0.0.x: A response status code indicating that a match for the IP address was found in the list of offenders. The x value can vary, depending on your block list provider.

If the incoming IP address is found on the block list, SMTP returns a 5.x.x error in response to the RCPT TO command. (The RCPT TO command is the SMTP command that the connecting server issues to identify the intended message recipient.) You can customize the response that is returned to the sender. Additionally, because block list providers usually contain different offender categories, you can specify the matches that you want to reject. Most block list providers screen for three types of offenders:

- Sources of spam: These lists are generated by scanning unsolicited commercial e-mail messages and adding the source address to the list.
- Known open relay servers: These lists are created by identifying open relay SMTP servers on the Internet. The most common reason for an open relay server is a configuration mistake by the system administrator.
- Dial-up user lists: These lists are created from either existing Internet service provider (ISP) lists that contain IP addresses with dial-up access, or from the inspection of addresses that indicate a probable dial-up connection.

How Block List Providers Match Offending IP Addresses

After you set up your connection filter, when an e-mail message is sent to your organization, Exchange contacts the block list provider. The provider checks for the existence of an A (host) record in its DNS. Exchange queries for this information in a specific format. For example, if the connecting address is 192.168.5.1, and the block list provider's organization is contoso.org, Exchange queries for the existence of the following record:

<reverse IP address of the connecting server>.<dns name for the block list organization> IN A 127.0.0.x

which, in this case, is:

1.5.168.192.contoso.org

If this IP address is found on the provider's list, the provider returns a 127.0.0.x status code that indicates an offending IP address and the type of offense. All block list providers return a response code of 127.0.0.x, where x indicates the type of offense. The x value varies, depending on the block list provider.

Understanding Block List Provider Response Codes

As mentioned earlier, if a block list provider finds a match, the provider always returns a status code of 127.0.0.x. The status code is either an explicit return code or a bit mask, which is a multifunctional return code. If your block list provider returns a value, you can specify which values you want to filter against. However, if your block list provider returns a bit mask, you must understand how a bit mask works to specify the matches that you want to filter. A bit mask is a method that is used for verifying that a particular bit is set for an entry. A bit mask differs from a traditional mask in that it checks for a specific bit value, as opposed to a subnet mask, which checks for a range of values. Consider the following example. For each match in its block list, assume a block list provider returns the status codes that are listed in the following table.

Examples of block list status codes

Category                  Returned status code
Known source of spam      127.0.0.3
Dial-up user account      127.0.0.2
Known relay server        127.0.0.4

However, if an IP address is a member of two lists, the block list provider adds the values of the last octet. Therefore, if an IP address is on the list of known relay servers and known sources of spam, the block list provider returns a status code of 127.0.0.7, where 7 is the combined values of the last octet that is returned for the known sources of unsolicited commercial e-mail status code and the known relay servers status code. If you want to filter against only known sources of unsolicited commercial e-mail, enter a bit mask value of 0.0.0.3; the block list then filters against any of the possible values, in this case, 127.0.0.3, 127.0.0.5, 127.0.0.7, and 127.0.0.9. The following table lists the bit mask values that are associated with each of the example status codes.

Examples of block list status codes and corresponding bit mask values

Category                                       Returned status code   Bit mask value
Known source of spam                           127.0.0.3              0.0.0.3
Dial-up user account                           127.0.0.2              0.0.0.2
Known relay server                             127.0.0.4              0.0.0.4
Known relay server and dial-up user account    127.0.0.6              0.0.0.6

In the last category in this table ("Known relay server and dial-up user account"), the bit mask 0.0.0.6 returns a match for an IP address only if it appears on both the known relay server and dial-up user account lists. It does not return a match if the IP address appears on only one of the two lists. You cannot use a bit mask to check for a single match in multiple lists.

Note: A bit mask checks only against a single value. If you set a bit mask value that is returned when an IP address appears on two lists, the mask matches only IP addresses that appear on both lists. If you want to check for an IP address on either of two lists, enter the status codes for these settings.
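
The query format and the return-code matching described in the two sections above, as an added Python example (not code from this guide or from Exchange). The zone data is constructed, the function names and rule dictionaries are hypothetical, and the mask test is modelled as (x AND mask) == mask to follow the Note above; rules are tried in their configured order and evaluation stops at the first match.

```python
import ipaddress

# Constructed zone data standing in for the provider's DNS (contoso.org is the
# page's example provider). Codes follow the page's table: 127.0.0.2 dial-up,
# 127.0.0.4 known relay, 127.0.0.6 when an address is on both lists.
SAMPLE_ZONE = {
    "1.5.168.192.contoso.org": "127.0.0.4",
    "7.100.51.198.contoso.org": "127.0.0.2",
    "10.2.0.192.contoso.org": "127.0.0.6",
    "9.113.0.203.contoso.org": "203.0.113.50",  # answer outside 127.0.0.x
}


def sample_resolver(name):
    """Offline stand-in for an A-record query; None means 'host not found'."""
    return SAMPLE_ZONE.get(name.lower())


def dnsbl_query_name(client_ip, zone):
    """Build <reversed IPv4 octets>.<provider zone> for the connecting address."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def lookup_code(client_ip, zone, resolver=sample_resolver):
    """Return x from a 127.0.0.x answer, or None when the address is not listed."""
    answer = resolver(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return None
    packed = ipaddress.IPv4Address(answer).packed
    # Only 127.0.0.x counts as a listing. Any other A record (for example a
    # wildcard or parked zone) must not be read as a match.
    if packed[:3] != bytes([127, 0, 0]):
        return None
    return packed[3]


def rule_matches(code, rule):
    """Apply one rule to a return code: any listing, explicit codes, or a mask."""
    if code is None:
        return False
    mode = rule["mode"]
    if mode == "any":
        return True
    if mode == "codes":
        # Explicit return codes are compared exactly, so a combined code such
        # as 6 is not covered by listing 2 and 4 alone.
        return code in rule["codes"]
    if mode == "mask":
        # Every bit of the mask must be set: mask 6 needs both 2 and 4.
        return (code & rule["mask"]) == rule["mask"]
    raise ValueError("unknown rule mode: %r" % mode)


def check_connection(client_ip, rules, resolver=sample_resolver):
    """Try rules in configured order; return the first matching rule name."""
    for rule in rules:
        code = lookup_code(client_ip, rule["zone"], resolver)
        if rule_matches(code, rule):
            return rule["name"]  # first match wins, later rules are skipped
    return None


# Constructed rule set: the mask rule is checked before the explicit-code rule.
RULES = [
    {"name": "relay-and-dialup", "zone": "contoso.org", "mode": "mask", "mask": 6},
    {"name": "relay-or-dialup", "zone": "contoso.org", "mode": "codes",
     "codes": {2, 4}},
]

if __name__ == "__main__":
    for ip in ("192.168.5.1", "198.51.100.7", "192.0.2.10",
               "203.0.113.9", "192.0.2.99"):
        print(ip, dnsbl_query_name(ip, "contoso.org"),
              lookup_code(ip, "contoso.org"), check_connection(ip, RULES))
```
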

Specifying Exceptions to the Connection Filter Rule

You can allow message delivery to specific recipients, regardless of whether they appear on a block list. This exception is useful if you want to allow legitimate organizations to communicate with your administrators by contacting the postmaster account. For example, if a legitimate company has a server inadvertently configured to allow open relaying, e-mail messages from this company to your users would be blocked. However, if you configure connection filtering to allow message delivery to the postmaster account in your organization, the administrator in the blocked company could send mail to your postmaster account to communicate their situation or inquire as to why their mail was rejected.

Enabling Connection Filtering

To enable connection filtering, perform the following steps:

1. Create the connection filter by using the Connection Filtering tab on the Message Delivery Properties dialog box. For detailed instructions, see How to Create a Recipient Filter.
2. Apply the filter at the SMTP virtual server level. For detailed instructions, see How to Apply a Recipient Filter to an SMTP Virtual Server.

Each of these steps is detailed in the following sections.

Configuring Connection Filtering

To configure connection filtering, perform the following tasks:

- Create global accept and deny lists.
- Create connection filtering rules.
- Create exceptions to the connection filtering rules.

For detailed instructions about creating global accept lists and global deny lists, see the following topics:

- How to Create a Global Accept List
- How to Create a Global Deny List

For detailed instructions on creating exceptions to the connection filtering rules, see the following topic:

- How to Create a Connection Filter
- How to Specify an Exception to a Connection Rule

Applying the Connection Filter to the Appropriate SMTP Virtual Servers

After creating the connection filter and any exceptions for the filter, you must apply it to the appropriate SMTP virtual servers. Usually, you apply the connection filter to the SMTP virtual servers that exist on your gateway servers that accept inbound Internet e-mail messages. Use the following procedure to apply a connection filter to an SMTP virtual server. For detailed instructions, see How to Apply a Connection Filter to An SMTP Virtual Server.

Recipient Filtering

With recipient filtering, you can filter messages that are sent to nonexistent recipients in your organization, or add specific recipient addresses that are often targeted by senders of spam.

Enabling Recipient Filtering

To enable recipient filtering, perform the following steps:

1. Create the recipient filter by using the Recipient Filtering tab in the Message Delivery Properties dialog box.
2. Apply the filter at the SMTP virtual server level.

Each of these steps is detailed in the following sections.

Sender Filtering

Sender filtering functions in the same way in Exchange Server 2003 as it did in Exchange 2000 Server; it allows you to filter messages that are sent by a specific sender. You can block messages that are sent by any users in a domain or by a specific sender.

Enabling Sender Filtering

To enable sender filtering, perform the following steps:

1. Create the sender filter by using the Sender Filtering tab in the Message Delivery Properties dialog box in Global Settings.
2. Apply the filter at the SMTP virtual server level.

Understanding How Enabled Filters and IP Restrictions Are Applied

Exchange 2003 supports the following filters and IP restrictions:

- Connection filtering
- Recipient filtering
- Sender filtering
- IP restrictions on a virtual server basis

Although connection filtering, recipient filtering, and sender filtering are all configured in Message Delivery Properties, they must be enabled on individual SMTP virtual servers. In contrast, IP restrictions are configured directly on each SMTP virtual server. This section shows the order in which IP restrictions and filters, when configured and enabled, are checked during an SMTP session.

1. An SMTP client attempts to connect to the SMTP virtual server.
2. The IP address of the connecting client is checked against the SMTP virtual server's IP restrictions (configured on the Connection button on the Access tab of the SMTP virtual server Properties):
   - If the connecting IP address is on the list of restricted IPs, the connection is immediately dropped.
   - If the connecting IP address is not on the list of restricted IPs, the connection is accepted.
3. The SMTP client issues an EHLO or HELO command.
4. The SMTP client issues a MAIL FROM: command, similar to the following:
   MAIL FROM: ted@contoso.com
5. The IP address of the SMTP client is then checked against the global accept list (configured in Exchange System Manager on the Connection Filtering tab in the Message Delivery Properties dialog box).
   - If the connecting IP address is on the global accept list, the global deny list is not checked. The process skips Step 6 and proceeds to Step 7.
   - If the connecting IP address is not on the global accept list, Steps 6 and 7 are performed.
6. The IP address of the SMTP client is checked against the global deny list (configured in Exchange System Manager on the Connection Filtering tab in the Message Delivery Properties dialog box).
   - If the IP address of the SMTP client is on the global deny list, the connection is dropped.
   - If the IP address of the SMTP client is not on the global deny list, the session continues.
7. Sender filtering checks the sender that is specified in the MAIL FROM command against its list of blocked senders (configured in Exchange System Manager on the Sender Filtering tab in the Message Delivery Properties dialog box).
   If the sender appears on the blocked senders list, one of two actions occurs, depending on how sender filtering is configured:
   - If sender filtering is configured to drop the connection, the connection is dropped.
   - If sender filtering is configured to accept messages without notifying the sender, the session continues; however, mail is sent to the Badmail directory and not delivered to the intended recipient.
   If the sender does not appear on the sender filtering list, the SMTP virtual server issues a response similar to the following:
   250 2.1.0 ted@contoso.com...Sender OK
8. The connecting SMTP server issues a RCPT TO command similar to the following:
   RCPT TO: kim@example.com
9. The connection filtering rules check the connecting IP address against any block lists that are provided by their block list service providers.
   - If the IP address of the SMTP client is in the accept list, the connection filter rules are bypassed. The process proceeds to Step 10.
   - Connection filtering checks each service provider's block list in the order that is configured in connection filtering. If connection filtering finds a match on a provider's block list, the SMTP virtual server returns an error code and then sends the customized error message that is configured for the connection filtering rule. After a match is found, no other service provider lists are checked.
   - If the IP address of the SMTP client is not on a block list service provider's block list, the session continues.
10. Connection filtering checks if the intended recipient is on the connection filtering exception list.
    - If the recipient is on this list, the communication is accepted, and no other checks are applied at the RCPT TO command. The process skips Steps 11 and 12 and proceeds to Step 13.
    - If the recipient does not appear on the exception list, the recipient is checked against other filters.
11. If the recipient does not appear on the exception list that is configured in connection filtering, the recipient is then checked against any blocked recipients that are configured in recipient filtering.
    - If the recipient is a blocked recipient, the SMTP virtual server returns an invalid recipient error.
    - If the recipient is not a blocked recipient, the session continues.
12. If the recipient is not a blocked recipient, Active Directory is checked to ensure that the intended recipient exists in Active Directory.
    - If the intended recipient is not a valid recipient that exists in Active Directory, the SMTP virtual server returns an invalid recipient error.
    - If the recipient is a valid recipient that exists in Active Directory, the session continues.
13. For each additional recipient that is specified in a RCPT TO command, Steps 10 through 12 are applied.
14. The connecting server then issues a DATA command that is similar to the following:
    DATA
    To: Kim Akers
    From: ted@contoso.com<Ted Bremer>
    Subject: Mail Message
15. Sender filtering then checks that the From address does not match a blocked sender. If the sender that is specified in the DATA command is a blocked sender, one of two actions occurs:
    - If sender filtering is configured to drop the connection, the SMTP virtual server returns a 5.1.0 Sender Denied error and drops the connection.

2#-

D 4f sender filterin is confi ured to accept messa es $ithout notif(in the sender, the session continuesL ho$e"er, mail is sent to the ?admail director( and not deli"ered to the intended recipient) 4f the sender that is specified in the DA#A command is not a bloc%ed sender, the messa e is accepted and Eueued for deli"er()
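
The order of the checks in Steps 5 through 15 is what decides the outcome of a session, so it helps to see it as one decision function. The following Python model is an added example, not code from this guide or from Exchange; the class and function names and all addresses are constructed. It assumes that a recipient on the exception list (Step 10) is accepted even when the connecting IP address matched a block list rule in Step 9, as the exception procedure later in this guide describes.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class FilterConfig:
    """Constructed stand-in for the settings on the Message Delivery Properties tabs."""
    accept_nets: list = field(default_factory=list)        # global accept list (Step 5)
    deny_nets: list = field(default_factory=list)          # global deny list (Step 6)
    blocked_senders: set = field(default_factory=set)      # sender filtering (Steps 7, 15)
    sender_action: str = "drop"                            # "drop" or "badmail"
    block_listed: dict = field(default_factory=dict)       # ip -> matching rule name (Step 9)
    exceptions: set = field(default_factory=set)           # exception list (Step 10)
    blocked_recipients: set = field(default_factory=set)   # recipient filtering (Step 11)
    directory: set = field(default_factory=set)            # Active Directory stand-in (Step 12)


def _listed(ip, nets):
    """True if ip falls inside any single address or subnet in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def evaluate(cfg, client_ip, mail_from, rcpt_tos, data_from):
    """Walk Steps 5-15 and return (outcome, per-recipient results)."""
    on_accept = _listed(client_ip, cfg.accept_nets)               # Step 5
    if not on_accept and _listed(client_ip, cfg.deny_nets):        # Step 6
        return "dropped: global deny list", {}

    badmail = False
    if mail_from.lower() in cfg.blocked_senders:                   # Step 7
        if cfg.sender_action == "drop":
            return "dropped: blocked sender in MAIL FROM", {}
        badmail = True          # session continues, message goes to Badmail

    # Step 9: an accept-list hit bypasses every block list rule.
    rule = None if on_accept else cfg.block_listed.get(client_ip)

    results = {}
    for rcpt in rcpt_tos:                                          # Steps 8-13
        r = rcpt.lower()
        if r in cfg.exceptions:                                    # Step 10
            results[rcpt] = "accepted: exception list"
        elif rule is not None:                                     # Step 9 match
            results[rcpt] = "rejected: block list rule " + rule
        elif r in cfg.blocked_recipients:                          # Step 11
            results[rcpt] = "rejected: invalid recipient (filtered)"
        elif r not in cfg.directory:                               # Step 12
            results[rcpt] = "rejected: invalid recipient (not in directory)"
        else:
            results[rcpt] = "accepted"

    # Assumption, not described in the steps: with no accepted recipient
    # there is nothing to deliver, so the model stops here.
    if not any(v.startswith("accepted") for v in results.values()):
        return "no recipients accepted", results

    if data_from.lower() in cfg.blocked_senders:                   # Step 15
        if cfg.sender_action == "drop":
            return "dropped: 5.1.0 Sender Denied", results
        badmail = True
    return ("badmail" if badmail else "queued"), results


# Constructed sample: deny a whole subnet but accept one host inside it.
SAMPLE = FilterConfig(
    accept_nets=["192.0.2.10/32"],
    deny_nets=["192.0.2.0/24"],
    blocked_senders={"spam@blocked.example"},
    sender_action="badmail",
    block_listed={"198.51.100.7": "Sample Block List Rule"},
    exceptions={"postmaster@example.com"},
    blocked_recipients={"oldlist@example.com"},
    directory={"kim@example.com", "postmaster@example.com", "oldlist@example.com"},
)

if __name__ == "__main__":
    for ip in ("192.0.2.55", "192.0.2.10", "198.51.100.7"):
        print(ip, evaluate(SAMPLE, ip, "ted@contoso.com",
                           ["kim@example.com", "postmaster@example.com"],
                           "ted@contoso.com"))
```

The last case in the sample shows why a block-listed host can still reach the postmaster: only the exception-list recipient is accepted, and every other recipient in the same session is rejected.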

Identifying Spoofed Mail

You can educate your users on how to identify spoofed mail. Unlike Exchange 2000, Exchange 2003 does not resolve anonymous e-mail messages to their display names in its default configuration. Therefore, when mail is sent from a forged address, Exchange 2003 does not resolve the sender's e-mail address to its display name in the global address list.

To understand how Exchange 2003 prevents spoofing, suppose that you have an internal user named Ted Bremer, and he sends mail internally from your domain example.com. The e-mail message shows his sending address as Ted Bremer, which is the display name that is configured in Active Directory for ted@example.com. (This is because when Ted Bremer sends mail, he is an authenticated user.) Exchange then verifies that Ted Bremer has "send as" permissions under his credentials and then resolves his e-mail address to his display name in Active Directory. Spoofing occurs when an unauthorized user pretends to be Ted by forging this address and then sends mail to another user in your domain.

Exchange 2003 does not resolve e-mail addresses that originate externally. Therefore, when an anonymous user attempts to send mail spoofing Ted's identity, Exchange will not resolve the sending address in the From line to its display name. Instead, ted@example.com will appear in the From line of the e-mail. If your users understand this difference, they can at least identify spoofed mail.

However, Exchange 2000 servers do resolve anonymous e-mail by default. If your organization contains Exchange 2000 servers, and they resolve an anonymous e-mail message and send it to an Exchange 2003 server, the address resolves to its display name in the GAL. To prevent this, configure your Exchange 2000 servers so that they do not resolve anonymous mail. For detailed instructions, see How to Verify That Exchange 2003 is Configured to Not Resolve Anonymous Mail and How to Configure Exchange 2000 to Not Resolve External Email Addresses.

How to Create a Global Accept List

Connection filtering allows you to create global accept lists. You can use these lists to always accept mail that is sent from specific IP addresses, regardless of whether you use a block list service provider. Any IP address that appears on the global accept list is automatically accepted, and any connection filtering rules are bypassed.

Entries in the global accept list take precedence over the entries in the global deny list. Exchange Server checks the global accept list before it checks the global deny list. Therefore, to reject connections from a specific subnet and mask, but accept connections from a single IP address within this range, you must enter the IP address from which you want to accept connections on the global accept list. When the connecting IP address that you added to the global accept list attempts to connect to your Exchange server, Exchange Server checks the global accept list first. Because Exchange Server finds a match for this IP address, the connection is accepted, and Exchange Server performs no additional connection filtering checks.

Before You Begin

Before you perform the procedure in this topic, read Configuring Filtering and Controlling Spam.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure

To create a global accept list
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Global Settings, right-click Message Delivery, and then click Properties.
3. Click the Connection Filtering tab.
4. Click Accept. The Accept List dialog box appears.
   [Figure: The Accept List dialog box]
5. Click Add.
6. In IP Address (Mask), select one of the following options:
   - Click Single IP Address to add a single IP address to the global accept list for this connection filter rule.
   - Click Group of IP Addresses to add a subnet address and mask to the global accept list.
7. Click OK.

How to Create a Global Deny List

Connection filtering allows you to create global deny lists. You can use these lists to always reject mail that is sent from specific IP addresses, regardless of whether you use a block list service provider. Any IP address that appears on the global deny list is automatically rejected.

Entries in the global accept list take precedence over the entries in the global deny list. Exchange Server checks the global accept list before it checks the global deny list. Therefore, to reject connections from a specific subnet and mask, but accept connections from a single IP address within this range, you must enter the subnet and mask for the range of IP addresses from which you want to reject connections on the global deny list.

Before You Begin

Before you perform the procedure in this topic, read Configuring Filtering and Controlling Spam and How to Create a Global Accept List.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure

To create a global deny list
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Global Settings, right-click Message Delivery, and then click Properties.
3. Click the Connection Filtering tab.
4. Click Deny. The Deny List dialog box appears.
   [Figure: The Deny List dialog box]
5. Click Add.
6. In IP Address (Mask), select one of the following options:
   - Click Single IP Address to add a single IP address to the global deny list for this connection filter rule.
   - Click Group of IP Addresses to add a subnet address and mask to the global deny list.
7. Click OK.

How to Create a Connection Filter

Use the following procedure to create a connection filter rule and any exceptions that you want to configure for this rule.

Before You Begin

Before you perform the procedure in this topic, read Configuring Filtering and Controlling Spam.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure

To create a connection filter
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Global Settings, right-click Message Delivery, and then click Properties.
3. Click the Connection Filtering tab.
   [Figure: The Connection Filtering tab in the Message Delivery Properties dialog box]
4. To create a connection filter rule, click Add. The Connection Filtering Rule dialog box appears.
   [Figure: The Connection Filtering Rule dialog box]
5. In the Display Name box, type a name for the connection filter.
6. In the DNS Suffix of Provider box, type the DNS suffix that the provider appends to the IP address.
7. In the Custom Error Message to Return (default error message will be used if left blank) box, if desired, type the custom error message to return to the sender. Leave this box blank to use the following default error message:

   <IP address> has been blocked by <Connection Filter Rule Name>

   You can use the following variables to generate a custom message:
   - %0 - connecting IP address
   - %1 - connection filter rule name
   - %2 - the block list provider name

   For example, if you want your custom message to read:

   The IP address <IP address> has been blocked by the following block list provider <block list provider name>,

   type the following in the custom error message:

   The IP address %0 was rejected by block list provider %2.

   Exchange replaces %0 with the connecting IP address and %2 with the block list provider.

   Note: If you want to include a percent sign (%) in your error message, you must type the percent sign twice (%%).
8. To configure which return status codes received from the block list provider you want to match in the connection filter, click Return Status Code. The Return Status Code dialog box appears.
   [Figure: The Return Status Code dialog box]
9. Select one of the following options:
   - Click Match Filter Rule to Any Return Code (this connection filter rule is matched to any return status code received from the provider service) to set the default value that matches the connection filter to any return status.
   - Click Match Filter Rule to the Following Mask (this connection filter rule is matched to return status codes received from the provider by using a mask to interpret them), and then type the mask you want to filter against the masks that are used by your providers.
     Note: A bit mask checks only against a single value. If you set a bit mask value that is returned when an IP address appears on two lists, the mask will match only IP addresses that appear on both lists. If you want to check for an IP address on either of two lists, enter the status codes for these settings.
   - Click Match Filter Rule to Any of the Following Responses (this connection filter rule is matched to returned status codes received from the provider service by using the specific values of the return status codes below). Click Add, and in Return Status Code, type the status code that you want to match. For each additional status code, click Add, type the code, and then click OK.
10. Click OK.
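
The three return status code options and the %0/%1/%2 message variables are easier to compare side by side. The following Python model is an added example, not code from this guide or from Exchange. The class and function names, the provider suffixes, the return codes and the addresses are all constructed; it assumes the usual block list convention of querying the reversed IP octets followed by the provider's DNS suffix, that a mask matches only when every bit of the mask is set in the returned code (as the Note on bit masks describes), and that %2 expands to the provider's DNS suffix.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class ConnectionFilterRule:
    display_name: str            # Display Name box
    dns_suffix: str              # DNS Suffix of Provider box
    custom_error: str = ""       # blank -> default error message
    match_mode: str = "any"      # "any", "mask" or "codes"
    mask: str = "0.0.0.0"        # used when match_mode == "mask"
    codes: tuple = ()            # used when match_mode == "codes"

    def query_name(self, client_ip):
        """Name looked up at the provider: reversed octets plus the DNS suffix."""
        octets = str(ipaddress.IPv4Address(client_ip)).split(".")
        return ".".join(reversed(octets)) + "." + self.dns_suffix.strip(".")

    def matches(self, return_code):
        """return_code is the provider's answer, or None when the IP is not listed."""
        if return_code is None:
            return False
        if self.match_mode == "any":
            return True
        if self.match_mode == "mask":
            code = int(ipaddress.IPv4Address(return_code))
            mask = int(ipaddress.IPv4Address(self.mask))
            return (code & mask) == mask      # every mask bit must be present
        return return_code in self.codes      # explicit list of status codes

    def error_message(self, client_ip):
        """Expand %0, %1, %2 and the doubled percent sign in a single pass."""
        template = self.custom_error or "%0 has been blocked by %1"
        values = {"0": client_ip, "1": self.display_name,
                  "2": self.dns_suffix, "%": "%"}
        return re.sub(r"%([012%])", lambda m: values[m.group(1)], template)


def first_match(rules, client_ip, answers):
    """Check providers in configured order and stop at the first matching rule."""
    for rule in rules:
        if rule.matches(answers.get(rule.query_name(client_ip))):
            return rule.display_name, rule.error_message(client_ip)
    return None, None


# Constructed rules: the provider is assumed to answer 127.0.0.2 for list A,
# 127.0.0.4 for list B and 127.0.0.6 when an address is on both lists.
RULES = [
    ConnectionFilterRule("Both Lists", "bl-a.example", match_mode="mask", mask="0.0.0.6",
                         custom_error="The IP address %0 was rejected by block list provider %2."),
    ConnectionFilterRule("Either List", "bl-a.example", match_mode="codes",
                         codes=("127.0.0.2", "127.0.0.4", "127.0.0.6")),
    ConnectionFilterRule("Second Provider", "bl-b.example"),
]

# Constructed provider answers, standing in for live DNS lookups.
ANSWERS = {
    "9.113.0.203.bl-a.example": "127.0.0.2",
    "9.113.0.203.bl-b.example": "127.0.0.2",
    "44.100.51.198.bl-a.example": "127.0.0.6",
}

if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.44", "192.0.2.1"):
        print(ip, first_match(RULES, ip, ANSWERS))
```

An address that is on only one of the two lists falls through the mask rule and is caught by the rule that enumerates the status codes, which is the behavior the Note on bit masks warns about.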

How to Verify That Exchange 2003 is Configured to Not Resolve Anonymous Mail

Exchange 2000 servers resolve anonymous e-mail by default. If your organization contains Exchange 2000 servers, and they resolve an anonymous e-mail message and send it to an Exchange 2003 server, the address resolves to its display name in the global address book (GAL). To prevent this, configure your Exchange 2000 servers so that they do not resolve anonymous mail.

Note: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

Before You Begin

Before you perform the procedure in this topic, read Configuring Filtering and Controlling Spam.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at administrative group level

Procedure

To verify that your Exchange 2003 server is configured to not resolve anonymous mail
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand <Bridgehead Server Name>, expand Protocols, and then expand SMTP.
3. Right-click the SMTP virtual server that you want, and then click Properties.
4. On the Access tab, click Authentication.
5. In Authentication, under the Anonymous access check box, verify that the Resolve anonymous e-mail check box is cleared.

Note: Remember that if this server is an internal SMTP virtual server, you can also clear the Anonymous access check box. For more information about anonymous access on an internal SMTP virtual server, see "Preventing Anonymous Access on Internal SMTP Virtual Servers and Dedicated SMTP Virtual Servers for IMAP and POP Clients" in Securing Your Exchange Server.

How to Configure Exchange 2000 to Not Resolve External Email Addresses

Exchange Server 2003 does not resolve e-mail addresses that originate externally. Therefore, when an anonymous user attempts to send mail spoofing a user's identity, Exchange Server will not resolve the sending address in the From line to its display name. Instead, for a user named Ted, ted@example.com will appear in the From line of the e-mail. If your users understand this difference, they can at least identify spoofed mail.

Before You Begin

Be cautious when you select the servers on which you want to enable this setting. If you change the behavior on the default SMTP virtual server, and there are multiple servers in your organization, all internal mail that originates on other Exchange 2000 servers is also affected. Therefore, because Exchange 2000 Server uses SMTP to route internal mail between servers, you may want to create a new SMTP virtual server, or perhaps to apply this setting only on an incoming SMTP bridgehead server.

Before you perform the procedure in this topic, read Configuring Filtering and Controlling Spam and How to Verify That Exchange 2003 is Configured to Not Resolve Anonymous Mail.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To configure Exchange 2000 Server to not resolve e-mail addresses that originate externally
1. Start Registry Editor: Click Start, click Run, type regedt32, and then click OK.
2. Locate or create the following key in the registry (where 1 is the SMTP virtual server number):

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsExchangeTransport\Parameters\1

   Note: You may need to create both the Parameters key and the 1 key.
3. On the Edit menu, click Add Value, and then add the following registry value:

   Value name: ResolveP2
   Data type: REG_DWORD

4. Use the following flags to determine which value to use:

   Field          Value
   -----------    -----
   FROM:          2
   TO: and CC:    16
   REPLY TO:      32

   To determine the value that you want to use, add the values for all of the elements that you want to be resolved. For example, to resolve all of the fields except the sender, type 48 (16+32=48). To resolve only the recipients, type only 16. By default, Exchange 2000 Server resolves everything. You can specify this behavior either by removing the key or by setting the value with this formula: 2+16+32=50.
5. Quit Registry Editor.
6. Restart the SMTP virtual server.

How to Create a Recipient Filter

Use the following procedure to create a recipient filter.

Before You Begin

Before you perform the procedure in this topic, read Configuring Filtering and Controlling Spam.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure

To create a recipient filter
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Global Settings, right-click Message Delivery, and then click Properties.
3. In Message Delivery Properties, click the Recipient Filtering tab.
   [Figure: The Recipient Filtering tab in the Message Delivery Properties dialog box]
4. To add the address of a specific recipient, click Add, and then, in Add Recipient, type the recipient address, and then click OK. The recipient address must meet the following criteria:
   - The recipient address must contain an at sign (@).
   - Display names must be enclosed in quotation marks with the @ sign immediately following. Ensure that there are no spaces between the quotation marks and the @ symbol. For example, if you want to filter mail for a recipient with the display name of Ted Bremer in the contoso.com domain, you type:

     "Ted Bremer"@contoso.com

   - Use an asterisk (*) to denote all members of a domain or simply enter @domain. For example, to filter mail that is sent to all users with the domain suffix of contoso.com, type either:

     *@contoso.com
     @contoso.com

5. To filter mail that is sent to users who do not exist in Microsoft® Active Directory® directory service, select the Filter recipients who are not in the Directory check box.

   Note: Selecting the Filter recipients who are not in the Directory check box can potentially allow malicious senders to discover valid e-mail addresses in your Exchange Server organization.

How to Apply a Recipient Filter to an SMTP Virtual Server

After creating the recipient filter, you must apply it to the appropriate SMTP virtual servers. Usually, you apply the recipient filter on the SMTP virtual servers that exist on your gateway servers that accept inbound Internet e-mail. Use the following procedure to apply a recipient filter to an SMTP virtual server.

Before You Begin

Before you perform the procedure in this topic, read Configuring Filtering and Controlling Spam and How to Create a Recipient Filter.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure

To apply a recipient filter to an SMTP virtual server
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand the server that you want, expand Protocols, and then expand SMTP.
3. Right-click the SMTP virtual server on which you want to apply the filter, and then click Properties.
4. In <SMTP Virtual Server> Properties, on the General tab, click Advanced.
5. In Advanced, select the IP address for which you want to apply the filter, and then click Edit.
6. In Identification, select the Apply Recipient Filter check box to apply the filter that you previously set.
   [Figure: The Identification dialog box]
7. If you have multiple virtual servers, repeat Steps 3 through 6 for each virtual server on which you want to apply the filter.

How to Specify an Exception to a Connection Rule

You can create exceptions to the connection filter rule. Specifically, you can allow message delivery to specific recipients (for example, to the postmaster), regardless of whether the connecting IP address is on a block list.

Before You Begin

Before you perform the procedure in this topic, read Configuring Filtering and Controlling Spam.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure

To specify an exception to a connection rule
1. In Message Delivery Properties, on the Connection filtering tab, click Exception. The Block List Service Configuration Settings dialog box appears.
   [Figure: The Block List Service Configuration Settings dialog box]
2. Click Add.
3. In Add Recipient, type the SMTP address of the recipient for whom you want to accept all messages, regardless of whether the connecting IP address appears on a block list.
4. Click OK twice.

How to Apply a Connection Filter to An SMTP Virtual Server

After creating the connection filter and any exceptions for the filter, you must apply it to the appropriate SMTP virtual servers. Usually, you apply the connection filter to the SMTP virtual servers that exist on your gateway servers that accept inbound Internet e-mail messages. Use the following procedure to apply a connection filter to an SMTP virtual server.

Before You Begin

Before you perform the procedure in this topic, read Configuring Filtering and Controlling Spam.

The following permissions are required to perform this procedure:
- Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at administrative group level

Procedure

To apply a connection filter to an SMTP virtual server
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Servers, expand the server that you want, expand Protocols, and then expand SMTP.
3. Right-click the SMTP virtual server on which you want to apply the filter, and then click Properties.
4. In <SMTP Virtual Server> Properties, on the General tab, click Advanced.
5. In Advanced, select the IP address for which you want to apply the filter, and then click Edit.
6. In Identification, select the Apply Connection Filter check box to apply the filter that you previously set.
   [Figure: The Identification dialog box]
7. If you have multiple virtual servers, repeat Steps 3 through 6 for each virtual server on which you want to apply the filter.

Part Four

Part 4 concentrates on troubleshooting techniques that you can use to identify and resolve transport problems. It also presents some common scenarios that can cause message flow problems and illustrates ways to remedy these situations.

Troubleshooting Routing
This section provides information about using the WinRoute tool to troubleshoot routing problems in a Microsoft® Exchange 2000 Server and Exchange Server 2003 messaging environment.

Troubleshooting Mail Flow and SMTP
This section explains many common problems in mail flow. In addition, this section provides you with information about how to use several tools and how to configure diagnostic logging.

Troubleshooting Non-Delivery Report Messages
This section provides strategies to take and tools to use when you are attempting to resolve issues that are related to non-delivery reports. NDRs are a type of delivery status notification.

Troubleshooting Routing

This topic discusses some common situations that can disrupt routing in your Microsoft® Exchange organization. Topics addressed include:

Using WinRoute
This section explains the value of the WinRoute tool in troubleshooting routing issues.

Common Link State Problems
This section explains the problems that are created by disconnections between routing groups, routing group master conflicts, deleted routing groups, connectors that are not marked as available, and oscillating connections, and explains how to resolve these situations.

Broken Link State Propagation
This section explains the problems that occur when you change a routing group bridgehead server from an Exchange Server version 5.5 server to an Exchange 2000 Server or Exchange Server 2003 bridgehead server, and then change the bridgehead server back to an Exchange 5.5 server.

Using WinRoute

WinRoute is an Exchange 2003 tool that is used to determine the routing topology and link state routing information that is known to the routing master. This tool should be the first step in troubleshooting routing issues in an Exchange 2000 and Exchange 2003 messaging environment. The tool connects to the link state port, TCP port 691, on an Exchange 2000 server or Exchange 2003 server, and extracts the link state information for an organization. The information is a series of GUIDs that WinRoute matches to objects in Microsoft Active Directory® directory service, connectors and bridgehead servers, and then presents in a readable format.

Note: The WinRoute tool and user documentation are available at the Downloads for Exchange Server 2003 Web site. It is recommended that you download and use this tool on all Exchange 2000 and Exchange 2003 servers in your organization. Use this tool rather than the WinRoute tool that shipped with Exchange 2000.

Common Link State Problems

Within a routing group, Exchange uses TCP port 691 to communicate link state and routing information updates between the routing group master and its routing group members. Between two routing groups, two routing group bridgehead servers use the X-LINK2STATE verb to exchange link state information by comparing the digest, an encrypted digital signature in the Orginfo packet, that contains link state information of the two routing group bridgeheads. A discrepancy between these digests causes an exchange of link state information between the two servers using SMTP port 25.

The routing group master coordinates changes to link state that are learned by servers within its routing group and retrieves updates from Active Directory. If the routing group master becomes unavailable, all servers in the routing group continue to operate on the same information that they had at the time that they lost contact with the routing group master. When the routing group master becomes available again, it reconstructs its link state information, beginning with all servers and connectors marked as unavailable. Then, discovering any unavailable servers, the routing group master updates members within the routing group.

This section discusses the following link state problems and explains the recommended resolution:
- Disconnection between routing group member and master
- Conflicts between routing group masters
- Problems that are caused by deleted routing groups
- Connectors that are not marked as "down"
- Oscillating connections

Disconnection Between Routing Group Member and Master

When a routing group member is unable to connect to the routing group master, WinRoute indicates the situation with a red X next to the routing group member.

[Figure: Disconnection between routing group members and master]

Take the following steps to resolve this issue:
- Ensure that the Microsoft Exchange Routing Engine service (RESvc) is started and in a controlled state on all affected servers in the routing group. If the routing engine service is in an unstable state, routing group members may not be able to connect to the routing group master. Investigate the root cause of any unstable services first.
- Verify that port 691 is not restricted by a firewall by initiating a telnet session to port 691 of the affected servers and the master node. You should see a Microsoft Routing Engine banner to indicate an active state.
- From a command line, type the following:

  netstat -a -n

  The output should reveal all routing group members and the master itself connecting to port 691 on the master node, similar to the following:

  TCP 127.0.0.1:691 127.0.0.1:691 ESTABLISHED

- Check Event Viewer application logs for any events that indicate a failure to authenticate using the machine account (domain\server name). Monitor for the following transport events:
  - Event ID 961 is logged when a member server fails to authenticate with its routing group master.
  - Event ID 962 is logged after a client node fails to authenticate with the routing service (RESvc).
  - Event ID 996 is logged when a client routing node successfully authenticates with the routing engine service.
  - Event ID 995 is logged when a routing group member successfully authenticates with its routing group master.
- Verify that the affected servers can generate a ServicePrincipalName (SPN) that is used in the authentication process by checking the ncacn_ip_tcp value in the network address attribute of the affected servers. This is done by using a directory access tool, such as LDP (ldp.exe) or ADSI Edit (adsiEdit.msc). Members in a routing group have to mutually authenticate with the routing group master to connect. To do this, they use the ncacn_ip_tcp value in the network address attribute of the Exchange server to generate the SPN for the master node by calling DsClientMakeSpnForTargetServer. The routing group members can then authenticate using Kerberos. Make sure this value is a fully qualified domain name (FQDN), and not a NetBIOS name or an Internet Protocol address.
- Restart the Exchange Routing Engine service.
- Verify that the domain machine account password has not expired.
- If the membership of the routing group spans multiple domains, ensure that the cause of the problem is not a child domain or root domain problem from a DNS misconfiguration.
- Check for any non-Microsoft applications or group policy objects that restrict permissions or security.
- Configure another server in the routing group as the routing group master. This approach offers an interim solution. Reassigning the routing group master role can provide relief until the problem is resolved.
- If the routing group master or any routing group members are missing the SendAs permission, WinRoute will show the server as Am I connected to the Master? NO. Verify that this server or the groups it belongs to are not explicitly denied the SendAs permission on the routing group master.
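
The netstat check in the list above can be turned into a repeatable comparison against the servers you expect in the routing group. The following Python script is an added example, not part of this guide or of any Exchange tool; the function names, the sample output and the member addresses are constructed, and it assumes the four-column TCP lines that netstat -a -n prints on the routing group master.

```python
def parse_tcp_lines(netstat_text):
    """Yield (local, remote, state) for each four-column TCP line."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].upper() == "TCP":
            yield parts[1], parts[2], parts[3].upper()


def is_listening(netstat_text, port=691):
    """True if something on this server is listening on the link state port."""
    return any(state == "LISTENING" and local.rsplit(":", 1)[-1] == str(port)
               for local, _remote, state in parse_tcp_lines(netstat_text))


def routing_peers(netstat_text, port=691):
    """Remote addresses with an ESTABLISHED connection to the local link state port."""
    peers = set()
    for local, remote, state in parse_tcp_lines(netstat_text):
        if state == "ESTABLISHED" and local.rsplit(":", 1)[-1] == str(port):
            peers.add(remote.rsplit(":", 1)[0])
    return peers


def missing_members(netstat_text, expected_members, port=691):
    """Expected routing group members that have no connection to the master."""
    return sorted(set(expected_members) - routing_peers(netstat_text, port))


# Constructed sample of `netstat -a -n` output captured on the master node.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:691            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:691           10.0.0.21:1042         ESTABLISHED
  TCP    10.0.0.5:691           10.0.0.22:2977         ESTABLISHED
  TCP    10.0.0.5:25            10.0.0.23:3310         ESTABLISHED
  TCP    10.0.0.5:691           10.0.0.24:1188         TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

# Constructed list of member servers expected in the routing group.
EXPECTED_MEMBERS = ["10.0.0.21", "10.0.0.22", "10.0.0.23", "10.0.0.24"]

if __name__ == "__main__":
    print("listening on 691:", is_listening(SAMPLE_NETSTAT))
    print("connected members:", sorted(routing_peers(SAMPLE_NETSTAT)))
    print("missing members:", missing_members(SAMPLE_NETSTAT, EXPECTED_MEMBERS))
```

A member that appears only on port 25, or only in a state other than ESTABLISHED, is reported as missing and is the first candidate for the telnet and Event Viewer checks.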

Conflicts Between Routing Group Masters

The first server that is installed into the routing group is automatically designated as the master node or routing group master. As other servers are installed, you can designate another server as the routing group master.

At any point in time, only one server should be recognized by itself and other servers as the master. This configuration is enforced by an algorithm where (N/2) +1 servers in the routing group must agree and acknowledge the master. N denotes the number of servers in the routing group. The member nodes consequently send link state ATTACH data to the master.

Sometimes, two or more servers mistake the wrong server as the routing group master. For example, if a routing group master was moved or was deleted without choosing another master node, it is possible for msExchRoutingMasterDN, the attribute in Active Directory that designates the routing group master, to point to a deleted server because the attribute is not linked.

Furthermore, this situation can also occur when an old routing group master refuses to detach as master, or a rogue node keeps sending link state ATTACH information to an old routing group master. In Exchange 2003, if msExchRoutingMasterDN points to a deleted object, the master node relinquishes its role as master and initiates a shutdown of the master role.

Take the following steps to resolve this issue:
- Check for healthy link state propagation within the routing group on port 691. Verify that a firewall or SMTP filters are not blocking communication. Verify that no Exchange service is stopped.
- Check Active Directory replication latencies by using the Active Directory Replication Monitor tool (Replmon.exe) that is available in the Windows Resource Kit.
- Check for network problems and latencies.
- Check for deleted routing group masters or servers that no longer exist. If this is the case, a transport event 958 is logged in the application log of Event Viewer that states that a routing group master no longer exists. Verify this information by using a directory access tool, such as LDP (ldp.exe) or ADSI Edit (adsiEdit.msc).

Problems Caused by Deleted Routing Groups


When routing groups are deleted after servers are moved out of them or for other reasons, WinRoute may display the text "object_not_found_in_DS" for the objects. Exchange servers maintain the link state table that still references the objects, but these objects are missing from Active Directory when the routing engine service initializes and checks Active Directory to find the related objects. Exchange routing cannot automatically remove deleted routing groups and their members (that is, servers and connectors) from the link state table. In fact, routing treats the deleted routing groups no differently than existing, functional routing groups. In rare cases, deleted routing groups can cause a malfunction in routing as well as mail loops. Deleted routing groups can severely affect topologies in which an Exchange 5.5 site joins an Exchange 2003 organization.

Additionally, these deleted routing group objects may significantly contribute to the size of the link state table, and thereby increase the network traffic that is incurred in the exchange of link state information. Finally, if the Personal Address Book (PAB) or Offline Address Book (OAB) has a legacyExchange domain name that matches a deleted routing group, the deleted routing group objects will cause mail that is sent to non-existent users from the PABs or OABs to be added to the messages with an unreachable destination queue. After the default timeout of two days, the mail will be returned to the sender with a non-delivery report (NDR). Without the deleted routing group object, mail sent to non-existent users will immediately be returned to the sender with an NDR, instead of being added to the queue first.

Figure: Deleted routing group in WinRoute

To resolve this issue, first verify that the account that you are using to view routing information on the server has adequate permissions. If possible, log on to WinRoute by using the system account and the AT interactive command. Lack of adequate read permissions can result in erroneous object_not_found_in_DS messages in WinRoute. You can purge deleted routing groups from the link state information by using one of the following methods:

Shut down all servers in the organization at the same time to refresh routing cache information, and purge deleted routing groups and connectors. Shut down all Exchange and Windows Management Instrumentation (WMI) services on all Exchange servers in the organization simultaneously.

You can also resolve this issue by using Remonitor.exe to reduce the size of the deleted routing group footprint and to mark the routing group as deleted. Remonitor.exe is a tool that can inject a custom routing packet into an Exchange organization. The custom packet is a modified version of the deleted routing group packet. This modified version does not have server or connector entries, which significantly reduces the size of the routing group object. Also, this version eliminates the possibility of a malfunction or delay in routing that can occur due to a connector entry in which the routing group is deleted. Because the tool injects a modified packet that does not have connector entries, there cannot be a connector entry in which the routing group is deleted. Finally, Remonitor.exe updates the version number of the modified routing group so that no server or connection entries can be added to this deleted routing group. For detailed instructions, see How to Run Remonitor.exe as Local System Account in Inject Mode. After running Remonitor.exe, the routing packet no longer contains any server members or connectors. The routing group addresses are now prefaced by the key word deleted. Also, the version number of the routing group object is incremented.

Figure: Deleted routing group in WinRoute after running Remonitor.exe

Connectors Are Not Marked as "Down"


There are some instances where a connector's link state may be marked as "up" when it is in fact unavailable or "down." Routing does not mark link state on a connector as down in the following situations:

Connectors that use DNS to route to a domain in the address space (for example, SMTP connectors using DNS).
Exchange 5.5 or custom EDK (Exchange Development Kit) connectors because they do not use link state routing.
Routing group connectors with local bridgehead servers of any local bridgehead. You designate any local bridgehead server as the local bridgehead by clicking Any local server can send mail over this connector when creating a routing group.
Routing group connectors where one bridgehead server is an Exchange 5.5 server.

Other unusual instances include:

Situations where, within a routing group, relay mail fails to prevent message transfer agent (MTA) loops within a routing group.
Connectors configured with a smart host that has changed very recently.

For routing to mark a connector as down, all source bridgehead servers have to be down with a state of VS_CONN_NOT_AVAILABLE or VS_CONN_NOT_STARTED. You can check the status by using WinRoute.

Oscillating Connections
Connectors that are on an unreliable network and are marked as "up" and then "down" repeatedly cause excessive link state updates between servers. These changes cause expensive and frequent recalculation of routes within Exchange. In Event Viewer, event ID 4005 is logged frequently and appears with the text "reset routes." Exchange 2003 mitigates these changes if it detects a frequently changing connector state by leaving the state marked as up within a single polling window, the period during which a server monitors the change. However, if these changes occur in different polling periods, an oscillating connection can still generate link state traffic. The default state delay change interval is 10 minutes for Exchange 2003 servers.

Exchange routing chooses the optimal path and locates the next server for a message to make its next hop to, giving this "next-hop" server name to queuing. The optimal path is chosen considering variables such as cost, message type, and restrictions. Consequently, because of the oscillating state of a connector, Exchange has to recalculate the most optimal path repeatedly, which involves queries to Active Directory and performance costs.

When Exchange queuing notices a link failure to the bridgehead server on a connector, routing relays this information to the routing group master. The routing group master suppresses this information for up to 10 minutes to prevent connector state fluctuations. If routing marks the connector as down, this change is propagated to all Exchange servers in the organization, including the server on which the original failure occurred. This notification is called a reset route, and it is a highly expensive process in terms of CPU usage. Mail no longer queues on the connector, and routing must generate new paths for delivery. The same process occurs for marking a connector as up.

An oscillating connection occurs in the following situations:

Network problems, which can be seen in a network trace.

Reactions to link status notification callbacks from underlying protocol services (SMTP and MTA) due to an interference on the X.400 or SMTP protocol levels by non-Microsoft applications. In this scenario, only a network monitor capture can reveal the issues. In addition you can use the remonitor.exe tool that is available from Microsoft Product Support Services.

You can use Network Monitor (Netmon.exe) or the remonitor.exe tool in monitor mode to identify and address the root causes of oscillating connections. Additionally, if the oscillating connections are causing excessive propagation traffic, you can suppress the propagation of link state changes until you solve the root cause. For detailed instructions, see How to Suppress Link State Information on a Server. For more information about suppressing link state traffic, see "Suppressing Link State Traffic for Connectors" in Advanced Routing Configuration.

Broken Link State Propagation


Exchange 5.5 servers do not use link state information, but instead they rely on the gateway address routing table (GWART) to route messages. In a mixed-mode organization, Exchange 2000 and later versions recognize this limitation and read the configuration of Exchange 5.5 servers directly from Active Directory. Thus, Exchange 2000 and Exchange 2003 servers do not expect Exchange 5.5 servers to exchange link state information with them.

When an Exchange 5.5 bridgehead server in an Exchange routing group is upgraded to an Exchange 2000 or Exchange 2003 server and designated as a bridgehead server, it begins to participate in the exchange of link state information and it no longer has a major version number of zero. Exchange 2000 and Exchange 2003 servers use version numbers in the link state table to compare link state tables and ensure that servers have the most recent information about link state. A major version number of zero indicates a server that does not participate in link state information or has never exchanged link state information. All pure Exchange 5.5 sites have a version number of zero because they do not exchange link state information. When the server is upgraded to an Exchange 2000 or Exchange 2003 server, it begins to participate in link state information and increments its major version number. So, bridgehead servers in other routing groups expect the newly upgraded server to inform them of link state changes in its routing group.

A problem occurs if you now designate an Exchange 5.5 server as the bridgehead server for this routing group. Other servers still expect the Exchange 5.5 bridgehead server, the former Exchange 2000 or Exchange 2003 bridgehead server, to participate in link state propagation and wait for this server to give them updated link state information. However, because the server has reverted to Exchange 5.5, it no longer has a link state table. Therefore, this routing group now becomes isolated and does not participate in dynamic link state updates in the organization.

This isolated routing group is problematic in a situation as shown in Figure 11.4. Specifically, because the Exchange 5.5 bridgehead server was formerly an Exchange 2000 or Exchange 2003 bridgehead server, other servers expect it to participate in link state propagation. The Exchange 5.5 Internet Mail Connector and Exchange 2003 SMTP connector in the following figure both use a single smart host to route mail to the Internet. The smart host becomes unavailable, so the Exchange 2003 bridgehead server marks the route through its SMTP connector as unavailable. However, because the bridgehead server expects the Exchange 5.5 server to send link state information about its routing groups and connectors, it assumes that the route through the Internet Mail Connector is available and attempts to deliver messages through this route. After one failure, the Exchange 2003 server detects a possible loop and does not attempt delivery through this route.

Figure: Exchange 5.5 and Exchange 2003 servers connecting to a smart host

Link state propagation can also be broken if a firewall that is blocking link state propagation is added to the system. For example, ports 25 and 691 are required within a routing group, and port 25 is required between routing groups. Also, the Extended Simple Mail Transfer Protocol (ESMTP) command X-LINK2STATE must not be blocked by a firewall. To resolve this problem, the following solutions are available:

Upgrade the Exchange 5.5 bridgehead server to an Exchange 2000 or Exchange 2003 server, or use another Exchange 2000 or Exchange 2003 server to send link state information for this routing group again. Either of these options provides the preferred and simplest resolution.

To reset non-connected routing groups to link state major version number 0, shut down all Exchange servers in your organization simultaneously, and then restart all Exchange servers.

Configure the firewall so that link state propagation is not prevented.

For more information about isolated or disjointed routing groups and the major version numbers, see Microsoft Knowledge Base article 842026, "Routing status information is not propagated correctly to all servers in Exchange 2000 Server or in Exchange Server 2003."

How to Run Remonitor.exe as Local System Account in Inject Mode


Remonitor.exe is a tool that can inject a custom routing packet into an Exchange Server organization. The custom packet is a modified version of the deleted routing group packet. This modified version does not have server or connector entries, which significantly reduces the size of the routing group object. Also, this version eliminates the possibility of a malfunction or delay in routing that can occur due to a connector entry in which the routing group is deleted. Because the tool injects a modified packet that does not have connector entries, there cannot be a connector entry in which the routing group is deleted. Finally, Remonitor.exe updates the version number of the modified routing group so that no server or connection entries can be added to this deleted routing group.

To use Remonitor.exe, you must first request the tool from Microsoft® Product Support Services. You must copy Remonitor.exe to the Exchsrvr\bin directory on an Exchange server.

Note: You cannot inject a routing packet on the same server on which you run the Remonitor tool. You must run the tool on a separate server.

Note: After you delete a routing group, you must wait for this change to be replicated to all Microsoft Active Directory® directory service servers in the organization before you run Remonitor.exe.

You must run the tool with an account that has SendAs permissions on the Exchange server, such as the local system account.

Note: You only need to run Remonitor.exe against one server in the Exchange Server organization. The packet injection is propagated to the remaining servers in your organization.

After running Remonitor.exe, the routing packet no longer contains any server members or connectors. The routing group addresses are now prefaced by the key word deleted. Also, the version number of the routing group object is incremented.

Before You Begin


Before you perform the procedure in this topic, read Troubleshooting Routing.

Procedure
To run Remonitor.exe as local system account in inject mode
1. At the command prompt, type the following: at <time> /interactive "cmd.exe" where <time> is any time of day.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.
3. In Scheduled Tasks, right-click the At job you just created, and then click Run.
   Note: The At task you created appears as At<ID> where ID is the task ID assigned when you created the task.
4. A new command prompt window opens, running as the local system account.
5. In this window, navigate to the .\Exchsrvr\bin directory in your Exchange installation directory. By default, this directory is <drive letter>:\Program Files\Exchsrvr\bin.
6. Type the following command: remonitor -i <server to inject>
7. In Scheduled Tasks, right-click the At task, and then click Delete.

How to Suppress Link State Information on a Server


You can use Network Monitor (Netmon.exe) or the remonitor.exe tool in monitor mode to identify and address the root causes of oscillating connections. Additionally, if the oscillating connections are causing excessive propagation traffic, you can suppress the propagation of link state changes until you solve the root cause. It is important to understand that changing this registry key does not stop the propagation of the link state table across servers. It suppresses only the link state traffic that is caused by a connector state change.

Caution: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

Before You Begin


Before you perform the procedure in this topic, read Troubleshooting Routing. The following permissions are required to perform this procedure: Member of the local administrators group

Procedure
To suppress link state information on a server
1. Start Registry Editor (regedit).
2. Navigate to and right-click the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RESvc\Parameters
3. On the Edit menu, click Add Value, and then add the following registry value:
   Value Name: SuppressStateChanges
   Data Type: REG_DWORD
   Data: 1
   Radix: Decimal
4. Close Registry Editor.
5. Restart the following services:
   Microsoft Exchange Routing Engine (RESvc)
   SMTP Service (SMTPSVC)
   Microsoft Exchange MTA Stacks (MSExchangeMTA)


For More Information


For more information about suppressing link state traffic, see "Suppressing Link State Traffic for Connectors" in Advanced Routing Configuration.

Troubleshooting Mail Flow and SMTP


Even after you have successfully configured Simple Mail Transfer Protocol (SMTP) in your Microsoft® Exchange Server organization and taken every measure to secure it, you might experience mail flow problems. This topic discusses many of the common problems that you may encounter and methods to help resolve them. Specifically, you will learn how to:

Use Telnet
Use the SMTP and X.400 queues
Use Message Tracking Center
Use Event Viewer
Configure diagnostic logging for SMTP

However, before considering the troubleshooting recommendations in this topic, first ensure that Exchange Server is configured correctly to send and receive mail. The lists below briefly summarize the requirements for inbound and outbound mail to flow properly.

For incoming Internet mail to flow correctly:

Your recipient policies must be configured correctly.
Your SMTP virtual server that accepts Internet mail must be configured on port 25 and allow anonymous connections.
A mail exchanger (MX) resource record for your domain must exist on an internet DNS server, and the MX record must point to the external or Internet domain of your mail server.
Your Internet mail server must be accessible to remote servers on the Internet.

For outgoing Internet mail to flow correctly:

Your SMTP virtual server that sends Internet mail must be configured to use port 25.
If you are using SMTP connectors, at least one connector must contain an address space of *, which specifies all external domains.
Your Exchange server must be able to resolve external DNS names. You can resolve external DNS names in the following ways:
   Use an internal DNS server that forwards mail to an external DNS server.
   Configure your SMTP virtual server to use a specific external DNS server.
   Route mail to a smart host that performs DNS resolution.

For more information about how to configure Exchange Server to send and receive e-mail messages, see Verifying DNS Design and Configuration. For detailed information on how to use Telnet to test SMTP, see the following topic: How to Use Telnet to Test SMTP Communication

Using the SMTP and X.400 Queues


SMTP uses the SMTP queues to deliver mail internally and externally. Exchange Server version 5.5 servers, MAPI clients (such as Microsoft Office Outlook®), and other mail connectors (such as Microsoft Exchange Connector for Lotus Notes and Microsoft Exchange Connector for Novell Groupwise) use the X.400 queues to send mail to and receive mail from Exchange Server. The following sections explain how to use both the SMTP and X.400 queues to troubleshoot message flow.

Understanding the SMTP Queues


During message categorization and delivery, the advanced queuing engine sends all mail through the SMTP queues of an SMTP virtual server. If there is a problem delivering the message at any point in the process, the message remains in the queue where the problem occurred. Use the SMTP queues to isolate the possible causes of mail flow issues. If a queue is in a "Retry" status, you should check the properties of the queue to determine the cause. For example, if the queue properties display a message that is similar to "An SMTP error has occurred," you should review your server's event logs to locate any SMTP errors. If there are no events in the log, you should increase the SMTP Protocol logging level. For more information about how to increase the SMTP Protocol logging level, see How to View the Application Log in Event Viewer and How to Modify Logging Settings for MSExchangeTransport. The following table lists the SMTP queues, including their descriptions, and troubleshooting information for message accumulation in each queue.

Descriptions of SMTP queues and associated troubleshooting information

SMTP queue: [Local domain name] (Local Delivery)
Description: Contains messages that are queued on the Exchange server for local delivery to an Exchange mailbox or public folder store.
Troubleshooting: Messages can accumulate in this queue if the Exchange server is not accepting messages for local delivery. Slow or sporadic message delivery can indicate a looping message or a performance problem. This queue is affected by the Exchange store. Increase diagnostic logging for the Exchange store as described in How to Modify Logging Settings for MSExchangeTransport.

SMTP queue: Messages awaiting directory lookup
Description: Contains messages to recipients that have not yet been resolved against Microsoft Active Directory® directory service. Messages are also held here while distribution lists are expanded.
Troubleshooting: Generally, messages accumulate in this queue because the advanced queuing engine is unable to categorize the message. The advanced queuing engine may not be able to access the global catalog servers and access recipient information, or the global catalog servers are unreachable or performing slowly. Additionally the following may cause messages to accumulate: Active Directory is unavailable (because the categorizer uses Active Directory to categorize messages). Active Directory may be excessively loaded (if many messages are queuing in the pre-categorization queue). A failure in conversion. The categorizer also handles content conversion. Message categorizer cannot find the mailbox stores. If SMTP was reinstalled or removed, that may invalidate the following IIS metabase keys: /smtpsvc/DsUseCat and /smtpsvc/vsi#/DsUseCat. Determine whether

SMTP queue: Messages waiting to be routed
Description: Holds messages until their next-destination server is determined, and then moves them to their respective link queues.
Troubleshooting: Messages accumulate in this queue if Exchange Server routing problems exist. Message routing may be backed up. Increase diagnostic logging for routing as described in How to Modify Logging Settings for MSExchangeTransport.

SMTP queue: Remote delivery [Connector name | Server name | Remote domain]
Description: Holds messages that are destined for remote delivery. The name of the queue matches the remote delivery destination, which may be a connector, a server, or a domain.
Troubleshooting: If messages accumulate in this queue, you must first identify the status of the queue. If the queue is in "Retry," check the queue properties to determine the reason it is in this state. For DNS issues, use Nslookup and telnet to troubleshoot. If the host is unreachable, use telnet to ensure that the remote server is responding.

SMTP queue: Final destination currently unreachable
Description: The final destination server for these messages cannot be reached. For example, Exchange cannot determine a network path to the final destination.
Troubleshooting: Messages can accumulate in this queue if no route exists for delivery. Additionally, any time a connector or a remote delivery queue is unavailable or in "Retry" for a period of time, and no alternate route exists to the connector or remote destination, new messages queue here. This allows an administrator to fix the problem or define an alternate route. To get new messages to flow to their remote destination queue so you can force a connection and get a Network Monitor (Netmon) trace, restart the SMTP virtual server.

SMTP queue: Pre-submission
Description: Holds messages that have been acknowledged and accepted by the SMTP service. The processing of these messages has not begun.
Troubleshooting: Messages that are accumulating constantly may indicate a performance problem. Occasional peaks in performance can cause messages to appear in this queue intermittently.

SMTP queue: DSN messages pending submission
Description: Contains delivery status notifications, also known as non-delivery reports that are ready to be delivered by Exchange. Note: The following operations are unavailable for this queue: Delete All Messages (no NDR), Delete All Messages (NDR).
Troubleshooting: Messages can accumulate in this queue if the Microsoft Exchange Information Store service is unavailable or not running, or if problems exist with the IMAIL Exchange store component, which is the component that performs message conversion. Check the event log for possible errors with the Microsoft Exchange Information Store service.

SMTP queue: Failed message retry queue
Description: Contains messages that failed some type of queue submission, often before any other processing has taken place. By default, messages in this queue are reprocessed in 60 minutes.
Troubleshooting: Possible causes for failed messages are: Corrupted messages. Third-party programs or event sinks may be interfering with message queuing or fidelity. Low system resources could cause the system to respond slowly or cause other performance issues. Restarting IIS may temporarily improve resource issues, but you should determine the root cause.

SMTP queue: Messages queued for deferred delivery
Description: Contains messages that are queued for delivery at a later time, including messages that were sent by older versions of Outlook. (You can set this option on Outlook client computers.) Previous versions of Outlook depend on the message transfer agent (MTA) for message delivery. Now, however, SMTP handles message delivery, not the MTA. Therefore, messages that are sent by older versions of Outlook treat deferred delivery differently. These messages remain in this queue until their scheduled delivery time.
Troubleshooting: Possible causes for message accumulation are: If a message is sent to a user's mailbox while the mailbox is being moved, messages can queue here. When the user does not yet have a mailbox and no master account Security ID (SID) exists for the user. For more information, see Microsoft Knowledge Base article 316047, "XADM: Addressing Problems That Are Created When You Enable ADC-Generated Accounts." The message may be corrupt or the recipient may not be valid. To determine if a message is corrupt, check its properties. If a message is not accessible, it may be a corrupt message. You can also check that the recipient is valid.

For more information about troubleshooting mail flow and SMTP, see the following topics:

How to View the Properties of a Queue
How to View Messages in a Queue
How to Check the SMTP Performance Counters
How to Enable Message Tracking Center on a Server
How to View the Application Log in Event Viewer
How to View the System Log in Event Viewer
How to Modify Logging Settings for MSExchangeTransport
How to Set Logging at the Debug Level for the SMTP Protocol
How to Enable Logging at the Debug Level for the Message Categorizer

How to Use Telnet to Test SMTP Communication


Telnet is an extremely useful tool for troubleshooting issues related to SMTP and mail flow. For example, you can use telnet to:

Verify that SMTP is installed properly, and that it has all the necessary commands.
Ensure that your server is accessible over the Internet.
Attempt mail delivery directly over the TCP port.
Determine that all servers are accepting connections.
Determine if a firewall is blocking a connection.
Ensure that a single user can receive mail.
Ensure that a specific domain can receive mail.
Ensure that a specific user or domain can send mail to your domain.

Note: The following procedure shows you how to test the process of an internal user sending mail to a remote user when basic authentication is required for relaying mail outside your organization.

Before You Begin


Before you perform the procedure in this topic, read Troubleshooting Mail Flow and SMTP. The following permissions are required to perform this procedure: Member of the local administrators group


Procedure
To use telnet to test SMTP communication
1. Open a telnet session: From a command prompt, type telnet, and then press ENTER.
2. Type set local_echo on a computer running Microsoft Windows® 2000 Server or SET LOCALECHO on a computer running Windows Server™ 2003 or Windows XP, and then press ENTER. This command allows you to view the responses to the commands.
   Note: For a list of available telnet commands, type set ?.
3. Type o <your mail server domain> 25, and then press ENTER.
4. Type EHLO <your mail server domain>, and then press ENTER.
5. Type AUTH LOGIN. The server responds with a Base64-encoded prompt for your user name.
6. Enter your user name encoded in Base64. You can use one of several tools that are available to encode your user name.
7. The server responds with a Base64-encoded prompt for your password. Enter your password encoded in Base64.
8. Type MAIL FROM:<sender@domain.com>, and then press ENTER. If the sender is not permitted to send mail, the SMTP server returns an error.
9. Type RCPT TO:<recipient@remotedomain.com>, and then press ENTER. If the recipient is not a valid recipient or the server does not accept mail for this domain, the SMTP server returns an error.
10. Type DATA.
11. If desired, type message text, press ENTER, type a period ( . ), and then press ENTER again.
12. If mail is working properly, you should see a response similar to the following indicating that mail is queued for delivery:
250 2.6.0 <INET-IMC-01UWr81nn9000fbad8@mail1.contoso.com>

For More Information


The following example shows a telnet test sending mail from contoso.com to a remote domain with a successful result:

250-mail1.fourthcoffee.com Hello [172.16.0.0]
250-TURN
250-ATRN
250-SIZE 5242880
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 2.7.0 Authentication successful.
250 2.1.0 kim@fourthcoffee.com....Sender OK
250 2.1.5 ted@contoso.com
354 Start mail input; end with <CRLF>.<CRLF>
.
250 2.6.0 <INET-IMC-01UWr81nn9000fbad8@mail1.fourthcoffee.com> Queued mail for delivery

For more information, see Securing Your Exchange Server.
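The server replies in the telnet transcript above can be checked mechanically. The following Python sketch is an added example, not part of the original guide or of any Microsoft tool: it parses the multi-line EHLO reply, reports whether X-LINK2STATE is advertised and whether AUTH is offered without STARTTLS, and decodes the 334 AUTH LOGIN prompts, which are Base64 encoding and readable by anyone who captures the session. All function names are assumptions of this example; the sample input is the server side of the transcript on this page.

```python
import base64

# Server replies copied from the transcript on this page (the client
# commands are not part of it).
EHLO_REPLY = """\
250-mail1.fourthcoffee.com Hello [172.16.0.0]
250-TURN
250-ATRN
250-SIZE 5242880
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK"""


def parse_reply(text):
    """Split one SMTP reply into (code, [text of each line]).

    RFC 5321 section 4.2.1: every line carries the same three-digit code;
    "-" after the code means another line follows, a space ends the reply.
    """
    code, lines = None, []
    for raw in text.strip().splitlines():
        if len(raw) < 3 or not raw[:3].isdigit():
            raise ValueError(f"not an SMTP reply line: {raw!r}")
        if code is None:
            code = raw[:3]
        elif raw[:3] != code:
            raise ValueError("reply code changes inside a multi-line reply")
        sep = raw[3:4]
        if sep not in ("-", " ", ""):
            raise ValueError(f"bad separator after reply code: {raw!r}")
        lines.append(raw[4:])
        if sep != "-":                 # space (or nothing) marks the last line
            return int(code), lines
    raise ValueError("reply has no final line")


def ehlo_extensions(lines):
    """Map each advertised EHLO keyword (upper-cased) to its parameters.

    Exchange ends its list with "250 OK", which shows up here as a keyword
    named OK with no parameters.
    """
    ext = {}
    for line in lines[1:]:             # line 0 is the greeting, not a keyword
        words = line.split()
        if words:
            ext[words[0].upper()] = [w.upper() for w in words[1:]]
    return ext


def missing_verbs(ext, required=("X-LINK2STATE",)):
    """Verbs expected in the reply but absent from it.

    The page says X-LINK2STATE must not be blocked by a firewall, so that is
    the default; any other entry in `required` is the caller's assumption.
    """
    return [verb for verb in required if verb.upper() not in ext]


def auth_is_cleartext(ext):
    """True when AUTH is offered but STARTTLS is not."""
    return "AUTH" in ext and "STARTTLS" not in ext


def decode_challenge(reply):
    """Decode a 334 AUTH LOGIN prompt such as '334 VXNlcm5hbWU6'."""
    code, lines = parse_reply(reply)
    if code != 334:
        raise ValueError(f"expected a 334 challenge, got {code}")
    return base64.b64decode(lines[0], validate=True).decode("ascii")


def auth_login_responses(user, password):
    """Base64 forms of the user name and password typed in steps 6 and 7."""
    return tuple(base64.b64encode(s.encode("utf-8")).decode("ascii")
                 for s in (user, password))


if __name__ == "__main__":
    code, lines = parse_reply(EHLO_REPLY)
    ext = ehlo_extensions(lines)
    print("reply code:", code)
    print("AUTH mechanisms:", ext.get("AUTH"))
    print("missing verbs:", missing_verbs(ext))
    print("AUTH without STARTTLS:", auth_is_cleartext(ext))
    print("prompts:", decode_challenge("334 VXNlcm5hbWU6"),
          decode_challenge("334 UGFzc3dvcmQ6"))
```

Run the same check against the EHLO reply captured on each side of a firewall: a verb that appears on one side and not the other points to filtering on the path.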

How to View the Properties of a Queue


When messages accumulate in one of the queues, you can view the queue properties to get more information about the possible causes of this accumulation.

Before You Begin


Before you perform the procedure in this topic, read Troubleshooting Mail Flow and SMTP. The following permissions are required to perform this procedure: Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure
To view the properties of a queue
1. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Administrative Groups, expand <Administrative Group Name>, expand Servers, expand the server you want, and then click Queues.
3. In the details pane, click the queue you want. Any additional information for that queue appears under Additional queue information at the bottom of the details pane.

How to View Messages in a Queue

If you experience mail flow problems, it is important to determine whether you have global problems or problems with individual recipients or domains. Viewing the messages in a queue can help you determine this.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Mail Flow and SMTP.
The following permissions are required to perform this procedure:
• Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Right-clicking the individual queues in Queue Viewer provides the following options:
• Find Messages: Lets you provide search criteria for the messages that you want to inspect.
• Freeze: Stops delivery of all messages that are in the queue. You can use this option to temporarily prevent messages from leaving the queue while you are inspecting the messages. Freezing the queue prevents messages from leaving the queue, but does not prevent messages from entering the queue.
• Unfreeze: Enables the delivery of messages that are in the queue to resume. Unfreezing the queue does not unfreeze individual messages that have been frozen by the administrator.
• Force Connection: Forces a queue that has a retry state to immediately try to connect.

Procedure
To view messages in a queue
1. Open Exchange System Manager. Expand Administrative Groups, expand <Administrative Group Name>, expand Servers, expand the server on which you want to view queues, and then click Queues.
   Note If you want to view a specific message, you can use the Message Tracking Center to determine which server last processed that message and then view the queues on that server to inspect the message.
2. The queues that are located on the selected server are displayed in the results pane. In the results pane, right-click the queue you want to inspect, and then click Find Messages. The Find Messages dialog appears.
3. Optional. Specify the Address Restrictions that will be used to filter the search results.
   • To find all messages from a specific sender, type an SMTP address in the Sender field, or click Sender to select a sender from the Active Directory directory service.
   • To find all messages addressed to a specific recipient, type an SMTP address in the Recipient field, or click Recipient to select a recipient from Active Directory.
4. Optional. Specify the Message Restrictions that will be used to limit the search results.
   • To control how many results are returned, select a value from the Number of messages to be listed in the search drop-down list. The default value is 100.
   • To find only messages that have a particular state, select a value from the Show messages whose state is drop-down list. The default value is to show all messages. You can also select to show only messages that have a frozen or retry state.
5. Click Find Now to display the search results. The messages that match the search criteria are displayed in the Search Results.
6. To view the properties of an individual message, in the results pane, right-click the message you want, and then click Properties. The message's Properties dialog box displays the sender's name, the recipient's name, the message size, and other details about the message.
7. To change the status of an individual message, in the results pane, right-click the message, and select from the following options:
   • Unfreeze: Resumes delivery of a previously frozen message.
   • Freeze: Suspends delivery of a message.
   • Delete (with NDR): Deletes the message from the queue and sends an NDR to the sender of the message.
   • Delete (no NDR): Deletes the message from the queue and does not send an NDR to the sender of the message.

How to Check the SMTP Performance Counters

If messages are accumulating in the pre-categorization queue (labeled "messages awaiting directory lookup" in Queue Viewer), check the SMTP performance counters, particularly the categorizer queue length counters. Use the following procedure to enable these performance counters.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Mail Flow and SMTP.
The following permissions are required to perform this procedure:
• Member of the local administrators group

Procedure
To check the SMTP performance counters
1. Open System Monitor: Click Start, point to Run, and then type perfmon.
2. In System Monitor, right-click the System Monitor details pane, and then click Add Counters.
3. Select one of the following:
   • To monitor any computer on which the monitoring console is run, click Use local computer counters.
   • To monitor a specific computer, regardless of where the monitoring console is run, click Select counters from computer, and then specify a computer name (the name of the local computer is selected by default).
4. In Performance object, click SMTP Server.
5. Select one of the following:
   • To monitor all counters, click All counters.
   • To monitor only selected counters, click Select counters from list, and then select the counters that you want to monitor.
6. Click Add.
7. View the CAT: Categorizer queue length counter.

For More Information

The following table lists additional performance counters that you can use to monitor categorization issues.

Performance counters for monitoring categorization issues

| Performance counter | Description |
| --- | --- |
| Cat: Address lookup completions | The number of address lookup completions that were processed. |
| Cat: Address lookup completions/sec | The number of address lookup completions processed per second. |
| Cat: Address lookups | The number of directory service lookups for individual addresses. |
| Cat: Address lookups not found | The number of address lookups that did not find any directory service object. |
| Cat: Address lookups/sec | The number of address lookups that were dispatched to the directory service per second. |
| Cat: Categorizations completed | The total number of messages submitted to message categorizer that have finished categorization. |
| Cat: Categorizations completed successfully | The number of categorizations that completed without any errors. |
| Cat: Categorizations completed/sec | The rate of categorizations that were completed per second. |
| Cat: Categorizations failed (directory service connection failure) | The number of categorizations that failed because of a directory service connection failure. |
| Cat: Categorizations failed (directory service logon failure) | The number of categorizations that failed because of a directory service logon failure. |
| Cat: Categorizations failed (non-retryable error) | The number of categorizations that failed with a hard error (not retryable). |
| Cat: Categorizations failed (Out Of Memory) | The number of categorizations that failed because of a lack of available memory. |
| Cat: Categorizations failed (retryable error) | The number of categorizations that failed with a retryable error. |
| Cat: Categorizations failed (sink retryable error) | The number of categorizations that failed with a generic retryable error. |
| Cat: Categorizations in progress | The number of categorizations in progress. |
| Cat: LDAP bind failures | The total number of Lightweight Directory Access Protocol (LDAP) bind failures. |
| Cat: LDAP binds | The number of successful LDAP binds that were performed. |
| Cat: LDAP connection failures | The number of connection failures to LDAP servers. |
| Cat: LDAP connections | The total number of LDAP connections that were opened. |
| Cat: LDAP connections currently open | The number of LDAP connections that are currently open. |
| Cat: LDAP general completion failures | The number of LDAP completions with a generic failure. |
| Cat: LDAP paged search completion failures | The number of LDAP paged searches that completed with a failure. |
| Cat: LDAP paged search failures | The number of failures to dispatch an asynchronous paged LDAP search. |
| Cat: LDAP paged searches | The number of LDAP paged searches that were successfully dispatched. |
| Cat: LDAP paged searches completed | The number of paged LDAP completions that were processed. |
| Cat: LDAP search completion failures | The number of LDAP searches that completed with a failure. |
| Cat: LDAP search failures | The number of failures to dispatch an asynchronous LDAP search. |
| Cat: LDAP searches | The number of LDAP searches that were successfully dispatched. |
| Cat: LDAP searches abandoned | The number of LDAP searches that were abandoned. |
| Cat: LDAP searches completed | The number of LDAP search completions that were processed. |
| Cat: LDAP searches completed/sec | The number of LDAP search completions that were processed per second. |
| Cat: LDAP searches pending completion | The number of LDAP searches pending asynchronous completion. |
| Cat: LDAP searches/sec | The number of LDAP searches that were successfully dispatched per second. |
| Cat: mailmsg duplicate collisions | The number of times that a duplicate recipient address was detected by mailmsg or message categorizer. |
| Cat: Messages aborted | The number of messages that were marked to be aborted by message categorizer. |
| Cat: Messages bifurcated | The number of new messages that were created by message categorizer (bifurcation). |
| Cat: Messages categorized | The number of messages that message categorizer submitted to queuing. |
| Cat: Messages submitted | The total number of messages that were submitted to message categorizer. |
| Cat: Messages submitted/sec | The rate at which messages are being submitted to message categorizer. |
| Cat: Recipients after categorization | The number of MAILMSG recipients that were submitted from message categorizer to queuing. |
| Cat: Recipients before categorization | The number of MAILMSG recipients that were submitted to message categorizer. |
| Cat: Recipients in categorization | The number of recipients that message categorizer is currently processing. |
| Cat: Recipients NDRd (ambiguous address) | The number of recipients with addresses that match multiple directory service objects. |
| Cat: Recipients NDRd (forwarding loop) | The number of recipients that message categorizer generates an NDR for because of a forwarding loop detection. |
| Cat: Recipients NDRd (illegal address) | The number of recipients with illegal addresses that were detected by message categorizer. |
| Cat: Recipients NDRd (sink recip errors) | The number of recipients that message categorizer generates an NDR for because of a generic recipient failure. |
| Cat: Recipients NDRd (unresolved) | The number of unresolved recipients (local addresses not found). |
| Cat: Recipients NDRd by Categorizer | The number of recipients for which message categorizer is set to generate an NDR. |
| Cat: Senders unresolved | The number of senders that were not found in the directory service. |
| Cat: Senders with ambiguous addresses | The number of senders with addresses that match multiple directory service objects. |
| Categorizer Queue Length | The number of messages in the message categorizer queue. |

How to Enable Message Tracking Center on a Server

To log information about messages that are sent over your messaging system, you can use Message Tracking Center in Exchange Server. Message Tracking Center logs information about the sender, the mail message, and the message recipients. Specifically, you can review statistics such as the time the message was sent or received, the message size and priority, and the list of message recipients. You can also log the subject line of e-mail messages.

Message Tracking Center searches for all types of messages, including system messages, public folder messages, and e-mail messages.

You must enable Message Tracking Center on each server for which you want to track messages. When enabled, all messages that are routed through a server are added to the message tracking logs.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Mail Flow and SMTP.
The following permissions are required to perform this procedure:
• Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure
To enable Message Tracking Center on a server
1. In Exchange System Manager, expand Servers, right-click the server on which you want to enable message tracking, and then click Properties.
2. On the General tab, select the Enable message tracking check box.
3. To record the subject of any message sent to, from, or through the server, select the Enable subject logging and display check box.
   Note Enabling subject logging causes some performance degradation.
4. Under Log file maintenance, you can prevent the removal of log files or modify the length of time that the log files are kept. The default period that tracking logs are kept is seven days.
   Note On servers that process large quantities of mail, the tracking logs grow quickly. Ensure that you have adequate disk space for the log files and for other services or applications that use this disk.
5. Click OK or Apply. You do not need to restart services for this change to take effect.

For More Information

For more information about how to use Message Tracking Center, see Microsoft Knowledge Base article 262162, "XADM: Using the Message Tracking Center to Track a Message."

How to View the Application Log in Event Viewer

In Event Viewer, both the application log and the system log contain errors, warnings, and informational events that are related to the operation of Exchange Server, the SMTP service, and other applications. To identify the cause of message flow issues, carefully review the data that is contained in the application log and system log. Use the following procedure to view errors, warnings, and informational events in the application log.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Mail Flow and SMTP.
The following permissions are required to perform this procedure:
• Member of the local administrators group

Procedure
To view the application log in Event Viewer
1. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
2. In the console tree, click Application Log.
3. To sort the log alphabetically and quickly locate an entry for an Exchange service, in the details pane, click Source.
4. Double-click a log entry to open an event's properties page.
5. To filter the log to list entries for a specific type of Exchange-related event, from the View menu, click Filter.
6. In Application Log Properties, use the Event source list to select an Exchange-related event source. For example:
   • MSExchangeTransport: Events that are recorded when SMTP is used to route messages.
   • IMAP4Svc: Events that are related to the service that allows users to access mailboxes and public folders through IMAP4.
   • MSExchangeAL: Events that are related to the service that addresses e-mail messages through address lists.
   • MSExchangeIS: Events that are related to the service that allows access to the Exchange Information Store service.
   • MSExchangeMTA: Events that are related to the service that allows X.400 connectors to use the message transfer agent (MTA).
   • MSExchangeMU: Events that are related to the metabase update service, a component that reads information from Active Directory and transposes it to the local IIS metabase.
   • MSExchangeSA: Events that are recorded when Exchange uses Active Directory to store and share directory information.
   • MSExchangeSRS: Events that are recorded when Site Replication Service (SRS) is used to replicate computers running Exchange 2003 with computers running Exchange 5.5.
   • POP3Svc: Events that are recorded whenever Post Office Protocol version 3 (POP3) is used to access e-mail.
7. In the Category list, select a specific set of events or, to view all events for that event source, leave the default setting at All.
8. Click OK.

How to View the System Log in Event Viewer

In Event Viewer, both the application log and the system log contain errors, warnings, and informational events that are related to the operation of Exchange Server, the SMTP service, and other applications. To identify the cause of message flow issues, carefully review the data that is contained in the application log and system log. Use the following procedure to view errors, warnings, and informational events in the system log for the SMTP service.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Mail Flow and SMTP.
The following permissions are required to perform this procedure:
• Member of the local administrators group

Procedure
To view the system log in Event Viewer
1. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
2. In the console tree, click System Log.
3. To sort the log alphabetically and quickly locate an entry for an Exchange service, in the details pane, click Source.
4. Double-click a log entry to open an event's properties page.
5. To filter the log to list entries for a specific type of SMTP service events, from the View menu, click Filter.
6. In System Log Properties, in the Event source list, select SMTPSVC.
7. In the Category list, select a specific set of events or, to view all events for the SMTP service, leave the default setting at All.
8. Click OK.

How to Modify Logging Settings for MSExchangeTransport

To help determine the root of a transport issue, view events for MSExchangeTransport. If you experience problems with Exchange Server message flow, immediately increase the logging levels that relate to MSExchangeTransport. Logging levels control the amount of data that is logged in the application log. The more events that are logged, the more transport-related events that you can view in the application log; therefore, you have a better chance of determining the cause of the message flow problem. The SMTP log file is located in the Exchsrvr\Server_name.log folder.

As discussed in "Understanding the SMTP Queues" in Troubleshooting Mail Flow and SMTP, issues with specific routing and transport components can cause messages to accumulate in a queue. If you are having problems with a specific queue, increase the logging levels for the component affecting the queue.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Mail Flow and SMTP.
The following permissions are required to perform this procedure:
• Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure
To modify logging settings for MSExchangeTransport
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, expand Servers, right-click <Server Name>, and then click Properties.
3. Click the Diagnostics Logging tab.
4. Under Services, click MSExchangeTransport.
5. Under Categories, click the category for which you want to configure the logging level:
   • Select Routing Engine/Service to troubleshoot routing issues. Increase the logging level for this component if messages are accumulating in the Messages waiting to be routed SMTP queue.
   • Select Categorizer to troubleshoot problems with address resolution in Active Directory, distribution list expansion, and other categorizer issues. Increase the logging level for this component if messages are accumulating in the Messages awaiting directory lookup SMTP queue.
   • Select Connection Manager to troubleshoot issues with dial-up and virtual private network connectivity through Connection Manager.
   • Select Queuing Engine to troubleshoot problems with the queuing engine. Increase the logging level for this component if you are experiencing mail flow problems, and mail is not accumulating in any of the queues.
   • Select Exchange Store Driver to troubleshoot issues with the Exchange store driver. Increase the logging level for this component if messages are accumulating in the local delivery SMTP queue, the X.400 queues, or if you have problems receiving mail from Exchange 5.x servers or other mail systems.
   • Select SMTP Protocol to troubleshoot general SMTP issues. Increase the logging level for this component if messages are accumulating in the Remote delivery SMTP queue to determine if SMTP errors are causing the bottleneck.
   • Select NTFS store driver to troubleshoot issues with the NTFS store driver. Increase the logging level for this category if messages are accumulating in the Queue folder of your SMTP virtual server and are being processed slowly or not being processed at all.
6. Under Logging level, click None, Minimum, Medium, or Maximum. Click Maximum for troubleshooting purposes.
   Caution If you increase the logging levels for Exchange services, you will experience some performance degradation. It is recommended that you increase the size of the application log to contain all the data that is produced. If you do not increase the size of the application log, you will receive frequent reminders that the application log is full.

How to Set Logging at the Debug Level for the SMTP Protocol

If you are experiencing mail flow issues and want to view all events, you can modify a registry key to set logging to the highest level (field engineering level 7).

Note Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Mail Flow and SMTP.
The following permissions are required to perform this procedure:
• Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure
To set logging at the debugging level for the SMTP protocol
1. Start Registry Editor: From the Start menu, click Run, and then type regedit.
2. In Registry Editor, locate and right-click the following registry key value, and then click Edit:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransport\Diagnostics\SMTP Protocol
3. Set the value to 7.

How to Enable Logging at the Debug Level for the Message Categorizer

If you are experiencing mail flow issues and want to view all events, you can modify a registry key to set logging to the highest level (field engineering level 7).

Note Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Mail Flow and SMTP.
The following permissions are required to perform this procedure:
• Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure
To enable logging at the debugging level for the message categorizer
1. Start Registry Editor: From the Start menu, click Run, and then type regedit.
2. In Registry Editor, locate and right-click the following registry key value, and then click Edit:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeTransport\Diagnostics\Categorizer
3. Set the value to 7.

Troubleshooting Non-Delivery Report Messages

Non-delivery reports (NDRs) are a type of delivery status notification. NDRs are generated whenever a message cannot be delivered. If a server detects the reason for the delivery failure, it associates the reason to a status code and a corresponding error message is written.

The following are basic questions that you should consider to troubleshoot NDRs in Microsoft® Exchange Server 2003. Gather this information at the beginning of your troubleshooting:
• What types of clients are used (for example, Microsoft Outlook® 2000, or Outlook 2002, or Microsoft Office Outlook 2003)?
• Do one or more users receive NDRs when they send mail to a specific recipient or to every recipient?
• Can other users send mail successfully to the same recipient from the same server?
• Do users on a specific server experience this issue, or do users on multiple servers experience the same issue?
• Is the issue site-specific, or does the issue occur in multiple sites?
• Can you reproduce the issue on demand, or does it occur randomly? If the NDRs are random, what is the frequency of the NDRs?
• What type of recipient is experiencing the problem?
• Where does the recipient physically reside?
• How was the recipient entered in the To field of the message (for example, selected from the global address book, selected from a personal address book, or manually typed)?

Note Creating a new test user is always helpful in NDR troubleshooting.

Be sure to investigate the time periods when NDRs occur and to obtain any background information that is available about the issue. Be aware of any changing variables that affect the issue. It is important that you narrow the issue as much as possible by asking questions that are similar to those described in the preceding list.

Tools for Troubleshooting NDRs

You can use the following diagnostic tools and files to help with basic NDR troubleshooting:
• A copy of the NDR. Make sure that you save the NDR message.
• The delivery status notification code in the NDR. Make sure that you save the delivery status notification code in the NDR message.
• The application event log. Set the diagnostic logging of the message categorizer to level 7.
• LDP tool outputs. You can use outputs from the LDP tool (ldp.exe) to help troubleshoot NDRs. You can use this tool to perform Lightweight Directory Access Protocol (LDAP) operations against Microsoft Active Directory® directory service. The LDP tool is included with the Microsoft Windows® 2000 Server and Windows Server™ 2003 support tools.
• LDIFDE outputs. You can use outputs from LDIFDE to help troubleshoot NDRs. You can use this command-line tool to create, modify, and delete Active Directory objects. This tool is included with Windows 2000 Server and Windows Server 2003. For additional information about LDIFDE, see the Windows online documentation.
• Message Tracking Center. Message Tracking Center can track messages in Exchange 2003 organizations and in mixed Exchange Server version 5.5 and Exchange 2000 and Exchange Server 2003 deployments. For more information about Message Tracking Center, see the Exchange Server 2003 online documentation.
• Metabase outputs. You can obtain metabase outputs by using Metabase Editor to browse through and modify attributes in the Microsoft Internet Information Services (IIS) metabase. Metabase Editor is included with the Microsoft Windows 2000 Server Resource Kit and Microsoft Windows Server 2003 Resource Kit.
• System Monitor counters. Use the System Monitor counters for Message Categorizer to assist you with NDR troubleshooting. Message categorizer performance counters are discussed later in this section.
• Network Monitor trace. You can use Network Monitor (Netmon.exe) to capture all local network traffic, or you can select a subset of frames to capture. You can also make a capture respond to events on your network. Network Monitor is included with Windows 2000 Server and Windows Server 2003. For additional information about Network Monitor, see the Windows online documentation.
• The regtrace tool. For additional information about the Regtrace tool, see Microsoft Knowledge Base article 238614, "XCON: How to Set Up Regtrace for Exchange 2000." Although this article is written for Exchange 2000, the same information applies to Exchange 2003.

Troubleshooting Strategies and Tips

This section contains strategies and tips for troubleshooting NDRs. Use the following steps to determine the cause of an NDR:
1. Use the diagnostic code of the NDR to determine its possible causes.
2. Increase event logging to capture all events.
3. Use Regtrace to gather information.

2eter&ining !ossib+e Causes of an N2R


#he follo$in table lists the most common :D, dia nostic codes, correspondin error conditions, and troubleshootin su estions)

2-N2R diagnostic codes and corresponding error conditions :D, code 7)2)2 Possible cause 4n Exchan e 2000, this deli"er( status notification is enerated $hen the recipientHs mailbox exceeds its stora e limit) /n Cindo$s 2000 and Microsoft Cindo$s !er"er 200', this messa e is enerated $hen the stora e siAe of the drop director( ;a director( $here messa es can be placed for deli"er(< exceeds the !imple Mail #ransfer Protocol ;!M#P< "irtual ser"er dis% Euota) #he dis% Euota of the !M#P "irtual ser"er is 11 times the maximum messa e siAe on the "irtual ser"er) 4f no maximum siAe is specified, the dis% Euota defaults to 22 M?) 4f the dis% space is $ithin one maximum messa e siAe of the Euota or if the dis% space reaches 20 M? and no maximum messa e is defined, Exchan e assumes that the incomin messa e $ill exceed the dis% Euota, and then issues the :D,) 7)')1 An outDofDmemor( error occurred) A resource problem, such as a full dis%, can cause this problem) Ensure that (our Exchan e ser"er has enou h dis% stora e) 4f possible, mo"e (our mail Eueues to an :#6! dis% partition) #roubleshootin Chec% the mailbox stora e and the Eueue stora e Euota limit)

2-1

:D, code 7)')2

Possible cause

#roubleshootin

A"ailable in Exchan e 2000 0nfreeAe the Eueue) !er"ice Pac% ;!P< 1 and later) #his :D, is enerated $hen a Eueue has been froAen) A host is not respondin ) #ransient net$or% conditions can cause this error) #he Exchan e ser"er automaticall( tries to connect to the ser"er a ain and deli"er the mail) 4f deli"er( fails after multiple attempts, an :D, $ith a permanent failure code is enerated) Monitor the situation) #his is a transient problem that ma( correct itself)

7)7)1

7)7)2

A connection dropped Monitor the situation) #his is bet$een the ser"ers) a transient problem that ma( #ransient net$or% correct itself) conditions or una"ailable ser"ers can cause this error) #he ser"er attempts to deli"er the messa e for a specific time period, and then enerates further status reports) #he maximum hop count $as exceeded for the messa e) A loopin situation bet$een the sendin and recei"in ser"ers in different or aniAations can cause this error) #he messa e bounces bet$een the ser"ers until the hop count is exceeded) #he maximum hop count propert( is set per "irtual ser"er, and (ou can manuall( o"erride the default settin of #$) @ou should also chec% for situations that mi ht cause loopin bet$een ser"ers)

7)7)6

2-3

:D, code 7)7)1

Possible cause #he messa e in the Eueue has expired) #he sendin ser"er tried to rela( or deli"er the messa e, but the action $as not completed before the messa e expiration time occurred) #his messa e can also indicate that a messa e header limit has been reached on a remote ser"er, or some other protocol timeD out occurred $hile communicatin $ith the remote ser"er)

#roubleshootin #his messa e usuall( indicates an issue on the recei"in ser"er) Chec% the "alidit( of the recipient address and determine if the recei"in ser"er is confi ured correctl( to recei"e messa es) @ou ma( ha"e to reduce the number of recipients in the messa e header for the host about $hich (ou are recei"in this error) 4f (ou resend the messa e, it is placed in the Eueue a ain) 4f the recei"in ser"er is a"ailable, the messa e is deli"ered)

NDR code 4.4.9

Possible cause: This indicates a temporary routing error or bad routing configuration. Possible causes are:
First scenario: Someone configured an SMTP connector using DNS (rather than a smart host) and added a non-SMTP address space, such as an X.400 address, to this connector.
Second scenario: Someone created a routing group, and a recipient in this routing group was supposed to receive mail. A routing group connector using DNS was used to bridge the routing group, and then this administrative or routing group was removed. Therefore, any mail sent to this routing group was sent in the MSGWIA.X500 format (the address encapsulation used for non-SMTP addresses); DNS does not recognize this format.

Troubleshooting: Routing detects these situations, and Exchange returns DSNs. To remedy the first scenario, configure the SMTP connector to use a smart host, instead of DNS, to resolve the non-SMTP address space. To remedy the second scenario, ensure that you moved all users in the removed administrative group or routing group to a valid group.

NDR code 5.0.0

Possible cause: The categorizer failed; possible causes include:
There is no route for the given address space; for example, an SMTP connector is configured, but this address does not match.
DNS returned an authoritative host that was not found for the domain.
The routing group does not have a connector defined; mail from one server in one routing group does not have a route to another routing group.
An SMTP error occurred.
Note: Prior to Exchange 2000 SP1, the following codes appeared under the 5.0.0 code: 4.3.2, 5.4.0, 5.4.4, 5.5.0.

Troubleshooting: On one or more SMTP connectors, add an asterisk (*) value as the SMTP address space; verify that DNS is working; ensure that routing groups have connectors connecting them.

NDR code 5.1.0

Possible cause: This NDR is caused by a general categorizer-based failure (bad address failure). An e-mail address or another attribute could not be found in Active Directory. Contact entries without the targetAddress attribute set can cause this problem. Another possible cause could be that the categorizer is unable to determine the homeMDB attribute of a user. The homeMDB attribute corresponds to the Exchange server on which the user's mailbox resides. Another common cause of this NDR is if you used Outlook to save your e-mail message as a file, and then someone opened the message offline and replied to the message. The message property only preserves the legacyExchangeDN attribute when Outlook delivers the message, and therefore the lookup could fail.

Troubleshooting: Either the recipient address is incorrectly formatted, or the categorizer was not able to resolve the recipient properly. The first step in resolving this error is to check the recipient address and resend the message.

NDR code 5.1.1

Possible cause: The e-mail account does not exist in the organization where the message was sent. This can occur when users move to new locations within a site. For instance, if a former Administrative_Group_1 user moves to Administrative_Group_2 and then replies to an old message or does not re-create an Outlook profile, an old Administrative Group style LegacyDN address will be used, and this NDR is issued. Likewise, sending mail to obsolete personal address book entries results in this error. Also, if you configured your SMTP contact with invalid SMTP characters (as per RFC 821), the categorizer rejects the delivery with this diagnostic code.

Troubleshooting: Either the recipient address is formatted incorrectly, or the categorizer was not able to resolve the recipient properly. The first step in resolving this error is to check the recipient address, and resend the message.

NDR code 5.1.3

Possible cause: This NDR is caused by incorrect address syntax. For example, a contact that was configured in Active Directory with a targetAddress attribute but without an address would result in this error.

Troubleshooting: Either the recipient address is formatted incorrectly, or the categorizer was not able to resolve the recipient properly. The first step in resolving this error is to check the recipient address and resend the message.

NDR code 5.1.4

Possible cause: Two objects have the same (proxy) address, and mail is sent to that address. This issue can also occur if the recipient does not exist on the remote server.

Troubleshooting: Check the recipient address, and resend the message.

NDR code 5.1.6

Possible cause: One possible cause of this NDR is that the user directory attributes such as homeMDB (the user's home mailbox store) or msExchHomeServerName (the server on which the user's mailbox resides) are missing or corrupted.

Troubleshooting: Check the user directory attribute's integrity, and rerun the Recipient Update Service to ensure the validity of the attributes that are required for transport.

NDR code 5.1.7

Possible cause: The sender has a malformed or missing SMTP address, the mail attribute in the directory service. The categorizer cannot deliver the mail item without a valid mail attribute.

Troubleshooting: Check the sender directory structure, and determine if the mail attribute exists.

NDR code 5.2.1

Possible cause: Local mail is refused because the message is too large. A missing Master Account Security ID (SID) number on the recipient can also cause this error.

Troubleshooting: Check access permissions as well as the message size. Check if the recipient has a SID in Active Directory.

NDR code 5.2.2

Possible cause: This NDR is generated when the recipient's mailbox exceeds its storage limit.

Troubleshooting: Check the mailbox storage or the queue storage quota limit.

NDR code 5.2.3

Possible cause: The message is too large, and the local quota is exceeded. For example, a remote Exchange user might have a restriction on the maximum size of an incoming message.

Troubleshooting: Resend the message without attachments, or set the server or the client-side limit to allow a larger message size limit.

NDR code 5.3.0

Possible cause: Exchange 2003 can operate without the message transfer agent (MTA). If mail was mistakenly sent to the MTA, Exchange returns this DSN to the sender. This condition is enforced only if you have disabled the MTA service and used specific registry settings to disable the MTA/StoreDriver. A default configuration strands the misrouted mail on the MTA queues.

Troubleshooting: Check your routing topology. Use the WinRoute tool to ensure that the routes are properly replicated between servers and routing groups.

NDR code 5.3.3

Possible cause: When the Exchange remote server reaches capacity of its disk storage to hold mail, it could respond with this NDR. This error usually occurs when the sending server is sending mail with an ESMTP BDAT command. This error also indicates a possible SMTP error.

Troubleshooting: Ensure that the remote server has enough storage capacity to hold mail. Check the SMTP log.

NDR code 5.3.5

Possible cause: A mail-looping situation is detected. This means that the server is configured to loop mail back to itself. If you have multiple SMTP virtual servers configured on your Exchange server, ensure that they are serving unique incoming ports. Also, to avoid looping between local SMTP virtual servers, ensure that the outgoing SMTP port configuration is valid.

Troubleshooting: Check the configuration of the server's connectors for loops. If there are multiple virtual servers, ensure that none are set to "All Unassigned."

NDR code 5.4.0

Possible cause: Possible causes include:
Authoritative host not found in DNS.
Smart host entry is incorrect.
Fully qualified domain name (FQDN) in HOSTS file (fixed in Windows 2000 SP3).
DNS failure occurred, or you configured an invalid IP address as your smart host.
SMTP virtual server does not have a valid FQDN or lookup of your SMTP virtual server.
A contact's SMTP domain does not resolve to any SMTP address spaces.

Troubleshooting: Use the DNS Resolver tool (Dnsdiag.exe) or Nslookup to check the DNS configuration. Verify that the IP address is in IPv4 literal format. Verify the valid DNS entry for the server/computer name in question. If you rely on an FQDN in a HOSTS file, update the entry in Exchange System Manager with a valid IP address or correct name.

NDR code 5.4.4

Possible cause: Available in Exchange 2000 SP1 and later versions. This NDR occurs if no route exists for message delivery, or if the categorizer could not determine the next-hop destination. You set up a routing group topology, but no routing group connector exists between the routing groups.

Troubleshooting: Add or configure your routing group connector between routing groups.

NDR code 5.4.6

Possible cause: A categorizer forward loop is detected. The targetAddress attribute is set on a mailbox-enabled user. This common hosting configuration problem occurs when someone creates a contact in one organizational unit, and then uses the provisioning tool to create a user in another organizational unit with the same e-mail address.

Troubleshooting: This happens when contact A has an alternate recipient that points to contact B, which then has an alternate recipient that points back to contact A. Check the contact's alternate recipient. Check and remove the targetAddress attribute from mailbox-enabled users. For hosting, that is, sending mail from one user in one company in an organizational unit to a user in another company in a separate organizational unit, you should configure the following two related objects:
User: SMTP proxy: user@contoso.com
Contact: targetAddress: user@contoso.com; SMTP proxy: contact@fourthcoffee.com, where fourthcoffee.com is the name of the second company.

NDR code 5.4.8

Possible cause: Available in Exchange 2000 SP1 and later versions. This message warns of a looping condition, which may occur because one of the recipient policies includes a local domain that matches the FQDN of an Exchange server in the organization. When the categorizer is processing mail that is destined for a domain matching an Exchange server's FQDN, it returns this NDR.

Troubleshooting: Check your recipient policies. If a recipient policy contains an Exchange server's FQDN, you must remove that entry. Your recipient policy should not contain the FQDN of your server; instead, it should contain the mail domain only (for example, instead of server1.contoso.com, you enter contoso.com).

NDR code 5.5.0

Possible cause: A generic protocol error or an SMTP error causes this NDR. The remote SMTP server responds to a sending server's identifying EHLO with a 500-level error. The sending system will then terminate the connection and deliver an NDR indicating that the remote SMTP server cannot handle the protocol. For example, if a Microsoft Hotmail® e-mail account is no longer active, a 550 SMTP error will occur.

Troubleshooting: Run the SMTP Log or a Netmon trace to see why the remote SMTP server rejects the protocol request.

NDR code 5.5.2

Possible cause: A generic SMTP error occurs when SMTP commands are sent out of sequence. For example, a server attempts to send an AUTH (authorization) command before identifying itself with an EHLO command. It is possible that this error can also occur when the system disk is full.

Troubleshooting: Run the SMTP Log or a Netmon trace, and ensure there is enough disk storage and virtual memory for SMTP to operate.

NDR code 5.5.3

Possible cause: Too many recipients on a message can cause this NDR.

Troubleshooting: The recipient limit is a configurable setting. To resolve this issue, either increase the recipient limit or revise the message into multiple messages to fit the server limit.
Note: The default recipient limit on an SMTP message is 5,000. To change this limit, start Exchange System Manager, expand Global Settings, right-click Message Delivery, click Properties, and then use the Defaults tab. This can also be a per-user setting in Active Directory.

NDR code 5.7.1

Possible cause: Possible causes include:
General access denied, and sender access denied; the sender of the message does not have the required permissions necessary to complete delivery.
You are trying to relay your mail through another SMTP server, and the server does not permit you to relay.
The recipient may have mailbox delivery restrictions enabled. For example, if a recipient's mailbox delivery restriction is set to receive mail from a distribution list only, non-member's mail will be rejected and produce this error.
New in Exchange 2003: An anonymous user attempted to send mail to recipients or distribution lists that accept mail only from an authenticated SMTP session.

Troubleshooting: Check system privileges and attributes for the contact, and try sending the message again. Also, to resolve other potential issues, ensure that you are running Exchange 2000 SP1 or later.

Using Event Logs

If you still cannot determine why your mail is generating NDRs, the next step is to increase diagnostic event logging. Then, try to reproduce the NDR, and examine the application event log. It may provide information about why the NDR is being generated. The Windows categorizer has limited event logging, but the Exchange categorizer has extensive event logging. To identify the causes of NDRs, you should set diagnostic logging on the Message Categorizer to field engineering level 7. When you enable logging at this level, the following informational event message is generated in Event Viewer for messages that produce NDRs:
Messageid=9000
Facility=Interface
Severity=Informational
SymbolicName=PHATCAT_NDR_REASON
The function of <function name> failed for reason <cause of failure> when processing recipient <recipient name> of type <recipient type> A delivery status notification has been generated

Using Regtrace
Regtrace is available on Exchange servers; it is a useful tool for diagnosing and troubleshooting NDRs. For detailed instructions, see How to Enable regtrace.

The Trace File

The trace file is available at the location that is specified on the Output tab of Regtrace. The default location for the file is C:\Trace.atf. The trace file is a binary-encoded file that contains debug-level information about the transport and routing components that are being traced. For this reason, Microsoft Product Support Services (PSS) requires that customers send the trace files for internal analysis. You may have to use file compression software to package the files so that you can deliver them to PSS by means of an FTP server, the Microsoft File Exchange (MSFE), or the Premier Service Desk. For details about any of these delivery methods, consult your PSS representative.

How to Enable regtrace

Regtrace is available on Exchange servers. It is a useful tool for diagnosing and troubleshooting NDRs. Use the following procedure to enable regtrace.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Non-Delivery Report Messages. The following permissions are required to perform this procedure: Member of the local administrators group

Procedure
To enable regtrace
1. At a command prompt, type regtrace. The Trace Settings window opens.
2. On the Traces tab, select all the check boxes.
   (Figure: Traces tab of Trace Settings properties)
3. On the Output tab, make sure that the File option is selected, and then provide a path to a location that has enough capacity to store a very large file as output.
4. On the Threading tab, make sure that the Write traces on a Background Thread option is not selected, and then click OK.
5. In Registry Editor, locate the following registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersion\DebugAsyncTrace
6. On the Edit menu, click Add Value, and then add the following registry values:
   Value Name: Modules
   Data Type: REG_SZ
   Value: AQ CAT DS2MB dsevntwrap EXSINK IMAP4SVC REAPI RESVC Routing SMTP StoreDev TranMsg DSACCESS
7. Next, add the MaxTraceFileSize registry key value to set the maximum trace file size to 20 megabytes (MB). On the Edit menu, click Add Value and add the following:
   Value Name: MaxTraceFileSize
   Data Type: REG_DWORD
   Value: 20 (decimal)
8. Quit Registry Editor.
9. Reproduce the issue that you are troubleshooting. For example, if mail is being returned as undeliverable, send some e-mail messages to an address that will cause Exchange to return the message undelivered.
10. When you have reproduced the issue several times, stop tracing. In Regtrace, click the Output tab and select No Tracing.

The trace file is available at the location that is specified on the Output tab of Regtrace. The default location for the file is C:\Trace.atf. The trace file is a binary-encoded file that contains debug-level information about the transport and routing components that are being traced. For this reason, Microsoft Product Support Services (PSS) requires that customers send the trace files for internal analysis. You may have to use file compression software to package the files so that you can deliver them to PSS by means of an FTP server, the Microsoft File Exchange (MSFE), or the Premier Service Desk. For details about any of these delivery methods, consult your PSS representative.

Verifying the Required Active Directory Attributes

When you are troubleshooting an NDR, verify that all mail-enabled attributes that Message Categorizer requires exist for that recipient in Active Directory. In Exchange 2000, multiple attributes must be correct for messages to be categorized:
homeMDB
homeMTA
legacyExchangeDN
mail
mailNickname
msExchHomeServerName
msExchMailboxGuid
msExchMailboxSecurityDescriptor
proxyAddresses

This list of required attributes is valid only if the recipient is a mailbox-enabled object in Active Directory (for example, an Exchange 2003 recipient). However, if the recipient is an Exchange Server 5.5 recipient, the only attributes that have to be present are:
legacyExchangeDN
homeMDB
homeMTA

For mail-enabled objects (for example, a custom recipient) and alternate addresses, the targetAddress attribute is required. If the targetAddress attribute is not present, the fallback is to the mail attribute. If an e-mail message is missing any of the required attributes or if they are incorrect, the message may remain in the categorizer, and no events are created in Event Viewer. If you track the message, it appears in Message Categorizer or it generates an NDR, depending on which attribute is missing. If you want to check these attributes for a user in Active Directory, use the LDP tool or ADSI Edit. For more information about the LDP tool or ADSI Edit, see the Windows online documentation.

Note: If you use the ADSI Edit snap-in, the LDP tool, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall any of the following: Windows 2000 Server or Windows Server 2003, or Exchange Server 2003. You may not be able to solve problems that occur if you incorrectly modify Active Directory object attributes. Modify these attributes at your own risk.

The following table shows examples of each of the attributes that Active Directory requires.

Mail-Enabled Exchange 2003 Active Directory attributes

Exchange 2003 mail-enabled attribute: Example

homeMDB: CN=Mailbox Store (CONTOSO-MSG-01),CN=First Storage Group,CN=InformationStore,CN=CONTOSO-MSG-01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com

homeMTA: CN=Microsoft MTA,CN=CONTOSO-MSG-01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com

legacyDN: /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=ted

mail: ted@contoso.com

mailNickname: ted

msExchHomeServerName: /o=First Organization/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=CONTOSO-MSG-01

msExchMailboxGuid: 0x06 0x7f 0x69 0xcc 0x.e 0xfe 0x19 0x7f 0x2c 0x6e 0x1b 0x61 0x.1 0x92 0x.1 0xd2

msExchMailboxSecurityDescriptor: This attribute is a binary blob that does not display a value in ADSI Edit or LDP.

proxyAddresses: SMTP: scott@contoso.com X400:c=us;a= ;p=First Organizati;o=Exchange;s=Bremer;g=Ted;

The following example shows a dump file from the LDP tool with all the mail-enabled Exchange 2003 Active Directory attributes that the categorizer requires:
Expanding base 'CN=Ted Bremer,CN=Users,DC=contoso,DC=com'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=Ted Bremer,CN=Users,DC=contoso,DC=com
1> homeMDB: CN=Mailbox Store (CONTOSO-MSG-01),CN=First Storage Group,CN=InformationStore,CN=CONTOSO-MSG-01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com;
1> memberOf: CN=Sales Team,CN=Users,DC=contoso,DC=com;
1> accountExpires: 9223372036854775807;
1> badPasswordTime: 0;
1> badPwdCount: 0;
1> codePage: 0;
1> cn: Ted Bremer;
1> countryCode: 0;
1> displayName: Ted Bremer;
1> mail: ted@contoso.com;
1> givenName: Ted;
1> instanceType: 4;
1> lastLogoff: 0;
1> lastLogon: 126416003544864704;
1> legacyExchangeDN: /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=ted;
1> logonCount: 19;
1> distinguishedName: CN=Ted Bremer,CN=Users,DC=contoso,DC=com;
1> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=contoso,DC=com;
4> objectClass: top; person; organizationalPerson; user;
1> objectGUID: fdd08ce8-be92-4652-96db-f44785ef49e4;
1> objectSid: S-15-C2EF2A3A-4F67EE69-69068D04-64A;
1> primaryGroupID: 513;
2> proxyAddresses: SMTP:ted@contoso.com; X400:c=us;a= ;p=First Organizati;o=Exchange;s=Bremer;g=Ted;;
1> pwdLastSet: 126415962391597356;
1> name: Ted Bremer;
1> sAMAccountName: ted;
1> sAMAccountType: 805306368;
2> showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com; CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com;
1> sn: Bremer;
1> textEncodedORAddress: c=us;a= ;p=First Organizati;o=Exchange;s=Bremer;g=Ted;;
1> userAccountControl: 512;
1> userPrincipalName: ted@contoso.com;
1> uSNChanged: 16820;
1> uSNCreated: 16814;
1> whenChanged: 8/6/2001 11:31:17 Pacific Standard Time Pacific Daylight Time;
1> whenCreated: 8/6/2001 11:30:38 Pacific Standard Time Pacific Daylight Time;
1> homeMTA: CN=Microsoft MTA,CN=CONTOSO-MSG-01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com;
1> msExchMailboxGuid: <ldp: Binary blob>;
1> msExchMailboxSecurityDescriptor: <ldp: Binary blob>;
1> msExchALObjectVersion: 56;
1> msExchHomeServerName: /o=First Organization/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=CONTOSO-MSG-01;
1> mailNickname: ted;
1> mDBUseDefaults: TRUE;
1> msExchPoliciesIncluded: {E7B464D2-65EF-4B3E-8AF4-8EB84BA7088E},{26491CFC-9E50-4857-861B-0CB8DF22B5D7};
1> msExchUserAccountControl: 0;

How the Recipient Update Service Updates Attributes

The Recipient Update Service has three system policies for mail-enabled recipients, mailbox-enabled users, and hidden distribution group membership that are installed by default when you install Exchange 2003. All three policies have the same purpose: to update a few attributes for objects in Active Directory under certain circumstances. When custom tools are used to create users, contacts, or distribution groups, the Recipient Update Service attempts to correct any omissions in cases where a tool does not create all the necessary attributes for an object. If a user, contact, or distribution group lacks required attributes, problems can occur. For a mail-enabled recipient, a minimum set of attributes is required to make all Exchange components work properly. For example, a mail-enabled entry (a user, contact, group, or public folder) has to have at least these attributes: mailNickname, legacyExchangeDN, and displayName. Without the mailNickname attribute, an object is not considered mail-enabled. After an object has a mailNickname attribute, the other two attributes must be set.

Mail-Enabled Recipient Policy

If the Recipient Update Service identifies a new entry that was added or modified, and that entry has the mailNickname attribute, but does not have the legacyExchangeDN or displayName attributes, the Recipient Update Service tries to create those attributes. The displayName attribute is copied from the mailNickname attribute as is. The legacyExchangeDN attribute goes through an algorithm that identifies the organization and administration group for the entry, and then creates a value in the following format:
/o=MyCompany/ou=MyAdminGroup/cn=Recipients/cn=MailNickname

Mailbox-Enabled User Policy

For a mailbox-enabled user, two attributes must be present. The first is the mailNickname attribute, and the second is one of the following attributes:
msExchHomeServerName
homeMDB
homeMTA

If any one of these attributes is present, and the user has a mailNickname attribute, the user is considered a mailbox-enabled user. In this case, the Recipient Update Service attempts to populate some of the following attributes if they are not present:
msExchHomeServerName
homeMDB
homeMTA
legacyExchangeDN
displayName
msExchMailboxGuid

These attributes are populated in the following order:
1. If the msExchHomeServerName attribute is not present, it is created based on the homeMDB or homeMTA attribute, depending on which one is present. If the msExchHomeServerName attribute cannot be created, the process stops.
2. After the msExchHomeServerName attribute is set, the homeMDB and homeMTA attributes are populated if either one is missing. If you have multiple mailbox stores or message transfer agents (MTAs) on your server, the Recipient Update Service picks the first one that it finds when it does an Active Directory search. Therefore, this selection can be considered a random choice.
3. To create the legacyExchangeDN and displayName attributes, the Recipient Update Service follows the same steps that are used for a mail-enabled recipient.
4. Finally, if the msExchMailboxGuid attribute is not present, the Recipient Update Service creates the msExchMailboxGuid attribute by generating a GUID.
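The attribute requirements in "Verifying the Required Active Directory Attributes" and the population order above can be checked mechanically against an LDP dump. The following Python sketch is an added example, not a Microsoft tool or code from this guide; the function names and both sample dumps are constructed for illustration, and it assumes the dump has been saved as text with one attribute per line.

```python
import re

# Attributes the guide lists as required for a mailbox-enabled recipient.
MAILBOX_REQUIRED = [
    "homeMDB", "homeMTA", "legacyExchangeDN", "mail", "mailNickname",
    "msExchHomeServerName", "msExchMailboxGuid",
    "msExchMailboxSecurityDescriptor", "proxyAddresses",
]
# mailNickname plus any one of these marks a user as mailbox-enabled.
HOME_ATTRS = ["msExchHomeServerName", "homeMDB", "homeMTA"]

# LDP prints each attribute as "<count>> <name>: <value>; <value>;".
ATTR_LINE = re.compile(r"^\s*(\d+)>\s*([A-Za-z][\w-]*):\s*(.*)$")


def parse_ldp_dump(text):
    """Return {attribute: [values]} for the attribute lines of an LDP dump."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue  # header lines such as ">> Dn:" or "Result <0>:"
        count, name, raw = int(m.group(1)), m.group(2), m.group(3).strip()
        # Split on "; " at most count-1 times so that X.400 addresses,
        # which contain ";" themselves, stay in one piece.
        parts = raw.split("; ", max(count - 1, 0))
        if parts[-1].endswith(";"):
            parts[-1] = parts[-1][:-1]  # drop LDP's terminating ";"
        values = [p.strip() for p in parts if p.strip()]
        if values:  # an attribute printed with no value counts as absent
            attrs[name] = values
    return attrs


def classify(attrs):
    """Apply the guide's rule for mail-enabled vs. mailbox-enabled objects."""
    if "mailNickname" not in attrs:
        return "not mail-enabled"
    if any(a in attrs for a in HOME_ATTRS):
        return "mailbox-enabled"
    return "mail-enabled"


def missing_for_categorizer(attrs):
    """List required attributes that the categorizer would not find."""
    kind = classify(attrs)
    if kind == "mailbox-enabled":
        return [a for a in MAILBOX_REQUIRED if a not in attrs]
    if kind == "mail-enabled":
        # targetAddress is required; the mail attribute is the fallback.
        ok = "targetAddress" in attrs or "mail" in attrs
        return [] if ok else ["targetAddress"]
    return ["mailNickname"]


def rus_fill_order(attrs):
    """Attributes the Recipient Update Service would try to add, in order."""
    kind, plan = classify(attrs), []
    if kind == "mailbox-enabled":
        if "msExchHomeServerName" not in attrs:
            plan.append("msExchHomeServerName")  # derived from homeMDB/homeMTA
        plan += [a for a in ("homeMDB", "homeMTA") if a not in attrs]
    if kind != "not mail-enabled":
        plan += [a for a in ("legacyExchangeDN", "displayName") if a not in attrs]
    if kind == "mailbox-enabled" and "msExchMailboxGuid" not in attrs:
        plan.append("msExchMailboxGuid")
    return plan


# Constructed sample: a user created by a custom tool with only some attributes.
SAMPLE_USER_DUMP = """\
>> Dn: CN=Kim Example,CN=Users,DC=contoso,DC=com
    1> cn: Kim Example;
    1> displayName: Kim Example;
    1> mail: kim@contoso.com;
    1> mailNickname: kim;
    1> homeMDB: CN=Mailbox Store (SERVER-01),CN=First Storage Group,CN=InformationStore,CN=SERVER-01,CN=Servers,DC=contoso,DC=com;
    2> proxyAddresses: SMTP:kim@contoso.com; X400:c=us;a= ;p=First Organizati;o=Exchange;s=Example;g=Kim;;
    1> msExchMailboxSecurityDescriptor: <ldp: Binary blob>;
"""

# Constructed sample: a contact whose targetAddress was set without an address.
SAMPLE_CONTACT_DUMP = """\
>> Dn: CN=Partner Contact,CN=Users,DC=contoso,DC=com
    1> mailNickname: partner;
    1> legacyExchangeDN: /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=partner;
    1> targetAddress: ;
    1> mail: partner@fourthcoffee.com;
"""

if __name__ == "__main__":
    for dump in (SAMPLE_USER_DUMP, SAMPLE_CONTACT_DUMP):
        a = parse_ldp_dump(dump)
        print(classify(a), missing_for_categorizer(a), rus_fill_order(a))
```

Binary attributes that LDP prints as `<ldp: Binary blob>` are treated as present; the check covers existence only, not whether a value is correct.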

Hidden Distribution Group Membership Policy

For the hidden distribution group membership policy, the Recipient Update Service does not run only when a new entry is created (such as a security group or distribution group). The Recipient Update Service also runs when you modify the status of the hideDLMembership attribute. If this attribute is set to TRUE, the Recipient Update Service adds a noncanonical part to the security descriptor, which prevents anyone from viewing the "member" attribute for that entry. This applies to any type of client that searches the directory by using MAPI or LDAP. If the attribute is set to FALSE, the Recipient Update Service removes the noncanonical security descriptor, which exposes the member attribute again.

For additional information about hiding group membership, see Microsoft Knowledge Base article 253827, "XADM: How Exchange Hides Group Membership in Active Directory." Although this article is written for Exchange 2000, the same principles apply to Exchange 2003.

Common Non-Delivery Report Scenarios

This topic covers the following common scenarios that can cause NDRs to be generated:
Issues with Active Directory.
Delayed message delivery because of global catalog server issues.
Sending messages to recipients in personal address books or contact lists.
Sending messages to a public folder.

Issues with Active Directory

Non-delivery reports can occur because of issues with Active Directory. The following categories of NDRs are related to Active Directory issues:
Recipients were moved to Active Directory by using Active Directory Connector (ADC).
Recipients were moved to Active Directory by using the Move Mailbox tool.
Attributes are missing.

Recipients Were Moved to Active Directory by Using Active Directory Connector
If some of your users are experiencing NDRs and you have moved recipients using the Active Directory Connector, determine the following:
What type of recipient is generating the NDR (for example, a mailbox, a distribution group, or a contact).
How the recipient was moved to Active Directory.

If the recipient was replicated to Active Directory by the ADC, use the ADCDump tool to obtain an ADC dump file, and then compare the attributes that exist in both directories for the recipient that is experiencing the issue. The ADC dump file shows the missing attributes between the Exchange 2003 object and the Exchange Server 5.5 object. To obtain the ADCDump tool, contact Microsoft Product Support Services.

If the users were moved by using the ADC, the users must exist in Active Directory, at least as disabled users. Replicating users to Active Directory as contacts (custom recipients) from the Exchange 5.5 directory results in NDRs. If the Exchange 5.5 and Microsoft Windows NT® Server version 4.0 recipients were replicated to Active Directory as contacts, Exchange 2003 no longer sends e-mail messages to Windows NT Server 4.0 recipients that are represented as contacts in Active Directory. In this scenario, the following NDR is returned:
A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients. Contact your administrator. <servername.contoso.com #5.4.6>

For additional information, see Microsoft Knowledge Base article 272593, "XCON: Message Generates NDR When Sent to a Windows NT Server 4.0 Recipient Represented as Contact in Active Directory." Although this article was written for Exchange 2000, the same principles apply to Exchange 2003. This behavior does not occur with contacts that are created in Exchange 2003; this behavior occurs only with Windows NT Server 4.0 users that are replicated to Active Directory as contacts through the ADC. Messages can be sent to native Exchange 2003 contacts without issues.

Note: If disabled users are not displayed in Active Directory, and you are receiving 2211 MSADC error messages, change the replication server for the Connection Agreement to the bridgehead server in the Exchange 2003 site or domain to which you are replicating. Also, for complete interoperability between Exchange 2003 servers and Exchange 5.5 computers, make sure that ADC replication is set to two-way.

Recipients ;ere Moved to Active 2irector' b' %sing the Move Mai+box Too+
Ma%e sure that all mailDenabled attributes exist if a recipient, distribution roup, or user exists as a nati"e Exchan e 200' obFect or $as mo"ed from Exchan e .). b( usin the Mo"e Mailbox tool) #he follo$in steps are useful: Determine the Exchan e ser"er that the sender ph(sicall( resides on) 4f the recipient is a distribution roup, find the distribution roup expansion ser"er) Determine $hich lobal catalo ser"er that the senderHs Exchan e ser"er or the distribution roup expansion ser"er contacts for name resolution) ;!ee the procedure later in this section for detailed steps)< ,un the :ltest tool, a"ailable on Cindo$s 2000 and Cindo$s !er"er 200', to determine $hich lobal catalo ser"er is bein contacted b( the senderHs ser"er or the distribution roup expansion ser"er) Ma%e sure that (ou run :ltest from the senderHs Exchan e ser"er or from the distribution roup expansion ser"er) 4f the distribution roup expansion is set to an( ser"er in the or aniAation, run :ltest from the sendin ser"er)

302

6or detailed instructions, see 5o$ to Determine the Expansion !er"er for a Distribution -roup) After (ou %no$ $hich lobal catalo is bein used, obtain a dump file of the recipient user distribution roup) 6or additional information about ho$ to obtain a dump file, see the follo$in Microsoft Bno$led e ?ase articles: 2..2.',J=ADM: 5o$ to Perform a Dump of a Container or /bFect in Exchan e 2000J 211201,J=ADM: Alternati"e Methods to /btain a Dump of an /bFectJ

@ou can also use the 3DP tool to obtain the 3DP dump file of the recipient obFect) 4f (ou use the 3DP tool, ma%e sure that port '262 is used $hen connectin to the lobal catalo ser"er) #his is the port that Messa e Cate oriAer uses to Euer( lobal catalo ser"ers for name resolution) Note 4f the 3DP tool truncates results, (ou can obtain the base distin uished name information for the obFect ;$hich is reEuired to use the procedure discussed in Bno$led e ?ase article 211201< from the :D,) Each :D, contains the base distin uished name information of the obFect that cannot be deli"ered) 4f the format of the :D, or the recipient obFectHs base distin uished name information is suspect, (ou can send a ne$ test messa e $ith a deli"er( receipt reEuested) !end this test messa e to the recipient that is experiencin the issue from a user $ho can successfull( send to that recipient)

Missing Attributes
Attributes may be missing from an object for a variety of reasons that range from attributes that were manually deleted to global catalog synchronization issues. However, if any attributes are missing, it is most commonly because Recipient Update Service did not write these attributes correctly or because of ADC replication issues. For detailed information, see How to Correct Missing Attribute Issues.

Delayed Message Delivery Due to Global Catalog Server Issues

Problems with a global catalog can cause delays in message delivery. In this case, NDRs are generated to notify the sender of the delay. You can use Message Tracking Center to diagnose these problems. The following example shows data gathered from Message Tracking Center:
6/22/2001 3:54 PM Tracked message history on server CONTOSO-MSG-01
6/22/2001 3:54 PM SMTP Store Driver: Message Submitted from Store
6/22/2001 3:54 PM SMTP: Message Submitted to Advanced Queuing
6/22/2001 3:54 PM SMTP: Started Message Submission to Advanced Queue
6/22/2001 3:54 PM SMTP: Message Submitted to Categorizer
6/22/2001 4:24 PM SMTP: Started Outbound Transfer of Message
6/22/2001 4:24 PM Message transferred out to FOURTHCOFFEE.COM through SMTP
6/22/2001 4:24 PM SMTP: Message Submitted to Advanced Queuing
6/22/2001 4:24 PM SMTP: Started Message Submission to Advanced Queue
6/22/2001 4:24 PM SMTP: Message Submitted to Categorizer
6/22/2001 4:24 PM SMTP: Started Outbound Transfer of Message
6/22/2001 4:24 PM Message transferred out to FOURTHCOFFEE.COM through SMTP
6/22/2001 4:24 PM SMTP Store Driver: Message Delivered Locally to Store

In this example, notice that the message was delayed in message categorizer for 30 minutes before outbound transfer started and the message was eventually delivered. In these situations, determine which global catalog server Exchange is using by running the Nltest tool as described in "Recipients Were Moved to Active Directory by Using the Move Mailbox Tool" earlier in this topic. Then, investigate the global catalog servers that are involved. The following are common causes of global catalog issues:

Overloaded or overworked global catalog servers.
Performance issues with global catalog servers.
Low memory.
Low hard disk space.
Intermittent network issues between Exchange 2000 and global catalog servers.
Too many Exchange servers using the same global catalog server (the recommended ratio of Exchange processors to global catalog server processors is four to one).

Important: Message tracking logs can be misleading. For example, if the global catalog server is working correctly and the message categorized correctly, but a remote SMTP server was unavailable for thirty minutes, the message tracking log looks similar to the sample log shown above. Also, if the message had to be delivered locally and the Exchange store was performing slowly, the message tracking log shows a large gap of time between "Message Submitted to Message Categorizer" and "Message Delivered Locally to Store."

Use a System Monitor log from a global catalog server while you reproduce the issue. It can help you diagnose these issues. Recycling the global catalog servers may resolve these issues. To troubleshoot these issues, you can specify a global catalog server for each Exchange server.

Note: Manually configuring global catalog servers is only recommended for troubleshooting. When your global catalog servers are manually configured, Exchange cannot detect if a server becomes unavailable.

For detailed information, see How to Specify a Global Catalog Server. For additional information about DSAccess, see Microsoft Knowledge Base article 250570, "XCON: Directory Service Server Detection and DSAccess Usage."
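The gap analysis described in this section can be automated. The following is an added example, not part of the original guide or of any Microsoft tool: it parses a tracking history in the "date time event" layout, reports every gap of five minutes or more, and lists what to check for that stage, reflecting the caution that a categorizer gap can also be caused by an unavailable remote SMTP server or a slow Exchange store. The sample log, the threshold, and the function names are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample in the layout of a Message Tracking Center history listing.
SAMPLE_LOG = """\
6/22/2001 3:54 PM SMTP Store Driver: Message Submitted from Store
6/22/2001 3:54 PM SMTP: Message Submitted to Advanced Queuing
6/22/2001 3:54 PM SMTP: Started Message Submission to Advanced Queue
6/22/2001 3:54 PM SMTP: Message Submitted to Categorizer
6/22/2001 4:24 PM SMTP: Started Outbound Transfer of Message
6/22/2001 4:24 PM Message transferred out to FOURTHCOFFEE.COM through SMTP
"""

# What to check for a gap that ends at a given event. Keys are substrings of
# the event that follows the gap; the wording of the checks is this example's.
CHECKS = {
    "Started Outbound Transfer": [
        "global catalog server load, memory, disk and network (categorizer lookups)",
        "availability of the remote SMTP server during the gap",
    ],
    "Delivered Locally to Store": [
        "global catalog server load, memory, disk and network (categorizer lookups)",
        "Exchange store performance on the delivering server",
    ],
}


def parse_events(text):
    """Return [(datetime, event text)] for each well-formed line, in file order."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 3)  # date, time, AM/PM, event text
        if len(parts) < 4:
            continue
        try:
            stamp = datetime.strptime(" ".join(parts[:3]), "%m/%d/%Y %I:%M %p")
        except ValueError:
            continue  # wrapped or malformed line, skip it
        events.append((stamp, parts[3].strip()))
    return events


def find_gaps(events, threshold_minutes=5):
    """Report consecutive events separated by at least threshold_minutes."""
    gaps = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        minutes = (t1 - t0).total_seconds() / 60
        if minutes >= threshold_minutes:
            checks = next((c for key, c in CHECKS.items() if key in after),
                          ["no specific guidance for this stage"])
            gaps.append({"minutes": minutes, "before": before,
                         "after": after, "check": checks})
    return gaps


if __name__ == "__main__":
    for gap in find_gaps(parse_events(SAMPLE_LOG)):
        print(f"{gap['minutes']:.0f} min between '{gap['before']}' "
              f"and '{gap['after']}'")
        for item in gap["check"]:
            print("  check:", item)
```

Because tracking timestamps have one-minute resolution, keep the threshold well above one minute to avoid flagging normal processing.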

Non-Delivery Reports When Sending to Personal Address Book and Contact List
If a user is moved from an Exchange Server 5.5 computer by using the Exchange 2003 Move Mailbox tool, and the moved mailbox has a personal address book or contact list in the Exchange 5.5 mailbox, the personal address book and contact list becomes invalid on an Exchange 2003 mailbox. Any addresses that are resolved against the personal address book or contact list generate an NDR that is similar to:

Your message did not reach some or all of the intended recipients.
Subject: Test
Sent: 8/3/2000 5:24 PM
The following recipient(s) could not be reached:
CN=0 Network,OU=United States,OU=Distribution Lists,DC=Contoso,DC=com on 8/3/2000 5:24 PM
The e-mail address could not be found. Perhaps the recipient moved to a different e-mail organization, or there was a mistake in the address. Check the address and try again.
<CONTOSO-MSG-01.Contoso.com #5.1.0>

Because the Move Mailbox tool does not move personal address books and contact lists, all addressing information in personal address books and contact lists becomes invalid. To resolve this issue, on your Outlook client, ensure that the global address list is selected as the source for the address book. Ideally, your users that have been moved from an Exchange 5.5 server should delete personal address books and contact lists, and then re-create them.

Sending Messages to a Public Folder


Sending an e-mail message to a public folder in Exchange is more complicated than sending an e-mail message to a mailbox. A mailbox can only exist on one server and therefore belongs to a particular mailbox store. Active Directory attributes for a mailbox point to a specific server. Therefore, after the entry is resolved, Exchange can use routing to determine which mailbox store to deliver the message to.

A public folder in Active Directory has no home server. A public folder can exist on multiple servers, and no information is held in Active Directory to indicate which servers hold replicas of the folder. The Exchange store handles this information. When Exchange delivers a message to a public folder, the first task it performs is to deliver the message to an Exchange store that points to the location of the public folder replicas. The Exchange store looks up the ptagReplicaList entry, which lists the Exchange servers with replicas of the folder, and then resubmits the message readdressed to an Exchange store that holds a replica of the folder.

The categorizer is responsible for correctly resolving the address of a message. In the case of public folders, it is also responsible for:

Determining which top-level hierarchy the folder belongs to.
Addressing the message correctly to be submitted to a store in that top-level hierarchy.
Rewriting the address of the message to a store that holds a replica of that public folder, after the replica list is obtained.

When an e-mail message is sent to a public folder, the categorizer performs the following steps to deliver the message:

1. Initial public folder lookup
2. Top-level hierarchy server lookup

Initial Public Folder Lookup

When an e-mail message is submitted, Exchange resolves the address to an entry in Active Directory. If that entry is a public folder rather than a mailbox, the categorizer attempts to obtain the homeMDB attribute of the public folder:

homeMDB: CN=Public Folders,CN=Folder Hierarchies,CN=First Administrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso-msg-01,DC=contoso,DC=com;

A folder's homeMDB attribute contains the distinguished name of the top-level hierarchy to which the folder belongs.

Top-level Hierarchy Server Lookup

Next, the categorizer looks up the top-level hierarchy that is retrieved from the folder's homeMDB attribute to obtain a list of all the servers in that folder's top-level hierarchy. The categorizer is unable to determine the location of the replica, but it can submit the message to an Exchange store that does have the location information. The top-level hierarchy distinguished name contains a link to all the servers in that top-level hierarchy. To determine which public folder store or server the categorizer picks from the top-level hierarchy, Exchange uses the following criteria:

Does one of the public folder stores exist on the local server? If so, Exchange uses that store.
Does one of the public folder stores exist on an Exchange server in the local routing group? If so, Exchange uses that store.
Does one of the public folder stores exist on any Exchange server? If so, Exchange uses that store.
Otherwise, Exchange uses the first store in the list.

The first server on the list is contained in the msExchOwningPFTreeBL attribute. This attribute is located on the public folder tree under folder hierarchies. The categorizer then chooses a server from the msExchOwningPFTreeBL attribute to which it sends the message. The following example shows the contents of the msExchOwningPFTreeBL attribute, as obtained from LDP output:

msExchOwningPFTreeBL:
CN=Public Information Store (PFREP55),CN=First Storage Group,CN=InformationStore,CN=PFREP55,CN=Servers,CN=FourthCoffee,CN=Administrative Groups,CN=Lake District,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=cumbria,DC=extest,DC=microsoft,DC=com;
CN=Public Folder Store (PFREP57),CN=First Storage Group,CN=InformationStore,CN=PFREP57,CN=Servers,CN=Coniston,CN=Administrative Groups,CN=Lake District,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=cumbria,DC=example,DC=microsoft,DC=com;
CN=Public Information Store (PFREP56),CN=First Storage Group,CN=InformationStore,CN=PFREP56,CN=Servers,CN=Coniston,CN=Administrative Groups,CN=Lake District,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=cumbria,DC=example,DC=microsoft,DC=com;
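The selection order described above can be traced against an msExchOwningPFTreeBL value when you need to predict which store receives a public folder message. The following is an added example, not Exchange code: it extracts each store's server from its distinguished name and applies the four criteria in order. The sample value is constructed, and two things are assumptions of the example: the routing_group_of map (the distinguished names carry the administrative group, not the routing group), and treating "any Exchange server" as a server present in that map.

```python
# Constructed sample: three store DNs separated by ';' as LDP prints them.
SAMPLE_BACKLINK = (
    "CN=Public Information Store (PFREP55),CN=First Storage Group,"
    "CN=InformationStore,CN=PFREP55,CN=Servers,CN=FourthCoffee,"
    "CN=Administrative Groups,CN=Lake District,DC=example,DC=com;"
    "CN=Public Folder Store (PFREP57),CN=First Storage Group,"
    "CN=InformationStore,CN=PFREP57,CN=Servers,CN=Coniston,"
    "CN=Administrative Groups,CN=Lake District,DC=example,DC=com;"
    "CN=Public Information Store (PFREP56),CN=First Storage Group,"
    "CN=InformationStore,CN=PFREP56,CN=Servers,CN=Coniston,"
    "CN=Administrative Groups,CN=Lake District,DC=example,DC=com;"
)


def split_dn(dn):
    """Split a distinguished name into RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            current += ch
            escaped = True
        elif ch == ",":
            rdns.append(current.strip())
            current = ""
        else:
            current += ch
    if current.strip():
        rdns.append(current.strip())
    return rdns


def server_of(store_dn):
    """The server is the RDN immediately to the left of CN=Servers."""
    rdns = split_dn(store_dn)
    for i, rdn in enumerate(rdns):
        if rdn.lower() == "cn=servers" and i > 0:
            return rdns[i - 1].split("=", 1)[1]
    raise ValueError("no CN=Servers container in DN: " + store_dn)


def parse_backlink(value):
    """Split the multi-valued attribute into individual store DNs."""
    return [dn.strip() for dn in value.split(";") if dn.strip()]


def pick_store(store_dns, local_server, routing_group_of):
    """Apply the four criteria in order; return (store DN, reason).

    routing_group_of maps lower-case server name to routing group name
    (hypothetical input supplied by the caller).
    """
    if not store_dns:
        raise ValueError("attribute lists no public folder stores")
    stores = [(dn, server_of(dn).lower()) for dn in store_dns]
    local = local_server.lower()
    for dn, srv in stores:
        if srv == local:
            return dn, "store on the local server"
    local_rg = routing_group_of.get(local)
    if local_rg is not None:
        for dn, srv in stores:
            if routing_group_of.get(srv) == local_rg:
                return dn, "store in the local routing group"
    for dn, srv in stores:
        if srv in routing_group_of:
            return dn, "store on a known Exchange server"
    return stores[0][0], "first store in the list"


if __name__ == "__main__":
    dns = parse_backlink(SAMPLE_BACKLINK)
    groups = {"mbx01": "RG-A", "pfrep57": "RG-A", "pfrep55": "RG-B"}
    chosen, why = pick_store(dns, "MBX01", groups)
    print(server_of(chosen), "-", why)
```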

How to Determine the Expansion Server for a Distribution Group

Expansion servers route messages that are sent to a single distribution list or group for each of the recipient objects in that list or group. When a user sends a message to a group, the Exchange server that is acting as the expansion server expands the group to its individual members. This expansion permits members of the distribution list or group to receive the message. An expansion server also resolves the names of all recipients in the distribution list or group, and then determines the most efficient path for routing the message.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Non-Delivery Report Messages. The following permissions are required to perform this procedure:

Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure
To determine the expansion server for a distribution group

1. In Active Directory Users and Computers, right-click the distribution group and then click Properties.
2. Click the Exchange Advanced tab, and look in the value under Expansion server.

The Exchange Advanced tab of the Distribution group properties dialog box

3. From a command prompt, type the following:

NLTEST /DSGETDC:<domain> /GC

where domain is the name of your domain

How to Correct Missing Attribute Issues

Attributes may be missing from an object for a variety of reasons that range from attributes that were manually deleted to global catalog synchronization issues. However, if any attributes are missing, it is most commonly because Recipient Update Service did not write these attributes correctly or because of ADC replication issues.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Non-Delivery Report Messages. The following permissions are required to perform this procedure:

Member of the local administrators group

Procedure
To correct missing attribute issues

1. In Exchange System Manager, expand Recipients, and then expand Recipient Update Services.
2. Right-click the Recipient Update Service that you want to correct, and then click Update Now to update the missing attributes from the recipient object that is experiencing this issue, or click Rebuild to rebuild all recipient objects.

How to Specify a Global Catalog Server

Problems with a global catalog can cause delays in message delivery. In this case, NDRs are generated to notify the sender of the delay. You can use Message Tracking Center to diagnose these problems. The following are common causes of global catalog issues:

Overloaded or overworked global catalog servers.
Performance issues with global catalog servers.
Low memory.
Low hard disk space.
Intermittent network issues between Exchange 2000 Server and global catalog servers.
Too many Exchange servers using the same global catalog server (the recommended ratio of Exchange processors to global catalog server processors is four to one).

Important: Message tracking logs can be misleading. For example, if the global catalog server is working correctly and the message categorized correctly, but a remote SMTP server was unavailable for thirty minutes, the message tracking log looks similar to the sample log shown above. Also, if the message had to be delivered locally and the Exchange store was performing slowly, the message tracking log shows a large gap of time between "Message Submitted to Message Categorizer" and "Message Delivered Locally to Store."

Use a System Monitor log from a global catalog server while you reproduce the issue. It can help you diagnose these issues. Recycling the global catalog servers may resolve these issues. To troubleshoot these issues, you can specify a global catalog server for each Exchange server.

Note: Manually configuring global catalog servers is only recommended for troubleshooting. When your global catalog servers are manually configured, Exchange cannot detect if a server becomes unavailable.

Before You Begin

Before you perform the procedure in this topic, read Troubleshooting Non-Delivery Report Messages. The following permissions are required to perform this procedure:

Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure
To specify a global catalog server

1. In Exchange System Manager, expand Servers, right-click your Exchange server and then click Properties.
2. Click the Directory Access tab.
3. In Show, select Global Catalog Servers.
4. Clear the Automatically discover servers check box.

Directory Access tab

5. Click Add, and select the global catalog server that you want to troubleshoot.

The global catalog that you select for the domain must exist in Active Directory, must be accessible by means of LDAP port 3268, must process the Exchange server's request in a timely manner, and must have all mail-enabled attributes for the recipient object. The following example shows data gathered from Message Tracking Center:
6/22/2001 3:54 PM Tracked message history on server CONTOSO-MSG-01
6/22/2001 3:54 PM SMTP Store Driver: Message Submitted from Store
6/22/2001 3:54 PM SMTP: Message Submitted to Advanced Queuing
6/22/2001 3:54 PM SMTP: Started Message Submission to Advanced Queue
6/22/2001 3:54 PM SMTP: Message Submitted to Categorizer
6/22/2001 4:24 PM SMTP: Started Outbound Transfer of Message
6/22/2001 4:24 PM Message transferred out to FOURTHCOFFEE.COM through SMTP
6/22/2001 4:24 PM SMTP: Message Submitted to Advanced Queuing
6/22/2001 4:24 PM SMTP: Started Message Submission to Advanced Queue
6/22/2001 4:24 PM SMTP: Message Submitted to Categorizer
6/22/2001 4:24 PM SMTP: Started Outbound Transfer of Message
6/22/2001 4:24 PM Message transferred out to FOURTHCOFFEE.COM through SMTP
6/22/2001 4:24 PM SMTP Store Driver: Message Delivered Locally to Store

In this example, notice that the message was delayed in message categorizer for 30 minutes before outbound transfer started and the message was eventually delivered. In these situations, determine which global catalog server Exchange is using by running the Nltest tool as described in "Recipients Were Moved to Active Directory by Using the Move Mailbox Tool" in Common Non-Delivery Report Scenarios. Then, investigate the global catalog servers that are involved. For additional information about DSAccess, see Microsoft Knowledge Base article 250570, "XCON: Directory Service Server Detection and DSAccess Usage."

Additional NDR Reference

The following table provides a description of delivery status notification codes. This table can help you interpret the codes that you receive in NDRs.

Delivery status notification codes

Delivery status notification code    Description
X.1.0    Other address status
X.1.1    Bad destination mailbox address
X.1.2    Bad destination system address
X.1.3    Bad destination mailbox address syntax
X.1.4    Destination mailbox address ambiguous
X.1.5    Destination mailbox address valid
X.1.6    Mailbox has moved
X.1.7    Bad sender's mailbox address syntax
X.1.8    Bad sender's system address
X.2.0    Other or undefined mailbox status
X.2.1    Mailbox disabled, not accepting messages
X.2.2    Mailbox full
X.2.3    Message length exceeds administrative limit
X.2.4    Mailing list expansion issue
X.3.0    Other or undefined mail system status
X.3.1    Mail system full
X.3.2    System not accepting network messages
X.3.3    System not capable of selected features
X.3.4    Message too big for system
X.3.5    System incorrectly configured
X.4.0    Other or undefined network or routing status
X.4.1    No answer from host
X.4.2    Bad connection
X.4.3    Routing server failure
X.4.4    Unable to route
X.4.5    Network congestion
X.4.6    Routing loop detected
X.4.7    Delivery time expired
X.5.0    Other or undefined protocol status
X.5.1    Invalid command
X.5.2    Syntax error
X.5.3    Too many recipients
X.5.4    Invalid command arguments
X.5.5    Wrong protocol version
X.6.0    Other or undefined media error
X.6.1    Media not supported
X.6.2    Conversion required and prohibited
X.6.3    Conversion required but not supported
X.6.4    Conversion with loss performed
X.6.5    Conversion failed
X.7.0    Other or undefined security status
X.7.1    Delivery not authorized, message refused
X.7.2    Mailing list expansion prohibited
X.7.3    Security conversion required but not possible
X.7.4    Security features not supported
X.7.5    Cryptographic failure
X.7.6    Cryptographic algorithm not supported
X.7.7    Message integrity failure

Part Five
Part 5 contains advanced concepts about the underlying transport architecture of Microsoft® Exchange Server 2003 and the link state concepts that it uses. You should read Part 1 of this guide and possess a sound knowledge of the concepts that are presented in this guide before reading this section. Part 5 contains the following sections:

Understanding Internal Transport Components
This section explains how the internal transport components, such as the routing engine, the advanced queuing engine, and the message categorizer, work together in the message delivery process.

Advanced Link State Concepts
This section examines the details of the link state packet and explains advanced link state concepts.

Understanding Internal Transport Components

This topic provides detailed descriptions of the components that are involved in receiving and sending mail in Simple Mail Transfer Protocol (SMTP). In addition, this topic describes how these components perform in a typical mail flow process. The following are important components that are involved in mail transport:

Routing engine
The Microsoft® Exchange Routing engine, a service in the Default Exchange Services, is responsible for determining the least expensive available path for message delivery. It supplies this information to the advanced queuing engine as part of the message delivery process.

Advanced queuing engine
The advanced queuing engine is responsible for several aspects of message delivery. Specifically, the advanced queuing engine retrieves messages from SMTP or the Microsoft Exchange store driver, categorizes them, determines each message's destination, and then provides an interface to the multiple queues to which a message can be assigned while awaiting delivery.

Message categorizer
The message categorizer is a component of the advanced queuing engine that sends Lightweight Directory Access Protocol (LDAP) queries to the global catalog server to perform directory lookups. These queries retrieve the following information:

The recipient e-mail addresses
The mailbox store on which a recipient mailbox resides
The Exchange server hosting that mailbox store

The following figure illustrates the transport components involved in mail flow. The shaded areas depict transport components.

Message flow through internal transport components

Receiving Internet Mail

Exchange relies on DNS, the SMTP protocol, the message categorizer, the advanced queuing engine, and the Exchange routing engine to receive Internet mail. The components perform the following tasks to deliver Internet mail to a user in an Exchange organization:

1. The sending SMTP server uses DNS to query for the preferred MX (mail exchanger) record of the destination domain or target server. DNS returns a list of A (host) records, which resolve to an Internet Protocol (IP) address or addresses of the server.
2. The sending SMTP server initiates a connection to port 25 of the destination SMTP server. The destination SMTP server is the SMTP virtual server located on the physical gateway server that is configured to accept incoming Internet mail for the domain to which the mail is addressed.
3. Ideally, the inbound SMTP server only accepts the incoming message if it is destined for an SMTP mail domain that is defined in a recipient policy (unless the server is open to relay, which is strongly discouraged).
4. When the message is accepted, the SMTP virtual server creates an envelope for the message; this message structure is called MAILMSG. MAILMSG contains all of the properties of the message, including the sender and recipient names.
5. The message categorizer makes an LDAP query to the global catalog server to find the homeMdb attribute of the recipient. The message categorizer then stamps the fully qualified domain name (FQDN) of this Exchange server on the MAILMSG object. The homeMdb attribute is the user's home mailbox server, which is the location where the user's mailbox store and mailbox reside.
6. One of two events occurs:
If the user's mailbox store is located on that Exchange server, the message categorizer marks the message for local delivery, and the advanced queuing engine transfers the message to the Exchange store driver. The Exchange store driver then delivers the message to the mailbox store.
If the user's mailbox store is not located on that Exchange server, the message categorizer transfers the message to the advanced queuing engine. The advanced queuing engine then calls the Exchange routing engine to determine the best way to send the message to the server (based on link state routing), and determines the next destination, or hop, in the route to the user's home server.
7. Finally, complete with destination information from the message categorizer and routing information from the routing engine, the advanced queuing engine sends the message to its final destination in one of the following ways:
If the destination is a local domain, the message is delivered to the SMTP virtual server located on the Exchange server where the user's mailbox resides.
If the user's mailbox is in a remote routing group, the message may have to be sent through other connectors.
If the destination is outside of the Exchange organization, the message is delivered to the SMTP server for remote domains in a different remote queue. An incoming message will be sent to a remote domain only if one of the following configurations is applied:
- The Exchange server is open for relay.
- The user sending the message is authorized to relay.
- Another connector is configured that allows relaying to these domains.
If the destination is a connector to another system or to an earlier version of Exchange, the Exchange store driver submits the mail to the message transfer agent (MTA).

Sending Internet Mail

To send Internet mail, Exchange relies on the same components that it relies upon for receiving Internet mail: DNS, the SMTP protocol, the message categorizer, the advanced queuing engine, and the Exchange routing engine. Internet mail is sent through Exchange in the following manner:

1. An internal user sends a message to a remote domain. The message is submitted on the Exchange server on which the user's mailbox resides.
2. The message is submitted to the advanced queuing engine in one of two ways:
If the message was sent using a Microsoft Office Outlook® Web Access or Outlook (MAPI) client, the Exchange store submits the message to the advanced queuing engine through the store driver.
If the message was sent using a Post Office Protocol (POP) or an Internet Mail Access Protocol (IMAP) client, SMTP passes the message to the advanced queuing engine.
3. The message categorizer then queries the global catalog server with the recipient address to find the user. If the recipient address is not in a recipient policy, or if a matching recipient with a proxy address does not exist (the recipient address will not be stored in Active Directory), the message categorizer determines that the message is bound for a remote domain.
4. The advanced queuing engine calls into the Exchange routing engine to determine the next destination, or hop, for a route to the address space that most closely matches the remote domain.
5. With this information, the server determines whether to send the message, to route it to the smart host, or to use an SMTP connector with the remote address space.
6. If there are multiple connectors or virtual servers that handle outbound mail, the advanced queuing engine determines the virtual server or connector with the address space that most closely matches the address space of the remote domain and any restrictions for that connector.
7. The message is routed to the outbound connector's SMTP virtual server or to the outbound SMTP virtual server that is responsible for delivery.
8. The SMTP virtual server located on the Exchange server that performs categorization then uses its metabase information for the route action attribute for the remote domain.
9. The SMTP virtual server on the Exchange server then performs one of two tasks:
Uses DNS to look up the IP address for the target domain and then attempts delivery of the message.
Forwards the message to a smart host that assumes responsibility for the DNS resolution and delivery.

Advanced Link State Concepts

This section explains advanced concepts that govern how link state information is communicated and propagated throughout a Microsoft® Exchange organization. It contains the following topics:

Link State Components
Understanding the OrgInfo Packet
Understanding OrgInfo Packet Details
Server Services and Routing Nodes
Routing Updates
Routing Topology Update Communications

Link State Components

Several components play a crucial role in the propagation of link state information. These components are the:

OrgInfo packet that contains the packet of link state information for the Exchange topology.
Server services and client nodes that use or exchange link state information.
Routing group master, a type of server service, that is responsible for maintaining accurate link state information for its routing group and distributing that information (the OrgInfo packet) to its routing group members.

Understanding the OrgInfo Packet

The OrgInfo packet is the link state table that contains the details and status of the Exchange organization's routing topology. Routing group masters propagate this information throughout the organization in the form of the OrgInfo packet. The packet includes details such as organization name, routing groups, connectors, and address spaces. The WinRoute tool displays the contents of the OrgInfo packet in a more readable form than the raw packet. To identify in detail the various portions of this packet, however, this topic discusses the packet in its raw data form.

Note: You can download the WinRoute tool from the Downloads for Exchange Server 2003 Web site.

In general, information fields within the packet are separated by parentheses in the following way:

(Routing group (Routing group members (Connectors in routing group (Connector config))))

Within the packet, GUIDs are referenced for the various components. Certain information is represented in ASCII text, such as:

Portions of the X.400 and X.500 routing group addresses that are listed in each routing group section.
The legacy distinguished names, legacyExchangeDNs, of connectors.
Virtual server FQDNs when listing the source or remote bridgehead servers of connectors.
For each restriction set on a connector, the distinguished name of the restricted object. For example, if a connector denies usage to three users, the three distinguished names of the users are listed in ASCII text in the packet.

Because the components above are listed in ASCII text, the number of these components in a routing topology affects the overall size of the OrgInfo packet. A practice of denying connector access to users instead of distribution groups or specifying source and destination bridgehead servers when not necessary, for example, will lead to a much larger OrgInfo packet than normal. Because this packet is distributed throughout the Exchange organization, and these restrictions add to the size of the packet, the exchange of the link state packet between servers can have profound effects on network utilization depending on the size of the Exchange organization. As a best practice, if you must restrict connector access, use distribution groups rather than users, and only apply specific source and destination bridgehead servers where appropriate if the size of the OrgInfo packet is a concern.

Another important fact about the size of the OrgInfo packet is that, once a routing group has been created, the routing group remains in memory on each Exchange server in the organization (given that the information has propagated throughout) indefinitely unless all Exchange servers in the organization are shut down simultaneously. This is true even if the routing group has been deleted in Exchange System Manager.

Understanding OrgInfo Packet Details

To explain the contents of an OrgInfo packet, this section analyzes the transmission of an OrgInfo packet from one server to another server within a routing group. The example that is illustrated in Figure 15.1 is taken from an Exchange organization with one routing group containing two servers, both running Exchange Server 2003, with a single SMTP connector incorporating user restrictions. The OrgInfo packet that was transmitted over the network contained the following information:
S00000*"#T..a&c*!1ebe1*%0 #10% ab"& $*"ac 1". '.a!a0%)& d1&#b)*&&&""#)"0ac#& !").!d0#*# #0$ $0a*d)#a "1*&)e!d#$b&.a.0.0.%0dcd) )&1!% "**#&b! d#!&) $bb)!".S! T*..!.0:)& A31&#AM)*&A&&""A#)"0.=#& !"). S*bTc=;SPa=.Pp=8xamplePo=8xchan5ePcn=.!.0:)& A31&#AM)*&A&&""A#)"0.=#& !")P*. S"$T?o=8xample?o+=:irst..dministrative.Hro+p?*?.!.0:)& A31&#AM)*&A&&""#)"0.=#& !"). '.!d0#*# #0$ $0a*d)#a "1*&)e!d#$b&.C8S.1.1aae. S10T0#01000000000101..&#&#$$&$!e&&"#*!bc!d"ec%&$1&)b*d.C8S.1.1aae.


S10T0#01000000000101.(.'.%# 00"bd"#ad&$*!)"1)! )%!)%*%#e .'.=4-:2H.S*TSMTP. S!$TB%# 00"bd"#ad&$*!)"1)! )%!)%*%#e BS.ST. S"*T?o=8xample?o+=:irst..dministrative.Hro+p?cn==on%i5+ration?cn==onnections?cn=V;-N.0 .0.0.0.%%%%%%%%.%%%%%%%%.0.1.0.'(. .'.S!*T=-=tester0#<=-=;sers<3==domain<3==com.. S!*T=-=tester0*<=-=;sers<3==domain<3==com..S!*T=-=tester0$<=-=;sers<3==domain<3==com.. S!*T=-=tester0!<=-=;sers<3==domain<3==com..S!*T=-=tester01<=-=;sers<3==domain<3==com.. S!&T=-=.dministrator<=-=;sers<3==domain<3==com.(.0.'(.0.'(...@@41S.'.S*TSMTP. S1T*.1.(.MD.'.!%db$0b !e*ea&*&a#1%&1%$1&"$"1*$.=4--B.G.2,.S1$T@H@A "A 0!.domain.com.(.T.@HMD.'(.ST.T8.;P(((..

Analyzing the packet shown above in order of presentation, the "ORGINFO" signals to the receiving server that the OrgInfo packet is contained within this frame. The contents that follow "ORGINFO" are:

- The MD5 hash, an encrypted signature that represents the version number for the link state table, of the current OrgInfo packet. This signature is important because servers use this information to determine if they have the identical link state information. As illustrated later, if this hash is different between two Exchange servers, it signals that they have different routing information, and they will exchange OrgInfo packets with each other to determine which server has the most up-to-date information.
- The first set of parentheses shows that information within them pertains to a particular routing group. This example shows a single routing group, so all routing information is contained within this set of parentheses:
- The GUID for the routing group: a2a0f296d191b24999551250ac196252
- The GUID for the routing group master: 2d01416103630a4d21a651492e2d13b9
- The major, minor, and user versions of the link state information: a.0.0
- The GUID of this version information: f0dcd262912f54419b26d129263bb225
- SMTP address information for the routing group: [26]. Brackets signal the start of this information. When an organization is fully converged, each routing group will host this information, that is, if there are two routing groups, the information below will be listed within each routing group's section of the OrgInfo packet. (Note that the characters within these and subsequent brackets mentioned are not necessarily identical across implementations.) The GUID immediately after the [26], A2A0F296-D191-B249-9955-1250AC196252, is the GUID for the particular routing group.
- [4b] This signals the start of X.400 addresses for the routing group. As above, this will be shown in each routing group's section of the OrgInfo packet: c=US;a=.;p=Example;o=Exchange;cn=A2A0F296-D191-B249-9955-1250AC196252;* indicates the X.400 address space, the "cn" portion being the GUID of the routing group.


- [53] This signals the X.500 address information for the routing group. As above, this will be shown in each routing group's section of the OrgInfo packet: /o=Example/ou=First Administrative Group/*/A2A0F296-D191-B249-9955-1250AC196252

Starting at the next open parenthesis, routing group members are identified:

- The GUID of a member server in the routing group: 2d01416103630a4d21a651492e2d13b9
- Whether or not the member is connected to the routing group master. "YES" indicates that the server is connected.
- Server version numbers are listed last.

Note: The above three attributes are then identified for the second server in the routing group.

Starting at the next open parenthesis, connectors are identified:

- The GUID of the single connector: a9c421ebe14f06110f6ab596345ac615

The next open parenthesis identifies connector configuration information:

- The type of connector (SMTP): [4]
- The address of the local source bridgehead which is in the format: GUID of the connector itself appended by an "_S" (without the quotation marks) to indicate a source bridgehead: [23]_f16005bd51ad93422512262f22f4f1e6_S This is an SMTP connector. However, if it was a routing group connector with a destination or remote bridgehead server assigned, the OrgInfo packet would show another [23] followed again by the GUID of the connector itself appended with a "_D". If it were an SMTP connector specifying a smart host, the OrgInfo packet would show the FQDN of the given smart host.
- The distinguished name of the connector: [54]/o=Example/ou=First.Administrative.Group/cn=Configuration/cn=Connections/cn=JUNK
- The schedule of the connector is identified by the first "0". (The schedule in this case is "Always".)

Restrictions of the connector are identified next:


- The scope of the connector is identified by the next "0". (The scope in this case is "Organization".)
- Whether triggered delivery is configured. The third "0" identifies triggered delivery, for example, TURN/ETRN (in this case, triggered delivery is not configured).
- The type of message priority (High, Normal, Low) that is allowed through this connector is identified by the last "0".
- Message size restrictions: ffffffff indicates that there are no message size restrictions through this connector.
- Whether or not a large message threshold was set: ffffffff indicates that no message threshold was set.

The "0 1 0" following the above identifies that:

- Public folder referrals are allowed.
- By default, messages will be accepted from everyone.
- Allowed originators (which is empty in this case because messages will be accepted from all by default based on the above setting).

ARROWS indicates the start of address space information for the connector:

- [4]SMTP indicates that the address space type is SMTP.
- [1]* indicates that it is for all SMTP domains.
- 1 indicates that it has a cost of one.

Starting with "BH", the bridgehead servers for the connector are identified. In this example, there is one bridgehead server that is identified by:

- The GUID of the SMTP virtual server that is designated as a local bridgehead server: 2fdb30b62e4ea949a11f91f319535143
- The availability of the remote bridgehead server: CONN_AVAIL
- The FQDN of the virtual server that acts as a bridgehead server for this connector: [13]RGR-65-02.domain.com
- The FQDN of any target bridgehead servers if they were specified (in this example, none were specified): TARGBH.
- The status of the connector: STATE_UP identifies, in this case, that the status is "UP", which means that the connector is available. ("Down", or unavailable, is the only other option.)


Server Services and Routing Nodes


Now that you understand the contents of the OrgInfo packet, this section explains routing nodes, which are the components that are involved in propagating this information within an Exchange organization. Three types of routing nodes can exist on an Exchange server:

- Master service node
- Subordinate service node
- Client node

Only one type of service node can exist on a server: either the master service node (if the server is the routing group master) or the subordinate service node (if the server is a routing group member). Client nodes consist of various processes, which are consumers of routing information, running on the server. Examples of these processes are SMTP (inetinfo.exe), the Message Transfer Agent (emsmta.exe), the Information Store (store.exe), and the Windows Management Instrumentation (WMI) service (wmiprvse.exe). Two DLLs implement the routing functionality in these components: resvc.dll for the services nodes and reapi.dll for the client nodes. The following figure illustrates the routing nodes and server services.

Routing services nodes

Client nodes communicate directly with their corresponding server services. This communication never occurs outside of any one individual host, for instance, a client node communicates only with other components on the same server. Member and master service nodes within the same routing group communicate with each other over TCP port 691.


Routing Updates
This section discusses the types of updates that the routing group master receives and distributes to its routing group members. Exchange servers and domain controllers may communicate about the following types of information in the context of routing topology and link state updates:

- Major: When routing topology updates occur, such as connector configuration, which includes adding or deleting a connector, adding or deleting an address space on a connector, or when a new server is designated as the routing group master.
- Minor: When information about connector or virtual server availability changes, for example, a connector state changes from up or down.
- User: When services have been started or stopped on an Exchange server (used in the implementation of the 'Status' node in Exchange System Manager), or when another server has been added to the routing group, or a server loses its connectivity to the routing group master.

Major Updates
A domain controller informs routing group masters of major changes in the routing topology for their particular routing group, according to the standard Lightweight Directory Access Protocol (LDAP) change notification process. When the routing group master starts, it registers with the directory using DSAccess for change notifications that pertain to its routing group. A routing group master accepts major routing information updates pertaining to its routing group only from the domain controller with which it communicates. When a routing information update is sent to a routing group from another routing group, for example, the receiving routing group master always ignores the information pertaining to its routing group that is within the OrgInfo packet. For minor and user updates that pertain to its routing group, the routing group master accepts changes from its local client nodes or any subordinate services (routing group members) within its routing group.

A domain controller sends notifications to the routing group master in the following situations:

- A new connector has been added to the routing group, or any attribute changes have been made to an existing connector.
- When changes have been made to the routing group object itself, for example, the routing group master changes.

After the change notification process is complete, the routing group master communicates the change in topology to all of the servers in the local routing group and any servers that act as a remote bridgehead for one of the connectors in this routing group.


Minor Updates
Minor updates consist of link state changes in the environment such as a connector changing from a state of "up" to "down." This change in link state may be detected by any client node in the environment. In Exchange 2000 Server, when a client node detects a change, it communicates this change to its server services nodes at 5-minute intervals. In general, whenever a link state update is received by a master or subordinate service node, the server is forced to requeue all messages and inform the routing group master of the link state change. For unreliable connections that cause frequent state changes (oscillating connections), the communications cause excessive and often conflicting communications.

In Exchange Server 2003, if no alternate path exists for a link in a leaf-node routing group, the link state is always marked as available. Exchange does not change the link state to unavailable if no alternate path exists. Exchange queues mail for delivery and sends it when the route becomes available again. This change enhances performance because it reduces the propagation of link state information. As for oscillating connections, Exchange 2003 views the link state queue and if there are multiple conflicting state changes in a given interval for a connector, the connector is considered an oscillating connection and its link state remains as available. It is better to leave an oscillating connector in an available state than to continually change the link state. This approach reduces the amount of link state traffic that is replicated between servers.
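The two Exchange Server 2003 suppression rules described above can be modelled as follows. This is an added illustration, not Exchange code: the class name, the 300-second window and the three-change limit are assumptions, because the guide gives no interval or threshold.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumption: the guide only says "a given interval"
FLAP_LIMIT = 3         # assumption: changes inside the window that count as oscillating


class LinkStateQueue:
    """Decides which state to advertise for a connector from queued up/down reports."""

    def __init__(self, window=WINDOW_SECONDS, flap_limit=FLAP_LIMIT):
        self.window = window
        self.flap_limit = flap_limit
        self.reports = defaultdict(deque)   # connector -> deque of (time, state)

    def report(self, connector, when, state):
        if state not in ("up", "down"):
            raise ValueError("state must be 'up' or 'down'")
        self.reports[connector].append((when, state))

    def flaps(self, connector, now):
        """Number of up/down transitions reported inside the window ending at now."""
        recent = [s for t, s in self.reports[connector]
                  if now - self.window <= t <= now]
        return sum(1 for a, b in zip(recent, recent[1:]) if a != b)

    def advertised_state(self, connector, now, has_alternate_path):
        queue = self.reports[connector]
        if not queue:
            return "up"
        # Rule 1: with no alternate path, never mark the link unavailable;
        # mail is queued until the route returns.
        if not has_alternate_path:
            return "up"
        # Rule 2: conflicting changes in the interval mean an oscillating
        # connection, which stays advertised as available.
        if self.flaps(connector, now) >= self.flap_limit:
            return "up"
        return queue[-1][1]


# Constructed sample reports: (connector, seconds, state)
SAMPLE = [("flappy", 0, "up"), ("flappy", 60, "down"), ("flappy", 120, "up"),
          ("flappy", 180, "down"), ("steady", 0, "up"), ("steady", 100, "down")]


def load_sample():
    q = LinkStateQueue()
    for connector, when, state in SAMPLE:
        q.report(connector, when, state)
    return q
```
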

User Updates
User updates consist of minimal changes such as when the routing group master has changed, when services have been started or stopped on an Exchange server, when another server has been added to the routing group, or when a member server loses connectivity to the routing group master.

Routing Topology Update Communications


How Exchange communicates routing information differs depending on whether it is processing an inter-routing group update or an intra-routing group update. This section discusses how specific communication update processes work in several routing topology scenarios, as follows:

- Directory updates to routing group masters: Single Exchange server, single domain controller
- Routing group master updates to routing group members: Two Exchange servers (same routing group), one domain controller
- Inter-routing group updates: Three Exchange servers (two in one routing group, one in another routing group), one domain controller

Note: Network captures that illustrate the concepts in practice are provided to give a thorough understanding of the communication update process. All of the captures were taken with the Network Monitor tool (Netmon.exe) that is provided with Microsoft Windows Server™ 2003.

Directory Updates to Routing Group Masters


The routing group masters receive major updates from a domain controller by means of the Microsoft Active Directory® directory service change notification process. Specifically, Exchange relies on its configuration domain controller for directory update information, which is labeled as Config on a server's properties DS Access tab in Exchange System Manager. The change notification process begins when the client or workstation on which a new connector or another routing change has been made by using Exchange System Manager contacts the domain controller with a request to add this new connector to Active Directory. The domain controller communicates to the workstation that the addition was successful. The domain controller then notifies the Exchange server that is the routing master of this new connector and sends information about this connector through a series of communications. The following network captures illustrate this process.

The following figure shows an excerpt from a network capture involving a Windows 2000 domain controller where a new connector has been added to a routing group (Exchange 2000). Note frame 147, which shows "AddRequest".

A Windows 2000 domain controller where a new connector has been added to a routing group


This figure shows the client (Workstation) requesting that the domain controller (DC) add a new SMTP connector to the directory. Frame 148 shows the domain controller signaling the successful completion of this addition. Immediately following in frame 149 (see the following figure), the domain controller sends a "SearchResponse" to the Exchange server that notifies Exchange of the new connector. The domain controller automatically performs this seemingly unsolicited action because the Exchange server has previously signed up for change notification, as all Exchange 2000 and Exchange 2003 servers do. This illustrates the change notification process at work. Within frame 149, the domain controller is only informing Exchange of the name and distinguished name of the new connector.

The domain controller sends a "SearchResponse" message to the Exchange server that notifies Exchange of the new connector

In frames 150 and 151, the domain controller sends more information regarding this addition to both the workstation on which this connector was added and the Exchange server. The following figure illustrates Frame 151 (sent to Exchange). In addition to the name of the object and the distinguishedname, the objectGUID, cn, and objectClass attributes are now included.

The domain controller sends more information regarding this addition to both the workstation on which this connector was added and the Exchange server

After the domain controller sends this information, the workstation queries the domain controller for the full list of attributes regarding the new connector. In frame 176 (see the following figure), Exchange initiates queries regarding its routing group. Whenever a change notification has been received by the Exchange server, it initiates these actions. In particular, it begins by querying for the distinguished name of the routing group GUID.

Exchange initiates queries regarding its routing group


After receiving the distinguished name of the routing group GUID, Exchange queries for all attributes of any child objects that this object may be a parent to and that are of the object type "msExchconnector". Note the "Single Level" scope of the search versus "Base object" search. This designation indicates that the search is for a child object. Frame 182 (see the following figure) shows this search request.

Search request for a child object

Frame 183 (see the following figure) indicates the partial response from the domain controller.

Partial response from the domain controller

Next, Exchange queries the domain controller and receives the following:

- The FQDN and GUID for any bridgehead server that is associated with the connector in question.
- A query for several attributes of the new connector. This query is based on the GUID of the connector, and it returns the result that is illustrated in the following figure.

Result of a query for attributes of a new connector


As shown in the following figure, the Exchange server sends a "ModifyRequest" message asking the domain controller to replace three attributes of the "legacy GWART" object within the administrative group: GatewayRoutingTree, GWARTLastModified, and ridServer.

Request from the Exchange server to the domain controller to replace three attributes of the "legacy GWART" object

The domain controller responds with a "ModifyResponse" message of success, and the Exchange server continues its query process for various objects within its administrative group. The entire process that is described in this section shows how domain controllers communicate major topology updates to routing group masters. Following this update, the routing group master must now communicate the information to its member servers. The following section explains how the routing group master communicates this information to its routing group members.

Routing Group Master Updates to Routing Group Members


When the routing group master is informed of an update, it overwrites the link state information that it contains in memory (the OrgInfo packet) with the new information, creating a new MD5 hash based on this information. The routing group master then propagates the new OrgInfo packet to client nodes on the same computer and to subordinate services nodes or routing group members within the routing group. The routing group master communicates with the routing group over TCP port 691.


The following figure illustrates communication occurring on either source or destination port 691. The example illustrates a new connector's addition to a routing group containing two servers.

Routing group master propagates update information to routing group members

Frame 115 is the "SearchResponse" that a domain controller sends to the routing group master that is registered for change notification. Immediately after receiving this information, the routing group master sends the entire OrgInfo packet to the routing group member, as shown in Frame 116 (Figure 15.11). The characters before the first parenthesis in this packet represent the MD5 hash of the OrgInfo packet, which servers use to determine if they have the most up-to-date information. Because the MD5 hash that it received is different than the hash in memory, the routing group member also processes the OrgInfo packet. After making the appropriate changes to its link state table in memory, the routing group member sends a short reply to the routing group master, followed in the next frame by its newly revised OrgInfo packet, now also referencing the newer MD5 hash that the routing group master sent earlier. The following figure shows the initial reply.

Initial reply from routing group member to routing group master

The OrgInfo reply from the routing group member containing the now up-to-date OrgInfo packet is sent next to the routing group master (see the following figure).

OrgInfo reply from the routing group member

The routing group master processes this information and sends a short acknowledgement to the routing group member.

This process occurs between all routing group members and the routing group master within the particular routing group. Another process, known as polling, ensures that all routing group members have the most up-to-date information from the routing group master.


Polling
Polling is the process of a routing group member querying the routing group master for up-to-date routing information. The following figure illustrates the routing group member polling the routing group master every 5 minutes. Note the time that is associated with each frame (the capture was saved as filtered for communications only over port 691; therefore, the frame numbers that are listed do not reflect the original frame numbers).

Routing group member polling the routing group master

Each two-frame exchange includes the text "Simple_Poll" from the routing group member, and a response from the routing group master. Frame 1 shows the query (see the following figure).

Query from routing group member to routing group master

Frame 2 shows the response (see the following figure).

Response from routing group master to routing group member

In addition to updating the local routing group, the routing group master must update the remaining members of the Exchange organization. The Exchange SMTP service accomplishes inter-routing group updates.

How Updates Are Communicated in an SMTP Conversation


Routing and link state update communications are part of the Exchange Server 2003 and Exchange 2000 SMTP service. The Exchange SMTP service compares the versions of the OrgInfo packet on each server during every SMTP session between two servers. Whether this is an intra-routing group or an inter-routing group has no effect on this process. The process works in the following way:

1. Server 1 initiates the TCP session and contacts Server 2 using SMTP. Server 2 sends a "220 Ready" response to Server 1.
2. Server 1 sends the EHLO command.
3. Server 2 answers with "250" and a list of its implemented ESMTP commands.
4. Server 1 responds with "X-EXPS GSSAPI" signaling it wants to authenticate by means of the GSSAPI.
5. Server 2 responds with "334 GSSAPI supported".
6. The next several frames involve the authentication between the two servers, ending with Server 2 responding "235 2.7.0 Authentication successful".
7. After this response, link state communications begin.
8. Server 1 sends the information shown in the following figure to Server 2:

Information sent from Server 1 to Server 2

The following information is contained in the information sent from Server 1:

- X-LINK2STATE indicates that this packet contains information pertaining to the organizational routing topology.
- LAST CHUNK indicates that this will be the last frame of link state communications within the current SMTP session. Other options for this command are:
- FIRST CHUNK Indicates that the link state information to follow is spread across several frames, with this frame being the first frame.
- NEXT CHUNK Indicates that the link state information to follow is spread across several frames, with this frame being neither the first nor the last frame.

9. Server 2 now compares its MD5 hash to the MD5 hash that Server 1 sent, and one of two actions occurs:

If the hashes are identical, Server 2 does not need to receive the complete OrgInfo packet from Server 1. Therefore, Server 2 sends a "DONE_RESPONSE" (see the following figure), and Server 1 sends the "MAIL FROM:" command and completes the process of sending the mail message.

"Done_Response" sent from Server 2 to Server 1


If Server 2 does not have the same hash as Server 1, Server 2 sends its entire OrgInfo packet to Server 1 in a process that is similar to the one in which Server 1 sent its information to Server 1. The next section describes this process in the context of inter-routing group updates.

Inter-Routing Group Updates


When a major or minor update occurs within a routing group, the local bridgehead servers that are connected to other routing groups propagate the update to their attached routing groups over SMTP on TCP port 25. Frames 485-487 (see the following figure) contain the complete OrgInfo packet that is being transmitted from the routing group master to the routing group member that is the local bridgehead server. Frame 488 shows the local bridgehead server's acknowledgement.

Transmission of OrgInfo packet from routing group master to routing group member that is the local bridgehead server

In Frames 489 and 490 (see the following figure), the local bridgehead server queries Active Directory for attributes of the default recipient policy, which is the only recipient policy that existed in the example environment.

Query from local bridgehead server to Active Directory

After having received the responses in Frames 491-494, Frame 495 (see the following figure) shows the local bridgehead server now performing a subtree search on the configuration container for any routing group of which it is a bridgehead (note the "LDAP: Filter Type").

Search by local bridgehead server for routing groups of which it is a bridgehead

After receiving the response, the local bridgehead server now starts to query DNS for the Exchange server in the remote routing group and sets up a TCP session with this remote bridgehead server. The local bridgehead server proceeds through the steps that were explained in "How Updates Are Communicated in an SMTP Conversation," earlier in this topic. The process is as follows:


1. When the servers compare MD5 hashes, the remote bridgehead server realizes it does not have the same hash as the local bridgehead server, and sends its entire OrgInfo packet to the local bridgehead server. Because this communication occurs by using SMTP, and the SMTP Request For Comments (RFCs) stipulate that any one SMTP data command may not exceed 1 KB in size, it is likely that the OrgInfo packet will be split into several frames. In this situation, the SMTP service uses the various CHUNK commands illustrated in the following figure.

Use of FIRST_CHUNK command

2. The local bridgehead server responds with "X-LINK2STATE MORE" (see the following figure).

Local bridgehead server response to remote bridgehead server

3. The remote bridgehead server sends the next portion of the OrgInfo packet (see the following figure). Note that it just signals "CHUNK":

Remote bridgehead server response to local bridgehead server

4. The remote bridgehead server again responds with "X-LINK2STATE MORE". This communication continues until the remote bridgehead server sends the last portion of the OrgInfo packet, which it signals by using the LAST_CHUNK command (see the following figure).

Remote bridgehead server signals by using the LAST_CHUNK command that it is sending the last portion of the OrgInfo packet

5. After this communication process is complete, the remote and local bridgehead servers reverse roles. After its receipt of the LAST_CHUNK frame from the remote bridgehead server, the local bridgehead server immediately sends a FIRST_CHUNK frame (identifying the start of transmission of its OrgInfo packet) to the remote bridgehead server.

6. After completing the identical process in exchanging the OrgInfo information, the remote bridgehead server responds with a "200 Done" command (see the following figure) after it receives the LAST_CHUNK command.

Remote bridgehead server signals that it has received the OrgInfo packet in its entirety

7. The local bridgehead server now issues the "Quit" command, and the remote bridgehead server acknowledges its receipt by closing the SMTP transmission channel.
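The hash comparison from "How Updates Are Communicated in an SMTP Conversation" and the chunked exchange above can be modelled end to end as follows. This is an added example, not Exchange code or the real wire format: the JSON table layout, the "digest=" field, the function names and the rule that the higher major/minor/user version wins are assumptions; the verbs, the 1 KB limit and the rule that a master ignores remote claims about its own routing group come from the guide.

```python
import hashlib
import json

MAX_CHUNK = 1024  # the guide: one SMTP data command may not exceed 1 KB


def encode(table):
    """Serialize {routing_group: [major, minor, user]} deterministically (constructed format)."""
    return json.dumps(table, sort_keys=True).encode()


def digest(table):
    """MD5 over the serialized table, standing in for the OrgInfo version signature."""
    return hashlib.md5(encode(table)).hexdigest()


def to_chunks(data, size=MAX_CHUNK):
    """Split data and label each piece; a single piece is sent as LAST CHUNK."""
    pieces = [data[i:i + size] for i in range(0, len(data), size)] or [b""]
    out = []
    for i, piece in enumerate(pieces):
        if i == len(pieces) - 1:
            verb = "LAST CHUNK"
        elif i == 0:
            verb = "FIRST CHUNK"
        else:
            verb = "NEXT CHUNK"
        out.append((verb, piece))
    return out


class ChunkReceiver:
    """Reassembles one transfer and rejects out-of-order or oversized chunks."""

    def __init__(self, size=MAX_CHUNK):
        self.size, self.buf = size, bytearray()
        self.started = self.done = False

    def feed(self, verb, payload):
        """Return True once LAST CHUNK has been accepted."""
        if self.done:
            raise ValueError("chunk after LAST CHUNK")
        if len(payload) > self.size:
            raise ValueError("chunk exceeds size limit")
        if verb == "FIRST CHUNK" and self.started:
            raise ValueError("duplicate FIRST CHUNK")
        if verb == "NEXT CHUNK" and not self.started:
            raise ValueError("NEXT CHUNK before FIRST CHUNK")
        if verb not in ("FIRST CHUNK", "NEXT CHUNK", "LAST CHUNK"):
            raise ValueError("unknown verb")
        self.started = True
        self.buf += payload
        self.done = verb == "LAST CHUNK"
        return self.done


def merge(own, received, own_group):
    """Adopt newer versions, but never accept remote claims about our own routing group."""
    merged = {g: list(v) for g, v in own.items()}
    for group, version in received.items():
        if group == own_group:
            continue
        if group not in merged or tuple(version) > tuple(merged[group]):
            merged[group] = list(version)
    return merged


def transfer(sender, receiver, table, log, size):
    """Send one table in chunks; the receiver answers MORE until LAST CHUNK."""
    rx = ChunkReceiver(size)
    for verb, payload in to_chunks(encode(table), size):
        log.append(f"{sender}: X-LINK2STATE {verb} ({len(payload)} bytes)")
        if not rx.feed(verb, payload):
            log.append(f"{receiver}: X-LINK2STATE MORE")
    return json.loads(bytes(rx.buf))


def session(local, local_group, remote, remote_group, size=MAX_CHUNK):
    """Return (transcript, local_table_after, remote_table_after)."""
    log = [f"local: X-LINK2STATE LAST CHUNK digest={digest(local)}"]
    if digest(remote) == digest(local):
        log.append("remote: DONE_RESPONSE")
        return log, local, remote
    from_remote = transfer("remote", "local", remote, log, size)
    from_local = transfer("local", "remote", local, log, size)
    log.append("remote: 200 Done")
    return (log, merge(local, from_remote, local_group),
            merge(remote, from_local, remote_group))
```
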

SMTP Commands and Definitions


This topic contains reference material about the following topics:

- Simple Mail Transfer Protocol (SMTP) commands
- Internal SMTP transport mechanisms
- SMTP event sinks
- Ports that are commonly used by Microsoft® Exchange

SMTP Commands
The following table lists the SMTP commands that are provided by the Microsoft Windows® SMTP service (SMTPSVC).

SMTP commands

SMTP command | Command function
HELO | Sent by a client to identify itself, usually with a domain name.
EHLO | Enables the server to identify its support for Extended Simple Mail Transfer Protocol (ESMTP) commands.
MAIL FROM | Identifies the sender of the message; used in the form MAIL FROM:.
RCPT TO | Identifies the message recipients; used in the form RCPT TO:.
TURN | Allows the client and server to switch roles and send mail in the reverse direction without having to establish a new connection.
ATRN | The ATRN (Authenticated TURN) command optionally takes one or more domains as a parameter. The ATRN command must be rejected if the session has not been authenticated.
SIZE | Provides a mechanism by which the SMTP server can indicate the maximum size message supported. Compliant servers must provide size extensions to indicate the maximum size message that can be accepted. Clients should not send messages that are larger than the size indicated by the server.
ETRN | An extension of SMTP. ETRN is sent by an SMTP server to request that another server send any e-mail messages that it has.
PIPELINING | Provides the ability to send a stream of commands without waiting for a response after each command.
CHUNKING | An ESMTP command that replaces the DATA command. So that the SMTP host does not have to continuously scan for the end of the data, this command sends a BDAT command with an argument that contains the total number of bytes in a message. The receiving server counts the bytes in the message and, when the message size equals the value sent by the BDAT command, the server assumes it has received all of the message data.
DATA | Sent by a client to initiate the transfer of message content.
DSN | An ESMTP command that enables delivery status notifications.
RSET | Nullifies the entire message transaction and resets the buffer.
VRFY | Verifies that a mailbox is available for message delivery; for example, vrfy ted verifies that a mailbox for Ted resides on the local server. This command is off by default in Exchange implementations.
HELP | Returns a list of commands that are supported by the SMTP service.
QUIT | Terminates the session.

The following table lists the extended SMTP commands that Exchange makes available to the SMTP service.

Extended SMTP commands

Extended SMTP command | Command function
X-EXPS GSSAPI | A method that is used by Microsoft Exchange Server 2003 and Exchange 2000 Server servers to authenticate.
X-EXPS=LOGIN | A method that is used by Exchange 2000 and Exchange 2003 servers to authenticate.
X-EXCH50 | Provides the ability to propagate message properties during server-to-server communication.
X-LINK2STATE | Adds support for link state routing in Exchange.

Event Sinks
You can use event sinks to extend and modify the behavior of the Microsoft Windows 2000 Server and Windows Server™ 2003 SMTP service. Exchange 2003 requires the Windows 2000 or Windows Server 2003 SMTP service to function because most of the transport functionality in Exchange 2003 is accomplished with this architecture. Therefore, after you reinstall Internet Information Services (IIS) or the Windows 2000 or Windows Server 2003 SMTP service, you must also reinstall Exchange.

An SMTP service event is the occurrence of some activity within the SMTP service, such as the transmission or arrival of an SMTP command or the submission of a message into the SMTP service transport component. When a particular event occurs, the SMTP service uses an event dispatcher to notify registered event sinks of the event. When notifying event sinks, the SMTP service passes information to the sink in the form of Component Object Model (COM) object references. The two general categories of SMTP service events are:

Protocol Events

Protocol events occur when SMTP commands are either received or transmitted over the network. These events occur when:

- A client SMTP service or mail user agent uses SMTP to transmit messages for delivery to the local service.
- The SMTP service relays messages to other SMTP services.

Transport Events

Transport events occur when the SMTP service receives a message, and that message passes through the SMTP core transport. During the passage through the transport, the message is categorized (examined and placed into categories), and then either delivered to a local storage location or, if it is not local, relayed to another destination.

The default Windows 2000 and Windows Server 2003 protocol and transport events are only accessible by writing Component Object Model (COM) objects in Microsoft Visual C++®. These events are fast, require no extra processing, and offer access to the lowest-level message properties; however, these events are more complex to write. For smaller jobs that do not require high performance, you can use the CDO_OnArrival event, which you can write using Microsoft Visual Basic® Scripting Edition (VBScript). For more information about writing one of these event sinks, download the Platform SDK, or see the MSDN® developer program article Microsoft Windows 2000 SMTP Service Events.

Common Ports Used by Exchange


The following table lists the ports commonly used by Exchange. For more information about which ports need to be opened internally or externally, see Using Microsoft Exchange 2000 Front-End Servers.

Ports used by Exchange

Protocol | Port | Description
SMTP | TCP: 25 | The SMTP service uses TCP port 25.
DNS | TCP/UDP: 53 | DNS listens on port 53. Domain controllers use this port.
LSA | TCP: 691 | The Microsoft Exchange Routing Engine service (RESvc) listens for routing link state information on this port.
LDAP | TCP/UDP: 389 | Lightweight directory access protocol (LDAP) used by Microsoft Active Directory® directory service, Active Directory Connector, and the Microsoft Exchange Server 5.5 directory use this port.
LDAP/SSL | TCP/UDP: 636 | LDAP over Secure Sockets Layer (SSL) uses this port.
LDAP | TCP/UDP: 379 | The Site Replication Service (SRS) uses this port.
LDAP | TCP/UDP: 390 | This is the recommended alternate port to configure the Exchange Server 5.5 LDAP protocol when Exchange Server 5.5 is running on an Active Directory domain controller.
LDAP | TCP: 3268 | Global catalog. The Windows 2000 and Windows Server 2003 Active Directory global catalog (a domain controller "role") listens on TCP port 3268.
LDAP/SSL | TCP: 3269 | Global catalog over SSL. Applications that connect to TCP port 3269 of a global catalog server can transmit and receive SSL encrypted data.
IMAP4 | TCP: 143 | Internet Message Access Protocol (IMAP) uses this port.
IMAP4/SSL | TCP: 993 | IMAP4 over SSL uses this port.
POP3 | TCP: 110 | Post Office Protocol version 3 (POP3) uses this port.
POP3/SSL | TCP: 995 | POP3 over SSL uses this port.
NNTP | TCP: 119 | Network News Transfer Protocol (NNTP) uses this port.
NNTP/SSL | TCP: 563 | NNTP over SSL uses this port.
HTTP | TCP: 80 | HTTP uses this port.
HTTP/SSL | TCP: 443 | HTTP over SSL uses this port.

Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2006 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Active Directory, ActiveSync, ActiveX, Entourage, Excel, FrontPage, Hotmail, JScript, Microsoft Press, MSDN, MSN, Outlook, SharePoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows Mobile, Windows NT, and Windows Server System are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
