Tuesday, May 29, 2007

"Good bye RUS" we won't miss you forever

I have just finished some small projects installing Exchange 2007 servers into existing Exchange 2003 environments. Implementing Exchange 2007 is fairly simple and fun. It is a lot different for Exchange administrators, and somehow I see the challenge on the administrators' faces. Users look to me to be very happy with the new OWA 2007. It is absolutely stunning. Users seem to like the new OWA and Outlook 2007.

Microsoft Exchange Server 2007 does not support an in-place upgrade from any earlier version of Exchange. The Exchange organization must be operating in native mode before you can start introducing any Exchange 2007 servers into the environment. This means that only Exchange Server 2003 and Exchange 2000 Server servers can exist in the organization. If your organization includes Exchange Server version 5.5, you must perform an upgrade to Exchange Server 2003 or Exchange 2000 Server before moving to Exchange 2007. To move messaging services and data from Exchange Server 2003 or Exchange 2000 Server to Exchange 2007, you must use the move mailbox functionality in Exchange 2007.

Taken from the Exchange 2007 resources (click on Help). I also enabled a web site on one of the servers, accessible to everyone, for quick shell reference.

Moving mailboxes from Exchange 2003 to 2007 is a very easy task. While we were moving mailboxes we had an issue with the RUS not stamping the Exchange 2003 server. Rather than taking the time to go through all those troubleshooting steps, we ended up creating the users on Exchange 2007 and moving them back to Exchange 2003.

If you have not read the article "Good bye RUS", here it is. The key change is that in Exchange 2007 the subservice is removed; recipients are fully provisioned as they are created.

The text below is taken from the article "Good bye RUS" we won't miss you forever. (- :

Why remove the RUS

The RUS has always been a bit of a black box for administrators. When it works, it's great. But if it ever stops working as expected, it is quite difficult to figure out what's wrong. Worse, since the subservice processes recipients asynchronously, it is difficult to determine whether the subservice is "not working", or simply "working slowly".

The advantage of bringing the stamping of recipient objects into the Cmdlets as a synchronous operation extends beyond troubleshooting, however. Even in the case where the RUS is working as expected, moving this functionality into a synchronous cmdlet execution allows for "instant on" recipient provisioning and faster service.

With Exchange 2007, you can immediately use a mailbox once the mailbox is created. No need to wait 5 minutes for the RUS to stamp the object!

Best regards

Oz ozugurlu

Exchange 2007 Resources

There are not many books available out there for Exchange 2007 yet. The good part is that Microsoft has everything out there waiting for you to download. I am listing all these free downloads below. These Microsoft white papers are great and have tons of good information in them. I recommend you all download these and start reading them (TechNet). These downloads are also available on the Microsoft site.


Exchange 2007 downloads links


Release notes for Exchange Server 2007

The Microsoft Exchange Server 2007 Release Notes contain late breaking information for Exchange Server 2007.

Microsoft Exchange Server 2007 Help

Exchange Server 2007 Help can help you in the day-to-day administration of Exchange. Use this information to guide you through Exchange Server 2007 features, tasks, and administration procedures.

Deploying a Standard Exchange Server 2007 Organization

Of the four defined organizational models for Exchange 2007 (simple, standard, large, and complex), the standard Exchange organization represents the most common topology into which Exchange 2007 is deployed. This document provides descriptions and overviews of features, guidelines for planning, and steps for deploying a standard Exchange 2007 organization.

Deploying a Simple Exchange Server 2007 Organization

The simple Exchange organization represents the most basic topology into which Exchange 2007 can be deployed. This document provides descriptions and overviews of features, guidelines for planning, and steps for deploying a simple Exchange 2007 organization.

Deploying a Large Exchange Server 2007 Organization

The large Exchange organization is the largest organization model that can be deployed in a single Active Directory directory service forest environment. This document provides descriptions and overviews of features, guidelines for planning, and steps for deploying a large Exchange 2007 organization.

Deploying a Complex Exchange Server 2007 Organization

As its name implies, a complex Exchange organization represents the most intricate topology into which Exchange 2007 is deployed. The complex Exchange organization is the only model that includes multiple Active Directory and directory service forests or the use of synchronization technology. This document provides descriptions and overviews of features, guidelines for planning, and steps for deploying a complex Exchange Server 2007 organization.

Managing Transport in Exchange Server 2007

This guide documents the message transport components of a computer that runs Exchange 2007 and has the Hub Transport server role or the Edge Transport server role installed. It provides overviews of the transport components and the tasks you must perform to manage and configure them.

Configuring Permissions in Exchange Server 2007

This document helps you to plan, implement, and manage the permissions model in your Exchange 2007 organization.

Operations Management and Monitoring of an Exchange Server 2007 Organization

This document provides information, including checklists for daily, weekly, and monthly tasks, related to operations management of an Exchange Server 2007 organization. In addition, guidance is provided for using Microsoft Operations Manager 2005 Service Pack 1 to monitor an Exchange organization.

Managing Mailbox Features in Exchange Server 2007

The purpose of this document is to help you manage and configure Microsoft Exchange Server 2007 Mailbox servers. The information and procedures in this document focus specifically on the mailbox features of an Exchange 2007 computer that has the Mailbox server role installed.

Technical Architecture of Exchange Server 2007

This document discusses the technical architecture of Exchange Server 2007, including descriptions of server roles, topologies, and the transport architecture.

Exchange Server 2007 Planning

This document provides guidance on planning for the supported Exchange 2007 organization models. Information is also provided to help plan for the use of the Active Directory directory service and Exchange 2007 server roles. A planning checklist is included.


Best regards

Oz ozugurlu



Saturday, May 26, 2007

Subnetting and Network Assessment for a Small Office

Here is another situation. We are hired as network consultants to SMTP25.org. This company has point-to-point network connections as illustrated in the Visio diagram. Clients are complaining about not being able to open their files from their workstations. The client is using roaming profiles, even though the users don't travel, except for 100 remote users. Exchange is very slow and users get kicked out of Exchange frequently every day. Come up with a good plan and don't worry about the budget. Tell me what is wrong with the existing network, and tell me how you are going to fix the existing issues.

Network A

  • What is Network IP address
  • What is Default Gateway IP address
  • First usable IP address
  • Last usable IP address
  • Broadcast IP address
  • Create DHCP Scope
  • Reserve IP addresses for servers (how many servers?)
  • How many Exchange servers?
  • How many DC?

Network B

  • What is Network IP address
  • What is Default Gateway IP address
  • First usable IP address
  • Last usable IP address
  • Broadcast IP address
  • Create DHCP Scope
  • Reserve IP addresses for servers (how many servers?)
  • How many Exchange servers?
  • How many DC?

Network C

  • What is Network IP address
  • What is Default Gateway IP address
  • First usable IP address
  • Last usable IP address
  • Broadcast IP address
  • Create DHCP Scope
  • Reserve IP addresses for servers (how many servers?)
  • How many Exchange servers?
  • How many DC?


Total users: 1200

Network A = 300 users

Network B = 500 users

Network C= 300 user

Remote users =100 users

The given host IP address has a /20 mask; locating this host in one of the networks will let you derive the IP addresses for all the networks.

Users are complaining that the network is very slow. The company has two servers: one DC and one Exchange server. The DC holds DNS, DHCP and all the FSMO roles; the Exchange server is also the file server, backup server and antivirus server. Design the best network for the SMTP25 company. Make users happy. Think about server performance. Come up with a plan and tell me how many servers I need and where I should place them. I need a complete network setup from the ground up. I need you to design the Exchange infrastructure and tell me which version of Exchange I need in this company. Make the design as simple as it can be and think about future growth. Finally, subnet this network please and assign IP addresses for each server, the DHCP scope and so forth.
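As an added worked example, not part of the original post, here is the per-network checklist above computed in Python for a host address with a /20 mask, followed by a VLSM split of that block into one subnet per location sized from the user counts. The page does not show the host address from the Visio diagram, so 10.20.35.77/20 is a constructed placeholder; the gateway-as-first-usable convention, the ten reserved server addresses per network and the 2x growth headroom are my assumptions, not figures from the exercise.

```python
import ipaddress

# Constructed placeholder: the exercise gives a host address with a /20 mask,
# but the real address is in the Visio diagram, not on the page.
EXAMPLE_HOST = "10.20.35.77/20"

# User counts from the exercise.
DEMANDS = {"Network A": 300, "Network B": 500, "Network C": 300, "Remote users": 100}


def describe_network(cidr, reserved_for_servers=10):
    """Answer the per-network checklist for the network that `cidr` belongs to.

    Conventions assumed here (not stated on the page): the default gateway is the
    first usable address, the next `reserved_for_servers` addresses are kept out
    of DHCP for servers (DC, Exchange, ...), and the DHCP scope is everything else.
    """
    net = ipaddress.ip_interface(cidr).network
    first = net.network_address + 1
    last = net.broadcast_address - 1
    gateway = first
    reserved_start, reserved_end = gateway + 1, gateway + reserved_for_servers
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "gateway": str(gateway),
        "first_usable": str(first),
        "last_usable": str(last),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,
        "server_reservation": (str(reserved_start), str(reserved_end)),
        "dhcp_scope": (str(reserved_end + 1), str(last)),
    }


def prefix_for(usable_needed):
    """Smallest block (largest prefix length) with at least `usable_needed` hosts."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= usable_needed:
            return prefix
    raise ValueError("more hosts than IPv4 allows")


def plan_subnets(parent_cidr, demands, growth=2.0, reserved_for_servers=10):
    """Carve the parent block into one subnet per location (VLSM).

    Sizing: users * growth headroom + server reservations + gateway. Allocating
    the largest subnets first keeps every block naturally aligned.
    """
    parent = ipaddress.ip_network(parent_cidr, strict=False)
    cursor = int(parent.network_address)
    plan = []
    for name, users in sorted(demands.items(), key=lambda kv: kv[1], reverse=True):
        needed = int(users * growth) + reserved_for_servers + 1
        subnet = ipaddress.ip_network((cursor, prefix_for(needed)))
        if not subnet.subnet_of(parent):
            raise ValueError(f"{name} does not fit inside {parent}")
        plan.append((name, describe_network(str(subnet), reserved_for_servers)))
        cursor += subnet.num_addresses
    return plan


if __name__ == "__main__":
    whole = describe_network(EXAMPLE_HOST)
    print(f"Whole block: {whole['network']}/{whole['prefix']} "
          f"({whole['usable_hosts']} usable, broadcast {whole['broadcast']})")
    for name, info in plan_subnets(EXAMPLE_HOST, DEMANDS):
        print(f"{name:13} {info['network']}/{info['prefix']:<3} gw {info['gateway']:<13} "
              f"servers {info['server_reservation'][0]}-{info['server_reservation'][1]} "
              f"DHCP {info['dhcp_scope'][0]}-{info['dhcp_scope'][1]} bcast {info['broadcast']}")
```

With the placeholder address the /20 is 10.20.32.0/20 (4094 usable hosts); Network B gets a /22, Networks A and C a /22 each, and the remote users a /24, leaving 10.20.45.0 through 10.20.47.255 free for growth.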

Thanks everyone for their contributions

Best regards

Oz ozugurlu

Wednesday, May 23, 2007

A lot of spam targeted at my Exchange server

I have seen more often these days people asking how to stop spammers, or how to make Exchange a little bit stronger at defending itself in this endless spam war. Receiving blank messages or spam wastes a business's valuable time and resources, and on top of that we have to deal with angry managers and unhappy users. I have decided to put some notes together for those who need guidance in making Exchange a little bit more secure and strong. I have already mentioned Exchange 2007, the new role-based administration model, and how strong 64-bit Exchange is in several previous posts; read them here, you will learn a lot and hopefully move to Exchange 2007 as soon as possible. Especially read and do research about the Edge Transport server and Exchange Forefront technologies.

Goals and objectives are listed below.

  • Use IMF (Microsoft Intelligent Message Filter); it is FREE.
  • Use antivirus and anti-spam software with your Exchange server. I am a little biased and like Trend Micro in this matter; Trend is doing a great job. If you are a corporation you may want to implement a hardware solution: IronPort, Barracuda, etc.
  • Enable sender filtering.
  • Enable "Filter messages with blank senders".
  • Enable "Drop connection if address matches filter".
  • Add your own domain (the whole domain) to the block list. I know this will sound weird (- : It won't cause any mail interruption, even though it sounds like it; basically it stops someone spoofing a valid address from your company and sending a message back into your authoritative SMTP domain, making it look like it came from inside.
  • Make sure you do not have applications within your network that this would break: applications that relay through the Exchange server to send inbound or outbound e-mail (payroll, application servers, etc.). They sit outside your SMTP domain and send mail back to your SMTP domain using an internal SMTP address, even though they are not authoritative for your SMTP domain.
  • Enable recipient filtering.
  • Enable "Filter recipients who are not in the Directory".
  • Regularly add spammers to the block list, either as a whole domain (@spammer.com) or as a single e-mail address (spammer@spam.com).
  • Download the Exchange tools and run them against your server again to make sure it is secure and healthy and that you followed Microsoft best practices.
  • Go for Exchange 2007 if possible. It is much stronger and more secure than any other version of Exchange; you can eliminate third-party spam solutions and even save $$$$$$ for your company while bringing a state-of-the-art messaging system into your organization and lowering the TCO.
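To show how the filtering items in the checklist interact, here is an added Python model of those rules applied to inbound SMTP envelopes. It is not Exchange code and not from the post: the company domain smtp25.org is the one the blog uses as its example company, while the directory entries, block-list entries, the trusted application server address and the sample envelopes are all constructed. It demonstrates the two points practitioners most often get wrong: blocking your own domain only bites connections from outside, so internal relaying applications need an exemption, and blank-sender blocking also drops legitimate delivery status notifications, which use the empty reverse path.

```python
# Constructed model of the Exchange 2003 sender/recipient filtering rules in
# the checklist above. Not Exchange code; every address here is made up.

AUTHORITATIVE_DOMAIN = "smtp25.org"                     # our own SMTP domain
DIRECTORY = {"oz@smtp25.org", "helpdesk@smtp25.org"}    # valid recipients
BLOCKED_SENDERS = {"spammer@spam.example"}              # single addresses on the block list
BLOCKED_DOMAINS = {"badactor.example", AUTHORITATIVE_DOMAIN}  # whole domains, own domain included
# Application servers (payroll etc.) that legitimately relay through Exchange
# with an @smtp25.org sender: the checklist's caveat. Exempted by source IP.
INTERNAL_RELAY_HOSTS = {"192.0.2.50"}


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def evaluate(envelope):
    """Return (verdict, reason) for one inbound SMTP envelope.

    'drop'   = connection dropped at MAIL FROM ("Drop connection if address matches filter")
    'reject' = recipient refused at RCPT TO ("Filter recipients who are not in the Directory")
    'accept' = passed both filters. Checks run in SMTP command order.
    """
    ip = envelope["client_ip"]
    sender = envelope["mail_from"].strip().lower()
    rcpt = envelope["rcpt_to"].strip().lower()

    # "Filter messages with blank senders". Delivery status notifications
    # (bounces) also use the empty reverse path, so this drops those too.
    if sender == "":
        return "drop", "blank sender"

    domain = sender_domain(sender)
    trusted_internal = domain == AUTHORITATIVE_DOMAIN and ip in INTERNAL_RELAY_HOSTS
    if not trusted_internal:
        if sender in BLOCKED_SENDERS:
            return "drop", f"sender on block list: {sender}"
        if domain == AUTHORITATIVE_DOMAIN:
            return "drop", "own domain spoofed from outside"
        if domain in BLOCKED_DOMAINS:
            return "drop", f"sender domain on block list: {domain}"

    if rcpt not in DIRECTORY:
        return "reject", f"recipient not in directory: {rcpt}"
    return "accept", "ok"


# Constructed sample envelopes, one per rule in the checklist.
SAMPLES = [
    {"client_ip": "203.0.113.9", "mail_from": "", "rcpt_to": "oz@smtp25.org"},
    {"client_ip": "203.0.113.9", "mail_from": "spammer@spam.example", "rcpt_to": "oz@smtp25.org"},
    {"client_ip": "203.0.113.9", "mail_from": "ceo@smtp25.org", "rcpt_to": "helpdesk@smtp25.org"},
    {"client_ip": "192.0.2.50", "mail_from": "payroll@smtp25.org", "rcpt_to": "oz@smtp25.org"},
    {"client_ip": "203.0.113.9", "mail_from": "partner@example.net", "rcpt_to": "nobody@smtp25.org"},
    {"client_ip": "203.0.113.9", "mail_from": "partner@example.net", "rcpt_to": "oz@smtp25.org"},
]


def run(samples=SAMPLES):
    """Verdict per sample, in order."""
    return [evaluate(env)[0] for env in samples]


if __name__ == "__main__":
    for env in SAMPLES:
        print(f"{env['client_ip']:13} {env['mail_from'] or '<>':24} -> "
              f"{env['rcpt_to']:22} {evaluate(env)}")
```

The third sample is the case the checklist is after: an outside connection claiming to be ceo@smtp25.org is dropped, while the fourth, the payroll server sending as @smtp25.org from its known internal address, is allowed through.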

We are almost done. A good Exchange administrator should check to make sure the spam software is getting updated, and that the file signatures are up to date. You don't want to wake up to your boss coming into the office and yelling at you: "What is going on? I am getting a lot of spam." Prepare good documentation of your own environment; make sure your e-mail queues are not growing fast. Turn on some of the basic maintenance alerts built into Exchange. Watch a lot of the Exchange 2003 and 2007 webcast/podcast series from TechNet.

Also visit Harold's blog site.

Best Regards

Oz Ozugurlu

Outlook is retrieving data from Exchange server

"Outlook is retrieving data from the Microsoft Exchange Server Server_Name": the Christmas balloon is not welcome for many Exchange administrators. We normally hate to see this message from a client's Outlook. I have seen this error so many times that I decided to put some good troubleshooting notes together. Understanding the mechanics behind how the Outlook application talks to the Exchange server is always a plus. Microsoft has a great explanation below; I am posting it as it is.

This error may occur in different environments for different reasons; most of the reasons are listed here. You need to be patient going through the troubleshooting process, and document what you have done.

I have seen a failed Exchange server public folder replication where referrals were bringing 5000 people down. As soon as I disabled the referrals, things went back to normal.

I have also seen this problem with VPN remote-user type clients. In these cases the user connects to the network from a remote office and opens Outlook within the VPN tunnel. The low bandwidth and two-way encryption make the Christmas balloon show up all the time. Connect to a client and figure out which Exchange server the client is connecting to. Issue a ping request back to the Exchange server; anything over 50 ms in the ping request indicates latency in the network. Upgrading the firmware on the local router might help the client experience. Checking the MTU size, or adjusting it from time to time, also helps with the Christmas balloon; increase the size of the ICMP packets by using the command below.

ping exc03 -l 1000 -t

Asking the client to call their ISP and get more bandwidth is always a good thing if you can. Remember the bottleneck can be Exchange related or the global catalog server, as explained below. I have included the basic counters below; go ahead and kick these off from Perfmon (Performance Monitor).

Click Start, type perfmon and hit Enter; I am including my nice-looking Vista one here to make you all jealous.

Hold the CTRL key and click on the Outlook icon in the lower right corner to get the Connection Status and see where Outlook is connecting.


In Outlook 2002 and Outlook 2003, when Outlook requests data from a Microsoft Exchange computer, Outlook calls a function that wraps the remote procedure call to the Exchange computer. This wrapper is the CancelableRPC wrapper. By default, this wrapper starts a timer and then issues the remote procedure call. The timer stops when a response is received. However, if the remote procedure call for data takes more than five seconds to return the data, the wrapper produces the "retrieving data" message. The dialog box that contains the message remains on the screen until the remote procedure call is answered or until the user clicks Cancel. If the action that the user performs in Outlook creates multiple remote procedure calls, the message could appear one time for each remote procedure call.

You receive this message as part of the standard interoperation of Outlook and Exchange. Even on the fastest network that has the best hardware and architecture, some remote procedure calls will take more than five seconds to obtain a response. This is a simple fact, and the appropriate expectations should be set with users. If the message appears only occasionally, no extensive troubleshooting is required. Trying to troubleshoot when the message appears only occasionally is not likely to be productive.

Remote procedure call is a sequential transport. When a remote procedure call is made, it must be answered, or the remote procedure call session must be restarted. This is different from a protocol like the Internet Protocol (IP) where packets can be received in any order and then reconstructed on the other side. This understanding is fundamental when you try to troubleshoot problems that are related to remote procedure calls that can be canceled from the dialog box or the balloon that contains the "receiving data" message.


If client-side troubleshooting and data gathering is required, the support engineer has to know the actions that users are performing when the "retrieving data" message is frequently displayed. For example, the following information is important:

  • Is the user browsing a public folder that is homed in another administrative group? Does the public folder not exist as a replica in the user's own site?
  • Is the user opening a meeting that has many attendees?
  • Is the user creating or updating a meeting and checking the free-busy status of the attendees?

Finally, analyze the Active Directory directory service architecture and the Exchange architecture in the environment. Be prepared to provide us with the answers to the following questions:

  • Are the global catalogs located on a local computer or on a remote computer?
  • Does the connectivity to the remote site involve passing through routers and firewalls?
  • Are there dedicated public folder servers?
  • Where are the system public folders homed?

Note any add-ins or Component Object Model (COM) add-ins that Outlook uses. To find these items, follow these steps: in Outlook, click Tools, click Options, click Other, and then click Advanced Options. In this window, click Add-in Manager and COM Add-ins. Note the contents of both windows. The following are the default items that are included with Exchange profiles:

  • Delegate Access
  • Deleted Item Recovery
  • Exchange Extensions Commands
  • Exchange Extensions property pages
  • Server Scripting (typically, this item is not selected)

In Outlook 2002, a feature was added that notifies users that the connection to the Microsoft Exchange computer is taking longer than expected because of network congestion or server availability. This connection can include connections to the user's mailbox, a free and busy server, or any other server that Outlook may need to communicate with to fulfill a request for information. When such a delay occurs, the following Cancel Request dialog box is displayed:

Outlook is retrieving data from the Microsoft Exchange Server Server_Name. You can cancel the request or minimize this message to the Windows taskbar until Outlook closes the message automatically.

The types of data that Outlook retrieves during this period include information in the user's mailbox, information in the user's public folders, free/busy information, and directory look-ups (check-name).

The server that Outlook queries for this information is either a

  • Microsoft Exchange Server
  • Global catalog server.

If the server name appears as a NetBIOS name, the data is being retrieved from an Exchange Server computer. If the server name appears as a fully qualified domain name (FQDN), the data is being retrieved from a global catalog server.

How to turn off third-party add-ins in Outlook

If your profile contains any third-party add-ins, such as antivirus software, BlackBerry software, or fax software, follow these steps:

  • On the Tools menu in Outlook, click Options.
  • Click the Other tab, and then click the Advanced Options button.
  • Click the Add-In Manager button.
  • Click to clear the check box for any third-party add-ins that may be selected.
  • Click OK three times.
  • Restart Outlook


Troubleshoot performance issues

To troubleshoot performance issues, gather data by using Performance Monitor. It is common to experience RPC latency when either an Exchange Server computer or a global catalog server is experiencing performance issues.

If the RPC dialog references an Exchange Server (NetBIOS name), configure Performance Monitor to monitor the following counters in real time:

Physical Disk (All Instances)

  • Avg Disk Sec/Read
  • Avg Disk Sec/Write
  • Current Disk Queue Length

MSExchangeIS

  • RPC Averaged Latency
  • RPC Requests
  • RPC Operations/Sec

Processor

  • %Processor Time

Database (Information Store Instance)

  • Log Record Stalls / sec

Note It is a good idea to run Performance Monitor from a remote workstation that has lots of free disk space.

Typically, it is a good idea for the RPC Requests counter to be lower than 10. If it is higher than 25, this is an indicator of a resource bottleneck. Only 100 requests can be handled at the same time. If the RPC Requests reach 100, the client will experience refused connections.

The RPC Averaged Latency counter displays the average time that it takes the server to respond to client requests. The value of the counter is typically less than 50 milliseconds in typical operations. If the value is consistently more than 50 milliseconds with Outlook 2002 or Outlook 2003 when most of the users are in Online Mode, this means that the Information Store is taking a long time to process user requests. If most Outlook 2003 users are in Cached Mode, this threshold increases to 100 milliseconds. Typically, if the Information Store is taking a long time, there is a disk bottleneck.

The recommended values for the Avg Disk Sec/Read counter and for the Avg Disk Sec/Write disk counter are as follows:

  • Good < 20 msec
  • Fair < 30 msec
  • Poor < 40 msec
  • Cache/Exec < 1 msec
  • Cache/Good < 2 msec
  • Cache/Fair < 4 msec


If the counters are greater than .050 seconds (50 msec), there is most likely a disk bottleneck.

Note It is not unusual to see brief spikes that are greater than .050, but if you are seeing counters greater than .050 for 30 to 60 seconds at a time, there probably is a problem.

To determine if there is a problem with the current disk queue length, see how frequently the value drops to zero. If the queue length drops to zero periodically, such as four times per minute, the queue is being cleared, and you probably do not have a disk bottleneck.

It is a good idea for the Log Record Stalls/sec counter to remain at 0. If you are seeing a high number of log stalls on an Exchange 2000 Server computer, change the value of the msExchESEParamLogBuffers property. For more information about changing the value of the msExchESEParamLogBuffers property, click the following article number to view the article in the Microsoft Knowledge Base:

328466 (http://support.microsoft.com/kb/328466/) ESE log buffers that are set too low can cause the Microsoft Exchange Information Store service to stop responding

If the Cancel Request dialog box references a global catalog server that has a fully qualified domain name (FQDN), configure Performance Monitor to monitor the % Processor Time counter on the global catalog server to make sure it is not too high. A value such as > 90 over a sustained period is too high. If the % Processor Time counter is high, you have an overloaded global catalog server. For additional information about using Performance Monitor, click the following article number to view the article in the Microsoft Knowledge Base:

811237 (http://support.microsoft.com/kb/811237/) How to capture performance data from a remote Windows 2000 computer using System Monitor
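As an added example, not from the Knowledge Base text or the post, here is a small Python checker that applies the thresholds above to Performance Monitor samples. The readings are constructed (one sample per second for 60 seconds), and the 30-second window used to decide that a value is "sustained" or "consistently" high is my choice, as is counting queue-length drops to zero per minute; the threshold numbers themselves are the article's.

```python
# Constructed Perfmon readings for the counters listed above (one sample per
# second, 60 s). Thresholds are the article's; the 30 s "sustained" window and
# the sample data are my choices.


def sustained(values, predicate, seconds):
    """True when `predicate` holds for at least `seconds` consecutive samples."""
    run = 0
    for v in values:
        run = run + 1 if predicate(v) else 0
        if run >= seconds:
            return True
    return False


def assess_exchange(counters, cached_mode_majority=False):
    """Apply the Exchange-side thresholds to a dict of counter name -> samples.

    Use this when the dialog names the Exchange server by NetBIOS name."""
    findings = []
    rpc_requests = counters["RPC Requests"]
    if max(rpc_requests) >= 100:
        findings.append("RPC Requests hit 100: clients will get refused connections")
    elif max(rpc_requests) > 25:
        findings.append("RPC Requests above 25: resource bottleneck")

    # 50 ms for Online Mode users, 100 ms when most Outlook 2003 users are cached.
    limit_ms = 100 if cached_mode_majority else 50
    if sustained(counters["RPC Averaged Latency"], lambda v: v > limit_ms, 30):
        findings.append(f"RPC Averaged Latency consistently above {limit_ms} ms: "
                        "Information Store slow to process requests")

    for name in ("Avg Disk Sec/Read", "Avg Disk Sec/Write"):
        # Brief spikes above .050 are normal; 30 s or more is a problem.
        if sustained(counters[name], lambda v: v > 0.050, 30):
            findings.append(f"{name} above 50 ms for 30 s or more: likely disk bottleneck")

    queue = counters["Current Disk Queue Length"]
    drops_to_zero = sum(1 for prev, cur in zip(queue, queue[1:]) if prev > 0 and cur == 0)
    minutes = max(len(queue) / 60, 1)
    if drops_to_zero / minutes < 4:
        findings.append("Current Disk Queue Length rarely drops to zero: queue is not clearing")

    if max(counters["Log Record Stalls/sec"]) > 0:
        findings.append("Log Record Stalls/sec above 0: check msExchESEParamLogBuffers (KB 328466)")
    return findings


def assess_global_catalog(processor_time):
    """An FQDN in the dialog means a global catalog: look at % Processor Time."""
    if sustained(processor_time, lambda v: v > 90, 30):
        return ["% Processor Time above 90 sustained: overloaded global catalog server"]
    return []


# Constructed sample sets.
HEALTHY = {
    "RPC Requests": [5] * 60,
    "RPC Averaged Latency": [20] * 60,
    "Avg Disk Sec/Read": [0.010] * 57 + [0.080] * 3,   # one brief spike only
    "Avg Disk Sec/Write": [0.012] * 60,
    "Current Disk Queue Length": [2, 2, 1, 0] * 15,    # clears 15 times a minute
    "Log Record Stalls/sec": [0] * 60,
}
BUSY = {
    "RPC Requests": [12] * 30 + [40] * 30,
    "RPC Averaged Latency": [30] * 10 + [75] * 50,
    "Avg Disk Sec/Read": [0.030] * 15 + [0.090] * 45,
    "Avg Disk Sec/Write": [0.020] * 60,
    "Current Disk Queue Length": [6] * 60,             # never drains
    "Log Record Stalls/sec": [0] * 50 + [2] * 10,
}

if __name__ == "__main__":
    for label, data in (("healthy", HEALTHY), ("busy", BUSY)):
        print(label, assess_exchange(data) or ["no findings"])
    print("gc", assess_global_catalog([95] * 60))
```

The same BUSY data assessed with cached_mode_majority=True loses the latency finding, because 75 ms is under the 100 ms threshold the article allows for Cached Mode users.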

Troubleshoot network issues

Use Network Monitor or another protocol sniffer to determine whether you are experiencing problems with your network.

Discussing how to configure and to use a protocol sniffer is outside the scope of this article. However, if you are already familiar with using such a utility, it is a good idea to reproduce the issue while you monitor traffic on both the client and the server at the same time. When you analyze the data, look for retransmits. A retransmit occurs when the client or the server has to send the same packet of information again, typically because the packets are being dropped between the client and the server. Therefore, when you analyze network captures, determine if the client request is actually getting to the server or if the server is responding but the response is lost before the client receives it.

Best Regards

Oz ozugurlu

Tuesday, May 22, 2007

Routing Topology in Exchange 2007 & no more Link State

Exchange 2007 is using Active Directory site Topology to determine how messages are transported in the organization. Exchange 2007 takes advantage of the existing Active Directory site topology to eliminate separate Exchange routing topology. The Active Directory IP site links and the costs associated with them are used to calculate the least cost route between Hub Transport servers in different Active Directory sites.

Each Active Directory site that contains one or more Exchange 2007 Mailbox servers must also have at least one Hub Transport server. The Hub Transport server uses the Active Directory Topology service to retrieve the Exchange organization's configuration information and computes an implicit intra-organizational Send connector that is used when transporting messages from site to site. This topology is only updated when configuration changes occur. The result is minimized traffic related to Exchange. 

By default, the Hub Transport server always tries a direct connection to a Hub Transport server in another Active Directory site. Messages in transport do not relay through each Hub Transport server in a site link path. However, Hub Transport servers in intermediate Active Directory sites along the routing path may perform message relay in the following scenarios:

  • Direct relay between Hub Transport servers will not occur when a hub site exists along the least cost routing path. You can configure an Active Directory site as a hub site so that messages are routed to the hub site to be processed before the messages are relayed to the target server. Hub sites are discussed later in this topic.
  • Exchange 2007 uses the routing path derived from IP site link information when communication to the destination Active Directory site fails. If no Hub Transport server in the destination Active Directory site responds, message delivery backs off along the least cost routing path until a connection is made to a Hub Transport server in an Active Directory site along the routing path. The messages are queued in that Active Directory site and the queue will be in a retry state. This behavior is called queue at point of failure.
  • The Hub Transport server can also use the IP site link information to optimize routing of messages that are sent to multiple recipients. The Hub Transport server delays bifurcation of messages until it reaches a fork in the routing paths to the recipients. The bifurcated message is relayed to each recipient destination by a Hub Transport server in the Active Directory site that represents the fork in the individual routing paths. This functionality is called delayed fan-out.


  • A Hub Transport server must be able to communicate directly with a global catalog server to perform Active Directory lookups.
  • Mailbox servers should be located in the same site as a Hub Transport server. We recommend that you deploy more than one Hub Transport server in each Active Directory site to provide load balancing and fault tolerance.
  • Unified Messaging servers submit messages to a Hub Transport server for transport to a Mailbox server. A Unified Messaging server may be located in a hub site or near the IP/voice over Internet Protocol (VoIP) gateway or IP Private Branch eXchange (IP/PBX). The Hub Transport server that has the same site membership as the Unified Messaging server will receive messages for transport and route the messages to other Hub Transport servers and Mailbox servers in the organization.
  • Client Access servers provide a connectivity point to the Exchange organization for users who are accessing Exchange remotely. A Client Access server must be deployed in each site that contains Mailbox servers. The Client Access server lets the user connect directly to the Mailbox server to retrieve messages, but any messages that are sent from the remote client must be transported through the Hub Transport server.


Unlike earlier versions of Exchange, Exchange 2007 does not use a link state routing table and does not try to calculate an alternative route when a connection is unavailable. This eliminates link state communication between Exchange servers and creates a more deterministic routing topology.

Direct relay   Exchange 2007 relies on the underlying network infrastructure to transport a message. In the Exchange 2007 organization, messages are relayed directly from the source server to the target server, reducing the number of hops a message takes during delivery. When routing resolution occurs, the name and IP address of the destination server is resolved. If multiple IP site links exist between the source and destination, the route calculation is used to determine the optimal point for message bifurcation and the point at which to queue should delivery be unsuccessful. With direct relay, intermediate Hub transport servers don't process messages.

Hub sites   For administrators who require more control over Exchange routing, we have provided features that enable you to modify the default direct relay behavior. You can specify that an Active Directory site is a hub site. A hub site is an Active Directory site through which all messages to be relayed through the Hub Transport servers are forced to pass. The hub site must exist along the least cost routing path between the source and target servers. This configuration is especially useful for network environments that have firewalls between sites that may prevent successful direct relay.

Site link cost override   For even more control over message routing behavior, you can assign an Exchange-specific cost to Active Directory IP site links. By default, Exchange calculates the least cost route between Active Directory sites by using the costs assigned to those links for the purposes of determining Active Directory replication topology. If these costs don't provide the optimal Exchange routing behavior, you can use cmdlets in the Exchange Management Shell to set an Exchange-specific value to the IP site link. 

Queue at point of failure   In earlier versions of Exchange, when a target server was unreachable, the down connector state was propagated throughout the Exchange organization by link state updates, and an alternative route was calculated. In Exchange 2007, when a message can't be relayed directly to the target server because of network problems, no alternative route is calculated. The message queues on a Hub Transport server in the closest reachable site to the point of failure. Using the least cost routing path calculated at startup, message delivery backs up along the path of intermediate sites until delivery to a Hub Transport server is achieved. When the network problem is resolved, or configuration changes update the routing table, message delivery resumes to the target site. This behavior helps administrators to better determine the source of network problems.

Delayed fan-out   A message sent to more than one recipient must bifurcate, or split, to be delivered to more than one destination. Exchange 2007 delays this bifurcation until it reaches a fork in the routing paths. By delaying bifurcation of the message, bandwidth consumption is reduced.
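To make the four behaviours above concrete, here is an added Python model (not Exchange code and not from the page) of least cost routing over Active Directory IP site links with an Exchange-specific cost override, hub sites, queue at point of failure and delayed fan-out. The site names and costs are constructed. The page mentions only "cmdlets in the Exchange Management Shell" for the cost override; the Exchange 2007 cmdlets that set these values, Set-AdSiteLink -ExchangeCost and Set-AdSite -HubSiteEnabled, are named in the comments for orientation.

```python
import heapq

# Constructed topology: AD IP site links as (site, site, AD cost, Exchange cost
# override). None means Exchange uses the AD replication cost. In Exchange 2007
# the override is set with Set-AdSiteLink -ExchangeCost and a hub site with
# Set-AdSite -HubSiteEnabled $true; the sites and costs here are made up.
SITE_LINKS = [
    ("HQ", "East", 100, None),
    ("HQ", "West", 100, None),
    ("East", "Branch1", 50, None),
    ("East", "Branch2", 50, None),
    ("West", "Branch2", 30, 200),   # cheap for AD replication, overridden for mail
]
HUB_SITES = {"East"}


def build_graph(links, use_exchange_cost=True):
    """Adjacency map site -> {neighbour: cost}, applying Exchange overrides."""
    graph = {}
    for a, b, ad_cost, exchange_cost in links:
        cost = exchange_cost if use_exchange_cost and exchange_cost is not None else ad_cost
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def least_cost_path(graph, src, dst):
    """Dijkstra over site link costs. Ties fall to fewer hops, then to the
    alphabetically lower path (a simplification of Exchange's tie-break)."""
    heap = [(0, 0, [src])]
    done = set()
    while heap:
        cost, hops, path = heapq.heappop(heap)
        site = path[-1]
        if site == dst:
            return cost, path
        if site in done:
            continue
        done.add(site)
        for nxt, link_cost in graph[site].items():
            if nxt not in done:
                heapq.heappush(heap, (cost + link_cost, hops + 1, path + [nxt]))
    return None


def next_hop(path, hub_sites=HUB_SITES):
    """Direct relay to the destination, unless a hub site lies on the least
    cost path: then the message goes to that hub site to be processed first."""
    for site in path[1:-1]:
        if site in hub_sites:
            return site
    return path[-1]


def queue_site(path, reachable):
    """Queue at point of failure: when the destination's Hub Transport servers
    do not answer, back off along the path to the closest reachable site."""
    for site in reversed(path):
        if site in reachable:
            return site
    return None


def fan_out(paths, forks=None):
    """Delayed fan-out: carry one copy along the shared part of the least cost
    paths and record the site where each bifurcation happens.
    All paths start at the same site. Returns [(site, [branches]), ...]."""
    forks = [] if forks is None else forks
    here = paths[0][0]
    groups = {}
    for p in paths:
        key = p[1] if len(p) > 1 else here      # relay on to p[1], or deliver here
        groups.setdefault(key, []).append(p)
    if len(groups) > 1:
        forks.append((here, sorted(groups)))
    for nxt, sub in groups.items():
        if nxt != here:
            fan_out([p[1:] for p in sub], forks)
    return forks


if __name__ == "__main__":
    graph = build_graph(SITE_LINKS)
    for dst in ("Branch1", "Branch2", "West"):
        cost, path = least_cost_path(graph, "HQ", dst)
        print(f"HQ -> {dst}: cost {cost}, path {path}, first hop {next_hop(path)}, "
              f"queues at {queue_site(path, {'HQ', 'East'})} if {dst} is down")
    paths = [least_cost_path(graph, "HQ", d)[1] for d in ("Branch1", "Branch2", "West")]
    print("bifurcation points:", fan_out(paths))
```

Without the override (build_graph(SITE_LINKS, use_exchange_cost=False)) the cheaper AD cost on West-Branch2 pulls the HQ to Branch2 route through West at cost 130 instead of through East at 150, which is exactly the situation the site link cost override exists to correct.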

Read more


Oz ozugurlu

Forefront Security for Exchange Server

What is Microsoft Forefront?

Microsoft Forefront is a comprehensive line of business security products providing greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis. Forefront security products help provide protection for client machines, server applications, and the network edge.

Microsoft Forefront Security for Exchange Server helps protect your e-mail infrastructure from infection and downtime through an approach that emphasizes layered defenses, optimization of Exchange Server performance and availability, and simplified management control. Forefront Security for Exchange Server is an on-premise solution that provides protection for Exchange 2007 Edge and Hub Transport server roles.

  • Advanced Protection   Forefront Security for Exchange Server provides multiple scan engines at multiple layers throughout the e-mail and collaboration infrastructure to provide maximum threat protection.
  • Improved Availability and Performance   Forefront Security for Exchange Server includes scanning innovations, performance controls and tight integration with Microsoft Exchange Server to improve the overall availability and performance of messaging environments.
  • Simplified Management   Forefront Security for Exchange Server helps ensure organizations can simply and cost-effectively manage the security of their messaging servers.


Microsoft Forefront White Papers


I will add more information in the near future

Best Regards,

Oz ozugurlu

Do not configure the DNS client settings on the domain controllers to point to your Internet Service Provider's (ISP's) DNS servers

It seems like one of the most frequently asked questions is about DNS: how to configure it correctly in an Exchange and Active Directory environment. Let me say this up front: Exchange is an application that depends upon Active Directory, and Active Directory relies on healthy DNS. If you don't configure your DNS correctly, you will not have a healthy, properly functioning Active Directory and Exchange environment. Active Directory-integrated DNS is what we deal with most of the time, day to day. What people seem to be confused about is the primary function of DNS, and how it is used in most networks.

"What port does DNS operate on?" is a tricky question: TCP or UDP port 53, depending upon the type of query. When DNS servers update zone data between themselves, the communication is going to be TCP; we need some way of verifying that the TCP/IP handshake is occurring correctly, so that important DNS zone data can be safely replicated by its Mr. IP (Internet Protocol). If the acknowledgement does not come back from the recipient to the sender, the sender resends the packet. (We will ask the security master Zack Payton, last living Unix samurai, no joke.) Let me tell you this up front as well: Zack Payton is my friend, who has an immense heart and a gigantic brain. I have learned a lot from the master. Anyway, commercial break is over; let's get back to our topic.

DNS, the Domain Name System (or service), is intended to translate between complicated 32-bit binary numbers and human-friendly names. The classic story is that when we open a browser such as Internet Explorer and type www.smtp25.blogspot.com, DNS translates between the human-friendly name and the complicated IP address. Just like me, for instance.

I don't remember Erika's (my wife's) social security number, but I do remember her name (-: . DNS won't help at all here, but this just keeps me from sleeping on the street or looking for a shelter. If I need to know her SS number, I call her and ask her what the SS number was.

When DNS was introduced in the Microsoft Active Directory environment, it pretty much provided the same and deeper functionality. In Active Directory, when a server goes through DCPROMO (installation of the Active Directory database, "NTDS.DIT"), the server promotes itself to be a Domain Controller and registers service records (SRV records) saying, "Hey, I am a DC (Domain Controller) and I offer these services, come and get them from me": services such as DHCP, DNS, and the authentication service for the DNS namespace (SMTP25.org). With the help of the registered service records, clients are able to locate the authentication servers (DCs) and register their own records as a CLIENT in DNS, so that they can be found and get services when they need to.

Here is what Microsoft says about setting up your Domain Controller IP addresses for DNS. If the server is the first and only domain controller that you install in the domain, and the server runs DNS, configure the DNS client settings to point to that first server's IP address. In other words, you must configure the DNS client settings to point to itself. Do not list any other DNS servers until you have another domain controller hosting DNS in that domain.


During the DCPromo process, you must configure additional domain controllers to point to another domain controller that is running DNS in their domain and site, and that hosts the namespace of the domain in which the new domain controller is installed; or, if you are using third-party DNS, to a DNS server that hosts the zone for that DC's Active Directory domain.

Option 1: Configure the Preferred DNS server in TCP/IP properties on each Domain Controller to use itself as the Primary DNS Server.

Advantages:

  • Ensures that DNS queries originating from the Domain Controller will be resolved locally if possible.
  • Will minimize the impact of the Domain Controller's DNS queries on the network.

Disadvantages:

  • Dependent on Active Directory replication to ensure that the DNS zone is up to date. Lengthy replication failures may result in an incomplete set of entries in the zone.

Option 2: Configure all Domain Controllers to use a centralized DNS server as their Preferred DNS Server.

Advantages:

  • Minimizes the reliance on Active Directory replication for DNS zone updates of Domain Controller locator records. This includes faster discovery of new or updated Domain Controller locator records, as replication lag time is not an issue.
  • Provides a single authoritative DNS server, which may be useful when troubleshooting Active Directory replication issues.

Disadvantages:

  • Will more heavily utilize the network to resolve DNS queries originating from the Domain Controller.
  • DNS name resolution may be dependent on network stability; loss of connectivity to the Preferred DNS server will result in failure to resolve DNS queries from the Domain Controller. This may result in an apparent loss of connectivity, even to locations that are not across the lost network segment.

Please note, only a failure to respond will cause the DNS client to switch Preferred DNS servers; receiving an authoritative but incorrect response does not cause the DNS client to try another server. As a result, configuring a Domain Controller with itself and another DNS server as Preferred and Alternate servers helps to ensure that a response is received, but it does not guarantee the accuracy of that response. DNS record update failures on either of the servers may result in an inconsistent name resolution experience.

Netlogon service on the domain controllers

Do not configure the DNS client settings on the domain controllers to point to your Internet Service Provider's (ISP's) DNS servers. If you configure the DNS client settings to point to your ISP's DNS servers, the Netlogon service on the domain controllers does not register the correct records for the Active Directory directory service. With these records, other domain controllers and computers can find Active Directory-related information. The domain controller must register its records with its own DNS server.

To forward external DNS requests, add the ISP's DNS servers as DNS forwarders in the DNS management console. If you do not configure forwarders, the default root hints servers are used. In both cases, if you want the internal DNS server to forward to an Internet DNS server, you also must delete the root "." (also known as "dot") zone in the DNS management console in the Forward Lookup Zones folder.

If the domain controller that hosts DNS has several network adapters installed, you must disable one adapter for DNS name registration.

To confirm that the DNS records are correct in the DNS database, start the DNS management console. There should be a host record for the computer name. (This host record is an "A" record in Advanced view.) There also should be a Start of Authority (SOA) record and a Name Server (NS) record that points to the domain controller.

Use the commands below:

ipconfig /flushdns    (clears the local DNS resolver cache)

ipconfig /registerdns    (re-registers the computer's DNS records with its DNS server)

ipconfig /displaydns    (shows the contents of the local resolver cache)


Domain controller without DNS installed


If you do not use Active Directory-integrated DNS, and you have domain controllers that do not have DNS installed, Microsoft recommends that you configure the DNS client settings according to these specifications:

  • Configure the DNS client settings on the domain controller to point to a DNS server that is authoritative for the zone that corresponds to the domain where the computer is a member. A local primary and secondary DNS server is preferred because of Wide Area Network (WAN) traffic considerations.
  • If there is no local DNS server available, point to a DNS server that is reachable by a reliable WAN link. (Up-time and bandwidth determine reliability.)
  • Do not configure the DNS client settings on the domain controllers to point to your ISP's DNS servers. Instead, the internal DNS server should forward to the ISP's DNS servers to resolve external names. 


Windows 2000 Server and Windows Server 2003 member servers

On Windows 2000 Server and Windows Server 2003 member servers, Microsoft recommends that you configure the DNS client settings according to these specifications:

  • Configure the primary and secondary DNS client settings to point to local primary and secondary DNS servers (if local DNS servers are available) that host the DNS zone for the computer's Active Directory domain.
  • If there are no local DNS servers available, point to a DNS server for that computer's Active Directory domain that can be reached through a reliable WAN link (Up-time and bandwidth determine reliability.)
  • Do not configure the client DNS settings to point to your ISP's DNS servers. If you do so, you may experience issues when you try to join the Windows 2000-based or Windows Server 2003-based server to the domain, or when you try to log on to the domain from that computer. Instead, the internal DNS server should forward to the ISP's DNS servers to resolve external names.


Windows 2000 Server and Windows Server 2003 non-member servers

If you have servers that are not configured to be part of the domain, you can still configure them to use Active Directory-integrated DNS servers as their primary and secondary DNS servers. If you have non-member servers in your environment that use Active Directory-integrated DNS, they do not dynamically register their DNS records to a zone that is configured to accept only secure updates.

  • If you do not use Active Directory-integrated DNS, and you want to configure the non-member servers for both internal and external DNS resolution, configure the DNS client settings to point to an internal DNS server that forwards to the Internet.
  • If only Internet DNS name resolution is required, you can configure the DNS client settings on the non-member servers to point to the ISP's DNS servers.

To sum it all up, I want to paste the information below one more time.

Netlogon service on the domain controllers

Do not configure the DNS client settings on the domain controllers to point to your Internet Service Provider's (ISP's) DNS servers. If you configure the DNS client settings to point to your ISP's DNS servers, the Netlogon service on the domain controllers does not register the correct records for the Active Directory directory service. With these records, other domain controllers and computers can find Active Directory-related information. The domain controller must register its records with its own DNS server.

In the multi-master replication model, each DC/DNS server needs to point to itself first. Remember, clients can register their records with any available domain controller in the multi-master replication model. Each DC has a read/write copy of the DNS zone data in the Active Directory-integrated DNS model.
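As an added example (not from this post or from Microsoft), here is a PowerShell audit that checks a domain controller against the points above: no ISP resolvers in the client settings, the preferred server pointing at the DC itself, no root "." zone blocking forwarders, and the Netlogon DC locator SRV record present on the local server. It assumes Windows Server 2012 or later with the DnsClient, DnsServer and ActiveDirectory modules, run elevated on a DC that hosts DNS; the ISP address list is a constructed placeholder.

```powershell
# Added example (not from the original post or from Microsoft): audits the DNS
# client settings of the domain controller it runs on against the guidance above.
# Assumptions: Windows Server 2012 or later with the DnsClient, DnsServer and
# ActiveDirectory modules, run in an elevated session on a DC that hosts DNS.
# $IspDnsServers is a constructed placeholder (RFC 5737 documentation addresses);
# replace it with the resolver addresses your ISP hands out.
$IspDnsServers = @('198.51.100.53', '203.0.113.53')
$Domain      = (Get-ADDomain).DNSRoot
$DcAddresses = @((Get-ADDomainController -Filter *).IPv4Address)
$Self        = @((Get-NetIPAddress -AddressFamily IPv4 |
                  Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress)
$findings    = New-Object System.Collections.Generic.List[string]

# 1. DNS client: ISP resolvers must not appear; the preferred server should be
#    this DC itself (multi-master), any alternate another internal DC.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $alias     = $_.InterfaceAlias
        $preferred = $_.ServerAddresses[0]
        foreach ($srv in $_.ServerAddresses) {
            if ($IspDnsServers -contains $srv) {
                $findings.Add("${alias}: ISP resolver $srv configured; Netlogon cannot register the DC locator records there")
            } elseif ($DcAddresses -notcontains $srv -and $Self -notcontains $srv -and $srv -ne '127.0.0.1') {
                $findings.Add("${alias}: $srv is not a known domain controller address")
            }
        }
        if ($Self -notcontains $preferred -and $preferred -ne '127.0.0.1') {
            $findings.Add("${alias}: preferred server $preferred is not this DC")
        }
    }

# 2. Forwarders: a root "." zone makes the server believe it is a root server,
#    so forwarders and root hints are never consulted for Internet names.
$forwarders = @((Get-DnsServerForwarder).IPAddress)
$rootZone   = Get-DnsServerZone | Where-Object { $_.ZoneName -eq '.' }
if ($rootZone) {
    $findings.Add('Root "." zone exists; delete it before relying on forwarders or root hints')
}

# 3. Netlogon registration: the DC locator SRV record must exist on the local server
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$srv  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue
if (-not ($srv | Where-Object { $_.NameTarget -eq $fqdn })) {
    $findings.Add("No _ldap._tcp.dc._msdcs.$Domain SRV record for $fqdn on the local DNS server; run ipconfig /registerdns and restart Netlogon")
}

if ($findings.Count -eq 0) { 'DNS client configuration matches the guidance.' }
else { $findings | ForEach-Object { "WARNING: $_" } }
```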

For Exchange servers, DSAccess and DSProxy communicate with Active Directory, so you will have to point your Exchange server to your internal DNS server, not to the ISP's DNS server.


So AD integration with Exchange 2003 was split into 2 components: DSAccess & DSProxy.

DSAccess.dll ran inside the System Attendant and was responsible for building a topology of the Domain Controllers available to the Exchange server (increase diagnostics logging for MSExchangeDSAccess Service\Topology in the properties of your server in ESM and look at the 2080 events logged every 15 minutes in the application log); for querying AD to determine the destination of an email, for example; and for maintaining a DSAccess cache. DSProxy provided an address book service for earlier Outlook clients and referred Outlook 2003, which is 'GC aware', to AD. (Hold down the control key and right-click on the Outlook icon in the Taskbar; select Connection Status to see the connections to the 'Directory'.) As long as your GCs were performing well; there were enough of them (4:1 – Exchange proc:GC proc); your AD site topology was designed well; and the automatic topology discovery process had not been overridden, AD integration worked well with Exchange. To verify that Exchange was receiving timely responses to LDAP requests, you could use Performance Monitor to gather MSExchangeDSAccess Domain Controllers\LDAP Search & Read Time counter data.

Where is DSAccess in Exchange 2007?

In Exchange 2007 DSAccess has been split into two parts: AD Provider and AD Driver. AD Provider is responsible for maintaining the DSAccess cache and for passing LDAP queries to AD. AD Driver is a sub-component of the AD Provider and builds and maintains the DC topology. The remaining component here is Autodiscover, which to some extent takes over from DSProxy and enables Outlook 2007 clients to determine the location of mailbox data, but is much more powerful and can be used to ease data recovery, for example.

Ex2007 is still very much dependent on your AD site design. (Even more so from a routing perspective, as link state becomes a thing of the past.) The new AD Provider and AD Driver run inside the 'Active Directory Topology service', which runs on all Exchange 2007 server roles. This service reads information from all Active Directory partitions. The data that is retrieved is cached and is used to discover the AD site location of all Exchange services in the organization: for example, what the AD site topology is and therefore where the closest or local Hub Transport role server is.

We need to be aware of how each different Ex2007 server role makes use of AD now. This will be important when we begin to troubleshoot issues involving AD and for capacity planning and performance monitoring. For example, the Hub Transport server role contacts AD when it performs message categorization. The categorizer uses the topology information that is cached by the Active Directory Topology service to discover the routing path for a message. The Hub Transport server uses AD site configuration information to determine the location of other servers and connectors in the topology and the location the mailbox store. If the mailbox store is in the same Active Directory site as the Hub Transport server, the message will be delivered directly to the user's mailbox. If the mailbox store is in a different Active Directory site the Hub Transport server delivers the message to a Hub Transport server in the remote AD site.

The Mailbox server role on the other hand stores the configuration for mailbox policies for example in AD. The Mailbox server uses AD therefore to retrieve this information to enforce mailbox policies.

Autodiscover is enabled by default and is used to gather configuration information in AD to enable Outlook 2007, OWA, and mobile e-mail clients to locate and connect to the appropriate Ex2007 Mailbox server that contains the user's mailbox. Autodiscover is also used to make configuring Outlook 2007 clients easier and to provision mobile devices that are used to connect to Exchange 2007. Essentially it means that you only need to know your proxyaddress for example to ensure a successful first synchronisation of your mailbox. (Provided you have the appropriate security access of course.)

(To get the global settings from the AutoDiscoverConfig object under the Global Settings object in AD use Get-OutlookProvider (Get-OutlookProvider [-Identity <OutlookProviderIdParameter>] [-DomainController <Fqdn>]))

When you install the Client Access server role; a requirement of the Autodiscover service, a new virtual directory named Autodiscover is created under the default Web site in IIS. This virtual directory handles the Autodiscover service requests.

A great new feature which complements the Autodiscover service is database portability. In Ex2007 a mailbox database (NOT PF database) can be mounted on any server in the same Organisation. This is of no use unless clients can be redirected to the mailbox data at the new location. With the Outlook 2007 and Ex2007 Autodiscover service, clients are redirected to the new server when they try to connect. This gives us a lot more options when it comes to Disaster Recovery planning.

I have not seen any figures so far, but we can also expect much better scalability with Ex2007 and its integration with AD. If nothing else, with 64-bit Exchange servers we can have much more RAM and will therefore potentially be in a position to cache the entire AD database, thereby improving lookup and response times.

More here (Doug's Blog)



Oz Ozugurlu

Subnetting for Exchange Servers & for FUN

Subnetting is one of the most fun subjects. I have decided to post this question here so that my students can post their answers here. Remember the question: what is an IP address? I have seen some people spend 10 minutes explaining this question. The simple answer would be "It is a 32-bit binary number." What is a subnet mask, then? The answer would be "It is a 32-bit binary number as well." Hmm, sounds like they are twins, so what does the subnet mask do? The answer would be "it divides an IP address into two distinct groups", the network portion and the host portion. Why is this so important, then? Well, the answer would be:

IP Address = 32-bit binary number

Subnet mask = 32-bit binary number

IP Address = Network + Host. The subnet mask determines the network portion as well as the host portion of the IP address.

If I tell you I live on Washington Blvd, and you live on Washington Blvd, do you think we are neighbors? (Assuming Washington Blvd is a walkable distance.)

Well the answer is maybe or maybe not.

I need my students to explain the rest of the story.

Here is the question



  1. What is the IP address?
  2. What is the Subnet mask?
  3. What is the Default Gateway?
  4. What is the First Network?
  5. What is the Default Gateway?
  6. What is the First Usable IP Address?
  7. What is the Last Usable IP Address?
  8. What is the Broadcast IP Address?
  9. How many Networks?
  10. How many Hosts in each Network?

User2 (Located on Network 2)

  1. What is IP ADDRESS?
  2. What is Subnet Mask?
  3. What is Default Gateway?
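
As an added example (not part of the original post, and not the answer key to the exercise above, whose diagram is not on the page), here is a PowerShell calculator that works through the values the questions ask for: network, broadcast, first and last usable address, hosts per network and number of networks, plus the "same street, but are we neighbors?" test. The addresses used are constructed for illustration.

```powershell
# Added example (not from the original post): computes the values the subnetting
# questions ask for from an IPv4 address and a subnet mask. The addresses below
# are constructed for illustration; the exercise's own diagram is not on the page.

function ConvertTo-IPv4Integer {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # First octet is the most significant byte of the 32-bit number
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function ConvertFrom-IPv4Integer {
    param([long]$Value)
    $octets = foreach ($shift in 24, 16, 8, 0) { ($Value -shr $shift) -band 255 }
    return ($octets -join '.')
}

function Get-SubnetInfo {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Mask,
        [int]$ParentPrefix = 24   # prefix of the block that was subnetted (class C = 24)
    )
    $ip   = ConvertTo-IPv4Integer $Address
    $mask = ConvertTo-IPv4Integer $Mask
    # A valid mask is a run of ones followed by a run of zeros: no "01" anywhere
    $bits = [Convert]::ToString($mask, 2).PadLeft(32, '0')
    if ($bits -match '01') { throw "$Mask is not a contiguous subnet mask" }
    $prefix    = ($bits -replace '0', '').Length     # number of network bits
    $network   = $ip -band $mask                      # host bits cleared
    $broadcast = $network + (4294967295 - $mask)      # host bits set
    [pscustomobject]@{
        Network     = ConvertFrom-IPv4Integer $network
        Broadcast   = ConvertFrom-IPv4Integer $broadcast
        FirstUsable = ConvertFrom-IPv4Integer ($network + 1)
        LastUsable  = ConvertFrom-IPv4Integer ($broadcast - 1)
        HostsPerNet = [math]::Pow(2, 32 - $prefix) - 2   # minus network and broadcast
        Networks    = [math]::Pow(2, $prefix - $ParentPrefix)
        Prefix      = $prefix
    }
}

# The "same street" question: two hosts are neighbors only if the mask leaves
# them with the same network portion.
function Test-SameSubnet {
    param([string]$A, [string]$B, [string]$Mask)
    $m = ConvertTo-IPv4Integer $Mask
    return ((ConvertTo-IPv4Integer $A) -band $m) -eq ((ConvertTo-IPv4Integer $B) -band $m)
}

# Constructed sample: 192.168.10.0/24 split with a /26 mask into four networks
Get-SubnetInfo -Address 192.168.10.70 -Mask 255.255.255.192 | Format-List
Test-SameSubnet -A 192.168.10.70 -B 192.168.10.130 -Mask 255.255.255.192   # False
Test-SameSubnet -A 192.168.10.70 -B 192.168.10.130 -Mask 255.255.255.0     # True
```

Change the mask in the sample and watch the network count, host count and the neighbor test move with it; that is the whole "maybe or maybe not" answer.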

Oz Ozugurlu