Wednesday 26 September 2012

Microsoft Exchange server studies

I've been reluctantly learning about Exchange; this is where I will post some info.

Hub Server
  • Most of the items we are interested in are under Organization Configuration > Hub Transport
  • Send connectors: none by default on a hub
  • Receive connectors (under Server Configuration): the defaults are the "Client" and "Default" receive connectors
  • Anti-spam settings are not enabled by default on a hub, can be turned on
  • Transport rules are enabled but none configured by default, can be configured
  • Journal rules are there, nothing configured
  • Edge subscriptions are there, nothing configured
Edge server
  • Edge servers are not part of the domain by design
  • Edge server should be in DMZ, hub server should be in internal network
  • The edge server's console only has the one edge transport role
  • It has the following:
  • Anti-Spam is enabled
  • Send connectors (nothing configured)
  • Receive connectors (default internal receive connector is there by default)
  • Transport rules (nothing configured)
  • Accepted domains (nothing configured)
The edge server is supposed to sit in the DMZ and defend your organization from spam, viruses and DDOS attacks. The hub handles all of the mail flow within the organization: it applies transport rules and journaling policies and delivers messages to mailboxes, and if there is no edge it can send/receive email to/from the internet. You can have multiple hub and edge servers. Hub servers sync settings with each other; edge servers do not, but you can export/import settings.
Edge servers are not required, but they are best practice according to Microsoft and anyone with experience. If you choose not to use one, you should use an anti-spam/virus checking service like mxsweep. You can enable anti-spam, configure transport rules and use a 3rd party solution on the hub server.
Mail flow
Mail will flow in/out of hub and edge transport servers.
Edge transport servers will never see emails that goes between internal users.
To connect the hub and edge you need to create an edge sync subscription.
The edge transport role is designed to protect: it's not part of the domain,
and it can cut down the spam at the front door.
A 3rd party solution can be just as good or better than the edge server.
A combination of forefront, ISA server and edge transport server can offer pretty good protection.

Send/Receive connectors
Connectors are like train tracks one going in and one going out.
You can have more than one outgoing or incoming tracks.
When you have 2 hub servers, there are invisible send connectors between the hub servers.
The edge transport role is configured automatically to receive email from the internet.
The hub transport server must be configured to do this.
Anti-Spam/Virus
The edge server has it turned on by default
On the hub server you need to turn it on
Should use AV internally (Forefront / modusGate from Vircom / other 3rd party hosted)
Transport rules
You can make rules that apply to incoming/outgoing mail while it is in transit.
The differences between the hub and edge transport rules:
The edge (Edge Rules agent) is more for message hygiene: stopping virus attacks, DDOS etc.
The hub (Transport Rules agent) is more for message compliance and policy enforcement: message classifications, disclaimers etc.
You can make a transport rule to attach a disclaimer to emails that go out of your organization, but internal emails will not have it attached.
Transport rules are built upon three components:
conditions, exceptions and actions.
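The outbound-only disclaimer described above, built from exactly those three components, as an added example that is not part of the original post. Run it in the Exchange Management Shell on the hub; the rule name, the disclaimer text and the excepted sender address are assumptions.

```powershell
# Added example (not from the original post). Lists what the Transport Rules agent
# can do on this server, then creates a disclaimer rule for external mail only.

# The conditions/exceptions (predicates) and actions available to transport rules.
Get-TransportRulePredicate | Select-Object Name | Format-Table -AutoSize
Get-TransportRuleAction    | Select-Object Name | Format-Table -AutoSize

# Disclaimer text is an assumption; keep it short, it is appended to every external mail.
$disclaimer = '<p style="font-size:9pt;color:gray">This email and any attachments are confidential and intended solely for the addressee.</p>'

$rule = @{
    Name = 'External disclaimer'
    # Condition: at least one recipient is outside the organization.
    # Mail between internal users never matches, so it is left untouched.
    SentToScope = 'NotInOrganization'
    # Exception: skip automated mail from this sender (assumed address).
    ExceptIfFrom = 'noreply@domain.com'
    # Action: append the HTML disclaimer. Wrap means that a message whose body
    # cannot be changed (signed/encrypted) is sent as an attachment of a new
    # message carrying the disclaimer, instead of being rejected or skipped.
    ApplyHtmlDisclaimerText = $disclaimer
    ApplyHtmlDisclaimerLocation = 'Append'
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    Enabled = $true
}
New-TransportRule @rule

# Verify: lower Priority is evaluated first, State shows whether it is active.
Get-TransportRule -Identity 'External disclaimer' |
    Format-List Name, Priority, State, SentToScope, ExceptIfFrom, ApplyHtmlDisclaimerLocation
```

Test it by sending one message to an external address and one to an internal colleague: only the external copy should carry the disclaimer, which is the behaviour the notes describe.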
Edge Sync subscription
Install hub and edge servers.
Make sure to set the DNS suffix correctly on the edge server during installation.
For the hub this is done automatically because it is part of the domain.
The edge should be in the DMZ, so it won't be in DNS automatically.
You may have an internal network card on the edge server as well.
Configure a host/A record on the DNS server that the edge server uses to point to the hub server
Configure a host/A record on the DNS server that the hub server uses to point to the edge server
Alternatively you can edit the hosts file (C:\windows\system32\drivers\etc\hosts) on each server
  • 192.168.1.10 edge.domain.com
  • 192.168.1.35 hub.domain.com
Ensure the hub and edge can talk to each other through DNS name resolution
From hub server
  • ping edge.domain.com
From edge server
  • ping hub.domain.com
LDAP TCP:50389 and Secure LDAP TCP:50636 must be open between the two servers (best practice is to have a firewall between them).
  • telnet edge.domain.com 50389
  • telnet edge.domain.com 50636
  • telnet hub.domain.com 50389
  • telnet hub.domain.com 50636 
On edge, create the subscription file (in the EMS run New-EdgeSubscription -FileName "C:\edgesub.xml")
Copy the xml file to hub and import it (in the EMC, Organization Configuration > Hub Transport> Create New Edge Subscription)
It can be difficult to get the subscription file off the edge if the network is locked down. You may have to get the restrictions lifted temporarily
or get the file off with a USB.
The application log should not show any errors, it should say it completed successfully
Two default send connectors will be created on the hub server
Start the EMS on hub, run
Start-EdgeSynchronization
Test-EdgeSynchronization (we should see sync status normal)
Test-EdgeSynchronization -VerifyRecipient user.name@domain.com (RecipientStatus)
On Edge we should see the two send connectors were created in the EMC
Test mail flow by sending and receiving email to/from an external email address, from a client inside your network.
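The verification steps above (name resolution, the two EdgeSync ports, the sync itself, the recipient check and the two send connectors) collected into one script, as an added example that is not from the original post. It runs in the Exchange Management Shell on the hub after the subscription XML has been imported; the hostnames and the test recipient are the ones assumed in the notes, and the TCP check uses .NET sockets so it works without telnet being installed.

```powershell
# Added example (not from the original post): post-import EdgeSync checks, run on the hub.
$edge  = 'edge.domain.com'          # assumed hostname from the notes
$ports = 50389, 50636               # EdgeSync LDAP and secure LDAP (AD LDS on the edge)

# 1. Name resolution from the hub's point of view (DNS or the hosts file entry).
$addresses = [System.Net.Dns]::GetHostAddresses($edge) | ForEach-Object { $_.IPAddressToString }
"$edge resolves to: $($addresses -join ', ')"

# 2. Both ports must pass through the firewall between hub and edge.
foreach ($port in $ports) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($edge, $port)
        "TCP $port to $edge : open"
    } catch {
        "TCP $port to $edge : BLOCKED ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

# 3. Push a synchronization and confirm the status the notes say to look for (Normal).
Start-EdgeSynchronization
foreach ($status in Test-EdgeSynchronization) {
    $status | Format-List
    if ($status.SyncStatus -ne 'Normal') {
        Write-Warning "EdgeSync to $($status.Name) is not Normal; check the Application log on both servers."
    }
}

# 4. Confirm a recipient has been replicated to the edge, so recipient filtering knows it.
Test-EdgeSynchronization -VerifyRecipient 'user.name@domain.com' | Format-List

# 5. The two send connectors the subscription creates on the hub (one to the internet via
#    the edge, one inbound from the edge to the organization).
Get-SendConnector | Format-Table Name, AddressSpaces, SourceTransportServers, Enabled -AutoSize
```

Run the same name-resolution and port checks on the edge against hub.domain.com before importing the subscription; if step 2 shows a blocked port, fix the firewall rule rather than disabling the check, since EdgeSync is the only channel that carries recipients and configuration to the DMZ.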
Transport Layer Security (TLS)
Exchange 2010 by default uses self-signed certs for all internal message transfers (also called direct trust).
Exchange 2010 will try to use TLS with a remote server; if the remote server does not support it, it falls back to unencrypted SMTP.
You can configure Mutual TLS between external organizations. You need to purchase a public cert for this.
Remember TLS only protects data in transit.
You can only ensure one hop is encrypted, not the next hop.
You may need to speak with your third party vendors to see if they support TLS.
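The mutual TLS arrangement with an external organization mentioned above (Exchange calls it Domain Security) as an added example that is not from the original post. It is run on the hub; partner.example is a placeholder for the partner's domain, the connector names are assumptions, and the partner has to make the mirror-image configuration on their side. Where an edge server is in use, the transport config lists are replicated to it by EdgeSync and the partner-facing connectors live on the edge instead.

```powershell
# Added example (not from the original post): Domain Security (mutual TLS) with one partner.
$partner = 'partner.example'   # placeholder partner domain

# 1. Mutual TLS needs a certificate the partner's servers trust, i.e. the purchased public
#    cert, not a self-signed one. Show what is currently bound to SMTP.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, Subject, NotAfter, IsSelfSigned -AutoSize

# 2. Add the partner to the outbound and inbound domain-secure lists (multi-valued properties).
Set-TransportConfig -TLSSendDomainSecureList    @{Add = $partner} `
                    -TLSReceiveDomainSecureList @{Add = $partner}

# 3. A dedicated send connector for the partner that requires TLS and domain security.
#    'hub' is the assumed hub server name.
New-SendConnector -Name "To $partner (domain secure)" -Usage Partner `
    -AddressSpaces "SMTP:$partner;1" -DNSRoutingEnabled $true `
    -DomainSecureEnabled $true -RequireTLS $true -SourceTransportServers 'hub'

# 4. The internet-facing receive connector must already offer TLS in AuthMechanism;
#    then switch on domain security for it. Connector name is an assumption.
Get-ReceiveConnector -Identity 'hub\Default hub' | Format-List AuthMechanism, DomainSecureEnabled
Set-ReceiveConnector -Identity 'hub\Default hub' -DomainSecureEnabled $true

# 5. Verify the outbound side. Success and failure of domain-secure sessions are logged
#    by the MSExchangeTransport source in the Application log.
Get-SendConnector "To $partner (domain secure)" |
    Format-List Name, AddressSpaces, RequireTLS, DomainSecureEnabled, DNSRoutingEnabled
```

Because RequireTLS is set, mail to the partner is queued rather than sent in the clear if the TLS handshake fails, which is the point: opportunistic TLS protects a hop only when both sides happen to support it, whereas this arrangement refuses to downgrade.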
The exchange toolbox
In the EMC there are a lot of tools there by default that can help troubleshooting
You can add extra useful tools (Jetstress / Load Generator)
One of the most important tools to run is the best practices analyser.
You should run it after install, after any upgrades, and perhaps schedule it at least once a year.
The Mail Flow Troubleshooter tool is also very good.
Details templates editor - will probably never be used
Remote connectivity analyser (should be run on edge if you are using one)

Monitoring tools in the exchange management shell
You can do more with the shell than you can with the GUI
Get-Command Test* (show all the test commands)
Test-Mailflow
Test-ServiceHealth
Test-MapiConnectivity
Don't forget Get-Help [command]
Get-MailboxStatistics (-server -identity -FolderScope)
Get-MailboxFolderStatistics
Get-MailboxDatabase
Get-TransportPipeline (needs to be run on the hub server)
PowerGUI has an exchange 2010 powerpack that you can download and add to powergui.
Remember to test send/receiving email from outlook, owa etc.
After a system outage Exchange should be the last server to start up.
Generally we want to start DCs, then SQL servers and then Exchange. Exchange services take some time to start up.


RAID
You should use RAID 10 on the disk groups that you store databases on for optimal performance.

Perfmon
You can use start -> perfmon to monitor performance aspects of Exchange.
First see if you can match a spike in Average Disk Queue Length for all disks (under Physical Disk) to a single disk. Then for that disk monitor the average read/write latency (Avg. Disk sec/Read and Avg. Disk sec/Write). The values should be below 20ms most of the time, with spikes to 50ms.
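The same disk check done from PowerShell with Get-Counter instead of the perfmon GUI, as an added example that is not from the original post. It samples the counters the notes describe, finds the disk with the highest queue length and flags read/write latency against the 20ms and 50ms figures above. The sample count and interval are assumptions.

```powershell
# Added example (not from the original post): sample the disk counters perfmon would show.
$counters = '\PhysicalDisk(*)\Avg. Disk Queue Length',
            '\PhysicalDisk(*)\Avg. Disk sec/Read',
            '\PhysicalDisk(*)\Avg. Disk sec/Write'

# 10 samples 5 s apart (50 s); use many more for a real baseline during the busy period.
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 10

# Flatten into rows of (time, disk instance, counter name, value).
$rows = foreach ($s in $samples) {
    foreach ($c in $s.CounterSamples) {
        # Path looks like \\host\physicaldisk(1 d:)\avg. disk sec/read
        if ($c.Path -match '\\physicaldisk\((?<disk>[^)]+)\)\\(?<name>.+)$') {
            New-Object PSObject -Property @{
                Time    = $s.Timestamp
                Disk    = $Matches['disk']
                Counter = $Matches['name']
                Value   = $c.CookedValue
            }
        }
    }
}

# Step 1 from the notes: which disk owns the queue-length spikes?
$rows | Where-Object { $_.Counter -like '*queue length*' } |
    Group-Object Disk | ForEach-Object {
        $stats = $_.Group | Measure-Object -Property Value -Average -Maximum
        "{0,-12} avg queue length {1:N2}  peak {2:N2}" -f $_.Name, $stats.Average, $stats.Maximum
    } | Sort-Object -Descending

# Step 2: latency. sec/Read and sec/Write are reported in seconds, so convert to ms.
$rows | Where-Object { $_.Counter -like '*sec/*' } | ForEach-Object {
    $ms = $_.Value * 1000
    if ($ms -gt 50) {
        Write-Warning ("{0} {1}: {2:N1} ms (spike above 50 ms) at {3:T}" -f $_.Disk, $_.Counter, $ms, $_.Time)
    } elseif ($ms -gt 20) {
        "{0} {1}: {2:N1} ms (above the 20 ms target) at {3:T}" -f $_.Disk, $_.Counter, $ms, $_.Time
    }
}
```

The _Total instance appears alongside the individual disks; ignore it when you are trying to pin a spike on one spindle. Latency that sits above 20ms all day on the volume holding the database or the logs is the symptom the RAID and disk-layout notes on this page are meant to prevent.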

Some good articles on using perfmon are here
http://www.computerperformance.co.uk/HealthCheck/Disk_Health.htm
http://www.windowsnetworking.com/articles_tutorials/Windows-Server-2003-Performance-Tuning.html

Get largest mailboxes
Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft DisplayName,@{label="TotalItemSize(MB)";expression={$_.TotalItemSize.Value.ToMB()}},ItemCount
Creating a new self signed certificate
New-ExchangeCertificate -DomainName servername,servername.domain.local,mail.domain.ie,owa.domain.ie -PrivateKeyExportable:$true
Enable-ExchangeCertificate -Thumbprint [copy from output above] -Services "SMTP,POP,IIS,IMAP"
On edge server
Enable-ExchangeCertificate -Thumbprint [copy from output above] -Services SMTP
Remember you can't use the same certificate on the hub and the edge server, the same goes for third party certs.

Exporting a cert
  • From the certificates snapin
  • personal -> certificates
  • right click all tasks - > export
  • tick export the private key
  • Personal Information Exchange (.pfx)
  • tick include all certificates in the
  • tick export all extended properties
  • type a password
  • browse for where you want to save the file
Importing a cert
  • Export the cert on hub server as detailed above
  • Copy the cert to edge
  • Import-ExchangeCertificate -Path c:\certificates\ExportedCert.pfx -Password:(Get-Credential).password
  • type anyusername
  • type the password that was used to export the cert
  • Enable-ExchangeCertificate -Thumbprint [thumbprint from the import output] -Services SMTP
Restart the topology service on the hub server.
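The export and import above done entirely from the Exchange Management Shell instead of the certificates snap-in, plus an expiry check, as an added example that is not from the original post. The file path, the server's transport service restart and the thumbprint placeholder are assumptions; the PFX password is entered with Get-Credential on each server, as in the notes (the username is ignored).

```powershell
# Added example (not from the original post). Part 1 runs on the hub, part 2 on the edge.

# --- Part 1: on the hub ---
# Which certificate is bound to SMTP right now, and is anything close to expiring?
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, Subject, NotAfter, IsSelfSigned, Services -AutoSize
Get-ExchangeCertificate | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } | ForEach-Object {
    Write-Warning "Expires soon: $($_.Subject) [$($_.Thumbprint)] on $($_.NotAfter)"
}

# Export with the private key as a password-protected PFX (what the snap-in wizard does).
$pfxPassword = (Get-Credential).Password            # type any username, then the PFX password
$export = Export-ExchangeCertificate -Thumbprint '<thumbprint from output above>' `
              -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path 'C:\certificates\ExportedCert.pfx' -Value $export.FileData -Encoding Byte

# --- Part 2: on the edge, after copying the .pfx across ---
$pfxPassword = (Get-Credential).Password            # same password used at export time
$bytes = [System.IO.File]::ReadAllBytes('C:\certificates\ExportedCert.pfx')
# Import and, in the same pipeline, bind it to SMTP only (the edge has no IIS/POP/IMAP role).
Import-ExchangeCertificate -FileData $bytes -Password $pfxPassword |
    Enable-ExchangeCertificate -Services SMTP

# Confirm the binding, then restart transport on the edge so new sessions use it.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, IsSelfSigned -AutoSize
Restart-Service MSExchangeTransport
```

Delete the .pfx from both servers once the import is confirmed: it carries the private key, and the password on the file is all that protects it wherever the copy ends up.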

Databases and transaction logs
Emails come in over the network; first they enter RAM on the server, then they are written to the transaction logs, and the transaction logs are written into the database. Checkpoint files (.chk) keep track of which transaction logs have been written into the database and which have not. Transaction logs are 1MB in size, and more and more are created as more emails come in. You should be able to tell from the checkpoint file which emails have been written to the database. The .jrs files are reserved transaction log files (only used when the disk runs out of space, but they are only 1MB in size so they are useless these days).
If the disk a database is on runs out of space, that's bad: the database can't be mounted or repaired. When the disk gets down to 1 GB of free space Exchange will stop the transport service delivering to that database. E00 is the current log; when it fills up it is renamed and a new log is started. Circular logging can be turned on, which overwrites the transaction logs once they have been written into the database. Many backup solutions also delete the transaction logs after a full backup has completed successfully.
DB files should be kept on separate disks from transaction logs. They should also be kept separate from the system partition and from where Exchange is installed. Take for example a server with the OS, the Exchange install, the DB and the transaction logs all on a single non-redundant physical disk. If that disk fails we have lost everything; even with a full backup from the night before we will miss all the mail in between. This is why we want to use redundant disks or a SAN for storage. Let's say we set up 3 redundant disks: the OS and Exchange are installed on disk1, the DB is on disk2, and the transaction logs are on disk3. This way if we lose a disk, we just replace it without any interruption, and if we actually do lose data, we just need to restore that disk from backup while everything else stays in place.

Transaction logs should be on a mirrored volume, RAID 1 at least (depending on what you can afford). Database files should be on RAID 5 or RAID 10 (depending on what you can afford).
Think about if you are using physical disks in the server or are you using virtual disks on a SAN ?
The MS Exchange team have created an "Exchange 2010 Mailbox Server Role Requirements Calculator"; it's a spreadsheet that can help you calculate how much disk space you need. Whatever answer you get, always add some more; no doubt you'll need it some day.
Exchange standard supports 5 databases. (small medium businesses)
Enterprise supports 100 databases. (enterprise)
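A script that checks every mailbox database against the layout rules on this page (EDB and logs on different volumes, nothing on the system partition, circular logging state) and warns when the volume holding either is getting close to the point at which Exchange stops delivering to the database, as an added example that is not from the original post. The 5 GB warning threshold is an assumption, as is the system drive being C:, and the helper only understands drive-letter paths (not mount points).

```powershell
# Added example (not from the original post): mailbox database disk-layout and free-space check.
$warnFreeGB = 5     # assumed threshold; Exchange itself stops delivery at 1 GB per the notes
$systemDrive = 'C:' # assumed

function Get-VolumeFree {
    param([string]$Computer, [string]$Path)
    # Drive letter of the path, e.g. "D:" from D:\Exchange\DB01\DB01.edb (drive letters only, no mount points)
    $drive = ([System.IO.Path]::GetPathRoot($Path)).TrimEnd('\')
    $disk = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $Computer -Filter "DeviceID='$drive'"
    New-Object PSObject -Property @{
        Drive  = $drive
        FreeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    }
}

# -Status is needed to populate Mounted and DatabaseSize.
foreach ($db in Get-MailboxDatabase -Status) {
    $server = $db.Server.Name
    $edb    = $db.EdbFilePath.PathName
    $log    = $db.LogFolderPath.PathName
    $edbVol = Get-VolumeFree $server $edb
    $logVol = Get-VolumeFree $server $log

    "{0} on {1}: mounted={2} size={3} circularLogging={4}" -f $db.Name, $server, $db.Mounted, $db.DatabaseSize, $db.CircularLoggingEnabled
    "   EDB  {0} ({1} GB free on {2})" -f $edb, $edbVol.FreeGB, $edbVol.Drive
    "   Logs {0} ({1} GB free on {2})" -f $log, $logVol.FreeGB, $logVol.Drive

    # Rule 1: database and logs on different disks, so one failure does not take both.
    if ($edbVol.Drive -eq $logVol.Drive) {
        Write-Warning "$($db.Name): database and transaction logs share volume $($edbVol.Drive)"
    }
    # Rule 2: neither on the system partition.
    if ($edbVol.Drive -eq $systemDrive -or $logVol.Drive -eq $systemDrive) {
        Write-Warning "$($db.Name): database or logs are on the system partition $systemDrive"
    }
    # Rule 3: free space. Logs grow 1 MB at a time all day; a full log volume dismounts the database.
    foreach ($v in @($edbVol, $logVol)) {
        if ($v.FreeGB -lt $warnFreeGB) {
            Write-Warning "$($db.Name): only $($v.FreeGB) GB free on $($v.Drive)"
        }
    }
    # Circular logging trades point-in-time recovery for space; it should be a deliberate choice.
    if ($db.CircularLoggingEnabled) {
        Write-Warning "$($db.Name): circular logging is on, so logs since the last backup cannot be replayed"
    }
}
```

Schedule it alongside the backup job: the free-space warning fires well before the 1 GB point the notes describe, and the circular-logging warning catches a setting that quietly undoes the "restore the disk from backup and replay everything else" recovery story above.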
