Harold Wong's Blog with Geekie Thoughts and Insights

Virtualization, Cloud (Private, Public and Hybrid), Unified Communications and Thoughts on Sushi

Exchange Server 2007 Series (Part 12 of 24) Questions and Answers Log (02-28-07)


Ok.  I am SOOOOOOOOOOOOOOOO sorry it took so doggone long for me to get this one (and the next few) Q&A Logs posted!!!!!

Here is Part 12 of 24.  Let me know if you have any questions.

Harold Wong
harold.wong@microsoft.com

Exchange Server 2007 Webcast Series (Part 12 of 24) Questions and Answers Log (02-28-07)


Question: On a 2-node CCR configuration, if the active node dies for a couple of days and the passive node takes over as it is supposed to, when the failed server comes back online and is quickly set to be the active node again, will there be data loss since the node had been offline for a period of time?

Answer: Once the original active node comes back online, it must be synchronized before it can be made the active node.


Question: Is there a way to present two different GALs and OABs to users in the same Org and forest, but are in two separate child domains?

Answer: Yes.  You would need to create multiple Custom Address Lists and expose the appropriate List to the appropriate users.


Question: What is the mail routing path for POP, IMAP, OWA, EAS, and Outlook RPC/HTTP, both when these clients are used on an internal network and externally (both inbound and outbound)?

Answer: CAS handles all of those clients. Remember that routing of e-mail is performed by the Hub Transport server.  If the Edge Transport server role is deployed, then external email will be routed from the Hub Transport to the Edge Transport for Internet delivery.


Question: Please confirm: Because of ADAM on the Edge Transport server, it can therefore NOT be a full Active Directory DC. Correct?

Answer: Incorrect.  The Edge Transport server can be a Domain Controller as well.  We don’t recommend this configuration though.  Regardless, the Edge Transport server role will still use ADAM for storage of Edge related information, not AD.


Question: If an internal Hub Transport is unavailable, can the Edge store email and then forward it when the HT is available again?

Answer: Yes, the Edge Transport will queue messages for delivery.


Question: Is data synchronized between production AD and ADAM, and if so, how?

Answer: Yes.  This is done via Edge Sync from the Hub Transport server to the Edge Transport server.  http://technet2.microsoft.com/WindowsServer/en/library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx?mfr=true explains ADAM better.


Question: Is the data for ADAM functionality structured as some kind of SQL database?

Answer: More information on ADAM and its database: http://technet2.microsoft.com/WindowsServer/en/library/29fb059e-544c-4577-bf7c-ba4b08df48431033.mspx?mfr=true


Question: Why do we need RDP ports?

Answer: You don’t “Need” the RDP ports, but you will need some way to connect to the Edge Transport to manage it.  RDP is just one option.


Question: My question about synchronizing AD and ADAM was specific to Edge Transport. Is this sync set up automatically?

Answer: No, this is not set up automatically upon installing the Edge Transport server.  You must configure the Edge Sync as I showed during the demo.
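The Edge Sync configuration the two answers above refer to (the Hub-to-Edge synchronization from the earlier question, and the manual setup step here), shown as an added Exchange Management Shell example. This is not Harold's demo script or Microsoft's documentation; the file path, AD site name and server names are placeholders I have assumed.

```powershell
# Added example (not from the webcast or this post): create, start and verify an
# Edge Subscription from the Exchange Management Shell. The file path, the AD site
# name and any server names below are assumed placeholders for your environment.

# --- Step 1: on the Edge Transport server, export the subscription file ---
# The XML contains the bootstrap credentials the Hub uses to write into the Edge
# server's ADAM instance, so treat it like a password: copy it to the Hub promptly
# and delete it from both machines once the import succeeds.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"

# --- Step 2: on a Hub Transport server in the AD site that will talk to the Edge ---
# Importing the file creates the Edge Subscription object in AD and, with the two
# switches below, the Send connectors for Internet-bound and inbound mail.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml" `
    -Site "Default-First-Site-Name" `
    -CreateInternetSendConnector $true `
    -CreateInboundSendConnector $true

# --- Step 3: force an initial synchronization instead of waiting for the schedule ---
Start-EdgeSynchronization

# --- Step 4: confirm the Edge server's ADAM copy matches AD ---
# Test-EdgeSynchronization compares the recipient and configuration data on each
# subscribed Edge server against AD and reports a SyncStatus per server.
Test-EdgeSynchronization | Format-List Name, SyncStatus, UtcNow, LastSynchronizedUtc

# Housekeeping: list the subscriptions so a decommissioned Edge server can be
# dropped with Remove-EdgeSubscription; until then it keeps receiving recipient data.
Get-EdgeSubscription | Format-Table Name, Site
```

Step 1 runs on the Edge server and Steps 2 to 4 on the Hub; the subscription file is only accepted for a limited time after it is created, so do the import in the same sitting.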


Question: Sorry for the license question, but is a Forefront license included with Exchange Enterprise?

Answer: No, the Forefront Security for Exchange licenses are not included with Exchange Server Enterprise Edition.  They are included as part of the Exchange Enterprise CAL.


Question: Is MIIS used to sync AD and ADAM?

Answer: If you are referring to the Edge Sync component of Exchange 2007, the answer is no.


Question: What will be the DNS server on the Edge Transport?

Answer: You will want to configure the Edge Transport to use an external DNS for Internet resolution and an internal DNS for internal resolution.  http://technet.microsoft.com/en-us/library/bb124896.aspx.
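The split internal/external DNS configuration the answer recommends, as an added Exchange Management Shell example (not Harold's configuration or Microsoft's reference text). The server name and the two resolver addresses are assumed placeholders.

```powershell
# Added example (not from the webcast): give an Edge Transport server separate
# resolvers for Internet lookups and for internal lookups. EDGE01 and the IP
# addresses are assumed placeholders.

$edge = "EDGE01"

# ExternalDNSServers is consulted only by Send connectors that have
# UseExternalDNSServersEnabled set; InternalDNSServers serves everything else,
# including EdgeSync traffic and delivery to the Hub Transport servers.
# Turning the "adapter" options off stops the transport service from silently
# inheriting whatever resolver the network interface happens to carry.
Set-TransportServer -Identity $edge `
    -ExternalDNSAdapterEnabled $false `
    -ExternalDNSServers 198.51.100.53 `
    -InternalDNSAdapterEnabled $false `
    -InternalDNSServers 10.0.0.10

# The Internet Send connector must opt in to the external list, otherwise MX
# lookups for outbound mail still go to the internal resolver. On a subscribed
# Edge server this connector is managed from the Hub and replicated by EdgeSync,
# so run this part on the Hub Transport server.
Get-SendConnector | Where-Object { $_.AddressSpaces -match "\*" } |
    Set-SendConnector -UseExternalDNSServersEnabled $true

# Verify what the transport service will actually use.
Get-TransportServer -Identity $edge | Format-List *DNS*
```

With this split, the external resolver never learns internal host names and the internal resolver never has to answer Internet MX queries from the DMZ.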


Question: Will this be prone to directory harvesting attacks if it uses ADAM?

Answer: There is always a chance of that.  The Tarpitting feature helps to reduce this type of attack.
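An added example of checking and enabling the tarpitting feature mentioned in the answer, together with the recipient validation it depends on. This is my own Exchange Management Shell snippet, not from the webcast; the 5-second interval is a choice I have assumed, not a value from the session.

```powershell
# Added example (not from the webcast): audit and harden Receive connectors on an
# Edge Transport server against directory harvesting. The 5-second tarpit interval
# is an assumed choice.

# 1. Audit. A connector with TarpitInterval 00:00:00 answers invalid RCPT TO
#    commands instantly, which makes enumerating valid addresses cheap.
Get-ReceiveConnector |
    Select-Object Name, Bindings, TarpitInterval, MaxRecipientsPerMessage, MaxInboundConnectionPerSource

# 2. Restore a delay before the 5.1.1 "recipient not found" response on any
#    connector where it has been zeroed.
Get-ReceiveConnector | Where-Object { $_.TarpitInterval -eq "00:00:00" } |
    Set-ReceiveConnector -TarpitInterval 00:00:05

# 3. Tarpitting only slows an attacker if unknown recipients are actually rejected
#    at the edge. Recipient validation uses the recipient list that EdgeSync
#    replicates into ADAM, so it needs a working Edge Subscription.
Set-RecipientFilterConfig -RecipientValidationEnabled $true
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled, BlockListEnabled

# 4. Confirm the agent that enforces recipient filtering is enabled.
Get-TransportAgent | Where-Object { $_.Identity -eq "Recipient Filter Agent" } |
    Format-List Identity, Enabled
```

The point of step 3 is that without recipient validation the Edge accepts every RCPT TO and the tarpit never triggers; with it, each invalid recipient costs the sender a delay, which is what makes harvesting impractical.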


Question: Are the two interfaces required?

Answer: No, this is not a requirement.  Personally, I prefer this configuration though.


Question: Which gateway should you use, internal or external?

Answer: If you configure your Edge Transport with an Internal and External network interface like I did in the demo, then you would configure the Default Gateway on the External interface.  For the Internal interface, you would define any required routes manually.  Usually, this is not required since the Internal interface only communicates with one or two servers on the “Internal” side of the network.


Question: Could you load an Edge Transport Server on a public DNS server?

Answer: If this is something you want to do, it is technically possible.


Question: Is it possible to use an Edge server in cluster mode for high availability? We use clustering especially for mail queuing; in the case of a single server, mail isn't delivered during maintenance! What's your recommendation?

Answer: The Edge Transport is not cluster aware.  You can use DNS round robin as described in the following article: http://technet.microsoft.com/en-us/library/bb124721.aspx.


Question: If you get a lot of spam, shouldn't storage requirements be a serious planning topic?

Answer: Spam is filtered at the Edge Transport server. It should never get to your mailbox database server.  If you choose to quarantine the spam, then it is sent to a mailbox that resides on your Mailbox server.  However, there are no storage requirements on the Edge Transport itself.


Question: The Edge Transport server serves inbound email traffic only. It cannot be used to serve outbound email traffic. Right?

Answer: That is incorrect.  You can push all Internet bound emails through your Edge Transport server as well.  In fact, when you configure interaction between the Edge Transport and Hub Transport, this is the default communication path for outbound email.


Question: I thought you didn't need AD info to set up the Edge Subscription?

Answer: The Hub Transport must gather its information from AD to synchronize to the Edge Transport server.  The Edge Transport server itself does not directly access AD.


Question: What is the best way to assure resiliency of the edge transport service? For example, would it make most sense to set up two active Edge Transport Servers and use them in a load sharing mode? Or is there some other better means to achieve resiliency?

Answer: DNS round robin, as described at http://technet.microsoft.com/en-us/library/bb124721.aspx, is our recommended method.


Question: Isn't spam stored on the Edge server?

Answer: No.  As I answered previously, the spam is no longer stored on the file system but sent to a Quarantine Mailbox that resides on your Mailbox server.


Question: How is mail flow affected during the Edge Transport subscription process if the Hub was receiving via an MX record and the Edge has a live MX record?

Answer: If your Hub Transport server is not directly exposed to the Internet, then you would no longer have an MX record in DNS that points to the Hub Transport, but that only points to the Edge Transport.  http://technet.microsoft.com/en-us/library/bb125223.aspx has more information on mail flow.


Question: Can't you set up the Edge Subscription via the Exchange PowerShell?

Answer: Remember, anything that you can do from the Exchange Management Console (GUI) can be done from the Exchange Management Shell.


Question: Looking at the address rewriting now, it tells me you can use Edge to serve outbound email traffic, right? So, for such outbound rules, which role is preferred, Edge or Hub?

Answer: The Edge Transport server role is what you want to use.  Please see http://technet.microsoft.com/en-us/library/bb123896.aspx for more info.


Question: Can address rewrites be done for inbound emails as well?

Answer: Yes, you can.  Please see http://technet.microsoft.com/en-us/library/bb123896.aspx for more info.
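Address rewriting on the Edge Transport role, covering both the outbound-only case from the previous question and the inbound case from this one, as an added Exchange Management Shell example (not from the webcast or the linked TechNet article). contoso.local, contoso.com, fabrikam.local and fabrikam.com are assumed placeholder domains.

```powershell
# Added example (not from the webcast): outbound-only and bidirectional address
# rewriting on an Edge Transport server. All domain names are assumed placeholders.

# The rewriting agents ship with the Edge role but are not enabled by default.
Enable-TransportAgent -Identity "Address Rewriting Inbound Agent"
Enable-TransportAgent -Identity "Address Rewriting Outbound Agent"

# Outbound-only: mail leaving as user@contoso.local appears as user@contoso.com,
# and nothing is rewritten on the way in.
New-AddressRewriteEntry -Name "contoso.local to contoso.com (outbound)" `
    -InternalAddress contoso.local `
    -ExternalAddress contoso.com `
    -OutboundOnly $true

# Bidirectional: inbound mail for user@fabrikam.com is rewritten to
# user@fabrikam.local before it is handed to the Hub Transport, and outbound mail
# is rewritten the other way. OutboundOnly $false is what makes it inbound as well.
New-AddressRewriteEntry -Name "fabrikam.local <-> fabrikam.com" `
    -InternalAddress fabrikam.local `
    -ExternalAddress fabrikam.com `
    -OutboundOnly $false

# A wildcard covers every subdomain at once, with named exceptions. Wildcard
# entries must be outbound-only, since the original subdomain cannot be recovered
# from the rewritten address on the way back in.
New-AddressRewriteEntry -Name "all contoso subdomains" `
    -InternalAddress *.contoso.local `
    -ExternalAddress contoso.com `
    -ExceptionList legal.contoso.local `
    -OutboundOnly $true

# Review the complete table before letting production mail through it.
Get-AddressRewriteEntry | Format-Table Name, InternalAddress, ExternalAddress, OutboundOnly
```

One caveat that connects to the spoofing-filter question later in this log: because the external domain is placed in the envelope sender, any downstream filter that checks which hosts may send for contoso.com has to know the Edge server's address, otherwise legitimately rewritten mail looks forged to it.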


Question: Can Anti-Spam and Antivirus Functionality be used also on Hub Transport Server or do we need Edge Server?

Answer: Yes, you can.  Keep in mind that not all of the Anti-Spam capabilities that are available on the Edge Transport are exposed on the Hub Transport.


Question: If I install the Edge Transport server, do I have to pay for an Antivirus license besides Ex2007?

Answer: When you install the Edge Transport server, the Forefront Security for Exchange (Anti-Virus) product is not automatically installed.  You must still license this separately from Exchange itself.  However, if you purchase the Exchange Enterprise CAL (nothing to do with the edition of the Exchange Server), you do get the License to use Forefront Security for Exchange.


Question: What about optical spam? In email, is there filtering for that?

Answer: If you are referring to image spam, then no, we don’t have anything that specifically targets this currently.  We are working on a solution for this though.


Question: Is "Address Rewriting" going to pose a problem with spoofing filters on NON-MICROSOFT-MAIL Filtering?

Answer: It depends on where these spoofing filters sit within the mail flow architecture as well as how you implement them.  Usually, this is not an issue.


Question: Can the edge server exist on a DC in the DMZ?

Answer: Yes, but it is not recommended.


Question: You can install the intelligent message filter which includes Anti-Spam on a Hub Transport Server if you are not using Edge, correct?

Answer: Yes.


Question: Harold previously said that you could install Anti-Spam and Anti-Virus on a server with the Mailbox role.

Answer: That is correct – I did say that.  However, this is not a “Recommended” configuration any longer, but absolutely supported.


Question: Sorry, I hope this isn't a stupid question, but is it going to be a requirement then of Exchange 2007 that you are going to require more than one server? How do you guys plan to mitigate the cost of hardware and licensing for the SMB segment in that case?

Answer: Please keep in mind that the Edge Transport server is not required. You can still run the other 4 roles on one server. So if cost is an issue, you can run one Exchange server in your environment. You just won’t deploy an Edge Transport server.  The next SBS version that includes Exchange 2007 is still about a year away.


Question: Where do we find the link for the registration of Exch 07 to the Security Configuration Wizard?

Answer: Here's what I used - scwcmd register /kbname:Ex2007EdgeKB /kbfile:"%programfiles%\Microsoft\Exchange Server\Scripts\Exchange2007Edge.xml".


Question: Do you know if they will be modifying the security config wizard to include the new exchange server roles?

Answer: I’m not sure, but I would assume it would as they update the tool.


Question: Is there a list of Anti-Spam technologies used by the Edge Server somewhere?

Answer: http://technet.microsoft.com/en-us/library/aa996604.aspx.


Question: Without an Edge Transport server, can one Ex 2007 server host email for two domain names, such as @a.com and @b.com?

Answer: http://technet.microsoft.com/en-us/library/aa998597.aspx explains how to do that.
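The two-domain setup from the question, carried out in the Exchange Management Shell as an added example (not from the linked article or the webcast). The domain names a.com and b.com come from the question; the Company attribute used to decide which users get which address is an assumption of mine.

```powershell
# Added example (not from the webcast): host @a.com and @b.com on one Exchange 2007
# server, no Edge role required. Splitting users by the Company attribute is an
# assumed choice; any other email address policy condition works the same way.

# 1. Declare both domains as authoritative so the server accepts mail for them.
New-AcceptedDomain -Name "a.com" -DomainName a.com -DomainType Authoritative
New-AcceptedDomain -Name "b.com" -DomainName b.com -DomainType Authoritative

# 2. Stamp the right primary SMTP address on each group of users. %m is the alias.
#    Lower Priority numbers are evaluated first, so a user matching both policies
#    gets the higher-priority one.
New-EmailAddressPolicy -Name "b.com users" `
    -IncludedRecipients MailboxUsers `
    -ConditionalCompany "B Corp" `
    -EnabledEmailAddressTemplates "SMTP:%m@b.com" `
    -Priority 1

New-EmailAddressPolicy -Name "a.com users" `
    -IncludedRecipients MailboxUsers `
    -ConditionalCompany "A Corp" `
    -EnabledEmailAddressTemplates "SMTP:%m@a.com" `
    -Priority 2

# 3. Apply the policies to recipients that already exist.
Update-EmailAddressPolicy -Identity "b.com users"
Update-EmailAddressPolicy -Identity "a.com users"

# 4. Verify the result.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType, Default
Get-EmailAddressPolicy | Format-Table Name, Priority, EnabledPrimarySMTPAddressTemplate
```

Step 1 is what makes the server stop rejecting mail for the second domain; step 2 is what makes users send from it.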


Question: Are there any new commands in the Ex2k7 ESMTP command set that did not exist in the Ex2k3 ESMTP command set? (I'm not finding this on MSDN.) thanks

Answer: Not that I’m aware of.


Question: So, regarding non-MAPI clients, from a routing point of view, will mail/client first hit the Hub Transport, then CAS, then Mailbox server internally, and externally Edge Transport, Hub Transport, CAS, Mailbox?

Answer: In terms of client connectivity, non-MAPI clients will connect to the Client Access server role to retrieve / read emails. POP3 and IMAP clients will also need to connect to an SMTP server to send emails. This is a scenario where they will need to communicate either with the Hub Transport (if they are internal clients) or Edge Transport (for external clients). MAPI clients will connect to the Mailbox server role directly to retrieve and send emails. Please don't confuse client connectivity with email routing within your Exchange architecture.


Question: Hi, will external email encryption be covered in a later session? thanks

Answer: Unfortunately, that is not one of the future parts of this series.


Question: From the Default SMTP Virtual Server properties, click the Delivery tab, then Advanced; under FQDN, do you still suggest to use external DNS to high Exchange 2003 or 2007 name?

Answer: Yes, I would.


Question: When I define multiple gateways (one for each NIC), Windows complains that I should only use one instead of both.

Answer: That is correct. You should only have one Default Gateway configured for all NICs. My Edge Transport Server was hosed and I had to rush to get it up and running before the webcast today. I did not mean to implement the Default Gateway address on my Internal connection. Sorry for that.
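An added check for the dual-homed Edge configuration discussed in the gateway question earlier and corrected here: it reports every NIC carrying a default gateway, and shows the manual static route that replaces the gateway on the internal interface. This is my own snippet, not from the webcast; the internal subnet and inside router addresses are assumed placeholders.

```powershell
# Added example (not from the webcast): on a dual-homed Edge Transport server,
# find the "default gateway on more than one NIC" misconfiguration and replace
# the internal one with a static route. 10.0.0.0/24 is the assumed subnet the Hub
# Transport servers live on and 10.1.1.1 the assumed inside router.

# Every IP-enabled adapter that carries a default gateway; more than one is wrong.
$withGateway = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DefaultIPGateway })

$withGateway | Format-Table Description, IPAddress, DefaultIPGateway

if ($withGateway.Count -gt 1) {
    Write-Warning "More than one default gateway is configured; keep it only on the external NIC."
}

# Instead of a gateway on the internal NIC, add a persistent (-p) route for the
# internal subnet via the inside router. This is the manually defined route the
# earlier answer refers to, and it survives a reboot.
route -p add 10.0.0.0 mask 255.255.255.0 10.1.1.1

# Confirm: exactly one 0.0.0.0 entry (the external gateway) plus the specific route.
route print
```

Leaving two default gateways in place does not just produce the Windows warning; the server may pick the internal gateway for Internet-bound SMTP and outbound mail silently stops, which is why the check is worth running before the Edge goes live.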


Question: Are there any default content filters to use, or do you have to fill them out from scratch?

Answer: We do not provide any default filters.


Question: Command to show the Edge Transport in the security configuration wizard?

Answer: Here's what I used - scwcmd register /kbname:Ex2007EdgeKB /kbfile:"%programfiles%\Microsoft\Exchange Server\Scripts\Exchange2007Edge.xml".
