Discovering Exchange 2000 management tools

If you're an experienced Exchange 5.5 administrator, you may find yourself lost when it comes to working with Exchange 2000 management tools. In this Daily Drill Down, Brien Posey shows you the way.

When I upgraded to Exchange 2000 from Exchange 5.5, I expected the various tasks for managing the server to be somewhat similar to what I was doing in Exchange 5.5. However, I found myself lost in a maze of unfamiliar management techniques when I tried to manage my server. My mistake was not taking the time to learn a little about the new interfaces before I installed Exchange. The purpose of this Daily Drill Down is to ensure that you are better prepared than I was. You’ll learn how to perform familiar Exchange Server management tasks in this new environment.

Bait and switch
After installing Exchange 2000, I decided to take a look around. I clicked the Start button and went to Programs | Microsoft Exchange. Noticing the Exchange 5.5 Administrator was still on the menu, I was overjoyed that Microsoft had decided to keep a familiar interface. When I clicked the Exchange 5.5 Administrator option, however, I was asked to select the server I wanted to administer. It didn’t take long to realize that Exchange Administrator doesn’t work with Exchange 2000. Needless to say, it was time to start learning a brand-new interface from square one.

The new interfaces
As with just about anything related to configuration in a Windows 2000 environment, pretty much all of the Exchange 2000 administration is performed through various Microsoft Management Console (MMC) snap-ins, such as the Active Directory Users And Computers snap-in and the System Manager snap-in. Before you can understand the logic behind the way that the Exchange 2000 management interfaces are designed, you need to understand a little about the design philosophy behind Exchange 2000.

One of the primary design initiatives during the Exchange 2000 development was to take advantage of the power of the Windows 2000 Active Directory. As you may recall, in Exchange 5.5, the Exchange mailboxes existed in a totally different database from the Windows NT user accounts. The user accounts existed in the Security Accounts Manager (SAM), while the mailboxes existed in the private information store database. In Exchange 2000, the user accounts and the mailboxes are joined into a single object. In fact, according to many Microsoft publications, mailboxes don’t exist at all in an Exchange 2000 environment. Instead, the standard user accounts are converted to mail-enabled users. The user’s mailbox becomes a part of Active Directory.

To see this concept in action, open the Active Directory Users And Computers console and double-click on a user account to access the user’s properties sheet. As you can see in Figure A, when you install Exchange 2000, Exchange adds several tabs to each user’s properties sheet.

Figure A
Exchange 2000 adds several tabs to the user properties sheet.

As you can see in the figure, the Exchange General tab provides the interfaces for setting a user’s alias, mailbox storage limits, and maximum message size for inbound and outbound messages. You can also use the Delivery Restrictions button on this tab to control who the user’s mailbox will accept messages from. Likewise, you can click the Delivery Options button to access a dialog box that will allow you to control who has permissions to send messages on behalf of the user. This dialog box also allows the user to forward messages to a different e-mail account.

As you might have noticed in the figure, there are two other Exchange-related tabs under a user’s properties sheet. The E-mail Addresses tab lets you view a user’s e-mail addresses and add other addresses if necessary. The Exchange Features tab allows you to determine whether a user is allowed to use various Exchange features. For example, suppose you have the Instant Messaging feature installed on your Exchange Server. You may not want everyone to consume bandwidth by sending messages that aren’t business related. Therefore, you can use the Exchange Features tab to enable Instant Messaging for those who have a legitimate business need for it and to disable Instant Messaging for everyone else.

Working with distribution lists
You can also manage distribution lists through the Active Directory Users And Computers console. If you’ve upgraded from Exchange 5.5, you’ve probably noticed that your existing distribution lists migrated into Exchange 2000, but there’s no obvious place to create new distribution lists. The reason for this is that Exchange 2000 uses global groups and universal groups as distribution lists.

To understand the rationale behind doing this, imagine that you have Exchange 5.5 running on a Windows NT Server. Your server contains a security group that grants everyone in the IT department access to a certain folder. You also have a distribution list for the IT department that contains the same people. Rather than having to maintain two separate, but identical, lists, you can combine Windows groups and Exchange distribution lists into a single entity.

Of course, there are some groups you shouldn’t make available as Exchange distribution lists. For example, if you made the Administrators group into an Exchange distribution list, everyone in the company would instantly be able to tell which users had administrative access to the system. This makes it easy for a hacker to narrow down the list of accounts to try to crack. You may still want to create a distribution list that contains your administrators, but you’d have to call it something else. My point is that you don’t want to clutter the global address list with distribution lists that no one is going to use or that could compromise your network’s security. Because of this, not every Windows 2000 group automatically becomes a distribution list.

Before I show you how to turn a group into a distribution list—or, more precisely, mail-enable a group—you should know a few things. You can mail-enable only global groups and universal groups. You should avoid mail-enabling groups on a whim, however. You’ll need to consider some serious issues when mail-enabling either type of group. Therefore, before you mail-enable any groups, I recommend reading up on the effects of doing so. One source for this information is the Daily Feature ”Understanding Exchange 2000 integration with Windows 2000.”

With that said, mail-enabling a group is simple. Begin by right-clicking on the group you want to mail-enable, and select the Exchange Tasks command from the context menu. When you do, Windows will launch the Exchange Task Wizard. Click the Next button to bypass the Welcome screen. On the next screen, select the Establish An E-mail Address option from the list of available tasks and click the Next button. On the following screen, you’ll have the chance to enter an alias for the group and to select an administrative group for the group you’re mail-enabling. You’ll also see a warning message regarding the group issues I mentioned earlier. Click Next to continue.

At this point, Windows will perform the necessary tasks to mail-enable the group and will display a summary page. Click Finish to close the wizard. Now, open Outlook and look at the global address list. You’ll see that your security group is now also a distribution group, and any messages that you send to the group will be sent to all users in the group.

Working with Exchange System Manager
As you can see, you can configure a number of user- and group-related options under the Active Directory Users And Computers console. A number of Exchange tasks must be performed elsewhere, however. The primary interface for dealing with non-user-related Exchange 2000 configuration issues is Exchange System Manager. You can access Exchange System Manager by clicking Start | Programs | Microsoft Exchange | System Manager.

Exchange System Manager is every bit as complicated as Exchange Administrator was. I can’t discuss adequately all the configuration options in a single article, but I will show you how to perform some common tasks through the new interface.

One of the most important tasks that Exchange administrators face is filtering e-mail messages. Filtering is important because you don’t want your bandwidth congested by people outside the company sending spam to your users. Likewise, you may decide to block files of certain sizes to prevent users from congesting your Internet connection with large file transfers.

In Exchange 2000, you can accomplish these important tasks by navigating through the console tree to organizational root | Global Settings | Message Delivery. Now, right-click on Message Delivery and select Properties from the context menu. When you do, you’ll see the Message Delivery Properties sheet. The properties sheet’s Default tab allows you to place size limits on inbound and outbound messages. These options work exactly the same as they did for individual users—the only difference is that these settings define a global policy.

You can also use the Defaults tab to place a limit on the number of recipients that a single message can go to. For example, the default setting is to limit the number of recipients to 5,000. Unless the president of your company likes to send e-mail messages to every single employee, there’s a good chance that inbound messages with over 5,000 recipients could be electronic junk mail. Worse yet, such a message could be a part of a denial of service attack. Inbound messages going to a large number of recipients can place a strain on your server, so it’s a good idea to filter these messages if for no other reason than performance.

The next tab on the Message Delivery Properties sheet is the Filtering tab, shown in Figure B. As you can see, this tab allows you to weed out messages from users who have previously sent you spam, viruses, and so forth. As with the message size and recipients limitations, the filtering options you set here are applied on a global basis.

Figure B
The Filtering tab allows you to block messages from specific users on a global basis.

This tab also contains a couple of extra features. One option is to filter messages from blank senders. I really like this feature, because I’ve received malicious e-mail from an unknown sender, and such messages can be difficult to filter out. I also really like the option that lets you accept messages without notifying senders that you’re filtering their message. If you enable this option, the senders you have blocked will never know that their messages aren’t getting through. Using this option can also improve network performance because Exchange doesn’t send a nondelivery report back to the sender.

In this Daily Drill Down, I explained that the familiar Exchange Administrator program doesn’t work in Exchange 2000 and that it’s necessary to learn your way around a brand-new interface before you can manage Exchange 2000. I then discussed how to accomplish familiar tasks in Exchange 2000.

Editor's Picks

Free Newsletters, In your Inbox