Create Domain and new exchange server

Tags:
DataCenter
Desktops
Exchange security
Firewalls
Forensics
Hardware
Incident response
Intrusion management
Management
Microsoft Exchange
Microsoft Windows
Network security
Networking
OS
Security
Servers
SQL Server
VPN
Wireless
Pardon my ignorance, but I've looked everywhere for Exchange '101'. Everywhere I look starts off with upgrading and existing situations... I have a small office (10 ppl) that currently just has an application server. I would like to implement a domain controller and also have exchange server setup. Do I need both a front-end (in the DMZ) exchange server and a back-end exchange server? I'm assuming it doesn't make sense (security-wise) to have exchange on the same server as the active directory if it needs to be in the DMZ. What are the steps to establishing a brand new Exchange server? I have a domain, and I believe that I just need to create an MX record that points to the static IP of my Exchange server, right? I've tried to do my homework on the web, but I haven't found anything that explains it from the ground up. Can anyone help? Thanks

Answer Wiki


I’d look into buying Small Business Server 2003. It comes with Exchange, and you only need one, so your mail problems are partially solved. It’s probably the best all around solution I can think of for your situation. You’ll need to read up on creating a domain and things of that nature on your own. I suggest getting a copy of the software and experiment (without activating) on a couple of old PC’s at home. Once you feel comfortable with it, take it to the office and knock it out. You don’t want to play mad scientist with 10 angry users.

Discuss This Question: 10  Replies

 
  • BandHSolutions
    I appreciate your response. I should have mentioned that I looked at SBS, but decided that full blown Server 2003 would be better in the long run. The office plans on expanding to other locations in the near future and SBS Domain Controller won't support multiple domains. I would end up having to upgrade down the road.
  • Stevesz
    If SBS will not suit, then what I would suggest is that you get yourself a good consultant type guy to help you walk through all the steps. You don't necessarily need him to do the work, if you feel confident in your abilities to follow directions, but he can help you keep on the straight and narrow and get the job done with the minimum of fuss. Of course, you can just hire someone to do it all, but if they do, make sure they document it well for you, and do leave you room to expand as you explain in your other reply.
  • IrishHairyman
    Do you need to go multi-domain if you go multisite? You can easily have 1 domain across all your sites. This was one of the big advantages of going from NT to W2K AD, so unless there is a real requirement for multiple domains don't bother, as it is a much bigger headache than you need. In which case you are back to SBS, and yes in an SBS domain you can have multiple DC's, just only 1 FSMO (operations master, schema master, global catalogue server) which of course is your SBS server.
  • Mharrall
    First off you have to consider all the limitations of SBS not only is it limited to 1 domain it is also limited to 75 users. I can see if the company is growing fast where this could be a complicated resolution given the current scale. First I would get your domain setup and architected out the way you want it. This would include all the DNS records that are needed at this point, as well if you're DHCP. Next I would look at are you going to run ISA server as well. And if so install that and your SQL solution and then install Exchange I know this is a security issue that you're initially brought up. But since this is all you have to work with I would also suggest that you have a hardware firewall in place to restrict traffic to everything except that of 25 and 110, or whatever your inbound traffic needs are. Also I would do a finger test on those ports so they do not report back as to what is there this will also help cut down on hackers.

    Exchange Server Deployment Guide
    http://www.microsoft.com/technet/prodtechnol/exchange/Guides/Ex2k3DepGuide/fa02f087-7fe7-4eb7-b859-12632d762f9e.mspx?mfr=true

    Security for Exchange
    http://www.microsoft.com/technet/prodtechnol/exchange/2003/security.mspx
  • Mortree
    No you don't need both a front-end and back end Exchange machine. Those are configurations for really big or really secure companies with lots of money. You can first implement the domain controller then run ADPREP (adds Exchange objects to AD scheme) and install the Exchange server on one machine to save hardware money. Buy fast CPU, plenty of memory and relatively fast disks though.

    However I do suggest you look at prices first. For 10 people your initial cost could well exceed $2000 per person if you go full-blown "we are going to be a huge company any minute now" instead of $320 per person for SBS. There is a conversion package for moving from Small Business Server to full blown servers when you are ready. They even let you use the licenses from SBS toward your new network setup. It is called Windows Small Business Server 2003 R2 Transition Pack. SBS software gives it all to you for $1200. (reinsert slashes in link below)
    http://www.microsoft.com/WindowsServer2003/sbs/techinfo/planning/transition.mspx

    Lesson in economics -- Summary: Software: SBS $1200 vs $10000-$12000 for 10-20 people. Hardware $2K-$4k for SBS versus up to $10K-$16K

    (1) Windows 2003 will be "obsolete" by the time you are likely to need more than one domain. Longhorn servers will have been out long enough to shake the bugs off. Wouldn't you really like an excuse to convert? Grin

    (2) Given the fact that most companies cannot sustain growth faster than doubling in size every 6 months without falling apart...it will be at least 18 months before you need to transition to multiple domains and full blown Windows 2003 servers. This is good. You get a chance to learn what you are doing with all the servers like Exchange, WSUS and ISA cheaply. And if you really find you need it, you can add full fledged Windows 2003 Domain Controllers at remote sites in between.

    (3) Every separate server needs a copy of Windows 2003 server (or Longhorn) at $1000 (Standard) to $2000 (Advanced) -- plus the application server software Exchange 2003 ($2000) SQL 2005 ($2000) ISA ($1000) Terminal Server ($1000) etc. PLUS you need client licenses (CALs) for domain use $15-$25 each and for each server Exchange $25-$40, SQL $50-$70 etc. These prices depend on any discounts your company earns via volume purchases. Don't count on getting even these prices until you have 200 employees or more. So SBS really is a great deal while you can use it.
  • Mortree
    Actually it doesn't matter if you create an MX record on your Windows AD domain or not. All the internal Windows DNS records will get set up automatically unless something goes wrong during setup. But you do need to register an Internet domain with one of many official registers
    http://www.networksolutions.com/domain-name-registration/index.jsp
    http://www.register.com/retail/index.rcmx

    To do so you need your Internet Service Provider (or another Internet DNS provider) to agree to add an entire set of domain records for your new domain. This includes an MX record, an A host record and reverse DNS record for your mail server. Reverse DNS is becoming a minimum security measure for larger email servers to accept your email as not being SPAM - not universal but frequent. There are other DNS records along that line that you can discuss with your ISP if you have problems, but they are very new. Other domain records will include a minimum of two NS records for Internet name servers (DNS) that have these records. A small ISP might not be able to provide this.

    You may want to think about a website A record and a Verisign or Thawte certificate for activating your web server. Exchange Outlook Web Access can be nice for travelling business types but you'll want to insist on SSL to encrypt those account logons and email. (Basic logons in cleartext are fine for logon if SSL is already active.) Plus you can be designing that business website with SSL encryption and authentication. Clue: don't name your Outlook Web Access site www or mail as that will attract additional attention of crackers. If your users can remember the IP address of OWA that would let it go unlisted in DNS.

    If you want to worry about first separate servers, I suggest you look at 2003 Web server if you host your own publicly visible webserver -- for Denial of Service and security reasons. Plus 2003 Web Server is very cheap $600-$800 range (try CDW.com as reseller to beat price on).
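The public record set listed in the reply above (at least two NS records, an MX, an A host record and matching reverse DNS) can be checked mechanically before mail goes live. This is an added example, not part of the original thread; the zone data, the example.com names and the 203.0.113.25 address are constructed placeholders, and the CNAME check (RFC 2181) goes slightly beyond what the reply mentions.

```python
import ipaddress

# Constructed sample zone data (documentation names and addresses, not real hosts).
RECORDS = [
    ("example.com.", "NS", "ns1.isp.example."),
    ("example.com.", "NS", "ns2.isp.example."),
    ("example.com.", "MX", "10 mx1.example.com."),
    ("mx1.example.com.", "A", "203.0.113.25"),
    ("25.113.0.203.in-addr.arpa.", "PTR", "mx1.example.com."),
]

def lookup(records, name, rtype):
    """Return all values of the given type for a name (case-insensitive)."""
    return [v for n, t, v in records if n.lower() == name.lower() and t == rtype]

def audit_mail_dns(records, domain):
    """Return a list of findings; an empty list means the record set is complete."""
    findings = []
    if len(lookup(records, domain, "NS")) < 2:
        findings.append("fewer than two NS records")
    mx = lookup(records, domain, "MX")
    if not mx:
        findings.append("no MX record")
    for entry in mx:
        host = entry.split()[1]          # "10 mx1.example.com." -> host name
        if lookup(records, host, "CNAME"):
            findings.append(f"{host} is a CNAME; an MX target must not be an alias")
        addrs = lookup(records, host, "A")
        if not addrs:
            findings.append(f"{host} has no A record")
        for addr in addrs:
            # Forward-confirmed reverse DNS: the PTR must name the MX host.
            ptr_name = ipaddress.ip_address(addr).reverse_pointer + "."
            ptrs = lookup(records, ptr_name, "PTR")
            if not ptrs:
                findings.append(f"{addr} has no reverse DNS")
            elif host.lower() not in [p.lower() for p in ptrs]:
                findings.append(f"reverse DNS for {addr} is {ptrs[0]}, not {host}")
    return findings

if __name__ == "__main__":
    print(audit_mail_dns(RECORDS, "example.com.") or "record set complete")
```

A PTR that still carries the ISP's generic host name is the case receiving servers most often penalise, so the mismatch finding matters as much as the missing-record one.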
  • Develish
    Hi

    Your situation is very similar to ours. We have used W2K3 Server (not SBS), on top of that MSES 2K3. No front end, back end stuff, and despite our best efforts no RPC over HTTP. For external access its OWA. You can get a free SSL certificate from this Israeli company. I forget their name. For the certificate procedures and all and other goodies on MSES, the best site is www.msexchange.org. There are a couple of writers (like Henrik Walther and Lee Derbyshire) who have a ton of very good information, tips, and procedures.

    Antivirus MSES Protection is provided by Trend Micro's suite. I am testing GFI's MailEssentials and find it a great value proposition. This is all protected by a Fortinet Firewall+IPS. We are using an FG60 with no problems up to 20 users, but then we operate on a 256K DSL connection. You can use an FG100 if you like.

    The installation is pretty straight forward not much rocket science, but man, is it time consuming.

    Install W2K3
    Set up DNS
    Set up Active Directory
    Set up Application Server (installs IIS)
    You need to activate a few additional things. My sysadmin is not here right now, but if you want to PM me I can get the details
    Install MSES 2K3
    You will need to set up and configure the default SMTP Server (of IIS).

    **Do not screw around with IIS and the Exchange Directories without documents and procedures from msexchange.org**

    If you want to use a POP server on your ISP and download, GFI MailEssentials is essential (sorry for the pun). For all this, I recommend a server with at least 2GB RAM. Ideally run a RAID config for your data. You can have 2 hard-disks mirrored for your OS partition. Try and put exchange and its directories on the data drives, otherwise you will overload your system eventually.

    Hope this helps.

    Regards
    Devesh
  • Stuberman
    From a security perspective if you want to support OWA access from the Internet then you should install a reverse proxy to protect your Exchange server (which would sit on your internal network integrated with AD). ISA 2006 is supposed to be effective and affordable but there are other reverse proxies that will work depending upon your requirements. If you do not need OWA access but simply e-mail accessible from internal clients then you could get away with using an external service (like Postini which for your size is resold through VARs) and lock down SMTP access to their source IP range only on your firewall.
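Two replies in this thread describe the same firewall posture: expose only the inbound ports mail needs, and, when an external filtering service is used, accept SMTP only from that service's source range. The audit below is an added example, not part of the original thread; the rule list is constructed, and 198.51.100.0/24 is a documentation prefix standing in for the provider's published range.

```python
import ipaddress

# Assumed placeholder for the filtering service's published source range.
PROVIDER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Ports the office intends to publish; add 110 or 443 only if POP3 or OWA is really exposed.
ALLOWED_INBOUND_PORTS = {25}

# Constructed inbound rule set: (source CIDR, destination port, action).
RULES = [
    ("198.51.100.0/24", 25, "allow"),
    ("0.0.0.0/0", 25, "allow"),         # SMTP open to the whole Internet
    ("0.0.0.0/0", 3389, "allow"),       # port outside the allowed set
    ("198.51.100.128/25", 25, "allow"), # narrower than the provider range: fine
    ("0.0.0.0/0", 110, "deny"),
]

def audit_inbound(rules, provider_ranges, allowed_ports):
    """Return (rule number, finding) pairs for allow rules that break the policy.

    Rule ordering and shadowing are not modelled; every allow rule is judged alone.
    """
    findings = []
    for idx, (src, port, action) in enumerate(rules, start=1):
        if action != "allow":
            continue
        net = ipaddress.ip_network(src)
        if port not in allowed_ports:
            findings.append((idx, f"port {port} is open but not in the allowed set"))
        elif port == 25 and not any(net.subnet_of(r) for r in provider_ranges):
            findings.append((idx, f"SMTP allowed from {src}, outside the provider range"))
    return findings

if __name__ == "__main__":
    for number, finding in audit_inbound(RULES, PROVIDER_RANGES, ALLOWED_INBOUND_PORTS):
        print(f"rule {number}: {finding}")
```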
