Pardon my ignorance, but I've looked everywhere for Exchange '101'. Everywhere I look starts off with upgrading and existing situations...
I have a small office (10 ppl) that currently just has an application server. I would like to implement a domain controller and also have exchange server setup.
Do I need both a front-end (in the DMZ) exchange server and a back-end exchange server? I'm assuming it doesn't make sense (security-wise) to have exchange on the same server as the active directory if it needs to be in the DMZ.
What are the steps to establishing a brand new Exchange server? I have a domain, and I believe that I just need to create an MX record that points to the static IP of my Exchange server, right?
I've tried to do my homework on the web, but I haven't found anything that explains it from the ground up.
Can anyone help? Thanks
I appreciate your response. I should have mentioned that I looked at SBS, but decided that full blown Server 2003 would be better in the long run. The office plans on expanding to other locations in the near future and SBS Domain Controller won't support multiple domains. I would end up having to upgrade down the road.
If SBS will not suit, then what I would suggest is that you get yourself a good consultant type guy to help you walk through all the steps. You don't necessarily need him to do the work, if you feel confident in your abilities to follow directions, but he can help you keep on the straight and narrow and get the job done with the minimum of fuss.
Of course, you can just hire someone to do it all, but if they do, make sure they document it well for you, and do leave you room to expand as you explain in your other reply.
Do you need to go multi-domain if you go multisite? You can easily have 1 domain across all your sites. This was one of the big advantages of going from NT to W2K AD, so unless there is a real requirement for multiple domains, don't bother, as it is a much bigger headache than you need. In which case you are back to SBS, and yes, in an SBS domain you can have multiple DCs, just only 1 FSMO (operations master, schema master, global catalogue server), which of course is your SBS server.
First off, you have to consider all the limitations of SBS: not only is it limited to 1 domain, it is also limited to 75 users. I can see, if the company is growing fast, where this could be a complicated resolution given the current scale.
First I would get your domain set up and architected out the way you want it. This would include all the DNS records that are needed at this point, as well as your DHCP.
Next I would look at whether you are going to run ISA server as well. If so, install that and your SQL solution, and then install Exchange. I know this is the security issue that you initially brought up, but since this is all you have to work with, I would also suggest that you have a hardware firewall in place to restrict traffic to everything except 25 and 110, or whatever your inbound traffic needs are. Also, I would do a finger test on those ports so they do not report back what is there; this will also help cut down on hackers.
Exchange Server Deployment Guide
http://www.microsoft.com/technet/prodtechnol/exchange/Guides/Ex2k3DepGuide/fa02f087-7fe7-4eb7-b859-12632d762f9e.mspx?mfr=true
Security for Exchange
http://www.microsoft.com/technet/prodtechnol/exchange/2003/security.mspx
No, you don't need both a front-end and back-end Exchange machine. Those are configurations for really big or really secure companies with lots of money.
You can first implement the domain controller, then run ADPREP (adds Exchange objects to the AD schema) and install the Exchange server on one machine to save hardware money. Buy a fast CPU, plenty of memory and relatively fast disks though.
However, I do suggest you look at prices first. For 10 people your initial cost could well exceed $2000 per person if you go full-blown "we are going to be a huge company any minute now" instead of $320 per person for SBS.
There is a conversion package for moving from Small Business Server to full blown servers when you are ready. They even let you use the licenses from SBS toward your new network setup. It is called Windows Small Business Server 2003 R2 Transition Pack. SBS software gives it all to you for $1200.
http://www.microsoft.com/WindowsServer2003/sbs/techinfo/planning/transition.mspx
Lesson in economics --
Summary:
Software: SBS $1200 vs $10000-$12000 for 10-20 people. Hardware $2K-$4k for SBS versus up to $10K-$16K
(1) Windows 2003 will be "obsolete" by the time you are likely to need more than one domain. Longhorn servers will have been out long enough to shake the bugs off. Wouldn't you really like an excuse to convert? Grin
(2) Given the fact that most companies cannot sustain growth faster than doubling in size every 6 months without falling apart...it will be at least 18 months before you need to transition to multiple domains and full blown Windows 2003 servers.
This is good. You get a chance to learn what you are doing with all the servers like Exchange, WSUS and ISA cheaply. And if you really find you need it, you can add full-fledged Windows 2003 Domain Controllers at remote sites in between.
(3) Every separate server needs a copy of Windows 2003 server (or Longhorn) at $1000 (Standard) to $2000 (Advanced), plus the application server software: Exchange 2003 ($2000), SQL 2005 ($2000), ISA ($1000), Terminal Server ($1000) etc. PLUS you need client licenses (CALs) for domain use, $15-$25 each, and for each server: Exchange $25-$40, SQL $50-$70 etc. These prices depend on any discounts your company earns via volume purchases. Don't count on getting even these prices until you have 200 employees or more. So SBS really is a great deal while you can use it.
Actually, it doesn't matter if you create an MX record on your Windows AD domain or not. All the internal Windows DNS records will get set up automatically unless something goes wrong during setup.
But you do need to register an Internet domain with one of many official registrars:
http://www.networksolutions.com/domain-name-registration/index.jsp
http://www.register.com/retail/index.rcmx
To do so you need your Internet Service Provider (or another Internet DNS provider) to agree to add an entire set of domain records for your new domain. This includes an MX record, an A host record and a reverse DNS record for your mail server. Reverse DNS is becoming a minimum security measure for larger email servers to accept your email as not being SPAM: not universal, but frequent. There are other DNS records along that line that you can discuss with your ISP if you have problems, but they are very new. Other domain records will include a minimum of two NS records for the Internet name servers (DNS) that hold these records. A small ISP might not be able to provide this.
You may want to think about a website A record and a Verisign or Thawte certificate for activating your web server. Exchange Outlook Web Access can be nice for travelling business types but you'll want to insist on SSL to encrypt those account logons and email. (Basic logons in cleartext are fine for logon if SSL is already active.) Plus you can be designing that business website with SSL encryption and authentication. Clue: don't name your Outlook Web Access site www or mail as that will attract additional attention of crackers. If your users can remember the IP address of OWA that would let it go unlisted in DNS.
If you want to worry about the first separate servers, I suggest you look at 2003 Web Server if you host your own publicly visible web server, for Denial of Service and security reasons. Plus 2003 Web Server is very cheap, in the $600-$800 range (try CDW.com as a reseller to beat the price).
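The post above lists the public records a mail domain needs (MX, an A record for the mail host, reverse DNS, and at least two NS records). The script below is an added example, not code from the thread or from any poster, that audits those records and also verifies forward-confirmed reverse DNS (the PTR name must resolve back to the same address), which is the check receiving mail servers actually apply. The resolver is injected as a callable so the check runs offline against a constructed zone table; to audit a live domain, supply a function that issues real queries (for instance with dnspython's dns.resolver). All names and addresses are constructed placeholders.

```python
"""Audit the public DNS records a mail domain needs: NS, MX, A and PTR (FCrDNS).

Added example; not part of the original thread. `resolve(name, rrtype)` is an
injected callable returning a list of record data strings, so the logic can be
exercised offline against a static zone table.
"""
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]  # (owner name, rrtype) -> record data


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def audit_mail_domain(domain: str, resolve: Resolver) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    ns = resolve(domain, "NS")
    if len(ns) < 2:
        findings.append(f"{domain}: fewer than two NS records ({len(ns)})")

    mx_hosts = resolve(domain, "MX")
    if not mx_hosts:
        findings.append(f"{domain}: no MX record, inbound mail has nowhere to go")

    for host in mx_hosts:
        addrs = resolve(host, "A")
        if not addrs:
            findings.append(f"{host}: MX target has no A record")
            continue
        for ip in addrs:
            ptrs = resolve(reverse_name(ip), "PTR")
            if not ptrs:
                findings.append(f"{ip}: no reverse DNS (PTR) for MX host {host}")
                continue
            # Forward-confirmed reverse DNS: some PTR name must resolve back to ip.
            if not any(ip in resolve(ptr, "A") for ptr in ptrs):
                findings.append(f"{ip}: PTR {ptrs} does not resolve back to {ip}")
    return findings


# Constructed sample zone (documentation addresses, placeholder names).
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.test", "NS"): ["ns1.isp.test", "ns2.isp.test"],
    ("example.test", "MX"): ["mail.example.test"],
    ("mail.example.test", "A"): ["192.0.2.25"],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.test"],
}

# Same zone with the two problems a small ISP most often leaves behind:
# a single name server and no reverse record for the mail host.
BROKEN_ZONE = dict(SAMPLE_ZONE)
BROKEN_ZONE[("example.test", "NS")] = ["ns1.isp.test"]
del BROKEN_ZONE[("25.2.0.192.in-addr.arpa", "PTR")]


def lookup_in(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Make a resolver closure over a static zone table (offline stand-in)."""
    return lambda name, rrtype: zone.get((name, rrtype), [])


if __name__ == "__main__":
    for label, zone in (("good zone", SAMPLE_ZONE), ("broken zone", BROKEN_ZONE)):
        print(label, audit_mail_domain("example.test", lookup_in(zone)) or "OK")
```

Run it as-is to see the constructed good zone pass and the broken zone report the missing second NS and the missing PTR; swapping `lookup_in(...)` for a real resolver turns it into a pre-flight check to run before asking the ISP to publish the records.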
Hi
Your situation is very similar to ours.
We have used W2K3 Server (not SBS), on top of that MSES 2K3. No front-end, back-end stuff, and despite our best efforts no RPC over HTTP. For external access it's OWA. You can get a free SSL certificate from this Israeli company; I forget their name. For the certificate procedures and all the other goodies on MSES, the best site is www.msexchange.org. There are a couple of writers (like Henrik Walther and Lee Derbyshire) who have a ton of very good information, tips, and procedures.
Antivirus MSES Protection is provided by Trend Micro's suite. I am testing GFI's MailEssentials and find it a great value proposition.
This is all protected by a Fortinet Firewall+IPS. We are using an FG60 with no problems up to 20 users, but then we operate on a 256K DSL connection. You can use an FG100 if you like.
The installation is pretty straight forward not much rocket science, but man, is it time consuming.
Install W2K3
Set up DNS
Set up Active Directory
Set up Application Server (installs IIS)
You need to activate a few additional things. My sysadmin is not here right now, but if you want to PM me I can get the details
Install MSES 2K3
You will need to set up and configure the default SMTP Server (of IIS). **Do not screw around with IIS and the Exchange Directories without documents and procedures from msexchange.org**
If you want to use a POP server on your ISP and download, GFI MailEssentials is essential (sorry for the pun).
For all this, I recommend a server with at least 2GB RAM. Ideally run a RAID config for your data. You can have 2 hard-disks mirrored for your OS partition.
Try to put Exchange and its directories on the data drives, otherwise you will overload your system eventually.
Hope this helps.
Regards
Devesh
From a security perspective if you want to support OWA access from the Internet then you should install a reverse proxy to protect your Exchange server (which would sit on your internal network integrated with AD). ISA 2006 is supposed to be effective and affordable but there are other reverse proxies that will work depending upon your requirements.
If you do not need OWA access but simply e-mail accessible from internal clients then you could get away with using an external service (like Postini which for your size is resold through VARs) and lock down SMTP access to their source IP range only on your firewall.
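The second option above, an external filtering service with SMTP on the firewall locked to that service's source range, is only as good as the rule that enforces it. The script below is an added example, not code from the thread or from any poster, that takes the published source ranges (constructed placeholder ranges here, not the real ones of any vendor) and scans firewall accept-log lines for port 25 connections that came from anywhere else, which is exactly what a misconfigured or stale rule lets through. The log format is a simple `src= dst= dport=` layout constructed for the example; adapt the regular expression to the firewall in use.

```python
"""Flag accepted inbound SMTP connections that did not originate from the
filtering service's published source ranges.

Added example; not part of the original thread. Ranges, addresses and log lines
are constructed placeholders (RFC 5737 documentation space), not a real vendor's.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed allowlist standing in for the filtering service's published ranges.
ALLOWED_SMTP_SOURCES = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")
]

# Constructed log layout: "... src=<ip> dst=<ip> dport=<n> action=<verb>".
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def is_allowed_source(ip: str) -> bool:
    """True if ip falls inside one of the allowlisted networks (raises on garbage)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SMTP_SOURCES)


def unexpected_smtp_sources(log_lines: List[str], smtp_port: int = 25) -> List[Tuple[str, str]]:
    """Return (source, line) pairs for SMTP connections from outside the allowlist."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or int(m.group("dport")) != smtp_port:
            continue  # not an SMTP connection, or a line we cannot parse
        src = m.group("src")
        try:
            allowed = is_allowed_source(src)
        except ValueError:
            allowed = False  # an unparsable source field is itself worth a look
        if not allowed:
            hits.append((src, line))
    return hits


# Constructed sample firewall log; the second line is the one that should fire
# (198.51.100.200 is outside the 198.51.100.0/25 range).
SAMPLE_LOG = [
    "2007-03-01 10:01:02 fw: src=192.0.2.17 dst=203.0.113.5 dport=25 action=accept",
    "2007-03-01 10:01:09 fw: src=198.51.100.200 dst=203.0.113.5 dport=25 action=accept",
    "2007-03-01 10:02:15 fw: src=203.0.113.77 dst=203.0.113.5 dport=443 action=accept",
    "2007-03-01 10:03:40 fw: src=198.51.100.9 dst=203.0.113.5 dport=25 action=accept",
]


if __name__ == "__main__":
    for src, line in unexpected_smtp_sources(SAMPLE_LOG):
        print(f"SMTP from non-allowlisted source {src}: {line}")
```

Run on a day's accept log, an empty result confirms the firewall rule matches the allowlist; any hit means either the rule is wider than intended or the service's ranges have changed and the rule needs updating.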