
Mastering Microsoft Exchange Server 2003, part 9


Figure 16.38: Entering information required to locate an Exchange server-based mailbox

Don't click Next. First, click More Settings to open the dialog box shown in Figure 16.39. Tab over to the Connection property page. This is where you set up ROH. Don't worry about the offline stuff at the top of this dialog box. Select Connect to My Exchange Mailbox Using HTTP. Then click the Exchange Proxy Settings button to open the Exchange Proxy Settings dialog box, shown in Figure 16.40. If you're using an ROH front-end server, enter the fully-qualified domain name of the server; if not, enter the fully-qualified name of the Exchange server your mailbox resides on. I'm using EXCHANGE02 as my ROH front-end server, so I've entered its fully-qualified domain name. Next, select Mutually Authenticate the Session When Connecting With SSL to assure the highest level of security. Then, in the Principal Name for Proxy Server field, enter the name of your ROH front-end server or the server that contains your mailbox if you're not using a front-end server. Be sure to prefix the server name with msstd:, as in Figure 16.40. I'm using the internal Windows 2003 domain names of my ROH front-end server, because I'm doing this test not on the Internet but within my local area network.

Figure 16.39: Setting Outlook 2003 to connect to Exchange server using ROH

RPC Over HTTP


Figure 16.40: Setting parameters required to connect Outlook 2003 to Exchange server using ROH

Next, select Connect Using HTTP First, Then Connect Using My Local Area Network (LAN). This ensures that your Outlook 2003 client always tries to connect using HTTP. If an attempt to connect using HTTP fails, the client reverts to an RPC over TCP/IP-based connection. Finally, select Basic Authentication in the Proxy Authentication Settings area of the Exchange Proxy Settings dialog box. OK your way out of the two dialog boxes you opened.

You should now be back in the Exchange Server Settings wizard page shown earlier in Figure 16.38. Click Next and a dialog box opens, asking for your username and password. The wizard uses these to connect to your Windows/Exchange environment and to check the Exchange server and mailbox information you provided. If all goes well, you'll find yourself back in the mail profiles dialog box, shown in Figure 16.41. I have two profiles. I've selected Prompt for a Profile to Be Used so that when I start up Outlook, I have a choice of using one or the other of my two profiles. If you have only one profile, checking this box is unnecessary.

Figure 16.41: A newly created ROH-based Outlook 2003 profile is in place

In Figure 16.42, I've started Outlook. I'm offered a choice of profiles. I'm choosing the one that supports RPC over HTTP. Figure 16.43 shows my Outlook 2003 client as it opens using ROH. Because Outlook can fall back to RPC over TCP/IP mode if it can't connect to your Exchange server using ROH, there's no way in looking at the Outlook client to know for sure that ROH is in use. There are a couple of ways to check the protocol. If your Outlook client is on the Internet and your internal network is protected by a firewall that allows external access using only the HTTP protocol and you can open your Exchange mailbox, you have to be using HTTP. Another way to check the protocol your Outlook 2003 client is using to communicate with your Exchange 2003 servers is with a packet sniffer. Packet sniffers can show you the ports being used by a particular network node to communicate with another network node.

Figure 16.42: Choosing to use an ROH-based profile when opening Outlook 2003

Figure 16.43: Outlook 2003 opened using an ROH profile

In Figure 16.44, I'm using CommView (www.tamos.com), a very nice and inexpensive software-based packet sniffer, to monitor communications between my Windows XP workstation set up for ROH Outlook 2003-to-Exchange 2003 connectivity, BARRYXPPRO (IP address: 192.168.0.247), and my Exchange ROH front-end server, EXCHANGE02 (IP address 192.168.0.105). CommView is running on EXCHANGE02. Notice in the second line in Figure 16.44 that communication between the two computers uses only port 443. That proves ROH is being used. 'What!' you might be exclaiming, 'I thought HTTP used port 80.' It does, but secure HTTP communications, such as those that use https:// instead of http://, use port 443. Secure HTTP is supported by the Secure Sockets Layer (SSL) protocol, which you'll notice is an unchangeable default on the dialog box shown earlier in Figure 16.40.

Figure 16.44: A software-based packet sniffer shows that an ROH-based Outlook 2003 client and an Exchange ROH server are communicating using the secure HTTP port, 443

When I use CommView to look at communications between EXCHANGE02 and my mailbox server, EXCHANGE01, a variety of ports are used, but not port 443. This demonstrates that Exchange ROH front-end servers talk to back-end servers using standard Exchange server-to-Exchange server communications ports.

Tip: One quick and dirty, though not always as reliable, alternative to a packet sniffer such as CommView is the netstat command built into Windows. Open a command prompt, type netstat, and press Enter. It might take as much as a minute to complete, but you'll soon see a list of the other computers your computer or server is connected to and the ports being used for the connection. Some ports will be listed numerically, others will be listed by the name of the service they support, such as LDAP.
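The netstat check from the tip can be scripted so the answer does not depend on reading the list by eye. This is an added example, not code from the book: it parses the output of `netstat -n` (numeric ports) and reports which remote ports the workstation is using toward the ROH front-end server. The two sample outputs are constructed, reusing the 192.168.0.247 and 192.168.0.105 addresses from the text, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed `netstat -n` output for the workstation 192.168.0.247 while
# Outlook is open on the ROH profile (sample data, not a real capture).
SAMPLE_ROH = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.247:1187     192.168.0.105:443      ESTABLISHED
  TCP    192.168.0.247:1188     192.168.0.105:443      ESTABLISHED
  TCP    192.168.0.247:1190     192.168.0.12:445       ESTABLISHED
  TCP    192.168.0.247:1201     192.168.0.105:443      TIME_WAIT
"""

# Constructed output for the case where Outlook has fallen back to
# RPC over TCP/IP: ports other than 443 are in use toward the server.
SAMPLE_FALLBACK = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.247:1210     192.168.0.105:135      ESTABLISHED
  TCP    192.168.0.247:1211     192.168.0.105:1026     ESTABLISHED
"""

# One TCP row: protocol, local addr:port, remote addr:port, state.
ROW = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)\s*$")


def remote_ports(netstat_text, server_ip):
    """Count ESTABLISHED TCP connections to server_ip, keyed by remote port."""
    ports = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == server_ip and m.group(3) == "ESTABLISHED":
            ports[int(m.group(2))] += 1
    return dict(ports)


def classify(netstat_text, server_ip):
    """Summarise how this host is talking to server_ip.

    'https-only'    every live connection to the server uses port 443
    'other-ports'   at least one live connection uses a different port
    'no-connection' nothing established to the server at all
    """
    ports = remote_ports(netstat_text, server_ip)
    if not ports:
        return "no-connection"
    if set(ports) == {443}:
        return "https-only"
    return "other-ports"


if __name__ == "__main__":
    for name, text in (("ROH", SAMPLE_ROH), ("fallback", SAMPLE_FALLBACK)):
        print(name, remote_ports(text, "192.168.0.105"),
              classify(text, "192.168.0.105"))
```

Run it while Outlook is open; a result of `other-ports` means the client has silently fallen back from ROH, which the Outlook window itself does not show.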

That does it for RPC over HTTP. Now let's look a bit at RPC over TCP/IP.

RPC Over TCP/IP

Aside from ensuring that remote users install and set up their Outlook client properly, you don't have to do much else to support ROTI remote users on the server side. Users will have to create an entry for the server in the HOSTS file on the computer on which they are running Outlook. Except for Outlook 2003, the entry must be for the Exchange server name only, not the fully-qualified domain name of the server (that is, EXCHANGE01, not EXCHANGE01.BGERBER.COM). Outlook 2003 accepts fully-qualified domain names as well as server names. For more on the HOSTS file, see Mastering Windows Server 2003 (Sybex, 2003).

The remote procedure calls that support Exchange client/server communications must be capable of passing through the ISP-based link between your client and server. Technically, this requires that certain TCP/IP ports be enabled on all firewalls and routers between the client and the server. I'll talk more about using ROTI with firewalls in Chapter 18.

To connect Outlook to the server, you need to get to the MS Exchange Settings Properties dialog box. To do this for Outlook 2000 and earlier, right-click the Microsoft Outlook icon on your desktop, and select Properties. Double-click Microsoft Exchange Server in the MS Exchange Settings Properties dialog box. Enter the name of your Exchange server as named in your HOSTS file. Then type in your mailbox's display name or alias, and click Check Name. You'll know that all is well if the display name for your mailbox shows up underlined. Click OK to exit the various dialog boxes and open your mailbox. It takes a while the first time, but when your client is capable of talking to the server directly over the Internet, you will be able to do virtually anything that you can do locally. If you're using Outlook 2002 or 2003, follow the instructions in the previous section for entering and checking a connection to an Exchange mailbox, ignoring all the stuff about

Supporting Roving Users

Some users sit at the same desk all day, every day. Others move around all the time, often not even having a computer of their own. These users are often referred to as roving users. Basically, you want all roving users to have a directory on a server where they can pick up their Exchange and other settings every time they log in to the network, whatever workstation they use to log in.

The Exchange settings that you're interested in are those for home server and mailbox name. You want a roving user to get the same server and mailbox name, no matter what workstation he or she chooses to log in on.

Supporting a roving Exchange user is no different from supporting a roving user who is working with any other software, such as Microsoft Word. With Exchange, you want to present the same server and mailbox name. With Word, your goal is for the user to get the same default template, window-size settings, and so on. The specific procedures that you must follow to support roving users depend on the workstation (and sometimes network) operating system that you're using.

Fortunately, Microsoft has a tool for simplifying the job of setting up correct profiles for roving Exchange users. This tool, PROFGEN.EXE, can be found in the Exchange Resource Kit. You can also download the program for free from Microsoft's Exchange website.

A third-party product, Profile Maker, is easier to use and more comprehensive in scope than PROFGEN.EXE. Check it out at the site of its manufacturer, AutoProf.com (www.autoprof.com).

Migrating Foreign Messaging System Users to Exchange

You can move users from foreign messaging systems to your Exchange system. In some cases, Microsoft provides specific migration tools, while in others it provides more generic tools. Remember that your primary goal is to import data from your legacy messaging system into Windows 2003's Active Directory and Exchange's information stores.

Migration is a complex process. Rather than describe it here in detail, I just want to make sure that you know it's available. Most of the documentation for migration is provided only online and on the Exchange Server CD-ROM, in the Migrate directory. Let's take a quick look at your options.

Exchange Server ships with comprehensive migration tools for the following foreign messaging systems:

Other Exchange Server organizations

Note: Whichever route you take, be sure that someone on your migration team fully understands both the foreign electronic messaging system that you're working with and the computer operating system that it runs on top of. Without this expertise, you can get into some very hot water. If no one in your organization qualifies for this distinction, consider getting help from the vendors of your electronic messaging system and operating system, or think about hiring a knowledgeable consultant or two.

Summary

This chapter covered a number of advanced features of Exchange Server 2003 and Exchange-related features of Windows Server 2003. These features enable Exchange administrators to do everything from tracking Exchange Server-based messages to modifying e-mail address formats to migrating foreign messaging system users to Exchange.

The Exchange Message Tracking Center is used to follow a message through an Exchange organization. Messages can be tracked as they move across Exchange servers and connectors, right up to the point that they leave an Exchange organization. Both e-mail and system messages can be tracked. Message tracking is useful both to prove to users that a message did indeed reach its destination and for troubleshooting Exchange system problems or apparent problems.

Exchange managers can modify the default e-mail address formats used to create e-mail addresses for Exchange recipients. One of the most interesting and often-used modifications involves the creation of secondary SMTP proxy addresses for a user. Secondary proxies enable a user to have multiple Internet addresses. When secondary proxies are created that involve domains not already registered in an Internet-connected DNS server, MX and host records for the domain must be created in the DNS, or other SMTP hosts won't be capable of sending messages to the new secondary proxy address.

Several Exchange features are implemented at the global or Exchange organization-wide level. Using recipient policies, Exchange managers can set up differently formatted default e-mail addresses for different Exchange recipients. A variety of selection criteria is available for specifying the recipients covered by a recipient policy. Exchange managers can also set up address lists using similar filters. Address lists are visible to users in their Outlook address books. The Exchange recipient update service, running on an Exchange server, keeps recipient e-mail addresses and address lists current as selection criteria change and new recipients are added to recipient policies and address lists. Multilingual details and address templates, respectively, support Outlook client features and one-off address creation in Outlook. Exchange administrators can set Exchange organization-wide message size and recipients per message limits for Exchange mailboxes.

Manual creation of Windows 2003 users and Exchange 2003 mailboxes and other recipients can be very labor-intensive. It is possible to import information into Windows 2003 Active Directory and export it from Active Directory. The programs LDIFDE.EXE and CSVDE.EXE can be used for Active Directory imports and exports. The programs are run at a command prompt and are not very easy to use. Exchange administrators must possess a good deal of knowledge regarding Active Directory and the format of LDIFDE.EXE and CSVDE.EXE import files, as well as the format of individual entries in LDIFDE.EXE and CSVDE.EXE import files, before they can safely undertake Active Directory imports.

Exchange server troubleshooting is a constantly moving target. The best tools are an advanced Exchange server management book; use of online support from Microsoft and others; ensuring that the latest Windows 2003 and Exchange 2003 service packs are installed on servers; and, if all else fails, use of paid Microsoft or other consulting support.

Connectors that link Exchange routing groups can be monitored to assure that they are available. The status of each connector is automatically displayed in the Monitoring and Status\Status container in Exchange System Manager. You can also set things up so that you are notified when a connector is down.

Supporting both remote and roving Outlook clients is quite easy with Exchange. Remote clients can be supported over the Internet connection using either a traditional RPC over TCP/IP connection or an RPC over HTTP link. Roving users are most easily supported using a product such as Microsoft's PROFGEN.EXE.

Exchange Server 2003 comes with a variety of tools for migrating users from foreign messaging systems to Exchange. The Exchange Migration Wizard simplifies migration from a number of messaging systems, supporting live links to these systems during migration. For other foreign messaging systems, Microsoft provides source extractors to pull data from the systems and place it into files. The files can then be imported using the wizard.

Chapter 17: Exchange Server Reliability and Availability

Overview

One of the biggest issues for my clients is Exchange server disaster recovery. The first time a client brings up the subject, I tell them that disaster recovery is the last thing they should worry about. After they get up off the floor, I tell them that they should focus first on Exchange server reliability and availability, of which disaster recovery is but the last part. I go on to tell them that if they worry about the whole reliability and availability spectrum, they'll not only prepare themselves for serious nondisaster recovery scenarios, but they also might be able to avoid many of the disasters that haunt their nightly dreams.

If you want to achieve optimal Exchange server reliability and availability, you have to focus on three major areas:

Featured in this chapter:

component is best. However, even if you have to bring your system down for a short time to replace a component with no or minimal data loss, you'll be a hero to your users. In addition to eliminating or sharply reducing downtime, redundant systems can help you avoid the pain of standard or disaster-based Exchange server recovery.

Systems redundancy is a complex matter. It's mostly about hardware, though a good deal of software, especially operating system software, can be involved. I'm going to deal here with two areas that are essential to redundant systems: server redundancy and network redundancy.

Server Redundancy

There are two basic kinds of server redundancy:

Intraserver redundancy


Let's look at each aspect of server redundancy in more detail.

Redundant Storage

Redundant disk storage relies on a collection of disks to which data is written in such a way that all data continues to be available even if one of the disk drives fails. The popular acronym for this sort of setup is RAID, which stands for Redundant Array of Independent Disks.

There are several levels of RAID, one of which is not redundant Here's a quick look at each:

RAID 0: Part of each byte of data is written (striped) to each drive in the array. RAID 0 is not redundant, but it provides the highest performance, because each byte of data is written in parallel, not sequential, fashion. RAID 0 is included here because RAID 0 strategies are used in another RAID design that I discuss later.

RAID 1: All data on a drive is mirrored to a second drive. This provides the highest reliability. Write performance is fairly slow, because data must be written to both drives. Read performance can be enhanced if both drives are used when data is accessed. Mirroring requires lots of disk storage compared to RAID 5 (see below).

RAID 0+1: As with RAID 0, data is striped across each drive in the array. However, the array is mirrored to one or more parallel arrays. This provides the highest reliability and performance, but has the same high disk storage requirements as RAID 1.

RAID 5: Part of each byte of data is striped to each drive in the array. However, writes include parity information that allows any data to be recovered from the remaining drives if a drive fails. RAID 5 is reliable, though performance is slower. With RAID 5, you lose the equivalent of one disk in total GB of storage. For example, a RAID 5 array of three 36GB drives gives you 72GB, not 108GB of storage. This is more efficient than RAID 1 or 0+1, which require a disk for each drive mirrored, but write performance is about one-third of RAID 0+1, and read performance is about one-half of RAID 0+1.
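How RAID 5 parity lets the array survive the loss of any one drive can be shown with a small model. This is an added example, not code from the book or from any RAID product: it stripes data in fixed-size chunks with one XOR parity chunk per stripe, then rebuilds the contents after a drive is removed. The 4-byte chunk size, the rotating parity placement and all function names are assumptions chosen for illustration.

```python
from functools import reduce


def xor_chunks(chunks):
    """Byte-wise XOR of equal-length chunks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*chunks))


def usable_capacity(n_drives, drive_gb):
    """One drive's worth of space goes to parity: 3 x 36GB -> 72GB."""
    return (n_drives - 1) * drive_gb


def raid5_write(data, n_drives, chunk=4):
    """Stripe data across n_drives; each stripe holds n-1 data chunks plus
    one parity chunk, and the parity chunk moves to a different drive on
    every stripe. Returns one list of chunks per drive."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    stripe_bytes = (n_drives - 1) * chunk
    padded = data + b"\0" * (-len(data) % stripe_bytes)
    drives = [[] for _ in range(n_drives)]
    for stripe, offset in enumerate(range(0, len(padded), stripe_bytes)):
        chunks = [padded[offset + i * chunk: offset + (i + 1) * chunk]
                  for i in range(n_drives - 1)]
        parity = xor_chunks(chunks)
        parity_drive = (n_drives - 1 - stripe) % n_drives
        data_iter = iter(chunks)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive else next(data_iter))
    return drives


def raid5_read(drives, length, failed=None):
    """Read the data back. If `failed` names a drive index, that drive is
    never touched: its chunk in each stripe is rebuilt as the XOR of the
    chunks on the surviving drives. A second failure is not recoverable."""
    n = len(drives)
    survivors = [d for d in range(n) if d != failed]
    out = bytearray()
    for stripe in range(len(drives[survivors[0]])):
        row = {d: drives[d][stripe] for d in survivors}
        if failed is not None:
            row[failed] = xor_chunks(list(row.values()))
        parity_drive = (n - 1 - stripe) % n
        out += b"".join(row[d] for d in range(n) if d != parity_drive)
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"Exchange information store pages"   # constructed sample data
    array = raid5_write(payload, n_drives=3)
    for lost in range(3):
        damaged = [None if i == lost else col for i, col in enumerate(array)]
        print("drive", lost, "lost ->", raid5_read(damaged, len(payload), lost))
    print("usable GB:", usable_capacity(3, 36))
```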

So, which RAID level is right for you? RAID 0+1 is nice, but I reserve it for clients with really demanding performance requirements. You compromise some with RAID 5, but it's the best price-

high-pitched whistling sound. They reported that they were 'going nuts from the sound.' So I had to figure out what was up as quickly as possible. I contacted Dell premium support and within five minutes, I knew it was a failed RAID drive. I used the administrative terminal server option in Windows 2000 to get to the computer over the Internet, using a virtual private network connection for security. Using Dell's support software for its RAID arrays, I was quickly able to shut off that horrible sound and set the server to the tasks of checking the failed drive and attempting to reinsert it into the array. Meanwhile, users were happily working away on their Exchange-based e-mail, knowing nothing about the failure. The drive recovered without a problem.

If the failed drive was not recoverable, I would have asked my clients to remove the failed drive and insert a ready-to-go standby drive into the server. The server has three active RAID drives and three empty slots all on a hot-swap backplane. So, drive removal and insertion can be done without interrupting user access to the server. I could have also installed a fourth drive and set it up to act as a standby drive. The initial failure would then have triggered a rebuild of the array onto the standby drive. Then, at my leisure, I could come by and check the failed drive to see if it was still serviceable.

If RAID sounds like a good idea, but you're worrying about costs, consider this. On my recommendation, one of my clients recently (June 2003) bought a Dell PowerEdge 1600SC server with 72GB of usable RAID 5 storage, hot-swappable drives and power supplies, a hot-spare drive, a 2.4GHz Intel Xeon processor, and 1GB of memory for around $3,000. Figure out what you'd pay for a quality server without all these features and I think you'll conclude that the peace of mind that comes with redundant server hardware is worth the extra cost.

Warning: As you'll remember from Chapter 12, 'Managing the Exchange Server Hierarchy and Core Components,' Exchange Server quickly writes data to simple transaction logs and then later commits the data to the information store when time is available. This assures that data are on disk and will not be lost should system memory fail. If you're using RAID 5 for your information stores, you should place your log files on RAID 1 or 0+1 mirrored drives. Disk mirroring is faster than RAID 5's parity bit-based striping.

Tip: For the best performance, be sure to use a RAID solution that is implemented in hardware on a RAID adapter. Limited software-based RAID is available in Windows Server 2003, but you're not going to be happy with the speed of such an implementation.

RAID solutions don't necessarily have to be implemented inside a server. There is one very viable, if expensive, RAID solution that connects to your server or servers via a very high-throughput link. The technology is called a Storage Area Network (SAN). SAN devices connect to servers using fiber optic cable. You can connect multiple servers to a SAN. Each server is connected to the SAN through one or more very high-speed switches. This provides excellent throughput between the SAN and each server. Backups also benefit from SAN's high levels of performance. Tape units are available that connect directly to SAN fiber switches.

SANs include fairly complex storage and management software. Support is not a trivial matter, though support requirements are reduced somewhat because data can be consolidated onto one device. Minimal SAN implementations are measured in terabytes (TB) of storage. Five TB is not unusual for such an implementation. At this writing, because of their costs and complexity, SANs are being promoted by vendors for really high-end storage capacity and performance requirements. Microsoft takes the same position regarding running Exchange on SANs.

Generally, if you're going to implement a SAN solution, you'll do it in a clustered server environment. For more on server clustering, see the following section, 'Interserver Redundancy.'

If SANs are too rich for your blood, take comfort: There are alternatives. You can buy lower throughput, lower capacity, external RAID boxes that attach to your server or servers using sufficiently high-speed links to support an Exchange environment. Vendors such as Compaq (www.hp.com) and Dell (www.dell.com) offer this hardware.

Warning: If you've been tempted by Network Attached Storage (NAS) solutions, forget it. Exchange databases must reside on a disk that is directly attached to the server. Through their switches, SANs are attached to the servers they support. NAS devices are not. It is no different than if you tried to install an Exchange information store on a disk residing on another server on your network. It doesn't work.

Devices are available based on Redundant Array of Independent Tapes (RAIT) technology. Like RAID disk units, RAIT tape backup systems either mirror tapes one to one or stripe data across multiple tapes. As with disk, multi-tape striping can improve backup and restore performance as well as provide protection against the loss of a tape. Obviously, RAIT technology includes multiple tape drives. It is almost always implemented with tape library hardware so that tapes can be changed automatically, based on the requirements of backup software.

Redundant Power

Redundant power supplies are fairly standard in higher-end servers. You'll remember that a set of redundant power supplies was included in the $3,000 Dell server that I asked a client to purchase. That Dell had two power supplies. Each power supply has its own power cord and runs all of the time. In fact, both power supplies provide power to the server at all times. Because either power supply is high enough in wattage to support the entire computer, if one power supply fails, the other is fully capable of running the computer. As with storage, system monitoring software lets you know when a power supply component has failed.

Many higher-end servers offer more than two redundant power supplies. These are designed for higher levels of system availability. They add relatively little to the cost of a server and are worth it.

Ideally, each power supply should be plugged into a different circuit. That way, the other circuit or circuits will still be there if the breaker trips on one circuit. I urge my hospital clients to go a step further and ensure that one of the power supplies is plugged into an emergency circuit that is backed up by the hospital's gasoline-powered standby electricity-generating system. And, of course, each circuit should be plugged into an uninterruptible power supply (UPS).

Compaq, now a part of Hewlett Packard, offers another form of power redundancy, redundant voltage regulator modules (VRMs). In some environments, it's fine to have multiple power supplies, but if the power to your server isn't properly regulated because the computer's VRM has totally or partially failed, you'd be better off if the power had just failed. I expect that redundant VRMs will quickly become standard on higher-end servers from other manufacturers.

Redundant Cooling

Modern CPUs, RAM, and power supplies produce a lot of heat. Internal cooling fans are supposed to pull this heat out of a computer's innards and into the surrounding atmosphere. If a fan fails, components can heat to a point where they stop working or permanently fail. Redundant cooling fans help prevent this nightmare scenario. In most systems, there is an extra fan that is always running. Monitoring software lets you know when a fan fails. The system is set up so that the remaining fans can support the server until you are able to replace the failed fan.

One-for-one redundant fans are becoming more and more available. With these, each fan in a system is shadowed by an always-running matching fan. When a fan fails, monitoring software lets you know so you can replace the fan.

Redundant CPUs

As I mentioned in the introduction to this section, redundancy has not been a strong point of Intel CPUs. Mainframe and specialty mini-computer manufacturers have offered such redundancy for years. Pushed by customers and large companies such as Microsoft, Intel now has a standard for implementation of redundant CPUs.

Each CPU lives on its own plug-in board. Each CPU has its own mirror CPU. Mirroring happens at extremely high speed. When one CPU board detects problems in the other CPU, it shuts down the CPU and takes over the task of running the server. Intel claims that these transitions are transparent to users.

System monitoring software lets you know that a CPU has been shut down. You can use management software to assess the downed CPU to see if the crash was soft (CPU is still okay and can be brought back online) or hard (time to replace the CPU board). If the board needs replacing, you can do it while the computer is running. This is another victory for hot-swappable components and high system reliability and availability.

Intel is marketing this technology for extremely high-reliability devices such as telecommunications networking. However, I expect that it will quickly find its way into higher-end corporate server systems.

Note: While they don't fall into the category of redundancy because they don't use backup hardware, error-correcting code (ECC) memory and registered memory deserve brief mention here. ECC memory includes parity information that allows it to correct a single bit error in an 8-bit byte of memory. It can also detect, but not correct, an error in two bits per byte. Higher-end servers use special algorithms to correct full 8-bit errors. Registered memory includes registers where data are held for one clock cycle before being moved onto the motherboard. This very brief delay allows for more reliable high-speed data access.

Interserver Redundancy

Interserver redundancy is all about synchronizing a set of servers so that server failures result in no or little downtime. There are a number of third-party solutions that provide some synchronizing services, but Microsoft's Windows clustering does the most sophisticated and comprehensive job of cross-server synchronization. I'm going to focus here on this product. I'll also spend a bit of time on redundant SMTP hosts using a simple DNS trick.

Windows Server Clusters

The Enterprise and Datacenter editions of Windows Server 2003 include clustering capabilities. Interserver redundancy clustering is supported by the Microsoft Cluster Service (MSCS). MSCS supports clusters using up to eight servers or nodes. The servers present themselves to clients as a single server. A server in a cluster uses ultra-high-speed internode connections and very fast, hardware-based algorithms to determine if a fellow server has failed. If a server fails, another server in the cluster can take over for it with minimal interruption in user access. It takes between one and two minutes for a high-capacity Exchange server cluster with a heavy load (around 5,000 users) to recover from a failure. With resilient e-mail clients such as Outlook 2003, client-server reconnections are transparent to users.

Clusters share disk storage, ideally SAN disk storage. More basic, stand-alone, sharable RAID boxes work fine too, as long as they can be connected on high-bandwidth links to multiple servers. It's important to note that clusters alone do not provide any protection for data stored on disks. Such protection comes from the redundancy built into disk storage components.

In addition to providing a level of redundancy, clusters can also be used to implement network load-balancing (NLB) strategies. NLB requires the installation of supporting Microsoft software. NLB is especially useful in Exchange environments with lots of incoming POP3, IMAP4, OWA, RPC over HTTP, and LDAP traffic.

Implementing MSCS clusters is beyond the scope of this book. For more information on planning and deploying MSCS clusters, check out Mastering Windows Server 2003 (Sybex, 2003) and Microsoft's Windows Server 2003 website.

That number 10 in the MX record is called a priority value. If I were to add another MX record for bgerber.com that pointed to a different server, say exchange02.bgerber.com, and if I were to give that record a priority value of 20, guess what would happen: SMTP servers would continue to deliver messages to exchange01.bgerber.com. However, if an SMTP server had trouble contacting EXCHANGE01, it would then look for other MX records for bgerber.com. If EXCHANGE02 were available, it would send to that server.

You can have as many MX records for a mail server as you want. Just be sure each points to a different server and has a different priority value.
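The failover behavior described above can be traced with a short model of what a sending SMTP server does with the MX set. This is an added example, not code from the book: the zone fragment is constructed from the host names and priority values in the text, the reachability test is a stand-in for a real connection attempt, and the function names are hypothetical.

```python
import re

# Constructed zone fragment using the names and priority values from the text.
ZONE = """\
; MX records for bgerber.com (sample data)
bgerber.com.    IN  MX  10  exchange01.bgerber.com.
bgerber.com.    IN  MX  20  exchange02.bgerber.com.
"""

# owner [ttl] [IN] MX priority target
MX_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?MX\s+(\d+)\s+(\S+)\s*(?:;.*)?$", re.I)


def parse_mx(zone_text, domain):
    """Return [(priority, host), ...] for the MX records owned by domain."""
    records = []
    for line in zone_text.splitlines():
        m = MX_RE.match(line.strip())
        if m and m.group(1).rstrip(".").lower() == domain.lower():
            records.append((int(m.group(2)), m.group(3).rstrip(".").lower()))
    return records


def check_records(records):
    """Apply the rule from the text: every record should point to a
    different server and carry a different priority value."""
    problems = []
    priorities = [p for p, _ in records]
    hosts = [h for _, h in records]
    if len(set(priorities)) != len(priorities):
        problems.append("duplicate priority value")
    if len(set(hosts)) != len(hosts):
        problems.append("duplicate target server")
    return problems


def deliver(records, is_reachable):
    """Try hosts from the lowest priority value upward, as a sending SMTP
    server does. Returns (host used or None, list of hosts attempted)."""
    attempts = []
    for _, host in sorted(records):
        attempts.append(host)
        if is_reachable(host):
            return host, attempts
    return None, attempts


if __name__ == "__main__":
    mx = parse_mx(ZONE, "bgerber.com")
    print("problems:", check_records(mx))
    print("normal:  ", deliver(mx, lambda host: True))
    # Simulate EXCHANGE01 being unreachable.
    print("failover:", deliver(mx, lambda h: h != "exchange01.bgerber.com"))
```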

Network Redundancy

As you'll remember from Chapter 15, 'Installing and Managing Additional Exchange Servers,' Exchange Server 2003 connectors support redundant networks. Connector cost settings provide priority settings for the order in which a connector is to be used. This section supplements the discussion in Chapter 15, focusing on intranetwork- and internetwork-device hardware redundancy.

The same redundancy concepts that apply to servers also apply to network redundancy. There are network adapters, switches, bridges, and routers that support intradevice redundancy. Of course, as we learned with Exchange connectors, redundancy doesn't mean much if redundant devices are connected to the same physical network.

You can achieve network interface card (NIC) redundancy by using what is called NIC teaming. With teaming, two or more NICs are treated by your server and the outside world as a single adapter with a single IP address. For fault-tolerance, you connect each NIC to a separate layer 2 MAC address-based switch. All switches must be able to physically communicate with each other, that is, they must be in the same layer 2 domain and they must support NIC teaming. All the network cards work together to send and receive data. If one NIC fails, the others keep on chugging away doing their job and you are notified of the failure. You need Windows 2003-based software from your NIC vendor to pull this off. Compaq and Dell, among others, offer this software and compatible NICs.

Beyond the switch, you can use routers with redundant components. Cisco Systems (www.cisco.com) makes a number of these. Cisco also offers some nice interdevice redundancy routing options. These can get expensive, so if you want redundant physical connections to the Internet or other remote corporate sites, you need to factor in the cost of these.

If you use an ISP, you should pick one with more sophisticated networking capabilities. Maybe you can't afford multiple redundant links to the Internet, but your ISP should. Look for ISPs that use the kinds of routers discussed in the previous paragraph.

Standard Backup and Recovery vs Disaster Recovery

In life, as in IT, one person's everyday occurrence can be another person's disaster. If your systems support staff is small or you are the systems support staff, and if you haven't had the time to keep up to date on or test the latest backup and restore techniques, the loss of a single Exchange information store can seem like a disaster that ranks right up there with a major earthquake. On the other hand, to a very large systems staff that has extensively prepared for and tested Exchange server backup and recovery, only that earthquake and its consequences might qualify as a real disaster.

All of the above is well and good, but it doesn't help us make distinctions that are important when it comes to the allocation of resources to deal with standard backup and recovery and disaster recovery. For the sake of this book, I'll assume the following definitions:

I'll treat standard backup and recovery as involving the rebuilding of a server, including restoration of Windows 2003 and/or Exchange 2003.

I think the main reason for the difference is that I've done a lot of the standard stuff and have an approach that seems to get me through the process fairly smoothly. On the disaster side, I'm usually called in after the disaster and asked to get things up and running again. I have to learn the client's system, often without much, if any, documentation, and figure out the best and most cost-effective way to get them back up and running. It's grueling. Given my experience, you've probably guessed that you're going to hear a lot in the following two sections about planning, documentation, and testing.

Before we move on to standard backup and recovery and disaster recovery, I need to remind you about the role of intraserver and interserver redundancy. Think of redundancy as protection against having to do a recovery, at least from a passive offline device such as backup tape or disk. Consider redundancy as the first line of defense in your war against downtime caused by unreliable hardware. Recovery is a fallback position that you turn to only when everything else has failed.

Preventing Recovery with Good Virus−Control Software

I will discuss virus-control software in the next chapter, 'Exchange Server System Security.' However, I want to take a moment to encourage you to look at server and e-mail anti-virus software as an additional tool in your battle for reliability and availability. I've been in a situation where a virus attack literally destroyed every one of a client's servers. By my definition, fixing a problem such as this is disaster recovery, not standard backup and restore. Believe me, my blood pressure told me in a minute that I was into disaster recovery, not a standard restore, and the bill I sent my client reinforced that reality.

Standard Backup and Recovery

To plan for standard backup and recovery, you need to come up with strategies for backing up and recovering your servers. These strategies should specify what you'll back up or restore and how you'll do it. Strategies should focus on both Windows and Exchange. Once your strategies are in place, you need to think about the backup hardware and software that you'll use.

Windows Server 2003 Backup

Windows Server 2003 backup is a complex matter that is by and large beyond the scope of this book. However, I want to take a little time to talk more generally about Windows backup options and a couple of options that rely on little or no actual backup. These include

Automatic System Recovery (ASR) backups

ASR and Windows Server 2003 backup in general, see Mastering Windows Server 2003 (Sybex, 2003).

It's important to remember that ASR doesn't back up the nonsystem data on your computer. For example, it doesn't back up the Exchange server application itself or Exchange information stores.

Another really exciting option for Windows backup is Windows 2003's new VSCS. VSCS lets you make a consistent copy of a disk volume at any given point in time. You can restore that copy and be almost 100 percent sure that the restored volume will function just as it did when the shadow copy was made. Because VSCS has much to offer Exchange Server 2003 administrators, I'll discuss VSCS in more detail in the section 'How to Back Up,' later in this chapter.

Another Windows backup strategy involves backing up everything on a Windows server, including System State data on all servers and Active Directory data on domain controllers. Recovering a server so backed up isn't as easy as if you use ASR or VSCS, but it works.

There are two other options for recovering from a Windows server crash. First, you can put together a spare Windows/Exchange server and use it when it comes time to do a Windows and/or Exchange recovery. This server should be a member of your Exchange organization, but not actively networked with the servers in your Exchange organization. Second, after a server crash, you can literally do a fresh installation of Windows and Exchange on the same or a different piece of server hardware. In any of these cases, you still need to recover your Exchange information store databases once Windows is in place.

Throughout the rest of this chapter, I assume that you or someone responsible for Windows Server 2003 is dealing with Windows backup and recovery. This includes all the niceties connected with backing up and recovering Active Directory on domain controllers. You'll remember that Active Directory includes a ton of Exchange objects. If you've followed my recommendations and you have not installed Exchange Server 2003 on a Windows 2003 domain controller, and your Exchange server goes south, your only worry about Active Directory will be assuring that your recovered Exchange server is properly registered in Active Directory and properly installed in your Exchange organization.

I also assume in the rest of this chapter that Windows Server 2003 is already on an Exchange server that you need to recover. This might be because only Exchange Server failed on that server, or you recovered Windows to that server, or you are using a freshly installed copy of Windows on that or another server.

Exchange Backup Strategies

A backup strategy should include decisions about the following:

information store adds complexities that you don't need when you're under pressure to get back up and running quickly. Full information store backups might take more tape or disk space, but that stuff is cheap compared with the tension and user ire generated by longer recovery times.

If you've set up things correctly, simply backing up an Exchange information store with Exchange-aware software forces unprocessed transaction log data into the information store and deletes processed transaction logs. (See the section 'Enable Circular Logging' in Chapter 12. For the record, the answer is to disable circular logging, not to enable it.) An information store backup with Exchange-aware software also backs up any logs created during the backup itself. Logs are created during a backup because Exchange continues running and performing its messaging functions.

Tip You can separately back up each information store in a storage group. However, it's more efficient to back up entire storage groups. For example, when you back up individual information stores, all transaction log files are backed up for each store. This not only extends backup times, but it also results in less efficient use of disk or tape backup space.

You should also back up what is called the metabase. The metabase is an Internet Information Server entity that includes a good deal of Exchange information, such as Internet protocol and routing information.

Metabase backup is a manual process. You use the Internet Information Services manager, which you reach through the Computer Management snap-in or by choosing Start > All Programs > Administrative Tools > Internet Services Manager. Right-click on your server in Internet Services Manager and select Backup/Restore Configuration. Use the resultant dialog box to set up a backup. When you close the dialog box, the backup is done. To protect the metabase backup, copy it to tape. The backup is stored in the file

\WINNT\SYSTEM32\INETSRV\metabase.bin

You need to back up the metabase only when you make changes in Exchange. You need to restore the metabase only when it is necessary to recover Windows Server 2003 on an Exchange server. Because the metabase is not backed up automatically, you must be sure to go through this manual backup and recovery operation.

Note Some people like to back up the Exchange files in \PROGRAM FILES\EXCHSRVR and its subdirectories. This was more or less necessary with earlier versions of Exchange. Newer Exchange recovery methods make such a backup unnecessary.

How to Back Up

I showed you how to do a basic backup of Exchange information stores in Chapter 8, 'Installing Exchange Server 2003,' in the section 'Backing Up Exchange Server 2003.' Examples there were based on the backup program built into Windows 2003. In Figure 17.1, I'm using another product, Veritas Backup Exec for Windows Servers (www.veritas.com), to back up the information store database files on EXCHANGE01. You can't see it, because the option is set elsewhere, but, as I advised earlier, I'm doing a full backup of the information store, not an incremental or differential backup.

Figure 17.1: Backing up an Exchange 2003 server's information store using Veritas Backup Exec

Notice in Figure 17.1 that you can back up Exchange mailboxes and, I should note, any item or items they contain. This is a nice feature, because it lets you restore a mailbox or a few items from a mailbox. However, you should use mailbox backup with caution. In my experience, mailbox backups are very slow. Backing up as few as 100 moderately sized mailboxes can take a number of hours. Mailbox backup is not supported in the Windows Server 2003 built-in backup program even after you install Exchange. It's available only in third-party backup products.

Warning Individual mailbox backup is not a substitute for backing up an information store. Mailbox backup is designed to let you restore a mailbox or some of the items in it to an existing information store. Don't even think about recovering individually backed up mailboxes to a newly created information store.

I've saved the best for last. Windows Server 2003, in league with Exchange Server 2003, can do some really neat things using VSCS, which I briefly introduced earlier in this chapter. With VSCS, the backup of a volume reflects the state of the volume at the beginning of the backup. Changes that take place during the backup are not reflected in the backup. This has its downside in that your backup doesn't include anything that happened after the backup started. The upside is that there are no inconsistencies in your volume backup. You can restore an entire disk volume with every expectation that the volume will function perfectly.

You can get around VSCS's lack of change history by doing more frequent backups. If you're correctly doing a regular nightly backup using older technology, your data might be up to date when you do the backup, but by the time you do your next backup, it's 24 hours old. With VSCS and fast backup devices such as high-speed RAID disk storage units, you should be able to do hourly backups. Even if you overwrite your last backup, you'll always have a recent backup from which to recover. Good practice, of course, dictates that you retain at least a sample of several weeks of regular VSCS backups. For example, you might choose to commit your midnight VSCS backup to tape each night.

VSCS backup of the Windows Server 2003 portion of a volume is built into the Windows 2003 backup program. This includes the nondatabase aspects of Exchange (Exchange program files, for example). Exchange Server 2003 adds a set of application programming interface (API) hooks that support VSCS backup of Exchange information store databases. However, as with Exchange individual mailbox backup APIs, Exchange VSCS APIs are supported only by third-party backup software vendors.

So you need to buy a third-party product if you want the full benefits of VSCS backup of an Exchange 2003 server. But think of the total neatness here. You can back up an entire Exchange server, disk volume by disk volume. If something goes wrong, you can reliably restore whole volumes in a snap. VSCS, where have you been all my life?

Be sure to coordinate VSCS volume backups. For example, if Windows Server 2003 is installed on one volume and Exchange Server 2003 on another, you should start the backup of both volumes at exactly the same time. If you don't do this, you run the risk that your two volumes will be out of sync. Of course, you need backup software and devices that can handle multiple simultaneous backups to make this work. If hardware performance requirements and realities permit, you can get around the volume backup synchronization problem by putting everything on the same disk volume.

Can VSCS Backup Replace Traditional Backup Approaches?

If I were you, I wouldn't run off and implement VSCS as the only backup approach in my backup strategy right now. First, I'd want to be sure that VSCS works and supports all of the recovery scenarios I can think of. Second, I'd want to retain the ability to recover an Exchange database from an information store backup. Let's say I wanted to recover a few items from a single Exchange mailbox. A full VSCS recovery not only seems like overkill, but it wouldn't provide as easy a path to recovery as an information store restore or restoration from an individually backed-up mailbox.

However you choose to back up your Exchange environment, you need to set up your backups so that you can rotate backup copies off site without impairing your ability to quickly restore data in an emergency. Ideally, I like to make initial backups to disk, copy the backups to tape, and move the tapes off site. If you can't afford this approach, then you should design a backup plan that at least allows you to take yesterday's backup off site.

When to Back Up

I already touched on the matter of backup timing in previous sections. Here's a bit more on the subject. At a minimum, you should back up your Exchange information stores on a daily basis. For most organizations, it's best to do this backup in the late evening (after 10 p.m.) or early morning (before 3 a.m.).

Protecting and Retaining Backups

Having implemented a backup strategy that lets you rotate tapes off site, you should be sure the rotation happens. Also, you should buy a fireproof, magnetic-media storage safe and keep all other backups on site in that safe. A fireproof safe for paper does not protect magnetic media. Temperature and humidity control requirements for magnetic media are higher than for paper.

As I've implied throughout this chapter, you can make an initial backup to tape or disk. If you choose to do initial backups to disk, here are a few precautions you might want to consider. First, don't back up to the disk that contains what you're backing up. You can't recover the disk if the backup is blown away when the disk is blown away. Second, immediately back up to tape whatever you backed up to disk. Even if your backup is on a different disk, it will do you no good if that disk fails. Third, rotate and store these tapes just as you would initial backups to tape. You can no more afford to lose these tapes than your initial backups to tape.

Tape retention policies are, unfortunately, only partly related to technical issues. For legal reasons, some organizations must retain data, including e-mail data, for extended periods. Other organizations, to avoid the legal hassles associated with the subpoenaing of data, choose to dump their backups almost as quickly as they are created. For you, there is only one issue. Your users need to understand the implications for data recovery of whatever retention schedule is implemented. If legal niceties aren't an issue in your organization, I recommend that you retain daily backups for the last five weeks, and one weekly full backup for three months to a year, depending on your level of comfort.
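The retention schedule recommended above can be turned into a list of which backups to keep and which media can be recycled. The following PowerShell function is an added example, not from the book; the function name, the constructed sample dates and the 90-day weekly window (the low end of "three months to a year") are assumptions.

```powershell
# Added example, not from the book. Get-BackupRetentionPlan is a hypothetical helper.
function Get-BackupRetentionPlan {
    param(
        [datetime[]]$BackupDates,          # dates of completed full backups
        [datetime]$Today = (Get-Date),
        [int]$DailyWeeks = 5,              # keep every daily backup for this many weeks
        [int]$WeeklyDays = 90              # keep one backup per week up to this age (assumed)
    )
    $dailyWindow  = $DailyWeeks * 7
    $weeksCovered = @{}                    # week buckets that already have a keeper

    # Newest first, so the first backup seen in a week bucket is that week's latest.
    foreach ($date in ($BackupDates | Sort-Object -Descending)) {
        $age = ($Today.Date - $date.Date).Days
        if ($age -lt 0) { continue }       # ignore future dates (clock or labelling errors)

        if ($age -lt $dailyWindow) {
            $action = 'Keep (daily)'
        } elseif ($age -le $WeeklyDays) {
            $week = [int][math]::Floor($age / 7)
            if ($weeksCovered.ContainsKey($week)) {
                $action = 'Recycle'
            } else {
                $weeksCovered[$week] = $true
                $action = 'Keep (weekly)'
            }
        } else {
            $action = 'Recycle'
        }
        New-Object PSObject -Property @{ Date = $date.Date; AgeDays = $age; Action = $action }
    }
}

# Constructed sample: one full backup per night for the last 120 nights.
$today  = Get-Date
$sample = 0..119 | ForEach-Object { $today.AddDays(-$_) }
Get-BackupRetentionPlan -BackupDates $sample -Today $today |
    Group-Object Action | Select-Object Name, Count
```

Raising `-WeeklyDays` toward 365 gives the longer end of the recommended range; the users' expectations about what can still be recovered should match whatever values are chosen.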

Exchange Recovery Strategies

You need to recover all or part of your Exchange system. How do you do it? That depends on what you backed up and how, what failed, and what you need to recover. You might need to recover

Recovering Mailbox Items

Imagine that John Bumblefingers manages to delete three key messages from his Inbox. He then empties his Deleted Items folder and doesn't discover his deed until the retention time for recovering deleted items has expired. How do you get John's three precious items back?

There are two ways to recover mailbox items. You can restore the items from an individual mailbox backup, or you can restore the information store containing the mailbox and copy the items from the restored mailbox to the real mailbox.

If you backed up John's individual mailbox using a third-party backup product, and that backup is available, recovery is easy. You just run the backup software, go into Restore mode, find the items you want to restore in the product's GUI, and start the restore. The backup program places the items in the mailbox in the correct folder, and you're done.

If you didn't back up John's mailbox, you've got a fair amount of work ahead of you. Here's how to recover those deleted items:

Recover the Exchange information store that contains John's entire mailbox to an Exchange server that is physically separate from your Exchange organization. (See the section 'Restore a Mailbox from Backup to a Recovery Server' in Microsoft Knowledge Base Article 813337.)

a reasonable deleted-item retention period, say, 30 days, and then to set a policy that you do not do mailbox item restores.

Recovering a Mailbox to an Information Store

As with individual mailbox items, if you've made a backup of a mailbox with third-party backup software, you can simply restore it directly to its home information store. If you haven't made such a backup, but you have backed up the information store that contains the mailbox, then things still aren't too bad, thanks to a new Exchange Server 2003 feature, recovery storage groups (RSGs).

In one sense, RSGs are just like mailbox or public folder storage groups. However, you can restore only Exchange mailbox stores to RSGs. You can't restore public folders, and users can't access mailboxes in an RSG. Put simply, RSGs are for recovering mailbox data. More specifically, they are for recovering mailboxes and, in a more gross way than individual mailbox backups, they are for recovering items from mailboxes. Except for certain kinds of recovery (see the previous section for an example), RSGs eliminate the need to set up a special Exchange recovery server when you need to recover a mailbox or its content.

An Exchange 2003 server can have one and only one RSG. By default, the RSG does not exist. You must create it. To do so, right-click the appropriate Exchange server in Exchange System Manager and select New > Recovery Storage Group. This opens the Recovery Storage Group Properties dialog box, shown on the right side of Figure 17.2. You can change the names and location of the RSG's files if you wish. Click OK in the dialog box, and your RSG is created. As you can see in Figure 17.3, your new RSG exists on the same level as mailbox and public folder storage groups.

Figure 17.2: Setting parameters for a new Exchange Server 2003 recovery storage group

Figure 17.3: A new recovery storage group exists on the same level as mailbox and public folders

You must specify mailbox stores that are to be restored to the RSG. Right-click the RSG and select Add Database to Recover. Next use the Select Database to Recover dialog box, shown on the right side of Figure 17.4, to pick the database on your server that you want to recover. In the figure, I'm selecting the mailbox store in the first storage group on the server EXCHANGE01. Click OK to finish.

Figure 17.4: Specifying the Exchange database to be recovered to a recovery storage group

This opens a Properties dialog box for the mailbox store you have selected (see Figure 17.5). Note that the default public folder store and offline address list are specified, but cannot be altered. The same is true of other store information in the General property page. This is current information for the mailbox store you've selected. You can't change it because you want existing settings for the store you're going to recover to rule here. You can use the Database page of the Properties dialog box to change the location of the files that will hold the recovered mailbox store.

Figure 17.5: The General property page of the dialog box that opens when a database is selected for inclusion in a recovery storage group

When you're finished with the Mailbox Store Properties dialog box, click OK. As you can see in Figure 17.6, the mailbox store you selected is added to the RSG.

Figure 17.6: A new mailbox store in its recovery storage group

You can select as many mailbox stores to recover as you want as long as the stores reside in the same storage group. I have only one mailbox store in my first storage group, so if I were to select Add Database to Recover again, an error dialog box would open, telling me that there are no more databases to select.

At this point, if I restore the mailbox store in my first storage group, the restoration places the mailbox store backup into the RSG I created. The backup is not placed into my real first storage group, overwriting my existing production mailbox store. If the latter happened, I'd curse Microsoft until my dying day. Why, it would be a catastrophe of major proportions!

If you ever need to recover a mailbox store to its original storage group, just delete your RSG or at least the parallel mailbox store in the RSG. If you want to retain your RSG configuration, you can modify the registry on your Exchange server to override recovery to the RSG on the server. Be careful when editing the registry. Choose Start > Run, type REGEDIT in the Open field, and click OK. Find the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem. Click the key, right-click REGEDIT's right pane, and select New > DWORD. Name the new value Recovery SG Override, then double-click the object and enter 1 in the Value Data field. Whenever you need to recover to the RSG, set the value of Recovery SG Override to zero.
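The same registry value can be read and set from a script, so the current setting is checked before every restore instead of being remembered. This PowerShell example is added here and is not from the book; it assumes Windows PowerShell is installed on the Exchange server, and the function names are hypothetical.

```powershell
# Added example, not from the book. Function names are hypothetical.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
$ValueName = 'Recovery SG Override'

function Get-RsgOverride {
    # The value does not exist until someone creates it. An absent value is
    # treated here as 0, the default behaviour the chapter describes
    # (restores of stores added to the RSG go to the RSG).
    if (-not (Test-Path $KeyPath)) {
        throw "Registry key not found: $KeyPath"
    }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 0 }
    return [int]$item.$ValueName
}

function Set-RsgOverride {
    param([ValidateRange(0, 1)][int]$Value)
    $before = Get-RsgOverride
    # -Force creates the DWORD if it is missing and overwrites it if it exists.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
    "Recovery SG Override changed from $before to $(Get-RsgOverride)"
}

function Get-RestoreTarget {
    if ((Get-RsgOverride) -eq 1) {
        'Override = 1: restores bypass the RSG and go to the original storage group.'
    } else {
        'Override = 0 or absent: restores of stores added to the RSG go to the RSG.'
    }
}

# Report the current restore target; changes are made only when asked for explicitly.
Get-RestoreTarget
# Set-RsgOverride -Value 1   # restore to the original storage group
# Set-RsgOverride -Value 0   # back to restoring into the RSG
```

An override left at 1 after a production restore means the next restore also targets the original storage group, so run the check before starting any restore job.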

To recover a mailbox store to your RSG, you need to do a restore using an RSG-aware program. The backup program built into Windows 2003 is one such program. Most third-party products can also perform RSG mailbox restores.

In Figure 17.7, I'm using the Windows 2003 backup program to recover the mailbox store in the first storage group on EXCHANGE01. Notice that I've chosen to restore both the mailbox store database and its transaction log files. If you knew that the transaction log files contained actions that you didn't want applied to a mailbox, such as the deletion of the mailbox, you wouldn't want to recover the logs and have them applied to the mailbox store. I discuss this in more detail in the next section, in the sidebar 'Transaction Logs: To Replay or Not to Replay.' After specifying what to recover, click Start Restore.

Figure 17.7: Restoring a mailbox store and its transaction logs to a recovery storage group

At this point, the Restoring Database Store dialog box pops up. You're offered the opportunity to specify the Exchange server to restore to. Unless you're running your restore on a different server from the one with the RSG, leave the Restore To field as is. You do need to enter a directory to hold temporary log and patch files. I use a directory called \EXTMP for this purpose. Enter the name of your directory, and don't forget the disk drive letter if you use disk drive designations. If this is the last backup to be restored to the database, select Last Restore Set so that the log files are replayed into the database. If you wish, you can also select Mount Database After Restore. Finally, click OK to start recovery. In more or less time, depending on the size of the mailbox store you're recovering, the database is recovered to the RSG and, if you specified their recovery, the transaction log files are played into the database.

Warning If your backup includes a public folder store, don't select it for recovery to an RSG. Remember, RSGs are only for mailbox recovery. If you include a public folder store in a recovery to an RSG, the restore will fail.

Figure 17.8 shows the RSG with the mailbox store database recovered. Those little Xs next to the mailboxes indicate that the mailboxes are not active and you can't activate them. All you can do is merge their contents with existing mailboxes. To do this, you use the Exchange Mailbox Merge Wizard. The wizard merges data in the RSG version of the mailbox with data in the real version of the mailbox. As of this writing, the wizard is available at the following website: www.microsoft.com/exchange/2003/updates. The Mailbox Merge Wizard is well documented and pretty easy to use. I'll leave it to you to apply it to your recovery needs.

Figure 17.8: A recovery storage group with a restored mailbox store

Note Technically you can use the Exchange Mailbox Merge Wizard to recover items deleted from a user's mailbox. The problem is that with a merge, you can't see what items are being recovered. Depending on the age of the backup, you could wind up restoring tons of unwanted items. If you need to restore specific items to a mailbox, it's better to use the two techniques I discussed earlier in this chapter, in the section 'Recovering Mailbox Items.'

Recovering All or Part of an Information Store to an Exchange Server

If you have a problem accessing a mailbox or public folder store, your first recovery strategy should be to attempt to fix it. The program ESEUTIL.EXE is the tool you use to fix Exchange databases. You run ESEUTIL from a command prompt. Before you can run ESEUTIL on a mailbox or public folder store database, you should check to see if the database is mounted. Sometimes problem stores can't be mounted, but if the store is mounted, you have to dismount it to run ESEUTIL on its database. If you need to dismount a store, find the store in Exchange System Manager, right-click it, and select Dismount Store from the pop-up menu (see Figure 17.9).

Figure 17.9: Dismounting an Exchange mailbox store prior to running ESEUTIL against it

Warning ESEUTIL includes a number of options, and there are a number of precautions you should take before using it. I strongly urge you to read and make sure you understand everything in Microsoft Knowledge Base article number 317014. If the article isn't available, search the Knowledge Base for eseutil command line switches.

You can use ESEUTIL to do a variety of tasks. The following three tasks are the most useful when you're trying to recover a mailbox or public folder store database:

Checking the integrity (consistency) of a store [command line switch /g]

Recovering a store that is 'dirty' due to an unplanned shutdown; plays transaction log files into the store database [command line switch /r, plus the three-character log file base name, for example, E00; check \PROGRAM FILES\EXCHSRVR\MDBDATA for the base name of the log files you want to use]

to mount and access it. If you still can't access the database, dismount it again, run ESEUTIL in Repair mode, do an integrity check, and mount and try to access the database. If you still can't access the database, it's time to do a recovery from tape or disk.
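The two ESEUTIL switches named above (/g and /r) can be wrapped in a script that refuses to run against a mounted store and runs each step only when the previous result calls for it. This PowerShell script is an added example, not from the book; the file paths, the priv1.edb store name and the function names are assumptions, log and checkpoint files are assumed to sit in the same directory, and the script stops before Repair mode, which stays a manual decision.

```powershell
# Added example, not from the book. Paths and names below are assumptions.
param(
    [string]$Database = 'C:\Program Files\Exchsrvr\MDBDATA\priv1.edb',  # assumed store file
    [string]$LogDir   = 'C:\Program Files\Exchsrvr\MDBDATA',            # assumed log directory
    [string]$LogBase  = 'E00',                                           # log file base name
    [string]$EseUtil  = 'C:\Program Files\Exchsrvr\bin\eseutil.exe'      # assumed install path
)

function Test-FileUnlocked {
    # A mounted store keeps its database file open, so an exclusive open fails.
    param([string]$Path)
    try {
        $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $stream.Close()
        return $true
    } catch {
        return $false
    }
}

function Invoke-EseUtil {
    # Runs ESEUTIL from $WorkingDir and returns its exit code (0 means success).
    param([string[]]$Arguments, [string]$WorkingDir = (Get-Location).Path)
    Push-Location $WorkingDir
    try {
        & $EseUtil $Arguments | Out-Host      # show ESEUTIL's own report on screen
        return $LASTEXITCODE
    } finally {
        Pop-Location
    }
}

if (-not (Test-Path $EseUtil))  { throw "ESEUTIL not found at $EseUtil" }
if (-not (Test-Path $Database)) { throw "Database file not found: $Database" }
if (-not (Test-FileUnlocked $Database)) {
    throw 'The database file is in use. Dismount the store before running ESEUTIL.'
}

# Step 1: integrity check (/g). Nothing is repaired at this stage.
if ((Invoke-EseUtil -Arguments '/g', $Database) -eq 0) {
    'Integrity check passed. Mount the store and test access.'
    return
}

# Step 2: replay transaction logs (/r plus the log base name), run from the log directory.
'Integrity check failed. Replaying transaction logs.'
$rc = Invoke-EseUtil -Arguments '/r', $LogBase -WorkingDir $LogDir
if ($rc -ne 0) {
    "Log replay failed (exit code $rc). Decide between Repair mode and a restore from backup."
    return
}

# Step 3: check integrity again before trying to mount.
if ((Invoke-EseUtil -Arguments '/g', $Database) -eq 0) {
    'Integrity check passed after log replay. Mount the store and test access.'
} else {
    'Integrity check still fails. Decide between Repair mode and a restore from backup.'
}
```

The exit code is compared with zero rather than tested for "1 or greater" so that a negative ESEUTIL error code is not mistaken for success.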

Figure 17.10: Results of a database integrity check using ESEUTIL

If you have a tape or disk backup of a mailbox or public folder store in the information store, you can recover it to a storage group on an Exchange server. The storage group and mailbox or public folder store must have the same name as the original store, which means you can recover the store to the original Exchange server or to a clone of the original server. Exchange-aware backup programs make information store recovery very easy. You can recover an entire information store or specific mailbox or public stores within an information store. Be sure that the database you need to recover isn't mounted before starting a recovery.

Transaction Logs: To Replay or Not to Replay

When you recover an information store database, the content of available unprocessed transaction log files is written to the recovered database. This is called replaying transaction logs. If the logs contain stuff that's messing up your database in one way or another, you don't want them to be replayed. In many instances, you can prevent the replaying of logs during an information store database recovery. Check out Microsoft Knowledge Base article number 298901 for help. Also, watch for options to not replay logs in Exchange-aware backup programs. This option is included in the Windows Server 2003 built-in backup program as augmented by the installation of Exchange Server 2003.

Recovering an Entire Exchange Server

If you lose an entire Exchange server, how you recover it depends on how you backed up or didn't back up the original server. Your main goal is to get Windows and then Exchange up and running on the old server or a new one.

If you have a VSCS backup of your Windows/Exchange server, restore it, and you should be good to go. If you don't have a VSCS backup, you need to get Windows up and running on your server. There are a few ways to do this.

Restore Windows 2003 from an ASR backup

want to mess up Active Directory and such by doing a full, standard installation of the product. You want to nudge Exchange back to life as though it never died. You can do this by running the Exchange installation program with a special switch.

Finally, with the Exchange system back on your server, you need to restore the server's Exchange databases from information store backups. Let's look at each of these activities in more detail.

Restoring Windows 2003 and Exchange 2003 from a VSCS Backup

After only a little time with VSCS backups, I'm a dedicated fan. VSCS makes it so easy to recover Exchange servers. A restore slaps Windows 2003 and Exchange 2003 onto the old or a new server in a pretty much ready-to-go state. You might have problems with drivers if you are using hardware that is different from the hardware on the server you backed up. Such problems are usually easily solved and your server can be up and running in record time, and you're done with this section. Well, almost done. Check out the following warning before moving on to the next section.

Don't Forget That Metabase Backup You Made

Before we move on, I need to talk about restoration of the metabase. I showed you how to back up the metabase earlier in this chapter, in the section 'What to Back Up.' You should restore the metabase no matter which method you use to recover Windows 2003. If you don't restore the metabase, Exchange won't function properly. It is not enough that there is a metabase file in the correct directory. The file created when you backed up the metabase is the one that you need to restore. To perform the restore, copy the metabase backup file, metabase.bin, to the directory \WINNT\SYSTEM32\INETSRV\metabase.bin. Then, open Backup/Restore Configuration in Internet Services Manager, click the database, and choose Restore.

Restoring Windows 2003 from an ASR Backup

If you used ASR to back up your Windows 2003 system, you need to restore that backup. All you have to do is insert the ASR disk you made when doing your backup and turn on your server. It will boot up, and if all is well, ASR will access any attached disk or tape drives and begin recovery. You just have to be sure that the correct drivers are available for your backup device, if they're not included in Windows Server 2003's large library of drivers.

Using a Spare Server with Windows 2003 and Possibly Exchange 2003 Installed

If your ready-to-go spare server includes only Windows, then you need to install Exchange. For more on installing Exchange, see the upcoming section, 'Installing Exchange Server 2003.' If Exchange is already installed, then you just need to recover your Exchange mailbox and public folder stores. See the upcoming section 'Recovering Exchange Mailbox and Public Folder Stores' for more information.

Reinstalling Windows 2003 on a Server

You need to reinstall Windows. Then you have to restore System State and Active Directory (domain controllers only) data from backups. When you are finished with these tasks, you can move on to the next section, 'Installing Exchange Server 2003.'


Installing Exchange Server 2003

Once Windows is available and running, you need to focus on Exchange server. You can do a special installation of Exchange that sets things up pretty much as they were before your server crashed. Insert the Exchange CD and find the program SETUP.EXE. Select Start > Run, type D:\SETUP.EXE /DisasterRecovery (where D:\ is the drive letter and path), and click OK. With the DisasterRecovery switch, Exchange is installed without any modifications to Active Directory settings. Existing AD settings are used. The installation also sets the correct Exchange registry entries on your new server and builds the Exchange directory (folder) structure, including the BIN directory that contains the Exchange executables.

When the installation is finished, open Exchange System Manager. You should see your rebuilt server in the tree for your organization, and you should be able to open it and mess around a bit with its objects. Don't get too smug. You're not finished yet. You have to recover your Exchange stores. Move on to the next section.

Recovering Exchange Mailbox and Public Folder Stores

I discussed the recovery of Exchange stores earlier and I'm sure not going to repeat that discussion here :) So, if you will, please refer to the earlier section, 'Recovering All or Part of an Information Store to an Exchange Server.'

Testing Backups

Everyone who writes about backups always warns you to test your backups. Don't let the monotony of repetition lead you to ignore this warning. As many have said, a backup is useless if you can't restore from it. I test my backups when I first set them up, and then again whenever I change anything from server software and hardware to backup hardware and software. I restore to hardware that is as much like the hardware on my real server as possible, though I sometimes like to restore to really different hardware just to be sure I can handle some diversity.

A number of systems managers tell me that they just don't have the time to test backups. Actually, they usually use the past tense, as in 'I just didn't have time to test my backups.' And this is usually in response to calls from clients who have drifted far up the Exchange creek (crashed server) and now find themselves without a paddle (backup).

What can I say? If you really don't have time to test backups, tell your boss and ask for more resources or work with the boss to prioritize the tasks you have. While you're talking with bossy, be sure to add that without backup tests, you can't guarantee you'll be able to bring e-mail back up in case of a hardware or software failure. You can also use this argument when requesting the kinds of redundant hardware that I discussed at the start of this chapter. If nothing else comes of these discussions, you will have at least set your boss's expectations at a more realistic level should all or part of all hell break loose.

Disaster Recovery

From a hardware and software perspective, I have already talked about at least 90 percent of the disaster recovery puzzle. If you're an Exchange system manager and you've protected your servers with redundant hardware, especially interserver redundant hardware, or you can restore any crashed Exchange server under your management, you've pretty much got it made. If you also have to worry about Windows 2003 and you can bring a domain controller or stand-alone server back from the dead with VSCS or ASR backups or even clunky, more traditional backups, you're in a good place too.


Disaster recovery adds another dimension to the reliability and availability picture. You have to deal with simultaneous multisystem unavailability, up to and including the sudden disappearance of all or a major part of your server, storage, workstation, and networking systems. The cause of such a disaster can be anything from a terrorist attack to an earthquake to a building fire to a major power outage to a lightning strike.

Disaster recovery isn't usually fun to think about. There are so many variables, including the potential for astronomical costs, that it's easy to either go bonkers or avoid even thinking about the whole thing. The best way to calm yourself and your boss when disaster recovery rears its ugly head is by building and living by a set of best-possible, cost-realistic strategies that specify what you'll do to avoid disasters and the actions you'll take if disaster strikes.

In this section, I'll talk about

Disaster recovery strategies

The Tao of disaster recovery

Disaster Recovery Strategies

I buy my cars on the Internet now and I don't put up with any infamous dealer games such as those $1,500 sprayed-on paint-protection rip-offs. When I bought at the dealership, it always bugged me when the salesperson urged me not to worry about price and just test-drive the car I really wanted. I mean, my time is limited, and I can't see myself spending hours literally driving down dead-end roads when there's no way I could ever afford my ideal car.

Well, developing disaster recovery strategies can be like buying a car at a dealership. You call in a company that traffics in disaster recovery and before you know it, you've got a proposal for a multimillion-dollar solution. The solution, by the way, is usually quite impressive. If only you could afford it.

The first thing you need to consider when developing a disaster recovery strategy is what your organization does and how a disaster might affect what it does. If e-mail and related Exchange services are central to your organization's operation and bottom line, then you need a very aggressive disaster recovery strategy. If your organization could do without e-mail for a few days, then a less aggressive strategy should be acceptable.

In building your disaster recovery strategy, don't be driven by unrealistic assessments of the importance of e-mail. And don't take a seat on the curb in discussions about the role of e-mail in your organization. You live with Exchange. You know what users are doing with e-mail, and you hear user complaints when your Exchange system isn't available. Your goal must be to drive e-mail disaster recovery deliberation toward a solution that you are comfortable with, the checkbooks, egos, or misperceptions of your bosses notwithstanding. As strategies are considered, you need to make sure your management clearly understands the limits of each. This is not just to protect yourself, but to set realistic management expectations from the get-go.

Piggybacking on Non−E−Mail Disaster Recovery Strategies

Unless e-mail is all your organization does, it should have a disaster recovery strategy for other IT functionality. Adding e-mail to an existing strategy can be a relatively inexpensive option. But don't piggyback if you know the non-e-mail strategy won't work for e-mail. I've been in situations where e-mail was both more and less important than other IT functions. Management loved it when I told them that e-mail required a less aggressive disaster recovery strategy. They hated it when I pressed for a more aggressive (more expensive) strategy for e-mail.

I'm going to discuss five disaster recovery strategies, from the fanciest and most costly to the more mundane and reasonably priced. Remember that most of these strategies can be implemented in house or by a third party. Don't write off outsourcing for disaster recovery. For some organizations, it is a good, cost-effective option.

Here are the disaster recovery strategies that I'll cover in this section:

Offsite replication of an entire system

Warning: Keep in mind as you read through the discussion of disaster recovery strategies that a strategy is not a plan. Once you've selected the strategy or strategies that work for your organization, you should develop a written plan that provides specifics. You need to specify your strategy in detail and provide step-by-step up-to-date instructions for recovering after a disaster. You also need clear and up-to-date documentation for your hardware systems and the software running on them. And, once you've completed your disaster recovery plan, make sure paper and electronic copies are available off site. The best-laid plans have no value if you can't find a copy when you need it.

Offsite Replication of an Entire System

I live in Los Angeles. Any disaster recovery strategy I develop for my LaLaLand clients has to take into account the possibility of earthquake-related collapsing buildings and fractured WAN infrastructure. For those clients who need to operate without missing a beat and who can afford it, offsite replication of their entire system, including up-to-the-minute replication of data, is the right answer.

The idea is that the minute a production system takes a major hit, the offsite system becomes the production system. Appropriate IT and other staff go to the offsite location and begin doing their thing. While the transition is never going to be totally transparent, with networking switchovers and the loss of last-minute data to deal with, a total offsite strategy can get an organization up and running quickly.

One addendum to this strategy is to actually use the disaster site to conduct the organization's business. Staff at each site performs a portion of all or some of the IT and other business tasks of the organization. When disaster strikes, required personnel are already at the disaster recovery site and able to keep the organization running until reinforcements arrive.

As you can imagine, this sort of disaster recovery strategy is very, very expensive. It's for banks and other financial institutions, really big hospitals, and other corporate giants who both need this sort of quick recovery capability and can afford to put it in place.


None of my clients has placed their system in one of those bunkers built into a mountain in Colorado that you might have read about or seen in the movies. However, they have implemented less aggressive strategies where a replicated system is set up in a nearby structure and data is kept up to date, though not up to the minute, using tape backups. Often the offsite location is in a single-story building, which is less likely to be seriously damaged in an earthquake. They still have to worry about potential damage and loss of WAN infrastructure, but it's quite okay if these folks come back up within a day or so and not within minutes or hours of a disaster. So this strategy is fine for them.

Offsite Replication of Servers, Workstations, Disk Storage, Backup Hardware, Networks, Related Software, and Data

The major difference between this strategy and the previous one is that you don't replicate your entire production system off site. You replicate just enough of the system to get your organization back up and running in a reasonable time. In this disaster recovery scenario, you replicate hardware and operating system and applications software as required. However, you don't necessarily replicate data, being happy to recover data from backups shortly after a disaster strikes. You also don't necessarily replicate WAN links.

If you need to replicate data or even your entire disk storage system, consider the SAN systems that I discussed earlier in this chapter. Using capabilities built into SAN systems or the Windows Server 2003 cluster service, you can replicate the data on one SAN to another SAN. Such replication is fairly quick and well suited to disaster recovery strategies where data needs to be readily available after a disaster strikes.

This disaster recovery strategy works if your organization can stand up to a few days of downtime. You and other IT staff need to be ready to scramble to get things running, but you don't have to stand the staff expense and other costs associated with trying to build a full mirror of your production system.

Onsite Replication of an Entire System

This strategy is the same as the first one I discussed, except your replicated disaster recovery system exists in close physical proximity to your production system. This is a pretty fancy strategy, especially if you also have an offsite replication of your entire system. However, if you need to get up and running after a major system failure, onsite full-system replication might be the only answer.

Windows Server 2003 cluster services can play a major role here and in the next two strategies. Because your system is on site, you can use the very high-speed, server-to-server, server-to-storage, and server-to-network links that make clustering such a great server and storage replication solution. It won't solve all of your replication problems, but it takes care of major components in the replication equation.

Onsite Replication of Servers, Disk Storage, Backup Hardware, Networks, Related Software, and Data

As I'm sure you've gathered, this strategy is an onsite version of the second disaster recovery strategy I discussed previously. It can provide the tools you need to meet the operating requirements of your organization. As I noted in the last section, Windows Server 2003 cluster services can make this strategy much easier to implement.

Onsite Presence of Spare Server, Disk Storage, Backup and Network Hardware, Software, and Data

Under this strategy, you have spares at hand, but they're not kept up to date by replication. Rather, you activate spares when a disaster requires


Like so much of my discussion of disaster recovery strategies, this one brings to mind my earlier discussions of server recovery in nondisaster situations. I hope, as I come to the end of my relatively brief treatment of disaster recovery strategies, that you begin to synthesize the content of this chapter into a coherent view of the Exchange Server 2003 reliability and availability continuum.

The Tao of Disaster Recovery

A detailed discussion of actual disaster recovery operations is beyond the scope of this book. This whole chapter and the specific disaster recovery strategies that I've discussed provide detail and hints as to the how of disaster recovery. Your disaster recovery plan will provide the specific operational steps to be taken when a disaster occurs.

What I really need to talk about here is what might be called the Tao of disaster recovery. Taoism is a way of life that associates every aspect of existence with a kind of overarching spirituality. It mixes the right and left sides of the brain, and in so doing, can bring calm and understanding to even the most stressful experience.

I participated in disaster recovery operations after the September 11, 2001 tragedy in New York City. I wasn't on site and I didn't work for the biggies in the World Trade Center, but I was involved in a number of phone conversations with IT types in two buildings damaged but not destroyed by the airplane crashes. Most of what I talked about involved Exchange server recovery.

I'm a hands-on visual type, so I was especially nervous as I tried to provide help in a voice-only situation. I'm not a Taoist, but I've had enough exposure to the philosophy to know that going bonkers wasn't going to help. So I slapped myself in the face and began breathing in a consciously slow and regular manner before taking the first phone call.

It helped. I was relatively calm until I began talking to a bunch of people who had hours before seen two massive buildings collapse and kill thousands and who were worried about their own personal safety. Understandably, these folks were in a much worse state than I. My first suggestion to them was that they take a few minutes or even a few hours to relax, after, of course, clearing it with their bosses.

My clients agreed to try and called me back in 15 minutes to tell me that they had the go-ahead to wait for an hour. I strongly urged them to do anything but IT work during that hour. Given the mess that portion of New York was in, there wasn't a lot they could do. So they decided to see if they could help others in that hour.

Almost two hours later, my clients called back. It turned out that venturing out to help others made it very clear to them how lucky they were to be alive and still able to do their jobs. In spite of what they'd seen, my clients seemed calm and relaxed about the task ahead of us.

We took the recovery process in steps. After they got their power generator going, we started up their Exchange server, which had been pelted by a major portion of the ceiling and a bunch of heavy chairs from the floor above. Fortunately, they were able to shut off power to the server before its UPS had run out of battery power. Unfortunately, the server did not come back. Not only was their Exchange server dead, so were their two Windows 2000 domain controllers.

Not being major players in trade and finance, these folks didn't have any offsite disaster-recovery setup. They also had no real onsite setup. Fortunately, they had backups that were stored both on site and off site. And, they had two standby servers in a closet that more or less survived the disaster. The servers both worked, but didn't have current software on them.


So we set up a replacement Windows 2000 domain controller and recovered a backup of Active Directory to it. Then we set up a Windows 2000 server to support the Exchange server. At this point, I suggested we stop for 20 minutes and just talk about what was going on. I actually had a better view of things from Los Angeles by TV than they had in the still-smoky and dusty environment where they were working. This brief respite helped all of us relax, and we were able to recover the Exchange server fairly quickly.

The next day, employees were able to get some work done using internal e-mail. It took more than a week to get some sort of Internet connection running. It wasn't until several weeks later that they had their 1.5Mbps Internet connection back in place.

It took about four hours, including relaxation breaks, to get the job done. If we had pushed ourselves, I estimate it would have taken maybe 10 hours with all the mistakes we'd have made and had to correct. While these folks had a written plan for the recovery, they didn't have an easy-to-use checklist, which would have made things easier. They have one now.

The moral of this story is quite simple: Disasters are stressful. Don't try to recover from one when you're at your most stressed. And you can often make your job easier by involving someone who doesn't have the same emotional and job-related connection to your organization as you do. Don't call me. I'm disaster-recoveried out. However, you should try to get someone else involved in your recovery efforts, whether it's other Windows/Exchange system managers in your area or Microsoft or third-party consultants.

Now that you have some tools to increase the reliability and availability of your Exchange system, you're ready to tackle Exchange system security. As I noted earlier in this chapter, system security can affect reliability and security. So, after we both pause to take a few slow and regular breaths, I'll see you in the next chapter.

Summary

Providing users with reliable and available Exchange server services is a complex task. You have to combine redundant hardware with a whole range of backup and recovery strategies and, if the unusual should happen, disaster recovery strategies.

You have to pay attention to both intraserver and interserver hardware redundancy. RAID storage systems, including fiber-attached Storage Area Network (SAN) devices, should be used in any intraserver solution where redundant hardware is a requirement. Redundant server power supplies and fans are readily available and are relatively inexpensive. Redundant CPUs are also an option, though they are fairly new to the Windows server world. Error-correcting registered memory, though technically not fully redundant, can help ensure system reliability and availability.

Microsoft's own Windows server platform, with its cluster services, leads the market in providing Windows interserver redundancy. Clustered servers share standard RAID or SAN devices. They can benefit greatly from all forms of intraserver redundancy.

Backing up and restoring Windows Server 2003 and Exchange Server 2003 is easier than it was with earlier versions of the two products. An Automatic System Recovery (ASR) backup of a Windows 2003 server captures everything you need to reconstruct a stand-alone server or domain controller. A backup using Windows 2003's Volume Shadow Copy Service (VSCS) enhanced by Exchange 2003 APIs can provide a very easy to restore, internally consistent snapshot of a server. Older Windows and Exchange backup/restore methods work with the 2003 versions of the products, but they tend to require considerably more work than ASR or VSCS backups and restores.


A VSCS copy of an Exchange server could be used to restore a user mailbox or items in a user mailbox. However, there are better ways to accomplish this end. You can back up and restore individual mailboxes, but such a backup takes much longer than a backup of an Exchange storage group or mailbox store. You can back up and restore whole Exchange storage groups or the mailbox or public folder stores they contain. With Exchange 2003's new recovery storage groups, you can easily recover a mailbox from a restored mailbox store.

Hardware redundancy and mastery of backup and recovery strategies takes you a long way down the path to high server reliability and availability. It also gives you a leg up as you enter the complex world of disaster recovery. Disaster recovery strategies depend significantly on hardware redundancy and Windows and Exchange server backup and recovery strategies.

Good disaster recovery strategies and plans are based on a careful balance between organizational needs and the resources required to meet those needs. E-mail disaster recovery needs might or might not be met by an organization's non-e-mail disaster recovery strategies. When disaster recovery strategies are considered, it's most important that bosses and managers understand the benefits and disadvantages of each strategy. Whatever strategy or set of strategies is chosen, bosses and managers must have a clear set of expectations regarding what can be recovered in what time frame.

Disaster recovery strategies can range from complex and costly offsite replications of entire systems to the onsite presence of spare pieces of hardware. The mechanics of a recovery after a disaster are the easiest things to specify and carry out. Maintaining the presence of mind required to pull off a disaster recovery is not so easy, but just as important.


Chapter 18: Exchange Server System Security

Overview

There was a time when I didn't take e-mail server security all that seriously. My e-mail career started long before the emergence of the mass of weirdoes who attempt to earn their special place in hell by making their fellow humans miserable. I'll never forget the first server I lost to a worm virus that was deposited on the server over the Internet and slowly ate away at whatever rationality the then-current Windows operating system possessed. That was my wakeup call. Since then, I have been a zealous adherent to the practices of computing and networking system security.

In this chapter, I'll tackle some key security threats and talk about ways to deal with them This includes

Sabotage of computer and networking hardware

That's a pretty scary list. The good news is that security threat control is a thriving industry with lots of solutions. You have to pick your way carefully through a minefield of products and services, but the answers are there. To help you through that minefield, this chapter provides some grounding in security, especially as it relates to Exchange Server 2003. Additionally, I'll mention some security products that I like, and you'll find more in the Appendix, 'Cool Third-Party Applications for Exchange Server and Outlook Clients.' Let's get started.

Featured in this chapter:

So much security and so little time to implement it

So Much Security and So Little Time to Implement It

'Help,' I can hear you saying, 'there's already enough to do and you want me to deal with all that security stuff too?' I wish that I could tell you that some of the security threats listed earlier are more serious than others, but I can't. All of the threats are of equal import and any of them could put your organization temporarily out of business. If your organization doesn't have the wherewithal to deal with all of these security threats, then you'll have to draw up a priority list based on your assessment of each threat.

I suggest that you first harden the physical space where your servers and networking hardware are located. More on that in the next section. Then put your Exchange system behind a firewall, get some sort of anti-virus software running and assure that your servers are kept up to date with the latest Microsoft security

Date posted: 13/08/2014, 15:20