By having an installation guide, Contoso will be able to ensure standardization across the enterprise, reducing Total Cost of Ownership, and easing troubleshooting steps.

The scope of this document is limited to installation of an Exchange 2007 Edge Transport server for Contoso on the Windows Server 2003 Enterprise x64 Edition operating system platform.

The operator should have working knowledge of Windows Server 2003 Enterprise x64 Edition concepts, Exchange Server 2007 concepts, the Exchange Management Console and Exchange Management Shell, the command line, and various system utilities. This document does not elaborate on the details of any system utility except as necessary to complete the tasks within.

In addition, the operator should review the Planning for Edge Transport Servers topic in the Exchange 2007 Online Help before implementing the server role.

This document assumes that Windows Server 2003 Enterprise x64 Edition is installed per company baseline regulations which include the latest approved service pack and hotfixes. The current service pack level is Windows Server 2003 Service Pack 2 for x64 Editions.

It is also assumed that the following are installed:

• Windows Server 2003 Service Pack 2 32-bit Support Tools are installed on the server as the tools are useful for troubleshooting.
  
  
• Windows Server 2003 Resource Kit Tools are installed on the server as the tools are useful for troubleshooting.
  
  

This document assumes that forest and domain preparation steps have been performed per How to Prepare Active Directory and Domains topic in the Exchange 2007 Online Help.

This document assumes that both Exchange 2007 and Windows Server 2003 will be secured following the best practices found in:

• Exchange Server 2007: Security and Protection
  
  
• Windows Server 2003: Windows Server 2003 Security Guide
  
  

  Important:
  The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.

This document also assumes that the host record for the Edge Transport server is generated within the internal forest's DNS so that the Hub Transport servers can locate the Edge Transport servers.

1. Verify that Remote Desktop is enabled.
   
   
2. As an optional process, install Microsoft Network Monitor.
   
   

The Edge Transport server will use DNS for the following two types of lookups:

• MX record lookups for DNSEnabled Send Connectors (this can be overridden on the connector).
  
  
• A record lookups to resolve Hub Transport servers for routing mail into the organization (HOSTS file can be used instead).
  
  

1. Log on to the server with an account that has at least local administrative access.
   
   
2. Click Start, Control Panel and right-click Network Connections, and select Open.
   
   
3. Locate the connection for the network(s) and rename it appropriately.
   
   
4. Right-click the network connection and select Properties.
   
   
5. Select Internet Protocol (TCP/IP) and click the Properties button.
   
   
6. Add or adjust the following items:
   
   
   1. Static IP Address, Subnet Mask, and Gateway.
      
      
   2. DNS Server IP Addresses.
      
      
   3. Check the box to Append parent suffixes of the primary DNS suffix.
      
      
   4. WINS IP Addresses (if using WINS).
      
      

Important:
Changing the DNS suffix will require uninstalling and reinstalling the Edge Transport server role, so be sure to set the DNS suffix properly before Edge Transport server installation.

1. Connect to the server via Remote Desktop and log on with an account that has local administrative access.
   
   
2. Follow the procedures from the Exchange 2007 Online Help topic How to Configure a DNS Suffix for the Edge Transport Server Role.
   
   

1. Connect to the server via Remote Desktop and log on with an account that has local administrative access.
   
   
2. Open the Disk Management MMC and format, rename, and assign the appropriate Drive Letters so that the volumes and DVD drive match the appropriate server configuration. At the very least, there should be a D drive for the Exchange binaries and the DVD drive should be configured as the Z drive. Refer to the Database Log LUN Appendix at the end of this document for the actual drive configuration that should be used.
   
   

   Drive configuration

   LUN	Drive letter	Usage
   1	C	Operating system
   2	D	Exchange binaries, tracking logs, databases
   3	E	Exchange transaction logs
   4	Z	DVD drive

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Insert the Exchange 2007 Configuration DVD.
   
   
3. Browse to \IE7\ and double-click IE7-install.bat.
   
   
4. Click Yes for any Digital Signature not Found dialog boxes that may appear.
   
   

   Note:
   These dialog boxes will not appear in environments that have not deployed the Windows Security templates.

5. Wait for all file copies to complete and restart the server.
   
   

All hotfixes are installed through a batch file. For a complete list of hotfixes that are installed, see Contoso server build DVD hotfix list. A sample hotfix list can be seen at Server Build DVD - Sample Hotfix List.

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access and was delegated local Administrator access.
   
   
2. Insert the Exchange 2007 Configuration DVD.
   
   
3. Browse to \W2K3-PostSP2\ and double-click W2K3-post-sp2.bat.
   
   
4. Click Yes for any Digital Signature not Found dialog boxes that may appear.
   
   

   Note:
   These dialog boxes will not appear in environments that have not deployed the Windows Security templates.

5. Wait for all file copies to complete and restart the server.
   
   

Installing the Edge Transport server role into a domain is an optional step. Domain membership provides the ability to manage the server via group policy, control access, utilize Microsoft System Center Configuration Manager 2007, and utilize Microsoft System Center Operations Manager.

However, the Edge Transport server should not be installed in the internal forest for security purposes.

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Click Start, right-click My Computer and select Properties.
   
   
3. Click the Computer Name tab.
   
   
4. Click Change.
   
   
5. Choose the Domain option button and enter the appropriate Domain name.
   
   
6. Enter the appropriate credentials.
   
   
7. Click OK and OK.
   
   
8. Click OK to close the System Properties.
   
   
9. Restart the server.
   
   

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Verify (or add if not already there) that the following accounts are members of the local administrators group on this server.
   
   

   Local administrators

   Item	Account	Description	Role
   1	Domain Admins	Domain Administrative Global Group	Administrator
   2	Root Domain\Exchange Organization Administrators	Exchange Administrators	Administrator

3. Verify that your user account is a member of a group which is a member of the local administrators group on the Windows Server 2003 server. If it is not, use an account that is a member of the local administrators group before continuing.
   
   

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Click Start, right-click My Computer and select Manage.
   
   
3. Expand to Local Users and Groups\Users.
   
   
4. Right-click Administrator and select Set Password. Change the password so that it meets strong complexity requirements.
   
   
5. Optional: Right-click Administrator and select Rename. Rename the account according to company regulations.
   
   

This section installs several useful tools that will aid administrators in Exchange administration and in troubleshooting support issues.

Note:
Debugging Tools for Windows will allow administrators to debug processes that are affecting service and determine root cause. For more information, see Debugging Tools for Windows - Overview.

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Insert the Exchange 2007 Configuration DVD.
   
   
3. Open a command prompt and browse to the \Support folder.
   
   
4. Run the following command where DVDROM-Drive is the DVD drive: E2K7Toolsinstall.cmd DVDROM-Drive (ex: E2K7Toolsinstall.cmd Z:).
   
   
5. Right-click the c:\Tools folder and select Properties.
   
   
6. Click the Security tab.
   
   
7. Click the Advanced button.
   
   
8. Clear Inheritance and copy the permissions.
   
   
9. Remove the Everyone (and if listed, the Authenticated Users) security principal.
   
   
10. Add the following groups, granting FULL CONTROL:
    
    
    1. SYSTEM
       
       
    2. The local Administrators group
       
       
    3. Creator Owner
       
       

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Click Start, right-click My Computer and select Properties.
   
   
3. Select the Advanced tab.
   
   
4. Under Startup and Recovery, click the Settings button.
   
   
   1. Under Write Debugging Information, change the memory dump drop-down list to Kernel Memory Dump.
      
      
   2. Click OK.
      
      
5. Under Performance, click the Settings button.
   
   
6. Click the Advanced tab.
   
   
7. Under Virtual Memory, click the Change button.
   
   
8. On servers that have a dedicated page file drive, follow these steps:
   
   
   1. For the C: drive, set the Initial Size (MB) value to a minimum of 200 MB. (Windows requires between 150 MB and 2 GB of page file space. The amount depends on server load and on the amount of physical RAM that is available for page file space on the boot volume when Windows is configured for a kernel memory dump. Therefore, you may be required to increase the size.)
      
      
   2. For the C: drive, set Maximum Size (MB) to the value of Initial Size.
      
      
   3. For the P: drive, type the result of one of the following calculations in the Initial Size (MB) box:
      
      - If the server has less than 8 GB of RAM, multiply the amount of RAM times 1.5.
      
      - If the server has 8 GB of RAM or more, add the amount of RAM plus 10 MB.
      
      
   4. For the P: drive, set Maximum Size (MB) to the value of Initial Size.
      
      
   5. Delete any other page files.
      
      
   6. Click OK.
      
      
9. On servers that do not have a dedicated page file drive, follow these steps:
   
   
   1. For the C: drive, type the result of one of the following calculations in the Initial Size (MB) box:
      
      - If the server has less than 8 GB of RAM, multiply the amount of RAM times 1.5.
      
      - If the server has 8 GB of RAM or more, add the amount of RAM plus 10 MB.
      
      
   2. For the C: drive, set Maximum Size (MB) to the value of Initial Size.
      
      
   3. Delete any other page files.
      
      
   4. Click OK.
      
      
10. Click OK to close the System Properties dialog box.
    
    
11. Click No if you are prompted to restart the system.
    
    

    Note:

    For more information on Page File recommendations, see the following articles: Configuring paging files for optimization and recovery in Windows Server 2003, in Windows 2000, and in Windows NT; How to determine the appropriate page file size for 64-bit versions of Windows Server 2003 or Windows XP; and Overview of memory dump file options for Windows Vista, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000.

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Click Start and select My Computer.
   
   
3. Right-click the D Drive and select Properties.
   
   
4. Click the Security tab.
   
   
5. Select the Everyone group and then click Remove.
   
   
6. Select Users and then click Remove.
   
   
7. Click Add and select the local server from Locations.
   
   
8. Grant the following rights as outlined in the following table.
   
   

   Drive permissions

   Account	Permissions
   Administrators	Full Control
   SYSTEM	Full Control
   Authenticated Users	Read and Execute, List, Read
   CREATOR OWNER	Full Control

9. Click the Advanced button.
   
   
10. Select the CREATOR OWNER permission entry and then click View/Edit.
    
    
11. Select Subfolders and Files Only from the drop-down list.
    
    
12. Click OK two times.
    
    
13. Click OK to close the drive properties.
    
    
14. Repeat Steps 3-10 for each additional drive (other than the C Drive).
    
    

This is an optional step and does not need to be followed for Edge Transport servers that are not deployed within a forest.

Submit a change request and have the computer object moved to the appropriate organizational unit (OU). If following the recommendations in the Exchange 2007 Security Guide, the OU will be \Member Servers\Exchange Backend Servers\Exchange EdgeTransport Servers.

This is an optional step and does not need to be followed for Edge Transport servers that are not deployed within a forest.

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Open a command prompt.
   
   
3. Verify that the server is in the correct domain and Active Directory site. At the command line run:
   
   

   	Copy Code
   NLTEST /server:%COMPUTERNAME% /dsgetsite

4. The name of the Active Directory site to which the server belongs will be displayed. If the server is not in the correct Active Directory site, submit a change request to the appropriate operations group and have the server moved to the appropriate Active Directory site.
   
   

This is an optional step and does not need to be followed for Edge Transport servers that are not deployed within a forest.

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Open a command prompt and change paths to the C drive.
   
   
3. Run the following command:
   
   

   	Copy Code
   dcdiag /s:<Domain Controller> /f:c:\dcdiag.log

   Note:
   Change <domain Controller> to a domain controller contained within the same Active Directory site as the Exchange server.

4. Review the output of C:\dcdiag.log file and verify that there are no connectivity issues with the local domain controller.
   
   
5. Repeat steps 3 and 4 for each domain controller in the local Active Directory site.
   
   

   Note:

   Domain Controller Diagnostics (DCDiag) is a Windows support tool that tests network connectivity and DNS resolution for domain controllers. If the account being used does not have administrative rights, several tests under the Doing primary tests heading may not pass. These tests can be ignored if the connectivity tests pass. In addition, the log file may report that some service validation tests did not pass. These messages can be ignored if the services do not exist on the domain controller.

Network Diagnostics (NETDIAG) is a Windows support tool that tests network connectivity and DNS resolution for workstations and servers. Look for tests that failed and messages designated as "FATAL," and use this information to isolate network and connectivity problems.

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Open a command prompt and change paths to the C drive.
   
   
3. Run the following command: netdiag /Q /L.
   
   
4. Review the output of C:\netdiag.log file and verify that there are no network or connectivity issues with the Exchange Server.
   
   

The following prerequisites will be installed through a batch file.

(This note should be updated to list the appropriate list of hotfixes for your environment.)

• Microsoft .NET Framework Version 2.0 Redistributable Package (x64).
  
  
• MMC 3.0 update is available for Windows Server 2003 and for Windows XP.
  
  
• .NET FW 2.0 Hotfix.
  
  
• Windows PowerShell 1.0 English Language Installation Packages for Windows Server 2003 and for Windows XP.
  
  

The installation steps are as follows:

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Insert the Exchange 2007 Configuration DVD.
   
   
3. Browse to \E2K7-PreReqs\ and double-click E2K7-prereqs.bat.
   
   
4. Click Yes for any Digital Signature not Found dialog boxes that may appear.
   
   

   Note:
   These dialog boxes will not appear in environments that have not deployed the Windows Security templates.

5. Wait for all file copies to complete and restart the server.
   
   

Though this document uses the command line method for installing the Exchange roles, the GUI can also be used. For more information about how to use the setup GUI to install an Exchange role, see the Exchange 2007 Online Help topic How to Perform a Custom Installation Using Exchange 2007.

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access and was delegated the Exchange Server Administrator role (or higher) if the server was pre-created.
   
   
2. Follow the procedure from the Exchange 2007 Online Help topic How to Install Exchange 2007 in Unattended Mode. For example, setup.com /r:MB /t:d:\exchsrvr.
   
   

All hotfixes are installed through a batch file. For a complete list of hotfixes that are installed, see the Contoso server build DVD hotfix list.

A sample hotfix list can be seen at Server Build DVD - Sample Hotfix List.

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access and was delegated local Administrator access.
   
   
2. Insert the Exchange 2007 Configuration DVD.
   
   
3. Browse to \E2K7-PostSP1\ and double-click E2K7-postsp1.bat.
   
   
4. Click Yes for any Digital Signature not Found dialog boxes that may appear.
   
   

   Note:
   These dialog boxes will not appear in environments that have not deployed the Windows Security templates.

5. Wait for all file copies to complete and restart the server.
   
   

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access and was delegated the Exchange Organization Administrator role.
   
   
2. Follow the procedure outlined in the Exchange 2007 Online Help topic How to Enter the Product Key.
   
   

1. Connect to the server via Remote Desktop and log on with an account that has local administrative access.
   
   
2. Follow the procedures from the Exchange 2007 Online Help topic How to Install the Security Configuration Wizard to install the Security Configuration Wizard.
   
   
3. Follow the procedures from the Exchange 2007 Online Help topic How to Register Exchange Server Role SCW Extensions to register the Exchange 2007 Edge Transport Server SCW extension.
   
   
4. Follow the procedures from the Exchange 2007 Online Help topic How to Create a New Exchange Server Role SCW Policy to configure and apply the policy.
   
   

By default, Exchange Server 2007 optimizes the server’s memory management for programs, which configures the server’s system cache as the default size.

1. Connect to the server through Remote Desktop and log on with an account that has local administrative access.
   
   
2. Click Start, right-click My Computer and select Properties.
   
   
3. Select the Advanced tab.
   
   
4. Under Performance, click the Settings button.
   
   
   1. Click the Advanced tab.
      
      
   2. Verify that the Processor Scheduling is set to Background Services.
      
      
   3. Verify that the Memory Usage is set to System Cache.
      
      
5. Click OK.
   
   

This is an optional step and need not be performed. If you would like to manually configure the settings (or if you need to as a result of the first Edge Transport server role being deployed), you can do so by reviewing the Appendix within this topic.

For more information about what information is and is not cloned, see the Exchange 2007 Online Help topic Using Edge Transport Server Cloned Configuration.

1. Connect to the server via Remote Desktop and log on with an account that has local administrative access.
   
   
2. Follow the procedures from the Exchange 2007 Online Help topic How to Configure the Edge Transport Server Role by Using Cloned Configuration Tasks to clone certain information from one Edge Transport server to another.
   
   
3. Verify that the cloned settings are applied by reviewing the customized settings on the source server with this server. (The Appendix within this topic may also be of help.)
   
   

Before executing the EdgeSync configuration process, review the Exchange 2007 Online Help topic Preparing to Run the Microsoft Exchange EdgeSync Service.

1. Connect to the server via Remote Desktop and log on with an account that has local administrative permissions.
   
   
2. Follow the procedures from the Exchange 2007 Online Help topic How to Export an Edge Subscription File to export the necessary information to enable synchronization to the Edge Transport Server from an Active Directory Site within the Exchange organization.
   
   
3. Follow the procedures from the Exchange 2007 Online Help topic How to Import the Edge Subscription File to import the Edge Subscription file into the Exchange organization and enable synchronization from the Active Directory site to the Edge Transport server.
   
   
4. Follow the procedures from the Exchange 2007 Online Help topic How to Force EdgeSync Synchronization to force immediate synchronization.
   
   

Before manipulating message size limits, review the Managing Message Size Limits topic from the Exchange 2007 Online Help.

1. Connect to the server via Remote Desktop and log on with an account that has local administrative access.
   
   
2. Click Start, All Programs, Microsoft Exchange Server 2007 and select Exchange Management Shell.
   
   
3. Modify the maximum receive message size limit according to company policy by running the following command where the value is qualified in either KB or MB:
   
   

   	Copy Code
   Set-ReceiveConnector "Default Internal Receive Connector *" -MaxReceiveSize <MaxReceiveSize>

This section is optional and may be skipped.

Domain Security refers to the set of functionality in Exchange Server 2007 and Microsoft Office Outlook 2007 that provides a relatively low-cost alternative to S/MIME or other message-level security solutions. The purpose of the Domain Security feature set is to provide administrators a way to manage secured message paths over the Internet with business partners. After these secured message paths are configured, messages that have successfully travelled over the secured path from an authenticated sender are displayed to users as "Domain Secured" in the Outlook and Outlook Web Access interface.

For more information, see the Exchange 2007 Online Help topic Planning for Domain Security.

1. Connect to the server via Remote Desktop and log on with an account that has local administrative access.
   
   
2. Follow the procedures in the Exchange 2007 Online Help topic Creating a Certificate or Certificate Request for TLSto create and initialize a certificate for TLS use with SMTP.
   
   
3. Follow the procedures from the Exchange 2007 Online Help topic How to Configure Mutual TLS for Domain Security to configure mutual TLS between the mail systems.
   
   

1. Connect to the server via Remote Desktop and log on with an account that has local administrative access.
   
   
2. Follow the procedures in the Exchange 2007 Online Help topic How to Configure Anti-Spam Automatic Updates to allow for anti-spam automatic updates.
   
   

1. Connect to the server via Remote Desktop and log on with an account that has local administrative access.
   
   
2. Verify that the MSExchangeTransport service is stopped. If it is not stopped, stop the service.
   
   
3. Create the folder E:\Exchange\QueueLogs.
   
   
4. Move the TRNxxxx.LOG and *.JRS files from <Exchange Install Path>\TransportRoles\Data\Queue to the E:\Exchange\QueueLogs.
   
   
5. Navigate to <Exchange Install Path>\bin.
   
   
6. Open the EdgeTransport.exe.config file in notepad and edit the following entry:
   
   

   	Copy Code
   <add key="QueueDatabaseLoggingPath" value="E:\Exchange\QueueLogs" />

7. Save the file.
   
   

1. Connect to an Exchange 2007 server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).
   
   
2. Verify that the MSExchangeTransport service is stopped. If it is not stopped, stop the service.
   
   
3. Create the E:\Exchange\Logs folder.
   
   
4. Move the folders that reside in <Exchange Install Path>\TransportRoles\Logs to the E:\Exchange\Logs folder.
   
   
5. Open the Exchange Management Shell and run the following commands:
   
   

   	Copy Code
   Set-TransportServer <ServerName> -ConnectivityLogPath "E:\Exchange\Logs\Connectivity" -MessageTrackingLogPath "E:\Exchange\Logs\MessageTracking" -ReceiveProtocolLogPath "E:\Exchange\Logs\ProtocolLog\SmtpReceive" -SendProtocolLogPath "E:\Exchange\Logs\ProtocolLog\SmtpSend" -RoutingTableLogPath "E:\Exchange\Logs\Routing"

6. Open a command prompt and start the transport service by running the following command:
   
   

   	Copy Code
   command net start MSExchangeTransport

1. Connect to an Exchange 2007 server via Remote Desktop, and then log on to the server by using an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).
   
   
2. Verify that the MSExchangeTransport service is stopped. If it is not stopped, stop the service.
   
   
3. Move to the <Exchange Install Path>\bin directory.
   
   
4. Open the EdgeTransport.exe.config file in Notepad, and then change the TemporaryStoragePath entry to point to the mail.que drive. By default, this path is "C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Temp."
   
   

   	Copy Code
   <add key="TemporaryStoragePath" value="<path of mail queue>" />

5. Save the file.
   
   

1. Connect to the server via Remote Desktop, and then log on by using an account that has local administrative access.
   
   
2. Start Registry Editor.
   
   
3. Locate the HKEY_LOCAL_MACHINE\CurrentControlSet\Services\ESE\Performance registry subkey.
   
   
4. Right-click Performance, point to New, and then click DWORD Value.
   
   
5. Type Show Advanced Counters to name the new value.
   
   
6. Double-click Show Advanced Counters.
   
   
7. In the Value data box, type 1, and then click OK.
   
   
8. Exit Registry Editor.
   
   

1. Using test mailboxes located on the Internet, send sample messages to various internal mailboxes and verify that mail is successfully delivered.
   
   
2. Send sample messages from internal mailboxes to various Internet test mailboxes and verify that the mail is successfully delivered.
   
   
3. If Domain Security was implemented between two mail organizations, test mail flow between the organizations and verify that the message is listed as “Domain Secured” in the receiving client.
   
   
4. Review the event logs and tracking logs and ensure the Edge Transport server is operating correctly.