Insert a Windows Server 2003 CD into the Windows 2000 domain controller or map a drive to the files contained on the CD. Run the following command from the \i386 directory:

	> winnt32 /checkupgradeonly

Using a command-line interface

To produce a compatibility report from the command line, first you need to create a text file containing the following information:

[Unattended]

Win9xUpgrade = Yes

[Win9xUpg]ReportOnly = Yes

SaveReportTo = "\\server1\upgradereports\"

Save this file as unattend.txt, and then run the following from the command-line:

	> winnt32 /checkupgradeonly /unattend:c:\unattend.txt

The big question is: which audit settings should you enable? If you turned on everything, your server would start flooding your Security event log and ultimately it wouldn’t be very useful. In fact, there are no hard and fast rules for which settings you should enable.

All audit settings have three possible configurations: not configured, Success, and Failure. Not configured means auditing isn’t enabled for the setting, Success means log any applicable event that was successful, and Failure means log any applicable event that failed. Often, it is more useful to log Failure events since you want to discover someone who is attempting to perform an activity surreptitiously, which may mean doing it several times until successful.

With some settings, simply enabling Success or Failure won’t actually cause any events to be logged. You also have to enable auditing on specific objects, such as a particular file, before events will be audited. This is useful because in some cases, such as files and folders, you may only want to audit certain ones. If auditing were enabled for all files, the amount of events would render auditing unfeasible.

Using a graphical user interface

1. Open the Local Security Policy snap-in.

2. In the left pane, expand Local Policies -> Audit Policy.

3. In the right pane, double-click the setting you want to enable, and check the box beside Success and/or Failure depending on the types of events you want to audit.

You can force new auditing settings to be applied by running the secedit command on Windows 2000 or the gpupdate command on Windows Server 2003.

Run the following command on Windows 2000:

> secedit /refreshpolicy machine_policy

And run this command on Windows Server 2003:

> gpupdate /target:computer

MBSA has both a graphical and command-line interface. The MBSA graphical interface allows you to scan a single or multiple computers at one time (up to 10,000).

The MBSA command-line interface, mbsacli.exe, has the same functionality as the graphical interface. With it, you can easily automate periodic scans of your servers.

For more information on MBSA, including download instructions, see http://www.microsoft.com/technet/security/tools/mbsahome.mspx.

MBSA keeps itself up to date with the latest vulnerabilities and security updates by automatically polling Microsoft when you start the program. As of Version 1.2, you can alternately point MBSA at a SUS server to download the update catalog. This lets you determine what servers in your network are up to date according to your internal SUS server.

Using a graphical user interface

1. Open the Exchange System Manager (ESM) snap-in.
2. In the left pane, browse to the server and storage group that contains the mailbox store you want to manipulate.
3. Right-click on the mailbox store and select Dismount Store.
4. Click Yes when prompted to continue.

Using VBScript

' This code mounts/dismounts a Mailbox Store.

' ------ SCRIPT CONFIGURATION ------

strServer  = "<Exchange Server>"     ' e.g., ExchServer2

strSGName  = "<Storage Group Name>"  ' e.g., SG1

strMailStoreName = "<Database Name>" ' e.g., DB1

' ------ END CONFIGURATION ---------' Find Storage Group URL

strSearch = "CN=" & strSGName  & ","

set objSrv = CreateObject("CDOEXM.ExchangeServer")

objSrv.DataSource.Open strServer

for each sg in oSrv.StorageGroups

if (instr(1,sg,strSearch,1)>0) then strSGUrl = sg

next

' Generate Mailbox Store URL

strMBUrl = "LDAP://CN=" & strMailStoreName & "," & strSGUrl

' Open Mailbox Store

set objMb = CreateObject("CDOEXM.MailBoxStoreDB")

objMb.DataSource.Open strMBUrl

if (objMb.Status = 0) then

Wscript.Echo "Mailbox store is mounted, dismounting..."

objMb.Dismount

else

Wscript.Echo "Mailbox store is dismounted, mounting..."

objMb.Mount

end if

Wscript.Echo "Script completed successfully."

While the GUI provides only a listing of the domain controllers and global catalog servers in use, the WMI provider offers considerably more information. This additional information can be extremely important during troubleshooting, so you should have this script or something similar available to your Exchange Admins for troubleshooting purposes.

Using a graphical user interface

1. Open the Exchange System Manager (ESM) snap-in.
2. In the left pane, browse to the Servers container.
3. Right-click on the target server and select Properties.
4. Click on the Directory Access tab and view the domain controllers being used.

Using VBScript

' This code enumerates domain controllers being used.' ------ SCRIPT CONFIGURATION ------

strComputer = "<Exchange Server>" 'e.g., ExchServer2

' ------ END CONFIGURATION ---------set objWMI = GetObject("winmgmts:\\" & strComputer & _

"\root\MicrosoftExchangeV2")

set objDCList = objWMI.ExecQuery("Select * from Exchange_DSAccessDC",,48)

for each objDc in objDCList

Wscript.Echo "DCName: objDc.name"

strTemp = "Automatic"

if (dc.ConfigurationType=0) then strTemp="Manual"

Wscript.Echo "  Selection: " & strTemp

Wscript.Echo "  Is Fast  : " & objDc.IsFast

Wscript.Echo "  In Sync  : " & objDc.IsInSync

Wscript.Echo "  Is Up    : " & objDc.IsUp

Wscript.Echo "  Ldap Port: " & objDc.LDAPPort

strTemp = "Global Catalog"

if (objDc.type=0) then strTemp = "Config"

if (objDc.type=1) then strTemp = "Local Domain"

Wscript.Echo "  Role     : " & strTemp

Wscript.Echo "-----------"

Next

Wscript.Echo "Script completed successfully.

Depending on the version (Standard or Enterprise) of Exchange, you can have up to four storage groups per server and up to five mailbox stores per storage group. ESM enforces these limits, but it is possible to directly modify Active Directory to exceed these limits. If you create more databases or storage groups than allowed, the additional databases will not mount.

Mailbox stores are represented in Active Directory by the msExchPrivateMDB class. This class is not as simple as some of the other classes used by Exchange. In addition, several of the attributes hold binary data, so working directly with these Active Directory objects can be difficult via VBScript or command-line methods. One of the more notable attributes of the mailbox store objects is a back-link attribute called homeMDBBL. This multivalued attribute links back to all of the user objects that have mailboxes in this mailbox store.

Using a graphical user interface

1. Open the Exchange System Manager (ESM) snap-in.
2. In the left pane, browse to the server and storage group where you want to create a new mailbox store.
3. Right-click on the storage group and select New -> Mailbox Store.
4. Enter a name for the store, configure the settings on each tab, and click OK.
5. When prompted to mount the store, click Yes.

Using VBScript

' This code creates a Mailbox Store.' ------ SCRIPT CONFIGURATION ------

strServer  = "<Exchange Server>"          ' e.g., ExchServer2

strSGName  = "<Storage Group Name>"       ' e.g., SG1

strMailStoreName = "<MailBox Store Name>"  ' e.g., DB1

' ------ END CONFIGURATION ---------' Find Storage Group URL

strSearch = "CN=" & strSGName  & ","

set objSrv = CreateObject("CDOEXM.ExchangeServer")

objSrv.DataSource.Open strServer

for each strSg in objSrv.StorageGroups

if (instr(1,strSg,strSearch,1)>0) then strSGUrl = strSg

next

' Generate Mailbox Store URL

strMBUrl = "LDAP://CN=" & strMailStoreName & "," & strSGUrl

' Create/configure Mailbox Store and save it

set objMb = CreateObject("CDOEXM.MailBoxStoreDB")

objMb.DataSource.SaveTo strMBUrl

' Mount DataBase

objMB.Mount

Wscript.Echo "Successfully created mailbox store."

Depending on the version (Standard versus Enterprise) of Exchange, you can have up to four storage groups per server and up to five mailbox stores per storage group. ESM enforces these limits, but it is possible to directly modify Active Directory to exceed them. If you create more databases or storage groups than allowed by your version, the additional databases will not mount.

Storage groups are represented in Active Directory by the msExchStorageGroup class. This class has several attributes that have fairly intuitive string values and names and can be matched up to the options in ESM. Unfortunately, the raw Active Directory objects and attributes and their valid values for Exchange are not well documented. You can experiment with their settings, but do so only in a lab environment.

Using a command-line interface

A bad aspect of creating storage groups by direct Active Directory object manipulation is that you will not get warnings concerning the maximum number of storage groups allowed.

Using VBScript

The process of calling the CDOEXM interfaces to create storage groups is rather straightforward once you have the URL for the object’s location in Active Directory. In this solution, to get the storage group container’s distinguished name for the server, the script loops through all storage groups on the sever and sets strTemp to the URL value of the last storage group. This value is then parsed to get the parent container for the storage groups to build the new storage group URL.

Using a graphical user interface

1. Open the Exchange System Manager (ESM) snap-in.
2. In the left pane, browse to the server that you want to create a new storage group for.
3. Right-click on the server and select New -> Storage Group.
4. Enter a name, transaction log location, system path location for storage of temporary and recovered files, and click OK.

Using a command-line interface

First, create an LDIF file called add_sg.ldf with the following contents:

dn: CN=<Storage Group Name>,<ParentDN>changetype: add

objectClass: msExchStorageGroup

cn: <Storage Group Name>

showInAdvancedViewOnly: TRUE

systemFlags: 1610612736

msExchESEParamEnableIndexChecking: TRUE

msExchESEParamEnableOnlineDefrag: TRUE

msExchESEParamSystemPath: <Path to store system files>

msExchESEParamPageFragment: 8

msExchESEParamPageTempDBMin: 0

msExchRecovery: TRUE

msExchESEParamZeroDatabaseDuringBackup: 0

msExchESEParamBaseName: E01

msExchESEParamCircularLog: 0

msExchESEParamEventSource: MsExchangeIS

msExchESEParamCheckpointDepthMax: 20971520

msExchESEParamCommitDefault: 0

msExchESEParamLogFilePath: <Path to log files>

msExchESEParamDbExtensionSize: 256

msExchESEParamLogFileSize: 5120

Replace <Storage Group Name> with the name of the storage group, <ParentDN> with the distinguished names of the storage groups container for the appropriate server, <Path to store system files> with the filesystem path where you want system files (temporary and recovered files), and <Path to log files> with the filesystem path where you want exchange log files. Then run the following command:

>ldifde -i -f add-sg.ldf

Using VBScript

' This code creates a Storage Group.' ------ SCRIPT CONFIGURATION ------

strServer = "<Exchange Server>"      ' e.g., ExchServer2

strName   = "<Storage Group Name>"   ' e.g., SG1

strPath   = "<File Path>" & strName  ' e.g., D:\Program Files\ExchSrvr

' ------ END CONFIGURATION ---------' Create URL to Storage Group

Set objSrv = CreateObject("CDOEXM.ExchangeServer")

objSrv.DataSource.Open strServer

' This for loop is a bit of a hack to retrieve the first Storage Group

' in the collection. VBScript doesn't let you access specific elements

' of a collection the way Jscript can.

for each strSg in objSrv.StorageGroups

strTemp = strSg

exit for

next

strTemp = mid(strTemp,instr(2,strTemp,"cn",1))

strSGUrl = "LDAP://cn=" & strName & "," & strTemp

' Create/configure Storage Group and save it

set objSG = CreateObject("CDOEXM.StorageGroup")

objSG.MoveSystemFiles(strPath)

objSG.MoveLogFiles(strPath)

objSG.DataSource.SaveTo strSGUrl

Wscript.Echo "Successfully created storage group."

Recipient policy is too involved to do simply from the command line or through VBScript. Several of the values in the Active Directory msExchRecipientPolicy class are binary types, which are not trivial to manipulate with LDIF or VBScript. If you wish to programmatically create recipient policies, you can do it, but you will need to use something a bit more involved, such as Visual Basic or C++.

One note of warning: do not test the manipulation of recipient policies in your production environment. Changes to recipient policies get stamped on many or possibly all mail-enabled objects in the directory, and you could unintentionally bring down entire sections of your mail delivery system. Due to its widespread effect, you could have great difficulty getting it all back up and running quickly. One company that shall remain unnamed had gone through a merger process and was trying to standardize some of their mail systems. Unfortunately, they unintentionally changed the primary email address of more than 100,000 employees with one small incorrect recipient policy change. Due to the type of mistake, this wasn’t noticed internally. It took a couple of days for people outside of the company to notice and report the issue to the company before it was corrected. In the meanwhile, most email going into the company from the outside was not properly delivered.

Using a graphical user interface

1. Open the Exchange System Manager (ESM) snap-in.
2. In the left pane, browse to the Recipients -> Recipient Policies container.
3. Right-click on Recipient Policies and select New -> Recipient Policy.
4. Select the property pages you want on the recipient policy form and click OK.
5. Enter the recipient policy name.
6. Click on Filter Rules, click Modify, select the search criteria, click OK.
7. Read the warning message that is displayed and click OK.
8. Set the desired policies on the E-Mail Addresses (Policy) and Mailbox Manager Settings (Policy) tabs.
9. When you are done, click OK.

A curious point about address lists is that even though an LDAP filter is used to specify who should and shouldn’t be in the list, Exchange doesn’t actually use the filter to do an LDAP lookup against Active Directory. Instead, the RUS does its own compare on objects one by one. This is why you can’t specify a search base where the address list should start; it encompasses the entire forest including the configuration container. This means you need to be very careful with the filter so that it is limited to the objects you truly want displayed. A positive aspect of this implementation is that it doesn’t matter if you select indexed attributes for the filter. Since the RUS isn’t using LDAP to resolve the objects from the filter, performance is not affected by any indexes on the attributes. One final note: be careful if you use the preview button in the Exchange System Manager to verify the list’s validity. That method will use an LDAP query against Active Directory to display the values, and has no bearing on whether the list is built yet or even what will end up on it. It is possible in certain cases that the preview will not match with what you actually get in the address list.

Address lists are represented in Active Directory by the addressBookContainer class. This is a simple class. The main value, the address list filter, is stored in the purportedSearch attribute.

Using a graphical user interface

Using the GUI for this process is straight forward and is the most likely way you’ll want to create address lists unless you need to create a lot of them on the fly or you are importing them from a test lab.

Using a command-line interface

As mentioned previously, you need to be very careful with the filter you specify for the purportedSearch attribute. The slightest mistake can cause the filter to not produce any results or produce an incorrect or incomplete result set. A filter such as (!attrib=value) instead of (!(attrib=value)), while acceptable to Active Directory’s LDAP parser, will cause undefined results when interpreted by the RUS. The only way to verify that the list has been properly built is to manually compare what the query should generate with what has been generated.

To do this comparison, first generate a list of distinguished names that are members of the address list. This is done by using LDAP to query for all mail-enabled objects that have the address list distinguished name listed in the showInAddressBook attribute (e.g., (&(mailNickname=*)( showinaddressbook=cn=All Users,cn=All Address Lists,cn=Address Lists Container,cn=RALLENCORP,cn=Microsoft Ex-change,cn=Services, cn=Configuration,dc=rallencorp,dc=com)) ). Next, generate a list of distinguished names that are matched by the query you used for the address list. Finally, compare these lists.

Using a graphical user interface

1. Open the Exchange System Manager (ESM) snap-in.
2. In the left pane, browse to the Recipients -> All Address Lists container.
3. Right-click on the All Address Lists container and select New -> Address List.
4. Enter the address list name.
5. Click on Filter Rules, configure the filter settings, and click OK.
6. Click Finish.

Using a command-line interface

First, create an LDIF file called add_al.ldf with the following contents:

dn: CN=<Address List Name>,<ParentDN>changetype: addcn: <Address List Name>

displayName: <Address List Name>

objectClass: addressBookContainer

purportedSearch: <LDAP Filter>

systemFlags: 1610612736

Replace <Address list Name> with the name of the address list and <ParentDN> with the distinguished name of the Address Lists container in Active Directory (e.g., cn=All Address Lists, cn=Address Lists Container, cn=RALLENCORPMAIL, cn=Microsoft Exchange, cn=Services, cn=Configuration, dc=rallencorp, dc=com). Then, run the following command:

>ldifde -i -f add-al.ldf

Using VBScript

' This code creates an Address List.' ------ SCRIPT CONFIGURATION ------

strParentDN  = "<DN to All Address Lists Container>"

' e.g., CN=All Address Lists,CN=Address Lists Container,

' CN=RALLENCORPMAIL,CN=Microsoft Exchange,

' CN=Services,CN=Configuration,DC=rallencorp,DC=comstrObjClass = "addressBookContainer"

strALName = "<Address List Name>"   ' e.g., Sales Dept

strFilterAttrib = "purportedSearch"

strFilter = "<LDAP Filter>"   ' e.g., (&(department=sales)(homemdb=*))

' ------ END CONFIGURATION ---------

' Set Dynamic values

set objOU = GetObject("LDAP://" & strParentDN)

set objNewObj = objOU.Create(strObjClass,"cn=" & strALName)

objNewObj.Put "displayName",strALName

objNewObj.Put strFilterAttrib,strFilter

' Set static values

objNewObj.Put "systemFlags",1610612736

' Save object

objNewObj.SetInfo

Wscript.Echo "Successfully created address list."

This is an extremely powerful addition for Exchange, but you have to be careful because you can get into trouble with it. Unlike address lists, the query-based DL is resolved each time it is used with an actual LDAP query against Active Directory. This means that the query needs to be efficient. Used enough, a poorly designed query for the DL could severely impact Exchange and Active Directory performance. You will want to use indexed attributes and avoid bitwise operators, the NOT operator, and medial search strings as per normal Active Directory efficient programming guidelines. A medial search string is a search string that has a wildcard somewhere other than at the end of the string (e.g., *llen or j*e). See MSDN for more details (search for “Creating Efficient Active Directory Queries”).

Unlike every other object you can mail-enable, when you create a query-based DL you are not using the CDOEXM interface. However, when you create this object with ADUC, the Exchange Management tools must be loaded or the distribution list object will not be properly populated and will not function properly. When creating the object from script or command line, you directly set all of the Active Directory attributes of the msExchDynamicDistributionList object. The specific changes that need to be made are to the following attributes:

• displayName
• mailNickname
• reportToOriginator
• legacyExchangeDN
• systemFlags
• msExchDynamicDLBaseDN
• msExchDynamicDLBaseFilter

Using a graphical user interface

1. Open the ADUC snap-in.
2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, browse to the parent container of the new object, right-click on it and select New -> Query-based Distribution Group.
4. Enter the group name and mail alias and click Next.
5. Select the search base, enter the specifics of the filter, and then click Next.
6. Verify the summary and click Finish.

Using a command-line interface

First, you need to create an LDIF file called add_qbdl.ldf with the following contents:

dn: CN=<QB DL Name>,<ParentDN> changetype: addcn: <QB DL Name>displayName: <QB DL Name>

objectClass: msExchDynamicDistributionList

mailNickname: <mail nickname>

legacyExchangeDN: <legacy Exchange DN>

msExchDynamicDLFilter: <LDAP Filter>

msExchDynamicDLBaseDN: <BaseDN>

reportToOriginator: TRUE

systemFlags: 1610612736

Replace <QB DL Name> with the name of the address list, <mail nickname> with the mail nickname, <legacy Exchange DN> with the appropriate legacy Exchange DN value, <LDAP Filter> with the specific LDAP filter you want to be used to determine group membership, <BaseDN> with the base distinguished name you want used in combination with the filter, and <ParentDN> with the distinguished name of the container you want the group created in. Then run the following command:

> ldifde -i -f add-qbdl.ldf

Using VBScript

' This code creates and mail enables a Query-Based Distribution List.

' ------ SCRIPT CONFIGURATION ------strParentDN  = "<Parent DN>"

' e.g., ou=groups,dc=rallencorp,dc=comstrGroupName ="<DL Name>"

' e.g., Sales Dept

strBaseDN = "<Base DN>"        ' e.g., ou=mail,dc=rallencorp,dc=com

strFilter = "<Filter>"         ' e.g., (&( department=sales)(homemdb=*))

strLegacyDN = "<Legacy DN of Recipients>" & "/cn=" & strGroupName

' e.g. /o=RALLENCORPMAIL/ou=First Administrative Group/cn=Recipients

' ------ END CONFIGURATION ---------

' Set Dynamic values

set objOU = GetObject("LDAP://" & strParentDN)

set objGroup = objOU.Create("msExchDynamicDistributionList","cn=" & _

strGroupName)

objGroup.Put "msExchDynamicDLBaseDN", strBaseDN

objGroup.Put "msExchDynamicDLFilter", strFilter

objGroup.Put "displayName", strGroupName

objGroup.Put "mailNickname", strGroupName

objGroup.Put "legacyExchangeDN",strLegacyDN

' Set static values

objGroup.Put "systemFlags",1610612736

objGroup.Put "reportToOriginator",TRUE

objGroup.SetInfo

Wscript.Echo "Successfully created query-based DL."