A Few Recommendations for Exchange 2010
The following is a partial list of items that I recommend be reviewed for all Exchange 2010 server deployments. The focus is to ensure that the environment is consistently configured, reliable, and performing optimally. This is not an official list, just something that I've been using for a while.
Server Build
- Confirm that hardware has been updated to the latest driver and firmware builds
- Verify that the latest software builds have been installed, including Exchange, antivirus, monitoring agents, filter packs, etc.
- Operating System is running the latest build and has the recommended OS hotfixes
Server Network Interfaces
- Know if your environment explicitly denies IPv6 network traffic. If so, then you may need to disable IPv6 on the NICs
- NIC teaming is great for the MAPI/Public adapters - but should be configured to use Fault Tolerance (not automatic or load balance)
- Network settings should be consistent on ALL servers, including driver, TCP/IP settings (e.g. DNS), and binding order
System Settings
- Server's Page File should be moved off of the system partition
- Server System Failure should be using Kernel Memory Dump
- Proper file-level antivirus exclusions should be configured, including for the file share witness, monitoring agents, cluster, IIS, and Exchange
Active Directory
- Verify that Active Directory has been properly configured (e.g. AD site links, no RODC, 64-bit GC/DC running 2008 R2 is preferred, etc.)
- AD replication time should be optimally configured and documented, and it should be confirmed that no replication errors are occurring
- All domain controllers are responsive (i.e. none are offline) and pass DCDIAG and other AD related tests
- Subnets should be properly defined within the AD Site design
Other Dependencies
- Confirm that the hardware (server, storage, network, etc.) is working properly without any errors or warnings being generated
- Network performance and reliability should be evaluated. If network is slow or unreliable, users will feel that pain!
- DNS should be reviewed for proper records and replication/configuration. Remove any old records that may impact messaging.
Client Access
- All AD sites are defined within your AutoDiscoverSiteScope, including client-only sites
- Enable Kerberos for the CAS Array
- Enable logging on IIS and the CAS and track which clients are accessing your environment
- Have recommended minimum client builds for your environment and know how to parse the logs to determine builds
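
One way to do the log parsing mentioned in the last two items, as an added example that is not part of the original post: it reads IIS W3C log lines, pulls the Outlook build out of the cs(User-Agent) field, and flags clients below a minimum. The log lines, the CONTOSO names and the $MinimumBuild value are constructed for illustration, and Get-OutlookClientBuild is a name chosen for this example.

```powershell
# Hypothetical minimum build; set this from your own client support policy.
$MinimumBuild = [version]'14.0.6000'

# Constructed IIS W3C log sample (not real traffic). The last line is truncated on purpose.
$SampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2012-03-01 08:00:01 POST /EWS/Exchange.asmx CONTOSO\alice 10.0.0.11 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6117;+Pro) 200
2012-03-01 08:00:05 POST /Autodiscover/Autodiscover.xml CONTOSO\bob 10.0.0.12 Microsoft+Office/12.0+(Windows+NT+5.1;+Microsoft+Office+Outlook+12.0.6423;+Pro) 200
2012-03-01 08:00:09 POST /Microsoft-Server-ActiveSync/default.eas CONTOSO\carol 10.0.0.13 Apple-iPhone4C1/1002.329 200
2012-03-01 08:00:12 POST /EWS/Exchange.asmx CONTOSO\bob 10.0.0.12 Microsoft+Office/12.0+(Windows+NT+5.1;+Microsoft+Office+Outlook+12.0.6423;+Pro) 200
2012-03-01 08:00:15 POST /EWS/Exch
'@ -split "`r?`n"

function Get-OutlookClientBuild {
    param([string[]]$Line, [version]$Minimum)
    $fields = @()
    $seen = @{}
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column order is declared per file and can change, so re-read it each time.
            $fields = @(($l -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if ($l -like '#*' -or -not $l.Trim()) { continue }    # other directives, blank lines
        $values = @($l.Trim() -split '\s+')
        if ($values.Count -ne $fields.Count) { continue }      # truncated or malformed line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # IIS writes spaces in the user agent as '+'.
        $ua = [string]$row['cs(User-Agent)'] -replace '\+', ' '
        if ($ua -match 'Outlook (\d+\.\d+\.\d+)') {
            $build = [version]$Matches[1]
            $key = '{0}|{1}|{2}' -f $row['cs-username'], $row['c-ip'], $build
            if (-not $seen.ContainsKey($key)) {                # report each user/IP/build once
                $seen[$key] = $true
                New-Object PSObject -Property @{
                    User = $row['cs-username']; ClientIP = $row['c-ip']
                    Build = $build; BelowMinimum = ($build -lt $Minimum)
                } | Select-Object User, ClientIP, Build, BelowMinimum
            }
        }
    }
}

Get-OutlookClientBuild -Line $SampleLog -Minimum $MinimumBuild |
    Where-Object { $_.BelowMinimum } | Format-Table -AutoSize
```

It only sees clients that send an Outlook user agent over HTTP (for example EWS and Autodiscover requests), and it needs the cs(User-Agent) and cs-username fields enabled in IIS logging. To run it on real data, pass the output of Get-Content on your IIS log files as -Line.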
Transport
- Confirm that EWS and OWA are properly configured to allow for your organization's message size limits
- Verify that message limits are consistently configured (server, global, connectors, etc.)
- Routing components should be evaluated, and any unnecessary transport settings removed (ex: Accepted Domains, Connectors, etc.)
Public Folders
- If using dedicated PF servers, PF should be configured to replicate to all of those servers (min of 2 copies)
- Does your Exchange-aware antivirus software scan Public Folder replication messages? Should it?
- To improve Public Folder access performance, remove deleted security objects from the client permissions
Security
- Should Administrator Audit Logging be enabled?
- Windows Firewall should be enabled and properly configured to work with all applications installed on the server
- Rarely should you modify the default RBAC groups. Rather make new groups and manage the permissions thru that model
Some other things...
- Go thru the Exchange Best Practice Analyzer health check
- Be sure to follow the Mailbox Storage Calculator - either provided by MSFT or by your storage vendor
- Determine your requirements for custom Client Throttling Policies (ex: service accounts)
- Have you set the External Post Master Address?
Hope this helps!
Doug