Microsoft Exchange Server 5.5 is a complex messaging platform that requires administration at many levels, ranging from routine chores, such as creating mailboxes, to more demanding responsibilities, such as capacity planning and monitoring. Managing tiered administrative permissions is a difficult endeavor in Exchange Server 5.5; as a result, delegating these administrative responsibilities to the appropriate person is a challenge. However, without a tiered system, you must choose between letting your organization's highly paid Exchange Server administrators be inundated by daily maintenance requests and expanding your Exchange Server administrative group to include staff members who have minimal technical skills and training. Discus Data Solutions claims to address this situation and other Exchange Server administrative problems in ExMS 2.5.
How It Works
ExMS's architecture consists of two parts: Messaging API (MAPI) forms that provide the interface you use to modify the Exchange Server databases, and the specialized ExMS mailbox agents that reside on the Exchange Server system and perform the tasks you specify through the MAPI forms. These mailbox agents run under an Exchange Server administrative account, acting as proxies between Exchange Server and the users you delegate to perform maintenance tasks. These users don't need to have administrative privileges on the Exchange Server system; instead, ExMS lets them rely on lower-level permissions to access the forms they need to do their jobs.
The software has four components that represent the four mailbox agents it installs on an Exchange Server system: ExMS Account Creator, ExMS Account Updater, ExMS Account Deleter, and ExMS Directory Integrity Agent. ExMS runs these mailbox agents as Windows 2000 or Windows NT services and represents them as special mailboxes in the Microsoft Exchange Administrator interface, as Figure 1 shows. You use these agents to create, delete, and update information in the Exchange directory database. Directory Integrity Agent lets you maintain your Exchange directory database and synchronize portions of this database with other databases in your organization.
ExMS comes on a CD-ROM along with a 145-page manual, which provides spotty documentation. Within its five sections, I found detailed and well-written sections next to areas that provided sparse information. For example, the manual provided no apparent mention of which server you should install ExMS on. I found the answer on Discus Data Solutions' Web site, then stumbled across this information later in the manual. In addition, the manual didn't include a section about how to troubleshoot problems with the software. On at least two occasions, a troubleshooting section would have saved me a call to the company's technical support staff. Finally, an index or quick-reference section would have helped me better navigate the manual.
To test ExMS, I used a small test network of eight PCs that included a mix of servers and workstations. On one of the workstations, a Dell Precision Workstation, I installed NT 4.0 Service Pack 5 (SP5) and Exchange Server. ExMS runs on both Win2K and NT, and you can install the software on the Exchange Server system or on a separate server.
After I inserted the CD-ROM, the setup wizard began and checked for prerequisite components, including Collaboration Data Objects (CDO), HTML Help, ActiveX Data Objects (ADO), and Active Directory Service Interfaces (ADSI). ExMS uses ADSI for the software's Lightweight Directory Access Protocol (LDAP) services to provide compatibility with Active Directory (AD). The wizard successfully installed these components, then prompted me for the Exchange Server system's name and the container in which to install the ExMS mailbox agents. The wizard then requested an NT account that had Exchange Server administrative privileges as well as Log on as a Service and Act as part of the Operating System rights under NT. I created this account and assigned it to the ExMS services. Setup then installed the ExMS forms in the default Microsoft Outlook profile's personal forms library, and installation was complete.
However, when I launched Exchange Administrator, I ran into trouble. The window displayed the four ExMS components as stopped, and the components failed when I attempted to start them. The documentation offered no help, so I called Discus Data Solutions' technical support staff. With their help, I discovered that setup hadn't correctly registered the ExMS services. To correct this problem, I added to the registry the necessary entries for the services.
Next, I discovered that I had mistakenly granted the administrator role to the ExMS service account at the organization level only. To rectify this error, I opened Exchange Administrator and assigned the Service Account Administrator role, which includes logon rights, to the ExMS service account at the Site and Configuration levels. After taking these steps, I was able to begin configuring the software's services.
To set each service's properties, I highlighted the service and clicked the properties toolbar button from the ExMS Administrator GUI. In the resulting properties window, you can set the service start parameters and specify the NT account under which the service will run. By default, the services are set to start manually.
Double-clicking any of the ExMS components in the ExMS Administrator window brings up the component's configuration dialog box. In this window, you can specify configuration items such as the Exchange Server and recipients container in which the mailbox agents will reside, the interval at which the agents check for change requests, and options for sending email notifications of changes. Figure 2 shows the Account Creator Configuration dialog box. In this window, you can configure the Account Creator to create an NT account concurrently with the creation of an Exchange mailbox. (The Account Creator mailbox agent logon account must be a member of the Domain Administrators group.)
Before I could test the software, I had to set the appropriate rights on the Exchange Server system and configure access to the ExMS forms. By default, ExMS installs the forms in the personal forms library of the default Outlook profile on the system on which you installed ExMS. To provide more general access to the forms, you can move them to the Organizational Forms Library on the Exchange Server system or to a public folder. I created a public folder for the forms library because a public folder provides the most flexible means for assigning access controls.
Next, you need to determine the delegates who will perform Exchange Server maintenance tasks, provide them access to the forms, and give them Modify User Attribute rights for the appropriate recipients container. These rights are necessary to let the delegates use the Account Updater to update the Exchange Server directory database.
Finally, you manage ExMS security by setting permissions on your forms library to let only the appropriate delegates access it. In addition, you set standard Exchange Server delivery restrictions on the ExMS agent mailboxes to exclude everyone but the appropriate delegates. The only exception to this setup is if you want everyone in your organization to be able to update his or her Exchange Server account information, in which case you need to lift the delivery restrictions on the Account Updater mailbox.
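Because the mailbox agents act with administrative rights on behalf of whoever can reach them, the three settings described above (forms library permissions, delivery restrictions on the agent mailboxes, and Modify User Attribute rights) are worth comparing against the intended delegate list. The following Python sketch is an added example, not part of the original review or of ExMS; the account names, the severity labels, and the use of None to mean "no delivery restriction set" are assumptions made for illustration.

```python
"""Audit ExMS delegation settings against the intended delegate list."""

def audit(delegates, forms_acl, accept_from, modify_attr, self_service=False):
    """Return a sorted list of (severity, finding) tuples.

    accept_from maps an agent mailbox name to the set of senders its
    delivery restrictions permit, or None when no restriction is set
    (assumed representation).
    """
    findings = []
    for agent, senders in accept_from.items():
        if senders is None:
            # Unrestricted is acceptable only for a self-service Account Updater.
            if not (self_service and agent == "ExMS Account Updater"):
                findings.append(("HIGH", f"{agent}: no delivery restriction"))
            continue
        for user in sorted(senders - delegates):
            findings.append(("HIGH", f"{agent}: accepts mail from non-delegate {user}"))
        for user in sorted(delegates - senders):
            findings.append(("INFO", f"{agent}: delegate {user} cannot submit requests"))
    for user in sorted(forms_acl - delegates):
        findings.append(("MEDIUM", f"forms library: non-delegate {user} has access"))
    for user in sorted(modify_attr - delegates):
        findings.append(("MEDIUM", f"recipients container: non-delegate {user} has Modify User Attribute"))
    for user in sorted(delegates - modify_attr):
        findings.append(("INFO", f"recipients container: delegate {user} lacks Modify User Attribute"))
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

# Constructed sample inventory (hypothetical account names).
DELEGATES = {"helpdesk1", "helpdesk2"}
FORMS_ACL = {"helpdesk1", "helpdesk2", "intern"}
ACCEPT_FROM = {
    "ExMS Account Creator": {"helpdesk1", "helpdesk2"},
    "ExMS Account Updater": None,
    "ExMS Account Deleter": {"helpdesk1", "contractor"},
}
MODIFY_ATTR = {"helpdesk1"}

def sample_findings(self_service=False):
    return audit(DELEGATES, FORMS_ACL, ACCEPT_FROM, MODIFY_ATTR, self_service)

if __name__ == "__main__":
    for severity, message in sample_findings():
        print(f"{severity:6} {message}")
```

Passing self_service=True models the exception described above, in which the delivery restrictions on the Account Updater mailbox are lifted on purpose.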
After I completed the services' configurations, I began testing the Account Creator, Account Updater, and Account Deleter by using delegate accounts to log on to the network. From each account, I launched Outlook, navigated to the forms library public folder that I had created, clicked the Actions drop-down menu, and chose one of the five available forms. The only hitch I ran into was that I needed to install Expression Services from the Outlook 98 installation CD-ROM on Outlook 98 clients to make the forms work. The Outlook 2000 clients worked without a problem.
Distribution list (DL) forms let me create new DLs or modify existing lists. The Create Distribution List form worked well for creating short DLs but often failed at creating lists that included more than 1000 users. When the creation failed, I received an email notification that the software successfully created the DL, but the list was actually empty.
The Updater Distribution List form had similar problems with lists that included more than 1000 users. I had to wait an average of 50 seconds for the software to display the membership of large DLs, and ExMS didn't apply the updates to the lists. I notified Discus Data Solutions about this problem, and the support staff informed me that a limitation in Outlook restricts the amount of data that you can enter into a form—the long DLs that I was creating and trying to update obviously breached that limit. To work around this limitation, Discus Data Solutions recommended using its Directory Integrity Agent to create and modify long DLs. Although this workaround was successful, I discovered that I could use the Outlook Address Book to modify lists in only a few seconds.
The three forms that let me manipulate the individual Exchange Server accounts were more reliable. To create an account, I opened the Account Creator form and filled the necessary fields. I chose the option to create a new NT account and clicked Send. I received an email notification that provided detailed information about the mailbox, the account, and the password.
The Delete Exchange Account form lets you set a grace period during which the software disables the specified Exchange Server account before deleting it. This feature is useful because you can reactivate a mailbox after it has been virtually deleted as long as you reactivate it within the grace period. After you complete and send the form, the Account Deleter mailbox agent handles the account deletion without further intervention. This component worked without a problem.
Finally, I wanted to test Directory Integrity Agent. This component is unique in that it works behind the scenes and has no end-user interface. Directory Integrity Agent includes a scheduler and uses VBScript rules that are imposed on recipient objects, such as mailboxes and DLs in designated containers. You can use Directory Integrity Agent to maintain consistency in the directory database, and, because this tool works with other ODBC-compliant databases, you can use it to populate, modify, and synchronize external data sources with the Exchange Server directory. This functionality would be helpful to many organizations that still rely on disparate processes and scattered databases to maintain employee information. For example, a technician in a human resources (HR) department that maintains employee records on an AS/400 would have to generate and send a report to an IT administrator who was in charge of updating the Exchange Server directory. Using Directory Integrity Agent, the IT administrator could schedule the software to automatically synchronize changes to the AS/400 database with the Exchange Server directory.
To assist Exchange Server administrators who have varying VBScript skill levels, ExMS provides about 40 sample scripts that require only minor modifications before you can use them. In addition, the software includes a rule editor and debugger that you can use to modify and create scripts. For customers who need help creating a simple script, Discus Data Solutions provides free expertise. If you need an elaborate customized script, the company offers fee-based professional services.
To test Directory Integrity Agent, I used a sample script to update mailboxes to include information from a Microsoft Access database. As a reference point, the script matched the employee number field in the Access database with a Custom Attribute number for the mailbox recipient. I created several mailboxes and assigned them each a unique Custom Attribute number. To configure Directory Integrity Agent, I double-clicked its icon in the ExMS Administrator window. In the resulting Directory Integrity Agent Configuration window, I right-clicked the Directory Integrity Agent icon and chose to create a new rule set. After I created the new rule set, I double-clicked the Script subtree icon and used the ExMS Rule Editor to import a sample script. I didn't need to modify the script, but I ran the software's safe-run script debugger to check the script syntax. Next, I ran the script to synchronize my Access and Exchange Server databases. After processing the script, Directory Integrity Agent sent me a notification email message that included the changes it made to the Exchange Server database. I used Exchange Administrator to check the recipients and found that the software had synchronized and updated the mailboxes correctly.
Despite struggles with the documentation, my overall impression of ExMS was positive. I ran into a few quirks and questioned some of the features of the DL forms, but I think the software provides a valuable service to organizations—particularly to their Exchange Server administrators. If you provide your organization's Exchange Server administrators with a means to delegate tasks, they will have more time to spend on high-priority tasks, such as maintaining a corporate message platform. Directory Integrity Agent is the most impressive of the product's tools and will give your organization new and creative avenues to integrate your Exchange Server database with disparate databases and consolidate some of your routine business processes.
Contact: Discus Data Solutions * 212-279-9090
Price: Based on users in the Exchange Directory; an installation with 1000 Exchange accounts starts at $7500; enterprise pricing available
Pros: Lets you delegate common Exchange Server administrative tasks; provides ExMS Directory Integrity Agent to help you integrate databases and improve your organization's business processes
Cons: Includes spotty documentation; has quirks in the installation process; provides distribution list forms that don't work with long distribution lists