Accepted Domains on two different Exchange organizations

I'd like to get some feedback on my plan of action from some of the experts out there.

The Situation:  I've picked up a new client with 4 domains across 3 forests with two different Exchange 2003 organizations.  The environment is unhealthy.  There are replication issues and other various problems caused by a malware outbreak.  To resolve this and simplify the network configuration, I am creating an entirely new forest, domain, and Exchange 2010 organization.  The existing Exchange setup consists of 9 accepted domains between the two servers.  Each one has its own set of domains.

The Plan:  The client wants to retain all 9 of the mail domains and obviously wants no disruption in mail flow between the organizations.  I've already built out a new domain and set up the Exchange 2010 servers.  I have added all of the mail domains as accepted domains.  I have set them all as Internal Relays and have placed a temporary connector to forward to the appropriate smart hosts.  As I understand from my research, this should allow any unresolved mail on the new Exchange org to get relayed to the old Exchange 03 orgs.  Is this correct?

From a mail flow standpoint, all 3 of these Exchange organizations are currently internet facing.  I am switching them to a 3rd party spam filtering service for the new org.  I realize that manipulation of public DNS will ultimately determine where the mail is going. If I stand up the new organization to receive all mail first then relay out accordingly, how can I still continue to make Active Sync work on the legacy environment?  Due to the state of the network, it has been decided that users are going to be created on the new domain and then mailboxes will be imported via PST one at a time.  As far as Active Sync is concerned, if I left all 3 mail servers internet facing and had MX records point to the new server and then set up public records for mail, mail2, and mail3, I should then be able to point Active Sync devices to the appropriate host.  Is this correct?

I apologize for being so long winded on this.  I would appreciate any feedback or suggestions anyone has.
Asked by: tasselhoff2000

1 Solution

Simon Butler (Sembee), Consultant, commented:
MX records have nothing to do with ActiveSync. Therefore if you don't touch the host name used by ActiveSync, it will continue to work.

For email flow, you are sharing the SMTP address space. See this article on Technet for the correct setup of this:
http://technet.microsoft.com/en-us/library/bb676395.aspx

Do recipient filtering on the third party spam service; if it cannot do recipient filtering, get another service.

Simon.

tasselhoff2000 (Author) commented:
Thank you for the response.  I know MX records have nothing to do with ActiveSync.  They would be updated to reflect the 3rd party spam service.  I was stating that I would set up 3 A records, one for each Exchange org, and direct ActiveSync on a per device basis.

As for the link, I read that prior and used its information to configure my connectors to the other Exchange orgs.

Why would the spam filter need recipient filtering?  I was under the impression that the filtering would be handled by configuring the accepted domains on the Exchange 2010 servers.  I basically understood it as EX10 passes the message to the mailbox database if the recipient exists.  If it doesn't, it then passes it through the respective send connector to the other Exchange servers in the other domains and forests.  Am I incorrect?

Simon Butler (Sembee), Consultant, commented:
Recipient validation should be the first thing that an anti-spam filter does, simply because it will drop a huge amount of email. My clients drop anything from 40 to as high as 80% of all email that attempts to deliver to their servers simply on recipient validation. That is a huge amount of traffic that doesn't have to be processed.

In this scenario it becomes more important because you are dependent on the first server not recognising the user and passing it on to the second server. That will mean your servers could be processing an awful lot of junk that you simply do not want. If the recipient validation has already taken place, then all that is being passed is valid email and not causing any kind of loops.

You cannot use recipient validation on Exchange because that will stop email for the second location from being delivered.

Simon.
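As an added example (not code from the thread), the Exchange 2010 side of the shared-address-space setup discussed above, expressed in Exchange Management Shell: the legacy mail domains as Internal Relay accepted domains, one send connector per legacy organization pointing at its smart host (the question mentions a single temporary connector; this generalizes to one per legacy org), and a check that Exchange's own recipient validation stays off, as Simon advises. All domain names, connector names and smart host names are placeholders; the recipient filter check assumes the anti-spam agents are installed on the Hub Transport server.

```powershell
# Added example, not from the thread. Placeholder names: replace with the client's real values.
# Legacy mail domains grouped by the Exchange 2003 smart host that still owns their mailboxes.
$legacyOrgs = @{
    'legacy-org1.example.com' = @('domain1.example', 'domain2.example')   # relayed to legacy org 1
    'legacy-org2.example.com' = @('domain3.example', 'domain4.example')   # relayed to legacy org 2
}

foreach ($smartHost in $legacyOrgs.Keys) {
    foreach ($domain in $legacyOrgs[$smartHost]) {
        # InternalRelay: deliver locally when the recipient exists here, otherwise route it onward.
        if (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $domain }) {
            Set-AcceptedDomain -Identity $domain -DomainType InternalRelay
        } else {
            New-AcceptedDomain -Name $domain -DomainName $domain -DomainType InternalRelay | Out-Null
        }
    }
    # One send connector per legacy org, scoped to that org's domains only, so unresolved
    # recipients for those domains go to the right smart host without a DNS/MX lookup.
    $addressSpaces = $legacyOrgs[$smartHost] | ForEach-Object { "SMTP:$($_);1" }
    New-SendConnector -Name "Relay to $smartHost" -AddressSpaces $addressSpaces `
        -SmartHosts $smartHost -DNSRoutingEnabled $false -Usage Custom | Out-Null
}

# Check: Exchange-side recipient validation must stay off. With it on, mail for mailboxes that
# still live on the legacy orgs is rejected here instead of relayed. Validation belongs on the
# third-party spam service in front of this server.
$rf = Get-RecipientFilterConfig
if ($rf.RecipientValidationEnabled) {
    Write-Warning "RecipientValidationEnabled is on; this breaks relay to the legacy orgs. Disabling."
    Set-RecipientFilterConfig -RecipientValidationEnabled $false
}

# Review the resulting routing configuration.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType -AutoSize
Get-SendConnector  | Format-Table Name, AddressSpaces, SmartHosts, DNSRoutingEnabled -AutoSize
```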
tasselhoff2000 (Author) commented:
Thanks for the clarification.  Does everything else sound sufficient to handle this migration?

Simon Butler (Sembee), Consultant, commented:
Everything else seems fine. This kind of migration is never neat and tidy.

Simon.

tasselhoff2000 (Author) commented:
You are correct about that.  Thanks again for the feedback and I'll mark as solution.