Backups

(page 41 of DOG)

Disaster Recovery Backups
An Exchange backup will be performed each weekday evening starting at 11:30 PM local time. The backup file, which is named servername.bkf (where servername is the name of the Exchange 2003 server), will initially be placed on your Exchange 2003 server, but will then be copied to your Active Directory global catalog server (GC). The GC will contain a directory for each weekday, and the backup file will be copied into the corresponding directory, overwriting the file from the previous week.
Due to infrastructure limitations, the KETS Exchange 2003 environment does not provide for any off-site backups of your Exchange 2003 data, so a disaster that destroys both the Exchange 2003 server and the GC will result in total loss of e-mail data. At district discretion, you can arrange for offsite disaster recovery backups using the methods described below for archival backups.

Archival Backups
Archival backups can be important for legal purposes as well as recovery from large-scale disasters. Keep in mind the disaster recovery backup files from the AD global catalog server will only cover five days.
If you want additional backups of your Exchange 2003 system for archival purposes, you may make copies of the backup files using the share on the GC that contains the disaster recovery backups. The share is named \\gcservername\ExBackups and all members of the DIST Support Admins security group have read access to the share and its contents.

User Data Recovery
User data recovery means restoring e-mail content for a user or group of users without restoring the entire system to a previous state; for example, restoring a particular message that was accidentally deleted. Exchange 2003 has two features, Deleted Item Retention and Deleted Mailbox Retention, which can be used for user data recovery in some cases; in other situations recovery is only possible from EXMERGE backups, which are a district responsibility.

Deleted Item Retention
Individual mail messages/items that end users delete are actually retained within the Exchange 2003 database and may be recovered up to 14 days after the deletion. This recovery can be performed by end users with the Outlook client software.
Deleted Mailbox Retention
Mailboxes that you delete (by adjusting OU membership) are actually retained within the Exchange 2003 database and may be recovered up to 30 days after the deletion. This recovery must be performed by OET.
EXMERGE Backups
If you want the ability to use EXMERGE backups to recover user data, you must create and safely store EXMERGE backups. You may want to schedule periodic EXMERGE executions to store all or part of user e-mail content. More information about create and restoring from EXMERGE backups may be found in the video referenced in section 5.1.2, "EXMERGE." EXMERGE backups are a district responsibility.

Procedures

Initiate Disaster Recovery
If OET detects that your Exchange 2003 system is not operating correctly and requires disaster recovery, OET staff will contact you to coordinate work. If you believe that your Exchange 2003 system needs disaster recovery, please contact the KETS Help Desk to initiate the process.
Recover a Deleted Mailbox
To arrange for recovery of a deleted mailbox, contact the KETS Help Desk. Mailboxes can only be recovered within 30 days of deletion.
Recover a Deleted Item
To recover a deleted item, use the Outlook 2003 "Recover Deleted Items" feature. For more information, search in Outlook 2003 Help for "Retrieve a deleted item". Items can only be recovered within 14 days of deletion.
Recover Content Using EXMERGE Backups
To recover content using EXMERGE backups, review the video referenced in section 5.1.2, "EXMERGE." You must have had EXMERGE backups in place before the item was deleted, and have those backup files available, in order to recover content using EXMERGE.

EXMERGE

(page 44 of DOG) 

EXMERGE, the Exchange Mailbox Merge utility provided by Microsoft, has a variety of uses in the KETS Exchange 2003 environment. A version of the utility that works against all versions of Exchange can be downloaded from:

ftp://ketsftp.k12.ky.us/Messaging/E2K3/Exmerge/exmergeallv.exe

You should install this utility on the same management workstation on which the Exchange 2003 System Management Tools have been installed. If you need assistance downloading or installing the utility, please contact the KETS Help Desk.

You may download a video illustrating various uses of EXMERGE from:

ftp://ketsftp.k12.ky.us/Messaging/Exchange 2003 Project/exmergevideo.zip

This video was made using Exchange 5.5, but the instructions and examples work in the KETS Exchange 2003 environment. One screen (Database Selection) is new in Exchange 2003. On this screen you choose to work with Student, Staff or Leadership mailboxes by choosing the database with the corresponding name. Note: The first database listed (FIRST STORAGE GROUP/MAILBOX STORE) contains system objects, not user mailboxes; do not make any changes in this database.

NOTE: If you need to recover large amounts of data (multiple users mailboxes), please contact the KETS Help Desk prior to running EXMERGE. They will notifiy OET to turn on circular logging to prevent filling up the log disks. Once you have completed the import using EXMERGE, contact the KETS Help Desk so they can notify OET to turn off circular logging.

Mailbox and Messaging Size Limits

(page 59 of DOG) 

Mailbox Size Limits
Mailbox size limits (measured in megabytes) are based on OU membership of the user as follows:

Mailbox size limit (in MB) by OU membership

OU	Warning	Prohibit Send	Prohibit Send & Receive
Leadership	200	250	300
Staff	45	50	60
Students	5	10	15

Message Size/Recipients Limits

Enterprise Message Size Limit
The enterprise message size limit is 10 MB, which is the Exchange 2003 default. This means that a single message, including any attachments, will only pass through the KETS Exchange 2003 environment (even within a district) if it is 10 MB or less in size. Messages larger than 10 MB will not be sent and the sender will receive a non-delivery report (NDR).
Routing Group Connector Size Limit
Each routing group connector is configured with a 5 MB limit. This means that a single message sized between 5 MB and 10 MB (including any attachments) which is destined outside the originating district will not be sent to its destination during regular business hours. Instead, it will be held by the Exchange 2003 server and sent between 6 PM and 6 AM local time. Messages destined within the district are not affected by this Routing Group Connector limit. If a message is destined to some addresses inside the district and other outside the district, it will be delivered immediately to the in-district addresses and will be queued for out-of-district addresses.
Enterprise Recipient Count Limit
The enterprise recipient count limit is 5000, which is the Exchange 2003 default. This means that a single message originating within the KETS Exchange 2003 environment that is addressed to more than 5000 mail destinations (including each individual member of any distribution groups) will not be sent. An end user attempting to send such a message will receive an error message. In those cases in which an end user has a legitimate need to send to more than 5000 recipients, you can adjust the limit for that user using ADUC.

OU and Address List Relationships

(simplified from pages 13-15, 62-67 of DOG)

 

Visibility of District Address Lists

		Viewing User
User, Contact, or Distribution List's OU	Address List	District Staff and Leadership	District Students	Outside Staff	Outside Students
Leadership	District Staff Staff & Resources Staff & Resources & Students	yes	yes	yes	no
_Exchange Resources	District Staff Staff & Resources Staff & Resources & Students	yes	yes	no (except state-required distribution lists)	no
_Groups	no email provisioning
Staff	District Staff Staff & Resources Staff & Resources & Students	yes	yes	yes	no
_Exchange Resources	Staff & Resources Staff & Resources & Students	yes	yes	no	no
_Groups	no email provisioning
Students	Staff & Resources & Students Students	yes	yes	no	no
_Exchange Resources	Students	no	yes	no	no
_Groups	no email provisioning

Provisioning

(page 7 of DOG)

When a new user is created in Active Directory, or certain changes are made to an existing user in Active Directory, the provisioning system is responsible for creating or modifying the corresponding Exchange 2003 mailbox. An OET-maintained provisioning script executes every weekday (5 days a week) at 7 pm local time on each district's Exchange 2003 system to check for changes to Active Directory and make the appropriate corresponding changes in the Exchange 2003 system.

Note: All Active Directory changes must be made between 7 AM and 6 PM local time in order for the scheduled script to make the related Exchange 2003 changes by the following morning.

KySTE Note: new mailboxes, changes in group membership to lock or delete mailboxes, and name changes will not occur until provisioning has taken place.  Be sure to inform users of this as you make changes.

Required and Optional Attributes

(page 12 of DOG)

Required Object Attributes
The required attributes of Active Directory user objects must have correct values. Use mixed case (John Doe, not JOHN DOE or john doe) for the first and last names of personal users.

Students
The following fields must be filled in correctly for students:

• First Name
• Last Name
• Department - must contain expected four-digit high school graduation year (like 2014).

All other fields that display in the Address Book must be blank in order to meet FERPA and Kentucky requirements for privacy of student information.

Staff
The following fields must be filled in correctly for staff (including Leadership):

• First Name
• Last Name

Resource
No specific fields are required for resource objects. Note that if the first name and last name fields are not filled in for a resource object, the SMTP prefix will be the same as the object's logon name.

NOTE: The special character "/" (forward slash) cannot be used in the following attributes: Name, First Name, Last Name and Alias. Additionally, the "/" cannot be used in the Leadership, Staff and Student sub-OU names

Optional Extension Attributes
Districts will be able to use five Active Directory extension attributes on mail-enabled objects of any kind (user, distribution group, mail-enabled security group, contact). These fields do not appear in any global address list or other address list and are useful for information that should not be publicized. The use and format of these fields will not be standardized by KDE and is completely at your discretion. The attributes are:

• ExtensionAttribute1
• ExtensionAttribute2
• ExtensionAttribute3
• ExtensionAttribute4
• ExtensionAttribute5

These attributes can only be edited from a machine on which the Exchange 2003 System Management Tools are installed.
Extension attributes six through fifteen are reserved for KDE use. These attributes may eventually have standard meanings and formats.

 

Security Groups Effecting Email Access

(page 10 of DOG)

Security group membership is used to control user access and activity for both e-mail end users and administrators. The Exchange-related security groups, which are not mail-enabled, are located within the Users and Groups sub-OU of the _District Admins OU and should not be modified, though you may change their membership.

DIST Staff District EMail Only
Any AD user object that is in the Staff or Leadership OU (or any of their sub-OUs) and which is added to this security group will only be able to send and receive e-mail within the district. The change will take effect immediately.

DIST Students District EMail Only
Any AD user object that is in the Students OU (or any of its sub-OUs) and which is added to this security group will only be able to send and receive e-mail within the district. The change will take effect immediately.

DIST Staff All Mailbox Access
Any AD user object which is added to this security group will be able to open any and all mailboxes that are related to AD user objects that are located in the Staff or Leadership OUs (or any of their sub-OUs); this can be used to inspect a particular mailbox or to export mailbox content. Members of this security group can also add contact objects and update e-mail addresses within the Staff and Leadership OUs (any any of their sub-OUs). The access provided by this group will take effect the next time the user logs in to the domain.

DIST Students All Mailbox Access
Any AD user object which is added to this security group will be able to open any and all mailboxes that are related to AD user objects that are located in the Students OU (or any of its sub-OUs); this can be used to inspect a particular mailbox or to export mailbox content. Members of this security group can also add contact objects and update e-mail addresses within the Students OU (and any of its sub-OUs). The access provided by this group will take effect the next time the user logs in to the domain.

DIST Public Folder Admins 
(optional) Any AD user object which is added to this security group will have the ability to manage your district's public folders. In addition, this group will own all of your district's public folders. This security group will only be created for districts that are using public folders. The access provided by this group will take effect the next time the user logs in to the domain. Note: This group should not be used to give end users access to individual folders; that type of access is granted using the permissions tab of the public folder (using the Outlook client).

DIST Staff Deleted Mailboxes
Any AD user object that is in the Staff or Leadership OU (or any of their sub-OUs) and which is added to this security group will not have a related mailbox created for it. If the AD user object currently has a related mailbox, the mailbox will be deleted by the provisioning system. The AD user object may still be used for other tasks, such as accessing file servers. To reverse this configuration and have the mailbox recreated, remove the user from the security group.

DIST Staff Locked Mailboxes
Any AD user object that is in the Staff or Leadership OU (or any of their sub-OUs) and which is added to this security group will not be able to access its related mailbox after the provisioning system's next execution. The mailbox will not be removed from the system. Although the mailbox is inaccessible to the user, all mail destined for the mailbox will be delivered. The AD user object may still be used for other tasks, such as accessing file servers. Important Note: To reverse this configuration and give the user access to their mailbox, remove the user from the security group.

DIST Students Deleted Mailboxes
Any AD user object that is in the Students OU (or any of its sub-OUs) and which is added to this security group will not have a related mailbox created for it. If the AD user object currently has a related mailbox, the mailbox will be deleted by the provisioning system. The AD user object may still be used for other tasks, such as accessing file servers. To reverse this configuration and have the mailbox recreated, remove the user from the security group.

DIST Students Locked Mailboxes
Any AD user object that is in the Students OU (or any of its sub-OUs) and which is added to this security group will not be able to access its related mailbox after the provisioning system's next execution. The mailbox will not be removed from the system. Although the mailbox is inaccessible to the user, all mail destined for the mailbox will be delivered. The AD user object may still be used for other tasks, such as accessing file servers. Important Note: To reverse this configuration and give the user access to their mailbox, remove the user from the security group.

SMTP Relaying

(page 61 of DOG) 

SMTP Relaying means configuring a mail system to accept messages on port 25 which are destined for another server. This feature is usually used by an application (such as a batch system or monitoring system) which needs to originate e-mail messages but does not have all the mail functionality to determine the proper final destination server for those messages. By default, Exchange 2003 systems in the KETS Exchange 2003 environment will not be configured for SMTP Relaying and you cannot change this configuration yourself. If you need this feature configured, please contact your KETS Engineer, who will submit a Direct Engineering Request.

Please note that ordinary use of Exchange 2003 by client software such as Outlook, Outlook Web Access, etc. does NOT require SMTP Relaying.

KySTE Note: Many application servers such as ISA and web servers may require SMTP relaying.

State-Required Distribution Groups

(page 9 of DOG) 

KDE requires districts to maintain certain distribution groups to support sending messages to teachers, principals, etc. statewide. OET creates and modifies KDE-required distribution groups but you are expected to keep the membership up to date. These distribution groups are located within the _Exchange Resources sub-OU of the Leadership OU. The groups are:

• All District Supt
• All District Prin
• All District EL Prin
• All District MS Prin
• All District HS Prin
• All District Teachers
•  All District EL Teachers
• All District MS Teachers
• All District HS Teachers
• All District IT Teachers
• All District KVHS (and subsequent KVHS DGs per school where applicable)

where District refers to District Name, with either Co for County or Ind for Independent (with no ending period).

Examples:

• All Franklin Co Supt
• All Frankfort Ind EL Prin

Contacting EHS Support

Who can contact support?

Any school district technology staff in the "DIST EMail Antivirus Notification" Active Directory group can contact EHS support directly. Microsoft will not provide support directly to end users of this service. Any issues encountered by end users should be communicated to the appropriate district technology staff and they should contact EHS technical support on the end users behalf.

How do I contact support?

Before contacting EHS technical support, it is highly recommended that school district technology staff create their own personal administrator accounts in the EHS Admin Center. This will allow school district technology staff to communicate directly with EHS technical support using their own e-mail address and their own login credentials, instead of using the shared "ehsadmin" administrator account. Creating personal administrator accounts can be accomplished by completing the steps below.

Creating Personal Administrative Accounts

1) Login to the EHS admin center (https://admin.global.frontbridge.com/) using the previously supplied ehsadmin@.kyschools.us credentials.
2) Click on "accounts" located on the menu bar across the top of the page.
3) In the "Manage Accounts" section of the page, ensure that "Create/Manage Account(s)" is selected in the "Select Action" dropdown box, and click the "Go" button.
4) Ensure that the school district's domain is selected in the "Select Domain" dropdown box, and click the "Go" button.
5) In textbox in section 3 ("Enter Addresses Manually OR Upload Addresses from a List") enter the e-mail address of each school district technical staff (one per line) in the "DIST Email Antivirus Notification" Active Directory Group, set "Spam Notifications" in section 4 ("Set Account Properties") to "No", then enter and confirm a temporary password in section 5 ("Assign Password To Accounts"). After verifying these settings, click the "Create Accounts" button at the bottom of the screen.
6) Click "Ok" on the window that appears asking "Are you sure you want to proceed with adding the user(s) to your Quarantine/AC list?".
7) Click "Proceed".

Assigning Administrative Permissions to Accounts

1) If not already, login to the EHS admin center (https://admin.global.frontbridge.com/) using the previously supplied ehsadmin@.kyschools.us credentials.
2) Click on "accounts" located on the menu bar across the top of the page.
3) In the textbox under the "Enter Account By Name" section, enter the first account name that you entered in the steps above, and click the "Search" button.
4) In the "Administrative Permissions" section of the user account that appears, click the "Add Permission" button.
5) In the "Select a domain" dropdown box, select your domain.
6) In the "Select a section" dropdown box, select "All Standard Areas".
7) In the "Privileges" section, select "Full".
8) Click the "Save Permission" button immediately below the "Privileges" section.
9) Repeat steps #4 through #8 and add the "Spam Quarantine/Quarantine Interface" permission.
10) Click the "Save Changes" button located at the bottom right of the window.
11) Click on "ADMINISTRATION" in the menu bar at the top of the screen.
12) Repeat steps #2 through #11 for each account you created in the previous section.
13) When finished, click "LOGOUT" in the menu bar at the top of the screen.
14) Login using your personal administrator account to ensure everything is working.
15) Give account information to other administrator's and ask them to login and change their passwords ASAP.

If you have any issues with the above steps, you can contact EHS technical support and they will walk you through this process. To contact technical support regarding this issue, call the EHS technical support line at (866)291-7726. When you're connected with a support agent, tell them that you have administrative level permissions on your domain ("adair.kyschools.us" for example) and that your e-mail address is "ehsadmin@.kyschools.us". The support agent will verify your permissions and provide you support in creating these accounts.

Exchange Hosted Services technical support can be contacted one of three ways:

1) Telephonically by calling (866)291-7726. When contacting support by phone, it will be necessary for you to inform the support agent that you have administrative level permissions on your domain ("adair.kyschools.us" for example) and supply them with your e-mail address ("john.smith@adair.kyschools.us" for example) so they can verify these permissions. After this process is complete, you will be able to obtain technical support for the issue you are calling about.

2) Via e-mail by sending a detailed description of the issue (and any e-mails that may be involved) to support@frontbridge.com.

3) Via the EHS technical support website at https://messaging.custhelp.com/.

What if I have problems with technical support?

If you are having trouble receiving support, please contact the KETS Service Desk at (866)KETS-HELP.

Reporting SPAM Abuse

Option 1:

To submit Outlook spam e-mail and Internet headers:

1. Open the message.
2. On the View menu, select Options.
3. Press CTRL-C to copy the text displayed in the Internet Headers window, and then close the Options window.
4. Go back to the original e-mail and click the Forward button.
5. Press CTRL-V to paste the headers into the top of the message. Leave a blank line between the headers and the message body.
6. Send this e-mail to abuse@frontbridge.com

Option 2:

The Junk Email Plug-In can be downloaded from EHS Admin Center. When you install it, it opens instructions on how to use the tool.

The following is a link to download the Plug-In:

http://www.microsoft.com/downloads/details.aspx?FamilyID=53541292-ce94-4c5b-9127-b7d56f11b619&displaylang=en

 

Administration Guide

KETS document created January 20, 2005

Adding Users to District Enterprise VPN User Group (Note: To be completed by District Technology Staff only).

1. Identify the users you will grant VPN access to your district.
2. Add those users to "_District Admins\Users and Groups\DIST Enterprise VPN Users" global security group.

   Open "Active Directory Users and Computers"
   
    
   Right click the "Dist Enterprise VPN Users" group and then select "Properties".
   
    
   Select the "Members" tab and click "Add".
   

   Enter the user object and/or groups that you wish to grant VPN access and then click "OK" for all open dialog boxes.

3. Provide User(s) with your Districts' Group ID and Password (received from KE).

Client Installation and Configuration Guide

KETS document updated November 1, 2007

Note:

• Before beginning, please click on Start - go to Settings - then Control Panel and select Add or Remove Programs
• When the next window populates, under Currently installed programs..., scroll down and select Nortel Networks Contivity VPN Client
• When Nortel Networks Contivity VPN Client item expands, click Change/Remove (you may be asked if you are sure or if you want to proceed, select Yes to all questions

KETS Enterprise VPN Client Download, Installation and Configuration.

1. Open Internet Explorer and open the following address:
   Windows XP - ftp://ketsftp.kyschools.us/VPN/KETS%20Enterprise%20VPN%20Client%20-%20XP.exe
   Windows Vista - ftp://ketsftp.kyschools.us/VPN/KETS%20Enterprise%20VPN%20Client%20-%20Vista.exe
2. Left click on "Run" in the following dialog box:
   
3. Several dialog boxes will open and then close during the installation process. Once the installation is complete you should see the following dialog box:
   
4. Verify that "Yes, I want to restart my computer now" is selected and left click on "Finish". Your system should now reboot.
5. Once the system reboots, left click on the "Start" button and then "Programs" or "All Programs". You should see a new folder called "KETS Enterprise VPN" which will contain three files/links. Left click on "KETS Enterprise VPN" to start the VPN application.
6. You should now see the following dialog box:
   
7. Left click on "Options" and then "Authentication Options" and the following dialog box should open:
   
8. Left click on the box to the right of "Group ID" and type in the Group ID you received from your District Technology Coordinator or TPOC.
9. Left click on the box to the right of "Group Password" and type in the Group Password you received from you District Technology Coordinator or TPOC.
10. Left Click on "OK". You should be returned to the following dialog box:
    
11. Left click "Save" to save the Group ID and Group Password changes.
12. Left click "Close" to complete the installation.
13. Contact the District Technology Coordinator or TPOC for User Name and Password information. For problems or issues with network connectivity, please contact the KETS Help Desk at ketshelp@education.ky.gov or by phone (866) 538-7435.

Making the connection to the KETS Enterprise VPN Server.

1. Left click on the "Start" button and then "Programs" or "All Programs" then "KETS Enterprise VPN" to start the VPN application.

2. You should now see the following dialog box:
   

3. Left click on the box to the right of "User Name" and enter your user name.
   (Note: This will be the same username that you use in your district or in the KETS Domain if a KDE User. If connecting from a district, please use the following convention for your username: \username, where would be replaced with your local district domain name.)
4. Left click on the box to the right on "Password" and enter your password. (Note: this password will be the same password your use to log into the machine(s) within your district.)
5. Left click "Connect" and the following dialog box will appear:
   
6. Click "Yes" to save. The client will now remember your user name (you will still be required to enter your password each time you connect to the VPN Server.
7. You should now see the following dialog box:
   
8. Left Click on "OK" and the following dialog box will appear:
   

Disconnecting from the KETS Enterprise VPN Server.

1. Right click on the KDE Logo in the system tray (lower right hand corner of your desktop). Then click "Disconnect Contivity VPN".
2. Contact the District Technology Coordinator or TPOC for User Name and Password information. For network connectivity issues, please contact the KETS Help Desk at ketshelp@education.ky.gov or by phone (866) 538-7435.

Vendor Account Creation

KETS document dated March 25, 2005

Procedures for Vendor VPN account request, creation and maintenance

1. KETS Enterprise VPN accounts will be created for Vendor representatives by the KETS Help Desk. Each account will be given a secure default password. The Vendor representative will use the KETS Enterprise VPN account per ‘Acceptable Use' (AUP) and change the password every 30 days when prompted*. District will identify need to provide Vendor access to the KETS network (example: HVAC controls, STI, Weather service, etc.)

2. District will stipulate, by email, receipt of a signed AUP from the Vendor representative to their KETS contact (KE), along with the name of the Vendor representative, Vendor email address and Vendor phone number,
3. The above mentioned KETS contact will then submit a Direct Engineering Request (DER) to the KETS Help Desk, by email (ketshelp@kde.state.ky.us), with information provided from 2. and stipulation that a signed AUP statement is on file at the district.
4. When all the above items are submitted to the KETS Help Desk, the KETS Enterprise VPN account will be created. Upon creation of the account, the KETS Help Desk will send an email to the Vendor representative. This email will contain the FTP link required to download the KETS Enterprise VPN client and VPN client installation instructions. The Vendor representative will be informed by email of the initial VPN login password and requirement that the Vendor representative change the VPN password after initial login. A separate email will be sent to district POC and KE confirming creation and email notification to vendor of new account.

* MAC (Apple) VPN client users requesting and receiving KETS Vendor VPN accounts will be supplied username and password required for login after account creation. Also, at this time, the available MAC VPN client does not provide ability for password change at any time. When 30 days has expired, and the MAC VPN client user cannot access the KETS Network, the user will simply contact the KETS Help Desk and request a VPN account password change.

KETS Help Desk - 1.866.538.7435 - 502.564.2002 - ketshelp@kde.state.ky.us