Pro Exchange Administration
Understanding On-premises and Hybrid Exchange Deployments
3rd Edition
Jaap Wesselius

Pro Exchange Administration
Understanding On-premises and Hybrid Exchange Deployments
Third Edition

Jaap Wesselius
Michel de Rooij

Pro Exchange Administration: Understanding On-premises and Hybrid Exchange Deployments, Third Edition

Jaap Wesselius, MARKNESSE, Flevoland, The Netherlands
Michel de Rooij, VLEUTEN, Utrecht, The Netherlands

ISBN-13 (pbk): 978-1-4842-9590-8
ISBN-13 (electronic): 978-1-4842-9591-5
https://doi.org/10.1007/978-1-4842-9591-5

Copyright © 2023 by Jaap Wesselius and Michel de Rooij

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or
part of the material is concerned, specifically the rights of translation, reprinting, reuse of
illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way,
and transmission or information storage and retrieval, electronic adaptation, computer software,
or by similar or dissimilar methodology now known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark
symbol with every occurrence of a trademarked name, logo, or image, we use the names, logos,
and images only in an editorial fashion and to the benefit of the trademark owner, with no
intention of infringement of the trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if
they are not identified as such, is not to be taken as an expression of opinion as to whether or not
they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of
publication, neither the authors nor the editors nor the publisher can accept any legal
responsibility for any errors or omissions that may be made. The publisher makes no warranty,
express or implied, with respect to the material contained herein.
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Smriti Srivastava
Development Editor: Laura Berendson
Editorial Project Manager: Mark Powers
Cover designed by eStudioCalamar
Cover image by Jon Wicks on Pixabay (www.pixabay.com)
Distributed to the book trade worldwide by Springer Science+Business Media New York,
1 New York Plaza, Suite 4600, New York, NY 10004-1562, USA. Phone 1-800-SPRINGER, fax (201)
348-4505, e-mail orders-ny@springer-sbm.com, or visit www.springeronline.com. Apress Media,
LLC is a California LLC and the sole member (owner) is Springer Science + Business Media
Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
For information on translations, please e-mail booktranslations@springernature.com; for reprint,
paperback, or audio rights, please e-mail bookpermissions@springernature.com.
Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook
versions and licenses are also available for most titles. For more information, reference our Print
and eBook Bulk Sales web page at http://www.apress.com/bulk-sales.
Any source code or other supplementary material referenced by the author in this book is
available to readers on GitHub (github.com/apress). For more detailed information, please visit
https://www.apress.com/gp/services/source-code.
Paper in this product is recyclable
Table of Contents
About the Authors�������������������������������������������������������������������������������xv

About the Technical Reviewer����������������������������������������������������������xvii

Introduction���������������������������������������������������������������������������������������xix

Part I: Infrastructure and Exchange Server���������������������������������1


Chapter 1: Exchange 2019 Introduction�����������������������������������������������3
Exchange Server 2019 Editions����������������������������������������������������������������������������7
What’s New in Exchange Server 2019������������������������������������������������������������������8
What Has Been Discontinued or Deprecated in Exchange Server 2019�������������13
Exchange 2019 and Active Directory������������������������������������������������������������������14
Integration with Active Directory�������������������������������������������������������������������15
Active Directory Partitions�����������������������������������������������������������������������������15
Active Directory Permissions������������������������������������������������������������������������20
Active Directory Sites������������������������������������������������������������������������������������21
Exchange Online and Azure Active Directory������������������������������������������������������24
Exchange Server 2019 Architecture��������������������������������������������������������������������25
Exchange 2019 Services�������������������������������������������������������������������������������25
Exchange 2019 Client Access Services���������������������������������������������������������27
Exchange 2019 Mailbox Services������������������������������������������������������������������29
Exchange Server 2019 Management������������������������������������������������������������������30
Exchange Admin Center��������������������������������������������������������������������������������31
Exchange Admin Center in Exchange Online�������������������������������������������������36

iii
Table of Contents

Exchange Management Shell������������������������������������������������������������������������38


Exchange Online PowerShell�������������������������������������������������������������������������47
Virtualization�������������������������������������������������������������������������������������������������������51
Summary������������������������������������������������������������������������������������������������������������51

Chapter 2: Exchange Infrastructure���������������������������������������������������53


Designing Your Exchange 2019 Environment������������������������������������������������������54
Exchange 2019 Server Role Requirements Calculator����������������������������������56
Installation of Exchange 2019�����������������������������������������������������������������������������63
Hardware Requirements��������������������������������������������������������������������������������63
Software Requirements���������������������������������������������������������������������������������65
Installing Exchange 2019������������������������������������������������������������������������������67
Configuring Exchange 2019��������������������������������������������������������������������������������98
Virtual Directories������������������������������������������������������������������������������������������99
Configure an SSL Certificate�����������������������������������������������������������������������104
Create a Send Connector�����������������������������������������������������������������������������107
Receive Connectors�������������������������������������������������������������������������������������108
Accepted Domains���������������������������������������������������������������������������������������110
Create an Email Address Policy�������������������������������������������������������������������112
Relocate the Initial Mailbox Database (GUI Setup Only)������������������������������114
Relocate the SMTP Queue Database (Optional)�������������������������������������������116
Relocate IIS Log Files (Optional)������������������������������������������������������������������118
Enter a Product Key�������������������������������������������������������������������������������������119
Add Additional Mailbox Databases��������������������������������������������������������������119
High Availability�������������������������������������������������������������������������������������������������120
Mailbox Service High Availability�����������������������������������������������������������������121
Exchange Transport�������������������������������������������������������������������������������������������141
Transport Pipeline����������������������������������������������������������������������������������������142

iv
Table of Contents

Edge Transport Server���������������������������������������������������������������������������������174


Installing and Configuring Edge Transport Servers�������������������������������������176
Upgrading from Exchange 2013 or Exchange 2016������������������������������������������195
Moving to Exchange 2019���������������������������������������������������������������������������196
Installing Exchange 2019����������������������������������������������������������������������������200
Namespaces with Exchange�����������������������������������������������������������������������203
Moving Resources to Exchange 2019����������������������������������������������������������210
Summary����������������������������������������������������������������������������������������������������������216

Chapter 3: Managing Exchange��������������������������������������������������������219


Managing Databases����������������������������������������������������������������������������������������220
Rename a Mailbox Database�����������������������������������������������������������������������221
Move a Mailbox Database���������������������������������������������������������������������������221
Circular Logging������������������������������������������������������������������������������������������222
Quota Settings���������������������������������������������������������������������������������������������223
Assign an Offline Address Book�������������������������������������������������������������������226
Create a New Mailbox Database�����������������������������������������������������������������226
Delete a Mailbox Database��������������������������������������������������������������������������227
Online Maintenance�������������������������������������������������������������������������������������229
Managing Mailboxes�����������������������������������������������������������������������������������������233
Create a User Mailbox���������������������������������������������������������������������������������233
Mailbox-Enabling an Existing User Account������������������������������������������������235
Remove a Mailbox���������������������������������������������������������������������������������������237
Managing Mailboxes�����������������������������������������������������������������������������������239
Linked Mailboxes����������������������������������������������������������������������������������������������257
Managing Groups����������������������������������������������������������������������������������������������260
Create a New Distribution Group�����������������������������������������������������������������261
Mail-Enable an Existing Group��������������������������������������������������������������������261

v
Table of Contents

Manage Group Membership������������������������������������������������������������������������262


Group Membership Approval�����������������������������������������������������������������������263
Dynamic Distribution Groups�����������������������������������������������������������������������265
Moderated Distribution Group���������������������������������������������������������������������266
Expansion Server�����������������������������������������������������������������������������������������268
Remove a Distribution Group�����������������������������������������������������������������������270
Managing Contacts�������������������������������������������������������������������������������������������270
Mail-Enabled Contacts��������������������������������������������������������������������������������270
Mail-Enabled Users�������������������������������������������������������������������������������������272
Cumulative Updates and Security Updates�������������������������������������������������������273
Cumulative Updates������������������������������������������������������������������������������������274
Security Updates�����������������������������������������������������������������������������������������283
Monitoring and Reporting���������������������������������������������������������������������������������284
Monitoring Tools������������������������������������������������������������������������������������������285
Crimson Channel�����������������������������������������������������������������������������������������292
Performance Monitoring������������������������������������������������������������������������������296
Managed Availability������������������������������������������������������������������������������������307
Summary����������������������������������������������������������������������������������������������������������340

Part II: Office 365 Integration��������������������������������������������������341


Chapter 4: Azure AD Identities���������������������������������������������������������343
Cloud Identities�������������������������������������������������������������������������������������������������346
Synchronized Identities�������������������������������������������������������������������������������������347
Federated Identities������������������������������������������������������������������������������������������349
Azure AD Connect���������������������������������������������������������������������������������������������351
AD Connect Deployment������������������������������������������������������������������������������354
AD Connect Health���������������������������������������������������������������������������������������359

vi
Table of Contents

Chapter 5: Exchange Online��������������������������������������������������������������361


Exchange Hybrid Topologies�����������������������������������������������������������������������������365
Deploying Exchange Hybrid������������������������������������������������������������������������������370
Hybrid Configuration Wizard������������������������������������������������������������������������371
PowerShell: Connecting to Office 365���������������������������������������������������������������380
Connecting to Exchange Online�������������������������������������������������������������������381
Connecting to Azure Active Directory����������������������������������������������������������385
OAuth����������������������������������������������������������������������������������������������������������������386
Autodiscover in Exchange Hybrid���������������������������������������������������������������������391
Mailbox Migration���������������������������������������������������������������������������������������������395
Managing Remote Mailboxes����������������������������������������������������������������������408
Federation with Azure Active Directory�������������������������������������������������������������410
Sharing of Information��������������������������������������������������������������������������������������414
Organizational Relationships�����������������������������������������������������������������������417
Sharing Policies�������������������������������������������������������������������������������������������423
Internet Calendar Publishing�����������������������������������������������������������������������425
Mail Transport���������������������������������������������������������������������������������������������������426
Inbound Mail������������������������������������������������������������������������������������������������428
Centralized Mail Transport���������������������������������������������������������������������������430
Outbound Mail���������������������������������������������������������������������������������������������433
Enhanced Filtering���������������������������������������������������������������������������������������435
Exchange Online Archiving��������������������������������������������������������������������������������437
Message Tracking���������������������������������������������������������������������������������������������440
Recipient Management Only�����������������������������������������������������������������������������445
Summary����������������������������������������������������������������������������������������������������������450

vii
Table of Contents

Part III: Security����������������������������������������������������������������������451


Chapter 6: Publishing Exchange Server�������������������������������������������453
Virtual Directories���������������������������������������������������������������������������������������������458
Namespaces�����������������������������������������������������������������������������������������������������467
Split DNS�����������������������������������������������������������������������������������������������������������470
Certificates��������������������������������������������������������������������������������������������������������471
Requesting Certificates�������������������������������������������������������������������������������472
Exporting Certificates����������������������������������������������������������������������������������473
Importing Certificates����������������������������������������������������������������������������������475
Autodiscover�����������������������������������������������������������������������������������������������������476
Domain-Joined Clients��������������������������������������������������������������������������������478
Non-Domain-Joined Clients������������������������������������������������������������������������481
Autodiscover Redirect���������������������������������������������������������������������������������485
Autodiscover SRV Records��������������������������������������������������������������������������492
Autodiscover V2�������������������������������������������������������������������������������������������494
Client Connectivity��������������������������������������������������������������������������������������������496
Outlook��������������������������������������������������������������������������������������������������������496
MAPI over HTTP�������������������������������������������������������������������������������������������498
Web-Based Clients��������������������������������������������������������������������������������������499
Exchange Web Services������������������������������������������������������������������������������503
REST API������������������������������������������������������������������������������������������������������506
Mobile Clients����������������������������������������������������������������������������������������������508
IMAP and POP����������������������������������������������������������������������������������������������510
High Availability�������������������������������������������������������������������������������������������������511
Load Balancing�������������������������������������������������������������������������������������������������512
Health Check Monitors��������������������������������������������������������������������������������516
SSL Offloading���������������������������������������������������������������������������������������������517

viii
Table of Contents

Load Balancer Transparency�����������������������������������������������������������������������519


Up-Level and Down-Level Proxying�������������������������������������������������������������521
Azure AD Application Proxy�������������������������������������������������������������������������������521
Azure Front Door�����������������������������������������������������������������������������������������������531

Chapter 7: Email Authentication�������������������������������������������������������533


Sender Policy Framework���������������������������������������������������������������������������������534
Constructing the SPF Record�����������������������������������������������������������������������537
Checking the SPF Record����������������������������������������������������������������������������539
DKIM�����������������������������������������������������������������������������������������������������������������542
Exchange and DKIM�������������������������������������������������������������������������������������547
DKIM and Exchange Online Protection��������������������������������������������������������549
DMARC��������������������������������������������������������������������������������������������������������������552
Implementing DMARC����������������������������������������������������������������������������������554
DMARC Reporting����������������������������������������������������������������������������������������556
DNSSEC and DANE��������������������������������������������������������������������������������������������558
DNSSEC�������������������������������������������������������������������������������������������������������558
DANE������������������������������������������������������������������������������������������������������������559
MTA-STS�����������������������������������������������������������������������������������������������������������563
Summary����������������������������������������������������������������������������������������������������������566

Chapter 8: Message Hygiene and Security���������������������������������������567


Exchange Online Protection Introduction����������������������������������������������������������568
Connection Filtering������������������������������������������������������������������������������������������572
IP Allow and IP Block Lists���������������������������������������������������������������������������574
Tenant Allow/Block Lists (TABL)������������������������������������������������������������������578
Antimalware������������������������������������������������������������������������������������������������������585

ix
Table of Contents

Content Filtering�����������������������������������������������������������������������������������������������591
Anti-spam����������������������������������������������������������������������������������������������������592
Anti-phishing�����������������������������������������������������������������������������������������������598
Preset Security Policies������������������������������������������������������������������������������������605
Directory-Based Edge Blocking (DBEB)������������������������������������������������������������608
Summary����������������������������������������������������������������������������������������������������������609

Chapter 9: Authentication�����������������������������������������������������������������611
Hybrid Modern Authentication��������������������������������������������������������������������������613
Configuring an Enterprise Application���������������������������������������������������������628
Multifactor Authentication���������������������������������������������������������������������������������630
Conditional Access��������������������������������������������������������������������������������������������641
Client Access Rules�������������������������������������������������������������������������������������������648
SMTP AUTH�������������������������������������������������������������������������������������������������������651
Certificate Authentication���������������������������������������������������������������������������������659
Windows Extended Protection��������������������������������������������������������������������������664
PowerShell Serialization Payload Signing���������������������������������������������������������672
Summary����������������������������������������������������������������������������������������������������������675

Chapter 10: Permissions and Access Control�����������������������������������677


Role-Based Access Control�������������������������������������������������������������������������������678
RBAC Components���������������������������������������������������������������������������������������684
The Who�������������������������������������������������������������������������������������������������������686
The What������������������������������������������������������������������������������������������������������693
The Where���������������������������������������������������������������������������������������������������704
1+1+1=3: Management Role Assignments�������������������������������������������������714

x
Table of Contents

Split Permissions����������������������������������������������������������������������������������������������725
RBAC Split Permissions�������������������������������������������������������������������������������727
Active Directory Split Permissions��������������������������������������������������������������730
Summary����������������������������������������������������������������������������������������������������������732

Part IV: Compliance�����������������������������������������������������������������735


Chapter 11: Backup and Restore������������������������������������������������������737
Back Up an Exchange Server����������������������������������������������������������������������������738
Backup Technologies����������������������������������������������������������������������������������������739
VSS Backup�������������������������������������������������������������������������������������������������739
Back Up a Mailbox Database�����������������������������������������������������������������������744
Back Up Other Configuration Information����������������������������������������������������753
Restoring Exchange Server�������������������������������������������������������������������������754
The Restore Process������������������������������������������������������������������������������������762
Recovering an Exchange Server�����������������������������������������������������������������������771
Rebuilding an Exchange Server�������������������������������������������������������������������772
ESEUTIL and Corrupt Databases�����������������������������������������������������������������������777
Summary����������������������������������������������������������������������������������������������������������781

Chapter 12: Policy and Compliance��������������������������������������������������783


In-Place Archiving���������������������������������������������������������������������������������������������784
In-Place Archive Mailbox�����������������������������������������������������������������������������784
Enabling Archive Mailboxes�������������������������������������������������������������������������788
Disabling In-Place Archive Mailboxes����������������������������������������������������������791
Reconnecting Archive Mailboxes�����������������������������������������������������������������792
Checking and Modifying Archive Mailbox Quotas����������������������������������������793
Relocating the Archive Mailboxes���������������������������������������������������������������794
Exporting and Importing Archive Mailboxes������������������������������������������������795

xi
Table of Contents

Messaging Records Management���������������������������������������������������������������������796


Retention Policy Tags ... 797
Retention Policies ... 806
In-Place Hold and Litigation Hold ... 816
Enabling In-Place Hold ... 822
Disabling In-Place Hold ... 825
Litigation Hold ... 825
In-Place eDiscovery ... 829
Management of In-Place eDiscovery ... 830
Discovery Mailbox ... 831
Searching Mailboxes ... 833
Mail Flow Rules ... 841
Create a Transport Rule ... 842
Priority Ranking for Transport Rules ... 850
Journaling ... 851
Options for Journaling Rules ... 853
Create a Standard Journal Rule ... 857
Create a Premium Journal Rule ... 858
Configure an Alternative Journal Recipient ... 860
Data Loss Prevention ... 861
Creating DLP Policies ... 862
Importing and Exporting DLP Policies and Templates ... 872
Customizing Your DLP Policy ... 875
DLP Document Fingerprinting ... 878
Auditing ... 884

Table of Contents

Administrator Audit Logging ... 884
Administrator Audit Logging Options ... 888
Custom Logging Entries ... 890
Auditing Log Searches ... 890
Mailbox Audit Logging ... 897
Mailbox Audit Logging Options ... 898
Searches of the Mailbox Audit Logging ... 901
Bypass of Mailbox Audit Logging ... 908
Summary ... 909

Index ... 911

About the Authors

Jaap Wesselius is an independent consultant based in the Netherlands. As a consultant, Jaap has been working with Exchange Server since Exchange 5.0 in 1997. After working for Microsoft, he became an independent consultant in 2006. For his work in the (Exchange) community, primarily his blog on jaapwesselius.com and presentations on Microsoft events like TechEd and MEC, Jaap has received a Microsoft MVP award in 2007, an award he still holds in 2023. The first MVP category was Exchange Server, but over the years that has changed to Office Apps and Services. Besides working with Exchange, Jaap also works with Office 365, identity management, privacy, and security. Jaap is 56 years old and married, has three grown sons, and likes to ride his motorcycle, when possible.

Michel de Rooij is a consultant and Microsoft MVP since 2013. He lives in the Netherlands and has been working in the IT industry for over 20 years. Michel helps customers with their journeys related to Microsoft 365, with a focus on Exchange and Identity, but also related technologies such as Microsoft Teams or email in general. Michel has a developer background, but after a long-term Exchange-related project for a large multinational switched to Exchange and never looked back. Michel is also an enthusiastic fan of automating processes and procedures related to infrastructure, whether supporting projects or automating administrator tasks. Michel is active in online communities, such as the Microsoft Tech Community, or on social media such as Twitter (@mderooij). He runs a blog at eightwone.com, guest authors for several other sites, and speaks at international events.
About the Technical Reviewer

Vikas Sukhija has nearly two decades of IT infrastructure experience. He is Microsoft certified and has worked on various Microsoft and related technologies. He has been awarded seven times with the Microsoft Most Valuable Professional title.

Vikas is a lifelong learner, always eager to explore new technologies and expand his knowledge. He keeps himself up to date with the latest trends and developments in the field, ensuring that his reviews reflect the current best practices and industry standards. His commitment to continuous improvement and his passion for sharing knowledge make him an invaluable resource for technical content creators and readers alike.

With a strong foundation in Microsoft technologies, Vikas has continuously expanded his knowledge and skills throughout his career, adapting to the ever-evolving landscape of cloud. His deep understanding of the Microsoft ecosystem, including Windows Server, SQL Server, Exchange Server, Active Directory, and other technologies, allows him to provide comprehensive and insightful reviews of technical materials.

Vikas’s passion for automation and scripting led him to specialize in PowerShell and Python, where he has honed his skills in developing efficient and robust scripts for various administrative tasks. His expertise in PowerShell/Python ranges from simple automation scripts to complex solutions, empowering organizations to streamline their processes and enhance productivity.

His contributions can be browsed at the following sites and pages, of which he is the owner and author:

http://TechWizard.cloud
http://SysCloudPro.com
www.facebook.com/TechWizard.cloud
Introduction

A book about Exchange 2019—that is not something one would expect to be released, but after all these years, we are still amazed by the amount of Exchange deployments on-premises. We must admit though that most deployments are in a hybrid configuration, where mailboxes reside in Exchange on-premises or in Exchange Online (EXO) or both.

At the same time, we see a lot of old versions of Exchange Server on-premises, and these are all subject to upgrade anytime soon. Since Exchange 2019 is the only version that is currently in Microsoft mainstream support, this is also the version most customers migrate to.

This book is the third version of our Exchange on-premises book, but we have removed most of the Exchange 2016 content since Exchange 2016 is no longer in mainstream support, so the book only focuses on Exchange 2019. There is also a strong focus on hybrid scenarios, identity management, and security. It has the following chapters:

1. “Exchange 2019 Introduction”: This chapter covers the Exchange Server versions, licenses, and features that come and go in the product. Since an update of Exchange 2019 is released two times per year, new features are introduced in the same cadence. At the same time, features are deprecated as well, especially when it is about security. Part of the introduction is networking where Active Directory sites and services are discussed, with a focus on virtual networking in Microsoft Azure to host your on-premises Exchange servers in the Azure cloud.

2. “Exchange Infrastructure”: Chapter 2 is about installing and designing and building a solid Exchange 2019 infrastructure, including high availability.

3. “Managing Exchange”: An important chapter where not only the management of Exchange Server is discussed but also the management of all recipients in Exchange 2019.

4. “Azure AD Identities” covers the identity models supported when deploying hybrid identities.

5. “Exchange Online” talks about Exchange hybrid topologies, deploying Exchange hybrid, and some of the key topics in those scenarios.

6. “Publishing Exchange Server” talks about publishing Exchange, namespaces, availability, and how features such as Autodiscover need to be configured properly for the smoothest client connectivity experience. We also talk about using Azure Application Proxy to securely publish internal web applications such as Outlook on the Web.

7. “Email Authentication”: This chapter discusses Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). These are the most basic email authentication mechanisms that are more and more in use. Although these can hardly be used in Exchange 2019, they are used in Exchange Online. After discussing these topics, Domain Name System Security Extensions (DNSSEC), DNS-based Authentication of Named Entities (DANE), and Mail Transfer Agent Strict Transport Security (MTA-STS) are discussed briefly—briefly, because these are mechanisms that are still in development, even in Exchange Online.

8. “Message Hygiene and Security”: Chapter 8 discusses anti-spam and anti-phishing measures in Exchange Online Protection. This is by default available for mailboxes in Exchange Online, but Exchange Online Protection can also be purchased to be used in front of Exchange 2019.

9. “Authentication” talks about Hybrid Modern Authentication (HMA) to hand off authentication for your Exchange on-premises to Azure Active Directory with all additional benefits such as multifactor authentication (MFA) and Conditional Access. We also discuss Client Access Rules, SMTP AUTH, and certificate-based authentication and end with Windows Extended Protection to counter man-in-the-middle attacks.

10. “Permissions and Access Control” talks about Role-Based Access Control (RBAC) and when you might want to consider the split permissions model.

11. “Backup and Restore”: This is a traditional and Exchange 2019 on-premises chapter where the technologies and procedures around backup and restore in Exchange 2019 are discussed, not only backing up mail data but also restoring entire Exchange servers.

12. “Policy and Compliance”: This is a topic that is gaining more and more importance. The chapter discusses the options available in Exchange 2019 to safeguard your email data and make sure it is kept the right way and no data leakage can take place. Although these technologies are also available in Exchange Online, we only discuss them for Exchange 2019 since the approach in Exchange Online is so much different.

If you are in an Exchange hybrid scenario and want to manage your Exchange 2019 environment, this book can be very useful since it covers the most important topics in any Exchange deployment.
PART I

Infrastructure and Exchange Server

CHAPTER 1

Exchange 2019 Introduction

Exchange Server 4.0 was introduced in 1996, more than 25 years ago! Now, in 2023, Exchange Server is still around and still alive, despite the massive migrations to Exchange Online.

I must admit though that for a hybrid configuration, you need at least one Exchange server on-premises, but lots of customers still have mailboxes in Exchange Server on-premises. There are also customers that are legally not allowed to move their data to the cloud, and they must keep Exchange servers on-premises.

For these customers Microsoft has released its Exchange Server Roadmap, which you can find on https://bit.ly/ExchRoadmap. This roadmap outlines that Exchange Server is still alive and that Microsoft is still investing in Exchange Server.

At the time of writing, mid-2023, the only version of Exchange Server in mainstream support is Exchange 2019. This means that Microsoft is only developing new features and bug fixes for Exchange 2019. For Exchange 2016 there are no more developments going on, but Security Updates are still released for Exchange 2016.

© Jaap Wesselius and Michel de Rooij 2023
J. Wesselius and M. de Rooij, Pro Exchange Administration, https://doi.org/10.1007/978-1-4842-9591-5_1

Chapter 1 Exchange 2019 Introduction

In October 2025, support for both Exchange 2016 and Exchange 2019 will end, and a new version of Exchange Server will be released, at this moment with codename “Exchange vNext.” If you check the Exchange Server roadmap on a regular basis, you’ll see upcoming changes for the product, both Exchange 2019 and Exchange vNext.

Looking back over the years, three real major infrastructural changes can be identified in Exchange Server:

• Use of Active Directory: The first versions of Exchange Server had their own X.500 directory, which was used in combination with the NT4 directory. User accounts were created in the NT4 domain, and mailboxes were created in the Exchange directory. Exchange 2000 was the first version of Exchange that used Active Directory, and it still is up to today.

• 64-bit architecture: Exchange Server 2007 was the first version that was built on the x64 platform, although a 32-bit version for testing purposes was still available. Exchange Server was growing tremendously, and it hit the boundaries of the 32-bit architecture of Exchange Server 2003, which resulted in major performance issues. By moving to a 64-bit architecture, Microsoft was able to work on the performance issues, and performance has been improved with each new version.

• Managed code: Exchange Server 2013 was the first version that was 100% built on top of the .NET Framework, and as such it was really built from the ground up. I do not want to sound like a marketing guy, but this really was a big change. Another big change with the introduction of Exchange Server 2013 was that Exchange Server 2013 and Exchange Online shared the same codebase, which means that all releases and Cumulative Updates (CUs) of Exchange Server 2013 are a spin-off of Exchange Online. This was continued with Exchange Server 2016 but stopped with Exchange 2019, which now is a separate product compared with Exchange Online. This was clearly visible when the HAFNIUM vulnerability hit. Exchange servers on-premises were vulnerable, but Exchange Online was not.

Starting with Exchange Server 2013, Microsoft introduced a new servicing model based on Cumulative Updates or CUs. Microsoft releases a CU two times a year, and a CU contains fixes and new features when available. Microsoft stepped away from the concept of service packs; all features are now included in CUs. Because of the cumulative nature of the CUs, a CU contains all features and fixes of earlier CUs. Therefore, you can “jump” over several CUs, for example, from Exchange Server 2019 CU10 to Exchange Server 2019 CU13. There is no need to install CUs that are between those versions.

CUs are only released when the product is in mainstream support. When critical security issues are found and a product is in extended support, a Security Update (SU) is released. This happened in March 2021, when Microsoft released Security Updates for all Exchange servers in mainstream and in extended support for the HAFNIUM vulnerability. SUs are also cumulative, so the August 2023 Security Updates contain all previous Security Updates for the same CU. SUs are also CU specific, so a SU for Exchange Server 2019 CU13 is different from a SU for Exchange Server 2019 CU12. Microsoft typically releases SUs only for the current CU and the previous CU. For the HAFNIUM vulnerability, an exception was made. Because of the critical and dangerous nature of the HAFNIUM vulnerability, SUs were released for older CUs and even out-of-support Exchange builds as well, but this should really be considered an exception.
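Because a Security Update is CU specific and does not change the version that Get-ExchangeServer reports, a check of which CU and which SU each server actually runs is worth automating. The script below is an added example, not code from the book; it assumes PowerShell remoting to every Exchange server works and that the ExchangeInstallPath environment variable is present on the servers, as it is on a standard installation.

```powershell
# Added example (not from the book): inventory the CU and SU level of every
# Exchange server in the organization. Run from the Exchange Management Shell.
#
# AdminDisplayVersion (from Get-ExchangeServer) only changes when a CU is
# installed. A Security Update does not touch it; it changes the file version
# of ExSetup.exe on the server. Comparing both shows the CU a server is on
# and whether servers differ in SU level.

function Get-ExchangeBuildInventory {
    [CmdletBinding()]
    param(
        # Servers to inspect; defaults to every Exchange server in the org.
        [string[]]$Server = (Get-ExchangeServer | Select-Object -ExpandProperty Name)
    )

    foreach ($name in $Server) {
        $exServer = Get-ExchangeServer -Identity $name

        # ExSetup.exe carries the SU level in its product version, so read it on the server.
        $versionInfo = Invoke-Command -ComputerName $name -ErrorAction SilentlyContinue -ScriptBlock {
            $exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
            (Get-Item $exSetup).VersionInfo.ProductVersion
        }
        # Cast to [version] so sorting is numeric rather than string based.
        $exSetupVersion = if ($versionInfo) { [version]$versionInfo } else { $null }

        [pscustomobject]@{
            Server              = $name
            AdminDisplayVersion = $exServer.AdminDisplayVersion.ToString()   # CU level
            ExSetupVersion      = $exSetupVersion                            # CU + SU level
            Edition             = $exServer.Edition
        }
    }
}

$inventory = Get-ExchangeBuildInventory
$inventory | Sort-Object ExSetupVersion | Format-Table -AutoSize

# Flag servers whose ExSetup version differs from the most common one in the org,
# which is usually a server that missed a Security Update.
$expected = ($inventory | Where-Object ExSetupVersion |
    Group-Object ExSetupVersion | Sort-Object Count -Descending | Select-Object -First 1).Name
$inventory | Where-Object { "$($_.ExSetupVersion)" -ne $expected } | ForEach-Object {
    Write-Warning "$($_.Server) reports ExSetup $($_.ExSetupVersion); expected $expected"
}
```

Servers that cannot be reached over remoting show an empty ExSetupVersion and are reported as a warning, which is itself worth following up on before patch day.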

Exchange Server 2013, 2016, and 2019 are very similar and to some extent compatible. Over the years, there have not been major infrastructural changes to the product, but rather lots of improvements.

The first area of improvement is security with support for Windows Server Core, TLS 1.2, and blockage of the Exchange Control Panel (ECP) and Exchange Management Shell (EMS) externally.

Another area of improvement is performance and reliability. Performance improvement in Exchange Server 2019 is achieved by modern hardware support (Exchange Server 2019 now supports up to 256 GB memory!), a new search engine (which also improves failover times), and the MetaCache database (MCDB), a combination of large JBODs and SSDs.

There are also several client improvements, such as the “Do not forward” option in meeting invites, improved out-of-office support, and the option to remove calendar events (using PowerShell), possibly the most requested feature.

From a security perspective, Microsoft introduced new features, like Modern Authentication (CU13), the Exchange Emergency Mitigation Service (EEMS, CU11), or the Windows Antimalware Scan Interface (AMSI, CU10).

Of course, there are differences between Exchange Server 2013, 2016, and 2019, especially when it comes to features. But these versions also work together quite well. For example, it is possible to create a load-balanced array for Exchange servers with all three versions in this array. It does not matter on which Exchange server a client connection is terminated; the request is automatically proxied to the correct Mailbox server. This is extremely useful when upgrading your Exchange environment from Exchange 2013 or Exchange 2016 to Exchange Server 2019.

There is one major difference between Exchange Server 2013 on one hand and Exchange Server 2016 and 2019 on the other hand. Exchange Server 2013 does have two server roles, the Client Access server role and the Mailbox server role. In Exchange Server 2016 and up, these two roles are combined, and only the Mailbox server role is available. The different components are still there, but only available in one server role. The Edge Transport server role is still available in Exchange 2019.

Exchange Server 2019 is targeted toward large enterprise customers. Smaller customers can still use Exchange Server 2019 or move to Exchange Online, not surprisingly the Microsoft recommended approach. Exchange Online contains the latest and greatest features; Exchange Server 2019 is the rock-solid solution for enterprise customers that need a solid on-premises mail environment.
Exchange Server 2019 Editions

Exchange 2019 is available in two editions:

• Exchange 2019, Standard Edition: This is a “normal” Exchange 2019 but limited to five (5) mailbox databases per Mailbox server.

• Exchange 2019, Enterprise Edition: This version can host up to 100 mailbox databases per Mailbox server.

Except for the number of mailbox databases per Exchange server, there are no differences between the two versions; the binaries are the same. Entering the Exchange 2019 license key changes the limit of maximum mailbox databases for that server. Besides the Exchange 2019 server license, there is also a Client Access license (CAL), which is required for each user or device accessing the server software.

There are two types of CALs available:

• Standard CAL: This CAL offers standard email functionality from any platform. The license is for typical Exchange and Outlook usage.

• Enterprise CAL: This more advanced CAL offers functionality such as integrated archiving, compliance features, and information protection capabilities. The CAL is an add-on to the Standard CAL, so both licenses need to be purchased!

This is not a complete list of all available features for the different CALs. For a complete overview, visit the Microsoft licensing page at https://bit.ly/X2019Licensing.

Note An Exchange Server 2019 server license is always needed. But an Exchange Online P1 or P2 or Office 365 E1 or E3 license can also be used for a CAL. When an Exchange 2019 server is used in a hybrid environment, and all mailboxes are in Exchange Online, customers might be eligible for a free “hybrid server license” from Microsoft.
What’s New in Exchange Server 2019

So what are the new features and improvements in Exchange Server 2019? Twice a year Microsoft releases a Cumulative Update for Exchange 2019, so new features are added twice a year as well. This book is written based on Exchange 2019 Cumulative Update 13, which has a lot of new features compared with the initial release of Exchange 2019 by the end of 2018. Let’s discuss the most interesting features, listed from new to older:

• Modern Authentication (CU13): Modern Authentication is introduced in Exchange 2019 CU13 and is targeted toward customers that do not have any cloud integration and as such cannot use Hybrid Modern Authentication. Traditionally Exchange Server used basic authentication, NTLM, or Kerberos for authentication, but Modern Authentication is claims-based authentication. Modern Authentication replaces basic authentication and is much more secure than older, legacy authentication methods.

• Configuration Preservation (CU13): Configuration Preservation is introduced in Exchange 2019 CU13 and is a long-requested feature in Exchange. When you have made manual changes to configuration files in Exchange, they are no longer overwritten when installing a new CU, but they are kept.

• Removal of UNC paths in PowerShell commands (CU12): For security reasons, the use of UNC paths in PowerShell commands has been decommissioned, starting in Exchange 2019 CU12. Using a UNC path in a PowerShell command to read contents of a file no longer works directly. Instead, you need to read the contents of a file into a variable and use that variable in the PowerShell command. This makes it much more difficult for a malicious user to read the contents of a (deliberately placed) file and manipulate the Exchange server.

• Exchange Emergency Mitigation Service (EEMS, CU11): The Exchange Emergency Mitigation Service or EEMS is introduced in Exchange 2019 CU11, shortly after the ongoing security issues that were found in Exchange. It’s a service that runs on an Exchange server and that stays online with Microsoft. When a security issue is found, Microsoft can push a rewrite rule to the Exchange server, mitigating the vulnerability. EEMS is using the IISRewrite module, hence the additional prerequisite software in Exchange 2019 CU11 and later. Please note that EEMS is also available for Exchange 2016.

• Windows Antimalware Scan Interface (AMSI) (CU10): Support for AMSI, or the Windows Antimalware Scan Interface, is introduced in Exchange 2019 CU10. AMSI is an interface that allows applications and services to interact with any antimalware vendor. For Exchange, it means that an antimalware application can scan the content of any HTTP request performed against the Exchange server and act appropriately. This happens in real time, so it’s an extra layer of security against malicious attacks on the Exchange web services.

• Support for Windows Server Core: Exchange Server 2019 is supported on Windows 2022 and Windows 2019, both Desktop Experience and Server Core. Windows 2022 Server Core is the recommended operating system for Exchange Server 2019 because of the lower footprint and improved security. Exchange 2019 is only supported on Windows 2022 and Windows 2019; Windows 2016 is NOT supported for Exchange 2019.

• TLS 1.2: To improve client-to-server connections, TLS 1.2 is the default protocol for encrypting traffic between clients and the Exchange Server 2019 server. Older versions are still available but are disabled by default. Please note that a client in this respect can also be another (Exchange) server that is communicating with the Exchange Server 2019 server. Unfortunately, TLS 1.3 is supported on Windows 2022, but still not supported in Exchange 2019 CU13. Support for TLS 1.3 is expected in a future Exchange 2019 CU.

• Blocking external access to ECP and EMS: In Exchange Server 2019, it is possible to block external access to the Exchange Control Panel (ECP) and Exchange Management Shell (EMS) using Client Access Rules. Based on conditions, exceptions, and actions, Client Access Rules help you control access to ECP and EMS in a very granular manner.

• Improved search infrastructure: The search infrastructure in Exchange Server 2019 is improved and is now based on the Bing search technology. Its codename is “Big Funnel,” something you can still see in Exchange Server 2019 under the hood. Search indexes are no longer stored in a separate directory on the disk containing the mailbox database, but they are stored in the user’s mailbox. Because of this, search data replication is always up to date, and mailbox database failover is much faster, therefore improving the performance of the Exchange Server 2019 server.

• Modern hardware support: Exchange Server 2019 supports more modern hardware, up to 256 GB memory, and up to 48 CPU cores. The minimum recommended amount of memory for Exchange Server 2019 is also 128 GB (it can run with less memory though), and performance greatly benefits from this large amount of memory. Large memory and multiple processor cores also enable switching from Workstation Garbage Collection (GC) to Server GC. This setting in the .NET Framework can handle more requests per second, thus improving performance.

• MetaCache database: Exchange Server 2019 has a new feature called MetaCache database (MCDB). This feature uses SSDs to cache frequently accessed data from mailbox databases. Mailbox databases are still stored on slow JBODs, but frequently accessed data can now be cached on SSDs. For every four (slow) JBODs, one SSD is used to cache information. This greatly improves performance and latencies, which is very beneficial for remote desktop or Citrix environments where Outlook clients are running in online mode. The downside is that MCDB only works in bare-metal deployments of Exchange 2019.

• Dynamic database cache: Mailbox database information is kept in memory. While this is useful for active mailbox databases, it does not make much sense for passive mailbox databases in a Database Availability Group (DAG). Previous versions of Exchange did not differentiate between these two, therefore “wasting” valuable memory on passive mailbox databases. Exchange Server 2019 has a dynamic database cache, which means that passive mailbox databases use less memory than active mailbox databases. In other words, active mailbox databases in Exchange Server 2019 can use more memory than they could in Exchange Server 2016. This also improves overall Exchange Server 2019 performance.

Of course, there are more new features in Exchange 2019, but these are the most important and interesting ones.
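The CU12 change to UNC paths in the list above is easiest to see with a certificate import, a common place where administrators used to point a cmdlet at a file share. The snippet below is an added example, not code from the book or from Microsoft; the server name, share path, and thumbprint are constructed placeholders, and the read-into-a-variable pattern it shows is the one the CU12 text describes.

```powershell
# Added example (not from the book): the certificate import/export pattern
# that works after Exchange 2019 CU12 stopped accepting UNC paths in cmdlets.
# Server name, share path, and thumbprint are constructed placeholders.

$server     = 'EX01'                                        # hypothetical Exchange server
$pfxPath    = '\\fileserver\certs\mail-contoso.pfx'          # hypothetical UNC path
$thumbprint = '0000000000000000000000000000000000000000'    # placeholder thumbprint

# Before CU12 the cmdlet opened the file share on your behalf:
#   Import-ExchangeCertificate -Server $server -FileName $pfxPath -Password $pw
# From CU12 on that is rejected. Read the file yourself, in your own session
# and under your own credentials, and pass the bytes with -FileData.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxBytes    = [System.IO.File]::ReadAllBytes($pfxPath)

Import-ExchangeCertificate -Server $server -FileData $pfxBytes -Password $pfxPassword

# The same applies in the other direction: Export-ExchangeCertificate no longer
# writes to a path for you; it returns the bytes and you decide where they go.
$exported = Export-ExchangeCertificate -Server $server -Thumbprint $thumbprint -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes("$env:TEMP\mail-contoso-backup.pfx", $exported.FileData)
```

The security gain is that the Exchange server process never dereferences a path an administrator (or someone who obtained an administrator's session) typed; the file is read by the caller, so a file planted on a share cannot be fed to the server by name.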

What Has Been Discontinued or Deprecated in Exchange Server 2019

Every new version of Exchange Server introduces new features, but at the same time, other features are discontinued, deprecated, or available only in some other form or scenario. When you are upgrading from Exchange 2013 or Exchange 2016, here’s a list of the most important changes or discontinued features in Exchange 2019:

• Unified Messaging (UM) server role: The Unified Messaging (UM) server role has been removed from Exchange Server 2019 but is still available in Exchange Server 2016. Since the UM role is no longer available in Exchange Server 2019, it is out of scope for this book. The UM role in Exchange Server 2016 has not changed since Exchange Server 2013, so when information is needed about the UM role, you are kindly referred to our Pro Exchange Server 2013 SP1 PowerShell Administration book.

• Separate server roles: Exchange 2013 had a separate Client Access server role and a Mailbox server role. Nowadays it is a best practice to combine these roles into a multi-role server. In Exchange 2016 and Exchange 2019, the separate server roles are no longer available; only the Exchange 2019 Mailbox server role is available. Under the hood you can still see the two different server roles if you look closely.

• MAPI/CDO library: When moving from Exchange Server 2013 to Exchange Server 2019, you will see that the MAPI/CDO library is no longer available. The functionality of the MAPI/CDO library has been replaced by Exchange Web Services (EWS), Exchange ActiveSync (EAS), or REST APIs.

• RPC/HTTP: RPC/HTTP (also known as Outlook Anywhere) is deprecated in Exchange Server 2019 and is replaced by Mapi/Http for Outlook client communications. Although being deprecated, this is still a requirement for installing Exchange 2019 for compatibility purposes.

• Cluster administrative access points for DAGs: Database Availability Groups in Exchange 2019 no longer use a cluster administrative access point, so when creating a DAG, there’s no need any more to pre-create the cluster object before creating the DAG. As a result, the DAG must be managed using the Exchange Admin Center or Exchange PowerShell. Please note that this is already the recommended approach to managing a DAG.
Exchange 2019 and Active Directory

Active Directory is the foundation for Exchange Server 2019, as it has been for Exchange Server since Exchange 2000 was released 24 years ago. Earlier versions of Exchange Server—that is, Exchange 5.5 and earlier—relied on their own directory, which was separate from the (NT4) user directory. Active Directory stores most of Exchange’s configuration information, both for server/organization configuration and for mail-enabled objects.

A Microsoft Windows ADDS, or Active Directory Domain Services, is best described as a forest; this is the highest level in the directory service and is the actual security boundary. The forest contains one or more Active Directory domains; a domain is a logical grouping of resources, such as users, groups, and computers. An Exchange 2019 organization is bound to one forest, so even if you have an environment with one Active Directory forest and over 100 Active Directory domains, there is only one Exchange organization.

Active Directory sites also play an important role in Exchange deployment. An Active Directory site can be seen as a location, well connected with high bandwidth and low latency—for example, a data center or an office. Active Directory sites can contain multiple Active Directory domains, but an Active Directory domain can also span multiple Active Directory sites.

Exchange 2019 depends heavily on ADDS, and ADDS depends heavily on DNS (Domain Name Service). Obviously, both need to be healthy. For Exchange 2019, the minimum levels in ADDS need to be Windows 2012 R2 Forest Functional Level (FFL) and Windows 2012 R2 Domain Functional Level (DFL). The Domain Controllers need to be at a minimum level of Windows Server 2012 R2.
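A pre-installation check of the functional levels and Domain Controller versions just listed can be scripted with the ActiveDirectory module. The function below is an added example, not code from the book; it assumes RSAT (the ActiveDirectory and DnsClient modules) is installed and that the account running it can read the forest, domain, and Domain Controller objects.

```powershell
# Added example (not from the book): verify the Active Directory prerequisites
# for Exchange 2019 named in the text: Windows Server 2012 R2 forest and domain
# functional levels, Domain Controllers on Windows Server 2012 R2 or newer, and
# working DNS for every domain in the forest. Requires the ActiveDirectory module.

Import-Module ActiveDirectory

function Test-ExchangeAdPrerequisites {
    [CmdletBinding()]
    param()

    $forest   = Get-ADForest
    $problems = New-Object System.Collections.Generic.List[string]

    # Forest functional level: Windows Server 2012 R2 is the minimum for Exchange 2019.
    # ADForestMode is an enum whose values increase with each Windows version, so -lt works.
    if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2012R2Forest) {
        $problems.Add("Forest functional level is $($forest.ForestMode); Windows2012R2Forest or higher is required.")
    }

    foreach ($domainName in $forest.Domains) {
        # Domain functional level: every domain in the forest must be at 2012 R2 or higher.
        $domain = Get-ADDomain -Identity $domainName
        if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain) {
            $problems.Add("Domain $domainName functional level is $($domain.DomainMode); Windows2012R2Domain or higher is required.")
        }

        # Domain Controllers older than Windows Server 2012 R2 are not supported.
        # The regex matches 2003, 2008 (including R2) and plain 2012, but not '2012 R2'.
        Get-ADDomainController -Filter * -Server $domainName | ForEach-Object {
            if ($_.OperatingSystem -match '2003|2008|2012(?! R2)') {
                $problems.Add("DC $($_.HostName) runs '$($_.OperatingSystem)'; Windows Server 2012 R2 or newer is required.")
            }
        }
    }

    # Exchange and ADDS both depend on DNS: each domain name must resolve.
    foreach ($zone in (@($forest.RootDomain) + $forest.Domains | Select-Object -Unique)) {
        if (-not (Resolve-DnsName -Name $zone -Type A -ErrorAction SilentlyContinue)) {
            $problems.Add("DNS lookup for $zone failed.")
        }
    }

    [pscustomobject]@{
        Forest   = $forest.Name
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-ExchangeAdPrerequisites | Format-List
```

Run it before the schema update rather than after: a forest that fails the functional-level check will also fail Exchange setup's own readiness checks, but the script tells you which domain or Domain Controller is the reason.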

Integration with Active Directory

As mentioned in the previous section, Exchange 2019 relies heavily on Active Directory, and the following topics can be identified:

• Active Directory partitions
• Active Directory permissions
• Active Directory sites

These are discussed in the next sections.

Active Directory Partitions


A Microsoft Windows ADDS consists of three system-provided partitions:

• Schema partition: The schema partition is the blueprint


for all objects and properties that are available in
Active Directory. For example, if a new user is created,
a user object is instantiated from the schema, the
required properties are populated, and the user

15
Chapter 1 Exchange 2019 Introduction

Because every object class and attribute is defined in the schema partition, what is available depends on the version in use: a Windows Server 2019 Active Directory schema has newer object classes and more attributes than, for example, a Windows Server 2012 R2 schema. The same is true for applications like Exchange Server. Exchange 2019 adds a large number of object classes and attributes to Active Directory to support its functionality, which is why every new version of Exchange Server, and also some Cumulative Updates and service packs, requires schema changes. There is only one schema partition in the entire Active Directory forest; even a forest with 100 domains and 250 sites worldwide has exactly one. It is replicated to every Domain Controller in the forest, but only one copy is writable: the one on the Domain Controller that holds the schema master FSMO role, which by default is the first Domain Controller installed in the forest unless the role has since been transferred.

• Configuration partition: The configuration partition is where all non-schema information is stored that needs to be available throughout the Active Directory forest. Information found in the configuration partition includes the Active Directory sites, the public key infrastructure, the list of partitions that exist in the forest, and of course Exchange Server. Just like the schema partition, there is only one configuration partition. It replicates to all Domain Controllers in the entire forest, so that all Exchange servers have access to the same, consistent set of information. All Exchange configuration, such as the Exchange servers themselves, the routing infrastructure, and the accepted domains that Exchange Server is responsible for, is stored in the configuration partition.

• Domain partition: The domain partition is where all domain-specific information is stored. There is one partition per domain, so if you have 100 domains in your Active Directory forest, you have 100 separate domain partitions. User objects, contacts, security groups, and Distribution Groups are stored in the domain partition. It replicates only to the Domain Controllers of that domain; Global Catalog servers additionally hold a partial, read-only copy of every domain partition in the forest, which is what Exchange uses for forest-wide address lookups.

The best tool for viewing the three Active Directory partitions is the ADSI Edit MMC (Microsoft Management Console) snap-in, which is shown in Figure 1-1.

Figure 1-1. The Exchange information is stored in the configuration partition

Warning There is very little safeguarding in this tool, so it is easy to destroy critical parts of Active Directory when you are just clicking around!

In Windows Server 2019, the Active Directory Administrative Center (ADAC) is the preferred tool to manage the Active Directory environment, but Active Directory Users and Computers (ADUC) can also be used. Using either tool is relatively safe, because they validate the changes you make and do not let you modify objects in ways that Active Directory does not support.

Tip Enable the Active Directory Recycle Bin. With it enabled, the Active Directory Administrative Center can restore (accidentally) deleted objects with their attributes and group memberships intact. Enabling it requires a forest functional level of Windows Server 2008 R2 or higher, and it cannot be disabled again once enabled.


The Active Directory Sites and Services (ADSS) MMC snap-in reads
and writes information from the configuration partition. All changes made
here are visible to all domains in the forest; the same is true for the Active
Directory Domains and Trusts MMC snap-in.
A very powerful tool regarding Active Directory is the Schema MMC
snap-in, which is usually run on the Domain Controller that holds the
schema master role. Using the Schema MMC snap-in, it is possible to
make changes to the Active Directory schema partition.

Warning Only do this when you are absolutely sure of what you are doing and when you have proper guidance, for example, from Microsoft support. Changes made to the Active Directory schema are irreversible: a class or attribute can be deactivated (made defunct) but never deleted, and a mistake replicates to every Domain Controller in the forest.

Domain Controllers also have tools like LDIFDE and CSVDE installed
as part of the AD management tools. These are command-line tools that
can be used to import and export objects into or out of Active Directory.
LDIFDE can also be used to make changes to the Active Directory
schema, and the Exchange 2019 setup application uses the LDIFDE tool
to configure Active Directory for use with Exchange 2019. These tools are
beyond the scope of this book.
When promoting a server to a Domain Controller or when installing
the Remote Server Administration Tools (RSAT) for Active Directory
Directory Services (ADDS), the PowerShell Active Directory module is
installed as well. This module enables Active Directory functionality
in PowerShell, making it possible to manage Active Directory using
PowerShell cmdlets.
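The following PowerShell session is an added example, not code from the book or from Exchange setup. It uses the ActiveDirectory module just described to list the partitions one Domain Controller holds, to find the schema master, and to locate the objects that Exchange setup stores in the schema and configuration partitions. It assumes RSAT-AD-PowerShell is installed and the session runs under an account that can read Active Directory; the object names (ms-Exch-Schema-Version-Pt, msExchOrganizationContainer, msExchExchangeServer) are the standard ones Exchange setup creates.

```powershell
# Added example: inspect the three partitions and the Exchange objects in them.
# Assumes the ActiveDirectory module (RSAT-AD-PowerShell) and read access to AD.
Import-Module ActiveDirectory

# rootDSE lists the naming contexts (partitions) this Domain Controller holds.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext          # CN=Schema,CN=Configuration,DC=...
$configNC = $rootDse.configurationNamingContext   # CN=Configuration,DC=...
$domainNC = $rootDse.defaultNamingContext         # DC=... (this DC's own domain partition)
"Partitions on $($rootDse.dnsHostName):"
$rootDse.namingContexts | ForEach-Object { "  $_" }

# The schema partition has exactly one writable copy, on the schema master.
$forest = Get-ADForest
"Schema master:        $($forest.SchemaMaster)"
"Domain naming master: $($forest.DomainNamingMaster)"

# Exchange setup extends the schema; the extension's version is kept in the
# rangeUpper attribute of the ms-Exch-Schema-Version-Pt attribute definition.
# An LDAP filter (not -Identity) is used so a missing object returns nothing
# instead of throwing.
$exSchema = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)' -Properties rangeUpper
if ($exSchema) {
    "Exchange schema version (rangeUpper): $($exSchema.rangeUpper)"
} else {
    "No Exchange schema extension found in $schemaNC"
}

# Everything about the Exchange organization lives below
# CN=Microsoft Exchange,CN=Services in the configuration partition.
$exOrg = Get-ADObject -SearchBase $configNC -SearchScope Subtree `
    -LDAPFilter '(objectClass=msExchOrganizationContainer)' -Properties objectVersion
if ($exOrg) {
    "Exchange organization: $($exOrg.Name) (objectVersion $($exOrg.objectVersion))"

    # Exchange servers are msExchExchangeServer objects below the organization;
    # serialNumber carries the product version, msExchServerSite the AD site DN.
    Get-ADObject -SearchBase $exOrg.DistinguishedName -SearchScope Subtree `
        -LDAPFilter '(objectClass=msExchExchangeServer)' `
        -Properties serialNumber, msExchServerSite |
        Select-Object Name, serialNumber,
            @{ n = 'Site'; e = { (($_.msExchServerSite -split ',')[0]) -replace '^CN=' } } |
        Format-Table -AutoSize
} else {
    "No Exchange organization found in $configNC"
}

# Domain partition: mail-enabled users are ordinary user objects whose Exchange
# attributes (mailNickname, homeMDB, ...) were added by the schema extension.
Get-ADUser -SearchBase $domainNC -LDAPFilter '(mailNickname=*)' -ResultSetSize 5 `
    -Properties mailNickname, homeMDB |
    Select-Object SamAccountName, mailNickname, homeMDB |
    Format-Table -AutoSize
```

Run it on a member server or Domain Controller before and after Exchange setup: the schema version line and the list of server objects make it obvious which partitions setup touched, which is also where you look when an installation reports "object not found" because replication to the Domain Controller setup picked has not completed yet.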


Active Directory Permissions


There are three partitions in Active Directory. Each of these partitions has
separate permission requirements, and not everybody has (full) access to
these partitions. The following are the default administrator accounts or
security groups that have access to each partition:

• Schema Admins security group: The Schema Admins have full access to the schema partition. This group exists only in the forest root domain (the first domain created), and the first administrator account in that domain is a member of it. To make the necessary changes to the schema partition for installing Exchange Server, the account that is used needs to be a member of this security group. Any other domain administrator in the forest is, by default, not a member of this group.

• Enterprise Admins security group: The Enterprise Admins have full access to the configuration partition. Like Schema Admins, this group exists only in the forest root domain, and the first administrator account in that domain is a member of it and as such can make changes to the configuration partition. Since all Exchange Server configuration information is stored in the configuration partition, the account used for installing Exchange Server needs to be a member of this group. Please note that the Enterprise Admins security group does not, by default, have permission to make changes to the schema partition.

• Domain Admins security group: The Domain Admins have full access to the domain partition of the corresponding domain. If there are 60 domains in an Active Directory environment, there are 60 domain partitions and thus 60 different Domain Admins security groups. The first administrator account in the forest root domain is a member of the Domain Admins security group of that domain.

Why is this important to know? In the early days of Active Directory, Microsoft recommended using multiple domains in an Active Directory forest, preferably with an empty root domain. This empty root domain was a domain without any resources, and its primary purpose was Active Directory management. All resources like servers, computers, users, and groups were in child domains. This has implications for the use of the various administrator accounts. It is a delegated model, where the administrator accounts in the forest root domain have control over all Active Directory domains, whereas the administrators in the other domains have administrative rights only in their respective domains. These other administrators have no administrative privileges in other domains, let alone permission to modify the configuration partition or the schema partition.
But things have changed, and although an empty root domain can still be used, it is no longer actively recommended. The usual recommendation these days is a "single-forest, single-domain" environment, unless strict legal or organizational requirements dictate another Active Directory model.
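Before running Exchange setup it is worth checking the three memberships listed above with a script rather than by eye, because Schema Admins and Enterprise Admins live in the forest root domain and a membership that was added a moment ago is not yet in the current logon token. The following script is an added example (not from the book): it resolves the three groups by their well-known RIDs (518, 519 and 512 appended to the root domain SID), flattens nested membership on a root-domain Domain Controller, and compares the result with the token of the account running the script. It assumes RSAT-AD-PowerShell and that the Exchange servers will be installed in the forest root domain; for a child domain, check that domain's Domain Admins instead.

```powershell
# Added example: verify the group memberships Exchange setup needs, both as
# stored in Active Directory and as present in the current logon token.
# Assumes the ActiveDirectory module (RSAT-AD-PowerShell).
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$rootSid    = $rootDomain.DomainSID.Value

# Schema Admins and Enterprise Admins exist only in the forest root domain;
# their SIDs are the root domain SID plus a well-known RID.
$required = [ordered]@{
    'Schema Admins'     = "$rootSid-518"   # needed for the schema partition
    'Enterprise Admins' = "$rootSid-519"   # needed for the configuration partition
    'Domain Admins'     = "$rootSid-512"   # needed for the (root) domain partition
}

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySid     = $identity.User.Value
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }

"Checking $($identity.Name) against groups in $($forest.RootDomain)"
foreach ($groupName in $required.Keys) {
    $groupSid = $required[$groupName]

    # -Recursive flattens nested groups, so membership through a nested group
    # counts. -Server points at the root domain, where these groups live.
    $memberSids = Get-ADGroupMember -Identity $groupSid -Server $forest.RootDomain -Recursive |
                  ForEach-Object { $_.SID.Value }

    [pscustomobject]@{
        Group        = $groupName
        InDirectory  = ($memberSids -contains $mySid)
        InLogonToken = ($tokenSids -contains $groupSid)
    }
}
```

If a row shows InDirectory true but InLogonToken false, the membership was added after the current session started: log off and on (or open a new session) before starting setup, because setup checks the token, not the directory. The same script is useful after the installation, in the other direction: Schema Admins in particular should be empty except during a schema change, and the rows make it easy to spot an installation account that was never removed from it.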

Active Directory Sites


Active Directory sites play an important role in any Exchange Server
deployments. As stated earlier, an Active Directory site can be seen
as a (physical) location with good internal network connectivity, high
bandwidth, and low latency—that is, a local LAN. An office or data center
is typically a good candidate for an Active Directory site.


An organization can have multiple locations, multiple data centers, or a virtual data center in Microsoft Azure, resulting in multiple Active Directory sites. Sites are typically interconnected with lower-bandwidth, higher-latency connections. An Active Directory site can contain Domain Controllers from multiple domains, and at the same time an Active Directory domain can span multiple sites.
An Active Directory site is also a replication boundary. Domain Controllers within a site replicate changes almost immediately: when an object is created or changed, the other Domain Controllers in the same site are notified and the change is replicated within seconds, so all Domain Controllers in a site converge on the same information very quickly.
Information between Domain Controllers in different Active Directory sites is replicated on a schedule that the administrator defines on the site link. The default replication interval on a site link is 180 minutes, and 15 minutes is the lowest value allowed; depending on the type of connection or the bandwidth available to a location (you do not want replication traffic to interfere with normal production bandwidth), the effective delay can be several hours. This means that when changes are made to Active Directory, for example when installing Exchange 2019, it can take a serious amount of time before all the information is replicated to all Domain Controllers and the changes are visible to the entire organization.
Active Directory sites are created using the Active Directory Sites and Services MMC snap-in. The first step is to define the network subnets of the various locations in the snap-in and then associate each subnet with the Active Directory site it belongs to. For example, the data center in the Amsterdam site has IP subnet 10.83.4.0/24, while the network in Microsoft Azure has IP subnet 172.16.0.0/24. This is shown in Figure 1-2.


Figure 1-2. Two different subnets and sites, as shown in Active Directory Sites and Services
A location like the data center in Amsterdam or Microsoft Azure (which corresponds with the Active Directory site) can be "Internet facing" or "non-Internet facing," a descriptor that indicates whether the location has Internet connectivity or not. This is important for Exchange 2019, since it determines how namespaces are configured and thus how external clients are connected to their mailboxes in the different locations.
For example, the environment in Figure 1-2 has two Active Directory sites. If the data center in Microsoft Azure has an Internet connection and the data center in Amsterdam does not, all clients from the Internet initially connect to the Exchange 2019 servers in Microsoft Azure. If a user's mailbox is in Amsterdam, the client request is proxied to the Exchange 2019 servers in Amsterdam.
But if the data center in Amsterdam also has an Internet connection and the Exchange servers there are configured with their own external namespace, a client whose mailbox is in Amsterdam can connect to the Exchange 2019 servers in Amsterdam directly: a request that first arrives in Azure is, for protocols that support it such as Outlook on the web, redirected to the Amsterdam namespace instead of being proxied.


Also, the routing of Simple Mail Transfer Protocol (SMTP) messages through the Exchange organization is partly based on Active Directory sites. In the example just given that is simple, but in an environment with dozens of Active Directory sites, SMTP routing follows the Active Directory site topology (site-link costs and the least-cost path) unless configured otherwise, for example by designating hub sites to enforce a hub-and-spoke routing model.
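The site and subnet configuration described above, and the replication delay it introduces, can be scripted and checked with the ActiveDirectory module. The following is an added example (not the book's own), using the two sites and subnets from Figure 1-2: it creates the sites, binds the subnets to them, creates a site link with the 15-minute minimum interval instead of the 180-minute default, and then checks on every Domain Controller in every site whether the Exchange schema change has arrived, which is the check to run before continuing an installation in a second site. The site link name is an assumption; RSAT-AD-PowerShell and rights to write the configuration partition (Enterprise Admins) are assumed.

```powershell
# Added example: define the sites/subnets from Figure 1-2, set the inter-site
# replication interval, and verify replication of a schema change to all DCs.
# Assumes the ActiveDirectory module and Enterprise Admins rights.
Import-Module ActiveDirectory

# A subnet is associated with exactly one site; a DC or member server derives
# its site from the subnet its IP address falls into.
New-ADReplicationSite   -Name 'Amsterdam'
New-ADReplicationSite   -Name 'Azure'
New-ADReplicationSubnet -Name '10.83.4.0/24'  -Site 'Amsterdam' -Location 'Amsterdam data center'
New-ADReplicationSubnet -Name '172.16.0.0/24' -Site 'Azure'     -Location 'Microsoft Azure'

# Inter-site replication follows the site link schedule: 180 minutes by
# default, 15 minutes is the minimum. Link name 'Amsterdam-Azure' is assumed.
New-ADReplicationSiteLink -Name 'Amsterdam-Azure' `
    -SitesIncluded 'Amsterdam', 'Azure' `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15

# Show the resulting subnet-to-site mapping.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize

# After a forest-wide change such as Exchange setup's schema update, confirm
# every DC in every site reports the same ms-Exch-Schema-Version-Pt.rangeUpper.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_
    try {
        $obj = Get-ADObject -Server $dc.HostName -SearchBase $schemaNC -SearchScope OneLevel `
            -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)' -Properties rangeUpper
        $version = if ($obj) { $obj.rangeUpper } else { 'none' }
    } catch {
        $version = "unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; ExchangeSchemaVersion = $version }
} | Format-Table -AutoSize

# Inbound replication partners of the nearest DC, for every partition it
# holds, with the last successful replication and any consecutive failures.
$nearestDc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
Get-ADReplicationPartnerMetadata -Target $nearestDc -Partition * -PartnerType Inbound |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

A Domain Controller whose ExchangeSchemaVersion differs from the rest, or whose LastReplicationSuccess is older than the site link interval, is the one an Exchange server in that site would read stale configuration from; wait for (or force) replication before installing there. Once Exchange is installed, Get-ExchangeServer in the Exchange Management Shell shows the site each server was placed in based on the subnet mapping above.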

Exchange Online and Azure Active Directory


Exchange 2019 relies heavily on Active Directory, and Exchange Online relies, to some extent, on Azure Active Directory. Although the names are similar, Azure Active Directory is not comparable to Active Directory; it is better compared to Active Directory Lightweight Directory Services (AD LDS) as used on an Edge Transport server, which is essentially a stand-alone LDAP directory without domains, sites, or Group Policy.
Accounts in Azure Active Directory can be

• Cloud identities: These are accounts that are created directly in Azure Active Directory and have no correlation with an on-premises Active Directory. They are entirely managed in the cloud, using tools like the Azure Active Directory portal, the Microsoft Online Portal, or the Azure Active Directory PowerShell module.

• Synced identities: These are accounts that are created and managed in the on-premises Active Directory. Using an Azure AD Connect server, the identities are synchronized to Azure Active Directory. Important to keep in mind is that they are managed on-premises and NOT in the cloud. This implies that mailboxes in Exchange Online in this situation are also managed
may convert brass into gold.”
The alchemist continued:
“Zosimus the Theban directs that this is the true method of
turning brass into gold: To the above heated solution of sulphur and
mercury add that pure niter which men find in the heart of India. Into
this cast brass and it will in a moment change to gold.”
“Quick, to work. Light the braziers and bring out sulphur,
quicksilver, and brass,” commanded Tring. “Have you any of this
Indian niter?”
“I have—a small packet on the third shelf of the closet,” answered
the alchemist. Tring rushed to get it and set all the materials ready
for the experiment. Truly and sincerely did he believe that the
alchemist had hit upon the solution of the much desired process of
changing base metals into gold, and his own lack of knowledge in
the realm of the science of alchemy was responsible for the
ignorance with which he ordered the alchemist to compound one of
the most dangerous chemicals known to man. The alchemist, on his
part, was but acting under the hypnotic suggestion of Tring, and had
no opportunity to interpose his normal-self sense between the
student’s intention and its execution. Indeed the information he had
during the trance came from his own fund of learning, although the
suggestion of adding niter to the heated compound was but a fancy
of a mind grown either tired or weak.
As the student hurried about arranging materials for the
experiment Kreutz sang a Latin hymn which extols the practice of
alchemy and the alchemist:
Inexhaustium fert thesaurum
Qui de virgis fecit aurum
Gemmas de lapidibus.
“Compound the Philosopher’s Stone,” commanded Tring.
The alchemist, still in the trance, arose, and leaned over the
brazier. Something flaky and white and inflammable was tucked
close to the bottom to act as kindling, and a coal brought from a
farther brazier and laid upon this. It turned all black for a minute, then
sizzled into an intense heat and ignited the brazier’s contents. The
flame was at first yellow and creeping, then it changed to blue and
leaping. Kreutz put a vessel filled with sulphur into the flames, and
sure enough in a moment the spirit of the sulphur arose in fumes that
filled the room.
Both leaned over the brazier eagerly as the alchemist shook
mercury over the melted sulphur. As the parchment had decreed, so
the reaction followed; in a short time the glittering mercury had
mingled with the melted sulphur and became an ugly black
substance. Tring handed to Kreutz another vessel which was closed
at the top. Kreutz shook the hot material from the first vessel into the
second and put the latter back on the brazier. In all his motions he
acted mechanically as if he were but working out the will of another.
He opened this second vessel after a few seconds and, sure
enough, the black substance was becoming a lively red.
“The niter; the niter,” exclaimed Tring eagerly at his elbow.
The alchemist took the package from his hands and tossed it into
the substance now seething with heat. As he did so, as if obeying
some unconscious instinct of self-preservation, he leaped back into
the middle of the room and drew Tring with him. The exclamation of
anger on Tring’s lips was cut in half, for at that instant the loft of the
house rocked in a terrific explosion!
“Quick, seize the crystal and descend!” screamed Tring, who was
already speeding through the doorway, frantically wiping sparks of
fire from his clothing.
The exploding substances had sent their flames into the dry roof
and walls of the house, and fire was leaping through them merrily.
Everything in the room was beginning to blaze, and in two minutes
more it would have been impossible to leave. The alchemist, still in a
daze, took the crystal as he had been commanded, and made for the
stairway. The stone gleamed in his hands like a million diamonds,
rubies, and emeralds where the flames fell upon it, and he clutched it
with all the strength of his right hand as he clung to the stair rail with
his left, now swaying out over the court like a drunken man, now
regaining his hold and descending another stair. But the student had
been more nimble, and by the time that the alchemist had
descended to the third floor of the house, Johann was down the
stairs and through the gate, calling with all his might for the watch to
notify the water master that the house above him was in flames. No
watch was in sight and so he sought one at full speed, and while he
was searching, Pan Kreutz had reached the open door and
disappeared in the night, the Great Tarnov Crystal hidden under the
folds of his black gown.
But behind him the flames had eaten through the roof of his
house and had leaped to the adjoining house. In a few minutes they
had bounded clear across an open court near by, and had laid hold
of one of the pensions of the university. The wind then veering swept
the flames in a seething mass in the direction of the great Rynek,
and in less than fifteen minutes after the flight of the two men from
the loft of the building, the university section of Krakow was in the
grip of a terrible conflagration that threatened to devour the whole
city.
CHAPTER XIV
A GREAT FIRE RAGES
Since earliest times Krakow was divided into four sections
—the Castle Quarter, the Potters’ Quarter, the Butchers’
Quarter, and the Slavkov. At the head of each of these
districts was a quartermaster who was responsible for everything
that went on in his district, the fighting of fires being one of his chief
concerns. Therefore the watchman from one of the streets that lay in
the districts threatened by the fire went pounding at the gate of the
quartermaster’s house, shouting “Fire” at the top of his lungs in order
to send the servants flying to the master. In a short time the
quartermaster was up and dressed, and had sent summons to the
water master who had charge of the town reservoir and aqueducts.
The bell meanwhile began to sound clamorously from the tower
of the Church of Our Lady Mary, for the watchman there had caught
sight of the flames. Cries of “fire” were now being echoed from all
sections of the city, and in the red glare which was beginning to
illumine all the grim Gothic buildings and churches, a very tumult of
confusion was arising. The water master had already set his
machinery in motion and drummers were pounding away at their
drums in all the city streets in order to awaken the merchants and
their apprentices upon whom fell the burden of fighting the flames.
All the town guilds were assembling, companies of servants from the
palaces were filling buckets of water and taking positions on the
roofs of their own houses, and all citizens were busily getting down
from the wall, hooks and axes and pails such as the law required
them to keep for such emergencies.
A fire of any size in Krakow was a serious thing in those days, for
there were hundreds upon hundreds of wooden and part-wooden
houses clustered together in the thickly populated streets. In the
section about the old university the majority of dwellings were very
ancient, dry, and cobwebbed everywhere, and a single spark upon
their roofs was enough to turn them in exceedingly rapid fashion into
belching furnaces of flame and smoke. As the fire raced through
these streets, the inhabitants poured out in panic-stricken confusion;
each building was literally teeming with life, and the whole scene,
viewed from above, would have resembled a huge ant hill suddenly
destroyed or burned out by a careful gardener.
Women and children came out rushing and shrieking. Black-
robed students dashed through the streets with manuscripts and
parchments in their hands; others came carrying glass tubes or
astrolabes or metal dividers; frantic domestics ran here and there
with no definite refuge in view save only to escape the heat and
terror of the ever-spreading flames. The streets were rapidly filling
with furniture, clothing, beds, and personal possessions of every
variety, hurled out of casements by desperate owners—and some of
this material in the streets had already caught fire from the sparks
which were descending like rain in a spring thunderstorm, making
the lot of the fugitives even more unendurable. Inside some of the
courts those who had preserved presence of mind were combating
the fire with much vigor; tubs of water and pails were being pressed
into action, and burning walls were already being hauled down.
The water master had marshaled a line of water carts which
extended from the burning buildings to the aqueduct; these water
carts were usually drawn by horses, and some of them were on this
night, but there had been difficulty in getting enough horses quickly,
and men and boys were harnessed into the shafts. At the aqueduct
men were busy filling the carts with water; as each cart was filled it
moved on some little distance to the fire, and there being emptied,
swung about into another street and returned to the aqueduct for
another filling. The nearest section of the aqueduct was about an
eighth of a mile from the point where the fire started.
Forces of men armed with hooks and axes were sent out by the
water master to surround the district where the flames were
reaching, for the rapid spread of the fire had made it apparent at an
early stage that very little could be saved in the university area.
These men were under orders to demolish any building that seemed
to offer a chance for a further spread of the blaze, whether the fire
had already reached it or not. One detachment formed a line in front
of the Church of the Franciscans, another on St. Ann’s Street, and
another on Bracka. All these detachments were forced to retreat,
however, as the fire ate its way out of the district where it had
started. The Rynek was the scene of a turbulent mob which had
struggled from the burning section in the Street of the Pigeons, and
every open space was quickly filled with rescued goods. Two
families had even taken possession of the platform where the town
pillory stood and children were being put to sleep there by mothers
thankful to find a place of rest.
Amid all this uproar, an elderly woman, a boy, a girl, and a dog
were fighting their way through the Street of the Pigeons amidst the
débris of furniture and personal belongings that had been thrown
from windows. They had all been sleeping when the fire broke out,
and not having been roused until the flames were all about them,
had been able to rescue nothing but themselves and the clothes
which they wore. The boy was Joseph, the girl, Elzbietka, and the
woman the wife of Pan Andrew. Wolf, cut loose by Joseph, was the
most terror-stricken of the group, but he followed after them,
submissive and obedient, not knowing exactly what he was expected
to do.
Each of them was busy with separate thoughts as they fought
their way through the disorder. Joseph was ever figuring the quickest
route out of the burning district, and this was no easy task, since the
fire was playing so many tricks. It was not marching ahead in a
straight wall of flame but was whirling about, leaping here and there,
skipping this house and fastening upon that, advancing, retreating,
spreading to the flanks, all with terrific speed and unexpected
vivacity. Sometimes the two roofs just above the heads of the
fugitives would shoot up in flames—passing these with great peril,
they would find that the fire was now behind them and rejoice at the
breath of air that fell upon them; then suddenly without warning the
roof of a building just ahead would belch forth smoke and flame as if
the fire demon were working invisibly, and this new peril must be
passed.
At length they reached the place where the Street of the Pigeons
is cut by a cross lane, known to-day as Wislna Street, but this lane
was already full of smoking beams and fallen timbers; escape that
way was impossible. There was nothing to do but to push on through
the Street of the Pigeons where it curves to meet Bracka.
Elzbietka was wondering most of all about her uncle; there had
been no answer to their hurried calls when they left the doomed
house, and, besides, the loft was glowing in red and purple flames of
such intensity that no person alive could have been there at that
time. Joseph’s mother was thinking of the father, wondering if he had
left his post at the church to come to his family’s aid, and wondering,
too, if they could reach him at the tower before he began to suffer
too much from anxiety concerning them.
The houses were a little higher in this portion of the street and
there was therefore more cool air, in the lower reaches. The fire was
still whirling along here but was not taking hold quite so fast as it had
done down below, and consequently the fugitives made better
progress. The only difficulty was the ever-increasing crowd that now
swept in from three directions, making it hard for the three to keep
together. Finally they locked arms and literally fought their way
through the crowd. All about them the scenes were heart-rending,
men and women fleeing with but few possessions from the only
homes they had ever known, children lost in the mad scramble who
set up shrill cries and tried to keep their feet as the crowd pushed
ahead. Sick persons were brought into that raging torrent of
humanity, carried on the shoulders of their relatives or perhaps
stretched upon cots. Here was one old man who sat astride a young
fellow’s neck like Anchises on the back of Æneas fleeing from the
burning city of Ilium.
At length they stood where the fire had not reached, much more
fortunate in that than many other people that night. Joseph waited
only until they caught their breath, though he, too, felt like throwing
himself down upon the ground and resting, and then started forward
again through Bracka in the direction of the Rynek. In his heart he
hoped that when he had settled Elzbietka and his mother in the
tower where his father was on duty, he might come back with the
apprentices and help fight the fire, for there is that in a youth which
draws him into such fighting. As they went along Bracka he heard
the sound of horses’ hoofs from the direction of the Wawel.
“Wait,” he said, drawing the women back on a footpath, “here
come soldiers from the castle to preserve order.”
He spoke truly, for the next moment a great troop of cavalry
wearing mail armor and carrying spears rode into Bracka Street from
below and began to deploy in lines that marked the district
immediately threatened by fire. A few minutes later foot soldiers and
artisans began to appear and, joining with the watch, pulled down
buildings at the edge of the fire. Siege machinery was also drawn up
into Bracka and the buildings just outside the reach of the fire began
to crumble under its pounding.
“This will prevent the spread of the flames,” thought Joseph.
They went ahead again toward the church, but while they were
still in the Rynek they saw a company of soldiers dragging forward a
prisoner whom they had taken in the burning district.
“A thief,” said the boy.
“Bless us,” exclaimed the mother. “It is not possible that men
could be so cruel as to steal from poor folk driven mad with terror.”
As the company came near and the torches fell upon the face of
the prisoner, Joseph let out a cry of amazement.
“Why, mother, that is Peter of the Button Face, the leader of the
men that attacked our house. That is the man who met us on the first
day we were in Krakow. He it was who tried to make us prisoners in
the church tower. . . . See how he struggles—but they are holding
him tight for all that. And mother, it is not the city watch that has
taken him. It is the King’s own guard. Do you not see the royal crown
on their helmets, do you not notice the richness of their clothing? I
wonder what it can be about.”