Exchange Server 2007/2010 interview questions and answers – Part 2

Dear All, this is the second part; I hope the question bank below helps you.



Exchange Transport Role

1. Where does Exchange 2007 get its routing topology from?
Exchange 2007 uses the Active Directory site topology to determine how messages are transported in the organization. The Hub Transport server uses the Active Directory Topology service to retrieve the Exchange organization’s configuration information. Unlike earlier versions of Exchange, Exchange 2007 does not use a link state routing table and does not try to calculate an alternative route when a connection is unavailable.

2. What is a mail relay? Name a few known mail relay software or hardware options.
3. What is a smart host? When would you configure and use one?
4. What is a Send Connector?

5. What are Receive Connectors? Name the two default Receive connectors.
Receive Connector: A Receive connector defines how a transport server listens for inbound SMTP connections (IP bindings, port, remote IP ranges, authentication mechanisms and permission groups). When you install the Hub Transport server role, two Receive connectors are created. For mail that arrives through an Edge Transport server no additional Receive connectors or configuration changes are needed. If a Hub Transport server is to accept Internet mail directly (no Edge server in front of it), the Default connector must first be granted the Anonymous users permission group; until then external senders are rejected with "530 5.7.1 Client was not authenticated", which is the usual reason Internet mail fails even though the firewall and the MX records are right.


Default Receive connectors:
(A) Client <Servername>: accepts SMTP connections from non-MAPI clients such as POP3 and IMAP4 users. It listens on port 587 (the client submission port), offers TLS, requires authentication, and by default grants only the Exchange users permission group.
(B) Default <Servername>: accepts connections from Edge Transport servers (Internet mail) and from other Hub Transport servers. It listens on port 25 and by default grants the Exchange users, Exchange servers and Legacy Exchange servers permission groups, but not Anonymous users.
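An added example (mine, not code from the original page) that audits the Receive connectors of a Hub Transport server from the Exchange Management Shell: it reports each connector's port bindings and permission groups, flags a port 25 connector that still rejects anonymous senders, and flags the opposite mistake, an anonymous open relay. The server name and the commented-out Set-ReceiveConnector line are assumptions.

```powershell
# Added example, not part of the original page. Run in the Exchange Management Shell
# on (or against) a Hub Transport server. $server is an assumption.
$server = 'HUB01'

function Get-ReceiveConnectorAudit {
    param([string]$Server)

    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        $ports     = @($rc.Bindings | ForEach-Object { $_.Port })
        $anonymous = [bool]($rc.PermissionGroups -match 'AnonymousUsers')

        # "Anonymous users" normally grants only ms-Exch-SMTP-Submit and
        # ms-Exch-Accept-Headers-Routing. An allow ACE for
        # ms-Exch-SMTP-Accept-Any-Recipient on ANONYMOUS LOGON is what turns a
        # connector into an open relay, so look for exactly that.
        $relayAce = Get-ADPermission -Identity $rc.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
                    Where-Object { -not $_.Deny -and ($_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient') }

        $verdict = if ($relayAce) {
                       'OPEN RELAY: anonymous senders may relay to any recipient'
                   } elseif ($anonymous -and ($ports -contains 25)) {
                       'accepts Internet mail (anonymous allowed on port 25)'
                   } elseif ($ports -contains 25) {
                       'port 25 without Anonymous users: Internet senders get 530 5.7.1 Client was not authenticated'
                   } else {
                       'ok'
                   }

        New-Object PSObject -Property @{
            Connector   = $rc.Name
            Ports       = ($ports -join ',')
            RemoteIP    = ($rc.RemoteIPRanges -join ',')
            Permissions = $rc.PermissionGroups.ToString()
            Verdict     = $verdict
        }
    }
}

Get-ReceiveConnectorAudit -Server $server |
    Format-Table Connector, Ports, RemoteIP, Permissions, Verdict -AutoSize

# The fix for the "no Anonymous users" case when no Edge server sits in front of the
# Hub. Left commented out on purpose: apply it after reading the report, and only on
# the connector that is meant to face the Internet.
# Set-ReceiveConnector -Identity "$server\Default $server" `
#     -PermissionGroups 'AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers'
```

The relay check reads the connector's ACL rather than the PermissionGroups property, because a relay right granted directly with Add-ADPermission does not show up in the permission groups at all.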

What’s the major issue blocking you from receiving e-mail from the outside world, assuming the right port(s) are open on the firewall and the MX records for your domain(s) are correct?
6. What’s the difference between the “Client” and the “Default” Receive Connectors?
You’re looking to troubleshoot e-mail delivery issues. Name 4 options/tools/logs that are built into Exchange 2007/2010 that can help you in your task.

7. How to enable Anti-Spam features on the HT role and what is the recommendation?
8. Where does Edge role store its settings?
A server with the Edge Transport role is not a member of the internal Active Directory forest and has no access to it. It stores all configuration and recipient information in ADAM (Active Directory Application Mode; AD LDS on Windows Server 2008). Because Active Directory and ADAM both use the Lightweight Directory Access Protocol (LDAP), and because both directory services use the Exchange 2007 schema, data can be replicated one way from Active Directory to ADAM.

Types of Data Replicated to ADAM
A. Edge Subscription information
Provision and maintain the credentials used to secure the LDAP connection.
Arbitrate the synchronization lock and lease process.
Optimize the EdgeSync synchronization process.

B. Configuration information
Hub Transport servers
Accepted domains
Message classifications
Remote domains
Send connectors
Internal SMTP servers
Domain Secure lists

C. Recipient information
Proxy addresses
Safe Senders List and Safe Recipients List
Per recipient anti-spam settings

D. Topology information
Notification of newly subscribed Edge Transport servers. This data is refreshed every five minutes.

9. How to enable high-availability and load balancing on Edge servers?
10. What is Edge subscription and process to enable Edge subscription?
The Exchange 2007 Edge Transport server role is normally deployed in the organization’s perimeter network (DMZ), outside the internal forest. It handles all Internet mail flow and adds a layer of protection through a series of agents that run on it: the agents filter messages for spam and viruses and apply transport rules to control message flow.

Subscribing the Edge Transport server to the organization (an Edge Subscription) is optional, but it is what makes the following work: recipient lookup and safelist aggregation for the anti-spam agents, replication of accepted domains and Send connectors, and secure (mutually authenticated TLS) SMTP communication between the Edge and Hub Transport servers.

Edge Subscription Process
A. Make sure that the Hub Transport servers and the Edge Transport server can resolve each other’s FQDNs by using DNS.
B. Run the New-EdgeSubscription cmdlet in the EMS on the Edge Transport server to export the Edge Subscription file.
C. Copy the Edge Subscription file to a Hub Transport server in the Active Directory site that will own the subscription.
D. Run the New-EdgeSubscription cmdlet in the EMS (or the New Edge Subscription wizard in the EMC) on that Hub Transport server to import the file, then delete the file: it contains the bootstrap credentials the Hub uses to bind to the Edge server’s ADAM instance.

11. What’s the default replication interval for EdgeSync, and how do you force replication?
When the Microsoft Exchange EdgeSync service starts on a Hub Transport server in the subscribed site, it establishes a synchronization schedule. In Exchange 2007:
Configuration data is synchronized to ADAM once every hour.
Recipient data is synchronized to ADAM once every four hours.

In Exchange 2007 the synchronization intervals cannot be modified. Exchange 2010 shortened them (configuration every 3 minutes, recipients every 5 minutes) and lets you change them with Set-EdgeSyncServiceConfig.

To force EdgeSync replication
Use the EMS to start synchronization of data from Active Directory to the subscribed Edge Transport servers immediately. Run the command below on the Hub Transport server.

Start-EdgeSynchronization -Server <Hub Transport server name>
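An added example (mine, not code from the original page) that carries the subscription steps A to D above and the forced synchronization through as they are typed into the Exchange Management Shell, followed by a verification step. The FQDNs, the file path, the site name and the server name are assumptions.

```powershell
# Added example, not from the original page. Steps A-D of the Edge Subscription
# procedure plus a forced EdgeSync run. FQDNs, file path, site and server names are
# assumptions; the comments say on which server each part runs.

# --- A. On both sides, confirm that each server resolves the other's FQDN.
function Test-MutualNameResolution {
    param([string[]]$Fqdns)
    $allOk = $true
    foreach ($fqdn in $Fqdns) {
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.ToString() }
            "$fqdn -> $($ips -join ',')"
        } catch {
            $allOk = $false
            "$fqdn does NOT resolve: $($_.Exception.Message)"
        }
    }
    return $allOk
}
if (-not (Test-MutualNameResolution -Fqdns 'edge01.perimeter.example.com', 'hub01.corp.example.com')) {
    throw 'Fix DNS (or the hosts file on the Edge server) before subscribing'
}

# --- B. On the EDGE server: export the subscription file. It embeds the bootstrap
#        credentials the Hub will use to bind to the Edge's ADAM instance and is only
#        valid for 1440 minutes, so copy it across straight away.
New-EdgeSubscription -FileName 'C:\EdgeSubscription.xml'

# --- C/D. On a HUB server in the subscribing site: import the file, let EdgeSync
#          create the two Send connectors, then delete the file.
$bytes = [byte[]](Get-Content -Path 'C:\EdgeSubscription.xml' -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $bytes -Site 'Default-First-Site-Name' `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true
Remove-Item -Path 'C:\EdgeSubscription.xml'

# --- Force the first replication instead of waiting for the schedule, then verify
#     the sync state and the two connectors EdgeSync is supposed to have created.
Start-EdgeSynchronization -Server 'hub01'
Test-EdgeSynchronization | Format-List
Get-SendConnector | Where-Object { $_.Name -like 'EdgeSync*' } |
    Format-Table Name, AddressSpaces, DNSRoutingEnabled, DomainSecureEnabled -AutoSize
```

Test-EdgeSynchronization reports the synchronization status of every subscribed Edge server; anything other than a normal status, or a missing EdgeSync Send connector, means the subscription has not taken and Internet mail will not flow.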

12. What ports required to open between the DMZ holding the Edge role and internal network?

13. How do you configure e-mail routing so that the organization can send e-mail externally (to the Internet), and what do you need to do?

14. What are the default connectors created during the Exchange Edge subscription?

When the Edge Subscription is created, EdgeSync creates two Send connectors in Active Directory, which are then replicated to ADAM on the Edge server.
A Send connector that relays e-mail messages from the Exchange organization to the Internet.
Connector Name: EdgeSync – <Site Name> to Internet

A Send connector that relays e-mail messages from the Edge Transport server to the Exchange organization.
Connector Name: EdgeSync – Inbound to <Site Name>

Setting                                EdgeSync – <Site Name> to Internet    EdgeSync – Inbound to <Site Name>
Address Space                          SMTP:*;100                            SMTP:--;1
Source Servers                         Edge Subscription name                Edge Subscription name
DNS Routing Enabled                    True                                  False (smart hosts: the Hub Transport servers in the site)
Domain Secure Enabled (Mutual Auth TLS) True                                  False
The name of the Edge Subscription is the same as the name of the subscribed Edge Transport server.


15. What are Accepted Domains, and what is the difference between the authoritative, internal relay and external relay types?

Exchange Mailbox Role

What is the OAB? When is it used, and what are the OAB distribution options?
What is the GAL and when would you decide to create more than one GAL?
What are the major changes in the way Exchange 2007 stores work?
What’s a Recovery Storage Group? How do you work with one?
Can you use Exmerge in Exchange 2007/2010? Why?
How do you export a mailbox content in Exchange 2007/2010?
What’s a Dial Tone recovery?
Describe the concept behind Log Shipping.
What’s the difference between LCR, CCR and SCR and SCC?
What are the high availability solutions introduced in Exchange Server 2010?
What is DAC (Datacenter Activation Coordination), and when does it need to be enabled?
What’s the major difference in store high availability in Exchange 2007?
What Exchange edition version do you need for LCR? What Windows edition version do you need for LCR?
How do you recover from a store corruption when using LCR? Name the procedures you would use.
What are the major changes in the way Exchange 2010 stores work? Name some of the changes in comparison with Exchange 2003 and Exchange 2007.

Exchange Tools, Backup
1. What are Eseutil and Isinteg? Name a few scenarios for using each tool.
Eseutil works at the ESE (database engine) level: dumping the header and shutdown state (/mh), verifying checksums (/k), replaying logs (/r), offline defragmentation (/d) and, as a last resort, hard repair (/p). Isinteg works at the application level and checks and fixes logical (Exchange-specific) inconsistencies inside the store; it is removed in Exchange 2010, where New-MailboxRepairRequest does the logical checks online. Scenarios where you need these utilities:
When there is logical corruption in a database (Isinteg, and Isinteg after any Eseutil /p repair).
When a database contains a large amount of white space that you want to reclaim (offline defragmentation with Eseutil /d).
When the disk holding the database is filling up and you need to free disk space.
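An added example (mine, not code from the original page) of the checks a practitioner runs before the offline defragmentation scenario above: it reads the database state from the eseutil /mh header dump and verifies free space for the rebuilt copy before anything destructive happens. The database, eseutil and temp-directory paths are assumptions.

```powershell
# Added example, not from the original page: preflight checks before an offline
# defragmentation (eseutil /d). Database, eseutil and temp paths are assumptions.
# eseutil /d rewrites the whole database into a temporary file, so the drive that
# receives the temporary file needs about 110% of the database size free, and the
# source must be a cleanly dismounted database ("State: Clean Shutdown" in the
# eseutil /mh header); running /d or /p against a dirty database loses data.
param(
    [string]$Database = 'D:\ExchangeDB\SG1\Mailbox Database.edb',
    [string]$Eseutil  = 'C:\Program Files\Microsoft\Exchange Server\Bin\eseutil.exe',
    [string]$TempDir  = 'E:\DefragTemp'
)
$ErrorActionPreference = 'Stop'

function Get-DatabaseState {
    # Parses the "State:" line of the eseutil /mh header dump.
    param([string]$EseutilPath, [string]$DatabasePath)
    $header = & $EseutilPath /mh "$DatabasePath"
    $m = $header | Select-String -Pattern '^\s*State:\s*(.+?)\s*$' | Select-Object -First 1
    if (-not $m) { throw 'No "State:" line in eseutil /mh output; is this an ESE database?' }
    return $m.Matches[0].Groups[1].Value
}

function Test-DefragPreflight {
    param([string]$DatabasePath, [string]$EseutilPath, [string]$TempDirectory)
    $db     = Get-Item -LiteralPath $DatabasePath
    $needed = [long]($db.Length * 1.1)
    $drive  = $TempDirectory.Substring(0, 2)                       # e.g. "E:"
    $free   = [long](Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace
    if ($free -lt $needed) {
        throw ('Need {0:N0} bytes free on {1} for the rebuilt copy, only {2:N0} available' -f $needed, $drive, $free)
    }
    $state = Get-DatabaseState -EseutilPath $EseutilPath -DatabasePath $DatabasePath
    if ($state -ne 'Clean Shutdown') {
        throw "Database state is '$state'; replay the logs (eseutil /r) and dismount cleanly before defragmenting"
    }
    'Preflight OK: {0} is {1:N2} GB, state "{2}", {3:N2} GB free on {4}' -f $db.Name, ($db.Length / 1GB), $state, ($free / 1GB), $drive
}

Test-DefragPreflight -DatabasePath $Database -EseutilPath $Eseutil -TempDirectory $TempDir

# The rewrite itself, run after dismounting the store and taking a backup
# (commented out deliberately):
# & $Eseutil /d "$Database" /t "$TempDir\Defrag.edb"
```

The state check matters more than the space check: a "Dirty Shutdown" database is one whose logs have not been replayed, and the fix is recovery (/r), never defragmentation or repair.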


2. What backup solutions are you familiar with in Exchange 2007/2010?
3. What built-in tool do you have to allow you to manage Exchange store recoveries?
4. What is the difference between online and offline defragmentation?
5. What are streaming backups and VSS backups?
6. How would you backup Exchange 2007/2010 on a Windows Server 2008/R2 machine without using 3rd-party tools?
7. What’s a Brick-Level backup?

Active Directory Interview Questions and Answers

1. What is AD?
Active Directory is a centralized, replicated directory database that stores objects and their attributes: users, groups, computers, printers, organizational units, contacts, shared folders, domains, forests, sites, the replication topology and trusts.
2. What is the Component of AD?
  • Logical Structure Components: Domains, Trees, Forests and OUs.
  • Physical Structure Component: Sites and Domain Controllers.
3. What is the protocol used by AD for directory Access?
LDAP (Lightweight Directory Access Protocol)
4. What are the naming conventions used by LDAP?
  • DN (Distinguished Name): the full path of an object from the leaf up to the forest root, for example
  • CN=mycomputer,OU=MyOrganizationalUnit,DC=nakshatraitlabs,DC=com
  • RDN (Relative Distinguished Name): the leaf component of the DN (CN=mycomputer above), unique only within its parent container.
  • UPN (User Principal Name): an Internet-style logon name of the form user@domain.
  • GUID (Globally Unique Identifier): a 128-bit value assigned when the object is created; unlike the DN it does not change when the object is renamed or moved.
  • Canonical Name: the same path written root first, for example nakshatraitlabs.com/MyOrganizationalUnit/mycomputer
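An added example (mine, not code from the original page) that converts between the naming forms above: it parses a distinguished name RDN by RDN, honouring backslash escapes, extracts the RDN, and rebuilds the canonical name. The sample DNs other than the page's own are constructed.

```powershell
# Added example, not from the original page. DN -> RDN and DN -> canonical name.
# Commas inside a value are escaped as "\," in LDAP, so the split must skip escaped
# commas; hex escapes such as "\2C" are not handled here.

function Get-Rdn {
    # The relative distinguished name is the first (leaf) component of the DN.
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    return ([regex]::Split($DistinguishedName, '(?<!\\),'))[0].Trim()
}

function ConvertTo-CanonicalName {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)

    # Split on unescaped commas only.
    $rdns = [regex]::Split($DistinguishedName, '(?<!\\),') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }

    $dcParts = @(); $pathParts = @()
    foreach ($rdn in $rdns) {
        if (-not ($rdn -match '^(?<type>[A-Za-z][A-Za-z0-9-]*)=(?<value>.*)$')) {
            throw "Not an RDN: '$rdn'"
        }
        $type  = $Matches.type.ToUpper()
        $value = $Matches.value -replace '\\(.)', '$1'    # unescape \, \= \+ and friends
        if ($type -eq 'DC') { $dcParts += $value } else { $pathParts += $value }
    }
    if ($dcParts.Count -eq 0) { throw "DN has no DC components: '$DistinguishedName'" }

    # A DN lists the leaf first; the canonical form lists the root first.
    [array]::Reverse($pathParts)
    return (($dcParts -join '.') + '/' + ($pathParts -join '/')).TrimEnd('/')
}

# Constructed sample input (the first DN is the page's own example); the second
# contains an escaped comma in the CN, the third is a bare domain.
$samples = 'CN=mycomputer,OU=MyOrganizationalUnit,DC=nakshatraitlabs,DC=com',
           'CN=Smith\, John,OU=Sales,OU=Users,DC=corp,DC=example,DC=com',
           'DC=corp,DC=example,DC=com'
foreach ($dn in $samples) {
    '{0,-62} RDN={1,-16} Canonical={2}' -f $dn, (Get-Rdn $dn), (ConvertTo-CanonicalName $dn)
}
```

The escaped-comma case is the one naive string splitting gets wrong: "CN=Smith\, John" is a single RDN whose value contains a comma, and it must come out as "corp.example.com/Users/Sales/Smith, John".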
5. What is a Forest?
A forest is a collection of one or more domain trees that share a common schema, configuration partition and global catalog and are linked by transitive trusts. The trees in a forest do not have to share a contiguous namespace.
6. What is a Domain?
A domain is a logical grouping of objects (users, computers, groups and so on) that share a common directory partition and security policies and is served by one or more domain controllers.
7. How to promote DC on a member server?
Start > Run > Type DCPROMO
8. What are the additional tools found after installing a DC?
Active Directory User and Computers,
Active Directory Sites and Services,
Active Directory Domain & Trust,
Domain Controller Security Policy,
Domain Security Policy
9. What are the different functional levels in Windows Server 2003?
Domain functional levels: Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim and Windows Server 2003.
Forest functional levels: Windows 2000, Windows Server 2003 interim and Windows Server 2003.
10. What are the operations master (FSMO) roles in Windows Server 2003, and what is the impact if one of them is down?
Schema Master: responsible for all updates to the schema (class and attribute definitions). Only one per forest. If it is down the schema cannot be extended (for example, Exchange setup fails), but normal operations continue.
Domain Naming Master: responsible for adding and removing domains and application partitions in the forest and for keeping domain names unique. Only one per forest. If it is down, domains cannot be added or removed.
PDC Emulator: acts as the PDC for any remaining NT 4.0 BDCs in a mixed-mode domain; receives preferential replication of password changes and is consulted on failed logons before a bad-password response is returned; processes account lockouts; is the authoritative time source for the domain; and is the default target for Group Policy edits. Only one per domain. Its loss is felt quickly: time skew, inconsistent password and lockout handling.
Infrastructure Master: updates cross-domain object references (for example a group member from another domain) by comparing its data with the global catalog. Only one per domain. It must not be placed on a global catalog server unless every domain controller in the domain is a global catalog, otherwise it never updates the references. If it is down, cross-domain group membership lags behind renames and moves.
RID Master: allocates pools of relative identifiers (RIDs) to the domain controllers of the domain so that every new security principal gets a unique SID. Only one per domain. If it is down, domain controllers that exhaust their RID pool can no longer create users, groups or computers.
11. How do you change the Directory Services Restore Mode (DSRM) administrator password?
Start > Run > type ‘ntdsutil’ and click OK.
C:\Ntdsutil>set dsrm password
C:\Ntdsutil\set dsrm password>reset password on server null
("null" means the local domain controller; give a server name to reset it on another DC. Type and confirm the new password when prompted.)
C:\Ntdsutil\set dsrm password>quit
C:\Ntdsutil>quit
12. What are the scopes of Groups?
Local groups: These are truly local, defined on and available to a single computer. They are created in the Security Accounts Manager (SAM) database of a domain member computer; both workstations and member servers have local groups.
Its Membership: A local group can include as members:
• Any security principals from the domain: users, computers, global groups, or domain local groups.
• Users, computers, and global groups from any domain in the forest
• Users, computers, and global groups from any trusted domain.
• Universal groups defined in any domain in the forest.
Domain Local Groups: Domain local groups are used primarily to manage permissions to resources.
Its Membership: A domain local group can include as members:
• Any security principals from the domain: users, computers, global groups, or other domain local groups
• Users, computers, and global groups from any domain in the forest
• Users, computers, and global groups from any trusted domain
• Universal groups defined in any domain in the forest
Global Groups: Global groups are used primarily to define collections of domain objects based on business roles.
Its Membership: A global group can include as members users, computers, and other global groups in the same domain only.
Universal Groups:  A universal group is defined in a single domain in the forest but is replicated to the global catalog. Universal groups are useful in multidomain forests. They let you define roles, or manage resources, that span more than one domain.
Its Membership: A universal group can include as members users, computers, global groups and other universal groups from any domain in the forest.
Summary of allowed members by scope:
Local group: users, computers, global groups, universal groups and domain local groups from the domain, plus local users defined on the same computer as the local group.
Domain local group: users, computers, global groups, universal groups and domain local groups (the latter from the same domain only).
Global group: users, computers and global groups from the same domain only.
Universal group: users, computers, global groups and universal groups from any domain in the forest.
13. What are Directory Partitions?
To scale to tens of millions of objects, a forest is partitioned into domains. Each Active Directory domain controller can be a member of one domain, and domain controllers within the same domain contain the same information. Domain controllers from different domains share the same configuration and schema data, but they do not share the same domain data. The means of distributing storage in this manner is the directory partition, also called a “naming context”.
In Active Directory, a directory partition is a portion of the directory namespace. Each directory partition contains a hierarchy of directory objects in the directory tree. The same directory partition can be stored as copies on many domain controllers.
Schema: Contains the Schema container, which stores class and attribute definitions for all existing and possible Active Directory objects in cn=schema,cn=configuration,dc= forestRootDomain . Updates to this container are replicated to all domain controllers in the forest. You can view the contents of the Schema container in the Active Directory Schema console.
Configuration: Contains the Configuration container, which stores configuration objects for the entire forest in cn=configuration,dc= forestRootDomain. Updates to this container are replicated to all domain controllers in the forest. Configuration objects store information about sites, services, and directory partitions. You can view the contents of the Configuration container by using ADSI Edit.
Domain: Contains a < domain > container, which stores users, computers, groups, and other objects for a specific domain. Updates to the < domain > container are replicated to only domain controllers within the domain and to Global Catalog servers. The hierarchy of domain directory partitions can be viewed in the Active Directory Domains and Trusts console, where trust relationships between domains can be managed.
Application directory partitions: An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 or later can host a replica of an application directory partition. The AD-integrated DNS zones ForestDnsZones and DomainDnsZones are the common examples.
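An added example (mine, not code from the original page) that enumerates the four kinds of partition above from the crossRef objects in the configuration partition and shows which domain controllers hold a replica of each application partition. The crossRef values used for the offline check are constructed.

```powershell
# Added example, not from the original page. Lists every directory partition in the
# forest and, for application partitions, which domain controllers hold a replica,
# read from the crossRef objects under CN=Partitions in the configuration partition.
# systemFlags bits on a crossRef: 0x1 = partition hosted by AD DS, 0x2 = domain partition.
# Needs the ActiveDirectory module (Windows Server 2008 R2 / RSAT). The sample
# crossRef values below are constructed so the classifier can be checked offline.
Import-Module ActiveDirectory

function Get-PartitionKind {
    param([string]$NCName, [int]$SystemFlags)
    $FLAG_CR_NTDS_NC     = 0x1
    $FLAG_CR_NTDS_DOMAIN = 0x2
    if (($SystemFlags -band $FLAG_CR_NTDS_NC) -eq 0) { return 'external (referral only, not hosted by AD DS)' }
    if ($NCName -match '^CN=Schema,CN=Configuration,') { return 'schema' }
    if ($NCName -match '^CN=Configuration,')           { return 'configuration' }
    if ($SystemFlags -band $FLAG_CR_NTDS_DOMAIN)        { return 'domain' }
    return 'application'
}

function Get-PartitionReport {
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $crossRefs = Get-ADObject -SearchBase "CN=Partitions,$configNC" -LDAPFilter '(objectClass=crossRef)' `
                              -Properties nCName, systemFlags, 'msDS-NC-Replica-Locations'
    foreach ($cr in $crossRefs) {
        $kind = Get-PartitionKind -NCName $cr.nCName -SystemFlags $cr.systemFlags
        if ($kind -eq 'application') {
            # Each value is an NTDS Settings DN: CN=NTDS Settings,CN=DC01,CN=Servers,CN=<site>,...
            $replicas = @($cr.'msDS-NC-Replica-Locations' | ForEach-Object { (($_ -split ',')[1]) -replace '^CN=' }) -join ','
        } else {
            $replicas = '(every DC of the dom ain/forest)'
        }
        New-Object PSObject -Property @{ Partition = $cr.nCName; Kind = $kind; Replicas = $replicas }
    }
}

# Offline check of the classifier with constructed crossRef values.
$constructed = @(
    @{ nCName = 'DC=corp,DC=example,DC=com';                            systemFlags = 3 },
    @{ nCName = 'CN=Configuration,DC=corp,DC=example,DC=com';           systemFlags = 1 },
    @{ nCName = 'CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com'; systemFlags = 1 },
    @{ nCName = 'DC=DomainDnsZones,DC=corp,DC=example,DC=com';          systemFlags = 5 },
    @{ nCName = 'DC=partner,DC=example,DC=net';                         systemFlags = 0 }
)
foreach ($c in $constructed) {
    '{0,-60} {1}' -f $c.nCName, (Get-PartitionKind -NCName $c.nCName -SystemFlags $c.systemFlags)
}

# Against the live forest:
# Get-PartitionReport | Format-Table Partition, Kind, Replicas -AutoSize
```

A crossRef with systemFlags 0 is a referral to a namespace some other directory hosts, which is why the classifier checks the "hosted by AD DS" bit before anything else.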
14. What is LDAP?
The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
LDAP is a directory service protocol that runs above the TCP/IP stack (TCP port 389, or 636 for LDAP over SSL; Active Directory additionally listens on 3268/3269 for global catalog queries). It provides a mechanism to connect to, search and modify directories.
The LDAP directory service is based on a client-server model. The function of LDAP is to enable access to an existing directory.
15. Where is the AD database stored?
AD stores its database in “C:\Windows\NTDS\ntds.dit” by default; the location can be changed during or after DC promotion.
Other files generated in the NTDS folder:
ntds.dit – The actual AD database file, where the objects and their attributes are written.
edb.log – Transaction log; changes are written here before they are committed to the database.
res1.log and res2.log – Reserve log files that guarantee space for the last transactions when the disk is full (Windows Server 2008 and later use edbres00001.jrs and edbres00002.jrs instead).
edb.chk – Checkpoint file that records which transactions in the logs have already been written to the database.
16. What is AD replication and difference between Intersite and Intrasite replication?
Active Directory replication keeps a consistent copy of directory data on all domain controllers in a forest so that up-to-date directory information is available to all users.
All domain controllers within a forest hold a replica of the schema and configuration partitions for that forest, and all domain controllers within a particular domain hold a replica of the domain partition for their domain.
Application directory partitions hold directory data specific to a particular application and can be stored by domain controllers belonging to different domains.
Active Directory uses remote procedure call (RPC) over IP to transfer replication data between domain controllers. RPC over IP is used for both intersite and intrasite replication (SMTP can also be used between sites, but only for the schema, configuration and global catalog data, not for a domain partition). To keep data secure in transit, RPC over IP replication uses both authentication (Kerberos) and data encryption.
Intrasite replication: The replication that occurs between domain controllers within one AD site. The Knowledge Consistency Checker (KCC) builds the intrasite topology as a bidirectional ring, which tries to give each domain controller at least two connections (for fault tolerance) and no more than three hops between any two domain controllers. Changes are replicated by notification after a short delay (15 seconds at the Windows Server 2003 forest functional level) and the data is not compressed.
Intersite replication: The replication that occurs between domain controllers in two or more different AD sites. The KCC builds the intersite topology as a least-cost spanning tree over the site links; replication follows the site-link schedule and interval (180 minutes by default) and the data is compressed.
One domain controller per site, the Inter-Site Topology Generator (ISTG), is responsible for building the intersite topology for that site.
17. What are the tools used in Active Directory?
DCDiag, NETDiag, Repadmin, Replmon (Windows Server 2003 only; dropped in 2008), NLTest
18. What is tombstone lifetime in active directory?
The tombstone lifetime in Active Directory determines how long a deleted object (a “tombstone”) is retained before garbage collection removes it. It is set by the tombstoneLifetime attribute of the Directory Service object (CN=Directory Service,CN=Windows NT,CN=Services) in the configuration partition. If the attribute is not set the value is 60 days; forests created with Windows Server 2003 SP1 or later set it to 180 days. It also bounds how old a backup may be and still be restorable, and how long a domain controller may stay disconnected before it risks reintroducing deleted (lingering) objects when replication resumes.
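An added example (mine, not code from the original page) that ties the replication passage and the tombstone lifetime together: it parses the CSV output of repadmin /showrepl and flags partners that are failing, and partners whose last success is older than the tombstone lifetime, which is the lingering-object case. The CSV rows are constructed; the column names are repadmin's real ones, the timestamp format is an assumption.

```powershell
# Added example, not from the original page. Parses the CSV form of
# "repadmin /showrepl * /csv" and flags partners that are failing or whose last
# successful replication is older than the tombstone lifetime. The CSV below is
# constructed: column names are the real ones, the timestamp format is an assumption.
# Live use:
#   $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
#   Get-ReplicationProblems -ShowReplCsv $rows -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)

function Get-TombstoneLifetimeDays {
    # Reads tombstoneLifetime from the Directory Service object in the configuration
    # partition; when the attribute is absent the forest uses the legacy default of 60 days.
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ds  = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $tsl = $ds.Properties['tombstoneLifetime'].Value
    if ($tsl) { return [int]$tsl } else { return 60 }
}

function Get-ReplicationProblems {
    param(
        [Parameter(Mandatory=$true)][object[]]$ShowReplCsv,   # rows from ConvertFrom-Csv
        [int]$TombstoneLifetimeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    foreach ($row in $ShowReplCsv) {
        $failures = [int]$row.'Number of Failures'
        $lastOk   = $null
        if ($row.'Last Success Time' -and $row.'Last Success Time' -ne '0') {
            $lastOk = [datetime]::Parse($row.'Last Success Time')
        }
        $ageDays = if ($lastOk) { ($Now - $lastOk).TotalDays } else { [double]::PositiveInfinity }

        $issue = $null
        if ($ageDays -gt $TombstoneLifetimeDays) {
            # Do not simply "fix" replication here: the stale DC would reanimate deleted
            # objects. Clean it (repadmin /removelingeringobjects) or demote it first.
            $issue = "last success $([math]::Round($ageDays)) days ago exceeds tombstone lifetime ($TombstoneLifetimeDays d): lingering-object risk"
        } elseif ($failures -gt 0) {
            $issue = "$failures consecutive failures, last status $($row.'Last Failure Status')"
        }
        if ($issue) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Issue         = $issue
            }
        }
    }
}

# Constructed sample: a healthy partner, one with RPC failures (status 1722), and one
# that has not replicated for months and now returns 8606 (the lingering-object symptom).
$sample = @'
Showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=corp,DC=example,DC=com",HQ,DC02,RPC,0,0,2010-05-01 10:00:00,0
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=corp,DC=example,DC=com",Branch,DC03,RPC,12,2010-05-01 09:00:00,2010-04-28 09:00:00,1722
showrepl_INFO,Branch,DC03,"DC=corp,DC=example,DC=com",HQ,DC01,RPC,900,2010-05-01 09:00:00,2009-10-01 09:00:00,8606
'@
$rows = $sample | ConvertFrom-Csv

Get-ReplicationProblems -ShowReplCsv $rows -TombstoneLifetimeDays 60 -Now (Get-Date '2010-05-01 12:00:00') |
    Format-Table Destination, Source, NamingContext, Issue -AutoSize
```

Against the sample only the second and third rows are reported; the third is the one that matters, because restoring replication to a DC that has been isolated for longer than the tombstone lifetime is how deleted objects come back.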
19. What are the trusts in Active Directory?
20.  What are the port in `

DNS Interview Questions and Answers

Interview questions and answers on the DNS Server role in Windows Server 2003 and 2008


Q1. What is DNS?
The Domain Name System is the distributed naming service that resolves names to IP addresses and vice versa. On Windows it is provided by the DNS Server role, which can be installed on any Windows Server operating system. TCP/IP networks, such as the Internet, use DNS to locate computers and services through user-friendly names.

Q2. What is DDNS?
Dynamic DNS or DDNS is a method of updating, in real time, a Domain Name System to point to a changing IP address on the Internet. This is used to provide a persistent domain name for a resource that may change location on the network.

Q3. What are the resource records in DNS?

  • A (Address) Maps a host name to an IP address. When a computer has multiple adapter cards and IP addresses, it should have multiple address records.
  • CNAME (Canonical Name) Sets an alias for a host name, so that a host can be reached under an additional name that resolves to its canonical name.
  • MX (Mail Exchange) Specifies a mail exchange server for the domain, which allows mail to be delivered to the correct mail servers in the domain.
  • NS (Name Server) Specifies a name server for the domain, which allows DNS lookups within various zones. Each primary and secondary name server should be declared through this record.
  • PTR (Pointer) Creates a pointer that maps an IP address to a host name for reverse lookups.
  • SOA (Start of Authority) Declares the host that is the most authoritative for the zone and, as such, is the best source of DNS information for the zone. Each zone file must have an SOA record (which is created automatically when you add a zone).

Q4. What are a Forward and Reverse Lookup?

  • Forward Lookup: a name query that asks for the IP address that belongs to a name.
  • Reverse Lookup: DNS also provides a reverse lookup process, enabling clients to use a known IP address during a name query and look up a computer name based on its address.

Q5. What is Primary zone?
This is the read-write copy of a zone in the DNS namespace. It is the primary source of information about the zone and holds the master copy of the zone data, either in a local file or in AD DS. By default the primary zone file is named zone_name.dns and lives in the %windir%\System32\DNS folder on the server.

Q6. What is a Secondary zone?
This is a read-only copy of a zone. It is a secondary source of information about the zone and receives updates from the master copy through zone transfers, so network access to the master (primary) server is required. Because a secondary zone is merely a copy of a primary zone hosted on another server, it cannot be stored in AD DS. Zone transfers should be restricted to the servers listed in NS records (or to explicit IP addresses): an unrestricted transfer hands an attacker the whole zone.

Q7. What is stub Zone?
A stub zone is a read-only copy of a zone that contains only the resource records needed to identify the authoritative DNS servers for that zone. Stub zones are used to resolve names between separate DNS namespaces, typically after a corporate merger or acquisition, when the DNS servers of two separate namespaces must resolve names for clients in both.

A stub zone contains:
The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the stub zone.

Q8. What is Caching Only Server?
Caching-only servers are DNS servers that host no zones; they perform name resolution queries on behalf of clients, cache the answers and return the results. Once an answer is cached, later queries for the same name are answered locally (until the record’s TTL expires) instead of going back to the authoritative server.

Q9. What is Aging and Scavenging?
DNS servers running Windows Server support aging and scavenging features. These features are provided as a mechanism to perform cleanup and removal of stale resource records from the server and zone. This feature removes the dynamically created records when they are stamped as stale.

By default, the aging and scavenging mechanism for the DNS Server service is disabled.

Scavenging and aging must be enabled both at the DNS server and on the zone
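An added example (mine, not code from the original page) of enabling aging and scavenging at both levels, as the passage requires, with dnscmd on Windows Server 2003/2008. It runs as a dry run unless -Apply is given; the server name, zone name and intervals are assumptions.

```powershell
# Added example, not from the original page: enable aging and scavenging at both
# levels with dnscmd (Windows Server 2003/2008), dry run unless -Apply is given.
# Server name, zone name and intervals are assumptions. Intervals are in hours.
param(
    [string]$DnsServer       = 'dc01.corp.example.com',
    [string]$Zone            = 'corp.example.com',
    [int]$NoRefreshHours     = 168,   # 7 days: a freshly refreshed record cannot be re-stamped
    [int]$RefreshHours       = 168,   # 7 days: window in which clients may re-register
    [int]$ScavengeEveryHours = 168,   # how often the server looks for stale records
    [switch]$Apply
)
# A record is stale, and gets scavenged, NoRefresh + Refresh hours after its timestamp.
# Keep Refresh longer than the clients' re-registration period (24 h for Windows
# clients by default) or you delete live records. Static records carry no timestamp
# and are never scavenged.
$steps = @(
    @('/Config', $Zone, '/Aging', '1'),                        # zone level: turn aging on
    @('/Config', $Zone, '/NoRefreshInterval', $NoRefreshHours),
    @('/Config', $Zone, '/RefreshInterval',   $RefreshHours),
    @('/Config', '/ScavengingInterval', $ScavengeEveryHours)   # server level: scavenging period
)

foreach ($step in $steps) {
    $cmdline = "dnscmd $DnsServer $($step -join ' ')"
    if (-not $Apply) { "would run: $cmdline"; continue }
    & dnscmd $DnsServer @step
    if ($LASTEXITCODE -ne 0) { throw "failed: $cmdline" }
    "applied: $cmdline"
}

# Confirm: the zone must report aging on and both intervals, otherwise nothing is
# ever scavenged even though the server-level interval is set.
dnscmd $DnsServer /ZoneInfo $Zone | Select-String -Pattern 'aging|refresh'
```

Scavenging deletes records, so the dry run exists to be read before -Apply: the two zone intervals decide which dynamic records survive, and a value shorter than the clients’ registration cycle removes hosts that are still online.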

Q10. What is SRV record in DNS?
An SRV (service locator) record points to the host(s) that provide a specific service, together with a port, priority and weight. Active Directory depends on it: domain controllers register records such as _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>, and clients use them to locate a domain controller.

Q11. What is Forwarding in DNS?
A forwarder is a DNS server to which other DNS servers send the queries they cannot resolve locally, typically queries for names outside the internal namespace. You configure a DNS server to use a forwarder so that unresolved queries go to that server instead of being resolved recursively from the root servers.

Q12. What is Conditional Forwarding in DNS?
With conditional forwarders, the DNS server forwards queries for specific domain names to designated servers: each conditional forwarder maps a DNS domain name to the IP addresses of the servers that should receive queries for that domain.

Q13. What are the query types in DNS?
  • Recursive Query: the DNS server is asked to return a complete answer (or an error). It is the type of query clients send to their DNS server, and the type a DNS server configured with a forwarder sends to that forwarder.
  • Iterative Query: the DNS client allows the DNS server to return the best answer it can give based on its cache or zone data. If the queried DNS server does not have an exact match for the queried name, the best information it can return is a referral. The client then queries the DNS server it was referred to, and continues until it reaches a server that is authoritative for the queried name, or until an error or time-out occurs.

Q14. What are the tools for troubleshooting DNS?

Q15. How do you check DNS health?
Use dcdiag, which tests DNS registration, forwarders, delegations and dynamic update for the domain controllers, for example:
dcdiag /test:dns /v /e

Exchange Server 2007/2010 interview questions and answers – Part 1

Dear All, I hope the below question bank will help you.



Exchange General

1. What are the server roles in Exchange 2007?
2. What are the Exchange 2003 server role equivalents of the various Exchange Server 2007/2010 roles?

Exchange Server 2003                      Exchange Server 2007/2010
Front End server (SMTP service)           Hub Transport server
Front End server                          Client Access server
Back End server                           Mailbox server
(no equivalent)                           Edge Transport server (new)
(no equivalent)                           Unified Messaging server (new)


3. Name the system prerequisites for installing Exchange 2007?
4. Why don’t we install Outlook on the same machine that runs Exchange 2007/2010?
5. Where does Exchange store its configuration settings?
6. How do you prepare the AD for Exchange 2007?
7. How would you verify that the schema was in fact updated?
8. What are setup.com and setup.exe in the installation folder root? Which would you use and when?
9. What is the role of PowerShell in Exchange Server, and what is one major benefit of PowerShell v2 over v1?
10. What’s the difference between the Enterprise and Standard editions of Exchange in relation with the number and size of the stores on the server?
11. What is Cached Mode in Outlook 2007/2010?
12. What is S/MIME? What are the usage scenarios for S/MIME?
13. What are E-Discovery features?
14. In Exchange 2007, what are the minimum requirements for implementing a high availability topology, in relation to the server roles and server numbers?

Exchange Recipient Level

1. What are the different Exchange Recipient types?

User mailbox: A mailbox created for an individual user to store mail, calendar items, contacts, tasks, documents and other business data.

Linked mailbox: A mailbox for a user whose account lives in a separate, trusted forest. For example, the AD account is created in A.COM and the mailbox is created in the B.COM Exchange organization; the mailbox’s own user object in B.COM is disabled and linked to the external account.

Shared mailbox: A mailbox that is not primarily associated with a single user and is generally configured to allow logon access for multiple users.

Legacy mailbox: A mailbox that resides on a server running Exchange Server 2003 or Exchange 2000 Server.

Room mailbox: A resource mailbox created for a meeting location, such as a meeting or conference room, auditorium or training room. When you create this mailbox, a disabled user account is created by default.

Equipment mailbox: A resource mailbox created for a non-location-specific resource, such as a portable computer, projector, microphone or company car. When you create this mailbox, a disabled user account is created by default. Equipment mailboxes give users a simple and manageable way to book resources.

2. What is the difference between mail user and mail contact?

Mail user: This is an Active Directory user that represents e-mail address outside your Exchange organization. Each mail user has an external e-mail address to which all messages sent to the mail user are routed.

Mail contact: This is an Active Directory contact that contains e-mail address information about people or organizations that exist outside your Exchange organization. Each mail contact has an external e-mail address. All messages sent to the mail contact are routed to this external e-mail address.

3. What is the difference between Distribution group and Dynamic Distribution group?

Mail-enabled (Universal distribution group): This is an Active Directory distribution group object that can be used only to distribute messages to a group of recipients.

Mail-enabled (Universal security group):A mail-enabled Active Directory security group object that can be used to grant access permissions to resources in Active Directory, and can also be used to distribute messages.

Mail-enabled (Non-universal group): This is an Active Directory global or local group object. Mail-enabled non-universal groups are de-emphasized in Exchange 2007 and can exist only if they were migrated from previous versions of Exchange. You cannot use Exchange 2007 to create new non-universal distribution groups.

Dynamic distribution group: A distribution group that uses recipient filters and conditions to derive its membership at the time messages are sent.
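An added example (mine, not code from the original page) for the dynamic distribution group definition above: it creates a group from a recipient filter and then previews, the way the transport categorizer does, who would actually receive a message sent to it right now. The OU, group name, alias and filter are assumptions.

```powershell
# Added example, not from the original page. Run in the Exchange Management Shell.
# OU, group name, alias and filter are assumptions. Membership of a dynamic group is
# evaluated at send time, so a filter scoped too widely (the whole organization
# instead of one OU) is a data-exposure problem, not a cosmetic one.
$ou     = 'corp.example.com/Sales'
$filter = "((RecipientType -eq 'UserMailbox') -and (Department -eq 'Sales'))"

New-DynamicDistributionGroup -Name 'Sales Staff' -Alias 'salesstaff' `
    -OrganizationalUnit $ou -RecipientContainer $ou -RecipientFilter $filter

function Get-DynamicGroupPreview {
    # What a message to the group expands to: the group's own filter, constrained to
    # its RecipientContainer, which is exactly what the categorizer evaluates.
    param([Parameter(Mandatory=$true)][string]$Identity)
    $ddg = Get-DynamicDistributionGroup -Identity $Identity
    Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -OrganizationalUnit $ddg.RecipientContainer |
        Select-Object Name, RecipientType, PrimarySmtpAddress
}
Get-DynamicGroupPreview -Identity 'Sales Staff'

# Keep anonymous (Internet) senders out, so the group cannot be used from outside to
# reach every sales mailbox with one message.
Set-DynamicDistributionGroup -Identity 'Sales Staff' -RequireSenderAuthenticationEnabled $true
```

Previewing with Get-Recipient matters because the filter text you wrote is not what is stored: the cmdlet adds its own exclusions (system mailboxes, disabled objects), and RecipientContainer silently limits the result to one OU subtree.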

Exchange CAS Role

1. What is OWA?
OWA refers to Outlook Web Access, which in Exchange 2007 lets you access your e-mail from any web browser. It contains many new features such as meeting booking, Microsoft SharePoint Services and Windows file share integration, and a rich user experience from any computer that has a web browser.

2. What is the Exchange ActiveSync?
Exchange ActiveSync is the feature that synchronizes e-mail data between a mobile device and the Exchange server. Using ActiveSync you can synchronize e-mail, contacts, calendar and tasks. Devices running Windows Mobile 5.0 and later are supported, as are third-party devices that license the ActiveSync protocol.

3. What is Availability service

The Availability service provides free/busy information using secure, consistent, and up-to-date free/busy data to users that are running Outlook 2007. Outlook 2007 uses the Autodiscover service to obtain the URL of the Availability service.

4. What is Autodiscover service?
This service enables Outlook clients and some mobile devices to receive their necessary profile settings directly from the Exchange server by using the client’s Active Directory domain credentials or user’s SMTP domain.

5. What is Outlook Anywhere and describe the method for enabling Outlook Anywhere?
Outlook Anywhere (previously known as RPC over HTTP) lets Internet-based Microsoft Outlook clients connect to Exchange Server 2007 by tunnelling the MAPI RPC traffic inside HTTPS, which eliminates the need for a VPN. It was introduced with Exchange Server 2003 SP1 and carried forward into Exchange 2007/2010.

Outlook Anywhere can be enabled by using the
Exchange Management Console
Open the Exchange Management Console tree > expand Server Configuration > then click Client Access.
In the action pane, click Enable Outlook Anywhere.

Exchange Management Shell
Enable-OutlookAnywhere -Server <ServerName> -ExternalHostname <ExternalHostName> -ClientAuthenticationMethod Basic -SSLOffloading $false
(Basic authentication sends the credentials protected only by the TLS channel, so leave -SSLOffloading at $false unless a load balancer genuinely terminates SSL in front of the server, and prefer -ClientAuthenticationMethod NTLM where the clients support it. The optional -IISAuthenticationMethods parameter controls which methods IIS itself accepts, for example Basic,NTLM.)

Requirements for Outlook Anywhere
Install a valid Secure Sockets Layer (SSL) certificate from a trusted certification authority (CA) on the Client Access server.
Install the Windows RPC over HTTP Proxy component.

6. What certificates can be installed on Exchange 2007, and can you name a few commercial CAs?
Wildcard Certificate: Exchange Server supports certificates with wildcard names, such as * followed by the domain. This is an acceptable choice, but be aware that some legacy clients and mobile devices do not support wildcard names on a certificate.

SAN Certificate: This (Subject Alternative Name, also sold as a unified communications certificate) is the most widely used type: it has one common name and additional domain names that refer to the other Exchange services (the Autodiscover name, for instance), so a single certificate covers all client-facing services.

7. How do you decide when to use certificates issued by a public CA and when to use self-signed certificates?
Whenever your users access Exchange components that require authentication and encryption from outside your corporate firewall, deploy a certificate issued by a public CA: users accessing Exchange ActiveSync, POP3, IMAP4 and Outlook Anywhere need a certificate that their devices already trust without any extra configuration.

The self-signed certificate created by setup is used by the Exchange 2007 components that authenticate with Kerberos, Direct Trust or NTLM. These are internal components whose data paths run between Exchange 2007 servers inside the corporate network defined by Active Directory; a self-signed certificate is acceptable there because trust is established by Active Directory (or, for Edge and Hub, by the EdgeSync subscription), not by the certificate chain.

8. Name the Exchange 2007 components that use certificates.
EdgeSync synchronization
POP3 and IMAP4
Unified Messaging
Client Access applications such as Outlook Anywhere, OWA and Exchange ActiveSync
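An added example (mine, not code from the original page) for questions 6 to 8: it requests a SAN certificate for the client-facing names, shows how the returned certificate is bound to services, and audits every certificate Exchange holds for the problems discussed above (self-signed on a client-facing service, wildcard, imminent expiry). Host names, organization, paths and the warning threshold are assumptions.

```powershell
# Added example, not from the original page. Exchange 2007 SP1 syntax (-Path writes
# the request file); in Exchange 2010 New-ExchangeCertificate returns the request as
# a string that you write out with Set-Content, and Import-ExchangeCertificate takes
# -FileData instead of -Path. Names, organization and paths are assumptions.
$names = 'mail.example.com', 'autodiscover.example.com'
New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 `
    -SubjectName 'C=US, O=Example Corp, CN=mail.example.com' `
    -DomainName $names -Path 'C:\certreq\mail.example.com.req'

# After the CA returns the certificate: import it, then bind only the services that
# face clients (IIS for OWA/EAS/Outlook Anywhere, SMTP for TLS on the connectors,
# POP/IMAP if offered). Commented out because the file does not exist yet.
# $cert = Import-ExchangeCertificate -Path 'C:\certreq\mail.example.com.cer'
# Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'SMTP,IIS,POP,IMAP'

function Get-ExchangeCertificateAudit {
    # Every certificate Exchange knows about: what it secures, whether it is self-signed
    # (fine for Hub/Hub and Direct Trust Edge/Hub paths, not for client-facing services),
    # whether it is a wildcard, and how long it has left.
    param([int]$WarnDays = 30)
    Get-ExchangeCertificate | ForEach-Object {
        $days  = ($_.NotAfter - (Get-Date)).Days
        $names = ($_.CertificateDomains -join ',')
        $flags = @()
        if ($_.IsSelfSigned -and ($_.Services -match 'IIS|POP|IMAP')) { $flags += 'self-signed on a client-facing service' }
        if ($names -match '\*')  { $flags += 'wildcard: some legacy/mobile clients reject it' }
        if ($days -lt $WarnDays) { $flags += "expires in $days days" }
        New-Object PSObject -Property @{
            Thumbprint = $_.Thumbprint
            Services   = $_.Services.ToString()
            Names      = $names
            SelfSigned = $_.IsSelfSigned
            ExpiresIn  = $days
            Flags      = ($flags -join '; ')
        }
    }
}
Get-ExchangeCertificateAudit | Format-Table Thumbprint, Services, Names, SelfSigned, ExpiresIn, Flags -AutoSize
```

The audit is the part worth scheduling: an expired or self-signed certificate on the IIS service is what produces the certificate warnings in Outlook Anywhere and ActiveSync that users learn to click through, which defeats the point of TLS.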