Any good system administrator is going to know what files are on his company's server and what are in those files.
The first thing you want to do is use a program or write a script to take note of all the files on the hard drive. The safest way to do this would to mount the hard drive on a known working OS so the OS doesn't hide any files from you. You make note of this and keep it in a safe place.
The next thing you do is create a checksum for each of those files listed and keep that in a safe place as well.
This process will go well with your server backups because you'll know where to restore from.
Whenever you suspect and intrusion you will check to see what files have been added to the system and verify the integrity of the files with the checksum. There will be certain files that will always fail of course, such as log files. But you will want to flag files that have changed without your knowledge such as the boot files or system files.
An additional resource would be to analyze the traffic from the server. Gather any information you can to be helpful such out going server port, where the traffic is going, etc.
Typically a compromised system is going to try and send things out to the internet. Being that it was an exchange server, it may be used to spam emails so that it wouldn't look to peculiar.
A lot of intrusions can be detected with anti virus as well, but of course, that doesn't mean your safe!