An Inside View of Microsoft Exchange 2010 SP2
Jeff Mealiffe, Sr. Program Manager, Microsoft Corporation
EXL304
Agenda
Some facts, figures and otherwise interesting info about Exchange 2010 SP2 and our servicing process
Four new features in SP2
Mini version of Outlook Web App
Hybrid Configuration Wizard
Address Book Policies
Impact on our hosting/multi-tenant strategy
OWA Cross Site Silent Redirection
The latest from our update rollups
Recoverable items versioning
Exchange SP2 Facts
Exchange is a very complex product
~20 million lines of code (over half is test code)
Every release we produce goes through a very large battery of automated testing as well as targeted hands-on testing in various forms
We're constantly working to improve quality and efficiency
SP2 was released ~6 months ago
3 rollup updates have been released since then
Exchange SP2 Facts
Service packs these days are about bugs AND features
New features are generally reserved for service packs (vs. update rollups)
Features often require schema updates
SP2 contained ~600 bug fixes in addition to 4 new features
Every bug is triaged for risk, cost and applicability (i.e. how many customers will benefit)
Bugs that simply make us look bad are frequently not fixed
We can take it and deserve to sometimes
OMA? No, Introducing OWA Mini!
What you previously knew as OMA is back in SP2
This feature was driven by demand from markets where browser phones still rule
Simple to administer via EMS
This is a complete re-write, none of the 2003 code was re-used
It is built as a set of OWA forms, rather than as a separate application, hence OWA Mini
Managing OWA Mini
Enabled and disabled using Set-OWAMailboxPolicy:
Set-OWAMailboxPolicy Name -OWAMiniEnabled:$True
OWA Mini is an alternative view of OWA
OWA mailbox policies and segmentation are inherited
Any unsupported features (IRM for example) in the policy are secure by default, i.e. disabled for OWA Mini
ActiveSync policies are not applied to OWA Mini
Access to fully supported features such as calendar & contacts can be managed via policy
Works in all OWA languages
How Does OWA Mini Work?
New v-dir /owa/oma created, points to same path as /owa v-dir
Similar to the /owa/Calendar v-dir
Basic auth configured instead of FBA
App runs in the OWA app pool
When the ASP.NET app starts on that v-dir, it detects the path and creates an OWA Mini application (different forms than "normal" OWA)
Same common codebase throughout OWA, but forms are specific to this device type
Hybrid Configuration Wizard
Wizard plus cmdlets for setting up on-premises Exchange and O365 to work together properly, in Hybrid mode
Vastly simpler process than the previous SP1 manual experience
What once took ~49 steps, now takes 6 (your mileage may vary)
>80% reduction for the administrator
Interested in more?
EXL303 – Configuring Hybrid Exchange the Easy Way (Wednesday @2:45PM)
First, Some History Of GAL Segmentation
By default in Exchange, the Global Address List contains every mail enabled object
GAL Segmentation means dividing up the GAL and Address Lists
Why would you want to do this?
Legal or compliance reasons – people are not allowed to see each other in the GAL
Optimization reasons – you have a huge GAL but operate in smaller logical units
Hosting reasons – you want to host multiple organizations on one platform and don't want them seeing each other
Some History…
In the Exchange 2000 timeframe a KB was released that outlined how to carve up your GAL, but we pulled it when HMC was created
For 2003, no such paper, but many support cases
For 2007, a new whitepaper was born
For 2010, we decided to engineer the solution into the product fully
It enables us to systematically test the solution
It allows CSS to fully support the solution
And because customers asked for it
How Did The Previous Solutions Work?
Based on a combination of methods:
Using ACLs on GALs and ALs (Outlook and EAS)
Requires security group membership and all ACLs to be evaluated (scale limits)
MsExchQueryBaseDN (for OWA, but not needed since SP1)
Specify per user the base OU the user can search from (this means the OU hierarchy is rigid)
Per-user OAB assignment
Specify per user the OAB the user can access
Obviously many ways for things to break
Need to script provisioning operations to avoid mistakes
Not really well-integrated with the core design of Exchange
OU hierarchy dependency didn't work for many customers
Introducing Address Book Policies
New in SP2: Address Book Policies (ABPs) enable you to achieve GAL Segmentation in Exchange 2010
ABPs work on the principle of direct GAL and Address List assignment rather than allowing or denying access to all available lists
ABPs only apply to users with mailboxes on Exchange 2010, as they plug in to the Address Book Service on the 2010 SP2 CAS role
Any request that comes through the Address Book Service on CAS is evaluated against the ABP assigned to the user
A Picture Says A Thousand Words
[Figure: example assignment for "Address Book Policy A". The org holds Global Address Lists GAL 1 to GAL 4, Address Lists AL 1 to AL 6, Room Address Lists RM AL 1 and RM AL 2, and Offline Address Books OAB A (= AL1 + AL3 + AL4) and OAB B (= AL1 + AL2 + AL5 + AL6 + GAL1). Policy A assigns: Address Lists AL1, AL2, AL5, AL6; Default Address List GAL1; Room Address List RM AL 1; Offline Address Book OAB B. Effective Filter for the user = GAL1.]
What Kind Of Actions Are Impacted?
ABPs work for any client that goes through CAS for directory and:
Opens the address list picker
Tries to resolve a name or an alias
Adds a room resource to a meeting request
Searches the GAL
Searches the directory from Outlook Voice Access
Queries the directory from a mobile device
Views someone's DL memberships, or views the members of a DL
Yes – if a user in a DL is outside the scope of your ABP, you won't see them
This prevents GAL mining by surfing up and down the member/memberof properties in some scenarios
This does mean you might be sending to more people than you think you are… and that MailTips might (apparently) not be telling the truth…
ABP Deployment Scenarios: Two Independent Companies
[Figure: Tailspin Inc. and Fabrikam Inc. each get their own directory objects. Tailspin: GAL-TAIL, OAB-TAIL, and address lists AL-TAIL-Users-DL's, AL-TAIL-Contacts and AL-TAIL-Rooms. Fabrikam: GAL-FAB, OAB-FAB, and address lists AL-FAB-Users-DL's, AL-FAB-Contacts and AL-FAB-Rooms. Address Book Policy 'TAIL': Address Lists AL-TAIL-Users-DL's, AL-TAIL-Rooms, AL-TAIL-Contacts; Default Address List GAL-TAIL; Room Address List AL-TAIL-Rooms; Offline Address Book OAB-TAIL. Address Book Policy 'Fab' is the mirror image built from the AL-FAB, GAL-FAB and OAB-FAB objects.]
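The Tailspin half of the scenario above, built in the Exchange 2010 SP2 Management Shell, as an added example that is not part of the deck. It assumes every Tailspin recipient is tagged with CustomAttribute1 = 'TAIL' (the deck does not say how tenant objects are identified) and finishes with the check a hoster wants: tenant mailboxes that still have no policy, because those users see the default GAL.

```powershell
# Added example, not from the deck: build Address Book Policy 'TAIL' from the
# "Two Independent Companies" diagram.
# ASSUMPTION: Tailspin recipients carry CustomAttribute1 = 'TAIL'.
$tag   = 'TAIL'
$byTag = "(CustomAttribute1 -eq '$tag')"

# 1. Tenant GAL: only objects carrying the tenant tag.
New-GlobalAddressList -Name "GAL-$tag" -RecipientFilter $byTag

# 2. The three address lists the policy assigns.
New-AddressList -Name "AL-$tag-Users-DLs" -RecipientFilter `
    "$byTag -and ((RecipientType -eq 'UserMailbox') -or (RecipientType -eq 'MailUniversalDistributionGroup'))"
New-AddressList -Name "AL-$tag-Contacts" -RecipientFilter `
    "$byTag -and (RecipientType -eq 'MailContact')"
New-AddressList -Name "AL-$tag-Rooms" -RecipientFilter `
    "$byTag -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')"

# 3. OAB generated from the tenant GAL only, so cached mode clients never
#    download the other tenant's entries.
New-OfflineAddressBook -Name "OAB-$tag" -AddressLists "GAL-$tag"

# 4. The policy: direct assignment of lists, no ACLs on the lists themselves.
New-AddressBookPolicy -Name $tag `
    -GlobalAddressList "GAL-$tag" `
    -OfflineAddressBook "OAB-$tag" `
    -RoomList "AL-$tag-Rooms" `
    -AddressLists "AL-$tag-Users-DLs", "AL-$tag-Rooms", "AL-$tag-Contacts"

# 5. Stamp the policy on every tenant mailbox (ABPs only apply to 2010 mailboxes).
Get-Mailbox -ResultSize Unlimited -Filter $byTag | Set-Mailbox -AddressBookPolicy $tag

# 6. Check: tenant mailboxes with no ABP (e.g. provisioned after this run).
#    An unassigned mailbox is evaluated against the default GAL and sees everyone.
Get-Mailbox -ResultSize Unlimited -Filter $byTag |
    Where-Object { -not $_.AddressBookPolicy } |
    Select-Object Name, Alias, Database
```

Step 6 belongs in the provisioning script as well, since the deck's point is that ABPs are only as good as the assignment being complete.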
ABP Deployment Scenarios: Two Companies Sharing One CEO
[Figure: the 'TAIL' and 'Fab' policies from the previous scenario are unchanged. The shared CEO ("Big Boss") gets a third policy, Address Book Policy 'Boss': Address Lists = all the ALs there are; Default Address List = Default GAL; Room Address List = Default All Rooms; Offline Address Book = Default OAB. That one user sees both companies' users, DLs, contacts and rooms.]
ABP Deployment Scenarios: Education
[Figure: a school with Class A, Class B, Teacher A, Teacher B, a Principal and the DLs Class A - All, Class B - All, Everyone and Faculty. Address lists are built from attributes: All Teachers (where attribute y = 'teacher' or 'principal'), All Students (where attribute z = 'student'), All Groups (where object type = group) and one Class X list per class (all students in a specific class). Address Book Policy 'Student Class A': Address Lists AL-Class A, AL-All Teachers, AL-All Groups; Default Address List GAL-Class-A. Address Book Policy 'Principal': Address Lists AL-Class A, AL-Class B etc., AL-All Teachers, AL-All Students, AL-All Groups; Default Address List GAL-Principal. The figure shows the member counts of the DL objects differing between the two policies' views, because members outside a policy's scope are not displayed.]
ABP Deployment Considerations
Deploying ABPs successfully is all about planning and understanding what they can, and cannot do
ABPs alone do not result in 'true' separation – smart users can usually figure out ways to get around them or expose some data
As an example: Transport will send to the real members of a DL – it ignores ABPs
Don't try and use ABPs alone to 'fake' multi-tenancy, it's more complex than that
ABPs are better suited to providing optimized address lists for discrete groups of users that do not share resources
Anything Else We Need To Know?
ABPs cannot prevent anyone directly connecting to AD and bypassing ABP logic
So any LDAP clients, for example Outlook Mac/Entourage using LDAP, will not work with ABPs
You can't use ABPs if Exchange is installed on a GC
In that case, NSPI is provided by AD rather than the Address Book Service
If you span DLs over ABPs you need to disable Group Management in ECP, as ECP uses Get-Group which ignores ABPs
Don't try and mix and match ABPs and ACLs (unless migrating) or use QBDNs
What About ABPs and Office 365?
Making ABPs work in Office 365 is part of our long term plan, but it's not as easy as just putting the new code there
Tenant admins cannot today create or manage ALs, GALs or OABs, so they wouldn't be able to create very useful ABPs
We would need to allow creation and enforce throttling
Lync and SharePoint have their own directory access methods, and so do not respect ABPs
We would also need to add dirsync capability to make the feature easy to manage for hybrid customers
How Does This Relate To /Hosting Mode?
Exchange 2010 "/Hosting" mode is a setup option which deploys a multi-tenant Exchange system
We have announced that /Hosting mode is deprecated
There will be no /Hosting mode in the next major release of the product, and there will be no additional feature adds in Exchange 2010 within /Hosting Mode
Instead of using /Hosting mode, customers can deploy a hosted Exchange solution using SP2 (without /Hosting mode) and our published guidance, in collaboration with one of our 3rd party solution vendors
We require using ABPs to handle GAL segmentation within the context of a multi-tenant hosting solution
Deploying A Multi-Tenant Solution
Key takeaway: Don't use /Hosting mode*
Check out our partner solution site: http://technet.microsoft.com/en-us/exchange/hh563895
Site contains approved, supported solutions which use the product group's guidance to achieve multi-tenancy within Exchange 2010 SP2
You'll also find detailed information from the product group on supportability guidelines for solutions of this type as well as scale guidance
* /Hosting mode continues to be supported within the support lifecycle of Exchange 2010
Why You Want This Feature (And You Will)
Before Exchange 2010 SP2, if you try to use OWA on a CAS in the 'wrong' AD site, CAS has a decision to make
It can proxy or redirect the connection to the target site
If there is no ExternalURL in that site, we proxy, the mailbox opens and the user gets access
If the target site has an ExternalURL, we show the user a page with a link to click
The user clicks the link, logs in again, and gets access
The user has to log in twice
We are removing the need to click the link
For some scenarios this results in a Single Sign On experience
Additional Detail On Silent Redirect
It is disabled by default
This means that out of the box, cross-site "manual redirection" still occurs
Can be a single sign-on experience when the source and target OWA virtual directories leverage Forms-Based Authentication
Is only available for intra-org cross-site redirection events
How Do I Enable This Feature?
You enable Cross-Site Silent Redirection on your Internet Facing CAS, on a per OWA virtual directory basis:
Set-OWAVirtualDirectory -Identity "CAS1\owa (default web site)" -CrossSiteRedirectType Silent
When you enable silent redirection you will be informed that:
The target CAS must have an ExternalURL that leverages the HTTP SSL protocol
Single sign-on experience may not be possible if FBA is not enabled
Let’s see this in action!
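Before enabling the setting, an added check (not from the deck) that turns the two warnings above into a report: for every OWA virtual directory in the org, does it have an ExternalURL, is that URL HTTPS, and is FBA on. The Internet-facing directory name "CAS1\owa (Default Web Site)" is taken from the slide and assumed.

```powershell
# Added example, not from the deck: verify silent-redirect prerequisites across
# all OWA virtual directories before turning the feature on.
function Test-SilentRedirectReadiness {
    # -ADPropertiesOnly reads the AD objects and skips a metabase call to every CAS.
    foreach ($vdir in Get-OwaVirtualDirectory -ADPropertiesOnly) {
        $url = $vdir.ExternalUrl          # System.Uri or $null
        New-Object PSObject -Property @{
            Identity       = $vdir.Identity
            HasExternalUrl = ($url -ne $null)
            # The target must use HTTP SSL, otherwise the redirect is refused.
            IsHttps        = ($url -ne $null -and $url.Scheme -eq 'https')
            # SSO only works when source AND target use forms-based auth.
            FormsAuth      = $vdir.FormsAuthentication
            RedirectType   = $vdir.CrossSiteRedirectType
        }
    }
}

$report = Test-SilentRedirectReadiness
$report | Format-Table Identity, HasExternalUrl, IsHttps, FormsAuth, RedirectType -AutoSize

# A directory with no ExternalUrl is simply proxied (old behaviour), so it is not
# a blocker. A non-HTTPS ExternalUrl is: fix it before enabling silent redirect.
$blockers = $report | Where-Object { $_.HasExternalUrl -and -not $_.IsHttps }
$noFba    = $report | Where-Object { -not $_.FormsAuth }

if ($blockers) {
    Write-Warning "Non-HTTPS ExternalUrl on these OWA directories; silent redirect to them will fail:"
    $blockers | Format-Table Identity -AutoSize
}
else {
    if ($noFba) {
        Write-Warning "FBA is off on some directories; users redirected there will still log in twice."
    }
    # ASSUMPTION: this is the Internet-facing CAS named on the slide.
    Set-OwaVirtualDirectory -Identity "CAS1\owa (Default Web Site)" -CrossSiteRedirectType Silent
}
```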
How It Works
If OWA determines that a cross-site silent redirect is possible and should be performed…
Same logic from legacy (Exchange 2007) SSO redirect
Rather than sending a redirect response, send HTML to the browser with a 200 OK response
HTML contains dynamically generated login form content with the appropriate location for form submission
JavaScript OnLoad() method submits the form
Update Rollups
In addition to our normal cycle of bug fixes, update rollups often include some significant improvements
Based on feedback from customers & partners (and our own experience in Office 365) we are constantly tuning how things work
Many of these "tune-ups" are discussed on the Exchange Team Blog
Recoverable Items Versioning Changes
Some background
Single item recovery and litigation hold enable versioning of content in the mailbox
Item changes result in copy-on-write (COW) behavior within the Recoverable Items Store
Copy-on-write triggered based on specific changes, Drafts exempt
[Figure: Primary Mailbox (Inbox, Deleted Items, …) alongside the Recoverable Items Store 2.0 hierarchy: Recoverable Items containing Deleted Items, Versions and Purges.]
Recoverable Items Versioning Changes
Problem scenario: calendar item with attachment
Open item, open attachment
Outlook auto-save (3 min interval) results in copy-on-write for the item as well as the attachment(s)
In SP2 RU3, we've been able to reduce the versions generated for this scenario to only include the message changes (which include the attachment(s))
End result is reduced space consumption, potentially a dramatic reduction…
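To see whether that reduction shows up in your own data, an added example (not from the deck) that reports the size of each mailbox's Versions folder under Recoverable Items, so the figure can be compared before and after applying RU3. The database name "DB01" is a placeholder.

```powershell
# Added example, not from the deck: Versions folder usage per mailbox on one database.
function Get-VersionsFolderUsage {
    param([string]$Database)
    Get-Mailbox -Database $Database -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        # FolderScope RecoverableItems returns the Recoverable Items subtree shown on
        # the slide: Deletions, Versions and Purges. Only Versions grows through COW.
        $versions = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope RecoverableItems |
            Where-Object { $_.FolderType -eq 'RecoverableItemsVersions' }
        New-Object PSObject -Property @{
            Mailbox            = $mbx.Alias
            # COW only happens when one of these is on, so these columns explain zeros.
            SingleItemRecovery = $mbx.SingleItemRecoveryEnabled
            LitigationHold     = $mbx.LitigationHoldEnabled
            VersionsItems      = $versions.ItemsInFolder
            VersionsSize       = $versions.FolderSize
        }
    }
}

# ASSUMPTION: "DB01" stands in for a real mailbox database name.
Get-VersionsFolderUsage -Database "DB01" |
    Sort-Object VersionsSize -Descending |
    Format-Table Mailbox, SingleItemRecovery, LitigationHold, VersionsItems, VersionsSize -AutoSize
```

Run it once before the rollup and again a few days after; mailboxes whose users edit calendar items with large attachments are where the Versions size should drop.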
Related Content
Breakout Sessions
EXL305: Microsoft Exchange Server 2010 SP2 Tips & Tricks (Wednesday @ 10:15AM)
EXL303: Configuring Hybrid Exchange the Easy Way (Wednesday @ 2:45PM)
Geek Out with Perry Blog: http://blogs.technet.com/b/perryclarke/
Track Resources
Exchange Team Blog: http://blogs.technet.com/b/exchange/
Exchange TechNet Tech Center: http://technet.microsoft.com/exchange
MEC Website and Registration: http://www.mecisback.com/
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.