An Inside View of Microsoft Exchange 2010 SP2
Jeff Mealiffe, Sr. Program Manager, Microsoft Corporation
EXL304


Agenda

Some facts, figures and otherwise interesting info about Exchange 2010 SP2 and our servicing process
Four new features in SP2:
Mini version of Outlook Web App
Hybrid Configuration Wizard
Address Book Policies (and the impact on our hosting/multi-tenant strategy)
OWA Cross Site Silent Redirection
The latest from our update rollups:
Recoverable items versioning

Exchange SP2 Facts

Exchange is a very complex product
~20 million lines of code (over half is test code)
Every release we produce goes through a very large battery of automated testing as well as targeted hands-on testing in various forms
We’re constantly working to improve quality and efficiency
SP2 was released ~6 months ago
3 rollup updates have been released since then

Exchange SP2 Facts

Service packs these days are about bugs AND features
New features are generally reserved for service packs (vs. update rollups)
Features often require schema updates
SP2 contained ~600 bug fixes in addition to 4 new features
Every bug is triaged for risk, cost and applicability (i.e. how many customers will benefit)
Bugs that simply make us look bad are frequently not fixed
We can take it and deserve to sometimes

Mini Version Of Outlook Web App

OMA? No, Introducing OWA Mini!

What you previously knew as OMA is back in SP2
This feature was driven by demand from markets where browser phones still rule
Simple to administer via EMS
This is a complete re-write, none of the 2003 code was re-used
It is built as a set of OWA forms, rather than as a separate application – hence OWA Mini

Managing OWA Mini

Enabled and disabled using Set-OWAMailboxPolicy:
    Set-OWAMailboxPolicy Name -OWAMiniEnabled:$True

OWA Mini is an alternative view of OWA
OWA mailbox policies and segmentation are inherited
Any unsupported features (IRM for example) in the policy are secure by default – i.e. disabled for OWA Mini
ActiveSync policies are not applied to OWA Mini
Access to fully supported features such as calendar & contacts can be managed via policy
Works in all OWA languages
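The policy-driven administration described above, as an added example that is not from the deck: it creates a dedicated OWA mailbox policy with OWA Mini enabled, assigns it to the members of a group, and then audits which policies expose OWA Mini and how many mailboxes each one covers. The policy name OWA-Mini-Users and the group FeaturePhoneUsers are constructed; the script assumes the Exchange 2010 SP2 Management Shell.

```powershell
# Added example, not code from the deck. Constructed names only.
$policyName = 'OWA-Mini-Users'
$groupName  = 'FeaturePhoneUsers'

# Create the policy only if it does not exist, so re-runs are harmless.
if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# OWA Mini inherits the policy's segmentation, so enable only what the
# browser-phone population needs. IRM is unsupported in OWA Mini and is
# disabled there regardless; switching it off here keeps the policy honest
# for full OWA sessions under the same policy as well.
Set-OwaMailboxPolicy -Identity $policyName `
    -OWAMiniEnabled $true `
    -CalendarEnabled $true `
    -ContactsEnabled $true `
    -IRMEnabled $false

# Apply the policy to every mailbox in the constructed group.
Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -OwaMailboxPolicy $policyName }

# Audit: which policies expose OWA Mini, and how many mailboxes use each.
function Get-OwaMiniPolicyUsage {
    $casMailboxes = @(Get-CASMailbox -ResultSize Unlimited)
    Get-OwaMailboxPolicy | ForEach-Object {
        $policy = $_
        $users  = @($casMailboxes | Where-Object {
            $_.OwaMailboxPolicy -and $_.OwaMailboxPolicy.Name -eq $policy.Name })
        New-Object PSObject -Property @{
            Policy         = $policy.Name
            OWAMiniEnabled = [bool]$policy.OWAMiniEnabled
            Mailboxes      = $users.Count
        }
    }
}

Get-OwaMiniPolicyUsage | Format-Table Policy, OWAMiniEnabled, Mailboxes -AutoSize
```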

How Does OWA Mini Work?

New v-dir /owa/oma created, points to same path as /owa v-dir

Similar to the /owa/Calendar v-dir
Basic auth configured instead of FBA
App runs in the OWA app pool
When the ASP.NET app starts on that v-dir, it detects the path and creates an OWA Mini application (different forms than “normal” OWA)
Same common codebase throughout OWA, but forms are specific to this device type

Hybrid Configuration Wizard

Hybrid Configuration Wizard

Wizard plus cmdlets for setting up on-premises Exchange and O365 to work together properly – in Hybrid mode
Vastly simpler process than the previous SP1 manual experience
What once took ~49 steps, now takes 6 (your mileage may vary)
>80% reduction for the administrator
Interested in more? EXL303 – Configuring Hybrid Exchange the Easy Way (Wednesday @2:45PM)

Address Book Policies

First, Some History Of GAL Segmentation

By default in Exchange, the Global Address List contains every mail enabled object
GAL Segmentation means dividing up the GAL and Address Lists
Why would you want to do this?
Legal or compliance reasons – people are not allowed to see each other in the GAL
Optimization reasons – you have a huge GAL but operate in smaller logical units
Hosting reasons – you want to host multiple organizations on one platform and don’t want them seeing each other

Some History…

In the Exchange 2000 timeframe a KB was released that outlined how to carve up your GAL, but we pulled it when HMC was created
For 2003, no such paper, but many support cases
For 2007, a new whitepaper was born
For 2010, we decided to engineer the solution into the product fully
It enables us to systematically test the solution
It allows CSS to fully support the solution
And because customers asked for it

How Did The Previous Solutions Work?

Based on a combination of methods
Using ACLs on GALs and ALs (Outlook and EAS)
Requires security group membership and all ACLs to be evaluated (scale limits)
MsExchQueryBaseDN (for OWA, but not needed since SP1)
Specify per user the base OU the user can search from (this means the OU hierarchy is rigid)
Per-user OAB assignment
Specify per user the OAB the user can access
Obviously many ways for things to break
Need to script provisioning operations to avoid mistakes
Not really well-integrated with the core design of Exchange
OU hierarchy dependency didn’t work for many customers

Introducing Address Book Policies

New in SP2: Address Book Policies (ABPs) enable you to achieve GAL Segmentation in Exchange 2010
ABPs work on the principle of direct GAL and Address List assignment rather than allowing or denying access to all available lists
ABPs only apply to users with mailboxes on Exchange 2010 as they plug in to the Address Book Service on the 2010 SP2 CAS role
Any request that comes through the Address Book Service on CAS is evaluated against the ABP assigned to the user

A Picture Says A Thousand Words
[Diagram: Address Book Policy assignment for one user]
Address Book Policy A: Address Lists AL1, AL2, AL5, AL6; Default Address List GAL1; Room Address List RM AL 1; Offline Address Book OAB B
Effective filter for the user = GAL1
Offline Address Books: OAB A = AL1 + AL3 + AL4; OAB B = AL1 + AL2 + AL5 + AL6 + GAL1
Global Address Lists: GAL 1, GAL 2, GAL 3, GAL 4
Address Lists: AL 1, AL 2, AL 3, AL 4, AL 5, AL 6
Room Address Lists: RM AL 1, RM AL 2

What Kind Of Actions Are Impacted?

ABPs work for any client that goes through CAS for directory and:

Opens the address list picker
Tries to resolve a name or an alias
Adds a room resource to a meeting request
Searches the GAL
Searches the directory from Outlook Voice Access
Queries the directory from a mobile device
Views someone’s DL memberships, or views the members of a DL
Yes – if a user in a DL is outside the scope of your ABP, you won’t see them
This prevents GAL mining by surfing up and down the member/memberof properties in some scenarios
This does mean you might be sending to more people than you think you are… and that MailTips might (apparently) not be telling the truth…

ABP Deployment Scenarios: Two Independent Companies
[Diagram: Tailspin Inc. and Fabrikam Inc. each get their own address lists, GAL, OAB and policy]
Tailspin Inc. objects: Users and DL’s, Contacts, Room Mailboxes
Address Book Policy ‘TAIL’: Address Lists AL-TAIL-Users-DL’s, AL-TAIL-Rooms, AL-TAIL-Contacts; Default Address List GAL-TAIL; Room Address List AL-TAIL-Rooms; Offline Address Book OAB-TAIL
Fabrikam Inc. objects: Users and DL’s, Contacts, Room Mailboxes
Address Book Policy ‘Fab’: Address Lists AL-FAB-Users-DL’s, AL-FAB-Rooms, AL-FAB-Contacts; Default Address List GAL-FAB; Room Address List AL-FAB-Rooms; Offline Address Book OAB-FAB
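One way to build the Tailspin side of the two-company scenario, as an added example that is not code from the deck: it creates the tenant's address lists, GAL and OAB by recipient filter, wraps them in an ABP, assigns the policy to the tenant's mailboxes, and reports any tenant mailboxes on pre-2010 servers, where the policy cannot be enforced. It assumes the constructed convention that each tenant's recipients carry CustomAttribute15 = 'TAIL' or 'FAB', and the Exchange 2010 SP2 Management Shell.

```powershell
# Added example, not code from the deck. Run once per tenant.
param([string]$Tag = 'TAIL')

# Constructed convention: tenant membership is stamped in CustomAttribute15.
$tenant = "(CustomAttribute15 -eq '$Tag')"

# Address lists scoped purely by recipient filter: no OU hierarchy, no ACLs.
New-AddressList -Name "AL-$Tag-Users-DLs" -RecipientFilter `
    "($tenant -and ((RecipientType -eq 'UserMailbox') -or (RecipientType -eq 'MailUniversalDistributionGroup')))"
New-AddressList -Name "AL-$Tag-Contacts" -RecipientFilter `
    "($tenant -and (RecipientType -eq 'MailContact'))"
New-AddressList -Name "AL-$Tag-Rooms" -RecipientFilter `
    "($tenant -and (RecipientDisplayType -eq 'ConferenceRoomMailbox'))"

# The tenant GAL, and an OAB generated from that GAL alone.
New-GlobalAddressList -Name "GAL-$Tag" -RecipientFilter $tenant
New-OfflineAddressBook -Name "OAB-$Tag" -AddressLists "GAL-$Tag"

# Stamp the new lists onto existing recipients before exposing them.
"AL-$Tag-Users-DLs", "AL-$Tag-Contacts", "AL-$Tag-Rooms" |
    ForEach-Object { Update-AddressList -Identity $_ }
Update-GlobalAddressList -Identity "GAL-$Tag"

# The policy is a direct assignment of lists, not allow/deny on every list.
New-AddressBookPolicy -Name "ABP-$Tag" `
    -AddressLists "AL-$Tag-Users-DLs", "AL-$Tag-Contacts", "AL-$Tag-Rooms" `
    -GlobalAddressList "GAL-$Tag" `
    -OfflineAddressBook "OAB-$Tag" `
    -RoomList "AL-$Tag-Rooms"

# Apply it to every tenant mailbox.
Get-Mailbox -ResultSize Unlimited -Filter $tenant |
    Set-Mailbox -AddressBookPolicy "ABP-$Tag"

# Only mailboxes on Exchange 2010 are enforced (the Address Book Service on
# the 2010 CAS evaluates the policy), so surface tenant mailboxes still homed
# on older servers instead of silently leaving them unsegmented.
Get-Mailbox -ResultSize Unlimited -Filter $tenant |
    Where-Object { (Get-ExchangeServer -Identity $_.ServerName).AdminDisplayVersion.Major -lt 14 } |
    Select-Object Name, ServerName, AddressBookPolicy
```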

ABP Deployment Scenarios: Two Companies Sharing One CEO
[Diagram: the Tailspin and Fabrikam policies from the previous scenario, plus a third policy for the shared CEO]
Address Book Policy ‘TAIL’: Address Lists AL-TAIL-Users-DL’s, AL-TAIL-Rooms, AL-TAIL-Contacts; Default Address List GAL-TAIL; Room Address List AL-TAIL-Rooms; Offline Address Book OAB-TAIL
Address Book Policy ‘Fab’: Address Lists AL-FAB-Users-DL’s, AL-FAB-Rooms, AL-FAB-Contacts; Default Address List GAL-FAB; Room Address List AL-FAB-Rooms; Offline Address Book OAB-FAB
Big Boss (the shared CEO) appears in both AL-TAIL-Users-DL’s and AL-FAB-Users-DL’s
Address Book Policy ‘Boss’: Address Lists: all the AL’s there are; Default Address List: Default GAL; Room Address List: Default All Rooms; Offline Address Book: Default OAB

ABP Deployment Scenarios: Education
[Diagram: address lists, policies and DLs for a school with classes A and B, teachers and a principal]
Address list definitions:
All Teachers: where attribute y = ‘teacher’ or ‘principal’
All Students: where attribute z = ‘student’
All Groups: where object type = group
Class X: all students in a specific class (one per class)
Address Book Policy ‘Student Class A’: Address Lists AL-Class A, AL-All Teachers, AL-All Groups; Default Address List GAL-Class-A
Address Book Policy ‘Principal’: Address Lists AL-Class A, AL-Class B etc., AL-All Teachers, AL-All Students, AL-All Groups; Default Address List GAL-Principal
Directory objects shown: Class A (Student 1, Student 2), Class B, Teacher A, Teacher B, Principal
DL objects shown: Class A - All, Class B - All, Everyone, Faculty; the diagram lists the member counts of these DLs as seen under each policy

ABP Deployment Considerations

Deploying ABPs successfully is all about planning and understanding what they can, and cannot do
ABPs alone do not result in ‘true’ separation – smart users can usually figure out ways to get around them or expose some data
As an example: Transport will send to the real members of a DL – it ignores ABPs
Don’t try and use ABPs alone to ‘fake’ multi-tenancy, it’s more complex than that
ABPs are better suited to providing optimized address lists for discrete groups of users that do not share resources

Anything Else We Need To Know?

ABPs cannot prevent anyone directly connecting to AD and bypassing ABP logic
So any LDAP clients, for example Outlook Mac/Entourage using LDAP, will not work with ABPs
You can’t use ABPs if Exchange is installed on a GC
In that case, NSPI is provided by AD rather than the Address Book Service
If you span DLs over ABPs you need to disable Group Management in ECP as ECP uses Get-Group which ignores ABPs
Don’t try and mix and match ABPs and ACLs (unless migrating) or use QBDNs
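A check for the DL-spanning caveat above, as an added example that is not code from the deck: it lists distribution groups whose mailbox members sit under more than one ABP (or under none), since Transport delivers to the real membership and ECP's Get-Group ignores ABPs, and then removes self-service group management from the default role assignment policy when such groups exist. It assumes mailboxes already have their AddressBookPolicy set and that removing the MyDistributionGroups role is the chosen way to take group management out of ECP.

```powershell
# Added example, not code from the deck.
function Get-AbpSpanningGroups {
    Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
        $group    = $_
        $policies = @{}   # ABP name -> number of members under it
        Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited |
            Where-Object { $_.RecipientType -eq 'UserMailbox' } |
            ForEach-Object {
                $mbx = Get-Mailbox -Identity $_.Identity -ErrorAction SilentlyContinue
                if ($mbx) {
                    $abp = if ($mbx.AddressBookPolicy) { $mbx.AddressBookPolicy.Name } else { '<none>' }
                    $policies[$abp] = $policies[$abp] + 1
                }
            }
        # A group is a problem if its members span policies, or if some member
        # has no policy at all and therefore sees the whole directory.
        if ($policies.Count -gt 1 -or $policies.ContainsKey('<none>')) {
            New-Object PSObject -Property @{
                Group    = $group.Name
                Policies = ($policies.Keys | Sort-Object) -join ', '
                Members  = ($policies.Values | Measure-Object -Sum).Sum
            }
        }
    }
}

$spanning = @(Get-AbpSpanningGroups)
$spanning | Format-Table Group, Policies, Members -AutoSize

# ECP group management uses Get-Group, which ignores ABPs, so while any
# spanning group exists take the MyDistributionGroups role away from the
# default assignment policy (assumption: that is how you disable it here).
if ($spanning.Count -gt 0) {
    Get-ManagementRoleAssignment -RoleAssignee 'Default Role Assignment Policy' `
        -Role 'MyDistributionGroups' |
        Remove-ManagementRoleAssignment -Confirm:$false
}
```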

What About ABPs and Office 365?

Making ABPs work in Office 365 is part of our long term plan but it’s not as easy as just putting the new code there

Tenant admins cannot today create or manage ALs, GALs or OABs so they wouldn’t be able to create very useful ABPs

We would need to allow creation and enforce throttling

Lync and SharePoint have their own directory access methods, and so do not respect ABPs
We would also need to add dirsync capability to make the feature easy to manage for hybrid customers

How Does This Relate To /Hosting Mode?

Exchange 2010 “/Hosting” mode is a setup option which deploys a multi-tenant Exchange system
We have announced that /Hosting mode is deprecated

There will be no /Hosting mode in the next major release of the product, and there will be no additional feature adds in Exchange 2010 within /Hosting Mode

Instead of using /Hosting mode, customers can deploy a hosting Exchange solution using SP2 (without /Hosting mode) and our published guidance, in collaboration with one of our 3rd party solution vendors

We require using ABPs to handle GAL segmentation within the context of a multi-tenant hosting solution

Deploying A Multi-Tenant Solution

Key takeaway: Don’t use /Hosting mode*
Check out our partner solution site: http://technet.microsoft.com/en-us/exchange/hh563895
Site contains approved, supported solutions which use the product group’s guidance to achieve multi-tenancy within Exchange 2010 SP2
You’ll also find detailed information from the product group on supportability guidelines for solutions of this type as well as scale guidance

* /Hosting mode continues to be supported within the support lifecycle of Exchange 2010

OWA Cross-Site Silent Redirection

Why You Want This Feature (And You Will)

Pre Exchange 2010 SP2, if you try to use OWA on a CAS in the ‘wrong’ AD site, CAS has a decision to make

It can proxy or redirect the connection to the target site
If there is no ExternalURL in that site, we proxy, the mailbox opens and the user gets access
If the target site has an ExternalURL we show the user a page with a link to click
The user clicks the link, logs in again, and gets access
The user has to log in twice
We are removing the need to click the link

For some scenarios this results in a Single Sign On experience

Additional Detail On Silent Redirect

It is disabled by default
This means that out of the box, cross-site “manual redirection” still occurs
Can be a single sign-on experience when the source and target OWA virtual directories leverage Forms-Based Authentication
Is only available for intra-org cross-site redirection events

How Do I Enable This Feature?

You enable Cross-Site Silent Redirection on your Internet Facing CAS, on a per OWA virtual directory basis

    Set-OWAVirtualDirectory -Identity "CAS1\owa (default web site)" -CrossSiteRedirectType Silent

When you enable silent redirection you will be informed that:

The target CAS must have an ExternalURL that leverages the HTTP SSL protocol
Single sign-on experience may not be possible if FBA is not enabled
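A pre-flight check for the two conditions just listed, as an added example that is not code from the deck: for every CAS outside the source server's AD site it records whether the OWA virtual directory's ExternalURL is https and whether FBA is on, and only switches the source to Silent when every target has an https ExternalURL. The server name CAS1 is constructed; the script assumes the Exchange 2010 SP2 Management Shell.

```powershell
# Added example, not code from the deck. CAS1 is a constructed server name.
function Get-SilentRedirectReadiness {
    param([string]$SourceServer)
    $sourceSite = "$((Get-ExchangeServer -Identity $SourceServer).Site)"
    Get-ExchangeServer |
        Where-Object { $_.IsClientAccessServer -and "$($_.Site)" -ne $sourceSite } |
        ForEach-Object {
            $server = $_
            Get-OwaVirtualDirectory -Server $server.Name | ForEach-Object {
                # Compare as strings so the check works whether EMS hands back
                # a System.Uri or its remoting-deserialized form.
                $url = "$($_.ExternalUrl)"
                New-Object PSObject -Property @{
                    Server      = $server.Name
                    Site        = "$($server.Site)"
                    ExternalUrl = $url
                    HttpsOk     = $url -like 'https://*'   # required for silent redirect
                    FbaOk       = [bool]$_.FormsAuthentication  # needed for single sign-on
                }
            }
        }
}

$source = 'CAS1'
$report = @(Get-SilentRedirectReadiness -SourceServer $source)
$report | Format-Table Server, Site, ExternalUrl, HttpsOk, FbaOk -AutoSize

$noHttps = @($report | Where-Object { -not $_.HttpsOk })
$noFba   = @($report | Where-Object { -not $_.FbaOk })

if ($noHttps.Count -gt 0) {
    Write-Warning ("Not enabling: targets without an https ExternalURL: " +
        (($noHttps | ForEach-Object { $_.Server }) -join ', '))
} else {
    if ($noFba.Count -gt 0) {
        Write-Warning ("Redirect will work, but users will sign in again at: " +
            (($noFba | ForEach-Object { $_.Server }) -join ', '))
    }
    Set-OwaVirtualDirectory -Identity "$source\owa (Default Web Site)" -CrossSiteRedirectType Silent
}
```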

Let’s see this in action!

Experience, Before and After

Cue Applause….

How It Works

If OWA determines that a cross-site silent redirect is possible and should be performed…

Same logic as the legacy (Exchange 2007) SSO redirect
Rather than sending a redirect response, send HTML to the browser with a 200 OK response
The HTML contains dynamically generated login form content with the appropriate location for form submission
A JavaScript OnLoad() method submits the form

The Latest In Exchange 2010 SP2 Update Rollup (RU) 3

Update Rollups

In addition to our normal cycle of bug fixes, update rollups often include some significant improvements
Based on feedback from customers & partners (and our own experience in Office 365) we are constantly tuning how things work
Many of these “tune-ups” are discussed on the Exchange Team Blog

Recoverable Items Versioning Changes

Some background
Single item recovery and litigation hold enable versioning of content in the mailbox
Item changes result in copy-on-write (COW) behavior within the Recoverable Items Store

Copy-on-write triggered based on specific changes, Drafts exempt

[Diagram: Primary Mailbox (Inbox…, Deleted Items) alongside the Recoverable Items Store 2.0, whose Recoverable Items folder holds the Versions and Purges subfolders]

Recoverable Items Versioning Changes

Problem scenario: calendar item with attachment
Open item, open attachment
Outlook auto-save (3 min interval) results in copy-on-write for the item as well as the attachment(s)
In SP2 RU3, we’ve been able to reduce the versions generated for this scenario to only include the message changes (which include the attachment(s))
End result is reduced space consumption, potentially a dramatic reduction…
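A way to measure the effect described above, as an added example that is not code from the deck: it sizes the copy-on-write Versions folder for every mailbox with single item recovery or litigation hold enabled, so the same report run before and after applying RU3 shows how much version data the change saves. It assumes the Exchange 2010 Management Shell (remote PowerShell), where size values are exposed through a .Value property.

```powershell
# Added example, not code from the deck.
function Get-VersionsFolderUsage {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.SingleItemRecoveryEnabled -or $_.LitigationHoldEnabled } |
        ForEach-Object {
            $mbx = $_
            # FolderScope RecoverableItems returns the hidden Recoverable Items
            # root plus its Deletions, Versions and Purges subfolders.
            $stats    = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope RecoverableItems
            $root     = $stats | Where-Object { $_.FolderType -eq 'RecoverableItemsRoot' }
            $versions = $stats | Where-Object { $_.FolderType -eq 'RecoverableItemsVersions' }
            New-Object PSObject -Property @{
                Mailbox        = $mbx.Name
                LitigationHold = [bool]$mbx.LitigationHoldEnabled
                VersionItems   = $versions.ItemsInFolder
                # Assumption: remoting exposes ByteQuantifiedSize via .Value
                VersionsMB     = [math]::Round($versions.FolderSize.Value.ToMB(), 1)
                RecoverableMB  = [math]::Round($root.FolderAndSubfolderSize.Value.ToMB(), 1)
                Quota          = "$($mbx.RecoverableItemsQuota)"
            }
        }
}

# Largest version stores first: these are where the RU3 change matters most.
Get-VersionsFolderUsage |
    Sort-Object VersionsMB -Descending |
    Format-Table Mailbox, LitigationHold, VersionItems, VersionsMB, RecoverableMB, Quota -AutoSize
```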

Related Content

Breakout Sessions
EXL305: Microsoft Exchange Server 2010 SP2 Tips & Tricks (Wednesday @ 10:15AM)
EXL303: Configuring Hybrid Exchange the Easy Way (Wednesday @ 2:45PM)

Geek Out with Perry Blog: http://blogs.technet.com/b/perryclarke/

Track Resources

Exchange Team Blog: http://blogs.technet.com/b/exchange/

Exchange TechNet Tech Center: http://technet.microsoft.com/exchange

MEC Website and Registration: http://www.mecisback.com/

Resources
Connect. Share. Discuss.: http://europe.msteched.com
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
TechNet: Resources for IT Professionals, http://microsoft.com/technet
MSDN: Resources for Developers, http://microsoft.com/msdn
Evaluations: submit your evals online at http://europe.msteched.com/sessions

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.