Brian Day, Senior Program Manager, Exchange Customer Experience Team. Jeff Guillet, Exchange MVP & Principal Systems Architect at Strategic Products and Services. BRK3220.
Slide1
Deploy Microsoft Exchange Server 2016
Brian Day
Senior Program Manager, Exchange Customer Experience Team
Jeff Guillet
Exchange MVP & Principal Systems Architect at Strategic Products and Services
BRK3220
Slide2
Go to the Exchange booth and ask for a TAP PM
Tell us about your Office 365 environment/or on-premises plans
Get selected to be in a program
Try new features first and give us feedback!
Start now by emailing davidesp@Microsoft.com or by visiting this blog post: Exchange On-Premises TAP Program accepting nominations
Pre-Release Programs Team
Be first in line!
Slide3
Preparing for Exchange 2016
Slide4
Environmental and Client requirements
Exchange 2016 supports coexistence with:
  Exchange 2010 SP3 RU11 and later
  Exchange 2013 CU10 and later
Exchange 2016 requires:
  Windows Server 2008 R2 Forest Functional Level
  Windows Server 2008 and later Active Directory Global Catalog servers in all Exchange sites
Outlook client minimum requirements:
  Outlook 2010 SP2 (with KB2956191 and KB2965295) or later
  Outlook 2013 SP1 (with KB3020812) or later
  Outlook 2016
  Outlook for Mac 2011 or later
No longer supported:
  Outlook 2007, Outlook for Mac 2008 EWS Edition
  MAPI/CDO Package
Slide5
Server requirements
Exchange 2016 is supported on full GUI installs of:
  Windows Server 2012
  Windows Server 2012 R2
  Windows Server 2016 (RTM only, no pre-release builds. Requires CU3 or later.)
Exchange 2016 requires:
  .NET Framework 4.5.2 or 4.6.x (More on that later!)
  Windows Management Framework 4.0
  Unified Communications Managed API (UCMA) 4.0
Slide6
Server requirements
Optional Requirements:
  Office Online Server (bits available only via Volume License Service Center)
    Provides OWA the ability to preview attachments
    No longer using 3rd party licensed software to do previewing
  SharePoint 2016
    Provides the ability to use “cloudy attachments”
    Send a link to an OD4B doc instead of a full file attachment.
Slide7
.NET 4.6.1 and 4.6.2
.NET 4.6.1 supported if the following hotfixes are installed:
  Windows Server 2008 / 2008 R2 (For Exchange 2013 CU13 or later): https://support.microsoft.com/kb/3146716
  Windows Server 2012: https://support.microsoft.com/kb/3146714
  Windows Server 2012 R2: https://support.microsoft.com/kb/3146715
.NET 4.6.2 to become supported with 2013 CU15 and 2016 CU4.
  No additional hotfixes required with 4.6.2
.NET 4.6.2 to become mandatory with 2013 CU16 and 2016 CU5.
  Setup will block installation if 4.6.2 is not detected
Slide8
Windows Management Framework
What should we expect to see?
Did the OS ship with it? It is supported.
  e.g. Windows Server 2016 ships with WMF5, therefore Exchange 2016 CU3 or later can use WMF5 if installed on Windows Server 2016, but not if installed on Windows Server 2012 R2 as that OS did not ship with WMF5.
Do you have to install it to use it? Then it is not supported.
Slide9
Servicing Model
Slide10
Exchange 2016 Servicing Model
Exchange 2016 continues the Cumulative Update model as well as standalone critical updates for CUn and CUn-1 versions when applicable.
CUs are shipped quarterly and critical updates (e.g. security updates) will be released as needed on “patch Tuesday.”
Service packs will not be shipped for Exchange 2016.
Only versions CUn and CUn-1 will be serviced for product fixes.
Customers with hybrid relationships to O365 are required to be on one of the two most recent updates for their major Exchange version, be it 2010, 2013, or 2016 as of today.
Application bits are now distributed in ISO format. Yes, you can mount/extract to a network share and then install.
Slide11
Virtualization
Slide12
Exchange 2016 Virtualization
A valid deployment model for some scenarios.
Stay true to the virtualization requirements.
Design as physical, deploy to virtual.
Slide13
Coexistence
Slide14
Short version…
Same story as Exchange 2010 + Exchange 2013
No legacy namespaces required
Exchange 2016 can proxy down to 2010
Exchange 2010 cannot up-level proxy to 2016
Deploy enough 2016 to cover all of 2010’s client load.
Exchange 2010 + Exchange 2016
Slide15
Short version…
No legacy namespaces required
Exchange 2016 can proxy down-version to 2013
Exchange 2013 can proxy up-version to 2016
Exchange 2013 + Exchange 2016
Slide16
Option 2, let Exchange 2016 down-version proxy.
Condensed steps:
  Prep your environment (server versions, DFL/FFL, schema, AD, domains, etc…)
  Install 2016
  Configure Exchange 2016 server URLs as you would have Exchange 2013
  Import the certificate(s) to 2016 server(s)
  Swing the load balanced namespaces over from 2013 to 2016
  Set up your DAG(s)
  Start moving mailboxes
  Repeat for all Internet facing sites and then repeat for non-Internet facing
  Move incoming mail flow to deliver to 2016 first once it makes sense (>50% moved)
Coexisting with Exchange 2013 + 2016
Slide17
Option 1, let Exchange 2013 up-version proxy.
Condensed steps:
  Prep your environment (server versions, DFL/FFL, schema, AD, domains, etc…)
  Install 2016 (I like to use a deployment AD site.)
  Configure Exchange 2016 server URLs as you would have Exchange 2013
  Import the certificate(s) to 2016 server(s)
  Set up your DAG(s)
  Start moving mailboxes
  Repeat for all Internet facing sites and then repeat for non-Internet facing
  Move incoming mail flow to deliver to 2016 first once it makes sense (>50% moved)
  Swing the load balanced namespaces over from 2013 to 2016
    Recommended: Gradually introduce 2016 servers into the existing LB pool.
    Supported: Cutover to all 2016 servers at once
Coexisting with Exchange 2013 + 2016
Slide18
Client Connectivity Flow for 2013 + 2016
Table columns: Protocol/App; Exchange 2013 user accessing an Exchange 2016 namespace; Exchange 2016 user accessing an Exchange 2013 namespace

Requires
  Exchange 2013 user accessing an Exchange 2016 namespace: No additional namespace
  Exchange 2016 user accessing an Exchange 2013 namespace: No additional namespaces

OWA/ECP
  Exchange 2013 user accessing an Exchange 2016 namespace:
    Mailbox mounted in the same AD Site: Exchange 2016 proxies to Exchange 2013 Mailbox Role server in the local AD site with the active DB copy
    Mailbox mounted in an Internal only AD site: Exchange 2016 proxies to the Exchange 2013 Mailbox Role server in the remote AD site with the active DB copy
    Mailbox mounted in an External facing AD site: Exchange 2016 proxies to the Exchange 2013 Mailbox Role server with the active DB copy, or issues a silent/SSO cross-site redirect to the site’s ExternalURL, your choice.*
    * = The ExternalURL in the remote AD site could resolve to Exchange 2016 or 2013 as both are capable of getting the traffic to Exchange 2013 mailboxes in that site.
  Exchange 2016 user accessing an Exchange 2013 namespace:
    Mailbox mounted in the same AD Site: Exchange 2013 proxies to Exchange 2016 Mailbox server in the local AD site with the active DB copy
    Mailbox mounted in an Internal only AD site: Exchange 2013 proxies to the Exchange 2016 Mailbox server in the remote AD site with the active DB copy
    Mailbox mounted in an External facing AD site: Exchange 2013 proxies to the Exchange 2016 Mailbox server with the active DB copy, or issues a silent/SSO cross-site redirect to the site’s ExternalURL, your choice.*
    * = The ExternalURL in the remote AD site could resolve to Exchange 2016 or 2013 as both are capable of getting the traffic to Exchange 2016 mailboxes in that site.

EAS, Outlook Anywhere, EWS, POP/IMAP, Remote PowerShell, MAPI/HTTP
  Exchange 2013 user accessing an Exchange 2016 namespace: Exchange 2016 proxies to Exchange 2013 Mailbox Role server with the Active DB copy
  Exchange 2016 user accessing an Exchange 2013 namespace: Exchange 2013 proxies to Exchange 2016 Mailbox server with the Active DB copy

Autodiscover
  Exchange 2013 user accessing an Exchange 2016 namespace: Exchange 2016 proxies the request to the Exchange 2013 Mailbox role server with the active DB copy
  Exchange 2016 user accessing an Exchange 2013 namespace: Exchange 2013 CAS proxies the request to the Exchange 2016 Mailbox server with the active DB copy

OAB
  Exchange 2013 user accessing an Exchange 2016 namespace: Exchange 2016 proxies the request to an OAB generation mailbox with the OAB or a shadow copy of the OAB
  Exchange 2016 user accessing an Exchange 2013 namespace: Exchange 2013 proxies the request to an OAB generation mailbox with the OAB or a shadow copy of the OAB
Slide19
Exchange 2016/2013/2010 Coexistence
[Diagram. Labels: Layer 4 or 7 LB; Layer 7 LB; mail.contoso.com; europe.mail.contoso.com; 2013 CAS; IIS; HTTP Proxy; 2013 MBX; Protocol Head; DB; 2016 Client Access Services; 2016 Store; Site Boundary; 2010 CAS; 2010 MBX; Store; RPC]
Always hit the server with the active DB copy for that user.
OWA/ECP redirects where appropriate.
Slide20
Exchange 2016/2013/2010 Coexistence
[Diagram. Labels: Layer 4 or 7 LB; Layer 7 LB; mail.contoso.com; europe.mail.contoso.com; 2013 CAS; IIS; HTTP Proxy; 2013 MBX; Protocol Head; DB; Client Access Services; 2016 Store; 2016 MBX Server; Site Boundary; 2010 CAS; 2010 MBX; Store; RPC]
OWA/ECP redirects where appropriate.
Slide21
Exchange 2016/2013/2010 Coexistence
[Diagram. Labels: Layer 4 or 7 LB; Layer 7 LB; mail.contoso.com; europe.mail.contoso.com; 2013 MBX; Protocol Head; DB; Client Access Services; IIS; HTTP Proxy; 2016 Store; 2016 MBX Server; Site Boundary; 2010 CAS; 2010 MBX; Store; RPC]
OWA/ECP redirects where appropriate.
Slide22
CAS replacement process w/up-version proxy
[Diagram. Labels: 2013 CAS; E13 CAS; 2013 MBX; 2016 MBX]
LB is sending traffic to 2013 CAS services
Exchange 2016 is introduced
Exchange 2016 CAS services added to LB pool
Exchange 2013 CAS services removed from LB pool
More Exchange 2016 introduced and added into LB pool
More 2013 CAS services removed from LB pool
More Exchange 2016 introduced and added to LB pool
Final 2013 CAS services removed from LB pool
Legend: LB to Client Access Services; Client Access Services to Mailbox; 2013 Client Access to 2016 Mailbox
Not Shown: Intra-2016 Server Traffic
Slide23
Hybrid Connectivity
Slide24
Upgrading Exchange servers only for Hybrid?
Short answer:
Long answer:
It depends…
Upgrade to 2016
Only if using a shared SMTP namespace
Slide25
Should I install 2013/2016 for hybrid?
[Diagram. Labels: Exchange 2010; MRS]
Slide26
Should I install 2013/2016 for hybrid?
[Diagram. Labels: MRS; Exchange 2013; Exchange 2010]
Slide27
Does the guidance change for 2016?
[Diagram. Labels: Exchange 2013; MRS; 2016]
Add Servers when ready
Slide28
Namespace Planning and Load Balancer Recommendations
Slide29
Unbound namespace
  It does not matter what datacenter the client accesses to reach their mailbox.
  Exchange is allowed to route the client traffic to the appropriate datacenter.
  Proxying a heavy amount of client traffic between datacenters is expected/normal/ok.
Bound namespace
  We force clients to connect to specific datacenters depending on where the mailbox is mounted.
  Exchange is relieved of routing most client traffic between datacenters.
  It is not expected to proxy a heavy amount of client traffic between datacenters.
What Namespace Models Do We Have
Slide30
This may affect your planned names. Know this ahead of time!
Layer-7 with SSL Bridging or (less likely) SSL pass-through or (even less likely) SSL offloading
  All protocols/apps will likely share a name
Layer-4 with SSL pass-through
  If you want service health awareness of each protocol/app then you will need additional names
    e.g. owa.mail.contoso.com, ews.mail.contoso.com, ecp.mail.contoso.com, etc…
  If you can live without service health awareness you can share a name across protocols/apps, but you reduce the LB’s ability to react to single services being offline and will impact users.
How Will You Be Load Balancing?
Slide31
Unbound namespace
Layer-7 with SSL Bridging
  Configured to watch the vDir /healthcheck.htm results
No Affinity for Exchange services
  One Caveat: Use session affinity with the ‘ExchangeCookie’ when performing hybrid mailbox moves.
Affinity required for Office Online Server namespace connections
TCP timeout longer than the OS under Exchange
  e.g. if Exchange’s OS TCP timeout is 15 minutes, the LB cannot use 10 minutes.
Round Robin Load Distribution
  Least Connections can be used, but is a far 2nd place and should only be used if your device supports a slow ramp feature
Current Load Balancing Recommendation
Slide32
Exchange 2010 + 2016 Unbound Model
[Diagram. Labels: Exchange 2010 Multi-Role Server (x2); Exchange 2016 (x2); Office Online Server (x2). Namespaces shown: autodiscover.fabrikam.com; mail.fabrikam.com; mail.corp.fabrikam.com*; outlookrpc.us.corp.fabrikam.com*; outlookrpc.emea.corp.fabrikam.com*; oos.us.fabrikam.com; oos.us.corp.fabrikam.com*; oos.emea.fabrikam.com; oos.emea.corp.fabrikam.com*]
* = Internal DNS Only
Slide33
Exchange 2010 + 2016 Unbound Model
Internal Only DNS Records:
  mail.corp.fabrikam.com
  outlookrpc.us.corp.fabrikam.com (Not on the certificate)
  outlookrpc.emea.corp.fabrikam.com (Not on the certificate)
  oos.us.corp.fabrikam.com
  oos.emea.corp.fabrikam.com
Internal+External DNS Records:
  autodiscover.fabrikam.com
  mail.fabrikam.com
  oos.us.fabrikam.com
  oos.emea.fabrikam.com
9 Names
7 Names on the certificate
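A way to check a certificate against the Slide 33 namespace plan, as an added example that is not part of the presentation. The function names and the SAN list are constructed for illustration; in production, feed it the names on the certificate bound to the Exchange and OOS front ends (for example the CertificateDomains values reported by Get-ExchangeCertificate).

```powershell
# Added example. The plan rows are the Slide 33 names; $san is a constructed
# sample certificate name list, deliberately missing one planned name.

function Test-NameCoveredBySan {
    param([string] $Name, [string[]] $San)
    foreach ($entry in $San) {
        if ($entry -eq $Name) { return $true }   # -eq is case-insensitive for strings
        if ($entry.StartsWith('*.')) {
            # A wildcard covers exactly one additional left-most label.
            $suffix = $entry.Substring(1)
            if ($Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Compare-NamespacePlan {
    param([object[]] $Plan, [string[]] $San)
    foreach ($row in $Plan) {
        $covered = Test-NameCoveredBySan -Name $row.Name -San $San
        $finding = if ($row.OnCert -and -not $covered) {
            'MISSING from certificate'
        } elseif (-not $row.OnCert -and $covered) {
            'On certificate but not planned'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Name    = $row.Name
            Scope   = $row.Scope
            Planned = $row.OnCert
            Covered = $covered
            Finding = $finding
        }
    }
}

$plan = @(
    [pscustomobject]@{ Name = 'mail.corp.fabrikam.com';            Scope = 'Internal'; OnCert = $true  }
    [pscustomobject]@{ Name = 'outlookrpc.us.corp.fabrikam.com';   Scope = 'Internal'; OnCert = $false }
    [pscustomobject]@{ Name = 'outlookrpc.emea.corp.fabrikam.com'; Scope = 'Internal'; OnCert = $false }
    [pscustomobject]@{ Name = 'oos.us.corp.fabrikam.com';          Scope = 'Internal'; OnCert = $true  }
    [pscustomobject]@{ Name = 'oos.emea.corp.fabrikam.com';        Scope = 'Internal'; OnCert = $true  }
    [pscustomobject]@{ Name = 'autodiscover.fabrikam.com';         Scope = 'Both';     OnCert = $true  }
    [pscustomobject]@{ Name = 'mail.fabrikam.com';                 Scope = 'Both';     OnCert = $true  }
    [pscustomobject]@{ Name = 'oos.us.fabrikam.com';               Scope = 'Both';     OnCert = $true  }
    [pscustomobject]@{ Name = 'oos.emea.fabrikam.com';             Scope = 'Both';     OnCert = $true  }
)

# Constructed SAN list: six of the seven planned names.
$san = 'mail.fabrikam.com', 'autodiscover.fabrikam.com', 'mail.corp.fabrikam.com',
       'oos.us.fabrikam.com', 'oos.emea.fabrikam.com', 'oos.us.corp.fabrikam.com'

Compare-NamespacePlan -Plan $plan -San $san | Format-Table -AutoSize
```

With the sample list, oos.emea.corp.fabrikam.com is reported as missing, while the two outlookrpc names show OK because the plan keeps them off the certificate.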
Slide34
Exchange 2013 + 2016 Unbound Model
[Diagram. Labels: Exchange 2013 Multi-Role Server (x2); Exchange 2016 (x2); Office Online Server (x2); When Using Up-Version Proxy; When Using Down-Version Proxy. Namespaces shown: autodiscover.fabrikam.com; mail.fabrikam.com; mail.corp.fabrikam.com*; oos.us.fabrikam.com; oos.us.corp.fabrikam.com*; oos.emea.fabrikam.com; oos.emea.corp.fabrikam.com*]
* = Internal DNS Only
Slide35
Exchange 2013 + 2016 Unbound Model
Internal Only DNS Records:
  mail.corp.fabrikam.com
  oos.us.corp.fabrikam.com
  oos.emea.corp.fabrikam.com
Internal+External DNS Records:
  autodiscover.fabrikam.com
  mail.fabrikam.com
  oos.us.fabrikam.com
  oos.emea.fabrikam.com
7 Names
7 Names on the certificate
Slide36
Exchange 2010 + 2013 + 2016 Unbound
[Diagram. Labels: Exchange 2010 Multi-Role Server (x2); Exchange 2013 Multi-Role Server (x2); Exchange 2016 (x2); Office Online Server (x2); When Using Up-Version Proxy; When Using Down-Version Proxy. Namespaces shown: autodiscover.fabrikam.com; mail.fabrikam.com; mail.corp.fabrikam.com*; outlookrpc.us.corp.fabrikam.com*; outlookrpc.emea.corp.fabrikam.com*; oos.us.fabrikam.com; oos.us.corp.fabrikam.com*; oos.emea.fabrikam.com; oos.emea.corp.fabrikam.com*]
* = Internal DNS Only
Slide37
Exchange 2010 + 2013 + 2016 Unbound
Internal Only DNS Records:
  mail.corp.fabrikam.com
  oos.us.corp.fabrikam.com
  oos.emea.fabrikam.com
  outlookrpc.corp.fabrikam.com (Not on the certificate)
  outlookrpc.us.fabrikam.com (Not on the certificate)
  outlookrpc.emea.fabrikam.com
Internal+External DNS Records:
  autodiscover.fabrikam.com
  mail.fabrikam.com
  oos.us.fabrikam.com
  oos.emea.fabrikam.com
9 Names
7 Names on the certificate
Slide38
OOS Namespace Logic in 2016 CU1 and later
Previously in 2016 RTM, we always used OOS’ external URL for attachment viewing. However, in CU1 and later…
OWA Virtual Directory Parameters:
  IsPublic: $True/$False
  WacViewingOnPublicComputersEnabled: $True/$False
Both $True = Use External OOS URL and/or External SharePoint URL instead of internal URLs.
IsPublic $True + WacViewingOnPublicComputersEnabled $False = Don’t allow OOS viewing if the client came in through this vDir.
Slide39
MAPI/HTTP
Slide40
The answer should always be yes!
MAPI/HTTP will be enabled by default when…
  Exchange 2016 is the first Exchange server in a greenfield Exchange org
  The first Exchange 2016 server is installed in an Exchange 2010-only org
  The first Exchange 2016 server is installed in an Exchange 2013 org if MAPI/HTTP is already enabled
MAPI/HTTP will not be enabled by default when…
  The first Exchange 2016 server is installed in an Exchange 2013 org when MAPI/HTTP is not already enabled
MAPI/HTTP … to enable or not to enable.
Slide41
You want options? The MoMT team gave you options!
So MAPI/HTTP, how can I ease into it?
Slide42
Scenario…
  An Exchange 2013 org with MAPI/HTTP disabled is migrating to Exchange 2016.
Goal… only enable MAPI/HTTP for users as they are migrated to 2016
  Leave the organization level MapiHttpEnabled as $False
  Prior to moving mailboxes use Set-CasMailbox from the 2016 EMS to set MapiHttpEnabled to $True on the 2013 mailboxes.
  Move the mailboxes to 2016
  Once all mailboxes are on 2016, set MapiHttpEnabled to $True at the organization level
  Use Set-CasMailbox on all 2016 mailboxes to set MapiHttpEnabled to $Null so the organization level value is inherited once again.
So MAPI/HTTP, how can I ease into it?
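The staged enablement described above, written out for the Exchange 2016 Management Shell as an added example (not code from the presentation). The two function names and the database names in the usage comments are assumptions made for illustration.

```powershell
# Added example. Run from the Exchange 2016 Management Shell.

function Enable-MapiHttpForBatch {
    # Per migration wave: opt the mailboxes in individually, then move them.
    # The organization-level value stays $false throughout.
    param(
        [Parameter(Mandatory)] [string] $SourceDatabase,   # an Exchange 2013 database
        [Parameter(Mandatory)] [string] $TargetDatabase    # an Exchange 2016 database
    )
    if ((Get-OrganizationConfig).MapiHttpEnabled) {
        throw 'Organization-level MapiHttpEnabled is already $true; the staged approach assumes $false.'
    }
    $batch = @(Get-Mailbox -Database $SourceDatabase -ResultSize Unlimited)
    foreach ($mbx in $batch) {
        Set-CasMailbox -Identity $mbx.Identity -MapiHttpEnabled $true
        New-MoveRequest -Identity $mbx.Identity -TargetDatabase $TargetDatabase
    }
    '{0} mailbox(es) opted in and queued for move' -f $batch.Count
}

function Complete-MapiHttpRollout {
    # Run once, after the last wave: enable at organization level and clear
    # the per-mailbox overrides so the organization value is inherited again.
    param(
        [Parameter(Mandatory)] [string[]] $LegacyDatabase  # every 2013 database that held user mailboxes
    )
    foreach ($db in $LegacyDatabase) {
        $left = @(Get-Mailbox -Database $db -ResultSize Unlimited)
        if ($left.Count -gt 0) {
            throw "$($left.Count) mailbox(es) still on $db; finish the moves first."
        }
    }
    Set-OrganizationConfig -MapiHttpEnabled $true

    Get-CasMailbox -ResultSize Unlimited |
        Where-Object { $null -ne $_.MapiHttpEnabled } |
        ForEach-Object { Set-CasMailbox -Identity $_.Identity -MapiHttpEnabled $null }
}

# Per migration wave (placeholder database names):
#   Enable-MapiHttpForBatch -SourceDatabase 'E13-DB01' -TargetDatabase 'E16-DB01'
# After the final wave:
#   Complete-MapiHttpRollout -LegacyDatabase 'E13-DB01', 'E13-DB02'
```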
Slide43
Public Folders
Slide44
2016 CU2 or later support 1,000 PF mailboxes*
  * = 99 allowed for hierarchy
EXO also now supports 1,000 PF mailboxes.
2016 CU2 and after use a push replication model for more predictable and hierarchy change sync.
Public Folders Changes
Slide45
Outlook for Mac now supports legacy public folders with KB3142577 installed and 2016 CU2 or 2013 CU13.
More details at: https://blogs.technet.microsoft.com/exchange/2016/07/25/outlook-for-mac-and-public-folder-access/
Public Folders Changes
Slide46
Outlook 2016 no longer respects ecWrongServer.
2013/2016 users must use a DefaultPublicFolderMailbox that resides in a 2007/2010 database with the same PublicFolderDatabase value configured.
Legacy Public Folders and Outlook 2016
Slide47
Outlook On The Web & Office Online Server
Slide48
Office Online Server and OOtW
[Diagram. Labels: Exchange 2016 (x2); Office Online Server (x2). Namespaces shown: autodiscover.fabrikam.com; mail.fabrikam.com; oos.emea.fabrikam.com; oos.emea.corp.fabrikam.com*; oos.us.fabrikam.com; oos.us.corp.fabrikam.com*]
* = Internal DNS Only
Slide49
Before Attachment Viewing is Configured
No Native App Installed
Native App Installed
That’s all folks!
Slide50
Configure the WAC discovery endpoint per mailbox server
Restart MSExchangeOWAAppPool
If you are missing WACDiscoveryEndpoint on Set-MailboxServer, run Setup /PrepareAd to update RBAC.
Configuring Attachment Viewing
[PS] C:\>Set-MailboxServer E16LAB-E2K16-101 -WACDiscoveryEndpoint https://oos.us.corp.e16lab.com/hosting/discovery
[PS] C:\>Get-MailboxServer E16LAB-E2K16-101 | FL WACDisc*
WACDiscoveryEndpoint : https://oos.us.corp.e16lab.com/hosting/discovery
[PS] C:\>Get-MailboxServer E16LAB-2K16-101 | FL WACDiscovery*
WACDiscoveryEndpoint :
Slide51
After Attachment Viewing is Configured
Look, Mom, two options now!
The new side-by-side (SxS) view
Slide52
OOtW / OOS logical flow…
[Diagram. Labels: OWA Client; Exchange 2016; Office Online Server]
1. Exchange uses discovery URL to ask OOS which file types it can view and edit.
2. OOS returns table of supported file types
3. User opens mail with a supported file type. OWA requests doc URLs for the supported file types.
4. Exchange builds URL with Auth token, app URL, and Attachment ID and returns it to OWA.
5. User clicks attachment within OWA and spawns an iFrame
6. OOS retrieves document content from Exchange
7. OOS renders content to client in web client (e.g. Word Web App)
Slide53
What is WACDiscovery?
It tells you “stuff.”
Lots and lots of stuff.
Think of it like Office Web App Server’s version of Autodiscover.
Slide54
For On-Premises Cloudy Attachments you’ll need…
OOS setup and working with Exchange
SharePoint 2016 configured for MySites
SharePoint WOPI Binding established with OOS via New-SPWOPIBinding
OAuth configured on SP to trust EX (Script available soon)
OAuth configured on EX to trust SP (Script shipped with Exchange)
Configure OWA Mailbox Policy InternalSPMySiteHostURL and ExternalSPMySiteHostURL values and policy assigned to users.
  Or the OWA vDirs themselves if you need server-level granularity.
Slide55
A few random nuggets.
Slide56
Exchange 2010 + Exchange 2016
  Follow the current Exchange 2010 / Exchange 2013 guidance http://aka.ms/kerbcoexist20102013
Exchange 2013 + Exchange 2016
  A single ASA used for both 2013 and 2016 servers in the same environment.
Exchange 2010 + Exchange 2013 + Exchange 2016
  Two ASAs where one is 2010 and the other is shared with 2013 & 2016.
    The 2010 ASA is for RPC connections
    The 2013/2016 ASA is for all HTTP connections
Kerberos Authentication
Slide57
PreferenceMoveFrequency in 2016 CU2 DAGs
With all DAG nodes on CU2 or later the servers will periodically activate DB copies with the lowest Activation Preference number if a lossless activation is possible.
Prior to CU2 the script RedistributeActiveDatabases.ps1 had to be scheduled or run manually.
Can be disabled by setting PreferenceMoveFrequency to the value of [System.Threading.Timeout]::InfiniteTimeSpan
Why are my databases moving around?
Slide58
Move all system mailboxes from 2010/2013 to 2016
  SystemMailbox{1f05a927-d5d7-47a6-b498-f5266abdf909}
  SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
  SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
  FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
  Migration.8f3e7716-2011-43e4-96b1-aba62d229136
Can’t save admin tasks to the admin audit log or export it
Can’t start eDiscovery searches
Can’t start migration batches with 2016 target DBs
And more…
System Mailbox Moves After Install
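One way to find and move the system mailboxes listed above, as an added example that is not part of the presentation. The target database name is a placeholder, and the filter assumes Exchange 2016 servers report an AdminDisplayVersion beginning with "Version 15.1".

```powershell
# Added example. Run from the Exchange 2016 Management Shell.
$TargetDatabase = 'E16-DB01'   # placeholder: an Exchange 2016 mailbox database

# Arbitration (system) mailboxes and the version of the server hosting each one.
$system = @(Get-Mailbox -Arbitration)
$system | Format-Table Name, Database, ServerName, AdminDisplayVersion -AutoSize

# Anything not reporting 15.1 is still hosted on Exchange 2010 (14.x) or 2013 (15.0).
$legacy = @($system | Where-Object { "$($_.AdminDisplayVersion)" -notlike 'Version 15.1*' })
'{0} of {1} system mailbox(es) still on 2010/2013' -f $legacy.Count, $system.Count

# Dry run first; remove -WhatIf once the list above is what you expect to move.
$legacy | New-MoveRequest -TargetDatabase $TargetDatabase -WhatIf

# After the moves complete, this should return nothing:
Get-Mailbox -Arbitration |
    Where-Object { "$($_.AdminDisplayVersion)" -notlike 'Version 15.1*' } |
    Format-Table Name, Database, AdminDisplayVersion -AutoSize
```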