Slide1
An Inside View of Microsoft Exchange 2010 SP2
Jeff Mealiffe, Sr. Program Manager, Microsoft Corporation
EXL304
Slide2
Agenda
- Some facts, figures and otherwise interesting info about Exchange 2010 SP2 and our servicing process
- Four new features in SP2
  - Mini version of Outlook Web App
  - Hybrid Configuration Wizard
  - Address Book Policies, and their impact on our hosting/multi-tenant strategy
  - OWA Cross-Site Silent Redirection
- The latest from our update rollups: recoverable items versioning
Slide3
Exchange SP2 Facts
- Exchange is a very complex product: ~20 million lines of code (over half is test code)
- Every release we produce goes through a very large battery of automated testing as well as targeted hands-on testing in various forms
- We're constantly working to improve quality and efficiency
- SP2 was released ~6 months ago; 3 rollup updates have been released since then
Slide4
Exchange SP2 Facts
- Service packs these days are about bugs AND features
- New features are generally reserved for service packs (vs. update rollups)
- Features often require schema updates
- SP2 contained ~600 bug fixes in addition to 4 new features
- Every bug is triaged for risk, cost and applicability (i.e. how many customers will benefit)
- Bugs that simply make us look bad are frequently not fixed; we can take it, and deserve to sometimes
Slide5
Mini Version Of Outlook Web App
Slide6
OMA? No, Introducing OWA Mini!
- What you previously knew as OMA (Outlook Mobile Access) is back in SP2
- This feature was driven by demand from markets where browser phones still rule
- Simple to administer via EMS (the Exchange Management Shell)
- This is a complete re-write; none of the Exchange 2003 code was re-used
- It is built as a set of OWA forms rather than as a separate application, hence "OWA Mini"
Slide7
Managing OWA Mini
- Enabled and disabled per OWA mailbox policy using Set-OWAMailboxPolicy:
  Set-OWAMailboxPolicy <Name> -OWAMiniEnabled:$True
- OWA Mini is an alternative view of OWA; OWA mailbox policies and segmentation are inherited
- Any feature in the policy that OWA Mini does not support (IRM, for example) is secure by default, i.e. disabled for OWA Mini rather than rendered without its protection
- ActiveSync policies are not applied to OWA Mini, so EAS device restrictions do not constrain a browser phone that uses OWA Mini instead
- Access to fully supported features such as calendar and contacts can be managed via policy
- Works in all OWA languages
Slide8
How Does OWA Mini Work?
- A new virtual directory, /owa/oma, is created; it points to the same path as the /owa v-dir (similar to the /owa/Calendar v-dir)
- Basic authentication is configured on it instead of forms-based authentication (FBA), so the browser sends the credentials with every request and the v-dir must only ever be reached over SSL
- The app runs in the OWA app pool
- When the ASP.NET app starts on that v-dir, it detects the path and creates an OWA Mini application (different forms from "normal" OWA)
- Same common codebase throughout OWA, but the forms are specific to this device type
Slide9
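The two slides above describe a policy switch and a Basic-auth v-dir. The following is an added example, not code from the deck or from Microsoft: it enables OWA Mini for one set of users through a dedicated OWA mailbox policy and then audits the /owa/oma v-dir on the CAS for the property that matters with Basic auth (SSL required, no anonymous fallback). The policy name, the distribution group name and the IIS site name are assumptions; it runs in the Exchange Management Shell on an SP2 CAS and needs the IIS WebAdministration module for the audit part.

```powershell
# Added example; not code from the deck or from Microsoft. Policy, group and IIS
# site names are assumptions. Run in the Exchange Management Shell on an SP2 CAS;
# the audit part needs the IIS WebAdministration module (IIS 7.x).
Import-Module WebAdministration

$policyName = 'BrowserPhone-Users'   # assumed OWA mailbox policy name
$groupName  = 'BrowserPhoneUsers'    # assumed DL whose members get OWA Mini
$siteName   = 'Default Web Site'     # assumed IIS site hosting /owa

# 1. A dedicated policy. OWA Mini does not support IRM and disables it regardless;
#    switching it off in the policy keeps the intent visible to the next admin.
if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}
Set-OwaMailboxPolicy -Identity $policyName -OWAMiniEnabled:$true -IRMEnabled:$false

# 2. Assign the policy to the mailboxes that need it. Policies are per mailbox, so
#    users left on the default policy keep whatever OWAMiniEnabled says there.
Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
    Where-Object { $_.RecipientType -like '*Mailbox' } |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -OwaMailboxPolicy $policyName }

# 3. Audit the /owa/oma v-dir. It uses Basic auth (credentials base64-encoded in
#    every request), so it must require SSL and must not fall back to anonymous.
function Test-OwaMiniVdir {
    param([string]$Site = 'Default Web Site')
    $path = "IIS:\Sites\$Site\owa\oma"
    $basic = Get-WebConfigurationProperty -PSPath $path -Name enabled `
        -Filter 'system.webServer/security/authentication/basicAuthentication'
    $anon  = Get-WebConfigurationProperty -PSPath $path -Name enabled `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication'
    $ssl   = Get-WebConfigurationProperty -PSPath $path -Name sslFlags `
        -Filter 'system.webServer/security/access'
    # sslFlags comes back as a plain string or as an attribute with a .Value
    $sslText = if ($ssl -is [string]) { $ssl } else { [string]$ssl.Value }
    $flags   = $sslText -split ',\s*'
    $basicOn = [bool]$basic.Value
    $anonOn  = [bool]$anon.Value
    $sslOn   = ($flags -contains 'Ssl') -or ($flags -contains 'Ssl128')
    New-Object PSObject -Property @{
        VirtualDirectory = $path
        BasicAuthEnabled = $basicOn
        AnonymousEnabled = $anonOn
        SslRequired      = $sslOn
        Ok               = ($basicOn -and -not $anonOn -and $sslOn)
    }
}
Test-OwaMiniVdir -Site $siteName | Format-List
```

Run the audit on every CAS that serves /owa, not just the one you configured: the v-dir is created by setup on each server, and an SSL setting removed on one of them is enough to put Basic credentials on the wire.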
Hybrid Configuration Wizard
Slide10
Hybrid Configuration Wizard
- Wizard plus cmdlets for setting up on-premises Exchange and Office 365 to work together properly, in Hybrid mode
- Vastly simpler process than the previous SP1 manual experience
- What once took ~49 steps now takes 6 (your mileage may vary): more than an 80% reduction for the administrator
- Interested in more? EXL303: Configuring Hybrid Exchange the Easy Way (Wednesday @ 2:45PM)
Slide11
Address Book Policies
Slide12
First, Some History Of GAL Segmentation
- By default in Exchange, the Global Address List contains every mail-enabled object
- GAL Segmentation means dividing up the GAL and Address Lists
- Why would you want to do this?
  - Legal or compliance reasons: people are not allowed to see each other in the GAL
  - Optimization reasons: you have a huge GAL but operate in smaller logical units
  - Hosting reasons: you want to host multiple organizations on one platform and don't want them seeing each other
Slide13
Some History...
- In the Exchange 2000 timeframe a KB article was released that outlined how to carve up your GAL, but we pulled it when HMC (Hosted Messaging and Collaboration) was created
- For 2003, no such paper, but many support cases
- For 2007, a new whitepaper was born
- For 2010, we decided to engineer the solution fully into the product:
  - It enables us to systematically test the solution
  - It allows CSS (Customer Service and Support) to fully support the solution
  - And because customers asked for it
Slide14
How Did The Previous Solutions Work?
- Based on a combination of methods:
  - ACLs on GALs and ALs (Outlook and EAS): requires security group membership and all ACLs to be evaluated (scale limits)
  - msExchQueryBaseDN (for OWA; not needed since SP1): specify per user the base OU the user can search from, which means the OU hierarchy is rigid
  - Per-user OAB assignment: specify per user the OAB the user can access
- Obviously many ways for things to break; you need to script provisioning operations to avoid mistakes
- Not really well integrated with the core design of Exchange
- The OU hierarchy dependency didn't work for many customers
Slide15
Introducing Address Book Policies
- New in SP2: Address Book Policies (ABPs) enable you to achieve GAL Segmentation in Exchange 2010
- ABPs work on the principle of directly assigning a GAL and Address Lists to a user, rather than allowing or denying access to every available list
- ABPs only apply to users with mailboxes on Exchange 2010, as they plug in to the Address Book Service on the 2010 SP2 CAS role
- Any request that comes through the Address Book Service on CAS is evaluated against the ABP assigned to the user
Slide16
A Picture Says A Thousand Words
[Diagram: a user is assigned Address Book Policy A. The policy's effective filter is GAL1. It picks from the organization's objects: Address Lists AL1, AL2, AL5 and AL6 (of AL 1-6); Default Address List GAL1 (of GAL 1-4); Room Address List RM AL 1 (of RM AL 1-2); and Offline Address Book OAB B, where OAB B = AL1 + AL2 + AL5 + AL6 + GAL1 and OAB A = AL1 + AL3 + AL4.]
Slide17
What Kind Of Actions Are Impacted?
- ABPs work for any client that goes through CAS for directory access and:
  - Opens the address list picker
  - Tries to resolve a name or an alias
  - Adds a room resource to a meeting request
  - Searches the GAL
  - Searches the directory from Outlook Voice Access
  - Queries the directory from a mobile device
  - Views someone's DL memberships, or views the members of a DL
- Yes: if a user in a DL is outside the scope of your ABP, you won't see them. This prevents GAL mining by surfing up and down the member/memberOf properties in some scenarios
- This does mean you might be sending to more people than you think you are, and that MailTips might (apparently) not be telling the truth: the members hidden from you still receive the message
Slide18
ABP Deployment Scenarios: Two Independent Companies
[Diagram: Tailspin Inc. and Fabrikam Inc. hosted side by side. Tailspin's users and DLs, contacts and room mailboxes fall into AL-TAIL-Users-DL's, AL-TAIL-Contacts and AL-TAIL-Rooms, with GAL-TAIL and OAB-TAIL. Address Book Policy 'TAIL' = Address Lists AL-TAIL-Users-DL's, AL-TAIL-Rooms, AL-TAIL-Contacts; Default Address List GAL-TAIL; Room Address List AL-TAIL-Rooms; Offline Address Book OAB-TAIL. Address Book Policy 'Fab' is built the same way from AL-FAB-Users-DL's, AL-FAB-Rooms, AL-FAB-Contacts, GAL-FAB and OAB-FAB. Neither policy includes any of the other company's lists.]
Slide19
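The two-independent-companies scenario above, built with the SP2 cmdlets, as an added example that is not code from the deck or from Microsoft. It assumes every Tailspin recipient is stamped with CustomAttribute15 = 'TAIL' and every Fabrikam recipient with 'FAB' (stamping the attribute is the job of your provisioning process), that the list and policy names follow the slide's naming, and that it runs in the Exchange Management Shell as a member of Organization Management. The last function is the check that matters after deployment: a tagged mailbox with no ABP falls back to the default GAL and sees, and is seen by, the other tenant.

```powershell
# Added example; not code from the deck or from Microsoft. Assumes tenant recipients
# are stamped with CustomAttribute15 ('TAIL' / 'FAB'). Run in the Exchange
# Management Shell as a member of Organization Management.
function New-TenantAddressBookPolicy {
    param([string]$Tag, [string]$Prefix)
    # Filters are OPATH strings evaluated by Exchange. (Alias -ne $null) keeps
    # non-recipient AD objects out of every list.
    $tenant = "(Alias -ne `$null) -and (CustomAttribute15 -eq '$Tag')"
    $gal = New-GlobalAddressList -Name "GAL-$Prefix" -RecipientFilter $tenant
    $usersDls = New-AddressList -Name "AL-$Prefix-Users-DLs" -RecipientFilter (
        "$tenant -and ((RecipientType -eq 'UserMailbox') -or " +
        "(RecipientType -eq 'MailUniversalDistributionGroup') -or " +
        "(RecipientType -eq 'MailUniversalSecurityGroup') -or " +
        "(RecipientType -eq 'DynamicDistributionGroup'))")
    $contacts = New-AddressList -Name "AL-$Prefix-Contacts" -RecipientFilter (
        "$tenant -and (RecipientType -eq 'MailContact')")
    $rooms = New-AddressList -Name "AL-$Prefix-Rooms" -RecipientFilter (
        "$tenant -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or " +
        "(RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))")
    # The OAB is generated from the tenant GAL, so offline clients get the same scope.
    $oab = New-OfflineAddressBook -Name "OAB-$Prefix" -AddressLists $gal.Identity
    # Populate membership now instead of waiting for the next scheduled update.
    Update-GlobalAddressList -Identity $gal.Identity
    $usersDls, $contacts, $rooms | ForEach-Object { Update-AddressList -Identity $_.Identity }
    Update-OfflineAddressBook -Identity $oab.Identity
    New-AddressBookPolicy -Name "ABP-$Prefix" `
        -GlobalAddressList $gal.Identity `
        -OfflineAddressBook $oab.Identity `
        -RoomList $rooms.Identity `
        -AddressLists $usersDls.Identity, $contacts.Identity, $rooms.Identity
}

# Tagged mailboxes that still have no ABP: they see the default GAL, i.e. both tenants.
function Get-UnscopedTenantMailboxes {
    param([string]$Tag)
    Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute15 -eq '$Tag'" |
        Where-Object { $_.AddressBookPolicy -eq $null }
}

foreach ($t in @(@{ Tag = 'TAIL'; Prefix = 'TAIL' }, @{ Tag = 'FAB'; Prefix = 'FAB' })) {
    $abp = New-TenantAddressBookPolicy -Tag $t.Tag -Prefix $t.Prefix
    Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute15 -eq '$($t.Tag)'" |
        Set-Mailbox -AddressBookPolicy $abp.Identity
    $missing = @(Get-UnscopedTenantMailboxes -Tag $t.Tag)
    "$($t.Prefix): $($missing.Count) mailbox(es) still without an ABP"
}
```

Make the assignment step part of mailbox provisioning rather than a one-off: a mailbox created later without Set-Mailbox -AddressBookPolicy is exactly the gap the last function reports.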
ABP Deployment Scenarios: Two Companies Sharing One CEO
[Diagram: the same Tailspin 'TAIL' and Fabrikam 'Fab' policies as in the previous scenario, plus a third user, "Big Boss", assigned Address Book Policy 'Boss': Address Lists = all the ALs there are; Default Address List = Default GAL; Room Address List = Default All Rooms; Offline Address Book = Default OAB. The CEO sees both companies; each company still sees only itself.]
Slide20
ABP Deployment Scenarios: Education
[Diagram: a school with students in Class A and Class B, teachers, a principal, and the DLs "Class A - All", "Class B - All", "Everyone" and "Faculty". Address lists are built from attribute filters: "All Teachers" where attribute y = 'teacher' or 'principal'; "All Students" where attribute z = 'student'; "All Groups" where object type = group; and one "Class X" address list per class, scoped to all students in that class. Address Book Policy 'Student Class A' = Address Lists AL-Class A, AL-All Teachers, AL-All Groups; Default Address List GAL-Class-A. Address Book Policy 'Principal' = Address Lists AL-Class A, AL-Class B etc., AL-All Teachers, AL-All Students, AL-All Groups; Default Address List GAL-Principal. The member counts shown beside the DL objects differ between the two policies: a student sees only the members of "Class B - All", "Everyone" and "Faculty" that fall within the student policy's scope, while the principal sees the full membership.]
Slide21
ABP Deployment Considerations
- Deploying ABPs successfully is all about planning and understanding what they can and cannot do
- ABPs alone do not result in 'true' separation: they filter what the directory shows, and smart users can usually figure out ways to get around them or expose some data
- As an example: Transport will send to the real members of a DL; it ignores ABPs
- Don't try to use ABPs alone to 'fake' multi-tenancy; it's more complex than that
- ABPs are better suited to providing optimized address lists for discrete groups of users that do not share resources
Slide22
Anything Else We Need To Know?
- ABPs cannot prevent anyone from connecting directly to AD and bypassing the ABP logic, so LDAP clients (for example Outlook for Mac/Entourage using LDAP) will not work with ABPs; an ordinary domain account's default read access is enough to enumerate the whole directory that way
- You can't use ABPs if Exchange is installed on a Global Catalog: in that case NSPI is provided by AD rather than the Address Book Service
- If you span DLs over ABPs you need to disable Group Management in ECP, as ECP uses Get-Group, which ignores ABPs
- Don't try to mix and match ABPs and ACLs (unless migrating), or use QBDNs (msExchQueryBaseDN)
Slide23
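The limits on the last two slides can be checked rather than remembered. The following is an added example, not code from the deck or from Microsoft, with three checks: how much of the directory an ABP-scoped user can still read over LDAP/GC (the path Entourage-style clients take), whether any Exchange server is also a Global Catalog, and which DLs have members under more than one ABP (the groups where Transport delivers to people the sender cannot see and where ECP group management ignores the ABP). It assumes the Exchange Management Shell; the first check is meant to be run as a normal, ABP-scoped user.

```powershell
# Added example; not code from the deck or from Microsoft. Run in the Exchange
# Management Shell. Check 1 is meant to be run as a normal (ABP-scoped) user.

# 1. LDAP bypass. Any domain account can read the Global Catalog, which is what an
#    LDAP client such as Entourage does; ABPs never enter the picture.
function Get-LdapVisibleRecipientCount {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $root = New-Object System.DirectoryServices.DirectoryEntry("GC://$($forest.Name)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(&(mail=*)(|(objectClass=user)(objectClass=group)(objectClass=contact)))'
    $searcher.PageSize = 1000           # page through large directories
    [void]$searcher.PropertiesToLoad.Add('mail')
    $searcher.FindAll().Count
}
"Mail-enabled objects visible over LDAP/GC as $env:USERNAME (ABP not applied): $(Get-LdapVisibleRecipientCount)"

# 2. Exchange on a Global Catalog: NSPI then comes from AD and ABPs are not applied.
function Get-ExchangeServersOnGlobalCatalog {
    $gcs = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs |
        ForEach-Object { $_.Name.ToLower() }
    Get-ExchangeServer | Where-Object { $gcs -contains $_.Fqdn.ToLower() }
}
Get-ExchangeServersOnGlobalCatalog |
    ForEach-Object { Write-Warning "$($_.Name) is a Global Catalog: ABPs will not be enforced there" }

# 3. DLs spanning more than one ABP. Members outside the sender's ABP are hidden in
#    the picker and in MailTips, but Transport still delivers to them, and ECP group
#    management (Get-Group) ignores ABPs; these are the groups to review.
function Get-CrossAbpDistributionGroups {
    foreach ($dl in Get-DistributionGroup -ResultSize Unlimited) {
        $abps = Get-DistributionGroupMember -Identity $dl.Identity -ResultSize Unlimited |
            Where-Object { $_.RecipientType -like '*Mailbox' } |
            ForEach-Object {
                $abp = (Get-Mailbox -Identity $_.Identity).AddressBookPolicy
                if ($abp -eq $null) { '<none>' } else { $abp.Name }
            } | Sort-Object -Unique
        if (@($abps).Count -gt 1) {
            New-Object PSObject -Property @{
                Group               = $dl.Name
                AddressBookPolicies = ($abps -join ', ')
            }
        }
    }
}
Get-CrossAbpDistributionGroups | Format-Table -AutoSize
```

The first number is the one to show anyone who believes ABPs are a security boundary: it is the full directory, returned to a user whose ABP shows a fraction of it.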
What About ABPs and Office 365?
- Making ABPs work in Office 365 is part of our long-term plan, but it's not as easy as just putting the new code there
- Tenant admins cannot today create or manage ALs, GALs or OABs, so they wouldn't be able to create very useful ABPs; we would need to allow creation and enforce throttling
- Lync and SharePoint have their own directory access methods, and so do not respect ABPs
- We would also need to add dirsync capability to make the feature easy to manage for hybrid customers
Slide24
How Does This Relate To /Hosting Mode?
- Exchange 2010 "/Hosting" mode is a setup option which deploys a multi-tenant Exchange system
- We have announced that /Hosting mode is deprecated: there will be no /Hosting mode in the next major release of the product, and there will be no additional feature adds in Exchange 2010 within /Hosting mode
- Instead of using /Hosting mode, customers can deploy a hosted Exchange solution using SP2 (without /Hosting mode) and our published guidance, in collaboration with one of our 3rd party solution vendors
- We require using ABPs to handle GAL segmentation within the context of a multi-tenant hosting solution
Slide25
Deploying A Multi-Tenant Solution
- Key takeaway: Don't use /Hosting mode*
- Check out our partner solution site: http://technet.microsoft.com/en-us/exchange/hh563895
- The site contains approved, supported solutions which use the product group's guidance to achieve multi-tenancy within Exchange 2010 SP2
- You'll also find detailed information from the product group on supportability guidelines for solutions of this type, as well as scale guidance
* /Hosting mode continues to be supported within the support lifecycle of Exchange 2010
Slide26
OWA Cross-Site Silent Redirection
Slide27
Why You Want This Feature (And You Will)
- Pre Exchange 2010 SP2, if you try to use OWA on a CAS in the 'wrong' AD site, CAS has a decision to make: it can proxy or redirect the connection to the target site
- If there is no ExternalURL in the target site, we proxy, the mailbox opens and the user gets access
- If the target site has an ExternalURL, we show the user a page with a link to click; the user clicks the link, logs in again, and gets access. The user has to log in twice
- We are removing the need to click the link; for some scenarios this results in a Single Sign-On experience
Slide28
Additional Detail On Silent Redirect
- It is disabled by default; this means that out of the box, cross-site "manual redirection" still occurs
- Can be a single sign-on experience when the source and target OWA virtual directories both use Forms-Based Authentication
- Is only available for intra-org cross-site redirection events
Slide29
How Do I Enable This Feature?
- You enable Cross-Site Silent Redirection on your Internet-facing CAS, on a per-OWA-virtual-directory basis:
  Set-OWAVirtualDirectory -Identity "CAS1\owa (default web site)" -CrossSiteRedirectType Silent
- When you enable silent redirection you will be informed that:
  - The target CAS must have an ExternalURL that uses HTTPS (the redirect re-posts the user's logon to the target, so it must not travel in the clear)
  - A single sign-on experience may not be possible if FBA is not enabled
- Let's see this in action!
Slide30
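The cmdlet above warns about two conditions at enable time; the following is an added example, not code from the deck or from Microsoft, that checks them across every OWA virtual directory first (any v-dir with an ExternalUrl is a possible redirect target), enables silent redirection on the Internet-facing CASs only when no target would be refused, and shows the resulting state. The server names are assumptions; it runs in the Exchange Management Shell.

```powershell
# Added example; not code from the deck or from Microsoft. Server names are
# assumptions. Run in the Exchange Management Shell.
$internetFacingCas = @('CAS1', 'CAS2')   # assumed: the CASs users reach from the Internet

function Get-OwaRedirectIssues {
    # Every OWA v-dir with an ExternalUrl can become a redirect target. Silent
    # redirect refuses non-HTTPS targets (Blocking); without FBA on the target the
    # user simply logs in a second time (not blocking, but no SSO).
    foreach ($v in (Get-OwaVirtualDirectory -ADPropertiesOnly)) {
        if ($v.ExternalUrl -eq $null) { continue }
        if ($v.ExternalUrl.Scheme -ne 'https') {
            New-Object PSObject -Property @{
                VirtualDirectory = "$($v.Identity)"
                Blocking         = $true
                Issue            = "ExternalUrl $($v.ExternalUrl) is not https; silent redirect to it is not allowed"
            }
        }
        if (-not $v.FormsAuthentication) {
            New-Object PSObject -Property @{
                VirtualDirectory = "$($v.Identity)"
                Blocking         = $false
                Issue            = 'FBA disabled; users redirected here will be prompted to log in again'
            }
        }
    }
}

$issues = @(Get-OwaRedirectIssues)
$issues | ForEach-Object { Write-Warning "$($_.VirtualDirectory): $($_.Issue)" }

$blocking = @($issues | Where-Object { $_.Blocking })
if ($blocking.Count -eq 0) {
    foreach ($v in (Get-OwaVirtualDirectory -ADPropertiesOnly)) {
        if ($internetFacingCas -contains "$($v.Server)") {
            Set-OwaVirtualDirectory -Identity $v.Identity -CrossSiteRedirectType Silent
        }
    }
} else {
    Write-Warning "Fix the https ExternalUrl issue(s) above before enabling silent redirection"
}

Get-OwaVirtualDirectory -ADPropertiesOnly |
    Select-Object Server, ExternalUrl, FormsAuthentication, CrossSiteRedirectType |
    Format-Table -AutoSize
```

Only the Internet-facing CASs need the Silent setting; the v-dirs in the target sites only need a correct HTTPS ExternalUrl and, for SSO, FBA.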
Experience, Before and After
Cue Applause...
Slide31
How It Works
- If OWA determines that a cross-site silent redirect is possible and should be performed (same logic as the legacy Exchange 2007 SSO redirect):
  - Rather than sending a redirect response, it sends HTML to the browser with a 200 OK response
  - The HTML contains dynamically generated login form content, with the target site's logon page as the location the form submits to
  - A JavaScript OnLoad() method submits the form, so the user never sees it
Slide32
The Latest In Exchange 2010 SP2 Update Rollup (RU) 3
Slide33
Update Rollups
- In addition to our normal cycle of bug fixes, update rollups often include some significant improvements
- Based on feedback from customers and partners (and our own experience in Office 365) we are constantly tuning how things work
- Many of these "tune-ups" are discussed on the Exchange Team Blog
Slide34
Recoverable Items Versioning Changes
- Some background: single item recovery and litigation hold enable versioning of content in the mailbox
- Item changes result in copy-on-write (COW) behavior within the Recoverable Items store
- Copy-on-write is triggered by specific changes; Drafts are exempt
[Diagram: the primary mailbox (Inbox, Deleted Items, ...) alongside "Recoverable Items Store 2.0", whose Recoverable Items subtree holds the Versions and Purges folders.]
Slide35
Recoverable Items Versioning Changes
- Problem scenario: a calendar item with an attachment
  - Open the item, open the attachment
  - Outlook auto-save (3 minute interval) results in copy-on-write for the item as well as the attachment(s)
- In SP2 RU3, we've been able to reduce the versions generated for this scenario to only include the message changes (which include the attachment(s))
- End result is reduced space consumption, potentially a dramatic reduction...
Slide36
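To see what versioning costs before and after the RU3 change, the following is an added example, not code from the deck or from Microsoft: for every mailbox on a database that has single item recovery or litigation hold enabled (the two features that turn on copy-on-write), it reports the size of the Recoverable Items subtree and of its Versions folder against the mailbox's RecoverableItemsQuota and flags mailboxes above a warning fraction. The database name and the 80% threshold are assumptions; it runs in the Exchange Management Shell against Exchange 2010 SP1 or later.

```powershell
# Added example; not code from the deck or from Microsoft. Database name and the
# 80% threshold are assumptions. Run in the Exchange Management Shell (2010 SP1+).
function Get-RecoverableItemsReport {
    param([string]$Database, [double]$WarnAt = 0.8)
    $mailboxes = Get-Mailbox -Database $Database -ResultSize Unlimited |
        Where-Object { $_.SingleItemRecoveryEnabled -or $_.LitigationHoldEnabled }
    foreach ($m in $mailboxes) {
        # FolderScope RecoverableItems returns the hidden subtree: Deletions, Versions, Purges
        $stats = Get-MailboxFolderStatistics -Identity $m.Identity -FolderScope RecoverableItems
        $rootStat = $stats | Where-Object { $_.FolderPath -eq '/Recoverable Items' }
        $verStat  = $stats | Where-Object { $_.FolderPath -eq '/Recoverable Items/Versions' }
        $usedBytes = if ($rootStat) { $rootStat.FolderAndSubfolderSize.ToBytes() } else { 0 }
        $verBytes  = if ($verStat)  { $verStat.FolderSize.ToBytes() } else { 0 }
        # RecoverableItemsQuota is Unlimited<ByteQuantifiedSize>; unlimited means no ceiling
        $quota = $m.RecoverableItemsQuota
        $quotaBytes = if ($quota.IsUnlimited) { $null } else { $quota.Value.ToBytes() }
        $pct  = if ($quotaBytes) { [math]::Round(100 * $usedBytes / $quotaBytes, 1) } else { $null }
        $hold = if ($m.LitigationHoldEnabled) { 'LitigationHold' } else { 'SingleItemRecovery' }
        New-Object PSObject -Property @{
            Mailbox       = $m.Alias
            Hold          = $hold
            RecoverableMB = [math]::Round($usedBytes / 1MB, 1)
            VersionsMB    = [math]::Round($verBytes / 1MB, 1)
            QuotaUsedPct  = $pct
            NearQuota     = ($quotaBytes -ne $null -and $usedBytes -ge ($WarnAt * $quotaBytes))
        }
    }
}
Get-RecoverableItemsReport -Database 'DB01' |
    Sort-Object VersionsMB -Descending |
    Format-Table Mailbox, Hold, RecoverableMB, VersionsMB, QuotaUsedPct, NearQuota -AutoSize
```

Run it before and after applying RU3 on a database with heavy calendar users; the Versions column is where the attachment copies described above accumulate, and a mailbox on litigation hold that reaches its Recoverable Items quota stops accepting changes to held items, which is the failure this fix makes less likely.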
Related Content
Breakout Sessions
- EXL305: Microsoft Exchange Server 2010 SP2 Tips & Tricks (Wednesday @ 10:15AM)
- EXL303: Configuring Hybrid Exchange the Easy Way (Wednesday @ 2:45PM)
Slide37
Track Resources
- Geek Out with Perry Blog: http://blogs.technet.com/b/perryclarke/
- Exchange Team Blog: http://blogs.technet.com/b/exchange/
- Exchange TechNet Tech Center: http://technet.microsoft.com/exchange
- MEC Website and Registration: http://www.mecisback.com/
Slide38
Slide39
Resources
- Connect. Share. Discuss. http://europe.msteched.com
- Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
- TechNet: Resources for IT Professionals, http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn
Slide40
Evaluations
- http://europe.msteched.com/sessions
- Submit your evals online
Slide41
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide42