
Overview

Presentation

Introduction
Supported coexistence scenarios
Upgrade and coexistence: Exchange 2003
Upgrade and coexistence: Exchange 2007

Support lifecycle by Exchange version (end of mainstream support phase / end of extended support phase):
Exchange Server 5.5: 12/31/2003 / 1/10/2006
Exchange 2000 Server: 12/31/2005 / 1/11/2011
Exchange Server 2003: 4/14/2009 / 4/8/2014
Exchange 2007: 4/10/2012 / 4/11/2017

Source: http://support.microsoft.com/lifecycle

Exchange organization coexistence by version:
Exchange Server 5.5: not supported
Exchange 2000 Server: not supported
Exchange Server 2003: supported
Exchange 2007: supported
Mixed Exchange 2007 and Exchange Server 2003 organization: supported

In-Place Upgrade NOT possible!

Exchange prerequisites: Exchange 2003 SP2, Exchange 2007 SP2, Exchange organization in native mode

Active Directory prerequisites: in every site at least one Global Catalog running Windows 2003 SP2 or later; at least Windows Server 2003 forest functional level; Schema Master running Windows 2003 SP2 or later

Be aware of new features
Be aware of dropped features
Understanding coexistence: management interfaces, server role features, routing differences
The order: Active Directory sites, then server roles

New in Exchange 2007:
From 2 server roles to 5 server roles: Client Access, Hub Transport, Edge Transport, Mailbox, Unified Messaging
64-bit only for production
AD sites replace Routing Groups
Exchange Web Services & Autodiscover
Unified Messaging
New admin tools

New in Exchange 2010:
On-Premise & In-The-Cloud
High Availability solution for mailboxes is Database Availability Groups (DAG)
RPC Client Access Service
Management Tools (Exchange binaries) are 64-bit only

Dropped in Exchange 2007:
Routing groups
Administrative groups
Link state routing
Exchange Installable File System (ExIFS)
Event service
ExMerge
Outlook Mobile Access (OMA)
Network News Transfer Protocol (NNTP)

Dropped in Exchange 2010:
Local Continuous Replication
Fax services
Single copy clusters (SCC) and, along with them: shared storage, pre-installing a cluster, clustered mailbox servers, running setup in cluster mode, moving a clustered mailbox server
Storage groups (properties moved to database objects)
Two-copy limitation of CCR
Streaming backup
WebDAV, ExOLEDB, CDOEx (Entourage Web Services Edition uses EWS)

Desktop
Microsoft Office Outlook 2003 and later POP/IMAP Entourage

Web
Internet Explorer Mozilla Safari

Mobile
EAS + Third-Party vendors

Management interfaces by version:
Exchange 2003: ADUC / ESM (Domain Partition); ESM (Configuration Partition, Schema Partition)
Exchange 2007: EMS/EMC
Exchange 2010: EMS/EMC/ECP, governed by RBAC

Actions that create new objects, such as new mailboxes or a new Offline Address Book, can only be performed on a version of the Exchange Management Console that is the same as the target object. Exchange 2007 Mailbox databases cannot be managed from the Exchange 2010 Management Console, although these databases can be viewed. Exchange 2010 Management Console can't enable or disable Exchange 2007 Unified Messaging mailboxes. Exchange 2010 Management Console can't manage Exchange 2007 mobile devices. Actions that require management can be performed on Exchange 2007 objects from the Management Console in Exchange Server 2010. These actions cannot be performed from the Management Console in Exchange 2007 on objects from Exchange Server 2010.

Actions that require viewing of objects can be performed from any version of the Exchange Management Console to any version of Exchange objects with a few exceptions. Exchange 2007 and Exchange 2010 transport rule objects can only be viewed from the corresponding version of the Exchange Management Console. Exchange 2007 and Exchange 2010 servers can only be viewed from their corresponding version of the Exchange Management Console. Exchange 2010 Management Console's Queue Viewer tool can't connect to an Exchange 2007 server to view queues or messages.

Start with the Internet-accessible Active Directory sites first.
Step 1. Upgrade existing servers to SP2
Step 2. Deploy E2010 servers: CAS first, MBX last; start with a few, add more as you move mailboxes
Step 3. Legacy hostname for old FE/CAS: SSL certificate purchase; end users don't see this hostname; used when Autodiscover and redirection from CAS2010 tell clients to talk to FE2003/CAS2007 for MBX2003/MBX2007 access
Step 4. Move Internet hostnames to CAS2010, UM phone numbers to UM2010, the SMTP endpoint to HUB2010
Step 5. Move mailboxes
Step 6. Decommission old servers
Upgrade internal sites second (repeat the same steps)

ESM E2003

EMC E2007

EMS E2007

EMC E2010

EMS E2010

Best practice: minimize the number of certificates
Use a Subject Alternative Name (SAN) certificate, which can cover multiple hostnames
Wildcard certificates
Certificate Wizard in E2010

1 certificate for all CAS servers + reverse proxy + Edge/HUB

Yes, but: Windows Mobile 5 + Outlook Anywhere

Transition from E2003:
1. Configure reverse proxy or external DNS: point legacy.contoso.com to FE2003/CAS2007
2. Ensure OWA can redirect users to the correct URL: configure the Exchange2003URL parameter on the CAS2010 OWA virtual directory (https://legacy.contoso.com/exchange)
3. Test before switching over: confirm legacy.contoso.com works for Internet access; use the Exchange Remote Connectivity Analyzer

Transition from E2007:
1. Configure reverse proxy or DNS: point legacy.contoso.com to CAS2007
2. Tell CAS2010 how to send users to CAS2007: configure the ExternalURL parameters on the CAS2007 virtual directories (OWA, EAS, EWS, OAB, etc.) to point to the legacy URL
3. Test that CAS2010 is redirecting/proxying to CAS2007

Step 1. Upgrade existing E2003 and E2007 servers to SP2
Step 2. Install HUB and MBX 2010
Step 3. Switch EdgeSync + SMTP to go to HUB2010
Step 4. Install Edge2010
Step 5. Switch Internet email submission to Edge2010

Transport interoperability during coexistence:
HUB2007 -> HUB2010: SMTP
HUB2007 -> MBX2007: RPC
HUB2007 -> MBX2010: not supported
HUB2010 -> MBX2007: not supported
HUB2010 -> MBX2010: RPC
EDGE2010 -> HUB2007 SP1: EdgeSync supported

No OCS:
Step 1. Introduce UM2010 to the existing dial plan
Step 2. Route IP GW/PBX calls to UM2010 for the dial plan
Step 3. Remove UM2007 after UM-enabled mailboxes have been moved

With OCS:
Step 1. Introduce UM2010 with a new dial plan
Step 2. Remove UM2007 after UM-enabled mailboxes have been moved

Online move = minimal user disruption (briefly disconnected as recently received messages are copied over)
Online: E2007 SP2, E2010 -> E2010, Exchange Online

Offline: E2003 -> E2010; E2010 -> E2003/E2007

http://technet.microsoft.com/en-us/exdeploy2010/default(EXCHG.140).aspx#Home

Exchange 2010 High Availability Fundamentals High Availability Management Storage Improvements End-to-End Availability Improvements High Availability Design Examples

High Availability Improvements


Improved mailbox uptime
Improved failover granularity
Simplified administration
Incremental deployment
Unification of CCR + SCR
Easy stretching across sites
Up to 16 replicated copies

Key benefits

Easier & cheaper to deploy
Easier & cheaper to manage
Better SLAs
Reduced storage costs
Larger mailboxes

More storage flexibility

Further IO reductions
RAID-less / JBOD support

Better end-to-end availability

Improved transport resiliency
Online mailbox moves

Unified Platform for High Availability and Disaster Recovery

Diagram: databases DB1 to DB5 hosted on mailbox servers in San Jose, with copies on a mailbox server in Dallas. Replicate databases to the remote datacenter; recover quickly from disk and database failures.

Evolution of Continuous Replication technology
Combines the capabilities of CCR and SCR into one platform
Easier than traditional clustering to deploy and manage
Allows each database to have up to 16 replicated copies
Provides full redundancy of Exchange roles on two servers

Exchange 2010 High Availability Overview

Diagram: a DAG stretched across the AD sites Dallas and San Jose, with Mailbox Servers 1 to 6 and a Client Access Server in each site. All clients connect via CAS servers; easy to stretch across sites; failover managed within Exchange; database-centric failover.

Components: Database Availability Group (DAG), Mailbox Servers, Mailbox Database, Database Copy, Active Manager (running on each mailbox server), RPC Client Access Service (Active Manager client).

Database Availability Group

Group of up to 16 servers
Wraps a Windows Failover Cluster
Defines the boundary of replication and failover/switchover

Mailbox Servers
Host the active and passive copies of multiple mailbox databases
Support up to 100 databases per server

Mailbox Database
Unit of failover/switchover
30-second database failover/switchover
Database names are unique across a forest

Mailbox Database Copy

A database has 1 active copy in a DAG
A server may not host more than 1 copy of a given database
Replication of copies using log shipping
System tracks the health of each copy

Copy states: Healthy, Initializing, Failed, Suspended, Mounted, Resynchronizing, Dismounted, Seeding, Disconnected, ActivationSuspended, FailedAndSuspended

Log shipping in Exchange Server 2010 leverages TCP sockets:
The target Replication service notifies the active instance of the next log file it expects
The source Replication service responds by sending the required log file(s)
Copied log files are placed in the target's Inspector directory
Validation tests are performed prior to log replay

Supports encryption and compression

Active Manager

High Availability's brain
Manages which database copies should be active and passive
Source of definitive information on where a database is active and mounted
Active Directory is the primary source for configuration information; Active Manager is the primary source for changeable state information such as active and mounted

A process that runs on every server in the DAG

Active Manager selects the best copy to become active when the active copy fails:
1. Ignores servers that are unreachable or where activation is temporarily or regularly blocked
2. Sorts copies by currency
3. Breaks ties during the sort based on Activation Preference
4. Selects from the sorted list based on the copy status of each copy

Diagram: Outlook clients connect through the Exchange CAS NLB to MBX1 and MBX2. CAS failure: the client just reconnects. Database failover: a connected client is disconnected for 30 seconds.

Exchange 2010

High Availability Management

Easy to add high availability to an existing deployment
High availability configuration is post-setup
HA mailbox servers can host other server roles

Reduces cost and complexity of HA deployments


Diagram: a Database Availability Group with Mailbox Servers 1 to 3 spread across Datacenter 1 and Datacenter 2.

Create DAG: New-DatabaseAvailabilityGroup
Add servers to a DAG: Add-DatabaseAvailabilityGroupServer
Add database copies to a server in a DAG: Add-MailboxDatabaseCopy
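The three cmdlets above carried through as one worked run, added here as an example and not taken from the deck: it builds a DAG with three copies of one database (the deck's minimum for RAID-less disks) and then checks copy health, since a DAG only protects what it has finished seeding. The DAG, server, database and witness names are assumed placeholders.

```powershell
# Added example, not from the deck: build a three-copy DAG and verify copy health.
# DAG01, MBX1-MBX3, HUB1, DB1 and the witness path are assumed placeholders.
$dagName  = "DAG01"
$servers  = "MBX1", "MBX2", "MBX3"   # MBX1 currently hosts the only (active) copy of DB1
$database = "DB1"

# 1. Create the DAG. The file share witness breaks quorum ties when the DAG has an
#    even number of members; a Hub Transport server in the same site is the usual host.
New-DatabaseAvailabilityGroup -Name $dagName -WitnessServer "HUB1" -WitnessDirectory "C:\DAG01FSW"

# 2. Add the mailbox servers. This installs Windows Failover Clustering on each
#    node and joins it to the cluster the DAG wraps; the servers stay in service.
foreach ($server in $servers) {
    Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer $server
}

# 3. Add passive copies. ActivationPreference is the tie-breaker Active Manager
#    uses after sorting copies by currency. Seeding starts automatically.
Add-MailboxDatabaseCopy -Identity $database -MailboxServer "MBX2" -ActivationPreference 2
Add-MailboxDatabaseCopy -Identity $database -MailboxServer "MBX3" -ActivationPreference 3

# 4. Verify. The active copy reports Mounted and passives report Healthy; a growing
#    CopyQueueLength means log shipping is falling behind on that copy.
$copies = Get-MailboxDatabaseCopyStatus -Identity $database
$copies | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ActivationPreference -AutoSize

$goodStates = "Mounted", "Healthy"
$bad = $copies | Where-Object { $goodStates -notcontains $_.Status.ToString() }
if ($bad) {
    Write-Warning ("Copies needing attention: " + (($bad | ForEach-Object { $_.Name }) -join ", "))
}
```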

HA administration within Exchange
Recovery uses the same simple operation for a wide range of failures
Simplified activation of Exchange services in a standby datacenter

Reduces cost and complexity of management

Managing Availability in the Exchange Management Console

1. Select a database
2. View locations and status of replicated copies
3. Take action (add copies, change master, etc.)

Use a VSS backup solution

Diagram: a Database Availability Group of Mailbox Servers 1 to 3 with a VSS requestor; restore from any of these backups.

Backup from any copy of the database/logs
Always choose the passive (or active) copy
Backup an entire server
Designate a dedicated backup server for a given database


Storage Improvements
Performance enhancements enable new options

Chart: read IOPS and write IOPS, Exchange 2003 compared with Exchange 2010.

Exchange 2010 storage enhancements:
70% reduction in IOPS
Smoother IO patterns
Resilience against corruption

Choose from a wide range of storage technologies without sacrificing system availability:

Storage Area Network (SAN)

Direct Attached w/ SAS Disks

Direct Attached w/ SATA Disks

JBOD SATA (RAID-less)

Optimized for DAS storage
Use larger, slower, cheaper disks
Support larger mailboxes at lower cost

HA provides resilience from disk failures
HA solution remains unchanged regardless of data volume size

JBOD/RAID-less storage now an option
Requires 3+ DB copies

Chart: Server/Storage Capex $/Mailbox (500 MB mailbox) for E2003 SCC (FC SAN), E2007 CCR (SAS DAS) and E2010 DAG (SATA DAS); bar values shown: $34, $27, $19, $21, $13.

Chart: Hardware Capex $/Mailbox: E2007 CCR (SAS DAS) $32 versus E2010 DAG (SATA DAS) $8.

End-to-End Availability Improvements

Online Move Mailbox

Limit user disruption during mailbox moves and maintenance

Diagram: an e-mail client connected through a Client Access Server keeps sending messages, receiving messages and accessing the entire mailbox while the mailbox moves from Mailbox Server 1 to Mailbox Server 2.

High Availability Design Examples

Diagram: single-site, two-node example with CAS/HUB/Mailbox 1 and CAS/HUB/Mailbox 2 in a Database Availability Group (DAG); sequence shown: upgrade server 1, server 2 fails, server 1 upgrade is done. Four-node example with Mailbox Servers 1 to 4, 3 HA copies on JBOD (3 physical copies).

Mailbox servers in a DAG can host other Exchange server roles

2-server configurations should always use RAID

Customers can evolve to site resilience: Standalone, Local Redundancy, Site Resilience
No single-subnet requirements
Normal administration remains unchanged
Disaster recovery usually requires manual intervention
Standby datacenter is "always live"

Keep extending the DAG

High Availability for Other Server Roles

Client Access: hardware load balancer (recommended) or Windows Network Load Balancing (NLB)
Hub Transport: no special configuration required (load balancing and failover is automatic)
Edge Transport: use DNS round robin, multiple MX records
Unified Messaging: configure the IP gateway to point to more than one UM server

Exchange 2010 High Availability

Easier & cheaper to deploy
Simplified administration
Granular failover & recovery
Better end-to-end availability
One technology for both High Availability and Site Resilience

The annual cost of helpdesk support staff for e-mail systems with 7,500 mailboxes is approximately $20/mailbox. This cost goes up the smaller the organization.
(Email Support Staff Requirements and Costs: A Survey of 136 Organizations, Ferris Research, June 2008).

Empower specialist users to perform specific tasks with role-based administration:
Compliance Officer - conduct mailbox searches for legal discovery
HR Officer - update employee info in the company directory
Lower support costs through new user self-service options:
Track status of sent messages
Create and manage distribution lists

New Exchange Management Console features
Exchange Control Panel (ECP): new and simplified web-based management console, targeted at end users, hosted tenants, and specialists
Role Based Access Control (RBAC): new authorization model, easy to delegate and customize; all Exchange management clients (EMS, EMC, ECP) use RBAC
Remote PowerShell: manage Exchange remotely using PowerShell v2.0. Note: no more local PowerShell, it's all remote in Exchange 2010

New Exchange Management Console features: built on Remote PowerShell and RBAC; multiple forest support; cross-premises Exchange management, including mailbox moves; recipient bulk edit; PowerShell command logging; new feature support, for example High Availability

A browser-based management client for end users, administrators, and specialists
Simplified user experience for common management tasks
Accessible directly via URL, OWA & Outlook 14
Deployed as a part of the Client Access Server role
RBAC aware

Specialists: administrators can delegate to specialists, e.g. Help Desk Operators, Department Administrators, and eDiscovery Administrators

End Users: comprehensive self-service tools for end users

Hosted Customers: tenant administrators
Screenshot: ECP high-level view showing the UI scope control, primary navigation, secondary navigation and slab.

AJAX-based; shares some code with OWA, but two separate applications
Deployed on the Client Access Server; stack: ECP, ASP.NET, RBAC, PowerShell
Authentication: Windows Integrated, Basic, Forms Based
Browser support - same as OWA Premium: IE, Firefox, Safari
Users shouldn't have access to message tracking: the Message Tracking tab doesn't show up in ECP
Users can edit mailboxes, but not create new ones: the "New Mailbox" button is hidden
Users can edit the display name but not Department: the Department field is visible but read-only

RBAC has replaced the permission model used in Exchange 2007
Your role is defined by what you do
Define precise or broad roles and assignments based on the tasks that need to be performed
Includes self administration
Used by EMC, EMS and ECP

RBAC model (the same diagram is repeated four times in the deck):
Who? Admins via RoleGroup/USG; End-Users via Role Assignment Policy
What? Role, made up of Role Entries (Cmdlet: Param1, Param2, Param3)
Where? Role Assignment, with Configuration Read Scope, Configuration Write Scope, Recipient Read Scope and Recipient Write Scope

Cmdlets per component:
Role group membership: Add-RoleGroupMember, Remove-RoleGroupMember
Role groups: New-RoleGroup, Set-RoleGroup, Get-RoleGroup, Remove-RoleGroup
Role assignment policies: New-RoleAssignmentPolicy, Remove-RoleAssignmentPolicy
Role assignments: New-ManagementRoleAssignment, Get-ManagementRoleAssignment, Set-ManagementRoleAssignment, Remove-ManagementRoleAssignment
Scopes, for example an exclusive recipient scope that locks other assignments out of the matching recipients:
New-ManagementScope -Name "VIP-Recipients" -RecipientRestrictionFilter { (Title -eq "CEO") -or (Title -eq "CIO") } -Exclusive

Custom roles can be added to suit specific delegation requirements
Roles are hierarchical, with the built-in role at the top
Role entries can only be removed from a role

1. Create the management role
2. Change the new role's management role entries (by removing role entries)
3. Create a management scope (if required)
4. Assign the new management role

# -Parent must name an existing management role ("Discovery Management" is the built-in role group; its roles include "Mailbox Search")
New-ManagementRole -Name "eDiscovery-Sales" -Parent "DiscoveryManagement"

# Scope: user mailboxes under the Sales OU only
New-ManagementScope -Name "Sales Mailboxes" -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" } -RecipientRoot "OU=Sales,DC=contoso,DC=com"

# Assign the role to the universal security group, limited to the scope above
New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" -SecurityGroup "USG-Sales eDiscovery Admins" -Role "eDiscovery-Sales" -CustomRecipientWriteScope "Sales Mailboxes"

Role membership is not a right to delegate

RoleAssignment delegation: a special kind of role assignment; delegation does not grant role permissions

RoleGroup delegation: controlled through RoleGroup ownership; ManagedBy parameter similar to DGs (multi-valued); ownership does not grant RoleGroup permissions

Get-ManagementRoleAssignment reports: effective roles for a user; effective users by role/scope/group; effective permissions to a writable object
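The four-step custom role procedure and the Get-ManagementRoleAssignment checks above, carried through as one run; this is an added example, not code from the deck. It derives the role from the built-in "Mailbox Search" role (a role, not the "Discovery Management" role group), and the group, OU and ceo@contoso.com address are assumed placeholders.

```powershell
# Added example, not from the deck: delegate scoped eDiscovery to a security group
# with the least-privilege steps the slides list, then verify the effective result.
# The group, the Sales OU and ceo@contoso.com are assumed placeholders.
$roleName   = "eDiscovery-Sales"
$parentRole = "Mailbox Search"                 # built-in role held by the Discovery Management role group
$scopeName  = "Sales Mailboxes"
$group      = "USG-Sales eDiscovery Admins"    # existing universal security group

# 1. Create the role as a child of a built-in role; it starts with all parent entries.
New-ManagementRole -Name $roleName -Parent $parentRole

# 2. Trim entries. A child role can only lose entries, never gain ones its parent
#    lacks, so remove what the delegates do not need (here, anything destructive).
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -like "Remove-*" } |
    ForEach-Object { Remove-ManagementRoleEntry -Identity "$roleName\$($_.Name)" -Confirm:$false }

# 3. Scope the assignment to user mailboxes under the Sales OU only.
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" } `
    -RecipientRoot "OU=Sales,DC=contoso,DC=com"

# 4. Assign the role to the group with the custom recipient write scope.
New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" `
    -Role $roleName -SecurityGroup $group -CustomRecipientWriteScope $scopeName

# 5. Verify what was granted, not what was intended.
#    a) Cmdlets and parameters left in the role
Get-ManagementRoleEntry "$roleName\*" | Format-Table Name, Parameters -AutoSize
#    b) Users who effectively hold the assignment (nested group members included)
Get-ManagementRoleAssignment -RoleAssignee $group -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, CustomRecipientWriteScope -AutoSize
#    c) A mailbox outside the Sales OU must not be writable through this role
$leak = Get-ManagementRoleAssignment -WritableRecipient "ceo@contoso.com" |
    Where-Object { $_.Role.Name -eq $roleName }
if ($leak) { Write-Warning "Scope leak: $roleName can write to a recipient outside Sales" }
else       { Write-Output  "Scope confirmed: $roleName cannot touch ceo@contoso.com" }
```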

New management architecture for PowerShell in Exchange 2010

Allows the Role-based Access Control (RBAC) model: a restricted runspace allows RBAC to hide cmdlets and parameters

Client / server separation: Remote PowerShell is always used, even to connect to localhost; enables firewall and cross-forest scenarios

No-binaries scenarios: Exchange cmdlet management from a client machine which does not have the Exchange Management Tools (Exchange binaries) installed

> New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://server.fqdn.com/PowerShell/
> New-Mailbox -Name Bob


Diagram: Erik's PSv2 client runspace (cmdlets available: New-PSSession) connects over WSMan to IIS on the Exchange server, which authenticates him; the WSMan + RBAC stack authorizes him against his role assignment in Active Directory (New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name); the PSv2 RBAC server runspace exposes only those cmdlets and parameters, which become the remote cmdlets available in the client runspace; the Bob mailbox object returns in the pipeline.

$UserCredential = Get-Credential
$rs = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<Exchange 2010 servername>/powershell -Credential $UserCredential
Import-PSSession $rs
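The session setup above, extended to show the restricted runspace at work: after import, the proxy module exports exactly the cmdlets RBAC left visible to the connecting account. This is an added example, not code from the deck; the server name is an assumed placeholder and the account is assumed to have an RBAC assignment.

```powershell
# Added example, not from the deck: open a remote session from a workstation with
# no Exchange binaries and inspect what the RBAC-restricted runspace exposes.
# The server name is an assumed placeholder.
$server = "ex2010.contoso.com"
$cred   = Get-Credential

# Kerberos (the default) keeps the password off the wire; the connection is HTTPS,
# so the server certificate must chain to a CA the client trusts. Basic
# authentication only belongs on HTTPS and only where the virtual directory enables it.
$rs = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://$server/PowerShell/" `
    -Credential $cred -Authentication Kerberos

# Import-PSSession returns the implicit-remoting module; its exported functions are
# the cmdlets RBAC made visible to this user. No Exchange code runs locally.
$module  = Import-PSSession $rs -AllowClobber
$visible = $module.ExportedFunctions.Keys | Sort-Object

Write-Output ("RBAC exposed " + $visible.Count + " cmdlets to " + $cred.UserName)
$visible | Where-Object { $_ -like "*-Mailbox" } | ForEach-Object { Write-Output "  $_" }

# Parameters are filtered too: a parameter RBAC stripped from the role entry is
# absent from the local proxy function, not merely rejected at call time.
if ($visible -contains "Set-Mailbox") {
    $params = (Get-Command Set-Mailbox).Parameters.Keys
    Write-Output ("Set-Mailbox parameters available: " + $params.Count)
}

# Tear the session down; idle Exchange runspaces count against per-user throttling.
Remove-PSSession $rs
```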

Role Based Access Control: RBAC used as the permissions model; enables the definition of broad or precise roles and assignments, based on the actual roles administrators perform

Exchange Control Panel: provides a new way to administer subsets of Exchange features; provides a great self-provisioning portal

Remote PowerShell: uses familiar Exchange cmdlets; allows administration without the Exchange management tools; provides firewall-friendly management access
