Content
• Introduction
• Supported coexistence scenarios
• Upgrade and coexistence Exchange 2003
• Upgrade and coexistence Exchange 2007
Introduction
Exchange version (mainstream support phase / extended support phase)
• Exchange Server 5.5: 12/31/2003 / 1/10/2006
• Exchange 2000 Server: 12/31/2005 / 1/11/2011
• Exchange Server 2003: 4/14/2009 / 4/8/2014
• Exchange 2007: 4/10/2012 / 4/11/2017
Source: http://support.microsoft.com/lifecycle
Supported Coexistence Scenarios
Exchange version (Exchange organization coexistence)
• Exchange Server 5.5: Not supported
• Exchange 2000 Server: Not supported
• Exchange Server 2003: Supported
• Exchange 2007: Supported
• Mixed Exchange 2007 and Exchange Server 2003 organization: Supported
In-Place Upgrade NOT possible!
General Prerequisites
Exchange
◦ Exchange 2003 SP2
◦ Exchange 2007 SP2
◦ Exchange organization in native mode
Active Directory
◦ In every site 1 Global Catalog, Windows Server 2003 SP2 or later
◦ At least Windows Server 2003 forest functionality mode
◦ Schema Master Windows Server 2003 SP2 or later
Planning Roadmap for Upgrade and Coexistence
Be aware of new features
Be aware of dropped features
Understanding coexistence
◦ Management interfaces
◦ Server role features
◦ Routing differences
The order
◦ Active Directory sites
◦ Server roles
New from E2003 to E2007
From 2 server roles to 5 server roles: Client Access, Hub Transport, Edge Transport, Mailbox, Unified Messaging
64-bit only for production
AD Sites replace Routing Groups
Exchange Web Services & Autodiscover
Unified Messaging
New admin tools
New from E2007 to E2010
On-Premise & In-The-Cloud
High Availability solution for mailboxes is Database Availability Groups (DAG)
RPC Client Access Service
Management Tools (Exchange Binaries) are 64-bit only
Exchange 2003 Dropped Features
Routing groups
Administrative groups
Link state routing
Exchange Installable File System (ExIFS)
Event service
ExMerge
Outlook Mobile Access (OMA)
Network News Transfer Protocol (NNTP)
Exchange 2007 Dropped Features
Local Continuous Replication
Fax services
Single copy clusters (SCC) and along with them:
◦ Shared storage
◦ Pre-installing a cluster
Clustered mailbox servers
◦ Running setup in cluster mode
◦ Moving a clustered mailbox server
Storage groups
◦ Properties moved to database objects
Two copy limitation of CCR
Streaming Backup
WebDAV, ExOLEDB, CDOEx (“Entourage EWS” uses EWS)
Supported Client Access Methods
Desktop
◦ Microsoft Office Outlook 2003 and later
◦ POP/IMAP
◦ Entourage
Web
◦ Internet Explorer
◦ Mozilla
◦ Safari
Mobile
◦ EAS + Third-Party vendors
Management Interfaces
Active Directory partitions managed: Domain Partition, Configuration Partition, Schema Partition
• Exchange 2003: ADUC / ESM (domain partition), ESM (configuration partition)
• Exchange 2007: EMS / EMC
• Exchange 2010: EMS / EMC / ECP, with RBAC
Management Console Interoperability
Actions that create new objects, such as new mailboxes or a new Offline Address Book, can only be performed on a version of the Exchange Management Console that is the same as the target object.
Exchange 2007 Mailbox databases cannot be managed from the Exchange 2010 Management Console, although these databases can be viewed.
Exchange 2010 Management Console can't enable or disable Exchange 2007 Unified Messaging mailboxes.
Exchange 2010 Management Console can't manage Exchange 2007 mobile devices.
Actions that require management can be performed on Exchange 2007 objects from the Management Console in Exchange Server 2010. These actions cannot be performed from the Management Console in Exchange 2007 on objects from Exchange Server 2010.
Management Console Interoperability (continued)
Actions that require viewing of objects can be performed from any version of the Exchange Management Console to any version of Exchange objects with a few exceptions.
Exchange 2007 and Exchange 2010 transport rule objects can only be viewed from the corresponding version of the Exchange Management Console.
Exchange 2007 and Exchange 2010 servers can only be viewed from their corresponding version of the Exchange Management Console.
Exchange 2010 Management Console's Queue Viewer tool can't connect to an Exchange 2007 server to view queues or messages.
Upgrade Step-by-Step
Start = internet accessible Active Directory sites first
Step 1. Upgrade existing servers to SP2
Step 2. Deploy E2010 servers
◦ CAS first, MBX last
◦ Start with a few, add more as you move mailboxes
Step 3. Legacy hostname for old FE/CAS
◦ SSL cert purchase
◦ End Users don’t see this hostname
◦ Used when autodiscover and redirection from CAS 2010 tell clients to talk to FE2003/CAS2007 for MBX2003/MBX2007 access
Step 4. Move
◦ Internet hostnames to CAS2010
◦ UM phone numbers to UM 2010
◦ SMTP end point to HUB 2010
Step 5. Move Mailboxes
Step 6. Decommission old servers
Upgrade internal sites second (repeat same steps)
Certificates ...
Best practice: minimize the number of certificates
◦ 1 certificate for all CAS servers + reverse proxy + Edge/HUB
◦ Use “Subject Alternative Name” (SAN) certificate which can cover multiple hostnames
Wildcard Certificates
◦ Yes
◦ But: Windows Mobile 5 + Outlook Anywhere
Certificate Wizard in E2010
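The single-SAN-certificate practice above, as an added Exchange Management Shell example (not from the deck): one request covers the new external name, Autodiscover and the legacy hostname, the issued certificate is bound to IIS and SMTP, and a final check confirms every name is actually in the SAN. The hostnames, the O/C values in the subject and the C:\certs paths are assumed placeholders.

```powershell
# Added example (not from the original deck): request one SAN certificate that covers
# every Client Access hostname, bind it to IIS and SMTP, and verify the coverage.
# Hostnames and file paths below are assumed placeholders for contoso.com.
$hostnames = @(
    "mail.contoso.com",          # external OWA/EAS/EWS/OAB name on CAS2010
    "autodiscover.contoso.com",  # Autodiscover
    "legacy.contoso.com"         # legacy FE2003/CAS2007 redirect target
)

# Generate a certificate signing request (CSR) whose SAN lists all names.
# -PrivateKeyExportable lets the same certificate be exported to the other
# CAS servers, the reverse proxy and Edge/HUB (the "1 certificate" practice).
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$($hostnames[0]), O=Contoso, C=US" `
    -DomainName $hostnames `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certs\cas2010.req" -Value $csr   # path is an assumption

# After the CA issues the certificate, import it and enable it for the services
# the CAS exposes. Enable-ExchangeCertificate binds by thumbprint.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\certs\cas2010.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# Verify: every hostname must appear in CertificateDomains. A name missing here
# is what produces certificate warnings in Outlook and on mobile devices.
$bound   = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$missing = $hostnames | Where-Object { $bound.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning ("Not covered by SAN: " + ($missing -join ", ")) }
$bound | Format-List Subject, CertificateDomains, Services, NotAfter
```

Run the verification part again after exporting the certificate to the reverse proxy: the SAN list is fixed at request time, so a hostname forgotten here means a new request, not a configuration change.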
Transition to E2010 CAS
1. Configure reverse proxy or external DNS
◦ Point legacy.contoso.com to FE2003/CAS2007
2. Transition from E2003: Ensure OWA can redirect user to correct URL
◦ Configure Exchange2003URL parameter on CAS2010 OWA virtual directory (https://legacy.contoso.com/exchange)
3. Test before switching over
◦ Legacy.contoso.com works for Internet Access
◦ Use the Exchange Remote Connectivity Analyzer
4. Transition from E2007: Tell CAS2010 how to send users to CAS2007:
◦ Configure externalURL parameters on CAS2007 virtual directories (OWA, EAS, EWS, OAB etc.) to point to legacy URL
◦ Test that CAS2010 is redirecting/proxying to CAS2007
5. Configure reverse proxy or DNS
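Steps 2 and 4 above as shell commands, added here as an example (not the deck's own code): the CAS2010 OWA directory gets both its external URL and the Exchange2003URL, the CAS2007 virtual directories are pointed at the legacy name, and a final listing shows what each server advertises before DNS or the reverse proxy is switched. Server names CAS01/CAS07, the contoso.com hostnames, and the assumption that the CAS2007 lines are run from the Exchange 2007 shell are all mine.

```powershell
# Added example (not from the original deck): configure the legacy redirect on
# CAS2010 and the legacy external URLs on CAS2007, then review both servers.
# Server and host names are assumed placeholders.
$cas2010     = "CAS01"                         # Exchange 2010 Client Access server
$cas2007     = "CAS07"                         # Exchange 2007 Client Access server
$externalUrl = "https://mail.contoso.com"      # new Internet name, moves to CAS2010
$legacyUrl   = "https://legacy.contoso.com"    # points at FE2003/CAS2007

# Transition from E2003: CAS2010 OWA sends users whose mailbox is still on
# MBX2003 to the legacy FE2003 URL (/exchange is the Exchange 2003 OWA path).
Set-OwaVirtualDirectory -Identity "$cas2010\owa (Default Web Site)" `
    -ExternalUrl "$externalUrl/owa" `
    -Exchange2003Url "$legacyUrl/exchange"

# Transition from E2007: CAS2010 redirects or proxies to CAS2007 using the
# ExternalUrl of the CAS2007 virtual directories, so each one must carry the
# legacy name. Assumed to be run from the Exchange 2007 Management Shell.
Set-OwaVirtualDirectory         -Identity "$cas2007\owa (Default Web Site)" -ExternalUrl "$legacyUrl/owa"
Set-ActiveSyncVirtualDirectory  -Identity "$cas2007\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl "$legacyUrl/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$cas2007\EWS (Default Web Site)" -ExternalUrl "$legacyUrl/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$cas2007\OAB (Default Web Site)" -ExternalUrl "$legacyUrl/OAB"

# Test before switching over: the legacy name should appear only on the old
# server and the new name only on CAS2010. Mixed values here mean clients will
# be bounced between the two.
foreach ($srv in $cas2010, $cas2007) {
    Get-OwaVirtualDirectory -Server $srv | Format-Table Server, ExternalUrl, Exchange2003Url -AutoSize
}
```

Pair this listing with the Remote Connectivity Analyzer test the deck recommends: the shell shows what is configured, the analyzer shows what an Internet client actually receives through the reverse proxy.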
Transition to E2010 HUB
Step 1. Upgrade existing E2003 and E2007 servers to SP2
Step 2. Install HUB and MBX 2010
Step 3. Switch Edgesync + SMTP to go to HUB2010
Step 4. Install Edge2010
Step 5. Switch internet email submission to Edge2010
Transport connectivity between versions:
◦ HUB2007 - HUB2010: SMTP
◦ HUB2007 - MBX2007: RPC
◦ HUB2007 - MBX2010: NO
◦ HUB2010 - MBX2007: NO
◦ HUB2010 - MBX2010: RPC
◦ EDGE2010 - HUB2007 SP1: EdgeSync Yes
Transition to UM2010
No OCS
Step 1. Introduce UM2010 to existing dial plan
Step 2. Route IP GW/PBX calls to UM2010 for dial plan
Step 3. Remove UM2007 after UM-enabled mailboxes have been moved
With OCS
Step 1. Introduce UM2010 with new dial plan
Step 2. Remove UM2007 after UM-enabled mailboxes have been moved
Move Mailboxes: Online & Offline
Online = minimal user disruption (briefly disconnected as recently received messages are copied over)
Online:
◦ E2007 SP2, E2010 -> E2010, Exchange Online
Offline:
◦ E2003 -> E2010
◦ E2010 -> E2003/E2007
Exchange Deployment Assistant
http://technet.microsoft.com/en-us/exdeploy2010/default(EXCHG.140).aspx#Home
Agenda
• Exchange 2010 High Availability Fundamentals
• High Availability Management
• Storage Improvements
• End-to-End Availability Improvements
• High Availability Design Examples
High Availability Improvements
Key benefits
• Improved failover granularity, simplified administration, incremental deployment, unification of CCR + SCR, easy stretching across sites, up to 16 replicated copies
◦ Easier & cheaper to deploy; easier & cheaper to manage; better SLAs; improved mailbox uptime
• Further IO reductions, RAID-less / JBOD support
◦ Reduced storage costs; larger mailboxes; more storage flexibility
• Improved transport resiliency, online mailbox moves
◦ Easier & cheaper to manage; better SLAs; better end-to-end availability
Unified Platform for High Availability and Disaster Recovery
• Evolution of Continuous Replication technology
• Combines the capabilities of CCR and SCR into one platform
• Easier than traditional clustering to deploy and manage
• Allows each database to have up to 16 replicated copies
• Provides full redundancy of Exchange roles on two servers
[Figure: three Mailbox Servers in San Jose and Dallas, each holding copies of DB1–DB5; recover quickly from disk and database failures; replicate databases to remote datacenter]
Exchange 2010 High Availability Overview
• Failover managed within Exchange
• Easy to stretch across sites
• All clients connect via CAS servers
• Database centric failover
[Figure: Client -> Client Access Server -> Database Availability Group of Mailbox Server 1–6 across AD sites Dallas and San Jose, each server holding copies of DB1–DB5]
High Availability Fundamentals
Database Availability Group (DAG)
Mailbox Servers
Mailbox Database
Database Copy
Active Manager
• RPC Client Access Service (Active Manager Client)
[Figure: a Database Availability Group of three Mailbox Servers, each running Active Manager and holding copies of DB1–DB3; clients reach the active copy through the RPC Client Access Service, which acts as the Active Manager client]
Exchange 2010 HA Fundamentals: Database Availability Group (DAG)
• Group of up to 16 servers
• Wraps a Windows Failover Cluster
• Defines the boundary of replication and failover/switchover
Mailbox Servers ….
• Host the active and passive copies of multiple mailbox databases
• Support up to 100 Databases per server
Exchange 2010 HA Fundamentals: Mailbox Databases and Copies
Mailbox Database
◦ Unit of Failover/Switchover
◦ 30 second Database Failover/Switchover
◦ Database names are unique across a forest
Mailbox Database Copy
◦ A database has 1 Active copy in a DAG
◦ A server may not host more than 1 copy of a given database
◦ Replication of copies using Log Shipping
◦ System tracks health of each copy
Exchange 2010 HA Fundamentals: Mailbox Database Copy Status
• Healthy
• Initializing
• Failed
• Suspended
• Resynchronizing
• Seeding
• ActivationSuspended
• Mounted
• Dismounted
• Disconnected
• FailedandSuspended
Exchange Server 2010 HA Fundamentals: Log Shipping
Log shipping in Exchange Server 2010 leverages TCP sockets
◦ Supports encryption and compression
Target Replication service notifies the active instance of the next log file it expects
Source Replication service responds by sending the required log file(s)
Copied log files are placed in the target’s Inspector directory
Validation tests are performed prior to log replay
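The copy states and the log-shipping pipeline above are what an operator needs to watch. As an added Exchange Management Shell example (not from the deck), the script below reports every copy in a DAG with its status, its copy queue (logs the source has not yet shipped) and its replay queue (logs shipped but not yet replayed), and exits non-zero when anything falls outside the expected states. The DAG name, the queue thresholds and the use of ContentIndexState are my assumptions.

```powershell
# Added example (not from the original deck): health report for all database
# copies in a DAG. DAG name and thresholds are assumed placeholders.
$dagName        = "DAG1"
$maxCopyQueue   = 10    # log files the target still expects from the source
$maxReplayQueue = 50    # log files inspected but not yet replayed into the copy
$okStates       = @("Mounted", "Healthy")   # the active copy and an up-to-date passive copy

$report = foreach ($server in (Get-DatabaseAvailabilityGroup -Identity $dagName).Servers) {
    foreach ($copy in Get-MailboxDatabaseCopyStatus -Server $server) {
        $issues = @()
        if ($okStates -notcontains $copy.Status)         { $issues += "status=$($copy.Status)" }
        if ($copy.CopyQueueLength -gt $maxCopyQueue)     { $issues += "copy queue=$($copy.CopyQueueLength)" }
        if ($copy.ReplayQueueLength -gt $maxReplayQueue) { $issues += "replay queue=$($copy.ReplayQueueLength)" }
        if ($copy.ContentIndexState -ne "Healthy")       { $issues += "index=$($copy.ContentIndexState)" }  # assumed property
        New-Object PSObject -Property @{
            Copy          = $copy.Name                 # "DB1\MBX2"
            Status        = $copy.Status
            CopyQueue     = $copy.CopyQueueLength
            ReplayQueue   = $copy.ReplayQueueLength
            LastInspected = $copy.LastInspectedLogTime  # last log that passed the Inspector checks
            Issues        = ($issues -join "; ")
        }
    }
}

$report | Sort-Object Copy | Format-Table Copy, Status, CopyQueue, ReplayQueue, LastInspected, Issues -AutoSize

# Non-zero exit lets a scheduled task or monitoring agent raise an alert.
if ($report | Where-Object { $_.Issues }) { exit 1 }
```

A growing copy queue with a healthy status usually means the network between the DAG members, not the database; a growing replay queue with an empty copy queue points at the target server's disks.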
Exchange 2010 HA Fundamentals: Active Manager
• High Availability’s Brain
• Manages which database copies should be active and passive
• Source of definitive information on where a database is active and mounted
◦ Active Directory is primary source for configuration information
◦ Active Manager is primary source for changeable state information such as active and mounted
• A process that runs on every server in DAG
Exchange 2010 HA Fundamentals: Active Manager Selection of Active Database Copy
• Active Manager selects the “best” copy to become active when the active copy fails
1. Ignores servers that are unreachable or where activation is temporarily or regularly blocked
2. Sorts copies by currency
3. Breaks ties during the sort based on Activation Preference
4. Selects from the sorted list based on the copy status of each copy
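The four steps above as an added PowerShell model (not from the deck and not Active Manager's code): the function applies them in order to constructed copy records, so the effect of a blocked server, a stale copy and a non-healthy status can be seen separately. The record layout (Server, Status, LogsBehind, ActivationPreference, ActivationBlocked), the choice of "logs behind" as the currency measure and the rule that only Healthy copies qualify at step 4 are simplifications I have assumed; the real service weighs more criteria.

```powershell
# Added example (not from the original deck): a simplified model of Active
# Manager's best-copy selection over constructed copy records.
function Select-BestCopy {
    param([object[]]$Copies, [string[]]$UnreachableServers = @())

    $candidates = $Copies |                                                                   # all copies of one database
        Where-Object { $UnreachableServers -notcontains $_.Server -and -not $_.ActivationBlocked } | # 1. drop unreachable/blocked servers
        Sort-Object -Property @{Expression="LogsBehind"; Ascending=$true}, @{Expression="ActivationPreference"; Ascending=$true}
        # 2. most current copy first (fewest logs behind); 3. ties broken by Activation Preference (lower wins)

    # 4. walk the sorted list and take the first copy whose status allows activation.
    $activatable = @("Healthy")        # modelled: only Healthy copies qualify
    foreach ($c in $candidates) {
        if ($activatable -contains $c.Status) { return $c }
    }
    return $null                       # no copy can be activated: the database stays down
}

# Constructed sample: DB1's active copy on MBX1 has failed and MBX1 is unreachable.
$db1Copies = @(
    (New-Object PSObject -Property @{Server="MBX1"; Status="Failed";          LogsBehind=0;  ActivationPreference=1; ActivationBlocked=$false}),
    (New-Object PSObject -Property @{Server="MBX2"; Status="Healthy";         LogsBehind=0;  ActivationPreference=3; ActivationBlocked=$false}),
    (New-Object PSObject -Property @{Server="MBX3"; Status="Healthy";         LogsBehind=0;  ActivationPreference=2; ActivationBlocked=$true}),   # in maintenance
    (New-Object PSObject -Property @{Server="MBX4"; Status="Resynchronizing"; LogsBehind=12; ActivationPreference=4; ActivationBlocked=$false})
)

$best = Select-BestCopy -Copies $db1Copies -UnreachableServers @("MBX1")
if ($best) { "Activate DB1 on $($best.Server)" } else { "No activatable copy of DB1" }
```

In the sample, MBX3 has the better preference but is excluded at step 1, and MBX4 is both behind and not Healthy, so steps 2 and 4 both count against it; changing ActivationBlocked on MBX3 or LogsBehind on MBX4 shows which rule decides.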
Exchange 2010 HA Fundamentals: Client Access
[Figure: Outlook Clients connect through an Exchange CAS NLB array to Mailbox servers MBX1 and MBX2]
Failover: connected client disconnected for 30 seconds
CAS Failure: client just reconnects
Incremental Deployment
Easy to add high availability to existing deployment
High availability configuration is post-setup
HA Mailbox servers can host other Server Roles
[Figure: a Database Availability Group of Mailbox Server 1 and 2 in Datacenter 1 and Mailbox Server 3 in Datacenter 2, each holding copies of DB1–DB3]
Reduces cost and complexity of HA deployments
Creating a Database Availability Group: Exchange Management Shell
Create DAG: New-DatabaseAvailabilityGroup
Add servers to a DAG: Add-DatabaseAvailabilityGroupServer
Add database copies to a server in a DAG: Add-MailboxDatabaseCopy
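The three cmdlets above in sequence, as an added example (not the deck's own code): a two-member DAG with a file share witness, both Mailbox servers joined, a second copy of one database added with an explicit activation preference, and a status check at the end. DAG1, MBX1/MBX2, DB1, the witness host FSW01 and its directory are assumed placeholders.

```powershell
# Added example (not from the original deck): build a two-member DAG, add a
# passive database copy and confirm it is replicating. All names are assumed.
$dag     = "DAG1"
$members = "MBX1", "MBX2"
$witness = "FSW01"    # a Hub Transport or other non-DAG server in the same site

# 1. Create the DAG. With an even number of members the witness server breaks
#    quorum ties; Exchange creates the witness directory on that server.
New-DatabaseAvailabilityGroup -Name $dag -WitnessServer $witness -WitnessDirectory "C:\DAG1_FSW"

# 2. Add each Mailbox server. This installs Windows Failover Clustering on the
#    server and joins it to the cluster that the DAG wraps.
foreach ($m in $members) {
    Add-DatabaseAvailabilityGroupServer -Identity $dag -MailboxServer $m
}

# 3. Add a passive copy of DB1 (active on MBX1) on MBX2. The copy is seeded from
#    the active copy and then kept current by log shipping. ActivationPreference 2
#    is the tie-breaker Active Manager uses when copies are equally current.
Add-MailboxDatabaseCopy -Identity "DB1" -MailboxServer "MBX2" -ActivationPreference 2

# Check: both copies should be listed, one Mounted (active) and one Healthy
# (passive) with empty copy and replay queues once seeding has finished.
Get-MailboxDatabaseCopyStatus -Identity "DB1\*" |
    Format-Table Name, Status, ActivationPreference, CopyQueueLength, ReplayQueueLength -AutoSize
```

Because HA is configured post-setup, nothing in this sequence touches the existing DB1 beyond adding a copy; the database stays mounted and serving users throughout.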
Simplified Management
HA Administration within Exchange
Recovery uses the same simple operation for a wide range of failures
Simplified activation of Exchange services in a standby datacenter
Reduces cost and complexity of management
Managing Availability in the Exchange Management Console
1. Select a database
2. View locations and status of replicated copies
3. Take action (add copies, change master, etc.)
[Screenshot: Exchange Management Console showing DB1–DB3 and the status of their copies]
Exchange Server 2010 Backups
• Use a VSS backup solution
• Backup from any copy of the database/logs
• Always choose Passive (or Active) copy
• Backup an entire server
• Designate a dedicated backup server for a given database
• Restore from any of these backups
[Figure: a VSS requestor backing up DB1 from one of Mailbox Server 1–3 in the Database Availability Group]
Exchange 2010 Storage Enhancements
• 70% reduction in IOPS
• Smoother IO patterns
• Resilience against corruption
Storage Improvements: Performance Enhancements Enable New Options
[Chart: Read IOPS and Write IOPS for Ex 2003, Ex 2007 and Ex 2010, alongside the storage options they enable: Storage Area Network (SAN), Direct Attached w/ SAS Disks, Direct Attached w/ SATA Disks, JBOD SATA (RAID-less)]
Choose from a wide range of storage technologies without sacrificing system availability.
Lowering Exchange 2010 Storage Costs
• Optimized for DAS storage
• Use larger, slower, cheaper disks
• Support larger mailboxes at lower cost
• HA provides resilience from disk failures
• HA Solution remains unchanged regardless of data volume size
• JBOD/RAID-less storage now an option
• Requires 3+ DB Copies
Exchange 2010 Cost Savings
• Storage flexibility
• Simplified management
• Simplified site resilience
• All server roles on one server (Small deployments)
Storage Cost savings examples
Server/Storage Capex $/Mailbox (3000 Mailboxes, 2 Node Cluster)
• E2003 SCC (FC SAN): $27 per mailbox (500 MB); 2 GB: $0 (not charted)
• E2007 CCR (SAS DAS): $19 per mailbox (500 MB), $34 per mailbox (2 GB)
• E2010 DAG (SATA DAS): $13 per mailbox (500 MB), $21 per mailbox (2 GB)
Hardware Capex $/Mailbox (2 GB), 24,000 Mailboxes
• E2007 CCR (SAS DAS), 4 x 2 Node CCR, 2 copies (RAID): $32 per mailbox
• E2010 DAG (SATA DAS), 6 Node DAG, 3 copies (JBOD): $8 per mailbox
Double Server/Disk Failure Resiliency
Improved Transport Resiliency
Automatic Protection Against Loss of Queued Emails Due to Hardware Failure
[Figure: message path Mailbox Server -> Hub Transport -> Edge Transport -> Edge Transport, with one hop marked as failed (X)]
• Servers keep “shadow copies” of items until they are delivered to the next hop
• Simplifies Hub and Edge Transport Server upgrades and maintenance
Online Move Mailbox
Limit User Disruption During Mailbox Moves And Maintenance
[Figure: E-Mail Client connected through a Client Access Server while its mailbox moves from Mailbox Server 1 to Mailbox Server 2]
• Users remain online while their mailboxes are moved between servers: sending messages, receiving messages, accessing entire mailbox
• Administrators can perform migration and maintenance during regular hours
• Also can be used to migrate users from on-premise server to Exchange Online
• Exchange 2010 & Exchange 2007 SP2: Online
• Exchange 2003: Offline
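The online move described here and on the earlier "Move Mailboxes: Online & Offline" slide, as one added Exchange Management Shell example (not from the deck): every mailbox on a source database gets a move request under a common batch name, the script waits until the batch has finished, and only the completed requests are cleared so failed ones remain for review. The source and target database names, the batch name and the bad-item limit are my assumptions.

```powershell
# Added example (not from the original deck): queue online moves for a whole
# source database, wait for the batch, and report. Names are assumed placeholders.
$sourceDb = "MBX2007-SG1-DB1"   # Exchange 2007 SP2 or 2010 source database
$targetDb = "DB1"               # Exchange 2010 target database
$batch    = "Move-Batch-2010"

# Online move: the user stays connected while the Mailbox Replication Service
# on CAS2010 copies the mailbox; the brief disconnect happens only at the end.
# -BadItemLimit keeps a few corrupt items from failing the whole mailbox.
foreach ($mbx in Get-Mailbox -Database $sourceDb -ResultSize Unlimited) {
    New-MoveRequest -Identity $mbx.Identity -TargetDatabase $targetDb -BatchName $batch -BadItemLimit 10
}

# Poll until no request in the batch is still in progress.
$finished = @("Completed", "CompletedWithWarning", "Failed")
do {
    Start-Sleep -Seconds 60
    $stats  = @(Get-MoveRequest -BatchName $batch | Get-MoveRequestStatistics)
    $active = @($stats | Where-Object { $finished -notcontains $_.Status })
    Write-Host ("{0} of {1} moves still running" -f $active.Count, $stats.Count)
} while ($active.Count -gt 0)

$stats | Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered, TotalMailboxSize -AutoSize

# Clear completed requests so the batch name can be reused; failed and
# warning-state requests are kept so their reports can be examined.
Get-MoveRequest -BatchName $batch -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
```

Because the move is online, this can run during business hours as the deck states; the polling interval only affects how quickly the batch summary updates, not the users.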
High Availability Design Example: Branch Office or Smaller Deployment
[Figure: two servers, CAS/HUB/MAILBOX 1 and CAS/HUB/MAILBOX 2, behind a Hardware Load Balancer, each holding copies of DB1–DB3]
Mailbox servers in a DAG can host other Exchange server roles
2 server configurations should always use RAID
High Availability Design Example: Double Resiliency
Single Site, 4 Nodes, 3 HA Copies, JBOD -> 3 physical Copies
[Figure: AD site Dublin; a CAS NLB Farm in front of a Database Availability Group (DAG) of Mailbox Server 1–4 holding DB1–DB8 with three copies each; sequence shown: upgrade server 1, server 2 fails, server 1 upgrade is done, 2 active copies die]
Site Resilience: Datacenter Failover: Basics
• Customers can evolve to site resilience: Standalone -> Local Redundancy -> Site Resilience
• Keep extending the DAG
• No single subnet requirements
• Normal administration remains unchanged
• Disaster recovery usually requires manual intervention
• Standby datacenter is "always live"
High Availability for Other Server Roles
• Client Access: Hardware load balancer (recommended) or Windows Network Load Balancing (NLB)
• Hub Transport: No special configuration required (load balancing and failover is automatic)
• Edge Transport: Use DNS round robin, Multiple MX records
• Unified Messaging: Configure IP gateway to point to more than one UM server
Summary: Exchange 2010 High Availability
• Easier & Cheaper to deploy
• Simplified Administration
• Granular failover & recovery
• Better End-to-End Availability
• One Technology for both High Availability and Site Resilience
Exchange 2010 Investments: Simplify Administration
• Empower Specialist Users to Perform Specific Tasks with Role-based Administration
− Compliance Officer - Conduct Mailbox Searches for Legal Discovery
− HR Officer - Update Employee Info in Company Directory
• Lower Support Costs Through New User Self-Service Options
− Track Status of sent messages
− Create and Manage Distribution Lists
The annual cost of helpdesk support staff for e-mail systems with 7,500 mailboxes is approximately $20/mailbox. This cost goes up the smaller the organization. (“Email Support Staff Requirements and Costs: A Survey of 136 Organizations”, Ferris Research, June 2008).
Exchange 2010 Management: What's New?
• New Exchange Management Console features
• Exchange Control Panel (ECP)
− New and simplified web based management console
− Targeted for end users, hosted tenants, and specialists
• Role Based Access Control (RBAC)
− New authorization model
− Easy to delegate and customize
− All Exchange management clients (EMS, EMC, ECP) use RBAC
• Remote PowerShell
− Manage Exchange remotely using PowerShell v2.0
− Note: No more local PowerShell, it's all remote in Exchange 2010
Exchange Management Console (EMC): Improvements
• Built on Remote PowerShell and RBAC
• Multiple Forest Support
• Cross-premises Exchange Management
− Including Mailbox Moves
• Recipient Bulk Edit
• PowerShell Command Logging
• New feature support
− For Example: High Availability
Exchange Control Panel (ECP): What is it?
• A browser based Management client for end users, administrators, and specialists
• Simplified user experience for common management tasks
• Accessible directly via URL, OWA & Outlook 14
• Deployed as a part of the Client Access Server role
• RBAC aware
Exchange Control Panel: Who will use it?
• Specialists
− Administrators can delegate to specialists, e.g. Help Desk Operators, Department Administrators, and eDiscovery Administrators
• End Users
− Comprehensive self service tools for End Users
• Hosted Customers
− Tenant Administrators
Exchange Control Panel: What It Looks Like
[Screenshot: ECP layout with Primary Navigation, UI Scope Control, Secondary Navigation and Slab areas]
ECP Architecture Overview
High Level View
◦ AJAX-based
◦ Shares some code with OWA, but two separate applications
◦ Deployed on Client Access Server
◦ ECP -> ASP.Net -> RBAC -> PowerShell
◦ Authentication: Windows Integrated, Basic, Forms Based
Browser support - Same as OWA premium
◦ IE
◦ Firefox
◦ Safari
[Figure: Web Browser (ECP Client Library, AJAX) -> Client Access Server: HTTP.SYS (IIS) -> LiveId/FBA Auth -> ECP Server Library -> RBAC -> PowerShell -> Exchange Cmdlets]
ECP Architecture Overview: Role Based Access Control
• Users shouldn't have access to message tracking
◦ Message tracking tab doesn't show up in ECP
• Users can edit mailboxes, but not create new ones
◦ "New Mailbox" button hidden
• Users can edit display name but not Department
◦ Department field visible but read-only
RBAC in Exchange 2010
• RBAC has replaced the permission model used in Exchange 2007
• Your “role” is defined by “what you do”
• Define precise or broad roles and assignments based on the tasks that need to be performed
• Includes Self Administration
• Used by EMC, EMS and ECP
Who can do What… and Where?
[Diagram: Who (Admins via RoleGroup/USG, End-Users via Role Assignment Policy) -> Role Assignment -> What (a Role made of Role Entries, each a Cmdlet with its allowed parameters Param1, Param2, Param3) and Where (Recipient Read Scope, Recipient Write Scope, Configuration Read Scope, Configuration Write Scope)]
Role Assignment
New-ManagementRoleAssignment / Get-ManagementRoleAssignment / Set-ManagementRoleAssignment / Remove-ManagementRoleAssignment
Add-RoleGroupMember / Remove-RoleGroupMember
New-RoleAssignmentPolicy / Remove-RoleAssignmentPolicy
RoleGroup / USG
Role Groups and their assigned roles:
• OrganizationManagement: <All Roles>
• ViewOnlyOrgManagement: <All Roles View-Only>
• RecipientManagement: PasswordManagement, MailRecipientManagement, DistributionGroupManagement, …
• UMManagement: UMServerManagement, UMRecipientManagement, …
• DiscoveryManagement: MailboxSearchManagement, LegalholdManagement
New-RoleGroup / Set-RoleGroup / Get-RoleGroup / Remove-RoleGroup
New-ManagementRoleAssignment -Name Sales-RecipMgt … -RecipientOrganizationalUnitScope "OU=Sales,CN=Users…"
New-ManagementScope -Name Sales-Recipients -RecipientRestrictionFilter "(Department -eq 'Sales')"
New-ManagementScope -Name Euro-Servers -ServerRestrictionFilter "(Name -like 'EuroMBX*')"
New-ManagementScope -Name VIP-Recipients -RecipientRestrictionFilter "((Title -eq 'CEO') -or (Title -eq 'CIO'))" -Exclusive
• Exclusive scopes take effect immediately
• Access is granted through Role Assignment to an Exclusive Scope
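The two scope types above put to use, as an added example (not the deck's own code): a regular recipient scope limits a helpdesk group's Mail Recipients role to one department, an exclusive scope fences off the executives, and Get-ManagementRoleAssignment -WritableRecipient is used to confirm which assignments can actually modify a given mailbox. The group names, the mailbox addresses and the department/title values are assumed placeholders.

```powershell
# Added example (not from the original deck): regular and exclusive recipient
# scopes with a verification step. Group and recipient names are assumed.
$helpdesk = "Sales Helpdesk"     # universal security group or role group (assumed)
$vipAdmins = "VIP Admins"        # group allowed to touch executive mailboxes (assumed)

# Regular scope: a filter on recipient properties, evaluated at run time, so a
# user whose Department changes leaves or enters the scope automatically.
New-ManagementScope -Name "Sales-Recipients" -RecipientRestrictionFilter "(Department -eq 'Sales')"

# Assign the built-in Mail Recipients role to the helpdesk, writable only inside that scope.
New-ManagementRoleAssignment -Name "Sales-MailRecipients" -SecurityGroup $helpdesk `
    -Role "Mail Recipients" -CustomRecipientWriteScope "Sales-Recipients"

# Exclusive scope: as soon as it exists, recipients matching it can be modified
# only through assignments that target this exclusive scope, even where another
# assignment's regular scope (such as Sales-Recipients) also covers them.
New-ManagementScope -Name "VIP-Recipients" -Exclusive `
    -RecipientRestrictionFilter "((Title -eq 'CEO') -or (Title -eq 'CIO'))"
New-ManagementRoleAssignment -Name "VIP-MailRecipients" -SecurityGroup $vipAdmins `
    -Role "Mail Recipients" -ExclusiveRecipientWriteScope "VIP-Recipients"

# Verify: which assignments can write each mailbox? The CEO mailbox should list
# only the exclusive assignment; an ordinary Sales mailbox only the regular one.
foreach ($recipient in "ceo@contoso.com", "sales.user@contoso.com") {
    "Assignments able to modify $recipient"
    Get-ManagementRoleAssignment -WritableRecipient $recipient |
        Format-Table Name, Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
}
```

The verification loop is the part to keep around: rerunning it after any new assignment shows immediately whether a regular scope has quietly grown to include a mailbox that was meant to stay exclusive.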
Custom Management Roles
• Custom Roles can be added to suit specific delegation requirements
− Roles are hierarchical, with built-in role at the top
− Role Entries can only be removed from a role
1. Create the management role
2. Change the new role's management role entries (by removing role entries)
3. Create a management scope (if required)
4. Assign the new management role
Custom Management Roles: What does it look like?
New-ManagementRole -Name "eDiscovery-Sales" -Parent DiscoveryManagement
New-ManagementScope -Name "Sales Mailboxes" -DomainRestrictionFilter "(RecipientType -eq 'UserMailbox')" -DomainRoot "OU=Sales,DC=contoso,DC=Com"
New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" -User "USG-Sales eDiscovery Admins" -Role "eDiscovery-Sales" -DomainScopeRestriction "Sales Mailboxes"
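The four-step procedure carried through, including step 2, which the command list above skips: the child role is derived from a built-in role, an entry is removed so the delegation can search but not delete searches, the scope is limited to the Sales OU, and the assignment is checked afterwards. This is an added example, not the deck's code; it uses the RTM cmdlet parameters -RecipientRoot, -RecipientRestrictionFilter and -CustomRecipientWriteScope in place of the slide's names, takes "Mailbox Search" as the parent role, and assumes Remove-MailboxSearch is among that role's entries. The role, scope, group and OU names are placeholders.

```powershell
# Added example (not from the original deck): create, trim, scope and assign a
# custom management role. Names are assumed placeholders.
$role  = "eDiscovery-Sales"
$scope = "Sales Mailboxes"
$group = "USG-Sales eDiscovery Admins"

# Step 1: derive the custom role from a built-in parent. A child starts with all
# of the parent's role entries and can only lose entries, never gain any the
# parent lacks, so pick the narrowest parent that still covers the task.
New-ManagementRole -Name $role -Parent "Mailbox Search"

# Step 2: remove what this delegation must not be able to do. Review first, then
# cut: here the Sales eDiscovery admins may run searches but not delete them.
Get-ManagementRoleEntry "$role\*" | Format-Table Name, Parameters -AutoSize
Remove-ManagementRoleEntry -Identity "$role\Remove-MailboxSearch" -Confirm:$false   # entry name assumed to exist on the parent

# Step 3: scope the role to user mailboxes under the Sales OU only.
New-ManagementScope -Name $scope -RecipientRoot "OU=Sales,DC=contoso,DC=com" `
    -RecipientRestrictionFilter "(RecipientType -eq 'UserMailbox')"

# Step 4: assign the role to the group within that scope.
New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" -SecurityGroup $group `
    -Role $role -CustomRecipientWriteScope $scope

# Check the result: the cmdlets that remain in the role, and the people who
# effectively hold it once group membership is expanded.
Get-ManagementRoleEntry "$role\*" | Select-Object -ExpandProperty Name
Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Format-Table EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope -AutoSize
```

Removing role entries is the only way to make a child role smaller, which is why the review before Remove-ManagementRoleEntry matters: a parameter left on an entry (for example a delete switch) is part of what the delegated group can run.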
RBAC Role Delegation
• Role membership is not a right to delegate
• RoleAssignment Delegation
− Special kind of Role Assignment
− Delegation does not grant role permissions
• RoleGroup Delegation
− Controlled through RoleGroup ownership
− ManagedBy parameter similar to DGs (Multi-Valued)
− Ownership does not grant RoleGroup permissions
RBAC Permissions Reporting: Get-ManagementRoleAssignment
• Effective Roles for a User
• Effective Users by Role/Scope/Group
• Effective permissions to a Writable Object
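The three reports above as small shell functions, added here as an example (not from the deck). Each one is a filtered call to Get-ManagementRoleAssignment with -GetEffectiveUsers, which expands role group membership so that the answer names people rather than groups; the delegation type column distinguishes delegating assignments, which, as the previous slide states, grant no permissions themselves. The user display name, role and scope values in the calls at the end are assumed placeholders.

```powershell
# Added example (not from the original deck): RBAC permission reports built on
# Get-ManagementRoleAssignment. Sample names at the bottom are assumed.

# 1. Effective roles for a user: every assignment, direct or through a role
#    group, under which this person can act. Delegating-only assignments are
#    visible in RoleAssignmentDelegationType and grant no cmdlets.
function Get-EffectiveRolesForUser {
    param([string]$UserDisplayName)
    Get-ManagementRoleAssignment -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $UserDisplayName } |
        Select-Object Role, RoleAssigneeName, RoleAssignmentDelegationType, RecipientWriteScope, CustomRecipientWriteScope, ConfigWriteScope
}

# 2. Effective users for a role, optionally narrowed to one custom write scope:
#    who can actually run that role's cmdlets, and against which recipients.
function Get-EffectiveUsersForRole {
    param([string]$Role, [string]$Scope)
    $assignments = Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers
    if ($Scope) { $assignments = $assignments | Where-Object { $_.CustomRecipientWriteScope -eq $Scope } }
    $assignments | Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope -Unique
}

# 3. Effective permissions to a writable object: everyone whose assignment's
#    write scope includes this recipient. The first report to run when a
#    mailbox changed and nobody admits to it.
function Get-WritersForRecipient {
    param([string]$Recipient)
    Get-ManagementRoleAssignment -WritableRecipient $Recipient -GetEffectiveUsers |
        Select-Object EffectiveUserName, Role, RoleAssigneeName -Unique
}

Get-EffectiveRolesForUser -UserDisplayName "Erik Andersen" | Format-Table -AutoSize
Get-EffectiveUsersForRole -Role "Mail Recipients" -Scope "Sales-Recipients" | Format-Table -AutoSize
Get-WritersForRecipient -Recipient "ceo@contoso.com" | Format-Table -AutoSize
```

The first report walks every assignment in the organization and is the slowest of the three; for a quick answer about one person, the third report against one of their objects is usually enough.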
Remote PowerShell: New management architecture for PowerShell in Exchange 2010
• Allows Role-based Access Control (RBAC) model
− Restricted Runspace allows RBAC to hide cmdlets and parameters
• Client / Server separation
− Remote PowerShell is always used to connect “remotely” to localhost
− Enables firewall and cross-forest scenarios
• “No Binaries” scenarios
− Exchange-cmdlet management from a client machine which does not have Exchange Management Tools (Exchange binaries) installed
Remote PowerShell: How does it work?
[Diagram: the client runspace (PSv2 Client, user Erik) starts with only New-PSSession available; after "New-PSSession -URI https://server.fqdn.com/PowerShell/" IIS on the Exchange Server authenticates Erik, the WSMan + RBAC stack (Authorization, PSv2 RBAC Server Runspace) reads Erik's Role Assignment from Active Directory, and the remote cmdlets available in the client runspace become New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name; "New-Mailbox -Name Bob" then executes on the server and returns the Bob mailbox object in the pipeline]
Remote PowerShell: How Do I Use It?
$UserCredential = Get-Credential
$rs = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<Exchange 2010 servername>/powershell -Credential $UserCredential
Import-PSSession $rs
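The three lines above wrapped into a reusable connection, as an added example (not from the deck): the function opens the RBAC-restricted session, imports it, and reports how many cmdlets the caller's role assignments exposed; the caller then always removes the session so no runspace is left open on the server. The server name ex2010.contoso.com, the choice of Kerberos as default authentication and the assumption that the account is an administrator (so Get-ExchangeServer is visible) are mine.

```powershell
# Added example (not from the original deck): connect to Exchange 2010 over
# Remote PowerShell from a client without the management tools and show the
# effect of RBAC on the imported cmdlet set. Server name is an assumed placeholder.
function Connect-Exchange2010 {
    param(
        [string]$Server = "ex2010.contoso.com",
        [System.Management.Automation.PSCredential]$Credential = (Get-Credential),
        [ValidateSet("Kerberos", "Basic")] [string]$Auth = "Kerberos"
    )
    # /PowerShell is the IIS virtual directory on the Client Access server:
    # IIS authenticates the caller, then WSMan hands the request to the
    # RBAC-restricted server runspace.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "https://$Server/PowerShell/" -Credential $Credential -Authentication $Auth

    # Import-PSSession returns a temporary module. Its exported commands are
    # exactly the cmdlets (and parameters) the caller's role assignments allow;
    # anything RBAC hides simply does not exist on the client.
    $module = Import-PSSession -Session $session -DisableNameChecking
    Write-Host ("Connected to {0}: {1} cmdlets visible to {2}" -f $Server, $module.ExportedCommands.Count, $Credential.UserName)
    return $session
}

$session = Connect-Exchange2010 -Server "ex2010.contoso.com"
try {
    # RBAC in action: a cmdlet the role does not grant is absent, not denied.
    if (Get-Command New-Mailbox -ErrorAction SilentlyContinue) { "New-Mailbox is permitted for this account" }
    else { "New-Mailbox is hidden by RBAC for this account" }

    # Assumes an administrator account; an end user's runspace would not include this cmdlet.
    Get-ExchangeServer | Format-Table Name, ServerRole, AdminDisplayVersion -AutoSize
}
finally {
    Remove-PSSession $session   # release the server-side runspace even if a command above failed
}
```

Because the cmdlet set is shaped by RBAC at import time, the count printed on connect is a quick way to confirm that a newly delegated account received the intended role and nothing more.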
Summary
• Role Based Access Control
− RBAC used as the permissions model
− Enables the definition of broad or precise roles and assignments, based on the actual roles administrators perform
• Exchange Control Panel
− Provides a new way to administer a subset of Exchange features
− Provides a great self provisioning portal
• Remote PowerShell
− Uses familiar Exchange cmdlets
− Allows administration without the Exchange management tools
− Provides firewall friendly management access