Expert Reference Series of White Papers

Optimizing Microsoft Exchange in the Enterprise
Part I: Optimizing the Mailbox Server Role and the Client Access Server

1-800-COURSES
www.globalknowledge.com
Optimizing Microsoft Exchange in the Enterprise: Optimizing the Mailbox Server Role and the Client Access Server
Boris Gigovic

Introduction

Exchange Server 2010 is one of the most flexible and robust products for managing the messaging infrastructure of an organization. It includes a considerable number of features that help control the way e-mails are stored and exchanged within the premises of the company. While the default setup provides basic functionality, it is typically a worthwhile endeavor to tune your Exchange configuration to maximize productivity.

In this two-part white paper, we are going to explore and recommend changes for a standard installation of Exchange Server in the organization. It is divided into five sections, according to the major Exchange roles that are available in the product. Part 1 examines Optimizing the Mailbox Server Role and Optimizing the Client Access Server (CAS). Part 2 looks at Optimizing the Hub Transport Server, Miscellaneous Features, and Lync and SharePoint Integration.

Optimizing the Mailbox Server Role

The mailbox server role is one of the most critical components of Exchange. It is the location where the users' data is stored. It is also a key component in the proper functioning of the following:

- Hosting of public folder databases
- E-mail address policies and address lists
- Retention policies and messaging records management
- Offline Address Book generation server role

While the standard setup creates the default mailbox database and allows storage of e-mails, additional features can be used to ease the administration of different types of objects, turn on archiving for user mailboxes, or implement high availability and failover clustering in the design.

Number of databases and location

The default storage location of the mailbox database, as well as the logs, is the system drive. For performance and better recovery, it is recommended to move these components to separate physical drives or locations within a SAN.
A minimum RAID level, such as RAID1 or RAID5, will provide fault tolerance for that data.

Copyright 2012 Global Knowledge Training LLC. All rights reserved.
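Before moving anything, it helps to know where each database and its logs currently sit. The following script is an added example, not part of the white paper, that audits every mailbox database from the Exchange Management Shell and flags the conditions the section above warns about (EDB or logs on the system drive, EDB and logs sharing one volume); the function name and the checks are mine.

```powershell
# Added example (not from the white paper). Audit of mailbox database placement
# against the recommendations above. Run from the Exchange Management Shell
# on Exchange 2010.

function Get-DatabaseLocationReport {
    $systemDrive = $env:SystemDrive   # e.g. "C:"
    Get-MailboxDatabase -Status | ForEach-Object {
        $edbPath = $_.EdbFilePath.PathName
        $logPath = $_.LogFolderPath.PathName
        # Drive letter of each path ("C:\..." -> "C:"). SAN mount points folded
        # under the system drive will still show as the system drive, which is
        # acceptable only if they really are separate LUNs.
        $edbDrive = [System.IO.Path]::GetPathRoot($edbPath).TrimEnd('\')
        $logDrive = [System.IO.Path]::GetPathRoot($logPath).TrimEnd('\')

        $findings = @()
        if ($edbDrive -eq $systemDrive) { $findings += 'EDB file on system drive' }
        if ($logDrive -eq $systemDrive) { $findings += 'Log folder on system drive' }
        if ($edbDrive -eq $logDrive)    { $findings += 'EDB and logs on the same volume' }
        if ($_.CircularLoggingEnabled)  { $findings += 'Circular logging on (no point-in-time restore)' }

        New-Object PSObject -Property @{
            Database = $_.Name
            Server   = $_.Server.Name
            Mounted  = $_.Mounted
            EdbPath  = $edbPath
            LogPath  = $logPath
            Findings = ($findings -join '; ')
        }
    }
}

# Usage: show only the databases that need attention.
Get-DatabaseLocationReport |
    Where-Object { $_.Findings -ne '' } |
    Format-Table Database, Server, EdbPath, LogPath, Findings -AutoSize
```

The circular logging check is included because a database that has it enabled cannot be rolled forward from a backup, which undermines the "better recovery" goal the placement advice is about.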
The databases and logs can be moved within the Exchange Management Console (Organization Configuration -> Database Management -> right-click the database -> Move Database Path) or with the following sample cmdlet:

Move-DatabasePath -Identity Marketing -EdbFilePath D:\DBs\Marketing.edb -LogFolderPath D:\DBs\Marketing

Databases will be dismounted while the move operation is in progress.

Exchange Standard Edition supports five database instances, while the Enterprise Edition supports 100. It is recommended to use smaller databases: fewer users are affected in the case of an outage, backup and restore is quicker, quotas can be applied with more granularity, and much more.

Resource mailboxes

Resource mailboxes are practical for managing meetings and booking different types of resources, such as projectors, rooms, whiteboards, and other types of equipment. This feature permits the automatic management of the resources through the Resource Booking Attendant, as well as numerous other options that allow administrators to granularly control how resources can be used and scheduled in meetings.

Prior to resource mailboxes, in a legacy environment, we would create a generic Active Directory (AD) account that would then be treated as the resource object, or we could create specific calendars in public folders, from where these objects would be managed. Now, a type of mailbox exists exclusively for that purpose. With resource mailboxes, a specific type of object is created within the organization and then used in users' meeting requests through Outlook or Outlook Web App. Instead of using a generic account for managing these types of operations, a resource mailbox allows for the creation of a specific type of user account in AD that is disabled after creation.
Key features of the resource mailboxes include the following:

- Specify who can use resource objects, and exceptions for users who can override approval by delegates (resource in-policy and out-of-policy meeting requests)
- Ability to specify objects found in a specific conference room, which users can see through the description of the resource in their Exchange client (resource custom properties)
- Control meeting requests through the Exchange client without having to add the resource mailbox as an additional mailbox in Outlook (resource delegates)
- Ability to specify properties of a room or resource, such as duration, conflicts, room capacity, etc. (resource policies)
- Change common options of the resource mailbox through the Exchange Control Panel

It is possible to create new mailbox resource objects through the Exchange Management Console or through the Exchange Management Shell using the following examples:
Conference room:

New-Mailbox -Room -Name Room1 -Alias Room1 -UserPrincipalName Room1@contoso.com -FirstName Room -LastName 1

Projector:

New-Mailbox -Equipment -Name Projector1 -Alias Projector1 -UserPrincipalName Projector1@contoso.com -FirstName Projector -LastName 1

It is also possible to convert an existing legacy room resource account into a resource mailbox using the following command:

Set-Mailbox LegacyRoom1 -Type Room

Dynamic distribution groups

Dynamic distribution groups are useful when the membership of e-mail groups changes often. A static distribution group gets its members assigned manually by the recipient administrators. In contrast, dynamic distribution groups take advantage of AD attributes to automatically assign memberships to users by defining filters and conditions. For instance, when an employee changes function or department, an administrator changes the corresponding attributes in AD, and the user account's membership in an e-mail group also changes without any direct interaction with the group properties. We can use very specific filters to fulfill different business requirements, such as sending e-mail to all users in a specific location, or to accounts that share some information in common.

While dynamic distribution groups require a little more processing on servers in order to find members before the e-mail is sent, they are certainly a way to automate membership, but only if attributes in AD are well populated. As an alternative, recipient administrators can also define custom attributes if they do not have the appropriate permissions to change AD object attributes.

A dynamic distribution group has the same properties and settings as a static group, including group moderation (a feature that allows for message approval by group moderators), authentication options, and MailTips, as well as options defining the group's SMTP settings. It can be managed using the Exchange Management Console or the Exchange Management Shell.
To create a new dynamic distribution group, we can use the following command:

New-DynamicDistributionGroup -Name "Users in Toronto office" -OrganizationalUnit contoso.com/Users -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (Office -eq 'Users in Toronto office'))}
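Two verification steps for the recipient objects created above, as an added example that is not part of the white paper: first, the booking policy on the Room1 resource mailbox is set and read back (this is where the in-policy/out-of-policy and delegate features listed earlier are actually configured); second, the dynamic group's filter is previewed so you see exactly who would receive a message before anyone relies on it. The names 'Toronto Staff' and 'FacilitiesAdmin' are assumed to be an existing group and an existing delegate mailbox; the function name is mine.

```powershell
# Added example (not from the white paper). Run in the Exchange Management Shell.

# 1. Booking policy for Room1: in-policy requests from the allowed group are
#    auto-accepted, anything else goes to the delegate for approval, bookings
#    are capped at eight hours, and double booking is refused.
$booking = @{
    Identity                 = 'Room1'
    AutomateProcessing       = 'AutoAccept'
    AllBookInPolicy          = $false
    BookInPolicy             = 'Toronto Staff'     # assumed group allowed to book directly
    AllRequestOutOfPolicy    = $true
    ResourceDelegates        = 'FacilitiesAdmin'   # assumed delegate who approves the rest
    MaximumDurationInMinutes = 480
    AllowConflicts           = $false
}
Set-CalendarProcessing @booking

Get-CalendarProcessing -Identity 'Room1' |
    Format-List AutomateProcessing, BookInPolicy, AllRequestOutOfPolicy, ResourceDelegates, MaximumDurationInMinutes, AllowConflicts

# 2. Membership preview: evaluate the group's stored filter in the same
#    container Exchange uses at send time, so the result is what senders get.
function Get-DynamicGroupPreview {
    param([string]$GroupName)
    $group = Get-DynamicDistributionGroup -Identity $GroupName
    Get-Recipient -RecipientPreviewFilter $group.RecipientFilter `
                  -OrganizationalUnit $group.RecipientContainer |
        Select-Object Name, RecipientType, Office, PrimarySmtpAddress
}

$members = Get-DynamicGroupPreview -GroupName 'Users in Toronto office'
$members | Format-Table -AutoSize
"{0} recipient(s) currently match the filter" -f @($members).Count
```

An empty preview almost always means the AD attribute the filter keys on (here Office) is not populated the way the filter expects, which is the "only if attributes in AD are well populated" caveat above made visible.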
We can edit different properties of the group by using the Set-DynamicDistributionGroup cmdlet with the appropriate parameters.

Personal archives

One of the top challenges Exchange administrators face is the decentralized management of older e-mail messages, which is done through PST files. PST files contain e-mail archives and are normally stored locally on client computers. Thus, the administration of those PST files is very difficult, and the following concerns exist:

- Theft of PST files storing sensitive data can occur
- Searching a PST archive can be difficult
- No centralized quotas
- A PST archive is only seen from the local computer where the data resides

The solution to this problem is the creation of Personal Archives on the Exchange server. A Personal Archive allows the removal of older e-mail messages from the local computer and the transition of that data to a special mailbox on the server. That mailbox does not have to be on the same database/physical location as the live mailbox, and several configuration options, such as quotas, can be applied to it. Older e-mail can then be secured, managed in a centralized way, and accessed through Outlook (version 2010 only), as well as Outlook Web App. Combined with retention tags and policies (which specify what action to perform on older e-mail), the Personal Archive can be useful because Exchange Server can apply these retention settings to received e-mail and automatically populate the Personal Archive, allowing a seamless transition of messages to the archive mailbox.

A Personal Archive can be enabled when creating a user mailbox. It is possible to activate it for an existing account through the Exchange Management Console or with the following Exchange Management Shell sample cmdlet:

Enable-Mailbox User1 -Archive -ArchiveDatabase DB1

Transitioning the existing PST files of all users to the online archive can be a long process.
One of the options available is to use the Outlook interface and manually move the content of the PST to the archive. For larger organizations, this is a scalability issue and requires an extensive administrative effort. Exchange offers a way to inject PST files into a user mailbox or archive mailbox, allowing administrators to bulk import this data and populate the archives:

New-MailboxImportRequest -Mailbox User1 -IsArchive -FilePath \\SRV\LocalArchive\User1.pst

The only downside to this method is that the PST must be placed on a network share; however, no interaction with the client is necessary in this case.
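A bulk version of the import above, as an added example that is not part of the white paper: one PST per user sits on the share, named <alias>.pst (an assumed convention), and each is imported into that user's archive; users without a mailbox or without an archive are skipped with a warning instead of failing silently. The share path is the paper's; the function names and the BadItemLimit value are mine.

```powershell
# Added example (not from the white paper). Run in the Exchange Management Shell.

$pstShare = '\\SRV\LocalArchive'

function Start-ArchiveImports {
    param([string]$Share)
    Get-ChildItem -Path $Share -Filter '*.pst' | ForEach-Object {
        $alias = $_.BaseName
        $mbx = Get-Mailbox -Identity $alias -ErrorAction SilentlyContinue
        if (-not $mbx) {
            Write-Warning "$alias : no mailbox found, skipping"
            return    # next file
        }
        if (-not $mbx.ArchiveDatabase) {
            Write-Warning "$alias : no archive mailbox, enable one first (Enable-Mailbox -Archive)"
            return
        }
        # A small BadItemLimit lets a few corrupt items be dropped instead of
        # failing the whole PST; anything larger deserves a look at the file.
        New-MailboxImportRequest -Mailbox $mbx.Identity -IsArchive `
            -FilePath $_.FullName -BadItemLimit 10 -Name "Archive-$alias"
    }
}

function Get-ArchiveImportSummary {
    # Status and progress of every import request in the organization.
    Get-MailboxImportRequest | Get-MailboxImportRequestStatistics |
        Select-Object Name, Status, PercentComplete, FailureType |
        Sort-Object Status, Name
}

Start-ArchiveImports -Share $pstShare
Get-ArchiveImportSummary | Format-Table -AutoSize

# Completed requests remain until removed; clear them once the archives check out:
# Get-MailboxImportRequest -Status Completed | Remove-MailboxImportRequest -Confirm:$false
```

The import is performed by the Mailbox Replication Service on a CAS, not by the client, so the share must grant read access to the Exchange Trusted Subsystem group rather than to the individual users.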
Database Availability Groups

Implementing Database Availability Groups (DAGs) is a major feature that solves the problem of downtime when it comes to the database servers. A DAG is a collection of mailbox servers that replicate some or all of their databases amongst each other. With continuous replication, DAG members get the most up-to-date content replicated to their passive databases. A witness server within the infrastructure is also present to maintain the integrity of the cluster (quorum) across active and passive nodes. What is most interesting about this feature is that this design is not server-to-server replication, but rather database-to-database replication, allowing a lot more flexibility when designing a failover clustering scenario. Consistency is maintained when DAG members are located on different physical sites, providing the ability to include a disaster recovery site in our Exchange organization topology.

Prior to the release of Exchange Server 2010, high availability and failover clustering were somewhat confusing. Multiple high availability options existed, but each of them lacked some features. DAG combines the best features in terms of ease of configuration, reliability, and flexibility, and uses some components of the Failover Clustering feature in Windows (e.g., heartbeat, file share witness, etc.).

A DAG can be configured through the Exchange Management Console or using the Exchange Management Shell by following these three steps.

1. Create the DAG:

New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer SRV2 -WitnessDirectory C:\FSWDAG1

2. Add member servers to the DAG:

Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer EX1

3. Configure replication on databases by adding a copy of each database to another member (here a second member server, called EX2):

Add-MailboxDatabaseCopy -Identity DB1 -MailboxServer EX2

Once the DAG is functional, an administrator can configure lagged copies, which protect against logical corruption being replicated to the passive database.
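Verification for the DAG built in the three steps above, as an added example that is not part of the white paper: every copy should be Mounted (active) or Healthy (passive), copy queues should be short, and only copies deliberately configured with a replay lag may carry a long replay queue. The DAG name is the paper's; the queue thresholds and the function name are assumptions.

```powershell
# Added example (not from the white paper). Run in the Exchange Management Shell
# (Exchange 2010 SP1 or later for the WitnessShareInUse property).

function Get-DagCopyHealth {
    param(
        [string]$DagName        = 'DAG1',
        [int]   $MaxCopyQueue   = 10,   # logs generated but not yet shipped
        [int]   $MaxReplayQueue = 20    # logs shipped but not yet replayed
    )
    $dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
    foreach ($server in $dag.Servers) {
        Get-MailboxDatabaseCopyStatus -Server $server.Name | ForEach-Object {
            $copy = $_
            $db   = Get-MailboxDatabase -Identity $copy.DatabaseName
            # ReplayLagTimes maps each hosting server to its configured lag.
            $lag = $db.ReplayLagTimes |
                Where-Object { $_.Key.Name -eq $server.Name } |
                ForEach-Object { $_.Value }
            $isLagged = ($lag -ne $null) -and (([TimeSpan]$lag.ToString()).Ticks -gt 0)

            $problems = @()
            if ('Mounted','Healthy' -notcontains $copy.Status) {
                $problems += "Status $($copy.Status)"
            }
            if ($copy.CopyQueueLength -gt $MaxCopyQueue) {
                $problems += "Copy queue $($copy.CopyQueueLength)"
            }
            if ((-not $isLagged) -and ($copy.ReplayQueueLength -gt $MaxReplayQueue)) {
                $problems += "Replay queue $($copy.ReplayQueueLength)"
            }
            if ($copy.ContentIndexState -ne 'Healthy') {
                $problems += "Index $($copy.ContentIndexState)"
            }

            New-Object PSObject -Property @{
                Database    = $copy.DatabaseName
                Server      = $server.Name
                Active      = $copy.ActiveCopy
                Status      = $copy.Status
                CopyQueue   = $copy.CopyQueueLength
                ReplayQueue = $copy.ReplayQueueLength
                LaggedCopy  = $isLagged
                Problems    = ($problems -join '; ')
            }
        }
    }
    # The witness matters as much as the copies: "None" means one more member
    # loss could cost the DAG its quorum.
    Write-Host ("Witness {0}, share in use: {1}, PAM: {2}" -f $dag.WitnessServer, $dag.WitnessShareInUse, $dag.PrimaryActiveManager)
}

Get-DagCopyHealth | Format-Table Database, Server, Active, Status, CopyQueue, ReplayQueue, LaggedCopy, Problems -AutoSize
```

A lagged copy is expected to show a replay queue that grows for the length of its lag, so treating every large replay queue as a fault would produce a permanent false alarm on exactly the copy that exists to protect you.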
A lagged copy delays the replay of logs against a passive database (in the instance below for seven days), avoiding traditional restores over the corrupted database. The copy is identified as database\server:

Set-MailboxDatabaseCopy -Identity DB1\EX1 -ReplayLagTime 7.0:0:0

The DAG configuration is supported on Standard versions of Exchange Server 2010.

Offline Address Book distribution

The Offline Address Book (OAB) is used by Outlook clients in cached mode. By default, the OAB distribution mechanism allows the OAB to be transferred to client machines through public folders as well as IIS.
If Outlook clients are running Outlook 2007 and later versions, you can disable the public folder distribution mechanism and rely on Web Services to deliver the OAB to Outlook clients. Web Services offer a more flexible and secure file transfer to the clients. Technically, a virtual directory exists on the CAS servers, where OAB content is generated following an update schedule (OAB properties), then transferred to clients when they connect from an online Outlook. It is possible to make the change by unchecking the "Enable public folder distribution" option found in the properties of the OAB (Organization Configuration -> Mailbox -> Offline Address Book tab -> Properties -> Distribution tab). You can also customize which types of clients are allowed to retrieve the OAB from the Exchange servers.

Optimizing the Client Access Server (CAS)

The client access server role is a major component in providing connectivity of end users to their mailboxes. In Exchange Server 2010, a mailbox cannot be accessed without connecting to a CAS first, which stresses the importance of appropriately configuring this role.

Remote access solutions

Enabling the remote access solutions is attractive because the same secure protocol is used for all types of access: SSL provides a seamless type of access for all client methods.

Outlook Web App

The Web application that allows end users to access their e-mail provides a graphical user interface that is very similar to the Outlook client. It features most of the same options that the Office client has. Many organizations rely exclusively on this type of access because it does not require any particular software to be installed on the client machines, and it is reliable. Outlook Web App is enabled by default for all users; however, certificate configuration should be done (as for all other methods below), which is covered in the next sections.
Outlook Web App policies can be configured to allow users access to specific options within the Outlook Web App web console.

Outlook Anywhere

Many users complain about being unable to use the full Outlook client when off premises. The solution is Outlook Anywhere, which allows seamless access to the user's mailbox wherever the client has Internet connectivity. A secure tunnel is established from the client to an RPC proxy (the CAS server), allowing the client to pass RPC traffic over HTTPS. Since the full Outlook client is used, it is a very transparent connection to the CAS servers. Outlook Anywhere can be enabled on the server by specifying the external FQDN of the CAS, as well as by choosing the authentication type (Basic or NTLM). SSL offloading allows terminating the encryption at a load-balancing endpoint; it is left disabled in most deployments. This can be done through the Exchange Management Console or using the following cmdlet:
Enable-OutlookAnywhere -Server EX1 -ExternalHostname mail.contoso.com -DefaultAuthenticationMethod Basic -SSLOffloading $false

On the client side, it is necessary to modify the RPC proxy settings, or to properly configure Autodiscover settings so that parameters are detected automatically when a client reaches the infrastructure.

Outlook MAPI

This is the most common setup and is already configured in most organizations. This type of access is used when Outlook is running inside the organization.

ActiveSync

Organizations can enable mobile phone access to the company's e-mail. This feature is interesting because of the large number of policies that can control the end-user device, as well as the e-mail stored on that type of media. By enabling ActiveSync, users have the option to control access to their phone in case of loss, and can wipe it remotely while making sure data cannot be recovered. ActiveSync is constantly in sync with the CAS servers, a convenient way to read e-mail as it arrives in the mailbox.

What happens to POP and IMAP?

These types of protocols should not be used, as they do not provide a synchronization interface between client and server, but rather a pull operation. E-mail will be kept on the server for a specific period of time, and clients will need to configure auto-retrieve settings in Outlook. Moreover, these types of solutions are not natively secure. POP and IMAP are disabled by default and should be used only if legacy clients need to connect to the organization.

Certificates

Certificates are the base of a trust relationship between servers and clients. Certificates are used to provide a secure way to interact with CAS servers. While certificates exist by default in an Exchange installation, these need to be changed in order to reflect consistency and a well-established trust for connecting clients. The default setup comes with a self-signed certificate, which is untrusted.
Many features, such as Outlook Anywhere, will not work without a properly configured certificate on the CAS servers. A certificate can be obtained from two types of certification authorities:

Internal CA: The advantage of requesting a certificate from an internal CA is that the certificate is delivered at no cost. External users whose computers are not members of the domain will not trust the issuing CA, so these end users will be presented with a message describing this problem. Although it seems the internal CA comes at no cost, it is important to consider that an entire PKI needs to be set up to support this design. If CAs are already used for other purposes within the organization, then it may be a useful solution; however, if a PKI is built exclusively for the purpose of delivering certificates to Exchange, then the administrative overhead needed to set up and maintain the servers can also be a concern.

Public CA: The advantage of a certificate delivered by an external party is that it will typically be trusted by all connecting computers. However, this implies costs based on the level of security, validity, number of domain names, etc.

A certificate issued by a public CA is recommended due to the ease of setup; it does not require an internal CA infrastructure or modifications to any end-user computer.
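Whichever CA is chosen, the request is generated on the CAS and the issued certificate is later imported and bound to IIS. The following is the shell equivalent of that procedure, added here as an example that is not part of the white paper: it generates a request covering every name clients will use, installs the issued certificate, and reports what is actually bound to IIS (issuer, remaining validity, and whether the default self-signed certificate is still in place). The names follow the paper's mail.contoso.com convention; the file paths, organisation details and function names are assumptions.

```powershell
# Added example (not from the white paper). Run in the Exchange Management
# Shell on the CAS.

# 1. Request: one certificate for the unified name plus Autodiscover.
$request = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -KeySize 2048 -FriendlyName 'Contoso CAS' `
    -SubjectName 'CN=mail.contoso.com, O=Contoso, C=US' `
    -DomainName mail.contoso.com, autodiscover.contoso.com
Set-Content -Path 'C:\Certs\cas-request.req' -Value $request
# Submit C:\Certs\cas-request.req to the internal or public CA.

# 2. Completion: import the issued certificate and assign it to IIS (OWA,
#    Outlook Anywhere, EWS, ActiveSync and OAB all use the IIS binding).
function Install-CasCertificate {
    param([string]$CerPath, [string]$Server = $env:COMPUTERNAME)
    $bytes = [System.IO.File]::ReadAllBytes($CerPath)
    $cert  = Import-ExchangeCertificate -FileData $bytes -Server $Server
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS -Server $Server
    return $cert.Thumbprint
}

# 3. Check: what is bound to IIS, who issued it, and how long it remains valid.
function Get-CasCertificateReport {
    param([int]$WarnDays = 30)
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | ForEach-Object {
        $daysLeft = ($_.NotAfter - (Get-Date)).Days
        $warning  = ''
        if ($_.IsSelfSigned)             { $warning = 'Self-signed: clients will not trust it' }
        elseif ($daysLeft -lt 0)         { $warning = 'Expired' }
        elseif ($daysLeft -lt $WarnDays) { $warning = "Expires in $daysLeft days" }
        New-Object PSObject -Property @{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Names      = ($_.CertificateDomains -join ', ')
            Issuer     = $_.Issuer
            DaysLeft   = $daysLeft
            Warning    = $warning
        }
    }
}

# Usage once the CA has issued the file (path assumed):
# Install-CasCertificate -CerPath 'C:\Certs\mail.contoso.com.cer'
Get-CasCertificateReport | Format-Table Subject, Issuer, DaysLeft, Warning -AutoSize
```

The Names column is worth checking against the DNS records clients actually resolve: a certificate that is trusted but does not list the Autodiscover name produces the same warning prompts for users as an untrusted one.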
It is possible to configure a server certificate within the Exchange Management Console. A wizard is typically used to create a request file that is sent to a certification authority with the domain names chosen during the wizard. Some organizations prefer having separate domain names to identify the types of services offered (e.g., webmail.contoso.com for OWA, oa.contoso.com for Outlook Anywhere, etc.), while others keep consistency with a single domain name such as mail.contoso.com, corresponding to any service accessed on CAS servers. Once the request is approved, it is necessary to complete the installation of the certificate through the same wizard and assign it to the selected services (typically, IIS is chosen). While it is possible to request certificates through the IIS console on a CAS server, the recommended way of performing these operations is through the Exchange Management Console (Server Configuration).

Load-balancing arrays

Now that all types of client connectivity rely on CAS servers, including Outlook MAPI, it is critical to implement a load-balancing scenario with multiple CAS servers that can help in the event of failure of one or more CAS servers. It is possible to create a group of CAS servers (an array) that have the exact same configuration, allowing clients to connect to any one of these and access their mailboxes. This scenario is different from a DAG, because a DAG uses clustering features with active/passive nodes, while in this case all servers perform processing at the same time. An array can also be useful to scale out: if the number of requests increases, or if a denial of service is happening, more array members will be able to support more load. An array can be defined using a hardware load balancing (HLB) solution, or the NLB feature of Windows. While it is not recommended to use the NLB feature, it can still provide a low-cost load balancing solution.
When using NLB, CAS array members get assigned a virtual IP address (VIP) defined by the load balancing mechanism. NLB members coordinate among themselves which server gets the next request (heartbeat). With an HLB solution, the clients connect to a dedicated load balancing device, which is responsible for distributing the load across the array members appropriately, using policies and filters. In both scenarios, DNS settings have to be modified: the A record has to point to the VIP or HLB IP address. While some configuration is performed on the load balancers, it is necessary to create the array on the CAS servers, as well as define some basic properties for its members. A CAS array can only be created through the Exchange Management Shell:

New-ClientAccessArray -Name Array1 -Fqdn mail.contoso.com -Site Toronto

In this case, we are defining the array, as well as the FQDN that has to match the DNS entry. Notice we do not specify the member servers, but rather the site in which the array will be created. Through AD, Exchange is able to find the corresponding members. We can have one array per AD site.
While new databases and mailboxes created from now on will use this array for access, existing mailbox databases need to be updated in order for them to detect the presence of the array. This is a per-mailbox-database setting and can be done through a cmdlet:

Set-MailboxDatabase DB1 -RpcClientAccessServer mail.contoso.com

Failure to perform this step will cause connection issues for clients that already have a mailbox on that particular site. We do not have this issue when creating databases after the array is set up.

Autodiscover

Autodiscover helps an Outlook client populate connection and database settings automatically when a profile is created. When Outlook (version 2007 or greater) is launched and the user specifies login credentials, it tries to contact a particular FQDN that can help in the auto-configuration of the client: autodiscover.domain.com. Then, it downloads an XML file from a CAS server (the autodiscover DNS record points to a CAS) that tells the client on which mailbox server to find the database, how to configure RPC over HTTP settings, and other useful connectivity settings. This solves the problem of moving mailboxes when transitioning/upgrading: Outlook is able to update its configuration without requiring assistance from the user. It is a great feature because the end user does not have to know any part of the infrastructure to configure the client.

Autodiscover can also be useful when a mailbox failure occurs and databases need to be moved to an alternate location. It is used in scenarios such as dial tone recovery, reducing the load on administrators who would normally have to reconfigure clients manually to point to new mailbox servers. Autodiscover is enabled by default, but still requires the creation of an A record in DNS pointing to the CAS server or CAS array.
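The per-database step above is easy to miss for one database out of many, and a database left pointing at a single CAS is a single point of failure for every mailbox on it. As an added example that is not part of the white paper, the script below repoints every mailbox database in the array's AD site at the array FQDN and then lists any database in the organization whose RPC endpoint is still an individual server. The array name is the paper's; the function names are assumptions.

```powershell
# Added example (not from the white paper). Run in the Exchange Management Shell.

function Set-SiteDatabasesToArray {
    param([string]$ArrayName = 'Array1')
    $array    = Get-ClientAccessArray -Identity $ArrayName
    $fqdn     = [string]$array.Fqdn
    $siteName = $array.Site.Name

    # Mailbox servers in the array's site (each server belongs to one AD site).
    $siteServers = Get-MailboxServer | Where-Object {
        (Get-ExchangeServer -Identity $_.Name).Site.Name -eq $siteName
    } | ForEach-Object { $_.Name }

    Get-MailboxDatabase | Where-Object { $siteServers -contains $_.Server.Name } | ForEach-Object {
        $current = [string]$_.RpcClientAccessServer
        if ($current -ne $fqdn) {
            Write-Host ("{0}: {1} -> {2}" -f $_.Name, $current, $fqdn)
            Set-MailboxDatabase -Identity $_.Identity -RpcClientAccessServer $fqdn
        }
    }
}

function Get-SingleServerRpcEndpoints {
    # Databases whose RPC endpoint is not any array FQDN: clients with a
    # mailbox there lose connectivity if that one CAS fails.
    $arrayFqdns = Get-ClientAccessArray | ForEach-Object { [string]$_.Fqdn }
    Get-MailboxDatabase |
        Select-Object Name, @{n='Server'; e={ $_.Server.Name }}, @{n='RpcEndpoint'; e={ [string]$_.RpcClientAccessServer }} |
        Where-Object { $arrayFqdns -notcontains $_.RpcEndpoint }
}

Set-SiteDatabasesToArray -ArrayName 'Array1'
Get-SingleServerRpcEndpoints | Format-Table -AutoSize
```

Outlook 2007 and later pick up the new endpoint through Autodiscover, which is why the Autodiscover DNS record discussed above matters for existing profiles as well as new ones; profiles configured by hand without Autodiscover have to be updated manually.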
Firewall and application publishing considerations

It is often challenging to properly secure the Exchange environment, especially servers that can be directly accessible from the Internet. Exchange Server requires a minimum number of ports to be open to the outside world. For client access (not referring to e-mail flow in this case), only one port needs to be open inbound from the outside world to the CAS: 443. Exchange Web Services all work over SSL, providing great security natively, as well as allowing for easier configuration of firewalls on the corporate side and on the user side. Client outbound connections are usually not denied on port 443, allowing the client to access e-mail remotely from virtually anywhere.

Although Web Services require our CAS servers to have only one port open, there is still one concern. At that point, the issue we encounter is that these external clients connect directly to the CAS servers (which need to be internal; a DMZ placement is not recommended). Thus, authentication is performed directly on the front-end servers. This can be a security concern for some organizations.
We can solve this issue by configuring a reverse proxy solution. A reverse proxy is a server configured to impersonate a CAS server, allowing clients to trust that server and to authenticate to it, without making a direct connection to the internal CAS infrastructure. A reverse proxy is very different from a port-forwarding mechanism because of that additional layer of security. It is normally found in a DMZ or at the inner edge of the network. A reverse proxy can publish an Exchange application (such as Outlook Web App, Outlook Anywhere, etc.), as well as any other application, to the outside world; client connectivity terminates on that proxy. A new connection is then initiated from that server to the back-end CAS servers, secured inside the organization. One of these solutions is Forefront Threat Management Gateway (TMG). While TMG can be used for reverse proxying, it is also capable of providing Web filtering, caching, and many other features that enhance how internal and external users access different types of resources.

Conclusion

While Exchange Server 2010 is a mature product, there are always ways to configure and optimize your messaging solution for improved performance. Now that we have examined the basic Mailbox server role and Client Access Server, we will next review how administrators can improve the performance of the Hub Transport Server, along with a variety of other Exchange administration tips. We will also discuss ways to integrate your Exchange deployment with Lync Server and SharePoint for a tightly integrated communications platform in the second half of this white paper, Optimizing Microsoft Exchange for the Enterprise, Part II.
Learn More

To learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge, Global Knowledge suggests the following courses:

- Configuring, Managing, and Troubleshooting Microsoft Exchange Server 2010 Service Pack 2 (M10135)
- Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010 Service Pack 2 (M10233)
- MCITP: Enterprise Messaging Administrator 2010 Boot Camp

Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledge training advisor.

About the Author

Boris Gigovic (MCTS, MCITP, CCNA) is a Global Knowledge trainer focused on Microsoft, Citrix, and Windows technologies. With over ten years of experience in the field, Boris is in high demand as an IT consultant conducting corporate security and network audits in the Montreal area.