EXCHANGE 2016: WHY AND HOW TO UPGRADE
Joe Hoegler, Kraft Kennedy
August 31, 2016
#ILTA102
INTRODUCTION
Joe Hoegler
- Practice Group Leader, Infrastructure & Enterprise Systems at Kraft Kennedy
- Microsoft Certified Master: Exchange 2010
- Microsoft Certified Master: Office 365 (Exchange Online)
- Microsoft Certified Solutions Master: Messaging
- Advised over 100 law firm clients totaling over 100,000 users on recent Exchange projects, including almost 50% of the Am Law 20
- Exchange TAP participant since 2011
SESSION GOALS
- Exchange 2016 architecture and product overview
- Compelling reasons for law firms
- Coexistence with and migration from legacy Exchange
- Known issues and common pitfalls
- Questions
EXCHANGE 2016 ARCHITECTURE AND PRODUCT OVERVIEW
EXCHANGE 2003 ARCHITECTURE
EXCHANGE 2007 ARCHITECTURE
EXCHANGE 2010 ARCHITECTURE
EXCHANGE 2013 ARCHITECTURE
EXCHANGE 2016 ARCHITECTURE
EXCHANGE 2016 SUPPORTED PLATFORMS
- Operating system: Windows 2012, Windows 2012 R2, and Windows 2016 (eventually)
- Exchange: coexistence with Exchange 2010 SP3 RU11 and/or Exchange 2013 CU10 or later only
- Outlook: Outlook 2010 SP2 (with hotfixes), Outlook 2013 SP1 (with hotfix), or Outlook 2016; RPC/HTTPS and MAPI/HTTP supported
- Active Directory: minimum Windows 2008 domain/forest functional level (was Windows 2008 R2); recommended Windows 2012 R2 domain/forest functional level
- Deprecated: Outlook 2007, Entourage 2008 Web Services, MAPI/CDO (yes, it's dead)
- Note the supportability position on reintroducing legacy Exchange versions once they have been removed
MODERN PUBLIC FOLDERS
- Renewed investment in public folders
- Public folders move to mailboxes
- Inherit all features and functionality (e.g. DAG) of traditional mailboxes

Legacy Public Folders          Public Folders in Exchange 2016
------------------------       ---------------------------------
Public Folder Databases        Public Folder Mailboxes
Public Folder Replicas         Database Availability Groups
Public Folder Hierarchy        Public Folder Hierarchy Mailbox
Public Logon                   Public Logon
MODERN PUBLIC FOLDERS
- Users connect to the hierarchy mailbox for folder operations
- Redirection occurs to the content mailbox for individual folders (a single content mailbox may contain multiple PFs)
- Loss of multi-master replication and access
- Gain of the resiliency features associated with the DAG
- Client access occurs through the same Outlook/OWA interface as legacy public folders

High-level migration from legacy public folders:
1. Migrate all mailboxes to Exchange 2016 first (no forward compatibility)
2. Use scripts to stage public folder mailboxes and map public folders to mailboxes
3. Synchronize content (2-3 GB/hour)
4. Test
5. Perform environment-wide cutover
OFFICE ONLINE SERVER
- Previously used for Lync/Skype PowerPoint streaming
- Used by Exchange 2016 for rich browser-based content viewing
- Enables side-by-side viewing and edit/reply in OWA
CLIENT SUPPORT
Client versions no longer supported:
- Outlook 2007 and previous
- Mac clients requiring WebDAV
- Entourage 2008 with Web Services
- MAPI/CDO (e.g. BES 5.x)
Supported client versions:
- Outlook 2016
- Outlook 2013
- Outlook 2010 (requires KB2965295)
- Outlook for Mac for Office 365
- Outlook 2011 for Mac
LEGACY EXCHANGE COEXISTENCE
Supported versions for coexistence:
- Exchange 2013 CU10 or later
- Exchange 2010 SP3 RU11 or later
Not supported:
- Exchange 2007 or earlier
ONGOING RELEASE CADENCE
COMPELLING REASONS FOR LAW FIRMS
EXCHANGE 2016 FEATURES FOR LAW FIRMS
- Document collaboration
- OWA rich content editing/viewing
- Search enhancements
- Inbox enhancements
- DLP extension to other Office applications
- Integration with Equivio Zoom
DOCUMENT COLLABORATION
- Integrated with OneDrive for Business: send an attachment as a file or a link; access anytime, anywhere, and from any device
- Streamlined attachment view: view attachments inline within a message
- Frictionless collaboration: edit attachments and reply in a single view
- Make attachments smarter
DOCUMENT COLLABORATION: SHARING
DOCUMENT COLLABORATION: ATTACHMENT PREVIEW
DOCUMENT COLLABORATION: ATTACH AS FILE OR COPY
DOCUMENT COLLABORATION: ATTACHMENT UPLOAD
DOCUMENT COLLABORATION: ATTACH FROM CLOUD
DOCUMENT COLLABORATION: REQUIREMENTS
- Exchange 2016: new attachment experience, photo preview/thumbnail, download attachments only
- Office Online Server: side-by-side document preview, edit/reply for normal attachments
- SharePoint 2016: SharePoint links, edit/reply for cloud attachments, save to OneDrive for Business
SEARCH ENHANCEMENTS
- Faster performance
- More accurate/complete results
- Search suggestions with fuzzy matching, tailored to you
- Search refiners
INBOX ENHANCEMENTS (OUTLOOK)
- Inline previews for URLs
- Inline video player
- Intelligent recipient selection and people search
INBOX ENHANCEMENTS (OWA)
- Improved HTML rendering
- One-click archive
- Common typos/suggestions
- Import contacts from CSV
- Better attachment view
DATA LOSS PREVENTION
- New sensitive information types
- Policy Tips extended to other Office apps
- Extension of DLP to SharePoint
EDISCOVERY AND ARCHIVING
- Search re-designed for improved reliability and speed
- In-place hold for public folder data
- Equivio Zoom in the cloud for advanced analytics
POST-RTM UPDATES
- Cumulative Update 1: maintain web.config customizations between CUs
- Cumulative Update 2: avoid data loss during modern public folder migrations; automatic rebalancing of database copies
COMING SOON: PASSIVE COPY INDEXING
- Scheduled for a future CU
- Enables local indexing against passive database copies
- Reduces bandwidth requirements between active and passive database copies by 40%
SEARCH OPTIMIZATIONS IN EXCHANGE 2016
(diagram: transport, active mailbox, passive mailbox, and log components in the search pipeline)
EXCHANGE 2010 TODAY?
You must upgrade to:
- Exchange 2016
- Exchange 2013
- Exchange Online
- Gmail, Notes, GroupWise, cc:Mail
COEXISTENCE WITH AND MIGRATION FROM LEGACY EXCHANGE
NAMESPACE PLANNING
- Exchange 2016 no longer requires the namespaces required by Exchange 2010
- Two namespace models: bound model and unbound model
BOUND MODEL
(diagram: Sue and Jane, each somewhere in North America, resolve separate namespaces; mail.contoso.com resolves to the mail VIP, which fronts DAG1 (active) with DAG2 passive, and mail2.contoso.com resolves to the mail2 VIP, which fronts DAG2 (active) with DAG1 passive)
UNBOUND MODEL
(diagram: Sue, somewhere in North America, resolves the single namespace mail.contoso.com; DNS round-robins between the VIPs, VIP #1 and VIP #2, both of which front the same DAG)
MICROSOFT PREFERRED ARCHITECTURE
- Single namespace, unbound model
- Layer 4 load balancing without affinity/persistence
- Physical server deployment on 2U commodity servers
- 4 database copies, 2 in each of 2 data centers; 1 copy lagged by 7 days
- JBOD storage
- Exchange Native Protection
- No dedicated replication networks
- Witness in a third data center
- ReFS volumes with BitLocker encryption
SSL CERTIFICATE PLANNING
- Single certificate for the entire Exchange environment
- Use a Subject Alternative Name certificate with the following names:
  - webmail.client.com (Subject Name)
  - webmailny.client.com, webmailla.client.com (data center external names, and internal via split DNS)
  - autodiscover.client.com
  - Other names only as necessary
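One way to carry out this plan from the Exchange Management Shell, as an added example that is not from the slides or from Kraft Kennedy: generate a single SAN request with exactly the names above, complete it once the CA returns the certificate, bind it, and confirm every planned name is present. The organisation and locality values in the subject, the file share path, and the friendly name are placeholders.

```powershell
# Added example: one SAN certificate for the whole Exchange 2016 environment.
# Names are the ones from the slide; O/L/S/C values and paths are placeholders.
$names = @(
    'webmail.client.com',       # Subject Name: primary client access namespace
    'webmailny.client.com',     # NY data center name (external, and internal via split DNS)
    'webmailla.client.com',     # LA data center name
    'autodiscover.client.com'   # Autodiscover; add further names only when required
)

# 1. Generate the CSR on one Exchange 2016 server. The private key is exportable so the
#    same certificate can be exported (Export-ExchangeCertificate) to every other server.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=webmail.client.com, O=Client LLP, L=New York, S=NY, C=US' `
    -DomainName $names `
    -FriendlyName 'Exchange 2016 SAN' `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path '\\fileserver\certs\exchange2016.req' -Value $csr

# 2. After the CA issues the certificate, complete the pending request on the same server.
Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path '\\fileserver\certs\exchange2016.cer' -Encoding Byte -ReadCount 0))

# 3. Bind it to the services that present it. Look the thumbprint up rather than typing it.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.FriendlyName -eq 'Exchange 2016 SAN' -and -not $_.IsSelfSigned } |
    Select-Object -First 1
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP

# 4. Check the issued certificate against the plan; a missing SAN entry surfaces here,
#    not as a client-side certificate warning after cutover.
$missing = $names | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "Certificate is missing SAN entries: $($missing -join ', ')" }
else { Write-Host "All $($names.Count) planned names are on the certificate $($cert.Thumbprint)" }
```

Keep the Subject Name first in the list and resist adding server hostnames: every extra name widens what the certificate attests to and has to be carried through each renewal.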
EXCHANGE 2016 COEXISTENCE OPTIONS
Option 1: Exchange 2013 up-version proxy
- Leverage existing Exchange 2013 CAS to proxy to Exchange 2016 as it is deployed
- Avoids needing to fully deploy all Exchange 2016 infrastructure to support the entire environment
Option 2: Exchange 2016 down-version proxy
- Deploy the entire Exchange 2016 infrastructure and cut over the client access namespaces
- Similar to previous migrations to Exchange 2007, 2010, or 2013
DAGs are still version-bound; in-place upgrades are unsupported
COEXISTENCE & MIGRATION OVERVIEW
1. Complete design
2. Prepare legacy environment and update AD
   - E2010 SP3 RU11
   - E2013 CU10
   - No E2003/2007 anywhere (including improperly removed servers)
   - Enable Outlook Anywhere (if necessary)
3. Validate deployed hardware with Jetstress
4. Install E2016
5. Install certificates, configure virtual directories
6. Configure DAG and other components
7. Complete client access cutover
8. Move mailboxes
9. Complete mail flow cutover
10. Migrate legacy public folders to modern public folders
11. Decommission legacy environment
UPGRADE FROM EXCHANGE 2010 TO EXCHANGE 2016
(diagram: clients connect to autodiscover.contoso.com and mail.contoso.com; the Internet-facing site, with E2010 CAS/HUB/MBX at SP3 RU11, is upgraded first and receives the E2016 MBX servers; the intranet site with its Exchange 2010 servers at SP3 RU11 follows)
1. Prepare
   - Install Exchange 2010 SP3 RU11 across the org
   - Validate existing client access using MCA and ExRCA and the built-in Test cmdlets
   - Prepare AD with the E2016 schema
2. Deploy Exchange 2016 servers as required per design
3. Obtain and deploy certificates on the E2016 servers
4. Switch the primary namespace to Exchange 2016: E2016 fields all traffic, including traffic from Exchange 2010 users; validate using MCA and ExRCA
5. Move mailboxes: build out the DAG, then move E2010 users to E2016 MBX
6. Repeat for additional sites
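The "Prepare" step above, worked through in the Exchange 2010 Management Shell as an added example (not from the slides or from Kraft Kennedy): inventory every server object still in Active Directory, flag anything older than Exchange 2010, exercise the built-in connectivity tests, and then extend the schema from the Exchange 2016 media. The test mailbox, credential and setup drive letter are placeholders.

```powershell
# Added example: pre-flight checks before the first Exchange 2016 server is installed.
# Test mailbox, credential and media path are placeholders.

# 1a. Inventory every server object, including improperly removed servers that still exist in AD.
$servers = Get-ExchangeServer
$servers | Sort-Object Site, Name | Format-Table Name, Site, ServerRole, AdminDisplayVersion -AutoSize

# Major version below 14 is Exchange 2007 (8.x) or 2003 (6.x); either blocks the E2016 install.
$legacy = $servers | Where-Object { $_.AdminDisplayVersion.Major -lt 14 }
if ($legacy) {
    Write-Warning "Remove these Exchange 2003/2007 server objects first: $($legacy.Name -join ', ')"
}

# Every 2010 server needs SP3 RU11 and every 2013 server needs CU10. Print the build per
# server so it can be compared with the release notes rather than hard-coding build numbers.
$servers | Group-Object { $_.AdminDisplayVersion.Major } | ForEach-Object {
    "Version $($_.Name): " + (($_.Group | ForEach-Object { "$($_.Name)=$($_.AdminDisplayVersion)" }) -join '; ')
}

# 1b. Validate existing client access with the built-in test cmdlets (complements MCA/ExRCA,
#     which test the same paths from outside the network).
Test-OutlookWebServices -Identity 'testuser@contoso.com' | Format-Table Id, Type, Message -AutoSize
Test-ActiveSyncConnectivity -MailboxCredential (Get-Credential 'contoso\testuser') |
    Format-Table Scenario, Result -AutoSize

# 1c. Extend the schema and prepare AD from the Exchange 2016 media. Run as a member of
#     Schema Admins and Enterprise Admins, from an elevated prompt in the schema master's site,
#     and let replication complete before running Setup on the first server.
# E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema
# E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD
# E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains
```

Keep the output of step 1a with the project record: it is the baseline you compare against when decommissioning, and it is the quickest way to prove there is no forgotten 2007 server object before Setup refuses to continue.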
CLIENT ACCESS SCENARIOS
E2016 CLIENT PROTOCOL CONNECTIVITY FLOW: AUTODISCOVER
(diagram: clients resolve autodiscover.contoso.com in DNS to the E2016 MBX in the Internet-facing site; E2016 proxies the request to the E2010 CAS in the same site or in the intranet site, and CAS 2010 handles the request against the E2010 MBX)
E2016 CLIENT PROTOCOL CONNECTIVITY FLOW: OUTLOOK (INTERNAL)
(diagram: Outlook clients look up SCP records in AD ("the triangle"), which point them at the internal load-balanced namespace on E2016 MBX; E2016 proxies to the E2010 CAS in the same site or in the intranet site, and CAS 2010 handles the request against the E2010 MBX)
E2016 CLIENT PROTOCOL CONNECTIVITY FLOW: OUTLOOK ANYWHERE (RPC/HTTP)
(diagram: clients connect over RPC/HTTP to mail.contoso.com on E2016 MBX, which proxies to the E2010 CAS in the Internet-facing site or the intranet site; CAS 2010 talks RPC to the E2010 MBX)
Settings shown:
- E2010 CAS: Outlook Anywhere enabled, client auth Basic, IIS auth NTLM
- E2016 MBX: Outlook Anywhere enabled, client auth Basic, IIS auth Basic
Steps:
1. Enable Outlook Anywhere on the intranet 2010 servers
2. Client settings: make the 2010 client settings the same as the 2016 server (in this case, OA hostname = mail.contoso.com and client auth = Basic)
3. IIS authentication methods on 2010 must include NTLM
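The three steps above, scripted against every Exchange 2010 Client Access server as an added example that is not from the slides or from Kraft Kennedy. It is meant to be run from the Exchange 2010 Management Shell; mail.contoso.com is the hostname from the diagram, and the assumption is that the 2010 servers sit behind a load balancer that terminates SSL on the server (SSL offloading off).

```powershell
# Added example: align Exchange 2010 Outlook Anywhere with the Exchange 2016 settings
# before the namespace cutover. Run from the Exchange 2010 Management Shell.
$oaHost = 'mail.contoso.com'   # the same external hostname the E2016 servers use

# Every Exchange 2010 (major version 14) server holding the CAS role, in any site.
$cas2010 = Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -eq 14 -and $_.IsClientAccessServer }

foreach ($server in $cas2010) {
    # Step 1: intranet-site CAS usually never had Outlook Anywhere turned on.
    if (-not (Get-OutlookAnywhere -Server $server.Name -ErrorAction SilentlyContinue)) {
        Enable-OutlookAnywhere -Server $server.Name -ExternalHostname $oaHost `
            -ClientAuthenticationMethod Basic -SSLOffloading $false
    }

    # Step 2: client-facing settings identical to E2016 (hostname, Basic client auth).
    # Step 3: IIS authentication must include NTLM so E2016 can proxy with the user's
    #         credentials; dropping NTLM here is what produces endless password prompts.
    Get-OutlookAnywhere -Server $server.Name |
        Set-OutlookAnywhere -ExternalHostname $oaHost `
            -ClientAuthenticationMethod Basic `
            -IISAuthenticationMethods Basic, Ntlm
}

# Verify: every 2010 CAS should show the shared hostname and NTLM in IISAuthenticationMethods.
Get-OutlookAnywhere |
    Format-Table Server, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods -AutoSize
```

Run the verification table again after the first E2016 server is installed: E2016 Setup does not touch the 2010 virtual directories, so any server that still shows only Basic is a mistake in this step rather than something the install changed.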
E2016 CLIENT PROTOCOL CONNECTIVITY FLOW: OWA
(diagram: mail.contoso.com sits behind a layer 4 load balancer and europe.mail.contoso.com behind a layer 7 load balancer; E2016 MBX authenticates the user on the 2016 logon page, then either HTTP-proxies a same-site request to the E2010 CAS or issues a single sign-on (SSO) redirect for a cross-site request; CAS 2010 talks RPC to the E2010 MBX in the Internet-facing site or the intranet site)
E2016 CLIENT PROTOCOL CONNECTIVITY FLOW: EAS
(diagram: the same mail.contoso.com (layer 4 LB) and europe.mail.contoso.com (layer 7 LB) entry points; E2016 MBX HTTP-proxies both same-site and cross-site ActiveSync requests to the E2010 CAS, which handles them against the E2010 MBX in the Internet-facing site or the intranet site)
E2016 CLIENT PROTOCOL CONNECTIVITY FLOW: EWS
(diagram: the same mail.contoso.com (layer 4 LB) and europe.mail.contoso.com (layer 7 LB) entry points; E2016 MBX HTTP-proxies both same-site and cross-site EWS requests to the E2010 CAS, which handles them against the E2010 MBX in the Internet-facing site or the intranet site)
PROTOCOL FLOW SUMMARY
Basic principles to apply in coexistence with E2010:
- E2016 proxies all traffic to CAS 2010
- E2016 no longer does HTTP 451 redirects, but E2010 still does
MODERN PUBLIC FOLDERS - LIMITATIONS
- No access to modern PFs from legacy OWA
- No access to legacy PFs from OWA 2016
- Limit of 1,000,000 total public folders in the hierarchy (including subfolders); fewer than 100,000 recommended
- Limit of 1,000,000 messages per public folder
- Limit of 100 total public folder mailboxes
- Limit of 300 levels of folder depth
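A way to measure an existing hierarchy against these limits before the migration is planned, as an added example that is not from the slides or from Kraft Kennedy. It runs from the Exchange 2010 Management Shell against the legacy public folder databases; the limit values are the ones on the slide, and the depth calculation assumes folder identities are backslash-separated paths such as \Clients\Acme\2016.

```powershell
# Added example: size a legacy public folder hierarchy against the modern PF limits.
# Run from the Exchange 2010 Management Shell. Limits are from the slide.
$limits = @{
    TotalFolders       = 1000000   # hard limit, including subfolders
    RecommendedFolders = 100000    # recommended ceiling
    MaxDepth           = 300
    MessagesPerFolder  = 1000000
}

$folders = Get-PublicFolder -Recurse -ResultSize Unlimited
$stats   = Get-PublicFolderStatistics -ResultSize Unlimited

# Depth = number of path segments under the root, so \Clients\Acme\2016 is depth 3.
$depths = $folders | ForEach-Object {
    ($_.Identity.ToString().TrimStart('\') -split '\\' | Where-Object { $_ }).Count
}
$maxDepth = ($depths | Measure-Object -Maximum).Maximum

# Folders that already exceed the per-folder message limit cannot be migrated as-is.
$overfull = @($stats | Where-Object { $_.ItemCount -gt $limits.MessagesPerFolder })

[pscustomobject]@{
    FolderCount          = $folders.Count
    ExceedsHardLimit     = $folders.Count -gt $limits.TotalFolders
    ExceedsRecommended   = $folders.Count -gt $limits.RecommendedFolders
    MaxDepth             = $maxDepth
    ExceedsDepth         = $maxDepth -gt $limits.MaxDepth
    FoldersOverItemLimit = $overfull.Count
} | Format-List

# The folders that must be split or trimmed before content synchronisation starts.
$overfull | Sort-Object ItemCount -Descending | Format-Table FolderPath, ItemCount -AutoSize
```

The count from this script is also what decides how many public folder mailboxes the staging scripts will produce, so a hierarchy over the recommended 100,000 is worth cleaning up before mapping folders to mailboxes rather than after.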
KNOWN ISSUES AND COMMON PITFALLS
OAB DOWNLOAD STORM
- Issue: E2013/2016 creates an OAB in a new format and, if a legacy mailbox database does not have a default OAB defined, the E2013/2016 OAB will be chosen.
- Impact: a full OAB download occurs, which can be painful for a large number of clients simultaneously and/or across a WAN.
- Mitigation: define a default OAB on all mailbox databases prior to the first E2013/2016 server being installed.
- Status: documented - http://technet.microsoft.com/en-us/library/jj150489(v=exchg.150).aspx
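The mitigation as a check-then-fix script, added here as an example that is not from the slides or from Kraft Kennedy. It runs from the Exchange 2010 Management Shell before the first E2013/2016 server is installed, pins the organisation's existing default OAB to every database that has none, and does nothing unless -Commit is passed.

```powershell
# Added example: give every legacy mailbox database an explicit OAB before E2013/2016 setup.
# Report-only unless -Commit is supplied.
param([switch]$Commit)

# The OAB clients already have; assigning it explicitly means nothing changes for them.
$defaultOab = Get-OfflineAddressBook | Where-Object { $_.IsDefault } | Select-Object -First 1
if (-not $defaultOab) { throw 'No default OAB exists; create one with New-OfflineAddressBook first.' }

# Databases with no OAB set are the ones that would silently pick up the new-format OAB.
$unset = @(Get-MailboxDatabase | Where-Object { $null -eq $_.OfflineAddressBook })
if ($unset.Count -eq 0) { Write-Host 'All mailbox databases already have an OAB assigned.'; return }

$unset | Format-Table Name, Server, OfflineAddressBook -AutoSize
foreach ($db in $unset) {
    if ($Commit) {
        Set-MailboxDatabase -Identity $db.Identity -OfflineAddressBook $defaultOab.Identity
        Write-Host "Set OAB '$($defaultOab.Name)' on database '$($db.Name)'"
    } else {
        Write-Host "Would set OAB '$($defaultOab.Name)' on database '$($db.Name)' (re-run with -Commit)"
    }
}
```

Re-run it without -Commit after the first E2016 server is up: a database still showing a blank OAB at that point means a client population is about to pull the full new-format OAB.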
DELEGATE MAILBOX & LEGACY PF ACCESS
- Issue: E2013/2016 uses a new form of authentication called RPC Anonymous (displayed as Anonymous Authentication in Outlook), which is not properly understood by E2010.
- Impact: an E2016 user opening a legacy mailbox or PF resource will be prompted for authentication continuously.
- Mitigation: force NTLM authentication in E2016 until all mailboxes are moved.
- Status: documented - http://support.microsoft.com/kb/2834139
E2016 MAILBOXES APPEAR LARGER
- Issue: E2013/2016 calculates the true size of a mailbox more accurately than previous versions, accounting for the mailbox's impact on database-level tables, etc. Size on disk is unaffected, but the reported size may increase by 30-40%.
- Impact: clients using mailbox quotas may see mailboxes above/at/near quota immediately following a mailbox move to E2013/2016.
- Mitigation: increase mailbox quotas by 50-70% prior to migration.
- Status: documented - http://technet.microsoft.com/en-us/library/jj150489(v=exchg.150).aspx
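Raising the quotas ahead of the moves, as an added example that is not from the slides or from Kraft Kennedy. It multiplies each database-level quota on the Exchange 2010 databases by a factor (1.6, an assumption chosen from the slide's 50-70% range), leaves unlimited quotas alone, keeps the warning/send/send-receive ordering intact because all three scale the same way, and reports only unless -Commit is given. Mailboxes that override the database defaults are listed at the end because the database change does not reach them.

```powershell
# Added example: scale Exchange 2010 database quotas before mailbox moves to E2016.
# Factor 1.6 (60%) is an assumption inside the slide's 50-70% range. Report-only unless -Commit.
param([double]$Factor = 1.6, [switch]$Commit)

$quotaNames = 'IssueWarningQuota', 'ProhibitSendQuota', 'ProhibitSendReceiveQuota'

# Only the legacy (major version 14) databases; E2016 databases already report the true size.
foreach ($db in Get-MailboxDatabase | Where-Object { $_.AdminDisplayVersion.Major -eq 14 }) {
    $changes = @{}
    foreach ($name in $quotaNames) {
        $quota = $db.$name
        if ($quota.IsUnlimited) { continue }                      # nothing to raise
        $newMB = [math]::Ceiling($quota.Value.ToMB() * $Factor)   # round up to whole MB
        $changes[$name] = "${newMB}MB"
    }
    if ($changes.Count -eq 0) { continue }

    $summary = ($changes.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    Write-Host "$($db.Name): $summary"
    if ($Commit) { Set-MailboxDatabase -Identity $db.Identity @changes }
}

# Mailboxes with their own quotas are not covered by the database change and need the
# same treatment with Set-Mailbox; list them so they are not forgotten.
Get-Mailbox -ResultSize Unlimited -Filter { UseDatabaseQuotaDefaults -eq $false } |
    Format-Table Name, Database, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota -AutoSize
```

Because the reported size grows but the size on disk does not, the new quotas do not change storage sizing; they only stop the move itself from generating a wave of "mailbox full" tickets.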
E2016 CAS ARRAY NAMESPACE USAGE
- Issue: in E2010 it was common to use the RPC CAS Array namespace for both RPC connectivity and web-based connectivity (e.g. OWA, EWS, etc.). The E2013/2016 CAS does not have an RPC endpoint.
- Impact: if cas.client.com is moved to E2013/2016 as part of the client access cutover, internal client access for E2010 mailboxes will be broken.
- Mitigation: force Outlook Anywhere for E2010 connectivity, change the RPC CAS Array FQDN in E2010, or use load balancer configuration to fork the traffic.
- Status: documented - http://blogs.technet.com/b/exchange/archive/2013/05/23/ambiguous-urls-and-their-effect-on-exchange-2010-to-exchange-2013-migrations.aspx
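The second mitigation (renaming the RPC CAS Array) as an added example that is not from the slides or from Kraft Kennedy. Run from the Exchange 2010 Management Shell, it first detects whether any CAS Array FQDN is also used as an OWA, EWS or Autodiscover hostname (the ambiguous-URL condition), then moves the array to a dedicated name and repoints the databases. cas.client.com is the name from the slide; outlook.client.com is a placeholder for the new RPC-only name and must already resolve in internal DNS to the 2010 CAS load balancer.

```powershell
# Added example: detect an ambiguous Exchange 2010 CAS Array name and move it to a dedicated FQDN.
# outlook.client.com is a placeholder; create its internal DNS record before running this.
$newArrayFqdn = 'outlook.client.com'

# Every hostname that web clients use against Exchange 2010 (OWA, EWS, Autodiscover).
$webNames = @(
    Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
    Get-ClientAccessServer          | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
) | Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() } | Sort-Object -Unique

foreach ($array in Get-ClientAccessArray) {
    if ($webNames -notcontains $array.Fqdn.ToLower()) {
        Write-Host "CAS Array '$($array.Fqdn)' is RPC-only; no change needed."
        continue
    }
    Write-Warning "CAS Array '$($array.Fqdn)' is also a web namespace; moving that name to E2016 would break E2010 RPC access."

    # Rename the array, then repoint every database that still references the old name.
    $oldFqdn = $array.Fqdn
    Set-ClientAccessArray -Identity $array.Identity -Fqdn $newArrayFqdn
    Get-MailboxDatabase | Where-Object { $_.RpcClientAccessServer -eq $oldFqdn } |
        Set-MailboxDatabase -RpcClientAccessServer $newArrayFqdn
}

# Confirm no database still points at the ambiguous name before the namespace cutover.
Get-MailboxDatabase | Format-Table Name, RpcClientAccessServer -AutoSize
```

Existing Outlook profiles keep the old server name until Autodiscover refreshes them, so do this well before cas.client.com moves to E2016 and confirm a restarted Outlook client picks up the new name from Autodiscover first.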
ALLOWCROSSSITERPCCLIENTACCESS
- Issue: configuring AllowCrossSiteRpcClientAccess on a DAG to True was common in E2010 to allow a seamless client experience when databases activated across site boundaries. Setting this to True in E2013/2016 causes unexpected Outlook Anywhere endpoints to be used.
- Impact: if an unexpected endpoint is used, there could be performance issues across a WAN and outages if servers are rebooted.
- Mitigation: leave this at the default of False.
- Status: working as designed; undocumented (discovered by K&K).
DATABASECOPYAUTOACTIVATIONPOLICY
- Issue: DatabaseCopyAutoActivationPolicy on an MBX is used to control database copy activation behavior, most commonly to restrict out-of-site copies. Setting this to anything other than Unrestricted breaks client access when those copies are activated.
- Impact: outage for users in the affected databases unless DCAAP is set back to Unrestricted.
- Mitigation: leave DCAAP at the default of Unrestricted.
- Status: working as designed; blogged but not formally documented.
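An audit for both of these settings (this slide and the previous one), added here as an example that is not from the slides or from Kraft Kennedy. It runs from the Exchange 2016 Management Shell, reports any DAG with AllowCrossSiteRpcClientAccess set to True and any E2013/2016 mailbox server whose DatabaseCopyAutoActivationPolicy is not Unrestricted, and resets them to the defaults only when -Commit is passed.

```powershell
# Added example: audit the two DAG/mailbox-server settings from these slides and restore defaults.
# Report-only unless -Commit is supplied.
param([switch]$Commit)

foreach ($dag in Get-DatabaseAvailabilityGroup) {
    if ($dag.AllowCrossSiteRpcClientAccess) {
        Write-Warning "DAG $($dag.Name): AllowCrossSiteRpcClientAccess is True (default is False)."
        if ($Commit) { Set-DatabaseAvailabilityGroup -Identity $dag.Name -AllowCrossSiteRpcClientAccess $false }
    }
}

# Only E2013/2016 (major version 15) servers; on E2010 a restrictive DCAAP is a supported design.
$modern = Get-MailboxServer | Where-Object { $_.AdminDisplayVersion.Major -ge 15 }
foreach ($server in $modern) {
    if ($server.DatabaseCopyAutoActivationPolicy -ne 'Unrestricted') {
        # Note: maintenance scripts set Blocked temporarily and put it back; a server that stays
        # non-Unrestricted outside a maintenance window is the condition this slide warns about.
        Write-Warning "$($server.Name): DatabaseCopyAutoActivationPolicy is $($server.DatabaseCopyAutoActivationPolicy) (default is Unrestricted)."
        if ($Commit) { Set-MailboxServer -Identity $server.Name -DatabaseCopyAutoActivationPolicy Unrestricted }
    }
}

# Summary for the change record.
Get-DatabaseAvailabilityGroup | Format-Table Name, AllowCrossSiteRpcClientAccess -AutoSize
$modern | Format-Table Name, DatabaseCopyAutoActivationPolicy -AutoSize
```

Schedule the report-only form to run regularly: both settings are easy for an administrator with Exchange 2010 habits to change back, and the failure only shows up during a site failover, which is the worst time to discover it.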
LOGGING SIZE
- Issue: E2013/2016 leverages extensive logging, creates PerfMon captures to gauge server performance, etc. This can quickly consume a large amount of disk space on the Exchange binaries volume.
- Impact: the Exchange binaries volume could run out of space, causing an outage.
- Mitigation: leverage a PowerShell script as a Scheduled Task to purge after X days.
- Status: blogged but not formally documented.
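A purge script of the kind the mitigation describes, added here as an example that is not from the slides or from Kraft Kennedy. It removes only log-type files (.log, .blg, .etl) older than the retention window from the Exchange logging folders and the IIS log folder, never touching databases, transaction logs or binaries, and it reports without deleting unless -Commit is given. The folder list assumes a default Exchange 2013/2016 install and default IIS log location; the script name Purge-ExchangeLogs.ps1 and the task registration at the end are placeholders.

```powershell
# Added example: purge Exchange 2016 diagnostic and IIS logs older than N days.
# Save as Purge-ExchangeLogs.ps1 (placeholder name). Report-only unless -Commit.
param(
    [int]$Days = 14,     # the slide's "X days"
    [switch]$Commit
)

$exchangeRoot = $env:ExchangeInstallPath     # set by Exchange Setup on every Exchange server
if (-not $exchangeRoot) { throw 'ExchangeInstallPath is not set; run this on an Exchange server.' }

# Default locations (assumption: default install paths). Transaction logs are NOT in this list.
$logRoots = @(
    (Join-Path $exchangeRoot 'Logging'),                              # protocol, HttpProxy, Diagnostics, PerfMon (.blg)
    (Join-Path $exchangeRoot 'Bin\Search\Ceres\Diagnostics\Logs'),    # search foundation logs
    (Join-Path $exchangeRoot 'Bin\Search\Ceres\Diagnostics\ETLTraces'),
    'C:\inetpub\logs\LogFiles'                                        # IIS W3C logs
)

$cutoff = (Get-Date).AddDays(-$Days)
$totalBytes = 0

foreach ($root in $logRoots | Where-Object { Test-Path $_ }) {
    # Restrict to log-type extensions so a mistyped path can never reach .edb or .chk files.
    $old = @(Get-ChildItem -Path $root -Recurse -File -Include *.log, *.blg, *.etl -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff })
    $bytes = ($old | Measure-Object -Property Length -Sum).Sum
    $totalBytes += $bytes
    Write-Host ("{0}: {1} files, {2:N0} MB older than {3} days" -f $root, $old.Count, ($bytes / 1MB), $Days)
    if ($Commit) { $old | Remove-Item -Force -ErrorAction SilentlyContinue }
}
Write-Host ("Total reclaimable: {0:N0} MB" -f ($totalBytes / 1MB))

# Scheduling (run once, as an administrator; path and time are placeholders):
# $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#              -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Purge-ExchangeLogs.ps1 -Days 14 -Commit'
# $trigger = New-ScheduledTaskTrigger -Daily -At 2am
# Register-ScheduledTask -TaskName 'Purge Exchange Logs' -Action $action -Trigger $trigger -User 'SYSTEM'
```

Pick the retention window with the incident responders in mind: the HttpProxy and protocol logs under Logging are often the only record of who connected to what during a client access problem, so 14 days is a floor for investigation rather than a target for disk savings.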
PLAN, PLAN, THEN PLAN SOME MORE
- High availability and site resiliency
- Virtual vs. physical deployment
- Sizing: compute, network, storage
- Server topology and specifications
- Namespace planning
- Load balancing
- Coexistence and migration
- Decommissioning
ARCHITECTURE FAILS..
DESIGN - MEASURE TWICE, CUT ONCE
- Understand design requirements for high availability, site resiliency, etc.
- Complete sizing calculations
  - Need the user message profile and average message size
  - Determine required storage capacity
  - Verify that the IOPS achievable from that capacity match the user load
  - Verify Background Database Maintenance based on database copy count
  - Determine megacycles and CPU count (don't forget ActiveSync devices!!!)
  - Determine memory requirements
VIRTUALIZATION CONSIDERATIONS
- Size for physical, then virtualize
- CPU and RAM requirements significantly increased from Exchange 2010
- Virtualization still provides benefits, but you need to understand cost vs. benefit
- Ensure accurate user message profile data before sizing; do not assume either value or you will undersize or oversize
- Consider the issues of oversizing when virtualizing
- Jetstress is critical to validate the design
- Virtualizing Exchange != server consolidation; choose virtualization for its availability/flexibility benefits
VIRTUALIZATION CONSIDERATIONS
- 2:1 CPU oversubscription supported; 1:1 CPU strongly recommended
- In a heterogeneous host environment, you must ensure the slowest host can handle the Exchange CPU requirements
- Memory overcommit is unsupported; use reservations to guarantee memory for Exchange
- Choose the right storage presentation method: VMDKs in VMFS, host-based RDMs, or in-guest presentation
NOT RUNNING JETSTRESS
Common reasons for skipping Jetstress:
- "My storage vendor said Jetstress is unrealistic and always fails"
- "My storage is brand new and couldn't possibly have issues"
- "IOMeter says I will achieve 50,000 IOPS"
- "I'm feeling lucky... What could possibly go wrong?"
REAL WORLD ISSUES UNCOVERED BY JETSTRESS
- Dramatically insufficient spindle count for storage performance requirements
- Saturation of the storage networking fabric (Fibre Channel or iSCSI)
- RAID controller lost-flush issues only encountered under load
- Firmware issues resulting in drive failures only encountered under load
- Storage traffic occurring over a single iSCSI NIC and without jumbo frames
- A/V software causing an 85%+ reduction in IOPS even with proper exclusions
- Bug in the VMware vSphere 5.0 PVSCSI adapter causing I/O failures
QUESTIONS