Exchange 2010 Deployment and Transitions MMCUG 9232011

Upload: reclambyuk

Post on 05-Apr-2018


8/2/2019 Exchange 2010 Deployment and Transitions MMCUG 9232011

page 1: Lead with Strategy. Leverage Technology. Deliver Results.

Exchange 2010 Client Access

Sep 23, 2011

Alan Wang, Technical Specialist, Project Leadership Associates

page 2: How Outlook Connects to Exchange 2010

- In legacy Exchange (2003/2007), Outlook clients connect directly to the mailbox server.
  - The 2003 FE is responsible for OWA\ActiveSync\Outlook Anywhere.
  - The 2007 CAS is responsible for OWA\ActiveSync\Outlook Anywhere\EWS\OAB.
- The Exchange 2010 CAS now becomes the RPC endpoint for Outlook clients.
  - A mailbox database is no longer attached to any specific mailbox server.
  - A database in a DAG can be mounted\activated on any DAG node.
  - How does the Outlook client know the database has been activated on another server? It doesn't know where the database is located. It knows the name of the database and which CAS server it needs to connect to; the CAS server then proxies the RPC call to the mailbox server where the database is mounted.
  - Each database has an attribute called RPCClientAccessServer, which tells the client: to connect to this database, connect to this CAS server\array.
- The 2010 CAS is therefore more important than it ever was. If CAS is down, Outlook clients lose their connection even though the database stays mounted.

page 3: Store Access Paths (two architecture diagrams; text recovered from the figure)

- Diagram 1: Outlook and other MAPI clients (Mailbox MAPI RPC), Entourage and 3rd-party apps (DAV*), and Exchange components (EWS, ActiveSync, UM, OWA, Mailbox Agents, Transport Agents) via the Middle Tier Exchange Business Logic, all terminating at the Store.
- Diagram 2: Outlook and other MAPI clients, Entourage and 3rd-party apps, and the same Exchange components (EWS, ActiveSync, UM, OWA, Mailbox Agents, Transport Agents) reach the Middle Tier (Exchange Core Business Logic, MAPI, RFR & NSPI RPC), which connects over Mailbox MAPI RPC through the Exchange Business Logic to the Store.

page 4: Exchange 2010 Middle Tier: What is it?

- New services in Exchange 2010 that reside on CAS
- Restrict all Outlook data access to a single common path by migrating Mailbox and Directory endpoints to CAS
- What it handles:
  - Outlook data connections go to the RPC Client Access Service on CAS instead of connecting to Mailbox servers
  - The Address Book Service on CAS replaces the DSProxy interface and handles all Outlook Directory connections
  - Public folder connections connect directly to the Mailbox server, but through the RPC Client Access Service running on the Mailbox server
- (Diagram: MBX, Exchange CAS Array, Outlook Clients, GC)

page 5: The Middle Tier: What it Provides

- Provides a better client experience during switchovers/failovers
  - When a MBX server fails over, the Outlook client will only see a ~30 sec disconnect, as compared to 1 min - TTL before
- Uses the same business logic for Outlook and CAS clients
  - Data validation, especially Calendar logging + repair
  - Compliance
  - Archive mailbox infrastructure
  - Content/body conversion
- Scaling mailbox connections
  - More concurrent connections/mailboxes per Mailbox server
- Reduces code and client logic in the Exchange Store process for increased reliability

page 6: Mailbox Database Configuration

- The RPCClientAccessServer value on the user's mailbox database determines the CAS server or array the client will use
- The endpoint value is determined by the existence of CAS servers or an array in the site in which the database is created
- Autodiscover will provide the value to Outlook 2007+
- Manual profile creation will change the Exchange Server name in the profile to this value if another NSPI endpoint is entered, having retrieved the correct endpoint from Active Directory

page 7: Outlook Connectivity Behavior

- All Outlook versions behave consistently in a single datacenter HA scenario
  - Profile points to the Client Access Server array
  - Profile is unchanged by failovers or loss of CAS
- All Outlook versions should behave consistently in a datacenter activation scenario
  - The primary datacenter Client Access Server array DNS name is bound to the virtual IP address of the standby datacenter's CAS array load balancer
  - Autodiscover continues to hand out the primary datacenter CAS name as the Outlook RPC endpoint
  - Profile remains unchanged

page 8: Outlook Cross-Site DB *over Experience

- The default behavior is to perform a direct connect from the CAS array in the first datacenter to the mailbox server hosting the active copy in the second datacenter
- You can only get a redirect to occur by changing the RPCClientAccessServer property on the database
  - However, the Outlook client may not automatically apply the change to the Home Server property*
  - You can force a profile update by performing a profile repair

page 9: Namespaces (table recovered from the slide)

- E2003 (mail.contoso.com): Outlook Web Access /exchange, /exchweb, /public; Exchange ActiveSync /microsoft-server-activesync; Outlook Anywhere /rpc; POP/IMAP/SMTP; Outlook Mobile Access /oma
- E2007 (mail.contoso.com, autodiscover.contoso.com): Outlook Web Access /owa; Exchange Web Services /ews; Offline Address Book /oab; Unified Messaging /unifiedmessaging; Autodiscover /autodiscover
- E2010 (mail.contoso.com, autodiscover.contoso.com; legacy.contoso.com for E2003/E2007 services): Outlook Web App /owa; Exchange Control Panel /ecp

page 10: Exchange 2010 Virtual Directories

- OWA Virtual Directory
  - InternalURL https://mail.contoso.com/owa
  - ExternalURL https://mail.contoso.com/owa
- ECP Virtual Directory
  - InternalURL https://mail.contoso.com/ecp - returned by EXCH
  - ExternalURL https://mail.contoso.com/ecp - returned by EXPR
- ActiveSync Virtual Directory
  - InternalURL https://mail.contoso.com/Microsoft-Server-ActiveSync
  - ExternalURL https://mail.contoso.com/Microsoft-Server-ActiveSync
- Web Services Virtual Directory
  - InternalURL https://mail.contoso.com/ews/Exchange.asmx - returned by EXCH
  - ExternalURL https://mail.contoso.com/ews/Exchange.asmx - returned by EXPR
- OAB Virtual Directory
  - InternalURL https://mail.contoso.com/OAB - returned by EXCH
  - ExternalURL https://mail.contoso.com/OAB - returned by EXPR

page 11

If the request is made by an Outlook Exchange RPC client, the EXCH provider will return the InternalUrl configured on the best CAS server for the following services: Availability Service, OAB virtual directory and Unified Messaging virtual directory.

page 12

If the request is made by an Outlook Anywhere Exchange HTTP client, the EXPR provider will return the ExternalUrl configured on the best CAS server for the same services: Availability Service, OAB virtual directory and Unified Messaging virtual directory, plus the ExternalHostName for Outlook Anywhere.

page 13: Deploying E2010 - SSL Certificates

- Best practice: minimize the number of certificates
  - 1 certificate for all CAS servers + reverse proxy + Edge/HUB
- Use a Subject Alternative Name (SAN) certificate, which can cover multiple hostnames
- Don't list machine hostnames in the certificate hostname list
- Don't list the ClientAccessArray name in the certificate hostname list

page 14: Deploying E2010 - SSL Certificates

Basic names:

- mail.contoso.com (Common Name of the SAN cert)
- Autodiscover.contoso.com
- Legacy.contoso.com (for co-existence between 2003\2007 & 2010)
- MailDR.contoso.com (for datacenter failover) - optional
- Failback.contoso.com (for datacenter failback) - optional
- Smtp.contoso.com (if secure SMTP is required) - optional

page 15: Deploying E2010 - SSL Certificates

- Make sure the Common Name matches the CertPrincipalName of the Outlook EXPR provider:

  Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.contoso.com

- (Diagram: certificate names *.contoso.com and mail.contoso.com)
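The following is an added example, not from the deck, that puts pages 13 to 15 into Exchange Management Shell commands: one SAN request covering the basic names, a check that no machine hostname or CAS array name slipped into the list, and the EXPR provider aligned to the certificate's Common Name. The server names cas01/cas02, the array name outlook.contoso.com and the file paths are assumed.

```powershell
# Added example (not from the deck): request a single SAN certificate for all CAS
# servers, check its name list against the deck's guidance, and match the EXPR
# provider's CertPrincipalName to the certificate Common Name.
# Assumed: cas01/cas02 are the CAS machine names, outlook.contoso.com is the CAS
# array FQDN, C:\certs holds the request/response files.

$commonName = 'mail.contoso.com'
$sanNames   = @('mail.contoso.com',
                'autodiscover.contoso.com',
                'legacy.contoso.com',       # 2003/2007 coexistence
                'maildr.contoso.com',       # optional: datacenter failover
                'failback.contoso.com',     # optional: datacenter failback
                'smtp.contoso.com')         # optional: secure SMTP

# Names the deck says must NOT appear in the certificate (assumed values).
$forbidden = @('cas01.contoso.com', 'cas02.contoso.com', 'outlook.contoso.com')

function Test-CertificateNameList {
    param([string[]]$Names, [string[]]$Forbidden)
    $bad = $Names | Where-Object { $Forbidden -contains $_.ToLower() }
    if ($bad) { throw "Certificate name list contains disallowed names: $($bad -join ', ')" }
    if ($Names[0] -ne $commonName) { throw 'First SAN entry should be the Common Name' }
    return $true
}

Test-CertificateNameList -Names $sanNames -Forbidden $forbidden | Out-Null

# 1. Generate the request on one CAS server. PrivateKeyExportable lets the same
#    certificate be copied to the other CAS servers, the reverse proxy and Edge/HUB.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Contoso, cn=$commonName" `
    -DomainName $sanNames `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -FriendlyName 'Contoso Exchange 2010 SAN'
Set-Content -Path 'C:\certs\contoso-san.req' -Value $req

# 2. Import the CA's response and bind it to IIS (OWA/EAS/EWS/OAB/Autodiscover) and SMTP.
$bytes = [Byte[]](Get-Content -Path 'C:\certs\contoso-san.cer' -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 3. Export a PFX for the other servers so there is still only one certificate.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path 'C:\certs\contoso-san.pfx' -Value $pfx.FileData -Encoding Byte

# 4. Outlook Anywhere checks the certificate against the EXPR provider's principal
#    name. With a CN of mail.contoso.com use msstd:mail.contoso.com; a wildcard
#    certificate would use msstd:*.contoso.com as on the slide.
Set-OutlookProvider -Identity EXPR -CertPrincipalName "msstd:$commonName"
Get-OutlookProvider -Identity EXPR | Format-List Name, CertPrincipalName
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains, Services
```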

page 16: Deploying E2010 - Split DNS

- Best practice: use split DNS for the Exchange hostnames used by clients
- Goal: minimize the number of hostnames
  - mail.contoso.com for Exchange connectivity on the intranet and Internet
  - mail.contoso.com has different IP addresses in intranet/Internet DNS
- Important: before moving down this path, be sure to map out all the host names (outside of Exchange) that you will want to create in the internal zone

page 18: Load Balancing Recommendations

- Recommended
  - Hardware load balancers
  - Integrated "is alive" monitoring recommended
  - Fixing of MAPI and directory endpoint ports
  - Create a CAS Array and load-balance selected or all CAS in a site
  - Client IP affinity or cookie-based authentication where appropriate
- Not recommended
  - DNS round robin
  - Windows Network Load Balancing
  - Do not load-balance cross-site; create two arrays instead and load-balance separately

page 19: Load Balancing Protocol Persistence Recommendations

Persistence: Required        Persistence: Recommended   Persistence: Not Required
Outlook Web App              Outlook Anywhere           Offline Address Book
Exchange Control Panel       AutoDiscover               POP3
ActiveSync                                              IMAP4
Exchange Web Services
Address Book Service
RPC Client Access Service
Remote PowerShell

- Recommended: reduced performance without persistence
- Not required: does not suffer a performance hit without persistence

page 20: Deploying E2010 - CAS Load Balancing

- OWA and EWS load balancing require client-server affinity
  - OWA supports cookie-based affinity, but other clients do not and require IP-based affinity
- Tell Autodiscover where to send clients: configure load-balanced InternalURL and ExternalURL parameters on the virtual directories
  - Example: Set-WebServicesVirtualDirectory "cas2010\ews*" -ExternalURL https://mail.contoso.com/ews/exchange.asmx
- Tell Outlook clients where to go for intranet MAPI access: use New-ClientAccessArray and Set-MailboxDatabase
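The following is an added example, not from the deck, showing the New-ClientAccessArray / Set-MailboxDatabase step from this page together with the RPCClientAccessServer behaviour from pages 2 and 6: create one array per AD site, repoint every database in that site, and verify. The site name Chicago, the array FQDN outlook.contoso.com and the load balancer VIP are assumed.

```powershell
# Added example (not from the deck): create the RPC Client Access array for one AD
# site, point each mailbox database in that site at it, and report the result.
# Assumed: AD site 'Chicago'; outlook.contoso.com is a DNS A record for the load
# balancer VIP. Per page 13 this name is deliberately NOT on the SSL certificate
# (MAPI RPC does not use SSL), and per page 18 there is one array per site.

$site      = 'Chicago'
$arrayFqdn = 'outlook.contoso.com'

# Create the array only once; New-ClientAccessArray fails if the site already has one.
if (-not (Get-ClientAccessArray -Site $site -ErrorAction SilentlyContinue)) {
    New-ClientAccessArray -Name $arrayFqdn -Fqdn $arrayFqdn -Site $site
}

function Get-SiteMailboxDatabases {
    param([string]$Site)
    # Database objects do not carry the site; look it up via the owning server.
    Get-MailboxDatabase | Where-Object {
        (Get-ExchangeServer -Identity $_.Server).Site.Name -eq $Site
    }
}

# Databases created before the array existed still name a single CAS server as
# their RpcClientAccessServer, so Outlook profiles built from them lose the
# load-balancing benefit. Repoint those databases at the array.
foreach ($db in Get-SiteMailboxDatabases -Site $site) {
    if ($db.RpcClientAccessServer -ne $arrayFqdn) {
        Write-Host "Repointing $($db.Name): $($db.RpcClientAccessServer) -> $arrayFqdn"
        Set-MailboxDatabase -Identity $db.Identity -RpcClientAccessServer $arrayFqdn
    }
}

function Get-RpcEndpointReport {
    param([string]$Site)
    Get-SiteMailboxDatabases -Site $Site |
        Select-Object Name, Server, RpcClientAccessServer
}

# Verification: every database in the site should report the array, and the array
# name must resolve, otherwise Outlook cannot reach the endpoint it is handed.
Get-RpcEndpointReport -Site $site | Format-Table -AutoSize
[System.Net.Dns]::GetHostAddresses($arrayFqdn) | Select-Object IPAddressToString

# Existing Outlook profiles may not pick up a changed RpcClientAccessServer on
# their own (page 8); a profile repair forces the update on the client.
```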

page 21: Deploying E2010 - CAS Load Balancing

- The CAS AutoDiscoverServiceInternalUri property should be set to the NLB FQDN
- Ensure the Web Services property InternalNLBBypassURL is set to the server FQDN
- Configure virtual directory URLs according to this table:

Virtual Directory              InternalURL   ExternalURL (Internet-facing AD site)   ExternalURL (non-Internet-facing AD site)
/OWA                           Server FQDN   NLB FQDN                                $null
/ECP                           NLB FQDN      NLB FQDN                                $null
/Microsoft-Server-ActiveSync   NLB FQDN      NLB FQDN                                $null
/OAB                           NLB FQDN      NLB FQDN                                $null
/EWS                           NLB FQDN      NLB FQDN                                $null

page 22: Deploying E2010 - CAS Load Balancing

- Real-world gotcha: Outlook 2007\2010 clients get a certificate warning after the first Exchange 2010 CAS server is brought online
- Cause: Outlook 2007\2010 happens to use https://cas2010.contoso.com/autodiscover/autodiscover.xml for the Autodiscover lookup
- Solution: set AutodiscoverServiceInternalURI for CAS2010 to https://autodiscover.contoso.com/autodiscover/autodiscover.xml
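The following is an added example, not from the deck, that applies the URL table from page 21 and the Autodiscover fix from this page to one CAS server in one script, so the values handed out by EXCH/EXPR (pages 10 to 12) come from a single place. The server name cas01 (FQDN cas01.contoso.com), the NLB name mail.contoso.com and the Internet-facing flag are assumed.

```powershell
# Added example (not from the deck): configure one CAS server's virtual directory
# URLs per the page 21 table and fix the Autodiscover SCP so Outlook is never handed
# the machine name (page 22 gotcha).
# Assumed: server cas01 / cas01.contoso.com, NLB FQDN mail.contoso.com. Set
# $internetFacing to $false for a non-Internet-facing AD site ($null ExternalURLs).

$server         = 'cas01'
$serverFqdn     = 'cas01.contoso.com'
$nlbFqdn        = 'mail.contoso.com'
$internetFacing = $true
$externalHost   = if ($internetFacing) { $nlbFqdn } else { $null }

function New-VdirUrl {
    # Returns $null when no host is given, which is what a non-Internet-facing
    # site's ExternalURL must be set to.
    param([string]$HostName, [string]$Path)
    if ($HostName) { [uri]"https://$HostName$Path" } else { $null }
}

# OWA InternalURL is the server FQDN in the deck's table; everything else is NLB.
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl (New-VdirUrl $serverFqdn '/owa') `
    -ExternalUrl (New-VdirUrl $externalHost '/owa')
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" `
    -InternalUrl (New-VdirUrl $nlbFqdn '/ecp') `
    -ExternalUrl (New-VdirUrl $externalHost '/ecp')
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl (New-VdirUrl $nlbFqdn '/Microsoft-Server-ActiveSync') `
    -ExternalUrl (New-VdirUrl $externalHost '/Microsoft-Server-ActiveSync')
Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl (New-VdirUrl $nlbFqdn '/OAB') `
    -ExternalUrl (New-VdirUrl $externalHost '/OAB')
# EWS: InternalNLBBypassUrl names the individual server so server-to-server calls
# do not go back through the load balancer.
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl (New-VdirUrl $nlbFqdn '/ews/exchange.asmx') `
    -ExternalUrl (New-VdirUrl $externalHost '/ews/exchange.asmx') `
    -InternalNLBBypassUrl (New-VdirUrl $serverFqdn '/ews/exchange.asmx')

# The SCP in AD must advertise a name that is on the certificate (page 14), not the
# machine name, or Outlook 2007/2010 raises the certificate warning from page 22.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri 'https://autodiscover.contoso.com/autodiscover/autodiscover.xml'

function Get-CasUrlReport {
    param([string]$Server)
    $cas = Get-ClientAccessServer -Identity $Server
    $ews = Get-WebServicesVirtualDirectory -Server $Server
    $owa = Get-OwaVirtualDirectory -Server $Server
    New-Object PSObject -Property @{
        Server               = $Server
        AutodiscoverUri      = $cas.AutoDiscoverServiceInternalUri
        OwaInternal          = $owa.InternalUrl
        OwaExternal          = $owa.ExternalUrl
        EwsInternal          = $ews.InternalUrl
        EwsExternal          = $ews.ExternalUrl
        EwsInternalNlbBypass = $ews.InternalNLBBypassUrl
    }
}

# Verify what Autodiscover will now hand to clients for this server.
Get-CasUrlReport -Server $server | Format-List
```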

page 23: Dynamic or Static Ports

- The dynamic port range for outgoing connections on Windows 2008/R2 is 49152 to 65535, but this range is changed to 6005 to 59530 when you install the CAS role
  - If you want to utilize the dynamic port range, ensure that this entire port range is open on any firewalls between clients and CAS role servers
- You can define static ports for both the MAPI and directory endpoints
  - If deploying static ports, the guidance is to choose two numbers above the dynamic range (6005 to 59530) but less than the max user port (60554)
  - So choose two numbers between 59531 and 60554
- Why deploy static ports?
  - Reduces the range of destination ports in load balancer config and memory
  - Easier firewall configuration (if applicable)

page 24: Setting Static Ports in Exchange 2010 SP1

- On CAS role servers
  - MAPI: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem\TCP/IP Port [DWORD] is the value for the port to use
  - Directory: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters\RpcTcpPort [REG_SZ] is the value for the port to use
- On public folder servers
  - MAPI: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem\TCP/IP Port [DWORD] is the value for the IP port to use
- Note that Outlook Anywhere ports should not be changed, as they are hardcoded in Outlook
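The following is an added example, not from the deck, that sets the two registry values from this page on a CAS role server after enforcing the port window from page 23 (59531 to 60554, two distinct numbers), then reads them back. The port numbers 59532 and 59533 are assumed; run it elevated on the CAS server.

```powershell
# Added example (not from the deck): pin the MAPI (RPC Client Access) and directory
# (Address Book) ports with the registry values named on page 24, validating the
# choice against the window described on page 23.
# Assumed: ports 59532 (MAPI) and 59533 (directory); elevated shell on the CAS server.

$dynamicHigh = 59530   # top of the CAS-adjusted dynamic range (6005-59530)
$maxUserPort = 60554   # max user port as stated in the deck

function Test-StaticPortChoice {
    param([int]$MapiPort, [int]$DirectoryPort)
    foreach ($p in @($MapiPort, $DirectoryPort)) {
        if ($p -le $dynamicHigh -or $p -gt $maxUserPort) {
            throw "Port $p is outside the recommended window $($dynamicHigh + 1)-$maxUserPort"
        }
    }
    if ($MapiPort -eq $DirectoryPort) { throw 'MAPI and directory ports must differ' }
    return $true
}

function Set-ExchangeStaticPorts {
    param([int]$MapiPort, [int]$DirectoryPort)
    Test-StaticPortChoice -MapiPort $MapiPort -DirectoryPort $DirectoryPort | Out-Null

    # MAPI endpoint: ParametersSystem\"TCP/IP Port" as a REG_DWORD.
    $rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem'
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    New-ItemProperty -Path $rpcKey -Name 'TCP/IP Port' -PropertyType DWord `
        -Value $MapiPort -Force | Out-Null

    # Directory endpoint: Parameters\RpcTcpPort as a REG_SZ (a string, not a DWORD).
    $abKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'
    if (-not (Test-Path $abKey)) { New-Item -Path $abKey -Force | Out-Null }
    New-ItemProperty -Path $abKey -Name 'RpcTcpPort' -PropertyType String `
        -Value "$DirectoryPort" -Force | Out-Null
}

function Get-ExchangeStaticPorts {
    $rpc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem' -ErrorAction SilentlyContinue
    $ab  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        MapiPort      = $rpc.'TCP/IP Port'
        DirectoryPort = $ab.RpcTcpPort
    }
}

Set-ExchangeStaticPorts -MapiPort 59532 -DirectoryPort 59533

# The values are read at service start; restart both services for them to apply.
# Outlook Anywhere (RPC/HTTP) ports are left alone, as the deck says.
Restart-Service -Name MSExchangeRPC, MSExchangeAB
Get-ExchangeStaticPorts | Format-List

# Confirm the endpoints really listen on the pinned ports (expect two LISTENING lines).
netstat -ano | Select-String ':5953[23]\s'
```

Once both ports are pinned, the load balancer and any firewall between clients and CAS only need the two static ports (plus 135 for the endpoint mapper) instead of the whole 6005 to 59530 range.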

page 25: Transitioning Client Access to Exchange 2010

page 26: Transition overview (diagram; text recovered from the figure)

Internet-facing AD site and internal AD site, each with FE, BE, CAS, HUB, UM, MBX 2003 or 2007 alongside CAS, HUB, UM, MBX 2010. Upgrade Internet-facing sites first, internal sites second.

1. Upgrade existing servers to SP2
2. Deploy E2010 servers: CAS first, MBX last. Start with a few and gradually add more servers as you move mailboxes
3. Legacy hostname for the old FE/CAS: SSL cert purchase; end users don't see this hostname; used when Autodiscover and redirection from CAS2010 tell clients to talk to FE2003/CAS2007 for MBX2003/MBX2007 access
4. Move Internet hostnames to CAS2010, the UM phone number to UM2010 and the SMTP endpoint to HUB2010
5. Move mailboxes (CAS-CAS proxy)
6. Decommission old servers

page 27: Remote Connectivity Analyzer

- https://www.testexchangeconnectivity.com/
- Tests Exchange ActiveSync (EAS), Outlook Anywhere (RPC/HTTP), Autodiscover, EWS, SMTP and more
- Remember: RCA lies
  - If you see any failure result, don't consider it a true failure. Try using a different account to duplicate the failure, and also try a real client\device for the same test.
  - I've wasted a lot of time trying to figure out a failure reported by RCA where the real client didn't have any problem at all.

page 28: Transitioning Exchange 2003 to 2010

page 29: Transitioning Exchange 2007 to 2010

page 30: Switching to CAS2010 - Prep Steps - 1

1. Obtain and deploy a new certificate that includes the required host name values
   a. mail.contoso.com
   b. autodiscover.contoso.com
   c. legacy.contoso.com
2. Upgrade all Exchange servers to Service Pack 2
   a. Enable Integrated Windows Authentication on the Exchange 2003 MSAS virtual directory (KB 937031)
3. Install and configure CAS2010 servers
   a. Configure InternalURLs and ExternalURLs
   b. Configure the Exchange2003URL parameter to be https://legacy.contoso.com/exchange

page 31: Switching to CAS2010 - Prep Steps - 2

4. Join CAS2010 to a load-balanced array
   a. Create the CAS2010 RPC Client Access Service array
   b. Ensure MAPI RPC and HTTPS ports are load balanced
5. Install HUB2010 and MBX2010 servers
   a. Configure routing coexistence
   b. Configure OAB web-based distribution to generate on 2010
6. Create the Legacy record in DNS (internal/external)
7. Create Legacy publishing rules in your reverse proxy/firewall solution pointed to the FE2003 / CAS2007 array
8. Use ExRCA to verify connectivity for the Legacy namespace

page 32: Switching to CAS2010

The switchover involves a minor service interruption.

1. Update internal DNS and have mail.contoso.com point to the CAS2010 array
2. Update/create the Autodiscover publishing rule and point it to the CAS2010 array
3. Update the Mail publishing rules and point them to the CAS2010 array
   a. Remember to update paths with the new Exchange 2010-specific virtual directories
4. Disable Outlook Anywhere on legacy Exchange
5. Test that CAS2010 is redirecting/proxying to CAS2007 (externally and internally)

(Diagram: ISA in front of E200x SP2 and E2010 CAS+HUB+MBX; namespaces autodiscover, mail and legacy. 1: clients access E2010 through Autodiscover and mail. 2: redirection (legacy), proxying and direct access to E2003/E2007.)

page 33: Clients access CAS2010 first

Four different things happen for E2003/E2007 mailboxes:

1. Autodiscover tells clients to talk to CAS2007
2. HTTP redirect to FE2003 or CAS2007
3. Proxying of requests from CAS2010 to CAS2007
4. Direct CAS2010 support for the service against BE2003 and MBX2007

CAS2010 service and E2003/E2007 mailbox treatment:

- OWA
  - E2003: Single Sign-On FBA redirect
  - E2007 same AD site: SSO FBA redirect
  - E2007 externally facing AD site: manual redirect
  - E2007 internally facing AD site: proxy
- EAS
  - E2007: Autodiscover & redirect (WM6.1 and newer), proxying (WM6 and older, all non-Microsoft)
  - E2003: direct CAS2010 support
  - Clients which use new EAS2010 features need to re-sync
- Outlook Anywhere & OAB: direct CAS2010 support
- EWS: should use AutoDiscover
- POP/IMAP
  - E2007: CAS to CAS proxy
  - E2003: direct CAS2010 support

page 34: ActiveSync Transition: 2003 to 2010

- Regardless of the location of the Exchange 2003 mailbox, CAS2010 will always proxy the request to the Exchange 2003 mailbox
- Since Exchange 2003 does not support Autodiscover, the device version does not matter

page 35: ActiveSync Transition: 2007 to 2010

page 36

For the legacy device scenario (i.e., the device does not support Autodiscover or protocol version 12.1 or later): User1's device is already configured to use the namespace mail.contoso.com. User1's device attempts to synchronize. CAS2010 will authenticate the user, access Active Directory and retrieve the following information:

- User's mailbox version
- User's mailbox location (AD site)
- The ExternalURL of the Exchange 2007 Client Access Server(s) EAS virtual directory located within the mailbox's AD site (if it exists)
- The InternalURL of the Exchange 2007 Client Access Server(s) EAS virtual directory located within the mailbox's AD site (if it exists)

While the user's mailbox does reside in the "Internet Facing AD Site" and the ExternalURL is populated on CAS2007 in that site, because the device does not support redirection via Autodiscover, CAS2010 will proxy the connection to the Exchange 2007 CAS infrastructure in the "Internet Facing AD Site". Specifically, the request is proxied to the CAS2007 (InternalURL value) \Microsoft-Server-ActiveSync\Proxy virtual directory. CAS2007 will authenticate the user, retrieve and render the mailbox data from the Exchange 2007 mailbox server, and provide the rendered data back to the CAS2010 server. CAS2010 will expose the data to the end user.

page 37

For the Autodiscover-supported device scenario (e.g., Windows Mobile 6.1 or later): User3's device is already configured to use the namespace mail.contoso.com. User3's device attempts to synchronize. CAS2010 will authenticate the user, access Active Directory and retrieve the following information:

- User's mailbox version
- User's mailbox location (AD site)
- The ExternalURL of the Exchange 2007 Client Access Server(s) EAS virtual directory located within the mailbox's AD site (if it exists)
- The InternalURL of the Exchange 2007 Client Access Server(s) EAS virtual directory located within the mailbox's AD site (if it exists)

Since the user's mailbox does reside in the "Internet Facing AD Site", the ExternalURL is populated on CAS2007 in that site, and the device does support redirection via Autodiscover (this is determined by the protocol version of ActiveSync when establishing a synchronization; it must be version 12.1 or later), CAS2010 will return a response (HTTP error code 451) indicating that the device should use the legacy.contoso.com namespace for all synchronization events.

You can see the response in the IIS logs:

POST /Microsoft-Server-ActiveSync/default.eas User=user3&DeviceId=foo&DeviceType=PocketPC&Cmd=Settings&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user3 10.20.100.117 MSFT-PPC/5.2.5082 451 0 0 17

page 38

The device updates its profile to use legacy.contoso.com and attempts to synchronize with legacy.contoso.com. CAS2007 will authenticate the user, retrieve and render the mailbox data from the Exchange 2007 mailbox server, and provide the rendered data back to the device.

Important: Some third-party ActiveSync devices advertise support for protocol version 12.1 or later; however, they do not correctly process the 451 error response by updating the device profile. For these devices you will have to manually update the namespace in the device ActiveSync profile once CAS2010 has been deployed with the legacy.contoso.com namespace.

Always use proxy instead of redirection to avoid problems caused by different versions of the devices.
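The following is an added example, not from the deck, that turns the IIS log line from page 37 into a detection for the page 38 caveat: it parses ActiveSync request lines, pulls the RdirTo target out of the Log= field, and reports DeviceIds that keep receiving 451 responses, meaning the device never moved to legacy.contoso.com. The sample lines are constructed and follow the field layout of the slide's log line; on a real W3C log, adjust the field indices to the #Fields header (date/time and other columns precede these).

```powershell
# Added example (not from the deck): find ActiveSync devices stuck on 451 redirects.
# Sample log lines are constructed to match the slide's layout:
#   cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent)
#   sc-status sc-substatus sc-win32-status time-taken
$sampleLog = @'
POST /Microsoft-Server-ActiveSync/default.eas User=user3&DeviceId=foo&DeviceType=PocketPC&Cmd=Settings&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user3 10.20.100.117 MSFT-PPC/5.2.5082 451 0 0 17
POST /Microsoft-Server-ActiveSync/default.eas User=user3&DeviceId=foo&DeviceType=PocketPC&Cmd=FolderSync 443 contoso\user3 10.20.100.117 MSFT-PPC/5.2.5082 200 0 0 31
POST /Microsoft-Server-ActiveSync/default.eas User=user4&DeviceId=bar&DeviceType=ThirdPartyPhone&Cmd=Sync&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user4 10.20.100.118 ThirdPartyEAS/1.0 451 0 0 12
POST /Microsoft-Server-ActiveSync/default.eas User=user4&DeviceId=bar&DeviceType=ThirdPartyPhone&Cmd=Sync&Log=RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_Error:MisconfiguredDevice_ 443 contoso\user4 10.20.100.118 ThirdPartyEAS/1.0 451 0 0 11
'@ -split "`n"

function ConvertFrom-EasLogLine {
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 11 -or $f[1] -notlike '/Microsoft-Server-ActiveSync*') { return $null }

    # Break the query string into a name/value table (Cmd, DeviceId, Log, ...).
    $q = @{}
    foreach ($pair in ($f[2] -split '&')) {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) { $q[$kv[0]] = $kv[1] }
    }

    # The redirect target is URL-encoded inside Log=RdirTo:<url>_Error:...
    $target = $null
    if ($q['Log'] -and $q['Log'] -match 'RdirTo:([^_]+)') {
        $target = [uri]::UnescapeDataString($Matches[1])
    }

    New-Object PSObject -Property @{
        User = $f[4]; ClientIp = $f[5]; UserAgent = $f[6]
        DeviceId = $q['DeviceId']; DeviceType = $q['DeviceType']; Cmd = $q['Cmd']
        Status = [int]$f[7]; RedirectTarget = $target
    }
}

function Find-StuckRedirectDevices {
    # A device that honours the 451 is redirected once and then sync against
    # legacy.contoso.com; one that keeps coming back to CAS2010 shows repeated 451s.
    param([string[]]$Lines, [int]$Threshold = 2)
    $redirects = $Lines | ForEach-Object { ConvertFrom-EasLogLine $_ } |
        Where-Object { $_ -and $_.Status -eq 451 }
    $redirects | Group-Object DeviceId | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        $first = $_.Group[0]
        New-Object PSObject -Property @{
            DeviceId       = $_.Name
            User           = $first.User
            UserAgent      = $first.UserAgent
            RedirectCount  = $_.Count
            RedirectTarget = $first.RedirectTarget
        }
    }
}

# With the constructed input only DeviceId 'bar' (two 451s, no later 200) is reported;
# 'foo' was redirected once and then synced successfully.
Find-StuckRedirectDevices -Lines $sampleLog |
    Format-Table DeviceId, User, UserAgent, RedirectCount, RedirectTarget -AutoSize

# On a CAS2010 server, feed real logs instead of the sample (path assumed):
# Find-StuckRedirectDevices -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log')
```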

page 39: Caveats and Gotchas - Summary

- SSO redirect is only between 2010 and 2007 in the same AD site, or from 2010 to 2003
- Redirect between 2010 and 2007 in another externally facing 2007 site is manual, just as it was in 2007
- OWA never proxies inside the same AD site
- If there is no ExternalURL set on CAS 2007, then CAS 2010 will redirect to the InternalURL for OWA
- SSO only works with FBA, so if you are using Basic against a server, or directly accessing a 2003 BE, then you need FBA
- If you are doing FBA on ISA then you need to either point internal clients at ISA if you want FBA, or enable WI on CAS
- For SSO with ISA\TMG to work, you need to use the same listener to publish 2010 and 2007 OWA

page 40: Caveats and Gotchas - Summary

- CAS 2010 will always proxy EAS requests for 2003 users, and the proxy goes directly to the BE 2003 server, so you don't need WI authentication for EAS on the FE 2003 server
- Leave ExternalURL for the ActiveSync virtual directory set to $Null, so CAS 2010 will always proxy EAS requests for 2007 users instead of redirecting
- FBA is required for OWA silent redirect (SSO). If you cannot enable FBA for whatever reason, you can change the silent redirect to manual using the following command:

  Get-OwaVirtualDirectory -Server CAS2010 | Set-OwaVirtualDirectory -LegacyRedirectType Manual

page 41: Caveats and Gotchas - Summary

A real-world example:

- Exchange 2003 environment without FE and reverse proxy. FBA not enabled on the Exchange 2003 server.
- ActiveSync is being deployed.
- Goal is to do SSO during coexistence with 2010.
- ActiveSync gets broken as soon as FBA is enabled on the Exchange 2003 server.
- http://support.microsoft.com/kb/817379
- Follow Method 2 in the above article, then deploy Exchange 2010.

page 42: Caveats and Gotchas - Summary

- Most popular ActiveSync error: 500 after moving a mailbox to 2010
- http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx
- Check "Include inheritable permissions from this object's parent" after the mailbox is moved and initiate synchronization within 15 minutes.
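The following is an added example, not from the deck, that checks the condition behind this error 500 across the directory rather than one user at a time: it lists user objects whose "Include inheritable permissions from this object's parent" is cleared and re-enables inheritance on a chosen object. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT) and a search base of DC=contoso,DC=com.

```powershell
# Added example (not from the deck): find AD users with inheritance blocked on their
# object ACL, the usual cause of the post-move ActiveSync error 500 on page 42.
# Assumed: ActiveDirectory module available; search base DC=contoso,DC=com.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUsers {
    param([string]$SearchBase)
    # AreAccessRulesProtected -eq $true means the checkbox is cleared.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, adminCount, DistinguishedName
}

function Enable-AdInheritance {
    # Equivalent to ticking the checkbox in ADUC: keep existing explicit ACEs and
    # start inheriting from the parent again.
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $acl   = $entry.ObjectSecurity
    $acl.SetAccessRuleProtection($false, $true)
    $entry.ObjectSecurity = $acl
    $entry.CommitChanges()
}

$blocked = Get-InheritanceBlockedUsers -SearchBase 'DC=contoso,DC=com'
$blocked | Format-Table -AutoSize

# Users with adminCount=1 are protected by AdminSDHolder: SDProp (default every 60
# minutes) clears inheritance again, which is why the slide says to start the sync
# within 15 minutes of fixing the object. Fix only the non-protected ones here.
foreach ($u in ($blocked | Where-Object { $_.adminCount -ne 1 })) {
    Enable-AdInheritance -DistinguishedName $u.DistinguishedName
}
```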

page 43

Alan Wang
Technical Specialist, Communication and Collaboration
Project Leadership Associates (PLA) | 120 South LaSalle, Suite 1200, Chicago, IL 60603
Mobile: 630.888.0164 | Lync: 312.258.5323
Email: [email protected]
LinkedIn Profile: http://www.linkedin.com/pub/alanwang/16/128/778
Personal Technical Blog: http://UCOutLoud.blogspot.com
Twitter: @UCOutLoud