TRANSCRIPT
Microsoft Exchange Server 2010 Management Tools (UNC317)
Paul MacKnight, Microsoft Exchange Server, Microsoft
Evan Dodds, Microsoft Exchange Server, Microsoft
Exchange 2010 Investments: Simplify Administration
Empower Specialist Users to Perform Specific Tasks with Role-based Administration
  Compliance Officer - Conduct Mailbox Searches for Legal Discovery
  HR Officer - Update Employee Info in Company Directory
Lower Support Costs Through New User Self-Service Options
  Track Status of sent messages
  Create and Manage Distribution Lists
The annual cost of helpdesk support staff for e-mail systems with 7,500 mailboxes is approximately $20/mailbox. This cost goes up the smaller the organization. (“Email Support Staff Requirements and Costs: A Survey of 136 Organizations”, Ferris Research, June 2008).
Exchange 2010 Management: What's New?
New Exchange Management Console (EMC) features
Exchange Control Panel (ECP)
  New and simplified web based management console
  Targeted for end users, hosted tenants, and specialists
Role Based Access Control (RBAC)
  New authorization model
  Easy to delegate and customize
  All Exchange management clients (EMS, EMC, ECP) use RBAC
Remote PowerShell
  Manage Exchange remotely using PowerShell v2.0
  Note: No more local PowerShell, it's all remote in Exchange 2010
Monitoring
Exchange 2010 Management: Supported OS platforms
All of Exchange 2010 is 64-bit only
  Admin tools also require a 64-bit OS
Supported OS platforms for Admin/Management Tools
  Vista x64 SP1 (*may be SP2)
  W2k8 x64 SP2
  Windows 7 x64 Client and W2k8 R2 x64
Remote PowerShell management
  Does not require Exchange binaries at the client
  Supported client OS platforms
    Vista (x86 or x64)
    W2k8 (x86 or x64)
    W2k8 R2 (x86 or x64) or Win7 (x86 or x64)
    W2k3 (x86 or x64)
    XP (x86 or x64)
Exchange Management Console (EMC): Improvements
Built on Remote PowerShell and RBAC
Multiple Forest Support
Cross-premises Exchange 2010 Management
  Including Mailbox Moves
Recipient Bulk Edit
PowerShell Command Logging
New feature support
  For example: High Availability
Exchange Management Console demo
Exchange Control Panel (ECP): What is it?
A browser based management client for end users, administrators, and specialists
Accessible directly via URL, OWA & Outlook 2010
Deployed as a part of the Client Access Server role
Simplified user experience for common management tasks
RBAC aware
Exchange Control Panel: Who will use it?
Specialists and administrators
  Administrators can delegate to specialists, e.g. Help Desk Operators, Department Administrators, and eDiscovery Administrators
End Users
  Comprehensive self service tools for End Users
Hosted Customers
  Tenant Administrators and Tenant End Users
Exchange Control Panel: What It Looks Like
(Screenshot callouts: Primary Navigation, UI Scope Control, Secondary Navigation, Slab)
Exchange Control Panel demo
ECP Architecture Overview: High Level View
AJAX-based
Shares some code with OWA, but two separate applications
Deployed on Client Access Server (ECP, ASP.Net, RBAC, PowerShell)
Authentication: Windows Integrated, Basic, Forms Based
Browser support - Same as OWA premium: IE, Firefox, Safari
(Diagram components: Web Browser with ECP Client Library, AJAX, Client Access Server with HTTP.SYS (IIS), LiveId/FBA Auth, ECP Server Library, RBAC, PowerShell, Exchange Cmdlets)
ECP Architecture Overview: Role Based Access Control
Users shouldn't have access to message tracking -> Message tracking tab doesn't show up in ECP
Users can edit mailboxes, but not create new ones -> "New Mailbox" button hidden
Users can edit display name but not Department -> Department field visible but read-only
RBAC in Exchange 2010
RBAC has replaced the permission model used in Exchange 2007
Your "role" is defined by "what you do"
Define precise or broad roles and assignments based on the tasks that need to be performed
Includes self administration
Used by EMC, EMS and ECP
Who can do What... and Where?
(Diagram)
Who? - Admins: Role Group / USG; End-Users: Role Assignment Policy
What? - Role, made up of Role Entries (Cmdlet: Param1, Param2, Param3; one entry per cmdlet)
Where? - Recipient Write Scope, Recipient Read Scope, Configuration Write Scope, Configuration Read Scope
Role Assignment - ties the Who (role group or policy) to the What (role) and the Where (scopes)
Role Assignment (same diagram as above)
Role Assignment cmdlets: New-ManagementRoleAssignment, Get-ManagementRoleAssignment, Set-ManagementRoleAssignment, Remove-ManagementRoleAssignment
Role Group membership: Add-RoleGroupMember, Remove-RoleGroupMember
Role Assignment Policy: New-RoleAssignmentPolicy, Remove-RoleAssignmentPolicy
Role Group / USG (same diagram as above)
Role Group cmdlets: New-RoleGroup, Set-RoleGroup, Get-RoleGroup, Remove-RoleGroup
Built-in Role Groups and their Assigned Roles:
  Organization Management - <All Roles>
  View-Only Organization Management - <All Roles View-Only>
  Recipient Management - Password Management, Mail Recipient Management, Distribution Group Management, ...
  UM Management - UM Server Management, UM Recipient Management, ...
  Discovery Management - Mailbox Search Management, Legalhold Management
Role Assignment: Scopes (same diagram as above)
New-ManagementRoleAssignment -Name Sales-RecipMgt ... -RecipientOrganizationalUnitScope "OU=Sales,CN=Users..."
New-ManagementScope -Name Sales-Recipients -RecipientRestrictionFilter "(Department -eq 'Sales')"
New-ManagementScope -Name Euro-Servers -ServerRestrictionFilter "(Name -like 'EuroMBX*')"
New-ManagementScope -Name VIP-Recipients -RecipientRestrictionFilter "((Title -eq 'CEO') -or (Title -eq 'CIO'))" -Exclusive
- Exclusive scopes take effect immediately
- Access is granted through Role Assignment to an Exclusive Scope
Custom Management Roles
Custom roles can be added to suit specific delegation requirements
Roles are hierarchical, with the built-in role at the top; a custom child role can only have Role Entries removed, never entries added beyond what its parent role contains
Steps to delegate a role:
1. Create the management role
2. Change the new role's management role entries (by removing role entries)
3. Create a management scope (if required)
4. Assign the new management role
Custom Management Roles: What does it look like?
New-ManagementRole -Name "eDiscovery-Sales" -Parent DiscoveryManagement
New-ManagementScope -Name "Sales Mailboxes" -DomainRestrictionFilter "(RecipientType -eq 'UserMailbox')" -DomainRoot "OU=Sales,DC=contoso,DC=Com"
New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" -User "USG-Sales eDiscovery Admins" -Role "eDiscovery-Sales" -DomainScopeRestriction "Sales Mailboxes"
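The four delegation steps above carried through end to end, including the role-entry trimming (step 2) that the deck's own sample skips and a final check with the permissions-reporting cmdlet. This is an added example, not from the deck; it uses the Exchange 2010 RTM parameter names (-RecipientRoot, -RecipientRestrictionFilter, -SecurityGroup, -CustomRecipientWriteScope) and the RTM built-in role "Mailbox Search" as parent, and the role, scope, group and OU names are placeholders.

```powershell
# Added example (not from the deck): delegate a scoped eDiscovery role to a USG.
# RTM parameter and role names are used; all object names are placeholders.
# Run from an Exchange Management Shell session with Organization Management rights.

# 1. Create the management role as a child of the built-in "Mailbox Search" role.
#    A child role starts with every role entry of its parent.
New-ManagementRole -Name "eDiscovery-Sales" -Parent "Mailbox Search"

# 2. Trim the role entries. Entries can only be removed from a child role, never
#    added, so strip everything except the mailbox-search cmdlets (least privilege).
Get-ManagementRoleEntry "eDiscovery-Sales\*" |
    Where-Object { $_.Name -notlike "*-MailboxSearch" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Create a management scope: only user mailboxes under the Sales OU are writable.
New-ManagementScope -Name "Sales Mailboxes" `
    -RecipientRoot "OU=Sales,DC=contoso,DC=com" `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

# 4. Assign the trimmed role to the universal security group, bounded by that scope.
New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" `
    -SecurityGroup "USG-Sales eDiscovery Admins" `
    -Role "eDiscovery-Sales" `
    -CustomRecipientWriteScope "Sales Mailboxes"

# Verify with RBAC permissions reporting: what the group may do, and which
# individual users effectively hold the role through group membership.
Get-ManagementRoleAssignment -RoleAssignee "USG-Sales eDiscovery Admins" |
    Format-Table Name, Role, CustomRecipientWriteScope, RecipientReadScope -AutoSize
Get-ManagementRoleAssignment -Role "eDiscovery-Sales" -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, CustomRecipientWriteScope -AutoSize
```

Re-run the last two commands after any Add-RoleGroupMember or group change; the effective-user view is what an auditor will ask for.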
Role Based Access Control demo
RBAC Role Delegation
Role membership is not a right to delegate
Role Assignment Delegation
  Special kind of Role Assignment
  Delegation does not grant role permissions
Role Group Delegation
  Controlled through Role Group ownership: ManagedBy parameter, similar to DGs (multi-valued)
  Ownership does not grant Role Group permissions
RBAC Permissions Reporting
Get-ManagementRoleAssignment
  Effective Roles for a User
  Effective Users by Role/Scope/Group
  Effective permissions to a Writable Object
Remote PowerShell
New management architecture for PowerShell in Exchange 2010
Allows Role-based Access Control (RBAC) model
  Restricted PSSession allows RBAC to hide cmdlets and parameters
Client / Server separation
  Remote PowerShell is always used to connect "remotely" to localhost
  Enables firewall and cross-forest scenarios
"No Binaries" scenarios
  Exchange-cmdlet management from a client machine which does not have Exchange Management Tools (Exchange binaries) installed
Remote PowerShell: How does it work?
(Diagram: a PSv2 Client Runspace connects to the Exchange Server, where IIS handles Authentication and the WSMan + RBAC stack handles Authorization against Active Directory, producing a PSv2 RBAC Server Runspace)
1. Cmdlets available in the client runspace at the start: New-PSSession only
   > New-PSSession -URI https://server.fqdn.com/PowerShell/
2. IIS authenticates the user (Evan); RBAC looks up Evan's Role Assignment in Active Directory: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name
3. Cmdlets available in the server runspace: only those role entries (New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name), which are imported as remote cmdlets into the client runspace
4. > New-Mailbox -Name Bob
   runs in the server runspace; the result, [Bob Mailbox Object in Pipeline], is returned to the client
Remote PowerShell: How Do I Use It?
The Beta Way
$wso = New-WSManSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$rr = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<Exchange 2010 fqdn>/powershell -SessionOption $wso -Authentication NegotiateWithImplicitCredential
Import-PSSession $rr
The RTM way
$rr = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<Exchange 2010 fqdn>/powershell -Authentication Kerberos
Import-PSSession $rr
Or... just run the Exchange Management Shell icon!
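The RTM-style connection from a "no binaries" workstation, followed by a look at what the restricted runspace actually exposed, so the RBAC hiding of cmdlets and parameters described earlier can be observed rather than assumed. This is an added example, not from the deck; the server name is a placeholder, and the explicit -Credential is optional (omit it to use the logged-on account, as the deck does).

```powershell
# Added example (not from the deck): connect remotely and inspect the RBAC-restricted
# runspace. Server name is a placeholder. The beta -Skip* certificate options are
# deliberately not used; Kerberos gives WinRM message-level encryption even over http.
$cred = Get-Credential                      # delegated admin's credentials (optional)
$rr = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://exchange01.contoso.com/PowerShell/" `
    -Authentication Kerberos -Credential $cred

# Import the restricted session: only the cmdlets the user's role assignments allow
# become proxy functions in a temporary local module.
$mod = Import-PSSession $rr -DisableNameChecking

# What did RBAC let through? Enumerate the imported proxy functions.
$exposed = Get-Command -Module $mod.Name -CommandType Function |
    Select-Object -ExpandProperty Name
"RBAC exposed $($exposed.Count) cmdlets, e.g. $($exposed[0..4] -join ', ')"

# Parameters are filtered as well: a role entry of "New-Mailbox -Name" yields a proxy
# whose non-common parameters are just the ones the role entry lists.
if ($exposed -contains "New-Mailbox") {
    $common = [System.Management.Automation.PSCmdlet]::CommonParameters
    (Get-Command New-Mailbox).Parameters.Keys |
        Where-Object { $common -notcontains $_ }
}

Remove-PSSession $rr                        # tear down the server runspace when done
```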
Remote PowerShell demo
Monitoring: Monitoring & Reporting Based on Operations Manager 2007
Supports 2007 SP1 or 2007 R2
MP releasing concurrently with Exchange 2010!
Greatly reduced alert "noise"
  Correlation Engine: uses the Operations Manager health model to hide "symptom alerts" and leave "root cause alerts" for faster problem resolution, fewer headaches
  Smarter alerts: Exchange 2010 diagnostics specifically designed for monitoring
  Scale ready, no more "magic number" threshold tuning!
Reporting
  Mail flow statistics based on message tracking logs
  Reports that understand Exchange, more accurately model end-user availability
  Service Level Agreement (SLA) target support
Summary
Exchange Management Console: New Features, Bulk Management, and PowerShell convergence
Role Based Access Control: RBAC has replaced the permission model used in Exchange 2007; enables the definition of broad or precise roles and assignments, based on the actual roles administrators perform
Exchange Control Panel: Provides a new way to administer subsets of Exchange features; provides a great self provisioning portal
Remote PowerShell: Uses familiar Exchange cmdlets; allows administration without the Exchange management tools; provides firewall friendly management access
Related Content
UNC204: Introduction to Microsoft Exchange Server 2010 (already done)
UNC316: Microsoft Exchange Server 2010 Architecture (already done)
UNC03-INT: Mastering Exchange Management with the Exchange Management Shell
WSV325: Windows PowerShell: Tips from the Expert
Question & Answer
Resources
www.microsoft.com/teched - Sessions On-Demand & Community
http://microsoft.com/technet - Resources for IT Professionals
http://microsoft.com/msdn - Resources for Developers
www.microsoft.com/learning - Microsoft Certification & Training Resources
Call to Action: Learn More!
Related Content at TechEd on the "Related Content" slide; attend in-person or consume post-event at TechEd Online
Check out online learning/training resources: http://technet.microsoft.com/exchange/2010 and http://technet.microsoft.com/office/ocs
Try It Out! Download the Exchange Server 2010 Beta Evaluation: http://www.microsoft.com/exchange/2010/try-it
Get a 5-Day Trial of Office Communications Server 2007 R2: https://r2.uctrial.com/
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.