Mastering Microsoft Exchange Server 2016

Table of Contents
Title Page
Copyright Page
Dedication
Acknowledgments
About the Authors
About the Technical Editor
Introduction
Major Changes in Exchange Server 2016
How This Book Is Organized
Conventions Used in This Book
The Mastering Series
Part 1: Exchange Fundamentals
Chapter 1: Putting Exchange Server 2016 in Context
Email's Importance
What Is Exchange Server?
Things Every Email Administrator Should Know
The Bottom Line
Chapter 2: Introducing the Changes in Exchange Server 2016
Getting to Know Exchange Server 2016
Exchange Server Architecture
Now, Where Did That Go?
Clearing Up Some Confusion
The Bottom Line
Chapter 3: Understanding Availability, Recovery, and Compliance
Changing from a Technology to a Business Viewpoint
What's in a Name?
A Closer Look at Availability
Storage Availability
Compliance and Governance
The Bottom Line
Chapter 4: Virtualizing Exchange Server 2016
Virtualization Overview
Effects of Virtualization
Virtualization Requirements
Operations
Deciding When to Virtualize
Deciding What to Virtualize
Possible Virtualization Scenarios
The Bottom Line
Chapter 5: Introduction to PowerShell and the Exchange Management Shell
Why Use PowerShell?
Understanding the Command Syntax
Object-Oriented Use of PowerShell
PowerShell v3, v4, and v5
Tips and Tricks
Getting Help
The Bottom Line
Chapter 6: Understanding the Exchange Autodiscover Process
Autodiscover Concepts
Planning Certificates for Autodiscover
The Bottom Line
Part 2: Getting Exchange Server Running
Chapter 7: Exchange Server 2016 Quick Start Guide
Server Sizing Quick Reference
Configuring Windows
Installing Exchange Server 2016
Post-installation Configuration Steps
Configuring Recipients
The Bottom Line
Chapter 8: Understanding Server Roles and Configurations
The Roles of Server Roles
Exchange Server 2016 Server Roles
Possible Role Configurations
The Bottom Line
Chapter 9: Exchange Server 2016 Requirements
Getting the Right Server Hardware
Software Requirements
Additional Requirements
The Bottom Line
Chapter 10: Installing Exchange Server 2016
Before You Begin
Preparing for Exchange 2016
Graphical User Interface Setup
Command-Line Setup
Removing Exchange Server
The Bottom Line
Chapter 11: Upgrades and Migrations to Exchange Server 2016 or Office 365
Upgrades, Migrations, Cross-Forest Migrations, and Deployments
Factors to Consider before Upgrading
Choosing Your Strategy
Office 365
Performing a Cross-Forest Migration
Moving Mailboxes
Importing Data from PSTs
Tasks Required Prior to Removing Legacy Exchange Servers
Exchange Server Deployment Assistant
The Bottom Line
Part 3: Recipient Administration
Chapter 12: Management Permissions and Role-Based Access Control
RBAC Basics
Managing RBAC
Defining Roles
Distributing Roles
Auditing RBAC
The Bottom Line
Chapter 13: Basics of Recipient Management
Understanding Exchange Recipients
Defining Email Addresses
The Bottom Line
Chapter 14: Managing Mailboxes and Mailbox Content
Managing Mailboxes
Moving Mailboxes
Deleting Mailboxes
Bulk Manipulation of Mailboxes Using the EMS
Managing Mailbox Content
Getting Started with Messaging Records Management
The Bottom Line
Chapter 15: Managing Mail-Enabled Groups, Mail Users, and Mail Contacts
Understanding Mail-Enabled Groups
Creating and Managing Mail Contacts and Mail Users
The Bottom Line
Chapter 16: Managing Resource Mailboxes
The Unique Nature of Resource Mailboxes
Exchange 2016 Resource Mailbox Features
Creating Resource Mailboxes
Creating Room Lists
Converting Resource Mailboxes
The Bottom Line
Chapter 17: Managing Modern Public Folders
Understanding Architectural Changes for Modern Public Folders
Moving Public Folders to Exchange Server 2016
Managing Public Folder Mailboxes
Managing Public Folders
Understanding the Public Folder Hierarchy
Comparing Public Folders, Site Mailboxes, and Shared Mailboxes
The Bottom Line
Chapter 18: Managing Archiving and Compliance
Introduction to Archiving
Benefits of Archiving
Industry Best Practices
Archiving with Exchange Server 2016
Enabling In-Place Archiving
Understanding Litigation and In-Place Hold
Requirements and Considerations
The Bottom Line
Part 4: Server Administration
Chapter 19: Creating and Managing Mailbox Databases
Getting to Know Exchange Server Databases
Planning Mailbox Database Storage
Managing Mailbox Databases
The Bottom Line
Chapter 20: Creating and Managing Database Availability Groups
Understanding Database Replication in Exchange Server 2016
Managing a Database Availability Group
Understanding Active Manager
DAG and Database Maintenance
Understanding Site Resiliency for Exchange Server 2016
The Bottom Line
Chapter 21: Understanding the Client Access Services
Client Access Services Overview
Namespace Planning
Connectivity for Outlook Clients
Connectivity for Non-Outlook Clients
Sharing between Organizations
Securing External Access
Coexisting with Previous Exchange Server Versions
The Bottom Line
Chapter 22: Managing Connectivity with Transport Services
Understanding the Transport Improvements in Exchange Server 2016
Message Routing in the Organization
Sending and Receiving Email
Messages in Flight
Using Exchange Server 2016 Antispam/Anti-Malware Tools
Troubleshooting Email Routing
The Bottom Line
Chapter 23: Managing Transport, Data Loss Prevention, and Journaling Rules
Introducing the Exchange 2016 Transport Architecture
Setting Up Message Classifications
Setting Up Mail Flow (Transport) Rules
Introducing Data Loss Prevention
Introducing Journaling
The Bottom Line
Part 5: Troubleshooting and Operating
Chapter 24: Troubleshooting Exchange Server 2016
Basic Troubleshooting Principles
General Server Troubleshooting Tools
Troubleshooting Mailbox Servers
Troubleshooting Mail Flow
Troubleshooting Client Connectivity
The Bottom Line
Chapter 25: Backing Up and Restoring Exchange Server
Backing Up Exchange Server
Preparing to Back Up and Recover the Exchange Server
Using Windows Server Backup to Back Up the Exchange Server
Using Windows Server Backup to Recover the Data
Recover Exchange Server Data Using Alternative Methods
Recovering the Entire Exchange Server
The Bottom Line
Appendix: The Bottom Line
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Chapter 16
Chapter 17
Chapter 18
Chapter 19
Chapter 20
Chapter 21
Chapter 22
Chapter 23
Chapter 24
Chapter 25
End User License Agreement
List of Illustrations
Chapter 1: Putting Exchange Server 2016 in Context
Figure 1.1 Outlook 2016 Appointment scheduling on an Exchange Server 2016 mailbox
Figure 1.2 The Outlook 2016 client Inbox on an Exchange Server 2016 mailbox
Figure 1.3 Outlook on the web on an Exchange Server 2016 mailbox
Figure 1.4 Exchange data and transaction logs
Figure 1.5 Active Directory and Exchange Server
Figure 1.6 Configuring automatic updates
Figure 1.7 Viewing the Microsoft Remote Connectivity Analyzer
Chapter 2: Introducing the Changes in Exchange Server 2016
Figure 2.1 Deploying an Edge Transport server
Figure 2.2 Examining a transport rule
Chapter 3: Understanding Availability, Recovery, and Compliance
Figure 3.1 The four stages of the Microsoft IT service management lifecycle
Chapter 4: Virtualizing Exchange Server 2016
Figure 4.1 A look at virtualization
Chapter 5: Introduction to PowerShell and the Exchange Management Shell
Figure 5.1 Output of the Get-Mailbox cmdlet
Figure 5.2 Formatting output into a formatted table
Figure 5.3 Formatting output to a formatted list
Figure 5.4 Online help for pipelining using the Exchange Management Shell
Figure 5.5 Viewing the Tip of the Day
Chapter 6: Understanding the Exchange Autodiscover Process
Figure 6.1 Completing the initial Outlook configuration using Autodiscover
Figure 6.2 Using the Test E-mail AutoConfiguration tool
Figure 6.3 Accessing the Test E-mail AutoConfiguration tool
Figure 6.4 The Certificates MMC snap-in
Figure 6.5 Viewing the domains to be included in the certificate request
Figure 6.6 The Certificate Domains Wizard Page
Figure 6.7 Selecting services that will use the certificate
Figure 6.8 Viewing certificate properties
Chapter 7: Exchange Server 2016 Quick Start Guide
Figure 7.1 Setting a static page file for 8 GB of RAM
Figure 7.2 Checking the domain and forest functional levels
Figure 7.3 Checking for Updates
Figure 7.4 Select the server Role
Figure 7.5 Choosing the Installation location
Figure 7.6 Organization name
Figure 7.7 The Setup Completed screen
Chapter 8: Understanding Server Roles and Configurations
Figure 8.1 Selecting the Exchange Server 2016 roles
Figure 8.2 The warning message when a new database is added to a Mailbox server
Chapter 10: Installing Exchange Server 2016
Figure 10.1 Determining which domain controller holds the Schema Master role
Figure 10.2 Exchange configuration Containers that are found in the Active Directory configuration partition
Figure 10.3 The Server Role Selection screen
Chapter 12: Management Permissions and Role-Based Access Control
Figure 12.1 The interaction among the RBAC components for granting permissions to administrators
Figure 12.2 How RBAC is used to grant permissions to end users
Figure 12.3 Managing administrator roles and user roles in the EAC
Figure 12.4 Viewing role group details in the EAC
Figure 12.5 Viewing the user role information in the EAC
Figure 12.6 Tabs to manage roles, role assignment policies, role groups, and scopes
Figure 12.7 The relationship between a management role and its management role entries
Figure 12.8 The role objects in Active Directory
Figure 12.9 The properties for the Mailbox Import Export role object
Figure 12.10 The management role entries for the Mailbox Import Export role as seen in ADSI Edit
Figure 12.11 The relationship between a parent role and a child role
Figure 12.12 Implementation of an exclusive scope
Figure 12.13 A role assignment object is created in Active Directory when roles are assigned
Figure 12.14 A deeper look at the role assignment object in Active Directory
Figure 12.15 The relationship between management role assignments, scopes, management roles, and management role groups
Figure 12.16 Administrator accounts are added to the AD group that represents management role groups
Figure 12.17 The list of management role groups is populated into the EAC
Figure 12.18 Click the Add button to add a member of a role group in the EAC
Figure 12.19 Role assignment objects are also used for assigning roles to role assignment policies
Figure 12.20 Check and uncheck the roles that you want to add to or remove from the role assignment policy
Figure 12.21 Auditing RBAC changes using the EAC
Chapter 13: Basics of Recipient Management
Figure 13.1 List of accepted domains
Figure 13.2 Creating a new accepted domain
Figure 13.3 Email address policies for an Exchange Server 2016 organization
Figure 13.4 Changing how the SMTP address is generated
Figure 13.5 Defining the email address format for the email address policy
Figure 13.6 Naming the email address policy
Figure 13.7 Conditions available in the email address policy rules
Figure 13.8 Specifying words for a rule in an email address policy
Chapter 14: Managing Mailboxes and Mailbox Content
Figure 14.1 The Mailboxes section of the EAC's Recipient Configuration work center
Figure 14.2 In the Mailbox Wizard, you can select a mailbox database for a user, as well as enable an archive mailbox and assign an address book policy
Figure 14.3 Available mailbox permissions
Figure 14.4 Creating a user account and mailbox from the Exchange Administration Center
Figure 14.5 General properties page for a mailbox
Figure 14.6 Email Address properties of a mailbox
Figure 14.7 Mailbox Features properties of a mailbox
Figure 14.8 Message Delivery Restrictions options
Figure 14.9 Move Configuration settings
Figure 14.10 Options for the migration batch
Figure 14.11 The Migration Dashboard
Figure 14.12 Migration progress in the Migration Dashboard
Figure 14.13 Connecting a disconnected mailbox
Figure 14.14 List of the default and personal retention tags
Figure 14.15 Creating a personal retention tag
Figure 14.16 Creating a retention policy
Figure 14.17 Assigning a retention policy to a user's mailbox
Chapter 15: Managing Mail-Enabled Groups, Mail Users, and Mail Contacts
Figure 15.1 Creating a new group using Active Directory Users and Computers
Figure 15.2 Viewing the group choices in the Exchange Admin Center
Figure 15.3 Opening the New Distribution Group window
Figure 15.4 Filter settings and conditions for a dynamic distribution group
Figure 15.5 The Delivery Management window of a Distribution Group object
Figure 15.6 Configuration options for moderated groups
Figure 15.7 Converting a group to a universal group using Active Directory Users and Computers
Figure 15.8 Managing group membership from within Outlook
Figure 15.9 Managing group membership from within the control panel
Figure 15.10 Creating a new contact object using Active Directory Users and Computers
Figure 15.11 Contact information in Active Directory Users and Computers
Figure 15.12 Creating a mail-enabled contact
Chapter 16: Managing Resource Mailboxes
Figure 16.1 Defining general information for a conference room mailbox
Figure 16.2 Viewing room resources in the Address Book using Outlook
Figure 16.3 Entering the room capacity for a resource mailbox
Figure 16.4 Viewing the custom attributes of room resources in the Address Book using Outlook
Figure 16.5 Delegates for a resource mailbox
Figure 16.6 Booking Options for a resource mailbox
Figure 16.7 Availability of resource mailbox in Outlook
Figure 16.8 Availability using room lists in Outlook
Chapter 17: Managing Modern Public Folders
Figure 17.1 The Public Folder Mailboxes screen
Figure 17.2 Creating a new public folder mailbox
Figure 17.3 Primary hierarchy public folder mailbox
Figure 17.4 Public Folder Mailbox properties
Figure 17.5 Adding a new public folder
Figure 17.6 The Public folder's General properties page
Figure 17.7 The Public folder's Statistics properties page
Figure 17.8 The Public folder's Limits properties page
Figure 17.9 Mail flow settings
Figure 17.10 Opening the folder permissions
Figure 17.11 Creating a new folder
Figure 17.12 The Outlook client's properties dialog box for a public folder
Figure 17.13 Managing public folder permissions via Outlook
Chapter 18: Managing Archiving and Compliance
Figure 18.1 Assigning a retention policy to a single mailbox
Figure 18.2 Select the Create An On-Premises Archive Mailbox For This User option
Figure 18.3 The Exchange Server 2016 In-Place eDiscovery & Hold Console
Figure 18.4 Selecting mailboxes, distribution groups, and public folders in the In-Place eDiscovery & Hold Wizard
Figure 18.5 Defining a search query
Figure 18.6 Defining the message types to search
Figure 18.7 Using the In-Place Hold settings to place search results on hold
Chapter 19: Creating and Managing Mailbox Databases
Figure 19.1 Creating a new database using the Exchange Admin Center
Figure 19.2 General section of the mailbox database's properties dialog box
Figure 19.3 The Mailbox database's Maintenance settings
Figure 19.4 The Mailbox database's Limits settings
Figure 19.5 Quota limit in Outlook
Figure 19.6 Quota limit in EAC
Figure 19.7 The Client Settings properties of a mailbox database
Chapter 20: Creating and Managing Database Availability Groups
Figure 20.1 Creating a new DAG in the EAC
Figure 20.2 Exchange Server 2010 JBOD configuration
Figure 20.3 Mailbox databases symmetrically placed between the Mailbox servers
Figure 20.4 The network binding order that should be in place before adding a Mailbox server to a DAG
Figure 20.5 Mailbox database layout
Figure 20.6 Adding a mailbox database to a Mailbox server
Figure 20.7 Database options from the Details pane in EAC
Figure 20.8 Automatic Reseed configuration
Figure 20.9 Event 227 shows that a configuration change was detected.
Figure 20.10 Event 111 shows that the change to PAM is complete.
Figure 20.11 An attempt to copy remaining transaction log files
Figure 20.12 Messages requested from Safety Net
Figure 20.13 Exchange Server 2016 preferred architecture
Figure 20.14 A simple DAG
Figure 20.15 Multiple DAGs
Chapter 21: Understanding the Client Access Services
Figure 21.1 Communication between frontend and back-end services
Figure 21.2 Exchange Server 2016 Unified Messaging architecture and ports
Figure 21.3 Single namespace in a site
Figure 21.4 Bound namespaces
Figure 21.5 Unbound namespace
Figure 21.6 Host records for DNS round robin
Figure 21.7 Hardware load balancer
Figure 21.8 Default certificates in Exchange Server 2016
Figure 21.9 A SAN certificate
Figure 21.10 The New Exchange Certificate Wizard
Figure 21.11 Assigning services to a certificate
Figure 21.12 Test E-mail AutoConfiguration
Figure 21.13 Outlook Anywhere FQDN
Figure 21.14 URLs for Outlook on the web
Figure 21.15 Outlook on the web authentication settings
Figure 21.16 Outlook Web App policy
Figure 21.17 File Access settings in an Outlook Web App policy
Figure 21.18 Security settings for the Default Mobile-Device Mailbox Policy
Figure 21.19 Mobile Device Access Settings
Figure 21.20 Calendar sharing options in Outlook
Figure 21.21 The Send A Calendar Via E-mail settings
Figure 21.22 Settings for calendar publishing
Figure 21.23 Using a reverse proxy to secure access
Figure 21.24 Load balancer in a perimeter network
Figure 21.25 Coexistence with previous Exchange Server versions
Chapter 22: Managing Connectivity with Transport Services
Figure 22.1 The Mailbox server transport components
Figure 22.2 Mail flow between DAG members
Figure 22.3 Receive connectors
Figure 22.4 Receive connectors in the Exchange Admin Center
Figure 22.5 Default Frontend Receive connector permissions
Figure 22.6 Send connector in the Exchange Admin Center
Figure 22.7 The Introduction page of the New Send Connector window
Figure 22.8 Adding the Require TLS Encryption action to a transport rule
Figure 22.9 List of accepted Domains
Figure 22.10 Creating a new accepted domain
Figure 22.11 Default antimalware settings
Chapter 23: Managing Transport, Data Loss Prevention, and Journaling Rules
Figure 23.1 A message classification displayed in Outlook 2016
Figure 23.2 A sample list of message classifications
Figure 23.3 Locating the transport rules in the Exchange Admin Center
Figure 23.4 Transport rule version in the EMS
Figure 23.5 Viewing the actions from the EAC
Figure 23.6 Templates to create new transport rules
Figure 23.7 The New Rule window for EAC
Figure 23.8 The New Rule window for EAC with more Options
Figure 23.9 Rules created from DLP template U.S. Personally Identifiable Information (PII) Data
Figure 23.10 Options for sensitive information type Passport Number (U.S./U.K.)
Figure 23.11 The DLP Policy From Template window from EAC
Figure 23.12 Policy Tip for DLP policy U.S. Financial Data
Figure 23.13 The sensitive information types covered by the U.S. Financial transport rule: Scan Email Sent Outside – High Count
Figure 23.14 Contents of the XML after running Export-DlpPolicyCollection
Chapter 24: Troubleshooting Exchange Server 2016
Figure 24.1 The logging directory on the Exchange server
Figure 24.2 Viewing an event from the Exchange Application logs
Figure 24.3 Using the Test-ServiceHealth cmdlet
Figure 24.4 Using the Queue Viewer interface
Figure 24.5 Viewing message tracking in EAC
Figure 24.6 Tracking messages from the Exchange Admin Center
Figure 24.7 Using the Test E-mail AutoConfiguration tool
Figure 24.8 The Remote Connectivity Analyzer
Chapter 25: Backing Up and Restoring Exchange Server
Figure 25.1 Windows Server Backup has been installed
Figure 25.2 Selecting the items to include in a backup
Figure 25.3 Selecting the application to recover
Figure 25.4 Search name and description
Figure 25.5 The Search Query Page
Figure 25.6 Search results in the Discovery Search Mailbox
List of Tables
Chapter 3: Understanding Availability, Recovery, and Compliance
Table 3.1 RAID Configurations
Chapter 4: Virtualizing Exchange Server 2016
Table 4.1 Virtualization Terms
Chapter 5: Introduction to PowerShell and the Exchange Management Shell
Table 5.1 PowerShell Common Aliases
Table 5.2 Shell Values and Operators
Table 5.3 Information Output for Each Get-Help View
Chapter 9: Exchange Server 2016 Requirements
Table 9.1 Microsoft Outlook User Types
Table 9.2 Processor Recommendations Based on Number of Messages Sent or Received per Mailbox per Day
Table 9.3 Additional Memory Factor for Mailbox Servers
Table 9.4 Memory Required Based on Mailbox Size
Table 9.5 User Type, Database Volume IOPS, and Messages Sent and Received per Day for Exchange Server 2016
Table 9.6 Task Permissions
Chapter 10: Installing Exchange Server 2016
Table 10.1 Exchange Server 2016 Command-Line Installation Options
Table 10.2 Exchange Server 2016 Server-Recovery Setup Options
Table 10.3 Exchange Server 2016 Delegated Setup Options
Table 10.4 Exchange Server 2016 Language Pack Options
Chapter 11: Upgrades and Migrations to Exchange Server 2016 or Office 365
Table 11.1 Comparison of Exchange Server 2016 Upgrade Strategies
Chapter 12: Management Permissions and Role-Based Access Control
Table 12.1 Cmdlets for Managing the RBAC Components
Table 12.2 Implicit Scope Values
Chapter 13: Basics of Recipient Management
Table 13.1 User Mailboxes, Mail Users, and Mail Contacts
Table 13.2 Mail-Enabled Public Folders and Shared Mailboxes
Table 13.3 EMS Cmdlets Used to Manipulate Email Address Policies
Chapter 14: Managing Mailboxes and Mailbox Content
Table 14.1 Access Rights of Mailbox Folders
Table 14.2 Access Rights (Roles) of Mailbox Folders
Table 14.3 Default MRM Policy Retention Tags
Chapter 15: Managing Mail-Enabled Groups, Mail Users, and Mail Contacts
Table 15.1 EMS and PowerShell Cmdlets for Group Management
Table 15.2 Common Mail-Enabled Group Properties
Table 15.3 Exchange Management Shell Cmdlets for Mail Contacts and Mail Users
Table 15.4 Useful Properties of Mail Contact and Mail User Objects
Chapter 16: Managing Resource Mailboxes
Table 16.1 Recipient-Related Attributes for Resource Mailboxes
Table 16.2 Booking Options and EMS Equivalents
Table 16.3 Resource Information Settings and Their EMS Equivalents
Table 16.4 EMS Parameters of In-Policy Booking Policies
Table 16.5 EMS Parameters of Out-of-Policy Booking Policies
Table 16.6 Set-MailboxCalendarConfiguration Parameters
Table 16.7 Access Rights (Roles) of Calendar Folders
Chapter 18: Managing Archiving and Compliance
Table 18.1 Default Archive Tags
Chapter 20: Creating and Managing Database Availability Groups
Table 20.1 Active Manager Evaluation of Each Database Copy
Table 20.2 DB1 Replication Status
Table 20.3 DB2 Replication Status
Table 20.4 DB3 Replication Status
Chapter 21: Understanding the Client Access Services
Table 21.1 Certificate Generation Methods
Table 21.2 Forms-Based Authentication Logon Formats
Table 21.3 Properties of an Organization Relationship
Table 21.4 Sharing Policy Permissions
Chapter 23: Managing Transport, Data Loss Prevention, and Journaling Rules
Table 23.1 Exchange Server 2016 DLP-Scannable File Types
Chapter 25: Backing Up and Restoring Exchange Server
Table 25.1 Sample Scenarios with Recovery Goals
Table 25.2 Single-Item Recovery Features
Mastering
Microsoft® Exchange Server 2016
Clifton Leonard
Brian Svidergol
Byron Wright
Vladimir Meloski
Senior Acquisitions Editor: Kenyon Brown
Development Editor: Kelly Talbot
Technical Editor: Joseph Nguyen
Production Editor: Athiyappan Lalith Kumar
Copy Editor: Kathy Grider-Carlyle
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Proofreader: Nancy Bell
Indexer: Nancy Guenther
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © i3d/Shutterstock
Copyright © 2016 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-23205-6
ISBN: 978-1-119-23208-7 (ebk.)
ISBN: 978-1-119-23207-0 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections
107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or
authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood
Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201)
748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with
respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties,
including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended
by sales or promotional materials. The advice and strategies contained herein may not be suitable for every
situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting,
or other professional services. If professional assistance is required, the services of a competent professional person
should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an
organization or Web site is referred to in this work as a citation and/or a potential source of further information does
not mean that the author or the publisher endorses the information the organization or Web site may provide or
recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may
have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our
Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with
standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to
media such as a CD or DVD that is not included in the version you purchased, you may download this material at
http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2016946244
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley &
Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written
permission. Microsoft is a registered trademark of Microsoft Corporation. All other trademarks are the property of
their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this
book.
This book is dedicated to my loving, gorgeous wife, Marie, and to my incredible
inspirations Pierce, Treyden, Gabrielle, Cheyenne, Taylor, Zoe, and Talon. Thank
you for enduring all my late nights and continuously encouraging me through
this journey. I love you all!
—Clifton Leonard
I'd like to thank my wife, Lindsay; my son, Jack; and my daughter, Leah, for the
unending support and David Elfassy for reaching out to me to get involved with
this project—thank you! Finally, I'd like to thank the original Exchange “super
team”—Larry, Mike, Carl, George, Dennis, and the Chicago crew—you guys
helped me elevate my game.
—Brian Svidergol
I dedicate this book to my parents who unwittingly put me on the path to working
with technology by indulging me in my youth. Who knew buying a Commodore
VIC-20 would get it all started? I am thankful for that and your support in many
other ways over the years.
—Byron Wright
To my loving family who always supports me.
—Vladimir Meloski
Acknowledgments
Thank you once again, Microsoft, for a great release of Exchange Server. This is now
the eighth major release of the well-known premier messaging system. In this release,
we can see the effort and ingenuity come together in solving customer problems to
create a truly superior product. Congratulations!
As the team that is working on this book completes the final steps required to send it
to the printer, I continue to bring some real-world expertise into the content. I have
deployed several Exchange Server 2016 infrastructures to date, but this product is so
vast and so broad that I continue to find design options, best practices, and
architecture recommendations on a daily basis. I'm pretty sure that I will be updating
the content up to the last minute!
When I was approached to take on this book, several months before Exchange Server
2016 was about to release to manufacturing, my reaction was, “What about David and
Jim?” David Elfassy authored the previous edition and has been an invaluable
contributor to the Microsoft, and more specifically Exchange Server, community. Prior
to David, Jim McBee authored three previous editions of this book and has been the
pillar of the Mastering Exchange Server series. I consider it to be a true honor to take
over for David Elfassy and Jim McBee as the lead author for this book, and I hope that
this edition has adequately followed through on their traditions.
Throughout the book, we have tried to keep the tone and language similar to what was
used in the previous editions of this book, so if you are familiar with both of these
men's writing style, you should find comfort in these pages. In addition, we have
removed some of the introductory technical information from previous editions, to
reflect the depth of initial experience of the readers.
Taking on the responsibility of a 816-plus-page manual is no simple task and not one
that can be undertaken by only one person. Along the way, I have invited several
contributors to this effort. Their knowledge and expertise have added incredible value
to this book. Having written anywhere from several paragraphs to complete chapters,
Brian Svidergol, Byron Wright, and Vladimir Meloski are Exchange Server gurus who
have provided key content for this book. These men are well respected within the
Exchange Server community and are authors of Microsoft Official Curriculum,
including Exchange Server 2016. They have been great contributions to this effort.
Thank you!
There is also a man who has kept us all honest and has been the gatekeeper for
technical accuracy in this book, and he has helped revise a couple of chapters more
substantially. Joseph Nguyen agreed to take on the responsibility of technical reviewer
for this book and has done a formidable job. I consider it an honor to have worked
with him! Joseph, thank you!
The great folks at Wiley have been patient beyond belief when it comes to deadlines,
content, and outline changes as well as our ever-changing list of contributors. They
include acquisitions editor Ken Brown, developmental editor Kelly Talbot, and
production editor Athiyappan Lalith Kumar.
And a special acknowledgment to those in my daily life, my father, DC Leonard; my
mother, Lynette Leonard; my sister, Jaena Poppe; and my brothers, Jerry, Adam, and
Jeff: thank you for always being supportive of all my endeavors.
—Clifton Leonard
About the Authors
Clifton Leonard, MCSE: Exchange Server, has more than 25 years' experience in the
IT industry as an engineer, architect, consultant, trainer, and author. Clifton has
extensive experience consulting on Active Directory, Exchange Server, Lync and Skype
for Business Server, Identity Management, Office 365, and Azure cloud solutions. His
clients include large energy corporations, K-12 schools, universities, technology
manufacturers, financial institutions, the United States Air Force, and the Department
of Defense. While Clifton cut his teeth on Microsoft Mail on Novell Netware and
Exchange Server 5.0 on DEC Alpha, he has worked with every version of Exchange
Server since then. He has also contributed as a subject matter expert to multiple
Microsoft courses including Windows Desktop, Windows Server, Exchange Server,
SharePoint Server, HyperV, Identity Management, Office 365, and Azure. Helping
organizations migrate to the latest versions of Microsoft Exchange Server has always
been a key focus of Clifton's consulting commitments.
Brian Svidergol builds Microsoft infrastructure and cloud solutions with Windows,
Microsoft Exchange, Active Directory, Office 365, and related technologies. He holds
the Microsoft Certified Trainer (MCT), Microsoft Certified Solutions Expert (MCSE) –
Server Infrastructure, and several other Microsoft and industry certifications. Brian
has authored books on Active Directory, Windows Server, Exchange Server, and
related infrastructure technologies. He served as an MCT Ambassador at TechEd
North America 2013 and at Microsoft Ignite 2015. Brian works as a subject matter
expert (SME) on many Microsoft Official Curriculum courses, edX courses, and
Microsoft certification exams. He has authored a variety of training content, blog
posts, and practice test questions and has been a technical reviewer for a large number
of books.
Byron Wright is the owner of BTW Technology Solutions where he provides,
designs, and implements solutions using Exchange Server and Office 365. He has been
a consultant, author, and instructor for 20 years, specializing in Exchange Server,
Windows Server, Office 365, network design, network security, and related
technologies. Byron has been a Microsoft MVP for Exchange Server since 2012.
Vladimir Meloski is a Microsoft Most Valuable Professional on Office Server and
Services, Microsoft Certified Trainer, and consultant, providing unified
communications and infrastructure solutions based on Microsoft Exchange Server,
Skype for Business, Office 365, and Windows Server. With a bachelor's degree in
computer sciences, Vladimir has devoted more than 20 years of professional
experience to information technology. Vladimir has been involved in Microsoft
conferences in Europe and in the United States as a speaker, moderator, proctor for
hands-on labs, and technical expert. He also has been involved as an author and
technical reviewer for Microsoft official courses, including Exchange Server 2016,
2013, 2010, and 2007; Office 365; and Windows Server 2012. As a skilled IT
professional and trainer, Vladimir shares his best practices, real-world experiences,
and knowledge with his students and colleagues and is devoted to IT community
development by collaborating with IT Pro and developer user groups worldwide.
About the Technical Editor
Joseph Nguyen is a senior consultant for Microsoft. He has 20 years of experience
as a system administrator, messaging engineer, IT analyst, systems engineer,
consultant, and trainer providing messaging, communications, and collaboration
expertise for a wide range of corporations and institutions. Joseph coauthored
Exchange Server 2010 Administration: Real World Skills for MCITP Certification and
Beyond and MCITP Self-Paced Training Kit (Exam 70-238): Deploying Messaging
Solutions with Microsoft Exchange Server 2007.
Introduction
Thank you for purchasing (or considering the purchase of) Mastering Exchange
Server 2016; this is the latest in a series of Mastering Exchange Server books that have
helped thousands of readers to better understand Microsoft's excellent messaging
system. Along the way, we hope that this series of books has made you a better
administrator and allowed you to support your organizations to the best of your
abilities.
When we started planning the outline of this book more than a year before its release,
Exchange Server 2016 appeared to be simply a minor series of improvements over
Exchange Server 2013. Of course, the further we explored the product, the more we
found that was not the case. Many of the improvements in Exchange Server 2016 were
major improvements (such as Outlook on the web) and sometimes even complete
rewrites (such as in the case of the Client Access services role) of how the product
worked previously.
Another challenge then presented itself. The market penetration of Exchange Server
2013 was fairly dominant, but we found that many organizations still run Exchange
Server 2010. Therefore, we needed to explain the differences for not only Exchange
Server 2013 administrators but also for the Exchange Server 2010 administrators. On
the other hand, Exchange Server 2003 reached end-of-life on April 8, 2014. As a result,
Microsoft no longer provides security updates, offers free or paid support options, nor
provides updated online content such as KB articles for Exchange Server 2003.
Organizations with Exchange Server 2003 deployed after April 8, 2014, are responsible
for their own support of the product and accept the risk associated with the
deployment.
We took a step back and looked at the previous editions of the book to figure out how
much of the previous material was still relevant. Some of the material from the
Exchange Server 2013 book is still relevant but needed updating. Some required
completely rewriting chapters to cover new technologies introduced in Exchange
Server 2016 or technologies that have since taken on more importance in deployments
and management. We faced the challenge of explaining two management interfaces,
Exchange Management Shell and Exchange Admin Center, as well as describing the
new roles and features.
We started working with the Exchange Server 2016 code more than a year before we
expected to release the book. Much of the book was written using the RTM code that
was first made available in October 2015, but as we continued writing the book, we
made updates based on changes introduced in Cumulative Update 1 (March 2016). So,
you can safely assume when reading this book that it is based on the latest bits of
Exchange Server 2016 that released in late summer 2016. In writing this book, we had
a few goals for the book and the knowledge we wanted to impart to the reader:
We wanted to provide an appropriate context for the role of messaging services in an organization, outlining the primary skills required by an Exchange Server administrator.
We wanted the reader to feel comfortable when approaching an Exchange Server environment of any size. The content in this book can assist administrators of small companies with only one server, as well as administrators who handle large Exchange Server farms.
We wanted the skills and tasks covered in this book to be applicable to 80 percent of all organizations running Exchange Server.
We wanted the book to educate not only “new to product” administrators but also those “new to version” administrators who are upgrading from a previous version.
We wanted the book to familiarize administrators with Office 365 environments and the implementation of hybrid coexistence with on-premises Exchange Server deployments.
We wanted to provide familiar references for administrators of previous versions, ensuring that Exchange Server 2010 and 2013 administrators can easily find equivalent solutions in Exchange Server 2016.
Microsoft listened to the advice of many of its customers, its internal consultants at
Microsoft Consulting Services (MCS), Microsoft Certified Systems Engineers
(MCSEs), Most Valuable Professionals (MVPs), Microsoft Certified Solutions Masters
(MCSMs), and Microsoft Certified Trainers (MCTs) to find out what was missing from
earlier versions of the product and what organizations' needs were. Much of this work
started even before Exchange Server 2016 was released.
Major Changes in Exchange Server 2016
This book covers the many changes in Exchange Server 2016 in detail, but we thought
we would give you a little sample of what is to come in the chapters. As you can
imagine, the changes are once again significant, considering the tremendous effort
that Microsoft sinks into the Exchange Server line of products. Exchange Server is a
significant generator of revenue for Microsoft and is also a foundational service for
Office 365. Microsoft has every reason to continue improving this most impressive
market leader of email and collaboration services.
The primary changes in Exchange Server 2016 since the latest release (Exchange
Server 2013) have come in the following areas:
Client access services have been integrated into the Mailbox server role, and the Client Access server role has been removed.
Outlook Web App is now known as Outlook on the web, is optimized for tablets, and provides platform-specific experiences for smartphones.
MAPI over HTTP is now the default protocol that Outlook uses to communicate with Exchange, which allows a higher level of visibility of transport errors and enhanced recoverability.
With SharePoint Server 2016, you can enable Outlook on the web users to link to and share documents stored in OneDrive for Business in an on-premises SharePoint server instead of attaching a file to the message.
The Hybrid Configuration Wizard (HCW) is provided as a download to support changes in the Office 365 service and to provide a more stable deployment and consistent experience.
Significant enhancements for Data Loss Prevention (DLP) have been added. With a DLP policy and mail flow rules, you can identify, monitor, and protect 80 different types of sensitive information.
Public folder integration into the In-Place eDiscovery and Hold workflow enables you to search public folders in your organization and configure an In-Place Hold on public folders.
A new eDiscovery search tool, called Compliance Search, provides improved scaling and performance capabilities so you can search very large numbers of mailboxes in a single search.
Of course, many more changes have been introduced in Exchange Server 2016, but the
preceding list stands out to us as the most noteworthy improvements. Chapter 2,
“Introducing the Changes in Exchange Server 2016,” contains an exhaustive list of all
significant changes, as well as changes since specific versions of Exchange Server (for
example, Exchange Server 2010 and Exchange Server 2013).
How This Book Is Organized
This book consists of 25 chapters, divided into five broad parts. As you proceed
through the book, you'll move from general concepts to increasingly detailed
descriptions of hands-on implementation.
This book won't work well for practitioners of the time-worn ritual of chapter hopping.
Although some readers may benefit from reading one or two chapters, we recommend
that you read most of the book in order. Even if you have experience as an Exchange
Server administrator, we recommend that you do not skip any chapter, because they
all provide new information since the previous iterations of Exchange Server. Only if
you already have considerable experience with these products should you jump to the
chapter that discusses in detail the information for which you are looking.
If you are like most administrators, though, you like to get your hands on the software
and actually see things working. Having a working system also helps many people as
they read a book or learn about a new piece of software because this lets them test
new skills as they learn them. If this sounds like you, then start with Chapter 7,
“Exchange Server 2016 Quick Start Guide.” This chapter will take you briefly through
some of the things you need to know to get Exchange Server running, but not in a lot
of detail. As long as you're not planning to put your quickie server into production
immediately, there should be no harm done. Before you put it into production,
though, we strongly suggest that you explore other parts of this book. Following is a
guide to what's in each chapter.
Part 1: Exchange Fundamentals
This part of the book focuses on concepts and features of Microsoft's Windows Server
2012 R2, Exchange Server 2016, and some of the fundamentals of operating a modern
client/server email system.
Chapter 1, “Putting Exchange Server 2016 in Context,” is for those administrators who have been handed an Exchange Server organization but who have never managed a previous version of Exchange Server or even another mail system. This will give you some of the basic information and background to help you get started managing Exchange Server and, hopefully, provide a little history and perspective.
Chapter 2, “Introducing the Changes in Exchange Server 2016,” introduces the new features of Exchange Server 2016 as contrasted with previous versions.
Chapter 3, “Understanding Availability, Recovery, and Compliance,” helps even experienced administrators navigate some of the new hurdles that Exchange Server administrators must overcome, including providing better system availability, site resiliency, backup and restoration plans, and legal compliance. This chapter does not cover database availability groups in detail; instead, that information is covered in Chapter 20, “Creating and Managing Database Availability Groups.”
Chapter 4, “Virtualizing Exchange Server 2016,” helps you decide whether you should virtualize some percentage of your servers, as many organizations are doing.
Chapter 5, “Introduction to PowerShell and the Exchange Management Shell,” focuses on and uses examples of features that are enabled in PowerShell through the Exchange Server 2016 management extensions for PowerShell. All administrators should have at least a basic familiarity with the Exchange Management Shell extensions for PowerShell even if you rarely use them.
Chapter 6, “Understanding the Exchange Autodiscover Process,” helps you to come up to speed on the inner workings of the magic voodoo that is Autodiscover, a feature that greatly simplifies the configuration of both internal and external clients.
Part 2: Getting Exchange Server Running
This section of the book is devoted to topics related to meeting the prerequisites for
Exchange Server and getting Exchange Server installed correctly the first time. While
installing Exchange Server correctly is not rocket science, getting everything right the
first time will greatly simplify your deployment.
Chapter 7, “Exchange Server 2016 Quick Start Guide,” is where everyone likes to jump right in and install the software. This chapter will help you quickly get a single server up and running for your test and lab environment. While you should not deploy an entire enterprise based on the content of this one chapter, it will help you get started quickly.
Chapter 8, “Understanding Server Roles and Configurations,” covers the primary services that run on the Exchange Server: mailbox services, transport services, and client access services.
Chapter 9, “Exchange Server 2016 Requirements,” guides you through the requirements (pertaining to Windows Server, Active Directory, and previous versions of Exchange Server) that you must meet in order to successfully deploy Exchange Server 2016.
Chapter 10, “Installing Exchange Server 2016,” takes you through both the graphical user interface and the command-line setup for installing Exchange Server 2016.
Chapter 11, “Upgrades and Migrations to Exchange Server 2016 or Office 365,” helps you decide on the right migration or transition approach for your organization. It recommends steps to take to upgrade your organization from Exchange Server 2010 or 2013 to Exchange Server 2016 or to Office 365. Also included in this chapter are recommendations for migration phases and hybrid coexistence with Office 365.
Part 3: Recipient Administration
Recipient administration generally ends up being the most time-consuming portion of
Exchange Server administration. Recipient administration includes creating and
managing mailboxes, managing mail groups, creating and managing contacts, and
administering public folders.
Chapter 12, “Management Permissions and Role-Based Access Control,” introduces one of the most powerful features of Exchange Server 2016, Role-Based Access Control, which enables extremely detailed delegation of permissions for all Exchange Server administrative tasks. This feature will be of great value to large organizations.
Chapter 13, “Basics of Recipient Management,” introduces you to some concepts you should consider before you start creating users, including how email addresses are generated and how recipients should be configured.
Chapter 14, “Managing Mailboxes and Mailbox Content,” is at the core of most Exchange Server administrators' jobs since the mailboxes represent the direct customer (the end user). This chapter introduces the concepts of managing mailboxes, mailbox data (such as personal archives), and mailbox data retention.
Chapter 15, “Managing Mail-Enabled Groups, Mail Users, and Mail Contacts,” covers management of these objects, including creating them, assigning email addresses, securing groups, and allowing for self-service management of groups, and it offers guidelines for creating contacts.
Chapter 16, “Managing Resource Mailboxes,” discusses a key task for most messaging administrators. A resource can be either a room (such as a conference room) or a piece of equipment (such as an overhead projector). Exchange Server 2016 makes it easy to allow users to view the availability of resources and request the use of these resources from within Outlook or Outlook on the web.
Chapter 17, “Managing Modern Public Folders,” introduces you to the new public folder storage and management features in Exchange Server 2016. Although public folders are being deemphasized in many organizations, other organizations still have massive quantities of data stored in them. Microsoft has reinvented public folders in this latest release of Exchange Server.
Chapter 18, “Managing Archiving and Compliance,” covers not only the overall concepts of archiving and how the rest of the industry handles archiving but also the exciting archival and retention features.
Part 4: Server Administration
Although recipient administration is important, administrators must not forget their
responsibilities to properly set up the Exchange server and maintain it. This section
helps introduce you to the configuration tasks and maintenance necessary for some of
the Exchange Server 2016 services as well as safely connecting your organization to
the Internet.
Chapter 19, “Creating and Managing Mailbox Databases,” helps familiarize you with the changes in Exchange Server 2016 with respect to mailbox database, storage, and basic sizing requirements. Many exciting changes have been made to support large databases and to allow Exchange Server to scale to support more simultaneous users.
Chapter 20, “Creating and Managing Database Availability Groups,” is a key chapter in this book that will affect all administrators from small to large organizations. Exchange Server 2016 relies heavily on Windows Failover Clustering for its site resilience and high availability functionalities. This chapter covers the implementation and management of high availability solutions.
Chapter 21, “Understanding the Client Access Services,” introduces you to the critical client access services and the related components running on the Mailbox server.
Chapter 22, “Managing Connectivity with Transport Services,” brings you up to speed on the Transport services that run with the mailbox and client access services. This chapter discusses mail flow and the transport pipeline in detail.
Chapter 23, “Managing Transport, Data Loss Prevention, and Journaling Rules,” shows you how to implement a feature set that was first introduced in Exchange Server 2007 but has since been greatly improved: the transport rule feature. This chapter also discusses message journaling and Data Loss Prevention policies.
Part 5: Troubleshooting and Operating
Troubleshooting and keeping a proper eye on your Exchange servers' health are often
neglected tasks. You may not look at your Exchange servers until there is an actual
problem. In this part, we discuss some tips and tools that will help you proactively
manage your Exchange Server environment, ensuring that you can track down
problems as well as restore any potential lost data.
Chapter 24, “Troubleshooting Exchange Server 2016,” introduces you not only to troubleshooting the various components of Exchange Server 2016 but also to good troubleshooting techniques. This chapter also includes a discussion of some of the Exchange Server 2016 built-in tools, such as the Exchange Management Shell test cmdlets and the Remote Connectivity Analyzer.
Chapter 25, “Backing Up and Restoring Exchange Server,” includes discussions on developing a backup plan for your Exchange Server 2016 servers as well as how to implement appropriate backup solutions for Exchange Server configuration, databases, logs, and any other relevant information.
Conventions Used in This Book
We use the code-continuation character on PowerShell commands to indicate that the
line of text is part of a previous command line.
Many of the screen captures in this book have been taken from lab and test
environments. However, sometimes you will see screen captures that came from an
actual working environment. We have obscured any information that would identify
those environments.
Any examples that include IP addresses have had the IP addresses changed to private
IP addresses even if we are referring to Internet addresses.
Remember, Exchange Server is designed to help your organization do what it does
better, more efficiently, and with greater productivity. Have fun, be productive, and
prosper!
The Mastering Series
The Mastering series from Sybex provides outstanding instruction for readers with
intermediate and advanced skills, in the form of top-notch training and development
for those already working in their field and clear, serious education for those aspiring
to become pros. Every Mastering book includes the following:
Real-World Scenarios, ranging from case studies to interviews, that show how the tool, technique, or knowledge presented is applied in actual practice
Skill-based instruction, with chapters organized around real tasks rather than abstract concepts or subjects
Self-review test questions, so you can be certain you're equipped to do the job right
Part 1
Exchange Fundamentals
Chapter 1: Putting Exchange Server 2016 into Context
Chapter 2: Introducing the Changes in Exchange Server 2016
Chapter 3: Understanding Availability, Recovery, and Compliance
Chapter 4: Virtualizing Exchange Server 2016
Chapter 5: Introduction to PowerShell and the Exchange Management Shell
Chapter 6: Understanding the Exchange Autodiscover Process
Chapter 1
Putting Exchange Server 2016 in Context
Email is one of the most visible services that Information Technology (IT)
professionals provide; most organizations have become dependent on “soft”
information to run their business. As a result, users have developed an attachment to
email that goes beyond the hard value of the information it contains. If there's a
problem with email, it affects users' confidence in their ability to do their jobs—and
their confidence in IT.
Microsoft's Exchange Server products play a key role in electronic messaging,
including email. This chapter is a high-level primer on Exchange Server–based email
administration and good administration practices, and it prepares you to put Exchange
Server 2016 into the proper context. An experienced email administrator may want to
proceed to more technical chapters. However, if you are new to the job or need a
refresher, or maybe you just want to put email services back into perspective, this
chapter is for you!
IN THIS CHAPTER, YOU WILL LEARN TO:
Understand email fundamentals
Identify email-administration duties
Email's Importance
If you're responsible for electronic messaging in your organization, no one has to tell
you about its steadily expanding use—you see evidence every time you check the
storage space on your disk drives or need an additional tape to complete the backup of
your mail server. This section discusses some aspects of electronic mail and the
ever-changing nature of email. Even experienced Exchange Server administrators may want
to review this section to better understand how their users and requirements are
evolving.
Billions of emails are sent every day (more than 200 billion worldwide, according to
research firm The Radicati Group). That's a lot of email messages, on a lot of servers—
many of them Exchange servers.
Sure, sending simple text email and file attachments is the most basic function, but
email systems (the client and/or the server) may also perform the following important
functions:
Act as a personal information manager, providing storage for and access to personal calendars, personal contacts, to-do and task lists, personal journals, and chat histories.
Provide the user with a single “point of entry” for multiple types of information, such as voicemail, faxes, and electronic forms.
Provide shared calendars, departmental contacts, and other shared information.
Provide notifications of workflow processes, such as finance/accounting activities, IT events (server status information), and more.
Archive important attachments, text messages, and many other types of information.
Allow users to access their “email data” through a variety of means, including clients running on Windows computers, Apple computers, Unix systems, web browsers, mobile phones, and even a regular telephone.
Perform records management and enable long-term storage of important information or information that must be archived.
Enable near-time communication of sales and support information with vendors and customers.
These are just a few of the types of things that an email system may provide to the end
user either via the client interface or as a result of some function running on the
server.
How Messaging Servers Work
At the core of any messaging system, you will find a common set of basic functions.
These functions may be implemented in different ways depending on the vendor or
even the version of the product. Exchange Server has evolved dramatically over the
past 20 years, and its current architecture is almost nothing like Exchange Server 4.0
from 1996. Common components of most messaging systems include the following:
A message transport system that moves messages from one place to another. Examples include the Simple Mail Transport Protocol (SMTP).
A message storage system that stores messages until a user can read or retrieve them. Messages may be stored in a client/server database, a shared file database, or even in individual files.
A directory service that allows a user to look up information about the mail system's users, such as a user's email address.
A client access interface on the server that allows the clients to get to their stored messages. This might include a web interface, a client/server interface, or the Post Office Protocol (POP).
The client program that allows users to read their mail, send mail, and access the directory. This may include Outlook, Outlook on the web, and a mobile device such as a Windows phone, an iPhone, or an Android device.
Working in tandem with real-time interactive technologies, electronic messaging
systems have already produced a set of imaginative business, entertainment, and
educational applications with high payoff potential. All of this action, of course,
accelerates the demand for electronic messaging capabilities and services.
Most organizations that deploy an email system usually deploy additional components
from their email software vendor or third parties that extend the capabilities of the
email system or provide required services. These include the following:
Integration with existing phone systems or enterprise voice deployments to pull voice messages into the mailbox
Message-hygiene systems that help reduce the likelihood of a malicious or inappropriate message being delivered to a user
Backup and recovery, disaster recovery, and business continuity solutions
Message archival software to allow for the long-term retention and indexing of email data
Electronic forms routing software that may integrate with accounting, order entry, or other line-of-business applications
Mail gateways to allow differing mobile devices, such as BlackBerry devices, to access the mail server, along with native access through Exchange ActiveSync
Email security systems that improve the security of email data either while being transferred or while sitting in the user's mailbox
A link load balancer to balance the load between multiple Internet-facing servers or internal servers
What Is Exchange Server?
In its simplest form, Exchange Server provides the underlying infrastructure
necessary to run a messaging system. Exchange Server provides the database to store
email data, the transport infrastructure to move the email data from one place to
another, and the access points to access email data via a number of different clients.
However, Exchange Server, when used with other clients such as Outlook or Outlook
on the web, turns the “mailbox” into a point of storage for personal information
management such as your calendar, contacts, task lists, and any file type. Users can
share some or all of this information in their own mailbox with other users on the
message system and start to collaborate.
The Outlook and Outlook on the web clients also provide access to public folders.
Public folders look like regular mail folders in your mailbox, except that they are in an
area where they can be shared by all users within the organization. A folder can have
specialized forms associated with it to allow the sharing of contacts, calendar entries,
or even other specialized forms. Further, each public folder can be secured so that
only certain users can view or modify data in that folder.
The Unified Messaging features in Exchange Server 2016 further extend the functions
of Exchange Server in your organization by allowing your Exchange Server
infrastructure to also act as your voicemail system and direct voicemails and
missed-call notifications automatically to the user's mailbox.
While integrated voicemail solutions are nothing new for Exchange Server customers,
Microsoft is now providing these capabilities out of the box rather than relying on
third-party products.
Exchange Server 2016 tightens the integration of collaborative tools in its integration
with Skype for Business Server 2015, the Skype for Business client, and the Skype for
Business mobile client. Skype for Business provides a core set of Session Initiation
Protocol (SIP)–based enterprise voice capabilities that allows it to act as a PBX in
many cases. With Exchange Server, Skype for Business, Outlook, and the Skype for
Business client, users enjoy full Unified Messaging with software-based telephony
from their computer, including the voicemail and missed-call notification provided by
Exchange Server and Outlook. Furthermore, Skype for Business can log chat and
instant-message conversation logs to a folder in the user's mailbox. Exchange Server
2016 further pushes this integration, embedding basic instant messaging (IM) and
presence capabilities into the Outlook on the web premium experience.
The capabilities of the client can be extended with third-party tools and forms-routing
software so that electronic forms can be routed through email to users' desktops.
About Messaging Services
Electronic messaging is far more than email. Together, Exchange Server 2016 and its
clients perform a variety of messaging-based functions. These functions include email,
unified messaging, message routing, scheduling, and support for several types of
custom applications. Together these features are called messaging services.
Many Modes of Access
For years, the only way to access your email system was to use a Windows, Mac, or
Unix-based client and access the email system directly. In the case of Outlook and
Exchange Server, this access was originally in the form of a MAPI client directly
against the Exchange server. As Exchange Server has evolved, it has included support
for RPC over HTTP, MAPI over HTTP, Exchange Web Services (EWS), and finally
mobile device access (via ActiveSync). Exchange Server 2016 doesn't offer any
radically new modes of mailbox access as Exchange Server 2007 did, but it does
provide ongoing support and refinement of existing Exchange Server 2007
technologies, such as Exchange Web Services, that can provide additional mechanisms
for accessing data in mailboxes and a move away from RPC in client connectivity in
favor of Outlook on the web and mobile devices.
Outlook on the web (formerly Outlook Web Access) has evolved quickly and, in
Exchange Server 2016, bears almost no resemblance to the original version found in
Exchange Server 5.0 in terms of features, functions, and the look of the interface.
Exchange Server 2016 Outlook on the web is a step beyond Exchange Server 2013. It
expands the previous option configuration experience of the Exchange Control Panel
(ECP), which gives users a much greater degree of control over their mailboxes,
contacts, and group memberships. ECP is built into the Outlook on the web interface.
Using ECP, end users can create and join distribution groups (where permissions have
been assigned), track their own messages throughout the organization, and perform
other functions that in Exchange 2010 and earlier versions required help-desk or IT
professional intervention. Another significant feature of Outlook on the web is the
ability to use the web-based interface when working offline and completely
disconnected from the network.
With Exchange Server 2016, Exchange ActiveSync (EAS) continues to offer significant
partnerships with and control over mobile devices. Many vendors have licensed EAS
to provide their mobile devices with a high-performance, full-featured push mobile
synchronization experience that extends beyond mobile phones and into tablet
devices.
With all of these mechanisms for retrieving and sending email, it is not unusual for
users to access their mailboxes using more than one device. In some cases, we have
seen a single user accessing her mailbox from her desktop computer, her tablet device
using Outlook Anywhere, and her Windows Phone device.
In medium and large organizations, the fact that users are accessing their mailboxes
from more than one device or mechanism will affect not only hardware sizing but
also, potentially, your licensing costs.
How Messaging Services Are Used
Certainly, email is a key feature of any messaging system, and the Outlook Calendar is
far better than previous versions of Microsoft's appointment and meeting-scheduling
software. Outlook 2016 together with Exchange Server 2016 introduces even more
synergy. Figure 1.1 and Figure 1.2 show the Outlook 2016 client Calendar and Inbox in
action.
Figure 1.1 Outlook 2016 Appointment scheduling on an Exchange Server 2016 mailbox
Figure 1.2 The Outlook 2016 client Inbox on an Exchange Server 2016 mailbox
Figure 1.3 shows the new Outlook on the web 2016 web browser client. Outlook on the
web provides the full, premium user experience for browsers other than Internet
Explorer; it also supports Mac OS X Safari, Firefox, and Chrome. Those coming from
older versions of Exchange Server will immediately notice a cleaner, less-cluttered
interface and new functionalities such as Offline Usage.
Figure 1.3 Outlook on the web on an Exchange Server 2016 mailbox
Email clients are exciting and sexy, but to get the most out of Exchange Server 2016
you need to throw away any preconceptions you have that messaging systems are only
for email and scheduling. The really exciting applications are not those that use simple
email or scheduling but those that are based on the routing capabilities of messaging
systems. These applications bring people and computers together for improved
collaboration.
The Universal Inbox
Email systems are converging with their voicemail and enterprise voice-solution
cousins. The concept of unified messaging is nothing new to email users. For the past
20 years, third-party vendors have included email integration tools for voicemail,
network faxing solutions, and third-party integration. However, for most
organizations, integrated voicemail remains the exception rather than the rule.
Exchange Server 2007 introduced integrated voice, which Exchange Server 2016
continues to improve.
Organizations with IP-based telephone systems or telephone systems with an IP
gateway can easily integrate a user's voicemail with the Exchange Server user's
mailbox. The Exchange Server 2016 Unified Messaging features handle the interaction
between an organization's telephone system and Exchange Server mailboxes. Inbound
voicemail is transferred into the user's mailbox as a cross-platform-friendly MP3 file
attachment; this message includes an Outlook or Outlook on the web form that allows
the user to play the message. As well, the voicemail text can be transcribed into the
body of the email message for quick reading by the user during meetings or rapid
glancing at the Inbox. Because the default format is MP3 in Exchange Server 2016 (it
was a Windows Media file in Exchange Server 2007, using a custom codec), this file
can be easily played on mobile devices from any manufacturer, allowing easy
on-the-go access to voicemail. A short voicemail message may be anywhere from 40 KB to 75
KB in size, whereas longer voicemail messages may range from 200 KB to 500 KB in
size. One estimate that is frequently used for the size of a voicemail message is around
5 KB per second of message.
Inbound voicemail increases the demands on your Exchange server from the
perspective of required disk space and possible additional server hardware. As an
administrator, you need to consider this.
Just the Fax, Ma'am
In Exchange Server 2007, the Unified Messaging features included the
out-of-the-box capability to capture incoming facsimile (fax) messages. There were some
limitations, but it provided good basic functionality. For outbound fax capability,
organizations had to deploy some other solution, typically a third-party fax
package.
Since Exchange Server 2010, Microsoft made the decision to cut this feature.
When talking with the product group, it's not hard to figure out why; the
inbound-only fax functionality wasn't enough for the customers who needed fax
integration. Exchange Server needed to either add outgoing fax capability and beef
up its feature set (and lose other desired functionality) or drop the existing
functionality because the majority of Exchange Server 2007 customers needed a
third-party product anyway. Although it's always disappointing to lose a feature,
most of the organizations we've talked to didn't use it to begin with. We think that
Microsoft definitely made the right call, if you'll pardon the pun.
Architecture and Core Functionality Overview
Understanding a bit about how Exchange Server works from an architectural
perspective will help make you a better administrator. You don't have to be able to
reproduce or write your own client/server messaging system, but it helps to know the
basics.
The Extensible Storage Engine
The Exchange Server database uses a highly specialized database engine called the
Extensible Storage Engine (ESE). Generically, you could say it is almost like SQL
Server, but this is technically not true. It is a client/server database and is somewhat
relational in nature, but it is designed to be a single-user database (the Exchange
server itself is the only component that directly accesses the data). Further, the
database has been highly tuned to store hierarchical data, such as mailboxes, folders,
messages, and attachments.
Without going into a lot of techno-babble on the database architecture, it is important
that you understand the basics of what the database is doing. Figure 1.4 shows
conceptually what is happening with the ESE database as data is sent to the database.
In step 1, an Outlook client sends data to the Exchange server (the Information Store
service); the Information Store service places this data in memory and then
immediately writes the data out to the transaction log files associated with that
database.
Figure 1.4 Exchange data and transaction logs
Thetransactionlogthatisalwayswrittentoisthecurrenttransactionlogforthat
particulardatabase(e00.log,forexample).Eachtransactionlogfileisexactly1MBin
size,sowhenthetransactionlogisfilledup,itisrenamedtothenextsequential
number.Forexample,anoldtransactionlogfilemightbenamedlikethis:
e000004032.log.Weoftengetquestionsaboutthelogicofthetransactionlogs,and
howtheyreservespaceonthedisk,whethertheyareemptyorfull.Aneasywayto
lookatitistocomparealogfiletoacartonofmilk.Whenyouhaveacartonofmilk,it
alwaystakesupthesamespaceinyourfridge,emptyorfull.Thesameistrueofthe
logfiles.Emptylogfiles(currentlogfileandreservedlogfiles)areempty,orpartially
full;therenamed,old,logfilesarefull.However,theytakeupthesameamountof
spaceonthedisk.
The data, such as new email messages that enter the organization, is retained in RAM
for some period of time (maybe as little as 5 seconds or maybe even 60 seconds or
more) before it is flushed to the database file. The actual period that data is retained in
memory will depend on how much cache memory is available, what types of
operations are happening in the data, and how busy the server is. The important
operation, though, is to make sure that as soon as the data is sent to the Exchange
server, it is immediately flushed to the transaction log files. If the server crashes
before the data is written to the database file, the database engine (the store process)
will automatically read the transaction log files once the server is brought back up and
compare them to the data that's stored in the corresponding mailbox databases. Any
inconsistency is resolved by replaying the missing data operations from the
transaction logs back into the database, assuming that the entire transaction is
present; if it's not, the operations are not written (and you can be confident that the
operation wasn't completed at the time the crash happened). This helps ensure that
the integrity of the mailbox database is preserved and that half-completed data
operations aren't written back into the database and allowed to corrupt good data.
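The replay rule described above, as an added example that is not part of the original book: a simplified Python model of write-ahead logging in which committed transactions are replayed after a crash and a half-logged one is discarded. It is not ESE's on-disk format; the Store class, the recover function and the inbox/A-style keys are assumptions made for illustration.

```python
"""Toy model of write-ahead logging and crash recovery.

Constructed for illustration; this is not ESE's on-disk format.
"""
from collections import namedtuple

# kind is one of "begin", "put", "delete", "commit"
LogRecord = namedtuple("LogRecord", "txn kind key value")


class Store:
    """Durable state: log and db_file. Volatile state: pending and cache."""

    def __init__(self):
        self.log = []        # transaction log, always written first
        self.db_file = {}    # database file, updated lazily by flush()
        self.cache = {}      # committed changes that are still only in RAM
        self.pending = {}    # uncommitted changes, keyed by transaction id
        self.next_txn = 1

    def begin(self):
        txn = self.next_txn
        self.next_txn += 1
        self.pending[txn] = {}
        self.log.append(LogRecord(txn, "begin", None, None))
        return txn

    def put(self, txn, key, value):
        self.log.append(LogRecord(txn, "put", key, value))
        self.pending[txn][key] = value

    def delete(self, txn, key):
        self.log.append(LogRecord(txn, "delete", key, None))
        self.pending[txn][key] = None    # None marks a deletion

    def commit(self, txn):
        self.log.append(LogRecord(txn, "commit", None, None))
        self.cache.update(self.pending.pop(txn))

    def flush(self):
        """Lazy write of committed, cached changes into the database file."""
        for key, value in self.cache.items():
            if value is None:
                self.db_file.pop(key, None)
            else:
                self.db_file[key] = value
        self.cache.clear()

    def crash(self):
        """Power loss: everything in RAM is gone, the disk survives."""
        self.cache.clear()
        self.pending.clear()


def recover(log, db_file):
    """Replay complete transactions into db_file and skip incomplete ones.

    Returns (replayed_txn_ids, discarded_txn_ids), both sorted.
    """
    committed = {r.txn for r in log if r.kind == "commit"}
    replayed, discarded = set(), set()
    for r in log:
        if r.kind not in ("put", "delete"):
            continue
        if r.txn not in committed:
            discarded.add(r.txn)         # no commit record: never applied
            continue
        if r.kind == "put":
            db_file[r.key] = r.value     # idempotent, safe to apply twice
        else:
            db_file.pop(r.key, None)
        replayed.add(r.txn)
    return sorted(replayed), sorted(discarded)


def demo():
    """Constructed scenario: three transactions, then a crash."""
    s = Store()
    t1 = s.begin()                       # message A delivered and flushed
    s.put(t1, "inbox/A", "msg A")
    s.commit(t1)
    s.flush()
    t2 = s.begin()                       # message B committed, not yet flushed
    s.put(t2, "inbox/B", "msg B")
    s.commit(t2)
    t3 = s.begin()                       # move of A interrupted half-way
    s.delete(t3, "inbox/A")
    s.crash()                            # before the put and the commit
    before = dict(s.db_file)
    replayed, discarded = recover(s.log, s.db_file)
    return before, s.db_file, replayed, discarded


if __name__ == "__main__":
    print(demo())
```

Message B exists only in the log at crash time and is restored by replay, while the interrupted move leaves message A untouched in its original folder.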
The transaction log files are important for a number of reasons. They are used by
Microsoft replication technologies (as you'll learn in Chapter 19, “Creating and
Managing Mailbox Databases”), but they can also be used in disaster recovery. The
transaction logs are not purged off the log disk until a full backup is run; therefore,
every transaction that occurred to a database (new data, modifications, moves,
deletes) is stored in the logs. If you restore the last good backup to the server,
Exchange Server can replay and rebuild all the missing transactions back into the
database—provided you have all the transactions since the last full backup.
In early versions of Exchange Server, you had two separate mail store objects: the
storage group, which was a logical container that held an associated set of transaction
logs, and the mailbox database, a set of files that held the actual permanent copies of
user mailboxes. You often had multiple mailbox databases per storage group, meaning
that one set of transaction logs contained interwoven transaction data for multiple
databases (which could have detrimental effects on performance, space, and backups).
In Exchange Server 2016, you still have mailbox databases. However, storage groups
were removed in Exchange Server 2010; each mailbox database now has its own
integral set of transaction log files. In fact, mailbox databases—which were once
tightly coupled with specific servers—can have copies on multiple servers in the
organization, even spread across multiple sites. This functionality was introduced by
moving the mailbox databases from the Server hierarchy to the Organization
hierarchy, essentially rendering them a shared object that can become active on any
server in the organization. The database availability group container is now available
to contain servers that participate in the replication of mailbox databases with each
other.
Exchange and Active Directory
We could easily write two or three chapters on how Exchange Server interacts with
Active Directory, but the basics will have to do for now. Exchange Server relies on
Active Directory for information about its own configuration, user authentication, and
email-specific properties for mail-enabled objects such as users, contacts, groups, and
public folders. Look at Figure 1.5 to see some of the different types of interactions that
occur between Exchange Server and Active Directory.
Figure 1.5 Active Directory and Exchange Server
Because most of the Exchange Server configuration data for an Exchange server is
stored in Active Directory, all Exchange Server roles must contact a domain controller
to request their configuration data; this information is stored in a special partition of
the Active Directory database called the configuration partition. The configuration
partition is replicated to all domain controllers in the entire Active Directory forest.
Note that you can have only a single Exchange organization per Active Directory
forest.
Each of the Exchange Server components uses Active Directory for different things.
Some of those functions include:
Mailbox Components: For mailbox operations, Exchange Server must query Active Directory to authenticate users, enumerate permissions on mailboxes, look up individual mailbox limits, and determine which mailboxes are on a particular server. They also require access to global catalog servers to look up email addressing information, distribution list membership information, and other data related to message routing.
Client Access Components: For client access, Exchange Server requires access to Active Directory to look up information about users, Exchange ActiveSync, and Outlook on the web user restrictions.
Controlling Mailbox Growth
As users have become more savvy and competent at using Outlook and the features of
Exchange Server, and email messages themselves have become more complex, the
need for email storage has grown. Back in the days of Exchange Server 4.0, an
organization that gave its users a 25 MB mailbox was considered generous. With
Exchange Server 2003, a typical user's mailbox may have a storage limit of 300 to 500
MB, with power users and VIPs requiring even more. At TechEd 2006, Exchange
Server gurus were tossing about the idea that in the future a default mailbox limit
would be closer to 2 GB as users start incorporating Unified Messaging features.
Current discussions now look forward to and assume unlimited-sized mailboxes
within the next few years.
We all see users with mailbox sizes in the gigabyte range, but is your organization
prepared for a typical user with an unlimited mailbox size? What sort of concerns will
you face when your average user has 25 GB, 50 GB, 100 GB, or even unlimited content
(not just email!) in their mailbox?
Certainly, the need for more disk storage will be the first factor that organizations
need to consider. However, disk storage is reasonably cheap, and many larger
organizations that are supporting thousands of mailbox users on a single Mailbox
server already have more disk space than they can practically use. This is due to the
fact that they require more disk spindles to accommodate the number of
simultaneous I/Os per second (IOPS) that are required by a large number of users.
While early versions of Exchange Server were primarily performance-bound—
meaning that they would require more drive performance before they required more
disk capacity—versions since Exchange Server 2007 have solidly pushed that to being
capacity-bound. With the performance characteristics and capacities of modern
drives, it becomes feasible to economically provision Exchange Server storage in
support of large mailboxes.
For most administrators with large amounts of mail storage, the primary concern they
face is the ability to quickly and efficiently restore data in the event of a failure. These
administrators are often faced with service-level agreements that bind them to
maximum restoration times. In even the most optimal circumstances, a 300 GB
mailbox database will take some time to restore from backup media. However, these
issues have largely been mitigated by the use of database availability groups (DAGs),
which ensure constant copies of mailbox databases that reside on other servers,
essentially providing a constant live backup of mailbox databases on other servers,
and in other datacenters.
Microsoft recommends that you do not allow an Exchange Server mailbox database to
grow larger than 200 GB unless you are implementing continuous-replication
technologies in Exchange Server 2016. If you use database availability groups to
replicate databases to multiple servers, the maximum database size recommendation
goes up (way up) to 2 TB. However, the maximum supported database size is actually
64 TB. If you require more than the maximum recommended database storage,
Exchange Server 2016 Standard Edition allows you to have up to 5 mailbox databases
and Exchange Server 2016 Enterprise Edition allows you to have up to 100.
The solution in the past was to restrain the user community by preventing them from
keeping all of the mail data that they might require on the mail server. This was done
by imposing low mailbox limits, implementing message-archival requirements,
keeping deleted items for only a few days, and keeping deleted mailboxes for only a
few days.
However, as Unified Messaging data arrives in a user's mailbox and users have
additional mechanisms for accessing the data stored in their mailbox, keeping mail
data around longer is a demand and a requirement for your user community. The
Exchange Server 2016 archive mailbox feature also drives the need for more storage,
as message archival moves away from the PST files and back into Exchange Server in
the form of archive mailboxes. Those archive mailboxes can be segregated to a
dedicated mailbox database and be set to a different backup schedule and their own
set of management practices.
Personal Folders or PST Files
While we're on the subject of PST files, let's discuss this pesky feature of client
management. The Outlook Personal Folder, or PST files, can be the very bane of your
existence. Outlook allows users to create a local database, named Personal Folder, in
which users can create folders and archive email. Although this seems like a good
feature on the surface, there are a few downsides:
Once data is in a user's PST file, you, as the server administrator, have lost control of it. If you ever had to find all copies of a certain message, perhaps for a lawsuit, you would be out of luck. PSTs can become a management and security nightmare as data is suddenly distributed all over your network.
The data in PST files take up more space than the corresponding data on the server.
The default location for a PST is the local portion of the user's profile; this means it is stored on the local hard disk of their computer and is not backed up.
PST files can get corrupted, become misplaced, or even be lost entirely. PSTs are not designed for access over a network connection; they're meant to be on the local hard drive, which wastes space, as well as complicates the backup and management scenarios.
Starting with Exchange Server 2010, Personal Archives stored on the server can be
populated from PST files, therefore offering a true alternative to those pesky local
files.
Email Archiving
Sometimes, managing a mail server seems like a constant race between IT and users
to keep users from letting their mailbox run out of space. Users are pack rats and
generally want to keep everything. If there is a business reason for them to do so, you
should look at ways to expand your available storage to accommodate them.
However, as databases become larger and larger, the Exchange server will be more
difficult to manage. You might start requiring hundreds and hundreds of gigabytes (or
even terabytes) of storage for email databases. Worse still, performing backups and
data recovery take longer.
Exchange Server 2016 provides some archiving features, such as the Personal Archive.
Also, large mailboxes could be moved to an Office 365 subscription, in a hybrid
coexistence model.
For those organizations that are not opting to head out to the cloud or do not choose
Office 365 as their email solution, this is where email archiving becomes useful. The
last time we counted, several dozen companies were in the business of supplying
email archiving tools and services. Archiving products all have a lot of functions in
common, including the ability to keep data long term in email archival, to allow the
users to search for their own data, and to allow authorized users to search the entire
archive.
If you look at how email is archived, archive systems generally come in one of three
flavors:
Systems that depend on journaling to automatically forward every email sent or received by specified users on to the archive system.
Systems that perform a scheduled “crawl” of specified mailboxes, looking for messages that are eligible to be moved or copied to the archive.
Systems that move data to the archive by copying the log files from the production Mailbox servers and then replaying the logs into the archive. This is called log shipping.
Each of these methods has its advantages and disadvantages with respect to using
storage, providing a complete archive, and dealing with performance overhead.
In the previous section, we discussed briefly the archive mailbox as an alternative to
the management of PST files. However, its ability goes beyond the manual move of
email messages to a dedicated location on the server. For any user who requires email
archival, a Personal Archive can be created for that user. As email ages past a certain
point, the mail is moved from the active mailbox to the archive mailbox by using
Archive Policies. The user can still access and search the archive mailbox from
Outlook on the web or Outlook, though. The email data remains on the Exchange
server and, therefore, does not require an additional email archival infrastructure.
We often are asked if this information can be made available offline; keep in mind
that it cannot. Personal Archives cannot be included in Offline Stores (OST) files. This
is by design, and we're kind of glad that it works this way, because we are continuously
trying to reduce the email footprint on the client computers. OST files get very large,
very fast, and can cause plenty of headaches as well. Note that with Outlook 2013 and
Outlook 2016, you can adjust how many days, weeks, months, or years to sync offline.
If I Use a Third-Party Solution, Does It Matter How I Archive?
Every third-party archival vendor is going to tell you how their product is best and
give you long technical reasons why their approach is so much better than the
competition's. The dirty little secret is that all three approaches have their pros
and cons:
Journaling is based on SMTP. If content doesn't run across SMTP, it won't get journaled and, therefore, won't get archived. Journaling is great for capturing messaging and calendaring traffic that involves multiple parties or external entities, but it won't capture what happens to messages and other mailbox data once they're in the mailbox. Journaling can also place an additional load on the Hub Transport servers, depending on the amount and type of messaging traffic your users generate.
Crawling can capture changes only at certain intervals; it can't capture every single change, even though it overcomes many of the limitations of journaling. For example, if one user sends a message to another in violation of policy and both hard-delete their copy of the message before the next crawl interval, that message won't be detected and archived. The more often you schedule the crawl, the more of a performance impact your Mailbox servers will suffer.
Log shipping is the best of all options; it captures every transaction and change, allowing you to capture the entire history of each object while offloading the performance hit from your Exchange servers. However, the Exchange Server product team does not like the concept of log shipping and tries to discourage its use—mainly because there are vendors who try to inject data back into Exchange Server by modifying logs. This, needless to say, results in mailbox data that won't be supported by Microsoft.
Public Folders
The end-user experience for public folders has not changed in Exchange Server 2016,
though the architecture has changed in recent years—mainly the storage of the public
folders, which is now in a mailbox database, instead of the public folder database.
Public folders are for common access to messages and files. Files can be dragged from
file-access interfaces, such as File Explorer, and dropped into public folders. The
whole concept of public folders has many organizations in a quandary as they try to
figure out the best place for these collaborative applications. Increasingly, applications
that were once “best suited” for a public folder are now better suited for web pages or
portals, such as SharePoint workspaces. Although the whole concept of public folders
is perceived as being deemphasized since Exchange Server 2007, Microsoft continues
to support public folders, and many organizations will continue to find useful
applications for public folders for the foreseeable future.
A key change in public-folder storage occurs in Exchange Server 2016, one that finally
breaks the paradigm of dedicated public folder databases and public folder replication.
Although we discuss this change in Chapter 2, “Introducing the Changes in Exchange
Server 2016,” we just briefly note here that public folders are now stored in mailbox
databases and can be replicated as mailbox database copies in a database availability
group.
You can set up sorting rules for a public folder so that items in the folder are
organized by a range of attributes, such as the name of the sender or creator of the
item or the date that the item was placed in the folder. Items in a public folder can be
sorted by conversation threads. Public folders can also contain applications built on
existing products such as Word or Excel or built with Exchange Server or Outlook
Forms Designer, client or server scripting, or the Exchange Server API set. You can use
public folders to replace many of the maddening paper-based processes that abound in
every organization.
For easy access to items in a public folder, you can use a folder link. You can send a
link to a folder in a message. When someone navigates to the folder and double-clicks
a file, the file opens. Everyone who receives the message works with the same linked
attachment, so everyone reads and can modify the same file. As with document
routing, applications such as Microsoft Word can keep track of each person's changes
to and comments on file contents. Of course, your users will have to learn to live with
the fact that only one person can edit an application file at a time. Most modern
end-user applications warn the user when someone else is using the file and, if so, allow the
user to open a read-only copy of the file, which of course can't be edited.
Things Every Email Administrator Should Know
The information in this section is something that we often find even our own email
administrators and help-desk personnel unaware of. Sometimes the most important
skill any technology administrator has is not a specific knowledge of something but
generic knowledge that they can use to quickly find the right answer.
A Day in the Life of the Email Administrator
We know and work with a lot of email administrators, and we can honestly say that no
two people have the same set of tasks required of them. Your CEO, director of
information technology, or even your supervisor is going to ask you to pull rabbits out
of your hat, so don't expect every day to be the same as the last one. (And invest in
some rabbits.) Keep up with your technology and supporting products so that you can
be ready with answers or at the very least intelligent responses to questions.
Daily Administrative Tasks
So, what are some typical tasks that you may perform as part of your duties as an
email administrator? These tasks will depend on the size of your organization, the
number of administrators you have running your Exchange Server organization, and
how administrative tasks are divided up.
Recipient Management Tasks: These are certainly the biggest day-to-day tasks that most Exchange Server administrators in medium and large organizations will experience. Recipient management tasks may include:
Assigning a mailbox to a user account
Creating mail-enabled contacts
Creating and managing mail groups
Managing mail-enabled object properties such as users' phone numbers, assigning more email addresses to a user, or adding/removing group members
Basic Monitoring Tasks: These ensure that your Exchange servers are healthy and functioning properly:
Checking queues for stalled messages
Verifying that there is sufficient disk space for the databases and logs
Making sure that the message-hygiene system is functioning and up-to-date
Running and verifying daily backups
Reviewing the event logs for unusual activity, errors, or warnings
Checking Performance Monitor to gauge how the Exchange servers are performing
Daily Troubleshooting Tasks: These include the following:
Reviewing nondelivery report messages and figuring out why some mail your users are sending might not have been delivered
Looking up errors and warnings that show up in the event logs to determine if they are serious and warrant corrective action
Looking at mail flow in the organization to identify why delivery to some recipients is taking a long time
Security-Related Tasks: Some of these are performed daily, while others are performed only weekly or monthly:
Looking at server and service uptimes to ensure that servers are not rebooting unexpectedly
Reviewing the event logs for warnings that may indicate users are inappropriately accessing other users' data
Saving the IIS (Internet Information Services) and SMTP and connectivity logs or even reviewing their content
Email Client Administration Tasks: These include the following:
Troubleshooting Autodiscover connectivity and client issues
Diagnosing problems with mobile or tablet devices that use Exchange ActiveSync connectivity
Application Integration Tasks: These are performed on an as-needed basis and may include the following:
Establishing and diagnosing SMTP connectivity with email-enabled third-party applications such as web servers
Configuring, testing, and troubleshooting Unified Messaging interoperability with voice and Session Initiation Protocol (SIP) systems
Configuring, testing, and troubleshooting connectivity with SharePoint Server site mailboxes
Communicating with Your Users
Communicating with your users is probably one of the most important things you do.
Keeping your users informed and delivering good customer service are almost as
important as delivering the IT service itself. Keeping users informed of full or partial
service outages such as mobile or iPhone support or web connectivity may not score
any immediate points, but users appreciate honest, forthright information. Remember
how you felt the last time you were waiting for an airplane to arrive that kept on being
delayed and delayed, and all the airline could do was be evasive?
Also, remember to have multiple avenues of communication available to your users.
For example, you may need to get out to your users the message that you will be
having downtime on the weekend. Postings on your company intranet or even the
bulletin board in the cafeteria or on the wall of the elevator are good ways to keep
your users informed.
Preparing Reports
Maybe we have just worked in large IT environments for too long now, but it seems to
us that information technology is more and more about reports and metrics. We are
frequently asked to provide reports, statistics, and information on usage—not
necessarily information on performance (how well the system performed for the
users) but other types of metrics. Depending on your management, you may be asked
to provide the following:
Total number of mailboxes and mailbox sizes
Top system users and top source/destination domains
Antispam and message-hygiene statistics
Disk space usage and growth
System availability reports indicating how much unscheduled downtime may have been experienced during a certain reporting period
Total number of messages sent and received per day
Average end-to-end email delivery time
Exchange does not provide you with a way to easily access most of this data. The
mailbox statistics can be generated using the Exchange Management Shell, but many
of these will actually require an additional reporting product, such as System Center
2012 R2.
Something that you can do to prepare for a reporting requirement is to ensure that
you are keeping two to four weeks' worth of message-tracking and protocol logs.
Scheduled Downtime, Patches, and Service Packs
As the discussion over moving to “the cloud” becomes more prevalent in most
industries, the common argument that keeps on coming back in favor of moving
Exchange Server services to some version of Exchange Online or Office 365 is server
availability. No one likes downtime, whether it is scheduled or not. Management may
actually be holding you to a specific service-level agreement (SLA) that requires you to
provide so many hours of uptime per month or to provide email services during
certain hours. Unscheduled downtime is anything that happens during your stated
hours of operation that keeps users from accessing their email.
Even a small organization can provide very good availability for its mail services, and
without large investments in hardware. Good availability begins with the following:
Server hardware should always be from a reputable vendor and listed in the Microsoft Server Catalog.
Server hardware should be installed using the vendor-recommended procedures and updated regularly. Problems with servers are frequently caused by outdated firmware and device drivers.
Once the server is in production, it should not be used as a test bed for other software. Keep an identically configured server that uses the same hardware for testing updates.
Don't underestimate the importance of training and documentation. In general, the
industry formula for providing better availability for any system is to spend more
money to purchase redundant servers and build failover clusters. But often better
training for IT personnel and a simple investment in system documentation, as well as
system policies and procedures, can improve availability—and for less money.
Internal Staff Training Is Just as Important as Your Infrastructure
Company LMNOP invested hundreds of thousands of dollars in their
infrastructure to improve server uptime. Three months into the operation of the
new system, an untrained operator accidentally brought down a 15,000-mailbox
database availability group (DAG) simply because he had been asked to do a task
he had never done before and the organization did not have documentation on
how to proceed. So keep in mind that documentation, training, and procedures are
very important in improving uptime.
Even the biggest mailbox servers in large database availability groups need some
scheduled downtime. Even if it is scheduled in the wee hours of the morning,
undoubtedly someone, somewhere, somehow will need access when you are working
on the system. Thankfully, the DAG solution for high availability ensures that users
may never notice the scheduled server downtime, since mailbox services can be
switched over to another member server in the DAG. That being said, when you are
driving your car with no spare tire in the trunk, you are more vulnerable to a flat tire.
The same is true of the DAG, because when a member server is offline for
maintenance, the DAG loses a potential mailbox server that is capable of taking over
in the event of server failure.
When your scheduled downtime will affect components that can impact server
availability for your users, that downtime should be well communicated. Also, you
should document your scheduled downtime as part of your operational plans and let
your user community know about these plans. The specific time window for
maintenance should always be the same; for some organizations, this might be 6:30
pm to 10:30 pm on Thursday once per month, whereas other organizations might
schedule downtime from 11:00 pm Saturday until 4:00 am every Sunday.
The number-one reason for downtime is to apply updates and fixes to the operating
system or to the applications running on the server. Microsoft releases monthly
security updates for the operating system and applications if vulnerabilities are
discovered. Every few months, Microsoft releases updates for Exchange Server 2016
that fix bugs or that may even add slight functionality. New for Exchange Server 2016,
Microsoft uses a quarterly update release cycle. Each quarter, a cumulative update
(CU) is released for Exchange Server 2016. You can install the CU in your
environment to update it with the latest updates and fixes, and you do not need to
install previous CUs before you install the latest CU.
Microsoft's updates are usually downloaded to your servers shortly after they are
released. The server can download them directly from Microsoft, or they can be
downloaded from Windows Software Update Service (WSUS), Microsoft System
Center Configuration Manager 2012 R2, or another third-party server inside your
network. Whichever you choose, it is important that you make sure that the machine
is a server and not a workstation. For example, make sure the automatic updates
component of Windows Server is configured correctly. Figure 1.6 shows the Change
Settings options for Windows Update.
Figure 1.6 Configuring automatic updates
For production Exchange servers, you should configure the server with the option
Download Updates But Let Me Choose Whether To Install Them. This is an important
setting because if you choose the Install Updates Automatically (Recommended)
option, the server will automatically apply any update within a day or so of
downloading it. This is not a desirable action for a production mail server. Instead, you
want the server to download the updates and notify you via the updates icon in the
system tray. You can then investigate the updates and schedule appropriate downtime
to apply them manually.
Finding Answers
This topic deserves special attention. One of our jobs is working in Tier 3 support for a
large organization. The thing we respect the most about the administrators who
actually run the system and handle the trouble tickets is that they do their homework
prior to coming to us with a problem.
Too often techies make up an answer when they are not sure about something. Don't
do that! When you are asked a question that you don't know the answer to, it is okay
to say you don't know the answer—but make sure to follow that up by indicating that
you will find the answer. Knowing the right resources (where to get answers) is just as
important as the technical knowledge it takes to implement the answer. Key players in
your organization will respect you much more when they know that you are willing to
accept the limitations of your knowledge and have the appropriate resources to find
the resolution to a problem or the answer to a question.
Helpful Resources
Exchange Server has to be one of the most documented and discussed products (short
of maybe Windows) that Microsoft produces. This means that most of the questions
that we have about Exchange Server can usually be answered via the right search or by
looking in the right place. The most obvious place to start when you have a problem or
a question is to perform an Internet search, but many other resources are available:
Exchange Server Documentation: There is a world of free information on the Internet, but let's start right on the local hard disk of your Exchange Server or any place you have installed the admin tools. Microsoft has done an excellent job of providing better and better documentation for Exchange Server over the past few years. The Exchange Server 2016 documentation is comprehensive and so readable you will wonder if it is really from Microsoft. A link to the documentation can be found in the installation directory of Exchange Server. Look for the following file:
C:\Program Files\Microsoft\Exchange Server\v15\Bin\ExchHelp.url
You can also run it from the Microsoft Exchange Server 2016 folder on the Start menu. Either option will open a web browser that navigates to the TechNet reference library for Exchange Server.
Exchange Server Release Notes: Another good resource for “I wish I had known that” types of things is the release notes. You should be able to find a link to the release notes here:
C:\Program Files\Microsoft\Exchange Server\v15\
Exchange Server Forums: If you have a question for which you have done your due diligence in searching and researching the problem but you don't have an answer, it is time to ask the world. A good place to start is the Microsoft forums, also known as social.technet.microsoft.com. You can find the Exchange Server section here:
http://social.technet.microsoft.com/forums/en-US/category/exchangeserver/
When you post your question, please take a moment to think about what information the other readers are going to need to answer your question. Although you can post a vague question such as “Exchange is giving me an error,” doing so is only going to result in (at best) delays while other forum participants have to request specific information from you. Instead, post the exact error message and any error codes you are seeing. Also, indicate, at minimum, what version of the software you are using (including service pack), the role of the server, and what operating system you are using.
You Had Me at EHLO: This is the Microsoft Exchange Team's blog. This is the best site on the Internet for getting the inside scoop on how Exchange Server works, best practices, and the future of Exchange Server. You can read articles written by Exchange Server developers and Customer Support Services engineers. When changes to the product are announced, or customers request changes in the product, you will hear first from the product group engineers about the way they have chosen to deal with the issue.
http://blogs.technet.com/b/exchange/
MSExchange.Org Website: One of the best sites on the Internet for free, easy-to-access content about Exchange Server is www.msexchange.org. The articles are written by Exchange Server gurus from all over the world and are usually in the form of easy-to-read and easy-to-follow tutorials. There is also a forums section where you can post questions or read other people's questions.
Calling for Support
If your system is down or your operations are seriously hindered and you don't have a
clue what to do next, it is time to call in the big guns. Sure, you should do some
Internet searches to try to resolve your problem, but Internet newsgroups and forums
are not the place to get support for business-critical issues.
Microsoft Product Support Services (PSS) is Microsoft's technical support
organization. Its home page is http://support.microsoft.com. Professional support
options (ranging from peer-to-peer support to telephone support) can be found at the
following URL, where a web browser–based wizard guides you through your support
options:
https://gettechsupport.microsoft.com/default.aspx?locale=en-us&supportregion=enus&pesid=14886
If you do not have a Microsoft Premier agreement, Microsoft telephone support may
seem to be a bit expensive, but believe me, when an Exchange server is down and the
users are burning you in effigy in the company parking lot, a few hundred dollars for
business hours support is cheap.
When you call and get a support technician on the phone, don't be surprised or
offended if they start at the beginning and ask you a lot of elementary questions. They
have to double-check everything you have done before they can look into more
advanced problems. Frequently, one of these basic questions will help you locate a
problem that you were convinced was more complicated than it really was. Though the
beginning of the call may be underwhelming, the technician will stay with you on the
phone until the problem is resolved or some kind of an acceptable resolution is put in
place.
We always encourage people to call PSS if they truly need assistance. But PSS
engineers are not mind readers, nor do they know every bit of Exchange Server code.
You will do both yourself and the PSS engineer a big favor if you have all of your ducks
in a row before you call. Do the following before you call:
Attempt a graceful shutdown and restart of the server in question, if applicable.
Perform a complete backup if possible.
Have a complete, documented history of everything you have done to solve the problem. At the first sign of trouble, you should start keeping a chronological log of the things you did to fix the problem.
Find out if you are allowed to initiate support sessions with remote support personnel through a tool like Skype for Business 2015 or WebEx.
Be at a telephone that is physically at the server's console, or be in a place where you can access the server remotely via the Remote Desktop client. Your support call will be very brief if you cannot immediately begin checking things for the PSS engineer.
Have the usernames and passwords that will provide you with the right level of administrative access. If you don't have those, have someone nearby who can log you in.
Save copies of the event logs. Be prepared to send these to PSS if requested.
Know the location of your most recent backup and how to access it when needed.
Keep copies of all error messages. Don't paraphrase the message. Screen captures work great in this case. Pressing Alt+Print Scrn (or using the Snipping tool) and saving the screen capture as a file works great, too. We usually create a document with screen captures along with notes of what we were doing when we saw each message.
Be patient; telephone support is a terribly difficult job. A little kindness, patience, and
understanding on your part will most certainly be returned by the PSS engineer.
Tools You Should Know
Out of the box, Exchange Server is an excellent product, but sometimes the base
software that you install can use some assistance. Some of these tools are actually
installed with Exchange Server, whereas you may need to download other tools.
PowerShell and the Exchange Management Shell: Even here in the very first chapters, we are extolling the virtues of PowerShell. PowerShell enables some basic Windows management functions, such as managing event logs and services, to be performed via a command-line interface. This interface is simple to use and easy to learn, even for a GUI guy. The Exchange Server team pioneered the adoption of PowerShell when they built the entire Exchange Server 2007 management interface, known as the Exchange Management Shell (EMS), as an extension to PowerShell. Exchange Server 2013 and Exchange Server 2016 continue to follow this pattern.
Although almost every chapter in this book will include at least some information about using EMS to perform Exchange Server management tasks, we have dedicated all of Chapter 5, “Introduction to PowerShell and the Exchange Management Shell,” to helping you learn your way around EMS.
Exchange Management Shell Test Cmdlets: The Exchange Management Shell has a series of command-line tools that are very good for testing and diagnosing problems. These include tools for testing Outlook on the web connectivity, Unified Messaging connectivity, Outlook connectivity, and even mail flow. They are installed when you install the Exchange Server 2016 Management Tools. For more information, at the EMS prompt, enter Get-Excommand test*.
Microsoft Remote Connectivity Analyzer (Previously Exchange Remote Connectivity Analyzer): Available at www.testexchangeconnectivity.com, the Remote Connectivity Analyzer is likely going to be the most useful tool in your troubleshooting arsenal. Initially started as a side project by two Microsoft employees, this website acts as the ultimate connectivity troubleshooting catch-all. The basic troubleshooting scenarios for Exchange Server 2016 (on-premises) are shown in Figure 1.7.
Those of you who have used “analyzers” from Microsoft in the past may remember the Exchange Best Practices Analyzer (ExBPA). The Remote Connectivity Analyzer should not be confused with the ExBPA. In fact, a new version of the ExBPA has not been released for Exchange Server since Exchange Server 2010.
Figure 1.7 Viewing the Microsoft Remote Connectivity Analyzer
The Bottom Line
Understand email fundamentals. To gain the best advantage from Exchange
Server 2016, you should have a good grounding in general email applications and
principles.
Master It
What two application models have email programs traditionally used? Which one
does Exchange Server use? Can you name an example of the other model?
Identify email-administration duties. Installing an Exchange Server system is
just the first part of the job. Once it's in place, it needs to be maintained. Be
familiar with the various duties and concerns that will be involved with the care
and feeding of Exchange Server.
Master It
What are the various types of duties that a typical Exchange Server
administrator will expect to perform?
Chapter 2
Introducing the Changes in Exchange Server 2016
Email clients used to be fairly simple and text based. Email servers had few
connectivity options, no high-availability features, and no integrated directory. Then,
beginning in the mid-1990s, we saw a big push toward providing email service to most
of our user communities. We also saw email go from an occasionally used
convenience to a business-critical tool. Business management and users demanded
more features, better availability, and more connectivity options as the email client
and server evolved.
Microsoft released Exchange Server 4.0 (the first version of Exchange Server) in 1996,
and the product has been evolving ever since. Exchange Server 2016 is the eighth
major release of the Exchange Server family and represents continued evolution of the
product. The features and functions of this new release include not only features
requested from many thousands of Microsoft's customers but also requirements
shared internally at Microsoft by Microsoft Consulting Services and their own IT
department, which supports more than 100,000 mailboxes.
We'll explore how some product features have evolved to this latest release, providing
context for functionalities that were added, removed, modified, renamed, or
reinvented. As of this writing, most Exchange Server customers are still using
Exchange Server 2013 rather than Exchange Server 2016. Therefore, we'll focus on the
changes that have been made to Exchange Server since Exchange Server 2013.
IN THIS CHAPTER, YOU WILL LEARN TO:
Understand the changes in Exchange server architecture
Understand the changes in the Exchange Server roles
Getting to Know Exchange Server 2016
It seems that we approach any new release of Exchange Server with a sense of both
excitement and trepidation. We look forward to the new features and capabilities that
are introduced with a newer version of the product. Certainly, the new site-resiliency
features, compliance functionalities, resource management, management features,
and security features will allow us to deliver better, more reliable messaging services
to our end users.
On the other side of the coin is the feeling that we have to learn a whole new series of
features inside and out so that we can better use them. Sure, we know Exchange
Server 2013 pretty well, but there will be new details to learn with Exchange Server
2016. Sometimes we have to learn these implementation or management details the
hard way.
However, this milestone in the evolution of Exchange Server is a good one. We can't
help but be excited about learning about this new version and sharing what we have
learned. We hope that you will feel the same sense of excitement. We have picked a
top-ten list of new features that we like and hope that you will investigate further as
you start to learn Exchange Server 2016. Some of these are summarized in this
chapter and many of these you will find in more detail in later chapters.
Simplicity of server roles: Mailbox and Edge Transport
Proxy traffic from and to Exchange Server 2016
Outlook on the web (formerly Outlook Web App)
MAPI over HTTP as the default protocol
Document collaboration with SharePoint 2016 and OneDrive for Business
Wizard for hybrid Office 365 environments
New conditions and actions for Data Loss Prevention (DLP) policies
Public folder support for In-Place eDiscovery and In-Place Holds
Compliance Search with eDiscovery
Redesigned architecture for mailbox searches
Learn the Exchange Management Shell (and Wear Sunscreen!)
To those of you who have been around the Internet long enough to remember the
“Wear Sunscreen” email, that was supposedly the 1997 commencement address to
MIT given by Kurt Vonnegut but was in reality a column written by the Chicago
Tribune's Mary Schmich, we give you “Learn the Management Shell (and Wear
Sunscreen)” to help you prepare for Exchange Server 2016, project management
best practices, and the world in general:
If we could offer you one important tip when learning Exchange Server 2016, it would be that you should get to know the Exchange Management Shell (EMS). Sure, it looks intimidating and nearly everything you will ever need to do is in the Exchange Admin Center. Many Exchange Server gurus will back us up on the value and usefulness of the EMS, whereas they might not agree with us on things such as using real-time block lists, making full backups daily, and keeping lots of free disk space available.
Make regular Exchange Server data backups.
Document.
Don't believe everything you read from vendors; their job is to sell you things.
Don't put off maintenance that might affect your uptime.
If you get in trouble, call for help sooner rather than later. A few hundred dollars for a phone call to your vendor or Microsoft Product Support Services is better than a few days of downtime.
Share your knowledge and configuration information with coworkers.
Accept certain inalienable truths: disks will fail, servers will crash, users will complain, viruses will spread, and important messages will sometimes get caught in the spam filter.
Get to know your users and communicate with them.
Implement site resiliency and high availability for mailboxes and for public folder mailboxes.
Make regular backups of your Active Directory.
If a consultant is telling you something that you know in your gut is wrong, double-check their work or run their recommendation by another colleague.
Second opinions and another set of eyes are almost always helpful.
Think twice. Click once.
But trust me on the EMS.
In this chapter, we will cover the features of Exchange Server 2016 not only to give
experienced Exchange Server administrators the proper perspective on Exchange
Server 2016 but also to educate newly minted Exchange Server administrators on just
how powerful Exchange Server has become. Some features we'll discuss in this
chapter aren't brand new, but they are so key to the product and have been so greatly
improved in this release that we are compelled to mention them at the outset.
Exchange Server Architecture
Over the last several releases, a number of significant changes have been made to the
architecture of Exchange Server. These changes positively improve the performance
and scalability of Exchange Server, but they also result in some pretty significant
differences in the platform on which you support Exchange Server.
Windows Server 2012 R2 and Exchange Server 2016
Because of some of the underlying requirements of Exchange Server 2016, you must
run Windows Server 2012 or Windows Server 2012 R2. The following editions of
Windows Server will support Exchange Server 2016:
Windows Server 2012 Standard Edition
Windows Server 2012 Datacenter Edition
Windows Server 2012 R2 Standard Edition
Windows Server 2012 R2 Datacenter Edition
It may also be safe to assume that Exchange Server 2016 will also be supported on
Windows Server 2016. However, at the time of this writing, Windows Server 2016 is
still only available as a technical preview. Because of this, Exchange Server 2016 has
not yet been qualified on Windows Server 2016.
Exchange Server 2016 also has several other requirements. These requirements
include:
Windows Management Framework 4.0
Microsoft .NET Framework 4.5.2
A forest function level of Windows Server 2008 or higher
All domain controllers must be running Windows Server 2008 or later
The supported Outlook clients for Exchange 2016 include:
Outlook 2016 with the latest service packs and updates
Outlook 2013 with the latest service packs and updates
Outlook 2010 with the latest service packs and updates
Outlook for Mac for Office 365
The management tools for Exchange Server 2016 can be installed on a computer that
has one of the following operating systems:
Windows Server 2012 Standard or Datacenter
Windows Server 2012 R2 Standard or Datacenter
Windows 10 64-bit
Windows 8.1 64-bit
Note that Exchange Server 2016 and Exchange Server 2007 cannot coexist in the same
environment.
To install Exchange Server 2016 with Exchange Server 2010, the Exchange Server
2010 server must be running Update Rollup 11 for Exchange 2010 SP3 or later.
To install Exchange Server 2016 with Exchange Server 2013, Exchange 2013
Cumulative Update 10 or later must be installed on all Exchange Server 2013 servers
in the organization.
Server Roles
Exchange Server 2013 had three server roles: the Client Access server role, the Edge
Transport server role, and the Mailbox server role. In Exchange Server 2016, there are
now just two server roles. The Client Access server role has been retired. Now, the two
server roles are the Mailbox server role and the Edge Transport server role. The
Mailbox server role includes all of the components that a Client Access server role
provided with Exchange Server 2013. The Mailbox server role now provides these
services:
Client Access protocols
Transport service
Mailbox databases
Unified messaging
The Edge Transport server role is designed to enable you to deploy a messaging server
in a perimeter network, outside of an Active Directory Domain Services (AD DS)
environment. This assists in minimizing the attack surface of your Exchange
environment. It also assists by adding a point of security for messages that include
viruses and spam, keeping them out of the internal network.
Exchange Server 2016 also gives you the ability to proxy traffic from an Exchange
Server 2013 environment, as well as from Exchange Server 2016 to Exchange Server
2013. This flexibility enables you to control the process of migrating to Exchange
Server 2016, such as with a phased mailbox approach. It is also beneficial for
interoperability between Exchange Server 2013 and Exchange Server 2016 because any
mailbox server can proxy clients to the correct server, regardless of whether the server
is running Exchange Server 2013 or Exchange Server 2016. We talk more about
migrations and interoperability in Chapter 11, “Upgrades and Migrations to Exchange
Server 2016 or Office 365.”
High-Availability Decisions
High-availability decisions do not need to be made at installation time. High
availability for Exchange Server 2016 databases is added incrementally after the
initial deployment of the Mailbox server. There is no clustered Mailbox server
installation option; however, administrators create Database Availability Groups
(DAGs) to implement high availability. High availability is discussed in detail in
Chapter 20, “Creating and Managing Database Availability Groups.” Mailbox
databases can be added to database availability groups at any point in the game.
The databases can be removed from database availability groups as well, as
needed. Essentially, the high-availability decisions can be done incrementally
after a deployment has occurred and reversed if they no longer serve the needs of
the organization. It is important to note that a DAG can contain only servers that
run the same version of Exchange Server. Adding an Exchange Server 2016 to a
DAG that contains Exchange Server 2013 servers is not supported, and vice versa.
The Mailbox Server Role
The Mailbox server role is responsible for so much, yet changes in the architecture
have ensured that it requires few resources to perform all its necessary tasks. We will
discuss, in later chapters, the database benefits with regard to the database schema
and memory utilization in Exchange Server 2016. Recent improvements are designed
to enhance the ability of a Mailbox server to do so much more with so much less.
Another very significant change in the Mailbox server role is the number of Client
Access features that are now handled by this role. In Exchange Server 2016, a Mailbox
server handles the data rendering for client requests, runs all of the client access
protocols, and still maintains all mailboxes.
The Mailbox server role is responsible for the following functionality (this list isn't
exhaustive):
Hosts mailbox databases
Hosts public folder database
Provides transport-related services, including proxying (note that transport was originally handled by a Hub Transport server role that went away in Exchange Server 2013)
Provides client connectivity for all clients (note that client access was handled by the Client Access server role in Exchange Server 2013 but is now handled by the Mailbox server role in Exchange Server 2016)
The Edge Transport Server Role
The amount of spam, malicious email, and viruses that some organizations receive is
staggering. Even small organizations are receiving tens of thousands of pieces of
spam, dozens of viruses, and hundreds of thousands of dictionary spamming attacks
each week. Some organizations estimate that more than 90 percent of all inbound
email is spam or other unwanted content. Keeping this unwanted content away from
your Exchange servers is important. A common practice for messaging administrators
is to employ additional layers of message hygiene and security. The first layer is
usually some type of appliance or third-party SMTP software package that is installed
in the organization's perimeter network. The problem with these third-party utilities is
that the administrator has to become an expert on an additional technology. An easier
method that some organizations choose is to use a cloud-based solution. The
Exchange Online Protection (EOP) service from Microsoft is a popular cloud-based
message protection solution.
Exchange Server 2016 includes a server role named Edge Transport. The role remains
similar to the role from Exchange Server 2010 and Exchange Server 2013. The Edge
Transport server role is recommended for perimeter networks outside of an AD DS
environment. Although it is possible to install the Edge Transport role on a domain
server, none of the Exchange services used for Edge Transport require AD DS. The
Edge Transport server role uses Active Directory Lightweight Directory Services (AD
LDS) to store configuration and recipient information.
An Edge Transport server will handle all inbound and outbound messaging traffic for a
Mailbox server. This includes mail relay and smart host services for the Exchange
environment. You can deploy multiple Edge Transport servers to enable redundancy
and failover capabilities in the perimeter network. You can also load balance incoming
messages by distributing the SMTP traffic to multiple Edge Transport servers.
Is the Edge Transport Server Role Required?
A common misconception is that the Edge Transport role is required for an
Exchange Server organization. This is not the case, especially for organizations
that choose to use a cloud-based message protection solution. Inbound email can
be sent directly to the Mailbox server, or you can continue to use your existing
third-party antispam/message-hygiene system to act as an inbound message relay
for Exchange Server.
The Edge Transport server is a stand-alone message transport server that is managed
using the EMS and the same basic management console that is used to manage
Exchange Server 2016. A server functioning in an Edge Transport role should not be a
member of the organization's internal Active Directory domain, although it can be part
of a separate management forest used in a perimeter network.
Content filtering and Microsoft Forefront Security for Exchange are implemented on
the Edge Transport server through content filtering and other antispam features. You
can also run the features on the mailbox server if you do not have Edge Transport
servers.
An example of how an organization might deploy an Edge Transport server is shown
in Figure 2.1. Inbound email is first delivered to the Edge Transport servers that are
located in the organization's perimeter network, where the message is inspected by
the content filter, Forefront Security for Exchange, and any message transport rules.
The inbound message is then sent on to the internal servers. Additionally, the
Exchange Server Mailbox servers are configured to deliver mail leaving the
organization to the Edge Transport servers rather than configuring the internal
servers to deliver mail directly to the Internet.
Figure 2.1 Deploying an Edge Transport server
The Edge Transport server is a fully functional SMTP message-hygiene system with
many of the same features that are found in expensive message-hygiene software
packages and appliances. The following features are included:
Per-user safe-sender, safe-recipient, and blocked-sender lists are automatically replicated from the user's mailbox to the Edge Transport server. Recipient filtering is enabled when valid recipients are synchronized to the Edge Transport server's local Active Directory Lightweight Directory Services (AD LDS) database.
Sender and recipient filtering can be configured via administrator-controlled lists.
Integrated Microsoft content filter is included for spam detection. Spam can be rejected, deleted, quarantined, or delivered to the user's Junk email.
Multiple message-quarantines allow messages that are highly likely to be spam to be quarantined and sent to a quarantine mailbox on your Exchange server. A separate quarantine exists in the form of the user's Junk email folder for messages that are still tagged as spam but with a lower Spam Confidence Level.
Microsoft Forefront Security for Exchange Server is available for the Edge Transport server when Enterprise client access licenses are used. However, this will be a short-lived solution, since Microsoft has announced that the entire suite of Forefront products is being decommissioned. Instead, many organizations use EOP or another third-party solution.
Daily content filter and virus signature updates are available for organizations using Microsoft Forefront Security for Exchange Server.
Real-time block lists and the IP Reputation Service allow an IP address to be checked to see if it is a known source of spam. Reputation filters can be updated on a daily basis.
Sender ID filters allow for the verification of the mail server that sent a message and whether it is allowed to send mail for the message sender.
Sender reputation filters allow a sender to be temporarily placed on a block list based on characteristics of mail coming from that sender, such as message content, sender ID verification, and sender behavior.
Client Connectivity
With Exchange Server 2013, Outlook clients connected to the Exchange Server by
using RPC over HTTP (Outlook Anywhere). This enabled Outlook to connect to an
Exchange server, regardless of its location, by using the Outlook Anywhere service.
Beginning with Exchange Server 2016, Outlook clients connect to the Exchange server
by using MAPI over HTTP. RPC over HTTP is still available, but is officially
de-emphasized (meaning that it may not be included in future releases of Exchange
Server). MAPI over HTTP is the default communication method between the client
and the server.
MAPI over HTTP increases reliability and stability of the client connection. This
protocol enables a higher level of visibility to errors that might occur between the
client and server, as well as enhanced recoverability. MAPI over HTTP also includes
support for a pause and resume function, which enables the clients to change
networks while maintaining a connection to the Exchange Server. MAPI over HTTP
can also reduce the total number of client connections, which can be helpful from a
performance perspective.
While MAPI over HTTP is the default connection protocol for new Exchange Server
2016 environments, if you install Exchange Server 2016 in an environment with
Exchange Server 2013, the protocol will not be used automatically. This is because
MAPI over HTTP is not enabled by default in Exchange Server 2013 and was
introduced with Exchange Server 2013 Service Pack 1.
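For the coexistence case just described, the following added example (not from the book) reports whether MAPI over HTTP is actually in effect. It assumes it is run in the Exchange Management Shell and that every Exchange Server 2013 server is at Service Pack 1 or later; the function name Get-MapiHttpReadiness is hypothetical.

```powershell
# Added example, not from the book. Run in the Exchange Management Shell.
# Get-MapiHttpReadiness is a hypothetical helper name chosen for this example.

function Get-MapiHttpReadiness {
    # Organization-wide switch. When this is not $true, Outlook clients keep
    # using RPC over HTTP (Outlook Anywhere) even if Exchange 2016 is installed.
    $org = Get-OrganizationConfig

    # MAPI virtual directories. Clients need a URL to reach, so an empty
    # InternalUrl or ExternalUrl is reported as a finding. The authentication
    # methods are listed so they can be reviewed against your own policy.
    $vdirs = Get-MapiVirtualDirectory | ForEach-Object {
        [pscustomobject]@{
            Server      = $_.Server
            InternalUrl = $_.InternalUrl
            ExternalUrl = $_.ExternalUrl
            AuthMethods = ($_.IISAuthenticationMethods -join ', ')
            MissingUrl  = (-not $_.InternalUrl) -or (-not $_.ExternalUrl)
        }
    }

    # Per-mailbox overrides. $null means "follow the organization setting";
    # $true or $false overrides it for that one mailbox.
    $overrides = Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $null -ne $_.MapiHttpEnabled } |
        Select-Object Name, MapiHttpEnabled

    [pscustomobject]@{
        OrgMapiHttpEnabled = $org.MapiHttpEnabled
        VirtualDirectories = $vdirs
        MailboxOverrides   = $overrides
    }
}

$report = Get-MapiHttpReadiness
$report.VirtualDirectories | Format-Table -AutoSize
$report.MailboxOverrides   | Format-Table -AutoSize

if ($report.OrgMapiHttpEnabled -ne $true) {
    Write-Warning 'MAPI over HTTP is not enabled for the organization; clients will use RPC over HTTP.'
    # After confirming the virtual directory URLs above, enable it with:
    # Set-OrganizationConfig -MapiHttpEnabled $true
}
```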
Hybrid Improvements
Exchange Server 2016 can be implemented with Office 365 for a hybrid on-premises
and cloud-based service. When configuring a hybrid organization with Exchange 2016,
you will be prompted to download the Hybrid Configuration Wizard. This wizard is
included to assist configuring the hybrid environment.
The wizard has been updated for Exchange Server 2016 to include the following
features:
Easy updates for changes in Office 365 services
Assists in troubleshooting a hybrid environment configuration
Improved diagnostic information to resolve problems
Support for both Exchange Server 2013 and 2016 hybrid environments
Hybrid deployments should be performed by using Azure Active Directory Connect
(AAD Connect). AAD Connect provides functionality to synchronize multiple
on-premises AD DS forests with a single Office 365 account.
In a hybrid environment, Exchange ActiveSync clients will be automatically directed to
Office 365 if the user's mailbox is moved to the cloud. To support this automatic
redirection, the ActiveSync client must support HTTP 451 redirects. After the client
has been redirected, the Exchange profile on the device will be updated to use the new
URL of the Exchange Online service. At this point, the client will not contact the
on-premises environment for mailbox information.
OneDrive for Business Integration
With Exchange Server 2016 and SharePoint 2016, Outlook on the web users can link
to and share documents that are stored in OneDrive for Business or on an
on-premises SharePoint server. Instead of attaching a file to an email message, users can
link to documents directly from Outlook on the web. Users can collaborate in an
on-premises deployment just as they can with Office 365.
If a user receives a Word, Excel, or PowerPoint file that is stored in OneDrive for
Business or SharePoint 2016, the recipient can view and edit the file directly from
Outlook on the web. For an on-premises environment, a server must be running
Office Online Server, which is in preview at the time of this writing, in the
on-premises organization.
After editing the file within Outlook on the web, the recipient can save or upload the
file to OneDrive.
Performance
The new architecture of Exchange Server 2016 combines the core features into a
single server role. As part of that architecture, the search functionality has also been
redesigned. In previous versions of Exchange Server, the searching functions were not
fault-tolerant and were performed synchronously. In Exchange Server 2016, searching
is performed asynchronously and is decentralized. Search functions are distributed
across all Exchange Servers in the organization, and retries are attempted if servers
are too busy.
The search scalability has also been improved. Previously, up to 5,000 mailboxes
could be searched simultaneously from the web app. With Exchange Server 2016, this
has increased to 10,000 mailboxes. When using the EMS, there is no limit to the
number of mailboxes that can be searched.
Improved Policy and Compliance Features
Exchange Server 2016 has made significant improvements to both Data Loss
Prevention (DLP) and eDiscovery.
Data Loss Prevention (DLP)
In Exchange Server 2016, transport rules have been updated with several new
predicates and actions. Also, the coolest new feature to hit transport rules is DLP
policies. DLP policies are designed to prevent users from sharing sensitive
information with unauthorized users.
Every transport rule has three components: conditions, actions, and exceptions. The
conditions specify under which circumstances the rule applies, whereas the exceptions
specify under which conditions it will not apply. Exchange Server 2016 has the ability
to identify, monitor, and protect 80 different types of sensitive information based on
conditions and actions.
A new condition, “Any attachment has these properties, including any of these words,”
will cause a trigger if an attached Office document contains the defined words. This
condition enables you to integrate the transport rules with SharePoint, Windows
Server 2012 R2 File Classification Infrastructure, or a third-party classification
system.
A new action, “Notify the recipient with a message,” will send a customizable message
to the recipient. For example, you can notify the recipient if the email was rejected or
quarantined based on the contents.
The existing action “Generate incident report and send it to” has been updated so that
the report can be messaged to multiple distribution lists.
The actions are the interesting part of the transport rule. Figure 2.2 shows the
conditions on the New Rule window of the Transport Rule Wizard; this screen has
three parts. The first part is checking on which object to take action, the second is
simply checking the actions to take, and the third part specifies more details about the
action.
Figure 2.2 Examining a transport rule
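The attachment-property condition, the recipient notification, and the incident report described above can also be set from the EMS. The following is an added example, not from the book; the rule name, the classification property and word, the notification text, and the incident mailbox address are constructed placeholders. The rule is created in Audit mode so that its matches can be reviewed before anything is enforced.

```powershell
# Added example, not from the book. Run in the Exchange Management Shell.
# All values below are constructed placeholders; replace them with your own.
$ruleName        = 'Audit - outbound attachments classified Confidential'
$incidentMailbox = 'dlp-incidents@example.com'

# Do not create a duplicate if the rule already exists.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Write-Warning "Transport rule '$ruleName' already exists; nothing created."
    return
}

$ruleParams = @{
    Name                            = $ruleName
    # Condition: "Any attachment has these properties, including any of these
    # words". The value uses the "PropertyName:Word" form; the property is
    # whatever your classification system stamps on Office documents.
    AttachmentPropertyContainsWords = 'Classification:Confidential'
    # Only messages addressed to recipients outside the organization.
    SentToScope                     = 'NotInOrganization'
    # Action: "Notify the recipient with a message".
    GenerateNotification            = 'A message from %%From%% with subject "%%Subject%%" matched the attachment classification policy.'
    # Action: "Generate incident report and send it to".
    GenerateIncidentReport          = $incidentMailbox
    IncidentReportContent           = 'Sender', 'Recipients', 'Subject', 'RuleDetections'
    # Audit records what the rule would do without affecting delivery.
    Mode                            = 'Audit'
    Comments                        = 'Pilot rule; review matches before switching Mode to Enforce.'
}
New-TransportRule @ruleParams

# Confirm what was stored.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, AttachmentPropertyContainsWords, SentToScope, GenerateIncidentReport

# Once the audit results look right:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```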
eDiscovery and Public Folders
The market for third-party tools to support Exchange Server has grown rapidly. At one
point, there were more than 60 third parties providing email archive solutions for
Exchange Server. The sheer volume of email that users receive and their demand to
keep historical email have made these tools very attractive.
Exchange Server 2010 introduced, and Exchange Server 2016 continues, a premium
feature that allows for the integration of email archiving. The email archiving feature
is actually a series of features that interact directly with the user's mailbox:
Archive Mailbox
An archive mailbox is a secondary mailbox for a user that is used to store long-term
email (archive email). An archive mailbox can be used in place of .pst files. Users can
copy email messages from their primary mailbox to their archive mailbox. Archive
mailboxes help users deal with large volumes of email while staying within mailbox
size limits. The archive mailbox is defined on a user-by-user basis because not all
users need an archive mailbox. The content in the archive mailbox can be accessed by
users using the Outlook 2010 or later client or Outlook on the web.
Retention Policies
Retention policies define the types of mail and how long the mail can be retained
within the user's primary mailbox. Retention policies take the place of messaging
records management (MRM) in Exchange Server 2007 and Exchange Server 2010.
Retention policies can be defined to control when items are permanently deleted or
when they are moved into the archive mailbox. With Outlook 2010 or later, end users
can participate in the retention process by applying retention tags to messages or an
entire folder.
eDiscovery (aka Multi-Mailbox and Federated Search)
The eDiscovery feature enables an authorized user to search for content across
multiple data sources (both the user's “active” mailbox as well as their “personal
archive mailbox”) within an organization. You are able to search for information
across Exchange, SharePoint, and Skype for Business archives, as well as use the
eDiscovery Center in SharePoint 2013 to search for content in Exchange Server.
Discovery managers can also export mailbox content to a .pst file from the
SharePoint 2013 eDiscovery console. You can opt to use the Exchange Admin
Center (EAC) to perform eDiscovery or opt to use SharePoint's eDiscovery Center.
The eDiscovery Center offers some expanded capabilities, such as the ability to
search and preserve content across multiple sources from a single console.
Exchange Server 2016 also introduces support for integrating public folders into
eDiscovery. With In-Place eDiscovery, you can query public folders in the
organization and put holds on public folders. Similar to placing a mailbox on hold,
public folders support query-based and time-based holds. As of this writing, you
can only search and hold all public folders. The ability to choose individual public
folders to search and hold is expected in a later release.
In-Place Hold
In-Place Hold enables an administrator to place a hold on a user's mailbox so that
deleted and edited items are held during the hold period. This would be necessary in
the event of legal action or an investigation regarding the conduct of one or more of
your users.
Ultimately, the Exchange Server 2016 archiving and retention policies are intended to
replace the messaging records-management features that were introduced in
Exchange Server 2007.
eDiscovery and Compliance Search
A new feature of eDiscovery in Exchange Server 2016 is Compliance Search.
Compliance Search is performed from the EMS, so there is no limit to the number of
mailboxes that can be searched. For In-Place eDiscovery, you can search up to 10,000
mailboxes with a single search. Each Exchange Server organization can run up to two
In-Place eDiscovery searches simultaneously.
To perform a Compliance Search, you must be assigned the Mailbox Search
management role or be a member of the Discovery Management role group. The new
EMS cmdlets available with Compliance Search are
Get-ComplianceSearch
New-ComplianceSearch
Remove-ComplianceSearch
Set-ComplianceSearch
Start-ComplianceSearch
Stop-ComplianceSearch
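The cmdlets listed above fit together as one workflow: confirm who holds the required role, create the search, start it, wait for it to finish, and read the result. The following is an added example, not from the book; the search name and the query text are constructed placeholders.

```powershell
# Added example, not from the book. Run in the Exchange Management Shell.
# The search name and query are constructed placeholders.
$searchName = 'Case-0001 reported message sweep'
$query      = 'subject:"Invoice overdue" AND received>=01/01/2016'

# 1. Review who can run searches: holders of the Mailbox Search role and
#    members of the Discovery Management role group. Search rights expose
#    mailbox content, so this list should be short and expected.
Get-ManagementRoleAssignment -Role 'Mailbox Search' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName |
    Sort-Object EffectiveUserName -Unique
Get-RoleGroupMember -Identity 'Discovery Management' | Select-Object Name, RecipientType

# 2. Create the search across all mailboxes and start it.
New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query
Start-ComplianceSearch -Identity $searchName

# 3. The search runs asynchronously; poll until it completes or 30 minutes pass.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
    Write-Host "Status: $($search.Status)"
} while ($search.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

# 4. Report the outcome: number of matching items and their total size.
if ($search.Status -eq 'Completed') {
    $search | Format-List Name, Status, Items, Size, ContentMatchQuery
} else {
    Write-Warning "Search did not complete in time (last status: $($search.Status))."
    # Stop-ComplianceSearch -Identity $searchName
}

# 5. Remove the search definition when the case no longer needs it.
# Remove-ComplianceSearch -Identity $searchName -Confirm:$false
```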
Message Transport Rules
Message transport rules are quite similar to Outlook rules and can even be created
using a wizard similar to the one used to create Outlook rules. However, these rules
are quite a bit more powerful and are run on Mailbox servers. Because all messages
are processed by a Mailbox server regardless of whether they are inbound, outbound,
or for local delivery, you can build powerful policies to control the messages and data
that flow within your organization. Transport rules can also be defined at your
organization's perimeter by using the Edge Transport server role in Exchange Server
2016.
New and Improved Outlook on the Web
Those of us who gushed when we saw the Outlook Web Access (OWA) interface in
Exchange 2003 thought a web interface could not get much better. For Outlook on the
web in Exchange 2013, the Exchange team started over from scratch to build a much
more functional interface than ever before. For Exchange 2016, it has been updated
and enhanced further! First, the name has changed! The new name is Outlook on the
web. Here are some of the features in Outlook on the web:
Platform-specific experiences for iOS and Android
Premium Android experience with Chrome on Android version 4.2 or later
Email improvements to the Inbox view and reading pane
Contact linking with LinkedIn
Updated calendar, including email reminders
Search suggestions
Thirteen new themes
Preview URL links within messages
Inline video playback from URLs
Document collaboration with SharePoint 2016 and OneDrive for Business
Overview of Changes Since Exchange Server 2013
Since Exchange Server 2013, the primary changes to Exchange Server 2016 are
Combined services (HT, CAS, MBX) in the Mailbox server role
Integration with OneDrive and SharePoint 2016
Additional policy and compliance features
Outlook Web App redesigned as Outlook on the web
These are the key feature differences since Exchange Server 2013 and have been
discussed in this chapter. Knowing some of the changes and introduction of features
can be half of the battle to upgrading your knowledge on a newly released product.
Now, Where Did That Go?
As new and better functions and APIs have been introduced, naturally some functions
are no longer emphasized or supported. We've already mentioned a few features that
have been removed, but there are many more. There has been a lot of confusion
surrounding what will continue to be supported in Exchange Server 2016 and what
will no longer work. The phrase “no longer supported” itself tends to generate a lot of
confusion because an unsupported function may continue to work because it has not
truly been removed. Your mileage may vary when it comes to features that are no
longer supported.
What's been removed from Exchange Server really depends on your perspective. Are
you an Exchange Server 2010 expert? Is Exchange Server 2013 your comfort zone?
We've broken down the next section of removed features based on your perspective.
Features No Longer Included
As Exchange Server has evolved into its current form, the code has experienced
significant changes. Some features and APIs have been completely removed. Although
most of these features will not affect the majority of Exchange Server deployments,
you should keep them in mind and thoroughly evaluate your existing messaging
environment to make sure you are not dependent on a feature that has no equivalent
in Exchange Server 2016. If you require any of the features or APIs that were not
carried over from Exchange Server 2010 or 2013, you may need to keep an older
version of Exchange Server in operation.
Exchange Server 2016 Eschews Exchange Server 2007
Only Exchange Server 2010 and Exchange Server 2013 can coexist with Exchange
Server 2016 in the same organization. If you still require features provided by the
Exchange Server 2007 platform, you will not be able to transition to Exchange
Server 2016 until you can replace that particular feature requirement with newer
software.
Exchange Server 2010 Features Removed from Exchange Server 2016
The following features were included with Exchange Server 2010 but are no longer
available in Exchange Server 2016:
Unified Messaging directory lookups using Automatic Speech Recognition.
Managed Folders for messaging retention management, including the Port Managed Folder Wizard.
Antispam agents from the GUI. With Exchange Server 2016, antispam can be managed only from the EMS.
Connection and Attachment filtering on Mailbox server roles. The only way to enable Connection Filtering is to use an Edge Transport server in a perimeter network.
The ability to link a send-and-receive connector has been removed.
Outlook Web App has been renamed to Outlook on the web. Additionally, spell check, customizable filters, message flags, chat contact lists, and search folders have been removed from the web client.
Outlook 2003 and 2007 are not supported. Outlook clients must use either Outlook Anywhere (RPC over HTTP) or MAPI over HTTP.
The Exchange Management Console and Exchange Control Panel have been replaced by the Exchange Admin Center.
The Hub Transport and Unified Messaging server roles have been removed. Both server roles are included as features in the Mailbox server role.
Exchange Server 2013 Features Removed from Exchange Server 2016
The following features are being de-emphasized with Exchange Server 2016 and may
not be included in future versions:
Third-party replication APIs.
RPC over HTTP for client connections.
Database Availability Group support for failover cluster administrative access points.
Client Access server role. The functions of this role have been included in the Mailbox server role.
The MAPI/CDO library has been replaced by Exchange Web Services, ActiveSync, and REST APIs.
Clearing Up Some Confusion
We mentioned earlier that Exchange has certainly been hyped a lot during the design
and beta-testing process. This has generated a lot of buzz in the information
technology industry, but this buzz has also generated a lot of confusion and some
misinformation. Here we'll clear up the confusion by answering a few of the common
questions about Exchange 2016.
Do I have to have two servers to run each of the server roles? In the days
of Exchange Server 2010, many organizations deployed different roles to different
servers in large organizations. Many administrators reserved the consolidated
server approach for small environments. However, the performance capabilities of
Exchange Server 2016 surpass the previous versions to such an extent that all
services are run within the Mailbox server role.
Is there a 32-bit version of Exchange Server 2016? No, a 32-bit version of
Exchange Server 2016 is not available.
Is the Edge Transport server required? No, Edge Transport servers are not
required. You can use any third-party message-hygiene system in your perimeter
network, you can direct inbound and outbound mail through your internal servers,
or you can do both.
Is EMS knowledge required? Do I have to learn scripting? Most common
administrative tasks can be performed through the Exchange Admin Center web-based
interface. Command-line management and scripting for Exchange Server
2016 have been greatly improved through the use of the EMS. Many tasks are
simpler or more powerful through the EMS, but it is not necessary to learn
scripting in order to start working with Exchange Server 2016. We strongly
encourage you to get to know many of the powerful features of the EMS as you get
comfortable with Exchange Server 2016. A number of advanced administration
tasks do not have a graphical user interface option.
What is happening with public folders? The use of public folders with
Exchange Server 2016 is still available and supported. However, for years, there
has been talk about moving away from public folders, potentially removing support
for them at some point. At the time of this writing, there isn't any information to
indicate that this is coming soon (or coming at all). But you may want to examine
your public folder applications with an eye toward migrating them to systems such
as Microsoft SharePoint Server 2016 to take advantage of the latest collaboration
features. Also, remember that the traditional public folder databases are no longer
available in Exchange Server 2016 and that you must now store all public folders in
a public folder mailbox.
The Bottom Line
Understand the key changes in Exchange Server 2016. Significant updates
were made to the Exchange Server 2016 architecture to continue the improvement
to the scalability, security, and stability. The Mailbox role handles mailboxes,
public folders, transport, and client connectivity. Compliance features, such as
compliance search and eDiscovery, are greatly enhanced and simplified. The disk
I/O requirements continue to be reduced, enabling organizations to run their
Exchange servers on lower-performing storage.
Master It You are planning your email data storage strategy, especially for
long-term storage. You want to minimize or eliminate the use of .pst files.
Which technology should you use to maintain email data indefinitely?
Understand the Mailbox role's expanded duties. Over the last couple of
versions of Exchange Server, the Exchange server roles have been updated. In each
version, a server role was consolidated, enabling organizations to reduce their
server footprint and simplify their environments.
Master It You are planning a training session for your junior administrators to
prepare them in their SMTP connectivity troubleshooting tasks. Which server
role should you recommend they inspect when attempting to troubleshoot
email delivery problems?
Chapter 3
Understanding Availability, Recovery, and Compliance
The modern business world is getting more complex, not less; email in turn evolves to
keep up. As an Exchange Server administrator or implementer, you need to know
more about a wider variety of topics without losing your core competency in Exchange
Server.
IN THIS CHAPTER, YOU WILL LEARN TO:
Distinguish between availability, backup and recovery, and disaster recovery
Determine the best option for disaster recovery
Distinguish between the different types of availability meant by the term high
availability
Implement the four pillars of compliance and governance activities
Changing from a Technology to a Business Viewpoint
You've probably heard the old proverb that “every cloud has a silver lining.” It can be a
comfort to know that good can usually be found during even the worst occasions.
When a mailbox database server's RAID controller goes bad and corrupts the drive
array containing the executive mailboxes, you have the opportunity to validate your
backup strategy and demonstrate that it works perfectly under pressure.
However, the unacknowledged corollary is Murphy's Law: “Anything that can go
wrong will go wrong.” Every feature, functionality, and component that is added to a
messaging infrastructure increases complexity and the number of potential failures. If
you think for a moment about the spread of email and how it has changed from a
luxury to a utility, you can see that electronic messaging administrators have become
victims of their own success.
Gone are the days where you simply had to worry about editing and publishing the
correct DNS records for your domains, provisioning and configuring your T1 routers,
and wrestling with server hardware. Today's challenges involve meeting more goals,
supporting more complex environments, meeting business requirements, and
analyzing risks. These are common scenarios:
Ensuring that mailbox servers have the proper storage back-end design to allow
backups to happen within a defined window
Ensuring that your users continue to have access to their mailboxes even when a
server fails, a flaky router takes a site offline, or power fails for an entire rack of
servers
Ensuring that a plan exists for quick recovery and restoration of your core
messaging capabilities when the storage is offline or corrupt
Ensuring that the messages users send to external clients are in compliance with
all business policies and regulations
Determining the risks associated with failing to provide disaster-recovery plans
and the risks associated with a failure to meet service-level agreements
Balancing business costs versus risks associated with providing recovery, ensuring
compliance, and providing a specified level of service
What's in a Name?
Backup and recovery, high availability, disaster recovery, and compliance and
governance—you have likely heard of these many times. Each plays a role in the
overall protection strategy for your organization's data.
Each of these topics must be evaluated by every modern Exchange Server
administrator and professional, along with appropriate business stakeholders, even if
they are not actively addressed in every deployment of Exchange Server 2016. When
you do need to address them in your planning, Exchange Server 2016 provides a
variety of options to ensure that the deployment meets the particular needs of your
business. One size and one set of capabilities do not fit all organizations. To make the
best use of the tools that Exchange Server gives you, you must clearly understand the
problems that each capability is designed to solve. It doesn't help to use a screwdriver
when you need a hammer—and you can't solve a disaster-recovery problem by using
an eDiscovery search.
In this section, a common vocabulary will be presented for discussing these topics.
This will enable you to get the most from our discussions of the new features and
functionality in Exchange Server 2016 that are covered in later chapters. You should
clearly understand how Microsoft intended Exchange Server 2016's features to be
deployed and used, so that you have confidence that they will meet your business
goals.
Backup and Recovery
Let us begin with a topic that is one of the core tasks for any IT administrator, not just
Exchange Server administrators: backup and recovery.
Backup is the process of preserving one or more point-in-time copies of a set of data,
regardless of the number of copies, frequency and schedule, or media type used to
store them.
As an administrator, you need to make sure your backups include all of the
components you need to get Exchange Server services up and running again. That
means more than just the databases. You should also consider the following
components:
Active Directory Domain Services. Exchange Server relies on Active Directory,
so it is critical that Active Directory is highly available and backed up. Your Active
Directory administrators probably handle this. But no matter who handles it, you
should ensure that the backups are in place.
Operating system for the Exchange servers (System State as a
minimum). Prior to virtualization, backing up the Exchange server operating
systems was quite important because building a new physical server (or rebuilding
a physical server) from scratch was time-consuming. Today, with virtualization,
building a new server is quite fast. Some organizations opt to deploy new servers
and forgo the backup of the operating system for some servers. However, without a
backup of the operating system or system state, you will lose customizations such
as in IIS and the Registry.
File system. The file system has log files, configuration files, and other data that
can be helpful in a disaster-recovery situation.
Database and database log files. The Exchange databases are a critical piece of
your backups because all of the email data is stored in the databases!
As you can see, backing up all of the components can quickly become complicated. It
is important to have the right backup tools at your disposal. As part of your
disaster-recovery planning, you should look at the available tools, including third-party tools,
to figure out which tools best meet your requirements and provide the best
administrative experience.
With Exchange Server, there are four main types of database backups:
Full Backups (Normal) Full backups capture an entire set of target data; in
early versions of Exchange Server, this is a storage group with the transaction log
files and all the associated mailbox databases and files. Beginning with Exchange
Server 2010 and continuing in Exchange Server 2013 and Exchange Server 2016,
each mailbox database is a separate backup target, since there is now an enforced
1:1 relationship between mailbox databases and transaction logs (it was “strongly
recommended” in earlier versions). Full backups take the most time to perform
and use the most space. If circular logging is disabled for a mailbox database, full
backups must be executed on a regular basis. A successful full backup informs
Exchange Server that the databases and transaction logs have been preserved and
that saved transaction logs can be purged. Circular logging will be discussed in
more depth later.
Copy Backups Copy backups are exactly like full backups, except that saved
transaction logs are not purged.
Incremental Backups Incremental backups capture only a partial set of the
target data—specifically, the data that has changed since either the last full backup
or the last incremental backup. For Exchange Server, this means any new
transaction logs. Incremental backups are designed to minimize how often full
backups are performed, as well as minimize the space used by any particular
backup set. As a result, a backup set that includes incremental backups can be
more time-consuming and fragile to restore; successful recovery includes first
recovering the latest full backup and then each successive incremental backup.
Incremental backups also instruct Exchange Server to purge the saved transaction
logs after the backup is complete. Incremental backups are not available when
circular logging is enabled.
Differential Backups Differential backups also capture only a partial set of the
target data—specifically, the data that has changed since the last full backup. No
other backups (incremental or differential) are considered. For Exchange Server,
this means any transaction logs generated since the last full backup. Differential
backups are designed to minimize how many recovery operations you have to
perform in order to fully restore a set of data. In turn, differential backups use
more space than incremental backups, but they can be recovered more quickly and
with fewer opportunities for data corruption; successful recovery includes first
recovering the latest full backup and then the latest differential backup. A
differential backup does not purge saved transaction logs. Differential backups are
not available when circular logging is enabled.
Also known as restoration, recovery is the process of taking one or more sets of the
data preserved through backups and making it once again accessible to administrators,
applications, and/or end users. Most recovery jobs require the restoration of multiple
sets of backup data, especially when incremental and differential backups are in use.
Two metrics are used to determine if the recovery time and the amount of data
recovered are acceptable:
Recovery Time Objective Recovery Time Objective (RTO) is a metric commonly
used to help define successful backup and restore processes. The RTO defines the
time window in which you must restore Exchange Server services and messaging
data after an adverse event. You may have multiple tiers of data and service, in
which case it could be appropriate to have a separate RTO for each tier. Often, the
RTO is a component of (ideally, an input into, but that's not always the case) your
service-level agreements. As a result, the RTO is a critical factor in the design of
Exchange Server mailbox-database storage systems; it's a bad idea to design or
provision mailbox databases that are larger than you can restore within your RTO.
Recovery Point Objective Recovery Point Objective (RPO) is a metric that goes
hand in hand with the RTO. While the RTO measures a time frame, the RPO sets a
benchmark for the maximum amount of data (typically measured in hours) you
can afford to lose. Again, multiple tiers of service and data often have separate
RPOs. The RPO helps drive the backup frequency and schedule. It's worth noting
that this metric makes an explicit assumption that all data within a given category
is equally valuable; that's obviously not true, which is why it is important to
properly establish your categories. Remember, though, if you have too many
classes or categories, you'll just have confusion.
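The RPO check described above, as an added PowerShell example that is not from the book: it compares each database's newest recorded backup with an RPO and flags circular logging, which rules out incremental and differential backups. The function name Test-BackupRpo, the sample databases and the 24-hour RPO are constructed for illustration; the property names follow what Get-MailboxDatabase -Status returns.

```powershell
# Added example: audit backup recency against a Recovery Point Objective (RPO).
# Assumption: data at risk is approximated by the age of the newest recorded backup.

function Test-BackupRpo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Database,
        [Parameter(Mandatory)] [timespan] $Rpo,
        [datetime] $Now = (Get-Date)
    )
    process {
        # Collect whichever backup timestamps are populated; types never run are $null.
        $stamps = @(
            $Database.LastFullBackup
            $Database.LastIncrementalBackup
            $Database.LastDifferentialBackup
            $Database.LastCopyBackup
        ) | Where-Object { $null -ne $_ }
        $latest = $stamps | Sort-Object | Select-Object -Last 1

        $findings = @()
        if ($null -eq $latest) {
            $findings += 'No backup recorded'
        } elseif (($Now - $latest) -gt $Rpo) {
            $findings += 'Newest backup is older than the RPO'
        }
        if ($Database.CircularLoggingEnabled) {
            # Incremental and differential backups are not available with circular logging.
            $findings += 'Circular logging enabled: no incremental or differential backups'
        }

        [pscustomobject]@{
            Name         = $Database.Name
            LatestBackup = $latest
            AgeHours     = if ($null -ne $latest) { [math]::Round(($Now - $latest).TotalHours, 1) } else { $null }
            WithinRpo    = ($null -ne $latest) -and (($Now - $latest) -le $Rpo)
            Findings     = $findings -join '; '
        }
    }
}

# Constructed sample objects shaped like Get-MailboxDatabase -Status output.
$now = [datetime]'2016-03-10 09:00'
$sample = @(
    [pscustomobject]@{
        Name = 'DB01'; CircularLoggingEnabled = $false
        LastFullBackup = [datetime]'2016-03-06 01:00'
        LastIncrementalBackup = [datetime]'2016-03-10 01:00'
        LastDifferentialBackup = $null; LastCopyBackup = $null
    }
    [pscustomobject]@{
        Name = 'DB02'; CircularLoggingEnabled = $true
        LastFullBackup = [datetime]'2016-03-06 01:00'
        LastIncrementalBackup = $null
        LastDifferentialBackup = $null; LastCopyBackup = $null
    }
    [pscustomobject]@{
        Name = 'DB03'; CircularLoggingEnabled = $false
        LastFullBackup = $null; LastIncrementalBackup = $null
        LastDifferentialBackup = $null; LastCopyBackup = $null
    }
)

$sample | Test-BackupRpo -Rpo (New-TimeSpan -Hours 24) -Now $now | Format-Table -AutoSize

# On an Exchange server, feed it live data instead of the sample:
#   Get-MailboxDatabase -Status | Test-BackupRpo -Rpo (New-TimeSpan -Hours 24)
```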
One thing to note about Exchange Server 2016 databases is that they support only
online backups and restores created through the Windows Volume Shadow Copy
Service (VSS). VSS provides several advantages compared to other backup methods,
including the ability to integrate with third-party storage systems to speed up the
backup and recovery processes. The most important benefit VSS gives, though, is that
it ensures that the Exchange Server information store flushes all pending writes
consistently, ensuring that a backup data set can be cleanly recovered.
We will use the phrase “backup set” several times. A backup set is a copy of all of the
various backups that are required to perform a particular recovery. This will almost
always include at least the last full backup and may include one or more incremental
or differential backups.
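To make the backup-set idea concrete, here is an added PowerShell example (not from the book) that selects the backups needed to recover to a point in time, following the rules given above for full, incremental and differential backups. The function name Get-RestoreChain and both catalogs are constructed; it assumes a schedule uses either incrementals or differentials between full backups, never both.

```powershell
# Added example: work out the backup set needed for a recovery.
# Log-purge behaviour per backup type, as described in the text above.
$PurgesLogs = @{ Full = $true; Copy = $false; Incremental = $true; Differential = $false }

function Get-RestoreChain {
    param(
        [Parameter(Mandatory)] [object[]] $Catalog,
        [Parameter(Mandatory)] [datetime] $TargetTime
    )
    # Only backups taken at or before the recovery target are usable.
    $usable = @($Catalog | Where-Object { $_.Time -le $TargetTime } | Sort-Object Time)
    $full = $usable | Where-Object { $_.Type -eq 'Full' } | Select-Object -Last 1
    if ($null -eq $full) { throw "No full backup at or before $TargetTime." }

    # Copy backups are standalone; they are not part of the incremental/differential chain.
    $later = @($usable | Where-Object { $_.Time -gt $full.Time })
    $incr  = @($later | Where-Object { $_.Type -eq 'Incremental' })
    $diff  = @($later | Where-Object { $_.Type -eq 'Differential' })
    if ($incr.Count -gt 0 -and $diff.Count -gt 0) {
        throw 'Incremental and differential backups are mixed after the same full backup.'
    }

    # Differential: full + latest differential. Incremental: full + every incremental in order.
    $chain = if ($diff.Count -gt 0) { @($full, $diff[-1]) } else { @($full) + $incr }

    $step = 0
    foreach ($backup in $chain) {
        $step++
        [pscustomobject]@{
            Step       = $step
            Id         = $backup.Id
            Type       = $backup.Type
            Time       = $backup.Time
            PurgedLogs = $PurgesLogs[$backup.Type]
        }
    }
}

# Constructed catalog 1: Sunday full backup plus nightly incrementals.
$incrementalSchedule = @(
    [pscustomobject]@{ Id = 'F1'; Type = 'Full';        Time = [datetime]'2016-03-06 01:00' }
    [pscustomobject]@{ Id = 'I1'; Type = 'Incremental'; Time = [datetime]'2016-03-07 01:00' }
    [pscustomobject]@{ Id = 'I2'; Type = 'Incremental'; Time = [datetime]'2016-03-08 01:00' }
    [pscustomobject]@{ Id = 'I3'; Type = 'Incremental'; Time = [datetime]'2016-03-09 01:00' }
)

# Constructed catalog 2: Sunday full backup plus nightly differentials and one copy backup.
$differentialSchedule = @(
    [pscustomobject]@{ Id = 'F1'; Type = 'Full';         Time = [datetime]'2016-03-06 01:00' }
    [pscustomobject]@{ Id = 'D1'; Type = 'Differential'; Time = [datetime]'2016-03-07 01:00' }
    [pscustomobject]@{ Id = 'C1'; Type = 'Copy';         Time = [datetime]'2016-03-07 12:00' }
    [pscustomobject]@{ Id = 'D2'; Type = 'Differential'; Time = [datetime]'2016-03-08 01:00' }
    [pscustomobject]@{ Id = 'D3'; Type = 'Differential'; Time = [datetime]'2016-03-09 01:00' }
)

$target = [datetime]'2016-03-09 08:00'
Get-RestoreChain -Catalog $incrementalSchedule  -TargetTime $target | Format-Table -AutoSize
Get-RestoreChain -Catalog $differentialSchedule -TargetTime $target | Format-Table -AutoSize
```

The incremental schedule needs every backup since the full one to be intact, while the differential schedule needs only two, which is the restore-time trade-off the text describes.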
How Much Data Gets Copied?
One thing that Volume Shadow Copy Service does not natively provide is the
ability to reduce the amount of data that must be copied during a backup
operation. VSS simply creates either a permanent or temporary replica (depending
on how the invoking application requested the replica be created) of the disk
volume; it's then up to the application to sort out the appropriate files and folders
that make up the data set. Usually, this is the entire disk volume, but depending
on the selected VSS writers it may only be a portion of a disk volume or specific
files on a disk volume. Many Exchange Server–aware backup applications simply
copy the various transaction log files and mailbox database files to the backup
server.
Some applications, however, are a bit more intelligent; they keep track of which
blocks have changed in the target files since the last backup interval. These
applications can copy just those changed blocks to the backup data set—typically
some percentage of the blocks in the mailbox database file as well as all the new
transaction log files—thus reducing the amount of data that needs to travel over
the network and be stored. Block-level backups help strike a good balance
between storage, speed, and reliability. As you go forward with VSS-aware
Exchange Server–compatible backup solutions, be sure to investigate whether
they offer this feature. Microsoft's System Center Data Protection Manager does
offer this feature.
Disaster Recovery
Regular backups are important; the ability to successfully restore them is even more
important. This capability is a key part of your extended arsenal for problem
situations. Restoring the occasional backup is fairly straightforward but assumes that
you have a functional Exchange server and the dependent network infrastructures.
What do you do if an entire site or datacenter goes down and your recovery operations
extend beyond a single Exchange Server mailbox database? The answer to this
question is a broad topic that can fill many books, blog postings, and websites of its
own.
Disaster recovery (DR) is the practice of ensuring that critical services can be restored
when some disaster or event causes large-scale or long-term outage. A successful DR
plan requires the identification of critical services, dependencies, and data, creation of
documentation that lists the necessary tasks to re-create and restore them, and
modification of the relevant policies and processes within your organization to
support the DR plan.
It's not enough to consider how to rebuild Exchange servers and restore Exchange
Server mailbox databases. Exchange Server is a complex application with many
dependencies, so your plans need to accommodate the following issues:
Network Dependencies These include subnets, IP address assignments, DNS,
load balancers, DHCP services, switch configurations, network/Internet access,
and router configurations. Are you rebuilding your services to have the same IP
addresses or new ones? Whatever you decide, you'll need to make sure that
required services and clients can reach the Exchange servers.
Active Directory Services These include associated DNS zones and records.
Exchange Server cannot function without reliable access to global catalog servers
and other domain controllers. Which forests and domains hold objects Exchange
Server will need to reference? Does your existing replication configuration meet
those needs during a DR scenario? What would happen if an Active Directory user
account that was associated with a mailbox was accidentally deleted?
Third-Party Applications These include monitoring, backup, archival, or other
programs and services that require messaging services or interact with those
services. Don't just blindly catalog everything in production; be sure these systems
are also being addressed as part of the disaster-recovery plan.
There's a blurry line between disaster recovery and the associated concept of business
continuity (also called business continuance). Business continuity (BC) is the ability
of your organization to continue providing some minimum set of operations and
services necessary to stay in business during a large-scale outage, such as during a
regional event or natural disaster (for example, a hurricane or earthquake). In a
business continuity plan, your organization will identify and prioritize the most
critical services and capabilities that need to provide at least some level of operational
capacity as soon as possible, even without full access to data or applications.
It's important to note that the business continuity plan is designed and implemented
alongside your disaster-recovery efforts. In many organizations, they will be
maintained by two separate groups of professionals. It is imperative that these groups
should have good lines of communication in place.
Drawing the Line between Disaster Recovery and Business Continuity
There's a lot of confusion over exactly how disaster recovery and business
continuity relate to each other. We have good news and bad news: The good news
is that it's a simple relationship. The bad news is, “It depends.”
Both types of plans are ultimately aimed at the goal of repairing the damage
caused by extended outages. The biggest difference is the scope; many
business-continuity plans focus very little on technology and look instead at overall
business processes. In contrast, disaster-recovery plans of necessity have to be
concerned with the finer details of IT administration. The reality is that both
levels of focus are often needed—and must be handled in parallel, with
coordination, and in support of any additional ongoing crisis management.
We'll try to clarify the difference by providing an example. Acme Inc. is a national
manufacturer and supplier of various goods, mainly to wholesale distributors but
with a small and thriving mail-order retail department for the occasional
customer who needs quality Acme products but has no convenient retail outlet in
their locale. Acme's main call center has a small number of permanent staff but a
large number of contract call center operators.
Unfortunately, Acme's main order fulfillment center—for both bulk wholesale
orders, as well as the relatively small amount of mail-order traffic—gets hit by a
large fragment in a meteor shower, causing a fire that rapidly transforms the
entire site into smoking rubble even as all personnel are safely evacuated. The call
center and supporting datacenter are completely destroyed and, conservatively,
will take several months to fully rebuild. Obviously, Acme is going to suffer some
sort of setback, but with proper planning they can minimize the effects. What
types of actions would Acme's BC and DR plans each be taking?
Acme's Business Continuity Plan Acme is concerned with getting the
minimum level of operational function back online as quickly as possible. In
this case, it's going to take a while before they can resume call center
operations. Their immediate needs are to establish at least some level of
messaging support for the temporary call center workers the BC plan brings in.
Their BC plan does not assume that they will have in-house capability, so it
makes provisions—if required—to use hosted Exchange Server services as a
short-term stopgap so that communications with customers and wholesalers
will proceed until Acme's IT staff can bring up sufficient Exchange servers to
switch back to on-premises services.
Acme's Data Recovery Plan Acme is concerned with rebuilding critical
structures. In addition to restoring critical network infrastructure services,
Acme's Exchange Server administrators are tasked with first rebuilding
sufficient Exchange servers in their DR location to recover the mailbox
databases for the call center's permanent staff. They also need to then create
sufficient Exchange servers to allow the recovery of operator mailbox
databases to extract message data pertaining to currently open cases that need
investigation. Once the datacenter is rebuilt, they can build the rest of the
Exchange servers and restore operations from the DR site.
Location, Location, Location
One factor tends to consistently blur the line between regular backups, disaster
recovery, business continuity, and even high availability: where your solution is
located. We have talked to many administrators who have the false assumption that
once a recovery activity moves off-site, that automatically makes it disaster recovery
(or business continuity, or high availability). This is an understandable misconception
—but it's still not true.
In reality, the question of “where” is immaterial. If you're taking steps to protect your
data, it's backup and recovery. If you're taking steps to rebuild services, it's disaster
recovery. If you're taking steps to ensure you can still do business, it's business
continuity. This is obviously an oversimplification, but it'll do for now unless we start
looking at all the ways the lines can blur. However, we do want to touch on one of
those complications now: where you deploy your recovery operations. There are three
overall approaches: on-premises, off-premises, or a combination of the two.
On-Premises Recovery Solutions
Most of what we do as Exchange Server administrators, especially in backup and
restore work, is on-premises. In an on-premises solution, you have one or more sites
where your Exchange servers are deployed, and those same sites host the backup and
disaster-recovery operations. Note that this definition of “on-premises” differs
somewhat from traditional disaster-recovery terminology, which talks about dedicated
disaster-recovery sites. These sites are still part of your premises and so are still
“on-premises” for our purpose.
Many organizations can handle all their operations in this fashion through the use of
Exchange Server, storage and networking devices, and third-party applications. Some,
however, can use additional help. When you need on-premises help in the Exchange
Server world, there are two broad categories:
Appliances Appliances are self-contained boxes or servers, usually a sealed
combination of hardware and software, placed into the network. They are designed
to interface with or become part of the Exchange Server organization and provide
additional abilities. Appliances are useful for smaller organizations that want
sophisticated options for disaster recovery but don't have the budget or skill level
to provide their own. Appliances can be used to provide services such as cross-site
data replication, site monitoring, or even additional services aimed at other types
of functionality.
On the upside, appliances are typically easy to install. On the downside, they can
quickly become a single point of failure. The temptation to place an appliance and
treat it as a “fire-and-forget” solution is high. In reality, most appliances need to
be tested, monitored, and upgraded on a regular basis.
Remote Managed Services Remote managed services (or remote management)
are service offerings. Instead of buying a sealed black box, the customer purchases
a period of service from a vendor. The service provider provides design,
deployment, and ongoing maintenance services as part of the offering for the
customer—sometimes as a package, sometimes as a set of à la carte offerings. Like
appliances, these offerings can extend beyond traditional disaster-recovery
offerings.
These types of service providers are able to provide trained Exchange Server
expertise on a scale that is typically available only to very large organizations.
They can do this through economies of scale; by using these highly trained
personnel to monitor, maintain, and troubleshoot many disparate customer
organizations of all sizes and types, they can both afford this type of staff and
offer them the kind of challenges necessary to retain them.
Some solutions exist that combine these two approaches; customers purchase both an
appliance, as well as a managed service offering.
Off-Premises Recovery Solutions
Some problems are easier to solve—or more efficient to solve—if you let someone else
deal with them. In the Exchange Server world, this translates to hosted services—
services or offerings provided by a third party. Hosted services may provide a large
variety of functionality to an Exchange Server organization, ranging from backup,
disaster recovery, and business continuity to such services as message hygiene,
archival, and compliance and governance.
There's a close similarity between hosted services and remote managed services. Both
are provided by an external service model. They can both offer a combination of
features, performance, and convenience that makes them attractive to small- and
medium-sized organizations. The difference is that with hosted services, messaging
traffic is targeted—whether externally or internally—to the hosting provider, which
then performs specific actions. Depending on the specific service, traffic may then be
rerouted back to the organization or it may continue to reside at the hosting provider.
Most hosted services charge on a per-user or per-mailbox basis. Because of this, they
were often originally favored by smaller organizations or for specific portions of a
larger enterprise. However, today's costs for hosted services are so low that even very
large organizations have deployed hosted services. Hosted services can also require a
large amount of bandwidth, depending on the overall amount of traffic between your
organization and the service. This can drive the costs higher than just the up-front
per-user price.
One of the main differences between hosted services and remote managed services is
that a hosted service provider usually (but not always) has an internal Exchange
Server deployment that is designed to host multiple tenants. For many years, the retail
version of Exchange Server was designed around the assumption that each
deployment would be used for a single organization or corporate entity.
Beginning with Exchange Server 2000, Microsoft began adding enhancements to
Exchange Server to provide better support for multi-tenant deployments. However, it
was not until after the release of Exchange Server 2007 and Microsoft's own initial
multi-tenant offering (BPOS – Business Productivity Online Suite) that Microsoft
began to invest significant resources into improving the Exchange Server story around
multi-tenant support. These improvements continued with Exchange Server 2013 and
have further continued with Exchange Server 2016.
With Office 365, Microsoft is hosting millions of mailboxes based on Exchange Server
2013 and Exchange Server 2016. Exchange Server 2016 can be run on-premises, in the
cloud, or in a hybrid configuration of the two. In each case, the available functionality
is almost identical irrespective of where the mailboxes are located (on-premises or in
the cloud).
So now that we've talked quite a bit about backup and recovery, there is another
concept to talk about. This new concept, called Exchange Native Data Protection, is
new since Exchange 2013. Native Data Protection is an Exchange deployment that is
configured to use all of the built-in Exchange Server features to minimize or eliminate
traditional backups. The following features help deliver Native Data Protection:
Multiple datacenters to house Exchange servers. You need to have a
minimum of two datacenters to house Exchange servers, but more can be helpful,
too. From a pure Native Data Protection standpoint, three datacenters is optimum.
Unbound namespace. The namespace for your environment dictates which
domains and fully qualified domains are used to connect to Exchange services. A
bound namespace is a namespace that is designed to have specific users operate
out of specific datacenters. An unbound namespace is a namespace that is designed
to be site agnostic, enabling users to use any datacenter. The unbound namespace
presents a simplified configuration, but it may not be feasible in every
organization.
Multiple copies of each database. You should opt for a minimum of three
copies of each database. In doing so, you can potentially eliminate database
backups. However, there are still risks to your databases, namely logical
corruption, which can replicate to each copy of your database. Luckily, it doesn't
happen often in most organizations, and Exchange has a mitigating feature, a
lagged database copy, which we discuss next.
Lagged copy of each database. A lagged database copy is a copy of a database
that is a specific amount of time behind the source database. For example, you
might have a primary database named DB01. It replicates to a lagged database. But
the lagged database is eight hours behind. All of the changes in the past eight
hours are in transaction logs and not played into the database yet. If logical
corruption occurs and replicates, you have eight hours to catch it and stop it from
playing into the lagged copy.
Email data recovery. This concerns deleted item retention and single item
recovery. This enables you and/or users to recover email data without the use of
traditional backups.
The Native Data Protection route is enhanced by having highly available components
in your infrastructure. This includes power, cooling, Internet connectivity, routers,
switches, firewalls, load balancers, and storage. While Native Data Protection is a good
thing, it often isn't realistic for most organizations for a variety of reasons such as cost
and complexity. Some organizations choose to go with Native Data Protection and
traditional backups, with the idea being that Native Data Protection provides
everything that is needed and backups are there as a secondary approach (and,
hopefully, they are never required).
Management Frameworks
There's a lot of great guidance out there (including fine books such as this one) on the
technical aspects of designing, installing, configuring, and operating Exchange servers
and organizations. There's a lot less material that provides a coherent look at the
issues of the entire life cycle of IT management in general, let alone Windows or
Exchange Server deployments in particular. There may be, however, more than you
think: every organization of every size struggles with common nontechnical issues
and needs a good defined framework for managing IT resources. Having this type of
framework in place makes it easier to properly plan for disaster recovery and business
continuity concerns, as well as other common management tasks. Think of
management frameworks as having all employees working in the same way, using the
same processes. For example, every deployment of Exchange server would have a
methodology behind it, facilitating the planning, preparation, design, deployment, and
support. Documentation is a big part of most frameworks. As you can see, with a
management framework in place, your company is better situated to deal with a
disaster-recovery situation.
There are several frameworks you may want to examine, or with which you are
already familiar in some fashion:
The Information Technology Infrastructure Library (ITIL) is the 900-pound
gorilla of the IT management framework world. ITIL provides a generic set of tools
for IT professionals to use as template concepts and policies when developing their
own management processes of their IT infrastructure and operations.
Microsoft has developed the Microsoft Operations Framework (MOF), a detailed
framework based on the concepts and principles of ITIL. MOF takes the generic
framework offered by ITIL and provides greater detail optimized for Windows and
other Microsoft technologies.
Like Microsoft, IBM offers its own ITIL-centric framework: the IBM Tivoli Unified
Process (ITUP). ITUP provides guidance on taking generic ITIL concepts and
processes and linking them into real-world processes and tasks that map to real IT
objectives.
The Control Objectives for Information and Related Technologies (COBIT) best
practices framework was initially created as a way to help organizations develop IT
governance processes and models. While COBIT is typically thought of as
optimized for IT audits, it offers supplemental practices suitable for IT
management.
So how necessary are management frameworks in real deployments? Why are we
wasting valuable space talking about ITIL and MOF when we could be cramming in a
couple more nuggets of yummy Exchange Server 2016 technical goodness? The
answer is simple: we can't include everything. No matter how thorough (and long) the
book, there will always be more technical details that we can't include. Instead, we
wanted to include at least an introduction to some of the nontechnical areas that can
give you an advantage.
While a deep dive into any of these alternatives is out of scope for this book, we do
want to take a short peek at two of them: first ITIL and then MOF. Although you don't
have to know anything about these subjects to be a low-level Exchange Server
administrator (but you should!), Microsoft has begun introducing exposure to these
concepts into the training for their high-level Exchange Server certifications.
ITIL
The best way to learn about ITIL is to go through one of the training and certification
events. Outside such classes, ITIL is in essence a collection of best practices in the
discipline of IT service management. IT service management is just what it sounds
like: effective and consistent management of IT services. IT management is in many
respects nonintuitive and offers several specific challenges that are not common to
many other management disciplines; most people need specific training to learn how
to manage IT in the most effective way. ITIL represents the most accepted IT
management approach in the world.
ITIL was developed by the UK Central Computer and Telecommunications Agency in
an attempt to develop a centralized management standard for IT throughout the
various British government agencies. This effort was not successful—in part due to the
change from mainframe-based computing to personal computers and networks and
the resulting lowering of barriers to server acquisition and deployment. However, it
did allow the formation of existing best practices and thoughts on IT service
management into a single collection of best practices and procedures, supported by
tasks and checklists IT professionals can use as a starting point for developing their
own IT governance structures. ITIL is supported and offered by a wide variety of
entities, including many large enterprises and consulting firms, with training and
certification available for IT professionals.
ITIL has been through several iterations. The most current version, ITIL 2011, became
available in July 2011 and consists of five core texts:
Service Strategy Demonstrates how to use the service management discipline
and develop it as both a set of capabilities and a large-scale business asset
Service Design Demonstrates how to take your objectives and develop them into
services and assets through the creation of appropriate processes
Service Transition Demonstrates how to take the services and assets previously
created and transition them into production in your organization
Service Operation Demonstrates the processes and techniques required to
manage the various services and assets previously created and deployed
Continual Service Improvement Demonstrates the ongoing process of
improving on the services and assets
For more information on ITIL, see its official website at
https://www.axelos.com/best-practice-solutions/itil. For a great improvement over
the official ITIL texts, see ITIL Foundation Exam Study Guide (Sybex, 2012).

MOF

Microsoft has worked with ITIL for more than 10 years, beginning in 1999. As ITIL has developed and grown in popularity, Microsoft has seen that its customers needed more specific guidance for using the principles and concepts of ITIL in the context of Microsoft technologies and applications. As a result, they created the Microsoft Operations Framework, which they describe in the following manner:

The Microsoft strategy for IT service management is to provide guidance and software solutions that enable organizations to achieve mission-critical system reliability, availability, supportability, and manageability of the Microsoft platform. The strategy includes a model for organizations and IT pros to assess their current IT infrastructure maturity, prioritize processes of greatest concern, and apply proven principles and best practices to optimize performance on the Microsoft platform.

MOF is not a replacement for ITIL; it is one specific implementation of ITIL, optimized for environments that use Microsoft products. It's specifically designed to help IT professionals align business goals with IT goals and develop cohesive, unified processes that allow the creation and management of IT services throughout all portions of the IT lifecycle. It is currently on version 4.0, which aligns with ITIL v3.

MOF defines four stages of the IT service management lifecycle:

- Plan: Plan is the first stage of the cycle: new IT services are identified and created, or necessary changes are identified in existing IT services that are already in place.
- Deliver: Deliver is the second stage: the new service is implemented for use in production.
- Operate: Operate is the final stage of the cycle: the service is deployed and monitored. It feeds back into the Plan stage in order to effect incremental changes as necessary.
- Manage: Manage is not a separate stage; instead, it is an ongoing set of processes that take place at all times throughout the cycle to measure and monitor the effectiveness of your efforts. This is illustrated in Figure 3.1.

Figure 3.1 The four stages of the Microsoft IT service management lifecycle

For more information on MOF, see the following web page:
https://technet.microsoft.com/en-us/library/dd320379.aspx

What Are You Measuring?

Let's demonstrate the practical value of some of this “management framework” mumbo jumbo by tackling a hot topic: availability and uptime. We've heard a lot of executives talk about “five nines of availability”—but what, exactly, does that mean? You can't have a meaningful discussion about availability without knowing exactly what kind of availability you're talking about (which we'll get to later in this chapter), and without knowing that, you can't measure it, let alone to the ludicrous degree of detail that five nines represents.

Now let's discuss uptime. Uptime has a pretty well-defined meaning; you just need to know what scope it applies to. Are you talking server uptime, mailbox uptime, or service uptime? Once you have that defined, you can take measurements and apply numbers for quantitative comparisons.

ITIL and MOF give you not only the conceptual framework for agreeing on what you're measuring but also guidance on how to put the process of measurement into place. That kind of discipline can give you a lot of long-term advantages and help keep your Exchange Server deployment better managed than you could do on your own. The thing to remember is that these frameworks are starting points; they're not cast in stone, and they're not laws you must rigidly obey. If you find some aspect that doesn't work for your organization, you should first make sure you understand what the purpose of that feature is and how it's intended to work. Once you're sure that it doesn't apply as is, feel free to make documented changes to bring it into alignment with your needs.

A Closer Look at Availability

We've already talked about disaster recovery and how it can be confused with general data protection (backup and recovery) and business continuity. Perhaps an even more common confusion, though, is the distinction between high availability and disaster recovery. This is a common enough error that we felt it was worth devoting a separate section of this chapter.

High availability (HA) is a design strategy. The strategy is simple: try to ensure that users keep access to services, such as their Exchange Server mailboxes or Unified Messaging servers, during periods of outage or downtime. These outages could be the result of any sort of event:

- Hardware failure, such as the loss of a power supply, a memory module, or the server motherboard
- Storage failure, such as the loss of a disk, disk controller, or data-level corruption
- Network failure, such as the cutting of a network cable or a router or a switch losing configuration
- Some other service failure, such as the loss of an Active Directory domain controller or a DNS server

HA technologies and strategies are designed to allow a given service to continue to be available to users (or other services) in the event of these kinds of failures. No matter which technology is involved, there are two main approaches, one or both of which are used by each HA technology and strategy:

- Fault Tolerance and Redundancy: This involves placing resources into a pool so that one can take up the load when another member of the pool fails. This strategy removes the presence of a single point of failure. Fault tolerance needs to be accompanied by some mechanism for selecting which of the redundant resources is to be used. These mechanisms are either round-robin or load balancing. In the former, each resource in the pool is used in turn, regardless of the current state or load. In the latter, additional mechanisms are used to direct users to the least loaded member of the resource pool. Many higher-end hardware systems use redundant parts to make the overall server system more redundant to many common types of hardware failures.
- Replication: This process involves making copies of critical data between multiple members of a resource pool. If replication happens quickly enough and with a small enough time interval, when one member of the resource pool becomes unavailable, another member can take over the load. Most replication strategies, including Exchange Server's database replication features, are based on a single master strategy, where all updates happen to the master (or active) copy and are replicated to the additional copies. Some technologies such as Active Directory are designed to allow multimaster replication, where updates can be directed to the closest member. Exchange Server 2016 can use database availability groups (DAGs) to replicate copies of data from one Mailbox server to another and to provide failover in the event the database where the mailbox resides fails.

Measuring Availability

It is not uncommon to find that availability of a system is measured differently depending on the organization. Typically, to report the percentage of availability, you take the amount of time during a measurement period and then subtract the total downtime during that period. Finally, you divide that number by the total elapsed time.

So, let's say that during a 30-day period of time, there was no scheduled downtime, but there was a 4-hour period of time when patches were applied to the system. So, 30 days – .17 days = 29.8 days of total uptime, and 29.8/30 = 99.3 percent availability.

This is just a sample calculation, of course. In the real world, you may have a maintenance window during your operations that would not count against your availability numbers. You want to do your very best to minimize the amount of unplanned downtime, but you also have to take into consideration scheduled maintenance and planned downtime.

In some organizations, no downtime, planned or unplanned, is acceptable. You must design your systems accordingly.
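
The calculation described above, as an added Python example that is not from the book: it measures one scope at a time, counts overlapping outage records once, and treats maintenance windows as outside the agreed service time, which is one common convention and an assumption here. The outage records, dates and function names are constructed for illustration; carrying the 4 hours unrounded (rather than as .17 days) gives 99.44 percent for the 30-day case.

```python
from datetime import datetime, timedelta

def merge(intervals):
    """Merge overlapping (start, end) pairs so concurrent outages count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def clip(intervals, lo, hi):
    """Trim intervals to the measurement period; drop those entirely outside it."""
    return [(max(s, lo), min(e, hi)) for s, e in intervals if max(s, lo) < min(e, hi)]

def subtract(intervals, holes):
    """Remove the time covered by `holes` (merged and sorted) from `intervals`."""
    result = []
    for start, end in intervals:
        cursor = start
        for h_start, h_end in holes:
            if h_end <= cursor or h_start >= end:
                continue                      # hole does not touch what is left
            if h_start > cursor:
                result.append((cursor, h_start))
            cursor = max(cursor, h_end)
        if cursor < end:
            result.append((cursor, end))
    return result

def total(intervals):
    return sum((e - s for s, e in intervals), timedelta())

def availability(period_start, period_end, outages, scope, maintenance=()):
    """Percent availability for one scope ("server", "mailbox", "service", ...).

    Assumption: maintenance windows are removed from both the downtime and the
    measured period (agreed service time), so planned work neither hurts nor
    inflates the figure.
    """
    planned = merge(clip(maintenance, period_start, period_end))
    agreed = total(subtract([(period_start, period_end)], planned))
    if agreed <= timedelta(0):
        raise ValueError("no agreed service time in the period")
    scoped = [(s, e) for sc, s, e in outages if sc == scope]
    down = merge(clip(scoped, period_start, period_end))
    unplanned = total(subtract(down, planned))
    return 100.0 * ((agreed - unplanned) / agreed)

def downtime_budget(period, target_percent):
    """Downtime a target such as 99.999 ("five nines") allows in `period`."""
    return period * (1 - target_percent / 100)

# Constructed sample data: a 30-day measurement period and four outage records.
PERIOD_START = datetime(2016, 6, 1)
PERIOD_END = datetime(2016, 7, 1)
PATCHING = ("service", datetime(2016, 6, 11, 22), datetime(2016, 6, 12, 2))
OUTAGES = [
    PATCHING,                                                            # 4 hours
    ("service", datetime(2016, 6, 20, 9, 0), datetime(2016, 6, 20, 9, 30)),
    ("service", datetime(2016, 6, 20, 9, 15), datetime(2016, 6, 20, 10, 0)),  # overlaps
    ("server", datetime(2016, 6, 25, 3), datetime(2016, 6, 25, 5)),      # other scope
]
MAINTENANCE = [(datetime(2016, 6, 11, 22), datetime(2016, 6, 12, 2))]

if __name__ == "__main__":
    args = (PERIOD_START, PERIOD_END)
    print("patching only      :", round(availability(*args, [PATCHING], "service"), 2))
    print("service, all down  :", round(availability(*args, OUTAGES, "service"), 2))
    print("service, unplanned :", round(availability(*args, OUTAGES, "service", MAINTENANCE), 2))
    print("server scope       :", round(availability(*args, OUTAGES, "server"), 2))
    print("five nines budget  :", downtime_budget(PERIOD_END - PERIOD_START, 99.999))
```

The same outage log produces a different percentage for each scope and for each treatment of planned downtime, which is why the scope and the maintenance convention have to be agreed before the number is reported.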

Service Availability

When we have discussions with people about high availability in Exchange Server organizations, we find that the level of high availability that most of them are actually thinking about is service availability. That is, they think of the Exchange Server deployment as an overall service and think of how to ensure that users can get access to everything (either that or they think solely of hardware clusters, storage replication, and the other low-end technologies). It is important to note that when discussing service availability, this term may mean different things to different people.

Service availability is an important consideration for the overall availability strategy. It doesn't make a lot of sense to plan for redundant server hardware if you forget to deploy sufficient numbers of those servers with the right Exchange Server roles in the appropriate locations. (We'll discuss the proper ratios and recommendations for role and server placement in Chapter 8, “Understanding Server Roles and Configurations.”) To ensure true service availability, you need to consider all the other levels of availability.

The other aspect of service availability is to think about what other services Exchange Server is dependent on:

- The obvious dependency is Active Directory. Each Exchange server requires access to a domain controller, as well as global catalog servers. The more Exchange servers in the site, the more of each Active Directory role that the site requires. If your domain controllers are also DNS servers, you need enough DNS servers to survive the loss of one or two. If you lose all DNS servers or all domain controllers in an Active Directory site, Exchange Server will fail.
- What type of network services do you need? Do you assign static IP addresses and default gateways or do you use DHCP and dynamic routing? Do you have extra router or switching capacity? What about your firewall configurations—do you have only a single firewall between different network zones or are those redundant as well?
- What other applications do you deploy as part of your Exchange Server deployment? Do you rely on a monitoring system such as Microsoft System Center Operations Manager? What will occur if something happens to your monitoring server; is there a redundant or backup system that takes over, or will additional faults and failures go unnoticed and be allowed to impact the Exchange Server system? Do you have enough backup agents and servers to protect your Mailbox servers?

Service availability typically requires a combination of redundancy and replication strategies. For example, you deploy multiple Active Directory domain controllers in a site for redundancy, but they replicate the directory data between each other.

Network Availability

The next area we want to talk about is network availability. By this, we don't mean the types of network services we mentioned in the previous section. Instead, what we mean is the ability to ensure that you can receive new connection requests from clients and other servers, regardless of whether your organization uses Exchange servers, PBX systems and telephony gateways, or external mail servers. Network availability is a key part of Exchange Server infrastructure and must be considered as a part of your overall service availability.

The typical strategy for network availability is load balancing. This is network-level redundancy. Simple network load balancers use a round-robin mechanism to alternate and evenly (on the basis of numbers) distribute incoming connections to the members of the resource pool. Other solutions use more sophisticated mechanisms, such as monitoring each member of the pool for overall load and assigning incoming connections to the least-loaded member.

For larger organizations and complex Exchange Server deployments, it's common to use hardware load balancers. Hardware systems are typically more expensive and represent yet more systems to manage and maintain, so they add a degree of complexity that is often undesirable to smaller organizations. Smaller organizations often prefer to use software-based load-balancing solutions, such as Windows Network Load Balancing (WNLB).

Unfortunately, WNLB isn't generally suitable for Exchange Server 2016 deployments. This is the official recommendation of both the Exchange Server product group and the Windows product group, the folks who develop the WNLB component. WNLB has a few characteristics that render it unsuitable for use with Exchange Server in any but the smallest of deployments or test environments:

- WNLB simply performs round-robin balancing of incoming connections. It doesn't detect whether members of the load-balance cluster are down, so it will keep sending connections to the downed member. This could result in intermittent and confusing behavior for clients and loss or delay of messages from external systems. If you must deploy WNLB, also consider deploying scripts that can monitor application health and update WNLB accordingly, as demonstrated here: http://msdn.microsoft.com/en-us/library/windows/desktop/cc307934.aspx
- WNLB is incompatible with Windows Failover Clustering. This means that small shops can't deploy a pair of servers with the Mailbox role and then use WNLB to load balance client access or use continuous replication to replicate the mailbox databases.

Even when using hardware network load balancing, there are several things to remember and best practices to follow. (For more information on load balancing, DNS, and WNLB, see Chapter 21, “Understanding the Client Access Server.”)

Data Availability

We've seen many Exchange Server organization designs and deployment plans. Most of them spend a lot of time ensuring that the mailbox data will be available.

In all versions of Exchange Server prior to Exchange Server 2007, having high availability for mailbox databases meant using Windows Failover Clustering (WFC), which was a feature of Windows Enterprise Edition. One of the features provided by WFC is the ability to create groups of servers (clusters) that share storage resources. Within this cluster of servers, one or more instances of Exchange Server would be running and controlling the mailbox databases. If one hardware node were to fail, the active server instance would fail over to another hardware node, and the shared storage resources would move with it.

Failover clustering is a common HA strategy, and WFC is a proven technology. This turned out to be a good strategy for many Exchange Server organizations. However, failover clustering has some cons. For clusters that rely on a shared quorum, the biggest is the reliance on shared storage—typically, a storage area network. Shared storage increases the cost and complexity of the clustering solution, but it doesn't guard against the most common cause of Exchange Server outage: disk failure or corruption.

Exchange Server 2007 introduced a data-availability solution called continuous replication to help overcome some of the weaknesses associated with failover clustering and to allow more organizations to take advantage of highly available deployments. Continuous replication, also known as log shipping, copies the transaction logs corresponding to a mailbox database from one Mailbox server to another. The target then replays the logs into its own separate copy of the database, re-creating the latest changes.

Exchange Server 2010 added more features to continuous replication, including data encryption and compression. With Exchange Server 2016, a Mailbox server can have up to 15 replication partners. You can join servers into a database availability group; members of that group can replicate one or more of their mailbox databases with the other servers in the group. Each database can be replicated separately from others and have one or more replicas. A DAG can cross Active Directory site boundaries, thereby providing site resiliency, and activation of a passive copy can be automatic.

We'll go into more detail about DAGs and continuous replication in Exchange Server 2016 in Chapter 20, “Creating and Managing Database Availability Groups.”

HA vs. DR: Not the Same

We'll provide a quick comparison between the typical Exchange Server HA deployment and DR deployment. If you think that by having disaster recovery you have availability, or vice versa, think again.

In an HA Exchange Server environment, the focus is usually on keeping mailboxes up and running for users, transferring mail with external systems, and keeping Exchange Server services up. In a DR environment, the focus is usually on restoring a bare minimum of services, often for a smaller portion of the overall user population. In short, the difference is that of abundance versus triage.

For Exchange Server, an HA design can provide several advantages beyond the obvious availability goals. A highly available Exchange Server environment often enables server consolidation; the same technologies that permit mailbox data to be replicated between servers or to keep multiple instances of key Exchange Server services also permit greater user mailbox density or force the upgrading of key infrastructure (like network bandwidth) so that a greater number of users can be handled. This increased density can make proper DR planning more difficult by increasing the requirements for a DR solution and making it harder to identify and target the appropriate user populations.

That's not to say that HA and DR are incompatible. Far from it; you can and should design your Exchange Server 2016 deployment for both. To do that effectively, though, you need to have a clear understanding of what each technology and feature actually provide you, so you can avoid design errors. For example, if you have separate groups of users who will need their mailboxes replicated to a DR site, set them aside in separate mailbox databases, rather than mingling them in with users whose mailboxes won't be replicated.

Storage Availability

Many administrators and IT professionals immediately think of storage designs when they hear the word availability. Although storage is a critical part of ensuring the overall service availability of an Exchange Server organization, the impact of storage design is far more than just availability; it directly affects performance, reliability, and scalability.

An Overview of Exchange Storage

In medium-sized and large organizations, the Exchange Server administrator is usually not responsible for storage. Many medium-sized and large organizations use specialized storage area networks that require additional training to master. Storage is a massive topic, but we feel it is important that you at least be able to speak the language of storage and be knowledgeable about storage concepts.

From the very beginning, messaging systems have had a give-and-take relationship with the underlying storage system. Even on systems that aren't designed to offer long-term storage for email (such as ISP systems that offer only POP3 access), email creates demands on storage:

- The transport components must have space to queue messages that cannot be immediately transmitted to the remote system.
- The delivery component must be able to store incoming messages that have been delivered to a mailbox until users can retrieve them.
- The message store, in systems like Exchange Server, permits users to keep a copy of their mailbox data on central servers.
- As the server accepts, transmits, and processes email, it keeps logs with varying levels of detail so administrators can troubleshoot and audit activities.

Although you'll have to wait for subsequent chapters to delve into the details of planning storage for Exchange Server, the following sections go over the two broad categories of storage solutions that are used in modern Exchange Server systems: direct attached storage (DAS) and storage area networks (SANs). The third type of storage, network-attached storage (NAS), is generally not supported with Exchange Server 2013 or Exchange Server 2016.

Direct attached storage is the most common type of storage in general. DAS disks are usually internal disks or directly attached via cable. Just about every server, except for some high-end varieties, such as blade systems using boot-over-SAN, uses DAS at some level; typically, at least the boot and operating system volumes are on some DAS configuration. However, in versions of Exchange Server prior to Exchange Server 2010, DAS has drawbacks: it doesn't necessarily scale as well for either capacity or performance. Further, organizations that have invested significant amounts of money in their SANs may still require that Exchange Server use the SAN instead of DAS.

To solve these problems, people looked at NAS devices as one of the potential solutions. These machines—giant file servers—sit on the network and share their disk storage. They range in price and configuration from small plug-in devices with fixed capacity to large installations with more configuration options than most luxury cars (and a price tag to match). Companies that bought these were using them to replace file servers, web server storage, SQL Server storage—why not Exchange Server?

However, the only version of Exchange Server that supported NAS was Exchange Server 2003. Instead of continuing to support NAS, the Exchange Server development team switched to reducing the overall I/O requirements so that DAS configurations become practical for organizations. Exchange Server 2007 moved to a 64-bit architecture to remove memory-management bottlenecks in the 32-bit Windows kernel, allowing the Exchange Information Store to use more memory for intelligent mailbox data caching and reduce disk I/O. Exchange Server 2010 in turn made aggressive changes to the on-disk mailbox database structures, such as moving to a new database schema that allows pages to be sequentially written to the end of the database file rather than randomly throughout the file. The schema updates improve indexing and client performance, allowing common tasks, such as updating folder views to happen more quickly while requiring fewer disk reads and writes. These changes help improve efficiency and continue to drive mailbox I/O down.

Every version of Exchange Server has reduced the I/O requirements for running Exchange Server. Exchange Server 2016 is no exception. Prior to Exchange Server 2016, Exchange Server 2013 made significant changes to the I/O profile presented by Exchange Server. Between Exchange Server 2010 and Exchange Server 2013, Microsoft reduced I/O requirements between 33 percent and 50 percent. From Exchange Server 2003 to Exchange Server 2013, I/O requirements have been reduced by over 90 percent! However, these reductions in I/O requirements now make it practical to reexamine DAS as a solution for Exchange Server storage (and, in fact, DAS is recommended by Microsoft for Exchange Server 2010 and later versions). If you opt to use DAS for your implementation, consider using four database copies for each database to meet Microsoft's recommendation for maximizing availability and minimizing issues.

The premise behind a SAN is to move disks to dedicated storage units that can handle all the advanced features you need—high-end RAID configurations, hot-swap replacement, on-the-fly reconfiguration, rapid disk snapshots, tight integration with backup and restore solutions, and more. This helps consolidate the overhead of managing storage, often spread out on dozens of servers and applications (and their associated staff), into a single set of personnel. Then, dedicated network links connect these storage silos with the appropriate application servers. Yet this consolidation of storage can also be a serious pitfall because Exchange Server is usually not the only application placed on the SAN. Applications, such as SharePoint, SQL, archiving, and file services may all be sharing the same aggregated set of spindles and cause disk contention, which leads to poor performance.

Direct Attached Storage

As used for legacy Exchange Server storage, DAS historically displays two main problems: performance and capacity. As mailbox databases got larger and traffic levels rose, pretty soon people wanted to look for alternatives; DAS storage under Exchange Server 2000 and Exchange Server 2003 required many disks to meet I/O requirements, because Exchange Server's I/O profile was optimized for the 32-bit memory architecture that Windows provided at the time.

To get more scalability on logical disks that support Exchange Server databases, you can always try adding more disks to the server. This gives you a configuration known as Just a Bunch of Disks (JBOD).

Although JBOD can usually give you the raw disk storage capacity you need, it has three flaws that render it unsuitable for all but the smallest of legacy Exchange Server deployments:

- JBOD Forces You to Partition Your Data: Because each disk has a finite capacity, you can't store data on that disk if it is larger than the capacity. For example, if you have four 250 GB drives, even though you have approximately 1 TB of storage in total, you have to break that up into separate 250 GB partitions. Historically, this has caused some interesting design decisions in messaging systems that rely on filesystem-based storage.
- JBOD Offers No Performance Benefits: In many JBOD implementations, each disk is responsible for only one chunk of storage, so if that disk is already in use, subsequent I/O requests will have to wait for it to free up before they can go through. A single disk can thus become a bottleneck for the system, which can slow down mail for all your users (not just those whose mailboxes are stored on the affected disk).
- JBOD Offers No Redundancy: If one of your disks dies, you're out of luck unless you can restore that data from backup. True, you haven't lost all your data, but the one-quarter of your users who have just lost their email are not likely to be comforted by that observation.

Several of the Exchange Server 2010 design goals focused on building in the necessary features to work around these issues and make a DAS JBOD deployment a realistic option for more organizations. Exchange Server 2016 design goals included continuing to reduce the total I/O requirement necessary for Exchange Server, making DAS even more realistic for many organizations. In fact, Office 365 runs off DAS!

However, legacy versions of Exchange Server contain no mechanisms to work around these issues. Luckily, some bright people came up with a great generic answer to JBOD that also works well for legacy Exchange Server: the Redundant Array of Inexpensive Disks (RAID).

The basic premise behind RAID is to group the JBOD disks together in various configurations with a dedicated disk controller to handle the specific disk operations, allowing the computer (and applications) to see the entire collection of drives and controller as one very large disk device. These collections of disks are known as arrays; the arrays are presented to the operating system, partitioned, and formatted as if they were just regular disks. The common types of RAID configurations are shown in Table 3.1.

Table 3.1 RAID Configurations

| RAID Level | Name | Description |
|---|---|---|
| None | Concatenated drives | Two or more disks are joined together in a contiguous data space. As one disk in the array is filled up, the data is carried over to the next disk. Though this solves the capacity problem and is easy to implement, it offers no performance or redundancy whatsoever and makes it more likely that you're going to lose all your data, not less, through a single disk failure. These arrays are not suitable for use with legacy Exchange servers. |
| RAID 0 | Striped drives | Two or more disks have data split among them evenly. If you write a 1 MB file to a two-disk RAID 0 array, half the data will be on one disk, half on the other. Each disk in the array can be written to (or read from) simultaneously, giving you a noticeable performance boost. However, if you lose one disk in the array, you lose all your data. These arrays are typically used for fast, large, temporary files, such as those in video editing. These arrays are not suitable for use with Exchange Server; while they give excellent performance, the risk of data loss is typically unacceptable. |
| RAID 1 | Mirrored drives | Typically done with two disks (although some vendors allow more), each disk receives a copy of all the data in the array. If you lose one disk, you still have a copy of your data on the remaining disk; you can either move the data or plug in a replacement disk and rebuild the mirror. RAID 1 also gives a performance benefit; reads can be performed by either disk, because only writes need to be mirrored. However, RAID 1 can be one of the more costly configurations; to store 500 GB of data, you'd need to buy two 500 GB drives. These arrays are suitable for use with legacy Exchange Server volumes, depending on the type of data and the performance of the array. RAID 1 is fairly common for the operating system disk. |
| RAID 5 | Parity drive | Three or more disks have data split among them. However, one disk's worth of capacity is reserved for parity checksum data; this is a special calculated value that allows the RAID system to rebuild the missing data if one drive in the array fails. The parity data is spread across all the disks in the array. If you had a four-disk 250 GB RAID 5 array, you'd have only 750 GB of usable space. RAID 5 arrays offer better performance than JBOD but worse performance than other RAID configurations, especially on the write requests; the checksum must be calculated and the data plus parity written to all the disks in the array. Also, if you lose one disk, the array goes into degraded mode, which means that even read operations will need to be recalculated and will be slower than normal. These arrays are suitable for use with legacy Exchange Server mailbox database volumes on smaller servers, depending on the type of data and the performance of the array. Due to their write performance characteristics, they are usually not well matched for transaction log volumes. |
| RAID 6 | Double parity drive | This RAID variant is designed to provide RAID 5 arrays with the ability to survive the loss of two disks. Other than offering two-disk resiliency, base RAID 6 implementations offer mostly the same benefits and drawbacks as RAID 5. Some vendors have built custom implementations that attempt to solve the performance issues. These arrays are suitable for use with Exchange Server, depending on the type of data and the performance of the array. |
| RAID 10, RAID 0+1, RAID 1+0 | Mirroring plus striping | A RAID 10 array is the most costly variant to implement because it uses mirroring. However, it also uses striping to aggregate spindles and deliver blistering performance, which makes it a great choice for high-end arrays that have to sustain a high level of I/O. As a side bonus, it also increases your chances of surviving the loss of multiple disks in the array. There are two basic variants. RAID 0+1 takes two big stripe arrays and mirrors them together; RAID 1+0 takes multiple mirror pairs and stripes them together. Both variants have essentially the same performance numbers, but 1+0 is preferred because it can be rebuilt more quickly (you only have to regenerate a single disk) and has far higher chances of surviving the loss of multiple disks (you can lose one disk in each mirror pair). These arrays have traditionally been used for high-end highly loaded legacy Exchange Server mailbox database volumes. |
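
An added Python example, not from the book: it computes usable capacity for the levels in Table 3.1 and enumerates every possible combination of failed disks to show how often each layout keeps its data, which puts numbers on the RAID 0+1 versus RAID 1+0 comparison. The level names, the disk numbering and the assumption that a RAID 0+1 array consists of two equal stripe sets are choices made for this illustration.

```python
from itertools import combinations

def usable_gb(level, disks, size_gb):
    """Usable capacity of `disks` identical drives of `size_gb` each."""
    if level in ("concat", "raid0"):
        return disks * size_gb
    if level == "raid1":
        return size_gb                      # every disk holds a full copy
    if level == "raid5":
        return (disks - 1) * size_gb        # one disk's worth of parity
    if level == "raid6":
        return (disks - 2) * size_gb        # two disks' worth of parity
    if level in ("raid0+1", "raid1+0"):
        return disks // 2 * size_gb         # half the disks are mirror copies
    raise ValueError(f"unknown level: {level}")

def survives(level, disks, failed):
    """True if the array still holds all its data after `failed` disks are lost."""
    failed = set(failed)
    if level in ("concat", "raid0"):
        return not failed                   # any single loss destroys the array
    if level == "raid1":
        return len(failed) < disks          # one surviving copy is enough
    if level == "raid5":
        return len(failed) <= 1
    if level == "raid6":
        return len(failed) <= 2
    if level not in ("raid0+1", "raid1+0"):
        raise ValueError(f"unknown level: {level}")
    if disks % 2:
        raise ValueError("mirrored stripe layouts need an even number of disks")
    half = disks // 2
    if level == "raid1+0":
        # Mirror pairs (0,1), (2,3), ... striped together: data is lost only
        # when both disks of the same pair fail.
        return all(not {2 * i, 2 * i + 1} <= failed for i in range(half))
    # raid0+1: stripe A = disks 0..half-1, stripe B = the rest, mirrored.
    # One failed disk takes its whole stripe offline, so at least one stripe
    # must be completely intact.
    stripe_a, stripe_b = set(range(half)), set(range(half, disks))
    return not (failed & stripe_a) or not (failed & stripe_b)

def survival_rate(level, disks, k):
    """Fraction of all k-disk failure combinations the array survives."""
    cases = list(combinations(range(disks), k))
    return sum(survives(level, disks, c) for c in cases) / len(cases)

def compare(disks=8, size_gb=250, max_failures=3):
    """Usable capacity and survival rates for 1..max_failures lost disks."""
    table = {}
    for level in ("raid5", "raid6", "raid0+1", "raid1+0"):
        rates = [round(survival_rate(level, disks, k), 3)
                 for k in range(1, max_failures + 1)]
        table[level] = (usable_gb(level, disks, size_gb), rates)
    return table

if __name__ == "__main__":
    print("four-disk 250 GB RAID 5 usable:", usable_gb("raid5", 4, 250), "GB")
    for level, (gb, rates) in compare().items():
        print(f"{level:8} usable={gb:5} GB  survival by failed disks 1..3: {rates}")
```

With eight disks, both mirrored-stripe variants give the same usable capacity, but RAID 1+0 survives 24 of the 28 possible two-disk failures while RAID 0+1 survives 12.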

Note that several of these types of RAID arrays may be suitable for your Exchange server. Which one, if any, should you use? The answer to that question depends entirely on how many mailboxes your servers are holding, how they're used, and other types of business needs. Beware of anyone who tries to give hard-and-fast answers such as “Always use RAID 5 for Exchange Server database volumes.” To determine the true answer, you need to go through a proper storage-sizing process, find out what your I/O and capacity requirements are really going to be, think about your data recovery needs and service-level agreements (SLAs), and then decide what storage configuration will meet those needs for you in a fashion you can afford. There are no magic bullets. Take a look at the Exchange Server Role Requirements Calculator, which provides good value for sizing for your Exchange environment, including storage. See https://gallery.technet.microsoft.com/office/Exchange-2013-Server-Role-f8a61780 for more information.

In every case, the RAID controller you use—the piece of hardware, plus drivers, that aggregates the individual disk volumes for you into a single pseudo-device that is presented to Windows—plays a key role. You can't just take a collection of disks, toss them into slots in your server, and go to town with RAID. You need to install extra drivers and management software, you need to take extra steps to configure your arrays before you can even use them in Windows, and you may even need to update your disaster-recovery procedures to ensure that you can always recover data from drives in a RAID array. Generally, you'll need to test whether you can move drives in one array between two controllers, even those from the same manufacturer; not all controllers support all options. After your server has melted down and your SLA is fast approaching is not a good time to find out that you needed to have a spare controller on hand.

If you choose the DAS route (whether JBOD or RAID), you'll need to think about how you're going to house the physical disks. Modern server cases don't leave a lot of extra room for disks; this is especially true of rack-mounted systems. Usually, this means you'll need some sort of external enclosure that hooks back into a physical bus on your server, such as SAS or eSATA disks. Make sure to give these enclosures suitable power and cooling; hard drives pull a lot of power and return it all eventually as heat. Also make sure that your drive backplanes (the physical connection points) and enclosures support hot-swap capability, where you can easily pull the drive and replace it without powering the system down. Keep a couple of spare drives and drive sleds on hand, too. Many enclosures support hot spares, which are disks that are installed in the enclosure but are not active until another drive fails. You don't want to have to schedule an outage of your Exchange server in order to replace a failed drive in a RAID 5 array, letting all your users enjoy the performance hit of a thrashing RAID volume because the array is in degraded mode until the replacement drives arrive.

RAID Controllers Are Not All Created Equal

Beware! Not all kinds of RAID are created equal. Before you spend a lot of time
trying to figure out which configuration to choose, first think about your RAID
controller. There are three kinds of them, and unlike RAID configurations, it's
pretty easy to determine which kind you need for Exchange Server:

Software RAID: Software RAID avoids the whole problem of having a RAID
controller by performing all the magic in the operating system software. If you
convert your disk to dynamic volumes, you can do RAID 0, RAID 1, and RAID
5 (known as Simple, Mirror, or Parity storage layouts) natively in Windows
Server 2012 R2 without any extra hardware. However, Microsoft strongly
recommends that you not do this with Exchange Server, and the Exchange
Server community echoes that recommendation. It takes extra memory and
processing power, and it inevitably slows your disks down from what you
could get with a simple investment in good hardware. You will also not be able
to support higher levels of I/O load with this configuration, in our experience.

BIOS RAID: BIOS RAID attempts to provide “cheap” RAID by putting some
code for RAID in the RAID chipset, which is then placed either directly on the
motherboard (common in workstation-grade and low-end server
configurations) or on an inexpensive add-in card. The dirty little secret is that
the RAID chipset isn't really doing the RAID operations in hardware; again it's
all happening in software, this time in the associated Windows driver (which
is written by the vendor) rather than an official Windows subsystem. If you're
about to purchase a RAID controller card for a price that seems too good to be
true, it's probably one of these cards. These RAID controllers tend to have
fewer ports, which limits their overall utility. Although you can get Exchange
Server to work with them, you can do so only with a very low number of users.
Otherwise, you'll quickly hit the limits these cards have and stress your
storage system. Just avoid them; the time you save will more than make up for
the up-front price savings.

Hardware RAID: This is the only kind of RAID you should even be thinking
about for your Exchange servers. This means good-quality, high-end cards that
come from reputable manufacturers that have taken the time to get the
product on the Windows Hardware Compatibility List (HCL). These cards do a
lot of the work for your system, removing the CPU overhead of parity
calculations from the main processors, and they are worth every penny you
pay for them. Better yet, they'll be able to handle the load your Exchange
servers and users throw at them.

If you can't tell whether a given controller you're eyeing is BIOS or true hardware
RAID, get help. Lots of forums and websites on the Internet will help you sort out
which hardware to get and which to avoid. While you're at it, spring a few extra
bucks for good, reliable disks. We cannot stress enough the importance of not
cutting corners on your Exchange Server storage system; although Exchange
Server 2016 gives you a lot more room for designing storage and brings back
options you may not have had before, you still need to buy the best components
that you can to make up the designed storage system. The time and long-term
costs you save will be your own.

Storage Area Networks

Initial SAN solutions used fiber-optic connections to provide the necessary bandwidth
for storage operations. As a result, these systems were incredibly expensive and were
used only by organizations with deep pockets. The advent of Gigabit Ethernet over
copper and new storage bus technologies, such as SATA and SAS, has moved the cost
of SANs down into the realm where midsized companies can now afford both the
sticker price and the resource training to become competent with these new
technologies.

Over time, many vendors have begun to offer SAN solutions that are affordable even
for small companies. The main reason they've been able to do so is the iSCSI protocol:
block-based file access routed over TCP/IP connections. Add iSCSI with ubiquitous
Gigabit Ethernet hardware, and SAN deployments have become a lot more common.

Clustering and high-availability concerns are the other factors in the growth of
Exchange Server/SAN deployments. Exchange Server 2003 supported clustered
configurations but required the cluster nodes to have a shared storage solution. As a
result, any organization that wanted to deploy an Exchange Server cluster needed
some sort of SAN solution (apart from the handful of people who stuck with shared
SCSI configurations). A SAN has a certain elegance to it; you simply create a virtual
slice of drive space for Exchange Server (called a LUN, or logical unit number), use
Fibre Channel or iSCSI (and corresponding drivers) to present it to the Exchange
server, and away you go. Even with Exchange Server 2007—which was reengineered
with an eye toward making DAS a supportable choice for Exchange Server storage in
specific CCR and SCR configurations—many organizations still found that using a SAN
for Exchange Server storage was the best answer for their various business
requirements. By this time, management had seen the benefits of centralized storage
management and wanted to ensure that Exchange Server deployments were part of
the big plan.

However, SAN solutions don't fix all problems, even with (usually because of) their
price tag. Often, SANs make your environment even more complex and difficult to
support. Because SANs cost so much, there is often a strong drive to use the SAN for
all storage and make full use of every last free block of space. The cost per gigabyte of
storage for a SAN can be between 3 and 10 times as expensive as DAS disks.
Unfortunately, Exchange Server's I/O characteristics are very different than those of
just about any other application, and few dedicated SAN administrators really know
how to properly allocate disk space for Exchange Server:

SAN administrators do not usually understand that total disk space is only one
component of Exchange Server performance. For day-to-day operations, it is far
more important to ensure enough performance. Traditionally, this is delivered by
using lots of physical disks (commonly referred to as “spindles”) to increase the
amount of simultaneous read/write operations supported. It is important to make
sure the SAN solution provides enough performance, not just free disk space, or
Exchange Server will crawl.

Even if you can convince them to configure LUNs spread across enough disks, SAN
administrators immediately want to reclaim that wasted space. As a result, you end
up sharing the same spindles between Exchange Server and some other application
with its own performance curve, and then suddenly you have extremely noticeable
but hard-to-diagnose performance issues with your Exchange servers. Shared
spindles will crater Exchange Server performance.

Although some SAN vendors have put a lot of time and effort into understanding
Exchange Server and its I/O needs so that their salespeople and certified
consultants can help you deploy Exchange Server on their products properly, not
everyone does the same. Many vendors will shrug off performance concerns by
telling you about their extensive write caching and how good write caching will
smooth out any performance issues. Their argument is true—up to a point. A cache
can help isolate Exchange Server from the effects of transient I/O events, but it
won't help you come Monday morning when all your users are logging in and the
SQL Server databases that share your spindles are churning through extra
operations.

The moral of the story is simple: don't believe that you need to have a SAN. This is
especially true with Exchange Server 2016; there have been a lot of under-the-hood
changes to the mailbox database storage to ensure that more companies can deploy a
7200 RPM SATA JBOD configuration and be able to get good performance and
reliability from that system, especially when you are using database availability groups
and multiple copies of your data.

If you do find that a SAN provides the best value for your organization, get the best
one you can afford. Make sure that your vendors know Exchange Server storage inside
and out; if possible, get them to put you in contact with their on-staff Exchange Server
specialists. Have them work with your SAN administrators to come up with a storage
configuration that meets your real Exchange Server needs.

We'll go into more details about Exchange Server storage in Chapter 19, “Creating and
Managing Mailbox Databases.”

Compliance and Governance

Quite simply, today's legal system considers email to be an official form of business
communication just like written memos. This means that any type of legal
requirement or legal action against your organization (regarding business records)
will undoubtedly include email. Unless you work in a specific vertical market, such as
healthcare or finance, the emergence of compliance and governance as topics of
import to the messaging administrator is a relatively recent event. The difference
between compliance and governance can be summarized simply:

Governance is the process of defining and enforcing policies, while compliance is
the process of ensuring that you meet external requirements.

However, both of these goals share a lot of common ground:

They require thorough planning to implement, based on a detailed understanding of what behaviors are allowed, required, or forbidden.
Though they require technical controls to ensure implementation, they are at heart about people and processes.
They require effective monitoring in order to audit the effectiveness of the compliance and governance measures.

In short, they require all the same things you need in order to effectively manage your
messaging data. As a result, there's a useful framework you can use to evaluate your
compliance and governance needs: Discovery, Compliance, Archival, and Retention,
also known as the DCAR framework.

DCAR recognizes four key pillars of activity, each historically viewed as a separate task
for messaging administrators. However, all four pillars involve the same mechanisms,
people, and policies; all four in fact are overlapping facets of messaging data
management. These four pillars are described in the following list:

Discovery: Finding messages in the system quickly and accurately, whether for
litigation, auditing, or other needs. There are generally two silos of discovery:
personal discovery, allowing users to find and monitor the messages they send and
receive, and organizational discovery, which encompasses the traditional
litigation or auditing activities most messaging administrators think about. It
requires the following:
Good storage design to handle the additional overhead of discovery actions
The accurate and thorough indexing of all messaging data that enters the Exchange Server organization through any means
Control over the ability of users to move data into and out of the messaging system through mechanisms such as personal folders (PSTs)
Control of the user's ability to delete data that may be required by litigation

Compliance: Meeting all legal, regulatory, and governance requirements, whether
derived from external or internal drivers. Although many of the technologies used
for compliance also look similar to those used by individual users for mailbox
management, compliance happens more at the organization level (even if not all
populations within the organization are subject to the same regimes). It requires
the following:
Clear guidance on which behaviors are allowed, required, or prohibited, as well as a clear description of which will be enforced through technical means
The means to enforce required behavior, prevent disallowed behavior, and audit for the success or failure of these means
The ability to control and view all messaging data that enters the Exchange Server organization through any means

Archival: The ability to preserve the messaging data that will be required for
future operations, including governance tasks. Like discovery, archival happens on
two broad levels: the user archive is a personal solution that allows individual
users to retain and reuse historical personal messaging data relevant to their job
function, while the business archive is aimed at providing immutable
organization-wide benefits such as storage reduction, eDiscovery, and knowledge
retention. It requires the following:
Clear guidance on which data must be preserved and a clear description of procedural and technical measures that will be used to enforce archival
The accurate and thorough indexing of all messaging data that enters the Exchange Server organization through any means
Control over the ability of users to move data into and out of the messaging system through mechanisms such as personal folders

Retention: The ability to identify data that can be safely removed without adverse
impact (whether immediate or delayed) on the business. Although many retention
mechanisms are defined and maintained centrally in the organization, it is not
uncommon for many implementations to either depend on voluntary user activity
for compliance or allow users to easily define stricter or looser retention policies
for their own data. It requires the following:
Clear guidance on which data is safe to remove and a clear description of the timeframes and technical measures that will be used to enforce removal
The accurate identification of all messaging data that enters the Exchange Server organization through any means
Control over the ability of users to move data into and out of the messaging system through mechanisms, such as personal folders

If many of these requirements look the same, good; that emphasizes that these
activities are all merely different parts of the same overall goal. You should be
realizing that these activities are not things you do with your messaging system so
much as they are activities that you perform while managing your messaging system.
The distinction is subtle but important; knowing your requirements helps make the
difference between designing and deploying a system that can be easily adapted to
meet your needs and one that you will constantly have to fight. Some of these
activities will require the addition of third-party solutions, even for Exchange Server
2016, which includes more DCAR functionality out of the box than any other previous
version of Exchange Server.

What makes this space interesting is that many of these functions are being filled by a
variety of solutions, including both on-premises and hosted solutions, often at a
competitive price. Also interesting is the tension between Microsoft's view of how to
manage messaging data in the Exchange Server organization versus the defined needs
of many organizations to control information across multiple applications. More than
ever, no solution will be one-size-fits-all; before accepting any vendor's assurance that
their product will meet your needs, first make sure that you understand the precise
problems you're trying to solve (instead of just the set of technology buzzwords that
you may have been told will be your magic bullet) and know how their functionality
will address the real needs.

Where Journaling Fits into DCAR

In our discussion of DCAR, we deliberately left out a common keyword that you
inevitably hear about. Journaling is a common technology that gets mentioned
whenever compliance, archival, and discovery are discussed. However, it often
gets over-discussed. Journaling is not the end goal; it's simply a mechanism for
getting data out of Exchange Server into some other system that provides the
specific function that you really want or need.

Very simply, journaling allows Exchange Server administrators to designate a
subset of messaging data that will automatically be duplicated into a journal
report and sent to a third party—another mailbox in the Exchange Server
organization, a stand-alone system in the organization, or even an external
recipient, such as a hosted archival service. The journal report includes not only
the exact, unaltered text of the original message but also additional details that
the senders and recipients may not know, such as any BCC recipients, the specific
SMTP envelope information used, or the full membership list and recipient
distribution lists (as they existed at the time of message receipt). These reports
are commonly used for one of two purposes: to capture data into some other
system for archival or to provide a historical record for compliance purposes.

We don't know a single Exchange Server administrator who has ever come up to
us and said, “I want to journal my data.” Instead, they say, “I need to archive my
data and I have to use journaling to get it to my archival solution.” Journaling
isn't the end goal; it's the means to the end. If journaling is a potential concern for
you, you should stop and ask yourself why:

What information am I trying to journal?
What do I want the journaled information for?
Perhaps most important, what am I going to do with the journaled information?

Understanding why you need journaling will give you the background you need to
effectively design your Exchange Server organization, journaling requirements,
and appropriate add-on applications and hosted solutions. It will also help you
identify when journaling may not be the answer you need to solve the particular
business problems you're facing.

You should also understand the impact that journaling will have on your system,
as well as know what limitations journaling has. There are certain types of data
that never get journaled, and if you need that data, you'll have to at a minimum
supplement your solution with something that captures that data.

We will discuss Exchange Server 2016's journaling and archiving features in
greater detail in Chapter 23, “Managing Transport, Data Loss Prevention, and
Journaling Rules.” For now, just be aware that they are merely tools that help you
solve some other problem.

The Bottom Line

Distinguish between availability, backup and recovery, and disaster
recovery. When it comes to keeping your Exchange Server 2016 deployment
healthy, you have a lot of options provided out of the box. Knowing which
problems they solve is critical to deploying them correctly.

Master It: You have been asked to select a backup type that will back up all
data once per week but on a daily basis will ensure that the server does not run
out of transaction log disk space.

Determine the best option for disaster recovery. When creating your
disaster-recovery plans for Exchange Server 2016, you have a variety of options to
choose from. Exchange Server 2016 further enhances the built-in capabilities to
provide disaster recovery.

Master It: What are the different types of disaster recovery?

Distinguish between the different types of availability meant by the term
high availability. The term high availability means different things to different
people. When you design and deploy your Exchange Server 2016 solution, you
need to be confident that everyone is designing for the same goals.

Master It: What four types of availability are there?

Implement the four pillars of compliance and governance activities.
Ensuring that your Exchange Server 2016 organization meets your regular
operational needs means thinking about the topics of compliance and governance
within your organization.

Master It: What are the four pillars of compliance and governance as applied to
a messaging system?

Chapter 4
Virtualizing Exchange Server 2016

Virtualization started as a technique for making better use of mainframe computer
resources, but in the mid-2000s, it made the jump to servers in the datacenter. While
some organizations dabbled with virtualizing Exchange Server 2003 and 2007,
Exchange Server virtualization matured with Exchange Server 2010 and Exchange
Server 2013. In this chapter, we will discuss virtualizing Microsoft Exchange Server
2016.

IN THIS CHAPTER, YOU WILL LEARN TO:
Evaluate the possible virtualization impacts
Evaluate the existing Exchange environment
Determine roles and scenarios to virtualize

Virtualization Overview

It is important to be clear about what kind of virtualization is under discussion. The
modern datacenter offers a number of virtualization strategies and technologies:
platform virtualization, storage virtualization, network virtualization, and desktop
virtualization. Although all of these can affect an Exchange deployment, Exchange
virtualization usually refers to platform virtualization, also known as hardware or
host virtualization. Platform virtualization gives you the ability to create multiple
independent instances of operating systems on a single physical server. These virtual
instances are treated as separate servers by the operating system but are assigned
physical resources from the host system. The administrator configures the required
amount of physical resources for each virtual machine. Here are some of the
resources you can manage and present to your virtual machines:

CPU sockets and cores
RAM
Storage interfaces
Number and type of hard drives
Network interface cards

Platform virtualization is one of the key technologies in the current datacenter trends
to reduce power and cooling costs, and deploy private cloud implementations. There
are several types of platform virtualization, but the type used for Exchange is
hardware-assisted virtualization, which uses a hypervisor to manage the physical
host resources while minimizing the overhead of the virtualization solution.
Depending on the solution used, the hypervisor can either be a full server operating
system or a stripped-down minimalist kernel. Hypervisors do not provide emulation;
the guest virtual machines provide the same processor architecture as the host server
does. Modern hypervisors rely on specific instruction sets in the hardware processors
designed to increase performance for virtual machines while decreasing hypervisor
overhead.

There are compelling reasons to consider virtualization for your infrastructure,
although not all situations or applications lend themselves equally to a positive
virtualization experience. Some of these reasons will be covered a bit later in the
chapter. You may even encounter both positive and negative experiences.

Technology continues to evolve, and we have seen great strides taken in the
virtualization world over the past few years. Although there are multiple vendors in
the virtualization game, VMware and Microsoft are at the top of the pile for
virtualizing Exchange. These solutions provide the most rigorous and detailed
guidance for successfully deploying Exchange on their virtualization solutions. Figure
4.1 gives a virtualization overview.

Figure 4.1 A look at virtualization

Terminology

Table 4.1 contains terms you need to be familiar with as you move through this
chapter and the virtualization world.

Table 4.1 Virtualization Terms

Term: Definition

Virtualization host, Host, Root, Parent: The physical server that is running the
virtualization product. This is the computer that is sharing its physical resources to
its virtual machines.

Guest, virtual machine: Virtual machine running a supported OS and using the
resources provided by the virtualization host.

Database availability group (DAG): A group of Mailbox servers that host a set of
databases and provide automatic database-level recovery from failures.

Pass-through disk, Raw disk mapping (RDM): Virtual hard disks that are directly
linked to unformatted volumes on the host server, whether on local disks or some
sort of storage array. These disks hold the operating system, applications, and other
data for the virtual machine.

Virtual hard disk (VHD): Virtual hard disks that are stored as files on a formatted
volume on the host server, whether on local disks or some sort of storage array.
These disks hold the operating system, applications, and other data for the virtual
machine. Files can use the .vhd format or the newer .vhdx format.

Fixed VHD: A VHD whose underlying file on the host storage occupies its maximum
size. For example, a 100 GB fixed disk with only 25 GB used in the guest will still use
100 GB on the host storage.

Dynamic VHD: A VHD whose underlying file on host storage occupies only the
amount of space used in the guest. For example, a 100 GB dynamic VHD that is only
25 percent used in the guest will use only 25 GB on the host storage. There is a
performance hit as the disk grows, and dynamic VHDs can be extremely fragmented
even when the logical structure inside the disk seems to be defragmented.

Differencing VHD: A multiple-part VHD, with a read-only fixed or dynamic VHD as
the baseline and a second VHD for all writes. New or updated disk blocks are written
to the differencing VHD, not to the baseline VHD. Any changes can be rolled back to
a previous state, and a baseline VHD can be used with many different differencing
VHDs. These disks have significant performance penalties, for the increased level of
I/O abstraction and CPU, as well as for the fragmentation in the differencing VHD
file.

Understanding Virtualized Exchange

Exchange Server 2003 was the first version of Exchange that Microsoft officially
supported under virtualization, although that support came late in the product's
lifetime. Although customers had been virtualizing Exchange under VMware products
for years, Microsoft's official support permitted Exchange Server 2003 to be run only
under Microsoft's own Virtual Server product.

In 2008, Microsoft announced their new Server Virtualization Validation Program
(SVVP). This program provides a central mechanism for on-premises and hosted
virtualization providers to get their solutions validated in specific configurations. The
SVVP allows Windows customers to get official Microsoft support for virtualized
Windows servers and applications that are running on SVVP-certified virtualization
configurations. Later the same year, Microsoft released their virtualization support
statement for Exchange Server 2007 SP1 and later versions, building off of the
baseline provided by the SVVP. This moved Exchange into the mainstream for
applications that could take advantage of the benefits of virtualization.

Microsoft's support guidelines for virtualizing Exchange Server 2007 and Exchange
Server 2010 have undergone many changes. Under the terms of the SVVP, Windows
Server 2008 SP2 and Windows Server 2008 R2 were the only operating systems
supported for virtual Exchange Server 2007 and 2010 deployments. Initially, the
Unified Messaging role was not supported under virtualization, but an updated media
component was introduced in Exchange Server 2010 SP1. At the same time, Microsoft
relaxed some of their restrictions on the use of hypervisor availability features with
Exchange. Now, with Exchange Server 2013 and Exchange Server 2016, a lot of the
guidance for previous versions no longer applies because of the changes in service
architecture. Now, besides using Hyper-V as the hypervisor for virtualizing Exchange
Server, you can also use VMware's hypervisors or Citrix XenServer because they
adhere to the SVVP. This expanded support of Exchange Server even extends to the
cloud with Microsoft Azure. You can virtualize Exchange Server 2016 in Microsoft
Azure.

The support for Exchange is a constantly evolving story, especially after Cumulative
Update packs are released. When in doubt, visit
http://technet.microsoft.com/en-us/library/jj619301.aspx to view the latest version of
Microsoft's guidelines and recommendations for virtualizing Exchange Server 2016.
The virtualized instances of Exchange must still meet the Exchange prerequisites.

Microsoft Requirements and Recommendations

Make sure you have read and are familiar with the “Exchange 2016 Virtualization”
article at:
http://technet.microsoft.com/en-us/library/jj619301.aspx

The following hypervisor technologies are unsupported for use in your production
Exchange Server 2016 servers:

The use of hypervisors or hosting platforms that are not on the SVVP
The use of file-level protocols (Network File System or Server Message Block—NFS or SMB) for storage pools used for Exchange VHDs or partitions
Deploying on Azure virtual machines that use storage other than Azure Premium Storage
Hypervisor snapshots of the Exchange virtual machines
Differencing VHDs
Host-based clustering and migration technologies that rely on saving Exchange virtual machine memory state to disk files
Virtual-to-logical processor ratios greater than 2:1
Dynamic memory or overcommitting of memory
Any applications other than management software running on the hypervisor host

There is one exciting change in these requirements involving the SMB 3.0
protocol, which is new in Windows Server 2012 and other modern storage
solutions that license this protocol. Under SMB 3.0 (and SMB 3.0 only), you can
configure your hypervisor environment to mount SMB 3.0 file shares and store
fixed-length virtual hard drive files on those mounts; these virtual hard drives can
then be used to store Exchange data. In this configuration, the new features of
SMB 3.0 help ensure that the specific type and order of Exchange data writes are
preserved all the way to the physical disks, removing the typical risk of data loss
or corruption that is present when using other file-based protocols.

This change helps simplify storage requirements for virtual Exchange Server
deployments, but only if all of the following conditions are met:

Both the client (the hypervisor) and the storage solution (SAN, Windows Server 2012 server, or other device) support the SMB 3.0 protocol and are configured to use it.
Neither the client nor the storage solution is configured to fall back to an earlier version of SMB.
The SMB 3.0 file share is mounted by the hypervisor systems and not directly by the Exchange server.
The Exchange data is stored on fixed-length (full-size) virtual hard drive files on the SMB 3.0 mount.
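
Several items in the unsupported list and the SMB 3.0 conditions above can be audited directly on a Hyper-V host. The script below is an added example, not code from the book or from Microsoft; it uses the Hyper-V and SmbShare PowerShell modules, and the EXCH* guest name pattern, the function names, and counting the processor ratio across running guests are assumptions.

```powershell
#Requires -Modules Hyper-V
# Added example: run in an elevated session on the Hyper-V host itself.
# ASSUMPTION: Exchange guests follow a hypothetical 'EXCH*' naming convention.

function New-Finding {
    param([string]$Target, [string]$Check, [string]$Detail)
    [pscustomobject]@{ Target = $Target; Check = $Check; Detail = $Detail }
}

function Test-ExchangeGuestSupport {
    param([string]$VMNamePattern = 'EXCH*')

    $vmHost = Get-VMHost
    $allVMs = @(Get-VM)

    # Virtual-to-logical processor ratios greater than 2:1 are unsupported.
    # ASSUMPTION: the ratio is counted across all running guests on this host.
    [int]$vcpus = ($allVMs | Where-Object { $_.State -eq 'Running' } |
        Measure-Object -Property ProcessorCount -Sum).Sum
    $ratio = [math]::Round($vcpus / $vmHost.LogicalProcessorCount, 2)
    if ($ratio -gt 2) {
        New-Finding $env:COMPUTERNAME 'ProcessorRatio' `
            "$vcpus vCPUs on $($vmHost.LogicalProcessorCount) logical processors (${ratio}:1)"
    }

    $exchangeVMs = @($allVMs | Where-Object { $_.Name -like $VMNamePattern })
    foreach ($vm in $exchangeVMs) {

        # Dynamic memory is unsupported for Exchange guests.
        if ($vm.DynamicMemoryEnabled) {
            New-Finding $vm.Name 'DynamicMemory' 'Dynamic memory is enabled'
        }

        # Hypervisor snapshots of Exchange guests are unsupported.
        $snapshots = @(Get-VMSnapshot -VM $vm)
        if ($snapshots.Count -gt 0) {
            New-Finding $vm.Name 'Snapshot' "$($snapshots.Count) hypervisor snapshot(s) exist"
        }

        foreach ($drive in Get-VMHardDiskDrive -VM $vm) {
            # Pass-through disks have no VHD file behind them; nothing to inspect.
            if ($null -ne $drive.DiskNumber) { continue }

            $vhd = Get-VHD -Path $drive.Path
            if ($vhd.VhdType -eq 'Differencing') {
                New-Finding $vm.Name 'DifferencingVHD' $drive.Path
            }

            # A UNC path means file-level (SMB) storage: the VHD must be
            # fixed-length and the share must be reached over SMB 3.0 or later.
            if ($drive.Path.StartsWith('\\')) {
                if ($vhd.VhdType -ne 'Fixed') {
                    New-Finding $vm.Name 'SmbVhdNotFixed' "$($vhd.VhdType) VHD at $($drive.Path)"
                }
                $server = $drive.Path.Split('\')[2]
                $connections = @(Get-SmbConnection -ServerName $server -ErrorAction SilentlyContinue)
                if ($connections.Count -eq 0) {
                    New-Finding $vm.Name 'SmbDialect' "No active SMB connection to $server; dialect not verified"
                }
                foreach ($connection in $connections) {
                    if ([version]$connection.Dialect -lt [version]'3.0') {
                        New-Finding $vm.Name 'SmbDialect' `
                            "\\$server\$($connection.ShareName) negotiated SMB $($connection.Dialect)"
                    }
                }
            }
        }
    }
}

Test-ExchangeGuestSupport | Format-Table -AutoSize -Wrap
```

An empty result means none of these checks fired; it does not cover the remaining list items (SVVP listing, Azure storage tier, saved-state migration, other applications on the host), which still need to be reviewed by hand.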

Understanding Your Exchange Environment

Before virtualizing your Exchange environment, you must define your current
environment. The better you understand your environment, the more prepared you
will be to define the virtualized environment. Here is some of the information you
need to gather:

Number of users
User profiles
Number of messages sent/received per day, per user
Server CPU utilization
Server memory utilization
Server network utilization
Database sizes
Storage patterns
Storage type
Current high-availability model
Concurrently connected users
Number and types of clients accessing the system
Exchange connectors
Administration model

As you gather this information, you will be painting a picture of your Exchange
environment. This information will be placed into various calculations throughout the
process to ensure that you have done a complete evaluation before moving forward
with virtualization. This information will have a significant impact on the Exchange
system moving forward.

Each bit of the information you gather will add another piece to the puzzle. As you put
the puzzle together, you will have a good idea whether virtualization will meet your
needs. You also will be able to validate whether you will get the performance from the
virtualized environment that your users require. Later in the book, we look more
closely at sizing and how the Exchange Role Requirements Calculator can be a tool to
help.

Effects of Virtualization

The popularity of virtualization in the datacenter is due to the many benefits it brings,
both tangible and intangible. However, not all applications are created equal. While
virtualizing Exchange Server is technically possible, there are a number of additional
impacts and issues that you should consider.

Environmental Impact

For most organizations, the environmental impact is one of the major driving factors
behind virtualization initiatives. The concept is simple: reduce the number of servers
and reduce the amount of power. Active servers consume electricity and convert it to
heat, indirectly consuming more electricity in the form of cooling systems.
Consolidating underutilized servers and replacing older servers with less-efficient
hardware can result in a significant amount of saved power. This number is a
completely fluid number and is dependent on the environment that you want to
virtualize. An organization with 100 servers will see a much different impact than a
company with only 15 servers. However, an organization with 100 lightly loaded
servers will likewise see a much different impact than a company with 100 heavily
loaded servers.

Space Impact

Environmental impact is important, but server consolidation has an impact that may
not be as immediately obvious: reduced rack space in the server room or datacenter.
Not all organizations will feel this impact, depending on their choice of host hardware.
Organizations that pay for server hosting in a separate facility may find that paying
attention to this area of impact can result in additional cost savings. These savings
may include the following basic costs associated with hosting:

Rack mounting space for the physical servers
Power
Network connectivity
Cooling

There may also be optional costs associated with your servers, such as the following:

Monitoring of the hardware
Additional firewall capabilities
Out-of-band access to the servers

By deploying powerful physical hardware running a hypervisor environment, you can
increase your physical hosting costs in a predictable, building-block fashion, build
virtual application servers without having to visit the datacenter, and still provide cost
efficiency. Depending on the workload of the servers before you virtualized them, you
may need to deploy larger servers, which may increase the per-server cost for the
space. Be sure to do the math before deciding that this approach will save you money.

Complexity Impact

Many savings estimates overlook the additional complexity that a virtualized
environment can bring to the table. Depending on the level of availability required, the
additional host servers and networking gear required to provide clustering and spare
capacity—as well as the higher class of hardware to provide redundant components
within the host servers—can whittle away the initial estimated savings.

Once the virtual servers are deployed, complexity almost always strikes in the
operational processes and technical operational skills of your staff. Having the
additional hypervisor layers in the networking, storage, and server stack can drive up
the time involved in keeping virtual Exchange Server 2016 servers operating. The
additional layers of dependency can also bring down the expected SLAs for the
Exchange services in the event of an outage and lengthen the time it takes to
troubleshoot problems.

Virtual Exchange deployments can also be bitten by the complexity bug when the
designs do not adequately consider failure domains. Consider the impact of a failure
of a host server and the corresponding virtual machines. Consider also the specific
hypervisor features that cannot be used with Exchange, such as differencing disks,
hypervisor snapshots, or file-level storage; determine the impact on the organization if
those features are used with Exchange virtual machines and there is a problem. What
features of Exchange, such as native data protection, are you going to be unable or less
likely to use in a virtual deployment without offsetting the projected cost savings? Are
these risks high enough to offset the value of virtualizing Exchange?

Additional Considerations

One of the ways companies are saving money is by virtualizing underused servers. By
doing this, they reduce the power and cooling footprints that we have talked about. An
underused server is thought to use less than 20 percent of its physical hardware. If
your current Exchange environment has been sized properly, Exchange servers should
not fall into the underused category.

This does not mean that you will not benefit from virtualizing Exchange; you need to
do your research. For a good background on the impact virtualization can have, check
out the white paper, “Comparing the Power Utilization of Native and Virtual Exchange
Environments,” available at http://technet.microsoft.com/en-us/library/dd901773.aspx.
It was written for Exchange Server 2007, but the
information is still applicable. The study shows a reduction of 50 percent in power
utilization for the servers used in the study. The total power reduction for the servers
and storage was between 34 and 37 percent, depending on the storage solution.

Are My Exchange Servers Underutilized?

With stand-alone Exchange Server 2016 servers, the process to determine
utilization is relatively simple: first, establish a baseline performance set by
running the Windows Performance Monitor (PerfMon) for at least a week using a
combination of common counters for processor, memory, disk, and network
resources. Once this baseline is established, you can use it to compare current
performance levels when experiencing issues to identify notable areas of change.

At the time of this writing, no specific performance guidance has been published
for Exchange Server 2016, but at some point Microsoft will likely provide specific
counter and threshold guidance. Until then, use a combination of the counters for
an Exchange Server 2013 multirole server combined with some common sense
and healthy skepticism to establish your current server baseline. If any specific
counter (other than RAM) averages above 60 percent utilization or has frequent
spikes above that threshold, the server may be undersized or misconfigured.

One point to keep in mind is that DAG-member Mailbox servers in a
load-balancing pool can't be directly measured. To ensure you accurately measure the
load on these servers, take your measurements while they are running at the
designed and expected maximum load. If your DAG is designed to lose two
servers, then simulate the loss of two servers to perform your baseline
measurement.

Hypervisor and storage vendors usually give specific guidance for virtualizing
Exchange. Make sure you obtain, read, and understand this guidance to ensure
that your virtual Exchange deployment will be successful throughout its life.
Virtualization Requirements
Just as with any software you deploy, there are hardware and software requirements
that you need to meet when you virtualize.
Hardware Requirements
For the modern virtualization technologies, make sure that your hardware supports
the proper level of virtualization. Most of the current market-leading servers do have
the proper BIOS, motherboard, and CPU support, but older models may not support
the specific CPU extensions or technologies required by the hypervisors you will need
to run Exchange Server 2016 on Windows Server 2012 or Windows Server 2012 R2. If
you are building a server from scratch, review the hardware requirements for the
hypervisor you will be using to make sure the server you are building will perform the
way you intend it to perform. Also make sure that you follow the reference processor
and memory recommendations and server ratios that are posted on TechNet. These
guidelines should always be your first stop for planning, along with the Exchange
Server Role Requirements Calculator.
Know which servers will be virtualized. You will find that there are different
pitfalls for the virtualization host than what you normally see with physical
servers. Because you will be sharing the virtualization host's physical resources,
make sure that you have an idea what servers will be virtualized on the host, as
well as what spare capacity the host will be expected to have and what virtual
machines will be added to the workload during maintenance or outage. This will
allow you to verify that you have enough RAM, processors, and network
connections. Gather the physical requirements of each confirmed and provisional
guest. Knowing what your guest virtual machines will need before you enter the
planning stages for virtualization will put you in a better position for success.
Plan based on system resources. No matter what workloads or how many
servers you will be virtualizing, you need to plan. The virtualization host will
require resources before the virtual machines are even started. Once you have
started the virtual machines, your resources can deplete very quickly. Make sure
that you have enough system resources to go around and that you have some
breathing room.
Plan for your virtualization hosts to consume a CPU overhead of 9 to 12 percent.
This will differ from installation to installation, but it is a good number to use
when sizing your equipment and laying out your virtual machines. Try to validate
your configuration in a lab (or by configuring your production hardware as a lab)
before moving into production.
Plan based on storage requirements. Knowing which workloads will be
virtualized will also enable you to plan the proper storage for the virtual machines.
Storage is a major design point for virtualizing Exchange. Exchange Server 2016
continues the trend of I/O improvements that favor disk capacity over disk
performance. Virtual Exchange servers may have a significant amount of I/O
overhead, depending on the specific storage options you have chosen; pass-through
disks on local or iSCSI storage will have lower overhead than VHDs (.vhd
or .vhdx). Begin your storage design with the Exchange storage calculator and size
your storage appropriately; then use that as input for the calculators for your
virtualization and storage solutions to ensure that you're meeting all expectations.
Make sure that you have properly partitioned your storage. You don't want to have
spindle contention between your virtualization host OS and the storage for your
virtual machine OS or application data. For the majority of virtual workloads, you
should have the underlying storage in a RAID configuration. The level of RAID
that you choose is up to you and depends on the project requirements. However,
if you are taking the option of using direct-attached storage on your virtualization
host to provide storage for Exchange mailbox databases in a DAG and you plan to
take advantage of Exchange-native data protection, you may not need RAID.
When you are creating your virtual machine OS VHDs, or logical unit numbers
(LUNs), include enough space for operation of the virtual machine, including
space for updates, additional applications, and the page file. Use the following
calculation to determine the minimum VHD size that will be needed for the
virtual machine:
OS requirement + virtual machine RAM = minimum OS VHD size.
For normal
virtual workloads, the disk requirements should include space for the memory
state file (such as the .VSV and .BIN files used in Hyper-V during Quick Migration
and VM pause operations). However, Microsoft's support guidelines are very
emphatic: the use of disk-based memory states is not supported with virtual
Exchange servers.
Plan based on networking configuration. In addition to the storage-capacity
requirements, make sure you have the appropriate bandwidth for all your virtual
machines to access your storage subsystem. Exchange Server 2016 storage should
be fixed VHDs, pass-through, or iSCSI LUNs. Microsoft recommends that you use
pass-through disks or iSCSI LUNs to host the databases, transaction logs, and mail
queues.
Make sure you have planned your network bandwidth. You are going to be sharing
a limited number of physical network ports on your virtualization host with your
virtual machines. Depending on your virtual machine layout and requirements,
you will exhaust your physical network ports in short order.
You may end up needing to install multiple quad-port network interface cards
(NICs) to get the port density required to support your Exchange design. Keep in
mind that you may need several NICs per virtual machine. Depending on the role
of the server, there may be replication traffic as well as client traffic. For
virtualization hosts that will be hosting Exchange Mailbox servers in a DAG, the
replication NICs in the guests should not be bound to either of the following
physical NIC types in the host:
Any host NIC that connects to storage (such as iSCSI SANs)
The host NICs bound to the primary guest client NICs
If you use NIC teaming on the host to increase bandwidth or provide availability,
ensure that the teaming vendor supports the use of teamed NICs for virtualization
in general and guest virtual networks that will be used with Exchange Server in
particular.
Consider your physical server type. You are not locked into one type of
physical server for the virtualization host. You can use a standard server, or you
may choose to use blade servers. Blade servers require a bit more planning than
standard servers. Because you are sharing resources before you start your
virtualization, be sure you have carved out your disks, network traffic, and storage
traffic adequately.
Why Can't I Use NFS or SMB?
One of the most commonly violated support guidelines for virtual Exchange
deployments is the prohibition on file-level protocols in the storage stack. For
some hypervisor deployments, such as VMware, it is very common to use
network-attached storage or storage access networks (NAS or SAN storage) using
NFS to provide the data stores used to hold virtual machine drive files. Often, the
storage solution is entirely dedicated to the NFS partitions, and the entire virtual
environment provisioning process is automated around building out the virtual
machine disks (VMDKs). It's efficient, it's relatively inexpensive, and most
importantly it's already working. Having to reclaim storage space only to carve it
out as iSCSI LUNs or raw device mappings (RDMs) is a lot of work and will
require a complete overhaul of the associated backup routines. You're already
using VMDKs over NFS for all your other workloads. Why is it necessary to throw
this big wrench in the works?
The answer is simple: you're putting your data at risk by lying to Exchange.
In order to maximize performance and keep your data safe, the Exchange storage
engine has a very specific sequence of events for how it handles writes to disk. All
writes to the database first must be written out to a transaction log file, and the
updates to the various files and blocks have to happen in a very specific sequence
or database corruption and data loss results. To make sure this happens,
Exchange has to assume it's talking to the raw disk blocks; only by doing so can it
ensure that all the data and metadata gets written to the disk in the correct order
within the correct time frame. Block-level protocols (iSCSI, FC, SATA/SAS, etc.)
and pass-through disks can all make this guarantee. Even when write caching is in
the mix (and it should be, using a proper battery backing), the caching controller
is taking on the responsibility of ensuring the writes get committed to disk.
With file-level protocols, such as NFS and SMB (before SMB 3.0 when mounted
by the hypervisor host), you don't have those same commitments. That's not to
say that these protocols won't try to keep your data safe, because they do, but the
ways they do it—and the features they provide, such as file locking and caching
and disconnect time-outs—are very different than a block-level protocol would. As
a result, Exchange is relying on one set of behaviors because it thinks it's talking
to a physical disk, but by slipping NFS or SMB into the stack, you've silently
changed those behaviors. The translations between the two work most of the
time, but when they don't, the results can be amazingly destructive.
If you're going to deploy your Exchange VMs on file-level virtual hard disks, be
smart. You can use these solutions for the base operating-system partition, but
don't install Exchange on those drives. Instead, provision additional pass-through
drives, RDMs, or block-level LUNs for your Exchange databases, logs, and
binaries. Keep your Exchange data on volumes where it has a straight block-based
path all the way back to the spindles. The data (and job) you save will be your
own.
Software Requirements
Your software requirements for the host OS will differ depending on which hypervisor
you have decided to use. Check with your hypervisor provider to ensure that you have
all the required software before you begin. There are differences in the base OSs that
may preclude you from loading any hypervisor without a complete reload of the
server. Although this is not a huge deal, it is time-consuming, and if you purchased an
incorrect version, it is also expensive. Make sure that you know how many servers will
be virtualized on the host servers as well. This may have an impact on what version of
the OS you need to install to minimize the number of guest Windows licenses you
need to purchase. Make certain that you have completed the virtual machine
configuration before you start to load Exchange.
For the virtual machine, the software requirements and installation are
straightforward. Once you have made the initial configurations for the virtual
machine, load the appropriate Windows operating system for the designed Exchange
roles. There are no requirements from a virtualization perspective as to which version
of Windows you need to load as long as the version of hypervisor and Windows guest
(virtual machine) are validated on the SVVP list. The guest OS will be driven by the
business and technical requirements for the application and configuration you will be
deploying. This is where your requirements-gathering will guide you to the correct OS
and application versions.
In addition to the normal requirements for Exchange servers, ensure that the latest
hypervisor integration drivers are loaded. For Microsoft Hyper-V guests, the Hyper-V
integration components are part of the base Windows OS and service packs, although
if the version of Windows the Hyper-V hosts are running is newer than the version in
the guests, you may need to install the additional Hyper-V integration components.
The other hypervisor vendors all have their own integration components or guest
toolkits to load.
Regardless of which hypervisor you are using, it is critically important to keep your
guests up-to-date on the latest integration drivers. As your hosts are updated to newer
versions and patch levels, ensure that all of the guests on the host (or cluster) are
running the latest drivers before hosts are upgraded to the new version, especially if
not all of the virtualization hosts in the cluster will be upgraded at the same time.
Exchange can be extremely sensitive to mismatches between the integration drivers
and the host version, with catastrophic impacts to performance.
Operations
Operations include many factors, such as the patching and monitoring of the OS and
application, daily maintenance, and troubleshooting. A popular misconception is that
your operating costs will magically decrease when you start to virtualize, while your
uptime and service availability will frolic with unicorns and rainbows. The reality is
that without careful planning and the creation of mature processes, the chances are
good that your costs will actually increase, as will your downtime. The reason for this
mismatch between expectations and reality is that adding virtualization brings more
to the table than just the technology. To have a successful virtual Exchange
deployment, you need not only technology but also processes and personnel.
Virtualization technology is mature, but most virtualization guidance makes the
assumption that all applications are the same in terms of ignorance about the
underlying hardware. Over the years, Microsoft has gone to a lot of trouble to make
Exchange as reliable as it can and to ensure that if there is unavoidable data loss, it is
as small as possible. The friction between Exchange's assumptions about the hardware
stack and the widespread scalability best practices for virtual environments can create
a combination where Exchange is less reliable.
Balancing the virtual machines' needs against the host's resources and the users'
requirements can be a daunting task. Doing so for Exchange guests typically increases
the complexity by creating Exchange-specific technology challenges. These challenges
can all be solved at the technology level, but doing so requires additional
cross-training for your staff and specific exceptions in your virtualization processes and
policies.
The size of your IT organization and the number and location of servers will affect the
cost of operations. If you have enough staff to learn the virtualization technology,
there may not be a huge impact to the bottom line. If you don't have adequate staff,
you will most likely be looking for additional personnel to support your virtualization
efforts. When you virtualize your Exchange servers, you still have to take care of the
guest Windows installation and the Exchange application as well as the hypervisor
hosts and environment.
Virtual Exchange servers have 100 percent of the daily operational requirements that
physical Exchange servers do. You still have to test and patch your systems. You still
have systems that will experience issues, and you need to spend time troubleshooting.
On top of that, you now have added the hypervisor layer. This layer may or may not be
familiar to your support and engineering staff. You can't just reboot a virtualization
host because you feel that it is the best solution for a situation. You now have to
expand your thought process to include the Exchange servers that are virtualized on
that host and take these factors into consideration:
What Exchange services will be affected by shutting down this host?
Exchange virtual machines are on the virtualization host, but how will the users be
affected when they are shut down?
Do the affected services have a redundant nature?
Are the redundant services located on the same virtualization host or on a different
host? (If they are on the same virtualization host, are they really redundant?)
Deciding When to Virtualize
Deciding to virtualize is a big decision. It should not be taken lightly. Before you
embark on the road to virtualizing Exchange Server, you need to make sure it is right
for your organization. While every organization has slightly different requirements
and goals, the following list represents some of the common reasons that
organizations choose to virtualize Exchange Server:
Save money. While virtualization doesn't always save money (in fact, sometimes
it can cost more money than having physical servers), it can save money in many
environments, especially if an organization is virtualizing everything. Cost savings
are associated with power, cooling, datacenter space, and sometimes operating
system costs.
Adhere to your organization's common IT management platform. Many
organizations, especially large organizations, have a standardized set of IT
management platforms and processes to support their environment. Much work
has gone into developing the platforms and processes. Whenever a technology
doesn't adhere to the common IT management platform, support can become
inefficient, expensive, and prone to errors or downtime. If your organization has
virtualized the vast majority of your servers, it might make sense to virtualize
Exchange Server to take advantage of that investment in infrastructure and people.
Company mandate. A while back, we were working with a company that had a
mandate from the CIO. That mandate was to virtualize every server in the
datacenters. If you wanted an exception, you had to present a strong case for it—
and we mean really strong. Although such a mandate could come from costs or
other factors, the reason often doesn't matter. In such a case, you need to prepare
to virtualize!
These are just a few of the common reasons to virtualize. There are many others. As
the administrator, you need to weigh the options, examine the pros and cons, and
ultimately decide which route to take for your organization. If you decide to virtualize,
your next step is to decide what to virtualize, which we talk about next.
Deciding What to Virtualize
No matter how many Exchange servers you plan to virtualize, you must do your
research as you are planning the architecture for your environment. Plan your virtual
machines just as though they were physical servers. Then include the additional
overhead for the virtualization host. Make sure that you are thinking about the end
product that you will deliver to your users. Consider the possible differences between
the physical and virtualized environment. Will your user base be as happy with a
virtualized environment if it means a decrease in performance? If you set the
expectations, size the environment appropriately, and test appropriately, there
should be no noticeable difference for your end users.
As with any architecture, things that you do can make positive or negative impacts.
With Exchange Server 2007, Microsoft changed the Extensible Storage Engine (ESE)
to allow Exchange Server 2007 to utilize as much RAM as needed to cache as much
mailbox information as possible to drive down read I/O operations. In Exchange
Server 2007 and Exchange Server 2010, the Exchange ESE—a monolithic Information
Store process that handles all the databases on the server—uses all available physical
memory in the system for this cache. If your server has 16 GB of memory, you can
expect that ESE will consume roughly 14 GB of it until other processes need the
resources. At that point, Exchange will not let go of that memory but will instead allow
the operating system to place memory pages in the disk-based page file. With
Exchange Server 2013 and Exchange Server 2016, the ESE spawns a separate process
for each mailbox database on the server, completely changing how memory
management works.
Understanding how these changes affect the behavior of the Exchange server allows
you to properly plan and deploy virtual Exchange servers. You should know, for
example, that using popular techniques like memory over-allocation or dynamic
memory allocation would be a bad match for Exchange servers—and in fact, neither is
supported by Microsoft for Exchange. However, over-allocation of CPU resources is
supported up to a ratio of two virtual CPUs to every one physical CPU core (although
it is recommended to have one virtual CPU for each CPU core). When looking at
resource allocations, don't forget to plan for outages and ensure that having to move
Exchange virtual machines in an emergency won't bump these allocations over the
recommended numbers.
With Exchange Server 2013 and Exchange Server 2016, you can support mixing native
Exchange and hypervisor high-availability technologies, as long as you stay within the
Microsoft support boundaries. You can deploy Exchange DAGs on virtual clusters and
move active DAG members around using hypervisor migration technologies, as long
as you avoid using technologies that write the current memory state of the Exchange
guest to a disk-based file. These technologies are commonly used to enhance
availability and even disaster recovery at the hypervisor level without requiring the
virtual machine operating system or application to explicitly support them. These
technologies include the following:
Hyper-V's Live Migration and VMware's vMotion both transfer memory pages of
an active virtual machine from the source host to the target using a direct network
connection. These methods, and others like them on other SVVP-validated
hypervisors, are supported for use with virtual Exchange machines because they
ensure that the memory of the transitioned machines won't grow overly stale
compared with the other DAG members or cause the store caches to get out of sync
with the on-disk data. Be aware that many organizations opt to use Exchange
Server's native high availability features instead. This is because there can be
occasional issues after a live migration or vMotion.
Hyper-V's Quick Migration, and other technologies like it, is not supported. Quick
Migration writes the memory state to a disk-based file. This slows down the
transition and puts the virtual machine at risk of having a mismatch between the
machine memory and the state of the other DAG members or the database cache
and data on disk.
Virtual snapshots create a file-based dump of memory. If the machine is ever
rolled back to this snapshot, the on-disk database data will be severely out of date.
Permanent data loss could result. Using virtual snapshots, and rolling back
virtually, guarantees that you'll screw up your databases—and because Microsoft
doesn't support virtual snapshots and rollbacks, you'll be on your own to clean up
the mess.
Technologies that bring up a failed virtual machine on another host, such as
VMware's high availability, are supported as long as they bring up that new
instance from a cold boot. But think carefully about whether you really want a
failed Exchange server to come back up automatically without having a chance to
analyze what's going on with it. In the worst-case scenario, you could have an
Exchange server bouncing through the hosts in your virtual cluster, wreaking
havoc on them.
Technologies, such as VMware's Distributed Resources Scheduler and Hyper-V's
integration with the System Center suite, have the capability to dynamically move
virtual machines from one host to another to ensure resource utilization is
balanced or stays within thresholds. This is a good capability in principle, but
again, for Exchange servers this feature can create more problems than it solves.
You should never allow multiple DAG members to be active on the same host;
without careful management, these features can put your data at greater risk.
DAGs make it easier to plan for, configure, and maintain both high availability and
site resilience in the Exchange application. Because DAGs are application-aware, your
servers are always in control of any Exchange data. When in a DAG, the Exchange
servers are in constant communication about the status of a database in the DAG;
there should be minimal impact if a server or database goes down for any reason.
Many administrators believe that native Exchange technologies provide a more
effective, highly available Exchange environment compared to virtualization providing
high availability and/or disaster recovery.
Exchange Roles
Previous versions (and service packs) of Exchange Server limited the roles you could
virtualize. These limitations have been gone since Exchange Server 2013; you can
virtualize both the Mailbox and Edge Transport roles. Make sure to follow
common-sense best-practice guidelines:
Don't place two of the same role on the same virtualization host, especially
Mailbox servers in a DAG.
In a virtual cluster, leave a host or two free of Exchange guests so you have the
freedom to move Exchange virtual machines to respond to outages or emergencies.
When planning capacity, don't forget to account for the impact of losing an
Exchange guest. A Mailbox server that provides sufficient free headroom when the
entire DAG is up and running may tip the host over to processor or memory
overutilization when you take a DAG member down for patching.
Testing
As with any engineering effort, you need to make sure that you have a testing plan for
the virtualized guests and host. Your plan needs to include testing all your virtual
machines at the same time. One of the worst things you can do is to test only a single
server at a time. Instead, test as close to real-world operating conditions as possible.
Test the entire solution and not pieces of the solution. The solution should include
any third-party applications that are in the environment, as well. Anything that you
leave out of the testing cycle could come back to haunt you when you move to
production.
Use the Microsoft Exchange–specific validation tools to test your configuration and
ensure that you have all the settings properly dialed in. Jetstress was released for
Exchange Server 2013 and is supported for Exchange Server 2016, and it is
downloadable from the Microsoft download site. It is one of the key tools used to test
the performance of the disk subsystem before Exchange is installed in the virtual
machines. The information that Jetstress gives you should line up with the
performance requirements you gathered early in the project. Load Generator for
Exchange Server 2013, also available for free from Microsoft Downloads, will simulate
the different client connections that will be in your environment. You will be able to
define how many simulated clients will use each connection protocol and how much
email traffic they will send and receive. When using the testing tools, try to emulate
the user base that is currently in the environment. If none of your users use Outlook
on the web, then don't put it in the test cases. If your organization includes heavy
users of Exchange ActiveSync, make sure that you have included the correct
information to heavily test for Exchange ActiveSync. At the time of this writing, Load
Generator has not yet been updated for Exchange Server 2016.
Remember: in the virtualized environment, you should do everything you would
normally do in a physical environment. Don't fall into the trap of thinking that
because it is a virtualized environment, it is a different solution. You are the only one
who should know that these servers are virtualized. The end users and the first line of
the help desk should never be able to tell the difference.
Possible Virtualization Scenarios
In this section, we will look at several scenarios that could lead to a positive
virtualization experience. These scenarios are not guarantees of success but examples
of what may work. (Once you start testing your environment, you may find situations
in which physical servers are the best solution.) We will discuss possible hardware for
both the virtualization host and the virtual machine, but this is just an estimation of
hardware that may be needed; we will not be looking at the physical specifications.
These scenarios have not been tested in a lab for performance. They are merely
examples of what could be virtualized.
Small Office/Remote or Branch Office
In this scenario, our office has a relatively small number of users, and we need to
provide email services to them. We have determined that users would be better off
using local Exchange servers than pulling email across the WAN. Because the users
are in a remote office, we will be supplying directory services as well. We want to
provide redundancy and high availability where possible. By using a small number of
physical hosts as a virtual cluster, we can deploy the necessary servers, keep costs
down, and meet our availability requirements.
We have determined through research, interviews with staff members, and data
collection that we have light email users. We will be providing high availability via
DAG. We also have a requirement for site resilience, so we will extend the DAG to the
main datacenter.
As we start to build this solution, we must determine which virtual machines will be
placed on which virtualization hosts. We see a need for the following:
Two Exchange servers
Two domain controllers
A file server (which we can use as the file-share witness)
A backup server
We can put this solution together with a minimum of two physical servers and
storage, although for full redundancy—for patching, outages, and the like—we would
need three. The exact specifications on the servers and storage are not being
discussed. When we create the DAG, we will specify the correct location for the
file-share witness. We must not create an issue where the file-share witness ends up being
on the same virtualization host as a Mailbox server in the DAG. If this were to happen
and we created the file-share witness on Virtualization Host 1 or 3, then we'd have two
voting members of the DAG on the same physical hardware. This is not a
recommended solution. Following is a virtualization layout depicting a three-server
solution.
Virtualization Host 1 will have the following virtual machines:
Domain Controller 1
Exchange 1
Virtualization Host 2 will have the following virtual machines:
Domain Controller 2
File server
Virtualization Host 3 will have the following virtual machines:
Exchange 2
Backup
With proper specifications, our physical servers will not be over-utilized by the
planned workloads; there will be enough spare capacity to ensure that virtual
machines can be moved for short periods of time. Instead of having six servers in use,
we will have three servers—a 50 percent reduction in physical servers for this location.
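The placement rules behind this layout (no two DAG members on one virtualization host, no file-share witness on a host that runs a DAG member, and at most two virtual CPUs per physical core, with one per core recommended) can be checked against a planned layout before anything is deployed. The following PowerShell is an added example, not code from the book; the function name, the role labels, and the core and vCPU counts are assumptions, and the guest-to-host mapping follows the three-host layout above.

```powershell
# Added example: validate a planned guest layout against this chapter's placement rules.
# Test-ExchangePlacement and the Role labels are hypothetical names used for illustration.

function Test-ExchangePlacement {
    param(
        [Parameter(Mandatory = $true)] [object[]] $VirtualizationHosts, # Name, PhysicalCores
        [Parameter(Mandatory = $true)] [object[]] $Guests               # Name, HostName, Role, VCpu
    )

    $findings = @()

    foreach ($vmHost in $VirtualizationHosts) {
        $onHost  = @($Guests | Where-Object { $_.HostName -eq $vmHost.Name })
        $dag     = @($onHost | Where-Object { $_.Role -eq 'DagMailbox' })
        $witness = @($onHost | Where-Object { $_.Role -eq 'FileShareWitness' })

        # Rule 1: two DAG members on one host are lost together when that host fails.
        if ($dag.Count -gt 1) {
            $names = ($dag | ForEach-Object { $_.Name }) -join ', '
            $findings += "FAIL $($vmHost.Name): multiple DAG members on one host ($names)"
        }

        # Rule 2: a witness next to a DAG member puts two voting members on one machine.
        if ($dag.Count -ge 1 -and $witness.Count -ge 1) {
            $findings += "FAIL $($vmHost.Name): file-share witness shares a host with a DAG member"
        }

        # Rule 3: CPU over-allocation is supported up to 2:1; 1:1 is the recommendation.
        $vcpu = 0
        foreach ($guest in $onHost) { $vcpu += $guest.VCpu }
        $ratio = $vcpu / $vmHost.PhysicalCores
        if ($ratio -gt 2) {
            $findings += "FAIL $($vmHost.Name): {0:N2} vCPUs per core exceeds 2:1" -f $ratio
        }
        elseif ($ratio -gt 1) {
            $findings += "WARN $($vmHost.Name): {0:N2} vCPUs per core is above the recommended 1:1" -f $ratio
        }
    }

    # The leading comma keeps the result an array even when it holds zero or one finding.
    return ,$findings
}

# Constructed sample data: core and vCPU counts are invented for the example.
$vmHosts = @(
    [pscustomobject]@{ Name = 'Virtualization Host 1'; PhysicalCores = 8 },
    [pscustomobject]@{ Name = 'Virtualization Host 2'; PhysicalCores = 8 },
    [pscustomobject]@{ Name = 'Virtualization Host 3'; PhysicalCores = 8 }
)

$planned = @(
    [pscustomobject]@{ Name = 'Domain Controller 1'; HostName = 'Virtualization Host 1'; Role = 'Other';            VCpu = 2 },
    [pscustomobject]@{ Name = 'Exchange 1';          HostName = 'Virtualization Host 1'; Role = 'DagMailbox';       VCpu = 4 },
    [pscustomobject]@{ Name = 'Domain Controller 2'; HostName = 'Virtualization Host 2'; Role = 'Other';            VCpu = 2 },
    [pscustomobject]@{ Name = 'File server';         HostName = 'Virtualization Host 2'; Role = 'FileShareWitness'; VCpu = 4 },
    [pscustomobject]@{ Name = 'Exchange 2';          HostName = 'Virtualization Host 3'; Role = 'DagMailbox';       VCpu = 4 },
    [pscustomobject]@{ Name = 'Backup';              HostName = 'Virtualization Host 3'; Role = 'Other';            VCpu = 2 }
)

# The same plan with the file server (witness) moved onto Virtualization Host 1.
$misplaced = $planned | ForEach-Object {
    $copy = $_.PSObject.Copy()
    if ($copy.Name -eq 'File server') { $copy.HostName = 'Virtualization Host 1' }
    $copy
}

'Planned layout findings:'
Test-ExchangePlacement -VirtualizationHosts $vmHosts -Guests $planned
'Witness moved to Host 1 findings:'
Test-ExchangePlacement -VirtualizationHosts $vmHosts -Guests $misplaced
```

Running the same check against the layout that would exist after a host is taken down for patching shows whether the emergency placement still stays within these rules.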
Site Resilience
In this scenario, we'll set up a second location for site resilience. We assume that the
primary datacenter is fully functional with Exchange Server 2016 physical servers. We
have been handed a new requirement to provide site resilience for all users in our
organization. We will also need to provide the same level of performance and
reliability as the primary datacenter. Our primary datacenter has four Exchange
servers in a DAG.
To meet the requirements, we will be deploying nine virtual machines: four domain
controllers, one file server, and four Exchange servers. We are using four domain
controllers to keep down the number of virtual processors and RAM on each domain
controller.
We will need four physical servers for the solution. For ease of ordering, we will order
all servers with the same hardware specifications.
Virtualization Host 1 will have the following virtual machines:
Domain Controller 1
Exchange Server 1
Virtualization Host 2 will have the following virtual machines:
Domain Controller 2
Exchange Server 2
Virtualization Host 3 will have the following virtual machines:
Domain Controller 3
Exchange Server 3
Virtualization Host 4 will have the following virtual machines:
Domain Controller 4
Exchange Server 4
In this scenario, we would manually place the file-share witness on an existing file
server in the site. You may recall that the file-share witness is used when there is an
even number of servers in the DAG. We have that here, but there are enough servers
to separate the witness without putting the DAG in jeopardy.
By separating the virtual machines across four virtualization hosts, we have
accomplished the task at hand. If we had chosen to mirror the production
environment and use physical servers, we would have needed eight servers. At a
minimum, we cut our servers by 50 percent with the inclusion of the domain
controllers. The flip side of this is that we probably increased the number of
processors and amount of RAM in the virtualization hosts. By doing this, we also
increased the cost of the virtualization hosts. The cost increase may be minimal, but
you should calculate it before implementing this solution. Depending on which
hypervisor you choose, there may be costs associated with the hypervisor software. In
addition, there are operational costs associated with each virtualization host.
Mobile Access
For the mobile solution, we have a customer that must react quickly to an emergency.
They need to have their entire infrastructure physically with them. They do not need
to tie back into a corporate environment, but they will be connecting to the Internet
and must be able to send and receive email and surf the Internet. They also require a
database server, file/print capabilities, and collaboration. There will be an external
appliance to provide firewall protection. This is also considered a short-term solution.
Once the disaster is over or a permanent datacenter has been established, the mobile
solution will be decommissioned. This solution brings in several different
technologies in addition to Exchange.
The customer has only 50 users, but they will be sending and receiving a large amount
of email. With this number of users, there will not be a huge draw on any of the
servers. Knowing this, we are able to minimize the server requirements. We can keep
the file-share witness separated from the Exchange servers. We will place a node of
the database cluster on the same virtualization host as one of the Exchange servers.
This is not a recommended solution for environments with higher requirements, but
because we have a small number of users and low demand, we should be fine with the
layout.
Virtualization Host 1 will have the following virtual machines:
Domain Controller 1
Exchange Server 1
Database Server Node 1
Virtualization Host 2 will have the following virtual machines:
Domain Controller 2
Exchange Server 2
Collaboration Server 1
Virtualization Host 3 will have the following virtual machines:
File and Print Node
Database Server Node 2
Collaboration Server 2
We are able to meet the requirements for the customer with only three physical
servers. If during testing we decide that we need additional capacity, we can add
another server or increase the specs on the existing servers. Looking at the numbers,
you can see that we have decreased the number of physical servers from nine to three,
which is a 66 percent reduction.
Virtualize the Lab
You will have plenty of opportunities to virtualize Exchange. One of those
opportunities is in the lab. When you virtualize your lab, you can do a
virtualization equal to what is going to be in production or you can have a
different layout. There are benefits to both.
If you are able to duplicate the lab and production, you can include performance
testing. Duplicating the lab to production means not only matching the number of
servers and role designations but also determining whether they will be physical
servers. If you are going to virtualize in production, this test will give you accurate
results and a baseline for the production environment. You will also increase the
hardware requirement for the virtualization hosts and the storage you will be
using.
If you are not able to duplicate the lab, you must prepare yourself and inform
management that the lab is for functional testing only. If you were to do any
performance testing, the results would not be accurate. By using this method, you
will save on hardware for the virtualization hosts and storage.
Both scenarios will give you a good base for testing your virtualized Exchange
environment. One gives you the ability to test performance and functionality with
an added hardware cost, while the other gives you the ability to do a functional
test with minimal hardware costs.
The Bottom Line
Evaluate the possible virtualization impacts. Knowing the impacts that
virtualization can have will help you make the virtualization a success. Conversely,
failure to realize how virtualization will impact your environment can end up
making virtualization a poor choice.
Master It What kind of impact would virtualizing Exchange have in your
environment?
Evaluate the existing Exchange environment. Before you can determine the
feasibility of a virtualized Exchange environment, you must know how your
current systems are performing.
Master It Are your Exchange servers good candidates for virtualization?
Determine when physical servers are the right choice. There will be times
when virtualization of Exchange Server isn't appropriate for an organization.
Master It What are some common reasons to stick with physical servers for
Exchange Server?
Chapter 5
Introduction to PowerShell and the Exchange
Management Shell
Microsoft PowerShell is an extensible, object-oriented command-line interface for the
Windows operating system. The Exchange Management Shell (EMS) is a set of
Exchange Server–specific extensions to Microsoft's PowerShell. The EMS was first
introduced with Exchange Server 2007 and has been enhanced with each subsequent
release of Exchange Server. The latest release includes the ability to connect to remote
sessions on other Exchange servers without the Exchange Management tools.
In this chapter, we introduce you to both PowerShell and the EMS. We hope to give
you a basic idea of some of the capabilities and encourage you to learn more.
Is knowledge of the EMS required? Some administrators will manage their Exchange
servers for years and rarely use the EMS, whereas others use it daily. However, we
think it is safe to say that at least a limited knowledge of the EMS will be required by
all administrators because some specialized configuration options can be set only
from the EMS.
We hope that this chapter will provide you with enough of an introduction to
PowerShell that you won't dread getting to know it.
IN THIS CHAPTER, YOU WILL LEARN TO:
Use PowerShell command syntax
Understand object-oriented use of PowerShell
Employ tips and tricks to get more out of PowerShell
Get help with using PowerShell
Why Use PowerShell?
Based on discussions in Internet newsgroups, web forums, and classrooms about the
decision to put the management architecture of Exchange Server 2007 on top of
PowerShell, you would think that this was one of the most controversial decisions
Microsoft ever made. Originally, there was enthusiastic debate (and name-calling) on
both sides of the fence. But some experienced Exchange Server administrators
thought the Exchange Management Shell was the best improvement Microsoft had
made since Exchange Server 2003. Now that Microsoft has extended PowerShell to
virtually all of their core infrastructure products, more administrators are comfortable
with PowerShell and are happy with it being a key management technology.
We have to admit to becoming big supporters of the EMS from the beginning. All it
took was spending a bit of time with it and getting to know some of the basic
functionality. The biggest fear that many administrators have is that they will have to
learn not only some of the shell's commands (called cmdlets) but also a scripting
language just to manage Exchange Server. That is not the case.
The intent of the EMS is to provide a consistent interface for performing management
tasks for Exchange servers, whether performing automation tasks, writing scripts, or
extending the management capabilities. Tasks or operations that once required
multiple programming APIs and hundreds of lines of scripting can now be
accomplished in a single command. Single commands can be joined together—the
output of one command can be piped to another command as input—to perform
extremely powerful functions.
The base PowerShell that ships with Windows Server 2012 and later versions provides
thousands of built-in cmdlets, and there are several hundred additional Exchange
Server–related cmdlets you can use in the EMS; the goal is to cover all Exchange
Server–related administrative tasks. You will find cmdlets that manipulate other data
in Active Directory (such as cmdlets for managing user accounts) and control
Exchange Server–related data in the Registry or Internet Information Services, but the
cmdlets will only manipulate or manage data related to Exchange Server. The
Exchange team is expecting other internal Microsoft teams, such as the Active
Directory or Internet Information Server team, to provide their own extensions to the
management shell (which they have).
There are a lot of very good reasons for Microsoft to create this management layer
across all its products. It provides a consistent management and scripting interface for
all server products, develops a secure method for remote scripting, improves batching,
and provides you with an easy way to automate and repeat anything you can do in the
GUI. In fact, PowerShell, first integrated in Exchange Server 2007, is now the de facto
management interface for all Microsoft enterprise products, such as System Center,
SQL Server, and Skype for Business.
The Exchange Management Shell is built on top of Windows PowerShell. It has the
built-in Exchange cmdlets that you'll use to perform all of your administrative work.
You can use it to do everything you can do in the EAC and more. But, you can't import
an Exchange PowerShell module at a standard PowerShell prompt. Well, while there
are ways of doing so, it isn't supported and some functionality is missing. Thus, always
plan on running the Exchange Management Shell when you want to use PowerShell
for your Exchange-based administrative tasks.
Understanding the Command Syntax
The problem with a lot of scripting languages and command shells is that, as they get
more complex and powerful, the command syntax gets more and more cryptic.
PowerShell and the EMS seek to make using the command-line interface and scripting
more intuitive. To this end, most PowerShell and EMS cmdlets consist of two
components: a verb and a noun.
Just in Case
PowerShell cmdlets and the EMS extensions for PowerShell are case insensitive.
That means you can type everything in uppercase, type everything in lowercase, or
mix and match the case of the letters in your commands.
For readability and per suggestions from folks on the Exchange Server team at
Microsoft, we are using Pascal-casing in this book. When you use Pascal casing,
the first character of each word is in uppercase; if the cmdlet has more than one
word, the first letter in each word is in uppercase. All other letters in the cmdlet
are lowercase; so for example, the cmdlet that is used to retrieve mailbox
statistics is written as Get-MailboxStatistics.
Verbs and Nouns
The verb identifies the action that is being taken, and the noun indicates the object on
which the action is being taken. The verb always comes first, and the verb and noun
are separated by a hyphen (such as, Get-Mailbox). The following list shows some of the
common verbs you'll use in the EMS; some of these are specific to the EMS, but most
are generic to Windows PowerShell.
Get Get is probably the most common verb you will use. Get retrieves information
about the specified object and outputs information about the object.
Set Set is probably the second most common verb you will use. Set allows you to
update properties of the object specified in the noun.
New New creates new instances of the object specified in the noun.
Enable Enable activates or enables a configuration on the object specified, such as
enabling an existing user account.
Add Add can be used to add items to an object or to add properties of an object.
Remove Remove deletes an instance of the object specified in the noun.
Disable Disable disables or deactivates the object specified in the noun. An
example of this is removing a mailbox from an existing user (but not deleting the
user account).
Mount Mount is used to mount an Exchange Server mailbox or public folder
database.
Dismount Dismount is used to dismount an Exchange Server mailbox or public
folder database.
Move Move can be used to activate a database copy on a mailbox server.
Test Test performs diagnostic tests against the object specified by the noun and
the identity option.
Update Update is used to update specified objects.
The actual nouns that are used in conjunction with these verbs are too numerous to
mention in even a few pages of text. The following is a list of common nouns; later in
this chapter you'll learn how to use the online help to find more cmdlets that you
need. The nouns in this list can be used in conjunction with verbs, such as the ones in
the preceding list, to manipulate the properties of Exchange Server–related objects.
However, not all verbs work with all nouns, and unfortunately it sometimes requires
some trial and error to determine what works and what doesn't.
ActiveSyncMailboxPolicy Properties of ActiveSync policies that can be assigned to
a mailbox
CASMailbox Properties of a mailbox relating to client features such as Outlook on
the web and Exchange ActiveSync
ClientAccessServer Properties specific to client access
DistributionGroup Properties relating to mail-enabled distribution groups
DynamicDistributionGroup Properties relating to a dynamic distribution group
EmailAddressPolicy Properties relating to the policies that are used to define
email addresses
ExchangeServer Properties related to Exchange servers
Mailbox Properties related to user mailboxes
MailboxDatabase Properties related to mailbox databases
MailboxServer Properties specific to an Exchange Server Mailbox server role
MailContact Properties relating to mail-enabled contact objects
MailUser Properties relating to a user that has an email address but not a mailbox
MoveRequest Properties and actions related to move mailbox requests
ReceiveConnector Properties relating to Receive connectors
SendConnector Properties relating to Send connectors
TransportConfig Properties specific to Exchange Server Transport services
UMMailbox Properties relating to Unified Messaging
User Properties relating to user objects
Cmdlets Work Only with Remote PowerShell in Exchange Server
2010 and Later
One important thing to keep in mind with cmdlets is that they are not individual
executables but rather .NET classes that are accessible only from within
PowerShell and only if the Exchange Server extensions to PowerShell are loaded.
With Exchange Server 2010 and later, though, you can connect to a remote
session on a remote Exchange Server computer to perform commands on that
remote computer. This is often referred to as remote PowerShell, or the ability to
connect remotely to a PowerShell session. Whether you use the shell to
administer a local server or administer a server across the country, remote
PowerShell is used to perform the operation in Exchange Server.
Unlike in Microsoft Exchange Server 2007, which uses a local Windows
PowerShell, Windows PowerShell connects to the closest Exchange Server
(version 2010 or later) server using Windows Remote Management. The
PowerShell module then performs authentication checks and then creates a
remote session. When the remote session is created, the user sees and has access
only to the cmdlets and the parameters associated with the management role
groups and management roles assigned to the user.
Help
There is a more detailed section near the end of this chapter titled “Getting Help”;
however, as you start your journey into learning PowerShell and the EMS, you should
know how to get quick and basic help. If you are using PowerShell version 3 or later,
you first need to download all of the help content. You can run the Update-Help
command to download the help content. Thereafter, you can use the Get-Help cmdlet
to show what parameters any cmdlet takes. This is much like the man command on
Linux systems:
Get-Help Get-Mailbox
The -Identity Parameter
For cmdlets that require input, usually the first parameter provided is the -Identity
parameter. For example, if you want to retrieve information about a mailbox named
Lawrence Cohen in the Corporate organizational unit (OU), you would run the
following command:
Get-Mailbox -Identity 'contoso.com/Corporate/Lawrence Cohen'
However, you will quickly find that the -Identity parameter is not required. If your
aliases or account names are unique, even the domain and organizational unit
information is not required. For example, this command would yield the same result:
Get-Mailbox 'contoso.com/Corporate/Lawrence Cohen'
As long as there is only one Lawrence Cohen in Active Directory, you can even drop
the domain and the OU name and this cmdlet will yield the same result:
Get-Mailbox 'Lawrence Cohen'
You Can Quote Me on That
Anytime the identity you are using has a space in it, you must use quotes. Either
single or double quotes will work.
The -Identity parameter is optional by design. As you will find shortly, the input for
one cmdlet can even be piped in from the output of another cmdlet.
If you are not sure what input can be specified for the -Identity parameter, you can
easily look up this information either in the Exchange Server online help or by using
the EMS command-line help (more on this later in this chapter). For now, let's look at
one small piece of the Get-Mailbox help screen that shows the different values that can
be used to identify a mailbox:
-Identity <MailboxIdParameter>
The Identity parameter identifies the mailbox. You can use one of the following
values:
* Name
* Display name
* Alias
* Distinguished name (DN)
* Canonical DN
* <domain name>\<account name>
* Email address
* GUID
* LegacyExchangeDN
* SamAccountName
* User ID or user principal name (UPN)
You can see that the -Identity parameter will take the mailbox GUID, the user's
distinguished name, the domain name and account, the UPN name, the legacy
Exchange Server distinguished name, the SMTP address, or the Exchange Server alias.
Cmdlet vs. Command
You will notice that sometimes we use “command” and sometimes we use
“cmdlet” when talking about PowerShell. There is a subtle difference:
A cmdlet is the verb-noun combination that performs a specific task; it is the
base PowerShell object that takes input, does something to it, and produces
some output.
A complete command is the cmdlet along with any necessary options that the
task might require. The command necessary to retrieve information about a
specific mailbox looks like this:
Get-Mailbox "Gillian Katz"
Cmdlet Parameters
PowerShell and EMS cmdlets support a number of command-line parameters that are
useful. Parameters can be categorized as mandatory or not and as positional or not.
When a parameter is mandatory, PowerShell requires you to add the parameter with a
given cmdlet and specify a value for it. If the use of a parameter is not mandatory, you
are allowed to include it, but you don't have to do so. The cmdlet New-Mailbox
illustrates this behavior nicely. When creating a new mailbox-enabled user, you have
to include the parameter UserPrincipalName, but you are free to include the parameter
OrganizationalUnit. The EMS will prompt you for the value of any mandatory
parameter you forget to specify. Next to being mandatory or not, it is not always
necessary to include the parameter name. When a parameter is positional, you can
just add the value and leave out the parameter name. The cmdlet Get-Mailbox has no
mandatory parameters but does have a positional parameter, namely -Identity. If we
run the following EMS line, the shell will return the properties of a mailbox-enabled
user whose Exchange alias is Oliver.Cohen:
Get-Mailbox Oliver.Cohen
Name           Alias          ServerName   ProhibitSendQuota
----           -----          ----------   -----------------
Oliver.Cohen   Oliver.Cohen   Ex1          unlimited
This is the same as running this:
Get-Mailbox -Identity Oliver.Cohen
Name           Alias          ServerName   ProhibitSendQuota
----           -----          ----------   -----------------
Oliver.Cohen   Oliver.Cohen   NYC-EX1      unlimited
However, if we run the following command, the shell will complain that it doesn't
know any mailbox-enabled user by the name of Ex1, because the parameter Server is
not positional:
Get-Mailbox Ex1
The operation couldn't be performed because object 'Ex1' couldn't be
found on 'dc01.contoso.com'.
+ CategoryInfo : NotSpecified: (:) [Get-Mailbox],
ManagementObjectNotFoundException
+ FullyQualifiedErrorId : 3FEDEA30,Microsoft.Exchange.Management.
RecipientTasks.GetMailbox
However, if you apply the proper -Server parameter in your command, the server
name becomes apparent to the Exchange server. Note that this command displays all
of the mailboxes, not just those on EX1.
Get-Mailbox -Server Ex1
Name                      Alias                ServerName   ProhibitSendQuota
----                      -----                ----------   -----------------
Administrator             Administrator        NYC-EX1      unlimited
DiscoverySearchMailbox…   DiscoverySearchMa…   NYC-EX1      unlimited
BobClements               BobClements          NYC-EX1      unlimited
JordanChang               JordanChang          NYC-EX1      unlimited
TylerM.Swartz             TylerM.Swartz        NYC-EX1      unlimited
EliasMereb                EliasMereb           NYC-EX1      unlimited
JohnRodriguez             JohnRodriguez        NYC-EX1      unlimited
JonathanLong              JonathanLong         NYC-EX1      unlimited
KevinWile                 KevinWile            NYC-EX1      unlimited
JohnPark                  JohnPark             NYC-EX1      unlimited
JulieR.Samante            JulieR.Samante       NYC-EX1      unlimited
JimMcBee                  JimMcBee             NYC-EX1      unlimited
ChuckSwanson              ChuckSwanson         NYC-EX1      unlimited
KellySiu                  KellySiu             NYC-EX1      unlimited
GeraldNakata              GeraldNakata         NYC-EX1      unlimited
The following are some of the parameters that cmdlets accept. Not all cmdlets will
accept all of these parameters; these are usually optional, and, of course, some of
them will not be relevant.
-Identity -Identity specifies a unique object on which the cmdlet is going to act.
The -Identity parameter is a positional parameter, which means that it does not
necessarily have to be on the command line; PowerShell will prompt you for the
identity if it is not specified. As noted previously, in most cases you do not need to
specify the -Identity parameter but just the unique object name.
-WhatIf -WhatIf tells the cmdlet to simulate the action that the cmdlet would
actually perform but not actually make the change.
-Confirm -Confirm asks the cmdlet to prompt for confirmation prior to starting the
action. This option type is Boolean, so you need to include either $True or $False.
Some cmdlets (such as New-MoveRequest) ask for confirmation by default, so you
could specify -Confirm:$False if you did not want the confirmation request to
occur.
-Validate -Validate will check the prerequisites of the cmdlet to verify that it will
run correctly and let you know if the cmdlet will run successfully.
-Credential -Credential allows you to specify alternative credentials when
running a PowerShell command.
-DomainController -DomainController allows you to specify the FQDN of a specific
domain controller against which you want to perform a PowerShell task.
-ResultSize The -ResultSize option allows you to specify a maximum number of
results when working with Get- cmdlets.
-SortBy The -SortBy option allows you to specify a sorting criteria when outputting
data that is usually the result of a Get- cmdlet.
-Verbose -Verbose instructs Get- cmdlets to return more information about the
execution of the cmdlet.
-Debug -Debug instructs the cmdlet to output more information and to proceed
step-by-step through the process of performing a task. -Debug returns more
information than a typical administrator needs to perform daily tasks.
If you are piping output of one cmdlet into another, the parameters must be within
the cmdlet that you want the parameter to affect.
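The following added example (not from the book) shows how -WhatIf and -Confirm behave on a piped bulk change, and why they belong on the cmdlet that makes the change. It runs in plain PowerShell without Exchange: Set-DemoQuota is a hypothetical stand-in for a Set- cmdlet, and the mailbox objects are constructed sample data.

```powershell
# Constructed sample objects standing in for Get-Mailbox output (not real mailboxes).
$mailboxes = @(
    [pscustomobject]@{ Alias = 'Oliver.Cohen';   ProhibitSendQuota = 'unlimited' }
    [pscustomobject]@{ Alias = 'Gillian.Katz';   ProhibitSendQuota = '2GB' }
    [pscustomobject]@{ Alias = 'Lawrence.Cohen'; ProhibitSendQuota = 'unlimited' }
)

# Hypothetical stand-in for a Set- cmdlet. SupportsShouldProcess is what gives
# an advanced function its -WhatIf and -Confirm parameters; ConfirmImpact 'High'
# makes it prompt by default, like the cmdlets that ask for confirmation unasked.
function Set-DemoQuota {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Mailbox,

        [Parameter(Mandatory = $true)]
        [string]$ProhibitSendQuota
    )
    process {
        # ShouldProcess returns $false under -WhatIf (after printing what would
        # happen) and when the operator answers No to the confirmation prompt.
        if ($PSCmdlet.ShouldProcess($Mailbox.Alias, "Set ProhibitSendQuota to $ProhibitSendQuota")) {
            $Mailbox.ProhibitSendQuota = $ProhibitSendQuota
            $Mailbox   # emit the changed object so the pipeline can continue
        }
    }
}

# 1. Dry run. -WhatIf sits on Set-DemoQuota, the cmdlet that changes data;
#    putting it on the filtering stage to the left would not protect anything.
$mailboxes |
    Where-Object { $_.ProhibitSendQuota -eq 'unlimited' } |
    Set-DemoQuota -ProhibitSendQuota '5GB' -WhatIf

# 2. Verify that the dry run left every object untouched.
$mailboxes | Format-Table Alias, ProhibitSendQuota

# 3. Apply the change. -Confirm:$false suppresses the per-object prompt that
#    ConfirmImpact 'High' would otherwise raise, which is what a scheduled
#    script needs once the dry run has been reviewed.
$changed = $mailboxes |
    Where-Object { $_.ProhibitSendQuota -eq 'unlimited' } |
    Set-DemoQuota -ProhibitSendQuota '5GB' -Confirm:$false

'{0} mailbox(es) changed' -f @($changed).Count
$mailboxes | Format-Table Alias, ProhibitSendQuota
```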
Tab Completion
In order to be descriptive and helpful, some of the cmdlets are pretty long. Consider if
you had to type Get-DistributionGroupMember several times! However, PowerShell
includes a feature called tab completion. If you type part of a command and then press
the Tab key, PowerShell will complete the cmdlet with the first matching cmdlet it can
find. For example, if you type Get-Distri and press Tab, PowerShell will automatically
fill out Get-DistributionGroup. If you press Tab again, PowerShell will move on to the
next matching cmdlet, or in this case Get-DistributionGroupMember.
The tab completion feature also works for cmdlet parameters. If you type a cmdlet
followed by a space and a hyphen, such as Get-Mailbox -, and then press Tab, you will
cycle through all the parameters for that particular cmdlet. When you include
parameters with your cmdlet, it is not necessary to specify their full names. It is
sufficient to enter enough letters to make sure the EMS can figure out which
parameter you meant to define. For example, if you enter Get-Mailbox -Se server1,
you will be given a list of all mailboxes housed on server1. But tab completion can be
useful to help you keep an overview of your EMS lines.
Alias
PowerShell and the EMS also include aliases that allow you to invoke cmdlets using a
familiar synonym. A typical example here is entering Dir to get a list of all files in the
directory that you are in and all subdirectories after that directory, which is in fact an
alias for the cmdlet Get-ChildItem. Table 5.1 shows some common aliases that are
built into PowerShell.
Table 5.1 PowerShell Common Aliases
Alias   Definition
Dir     Get-ChildItem
Ls      Get-ChildItem
Type    Get-Content
Cat     Get-Content
Write   Write-Output
Echo    Write-Output
cd      Set-Location
sl      Set-Location
cls     Clear-Host
But it is important to remember that entering an alias in the end is like entering a
cmdlet, thus imposing some constraints that do not apply when entering the aliases
from Table 5.1 in a command prompt. If you would like to get a list of all files, and
files located in subdirectories, you would be inclined to enter dir /s, but when doing
so you will be faced with the following error message:
dir /s
Get-ChildItem : Cannot find path 'C:\s' because it does not exist.
At line:1 char:4
+ dir <<<< /s
Of course, dir /s works at a command prompt. Using PowerShell, you know you need
to include any parameter by adding a hyphen followed by the parameter name:
dir -Recurse:$True
or:
dir -r
Object-Oriented Use of PowerShell
One of the reasons PowerShell is so flexible is that the output of commands is not text
based but rather object based. PowerShell uses an object model that is based on the
Microsoft .NET Framework. PowerShell cmdlets accept and return structured data.
Don't let the terms “object model” or “object-oriented” scare you, though. This is really
quite simple. For example, Figure 5.1 shows the output of the Get-Mailbox cmdlet.
Figure 5.1 Output of the Get-Mailbox cmdlet
What you see on the screen is text to the user interface, but to PowerShell it is really a
list of objects. You can manipulate the output to see the properties you want, filter the
output, or pipe the output (the objects) to another cmdlet.
Filtering Output
In Figure 5.1, you can see that the cmdlet we used (Get-Mailbox) outputs every
mailbox in the entire organization. There are a number of ways you can filter or
narrow the scope of the output you are looking for from a specific cmdlet. In the case
of Get-Mailbox and other cmdlets, you can specify just the identity of the mailbox for
which you are looking.
PowerShell includes two options that can be used specifically for filtering the output.
These are the Where-Object (or Where alias) and the Filter-Object (or Filter) objects.
The Where clause can be used on most cmdlets, and the filter is applied at the client.
The Filter clause is available only on a subset of the commands because this filter is
applied by the server.
In the following command, the output of the Get-Mailbox cmdlet is piped to the Where
clause, which filters the output:
Get-Mailbox | Where-Object {$_.MaxSendSize -gt 25000000}
In this case, the output is any mailbox whose -MaxSendSize parameter is greater than
25,000,000 bytes. Did you notice the portion of the Where statement $_.MaxSendSize?
The $_ portion represents the current object that is being piped to the Where-Object
cmdlet, and .MaxSendSize represents the MaxSendSize property of that object.
For nonprogrammers, this might seem a little difficult at first, but we promise it gets
much easier as you go along. The operators are also simple to remember. Table 5.2
shows common operators that can be used in clauses such as Where-Object or just the
Where alias. The Operator column defines how the value defined as an object property
is treated.
Table 5.2 Shell Values and Operators
Shell Value   Operator                   Function
-eq           Equals                     The object.property value must match exactly the specified value.
-ne           Not equals                 The object.property value must not match the specified value.
-gt           Greater than               -gt works when the object.property value is an integer.
-ge           Greater than or equal to   -ge works when the object.property value is an integer.
-lt           Less than                  -lt works when the object.property value is an integer.
-le           Less than or equal to      -le works when the object.property value is an integer.
-like         Contains                   -like is used when the object.property value is a text string. The
                                         matching string can either match exactly or contain wildcards (*)
                                         at the beginning or end of the string.
-notlike      Does not contain           -notlike is used when the object.property value is a text string
                                         and you want to see if the values do not match the string. The
                                         matching string can contain wildcards (*) at the beginning or end
                                         of the string.
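As an added example (not from the book), the operators in Table 5.2 can be tried against objects without an Exchange server. The mailbox objects below are constructed sample data, the property names mirror parameters shown in the Set-Mailbox help, and Get-ExternalForwarder is a hypothetical helper name; the same Where-Object clauses apply when the objects come from Get-Mailbox.

```powershell
# Constructed sample objects standing in for Get-Mailbox output (not real mailboxes).
$mailboxes = @(
    [pscustomobject]@{ Name = 'Oliver Cohen';   MaxSendSize = 10MB;     ForwardingSmtpAddress = $null;                      AuditEnabled = $true  }
    [pscustomobject]@{ Name = 'Gillian Katz';   MaxSendSize = 50MB;     ForwardingSmtpAddress = 'smtp:gkatz@example.net';   AuditEnabled = $false }
    [pscustomobject]@{ Name = 'Lawrence Cohen'; MaxSendSize = 30000000; ForwardingSmtpAddress = 'smtp:archive@contoso.com'; AuditEnabled = $false }
    [pscustomobject]@{ Name = 'Jim McBee';      MaxSendSize = 10MB;     ForwardingSmtpAddress = 'smtp:jim@example.org';     AuditEnabled = $true  }
)

# -gt on an integer property: the chapter's own filter, run on the sample data.
$mailboxes | Where-Object { $_.MaxSendSize -gt 25000000 } |
    Format-Table Name, MaxSendSize

# -like with a trailing wildcard on a text property: every mailbox that forwards at all.
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -like 'smtp:*' } |
    Format-Table Name, ForwardingSmtpAddress

# Pitfall: -notlike on its own also returns mailboxes with no forwarding address,
# because an empty ($null) property is compared as an empty string.
$naive = $mailboxes | Where-Object { $_.ForwardingSmtpAddress -notlike '*@contoso.com' }
'Naive -notlike returned {0} mailboxes, including one that does not forward' -f @($naive).Count

# Hypothetical helper: mailboxes that forward to an address outside the internal
# domain. The first test drops empty values before -notlike is applied.
function Get-ExternalForwarder {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Mailbox,

        [string]$InternalDomain = 'contoso.com'
    )
    process {
        $Mailbox | Where-Object {
            $_.ForwardingSmtpAddress -and
            $_.ForwardingSmtpAddress -notlike "*@$InternalDomain"
        }
    }
}

# Because the pipeline carries objects rather than text, the result can be
# filtered again with -eq, sorted, and trimmed to the properties of interest.
$mailboxes |
    Get-ExternalForwarder |
    Where-Object { $_.AuditEnabled -eq $false } |
    Sort-Object Name |
    Select-Object Name, ForwardingSmtpAddress, AuditEnabled
```

External forwarding on a mailbox that has auditing switched off is a combination worth reviewing, which is why the last pipeline chains the two filters.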
Sometimes, finding all of the properties that can be used with a particular cmdlet can
be difficult. We would like to share a couple of tips that will help illustrate or discover
these properties. Let's take the Set-Mailbox cmdlet as an example. First, you can
simply use the available online help such as this:
set-mailbox -?
NAME
Set-Mailbox
SYNOPSIS
This cmdlet is available in on-premises Exchange Server 2016 and in the
cloud-based service. Some parameters and
settings may be exclusive to one environment or the other.
Use the Set-Mailbox cmdlet to modify the settings of existing mailboxes.
For information about the parameter sets in the Syntax section below, see
Syntax.
SYNTAX
Set-Mailbox-Identity<MailboxIdParameter>[-AcceptMessagesOnlyFrom
<MultiValuedProperty>]
[-AcceptMessagesOnlyFromDLMembers<MultiValuedProperty>][AcceptMessagesOnlyFromSendersOrMembers
<MultiValuedProperty>][-AddressBookPolicy
<AddressBookMailboxPolicyIdParameter>][-Alias<String>]
[-AntispamBypassEnabled<$true|$false>][-ApplyMandatoryProperties
<SwitchParameter>][-Arbitration
<SwitchParameter>][-ArbitrationMailbox<MailboxIdParameter>][ArchiveDatabase<DatabaseIdParameter>]
[-ArchiveDomain<SmtpDomain>][-ArchiveName<MultiValuedProperty>][ArchiveQuota<Unlimited>][-ArchiveStatus
<None|Active>][-ArchiveWarningQuota<Unlimited>][-AuditAdmin
<MultiValuedProperty>][-AuditDelegate
<MultiValuedProperty>][-AuditEnabled<$true|$false>][-AuditLog
<SwitchParameter>][-AuditLogAgeLimit
<EnhancedTimeSpan>][-AuditOwner<MultiValuedProperty>][BypassModerationFromSendersOrMembers
<MultiValuedProperty>][-CalendarLoggingQuota<Unlimited>][CalendarRepairDisabled<$true|$false>]
[-CalendarVersionStoreDisabled<$true|$false>][-ClientExtensions<$true
|$false>][-Confirm
[<SwitchParameter>]][-CreateDTMFMap<$true|$false>][-CustomAttribute1
<String>][-CustomAttribute10<String>]
[-CustomAttribute11<String>][-CustomAttribute12<String>][CustomAttribute13<String>][-CustomAttribute14
<String>][-CustomAttribute15<String>][-CustomAttribute2<String>][CustomAttribute3<String>]
[-CustomAttribute4<String>][-CustomAttribute5<String>][CustomAttribute6<String>][-CustomAttribute7
<String>][-CustomAttribute8<String>][-CustomAttribute9<String>][Database<DatabaseIdParameter>]
[-DefaultPublicFolderMailbox<RecipientIdParameter>][DeliverToMailboxAndForward<$true|$false>][-DisplayName
<String>][-DomainController<Fqdn>][-DowngradeHighPriorityMessagesEnabled
<$true|$false>]
[-DumpsterMessagesPerFolderCountReceiveQuota<Int32>][DumpsterMessagesPerFolderCountWarningQuota<Int32>]
[-EmailAddresses<ProxyAddressCollection>][-EmailAddressPolicyEnabled
<$true|$false>]
[-EnableRoomMailboxAccount<$true|$false>][-EndDateForRetentionHold
<DateTime>][-ExtendedPropertiesCountQuota
<Int32>][-ExtensionCustomAttribute1<MultiValuedProperty>][ExtensionCustomAttribute2<MultiValuedProperty>]
[-ExtensionCustomAttribute3<MultiValuedProperty>][ExtensionCustomAttribute4<MultiValuedProperty>]
[-ExtensionCustomAttribute5<MultiValuedProperty>][-ExternalOofOptions
<InternalOnly|External>]
[-FederatedIdentity<String>][-FolderHierarchyChildrenCountReceiveQuota
<Int32>]
[-FolderHierarchyChildrenCountWarningQuota<Int32>][FolderHierarchyDepthReceiveQuota<Int32>]
[-FolderHierarchyDepthWarningQuota<Int32>][-FoldersCountReceiveQuota
<Int32>][-FoldersCountWarningQuota
<Int32>][-Force<SwitchParameter>][-ForwardingAddress
<RecipientIdParameter>][-ForwardingSmtpAddress
<ProxyAddress>][-GMGen<$true|$false>][-GrantSendOnBehalfTo
<MultiValuedProperty>]
[-HiddenFromAddressListsEnabled<$true|$false>][-IgnoreDefaultScope
<SwitchParameter>]
[-ImListMigrationCompleted<$true|$false>][-ImmutableId<String>][InactiveMailbox<SwitchParameter>]
[-IsExcludedFromServingHierarchy<$true|$false>][-IsHierarchyReady
<$true|$false>][-IssueWarningQuota
<Unlimited>][-JournalArchiveAddress<SmtpAddress>][-Languages
<MultiValuedProperty>][-LinkedCredential
<PSCredential>][-LinkedDomainController<String>][-LinkedMasterAccount
<UserIdParameter>][-LitigationHoldDate
<DateTime>][-LitigationHoldDuration<Unlimited>][-LitigationHoldEnabled
<$true|$false>][-LitigationHoldOwner
<String>][-MailboxMessagesPerFolderCountReceiveQuota<Int32>][MailboxMessagesPerFolderCountWarningQuota
<Int32>][-MailboxPlan<MailboxPlanIdParameter>][MailboxProvisioningConstraint<MailboxProvisioningConstraint>]
[-MailboxProvisioningPreferences<MultiValuedProperty>][-MailRouting
<$true|$false>][-MailTip<String>]
[-MailTipTranslations<MultiValuedProperty>][-Management<$true|$false>]
[-MaxBlockedSenders<Int32>]
[-MaxReceiveSize<Unlimited>][-MaxSafeSenders<Int32>][-MaxSendSize
<Unlimited>]
[-MessageCopyForSendOnBehalfEnabled<$true|$false>][MessageCopyForSentAsEnabled<$true|$false>]
[-MessageTracking<$true|$false>][-MessageTrackingReadStatusEnabled
<$true|$false>]
[-MicrosoftOnlineServicesID<SmtpAddress>][-Migration<$true|$false>][ModeratedBy<MultiValuedProperty>]
[-ModerationEnabled<$true|$false>][-Name<String>][-NewPassword
<SecureString>][-OABGen<$true|$false>]
[-OABReplica<$true|$false>][-Office<String>][-OfflineAddressBook
<OfflineAddressBookIdParameter>]
[-OldPassword<SecureString>][-OMEncryption<$true|$false>][-Password
<SecureString>][-PrimarySmtpAddress
<SmtpAddress>][-ProhibitSendQuota<Unlimited>][-ProhibitSendReceiveQuota
<Unlimited>][-PstProvider<$true|
$false>][-PublicFolder<SwitchParameter>][-QueryBaseDN
<OrganizationalUnitIdParameter>]
[-QueryBaseDNRestrictionEnabled<$true|$false>][-RecipientLimits
<Unlimited>][-RecoverableItemsQuota
<Unlimited>][-RecoverableItemsWarningQuota<Unlimited>][RejectMessagesFrom<MultiValuedProperty>]
[-RejectMessagesFromDLMembers<MultiValuedProperty>][RejectMessagesFromSendersOrMembers<MultiValuedProperty>]
[-RemoteAccountPolicy<RemoteAccountPolicyIdParameter>][RemoteRecipientType<None|ProvisionMailbox|
ProvisionArchive|Migrated|DeprovisionMailbox|DeprovisionArchive|
RoomMailbox|EquipmentMailbox|
SharedMailbox|TeamMailbox>][-RemoveManagedFolderAndPolicy
<SwitchParameter>][-RemovePicture<SwitchParameter>]
[-RemoveSpokenName<SwitchParameter>][-RequireSenderAuthenticationEnabled
<$true|$false>]
[-ResetPasswordOnNextLogon<$true|$false>][-ResourceCapacity<Int32>][ResourceCustom<MultiValuedProperty>]
[-RetainDeletedItemsFor<EnhancedTimeSpan>][-RetainDeletedItemsUntilBackup
<$true|$false>][-RetentionComment
<String>][-RetentionHoldEnabled<$true|$false>][-RetentionPolicy
<MailboxPolicyIdParameter>][-RetentionUrl
<String>][-RoleAssignmentPolicy<MailboxPolicyIdParameter>][RoomMailboxPassword<SecureString>][-RulesQuota
<ByteQuantifiedSize>][-SamAccountName<String>][-SCLDeleteEnabled<$true
|$false>][-SCLDeleteThreshold
<Int32>][-SCLJunkEnabled<$true|$false>][-SCLJunkThreshold<Int32>][SCLQuarantineEnabled<$true|$false>]
[-SCLQuarantineThreshold<Int32>][-SCLRejectEnabled<$true|$false>][SCLRejectThreshold<Int32>]
[-SecondaryAddress<String>][-SecondaryDialPlan<UMDialPlanIdParameter>]
[-SendModerationNotifications<Never|
Internal|Always>][-SharingPolicy<SharingPolicyIdParameter>][SimpleDisplayName<String>]
[-SingleItemRecoveryEnabled<$true|$false>][SkipMailboxProvisioningConstraintValidation<SwitchParameter>]
[-StartDateForRetentionHold<DateTime>][-TenantUpgrade<$true|$false>]
[-ThrottlingPolicy
<ThrottlingPolicyIdParameter>][-Type<Regular|Room|Equipment|
Shared>][-UMDataStorage<$true|$false>]
[-UMDtmfMap<MultiValuedProperty>][-UMGrammar<$true|$false>][UseDatabaseQuotaDefaults<$true|$false>]
[-UseDatabaseRetentionDefaults<$true|$false>][-UserCertificate
<MultiValuedProperty>][-UserPrincipalName
<String>][-UserSMimeCertificate<MultiValuedProperty>][-WhatIf
[<SwitchParameter>]][-WindowsEmailAddress
<SmtpAddress>][-WindowsLiveID<SmtpAddress>][<CommonParameters>]
Set-Mailbox-Identity<MailboxIdParameter>[-AcceptMessagesOnlyFrom
<MultiValuedProperty>]
[-AcceptMessagesOnlyFromDLMembers<MultiValuedProperty>][AcceptMessagesOnlyFromSendersOrMembers
<MultiValuedProperty>][-AddressBookPolicy
<AddressBookMailboxPolicyIdParameter>][-Alias<String>]
[-AntispamBypassEnabled<$true|$false>][-ApplyMandatoryProperties
<SwitchParameter>][-Arbitration
<SwitchParameter>][-ArbitrationMailbox<MailboxIdParameter>][ArchiveDatabase<DatabaseIdParameter>]
[-ArchiveDomain<SmtpDomain>][-ArchiveName<MultiValuedProperty>][ArchiveQuota<Unlimited>][-ArchiveStatus
<None|Active>][-ArchiveWarningQuota<Unlimited>][-AuditAdmin
<MultiValuedProperty>][-AuditDelegate
<MultiValuedProperty>][-AuditEnabled<$true|$false>][-AuditLog
<SwitchParameter>][-AuditLogAgeLimit
<EnhancedTimeSpan>][-AuditOwner<MultiValuedProperty>][BypassModerationFromSendersOrMembers
<MultiValuedProperty>][-CalendarLoggingQuota<Unlimited>][CalendarRepairDisabled<$true|$false>]
[-CalendarVersionStoreDisabled<$true|$false>][-ClientExtensions<$true
|$false>][-Confirm
[<SwitchParameter>]][-CreateDTMFMap<$true|$false>][-CustomAttribute1
<String>][-CustomAttribute10<String>]
[-CustomAttribute11<String>][-CustomAttribute12<String>][CustomAttribute13<String>][-CustomAttribute14
<String>][-CustomAttribute15<String>][-CustomAttribute2<String>][CustomAttribute3<String>]
[-CustomAttribute4<String>][-CustomAttribute5<String>][CustomAttribute6<String>][-CustomAttribute7
<String>][-CustomAttribute8<String>][-CustomAttribute9<String>][Database<DatabaseIdParameter>]
[-DefaultPublicFolderMailbox<RecipientIdParameter>][DeliverToMailboxAndForward<$true|$false>][-DisplayName
<String>][-DomainController<Fqdn>][-DowngradeHighPriorityMessagesEnabled
<$true|$false>]
[-DumpsterMessagesPerFolderCountReceiveQuota<Int32>][DumpsterMessagesPerFolderCountWarningQuota<Int32>]
[-EmailAddresses<ProxyAddressCollection>][-EmailAddressPolicyEnabled
<$true|$false>]
[-EnableRoomMailboxAccount<$true|$false>][-EndDateForRetentionHold
<DateTime>][-ExtendedPropertiesCountQuota
<Int32>][-ExtensionCustomAttribute1<MultiValuedProperty>][ExtensionCustomAttribute2<MultiValuedProperty>]
[-ExtensionCustomAttribute3<MultiValuedProperty>][ExtensionCustomAttribute4<MultiValuedProperty>]
[-ExtensionCustomAttribute5<MultiValuedProperty>][-ExternalOofOptions
<InternalOnly|External>]
[-FederatedIdentity<String>][-FolderHierarchyChildrenCountReceiveQuota
<Int32>]
[-FolderHierarchyChildrenCountWarningQuota<Int32>][FolderHierarchyDepthReceiveQuota<Int32>]
[-FolderHierarchyDepthWarningQuota<Int32>][-FoldersCountReceiveQuota
<Int32>][-FoldersCountWarningQuota
<Int32>][-Force<SwitchParameter>][-ForwardingAddress
<RecipientIdParameter>][-ForwardingSmtpAddress
<ProxyAddress>][-GMGen<$true|$false>][-GrantSendOnBehalfTo
<MultiValuedProperty>]
[-HiddenFromAddressListsEnabled<$true|$false>][-IgnoreDefaultScope
<SwitchParameter>]
[-ImListMigrationCompleted<$true|$false>][-ImmutableId<String>][InactiveMailbox<SwitchParameter>]
[-IsExcludedFromServingHierarchy<$true|$false>][-IsHierarchyReady
<$true|$false>][-IssueWarningQuota
<Unlimited>][-JournalArchiveAddress<SmtpAddress>][-Languages
<MultiValuedProperty>][-LinkedCredential
<PSCredential>][-LinkedDomainController<String>][-LinkedMasterAccount
<UserIdParameter>][-LitigationHoldDate
<DateTime>][-LitigationHoldDuration<Unlimited>][-LitigationHoldEnabled
<$true|$false>][-LitigationHoldOwner
<String>][-MailboxMessagesPerFolderCountReceiveQuota<Int32>][MailboxMessagesPerFolderCountWarningQuota
<Int32>][-MailboxPlan<MailboxPlanIdParameter>][MailboxProvisioningConstraint<MailboxProvisioningConstraint>]
[-MailboxProvisioningPreferences<MultiValuedProperty>][-MailRouting
<$true|$false>][-MailTip<String>]
[-MailTipTranslations<MultiValuedProperty>][-Management<$true|$false>]
[-MaxBlockedSenders<Int32>]
[-MaxReceiveSize<Unlimited>][-MaxSafeSenders<Int32>][-MaxSendSize
<Unlimited>]
[-MessageCopyForSendOnBehalfEnabled<$true|$false>][MessageCopyForSentAsEnabled<$true|$false>]
[-MessageTracking<$true|$false>][-MessageTrackingReadStatusEnabled
<$true|$false>]
[-MicrosoftOnlineServicesID<SmtpAddress>][-Migration<$true|$false>][ModeratedBy<MultiValuedProperty>]
[-ModerationEnabled<$true|$false>][-Name<String>][-NewPassword
<SecureString>][-OABGen<$true|$false>]
[-OABReplica<$true|$false>][-Office<String>][-OfflineAddressBook
<OfflineAddressBookIdParameter>]
[-OldPassword<SecureString>][-OMEncryption<$true|$false>][-Password
<SecureString>][-PrimarySmtpAddress
<SmtpAddress>][-ProhibitSendQuota<Unlimited>][-ProhibitSendReceiveQuota
<Unlimited>][-PstProvider<$true|
$false>][-PublicFolder<SwitchParameter>][-QueryBaseDN
<OrganizationalUnitIdParameter>]
[-QueryBaseDNRestrictionEnabled<$true|$false>][-RecipientLimits
<Unlimited>][-RecoverableItemsQuota
<Unlimited>][-RecoverableItemsWarningQuota<Unlimited>][RejectMessagesFrom<MultiValuedProperty>]
[-RejectMessagesFromDLMembers<MultiValuedProperty>][RejectMessagesFromSendersOrMembers<MultiValuedProperty>]
[-RemoteAccountPolicy<RemoteAccountPolicyIdParameter>][RemoteRecipientType<None|ProvisionMailbox|
ProvisionArchive|Migrated|DeprovisionMailbox|DeprovisionArchive|
RoomMailbox|EquipmentMailbox|
SharedMailbox|TeamMailbox>][-RemoveManagedFolderAndPolicy
<SwitchParameter>][-RemovePicture<SwitchParameter>]
[-RemoveSpokenName<SwitchParameter>][-RequireSenderAuthenticationEnabled
<$true|$false>]
[-ResetPasswordOnNextLogon<$true|$false>][-ResourceCapacity<Int32>][ResourceCustom<MultiValuedProperty>]
[-RetainDeletedItemsFor<EnhancedTimeSpan>][-RetainDeletedItemsUntilBackup
<$true|$false>][-RetentionComment
<String>][-RetentionHoldEnabled<$true|$false>][-RetentionPolicy
<MailboxPolicyIdParameter>][-RetentionUrl
<String>][-RoleAssignmentPolicy<MailboxPolicyIdParameter>][RoomMailboxPassword<SecureString>][-RulesQuota
<ByteQuantifiedSize>][-SamAccountName<String>][-SCLDeleteEnabled<$true
|$false>][-SCLDeleteThreshold
<Int32>][-SCLJunkEnabled<$true|$false>][-SCLJunkThreshold<Int32>][SCLQuarantineEnabled<$true|$false>]
[-SCLQuarantineThreshold<Int32>][-SCLRejectEnabled<$true|$false>][SCLRejectThreshold<Int32>]
[-SecondaryAddress<String>][-SecondaryDialPlan<UMDialPlanIdParameter>]
[-SendModerationNotifications<Never|
Internal|Always>][-SharingPolicy<SharingPolicyIdParameter>][SimpleDisplayName<String>]
[-SingleItemRecoveryEnabled<$true|$false>][SkipMailboxProvisioningConstraintValidation<SwitchParameter>]
[-StartDateForRetentionHold<DateTime>][-TenantUpgrade<$true|$false>]
[-ThrottlingPolicy
<ThrottlingPolicyIdParameter>][-Type<Regular|Room|Equipment|
Shared>][-UMDataStorage<$true|$false>]
[-UMDtmfMap<MultiValuedProperty>][-UMGrammar<$true|$false>][UseDatabaseQuotaDefaults<$true|$false>]
[-UseDatabaseRetentionDefaults<$true|$false>][-UserCertificate
<MultiValuedProperty>][-UserPrincipalName
<String>][-UserSMimeCertificate<MultiValuedProperty>][-WhatIf
[<SwitchParameter>]][-WindowsEmailAddress
<SmtpAddress>][-WindowsLiveID<SmtpAddress>][<CommonParameters>]
Set-Mailbox-Identity<MailboxIdParameter>[-AcceptMessagesOnlyFrom
<MultiValuedProperty>]
[-AcceptMessagesOnlyFromDLMembers<MultiValuedProperty>][AcceptMessagesOnlyFromSendersOrMembers
<MultiValuedProperty>][-AddressBookPolicy
<AddressBookMailboxPolicyIdParameter>][-Alias<String>]
[-AntispamBypassEnabled<$true|$false>][-ApplyMandatoryProperties
<SwitchParameter>][-Arbitration
<SwitchParameter>][-ArbitrationMailbox<MailboxIdParameter>][ArchiveDatabase<DatabaseIdParameter>]
[-ArchiveDomain<SmtpDomain>][-ArchiveName<MultiValuedProperty>][ArchiveQuota<Unlimited>][-ArchiveStatus
<None|Active>][-ArchiveWarningQuota<Unlimited>][-AuditAdmin
<MultiValuedProperty>][-AuditDelegate
<MultiValuedProperty>][-AuditEnabled<$true|$false>][-AuditLog
<SwitchParameter>][-AuditLogAgeLimit
<EnhancedTimeSpan>][-AuditOwner<MultiValuedProperty>][BypassModerationFromSendersOrMembers
<MultiValuedProperty>][-CalendarLoggingQuota<Unlimited>][CalendarRepairDisabled<$true|$false>]
[-CalendarVersionStoreDisabled<$true|$false>][-ClientExtensions<$true
|$false>][-Confirm
[<SwitchParameter>]][-CreateDTMFMap<$true|$false>][-CustomAttribute1
<String>][-CustomAttribute10<String>]
[-CustomAttribute11<String>][-CustomAttribute12<String>][CustomAttribute13<String>][-CustomAttribute14
<String>][-CustomAttribute15<String>][-CustomAttribute2<String>][CustomAttribute3<String>]
[-CustomAttribute4<String>][-CustomAttribute5<String>][CustomAttribute6<String>][-CustomAttribute7
<String>][-CustomAttribute8<String>][-CustomAttribute9<String>][Database<DatabaseIdParameter>]
[-DefaultPublicFolderMailbox<RecipientIdParameter>][DeliverToMailboxAndForward<$true|$false>][-DisplayName
<String>][-DomainController<Fqdn>][-DowngradeHighPriorityMessagesEnabled
<$true|$false>]
[-DumpsterMessagesPerFolderCountReceiveQuota<Int32>][DumpsterMessagesPerFolderCountWarningQuota<Int32>]
[-EmailAddresses<ProxyAddressCollection>][-EmailAddressPolicyEnabled
<$true|$false>]
[-EnableRoomMailboxAccount<$true|$false>][-EndDateForRetentionHold
<DateTime>][-ExtendedPropertiesCountQuota
<Int32>][-ExtensionCustomAttribute1<MultiValuedProperty>][ExtensionCustomAttribute2<MultiValuedProperty>]
[-ExtensionCustomAttribute3<MultiValuedProperty>][ExtensionCustomAttribute4<MultiValuedProperty>]
[-ExtensionCustomAttribute5<MultiValuedProperty>][-ExternalOofOptions
<InternalOnly|External>]
[-FederatedIdentity<String>][-FolderHierarchyChildrenCountReceiveQuota
<Int32>]
[-FolderHierarchyChildrenCountWarningQuota<Int32>][FolderHierarchyDepthReceiveQuota<Int32>]
[-FolderHierarchyDepthWarningQuota<Int32>][-FoldersCountReceiveQuota
<Int32>][-FoldersCountWarningQuota
<Int32>][-Force<SwitchParameter>][-ForwardingAddress
<RecipientIdParameter>][-ForwardingSmtpAddress
<ProxyAddress>][-GMGen<$true|$false>][-GrantSendOnBehalfTo
<MultiValuedProperty>]
[-HiddenFromAddressListsEnabled<$true|$false>][-IgnoreDefaultScope
<SwitchParameter>]
[-ImListMigrationCompleted<$true|$false>][-ImmutableId<String>][InactiveMailbox<SwitchParameter>]
[-IsExcludedFromServingHierarchy<$true|$false>][-IsHierarchyReady
<$true|$false>][-IssueWarningQuota
<Unlimited>][-JournalArchiveAddress<SmtpAddress>][-Languages
<MultiValuedProperty>][-LinkedCredential
<PSCredential>][-LinkedDomainController<String>][-LinkedMasterAccount
<UserIdParameter>][-LitigationHoldDate
<DateTime>][-LitigationHoldDuration<Unlimited>][-LitigationHoldEnabled
<$true|$false>][-LitigationHoldOwner
<String>][-MailboxMessagesPerFolderCountReceiveQuota<Int32>][MailboxMessagesPerFolderCountWarningQuota
<Int32>][-MailboxPlan<MailboxPlanIdParameter>][MailboxProvisioningConstraint<MailboxProvisioningConstraint>]
[-MailboxProvisioningPreferences<MultiValuedProperty>][-MailRouting
<$true|$false>][-MailTip<String>]
[-MailTipTranslations<MultiValuedProperty>][-Management<$true|$false>]
[-MaxBlockedSenders<Int32>]
[-MaxReceiveSize<Unlimited>][-MaxSafeSenders<Int32>][-MaxSendSize
<Unlimited>]
[-MessageCopyForSendOnBehalfEnabled<$true|$false>][MessageCopyForSentAsEnabled<$true|$false>]
[-MessageTracking<$true|$false>][-MessageTrackingReadStatusEnabled
<$true|$false>]
[-MicrosoftOnlineServicesID<SmtpAddress>][-Migration<$true|$false>][ModeratedBy<MultiValuedProperty>]
[-ModerationEnabled<$true|$false>][-Name<String>][-NewPassword
<SecureString>][-OABGen<$true|$false>]
[-OABReplica<$true|$false>][-Office<String>][-OfflineAddressBook
<OfflineAddressBookIdParameter>]
[-OldPassword<SecureString>][-OMEncryption<$true|$false>][-Password
<SecureString>][-PrimarySmtpAddress
<SmtpAddress>][-ProhibitSendQuota<Unlimited>][-ProhibitSendReceiveQuota
<Unlimited>][-PstProvider<$true|
$false>][-PublicFolder<SwitchParameter>][-QueryBaseDN
<OrganizationalUnitIdParameter>]
[-QueryBaseDNRestrictionEnabled<$true|$false>][-RecipientLimits
<Unlimited>][-RecoverableItemsQuota
<Unlimited>][-RecoverableItemsWarningQuota<Unlimited>][RejectMessagesFrom<MultiValuedProperty>]
[-RejectMessagesFromDLMembers<MultiValuedProperty>][RejectMessagesFromSendersOrMembers<MultiValuedProperty>]
[-RemoteAccountPolicy<RemoteAccountPolicyIdParameter>][RemoteRecipientType<None|ProvisionMailbox|
ProvisionArchive|Migrated|DeprovisionMailbox|DeprovisionArchive|
RoomMailbox|EquipmentMailbox|
SharedMailbox|TeamMailbox>][-RemoveManagedFolderAndPolicy
<SwitchParameter>][-RemovePicture<SwitchParameter>]
[-RemoveSpokenName<SwitchParameter>][-RequireSenderAuthenticationEnabled
<$true|$false>]
[-ResetPasswordOnNextLogon<$true|$false>][-ResourceCapacity<Int32>][ResourceCustom<MultiValuedProperty>]
[-RetainDeletedItemsFor<EnhancedTimeSpan>][-RetainDeletedItemsUntilBackup
<$true|$false>][-RetentionComment
<String>][-RetentionHoldEnabled<$true|$false>][-RetentionPolicy
<MailboxPolicyIdParameter>][-RetentionUrl
<String>][-RoleAssignmentPolicy<MailboxPolicyIdParameter>][RoomMailboxPassword<SecureString>][-RulesQuota
<ByteQuantifiedSize>][-SamAccountName<String>][-SCLDeleteEnabled<$true
|$false>][-SCLDeleteThreshold
<Int32>][-SCLJunkEnabled<$true|$false>][-SCLJunkThreshold<Int32>][SCLQuarantineEnabled<$true|$false>]
[-SCLQuarantineThreshold<Int32>][-SCLRejectEnabled<$true|$false>][SCLRejectThreshold<Int32>]
[-SecondaryAddress<String>][-SecondaryDialPlan<UMDialPlanIdParameter>]
[-SendModerationNotifications<Never|
Internal|Always>][-SharingPolicy<SharingPolicyIdParameter>][SimpleDisplayName<String>]
[-SingleItemRecoveryEnabled<$true|$false>][SkipMailboxProvisioningConstraintValidation<SwitchParameter>]
[-StartDateForRetentionHold<DateTime>][-TenantUpgrade<$true|$false>]
[-ThrottlingPolicy
<ThrottlingPolicyIdParameter>][-Type<Regular|Room|Equipment|
Shared>][-UMDataStorage<$true|$false>]
[-UMDtmfMap<MultiValuedProperty>][-UMGrammar<$true|$false>][UseDatabaseQuotaDefaults<$true|$false>]
[-UseDatabaseRetentionDefaults<$true|$false>][-UserCertificate
<MultiValuedProperty>][-UserPrincipalName
<String>][-UserSMimeCertificate<MultiValuedProperty>][-WhatIf
[<SwitchParameter>]][-WindowsEmailAddress
<SmtpAddress>][-WindowsLiveID<SmtpAddress>][<CommonParameters>]
DESCRIPTION
You can use this cmdlet for one mailbox at a time. To perform bulk
management, you can pipeline the output of
various Get- cmdlets (for example, the Get-Mailbox or Get-User cmdlets) and
configure several mailboxes in a
single-line command. You can also use the Set-Mailbox cmdlet in scripts.
You need to be assigned permissions before you can run this cmdlet.
Although all parameters for this cmdlet are
listed in this topic, you may not have access to some parameters if they're
not included in the permissions
assigned to you. To see what permissions you need, see the "Recipient
Provisioning Permissions" section in the
Recipients Permissions topic.
RELATED LINKS
Online Version http://technet.microsoft.com/EN-US/library/a0d413b9-d9494df6-ba96-ac0906dedae2(EXCHG.160).aspx
REMARKS
To see the examples, type: "get-help Set-Mailbox -examples".
For more information, type: "get-help Set-Mailbox -detailed".
For technical information, type: "get-help Set-Mailbox -full".
For online help, type: "get-help Set-Mailbox -online"
The Set-Mailbox -? command generates a lot of output to the screen, and it is
compressed into a hard-to-read format. Because the Set-Mailbox cmdlet is
manipulating the same object as the Get-Mailbox cmdlet, you could also use the
following command to view all the properties that have been set on a particular
mailbox (Oliver in this example):
Get-Mailbox Oliver | Format-List
RunspaceId:0ba072d8-b808-472c-a1c0-ddbc58118450
Database:MailboxDatabase1
MailboxProvisioningConstraint:
MessageCopyForSentAsEnabled:False
MessageCopyForSendOnBehalfEnabled:False
MailboxProvisioningPreferences:{}
UseDatabaseRetentionDefaults:True
RetainDeletedItemsUntilBackup:False
DeliverToMailboxAndForward:False
IsExcludedFromServingHierarchy:False
IsHierarchyReady:True
HasSnackyAppData:False
LitigationHoldEnabled:False
SingleItemRecoveryEnabled:False
RetentionHoldEnabled:False
EndDateForRetentionHold:
StartDateForRetentionHold:
RetentionComment:
RetentionUrl:
LitigationHoldDate:
LitigationHoldOwner:
LitigationHoldDuration:Unlimited
ManagedFolderMailboxPolicy:
RetentionPolicy:
AddressBookPolicy:
CalendarRepairDisabled:False
ExchangeGuid:4e417359-f557-4213-bc98-9e6982168d0c
MailboxContainerGuid:
UnifiedMailbox:
MailboxLocations:{1;4e417359-f557-4213-bc98-9e6982168d0c;Primary;Contoso.com;c421c171-bc76-4543-8b2f-43b2e92cc4a3}
AggregatedMailboxGuids:{}
ExchangeSecurityDescriptor:System.Security.AccessControl.RawSecurityDescriptor
ExchangeUserAccountControl:None
AdminDisplayVersion:Version 15.1 (Build 225.42)
MessageTrackingReadStatusEnabled:True
ExternalOofOptions:External
ForwardingAddress:
ForwardingSmtpAddress:
RetainDeletedItemsFor:14.00:00:00
IsMailboxEnabled:True
Languages:{}
OfflineAddressBook:
ProhibitSendQuota:Unlimited
ProhibitSendReceiveQuota:Unlimited
RecoverableItemsQuota:30 GB (32,212,254,720 bytes)
RecoverableItemsWarningQuota:20 GB (21,474,836,480 bytes)
CalendarLoggingQuota:6 GB (6,442,450,944 bytes)
DowngradeHighPriorityMessagesEnabled:False
ProtocolSettings:{}
RecipientLimits:Unlimited
ImListMigrationCompleted:False
IsResource:False
IsLinked:False
IsShared:False
IsRootPublicFolderMailbox:False
LinkedMasterAccount:
ResetPasswordOnNextLogon:False
ResourceCapacity:
ResourceCustom:{}
ResourceType:
RoomMailboxAccountEnabled:
SamAccountName:Oliver
SCLDeleteThreshold:
SCLDeleteEnabled:
SCLRejectThreshold:
SCLRejectEnabled:
SCLQuarantineThreshold:
SCLQuarantineEnabled:
SCLJunkThreshold:
SCLJunkEnabled:
AntispamBypassEnabled:False
ServerLegacyDN:/o=ContosoOrg/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=NYC-EX1
ServerName:ex1
UseDatabaseQuotaDefaults:True
IssueWarningQuota:Unlimited
RulesQuota:256 KB (262,144 bytes)
Office:
UserPrincipalName:[email protected]
UMEnabled:False
MaxSafeSenders:
MaxBlockedSenders:
NetID:
ReconciliationId:
WindowsLiveID:
MicrosoftOnlineServicesID:
ThrottlingPolicy:
RoleAssignmentPolicy:Default Role Assignment Policy
DefaultPublicFolderMailbox:
EffectivePublicFolderMailbox:
SharingPolicy:Default Sharing Policy
RemoteAccountPolicy:
MailboxPlan:
ArchiveDatabase:
ArchiveGuid:00000000-0000-0000-0000-000000000000
ArchiveName:{}
JournalArchiveAddress:
ArchiveQuota:100 GB (107,374,182,400 bytes)
ArchiveWarningQuota:90 GB (96,636,764,160 bytes)
ArchiveDomain:
ArchiveStatus:None
ArchiveState:None
DisabledMailboxLocations:False
RemoteRecipientType:None
DisabledArchiveDatabase:
DisabledArchiveGuid:00000000-0000-0000-0000-000000000000
QueryBaseDN:
QueryBaseDNRestrictionEnabled:False
MailboxMoveTargetMDB:
MailboxMoveSourceMDB:
MailboxMoveFlags:None
MailboxMoveRemoteHostName:
MailboxMoveBatchName:
MailboxMoveStatus:None
MailboxRelease:
ArchiveRelease:
IsPersonToPersonTextMessagingEnabled:False
IsMachineToPersonTextMessagingEnabled:False
UserSMimeCertificate:{}
UserCertificate:{}
CalendarVersionStoreDisabled:False
ImmutableId:
PersistedCapabilities:{}
SKUAssigned:
AuditEnabled:False
AuditLogAgeLimit:90.00:00:00
AuditAdmin:{Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate:{Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner:{}
WhenMailboxCreated:3/20/2016 11:49:39 PM
SourceAnchor:
UsageLocation:
IsSoftDeletedByRemove:False
IsSoftDeletedByDisable:False
IsInactiveMailbox:False
IncludeInGarbageCollection:False
WhenSoftDeleted:
InPlaceHolds:{}
GeneratedOfflineAddressBooks:{}
AccountDisabled:False
StsRefreshTokensValidFrom:
Extensions:{}
HasPicture:False
HasSpokenName:False
AcceptMessagesOnlyFrom:{}
AcceptMessagesOnlyFromDLMembers:{}
AcceptMessagesOnlyFromSendersOrMembers:{}
AddressListMembership:{\Mailboxes(VLV), \All Mailboxes(VLV), \All Recipients(VLV), \Default Global Address List, \All Users}
Alias:Oliver
ArbitrationMailbox:
BypassModerationFromSendersOrMembers:{}
OrganizationalUnit:contoso.com/Sales
CustomAttribute1:
CustomAttribute10:
CustomAttribute11:
CustomAttribute12:
CustomAttribute13:
CustomAttribute14:
CustomAttribute15:
CustomAttribute2:
CustomAttribute3:
CustomAttribute4:
CustomAttribute5:
CustomAttribute6:
CustomAttribute7:
CustomAttribute8:
CustomAttribute9:
ExtensionCustomAttribute1:{}
ExtensionCustomAttribute2:{}
ExtensionCustomAttribute3:{}
ExtensionCustomAttribute4:{}
ExtensionCustomAttribute5:{}
DisplayName:Oliver Lee
EmailAddresses:{SMTP:[email protected]}
GrantSendOnBehalfTo:{}
ExternalDirectoryObjectId:
HiddenFromAddressListsEnabled:False
LastExchangeChangedTime:
LegacyExchangeDN:/o=ContosoOrg/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=4ae68cb0a00d48769bd97945e13b3f43-OliverLee
MaxSendSize:Unlimited
MaxReceiveSize:Unlimited
ModeratedBy:{}
ModerationEnabled:False
PoliciesIncluded:{98dda7b4-7ba7-4bf3-8de3-1cd7e78066aa, {26491cfc-9e50-4857-861b-0cb8df22b5d7}}
PoliciesExcluded:{}
EmailAddressPolicyEnabled:True
PrimarySmtpAddress:[email protected]
RecipientType:UserMailbox
RecipientTypeDetails:UserMailbox
RejectMessagesFrom:{}
RejectMessagesFromDLMembers:{}
RejectMessagesFromSendersOrMembers:{}
RequireSenderAuthenticationEnabled:False
SimpleDisplayName:
SendModerationNotifications:Always
UMDtmfMap:{emailAddress:654837, lastNameFirstName:533654837, firstNameLastName:654837533}
WindowsEmailAddress:[email protected]
MailTip:
MailTipTranslations:{}
Identity:Contoso.com/Sales/Oliver Lee
IsValid:True
ExchangeVersion:0.20 (15.0.0.0)
Name:Oliver Lee
DistinguishedName:CN=Oliver Lee,OU=Sales,DC=Contoso,DC=com
Guid:b3578263-b81c-40be-91b8-721f21b99da2
ObjectCategory:Contoso.com/Configuration/Schema/Person
ObjectClass:{top, person, organizationalPerson, user}
WhenChanged:3/20/2016 11:49:39 PM
WhenCreated:10/21/2013 11:31:35 PM
WhenChangedUTC:3/21/2016 6:49:39 AM
WhenCreatedUTC:10/22/2013 6:31:35 AM
OrganizationId:
Id:Contoso.com/Sales/Oliver Lee
OriginatingServer:DC1.Contoso.com
ObjectState:Unchanged
Note that some of the properties you see as a result of a Get- cmdlet cannot be set
because they are system-controlled properties or they are manipulated using other
cmdlets, such as ExchangeGuid or Database.
The third way to view all of the properties associated with an object is simply to use
the Get-Member cmdlet. Here is an example where the Get-Mailbox cmdlet pipes its
output to the Get-Member cmdlet and filters only the members that are properties.
Because a full listing would include a few pages of information you can easily look up
yourself and will provide little value to this discussion, the output is only a partial
listing:
   TypeName: Microsoft.Exchange.Data.Directory.Management.Mailbox
Name                                   MemberType Definition
----                                   ---------- ----------
AcceptMessagesOnlyFrom                 Property   Microsoft.Exchange.Data.MultiValuedProperty[Microsoft.Exchange.Dat…
AcceptMessagesOnlyFromDLMembers        Property   Microsoft.Exchange.Data.MultiValuedProperty[Microsoft.Exchange.Dat…
AcceptMessagesOnlyFromSendersOrMembers Property   Microsoft.Exchange.Data.MultiValuedProperty[Microsoft.Exchange.Dat…
AccountDisabled                        Property   bool AccountDisabled {get;set;}
AddressBookPolicy                      Property   Microsoft.Exchange.Data.Directory.ADObjectId AddressBookPolicy {ge…
AddressListMembership                  Property   Microsoft.Exchange.Data.MultiValuedProperty[Microsoft.Exchange.Dat…
AdminDisplayVersion                    Property   Microsoft.Exchange.Data.ServerVersion AdminDisplayVersion {get;}
AggregatedMailboxGuids                 Property   Microsoft.Exchange.Data.MultiValuedProperty[guid] AggregatedMailbo…
Alias                                  Property   string Alias {get;set;}
AntispamBypassEnabled                  Property   bool AntispamBypassEnabled {get;set;}
ArbitrationMailbox                     Property   Microsoft.Exchange.Data.Directory.ADObjectId ArbitrationMailbox {g…
ArchiveDatabase                        Property   Microsoft.Exchange.Data.Directory.ADObjectId ArchiveDatabase {get;}
ArchiveDomain                          Property   Microsoft.Exchange.Data.SmtpDomain ArchiveDomain {get;set;}
ArchiveGuid                            Property   guid ArchiveGuid {get;}
ArchiveName                            Property   Microsoft.Exchange.Data.MultiValuedProperty[string] ArchiveName {g…
ArchiveQuota                           Property   Microsoft.Exchange.Data.Unlimited[Microsoft.Exchange.Data.ByteQuan…
ArchiveRelease                         Property   string ArchiveRelease {get;}
ArchiveState                           Property   Microsoft.Exchange.Data.Directory.Recipient.ArchiveState ArchiveSt…
Formatting Output
If you look at the output of the Get-Mailbox cmdlet shown in Figure 5.1, you might be
tempted to think that the output capabilities of PowerShell are limited, but this is far
from the truth. The default output of the Get-Mailbox cmdlet is a formatted table with
the Name, Alias, ServerName, and ProhibitSendQuota properties as columns. However,
you can select the properties you want by merely piping the output of the Get-Mailbox
cmdlet to either the Format-Table (FT for short), Format-List (FL for short), or Select
cmdlet:
Get-Mailbox | FT Name,ProhibitSendQuota,ProhibitSendReceiveQuota
Figure 5.2 shows the output of the preceding command.
Figure 5.2 Formatting output into a formatted table
The output of the Get-Mailbox cmdlet was directed to the Format-Table or FT cmdlet;
the result was columns for the Name, ProhibitSendQuota, and ProhibitSendReceiveQuota
limits.
You may be wondering how you can learn all the properties of an object. The default
output of the Get-Mailbox cmdlet, for example, is probably not the most useful for
your organization. We discuss getting help in PowerShell and the Exchange
Management Shell later in this chapter, but here is a simple trick to see all the
properties of an object: just direct the output of a Get- cmdlet to the Format-List (FL for
short) cmdlet instead of the default Format-Table cmdlet.
When you direct the output of a cmdlet, such as Get-Mailbox, to the Format-List cmdlet,
you will see all the properties for that object. Figure 5.3 shows an example where we
have directed the output of a Get-Mailbox cmdlet to the FL (Format-List) cmdlet. You
will notice in Figure 5.3 that the properties filled up more than one screen. However,
you will find that outputting all the properties of an object using the Format-List
cmdlet is very useful if you need to know specific property names.
Figure 5.3 Formatting output to a formatted list
The command we used is as follows:
Get-Mailbox "Alan Steiner" | Format-List
Directing Output to Other Cmdlets
You have already seen a couple of examples where we used the pipe symbol (|) to
direct the output of one command to be used as input for the next command, such as
Get-Mailbox | Format-Table. You can do this because PowerShell commands act on
objects, not just text. Unlike with other shells or scripting languages, you don't have to
use string commands or variables to pass data from one command to another. The
result is that you can use a single line to perform a query and complex task—
something that might have required hundreds of lines of programming in the past.
One of our favorite examples is making specific changes to a group of people's
mailboxes. Let's say you need to ensure that all executives in your organization can
send and receive a message that is up to 50 MB in size rather than the default 10 MB
to which the system limits the user. Earlier we showed you how you could get the
properties of the mailbox that you were interested in, such as the MaxSendSize and
MaxReceiveSize properties.
First, let's use the Get-DistributionGroupMember cmdlet to retrieve the members of the
Executives distribution group:
Get-DistributionGroupMember "Executives"
Name              RecipientType
----              -------------
Zainal Arifin     UserMailbox
Sameer Athalye    UserMailbox
Adam Barr         UserMailbox
Anna Bedecs       UserMailbox
Dana Birkby       UserMailbox
Tomasz Bochenek   UserMailbox
Bryan Bredehoeft  UserMailbox
Derek Brown       UserMailbox
Randy Byrne       UserMailbox
Remember that although you see the text listing of the group members, what is
actually output are objects representing each of the members.
It is important to note that while piping the output of one cmdlet as input for
another cmdlet works frequently, it does not work all the time. Piping input to a
cmdlet will always work when the noun used by the two cmdlets is the same, such
as this:
Get-Mailbox -Server Ex1 | Set-Mailbox -CustomAttribute1 "I am on a great server!"
For cmdlets that do not support piping between them, you can usually use a trick,
such as using the foreach cmdlet to process the data.
So, now let's pipe the output of that cmdlet to the Set-Mailbox cmdlet and do some real
work! To change the maximum incoming and outgoing message size for the members
of the Executives group, you would type the following command:
Get-DistributionGroupMember "Executives" | Set-Mailbox -MaxSendSize:50MB -MaxReceiveSize:50MB -UseDatabaseRetentionDefaults:$False
Notice that the Set-Mailbox cmdlet did not require any input because it will take as
input the objects that are output from Get-DistributionGroupMember. When you run
these two commands, there will be no output unless you have specified other options.
But you can easily check the results by requesting the membership of the Executives
group, piping that to the Get-Mailbox cmdlet, and then piping that output to the
Format-Table cmdlet, as shown here:
Name              MaxSendSize               MaxReceiveSize
----              -----------               --------------
Zainal Arifin     50 MB (52,428,800 bytes)  50 MB (52,428,800 bytes)
Sameer Athalye    50 MB (52,428,800 bytes)  50 MB (52,428,800 bytes)
Adam Barr         50 MB (52,428,800 bytes)  50 MB (52,428,800 bytes)
Anna Bedecs       50 MB (52,428,800 bytes)  50 MB (52,428,800 bytes)
Dana Birkby       50 MB (52,428,800 bytes)  50 MB (52,428,800 bytes)
Tomasz Bochenek   50 MB (52,428,800 bytes)  50 MB (52,428,800 bytes)
Bryan Bredehoeft  50 MB (52,428,800 bytes)  50 MB (52,428,800 bytes)
Derek Brown       50 MB (52,428,800 bytes)  50 MB (52,428,800 bytes)
Randy Byrne       50 MB (52,428,800 bytes)  50 MB (52,428,800 bytes)
Pretty cool, eh? After just a few minutes working with PowerShell and the EMS
extensions, we hope that you will be as pleased with the ease-of-use as we are.
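The pipeline binding described in this section, as an added PowerShell example that is not from the book or from Exchange: Set-DemoMailboxLimit is a hypothetical stand-in for Set-Mailbox, and the member objects and identities are constructed sample data. It shows a piped object supplying -Identity by property name, a RecipientType filter for groups that hold non-mailbox members, and a -WhatIf preview (a switch listed in the Set-Mailbox syntax earlier) before a bulk change is committed.

```powershell
# Added illustration; Set-DemoMailboxLimit is a hypothetical stand-in for
# Set-Mailbox so the pipeline mechanics can be run without an Exchange server.
function Set-DemoMailboxLimit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Filled from the Identity property of each piped object, so the
        # caller never types -Identity.
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$Identity,

        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 150)]
        [int]$MaxSizeMB
    )
    process {
        # Runs once per piped object. With -WhatIf, ShouldProcess prints the
        # intended action and returns $false, so nothing is changed.
        if ($PSCmdlet.ShouldProcess($Identity, "Set send/receive limit to $MaxSizeMB MB")) {
            [pscustomobject]@{
                Identity       = $Identity
                MaxSendSize    = "$MaxSizeMB MB"
                MaxReceiveSize = "$MaxSizeMB MB"
            }
        }
    }
}

# Constructed sample data shaped like Get-DistributionGroupMember output.
$members = @(
    [pscustomobject]@{ Name = 'Zainal Arifin';  Identity = 'contoso.com/Sales/Zainal Arifin';  RecipientType = 'UserMailbox' }
    [pscustomobject]@{ Name = 'Sameer Athalye'; Identity = 'contoso.com/Sales/Sameer Athalye'; RecipientType = 'UserMailbox' }
    [pscustomobject]@{ Name = 'Vendor Contact'; Identity = 'contoso.com/Sales/Vendor Contact'; RecipientType = 'MailContact' }
)

# A distribution group can also contain contacts or nested groups, which a
# mailbox cmdlet cannot modify, so keep only the mailbox objects.
$targets = $members | Where-Object { $_.RecipientType -eq 'UserMailbox' }

# 1. Preview: prints one "What if:" line per mailbox and changes nothing.
$targets | Set-DemoMailboxLimit -MaxSizeMB 50 -WhatIf

# 2. Apply, then confirm the result in a table, as the chapter does.
$changed = $targets | Set-DemoMailboxLimit -MaxSizeMB 50
$changed | Format-Table Identity, MaxSendSize, MaxReceiveSize -AutoSize
```

Against a real server, the same two-step pattern is the chapter's pipeline run first with -WhatIf appended to Set-Mailbox and then without it.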
PowerShell v3, v4, and v5
Exchange Server 2016 uses PowerShell version 4 (v4). Exchange Server 2013 uses
PowerShell v3, whereas Exchange Server 2010 used PowerShell v2 and Exchange
Server 2007 used the power of PowerShell v1 (or v2 with Exchange Server 2007 SP2).
PowerShell v3 includes some amazing features, like remoting and eventing, which
enable it to manage any IT environment even better than before. PowerShell v4,
standard on Windows Server 2012 R2, added Desired State Configuration (DSC) and a
few minor enhancements, but not as many as v3. PowerShell v5, standard on
Windows Server 2016, adds more programming-like power to PowerShell, including
the ability to develop by using classes like object-oriented programming languages.
Remote PowerShell
Exchange Server 2010 and later doesn't use local PowerShell anymore but relies on
remote PowerShell to manage its roles.
You won't see any difference between using remote or local shell to manage Exchange
Server. When you click the EMS shortcut, Windows PowerShell connects to the
closest Exchange server using Windows Remote Management, performs an
authentication check, and then creates a remote session for you to use. It's thanks to
Remote PowerShell that Role-Based Access Control (RBAC) can be fully implemented.
(For more information about RBAC, refer to Chapter 12, “Management Permissions
and Role-Based Access Control.”)
Another advantage of introducing Remote PowerShell is the ability to launch the shell
and manage your Exchange servers by connecting to an Exchange server without
requiring you to install the management tools locally on that machine; this was a
requirement back in Exchange Server 2007.
Tips and Tricks
In this section, we discuss handling data output, sending output to a file, sending
email from the PowerShell, and debugging.
Managing Output
Let's start by exploring how to massage or manipulate the output of PowerShell and
EMS cmdlets. In this section, we are going to focus on the Get-MailboxStatistics
cmdlet; we are using this cmdlet in our example because in our opinion its default
output format is the least desirable of all the EMS cmdlets. Whoever set the defaults
for this cmdlet's output clearly expected the user to be proficient at manipulating the
output.
If you are coming from an Exchange Server 2007 environment, you may be used to
running the Get-MailboxStatistics cmdlet with no parameters. Exchange Server 2013
and later expects you to specify either a mailbox name, server name (-Server), or
mailbox database (-Database) in the command line. Here is an example of the
Get-MailboxStatistics cmdlet's output specifying a mailbox server:
Get-MailboxStatistics -Server Ex1
DisplayName               ItemCount  StorageLimitStatus  LastLogonTime
-----------               ---------  ------------------  -------------
John Park                 7          BelowLimit
SystemMailbox{21db5e47…   1          BelowLimit
Chuck Swanson             6          BelowLimit
Online Archive - Tyler…   0          NoChecking
Microsoft Exchange        1          BelowLimit
Microsoft Exchange App…   1          BelowLimit
Gillian Katz              7          BelowLimit
Administrator             2          BelowLimit          8/9/2016 1:24:44 AM
Jim McBee                 6          BelowLimit
Discovery Search Mailbox  1          BelowLimit
Clayton K. Kamiya         27         NoChecking          7/24/2016 12:17:44 AM
Microsoft Exchange App…   1          BelowLimit
Tyler M. Swartz           6          BelowLimit
Julie R. Samante          6          BelowLimit
Michael G. Brown          9          BelowLimit
Jonathan Long             6          BelowLimit
SystemMailbox{94c22976…   1          BelowLimit
Kevin Wile                8          BelowLimit
John Rodriguez            6          BelowLimit
Anita Velez               6          BelowLimit
Obviously, this output is not very useful for most of us.
Output to Lists or Tables
Keep in mind that internally, when PowerShell is retrieving data, everything is treated
as an object. However, when you are displaying something to the screen, you see just
the textual information. Most cmdlets output data to a formatted table, but you can
also output the data to a formatted list using the Format-List cmdlet or FL alias. Here
is an example of piping a single mailbox's statistics to the Format-List cmdlet:
[PS] C:\>Get-MailboxStatistics "Clayton K. Kamiya" | Format-List
RunspaceId:3a8e6797-44a5-4c71-8a21-3022b379cb57
AssociatedItemCount:16
DeletedItemCount:0
DisconnectDate:
DisplayName:Clayton K. Kamiya
ItemCount:27
LastLoggedOnUserAccount:contoso\Clayton.Kamiya
LastLogoffTime:7/24/2016 9:54:13 AM
LastLogonTime:7/24/2016 12:17:44 AM
LegacyDN:/O=Contoso/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=CLAYTONK.KAMIYA
MailboxGuid:a9e676e9-f67b-4206-817e-ad07eca52659
ObjectClass:Mailbox
StorageLimitStatus:NoChecking
TotalDeletedItemSize:0 B (0 bytes)
TotalItemSize:949.5 KB (972,245 bytes)
Database:MBX1
ServerName:NYC-EX1
DatabaseName:MBX1
MoveHistory:
IsQuarantined:False
IsArchiveMailbox:False
Identity:a9e676e9-f67b-4206-817e-ad07eca52659
MapiIdentity:a9e676e9-f67b-4206-817e-ad07eca52659
OriginatingServer:NYC-EX1.contoso.com
IsValid:True
This example shows you all the properties that can be displayed via the
Get-MailboxStatistics cmdlet.
The following are the default results of filtering the command through the
Format-Table or FT alias:
Get-MailboxStatistics "Clayton K. Kamiya" | FT
DisplayName     ItemCount  StorageLimitStatus  LastLogonTime
-----------     ---------  ------------------  -------------
Clayton Kamiya  1063       BelowLimit          8/9/2016 1:33:31 PM
However, the Format-Table and Format-List cmdlets allow you to specify which
properties you want to see in the output list. Let's say that you want to see the user's
name, item count, and total item size. Here's the command you would use:
Get-MailboxStatistics "Clayton Kamiya" | FT DisplayName, ItemCount, TotalItemSize
DisplayName        ItemCount  TotalItemSize
-----------        ---------  -------------
Clayton K. Kamiya  1063       4.00 MB (4,190,207 bytes)
There we go—that is a bit more useful.
Sorting and Grouping Output
Any output can also be sorted based on any of the properties that you are going to
display. If you are using the Format-Table command, you can also group the output by
properties. First, let's go back and look at the original example where we are
outputting all the mailbox statistics for the local mailbox server. Let's say we are
interested in sorting by the maximum mailbox size. To do so, we can pipe the output
of Get-MailboxStatistics to the Sort-Object cmdlet. Here is an example:
Get-Mailbox | Get-MailboxStatistics -Server Ex1 | Sort-Object TotalItemSize -Descending | Format-Table DisplayName, ItemCount, TotalItemsize
DisplayName     ItemCount  TotalItemSize
-----------     ---------  -------------
Mike Brown      306        22.92 MB (24,030,192 bytes)
Clayton Kamiya  1063       21.34 MB (22,376,612 bytes)
Lawrence Cohen  2          221.3 KB (226,596 bytes)
Oliver Cohen    2          71.75 KB (73,469 bytes)
Brian Tirch     2          50.00 KB (51,200 bytes)
Elias Mereb     6          50.00 KB (51,200 bytes)
This example used the command Sort-Object TotalItemSize -Descending, but we could
also have used the -Ascending option. There are several far more sophisticated
examples in PowerShell help.
We can take this a step further when using the Format-Table cmdlet by adding a
GroupBy option. Here is an example where we are exporting this data and grouping it
using the StorageLimitStatus property:
Get-Mailbox | Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | Format-Table DisplayName, ItemCount, TotalItemSize -GroupBy StorageLimitStatus
StorageLimitStatus: MailboxDisabled
DisplayName     ItemCount  TotalItemSize
-----------     ---------  -------------
Mike Brown      314        21.25 MB (21,763 bytes)
StorageLimitStatus: ProhibitSend
DisplayName     ItemCount  TotalItemSize
-----------     ---------  -------------
Clayton Kamiya  1066       5.02 MB (5,145 bytes)
StorageLimitStatus: BelowLimit
DisplayName     ItemCount  TotalItemSize
-----------     ---------  -------------
Lawrence Cohen  8          1.09 MB (1,119 bytes)
Oliver Cohen    6          286 B (286 bytes)
Oren Pinto      6          286 B (286 bytes)
Output to File
Outputting data to the screen is great, but it does not help you with reports. You can
also output data to CSV and XML files. Two cmdlets make this easy to do:
Export-Csv exports the data to a CSV file.
Export-Clixml exports the data to an XML file.
Simply direct the output you want sent to a file, and these cmdlets will take care of
converting the data to the proper format. Let's take our earlier example where we want
a report of all mailboxes and their ProhibitSend and ProhibitSendAndReceive limits.
We can't use the Format-Table cmdlet in this instance; we have to use the
Select-Object or Select cmdlet to specify the output because we will be directing this output
to another cmdlet. Here is an example of the Get-Mailbox cmdlet when using the
Select command:
Get-Mailbox | Select Name,ProhibitSendQuota,ProhibitSendReceiveQuota
The output of this cmdlet is shown here:
Name              ProhibitSendQuota  ProhibitSendReceiveQuota
----              -----------------  ------------------------
Oren Pinto        unlimited          unlimited
Zachary Elfassy   unlimited          unlimited
Zoe Elfassy       unlimited          unlimited
Savannah Elfassy  unlimited          unlimited
Mike Brown        unlimited          unlimited
Dan Holme         unlimited          unlimited
Russ Zimmer       unlimited          unlimited
Tyler Swartz      unlimited          unlimited
Chris Pfennig     unlimited          unlimited
To direct this output to the C:\report.csv file, we simply pipe it to the Export-Csv
cmdlet as shown here:
Get-Mailbox | Select Name,ProhibitSendQuota,ProhibitSendReceiveQuota | Export-Csv c:\report.csv
If you want to export the report to an XML file, simply use the Export-Clixml cmdlet
instead of Export-Csv.
Finally, just as when working with the DOS prompt, you can redirect output of a
command to a text file. To send the output of the Get-Mailbox to the file
c:\mailboxes.txt, you would type this:
Get-Mailbox > c:\mailboxes.txt
Putting It All Together
Let's consider one more example of Get-MailboxStatistics piping. Hopefully, this will
be an example you can use in the future. We will create a report of the mailbox
statistics using the Get-MailboxStatistics cmdlet. Then we will export the mailbox
statistics for a specific server. We will limit the output by using the Where-Object
command, choose the properties to output using the Select command, and finally pipe
that output to the Export-Csv cmdlet:
Get-MailboxStatistics -Server Ex1 | Sort-Object TotalItemSize -Descending |
Select-Object DisplayName, ItemCount, TotalItemSize |
Export-CSV c:\StorStats.csv
If you are thinking that this looks a bit sticky to implement, you are probably right.
Getting this syntax together took the better part of an afternoon, and arguably, you
should be able to perform common tasks like exporting mailbox storage statistics
from the GUI. However, on the bright side, now we have the command we need to run
each time we want to generate this report; further, the knowledge to do this particular
type of report within PowerShell carries over into many other tasks.
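The two points made above, that Format-Table output cannot feed Export-Csv and that Where-Object limits what reaches the report, can be tried offline with constructed objects. This is an added example, not code from the book; the sample records and the TotalItemSizeMB property are assumptions standing in for real Get-MailboxStatistics output.

```powershell
# Constructed sample records standing in for Get-MailboxStatistics output.
# TotalItemSizeMB is a plain number chosen for this example (assumption).
$stats = @(
    [pscustomobject]@{ DisplayName = 'Mike Brown';     ItemCount = 306;  TotalItemSizeMB = 22.92 }
    [pscustomobject]@{ DisplayName = 'Clayton Kamiya'; ItemCount = 1063; TotalItemSizeMB = 21.34 }
    [pscustomobject]@{ DisplayName = 'Lawrence Cohen'; ItemCount = 2;    TotalItemSizeMB = 0.22 }
    [pscustomobject]@{ DisplayName = 'Oliver Cohen';   ItemCount = 2;    TotalItemSizeMB = 0.07 }
)

# 1. Why Format-Table cannot feed Export-Csv: after Format-Table the pipeline
#    carries console layout records, not the mailbox records themselves.
$formatted = $stats | Format-Table DisplayName, ItemCount
$formatted | ForEach-Object { $_.GetType().Name } | Sort-Object -Unique

# The CSV built from those layout records has formatter internals as its
# header row instead of DisplayName and ItemCount.
$formatted | ConvertTo-Csv -NoTypeInformation | Select-Object -First 1

# 2. The working report: Where-Object limits the rows, Sort-Object orders them,
#    Select-Object picks the columns, and real objects reach Export-Csv.
$report = $stats |
    Where-Object { $_.ItemCount -gt 100 } |
    Sort-Object TotalItemSizeMB -Descending |
    Select-Object DisplayName, ItemCount, TotalItemSizeMB

# -NoTypeInformation keeps Windows PowerShell from writing a "#TYPE" line
# above the header, which most CSV consumers do not expect.
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'StorStats-example.csv'
$report | Export-Csv -Path $path -NoTypeInformation

# Read the file back to confirm it holds only the filtered, sorted rows.
Import-Csv -Path $path | Format-Table -AutoSize
Remove-Item -Path $path
```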
Running Scripts
PowerShell scripts are easy to build and to run, but there are a few things you need to
know to write your own scripts and/or to read others' scripts. Though this is certainly
not a comprehensive briefing on PowerShell scripting or variables, we hope it will give
you a quick introduction to a few things that we found interesting and helpful when
we got started.
The file extension for a PowerShell script is .PS1.
You can't run the script from the source directory. You actually have to preface the
script name with the path.
Say we have a script named c:\scripts\Report.ps1. We can't just change to the
c:\scripts directory and run report.ps1, so we would have to type .\report.ps1.
PowerShell (and scripts) use variables preceded with a $ symbol. You can set a
variable within a script or just by typing it at the command line. The PowerShell
variable is an object, so you can associate an object or an entire list of objects with
a single variable.
For example, the following command associates the variable $Zach with the entire
object for the user Zachary Elfassy:
$Zach = Get-User "Zachary Elfassy"
We could then use just specific properties of that object. For example, if we want
to just output Zachary's display name, we could type this:
$Zach.DisplayName
Even better, we could then set Zachary's display name to a variable called
$ZachDisplayName by doing this:
$ZachDisplayName = $Zach.DisplayName
We can set a single variable to a lot of objects and then manipulate them all at
once via a script. Here is an example where we set the $AllUsers variable to all the
users in the domain:
$AllUsers = Get-User
Now here are some interesting things we can do with that variable. We can obtain
a count of how many objects it contains:
$AllUsers.Count
944
Further, each of the 944 objects contained in the $AllUsers variable is treated as
an item in an array, so we can retrieve individual ones, such as object number
939:
$AllUsers[939] | FL SamAccountName, DisplayName, WindowsEmailAddress, Phone, Office
SamAccountName      : Andrew.Roberts
DisplayName         : Andrew Roberts (Operations)
WindowsEmailAddress : [email protected]
Phone               : 011-77-8484-4844
Office              : Tokyo
Sending Email from the Exchange Management Shell
Sometimes the smallest features are among the best features. In this particular
case, we are talking about a PowerShell cmdlet called Send-MailMessage that allows
you to easily send an email from within PowerShell.
For example, if you want to send an email message from the alias
[email protected]@Contoso.com, it would look something
like this:
[email protected] "This is a test message" [email protected] "This is the body of the message" -SmtpServer Ex1
Note that you must specify an SMTP server that will either accept this connection
or relay the message for you by using the -SmtpServer parameter, as shown in the
preceding example.
Running Scheduled PowerShell Scripts
Frequently, PowerShell advocates will extol the virtues of creating simple PowerShell
scripts (PS1 files) that you can schedule to perform routine tasks. There are quite a
few articles and newsgroup postings about how easy this is to do. However, running
the PS1 script using a scheduled task is a bit trickier. You can't just run a PS1 script
from the DOS command prompt or the Task Scheduler. Before a PS1 script can be run,
PowerShell has to be run, the Exchange Management Extensions have to be loaded,
and then the script or command can be called.
The PowerShell executable (powershell.exe) is found in the
C:\Windows\System32\WindowsPowerShell\v1.0\ folder. PowerShell needs to be told
from which Exchange server it will need to import the Exchange Server session (using
the Import-PSSession cmdlet).
Finally, we need the name and the location of the script we are going to run, so let's
say we are going to execute this command:
Get-Mailbox | Select Name, ProhibitSendQuota, ProhibitSendReceiveQuota |
Export-Csv c:\report2.csv
Rather than pasting all this into the job scheduler, we can create a simple batch file
that looks like this:
@echo off
cls
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -command "& {c:\scripts\Report1.ps1}"
Now we need to create the Report1.ps1 script that will run once PowerShell is opened:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://NYC-EX1/PowerShell/
Import-PSSession $Session
Get-Mailbox | Select Name, ProhibitSendQuota, ProhibitSendReceiveQuota |
Export-Csv c:\report2.csv
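A scheduled script runs unattended, so it should fail visibly, leave a log, and close its remote session. The following is an added example, not the book's script; the log folder, the exit codes, the launch line in the header comment and the -ResultSize Unlimited switch are choices made here, while NYC-EX1 and the report columns come from the text.

```powershell
# Report1.ps1 - defensive variant of the scheduled report (added example).
# Suggested launch line for the batch file or scheduled task:
#   powershell.exe -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File C:\scripts\Report1.ps1
# -File (rather than -command) lets the script's exit code reach Task Scheduler.
# Run the task as a dedicated account that holds only a read-only Exchange
# role (for example View-Only Recipients), not as an organization admin.

$ErrorActionPreference = 'Stop'      # make every cmdlet error terminating
$logDir = 'C:\scripts\logs'          # assumed log location
$report = 'C:\report2.csv'           # report path used in the text

New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$log = Join-Path $logDir ('Report1-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
Start-Transcript -Path $log | Out-Null

$session  = $null
$exitCode = 0
try {
    # Kerberos authenticates as the account the task runs under, so no
    # password has to be stored in the script or the batch file.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'http://NYC-EX1/PowerShell/' -Authentication Kerberos

    # Import only the cmdlet this report needs instead of every Exchange cmdlet.
    Import-PSSession -Session $session -CommandName Get-Mailbox -AllowClobber | Out-Null

    # Get-Mailbox returns at most 1,000 results unless told otherwise.
    Get-Mailbox -ResultSize Unlimited |
        Select-Object Name, ProhibitSendQuota, ProhibitSendReceiveQuota |
        Export-Csv -Path $report -NoTypeInformation
}
catch {
    # Record the failure in the transcript and signal it to the scheduler.
    Write-Error -Message "Report1 failed: $($_.Exception.Message)" -ErrorAction Continue
    $exitCode = 1
}
finally {
    # Always release the remote session; leaked sessions count against the
    # per-user session limit on the Exchange server.
    if ($session) { Remove-PSSession -Session $session }
    Stop-Transcript | Out-Null
}
exit $exitCode
```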
Debugging and Troubleshooting from PowerShell
PowerShell has a lot of features that will help you test your scripts and one-line
commands.
Set-PSDebug: The cmdlet Set-PSDebug is designed to allow you to debug PowerShell
scripts. To use this, add this command to your script: Set-PSDebug -Trace 1. This
will allow you to examine each step of the script. You can enable more detailed
trace logging by setting the trace level to 2: Set-PSDebug -Trace 2. If you add the
-Step option to the command line, you will be prompted for each step. To turn off
trace logging, use this command: Set-PSDebug -Off.
-WhatIf: Most cmdlets support the -WhatIf option. If you add the -WhatIf option to
the command line, the cmdlet will run and tell you what will happen without
actually performing the task. This is useful for checking to make sure the
command you are about to run will really do what you want.
-Confirm: Most cmdlets support the -Confirm option and many cmdlets that
perform more destructive types of options, such as those that begin with Remove-,
Move-, Dismount-, Disable-, and Clear-, have the -Confirm option turned on by
default. If this is turned on, the cmdlet will not proceed until you have confirmed it
is OK to proceed. For cmdlets that confirm by default, you can include the
-Confirm:$False option if you do not want to be prompted.
-ValidateOnly: The -ValidateOnly option is a bit more powerful than -WhatIf. The
-ValidateOnly option will perform all the steps the cmdlet is specifying without
actually making any changes and then will summarize what would have been done
and if this would have caused any problems.
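Scripts you write can offer the same -WhatIf and -Confirm safety net as the built-in cmdlets. The function below is an added example, not from the book; Remove-OldReport, its parameters and the temporary test files are hypothetical.

```powershell
function Remove-OldReport {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm.
    # ConfirmImpact 'High' meets the default $ConfirmPreference ('High'), so the
    # function prompts unless told otherwise, like the Remove-* cmdlets above.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$OlderThanDays = 30
    )

    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-ChildItem -Path $Path -Filter *.csv -File |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            # ShouldProcess returns $false under -WhatIf (after printing the
            # "What if" line) and when the operator answers No to the prompt.
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete report')) {
                Remove-Item -LiteralPath $_.FullName
                $_.FullName          # emit what was actually removed
            }
        }
}

# Constructed test data: one stale report and one fresh report in a temp folder.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ('reports-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$old = New-Item -ItemType File -Path (Join-Path $dir 'old.csv')
$old.LastWriteTime = (Get-Date).AddDays(-90)
New-Item -ItemType File -Path (Join-Path $dir 'new.csv') | Out-Null

# Dry run: reports what would be deleted and leaves both files in place.
Remove-OldReport -Path $dir -WhatIf
Get-ChildItem -Path $dir | Select-Object -ExpandProperty Name

# Unattended run: -Confirm:$false suppresses the prompt, as a scheduled task needs.
Remove-OldReport -Path $dir -Confirm:$false
Get-ChildItem -Path $dir | Select-Object -ExpandProperty Name

Remove-Item -Path $dir -Recurse     # clean up the test folder
```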
Getting Help
We have shown you a few simple yet powerful examples of how to use PowerShell and
the EMS. Once you dig in and start using the EMS, you will need some references to
help you figure out all the syntax and properties of each of the cmdlets.
Information is available on the cmdlets from within PowerShell. For a good starting
point, you can just type the help command and this will give you a good overview of
using PowerShell and how to get more help. The following list summarizes common
methods of getting help on PowerShell and Exchange Management Shell cmdlets:
Help: Provides generic PowerShell help information.
help *Keyword*: Lists all cmdlets that contain the keyword. For example, if you
want to find all PowerShell v2 cmdlets that work with the Windows event log, you
can type help *EventLog*. To find all Exchange Server cmdlets that work with
mailboxes, type Get-ExCommand *mailbox*. You cannot use the help alias to locate
all available Exchange Server cmdlets.
Get-Command *Keyword*: Lists all PowerShell cmdlets and files (such as help files)
that contain the keyword.
Get-Command: Lists all cmdlets (including all PowerShell extensions currently
loaded, such as the EMS cmdlets).
Get-ExCommand: Lists all Exchange Server cmdlets.
Get-PSCommand: Lists all PowerShell cmdlets.
Help Cmdlet or Get-Help Cmdlet: Lists online help for the specified cmdlet and
pauses between each screen. Provides multiple views of the online help (such as
detailed, full, examples, and default). In Figure 5.4, the help information for
pipelining in PowerShell is displayed.
Cmdlet -?: Lists online help for the specified cmdlet.
Figure 5.4 Online help for pipelining using the Exchange Management Shell
When working with help within PowerShell, help topics are displayed based on the
view of help that you request. In other words, you can't just type Get-Help and see
everything about that cmdlet. The Get-Help cmdlet includes four possible views of help
for each cmdlet. The following list explains the four primary views along with the
parameters view:
Default View: Lists the minimal information to describe the function of the
cmdlet and shows the syntax of the cmdlet
Example View: Includes a synopsis of the cmdlet and some examples of its usage
Detailed View: Shows more details on a cmdlet, including parameters and
parameter descriptions
Full View: Shows all the details available on a cmdlet, including a synopsis of the
cmdlet, a detailed description of the cmdlet, parameter descriptions, parameter
metadata, and examples
Parameters View: Allows you to specify a parameter and get help on the usage of
just that particular parameter
The Full option for Get-Help includes in its output each parameter's metadata. The
metadata is shown in the following list:
Required? Is the parameter required? This value is either true or false.
Position? Specifies the position of the parameter. If the position is named, the
parameter name has to be included in the parameter list. Most parameters are
named. However, the -Identity parameter is 1, which means that it is always the
first parameter and the -Identity tag is not required.
Default value: Specifies what a value will be for a parameter if nothing else is
specified. For most parameters this is blank.
Accept pipeline input? Specifies if the parameter will accept input that is piped in
from another cmdlet. The value is either true or false.
Accept wildcard characters? Specifies if the parameter accepts wildcard
characters, such as the asterisk or question mark character. This value is either
true or false.
Still not clear about what each view gives you? Perhaps Table 5.3 can shed some more
light on the issue. This table shows you the various sections that are output when
using each view option.
Table 5.3 Information Output for Each Get-Help View
                       Default View   Example View   Detailed View   Full View
Synopsis               ✓              ✓              ✓               ✓
Detailed description   ✓                             ✓               ✓
Syntax                 ✓                             ✓               ✓
Parameters                                           ✓               ✓
Parameter metadata                                                   ✓
Input type                                                           ✓
Return type                                                          ✓
Errors                                                               ✓
Notes                                                                ✓
Example                               ✓              ✓               ✓
To use these parameters, you would use the Get-Help cmdlet and the view option. For
example, to see the example view for the Get-Mailbox, you would type the following:
Get-Help Get-Mailbox -Example
We feel it is important for administrators to understand the available online help
options, so let's look at a couple more detailed examples for the Get-MailboxStatistics
cmdlet. We are picking a cmdlet (Get-MailboxStatistics) that we feel is pretty
representative of the EMS cmdlets but that also does not have a huge amount of help
information. First, let's look at the default view:
Get-Help Get-MailboxStatistics
NAME
    Get-MailboxStatistics
SYNOPSIS
    This cmdlet is available in on-premises Exchange Server 2016 and in the
    cloud-based service. Some parameters and settings may be exclusive to one
    environment or the other.
    Use the Get-MailboxStatistics cmdlet to obtain information about a mailbox,
    such as the size of the mailbox, the number of messages it contains, and the
    last time it was accessed. In addition, you can get the move history or a
    move report of a completed move request.
    For information about the parameter sets in the Syntax section below, see
    Syntax.
SYNTAX
    Get-MailboxStatistics -Identity <GeneralMailboxOrMailUserIdParameter>
    [-Archive <SwitchParameter>] [-CopyOnServer <ServerIdParameter>]
    [-DomainController <Fqdn>] [-IncludeMoveHistory <SwitchParameter>]
    [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
    Get-MailboxStatistics [-AuditLog <SwitchParameter>] [-Identity
    <GeneralMailboxOrMailUserIdParameter>] [-DomainController <Fqdn>]
    [-IncludeMoveHistory <SwitchParameter>] [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
    Get-MailboxStatistics -Database <DatabaseIdParameter> [-CopyOnServer
    <ServerIdParameter>] [-Filter <String>]
    [-StoreMailboxIdentity <StoreMailboxIdParameter>] [-DomainController <Fqdn>]
    [-IncludeMoveHistory <SwitchParameter>] [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
    Get-MailboxStatistics -Server <ServerIdParameter> [-Filter <String>]
    [-IncludePassive <SwitchParameter>] [-DomainController <Fqdn>]
    [-IncludeMoveHistory <SwitchParameter>] [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
DESCRIPTION
    On Mailbox servers only, you can use the Get-MailboxStatistics cmdlet
    without parameters. In this case, the cmdlet returns the statistics for all
    mailboxes on all databases on the local server.
    The Get-MailboxStatistics cmdlet requires at least one of the following
    parameters to complete successfully: Server, Database, or Identity.
    You can use the Get-MailboxStatistics cmdlet to return detailed move
    history and a move report for completed move requests to troubleshoot a move
    request. To view the move history, you must pass this cmdlet as an object.
    Move histories are retained in the mailbox database and are numbered
    incrementally, and the last executed move request is always numbered 0. For
    more information, see "Example 7," "Example 8," and "Example 9" in this topic.
    You can only see move reports and move history for completed move requests.
    You need to be assigned permissions before you can run this cmdlet.
    Although all parameters for this cmdlet are listed in this topic, you may not
    have access to some parameters if they're not included in the permissions
    assigned to you. To see what permissions you need, see the "Recipient
    Provisioning Permissions" section in the Recipients Permissions topic.
RELATED LINKS
    Online Version http://technet.microsoft.com/EN-US/library/cec76f70-941f-4bc9-b949-35dcc7671146(EXCHG.160).aspx
REMARKS
    To see the examples, type: "get-help Get-MailboxStatistics -examples".
    For more information, type: "get-help Get-MailboxStatistics -detailed".
    For technical information, type: "get-help Get-MailboxStatistics -full".
    For online help, type: "get-help Get-MailboxStatistics -online"
The default view (as you could have predicted from Table 5.3) includes the synopsis,
syntax, and detailed description sections. Let's change our approach and look at the
example view:
[PS] C:\>Get-Help Get-MailboxStatistics -Examples
NAME
    Get-MailboxStatistics
SYNOPSIS
    This cmdlet is available in on-premises Exchange Server 2016 and in the
    cloud-based service. Some parameters and settings may be exclusive to one
    environment or the other.
    Use the Get-MailboxStatistics cmdlet to obtain information about a mailbox,
    such as the size of the mailbox, the number of messages it contains, and the
    last time it was accessed. In addition, you can get the move history or a
    move report of a completed move request.
    For information about the parameter sets in the Syntax section below, see
    Syntax.
    -------------------------- Example 1 --------------------------
    This example retrieves the mailbox statistics for the mailbox of the user
    Ayla Kol by using its associated alias AylaKol.
    Get-MailboxStatistics -Identity AylaKol
    -------------------------- Example 2 --------------------------
    This example retrieves the mailbox statistics for all mailboxes on the
    server MailboxServer01.
    Get-MailboxStatistics -Server MailboxServer01
    -------------------------- Example 3 --------------------------
    This example retrieves the mailbox statistics for the specified mailbox.
    Get-MailboxStatistics -Identity contoso\chris
    -------------------------- Example 4 --------------------------
    This example retrieves the mailbox statistics for all mailboxes in the
    specified mailbox database.
    Get-MailboxStatistics -Database "Mailbox Database"
    -------------------------- Example 5 --------------------------
    This example retrieves the mailbox statistics for the disconnected
    mailboxes for all mailbox databases in the organization. The -ne operator
    means not equal.
    Get-MailboxDatabase | Get-MailboxStatistics -Filter 'DisconnectDate -ne $null'
    -------------------------- Example 6 --------------------------
    This example retrieves the mailbox statistics for a single disconnected
    mailbox. The value for the StoreMailboxIdentity parameter is the mailbox GUID
    of the disconnected mailbox. You can also use the LegacyDN.
    Get-MailboxStatistics -Database "Mailbox Database" -StoreMailboxIdentity 3b475034-303d-49b2-9403-ae022b43742d
    -------------------------- Example 7 --------------------------
    This example returns the summary move history for the completed move
    request for Ayla Kol's mailbox. If you don't pipeline the output to the
    Format-List cmdlet, the move history doesn't display.
    Get-MailboxStatistics -Identity AylaKol -IncludeMoveHistory | Format-List
    -------------------------- Example 8 --------------------------
    This example returns the detailed move history for the completed move
    request for Ayla Kol's mailbox. This example uses a temporary variable to
    store the mailbox statistics object. If the mailbox has been moved multiple
    times, there are multiple move reports. The last move report is always
    MoveReport[0].
    $temp = Get-MailboxStatistics -Identity AylaKol -IncludeMoveHistory
    $temp.MoveHistory[0]
    -------------------------- Example 9 --------------------------
    This example returns the detailed move history and a verbose detailed move
    report for Ayla Kol's mailbox. This example uses a temporary variable to
    store the move request statistics object and outputs the move report to a CSV
    file.
    $temp = Get-MailboxStatistics -Identity AylaKol -IncludeMoveReport
    $temp.MoveHistory[0] | Export-CSV C:\MoveReport_AylaKol.csv
The example view does not have as much data, but a lot of techies learn by looking at
examples, so we find this view particularly useful. Next, let's look at the detailed view;
because this view includes the parameters, it will have quite a bit more information:
[PS] C:\>Get-Help Get-MailboxStatistics -Detailed
NAME
    Get-MailboxStatistics
SYNOPSIS
    This cmdlet is available in on-premises Exchange Server 2016 and in the
    cloud-based service. Some parameters and settings may be exclusive to one
    environment or the other.
    Use the Get-MailboxStatistics cmdlet to obtain information about a mailbox,
    such as the size of the mailbox, the number of messages it contains, and the
    last time it was accessed. In addition, you can get the move history or a
    move report of a completed move request.
    For information about the parameter sets in the Syntax section below, see
    Syntax.
SYNTAX
    Get-MailboxStatistics -Identity <GeneralMailboxOrMailUserIdParameter>
    [-Archive <SwitchParameter>] [-CopyOnServer <ServerIdParameter>]
    [-DomainController <Fqdn>] [-IncludeMoveHistory <SwitchParameter>]
    [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
    Get-MailboxStatistics [-AuditLog <SwitchParameter>] [-Identity
    <GeneralMailboxOrMailUserIdParameter>] [-DomainController <Fqdn>]
    [-IncludeMoveHistory <SwitchParameter>] [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
    Get-MailboxStatistics -Database <DatabaseIdParameter> [-CopyOnServer
    <ServerIdParameter>] [-Filter <String>]
    [-StoreMailboxIdentity <StoreMailboxIdParameter>] [-DomainController <Fqdn>]
    [-IncludeMoveHistory <SwitchParameter>] [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
    Get-MailboxStatistics -Server <ServerIdParameter> [-Filter <String>]
    [-IncludePassive <SwitchParameter>] [-DomainController <Fqdn>]
    [-IncludeMoveHistory <SwitchParameter>] [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
DESCRIPTION
    On Mailbox servers only, you can use the Get-MailboxStatistics cmdlet
    without parameters. In this case, the cmdlet returns the statistics for all
    mailboxes on all databases on the local server.
    The Get-MailboxStatistics cmdlet requires at least one of the following
    parameters to complete successfully: Server, Database, or Identity.
    You can use the Get-MailboxStatistics cmdlet to return detailed move
    history and a move report for completed move requests to troubleshoot a move
    request. To view the move history, you must pass this cmdlet as an object.
    Move histories are retained in the mailbox database and are numbered
    incrementally, and the last executed move request is always numbered 0. For
    more information, see "Example 7," "Example 8," and "Example 9" in this topic.
    You can only see move reports and move history for completed move requests.
    You need to be assigned permissions before you can run this cmdlet.
    Although all parameters for this cmdlet are listed in this topic, you may not
    have access to some parameters if they're not included in the permissions
    assigned to you. To see what permissions you need, see the "Recipient
    Provisioning Permissions" section in the Recipients Permissions topic.
PARAMETERS
    -Database <DatabaseIdParameter>
        This parameter is available only in on-premises Exchange 2016.
        The Database parameter specifies the name of the mailbox database. When
        you specify a value for the Database parameter, the Exchange Management
        Shell returns statistics for all the mailboxes on the database specified.
        You can use the following values:
        * GUID
        * Database
        This parameter accepts pipeline input from the Get-MailboxDatabase
        cmdlet.
    -Identity <GeneralMailboxOrMailUserIdParameter>
        The Identity parameter specifies a mailbox. When you specify a value
        for the Identity parameter, the command looks up the mailbox specified in
        the Identity parameter, connects to the server where the mailbox resides,
        and returns the statistics for the mailbox.
        This parameter accepts the following values:
        * Example: JPhillips
        * Example: Atlanta.Corp.Contoso.Com/Users/JPhillips
        * Example: Jeff Phillips
        * Example: CN=JPhillips,CN=Users,DC=Atlanta,DC=Corp,DC=contoso,DC=com
        * Example: Atlanta\JPhillips
        * Example: fb456636-fe7d-4d58-9d15-5af57d0354c2
        * Example: [email protected]
        * Example: /o=Contoso/ou=AdministrativeGroup/cn=Recipients/cn=JPhillips
        * Example: [email protected]
        * Example: [email protected]
    -Server <ServerIdParameter>
        This parameter is available only in on-premises Exchange 2016.
        The Server parameter specifies the server from which you want to obtain
        mailbox statistics. You can use one of the following values:
        * Fully qualified domain name (FQDN)
        * NetBIOS name
        When you specify a value for the Server parameter, the command returns
        statistics for all the mailboxes on all the databases, including recovery
        databases, on the specified server. If you don't specify this parameter,
        the command returns logon statistics for the local server.
    -Archive <SwitchParameter>
        The Archive switch parameter specifies whether to return mailbox
        statistics for the archive mailbox associated with the specified mailbox.
        You don't have to specify a value with this parameter.
    -AuditLog <SwitchParameter>
        This parameter is reserved for internal Microsoft use.
    -CopyOnServer <ServerIdParameter>
        This parameter is available only in on-premises Exchange 2016.
        The CopyOnServer parameter is used to retrieve statistics from a
        specific database copy on the server specified with the Server parameter.
    -DomainController <Fqdn>
        This parameter is available only in on-premises Exchange 2016.
        The DomainController parameter specifies the domain controller that's
        used by this cmdlet to read data from or write data to Active Directory.
        You identify the domain controller by its fully qualified domain name
        (FQDN). For example, dc01.contoso.com.
    -Filter <String>
        This parameter is available only in on-premises Exchange 2016.
        The Filter parameter specifies a filter to filter the results of the
        Get-MailboxStatistics cmdlet. For example, to display all disconnected
        mailboxes on a specific mailbox database, use the following syntax for
        this parameter: -Filter 'DisconnectDate -ne $null'
    -IncludeMoveHistory <SwitchParameter>
        The IncludeMoveHistory switch specifies whether to return additional
        information about the mailbox that includes the history of a completed
        move request, such as status, flags, target database, bad items, start
        times, end times, duration that the move request was in various stages,
        and failure codes.
    -IncludeMoveReport <SwitchParameter>
        The IncludeMoveReport switch specifies whether to return a verbose
        detailed move report for a completed move request, such as server
        connections and move stages.
        Because the output of this command is verbose, you should send the
        output to a .CSV file for easier analysis.
    -IncludePassive <SwitchParameter>
        This parameter is available only in on-premises Exchange 2016.
        Without the IncludePassive parameter, the cmdlet retrieves statistics
        from active database copies only. Using the IncludePassive parameter, you
        can have the cmdlet return statistics from all active and passive database
        copies.
    -IncludeQuarantineDetails <SwitchParameter>
        This parameter is available only in on-premises Exchange 2016.
        The IncludeQuarantineDetails switch specifies whether to return
        additional quarantine details about the mailbox that aren't otherwise
        included in the results. You can use these details to determine when and
        why the mailbox was quarantined.
        Specifically, this switch returns the values of the
        QuarantineDescription, QuarantineLastCrash and QuarantineEnd properties
        on the mailbox. To see these values, you need use a formatting cmdlet.
        For example,
        Get-MailboxStatistics <MailboxIdentity> -IncludeQuarantineDetails |
        Format-List Quarantine*.
    -NoADLookup <SwitchParameter>
        This parameter is available only in on-premises Exchange 2016.
        The NoADLookup switch specifies that information is retrieved from the
        mailbox database, and not from Active Directory. This helps improve cmdlet
        performance when querying a mailbox database that contains a large number
        of mailboxes.
    -StoreMailboxIdentity <StoreMailboxIdParameter>
        This parameter is available only in on-premises Exchange 2016.
        The StoreMailboxIdentity parameter specifies the mailbox identity when
        used with the Database parameter to return statistics for a single mailbox
        on the specified database. You can use one of the following values:
        * MailboxGuid
        * LegacyDN
        Use this syntax to retrieve information about disconnected mailboxes,
        which don't have a corresponding Active Directory object or that has a
        corresponding Active Directory object that doesn't point to the
        disconnected mailbox in the mailbox database.
    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
    -------------------------- Example 1 --------------------------
    This example retrieves the mailbox statistics for the mailbox of the user
    Ayla Kol by using its associated alias AylaKol.
    Get-MailboxStatistics -Identity AylaKol
Notice in the preceding output that we left out most of the examples because we had
already shown them to you earlier. We did this with the full view as well because it
contains even more information than the detailed view. The full view includes the
metadata for each parameter, as well as examples:
Get-Help Get-MailboxStatistics -Full
NAME
    Get-MailboxStatistics
SYNOPSIS
    This cmdlet is available in on-premises Exchange Server 2016 and in the
    cloud-based service. Some parameters and settings may be exclusive to one
    environment or the other.
    Use the Get-MailboxStatistics cmdlet to obtain information about a mailbox,
    such as the size of the mailbox, the number of messages it contains, and the
    last time it was accessed. In addition, you can get the move history or a
    move report of a completed move request.
    For information about the parameter sets in the Syntax section below, see
    Syntax.
SYNTAX
    Get-MailboxStatistics -Identity <GeneralMailboxOrMailUserIdParameter>
    [-Archive <SwitchParameter>] [-CopyOnServer <ServerIdParameter>]
    [-DomainController <Fqdn>] [-IncludeMoveHistory <SwitchParameter>]
    [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
    Get-MailboxStatistics [-AuditLog <SwitchParameter>] [-Identity
    <GeneralMailboxOrMailUserIdParameter>] [-DomainController <Fqdn>]
    [-IncludeMoveHistory <SwitchParameter>] [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
    Get-MailboxStatistics -Database <DatabaseIdParameter> [-CopyOnServer
    <ServerIdParameter>] [-Filter <String>]
    [-StoreMailboxIdentity <StoreMailboxIdParameter>] [-DomainController <Fqdn>]
    [-IncludeMoveHistory <SwitchParameter>] [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
    Get-MailboxStatistics -Server <ServerIdParameter> [-Filter <String>]
    [-IncludePassive <SwitchParameter>] [-DomainController <Fqdn>]
    [-IncludeMoveHistory <SwitchParameter>] [-IncludeMoveReport <SwitchParameter>]
    [-IncludeQuarantineDetails <SwitchParameter>] [-NoADLookup <SwitchParameter>]
    [<CommonParameters>]
DESCRIPTION
    On Mailbox servers only, you can use the Get-MailboxStatistics cmdlet
    without parameters. In this case, the cmdlet returns the statistics for all
    mailboxes on all databases on the local server.
    The Get-MailboxStatistics cmdlet requires at least one of the following
    parameters to complete successfully: Server, Database, or Identity.
    You can use the Get-MailboxStatistics cmdlet to return detailed move
    history and a move report for completed move requests to troubleshoot a move
    request. To view the move history, you must pass this cmdlet as an object.
    Move histories are retained in the mailbox database and are numbered
    incrementally, and the last executed move request is always numbered 0. For
    more information, see "Example 7," "Example 8," and "Example 9" in this topic.
    You can only see move reports and move history for completed move requests.
    You need to be assigned permissions before you can run this cmdlet.
    Although all parameters for this cmdlet are listed in this topic, you may not
    have access to some parameters if they're not included in the permissions
    assigned to you. To see what permissions you need, see the "Recipient
    Provisioning Permissions" section in the Recipients Permissions topic.
PARAMETERS
    -Database <DatabaseIdParameter>
        This parameter is available only in on-premises Exchange 2016.
        The Database parameter specifies the name of the mailbox database. When
        you specify a value for the Database parameter, the Exchange Management
        Shell returns statistics for all the mailboxes on the database specified.
        You can use the following values:
        * GUID
        * Database
        This parameter accepts pipeline input from the Get-MailboxDatabase
        cmdlet.
        Required?                    true
        Position?                    Named
        Default value
        Accept pipeline input?       True
        Accept wildcard characters?  false
    -Identity <GeneralMailboxOrMailUserIdParameter>
        The Identity parameter specifies a mailbox. When you specify a value
        for the Identity parameter, the command looks up the mailbox specified in
        the Identity parameter, connects to the server where the mailbox resides,
        and returns the statistics for the mailbox.
        This parameter accepts the following values:
        * Example: JPhillips
        * Example: Atlanta.Corp.Contoso.Com/Users/JPhillips
        * Example: Jeff Phillips
        * Example: CN=JPhillips,CN=Users,DC=Atlanta,DC=Corp,DC=contoso,DC=com
        * Example: Atlanta\JPhillips
        * Example: fb456636-fe7d-4d58-9d15-5af57d0354c2
        * Example: [email protected]
        * Example: /o=Contoso/ou=AdministrativeGroup/cn=Recipients/cn=JPhillips
        * Example: [email protected]
        * Example: [email protected]
        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       True
        Accept wildcard characters?  false
    -Server <ServerIdParameter>
        This parameter is available only in on-premises Exchange 2016.
        The Server parameter specifies the server from which you want to obtain
        mailbox statistics. You can use one of the following values:
        * Fully qualified domain name (FQDN)
        * NetBIOS name
        When you specify a value for the Server parameter, the command returns
        statistics for all the mailboxes on all the databases, including recovery
        databases, on the specified server. If you don't specify this parameter,
        the command returns logon statistics for the local server.
        Required?                    true
        Position?                    Named
        Default value
        Accept pipeline input?       True
        Accept wildcard characters?  false
    -Archive <SwitchParameter>
        The Archive switch parameter specifies whether to return mailbox
        statistics for the archive mailbox associated with the specified mailbox.
        You don't have to specify a value with this parameter.
        Required?                    false
        Position?                    Named
        Default value
        Accept pipeline input?       False
        Accept wildcard characters?  false
Yes, that's a lot of text for examples of one cmdlet, but we hope that these examples
will make it easier for you to quickly learn the capabilities of all cmdlets and how you
can use them.
The PowerShell help system also gives you some options with respect to getting help
on parameters. For example, here is an example if you want help on just the -Database
parameter of the Get-MailboxStatistics cmdlet:
Get-Help Get-MailboxStatistics -Parameter Database
-Database <DatabaseIdParameter>
    The Database parameter specifies the name of the mailbox database.
    When you specify a value for the Database parameter, the Exchange
    Management Shell returns statistics for all the mailboxes on the
    database specified.
    You can use the following values:
    * GUID
    * Server\Database
    * Database
    This parameter accepts pipeline input from the
    Get-MailboxDatabase cmdlet.
    Required?                    true
    Position?                    Named
    Default value
    Accept pipeline input?       True
    Accept wildcard characters?  false
The -Parameter option also accepts the asterisk (*) wildcard. Here is an example if you
want to see help on all the parameters that contain SCLQuarantine for the Set-Mailbox
cmdlet:
[PS] C:\>Get-Help Set-Mailbox -Parameter *SCLQuarantine*
-SCLQuarantineEnabled <Nullable>
    The SCLQuarantineEnabled parameter specifies whether messages
    that meet the SCL threshold specified by the SCLQuarantineThreshold
    parameter are quarantined. If a message is quarantined, it's sent
    to the quarantine mailbox where the messaging administrator can
    review it. You can use the following values:
    * $true
    * $false
    * $null
    Required?                    false
    Position?                    Named
    Default value
    Accept pipeline input?       False
    Accept wildcard characters?  false
-SCLQuarantineThreshold <Nullable>
    The SCLQuarantineThreshold parameter specifies the SCL
    at which a message is quarantined, if the SCLQuarantineEnabled
    parameter is set to $true. You must specify an integer from 0 through 9
    inclusive.
    Required?                    false
    Position?                    Named
    Default value
    Accept pipeline input?       False
    Accept wildcard characters?  false
Getting Tips
You may have noticed a useful tip each time you launched the Exchange Management
Shell (EMS). Figure 5.5 shows the Tip of the Day text that you see each time you
launch the EMS. There are more than 100 of these tips.
Figure 5.5 Viewing the Tip of the Day
If you want to view additional tips, just type Get-Tip at the Exchange Management
Shell prompt.
You can even add your own tips if you don't mind editing an XML file; the tips for
English are found in C:\Program Files\Microsoft\Exchange Server\V15\Bin\ExTips.xml.
The Bottom Line
Use PowerShell command syntax. PowerShell is an easy-to-use
command-line interface that allows you to manipulate many aspects of the
Windows operating system, Registry, and filesystem. The Exchange Management
Shell extensions allow you to manage all aspects of an Exchange Server
organization and many Active Directory objects.
PowerShell cmdlets consist of a verb (such as Get, Set, New, or Mount) that indicates
what is being done and a noun (such as Mailbox, Group, ExchangeServer) that
indicates on which object the cmdlet is acting. Cmdlet options such as -Debug,
-Whatif, and -ValidateOnly are common to most cmdlets and can be used to test or
debug problems with a cmdlet.
Master It: You need to use the Exchange Management Shell cmdlet Set-User to
change the city to Irvine for all members of the IT distribution list. But you
want to first confirm that the command will do what you want to do without
actually making the change. Which command should you use?
Understand object-oriented use of PowerShell. Output of a cmdlet is not
simple text but rather objects. These objects have properties that can be examined
and manipulated.
Master It: You are using the Set-User cmdlet to set properties of a user's Active
Directory account. You need to determine the properties that are available to
use with the Set-User cmdlet. What can you do to view the available properties?
Get help with using PowerShell. Many options are available when you are
trying to figure out how to use a PowerShell cmdlet, including online help and the
Exchange Server documentation. PowerShell and the EMS make it easy to
“discover” the cmdlets that you need to do your job.
Master It: How would you locate all the cmdlets available to manipulate a
mailbox? You are trying to figure out how to use the Set-User cmdlet and would
like to see an example. How can you view examples for this cmdlet?
Chapter 6
Understanding the Exchange Autodiscover Process
Being an Exchange Server administrator is rewarding and, at times, frustrating. One of
the most common sources of frustration we've encountered is managing the
interactions between our Exchange servers and the Outlook desktop client. In large
organizations, two separate groups maintain these pieces of the common puzzle. In
smaller organizations, though, the same people can handle both the server and the
clients. It's in organizations like these that you learn the truth of the matter that
Exchange Server and Outlook were developed by two separate product groups
(although the groups are now joined).
Historically, many Outlook client issues were the result of mismatches between the
Outlook profile settings and the actual server configurations. In Exchange Server
2007, Microsoft introduced the Autodiscover service, a component of the Client
Access role, which was intended to allow both clients (such as Outlook, Windows
Mobile, and Entourage) and other Exchange servers to automatically discover how
your Exchange Server organization is configured and determine the appropriate
settings without direct administrator involvement.
Many Exchange Server 2007 organizations ran into two main problems getting
Autodiscover properly configured and deployed: understanding the concepts and
getting the certificates properly deployed. By deploying Exchange Server 2010,
administrators increased their knowledge of the Autodiscover processes. In this latest
release of Exchange Server, the updated feature is much simpler, much more evolved,
and more administrator-friendly.
IN THIS CHAPTER, YOU WILL LEARN TO:
Work with Autodiscover
Troubleshoot Autodiscover
Manage Exchange Server certificates
Autodiscover Concepts
Let's share an unpleasant truth that a lot of administrators have not yet learned: the
Autodiscover service is not an optional component of an Exchange Server
organization. It may seem as if it's optional, especially if you haven't yet deployed a
version of Outlook, Windows Phone, or Office for Mac that takes advantage of it. More
than that, you can't get rid of it—Autodiscover is on from the moment you install the
first server in the organization. You can't shut it off, you can't disable it, and you can't
keep clients and Exchange servers from trying to contact it (although you can cause
problems by not properly configuring Autodiscover, breaking features, and forcing
fallback to older, more error-prone methods of configuration).
We know several Exchange Server 2007 organizations that limped along seemingly
just fine with Autodiscover improperly configured or just plain ignored. However,
when Autodiscover has been neglected, this inevitably signals an Exchange Server
organization with other problems—and this is even truer in Exchange Server 2016
than in previous versions. Autodiscover is more than just a way to ease the
administration of Outlook client profiles. Other Exchange Server components, servers,
and services also use Autodiscover to find the servers and settings with which they
need to communicate. In order for the Outlook client to leverage many of the
advanced features of Exchange Server, including the high-availability features, the
client depends on a functional Autodiscover service. If you want to use the external
calendar sharing or Skype for Business integration, you'd better get Autodiscover
squared away.
In order to properly plan and deploy Autodiscover, you have to work through some of
the most potentially confusing aspects of an Exchange Server deployment. The good
news, though, is that once you have these issues solved, you will have headed off
some confusing and annoying errors that might otherwise cause problems down the
road. These issues include namespace planning and certificate management. Trust me
that getting these issues sorted will make your client access deployment and your
overall management tasks a lot easier.
What Autodiscover Provides
Autodiscover is necessary for far more reasons than that it makes configuring your
Outlook clients easier. In Exchange Server 2007, the clients did benefit a great deal,
which is part of the reason many people did not see the point of learning about the
service. Either that, or it worked subtly behind the scenes, and some administrators
lived in ignorant bliss, once some configuration was done. Beginning with Exchange
Server 2013, both the client and the server benefits get better.
The information provided by Autodiscover includes the following:
Outlook client connection configuration
Configuration URLs for the Offline Address Book (OAB)
Configuration URLs for free and busy information
Outlook profile configuration information
Client Benefits
Exactly what benefits you get from Autodiscover depends on which client you're
using:
Outlook 2010, Outlook 2013, and Outlook 2016 fully support Autodiscover.
Outlook 2007 supports Autodiscover but isn't a supported client for Exchange
Server 2016. Outlook versions prior to 2007 do not use Autodiscover, but they are
not supported as clients of Exchange Server 2016 either. When we say “not
supported,” we mean that Microsoft won't provide support. In some cases, you may
have basic functionality, but some other functionality may not work. Note that
extended support for Office 2007 ends in October of 2017.
iPhones, iPads, Android, Windows Mobile 6.1, Windows Phone 7.x/8.x, and
Windows Phone 10 and later support Autodiscover, and many mobile users today
rely on Autodiscover for easy configuration of a new device.
The Windows Mail app that is built into Windows 8 Pro and later also uses
Autodiscover to configure client settings (incidentally, those clients are then
configured as Exchange Server ActiveSync clients).
If you're a Mac user, you may prefer using Outlook for Mac 2016. This version of
Outlook works in a similar way to the PC version, except it does not support
service connection point (SCP) lookup. SCP lookup is a method used for locating
services, or more specifically the servers that run the services, and is explained
later on in this chapter.
Even though you get all these great benefits from Autodiscover, likely the only time
you will see Autodiscover working is when configuring a client, such as Outlook, for
the first time. When running through an initial configuration wizard, a user is
prompted to configure Outlook to connect to an email server. The only information
they need to know is the email address and password. Then, their computer will look
up the correct details using Autodiscover and configure the Outlook profile
automatically as shown in Figure 6.1.
Figure 6.1 Completing the initial Outlook configuration using Autodiscover
Although these are the main Autodiscover-aware clients, they're not the only ones. For
example, the Microsoft Skype for Business client and devices use Autodiscover and
Exchange Web Services. The behavior of Autodiscover has been clearly documented by
Microsoft, so other third-party clients and mobile devices also utilize it. Features that
Outlook and Windows Phone will leverage include the following:
Support for DNS A Records: By default, external clients attempt to find the
Autodiscover service through DNS lookups based on the email address of the user.
Support for DNS SRV Records: Due to popular demand, starting in Exchange
Server 2010, the Exchange Server and Outlook teams provided support for the use
of Service Locator (SRV) records for organizations that couldn't use Address (A)
records and didn't want to use CNAMEs. SRV records are also useful when
Exchange is hosted in a separate forest.
Support for Active Directory Service Connection Point Objects: Domain-joined
clients that can contact Active Directory—effectively any Windows client
running Outlook 2010 or later—can utilize an Active Directory feature called
service connection points. SCPs provide a number of benefits that aren't available
with plain DNS lookups. SCPs allow clients to locate resources via SCP objects
within the Active Directory. The SCP object contains the list of Autodiscover URLs
for the Active Directory forest. You can use the Set-ClientAccessService cmdlet to
modify the SCP object. (And of course, you can use Get-ClientAccessService to view
the object.)
Internal Organization Settings: Services on Exchange Server 2016 servers have
both internal URLs for clients within the firewall (such as Outlook and Skype for
Business on domain-joined Windows devices) and external URLs for pretty much
everything else. Internal settings use the appropriate Exchange Server FQDNs by
default, unless you modify them (such as when using load balancers).
External Organization Settings: External settings allow services to be reached
through Internet-available FQDNs. For some reason, many organizations don't like
publishing the internal FQDNs of their Exchange servers. Using external settings
may also ensure that connections are load balanced or sent through firewalls.
Location of the User's Mailbox Server: In earlier versions of Exchange Server,
the user's Mailbox server was stored in Active Directory, stamped on the user
object. However, with the architectural changes to Exchange Server 2013, Outlook
can connect to one of several Mailbox servers, which provide the client access
services in a site. The connection is stateless; in other words, there is no session
affinity, so from one hour to the next a different Mailbox server may be handling
the connection. This makes Autodiscover all the more important. Now using a
user's mailbox GUID plus the domain name from the SMTP address of the user,
Outlook finds a connection point to a Mailbox server. Previously, Outlook had a
direct affinity to the Mailbox server or a Client Access server with the Client Access
array feature introduced in Exchange Server 2010. Client Access arrays, the virtual
RPC endpoint available in Exchange Server 2010, no longer exist in Exchange
Server 2013 or Exchange Server 2016; but then again they're no longer necessary
either.
Location of the Availability Service: Calendar items are stored in each user's
mailbox. However, their free/busy information has historically been placed in a
system public folder, which could suffer from latency due to replication lag. The
Exchange Availability Service allows current information to be quickly looked up
by clients (both in the organization and in federated organizations) as they need it,
rather than having them dependent on stale data in public folders as was the case
in previous versions.
Location of the Offline Address Book Service: OABs in Exchange Server 2016
are generated by an arbitration mailbox, known as an Organization mailbox. This
creates the files that a Client Access service will deliver to Outlook clients via
HTTPS. In Exchange Server 2010 and previous, clients could retrieve this from a
public folder. Locating the OAB URL is essential, because Outlook runs in cached
mode by default and relies on the OAB for address book lookups. Autodiscover
directs Outlook to the OAB URL that can fetch the changes a client requires. If this
or any other Exchange Web Services URL might change on the Exchange server,
the client periodically checks the Autodiscover service to receive those updates and
changes. Autodiscover is contacted not only during the startup process of Outlook
but other times as well.
Outlook Anywhere Settings: With Exchange Server 2016, all Outlook
connections use RPC over HTTPS, aka Outlook Anywhere, or MAPI over HTTP.
Outlook Anywhere is now the connection method for internal, as well as external
connections, and this latest version of Exchange Server no longer accepts MAPI
over RPC connections from Outlook clients. Now, having the external URL
information is a requirement for clients outside your corporate firewall, but more
settings, such as the certificate validation name, are necessary for a successful
Outlook Anywhere session to be established.
Later in this chapter, we'll walk through a typical Outlook 2016 Autodiscover session
and show how all this information is used. For now, just be aware that the value of
many of these options can be user dependent (such as the mailbox location) or site
dependent. As a result, the Autodiscover service is a vital part of spreading load
throughout the entire organization, minimizing traffic over WAN links between sites
and branches, and ensuring that your users are connecting to the best servers they can
reach at the time.
Server Benefits
Autodiscover isn't just useful for clients connecting to the Exchange Server
infrastructure; it's also useful for other servers, both within the organization and
without:
Servers within the same organization and Active Directory forest use Autodiscover
to locate various services on a user's behalf. For example, when a user performs a
logon to Outlook on the web, the Mailbox server handling the Outlook on the web
session needs several of the pieces of information provided by Autodiscover. Using
Autodiscover reduces the load on Active Directory domain controllers and global
catalog servers and removes reliance on cached information. This is true whether
you're in a mixed Exchange Server 2016/2013 organization or are deploying
Exchange Server 2016 for the first time.
Servers within the same organization but in a different Active Directory forest
depend on cross-forest service connection points and internal Autodiscover to
cross the forest boundaries and discover the appropriate servers to use. In this
situation, one Exchange server in the source forest will often act as a proxy for the
appropriate services in the target forest, or it may simply redirect the client. In
multiple-forest deployments, the use of Autodiscover is pretty much mandatory to
ensure that Exchange servers in separate forests can interoperate properly.
Servers within separate federated organizations require the use of the external
Autodiscover information to reach federated availability services. This, plus the
relevant authentication information, allows users to securely share calendar and
free/busy information with their counterparts in federated Exchange Server
organizations. With other Exchange Server organizations, federation greatly
simplifies the configuration and management of these types of operations.
So, let's take a look at the nitty-gritty of how Autodiscover works.
How Autodiscover Works
Don't be fooled by the seeming complexity you're about to see. Autodiscover is pretty
simple to understand. The biggest complications come from certificates and
namespace planning, which we'll get to in a bit and which have gotten significantly
simpler, with fewer namespaces required.
The Service Connection Point Object
The first piece of the Autodiscover puzzle lies with the service connection point (SCP)
object. As each Mailbox server instance is installed into your organization, it creates
an SCP object in the Configuration-naming partition of the Active Directory domain to
which it is joined, at the following location:
CN=<Mailbox Server NetBIOS Name>,CN=Autodiscover,CN=Protocols,CN=<CAS Server
NetBIOS Name>,CN=Servers,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization Name>,
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain name>,DC=<domain
suffix>
Here's what a typical SCP object looks like when dumped from the LDP (LDP.EXE) tool:
Expanding base
'CN=NYC-EX1,CN=Autodiscover,CN=Protocols,CN=NYC-EX1,CN=Servers,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First
Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'…
Getting 1 entries:
Dn: CN=NYC-EX1,CN=Autodiscover,CN=Protocols,CN=NYC-EX1,CN=Servers,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First
Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
cn: EX1;
distinguishedName:
CN=NYC-EX1,CN=Autodiscover,CN=Protocols,CN=EX1,CN=Servers,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First
Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com;
dSCorePropagationData: 0x0 = ( );
instanceType: 0x4 = ( WRITE );
keywords (2): Site=Default-First-Site-Name; 77378F46-2C66-4aa9-A6A6-3E7A48B19596;
name: NYC-EX1;
objectCategory: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=contoso,DC=com;
objectClass (4): top; leaf; connectionPoint; serviceConnectionPoint;
objectGUID: 44f44e8c-164a-446a-9eb8-f21a59b11b65;
serviceBindingInformation:
https://nyc-ex1.contoso.com/Autodiscover/Autodiscover.xml;
serviceClassName: ms-Exchange-AutoDiscover-Service;
serviceDNSName: NYC-EX1;
showInAdvancedViewOnly: TRUE;
systemFlags: 0x40000000 = ( CONFIG_ALLOW_RENAME );
uSNChanged: 184521;
uSNCreated: 184521;
whenChanged: 8/1/2016 6:05:05 PM Pacific Daylight Time;
whenCreated: 8/1/2016 6:05:05 PM Pacific Daylight Time;
There are a few key properties of these entries you should note:
The objectClass property includes the serviceConnectionPoint type. This identifies
the entry as an SCP, allowing it to be searched easily using LDAP.
The serviceClassName property identifies this particular SCP as an
ms-Exchange-AutoDiscover-Service entry. The computers searching for Autodiscover
records can thereby determine that this is an entry pertaining to Autodiscover and
that they should pay attention to it. The client searches the configuration-naming context
for any objects that have a serviceClassName=ms-Exchange-Autodiscover-Service.
Using the combination of objectClass and serviceClassName allows computers to
efficiently find all relevant SCP entries (through an indexed search from a domain
controller) without knowing any computer names ahead of time.
The serviceBindingInformation points to the actual Autodiscover XML file that the
client should access in order to retrieve the current Autodiscover information.
More on this later.
The keywords property holds additional information that the clients use.
Specifically, take note of the Site= value. This value helps you control site affinity,
ensuring that clients use nearby servers that aren't in far-off sites to provide their
Exchange Server services (unless that is desirable).
The rest of the properties on an SCP object are fairly standard for Active Directory
objects, so we won't discuss them further.
Now that you know what a service connection point is and where they're located,
you're mostly set. The distinguished name of each SCP object uniquely identifies the
host associated with that object. If the client search returns multiple SCP objects
that the client will use, it will select among them according to alphabetical order. This
can be useful to know.
Note also that an Exchange server instance publishes its corresponding SCP object to
Active Directory only when it is installed (which is done automatically for you). If you
change something about the Exchange server—such as which site it's located in—it
will not update its SCP object. You have to do that manually. The best way is to use
Exchange Management Shell. Here is a sample command that configures a server
named NYC-EX1 to have an internal URL for the XML file location and also sets it to
be authoritative for two sites:
Set-ClientAccessService -Identity NYC-EX1 -AutodiscoverServiceInternalURI `
"https://mail.contoso.com/autodiscover/autodiscover.xml" `
-AutoDiscoverSiteScope "Site1","Site2"
The DNS Option
The SCP is used when the client or server is joined to an Active Directory domain and
can perform the search against the domain controllers. When the discovering
computer is external or not domain joined, another mechanism is used: DNS lookups.
The following list describes the DNS lookups that are performed for the Autodiscover
service in a given domain. For this example, let'[email protected]
The client (or server) takes the domain portion (contoso.com) of this address and
performs the following lookups in order until it finds a match:
1. A DNS A record (or CNAME record) for contoso.com that points to a web server
that responds to the HTTPS URL
https://contoso.com/Autodiscover/Autodiscover.xml.
2. A DNS A record (or CNAME record) for autodiscover.contoso.com that points to a
web server that responds to the HTTPS URL
https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml.
3. A DNS A record (or CNAME record) for contoso.com that points to a web server
that responds to the HTTP URL
http://autodiscover.contoso.com/Autodiscover/Autodiscover.xml. (Note that this
URL should be configured to redirect to the actual HTTPS location of the
Autodiscover service.)
4. A DNS SRV record for autodiscover._tcp.contoso.com. (This record should contain
the port number 443 and a hostname, such as mail.contoso.com, allowing the
client to try the HTTPS URL
https://mail.contoso.com/Autodiscover/Autodiscover.xml.)
If the requested hostname is returned through either a CNAME record or an SRV
record, be aware that your clients (Outlook in particular) may display a warning dialog
with the following text:
[email protected]?
https://mail.contoso.com/autodiscover/autodiscover.xml
Your account was redirected to this website for settings.
You should only allow settings from sources you know and trust.
This warning will appear every time the client performs Autodiscover unless you
check the Don't Ask Me About This Website Again check box. You can also
prepopulate the Registry key to prevent this warning. See the Knowledge Base article
at http://support.microsoft.com/kb/2480582.
Note that Autodiscover expects the use of HTTPS. Don't publish it over nonsecure
HTTP and expect clients to be happy about it. You have a lot of sensitive information
going through Autodiscover, including user credentials. As a result, certificate
considerations will play a large part in your Autodiscover configuration.
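The lookup order above can be written down as data and compared with what a domain actually publishes, which is a quick way to see which step a client will stop at and whether that step produces the redirect warning. This is an added example, not code from the book: Get-AutodiscoverDnsPlan, its -Resolver hook, the sample address, and the zone data are hypothetical and constructed; the default resolver is the Resolve-DnsName cmdlet, and the SRV owner name is queried with its leading underscore, as it appears in DNS.

```powershell
function Get-AutodiscoverDnsPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        # Assumption: a resolver hook so the function can be exercised offline.
        [scriptblock]$Resolver = {
            param($Name, $Type)
            Resolve-DnsName -Name $Name -Type $Type -ErrorAction SilentlyContinue
        }
    )

    $domain = ($EmailAddress -split '@')[-1].ToLowerInvariant()
    $path   = '/Autodiscover/Autodiscover.xml'

    # The four lookups, in the order the client tries them.
    $steps = @(
        [pscustomobject]@{ Step = 1; Name = $domain;                      Type = 'A';   Scheme = 'https' }
        [pscustomobject]@{ Step = 2; Name = "autodiscover.$domain";       Type = 'A';   Scheme = 'https' }
        [pscustomobject]@{ Step = 3; Name = "autodiscover.$domain";       Type = 'A';   Scheme = 'http'  }
        [pscustomobject]@{ Step = 4; Name = "_autodiscover._tcp.$domain"; Type = 'SRV'; Scheme = 'https' }
    )

    foreach ($s in $steps) {
        # Keep only answer types that matter; a NODATA reply can carry an SOA record.
        $wanted  = if ($s.Type -eq 'SRV') { @('SRV') } else { @('A', 'CNAME') }
        $records = @(& $Resolver $s.Name $s.Type |
                     Where-Object { $_ -and ("$($_.Type)" -in $wanted) })

        $hostName    = $s.Name
        $viaRedirect = ($s.Scheme -eq 'http')   # step 3 exists only to redirect to HTTPS
        $note        = ''

        if ($s.Type -eq 'SRV' -and $records.Count -gt 0) {
            $srv         = $records[0]
            $hostName    = $srv.NameTarget
            $viaRedirect = $true
            if ($srv.Port -ne 443) { $note = "SRV port is $($srv.Port), expected 443" }
        }
        elseif ($records | Where-Object { "$($_.Type)" -eq 'CNAME' }) {
            $viaRedirect = $true
        }

        [pscustomobject]@{
            Step            = $s.Step
            Lookup          = "$($s.Type) $($s.Name)"
            Url             = "$($s.Scheme)://$hostName$path"
            Resolved        = ($records.Count -gt 0)
            RedirectWarning = ($records.Count -gt 0 -and $viaRedirect)
            Note            = $note
        }
    }
}

# Constructed zone data (not real DNS): only the autodiscover A record and the SRV record exist.
$zone = @{
    'autodiscover.contoso.com|A'         = [pscustomobject]@{ Type = 'A';   IPAddress = '192.0.2.10' }
    '_autodiscover._tcp.contoso.com|SRV' = [pscustomobject]@{ Type = 'SRV'; NameTarget = 'mail.contoso.com'; Port = 443 }
}
$offline = { param($Name, $Type) $zone["$Name|$Type"] }

Get-AutodiscoverDnsPlan -EmailAddress 'user@contoso.com' -Resolver $offline |
    Format-Table -AutoSize
```

Omit -Resolver to query live DNS; the first row with Resolved set to True is the step where a client stops.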
Which Option Should I Choose?
You can use several different methods to publish Autodiscover services through
DNS. In the end, the option you choose is up to you and your business needs.
However, you should consider these points to see how they align with your
business objectives. Again, let's consider the case of contoso.com.
Publishing Autodiscover under https://contoso.com doesn't require you to
have an extra DNS name for internal clients. If you have HTTPS published on
this hostname already, you don't need to use an extra certificate or hostname
as long as you can ensure that the Autodiscover virtual directory can be
published under the existing website. Most organizations will probably already
have this namespace published in their DNS, but it could result in
name-resolution collisions if the URL that it points to does not have the
Autodiscover information.
Publishing Autodiscover under https://autodiscover.contoso.com requires you
to have an extra DNS name, but it's a hostname that isn't likely to be used by
any other servers. However, you'll need to have a Subject Alternative Name
(SAN) certificate or a wildcard certificate (not recommended—see the section
“Planning Certificate Names”) or use multiple certificates and a second virtual
website. Publishing a second website is quite a bit more complicated than
simply using the defaults, so keep that in mind.
Publishing Autodiscover under the HTTP redirect not only requires you to
have an extra DNS name but also invokes the security warning for each user.
You'll need to configure the appropriate redirect, and you'll need to have a SAN
certificate or a wildcard certificate or use multiple certificates and a second
virtual website. This option may make sense for organizations that are hosting
multiple servers or SMTP namespaces within a single Exchange Server
organization.
Publishing Autodiscover under an SRV redirect requires you to have external
DNS servers that handle the SRV type. Most modern DNS servers can handle
this, but some DNS hosting services do not. Additionally, this redirect invokes
the security warning for each user. Finally, you'll need to have a SAN
certificate or a wildcard certificate or use multiple certificates and a second
virtual website.
In my experience, the second option (https://autodiscover.contoso.com) is the
best combination of simplicity and control. It's the one that most organizations
we've worked with have used. When Exchange Server 2007 was first introduced,
certificate authorities that could provide SAN certificates were rare and the
certificates themselves were expensive, making the alternative more palatable.
Now, however, that is no longer the case. If you hesitate to deploy SAN
certificates, there is a lot of good guidance out there to help you—including the
section “Deploying Exchange Certificates,” later in this chapter—and Exchange
Server gives you better tools to manage them.
Two Step-by-Step Examples
Enough theory. Let's dive into our example with a company that has the contoso.com
domain and show you a walk-through of a common scenario: a domain-joined
Outlook 2016 client performing Autodiscover behind the organization firewall. To
illustrate this scenario, we'll use a tool every Exchange Server administrator should
know well: the Outlook Test E-Mail AutoConfiguration tool, shown in Figure 6.2.
When using this tool, be sure to uncheck the Use Guessmart and Secure Guessmart
Authentication options in order to get only the results of an Autodiscover query. The
great thing about this tool is that it exposes all the URLs that are returned to the
Outlook client. This allows the administrator to quickly identify misconfigured URLs
and rule out several potential problems when troubleshooting connectivity.
Figure 6.2 Using the Test E-mail AutoConfiguration tool
You can access this tool from Outlook by holding down the Ctrl key while
right-clicking (or left-clicking) the Outlook icon in the notification area on the taskbar. This
opens the menu shown in Figure 6.3. From this menu, select the Test E-mail
AutoConfiguration option.
Figure 6.3 Accessing the Test E-mail AutoConfiguration tool
When a domain-joined machine performs Autodiscover, it steps through the following
process:
1. It performs an LDAP search for all SCP objects in the forest. Outlook enumerates
the returned results based on the client's Active Directory site by sorting the
returned SCP records using the keywords attribute; if there are no SCP records that
contain a matching site value, all nonmatching SCP records are returned. If there
are multiple matching SCP objects, Outlook simply chooses the oldest SCP record
since the list is not sorted in any particular order.
2. Outlook attempts to connect to the configured URL specified in the SCP record's
ServiceBindingInformation attribute:
https://mail.contoso.com/Autodiscover/Autodiscover.xml.
3. When Outlook attempts to connect to the URL, the XML file is generated from the
client request, and then the client successfully receives the XML file shown in
Listing 6.1. (This output can be seen on the XML tab in the Test E-mail
AutoConfiguration screen.)
Listing 6.1 An Autodiscover XML Response
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>UserOne</DisplayName>
      <LegacyDN>/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=3c180eec39b04806a3516ed579c88e7a-UserOne</LegacyDN>
      <AutoDiscoverSMTPAddress>[email protected]</AutoDiscoverSMTPAddress>
      <DeploymentId>af1a8434-68f6-4a93-84c9-bd6129e1a10b</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <MicrosoftOnline>False</MicrosoftOnline>
      <ConsumerMailbox>False</ConsumerMailbox>
      <Protocol Type="mapiHttp" Version="1">
        <MailStore>
          <InternalUrl>https://nyc-ex1.contoso.com/mapi/emsmdb/[email protected]</InternalUrl>
        </MailStore>
        <AddressBook>
          <InternalUrl>https://nyc-ex1.contoso.com/mapi/nspi/[email protected]</InternalUrl>
        </AddressBook>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://nyc-ex1.contoso.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://nyc-ex1.contoso.com/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>nyc-ex1.contoso.com</Server>
        <SSL>Off</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <ASUrl>https://nyc-ex1.contoso.com/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://nyc-ex1.contoso.com/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://nyc-ex1.contoso.com/EWS/Exchange.asmx</EmwsUrl>
        <EcpUrl>https://nyc-ex1.contoso.com/owa/</EcpUrl>
        <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>
        <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>
        <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=contoso.com</EcpUrl-mt>
        <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>
        <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>
        <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>
        <EcpUrl-tm>options/ecp/?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=contoso.com</EcpUrl-tm>
        <EcpUrl-tmCreating>options/ecp/?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=contoso.com</EcpUrl-tmCreating>
        <EcpUrl-tmEditing>options/ecp/?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=contoso.com</EcpUrl-tmEditing>
        <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>
        <OOFUrl>https://nyc-ex1.contoso.com/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://nyc-ex1.contoso.com/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://nyc-ex1.contoso.com/OAB/8e45a957-b581-4044-9014-628b1cb31aef/</OABUrl>
        <ServerExclusiveConnect>On</ServerExclusiveConnect>
        <CertPrincipalName>None</CertPrincipalName>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
There are six key sections to note in Listing 6.1:
The User and Account sections list the user information for the authenticated user.
The EXCH protocol section (identified by the EXCH tag) is for connections inside the
firewall. Remember, all Outlook connections are now over HTTPS. The URLs
provided in this section are based on the InternalURL values.
The EXPR protocol section (identified by the EXPR tag) is Outlook Anywhere—RPC
over HTTPS. The URLs provided in this section are based on the ExternalURL
values.
The WEB protocol section (identified by the WEB tag) is used for Outlook on the web
and other types of clients. The URLs provided in this section are for clients and are
based on the best URL for the users to use.
You will notice what looks like a new provider, ExHTTP, in the list of returned
providers to the Outlook client. However, ExHTTP isn't a provider; it just looks like
one in the Autodiscover log. It is a calculated set of values from the EXCH and
EXPR settings that are processed only by Outlook 2013 and later clients.
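A response in the shape of Listing 6.1 can also be checked mechanically for the misconfigured URLs that the Test E-mail AutoConfiguration tool is used to spot. This is an added example, not code from the book: Get-AutodiscoverUrlReport and its parameters are hypothetical names, and the trimmed sample response, including its deliberately wrong OABUrl, is constructed for illustration.

```powershell
# Constructed sample: a trimmed response in the shape of Listing 6.1.
# The OABUrl is deliberately wrong (plain HTTP, host outside the namespace).
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol Type="mapiHttp" Version="1">
        <MailStore>
          <InternalUrl>https://nyc-ex1.contoso.com/mapi/emsmdb/</InternalUrl>
        </MailStore>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://nyc-ex1.contoso.com/owa/</OWAUrl>
        </Internal>
      </Protocol>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>nyc-ex1.contoso.com</Server>
        <EwsUrl>https://nyc-ex1.contoso.com/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>http://oldserver.corp.local/OAB/</OABUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

function Get-AutodiscoverUrlReport {
    param(
        [Parameter(Mandatory)][string]$Xml,
        [Parameter(Mandatory)][string]$ExpectedDomain
    )

    $doc = [xml]$Xml
    # local-name() sidesteps the two default namespaces used by the response.
    $protocols = $doc.SelectNodes("//*[local-name()='Account']/*[local-name()='Protocol']")

    foreach ($p in $protocols) {
        # The protocol name is either a Type attribute (mapiHttp) or a <Type> child.
        $type = $p.GetAttribute('Type')
        if (-not $type) {
            $typeNode = $p.SelectSingleNode("*[local-name()='Type']")
            $type = if ($typeNode) { $typeNode.InnerText } else { '(none)' }
        }

        # Walk every leaf element and keep those whose text is an absolute http(s) URL.
        foreach ($leaf in $p.SelectNodes('.//*[not(*)]')) {
            $uri  = $null
            $text = $leaf.InnerText.Trim()
            if (-not [Uri]::TryCreate($text, [UriKind]::Absolute, [ref]$uri)) { continue }
            if ($uri.Scheme -notin 'http', 'https') { continue }

            $issues = @()
            if ($uri.Scheme -ne 'https') { $issues += 'not HTTPS' }
            $inDomain = ($uri.Host -eq $ExpectedDomain) -or
                        $uri.Host.EndsWith(".$ExpectedDomain", [StringComparison]::OrdinalIgnoreCase)
            if (-not $inDomain) { $issues += "host outside $ExpectedDomain" }

            [pscustomobject]@{
                Protocol = $type
                Element  = $leaf.LocalName
                Url      = $text
                Issues   = if ($issues) { $issues -join '; ' } else { 'OK' }
            }
        }
    }
}

Get-AutodiscoverUrlReport -Xml $sampleXml -ExpectedDomain 'contoso.com' |
    Format-Table -AutoSize
```

To check a live mailbox, paste the XML tab output from the Test E-mail AutoConfiguration tool into the -Xml argument in place of the sample.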
If the client had been outside the firewall, it would have followed a similar process,
but instead it steps through the hostnames and URLs as described in the previous
section on DNS names. An external client (for the domain contoso.com) using
Autodiscover goes through these steps:
1. The client tries to connect to the Active Directory SCP but is unable to do so.
2. The client performs a DNS query for contoso.com and then
autodiscover.contoso.com and tries to connect to the Autodiscover URL.
3. The client authenticates and retrieves autodiscover.xml from the Autodiscover
HTTPS host.
4. The client parses through the WEB sections of the autodiscover.xml file in order to
determine the correct URL to which it should connect.
5. The client initiates a connection to the appropriate external URL.
To help step through and troubleshoot external connectivity, you should be aware of
the Microsoft Remote Connectivity Analyzer tool, available online from
https://testconnectivity.microsoft.com/. This web-based tool from Microsoft provides
a secure, reliable suite of tests to help diagnose problems with not only Autodiscover
but all of the web-based Exchange Server remote client access protocols and also
server-to-server tests like SMTP connectivity and connectivity from other clients such
as Skype for Business.
We can't say enough about this great troubleshooting weapon, initially developed as a
pet project by a couple of Microsoft engineers. Especially in the early days of Exchange
Server 2010, this tool saved us in many situations. Today, we use it more as a
validation tool than a troubleshooting tool, but regardless of your level of expertise
with Autodiscover, you'll find happiness somewhere in the Remote Connectivity
Analyzer.
Site Affinity (aka Site Scope)
You've gotten through the basics of Autodiscover, so you're ready for some advanced
concepts, such as how site affinity works.
To understand the point of site affinity, consider an organization that has multiple
locations—we'll say in Seattle, Washington (code SEA); Toledo, Ohio (code TOL); and
New Orleans, Louisiana (code MSY). There are Exchange servers and users in each of
these locations. The links between these locations run over WAN links from Seattle to
Toledo and Toledo to New Orleans; it is neither optimal nor desired to allow users in
Seattle to use Client Access services in New Orleans (or vice versa). Using site affinity,
we can use the following commands to help ensure this does not happen:
Set-ClientAccessService -Identity "sea-ex01" `
  -AutoDiscoverServiceInternalUri "https://sea-ex01.contoso.com/autodiscover/autodiscover.xml" `
  -AutoDiscoverSiteScope "Site-SEA","Site-TOL"
Set-ClientAccessService -Identity "sea-ex02" `
  -AutoDiscoverServiceInternalUri "https://sea-ex02.contoso.com/autodiscover/autodiscover.xml" `
  -AutoDiscoverSiteScope "Site-SEA","Site-TOL"
Set-ClientAccessService -Identity "tol-ex01" `
  -AutoDiscoverServiceInternalUri "https://tol-ex01.contoso.com/autodiscover/autodiscover.xml" `
  -AutoDiscoverSiteScope "Site-SEA","Site-TOL","Site-MSY"
Set-ClientAccessService -Identity "tol-ex02" `
  -AutoDiscoverServiceInternalUri "https://tol-ex02.contoso.com/autodiscover/autodiscover.xml" `
  -AutoDiscoverSiteScope "Site-SEA","Site-TOL","Site-MSY"
Set-ClientAccessService -Identity "msy-ex01" `
  -AutoDiscoverServiceInternalUri "https://msy-ex01.contoso.com/autodiscover/autodiscover.xml" `
  -AutoDiscoverSiteScope "Site-TOL","Site-MSY"
Set-ClientAccessService -Identity "msy-ex02" `
  -AutoDiscoverServiceInternalUri "https://msy-ex02.contoso.com/autodiscover/autodiscover.xml" `
  -AutoDiscoverSiteScope "Site-TOL","Site-MSY"
Note that the Set-ClientAccessService cmdlet replaces the Set-ClientAccessServer
cmdlet (although the older cmdlet still exists). When clients perform Autodiscover, they
will match only the records for those Mailbox servers that match the site they are
currently in.
Clients in Seattle will match only the SEA-EX01, SEA-EX02, TOL-EX01, and TOL-EX02 SCP
objects. Because there are multiple objects, they will perform their initial discovery to
TOL-EX01 (this was the last server configured), which will then return URLs for the
servers in the Seattle site.
Likewise, clients in New Orleans will match only the MSY-EX01, MSY-EX02, TOL-EX01, and
TOL-EX02 SCP objects. Because there are multiple objects, they will perform their
initial discovery to MSY-EX01, which will then return URLs for the servers in the New
Orleans site.
Clients in Toledo will match all six SCP objects. Because there are multiple objects,
they will perform their initial discovery to MSY-EX01, which will then return URLs for
the servers in the Toledo site.
If these are not the required behaviors, you should take a close look at the Exchange
Server 2007 Autodiscover white paper at http://technet.microsoft.com/en-us/library/bb332063.aspx.
Although this paper is for Exchange Server 2007, the
concepts transfer to Exchange Server 2016 without much damage.
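The scoping described above can be checked before it is rolled out. The following PowerShell is an added example, not code from the book: it works on constructed objects that mirror the six commands above, and the ServerSite field, the policy list and both function names are assumptions of this example.

```powershell
# Constructed data mirroring the six Set-ClientAccessService commands above.
# On a live server the Name and AutoDiscoverSiteScope values come from:
#   Get-ClientAccessService | Select-Object Name, AutoDiscoverSiteScope
# ServerSite (the site the server sits in) is added by hand for this example.
$scp = @(
    [pscustomobject]@{ Name = 'SEA-EX01'; ServerSite = 'Site-SEA'; AutoDiscoverSiteScope = 'Site-SEA', 'Site-TOL' }
    [pscustomobject]@{ Name = 'SEA-EX02'; ServerSite = 'Site-SEA'; AutoDiscoverSiteScope = 'Site-SEA', 'Site-TOL' }
    [pscustomobject]@{ Name = 'TOL-EX01'; ServerSite = 'Site-TOL'; AutoDiscoverSiteScope = 'Site-SEA', 'Site-TOL', 'Site-MSY' }
    [pscustomobject]@{ Name = 'TOL-EX02'; ServerSite = 'Site-TOL'; AutoDiscoverSiteScope = 'Site-SEA', 'Site-TOL', 'Site-MSY' }
    [pscustomobject]@{ Name = 'MSY-EX01'; ServerSite = 'Site-MSY'; AutoDiscoverSiteScope = 'Site-TOL', 'Site-MSY' }
    [pscustomobject]@{ Name = 'MSY-EX02'; ServerSite = 'Site-MSY'; AutoDiscoverSiteScope = 'Site-TOL', 'Site-MSY' }
)

# Policy from the text: Seattle clients must not be handed New Orleans
# servers, and vice versa.
$forbidden = @(
    [pscustomobject]@{ ClientSite = 'Site-SEA'; ServerSite = 'Site-MSY' }
    [pscustomobject]@{ ClientSite = 'Site-MSY'; ServerSite = 'Site-SEA' }
)

function Get-ScpInScope {
    # SCP records whose site scope lists the client's Active Directory site.
    param([object[]]$Scp, [string]$ClientSite)
    $Scp | Where-Object { $_.AutoDiscoverSiteScope -contains $ClientSite }
}

function Test-ScpScopePolicy {
    # Emits one finding per SCP record that matches a forbidden pairing.
    param([object[]]$Scp, [object[]]$Forbidden)
    foreach ($rule in $Forbidden) {
        Get-ScpInScope -Scp $Scp -ClientSite $rule.ClientSite |
            Where-Object { $_.ServerSite -eq $rule.ServerSite } |
            ForEach-Object {
                [pscustomobject]@{
                    ClientSite = $rule.ClientSite
                    Server     = $_.Name
                    ServerSite = $_.ServerSite
                }
            }
    }
}

# Which SCP records do clients in each site match?
foreach ($site in 'Site-SEA', 'Site-TOL', 'Site-MSY') {
    $names = @(Get-ScpInScope -Scp $scp -ClientSite $site | ForEach-Object { $_.Name })
    '{0} clients match {1} SCP record(s): {2}' -f $site, $names.Count, ($names -join ', ')
}

# The configuration from the text produces no findings.
$findings = @(Test-ScpScopePolicy -Scp $scp -Forbidden $forbidden)
if ($findings.Count -eq 0) { 'No forbidden site pairings.' } else { $findings | Format-Table -AutoSize }

# A mis-scoped record (constructed): a New Orleans server that also lists Site-SEA.
$misScoped = $scp + [pscustomobject]@{ Name = 'MSY-EX03'; ServerSite = 'Site-MSY'; AutoDiscoverSiteScope = 'Site-SEA', 'Site-MSY' }
Test-ScpScopePolicy -Scp $misScoped -Forbidden $forbidden | Format-Table -AutoSize
```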
Planning Certificates for Autodiscover
The other hard part for Autodiscover is managing the required certificates. After
working with a number of Exchange Server 2007 deployments, we began to realize
that the biggest difficulty with Autodiscover certificates was inevitably the need to use
a Subject Alternative Name (SAN) certificate. While other scenarios are possible (such as
creating a separate Autodiscover website on a separate IP address and using a second
single-name certificate) as outlined in the Exchange Server 2007 Autodiscover white
paper, these options ended up being far more complicated to run.
So what's so difficult about SAN certificates? We think that most people don't
understand what certificates really are or how they work. Certificates and Public Key
Infrastructures (PKI) are black magic—stark-naked voodoo—mainly because they've
traditionally been complicated to deploy and play with. Getting even an internal PKI
like the Windows Server 2012 R2 Active Directory Certificate Services in place and
running can be hard to manage unless you already know what to do and what the
results should look like. Add to that the difficulty of managing certificates with the
built-in Windows tools, and most Exchange Server administrators we know want to
stay far away from Transport Layer Security (TLS) and Secure Sockets Layer (SSL).
Although Exchange Server 2016 follows the lead of prior Exchange Server versions
and installs self-signed certificates on each new server, these certificates are not
meant to take you into production for all scenarios. It's technically possible to leave
the self-signed certificate on some services, but the client access service absolutely
requires that the self-signed certificate be replaced before entering a production
environment. Internal Outlook clients can use the self-signed certificates, but Outlook
does not ignore improperly matched names or expired certificates. Internal Outlook
clients will notify the user that the certificate is from an untrusted certificate
authority.
External or web-based clients won't accept a self-signed certificate without you
manually importing the root certificate—which is a huge administrative burden for
mobile clients. For externally facing deployments, you either need to have a well-managed
PKI deployment or use a third-party commercial certificate authority. Make
sure that you use one whose root and intermediate CA certificates are well supported
by the operating systems and devices that will be connecting to your network.
The X.509 Certificate Standard
The digital certificates that Exchange Server and other SSL/TLS-aware systems use are
defined by the X.509 v3 certificate standard. This standard is documented in RFC 2459
(and other related RFCs). The X.509 certificates were developed as part of the X.500
family of standards from the Open Source Initiative but proved to be useful enough
that they were adopted by other standards organizations.
The X.509 certificates are based on the concept of private key cryptography. In this
system, you have an algorithm that generates a pair of cryptographic keys for each
entity that will be exchanging encrypted message traffic: a private key that only that
entity knows and a corresponding public key that can be freely transmitted. As long as
the private keys are kept safe, the system can be used not only to securely encrypt
network communications and email messages but also to prove that messages were
sent from the claimed sender. The exclusivity of the private key provides
authentication as well as security.
For example, if User A and User B want to exchange encrypted messages using a
private key system (S/MIME), here's how it works:
1. Both User A and User B ensure that they each have secure private keys. They have
exchanged their corresponding public keys—maybe through email, by sending a
digitally signed email, by publishing them on their websites, or by locating them in
Active Directory.
2. User A, when sending a message to User B, will use User A's private key to sign the
message and User B's public key to encrypt the message. All of this ensures that
only User B will be able to decrypt the message and provides authenticity that the
message came from User A.
3. User B receives the encrypted messages, validates the digital signature, and uses his
private key to decrypt the message. This ensures that the message actually came
from User A.
When User B receives the message, he uses his own private key to decrypt the
message. If User B wants to send a message to User A in return, he simply reverses
the process. If User B later needs to open the message in his Sent Items folder, he
would use his private key to decrypt it.
Digital certificates help streamline this process and expand it for more uses than just
message encryption by providing a convenient wrapper format for the public keys plus
some associated metadata. For our purposes, though, we're concerned about using
certificates for server authentication and establishing the symmetric shared-session
key for the TLS session.
In Windows, you can view digital certificates, examine their properties, and validate
the certificate chain through the MMC. Although Windows doesn't include a
preconfigured Certificate console, it does include the Certificates snap-in. Open an
instance of MMC.exe and add the Certificates snap-in, configured for the local machine,
as shown in Figure 6.4. You can now view and manage the server certificates that will
be used by Exchange Server.
Figure 6.4 The Certificates MMC snap-in
While you can view the properties of a certificate using the Certificate console, all
certificates that are used by Exchange Server (for HTTPS, SMTP, UM Call Router,
IMAP, or POP) should be managed using either the Exchange Admin Center or the
Exchange Management Shell.
Let's take a look at the typical properties of an X.509 v3 digital certificate as
provisioned for Exchange Server:
Subject Name This property provides the identity of the entity to which the
certificate applies. This can be in X.500 format, which looks like LDAP, or in DNS
format if intended for a server.
Subject Alternative Name This is an optional property that lists one or more
additional identities that will match the certificate. If the hostname in the URL
that the client attempts to connect to doesn't match the subject name or subject
alternative name properties, the certificate will not validate. Without this property,
a certificate can match only a single hostname.
Common Name Also known as the friendly name, this property provides a useful
text tag for handling and managing the certificate once you have a collection of
them.
Issuer This property lists the identity of the issuing certificate authority (CA).
This can be a root CA or an intermediate CA. Combined with the CA's own digital
signature, this property allows establishment of the
certificate chain of trust back to the root CA. What distinguishes a root CA? The
fact that this property (plus signature) is self-signed.
Serial Number This property allows the certificate to be easily published on a
certificate revocation list (CRL) by the certificate authority if the certificate has
been revoked. The location(s) of the CRL is usually included on the issuer's
certificate. This is typically a URL. Many applications, including Outlook, attempt
to check (directly or indirectly using Windows CAPI2) the CRL to verify whether the
certificate has been revoked.
Thumbprint This property (and the corresponding thumbprint algorithm) is a
cryptographic hash of the certificate information. This thumbprint is commonly
used by Exchange Server as an easy identifier for certificates.
Valid From and Valid To These properties define the effective duration of the
certificate. They are evaluated as part of the certificate validation.
Public Key This property contains the entity's associated cryptographic public
key. The corresponding private key is never viewed with the certificate.
The Certificate Path tab of the properties dialog box displays the certificate trust chain
and verifies that the proper CA certificates are installed. When installing a third-party
or an internally generated certificate, it is essential that the Exchange server trusts all
certificates in the certificate chain, similarly to the certificate validation that occurs on
a client computer. The trust chain uses a simple transitive logic for trusting
certificates. Certificates are issued by certification authorities that are already trusted
by the Exchange servers. Or, as it was described to me in college, if you trust your
father, and your father trusts his father, then you automatically trust your
grandfather.
Deploying Exchange Certificates
Now that we've talked about certificates in general, let's dive into the issues of getting
them deployed on your Exchange Server 2016 servers.
Planning Certificate Names
The first part of creating digital certificates for your Exchange Server 2016 servers is
deciding which names you need. For the client access service, it's highly recommended
that you accept the need for a SAN certificate. Although SAN certificates are more
expensive than single-name certificates, you can often configure them so that you can
reuse them on multiple servers. Otherwise, you need to use a lot of single-name
certificates—potentially with multiple websites and virtual directories on your
Exchange server instances. This can become an overwhelming amount of operational
overhead.
Sure, you can use wildcard certificates for some scenarios, such as Outlook and
Windows Phones. The wildcard certificate is issued for an entire domain, such as
*.contoso.com. This certificate could then be used by multiple servers and sites.
Naturally, wildcard certificates are usually more expensive than certificates issued for
a single host. Be aware, also, that not all clients (such as earlier Windows Mobile
phones) will recognize wildcard certificates. The Exchange Server product group does
not recommend wildcard certificates, and neither do we. They present a bigger risk
than SAN certificates, which point to specific named resources. That being said, for
small organizations that do not have significant security concerns, a wildcard
certificate can sometimes be a simpler overall deployment option.
Let's take the three-site contoso.com example from earlier in this chapter and some of
the factors to consider when requesting certificates:
For Internet connectivity, a single site will act as the gateway for all inbound
Internet connectivity. That site will host the initial Autodiscover service and,
therefore, the domain name autodiscover.contoso.com.
We'll use the FQDN mail.contoso.com as our generic external access name. We
don't need to use a separate domain name for this—we could easily use
autodiscover.contoso.com, but users are accustomed to an easier-to-understand
name.
Having two names could mean either multiple IP addresses and websites or a SAN
certificate. We don't want to incur the overhead of multiple certificates and
websites, so we will use a SAN certificate. We can issue a single certificate for all
the Client Access servers at each site. We'll include the FQDNs of each of the
servers in the SAN. Most commercial CAs have a price increase after five names on
a SAN certificate, so you need to keep that in consideration. But always consider all
the places you may want to use a certificate, such as on multiple Client Access
servers for load balancing.
So, if we have multiple sites, the certificate will require the distinctive names of the
locations (such as canada.contoso.com and europe.contoso.com), as well as
mail.contoso.com and autodiscover.contoso.com. We don't need to include the
NetBIOS names of our servers—Exchange Server and its clients don't use them unless
we choose to configure them otherwise.
As you start requesting certificates, it is important to note that poor namespace
planning or separate internal namespaces (such as contoso.com for external clients but
contoso.local for internal clients) will result in more complex certificate
requirements. Ensure that you have carefully thought out the internal and external
URL requirements as you are planning your Exchange Server 2016 deployment.
Something to watch for is that you set the common name to be the preferred name
that users will access the most and the one that is seen on the first properties page, so
in our example we would most probably select mail.contoso.com as the common
name in the certificate.
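A planned name list can be checked against the hostnames clients will really use before the request is submitted. The following PowerShell is an added example, not code from the book: the two function names are made up here, the last three hostnames in the required list are constructed, and the wildcard rule it applies (a wildcard stands for exactly one leftmost DNS label) is the usual client behaviour rather than something the text states.

```powershell
function Test-CertNameMatch {
    # True when $HostName is matched by a single certificate name.
    # A wildcard stands for exactly one leftmost DNS label.
    param([string]$CertName, [string]$HostName)
    $c = $CertName.ToLowerInvariant().TrimEnd('.')
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    if ($c.StartsWith('*.')) {
        $suffix = $c.Substring(1)                       # e.g. ".contoso.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($c -eq $h)
}

function Get-CertNameCoverage {
    # One row per required hostname, showing which certificate name covers it.
    param([string[]]$CertificateNames, [string[]]$RequiredHosts)
    foreach ($required in $RequiredHosts) {
        $coveredBy = @($CertificateNames |
            Where-Object { Test-CertNameMatch -CertName $_ -HostName $required })
        [pscustomobject]@{
            HostName  = $required
            Covered   = ($coveredBy.Count -gt 0)
            MatchedBy = ($coveredBy -join ', ')
        }
    }
}

# Names from the text: the external names plus the per-location names.
$sanCertificate = 'mail.contoso.com', 'autodiscover.contoso.com',
                  'canada.contoso.com', 'europe.contoso.com'
$wildcardCertificate = '*.contoso.com'

# Hostnames clients connect to. The first three appear in the chapter; the last
# three are constructed: a split internal namespace, a two-label host, and a
# host nobody planned for.
$requiredHosts = 'mail.contoso.com', 'autodiscover.contoso.com', 'nyc-ex1.contoso.com',
                 'autodiscover.contoso.local', 'owa.europe.contoso.com', 'unplanned.contoso.com'

'SAN certificate:'
Get-CertNameCoverage -CertificateNames $sanCertificate -RequiredHosts $requiredHosts |
    Format-Table -AutoSize

'Wildcard certificate:'
Get-CertNameCoverage -CertificateNames $wildcardCertificate -RequiredHosts $requiredHosts |
    Format-Table -AutoSize
```

The SAN list leaves the server FQDN and the contoso.local name uncovered until they are added, while the wildcard also covers the unplanned host, which is the wider exposure the text refers to. On an Exchange server the name list of an installed certificate is available from the CertificateDomains property of Get-ExchangeCertificate output.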
Issuing and Enabling Certificates with Exchange Admin Center
In Exchange Server 2007 and Exchange Server 2010, you had to do all your certificate
requests and imports either through the Certificate MMC snap-in (which was a pain)
or through the EMS. In Exchange Server 2013 and Exchange Server 2016, if you click
the Servers node in the EAC, you can view, manage, and even request new certificates
for your Exchange servers.
When you go through the Exchange Certificate Wizard to request a new certificate, it
will prompt you for a variety of information. For example, on one page of the wizard,
you need to specify the domain(s) for which each access type is available. For
example, you may select Outlook Web App (this represents Outlook on the web
although the wording has not been updated in the EAC yet) and Exchange ActiveSync
for contoso.com.
On the next page of the wizard, you will see the different types of names that you can
include in your certificate request. For example, we could add mail.contoso.com and
nyc-ex1.contoso.com to populate the SAN names.
Note in Figure 6.5 that this server's internal Outlook on the web (shown as Outlook
Web App in the Exchange Certificate screen) name is nyc-ex1.contoso.com and the
external name is mail.contoso.com. For some of these fields, the New Exchange
Certificate Wizard is making a “best guess” at the correct names, but you will need to
fill in some of the others manually, depending on your naming preferences and what
you have configured in DNS.
Figure 6.5 Viewing the domains to be included in the certificate request
In Figure 6.6, you can see the Certificate Domains page; this page allows you to
specify additional fully qualified domain names that will show up in the certificate
request. The wizard is making another “best guess” for this certificate request by
adding all of the accepted domains as well. You may want to check that the hostname
Autodiscover is present for each of these domain names.
Figure 6.6 The Certificate Domains Wizard Page
The Organization and Location page of the wizard requests information that most
administrators who have already configured a certificate request will recognize. This
includes the organization information, department, city, state, and country.
On the last page in the wizard you must provide a name and path where the certificate
request file will be created. The completion of this wizard will execute the relevant
cmdlet for you. In this case, the cmdlet New-ExchangeCertificate is being run, such as
is shown here:
New-ExchangeCertificate
{PrivateKeyExportable=True,FriendlyName=mail,
SubjectName=System.Security.Cryptography.X509Certificates.X500DistinguishedName,
DomainName={ex1.contoso.com,mail.contoso.com,EX1},
RequestFile=\\nyc-ex1\c$\cert.req,GenerateRequest=True,Server=NYC-EX1,
KeySize=2048}
(This cmdlet comes, of course, with Get- and Set- partners as well, to view and
configure the certificate.)
You can now submit to a certificate authority the contents of the file that was created.
Once you have received back a signed certificate, you use the Complete Pending
Request Wizard to complete the process. Start this by clicking Complete next to the
certificate showing a pending state. This wizard will load the signed certificate into the
certificate store on the appropriate server.
The final process after the certificate is fully loaded is to assign the certificate to be
used by the appropriate services (such as SMTP or IIS). Select the certificate in the
work pane, click the Edit button on the toolbar, and select the Services node on the
left. On the Services node of the wizard (shown in Figure 6.7), select the appropriate
services. When you select Internet Information Services (IIS), they include Outlook
on the web, the Exchange Admin Center (EAC), the Exchange Control Panel (ECP),
Exchange Web Services (EWS), and ActiveSync. Note that a service can be assigned to
only one certificate at a time.
Figure 6.7 Selecting services that will use the certificate
A Word of Warning
Whichever tool you use to request certificates should be the tool you use to
import them. Although you should be able to mix and match them in theory,
we've seen odd results in practice. Also, don't use the Certificate Wizard in IIS to
request Exchange Server certificates, especially if you need SAN certificates. Stick
to the Exchange Server tools for certificate management and also for renewals;
the non–Exchange Server tools will not install certificates or manage certificates
in the appropriate locations or in the appropriate manner.
Issuing and Enabling Certificates with EMS
Although Exchange Server 2016 provides an Exchange Admin Center interface for
managing certificates, you can still manage certificates through the EMS. If you have
done this in the past with older versions of Exchange Server, you might have to learn a
few new tricks in order to work with certificates from the EMS. Because of the way
PowerShell works via remoting now, you can no longer specify a path for a certificate
request file. Instead, the certificate request is output to the shell, so you must capture
that to a variable. Here's the command you would issue to generate a certificate
request for the URL mail.contoso.com and capture it to the $Data variable:
$Data = New-ExchangeCertificate -GenerateRequest `
  -SubjectName "c=US, o=Contoso, cn=mail.contoso.com" -DomainName contoso.com `
  -PrivateKeyExportable $true
Next, we need to output the value stored in the $Data variable to the file
c:\CertRequest.req using this command:
Set-Content -Path "C:\Docs\MyCertRequest.req" -Value $Data
Here are the details of the New-ExchangeCertificate cmdlet (discussed earlier, in the
section “Issuing and Enabling Certificates with Exchange Admin Center”):
GenerateRequest This parameter tells Exchange Server to generate a certificate
request. Had we left it off, the command would have generated a new self-signed
certificate. That's usually not what you want. This request is suitable for either an
internal PKI or a commercial CA.
PrivateKeyExportable This parameter is extremely important and is the cause of
most certificate headaches we've seen. When a certificate request is generated, it
includes the public key, but the private key stays in the secure Windows certificate
store. If the CA is configured to allow export of the private key, the request must
explicitly ask for the private key to be exportable in the first place. If this
parameter wasn't included or was set to $false, we wouldn't be able to export the
certificate's private key to import to the other CAS instance or onto the external
firewall, which is often done.
FriendlyName This parameter is set for administrative convenience. If we have
multiple certificates issued to the machine, it allows us to identify the certificate
with which we're dealing.
DomainName This parameter allows us to set one or more domain names. If we
specify more than one, Exchange Server will automatically create and populate the
SAN property with all the requested hostnames and set the subject name of the
certificate to the first hostname in the list. Although the cmdlet provides additional
parameters to explicitly set the subject and alternate names, you don't need them.
A successful run of the cmdlet will generate the request output and a thumbprint of
the request. Submit the request to your CA, download the corresponding certificate,
and then import the certificate back on the same machine, as in the following
example:
Import-ExchangeCertificate `
  -FileData ([Byte[]]$(Get-Content -Path c:\CertImport.pfx -Encoding byte -ReadCount 0)) `
  -Password:(Get-Credential).password
This cmdlet will import the saved certificate if it matches a pending request and print
out the thumbprint of the newly imported certificate. Ensure that you look after the
PFX file that is used here. We've seen administrators leaving this on the desktop or
the C: drive of Exchange servers. Best practice is not to store a copy of this on the
server itself. By all means keep a copy in a safe place if it will not be possible or
convenient to download a copy in the future.
You can now view the certificate in the Certificates snap-in in MMC or from the
certificate management functionality in the Exchange Admin Center. From here you
can view the details about the certificate, such as the thumbprint, SAN names, and
which services the certificate is assigned to, as shown in Figure 6.8.
Figure 6.8 Viewing certificate properties
The final step is to enable Exchange Server services against the certificate:
Enable-ExchangeCertificate -Thumbprint <certificate thumbprint> -Services <services>
<services> is a comma-separated list of one or more of the following values,
depending on the protocols you have enabled and the roles you have installed:
SMTP For use with SMTP + TLS for front-end/back-end transport services.
UMCallRouter For use with the Unified Messaging services' call router and
connecting to the Client Access server.
UM For use with general Unified Messaging services.
Federation For use when configuring federated services with the Microsoft
Federation Gateway. (You cannot assign this service with this cmdlet; it is
configured when configuring a federated trust.)
IIS For use with client access, including Autodiscover.
IMAP For use with client access using the IMAP client protocol.
POP For use with client access using the POP3 client protocol.
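Three points from this section lend themselves to a routine check: the self-signed certificate must be replaced on client access, Outlook does not ignore expired certificates, and the PFX file should not be left on the server. The following PowerShell is an added example, not code from the book: both function names are made up here, and the sample objects are constructed to mimic the Thumbprint, Subject, Services, IsSelfSigned and NotAfter properties of Get-ExchangeCertificate output.

```powershell
function Test-ExchangeCertificateHygiene {
    # Flags self-signed certificates bound to IIS and certificates that are
    # expired or close to expiry. Accepts Get-ExchangeCertificate output or
    # any objects carrying the same property names.
    param(
        [Parameter(Mandatory)] [object[]]$Certificate,
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date)
    )
    foreach ($cert in $Certificate) {
        $findings = @()
        if ($cert.IsSelfSigned -and "$($cert.Services)" -match '\bIIS\b') {
            $findings += 'self-signed certificate bound to IIS (client access)'
        }
        if ($cert.NotAfter -lt $Now) {
            $findings += 'expired'
        }
        elseif ($cert.NotAfter -lt $Now.AddDays($WarnDays)) {
            $findings += "expires within $WarnDays days"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Services   = "$($cert.Services)"
                Findings   = ($findings -join '; ')
            }
        }
    }
}

function Find-ExportedKeyFile {
    # Lists PFX/P12 files under the given folders, such as a desktop.
    param([Parameter(Mandatory)] [string[]]$Path)
    Get-ChildItem -Path $Path -Include '*.pfx', '*.p12' -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed sample input (thumbprints are placeholders, not real values).
$sample = @(
    [pscustomobject]@{ Thumbprint = 'CONSTRUCTED-THUMBPRINT-01'; Subject = 'CN=NYC-EX1'
                       Services = 'IIS, SMTP'; IsSelfSigned = $true;  NotAfter = [datetime]'2021-05-01' }
    [pscustomobject]@{ Thumbprint = 'CONSTRUCTED-THUMBPRINT-02'; Subject = 'CN=mail.contoso.com'
                       Services = 'IMAP, POP'; IsSelfSigned = $false; NotAfter = [datetime]'2016-06-20' }
    [pscustomobject]@{ Thumbprint = 'CONSTRUCTED-THUMBPRINT-03'; Subject = 'CN=mail.contoso.com'
                       Services = 'None';      IsSelfSigned = $false; NotAfter = [datetime]'2016-01-15' }
)

# A fixed "now" keeps the sample run repeatable.
Test-ExchangeCertificateHygiene -Certificate $sample -Now ([datetime]'2016-06-01') |
    Format-Table -AutoSize -Wrap

# On an Exchange server, in the Exchange Management Shell:
#   Test-ExchangeCertificateHygiene -Certificate (Get-ExchangeCertificate)

# Look for exported key files left on the current user's desktop.
Find-ExportedKeyFile -Path "$env:USERPROFILE\Desktop"
```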
The Bottom Line
Work with Autodiscover. Autodiscover is a key service in Exchange Server
2016, both for ensuring hassle-free client configuration and for keeping the
Exchange servers in your organization working together smoothly. Autodiscover
can be used by Outlook 2010, Outlook 2013, Outlook 2016, Entourage, Outlook for
Mac 2016, Windows Mobile/Windows Phone, and other mobile devices like
Android, iOS, and even Windows RT devices.
Master It You are configuring Outlook 2016 to connect to Exchange Server and
you want to diagnose a problem that you are having when connecting. Which
tool can you use?
Troubleshoot Autodiscover. In a large organization with multiple Active
Directory sites or multiple namespaces, it is essential to track the Autodiscover
traffic and understand where client queries will be directed.
Master It If you have multiple Active Directory sites, what should you do to
control the client flow of requests for Autodiscover information?
Manage Exchange Server certificates. Exchange Server 2016 servers rely on
functional X.509 v3 digital certificates to ensure proper TLS security.
Master It Which tools will you need to create and manage Exchange Server
certificates?
Part 2
Getting Exchange Server Running
Chapter 7: Exchange Server 2016 Quick Start Guide
Chapter 8: Understanding Server Roles and Configurations
Chapter 9: Exchange Server 2016 Requirements
Chapter 10: Installing Exchange Server 2016
Chapter 11: Upgrades and Migrations to Exchange Server 2016 or Office 365
Chapter 7
Exchange Server 2016 Quick Start Guide
Reading through a Mastering book just to figure out how to get a quick installation of
Exchange Server 2016 up and running may seem like a daunting task—especially if all
you want to do is get a look at Exchange and play around with it. With that in mind,
we'll present the steps for getting a lab or test server up and running quickly.
The purpose of building a test server is to learn and optimize the installation and
configuration experience. Exchange is a feature-rich application and, as such, has
many different ways to configure settings for optimization, performance, and stability.
Using a test server to try various scenarios provides for a better production
deployment—and a better-prepared administrator.
We won't cover every little detail on every setting or extensive design and best
practices in this chapter—that's what the rest of this book is for—but we will discuss
the requirements for getting a typical Exchange Server 2016 server up and running. A
typical Exchange Server 2016 is one that holds the Mailbox role. The Mailbox role in
Exchange Server 2016 contains all the functionalities that were previously located in
the Exchange Server 2013 Client Access role and Mailbox role and all the
functionalities that were previously located in the Exchange Server 2010 Client Access
role, Hub Transport role, Mailbox role, and Unified Messaging role. Exchange Server
2016 Setup also includes the Edge Transport role; if you intend to use it, you'll need to
install it on a separate computer because it is not possible to install the Mailbox role
and the Edge Transport role on the same computer. Furthermore, the Edge Transport
role should be installed on a computer configured as a workgroup computer located in
a perimeter network.
IN THIS CHAPTER, YOU WILL LEARN TO:
Quickly size a typical server
Install the necessary Windows Server 2012 R2 or Windows Server 2012
prerequisites
Install the Exchange Server 2016 Mailbox and Edge Transport server roles
Configure Exchange to send and receive email
Configure recipients, contacts, and distribution groups
Server Sizing Quick Reference
Although properly sizing a server for production is extremely important, sizing for a
lab or test server is somewhat less involved if you're only interested in pushing some
buttons and “kicking the tires” of Exchange Server 2016. For instance, a lab server
might have enough storage for a few users, but a production server might be
configured for many hundreds or thousands.
However, in order to have a responsive lab or evaluation environment, you still should
pay attention to some basics when you're building a test server.
Hardware
In this section, we'll look at the hardware required to quickly set up a lab
environment. We'll focus on memory, processors, storage, operating system, and
virtualization considerations.
Memory
Exchange Server 2016 is the fourth generation to use 64-bit architecture. Although
this gives overall better memory management, including the ability to handle higher
amounts of physical memory, it also means that the baseline memory requirements
have increased when compared to earlier versions of Exchange. The Exchange Server
2016 architecture, while reducing the number of roles required, necessarily increases
the number of processes running on the typical server.
The baseline requirement for the Mailbox role is 8 GB of RAM. Although these
minimums aren't enforced by the Setup program, Exchange will run very slowly
without enough RAM. The ESE database component and Exchange services require
more RAM even on a lightly loaded server. This overhead adds up on low-end servers
such as test servers but scales for better caching and efficiency in servers with many
users.
The final piece for memory utilization is to properly configure your Windows Server
page file. By default, Windows will manage the page file on its own, but you need to
change this to keep even lightly loaded lab Exchange servers from excessive paging. As
shown in Figure 7.1, if your Exchange Server has 8 GB of RAM, set the page file to a
static fixed size: physical RAM (8 GB = 8192 MB) plus 10 MB (8202 MB).
Figure 7.1 Setting a static page file for 8 GB of RAM
Processors
Server hardware that will host Exchange Server 2016 requires 64-bit processors. This
includes either x64 Intel or AMD64 CPUs. Itanium IA64 processors are not supported
for Exchange Server 2016. The minimum recommended number of processor cores for
a lightweight test Exchange server is two. Even in a lab, two processor cores may not
provide enough performance, so consider using four to eight processor cores. With a
single core, expect installation to take an inordinately long time during normal
operations.
Disk Space
Basic Exchange Server 2016 storage requirements include space for the Exchange
binary files, message-tracking logs, mailbox databases and transaction logs, and
transport-queue databases and transaction logs.
A typical installation requires at least the following:
30 GB available on the installation drive for binaries. Don't forget to keep free
space available for utilities and cumulative updates.
200 MB available on the system drive (typically, C:), aside from the space used by
the page file and any spare space you keep for system updates and normal
operations (such as IIS logs).
500 MB available for the transport queue, by default on the installation drive.
Space for mailbox databases and transaction logs.
When you're installing on Windows Server 2012, the system drive must, of course, be
formatted with NTFS, as must all volumes used for Exchange Server 2016 binaries.
The Resilient File System (ReFS) feature in Windows Server 2012 is supported and
recommended by Exchange for volumes that host mailbox databases and transaction
logs, where the integrity feature in ReFS should be disabled.
Network
Exchange Server 2016 servers should have one 1 Gbps Ethernet network interface card
that is not teamed. Additional cards can be used but aren't required, as the Microsoft
preferred architecture for Exchange Server 2016 advises that only one network adapter
is used.
If you're deploying a DAG on mailbox servers, you can't use Windows network load
balancing on the Mailbox roles. However, with the new Exchange Server architecture,
simple DNS round-robin records may be sufficient to test load balancing in a lab
environment.
Finally, whether you're using IPv6 or not, there's no real advantage to disabling it.
Windows (and Exchange) are tested with IPv6 enabled. If you do disable it, follow the
Windows IPv6 FAQ guidelines on completely disabling IPv6, including keeping IPv4
enabled. Don't simply unbind it from your network adapters. This practice does not
ensure that IPv6 components are no longer active in the network stack and has been
the source of past Exchange network and stability issues.
Server Virtualization
Both Exchange Server 2016 roles are supported in virtual environments when all the
following conditions are true:
The hardware virtualization software is running one of the following:
Windows Server 2012 R2 with Hyper-V technology
Microsoft Hyper-V Server 2012 R2
Windows Server 2012 with Hyper-V technology
Microsoft Hyper-V Server 2012
Any third-party hypervisor that has been validated under the Windows Server
Virtualization Validation Program
NOTE Theoretically, Microsoft supports any Hyper-V edition for Exchange Server
virtualization. However, installing an older virtualization platform is not
recommended due to the shorter support time frame.
You can also use Microsoft Azure virtual machines for your test lab. However, for
a production environment, Exchange Server 2016 running on Microsoft Azure is
supported only if volumes used for Exchange mailbox databases, database
transaction logs, and transport databases are configured for Azure Premium
Storage. For a nonproduction environment, such as testing and development,
Azure Premium Storage is not a requirement.
The Exchange Server guest virtual machine meets all of the following
requirements:
Running Microsoft Exchange Server 2016.
Deployed on Windows Server 2012 R2 or Windows Server 2012.
Not backed up and restored using virtual machine snapshots; only Exchange-supported
backup mechanisms are supported.
Not protected by virtualization HA mechanisms that use disk-based state save
files such as Hyper-V's Quick Migration.
The virtual machine configurations meet the following conditions:
No memory oversubscription or dynamic memory allocation is used.
Processor oversubscription is at a ratio of no more than 2:1.
The virtual storage meets the following conditions:
If virtual hard drives are used, they should be a fixed size for performance and
data stability, not dynamically expanding.
It doesn't use differencing drives.
It doesn't use any file-based storage, such as SMB or NFS at any layer in the
stack, with the exception of SMB 3.0 when used to host fixed-size virtual drives;
under no circumstances can you use file-based storage to direct-mount and
host Exchange data files (see the “Microsoft Requirements and
Recommendations” sidebar in Chapter 4, “Virtualizing Exchange Server 2016,”
for more information).
The operating system drive should be at least 15 GB plus the size of the virtual
memory, although realistically in many lab scenarios you will want this drive to
be large enough for the boot partition, the operating system, the page file, the
Exchange binaries, the default Exchange databases, and any patches.
Operating Systems
Exchange Server 2016 supports the following operating systems:
Windows Server 2012 R2 (Standard or Datacenter Edition)
Windows Server 2012 (Standard or Datacenter Edition)
Trial versions of each of these operating systems are available for download from
Microsoft's website. They will provide months of use and can be installed over and
over for testing. You cannot use the Server Core installation of either version of
Windows for Exchange Server 2016 machines, however.
Windows Server 2012 R2 includes many stability-, performance-, and security-related
updates from its predecessors. Exchange Server 2016 supports both Windows Server
2012 R2 and Windows Server 2012 Standard and Datacenter Editions. However, we
recommend that you install Exchange Server 2016 on Windows Server 2012 R2 or
Windows Server 2012 Standard Edition. Standard Edition is quite a bit cheaper, and it
provides the same operating system functionality as Datacenter Edition. When
looking at a new mail platform, it makes sense to use the latest operating system
because of all the enhancements available. Building a test server is a perfect
opportunity to get some experience with the new operating system. Additionally, it
makes sense to deploy an operating system that will still be in mainstream support
during the typical life cycle of a newly deployed server. Windows Server 2012 R2 and
Windows Server 2012 include many of the prerequisites required for Exchange,
making deployment quick and easy compared to previous Exchange Server and
operating system versions.
BecausewearefocusingongettinganExchangeserverupandrunningquicklyinthis
chapter,weassumethefollowing:
TheserverisjoinedtoanActiveDirectorydomain,andtheActiveDirectory
domainisisolatedfromanyproductiondomains.
TheActiveDirectoryforestanddomainareataminimumfunctionallevelof
WindowsServer2008.
TheserverhasastaticIPaddressassigned.
TestActiveDirectoryuseraccountshavebeencreated.
YouhaveanadministrativeaccountthatisamemberoftheSchemaAdmins,
DomainAdmins,andEnterpriseAdminssecuritygroups.
Theserverisnotadomaincontroller.
TherearenootherExchangeserversinthedomain.
ThereisadomaincontrollerinthesameActiveDirectorysiteinwhichthe
Exchangeserverwillreside.
Ifyouhavemultipledomainsintheforest,thefirstsiteinwhichyouwillinstallan
Exchangeservercontainsawriteableglobalcatalogserverfromeachdomain.
Basedontheseassumptions,youshouldbeabletogothroughthischapterandbuilda
functioningExchangeServer2016serverquickly.
Consider Setting Up a Lab Environment
In many environments, space is at a premium. Administrators may see no need
for a lab environment, or they may feel that they don't have the time, energy, or
budget to get one approved by management. If you enjoy managing your
Exchange organization in a reactive fashion—always fixing problems after the
fact, always finding out the hard way about software incompatibilities, always
realizing two hours after your maintenance window was supposed to end that
you're actually not sure how a particular feature works—then you absolutely don't
need a lab—or this chapter. Everyone else, read on.
Labs are one of the big factors that make the difference between on-time,
on-budget Exchange deployments and cost/time overruns. If management ever feels
the need for a lab, give them the following list:
Labs allow you to test new patches and updates before risking production
systems. Although it's not the norm, occasionally Windows and Exchange updates
have problems that take down Exchange services. By updating your lab first, you
have a better chance of finding these problems before they take you down.
Labs allow you to be better trained and enable you to work out bugs and
omissions in your procedures. If you've never applied updates to a DAG cluster
before (or it's been a while since the last time), a lab is invaluable for clearing
out the cobwebs. If you have a special work sequence that has to be
performed, you can fine-tune that process in the safety of your lab. Want to
make sure your disaster recovery (DR) staff knows how to perform a site-level
failover? Do it in your lab.
Labs can end up saving you time and money on support incidents. By
replicating a problem in the lab before calling support, you can often narrow
down the precise factors that are contributing to the problem. Whether you
have a concise set of repro steps or end up finding the answer, you're likely to
waste less time playing phone or email tag with support providers.
Many administrative tasks can be efficiently performed in Exchange
Management Shell. The lab environment allows you to test your Exchange
Management Shell cmdlets and scripts before you run them in a production
environment.
To meet these goals, however, your lab needs to meet a few essential criteria:
It has to be a separate forest.
Remember, you can have only a single Exchange organization in an Active
Directory forest. Keep that forest roughly in sync, though. If you have mixed
levels of domain controllers in production, have one of each in the lab. Consider a
forest trust and cross-forest group memberships so that your Exchange
administrators can use their regular administrative credentials in the lab rather
than juggle yet another username and password. Keep the DNS, AD, and
Exchange infrastructure similar to the production environment so that tests
performed in the lab environment will closely match the production
environment. However, configure test namespaces differently than the
production namespaces to avoid confusing the lab environment with the
production environment and mistakenly performing tests in the production
environment. Consider a regular Active Directory dump of users from production
to the lab.
Simplicity is key.
Introduce only as much complexity as you need—only your key third-party apps,
client types, and systems need to be in the lab. You don't have to have a lab copy
of each Exchange server in production, and you don't have to replicate all the
sites. If you have multiple DAGs, note that your lab needs only one—and it needs
only two or three members, not the full number in production. Your lab DR site
doesn't typically need a fully redundant number of DAG members.
You don't need a full load balancer when a Windows box with Internet
Information Server (IIS) and the Application Request Routing extension may give
you the functionality you actually need in the lab. However, if you need your
operators to be comfortable using these additional components as part of their
normal processes, they should be in the lab.
Don't forget clients.
Labs are fantastic for troubleshooting client issues if you include clients in the
lab. Keep them up-to-date with the production clients. Don't waste time synching
plug-ins and additional add-ons unless you are troubleshooting a problem that
includes those components.
Know when to break the rules.
Labs are a perfect place to use virtualization technologies and to ruthlessly exploit
the benefits of virtualization, such as VM snapshots. While these features aren't
supported in production environments, they're time-savers for a lab. However,
when you're taking snapshots, capture all of the virtual machines (domain
controllers, Exchange servers, clients, and everything else) at the same time so
rollbacks all come back to a consistent known spot.
Make lab maintenance a regular activity.
Keep time on the schedule to patch and update your lab. Spread the load for
various maintenance tasks among your staff so that no one person gets stuck
maintaining the entire lab while everyone else trashes it. Ensure that everyone
knows the appropriate policies and procedures for resetting the lab and that
there's an override in place for situations (such as support calls) when changes to
the lab should not take place.
Having a badly implemented lab can require a lot of work. However, done smartly,
a lab can increase your productivity and help you become more proactive about
managing your Exchange organization.
Configuring Windows
In this section, we'll look at prerequisites. This includes those for Active Directory as
well as the server and its operating system. We'll start with Active Directory.
Active Directory Requirements
It's important to keep your test environment isolated from your production
environment. Exchange Server 2016 requires many changes to Active Directory
through schema updates, and it introduces new objects and adds many parameters to
existing objects. Exchange Server 2016 has the following Active Directory
requirements:
At least one domain controller that is also a global catalog server in the same site must be Windows Server 2008 or higher.
Read-only domain controllers and read-only global catalogs in the same Active Directory site are ignored by Exchange Server 2016. Because of this, a conventional writable domain controller and global catalog must exist in the AD site.
Active Directory forest and domain functional modes must be at least Windows Server
2008 to install Exchange Server 2016. To verify that they are, follow these steps:
1. Sign in to a domain controller as a domain administrator.
2. In Server Manager, select Tools ⇨ Active Directory Domains And Trusts.
3. Right-click the domain in the left pane and choose Properties.
4. On the General tab of the properties dialog box, look for Domain functional level and Forest functional level; both appear in the lower half of the screen, as shown in Figure 7.2.
Figure 7.2 Checking the domain and forest functional levels
If the forest or domain functional level is not Windows Server 2008 or higher, it must
be raised before Exchange is installed.
Although installing Exchange Server 2016 on a domain controller is a supported
scenario, Microsoft strongly recommends not doing so for a number of reasons.
Performance and security are enhanced when Exchange Server 2016 is installed on a
member server. Once Exchange is installed, that server cannot be promoted to a
domain controller or demoted to a member server. When Exchange is installed on a
domain controller, that server must be configured as a global catalog because
Exchange will not use any other domain controller. However, in this configuration,
Name Service Provider Interface (NSPI) services are provided by the global catalog
functionality and not by the Exchange Server NSPI component, which causes loss of
functionality for features such as address book policies. Finally, this combined server
cannot be a member of a supported DAG configuration.
Operating System Prerequisites
The prerequisites are the same for Windows Server 2012 R2 and Windows Server
2012. This quick start guide assumes you will be preparing Active Directory for
Exchange Server 2016 from the first server you install Exchange Server 2016 on.
To install the Exchange Server 2016 prerequisites for Windows Server 2012 R2 or
Windows Server 2012, follow these steps:
1. Open an administrative instance of PowerShell by right-clicking its icon and selecting Run As Administrator.
2. Run the following command (entered as a single line):
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
Once you press Enter, the server will install the required roles and features and then
automatically restart. Note that it is normal to see yellow warning text scroll by while
this code is running, showing that a reboot is required.
NOTE Operating system components that are Exchange Server 2016 prerequisites can
also be installed during the command-line setup with the /InstallWindowsComponents
switch. Only the .NET Framework and UCMA need to be installed separately.
After you reboot the computer, run the following command to enable preparing Active
Directory from the Exchange Server computer:
Install-WindowsFeature RSAT-ADDS
Next, locate the following add-in components from the Microsoft Download website
and install them in the following order:
1. Microsoft .NET Framework 4.5.2.
2. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
Installing Exchange Server 2016
The installation of the Exchange Server 2016 Mailbox role requires an account with
specific permissions. Installation must be performed with an account that has
membership in the following groups:
Domain Admins
Schema Administrators (first server)
Enterprise Administrators (first server)
During the installation, the Active Directory schema will be extended with attributes
necessary for Exchange Server 2016, which is why the Schema Administrators group
membership is required. A more detailed explanation of the Exchange Server 2016
installation, including the command-line procedure, is presented in Chapter 10,
“Installing Exchange Server 2016.”
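The functional-level check and the server and account assumptions listed earlier in this chapter can be verified in one read-only pass before Setup touches the forest. This is an added example, not code from the book; it assumes the ActiveDirectory PowerShell module is available and that it runs in an elevated session on the intended Exchange server, and `Add-Check` is a helper defined here for illustration.

```powershell
# Added example (not from the book): read-only pre-flight checks before Exchange Setup.
# Assumptions: the ActiveDirectory module is installed and the session is elevated.
Import-Module ActiveDirectory -ErrorAction Stop

$forest     = Get-ADForest
$domain     = Get-ADDomain
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$results    = New-Object System.Collections.Generic.List[object]

# Hypothetical helper: records the outcome of one check.
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# Forest and domain functional levels must be Windows Server 2008 or higher.
$tooLow      = 'Windows2000', 'Windows2003Interim', 'Windows2003'
$forestLevel = "$($forest.ForestMode)" -replace 'Forest$', ''
$domainLevel = "$($domain.DomainMode)" -replace 'Domain$', ''
Add-Check 'Forest functional level >= 2008' ($tooLow -notcontains $forestLevel) $forestLevel
Add-Check 'Domain functional level >= 2008' ($tooLow -notcontains $domainLevel) $domainLevel

# Win32_ComputerSystem.DomainRole: 3 = member server, 4 and 5 = domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
Add-Check 'Server is a member server, not a DC' ($role -eq 3) "DomainRole=$role"

# A connected IPv4 interface that still uses DHCP contradicts the static-IP assumption.
$dhcpNics = @(Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and $_.Dhcp -eq 'Enabled' })
Add-Check 'Static IPv4 address' ($dhcpNics.Count -eq 0) (($dhcpNics.InterfaceAlias) -join ', ')

# Exchange ignores read-only DCs, so the local site needs a writable global catalog.
# Only domain controllers of the current domain are enumerated here.
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$gcs  = @(Get-ADDomainController -Filter * |
    Where-Object { $_.Site -eq $site -and $_.IsGlobalCatalog -and -not $_.IsReadOnly })
Add-Check "Writable global catalog in site $site" ($gcs.Count -gt 0) (($gcs.HostName) -join ', ')

# Group membership is tested by well-known RID against the current logon token, so
# renamed groups still match. In a non-elevated session these SIDs are deny-only and
# do not appear in the token; a group added after logon needs a fresh logon.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }
$required = [ordered]@{
    'Domain Admins'     = "$($domain.DomainSID.Value)-512"
    'Schema Admins'     = "$($rootDomain.DomainSID.Value)-518"
    'Enterprise Admins' = "$($rootDomain.DomainSID.Value)-519"
}
foreach ($group in $required.GetEnumerator()) {
    Add-Check "Token contains $($group.Key)" ($tokenSids -contains $group.Value) $group.Value
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'Resolve the failed checks before running Exchange Setup.'
}
```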
At this point, you're ready to install Exchange Server 2016. You can use the GUI to
install Exchange, or you can use the command line. Each approach has its advantages.
First, let's look at the GUI-based installation.
GUI-Based Installation for Mailbox Server Role
Download or mount the Exchange Server 2016 installation media (you can right-click
an .iso file and select Mount to have Windows treat it as a virtual CD or DVD),
navigate to the root of the folder, and run setup.exe.
Once the Exchange Setup process starts, the first thing you will see is the option to go
online and check for updates for the installer, as shown in Figure 7.3. Once updates
are downloaded (if any are found), Setup will copy files and prepare other tasks
necessary for the installation. Once these tasks are done, you'll see the introduction
screen. This screen contains links to the TechNet documentation, supported
languages, and the Exchange Server 2016 Deployment Assistant. Click Next to move
on to the license agreement. Accept it and click Next to move on.
Figure 7.3 Checking for updates
On the next screen, choose whether to send usage feedback to Microsoft and (more
importantly) check for additional data online when errors occur. Choose an option and
click Next to move on to the meat of the installation: the Server Role Selection screen,
shown in Figure 7.4. Because this is the first Exchange Server 2016 server in the
organization, you don't have the option to select only the Management tools; you
must select one of the two server roles.
Figure 7.4 Select the server role
If you have not already manually installed the prerequisites, you can check the option
to install them. This also serves as a confirmation that you've gotten the prerequisites
installed properly. Even though you can install them here, it's recommended that you
install them ahead of time to make sure you can run Windows Update to fix any bugs
or problems. Click Next to move on.
Your next chore is to accept the default installation location or select a new location.
For a test environment, this may not matter much. This screen also allows you to
confirm that you have sufficient free space in your chosen folder. Once you make a
selection, click Next to move on, as shown in Figure 7.5. If you want to change the
path for the installation, click Browse, specify the appropriate folder, and then click
OK. Click Next.
Figure 7.5 Choosing the installation location
Because this is the first Exchange Server 2016 server in your organization, you are
presented with the Exchange Organization screen (Figure 7.6). Type a name for your
Exchange organization. This can be any name, such as your company name. The
Exchange organization name can contain only the following characters:
Letters A through Z, uppercase or lowercase
Numbers 0 through 9
Space (not leading or trailing)
Hyphen or dash
Figure 7.6 Organization name
The organization name can't be more than 64 characters long and can't be blank. Note
that once you enter the Exchange organization name, you will not be able to modify it.
When you've finished typing the name, click Next.
Exchange Server 2016 includes built-in malware screening that is enabled by default.
If for some reason you feel the need to turn this off, choose that option on the next
screen. Click Next to move on.
On the Readiness Checks screen, the setup routine will take some time to inspect the
system to verify that Exchange can be successfully installed. This is based on the
settings you've chosen, the rights of the user account, and the operating system
prerequisites.
If Exchange finds everything in order, this is your last chance to stop before making
modifications to your Active Directory forest. Exchange even warns you that this is the
point of no return:
Setup is going to prepare the organization for Exchange Server 2016 by using
‘Setup /PrepareAD.’ No Exchange Server 2010 and Exchange Server 2013 server
roles have been detected in this topology. After this operation, you will not be
able to install any Exchange Server 2010 or Exchange Server 2013 server roles.
This is expected; it's simply a notice that legacy versions of Exchange can't be installed
after Exchange Server 2016 is installed into an organization. If you need to test
Exchange Server 2016 coexistence with Exchange Server 2010 or Exchange Server
2013, install the earlier versions first.
View the status of the remaining items to determine whether the organization and
server-role prerequisite checks completed successfully. If they have not completed
successfully, you must resolve any reported errors before you can install Exchange
Server 2016. After resolving an error, click Retry to rerun the prerequisite checks.
However, some conditions may require you to quit Setup and run it again at a later
time.
If all the other readiness checks have completed successfully, click Install to install
Exchange Server 2016. The Setup program will display the Progress screen, which will
show you each step of the process, as well as the outcome. Once the installation
process is finished, the Setup Completed screen will display.
At this point, you can click the link shown in Figure 7.7 to pull up the current list of
post-installation tasks, select the check box to launch Exchange Administration
Center, or do neither. Whatever you choose, click Finish to exit the installer.
Figure 7.7 The Setup Completed screen
At some point, be sure to run Windows Update to install any critical updates that may
now be required. Even if you are not prompted, reboot the server to complete the
installation of Exchange Server 2016.
Command-Line Installation for Mailbox Server Role
As mentioned earlier, you can also install Exchange Server 2016 from the command
line. The setup routine allows you to specify all necessary parameters in one line,
thereby avoiding having to click through a GUI. You do, however, need to
manually prepare the Active Directory forest and domain in a separate step.
To install your first Exchange Server 2016 server from the command line, open a
command prompt with administrative privileges and navigate to the DVD drive or the
directory where installation files are located. From there, use the following
commands:
Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms /OrganizationName:"<OrganizationName>"
Setup.exe /mode:install /role:Mailbox /IAcceptExchangeServerLicenseTerms
To find out more of the options available, run the following command:
Setup.exe /h:install
When the setup routine finishes, reboot the server as prompted. Once these steps are
completed, continue with the rest of the configuration, as explained in the next
section.
Command-Line Installation for Edge Transport Server Role
The Exchange Server 2016 Edge Transport server role can be installed from a GUI and
from the command line. The installation steps in a GUI are similar to those for a
Mailbox server role, where you choose the Edge Transport server role instead of the
Mailbox server role.
To install the Exchange Server 2016 Edge Transport server role from the command
line, you should log on to the server as a local administrator because the Edge
Transport server role should be installed on a computer that is a workgroup member.
The steps needed to install the Edge Transport server role are as follows:
1. Open a PowerShell session with the appropriate administrative rights.
2. Run the Install-WindowsFeature cmdlet to install Active Directory Lightweight Directory Services (AD LDS):
Install-WindowsFeature ADLDS
3. From the Microsoft Download Center, download and install the .NET Framework 4.5.2 supplemental component:
https://www.microsoft.com/en-us/download/details.aspx?id=42642
4. Open a command prompt with administrative privileges and navigate to the DVD drive or the directory where the installation files are located. From there, use the following command:
Setup.exe /mode:install /role:EdgeTransport /IAcceptExchangeServerLicenseTerms
5. Finally, in order to synchronize the Edge Transport server role to the Mailbox server role, perform the following steps:
To create the Edge subscription file, on the Edge Transport server role, run the following command:
New-EdgeSubscription -FileName C:\Edge1.xml
Copy the subscription file to a folder on the Mailbox server role—for example, C:\Edge\.
To import the Edge Subscription file Edge1.xml and to subscribe the Edge Transport server to the Active Directory site named Default-First-Site-Name, on the Mailbox server role, run the following command (entered as a single line):
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\Edge\Edge1.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"
To start the synchronization between the Mailbox server role and the Edge Transport server role, on the Mailbox server role, run the following command:
Start-EdgeSynchronization
Post-installation Configuration Steps
Once the server has rebooted, take a few minutes to verify that things are working the
way they should. If you didn't look at the setup log at the end of the installation,
review it now. It's located at <systemdrive>\ExchangeSetupLogs\ExchangeSetup.log.
Look for errors and warnings.
Next, open the Exchange Management Shell and use the Get-ExchangeServer cmdlet to
obtain information about installed roles. Here is an example:
Get-ExchangeServer | FT Name,ServerRole -auto
The output of this command will list installed roles for the Exchange server. You
should see Mailbox listed under ServerRole.
Next, let's take a look using Event Viewer for any signs of problems. In Server
Manager, select Tools ⇨ Event Viewer. Navigate to Windows Logs ⇨ Application. Look
for errors and warnings that may indicate a problem. It's common to see warnings
about various processes that haven't yet had a chance to complete.
When you're sure that the installation has been successful, you can move on to
post-installation configuration. We'll start with the Exchange Admin Center. To open that,
open Internet Explorer (IE) and enter the following URL:
https://servername/ecp
Accept any certificate warnings from the default self-signed certificate (you shouldn't
see any if you're running IE from the same server you are connecting to), enter your
credentials, and wait for the EAC to come up.
Final Configuration
Now that you're logged into the EAC, finish the steps necessary for the final basic
configuration.
Configuring the Offline Address Book
First, configure an Offline Address Book (OAB) on the default mailbox database. The
OAB, which Outlook uses when running in Cached mode, contains a copy of the global
address list. Use the following steps to associate the default OAB with the mailbox
databases:
1. In the left pane, click Servers.
2. In the middle pane, click Databases.
3. Select the default mailbox database.
4. Click the pencil icon to edit the database properties.
5. On the left side of the property window, click Client Settings.
6. Click Browse next to Offline Address Book.
7. Click OK, and then click Save.
You can do the same in the Exchange Management Shell using both the
Get-MailboxDatabase and Set-MailboxDatabase cmdlets together:
Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook "\Default Offline Address Book"
Setting SMTP Domains
By default, Exchange Server 2016 configures a default accepted domain and email
address policy using the fully qualified domain name of the Active Directory domain
into which you installed. If you need to add a new SMTP domain, you can do so from
the EAC:
1. In the left pane, click Servers.
2. In the middle pane, click Accepted Domains.
3. Click the + (Add) icon to create a new accepted domain.
4. Give the accepted domain a display name and an SMTP domain name for which Exchange will receive email.
5. Click Authoritative Domain to indicate that Exchange is responsible for delivering email for that domain in the Exchange organization.
6. Click Save.
7. Select the newly created accepted domain.
8. Click the pencil icon to edit the properties of the accepted domain.
9. Select the Set As Default check box.
10. Click Save.
You can accomplish the same thing in the Exchange Management Shell using the
New-AcceptedDomain cmdlet and the Set-AcceptedDomain cmdlet together:
New-AcceptedDomain -Name yourdomain `
-DomainName *.yourdomain `
-DomainType authoritative |
Set-AcceptedDomain -MakeDefault $true
Email address policies define how email addresses are assigned to recipients within
the organization. Configure one for your new domain using these steps in the EAC:
1. In the left pane, click Servers.
2. In the middle pane, click Email Address Policies.
3. Click the + (Add) icon to create a new email address policy.
4. Give the policy a name and an SMTP domain name for which Exchange will receive email.
5. Enter a name for the policy.
6. Under Email Address Format, click the + (Add) icon to create the email format.
7. Choose the new accepted domain from the pull-down list.
8. Select your chosen email address format.
9. Click Save to close the Email Address Format window.
10. Click Save to close the Email Address Policy window. Accept the warning.
11. Select the new address policy.
12. In the right pane, click Apply.
13. At the warning, click Yes.
14. Click Close once the policy has been applied.
As with all the previous configuration settings, you can use the Exchange
Management Shell to make these changes using the New-EmailAddressPolicy and
Update-EmailAddressPolicy cmdlets together:
New-EmailAddressPolicy -Name Contoso `
-EnabledPrimarySMTPAddressTemplate "SMTP:%g.%[email protected]" `
-IncludedRecipients AllRecipients -Priority 1 |
Update-EmailAddressPolicy
Enabling External Mail Flow
In order for mail to flow into and out of the new Exchange organization, you need to
modify the default connectors. The Send connector is an object that holds
configuration information on how Exchange servers can send email from the
organization. By default, there are no Send connectors.
Create a new Send connector to handle all outbound traffic from the EAC:
1. In the left pane, click Servers.
2. In the middle pane, click Send Connectors.
3. Click the + (Add) icon to create a new Send connector.
4. Give the connector a name, such as Default Internet.
5. Under Type, select Internet.
6. Click Next.
7. Accept the default network settings to allow your Exchange server to perform its own DNS lookups, and click Next.
8. Under Address Space, click the + (Add) icon to create the default address space.
9. Under Fully Qualified Domain Name, enter * (an asterisk). Click Save.
10. Click Next.
11. Under Source Server, click the + (Add) icon. Ensure the new Exchange server is selected, click Add, and then click OK.
12. Click Finish.
To accomplish this in the Exchange Management Shell, use the New-SendConnector
cmdlet:
New-SendConnector -Name "Default Internet" `
-AddressSpaces "*" -DNSRoutingEnabled $true `
-SourceTransportServers "MBX1" -Usage Internet
In a lab environment, it is common to pass all outgoing messages to a designated
smart host rather than rely on looking up MX records for the target domains through
DNS resolution. If this is the case in your lab, change the Send connector settings to
use a smart host instead of DNS resolution.
A Receive connector is just the opposite of a Send connector. Receive connectors hold
the configuration information for how Exchange will receive mail. This can include
mail from client machines as well as from the Internet and other Exchange servers.
When Exchange Server 2016 is installed, multiple Receive connectors are created.
Those associated with the client access services are proxy connectors. The Default
Frontend Receive connector on each Exchange server is configured to receive email
from the Internet from anonymous senders. Again, you must either configure external
servers to forward messages sent to your test Exchange domains on to your Exchange
mail servers or establish the appropriate MX records in DNS for your lab domains.
Testing the Configuration
You now have a significant portion of the configuration finished in Exchange. You can
test Exchange using some built-in PowerShell cmdlets. To begin, start the Exchange
Management Shell and type Test-Mailflow. Check the results in the
TestMailflowResult column. It should say Success.
Next, test MAPI client connectivity using Test-MAPIConnectivity. You should see
Success under Result for each database.
You can verify that all necessary Exchange-related services are running by using
Test-ServiceHealth. The output of this cmdlet breaks down the services needed for each of
the installed server roles. If everything is running correctly, you should see True for
each of the RequiredServicesRunning results.
Creating an SSL Certificate
In a production environment, using a third-party trusted Secure Sockets Layer (SSL)
certificate to secure client and server communications is highly recommended. When
Exchange Server 2016 is installed, Exchange installs a self-signed certificate that is
valid for five years. This is perfectly fine for testing in a lab environment. When
testing Exchange using Outlook on the web, for example, you will be presented with a
screen indicating that the security certificate was not issued by a trusted certificate
authority if you connect from another machine. You can ignore these warnings during
testing.
Creating a certificate request and installing a new certificate are outside the scope of
this chapter. See Chapter 21, “Understanding the Client Access Services,” for more
details.
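The setup-log review, the anonymous Default Frontend Receive connector, and the self-signed certificate described above can be inventoried together once the server is up. The following is an added example, not code from the book, meant to be run in the Exchange Management Shell; it assumes Setup marks log entries with `[ERROR]` and `[WARNING]` tags, and the variable names are illustrative.

```powershell
# Added example (not from the book): post-installation exposure review.
# Run in the Exchange Management Shell on the new server. Read-only.

# 1. Setup log: collect entries tagged as errors or warnings.
#    Assumption: Setup marks such lines with [ERROR] or [WARNING].
$log = "$env:SystemDrive\ExchangeSetupLogs\ExchangeSetup.log"
$logFindings = @()
if (Test-Path $log) {
    $logFindings = @(Select-String -Path $log -Pattern '\[(ERROR|WARNING)\]' |
        Select-Object LineNumber, Line)
}

# 2. Receive connectors that accept anonymous senders, and whether the anonymous
#    principal may also submit to any recipient (relay beyond accepted domains).
$anonymous = 'NT AUTHORITY\ANONYMOUS LOGON'
$connectorReport = foreach ($rc in Get-ReceiveConnector) {
    if ("$($rc.PermissionGroups)" -notmatch 'AnonymousUsers') { continue }
    $relayAce = $rc | Get-ADPermission -User $anonymous |
        Where-Object {
            "$($_.Deny)" -ne 'True' -and
            $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient'
        }
    [pscustomobject]@{
        Connector      = "$($rc.Identity)"
        Bindings       = ($rc.Bindings -join ', ')
        RemoteIPRanges = ($rc.RemoteIPRanges -join ', ')
        AnonymousRelay = [bool]$relayAce
    }
}

# 3. Certificates: which services still use a self-signed certificate, and when
#    each certificate expires.
$certReport = Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, IsSelfSigned, Services, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }

"Setup log entries to review: $($logFindings.Count)"
$logFindings     | Select-Object -First 20 | Format-Table -Wrap
$connectorReport | Format-Table -AutoSize
$certReport      | Format-Table -AutoSize
```

In a lab the self-signed entries are expected; on a server that will receive Internet mail, a connector reported with AnonymousRelay set to True should be reviewed before the MX records are published.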
Entering the Product Key
You don't have to enter a product key in order to test Exchange Server 2016. However,
if you do have a product key and would like to enter it into the server, it's very simple
to do using these steps:
1. In the left pane, click Servers.
2. In the middle pane, click Servers.
3. In the right pane, click Enter Product Key.
4. Enter the digits for the product key.
5. When finished, click Save.
As with any other configuration, you can set the product key using the Exchange
Management Shell with the Set-ExchangeServer cmdlet and the -ProductKey
parameter:
Set-ExchangeServer -Identity '<server>' -ProductKey <productkey>
Testing Outlook on the Web
You can also test Outlook on the web, the web-based email client for Exchange Server
2016:
1. Open a web browser and type https://<servername>/owa.
2. If you receive a server warning, click Continue To This Website (Not Recommended) at the certificate prompt.
3. Enter the domain and username for the Administrator account, which is automatically mailbox-enabled during setup, and enter a password. Click OK.
4. Set your language and time zone, and click OK.
You will be logged into Outlook on the web, and you can test mailbox and ECP
functionality. As mentioned earlier, because you're using an internal certificate,
features that require a certificate will yield a certificate prompt first if you are using a
machine other than the server. In all cases, you can click Continue To This Website
(Not Recommended) to continue testing.
Configuring Recipients
Exchange Server 2016 has various types of recipients, including mailboxes,
distribution groups, and contacts. Mailboxes can be further broken down, and that is
explained elsewhere in this book. We'll focus on creating mailbox-enabled users and
mail contacts.
Mailbox-enabled users are Active Directory accounts that have a mailbox located in
Exchange. Take these steps to create a mailbox-enabled user from the EAC:
1. In the left pane, click Recipients.
2. In the middle pane, click Mailboxes.
3. Click the + (Add) icon to create a new mailbox.
4. Give the new mailbox an alias.
5. Select New User and fill in the account name details.
6. Provide the User Logon Name (typically, the same as the alias) and select the appropriate UPN suffix (typically, the same as the primary SMTP domain).
7. Type in the password and password confirmation.
8. Click Save.
Creating mailbox-enabled users for the existing Active Directory accounts in the
Exchange Management Shell is quite simple; you'll use the Enable-Mailbox cmdlet to
enable an existing user account:
Enable-Mailbox -Identity TestUser
Mail-enabled users are Active Directory accounts that do not have a mailbox located in
Exchange but do have an external email address. They are usually assigned to users
who work in your company for the short term, such as consultants, part-time workers,
and interns. Take these steps to create a mail-enabled user from the EAC:
1. In the left pane, click Recipients.
2. In the middle pane, click Contacts.
3. Click the + (Add) icon and then choose Mail User.
4. Give the new user an alias.
5. Select New User and fill in the account name details.
6. Provide the User Logon Name (typically, the same as the alias) and select the appropriate UPN suffix (typically, the same as the primary SMTP domain).
7. Type in the password and password confirmation.
8. Click Save.
Mail-enabled contacts are objects in the global address list that represent external
recipients, such as vendors or clients. Take these steps to create a new mail-enabled
contact:
1. In the left pane, click Recipients.
2. In the middle pane, click Contacts.
3. Click the + (Add) icon to create a new contact.
4. Fill in the contact name details.
5. Give the new contact an alias.
6. Provide the external email address associated with the contact.
7. Click Save.
Creating a mail contact in the Exchange Management Shell is quite simple using the
New-MailContact cmdlet:
New-MailContact -Name "TestContact" -ExternalEmailAddress "[email protected]"
To create a distribution group in the EAC, follow these steps:
1. In the left pane, click Recipients.
2. In the middle pane, click Groups.
3. Click the + (Add) icon to create a new distribution group.
4. Fill in the group display name and alias.
5. Under Members, click the + (Add) sign, select the mail-enabled recipients to be members of the new group, click Add, and click Save.
6. Click Save.
You can accomplish both creating a distribution group and adding members in one
line of code in the Exchange Management Shell using something like this:
New-DistributionGroup -Name "GroupName" |
Add-DistributionGroupMember -Member "User"
Configuring a Postmaster Address
A postmaster address is needed to send nondelivery reports (NDRs) and other related
messages to recipients outside the Exchange organization, and it is required by RFC
2821. Configuring your environment takes two steps. First, either create a new
mailbox for the postmaster or assign the address to an existing mailbox, such as
Administrator. Second, use the Exchange Management Shell to set the external
postmaster address in Exchange. To do so, open the Exchange Management Shell and
execute the Set-TransportConfig cmdlet with the -ExternalPostmasterAddress
parameter, using the following format:
Set-TransportConfig -ExternalPostmasterAddress <ExternalPostmasterSMTPAddress>
Here's an example:
Set-TransportConfig -ExternalPostmasterAddress [email protected]
The Bottom Line
Quickly size a typical server. Using a properly equipped server for testing can
yield a much more positive experience than using a poorly equipped one. Taking
the time to obtain the right hardware will avoid problems later.
Master It What parameters must be kept in mind when sizing a lab/test
server?
Install the necessary Windows Server 2012 or Windows Server 2012 R2
prerequisites. Certain settings must be configured before Exchange Server 2016
is installed.
Master It What is involved in installing and configuring the prerequisites?
Install an Exchange Server 2016 server. You should provide a basic, bare-bones
server for testing and evaluation.
Master It What installation methods can be used to install Exchange Server
2016?
Configure Exchange to send and receive email. Your new Exchange server
should interact with other email systems.
Master It What are the configuration requirements for sending and receiving
email?
Configure recipients, contacts, and distribution groups. Add mailbox-enabled
users, mail-enabled contacts, and distribution groups to Exchange.
Master It How are recipients created, and what's the difference between them?
Chapter 8
Understanding Server Roles and Configurations
Exchange Server 2016, similarly to Exchange Server 2013, 2010, and 2007, provides a
role-based installation procedure. This procedure provides only two server-role
choices: the Mailbox server role and the Edge Transport server role. As discussed in
previous chapters, the former Client Access, Hub Transport, and Unified Messaging
server role functionalities from Exchange Server 2007 and 2010 and the Client Access
role functionalities from Exchange Server 2013 have now been rolled into the Mailbox
server role, providing a simplified installation process and deployment architecture.
This chapter will discuss the server roles, their preferred deployment options, and the
components installed with each role.
IN THIS CHAPTER, YOU WILL LEARN TO:
Understand the importance of server roles
Understand the Exchange Server 2016 server roles
Explore server role configurations
The Roles of Server Roles
Although the concept of roles is not new, the number of roles available in Exchange
Server 2016 has changed from previous versions. In Exchange Server 2007 and
Exchange Server 2010, you had five roles to select from during installation: Mailbox,
Hub Transport, Client Access, Unified Messaging, and Edge Transport. In Exchange
Server 2013, the number of roles was reduced to three: Mailbox, Client Access, and
Edge Transport; in Exchange 2016, it has been reduced to only two, Mailbox and Edge
Transport. All of the components of the Client Access role, Hub Transport role, and
Unified Messaging role in Exchange 2010 and all the components in the Client Access
server in Exchange 2013 have been stripped down and placed into the Mailbox server
role.
A key benefit of having role-based installation has always been the ability to segregate
or separate Exchange Server functionalities onto separate servers. Maximizing the
usage of server resources has traditionally been a driver for architects designing
Exchange Server messaging solutions, and role-based installation has been used as a
solution to achieve a more optimal design. Virtualization solutions have provided an
alternative solution to use these hardware resources appropriately. In time, the need
to segregate Exchange Server roles has become less relevant and beneficial, which has
resulted in the new Exchange Server architecture. Furthermore, the Microsoft
preferred architecture for Exchange Server 2013 deployment had suggested that both
the Client Access and Mailbox roles be collocated on each server in an Exchange
organization. This preferred architecture resulted in the integration of those two roles
in a single Mailbox server role in Exchange Server 2016.
The Edge Transport role retained similar functionality as in previous editions, acting
as an SMTP gateway between the Internet and the internal network, located in the
perimeter network, and providing SMTP routing, transport rules, anti-malware, and
antispam functionality.
The Seeds of Server Roles
The concept of an Exchange Server role is not new. Microsoft officially introduced
the concept in Exchange Server 2007, and it's been carried over to Exchange
Server 2016.
During installation, you are prompted to choose which server roles a particular
Exchange server will provide. Figure 8.1 shows the screen that you will see if you
choose a custom setup of Exchange Server 2016. You are prompted for which server
roles you need to install.
Figure 8.1 Selecting the Exchange Server 2016 roles
There are some clear and important advantages to this approach, such as the
following:
It has a simplified architecture, also known as a single building block architecture.
Server configuration complexity is reduced.
It is a cost-effective solution because there are fewer servers, which means fewer
licenses.
Because there are fewer servers, it has a lower management cost.
The load is distributed between multiple servers with the same role, which
increases scalability and high availability.
Exchange Server 2016 Server Roles
Now, let's take a look at the specific Exchange Server 2016 roles you may find in your
organization.
Mailbox Server
The Mailbox server role is at the center of the Exchange Server 2016 universe. The
functionalities of the deprecated Client Access, Hub Transport, and Unified Messaging
roles in Exchange Server 2010 have been moved to the Mailbox server role. The
Mailbox server hosts all the services that process and store the data. The Mailbox
server also hosts the logic that routes a specific protocol request to the protocol
destination point. Moreover, users are always connected to client access services
running on the Mailbox server. Client access services on the Mailbox server proxy the
user request to the active mailbox database copy that hosts the user's mailbox. The
client request is always processed by the protocol instance that is local to the active
mailbox database copy that hosts the user's mailbox.
This section will cover the common Mailbox role functionality that is similar to legacy
versions of Exchange, as well as the substantial changes that have been introduced in
Exchange Server 2016 to the Mailbox role.
Where Are Active and Passive Clustered Mailboxes?
If you have worked with Exchange Server 2007, you may be wondering where the
Active Clustered Mailbox and Passive Clustered Mailbox server roles are. They are
no longer necessary: clustering can be achieved after installation because the
concept of a clustered mailbox server no longer exists as it did in previous
versions. This concept is achieved through the implementation of database
availability groups (DAGs) and relies on the Failover Clustering feature built into
Windows Server 2012 and Windows Server 2012 R2.
Mailbox Databases
Just as in previous versions of Exchange Server, the Mailbox server role hosts mailbox
databases. The mailbox database can be replicated to other Mailbox servers when the
Mailbox server is a member of a DAG, just as in Exchange Server 2010 and Exchange
Server 2013.
If you have worked with Exchange Server 2007 or 2010, you will notice that unlike in
those versions, you can no longer create public folder databases. Beginning with
Exchange Server 2013 and continuing in Exchange Server 2016, public folders are
stored within a public folder mailbox. End users now connect to a public folder
mailbox to retrieve public folder content. This means that public folder high
availability is based on mailbox database replication and not on the
all-too-troublesome public folder replication.
Transport Services
Mail delivery (even mail going from one mailbox on a local database to another
mailbox on the same database) is routed through Transport services on the Mailbox
server. This is a major change from Exchange Server versions 2007 and 2010, which
used the services on the Hub Transport server to deliver email messages. Three
Transport services are created when the Mailbox role is installed: Transport service,
Front End Transport service, and Mailbox Transport service. Mailbox Transport
service consists of Mailbox Transport Submission service and Mailbox Transport
Delivery service, which will be discussed later in this chapter.
Let's quickly see how these services handle email messages. When an email message
is sent to a recipient on a different Mailbox server in a different delivery group, the
message is picked up by the Mailbox Transport Submission service on the source
server and passed to the Transport service on the destination server that is located on
the least-cost route. Then, the Transport service submits the message to the Mailbox
Transport Delivery service on the destination server, and then finally, the email
message is written to the mailbox database.
Mail Routing
Mail routing is now a responsibility of servers running the Mailbox role. The client
access services on a Mailbox server provide proxy services for inbound and outbound
email messages. During the installation of the Mailbox server role, three default
receive connectors that are associated with the Microsoft Exchange Front End Transport
service are created. One of the receive connectors that is created during installation
listens over port 25 and is configured with proper permissions to accept email
messages from the Internet.
On the Mailbox server, the Microsoft Exchange Front End Transport service still
listens on port 25 and the Microsoft Exchange Transport service listens on port 2525.
Unified Messaging
Another major change starting in Exchange Server 2013 and continuing in Exchange
Server 2016 in the Mailbox role is that it is now responsible for all of the Unified
Messaging features. In fact, the services that were installed on the Unified Messaging
role for an Exchange Server 2007 or 2010 server are now installed on the Mailbox role
for Exchange Server 2016. It should be noted that the client access service is the first
service in the communication path for all inbound calls or Session Initiation Protocol
(SIP) requests for Unified Messaging. However, once the traffic passes through the
client access service, the Mailbox server receives unified communication and
establishes the RTP and SRTP channels with the IP PBX or VOIP gateway.
On the Mailbox role, the client access services also play an integral part of Unified
Messaging. The Microsoft Exchange Unified Messaging Call Router service now runs
on the Mailbox servers and is responsible for redirecting SIP traffic from an incoming
call to a Mailbox server.
Memory Allocation
Memory allocation for database cache has been tweaked in Exchange Server 2016.
When looking at memory consumption in Exchange Server 2007 and Exchange Server
2010, the Information Store would consume, by far, the largest portion of the
available memory. Memory consumption in Exchange Server 2016 servers running the
Mailbox role compared to Exchange Server 2010 is very different. The Mailbox server
reserves 25 percent of the total RAM for database cache. Memory allocation in
Exchange Server 2016 is based on the following:
Total amount of memory
Total number of active databases
Total number of passive databases
The max number of active databases
Essentially, the Exchange server looks at its memory requirements and then ensures
that the most important process running on the server has enough resources available
to function effectively.
When the Information Store service is started, a worker process and database cache are
allocated per database. Based on the state of a database being active or passive, the
amount of RAM allocated to the database cache will vary. An active copy of a mailbox
database will use all of the allotted database cache. A passive database copy will use
only 20 percent of the allocated database cache. Let's use this example:
The mailbox server has 100 GB of RAM.
Ten mailbox database copies exist on this server.
Five mailbox database copies are active and five mailbox database copies are
passive.
Because 25 percent of the available memory is allocated to the database cache, the
total amount of memory allocated for the database cache is 25 GB. This means that
each database is allocated 2.5 GB of the database cache. Each passive copy uses only
20 percent of the allocated database cache; therefore, the passive databases have a
database cache of 512 MB.
If at any point a passive copy becomes activated, the database cache for that database
copy will change from 512 MB to 2.5 GB.
Because the database cache is determined when the Information Store service is
started, you must restart the Information Store service when a new database is added
to an Exchange server. (The requirement for a service restart after a new database is
created was introduced in Exchange Server 2013, and it is a direct result of the new
database cache-allocation scheme.) This includes the creation of a new database or the
addition of a passive copy of a mailbox database. You'll see the warning message
shown in Figure 8.2 when a new database is added to a Mailbox server.
Figure 8.2 The warning message when a new database is added to a Mailbox server
Note that this is only a warning message and does not indicate an immediate problem.
Performance issues may arise in the future if the Information Store service is not
restarted and a new mailbox database becomes populated with a large number of
mailboxes.
The formula used to determine memory sizing is as follows:
Active database cache allocated = (total server memory) × 25% ÷ (number of
maximum allowed active databases + [(total number of databases on a server) –
(number of maximum allowed active databases)] × 20%)
If the number of maximum allowed active databases is not set, then the maximum
allowed active databases will equal the total number of databases on a server.
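The sizing formula above, written as a PowerShell function and run against the 100 GB, ten-copy scenario from this section. This is an added example, not code from the book; the function name, parameter names, and the second scenario (a maximum of five active databases) are assumptions made for illustration, and the function makes no Exchange calls.

```powershell
# Added example: the cache-sizing formula from this section as a function.
# Names are illustrative; this is not an Exchange cmdlet.
function Get-DatabaseCacheEstimate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65536)][double]$TotalMemoryGB,
        [Parameter(Mandatory)][ValidateRange(1, 1000)][int]$TotalDatabaseCopies,
        # 0 means the maximum number of allowed active databases is not set.
        [ValidateRange(0, 1000)][int]$MaximumActiveDatabases = 0,
        # Copies currently active; -1 means unknown (skip the in-use estimate).
        [ValidateRange(-1, 1000)][int]$ActiveCopies = -1
    )

    # If the maximum is not set, it equals the total number of databases.
    $maxActive = $MaximumActiveDatabases
    if ($maxActive -eq 0 -or $maxActive -gt $TotalDatabaseCopies) {
        $maxActive = $TotalDatabaseCopies
    }
    if ($ActiveCopies -gt $maxActive) {
        throw "ActiveCopies ($ActiveCopies) exceeds the maximum allowed active databases ($maxActive)."
    }

    # 25 percent of total RAM is reserved for database cache.
    $poolGB = $TotalMemoryGB * 0.25
    # Copies beyond the active maximum can only ever be passive (20 percent each).
    $alwaysPassive = $TotalDatabaseCopies - $maxActive
    $activeGB  = $poolGB / ($maxActive + $alwaysPassive * 0.20)
    $passiveGB = $activeGB * 0.20

    # Cache actually in use for the current active/passive split, if known.
    $inUseGB = $null
    if ($ActiveCopies -ge 0) {
        $passiveNow = $TotalDatabaseCopies - $ActiveCopies
        $inUseGB = [math]::Round($ActiveCopies * $activeGB + $passiveNow * $passiveGB, 2)
    }

    [pscustomobject]@{
        CachePoolGB        = [math]::Round($poolGB, 2)
        MaxActiveUsed      = $maxActive
        ActiveCopyCacheGB  = [math]::Round($activeGB, 2)
        PassiveCopyCacheMB = [math]::Round($passiveGB * 1024, 0)
        CacheInUseGB       = $inUseGB
    }
}

# Scenario from the text: 100 GB RAM, ten copies, five active, maximum not set.
Get-DatabaseCacheEstimate -TotalMemoryGB 100 -TotalDatabaseCopies 10 -ActiveCopies 5

# Constructed scenario: same server with the active maximum capped at five.
Get-DatabaseCacheEstimate -TotalMemoryGB 100 -TotalDatabaseCopies 10 `
    -MaximumActiveDatabases 5 -ActiveCopies 5
```

Comparing the two results shows why the maximum matters: with it unset, each copy is sized as if all ten could be active, so the five passive copies leave part of the 25 GB pool unused, while capping the maximum at five raises the per-copy allocation.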
Services
On an Exchange Server 2016 server that is dedicated to providing Mailbox server
functionality, you will find quite a few Exchange services running. The Exchange
Server 2016 Mailbox server services are as follows:
Microsoft Exchange Active Directory Topology/MSExchangeADTopology/ADTopologyService.exe
Locates Active Directory domain controllers and global catalog servers, and provides
Active Directory topology information to Exchange Server services. Most Exchange
Server services depend on this service; if it does not start, the Exchange server will
probably not function.
Microsoft Exchange Anti-spam Update/MSExchangeAntispamUpdate/Microsoft.Exchange.AntispamUpdateSvc.exe
This service is responsible for updating antispam signatures.
Microsoft Exchange Compliance Audit/MSComplianceAudit/ComplianceAuditService.exe
This service is responsible for Microsoft Exchange Compliance Auditing.
Microsoft Exchange Compliance Service/MSExchangeCompliance/MSExchangeCompliance.exe
This service acts as a host for the compliance service.
Microsoft Exchange DAG Management/MSExchangeDAGMgmt/MSExchangeDAGMgmt.exe
This service provides storage management and database layout management
functionality for mailbox servers in a database availability group.
Microsoft Exchange Diagnostics/MSExchangeDiagnostics/Microsoft.Exchange.Diagnostics.Service.exe
Uses an agent to monitor the health of the Exchange server.
Microsoft Exchange EdgeSync/MSExchangeEdgeSync/Microsoft.Exchange.EdgeSyncSvc.exe
Keeps recipient and configuration data up-to-date when an Edge server is subscribed to
the same AD site of which the Mailbox server is a member.
Microsoft Exchange Frontend Transport/MSExchangeFrontEndTransport/MSExchangeFrontendTransport.exe
Provides SMTP proxy for inbound and outbound email messages from/to the
Internet.
Microsoft Exchange Health Manager/MSExchangeHM/MSExchangeHMHost.exe
Monitors the health and performance of key services on the Exchange server.
Microsoft Exchange IMAP4/MSExchangeImap4/Microsoft.Exchange.Imap4Service.exe
Authenticates the connection and passes the request to the appropriate Mailbox server.
This service is set to manual by default.
Microsoft Exchange IMAP4 Backend/MSExchangeIMAP4BE/Microsoft.Exchange.Imap4Service.exe
Provides IMAP4 clients with access to Exchange Server mailboxes. This service retrieves
IMAP4 requests from the client access services. This service is set to manual by
default.
Microsoft Exchange Information Store/MSExchangeIS/store.exe
The Information Store is the actual Exchange database engine (also known as ESE).
This service manages the mailbox databases. If the store.exe service does not start,
databases will not be mounted.
Microsoft Exchange Mailbox Assistants/MSExchangeMailboxAssistants/MSExchangeMailboxAssistants.exe
Handles background processing functions for Exchange Server mailboxes.
Microsoft Exchange Mailbox Replication/MSExchangeMailboxReplication/MSExchangeMailboxReplication.exe
This service is responsible for mailbox moves.
Microsoft Exchange Mailbox Transport Delivery/MSExchangeDelivery/MSExchangeDelivery.exe
Accepts email messages from the Transport service and delivers the email messages to
the mailbox.
Microsoft Exchange Mailbox Transport Submission/MSExchangeSubmission/MSExchangeSubmission.exe
Pulls the email messages from a mailbox and finds the best Transport service to which
to send the message.
Microsoft Exchange Notifications Broker/MSExchangeNotificationsBroker/Microsoft.Exchange.Notification.Broker.exe
Generates and routes Exchange notifications to local and remote Exchange
processes.
Microsoft Exchange POP3/MSExchangePop3/Microsoft.Exchange.Pop3Service.exe
Authenticates the client connection and passes the request to the appropriate
Mailbox server. This service is set to manual by default.
Microsoft Exchange POP3 Backend/MSExchangePOP3BE/Microsoft.Exchange.Pop3Service.exe
Receives POP3 requests from the client access services. Once the request is processed,
the Mailbox server provides access to the mailbox over POP3. The service startup type
is manual by default.
Microsoft Exchange Replication/MSExchangeRepl/msexchangerepl.exe
Provides the Continuous Replication service to copy log files from an active database
to a server that hosts a passive copy of the database.
Microsoft Exchange RPC Client Access/MSExchangeRPC/Microsoft.Exchange.RpcClientAccess.Service.exe
Handles the RPC connections for the Exchange server.
Microsoft Exchange Search/MSExchangeFastSearch/Microsoft.Exchange.Search.Service.exe
Handles content indexing and queuing of Exchange Server data.
Microsoft Exchange Search Host Controller/HostControllerService/hostcontrollerservice.exe
Provides service management and deployment for applications on the local host.
Microsoft Exchange Server Extension for Windows Server Backup/wsbexchange/wsbexchange.exe
Allows the Windows Server Backup utility to back up and restore Exchange Server data.
Microsoft Exchange Service Host/MSExchangeServiceHost/Microsoft.Exchange.ServiceHost.exe
Provides a service host for Exchange Server components that do not have their own
service. These include components such as configuring Registry and virtual directory
information.
Microsoft Exchange Throttling/MSExchangeThrottling/MSExchangeThrottling.exe
Handles the limits on the rate of user operations to prevent any single user from
consuming too many server resources.
Microsoft Exchange Transport/MSExchangeTransport/MSExchangeTransport.exe
Handles SMTP connections from Edge, client access services, Submission and
Delivery services, and other SMTP connection points.
Microsoft Exchange Transport Log Search/MSExchangeTransportLogSearch/MSExchangeTransportLogSearch.exe
Handles the remote search capabilities for the Exchange Server transport log files.
Microsoft Exchange Unified Messaging/MSExchangeUM/umservice.exe
Handles UM requests from client access services. This service is responsible for
unified communication to the Exchange server.
Microsoft Exchange Unified Messaging Call Router/MSExchangeUMCR/Microsoft.Exchange.UM.CallRouter.exe
Provides call-routing features.
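One way to check a Mailbox server against the defaults stated in the service list above: the POP3 and IMAP4 services are manual by default, and the Active Directory Topology and Information Store services must be running. This is an added example, not code from the book; the function name and the sample records are constructed, and the input is assumed to have the Name, State, and StartMode properties that Get-CimInstance Win32_Service returns.

```powershell
# Added example (not from the book). Input objects need Name, State and
# StartMode properties, the shape Get-CimInstance Win32_Service returns.
function Test-ExchangeServiceBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Service,
        # Per the list: without AD Topology the server will probably not
        # function; without the Information Store, databases are not mounted.
        [string[]]$MustBeRunning = @('MSExchangeADTopology', 'MSExchangeIS'),
        # Per the list: these services are set to manual by default.
        [string[]]$ManualByDefault = @('MSExchangeImap4', 'MSExchangeIMAP4BE',
                                       'MSExchangePop3', 'MSExchangePOP3BE')
    )

    # @{} compares keys case-insensitively, as Windows does for service names.
    $byName = @{}
    foreach ($s in $Service) { $byName[$s.Name] = $s }

    foreach ($name in $MustBeRunning) {
        $s = $byName[$name]
        if (-not $s) {
            [pscustomobject]@{ Service = $name; Severity = 'Critical'
                               Finding = 'Service not found in the input' }
        }
        elseif ($s.State -ne 'Running') {
            [pscustomobject]@{ Service = $name; Severity = 'Critical'
                               Finding = "State is $($s.State); expected Running" }
        }
    }

    foreach ($name in $ManualByDefault) {
        $s = $byName[$name]
        if (-not $s) { continue }   # absent or filtered out: nothing to review
        # Disabled or stopped/manual is at or below the default exposure.
        if ($s.StartMode -eq 'Auto' -or $s.State -eq 'Running') {
            [pscustomobject]@{ Service = $name; Severity = 'Review'
                               Finding = "StartMode=$($s.StartMode), State=$($s.State); " +
                                         'default is Manual. Confirm this protocol is required' }
        }
    }
}

# Constructed sample records standing in for a live query.
$sample = @(
    [pscustomobject]@{ Name = 'MSExchangeADTopology'; State = 'Running'; StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'MSExchangeIS';         State = 'Stopped'; StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'MSExchangeImap4';      State = 'Running'; StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'MSExchangeIMAP4BE';    State = 'Running'; StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'MSExchangePop3';       State = 'Stopped'; StartMode = 'Manual' }
    [pscustomobject]@{ Name = 'MSExchangePOP3BE';     State = 'Stopped'; StartMode = 'Manual' }
)
Test-ExchangeServiceBaseline -Service $sample | Format-Table -AutoSize

# Live use on an Exchange server (assumes the service names begin with MSExchange):
# Test-ExchangeServiceBaseline -Service (
#     Get-CimInstance Win32_Service -Filter "Name LIKE 'MSExchange%'")
```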
Client Access Services
Since Exchange Server 2007, the responsibilities of the Client Access role have
changed dramatically from version to version. The common thread between the
Exchange Server 2010 Client Access role and the Exchange Server 2013 Client Access
role was that it provided most of the interface for accessing email data. In Exchange
Server 2016, when a user connects to their mailbox, the connection from the client is
established to client access services on a Mailbox server. The client access services on
the Mailbox server role will authenticate the request, locate the mailbox, and proxy or
redirect the client request to the appropriate Mailbox server. Client access services are
also responsible for parts of mail routing and Unified Messaging. Microsoft made this
change to simplify the deployment and management of Exchange Server 2016. Instead
of having multiple server roles acting as an entry point for a variety of services, the
client access services on the Mailbox server handle client requests, mail flow, and phone
calls.
The client access services coordinate all communication between clients. The
functions of the client access services include:
Supporting connections from Outlook MAPI over HTTP, which is the default
protocol in Exchange Server 2016.
Supporting connections from Outlook Anywhere clients (RPC over HTTP).
Supporting connections from web clients by using Outlook on the web (named
Outlook Web App in Exchange Server 2013 and Outlook Web Access in Exchange
Server 2010 and older versions).
Supporting connections from mobile devices using Microsoft ActiveSync
technology.
Supporting connections from POP3 and IMAP4 clients.
Proxying SMTP messages for inbound and outbound email to/from the
Internet.
Supporting connections from other Exchange Web Services (EWS) applications.
Proxying connections from various email clients to the relevant Exchange Server
Mailbox server.
Serving as an initial communication point for inbound calls and faxes.
Proxying or redirecting connections from external Outlook MAPI over HTTP,
Outlook Anywhere, Offline Address Book, Exchange Web Services, Outlook on the
web, or Exchange ActiveSync clients to Client Access servers in other Active
Directory sites. During the upgrade, different Exchange Server versions exist in the
same organization, which is called a coexistence scenario. During the coexistence,
DNS should be configured to connect all types of clients (except MAPI-RPC in
Exchange Server 2010) to Exchange Server 2016. The actual mechanics of the
connection depend on the client that is being used and the location of the mailbox:
If an Outlook on the web user's mailbox is on an Exchange Server 2010 server,
DNS should be configured to connect a user to Exchange Server 2016. Once the
user connects to Exchange 2016, the client access services on Exchange Server
2016 proxy or redirect the user to the Exchange Server 2010 CAS or 2013
Mailbox server role, based on the external URL set on the OWA virtual
directory.
If an OWA user's mailbox is on an Exchange Server 2013 or Exchange Server
2010 server and the external URL on that server matches the external URL on
the Exchange Server 2016 server, the Exchange Server 2016 client access
services proxy the request to an Exchange Server 2013 or Exchange Server 2010
server running the CAS role in the same AD site the mailbox is in.
If an OWA user's mailbox is on an Exchange Server 2013 or Exchange Server
2010 server and the external URL on that server does not match the external
URL on the Exchange Server 2016 server, the Exchange Server 2016 client
access services redirect the request to the external URL set on the Exchange
Server 2013 or Exchange Server 2010 server.
If an ActiveSync user's mailbox is on an Exchange Server 2013 or 2010 server
and the external URL on that server matches the external URL on the Exchange
Server 2016 server, the Exchange Server 2016 client access services proxy the
request to an Exchange Server 2013 or 2010 server running the CAS role in the
same AD site that the mailbox is in.
If an Outlook Anywhere user's mailbox is on an Exchange Server 2013 or 2010
server and the external URL on that server matches the external URL on the
Exchange Server 2016 server, the Exchange Server 2016 client access services
proxy the request to an Exchange Server 2013 or 2010 server running the CAS
role in the same AD site that the mailbox is in.
Reverse Proxy in the Perimeter Network
If your organization is going to allow external clients (Outlook on the web, mobile
phones, Outlook MAPI over HTTP, Outlook Anywhere) to connect to your
Exchange servers from the Internet, a common question is whether the reverse
proxy server or a reverse proxy device should be deployed in the perimeter or
DMZ (demilitarized zone) network. Some organizations use third-party proxy
servers since Microsoft TMG Server 2010 has been discontinued, but Microsoft
also instructs customers that a reverse proxy is not necessarily needed.
While it can sometimes be tempting to place a reverse proxy in the DMZ, especially
since Microsoft has discontinued the Forefront Threat Management Gateway,
there are better approaches to this problem. One solution that is picking up steam
is to not place pre-authentication or a reverse proxy to accept inbound connections
from the Internet. Although a firewall appliance would still be placed in front of
the Exchange servers, once the traffic goes through the firewall appliance, the
packets would be sent directly to the Exchange servers. Before your chin hits the
table, Microsoft has been diligent over the years in securing Exchange Server
services out of the box. This might not be the right approach for all organizations,
but it is worth considering.
How Many Mailbox Servers Do I Need?
Organizations now have a simpler way to plan their Exchange Server 2016
deployments. Because only one Exchange Server role is located in the internal
network (the Mailbox server role), organizations should estimate how many
Mailbox server roles are needed in their organization and in which sites servers
should be deployed. You can estimate the number of Mailbox server roles by
using the Exchange Server Role Requirements Calculator
(https://gallery.technet.microsoft.com/Exchange-2013-Server-Role-f8a61780).
Note that the calculator supports Exchange Server 2016, even though the URL
contains the name Exchange 2013.
The location of Mailbox server roles depends on multiple factors such as:
Dispersed user population in different regions and number of the users
located in different regions
Organization's need for distributed administration and security permissions
Organization's need for site resilience
Organization's need for addressing different disaster recovery scenarios
You should keep up with Microsoft's current recommendations for sizing because
they change over time.
Edge Transport Server
The Edge Transport server role, as in previous Exchange Server versions, is located in
the perimeter network and is responsible for managing all inbound and outbound
Internet mail flow for your Exchange organization. Furthermore, the Edge Transport
server role provides anti-malware and antispam protection and transport rules that
manage the mail flow.
The Edge Transport server is not a domain member. The Edge server hosts AD LDS
(Active Directory Lightweight Directory Services), which synchronizes information
with Active Directory that is relevant for message transport, such as send connectors
and recipient information. This data is synchronized to the Edge Transport server by
the Microsoft Exchange EdgeSync service (EdgeSync).
Organizations might choose to install multiple Edge Transport servers for high
availability and scalability.
Services
On an Exchange Server 2016 server that is dedicated to providing Edge Transport
functionality, you will find some different Exchange services compared to the Mailbox
server role. The Exchange Server 2016 Edge Transport server services are as follows:
Microsoft Exchange ADAM/ADAM_MSExchange/dsamain.exe -sn MSExchange
ADAM (Active Directory Application Mode) provides AD LDS (Active Directory
Lightweight Directory Services) for the Edge Transport server role.
Microsoft Exchange Anti-spam Update/MSExchangeAntispamUpdate/Microsoft.Exchange.AntispamUpdateSvc.exe
This service is responsible for updating antispam signatures.
Microsoft Exchange Credential Service/MSExchangeEdgeCredential/Microsoft.Exchange.EdgeCredentialSvc.exe
This service is the Microsoft Exchange Credential service.
Microsoft Exchange Diagnostics/MSExchangeDiagnostics/Microsoft.Exchange.Diagnostics.Service.exe
Uses an agent to monitor the health of the Exchange server.
Microsoft Exchange Health Manager/MSExchangeHM/MSExchangeHMHost.exe
Monitors the health and performance of key services on the Exchange server.
Microsoft Exchange Service Host/MSExchangeServiceHost/Microsoft.Exchange.ServiceHost.exe
Provides a service host for Exchange Server components that do not have their own
service. These include components such as configuring Registry and virtual directory
information.
Microsoft Exchange Transport/MSExchangeTransport/MSExchangeTransport.exe
Handles SMTP connections from Edge, Client Access server, Submission and
Delivery services, and other SMTP connection points.
Microsoft Exchange Transport Log Search/MSExchangeTransportLogSearch/MSExchangeTransportLogSearch.exe
Handles the remote search capabilities for the Exchange Server transport log files.
Possible Role Configurations
There are many possible configurations for Exchange Server 2016; unfortunately,
there is no magic formula that will help you determine the exact number of servers
you will need and the roles those servers should host—well, at least not a simple
formula. Knowing exactly when to scale Exchange Server 2016 from a single server to
multiple mailbox servers depends on a lot of factors:
Server roles that your organization requires. Note that all Exchange Server
organizations require at least one Mailbox server.
The number of simultaneous users who will be using the system and their usage
profile (light, average, heavy).
The number of messages sent and received per hour and the average size of those
messages.
An organization's high-availability requirements.
The distribution of your users (across various offices) as well as the WAN link
speeds and latency between the offices.
The number of transport rules, journaling rules, daily messaging records
management events, daily archiving, and other Exchange Server features that are
required.
Any third-party products that place additional transport, mailbox, or I/O load on
the server, such as discovery, compliance, antivirus, antispam, archiving, or mobile
devices.
You might need to add server roles in a situation where you need to scale server
configuration by ensuring that only specific server roles reside on a single Windows
server.
Number of Mailbox Servers Deployed
For many companies, a single Windows Server 2012 R2 running Exchange Server 2016
with the Mailbox server role will be just fine depending on their usage patterns and
number of simultaneous users. A company with only a few hundred users will fit
perfectly well on a single server. However, this scenario is valid only for companies
that do not have business requirements for high availability. These companies accept
the possibility that in the event of a failure, they would work without email while
Exchange Server is recovered from backup. Companies that need high availability
would deploy at least two servers configured in a DAG.
When properly configured with sufficient memory, disk capacity, and CPU resources,
the Mailbox server can easily support your user base, provided you don't overload the
server and you have good disaster-recovery documentation. The disaster-recovery
documentation is important because if the server ever has to be rebuilt, all server
components have to be recovered at the same time.
Exchange Server 2016 and Domain Controllers Coexisting
In almost no circumstances do we recommend installing Exchange Server 2016
on the same machine as a domain controller. Too many problems have arisen in
every previous version of Exchange Server. Troubleshooting one or the other
becomes more difficult when both Exchange Server and Active Directory are
hosted on the same Windows server. We certainly see the logic that can be
applied when buying server hardware, though.
For a company that supports only 50 mailboxes (and does not want to use a
legacy Small Business server), it seems foolish to purchase two separate physical
machines that will both be very lightly loaded. (Keep in mind that in those
scenarios, Microsoft recommends a deployment of Office 365 to meet the needs
of the company.)
For example, a company had 50 users and no business requirement for high
availability; at any given time only about 30 of those users were using the email
server. With the help of their consultant, they decided to use a host Windows
Server 2012 R2 x64 operating system while running a domain controller on one
Hyper-V virtual machine and the Exchange Server 2016 server on a different
Hyper-V virtual machine. This kept the applications separated on different
operating systems but did not require them to purchase two physical servers. A
third Hyper-V machine was configured to run SharePoint and an additional web
application and to act as their file/print server. The actual physical machine
running these three guest operating systems had a dual quad-core processor and
128 GB of physical memory.
Scaling Exchange Server 2016 Roles
If you have determined that you can't address your organization's performance
requirements with the initial number of Exchange Server Mailbox roles in a DAG, you
will need to continue adding Mailbox server roles to multiple Windows servers. This
will usually be because you need to scale to support a larger user load than the current
number of servers can provide or you're using a virtualization solution that can't meet
current sizing requirements.
One of the biggest design decisions organizations will face with Exchange Server 2016
deployments is the placement of roles. Each organization is different, but the process
to determine the best approach for Exchange Server 2016 deployments is simple.
Planning for each Exchange Server 2016 component is covered in its respective
chapter, but proper planning based on the user types, technical requirements, and
business requirements will drive the way Exchange Server 2016 is deployed within
your organization. In most organizations, you must evaluate the impact on a server's
resources, as well as the overall impact of where servers are deployed and whether
roles must coexist.
For example, take an organization that needs to support 4,000 mailboxes and requires
high availability for the Mailbox server role. In this example, the organization has
purchased four servers, where each server has been sized to support up to 2,000 active
mailboxes. By installing the Mailbox role on the four servers, the organization can
place 1,000 mailboxes on each server and add all the Mailbox servers to the same
DAG. This approach allows the organization to withstand the failure of two servers
before reaching the 2,000-mailbox limit per server.
The preceding is a straightforward example of role placement. In more complex
environments, the options aren't always as cut and dried. As organizations look to
streamline server deployments by using the same hardware or by requiring all servers
to be virtualized, many Exchange Server administrators find themselves between a
rock and a hard place when it comes to role placement. Should you scale out and
segregate the servers? Should you tell the customer not to virtualize and buy physical
servers that can support the Mailbox server role? Frequently, a company's IT strategy
doesn't align with the best deployment option. In these situations, you should provide
the customer with two project plans. Each project plan should contain the pros, cons,
and the overall costs of each design.
The Bottom Line
Understand the Exchange Server 2016 server roles. Exchange Server 2016
supports two unique server roles. The features of all the roles (except the Edge
Transport role) in Exchange Server 2007, 2010, and 2013 have been moved to the
Mailbox server role in Exchange Server 2016. The Mailbox server handles much
more in Exchange Server 2016 than just the Exchange Server database engine. The
Mailbox role now handles Unified Messaging, Client Access, and Transport
services.
The Client Access server role functionalities in Exchange Server 2013 are now part
of the Mailbox server role. Client access services in Exchange 2016 hold a lot of
key responsibilities. Client access services in Exchange 2016 are still the endpoint
for most of the protocols in the organization, such as SMTP, HTTP, and RTP. The
main functions of the client access services are to authenticate an incoming
request, locate the next hop for the request, and proxy or redirect the request to
the next hop.
Master It Which Exchange server role provides access to the mailbox database
for Outlook on the web and Outlook clients?
Explore possible server role configurations. Server role number and
placement can be designed to meet most organizational and configuration
requirements.
For small organizations that do not need high availability, one server that hosts
the Mailbox role will suffice, provided it has sufficient hardware even if it needs to
support 500 or more mailboxes. Companies that need high availability will deploy
at least two mailbox server roles in a DAG. Companies that need high availability
but for some reason (such as budget constraints) are not able to provide high
availability might choose to migrate to Office 365.
We do not recommend installing Exchange Server 2016 on a domain controller.
All server roles can be virtualized. Depending on the client load, Mailbox servers
may also be virtualized as long as you remain within Microsoft's support
boundaries. It is important to size out your Exchange Server 2016 deployment
before committing to a virtual or physical server deployment.
Master It Your company has approximately 400 mailboxes. Your users require
only basic email services (email, shared calendars, Outlook, and Outlook on the
web). You already have two servers that function as domain controllers/global
catalog servers. What would you recommend to support the 400 mailboxes?
Chapter 9
Exchange Server 2016 Requirements
When you're planning for your Exchange Server 2016 installation, you need to make
sure you have all the necessary prerequisites. As part of your preparation, you need to
make sure you have the operating system and Active Directory prerequisites (software
versions, patches, updates) and any required permissions. If you are upgrading from a
previous version of Exchange Server, you must make sure you are at the right version
and service pack for all your existing servers.
In this chapter, we will make sure you are aware of all these requirements so that
when you are ready to install Exchange Server 2016, you will breeze through the
installation quickly and without interruption.
IN THIS CHAPTER, YOU WILL LEARN TO:
• Use the right hardware for your organization
• Configure Windows Server 2012 R2 and Windows Server 2012 to support
  Exchange Server 2016
• Confirm that Active Directory is ready
• Verify that previous versions of Exchange Server can interoperate with Exchange
  Server 2016
Getting the Right Server Hardware
When you're looking at any manufacturer's hardware specifications, one of the things
you can depend on is that the specs will provide the minimum recommendations
necessary to run the product. However, Microsoft has learned that recommending a
minimum configuration often yields unhappy customers; this is why when Microsoft
suggests hardware configurations, you will typically see two: minimum and
recommended.
The minimum hardware configuration works just fine if you are building a test lab or
a classroom environment. But for production environments, you'll want to make sure
your hardware can support a typical everyday workload. If running in a
high-availability scenario, you have to ensure that in the event of a server failure, servers
that are up and running can continue to work with the increased utilization. In this
section, we will make some recommendations that are partially based on our own
experiences and partially based on Microsoft's best practices.
Note that hardware configuration can vary quite a bit depending on the server's role
and its workload. You may be supporting a single server with 100 mailboxes or a
multiple-server infrastructure with 100,000 mailboxes. You should plan to
comfortably support your maximum expected load and allow some room for growth.
Your planning process will require making decisions according to your company's
business requirements.
Hardware Foundations: Stability, Configuration, and Management
Ensuring that your Exchange servers function reliably and efficiently entails
several key factors: correctly configured software, proper management, and
properly planned and sized hardware, networks, and storage. If you fail to get any
one of these right, the result will be poor performance, downtime, data loss, and
unhappy users.
Windows hardware stability and compatibility are probably the most important
factors in your choice for a server platform. These include not only the server
model itself but also the components you will be using, such as network adapters
and any third-party software. Selecting a stable hardware platform and vendor can
be critical to a successful implementation.
Many vendors may be available to you. You should consider local support,
service-level agreements, quality, and performance when you select a vendor.
Choose a server model that will provide you with the card slots and available disk
drives. When evaluating server models, make sure the server model is near the
beginning of its model life rather than near the end. It is not uncommon to
purchase a server through a discount outlet that is near or at the end of its model
life.
As you build your Windows servers, make sure you are running reasonably recent
versions of all supporting software, such as device drivers, and that the operating
system is patched. Plan accordingly for physical deployments or virtual
deployments (discussed in Chapter 4, “Virtualizing Exchange Server 2016”).
You will also want to implement a comprehensive management strategy. You can
monitor some of your Exchange Server deployments by using built-in tools, such
as Performance Monitor, Resource Monitor, and Event Viewer. After you have
deployed Exchange Server in your environment, a number of different Exchange
Server–specific objects and counters will be available in Performance Monitor.
These counters can provide an abundance of data you can use to tune your
deployment.
Other tools from Microsoft that you may be able to access include System Center
Operations Manager and System Center Configuration Manager. It is worth
noting that Exchange Server and the System Center tools are designed to work
together, and one dovetails into the other as part of a comprehensive
management solution.
You may have researched and chosen to implement one of the many third-party
network and application-monitoring tools. Some of these tools may be supplied
by your systems vendor, while others are stand-alone applications. Prior to
making any purchases, you will want to research those applications, including
talking with your peers in Exchange Server user groups and various web forums.
Regardless of the management tools you choose to implement, a solution is only
as good as the information you can draw from the data. Bad or incomplete data
can lead to poor decisions about your configuration—and that leads to dissatisfied
users. Monitor your systems over time, and tune them for optimum performance.
The Typical User
If you have worked with more than one organization, you have probably reached the
same conclusion we have: no two Exchange Server organizations are exactly alike.
Even businesses within the same industry can have dramatically different usage
patterns based on slightly different business practices.
Where does this put the poor hapless person in charge of figuring out how much
hardware to buy and how much capacity that hardware should have? If you are
currently running an earlier version of Exchange Server, at least you have a leg up
over other people.
You can use tools, such as Performance Monitor, to measure the number of messages
sent and received per day and disk IOPS (Input/Output Operations Per Second).
Microsoft has done a lot of research in this area and has published some statistics on
what they consider to be light, average, heavy, very heavy, and extra heavy Outlook
users. They have also calculated that the average email message is 50 KB in size. Table
9.1 shows how Microsoft has defined each type of user.
Table 9.1 Microsoft Outlook User Types
User Type      Messages Sent per Day    Messages Received per Day
Light          5                        20
Average        10                       40
Heavy          20                       80
Very heavy     30                       120
Extra heavy    40                       160
Just relying on emails sent and received may not give you the best estimate of the
hardware capacity required. We will talk about other factors throughout the book, but
here we'll just list some factors that can adversely affect performance:
• Email archiving
• Mobile device users (a BlackBerry can place a load four times higher on a server
  than that of a typical Outlook user)
• Antivirus scanning
• Messaging records management
• Transport rules
• Database replication
CPU Recommendations
Exchange Server 2016 runs only on Windows Server 2012 R2 and Windows Server
2012 and, therefore, only on hardware (physical or virtualized hardware) that is
capable of supporting the x64 processor extensions. The primary benefit of 64-bit
processing is the ability to take advantage of larger amounts of both virtual and
physical memory. The processor should be at least 1.6 GHz, although you will
certainly benefit from processors faster than 2 GHz as well as multicore processors.
The processor must be one of the following:
• Intel Xeon or Intel Pentium x64 that supports the Intel 64 architecture (formerly
  known as EM64T)
• AMD Opteron 64-bit processor that supports the AMD64 platform
The Intel Itanium IA64 processor family is not supported.
For the Mailbox server role, similar to Exchange Server 2013, Microsoft recommends
a server with a minimum of 2 processor cores and maximum of 24 processor cores.
However, compared to Exchange Server 2013, processor requirements are increased
based on the number of messages sent and received per mailbox per day, which is
shown in Table 9.2.
Table 9.2 Processor Recommendations Based on Number of Messages Sent or
Received per Mailbox per Day
Messages Sent and Received    Mcycles per User, Active     Mcycles per User,
per Mailbox per Day           DB Copy or Stand-Alone       Passive DB Copy
50                            2.99                         0.70
100                           5.97                         1.40
150                           8.96                         2.10
200                           11.94                        2.80
250                           14.93                        3.50
300                           17.91                        4.20
350                           20.90                        4.90
400                           23.88                        5.60
450                           26.87                        6.30
500                           29.85                        7.00
This may seem like a lot of processor power—and in some ways, it is—but remember
that an Exchange Server 2016 server does a lot more than servers did in previous
versions of Exchange Server. For example, on a Mailbox server role, not only are
the database engine, web components, and message transport running, but
components such as transport rules, messaging records management, mailbox
archival, and client access functions are also running.
If you have worked with Exchange Server in the past, you may also note that the CPU
recommendations for Exchange Server 2016 are similar to the Exchange Server
2013 Mailbox role and are higher than in Exchange Server 2010. If you are planning to
use existing server hardware, consult your manufacturer's documentation for specific
information on the processors and cores.
If you are not sure whether your existing hardware supports the x64 extensions, you
can check this in a number of ways, including confirming it with the hardware vendor.
If the computer is already running Windows, you can use third-party software that
will check your processor.
Notice in the CPU report information that this particular chip supports a variety of
instruction sets, the most important being EM64T, Intel's 64-bit extension to the Intel
32-bit instruction set.
The Disappearance of the Client Access Role
One of the significant changes to Exchange Server 2016 is the removal of the
Client Access role as a separate role. If you are still running Exchange Server
2010, you will notice that the Client Access, Hub Transport, and Unified
Messaging roles are not available as separate roles anymore. The functionality of
the Client Access role from Exchange Server 2013 and Client Access, Hub
Transport, and Unified Messaging roles in Exchange Server 2010 have been
retained, but they are now located in the Mailbox server role.
All access to mailbox content is now handled through the Client Access services
running on the Mailbox server role (see the sidebar “The Disappearance of the Client
Access Role”). Mobile devices, web clients, Outlook clients, POP3, and IMAP4 clients
go through the client access services. One significant change to the client environment
is that in Exchange Server 2010, the Outlook client connected to Exchange Server
using MAPI, while Outlook Anywhere connected to the Client Access server role via
RPC over HTTPS. In Exchange Server 2016, both internal and external Outlook users
will use the MAPI over HTTPS protocol as the default, while Outlook Anywhere is still
supported.
The number of processors required on a Mailbox server mostly depends on the total
number of simultaneous users, the protocol they use, and the messages sent and
received per day. According to Microsoft, a dedicated Mailbox server with sufficient
memory and a four-processor-core server should be able to support 2,000+ mailboxes.
Microsoft estimates a factor for calculating CPU requirements is one CPU core for
each 1,000 mailboxes; this guideline is based on some assumptions about the usage
profiles of those 1,000 users. In this case, Microsoft assumes that 750 of those are
active and heavy-usage mailboxes. Sizing your mailbox servers for 10 to 20 percent
more capacity than you think you are going to need is a good practice.
A number of factors affect CPU requirements, including the usage profile of the
typical user and the concurrency rate (the percentage of your users who are accessing
the server at any given time). If you are planning to support 2,000 very heavy users
who use Outlook 90 percent of the day, you may need more CPU capacity. Factors that
affect mailbox server CPU requirements include the following:
• Number of simultaneous users and usage profile
• Email archiving processes
• Mobile device usage
Memory Recommendations
As mentioned previously, the advantage Exchange Server gets out of the x64
architecture is the ability to access more physical memory. Additional physical
memory improves caching, reduces the disk I/O profile, and allows for the addition of
more features.
Microsoft recommends a minimum of 8 GB of RAM in each Exchange Mailbox server
role and a minimum of 4 GB of RAM in each Exchange Edge Transport server role.
The amount of memory needed in production depends on the roles the server is
supporting; for the Mailbox server role, it is recommended that it not be higher than
96 GB. Although Microsoft's minimum RAM recommendation for any server hosting
the Mailbox role is 8 GB, we strongly recommend a minimum of 12 GB based on
calculated requirements (12 GB should be adequate based on an 8-GB base, a message
volume of 100 messages per day for 600 users, and rounded up). Once you have
calculated the minimum amount of RAM that you require for the server, if you are
configuring a Mailbox server, you will need to add some additional RAM for each
mailbox. This amount will depend on either your user community's estimated
message profile or the mailbox size. In other words, you should calculate the memory
requirement based on not only the usage profile of your users but also the mailbox
size; then use the larger of these two calculations. Let's start with the amount of
memory required based on usage profiles. Table 9.3 shows the additional memory
required based on the number of mailboxes supported. The user profiles were defined
previously in Table 9.1. The general rule from Microsoft is 3 MB of RAM for every 50
messages sent or received daily.
Table 9.3 Additional Memory Factor for Mailbox Servers
User Profile    Per-mailbox Memory Recommendation
Light           Add 1.5 MB per mailbox
Average         Add 3 MB per mailbox
Heavy           Add 6 MB per mailbox
Very heavy      Add 9 MB per mailbox
Extra heavy     Add 12 MB per mailbox
Next, let's look at the recommendations based on the mailbox size. Table 9.4 shows
Microsoft's per-mailbox memory recommendations for mailboxes of different sizes.
Table 9.4 Memory Required Based on Mailbox Size
Mailbox Size               Per-mailbox Memory Recommendation
Small (0 to 1 GB)          Add 2 MB per mailbox
Medium (1 to 3 GB)         Add 4 MB per mailbox
Large (3 to 5 GB)          Add 6 MB per mailbox
Very large (5 to 10 GB)    Add 8 MB per mailbox
Extra large (10 GB+)       Add 10 MB per mailbox
So, for example, a server handling a Mailbox server role should have 8 GB of memory
plus the additional RAM per mailbox shown in Table 9.3 or the memory shown in
Table 9.4 (whichever is larger). Let's do the calculations for a simple organization. If
the Mailbox server is supporting 1,000 mailboxes and it is estimated that 500 of the
users are average (1.75 GB of RAM if assuming 4 MB per mailbox) and 500 are heavy
users (2.5 GB of RAM if assuming 6 MB per mailbox), the server should have about 12
GB of RAM. For good measure, we would recommend going with 16 GB of RAM so
that there is additional RAM just in case it is needed.
However, when we perform an additional calculation based on mailbox size, we may
arrive at a different amount of RAM. Of the 1,000 mailboxes that this server supports,
400 of these users have an average mailbox size that is in excess of 10 GB, whereas
the remainder of the mailboxes average around 6 GB. This will require 4 GB of RAM
(400 times 10 MB per mailbox) for the extra-large mailboxes and about 5 GB of RAM
(600 times 8 MB per mailbox) for the very large mailboxes. That is a total of about 12
GB of RAM.
So in this case, going with at least 12 GB to 16 GB of RAM for mailbox caching would
definitely be a good design decision. Remember that these RAM estimates are just
that—estimates. Additional factors (message hygiene software, continuous replication,
email archiving, and so on) may require more or less RAM (usually more) than the
calculations and recommendations here. For example, antivirus and antispam
software on Mailbox servers can place a significant burden on RAM. Microsoft has
released the Exchange Server Role Requirements Calculator, which supports both
Exchange Server 2016 and Exchange Server 2013 and can be useful when estimating
RAM requirements; see this article on the Exchange Team Blog for more information:
http://blogs.technet.com/b/exchange/archive/2015/10/15/exchange-server-role-requirements-calculator-update.aspx
Network Requirements
With earlier versions of Exchange Server, recommending network connectivity speeds
was often a gray area because of the variety of networking hardware that most
organizations were using. Essentially, not everyone had a Gigabit Ethernet backbone
for their servers. Today, however, Gigabit Ethernet is present in most datacenters at
least for the datacenter backbone.
So, a recommendation is pretty simple. All Exchange Server 2016 servers should be on
a Gigabit Ethernet backbone. Will Exchange Server 2016 work on a 100 Mbps
network? Sure, it will, but you will get the best results in even a medium-sized
network if you are using Gigabit Ethernet.
All of the “client-to-server” communication traffic now takes place between the client
(usually Outlook) and the Mailbox server.
If you are planning to implement database availability groups (DAGs) between two or
more Exchange Server 2016 Mailbox servers, Microsoft recommends that each server
should have only one network adapter installed. The network adapter will be used for
both production LAN communications and for replication of the Information Stores.
Even in large environments with multiple servers and dozens of databases in a DAG,
consider using one network adapter per server that will be used for both replication
and for client and server network connections.
If you are planning to put DAG members on a separate physical network to facilitate
site resiliency, the maximum network latency between members should not exceed
500 milliseconds (ms), and there must be sufficient bandwidth to keep up with the
volume of replication traffic.
Disk Requirements
When you're calculating disk requirements for some applications, deciding that a
single 500 GB hard disk will solve your storage needs is easy. You might be tempted to
think the same thing about Exchange Server.
With earlier versions of Exchange Server, getting the disk requirements sized correctly
could be a bit tricky. That is not to say that doing so cannot still be tricky with
Exchange Server 2016. This is because sizing a disk is not just a matter of figuring out
how much storage capacity you need. Physical storage requirements are a big part of
the sizing, of course, because if you don't get large enough disks to support your users,
you will be going back to the boss for more money to buy more disks.
However, asking the boss to buy more physical disk drives because the users'
mailboxes are full is at least asking for something tangible. The other side of the sizing
requirement is ensuring that the disk IOPS will keep up with the database engine. The
more users using Exchange Server, the greater the disk I/O capacity required by the
disk subsystem will be. Try explaining to your boss that the disks have plenty of
storage available but they can't keep up with the database load.
The disk subsystem that you choose has to be able to support not only the amount of
storage required but also the IOPS load that the users will place on the disk
subsystem. Therefore, understanding the IOPS profile as well as the amount of
storage required is important. Helpfully, Microsoft has improved the IOPS profile with
every iteration of Exchange Server, and Exchange Server 2016 is no exception, most
notably improving the Input/Output Operations Per Second (IOPS) performance
when replicating Information Store data between DAG nodes.
Microsoft's recommended system requirements for the disk include:
• The drive on which you install Exchange should be at least 30 GB.
• An additional 500 MB of disk space should be available for each Unified Messaging
  (UM) language pack you plan to install.
• The system drive should have 200 MB of available disk space.
• The hard disk that stores the message queue database should have at least 500 MB
  of free space.
• The page file size minimum and maximum must be set to physical RAM plus 10
  MB, to a maximum size of 32,778 MB if you're using more than 32 GB of RAM.
• Disk partitions should be formatted as NTFS file systems, which applies to the
  system partition, partitions that store Exchange binary files or files generated by
  Exchange diagnostic logging, and partitions containing database files and
  transaction log files.
NOTE Partitions containing database files and transaction log files may also be
formatted as ReFS with the data integrity features disabled.
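The page file rule in the list above can be checked on a candidate server before setup is run. The following PowerShell is an added example, not code from the book; the function names and the constructed sample values are illustrative assumptions, and it relies on the standard Win32_ComputerSystem and Win32_PageFileSetting CIM classes.

```powershell
# Added example: compare a server's page file settings with the chapter's rule.
# Function names and sample values are illustrative, not from the book.

function Get-ExpectedPageFileMB {
    param([Parameter(Mandatory)][double]$PhysicalRamMB)
    # Chapter rule: physical RAM plus 10 MB, capped at 32,778 MB
    # (32 GB + 10 MB) once the server has more than 32 GB of RAM.
    $ramMB = [math]::Min([math]::Ceiling($PhysicalRamMB), 32768)
    return [int]$ramMB + 10
}

function Test-PageFileSetting {
    param(
        [Parameter(Mandatory)][double]$PhysicalRamMB,
        [bool]$AutomaticManaged,
        [int]$InitialSizeMB,
        [int]$MaximumSizeMB
    )
    $expected = Get-ExpectedPageFileMB -PhysicalRamMB $PhysicalRamMB
    $problems = @()
    if ($AutomaticManaged) {
        # A system-managed page file has no fixed minimum and maximum.
        $problems += 'Page file is system managed; set a fixed minimum and maximum.'
    } else {
        if ($InitialSizeMB -ne $expected) {
            $problems += "Initial size is $InitialSizeMB MB, expected $expected MB."
        }
        if ($MaximumSizeMB -ne $expected) {
            $problems += "Maximum size is $MaximumSizeMB MB, expected $expected MB."
        }
    }
    [pscustomobject]@{
        ExpectedMB = $expected
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    # Live check on a Windows server. TotalPhysicalMemory reports usable memory,
    # which can be slightly lower than installed RAM; adjust the input if you
    # size from installed RAM instead.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $pf = Get-CimInstance -ClassName Win32_PageFileSetting | Select-Object -First 1
    $result = Test-PageFileSetting -PhysicalRamMB ($cs.TotalPhysicalMemory / 1MB) `
        -AutomaticManaged $cs.AutomaticManagedPagefile `
        -InitialSizeMB ([int]$pf.InitialSize) -MaximumSizeMB ([int]$pf.MaximumSize)
} else {
    # Constructed sample: a 16 GB server with a fixed 4,096 MB page file.
    $result = Test-PageFileSetting -PhysicalRamMB 16384 -AutomaticManaged $false `
        -InitialSizeMB 4096 -MaximumSizeMB 4096
}
$result | Format-List
```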
Microsoft highly recommends using the Exchange Server Role Requirements
Calculator to help plan the Exchange Server storage that will fit your organization
requirements. The Exchange Server Role Requirements Calculator will recommend
high availability strategies for your storage solution, as well as simulate different
failover scenarios for planning purposes. Something else that you may find of benefit
relative to Exchange Server 2013 that also applies to Exchange Server 2016 is the
following web page, which addresses a number of factors associated with various
storage architectures, physical disk types, and best practices:
http://technet.microsoft.com/en-us/library/ee832792%28v=exchg.150%29.aspx
Improved Caching and Reduced I/O Profiles
The IOPS profiles have changed significantly compared to Exchange Server 2010
because of the incorporation of all message-routing functionality into the Mailbox
server roles. The information in this section applies to servers that are hosting the
Mailbox server role.
Hundreds of pages of material have been written on the concept of optimizing
Exchange Server for maximum performance by improving IOPS performance with
Exchange Server—and we certainly can't do the concept justice in just a few
paragraphs—but understanding the basic IOPS profile of users is helpful. Microsoft
has done a lot of research on reducing IOPS requirements based on the mailbox size
and the average load that each user places on the server. In this vein, understanding
the differences between Exchange Server 2010 I/O and Exchange Server 2013 and
Exchange Server 2016 I/O is something you may find helpful.
One area Microsoft has continuously improved is IOPS. Since Exchange Server 2003,
we've witnessed a number of changes to the structure of Exchange Server and its
databases to improve performance. The most obvious improvement moving from
Exchange Server 2003 to Exchange Server 2007 was the removal of the .STM
database, a database for streamed Internet content. The .EDB database was modified
to support that same content. Microsoft wasn't finished there. From Exchange Server
2007 and newer editions, Exchange Server is a 64-bit-only application, which
increased the RAM that can be addressed to theoretically 2^64 bytes.
The Exchange Server database team worked at further reducing the IOPS of the Exchange
Server 2010 Mailbox server role. One of the key factors that the database team
focused on with Exchange Server 2010 was to further improve the I/O performance so
that most types of affordable disk drives could be used (such as SATA, SAS, or SCSI).
They did this by further optimizing the use of cache memory, increasing database page
sizes, increasing I/O size, and performing sequential reads to reduce the frequency of
reads and writes, changing the database schema, and optimizing how the database
arranges data to be written to the disk.
The resulting improvements to the Exchange Server 2010 database engine further
reduced the I/O requirements for the standard usage profiles. I/O requirements, of
course, are just estimates, but they generally provide a pretty good guideline for the
IOPS requirements for the disks that will host Exchange Server databases. The disks
that will host the Exchange Server transaction logs will require approximately 10 to 20
percent of the IOPS requirements for their corresponding database.
There have been significant changes to the way Exchange Server 2013 and 2016
interact with Information Stores, but some numbers from Microsoft, as shown in
Table 9.5, reflect the continuous improvement in I/O performance.
Table 9.5 User Type, Database Volume IOPS, and Messages Sent and Received per
Day for Exchange Server 2016
User Type    Database Volume IOPS    Messages Sent/Received per Day*
Light        0.017                   5 sent/20 received
Average      0.034                   10 sent/40 received
Heavy        0.067                   20 sent/80 received
Large        0.101                   30 sent/120 received
*Assumes average message size is approximately 50 KB.
It is reasonable to assume that there has been some variation in the testing
methodology used to generate the data over the years. A lot of things have changed
since Exchange Server 2003, but the fact is that Microsoft has worked to improve the
overall performance of I/O operations as they relate to Mailbox servers. For an
in-depth breakdown on performance improvements to Exchange Server 2016, check out
this blog entry from the Microsoft Exchange Team:
http://blogs.technet.com/b/exchange/archive/2015/10/15/ask-the-perf-guy-sizing-exchange-2016-deployments.aspx
Mailbox Storage
Exchange servers holding the Mailbox server role consume the most disk space.
Exchange Server system designers often fall short in their designs by not allowing
sufficient disk space for database storage, transaction logs, and extra disk space. Often
the disk space is not partitioned correctly, either. Here are some important points to
keep in mind when planning your disk space requirements:
• Transaction log files should be on a separate set of physical disks (spindles) from
  their corresponding Exchange Server database files if you are deploying only a
  single database copy. RAID 1 or RAID 1+0 arrays provide better performance for
  transaction logs. However, if you are implementing a DAG, you don't need to
  separate the database copy and the transaction log files, because recovery takes
  place via a replicated copy hosted on another machine rather than a backup.
• Allow for 7 to 10 days' worth of transaction logs to be stored for each database. The
  estimated amount of transaction logs will vary dramatically from one organization
  to another, but a good starting point is about 4 GB of transaction logs per day per
  1,000 mailboxes. This is just one estimate of a specific usage profile, though, and
  your actual mileage may vary. Tools like the Exchange Storage Calculator can be
  used to help determine disk space requirements.
• Allow for white space estimates in the maximum size of each of your database files.
  (The white space is the empty space that is found in the database at any given
  time.) The size of the white space in the database can be approximated by the
  amount of mail sent and received by the users with mailboxes in that database. For
  example, if you have one hundred 2 GB mailboxes (a total of 200 GB) in a database
  where users send and receive an average of 10 MB of mail per day, the white space
  is approximately 1 GB (100 mailboxes × 10 MB per mailbox). Factor in 5 to 10
  percent additional disk space for the content index databases. You will have one
  content index database for each production database.
• Allocate enough free space on the disk or spare disks so that you can always make
  a backup copy of your largest database and still have some free disk space. A good
  way to calculate this is to take 110 percent of the largest database you will support;
  that will also allow you to perform maintenance on the database using Eseutil if
  necessary.
• Consider additional disk space for message tracking, message transport, and client
  access, as well as HTTP, POP3, and IMAP4 log files.
• Always have recovery in mind, and make sure you have enough disk space to be
  able to restore a database to a recovery database.
Let's move on to an example of a server that will support 1,000 mailboxes. We are
estimating that we will provide the typical user with a Prohibit Send size warning of
500 MB and a Prohibit Send And Receive limit of 600 MB. In any organization of
1,000 users, you have to take into account that 10 percent will qualify as VIPs who will
be allowed more mail storage than a typical user; in this case, let's allow 100 VIP users
to have a Prohibit Send And Receive limit of 2 GB.
These calculations result in 540 GB of mail storage requirements (600 MB × 900
mailboxes) for the first 900 users plus another 200 GB (2 GB × 100 mailboxes) for the
VIP users. This results in a maximum amount of mail storage of 740 GB. However,
this estimate does not include estimates for deleted items in a user's mailbox and
deleted mailboxes, so we want to add an additional overhead factor of about 15
percent, or about 111 MB, plus an additional overhead factor of another 15 percent
(another 111 MB) for database white space.
Therefore, at any given time for these 1,000 mailboxes, we can expect mail database
storage (valid email content, deleted data, and empty database space) to consume
approximately 962 GB, but because we like round numbers, we'll round that up to
1,000 GB, or 1 TB.
In this example, let's say that we have decided the maximum database size we want to
be able to back up or restore is 100 GB. This means that we need to split the users'
mailboxes across 10 mailbox databases.
For the transaction logs, we estimate that we will generate approximately 5 GB of
transaction logs per day. We should plan for enough disk space on the transaction log
disk for at least 50 GB of available disk space.
Next, because full-text indexing is enabled by default, we should allow enough disk
space for the full-text index files. In this case, we will estimate that the full-text index
files will consume a maximum of about 10 percent of the total size of the mail data, or
approximately 100 GB. If we combine the full-text index files on the same disk drive
as the database files, we will need about 1.3 TB of disk space.
Anytime you are not sure how much disk space you should include, it is a good idea to
plan for more rather than less. Although disk space is reasonably inexpensive, unless
you have sophisticated storage systems, adding additional disk space can be time
consuming and costly from the perspective of effort and downtime.
Planning for Mail Growth
Growth? You may be saying to yourself, “I just gave the typical user a maximum
mailbox size of 600 MB and the VIPs a maximum size of 2 GB! How can my users
possibly need more mailbox space?” Predicting the amount of growth you may need in
the future is a difficult task. You may not be able to foresee new organizational
requirements, or you might be influenced by future laws that require specific
data-retention periods.
In our experience, though, mailbox limits, regardless of how rigid we plan to be, are
managed by exception and by need. In the preceding example, we calculated that we
would need 1.3 TB of disk space for our 1,000 mailboxes. Would we partition or create
a disk of exactly that size? Possibly. One of the facts that Microsoft has taken into
consideration is the increasing size factor as hard drives as large as 8 TB are becoming
available on the market at an increasingly attractive price point.
Instead of carving out exactly the amount of disk space you anticipate needing, add a
“fluff factor” to your calculations. As a baseline, we recommend adding approximately
20 to 25 percent additional capacity to the anticipated amount of storage you think
you will require. In this example, we might anticipate using 1.3 TB of disk space if we
added 25 percent to our expected requirements. Here are some factors that you may
want to consider when deciding how much growth you should expect for your mailbox
servers:
• Average annual growth in the number of employees
• Acquisitions, mergers, or consolidations that are planned for the foreseeable future
• Addition of new mail-enabled applications, such as Unified Messaging features or
  electronic forms routing
• Government regulations that require some types of corporate records (including
  email) to be retained for a number of years
Conversely, potential events in your future could reduce the amount of mailbox
storage you require. Many organizations are now including message archival and
long-term retention systems in their messaging systems. These systems archive older
content from a user's mailbox and move it to some type of external storage such as
disk, storage area network, network-attached storage, optical, or tape storage.
Email Archiving and Mail Storage
Email has emerged as the predominant form of business communications. Sales,
marketing, ordering, human resources, legal, financial, and all other types of
information are now disseminated via email.
Myriad companies provide archiving solutions for email systems. Some of these
companies provide in-house solutions, whereas some are hosted solutions. There are
just about as many reasons to implement an email archive system as there are archive
vendors. The following are some of the reasons to implement email archiving:
• Reduces the size of mailbox databases and mailboxes (smaller databases and
  smaller mailboxes improve disaster-recovery response times and improve
  performance)
• Provides long-term retention of email data
• Provides users with a searchable index of their historical email data
• Allows for eDiscovery of email (message content, attachments, as well as email
  metadata) that often must be indexed for legal proceedings
• Eliminates the use of Outlook personal folder (PST) files
Third-party archive systems are great for organizations that must retain much of the
information in their mailboxes but want to move it to external storage. However,
depending on the system, you don't want to archive everything older than five days,
for example, because that may prevent the user from accessing it via Outlook on the
web or mobile devices. Further, once the content is archived and no longer residing in
the user's mailbox, it will no longer be accessible from a user's desktop search engine,
such as the Windows Desktop search engine. Therefore, keeping a certain amount
of content in the user's mailbox always makes sense.
Exchange Server 2016 has retained the email archive system created in Exchange
Server 2010. Microsoft's approach is to establish an extra archive mailbox for each
user who requires archiving. The email archive mailbox can reside on the same
mailbox database as the user's mailbox or a different mailbox database hosted on a
different server. This approach does serve the goal of reducing the size of the user's
primary mailbox, but it does not reduce the size of the aggregate database volume.
Furthermore, it allows users who may have been using PST files as an archival storage
mechanism to return that email back into an Exchange Server archive mailbox for the
purposes of eDiscovery and long-term archival.
If you are planning to use the Exchange Server 2016 mailbox archive feature, you will
need to take this into account and plan for additional storage as needed.
Software Requirements
After you have chosen the right hardware to support Exchange Server 2016, you need
to make sure that the software is ready. This includes getting the right version and
edition of the operating system, software updates, and any prerequisite Windows roles
or functions.
Operating System Requirements
The operating system requirements for Exchange Server 2016 are pretty cut and dried.
Windows Server 2012 R2 and Windows Server 2012 are the only operating systems
supported in the following configurations:
• Windows Server 2012 R2 Standard Edition
• Windows Server 2012 R2 Datacenter Edition
• Windows Server 2012 Standard Edition
• Windows Server 2012 Datacenter Edition
Additionally, you may be a fan of the Server Core installation, but Exchange Server
2016 does not run on Server Core.
If you are unsure as to whether you have the correct Service Pack installed on your
system, you can acquire this information by opening Control Panel\Programs\Programs
and Features\Installed Updates. There you will see a comprehensive list of all Service
Packs, Cumulative Rollups, and HotFixes that have been applied to your system.
Name the Server Quickly!
Once you have installed Windows Server 2012 R2 or Windows Server 2012, make
sure that the server is assigned the correct name before you proceed. During
installation, the Windows Server setup assigns a random name to the server.
More than likely, this name will not be the one you want to use. Once Exchange
Server 2016 is installed, you cannot change this name without uninstalling
Exchange. Therefore, once you install the Windows Server operating system on a
server, be sure you change the server name in the Server Manager console in
Windows Server 2012 R2 or Windows Server 2012.
Windows Server 2012 R2 and Windows Server 2012 Roles and Features
You must add a number of roles and features to the default installation of Windows
Server 2012 R2 and Windows Server 2012 to support the functionality of Exchange
Server 2016. The roles and features are required for all versions of the host operating
system.
MailboxServerRole
YouwillwanttousePowerShellonceagaintoinstalltheprerequisitefeatureson
WindowsServer2012R2andWindowsServer2012.Therearesomedifferences
betweentheMailboxserverroleandtheEdgeTransportserverrole.
1. OpenaPowerShellsessionwiththeappropriateadministrativerightstomodify
theinstallation.
2. RuntheInstall-WindowsFeaturecmdlettobeabletoprepareActivethedirectory
fromtheExchangeServercomputer:
Install-WindowsFeatureRSAT
3. Afterthatcommandiscomplete,youwillneedtorunthefollowingcmdletto
installtheWindowsServerprerequisitesfortheExchangeServer2016Mailbox
serverrole:
Install-WindowsFeatureAS-HTTP-Activation,Desktop-Experience,NETFramework-45-Features,RPC-over-HTTP-proxy,RSAT-Clustering,RSATClustering-CmdInterface,RSAT-Clustering-Mgmt,RSAT-ClusteringPowerShell,Web-Mgmt-Console,WAS-Process-Model,Web-Asp-Net45,WebBasic-Auth,Web-Client-Auth,Web-Digest-Auth,Web-Dir-Browsing,Web-DynCompression,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,WebHttp-Tracing,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Lgcy-Mgmt-Console,
Web-Metabase,Web-Mgmt-Console,Web-Mgmt-Service,Web-Net-Ext45,WebRequest-Monitor,Web-Server,Web-Stat-Compression,Web-Static-Content,
Web-Windows-Auth,Web-WMI,Windows-Identity-Foundation
4. ThenextstepistodownloadfromMicrosoftDownloadCenterandinstallthe
followingsupplementalcomponentsintheorderlisted:
a.NetFramework4.5.2.
https://www.microsoft.com/en-us/download/details.aspx?id=42642
b.MicrosoftUnifiedCommunicationsManagedAPI4.0,CoreRuntime64-bit.
http://www.microsoft.com/en-us/download/details.aspx?id=34992
Edge Transport Server Role
The required components and packages are different when you install the Edge Transport server role by itself compared to a Mailbox server role system. To install the prerequisite features to support an Edge Transport server, take the following steps:
1. Open a PowerShell session with the appropriate administrative rights to modify the installation.
2. Run the Install-WindowsFeature cmdlet to install Active Directory Lightweight Directory Services (AD LDS):
Install-WindowsFeature ADLDS
3. The next step is to download from Microsoft Download Center and install the .NET Framework 4.5.2 supplemental component:
https://www.microsoft.com/en-us/download/details.aspx?id=42642
Windows 10 and Windows 8.1 Management Consoles
You can create a management console for your Exchange Server 2016 deployment on a domain-joined Windows 10 (64-bit) system with no additional configuration. The default installation is supported. You can also use Windows PowerShell to remotely connect to and manage Exchange Server with Exchange Management Shell, without installing the Exchange Management tools.
You can also configure a domain-joined Windows 8.1 (64-bit only) to function as a management console for your Exchange Server 2016 deployment, but you have to download and install .NET Framework 4.5.2 from the following URL:
https://www.microsoft.com/en-us/download/details.aspx?id=42642
Additional Requirements
In addition to making sure that the hardware and server software can support Exchange Server 2016, you need to consider a few infrastructure requirements. These include making sure that your Active Directory infrastructure can support Exchange Server 2016 and that you have the necessary permissions to prepare the forest and domain.
Active Directory Requirements
The Active Directory domain controller requirements to install Exchange Server 2016 into your forest can be a bit confusing. We've created a summary of the required settings for you. Here are some AD settings you must use to ensure that your Active Directory infrastructure will properly support Exchange Server 2016:
All domain controllers in each Active Directory site where you plan to deploy Exchange Server 2016 must be running Windows Server 2008 at a minimum.
The Active Directory forest must be in Windows Server 2008 forest functional level.
Each Active Directory site in which you will install Exchange Server 2016 servers should contain at least two global catalog servers to ensure local global catalog access and fault tolerance.
For organizations using domain controllers running x64 Windows and having enough RAM installed for the entire NTDS.DIT to be loaded into memory, each Active Directory site that contains Exchange servers should have one domain controller processor core for every eight Exchange Server Mailbox server processor cores.
Always take into account that domain controllers may not be dedicated to just Exchange Server. They may be handling authentication for users logging into the domain and for other applications.
Exchange Server 2016 doesn't use read-only domain controllers and global catalog servers, so do not include them when planning your domain controllers.
Installation and Preparation Permissions
It might seem that the easiest possible way to install Exchange Server 2016 is to log on to a Windows Server 2012 R2 or Windows Server 2012 computer as a member of Domain Admins, Schema Admins, and Enterprise Admins. Indeed, using a user account that is a member of all three of those groups will give you all the rights you need.
In some larger organizations, though, getting a user account that is a member of all three of these groups is impossible. In some cases, the Exchange Server administrator may have to make a request from the Active Directory forest owner to perform some of the preparation tasks on behalf of the Exchange Server team. For this reason, it is important to know the permissions that are required to perform the different setup tasks, as shown in Table 9.6.
Table 9.6 Task Permissions
Task | Group Membership
Setup /PrepareSchema or setup /ps | Schema Admins and Enterprise Admins
Setup /PrepareAD or setup /p | Enterprise Admins
Setup /PrepareDomain or setup /pd | Domain Admins
Install Exchange Server 2016 | Administrators group on the Windows server and Exchange Organization Management
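The group requirements in Table 9.6 can be checked against the current logon token before Setup is started. This is an added example, not code from the book: the function name Test-ExchangeSetupPermission is hypothetical, it assumes the ActiveDirectory PowerShell module (part of RSAT) is installed, and it covers only the three preparation tasks, which map to groups with well-known relative IDs.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module is present.
Import-Module ActiveDirectory

function Test-ExchangeSetupPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('PrepareSchema', 'PrepareAD', 'PrepareDomain')]
        [string]$Task,

        # Domain to be prepared; only used for the PrepareDomain task.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    # Schema Admins (RID 518) and Enterprise Admins (RID 519) live in the
    # forest root domain; Domain Admins (RID 512) exists in every domain.
    # Matching on SIDs keeps the check valid even if a group was renamed.
    $forest  = Get-ADForest
    $rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value

    $required = switch ($Task) {
        'PrepareSchema' {
            @{ 'Schema Admins' = "$rootSid-518"; 'Enterprise Admins' = "$rootSid-519" }
        }
        'PrepareAD' {
            @{ 'Enterprise Admins' = "$rootSid-519" }
        }
        'PrepareDomain' {
            $domainSid = (Get-ADDomain -Identity $Domain).DomainSID.Value
            @{ 'Domain Admins' = "$domainSid-512" }
        }
    }

    # WindowsIdentity.Groups lists only groups that are enabled in the token.
    # Under UAC a non-elevated shell holds these admin groups as deny-only,
    # so they are reported as missing until the shell is run elevated,
    # which is also the state Setup itself would see.
    $tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }

    foreach ($entry in $required.GetEnumerator()) {
        [pscustomobject]@{
            Task    = $Task
            Group   = $entry.Key
            Sid     = $entry.Value
            InToken = ($tokenSids -contains $entry.Value)
        }
    }
}

# Report which required groups are effective for each preparation task.
'PrepareSchema', 'PrepareAD', 'PrepareDomain' | ForEach-Object {
    Test-ExchangeSetupPermission -Task $_
} | Format-Table -AutoSize
```

Because the result is per task, it also shows which steps have to be handed to another administrator when the three memberships are held by different people.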
Coexisting with Previous Versions of Exchange Server
Exchange Server is fairly widely deployed in most organizations, so it is likely that you will be transitioning or migrating your existing Exchange Server organization over to Exchange Server 2016. For some period of time (hopefully, short), your Exchange Server 2016 servers will be interoperating with either Exchange Server 2013 and/or Exchange Server 2010 servers. For this reason, you must know the factors necessary to ensure successful coexistence.
The recommended order for installing Exchange Server 2016 servers and transitioning messaging services over to those new servers is as follows:
1. Install Mailbox servers and, depending on the clients you need to support, you will want to configure MAPI over HTTP, Outlook Anywhere, Outlook on the web, Exchange ActiveSync, POP3, and IMAP4 clients on the new servers.
2. Begin to transition mailboxes and public folders from the legacy servers to the new servers.
3. If your organization will use Edge Transport servers, install and configure Edge Transport servers.
Coexistence with Exchange Server 2013
If you are currently using Exchange Server 2013, prior to installing the first Exchange Server 2016 server, make sure that you meet the following prerequisites:
All Exchange Server 2013 servers within the Active Directory where you are planning to introduce Exchange Server 2016 must be running a minimum of Exchange Server 2013 CU11.
The Active Directory forest must be at the Windows Server 2008 forest functional level.
Each Active Directory site must have at least one global catalog server running Windows Server 2008 or later.
Coexistence with Exchange Server 2010
If you are currently using Exchange Server 2010, prior to installing the first Exchange Server 2016 server, make sure that you meet the following prerequisite: All Exchange Server 2010 servers, including the Edge Transport server, must be at Exchange Server 2010 Service Pack 3 RU11.
The Bottom Line
Use the right hardware for your organization. There are several tools provided online to help you properly size the amount of RAM, as well as the hard disk configuration, for your deployment. One other resource that you should not overlook is your hardware vendor. Very often vendors have created custom tools to help you properly size your environment relative to your organizational needs.
If you want to get a fair idea as to what you should plan, use the tables in this chapter, based on both mailbox size and message volume. Remember, you should try both sizing methods and select the option that projects the most RAM and the largest storage volume. You can never have enough RAM or storage space.
Ensure that the processor core number of Mailbox servers is adequate to keep up with the load clients will place on these servers.
Start with the Exchange Server 2016 Server Role Requirements Calculator and try different combinations of options. It can serve as a solid guideline for deployments, from small- to medium-size companies, as well as large multinational organizations.
If you are missing a component, you will receive feedback from Exchange Server 2016 when you attempt to install the application. The components are going to differ from server operating system to server operating system and from role combination to role combination.
If you find it necessary to integrate Exchange Server 2016 with either Exchange Server 2010 or Exchange Server 2013, you will want to make sure that you have installed the latest Service Packs and updates for the host operating systems and the server applications.
Master It What is the primary tool you can use to ascertain the appropriate configuration of an Exchange Server 2016 deployment based on the number of users and message volume?
Configure Windows Server 2012 R2 and Windows Server 2012 to support Exchange Server 2016. Make sure you have all of the prerequisite features and modules. Using PowerShell is the most efficient method for quickly and completely installing all of the necessary components.
Master It You need to verify that all of the prerequisites are met. How can you accomplish this from PowerShell?
Confirm that Active Directory is ready. Make sure that you have set your Active Directory domain and forest functional levels to Windows Server 2008 at a minimum. You should not encounter any problems if you set your domain and forest functional levels to Windows Server 2012 or Windows Server 2012 R2. Avoid frustration during installation or potential problems in the future that may result from domain controllers or global catalog servers running older versions of the software.
Master It You must verify that your Active Directory meets the minimum requirements to support Exchange Server 2016. What should you check?
Verify that previous versions of Exchange Server can interoperate with Exchange Server 2016. Exchange Server 2016 will interoperate only with specific previous versions of Exchange Server.
Master It You must verify that the existing legacy Exchange servers in your organization are running the minimum versions of Exchange Server required to interoperate with Exchange Server 2016. What should you check?
Chapter 10
Installing Exchange Server 2016
People who install Exchange Server 2016 fall into two camps. The first camp—and most people probably fall into this one—contains people who simply run the Setup program with no command-line options and choose the default settings. The second camp consists of those who want to make custom configurations to the default settings at the time of installation and who may need the command-line options to successfully install those servers.
Regardless of which camp you fall into, getting the prerequisites out of the way first will ensure a smooth installation. Further, knowing your setup options will help to make sure you get everything right the first time.
IN THIS CHAPTER, YOU WILL LEARN TO:
Implement important steps before installing Exchange Server 2016
Prepare the Active Directory forest for Exchange Server 2016 without actually installing Exchange Server
Employ the graphical user interface to install Exchange Server 2016
Determine the command-line options available when installing Exchange
Before You Begin
Before you start installing Exchange Server, you need to have a plan. There are considerations for what level of high availability you need: disk throughput analysis, memory requirements planning, and client namespace planning. All of these topics are covered in later chapters on configuring mailbox databases and client access services. This chapter focuses on the mechanics of installation.
When you run the Exchange Server 2016 Setup program, it checks a number of things to ensure that not only Windows Server but also Active Directory and your specific permissions all meet the necessary prerequisites. Some missing prerequisites are easy to resolve, whereas others may take hours or even days.
You don't want these missing pieces and prerequisites to slow you down. If you have not already read Chapter 9, “Exchange Server 2016 Requirements,” you should do so. Here we'll review only the prerequisites and best practices:
If you have existing Exchange servers in your environment, run the Office 365 Best Practices Analyzer (ExBPA) for Exchange Server. Make sure you correct any serious problems the ExBPA finds.
The Active Directory forest should be at least Windows Server 2008 Forest Functional mode.
The Active Directory Schema Master role must be on a Windows Server 2008 domain controller or later.
Every Exchange 2010 server in the organization, including Edge Transport servers, must be running at least Exchange Server 2010 SP3 Update Rollup 11 in order for you to install the first Exchange 2016 server into the organization.
All existing Exchange 2013 servers, including Edge Transport servers, must be running at least Cumulative Update 10 for Exchange 2013.
All Active Directory sites in which you plan to install Exchange 2016 servers should have at least one global catalog server, but preferably at least two for redundancy.
Mailbox servers must have at least 8 GB of RAM and 30 GB of hard disk space free. However, ensure that you have performed the proper disk space and memory requirement calculations and that you are providing the right amount of disk space and physical memory. Microsoft provides the Exchange Server Role Requirements Calculator for this purpose. This calculator identifies the correct server specifications for your scenario. The minimum specifications are seldom sufficient for adequate performance.
Windows Server 2012 or Windows Server 2012 R2 must be the operating system used on any server that will run Exchange Server 2016.
If you have storage area networks (SANs), get your device drivers configured and your storage and logical units (LUNs) connected ahead of time. Don't mix Exchange troubleshooting with SAN troubleshooting.
Install the required Windows Server roles and features.
Confirm that you have the Exchange installation files (including any additional language packs above and beyond English) that you require. We recommend that you copy them onto a network share so that they are easily accessible.
Preparing for Exchange 2016
In some large organizations, you may find it necessary to prepare your Active Directory prior to installing Exchange Server 2016. You may need to do this for a number of reasons. Remember that the various steps to prepare the forest require membership in the Schema Admins and Enterprise Admins groups as well as Domain Admins membership in each of the forest's domains.
In a small- or medium-size business, you may be where the proverbial buck stops. You may have a user account that has all of these permissions, and you can run everything easily by yourself. In that case, simply log on as a user with the necessary permissions and run Setup.
However, large organizations are a bit different. Here are a few points you should consider:
Large organizations may have configuration control and change management in place. Those are best practices. You may need to document the steps you will take, identify risks and rollback plans, request permission to proceed, and schedule the forest preparation.
Large Active Directory implementations may have many Active Directory sites and domain controllers. Organizations that are distributed across large geographic areas may have replication delays on their domain controllers of anywhere from 15 minutes to seven days. Replication of schema and domain changes should be completed prior to proceeding with Exchange Server installations.
Permissions to update the schema, configuration partition, and child domains are sometimes spread across a number of different individuals or departments. You may need to have another administrator log in for you to run various preparation steps.
If you have to prepare the Active Directory forest, you'll need to take a few steps. The number of steps will vary depending on the following factors:
Whether you have a previous version of Exchange Server running
The number of domains in your forest
The permissions within the forest root domain and the child domains
Important Steps Prior to Preparing Any Domain
Before running any of the Active Directory preparation steps, make sure the machine from which you are running the setup.exe program is in the same Active Directory site as the Schema Master and has good connectivity to the Schema Master. It is also preferable to have a domain controller from each domain within the forest in the same site.
Existing Exchange Organizations
Exchange 2016 supports coexistence with only Exchange 2010 or later. If you have Exchange 2003 or Exchange 2007 in your organization, you must upgrade to Exchange 2010 or 2013 before introducing Exchange 2016 or else install Exchange 2016 into a new forest.
If you have Exchange 2010 or 2013 servers in your organization, you must prepare each server so that Exchange Server 2016 can properly communicate with it. To do this, install Exchange 2010 SP3 Update Rollup 11 or later on every Exchange 2010 server in the forest, and install Exchange 2013 Cumulative Update 10 or later on every Exchange 2013 server in the forest, including Edge Transport servers. If you have more than one site, the preferred sequence is to upgrade any Internet-facing sites first and then upgrade the internal sites. The first Internet-facing site that you should upgrade, if there are multiples, is the one where Autodiscover requests from the Internet are received. More information on upgrading from previous versions of Exchange can be found in Chapter 11, “Upgrades and Migrations to Exchange Server 2016 or Office 365.”
Preparing the Schema
Next is the step that usually scares Active Directory administrators the most: extending the Active Directory schema. Essentially, the schema is the set of rules that define the structure (the objects and the attributes of those objects) for Active Directory. This operation requires the user account running this operation to have both Enterprise Admins and Schema Admins group memberships.
This scares Active Directory administrators for a couple of reasons. First, schema changes cannot be undone—ever. Second, once the schema changes are made, they replicate to every domain controller in the entire forest.
Even though many administrators get nervous about schema extensions, it is very rare for there to be problems. Conflicts only occur if your organization has made custom schema extensions that happen to be the same attributes as those in Exchange Server. Most organizations never make custom schema extensions. The most common problem is a schema extension not completing. If the schema extension doesn't complete, you just do it again. There is no corruption from a partially completed schema extension.
Naturally, schema changes are not made to an Active Directory forest very often. When schema changes are performed, often the Active Directory administrators want to know exactly what is being changed. This is a bit difficult to document for Exchange because of the sheer number of changes. An Active Directory that has never been prepped for Exchange will have more than 3,000 changes made to the schema, including new classes (object types), new attributes, new attributes being flagged for the global catalog replication, and existing attributes being flagged to replicate to the global catalog. If you want to point your Active Directory administrators to a specific list of changes, this URL is helpful:
http://technet.microsoft.com/en-us/library/bb738144.aspx
If you, or your Active Directory administrators, are curious about what is being changed, take a look at the LDF files in the \Setup\Data folder within the Exchange 2016 setup files. For the most part, you probably don't have to worry about this unless you have done something nonstandard with your Active Directory, such as defining your own classes or attributes without giving them unique names and unique object identifiers.
To extend the schema effectively, the server from which you are running the schema preparation must be in the same Active Directory site as the Schema Master domain controller. You can locate the Schema Master by using the Schema Management console; the console is not available by default, so you first must register it. At the command prompt, type regsvr32.exe schmmgmt.dll; you will see a message indicating the schmmgmt.dll registration succeeded.
Then you can run the Microsoft Management Console program (mmc.exe) and add the Active Directory Schema snap-in. This snap-in will not appear unless the schmmgmt.dll registered properly. Once you have the Active Directory Schema console open, right-click Active Directory Schema and choose Operations Master. The Change Schema Master dialog (Figure 10.1) will show you which server currently holds the Schema Master role.
Figure 10.1 Determining which domain controller holds the Schema Master role
An Easier Way to Determine the Schema Master
The preceding steps allow you to both determine which domain controller currently holds the Schema Master flexible single master operations (FSMO) role and relocate the Schema Master role to another domain controller. However, if you only want to find out which domain controller holds the Schema Master role without having to register the schmmgmt.dll file, you can simply run NetDOM /query FSMO. You can also find the Schema Master in Windows PowerShell by running Get-ADForest | Format-List *master.
To extend the schema, run the following command from within the Exchange 2016 Setup folder:
Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
Note that this can take between 15 and 30 minutes depending on the speed of the computer on which you are running Setup, the speed of the Schema Master domain controller, and the network connection between the computers.
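The placement advice above (run preparation from the Schema Master's site, preferably with a domain controller from every domain in that site) can be checked before Setup is launched. This is an added example, not code from the book: the function name Get-SchemaMasterPlacement is hypothetical and the ActiveDirectory module is assumed to be installed on the machine that will run Setup.

```powershell
# Added example (not from the book). Run on the machine that will run Setup.
Import-Module ActiveDirectory

function Get-SchemaMasterPlacement {
    $forest = Get-ADForest

    # Site of the domain controller that holds the Schema Master FSMO role.
    $schemaMaster = Get-ADDomainController -Identity $forest.SchemaMaster `
        -Server $forest.SchemaMaster

    # Site this computer belongs to, as resolved by the DC locator.
    $localSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

    # For each domain in the forest, count the domain controllers in the
    # local site. Read-only DCs are left out because Exchange does not use them.
    $perDomain = foreach ($domain in $forest.Domains) {
        $dcs = @(Get-ADDomainController -Filter * -Server $domain |
            Where-Object { $_.Site -eq $localSite -and -not $_.IsReadOnly })

        [pscustomobject]@{
            Domain               = $domain
            WritableDCsInSite    = $dcs.Count
            GlobalCatalogsInSite = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
        }
    }

    [pscustomobject]@{
        SchemaMaster     = $schemaMaster.HostName
        SchemaMasterSite = $schemaMaster.Site
        LocalSite        = $localSite
        SameSite         = ($schemaMaster.Site -eq $localSite)
        Domains          = $perDomain
    }
}

$placement = Get-SchemaMasterPlacement
$placement | Format-List SchemaMaster, SchemaMasterSite, LocalSite, SameSite
$placement.Domains | Format-Table -AutoSize

if (-not $placement.SameSite) {
    Write-Warning ("This computer is in site '{0}' but the Schema Master is in '{1}'." -f `
        $placement.LocalSite, $placement.SchemaMasterSite)
}
```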
Important Aspects of Setup in Exchange 2016
Two aspects of Exchange 2016 Setup and Exchange 2013 Setup that are different from Exchange Server 2010 and earlier editions are important for administrators to be aware of. Both of them involve running Setup commands from the command line. First, Setup.com has been deprecated. There is now only one Setup program, which is setup.exe.
Second, whenever running Setup from the command line, you must specify that you agree to the Exchange Server licensing terms by including the /IAcceptExchangeServerLicenseTerms switch.
You will see setup.exe and /IAcceptExchangeServerLicenseTerms included repeatedly throughout this chapter—whenever command-line operations are referenced.
Preparing the Active Directory Forest
The next step is to prepare the Active Directory forest to support an Exchange organization. Although this process does not make as many changes to the forest, it does make quite a few more noticeable changes, such as creating the various Exchange configuration containers and creating Exchange security groups. Figure 10.2 shows an example of the configuration containers that are created.
Figure 10.2 Exchange configuration containers that are found in the Active Directory configuration partition
Here are some of the tasks the Active Directory preparation process includes:
Defining the Exchange organization name if it does not exist already in the Microsoft Exchange container under the Services container of the Active Directory configuration partition
Creating configuration objects and containers under the Exchange organization container (see Figure 10.2)
Creating the Microsoft Exchange Security Groups organizational unit in the forest root domain and then creating the Exchange universal security groups:
Compliance Management
Delegated Setup
Discovery Management
Exchange Servers
Exchange Trusted Subsystem
Exchange Windows Permissions
ExchangeLegacyInterop
Help Desk
Hygiene Management
Organization Management
Public Folder Management
Recipient Management
Records Management
Server Management
UM Management
View-only Organization Management
Importing Exchange-specific extended Active Directory rights and assigning the necessary permissions in Active Directory
Creating the Microsoft Exchange System Objects container in the forest root domain
Preparing the forest root domain for Exchange Server 2016
To run the forest preparation, you must be logged on as a member of the Enterprise Admins group. Further, you should run the forest-preparation process from a server that is in the same Active Directory site and domain that holds the Schema Master FSMO role.
You must use the Setup /PrepareAD option to prepare the Active Directory. You have two options when running /PrepareAD; the option you choose will depend on whether you have an existing Exchange organization. For example, to prepare a forest that has never supported any version of Exchange Server and to use the organization name Contoso, you would run the following command from the Exchange 2016 Setup folder:
Setup /PrepareAD /OrganizationName:Contoso /IAcceptExchangeServerLicenseTerms
Choosing an Exchange Organization Name
In early versions of Exchange Server, choosing the right organization name was often a source of great anxiety. With Exchange 5.5 and earlier, when you built an Exchange site, if you did not pick the right organization name, you could not replicate that site's global address list to the rest of the organization.
Even with Exchange 2000/2003, the organization name was visible at the top of the global address list and within the Exchange System Manager administrative console. Once the organization name is set, it cannot be changed. Fears of acquisitions, mergers, and company name changes still drive people to be concerned about this name.
Although we still recommend naming your organization something descriptive, the actual name is not as important because in Exchange 2016 the organization name is not going to be seen by the end users and is rarely (if ever) seen by the administrators. You can always set the organization name to something generic like Exchange Organization if you want something that would not be affected by reorganization.
When you pick an organization name, use a name that is 64 characters or less and uses only valid Active Directory characters for a container name. We recommend you stick to the basics:
A–Z
a–z
0–9
Spaces and hyphens
However, if the forest already supports a previous version of Exchange Server, the /OrganizationName option is not necessary. You can simply run this command:
Setup /PrepareAD /IAcceptExchangeServerLicenseTerms
When the /PrepareAD process runs, it will check to see if the /PrepareSchema step needs to be run. If so, Setup will check to see if you have the necessary permissions and then run it if so. However, if running /PrepareSchema is necessary and you do not have the required permissions, you will see an error and Setup will fail.
Preparing Additional Domains
If you have only a single domain in your Active Directory forest, the Setup option /PrepareAD will prepare that domain and you will be ready to proceed with your first Exchange Server installation.
However, if you have additional domains in your Active Directory forest and they contain mail-enabled recipients or Exchange servers, you need to prepare these additional domains. To do so, use the /PrepareDomain or /PrepareAllDomains Setup option. This process includes the following:
Assigning to the domain container various permissions to the Authenticated Users and Exchange universal security groups that are necessary for viewing recipient information and performing recipient-management tasks.
Creating a Microsoft Exchange System Objects container in the root of the domain; this container holds mail-enabled recipient information for organization objects such as Exchange databases.
To prepare a single domain, you must be logged on as a member of that domain's Domain Admins group, and there should be a domain controller for that domain in the same site as the server from which you are running Setup. The domain controller should be running a minimum of Windows Server 2008. To prepare a domain called contoso.com, type this command:
Setup /PrepareDomain:contoso.com /IAcceptExchangeServerLicenseTerms
If you have a user account that is a member of the Enterprise Admins group, you can run this command and prepare all domains in the entire forest:
Setup /PrepareAllDomains /IAcceptExchangeServerLicenseTerms
Verifying Successful Preparation
Generally speaking, if the preparation steps for Exchange Server 2016 complete without generating an error, then preparation was successful. However, you can use ADSI Edit to verify that the necessary changes have been completed for the schema and domain.
The rangeUpper property of the ms-Exch-Schema-Version-Pt attribute in the schema defines the schema version for Exchange Server. This value is updated with every Exchange cumulative update. Verify that the version matches the cumulative update you are installing.
The objectVersion property of the container for your Exchange organization in the Configuration partition of Active Directory is updated for some cumulative updates. The full path for the organization object is CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain.
The objectVersion property of the Microsoft Exchange System Objects in the forest root domain is also updated by many cumulative updates.
Microsoft provides a list of values for these properties that correspond with Exchange Server 2016 cumulative updates at https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#ADversions.
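The same three properties can be read with PowerShell instead of ADSI Edit, and reading them from every writable domain controller also shows whether the changes have finished replicating. This is an added example, not code from the book: the function names are hypothetical, the ActiveDirectory module is assumed, and the expected values are parameters that you fill in from Microsoft's published list for your cumulative update.

```powershell
# Added example (not from the book). Function names are hypothetical.
Import-Module ActiveDirectory

function Get-ExchangeADVersion {
    param([Parameter(Mandatory = $true)][string]$Server)

    $root = Get-ADRootDSE -Server $Server

    # Schema partition: rangeUpper of ms-Exch-Schema-Version-Pt.
    $schemaDn = "CN=ms-Exch-Schema-Version-Pt,$($root.schemaNamingContext)"
    $schema = Get-ADObject -Identity $schemaDn -Properties rangeUpper `
        -Server $Server -ErrorAction Stop

    # Configuration partition: objectVersion of the organization container.
    # The organization name differs per forest, so it is located by class.
    $exchangeDn = "CN=Microsoft Exchange,CN=Services,$($root.configurationNamingContext)"
    $org = Get-ADObject -SearchBase $exchangeDn -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msExchOrganizationContainer)' `
        -Properties objectVersion -Server $Server -ErrorAction Stop

    [pscustomobject]@{
        Server           = $Server
        SchemaRangeUpper = $schema.rangeUpper
        Organization     = $org.Name
        OrgObjectVersion = $org.objectVersion
    }
}

function Get-ExchangeSystemObjectsVersion {
    # Domain partition of the forest root domain: objectVersion of
    # CN=Microsoft Exchange System Objects.
    $rootDomain = (Get-ADForest).RootDomain
    $rootDn = (Get-ADDomain -Identity $rootDomain).DistinguishedName
    $meso = Get-ADObject -Identity "CN=Microsoft Exchange System Objects,$rootDn" `
        -Properties objectVersion -Server $rootDomain -ErrorAction Stop
    $meso.objectVersion
}

function Test-ExchangeADPreparation {
    param(
        # Take both values from Microsoft's list for the CU being installed.
        [Parameter(Mandatory = $true)][int]$ExpectedRangeUpper,
        [Parameter(Mandatory = $true)][int]$ExpectedOrgObjectVersion
    )

    # Schema and configuration partitions are held by every DC in the forest,
    # so a stale value on one DC means replication has not completed there.
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Where-Object { -not $_.IsReadOnly }
    }

    foreach ($dc in $dcs) {
        try {
            $v = Get-ExchangeADVersion -Server $dc.HostName
            [pscustomobject]@{
                Server           = $v.Server
                SchemaRangeUpper = $v.SchemaRangeUpper
                OrgObjectVersion = $v.OrgObjectVersion
                UpToDate         = ($v.SchemaRangeUpper -eq $ExpectedRangeUpper -and
                                    $v.OrgObjectVersion -eq $ExpectedOrgObjectVersion)
                Error            = $null
            }
        }
        catch {
            # An unreachable DC or a missing object is reported, not skipped.
            [pscustomobject]@{
                Server           = $dc.HostName
                SchemaRangeUpper = $null
                OrgObjectVersion = $null
                UpToDate         = $false
                Error            = $_.Exception.Message
            }
        }
    }
}

# Usage (substitute the values published for your cumulative update):
# Test-ExchangeADPreparation -ExpectedRangeUpper <rangeUpper> -ExpectedOrgObjectVersion <objectVersion>
# Get-ExchangeSystemObjectsVersion
```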
Graphical User Interface Setup
The simplest way to install Exchange Server 2016 is to use the graphical user interface (GUI). The GUI will be sufficient for most Exchange Server installations. We recommend first copying the Exchange Server 2016 installation files to the local hard disk or using a locally attached DVD from which to run the Exchange installation. Copying the Exchange binaries to the local hard disk will speed up the installation time.
As a best practice, you should download the latest cumulative update for Exchange 2016 and perform the installation from those files. Cumulative updates contain all of the files necessary to install Exchange 2016. This ensures that you have the latest files for setup and avoids the need to perform an update after installation. The publicly available cumulative updates can be used with volume licensing.
From the Exchange Server installation folder, run Setup.exe to see the initial setup screen, which will ask you if you want to check for updates. If you say yes, Setup will check the Microsoft website to see if a more recent Cumulative Update is available.
After the Check for Updates page, Setup will copy files, prepare resources, and then display the Microsoft Exchange Server 2016 Setup Wizard's introduction page. Click Next to proceed. On the next page, you will see the License Agreement screen. Select the I Accept The Terms In The License Agreement radio button and then click Next.
The fourth page of the Setup Wizard is titled Recommended Settings. Here you can specify whether you want to enable error reporting and participate in the Customer Experience Improvement Program (CEIP).
Enabling error reporting will allow Exchange to check online for solutions to errors and send reports of problems automatically to Microsoft. The server will send information back to Microsoft via HTTPS; this information may prove valuable for Microsoft in identifying errors in their software. Passing along this information also provides you (the customer) with good value because it means that Microsoft can more quickly identify bugs and software issues. The report sent back to Microsoft usually does not contain any information specific to your organization or to your server, but some organizations' Information Security departments will want you to block this anyway. If you are concerned about this, select Don't Use Recommended Settings. You can read more about the Microsoft Online Crash Analysis program, as well as Microsoft's privacy statement and what information might be collected, at http://oca.microsoft.com/en/dcp20.asp.
If you participate in the Microsoft Customer Experience Improvement Program, the server will periodically upload usage and configuration data that helps Microsoft when designing future versions of Exchange Server. The program is completely anonymous and will not be used to gather information about your organization. We recommend participating in the program, but this is a decision that each person installing Exchange must make. For more information on the CEIP, visit:
www.microsoft.com/products/ceip/en-us/default.mspx
Selecting Use Recommended Settings will enable both error reporting and participation in the CEIP. Selecting Don't Use Recommended Settings will disable both error reporting and participation in the CEIP. These settings can be changed later and managed individually after the installation has completed. When you have made your choice, click Next.
The next page on the wizard is the Server Role Selection screen (Figure 10.3). Here, you specify whether you want to install the Mailbox role, Management tools, or Edge Transport role. You can select only the Management tools if you want to configure the tools on a management workstation. When you select either Mailbox role or Edge Transport role, the Management tools are automatically selected also.
Figure 10.3 The Server Role Selection screen
On this page, there is also an option to allow Windows to automatically install Windows Server roles and features that are required to install Exchange Server. Keep in mind, this will not guarantee that all software prerequisites are installed—just the ones that are a part of the native operating system. If you do choose to use this option, it is possible that you will need to reboot the server to complete the installation of some of the Windows features before Setup can proceed with the installation of Exchange.
Ensure Success by Installing Components Manually
The option Automatically Install Windows Server Roles And Features That Are Required To Install Exchange Server might require several restarts to finish the setup process. In order to save yourself some time and ensure a successful installation on the first try, a better option might be to install the required components manually beforehand using PowerShell. This is also useful when creating a standard operating system image for deploying Exchange Server 2016. Microsoft has made things easy by publishing the PowerShell syntax to install the required components on the following URL:
http://technet.microsoft.com/en-us/library/bb691354(v=exchg.160).aspx
For example, to install the operating system prerequisites for a Windows Server 2012 or Windows Server 2012 R2 computer that will have the Mailbox role installed, you would run the following command:
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
After deploying the necessary Windows Server roles and features, you need to install .NET Framework 4.5.2 and Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit. The Microsoft web page with prerequisites provides links to these items.
The next page in the Setup Wizard is the Installation Space And Location screen,
where you can choose the installation path for the Exchange program files. Once you
select an installation path for the Exchange program files, Setup will provide a
comparison of the amount of disk space required to the amount that is currently
available. The amount required will depend on which roles you chose to install on the
previous screen.

When specifying a path for the Exchange program files, remember that by default this
is where all Exchange databases and log files will be stored. Most of these you can
(and should) move after the installation, but you want to make sure that the volume
on which the Exchange program files are stored has at least 30 GB of free space.

Consider Drive Space on C:

If you install Exchange 2016 in the default location of the C: drive, you need to
ensure that there is enough space available on the C: drive. Many organizations
do not allocate enough space for the C: drive and later need to either expand it or
move files. This is particularly true in virtualized environments where disk size is
intentionally kept small.

During an Exchange 2016 installation, only about 9 GB of data is copied to the
install location. However, there are several features that use additional space:

- Mailbox databases. The default location for mailbox databases is the
  Exchange installation directory. You should store mailbox databases and their
  logs on dedicated drives.
- Exchange Server diagnostic logs. Exchange Server is constantly
  performing internal diagnostics and keeps logs of the results. These logs are
  stored in the Exchange installation directory and cannot be moved.
- Transport queues. The transport queues used by Exchange server for mail
  delivery are located in the Exchange installation directory by default. On a
  busy server, the database holding these queues can grow very large and never
  shrinks automatically. You can move mail.que and the associated log files to a
  different location after installation.
- IIS log files. By default, IIS log files are stored in C:\inetpub\logs. There is
  no automated mechanism to remove logs after a period of time. You should
  create a scheduled task to remove older log files or change the location of log
  files to a different drive.
- Transport logs. Exchange has various transport logs that you can use for
  troubleshooting. These include message tracking logs, protocol logs, and
  others. These logs can be managed with maximum age and maximum
  directory size settings by using the Set-TransportService cmdlet.

As a best practice, you should install Exchange Server 2016 on a drive other than
the C: drive. This makes it easier to manage drive space in the long run.
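
One way to build the scheduled task for IIS logs mentioned in the list above, as an added example that is not from the book: the script removes (or, with -ArchivePath, moves) logs older than a retention period and can register itself as a daily task. The 30-day retention, the 02:00 start time, the task name and the -ArchivePath parameter are assumptions; IIS logs record client access to the server, so set the retention to what your investigation and audit requirements call for.

```powershell
# Added example, not from the book. Save as a script file in a folder that only
# administrators can write to (the task runs it as SYSTEM), then run it once with
# -RegisterTask to schedule the daily cleanup. The script must satisfy the
# server's PowerShell execution policy.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string] $LogRoot       = 'C:\inetpub\logs',  # default IIS log location named above
    [int]    $RetentionDays = 30,                 # assumed retention period
    [string] $ArchivePath,                        # optional: move old logs here instead of deleting
    [switch] $RegisterTask                        # register the daily task and exit
)

if ($RetentionDays -lt 1) { throw 'RetentionDays must be at least 1.' }

if ($RegisterTask) {
    # Re-invoke this same script every night with the settings given now.
    $arguments = '-NoProfile -File "{0}" -LogRoot "{1}" -RetentionDays {2}' -f `
        $PSCommandPath, $LogRoot, $RetentionDays
    if ($ArchivePath) { $arguments += ' -ArchivePath "{0}"' -f $ArchivePath }

    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments
    $trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Purge old IIS logs' -Action $action `
        -Trigger $trigger -Principal $principal
    return
}

# Select log files last written before the cutoff date.
$cutoff = (Get-Date).AddDays(-$RetentionDays)
$old = @(Get-ChildItem -Path $LogRoot -Recurse -File -Filter '*.log' |
         Where-Object { $_.LastWriteTime -lt $cutoff })

$freed = 0
foreach ($file in $old) {
    if ($ArchivePath) {
        # Keep the per-site folder name (for example W3SVC1) in the archive.
        $dest = Join-Path $ArchivePath $file.Directory.Name
        if ($PSCmdlet.ShouldProcess($file.FullName, "Move to $dest")) {
            New-Item -ItemType Directory -Path $dest -Force | Out-Null
            Move-Item -LiteralPath $file.FullName -Destination $dest -Force
            $freed += $file.Length
        }
    }
    elseif ($PSCmdlet.ShouldProcess($file.FullName, 'Delete')) {
        Remove-Item -LiteralPath $file.FullName -Force
        $freed += $file.Length
    }
}

'{0} log files older than {1:yyyy-MM-dd} found under {2}; {3:N1} MB freed' -f `
    $old.Count, $cutoff, $LogRoot, ($freed / 1MB)
```

Run the script with -WhatIf first to list what it would remove without touching any file.
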
If Active Directory has not already been prepared and this is the first Exchange Server,
then the Exchange Organization screen is displayed. On this screen, you can enter the
name of the Exchange Organization. You can also choose to enable the Active
Directory split-permissions security model. This security model is typically used only
by large organizations that need to split the management of Active Directory and
Exchange. Next, the Malware Protection Settings screen provides the administrator
with the ability to disable malware scanning on the Mailbox server role. You might
want to do this if you are using a third-party product to handle message hygiene on
the server. This setting can also be changed later, after Exchange is installed.

The last screen analyzes all of the selections you have made and uses that information
to determine if the server has all of the software prerequisites necessary to proceed
with the Exchange installation. If required Windows roles or features are missing and
you opted to have Setup install them, it will do so now. If you did not opt to have
Setup install them, it will notify you so that you can take the necessary action. If you
find anything about the configuration that should be changed, you must resolve those
matters before continuing.

One of the nice things about the Microsoft Exchange Server 2016 Setup Wizard is that
if it detects a missing component or something that must be done prior to starting the
Exchange setup, you can fix the issue and then click the Retry button. The Setup
program will recheck the prerequisites and pick up where it left off.

Once the prerequisites have all been met and the readiness check is complete, you
must click the Install button to initiate the installation. What you observe on the
screen after clicking the Install button will depend on which server roles you opted to
install and whether you took previous steps to prepare Active Directory manually or
are allowing Setup to do it for you. If this is the first time you are installing Exchange
Server 2016 in your environment, you are installing the Mailbox server role, and you
are allowing Setup to handle the Active Directory preparations, then you will see a
total of 15 steps in a successful installation.

Don't be alarmed if the Setup process appears to be hung during installation. This can
be normal, particularly during step 8 (Mailbox role: Transport service). As long as
Setup does not return errors or explicitly state that it has failed, be patient. You can
also check ExchangeSetup.log located in c:\ExchangeSetupLogs for more details about
what Setup is doing at any given time.

You can also review ExchangeSetup.log to verify that setup completed properly. After
setup is complete, you can use the Get-ExchangeServer cmdlet to verify that the new
Exchange server has been installed.

Command-Line Setup

The Exchange Server 2016 Setup program includes a powerful set of command-line
options that can help you automate an Exchange server setup or perform custom
setup options that you could not do through the GUI. The command-line setup
options are broken into six categories:

- Installing Exchange server roles
- Removing Exchange server roles
- Recovering an existing Exchange server
- Preparing Active Directory to support Exchange
- Creating delegated or pre-provisioned servers
- Adding or removing Unified Messaging language packs

For all of these options, you run the same setup.exe program that you use for
launching the GUI.

The Usefulness of Command-Line Installations

A lot of Exchange administrators wonder why the command-line setup options
even exist since the graphical user interface is so easy to use and has most of the
same options. Consider the case of an organization that is installing 30 Mailbox
servers.

Due to the organization's requirements for certifying a production IT system, all
server builds have to be thoroughly documented prior to being deployed. By
generating the installation scripts ahead of time, their Exchange team can ensure
that each server is built exactly to the design specifications and with the necessary
options. This speeds up the overall installation and ensures that nothing is
overlooked.

Command-Line Installation Options

By and large, the server role installation options are probably the most useful for a
typical person installing or configuring Exchange. They are certainly the most
numerous. Some of these setup.exe options have required parameters. For example, if
you use the /mode:install option, you will have to specify which server role or roles
you are installing. Table 10.1 lists the command-line installation options in
alphabetical order.

Table 10.1 Exchange Server 2016 Command-Line Installation Options

Option | Optional (O) or Required (R) | Explanation
/ActiveDirectorySplitPermissions | O | Specifies whether to enable or disable the Active Directory split-permissions mode when preparing the Exchange organization. Disabled by default.
/AnswerFile | O | Allows you to specify a text file that contains answers to some of the advanced setup parameters.
/CustomerFeedbackEnabled | O | Configures Exchange Server to report usage information to Microsoft automatically. All server roles can use this information.
/DbFilePath | O | Specifies the path and name to the default database file. This is used in conjunction with the /Mdbname and the /LogFolderPath switches.
/DisableAMFiltering | O | Allows you to turn off malware scanning on the Mailbox role. Enabled by default.
/DomainController | O | Allows you to specify the NetBIOS name or the FQDN of a domain controller.
/DoNotStartTransport | O | Tells Setup not to allow the Transport service on a Hub Transport or Edge Transport server.
/EnableErrorReporting | O | Configures Exchange Server to report errors automatically to Microsoft. All server roles can use this option. The default is not to enable this feature.
/IAcceptExchangeServerLicenseTerms | R | Specifies that you understand and accept the terms of the Exchange Server license.
/InstallWindowsComponents | O | Allows you to have Setup automatically install any required Windows roles or features.
/LogFolderPath | O | Specifies the path for the log files for the default database when installing a Mailbox server role.
/Mdbname | O | Specifies the name of the default mailbox database when installing a Mailbox server.
/mode or /m | R | Specifies whether the Setup program is installing a new role or removing it. Valid options are as follows: /mode:install, /mode:uninstall, /mode:upgrade
/OrganizationName | O | Allows you to specify an organization name; this is necessary only if this is the first server being installed in the Active Directory forest and the /PrepareAD step has not previously been done.
/role or /r | R | Specifies which roles are being installed. These are the valid role types: Mailbox, mb; ManagementTools, mt, t; EdgeTransport, et
/SourceDir | O | Specifies the location for the Exchange installation files.
/TargetDir | O | Allows you to specify an optional path for the Exchange program files rather than the default location on the C:\ drive.
/TenantOrganizationConfig | O | Specifies the path to the file that contains configuration data about your Office 365 tenant. This file is created by running the ExportOrganizationConfig cmdlet in your Office 365 tenant.
/UpdatesDir | O | Specifies a path to a directory that contains updates that should be applied as a part of the installation process.

Abbreviations and Shortcuts

Most of the command-line switches and options have a long and short option. For
example, the following three commands accomplish exactly the same thing
(installing the Mailbox role):

setup /m:install /r:mb
setup /m:install /r:Mailbox

In this chapter, we have chosen to spell out the options completely to more
clearly illustrate the commands and in the hope that you will remember them
more easily. However, once you learn the long version of the options, you will
probably find it easier to use the shorter versions. They are just a bit cryptic when
you are learning.
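
The practice described under "The Usefulness of Command-Line Installations", generating each server's install command ahead of time, could look like the following added example, which is not from the book. It assembles a Mailbox role command from the Table 10.1 switches and rejects a build sheet that omits the required license switch or places files on C:; the function name, server names, drive letters and paths are constructed for illustration.

```powershell
# Added example, not from the book. It only generates command lines for the build
# documentation; it does not start Setup. All names and paths are constructed.
function New-ExchangeSetupCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TargetDir,      # /TargetDir
        [Parameter(Mandatory)] [string] $MdbName,        # /Mdbname
        [Parameter(Mandatory)] [string] $DbFilePath,     # /DbFilePath (path and file name)
        [Parameter(Mandatory)] [string] $LogFolderPath,  # /LogFolderPath
        [string] $DomainController,                      # /DomainController (optional)
        [switch] $AcceptLicense
    )

    # /IAcceptExchangeServerLicenseTerms is marked Required in Table 10.1; make the
    # build author state it explicitly instead of adding it silently.
    if (-not $AcceptLicense) {
        throw 'Pass -AcceptLicense: /IAcceptExchangeServerLicenseTerms is required.'
    }
    if ([IO.Path]::GetExtension($DbFilePath) -ne '.edb') {
        throw "/DbFilePath must name the database file (*.edb): $DbFilePath"
    }
    foreach ($path in $TargetDir, $DbFilePath, $LogFolderPath) {
        if (-not [IO.Path]::IsPathRooted($path)) { throw "Not an absolute path: $path" }
        # Policy taken from the chapter's best practice: nothing goes on C:.
        if ([IO.Path]::GetPathRoot($path) -ieq 'C:\') {
            throw "Keep Exchange files off the C: drive: $path"
        }
    }

    # Databases and logs belong on dedicated drives, not next to the program files.
    $dataRoots = [IO.Path]::GetPathRoot($DbFilePath), [IO.Path]::GetPathRoot($LogFolderPath)
    if ($dataRoots -contains [IO.Path]::GetPathRoot($TargetDir)) {
        Write-Warning "Database or logs share a volume with the program files ($TargetDir)."
    }

    $parts = @(
        'Setup.exe'
        '/mode:Install'
        '/role:Mailbox'
        '/IAcceptExchangeServerLicenseTerms'
        ('/TargetDir:"{0}"' -f $TargetDir)
        ('/Mdbname:"{0}"' -f $MdbName)
        ('/DbFilePath:"{0}"' -f $DbFilePath)
        ('/LogFolderPath:"{0}"' -f $LogFolderPath)
    )
    if ($DomainController) { $parts += "/DomainController:$DomainController" }
    $parts -join ' '
}

# Constructed build sheet for two Mailbox servers.
$servers = @(
    @{ Name = 'MBX01'; Mdb = 'DB01' }
    @{ Name = 'MBX02'; Mdb = 'DB02' }
)
foreach ($server in $servers) {
    $command = New-ExchangeSetupCommand -AcceptLicense `
        -TargetDir 'D:\Exchange' -MdbName $server.Mdb `
        -DbFilePath ('E:\{0}\{0}.edb' -f $server.Mdb) `
        -LogFolderPath ('F:\{0}' -f $server.Mdb)
    '{0}: {1}' -f $server.Name, $command
}
```
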

Command-Line Server-Recovery Options

There may come a time when you have to recover an Exchange server from a backup.
This process will involve rebuilding the Windows server (with the same updates and
disk layout) and then reinstalling Exchange Server using the RecoverServer mode.
This option will read most of the configuration of the server from the Active Directory
rather than installing the server from scratch. Several options are available when
recovering a server, as shown in Table 10.2.

Table 10.2 Exchange Server 2016 Server-Recovery Setup Options

Option | Optional (O) or Required (R) | Explanation
/DomainController | O | Allows you to specify the NetBIOS name or the FQDN of a domain controller.
/DoNotStartTransport | O | Tells Setup to not allow the Transport service on a Hub Transport or Edge Transport server to start. This is useful during a recovery if you do not want messages to start flowing until you are sure the server is fully recovered.
/EnableErrorReporting | O | Configures Exchange Server to report errors automatically to Microsoft. All server roles can use this option. The default is set to not enable this feature.
/IAcceptExchangeServerLicenseTerms | R | Specifies that you understand and accept the terms of the Exchange Server license.
/mode:RecoverServer | R | Specifies that the installation mode is to be the RecoverServer option.
/TargetDir | O | Allows you to specify an optional path for the Exchange program files rather than the default location on the C:\ drive.
/UpdatesDir | O | Specifies a path to look for updates after the installation is completed.

Command-Line Delegated Server Installation

In some large organizations, the person who is installing the Exchange servers may
not have an account with sufficient Active Directory permissions to create the server
objects in the Active Directory. For this reason, someone else may have to create the
necessary server objects, and the installer can then set up the servers.

This is where the delegated server installation is handy. The person with the necessary
rights to set up the servers can “prestage” the servers in the Active Directory directory.
Table 10.3 shows a list of the options available for delegated server setup.

Table 10.3 Exchange Server 2016 Delegated Setup Options

Option | Optional (O) or Required (R) | Explanation
/IAcceptExchangeServerLicenseTerms | R | Specifies that you understand and accept the terms of the Exchange Server license.
/NewProvisionedServer or /nprs | O | Creates a new provisioned server with the name specified on the command line, such as this: Setup.exe /NewProvisionedServer:HNLMBX
/RemoveProvisionedServer or /rprs | O | Removes a server that was previously configured with the /NewProvisionedServer option.

Installing Language Packs

If you are supporting an Exchange 2016 server for only English-speaking users and
administrators, you do not need to worry about installing additional language packs.
Exchange Server 2016 automatically includes native support for the U.S. English
(en-US) messaging language pack (and it can't be removed), as well as many other
languages. For a full list of languages supported by default from both the server and
client, please refer to this URL:
http://technet.microsoft.com/en-us/library/dd298152.aspx

Depending on the cultural diversity of your environment and users, you should know
how to install additional Unified Messaging language packs.

Table 10.4 shows the valid options for installing Unified Messaging language packs.
Note that the Unified Messaging language pack options are available only on servers
that already have the Mailbox role installed.

Table 10.4 Exchange Server 2016 Language Pack Options

Option | Optional (O) or Required (R) | Explanation
/AddUmLanguagePack | R | Adds the specified Unified Messaging language pack. You must specify the language pack name that you want to install; for French, you would use this command: Setup /AddUmLanguagePack:fr-fr. Not required if /RemoveUmLanguagePack is used.
/IAcceptExchangeServerLicenseTerms | R | Specifies that you understand and accept the terms of the Exchange Server license.
/RemoveUmLanguagePack | R | Removes the specified Unified Messaging language pack. Not required if /AddUmLanguagePack is used.
/SourceDir | O | Specifies the source folder for the Unified Messaging language pack.
/UpdatesDir | O | Specifies the path for updates for the Unified Messaging language pack.

Removing Exchange Server

Understanding how to remove an Exchange server is as important as understanding
how to install Exchange Server. If you don't remove an Exchange server properly,
some Active Directory objects are left behind, which will generate errors in event logs
and can cause performance problems.

Removing an Exchange server is not difficult, but it needs to be done in an orderly way
by uninstalling Exchange Server from the server. You can uninstall by using the
graphical interface or the command-line interface, but a proper uninstall needs to be
done. The uninstall process removes all Active Directory references to the server. If
the uninstall process finds active components such as a mailbox database, you are
presented with an error message indicating why removal cannot proceed.

If an Exchange server fails and you decide you no longer need that specific server, the
only supported process for properly removing it is to first recover it, and then
uninstall Exchange Server. However, if you do a quick Internet search, you'll find that
many people reference cleaning up a failed Exchange server by using ADSI Edit in the
Configuration partition. Just be aware that this is definitely not supported by
Microsoft.

The Bottom Line

Implement important steps before installing Exchange Server 2016. One
of the things that slows down an Exchange Server installation is finding out you
are missing some specific Windows component, feature, or role. Reviewing the
necessary software and configuration components will keep your installation
moving along smoothly.

The minimum requirements for the Mailbox server role are at least 30 GB of free
space and 8 GB of RAM. However, you need to calculate the proper hardware
requirements for your implementation. Ensure that you are using Windows
Server 2012 or Windows Server 2012 R2 with the most recent updates. Install the
Windows Server roles and features necessary for the Exchange server's role
requirements.

Master It You are working with your Active Directory team to ensure that the
Active Directory is ready to support Exchange Server 2016. What are the
minimum prerequisites that your Active Directory must meet in order to
support Exchange Server 2016?

Prepare the Active Directory forest for Exchange Server 2016 without
actually installing Exchange Server. In some organizations, the Exchange
administrator or installer may not have the necessary Active Directory rights to
prepare the Active Directory schema, the forest, or a child domain. Here is a
breakdown of the steps involved and the associated group membership
requirements to complete each:

- Running the Exchange Server 2016 setup.exe program from the command line
  with the /PrepareSchema option allows the schema to be prepared without
  installing Exchange. A user account that is a member of the Schema Admins
  group is necessary to extend the Active Directory schema.
- Running the Exchange Server 2016 setup.exe program from the command line
  with the /PrepareAD option allows the forest root domain and the Active
  Directory configuration partition to be prepared without installing Exchange. A
  user account that is a member of the Enterprise Admins group is necessary to
  make all the changes and updates necessary in the forest root. When preparing
  a child domain, a member of the Enterprise Admins group or the child domain's
  Domain Admins group may be used.

Master It You have provided the Exchange 2016 installation binaries to your
Active Directory team so that the forest administrator can extend the Active
Directory schema. She wants to know what she must do in order to extend only
the schema to support Exchange Server 2016. What must she do?

Employ the graphical user interface to install Exchange Server 2016. The
graphical user interface can be used for most Exchange Server installations that do
not require specialized prestaging or nonstandard options. The GUI will provide all
the necessary configuration steps, including Active Directory preparation.

The GUI allows you to install the Mailbox or Edge Transport roles on a server.

Master It You are implementing Exchange Server 2016 for a large organization
with strict security requirements. You want to implement the Active Directory
split-permissions security model to ensure that Exchange administrators and
Active Directory administrators have separate sets of permissions. When you
use the GUI to install Exchange Server 2016, this option is not available. Why is
this option not available?

Determine the command-line options available when installing
Exchange. The Exchange 2016 command-line installation program has a robust
set of features that allow all installation options to be chosen from the command
line exactly as if you were installing Exchange Server 2016 using the graphical user
interface.

Master It You are attempting to use the command line to install an Exchange
Server 2016 Mailbox server role. What is the proper command-line syntax to
install this role?

Chapter 11
Upgrades and Migrations to Exchange Server 2016 or Office 365

Exchange Server is the de facto standard for business email systems. It is rare to find a
large business that does not use Exchange Server. Very few businesses upgrade an
email system immediately upon the release of a new version. In fact, many stick with
older versions as long as they can. However, at some point businesses need to update
Exchange Server to a newer version or consider migrating to Office 365.

You need to know how to move from an older version of Exchange Server to Exchange
Server 2016 or Office 365. Depending on the software you have used in the past, you
may be used to in-place upgrades, where you have an existing version of the software
on a computer, run the installer, and end up with the new version of the software.
However, there is no in-place upgrade path for organizations migrating to Exchange
Server 2016.

This absence may seem to complicate life, but it actually simplifies the migration path
from a legacy version of Exchange Server. Using new Exchange servers means that
they are more stable, and it will ease interoperability during the migration.

IN THIS CHAPTER, YOU WILL LEARN TO:

- Choose between an upgrade and a migration
- Choose between on-premises deployment and Office 365
- Determine the factors you need to consider before upgrading
- Understand coexistence with legacy Exchange servers
- Perform a cross-forest migration

Upgrades, Migrations, Cross-Forest Migrations, and Deployments

Let's take a moment to clear up matters of terminology. Through the release of
Exchange Server 2003, it was possible to upgrade from one major Exchange Server
version to the next—on the same server. Since that time, every major version of
Exchange Server has required deployment to new servers and migration of the data
from the old servers to the new servers. Some Microsoft documentation (and lots of
other documentation as well) makes a strong distinction between upgrade and
migration because of this. That distinction no longer makes any difference. Every
Exchange Server upgrade is a migration.

However, when your upgrade involves movement between an existing Exchange
Server organization and a new Exchange Server organization, you'll see upgrades
referred to as inter-organizational migrations, cross-forest migrations, or
transitions. The terms are interchangeable.

There are two variations you need to know: deployment (in which Exchange Server
does not connect to Office 365) and hybrid deployment (which occurs when you
configure your Exchange Server organization to reside both on-premises and in Office
365).

Finally, when we refer to moving data between organizations, we will explicitly say
migration strategy. This helps us be clear and stay consistent with the documentation
provided for Exchange Server 2016.

Factors to Consider before Upgrading

Are you ready to upgrade? Not so fast! Before you pull the trigger and double-click
setup.exe from the Exchange Server 2016 installation media, you must take into
account a number of factors. Let's take some time to go over them in more detail so
that your upgrade is successful.

Prerequisites

Before you can begin upgrading your Exchange Server organization, you have to
ensure that the organization meets the prerequisites. We've gone over some of them
in previous chapters from the context of a fresh installation of Exchange Server 2016,
but let's look at them again, this time keeping in mind how your existing Exchange
Server organization may affect your ability to meet those prerequisites.

Hardware and Operating System

Exchange Server 2016 is available only in a 64-bit version. This means it must run on
a 64-bit operating system that is running on 64-bit hardware. The 64-bit hardware
must conform to x64 (also known as x86-64) specifications.

Since the operating systems supported by Exchange Server 2016 are available only in
64-bit versions, that does simplify the choices. Do be aware that Exchange Server 2016
does not support the use of Server Core mode in Windows Server. Windows Server
2016 also includes an even smaller mode named Nano Server that is not supported.
You must use the full GUI mode operating system.

All modern processors are multicore processors, and Exchange Server 2016 takes full
advantage of this. When you calculate the hardware requirements for Exchange Server
2016 by using the Exchange Requirements calculator, the calculator identifies the
number of cores required rather than the number of processors required. When using
Windows Server 2012 or Windows Server 2012 R2, the licensing is based on
processors rather than cores. So, it is to your advantage to have more cores when
possible. However, no more than 24 cores is recommended. Also, remember that you
should use the Exchange Server Role Requirements Calculator to identify the
requirements for your deployment.

You can run Exchange Server 2016 on any edition of Windows Server 2012 or any
edition of Windows Server 2012 R2. This means that to reuse existing server
hardware, you must have at least one spare server and be prepared to reinstall
Windows Server and Exchange Server on your servers as you go. We discuss this topic
in more detail in the section, “An Overview of the Upgrade Process,” later in this
chapter.

As of this writing Windows Server 2016 has not been released, but it is expected that
Windows Server 2016 will be a supported operating system for Exchange Server 2016.
Be aware that Microsoft has announced that Windows Server 2016 licensing is based
on cores. So, it may be to your advantage to get sufficient cores in your hardware
without maximizing the number of cores.

Active Directory

Because Exchange Server 2016 depends on Active Directory, you should take a good
look at the domain controllers and global catalog servers in your Active Directory
forest before starting the upgrade process.

Exchange Server 2016 requires all domain controllers that may be accessed by
Exchange Server 2016 to have a minimum operating system version of Windows
Server 2008. This includes the Schema Master domain controller (usually the first
domain controller installed in your Active Directory forest) and all global catalog
servers that will be used by Exchange Server 2016. If Exchange Server 2016 cannot
find domain controllers at the required versions, then installation fails.

Our recommendation is to upgrade all your domain controllers to at least Windows
Server 2008 R2. Windows Server 2008 and Windows Server 2008 R2 are both
supported until January 14, 2020, but Windows Server 2008 R2 has Active Directory
enhancements such as Active Directory Recycle Bin, which makes standardizing on
Windows Server 2008 R2 beneficial over Windows Server 2008. Best practice would
be for you to find a way to upgrade your infrastructure all the way to Windows Server
2012 R2.

Check the Health of Your Active Directory Site before Upgrading

It is extremely important that Active Directory be healthy before you upgrade to
Exchange Server 2016. Among other things, Exchange Server 2016 relies directly
on your Active Directory site structure for message-routing information. Most
configuration information for Exchange Server 2016 is stored in Active Directory.
If there are replication errors in Active Directory, you could see errors during the
upgrade process.

Whether you upgrade all your domain controllers or just the minimum number, you
need to prepare a list of all the Active Directory domains in which you will either
install Exchange Server 2016 or create Exchange Server 2016 recipient objects, such as
users, contacts, and distribution groups. For each of these domains, ensure that the
domain functional level is set to Windows Server 2008 or higher. The Active Directory
forest functional level must also be Windows Server 2008 or higher.

Exchange Server 2016 supports domain functional levels and forest functional levels
from Windows Server 2008 all the way to Windows Server 2012 R2. While Exchange
Server 2016 does not mandate that you move to higher domain and forest functional
levels, there are Active Directory benefits and features that are available if you do so. A
major one is the Active Directory Recycle Bin introduced in Windows Server 2008 R2.
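
The Active Directory prerequisites and the replication health check described above can be verified in one read-only pass before Setup is run. The script below is an added example, not from the book; it assumes the RSAT Active Directory module on Windows Server 2012 or later (needed for Get-ADReplicationFailure), and the New-Finding helper and the report layout are hypothetical.

```powershell
# Added example, not from the book. Reads Active Directory only; changes nothing.
Import-Module ActiveDirectory

# Functional levels the chapter lists as supported: Windows Server 2008 to 2012 R2.
$supportedLevel = '^Windows(2008|2008R2|2012|2012R2)(Forest|Domain)$'
# Windows Server 2008 reports operating system version 6.0.
$minDcVersion = [version]'6.0'

function New-Finding {
    param([string]$Check, [string]$Target, [string]$Value, [bool]$Pass)
    [pscustomobject]@{ Check = $Check; Target = $Target; Value = $Value; Pass = $Pass }
}

$forest   = Get-ADForest
$findings = @()
$findings += New-Finding 'Forest functional level' $forest.Name $forest.ForestMode `
    ("$($forest.ForestMode)" -match $supportedLevel)

# Every domain in the forest is checked here; narrow $forest.Domains to the domains
# that will hold Exchange servers or recipients if you only need the minimum.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName -Server $domainName
    $findings += New-Finding 'Domain functional level' $domainName $domain.DomainMode `
        ("$($domain.DomainMode)" -match $supportedLevel)

    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        # OperatingSystemVersion looks like "6.1 (7601)"; compare the major.minor part.
        $pass = $false
        if ($dc.OperatingSystemVersion -match '^(\d+\.\d+)') {
            $pass = [version]$Matches[1] -ge $minDcVersion
        }
        # Label the roles the chapter singles out: schema master and global catalogs.
        $role = 'Domain controller OS'
        if ($dc.IsGlobalCatalog) { $role = 'Global catalog OS' }
        if ($dc.HostName -eq $forest.SchemaMaster) { $role = 'Schema master OS' }

        $findings += New-Finding $role $dc.HostName `
            "$($dc.OperatingSystem) [$($dc.OperatingSystemVersion)]" $pass
    }
}

# Replication failures anywhere in the forest count against readiness.
$failures = @(Get-ADReplicationFailure -Target $forest.Name -Scope Forest |
              Where-Object { $_.FailureCount -gt 0 })
$findings += New-Finding 'AD replication failures' $forest.Name $failures.Count `
    ($failures.Count -eq 0)

$findings | Sort-Object Pass, Check | Format-Table -AutoSize
$failures | Select-Object Server, Partner, FailureCount, LastError | Format-Table -AutoSize

if ($findings.Pass -contains $false) {
    Write-Warning 'At least one Active Directory prerequisite is not met; resolve it before running Setup.'
}
```
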

Exchange Server performance is directly impacted by Active Directory performance.
Therefore, it is important for your domain controllers to perform well. Performance
for your domain controllers is enhanced when your domain controllers have enough
memory to load the entirety of your Active Directory database (NTDS.DIT) into
memory. Also be aware of other applications that are using Active Directory and might
impact domain controller performance. Review the current performance of your
domain controllers as part of the upgrade planning process.

Technically, installing Exchange Server on a domain controller is supported (although
it must be a global catalog server). However, doing so is not recommended. Exchange
Server and its ancillary services consume most of the memory available on any server
where Exchange Server is installed. This can have a significant negative impact on
Active Directory performance. Also, restoring such a combination server, in the event
of a catastrophic failure of the server, is much more difficult than restoring a server
with just Active Directory or just Exchange Server.

Exchange Server 2016 and DCPROMO

DCPROMO is a part of Active Directory Domain Services (before Windows Server
2012) used either to promote a computer to be a domain controller or to demote a
computer from being a domain controller to a normal member computer. After
Exchange Server is installed, changing the domain controller status of the
computer is not supported. That is, you may not promote the computer to a
domain controller or demote the computer from being a domain controller with
Exchange Server installed. It will break Exchange Server. Don't do it.

Legacy Exchange

In order to upgrade to Exchange Server 2016 in your current Exchange Server
organization, your existing Exchange Server environment must meet certain
minimum requirements.

If you have Exchange Server 2010 servers in your organization, they must be upgraded
to a minimum of Exchange Server 2010 Service Pack 3 with Update Rollup 11. This
includes Edge Transport servers. If you have Exchange Server 2013 servers in your
organization, they must be upgraded to a minimum of Exchange Server 2013
Cumulative Update 10. This also includes Edge Transport servers. If you have both
Exchange Server 2010 and Exchange Server 2013 servers in your organization, the
same minimums apply.

Hybrid Deployments

In a hybrid scenario, some part of your Exchange Server organization is on-premises
and another part is in Office 365. For a hybrid deployment, your on-premises
Exchange servers must be updated to the same minimum versions as described in the
previous section, “Legacy Exchange.” This is because Exchange Online in Office 365 is
effectively Exchange Server 2016. When you investigate hybrid deployments, you will
see the term hybrid server. However, there is no specific server role for a hybrid
server. A hybrid server is just an Exchange server that communicates with Office 365
for mail routing and integration of free/busy information. In most cases, the same
servers that provide client access for Internet users are also your hybrid servers.

Hybrid mode can be implemented with Exchange Server 2010 or later. However, if
your Exchange organization has multiple versions of Exchange, then only the most
recent version of Exchange is supported for the Hybrid mode servers. So, if you have a
mix of Exchange Server 2010 and Exchange Server 2016, the hybrid servers must be
Exchange Server 2016.

Office 365 Plans Supporting Hybrid Deployments

Any Office 365 plan that supports directory synchronization can be used for
Hybrid mode. This includes business, enterprise, academic, and charity plans. You
may find some references to business plans not supporting Hybrid mode, but
those references are for older business plans that were hosted separate from
enterprise plans. Office 365 tenants can now have a mix of business and
enterprise licenses.

Office 365 for Education

Microsoft provides Office 365—for academic environments—for free. This is a
so-called basic experience. It includes Exchange Online, Skype for Business,
SharePoint Online, and Office Web Apps, and is currently known as plan A2.
There is also a plan for Alumni, which is also free, that includes only Exchange
Online.

Plans with more feature content are available for nominal fees, including Office
ProPlus, home-use rights for five PCs, Exchange voicemail, Exchange archiving,
Access, Excel, Infopath, and others.

These plans are discussed at https://products.office.com/en-us/academic/office365-education-plan.
If the URL disappears, you can search for “Office 365 education” at www.microsoft.com.

To simplify sign-in for Office 365 users, you should ensure that the user principal
name (UPN) for users matches their email address. Authentication to Office 365 is
done by using the UPN, and it is confusing for users to remember two items that look
like email addresses. It will also enable you to deploy single sign-on (SSO) by using
Active Directory Federation Services (AD FS) if desired.
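
To see which accounts would sign in to Office 365 with a UPN that differs from their email address, a read-only report such as the following can be run before directory synchronization is configured. It is an added example, not from the book; the function name, the Status labels and the optional -SearchBase parameter are assumptions, and it requires the RSAT Active Directory module.

```powershell
# Added example, not from the book. Reads Active Directory only; changes nothing.
Import-Module ActiveDirectory

function Get-UpnMailStatus {
    param(
        [string] $SearchBase   # optional OU distinguished name to limit the search
    )

    # Enabled accounts that have an email address stamped on them.
    $query = @{
        Filter     = 'Enabled -eq $true -and mail -like "*"'
        Properties = 'mail', 'proxyAddresses'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $user = $_
        $upn  = $user.UserPrincipalName

        # Secondary addresses are the lowercase "smtp:" entries in proxyAddresses;
        # the primary address carries an uppercase "SMTP:" prefix.
        $secondary = @($user.proxyAddresses |
            Where-Object { $_ -clike 'smtp:*' } |
            ForEach-Object { $_.Substring(5) })

        if (-not $upn) {
            $status = 'NoUpn'
        }
        elseif ($upn -ieq $user.mail) {
            $status = 'Match'
        }
        elseif ($secondary -icontains $upn) {
            # The UPN is a valid address for the mailbox, but not the one users know.
            $status = 'MatchesSecondaryAddress'
        }
        else {
            $status = 'Mismatch'
        }

        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            UserPrincipalName = $upn
            Mail              = $user.mail
            Status            = $status
        }
    }
}

$report = @(Get-UpnMailStatus)

# Summary first, then the accounts that need a UPN change before users sign in.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Match' } |
    Sort-Object Status, SamAccountName |
    Format-Table SamAccountName, UserPrincipalName, Mail, Status -AutoSize
```
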

You also need to install a directory synchronization tool between your on-premises
Active Directory and Office 365. Directory synchronization copies user and group
information from your on-premises Active Directory and makes it available to
Exchange Online in Office 365. This information is used to ensure that there is a
single, unified global address list (GAL) that includes on-premises and Office 365
mailboxes. It also synchronizes the information necessary for message routing.

Microsoft has provided several different tools for directory synchronization. The first
tool was DirSync, and many people still use DirSync as a generic term for the latest
version of the tool. The most recent directory synchronization tool is Microsoft Azure
Active Directory Connect (Azure AD Connect). To avoid needing to upgrade in the
future, ensure that you are installing the latest tool because older versions are still
available and some instructions provide links to older versions. All support for the
older versions ends on April 13, 2017. See
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-dirsync-deprecated/
for more information.

Choosing Your Strategy

Now that you are aware of the various preparations that must be completed to
upgrade Exchange Server, it is time to figure out how to do it. As we discussed earlier,
there are three options in front of us: upgrade, cross-forest migration, and hybrid
deployment.

Hybrid deployment is a special case because it involves first performing either an
upgrade or a migration and then integrating with Office 365. Because of that, we will
discuss upgrades and cross-forest migrations first and then return to discuss
integration with Office 365.

If you're like many readers, you probably have at least some preference for your
upgrade strategy already in mind. Before you set that choice in stone, though, read
through this section and see whether there are any surprises (good or bad) that might
allow you to address some aspect of the upgrade that you hadn't previously
considered. If, on the other hand, you're not sure which strategy would be best for
you, this section should give you enough information to begin making a well-informed
decision.

Let's start with an overview of how the two strategies stack up. Table 11.1 lists several
points of comparison between the cross-forest migration and upgrade strategies.
Table 11.1 Comparison of Exchange Server 2016 Upgrade Strategies
Point of Comparison: Tools
Cross-Forest Migration Strategy: You can perform this type of migration by using only
free Microsoft tools, such as the Active Directory Migration Tool and the mailbox move
functionality included in Exchange Server. There are also third-party tools available to
help simplify the migration process.
Upgrade Strategy: You can use the built-in tools in Exchange Server 2016 and Windows
Server to control all aspects of the upgrade, including building the new servers,
reconfiguring Active Directory, or moving mailbox data.
Point of Comparison: Hardware
Cross-Forest Migration Strategy: You will usually require a significant amount of new
hardware. You may not need to have a complete spare set of replacement hardware, but
you'll need enough to have the basic infrastructure of your new Exchange Server 2016
organization in place.
Upgrade Strategy: The hardware requirements for Exchange Server 2013 and Exchange
Server 2016 are approximately the same. However, Exchange Server 2016 requires
significantly more memory and processor cores than Exchange Server 2010. In most
cases, you will want to replace older hardware as part of your upgrade process. If the
servers are virtualized, just ensure that you've allocated the necessary resources for
the new virtual machines.
Point of Comparison: Active Directory and DNS
Cross-Forest Migration Strategy: You must create a new Active Directory forest.
Typically, this means that you cannot reuse the same Active Directory domain names
(although you will be able to share the same SMTP domain names).
Upgrade Strategy: You can utilize your existing Active Directory and DNS deployment;
however, you may need to upgrade your existing domain controllers and global catalogs
to meet the prerequisites.
Point of Comparison: User accounts
Cross-Forest Migration Strategy: You must move your user accounts to the new AD forest
or re-create them. In most cases, you also want to synchronize passwords from the old
accounts to the new accounts.
Upgrade Strategy: Your users will be able to use their existing accounts without any
changes.
Point of Comparison: Message routing
Cross-Forest Migration Strategy: Your SMTP domains must be split between your legacy
organization and your new organization; one of them must be configured to be
nonauthoritative and to route to the other. This configuration may need to change
during the course of the migration. Additionally, you must set up explicit external
SMTP connectors between the two organizations or play tricks with name resolution.
Upgrade Strategy: Your organization continues to be a single entity, with full
knowledge of all authoritative domains shared among all Exchange servers. Message flow
between organizations can be controlled by normal Send and Receive connectors along
with AD site links.
Point of Comparison: Outlook profiles
Cross-Forest Migration Strategy: You will need to either create new Outlook profiles
(manually or using the tools found in the matching version of the Microsoft Office
Resource Kit) or use third-party tools to migrate them over to the new organization.
This may cause loss of information, such as any personalizations made to Outlook.
Upgrade Strategy: As long as you keep the legacy mailbox servers up and running during
an appropriate transition phase, Outlook will transparently update your users’ profiles
to their new server the first time they open it after their mailbox is moved to
Exchange Server 2016.
For the most part, Table 11.1 speaks for itself; if any point requires more in-depth
discussion, we address it properly in the detailed sections that follow.
Cross-Forest Migration
From the overview given in Table 11.1, it may seem as if we have a grudge against
upgrading to Exchange Server 2016 by using the cross-forest migration strategy.
Although we have to admit it's not our favorite strategy, we'll hasten to say that
cross-forest migration offers possibilities that a normal upgrade doesn't offer:
• It is the only realistic way to consolidate two or more separate Exchange Server
organizations into a single organization. This kind of consolidation can happen as
the result of a major reorganization inside one company or a merger or acquisition.
• It allows you to set up a greenfield (a term used to denote the ideal state of
implementation) deployment of Exchange Server 2016. No matter how
conscientious you are as an admin, any real network is the product of a number of
design compromises. After a while, the weight of those compromises and
workarounds adds up; the design and structure of your network can reflect
imperatives and inputs that no longer exist, or are no longer relevant, in your
organization. Although there is some appeal to the idea of wiping the slate clean, it
is rarely worth the time and effort to do a cross-forest migration to do an Active
Directory cleanup.
• It permits you to move your Exchange servers out of your existing Active Directory
forest and establish them in their own forest. If you're in an environment that
separates administrative control between Active Directory and the Exchange Server
organization, having a separate forest for Exchange Server can make it a lot easier
to accomplish many of the day-to-day management tasks on your servers. (We
don't know about you, but we'd much prefer to have control of the OU structure
and Group Policy objects that affect our Exchange servers.) If the benefits of a
multiforest deployment outweigh the drawbacks, this configuration may improve
the efficiency of the split between directory/account administration and Exchange
Server administration.
• It gives you the chance to easily define new policies and procedures that apply
equally to everyone, from account provisioning to server-naming conventions.
With the importance of regulatory compliance and strong internal IT controls and
auditing rising on a daily basis, this can be a strong motivator.
• It allows you to perform additional configuration and testing of your new
organization before you move the bulk of your live data and users to it. Being able
to perform additional validation, perhaps with a pilot group of users, gives you
additional confidence in the strength of your design and affords you extra
opportunities to spot problems and correct them while you can.
Now that we've said that, we should point out that a cross-forest migration strategy
usually involves more work, more money, or both. Sometimes, though, it's what you
have to do.
Here's what a cross-forest migration might look like:
1. Deploy a new Active Directory forest and root domain, as well as any additional
domains. These will probably be named something different from the domains in
use in your current network so that you can operate in both environments (and
your users can as well). You could be using this forest as an Exchange Server
resource forest, or you could be moving all your servers and desktops as well.
Because cross-forest migrations don't happen overnight, you'll probably need some
sort of forest trust between your forests so that accounts and permissions will
work properly while the cross-forest migration is in progress. This step is outside
the scope of this book; for more information see: Mastering Microsoft Windows
Server 2012 R2 by Mark Minasi, et al. (Sybex, 2013).
2. Move a suitable set of user accounts to the new forest. Perhaps you're
concentrating on one site at one time to minimize confusion; if so, you need to
move each user account in the site to the corresponding site in the new Active
Directory forest. Again, this step is outside the scope of this book.
3. Install Windows Server 2012 R2 and Exchange Server 2016 on a suitable number
of servers to form the core of your new Exchange Server organization. You don't
need to have new servers for everything, but you usually should have at least a
site's worth of equipment on hand. You'll need to configure SMTP connectors
between the two organizations, and you must have some sort of directory
synchronization going on between the two forests. That way, as users get moved
into the new forest, each GAL is properly updated to ensure that internal mail is
delivered to the right Exchange Server organization.
4. Move the mailbox data for the site from the legacy Exchange servers to the new
Exchange Server 2016 servers. Update your users’ Outlook profiles so that they can
get to their mailboxes, and ensure that the GAL information is updated so that
mail follows these users to their new mailbox servers. Once everything is working,
you can remove the legacy Exchange servers from this site.
5. Don't forget that you may have to join your users’ desktops, as well as any other
Windows member servers (such as file/print, database, and web servers) to the
new forest if it isn't being used exclusively as an Exchange Server resource forest.
This step is outside the scope of this book.
6. Continue this process one site at a time until you've moved all your user accounts
and mailbox data into the new Exchange Server 2016 organization and have
decommissioned the remaining legacy Exchange servers.
Now you can see why we consider the cross-forest migration strategy to be the
labor-intensive route. You don't have the luxury of accepting your existing Active Directory
structure and accounts. Although you can move message data over to a new
organization, more effort is involved in making sure users’ profiles are properly
updated. Alternatively, you can rebuild your users’ profiles and accept some data loss.
You also have the additional worry of whether you need to move the desktop
machines into a new forest.
Remember that the Exchange team in your organization cannot arbitrarily decide to
create a new Active Directory forest and migrate user accounts without impacting
other services. Active Directory is a shared resource, and you need to work with other
teams to identify whether a new Active Directory forest is a good idea.
On the other hand, if you have an Active Directory deployment with serious structural
problems (whether through years of accumulation or the results of previous
mistakes), if you need to extract your Exchange servers into a separate Active
Directory resource forest, or if there is some other reason why upgrading your existing
organization isn't going to work for you, a cross-forest migration has a lot to offer.
Cross-forest migrations require you to keep track of a lot of details and separate types
of information. Although you can move all the important information—mailboxes,
public folders, GAL data—using the freely available Microsoft tools, you'll have a
harder time migrating some of the smaller details that aren't mission critical but
nonetheless can add up to a negative user experience if omitted. If their first
experience on the new messaging system is having to reconfigure Outlook with all
their preferences, users are going to be less than happy about the experience. The cost
of third-party tools may well prove to be a good investment that saves you time,
reduces complexity, and gains you the goodwill of your users.
Upgrading Your Exchange Organization
The process of upgrading your Exchange Server organization to Exchange Server 2016
resembles the process required to upgrade from previous versions of Exchange Server.
If you have experience in those particular upgrades, relax. All you're doing is moving
mailboxes and public folder information, so it's easy—well, as easy as these types of
projects get.
Let's take a closer look at the typical upgrade to Exchange Server 2016.
An Overview of the Upgrade Process
Whether you are upgrading from Exchange Server 2010 or Exchange Server 2013, the
overall upgrade process is the same. At a high level, you install Exchange Server 2016,
move mailboxes, and then remove the older Exchange servers. This process allows for
coexistence, and when done properly the only effect on users is a prompt to restart
Outlook when the mailbox move is completed. Because Exchange Server 2007 cannot
coexist with Exchange Server 2013, if you need to upgrade from Exchange Server
2007, you need to first do an upgrade to Exchange Server 2010 or Exchange Server
2013.
For all but the smallest organizations, multiple Exchange servers are used to provide
high availability. This requires load balancing for client access services and database
availability groups (DAGs) for mailbox databases. In most cases, you want to set up
the entire Exchange Server 2016 infrastructure and test the high-availability
infrastructure before moving mailboxes. For this reason, it is difficult to reuse existing
Exchange servers for an Exchange Server 2016 upgrade.
A typical upgrade process for a single site would look like this:
1. Use the latest version of the Exchange Requirements Calculator to identify
hardware requirements. Then purchase the required hardware and install it on
site.
2. Ensure that your organization meets all the prerequisites we discussed earlier. Run
the PrepareAD step of setup to upgrade the Active Directory forest schema with the
Exchange Server 2016 extensions and to create the proper objects in the forest and
the root domain.
3. If you have additional Active Directory domains in your forest, prepare each of
them by running the PrepareDomain step of setup or PrepareAllDomains.
4. Install all of the Exchange Server 2016 Mailbox servers. This includes
configuration of load balancing and database replication in the DAG.
5. Test mail flow and client access services on the new servers. To do this, create a
test mailbox and test all of the services, such as Outlook on the web, required by
your users. You should also do a test mailbox move.
6. Update external client access to use Exchange Server 2016. At this point, all
external client access will be proxied through Exchange Server 2016 to legacy
Exchange servers. Before making this change, test the proxying functionality.
Using the hosts file on a workstation can help with this process.
7. Update external mail to use Exchange Server 2016. Change the inbound mail flow
through your firewalls or antispam device to begin forwarding mail to Exchange
Server 2016. You'll also need to create a send connector that uses Exchange Server
2016 as the source for outbound messages.
8. Move mailboxes to Exchange Server 2016. As you move each mailbox, Outlook
automatically updates the profile to access the mailbox in Exchange Server
2016. If the user is in Outlook when the mailbox move is performed, the user will
be prompted to restart Outlook. Other clients such as ActiveSync do not need to be
updated because the external URL has already been redirected at the firewall.
9. After all of the mailboxes have been moved, you can remove the legacy Exchange
servers. Before removing legacy Exchange servers, verify that no applications or
devices such as scanners are still using them. Then uninstall Exchange Server to
remove it. Do not simply turn off an Exchange Server to remove it.
Preparing Active Directory
If you are upgrading more than one version of Exchange, you need to be aware of
a limit that is in place when you prepare Active Directory. After you prepare Active
Directory for the latest version of Exchange Server, you cannot prepare Active
Directory for a previous version of Exchange Server. For example, if you have an
Exchange organization with Exchange Server 2010 and prepare Active Directory
for Exchange Server 2016, then you can't decide later to prepare Active Directory
for Exchange Server 2013.
As a best practice, consider preparing Active Directory for all versions of Exchange
Server. This ensures that you can add a down-level Exchange Server if required.
Previous versions of Exchange Server required you to install the Client Access server
role before the Mailbox server role. Since Exchange Server 2016 does not have
separate Client Access server and Mailbox server roles, there is no concern about the
order in which to install server roles.
If you are implementing an Exchange Server 2016 Edge Transport server, then you
should do so at the same time that you implement the Exchange Server 2016 Mailbox
servers. The new Exchange Server 2016 Edge Transport servers are implemented
before you change the message flow over to Exchange Server 2016.
When moving mailboxes to Exchange Server 2016 Mailbox servers, you should use
only the Exchange Server 2016 Exchange Admin Center New Migration Batch Wizard
or the Exchange Management Shell New-MoveRequest or New-MigrationBatch cmdlets.
Do not use the wizard or cmdlets in legacy versions of Exchange Server or you could
break the mailboxes.
Public folder migration varies depending on the version of Exchange Server. In
Exchange Server 2013 and Exchange Server 2016, public folders are stored in public
folder mailboxes. Migrating public folders from Exchange Server 2013 to Exchange
Server 2016 is as easy as moving the public folder mailbox. If the public folders are
hosted on Exchange Server 2010, the migration process is more involved. Migrating
public folders from Exchange Server 2010 to Exchange Server 2016 is covered in
Chapter 17, “Managing Modern Public Folders.”
If your Exchange organization has multiple sites, then you typically upgrade to
Exchange Server 2016 one site at a time. Internet-accessible sites should be upgraded
first as they provide proxying functionality. While it is possible for Exchange Server
2013 to proxy connectivity to Exchange Server 2016, it is not possible for Exchange
Server 2010 to proxy connectivity to Exchange Server 2016 or Exchange Server 2013.
There is more detailed information about proxying client access connectivity in
Chapter 21, “Understanding the Client Access Services.”
Office 365
We are certainly not here to make a pitch for you to move to Office 365. That being
said, for many organizations, a cloud-based communication platform makes sense,
and that's primarily what Office 365 is about. Exchange Online provides cloud-based
email and scheduling, Skype for Business provides cloud-based instant messaging and
video conferencing, and SharePoint Online provides cloud-based file sharing and rich
websites.
The price point, if you exclude licensing of the Office client software, is quite low. In
fact, we have to wonder if Microsoft actually makes a profit at it! If you have not yet
considered it, it is a fair bet that your management will expect you to soon.
However, for many other companies, cloud-based solutions don't make sense. Moving
your operations to the cloud represents a significant loss of control and, potentially,
concerns about the security of your data.
The process of moving onto Office 365 from on-premises systems (or other cloud
providers) is known as onboarding. Similarly, the process of moving off Office 365 to
another provider is known as offboarding. We suggest that you not onboard your
Exchange Server organization without some plan in place to offboard. Some
companies have moved and then retired from Office 365 quickly after finding that
they cannot accept the restrictions of the services. However, a proper planning process
and an understanding of Office 365 features and restrictions mitigate this risk.
Very detailed descriptions of the services are available and are a very interesting read. The
descriptions include detailed explanations of exactly what is, and is not, available as
part of the online services when compared to the on-premises solutions:
http://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx
Should that URL disappear, search for “Office 365 service descriptions” on
http://technet.microsoft.com or your favorite search engine.
Surprisingly, perhaps, preparing for either a hybrid deployment of Exchange Server
2016 with Office 365 or a full transition to Office 365 requires the same steps as for an
on-premises deployment of Exchange Server 2016.
Microsoft has invested heavily in making the onboarding process easy—at least as
easy as an on-premises upgrade.
Office 365 Options
When moving to Office 365, there are four basic mechanisms to do so:
Hybrid Deployment: We have discussed hybrid deployment as a mechanism to
host some mailboxes on-premises and some mailboxes in Office 365. However,
hybrid deployment can also be used to migrate all mailboxes from on-premises to
Office 365. Because Hybrid mode synchronizes the GAL and provides free/busy
integration between on-premises and Office 365, it is well suited to large
migrations that will take an extended period of time.
Cutover Exchange Migration: Microsoft recommends a cutover migration only
for organizations with fewer than 1,000 mailboxes. All of the mailboxes are moved
in a single batch, which limits how many mailboxes can be done in a reasonable
period of time. The migration is also limited by the amount of data in the
mailboxes and the speed of the Internet connection. To help speed up a cutover
migration, most of the data is migrated before the cutover. At the cutover, only
delta data (new messages and deletions) are migrated, which makes the cutover
significantly faster. A cutover migration automatically creates the user account in
Office 365 based on the source.
Staged Exchange Migration: A staged migration is used to migrate Exchange
Server 2003 or Exchange Server 2007 organizations that can't use a hybrid
migration. Users are moved in batches similar to a hybrid migration, but there is
no integration of free/busy data. Directory synchronization is used to prepare
users in Office 365. You must take some care to ensure that mail flow works
properly.
IMAP Migration: This approach also allows you to move multiple groups of
users, across a period of time, to onboard them onto Office 365. The source servers
may be any IMAP server. While this type of migration could be used for Exchange
Server, it is typically used for non-Exchange email systems such as Gmail. Prior to
executing an IMAP Migration to onboard your users, you must use some tool to
create users and mailboxes in Office 365. (See the section “Exchange Server
Deployment Assistant” later in this chapter.) You must take some care in order to
ensure that mail flow works properly.
For all the migration scenarios, mailbox moves can be initiated from Exchange Admin
Center in Office 365. If Hybrid mode has been configured, you can also initiate
mailbox moves from the on-premises Exchange Admin Center.
Office 365 Coexistence
It is possible to manually configure all of the functionality provided by Hybrid mode
with Office 365. You can perform all of the manual steps to configure a trust
relationship and organizational sharing policies. You can also create your own scripts or
programmatic solutions to synchronize user and group information. However, Hybrid
mode and the Hybrid Configuration Wizard perform the configuration for you. Each
iteration of the Hybrid Configuration Wizard is better and easier to use than the last.
Here are some of the considerations when configuring Hybrid mode:
• Some type of directory synchronization is required. Microsoft provides Azure AD
Connect for this purpose. However, if you have a complex situation and Azure AD
Connect can't do what is required, more advanced Microsoft tools, such as
Microsoft Identity Manager, and non-Microsoft tools are available. Regardless,
users, groups, contacts, and a significant set of attributes must be copied from the
on-premises environment to Office 365.
• When you implement Azure AD Connect, you have the option to implement
password synchronization from your on-premises Active Directory to Office 365.
This makes it easier for your users because they don't need to remember a second
password for Office 365. However, this is not true single sign-on because
authentication is happening in Office 365.
• You have the option to use AD FS to implement true single sign-on. When you
implement AD FS, all authentication requests for your users are forwarded to your
on-premises AD FS implementation. The main benefit of using AD FS is complete
control over authentication. For example, when you disable an on-premises user
account, that user is no longer able to authenticate to Office 365. However, if your AD
FS infrastructure is unavailable, then users can't authenticate to Office 365, which
negates one of the benefits of moving to cloud-based services.
• You must have an on-premises Internet-accessible Exchange Server 2016 Mailbox
server with Autodiscover DNS records pointing to it. In most cases, you already
have this as part of your Exchange Server organization.
• Mailbox servers that will be referenced when using the Hybrid Configuration
Wizard must have a valid third-party SSL certificate installed on them, and the
Autodiscover and Exchange Web Services (EWS) configured names must be valid
subject alternative names on the certificates. Again, this is a best practice for
Internet-accessible Exchange organizations.
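The certificate requirement in the last consideration can be checked before the wizard is run. The following Exchange Management Shell script is an added example, not code from the book; the domain in $HybridDomains is a placeholder, and the helper name Test-NameCovered is hypothetical.

```powershell
# Added example, not from the book. Run in the Exchange Management Shell on an
# on-premises Exchange Server 2016 Mailbox server that the wizard will reference.

# ASSUMPTION: placeholder SMTP domain(s) that take part in the hybrid deployment.
$HybridDomains = @('contoso.com')

function Test-NameCovered {
    # True when $Name matches a certificate name exactly or through a
    # single-label wildcard (*.contoso.com covers mail.contoso.com only).
    param([string]$Name, [string[]]$CertNames)
    foreach ($san in $CertNames) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)    # ".contoso.com"
            if ($Name.Length -gt $suffix.Length -and
                $Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Names that must be on the certificate: one Autodiscover name per hybrid
# domain plus the host of every EWS external URL configured on this server.
$required  = @($HybridDomains | ForEach-Object { "autodiscover.$_" })
$required += @(Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME |
    Where-Object { $_.ExternalUrl } |
    ForEach-Object { ([uri]"$($_.ExternalUrl)").Host })
$required  = @($required | Where-Object { $_ } | Sort-Object -Unique)

# Evaluate every certificate bound to IIS on this server.
$report = Get-ExchangeCertificate -Server $env:COMPUTERNAME |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object {
        $names = @($_.CertificateDomains | ForEach-Object { "$_" })
        [pscustomobject]@{
            Thumbprint   = $_.Thumbprint
            Status       = "$($_.Status)"
            SelfSigned   = $_.IsSelfSigned
            Expires      = $_.NotAfter
            MissingNames = @($required | Where-Object { -not (Test-NameCovered $_ $names) })
        }
    }

$report | Format-List

# IsSelfSigned = False rules out the default self-signed certificate; it does
# not prove the issuer is a public CA, so confirm the issuer separately.
$usable = @($report | Where-Object {
    $_.Status -eq 'Valid' -and -not $_.SelfSigned -and
    $_.Expires -gt (Get-Date) -and $_.MissingNames.Count -eq 0
})
if ($usable.Count -eq 0) {
    Write-Warning "No IIS-bound certificate covers all of: $($required -join ', ')"
}
```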
Before running the Hybrid Configuration Wizard, you should ensure that directory
synchronization is working properly. You can do this by reviewing Azure AD Connect
and by viewing the synchronized users and groups in Office 365. If you are using AD
FS, verify that it is working properly too. You verify the configuration of your
on-premises Exchange organization by using the Microsoft Remote Connectivity Analyzer
at http://www.testexchangeconnectivity.com.
Once those tests are successful, you are ready to execute the Hybrid Configuration
Wizard. To start the Hybrid Configuration Wizard, log in to the Exchange Admin
Center on one of your on-premises Mailbox servers or in Exchange Online. Select the
Hybrid node and click Configure. This will start the Hybrid Configuration Wizard, and
then you simply select the appropriate options for your organization. They are
self-explanatory.
When the Hybrid Configuration Wizard successfully completes, your hybrid
deployment is live. At this time, you can move mailboxes back and forth between the
cloud and on-premises. For more information on that topic, see “Moving Mailboxes”
later in this chapter.
Performing a Cross-Forest Migration
This part of this chapter focuses on moving from an Exchange Server 2010 or
Exchange Server 2013 organization into a new or separate Exchange Server 2016
organization. This type of migration is somewhat more difficult than an
intraorganization upgrade, may be more disruptive for your users, and often leaves
you with fewer options than a normal upgrade. However, you may be faced with an
organizational configuration that leaves you no choice.
Intraorganization vs. Cross-Forest Upgrade
An intraorganization upgrade occurs within your current Exchange Server
organization. A cross-forest upgrade (or migration) occurs between your current
Exchange Server organization and another Exchange Server organization.
Is Cross-Forest Migration the Right Approach?
A cross-forest migration is quite a bit more complex for both the person handling the
migration and the users. The “upgrade” migration is by far the simplest type of
Exchange Server 2016 migration. Before you choose a cross-forest migration over an
upgrade, you want to make sure you are choosing the right (and simplest) upgrade
path.
Most organizations that are moving to Exchange Server 2016 will not need to perform
a cross-forest migration. If the following checklist sounds like your organization, you
should perform an “upgrade” instead:
• You have a single Active Directory forest and no resource forests.
• You are running Exchange Server 2010 or Exchange Server 2013.
• Your Exchange Server organization is part of your existing Active Directory.
Does this sound like you? If so, go back and read the first part of this chapter because
performing a normal upgrade is what you need to do. Because you already have
Exchange Server in your Active Directory, there is no need for the extra effort of a
cross-forest migration.
So, who needs to perform a cross-forest migration? You might need to perform a
cross-forest migration for a number of reasons:
• You are consolidating one or more separate Exchange Server organizations.
• You are moving Exchange Server resources from a resource forest into your
accounts forest.
• You are moving from Exchange Server 2007 or earlier to Exchange Server 2016.
• You are moving from a different messaging system to Exchange Server 2016.
If you have multiple organizations that you need to consolidate or some other item in
the preceding list, you have no choice but to proceed down the cross-forest migration
path. Proceeding down this path means different things to different organizations, but
most of these cross-forest migrations face a number of challenges:
• Finding the tools necessary to perform the migration based on your needs
• Moving mail data between two systems
• Moving directory data between two systems
• Maintaining directory synchronization and messaging between two systems during
some period of interoperability
• Ensuring that email flows correctly between the email systems during the
transition
• Figuring out how and when to transition services, such as public folders, MX
records, mobile phones, and webmail
Choosing the Right Tools
When you're planning a cross-forest migration, it is important to pick the right tools
to help you create accounts, move data, synchronize directories, create forwarders, and
perform other migration tasks. Naturally, the most powerful and flexible of these tools
are all provided by third parties rather than by Microsoft. However, Microsoft does
provide some basic tools that you can use to perform Exchange Server 2007/2010 to
Exchange Server 2016 cross-forest migrations.
Active Directory Migration Tool: If the user accounts have not yet been created
or migrated into your target Active Directory, consider migrating the accounts from
their original Active Directory rather than creating new user accounts. The Active
Directory Migration Tool (ADMT) is a free tool from Microsoft that will help you
migrate users, groups, and computers from one Windows domain or Active
Directory to another. The big advantages of this tool are that it preserves the
source domain's security identifier (SID) in the target account's SID history
attribute and that it preserves group membership.
You can download the Active Directory Migration Tool v3.2 and its associated
documentation from the download center of Microsoft's website at
http://microsoft.com/downloads.
New-MoveRequest and New-MigrationBatch Cmdlets: The Exchange Server 2016
New-MoveRequest cmdlet and the New-MigrationBatch cmdlet have options that allow
you to migrate mailbox data from separate Exchange Server 2007 or newer
organizations, and there are automated options for them to create an account for
you if one does not exist. We cover these tools in more detail later in this chapter
in the section, “Moving Mailboxes.”
Third-Party Tools: If you have more than a few hundred users, a lot of public
folder data, or very large mailboxes, or if you will need to maintain some level of
interoperability between your old Exchange Server 2007 or newer system and your
new Exchange Server 2016 system for a long period of time (longer than a few
weeks), you should consider a third-party tool. These are often a tough sell after an
organization has invested a lot of money in a new mail system, but they can make
your migration much easier and allow for better long-term interoperability.
Export-Mailbox and New-MailboxImportRequest Cmdlets
If you have a small number of users (fewer than 50), you might opt to export all
their mail from their old mail server using a tool like Export-Mailbox (or even
ExMerge or Outlook, yikes!) and then use the Exchange Server 2016
New-MailboxImportRequest cmdlet to import mail data from these PST files into the
users’ new mailboxes. This is a basic solution, but it saves you from having to
learn the New-MoveRequest cmdlet, and you still get to move your users’ mail data.
Keep in mind, though, that if you use this method, you will lose things like folder
rules and delegates that users have assigned to their folders.
Maintaining Interoperability
During either a true migration or a transition migration from one messaging system
to another, the period of interoperability is always one of the biggest headaches. One
of the first factors we always want to take into consideration when faced with a
cross-forest migration is developing a plan that will minimize the time during which the old
system and the new system must coexist.
The transition type of migration is the simplest type if you are going to need two
systems to coexist for some period of time. However, this approach is not always an
option. In that case, you need to figure out if you can perform an “instant” or
light-switch migration or if you must have some period of interoperability.
Light-Switch Migrations
For a relatively small number of users (fewer than 1,000 mailboxes, for example), we
try to find a way to perform a light-switch migration. On Friday afternoon when a
user leaves work, she is using the old system. On Monday morning when she returns
to work, she is using the new system. This is a light-switch migration; from the user's
perspective, the transition occurs very quickly.
We like the light-switch migration strategy because it usually does not require us to
perform any sort of destructive migration on the source system, and everything is
migrated all at once. We have performed successful light-switch migrations for
20-user organizations all the way up to 1,500-user organizations. A number of factors will
determine if a light-switch migration is possible in your organization. Here are some
of the factors to consider:
• Can all of the data be moved in a short period of time?
• Can users’ Outlook clients and ActiveSync devices be directed or reconfigured to
use the new servers effectively and accurately?
• Are there sufficient help desk and information technology resources to support the
user community on “the morning after”?
• If new accounts have to be created for users, can the old passwords be
synchronized or can new passwords be distributed to the users?
If you can properly support the light-switch migration, it is best for minimizing
interoperability between two systems. The first goal has to be minimizing disruption
for the user community, but a long transition between two mail systems can often be
more disruptive if the interoperability issues are not properly addressed.
A lot of factors are involved in planning any cross-forest migration strategy, but here
is a list of major factors in roughly the order in which they should be done:
• Deploy the new messaging system and test all components, including
inbound/outbound mail routing and web components.
• Develop a plan for migrating Outlook profiles such as using Outlook Autodiscover
or a script that creates a new profile.
• Create mailboxes and establish email addresses that match the existing mailboxes
on the source system.
• Move older data (mailboxes and public folders) if possible.
• Restrict user access to the older mail system and start the migration.
• Switch inbound email to the new mail system.
• Switch Outlook profiles to the new servers.
• Switch over inbound HTTP/HTTPS access to mailboxes.
• Replicate public folder data.
• Move mailbox data; if using a third-party migration tool, try to replicate older
mailbox data prior to migration day.
• Keep the old mail system up and running for a month or two just in case you need
to retrieve something.
Interoperability Factors
In migrations, we try to avoid keeping two mail systems operating in parallel for very
long. Without the right tools, interoperability is a royal pain in the neck. That being
said, you are probably wondering what some of the issues of interoperability are. Here
is a partial list of things you need to be concerned about or that your migration
utilities should address:
• Email forwarding between domains should work seamlessly; email should be
delivered to the right location regardless of whether someone has been migrated.
• Directory/address book synchronization should work seamlessly; users should be
able to continue to use the GAL and it should accurately reflect the correct address
of the user.
• Mail distribution groups should continue to work properly regardless of where the
member is located.
• Users should still be able to reply to email messages that were migrated to the new
system.
• Public folder data and free/busy data should be synchronized between the two
systems.
• You should have a plan that includes how to transition from one web-based mail
system and mobile device system to another.
• Your plan should include migrating users in groups or by department if possible.
• Your plan or migration utilities should also include a mechanism to migrate (or
help the user to reproduce) rules, folder permissions, and mailbox delegate access.
Preparing for Migration
You can do some things to get ready for your cross-forest migration; these tasks will
make things go more quickly for you. This preparation includes gathering information
about what you have to migrate as well as preparing for the actual steps of migration.
Here is a partial list:
• Because you are migrating your users from an existing Exchange Server
organization to a new Exchange Server 2016 organization, have all the target
systems’ Exchange Server 2016 servers installed, tested, and ready to use before
starting the migration.
• Document everything relevant about your source organization, including
connectors, email flow, storage/message size limits, mail-enabled groups, and web
access configuration (Outlook on the web/OWA, ActiveSync, IMAP4, POP3).
• Ensure that DNS name resolution between the two Active Directories is working
correctly. You may need to configure conditional forwarders or zone transfers to
achieve this.
• Make sure there are no firewalls between the two systems; if there are, ensure that
the necessary ports are open between the systems.
• Configure trust relationships between the two systems.
• Ensure that you have Domain Administrator and Exchange Administrator
permissions in both the source and target systems.
• If you are planning to use the Active Directory Migration Tool (ADMT) to migrate
user accounts, you must establish name resolution, a trust relationship, and admin
accounts in both domains.
Moving Mailboxes
Exchange Server 2016 includes the New-MoveRequest cmdlet, which can be used to
move mailboxes either within an organization (intraorganization) or between two
different Exchange Server organizations (cross-forest). For cross-forest migrations,
New-MoveRequest can be used to migrate mailboxes from Exchange Server 2010 or later
to Exchange Server 2016.
The New-MoveRequest cmdlet is a powerful tool with many parameters and options. In
this section, we focus just on its use when moving mail data between one Exchange
Server organization and another. Keep in mind that one requirement for using the
New-MoveRequest cmdlet is that the global catalog servers in both the source and target
forests must be running Windows Server 2008 or later.
Exchange Server 2013 introduced the concept of batches and of migration endpoints.
A batch of mailboxes seems fairly self-explanatory—it is simply a group of mailboxes.
A batch always connects to a local server and to a migration endpoint. Batch moves are
used for cross-forest migrations of every type. The types are discussed in the section,
“Office 365 Options,” earlier in this chapter. A batch move must always be executed in
the target Exchange Server environment (this means that all migrations are “pulled”
across from the source environment).
A migration endpoint, which is used only for cross-forest moves, is used to identify
the configuration settings and connection mechanism for the source mailboxes that
will be used by the batch move request. Therefore, if you are executing a batch move
to onboard to Office 365, you will create a migration endpoint and execute a batch
move either from the Office 365 Exchange Admin Center or when connected to the
Office 365 environment via remote PowerShell.
The cmdlet that is used to create a migration endpoint is New-MigrationEndpoint. The
cmdlet that is used to create a new migration batch is New-MigrationBatch. There are
also many other batch-related cmdlets. The cmdlets provide ways to control the
movement of mailboxes via batch, including ways to stop a batch from executing,
suspend it, get the status and statistics associated with a currently executing batch,
and so on. You can find information on all the batch cmdlets at
https://technet.microsoft.com/en-us/library/jj218644(v=exchg.160).aspx or by
searching for “Exchange 2016 move and migration cmdlets” using your favorite search
engine.
Migration batches are preferred over the use of New-MoveRequest in Exchange Server
2016, but both mechanisms are supported. Migration batches can be fully controlled
and monitored from within the EAC, and that is the recommended method for doing
so. The batch cmdlets have many options and many different usage scenarios
depending on whether you are onboarding or offboarding to Office 365, performing
cross-forest moves, doing staged Exchange Server migrations or cutover Exchange
Server migrations, or even just performing local (same forest) mailbox moves.
Although some admins are resistant to the Exchange Admin Center at first, they often
find that it provides a great interface for executing and monitoring batch moves.
Migrating User Accounts
Using either of the cross-forest move mechanisms (individual move requests or
migration batches) requires that a mail-enabled user account be created in the
destination forest before the mailbox move is initiated. As noted in our prior section
“Office 365 Coexistence,” this can be accomplished in a number of different ways.
Microsoft currently documents the attributes that must be copied and that may be
copied for Exchange Server 2013, which is also accurate for Exchange Server 2016, at
this URL:
http://technet.microsoft.com/en-us/library/ee633491
If that URL should disappear, then on http://technet.microsoft.com (or your favorite
Internet search engine) search for “prepare mailboxes for cross-forest move requests.”
Another resource for creating users and copying attributes that we have not previously
discussed can be very handy. As part of Exchange Server 2016, the Exchange Server
team shipped a script named Prepare-MoveRequest.ps1. This script is located in the
$ExScripts directory, normally at C:\Program Files\Microsoft\Exchange
Server\V15\Scripts. It is extremely useful if you are planning some type of custom
migration where none of the earlier tools are useful, for whatever reason. Using this
script (again, for Exchange Server 2013 but accurate for Exchange Server 2016) is
discussed at:
http://technet.microsoft.com/en-us/library/ee861103
Also, you can find the most current link by searching for “prepare mailboxes for cross-forest moves using the Prepare-MoveRequest.ps1 script in the shell.”
Permissions Required
When you are moving mailboxes between forests, you need to have accounts in both
the source and destination forests that will give you the necessary permissions to
move mailbox data between the two organizations. Usually, the accounts you use for
the source and target organizations will not be the same account. Permissions
required are pretty simple: you need to be a recipient administrator for all the
accounts you will be moving. In the case of Office 365, in Hybrid mode, you need
Recipient Management permissions.
Importing Data from PSTs
A personal folder (PST) file has the ability to hold mailbox data. Outlook uses PST
files to store data for POP3 and IMAP accounts. Outlook also uses PST files to archive
older messages and lower mailbox size. Most messaging administrators dislike PST
files because they are difficult to manage. However, PST files can be useful sometimes
during migrations:
If you are migrating from a POP3 or IMAP email system, you can import the PST files from clients into user mailboxes.
If you are doing a small cross-forest migration, it might be easier to export mailboxes to a PST and import than to set up the infrastructure to do mailbox moves between the two Exchange organizations.
Exchange Server 2016 has the native (that is, does not depend on Outlook) capability
to import personal folder (PST) files into a mailbox. Similar to mailbox batches
discussed in the prior section, there is an entire suite of cmdlets controlling this
capability. Unlike with mailbox batches, there is not a nice, pretty interface in the
Exchange Admin Center, which is unfortunate.
Regardless, the cmdlets are as follows:
Get-MailboxImportRequest
Get-MailboxImportRequestStatistics
New-MailboxImportRequest
Remove-MailboxImportRequest
Resume-MailboxImportRequest
Set-MailboxImportRequest
Suspend-MailboxImportRequest
Before you begin trying to import PST data into an existing mailbox, make sure that
you have the necessary permissions. By default, just because you are an Exchange
Server administrator does not mean you can import data. Use the EMS
New-ManagementRoleAssignment cmdlet to give your account the necessary permissions. Here
is an example where we give user Rena.Dauria permission to import or export user
data from mailboxes:
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "Rena.Dauria"
Once you have the necessary permissions to the mailbox and have opened an instance
of the Exchange Management Shell, you can proceed. Here is an example of importing
a PST file called ARoberts.PST into the mailbox Andrew.Roberts:
New-MailboxImportRequest Andrew.Roberts -FilePath \\Server\PSTshare\ARoberts.PST
Unlike in earlier versions of this cmdlet, the dumpster is included by default. You can
also specify that you want the data imported into the user's archive versus the main
mailbox, the specific folders you want to include and exclude, and many other options.
Unfortunately, unlike the Import-Mailbox cmdlet that was present in Exchange Server
2010, there is no way to specify a date range.
For more details about the New-MailboxImportRequest cmdlet, see
http://technet.microsoft.com/en-us/library/ff607310.aspx
or search for “Exchange 2016 New-MailboxImportRequest.”
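The import procedure above as one Exchange Management Shell session, with the role granted under a named assignment and removed again once the import has finished. This is an added example, not code from the book; the account, mailbox, and share are the ones used in the text, while the assignment name, request name, and target folder are assumptions.

```powershell
# Added example: run in the Exchange Management Shell.
$operator   = 'Rena.Dauria'                       # account from the text
$mailbox    = 'Andrew.Roberts'                    # mailbox from the text
$pstPath    = '\\Server\PSTshare\ARoberts.PST'    # share from the text
$assignment = 'PST-Import-Rena.Dauria'            # assumed name; makes the grant easy to find and remove
$request    = 'ARoberts-PST'                      # assumed request name

# 1. Grant the role under an explicit assignment name.
#    Mailbox Import Export lets the holder import into or export from mailboxes,
#    so treat it as a sensitive, short-lived grant.
New-ManagementRoleAssignment -Name $assignment -Role 'Mailbox Import Export' -User $operator

# The operator must open a new EMS session before the import cmdlets appear.
# The UNC share must also grant the Exchange Trusted Subsystem group Read access,
# because the server, not the operator's workstation, reads the PST.

# 2. Queue the import. This variant targets the archive mailbox, lands the data
#    under its own folder, and skips the PST's Deleted Items folder.
New-MailboxImportRequest -Name $request -Mailbox $mailbox -FilePath $pstPath `
    -IsArchive -TargetRootFolder 'Imported PST' -ExcludeFolders '#DeletedItems#/*'

# 3. Monitor progress and look for skipped items.
Get-MailboxImportRequest -Mailbox $mailbox |
    Get-MailboxImportRequestStatistics |
    Format-List Name, Status, PercentComplete, BadItemsEncountered

# 4. After the request reports Completed, clear it and withdraw the role.
Get-MailboxImportRequest -Mailbox $mailbox -Status Completed |
    Remove-MailboxImportRequest -Confirm:$false
Remove-ManagementRoleAssignment -Identity $assignment -Confirm:$false

# 5. Confirm the operator no longer holds the role (expect no output).
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -RoleAssignee $operator
```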
Tasks Required Prior to Removing Legacy Exchange Servers
If you are performing an upgrade or are migrating completely to Office 365, the time
will come when all of the upgrade and/or migration tasks are complete (at least, we
hope so!).
Now you are ready to start removing the old servers. No, you can't just cut them off
and be done with it. Exchange Server has hooks deep into your Active Directory, and if
you have new servers (or are going to continue with directory synchronization to the
cloud), you must clean up the remnants of the old servers. If you don't, they are
guaranteed to come back and haunt you.
To actually remove an installation of Exchange Server from a server, you need
Organization Admin privileges, plus local Administrator privileges on that server.
Before you begin the process of removing Exchange Server, there are some items that
you should verify for completeness:
If you are using public folders, you need to ensure that replication has completed and that the migration is completed on the target environment.
If you are not using public folders, you need to ensure that all replicas of both system and normal public folders have been removed from all public folder databases and that the public folder databases have been deleted.
All client access configuration is pointing to Exchange Server 2016 Mailbox servers (including EWS, EAS, Outlook Anywhere, Autodiscover, and the like).
All Send and Receive connectors are pointing to Exchange Server 2016 servers.
All user mailboxes have been moved to Exchange Server 2016.
All system mailboxes have been moved to Exchange Server 2016 (including arbitration and discovery search mailboxes).
All mailbox databases on the legacy servers have been removed.
All Exchange Server 2010 client access arrays have been removed.
All applications that may be using Exchange Server services (SMTP relay, for example) have been reconfigured to use Exchange Server 2016 servers.
Once all of these tasks are complete and verified, you are ready to begin removing
legacy Exchange servers.
Removing Exchange Server from a server is as simple as choosing Programs and
Features ⇨ Exchange Server ⇨ Uninstall. Simply follow the Uninstallation Wizard. If
you have forgotten to perform any of the steps listed previously, the wizard will let
you know. At that point, you should correct the problem and rerun the wizard.
Exchange Server Deployment Assistant
Beginning with Exchange Server 2010, Microsoft made available an online tool to
assist in the planning and deployment process for Exchange Server. The web-based
tool, known as the Microsoft Exchange Server Deployment Assistant (EDA), allows a
user to specify their starting configuration and desired end result. Then the tool
produces a detailed set of instructions for how to reach the desired end result.
EDA, especially with common deployment scenarios, can be a great time-saver. While
EDA does not cover every scenario or diagram of everything that must be done,
especially when third-party messaging systems or extensions come into play, it does
provide extensive links to the relevant TechNet literature. Relevancy is the key.
TechNet is a huge repository of data, and determining what is relevant to a particular
deployment can be challenging. That is where EDA comes in.
Here's what EDA covers:
On-premises upgrades and transitions from Exchange Server 2010 and Exchange Server 2013 to Exchange Server 2016
Hybrid deployments
Transitions to cloud-only solutions (that is, moving your entire messaging infrastructure to Office 365)
You can find EDA at https://technet.microsoft.com/en-us/office/dn756393. Should
that link disappear, you can search for “Microsoft Exchange Server Deployment
Assistant” on TechNet, using your favorite Internet search engine.
The Bottom Line
Choose between an upgrade and a migration. The migration path that you
take will depend on a number of factors, including the amount of disruption you
can put your users through and the current version of your messaging system.
Master It: Your company is currently running Exchange Server 2010 and is
supporting 3,000 users. You have a single Active Directory forest. You have
purchased new hardware to support Exchange Server 2016. Management has
asked that the migration path you choose have minimal disruption on your
user community. Which type of migration should you use? What high-level
events should occur?
Choose between on-premises deployment and Office 365. A common
choice today is deciding whether to move your mailbox data into the cloud. Office
365 is Microsoft's cloud solution, of which Exchange Online is a part.
Master It: You work at a university using Exchange Server 2010 on-premises
for 10,000 students. You want to offer the functionality present in Exchange
Server 2016 to your students, but you have budgetary constraints and cannot
replace all of the required servers. What is your best course of action?
Determine the factors you need to consider before upgrading.
Organizations frequently are delayed in their expected deployments due to things
that they overlook when preparing for their upgrade.
Master It: You are planning your Exchange Server 2016 upgrade from an
earlier version. What are some key factors that you must consider when
planning the upgrade?
Understand coexistence with legacy Exchange servers. Coexistence with
earlier versions of Exchange Server is a necessary evil unless you are able to move
all your Exchange Server data and functionality at one time. Coexistence means
that you must keep your old Exchange servers running for one of a number of
functions, including message transfer, email storage, public folder storage, or
mailbox access. One of the primary goals of any upgrade should be to move your
messaging services (and mailboxes) over to new servers as soon as possible.
Master It: You are performing a normal upgrade from Exchange Server 2013 to
Exchange Server 2016. Your desktop clients are a mix of Outlook 2010 and
Outlook 2013. You quickly moved all your mailbox data to Exchange Server
2016. Why should you leave your Exchange Server 2013 servers online for a few
weeks after the mailbox moves have completed?
Perform a cross-forest migration. Cross-forest migrations are by far the most
difficult and disruptive migrations. These migrations move mailboxes as well as
other messaging functions between two separate mail systems. User accounts and
mailboxes usually have to be created for the new organization; user attributes,
such as email addresses, phone numbers, and so forth must be transferred to the
new organization. Metadata such as “reply-ability” of existing messages as well as
folder rules and mailbox permissions must also be transferred.
Although simple tools are provided to move mailboxes from one Exchange Server
organization to another, large or complex migrations may require third-party
migration tools.
Master It: You have a business subsidiary that has an Exchange Server 2010
organization with approximately 2,000 mailboxes; this Exchange Server
organization is not part of the corporate Active Directory forest. The users all
use Outlook 2013. You must move these mailboxes to Exchange Server 2016 in
the corporate Active Directory forest. What four options are available to you to
move email to the new organization?
Part 3
Recipient Administration
Chapter 12: Management Permissions and Role-Based Access Control
Chapter 13: Basics of Recipient Management
Chapter 14: Managing Mailboxes and Mailbox Content
Chapter 15: Managing Mail-Enabled Groups, Mail Users, and Mail Contacts
Chapter 16: Managing Resource Mailboxes
Chapter 17: Managing Modern Public Folders
Chapter 18: Managing Archiving and Compliance
Chapter 12
Management Permissions and Role-Based Access Control
In Exchange Server 2016, the methodology for managing access permissions to user
and administrative functionality is the same as it was in Exchange Server 2010 and
Exchange Server 2013. This technology, called Role-Based Access Control (RBAC),
provides more powerful and granular control over what people can do than what was
available in earlier versions of Exchange.
To use it effectively, we need to take an in-depth look at how RBAC works and how it
differs from the permission model in previous versions of Exchange. Then we'll
examine the tools and processes for configuring and managing RBAC. After that, we
can dig deeper into the topic of roles and how to assign them to users and
administrators.
IN THIS CHAPTER, YOU WILL LEARN TO:
Determine what built-in roles and role groups provide you with the permissions you need
Assign permissions to administrators using roles and role groups
Grant permissions to end users for updating their address list information
Create custom administration roles and assign them to administrators
Audit RBAC changes using the Exchange Management Shell and built-in reports in the Exchange Administration Center
RBAC Basics
The goal in this section is to give you a broad and high-level understanding of what
RBAC is and how it works. As we discuss these various topics throughout this chapter,
we will build on this knowledge and you will gain deeper insights into RBAC. This will
help you learn what RBAC can do for you and how you can use it.
Differences from Previous Exchange Versions
In the most basic sense, RBAC is the permissions model for Exchange Server 2016.
Anyone who has had to customize permissions in Exchange versions prior to
Exchange 2010 can understand the inconvenience of making permission changes in
Active Directory and keeping track of what permission modifications were made. Prior
to RBAC's introduction, access control lists (ACLs) on various Active Directory objects
were used to configure permissions. Each object to which you wanted to delegate
permissions had its own ACL. Each ACL was further composed of multiple access
control entries (ACEs) that defined what permissions each user or group had on that
object. To make this process a bit more manageable, Exchange used property sets. A
property set is a group of attributes that can share a common ACE. For example,
instead of setting an ACE on 15 different attributes, those attributes could be added to
a property set so that applying the ACE to the property set would update the ACLs on
each of the attributes.
RBAC is a significantly different approach to solving this problem. Because the
management of Exchange Server 2016 is brokered through PowerShell cmdlets, it
makes more sense to apply the permissions at the administrative level instead of on
the Active Directory object. RBAC does this by using roles to define which Exchange
cmdlets can be run and what parameters can be used with those cmdlets. By moving
these permissions to the cmdlet level, you ensure that access control is enforced by
PowerShell. This allows Exchange to do some really powerful things, such as
presenting administrators with only the cmdlets that they have permissions to run.
Available Commands Based on Role Group Assignment
If an administrator doesn't have access to run a cmdlet, such as the Set-Mailbox
cmdlet, the cmdlet will not be available to that administrator when the Exchange
Management Shell (EMS) is used. Not only will the cmdlet not be found if the
administrator tries to run it, but it won't be part of tab completion in the EMS.
How RBAC Works
To illustrate how RBAC works, let's look at an example. Suppose that in your
Exchange infrastructure, you have a group of people who provide support for your end
users. This group is primarily responsible for creating new accounts, mail-enabling
users, configuring mailbox properties, and similar tasks. To enable this group of
people to do their job, you could assign the Mail Recipients role to their accounts.
When these users are assigned this role, they gain the permissions to run the
Exchange cmdlets that this role allows. In this example, the users will have access to
cmdlets, such as Enable-Mailbox, Set-Mailbox, and Get-MailboxStatistics. Remember
that these permissions are used not only for the Exchange Management Shell, but also
the Exchange admin console.
The previous example illustrates only one aspect of RBAC: the ability to assign roles to
various levels of Exchange administrators. But there is another aspect of RBAC that
allows you to assign roles to end users. The types of roles that end users would have
are different than the roles that an Exchange administrator would have. Whereas the
Exchange administrator's roles are geared toward managing Exchange, the end user's
roles are geared toward the end users managing their own contact information,
mailbox settings, marketplace apps, team mailboxes, and distribution groups. For
example, if you want your users to be able to update their own phone numbers in the
global address list (GAL), you can assign them the MyContactInformation or
MyPersonalInformation role.
To understand how RBAC defines and distributes roles, you will need to become
familiar with a few relevant terms:
Management Role: A management role, also referred to simply as a role,
represents a grouping of Exchange cmdlets that can be run by people who are
assigned the role. These cmdlets are also referred to as management role entries.
Management Role Entry: A management role entry, also known simply as a role
entry, is the term used to refer to every Exchange cmdlet and parameter that is
defined on a role. There is also a special type of role that allows your role entries to
be PowerShell scripts or non-Exchange cmdlets.
Management Role Scope: The scope defines the boundary of objects to which a
role can be applied. By default, the scope of impact on roles is not very restrictive.
However, you can create custom scopes that make the scope of impact for a role
more restrictive, such as restricting a role to only an organizational unit (OU) of
recipients.
Management Role Group: A role group is a security group in Active Directory
that has been assigned management roles. Users that are members of the group
have the ability to run the cmdlets defined by the management roles assigned to
the group. When management roles are assigned to the group, they can be
restricted by a scope. Several default role groups, such as Organization
Management, are created during the installation of Exchange Server, but you can
also create your own role groups. For example, you could create a role group that
allows administration of recipients only in the OU for a remote location. Then help
desk staff in the remote location are made members of the role group to allow
them to manage local recipients. It is possible to assign roles directly to users, but
as with managing other types of permissions, it is generally easier to manage
permissions by using groups.
Management Role Assignment: Management role assignments, also known as
role assignments, are what pull everything together. RBAC defines who (the role
group or user account) has what permissions (the roles) and where (the scope)
those permissions are in effect. The role assignment pulls this together by
assigning a management role to a role group, a user account, or a role assignment
policy. A scope can also be attached to each role assignment. Each time a role is
assigned to a unique role group, user account, or role assignment policy, a different
role assignment is created. Each role assignment assigns only one role to one role
group or user account. However, there can be multiple role assignments for a role
group or user account.
Role Assignment Policy: A role assignment policy is a collection of management
permissions for users to manage themselves. Management role assignments are
used to assign end user management roles to the role assignment policy. The
management role assignments define the permissions that are allowed. Each
mailbox is associated with one role assignment policy that controls the
permissions a user has to manage his or her own attributes.
Two different processes define how the RBAC components interact with one another.
The process for assigning permissions to Exchange administrators is different than
the process for assigning permissions to end users, though there is some overlap. In
both instances, management roles are used to define what the assignee can do.
Management roles contain management role entries. The difference, however, is in
how management roles are assigned.
RBAC for Administrators
When assigning roles to administrators, management role groups are the basic
method used to define which roles administrators have. These groups are universal
security groups in Active Directory. When you want to give an administrator a group
of roles, you add the administrator's Active Directory account to the appropriate
management role group. Each of these groups is assigned one or more management
roles.
Management role assignments allow you to assign one or more management roles to
management role groups. For example, the Organization Management role group has
several roles associated with it. Each of these roles is associated with the role group by
using a unique management role assignment. Within this management role
assignment, you can also define the scope of the role. Suppose you want to create a
group of administrators who can manage only the mailboxes belonging to the users in
the Baltimore OU. You can create a role group called Baltimore Mailbox
Administrators and use a management role assignment to assign the Mail Recipients
role to that group for only users in the Baltimore OU.
To better illustrate how these components come together, see Figure 12.1.
Management role entries are defined on management roles. Management role
assignments tie a management role to a management role group. Administrator
accounts are added as members of the role group. Once in the group, those
administrators have access to the functionality defined by the roles that are assigned
to the group.
Figure 12.1 The interaction among the RBAC components for granting permissions
to administrators
Just as you can assign file permissions directly to a user, you can also directly assign
roles to a user account. This is called direct role assignment. However, it is much
easier to manage if you use role groups.
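One way to build the Baltimore example described above and then confirm what the scope actually permits. This is an added example, not code from the book; the OU path contoso.com/Baltimore, the member account, and the two test recipients are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell.
# Every value below is a hypothetical placeholder for your own environment.
$groupName = 'Baltimore Mailbox Administrators'
$ou        = 'contoso.com/Baltimore'     # canonical name of the Baltimore OU
$member    = 'helpdesk.baltimore'        # help desk account to add to the group
$insideOu  = 'user.in.baltimore'         # a recipient located in the Baltimore OU
$outsideOu = 'user.elsewhere'            # a recipient located in any other OU

# 1. Create the role group. One management role assignment is created per role,
#    each carrying the OU as its recipient write scope.
New-RoleGroup -Name $groupName `
    -Roles 'Mail Recipients' `
    -RecipientOrganizationalUnitScope $ou `
    -Members $member `
    -Description 'Manages recipients in the Baltimore OU only'

# 2. Inspect the assignment that ties the role to the group. The write scope is
#    expected to be the OU, while the read scope stays whatever the role implies,
#    so members can still see recipients that they cannot change.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-List Name, Role, RoleAssigneeType, RecipientReadScope,
                RecipientWriteScope, CustomRecipientWriteScope

# 3. Check the boundary from the recipient's side: does any assignment held by
#    this group allow writing to the given recipient?
function Test-GroupCanWrite {
    param([string]$Recipient, [string]$Group)
    $hits = Get-ManagementRoleAssignment -WritableRecipient $Recipient -GetEffectiveUsers |
        Where-Object { $_.RoleAssigneeName -eq $Group }
    return [bool]$hits
}

[pscustomobject]@{
    Group            = $groupName
    CanWriteInside   = Test-GroupCanWrite -Recipient $insideOu  -Group $groupName   # expected: True
    CanWriteOutside  = Test-GroupCanWrite -Recipient $outsideOu -Group $groupName   # expected: False
}

# 4. Review membership; the group's effective permissions are only as tight
#    as its member list.
Get-RoleGroupMember -Identity $groupName | Format-Table Name, RecipientType
```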
RBAC for End Users
The process for assigning roles to end users is different than the process for assigning
roles to administrators. End users still use management roles and management role
entries. However, the roles are assigned to user accounts using a role assignment
policy. The role assignment policy has management roles assigned, just as role groups
do. The difference is that role assignment policies aren't groups to which users can be
added. Therefore, a user cannot have multiple role assignment policies. Like other
types of policies in Exchange, a user account can have only one role assignment policy
assigned to it. The roles that users have in Exchange are defined by that policy.
Figure 12.2 describes how this process takes place for user accounts. Contrasting this
with Figure 12.1, you can see that each end-user account gains its roles by specifying
the policy that takes effect on it, but each administrator account gains its roles by
being a part of the role group.
Figure 12.2 How RBAC is used to grant permissions to end users
You can assign the roles for users directly to user accounts, but this is not
recommended. Role assignment policies are a better way to manage these
permissions.
Managing RBAC
As you are managing RBAC, multiple areas need your attention. When you deploy
Exchange, you have to manage the various RBAC components. This work consists of
assigning the roles, modifying role groups, setting role assignments, and much more.
You will also have to manage the role distribution, which consists of managing the
role groups and the role assignment policies, and before anyone can manage those
things, you must delegate the RBAC management permissions to the appropriate
people.
There are primarily two built-in tools you can use to manage these various aspects of
RBAC. There is also a downloadable tool from www.codeplex.com named RBAC
Manager. In this section, we'll look at these tools and discuss what they enable you to
do at a high level. Throughout the remainder of this chapter, we will be using these
tools and examining them in more detail.
Exchange Administration Center
The first tool that we will look at is the Exchange Admin Center (EAC). The EAC is a
web-based management console used to manage Exchange Server 2016 features and
services.
When you sign in to the EAC, you will navigate to the Permissions task in the Feature
pane. Notice the two tabs, Admin Roles and User Roles, shown in Figure 12.3. If you
don't have these tabs available, you likely don't have the appropriate permissions to
manage the roles.
Figure 12.3 Managing administrator roles and user roles in the EAC
When you click the Admin Roles tab, the role groups are listed alphabetically. This list
includes both the built-in role groups and any custom role groups that you may have
created. If you select a role group, the Details pane on the right will display the
description of the role group, the roles that the group is assigned, and the members of
the group. This is shown in Figure 12.4.
Figure 12.4 Viewing role group details in the EAC
You can also create a new role group, delete a role group, copy a role group, and edit
the role group. The steps for doing this are described in the “Distributing Roles”
section, later in this chapter.
When you click the User Roles tab in the EAC, you are presented with a list of role
assignment policies that exist in your organization. In a manner similar to the Admin
Roles tab, you can select the role assignment policy from the list and view the details
of the policy in the Details pane on the right. You can also edit the user roles that are
assigned to this policy, create a new assignment policy, and delete an assignment
policy that is not associated with a mailbox. This is covered later in the section,
“Distributing Roles.” Figure 12.5 shows the information available on the User Roles
tab of the EAC.
Figure 12.5 Viewing the user role information in the EAC
This is the extent to which you can manage RBAC inside the EAC. If you require more
advanced configuration options, such as customized management roles, you must use
the EMS or RBAC Manager.
Exchange Management Shell
The EMS is the built-in tool where you will probably be spending most of your time
when you are managing RBAC. Table 12.1 lists which cmdlets are available for
managing each RBAC component. These cmdlets are further discussed and used
throughout the remainder of this chapter.
Table 12.1 Cmdlets for Managing the RBAC Components
Component                   Cmdlet                           Description
Management role             New-ManagementRole               Creates a new role
Management role             Get-ManagementRole               Gets the list of roles or the properties of a specific role
Management role             Remove-ManagementRole            Deletes a role
Management role entry       Add-ManagementRoleEntry          Adds a role entry to an existing role
Management role entry       Get-ManagementRoleEntry          Retrieves the list of role entries on a role
Management role entry       Remove-ManagementRoleEntry       Removes a role entry from a role
Management role entry       Set-ManagementRoleEntry          Sets the parameters on an already-defined role entry
Role group                  Get-RoleGroup                    Gets the list of role groups or the properties of a specific role group
Role group                  New-RoleGroup                    Creates a new role group
Role group                  Remove-RoleGroup                 Deletes a role group
Role group                  Set-RoleGroup                    Changes the properties of the role group
Role group                  Add-RoleGroupMember              Adds an administrator to a role group
Role group                  Get-RoleGroupMember              Lists the members of a role group
Role group                  Remove-RoleGroupMember           Removes an administrator from a role group
Role group                  Update-RoleGroupMember           Modifies the role group membership in bulk
Role assignment policy      Get-RoleAssignmentPolicy         Retrieves the list of role assignment policies or retrieves the details of a specific role assignment policy
Role assignment policy      New-RoleAssignmentPolicy         Creates a new role assignment policy
Role assignment policy      Remove-RoleAssignmentPolicy      Deletes a role assignment policy
Role assignment policy      Set-RoleAssignmentPolicy         Configures the properties of a role assignment policy, including whether the policy is the default policy for the domain
Management role assignment  Get-ManagementRoleAssignment     Retrieves the list of role assignments or the details of a specified role assignment
Management role assignment  New-ManagementRoleAssignment     Creates a new role assignment
Management role assignment  Remove-ManagementRoleAssignment  Deletes a role assignment
Management role assignment  Set-ManagementRoleAssignment     Configures the properties of the role assignment, including the scope that the assignment uses
Management scope            Get-ManagementScope              Retrieves management scopes, orphaned scopes, and exclusive or regular scopes
Management scope            New-ManagementScope              Creates a regular or exclusive management scope for recipients or Exchange objects
Management scope            Remove-ManagementScope           Removes management scopes that are orphaned
Management scope            Set-ManagementScope              Updates the existing configuration of a management scope
RBAC Manager
RBAC Manager provides a GUI interface to manage the implementation of RBAC
within your organization. This tool provides more advanced functionality for
managing RBAC than the EAC.
This is an open-source tool (not from Microsoft) that is not actively in development
and has not been updated since 2012. The description for the tool states that it works
with Exchange Server 2010 and Exchange Server 2013 Preview. However, RBAC
Manager does work with Exchange Server 2016.
To install RBAC Manager, you need to have .NET Framework 3.5.1 installed. Because
this is not used for Exchange Server 2016, you are better off installing this tool on a
workstation rather than a server running Exchange Server 2016. The tool connects to
an Exchange server and uses PowerShell remoting to perform its tasks. As long as the
cmdlets for managing RBAC remain the same, RBAC Manager should continue to
work properly. If you view the log file, you can see the cmdlets that are being used as
you perform tasks in the application.
In the RBAC Manager window, there are four tabs that can be used to manage your
RBAC configuration:
Show Management Roles
Show Assignment Policies
Show Role Groups
Show Management Scopes
Figure 12.6 shows the tabs available in RBAC Manager—from left to right, they are
Show Management Roles, Show Role Assignment Policies, Show Role Groups, and
Show Management Scopes.
Figure 12.6 Tabs to manage roles, role assignment policies, role groups, and scopes
The Show Management Roles tab (brown briefcase image) displays all the built-in
management roles that are created during the installation of Exchange Server 2016.
Any custom management roles are stored underneath the parent management role.
Built-in management roles are listed in green, and custom management roles are
listed in blue.
The Show Role Assignment Policies tab displays all the mailbox role assignment
policies in the right pane. Much like the Show Management Roles tab, the Default
Role Assignment Policy that is created during install is listed in green, and any new
role assignment policy is listed in blue.
To see all the administrators and security groups that have been assigned a role, you
can use the Show Role Groups tab. All security groups that have been assigned a role
are displayed as green, and roles that have been assigned directly to a user are
displayed in blue.
The last tab, Show Management Scopes, provides a list of all the custom management
scopes you have created in your organization.
Defining Roles
The management role is the key component of RBAC. This section will go into a little
more detail about roles and show you how to choose an existing role to assign and
how to create a custom role if it's necessary.
What's in a Role?
At the most basic level, a management role is a grouping of Exchange cmdlets and
parameters. Anyone who is assigned the management role has permissions to execute
those cmdlets with those parameters. To illustrate this more clearly, let's examine a
management role. The Mailbox Import Export role is a built-in role in Exchange,
meaning that Exchange created this role by default during setup. There are many
built-in roles, but we'll look at Mailbox Import Export in particular for this example.
The Mailbox Import Export role allows assignees to run the following cmdlets:
New-MailboxImportRequest
Get-MailboxImportRequest
Set-MailboxImportRequest
Suspend-MailboxImportRequest
Resume-MailboxImportRequest
Remove-MailboxImportRequest
Get-MailboxImportRequestStatistics
New-MailboxExportRequest
Get-MailboxExportRequest
Set-MailboxExportRequest
Suspend-MailboxExportRequest
Resume-MailboxExportRequest
Remove-MailboxExportRequest
Get-MailboxExportRequestStatistics
Get-Notification
Set-Notification
Get-Mailbox
Search-Mailbox
Start-AuditAssistant
Write-AdminAuditLog
Get-UnifiedAuditSetting
Set-UnifiedAuditSetting
Set-ADServerSettings
To get the list of the management role entries for a management role, run this
command:
Get-ManagementRoleEntry "Mailbox Import Export\*" | fl name
Having the Get-Mailbox cmdlet as a part of this role is especially important. If you
don't have any Get-* cmdlets defined in your roles, the assignee cannot retrieve the
data they are modifying. With each one of these cmdlets, the role defines which
parameters the assignee can use. If the parameter isn't in this list, it can't be used. For
example, the Mailbox Import Export role doesn't specify that the assignees can use the
Database parameter with the Get-Mailbox cmdlet. Because of this, the assignee can't list
all the mailboxes on a database unless they are assigned another role that has those
permissions.
To get the list of the parameters that are available for a specific role entry, run this
command:
(Get-ManagementRoleEntry "Mailbox Import Export\get-mailbox").parameters
Because PowerShell is the underlying command-execution engine in Exchange, you
can see how this level of granularity is very powerful. In RBAC terms, these cmdlets
are referred to as management role entries. There is another type of management role
that allows you to use PowerShell scripts and non-Exchange cmdlets as management
role entries, but we'll look at that a little later, in the section, “Unscoped Top-Level
Roles: The Exception.” Figure 12.7 shows the relationship between management roles
and management role entries.
Figure 12.7 The relationship between a management role and its management role
entries
As discussed earlier in this chapter, the RBAC data is stored in Active Directory. Each
management role has an associated object of the object type msExchRole in Active
Directory. The role objects are stored in the Configuration Naming Context inside the
following container: Services\Microsoft Exchange\OrgName\RBAC\Roles. If you were to
examine this in ADSI Edit, you would see something similar to Figure 12.8.
Figure 12.8 The role objects in Active Directory
If you were to open the Mailbox Import Export role object (CN=Mailbox Import
Export), you would see the Properties dialog shown in Figure 12.9.
Figure 12.9 The properties for the Mailbox Import Export role object
You will notice that one of the attributes on this object is the msExchRoleEntries
attribute. This is a multivalued string attribute that lists each management role entry
and the parameters that role assignees can run. Figure 12.10 shows the values that the
Mailbox Import Export object has for its msExchRoleEntries attributes, as viewed in
ADSI Edit.
Figure 12.10 The management role entries for the Mailbox Import Export role as
seen in ADSI Edit
So as you can see, management role entries are added to management roles as an
attribute of the management role. The management role itself is its own object. Each
of these management role entries defines an Exchange cmdlet that an assignee can
run.

Choosing a Role

Exchange already has several management roles defined out of the box. These defined
roles give you a great degree of flexibility without having to create and customize your
own management roles. For the sake of simplicity and manageability, these built-in
roles should be used whenever possible.

But how do you know which built-in role to use? Let's pretend that you didn't know
the Mailbox Import Export role existed. However, you have an ongoing legal
investigation and you need to give your lawyer, Richard, the ability to import mail
stored on the personal folder store to a specific mailbox. To determine which role you
need to assign to Richard, you can use the Get-ManagementRoleEntry cmdlet. With it,
you can specify wildcards to determine the following:

Which management role contains a particular management role entry
Which management role entries are allowed for a particular management role

To determine which role allows Richard to run the New-MailboxImportRequest cmdlet,
you can run the following EMS command:

Get-ManagementRoleEntry "*\New-MailboxImportRequest"

Name                          Role                   Parameters
----                          ----                   ----------
New-MailboxImportRequest      Mailbox Import Export  {AcceptLargeDataLos…

As you can see from the command's output, the New-MailboxImportRequest cmdlet is
added only to the Mailbox Import Export role. There are no other options by default in
Exchange. If you want to use the built-in roles, you must assign the Mailbox Import
Export role to Richard.

You will also notice that in the command we specified *\New-MailboxImportRequest as
the management role entry for which we were looking. When working with
management role entries, the identity of each entry is in the following format:
management role\management role entry. By specifying a wildcard character (*) in
place of the management role portion, we told the cmdlet to retrieve every
management role that has the New-MailboxImportRequest cmdlet defined on it. You can
use wildcards in different places and retrieve different results.

For example, let's pretend that you stumbled across the Mailbox Import Export role
and you want to find out what management role entries this management role allows.
Again, you can use the Get-ManagementRoleEntry cmdlet to find this information.
However, this time you will place the wildcard at the end of the role entry's identity
instead of the beginning. The following command retrieves the management role
entries that the Mailbox Import Export management role allows:

Get-ManagementRoleEntry "Mailbox Import Export\*"

Name                          Role                   Parameters
----                          ----                   ----------
Write-AdminAuditLog           Mailbox Import Export  {Comment, Confirm,…
Suspend-MailboxImportRequest  Mailbox Import Export  {Confirm, Debug, Do…
Suspend-MailboxExportRequest  Mailbox Import Export  {Confirm, Debug, Do…
Start-AuditAssistant          Mailbox Import Export  {Identity}
Set-UnifiedAuditSetting       Mailbox Import Export  {Debug, ErrorAction…
Set-Notification              Mailbox Import Export  {Confirm, Debug, Do…
Set-MailboxImportRequest      Mailbox Import Export  {AcceptLargeDataLos…
Set-MailboxExportRequest      Mailbox Import Export  {AcceptLargeDataLos…
Set-ADServerSettings          Mailbox Import Export  {ConfigurationDomai…
Search-Mailbox                Mailbox Import Export  {Confirm, Debug, De…
Resume-MailboxImportRequest   Mailbox Import Export  {Confirm, Debug, Do…
Resume-MailboxExportRequest   Mailbox Import Export  {Confirm, Debug, Do…
Remove-MailboxImportRequest   Mailbox Import Export  {Confirm, Debug, Do…
Remove-MailboxExportRequest   Mailbox Import Export  {Confirm, Debug, Do…
New-MailboxImportRequest      Mailbox Import Export  {AcceptLargeDataLos…
New-MailboxExportRequest      Mailbox Import Export  {AcceptLargeDataLos…
Get-UnifiedAuditSetting       Mailbox Import Export  {Debug, ErrorAction…
Get-Notification              Mailbox Import Export  {Debug, DomainContr…
Get-MailboxImportRequestSta…  Mailbox Import Export  {Debug, Diagnostic,…
Get-MailboxImportRequest      Mailbox Import Export  {BatchName, Debug,…
Get-MailboxExportRequestSta…  Mailbox Import Export  {Debug, Diagnostic,…
Get-MailboxExportRequest      Mailbox Import Export  {BatchName, Debug,…
Get-Mailbox                   Mailbox Import Export  {Anr, Credential, D…

By using Mailbox Import Export\* in the command, we told the cmdlet to retrieve
every management role entry that is defined on the Mailbox Import Export
management role. When deciding which roles you need to assign to administrators,
it's very important to look at not only what role allows the administrator to do their
job but also what other permissions the administrator will gain when using one of the
built-in roles.

Customizing Roles

You should always turn to the built-in management roles first and determine if you
can use what's already there before attempting to customize your own roles. However,
there may be times when the built-in roles offer you too much access. To illustrate
this, let's continue with the scenario of your legal struggles. In the previous section,
we determined that to give Richard, your lawyer, the ability to import mail stored in
PST files, you could assign him the Mailbox Import Export role. This role allows him
to run the cmdlets we identified earlier.

Now let's suppose that you run a very tight ship. When you examined the Mailbox
Import Export role, you noticed that not only does the role give Richard the ability to
import mail, but it also gives him the ability to export it. Knowing this, you've decided
that you don't want your lawyer to be able to export mail from people's mailboxes. In
this case, you can create a custom management role.

How a Custom Role Works

To create a new custom management role, you must start with an existing
management role and copy it. You cannot create a custom management role from
scratch (however, there is one exception that we will discuss shortly in the section
“Unscoped Top-Level Roles: The Exception”). Each custom role that you create must
inherit properties from an existing management role that is already in place. This
forms a parent/child relationship between an existing role (the parent) and the
custom role (the child). Let's take a closer look at the Mailbox Import Export role to
understand this more clearly.

To fulfill the scenario that we just discussed of allowing Richard to only import mail,
you would have to create a custom role that is similar to the Mailbox Import Export
role but that doesn't have the ability to export mail. Because every custom role must
have a parent management role that already exists, we can make the Mailbox Import
Export role the parent to our new custom role. We'll call this new role Mailbox Import
Only.

When we create the custom role, it will be able to use only the same management role
entries that the parent role uses. This will give the Mailbox Import Only role access to
the same management role entries defined on its parent role, Mailbox Import Export.
We cannot add any role entries to our new custom role that aren't already included in
the Mailbox Import Export role. This restriction applies not only to the cmdlets but
also to the parameters on the cmdlets. Because of this, the role entries that the child
role can have are limited to the role entries defined on the parent. Even though we
don't have the ability to add role entries to the Mailbox Import Only role, we do have
the ability to remove them. In this case, you would remove access to all the
MailboxExportRequest cmdlets.

This leaves the Mailbox Import Only role without any of the MailboxExportRequest
cmdlets. Figure 12.11 illustrates the relationship between the parent and child roles.

Figure 12.11 The relationship between a parent role and a child role

Defining Custom Roles

To create custom roles, you must use the EMS or RBAC Manager. The EAC does not
give you the ability to manage custom roles. When defining these roles, you will use
the following cmdlets:

New-ManagementRole: Creates a new custom role
Remove-ManagementRole: Deletes a custom role that you previously created
Add-ManagementRoleEntry: Adds a role entry onto an existing role
Remove-ManagementRoleEntry: Removes a role entry that you previously added
Set-ManagementRoleEntry: Adjusts the parameters that can be used on a role entry
that has already been added to a role

To continue with the legal scenario, let's create the Mailbox Import Only role using
the New-ManagementRole cmdlet. When using the cmdlet, you specify the name of the
new role and the parent from which the role is inheriting its management role entries.
The following example creates the Mailbox Import Only role that we've been
discussing:

New-ManagementRole "Mailbox Import Only" -Parent "Mailbox Import Export"

Name                 RoleType
----                 --------
Mailbox Import Only  MailboxImportExport

You can run the Get-ManagementRoleEntry cmdlet on this newly created role to see that,
by default, the custom role defines all the same role entries that the parent role has:

Get-ManagementRoleEntry "Mailbox Import Only\*"

Name                          Role                 Parameters
----                          ----                 ----------
Get-Mailbox                   Mailbox Import Only  {Anr, Credential, D…
Get-MailboxExportRequest      Mailbox Import Only  {BatchName, Debug,…
Get-MailboxExportRequestSta…  Mailbox Import Only  {Debug, Diagnostic,…
Get-MailboxImportRequest      Mailbox Import Only  {BatchName, Debug,…
Get-MailboxImportRequestSta…  Mailbox Import Only  {Debug, Diagnostic,…
Get-Notification              Mailbox Import Only  {Debug, DomainContr…
Get-UnifiedAuditSetting       Mailbox Import Only  {Debug, ErrorAction…
New-MailboxExportRequest      Mailbox Import Only  {AcceptLargeDataLos…
New-MailboxImportRequest      Mailbox Import Only  {AcceptLargeDataLos…
Remove-MailboxExportRequest   Mailbox Import Only  {Confirm, Debug, Do…
Remove-MailboxImportRequest   Mailbox Import Only  {Confirm, Debug, Do…
Resume-MailboxExportRequest   Mailbox Import Only  {Confirm, Debug, Do…
Resume-MailboxImportRequest   Mailbox Import Only  {Confirm, Debug, Do…
Search-Mailbox                Mailbox Import Only  {Confirm, Debug, De…
Set-ADServerSettings          Mailbox Import Only  {ConfigurationDomai…
Set-MailboxExportRequest      Mailbox Import Only  {AcceptLargeDataLos…
Set-MailboxImportRequest      Mailbox Import Only  {AcceptLargeDataLos…
Set-Notification              Mailbox Import Only  {Confirm, Debug, Do…
Set-UnifiedAuditSetting       Mailbox Import Only  {Debug, ErrorAction…
Start-AuditAssistant          Mailbox Import Only  {Identity}
Suspend-MailboxExportRequest  Mailbox Import Only  {Confirm, Debug, Do…
Suspend-MailboxImportRequest  Mailbox Import Only  {Confirm, Debug, Do…
Write-AdminAuditLog           Mailbox Import Only  {Comment, Confirm,…

Now that the role is created, you can remove the MailboxExportRequest cmdlets from
the list of role entries. To do so, you run the Remove-ManagementRoleEntry cmdlet and
specify the role entry that you want to remove. Because there are multiple cmdlets
with MailboxExportRequest, you will first run Get-ManagementRoleEntry and pipe the
results to Remove-ManagementRoleEntry. When you run this command, you will be
prompted with a confirmation message that asks you if you are sure that you want to
remove the role entry. You can bypass this message by adding the -Confirm:$False
parameter to the command. The following example demonstrates the command you
would use to remove the MailboxExportRequest cmdlets from the Mailbox Import Only
role, bypassing the confirmation message:

Get-ManagementRoleEntry "Mailbox Import Only\*-MailboxExportRequest" | Remove-ManagementRoleEntry -Confirm:$false

To verify that the role entry was removed, you can run the Get-ManagementRoleEntry
cmdlet again to retrieve the management role entries on the management role. You
will notice that all the management role entries for MailboxExportRequest have been
removed:

Get-ManagementRoleEntry "Mailbox Import Only\*"

Name                          Role                 Parameters
----                          ----                 ----------
Get-Mailbox                   Mailbox Import Only  {Anr, Credential, D…
Get-MailboxExportRequestSta…  Mailbox Import Only  {Debug, Diagnostic,…
Get-MailboxImportRequest      Mailbox Import Only  {BatchName, Debug,…
Get-MailboxImportRequestSta…  Mailbox Import Only  {Debug, Diagnostic,…
Get-Notification              Mailbox Import Only  {Debug, DomainContr…
Get-UnifiedAuditSetting       Mailbox Import Only  {Debug, ErrorAction…
New-MailboxImportRequest      Mailbox Import Only  {AcceptLargeDataLos…
Remove-MailboxImportRequest   Mailbox Import Only  {Confirm, Debug, Do…
Resume-MailboxImportRequest   Mailbox Import Only  {Confirm, Debug, Do…
Search-Mailbox                Mailbox Import Only  {Confirm, Debug, De…
Set-ADServerSettings          Mailbox Import Only  {ConfigurationDomai…
Set-MailboxImportRequest      Mailbox Import Only  {AcceptLargeDataLos…
Set-Notification              Mailbox Import Only  {Confirm, Debug, Do…
Set-UnifiedAuditSetting       Mailbox Import Only  {Debug, ErrorAction…
Start-AuditAssistant          Mailbox Import Only  {Identity}
Suspend-MailboxImportRequest  Mailbox Import Only  {Confirm, Debug, Do…
Write-AdminAuditLog           Mailbox Import Only  {Comment, Confirm,…
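
The create, trim and verify steps above, collected into one script as an added example (not code from the book). It assumes an Exchange Management Shell session with rights to manage roles, and it uses the broader pattern *MailboxExportRequest* because *-MailboxExportRequest does not match Get-MailboxExportRequestStatistics, which is why that entry still appears in the verification listing.

```powershell
# Added example: build the import-only child role and review what it still grants.
# Assumes an Exchange Management Shell session with permission to manage roles.
$parent = 'Mailbox Import Export'
$child  = 'Mailbox Import Only'

# Create the child role only if it is not already present.
if (-not (Get-ManagementRole $child -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $child -Parent $parent | Out-Null
}

# Remove every export-related entry, including Get-MailboxExportRequestStatistics.
Get-ManagementRoleEntry "$child\*MailboxExportRequest*" |
    Remove-ManagementRoleEntry -Confirm:$false

$parentNames = @(Get-ManagementRoleEntry "$parent\*" | ForEach-Object { $_.Name })
$childNames  = @(Get-ManagementRoleEntry "$child\*"  | ForEach-Object { $_.Name })

# Change record: entries present on the parent but dropped from the child.
$removed = @($parentNames | Where-Object { $childNames -notcontains $_ } | Sort-Object)

# Check: nothing export-related may survive on the child role.
$leftover = @($childNames | Where-Object { $_ -like '*MailboxExport*' })
if ($leftover.Count -gt 0) {
    Write-Warning "Export entries still present on '$child': $($leftover -join ', ')"
}

# Review aid: everything the child role can still change (any verb other than Get).
$nonRead = @($childNames | Where-Object { $_ -notlike 'Get-*' } | Sort-Object)

[pscustomobject]@{
    Role           = $child
    RemovedEntries = $removed -join ', '
    LeftoverExport = $leftover -join ', '
    NonReadEntries = $nonRead -join ', '
} | Format-List
```

The NonReadEntries line is the part to read before assigning the role: it lists what the assignee gains beyond the import cmdlets.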

Unscoped Top-Level Roles: The Exception

Earlier in this section, we stated that there was an exception to the fact that custom
management roles require an existing management role to be the parent. That
exception is a special type of management role called the unscoped top-level role. This
type of role does not have a parent. The unscoped top-level role allows you to define
both PowerShell scripts and non-Exchange cmdlets as its role entries. This type of role
is highly customized, so it can't have a parent role because there is no starting point
for it. You would typically want to use an unscoped top-level role when you want to
strictly limit what an administrator can do, such as only giving them access to
predefined scripts.

By default, no one has permissions to create unscoped top-level roles. If you want to
grant these permissions to an administrator, you will need to assign the role called
Unscoped Role Management to the administrator who needs to create unscoped
top-level roles.

To create the unscoped top-level role, use the New-ManagementRole cmdlet with the
UnscopedTopLevel parameter. If the UnscopedTopLevel parameter isn't available, that
means you have not been assigned the Unscoped Role Management role. The
following example creates an unscoped top-level role called RunCustomScripts:

New-ManagementRole "RunCustomScripts" -UnScopedTopLevel

Name              RoleType
----              --------
RunCustomScripts  UnScoped

After the role is created, you can use the Add-ManagementRoleEntry cmdlet to add
custom scripts or non-Exchange cmdlets as role entries on the role. When you run
this cmdlet, specify the script with the syntax of ManagementRole\Script. Also specify
the type of role entry you are adding (script or cmdlet), and use the UnScopedTopLevel
parameter. You can also use the Parameters parameter to specify what parameters can
be used with the script. For example, to add the custom script called
CheckServerHealth.ps1 to the RunCustomScripts role, you would use the following
command:

Add-ManagementRoleEntry "RunCustomScripts\CheckServerHealth.ps1" -UnScopedTopLevel -Type Script -Parameters CheckServices,CheckLogs

Lastly, you need to assign the unscoped role to a security group or a user. The process
for assigning roles is discussed later in this chapter.

Distributing Roles

After you have defined the roles you want to use in your RBAC implementation, you
must distribute those roles to administrators and end users. This section will discuss
the important aspects of role distribution and show you how to distribute roles to both
administrators and end users.

Determining Where Roles Will Be Applied

When distributing roles, one important detail that should not be overlooked is where
those roles apply. In RBAC, this is referred to as the role's scope. The scope defines
what objects (such as recipients or servers) the role can impact. As you'll see
throughout this section, scopes are extremely flexible. They allow roles to be applied
throughout the organization or even restricted to just a particular OU of recipients in
Active Directory. Scopes can be used as part of limiting administrative permissions to
only what is required.

Inherited Scopes

Every role has a scope. When a role is created, it has a default scope, also known as an
implicit scope. There are two types of implicit scopes: a recipient scope and a
configuration scope. The recipient scope defines which recipients the role can impact.
The configuration scope defines which configuration components the role can impact.
To illustrate how this applies to a role, let's look at our example of the Mailbox Import
Export role. We can use the Get-ManagementRole cmdlet to view the implicit scope
defined on this role:

Get-ManagementRole "Mailbox Import Export" | fl *scope*

ImplicitRecipientReadScope  : Organization
ImplicitRecipientWriteScope : Organization
ImplicitConfigReadScope     : OrganizationConfig
ImplicitConfigWriteScope    : OrganizationConfig

The first thing you will notice is that there are four scope attributes on the role. Each
type of scope (recipient and configuration) has both a read scope and a write scope
associated with it. In most cases, the read and write scope are the same. However,
there are a few roles where they are different. If you run the following command, you
can see the roles that have different read and write scopes defined. As you can tell
from the output of the command, the cases where the read and write scope differ
make sense. For example, the View-Only Configuration role can read the
configuration of Exchange but not write to it.

Get-ManagementRole | where {
$_.ImplicitRecipientReadScope -ne $_.ImplicitRecipientWriteScope -or
$_.ImplicitConfigReadScope -ne $_.ImplicitConfigWriteScope } |
fl Name,*scope*

Name                        : Legal Hold
ImplicitRecipientReadScope  : Organization
ImplicitRecipientWriteScope : Organization
ImplicitConfigReadScope     : OrganizationConfig
ImplicitConfigWriteScope    : None

Name                        : View-Only Configuration
ImplicitRecipientReadScope  : Organization
ImplicitRecipientWriteScope : None
ImplicitConfigReadScope     : OrganizationConfig
ImplicitConfigWriteScope    : None

Name                        : View-Only Recipients
ImplicitRecipientReadScope  : Organization
ImplicitRecipientWriteScope : None
ImplicitConfigReadScope     : OrganizationConfig
ImplicitConfigWriteScope    : None

Name                        : MyDistributionGroups
ImplicitRecipientReadScope  : MyGAL
ImplicitRecipientWriteScope : MyDistributionGroups
ImplicitConfigReadScope     : OrganizationConfig
ImplicitConfigWriteScope    : None

Name                        : O365SupportViewConfig
ImplicitRecipientReadScope  : Organization
ImplicitRecipientWriteScope : None
ImplicitConfigReadScope     : OrganizationConfig
ImplicitConfigWriteScope    : None

Name                        : View-Only Audit Logs
ImplicitRecipientReadScope  : Organization
ImplicitRecipientWriteScope : None
ImplicitConfigReadScope     : OrganizationConfig
ImplicitConfigWriteScope    : None

Table 12.2 shows the various types of the scope parameters and what each of these
values means.

Table 12.2 Implicit Scope Values

Scope | Applies to Recipient Scope | Applies to Configuration Scope | Description
MyDistributionGroups | Yes | No | If in the read scope, allows read access to distribution groups owned by the user. If in the write scope, allows users to create or modify distribution lists that they own.
MyGAL | Yes | No | View the properties of recipients in the GAL. Valid only with the read scope.
None | Yes | Yes | Disallows access to the scope to which it's applied.
Organization | Yes | No | If in the read scope, gives users read access to all recipients in the organization. If in the write scope, gives users the ability to create or modify recipients in the organization.
OrganizationConfig | No | Yes | If in the read scope, allows the user to view the configuration of any server in the organization. If in the write scope, the user can modify configuration settings on any server.
Self | Yes | No | If in the read scope, users can view only their own properties. If in the write scope, users can modify their properties.

The implicit scope that is defined on a role cannot be changed. When you define a
custom role, the same implicit scopes on the parent role also apply to the custom role,
and they cannot be changed. However, the implicit scopes defined on the roles can be
overwritten. To overwrite the implicit scopes, you can set an explicit scope on the role
assignment, instead of configuring it on the role. Explicit scopes are scopes that you
apply, as opposed to the implicit scopes that Exchange has already applied. Explicit
scopes come in two forms: predefined scopes and custom scopes.

Overwriting the Writes

Explicit scopes only overwrite the write scopes associated with the role. The read
scopes will always apply, regardless of any explicit scope defined in the role
assignment. Because of this, you can't specify an explicit write scope that isn't
within the read scope of the management role. For example, if the read scope on a
role is Self, you can't specify a write scope of Organization.

Using Predefined Scopes

Predefined scopes are explicit scopes that Exchange makes available to you by default.
These predefined scopes apply only to the recipient scope type. Exchange creates the
following predefined scopes:

MyDistributionGroups: Allows users to create distribution groups and modify the
properties of distribution groups where they are defined as the owner.
Organization: Allows users that hold the role to modify recipients in the entire
organization. For example, if the role allows users to change the recipient display
name, this scope would allow the role holders to change it for any recipient in the
organization.
Self: Allows users to modify only their own properties. For example, if the role
allows users to change the recipient display name, this scope would allow the role
holder to change only their own display name.

Creating Custom Scopes

Aside from using an existing predefined scope, you can create a custom scope that
offers more flexibility. Custom scopes are extremely useful because they allow you to
narrow down the scope of a role to a very granular level. For example, you can narrow
down the scope of recipients to a specific OU or only recipients with a specific
attribute set on their accounts. For servers, you can narrow down the configuration
scope to a specific site or even name the servers themselves. For databases, you can
select a static set of databases or use a filter to manage databases that have a common
configuration.

Along with configuring which objects a custom scope is applied to, you can configure
if the scope is exclusive or regular. By default, all new scopes are created as regular;
however, you can specify that a custom scope be an exclusive scope. An exclusive
scope and a regular scope act almost the same. The major difference between them is
that an exclusive scope prevents any administrator that is not associated with an
exclusive scope from making changes to objects even if the object falls within the
boundaries of a regular scope. Once you set a scope as an exclusive scope, the deny
action takes effect immediately. For example, if you have a role group named
BaltimoreIT, with the custom write scope of the Baltimore OU, members of the
BaltimoreIT group would be able to manage users in the Baltimore OU based on the
roles applied to the BaltimoreIT group. If you created a new exclusive scope with a
filter to include anyone with “Manager” in the Department field, administrators of the
BaltimoreIT group would not be able to edit users in the Baltimore OU that have
“Manager” in the Department field unless they have been associated with the new
exclusive scope or an equivalent exclusive scope. Figure 12.12 illustrates the
implementation of an exclusive scope (note that the -eq operator stands for equal).

Figure 12.12 Implementation of an exclusive scope

Like predefined scopes, custom scopes are applied to the role assignments and not the
roles themselves. However, unlike with predefined scopes, you can specify a
configuration scope as well as a recipient scope. You can create a custom scope using
the New-ManagementScope cmdlet. When you create the scope, you have several options
that give you the ability to narrow the scope as granularly as you want. You have the
following options when creating the scope:

DatabaseList: Allows you to specify a list of databases to which this scope applies.
DatabaseRestrictionFilter: Allows you to define a filter based on databases'
attributes to which the scope applies. For example, you can filter out databases
that match a certain string.
RecipientRestrictionFilter: Gives you the ability to define a filter based on
attributes on the recipient. For example, you can define a scope whose recipients
include only the people on the fourth floor of a specific building.
RecipientRoot: Allows you to restrict the scope to an OU in Active Directory.
ServerList: Allows you to specify a list of servers to which this scope applies.
ServerRestrictionFilter: Allows you to define a filter based on server attributes to
which the scope applies. For example, you can filter out the servers based on the
Active Directory site they are in.

To illustrate how this works, let's create a couple of custom scopes.

For our first example, we'll say that you want to create a scope that allows you to
confine certain roles to only servers in Baltimore. To accomplish this, we'll use the
New-ManagementScope cmdlet with the ServerRestrictionFilter parameter. In this
parameter, we'll create a filter that specifies only servers in the Baltimore Active
Directory site. The following command would be used:

New-ManagementScope -Name "BaltimoreSite" -ServerRestrictionFilter { ServerSite -eq "CN=Baltimore,CN=Sites,CN=Configuration,DC=contoso,DC=com" }

For the next example, we'll build a custom recipient scope that applies only to users in
the Accounting OU in Active Directory. Referring to the preceding list, you can see
that you will need to use the RecipientRoot parameter. You are also required to specify
a RecipientRestrictionFilter, but you can set this to be all accounts that are user
mailboxes. This command creates a scope that includes all user mailboxes in the
Accounting OU:

New-ManagementScope -Name "AccountingOnly" -RecipientRoot "OU=Accounting,DC=contoso,DC=com" -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

You can also create a custom recipient scope based only on a filter. The following
command creates a scope that includes only mailboxes that are considered Discovery
Mailboxes:

New-ManagementScope -Name "DiscoveryMailboxes" -RecipientRestrictionFilter { RecipientTypeDetails -eq "DiscoveryMailbox" }

In the last example, you can create a filter for all mailbox databases that start with
“Baltimore” in the string and ensure that only administrators assigned this role can
manage the Baltimore mailbox databases by using the Exclusive parameter:

New-ManagementScope -Name "BaltimoreDatabases" -DatabaseRestrictionFilter { Name -Like "Baltimore*" } -Exclusive -Force

After the scope is created, you can apply the role assignment. This is discussed in
more detail in the next section.
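
Because an exclusive scope starts denying as soon as it exists, a scope inventory is worth running after commands like those above. This is an added example (not from the book); it assumes an Exchange Management Shell session with read access to RBAC objects, and the report property names are its own.

```powershell
# Added example: inventory custom scopes and the role assignments that use them.
# Assumes an Exchange Management Shell session with read access to RBAC objects.
$report = foreach ($scope in Get-ManagementScope) {
    # Recipient scopes are referenced by the *RecipientWriteScope parameters;
    # server and database scopes by the *ConfigWriteScope parameters.
    $kind   = if ("$($scope.ScopeRestrictionType)" -eq 'RecipientScope') { 'Recipient' } else { 'Config' }
    $prefix = if ($scope.Exclusive) { 'Exclusive' } else { 'Custom' }

    # Builds e.g. -CustomRecipientWriteScope or -ExclusiveConfigWriteScope.
    $query = @{ "$prefix${kind}WriteScope" = $scope.Name }
    $uses  = @(Get-ManagementRoleAssignment @query)

    # Only one of the three filters is populated, depending on the scope type.
    $filter = @($scope.RecipientFilter, $scope.ServerFilter, $scope.DatabaseFilter) |
        Where-Object { $_ }

    [pscustomobject]@{
        Scope       = $scope.Name
        Type        = "$($scope.ScopeRestrictionType)"
        Exclusive   = [bool]$scope.Exclusive
        Root        = $scope.RecipientRoot
        Filter      = $filter -join ' '
        Assignments = $uses.Count
        Assignees   = ($uses | ForEach-Object { $_.RoleAssigneeName } |
                       Sort-Object -Unique) -join '; '
    }
}

$report | Sort-Object Exclusive, Scope | Format-Table -AutoSize -Wrap

# An exclusive scope with no assignment blocks every administrator from the
# objects it matches, so flag it for immediate review.
$report | Where-Object { $_.Exclusive -and $_.Assignments -eq 0 } | ForEach-Object {
    Write-Warning "Exclusive scope '$($_.Scope)' has no role assignment; matching objects cannot be managed."
}

# A regular scope that nothing references is clutter that can hide real changes.
$report | Where-Object { -not $_.Exclusive -and $_.Assignments -eq 0 } | ForEach-Object {
    Write-Output "Unused scope: $($_.Scope)"
}
```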

Geographic Roles vs. Tiered Roles

RBAC gives you great flexibility in designing the access model for your Exchange
implementation. There are many models that you can use when defining your
roles. The rule of thumb is that the RBAC model you adopt should mirror how
you manage your Exchange organization. There are two models in particular that
we've frequently encountered in various Exchange organizations.

The geographic management model divides the management of Exchange into
different physical regions. Suppose you're working with an organization that
wanted to have central control of the Exchange organization maintained from one
region but also allow other regions to manage their own Exchange servers and
recipients. This organization could use RBAC to define server scopes based on
sites and recipient scopes based on regional OUs.

Another organization might use a tiered management model. In this model, the
lower tier (Tier 1 in this case) handles basic recipient management tasks. Higher
tiers (Tier 2 and Tier 3) handle more advanced tasks. As you get to higher tiers of
support, the permissions get less and less restrictive. Eventually, you would reach
the top tier of support, providing an administrator or a group of administrators
the rights to manage all tasks within the Exchange organization. This organization
could also use RBAC to their benefit by creating different role groups for each tier
of support and assigning the necessary roles to the appropriate tiers. In this case,
the scope of management is the entire organization, so there would be no need to
specify an explicit scope.

Assigning Roles to Administrators

The process for assigning roles to administrators is different than the process for
assigning roles to end users. The roles that administrators are assigned are inherently
different from the roles that users are assigned. Administrators need to have the
permissions to manage and configure Exchange. Before we go further and show you
how to assign roles to administrators, you should first understand how role
assignments work for administrators.

How Roles Are Assigned to Administrators

When assigning roles to administrators, you have two options. The first option is to
assign the role to a management role group and then add the administrator to the role
group. This is the easiest and preferred method of assigning roles to administrators.
The second option is to assign the role directly to the administrator's account using a
direct role assignment.

Regardless of which method you use, management roles are assigned to either the
management role group or the administrator's account using a management role
assignment. In Active Directory, an msExchRoleAssignment object is created that
represents the role assignment between the account and the role. These role
assignment objects are stored in the Configuration Naming Context under the
container Services\Microsoft Exchange\<OrgName>\RBAC\Role Assignments.

When these role assignments are created, the default name of the assignment object
is the name of the role, followed by a hyphen, followed by the name of the object to
which it's being assigned. Figure 12.13 shows an example of a role assignment. Here,
the Mail Recipients role is assigned to the Organization Management role group.

Figure 12.13 A role assignment object is created in Active Directory when roles are
assigned

If you were to take a closer look at the role assignment object, you would see that the
msExchRoleLink attribute corresponds to the Mail Recipients role's AD object and the
msExchUserLink attribute corresponds to the distinguished name of the Organization
Management security group (Figure 12.14). This is how a role is united with the
assignee.

Figure 12.14 A deeper look at the role assignment object in Active Directory

You can retrieve a list of the role assignments in the EMS by running the
Get-ManagementRoleAssignment cmdlet with no parameters. Several role assignments are
created by default. The following example is only a partial listing:

Get-ManagementRoleAssignment

Name                      Role     RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserName
----                      ----     ----------------  ----------------  ----------------  -----------------
View-Only Configuratio…   View-O…  Delega…           RoleGroup         Direct            All G…
Legal Hold-Discovery M…   Legal…   Discov…           RoleGroup         Direct            All G…
Mailbox Search-Discove…   Mailbo…  Discov…           RoleGroup         Direct            All G…
User Options-Help Desk    User O…  Help Desk         RoleGroup         Direct            All G…
View-Only Recipients-H…   View-O…  Help Desk         RoleGroup         Direct            All G…
ApplicationImpersonati…   Applic…  Hygien…           RoleGroup         Direct            All G…
Receive Connectors-Hyg…   Receiv…  Hygien…           RoleGroup         Direct            All G…
Transport Agents-Hygie…   Transp…  Hygien…           RoleGroup         Direct            All G…
Transport Hygiene-Hygi…   Transp…  Hygien…           RoleGroup         Direct            All G…
View-Only Configuratio…   View-O…  Hygien…           RoleGroup         Direct            All G…
View-Only Recipients-H…   View-O…  Hygien…           RoleGroup         Direct            All G…
Active Directory Permi…   Active…  Organi…           RoleGroup         Direct            All G…
Active Directory Permi…   Active…  Organi…           RoleGroup         Direct            All G…
…

Figure 12.15 illustrates the relationship between management role assignments,
scopes, management roles, and management role groups. This figure shows that a
management role assignment object is used to assign a role to a role group.

Figure 12.15 The relationship between management role assignments, scopes,
management roles, and management role groups
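
The truncated listing above shows assignments, not people. The following added example (not from the book) resolves every role that carries the mailbox import or export cmdlets down to the accounts that effectively hold it, and separates out direct assignments, which bypass the preferred role-group method. It assumes an Exchange Management Shell session with read access to RBAC objects.

```powershell
# Added example: who can actually start mailbox import or export requests?
# Assumes an Exchange Management Shell session with read access to RBAC objects.
$cmdlets = 'New-MailboxImportRequest', 'New-MailboxExportRequest'

$holders = foreach ($cmdlet in $cmdlets) {
    # Every role, built-in or custom child, that carries this role entry.
    foreach ($entry in Get-ManagementRoleEntry "*\$cmdlet") {
        # -Delegating $false keeps regular assignments only; delegating
        # assignments allow handing the role out, not running its cmdlets.
        Get-ManagementRoleAssignment -Role $entry.Role -Delegating $false -GetEffectiveUsers |
            Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
            Select-Object @{ Name = 'Cmdlet'; Expression = { $cmdlet } },
                          Role, RoleAssigneeName, RoleAssigneeType,
                          AssignmentMethod, EffectiveUserName
    }
}

# One row per cmdlet, role and effective account.
$holders |
    Sort-Object Cmdlet, EffectiveUserName |
    Format-Table Cmdlet, Role, RoleAssigneeName, AssignmentMethod, EffectiveUserName -AutoSize

# Roles assigned straight to a user account never show up in role group
# membership reviews, so list them separately.
$direct = @($holders | Where-Object { "$($_.RoleAssigneeType)" -eq 'User' })
if ($direct.Count -gt 0) {
    Write-Warning "$($direct.Count) direct user assignment(s) grant mailbox import or export:"
    $direct | Format-Table Cmdlet, Role, RoleAssigneeName -AutoSize
}

# Accounts that hold export rights, for comparison against the approved list.
$exporters = @($holders |
    Where-Object { $_.Cmdlet -eq 'New-MailboxExportRequest' } |
    ForEach-Object { $_.EffectiveUserName } |
    Sort-Object -Unique)
Write-Output "Accounts able to export mailboxes: $($exporters.Count)"
$exporters
```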

Adding Administrators to a Management Role Group

You can add an administrator's account to a management role group using the EMS,
EAC, RBAC Manager or by adding the account directly to the group in Active Directory
using a tool, such as Active Directory Users and Computers. When you add an
administrator's account to a management role group, the account gains every role that
is specified on the role group. Roles are added cumulatively, so if an administrator's
account is a member of another role group, the account will retain those permissions
in addition to the permissions assigned by the roles of the new role group.

To add an administrator to a management role group, use the Add-RoleGroupMember
cmdlet. To use the cmdlet, specify the name of the management role group and the
administrator's account in the command. The following example shows the command
for adding lawyer Jennifer Fox's account to the Lawyers role group, which has
permissions only to export mail from a mailbox:

Add-RoleGroupMember "Lawyers" -Member "Jennifer Fox"

After you execute this command, you can verify that the administrator was added to
the group by enumerating the group membership using the Get-RoleGroupMember
command and specifying the name of the management role group:

Get-RoleGroupMember "Lawyers"

Name           RecipientType
----           -------------
Jennifer Fox   UserMailbox
Richard Alvin  UserMailbox

If you look in the Active Directory security group that represents the Lawyers group,
you will also notice that Jennifer Fox's account has been added as a member (Figure
12.16).

Figure 12.16 Administrator accounts are added to the AD group that represents
management role groups

You can also add the administrator's account to the role group through the EAC. This
provides a convenient method for modifying permissions without having to open a
remote PowerShell connection. You can use the following steps to add an
administrator account to a management role group in the EAC:

1. Sign in to EAC by using a web browser to connect to
https://<mailserverFQDN>/ECP.
2. In the Feature pane, in the left column of the EAC, select permissions.
3. In the toolbar across the top of the EAC, select the Admin Roles tab. The role
groups are populated in the list in the center of the EAC, as shown in Figure 12.17.

Figure 12.17 The list of management role groups is populated into the EAC

4. Double-click the role group to which you want to add the administrator's account.
The management role group's details will be displayed in a separate web browser
dialog.
5. In the role group's dialog, click the Add button (+ sign) under the Members list, as
shown in Figure 12.18.
6. The Select Members dialog will be displayed, listing the accounts that can be added
to the role group. Select the accounts you want to add one at a time, or highlight a
group of accounts and click the Add button to add them to the list. After you have
added all the accounts in the Select Members dialog, click OK.
7. When you are returned to the Details dialog for the role group, the accounts that
you added are displayed in the Members list. Click the Save button to close this
dialog and return to the EAC.

Figure 12.18 Click the Add button to add a member of a role group in the EAC

Whether you decide to use the EAC to add administrator accounts to management
role groups or you use the EMS cmdlets or RBAC Manager, the result is the same: the
administrators gain the permissions they need to do their job.
Modifying Role Groups
You may find that a role you want to assign is not available on any of the existing role
groups. You can modify the existing role groups or even create your own custom role
groups to assign the management roles you want to use. To add a role to an existing
role group, you have to create a role assignment for the group.
For example, let's suppose your legal team is a member of the Discovery Management
role group. The Discovery Management role group is assigned the roles Legal Hold
and Mailbox Search. The legal team needs to be able to search all mail content for
users in the Accounting OU over the last six years. The legal team discovers that some
of the mail content has been moved to PST files. You need to give the legal team the
ability to import messages from the PST files to mailboxes in the Accounting OU. To
do this, you can modify the Discovery Management role group and add the Mailbox
Import Only role to the group.
To modify an existing role group, use the New-ManagementRoleAssignment cmdlet to
create the role assignment between the Mailbox Import Only role and the Discovery
Management role group. When running the command, specify the SecurityGroup
parameter to indicate that the role is being assigned to a group and to identify the
group to which the role is being assigned. The following command demonstrates
adding the Mailbox Import Only role to the Discovery Management role group:
New-ManagementRoleAssignment -Role "Mailbox Import Only" -SecurityGroup "Discovery Management"
Name                     Role     RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserName
----                     ----     ----------------  ----------------  ----------------  -----------------
Mailbox Import Only-Di…  Mailbo…  Discov…           RoleGroup         Direct
When assigning a role to a role group, you have the ability to specify the scope that the
role impacts. Earlier in this chapter, we showed you how to use explicit scopes and
how to create your own custom scopes. If you want to apply a custom scope that you
created, specify the CustomConfigWriteScope and CustomRecipientWriteScope parameters.
For example, if you want to apply the Mailbox Import Only role to the users in the
Accounting OU, you can use the custom scope called AccountingOnly that we created
earlier in this chapter. The following command would apply this:
New-ManagementRoleAssignment -Role "Mailbox Import Only" -SecurityGroup "Discovery Management" -CustomRecipientWriteScope "AccountingOnly"
In most cases, the preferred method is to create a new role group and then use the
previous command to create the role assignment to assign the necessary roles to it. To
create a role group, use the New-RoleGroup cmdlet. Specify the name of the role group
you are creating and at least one role that will be assigned to the role group. In the
following example, we're creating the role group called Lawyers and assigning the
Mailbox Import Only role to it:
New-RoleGroup "Lawyers" -Roles "Mailbox Import Only"
Name     AssignedRoles     RoleAssignments   ManagedBy
----     -------------     ---------------   ---------
Lawyers  {Mailbox Import…  {Mailbox Import…  {contoso.com/Mic…
After the role group is created, you can manage it just like any existing role group. If
you are using Active Directory Users and Computers to manage groups created by the
New-RoleGroup cmdlet, the groups are located in the Microsoft Exchange Security
Groups OU. For the steps to add administrator accounts to this role group, see the
previous section.
Directly Assigning Roles to Administrators
Instead of adding administrator accounts to management role groups, you can assign
management roles directly to the administrator's account. Although this method is
available, it's not necessarily preferred. When you use this method of assigning
permissions, it's harder to track the roles that you delegate to administrators and it's
more difficult to manage the access.
Assigning Roles to End Users
When you are assigning roles to end users, the process is a little different than when
assigning roles to administrators. User roles serve a different purpose than do
administrator roles. Whereas administrators will need permissions assigned to
manage Exchange, users only need to be assigned permissions to modify contact
information, mailbox settings, marketplace apps, team mailboxes, and distribution
groups. Not only is the scope different between the administrators and users, but
users will be managing their own mailboxes instead of other people's mailboxes.
How Roles Are Assigned to End Users
As discussed in the previous section, administrators are assigned to roles either by
adding the administrator's account to a management role group that contains the
necessary roles or by assigning the management role directly to the administrator's
account. This process is quite different for end users.
Roles are assigned to end users using a role assignment policy. Each mailbox can have
only one role assignment policy attached to it. Management roles are tied to the role
assignment policy with management role assignments. Exchange creates a
management role assignment object in Active Directory that links the management
role with the management role assignment policy. If you are browsing the
management role assignment objects in Active Directory, you will notice that among
the assignments that link roles to role groups, you will also find assignments that link
roles to assignment policies. Most roles that are assigned to users start with “My”—for
example, MyBaseOptions or MyTeamMailboxes. Figure 12.19 shows the
MyBaseOptions role assigned to the Default Role Assignment Policy using a role
assignment object.
Figure 12.19 Role assignment objects are also used for assigning roles to role
assignment policies
Default User Roles
Every mailbox gets a role assignment policy by default when the mailbox is created.
The role assignment policy called Default is created when Exchange is installed and is
set to be the default policy for new mailboxes. On this default policy, seven roles are
assigned by default, as follows:
MyBaseOptions Allows users to modify basic mailbox settings for their own
mailbox. This includes settings for managing their ActiveSync device, inbox rules,
and so on.
MyContactInformation Gives users the ability to update their contact
information in Active Directory.
MyDistributionGroupMembership Gives users the ability to change their own
distribution group memberships. They can use this role to add or remove
themselves from distribution groups.
My Custom Apps Allows users to manage their custom apps.
My Marketplace Apps Allows users to manage their marketplace apps.
My ReadWriteMailbox Apps Allows users to install apps with
ReadWriteMailbox permissions.
MyTeamMailboxes Allows users to create a site mailbox and connect it to
SharePoint sites.
MyTextMessaging Allows users to manage their text messaging settings.
MyVoiceMail Allows users to change their voicemail settings, which includes the
ability to do things like changing their PIN.
The Default Role Assignment Policy doesn't have to remain as the default policy. You
can designate a different role assignment policy that you created to be the default
policy. When you do this, new mailboxes will use the new policy you defined instead
of the one Exchange created. The existing mailboxes that were using the Default Role
Assignment Policy will remain with that policy.
To change the Default Role Assignment Policy, use the Set-RoleAssignmentPolicy
cmdlet with the IsDefault parameter. The following EMS command changes the
Default Role Assignment Policy to a different policy:
Set-RoleAssignmentPolicy "ContactUpdateOnlyPolicy" -IsDefault
Working with Role Assignment Policies
Role assignment policies can be managed using the EAC, RBAC Manager, or the EMS.
In the EAC, you can add and remove certain user-specific roles to and from the role
assignment policy. You can do this by performing the following steps:
1. Sign in to EAC by using a web browser to connect to
https://<mailserverFQDN>/ECP.
2. On the Feature pane of the EAC, select Permissions.
3. In the toolbar across the top of the EAC, select the User Roles tab. The role
assignment policies are populated in the list in the center of the EAC.
4. Select the role assignment policy on which you want to assign or unassign roles.
When you select the role assignment policy, the Details pane to the right of the list
will display some information about the policy.
5. After you have selected the role assignment policy you want to modify, click the
Edit button or double-click the role assignment policy.
6. A new window will open displaying the role assignment policy you selected to edit.
You can assign or unassign roles by checking or unchecking the roles. The list of
roles for the Default Role Assignment Policy will look like Figure 12.20.
Figure 12.20 Check and uncheck the roles that you want to add to or remove
from the role assignment policy
7. After you have chosen the roles you want to assign to the policy, click the Save
button at the bottom of the dialog.
If you are prompted with a Warning dialog indicating that this policy change will
affect many users, click Yes to indicate that you want to continue.
Although you can assign roles to role assignment policies in EAC, this option does not
give you a lot of flexibility because you can't create or configure role assignment
policies. To do this, you must use the EMS or RBAC Manager to manage the role
assignment policies.
To start off, you can view a list of the role assignment policies that are currently in
existence by running the Get-RoleAssignmentPolicy cmdlet. No parameters are needed
to run this command. With a fresh Exchange organization, you should see only the
Default Role Assignment Policy. The following example demonstrates the use of this
command and the output:
Get-RoleAssignmentPolicy | fl Name,IsDefault,Description,RoleAssignments,AssignedRoles
Name          : Default Role Assignment Policy
IsDefault     : True
Description   : This policy grants end users the permission to set their
                options in Outlook on the web and perform other
                self-administration tasks.
AssignedRoles : {MyTeamMailboxes, MyDistributionGroupMembership, My Custom
                Apps, My Marketplace Apps, My ReadWriteMailbox Apps,
                MyBaseOptions, MyContactInformation, MyTextMessaging,
                MyVoiceMail}
You can view the roles that are tied to the policy by using the
Get-ManagementRoleAssignment cmdlet with the RoleAssignee parameter. Just specify the name of the
policy, and the roles will be enumerated for you. The following command
demonstrates this by listing all the roles in the Default Role Assignment Policy:
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | ft Name,Role
Name                                    Role
----                                    ----
MyTeamMailboxes-Default Role Assignm…   MyTeamMailboxes
MyDistributionGroupMembership-Defaul…   MyDistributionGroupMembership
My Custom Apps-Default Role Assignme…   My Custom Apps
My Marketplace Apps-Default Role Ass…   My Marketplace Apps
My ReadWriteMailbox Apps-Default Rol…   My ReadWriteMailbox Apps
MyBaseOptions-Default Role Assignmen…   MyBaseOptions
MyContactInformation-Default Role As…   MyContactInformation
MyTextMessaging-Default Role Assignm…   MyTextMessaging
MyVoiceMail-Default Role Assignment…    MyVoiceMail
If you can't use an existing role assignment policy, you can create a custom policy and
add your own set of roles to it. To create the policy itself, use the
New-RoleAssignmentPolicy cmdlet. The following example creates a new role assignment
policy that is similar to the default policy but removes some of the functionality in the
MyBaseOptions role:
New-RoleAssignmentPolicy "Limited Assignment Policy"
You can add a role to an existing policy by creating a new management role
assignment. This is serviced by the New-ManagementRoleAssignment cmdlet in the EMS.
Specify the role you are adding to the role assignment policy along with the name of
the role assignment policy itself. Let's say that you don't want users to have access to
the message-tracking features that come with the MyBaseOptions role. Therefore,
you've created a custom role based on MyBaseOptions, called MyLimitedBaseOptions, and
removed the message-tracking role entries from the role. The following command
adds the MyLimitedBaseOptions role to the policy we just created:
New-ManagementRoleAssignment -Role "MyLimitedBaseOptions" -Policy "Limited Assignment Policy"
After the role assignment policy is created and configured with the management roles
you want to use, you can start applying that policy to end users. To apply a role
assignment policy to end users, use the Set-Mailbox cmdlet in the EMS. When you do,
specify the name of the mailbox to which you are applying the policy as well as the
name of the policy you are applying. The following example sets the role assignment
policy on Lincoln's account to the Limited Assignment Policy we created previously:
Set-Mailbox "Lincoln Alexander" -RoleAssignmentPolicy "Limited Assignment Policy"
Auditing RBAC
As the previous sections have illustrated, there are a lot of moving parts in
implementing and managing an RBAC deployment. When RBAC is not working as
expected, it can be difficult to gather usable information to pinpoint where the
problem lies and search the changes made to your RBAC configuration. This section
will cover how to reveal what changes were made to your RBAC configuration and find
out which roles have been assigned to your users.
Seeing What Changes Were Made
Because RBAC provides administrators with control over an Exchange Server 2016
organization, it is critical that you closely monitor any changes made to the roles
assigned to your users. With any administrative change made in your Exchange Server
2016 organization, the change is recorded in the administrator audit log. Using the
administrator audit log, you will be able to reveal any modifications made to the RBAC
implementation. There are a couple ways to do this.
Exchange Admin Center
You can generate an administrator role group report through the EAC. This provides a
convenient method of retrieving changes made to role groups without having to filter
through the administrator audit logs. You can use the following steps to run a role
group report in the EAC:
1. Sign in to EAC by using a web browser to connect to
https://<mailserverFQDN>/ECP.
2. On the Feature pane of the EAC, select Compliance Management.
3. In the toolbar across the top of the EAC, select the Auditing tab. The built-in
reports are populated in the center of the EAC.
4. Select Run An Administrator Role Group Report.
5. A new window will open displaying all changes made to your role groups in the last
two weeks. The new window is broken down into four sections:
   The name and date of the role group(s) modified
   Lists of changes made against the role group and the user who made the change
   Date range to search for changes made against role groups
   The Select Role Groups button, which allows you to search for a specific role
   group
In Figure 12.21, you can see that the Administrator user changed the group
membership of the Compliance Management role group to include Jennifer Fox.
Figure 12.21 Auditing RBAC changes using the EAC
Exchange Management Shell
The administrator role group report does not provide all the RBAC changes made in
your Exchange Server 2016 organization. Using the Search-AdminAuditLog cmdlet, you
can search the administrator audit log for a specific cmdlet and parameter. For
example, let's use the previous example when we changed the role assignment policy
of Lincoln's mailbox to Limited Assignment Policy. To change Lincoln's role
assignment policy to Limited Assignment Policy, we used the Set-Mailbox cmdlet with
the RoleAssignmentPolicy parameter. To search the administrator audit log for role
assignment policy changes, you can run the following command to search the
administrator audit log:
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters RoleAssignmentPolicy -StartDate 04/01/2016 -EndDate 04/15/2016
RunspaceId         : df81c2a9-8234-4492-aed6-148468333098
ObjectModified     : contoso.com/Users/Lincoln Alexander
CmdletName         : Set-Mailbox
CmdletParameters   : {RoleAssignmentPolicy, Identity}
ModifiedProperties : {}
Caller             : contoso.com/Users/Administrator
…
Enable Active Directory Auditing
Role groups in RBAC are any security groups that have been assigned a role.
When members are added to or removed from a role group using the Exchange
Server 2016 tools, the change is recorded in the administrator audit log. However,
if a member is added to a role group using Active Directory tools, Exchange Server
2016 does not log the change in the administrator audit logs. To ensure that any
members added to a role group are recorded, you must enable Active Directory
auditing.
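The gap described in this sidebar can be checked by reconciling the two log sources. The following is an added example, not code from the book: it flags Active Directory membership events on role groups that have no matching entry in the administrator audit log. It assumes Security events 4756 and 4757 (member added to or removed from a security-enabled universal group) have already been collected and flattened into objects; the function name, the flattened property names, and all sample records are constructed for illustration.

```powershell
function Find-UnloggedRoleGroupChange {
    [CmdletBinding()]
    param(
        # Flattened Security-log records. The property names Id, TimeCreated,
        # GroupName, Member and Actor are this example's own (hypothetical) shape.
        [Parameter(Mandatory)] [object[]] $AdEvent,
        # Search-AdminAuditLog results (CmdletName, ObjectModified, RunDate).
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $AuditEntry,
        # Names of the groups that act as role groups, e.g. (Get-RoleGroup).Name
        [Parameter(Mandatory)] [string[]] $RoleGroup,
        # How far apart the two timestamps may be and still count as one change.
        # Both sources must be normalized to the same time zone beforehand.
        [int] $ToleranceSeconds = 120
    )

    # Exchange cmdlets that legitimately explain each kind of AD event.
    $explainedBy = @{
        4756 = 'Add-RoleGroupMember', 'Update-RoleGroupMember', 'New-RoleGroup'
        4757 = 'Remove-RoleGroupMember', 'Update-RoleGroupMember'
    }

    foreach ($ev in $AdEvent) {
        $id = [int]$ev.Id
        if (-not $explainedBy.ContainsKey($id)) { continue }   # not a membership event
        if ($ev.GroupName -notin $RoleGroup)    { continue }   # not a role group

        # Look for an Exchange-side change to the same group, in the same
        # direction, close enough in time to be the cause of this AD event.
        $match = $AuditEntry | Where-Object {
            $_.CmdletName -in $explainedBy[$id] -and
            ($_.ObjectModified -split '/')[-1] -eq $ev.GroupName -and
            [math]::Abs(($_.RunDate - $ev.TimeCreated).TotalSeconds) -le $ToleranceSeconds
        } | Select-Object -First 1

        if (-not $match) {
            [pscustomobject]@{
                TimeCreated = $ev.TimeCreated
                Change      = if ($id -eq 4756) { 'MemberAdded' } else { 'MemberRemoved' }
                RoleGroup   = $ev.GroupName
                Member      = $ev.Member
                Actor       = $ev.Actor
            }
        }
    }
}

# --- Constructed sample data (not real log output) ---------------------------
$roleGroups = 'Lawyers', 'Discovery Management'

# Shaped like the result of:
#   Search-AdminAuditLog -Cmdlets Add-RoleGroupMember,Remove-RoleGroupMember,Update-RoleGroupMember
$auditLog = @(
    [pscustomobject]@{
        RunDate        = [datetime]'2016-04-05 10:15:02'
        Caller         = 'contoso.com/Users/Administrator'
        CmdletName     = 'Add-RoleGroupMember'
        ObjectModified = 'contoso.com/Microsoft Exchange Security Groups/Lawyers'
    }
)

$adEvents = @(
    # Change made through Exchange: has a matching audit entry one second earlier.
    [pscustomobject]@{ Id = 4756; TimeCreated = [datetime]'2016-04-05 10:15:03'
        GroupName = 'Lawyers'; Actor = 'NYC-EX1$'
        Member = 'CN=Jennifer Fox,CN=Users,DC=contoso,DC=com' }
    # Change made with Active Directory tools: no audit entry exists for it.
    [pscustomobject]@{ Id = 4756; TimeCreated = [datetime]'2016-04-09 22:41:17'
        GroupName = 'Discovery Management'; Actor = 'helpdesk01'
        Member = 'CN=Richard Alvin,CN=Users,DC=contoso,DC=com' }
    # Membership change on a group that is not a role group: ignored.
    [pscustomobject]@{ Id = 4757; TimeCreated = [datetime]'2016-04-10 08:00:00'
        GroupName = 'Accounting Staff'; Actor = 'helpdesk01'
        Member = 'CN=Lincoln Alexander,CN=Users,DC=contoso,DC=com' }
)

Find-UnloggedRoleGroupChange -AdEvent $adEvents -AuditEntry $auditLog -RoleGroup $roleGroups |
    Format-Table -AutoSize
```

With the sample data, only the Discovery Management addition is reported, because it is the one role group change that Exchange never recorded.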
Seeing Who Has Been Assigned Rights
Generating audit logs is a great way to determine what changes have been made, but
in many cases you will need to find out what Exchange Server 2016 permissions have
already been allocated to users. Using the EMS, you will be able to discover the roles,
role groups, and how the permissions have been allocated to your users.
Administrator Permissions
Using the Get-ManagementRoleAssignment cmdlet with the GetEffectiveUsers parameter,
you can output how each role is assigned to an administrator. In most cases, roles are
assigned to administrators through group membership, but an administrator could
have a direct assignment or a policy application. In the following example, Jennifer
Fox has access to the roles Data Loss Prevention, Information Rights Management,
Retention Management, View-Only Audit Logs, View-Only Configuration, and
View-Only Recipients because she is a member of the Compliance Management role group.
She also has access to the Mailbox Import Only role because she is a member of the
Lawyers role group.
Get-ManagementRoleAssignment -GetEffectiveUsers | where {$_.EffectiveUserName -eq "Jennifer Fox"} | ft Name,Role,RoleAssigneeName
Name                      Role                      RoleAssigneeName
----                      ----                      ----------------
Data Loss Prevention-Co…  Data Loss Prevention      Compliance Management
Information Rights Mana…  Information Rights Mana…  Compliance Management
Retention Management-Co…  Retention Management      Compliance Management
View-Only Audit Logs-Co…  View-Only Audit Logs      Compliance Management
View-Only Configuration…  View-Only Configuration   Compliance Management
View-Only Recipients-Co…  View-Only Recipients      Compliance Management
Mailbox Import Only-Law…  Mailbox Import Only       Lawyers
You can also use the Get-ManagementRoleAssignment cmdlet with the GetEffectiveUsers
parameter and search to determine which users have access to a specific role. Using
the Unique parameter will ensure that each administrator is shown only once, even if
they have access to the role through different role assignments. In the following
example, all the administrators listed under EffectiveUserName have access to the
Mailbox Search role group:
Get-ManagementRoleAssignment -Role 'Mailbox Search' -GetEffectiveUsers | select EffectiveUserName -Unique
EffectiveUserName
-----------------
All Group Members
Administrator
Exchange Online-ApplicationAccount
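For a periodic access review, the per-row output above can be rolled up into one line per administrator. The following is an added example, not code from the book: it groups effective-user rows by person, drops the "All Group Members" placeholder row, and flags roles that were assigned directly rather than through a role group, the case this chapter describes as harder to track. The function name and the sample rows (including the user Sam Example) are constructed; the property names are those shown in the role assignment output earlier in this chapter.

```powershell
function Get-RbacAccessSummary {
    [CmdletBinding()]
    param(
        # One row of Get-ManagementRoleAssignment -GetEffectiveUsers output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Assignment
    )
    begin { $rows = New-Object System.Collections.Generic.List[object] }
    process {
        # Each group assignment also yields a placeholder row that names no
        # person; it is dropped from a per-user review.
        if ($Assignment.EffectiveUserName -eq 'All Group Members') { return }
        $rows.Add($Assignment)
    }
    end {
        $rows | Group-Object -Property EffectiveUserName | ForEach-Object {
            $g      = $_
            $direct = @($g.Group | Where-Object { $_.AssignmentMethod -eq 'Direct' })
            [pscustomobject]@{
                User        = $g.Name
                Roles       = @($g.Group | ForEach-Object { $_.Role } |
                                  Sort-Object -Unique) -join ', '
                GrantedVia  = @($g.Group | ForEach-Object { $_.RoleAssigneeName } |
                                  Sort-Object -Unique) -join ', '
                # Roles held without any group in between: these do not show up
                # when reviewing role group membership alone.
                DirectRoles = @($direct | ForEach-Object { $_.Role } |
                                  Sort-Object -Unique) -join ', '
                NeedsReview = ($direct.Count -gt 0)
            }
        }
    }
}

# --- Constructed sample rows (not real output) --------------------------------
# In the EMS the input would instead be:
#   Get-ManagementRoleAssignment -GetEffectiveUsers | Get-RbacAccessSummary
$sample = @(
    [pscustomobject]@{ Role = 'Retention Management'; RoleAssigneeName = 'Compliance Management'
        AssignmentMethod = 'RoleGroup'; EffectiveUserName = 'All Group Members' }
    [pscustomobject]@{ Role = 'Retention Management'; RoleAssigneeName = 'Compliance Management'
        AssignmentMethod = 'RoleGroup'; EffectiveUserName = 'Jennifer Fox' }
    [pscustomobject]@{ Role = 'View-Only Audit Logs'; RoleAssigneeName = 'Compliance Management'
        AssignmentMethod = 'RoleGroup'; EffectiveUserName = 'Jennifer Fox' }
    [pscustomobject]@{ Role = 'Mailbox Import Only'; RoleAssigneeName = 'Lawyers'
        AssignmentMethod = 'RoleGroup'; EffectiveUserName = 'Jennifer Fox' }
    # Direct assignment to a single account, with no role group involved.
    [pscustomobject]@{ Role = 'View-Only Configuration'; RoleAssigneeName = 'Sam Example'
        AssignmentMethod = 'Direct'; EffectiveUserName = 'Sam Example' }
)

$sample | Get-RbacAccessSummary | Format-List
```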
End-User Permission
When multiple role assignment policies have been created and applied to mailboxes,
the Where-Object cmdlet can be used to search all mailboxes that have a specific role
assignment policy applied. Using the Limited Assignment Policy we created earlier in
this chapter, you can search all mailboxes for a specific role assignment policy. By
running the following command, any mailbox with the role assignment policy of
Limited Assignment Policy will be displayed:
Get-Mailbox -ResultSize Unlimited | Where {$_.RoleAssignmentPolicy -eq "Limited Assignment Policy"} | FT -Auto
Name               Alias    ServerName  ProhibitSendQuota
----               -----    ----------  -----------------
Lincoln Alexander  Lincoln  nyc-ex1     Unlimited
The Bottom Line
Determine what built-in roles and role groups provide you with the
permissions you need. Exchange Server 2016 includes a vast number of built-in
management roles out of the box. Many of these roles are already assigned to role
groups that are ready for you to use. To use these built-in roles, figure out which
roles contain the permissions you need. Ideally, determine which role groups you
can use to gain access to these roles.
Master It As part of your recent email compliance and retention initiative,
your company hired a consultant to advise you on what you can do to make
your Exchange implementation more compliant. The consultant claims that he
needs escalated privileges to your existing journal rules so he can examine
them. Because you tightly control who can make changes to your Exchange
organization, you don't want to give the consultant the ability to modify your
journal rules, though you don't mind if he is able to view the configuration
details of Exchange. What EMS command can you run to find out what role the
consultant can be assigned to view your journal rules but not have permissions
to modify them or create new ones? What role do you want to assign to the
consultant?
Assign permissions to administrators using roles and role groups. When
assigning permissions to administrators, the preferred method is to assign
management roles to role groups and then add the administrator's account to the
appropriate role group. However, Exchange allows you to assign management roles
directly to the administrator's account if you want.
Master It Earlier in the day, you determined that you need to assign a certain
role to your email compliance consultant. You've created a role group called
EmailComplianceEvaluation and you need to add your consultant to this role
group. What command would you use in the EMS to add your consultant, Sam,
to this role group?
Grant permissions to end users for updating their address list
information. RBAC doesn't apply only to Exchange administrators. You can also
use RBAC to assign roles to end-user accounts so users can have permissions to
update their personal information, Exchange settings, and their distribution
groups.
Master It You've decided that you want to give your users the ability to modify
their contact information in the global address list. You want to make this
change as quickly as possible and have it apply to all existing users and new
users coming into your Exchange organization immediately. You determine
that using the EAC would be the easiest way to make this change. What would
you modify in the EAC to make this change?
Create custom administration roles and assign them to administrators.
If you can't find an existing role that meets your needs, don't worry! You can create
a custom role in Exchange Server 2016 and assign the permissions you need to the
custom role.
Master It Your company has asked you to allow administrators in the
Baltimore office to manage mailbox settings for all users in the Baltimore OU.
Your company does not want the administrators in the Baltimore office to be
able to change the mailbox storage limits for individual mailboxes. What would
you implement to ensure that administrators in the Baltimore office can only
manage mailboxes in the Baltimore OU and are not able to change the mailbox
storage limits?
Audit RBAC changes using the Exchange Management Shell and built-in
reports in the Exchange Administration Center. Assigning RBAC
permissions is the easy part; determining who has been assigned what permissions
can be a bit tricky. Luckily, EMS can be used to determine the roles assigned to
users.
Master It
Your company has purchased a partner company, which has an administrator
named Dave. You have been tasked with providing Dave with the same level of
RBAC permissions in your Exchange Server 2016 organization that he has in
his Exchange Server 2016 organization. What command would you run in your
partner's organization to determine the roles assigned to Dave?
Chapter 13
Basics of Recipient Management
The term Exchange recipient defines any mail or mailbox-enabled object in Active
Directory used to send or receive email within an Exchange organization.
Depending on the size of your organization, recipient management (handling the user
accounts, groups, contacts, public folders, and other resources that can receive email)
may consume the vast majority of Exchange administration time. In a small
organization, you may be responsible for every aspect of your Exchange server,
including creating and managing recipients. In a larger organization with lots of
changes, new users, and users leaving the organization, recipient administration will
probably be handled by a person or team that is separate from the person or team that
manages the Exchange Server infrastructure (message routing, backups, server
maintenance, and so on).
This chapter discusses the basics of recipient management. It examines the
environment configurations that must exist to support recipient management and the
tools you use to manage recipients. It also examines Exchange address lists and how
email addresses are defined.
IN THIS CHAPTER, YOU WILL LEARN TO:
Identify the various types of recipients
Use the Exchange Admin Center to manage recipients
Configure accepted domains and define email address policies
Understanding Exchange Recipients
There are different types of users in your organization, as well as different types of
needs for message delivery. To account for those differences, Exchange provides
various recipient types. Each one fills a specific need within your messaging
environment.
User Mailboxes
A user mailbox, which is sometimes referred to as a mailbox-enabled user, has an
account in Active Directory and a mailbox on an Exchange server. A user mailbox can
send and receive email messages within the Exchange organization and through the
Internet—plus it can have access to a personal calendar, contact list, and other services
provided by the Exchange server. In most organizations, all corporate users have
mailboxes and, therefore, store all emails on the Exchange servers. As you can guess, a
user mailbox is the most common type of recipient in Exchange.
Users who have a mailbox can use various client applications to access mailbox
content or send emails. For example, they can use Office Outlook, Outlook on the
web, or Exchange ActiveSync to access all mailbox content.
Resource and Shared Mailboxes
When you create a user mailbox, you can create multiple types of mailboxes. For
example, you can create a standard mailbox that is associated with a user and then
used by a company employee to send and receive emails, or you can create a resource
mailbox that can be used to represent a company's resources, such as a conference
room. Additionally, the concept of the shared mailbox in Exchange Server 2016
provides a more fluid solution for mailbox sharing within the Exchange organization.
More detailed information about mailbox-enabled users is available in Chapter 14,
“Managing Mailboxes and Mailbox Content.”
Mail Users and Mail Contacts
A mail user, which is sometimes referred to as a mail-enabled user, is quite different
from a user mailbox—the distinction is more than just a few letters. A mail user has a
user account in Active Directory and an external email address associated with the
account. In fact, the mail user has no mailbox on an Exchange Server inside your
organization.
All mail users who appear in the corporate global address list can receive email from
any user inside your organization (assuming there are no restrictions in place to
prevent delivery) and can be used to manage certain aspects of those recipients.
So why would a company not create a mailbox for a user? Why would they only
associate an external email address with their user accounts? The answer is that mail
users fill a specific need: the need to make an external contact appear in the internal
address list. Yes, but there is already an object that fills that need, the mail contact
(more on that recipient type later in this section). The caveat here is that the external
contact needs access to internal network resources by using an Active Directory user
account. An example of this would be an onsite contract employee who requires access
to the network but needs to continue receiving email through their existing external
email address. As a result, the mail user appears in the global address list and other
users can easily locate and send email to the address, even though the user does not
have a mailbox in the Exchange organization. Note also that a mail user cannot send
or receive email by using the internal Exchange servers. In addition to the mail user,
the other recipient type is the mail contact, and the mail contact is exactly that: a
contact for an individual who is external to your organization. A mail contact is an
individual who has neither a security principal in Active Directory nor a mailbox on an
internal Exchange server. Mail contacts are visible in the global address list, but they
receive all email on an external messaging system. Any internal user can send an
email to a mail contact simply by selecting the contact from an address list.
So what is the real-world purpose of a mail contact? Imagine a company that has a
large number of suppliers or customers with whom many internal users regularly
communicate. You may want to make it easy for your internal users to locate and
identify these external contacts; by adding these contacts to Active Directory, you are
making them available from a central location and accessible to all internal users. This
also provides you with a way to include the suppliers in distribution groups that are
used for mass mailings.
Contacts can be created in Active Directory without an Exchange infrastructure in
place, but in that case, they are essentially useless. Even after working with Active
Directory since 1999, we are still looking for a compelling reason to create
non-mail-enabled contacts. More information about mail users and mail contacts is available in
Chapter 15, “Managing Mail-Enabled Groups, Mail Users, and Mail Contacts.”
Table 13.1 shows the core differences between user mailboxes, mail users, and mail
contacts.
Table 13.1 User Mailboxes, Mail Users, and Mail Contacts
Recipient      Needs Access to Internal Resources?   Needs a Mailbox in Your Exchange Organization?
User mailbox   Yes                                   Yes
Mail user      Yes                                   No
Mail contact   No                                    No
Contacts: Used in a Synchronization Scenario
We certainly don't want to oversimplify or minimize the purpose of mail contact
recipients. These seemingly minimal objects, which have no access rights, are key
elements of some of the most complex Exchange environments. If your
organization has long-lasting business relationships with other organizations, you
may want to maintain a somewhat unified address list where all users from the
partner companies appear.
To achieve this goal, your company will create contact objects for all users in the
other companies, and vice versa. Though this doesn't actually result in a single
global address list, it is a way to make the address lists look identical.
Additionally, some organizations that want to extend the feature-rich experience
with their on-premises Exchange organization to Office 365 may want to create
mail contact objects as part of their hybrid deployment scenario and unified
global address list solution.
In scenarios where coexistence between multiple directories is in place, generally
a synchronization solution must be deployed. Microsoft Identity Manager 2016
can be used to achieve such coexistence scenarios.
In scenarios of coexistence between on-premises Active Directory infrastructures
and an Office 365 tenant, Microsoft Azure Active Directory Connect is used by the
hybrid setup to synchronize mail recipient objects, and, therefore, email address
lists.
Linked and Remote Mailboxes
Linked mailboxes are user mailboxes that are associated with specific users in a
separate, trusted Active Directory forest. When you create a linked mailbox, a disabled
user account is created in the Exchange organization, and a user account from a
trusted forest is given access to the mailbox. Users with linked mailboxes sign in with
the credentials to their local Active Directory domain. Through the Active Directory
trust, those credentials are then used to access a mailbox in an Exchange organization
in a different forest.
Linked mailboxes are commonly used in the following scenarios:
Exchange is deployed in a resource forest. When Exchange is deployed in a
resource forest scenario, the Exchange servers are connected to one Active
Directory forest. Access to the mailboxes is enabled on user accounts located in
one or more trusted forests (called account forests).
In a merger or acquisition scenario. In this scenario, both of the organizations will
have deployed Exchange before the merger or acquisition. Linked mailboxes
provide the opportunity to remove the Exchange Server deployment from one of
the organizations. The users from one of the organizations can be configured with
linked mailboxes in the other organization. This ensures that users from both
organizations are listed in a single GAL, making availability information accessible
to all users.
Remote mailboxes are similar to linked mailboxes in that they span multiple
environments. A remote mailbox consists of a mail-enabled user in your on-premises
Active Directory and an associated mailbox in your cloud-based service (e.g., Office
365). When you create a new remote mailbox, the mail-enabled user is created in your
on-premises Active Directory. Then, directory synchronization (e.g., Azure AD
Connect) automatically synchronizes the new user object to the cloud-based service.
The hosting service recognizes the object and converts it to a user mailbox. Remote
mailboxes are typically provisioned as user mailboxes or as resource mailboxes for
meeting rooms and equipment. Directory synchronization and mail flow should be
provisioned correctly for the mailbox to be provisioned in the hosting service. Also,
provisioning of the mailbox in the hosting service is not immediate and depends on
the directory synchronization schedule.
Site Mailboxes
Site mailboxes are mailboxes that include both an Exchange mailbox and a SharePoint
site. With site mailboxes, the email messages are stored in the mailbox, but the
documents are stored on the SharePoint site.
Site mailboxes in Exchange Server 2016 provide an integrated experience for users
who need to collaborate. Site mailboxes enable users to access both documents stored
on SharePoint Server 2016 and email stored on an Exchange Server 2016 mailbox by
using the same client interface—for example, by using Office Outlook and Outlook on
the web. The same content also can be accessed directly from the SharePoint site.
With site mailboxes, Exchange stores the email, providing users with the same email
conversations that they use every day for their own mailboxes. SharePoint stores the
documents and provides advanced document-management tools such as version
control. Site mailboxes provide that integration on the user interface layer, while
leaving the content in the optimized stores, such as Exchange for email and
SharePoint for documents.
Mail-Enabled Groups
A mail-enabled group is an Active Directory group that has been tagged with all the
appropriate Exchange mail attributes, including an email address. Once a group has
been mail-enabled, any internal or external user can send email to the group
(assuming that there are no restrictions preventing message delivery to the group).
The group membership can then be modified to configure who receives emails that
are sent to the group.
An Active Directory forest that does not include any Exchange organization already
uses groups to manage access to resources and permissions. With the integration of
an Exchange organization into Active Directory, the same groups (security groups) can
be mail-enabled or new groups (distribution groups) that will only be used as a
distribution list can be created and then mail-enabled.
Active Directory contains two types of groups: distribution and security. Some
organizations may decide to mail-enable only distribution groups to prevent the
likelihood of mistakenly adding users to a group and assigning them access to secured
resources. This decision should be made early or during the architecture and design
and governance phases in an Exchange deployment to ensure consistent use of
groups.
A mail-enabled group can contain any type of Exchange recipients, including other
mail-enabled groups. In Exchange Server 2016, you can mail-enable only groups that
are set to the universal group scope. The groups can be either security groups or
distribution groups. A unique type of distribution group, called a dynamic distribution
group, is a group that has an automatically updated membership and is mail-enabled
as well.
More information about mail-enabled groups is available in Chapter 15.
Mail-Enabled Public Folders
A public folder is an electronic version of a bulletin board. Public folders can be used
to store messages, contacts, or calendars that must be accessed by multiple users in
your organization. Users can create public folders by using Microsoft Outlook, and
administrators can create public folders by using the Exchange Administration Center.
In Exchange Server 2016, public folders are often referred to as modern public folders.
A mail-enabled public folder is one that has been tagged with all the appropriate
Exchange mail attributes. Mail-enabled public folders have an email address and can
receive email from any internal or external user from your organization (assuming
that the appropriate permissions have been configured for the folder).
Mail-enabled public folders are particularly useful if you need to have a “virtual”
mailbox shared between multiple users. For example, you may want to have multiple
individuals in the HR department review the job applications that are sent to your
company. You can create a mail-enabled public folder and provide an email address of
[email protected]
individuals in the HR department to review the contents of the folder, without having
a large number of emails polluting their inboxes.
While there are not many changes in terms of user access and client functionality for
public folders in Exchange Server 2016, the key changes are present in the back end.
The main difference is related to public folder storage and public folder replication.
Public folders are stored in public folder mailboxes, which reside on mailbox
databases. Public folder mailboxes must be created by an administrator from the
Exchange Administration Center or the Exchange Management Shell.
It may appear that the shared mailbox recipient type provides the same functionality
as a mail-enabled public folder, but there are some distinct differences. Public folders
are commonly used for project collaboration or for data archiving. In addition to
receiving messages, they can also serve as a main appointment calendar, an elaborate
task management structure, or simple document sharing for organizations without
SharePoint. The main feature of a mail-enabled public folder is its distribution—once
you enable public folders, they are automatically shown in Outlook. On the other
hand, a shared mailbox serves well as a common contact mailbox, such as a support
team or sales representative's email. Commonly, each department in a company has
its own shared mailbox with access granted to designated users or groups. In addition
to Exchange Server 2016, shared mailboxes also require deploying SharePoint Server
2013 or later or SharePoint Online.
Table 13.2 shows the core differences between mail-enabled public folders and shared
mailboxes.
Table 13.2 Mail-Enabled Public Folders and Shared Mailboxes
Feature | Mail-Enabled Public Folders | Shared Mailboxes*
Targeted environments | Small/Medium | Medium/Large
Who can access by default | Anyone in the organization | Designated users or groups
Accessibility in Outlook | Once enabled, appears automatically in all Outlook clients | Each user may have to add the shared mailbox to their Outlook manually
Users can drag and drop files for sharing | Yes | No
*Shared mailboxes require deploying SharePoint Server 2013 or later or SharePoint Online.
Defining Email Addresses
Before we discuss how to create mail users, groups, or contacts, we'll first discuss how
these objects get their email addresses. The process of creating an email address is
just a bit different in Exchange Server 2016 compared with earlier versions of
Exchange such as Exchange Server 2003 and 2007. Email addresses are generated for
the object at the time the mail-enabled recipient is created, and they are generated by
an Exchange Management Shell (EMS) task or the Exchange Administration Center—still
with a background EMS task, though. Recipient policies from Exchange Server
2016 have been broken up into two separate concepts:
Email domains for which your organization will accept mail, also known as accepted domains
Policies that define the syntax of email addresses, also known as email address policies
For addresses that will be assigned to mailboxes on your Exchange Server 2016
servers, you define both an accepted domain and an email address policy.
Accepted Domains
An accepted domain is an SMTP domain name (aka SMTP namespace) for which your
Exchange Server 2016 servers will accept email. The servers will either deliver the
email to an Exchange mailbox or relay it to internal or external SMTP email servers. If
you migrate from a previous version of Exchange Server, the list of accepted domains
in Exchange Server 2016 will include all accepted domains from the previous
environment. Accepted domains must be defined for all email addresses that will be
routed into your organization. Most small- and medium-size organizations will have
only a single accepted domain.
About Domain Types
One tricky thing about defining an accepted domain is that you must define how
Exchange is to treat a message for the domain. When creating an accepted
domain, you can choose from three types of domains:
Authoritative Domains: These are SMTP domains for which you accept the
inbound message and deliver it to an internal mailbox within your Exchange
organization. In fact, if the recipient of an email does not exist in your
Exchange organization, the sender will receive a Non-Delivery Report, or NDR.
Internal Relay Domains: These are SMTP domains for which your
Exchange Organization will accept inbound SMTP email, and the Exchange
Server may host some, but not all, of the mailboxes for the domain. Often
referred to as a “shared SMTP namespace,” one common scenario for when
you might use an internal relay domain is two companies merging but having
yet to consolidate their Exchange environment. After enabling an internal
relay domain, if an Exchange server receives an email for the domain but is
unable to locate a recipient in the organization, the server will look to the list
of Send Connectors to determine where to send the message. The Exchange
server then relays the message to another internal email system.
External Relay Domains: These are SMTP domains for which your
Exchange organization will accept inbound SMTP email but the Exchange
server hosts no mailboxes for the domain. This type of domain is commonly
used when one organization is acting as an Internet Service Provider (ISP) for
another organization or offering services such as email content filtering (e.g.,
Exchange Online Protection, or EOP, in Office 365). After enabling an external
relay domain, if an Exchange Server receives an email for the domain, then the
server will relay the email to an external SMTP email server, usually one that
is outside of the organization's boundaries. If Edge Transport servers are
deployed in your environment, they will handle external relay domains for the
Exchange organization.
Setting Up an Accepted Domain Using the Exchange Administration Center
Accepted domains are found within the Mail Flow window. When you choose the
Accepted Domains link in the top banner, you will see a list of the accepted domains
that have been defined for your organization, such as those shown in Figure 13.1.
Figure 13.1 List of accepted domains
When you create an Exchange organization, a single authoritative accepted domain is
created automatically and given a name. This is the name of the Active Directory
forest root domain; for some organizations, this will not be correct because the
naming conventions for Active Directory domain names and SMTP domain names
may be different. For example, your Active Directory name may be Contoso.local,
whereas your public domain name for email is Contoso.com.
Accepted domains are simple to create and require little input. To create a new
accepted domain, open the New Accepted Domain window by clicking the + (Add) sign
in the Actions list. You need to provide only a descriptive name for the accepted
domain, the SMTP domain name, and an indication of how messages for this domain
should be treated when messages are accepted by Exchange Server 2016 (see Figure
13.2).
Figure 13.2 Creating a new accepted domain
Keep in mind that you cannot change the domain name of an accepted domain once it
is created. You can change the domain type, however. If you need to change the
domain name of an accepted domain, you will have to remove the domain name and
then create a new domain name for the accepted domain.
Setting Up an Accepted Domain Using the EMS
You can also manage accepted domains using the following EMS cmdlets:
New-AcceptedDomain
Set-AcceptedDomain
Get-AcceptedDomain
Remove-AcceptedDomain
For example, to create a new accepted domain for a Canadian division of Contoso, use
the following EMS command:
New-AcceptedDomain -Name "Contoso Canada" -DomainName "Contoso.ca" -DomainType "Authoritative"
Email Address Policies
For a recipient to send or receive email messages, the recipient must have an email
address. Email address policies generate the primary and secondary email addresses
for recipients in an Exchange organization so they can send and receive email. Each
time a recipient object is modified, Exchange enforces the application of the email
address criteria and settings. Also, when an email address policy is modified, all
recipient objects associated with the criteria of the email address policy are updated
with the appropriate email address.
Using the Exchange Administration Center, you can find email address policies in the
Mail Flow window. Select the Email Address Policies tab to see a list of the email
address policies in the organization. In Figure 13.3, we have only the default policy
assigned by the Exchange Server 2016 organization.
Figure 13.3 Email address policies for an Exchange Server 2016 organization
Similar to previous versions of Exchange Server, the default email address policy is
the lowest priority policy.
Changing an Existing Policy
When you install Exchange Server 2016, a default email address policy is created
automatically. The default email address policy defines the email address to consist of the
recipient object's alias, which is the local part of an email address that appears before
the at sign (@), and the domain name of the Active Directory forest root. Suppose you
want to make two changes to the email address policy:
You want to change the SMTP domain name that is on the default policy to
something else. For example, this is relevant when the default domain name for
the Active Directory forest root is different from the public domain name used for
SMTP, and you need to fix this.
You want all email addresses to be generated using the first name, followed by a
period, then the last name, and then the domain name.
To perform those tasks, follow these steps:
1. Define an accepted domain. If the default accepted domain is not correct for your
organization, you need to create a new accepted domain because Exchange 2016
does not allow you to change an accepted domain. As an example, your Active
Directory forest root is named Contoso.local, but your public SMTP domain is
Contoso.com. Under the Accepted Domains tab, create a new authoritative accepted
domain for Contoso.com.
2. Change the default email address policy so that it uses the new domain name and
generates an email address using the firstname.lastname format, such as
[email protected]ddress
Policies tab, highlight the default policy, and double-click to edit the policy. On the
Email Addresses Format page, you see the list of all domain names used to
generate email addresses. Click the domain name you want to modify, in this case
@Contoso.com, and then click the Edit button to see the SMTP Email Address dialog
box. The default setting in the email address policy is to use the user's alias to
generate the email. This can be modified to multiple combinations, as Figure 13.4
shows.
Figure 13.4 Changing how the SMTP address is generated
3. Click the Apply To link on the next tab to select the scope of the policy. This setting
allows you to choose which recipients will be affected by the email address policy.
Once the email address policy is modified, it will run automatically at its preset
interval. The preset interval is immediate once the Active Directory site is updated. In
order to force the application of the policy to recipients, an administrator must run the
Update-EmailAddressPolicy cmdlet.
Of course, you can also create email address policies using the EMS; Table 13.3 shows
the EMS cmdlets for creating, deleting, modifying, and updating email address
policies.
Table 13.3 EMS Cmdlets Used to Manipulate Email Address Policies
EMS Cmdlet | Description
New-EmailAddressPolicy | Creates a new email address policy
Set-EmailAddressPolicy | Changes properties of the email address policy specified
Update-EmailAddressPolicy | Updates mail-enabled objects in Active Directory if the conditions of the policy specified apply to those objects
Get-EmailAddressPolicy | Retrieves a list of email address policies and their properties
Remove-EmailAddressPolicy | Deletes the specified email address policy
The following is an example of an EMS cmdlet that would create an email address
policy for the domain Contoso.ca:
New-EmailAddressPolicy -Name 'Contoso Canada' -IncludedRecipients 'MailboxUsers' -Priority '1' -EnabledEmailAddressTemplates 'SMTP:%g.%[email protected]'
Finally, if you want to see the email addresses that have been applied to a mail-enabled
object, you can also use an EMS cmdlet to retrieve that information. You
could use EAC for this task, but it would require hours of work. Preferably, you would
use Get-Mailbox, Get-MailContact, or Get-DistributionGroup. To retrieve the email
addresses for a mailbox with an alias that is Julie.Samante, for instance, you could type
the EMS cmdlet,
Get-Mailbox "julie.samante" | Format-List DisplayName,EmailAddresses
and see output similar to this:
DisplayName    : Julie Samante
EmailAddresses : {smtp:[email protected], SMTP:[email protected]}
Creating a New Email Address Policy
If you have a small- or medium-size organization, you probably support only a single
SMTP domain for your users. However, even companies with a handful of mailboxes
can sometimes require two or three SMTP domain names. Let's look at an example of
an organization that has two divisions, each of which requires its own unique SMTP
addresses.
Previously, you changed the default policy for an organization so that all users would
[email protected]'s expand that example further. Let's say that
this organization has another division called Volcano Surfboards and its SMTP domain
[email protected]ctive
Directory contains Volcano Surfboards should have an SMTP address of
[email protected], and that address should be set as the
mailbox default reply address. The default reply address is also known as the primary
SMTP address or Reply To address and is typically shown in bold. For SMTP
addresses, the reply address will also display “SMTP” in all capital letters in the Type
column, whereas the other addresses will be in lowercase letters. Mailboxes can
receive email sent to any of the email addresses.
Create a New Email Address Policy or Modify the Default Email
Address Policy?
This is one of the questions we hear the most often: Should I create a new email
address list when I need to add a new SMTP domain, or should I simply modify
the default email address list?
Let's look at an example to illustrate when you should use one method or the
other. Also, keep in mind that only one email address policy can be applied to a
recipient in your organization. For example, when you create a new user,
Exchange checks to see which email address policy matches the new recipient,
based on conditions and filters. If multiple email address policies apply to the
user, it will apply only the policy with the highest priority. If there are no custom
policies that apply to the user, then the default email address policy is applied. (A
policy must always be applied when you create a user mailbox, which is why you
cannot remove or delete the default email address policy.)
Now on to our scenario. One of this book's authors was called in because “the
Internet was broken and not sending emails.” (We love those descriptions!) He
quickly noticed that the organization had five different email address policies.
Each address policy had a different SMTP domain and was configured to apply to
all users. So, when a new user mailbox was created, the mailbox received only the
highest priority email address policy and was, therefore, assigned only a single
SMTP address that matched that policy. The easy fix to this was to simply remove
all the custom email address policies and then add the SMTP domains to the
default email address policy. After he reapplied the email address policy, all user
mailboxes were assigned the correct SMTP addresses.
So now to answer the email address policy question: You should create a custom
email address policy when you need to assign a separate SMTP domain to a subset
of your users. Alternatively, you should modify the default email address policy
when you want to add domains to all users in your organization.
You should now have enough information for a solution to the Volcano Surfboards
division. The first thing you need to do is define volcanosurfboards.com as an
authoritative accepted domain. If you don't define the accepted domain, you will
receive an error message when you try to create an email address policy based on the
domain. The accepted domain must always exist first.
Next, you need to create the email address policy. To create a new email address
policy, click the + (Add) sign from the Actions list on the Email Address Policies tab in
the Mail Flow window. In the New Email Address Policy window, you will configure
the name of the policy, the email address format, the sequence of the policy in relation
to other policies, and to what types of objects this policy applies.
In this example, the policy is being created for the user mailboxes in the Volcano
Surfboards division. To configure the email address format, you will need to click the
+ (Add) sign from the Actions list under the Email address format. On the Email
Address Format window, select the new accepted domain and click the option to use
[email protected], as shown in Figure 13.5. Click
Save to return to the New Email Address Policy window.
Figure 13.5 Defining the email address format for the email address policy
You also need the policy to apply only to mailboxes, so you will provide that
information on the screen shown in Figure 13.6.
Figure 13.6 Naming the email address policy
You can further define the conditions that will be used to apply the email address
policy by clicking the Add a Rule button. This built-in filter provides more granularity
to define the target of the policy. Figure 13.7 shows the conditions available for the
rule. You can select such criteria as the state or province, department, or company
name of the object.
Figure 13.7 Conditions available in the email address policy rules
In this example, you need the policy to apply to recipients whose company attribute
contains Volcano Surfboards.
Once you select the Company condition, the Specify Words or Phrases window opens;
there you enter the company name (see Figure 13.8). If the Specify Words or Phrases
window does not open automatically, simply select Enter Words next to the drop-down menu.
Figure 13.8 Specifying words for a rule in an email address policy
After you have entered the necessary company information, click OK to close the
window. You can verify that the conditions are defined correctly by clicking the
Preview Recipients The Policy Applies To link near the bottom of the New Email
Address Policy window. This will open the Preview dialog box; you should see users
who have a mailbox and whose company name contains Volcano Surfboards. After
you verify this information, click Save to create the email address policy.
The Preview Recipients The Policy Applies To link is also helpful in confirming that
attributes are being entered correctly in Active Directory. However, in a 10,000-user
company, administrators may not recognize if everyone exists in the Email Address
Policy Preview dialog box. Fortunately, you can use EMS to get the same information.
For example, to retrieve the list of recipients for an email address policy named
Volcano Surfboards, use the following EMS command:
Get-Recipient -Filter (Get-EmailAddressPolicy "Volcano Surfboards").RecipientFilter | sort Name
If a user's company name does not contain exactly Volcano Surfboards, the policy
conditions will not be met and the user's mailbox will include the email addresses
from the default email address policy instead.
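The five-policy scenario in the sidebar above can be caught before it causes trouble by asking Exchange which recipients match more than one custom policy. The following is an added example, not code from the book; the function name Get-EmailAddressPolicyOverlap is hypothetical, and it assumes it is run in the Exchange Management Shell.

```powershell
# Added example: list recipients matched by more than one custom email
# address policy, and show which policy wins on priority.
# Get-EmailAddressPolicyOverlap is a hypothetical helper name.

function Get-EmailAddressPolicyOverlap {
    [CmdletBinding()]
    param()

    # The default policy (priority "Lowest") is the fallback for every
    # recipient, so only custom policies are compared with each other.
    $policies = Get-EmailAddressPolicy |
        Where-Object { "$($_.Priority)" -ne 'Lowest' } |
        Sort-Object { [int]"$($_.Priority)" }   # priority 1 is evaluated first

    $hits = @{}
    foreach ($policy in $policies) {
        # Reuse the policy's own filter, as the Preview link in the EAC does.
        $query = @{
            RecipientPreviewFilter = $policy.RecipientFilter
            ResultSize             = 'Unlimited'
        }
        # Honor an OU restriction on the policy when one is set.
        if ($policy.RecipientContainer) {
            $query.OrganizationalUnit = "$($policy.RecipientContainer)"
        }

        foreach ($recipient in Get-Recipient @query) {
            $key = "$($recipient.Guid)"
            if (-not $hits.ContainsKey($key)) {
                $hits[$key] = [pscustomobject]@{
                    Name               = $recipient.Name
                    PrimarySmtpAddress = "$($recipient.PrimarySmtpAddress)"
                    Policies           = New-Object System.Collections.Generic.List[string]
                }
            }
            # Policies were sorted above, so index 0 is the winning policy.
            $hits[$key].Policies.Add($policy.Name)
        }
    }

    foreach ($entry in $hits.Values) {
        if ($entry.Policies.Count -gt 1) {
            [pscustomobject]@{
                Name               = $entry.Name
                PrimarySmtpAddress = $entry.PrimarySmtpAddress
                AppliedPolicy      = $entry.Policies[0]
                IgnoredPolicies    = ($entry.Policies | Select-Object -Skip 1) -join '; '
            }
        }
    }
}

# Recipients listed here receive addresses from AppliedPolicy only.
Get-EmailAddressPolicyOverlap | Sort-Object Name | Format-Table -AutoSize
```

An empty result means every recipient is covered by at most one custom policy; any row means the policies named under IgnoredPolicies never generate addresses for that recipient.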
The Bottom Line
Identify the various types of recipients. Most recipient types in Exchange
Server 2016 have been around since the early days of Exchange. Each serves a
specific purpose and has objects that reside in Active Directory.
Master It Your company has multiple Active Directory domains that exist in a
single forest. You must make sure that the following needs for your company
are met:
Group managers cannot, by mistake, assign permissions to a user by adding
someone to a group.
Temporary consultants for your company must not be able to access any
internal resources.
Use the Exchange Administration Center to manage recipients.
Historically, Exchange administrators mainly used a combination of Active
Directory tools and Exchange-native tools to manage Exchange servers and objects.
That has all changed with Exchange Server 2016, mainly with the advent of the
remote PowerShell implementation of the Exchange Management Shell, but also
with the browser-based version of the Exchange Administration Center.
Master It You are responsible for managing multiple Exchange organizations,
and you need to apply identical configurations to servers in all organizations. If
you are just starting out with Exchange Server 2016 and you are not yet familiar
with Remote PowerShell and Exchange Management Shell, you need some
guidance regarding the commands that must be used. What should you do?
Configure accepted domains and define email address policies. Accepted
domains and email address policies, once a single concept, have been broken up
since Exchange Server 2007, and that is still the case in Exchange Server 2016. This
gives you more flexibility in managing email address suffixes and SMTP domains
that will be accepted by your Exchange servers.
Master It You plan to accept mail for multiple companies inside your
organization. Once accepted, the mail will be rerouted to the SMTP servers
responsible for each of those companies. What do you need to create in your
organization?
Chapter 14
Managing Mailboxes and Mailbox Content
In a small- or medium-sized business, you may be the sole person responsible for all
Exchange Server tasks, such as backing up the server, checking the queues, reviewing
event logs, and managing mailboxes. In a larger business, you might have a specific
task, such as running backups or managing mobile devices.
With any sized business, the common thread for any Exchange Server organization is
the day-to-day administrative tasks of mailbox management. The majority of these
tasks involve creating mailboxes, moving them to the correct database, setting
mailbox properties or policies, and managing email addresses. Other types of tasks
may include the management of the mailbox content, such as purging the Deleted
Items folder, moving content to other folders, or removing content from a user's
mailbox.
IN THIS CHAPTER, YOU WILL LEARN TO:
Create and delete user mailboxes
Manage mailbox permissions
Move mailboxes to another database
Perform bulk manipulation of mailbox properties
Use Messaging Records Management to manage mailbox content
Managing Mailboxes
This first section on mailbox management tackles the most common tasks: creating,
managing, and deleting mailboxes associated with a user account. If you are upgrading
from Exchange Server 2007/2010 to Exchange Server 2016, you will immediately
notice the absence of the Exchange Management Console and the Exchange Control
Panel. Since Exchange Server 2013, all GUI-based management operations are
performed via the Exchange Admin Center (EAC).
Enabling a Mailbox Using the EAC
Let's start with a common task: enabling a mailbox for an existing user. You may hear
this process referred to as “mailbox-enabling” a user or simply creating a mailbox.
Let's say we have a user who requires a mailbox. Her unique location and
distinguished name are as follows:
contoso.com/Corporate/Amany Bakr
CN=Amany Bakr,OU=Corporate,DC=contoso,DC=com
To enable this user mailbox, you must use either the Exchange Management Shell
(EMS) or the EAC.
A Wizard by Any Other Name
You had several options available, such as the Exchange Management Console,
the Exchange Control Panel, and the venerable Exchange System Manager in
earlier versions of Exchange Server. In Exchange Server 2016, you can use the
Exchange Management Shell, or you have a unified GUI experience in the EAC to
perform an action, enabling you to do your tasks more efficiently and
consistently.
Launch the Exchange Admin Center and navigate to the Mailboxes section of the
Recipients option on the Feature pane (Figure 14.1). Above the list of recipients you'll
notice the + (Add) sign in the Actions bar. This launches the New User Mailbox
Wizard, which will allow you to create a user mailbox and associate it with an existing
user account, create a new user account with a mailbox, or link a mailbox.
Figure 14.1 The Mailboxes section of the EAC's Recipient Configuration work center
User Mailbox: This wizard creates a mailbox for an existing user in the same
Active Directory domain. The user could be a new user (without a user account) or
an existing user without a mailbox account.
Linked Mailbox: This wizard also creates a disabled user account, assigns it a
mailbox, and prompts the administrator to provide a user account in a separate,
trusted forest. The account in the other forest is considered the owner of this
mailbox and has the Associated External Account permissions to the mailbox. This
is used in organizations that install Exchange Server in a resource forest. If you are
creating linked mailboxes, the user account in your forest must remain disabled.
In this example, you are mailbox-enabling a user account that has no existing mailbox,
thereby creating a user mailbox. To proceed, you would click the Browse button to
locate the user account that you want to enable with the new mailbox. After you have
selected the user account, you can specify the user's Exchange Server alias, define the
mailbox database on which the mailbox will be hosted (or allow Exchange Server to
select one for you automatically), create an archive, and assign an address book policy
to the user if needed. Figure 14.2 shows the wizard.
Figure 14.2 In the Mailbox Wizard, you can select a mailbox database for a user, as
well as enable an archive mailbox and assign an address book policy
Automatically Assigning a Mailbox to a Mailbox Database
Exchange Server 2010's management tools introduced a great feature that
automatically assigned a user to a mailbox database, and Exchange Server 2016
inherited this feature in the EAC. Historically, some mailbox administrators
would select the first mailbox database in the list. This feature is a benefit to
organizations that have trouble balancing mailboxes on mailbox databases.
Exchange Server 2016 provides you the option of allowing Exchange to choose the
mailbox database using automatic mailbox distribution. With automatic mailbox
distribution, Exchange uses built-in logic when creating a mailbox, moving a
mailbox, or mailbox-enabling an existing user account. Consequently, you don't
need to specify a mailbox database name when provisioning a mailbox. The logic
in automatic mailbox distribution is as follows:
1. Gather all mailbox databases in the Exchange Server organization.
2. Exclude any mailbox databases that are marked for exclusion from the
distribution process.
3. Exclude any mailbox databases that are outside the database management
scopes applied to the administrator performing the operation.
4. Exclude any mailbox databases that are not in the same Active Directory site
as the provisioning server.
5. From the remaining list of mailbox databases, Exchange will choose a mailbox
database at random. Exchange uses the mailbox database if the mailbox
database is online and healthy. If the mailbox database is offline or not
healthy, another mailbox database is chosen at random. The operation will fail
if no online or healthy mailbox databases are found.
If you want to use the automatic mailbox distribution, do not specify a mailbox
database when provisioning or moving a mailbox. Microsoft recommends that
you balance the distribution of mailboxes and not scope stores with specific types
of users.
There are scenarios where you may have defined specific databases on which you
do not want automatic distribution of mailboxes (such as when you've enabled
journaling on the mailbox database). You can exclude mailbox databases from
automatic distribution by changing the properties on the mailbox database via the
EMS cmdlet Set-MailboxDatabase. In Exchange Server 2016, this cmdlet includes
three parameters for controlling automatic mailbox distribution:
IsSuspendedFromProvisioning, IsExcludedFromProvisioning, and
IsExcludedFromProvisioningDueToLogicalCorruption.
These three parameters provide similar functionality (excluding the mailbox
database from automatic mailbox distribution), but one is intended for short-term
exclusion and the other two are intended for long-term exclusion. The scenario
for IsSuspendedFromProvisioning is used when you are temporarily taking a
mailbox database or server out of rotation for new mailboxes. The scenario for
IsExcludedFromProvisioning is used when you have a mailbox database that you
want to permanently exclude from provisioning—for example, when the mailbox
database is full or is a mailbox database dedicated to VIP personnel. Finally, the
scenario for IsExcludedFromProvisioningDueToLogicalCorruption is used when you
want to exclude a mailbox database because of database corruption. When any of
these parameters is enabled, you also need to configure the
IsExcludedFromProvisioningReason property with the reason for the exclusion.
When you enable these parameters on the mailbox database, the
IsExcludedFromProvisioningBy property is automatically populated with your user
account. In addition, the IsExcludedFromProvisioning property is automatically
enabled when the IsExcludedFromProvisioningDueToLogicalCorruption parameter
is enabled. The reason for these exclusion distinctions is that you might prefer to
distinguish mailbox databases that are permanently excluded from those that are
temporarily excluded from mailbox provisioning.
After you have determined to which mailbox database you want to provision the new
mailbox or allow for automatic mailbox distribution, there are some additional
settings you might need to configure. From the Mailbox Settings page, you need to
specify the following information:
Alias: The alias is used to generate the default SMTP addresses as well as other
internal Exchange Server functions. The default value of the alias is the user
account name, but you can change it if you need it to conform to other standards.
Mailbox Database: This browse list consists of mailbox databases found in the
Exchange organization.
Create On-Premises Archive: Exchange provisions an additional on-premises
mailbox, also called an Archive mailbox, to which users can move emails that
should be saved for longer terms, saving the inconvenience of a local Personal
Storage Table (PST) and lost emails. This can be enabled manually or based on
retention policies.
Address Book Policy: The address book policy allows you to assign a custom
address book for the user, hiding some aspects of the GAL from the user.
When you are convinced that the parameters for the mailbox you are creating are
correct, click the Save button on the New User Mailbox screen. The EAC then launches
an EMS cmdlet in the background that enables the mailbox by adding the mailbox
attributes to the user account in Active Directory that are required by Exchange. The
mailbox object is actually created in the mailbox database when the user logs on to the
mailbox or receives an email message.
Assigning a Mailbox to More Than One User
The EAC does not offer the ability to create or enable multiple mailboxes at the
same time. In order to do that, you must use the Exchange Management Shell
(the PowerShell command-line tool for Exchange Server). In the next section,
“Enabling a Mailbox Using the EMS,” we will explore how to do that in detail.
Enabling a Mailbox Using the EMS
In larger organizations, you will probably want to streamline or script the creation of
new mailboxes and/or user accounts. The EMS allows you to do this faster than the
EAC. For example, let's look at the scenario you just completed from the EAC when
you enabled a mailbox for an existing user and assigned the user mailbox to a specific
mailbox database. The following cmdlet accomplishes the same task:
Enable-Mailbox -Identity ABakr -Alias Abakr -Database MBX-002 -ArchiveName Abakr -AddressBookPolicy "EngineeringABPolicy"
If you want to enable the mailbox on a specific mailbox database, you need to specify
the mailbox database name. You will need to establish a naming standard for mailbox
databases across the Exchange organization, since unique database names are
required for Exchange Server 2016. This is because mailbox databases can be moved
between Exchange Servers in the organization. In versions of Exchange prior to
Exchange Server 2010, the mailbox databases were local to each Exchange Server and
only required a unique database name on the local server. For this reason, we
recommend against including the server name as part of the mailbox database name.
The active copy of a mailbox database may move from one server to another only if
you are using database availability groups.
Assigning Permissions to a Mailbox Using the EMS
On some occasions, you may need to assign a user the permission necessary to access
another user's mailbox. With Exchange Server 2010, you could accomplish this by
using the Manage Full Access Permission task in the Actions pane. In Exchange Server
2016, however, you need to open the user's mailbox and navigate to the Mailbox
Delegation tab. The permissions available for a selected mailbox are shown in Figure
14.3; they are the Send As, Send on Behalf, and Full Access permissions.
Figure 14.3 Available mailbox permissions
The Full Access permission allows another user, or delegate, to open the mailbox
and access the contents, including messages or folders, of the mailbox.
The Send As permission allows a delegate to send a message that appears to have
been sent from the mailbox owner.
The Send on Behalf permission allows a delegate to send a message that appears to
have been sent by the delegate on behalf of the mailbox owner.
For example, if Terresa Musse (mailbox owner) grants John Rodriguez (delegate) the
Send on Behalf permission, the From address in any message sent by the delegate
appears as if the message had been sent by the delegate on behalf of the mailbox
owner. This implies to the recipient that John Rodriguez is authorized to send
messages on Terresa Musse's behalf, a common scenario for an executive assistant.
On the other hand, the From address in any message sent by a delegate with Send As
permission to another mailbox will appear to have been sent from the mailbox owner.
This grants a degree of impersonation of the mailbox onto the delegate.
Full Access vs. Send As vs. Receive As Permissions
Granting a user, or delegate, Full Access permission to another mailbox will allow
the user to open the mailbox and access the contents, including messages or
folders, of the mailbox. This can be performed in the EAC or in the EMS via the
Add-MailboxPermission cmdlet. However, if the user needs to send a message as
the mailbox owner, the Send As permission is required. For example, the Send As
permission can be used for delegate permission on shared mailboxes to a team or
department. However, the team will not have permission to access the shared
mailbox contents without granting them Full Access permission as well.
When a user is granted Full Access permissions to other mailboxes, Outlook,
through Autodiscover, automatically loads all mailboxes to which the user has
Full Access permission. If the user has Full Access permission to a large number
of mailboxes, performance issues may occur when starting Outlook. For example,
in some Exchange organizations, administrators have full access to all the
mailboxes in the organization. In this scenario, it may make more sense to grant
Receive As permission to the mailboxes or to the mailbox database. Granting a
user Receive As permission to another mailbox will allow the user to open the
mailbox and access the contents, including messages or folders, of the mailbox,
but the user will not have permission to send messages from the other mailbox.
Outlook will not load mailboxes to which the user has Receive As permission.
When using the Add-MailboxPermission cmdlet to grant Full Access permission to
a mailbox, you can specify the AutoMapping parameter to ignore the auto-mapping
feature in Outlook. You may be asking yourself, when would I grant
Receive As permission to a mailbox if I can accomplish the same task by granting
Full Access permission with the AutoMapping parameter? You may have missed
the earlier reference, but Receive As permission can also be granted to the
mailbox database. In this scenario, a user granted Receive As permission to a
mailbox database would allow the user to open all the mailboxes on the mailbox
database, including current and future mailboxes. This option would enable you
to grant full access permission to new mailboxes automatically. Nice, huh?
A few common scenarios when you may choose to grant Receive As permission to
the mailbox database include legal review or integration with third-party
products. For example, Blackberry Enterprise Server (BES) requires that you
grant Receive As and Send As permissions to the BES service account.
You can add Receive As permission by using the Add-ADPermission cmdlet and
specifying the -ExtendedRights Receive-As parameter. You can add Send As
permissions through the EAC or by using the Add-ADPermission cmdlet and
specifying the -ExtendedRights Send-As parameter. Full Access permissions can be
added through the EAC or by using the Add-MailboxPermission cmdlet and
specifying the -AccessRights FullAccess parameter.
Assigning Full Access Permission
To assign Full Access permissions to a mailbox, simply select the mailbox to which
you want to add more permissions and double-click it to open up the mailbox
properties. From the Mailbox Properties interface window (the assigned user appears
at the top left), select the Mailbox Delegation option tab from the feature list on the
left, and then scroll down in the window. You'll notice the Full Access section
list. By clicking the + (Add) sign in the Actions list, you can add
the selected user (delegate) to the list of users with Full Access permission to this
mailbox.
You could also grant Full Access permission to a mailbox using the EMS cmdlet
Add-MailboxPermission. In this example, to assign user mJewel Full Access permission to
Taylor Ferguson's mailbox, you would use this command:
Add-MailboxPermission -Identity tFerguson -User mJewel -AccessRights FullAccess
You can remove the Full Access permission using the EMS cmdlet
Remove-MailboxPermission with the following command:
Remove-MailboxPermission -Identity tFerguson -User mJewel -AccessRights FullAccess
If you want to assign an administrator Full Access permission to all mailboxes in your
Exchange organization, you can use the Role-Based Access Control (RBAC)
management role called Mailbox Import Export. While this management role is
commonly used by administrators to import or export mailbox content, it has the
distinct advantage of granting full access to all mailboxes in your Exchange
organization as well. For example, to assign user mJewel this management role, you
would use this command:
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User mJewel
Assigning Send As Permission
To assign Send As permission, you navigate to the same page as for assigning Full
Access permission. From the Mailbox Properties window, select the Mailbox
Delegation tab from the feature list on the left. The Send As list is located near the top
of the page. By clicking the + (Add) sign in the Actions list, you can add the user
(delegate) to the list of users with Send As permission to the mailbox.
You could also grant Send As permission to a mailbox using the EMS cmdlet
Add-ADPermission. In this example, to assign user mJewel Send As permission to Taylor
Ferguson's mailbox, you would use this command:
Add-ADPermission -Identity tFerguson -User mJewel -ExtendedRights Send-As
You can remove the Send As permission using the EMS cmdlet Remove-ADPermission
with the following command:
Remove-ADPermission -Identity tFerguson -User mJewel -ExtendedRights Send-As
Assigning Send on Behalf Permission
To assign Send on Behalf permissions, you would navigate to the same page for
assigning Full Access permission. From the Mailbox Properties window, select the
Mailbox Delegation tab from the feature list on the left. The Send on Behalf list is
located near the middle of the page. By clicking the + (Add) sign in the Actions list,
you can add the user (delegate) to the list of users with Send on Behalf permission to
the mailbox.
You could also grant Send on Behalf permission to a mailbox using the EMS cmdlet
Set-Mailbox. In this example, to assign user mJewel Send on Behalf permission to
Taylor Ferguson's mailbox, you would use this command:
Set-Mailbox -Identity tFerguson -GrantSendOnBehalfTo mJewel
If an existing user has Send on Behalf permission to a mailbox, the previous command
will overwrite the existing list. However, you can add users to the list using the EMS
cmdlet Set-Mailbox with the following command:
Set-Mailbox–[email protected]{Add="mJewel"}
You can remove the Send on Behalf permission using the EMS cmdlet Set-Mailbox
with the following command:
Set-Mailbox–[email protected]{Remove="mJewel"}
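Because Full Access, Send As, Send on Behalf, database-level Receive As, and the Mailbox Import Export role are granted through different cmdlets, reviewing who can read or send as a mailbox means querying each of them. The following read-only inventory is an added example, not code from the book; the function names and output column names are this example's own, and it assumes it is run from the Exchange Management Shell.

```powershell
# Added example: read-only inventory of mailbox delegations.
# Function names and output columns are hypothetical; the cmdlets are Exchange's.

function New-DelegationRecord {
    param($Target, $Delegate, $Right, $Scope, $Inherited = $false)
    [pscustomobject]@{
        Target    = "$Target"
        Delegate  = "$Delegate"
        Right     = $Right
        Scope     = $Scope
        Inherited = [bool]$Inherited
    }
}

function Get-MailboxDelegationReport {
    [CmdletBinding()]
    param(
        # Mailboxes to inspect; omit to scan every mailbox in the organization.
        [string[]]$Identity
    )

    $mailboxes = if ($Identity) {
        $Identity | ForEach-Object { Get-Mailbox -Identity $_ }
    } else {
        Get-Mailbox -ResultSize Unlimited
    }

    foreach ($mbx in $mailboxes) {
        # Full Access set directly on the mailbox. The owner's own SELF entry,
        # inherited entries, and explicit denies are not delegations.
        Get-MailboxPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                "$($_.AccessRights)" -match 'FullAccess' -and
                -not $_.IsInherited -and -not $_.Deny -and
                "$($_.User)" -ne 'NT AUTHORITY\SELF'
            } |
            ForEach-Object {
                New-DelegationRecord $mbx.PrimarySmtpAddress $_.User 'FullAccess' 'Mailbox'
            }

        # Send-As and Receive-As are extended rights on the Active Directory object.
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                -not $_.IsInherited -and -not $_.Deny -and
                "$($_.User)" -ne 'NT AUTHORITY\SELF'
            } |
            ForEach-Object {
                foreach ($right in 'Send-As', 'Receive-As') {
                    if ("$($_.ExtendedRights)" -match $right) {
                        New-DelegationRecord $mbx.PrimarySmtpAddress $_.User $right 'Mailbox'
                    }
                }
            }

        # Send on Behalf is stored on the mailbox itself.
        foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
            New-DelegationRecord $mbx.PrimarySmtpAddress $delegate 'SendOnBehalf' 'Mailbox'
        }
    }
}

function Get-DatabaseDelegationReport {
    # Receive-As or Send-As on a database applies to every current and future
    # mailbox in it. Inherited entries are kept and flagged, because default
    # Exchange groups appear here and the reviewer should see them.
    foreach ($db in Get-MailboxDatabase) {
        Get-ADPermission -Identity $db.DistinguishedName |
            Where-Object { -not $_.Deny } |
            ForEach-Object {
                foreach ($right in 'Send-As', 'Receive-As') {
                    if ("$($_.ExtendedRights)" -match $right) {
                        New-DelegationRecord $db.Name $_.User $right 'Database' $_.IsInherited
                    }
                }
            }
    }
}

function Get-ImportExportRoleHolders {
    # Everyone who effectively holds the Mailbox Import Export management role.
    Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
        Select-Object Role, RoleAssigneeName, EffectiveUserName
}

# Usage (constructed example, using the mailbox named in the text):
#   Get-MailboxDelegationReport -Identity tFerguson | Format-Table -AutoSize
#   Get-DatabaseDelegationReport | Where-Object { -not $_.Inherited }
#   Get-ImportExportRoleHolders
```

Exporting the three reports on a schedule and comparing them with the previous run shows newly added delegates.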
Assigning Folder-Level Permission
All of the previous methods for assigning permission to a mailbox involve modifying
permission on the entire mailbox. However, you may need to assign permission
selectively to one or more specific folders within the mailbox. Assigning someone else
permissions to access individual folders within their mailbox is a common task that an
end user can perform using the Outlook client.
For an Exchange administrator, it's not practical to require them to use the Outlook
client to assign folder-level permission for an end user. Although using the EAC is not
an option, you can assign and manage folder-level permission for an end user using
the EMS cmdlet Add-MailboxFolderPermission. For example, to assign user mJewel
owner permission (equivalent to full-control permission) to the Inbox of Taylor
Ferguson's mailbox, you would use this command:
Add-MailboxFolderPermission -Identity tFerguson:\Inbox -User mJewel `
-AccessRights Owner
When assigning folder-level permission, there are multiple access rights, as well as
roles (a combination of commonly used access rights), that you can use. Refer to the
list of available access rights with the corresponding individual permissions in Table
14.1, as well as the list of available roles with the corresponding permissions that they
assign in Table 14.2.
Table 14.1 Access Rights of Mailbox Folders
Access Rights      Mailbox Folder Permission
CreateItems        The user can create items within the specified folder.
CreateSubfolders   The user can create subfolders in the specified folder.
DeleteAllItems     The user can delete all items in the specified folder.
DeleteOwnedItems   The user can only delete items that they created from the
                   specified folder.
EditAllItems       The user can edit all items in the specified folder.
EditOwnedItems     The user can only edit items that they created in the
                   specified folder.
FolderContact      The user is the contact for the specified public folder.
FolderOwner        The user is the owner of the specified folder. The user can
                   view the folder, move the folder, and create subfolders. The
                   user can't read items, edit items, delete items, or create
                   items.
FolderVisible      The user can view the specified folder but can't read or edit
                   items within the specified public folder.
ReadItems          The user can read items within the specified folder.
Table 14.2 Access Rights (Roles) of Mailbox Folders
Role (Access Rights)   Mailbox Folder Permissions
Author                 CreateItems, DeleteOwnedItems, EditOwnedItems,
                       FolderVisible, ReadItems
Contributor            CreateItems, FolderVisible
Editor                 CreateItems, DeleteAllItems, DeleteOwnedItems,
                       EditAllItems, EditOwnedItems, FolderVisible, ReadItems
None                   FolderVisible
NonEditingAuthor       CreateItems, FolderVisible, ReadItems
Owner                  CreateItems, CreateSubfolders, DeleteAllItems,
                       DeleteOwnedItems, EditAllItems, EditOwnedItems,
                       FolderContact, FolderOwner, FolderVisible, ReadItems
PublishingEditor       CreateItems, CreateSubfolders, DeleteAllItems,
                       DeleteOwnedItems, EditAllItems, EditOwnedItems,
                       FolderVisible, ReadItems
PublishingAuthor       CreateItems, CreateSubfolders, DeleteOwnedItems,
                       EditOwnedItems, FolderVisible, ReadItems
Reviewer               FolderVisible, ReadItems
If you need to change the permission a user has to a folder within a mailbox, you can
use the EMS cmdlet Set-MailboxFolderPermission to update the existing permission.
In this example, to update the existing permission that user mJewel has for Taylor
Ferguson's Inbox folder to Reviewer, you would use this command:
Set-MailboxFolderPermission -Identity tFerguson:\Inbox -User mJewel `
-AccessRights Reviewer
You can remove the folder-level permission using the EMS cmdlet
Remove-MailboxFolderPermission with the following command:
Remove-MailboxFolderPermission -Identity tFerguson:\Inbox -User mJewel
Creating a Mailbox Using the EAC and EMS
Previously, you saw how to enable an existing user with a mailbox via the EAC; now
we will explore how to create a new user and mailbox at the same time (as shown in
Figure 14.4).
Figure 14.4 Creating a user account and mailbox from the Exchange Administration
Center
In the New User Mailbox window, you select the New User option and provide user
account information, such as the first name, middle initials, last name, display name,
canonical name, user principal name (or user logon name), and a new password.
Because the user account does not exist yet, you must also specify the organizational
unit (OU) in which the user account will be created. You must have the necessary
Active Directory permissions to create user accounts in the OU.
While most of the New User Mailbox window in the EAC is the same for new and
existing users, there are more differences when creating a user mailbox in the EMS.
For example, you would use the following commands to create a mailbox and user
account at the same time:
$password = Read-Host "Enter password" -AsSecureString
New-Mailbox -FirstName Marie -LastName Jewel -DisplayName "Marie Jewel" -Name `
[email protected] -SamAccountName mJewel -Database `
"MBX-003" -OrganizationalUnit Corporate -Password $password `
-ResetPasswordOnNextLogon $true
You probably noticed the first major difference: the password component of the first
command. When creating a user account in Active Directory, you are required to
provide a password for the new account. With the first command, you are prompted to
input the password for the new user account. As you type the password in the EMS,
each character is replaced with an asterisk on the screen to protect the privacy of the
password. For additional protection, the string variable of the password will be
encrypted in memory to prevent the password from being compromised. In fact, you
are required to use an encrypted password when creating a user account in Active
Directory.
You will notice the second command is the New-Mailbox cmdlet, as opposed to the
Enable-Mailbox cmdlet used in the earlier section, "Enabling a Mailbox using the
EMS." While the latter cmdlet enables a mailbox for an existing user account, the
New-Mailbox cmdlet creates the user account and mailbox at the same time. Further
in the command, you will notice the -OrganizationalUnit parameter, which allows you
to specify the name of the domain and OU where the new user account is created. If
not specified, the user account is created in the default Users container in Active
Directory.
The New-Mailbox cmdlet also allows you to provide the -SamAccountName parameter for
defining the pre-Windows 2000 account name. Finally, the -Password parameter will
accept the encrypted variable you defined earlier. If not specified, the administrator
will be prompted to input the password for the new user account.
As an alternative to reading the password from the administrator input, you can
convert a string directly in the command. For example, this abbreviated version of the
earlier command will use the password, [email protected], when creating the new user
account:
New-Mailbox…-Password([email protected])
Managing User Mailbox Properties
Many of the user account properties managed through the Active Directory Users and
Computers console can now be managed through the EAC or the EMS. For some,
using the EAC is a little easier than using the command line, but the EMS is more
flexible and more efficient, especially when managing multiple objects.
Using the EAC to Manage User and Mailbox Properties
Let's start with managing user and mailbox properties using the EAC. We'll take a look
at a few of the things that you can do and some of the user property pages.
General: The General page (Figure 14.5) includes much of the same information
provided when creating a mailbox, such as the first name, middle initials, last
name, canonical name, display name, alias, and the user logon name.
Figure 14.5 General properties page for a mailbox
In addition to the option to require a password change at the next logon, you'll
also notice the option to Hide From Address Lists. Exchange will use this setting
to prevent the mailbox from appearing in the global address list (GAL) and other
custom address lists.
Located near the bottom of the General page, additional information is available
by clicking More options. The General page will expand to display more properties
such as the Organizational Unit and the Mailbox Database name. The General
page also includes a Custom Attributes section that allows you to access all 15
custom attributes (also referred to as extension attributes).
Mailbox Usage: Exchange displays the last time the user signed on to their
mailbox in a read-only box under Last Logon. This is useful in determining the
frequency of user access. Another read-only item is a percentage bar that shows
the total size of the mailbox and the percentage of the total mailbox quota that has
been used. You can click More Options to customize the usage settings. The first
option allows the administrator to modify the storage quota to override the
database quota settings such as when to issue a warning, when to prohibit the user
from sending email, and when to prohibit the user from sending and receiving
email.
The second storage option allows you to customize the deleted item retention
settings for the mailbox. This is the length of time that deleted items are retained
before they are permanently deleted from the mailbox and cannot be recovered by
the user. Permanently deleted items are any mail items that are deleted from the
Deleted Items folder, also known as the recoverable items folder, or hard-deleted.
By default, each mailbox database will keep permanently deleted items for 14
days. Another deleted item storage option allows you to prevent mailboxes and
email messages from being deleted until after the mailbox database on which the
mailbox is located has been backed up.
While it may not have significant impact when customizing a few mailboxes, you
should be cautious when increasing storage quotas and the retention of deleted
items for many mailboxes. You should keep in mind the original design and goals
for the messaging system. If quotas change, the system needs to be reevaluated to
determine if more resources are required. Because these adjustments can increase
the size of the mailbox database, you should periodically monitor the mailbox
database to assess the impact.
Contact Information and Organization: The Contact Information and the
Organization pages include many of the user attributes available in AD, such as
street, city, state/province, zip code, country/region, work phone, mobile phone,
fax, office, home phone, web page, notes, title, department, company, manager, and
direct reports.
Email Address: The Email Address page allows you to manage the SMTP
addresses (and other address types) that are assigned to the mailbox, as shown in
Figure 14.6.
Figure 14.6 Email Address properties of a mailbox
Regardless of how many email addresses are assigned to a mailbox, only one
email address will be used as the reply address. A mailbox can receive messages
sent to any of the email addresses, but messages sent from the mailbox will use
only one email address. When a recipient replies to a message from the mailbox,
the message will be sent to the reply address. The reply address is also known as
the primary SMTP address or ReplyTo address. In Figure 14.6, this is the email
address shown in bold. For SMTP addresses, the reply address will also show
"SMTP" in all capital letters in the Type column, whereas the other addresses will
be in lowercase letters. You can change the ReplyTo address by selecting another
email address, clicking the pencil (Edit) sign in the Actions bar, and selecting the
option to Make This the Reply Address.
On the same page, you have the option to Automatically Update Email Addresses
Based On The Email Address Policy Applied To This Recipient. When this option
is enabled on a mailbox, the email addresses are automatically updated based on
changes that are defined in the email address policies in your Exchange
organization. Disabling this option allows you to assign a different reply address,
as discussed earlier.
Email address policies affect the email addresses assigned to a mailbox. As email
address policies are created, additional email addresses will be added to one or
more mailboxes based on the scope of the policy. If a policy updates the default
SMTP address, the reply address will be updated on mailboxes.
This is a useful feature for organizations that have more than one email domain.
Notice in Figure 14.6 that the mailbox for Marie Jewel has addresses from two
different domains: [email protected]@adatum.com.
Email sent to either email address will be forwarded to her mailbox. However,
[email protected]
address. Although Exchange does not allow users to select which email address to
use for the reply address when sending a message, Outlook provides an option for
users so they can "have replies sent to" another email address. With the
appropriate permission, users can send a message from another mailbox.
Mailbox Features: The Mailbox Features page (Figure 14.7) includes a number of
configuration items. Depending on your environment, you may need to customize
features for mailboxes.
Figure 14.7 Mailbox Features properties of a mailbox
The Sharing Policy option defines which sharing policy is applied to the mailbox.
You can use sharing policies to control how users in your organization share
calendar information with users outside your organization. Sharing policies allow
users to share calendar information with different types of external users. They
support the sharing of calendar information with external federated organizations
(such as Office 365 or another Exchange organization), external nonfederated
organizations, and individuals with Internet access.
The Role Assignment Policy option defines which role-based access control
(RBAC) role is applied to the owner (user) of the mailbox. The RBAC role controls
which mailbox and distribution group configuration settings the user can modify.
More information about RBAC is available in Chapter 12, "Management
Permissions and Role-Based Access Control."
The Retention Policy option defines which retention policy and retention tags are
applied to the mailbox. The retention tags control how long messages are kept in
the mailbox and what action to take on items that have reached a certain age.
The Address Book Policy option defines which address book policy is applied to
the mailbox. An address book policy allows you to provide customized views of
the address book to users.
The Phone And Voice Features options allow you to enable the mailbox for
Unified Messaging and assign a Unified Messaging mailbox policy to the mailbox.
These features allow you to enable the mailbox for Exchange ActiveSync, also
known as Mobile Sync, and enable Outlook on the web for devices. You can also
assign a mobile device mailbox policy and manage the mobile devices associated
with the mailbox.
Email Connectivity options allow you to:
Enable Outlook on the web and assign an Outlook on the web mailbox policy.
Enable users to connect to their mailbox using the IMAP, POP3, and MAPI
client protocols.
Enable Litigation Hold.
Enable Archiving.
Mail Flow options allow you to:
Enable Delivery Options, such as forwarding email to another recipient and
setting a limit on the number of recipients the user can include on an email.
Enable Message Size Restrictions to set a maximum message size on messages
sent or received.
Enable Message Delivery Restrictions to identify which senders can and can't
send messages to the recipient.
On the Delivery Options page, you can enable the option to deliver messages to an
alternative recipient, also known as the forwarding address. The recipient that you
specify must be a mailbox in your organization or a mail user or mail contact.
When you select a mail user or mail contact in your organization, any messages sent
to the mailbox are forwarded to the external email address of the mail user or mail
contact. This is commonly used when someone leaves the company but wants to
receive email that was sent to their previous email address.
If you enable the option to Deliver Message To Both Forwarding Address And
Mailbox, any messages sent to the mailbox are sent to the mailbox and to the
forwarding address. This is commonly used when a manager wants her assistant to
receive a copy of her email.
Exchange will prevent users from sending an email to more than 5,000 users if you
don't enable the recipient limit, or the maximum number of recipients a user can
include on an email. This default global limit provides protection against spammers
who may have gained access to your system. You can use the recipient limit to allow
VIPs or other authorized users, such as Human Resources personnel, to send
messages to large numbers of users.
The Message Size Restrictions allow you to specify the maximum size of messages
the user can send or receive. Exchange will use the default global message size
restrictions, 25 MB, or the connector message size restrictions, 10 MB, by default if
limits are not enabled on the mailbox.
The Message Delivery Restrictions, as shown in Figure 14.8, allow you to restrict who
is allowed to send mail to this particular mailbox. For example, you might want to
restrict messages sent to a VIP in your organization by defining the list of accepted
senders. Conversely, you might want to restrict harassing messages sent to a user in
your organization by defining the list of rejected senders.
Figure 14.8 Message Delivery Restrictions options
By default, all email received from the Internet is received anonymously, in that the
senders do not authenticate with your Exchange servers. For some recipients, you
may prefer to require that senders authenticate with your Exchange servers. By
enabling the option to Require That All Senders Are Authenticated, you can prevent a
recipient from receiving email from anonymous senders. This would also reduce
exposure for distribution lists that receive email only from users in your
organization.
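The forwarding and sender-authentication settings described above can be reviewed across the organization from the EMS. This is an added example, not code from the book; the function names and output column names are this example's own, and it only reads configuration.

```powershell
# Added example: review forwarding targets and sender-authentication settings.
# Function names and output columns are hypothetical; the cmdlets are Exchange's.

function Get-ForwardingReport {
    # Mailboxes with a forwarding address, and whether the target is a mail
    # user or mail contact (mail leaves the organization) or another mailbox.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingAddress } |
        ForEach-Object {
            $target = Get-Recipient -Identity "$($_.ForwardingAddress)" `
                -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Mailbox            = "$($_.PrimarySmtpAddress)"
                ForwardsTo         = "$($_.ForwardingAddress)"
                TargetType         = "$($target.RecipientType)"
                ExternalAddress    = "$($target.ExternalEmailAddress)"
                # False means the mailbox keeps no copy of forwarded mail.
                KeepsLocalCopy     = [bool]$_.DeliverToMailboxAndForward
                LeavesOrganization = "$($target.RecipientType)" -in 'MailUser', 'MailContact'
            }
        }
}

function Get-AnonymouslyReachableGroup {
    # Distribution groups that accept mail from unauthenticated senders.
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
        Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled
}

# Usage:
#   Get-ForwardingReport | Where-Object LeavesOrganization | Format-Table -AutoSize
#   Get-AnonymouslyReachableGroup
```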
You will need an Exchange Server enterprise client access license (eCAL) for
deploying personal archive mailboxes, personal retention tags, transport
journaling, advanced features of ActiveSync, In-Place Hold, Data Loss Prevention
(DLP), Information protection and control (IPC) features, and Unified Messaging
features.
Using the EMS to Manage User and Mailbox Properties
You can manage mailbox and user properties using EMS. There are three EMS cmdlet
pairs that you should be familiar with for managing most of the user and mailbox
properties: Get-User and Set-User, Get-Mailbox and Set-Mailbox, and Get-CasMailbox and
Set-CasMailbox.
Get-User and Set-User: The Get-User and Set-User cmdlets allow you to manage
user account properties that are not directly related to Exchange Server. For
example, you would use the following command to update the mobile phone
number for Marie Jewel:
Set-User Marie.Jewel -MobilePhone "(920)646-6234"
The Set-User cmdlet has many useful parameters for managing user properties
(refer to the following partial list). You can retrieve them from within the EMS by
typing Get-Help Set-User.
City: Sets the city or locality name.
Company: Sets the company name.
Department: Sets the department name.
DisplayName: Updates the user's display name, which appears in the GAL.
Fax: Specifies the fax number.
FirstName: Specifies the given or first name.
HomePhone: Sets the home phone number.
LastName: Specifies the surname or last name.
Manager: Sets the name of the user's manager; the input value must be a
distinguished name in canonical name format, such as
Contoso.com/Corporate/CJLeon.
MobilePhone: Sets the mobile/cell phone number.
Phone: Sets the business phone number.
PostalCode: Sets the zip or postal code.
StateOrProvince: Sets the state or province.
StreetAddress: Sets the street address.
Title: Sets the title or job function.
You can retrieve the list of properties for a user with the Get-User cmdlet,
specifying a username, and then piping the output to the Format-List cmdlet; an
abbreviated alias for this cmdlet is FL. Piping the output of Get-User to Format-List
is a great way to enumerate the properties of an object and to learn the property
names. Here is an example of some of the properties that are returned with the
Get-User cmdlet (some properties have been removed to save space).
Get-User Marie.Jewel | FL
IsSecurityPrincipal:True
SamAccountName:Marie.Jewel
SidHistory:{}
UserPrincipalName:[email protected]
ResetPasswordOnNextLogon:False
CertificateSubject:{}
RemotePowerShellEnabled:True
NetID:
OrganizationalUnit:contoso.com/Corporate
AssistantName:
City:Honolulu
Company:SomoritaSurfboards
CountryOrRegion:
Department:SurfboardDesign
DirectReports:{}
DisplayName:MarieJewel
Fax:(920)555-6657
FirstName:Marie
HomePhone:
Initials:
LastName:Jewel
Manager:CJLeon
MobilePhone:(920)646-6234
Notes:
Office:HonoluluSurfboardDesign
OtherFax:{}
OtherHomePhone:{}
OtherTelephone:{}
Pager:(920)555-5545
Phone:(920)555-1234
PhoneticDisplayName:
PostalCode:96816
PostOfficeBox:{}
RecipientType:UserMailbox
RecipientTypeDetails:UserMailbox
SimpleDisplayName:MarieJewel(Honolulu)
StateOrProvince:Hawaii
StreetAddress:550KalakauaAvenue,Suite201
Title:SeniorSystemsEngineer
UMDialPlan:
UMDtmfMap:{emailAddress:62884392665,
lastNameFirstName:26656288439,firstNameLastName:62884392665}
AllowUMCallsFromNonUsers:SearchEnabled
WebPage:
TelephoneAssistant:
WindowsEmailAddress:[email protected]
UMCallingLineIds:{}
IsValid:True
ExchangeVersion:0.10(15.01.225.0)
Name:MarieJewel
DistinguishedName:CN=MarieJewel,OU=Corporate,
DC=contoso,DC=com
OriginatingServer:HNLMBX01.contoso.com
As you can see from the previous details, the Format-List cmdlet allows you to see
all the property names. As a result, if you need to update the State attribute of a
user, you can review the output from the previous command. After determining
that this property is referred to as StateOrProvince, you could use the following
command to update the user:
Set-User Marie.Jewel -StateOrProvince "Oklahoma"
With EMS, you can pipe the output of one cmdlet with another cmdlet to perform
bulk administration. For example, say that you need to update the office name of
all users who are in Honolulu. You can use a combination of Get-User and Set-User
cmdlets to accomplish this, based on criteria defined with the Where-Object
cmdlet; an abbreviated alias for this cmdlet is Where:
Get-User | Where {$_.City -eq "Honolulu"} | `
Set-User -Office "Main Office"
In this example, we piped the output of the Get-User cmdlet to a local filter (using
the Where-Object cmdlet). This provided us with a subset of only the users whose
City property is equal to Honolulu. The output was then piped to the Set-User
cmdlet for updating the Office property. You will be amazed at the power of EMS
to perform bulk administration in your organization.
Get-Mailbox and Set-Mailbox: The Get-Mailbox and the Set-Mailbox cmdlets allow
you to manage the properties of a mailbox. You may have already seen these
cmdlets earlier in this book when detailing how to update the mailbox storage
limits. Let's review some ways you can use these cmdlets for managing user
mailboxes. For example, you would use the following command to update the rules
quota for the user Cheyenne Pike:
Set-Mailbox Cheyenne.Pike -RulesQuota 128KB
The Set-Mailbox cmdlet has many useful parameters for managing mailboxes
(refer to the following partial list). You can retrieve them from within the EMS by
typing Get-Help Set-Mailbox.
AntispamBypassEnabled: When enabled, the Exchange Server will skip antispam
processing of messages sent to the mailbox.
CustomAttribute1: This property allows you to store custom information on the
mailbox. The property CustomAttribute1 is stored as the attribute
ExtensionAttribute1 in Active Directory. Fifteen custom attributes are available
through EMS, referred to as CustomAttribute1 through CustomAttribute15.
EmailAddressPolicyEnabled: When enabled, the Exchange server will apply an
email address policy to the mailbox, which includes defining the email
addresses.
ForwardingAddress: This property stores the name of the recipient when
forwarding email to another recipient is enabled.
HiddenFromAddressListsEnabled: When enabled, the Exchange server will
remove the mailbox from the address lists.
IssueWarningQuota: This property stores the warning threshold for the size of
the mailbox. The user receives a warning message when the mailbox reaches or
exceeds this size.
MaxReceiveSize: This property stores the maximum size of a message that can
be sent to the mailbox. Messages larger than the maximum size are rejected.
MaxSendSize: This property stores the maximum size of a message that can be
sent by the mailbox. Users receive a warning message when email messages are
larger than the maximum size.
ProhibitSendQuota: This property stores a mailbox size threshold. The user
receives a warning message that Exchange is preventing the user from sending
new messages when the mailbox reaches or exceeds this size.
ProhibitSendReceiveQuota: This property stores a mailbox size threshold. The
user receives a warning message that Exchange is preventing the user from
sending and receiving new messages when the mailbox reaches or exceeds this
size.
RecipientLimits: This property stores the maximum number of recipients a
user can include on a message.
RulesQuota: This property stores the maximum size of Inbox rules for the
mailbox.
SCLDeleteEnabled: When enabled, Exchange will silently delete messages that
meet or exceed the spam confidence level (SCL) value specified in the
SCLDeleteThreshold property.
SCLJunkEnabled: When enabled, Exchange will move, to the Junk Email folder,
messages that meet or exceed the spam confidence level (SCL) value specified
in the SCLJunkThreshold property.
SCLQuarantineEnabled: When enabled, Exchange will quarantine messages that
meet or exceed the spam confidence level (SCL) value specified in the
SCLQuarantineThreshold property. Quarantined messages are sent to the
quarantine mailbox.
SCLRejectEnabled: When enabled, Exchange will reject messages that meet or
exceed the spam confidence level (SCL) value specified in the
SCLRejectThreshold property. The Exchange server will send an NDR to the
sender of rejected messages.
UseDatabaseQuotaDefaults: When enabled, the mailbox uses the applicable
storage quotas defined for the mailbox database on which the mailbox is
located. When disabled, the mailbox uses the quotas that are defined on the
mailbox. The applicable quota values are CalendarLoggingQuota,
IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota,
RecoverableItemsQuota, and RecoverableItemsWarningQuota.
Similar to the method earlier, you can retrieve the list of properties for a mailbox
with the Get-Mailbox cmdlet, specifying a mailbox name, and then piping the
output to the Format-List, or FL, cmdlet. Here is an example of some of the
properties that are returned with the Get-Mailbox cmdlet (some properties have
been removed to save space).
Get-Mailbox Marie.Jewel | FL
Database:MBX-003
DeletedItemFlags:DatabaseDefault
UseDatabaseRetentionDefaults:True
RetainDeletedItemsUntilBackup:False
DeliverToMailboxAndForward:False
LitigationHoldEnabled:False
SingleItemRecoveryEnabled:False
RetentionHoldEnabled:False
EndDateForRetentionHold:
StartDateForRetentionHold:
RetentionComment:
RetentionUrl:
ManagedFolderMailboxPolicy:
RetentionPolicy:
CalendarRepairDisabled:False
ExchangeUserAccountControl:None
MessageTrackingReadStatusEnabled:True
ExternalOofOptions:External
ForwardingAddress:
RetainDeletedItemsFor:14.00:00:00
IsMailboxEnabled:True
OfflineAddressBook:
ProhibitSendQuota:unlimited
ProhibitSendReceiveQuota:unlimited
RecoverableItemsQuota:unlimited
RecoverableItemsWarningQuota:unlimited
DowngradeHighPriorityMessagesEnabled:False
ProtocolSettings:{}
RecipientLimits:unlimited
IsResource:False
IsLinked:False
IsShared:False
ResourceCapacity:
ResourceCustom:{}
ResourceType:
SamAccountName:Marie.Jewel
SCLDeleteThreshold:
SCLDeleteEnabled:
SCLRejectThreshold:
SCLRejectEnabled:
SCLQuarantineThreshold:
SCLQuarantineEnabled:
SCLJunkThreshold:
SCLJunkEnabled:
AntispamBypassEnabled:False
ServerName:hnlmbx01
UseDatabaseQuotaDefaults:True
IssueWarningQuota:unlimited
RulesQuota:64KB(65,536bytes)
Office:
UserPrincipalName:[email protected]
UMEnabled:False
MaxSafeSenders:
MaxBlockedSenders:
RssAggregationEnabled:True
Pop3AggregationEnabled:True
WindowsLiveID:
ThrottlingPolicy:
RoleAssignmentPolicy:DefaultRoleAssignmentPolicy
SharingPolicy:DefaultSharingPolicy
RemoteAccountPolicy:
MailboxPlan:
ArchiveGuid:00000000-0000-0000-0000000000000000
ArchiveName:{}
ArchiveQuota:unlimited
ArchiveWarningQuota:unlimited
QueryBaseDNRestrictionEnabled:False
MailboxMoveTargetMDB:
MailboxMoveSourceMDB:
MailboxMoveFlags:None
MailboxMoveRemoteHostName:
MailboxMoveBatchName:
MailboxMoveStatus:None
IsPersonToPersonTextMessagingEnabled:False
IsMachineToPersonTextMessagingEnabled:False
UserSMimeCertificate:{}
UserCertificate:{}
CalendarVersionStoreDisabled:False
Extensions:{}
HasPicture:False
HasSpokenName:False
AcceptMessagesOnlyFrom:{}
AcceptMessagesOnlyFromDLMembers:{}
AcceptMessagesOnlyFromSendersOrMembers:{}
AddressListMembership:{\Mailboxes(VLV),
\AllMailboxes(VLV),\AllRecipients(VLV),\DefaultGlobal
AddressList,\AllUsers}
Alias:Marie.Jewel
ArbitrationMailbox:
BypassModerationFromSendersOrMembers:{}
OrganizationalUnit:contoso.com/Corporate
CustomAttribute1:
CustomAttribute2:
DisplayName:MarieJewel
EmailAddresses:{SMTP:[email protected]}
GrantSendOnBehalfTo:{}
HiddenFromAddressListsEnabled:False
LegacyExchangeDN:/o=Contoso
/ou=ExchangeAdministrativeGroup(FYDIBOHF23SPDLT)/cn=Recipients/cn=Marie
Jewelclm
MaxSendSize:unlimited
MaxReceiveSize:unlimited
ModeratedBy:{}
ModerationEnabled:False
PoliciesExcluded:{}
EmailAddressPolicyEnabled:True
PrimarySmtpAddress:[email protected]
RecipientType:UserMailbox
RecipientTypeDetails:UserMailbox
RejectMessagesFrom:{}
RejectMessagesFromDLMembers:{}
RejectMessagesFromSendersOrMembers:{}
RequireSenderAuthenticationEnabled:False
SimpleDisplayName:
SendModerationNotifications:Always
UMDtmfMap:{emailAddress:62884392665,
lastNameFirstName:26656288439,firstNameLastName:62884392665}
WindowsEmailAddress:[email protected]
MailTip:
MailTipTranslations:{}
ExchangeVersion:0.10(15.01.225.0)
Name:MarieJewel
DistinguishedName:CN=Marie
Jewel,OU=Corporate,DC=tsxen,
DC=com
You may notice that some of the properties overlap with the properties returned
from the Get-User cmdlet. This is because both cmdlets retrieve many of the same
properties stored as attributes on the Active Directory user object.
Modifying Mailbox Parameters
Keep in mind that not all properties can be modified, even with the EMS.
Some of the properties shown in the previous examples are system properties
and are either created or managed exclusively by the Exchange server.
Get-CasMailbox and Set-CasMailbox: The Get-CasMailbox and Set-CasMailbox
cmdlets allow you to manage the client access settings of the mailbox. You can
configure settings for ActiveSync, Microsoft Outlook, Outlook on the web, POP3,
and IMAP4. Using the same piping method earlier, here is an example of some of
the properties that are returned with the Get-CasMailbox cmdlet (some properties
have been removed to save space):
Get-CASMailbox Marie.Jewel | FL
EmailAddresses:{SMTP:[email protected]}
LegacyExchangeDN:/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Marie Jewelclm
LinkedMasterAccount:
PrimarySmtpAddress:[email protected]
SamAccountName:Marie.Jewel
ServerLegacyDN:/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=HNLMBX01
ServerName:hnlmbx01
DisplayName:Marie Jewel
ActiveSyncAllowedDeviceIDs:{}
ActiveSyncBlockedDeviceIDs:{}
ActiveSyncMailboxPolicy:Default
ActiveSyncMailboxPolicyIsDefaulted:True
ActiveSyncDebugLogging:False
ActiveSyncEnabled:True
HasActiveSyncDevicePartnership:False
OwaMailboxPolicy:
OWAEnabled:True
ECPEnabled:True
EmwsEnabled:False
PopEnabled:True
PopUseProtocolDefaults:True
PopMessagesRetrievalMimeFormat:BestBodyFormat
PopEnableExactRFC822Size:False
PopProtocolLoggingEnabled:False
ImapEnabled:True
ImapUseProtocolDefaults:True
ImapMessagesRetrievalMimeFormat:BestBodyFormat
ImapEnableExactRFC822Size:False
ImapProtocolLoggingEnabled:False
MAPIEnabled:True
MAPIBlockOutlookNonCachedMode:False
MAPIBlockOutlookVersions:
MAPIBlockOutlookRpcHttp:False
IsValid:True
ExchangeVersion:0.10(15.01.225.0)
Name:Marie Jewel
DistinguishedName:CN=Marie Jewel,OU=Corporate,DC=contoso,DC=com
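The output above shows POP3 and IMAP4 enabled on the mailbox alongside ActiveSync, Outlook on the web, and MAPI. The following added example (not from the book) uses the same two cmdlets to report every mailbox that still allows POP3 or IMAP4 and to switch both off for accounts outside an approved list. The allow-list aliases are hypothetical, and the script assumes it is run in the Exchange Management Shell.

```powershell
# Added example: audit and reduce per-mailbox protocol exposure.
# Run in the Exchange Management Shell.

# Assumption: accounts that genuinely need POP3/IMAP4 (hypothetical names).
$LegacyProtocolAllowList = @('svc.scanner', 'svc.ticketing')

function Get-LegacyProtocolMailbox {
    # Return every mailbox whose client access settings still allow POP3 or IMAP4.
    Get-CasMailbox -ResultSize Unlimited |
        Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
        Select-Object Name, SamAccountName, DistinguishedName,
                      PopEnabled, ImapEnabled, ActiveSyncEnabled, OWAEnabled, MAPIEnabled
}

function Disable-LegacyProtocol {
    # Turn POP3 and IMAP4 off for every mailbox that is not on the allow list.
    # Supports -WhatIf so the change set can be reviewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$AllowList = @())

    foreach ($mbx in Get-LegacyProtocolMailbox) {
        if ($AllowList -contains $mbx.SamAccountName) { continue }
        if ($PSCmdlet.ShouldProcess($mbx.SamAccountName, 'Disable POP3 and IMAP4')) {
            Set-CasMailbox -Identity $mbx.DistinguishedName `
                -PopEnabled $false -ImapEnabled $false
        }
    }
}

# 1. Review the current exposure.
Get-LegacyProtocolMailbox |
    Sort-Object Name |
    Format-Table Name, SamAccountName, PopEnabled, ImapEnabled -AutoSize

# 2. Dry run: list what would change. Remove -WhatIf to apply.
Disable-LegacyProtocol -AllowList $LegacyProtocolAllowList -WhatIf
```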
Moving Mailboxes
Moving mailboxes from one mailbox database to another is a common task for Exchange Server administrators. Sometimes, mailboxes need to be moved during a transition or migration. You may also need to move all the mailboxes to another mailbox database when decommissioning an Exchange server or mailbox database. Another common scenario is when you discover a corrupted mailbox; moving the mailbox to a different mailbox database won't move the corrupt messages.
Mailbox moves in Exchange Server 2016 are largely the same as they were in Exchange Server 2013 and Exchange Server 2010, using a process known as move requests. The advantage of move requests is that the mailboxes are kept online and available during an asynchronous move from database to database, managed by the Microsoft Exchange Mailbox Replication service (MRS). In Exchange Server 2016, you may enable one or more mailbox servers for MRS and use throttling to manage the MRS performance. For remote mailbox moves over the Internet, you can enable the Microsoft Exchange Mailbox Replication Proxy (MRSProxy) service.
You can use the Exchange Administration Center (EAC) or the New-MoveRequest cmdlet to start a move request. Whichever method you prefer, the Exchange server will use the same process to move the mailbox. The steps for a local move request are as follows:
1. The Exchange administrator submits a new move-mailbox request to the Exchange server.
2. The Exchange server adds the mailbox to be moved to a queue by placing a special message in the system mailbox on the target mailbox database. The status of the move request is Queued.
3. All instances of MRS periodically check the system mailbox on every mailbox database in their Active Directory site to verify if there are any queued move requests. The first MRS instance that discovers the move request will pick it up.
4. If the databases are healthy, the MRS logs into the source mailbox and target mailbox, begins to move the mailbox data from the source mailbox database to the target mailbox database, and updates the mailbox's status in the system mailbox to InProgress.
5. Near the end of the move request, the mailbox is temporarily locked while the final mailbox synchronization is completed. At this point, the move request status changes to CompletionInProgress.
6. When the move request is completed, the applicable Active Directory attributes are updated, the old mailbox on the source mailbox database is soft deleted, and the new mailbox on the target mailbox database is activated. The move request status changes to Completed. Client access to the mailbox will be redirected to the new mailbox database.
7. The Exchange administrator can use the Get-MoveRequestStatistics cmdlet to review the move request statistics and verify detailed information about the mailbox move, such as corrupt messages or large items that are skipped, as well as a very detailed report.
8. The Exchange administrator can use the Remove-MoveRequest cmdlet to clear or remove the move request; the mailbox cannot be moved again until the move request is cleared.
Mailbox move operations may take a considerable amount of time depending on a number of factors, including network bandwidth between servers and server resources such as available CPU and disk I/O. While every environment is different, a typical move request between two servers on LAN-speed network segments may move between 3 GB to 5 GB per hour. Of course, your results may vary.
Also, depending on your Active Directory infrastructure and replication times, Outlook on the web users might not be able to reconnect to their mailboxes for up to 15 minutes after a move request. This may be the result of the home mailbox database attribute needing to be replicated to all domain controllers.
Starting with Exchange Server 2013, a new concept arose for managing move requests, the migration batch. Although it still relies on MRS, using migration batches to move mailboxes provides enhanced architectural improvements. For example, you can move multiple mailboxes in large batches, generate move-report email notification after the move is complete, facilitate automatic retry and prioritization of the move requests, move primary and archive mailboxes together or separately, provide the option for manual move-request finalization (allowing you to review your move before you complete it), and perform periodic incremental syncs to update migration changes.
Moving Mailboxes Using the EAC
One of the methods for moving mailboxes is to use the Exchange Administration Center (EAC). Open the Recipients work center of the EAC, select one or more mailboxes, and then select the Move Mailbox To Another Database task in the Details pane. This launches the New Local Mailbox Move Wizard.
New Local Mailbox Move Wizard
The most important information is found on the Move Configuration page of the New Local Mailbox Move Wizard (see Figure 14.9). You can define the migration batch name, the choice for moving the primary and/or archive mailbox, the target database for the mailbox, the target database for the archive mailbox (if one exists), and the bad item limit.
Figure 14.9 Move Configuration settings
Occasionally, the properties of a message in a mailbox get corrupted. This occurred more frequently with previous versions of Exchange Server if a pointer between one table and another table was corrupted. These corrupted messages are less common in Exchange Server 2010 and newer, since the single-instance storage (SIS) feature was removed. Nonetheless, the move request will fail if it encounters more than the maximum number of corrupted messages allowed as defined by the bad item limit.
On the next page, you are presented with migration batch settings, including the recipient who will receive a move notification report when the batch is complete, the preferred option of starting the batch automatically or manually, and the preferred option of completing the batch automatically or manually (see Figure 14.10).
Figure 14.10 Options for the migration batch
Migration Dashboard
The Migration Dashboard (see Figure 14.11) allows you to manage the migration batches in your organization. The dashboard displays helpful information about active and inactive migration batches and their progress.
Figure 14.11 The Migration Dashboard
Figure 14.12 shows a synced migration batch that is waiting to be completed. Frequently, organizations prefer to schedule email migrations over the weekend or during nonbusiness hours. Using the option to delay completion of the migration batch allows an organization to prepare migration for large volumes of email and minimize the time required to complete the email migration. You can complete the migration batch by clicking the Complete This Migration Batch link. This link is available if you select the option to manually complete the migration batch, as shown previously in Figure 14.10.
Figure 14.12 Migration progress in the Migration Dashboard
As an alternative to starting a move request as described earlier, you can click the + (Add) sign in the Actions bar to create a migration batch, either to a different database or from another forest.
Most of the options in the New Local Mailbox Move Wizard are similar to the earlier description, with the exception of the first page. Upon starting the wizard, you are provided the option of selecting the users that you want to move or uploading a list of users in a CSV file. The CSV file format is very simple, specifying the user's email address on each line.
After creating a migration batch, you can select the option to stop a batch in progress, resume a suspended or failed batch, or complete (finalize) a batch that has completed initial synchronization. These options are available in the Actions bar or Details pane of a migration batch.
New Migration Endpoint Wizard
Exchange Server 2016 uses migration endpoints to capture the remote server information and to store the required credentials for migrating the data as well as the source throttling settings. You can use a migration endpoint for remote and cross-forest moves. You do not need to use a migration endpoint when you are moving mailboxes between two different on-premises Exchange mailbox databases; this procedure is also referred to as a local move. In a cross-forest move, you can move mailboxes between two different on-premises Exchange forests, which requires using an Exchange Remote Move endpoint.
In a hybrid deployment, mailboxes can be stored on an on-premises Exchange server or hosted on the Internet by Microsoft Office 365. In this environment, a remote move may include onboarding or offboarding migrations. When onboarding, mailboxes are moved from an on-premises Exchange Server to Exchange Online in Microsoft Office 365, which requires using a Remote Move endpoint. When offboarding, mailboxes are moved from Exchange Online in Office 365 to an on-premises Exchange Server, which requires using an Exchange Remote Move endpoint.
As you can see, migration endpoints can be either a source or a destination endpoint to facilitate moving mailboxes back and forth between your different environments. Because hybrid deployments can exist indefinitely, their corresponding migration endpoints are kept persistent and used by migration batches to move mailboxes as necessary.
To create a migration endpoint, expand the Actions bar by clicking the ellipsis (More) and select Migration Endpoints. This will open the Migration Endpoints list and display the current endpoints. To add a new endpoint, click the + (New) sign from the Actions bar to start the New Migration Endpoint Wizard.
Creating a new migration endpoint is very straightforward; you need to enter the source-forest email address, the source-forest administrator name, and the source-forest administrator password.
Once you click Next, the wizard will attempt to verify the endpoint settings via Autodiscover. If unsuccessful, the wizard will prompt you to manually enter the FQDN of the Mailbox Replication Service (MRS) server URL.
Moving Mailboxes Using the EMS
Let's say you need to move the mailbox belonging to Gabrielle Williams to a mailbox database named MBX-001, while allowing up to two corrupt messages. You would use the New-MoveRequest cmdlet in the following command to initiate this move request:
New-MoveRequest -Identity "Gabrielle Williams" -TargetDatabase MBX-001 -BadItemLimit 2
You may notice that this command prompts you to confirm that you want to move the mailbox. To avoid the confirmation prompt, you can include the parameter -Confirm:$false in the command. The complete command would look something like this:
New-MoveRequest -Identity "Gabrielle Williams" -TargetDatabase MBX-001 -BadItemLimit 2 -Confirm:$false
Similar to most EMS cmdlets, you can use piping to create move requests using the New-MoveRequest cmdlet. For example, say that you want to move everyone who is a member of the Executives group to the mailbox database called MBX-001. You would use the Get-DistributionGroupMember cmdlet to enumerate the membership of the Executives group and pipe the output to the New-MoveRequest cmdlet:
Get-DistributionGroupMember -Identity "Executives" |
  New-MoveRequest -TargetDatabase MBX-001 -Confirm:$false
Alternatively, you can move the mailboxes via a migration batch, while adding a little more sophistication to the command. In the following example, you create the batch job using the New-MigrationBatch cmdlet with a batch name of MoveExecutives. The parameter Local defines the migration batch as a local move (not over the Internet). The parameter CSVData defines the list of mailboxes to migrate using the .NET method ReadAllBytes(). The TargetDatabases parameter defines the target mailbox databases to move the mailboxes. Finally, the parameter AutoStart will start the migration batch automatically.
New-MigrationBatch -Name MoveExecutives -Local `
  -CSVData ([System.IO.File]::ReadAllBytes("C:\Users\Administrator\Desktop\Goldusers.csv")) `
  -TargetDatabases @("MBX-001","MBX-002") -AutoStart
As we discussed earlier, you may need to move all the mailboxes to another mailbox database when decommissioning a mailbox database. In this scenario, you can use the Get-Mailbox cmdlet with the Database parameter to narrow the scope and pipe the output to the New-MoveRequest cmdlet, as shown in the following example:
Get-Mailbox -Database MBX-001 | New-MoveRequest -TargetDatabase MBX-003
DisplayName    Status  TotalMailboxSize         TotalArchiveSize  PercentComplete
-----------    ------  ----------------         ----------------  ---------------
Marie Jewel    Queued  59.54 KB (60,966 bytes)                    0
Cheyenne Pike  Queued  59.19 KB (60,610 bytes)                    0
David Pike     Queued  80.89 KB (82,831 bytes)                    0
Treyden Jewel  Queued  59.4 KB (60,822 bytes)                     0
Pierce Jewel   Queued  59.13 KB (60,547 bytes)                    0
With a little creativity, you can probably figure out a number of other ways to accomplish this task or tasks similar to it.
After submitting move requests, you have several options to check the status of the move requests. The simplest method is the Get-MoveRequest cmdlet:
Get-MoveRequest
DisplayName         Status      TargetDatabase
-----------         ------      --------------
Marie Jewel         Queued      MBX-001
Pierce Jewel        Queued      MBX-001
Treyden Jewel       Queued      MBX-001
Cheyenne Pike       Queued      MBX-001
David Pike          Queued      MBX-001
Gabrielle Williams  InProgress  MBX-001
Taylor Ferguson     InProgress  MBX-001
Talon Ferguson      InProgress  MBX-001
You can use the Get-MoveRequestStatistics cmdlet to view detailed information about move requests. The results from the following command display detailed information on the move request for Treyden Jewel, such as the move type (intraorganization), the status, and the progress (percentage):
Get-MoveRequestStatistics Treyden.Jewel | FL
UserIdentity:contoso.com/Corporate/Treyden Jewel
DistinguishedName:CN=Treyden Jewel,OU=Corporate,DC=tsxen,DC=com
DisplayName:Treyden Jewel
Alias:Treyden.Jewel
ArchiveGuid:
Status:InProgress
StatusDetail:CreatingInitialSyncCheckpoint
SyncStage:CreatingInitialSyncCheckpoint
Flags:IntraOrg,Pull
MoveType:IntraOrg
Direction:Pull
IsOffline:False
Protect:False
Suspend:False
SuspendWhenReadyToComplete:False
IgnoreRuleLimitErrors:False
SourceVersion:Version 15.1 (Build 225.0)
SourceDatabase:MBX-001
TargetVersion:Version 15.1 (Build 225.0)
TargetDatabase:MBX-003
RemoteHostName:
RemoteGlobalCatalog:
BatchName:
RemoteCredentialUsername:
RemoteDatabaseName:
RemoteDatabaseGuid:
TargetDeliveryDomain:
BadItemLimit:0
BadItemsEncountered:0
QueuedTimestamp:06/28/2009 10:45:38 AM
StartTimestamp:06/28/2009 10:46:55 AM
LastUpdateTimestamp:06/28/2009 10:47:16 AM
InitialSeedingCompletedTimestamp:
FinalSyncTimestamp:
CompletionTimestamp:
SuspendedTimestamp:
MoveDuration:00:01:42
TotalFinalizationDuration:
TotalSuspendedDuration:
TotalFailedDuration:
TotalQueuedDuration:00:01:13
TotalInProgressDuration:00:00:29
TotalStalledDueToCIDuration:
TotalStalledDueToHADuration:
TotalTransientFailureDuration:
MoveServerName:HNLMBX01.contoso.com
TotalMailboxSize:4.355 MB (4,566,443 bytes)
TotalMailboxItemCount:44
TotalArchiveSize:
TotalArchiveItemCount:
BytesTransferred:22.55 KB (23,089 bytes)
BytesTransferredPerMinute:56.31 KB (57,657 bytes)
ItemsTransferred:0
PercentComplete:15
PositionInQueue:
FailureCode:
Message:
FailureTimestamp:
IsValid:True
ValidationMessage:
You can also use the following command to pipe the output of all move requests, sorting the output on the Status property with the Sort-Object cmdlet; an abbreviated alias for this cmdlet is Sort:
Get-MoveRequest | Get-MoveRequestStatistics | Sort Status
DisplayName    Status             TotalMailboxSize  TotalArchiveSize  PercentComplete
-----------    ------             ----------------  ----------------  ---------------
Gabrielle Wi…  Completed          116.1 KB…                           100
Taylor Fergu…  Completed          59.24 KB…                           100
Talon Fergus…  Completed          59.24 KB…                           100
Marie Jewel    CompletionInProg…  401.6 KB…                           95
Pierce Jewel   InProgress         3.895 MB…                           29
Treyden Jewel  InProgress         272.5 KB…         3.427 KB (389
Cheyenne Pike  Queued             115.4 KB…                           0
David Pike     Queued             59.74 KB…                           0
You can also use the Get-MigrationStatistics cmdlet to display the migration batch statistics:
Get-MigrationStatistics | FL
RunspaceId:8077d2a0-1dd9-43cf-82ab-2aef5c008225
Identity:
TotalCount:8
ActiveCount:0
StoppedCount:0
SyncedCount:0
FinalizedCount:3
FailedCount:0
PendingCount:0
ProvisionedCount:0
MigrationType:ExchangeLocalMove
DiagnosticInfo:
IsValid:True
ObjectState:Unchanged
You can also configure existing migration batches to migrate mailboxes during the move using the Set-MigrationBatch cmdlet. A couple of key parameters are available with the Set-MigrationBatch cmdlet:
AutoRetryCount. This parameter specifies the maximum number of attempts to automatically restart the migration batch for move requests that encountered errors.
AllowIncrementalSyncs. This parameter specifies whether new messages sent to the source mailbox are copied to the corresponding target mailbox of a move request. If enabled, the Exchange server will incrementally synchronize the source mailbox with the target mailbox every 24 hours.
For example, you can use the Set-MigrationBatch cmdlet to update the Executives migration batch with new parameters:
Set-MigrationBatch -Identity Executives -AutoRetryCount 5 `
  -AllowIncrementalSyncs $true
You can use the Stop-MigrationBatch cmdlet to stop the migration batch:
Get-MigrationBatch | Stop-MigrationBatch
Alternatively, you can use the Remove-MigrationBatch cmdlet to remove the migration batch:
Get-MigrationBatch | Remove-MigrationBatch
Exchange stores some of the information about a mailbox move in the mailbox object. Here is an example of the move request information available using the Get-Mailbox cmdlet:
Get-Mailbox Treyden.Jewel | FL DisplayName,*move*
DisplayName:Treyden Jewel
MailboxMoveTargetMDB:MBX-001
MailboxMoveSourceMDB:MBX-003
MailboxMoveFlags:IntraOrg,Pull
MailboxMoveRemoteHostName:
MailboxMoveBatchName:
MailboxMoveStatus:Completed
Historical move request information that is stored in a mailbox can be retrieved using the Get-MailboxStatistics cmdlet with the IncludeMoveHistory parameter. Review the MoveHistory property from the following command output:
Get-MailboxStatistics Treyden.Jewel -IncludeMoveHistory | FL
AssociatedItemCount:12
DeletedItemCount:0
DisconnectDate:
DisplayName:Treyden Jewel
ItemCount:32
LastLoggedOnUserAccount:ITHICOS\Treyden.Jewel
LastLogoffTime:
LastLogonTime:06/28/2009 1:34:31 PM
ObjectClass:Mailbox
StorageLimitStatus:BelowLimit
TotalDeletedItemSize:0 B (0 bytes)
TotalItemSize:4.356 MB (4,568,055 bytes)
Database:MBX-003
ServerName:HNLMBX01
DatabaseName:MBX-003
MoveHistory:{(06/31/2009 10:48:01 AM: TargetMDB=MBX-003, Size=4.355 MB (4,566,443 bytes), Duration=00:02:18), (07/06/2009 11:31:02 PM: TargetMDB=MBX-001, Size=4.301 MB (4,510,383 bytes), Duration=00:02:03)}
IsQuarantined:False
IsArchiveMailbox:False
You can remove the completed or queued move requests using the Remove-MoveRequest cmdlet when you no longer need information about the move. You are required to remove move requests for mailboxes for which you want to submit an additional move request.
While this cmdlet removes the move status information from Active Directory, it does not remove the move history from the mailbox statistics. To remove user Treyden.Jewel's move request information, use this command:
Remove-MoveRequest Treyden.Jewel -Confirm:$false
You can also use piping to remove move requests based on criteria. The following command removes the completed move requests from Active Directory:
Get-MoveRequest | Where {$_.Status -eq "Completed"} | Remove-MoveRequest
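The submit, monitor, and clear steps above can be combined so that a move request is cleared only when it finished without skipping any items. The following added example (not from the book) does that for the database-decommissioning case; the batch name and report folder are hypothetical, and the script assumes it is run in the Exchange Management Shell.

```powershell
# Added example: submit moves, wait for them to settle, keep evidence for
# anything that did not finish cleanly.
# Assumptions: batch name and report folder are hypothetical.
$BatchName  = 'Decom-MBX-001'
$ReportPath = 'C:\MoveReports'

function Wait-MoveBatch {
    param(
        [Parameter(Mandatory = $true)][string]$BatchName,
        [int]$PollSeconds = 60
    )
    # States in which MRS does no further work without an administrator.
    $settled = 'Completed', 'CompletedWithWarning', 'Failed', 'Suspended', 'AutoSuspended'
    do {
        $stats = @(Get-MoveRequest -BatchName $BatchName | Get-MoveRequestStatistics)
        # Progress goes to the console only, so it does not pollute the return value.
        $stats | Sort-Object Status |
            Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered -AutoSize |
            Out-Host
        $pending = @($stats | Where-Object { $settled -notcontains $_.Status.ToString() })
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollSeconds }
    } while ($pending.Count -gt 0)
    return $stats
}

# 1. Queue every mailbox on the source database, tagged with one batch name.
Get-Mailbox -Database MBX-001 -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase MBX-003 -BadItemLimit 2 `
        -BatchName $BatchName -Confirm:$false |
    Out-Null

# 2. Poll until no request is still Queued, InProgress, or CompletionInProgress.
$final = @(Wait-MoveBatch -BatchName $BatchName)

# 3. Clear clean moves; keep the request and its report for everything else.
if (-not (Test-Path $ReportPath)) { New-Item -ItemType Directory -Path $ReportPath | Out-Null }
foreach ($move in $final) {
    $clean = ($move.Status.ToString() -eq 'Completed') -and ($move.BadItemsEncountered -eq 0)
    if ($clean) {
        Remove-MoveRequest -Identity $move.DistinguishedName -Confirm:$false
    }
    else {
        $file = Join-Path $ReportPath ('{0}.xml' -f $move.Alias)
        Get-MoveRequestStatistics -Identity $move.DistinguishedName -IncludeReport |
            Export-Clixml -Path $file
        Write-Warning ('{0}: status {1}, bad items {2}; report saved to {3}' -f `
            $move.DisplayName, $move.Status, $move.BadItemsEncountered, $file)
    }
}
```

A move that completed with skipped items has lost those messages in the target mailbox, so its request is left in place here until someone has read the saved report.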
Managing the Migration Batch
When migrating to a new environment, many Exchange architects and consultants spend a great deal of time staring at progress bars or status windows as mailboxes move between databases; this can be extremely frustrating. To avoid wasting time, you should not wait until the environment is completely deployed before you start moving the mailboxes. Rather, create a migration batch and enable it to automatically suspend, providing you with more flexibility regarding when the batch file will complete. In this way, you can complete the deployment of the post mailbox database environment while the mailboxes are migrating.
Once you are ready to complete the migration batch, Exchange will synchronize differences in the mailboxes since the initial sync, or since the last sync if you enabled incremental syncs, and complete the migration batch. Any time you spend learning how to create a migration batch, you will make up for when the migration occurs over hours instead of days.
Retrieving Mailbox Statistics
At various times, Exchange administrators may need to run a report that identifies the amount of storage that each mailbox is consuming. The building blocks of information for this type of report are available using the Get-MailboxStatistics cmdlet, which requires one of three parameters:
-Identity Retrieves the mailbox statistics for a specific mailbox
-Database Retrieves statistics for all mailboxes on a specific mailbox database
-Server Retrieves statistics for all mailboxes on a specific server
Here is an example of using the cmdlet to retrieve mailbox statistics for a specific mailbox:
Get-MailboxStatistics -Identity Cheyenne.Pike
DisplayName    ItemCount  StorageLimitStatus  LastLogonTime
-----------    ---------  ------------------  -------------
Cheyenne Pike  35         NoChecking          03/15/2009 1:34:31 PM
Here is an example of using the cmdlet to retrieve mailbox statistics for all the mailboxes on the mailbox database MBX-003:
Get-MailboxStatistics -Database MBX-003
DisplayName              ItemCount  StorageLimitStatus  LastLogonTime
-----------              ---------  ------------------  -------------
Suriya Supatanasakul     4          BelowLimit          11/25/2009 9:55:28 AM
Online Archive - Chuck…  0          NoChecking          12/15/2009 7:47:41 AM
Michael G. Brown         4          BelowLimit          11/26/2009 9:01:12 AM
Chuck Swanson            9
Jason Crawford           5          BelowLimit          11/27/2009 3:53:09 PM
Jordan Chang             11         BelowLimit
Luke Husky               4          BelowLimit          12/21/2009 5:23:48 PM
Clayton K. Kamiya        35         NoChecking          12/23/2009 6:48:12 AM
Treyden Jewel            32         BelowLimit          12/13/2009 7:13:38 PM
The Get-MailboxStatistics cmdlet contains multiple useful properties. You can use these properties to display the necessary information for an administrator, as well as the required fields for a management report. The following are some of the properties that are returned with the Get-MailboxStatistics cmdlet:
DisplayName Display name of the mailbox.
ItemCount Total number of items in the mailbox.
TotalItemSize Total size of all the items in the mailbox except for items in the Recoverable Items folder.
TotalDeletedItemsSize Total size of all the items in the Recoverable Items folder, previously known as the Dumpster or deleted item cache.
StorageLimitStatus Status of the mailbox storage limits; the limits you may see are as follows:
- BelowLimit: Mailbox is below all limits.
- IssueWarning: Mailbox storage is above the issue warning limit.
- ProhibitSend: Mailbox is above the prohibit send limit.
- MailboxDisabled: Mailbox is over the prohibit send and receive limit.
- NoChecking: No quota checking.
Database Name of the mailbox database, such as MBX-002, on which the mailbox is located.
ServerName Name of the mailbox server on which the database is active.
LastLogoffTime Date and time the last account logged off the mailbox.
LastLogonTime Date and time the last account logged on to the mailbox.
LastLoggedOnUserAccount Name of the last account (domain name and username) logged on to the mailbox. This could be an account with full access permissions to the mailbox, a delegate, or even someone simply checking the Calendar.
DisconnectDate Date and time the mailbox was deleted or disconnected.
IsArchive Indicates if the mailbox is an archive mailbox.
IsQuarantined Indicates if the mailbox is quarantined. An Exchange server will quarantine a mailbox when it detects a client consuming too much of the Store process. This may be caused by corrupt mailbox data or a software bug in either the client or Store process.
MoveHistory Historical information of a completed move request when the IncludeMoveHistory parameter is used. This information includes status, flags, target database, bad items, start times, end times, duration that the move request was in various stages, and failure codes.
Let's suppose you want to view a mailbox report that includes the display name, the total size of the mailbox, the total number of items, and the storage limit status on the mailbox database MBX-003. You can use the following command to accomplish this and include the Where clause to filter out any mailbox whose name contains the word system:
Get-MailboxStatistics -Database MBX-003 |
  Where {$_.DisplayName -notlike "*System*"} |
  FT DisplayName,TotalItemSize,ItemCount,StorageLimitStatus
DisplayName          TotalItemSize                     ItemCount  StorageLimitStatus
-----------          -------------                     ---------  ------------------
Julie R. Samante     372.5 KB (381,396 bytes)          4          BelowLimit
Suriya Supatanas…    970 MB (1,017,087,604 bytes)      4          BelowLimit
Ken Vickers          7.842 KB (8,030 bytes)            4          BelowLimit
John Park            5.138 MB (5,387,323 bytes)        11         BelowLimit
Online Archive -…    7.846 KB (8,034 bytes)            0          NoChecking
Michael G. Brown     8.077 MB (8,469,169 bytes)        4          BelowLimit
Chuck Swanson        4.618 GB (4,958,195,270 bytes)    9
Online Archive -…    2.133 GB (2,289,975,794 bytes)    0          NoChecking
Clarence A. Birtcil  17.4 GB (18,680,008,619 bytes)    4          BelowLimit
Jonathan Core        1.002 GB (1,075,524,880 bytes)    4          BelowLimit
Marie Badeau         15.28 GB (16,404,419,182 bytes)   4          BelowLimit
Kevin Wile           91.02 GB (97,729,567,596 bytes)   4          BelowLimit
Jason Crawford       16.39 KB (16,785 bytes)           5          BelowLimit
As you may have noticed, the units of measure for the values of TotalItemSize are not consistent; they include KB, MB, and GB. This can be problematic when you need to produce a report for management. Fortunately, you can use PowerShell to convert the mailbox size to a standard unit of measure. Depending on the average size of mailboxes in your environment, you may need to convert the value to kilobytes, megabytes, or gigabytes. For example, you can use the following expression to convert TotalItemSize to megabytes:
expression={$_.TotalItemSize.Value.ToMB()}
Starting with the previous requirements, you can use the following command that standardizes the TotalItemSize as megabytes and redirects the output to a text file using the > (greater than) character and a filename:
Get-MailboxStatistics -Database MBX-003 |
  Where {$_.DisplayName -notlike "*System*"} |
  FT DisplayName,@{expression={$_.TotalItemSize.Value.ToMB()};width=20;label="Mailbox Size (MB)"},ItemCount,StorageLimitStatus > c:\Mailbox.txt
You could also send the data to a CSV, XML, or HTML file by piping the output using the Export-Csv, Export-Clixml, or ConvertTo-Html cmdlet. For more detailed examples of tuning the output of Get-MailboxStatistics, look at Chapter 5, “Introduction to PowerShell and the Exchange Management Shell.”
Here are a few more examples of common requests you may receive in your organization. Using the PowerShell cmdlet Get-Date, you can use the following command to identify the mailboxes that have not been accessed in the last 30 days (subtracts 30 days from the current date):
Get-MailboxStatistics -Database MBX-003 |
  Where {$_.LastLogonTime -lt (Get-Date).AddDays(-30) -and $_.DisplayName -notlike "*System*"} |
  Format-Table DisplayName,LastLogonTime,LastLoggedOnUserAccount,ServerName
You can use the following command to identify the mailboxes that have been disconnected over the last seven days on server HNLMBX01:
Get-MailboxStatistics -Server HNLMBX01 |
  Where {$_.DisconnectDate -gt (Get-Date).AddDays(-7)} |
  Format-Table DisplayName,ServerName,DatabaseName,TotalItemSize -AutoSize
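The size conversion and the last-logon filter above can be combined into one CSV report that also separates mailboxes that were never logged on to from mailboxes that have gone quiet, since both have a LastLogonTime that compares as older than the cutoff. This is an added example, not from the book; the function names and output path are hypothetical. It parses the byte count from the text form of TotalItemSize, so it does not depend on the ToMB() method being available on the object.

```powershell
# Added example: mailbox usage and activity report for one database.
# Run in the Exchange Management Shell. Function names and the CSV path
# are hypothetical.

function ConvertTo-MB {
    # Accepts a TotalItemSize value (object or string) whose text form looks
    # like "4.355 MB (4,566,443 bytes)" and returns the size in megabytes.
    param($Size)
    if ($null -eq $Size) { return $null }
    if ($Size.ToString() -match '\(([\d,.\s]+) bytes\)') {
        $bytes = [double]($Matches[1] -replace '[^\d]', '')
        return [math]::Round($bytes / 1MB, 2)
    }
    return $null   # "Unlimited" or an unrecognized format
}

function Get-MailboxUsageReport {
    param(
        [Parameter(Mandatory = $true)][string]$Database,
        [int]$StaleDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    Get-MailboxStatistics -Database $Database |
        # Skip system mailboxes and mailboxes that are already disconnected.
        Where-Object { $_.DisplayName -notlike '*System*' -and -not $_.DisconnectDate } |
        Select-Object DisplayName,
            @{ Name = 'MailboxSizeMB'; Expression = { ConvertTo-MB $_.TotalItemSize } },
            ItemCount, StorageLimitStatus, LastLogonTime, LastLoggedOnUserAccount,
            @{ Name = 'Activity'; Expression = {
                # A null LastLogonTime would otherwise pass the -lt test and be
                # reported as stale, hiding the fact that nobody ever logged on.
                if ($null -eq $_.LastLogonTime)       { 'NeverLoggedOn' }
                elseif ($_.LastLogonTime -lt $cutoff) { 'Stale' }
                else                                  { 'Active' }
            } }
}

# Constructed sample value, taken from the output format shown in this chapter.
ConvertTo-MB '4.355 MB (4,566,443 bytes)'

# Largest mailboxes first, written as CSV for a management report.
Get-MailboxUsageReport -Database MBX-003 |
    Sort-Object MailboxSizeMB -Descending |
    Export-Csv -Path C:\Mailbox.csv -NoTypeInformation
```

When reviewing the Stale rows, check LastLoggedOnUserAccount as well: as noted in the property list, the last logon may have been a delegate or an account with full access rather than the mailbox owner.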
Deleting Mailboxes
Deleting mailboxes might not seem like such a complicated task until you realize there are multiple ways, or options, to delete a mailbox. These options include disconnecting the mailbox from a user account, deleting both the user account and the mailbox, and purging the mailbox.
Use Caution When Deleting!
In Exchange Server 2016, the Actions bar in the EAC provides you with the default Delete action, which will delete the mailbox and the user account. If you prefer to delete only the mailbox, ensure you click the ellipsis (More) and select Disable.
Deleting the Mailbox but Not the User
If you choose the Disable option within the EAC, the mailbox is disconnected from the user account, but the user account remains in Active Directory. This is equivalent to using the EMS cmdlet Disable-Mailbox. For example, you would use the following command to disable a mailbox:
Disable-Mailbox Marie.Jewel
When you disable a mailbox, the Exchange attributes are removed from the corresponding Active Directory user account, but the user account is retained. When a mailbox is deleted, Exchange retains the mailbox in the mailbox database and switches the mailbox to a disabled state. Disabled and deleted mailboxes are retained in the mailbox database until the deleted mailbox-retention period expires, which is 30 days by default. After the retention period expires, the mailbox is permanently deleted or purged. Disabled or deleted mailboxes are commonly referred to as disconnected mailboxes. In addition to retaining disconnected mailboxes for 30 days, many organizations will commonly keep the disabled user account for 30 days in case they need to be reactivated.
Deleting Both the User and the Mailbox
If you choose the Remove option within the EAC, the mailbox is disconnected from the user account, the Exchange attributes are removed from the corresponding Active Directory user account, and the user account is deleted from Active Directory. This is equivalent to using the EMS cmdlet Remove-Mailbox. For example, you would use the following command to remove a mailbox:
Remove-Mailbox Marie.Jewel
When the user account and the mailbox are deleted, the procedure to restore them would require more steps. This is because the objects are stored in separate locations. You would need to restore the mailbox from the mailbox database. The user account would need to be restored from Active Directory (e.g., using the Active Directory Recycle Bin).
Purging the Mailbox
When you permanently delete or purge mailboxes, all mailbox contents are purged from the mailbox database, and the data loss is permanent. The associated user account in Active Directory is also deleted, if it exists. This prevents the mailbox from being recovered.
As noted earlier, a deleted mailbox is permanently deleted or purged after the retention period expires. However, here are two methods to manually purge a mailbox from the mailbox database based on the current status.
If you want to permanently delete the user account and the mailbox, you can use the Permanent parameter. For example, you can use the following command to permanently delete an active mailbox:
Remove-Mailbox Marie.Jewel -Permanent:$true
There are two types of disconnected mailboxes in Exchange: disabled and soft-deleted. If you want to permanently delete a disconnected mailbox from the mailbox database, you must specify one of these types when using the Remove-StoreMailbox cmdlet to permanently delete the mailbox. If the type you specify does not match the actual type of the disconnected mailbox, the command will fail.
You can use the Get-MailboxDatabase and the Get-MailboxStatistics cmdlets to identify whether a disconnected mailbox is disabled or soft-deleted and to retrieve the mailbox GUID value of the disconnected mailbox. This is used by the Remove-StoreMailbox cmdlet. In addition to the mailbox GUID, you will need to identify the mailbox database where the mailbox was deleted. For example, you can use the following commands to permanently delete the disconnected mailbox from MBX-003, which was disabled:
# Select-Object keeps the property values; a Format-List (fl) result cannot be read back as $Temp.Database
$Temp = Get-MailboxDatabase | Get-MailboxStatistics | `
  Where {$_.DisplayName -eq "Marie Jewel"} | `
  Select-Object DisplayName,MailboxGuid,Database,DisconnectReason
Remove-StoreMailbox -Database $Temp.Database `
  -Identity $Temp.MailboxGuid -MailboxState $Temp.DisconnectReason
Reconnecting a Deleted Mailbox
Exchange Server allows you to undelete a deleted mailbox, which is commonly referred to as reconnecting a deleted, or disconnected, mailbox. As we noted earlier, there are two types of disconnected mailboxes in Exchange. For reconnection purposes, here is a more in-depth description of each:
Disabled mailboxes. When a mailbox is disconnected or removed by using the Disable-Mailbox or Remove-Mailbox cmdlet, Exchange retains the disconnected mailbox, and the mailbox is switched to a disabled state. The Active Directory user account associated with the mailbox is also deleted. With disabled mailboxes, you can recover mailbox data without having to restore the entire mailbox database. In fact, disabled mailboxes are retained in the mailbox database until the deleted mailbox retention period expires, which is 30 days by default, or until the mailbox is permanently deleted.
Soft-deleted mailboxes. When a mailbox is moved, Exchange does not completely delete the mailbox from the source mailbox database upon completion of the move request. Instead, the mailbox in the source mailbox database is switched to a soft-deleted state. With soft-deleted mailboxes, you can use the New-MailboxRestoreRequest cmdlet to access mailbox data during a mailbox restore operation. Soft-deleted mailboxes are retained in the source mailbox database until either the deleted mailbox retention period expires, which is 30 days by default, or until the Remove-StoreMailbox cmdlet is used to purge the mailbox.
Until a deleted mailbox is permanently deleted from the mailbox database, you can use the EAC or the Shell to connect a deleted mailbox to an Active Directory user account. You can also use the Shell to restore the contents of the deleted mailbox to an existing mailbox.
Reconnecting a Mailbox Using the EAC
To reconnect a deleted mailbox using the EAC, from the Actions menu of the Mailbox tab, click the ellipsis (More) and then select Connect A Mailbox. In the Connect a Mailbox window, select the appropriate mailbox server from the drop-down menu (see Figure 14.13).
Figure 14.13 Connecting a disconnected mailbox
The list of disconnected mailboxes includes disabled mailboxes, deleted mailboxes, and soft-deleted mailboxes. In this example, select the disconnected mailbox for Marie Jewel and click Connect. If the wizard is able to locate the corresponding user account in Active Directory, you will be prompted to connect the mailbox to either the original user account or a different account. If the wizard is unable to locate the corresponding user account in Active Directory, you will be prompted to only connect the mailbox to a different user account in Active Directory.
If you choose to connect the mailbox to a different user account, you will be prompted to select it from the existing user accounts in Active Directory. You will only be shown a list of user accounts that aren't mail-enabled. Next, you will select the type of mailbox that you are reconnecting: User mailbox, Room Resource mailbox, Equipment Resource mailbox, or Linked mailbox.
Youcanusethefollowingcommandtogeneratethesamelistofdisconnected
mailboxesbyusingtheGet-MailboxStatisticscommandwithafiltertoincludeonly
objectswithavaluefortheDisconnectDateproperty:
Get-MailboxStatistics-ServerHNLMBX01|Where{$_.DisconnectDate
-ne$null}|ftDisplayName,DisconnectDate
DisplayNameDisconnectDate
------------------------PierceJewel12/10/20093:13:37AM
MarieJewel12/02/20003:13:23AM
TreydenJewel11/25/20093:13:55AM
CheyennePike11/20/20093:13:47AM
DavidPike11/16/20093:13:01AM

No More Worries about Disconnected Mailboxes

In previous versions of Exchange Server, you needed to run the
Clean-MailboxDatabase cmdlet after you deleted a mailbox. This cmdlet cleaned up the
mailbox database so disconnected mailboxes would appear in the Disconnected
Mailboxes section.

In Exchange Server 2016, the Disable-Mailbox cmdlet runs a cleanup process
immediately after you disconnect a user's mailbox, updating the database to
reflect the disconnected status.

In some cases, however, the store state for a mailbox may become out-of-sync
with the state of the corresponding user account in Active Directory. This can
result from Active Directory replication latency. For example, a mailbox-enabled
user account is disabled in Active Directory but isn't marked as disabled in the
Exchange mailbox store.

In this scenario, you can use the Update-StoreMailboxState cmdlet to synchronize
the store state for the mailbox with the state of the corresponding user account in
Active Directory and mark the mailbox as disabled in the Exchange mailbox store.
This cmdlet is useful for troubleshooting issues when the store state for a
mailbox is unexpected or if you suspect that the store state is different from the
state for the corresponding Active Directory account.

Reconnecting a Mailbox Using the EMS

To reconnect a deleted mailbox using the EMS, you would use the Connect-Mailbox
cmdlet. When using this cmdlet, you need to provide the name of the deleted mailbox,
the mailbox database name where the mailbox was deleted, and the user account to
connect the mailbox to.

The identifier for the deleted mailbox should be the unique mailbox GUID, the display
name, or the legacy Exchange distinguished name (commonly referred to as
LegacyDN). You can also provide a new alias for the mailbox when reconnecting.

In many situations, you may not have the necessary information about the deleted
mailbox prior to reconnecting the deleted mailbox. You can use the
Get-MailboxStatistics cmdlet to enumerate the information you need to reconnect a
mailbox:

Get-MailboxStatistics -Server HNLMBX01 | Where {$_.DisconnectDate -ne $null} | FT DisplayName,Database

DisplayName      Database
-----------      --------
Marie Jewel      MBX-001
CJ Jewel         MBX-002
Pierce Jewel     MBX-003
Treyden Jewel    MBX-003

With this information, you can use the following command to reconnect the deleted
mailbox, Marie Jewel, to the user account Contoso\Marie.Jewel:

Connect-Mailbox "Marie Jewel" -Database MBX-001 -User "Contoso\Marie.Jewel"

Bulk Manipulation of Mailboxes Using the EMS

Arguably the most beneficial feature of Windows PowerShell and the EMS is the
ability to perform bulk manipulation of Exchange-related objects.

Managing Mailbox Properties Using the EMS

Let's say you want to disable Outlook on the web for all the mailboxes in your
organization. As you may recall from earlier, you would use the Set-CASMailbox cmdlet
to configure client access settings on a mailbox. With one line in the EMS, you can
retrieve all the mailboxes in your organization and pipe them to the Set-CASMailbox
cmdlet:

Get-Mailbox | Set-CASMailbox -OWAEnabled:$False

As you can see from the previous example, these are very powerful and potentially
dangerous commands. If not careful, you can easily do something you did not intend
to do. Use extreme caution when using the EMS if you are performing any type of bulk
administration.

You may want to consider appending the WhatIf parameter to any commands
performing bulk administration. This option allows you to test what would happen if
the script ran without actually making any changes to the environment. Effectively, it
provides a preview of the changes.

When beginning to learn EMS, you may not be interested in making changes to every
mailbox or user account in your organization. For this reason, you may want to
consider starting with smaller groups of users. In many situations, these groups of
users may already be members of common groups.

You can use the Get-DistributionGroup cmdlet to list all of the distribution groups in
the organization:

Get-DistributionGroup

Name             DisplayName      GroupType  PrimarySmtpAddress
----             -----------      ---------  ------------------
OperationsGroup  OperationsGroup  Global,[email protected]
Executives       Executives       Global,[email protected]
SalesGroup       SalesGroup       Universal,[email protected]

Further, you can use the Get-DistributionGroupMember cmdlet to retrieve a list of
members of a distribution group (remember that this is not text within the
PowerShell environment; these are unique objects that can be piped as input to
another cmdlet):

Get-DistributionGroupMember -Identity "Executives"

Name             RecipientType
----             -------------
Marie Jewel      UserMailbox
Pierce Jewel     UserMailbox
Treyden Jewel    UserMailbox

Starting with an example we used earlier to override the mailbox quotas for one
mailbox, you can use a similar command to set the quota for all members of the
Executives group:

Get-DistributionGroupMember -Identity "Executives" | `
Set-Mailbox -ProhibitSendQuota 250MB -IssueWarningQuota 200MB `
-UseDatabaseQuotaDefaults $false -ProhibitSendReceiveQuota 300MB

This command retrieves the membership list for the Executives distribution group and
then passes those objects as input to the Set-Mailbox cmdlet.

Another common task you may need to perform is to move all of the mailboxes in the
Executives group to the Executives mailbox database:

Get-DistributionGroupMember -Identity "Executives" | `
New-MoveRequest -BadItemLimit 2 -TargetDatabase MBX-003

Further, you could use the following command to move all mailboxes on a specific
mailbox server by using the Get-Mailbox cmdlet with the -Server option to help you
narrow your list of mailboxes:

Get-Mailbox -Server HNLEX04 | New-MoveRequest -TargetDatabase MBX-003

Similarly, you could use the following command to move only the mailboxes on a
specific mailbox database:

Get-Mailbox -Database MBX-004 | New-MoveRequest -TargetDatabase MBX-003

As you can imagine, there are multiple ways to accomplish similar tasks in EMS.
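
A safer shape for the bulk Set-CASMailbox change discussed above, as an added example that is not from the book: scope the change to one group, record the current setting, preview with -WhatIf, and only then apply it. It assumes an Exchange Management Shell session; the file name owa-before.csv is hypothetical.

```powershell
# Added example: scoped, previewed, reversible bulk change.
# Run in the Exchange Management Shell. The state file name is hypothetical.
$StateFile = 'C:\Demo\owa-before.csv'

# 1. Limit the scope to the mailbox members of one group instead of every
#    mailbox returned by Get-Mailbox.
$targets = Get-DistributionGroupMember -Identity "Executives" -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' }

# 2. Record the current value for every target so the change can be undone.
$targets |
    Get-CASMailbox |
    Select-Object DistinguishedName, OWAEnabled |
    Export-Csv -Path $StateFile -NoTypeInformation

# 3. Preview. -WhatIf reports each mailbox that would be changed and
#    modifies nothing.
$targets | Set-CASMailbox -OWAEnabled:$false -WhatIf

# 4. Apply. -Confirm prompts before each mailbox is changed.
$targets | Set-CASMailbox -OWAEnabled:$false -Confirm

# 5. Roll back from the recorded state if the change has to be reversed.
Import-Csv -Path $StateFile | ForEach-Object {
    Set-CASMailbox -Identity $_.DistinguishedName `
        -OWAEnabled ([System.Convert]::ToBoolean($_.OWAEnabled))
}
```

Steps 4 and 5 change mailboxes; run step 3 and review its output first.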

Scripting Account Creation

In many organizations, the account provisioning process will create multiple accounts
simultaneously. This is also a common task that is used during migrations. The EMS
allows you to automate this process by reading the data from a text or CSV file. For
example, here's a CSV file of new users:

Name,Database,OrganizationalUnit,UserPrincipalName
Marie Jewel,MBX-001,contoso.com/Executives,[email protected]
Treyden Jewel,MBX-001,contoso.com/Executives,[email protected]
Pierce Jewel,MBX-001,contoso.com/Executives,[email protected]
Cheyenne Pike,MBX-002,contoso.com/Sales,[email protected]
David Pike,MBX-002,contoso.com/Sales,[email protected]
Zoe Pike,MBX-002,contoso.com/Sales,[email protected]
Taylor Ferguson,MBX-003,contoso.com/HR,[email protected]

Within the CSV file are four columns of attributes, which represent the minimum
required attributes to create a user mailbox, along with the password. In your
environment, however, you may have additional attributes for new users, such as first
name, last name, SAMAccountName, userPrincipalName, alias, and so on. In most
scenarios, the parent OU for each user must exist in Active Directory.

A common method for reading information from a CSV file is to use the Import-CSV
cmdlet. This cmdlet creates table-like custom objects from the items in the CSV file.
Each column in the CSV file becomes a property of the custom object, and the items in
rows become the property values.

In this scenario, you will use the New-Mailbox cmdlet to create a mailbox for each row
in the CSV file after you import the file with the Import-CSV cmdlet. Here is a sample
script for creating mailboxes referenced in the CSV file:

# Import the CSV file - save objects to the $Users variable.
$Users = Import-Csv -Path C:\Demo\newaccounts.csv
# Output the contents of the $Users variable - for display only
$Users
# Prompt for a password that will be used for each new user account.
$Password = Read-Host "Please enter a password" -AsSecureString
# Use a Foreach loop to parse each line of the CSV file separately
Foreach ($User in $Users) {
    New-Mailbox -Name $User.Name -Database $User.Database `
        -OrganizationalUnit $User.OrganizationalUnit `
        -UserPrincipalName $User.UserPrincipalName -Password $Password
}
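
The sample script gives every new account the same password. The following variant is an added example, not the book's script: it validates each CSV row, generates a separate random initial password per account, and forces a password change at first logon. The sample rows and function names are constructed for illustration; New-Mailbox is only called when the Exchange cmdlets are loaded, and with -WhatIf unless $Commit is set.

```powershell
# Added example. Sample rows are constructed; two of them are deliberately bad.
$SampleCsv = @'
Name,Database,OrganizationalUnit,UserPrincipalName
Test User One,MBX-001,contoso.com/Executives,test.one@contoso.com
Test User Two,MBX-002,contoso.com/Sales,test.two@contoso.com
Broken Row,,contoso.com/Sales,not-a-upn
Test User Dup,MBX-002,contoso.com/Sales,Test.One@contoso.com
'@
$Commit = $false   # leave $false to preview with -WhatIf

# Hypothetical helper: random password from a CSPRNG, returned as SecureString.
function New-RandomSecurePassword {
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+=?'
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes >= limit (no modulo bias)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    try {
        do {
            $chars = New-Object char[] $Length
            $i = 0
            while ($i -lt $Length) {
                $rng.GetBytes($buf)
                if ($buf[0] -lt $limit) {
                    $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
                    $i++
                }
            }
            $text = -join $chars
            # Retry until upper case, lower case, and a digit are all present.
        } until ($text -cmatch '[A-Z]' -and $text -cmatch '[a-z]' -and $text -match '\d')
    } finally { $rng.Dispose() }
    $secure = New-Object System.Security.SecureString
    foreach ($c in $chars) { $secure.AppendChar($c) }
    [Array]::Clear($chars, 0, $chars.Length)
    $secure.MakeReadOnly()
    $secure
}

# Hypothetical helper: returns the list of problems found in one CSV row.
function Test-ProvisioningRow {
    param($Row, [System.Collections.Generic.HashSet[string]]$SeenUpns)
    $problems = @()
    foreach ($col in 'Name', 'Database', 'OrganizationalUnit', 'UserPrincipalName') {
        if ([string]::IsNullOrWhiteSpace($Row.$col)) { $problems += "missing $col" }
    }
    $upn = $Row.UserPrincipalName
    if ($upn) {
        if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $problems += 'malformed UPN' }
        if (-not $SeenUpns.Add($upn.ToLowerInvariant())) { $problems += 'duplicate UPN in file' }
    }
    , $problems
}

$seen = New-Object 'System.Collections.Generic.HashSet[string]'
$haveExchange = [bool](Get-Command New-Mailbox -ErrorAction SilentlyContinue)

$report = foreach ($row in ($SampleCsv | ConvertFrom-Csv)) {
    $problems = Test-ProvisioningRow -Row $row -SeenUpns $seen
    if ($problems.Count -gt 0) {
        [pscustomobject]@{ Name = $row.Name; Status = 'Skipped'; Detail = ($problems -join '; ') }
        continue
    }
    $status = 'Validated only (Exchange cmdlets not loaded)'
    if ($haveExchange) {
        $params = @{
            Name                     = $row.Name
            Database                 = $row.Database
            OrganizationalUnit       = $row.OrganizationalUnit
            UserPrincipalName        = $row.UserPrincipalName
            Password                 = New-RandomSecurePassword   # unique per account
            ResetPasswordOnNextLogon = $true
        }
        # The password is never displayed or written to disk.
        New-Mailbox @params -WhatIf:(-not $Commit) | Out-Null
        $status = if ($Commit) { 'Created' } else { 'Previewed (-WhatIf)' }
    }
    [pscustomobject]@{ Name = $row.Name; Status = $status; Detail = '' }
}
$report | Format-Table -AutoSize
```

Because the generated password is not kept, this example assumes the first credential is handed to the user through your existing password-reset process.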

Managing Mailbox Content

The need to control mailbox content and size is often due to limited disk space for
mailbox databases, but it may also be due to company security policies, email
archiving, electronic discovery (eDiscovery) requirements, regulatory compliance, or
simply needing to assist your users with cleaning the junk out of their mailboxes.
Over the years, there have been multiple third-party solutions for managing mailbox
and folder content.

Many organizations deploy email archive solutions that remove content from users’
mailboxes and store it in long-term storage, such as tape, optical, network-attached
storage (NAS), or storage area networks (SANs). In some cases, archive solutions are
put in place merely to reduce the size of the Exchange Server mailbox databases but
still allow users long-term access to their old mail data. In other cases, an organization
is required to keep certain types of message content, such as financial data, official
company communications, and healthcare-related data.

As you can imagine, email archiving has raised new issues and challenges not only for
the Exchange Server administrator but for management and users as well. For
example, some types of messages may need to be retained for long periods of time, but
is one copy of each message sufficient? There has to be some method of determining
which messages should be retained or archived. Unfortunately, most of the time this
responsibility falls to the user.

Organizations that are concerned about meeting regulatory compliance requirements
with respect to message archiving and long-term retention of certain types of
messages may also be interested in keeping a journaled copy of messages.

Exchange Server 2007 introduced the basics of mailbox contents management;
Exchange Server 2010 leaped forward with retention policies and retention tags.
Exchange Server 2013 and Exchange Server 2016 continue with the policies and tags
from previous editions but with some advancements and modifications. In this
section, we will specifically explore retention policies and retention tags in more
detail.

Finally, significant improvements in IOPS for Exchange Server 2016 and in costs for
large disks have created opportunities for organizations to provide 100 GB mailboxes
on-premises. Along with the cached mode sync slider in Outlook 2013 and Outlook
2016, very large mailboxes are possible for end users.

Understanding the Basics of Messaging Records Management

Before diving into how you would design and deploy Messaging Records Management
(MRM), you should become familiar with some basic terminology and behavior. We'll
explore possible usage scenarios, what the user would experience, and the basics of
getting started.

For starters, Messaging Records Management encompasses management of email
content “at rest.” This means that you are managing the content while it is sitting in a
folder in a mailbox. You shouldn't confuse this concept with transport rules, which are
discussed in more detail in Chapter 23, “Managing Transport, Data Loss Prevention,
and Journaling Rules.”

Messaging Records Management and Licensing

Exchange Server 2016 licensing for MRM is simple; you can use the default
retention policies. Default retention policies are applied to the entire mailbox.
If you want to use personal or custom policies, you will need to purchase an
enterprise CAL, or eCAL. The following web pages contain more information:

http://office.microsoft.com/en-us/exchange/microsoft-exchange-server-licensing-licensing-overview-FX103746915.aspx
https://products.office.com/en-us/exchange/microsoft-exchange-server-licensing-licensing-overview

User Participation

Keep in mind that MRM requires user participation. A popular misconception is that
content that should be retained will automatically be moved to the appropriate
managed folder in your primary mailbox. Messages in your primary mailbox are not
organized automatically—users must participate in MRM by moving the relevant
content into the appropriate managed folders.

On the other hand, there are some automatic actions that do not require user
participation. Automatic actions are limited to deleting (purging) messages or moving
messages to the archive mailbox. For example, you can enable the Exchange server to
automatically purge messages from the Deleted Items folder or to move messages
from the Inbox in your primary mailbox to the same folder in your archive mailbox.

However, the real purpose of MRM is for the user to participate in the process. For
example, you can enable custom retention tags in the user's mailbox, but it is up to the
user to determine where and when to apply those tags. Figure 14.14 shows a sample
set of the default and personal retention tags.

Figure 14.14 List of the default and personal retention tags

The administrator defines the retention policy name, the retention action, and the
retention period (number of days before the retention action should be applied), but it
is up to the user to apply those retention tags in their mailbox. Users should be
trained to categorize their mailbox content and apply personal retention tags to the
content. This will allow the Exchange server to take actions based on the retention
policies applied and delete/move items based on the retention tags’ settings.

Possible Scenarios

You will find many useful scenarios for MRM, even if your organization does not
perform email archiving or is not required to meet regulatory compliance, such as
these:

Creating custom retention tags that are used by users to categorize or organize information that must be retained in your organization
Deleting emails in the Junk Email folder and emptying the Deleted Items folder
Archiving emails in a shared mailbox
Enforcing deletion of Inbox messages after the defined retention period
Archiving or deleting voicemail messages after a period of time

These are just a few of the common scenarios for MRM.

Getting Started with Messaging Records Management

Retention policies and tags can be defined in the EAC or the EMS. In most of our
scenarios, we will describe how you can do this in the EAC and follow up with EMS
commands as necessary.

The retention policies and tags are located in the Compliance Management section in
the EAC. Because of the complexities, you cannot set up Messaging Records
Management (MRM) using a single dialog or wizard—multiple steps are required to
get started. We'll go into more detail later in the chapter on how to do each of these
steps, but for now, let's start with a basic outline of how you would begin creating and
applying a retention policy:

1. Create one or more retention tags.
2. Define retention tag settings and actions.
3. Create a retention policy, and link retention tags to the policy.
4. Assign the retention policy to users.

Managing Default Folders

The default folders in a mailbox are the folders that Outlook creates automatically the
first time you open a mailbox. The list of default folders is static; you cannot create
additional default folders. To prevent conflicting policies, you can enable only one
retention tag for a particular default folder within the same retention policy. The
following is a list of the default folders in Exchange:

Calendar
Conversation History
Deleted Items
Drafts
Inbox
Journal
Junk Email
Notes
Outbox
RSS Feeds
Sent Items
Sync Issues

Creating Retention Tags

You can use retention tags to apply retention settings to items and folders in the user's
mailbox. The applied settings specify how long a message stays in the user's mailbox
and what happens when the message reaches its retention age. When a message
reaches its retention age, it can be moved to the user's archive mailbox, deleted
(moved to the Recoverable Items folder), or permanently deleted (message is
unrecoverable). This action depends on the retention tag settings you choose when
you create the retention tag. You can also allow users to apply a retention tag to items
and folders in their own mailboxes.

When creating the retention tag, you can choose from three types:

Applied Automatically To Entire Mailbox (Default): Also referred to as
default policy tags (DPTs), these retention tags apply to any untagged mailbox
items in the entire mailbox. Untagged items are mailbox items that do not have a
retention tag applied.

Applied Automatically To A Folder: Also referred to as retention policy tags
(RPTs), these retention tags apply retention settings to default folders, such as the
Inbox, Deleted Items, or Sent Items. Items within a default folder will inherit the
RPT of the folder, if one is assigned. Users cannot change an RPT that is applied to
a default folder. They can, however, apply a different personal tag to one or more
items in a default folder.

Applied By Users To Items And Folders (Personal): Commonly referred to as
personal tags, these tags are applied manually by users to specific items or folders
through Outlook or Outlook on the web. Users can apply personal tags to items
even if a different personal tag is already applied. When planning for licensing,
your organization will need to acquire enterprise CAL (eCAL) for each user with
personal tags.

Three types of actions are available to choose from when you're creating the
retention tag:

Delete And Allow Recovery: This option deletes the item from the mailbox and
moves it to the Recoverable Items folder. The user can recover these items from
there. You can apply this action in DPTs, RPTs, and personal tags.

Permanently Delete: This option purges the item from the mailbox. The user
cannot recover these items. You can apply this in DPTs, RPTs, and personal tags.

Move To Archive: This option moves the item to the archive mailbox. If the user
has not been enabled with an archive mailbox, no action is taken. You can apply
this action in DPTs and personal tags only.

You apply these actions based on when an item reaches a specific retention period.
The retention period is the age at which retention is enforced on an item. Based on the
action, the age limit corresponds to the number of days from the date the item was
delivered, the date an item was created, or the date an item was deleted (see Figure
14.15).

Figure 14.15 Creating a personal retention tag

You can also enable a comment on the retention tag, which can display helpful
information to the user in Outlook.

By default, Exchange creates the retention policy Default MRM Policy in your
on-premises Exchange organization. Although the policy is automatically applied to the
mailbox when you provision an archive for the mailbox, you can change the retention
policy applied to a mailbox at any time.

For example, you can modify tags included in the Default MRM Policy by changing the
retention age or retention actions, disable a tag, or modify the policy by adding or
removing tags from it. The updated retention policy is applied to mailboxes the next
time they're processed by the Managed Folder Assistant. Table 14.3 shows the default
retention tags contained within the Default MRM Policy.

Table 14.3 Default MRM Policy Retention Tags

Name                                        Type                      Retention age (days)  Retention action
Default 2 years move to archive             Default Policy Tag (DPT)  730                   Move to Archive
Recoverable Items 14 days move to archive   Recoverable Items folder  14                    Move to Archive
Personal 1 year move to archive             Personal tag              365                   Move to Archive
Personal 5 year move to archive             Personal tag              1,825                 Move to Archive
Personal never move to archive              Personal tag              Not applicable        Move to Archive
1 Week Delete                               Personal tag              7                     Delete and Allow Recovery
1 Month Delete                              Personal tag              30                    Delete and Allow Recovery
6 Month Delete                              Personal tag              180                   Delete and Allow Recovery
1 Year Delete                               Personal tag              365                   Delete and Allow Recovery
5 Year Delete                               Personal tag              1,825                 Delete and Allow Recovery
Never Delete                                Personal tag              Not applicable        Delete and Allow Recovery

While most organizations will simply customize and apply the Default Retention
Policy, some organizations require more than one retention policy. Such scenarios
requiring multiple retention policies may include different DPTs or different retention
requirements for default folders. You may also have different requirements for which
you present personal retention tags to users, thereby necessitating more than one
retention policy in your organization.

When planning retention tags, you should consider the following:

You can only select a delete action for RPTs—either delete and allow recovery or permanently delete.
You can't create an RPT to move messages to the archive. To move old items to archive, you can create a DPT, which applies to the entire mailbox, or you can enable personal tags, which allows users to apply in Outlook or Outlook on the web.
Messages with a personal tag applied take precedence over any other retention tag that may also be applied to the message.
You can only add one RPT for a particular default folder to a retention policy. For example, if a retention policy has a Deleted Items tag, you can't add another RPT of type Deleted Items to that retention policy.
You cannot apply RPTs to the Contacts folder.
Retention policies are applied to mailbox users. The same policy applies to the user's mailbox and archive.
The DPT also applies to the Calendar and Tasks default folders. Consequently, this may result in items being deleted or moved to the archive inadvertently based on the DPT settings. To prevent the DPT settings from deleting items in these folders, create RPTs with retention disabled, as this will take precedence over the DPT. To prevent the DPT settings from moving items to the archive, you can create a disabled personal tag with the move to archive action, add it to the retention policy, and then have users apply it to the default folder.

Keeping the Deleted Items Folder Clean with Retention Tags

One pet peeve of many Exchange Server administrators is that users will delete
messages from their Inbox or Sent Items folder but never empty the Deleted
Items folder. It is not uncommon to find hundreds of megabytes of message
content in a user's Deleted Items folder. In the following example, you set up
conditions on the Deleted Items folder so that items older than seven days are
deleted from the Deleted Items folder, but users can recover the deleted message
from the Recoverable Items folder.

Let's create a new retention tag to purge items older than seven days from the
Deleted Items folder. To do this through the EAC, choose Compliance
Management ⇨ Retention Tags and create a new tag that is automatically applied
to a default folder. Select the Deleted Items folder and specify the retention action
to permanently delete after seven days.

Here is the EMS command to define this managed-content setting:

New-RetentionPolicyTag -Name "Remove Items from the deleted items after 7 days" `
-Type "DeletedItems" -RetentionAction PermanentlyDelete `
-RetentionEnabled $True -AgeLimitForRetention 7.00:00:00

Managing Retention Policies

After creating the retention tags, you assign them to mailboxes with a retention policy.
A retention policy is simply a collection of one or more retention tags that can be
applied to a mailbox. You can assign the policy to one or more mailboxes.

One Retention Policy per Mailbox

Each mailbox can have only one retention policy assigned to it.

Creating Retention Policies

Retention policies are found in the Retention Policies section of the Compliance
Management work center. By default, there is one policy; it contains all the default
tags created in Exchange Server 2016 during the installation.

A retention policy has few properties. When you launch the New Retention Policy
Wizard, you are asked to provide a name for the policy, and you must provide the
retention tags that will be assigned through this policy. Figure 14.16 shows the New
Retention Policy page of the wizard.

Figure 14.16 Creating a retention policy

When creating retention policies, you must remember that only one retention policy
can be assigned to a user, so you should design your policies carefully. However, you
can create multiple retention policies for different groups of users.

You can use the New-RetentionPolicy cmdlet in the following command to create a
retention policy:

New-RetentionPolicy -Name "Corporate Executives" `
-RetentionPolicyTagLinks "1 Week Delete","1 Year Delete","Never Delete"

The following retention tags can be included in a retention policy:

One or more retention tags for supported default folders
One DPT with the Move To Archive action
One DPT with the Delete And Allow Recovery or Permanently Delete action
One DPT for voicemail messages with the Delete And Allow Recovery or Permanently Delete action
Any number of personal tags

Assigning Retention Policies to Users

After you define a retention policy, the next step is to apply it to a mailbox. You can do
this in one of two ways. The first method is to apply the retention policy to a mailbox
in the EAC after the mailbox is created. Figure 14.17 shows the Mailbox Features page
of the mailbox's properties. You can open the drop-down list and select the policy you
want to assign for that user.

Figure 14.17 Assigning a retention policy to a user's mailbox

The second method is to apply the retention policy to a mailbox by using one of these
EMS cmdlets: Enable-Mailbox, Set-Mailbox, or New-Mailbox. With any of these cmdlets,
you can use the RetentionPolicy parameter to apply the appropriate retention policy to
a mailbox. For example, you can use the following command to apply the retention
policy when you enable a mailbox:

Enable-Mailbox -Identity "Marie Jewel" -Alias Marie.Jewel `
-Database MBX-001 -RetentionPolicy "Corporate Executives Policy"

If the mailbox already exists, you can use the following command to assign the
retention policy:

Set-Mailbox "Marie Jewel" -RetentionPolicy "Corporate Executives Policy"

If you know that you have to apply a retention policy to a group of mailboxes, it may
be easier using the EMS. For example, you can use the following command to apply
the retention policy to all the users in the Executives group:

Get-DistributionGroupMember -Identity "Executives" | Set-Mailbox `
-RetentionPolicy "Corporate Executives Policy"

In another common scenario, you have been tasked with identifying the mailboxes
with the Corporate Executives Policy applied. You can use the following command to
filter the objects using the Where cmdlet:

Get-Mailbox | Where {$_.RetentionPolicy -like "*Executive*"} |
Format-Table Name,RetentionPolicy

Name             RetentionPolicy
----             ---------------
Marie Jewel      Corporate Executives Policy
Pierce Jewel     Corporate Executives Policy
Treyden Jewel    Corporate Executives Policy
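
Before assigning a retention policy in bulk, it helps to see what each policy will actually do. The following read-only audit is an added example, not from the book: it expands every policy into its linked tags, flags tags whose action is Permanently Delete, and counts mailboxes per policy. It assumes an Exchange Management Shell session and that the RetentionPolicy property renders as the policy name, as in the output above.

```powershell
# Added example: read-only audit of retention policies and their assignment.
# Only Get-* cmdlets are used; nothing is modified.

# 1. One row per (policy, linked tag), with the tag's type, action, and age.
$policyRows = foreach ($policy in Get-RetentionPolicy) {
    foreach ($link in $policy.RetentionPolicyTagLinks) {
        $tag = Get-RetentionPolicyTag -Identity "$link"
        [pscustomobject]@{
            Policy       = $policy.Name
            Tag          = $tag.Name
            Type         = "$($tag.Type)"
            Action       = "$($tag.RetentionAction)"
            AgeLimit     = $tag.AgeLimitForRetention
            Enabled      = $tag.RetentionEnabled
            # Permanently deleted items cannot be recovered by the user.
            Irreversible = ($tag.RetentionEnabled -and
                            "$($tag.RetentionAction)" -eq 'PermanentlyDelete')
        }
    }
}
$policyRows | Sort-Object Policy, Type | Format-Table -AutoSize

# 2. How many mailboxes each policy reaches, including mailboxes with none.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Group-Object { if ($_.RetentionPolicy) { "$($_.RetentionPolicy)" } else { '(none)' } } |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# 3. Mailboxes covered by a policy that contains an irreversible tag.
$riskyPolicies = @($policyRows |
    Where-Object { $_.Irreversible } |
    Select-Object -ExpandProperty Policy -Unique)

$mailboxes |
    Where-Object { $riskyPolicies -contains "$($_.RetentionPolicy)" } |
    Select-Object Name, RetentionPolicy |
    Sort-Object RetentionPolicy, Name
```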

Enabling Messaging Records Management on the Mailbox Server

The Managed Folder Assistant is a process that runs on every Mailbox server in your
organization and is responsible for making MRM work. The Managed Folder Assistant
processes mailboxes that have a retention policy applied, and it will stamp each item
with the appropriate retention tag. The Managed Folder Assistant will also take
appropriate actions on the items, including moving to archive and deleting.

With earlier versions of Exchange Server, you had to manage the schedule for when
mailbox servers should run the Managed Folder Assistant, preferring nonbusiness
hours and during times when availability of resources was minimal. However, in
Exchange Server 2016, the Managed Folder Assistant is a throttle-based assistant,
which means that it is always running and does not need to be scheduled. Because the
Managed Folder Assistant is throttled on the amount of system resources it can
consume, Exchange defines the frequency for how often mailboxes are processed for
MRM. By default, the work cycle for the Managed Folder Assistant is one day.

You can use the following command to view the default Managed Folder Assistant
settings on each mailbox server:

Get-MailboxServer | fl name,*managedFolder*

Name                                    : EX2016MBX1
ManagedFolderWorkCycle                  : 1.00:00:00
ManagedFolderWorkCycleCheckpoint        : 1.00:00:00
ManagedFolderAssistantSchedule          :
LogPathForManagedFolders                : C:\Program Files\Microsoft\Exchange Server\V16\Logging\ManagedFolderAssistant
LogFileAgeLimitForManagedFolders        : 00:00:00
LogDirectorySizeLimitForManagedFolders  : Unlimited
LogFileSizeLimitForManagedFolders       : 10 MB (10,485,760 bytes)
RetentionLogForManagedFoldersEnabled    : False
JournalingLogForManagedFoldersEnabled   : False
FolderLogForManagedFoldersEnabled       : False
SubjectLogForManagedFoldersEnabled      : False

While the Managed Folder Assistant is automated, you can also run it manually. You
can use the Start-ManagedFolderAssistant cmdlet in the following command to
immediately start processing the specific mailbox for MRM:

Start-ManagedFolderAssistant -Identity Marie.Jewel

The Bottom Line

Create and delete user mailboxes. Exchange Server 2016 supports the same
types of mail-enabled users as previous versions of Exchange Server. These are
mailbox-enabled users who have a mailbox on your Exchange server and the
mail-enabled user account. The mail-enabled user account is a security principal within
your organization (and would appear in your global address list), but its email is
delivered to an external email system.

There are four different types of mailbox-enabled user accounts: a User mailbox, a
Room Resource mailbox, an Equipment Resource mailbox, and a Linked mailbox.
You can perform mailbox management tasks via either the Exchange
Administration Center or the Exchange Management Shell.

Master It Your Active Directory forest has a trust relationship to another
Active Directory forest that is part of your corporate IT infrastructure. The
administrator in the other forest wants you to host their email. What type of
mailboxes should you create for the users in this other forest?

Master It You must change user Marie Jewel's office name to Honolulu.
You want to do this using the Exchange Management Shell. What command
would perform this task?

Master It You need to increase the maximum number of senders that can be
included in the safe senders list for Pierce Jewel's mailbox from 1,024 to 4,096.
You want to make this change using the Exchange Management Shell. What
command would you use?

Manage mailbox permissions. A newly created mailbox allows only the owner
of the mailbox to access the folders within that mailbox. An end user can assign
someone else permissions to access individual folders within their mailbox or to
send mail on their behalf using the Outlook client. The administrator can assign
permissions to the entire mailbox for other users. Further, the administrator can
assign a user the Send As permission to a mailbox.

Master It All executives within your organization share a single administrative
assistant whose username is Cheyenne Pike; all of the executives belong to a
mail distribution group called Executives. All of the executives want you to
grant user Cheyenne Pike access to all of the folders within their mailboxes.
Name two ways you can accomplish this.

Move mailboxes to another database. Exchange Server 2016 implements a
way to move mailbox content from one mailbox database to another. Although you
initiate the move using the administrative tools (i.e., the EAC and the EMS cmdlet
New-MoveRequest), the Microsoft Exchange Server Mailbox Replication service
(MRS) that runs on each Mailbox server manages the moves and migrates the
data.

Master It You want to use the EMS to move the mailbox for Treyden Jewel
from mailbox database MBX-001 to MBX-002. The move should ignore up to
three bad messages before it fails. What command should you use?

Master It You have submitted a move request for user Treyden Jewel. You
want to check the status and statistics of the move request to see if it has
completed; you want to use the Exchange Management Shell to do this. What
command would you type?

Perform bulk manipulation of mailbox properties. By taking advantage of
piping and the EMS, you can perform bulk manipulation of users and mailboxes in
a single command that previously might have taken hundreds of lines of scripting
code.

Master It You want to move all of your executives to a single mailbox database
called MBX-004. All of your executives belong to a mail distribution group
called Executives. How could you accomplish this task with a single command?

Use Messaging Records Management to manage mailbox content.
Messaging Records Management provides you with control over the content of a
user's mailbox. Basic MRM features allow you to automatically purge old content,
such as deleted items or junk email. You can create new managed folders within
the user's mailbox as well as move content to these folders.

Master It You are managing an Exchange Server organization that was
transitioned from Exchange Server 2010. You have found that many of your
users are not emptying the contents of their Deleted Items and Junk E-mail
folders. You want to automatically purge any content in these folders after 14
days. What are the steps you should take to do this?
Chapter15
ManagingMail-EnabledGroups,MailUsers,andMail
Contacts
Atthispoint,youshouldbewellawareofthedifferentrecipienttypesthatare
availableinExchangeServer2016.(Ifyouneedarefresher,reviewChapter13,“Basics
ofRecipientManagement.”)
WhilemostadministratorsarefamiliarwiththeconceptofgroupsinActiveDirectory,
mail-enabledgroupsaresimplygroupswithallthenecessaryattributestobelistedin
theExchange-specificdirectoriesandtobeidentifiedasarecipientobject.Allthe
benefitsofgroups,asActiveDirectoryobjects,stillapplytomail-enabledgroups.The
largestbenefitofmail-enabledgroupsisthatyoucanusethemtoapplypermissions
toresourcesaswellastosendemailmessagestothesamegroupofusers.
INTHISCHAPTER,YOUWILLLEARNTO:
Createandmail-enableuserandcontactobjects
Managemailusersandmailcontactsinamessagingenvironment
Choosetheappropriatetypeandscopeofmail-enabledgroups
Createandmanagemail-enabledgroups
ExplorethemoderationfeaturesofExchangeServer2016
Understanding Mail-Enabled Groups
If your organization is like most organizations today, you make significant use of mail groups. You may refer to these as mail-enabled groups, distribution groups, or distribution lists. The official term for a mail group, though, is mail-enabled group—essentially, a group that resides in Active Directory but is managed as a mail-enabled object from the Exchange Server administrative tools. Within Active Directory are two primary types of groups—security groups and distribution groups:
Security Groups: These groups can be assigned permissions to resources or rights to perform certain tasks. Security groups can be mail-enabled and can be used for addressing mail by Exchange Server recipients.
Distribution Groups: These groups are not security principals; they have no security identifier and, therefore, cannot be assigned any rights or permissions. Distribution groups are intended for use with a mail system that integrates with Active Directory, such as Exchange Server.
Dynamic Distribution Groups: These groups are a subset of distribution groups. The membership of a dynamic distribution group (DDG) is dynamic, based on criteria defined by the administrator. DDGs are managed by using the Exchange Administration Center or the Exchange Management Shell. Similar to distribution groups, these groups cannot be assigned any rights or permissions.
When you create a new group using the Active Directory Users and Computers interface, you must provide a scope for the group in addition to defining the group type (see Figure 15.1).
Figure 15.1 Creating a new group using Active Directory Users and Computers
All mail-enabled groups in Exchange Server 2016 must be configured with a Universal group scope. With this scope type, Active Directory will replicate the membership list attribute for the group to all global catalog servers in the organization.
In earlier versions of Exchange Server, such as Exchange Server 2007, you could mail-enable groups configured with a global or domain local group scope. However, this could cause mail-delivery problems in organizations with multiple Active Directory domains, because the membership of a global group, for example, was not replicated to a global catalog server. As you can imagine, this resulted in lost emails.
Naming Mail-Enabled Groups
When creating mail-enabled groups, an important consideration is a standard for the display names. Choose a standard that will work for your organization and that your users will clearly understand. The key is to identify a naming convention that represents static units (based on geography or department) and that is, therefore, less likely to need to be modified.
Using a naming standard also allows the groups to be listed together in the global address list. Because address lists are sorted alphabetically, users can easily locate the correct mail-enabled group, even if they are unaware of the group beforehand.
To assist with this endeavor, you can create a distribution group naming policy. A group naming policy allows you to standardize and manage the names of distribution groups created by users in your organization. For example, you can require that a specific prefix and suffix be added to the name of a distribution group when it's created, and you can block specific words from being used, thereby minimizing the use of inappropriate words in group names.
With a group naming policy, you can:
Enforce a consistent naming strategy for groups created by users.
Identify distribution groups in the shared address book.
Suggest the function or membership of the group.
Identify the type of users who are likely members of the group.
Identify the geographic region in which the group is used.
Block inappropriate words in group names.
Creating Mail-Enabled Groups
The simplest method to create and manage mail-enabled groups is to use the Exchange Admin Center. Using only Active Directory Users and Computers will not define the mail attributes required by Exchange.
To create a mail-enabled group, launch the Exchange Admin Center, navigate to the Recipients area work center, select Groups, and then click + (Add) from the Actions menu. Select one of the three group types from the list of available group types: distribution group, security group, or dynamic distribution group, as shown in Figure 15.2.
Figure 15.2 Viewing the group choices in the Exchange Admin Center
Selecting a group type launches the New Group window. For example, selecting the group type Distribution Group opens the New Distribution Group window, as shown in Figure 15.3. In this window, you can create a distribution group with the following options:
Display Name: The name of the group that is visible from the Exchange Admin Center and the global address list.
Alias: The alias will be used to generate the group's email address.
Notes: The description can be used to provide context for the group and is visible from the global address list and Active Directory Users and Computers.
Organizational Unit: The location where the group will be created in Active Directory.
Owners: Owners of the group are users who can change the membership of the group by using Microsoft Outlook or Outlook on the web. Additionally, any user that has the appropriate Recipient Management role assigned can modify the membership of a group.
Members: Members of the group can be any recipient type, including other mail-enabled groups. This section also includes options that control the membership of the group. For example, you can enable the group to allow users to join the membership of a group. Group membership requirements can be set to Open, Closed, or Owner Approval. Only distribution groups can be enabled for Open or Closed. Because of the risk of inadvertently granting unnecessary permissions to users, security groups can only be set to Owner Approval.
Figure 15.3 Opening the New Distribution Group window
In the event you want to mail-enable an existing distribution group or security group, you must use the Exchange Management Shell (EMS). You can use the following command to mail-enable the existing Executives group:
Enable-DistributionGroup -Identity Executives -DisplayName Executives -Alias Executives
Mail-Enabled Groups: What Not to Do
While groups allow administrators to efficiently manage resource permissions and provide users with a simple method of sending email messages to multiple recipients, there are many examples of companies that misuse or overuse groups. In most of these scenarios, inappropriate management of group permissions, as well as the lack of a standard naming convention, can have unforeseen consequences for administrators and users.
In an example, one organization's Active Directory infrastructure had lost all default and standard security provisions for minimizing administrative rights. Their lack of a security policy allowed everyone in the company to have domain administrator permission. Beyond the obvious security implications, this issue had snowballed into a messaging problem where the global address list included more than 50,000 objects for a company of fewer than 200 users.
Upon further inspection, a large group of support users was in charge of creating mail-enabled groups for anyone who requested them. Requests came from everyone, with little more reason than, “I need a group for Project X. Please add me to that group. We need to send emails to each other as well.” Because the company lacked a standard group-naming convention, it was difficult to identify the purpose of each group. To complicate the situation, groups were never purged from Active Directory. Most of them had been stale for many years, and all were mail-enabled.
This example illustrates the consequences of improper planning when designing and implementing Active Directory and Exchange Server. A large offline address book, a security risk (when mail-enabled security groups are mistaken for distribution groups), and an inefficient Active Directory structure are only some of the impacts of improper group management.
Creating Dynamic Distribution Groups
With many medium and large organizations, you may discover a problem with keeping the membership of your distribution groups up to date. In most scenarios, you may consider using dynamic distribution groups (DDGs) as an alternative solution. DDGs are distribution groups whose membership is based on specific recipient filters rather than a defined set of recipients. When an email is sent to a DDG, Exchange will query Active Directory and identify the recipients based on one or more criteria, such as organizational unit, city, or department. The benefit to using a DDG is that when Active Directory properties are changed, the DDG membership updates dynamically. Similar to distribution groups, DDGs cannot be security groups—they cannot be used to assign permission to resources.
The process to create a DDG is a little different than other mail-enabled groups because you need to define the recipient filters and the conditions of the mail-enabled group. Exchange provides pre-canned filters to make it easier for you to create the recipient filters for DDGs. In addition, you can specify a list of conditions that the recipients must meet.
To create a DDG, launch the Exchange Admin Center, navigate to the Recipients area work center, select Groups, select + (Add) from the Actions menu, and then click Dynamic Distribution Group. In the New Dynamic Distribution Group window, provide the information required for the new group, including the organizational unit in which the object will be created, the display name, and the Exchange alias of the group. Located near the bottom of the window are the filter settings for defining the types of recipients to include in the membership list and the list of conditions for defining the rules for membership in the group (Figure 15.4).
Figure 15.4 Filter settings and conditions for a dynamic distribution group
The following recipient types can be included in the filter settings:
All recipient types
Users with Exchange mailboxes (mailbox-enabled users)
Mail users with external email addresses (mail-enabled users)
Resource mailboxes (room and equipment)
Mail contacts with external email addresses (mail-enabled contacts)
Mail-enabled groups
After selecting the recipient type and OU scope for the DDG, you can further refine the scope of the group membership by adding conditional rules. To add these, click the Add A Rule button and then select the appropriate filter based on the keywords of a specific attribute. For example, if you have populated a custom attribute on all recipients in Active Directory, you may consider using a filter on this attribute for membership of the DDG. The following attributes can be used to filter DDG membership with the rules in the new dynamic distribution group:
Recipient container
State or province
Company
Department
Custom attribute 1 through 15
After the DDG is created, you can use the Preview button to confirm that your scope and rules are defined properly. This button will open the Dynamic Distribution Group Preview dialog box and display the membership of the group based on the current attributes in Active Directory.
As with most actions in the Exchange Admin Center, you can also create DDGs by using the EMS. You can use the following command to create a DDG that includes all mailboxes and mail users in the Recipients OU with the State attribute of Washington.
New-DynamicDistributionGroup -Name "Everyone in Washington" `
    -IncludedRecipients "MailboxUsers,MailUsers" `
    -ConditionalStateOrProvince "Washington" `
    -OrganizationalUnit "Contoso.com/Users" `
    -Alias "EveryoneInWashington" `
    -RecipientContainer "Contoso.com/Recipients"
Managing Mail-Enabled Groups
Once a group has been mail-enabled, you can configure the properties for additional mail settings. Though the core function of a group is to facilitate the delivery of mail messages to multiple users, and its subsequent management, there are many specific group features that you can configure.
Knowing When to Use a Shared Mailbox Instead
The shared mailbox provides functionality similar to a mail-enabled group. Both of these recipient types are often used by groups of users to provide a single entry point for emails. However, there are multiple differences between shared mailboxes and mail-enabled groups. In addition to receiving email, a shared mailbox provides a shared calendar. Also, recipients have a central location for managing email content. More information about the shared mailbox is available in Chapter 14, “Managing Mailboxes and Mailbox Content.”
Let's start with Delivery Management (Figure 15.5). Available from the group's properties, Delivery Management includes two components you can configure: whether the group can receive email messages only from senders inside the organization or whether the group can receive email messages from any sender, inside and outside the organization. You can also configure the group to receive email messages only from a predefined list of senders. The sender must already exist in the global address list to include them in the predefined list of senders. For example, if you need to add a specific sender outside your organization to the list, you must create the sender as a mail contact or mail user in the organization. With many medium and large organizations, you should consider restricting who is allowed to send email messages to large mail-enabled groups or groups that contain VIPs. This will minimize senders inadvertently sending email to a large number of recipients and restrict unwanted email sent to your VIPs.
Figure 15.5 The Delivery Management window of a Distribution Group object
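
The Delivery Management settings above, together with the moderation, membership-approval, and group-type points made in this chapter, can be reviewed in bulk from the Exchange Management Shell. The following is an added example, not code from the book: Test-MailGroupExposure is a hypothetical helper name, the property names are the ones Get-DistributionGroup returns, and the sample objects are constructed so the block runs without an Exchange server.

```powershell
# Added example (not from the book). Test-MailGroupExposure is a hypothetical helper;
# the property names are those returned by Get-DistributionGroup.
function Test-MailGroupExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Group
    )
    process {
        $findings = @()
        $groupType = "$($Group.GroupType)"

        # Delivery Management: does the group accept mail from outside the organization?
        if (-not $Group.RequireSenderAuthenticationEnabled) {
            $findings += 'Accepts mail from senders outside the organization'
        }

        # Neither a predefined sender list nor moderation limits who reaches every member.
        $allowedSenders = @($Group.AcceptMessagesOnlyFromSendersOrMembers | Where-Object { $_ })
        if ($allowedSenders.Count -eq 0 -and -not $Group.ModerationEnabled) {
            $findings += 'No allowed-sender list and no moderation'
        }

        # Open membership lets any user add themselves to the group.
        if ("$($Group.MemberJoinRestriction)" -eq 'Open') {
            $findings += 'Membership is Open (no owner approval)'
        }

        # Mail-enabled security group: a membership change is also a permission change.
        if ($groupType -match 'SecurityEnabled') {
            $findings += 'Mail-enabled security group; review membership as a permission grant'
        }

        # Global or domain local scope: expansion can fail in multi-domain forests.
        if ($groupType -notmatch 'Universal') {
            $findings += 'Not universal scope; convert with Set-Group -Universal'
        }

        # Emit a result only for groups that have at least one finding.
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name     = $Group.Name
                Findings = $findings -join '; '
            }
        }
    }
}

# Constructed sample objects standing in for Get-DistributionGroup output.
$sampleGroups = @(
    [pscustomobject]@{
        Name                                   = 'All Staff'
        GroupType                              = 'Universal'
        RequireSenderAuthenticationEnabled     = $false
        AcceptMessagesOnlyFromSendersOrMembers = @()
        ModerationEnabled                      = $false
        MemberJoinRestriction                  = 'Open'
    },
    [pscustomobject]@{
        Name                                   = 'Legacy Operations'
        GroupType                              = 'Global, SecurityEnabled'
        RequireSenderAuthenticationEnabled     = $true
        AcceptMessagesOnlyFromSendersOrMembers = @('Help Desk')
        ModerationEnabled                      = $false
        MemberJoinRestriction                  = 'ApprovalRequired'
    },
    [pscustomobject]@{
        Name                                   = 'Board Announcements'
        GroupType                              = 'Universal'
        RequireSenderAuthenticationEnabled     = $true
        AcceptMessagesOnlyFromSendersOrMembers = @()
        ModerationEnabled                      = $true
        MemberJoinRestriction                  = 'Closed'
    }
)

# 'All Staff' and 'Legacy Operations' are reported; 'Board Announcements' has no findings.
$sampleGroups | Test-MailGroupExposure | Format-List

# In the Exchange Management Shell, audit the live organization instead:
# Get-DistributionGroup -ResultSize Unlimited | Test-MailGroupExposure
```
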
The Email Options properties page displays the email addresses that can be used when addressing a message to the group. You can edit the existing addresses or add new addresses by using the Exchange Management Shell.
The Reply address, commonly referred to as the ReplyTo address, will not be particularly important for a distribution group that is used primarily within your organization. However, the Reply address is very important for a distribution group used internally and externally; keep in mind that the Reply address will be the SMTP address used by people outside the organization.
One very common example is when a user inside your organization sends an email to recipients outside your organization and includes the address of a distribution group within your organization. You should be aware of the Reply address for the distribution group if recipients outside your organization reply to all the recipients of the email. Frequently, users will notify you that senders outside your organization were not able to reply to an email that includes the distribution group. You should consider whether the distribution group should be enabled to receive email from senders outside your organization or the users inside your organization should be educated on when to include the distribution group as a recipient on email messages.
Other settings that you can configure from the General properties of a distribution group include the option to Hide This Group From Address Lists. Unchecked by default, this setting allows you to prevent a mail-enabled group from being displayed in the address lists. This option may be useful for specialized groups that are used only for mail distribution by an automated system or for users who only send emails to the SMTP address.
Browsing through the other group options, you'll quickly realize that some settings are not available from the Exchange Admin Center. Some settings, such as the Message Size restrictions, must be set from the Exchange Management Shell. Message Size restrictions can help prevent misuse of distribution groups or the accidental distribution of large files. With the Set-DistributionGroup cmdlet, you can use either the MaxReceiveSize parameter to prevent large messages from landing in the mailbox of each recipient in the group or the MaxSendSize parameter to prevent the group from being used as the sender of large messages.
Another setting that is not available from the Exchange Admin Center and requires using EMS is the Expansion Server setting, which is used via the Set-DistributionGroup cmdlet. Message expansion is the process of enumerating the members of a mail-enabled group and determining where each member is, either within your organization or externally. As you can imagine, expansion of large mail-enabled groups can be a pretty intensive process for an Exchange server as well as the Active Directory global catalog server that the Exchange server is using.
By default, the Expansion server is set to any server in the organization. This means the first Exchange Server Mailbox server that receives the message is responsible for expanding the membership of the mail-enabled group. In some environments, you may prefer to configure which Exchange server expands the mail-enabled group, especially environments where multiple versions of Exchange Server will be responsible for mail delivery or environments where the Exchange servers have different hardware specifications.
If you need to configure a preferred expansion server, you should choose the appropriate Exchange server based on the following recommendations:
Is running the latest version of Exchange Server
Has a reliable and rapid connection to domain controllers
Has enough resources available to manage the additional demand for group expansion
Some organizations choose to identify a dedicated expansion server for all distribution groups to facilitate the troubleshooting process and provide clear process flow should mail delivery problems arise.
Managing Moderation for Distribution Groups
With some distribution groups, your organization may require a second set of eyes on a message before it's delivered to the group members. You can enable this moderation process, also referred to as message approval, on a distribution group and define one or more moderators, as well as exceptions to the moderation process. Figure 15.6 displays the message approval configuration options on the Message Approval page. A group owner or an administrator who has been assigned the necessary RBAC role can also enable groups for moderation and add multiple moderators from the Exchange Control Panel.
Figure 15.6 Configuration options for moderated groups
By default, moderation is disabled on all groups. To enable the feature, you will need to configure one or more moderators for the group. When an email message is sent to the moderated group, the moderator receives an email with a request to approve or reject the message. The text of the message includes buttons to approve or reject the message, and the attachment includes the original message to review. Messages are not delivered to the members of the group until a moderator of the group has approved the message. While you can define multiple moderators, you can assign only users, not groups, as moderators.
An administrator can also exempt messages from specific senders from the moderation process. Users listed in the Senders Who Don't Require Message Approval list are able to send email messages to the group without being moderated.
Near the bottom of the Message Approval page, you can choose how senders are notified when messages aren't approved. The Select Moderation Notifications settings determine whether senders of unapproved messages are notified or the messages are silently dropped. If you choose to notify senders of unapproved messages, you can choose to notify only internal senders or all (internal and external) senders.
You should be aware that moderation is not limited to groups; an administrator can also enable moderation for email messages sent to mailboxes or mail contacts. In addition, you can create a mail flow rule as an alternative moderation method. With the mail flow rule, you can require approval for messages that match specific criteria or that are sent to a specific person. You can also enable exceptions to the moderation process in the mail flow rule.
Converting Global or Local Distribution Groups to Universal Groups
In earlier versions of Exchange Server, groups created as global or domain local may experience problems with group expansion. If the Exchange server that expanded the group was using a domain controller from a domain that did not contain the membership list for a domain local or global group, the distribution group would not be expanded and the message would not be delivered to the intended recipients. Even more problematic, the sender may not receive a notification that the message was not delivered.
For this reason, Microsoft now requires that all mail-enabled groups created in Exchange are universal groups. If you create a domain local or global group using Active Directory Users and Computers and then attempt to mail-enable the group using the EMS, the group will not appear in the list of available groups.
For organizations that were upgraded or transitioned from an earlier version of Exchange to Exchange Server 2016, you may find that some mail-enabled groups are not universal groups. Fortunately, you can manage these groups using either the Exchange Admin Center or the Exchange Management Shell.
You can modify an existing group to a universal group using Active Directory Users and Computers. On the General properties page of the mail-enabled group, as shown in Figure 15.7, select the Universal radio button and click OK to update the group.
Figure 15.7 Converting a group to a universal group using Active Directory Users and Computers
You can also use the Set-Group command to modify an existing group to a universal group:
Set-Group "Operations Group" -Universal
For multiple groups, you can use the Get-DistributionGroup cmdlet, with the Where-Object filter, in the following command to identify all of the mail-enabled groups that are not universal groups:
Get-DistributionGroup | Where {$_.RecipientType -eq "MailNonUniversalGroup"}
Name               DisplayName        GroupType          PrimarySmtpAddress
----               -----------        ---------          ------------------
Operations Group   Operations Group   Global, Security…  [email protected]…
Executives and…    Executives and…    Global, Security…  ExecutivesandVIP…
Field Research G…  Field Research G…  Global, Security…  FieldResearchGro…
Failure Analysis…  Failure Analysis…  Global             FailureAnalysisT…
This results in a list of all mail-enabled groups that are not universal groups. You can use the following command to update all of the groups to universal groups by piping the list above to the Set-Group cmdlet:
Get-DistributionGroup | Where {$_.RecipientType -eq "MailNonUniversalGroup"} | Set-Group -Universal
As you may discover, this command changes only the scope; it does not change the group type (security group or distribution group).
Managing Groups Using the Exchange Management Shell
To assist with daily administrative tasks of group management, here is a summary review of the cmdlets that are available for managing and manipulating mail-enabled groups. Table 15.1 lists the EMS cmdlets you can use to manage groups and mail-enabled groups.

Table 15.1 EMS and PowerShell Cmdlets for Group Management

| Cmdlet | Function |
| --- | --- |
| Get-Group | Retrieves information about all Active Directory groups. |
| Set-Group | Sets information about an Active Directory group; this will work for any Active Directory group, not just mail-enabled ones. |
| Get-DistributionGroup | Retrieves information related to mail-enabled groups. |
| Set-DistributionGroup | Sets properties of mail-enabled groups. |
| New-DistributionGroup | Creates a new group in Active Directory and mail-enables that group. |
| Enable-DistributionGroup | Mail-enables an existing group that was previously created in Active Directory. |
| Disable-DistributionGroup | Removes mail attributes from a mail-enabled group but does not remove the group from Active Directory. |
| Remove-DistributionGroup | Deletes the mail attributes of a mail-enabled group and removes the group from Active Directory. |
| Get-DistributionGroupMember | Retrieves membership list information from a mail-enabled group. |
| Add-DistributionGroupMember | Adds members to a mail-enabled group. |
| Remove-DistributionGroupMember | Removes members from a mail-enabled group. |
| Get-DynamicDistributionGroup | Retrieves information about a dynamic distribution group. |
| Set-DynamicDistributionGroup | Sets properties for dynamic distribution groups. |
| New-DynamicDistributionGroup | Creates a new dynamic distribution group. |
| Remove-DynamicDistributionGroup | Removes mail properties from a dynamic distribution group and deletes the group from Active Directory. |

For our purposes in this chapter, we'll focus on only a few of the cmdlets listed in Table 15.1 and some common properties that can be used with them. The best method to illustrate how these cmdlets function is with some real-world examples.
In our first scenario, you have a universal group in the Corporate OU in Active Directory called Finance. You want to configure this group as a distribution group. Because the group already exists in Active Directory, you will want to use the Enable-DistributionGroup cmdlet. You can use the following command to assign the group an Exchange Server alias and a display name:
Enable-DistributionGroup -Identity Finance -DisplayName Finance -Alias Finance
If the group does not exist in Active Directory and you want to create the group and mail-enable it, you will want to use the New-DistributionGroup cmdlet. You can use the following command to create the Finance group in the Corporate OU:
New-DistributionGroup -Name Finance -Type Distribution `
    -OrganizationalUnit "contoso.com/Corporate" `
    -SamAccountName Finance -DisplayName Finance `
    -Alias Finance
You may have observed that additional parameters were used in this example compared with the previous. This is because the OrganizationalUnit parameter is required for new groups and the SamAccountName parameter is required for mail-enabled security groups.
To add members to a group, you will want to use the Add-DistributionGroupMember cmdlet. For example, you can use the following command to add Marie Jewel to the Finance group:
Add-DistributionGroupMember -Identity Finance -Member "Marie.Jewel"
Conversely, you can use the Remove-DistributionGroupMember cmdlet to remove members from a group.
To enumerate the members of a group, you will want to use the Get-DistributionGroupMember cmdlet. For example, you can use the following command to retrieve a list of the members in the Finance group:
Get-DistributionGroupMember -Identity Finance
Name         RecipientType
----         -------------
Marie Jewel  UserMailbox
You will want to use the Set-DistributionGroup cmdlet to modify the properties of a distribution group. For example, you can use the following command to enable moderation for a group and then configure the moderators, along with the exceptions and the notification settings:
Set-DistributionGroup -Identity Finance -ModerationEnabled $true `
    -ModeratedBy "[email protected]","[email protected]" `
    -ByPassModerationFromSendersOrMembers "Administrators" `
    -SendModerationNotifications Internal
Table 15.2 lists some of the common properties that you can define for a mail-enabled group.

Table 15.2 Common Mail-Enabled Group Properties

| Property | Function |
| --- | --- |
| Alias | Sets the Exchange Server alias for the group. By default, the alias is used when SMTP addresses are generated. |
| CustomAttribute1 through CustomAttribute15 | Sets 1 of the 15 custom attributes (aka extension attributes). |
| DisplayName | Sets the display name of the mail-enabled group; the display name is what is visible in address lists. |
| HiddenFromAddressListsEnabled | Sets whether the group will be displayed in address lists. The default is that the objects are visible. You can set this to $True and the group will be hidden from the address lists. |
| MaxReceiveSize | Sets the maximum size of a message that can be sent to the group. |
| ModerationEnabled | Enables or disables moderation for a group. |

You can use the Get-DistributionGroup cmdlet to view the properties of a group, or use the Set-DistributionGroup cmdlet to modify the properties of a group.
Finally, if you no longer need a group, you can use the Remove-DistributionGroup cmdlet to delete a group, which includes the group object in Active Directory. Alternatively, you can use the Disable-DistributionGroup cmdlet to disable a group, which removes the mail attributes from the group but leaves the group object in Active Directory.
In addition to distribution groups, you can create and manage dynamic distribution groups, in the same way, using the EMS. For example, you can use the following command to create a dynamic group in the Research OU that includes only mailbox-enabled users with the name of AllResearch:
New-DynamicDistributionGroup -Name "AllResearch" `
    -IncludedRecipients 'MailboxUsers' `
    -ConditionalDepartment 'Research' `
    -OrganizationalUnit 'contoso.com/Research' `
    -Alias 'AllResearch' `
    -RecipientContainer 'contoso.com/Corporate'
After provisioning the dynamic group, you can use the following command to configure the maximum receive size of the group to 750 KB:
Set-DynamicDistributionGroup -Identity "AllResearch" -MaxReceiveSize 750KB
Allowing End Users to Manage Group Membership
As your organization expands, you may consider delegating the management of distribution groups to your users. With the appropriate permissions, users can manage the membership of distribution groups in the global address list of Outlook. Figure 15.8 shows the Outlook interface that allows you to manage the membership of a distribution group.
Figure 15.8 Managing group membership from within Outlook
Note that only mail-enabled groups can have their membership managed by an Outlook client. This feature is not available for dynamic distribution groups.
Within the properties of a distribution group is the owner or manager of the group. In earlier versions of Exchange Server, you only needed to define a user as the owner for them to manage the membership of a group. However, in Exchange Server 2016, the ability to manage a distribution group membership is delegated through management roles. As a result, not only do you need to configure the distribution group owner, but you also need to assign the appropriate role assignment policy to the owner. The necessary role assignment policy should contain the MyDistributionGroups and MyDistributionGroupMembership roles to manage the membership of a distribution group. (Management roles and role-based access control are covered in more detail in Chapter 12, “Management Permissions and Role-Based Access Control.”)
In addition to Outlook, users can manage the membership of distribution groups using the control panel in Outlook on the web. Once a user is delegated the appropriate permissions, users can create new distribution groups and manage existing distribution groups, including group membership. Figure 15.9 shows how a user can modify the membership of an existing distribution group.
Figure 15.9 Managing group membership from within the control panel
Other options for managing the membership of distribution groups are the Exchange Admin Center or the Exchange Management Shell. These options are more commonly used by administrators, but end users can leverage the same tools after they are delegated the necessary permissions. With the Exchange Admin Center, you can locate the group in the Groups list and modify the members in the Membership properties of the group. With the Exchange Management Shell, you can use the Add-DistributionGroupMember and Remove-DistributionGroupMember cmdlets to modify the members of the distribution group. For example, you can use the following command to add four users to the distribution group Executives:
"[email protected]","[email protected]","[email protected]","[email protected]" |
    ForEach-Object { Add-DistributionGroupMember -Identity Executives -Member $_ }
Creating and Managing Mail Contacts and Mail Users
If your company's users frequently correspond with other organizations, you may consider publishing the email addresses from other organizations as mail contacts in the Exchange Server address lists. This would provide accessibility of the mail contacts to all of your users, rather than requiring users to maintain them in their personal contacts. Although mail contacts appear in your organization's address lists, they direct email messages to mail systems outside of your organization.
Although you can create a contact object in Active Directory using the Active Directory Users and Computers snap-in, it will not be mail-enabled and, therefore, will not appear in the Exchange Server address lists. In earlier versions of Exchange Server, you could mail-enable a contact using the snap-in. However, in Exchange Server 2016, the process of mail-enabling a contact may require a second step when using the snap-in, as described later in the section “Managing Mail Contacts and Mail Users Using the EMS.”
When using the Active Directory Users and Computers snap-in, you can create a contact object in Active Directory with minimal information; simply specify the contact's name information. Figure 15.10 illustrates the options when creating contact objects using the Active Directory Users and Computers snap-in.
Figure 15.10 Creating a new contact object using Active Directory Users and Computers
After you create a contact, you may notice the E-mail property of the contact in Active Directory Users and Computers (shown in Figure 15.11). However, Exchange Server does not use only this property to mail-enable a contact; additional mail attributes are required for a mail contact.
Figure 15.11 Contact information in Active Directory Users and Computers
To properly mail-enable a contact for use with Exchange Server, you must use the Exchange Admin Center or the Exchange Management Shell.
Making Things Easy for Your Users
We worked with a company that had a large number of external suppliers—contacts—that were often used in communications by internal users. Users often shared this contact information with one another by forwarding emails and using old-fashioned pen and paper. That solution was inefficient and error prone.
Using the company's billing system, we were able to locate the list of suppliers in an existing electronic format, within a SQL Server database. The next step was to export the database using SQL tools. We decided to use a SQL Server database export command to export to a comma-separated value (CSV) file.
With the CSV file, we were able to use the Active Directory export/import tool, CSVDE.exe, to create contact objects for all the suppliers. The next step was to mail-enable the contacts. Once we completed this task, the contact information for all the suppliers was available to the users in the global address list. In retrospect, we could have used one Exchange Management Shell cmdlet to create the mail contact, instead of the two steps.
Keep in mind that when a user copies a contact to their personal contacts, the contact then becomes a local object; any updates that may occur in Active Directory will not be downloaded to the local object.
Managing Mail Contacts and Mail Users Using the EAC
You can use the Exchange Admin Center and the Exchange Management Shell to create and manage a mail contact. From within the Exchange Admin Center, navigate to the Recipients work area of the Exchange Admin Center, and select Contacts. Displayed on the page will be a list of all mail contacts and mail users in the organization. Although the page is labeled Contacts, this is the location from which you can view and manage all mail contacts and mail users.
As described earlier in Chapter 13, the mail contact is an object that appears in Active Directory and the Exchange Server address lists, but it is not a security principal. You cannot add the mail contact to a security group nor assign it permissions because it does not have a security identifier. This type of contact is useful when you need to make an external email address available from your address lists and the contact does not require permissions in your organization.
The mail user is a user account in your organization but not one for which you host a mailbox. For example, you might need to create a user account for an external auditor who will be working from one of your workstations. Your accountants may need to correspond with the auditor and prefer that the auditor is available from the Exchange Server address lists, but the auditor's mailbox is hosted outside of your organization.
You may be wondering what the difference is between a mail-enabled user, or mail user, and a mailbox-enabled user, or user mailbox. The answer is that you are not responsible for a mail user's email storage, but you are responsible for a user mailbox's email storage.
These recipient types are covered in more detail in Chapter 13, but here is a short list describing the three principal recipients in Exchange Server 2016 and how they differ:
User mailbox
  User exists inside your organization.
  Mailbox exists inside your organization.
  Recipient appears in your address lists by default or can be hidden.
Mail user
  User exists inside your organization.
  Mailbox exists outside your organization.
  Recipient appears in your address lists by default or can be hidden.
Mail contact
  User exists outside your organization.
  Mailbox exists outside your organization.
  Recipient appears in your address lists by default or can be hidden.
To create a mail contact in the Exchange Admin Center, navigate to the Recipients work area, select Contacts, click the + (Add) icon from the Action menu, and then select Mail Contact. The New Mail Contact window allows you to specify basic information about the contact you want to create, as shown in Figure 15.12.
Figure 15.12 Creating a mail-enabled contact
Alternatively, you can use the Exchange Management Shell to manage your contacts. For example, you can use the following command to mail-enable a contact for an external user named Marie Jewel:
Enable-MailContact -Identity "contoso.com/Users/Marie Jewel" `
    -ExternalEmailAddress "SMTP:[email protected]" -Alias mJewel
Creating a mail user in the Exchange Admin Center is similar to creating a mail contact. Navigate to the Recipients work area, select Contacts, click the + (Add) icon from the Action menu, and then select Mail User. In addition to the basic information when creating a mail contact, the New Mail User window allows you to specify information about the user account, including the logon name and password.
Alternatively, with the Exchange Management Shell, you can use the following command to create a new mail user:
$password = Read-Host "Enter password" -AsSecureString
New-MailUser -Name "Marie Jewel" -Alias mJewel `
    -OrganizationalUnit "contoso.com/Users" `
    -UserPrincipalName "[email protected]" `
    -SamAccountName mJewel -FirstName Marie -LastName Jewel `
    -Password $password -ResetPasswordOnNextLogon $false `
    -ExternalEmailAddress 'SMTP:[email protected]'
Most properties of a mail contact or a mail user are similar to those you have seen in previous chapters for mailboxes. In fact, one of the benefits is that you can add a mail contact or a mail user as a member of a distribution group.
ManagingMailContactsandMailUsersUsingtheEMS
Withmediumandlargeorganizations,youshouldconsiderusingtheEMSformostof
yourExchangeServermanagementtasks.Table15.3showsthecmdletsthatcanbe
usedtomanipulatemailcontactsandmailusers.
Table 15.3 Exchange Management Shell Cmdlets for Mail Contacts and Mail Users
Cmdlet: Description
New-MailContact: Creates a new contact in Active Directory and mail-enables that contact
Enable-MailContact: Mail-enables a previously existing contact
Set-MailContact: Sets mail properties for a mail-enabled contact
Get-MailContact: Retrieves properties of a mail-enabled contact
Remove-MailContact: Removes the mail properties from a contact and deletes that contact from Active Directory
Disable-MailContact: Removes the mail properties from a contact
New-MailUser: Creates a new user in Active Directory and mail-enables that user
Enable-MailUser: Mail-enables a previously existing user
Set-MailUser: Sets mail properties for a mail-enabled user
Get-MailUser: Retrieves properties of a mail-enabled user
Remove-MailUser: Removes the mail properties from a user and deletes that user from Active Directory
Disable-MailUser: Removes the mail properties from a user
Here are a few scenarios to demonstrate some of these cmdlets. For example, David
Pike is a contractor who occasionally works for your company. While onsite, he uses a
network application hosted from one of your servers. His manager has requested that
all of the users should readily have access to his external email address,
[email protected]ve
Directory, you need to use the following command to mail-enable his user account:
Enable-MailUser "David Pike" -Alias "David.Pike" `
    -ExternalEmailAddress "SMTP:[email protected]"
In a different scenario, Cheyenne Pike is a new contractor who will occasionally work
for your company and won't require access to any network applications. The manager
of the contractor has requested that all of the users should readily have access to her
external email address, [email protected]'t
request access to Active Directory, you need to use the following command to create a
new mail contact:
New-MailContact `
    -ExternalEmailAddress "SMTP:[email protected]" `
    -Name "Cheyenne Pike" -Alias "Cheyenne.Pike" `
    -OrganizationalUnit "Contoso.com/Users" `
    -FirstName "Cheyenne" -LastName "Pike"
When configuring the properties of a mail contact or a mail user, you should keep in
mind some of their more useful properties. Table 15.4 shows some of the common
properties that these two object types share.
Table 15.4 Useful Properties of Mail Contact and Mail User Objects
Property: Description
Alias: Sets the object's Exchange Server alias.
CustomAttribute1 through CustomAttribute10: Sets custom attributes 1 through 10; these are also known as the extension attributes.
DisplayName: Sets the display name of the object.
ExternalEmailAddress: Sets the address that is to be used to deliver mail externally to the user or contact.
HiddenFromAddressListsEnabled: Specifies whether the object is hidden from address lists. The default is $False, but it can be set to $True.
MaxSendSize: Sets the maximum size of a message that can be sent to this recipient.
The Bottom Line
Create and mail-enable contact objects. In some cases, you should not create
a mail user but instead choose an object with fewer privileges—a mail contact. Mail
contacts can be used to provide easy access to external email contacts by using
your internal address lists. Mail users can be used to provide convenient access to
internal resources for workers who require an externally hosted email account.
Master It: You periodically update the email addresses for your Active
Directory contacts. However, some users report that they are not seeing the
updated contact address in the address list and that they receive nondelivery
reports (NDRs) when sending email to some contacts. What should you do?
Manage mail-enabled contacts and mail-enabled users in a messaging
environment. All Exchange Server–related attributes for mail users and mail
contacts are unavailable from Active Directory Users and Computers. To manage
all Exchange Server–related attributes, you must use the Exchange Admin Center
or the EMS tools.
Master It: Whether you want to manage users in bulk, need to create multiple
users in your domain or multiple mail contacts in your organization, or simply
want to change the delivery restrictions for 5,000 recipients, which tool should
you use?
Choose the appropriate type and scope of mail-enabled groups. Although
you can modify your group scope or group type at any time after the group has
been created, it's always a best practice to create all groups as universal groups in
an environment that hosts Exchange servers.
Master It: Your company needs to ensure that if an administrator adds a user
to a distribution list, that user will not get any unnecessary access to resources
on the network. How should you ensure that this type of administrative
mistake does not impact the security of your networking environment?
Create and manage mail-enabled groups. Creating and managing
distribution groups can mostly be done from the Exchange Admin Center, with
only limited options that require the Exchange Management Shell.
Master It: You want to simplify the management of groups in your
organization. You recently reviewed the functionalities of dynamic distribution
groups and decided that this technology can provide the desired results. You
need to identify the tools that should be used to manage dynamic distribution
groups. What tools should you choose?
Explore the moderation features of Exchange Server 2016. Moderation
and moderated groups are one of the self-service features of Exchange Server 2016
that allow a user to review messages sent to an email address on your server.
Master It: You need to enable moderation of email messages sent to particular
recipients in your organization. You recently reviewed the multiple methods to
enable moderation of distribution groups and other recipients in Exchange
Server 2016. Which moderation method should you use based on each option's
advantages and limitations?
Chapter 16
Managing Resource Mailboxes
Resource mailboxes play an important role in the scheduling of various tools and
facilities—conference rooms, projectors, laptop computers, smart boards, company
vehicles, and any other sort of location or tool that is in demand but may have limited
availability. To that end, it's important to maintain a calendar for these resources, as
well as define who can schedule access. Exchange Server 2016, Outlook on the web,
and Microsoft Outlook allow you to view the availability of resources and schedule
them easily.
In some respects, managing resource mailboxes is the same as managing user or
shared mailboxes. However, there are some features and settings that are unique to
resource mailboxes and enhance their functionality.
IN THIS CHAPTER, YOU WILL LEARN TO:
    Understand how resource mailboxes differ from other types of mailboxes
    Create resource mailboxes
    Configure resource scheduling policies
    Convert resource mailboxes
The Unique Nature of Resource Mailboxes
As mentioned in Chapter 13, “Basics of Recipient Management,” there are multiple
types of mailboxes. Some of these types include user mailbox, room mailbox,
equipment mailbox, linked mailbox, shared mailbox, and site mailbox. We covered
user and linked mailboxes in Chapter 14, “Managing Mailboxes and Mailbox Content.”
In this chapter, we'll focus on room mailboxes and equipment mailboxes.
Room Mailbox: A room mailbox is a resource mailbox assigned to a physical
location, such as a conference room, a training room, or an auditorium. Meeting
organizers can reserve conference rooms by including room mailboxes in meeting
requests as resources.
Equipment Mailbox: An equipment mailbox is a resource mailbox assigned to a
resource that is not location specific, such as a projector, a portable computer,
specialty A/V equipment, or a company car. Like room mailboxes, equipment
mailboxes can be included in meeting requests as resources.
Like all mailbox types, resource mailboxes have an associated user account in Active
Directory. However, there should never be a need to log in to Active Directory with the
user account. For this reason, the corresponding user account of a resource mailbox is
disabled in Active Directory.
In contrast, the icons associated with resource mailboxes in the global address list are
different than the icons associated with user mailboxes and mail-enabled groups.
Further, additional attributes are included on resource mailboxes that allow them to
be utilized as resources. Outside of these differences, resource mailboxes are the same
as user mailboxes and their corresponding user accounts in Active Directory.
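Because the account behind a resource mailbox is expected to stay disabled, an enabled one is worth finding and reviewing. The following audit is an added example, not code from the book; it assumes the Exchange Management Shell and the ActiveDirectory module are both loaded, and Get-EnabledResourceAccount is a hypothetical function name.

```powershell
# Added example: list room and equipment mailboxes whose AD account is enabled.
# Assumes Exchange Management Shell plus the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-EnabledResourceAccount {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $resources = Get-Mailbox -RecipientTypeDetails RoomMailbox, EquipmentMailbox `
        -ResultSize Unlimited

    foreach ($mbx in $resources) {
        try {
            # Look up by distinguished name so the match is unambiguous in a
            # multi-domain forest.
            $adUser = Get-ADUser -Identity $mbx.DistinguishedName `
                -Properties LastLogonDate, PasswordLastSet -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not resolve AD account for '$($mbx.Name)': $($_.Exception.Message)"
            continue
        }

        # A resource account should be disabled; report only the exceptions.
        if ($adUser.Enabled) {
            [pscustomobject]@{
                Mailbox         = $mbx.Name
                Type            = $mbx.RecipientTypeDetails
                SamAccountName  = $adUser.SamAccountName
                LastLogonDate   = $adUser.LastLogonDate     # empty if never used
                PasswordLastSet = $adUser.PasswordLastSet
            }
        }
    }
}

Get-EnabledResourceAccount | Sort-Object Mailbox | Format-Table -AutoSize
```

A row with a recent LastLogonDate means someone is signing in as the room or the equipment, which is the situation the disabled state is meant to prevent.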
Exchange 2016 Resource Mailbox Features
Resource mailboxes are very useful for reserving or booking resources, such as
conference rooms or equipment, such as projectors. In Exchange Server 2016,
resource mailboxes for conference rooms allow you to accept or decline meeting
requests sent from meeting organizers. The properties of a room mailbox can include
information about the seating capacity as well as information about permanent items
in the room, such as whiteboards and video teleconferencing tools. Likewise, the
properties of resource mailboxes for equipment can provide descriptions about those
resources, such as the make and model for a laptop computer or a company car.
Various clients, including Microsoft Outlook, Outlook on the web, and mobile clients,
schedule resource mailboxes using the Calendar and Availability services, the same
way attendees are invited to meeting requests.
Multiple customizations for booking are available with resource mailboxes. You can
enable a booking policy to accept or decline meeting requests automatically. Based on
the policy criteria you configure, valid meeting requests automatically reserve the
room. In contrast, you can configure policy criteria to automatically decline meeting
requests if there's a scheduling conflict with an existing reservation or if the booking
request violates the scheduling limits of the resource.
With a booking policy, you can enforce rules to define the maximum time a resource
can be reserved, who can reserve it, and what actions to perform on some of the
information within meeting requests. For example, you can restrict meeting requests
to business hours only or allow meeting requests only from meeting organizers in
your organization. With a policy, you can also ensure that attachments are
automatically removed from meeting requests sent to the resource mailbox or that
non-calendar messages are deleted automatically.
For organizations with less standardization of meeting requests, you can enable
delegation of resource mailboxes. Delegation allows you to configure resource
delegates who are responsible for accepting or declining meeting requests sent to the
resource mailbox. Even with delegation enabled, you can configure a list of meeting
organizers who are allowed to reserve the resource outside of the defined policies.
Creating Resource Mailboxes
You will discover that creating resource mailboxes is very similar to creating other
types of mailboxes. Using the same tools, the Exchange Administration Center (EAC)
or the Exchange Management Shell (EMS), you can provision a resource mailbox by
including a parameter to define the mailbox as a resource mailbox.
Creating and Configuring Resource Mailboxes
Let's begin by creating a resource mailbox for the conference room Conference Room
South. Within the EAC, navigate to Recipients from the Feature pane, select the
Resources tab, click + (Add) from the Actions menu, and then select Room Mailbox.
In the New Room Mailbox Wizard (shown in Figure 16.1), fill in the appropriate
information.
Figure 16.1 Defining general information for a conference room mailbox
If an organizational unit (OU) is not defined when a resource mailbox is provisioned,
the corresponding user account will be placed in the Users container in Active
Directory. Alternatively, you can click the Browse button next to Organizational Unit
in the New Room Mailbox Wizard to define the appropriate OU to locate the
corresponding user account.
The remaining mailbox settings in the wizard are the same as for other types of
mailboxes. When you create a resource mailbox in the EAC, the corresponding user
account is also created in Active Directory as a disabled account.
Within the EMS, you will use the New-Mailbox cmdlet with the Room parameter to
create a conference room resource mailbox. For example, you can use the following to
create the conference room Conference Room South:
New-Mailbox -Name 'Conference Room South' -Room `
    -OrganizationalUnit "contoso.com/Resource Mailboxes" `
    -DisplayName "Conference Room South"
In Exchange Server 2016, you may notice properties that are unique to resource
mailboxes. Some of these properties include RecipientTypeDetails, ResourceType,
ResourceCapacity, IsResource, and ResourceCustom. For example, you can use the
Get-Mailbox cmdlet to display information about a resource mailbox, such as in the
following code (some properties have been removed to save space):
Get-Mailbox "Conference Room South" | FL Name,*recipient*,*resource*
Name                 : Conference Room South
RecipientType        : UserMailbox
RecipientTypeDetails : RoomMailbox
IsResource           : True
ResourceCapacity     :
ResourceCustom       : {}
ResourceType         : Room
Table 16.1 provides details about these attributes for resource mailboxes.
Table 16.1 Recipient-Related Attributes for Resource Mailboxes
Attribute: Value/Purpose
RecipientType: Always set to UserMailbox, regardless of whether the mailbox is a user mailbox or resource mailbox
RecipientTypeDetails: Set to either RoomMailbox or EquipmentMailbox
IsResource: For indicating whether the mailbox is a resource mailbox
ResourceCapacity: For defining room capacity to assist when planning the number of attendees
ResourceCustom: For defining additional properties of a resource mailbox
ResourceType: Set to either Room or Equipment
Exchange Server will use the information in these attributes for specific handling of
meeting requests and providing information for meeting organizers. For example,
Exchange will display conference room resource mailboxes in the exclusive address
list All Rooms (as shown in Figure 16.2).
Figure 16.2 Viewing room resources in the Address Book using Outlook
As you can imagine, this provides a simplified view of conference rooms to meeting
organizers without the clutter of the entire global address list.
Configuring Advanced Resource Mailbox Features
With Exchange Server 2016, you can specify additional attributes of the resource
mailbox to aid meeting organizers when scheduling meetings: the ResourceCapacity
and ResourceCustom attributes. The ResourceCapacity attribute allows you to define the
maximum capacity of a conference room, as shown in Figure 16.2, which can certainly
help meeting organizers when planning the number of attendees.
To define the ResourceCapacity of a resource mailbox using the EAC, select the
resource mailbox from the Resources tab, and then click the pencil icon (Edit) from
the Actions menu. On the General tab, type the appropriate number in the Capacity
box, as shown in Figure 16.3.
Figure 16.3 Entering the room capacity for a resource mailbox
The resource capacity of a resource mailbox can also be defined within the EMS. You
can use the Set-Mailbox cmdlet in the following command to define the room capacity
of Conference Room North:
Set-Mailbox "Conference Room North" -ResourceCapacity 15
In most scenarios, meeting organizers need more information than room capacity
when planning a meeting; information about equipment in the conference room can
also be helpful. In most organizations, each conference room is equipped with
different equipment. Some rooms may have a TV, while other rooms provide a
projector. Likewise, conference rooms may have different teleconferencing systems
and audio/video equipment. For this reason, Exchange provides the custom resource
properties.
Custom resource properties can help users select the most appropriate conference
room or equipment by providing additional information about the resource. For
example, you can create a custom property for room mailboxes called Audio/Video
Teleconferencing. After you create this resource property, you can add the property to
all conference rooms with audio and video teleconferencing equipment. When
scheduling a meeting, organizers can identify which conference rooms have
audio/video teleconferencing equipment.
Resource properties are stored as resource object attributes in the Active Directory
schema. Before you can add the resource properties to resource mailboxes, you need
to create the necessary attributes using the Set-ResourceConfig cmdlet. Unfortunately,
using the Set-ResourceConfig cmdlet overwrites all existing attributes in the schema;
the cmdlet doesn't add a new entry to the list. As a result, you should use the
Get-ResourceConfig cmdlet to query the existing entries in the schema and then append
them to the list. For example, you can use the following command to retrieve the
existing list of attributes (the default configuration does not include entries):
Get-ResourceConfig | FL Name,ResourcePropertySchema
Name                   : Resource Schema
ResourcePropertySchema : {}
With no existing entries in the list, you can use the following command to add the
resource properties Audio Video Equipment, or AV, and Teleconferencing Equipment, or
TeleConf, to the list in Active Directory (entries must begin with either Room/ or
Equipment/ to indicate the resource mailbox type with which they associate):
Set-ResourceConfig -ResourcePropertySchema ("Room/AV","Room/TeleConf")
The process to add entries to the list of resource attributes will change after the first
time you populate the list. Although you could add new entries by typing the existing
and new attributes to the list with the previous command, you should consider using
operators or methods that are native to Windows PowerShell to minimize typos.
For example, say that you want to define the additional resource properties TV,
Projector, and Speakerphone for associating to room mailboxes and the resource
properties Laptop, Van, and Car for associating to equipment mailboxes. Similar to the
previous example, you will use the Set-ResourceConfig cmdlet in the following
command to add new entries to the existing list (two options are shown here; choose
only one):
$ResourceConfig = Get-ResourceConfig
$NewEntries = "Room/TV","Room/Projector","Room/Speakerphone","Equipment/Computer","Equipment/Van","Equipment/Car"
# Option 1 using a Method (Add accepts one entry per call)
$NewEntries | ForEach-Object { [void]$ResourceConfig.ResourcePropertySchema.Add($_) }
# Option 2 using an Operator (use instead of Option 1, not in addition to it)
# $ResourceConfig.ResourcePropertySchema += $NewEntries
Set-ResourceConfig -ResourcePropertySchema $ResourceConfig.ResourcePropertySchema
In the previous example, we retrieved the current list of entries and stored them in a
variable (more specifically, an array). In both of the options, we added the entries to
the array. In the last line, we configured the resource attributes in the Active Directory
schema with the existing and new resource properties.
What if you decide that a resource property is no longer needed and you want to
remove it from the list of available properties? For example, you need to replace the
resource property Computer with Desktop. You will use similar options in the following
command to update (remove/add) entries in the existing list (two options are shown
here; choose only one):
$ResourceConfig = Get-ResourceConfig
# Option 1 using a Method
[void]$ResourceConfig.ResourcePropertySchema.Remove("Equipment/Computer")
[void]$ResourceConfig.ResourcePropertySchema.Add("Equipment/Desktop")
# Option 2 using an Operator (PowerShell has no -= for collections, so filter, then append)
# $ResourceConfig.ResourcePropertySchema = @($ResourceConfig.ResourcePropertySchema | Where-Object { $_ -ne "Equipment/Computer" })
# $ResourceConfig.ResourcePropertySchema += "Equipment/Desktop"
Set-ResourceConfig -ResourcePropertySchema $ResourceConfig.ResourcePropertySchema
As you may have noticed in the previous example, the method and operator are very
similar to the first example. Of course, it's not necessary to add a resource property to
the list after you remove a resource property from the list; these actions are
independent of one another. When you want to confirm the list of attributes after
creating them, you can use the Get-ResourceConfig cmdlet with the ResourceCustom
attribute.
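Since Set-ResourceConfig replaces the whole list, a read-merge-write wrapper keeps an administrator from wiping existing entries by accident. The function below is an added example rather than code from the book; Add-ResourcePropertySchemaEntry is a hypothetical name, and it relies only on Get-ResourceConfig and Set-ResourceConfig as used above.

```powershell
# Added example, not from the book. Add-ResourcePropertySchemaEntry is a hypothetical helper.
function Add-ResourcePropertySchemaEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Entries must begin with Room/ or Equipment/, as the text requires.
        [Parameter(Mandatory)]
        [ValidatePattern('^(Room|Equipment)/.+$')]
        [string[]] $Entry
    )

    # Read the stored list first: Set-ResourceConfig overwrites, it does not append.
    $current = @((Get-ResourceConfig).ResourcePropertySchema | ForEach-Object { "$_" })

    # Merge without duplicates (-notcontains compares strings case-insensitively).
    $merged = New-Object 'System.Collections.Generic.List[string]'
    foreach ($item in ($current + $Entry)) {
        if ($merged -notcontains $item) { $merged.Add($item) }
    }

    # Work out what is genuinely new so repeated runs change nothing.
    $added = @($merged | Where-Object { $current -notcontains $_ })
    if ($added.Count -eq 0) {
        Write-Verbose 'All requested entries already exist; schema left unchanged.'
        return $current
    }

    if ($PSCmdlet.ShouldProcess('Resource property schema', "Add $($added -join ', ')")) {
        Set-ResourceConfig -ResourcePropertySchema $merged.ToArray()
    }

    # Return what is actually stored so the caller can confirm the write.
    (Get-ResourceConfig).ResourcePropertySchema
}

# Preview the change, then apply it.
Add-ResourcePropertySchemaEntry -Entry 'Room/TV', 'Room/Projector' -WhatIf
Add-ResourcePropertySchemaEntry -Entry 'Room/TV', 'Room/Projector'
```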
After creating all of the required resource properties, you will use the Set-Mailbox
cmdlet to associate specific properties with the resource mailbox. For example, you
can use the following command to inform meeting organizers that the resource
mailbox Conference Room North has audio/video equipment, a desktop computer, and a
room capacity of 15:
Set-Mailbox "Conference Room North" -ResourceCustom ("AV","Desktop") `
    -ResourceCapacity 15
To confirm the changes, you can use the Get-Mailbox cmdlet, as shown in the
following command:
Get-Mailbox "Conference Room North" | FL Name,*resource*
Name             : Conference Room North
IsResource       : True
ResourceCapacity : 15
ResourceCustom   : {AV, Desktop}
ResourceType     : Room
Exchange Server will update the resource mailbox in the address book with this
information so Outlook may display the details for meeting organizers. For example,
Outlook displays the resource attributes for conference room resource mailboxes in
the address list as shown in Figure 16.4.
Figure 16.4 Viewing the custom attributes of room resources in the Address Book
using Outlook
Configuring Resource Scheduling Policies
In Exchange Server 2016, the processing of meeting requests is considered the most
important feature of resource mailboxes. With the appropriate policies deployed, most
of the processing should be automated, requiring minimum actions from admins and
users alike.
Among the options available, you can customize who can book resources
automatically or via a delegate, how to handle conflicting requests, and when
meetings can be scheduled and for how long. Exchange Server 2016 allows you to
manage these options using the Exchange Admin Center (EAC) and the Exchange
Management Shell (EMS).
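The booking rules described in this chapter (automatic accept or decline, no conflicts, business hours only, internal organizers only, attachments and non-calendar mail removed) can be written once as a policy and then checked for drift. This is an added example, not code from the book; the room name is the one used earlier in the chapter, the numeric limits are constructed values, and Get-BookingPolicyDrift is a hypothetical function name.

```powershell
# Added example, not from the book. Numeric limits below are constructed values.
$Room = 'Conference Room North'

# Desired booking policy, kept in one place so it can be applied and audited.
$Policy = @{
    AutomateProcessing             = 'AutoAccept'  # accept or decline without a delegate
    AllowConflicts                 = $false        # decline double bookings
    AllowRecurringMeetings         = $true
    BookingWindowInDays            = 180           # how far ahead the room can be reserved
    MaximumDurationInMinutes       = 240           # longest single reservation
    ScheduleOnlyDuringWorkHours    = $true         # business hours only
    ProcessExternalMeetingMessages = $false        # ignore organizers outside the organization
    DeleteAttachments              = $true         # strip attachments from meeting requests
    DeleteNonCalendarItems         = $true         # discard mail that is not a meeting request
}

function Get-BookingPolicyDrift {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Desired
    )

    $actual = Get-CalendarProcessing -Identity $Identity
    foreach ($name in $Desired.Keys) {
        # Compare as strings so enum and Boolean values match in local and remote sessions.
        if ("$($actual.$name)" -ne "$($Desired[$name])") {
            [pscustomobject]@{
                Identity = $Identity
                Setting  = $name
                Expected = $Desired[$name]
                Actual   = $actual.$name
            }
        }
    }
}

# Apply the policy, then confirm that nothing differs from it.
Set-CalendarProcessing -Identity $Room @Policy
$drift = @(Get-BookingPolicyDrift -Identity $Room -Desired $Policy)
if ($drift.Count -eq 0) {
    Write-Output "Booking policy on '$Room' matches the desired settings."
} else {
    $drift | Format-Table -AutoSize
}
```

Running Get-BookingPolicyDrift on a schedule against every room mailbox shows when someone has relaxed a setting such as ProcessExternalMeetingMessages or DeleteAttachments.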
Configuring Resource Scheduling Policies Using the EAC
After opening the properties of a resource mailbox in the EAC, you can use two of the
five tabs to manage the resource scheduling configuration: Delegates and Booking
Options.
Delegates: You can use this section to view or change how the conference room
mailbox handles reservation requests and to define who can accept or decline
meeting requests, if this is not done automatically. An example of the Delegates is
shown in Figure 16.5.
Booking Options: You can use this section to view or change the settings for the
booking policy that defines when the conference room can be scheduled, how long
the room can be reserved, and how far in advance the room can be reserved. You
can also define whether recurring meeting requests are allowed, enable message
replies to meeting organizers, and perform many other advanced scheduling
options. An example of the Booking Options is shown in Figure 16.6.
Figure 16.5 Delegates for a resource mailbox
Figure 16.6 Booking Options for a resource mailbox
Although some of the common resource scheduling configuration of a resource
mailbox can be managed using the EAC, most of the configuration options require
using the EMS with the Set-CalendarProcessing cmdlet. Table 16.2 provides a list of
the most commonly used resource scheduling, or booking, configuration options for
resource mailboxes. Along with a brief description, this table includes information on
whether you can configure the option in the EAC or the EMS and the corresponding
parameter name of each option.
Table 16.2 Booking Options and EMS Equivalents
EAC Parameter: (Not available in EAC)
EMS Parameter: AllowConflicts
Description: Specifies whether to allow conflicting meeting requests. If enabled, this will
allow multiple meetings to be accepted for the same date and time. The default
value is $false.
EAC Parameter: Allow repeating meetings (Booking Options)
EMS Parameter: AllowRecurringMeetings
Description: Specifies whether to allow recurring meetings. When enabled, recurring
meeting requests, such as those for every Monday at 9 a.m., are accepted.
The default value is $true.
EAC Parameter: (Not available in EAC)
EMS Parameter: AutomateProcessing
Description: Enables calendar processing on the mailbox. The default value on a
resource mailbox is AutoAccept, and the default va
EAC Parameter: Maximum booking lead time (days) (Booking Options)
EMS Parameter: BookingWindowInDays
EAC Parameter: (Not available in EAC)
EMS Parameter: ConflictPercentageAllowed
EAC Parameter: (Not available in EAC)
EMS Parameter: EnforceSchedulingHorizon
EAC Parameter: (Not available in EAC)
EMS Parameter: ForwardRequestsToDelegates
EAC Parameter: (Not available in EAC)
EMS Parameter: MaximumConflictInstances