Overview of Exchange Server 2013 SP1



Overview of
Exchange Server
2013
Service Pack 1
Scott Schnoll
Senior Content Developer
Microsoft Corporation
Turn off your mobile.
Thank you.
Milestones
RTM: 10/11/12 (15.000.516.32) - http://aka.ms/E15RTM
On-Premises GA: 12/3/12 - http://aka.ms/E15GA
Service GA: 2/27/13 - http://aka.ms/ServiceGA
CU1: 4/2/13 (15.00.0620.29) - http://aka.ms/E15RTMCU1
CU2: 7/29/13 (15.00.0712.024)* - http://aka.ms/E15RTMCU2
CU3: 11/25/13 (15.00.0775.38) - http://aka.ms/E15RTMCU3
CU4/SP1: 2/25/14 (15.00.0847.32) - http://aka.ms/E15SP1
(1 year, 4 months, 2 weeks; or 502 days since RTM)
SP1 Install Note – Custom Transport Agents
After installing SP1
The third-party or custom-developed transport agents cannot be installed correctly
You cannot enable third-party products that rely on transport agents
The Microsoft Exchange Transport service (MSExchangeTransport.exe) cannot start automatically
You receive an error message: The TransportAgentFactory type must be the Microsoft .NET class type of the transport agent factory
Problem occurs because global assembly cache (GAC) policy configuration files contain invalid XML code
Hotfix and
at http://aka.ms/KB2938053
Download script from http://aka.ms/KB2938053DL
Updatable PowerShell Help
Cmdlet Help and TechNet Help topics are the same
Updatable PowerShell Help
Problem
It’s easy to update cmdlet topics on TechNet/CHM
Not so easy to get updates to on-premises cmdlet help (had to wait for SP/CU)
Solution
Downloadable PowerShell Help (CU2 and later)
Update-ExchangeHelp downloads latest cmdlet help package and installs on local Exchange server
Significantly reduces time to get localized cmdlet updates
Returning Features in
Exchange Server 2013 SP1
Returning in Exchange Server 2013 SP1
Edge Transport Server
S/MIME in Outlook Web App
SSL Offloading
EAC Command Logging
Edge Transport Server
Enables you to use a perimeter network Exchange 2013 server to handle all Internet-facing email
Requires minimum 4GB memory
Easy to set up
Designed for minimal attack surface
No GUI / No ECP – this means IIS not used, which reduces attack surface
Edge Transport Server
Manage with PowerShell
33 Edge Transport cmdlets
Address rewriting:
Get-AddressRewriteEntry
New-AddressRewriteEntry
Remove-AddressRewriteEntry
Set-AddressRewriteEntry
Attachment filtering:
Add-AttachmentFilterEntry
Get-AttachmentFilterEntry
Remove-AttachmentFilterEntry
Get-AttachmentFilterListConfig
Set-AttachmentFilterListConfig
IP allow list:
Add-IPAllowListEntry
Get-IPAllowListEntry
Remove-IPAllowListEntry
Get-IPAllowListConfig
Set-IPAllowListConfig
Add-IPAllowListProvider
Get-IPAllowListProvider
Remove-IPAllowListProvider
Set-IPAllowListProvider
Test-IPAllowListProvider
Get-IPAllowListProvidersConfig
Set-IPAllowListProvidersConfig
IP block list:
Add-IPBlockListEntry
Get-IPBlockListEntry
Remove-IPBlockListEntry
Get-IPBlockListConfig
Set-IPBlockListConfig
Add-IPBlockListProvider
Get-IPBlockListProvider
Remove-IPBlockListProvider
Set-IPBlockListProvider
Test-IPBlockListProvider
Get-IPBlockListProvidersConfig
Set-IPBlockListProvidersConfig
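The following is an added example, not a slide from the deck, showing how several of the cmdlets above fit together to put a baseline inbound filter on a 2013 Edge Transport server. The IP range, DNS block list domain, and attachment types are constructed sample values, not recommendations from the session.

```powershell
# Added example (not from the original deck): baseline inbound hardening on an
# Edge Transport server using the cmdlets listed above. All values below are
# constructed for illustration.

# 1. Static IP block list: block one range for a week and record the reason so
#    the entry can be audited later.
Add-IPBlockListEntry -IPRange 192.0.2.0/24 `
    -ExpirationTime (Get-Date).AddDays(7) `
    -Comment "Constructed example: noisy sender range"

# Make sure the static block list is enabled for Internet-facing mail.
Set-IPBlockListConfig -Enabled $true -ExternalMailEnabled $true

# 2. DNS-based block list provider (domain is a placeholder; use your real
#    provider's lookup zone). AnyMatch treats any returned address as a hit.
Add-IPBlockListProvider -Name "Example DNSBL" `
    -LookupDomain "dnsbl.example.net" `
    -AnyMatch $true

# Exercise the provider against a single address to prove lookups resolve.
Test-IPBlockListProvider -Identity "Example DNSBL" -IPAddress 192.0.2.10

# 3. Attachment filtering: catch executables by name and by declared content
#    type, and strip the attachment while still delivering the message body.
Add-AttachmentFilterEntry -Name "*.exe" -Type FileName
Add-AttachmentFilterEntry -Name "application/x-msdownload" -Type ContentType
Set-AttachmentFilterListConfig -Action Strip `
    -AdminMessage "An attachment was removed by the perimeter attachment policy."

# 4. Review the resulting state.
Get-IPBlockListEntry | Format-Table IPRange, ExpirationTime, Comment -AutoSize
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Enabled -AutoSize
Get-AttachmentFilterEntry | Format-Table Name, Type -AutoSize
Get-AttachmentFilterListConfig | Format-List Action, AdminMessage
```

Because an Edge server has no GUI, the Get-* calls at the end are the only way to confirm the configuration; keeping a Comment on every static block entry is what makes the list reviewable months later.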
Edge Transport Server
Can work with Exchange 2010/2007 environments
Need update to use Edge 2013 Subscription File (KB2926397 for 2007; no KB for 2010)
Update Rollup 5 for Exchange 2010 SP3 – KB2917508
Update Rollup 13 for Exchange 2007 SP3 – KB2917522
Uses existing PowerShell module name
Microsoft.Exchange.Management.PowerShell.E2010
This does not mean it is re-packaged Exchange 2010 code; rather, it was easier to keep module names consistent
S/MIME in Outlook Web App
Supports multiple encryption algorithms
RC2 (supported key lengths are 40, 56, 64, and 128) – 6602
DES (56-bit) – 6601
3DES (168-bit) – 6603
AES128 – 660E
AES192 – 660F
AES256 – 6610
Supports multiple signing algorithms
CALG_SHA_512: 512-bit secure hashing algorithm (SHA)
CALG_SHA_384: 384-bit SHA
CALG_SHA_256: 256-bit SHA
SHA1: SHA
CALG_MD5: MD5 hashing algorithm
S/MIME in Outlook Web App
Supports Triple-wrapped messages
Message is signed, then encrypted, and then signed again (e.g., signed-encrypted-signed)
This is the highest form of S/MIME encryption, but it does increase message size
Configure settings using Set-SMimeConfig
Requires Organization Management role
S/MIME in Outlook Web App
Allow users the choice of signing the message
Limit the Certificate Revocation List (CRL) retrieval time-out
Specify type of encryption
Allow users the choice of signing the message, limit the CRL retrieval timeout to 10 seconds, and specify 128-bit RC2 encryption:
Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $true -OWACRLRetrievalTimeout 10000 -OWAEncryptionAlgorithms 6602:128
Allow users the choice of signing the message, and specify 3DES, RC2-128, RC2-64, DES, and RC2-56 encryption algorithms (the list must be quoted, because an unquoted semicolon ends the command in PowerShell):
Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $true -OWAEncryptionAlgorithms "6603;6602:128;6602:64;6601;6602:56"
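The following is an added example, not from the deck, that puts the slide's RC2-only setting beside a configuration preferring the AES identifiers listed earlier (6610, 660F, 660E). It assumes Set-SmimeConfig also exposes -OWASigningAlgorithms and -OWACheckCRLOnSend, and that the signing IDs use the same Windows CALG numbering as the encryption IDs (CALG_SHA_256 = 800C); those two assumptions are not stated on the slides.

```powershell
# Added example (not from the original deck): capture the current OWA S/MIME
# settings, then replace a legacy algorithm list with a modern one.
# Assumptions: -OWASigningAlgorithms and -OWACheckCRLOnSend exist on
# Set-SmimeConfig, and signing IDs use Windows CALG values (800C = SHA-256).

# Record what is in place before changing anything.
Get-SmimeConfig | Format-List OWAEncryptionAlgorithms, OWASigningAlgorithms, OWACRLRetrievalTimeout

# Weak setting from the slide: 128-bit RC2 only (kept here for comparison).
# Set-SmimeConfig -OWAEncryptionAlgorithms 6602:128

# Preferred setting: AES256 first, then AES192 and AES128 for older clients;
# sign with SHA-256 instead of SHA-1 or MD5; keep a 10-second CRL timeout and
# check revocation when sending.
Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $true `
    -OWAEncryptionAlgorithms "6610;660F;660E" `
    -OWASigningAlgorithms "800C" `
    -OWACRLRetrievalTimeout 10000 `
    -OWACheckCRLOnSend $true

# Confirm the change took effect.
Get-SmimeConfig | Format-List OWAEncryptionAlgorithms, OWASigningAlgorithms, OWACheckCRLOnSend
```

Order matters in -OWAEncryptionAlgorithms: the first identifier a recipient's certificate can support is the one OWA uses, so listing AES256 first means RC2 or DES is never chosen unless you add it to the list.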
SSL Offloading
Can be configured for multiple services:
Outlook Web App
Exchange Control Panel / Exchange Admin Center
Outlook Anywhere
Offline Address Book
Exchange ActiveSync
Exchange Web Services
Autodiscover
Mailbox Replication Service Proxy*
SSL Offloading
No need to configure SSLOffloaded registry value
Reverse SSL is recommended if you don't have a secure network between HLB and CAS
MRSProxy service runs under EWS, but it doesn't support SSL offloading
MRSProxy service expects traffic to be signed/encrypted
Must use SSL Bridging instead: load balancer or firewall must re-encrypt the traffic for MRSProxy before sending it on to the server
See http://aka.ms/E15SP1SSLOffload for full details
EAC Command Logging
EAC Command Logging
Must be open to log actions
Displays up to 500 entries
Click the clear icon to clear the log
Log is cleared when EAC is closed
Click the search icon to search the log
Select one or more items
Multi-select to see cmdlets from multiple items
New Features in
Exchange Server 2013 SP1
New Features in Exchange Server 2013 SP1
Support for Windows Server 2012 R2
Install on Windows Server 2012 R2
Use Windows Server 2012 R2 writable directory servers
Leverage Windows Server 2012 R2 DFL/FFL
MAPI over HTTP protocol
New connection option for Outlook 2013 SP1 and later
Disabled by default in Exchange 2013 SP1
Data Loss Prevention enhancements
DLP Policy Tips in Outlook Web App
DLP Document Fingerprinting
DLP Classification Rules and DLP Policies for new regions
New Features in Exchange Server 2013 SP1
IW Improvements
Rich Text Editor in Outlook Web App
Outlook Web App Offline Access for Firefox
Apps for Office available in new item compose
Hybrid Improvements
Hybrid Deployments with Multiple Active Directory Forests and Single Tenant
New process to obtain Hybrid Product Key for Hybrid server(s)
High Availability Improvements
DAGs without cluster administrative access points
Loose Truncation
New Cmdlets in Exchange Server 2013 SP1
New | Remove-SearchDocumentFormat
New | Remove | Set | Get-IntraOrganizationConnector
Get-IntraOrganizationConfiguration
Get | Set-SMimeConfig
New | Get | Set | Remove-AuthRedirect
Get | Start | Stop-HistoricalSearch
New-Fingerprint
New | Remove | Set | Get-DataClassification
MAPI over HTTP
New communication mechanism added to Exchange 2013 SP1 and Outlook 2013 SP1
Modernizes the Outlook/Exchange connection by removing dependency on RPC at transport layer
Outlook continues to use the same ROP verbs to communicate with Exchange
Outlook creates an HTTP tunnel directly to Exchange
Outlook connects to the /mapi virdir for mail and directory, not /rpc
Only mail and directory connect via /mapi
Still uses /EWS, /OAB, /AutoDiscover, etc., for Web service calls
MAPI over HTTP
Additional pre-reqs needed above and beyond Exchange requirements
.NET Framework 4.5.1 deployed on all Exchange servers with CAS role
If .NET Framework 4.5.1 cannot be installed, a hotfix for .NET Framework 4.5 is required
KB2745583 - Windows Server 2012
KB2745582 - Windows Server 2008 R2
Publishing to Internet
TMG: Add /mapi/* path to OA publishing rule
ARR: Works OOB; can also create healthcheck (/mapi/healthcheck.htm)
UAG: Doesn't work with MAPI over HTTP right now
WAP: Create new application and publish (no pre-authentication)
If you were not already publishing Outlook Anywhere you will need to run the Application Publishing wizard, with pass-through authentication for EWS, OAB and AutoDiscover
MAPI over HTTP
/m:RecoverServer does not recreate /mapi virdir
After server recovery, you must manually recreate /mapi virdir
http://support.microsoft.com/kb/2931223
Steps
1. Get properties of /mapi virdir:
   Get-MapiVirtualDirectory -Server <ServerName> -ADPropertiesOnly
2. Note the values for InternalURL, ExternalURL, and IISAuthenticationMethods
3. Remove the /mapi virdir:
   Remove-MapiVirtualDirectory -Identity "EXCH1\mapi (Default Web Site)"
4. Create a new /mapi virdir configured with properties noted in Step 2:
   New-MapiVirtualDirectory -Server <ServerName> -InternalUrl <URL> -IISAuthenticationMethods Ntlm, OAuth, Negotiate
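The four recovery steps above carried through as one script, added here as an example rather than taken from the deck or KB 2931223. The server name EXCH1 is a constructed value; the script saves the three properties from the orphaned AD object before removing it so nothing has to be retyped.

```powershell
# Added example (not from the original deck): recreate the /mapi virtual
# directory after /m:RecoverServer, preserving the settings from AD.
# $Server is a constructed sample name.
$Server = "EXCH1"

# Steps 1 and 2: read the stale object from Active Directory and keep the
# values that must survive the rebuild.
$old = Get-MapiVirtualDirectory -Server $Server -ADPropertiesOnly
if (-not $old) { throw "No /mapi virtual directory object found in AD for $Server" }
$internalUrl = $old.InternalUrl
$externalUrl = $old.ExternalUrl
$authMethods = $old.IISAuthenticationMethods

# Step 3: remove the orphaned AD object (no IIS directory exists after recovery).
Remove-MapiVirtualDirectory -Identity "$Server\mapi (Default Web Site)" -Confirm:$false

# Step 4: recreate it with the saved settings. ExternalUrl is only passed when
# one was set, since an internal-only CAS may legitimately have none.
$params = @{
    Server                   = $Server
    InternalUrl              = $internalUrl
    IISAuthenticationMethods = $authMethods
}
if ($externalUrl) { $params.ExternalUrl = $externalUrl }
New-MapiVirtualDirectory @params

# Verify the recreated directory matches what was recorded.
Get-MapiVirtualDirectory -Server $Server |
    Format-List InternalUrl, ExternalUrl, IISAuthenticationMethods
```

Compare the final Format-List output with the values noted in Step 2 before letting Outlook 2013 SP1 clients reconnect; a missing authentication method here is the usual cause of repeated credential prompts after a recovery.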
Data Loss Prevention Enhancements
DLP Policy Tips in Outlook Web App
DLP Document Fingerprinting
DLP Classification Rules and DLP PII Policies for Finland, Poland and Taiwan
Finland National ID
Poland National ID (PESEL)
Poland Identity Card
Poland Passport
Taiwan National ID
DLP Policy Tips in Outlook Web App
Available in the desktop version of Outlook Web App and the mobile version (OWA for Devices)
DLP Document Fingerprinting
Enables you to identify standard forms used in your organization, which may contain sensitive information
Document fingerprints created by uploading a blank form/template
Once created, document becomes part of sensitive information types that are used when customizing DLP policies
For example, create a fingerprint based on a blank 1040 EZ tax form, and then detect all 1040 EZ's with sensitive content
DLP Document Fingerprinting
Configure in EAC or use cmdlets
New | Get | Set | Remove-DataClassification
New-Fingerprint
DLP Document Fingerprinting
New Fingerprint
Create a new document fingerprint based on a company's patent template:
$Patent_Template = Get-Content "C:\My Documents\Contoso Patent Template.docx" -Encoding byte
$Patent_Fingerprint = New-Fingerprint -FileData $Patent_Template -Description "Contoso Patent Template"
DLP Document Fingerprinting
New Classification
$Employee_Template = Get-Content "C:\My Documents\Contoso Employee Template.docx" -Encoding byte
$Employee_Fingerprint = New-Fingerprint -FileData $Employee_Template -Description "Contoso Employee Template"
$Customer_Template = Get-Content "D:\Data\Contoso Customer Template.docx" -Encoding byte
$Customer_Fingerprint = New-Fingerprint -FileData $Customer_Template -Description "Contoso Customer Template"
New-DataClassification -Name "Contoso Employee-Customer Confidential" -Fingerprints $Employee_Fingerprint,$Customer_Fingerprint -Description "Message contains Contoso employee or customer information."
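The slides stop at creating the classification; the following added example (not from the deck) goes one step further and uses it in a transport rule, which is what "customizing DLP policies" with a fingerprint means in practice. The rule name, reject text, and the decision to start in audit mode are constructed choices; the -MessageContainsDataClassification hashtable form is the documented New-TransportRule syntax.

```powershell
# Added example (not from the original deck): use the fingerprint-backed
# "Contoso Employee-Customer Confidential" classification created above in a
# transport rule. Rule name and reject text are constructed values.

# Confirm the classification exists before referencing it by name.
Get-DataClassification -Identity "Contoso Employee-Customer Confidential" |
    Format-List Name, Description

# Block fingerprinted forms leaving the organization. Start in Audit mode so
# matches are logged without rejecting mail; switch -Mode to Enforce once the
# hit rate against real traffic has been reviewed.
New-TransportRule -Name "Fingerprinted forms - no external send" `
    -MessageContainsDataClassification @(@{Name = "Contoso Employee-Customer Confidential"; MinCount = "1"}) `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "This message contains an internal Contoso form and cannot be sent outside the organization." `
    -Mode Audit

# Review the rule as created.
Get-TransportRule -Identity "Fingerprinted forms - no external send" |
    Format-List Name, Mode, SentToScope, MessageContainsDataClassification
```

Audit mode is the safe default for a new fingerprint: a blank template that shares boilerplate with other documents will match more than intended, and the incident reports from the audit period show that before any user is blocked.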
IW Improvements
Rich text editor (RTE) for OWA enables enhanced table formatting and composition capabilities
Now uses SharePoint RTE
Apps for Office in compose - Mail apps now available for use during the creation of new items
Allows developers to build apps to help users while they are composing mails to easily create content in messages
Compose apps leverage the Apps for Office platform and can be added via the existing Office store or corporate catalogs
DAGs w/o Cluster Admin Access Points
Windows Server 2008 R2 and Windows Server 2012
DAGs require at least one IP address on MAPI network
DAGs require more than one IP address when the MAPI network is extended across subnets
Windows Server 2012 R2 introduces clusters that can operate without an administrative access point
No IP Address resource
No Network Name resource
No Cluster Name Object (CNO)
No DNS registration for cluster
No Failover Cluster Manager access
DAGs w/o Cluster Admin Access Points
Create a DAG without a CAAP using EAC or the Shell
Create a DAG without a CAAP using the Shell:
New-DatabaseAvailabilityGroup -Name <DAGName> -WitnessServer <WitnessServerName> -DatabaseAvailabilityGroupIpAddresses ([System.Net.IPAddress])::None
Behind the scenes, we are calling:
New-Cluster -AdministrativeAccessPoint None
See http://aka.ms/NewClusterR2
This is not the same as an Active Directory-detached cluster
Currently does not work with disjoint namespaces
Fix expected in CU5
http://aka.ms/PowerShell_WFC
Loose Truncation
Prior to SP1, log truncation doesn't occur on the active mailbox database copy when one or more passive copies are suspended
If planned maintenance activities are going to take an extended period of time, you may have considerable log file buildup
To prevent the log drive from filling up with transaction logs, you remove the affected passive copy instead of suspending it
When the planned maintenance is completed, you re-add the passive copy
Loose Truncation
Exchange 2013 SP1 introduces loose truncation
Disabled by default
Enabled via registry entry on Mailbox servers
Additional registry entries to configure two other settings
Provides new behavior that is designed to prevent database copies from running out of disk space when log volume builds up
Cluster Database Hang Detection
When a node contains a cluster database update that has to be shared with other nodes, it first obtains a Global Update Manager (GUM) lock
Then, the node shares the update by using a Multicast Request Reply (MRR) message to the other nodes
After this update is sent, the initiator node waits for a response from other nodes before continuing
In certain conditions, one of the other nodes does not reply to the GUM request in time because the node is "stuck" for some reason (often due to storage issues)
DCR change to enable ability to determine which node is stuck and not replying to the GUM request
Autoreseed
Autoreseed bug fixes and other work have improved reliability
New misconfiguration events introduced:
The Volume Manager found misconfigured volume '%1' mounted at '%2'. It does not have the expected number of database mount points.
The Volume Manager found misconfigured volume '%1' mounted at '%2'. It does not have the expected number of database directories. There may be older database files still present on this volume that were not cleaned up by the Disk Reclaimer.
New Process to Obtain Hybrid Key
When an Exchange on-premises customer wants to onboard to Office 365 using Hybrid, they are eligible for a free product key to license their Hybrid server(s)
To obtain this license key they had to either create a support ticket in O365 or call in to Microsoft support.
The support personnel verify whether the customer has a paying tenant and confirm which version of Exchange they are using
Now, they can self-serve at http://aka.ms/HybridKey
Fixed in
Exchange Server 2013 SP1
Fixed in SP1
TAP, MVP, and customer-reported issues
KB      Title
2860242 HTML format is lost after saving as an MSG file in Exchange 2013
2900076 Mailbox quota warning message uses an incorrect language in Exchange Server 2013
2910199 "Reply all by IM" chat window displays seven recipients in Outlook Web App
2913999 Meeting request body and instructions are lost in delegate's auto-forwarded meeting request
2918655 Microsoft.Exchange.Servicehost.exe crashes after you enable FIPS
2918951 Users cannot access public folders after you upgrade to Exchange Server 2013 Cumulative Update 3
2925281 Outlook connectivity issue if SSLOffloading is "True" in Exchange 2013
2925544 Empty ExternalURL value for ActiveSync virtual directory after build-to-build upgrade of Exchange 2013
2927708 Resource mailboxes that are created by EAC will not be updated by policies in Exchange Server 2013
Fixed in SP1
Other Miscellaneous Fixes
KB      Title
2919164 Retention policies aren't applied when you move a mailbox to Exchange 2013
2928803 Long server connection for Outlook after a database failover in Exchange Server 2013
2930346 POP3 access does not work if name of the resource mailbox differs from the user's name
2930348 Manual redirection occurs in Outlook Web App if External URLs in each site are the same
2930352 Outlook Web App cross-site silent redirection does not work in Exchange Server 2013
2928748 Default from delegate's address in shared mailboxes in Exchange Server 2013
Resources
Related Sessions
Exchange Server 2013 Virtualization Best Practices
Thursday, 9:45a – 11:00a, Cankar
Resources for Exchange 2013 SP1
Download Exchange 2013 SP1 – http://aka.ms/E15SP1
Documentation for Exchange 2013 SP1 - http://aka.ms/E15Docs
Description of Exchange Server 2013 Service Pack 1 http://support.microsoft.com/kb/2926248
Scott Schnoll
Twitter: @Schnoll
Blog: http://aka.ms/Schnoll
Q&A.