Evan Dodds, Microsoft Exchange Server, Microsoft
Paul MacKnight, Microsoft Exchange Server, Microsoft
UNC317

Exchange 2010 Investments: Simplify Administration

The annual cost of helpdesk support staff for e-mail systems with 7,500 mailboxes is approximately $20/mailbox. This cost goes up the smaller the organization. ("Email Support Staff Requirements and Costs: A Survey of 136 Organizations", Ferris Research, June 2008).

Empower Specialist Users to Perform Specific Tasks with Role-based Administration
- Compliance Officer: Conduct Mailbox Searches for Legal Discovery
- HR Officer: Update Employee Info in Company Directory

Lower Support Costs Through New User Self-Service Options
- Track Status of sent messages
- Create and Manage Distribution Lists

Exchange 2010 Management: What's New?
- New Exchange Management Console (EMC) features
- Exchange Control Panel (ECP)
  - New and simplified web based management console
  - Targeted for end users, hosted tenants, and specialists
- Role Based Access Control (RBAC)
  - New authorization model
  - Easy to delegate and customize
  - All Exchange management clients (EMS, EMC, ECP) use RBAC
- Remote PowerShell
  - Manage Exchange remotely using PowerShell v2.0
  - Note: No more local PowerShell, it's all remote in Exchange 2010
- Monitoring

Exchange 2010 Management: Supported OS platforms
- All of Exchange 2010 is 64-bit only
  - Admin-tools also require 64 bit OS
- Supported OS platforms for Admin/Management Tools
  - Vista x64 SP1 (*may be SP2)
  - W2k8 x64 SP2
  - Windows7 x64 Client and W2k8 R2 x64
- Remote PowerShell management
  - Does not require Exchange binaries at the client
  - Supported client OS platforms:
    - Vista (x86 or x64)
    - W2k8 (x86 or x64)
    - W2k8 R2 (x86 or x64) or Win7 (x86 or x64)
    - W2k3 (x86 or x64)
    - XP (x86 or x64)

Exchange Management Console (EMC) Improvements
- Built on Remote PowerShell and RBAC
- Multiple Forest Support
- Cross-premises Exchange 2010 Management, Including Mailbox Moves
- Recipient Bulk Edit
- PowerShell Command Logging
- New feature support, for example: High Availability

Exchange Management Console

Exchange Control Panel (ECP): What is it?
- A browser based Management client for end users, administrators, and specialists
- Accessible directly via URL, OWA & Outlook 2010
- Deployed as a part of the Client Access Server role
- Simplified user experience for common management tasks
- RBAC aware

Exchange Control Panel: Who will use it?
- Specialists and administrators
  - Administrators can delegate to specialists, e.g. Help Desk Operators, Department Administrator, and eDiscovery Administrators
- End Users
  - Comprehensive self service tools for End Users
- Hosted Customers
  - Tenant Administrators and Tenant End Users

Exchange Control Panel: What It Looks Like
[Screenshot labels: UI Scope Control, Secondary Navigation, Slab, Primary Navigation]

Exchange Control Panel

ECP Architecture Overview: High Level View
- AJAX-based
- Shares some code with OWA, but two separate applications
- Deployed on Client Access Server
- Authentication: Windows Integrated, Basic, Forms Based
- Browser support: same as OWA premium (IE, Firefox, Safari)
[Diagram labels: Client Access Server; ECP; ASP.Net; RBAC; PowerShell]

ECP Architecture Overview: Role Based Access Control
- Users shouldn't have access to message tracking: Message tracking tab doesn't show up in ECP
- Users can edit mailboxes, but not create new ones: "New Mailbox" button hidden
- Users can edit display name but not Department: Department field visible but read-only

RBAC in Exchange 2010
- RBAC has replaced the permission model used in Exchange 2007
- Your "role" is defined by "what you do"
- Define precise or broad roles and assignments based on the tasks that need to be performed
- Includes self administration
- Used by EMC, EMS and ECP

Who can do What… and Where?
[Diagram labels: Who? (Admins: RoleGroup/USG; End-Users: Role Assignment Policy); Role Assignment; What? (Role, made of Role Entries, each a Cmdlet with Param1, Param2, Param3); Where? (Configuration Read Scope, Configuration Write Scope, Recipient Read Scope, Recipient Write Scope)]

Who can do What… and Where?
Cmdlets shown on the diagram:
- Add-RoleGroupMember, Remove-RoleGroupMember
- New-RoleAssignmentPolicy, Remove-RoleAssignmentPolicy
- New-ManagementRoleAssignment, Get-ManagementRoleAssignment, Set-ManagementRoleAssignment, Remove-ManagementRoleAssignment

Who can do What… and Where?
Cmdlets shown on the diagram:
- New-RoleGroup, Set-RoleGroup, Get-RoleGroup, Remove-RoleGroup
[Diagram labels added on this slide: RoleGroup; Assigned Roles]

Who can do What… and Where?
Command shown on the diagram:

    # Exclusive scope covering recipients whose title is CEO or CIO
    New-ManagementScope -Name VIP-Recipients -RecipientRestrictionFilter "(Title -eq 'CEO') -or (Title -eq 'CIO')" -Exclusive

Custom Management Roles
- Custom roles can be added to suit specific delegation requirements
- Roles are hierarchical, with built-in role at the top
- Role Entries can only be removed from a role
- Steps to delegate a role:
  1. Create the management role
  2. Change the new role's management role entries (by removing role entries)
  3. Create a management scope (if required)
  4. Assign the new management role

Custom Management Roles: What does it look like?

    # Create the custom role as a child of the parent role
    New-ManagementRole -Name "eDiscovery-Sales" -Parent DiscoveryManagement
    # Create a scope limited to user mailboxes under the Sales OU
    New-ManagementScope -Name "Sales Mailboxes" -DomainRestrictionFilter "(RecipientType -eq 'UserMailbox')" -DomainRoot "OU=Sales,DC=contoso,DC=Com"
    # Assign the role to the security group, restricted to that scope
    New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" -User "USG-Sales eDiscovery Admins" -Role "eDiscovery-Sales" -DomainScopeRestriction "Sales Mailboxes"

Role Based Access Control

RBAC Role Delegation
- Role membership is not a right to delegate
- RoleAssignment Delegation
  - Special kind of Role Assignment
  - Delegation does not grant role permissions
- RoleGroup Delegation
  - Controlled through RoleGroup ownership
  - ManagedBy parameter similar to DGs (Multi-Valued)
  - Ownership does not grant RoleGroup permissions

RBAC Permissions Reporting
- Get-ManagementRoleAssignment
  - Effective Roles for a User
  - Effective Users by Role/Scope/Group
  - Effective permissions to a Writable Object

Remote PowerShell
- New management architecture for PowerShell in Exchange 2010
- Allows Role-based Access Control (RBAC) model
  - Restricted PSSession allows RBAC to hide cmdlets and parameters
- Client / Server separation
  - Remote PowerShell is always used to connect "remotely" to localhost
  - Enables firewall and cross-forest scenarios
- "No Binaries" scenarios
  - Exchange-cmdlet management from a client machine which does not have Exchange Management Tools (Exchange binaries) installed

Remote PowerShell: How does it work?

    > New-PSSession -URI https://server.fqdn.com/PowerShell/
    > New-Mailbox -Name Bob
    [Bob Mailbox Object in Pipeline]

[Diagram labels: Evan; PSv2 Client Runspace; IIS; WSMan + RBAC stack; PSv2 RBAC Server Runspace; Exchange Server; Active Directory. IIS: Authentication. RBAC: Authorization. Evan: Role Assignment (New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name). Cmdlets Available in Runspace: New-PSSession. Remote Cmdlets Available in Runspace: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name. Cmdlets Available in Runspace: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name.]

Remote PowerShell: How Do I Use It?

The Beta Way:

    # Session option that skips the certificate CA, CN and revocation checks
    $wso = New-WSManSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
    # Open the remote session over HTTPS using the current logon credentials
    $rr = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<Exchange 2010 fqdn>/powershell -SessionOption $wso -Authentication NegotiateWithImplicitCredential
    # Import the cmdlets the session exposes into the local shell
    Import-PSSession $rr

The RTM way:

    # Open the remote session over HTTP with Kerberos authentication
    $rr = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<Exchange 2010 fqdn>/powershell -Authentication Kerberos
    # Import the cmdlets the session exposes into the local shell
    Import-PSSession $rr

Or… just run the Exchange Management Shell icon!

Remote PowerShell

Monitoring

Monitoring & Reporting
- Based on Operations Manager 2007
  - Supports 2007 SP1 or 2007 R2
  - MP Releasing concurrently with Exchange 2010!
- Greatly reduced alert "noise"
  - Correlation Engine: Uses Operations Manager health model to hide "symptom alerts" and leave "root cause alerts" for faster problem resolution, fewer headaches
- Smarter alerts: Exchange 2010 diagnostics specifically designed for monitoring
  - Scale ready, no more "magic number" threshold tuning!
- Reporting
  - Mail flow statistics based on message tracking logs
  - Reports that understand Exchange, more accurately model end-user availability
  - Service Level Agreement (SLA) target support

Summary
- Exchange Management Console
  - New Features, Bulk Management, and PowerShell convergence
- Role Based Access Control
  - RBAC has replaced the permission model used in Exchange 2007
  - Enables the definition of broad or precise roles and assignments, based on the actual roles administrators perform
- Exchange Control Panel
  - Provides a new way to administer a subset of Exchange features
  - Provides a great self provisioning portal
- Remote PowerShell
  - Uses familiar Exchange cmdlets
  - Allows administration without the Exchange management tools
  - Provides firewall friendly management access

Related Content
- UNC204: Introduction to Microsoft Exchange Server 2010 (already done)
- UNC316: Microsoft Exchange Server 2010 Architecture (already done)
- UNC03-INT: Mastering Exchange Management with the Exchange Management Shell
- WSV325: Windows PowerShell: Tips from the Expert

Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- www.microsoft.com/learning: Microsoft Certification & Training Resources
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers

Call to Action
- Learn More!
  - Related Content at TechEd on "Related Content" Slide
  - Attend in-person or consume post-event at TechEd Online
  - Check out online learning/training resources
  - http://technet.microsoft.com/exchange/2010
  - http://technet.microsoft.com/office/ocs
- Try It Out!
  - Download the Exchange Server 2010 Beta Evaluation: http://www.microsoft.com/exchange/2010/try-it
  - Get a 5-Day Trial of Office Communications Server 2007 R2: https://r2.uctrial.com/

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
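
Added example (not part of the deck, and not Exchange's implementation): a simplified Python model of the "Who can do What… and Where?" evaluation and of the ECP behaviour on the "ECP Architecture Overview: Role Based Access Control" slide, showing how role entries, write scopes and an exclusive scope combine. The role contents, the users "helpdesk" and "vipadmin", and the recipient attributes are constructed assumptions; the rule that one assignment must cover every parameter of a call is a simplification.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet

Role = Dict[str, FrozenSet[str]]  # role entries: cmdlet -> allowed parameters
@dataclass
class Scope:
    name: str
    matches: Callable[[dict], bool]  # recipient filter ("where")
    exclusive: bool = False
@dataclass
class Assignment:  # ties "who" to "what" and "where"
    assignee: str
    role: Role
    scope: Scope

def derive_role(parent, drop_cmdlets=(), drop_params=None) -> Role:
    """Custom role: entries can only be removed from the parent."""
    drop_params = drop_params or {}
    return {c: p - frozenset(drop_params.get(c, ()))
            for c, p in parent.items() if c not in drop_cmdlets}

def visible_cmdlets(user, assignments) -> Role:
    """Cmdlets and parameters a restricted session (or ECP) would expose."""
    seen: Role = {}
    for a in assignments:
        if a.assignee == user:
            for cmdlet, params in a.role.items():
                seen[cmdlet] = seen.get(cmdlet, frozenset()) | params
    return seen

def authorize(user, cmdlet, params, target, assignments, scopes) -> bool:
    # A recipient matched by an exclusive scope is writable only through it.
    guarded = any(s.exclusive and s.matches(target) for s in scopes)
    for a in assignments:
        if a.assignee != user or cmdlet not in a.role:
            continue
        if not set(params) <= a.role[cmdlet] or not a.scope.matches(target):
            continue
        if not guarded or a.scope.exclusive:
            return True
    return False

# Constructed sample data; role, scope and user names are hypothetical.
PARENT = {"Get-Mailbox": frozenset({"Identity"}), "New-Mailbox": frozenset({"Name"}),
          "Set-User": frozenset({"Identity", "DisplayName", "Department"})}
HELPDESK = derive_role(PARENT, {"New-Mailbox"}, {"Set-User": {"Department"}})
SALES = Scope("Sales Mailboxes", lambda r: r["ou"] == "Sales")
VIP = Scope("VIP-Recipients", lambda r: r["title"] in ("CEO", "CIO"), exclusive=True)
ASSIGNMENTS = [Assignment("helpdesk", HELPDESK, SALES), Assignment("vipadmin", PARENT, VIP)]
```

The "helpdesk" session exposes Set-User without Department and no New-Mailbox at all, and its Sales scope stops applying to a Sales recipient whose title places them in the exclusive VIP-Recipients scope.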