Tony Redmond's Exchange Unwashed Blog

Oct 4, 2012
blog

Outlook 2013 introduces hybrid cached mode

One of the nice things about attending the Microsoft Exchange Conference (MEC) is the chance to sit down with development engineers to learn about the software they’re working on. Karim Batthish introduced me to Allie Bellew because he wanted me to know about a new feature that’s coming in Outlook 2013. The problem that they are trying to solve is to provide users with quicker access to data when working in cached mode. As you might recall, Outlook 2013 changes its cached model to allow users to selectively keep a certain amount of data cached in the local OST while the remainder is held in the online mailbox. The theory here is that as we deal with larger and larger mailboxes, it doesn’t make much sense to keep everything cached because users really only need access to their most recent data. In any case, Outlook 2013 includes “hybrid mode”, which means that it’s got the ability to switch between cached and online data to display information to the user faster. The gate is 400ms, measured when the user logs on and connects to Exchange and updated when the user switches folders. If the network connection is good enough, Outlook can switch into hybrid mode to fetch data from the server and if not, access the OST. The thought might cross your mind that it’s always going to be faster to access information from a local source, especially when the OST is held on a SSD. This is true: local cached information is always faster and Outlook prefers to get data from the OST if possibl...
Oct 2, 2012
blog

Exchange 2010 SP3 prepares the way for Exchange 2013

Given the fuss around the Microsoft Exchange Conference, you might have missed Microsoft’s announcement of the upcoming release of Exchange 2010 Service Pack 3, but I didn’t. Indeed, it was a strange announcement in some respects because Microsoft generally doesn’t announce a service pack some three or four months before the software ships. In this case, they had to release the news (which was an open secret anyway) because sessions at MEC such as “co-existence with Exchange 2013” discussed the need for customers to deploy Exchange 2010 SP3 before they can install Exchange 2013. A host of architectural and other changes are in Exchange 2013, many of which flow from the decision to retrench Exchange server roles into Client Access Server (CAS, or front-end) and Mailbox (or back-end). The older Hub Transport and Unified Messaging roles have been subsumed into CAS or Mailbox and there’s been a redistribution of workload across the server roles to make the CAS a true stateless server. Older servers have no knowledge of the changes in Exchange 2013. It’s logical that these servers would need to be updated to be able to co-exist alongside Exchange 2013 in the same organization. Exchange 2010 SP3 updates servers so that they can exchange messages and proxy connections with Exchange 2013 – and share the upgraded Active Directory schema required by Exchange 2013 to support its range of new features such as Data Leak Protection. You’ll need to apply SP3 to all Exchange 2010 servers...
Sep 27, 2012
blog

The upside and downside of Microsoft's focus on the cloud

The upside and downside flowing from Microsoft’s growing investment in cloud-based services was illustrated by two recent blog posts. On the downside, Microsoft announced that they were cancelling a range of on-premises security products including Threat Management Gateway (TMG) and Forefront Protection for Exchange (FPE). Microsoft’s new focus is on cloud-based security, a move that makes absolute business sense for Microsoft as it allows them to move out of what has become an area of low profitability when measured against engineering investment. In addition, Microsoft already has to provide anti-virus and anti-spam protection for Office 365 and can offset their costs against the monthly subscriptions that are now flooding into “the service”. All in all, it’s a good deal for Microsoft that will cause some pain for customers who need to get their heads around the new situation. I don’t treat the situation as a problem because I think it opens up a space where Microsoft previously took a lot of the available oxygen, leaving room for innovation that will hopefully flow from other companies. Although the traditional on-premises anti-malware products will continue to handle situations such as regular scans of mailbox databases, I think that hardware-based appliances (perhaps virtualized) might be the right way to process the ever-increasing volume of inbound email. Time and investment will tell here. The upside of Microsoft’s focus on the cloud platform can be seen in the new monitoring...
Sep 25, 2012
blog

MEC shows that Outlook, OWA, and EAC user interfaces maturing nicely

The demos in yesterday’s MEC opening keynote revealed an improved user interface for Outlook and Outlook Web App (OWA) compared to the preview versions released in August. This is to be expected as the developers refine their code in a drive to eliminate bugs and streamline the UI before the products eventually ship, expected later this year or in early 2013. In any case, improvement is always good to see, even if some still believe that the Metro influence results in far too much white space, so much so that I’ve heard people complain of headaches after a day working with Outlook 2013. Perhaps the changes seen yesterday will help. The new user interface makes it hard sometimes to tell Outlook and OWA apart. OWA 2013 is now a very feature-rich client that shares many new features with its big brother, including inline editing of messages and the display of “people” data gathered from sources such as LinkedIn and Facebook (Twitter seems missing, which is interesting). These data sources are revealed by add-ins created using the new Outlook development model, which holds out the promise that apps developed now will survive without needing rework for future versions of Outlook. OWA 2013 also includes offline mode (providing you use a suitable browser), but lacks some of Outlook’s offline capabilities such as the OAB or local full-text indexing. No doubt these gaps will close over time. Outlook 2013 and OWA 2013 have also been optimized for touch with big buttons that are easy for fingers to locate. In addition, if you detach a touch-enabled client device such as the unnamed but highly likely to be Microsoft Surface from its keyboard, Outlook 2013 reveals a number of command buttons (including delete) positioned so that they’re easy to use with right-handed thumbs. No comment was made whether this is a configurable setting that left-handers can change. It probably is.
Despite its twice-over remake in Exchange 2010 (once in RTM and again for SP1), OWA receives another...
Sep 20, 2012
blog

Questions for Exchange engineers at MEC

A Microsoft Exchange Conference (MEC) provides a unique opportunity to engage in direct debate with the Exchange development group. Lots of engineers and product managers will be present at the conference and they won’t be able to hide! Not that they would, of course, but it will be difficult for engineers and product managers to disguise their status given that many of them will be presenting sessions. Given a target-rich environment for people who might provide interesting answers to questions, here’s a selection of questions relating to Exchange 2013 that I’m interested in knowing more about. You probably have your own list, but for those who don’t… Explain the full deployment methodology required to introduce Exchange 2013 into an existing organization containing Exchange 2007 and Exchange 2010 servers. What server roles are introduced first, where do they go, and are there any specific interoperability issues to deal with? Why have you dropped context-sensitive menus and the PowerShell learning tools from the Exchange Administration Center (EAC)? Given that Exchange 2013 includes almost 200 new PowerShell cmdlets, it doesn’t sound like a great idea to drop features that helped administrators understand the syntax and use of Exchange’s cmdlets. What features of Exchange 2013 such as Data Leakage Prevention (DLP) and site mailboxes depend on Outlook 2013? Of course, some features also depend on SharePoint 2013 (site mailboxes again)....
Sep 18, 2012
blog

Choosing the right operating system for Exchange 2013

One of the interesting decisions awaiting those who want to deploy Exchange 2013 is the operating system to use. The choice is pretty straightforward. You can use either Windows 2012 Server or Windows 2008 R2 SP1. Is the choice then between the well-proven record of the latter and the new promise of the former? Let’s discuss. An obvious influence on the debate is the way that Microsoft now treats upgrades for new versions of Exchange. Whereas B2B (build-to-build) upgrades are supported within a specific version of Exchange, you haven’t been able to upgrade one version of Exchange to a newer release ever since Microsoft discovered the joys of forcing customers to deploy new servers for Exchange 2007. Of course, Microsoft had a great covering story when Exchange 2007 hove into view. The complexity of moving a server running a 32-bit version of Windows and a 32-bit version of Exchange to 64-bit versions of the O/S and email server was just too horrendous to be contemplated. Panic would ensue if Microsoft even attempted such a feat, so they simply said “we’re making this real easy for you – buy some nice new 64-bit hardware and have a nice day”. And so it came to pass that ever since we’ve experienced easy upgrades while making it possible for the friendly representative of our preferred server vendor to make their quarterly sales target. From Microsoft’s perspective, the decision to avoid in-place server upgrades makes life very much easier for the installation engineers...
Sep 13, 2012
blog

Will Exchange Customers Trust the Cloud to Provide Anti-Malware Protection?

The news that Microsoft will discontinue producing standalone releases of their Forefront-branded anti-malware products will come as a bit of a shock to many, but I think it makes good sense. Here’s why. First, the world of threat prevention and cure has come a long way since the first wave of email-transmitted viruses hit at the end of the last century. Although some spammers and virus authors might consider using a vector similar to the famous “I Love You” virus that launched an industry for email AV engines, I doubt that their work would make it past the first line of defense of any AV product available today. Much more intelligence (some might say deviousness) is exerted to penetrate the sophisticated AV scanning that exists today....
Sep 11, 2012
blog

Exchange 2013 Site Mailboxes; a new beginning for collaboration?

What are we to make of the latest attempt by Microsoft to achieve collaborative nirvana in the shape of Exchange 2013 site mailboxes as described in a recent EHLO post? Those of us experienced enough to have gone through many false dawns in the past might be forgiven for being a tad cynical about the promises of collaboration bliss, the easy interaction between SharePoint and Exchange, the completeness of discovery searches across multiple repositories, and the excellence of the Outlook 2013 user interface, but that’s not a reason to consign site mailboxes to the wastebasket, at least not at this point. Everyone will have their own definition of what collaboration means and how this can be best achieved within Exchange. Some believe that email (still the collaborative application par excellence) is good enough, provided it is used well. Others consider public folders to be capable of satisfying the needs of their organization and look forward to the advent of “modern” public folders in Exchange 2013. And there are many who have invested heavily in SharePoint and are annoyed that Microsoft has not been able to connect Exchange to SharePoint in any coherent manner since SharePoint was first released some eleven years ago. I doubt that site mailboxes will do much for anyone who is focused on email or public folders. There is sufficient in Exchange 2013 to keep these folk happy and anyway, the thoughts of having to deploy SharePoint 2013 into production....
Sep 6, 2012
blog

The Implications of Outlook 2013 Changing OST Cache Behavior

When I wrote about my initial experiences of Outlook 2013 Preview on July 24, I remarked that the installation of Outlook 2013 forced a recreation of my Offline Storage file (OST). The new OST was much smaller than the older version used by Outlook 2010, a fact that seemed to be a good thing at the time even if the creation of OSTs en masse might generate a resource consumption problem for servers if you deployed Outlook 2013 to multiple users at one time....
Sep 4, 2012
blog

Exchange 2013 dumps CAS arrays

One of the truisms much beloved by those who pontificate about designing for Exchange is the necessity to follow “best practice.” There’s absolutely nothing wrong with this approach as best practice is defined to be a method or technique that has consistently shown better results than other methods. In other words, it’s an approach that works well, probably because others have tried different methods and failed. But the important thing is not to become bogged down in best practice and to understand that best practice evolves constantly in line with human experience and developments in the underlying technology. Take CAS arrays for instance. Introduced with Exchange 2010, CAS arrays provided a method to group a set of CAS servers together in such a way that they could be addressed as a single entity (and had a single IP address and FQDN). Individual servers could join and leave the array over time and the array would keep functioning as long as a single server was active. All-in-all, it was a nice concept, even if a CAS array didn’t perform any load-balancing of incoming client connections. In this respect, you can ignore the statement in TechNet’s documentation of the New-ClientAccessArray cmdlet that says it creates “a load-balanced array of client access servers within a single Active Directory site.” That’s not true, but the vendors of load balancers were all too happy to fill that gap....
Aug 30, 2012
blog

Soft or Hard Deletes for Moved Mailboxes

One of the small but important changes that might have passed some by in Exchange 2010 SP1 was the change in the way that the Mailbox Replication Service (MRS) preserves source mailbox content after it successfully moves a mailbox. In the original release of Exchange 2010, MRS deletes the source mailbox as soon as it deems that it has successfully moved a mailbox to a target database. Successful means that MRS moved the mailbox’s content, locked the mailbox, performed a final incremental synchronization to ensure that any changes that occurred since the move commenced have been captured, and then switched the user’s Active Directory attributes to point to the new mailbox location. If everything works smoothly (99.9995% of the time), then it is quite safe for MRS to remove the source mailbox from its database to release the pages occupied by the mailbox for reuse....
Aug 28, 2012
blog

Exchange 2013 Modern Public Folders

There are many things to like about Exchange 2013’s “modern public folders.” It’s good to be able to move away from the separate public folder database and integrate everything under the comforting blanket of protection afforded to mailbox databases through the Database Availability Group (DAG). Likewise, it’s good to discard the old public folder replication model that seemed oh-so-cool when it debuted with Exchange 4.0 in 1996 but has proven over time to be a black box that almost no one understood, especially when things went wrong. The goodness of the new model will only be attained after new public folders are created and deployed. Companies that have long run Exchange will look forward to whatever migration facilities Microsoft cares to ship along with Exchange 2013. There’s a ton of work to do here to analyze existing public folder hierarchies and folder contents in preparation for the migration, then to decide on the layout of the new public folders when moved to Exchange 2013. For example, how many public folder mailboxes are required to host the hierarchy and data of the new public folders that we want to create? Given that new public folders use a single master model (only one public folder mailbox contains a writeable copy of the hierarchy – the others are just read-only copies), what databases should host these mailboxes and how should they be protected by a DAG? I suspect that sorting out a deployment plan for new public folders will be a slow process...
Aug 23, 2012
blog

The Basic Impossibility of Renaming an Exchange Server

Because we’re all skilled computer professionals who have carefully considered a suitable computer naming convention before deploying any server into production, I can’t think of good reasons why anyone would ever want to rename an Exchange server. On the other hand, I can think of some pretty bad reasons for wanting to rename a server such as wishing to update all names following a corporate merger or as part of a rebranding exercise launched by the marketing department....
Aug 21, 2012
blog

Exchange 2013 console (EAC) dumps context-sensitive menus

On August 7, I wrote about the sad omission of the PowerShell learning features from the new Exchange Administration Center (EAC) as introduced in Exchange 2013 Preview. These features, which have been present in the now-discontinued Exchange Management Console (EMC) since Exchange 2007, give administrators an insight into the PowerShell code that Exchange will execute (or has executed) to do work such as updating a set of mailboxes, setting a property on a connector, or creating a new mailbox database. Even after six years of exposure to the Exchange PowerShell cmdlets and their sometimes odd syntax (even for someone who worked extensively with VMS’s Digital Command Language for many years), I still find myself checking the PowerShell log to understand exactly how Exchange cmdlets work. Given that the cmdlet set has exploded in numbers since Exchange 2007, reviewing commands in the log has proven to be an excellent way to learn that is, alas, no more. Good as EAC is in terms of presenting a modern browser-based management interface that works well across multiple platforms (I’m not quite sure whether we’ll see many administrators running EAC on their iPads or Microsoft Surface devices, but time will tell), it also drops another important UI feature in that the right-click context-sensitive menus that EMC supports are not present. Sure, there are UI elements to take up the slack, usually in the form of buttons that you can click on to perform an action, but context-sensitive menus are a really nice way of exposing the appropriate set of actions that you can take to work with an object in its current state. For example, if you select a mailbox database, you can right click to see options such as “dismount the database.” This doesn’t happen in EAC with the apparent logic being that all of the available options are clearly available as a set of icons (see the screen shot above – the icons are shown above the list of objects, in this case a set of retention tags)...
Aug 17, 2012
blog

WSUS, Exchange 2010, and the WebReady fix

On July 31 I wrote about the increasing complexity of software engineering, illustrated by how a bug in a software library owned by Oracle and licensed to Microsoft for inclusion in Exchange 2007 and Exchange 2010 ended up causing a potential security issue. Microsoft moved quickly and fixed the bug in Exchange 2010 SP2 RU4 and Exchange 2007 SP3 RU8, released on August 14. Many articles duly followed to assess the contents of these roll-up updates, including two on the EHLO blog, one of which discussed the change to the way that calendar and task items are processed by the Managed Folder Assistant (MFA) after Exchange 2010 SP2 RU4 is deployed. As is my wont, I followed up with an article giving my thoughts on the MFA change. The task of documenting the regular roll-up updates done, thoughts turned to other issues until a tweet arrived from Paul Bendall, who observed: ”I am not sure if you are aware but the security vulnerability relating to WebReady document viewing for Exchange and discussed in MS12-058 has a horrible implication. Those who use WSUS to deploy security updates or manually apply MS12-058 will be inadvertently applying Exchange 2010 SP2 RU4 as the security vulnerability doesn’t have a standalone update and instead requires RU4 to be deployed. To be honest I can’t believe the product team have done this as many IT Security departments will be scanning for this critically rated vulnerability and insisting Exchange Admins deploy the ‘patch’ or admins inadvertent...
Aug 16, 2012
blog

Automatic clean-out of Calendar and Task items now possible (but carefully)

The Microsoft Exchange Customer Experience Team (CXP, don’t you know) reinforced the importance for administrators to carefully review and assess the contents of a roll-up update (RU) when they released RU4 for Exchange 2010 SP2 on August 14. Exchange 2007 RU8 was released on the same day. Apart from a fix for the WebReady security issue (also fixed in Exchange 2010 SP2 RU4), this RU contains little of note, possibly reflecting the relative lack of importance for Exchange 2007 given the imminent arrival of Exchange 2013 and the stage that Exchange 2007 has reached in Microsoft’s product lifecycle. Exchange 2010 SP2 RU3 also contained some big changes, notably those that deal with cross-site failovers. Now RU4 comes along and changes the rules for how retention policies for calendar and task items are processed by the Managed Folder Assistant (MFA). The new processing behaviour is explained in a comprehensive post by Ross Smith IV so I won’t dive into the detail here. Suffice to say that the change closes a gap in Microsoft’s record retention strategy built around Exchange. Any Exchange 2010 server prior to the installation of RU4 ignores calendar and task items, even if you define a Default Policy Tag (DPT) that dictates that all items in a mailbox should be deleted or moved into an archive mailbox after a certain period. In the past, I’ve heard Microsoft representatives justify this on the basis that it would be a very bad idea if Exchange automatically cleaned up calendars...
Aug 14, 2012
blog

Exchange 2013 focuses on RPC-over-HTTPS

One of the more interesting evolutions incorporated in Exchange 2013 is the decision to use RPC-over-HTTPS as the sole method to connect Outlook clients. In other words, direct MAPI connections over TCP are no longer supported, even for intranet connections. RPC-over-HTTPS or Outlook Anywhere has been supported since Exchange 2003 so it’s a well-known mechanism by this stage. Insisting that all MAPI clients encapsulate (or wrap) their traffic inside HTTPS packets delivers some advantages from the perspective of Exchange. First, it simplifies the Client Access Server (CAS) as CAS now has one less (albeit very important) protocol to deal with. Second, because CAS doesn’t have to handle MAPI any more, the RPC Client Access service is removed. Apart from reducing the amount of code that runs on a CAS, losing the RPC Client Access service allows Exchange 2013 to function without two namespaces that have to be defined on Exchange 2010 CAS servers to support site-resilient failovers. Third, HTTP is a protocol that is well-suited to connections over many different kinds of networks and RPC-over-HTTPS has proven its ability to reliably support huge numbers of connections over even extended links like those used to access Exchange Online in Office 365. The last advantage is gained by being able to remove the requirement to provide Outlook with a server FQDN as its endpoint. Exchange 2010 started the process by switching the endpoint from a mailbox server to a CAS server....
Aug 9, 2012
blog

White paper on Microsoft internal deployment of Active Directory Rights Management Services

Microsoft recently published a white paper on TechNet describing their implementation of Active Directory Rights Management Services (ADRMS). It’s an interesting document because it reveals some details of the templates that Microsoft has deployed to protect against the kind of information leakage that email facilitates so easily. Companies have attempted to prevent users from doing things like forwarding confidential email outside the organization for at least twenty years. In the early 1990s, we were still in the transition from technologies like telex and fax as email became more pervasive. Although it’s possible to send a fax or telex to a wrong number, the number of incidents seemed low in comparison to the leakage that can accrue through email. In addition, the information provided in a fax or telex is relatively less usable than the data contained in an email or attachment. Early efforts to control email focused on human behavior. Unlike today, it wasn’t usual for everyone in the company to have access to email and so it was easier to concentrate on the small pool of email users who might make an error and forward something that they shouldn’t, or, on a more sinister level, deliberately share a company secret with a journalist, competitor, or someone else who might benefit from the information. However, people are fallible and corporate directives on the correct use of email were often ignored. Some companies attempted to implement email encryption as a way to prevent unauthorized access to information. Indeed, one of the big selling points for the first generation of Exchange in the late 1990s was its close integration with the Windows PKI infrastructure that made it relatively easy to distribute and manage the keys necessary to encrypt and decrypt messages. Relative is an important word here because although the deployment of encrypted email was absolutely feasible in terms of technology, it was a nightmare to manage and users didn’t comply.
One majo...
Aug 7, 2012
blog

Exchange 2013's browser-based management console drops EMS learning tools

Exchange 2013 dispenses with the MMC-based administrative console that’s been part of the product since Exchange 2000. I don’t shed many tears about this development because Exchange 2010’s Management Console (EMC) had become slow and unwieldy. Some might even apply the “fat, dumb, and happy” label to EMC, but I wouldn’t go quite that far even though the console went through some choppy waters after Microsoft shipped IE9 and EMC didn’t function quite as well as expected. The IE9 bug developed into a long-running fiasco that took Microsoft a surprising length of time to fix, but that’s not the reason why they decided to chop EMC from Exchange 2013. The more pressing requirement was to create a unified browser-based management platform that was common across on-premises and cloud deployments. The Exchange Control Panel (ECP) proved the essential concepts for both Exchange 2010 and Exchange Online but its functionality was limited. For example, you couldn’t even create a new mailbox with ECP. Server management was also a notable omission. This was understandable because you don’t need to manage servers when you use Office 365 and the immediate priority was to create the UI to manage Exchange Online. Exchange 2013 includes a new browser-based management console called Exchange Administration Center (EAC). It’s a much-enhanced console that builds on the principles established by ECP such as RBAC-controlled UI display and support for multiple browsers....
Aug 2, 2012
blog

Self-signed Certificates Lead to Many Problems

Those who advocate the use of Office 365 instead of on-premises servers for small businesses were provided with some additional support for their stance when Australian researcher Peter Hannay reported how Android or iOS devices might fall victim to a “man in the middle” attack and end up wiping device contents. The root cause of the problem is the use of self-signed certificates, a habit supported by Exchange, but only really intended for test systems whose connections are not exposed to the Internet. Best practice for production systems is to secure all certificate-enabled communications (like SSL) with a certificate purchased from a reputable commercial vendor such as Thawte or Verisign. Windows Phone clients appear to be better protected, but you never know with self-signed anything. Small businesses don’t tend to operate sophisticated IT shops. In this environment, it’s no surprise when short-cuts are taken or costs that appear optional are eliminated. Certificates have a history of being difficult to manage for Exchange, which is the reason why the developers have spent so much effort to improve the process of creating certificate requests, importing certificates, and associating them with services in recent versions of Exchange. Certainly, the old adage that an Exchange administrator had to be somewhat of a certificate guru if they wanted to establish external connectivity was true in Exchange 2003 and Exchange 2007. It’s much easier in Exchange 2010 as new wizards...
What's Tony Redmond's Exchange Unwashed Blog?

On-premises and cloud-based Microsoft Exchange Server and all the associated technology that runs alongside Microsoft's enterprise messaging server.

Contributors

Tony Redmond

Tony Redmond is a senior contributing editor for Windows IT Pro and the author of Microsoft Exchange Server 2010 Inside Out (Microsoft Press) and Microsoft Exchange Server 2013 Inside Out: Mailbox...