Sunday, November 22, 2009

Introduction to Exchange 2010

  • For the past couple of years the Microsoft Exchange team has been building Exchange Server 2010.
  • Microsoft expects it to be an important milestone.
  • It is reported that 5 million users are already using Exchange 2010.
  • The content of this session is based on the beta version and may differ from the released product.

Exchange 2010 Server Roles

  • Hub Transport Server Role
  • Client Access Server Role
  • Mailbox Server Role
  • Unified Messaging Server Role
  • Edge Transport Server Role

Installation Pre-requisites

AD Preparation

  • Schema Master – 32- or 64-bit Windows Server 2003 or later, Standard or Enterprise edition
  • Global Catalog (GC) server – 32- or 64-bit Windows Server 2003 or later, Standard or Enterprise edition
  • Functional Level – Windows Server 2003 native mode

Server – Level Specification

  • Hardware –
    • Processor : Intel 64 or AMD64 processor (production)
    • Processor supported for 32-bit : Intel Pentium or compatible 800-megahertz (MHz) or faster 32-bit processor
    • Memory : depends on the actual requirement; minimum 2 GB plus 2, 3.5 or 4 MB per mailbox, with up to 64 GB supported
  • Software
    • Windows Server 2008 Standard or Enterprise Edition
    • Active Directory management tools - ServerManagerCmd -i RSAT-ADDS
    • Microsoft .Net Framework 3.5
    • Windows Remote Management (WinRM) 2.0 Community Technology Preview 3 (CTP3)
    • Windows PowerShell V2 CTP3.
    • IIS (roles should be enabled based on the server role)
    • ASP.Net

New Features in HUB

  • Improved transport database, which increases performance and reduces IOPS per message
  • Shadow Redundancy
  • Enhanced disclaimers – support HTML format, images and hyperlinks
  • Transport rules integrate with Active Directory Rights Management Services (AD RMS), used to restrict access to rights-protected content to authorized users only
  • Moderated transport provides an approval step before a message reaches its recipient
  • MailTips

New Features in CAS

  • Outlook 2007 or later will no longer connect directly to the Mailbox server (MAPI); connections go through the Client Access server.
  • This improves performance, as CAS becomes a middle tier that provides a single common path for all clients.
  • Users will no longer notice when a failover occurs.
  • New Outlook Web Access.
  • Outlook Live (the new OWA) can be accessed from any browser.

Database Changes

  • Drastic schema improvement: fewer tables and indexes, which gives better performance
  • Database page size increased from 8 KB to 32 KB
  • No more storage group concept
  • Databases reside at the organization level.

Exchange 2007 – Challenges

  • Still depends on Windows Clustering
  • Temporary disruption of service to users on the mailbox server during failover.
  • Transport dumpster – if a Hub Transport server fails while processing a message, the message cannot be recovered.
  • High level of administrator intervention required
  • At least 3-4 Exchange servers required
  • If a single database fails, the entire clustered mailbox server must be failed over to another node

High Availability Improvement

  • Re-engineered continuous replication technology.
    • Database Availability Groups – support up to 16 copies
    • Incremental deployment
    • Backup-less Exchange organization
    • Database mobility – multiple server roles can co-exist on the same server
    • High availability can be built at any time
    • No need to be a clustering expert
    • Easy to move a database when needed.
  • Goodbye to LCR, SCC and clustered mailbox servers.

Outlook Live

  • Outlook Live is supported in any browser.
  • ECP – create and manage distribution groups, message tracking, user creation, modifying AD attributes
  • Search folders and Favorites are included in the navigation pane
  • You can now send text (SMS) messages from OWA 2010
  • OWA 2010 now integrates with Office Communicator, so you can take advantage of its capabilities, such as seeing the presence of colleagues on your contact list, sending and receiving instant messages, and more

Unified Messaging Role

  • Personal auto attendants (call answering rules)
  • Additional language support, including in Outlook Voice Access and Voice Mail Preview
  • Message Waiting Indicator
  • Missed call and voice mail notifications using text messaging (SMS)

Administration Improvement

  • Exchange 2010 uses the Role Based Access Control (RBAC) permissions model on the Mailbox, Hub Transport, Unified Messaging and Client Access server roles to control what resources your administrators and users can access.
  • New Move-Mailbox functionality
  • Connect Remote Exchange Management Shell to an Exchange Server
  • Mailflow Testing
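As an added example (not from the original session notes), here is how the RBAC model described above is used to give a help-desk group read-only visibility of recipients, typed into the Exchange 2010 Management Shell. The role name "Helpdesk Recipient Viewer" and the universal security group "Contoso Helpdesk" are assumptions for illustration; the cmdlets are the standard Exchange 2010 RBAC cmdlets.

```powershell
# Added example: a least-privilege help-desk role built with Exchange 2010 RBAC.
# The role name and the security group name are assumptions for illustration.
$roleName      = "Helpdesk Recipient Viewer"
$helpdeskGroup = "Contoso Helpdesk"   # must be a universal security group

# 1. Derive the new role from the built-in "Mail Recipients" role. A child role
#    can only ever hold a subset of its parent's cmdlets and parameters.
New-ManagementRole -Name $roleName -Parent "Mail Recipients"

# 2. Remove every entry that is not a Get-* cmdlet, so the role can read
#    recipient objects but cannot change them.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -notlike "Get-*" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Grant the role to the group. The role assignment, not group membership
#    alone, is what RBAC evaluates when a help-desk user opens the shell or ECP.
New-ManagementRoleAssignment -Name "$roleName-$helpdeskGroup" `
    -Role $roleName -SecurityGroup $helpdeskGroup

# 4. Verify what the group can now run, and confirm nothing writable slipped through.
$remaining = Get-ManagementRoleEntry "$roleName\*"
$remaining | Format-Table Name, Parameters -AutoSize
if ($remaining | Where-Object { $_.Name -notlike "Get-*" }) {
    Write-Warning "Role $roleName still contains non-Get cmdlets; review before use."
}
```

The point of deriving from a parent role rather than from "Organization Management" is that RBAC never lets a child role contain more than its parent, so the worst case for a mistake in step 2 is a role that can do what "Mail Recipients" can, not what a full administrator can.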

Exchange co-existence

  • Exchange 2003 with SP2
  • Exchange 2007 with SP2
  • No more support for Exchange 2000

High Availability for Microsoft Exchange 2007


High availability means keeping systems accessible to users. It is not only about keeping the servers from going down as much as possible, but also about maintaining performance, so that all users can access the resource without any issue.

Examples include…

  • Clustering
  • Load balanced hosts
  • Built-in redundancy or load balancing
  • DNS / application redundancy or load balancing

Solutions that allow for contingency of operations

  • Recovery in the event of a serious disaster
  • Usually not automatic failover
  • Examples include…
    • Standby Continuous Replication
    • Local Continuous Replication

High Availability for E2K7

  • High Availability for Mailbox Server
  • High Availability for Client Access Server
  • High Availability for Hub Transport Server
  • High Availability for Edge Transport Server
  • High Availability for Unified Messaging

High Availability for MBX

High availability for Mailbox servers comes in two forms: service availability and data availability.

Service availability is provided through the use of a Windows Server failover cluster. Data availability is provided through a built-in feature called continuous replication.

Continuous Replication

  • Continuous replication, also known as log shipping, is the process of automating the replication of closed transaction log files from a production storage group to a copy of that storage group that is located on a second set of disks on the local computer or on another server altogether. After being copied to the second location, the log files are then replayed into the copy of the database, thereby keeping the storage groups synchronized with a slight time lag.
  • Continuous replication is available in two forms in Exchange 2007 RTM (LCR and CCR) and three forms in Exchange 2007 SP1 (LCR, CCR, and SCR).
  • Apart from continuous replication there is another form of availability, the Single Copy Cluster (SCC).

Local Continuous Replication

LCR is a single-server solution that uses built-in asynchronous log shipping technology to create and maintain a copy of a storage group on a second set of disks that are connected to the same server as the production storage group. LCR provides log shipping, log replay, and a quick manual switch to a secondary copy of the data.


Cluster Continuous Replication

CCR, which is a non-shared storage failover cluster solution, is one of two types of clustered mailbox server (CMS) deployments available in Exchange 2007. CCR is a clustered solution (referred to as a CCR environment) that uses built-in asynchronous log shipping technology to create and maintain a copy of each storage group on a second server in a failover cluster. CCR is designed to be either a one or two data center solution, providing both high availability and site resilience.


Standby Continuous Replication 

  • Coming in Service Pack 1
  • Source and target machines can be
    • Stand-alone
    • In two different MSCS clusters
    • On different subnets
  • Controlled per storage group
  • Many-to-one and one-to-many supported
  • Manually activated


LCR Vs CCR Vs SCR

  • LCR
    • Focused towards resiliency
    • Improves restore time
    • Administrator has to initiate restore manually
    • Single data-center solution
    • Implements log shipping and replay out of the box
      • Log files are copied locally and replayed
  • CCR
    • Targeted towards site resiliency
    • Automatic failovers
    • Single or two-data center solution
    • Supports “stretch” option
    • Implements log shipping and replay out of the box
      • Log files are copied to remote server and replayed
    • Simplifies cluster deployment
      • No SAN or shared storage
  • SCR
    • Provides site and server resiliency
    • “Cold spare” approach cuts hardware costs
    • Can be combined with LCR, CCR, and SCC for maximum flexibility

 

Single Copy Cluster

SCC, which is a shared storage failover cluster solution, is the other of two types of clustered mailbox server deployments available in Exchange 2007. SCC is a clustered solution that uses a single copy of a storage group on storage that is shared between the nodes in the cluster. SCC is somewhat similar to clustering in previous versions of Exchange Server; however, along with numerous improvements, there are also some significant changes.


Other Mode of Clusters

  • Stretch Cluster

A stretch cluster, also known as a geographically dispersed cluster, is a failover cluster that is stretched (that is, it spans) more than one physical datacenter. Stretch clusters can be used as part of a site resilience design for your Exchange organization. Because CCR does not use shared storage, it can be easily deployed in a geographically dispersed failover cluster, including a multi-subnet stretch cluster on Windows Server 2008. SCC is also supported in a stretch cluster; however, stretching SCC requires third-party synchronous replication technology.

  • Standby Cluster

Another type of cluster that is supported by Exchange 2007 and Exchange 2007 SP1 is called a standby cluster. A standby cluster is a Windows Server failover cluster that does not contain a clustered mailbox server, but can be quickly provisioned with a replacement clustered mailbox server in the event of a disaster, another failure of the production failover cluster, or some other recovery scenario.

HA for other Server Roles

  • Edge Transport   You can deploy multiple Edge Transport servers and use multiple DNS Mail Exchanger (MX) records to load balance activity across those servers.
  • Client Access   You can use NLB or a third-party hardware-based network load-balancing device for Client Access server high availability.
  • Unified Messaging   Unified Messaging deployments can be made more resilient by deploying multiple Unified Messaging servers where two or more are in a single dial plan. The Voice over IP (VoIP) gateways supported by Unified Messaging can be configured to route calls to Unified Messaging servers in a round-robin fashion. In addition, these gateways can retrieve the list of servers for a dial plan from DNS. In either case, the VoIP gateways will present a call to a Unified Messaging server and if the call is not accepted, the call will be presented to another server, providing redundancy at the time the call is established.
  • Hub Transport   You can deploy multiple Hub Transport servers for internal transport high availability. Resiliency has been designed into the Hub Transport server role in the following ways:
    • Hub Transport server to Hub Transport server (intra-org)   Hub Transport server to Hub Transport server communication inside an organization automatically load balances between available Hub Transport servers in the target Active Directory site.
    • Mailbox server to Hub Transport server (intra-Active Directory site)   The Microsoft Exchange Mail Submission service on Mailbox servers automatically load balances between all available Hub Transport servers in the same Active Directory site.
    • Unified Messaging server to Hub Transport server   The Unified Messaging server automatically load balances connections between all available Hub Transport servers in the same Active Directory site.
    • Edge Transport server to Hub Transport server   The Edge Transport server automatically load balances inbound Simple Mail Transfer Protocol (SMTP) traffic to all Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed.

How to check ClusterMBX type

You can also check Active Directory to determine if a clustered mailbox server is hosted in a CCR environment or in an SCC by examining the value for the msExchClusterStorageType attribute of the Mailbox server object. A value of 1 for the msExchClusterStorageType attribute indicates that the clustered mailbox server is hosted in a CCR environment, and a value of 2 indicates that the clustered mailbox server is in an SCC. A value of <Not Set> indicates that the Mailbox server is a stand-alone server.
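The check described above, as an added example that is not part of the original post: the script below enumerates every Exchange server object in the Configuration partition with a plain LDAP search and classifies it by msExchClusterStorageType. It assumes a domain-joined machine running PowerShell 2.0; it reads the configuration container, which any authenticated user can do by default, so it works without Exchange tools installed and can be run during an assessment to see how the mailbox servers are clustered. The serialNumber attribute on the server object carries the Exchange version string.

```powershell
# Added example: classify every Exchange server object in the Configuration
# partition by msExchClusterStorageType (1 = CCR, 2 = SCC, not set = stand-alone).
# Assumes a domain-joined machine; no Exchange management tools are required.
function Get-FirstValue($collection) {
    # DirectorySearcher returns a value collection per attribute; it is empty
    # when the attribute is not set on the object.
    if ($collection -and $collection.Count -gt 0) { return $collection[0] }
    return $null
}

function Get-ClusteredMailboxServerType {
    $configNc = ([ADSI]"LDAP://RootDSE").Get("configurationNamingContext")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNc"
    $searcher.Filter   = "(objectClass=msExchExchangeServer)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("cn")
    [void]$searcher.PropertiesToLoad.Add("msExchClusterStorageType")
    [void]$searcher.PropertiesToLoad.Add("serialNumber")   # Exchange version string

    foreach ($result in $searcher.FindAll()) {
        # Attribute names come back lower-cased in the result collection.
        $storage = Get-FirstValue $result.Properties["msexchclusterstoragetype"]
        if ($storage -eq $null)   { $kind = "stand-alone" }
        elseif ($storage -eq 1)   { $kind = "CCR" }
        elseif ($storage -eq 2)   { $kind = "SCC" }
        else                      { $kind = "unknown ($storage)" }

        New-Object PSObject -Property @{
            Server  = [string](Get-FirstValue $result.Properties["cn"])
            Version = [string](Get-FirstValue $result.Properties["serialnumber"])
            Type    = $kind
        }
    }
}

Get-ClusteredMailboxServerType | Format-Table Server, Version, Type -AutoSize
```

Because the value lives in Active Directory rather than on the node, the answer does not depend on which cluster node currently owns the clustered mailbox server, and it can be collected from a workstation without RDP access to the cluster.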

Transitioning Client Access to Exchange Server 2010


By now most of you have heard about the release of Exchange 2010.  Those of you that are upgrading from Exchange 2003, Exchange 2007 or a mixture of the two, are probably curious about the client access upgrade strategy.  To satisfy your curiosity, we are releasing a series of blog articles on the subject.  The first in this series provides a summary of the steps that are required to introduce Exchange 2010 within your environment from a client access perspective.  More detailed information about the upgrade process is discussed in TechNet and within the Deployment Assistant.  The second and third parts in this series will discuss the end user experience for OWA and ActiveSync, respectively.  Look for those in upcoming weeks.

Many of you have been asking how you can transition your existing Exchange environment to Exchange 2010 from a client access perspective. For most of you, this will also mean coexisting with legacy Exchange and Exchange 2010 for a period of time. This post will hopefully answer these questions by breaking down your transition into two scenarios:

  1. Transitioning an Exchange 2003 environment to Exchange 2010.
  2. Transitioning an Exchange 2007 (that may or may not contain Exchange 2003 mailbox servers) environment to Exchange 2010.

The underlying goal here is to move your primary namespace, mail.contoso.com and autodiscover.contoso.com, over to Exchange 2010 and introduce a new namespace for legacy access, legacy.contoso.com and associate it with your legacy Exchange client access infrastructure. Users will continue to use mail.contoso.com as their access point into the organization for messaging services. While Exchange 2003/2007 end users will see the legacy.contoso.com namespace in their browser address bar, ActiveSync settings, and Test Auto-Configuration output within Outlook, they only need to use the mail.contoso.com namespace as their primary entry point into the organization; in addition, IT should continue directing customers to utilize the mail.contoso.com namespace for all external connectivity mechanisms.

Note: The host names, mail.contoso.com or legacy.contoso.com, that are referenced in this document are not hard-coded or required. You can utilize whichever names make the most sense for your environment (e.g. owa.contoso.com and legacyowa.contoso.com). From a documentation perspective, we are going to utilize mail.contoso.com and legacy.contoso.com so that we are consistent in our transition story. For more information on Autodiscover namespaces, please see http://technet.microsoft.com/en-us/library/bb332063.aspx.

Transitioning an Exchange 2003 Environment to Exchange 2010

When you are ready to begin transitioning your organization to Exchange 2010, you must transition the "Internet Facing AD Site(s)" first, and then transition your internal Active Directory sites. It is not supported to transition an internal Active Directory site before all your Internet-accessible sites have been transitioned.

The steps for introducing Exchange 2010 into the environment are:

Note: These steps do not discuss how to set up your CAS2010 servers in a load balancing array. Please review your load balancing solution's instructions for how to properly create and join your CAS2010 servers in a load balancing array.

1. In order to support external client coexistence with CAS2010 and legacy Exchange in your "Internet Facing AD Site", you will (potentially) need to acquire a new commercial certificate.  As a best practice, Microsoft recommends utilizing a certificate that supports Subject Alternative Names; however, you can utilize a wildcard certificate as well.

This commercial certificate that will be leveraged by external clients will contain at a minimum three SAN values (note that other scenarios may require you to add additional values):

  1. mail.contoso.com (your primary OWA/EAS/OA access URL)
  2. autodiscover.contoso.com
  3. legacy.contoso.com (your OWA/EAS namespace for legacy mailbox access)

2. Ensure all Exchange 2003 servers are at Service Pack 2 and that you meet all forest/domain pre-requisites.

3. Install CAS2010 and configure it accordingly:

  • During the installation of CAS2010 you have the option to enter the external namespace that will be used for the virtual directories. You can enter this value in both the graphical user interface or the command-line setup:
    • For the graphical user interface setup experience of CAS2010 you are asked to configure a Client Access external domain. At this point you enter the domain name of mail.contoso.com.
    • If installing via the command line, you can utilize the setup property /ExternalCASServerDomain and specify mail.contoso.com
  • If you haven't already done so, install the RPC over HTTP proxy component.  You can do this utilizing the ServerManagerCmd tool: ServerManagerCmd.exe -i RPC-over-HTTP-proxy
  • Configure your OWA settings appropriately (e.g. forms based authentication vs. basic authentication). For the purpose of this document, the default OWA settings are assumed.
  • Configure your EAS authentication settings appropriately (e.g. Basic vs. certificate authentication). For the purposes of this document, the default authentication mechanism, basic authentication, is assumed.
  • Enable Outlook Anywhere (for the purposes of this document, the default authentication settings are assumed): Enable-OutlookAnywhere -Server:<CAS2010> -ExternalHostName:mail.contoso.com -SSLOffloading $false

4. If you chose to not specify the external domain name for CAS during setup, you will need to enable the following ExternalURLs to ensure that clients that leverage Autodiscover function correctly:

5. To ensure that Outlook Web Access functions correctly, you will need to enable the following URLs:

6. For your Outlook clients, you can configure CAS2010 to participate in an RPC Client Access Service array:

  • Create a load balancing array for CAS2010, if one has not already been created.
  • Create a DNS entry in your internal DNS infrastructure that resolves to the Virtual IP Address (VIP) of the CAS load balancing array. The DNS entry, for example, could be outlook.contoso.com.
  • Configure your load balancing array to load balance the MAPI RPC ports:
    • TCP 135
    • UDP/TCP 1024-65535
  • Run the following cmdlet to create the Client Access Service array: New-ClientAccessArray -Name outlook.contoso.com -FQDN outlook.contoso.com -Site "Internet Facing AD Site"

7. Install the HT2010 and MBX2010 server roles into the "Internet Facing AD Site" and configure accordingly.

  • You can change the Offline Address Book generation server and enable web distribution on CAS2010 by performing the following steps:
    • To move the Offline Address Book: Move-OfflineAddressBook "Default Offline Address List" -Server <MBX2010>
    • To add CAS2010 as a web distribution point:
      • $OABVDir=Get-OABVirtualDirectory -Server <CAS2010>
      • $OAB=Get-OfflineAddressBook "Default Offline Address List"
      • $OAB.VirtualDirectories += $OABVdir.DistinguishedName
      • Set-OfflineAddressBook "Default Offline Address List" -VirtualDirectories $OAB.VirtualDirectories

8. Create the legacy host record (legacy.contoso.com) in your external DNS infrastructure and associate it either with the FE2003 infrastructure (less likely) or your proxy infrastructure (more likely).

9. You will configure External DNS and/or your reverse proxy infrastructure's publishing rules to have the autodiscover.contoso.com namespace point to CAS2010.

10. If utilizing a reverse proxy infrastructure, you will publish the legacy namespace to the FE2003 infrastructure so that at this point the FE2003 infrastructure can be accessed either via mail.contoso.com or legacy.contoso.com namespaces.

11. You will then schedule Internet protocol client downtime (please note that this downtime window should be relatively small - enough time for you to make the change and validate that everything works as desired) and perform the following steps:

  • You will reconfigure External DNS and/or your reverse proxy infrastructure's publishing rules to have the mail.contoso.com namespaces point to CAS2010. 
  • Users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access Server and the Exchange 2003 back end server to communicate using Kerberos authentication.

To enable this authentication change on Exchange 2003 you need to either:

    • Install the hotfix described at http://support.microsoft.com/?kbid=937031 and then use the Exchange System Manager to adjust the authentication settings of the ActiveSync virtual directory. Repeat this for each Exchange 2003 mailbox server in your organization.
    • Or, set the msExchAuthenticationFlags attribute to a value of 6 on the Microsoft-Server-ActiveSync object within the configuration container on each Exchange 2003 mailbox server.  An example script is provided at http://technet.microsoft.com/en-us/library/cc785437.aspx.

Note: It is important that you do not use IIS Manager to change the authentication setting on the Microsoft-Server-ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.

  • Disable Outlook Anywhere by utilizing the Exchange System Manager and selecting the "Not part of an Exchange managed RPC-HTTP topology" radio button on the RPC-HTTP tab of the Front-End server's properties. Optionally, you can also remove the RPC over HTTP proxy component (refer to your Windows Server documentation for more information).

Important: This requires an up-front investment in CAS2010 architecture as all Outlook Anywhere clients will utilize CAS2010 once you transition the Outlook Anywhere endpoint. Be sure to follow all proper scalability planning documentation when deploying CAS2010 to ensure that you do not create a bottleneck in your CAS infrastructure due to Outlook Anywhere clients.

  • Test all client scenarios and ensure they function correctly.

12. Complete downtime and enable Internet protocol client usage.

As a result of following these steps, the environment would look similar to this diagram:
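The CAS2010-side part of the procedure above (steps 1, 3, 6 and 7), collected into one Exchange 2010 Management Shell script as an added example that is not part of the original post. The server names CAS2010-01 and MBX2010-01, the certificate subject, the per-virtual-directory URLs and the AD site name are assumptions for illustration; the namespaces are the mail/autodiscover/legacy.contoso.com names the post uses.

```powershell
# Added example (not from the original post): CAS2010-side configuration for the
# Exchange 2003 -> 2010 transition. Server names, site name and URLs are assumptions.
$cas  = "CAS2010-01"
$mbx  = "MBX2010-01"
$site = "Internet Facing AD Site"

# Step 1: request a SAN certificate carrying exactly the three names external clients
# will use. The key is exportable so the same certificate can be installed on every
# CAS2010 behind the load balancer; clients otherwise see mismatched certificates.
$csr = New-ExchangeCertificate -GenerateRequest -Server $cas `
    -SubjectName "CN=mail.contoso.com, O=Contoso, C=US" `
    -DomainName "mail.contoso.com","autodiscover.contoso.com","legacy.contoso.com" `
    -PrivateKeyExportable $true
Set-Content -Path "C:\Certs\mail.contoso.com.req" -Value $csr
# When the CA returns the certificate, import it and bind it to IIS only (the SMTP
# service keeps its own certificate unless you deliberately publish SMTP on this one):
#   Import-ExchangeCertificate -Server $cas `
#       -FileData ([Byte[]](Get-Content "C:\Certs\mail.contoso.com.cer" -Encoding Byte -ReadCount 0)) |
#       Enable-ExchangeCertificate -Server $cas -Services IIS

# Step 3: every CAS2010 external URL sits on the primary namespace, and OWA is told
# where Exchange 2003 mailboxes live so it can redirect them to the legacy namespace.
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/owa" `
    -Exchange2003Url "https://legacy.contoso.com/exchange"
Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/OAB"
Set-ClientAccessServer -Identity $cas `
    -AutodiscoverServiceInternalUri "https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml"
Enable-OutlookAnywhere -Server $cas -ExternalHostName "mail.contoso.com" `
    -ClientAuthenticationMethod Basic -SSLOffloading:$false

# Step 6: the RPC Client Access array internal Outlook clients will be pointed at.
New-ClientAccessArray -Name "outlook.contoso.com" -FQDN "outlook.contoso.com" -Site $site

# Step 7: move OAB generation to the new Mailbox server and add CAS2010 as a web
# distribution point (same approach as the post, with the page's variable names).
Move-OfflineAddressBook -Identity "Default Offline Address List" -Server $mbx
$OABVDir = Get-OABVirtualDirectory -Server $cas
$OAB     = Get-OfflineAddressBook -Identity "Default Offline Address List"
$OAB.VirtualDirectories += $OABVDir.DistinguishedName
Set-OfflineAddressBook -Identity "Default Offline Address List" -VirtualDirectories $OAB.VirtualDirectories

# Pre-cut-over check: every ExternalUrl and the Outlook Anywhere host name must be on a
# name covered by the certificate, or clients get certificate warnings after step 11.
Get-OwaVirtualDirectory -Server $cas         | Format-List Identity, ExternalUrl, Exchange2003Url
Get-ActiveSyncVirtualDirectory -Server $cas  | Format-List Identity, ExternalUrl
Get-WebServicesVirtualDirectory -Server $cas | Format-List Identity, ExternalUrl
Get-OutlookAnywhere -Server $cas             | Format-List Identity, ExternalHostname, SSLOffloading
```

Run the final four Get-* cmdlets before the DNS and reverse-proxy change in step 11, not after: a wrong ExternalUrl is invisible while mail.contoso.com still points at the FE2003 servers and becomes a certificate-warning or a broken Autodiscover response the moment the namespace moves.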

Transitioning an Exchange 2007 environment to Exchange 2010

When you are ready to begin transitioning your organization to Exchange 2010, you must transition the "Internet Facing AD Site" that is associated with your external Autodiscover record, then regional Internet facing AD Sites, and then transition your internal Active Directory sites. It is not supported to transition an internal Active Directory site before all your Internet-accessible sites have been transitioned.

The steps for introducing Exchange 2010 into the environment are:

Note: These steps do not discuss how to set up your CAS2010 servers in a load balancing array. Please review your load balancing solution's instructions for how to properly create and join your CAS2010 servers in a load balancing array.

1. In order to support external client coexistence with CAS2010 and legacy Exchange in your "Internet Facing AD Site", you will (potentially) need to acquire a new commercial certificate.  As a best practice, Microsoft recommends utilizing a certificate that supports Subject Alternative Names; however, you can utilize a wildcard certificate as well.

This commercial certificate that will be leveraged by external clients will contain at a minimum three SAN values (note that other scenarios may require you to add additional values):

  1. mail.contoso.com (your primary OWA/EAS/OA access URL)
  2. autodiscover.contoso.com
  3. legacy.contoso.com (your OWA/EAS namespace for legacy mailbox access)

2. Ensure all Exchange 2007 CAS within the organization are at Service Pack 2, all Exchange 2003 servers (if they exist) are at Service Pack 2, and that all Exchange 2007 Mailbox, Hub Transport, and Unified Messaging servers are at Service Pack 2 in the "Internet Facing AD Site". Also, ensure you meet all the forest/domain pre-requisites.

3. Install CAS2010 and configure it accordingly:

  • During the installation of CAS2010 you have the option to enter the external namespace that will be used for the virtual directories. You can enter this value in both the graphical user interface or the command-line setup:
    • For the graphical user interface setup experience of CAS2010 you are asked to configure a Client Access external domain. At this point you enter the domain name of mail.contoso.com.
    • If installing via the command line, you can utilize the setup property /ExternalCASServerDomain and specify mail.contoso.com
  • If you haven't already done so, install the RPC over HTTP proxy component.  You can do this utilizing the ServerManagerCmd tool: ServerManagerCmd.exe -i RPC-over-HTTP-proxy
  • Configure your OWA settings appropriately (e.g. forms based authentication vs. basic authentication). For the purpose of this document, the default OWA settings are assumed.
  • Configure your EAS authentication settings appropriately (e.g. Basic vs. certificate authentication). For the purposes of this document, the default authentication mechanism, basic authentication, is assumed.
  • Enable Outlook Anywhere (for the purposes of this document, the default authentication settings are assumed): Enable-OutlookAnywhere -Server:<CAS2010> -ExternalHostName:mail.contoso.com -SSLOffloading $false

4. If you chose to not specify the external domain name for CAS during setup, you will need to enable the following ExternalURLs to ensure that clients that leverage Autodiscover function correctly:

5. To ensure that Outlook Web Access functions correctly, you will need to enable the following URLs:

6. If you have Exchange 2007 deployed in "Non-Internet Facing AD Sites" then you must copy the Exchange 2007 OWA binaries to CAS2010:

  • On the CAS2010 server(s), establish a connection to the CAS2007 server's drive that contains the Exchange binaries and navigate to the \Client Access\OWA directory (e.g. \\cas2007\c$\Program Files\Microsoft\Exchange Server\Client Access\Owa).
  • Copy the highest version folder (e.g. 8.2.140.0) from the CAS2007 to CAS2010 Exchange binaries \Client Access\OWA directory (e.g. C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa).
  • Execute IISReset on all the CAS2010 machines.

7. For your Outlook clients, you can configure CAS2010 to participate in an RPC Client Access Service array:

  • Create a load balancing array for CAS2010, if one has not already been created.
  • Create a DNS entry in your internal DNS infrastructure that resolves to the Virtual IP Address (VIP) of the CAS load balancing array. The DNS entry, for example, could be outlook.contoso.com.
  • Configure your load balancing array to load balance the MAPI RPC ports:
    • TCP 135
    • UDP/TCP 1024-65535
  • Run the following cmdlet to create the Client Access Service array: New-ClientAccessArray -Name outlook.contoso.com -FQDN outlook.contoso.com -Site "Internet Facing AD Site"

8. Install the HT2010 and MBX2010 server roles into the "Internet Facing AD Site" and configure accordingly.

  • You can change the Offline Address Book generation server and enable web distribution on CAS2010 by performing the following steps:
    • To move the Offline Address Book: Move-OfflineAddressBook "Default Offline Address List" -Server <MBX2010>
    • To add CAS2010 as a web distribution point:
      • $OABVDir=Get-OABVirtualDirectory -Server <CAS2010>
      • $OAB=Get-OfflineAddressBook "Default Offline Address List"
      • $OAB.VirtualDirectories += $OABVdir.DistinguishedName
      • Set-OfflineAddressBook "Default Offline Address List" -VirtualDirectories $OAB.VirtualDirectories

9. Create legacy host record (legacy.contoso.com) in your external DNS infrastructure and associate it either with the CAS2007 infrastructure (less likely) or your proxy infrastructure (more likely).

10. If utilizing a reverse proxy infrastructure, you will publish the legacy namespace to the CAS2007 infrastructure so that at this point the CAS2007 infrastructure can be accessed either via mail.contoso.com or legacy.contoso.com namespaces.

11. You will then schedule Internet protocol client downtime (please note that this downtime window should be relatively small - enough time for you to make the change and validate that everything works as desired) and perform the following steps:

  • You will re-configure your CAS2007 URLs in the "Internet Facing AD Site". This ensures that clients that leverage Autodiscover function correctly and that legacy mailboxes can be redirected to Outlook Web Access:
  • If you have Exchange 2003 mailbox servers in your environment, then users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access Server and the Exchange 2003 back end server to communicate using Kerberos authentication.

To enable this authentication change on Exchange 2003 you need to either install the hotfix described at http://support.microsoft.com/?kbid=937031 and adjust the ActiveSync virtual directory authentication in Exchange System Manager, or set the msExchAuthenticationFlags attribute to a value of 6 on the Microsoft-Server-ActiveSync object of each Exchange 2003 mailbox server, exactly as described for the Exchange 2003 scenario above.

Note: It is important that you do not use IIS Manager to change the authentication setting on the Microsoft-Server-ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.

  • Disable Outlook Anywhere on your Exchange 2007 CAS infrastructure in the "Internet Facing AD Site" by utilizing the cmdlet, Disable-OutlookAnywhere -Server <CAS2007>. Optionally, you can also remove the RPC over HTTP proxy component (refer to your Windows Server documentation for more information).

Important: This requires an up-front investment in CAS2010 architecture as all Outlook Anywhere clients will utilize CAS2010 once you transition the Outlook Anywhere endpoint. Be sure to follow all proper scalability planning documentation when deploying CAS2010 to ensure that you do not create a bottleneck in your CAS infrastructure due to Outlook Anywhere clients.

  • You will reconfigure External DNS and/or your reverse proxy infrastructure's publishing rules to have the autodiscover.contoso.com and mail.contoso.com namespaces point to CAS2010.
  • Test all client scenarios and ensure they function correctly.

12. Complete downtime and enable Internet protocol client usage.

As a result of following these steps, the environment would look similar to this diagram:
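The legacy-side changes from step 11 of both scenarios, as an added example that is not part of the original post. The first part re-points a CAS2007 at the legacy namespace and disables Outlook Anywhere on it (run in the Exchange 2007 Management Shell). The second part is the msExchAuthenticationFlags alternative to the KB 937031 hotfix for Exchange 2003 mailbox servers, written against Active Directory with ADSI because, as the note above says, a change made in IIS Manager is overwritten by DS2MB; it needs rights to write the Exchange configuration container. The server names CAS2007-01, E2K3-MBX-01 and E2K3-MBX-02 are assumptions for illustration.

```powershell
# Added example (not from the original post): legacy-side changes for step 11.
# Server names are assumptions for illustration.
$cas2007     = "CAS2007-01"
$e2k3Servers = "E2K3-MBX-01", "E2K3-MBX-02"

# --- Part 1: CAS2007 moves to legacy.contoso.com (Exchange 2007 Management Shell) ---
Set-OwaVirtualDirectory -Identity "$cas2007\owa (Default Web Site)" `
    -ExternalUrl "https://legacy.contoso.com/owa"
Set-ActiveSyncVirtualDirectory -Identity "$cas2007\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://legacy.contoso.com/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$cas2007\EWS (Default Web Site)" `
    -ExternalUrl "https://legacy.contoso.com/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$cas2007\OAB (Default Web Site)" `
    -ExternalUrl "https://legacy.contoso.com/OAB"
# CAS2010 owns the Outlook Anywhere endpoint from this point on.
Disable-OutlookAnywhere -Server $cas2007 -Confirm:$false

# --- Part 2: Exchange 2003 ActiveSync virtual directory authentication ---
# msExchAuthenticationFlags is a bit mask: 2 = Basic, 4 = Integrated Windows, so
# 6 keeps Basic for devices and adds Kerberos for the CAS2010 -> back-end hop.
function Set-E2k3ActiveSyncAuthFlags {
    param([string[]]$Servers, [int]$Flags = 6)
    $configNc = ([ADSI]"LDAP://RootDSE").Get("configurationNamingContext")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNc"
    $searcher.Filter = "(cn=Microsoft-Server-ActiveSync)"
    foreach ($result in $searcher.FindAll()) {
        # Exchange 2003 keeps the object under
        # CN=Microsoft-Server-ActiveSync,CN=1,CN=HTTP,CN=Protocols,CN=<server>,CN=Servers,...
        # Only touch the servers we were given; CAS2007/CAS2010 have objects with the
        # same CN under their own server containers and must be left alone.
        $server = $Servers | Where-Object { $result.Path -like "*,CN=$_,CN=Servers,*" }
        if (-not $server) { continue }
        $entry  = $result.GetDirectoryEntry()
        $before = $entry.Properties["msExchAuthenticationFlags"].Value
        $entry.Put("msExchAuthenticationFlags", $Flags)
        $entry.SetInfo()
        "{0}: msExchAuthenticationFlags {1} -> {2}" -f $server, $before, $Flags
    }
}

Set-E2k3ActiveSyncAuthFlags -Servers $e2k3Servers
```

After DS2MB has pushed the attribute into the metabase, the Microsoft-Server-ActiveSync virtual directory on each Exchange 2003 server should show both Basic and Integrated Windows authentication in IIS Manager; if it only shows Basic, the AD write did not take and an EAS user on that server will still get the error described in step 11.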

So why the additional namespace?

To understand why we are introducing a new namespace for the legacy Exchange environment, it is important to understand what the Internet client behavior will be by introducing Exchange 2010.

  • For Outlook Web Access, Exchange 2010 CAS does not support rendering mailbox data from legacy versions of Exchange. Exchange 2010 CAS does one of four things, depending on the target mailbox's version and/or location:
    • If the Exchange 2007 mailbox is in the same AD Site as CAS2010, CAS2010 will silently redirect the session to the Exchange 2007 CAS.
    • If the Exchange 2007 mailbox is in another Internet facing AD Site, CAS2010 will manually redirect the user to the Exchange 2007 CAS.
    • If the Exchange 2007 mailbox is in a non-Internet facing AD site, CAS2010 will proxy the connection to the Exchange 2007 CAS.
    • If the mailbox is Exchange 2003, CAS2010 will silently redirect the session to a pre-defined URL.
  • For Exchange ActiveSync, Exchange 2010 CAS does not support rendering mailbox data from legacy versions of Exchange. Exchange 2010 CAS does one of four things, depending on the target mailbox's version and/or location and on the device's capabilities:
    • If the Exchange 2007 mailbox is in the same AD Site as CAS2010 and the device supports Autodiscover, CAS2010 will notify the device to synchronize with CAS2007.
    • If the Exchange 2007 mailbox is in the same AD Site as CAS2010 and the device does not support Autodiscover, CAS2010 will proxy the connection to CAS2007.
    • If the Exchange 2007 mailbox is in a non-Internet facing AD site, CAS2010 will proxy the connection to the Exchange 2007 CAS.
    • If the mailbox is Exchange 2003, CAS2010 will proxy the connection to the Exchange 2003 mailbox server.
  • For Outlook Anywhere, you are going to move the Outlook Anywhere endpoint from the Exchange 2003 Front-End or Exchange 2007 CAS to the Exchange 2010 CAS. Exchange 2010 CAS will always proxy the Outlook MAPI RPC data that is embedded in the RPC-HTTPS packet to the target legacy mailbox server (regardless of AD site or version) or to the appropriate Exchange 2010 CAS.

Microsoft Exchange 2007 Search Basics


Unlike Exchange 2003, Exchange Search is enabled by default in Exchange 2007 and is automatically applied to new databases as they are created. Exchange Search depends on full-text indexing, and each mailbox database in Exchange 2007 has a full-text index associated with it. However, this latest incarnation of Exchange server-side search is not the status quo: search for Microsoft Exchange 2007 has been rewritten.

Indexing content is now performed as messages arrive at the store and not on a set schedule. Certain attachment types are also indexed, most notably Word, Excel, PDF, PowerPoint and HTML files. To facilitate these changes, indexing is now more integrated with the Information Store Service. The result has been much improved indexing performance in Exchange 2007.

Exchange 2007 Search will show a few processes in Task Manager:

  • Microsoft.Exchange.Search.ExSearch.exe (MSSearch)
  • Msftefd.exe (filter daemon - similar to SQL Server 2005)
  • Msftesql.exe (core indexer)

These Exchange 2007 Search processes will throttle server-side full-text indexing when the Exchange Server needs resources for client access so the user experience is not negatively impacted. Otherwise, new messages get indexed within seconds of arrival. Searches using the server-side Exchange 2007 Search return results expeditiously.

Exchange 2007 Search is not the same as Instant Search in Outlook 2007, which is implemented with Windows Desktop Search (WDS) on the client. Outlook 2007 Instant Search requires either a .pst or Exchange cached mode (.ost). For the desktop client to benefit from Exchange 2007 Search, it needs to use either Outlook Web Access or a MAPI profile without Exchange cached mode (online mode).

Even though they are index-enabled by default, some databases may not need to be searched efficiently and therefore do not require an index. Full-text indexing is toggled on or off ($true or $false) from the Exchange Management Shell as follows:

>Set-MailboxDatabase <MailboxDatabaseName> -IndexEnabled $false

Also from the Exchange Management Shell, the Test-ExchangeSearch cmdlet verifies that Exchange 2007 Search is working: it creates a test message, queries the index for that message, and reports the result back to the administrator.

Access is denied errors

This issue typically indicates a Kerberos authentication problem, although there are several exceptions. To resolve the replication failure in this case, resolve the authentication failure before you try to fix the replication problem. To resolve this issue:

1. Make sure the Access this computer from the network user right in the source server's security policy includes the appropriate groups. To do this, check the <computername>_userrights.txt file in the Directory Services MPSReports to confirm which groups are listed. Everyone, Authenticated Users, and Enterprise Domain Controllers must have that user right for successful replication.

2. Make sure the Kerberos Key Distribution Center (KDC) service is started.

3. Make sure the Trust computer for delegation check box is selected on the General tab of the domain controller Properties dialog box in Active Directory Users and Computers.

4. Using Adsiedit or Ldp (both included in the Windows 2000 Support Tools), confirm that the userAccountControl attribute is set to 532480. To check this, perform the following steps:

  • Type adsiedit.msc from Start, Run.
  • Expand the Domain NC container.
  • Expand the object below, i.e. DC=Contoso, DC=COM.
  • Expand OU=Domain Controllers.
  • Right-click CN=<domain_controller>, and select Properties.
  • Under Select a property to view, select userAccountControl and verify the value is 532480.

5. If the problem exists between domain controllers from different domains, check the trust relationship by doing the following:

  • Open Active Directory Domains and Trusts.
  • Right-click the desired domain and select Properties.
  • Click the Trusts tab.
  • Highlight the domain to verify and click Edit.
  • Click Verify.

The Netdom tool included in the Windows 2000 Support Tools can also be used to verify the trust.

netdom trust <trusting_domain_name> /domain:<trusted_domain_name> /userd:<administrator> /password:<password> /verify /kerberos

6. If replication is failing between domain controllers in different domains, follow these steps:

Add the following registry value to the upstream replication partner:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Value name:  Replicator Allow SPN Fallback
Value type:  REG_DWORD
Value data:  1

Run the following command from the upstream partner:
repadmin /add CN=Configuration,DC=<domain controller>,DC=<com> <root DC name> <fully qualified name of child domain controller>

Remove the Replicator Allow SPN Fallback registry value after testing replication.

7. Attempt to reset the computer account password and force a refresh of Kerberos tickets of the downstream partner.

netdom resetpwd /server:<DC> /userd:<domain>\administrator /passwordd:<password>

Note
Run the command on the problem domain controller. <DC> is any domain controller other than the domain controller with an invalid password. Set the Kerberos Key Distribution Center (KDC) service to manual on the problem domain controller and reboot. Restart the KDC service and switch it back to automatic after the reboot is completed.

8. Make sure the Service Principal Name (SPN) is registered for each domain controller object on each partner domain controller. For more information see KB article 308111.

Review the Registered Service Principal Names section of the Netdiag output on partner domain controllers to ensure that the test passes. Export the SPNs of each domain controller object involved in the replication failure from each partner using the following command:

ldifde -f spndump.txt -p base -l servicePrincipalName -d <DN of DC>

Either visually compare the SPNs or use the Windiff tool from the Windows 2000 Support Tools to compare the files for differences. Under the Options menu in Windiff, uncheck everything except Show different files, Show left-only lines, and Show right-only lines. After identifying the missing SPNs, edit the good SPN file as follows:

  • Change "changetype: add" to "changetype: modify".
  • Add "replace: servicePrincipalName" after the changetype line.
  • Add "-" as the last line of the file.

Import the correctly registered SPNs on the partner domain controllers that do not have proper SPNs registered for their replication partner domain controllers:

ldifde -i -f goodSPNs.txt

9. If the problem domain controllers exist in only one domain with more than two domain controllers, force all computer accounts to be replicated throughout the enterprise. That means all domain controllers must be synchronized with all other copies of their domain. For each computer that is reporting a replication error, use the following command to force that computer to become synchronized. The domain to synchronize must be specified. For more information see KB article 296993.

repadmin /syncall /d /e <problem domain controller> <DN of domain>

Note
For large environments, remove the /e switch to replicate domain controllers with the same site, or use /sync to target specific domain controllers in remote sites.

10. If the failing domain controllers reside in different domains, then specify the configuration partition. For more information see KB article 296993.

repadmin /syncall /d /e <problem domain controller> <DN of config>

Note
For large environments, remove the /e switch to replicate domain controllers with the same site or use /sync to target specific domain controllers in remote sites.

11. Make sure the Enterprise Domain Controllers group has the required permissions on the directory partition’s access control list (ACL):

  • Start Active Directory Users and Computers.
  • On the View menu, select Advanced Features.
  • Right-click the root domain object, and then select Properties.
  • Select the Security tab, click Enterprise Domain Controllers in the name list, and then make sure the following permissions are selected under Allow:
    • Manage Replication Topology.
    • Replicating Directory Changes.
    • Replication Synchronization.

12. Use Active Directory Sites and Services to make sure the server object and its corresponding NTDS Settings child object exist in the correct site.

13. Verify the following Group Policy security options under Security Settings match on all partner domain controllers.

  • Additional Restrictions for Anonymous Connections.
  • Digitally Sign Client Communication (Always).
  • Digitally Sign Client Communication (When Possible).
  • Digitally Sign Server Communication (Always).
  • Digitally Sign Server Communication (When Possible).
  • LAN Manager Authentication Level.

14. Check for Kerberos fragmentation by typing ping <destination computer> -f -l 1500. Start with 1500 first, and then work up to 2000. If it fails before 2000, then packets are likely being fragmented. For more information see KB article 244474.
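
The checks in steps 3, 4 and 8 above, as an added example that is not part of the original post: a PowerShell 2.0 script that reads every domain controller's userAccountControl and SPNs through System.DirectoryServices, so the Active Directory module is not needed. It assumes it runs as a domain user who can read the domain and configuration partitions, and that DC names contain no characters that need LDAP filter escaping.

```powershell
# Added example (not from the original post). Flags that make up the DC value 532480
# checked in step 4: 0x2000 + 0x80000. TRUSTED_FOR_DELEGATION is the "Trust computer
# for delegation" check box from step 3.
$SERVER_TRUST_ACCOUNT   = 0x2000
$TRUSTED_FOR_DELEGATION = 0x80000
$ExpectedDcUac          = $SERVER_TRUST_ACCOUNT -bor $TRUSTED_FOR_DELEGATION   # = 532480
# GUID prefix of the directory replication (DRS) SPN described in KB 308111:
# E3514235-4B06-11D1-AB04-00C04FC2DCD2/<NTDS Settings objectGUID>/<domain DNS name>
$DrsSpnGuid             = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'

function Get-MissingDcUacFlags([int]$Uac) {
    # Names of the flags a DC account must carry that this userAccountControl value lacks.
    $missing = @()
    if (($Uac -band $SERVER_TRUST_ACCOUNT)   -eq 0) { $missing += 'SERVER_TRUST_ACCOUNT' }
    if (($Uac -band $TRUSTED_FOR_DELEGATION) -eq 0) { $missing += 'TRUSTED_FOR_DELEGATION' }
    return $missing
}

function Get-NtdsSettingsGuid([string]$ComputerDn, [string]$ConfigDn) {
    # The server object in the configuration partition whose serverReference points at
    # this computer account owns the "NTDS Settings" child; its objectGUID is the middle
    # component of the replication SPN.
    $search = New-Object System.DirectoryServices.DirectorySearcher
    $search.SearchRoot = [ADSI]"LDAP://$ConfigDn"
    $search.Filter = "(&(objectClass=server)(serverReference=$ComputerDn))"
    $server = $search.FindOne()
    if ($server -eq $null) { return $null }
    $ntds = [ADSI]("LDAP://CN=NTDS Settings," + $server.Properties['distinguishedname'][0])
    return $ntds.Guid.ToString()
}

function Test-DcKerberosPrerequisites {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $domainDn  = [string]$rootDse.defaultNamingContext
    $configDn  = [string]$rootDse.configurationNamingContext
    $domainDns = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

    # Every computer account with SERVER_TRUST_ACCOUNT set (LDAP bitwise-AND matching rule).
    $search = New-Object System.DirectoryServices.DirectorySearcher
    $search.SearchRoot = [ADSI]"LDAP://$domainDn"
    $search.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=$SERVER_TRUST_ACCOUNT))"
    $search.PageSize = 500
    [void]$search.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'dNSHostName', 'userAccountControl', 'servicePrincipalName'))

    foreach ($dc in $search.FindAll()) {
        $dn   = [string]$dc.Properties['distinguishedname'][0]
        $fqdn = [string]$dc.Properties['dnshostname'][0]
        $uac  = [int]$dc.Properties['useraccountcontrol'][0]
        $spns = @($dc.Properties['serviceprincipalname'])

        $ntdsGuid = Get-NtdsSettingsGuid $dn $configDn
        $drsSpn   = if ($ntdsGuid) { "$DrsSpnGuid/$ntdsGuid/$domainDns" } else { $null }

        # One row per DC: step 4 (exact value), step 3 (flag decode) and step 8 (SPNs).
        New-Object PSObject -Property @{
            DomainController       = $fqdn
            UserAccountControl     = $uac
            UacIs532480            = ($uac -eq $ExpectedDcUac)
            MissingUacFlags        = ((Get-MissingDcUacFlags $uac) -join ',')
            HasHostSpn             = ($spns -contains "HOST/$fqdn")
            HasReplicationSpn      = ($drsSpn -ne $null -and $spns -contains $drsSpn)
            ExpectedReplicationSpn = $drsSpn
        }
    }
}

Test-DcKerberosPrerequisites |
    Format-Table DomainController, UacIs532480, MissingUacFlags, HasHostSpn, HasReplicationSpn -AutoSize
```

A DC that shows HasReplicationSpn as False is the one whose SPN file needs the ldifde repair from step 8; a non-empty MissingUacFlags column points back to step 3 or step 4.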

How to Enable NETLOGON Logging

When you troubleshoot authentication problems, analyzing the Netlogon service log files can be useful.

Public URL: 109626 Enabling debug logging for the Net Logon service

http://support.microsoft.com/?id=109626

Value Path: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value Name: DBFlag
Value Type: REG_SZ
Value Data: 0x2080FFFF (hex)
Note: As an alternate method, you can set the dbflag without using the registry. To do this run the following command from a command prompt:
nltest /dbflag:0x2080ffff
After you finish debugging, you can run the "nltest /dbflag:0x0" (without the quotation marks) command from a command prompt to reset the debug flag to 0.
Output: %systemroot%\debug\netlogon.log

Monday, November 9, 2009

Windows 7 - What's New in Windows Search, Browse, and Organization


Windows 7 introduces a number of new features and enhancements that can help IT professionals deploy and maintain desktop search, browse, and organization functionality:

· Improvements in the performance and stability of the indexer.

· Improvements in the performance and relevance of the search experience.

· The introduction of federated search and search connectors.

· The introduction of aggregation and visualizations to improve the organization of search results.

· The introduction of libraries to help with organization.

· Improvements in the performance and user interface of Windows Explorer.

· Additional Group Policy settings, available on all supported operating systems.

· Reduced impact on the server running Microsoft Exchange Server when indexing uncached (classic online) e-mail.

· The ability to index delegate mailboxes for e-mail.

· Support for indexing encrypted documents of local file systems.

· Support for indexing digitally signed e-mail of MAPI-enabled e-mail clients such as Microsoft Outlook®.

· An expanded ability to do fast remote queries of file shares, including on Windows Vista®, Windows Server® 2008, Windows® XP with Windows Search 4.0 installed, and earlier versions.

The Windows Search Service enables you to perform fast file searches on a server from computers running Windows® 7 or Windows Server® 2008 R2, or from computers that have Windows Desktop Search installed and running Windows Vista, Windows Server 2008, Windows XP, Windows Server® 2003 R2, or Windows Server® 2003.

Note

Indexing of uncached e-mail is also known as classic online e-mail. In Windows® 7 there is less impact on Microsoft Exchange Server when indexing uncached e-mail. In contrast to uncached or classic online e-mail, cached e-mail uses a local Offline Folder file (.ost) to keep a local copy of your Exchange Server mailbox on your computer, which permits indexing of e-mail locally.

Who will want to use Windows Search, Browse, and Organization?

This feature is intended for IT professionals. Improvements in search are also relevant to home users.

Before deploying Windows Search, Browse, and Organization in Windows 7, administrators should consider several factors, including the following:

· The role of desktop search within your enterprise search strategy.

· Which data stores or services you want to publish for direct client access in Windows Explorer by using the OpenSearch standard.

· Current document storage practices and how they relate to libraries.

· The importance of file storage encryption to your organization.

· The importance of e-mail encryption and signing to your organization.

What are the benefits of the new and changed features?

A brief overview of the major new features and capabilities for Windows Search, Browse, and Organization in Windows 7 is provided in the following table.

Feature

New in Windows 7

Improvements in the performance and user interface of Windows Explorer

The navigation is better organized and more intuitive, everyday tasks are easier to access, and there are numerous improvements in the presentation of end user content.

The introduction of libraries to help with organization

Libraries make it quicker and easier to find files. Built on the existing My Documents experience, libraries work like folders do but have additional functionality. In addition to browsing files by using the hierarchical folder structure, you can also browse metadata such as date, type, author, and tags. Users can include files from multiple storage locations in their libraries without having to move or copy the files from original storage locations.

Improvements in the search experience

The search experience is integrated into everyday tasks through Windows Explorer, the Start menu, and the introduction of new libraries. Search results take relevance into account, making it faster to find what you are looking for. Other improvements to the experience include the introduction of highlighted matches in the searched document, a search builder to construct advanced queries, and arrangement views. Arrangement views allow you to pivot search results, list the most recent searches, and provide broader Start menu scope including Control Panel tasks.

The introduction of federated search and search connectors

Windows 7 enables searching for content on remote indices. Integrating federated search into Windows gives users the benefits of using familiar tools and workflows to search remote data. This enhanced integration provides the added benefit of highlighting matches within the searched document. Windows 7 enables federated search via the public OpenSearch standard. Other improvements are the consistent UI for remote search results within Windows Explorer and the ability to drag and drop files listed in the search results between different locations.

Indexing of uncached (classic online) e-mail

Before users can search for e-mail, the Windows indexing service must index the e-mail store, which involves collecting the properties and content of e-mail items within the store. This initial indexing is later followed by smaller incremental indexing (as e-mail arrives, is read, and deleted, and so on) to keep the index current. Windows 7 minimizes the impact on the server running Exchange Server by reducing the number of remote procedure calls (RPC) required to index e-mail messages and attachments. Because e-mail messages are indexed in native formats (HTML, RTF, and text) there is no load on the server to convert mail types. Windows indexes public folders only when they are cached locally.

Remote query

Windows 7 extends the ability to search across remote desktops. Windows 7 or Windows Search 4.0 (available on Windows Vista and Windows XP) enables users to query remote computers running on supported operating systems; Windows Vista allows users to search remote computers only if they are running Windows Vista.

Support for indexing encrypted files

Windows 7 fully supports indexing encrypted files on local file systems, allowing users to index and search the properties and contents of encrypted files. Users can manually configure Windows to include encrypted files in indexing, or administrators can configure this by using Group Policy.

Support for indexing digitally signed e-mail

Windows 7 allows users to search all content in digitally signed e-mail messages. This includes the message body and any attachments.

A computer that is running Windows Vista Service Pack 1 (SP1) and Windows Search 4.0 functions as follows:

· Users can search all digitally signed e-mail messages that they have sent. This search includes all message content.

· Users can search all digitally signed e-mail messages that they have received. However, these searches are limited to certain properties, such as subject, sender, or recipients. Users cannot search the message body or attachment contents.

What's the impact of these changes on Windows Search, Browse, and Organization?

There are significant improvements in how you use Windows Search, Browse, and Organization in Windows 7:

· Closer integration with everyday workflows.

· More relevant search results.

· Highlighted search terms to easily identify results.

· An integrated advanced query builder.

In Windows 7, there is a new emphasis on organization with the introduction of libraries and the multiple improvements in the arrangement views and visualization of data.

Windows 7 - What's New in Windows PowerShell


Windows PowerShell™ is a command-line shell and scripting language designed especially for system administration. Built on the Microsoft .NET Framework, Windows PowerShell helps IT professionals control and automate the administration of Windows operating systems and of applications that run on Windows.

The simple command tools in Windows PowerShell, called cmdlets, let you manage the computers in your enterprise from the command line. Windows PowerShell providers let you access data stores, such as the registry and the certificate store, as easily as you access the file system. In addition, Windows PowerShell has full support for all Windows Management Instrumentation (WMI) classes.

Windows PowerShell is fully extensible. You can write your own cmdlets, providers, functions, and scripts, and you can package them in modules to share with other users.

Windows® 7 includes Windows PowerShell 2.0. It also includes other cmdlets, providers, and tools that you can add to Windows PowerShell so that you can use and manage other Windows technologies such as Active Directory® Domain Services, Windows® BitLocker™ Drive Encryption, the DHCP Server service, Group Policy, Remote Desktop Services, and Windows Server Backup.

What's new in Windows PowerShell?

The following changes are available in Windows PowerShell in Windows 7:

· New cmdlets. Windows PowerShell includes more than 100 new cmdlets, including Get-Hotfix, Send-MailMessage, Get-ComputerRestorePoint, New-WebServiceProxy, Debug-Process, Add-Computer, Rename-Computer, Reset-ComputerMachinePassword, and Get-Random.

· Remote management. You can run commands on one computer or hundreds of computers with a single command. You can establish an interactive session with a single computer. And, you can establish a session that can receive remote commands from multiple computers.

· Windows PowerShell Integrated Scripting Environment (ISE). Windows PowerShell ISE is a graphical user interface for Windows PowerShell that lets you run commands, and write, edit, run, test, and debug scripts in the same window. It offers up to eight independent execution environments and includes a built-in debugger, multiline editing, selective execution, syntax colors, line and column numbers, and context-sensitive Help.

· Background jobs. With Windows PowerShell background jobs, you can run commands asynchronously and "in the background" so you can continue to work in your session. You can run background jobs on a local or remote computer, and you can store the results locally or remotely.

· Debugger. The Windows PowerShell debugger can help you debug functions and scripts. You can set and remove breakpoints, step through code, check the values of variables, and display a call-stack trace.

· Modules. Windows PowerShell modules let you organize your Windows PowerShell scripts and functions into independent, self-contained units. You can package your cmdlets, providers, scripts, functions, and other files into modules that you can distribute to other users. Modules are easier for users to install and use than Windows PowerShell snap-ins. Modules can include any type of file, including audio files, images, Help files, and icons. Modules run in a separate session to avoid name conflicts.

· Transactions. Windows PowerShell now supports transactions, which let you manage a set of commands as a logical unit. A transaction can be committed, or it can be completely undone so that the affected data is not changed by the transaction.

· Events. Windows PowerShell includes a new event infrastructure that lets you create events, subscribe to system and application events, and then listen, forward, and act on the events synchronously and asynchronously.

· Advanced functions. Advanced functions behave just like cmdlets, but they are written in the Windows PowerShell scripting language instead of in C#.

· Script internationalization. Scripts and functions can display messages and Help text to users in multiple languages.

· Online Help. In addition to Help at the command line, the Get-Help cmdlet has a new Online parameter that opens a complete and updated version of each Help topic on Microsoft TechNet.

Who will want to use Windows PowerShell?

The following groups might be interested in these changes:

· IT professionals who want to manage Windows at the command line and automate administrative tasks.

· Developers who want to use the extensive Windows PowerShell scripting language to build .NET Framework applications and extend Windows PowerShell.

· All users who want to learn Windows PowerShell to manage their system, write scripts to automate their tasks, and create new tools without having to learn a programming language.

What are the benefits of the new and changed features?

Windows PowerShell provides these new management features, among many others.

Remote Management

Windows PowerShell remote management lets users connect to and run Windows PowerShell commands on all of their computers. IT professionals can use it to monitor and maintain computers, distribute updates, run scripts and background jobs, collect data, and make uniform, optimized changes to one computer or to hundreds of computers.

Windows PowerShell ISE

Windows PowerShell ISE makes it easier and more efficient to use Windows PowerShell. Beginners will appreciate the syntax colors and the context-sensitive Help. Multiline editing makes it easy to try the examples that you copy from the Help topics and from other sources. Advanced users will appreciate the availability of multiple execution environments, the built-in debugger, and the extensibility of the Windows PowerShell ISE object model.

Modules

Windows PowerShell modules make it easier for cmdlet and provider authors to organize and distribute tools and solutions. And, they make it easier for users to install the tools and add them to their Windows PowerShell sessions. IT professionals can use modules to distribute tested and approved solutions throughout their enterprise and share them with other professionals in the community.

Transactions

Windows PowerShell transactions let you use Windows PowerShell to make changes that might have to be rolled back or committed as a unit, such as database updates and changes to the registry.

What's the impact of these changes on Windows PowerShell?

Windows PowerShell has the following system and feature requirements:

· Windows PowerShell requires the Microsoft .NET Framework 2.0.

· Windows PowerShell ISE, the graphical user interface program for Windows PowerShell, requires the Microsoft .NET Framework 3.5 with Service Pack 1.

· The Out-GridView cmdlet requires the Microsoft .NET Framework 3.5 with Service Pack 1.

· The Get-WinEvent cmdlet requires Windows Vista or later versions of Windows and the Microsoft .NET Framework 3.5.

· The Export-Counter cmdlet runs only on Windows 7 and later versions of Windows.

· The WMI-based remoting features of Windows PowerShell require no configuration and run on all versions of Windows that support Windows PowerShell. The WS-Management-based remoting features require both the local and remote computers to run Windows Vista or a later version of Windows. Also, you must enable and configure WS-Management on all participating computers. For more information, see About_Remote.

· Several cmdlets work only when the current user is a member of the Administrators group on the computer or when the current user can provide the credentials of a member of the Administrators group. This requirement is explained in the Help topics for the affected cmdlets.

Windows 7 - What's New in Virtual Hard Disks


The Microsoft Virtual Hard Disk file format (.vhd) is a publicly available format specification that specifies a virtual hard disk encapsulated in a single file, capable of hosting native file systems and supporting standard disk operations. VHD files are used by Microsoft Windows Server 2008 Hyper-V, Microsoft Virtual Server and Microsoft Virtual PC for virtual disks connected to a virtual machine. VHDs are useful containers and the .vhd file format is also used by Microsoft Data Protection Manager, Windows Server Backup as well as many other Microsoft and Non-Microsoft solutions.

What's new in Virtual Hard Disks?

In Windows® 7, a virtual hard disk can be used as the running operating system on designated hardware without any other parent operating system, virtual machine, or hypervisor. Windows 7 disk-management tools, the DiskPart command line tool and the Disk Management Microsoft Management Console can be used to create a VHD file. A Windows 7 image (.wim format) file can be deployed to the VHD and the .vhd file can be copied to multiple systems. The Windows 7 boot manager can be configured for native, or physical boot of the Windows image contained in the VHD. The .vhd file can also be connected to a virtual machine for use with the Hyper-V Role in Windows Server® 2008 R2. Native-boot VHD files are not designed or intended to replace full image deployment on all client or server systems. Previous Windows releases do not support native boot from a VHD and require a hypervisor and virtual machine in order to boot from a VHD file.

For more information about using Virtual Hard Disks for Native Boot in Windows 7, see the Walkthrough: Deploy a Virtual Hard Disk for Native Boot topic in the Windows Automated Installation Kit for Windows 7 Beta.

Who will want to use Virtual Hard Disks?

Enterprise environments already managing and using .vhd files for virtual machine deployment will find the most benefit from the disk management support for VHD files and native-boot VHD capabilities. Many of our data center customers are transitioning to Hyper-V virtual machines (VMs) for server consolidation and lower energy costs. Native VHD support in the disk management utilities and core storage system simplifies creation and image management in VHD files.

While moving an increasing number of applications to virtual machines, Enterprise environments still operate a significant part of the data center on physical machines. IT administrators have to maintain two sets of images: one set based on the .wim format for physical machines, another set based on the .vhd format for virtual machines. The common image format supporting both physical and virtual machines provides flexibility in image deployment while simplifying the process of image management.

Developers and testers are using virtual machines to test new system and application software. Virtual machines provide a convenient, isolated test environment and reduce the need for dedicated test hardware. But sometimes you need to run tests on a physical machine to access a specific hardware device, like the graphics card, or to get accurate performance profiling. A common image format that runs on both virtual and physical machines also benefits developers and testers. Native boot from VHD enables booting a Windows 7 image from a file without creating a separate physical disk partition in which to install Windows.

What are the benefits of the new and changed features?

Native support for VHDs makes image management simpler and reduces the number of images to catalog and maintain. To create a VHD on Windows Server 2008, you install the Hyper-V Server role and use the Hyper-V Manager to create a VHD file, and then start the virtual machine to install a version of Windows from the CD/DVD onto a partition in the VHD. In Windows 7, the native support for the VHD format means that VHD files can be created and modified without installing the Hyper-V Server role. VHD files can be attached using the disk management tools, and the Windows image inside the VHD is available for servicing. The Windows Deployment tools in the Windows Automated Installation Kit (Windows AIK) can be used to apply a Windows image to the VHD, and to apply updates to the system image in the VHD file.

The Windows image applied to a VHD file can boot in either a Hyper-V virtual machine, or boot natively on a physical machine without the use of a hypervisor. In order to boot the Windows system in either a virtual or physical machine, the boot environment must be initialized correctly for each scenario.

What are the dependencies?

The steps for deploying a Windows 7 or Windows Server 2008 R2 image to a VHD file depend on the Windows deployment tools, including imagex.exe. Imagex.exe is used to capture a Windows operating system partition into a Windows Image (.wim) file format, and to apply a .wim file to a file system partition, which may reside inside a VHD file.

The imagex.exe deployment tool is one of the tools distributed in the Windows Automated Installation Kit (Windows AIK). The Windows 7 Beta version of the Windows AIK must be installed to get the deployment tools and is available for download from the Windows Automated Installation Kit for Windows 7 Beta.

The Windows AIK download is an ISO image that you burn to a DVD and then install on your system. After installing the Windows AIK, the ImageX command line tool is located in the Windows AIK\PE Tools directory.

Native boot of Windows 7 from a VHD file also requires the Windows 7 boot environment. The Windows 7 boot environment is initialized during a full operating system installation and includes the Windows Boot Manager and Boot Configuration Data (BCD) and other supporting files.
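As an added example (not from the original post or from the Windows AIK documentation), the following PowerShell script carries the dependencies described above through to a bootable VHD: it creates and formats the VHD with diskpart, applies a .wim image into it with imagex.exe, and registers a Boot Configuration Data entry so the Windows Boot Manager starts from the file. The VHD path, the WIM source and index, and the imagex.exe location are placeholders for your environment; the script assumes an elevated Windows 7 prompt with the Windows AIK installed.

```powershell
# Added example, not the page's own code. Placeholders: adjust all paths below.
$Vhd    = 'C:\VHD\win7.vhd'                                  # VHD file on the host NTFS volume
$Wim    = 'D:\sources\install.wim'                           # WIM source (e.g. from install media)
$Index  = 1                                                  # image index inside the WIM
$Letter = 'V'                                                # temporary drive letter for the VHD
$ImageX = 'C:\Program Files\Windows AIK\Tools\x86\imagex.exe' # assumed AIK install location

New-Item -ItemType Directory -Path (Split-Path $Vhd) -Force | Out-Null

# 1. Create and attach the VHD, then create and format one NTFS partition.
#    diskpart /s reads its commands from a script file.
$dp = Join-Path $env:TEMP 'mkvhd.txt'
@"
create vdisk file="$Vhd" maximum=20480 type=expandable
select vdisk file="$Vhd"
attach vdisk
create partition primary
format fs=ntfs quick label="Win7VHD"
assign letter=$Letter
"@ | Set-Content -Path $dp -Encoding ASCII
diskpart /s $dp | Out-Null

# 2. Apply the Windows image into the partition inside the VHD.
& $ImageX /apply $Wim $Index "${Letter}:\"
if ($LASTEXITCODE -ne 0) { throw "imagex /apply failed with exit code $LASTEXITCODE" }

# 3. Add a BCD entry for native boot. Copying {current} keeps the host's boot
#    manager settings; device and osdevice are then pointed at the VHD file.
$out  = bcdedit /copy '{current}' /d 'Windows 7 (native VHD boot)'
$guid = [regex]::Match(($out -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "could not parse the new BCD entry id from: $out" }
$vhdRef = "vhd=[$($Vhd.Substring(0,2))]$($Vhd.Substring(2))"  # bcdedit syntax: vhd=[C:]\VHD\win7.vhd
bcdedit /set $guid device   $vhdRef | Out-Null
bcdedit /set $guid osdevice $vhdRef | Out-Null
bcdedit /set $guid detecthal on     | Out-Null

# 4. Detach the VHD; the boot manager mounts the file itself at boot time.
@"
select vdisk file="$Vhd"
detach vdisk
"@ | Set-Content -Path $dp -Encoding ASCII
diskpart /s $dp | Out-Null
Write-Host "Registered boot entry $guid -> $Vhd"
```

The VHD file inherits the NTFS permissions of the folder it is created in, so keep that folder writable by administrators only: whoever can modify the file can modify the operating system that boots from it.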

What's the impact of these changes on Virtual Hard Disks?

The support for VHD as a native format targets key scenarios in the enterprise where the IT staff is well versed with different imaging technologies and tools to manage their client and servers. A managed enterprise environment also employs technologies like folder redirection and roaming profiles to manage the user’s data outside the deployed VHD images. There are recommendations and limitations for virtual hard disks in the Frequently Asked Questions: Virtual Hard Disks topic.

Windows 7 - What's New in User Account Control


Before the introduction of User Account Control (UAC), when a user was logged on as an administrator, that user was automatically granted full access to all system resources. While running as an administrator enabled a user to install legitimate software, the user could also unintentionally or intentionally install a malicious program. A malicious program installed by an administrator can fully compromise the computer and affect all users.

With the introduction of UAC, the access control model changed to help mitigate the impact of a malicious program. When a user attempts to start an administrator task or service, the User Account Control dialog box asks the user to click either Yes or No before the user's full administrator access token can be used. If the user is not an administrator, the user must provide an administrator's credentials to run the program. Because UAC requires an administrator to approve application installations, unauthorized applications cannot be installed automatically or without the explicit consent of an administrator.

In Windows® 7 and Windows Server® 2008 R2, UAC functionality is improved to:

· Increase the number of tasks that the standard user can perform that do not prompt for administrator approval.

· Allow a user with administrator privileges to configure the UAC experience in the Control Panel.

· Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for local administrators in Admin Approval Mode.

· Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for standard users.

Who will want to use UAC?

UAC helps standard users and administrators protect their computers by preventing programs that may be malicious from running. The improved user experience makes it easier for users to perform daily tasks while protecting their computers.

UAC helps enterprise administrators protect their network by preventing users from running malicious software.

What are the benefits of the new and changed features?

By default, standard users and administrators access resources and run applications in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.

When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs have been removed. The standard user access token is used to start applications that do not perform administrative tasks (standard user applications).

When the user runs applications that perform administrative tasks (administrator applications), the user is prompted to change or "elevate" the security context from a standard user to an administrator, called Admin Approval Mode. In this mode, the administrator must provide approval for applications to run on the secure desktop with administrative privileges. The improvements to UAC in Windows 7 and Windows Server 2008 R2 result in an improved user experience when configuring and troubleshooting your computer.

Reduced number of UAC prompts

Windows 7 and Windows Server 2008 R2 reduce the number of UAC prompts that local administrators and standard users must respond to.

To reduce the number of prompts that a local administrator must respond to:

· File operation prompts are merged.

· Internet Explorer prompts for running application installers are merged.

· Internet Explorer prompts for installing ActiveX® controls are merged.

The default UAC setting allows a standard user to perform the following tasks without receiving a UAC prompt:

· Install updates from Windows Update.

· Install drivers that are downloaded from Windows Update or included with the operating system.

· View Windows settings. (However, a standard user is prompted for elevated privileges when changing Windows settings.)

· Pair Bluetooth devices to the computer.

· Reset the network adapter and perform other network diagnostic and repair tasks.

Configure UAC experience in Control Panel

Windows Vista® offers two levels of UAC protection to the user: on or off. Windows 7 and Windows Server 2008 R2 introduce additional prompt levels that are similar to the Internet Explorer security zone model. If you are logged on as a local administrator, you can enable or disable UAC prompts, or choose when to be notified about changes to the computer. There are four levels of notification to choose from:

· Never notify me. You are not notified of any changes made to Windows settings or when software is installed.

· Only notify me when programs try to make changes to my computer. You are not notified when you make changes to Windows settings, but you do receive notification when a program attempts to make changes to the computer.

· Always notify me. You are notified when you make changes to Windows settings and when programs attempt to make changes to the computer.

· Always notify me and wait for my response. You are prompted for all administrator tasks on the secure desktop. This choice is similar to the current Windows Vista behavior.

The following table compares the number of UAC prompts for user actions in Windows 7 and Windows Server 2008 R2 with the number of UAC prompts in Windows Vista Service Pack 1.

| Actions | Only notify me when programs try to make changes to my computer | Always notify me |
| --- | --- | --- |
| Change personalization settings | No prompts | Fewer prompts |
| Manage your desktop | No prompts | Fewer prompts |
| Set up and troubleshoot your network | No prompts | Fewer prompts |
| Use Windows Easy Transfer | Fewer prompts | Same number of prompts |
| Install ActiveX controls through Internet Explorer | Fewer prompts | Fewer prompts |
| Connect devices | No prompts | No prompts if drivers are on Windows Update, or similar number of prompts if drivers are not on Windows Update |
| Use Windows Update | No prompts | No prompts |
| Set up backups | No prompts | Same number of prompts |
| Install or remove software | No prompts | Fewer prompts |

Change the behavior of UAC messages for local administrators

If you are logged on as a local administrator, you can change the behavior of UAC prompts in the local security policies for local administrators in Admin Approval Mode.

· Elevate without prompting. Applications that are marked as administrator applications and applications that are detected as setup applications are run automatically with the full administrator access token. All other applications are automatically run with the standard user token.

· Prompt for credentials on the secure desktop. The User Account Control dialog box is displayed on the secure desktop. To give consent for an application to run with the full administrator access token, the user must enter administrative credentials. This setting supports compliance with Common Criteria or corporate policies.

· Prompt for consent on the secure desktop. The User Account Control dialog box is displayed on the secure desktop. To give consent for an application to run with the full administrator access token, the user must click Yes or No on the User Account Control dialog box. If the user is not a member of the local Administrators group, the user is prompted for administrative credentials. This setting supports compliance with Common Criteria or corporate policies.

· Prompt for credentials. This setting is similar to Prompt for credentials on the secure desktop, but the User Account Control dialog box is displayed on the desktop instead.

· Prompt for consent. This setting is similar to Prompt for consent on the secure desktop, but the User Account Control dialog box is displayed on the desktop instead.

· Prompt for consent for non-Windows binaries. The User Account Control dialog box is displayed on the desktop for all files that are not digitally signed with the Windows digital certificate.

Change the behavior of UAC messages for standard users

If you are logged on as a local administrator, you can change the behavior of UAC prompts in the local security policies for standard users.

· Automatically deny elevation requests. Administrator applications cannot run. The user receives an error message that indicates a policy is preventing the application from running.

· Prompt for credentials. This is the default setting. For an application to run with the full administrator access token, the user must enter administrative credentials in the User Account Control dialog box that is displayed on the desktop.

· Prompt for credentials on the secure desktop. For an application to run with the full administrator access token, the user must enter administrative credentials in the User Account Control dialog box that is displayed on the secure desktop.
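The local security policies in the two lists above (for administrators in Admin Approval Mode and for standard users) are stored as values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. As an added example that is not part of the original article, this PowerShell script reads those values, reports them under the setting names used above, and flags the combinations that weaken UAC; the mapping of numeric values to setting names comes from my own knowledge of the policy, not from the page.

```powershell
# Added example, not the page's own code. Registry key and value names are the
# real UAC policy locations; the number-to-name mapping is the author's, not the page's.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: behaviour for local administrators in Admin Approval Mode
$adminNames = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'   # Windows 7 default
}
# ConsentPromptBehaviorUser: behaviour for standard users
$userNames = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'                          # Windows 7 default
}

function Get-UacPolicy {
    $p     = Get-ItemProperty -Path $key
    $admin = [int]$p.ConsentPromptBehaviorAdmin
    $user  = [int]$p.ConsentPromptBehaviorUser
    $obj = New-Object PSObject -Property @{
        UacEnabled       = ([int]$p.EnableLUA -eq 1)
        SecureDesktop    = ([int]$p.PromptOnSecureDesktop -eq 1)
        AdminBehavior    = $adminNames[$admin]
        StandardBehavior = $userNames[$user]
        Findings         = @()
    }
    # Flag what a reviewer of this host would want to see: UAC switched off,
    # administrators elevated silently (the "Never notify me" position of the
    # slider), or elevation dialogs drawn on the interactive desktop, where other
    # processes of the same user can interact with them.
    if (-not $obj.UacEnabled) {
        $obj.Findings += 'EnableLUA=0: UAC is disabled; administrators always run with the full token'
    }
    if ($admin -eq 0) {
        $obj.Findings += 'ConsentPromptBehaviorAdmin=0: applications elevate without any prompt'
    }
    if (-not $obj.SecureDesktop -and $admin -ne 0) {
        $obj.Findings += 'PromptOnSecureDesktop=0: elevation dialogs are shown on the interactive desktop'
    }
    return $obj
}

Get-UacPolicy | Format-List UacEnabled, SecureDesktop, AdminBehavior, StandardBehavior, Findings
```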

What's the impact of these changes on UAC?

In response to customer requests, the improved UAC allows users to perform their daily tasks with fewer prompts and gives administrators more control over how UAC prompts users.

Windows 7 - What's New in Smart Cards


Windows® 7 includes new features that make smart cards easier to use and to deploy, and make it possible to use smart cards to complete a greater variety of tasks. The new smart card features are available in all versions of Windows 7.

What's new in smart cards?

Windows 7 features enhanced support for smart card–related Plug and Play and the Personal Identity Verification (PIV) standard from the National Institute of Standards and Technology (NIST).

This means that users of Windows 7 can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers are downloaded in the same way as drivers for other devices in Windows.

When a PIV-compliant smart card is inserted into a smart card reader, Windows attempts to download the driver from Windows Update. If an appropriate driver is not available from Windows Update, a PIV-compliant minidriver that is included with Windows 7 is used for the card.

Who will want to use smart cards?

Network administrators who want to enhance the security of the organization's computers, particularly portable computers used by remote users, will appreciate the simplified deployment and use scenarios made possible by smart card Plug and Play PIV support. Users will appreciate the ability to use smart cards to perform critical business tasks in a secure manner.

What are the benefits of the new and changed features?

The new smart card support options in Windows 7 include:

· Encrypting drives with BitLocker Drive Encryption. In the Windows 7 Enterprise and Windows 7 Ultimate operating systems, users can choose to encrypt their removable media by turning on BitLocker and then choosing the smart card option to unlock the drive. At run time, Windows retrieves the correct minidriver for the smart card and allows the operation to complete.

· Smart card domain logon by using the PKINIT protocol. In Windows 7, the correct minidriver for a smart card is retrieved automatically, enabling a new smart card to authenticate to the domain without requiring the user to install or configure additional middleware.

· Document and e-mail signing. Windows 7 users can rely on Windows to retrieve the correct minidriver for a smart card at run time to sign an e-mail or document. In addition, XML Paper Specification (XPS) documents can be signed without the need for additional software.

· Use with line-of-business applications. In Windows 7, any application that uses Cryptography Next Generation (CNG) or CryptoAPI to enable the application to use certificates can rely on Windows to retrieve the correct minidriver for a smart card at run time so that no additional middleware is needed.

What's the impact of these changes on smart card usage?

Smart card usage is expanding rapidly. To encourage more organizations and users to adopt smart cards for enhanced security, the process to provision and use new smart cards is simplified and supports more end user scenarios.