
Archive for the ‘Exchange Server 2013’ Category

Unified Boxes, The Sum of all fears

July 8, 2014

Correction: By mistake I included SQL in the supportability statement; apparently I was speaking about the stack as a whole, including backup. Sorry for that.

Hi there. Earlier this week, fellow MVP Michel de Rooij published a blog post, http://eightwone.com/2014/07/02/exchange-and-nfs-a-rollup/, speaking about NFS/Exchange support "again". The post motivated me to dive into the pool and add my experience.

There was some hesitation in the MVP community about whether we should blog/speak about it or not. Michel was brave enough to jump in and speak about the topic, and after exchanging some emails, we (including fellow MVP Dave Stork) agreed that this post is critical, so we created it.

If you want to read more, check Tony Redmond's article: http://windowsitpro.com/blog/raging-debate-around-lack-nfs-support-exchange

So, where does the story begin?

I am currently working for a major data center provider. In my current role we try to find new ways, innovate and find new technologies that will save us time, effort and money, and my team was investigating the unified boxes option.

But before delving into the technical part, let me give you a brief background on where I am coming from. My position as an architect at a service provider is an awkward one: I am a customer, a partner and a service provider at the same time, so I don't only innovate, only design, only implement, only support or only operate; I do all of that, and that makes me keen on investigating how every new innovation will be designed, implemented, supported and operated.

Now, speaking about the unified boxes, I was blown away by their capabilities. The savings in space, time and effort from these boxes are massive, but there is a catch: they use NFS, the source of all evil.

NFS has been used for years by VMware to provide a "cost effective" shared storage option. A lot of customers adopted NFS over FC because of the claimed savings in money and complexity, but NFS has its own issues (we will see that later).

I was a fan of the technology, and created a suggestion on ideascale.com to bring the issue to the product group's attention. We did our best, but Microsoft came back and informed us that NFS won't be supported. They have their own justifications, and we are not here to speak about them because we can't judge Microsoft, but the bottom line is: NFS is not supported as a storage connectivity protocol for Exchange.

Now, the reason for this post is to highlight two things to the community:

  • NFS is not supported by Microsoft for Exchange (any version), and there is no workaround for this.
  • Choosing a unified box as a solution has its own ramifications that you must be aware of.

I am not here to say Nutanix/SimpliVity/VMware VSAN etc. are good or bad; I am highlighting the issues associated with them to you, and the final decision will be yours, totally yours.

I was fortunate to try all of the above: I got some boxes to play with and tested them to the bone. The testing revealed some issues; they might not be issues to you, but they are from my point of view:

  • Supportability: Microsoft doesn't support placing Exchange on NFS. With the recent concerns about the value of Exchange virtualization (see a blog post from fellow MVP Devin Ganger http://www.devinonearth.com/2014/07/virtualization-still-isnt-mature/), using these boxes and this set of technologies might not be the best way for those specific products; you might want to choose physical servers or other options for Exchange/SQL rather than going with non-supported configurations, although vendors might push you to go for their boxes and blind you with how great and shiny these solutions are. The bottom line: they are not supported by Microsoft and they won't be in the near future.
  • Some of the above use thin provisioned disks, meaning that disks are not provisioned ahead of time for Exchange, whereas fully provisioned virtual hard disks are the only supported configuration for Exchange. Thinly provisioned disks are dynamically expanded on the fly as storage is consumed, which is another unsupported configuration.
  • The above boxes have no extensibility to FC, and you are limited to a maximum of 2 x 10 GbE connections (I don't know if some have 4, but I don't think so), meaning that you have no option to do FC backups; all the backups will have to go through the GbE network. We can spend years discussing which is faster or slower, but in my environment I run TBs if not PBs of backups and they were always slow on GbE networks, so all of our backups have to be done over FC.
  • The above means you will run backup, operations, production and management traffic on a single team over shared networks, maybe 2 teams, or you will run it over 1 GbE. This might be fine with you, but for larger environments it is not.
  • The above limitations limit you to a maximum number of network connections. A single team with 2 NICs might be sufficient for your requirements, 2 teams maybe, but some of my customers have different networking requirements and this will not fit them.
  • Some of the above boxes do caching for reads/writes. I have some customers who ran into issues when running Exchange Jetstress and high IO applications, and the only solution provided by the vendor's support was to restart the servers to flush the cache drives.
  • Some of the vendors run compression/deduplication in software, and this requires a virtual machine of 32 GB or larger to start utilizing deduplication.
  • All of the above use NFS, meaning you will lose VAAI. VAAI is very critical as it accelerates storage operations by offloading those tasks directly to the array. With NFS you cannot use VAAI with virtual machines that have snapshots or are running, meaning that you rely on the cache or you must shut down the virtual machines to use VAAI. VAAI is a very important and critical element, so you must understand the effects of losing it.
  • Those boxes don't provide tiering. Tiering is another important feature if you are running your own private cloud, by allowing you to provision different storage grades to different workloads; it is also important if you want to move hot data to faster tiers and cold data to slower tiers. Tiering touches the heart and soul of every cloud (private or public) and you must understand how this will affect your business, operations, charging and business model.
  • From a support/operations and compliance point of view, you are still running an unsupported configuration in terms of disk provisioning and storage backend; again, it is your call.

I am not saying that unified boxes are bad; they are a great solution for VDI, Big Data, branch offices, web servers, application servers and maybe databases that support this sort of configuration, but certainly not for Exchange.

We can spend years and ages discussing whether the above is correct or not, valid or not and logical or not, but they are certainly concerns that might ring some bells at your end. It is also certain that the above configurations are not supported by Microsoft, and unless Microsoft changes its stance, we can do nothing about it.

We, as MVPs, have done our duty and raised this as a suggestion to Microsoft, but the decision was made not to support it. It is up to you to decide whether you want to abide by this or not; we can't force you, but it is our duty to highlight this risk and bring it to your attention. And as MVPs and independent experts, we are not attracted to the light like butterflies; it is our duty to look deeper and further beyond the flashlights of the brightest and greatest, and to understand and explain the implications and consequences of going this route, so you can come up with the best technical architecture for your company.

Configuring Azure Multifactor Authentication with Exchange 2013 SP1

March 2, 2014

Thanks to Raymond Emile from Microsoft COX, who responded to me instantly and hinted me around the OWA + basic auth. Thanks a lot, Ray…

In case you missed it, Azure has a very cool new feature called Azure Multi-Factor Authentication (MFA). Using MFA in Azure you can perform multifactor authentication for Azure apps and for on-premises apps as well.

In this blog we will see how to configure Azure Cloud MFA with Exchange 2013 SP1 on premises. This will be a long post with multiple steps done at multiple levels, so I suggest that you pay very close attention to the details, because the config will be tricky to troubleshoot later.

Here are the high-level steps:

  • Configure Azure AD.
  • Configure Directory Sync.
  • Configure multifactor authentication providers.
  • Install/configure the MFA agent on the Exchange server.
  • Configure OWA to use basic authentication.
  • Sync users into the MFA agent.
  • Configure users for the desired login type.
  • Enroll users and test the config.

So let us rock and roll:

Setting up Azure AD/MFA:

Setting up Azure AD/MFA is done by visiting https://manage.windowsazure.com . Here you have two options (I will list them because I had them both and it took me a while to figure it out):

    • If you have never tried Azure, you can sign up for a new account and start the configuration.
    • If you have an Office 365 enterprise subscription, then you already have Azure AD configured, so you can sign in to Azure using the same account as in Office 365 and you will find Azure AD configured for you (I had this option, so I had to remove SSO from the previous account and set it up again).

Once you log in to the portal, you can set up Azure AD by clicking Add.


Since I had an Office 365 subscription, it was already configured, so if you click on the directory you can find the list of domains configured in this directory.


If you want to add a new domain, click on Add and enter the desired domain. You will need to verify the domain by adding a TXT or MX record to prove your domain ownership; once done, you will find the domain verified and you can configure it.


Once done, go to Directory Integration and choose to activate directory integration.


Once enabled, download the DirSync tool on a computer joined to the domain.


Once installed, you will run through the configuration wizard, which will ask you for the Azure account and the domain admin account to configure the AD sync.


Once done, you can check the Users tab in Azure AD to make sure that users are synced to Azure successfully.


If you select a user, you can choose Manage Multifactor Authentication.


You will be prompted to add a multifactor authentication provider. The provider essentially controls the licensing terms for each directory, because you have per-user or per-authentication payment; once selected, you can click on Manage to manage it.


Once you click Manage, you will be taken to the PhoneFactor website to download the MFA agent.


Click on Downloads to download the MFA agent. You will install this agent on either:

  • A server that will act as the MFA agent and provide RADIUS or Windows authentication for other clients, or
  • The Exchange server that will do the authentication (the front-end servers).

Since we will use Exchange, you will need to install this agent on the Exchange server. Once installed, you will need to activate the server using the email and password you acquired from the portal.


Once the agent is installed, it is time to configure it.

Note: the auto configuration wizard won't work, so skip it and proceed with manual config.

Another note: FBA with OWA won't work, and auto detection won't work either, so don't waste your time.

Configuring the MFA Agent:

I need to stress how important it is to follow the steps below and make sure you edit the configuration as described, or you will spend hours trying to troubleshoot errors using useless error codes and logs. The logging is still poor in my opinion and doesn't provide much information for debugging.

The first step is to make sure that you have the correct namespace and SSL certificate in place. Typically you will want users to access the portal using a specific FQDN; since this FQDN will point to the Exchange server, you will need to publish one of the following:

  • Extra directories for the MFA portal, SDK and mobile app, or
  • A new DNS record and DNS name added to the SSL certificate and published.

In my case, I chose to use a single name for Exchange and the MFA apps: https://mfa.arabcloud.tv. MFA is just a name, so it could be OWA, mail or anything.

The SSL certificate plays a very important role, because the portal and mobile app speak to the SDK over SSL (you will see that later), so you will need to make sure that the correct certificate is in place, as well as the DNS records, because the DNS name must be resolvable internally.

Once the certificate/DNS issue is sorted, you can proceed with the install. First you will install the user portal; users will use this portal to enrol as well as to configure their MFA settings.

From the agent console, choose to install the user portal.


It is very important to choose the virtual directory carefully. I highly recommend changing the default names because they are very long; in my case I chose MFAPORTAL as the virtual directory.


Once installed, go to the user portal settings and enter the URL (carefully, as there is no auto detection or validation method), and make sure to enable the required options in the portal. I highly recommend enabling phone call and mobile app only, unless you are in a US/EU country, where you can enable text message auth as well; it didn't work for me because the local provider in Qatar didn't send the reply correctly.


Once done, proceed with the SDK installation. Again, I highly recommend changing the name; I chose MFASDK.


Once installed, you are ready to proceed with the third step, installing the mobile app portal. To do this, browse to the MFA agent installation directory and click on the mobile app installation; again choose a short name. I chose MFAMobile.


Once installed, you will have to do some manual configuration in the web.config files for the portal and the mobile app.

You will have to specify the SDK authentication account and the SDK service URL; this configuration is a MUST and not optional.

To do so, first make sure to create a service account. The best way to do it is to fire up your Active Directory Users and Computers console, find the PFUP_MFAEXCHANGE account and clone it.

Once cloned, open c:\inetpub\wwwroot\<MFAportal Directory> and c:\inetpub\wwwroot\<MFA Mobile App Directory> and edit the web.config file in each of them, setting the SDK authentication account and SDK service URL for the MFA portal and for the MFA mobile app.

Once done, you will need to configure the MFA agent to do authentication for IIS.

Configure MFA to do authentication from IIS:

To get the MFA agent to kick in for OWA, you will need to configure OWA to do basic authentication. I searched for how to do FBA with MFA, but I didn't find any clues (if you have any, let me know).
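The namespace/certificate check from the earlier step and the switch of OWA/ECP to basic authentication, as an added Exchange Management Shell example (not part of the original post). It assumes a single front-end server named EX01 (placeholder) and the mfa.arabcloud.tv name used above; both are assumptions to adjust.

```powershell
# Added example, not from the original post. Assumes an Exchange 2013 SP1 front-end server
# named EX01 (placeholder) and the namespace mfa.arabcloud.tv from the post.
$server    = "EX01"
$namespace = "mfa.arabcloud.tv"

# 1. Namespace check: the name must resolve internally and the certificate bound to IIS must
#    contain it, because the MFA portal and mobile app call the SDK over SSL using this name.
$dns = Resolve-DnsName -Name $namespace -Type A -ErrorAction Stop
Write-Host "$namespace resolves to $($dns.IPAddress -join ', ')"

$iisCert = Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match "IIS" }
$names   = $iisCert.CertificateDomains | ForEach-Object { $_.ToString() }
if ($names -notcontains $namespace) {
    throw "Certificate bound to IIS on $server does not contain $namespace"
}

# 2. Record the current authentication settings so the change can be reverted if the
#    MFA troubleshooting described in the post goes badly.
@(Get-OwaVirtualDirectory -Server $server; Get-EcpVirtualDirectory -Server $server) |
    Select-Object Identity, BasicAuthentication, FormsAuthentication, WindowsAuthentication |
    Format-Table -AutoSize

# 3. Switch OWA and ECP on the front-end site (Default Web Site) to basic authentication and
#    disable forms-based authentication. OWA and ECP must match each other, and the
#    "Exchange Back End" virtual directories are left untouched (Windows auth).
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -BasicAuthentication $true -FormsAuthentication $false
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" `
    -BasicAuthentication $true -FormsAuthentication $false

# 4. Exchange applies the authentication change only after IIS is restarted on that server.
Invoke-Command -ComputerName $server -ScriptBlock { iisreset /noforce }

# 5. Verify: only the Default Web Site directories should now show Basic=True / Forms=False.
@(Get-OwaVirtualDirectory -Server $server; Get-EcpVirtualDirectory -Server $server) |
    Select-Object Identity, BasicAuthentication, FormsAuthentication, WindowsAuthentication |
    Format-Table -AutoSize
```

With FBA off, the browser sends credentials in a basic-auth header on every request, so this configuration is only acceptable over HTTPS with the verified certificate from step 1.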

Once you have configured the OWA/ECP virtual directories to do basic authentication, go to the MFA agent, from there go to IIS Authentication, HTTP tab, and add the OWA URL.


Go to the Native Module tab and select the virtual directories where you want the MFA agent to do MFA authentication (make sure to configure it on the front-end virtual directories only).


Once done, you still have one final step, which is importing and enrolling users.

To import users, go to Users, select Import and import them from the local AD; you can configure the sync to run periodically.


Once imported, you will see your users. You can configure your users with the required properties and settings for a specific MFA type; for example, to enable phone call MFA, you will need the users to have the proper phone number and extension (if necessary).


You can also configure a user to do phone app auth.


Once all is set, you can finally enrol users.

Users can enrol by visiting the user portal URL and signing in with their username/password; once signed in, they will be taken through the enrolment process.

For phone call MFA, they will receive a call asking for their initial PIN created during their configuration in MFA. Once entered correctly, they will be prompted to enter a new one, and once validated the call will end.

In subsequent logins, they will receive a call asking them to enter their PIN; once validated successfully, the login will succeed and they will be taken into their mailbox.

For the mobile app, which we will see here, they will need to install a mobile app on their phones; once they log in they can scan the QR code or enter the URL/code in the app.


Once validated in the app, you will see a confirmation screen in the app.

The next time you attempt to log in to OWA, the application will ask you to validate the login.

Once authentication is successful, the app shows the approval and you will be taken to OWA.

Final notes:

Again, this is a first look. I think there is more to do, like RADIUS and Windows authentication, which is very interesting; we can also get FBA by publishing OWA via a firewall or a proxy that does RADIUS authentication + FBA, which will work.

I hope that this guide was helpful for you.

Did you note the shadow redundancy ShadowMessagePreferenceSetting?

June 11, 2013

I was reading the Exchange 2013 poster when I noted something I had missed during my Exchange 2013 reading:

In DAG environments, a shadow server in remote Active Directory site is preferred.

That is interesting; reading more from http://technet.microsoft.com/en-us/library/dd351027(v=exchg.150).aspx:

If the primary server is a member of a DAG, the primary server connects to a different Mailbox server in the same DAG. If the DAG spans multiple Active Directory sites, a Mailbox server in a different Active Directory site is preferred by default.

This means that servers in a DAG will copy the message to a remote AD site by default. That might be OK for you, but for some environments this might not be the case due to network constraints.

To control this setting, continue reading:

This setting is controlled by the ShadowMessagePreference parameter on the Set-TransportService cmdlet. The default value is PreferRemote, but you can change it to RemoteOnly or LocalOnly.

So you can use the Set-TransportService cmdlet to control this setting.
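Inspecting and changing the preference on every DAG member, as an added Exchange Management Shell example (not from the original post). It assumes a DAG named DAG01 (placeholder) and uses the ShadowMessagePreferenceSetting parameter of Set-TransportService.

```powershell
# Added example, not from the original post. Assumes a DAG named DAG01 (placeholder)
# whose members span two AD sites.
$dag = Get-DatabaseAvailabilityGroup -Identity DAG01

# 1. Show what each DAG member currently does (default PreferRemote: shadow in another site).
$dag.Servers | ForEach-Object {
    Get-TransportService -Identity $_.Name |
        Select-Object Name, ShadowMessagePreferenceSetting
} | Format-Table -AutoSize

# 2. Keep shadow copies inside the local site on every member when the inter-site link
#    cannot carry the shadow traffic. LocalOnly trades cross-site message redundancy for
#    bandwidth: messages shadowed only locally are exposed if the whole site is lost,
#    so record the decision. RemoteOnly is the opposite choice.
$dag.Servers | ForEach-Object {
    Set-TransportService -Identity $_.Name -ShadowMessagePreferenceSetting LocalOnly
}

# 3. Verify, and warn about any server that did not take the change.
$dag.Servers | ForEach-Object { Get-TransportService -Identity $_.Name } |
    Where-Object { $_.ShadowMessagePreferenceSetting -ne "LocalOnly" } |
    ForEach-Object { Write-Warning "$($_.Name) is still set to $($_.ShadowMessagePreferenceSetting)" }
```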

Just a reminder to all of us.

Exchange 2010 Supportability with Hyper-v Replica

November 21, 2012

I got a question from one of my colleagues about Exchange 2010 DAG support and Hyper-V Replica. Hyper-V Replica is a great feature that shipped with Microsoft Windows Server 2012; it enables customers to replicate VMs from site to site for DR purposes.

A confusing diagram is published here http://technet.microsoft.com/en-us/library/hh831716.aspx, and it implies that Exchange is supported with Hyper-V Replica.

The solid statement that I have, confirmed by the Exchange product group, is that Hyper-V Replica is not supported at all with Exchange products (2010/2013), with or without a DAG. If you want to protect an Exchange server you must configure a DAG and use the Exchange-level replication technology, or use a 3rd party replication software or hardware that is certified to work with Exchange.

Backup&Restore Exchange 2010 mailbox database or mailbox item using ARCserve R16 #msexchange #arcserve

September 11, 2012

In my ultimate journey discovering how to back up and restore Exchange 2010 with every single application in our universe, today I blog about how to do that using CA's ARCserve r16 SP1.

We will continue using my single Exchange server, installing ARCserve r16 SP1 and then discovering how to create a backup job to back up Exchange and restore from our backup.

Installing ARCserve r16 SP1:

There is nothing genius about installing ARCserve; you possibly want to plan ahead for the following:

  • SQL Database location.
  • Configuring Windows authentication instead of the ARCserve authentication.
  • If you will configure Windows authentication later, you need to remember the password you used for the default admin account "caroot", because you will use it to log in.

Other than that, the installation itself is a no-brainer: next, next and OK.

Configuring ARCserve r16 Devices:

Once you have finished installing and open the ARCserve console "Manage", you will be prompted with a very nice tutorial that walks you through the basic configuration of your ARCserve.

In this step we will configure a "Disk device" that we will use for our backup to disk, so from Devices choose Launch Device Configuration.

In the Login Server screen, enter your credentials to log in to the server.

In the next Login Server screen, choose your login server.

In the Device Configuration screen, choose Windows File System Devices to configure a backup folder (the de-duplication device is a folder that can be configured to store multiple backups; ARCserve then divides the backup into small chunks that are compared and de-duplicated using the proprietary ARCserve algorithm), then click Add.

If you somehow missed the wizard, you can do the same using the Device Wizard from the Administration menu.

Once the device is configured, we can deploy the agent and start protecting our Exchange server. You can do that from Administration, and then go to Agent Deployment.

Note: in order to back up the Exchange server using ARCserve you must install MAPI CDO. This is a must because, unlike Symantec, which uses EWS to restore emails, ARCserve uses MAPI CDO to back up and restore individual emails. Also note that MAPI CDO must be installed before installing ARCserve; if you don't, you will get the following error message:

"The request is denied by the agent. The requested agent is not installed."

When you deploy the agents for the first time, you must specify the ARCserve source to copy the agents from; once copied, you won't need to do that again and you will be able to proceed with the deployment.

Once copied, you will proceed with the agent deployment, so specify the Login Server.

In the agent installation options you will normally get Automatic; you might want to choose Custom to fine-tune the installation options.

In the agent selection, select the agents that need to be deployed.

In the host selection, you have a nice option to discover the Exchange servers and deploy the agent to them automatically.

To discover the Exchange infrastructure, just specify your Domain Controller and credentials and ARCserve will discover the Exchange servers for you. Nice!

Backup Exchange 2010 Mailbox Database and Mailboxes using ARCserve:

Creating a backup job is easy: from the Protection & Recovery menu choose Backup.

From the Job Setup menu select your Job Setup Type.

In the Source, select the Mailbox Database. If you want to recover specific mailboxes or mailbox items, you must configure the Document Level type of backup. Unlike Symantec, which uses one type of backup to restore either a Mailbox Database, a Mailbox or a Mailbox item, ARCserve uses two types of backup (Mailbox Database backup for the database level, and Mailbox Document Level for mailboxes and mailbox items).

In the Schedule, select your scheduling.

In the Destination, select your destination; in my case I will use the folder I configured previously.

Once all is set, click the Submit button to submit the job to run.

Restore the Exchange Mailbox Database or Mailbox items from the ARCserve Backup:

Now you can restore either the Mailbox Database or the Mailbox items: go to the Restore section, explore the Exchange infrastructure and select either the Mailbox Database or the Mailbox items.

Conclusion:

In this article we have explored the basic ARCserve configuration and how to back up and restore an Exchange 2010 Mailbox Database and Mailboxes using ARCserve. It was easy and sweet, although I don't understand why in ARCserve I have to create two duplicate jobs to back up the Mailbox Database and the Mailboxes (Document Level).

So what is the next product? I don't know; I will be waiting for your suggestions, so let me know so I can blog it.

Restoring Entire Mailbox Exchange 2010 Database using Backup Exec 2012 #Symantec #backupexec #msexchange

September 9, 2012

In previous posts we have seen how to back up a Mailbox Database and restore a single item from the backup.

In this post we will explore how to restore the entire database to its original location. You might ask why I would do that when I can restore the item I want directly from my backup set; well, there are some scenarios where you want to restore an entire database:

– Database corruption, either physical or logical.

– A reseed operation.

– Restoring to a recovery database for finer search and extraction.

We will use the same backup we did last time to restore the entire database, so let us start.

User one received two emails (Diff 1 and Diff 2).

It looks like those emails somehow caused a database corruption, and the database is dismounted and can't be mounted again (this simulates a logical or physical corruption at the database level).

If I try to mount it I get an error.

There is also an error in the event viewer.

Now I need to restore the entire database. From the Backup Exec management console, select the Exchange server and click Restore; in the restore type, select Microsoft Exchange databases or storage groups.

In the Resource view, select the backup job you want to restore.

In the restore location, I will choose the original location, since I want to restore on top of the current database because it is corrupted. You might want to restore it to another location, to a recovery database, or to another server in the case of a dial-tone recovery.

In the overwrite page, I will choose to overwrite the existing DB and logs. If you trust that the logs are OK and your DB is having trouble due to a corrupted hard disk, for example, you can restore the database set and keep the existing logs; when the replay starts it will bring the database to the most recent state. However, in my case there is a logical corruption caused by bad emails, and thus bad logs, so I don't want these and I will overwrite them.

In the Temporary location, I will choose the default location, but you need to make sure that the selected location has enough space to hold the restored data.

In the next screen, you have the option to wait before mounting the database. If you are restoring from a differential backup, or you want to run eseutil before mounting the database, for example, you might not want to mount the database; otherwise Backup Exec will mount the database and start replaying the logs directly. In my case I will choose to mount the database.

In the job name and schedule, set your options and click Next.

Once done, go to the Job list, select the restore job and click Run Now; the job will start restoring your database.

After the restore completes, the DB is mounted and everything is back on track.

User1 can log in to his mailbox now, but you will note that the Diff1 and Diff2 emails (the problematic ones) are not restored, since they weren't backed up.

In the next post we will see how to restore a differential backup; we have been talking about full backups, and we will see how to configure and restore differential backups.

    How to Restore Exchange 2010 Mailbox or Mailbox Item using Backup Exec 2012 #msexchange #backupexec #symantec

    September 6, 2012 18 comments

    In This post we will explore how to restore a mailbox or a single mailbox item using Backup Exec 2012 to Exchange 2012.

    Setting up the stage:

    you need to make sure that you have a working backup set, we will continue from our configuration we have committed in the first part of this series: https://autodiscover.wordpress.com/2012/09/04/how-to-backup-exchange-2010-using-symantec-backup-exec-2012-msexchange-microsoft-symantec-backupexec/

    To Restore a single item from the backup set:

    Note: your backup job must have been configured to use GRT, otherwise you will not be able to recover single item from the mailbox database.

    select your Exchange server, and choose restore:

    image

    In the data selection page, select the Exchange data and click next:

    image

    In the following screen and for the sake of this part of the article select mailbox item and click next:

    image

    In which mailbox and items do you want to restore, explore the database and mailbox to find the item you want to restore, in my case I want to restore the mail item “Test 5” which was in the administrator mailbox and I have deleted it:

    image

    Select the location of the restore, in our case I will restore it to the original location (the administrator inbox):

    image

    in the following screen, Select the options as per your restore preference, in my case I will select none and continue:

    image

    In the additional tasks, you have the option to notify some users or run pre-commands, it is a nice option and new to Backup Exec 2012 “I Loved it”, in my case I will continue:

    image

    In the summary page click next and then the restore job starts.

    Now if you believe that the restore will work, I would like to tell with a lot of joy it will not Open-mouthed smile.

    I spent 2 days trying to figure out the reason why the restore is not working, I was getting this misleading error:

    The job failed with the following error: Cannot log on to EWS with the specified credentials. Review the resource credentials for the job, and then run the job again

    I searched for the error and found a knowledge base from Symantec stating that I need to configure the service account in the form of “account@domain.name” not “domain\account”, I did that and even suspected in the SSL certificate and created a new one with no luck no matter how hard I tried, it didn’t work.

    so back to the basics, I read the BE admin guide, and went to the GRT restore part to find interesting statement:

    Backup Exec also creates an impersonation role and a role assignment for Exchange
    Impersonation. Exchange Impersonation role assignment associates the
    impersonation role with the Backup Exec resource credentials you specify for the
    restore job.
    Backup Exec creates and assigns the following roles:
    ■ SymantecEWSImpersonationRole
    ■ SymantecEWSImpersonationRoleAssignment

    and all of a sudden things started to make sense, to access EWS and restore item for another mailbox, you MUST have the impersonation rights, well powershelling my Exchange server, I didn’t find the mentioned roles, it looks like setup is broken and didn’t create them or they weren’t created on my server for a reason or another.

    to fix this issue, assign the BEadmin the impersonation permissions using the following cmdlets:

    1- Command to create a new role called SymantecEWSImpersonationRole, derived from the built-in ApplicationImpersonation role:
    New-ManagementRole -Name SymantecEWSImpersonationRole -Parent ApplicationImpersonation

    2- Command to create the SymantecEWSImpersonationRoleAssignment assignment, which ties that role to the Backup Exec service account (replace Username with your service account, BEadmin in my case):
    New-ManagementRoleAssignment -Name SymantecEWSImpersonationRoleAssignment -Role SymantecEWSImpersonationRole -User Username

    Reference: http://www.symantec.com/business/support/index?page=content&id=TECH125119
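    Because impersonation lets an account act as any mailbox in its scope, it is worth checking rather than blindly re-creating the role. The following script is an added example (not from the original post or from Symantec): it creates the role and assignment only if they are missing and then lists every effective holder of ApplicationImpersonation and its child roles. The parameter defaults are assumptions; the role and assignment names are the ones from the admin guide above.

```powershell
# Added example, not part of the original post. Run from the Exchange Management Shell.
# Defaults are assumptions: replace $ServiceAccount with your Backup Exec service account.
param(
    [string]$ServiceAccount = 'BEadmin',
    [string]$RoleName       = 'SymantecEWSImpersonationRole',
    [string]$AssignmentName = 'SymantecEWSImpersonationRoleAssignment'
)

# 1. The custom role must be a child of the built-in ApplicationImpersonation role.
$role = Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    Write-Host "Role $RoleName is missing, creating it"
    $role = New-ManagementRole -Name $RoleName -Parent ApplicationImpersonation
}

# 2. The assignment ties the role to the service account; create it only if absent.
$assignment = Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue
if (-not $assignment) {
    Write-Host "Assignment $AssignmentName is missing, creating it for $ServiceAccount"
    $assignment = New-ManagementRoleAssignment -Name $AssignmentName `
        -Role $RoleName -User $ServiceAccount
}

# 3. Audit: list everyone who effectively holds ApplicationImpersonation, either
#    directly or through a derived role such as the one created above, so that
#    unexpected holders can be spotted and removed.
$impersonationRoles = @('ApplicationImpersonation') +
    @(Get-ManagementRole -Identity ApplicationImpersonation -GetChildren |
        Select-Object -ExpandProperty Name)

foreach ($r in $impersonationRoles) {
    Get-ManagementRoleAssignment -Role $r -GetEffectiveUsers |
        Select-Object Role, RoleAssigneeName, EffectiveUserName, RecipientWriteScope
} | Format-Table -AutoSize
```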

    Trying again, I got a very nice error, again:

    The job failed with the following error: Cannot restore one or more mailboxes. The database that the mailboxes reside in is dismounted or is not accessible. Ensure that the server is available and that the database is mounted, and then run the job again.

    Honestly, I was trying to restore the administrator mailbox, so I tried restoring a normal user instead and it worked.

    Lessons learnt: don’t be misled by error messages, and always re-read the architecture for every feature you are using.

    By now you should be able to restore a single item from your Backup Exec 2012 backup; the next blog post will talk about restoring an entire database.

    Have fun!!!

    How to Backup Exchange 2010 using Symantec Backup Exec 2012 #msexchange #Microsoft #Symantec #backupexec

    September 4, 2012 3 comments

    The Single Item Restore article has been Published here: https://autodiscover.wordpress.com/2012/09/06/how-to-restore-exchange-2010-mailbox-or-mailbox-item-using-backup-exec-2012-msexchange-backupexec-symantec/

    I would like to continue my successful blog series on backing up and restoring Exchange 2010; the previous 2 entries were the most visited entries during the past 5 months. I will continue with Backup Exec 2012, and hopefully I will be able to reach NetBackup later this month.

    So let us set up the stage:

    Configuring the Backup Exec 2012 Service Account:

    Referencing my previous blog post https://autodiscover.wordpress.com/2012/03/12/how-to-backup-and-restore-exchange-2010-using-symantec-backup-exec-exchange2010-backupexec-part1/, the Backup Exec service account requirements have not changed. Below are the permissions the service account needs to perform backup and restore:

    1. For non-GRT backups (database only with no granular restore functionality) the logon account specified must be a member of the local Backup Operators group on the Exchange server
    2. For database only restores (database only with no granular restore functionality) the logon account specified must be a member of the local Administrators group on the Exchange server
    3. For GRT (Granular Restore Technology) enabled backups to disk (where the disk device is local to the BE Media Server and in the same domain) the logon account specified must be a member of the local Administrators group on the Exchange server
    4. For GRT backups to a tape device and ALL GRT restore operations, from tape or disk, the logon account specified must be a member of the local Administrators group on the Exchange server. In addition, the logon account must have a unique mailbox and the mailbox can NOT be hidden from the Global Address List. For Exchange 2003 the account must also be granted the Exchange Administrator, or Exchange Full Administrator role. On Exchange 2007 and 2010 servers the account must be granted the Exchange Organization Administrator role. Finally, for Exchange 2010 the account must also have the Administrator role on the AD Domain for AD access as part of the GRT operations.
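    Before creating the job, it is worth verifying the four requirements above against the real account instead of discovering a gap from a failed job. The script below is an added example (not from the original post or from Symantec) that checks them from the Exchange Management Shell; the account, server and domain names are assumptions, the "Administrator role on the AD Domain" requirement is interpreted here as Domain Admins membership, and only direct (not nested) group membership is checked.

```powershell
# Added example, not part of the original post. Run from the Exchange 2010
# Management Shell. $Account, $ExchangeServer and $Domain are assumptions.
param(
    [string]$Account        = 'BEadmin',
    [string]$ExchangeServer = 'EX2010',
    [string]$Domain         = $env:USERDOMAIN
)
$results = @()

# Helper: enumerate a local or domain group through the WinNT ADSI provider.
function Get-WinNTGroupMembers([string]$Computer, [string]$Group) {
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Requirements 1-3 and the first part of 4: local Administrators on the Exchange server.
$localAdmins = Get-WinNTGroupMembers $ExchangeServer 'Administrators'
$results += New-Object PSObject -Property @{
    Check = "Local Administrators on $ExchangeServer"
    Pass  = ($localAdmins -contains $Account) }

# Requirement 4: the account needs its own mailbox, and it must not be hidden from the GAL.
$mbx = Get-Mailbox -Identity $Account -ErrorAction SilentlyContinue
$results += New-Object PSObject -Property @{ Check = 'Has a mailbox'; Pass = [bool]$mbx }
$results += New-Object PSObject -Property @{
    Check = 'Mailbox visible in GAL'
    Pass  = [bool]($mbx -and -not $mbx.HiddenFromAddressListsEnabled) }

# Requirement 4: Exchange 2010 Organization Management (the RBAC successor of the
# Organization Administrator role). Compare by DN so display names do not matter.
$user    = Get-User -Identity $Account -ErrorAction SilentlyContinue
$orgMgmt = Get-RoleGroupMember 'Organization Management' |
    Select-Object -ExpandProperty DistinguishedName
$results += New-Object PSObject -Property @{
    Check = 'Member of Organization Management'
    Pass  = [bool]($user -and ($orgMgmt -contains $user.DistinguishedName)) }

# Requirement 4: domain-level admin rights for the AD access GRT performs
# (assumption: Domain Admins membership).
$domainAdmins = Get-WinNTGroupMembers $Domain 'Domain Admins'
$results += New-Object PSObject -Property @{
    Check = 'Member of Domain Admins'
    Pass  = ($domainAdmins -contains $Account) }

$results | Format-Table Check, Pass -AutoSize
```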

    This is a screenshot of the BEadmin group membership:

    image

    Prerequisites:

    To back up Exchange 2010 using Backup Exec 2012, you need to make sure that the Exchange Management Console is installed, and that the EMC version is the same as the version of the server being backed up.

    Installing the Backup Exec 2012 Agent on the Server:

    I have to admit that I was very impressed with the new BE interface; it was “WOOOOOOOOOOOW”. They did good work with it: it is simple and intuitive, and I managed to find everything super fast.

    There is now a new wizard for adding a server: go to the “Backup and Restore” node and select Add from the Servers section:

    image

    From there you get the new Add Server wizard. You have 2 options: “Add server”, which you use if you have a single Exchange server, or “Microsoft Exchange Database Availability Group”, which you use if you have a DAG. In my lab I don’t have a DAG, so I will go with Add server:

    image

    Select “enable the trust with the server”:

    image

    Add the server:

    image

    In the service account section, you can either use the default system account or specify another account. I configured the BE server to use my “beadmin” account as its service account, so I will select the default account. Again, it is very important to make sure that this account has the required permissions on the Exchange server:

    image

    On the next page, make sure to select the reboot option if you want the server to reboot directly after the installation; otherwise you will have to reboot it manually. It depends on your environment:

    image

    Then click Install to install the agent.

    Configuring the Backup Jobs:

    I am configuring a normal backup to folder job, the actual media configuration is beyond the scope of this article.

    To create a backup job:

    1- Select the Exchange 2010 server in the Servers section.

    2- Open the Backup node and select “Backup to Disk”:

    image

    Note: as far as I know, these are the same steps you will use for tape or network share backups.

    You will note that BE detected the Information Store on the Exchange 2010 server. By default it will back up all the items on the Exchange server, including all drives, the system state and the DBs on the server; if you want to change that, click Edit:

    image

    Expand the Information Store section and select the desired database to back up:

    image

    Going back to the backup properties, click Edit in the backup details:

    image

    By default the backup job is configured to perform a weekly full backup and daily incrementals; you might want to edit that as per your needs. In my scenario I will be fine with only the full backup, so I will delete the incremental step:

    image

    Also make sure to select “enable GRT backup” to be able to restore a single mailbox or a single item (if this is not selected you will not be able to restore mailboxes or mailbox items from Backup Exec):

    image

    The backup job is now scheduled; you can see it by going to the Jobs section:

    image

    To run it, select the job and choose Run Now; this will run the job immediately.

    After the backup completes, go to the job history and confirm that the backup completed successfully:

    image

    Congratulations, you have completed the task of backing up your Exchange server. In the next blog post we will explore the restoration options for this backup job.

    Blog Post: Understanding Exchange Server 2013–Part2 (Public Folders) #Microsoft #msexchange

    July 18, 2012 1 comment

    Public Folders provide an awesome way to collaborate. For years there were rumors that Microsoft would drop PFs with the introduction of Exchange 2007; Microsoft saw obstacles in PFs, as they use a different management model, hierarchy and architecture from regular mailboxes.

    With the introduction of Exchange 2013, Microsoft made PFs leap into the future with the changes it introduced to PF storage. So what happened to PFs in 2013? Let us take a look:

    • PFs are now stored in PF mailboxes: previously PFs were stored in the PF database, which prevented the use of the modern protection technologies offered by Exchange 2007/2010 such as replication/DAG. In Exchange 2013 PFs are stored in a special type of mailbox called a PF mailbox; this mailbox stores the PF hierarchy and the content of the PFs that were created in that mailbox.
    • PFs no longer use the PF replication architecture: in previous versions of Exchange, PFs used the PF replication architecture, a separate architecture inherited from earlier versions that was managed separately and required its own monitoring and management. With the new architecture PFs no longer replicate as before: the mailbox itself can be replicated using the DAG architecture, offering mailbox resiliency and protection, but the content is not replicated across mailboxes. Each content mailbox holds its own content and is the only holder of that content; the mailbox is replicated by the underlying DAG, not the content between PF mailboxes.

    With the new architecture we now have a new type of mailbox called the “Public Folder Mailbox”; this mailbox comes in 2 types:

    1. Master Hierarchy PF Mailbox: the Master Hierarchy mailbox is a special kind of PF mailbox that you create either to import your hierarchy from previous versions or to hold your PF hierarchy; this is usually the first PF mailbox you create.
    2. PF mailbox: all later PF mailboxes are of this kind. There is a very important difference between PF mailboxes and the Master PF mailbox: the Master PF mailbox holds a writable copy of the hierarchy, while the other PF mailboxes hold a read-only copy of it (note: you can upgrade a PF mailbox to a master one at any time, but at any given time there is only 1 writable copy of the hierarchy; another note: every PF mailbox gets a copy of the hierarchy, but it is a read-only one).

    Design Considerations:

    With the new architecture there is a very important point to note (PF content is not replicated), so organizations that are geographically dispersed and use PF replication to provide local access to Public Folders must reconsider their PF hierarchy and how it is planned, because in order to access PF content a user will need to reach the content PF mailbox directly, and that might happen over the WAN if content distribution is not well planned.

    Some people might have concerns about the last point, but with all traffic between clients and CAS being HTTPS, I can imagine that with the use of WAN optimizers and proper planning this will offer organizations greater flexibility and even better management.

    From the end-user's perspective, PFs in mailboxes are just the same as PFs in older versions of Exchange; the storage of the PFs is different from the admin's point of view, but users are not aware of that change.

    The other thing you might want to consider is the PF mailbox storage limit: a mailbox in Exchange 2013 supports 100 GB. Although this is fine for normal mailboxes, you will need to give it serious consideration if your organization uses PFs heavily and you have PF trees larger than this limit.

    The only other thing you need to know is that at RTM launch PFs will be available from Outlook only; OWA access to PFs is not ready yet.

    At this point, as this article is being written, any of the secondary hierarchy mailboxes could be promoted to the primary one, but this is not documented yet; I will update this article to include a pointer to the new information. To identify which mailbox is the master hierarchy mailbox you can use this cmdlet:

    Get-OrganizationConfig | fl DefaultPublicFolderMailbox
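    Since content is no longer replicated and each PF mailbox is capped at the mailbox size limit described above, an inventory of the PF mailboxes is the natural follow-up to that cmdlet. The script below is an added example (not from the original post or from Microsoft): it lists every PF mailbox, shows which one holds the writable hierarchy and flags mailboxes approaching the limit. The 100 GB figure and the 80% warning threshold are parameters you can change, and it assumes Get-Mailbox -PublicFolder exposes the IsRootPublicFolderMailbox property and that it is run in a local Exchange Management Shell (where TotalItemSize is a typed size, not a string).

```powershell
# Added example, not part of the original post. Run from the Exchange 2013
# Management Shell. $LimitGB is the per-mailbox limit quoted in the post;
# $WarnPercent is an assumed reporting threshold.
param([int]$LimitGB = 100, [int]$WarnPercent = 80)

$report = foreach ($pf in Get-Mailbox -PublicFolder) {
    $stats = Get-MailboxStatistics -Identity $pf.Identity
    # TotalItemSize is an Unlimited<ByteQuantifiedSize>; ToBytes() avoids parsing
    # the "x GB (y bytes)" display string.
    $bytes = $stats.TotalItemSize.Value.ToBytes()
    $gb    = [math]::Round($bytes / 1GB, 2)

    New-Object PSObject -Property @{
        Name              = $pf.Name
        Database          = $pf.Database
        IsHierarchyMaster = [bool]$pf.IsRootPublicFolderMailbox   # writable hierarchy copy
        SizeGB            = $gb
        PercentOfLimit    = [math]::Round(100 * $gb / $LimitGB, 1)
        NeedsAttention    = ($gb -ge ($LimitGB * $WarnPercent / 100))
    }
}

$report | Sort-Object SizeGB -Descending |
    Format-Table Name, Database, IsHierarchyMaster, SizeGB, PercentOfLimit, NeedsAttention -AutoSize

# There must be exactly one writable copy of the hierarchy; anything else is a
# configuration problem worth investigating before users notice.
$masters = @($report | Where-Object { $_.IsHierarchyMaster })
if ($masters.Count -ne 1) {
    Write-Warning "Expected exactly one hierarchy master PF mailbox, found $($masters.Count)"
}
```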

    PF Migration from earlier versions:

    As this article is being written, Exchange 2010 SP3 is the only source from which migration can be done; Exchange 2007 is supported for coexistence with Exchange 2013, but an update, unknown so far, will be released later to allow such coexistence.

    The high-level migration steps are as follows:

    • Generate a CSV file containing your hierarchy from your older Exchange server. Keep in mind that you can open that CSV and edit its folder-to-PF-mailbox mapping if you would like to spread your content across mailboxes for geo-access or for proper distribution.
    • Create a Master Hierarchy PF mailbox and import that CSV into it.
    • Create a new PF migration request.
    • Lock down access to the PFs: at the final stage a lockdown is placed which prevents users from accessing the PFs, so that the migration can be finalized.
    • Complete the request and resume the migration.

    The steps are detailed here http://technet.microsoft.com/en-us/library/jj150486(v=exchg.150); once my lab is done I will post a blog post about editing the CSV before migration.

    I hope that you enjoyed the post and wish you happy Public Foldering.

    Mahmoud

    Understanding Exchange Server 2013–Part1 (Role Architecture Changes) #Microsoft #msexchange

    July 17, 2012 2 comments

    Today the Exchange Server 2013 technical preview has been announced. It is a long-awaited version that will take the Microsoft communication and messaging platform to the next level, and with the new version there are a lot of changes in how things work internally and in the architecture in general. In this blog series we will explore the new architectural changes in detail; in this first part we will talk about the new role architecture changes.

    Old Architecture:

    In Exchange 2007, Microsoft made a dramatic change in the server role architecture by splitting the functionality into HUB, CAS, UM, Edge and Mailbox roles. This was a huge change from the old Backend/Frontend architecture in Exchange 2003, and the architecture stayed the same in Exchange 2010.

    Behind the scene:

    Behind the scenes, Microsoft saw a limiting boundary in hardware expansion from the memory and disk perspective, while CPU power keeps increasing over time; additionally, the current server role architecture and binaries don’t make full use of current CPU core capabilities, which introduces a potential for server role consolidation. That was the major driver for the new architecture change.

    New Exchange server 2013 Architecture:

    In Exchange Server 2013, the architecture has been changed to consolidate all the roles into the following:

    • Client Access Server role: this role proxies and handles all client connectivity protocols, including HTTPS, POP3 and SMTP. Note that in Exchange Server 2013 all client-to-server traffic is done over HTTPS, so there is no RPC traffic any more.
    • Mailbox Server role: this role does all the Mailbox functionality and the UM functionality.

    The driver behind the new architecture is that more roles can be combined in a single box, offering fewer server roles, higher hardware utilization and better capacity. Also, since the roles are combined, they can communicate internally using RPC, thus eliminating the need to support the RPC protocol outside a single box and making communication between Mailbox and CAS servers happen only over HTTPS or SMTP.

    With the new architecture, the CAS does its job differently, by doing pure proxying for the connections it handles, thus offering a simplified deployment for 2 reasons:

    • Since all traffic is proxied there is no need for advanced Layer 7 load balancers. Because everything is stateless, the CAS just takes the connections and forwards them to the appropriate mailbox (backend) server, so all you need is a Layer 4 TCP load balancer with source IP affinity to do the job. This means that if a CAS server fails there is no problem in forwarding the session to another Client Access server, because there is no session affinity to maintain.
    • Since the CAS is now a proxy, there is no need for the different types of stickiness or session affinity configuration needed in previous versions, which has been simplified by using a single namespace to do all of the work.
    • CAS servers also now handle SMTP connections; the sole service responsible for that is the Frontend Transport service, which does all of the SMTP-related functionality, including recipient/sender filtering, protocol logging, etc.

    There is no Edge Server 2013-specific version; you can use the Exchange 2010 Edge server along with your Exchange Server 2013 deployment. There might be changes in this regard in later service packs.

    In part 2 we will explore the new features of the Mailbox server and how it differs from its predecessors.