Chris Antonakis Messaging Premier Field Engineer Microsoft South Africa.

Presentation transcript:


Exchange 2010 Investments: Simplify Administration
- Empower Specialist Users to Perform Specific Tasks with Role-based Administration
  - Compliance Officer: Conduct Mailbox Searches for Legal Discovery
  - HR Officer: Update Employee Info in Company Directory
- Lower Support Costs Through New User Self-Service Options
  - Track Status of sent messages
  - Create and Manage Distribution Lists
The annual cost of helpdesk support staff for systems with 7,500 mailboxes is approximately $20/mailbox. This cost goes up the smaller the organization. ("Support Staff Requirements and Costs: A Survey of 136 Organizations", Ferris Research, June 2008).

Exchange 2010 Management: What's New?
- New Exchange Management Console (EMC) features
- Exchange Control Panel (ECP)
  - New and simplified web based management console
  - Targeted for end users, hosted tenants, and specialists
- Role Based Access Control (RBAC)
  - New authorization model
  - Easy to delegate and customize
  - All Exchange management clients (EMS, EMC, ECP) use RBAC
- Remote PowerShell
  - Manage Exchange remotely using PowerShell v2.0
  - Note: No more local PowerShell, it's all remote in Exchange 2010
- Monitoring

Exchange 2010 Management: Supported OS platforms
- All of Exchange 2010 is 64-bit only
  - Admin-tools also require 64 bit OS
- Supported OS platforms for Admin/Management Tools
  - Vista x64 SP1 (*may be SP2)
  - W2k8 x64 SP2
  - Windows7 x64 Client and W2k8 R2 x64
- Remote PowerShell management
  - Does not require Exchange binaries at the client
  - Supported client OS platforms: Vista (x86 or x64), W2k8 (x86 or x64), W2k8 R2 (x86 or x64) or Win7 (x86 or x64), W2k3 (x86 or x64), XP (x86 or x64)

Exchange Management Console (EMC): Improvements
- Built on Remote PowerShell and RBAC
- Multiple Forest Support
- Cross-premises Exchange 2010 Management, Including Mailbox Moves
- Recipient Bulk Edit
- PowerShell Command Logging
- New feature support, for example: High Availability

The Exchange Management Console

Exchange Control Panel (ECP): What is it?
- A browser based Management client for end users, administrators, and specialists
- Accessible directly via URL, OWA & Outlook 2010
- Deployed as a part of the Client Access Server role
- Simplified user experience for common management tasks
- RBAC aware

Exchange Control Panel: Who will use it?
- Specialists and administrators
  - Administrators can delegate to specialists, e.g. Help Desk Operators, Department Administrator, and eDiscovery Administrators
- End Users
  - Comprehensive self service tools for End Users
- Hosted Customers
  - Tenant Administrators and Tenant End Users

Exchange Control Panel: What It Looks Like (screenshot; labelled areas: Primary Navigation, Secondary Navigation, UI Scope Control, Slab)

Exchange Control Panel

ECP Architecture Overview: High Level View
- AJAX-based
- Shares some code with OWA, but two separate applications
- Deployed on Client Access Server
- ECP, ASP.Net, RBAC, PowerShell
- Authentication: Windows Integrated, Basic, Forms Based
- Browser support: Same as OWA premium (IE, Firefox, Safari)

ECP Architecture Overview: Role Based Access Control
- Users shouldn't have access to message tracking: Message tracking tab doesn't show up in ECP
- Users can edit mailboxes, but not create new ones: "New Mailbox" button hidden
- Users can edit display name but not Department: Department field visible but read-only

RBAC in Exchange 2010
- RBAC has replaced the permission model used in Exchange 2007
- Your "role" is defined by "what you do"
- Define precise or broad roles and assignments based on the tasks that need to be performed
- Includes self administration
- Used by EMC, EMS and ECP

Who can do What… and Where? (diagram, repeated across four slides)
- Who? Admins (RoleGroup/USG) and End-Users (Role Assignment Policy)
- What? Role, made up of Role Entries (Cmdlet: Param1 Param2 Param3)
- Where? Recipient Read Scope, Recipient Write Scope, Configuration Read Scope, Configuration Write Scope
- Role Assignment
Cmdlets shown on the diagram:
- New-ManagementRoleAssignment, Get-ManagementRoleAssignment, Set-ManagementRoleAssignment, Remove-ManagementRoleAssignment
- Add-RoleGroupMember, Remove-RoleGroupMember
- New-RoleAssignmentPolicy, Remove-RoleAssignmentPolicy
- New-RoleGroup, Set-RoleGroup, Get-RoleGroup, Remove-RoleGroup (RoleGroup/USG, RoleGroup Assigned Roles)

Custom Management Roles
- Custom roles can be added to suit specific delegation requirements
- Roles are hierarchical, with built-in role at the top
- Role Entries can only be removed from a role
- Steps to delegate a role:
  1. Create the management role
  2. Change the new role's management role entries (by removing role entries)
  3. Create a management scope (if required)
  4. Assign the new management role

Custom Management Roles: What does it look like?

    # Create the management role as a child of an existing role
    New-ManagementRole -Name "eDiscovery-Sales" -Parent DiscoveryManagement

    # Create a management scope limited to user mailboxes in the Sales OU
    New-ManagementScope -Name "Sales Mailboxes" -DomainRestrictionFilter "(RecipientType -eq 'UserMailbox')" -DomainRoot "OU=Sales,DC=contoso,DC=Com"

    # Assign the new role, restricted to that scope
    New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" -User "USG-Sales eDiscovery Admins" -Role "eDiscovery-Sales" -DomainScopeRestriction "Sales Mailboxes"

Role Based Access Control

RBAC Role Delegation
- Role membership is not a right to delegate
- RoleAssignment Delegation
  - Special kind of Role Assignment
  - Delegation does not grant role permissions
- RoleGroup Delegation
  - Controlled through RoleGroup ownership
  - ManagedBy parameter similar to DGs (Multi-Valued)
  - Ownership does not grant RoleGroup permissions

RBAC Permissions Reporting
- Get-ManagementRoleAssignment
  - Effective Roles for a User
  - Effective Users by Role/Scope/Group
  - Effective permissions to a Writable Object
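
The four delegation steps from the Custom Management Roles slide, including the role-entry removal of step 2, followed by the Get-ManagementRoleAssignment reports listed above, as an added example that is not part of the original deck. It implements the "edit display name but not Department, edit but not create" case and uses the parameter names of released Exchange 2010 (-RecipientRoot, -RecipientRestrictionFilter, -CustomRecipientWriteScope, -SecurityGroup), which differ from those on the slide; the role, scope, assignment and group names and the mailbox "bob" are hypothetical.

```powershell
# Added example, not from the deck. Hypothetical names: the role, scope,
# assignment, security group and the mailbox "bob".
# Run in the Exchange Management Shell as a member of Organization Management.
$role = "HelpDesk-Sales Recipients"

# 1. Create the custom role as a child of the built-in "Mail Recipients" role.
#    That parent has no New-Mailbox entry, so assignees can edit but not create.
New-ManagementRole -Name $role -Parent "Mail Recipients"

# 2. Entries can only be removed from a child role: keep the Get-* cmdlets
#    and the two Set-* cmdlets the help desk needs, remove everything else.
$keep = "Set-User", "Set-Mailbox"
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $_.Name -notlike "Get-*" -and $keep -notcontains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$($_.Id)\$($_.Name)" -Confirm:$false
    }

#    Parameter-level restriction: Set-User stays, but without -Department.
Set-ManagementRoleEntry "$role\Set-User" -Parameters Department -RemoveParameter

# 3. Create the management scope: user mailboxes under the Sales OU only.
New-ManagementScope -Name "Sales Mailboxes" `
    -RecipientRoot "OU=Sales,DC=contoso,DC=com" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 4. Assign the role to a universal security group, limited to that scope.
New-ManagementRoleAssignment -Name "RA-Sales Help Desk" `
    -SecurityGroup "USG-Sales Help Desk" -Role $role `
    -CustomRecipientWriteScope "Sales Mailboxes"

# Reporting: confirm that Department is gone from the Set-User entry.
(Get-ManagementRoleEntry "$role\Set-User").Parameters -contains "Department"

# Effective users by role, with the write scope each assignment carries.
Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Format-Table EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope -AutoSize

# Effective permissions to a writable object: every role that can modify "bob".
Get-ManagementRoleAssignment -WritableRecipient "bob" -GetEffectiveUsers |
    Format-Table Role, EffectiveUserName -AutoSize
```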

Remote PowerShell
- New management architecture for PowerShell in Exchange 2010
- Allows Role-based Access Control (RBAC) model
  - Restricted PSSession allows RBAC to hide cmdlets and parameters
- Client / Server separation
  - Remote PowerShell is always used to connect "remotely" to localhost
  - Enables firewall and cross-forest scenarios
- "No Binaries" scenarios
  - Exchange-cmdlet management from a client machine which does not have Exchange Management Tools (Exchange binaries) installed

Remote PowerShell: How does it work? (diagram)
- PSv2 Client Runspace: Evan runs "> New-PSSession -URI"
- Exchange Server, IIS: Authentication
- IIS WSMan + RBAC stack: Authorization
- Evan: Role Assignment. Cmdlets Available in Runspace: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name
- PSv2 RBAC Server Runspace. Cmdlets Available in Runspace: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name
- Remote Cmdlets Available in Runspace (client): New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name
- "> New-Mailbox -Name Bob": [Bob Mailbox Object in Pipeline]

Remote PowerShell: How Do I Use It?

The Beta Way

    # Session options that switch off the certificate CA, CN and revocation checks
    $wso = New-WSManSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
    # Open a remote session against the Microsoft.Exchange endpoint
    $rr = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri /powershell -SessionOption $wso -Authentication NegotiateWithImplicitCredential
    # Import the cmdlets the session exposes into the local shell
    Import-PSSession $rr

The RTM way

    # Kerberos authentication, no certificate-check overrides
    $rr = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri /powershell -Authentication Kerberos
    Import-PSSession $rr

Or… just run the Exchange Management Shell icon!

Remote PowerShell

Summary
- Exchange Management Console
  - New Features, Bulk Management, and PowerShell convergence
- Role Based Access Control
  - RBAC has replaced the permission model used in Exchange 2007
  - Enables the definition of broad or precise roles and assignments, based on the actual roles administrators perform
- Exchange Control Panel
  - Provides a new way to administer a subset of Exchange features
  - Provides a great self provisioning portal
- Remote PowerShell
  - Uses familiar Exchange cmdlets
  - Allows administration without the Exchange management tools
  - Provides firewall friendly management access

Resources: International Content & Community; Resources for IT Professionals; Resources for Developers; Microsoft Certification & Training Resources

Tech·Ed Africa 2009 sessions will be made available for download the week after the event from:

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.