Ilse Van Criekinge TSP Core UC Microsoft BeLux Session Code: UNC316.

Content Introduction Exchange Management Console (EMC) Exchange Control Panel (ECP) Role Based Access Control (RBAC) Remote PowerShell Monitoring

Exchange 2010 Investments: Simplify Administration. Empower specialist users to perform specific tasks with role-based administration: Compliance Officer - conduct mailbox searches for legal discovery; HR Officer - update employee info in the company directory. Lower support costs through new user self-service options: track the status of sent messages; create and manage distribution lists. The annual cost of helpdesk support staff for systems with 7,500 mailboxes is approximately $20/mailbox. This cost goes up the smaller the organization. (“Support Staff Requirements and Costs: A Survey of 136 Organizations”, Ferris Research, June 2008).

Exchange 2010 Management: What's New? New Exchange Management Console (EMC) features. Exchange Control Panel (ECP): new and simplified web-based management console, targeted at end users, hosted tenants, and specialists. Role Based Access Control (RBAC): new authorization model; easy to delegate and customize; all Exchange management clients (EMS, EMC, ECP) use RBAC. Remote PowerShell: manage Exchange remotely using PowerShell v2.0. Note: no more local PowerShell, it's all remote in Exchange 2010. Monitoring.

Exchange 2010 Management: Supported OS platforms. All of Exchange 2010 is 64-bit only; the admin tools also require a 64-bit OS. Supported OS platforms for the Admin/Management Tools: Vista x64 SP1 (*may be SP2), W2k8 x64 SP2, Windows7 x64 Client and W2k8 R2 x64. Remote PowerShell management does not require Exchange binaries at the client. Supported client OS platforms: Vista (x86 or x64), W2k8 (x86 or x64), W2k8 R2 (x86 or x64) or Win7 (x86 or x64), W2k3 (x86 or x64), XP (x86 or x64).

Exchange Management Console (EMC) Improvements: built on Remote PowerShell and RBAC; multiple forest support; cross-premises Exchange 2010 management, including mailbox moves; recipient bulk edit; PowerShell command logging; new feature support, for example High Availability.

Exchange Management Console

Exchange Control Panel (ECP): What is it? A browser-based management client for end users, administrators, and specialists. Accessible directly via URL, OWA and Outlook 2010. Deployed as a part of the Client Access Server role. Simplified user experience for common management tasks. RBAC aware.

ECP Architecture Overview (high-level view): AJAX-based. Shares some code with OWA, but two separate applications. Deployed on the Client Access Server. ECP -> ASP.Net -> RBAC -> PowerShell. Authentication: Windows Integrated, Basic, Forms Based. Browser support is the same as OWA: IE, Firefox, Safari.

Exchange Control Panel: Who will use it? Specialists and administrators: administrators can delegate to specialists, e.g. Help Desk Operators, Department Administrators, and eDiscovery Administrators. End users: comprehensive self-service tools for end users. Hosted customers: Tenant Administrators and Tenant End Users.

Exchange Control Panel: User View Primary Navigation Secondary Navigation

Exchange Control Panel: Admin View Primary Navigation UI Scope Control Secondary Navigation

Exchange Control Panel: User Self-Service features Lower Support Costs Through New User Self-Service Options Distribution Group Management Join existing groups Create and manage groups

Exchange Control Panel: User Self-Service features Lower Support Costs Through New User Self-Service Options Message Tracking Track message delivery Can be accessed from messages in OWA

Exchange Control Panel: User Self-Service features Lower Support Costs Through New User Self-Service Options Edit own details Modify Address List Contact details

Exchange Control Panel: Administration features Empower Specialist Users Specialist Administration Compliance Officers: Multi-mailbox search HR: Manage Users and Groups

Exchange Control Panel: Administration features Empower Specialist Users Manage other users Help Desk can manage user’s OWA options Can make same changes as targeted user

Exchange Control Panel: Administration features Empower Specialist Users Manage Permissions Manage roles Manage User self-service policies

Exchange Control Panel

RBAC in Exchange 2010: RBAC has replaced the permission model used in Exchange 2007. Your “role” is defined by “what you do”. Define precise or broad roles and assignments based on the tasks that need to be performed. Includes self-administration. Used by EMC, EMS and ECP.

RBAC Management Role Assignment: Who can do What… and Where? A Role Assignment binds a Role and a Scope to a Role Holder (Assignee). Who? The Role Holder: administrators / specialists, grouped in a Role Group (the higher-level job function). What? The Role (task-based permissions), made up of Role Entries, each a Command with its Parameters (the individual permissions). Where? The Scope: Recipient Scope and Configuration Scope. The Role Assignment is the binding layer between them.
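The who/what/where binding described above, written out as Exchange Management Shell commands. This is an added example, not part of the original slides; the role, scope, group and user names are hypothetical, and it assumes a shell opened by a member of Organization Management.

```powershell
# Added example: role, scope, group and user names below are hypothetical.

# WHAT: a child of the built-in "Mail Recipients" role. A child role starts with all
# of its parent's role entries, so remove everything except the cmdlets to keep.
New-ManagementRole -Name "Brussels Mailbox Edit" -Parent "Mail Recipients"
$keep = "Get-Mailbox", "Get-User"
Get-ManagementRoleEntry "Brussels Mailbox Edit\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# A role entry is a command plus parameters: re-add Set-Mailbox with only the
# parameters this job function needs.
Add-ManagementRoleEntry "Brussels Mailbox Edit\Set-Mailbox" `
    -Parameters Identity, DisplayName, IssueWarningQuota

# WHERE: a recipient scope defined by a filter on the City attribute.
New-ManagementScope -Name "Brussels Users" `
    -RecipientRestrictionFilter { City -eq "Brussels" }

# WHO: a role group. Creating it with -Roles also creates the role assignment that
# binds the role and the scope to the group. -ManagedBy sets ownership only.
New-RoleGroup -Name "Brussels Help Desk" `
    -Roles "Brussels Mailbox Edit" `
    -CustomRecipientWriteScope "Brussels Users" `
    -Members "robin" -ManagedBy "ilse"

# Verify the binding layer and the surviving role entries.
Get-ManagementRoleAssignment -RoleAssignee "Brussels Help Desk" |
    Format-List Name, Role, RoleAssigneeName, CustomRecipientWriteScope
Get-ManagementRoleEntry "Brussels Mailbox Edit\*" |
    Format-Table Name, Parameters -Wrap
```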

Built-In Role Groups (role membership is managed through ECP and the Exchange Management Shell): Organization Management, Public Folder Management, Recipient Management, View-Only Organization Management, UM Management, Help Desk, Records Management, Discovery Management, Server Management, Delegated Setup, Hygiene Management.

RBAC Role Assignment Policies: New mailboxes are assigned the default assignment policy. A mailbox can have only one role assignment policy. Who? The Role Holder, through a Role Assignment Policy (the higher-level job function). What? The Role (task-based permissions). Where? Scope = “Self”. The Role Assignment is the binding layer.

Customizing Permissions: Role assignment policies. Some customization is supported through ECP. Changes affect the entire user segment. Assignments can be additive or subtractive (Add/Remove-ManagementRoleAssignment). Only applies to end user roles.

Customizing Permissions: Role groups. Simplest method: update role groups. A change affects all members. Assignments can be additive or subtractive (Add/Remove-ManagementRoleAssignment).

RBAC Role Delegation: Role membership is not a right to delegate. RoleAssignment delegation: a special kind of role assignment; delegation does not grant role permissions. RoleGroup delegation: controlled through RoleGroup ownership; the ManagedBy parameter is similar to DGs (multi-valued); ownership does not grant RoleGroup permissions.

RBAC Permissions Reporting: effective users by role/scope/group; effective permissions to a writable object; Get-ManagementRoleAssignment.
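An added example (not from the original slides) of the reporting and delegation points above, as the queries an administrator would run when reviewing who holds which permissions. It assumes the built-in "Mailbox Search" role; the mailbox name and the output path are hypothetical.

```powershell
# Added example: "robin" and the CSV path are hypothetical.
$cols = "EffectiveUserName", "Role", "RoleAssigneeName",
        "AssignmentMethod", "CustomRecipientWriteScope"

# 1. Effective users by role: every account that can run multi-mailbox searches,
#    with role group membership expanded to individual users.
Get-ManagementRoleAssignment -Role "Mailbox Search" -GetEffectiveUsers |
    Sort-Object EffectiveUserName | Format-Table $cols -AutoSize

# 2. Effective permissions to a writable object: every account whose assignments
#    allow it to modify this one mailbox.
Get-ManagementRoleAssignment -WritableRecipient "robin" -GetEffectiveUsers |
    Sort-Object EffectiveUserName | Format-Table $cols -AutoSize

# 3. Delegating assignments: these let the holder assign the role to others
#    without granting the role's own permissions.
Get-ManagementRoleAssignment -Delegating $true |
    Format-Table Name, Role, RoleAssigneeName, RoleAssignmentDelegationType -AutoSize

# 4. Assignments made directly to a user instead of through a role group; these
#    are easy to miss when only group membership is reviewed.
Get-ManagementRoleAssignment -RoleAssigneeType User |
    Format-Table Name, Role, RoleAssigneeName, CustomRecipientWriteScope -AutoSize

# 5. Baseline snapshot, so a later run can be compared with Compare-Object.
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Select-Object $cols |
    Export-Csv -Path "C:\Audit\rbac-effective-users.csv" -NoTypeInformation
```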

Role Based Access Control

Remote PowerShell: Allows the Role-Based Access Control model: a restricted PSSession allows RBAC to hide cmdlets and parameters. Client / server separation: Local Shell and Remote Shell; Remote PowerShell is always used to connect “remotely” to localhost. Enables firewall and cross-forest scenarios. “No Binaries” scenarios: Exchange cmdlet management from a client machine which does not have the Exchange Management Tools (Exchange binaries) installed.

Remote PowerShell: How does it work? Client side: a PSv2 client runspace, where the user (Ilse) runs > New-PSSession –ConnectionUri. Exchange Server side: IIS handles authentication; the WSMan + RBAC stack handles authorization; a PSv2 RBAC server runspace is created. Ilse's role assignment: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name. Cmdlets available in the server runspace and as remote cmdlets in the client runspace: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name. The client runs > New-Mailbox –Name Robin. Result: [Robin Mailbox Object in Pipeline].
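The flow above, as an added example that is not part of the original slides: connect from a workstation without the Exchange tools and list what RBAC exposes to the connecting account. The server name and the allow-list are placeholders, and Kerberos against the /PowerShell/ virtual directory of a domain-joined Exchange 2010 server is assumed.

```powershell
# Added example: "ex01.example.com" and the $expected allow-list are placeholders.
$uri = "http://ex01.example.com/PowerShell/"
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri $uri -Authentication Kerberos -Credential (Get-Credential)

# Import-PSSession creates local proxy functions only for the cmdlets the server-side
# runspace contains, so the export list is this account's RBAC-filtered view.
$module  = Import-PSSession $session -AllowClobber
$exposed = $module.ExportedFunctions.Keys | Sort-Object
"{0} cmdlets exposed to this account" -f @($exposed).Count

# Review step: state-changing cmdlets that are not on the list this job function
# is supposed to have.
$expected = "Set-Mailbox"
$exposed | Where-Object { $_ -notmatch '^Get-' -and $expected -notcontains $_ }

# RBAC also hides parameters: list the ones that survived on a single cmdlet
# (PowerShell common parameters appear in this list as well).
$cmd = Get-Command Set-Mailbox -ErrorAction SilentlyContinue
if ($cmd) {
    $cmd.Parameters.Keys | Sort-Object
} else {
    "Set-Mailbox is not exposed to this account"
}

# Close the session so the server-side runspace is released.
Remove-PSSession $session
```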

Remote PowerShell and Files: Importing and exporting files changed. Limitations on importing files: 500MB for each cmdlet that’s run; 75MB for each object that’s passed to a cmdlet. Can be altered.

Remote PowerShell

Monitoring and Reporting: Greatly reduced alert “noise”: uses the Operations Manager health model to hide “symptom alerts” and leave “root cause alerts”; only raises alerts for the lowest-level failure within a 90-second window; faster problem resolution. Reporting: Service Level Agreement (SLA) target support; mail flow statistics based on message tracking logs; distribution group usage.

Sample Reports

Summary: Exchange Management Console: new features, bulk management, and PowerShell convergence. Role Based Access Control: RBAC has replaced the permission model used in Exchange 2007; it enables the definition of broad or precise roles and assignments, based on the actual roles administrators perform. Exchange Control Panel: provides a new way to administer a subset of Exchange features; provides a great self-provisioning portal. Remote PowerShell: uses familiar Exchange cmdlets; allows administration without the Exchange management tools; provides firewall-friendly management access.

Related Content: UNC306 Information Protection and Control in Microsoft Exchange Server 2010, Ilse Van Criekinge, 11/11/2009 10: :00. UNC201 Introducing Microsoft Exchange Server 2010, Adam Glick, Astrid McClean, 11/10/2009 09: :15. UNC202 Discover the New OWA: Outlook Web App, Adam Glick, 11/10/2009 13: :45. UNC14-HOL Microsoft Exchange Server 2010 Setup and Deployment.

UNC Track Call to Action! Learn More! Related content at TechEd is on the “Related Content” slide. Attend in person or consume post-event at TechEd Online. Check out learning/training resources at Microsoft TechNet: Exchange Server and Office Communications Server. Check out Exchange Server 2010 at the Virtual Launch Experience (VLE) at the new efficiency.com. Try It Out! Download the Exchange Server 2010 Trial. Take a simple Web-based test drive of UC solutions through the 60-Day Virtual Experience.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.