Wednesday, May 13, 2009

Exchange 2010 Management tool - UNC318

A. Introduction:
1. 2010 is 64 bit only
· Admin tools also require 64 bit
2. Supported OS:
· Vista, 2008, windows 7
3. Remote power shell:
· Does not require exchange binaries to be installed on the admin machine which means you can also use 32 bit clients to remotely manage your exchange environment

B. EMC: Exchange Management Console:
1. Features:
· Built on remote PS and RBAC (Role based access control)
· Allows for multiple forest
· Cross premise 2010 management – including mailbox moves across organizations
· Recipient bulk edit – you can change mailbox attributes and permissions in bulk
· Power shell command logging

2. Demo: EMC (Exchange Management Console)
· You can see an extra node at the top of EMC for the forest
· You can see all licensing info from the forest level
· You can also view stuff for high availability: DAG
· You can select multiple mailboxes and edit AD attributes and other Exchange configuration in bulk
· The command log also even shows you the commands launched by EMC to view the information

C. ECP: Exchange control panel
1. What is it:
· Browser based management client for end users, administrators and specialists
· Accessible directly via URL, OWA, and Outlook 2010
2. Who uses it:
· Admins and specialists: admins can delegate to specialists, e.g. help desk operators, department admins and eDiscovery admins
· End users: comprehensive self service tools for end users
· Hosted customers: tenant administrators and tenant end users
3. Demo:
· Logging in as a regular user into OWA. The user has restricted access, so some of the buttons and drop-down menu items are missing
· The user is able to change their own information
· Running delivery report: the users can populate the fields and run a search
· Managing distribution lists (public groups): the user can create a new group and set permissions. You can set it so that other people can join only with your approval.
· Logging in as another regular user
4. ECP architecture overview:
· Ajax based
· Shares some code with OWA but they are two separate applications
· Deployed on CAS
· ECP --> ASP.Net --> RBAC --> PowerShell
· Authentication: Windows integrated, basic, forms based
5. RBAC, how it changes UI:
· From a user POV, the options are not even there
D. RBAC (Role Based Access Control) in exchange 2010
1. Intro:
· RBAC has replaced the permissions model of 2007: 2007 still used ACLs
· Your role is defined by what you do
· Define precise or broad roles and assignments based on the tasks that need to be performed. It's tied to PowerShell commands
· Includes self administration
· Used by EMC, EMS and ECP
2. Who can do what and where?
· Admins and end users
· Concept of roleGroup/USG
· You assign roles to people
3. What? Tasks that users can do. This comes down to a set of cmdlets tied to the following management roles:
· Organization management
· View only org management
· Recipient management
· UM management
· Discovery management
4. Where?
· What is the scope? Could be a recipient organizational unit
· You can define by OU or by AD attribute
· You can also narrow by server scope
· You can further narrow permissions by use of exclusive scopes. These are like exception clauses.
5. custom management roles:
a. custom roles can be added to suit specific delegation requirements:
· roles are hierarchical, with the built-in roles at the top
· role entries can only be removed from a (child) role, never added
b. steps to delegate a role:
· create the management role
· change the new role’s management role entries by removing role entries
· create a management scope
· assign the new management role

6. Demo:
· Get-ManagementRoleAssignment cmdlet: you can view all the role assignments
· Assigning a helpdesk role: New-ManagementRoleAssignment helpdesk -Role mailboxadmin -User 'contoso\jills'
· From the ECP view you can see that she has the "my organization" view: she can see mailboxes, can edit properties of a mailbox, can create a new mailbox
· Customizing the mailbox admin role using PowerShell: Set-ManagementRoleEntry mailboxadmin\set-user -Parameters department -RemoveParameter. This should make the department field read only
· Remove-ManagementRoleEntry mailboxadmin\*new-mailbox*: you get a warning; continuing will remove the permission to create mailboxes altogether
· You no longer see the New button in ECP, and you can't set the department field on the mailbox
· You get granular control over the role entries
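The four delegation steps above and the demo that follows them, put together as one script. This is an added example, not from the session notes or from Microsoft's own documentation; the role name, OU, scope name, role group and user (contoso\jills, taken from the demo) are assumptions, and the cmdlets and parameters are the Exchange 2010 RBAC cmdlets run from the Exchange Management Shell.

```powershell
# Added example (not from the session notes). Assumed names: "Helpdesk Mailbox Admin",
# the contoso.com/Sales OU, the "Sales Recipients" scope and the "Sales Helpdesk" group.

# Step 1: create the management role. Custom roles are always children of a
# built-in role and start with a copy of the parent's role entries.
New-ManagementRole -Name "Helpdesk Mailbox Admin" -Parent "Mail Recipients"

# Step 2: trim the role entries. Entries can only be removed from a child role,
# never added, so the child is always a subset of the parent.
#   a) drop the ability to create mailboxes entirely (as in the demo's Remove-ManagementRoleEntry step)
Remove-ManagementRoleEntry "Helpdesk Mailbox Admin\New-Mailbox" -Confirm:$false
#   b) keep Set-User but take away one parameter, which makes Department read-only
#      for this role (the demo's Set-ManagementRoleEntry step)
Set-ManagementRoleEntry "Helpdesk Mailbox Admin\Set-User" -Parameters Department -RemoveParameter

# Step 3: create a management scope, here the recipients under one OU. The
# restriction filter narrows further by AD attribute (recipient type).
New-ManagementScope -Name "Sales Recipients" `
    -RecipientRoot "contoso.com/Sales" `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }

# Step 4: assign the new role. Assigning to a role group (a USG under the hood) is
# the usual pattern; membership then grants the role, ownership (-ManagedBy) does not.
New-RoleGroup -Name "Sales Helpdesk" `
    -Roles "Helpdesk Mailbox Admin" `
    -Members "contoso\jills" `
    -CustomRecipientWriteScope "Sales Recipients"

# The direct per-user assignment seen in the demo is the same thing without the group:
# New-ManagementRoleAssignment -Name "Helpdesk-jills" -Role "Helpdesk Mailbox Admin" `
#     -User "contoso\jills" -CustomRecipientWriteScope "Sales Recipients"

# Check the result from both directions (the permission reporting covered later):
#   what does this user effectively hold, and who can write to a given mailbox?
Get-ManagementRoleAssignment -RoleAssignee "contoso\jills" -Delegating $false |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
Get-ManagementRoleAssignment -WritableRecipient "contoso.com/Sales/Some Mailbox" -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, AssignmentMethod -AutoSize
```

After this runs, jills sees exactly what the demo showed in ECP: mailbox properties are editable inside the Sales OU only, the Department field is greyed out, and the New mailbox button is gone, because the cmdlet and parameter are no longer in any role entry assigned to her. The `-Delegating $false` filter matters when reading the report: a delegating assignment lets someone hand a role out but does not let them run its cmdlets.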
7. RBAC role delegation:
a. Role membership is not a right to delegate
b. Role assignment delegation:
· Special kind of role assignment
· Delegation does not grant role permissions
c. RoleGroup delegation:
· Controlled through role group ownership
· Managed by parameter similar to DGs
· Ownership does not grant role group permissions
8. RBAC permission reporting
a. Get-ManagementRoleAssignment:
· Effective roles for a user
· Effective user by role/scope/group
· Effective permissions to a writable object
E. Remote power shell:
1. New management architecture for PowerShell in 2010
a. Allows the role based access control model:
· Restricted sessions allow RBAC to hide cmdlets and parameters
b. Role membership is not a right to delegate
· Remote PowerShell is always used, even when connecting to the local host
· Enables firewall and cross forest scenarios
c. No binaries scenario:
· Exchange cmdlet management from a client machine which does not have the Exchange management tools (Exchange binaries) installed

2. How does it work?
a. Start off with a 32 bit client
· Makes a connection to IIS on the Exchange server
· WSMan + RBAC stack authorization, querying AD
· Role assignment is looked up: you get a list of cmdlets that you can run
· A PS session is created on the server exposing only that list of cmdlets
· You still get tab completion and all that good stuff
· After a command runs, its output is pipelined back to the client
3. How do I use it?
a. The beta way:
· Uses SSL
b. The rtm way:
· Uses http since authentication is via Kerberos
4. Demo:
· Running a PS session from a 32 bit client
· $rs = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://slc-exch01.contoso.com/powershell/ -Credential $cred
· Import-PSSession $rs: this will go out to the server and fetch all cmdlets available to you
· You can now run Exchange cmdlets
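The demo above, written out as a script you could run from a workstation with no Exchange binaries. This is an added example, not the session's or Microsoft's own script; the server name slc-exch01.contoso.com and the user contoso\jills come from the notes, everything else (the variable names, the mailbox query) is an assumption.

```powershell
# Added example (not from the session notes). Runs in plain Windows PowerShell 2.0
# on a client without the Exchange management tools installed.

# Kerberos over plain HTTP is the RTM way for a domain-joined client; the beta way
# (Basic auth over SSL) would use an https:// URI and -Authentication Basic instead.
$cred = Get-Credential -Credential "contoso\jills"

$rs = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://slc-exch01.contoso.com/powershell/" `
    -Authentication Kerberos `
    -Credential $cred

# Import-PSSession asks the server which cmdlets RBAC allows this user and builds
# local proxy functions for just those. It returns the temporary module, which is
# handy for seeing exactly what the RBAC filter let through.
$proxy = Import-PSSession $rs

"Cmdlets available to {0}: {1}" -f $cred.UserName, $proxy.ExportedCommands.Count
# A user with only the trimmed helpdesk role will not see New-Mailbox here at all,
# because the server never exposes it, rather than failing when it is called.
$proxy.ExportedCommands.Keys -like "*-Mailbox*" | Sort-Object

# The proxy functions look like the real cmdlets, including tab completion, but
# each call is executed on the server and the objects are serialized back.
Get-Mailbox -ResultSize 5 | Format-Table Name, Database, ServerName -AutoSize

# The session is worth closing explicitly: each open one consumes a runspace
# on the CAS, and there is a per-user limit on concurrent sessions.
Remove-PSSession $rs
```

Because the proxy functions are generated from the server side, the list of commands the client sees is the permission report in another form: comparing `$proxy.ExportedCommands` for two users is a quick way to confirm that a role trim took effect before touching ECP.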

F. Monitoring:
1. Monitoring and reporting based on operations manager 2007
a. Supports 2007 sp1 or 2007 r2
b. Mp releasing concurrently with exchange 2010
2. Greatly reduced alert “noise”:
a. Correlation engine
· Uses the Operations Manager health model to hide symptom alerts and leave root cause alerts, for faster problem resolution and fewer headaches
· Smarter alerts: Exchange 2010 diagnostics specifically designed for monitoring: scale ready, no more “magic number” threshold tuning
b. Better reporting
