This is a new and pretty simple video of our education cloud vision, but it clearly lays out our Software+Services strategy:
Here are a couple of large Microsoft cloud education wins I want to showcase:
I get asked this quite a bit for a reference architecture. We just published our MS IT Whitepaper on how and what we did for deploying 180,000 mailboxes on Exchange 2010. There is excellent information in there around Exchange 2010 best practices, architecture considerations, DAG and storage design, backupless strategies, UM design, user training, etc. I snipped a few shots from the whitepaper:
Our sample hardware we leveraged:
Microsoft IT used the following hardware per server role:
· Client Access Two quad-core Intel Xeon x5470, 3.3 gigahertz (GHz), with 16 GB of memory.
· Hub Transport Two quad-core Intel Xeon x5470, 3.3 GHz, with 16 GB of memory.
· Mailbox Two quad-core Intel Xeon x5470, 3.3 GHz, with 32 GB of memory.
· Unified Messaging Two quad-core Intel Xeon x5470, 3.3 GHz, with 16 GB of memory.
Our hub routing design:
JBOD Storage architecture we deployed for Exchange 2010 using anywhere from 4 to 16 node DAGs:
Our DAG design showing ~3,000 mailboxes per DAG node:
Our UM design showing how UM can scale. We leverage only 5 UM servers for 85,000 endpoints:
How we designed highly available UM:
I have been asked this by several education customers evaluating our cloud solution, so I put together a top 10 list of our proposed upcoming online services features (diagrams from our product teams or personal screenshots):
1) Single Sign On and identity federation with On Prem Active Directory
True federation using ADFS 2.0 and Microsoft Federation Gateway which allows for the ability to leverage your on prem AD credentials against our online cloud services. This eliminates the need for the pseudo-SSO client, dual passwords, dual identities, etc.
2) Calendar federation with Exchange on prem (Free/busy or varied calendar details) and Live@edu’s Outlook Live
A popular request for hybrid scenarios where you can share your cloud calendar with external Exchange entities. Another popular request is to share online calendar information with students hosted on Outlook Live. Read more about Exchange 2010 calendar federation on my post here.
3) Exchange Online Unified Messaging – can leverage voicemail in the cloud with your on prem PBX
There is a lot of movement with customers wanting to retire legacy voicemail systems in education. The upcoming Exchange Online release will now support voicemail in the cloud where your on prem PBX can send unanswered calls to Exchange Online for voicemail. A session border controller is needed to support this design.
4) Office Web Apps
Office in the cloud will be popular in education since it will allow you to run applications like Word 2010, Excel 2010, PowerPoint 2010, and OneNote 2010 in any browser without Office 2010 installed locally. The nice part here is you can maintain fidelity with Office 2010 locally, unlike other cloud-based office application solutions.
5) E-discovery and Archiving native with Exchange Online
Exchange Online will provide native archiving, legal hold, and e-discovery which will meet a lot of compliance and regulation needs without having to leverage an add-on solution for Exchange Online such as Exchange Hosted Archiving.
6) Cross prem Exchange management – e.g. can migrate from on prem 2010 to cloud 2010 or vice versa
This is a useful hybrid feature if you have some of your campus on prem and some of your campus in the cloud. The Exchange 2010 on prem administration console has plumbing to support cloud mailbox management and migration, etc.
7) OWA browser parity – works with full fidelity with Safari and Firefox
Exchange Online will have full browser parity with Safari and Firefox which is a big ask in education.
8) External access and sandboxed application support for Sharepoint Online
SharePoint Online moving to SharePoint 2010 platform will bring about significant changes for the online offering including the ability to access SharePoint sites externally (read off campus users) as well as host custom SharePoint applications in a sandboxed fashion.
9) OCS Online federation with Live@edu IM and OCS on prem
OC Online will bring the ability to federate with students hosted on Live@edu or with OCS on prem (hybrid) or other OCS entities.
10) More granular administrative control and SMTP smarthosting
The online platform is providing much richer granular administrative control, which is a common ask with multiple campuses/colleges, and also the ability to provide smarthosting, which is useful for multi-SMTP-domain hosting.
Here is our public announcement of the upcoming BPOS features released this week from the Worldwide Partner Conference:
Additional features will be available based on Communications Server “14” as part of ongoing service updates.
One of the presentations at TechEd went over this and I haven’t seen anyone mention this, but it will be a big deal in education. Since many of our customers are already introducing Live@edu for students with respect to email and Exchange 2010, this inclusion in Windows Live Messenger provides us with some very interesting scenarios. We are doing interop testing now with CS14 and WLM for Peer-to-Peer (P2P) audio and video communications.
If you missed the note and you have iOS4 (new iPhone or new iPod Touch running the iOS4) users please ensure you add the new configuration profile patch to the latest iPhone or iPod Touch prior to connecting to Exchange Server or Exchange Online.
Where do I grab the configuration patch?
Information about obtaining and installing the profile can be found in the Apple support knowledgebase, Article TS3398.
What if I don’t patch the new iPhone or iPod Touch for Exchange?
Failure to install this patch may result in a degraded performance for iOS4 devices, including the inability to connect to Exchange and Exchange Online via ActiveSync to synchronize message and calendar items. There may also be some server impacts so it is worth patching to avoid any issues.
What does the patch do?
Apple tweaked a couple of sync and polling intervals to eliminate these performance issues.
The config notes for CUCM direct SIP integration with Exchange 2010 UM were posted last week. You can download them here.
Some questions I received from a large university in the Chicago area:
How many nodes can I have in a DAG?
Anywhere from 1 to 16 mailbox servers can be included in a DAG.
Does DAG use SMB replication like CCR and SCR did?
No, DAG uses one TCP socket per database for replication.
Which ports does DAG use for replication?
DAG uses a single port for replication and it is port 64327. This is configurable by administrators if needed.
Can you leverage Storage Groups with DAG?
Storage groups have been removed in Exchange 2010 in order to leverage database level failover.
Can I put a public folder database in a DAG?
No, in order to maintain PF database availability it is recommended to setup a public folder replica.
How do I failover to another datacenter? Can I do this after setup or does it have to be performed from initial setup?
SCR used to be the method for datacenter resiliency in Exchange 2007 and it has been replaced with DAG in Exchange 2010. The nice part about a DAG is you can add additional datacenter sites for failover at a later point post DAG setup.
How many NICs do I need in a DAG server? Does it all have to be on one subnet?
2 NICs per server minimum are needed for a DAG server node. DAG also supports multiple subnets (multi-datacenter locations).
Do I have to run a static IP for my DAG?
No, DAG defaults to a DHCP-based IP and can be used with either a static or dynamic IP.
What OS can I run and what OS version for a DAG node is required?
Windows Server 2008 or Windows Server 2008 R2 Enterprise or Datacenter Edition is required.
Where can I put my file share witness?
It has to be in the same AD forest as the DAG and cannot reside on a DAG member. It is recommended to be placed on the hub transport in order to be administered by Exchange admins.
Do I have to pre-create my file share witness like in Exchange 2007?
No, Exchange 2010 will auto-create the FSW share with correct Exchange permissions.
Can I encrypt or compress DAG over the wire?
Yes to both. You would leverage the Set-DatabaseAvailabilityGroup cmdlet to enable either feature.
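The DAG answers above (16-node limit, replication port 64327, file share witness placement, and encryption/compression via Set-DatabaseAvailabilityGroup) pulled together into one Exchange 2010 Management Shell script; this is an added example, not code from the whitepaper or the post. The DAG name, witness server and witness directory are placeholders.

```powershell
# Added example: apply and then verify a DAG's replication settings.
# Placeholders: DAG1 (DAG name), HUB01 (Hub Transport server hosting the FSW).
param(
    [string]$DagName         = 'DAG1',
    [string]$WitnessServer   = 'HUB01',
    [int]   $ReplicationPort = 64327     # default from the post; only change if you must
)

# Turn on encryption and compression for replication traffic on every DAG network.
# Valid values for both settings: Disabled, Enabled, InterSubnetOnly, SeedOnly.
# Note: if you move the replication port, the Windows Firewall rules on every
# member must allow the new TCP port or log shipping will stall.
Set-DatabaseAvailabilityGroup -Identity $DagName `
    -NetworkEncryption  Enabled `
    -NetworkCompression Enabled `
    -ReplicationPort    $ReplicationPort `
    -WitnessServer      $WitnessServer `
    -WitnessDirectory   "C:\DAGFileShareWitnesses\$DagName"

# Read the DAG back with -Status so runtime properties are populated.
$dag      = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
$members  = @($dag.Servers | ForEach-Object { $_.Name })
$witness  = ($dag.WitnessServer.ToString() -split '\.')[0]
$findings = @()

if ($dag.NetworkEncryption  -ne 'Enabled') { $findings += "encryption is $($dag.NetworkEncryption)" }
if ($dag.NetworkCompression -ne 'Enabled') { $findings += "compression is $($dag.NetworkCompression)" }
if ($dag.ReplicationPort -ne $ReplicationPort) { $findings += "replication port is $($dag.ReplicationPort)" }
# A DAG holds at most 16 mailbox servers.
if ($members.Count -gt 16) { $findings += "$($members.Count) members exceeds the 16-node limit" }
# The file share witness must not live on a DAG member.
if ($members -contains $witness) { $findings += "witness $witness is itself a DAG member" }
# Every configured member should currently be operational.
$down = $members | Where-Object { $_ -notin @($dag.OperationalServers | ForEach-Object { $_.Name }) }
foreach ($s in $down) { $findings += "member $s is not operational" }

if ($findings.Count -eq 0) {
    Write-Output "$DagName : replication settings verified"
} else {
    $findings | ForEach-Object { Write-Warning "$DagName : $_" }
}
```

Run it from the Exchange Management Shell on any server with the Exchange Management Tools installed; the warnings are the items to fix before relying on the DAG for site resilience.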
Any new DAG features coming in SP1 I should know about?
There are some enhancements which are slated (subject to change) to be included with DAG SP1 including:
Block mode replication
DAG server maintenance mode option
DAG database re-distribution
Better cross-datacenter DAG experience for Outlook users (read - fewer Outlook restarts needed)
Better DAG reporting
DAC mode available for one site now
Re-seeds can use spare storage
Other minor DAG additions and tweaks
This was a question asked by a university in New Mexico. I searched high and low for one but the product team has confirmed there is no SCW template available for OCS 2007 R2.
What can I do to reduce the attack surface for my OCS 2007 R2 servers?
The first thing you can do is apply the Windows Server 2008 OS SCW template to reduce the attack surface of the OS hosting OCS. You can export the XML file and re-apply it to each OCS server. Read more here. Be sure to read the OCS R2 Security Guide below so that you allow the ports OCS R2 needs in order to communicate.
Where can I read about how to secure OCS 2007 R2 servers?
Download the OCS 2007 R2 Security Guide here. This security guide has a lot of good information around securing your edge server, firewall rules, client policy, hardening OCS servers, etc.
Are there other ways to turn down unused OCS services?
Yes, you can disable unused OCS Edge services using LCSCmd.exe, as in this example where the Web Conferencing and Access Edge roles are not used on a consolidated Edge server:
LCSCmd.exe /Server /Role:AP /Components:AP,DP /Action:Deactivate
Server
Executes the action for the specified server FQDN.
/server - deactivates the local server.
/server:<remoteComputerFQDN> - deactivates the role on the remote computer.
/Role
Specifies the role of the server.
/Components
Specifies the component roles available on an Office Communications Server 2007 R2 Edge Server. Components are separated by commas. You must specify at least one Edge Server role, or activation will fail.
Valid values are:
AP to deactivate Access Edge Server
DP to deactivate Web Conferencing Edge Server
MR to deactivate A/V Edge Server
If you aren’t using services like Conferencing Attendant, Conferencing Announcement Service, Response Group Service and Outside Voice Control on an OCS front end server:
You can stop the Windows service called UCAS to reduce your attack surface.
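An added audit script (not Microsoft tooling and not from the OCS Security Guide) that checks the two front-end hardening steps above across a set of servers: whether each server still matches the exported SCW policy, and whether the UCAS service is stopped and disabled. Server names, the policy path and the report folder are placeholders; the service name is the one the post gives, so confirm it with Get-Service before trusting a "not found" result.

```powershell
# Added example: audit OCS 2007 R2 front-end servers against the SCW policy
# and the "stop UCAS when unused" step. All paths and hostnames are placeholders.
$Servers   = @('OCSFE01', 'OCSFE02')          # placeholder front-end servers
$PolicyXml = 'C:\SCW\ocs-fe-policy.xml'       # placeholder SCW policy exported from a reference box
$ReportDir = 'C:\SCW\reports'                 # placeholder folder for scwcmd analyze results
$Unused    = @('UCAS')                        # service named in the post; verify with Get-Service

if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }

foreach ($server in $Servers) {
    # 1. Compare the live server against the exported policy.
    #    scwcmd analyze writes <server>.xml into /o:; a non-zero exit code means the
    #    analysis itself failed (unreachable host, bad credentials), not that it drifted.
    & scwcmd.exe analyze /p:$PolicyXml /m:$server /o:$ReportDir | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$server : scwcmd analyze failed (exit $LASTEXITCODE)"
    } else {
        $result = Join-Path $ReportDir "$server.xml"
        Write-Output "$server : SCW analysis written to $result (review with 'scwcmd view /x:$result')"
    }

    # 2. Confirm the unused application-host service is both stopped and disabled,
    #    since a stopped-but-automatic service comes back at next reboot.
    foreach ($name in $Unused) {
        $svc = Get-Service -ComputerName $server -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            Write-Warning "$server : service '$name' not found; check the service name"
            continue
        }
        $mode = (Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='$name'").StartMode
        if ($svc.Status -eq 'Stopped' -and $mode -eq 'Disabled') {
            Write-Output "$server : $name stopped and disabled"
        } else {
            Write-Warning "$server : $name is $($svc.Status) with start mode $mode"
        }
    }
}
```

To remediate a flagged server, re-apply the policy with scwcmd configure /p:<policy> /m:<server> and disable the service with Set-Service -ComputerName <server> -Name UCAS -StartupType Disabled.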