A braindump of each day of the course is nice, but I'd like to tie it all up with a nice summary, so that I can move on and use this website for something more interesting than work...
From a Domino Administrator's point of view, Exchange 2010 is the best version of Exchange yet.
It has to be looked at from a viewpoint of "just mail", of course.
But from that viewpoint, it has solved many problems. Its high availability features are excellent. It takes great pains to make it very difficult to lose data. Its general architecture, whilst heavy on Windows licenses, is sound.
Nothing is perfect. But Exchange is, at its core, at least as good for email as Domino is - maybe better. It depends on your exact needs.
Some parts are bad. I was also distressed to see that features had been dropped from previous versions of Exchange, or were being changed within service packs - so I still have a bit of that "not a consistent platform in the long term" feeling I've always had about Exchange. But those were minor features at the edges, not core ones.
I could waste time saying what Domino would need to improve to compete against Exchange, but I doubt IBM will be listening and I want to keep this short.
I've been avoiding Exchange for years, for a variety of reasons. I've even been known to change jobs because Exchange was on the cards. But Exchange 2010 is the first version that I feel happy to work with.
It took fifteen years for Microsoft to deliver something that I could say that about. But I'm picky. So if it's good enough for me, I'd say that makes it pretty good.
A smorgasbord of topics on the final day...
(Apologies for the delayed write-up - I had a busy social weekend.)
We need an Enterprise CAL to journal individuals? Really?
Otherwise it seems OK, if basic: a copy of each message simply gets sent to another mailbox as well. No hassle for the user at all...
Easy to enable, easy to do searches - although it depends on the web-based Exchange Control Panel, so it's via the web only.
Remind me to hide this from Compliance, Security and HR, as they'll no doubt bring servers to their knees with this feature!
Retention Tags and Policies
A rather nice way of tagging content to say both how long and why you're keeping something, as well as what should happen once the retention period is reached.
Tags are managed by the administrators, and you can set up a "managed folder" which you assign users to - the user then gets the folder automatically, and anything in that folder gets the retention policy applied.
The system can also auto-tag new mails: it looks at your old tags and figures out which ones to apply. We didn't see this in action, as you need 500 tagged messages before it will work!
That high threshold for enabling it and the fact that you can't assign tags via Hub Transport rules means that this feature will probably be doomed to obscurity.
Requires an Enterprise CAL!
As shipped, archiving is to the same mailbox anyway; post-SP1, it can be to another mailbox or to the cloud.
I knew that already - every upgrade path presented seems to require building a new shadow infrastructure and migrating. This still astonishes me.
RBAC (Role Based Access Control)
Exchange now has a comprehensive list of things that can be delegated to local or helpdesk staff, and allows reasonably granular control over this.
Some groups are provided by default, but not all the roles you may want are assigned to them - probably a good thing, as permissions should not be granted by default! Worth remembering if you're going to use it though...
A performance analyser, but not much else. Apparently we should all use SCOM - can you guess who sells that product?
I've had some time to think about what I've seen, and will probably be putting up a "first impressions" style entry shortly.
A good day, in which we covered high availability, backup/restore and security.
These are topics that have been a major part of my career, so I have more to say today. (Sorry!)
High Availability - Databases
It isn't using Windows Clustering.
Do you have any idea how good that is? Windows Clustering is awful. I've lost count of the number of times I've seen it fail to work properly. Why anyone uses it is beyond me.
Instead, Exchange 2010 uses multiple Client Access Servers at the front end to keep things highly available to clients, and multiple database locations to keep the data available to those clients. It's pretty slick. In the lab, failover was instant and seamless.
You don't have to install with this high availability - it's there by default for the Client Access Server role, and when you make a Database Availability Group the relevant components are installed and activated seamlessly. So you can move up to it very easily.
Only one copy of a database is active at any time; the others are kept up to date via log shipping. But logs are shipped incrementally rather than waiting for a log file to fill up, and the log files are just 1Mb anyway, so log shipping is very quick.
You can have up to 16 copies of a database on different servers, which is a lot of redundancy. (And will probably make your network card glow white hot with all the log shipping.) Specific copies can also be told not to replay logs immediately but to wait for a configurable amount of time, which may help stop a corruption or data loss being shipped to every copy. However, only one copy is active at any one time, and there is no automatic failback. I sense a manual morning check in my future...
Creating new copies is very easy, and you can set a failover order for each database so that network links you want to be a last resort really are used last - so some thought has gone into all of this.
It's not Notes replication. But it's just about as close as you can get, and that's a good thing.
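To make the log shipping and lagged-copy behaviour described above concrete, here is a small added simulation. It is my own example, not Exchange code or anything from the course: three copies of one database, one of them with a replay lag, and a failover order. The mailbox "operations" in the logs are simplified to item-count changes, and the server names and timings are made up.

```python
"""Toy model of Exchange 2010-style log shipping with a lagged database copy.

Constructed example: log records are simplified to (mailbox, change in item count);
nothing here talks to a real server.
"""
from dataclasses import dataclass, field


@dataclass
class LogSegment:
    generation: int      # sequence number of the log file
    shipped_at: int      # minute at which the active copy shipped it
    records: list        # [(mailbox, delta_item_count), ...]


@dataclass
class DatabaseCopy:
    server: str
    activation_preference: int        # 1 = first choice when the active copy fails
    replay_lag: int = 0               # minutes a shipped log waits before being replayed
    queue: list = field(default_factory=list)    # shipped but not yet replayed
    state: dict = field(default_factory=dict)    # mailbox -> item count after replay

    def receive(self, seg):
        self.queue.append(seg)

    def replay_due(self, now):
        """Replay, in generation order, every queued log whose lag has elapsed."""
        due = sorted((s for s in self.queue if now - s.shipped_at >= self.replay_lag),
                     key=lambda s: s.generation)
        for seg in due:
            for mailbox, delta in seg.records:
                self.state[mailbox] = self.state.get(mailbox, 0) + delta
            self.queue.remove(seg)

    def discard_from(self, generation):
        """Drop queued logs from a bad generation onwards (only possible while they are still lagged)."""
        self.queue = [s for s in self.queue if s.generation < generation]


class Dag:
    def __init__(self, copies):
        self.copies = {c.server: c for c in copies}
        self.active = min(copies, key=lambda c: c.activation_preference).server
        self.generation = 0

    def write(self, now, records):
        """The active copy closes a log and ships it to every copy (itself included, lag 0)."""
        self.generation += 1
        for c in self.copies.values():
            c.receive(LogSegment(self.generation, now, records))
        return self.generation

    def tick(self, now):
        for c in self.copies.values():
            c.replay_due(now)

    def failover(self, failed_server):
        """Activate the surviving copy with the best activation preference; no automatic failback."""
        healthy = [c for s, c in self.copies.items() if s != failed_server]
        self.active = min(healthy, key=lambda c: c.activation_preference).server
        return self.active


def scenario():
    """A bulk deletion reaches the non-lagged copies at once; the lagged copy can be protected."""
    dag = Dag([
        DatabaseCopy("MBX1", activation_preference=1),
        DatabaseCopy("MBX2", activation_preference=2),
        DatabaseCopy("MBX3", activation_preference=3, replay_lag=60),   # lagged copy
    ])
    dag.write(0, [("alice", 10)])
    dag.write(5, [("alice", 5)])
    dag.tick(5)
    bad = dag.write(10, [("alice", -15)])     # minute 10: everything in alice's mailbox is deleted
    dag.tick(10)
    non_lagged = dag.copies["MBX2"].state["alice"]   # already 0: the deletion was shipped and replayed
    dag.copies["MBX3"].discard_from(bad)             # the lagged copy still holds the bad log unreplayed
    dag.tick(200)                                    # let its lag expire: only the good logs are replayed
    lagged = dag.copies["MBX3"].state["alice"]
    active = dag.failover("MBX1")                    # MBX1 dies: MBX2 is next by activation preference
    return {"non_lagged": non_lagged, "lagged": lagged, "active": active}


if __name__ == "__main__":
    print(scenario())
```

The point of the lag is visible in the result: the two non-lagged copies have faithfully replayed the deletion, while the lagged copy still has the mailbox intact because the bad log was discarded before its replay window expired. On a real server the corresponding knobs are the ReplayLagTime and ActivationPreference settings of a mailbox database copy, and, as the text says, you still have to notice the problem inside the lag window yourself.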
High Availability - Mail Routing
Shadow Redundancy during transport is a superb idea. Basically, an email is always in two places during transport: it isn't removed from the previous hop until the next hop has confirmed that it has passed the message on. This means that if your server dies before it can deliver, the system can just deliver to the next database instance.
This also means that mails which were just being delivered to databases that fail aren't lost or delayed. Which is why it's worth a heading all of its own!
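As an added illustration of the mechanism (my own toy model, not Exchange's transport code), here is a three-hop simulation in which the hop holding a message dies mid-delivery. The sending hop keeps a shadow of everything it handed on until it gets a discard notification, so only the unconfirmed messages are resubmitted via another hop. The hop names, message ids and mailbox store are constructed.

```python
"""Toy model of shadow redundancy: a hop keeps a shadow copy of every message it
has handed on until the next hop confirms delivery, and resubmits if that hop dies.

Constructed example; the hop names, message ids and mailbox store are made up.
"""
from collections import deque


class Hop:
    def __init__(self, name):
        self.name = name
        self.queue = deque()   # messages this hop still has to deliver or forward
        self.shadow = {}       # message id -> (message, name of the hop it was handed to)
        self.alive = True

    def receive(self, msg):
        if not self.alive:
            raise ConnectionError(f"{self.name} is down")
        self.queue.append(msg)

    def forward(self, nxt):
        """Hand queued mail to the next hop. A message leaves this queue only after the
        next hop has accepted it, and even then a shadow copy is kept."""
        while self.queue:
            msg = self.queue[0]
            nxt.receive(msg)                        # raises if the next hop is down: nothing is lost
            self.queue.popleft()
            self.shadow[msg["id"]] = (msg, nxt.name)

    def deliver(self, store, previous, crash_after=None):
        """Final hop: deliver to mailboxes and tell the previous hop it may discard its shadow.
        crash_after simulates the server dying after that many deliveries."""
        delivered = 0
        while self.queue and self.alive:
            msg = self.queue.popleft()
            store.setdefault(msg["to"], []).append(msg)
            previous.discard(msg["id"])
            delivered += 1
            if crash_after is not None and delivered >= crash_after:
                self.alive = False
                self.queue.clear()                  # whatever was still queued here is gone
        return delivered

    def discard(self, msg_id):
        """Discard notification from the next hop: the shadow is no longer needed."""
        self.shadow.pop(msg_id, None)

    def resubmit(self, dead_hop, nxt):
        """Resubmit every shadow whose delivery the dead hop never confirmed, via another hop."""
        pending = [m for m, (_, hop) in self.shadow.items() if hop == dead_hop.name]
        for msg_id in pending:
            msg, _ = self.shadow.pop(msg_id)
            nxt.receive(msg)
            self.shadow[msg_id] = (msg, nxt.name)
        return pending


def scenario():
    edge, hub_a, hub_b = Hop("EDGE"), Hop("HUB-A"), Hop("HUB-B")
    store = {}                                   # mailbox -> delivered messages
    for i in range(3):
        edge.receive({"id": f"m{i}", "to": "alice", "body": f"constructed message {i}"})
    edge.forward(hub_a)                          # EDGE now holds shadows m0..m2 for HUB-A
    hub_a.deliver(store, edge, crash_after=1)    # HUB-A delivers m0, then dies with m1, m2 queued
    resubmitted = edge.resubmit(hub_a, hub_b)    # only m1, m2 are still shadowed; m0 was discarded
    hub_b.deliver(store, edge)
    return {
        "delivered": [m["id"] for m in store["alice"]],
        "resubmitted": resubmitted,
        "shadows_left": len(edge.shadow),
    }


if __name__ == "__main__":
    print(scenario())
```

Two things the model makes visible: a message is only ever popped from a queue after the next hop has accepted it, and the already-delivered message is not resubmitted (so no duplicate), because its discard notification had already cleared the shadow before the crash.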
Backup and Restore
The usual database/transaction logs kind of thing, at its core, using VSS to back up the files.
But what is a nice touch is that you can then restore as an offline "Recovery" database, which will never be mounted, and merge mailboxes back into live ones on the fly. You can even search the recovery copy for mails with specific strings in the subject, body, sender or recipients and restore only those. Or just the contents of one folder.
The feedback is fairly minimal - it dumps a text log and an XML log out to a folder - but otherwise it works nicely.
Also, one neat trick is that you can run the Exchange Server setup and rebuild a server from the AD information. So if you have a calamity, there's no reconfiguring clients to account for a new machine name etc.; you can just easily and quickly get the server back up with the same name and then migrate the data back in from backups.
Transport rules were covered alongside security, and I can see why. Lots of selection criteria for mails, a reasonable selection of actions, and they seem to work quickly enough.
You can enforce moderation for some recipients, for example, or modify headers, reject email, send copies to the sender's manager (assuming AD is filled out correctly) and plenty more.
I did try to recreate a low-priority delay sort of rule with them, and it seems that can't be done. In fact, there's no low-priority delay as Domino has at all, which is a bit of a shame.
You can create custom classifications ("Do not forward", "Confidential", "Customer Information Within" etc.) and then apply transport rules on them to prevent mail going where it shouldn't.
Combined with checking mails for certain keywords and then applying the correct classification, this is a very powerful way to erect Chinese walls etc.
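Here is an added example of the keyword-to-classification-to-rule chain described above, written by me rather than taken from Exchange or the course. It classifies a message from keyword lists, stamps a header, and then evaluates transport-rule style conditions: classified mail may not leave the organisation, two departments sit behind an information barrier, and mail to an "All Staff" address is moderated. The domain, departments, keywords, addresses and the header name are all constructed for the example.

```python
"""Keyword-based message classification with transport-rule style enforcement,
including an information barrier ("Chinese wall") between two departments.

Constructed example: the domain, departments, keyword lists and addresses are made up,
and X-Example-Classification is a placeholder header name, not Exchange's own.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "corp.example"

# Order matters: the first matching classification wins.
CLASSIFICATIONS = [
    ("Customer Information Within", re.compile(r"\b(account number|sort code|customer id)\b", re.I)),
    ("Confidential", re.compile(r"\b(confidential|merger|term sheet)\b", re.I)),
]

# Departments that must not exchange mail directly (the wall is symmetric).
DEPARTMENT = {"alice@corp.example": "advisory", "bob@corp.example": "trading",
              "carol@corp.example": "operations"}
WALLED = {frozenset({"advisory", "trading"})}


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    headers: dict = field(default_factory=dict)
    classification: str = None


@dataclass
class Verdict:
    action: str     # deliver | reject | moderate
    reason: str


def is_external(addr):
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def classify(msg):
    """Stamp the message with the first classification whose keywords appear in subject or body."""
    text = msg.subject + "\n" + msg.body
    for label, pattern in CLASSIFICATIONS:
        if pattern.search(text):
            msg.classification = label
            msg.headers["X-Example-Classification"] = label   # placeholder header name
            break
    return msg.classification


def crosses_wall(msg):
    """True if sender and any recipient are on opposite sides of an information barrier."""
    src = DEPARTMENT.get(msg.sender)
    for rcpt in msg.recipients:
        dst = DEPARTMENT.get(rcpt)
        if src and dst and frozenset({src, dst}) in WALLED:
            return True
    return False


def apply_rules(msg):
    """Evaluate rules in priority order; the first matching rule decides."""
    classify(msg)
    if msg.classification and any(is_external(r) for r in msg.recipients):
        return Verdict("reject", f"{msg.classification} mail may not leave the organisation")
    if crosses_wall(msg):
        return Verdict("reject", "sender and recipient are on opposite sides of an information barrier")
    if "all-staff@corp.example" in msg.recipients:
        return Verdict("moderate", "All Staff mail requires approval")
    return Verdict("deliver", "no rule matched")


def run_examples():
    """Four constructed messages: one per rule outcome, plus a plain delivery with a classification."""
    msgs = [
        Message("alice@corp.example", ["dave@partner.example"], "Term sheet", "Draft attached."),
        Message("alice@corp.example", ["bob@corp.example"], "Lunch?", "Canteen at 12."),
        Message("carol@corp.example", ["alice@corp.example"], "Refund", "Customer ID 4471 needs a refund."),
        Message("carol@corp.example", ["all-staff@corp.example"], "Fire drill", "Thursday 10am."),
    ]
    results = []
    for m in msgs:
        v = apply_rules(m)
        results.append((m.classification, v.action))
    return results


if __name__ == "__main__":
    for r in run_examples():
        print(r)
```

The rule order is the important design choice: classification runs first so every later rule can see the label, the "don't leak classified mail" rule comes before the wall check, and the catch-all delivery is last. Keyword matching is deliberately a whole-word regex so that "Term sheet" classifies but a word like "merged" does not; in practice the keyword lists will need tuning against real traffic to keep false positives tolerable.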
Rights Management Server
Exchange can integrate with Rights Management Server, which is basically DRM and ACLs for all your company's documents.
It's also cripplingly expensive. I saw a quote for a multi-national organisation, and frankly at that kind of price you could afford to just hire all the lawyers and pre-emptively sue everyone on the planet for Intellectual Property crimes. It would be cheaper, easier, and - given that "everyone on the planet" includes your own employees - a lot more popular with your staff than a steady stream of beeping noises telling them they can't do whatever it is they just tried to do.
Well, that's day four. Overall, I'm still fairly impressed.
Day three of learning about Exchange 2010, from a Notes & older Exchange viewpoint.
The mail routing is fairly simple, which is good. An improvement over some (very old) previous versions...
Message tracking logs
Wait... Useful logs from Microsoft?
I was stunned.
Useful logs that are in a usable text format, rather than some odd binary format?
PRAISE THE DARK GODS! FOR THEY ARE SURELY REWARDING US!
(Seriously, this was a very welcome surprise. My town is going to be suspiciously empty of chickens as an act of thanks.)
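Since the point of a text-format log is that you can do things with it, here is an added example (mine, not Microsoft's) of reading a message tracking log and answering the two questions that come up most: which path did a given message take, and which messages failed and why. The sample log is constructed for the example and uses a subset of the real column names; the '#Fields:' header line that names the columns is the part the parser actually relies on.

```python
"""Parse an Exchange 2010-style message tracking log (CSV with '#Fields:' header) and
answer the questions a helpdesk or security analyst asks of it.

SAMPLE_LOG is constructed for this example and uses a subset of the real field names.
"""
import csv
import io
from collections import defaultdict

SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2010-06-21T08:00:00.000Z
#Fields: date-time,server-hostname,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,message-subject,sender-address
2010-06-21T08:01:02.113Z,HUB1,SMTP,RECEIVE,101,<a1@corp.example>,alice@corp.example;bob@corp.example,,2048,2,"Budget, Q3",carol@corp.example
2010-06-21T08:01:02.501Z,HUB1,STOREDRIVER,DELIVER,101,<a1@corp.example>,alice@corp.example,,2048,1,"Budget, Q3",carol@corp.example
2010-06-21T08:01:03.000Z,HUB1,SMTP,SEND,101,<a1@corp.example>,bob@corp.example,250 2.6.0 Queued mail for delivery,2048,1,"Budget, Q3",carol@corp.example
2010-06-21T08:05:10.000Z,HUB1,SMTP,RECEIVE,102,<b7@corp.example>,dave@partner.example,,4096,1,Contract,erin@corp.example
2010-06-21T08:05:11.000Z,HUB1,ROUTING,FAIL,102,<b7@corp.example>,dave@partner.example,550 5.7.1 Delivery not authorized,4096,1,Contract,erin@corp.example
2010-06-21T08:10:00.000Z,HUB1,SMTP,SEND,103,<c3@corp.example>,gina@partner.example,250 2.6.0 Queued mail for delivery,1024,1,Invoice,frank@corp.example
"""


def parse_tracking_log(text):
    """Return one dict per event; '#' lines are headers and '#Fields:' names the columns."""
    fields, events = None, []
    for line in io.StringIO(text):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        row = dict(zip(fields, next(csv.reader([line]))))   # csv handles quoted subjects with commas
        # several recipients on one event are ';'-separated in the real log
        row["recipient-address"] = [a for a in row["recipient-address"].split(";") if a]
        events.append(row)
    return events


def trace(events, message_id):
    """The path one message took, oldest event first: what a 'my mail never arrived' call needs."""
    hits = [e for e in events if e["message-id"] == message_id]
    return [(e["date-time"], e["server-hostname"], e["event-id"], ";".join(e["recipient-address"]))
            for e in sorted(hits, key=lambda e: e["date-time"])]


def failures(events):
    """Messages with a FAIL event, with the SMTP status that explains why."""
    out = defaultdict(list)
    for e in events:
        if e["event-id"] == "FAIL":
            out[e["message-id"]].append((e["sender-address"], e["recipient-address"], e["recipient-status"]))
    return dict(out)


def external_sends_by_sender(events, internal_domain):
    """How many external recipients each sender handed to SMTP (a simple data-leakage baseline)."""
    counts = defaultdict(int)
    for e in events:
        if e["event-id"] != "SEND":
            continue
        external = [a for a in e["recipient-address"] if not a.lower().endswith("@" + internal_domain)]
        if external:
            counts[e["sender-address"]] += len(external)
    return dict(counts)


if __name__ == "__main__":
    evts = parse_tracking_log(SAMPLE_LOG)
    for step in trace(evts, "<a1@corp.example>"):
        print(step)
    print(failures(evts))
    print(external_sends_by_sender(evts, "corp.example"))
```

On a live server the Get-MessageTrackingLog cmdlet gives you the same data already filtered, but reading the files directly is what you want when shipping them to a SIEM or when the server that wrote them is no longer around to be asked.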
Clear and simple. With simple being the operative word, unfortunately. You can't restrict by sender unless the sender authenticates - great for controlling users, not so good for controlling applications.
Message delivery tracking
It's on by default, and users can track the status of their own messages.
That'll save us some time - just write up some instructions, and tell the helpdesk to send them to anyone whose "important email hasn't arrived".
Antivirus and antispam. A mixed bag, as it's both extremely capable and a little rough around the edges. (No pun intended.)
I'm still uncertain about Edge servers. I suppose I'm just not the target market - they're probably superb in SMEs, but seem a bit useless to me.
Mutual TLS is nice.
But overall, let's be honest - Notes has better security options here. S/MIME certificates aren't stored in the directory, but as files. Technically, Notes is the same - except you have no access if you don't have that file. Which focuses minds and ensures they don't get lost.
By comparison, I can't see how the Exchange/Outlook implementation of S/MIME can actually be a workable solution.
A general observation
The interface is slick. As well as always showing you the PowerShell commands it used to accomplish something, it's just nicely laid out.
Well, maybe not nicely laid out - but it's pretty flat. I remember trying to amend the DNS settings on Exchange Server 2000. Properties of something, third tab out of nine, click on a button, go to the second tab out of seven, click on a button, go to the other tab of the two, click another button... It was an awful Byzantine nest of properties boxes and buttons, and I hated it.
With 2010, there's none of that. Everything is usually in one properties dialog, with buttons being a rare exception.
This is a good thing.
And my thoughts from day two of the course...
Exchange Control Panel
It's a sort of web admin light.
It's more oriented towards user and group admin, and could be handy. It's also exposed through the user's settings in Outlook Web Access, so it can be used to delegate control of groups to users.
On the one hand, I was doing this in Domino back in 2004 (with Domino 6.5), and I wasn't exactly pushing the boundaries... On the other hand, I can see why this would be very handy, and late is better than never.
Users and Groups
The strong connection with AD is evident, and provides a wealth of options. Of particular interest are dynamic groups - effectively groups which populate themselves based on a query.
If the data in the directory is good, then that's a winning feature right there!
Also, moderated groups were interesting - groups which have approvers for messages sent to them, to prevent people from abusing "All Staff" kinds of groups. Nice.
There are some nice touches in the handling of resources, especially in the approval and automation. Not much of it is different from Domino/Notes, but it's certainly come on since I last saw it in Exchange.
I particularly liked the ability to add custom attributes - if they can be queried easily enough in the client, then it could be very useful. I wouldn't want to bet that they are easily usable in the client, mind you - but at least the building blocks are there.
Having installed a few other Microsoft products recently, I have to say that certificates are both a huge weakness and something which now inspires dread in everyone I work with.
Given that we all come from a Notes/Domino background, where certificates are embedded into the product so much that it's a snap, this is a bit of a shock.
Exchange 2010 makes it easier than any other Microsoft product I've had to do this with, but that's still not easier than *any* product I've ever used.
Autodiscover is pretty decent. It basically does a DNS query to a fixed subdomain based on the user's email address, so all they need to provide for setup is their SMTP address. No server details, nothing: it Just Works(tm).
Someone should steal that for Notes. It's not that typing in a server name is onerous - it isn't. It's that desktop support staff frequently can't remember it or don't bother to make a note of it when working on an issue, and then end up calling administrators to get that little bit of detail... A waste of everyone's time.
Outlook Anywhere tunnels RPC over HTTPS. Interesting, and it allows access from anywhere. I can see why a small business would want it, but unless you genuinely can't afford a VPN I think it's a bit too much of a security risk for my liking... Direct access to CAS servers? From the internet? Most network admins would have a fit!
Outlook Web Access and ActiveSync controls
Not bad. Not quite BlackBerry Enterprise Server, but not bad at all. Simple to configure on the client, if a bit of a pain to set up on the server. (Due to, of course, CERTIFICATES! Bah.)
The most obvious thing is that the configuration for these items is full of dire warnings that you need an Enterprise license for the user in order to use anything useful. For basic access, it's fine - but for much else, I suspect your operating costs are about to skyrocket.
And that's day two. Overall, this is a very capable product with some nice touches. If they could just sort out certificate handling and licensing, it would be better - but at least you only have to do that once.
(Well, until the certificates or licenses expire...)