A good day, in which we covered high availability, backup/restore and security.
Topics which have been a major part of my career, so I have more to say today. (Sorry!)
High Availability - Databases
It isn't using Windows Clustering.
Do you have any idea how good that is? Windows Clustering is awful. I've lost count of the number of times I've seen it fail to work properly. Why anyone uses it is beyond me.
Instead, Exchange 2010 uses multiple Client Access Servers at the front end to keep things highly available to clients, and multiple database locations to keep the data available to those clients. It's pretty slick. In the lab, failover was instant and seamless.
You don't have to install with this high availability - it's there by default for the Client Access Server role, and when you make a Database Availability Group the relevant components are installed and activated seamlessly. So you can move up to it very easily.
Only one of the databases is active at any time - the others update via log shipping. But they ship parts of logs incrementally rather than waiting for a log to fill up, and the logs are just 1 MB large anyway - so the log shipping is very quick.
You can have up to 16 instances of a database on different servers, which is a lot of redundancy. (And will probably make your network card glow white hot with all the log shipping.) Specific instances of the database can also be told not to import logs immediately, but to wait for a (configurable) amount of time - which may help prevent shipping of corruptions or data loss. However, only one of the instances is active at any one time, and there is no automatic failback. I sense a manual morning check in my future...
Creating new instances is very easy, and you can set an order for failover on each database to prevent going across network links you want to be a last resort - so some thought has gone into all of this.
It's not Notes replication. But it's just about as close as you can get, and that's a good thing.
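As an added example (not from the original post or the course material), this is what the redundancy described above looks like in the Exchange Management Shell, assuming DB1 is active on MBX1, MBX2 is a same-site DAG member and MBX3 is a DAG member across a WAN link; the names and thresholds are my assumptions.

```powershell
# Added example, not from the original post. Assumed: DB1 is active on MBX1,
# MBX2 is in the same site, MBX3 is across a WAN link; all are DAG members.

# Second copy, first in line for failover.
Add-MailboxDatabaseCopy -Identity DB1 -MailboxServer MBX2 -ActivationPreference 2

# Third copy, across the WAN and last in line. Logs are shipped immediately but
# not replayed for 24 hours, so a corruption or mass deletion can be caught
# before it reaches this copy. Truncation is lagged too so the logs are kept.
Add-MailboxDatabaseCopy -Identity DB1 -MailboxServer MBX3 -ActivationPreference 3 `
    -ReplayLagTime 1.00:00:00 -TruncationLagTime 1.00:00:00

# The "manual morning check": copies that are not healthy, or whose copy queue
# (logs not yet shipped) is growing. The replay queue is deliberately ignored
# because the lagged copy's replay queue is large by design.
function Get-WorryingDatabaseCopies {
    param([string]$Database = "DB1", [int]$MaxCopyQueue = 10)
    Get-MailboxDatabaseCopyStatus -Identity "$Database\*" |
        Where-Object {
            (@("Mounted", "Healthy") -notcontains $_.Status.ToString()) -or
            ($_.CopyQueueLength -gt $MaxCopyQueue)
        } |
        Select-Object Name, Status, CopyQueueLength, ReplayQueueLength, LastInspectedLogTime
}

Get-WorryingDatabaseCopies

# There is no automatic failback: once MBX1 is healthy again after a failover
# to MBX2, the active copy has to be moved back by hand.
Move-ActiveMailboxDatabase -Identity DB1 -ActivateOnServer MBX1 -Confirm:$false
```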
High Availability - Mail Routing
Shadow Redundancy during transport is a superb idea. Basically, an email is always in two places during transport - it won't be removed from the previous hop until it has been confirmed as passed on to the next one. This means if your server dies before it can be delivered, the system can just deliver to the next database instance.
This also means that mails which were just being delivered to databases that fail aren't lost or delayed. Which is why it's worth a heading all of its own!
Backup and Restore
The usual database/transaction logs kind of thing, at its core, using VSS to back up the files.
But what is a nice touch is that you can then restore as an offline "Recovery" database which will never be mounted, and merge mailboxes back into live ones on the fly. You can even, from those databases, search the recovery copy for mails with specific strings in the subject/body/sender/recipients and restore only those. Or just the contents of one folder.
The feedback is quite low - it dumps a text log and an XML log out to a folder - but otherwise it works nicely.
Also, one neat trick is that you can run the Exchange Server setup and rebuild a server from the AD information. So if you have a calamity, there's no reconfiguring clients to account for a new machine name etc., you can just easily and quickly get the server back up with the same name and then migrate the data back in from backups.
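The Recovery database workflow from a couple of paragraphs up, as an added example that is not from the original post; it assumes the backup files have already been restored to D:\RDB1 on MBX1, that the mailbox to repair is jsmith, and that the recovery database is called RDB1.

```powershell
# Added example, not from the original post. Assumed: restored files sit in
# D:\RDB1 on MBX1, the target mailbox is jsmith, the recovery database is RDB1.

# Bring the restored copy to a clean shutdown by replaying its logs
# (E00 is the log prefix of the first database on the server).
eseutil /r E00 /l "D:\RDB1\Logs" /d "D:\RDB1"

# The recovery database is never offered to clients; it is only there to pull from.
New-MailboxDatabase -Recovery -Name RDB1 -Server MBX1 `
    -EdbFilePath "D:\RDB1\DB1.edb" -LogFolderPath "D:\RDB1\Logs"
Mount-Database -Identity RDB1

# See which mailboxes the restored copy contains.
Get-MailboxStatistics -Database RDB1 | Select-Object DisplayName, ItemCount

# Restore only the mails whose subject matches, into a separate folder of the
# live mailbox so nothing is overwritten.
Restore-Mailbox -Identity jsmith -RecoveryDatabase RDB1 -RecoveryMailbox jsmith `
    -SubjectKeywords "Q3 forecast" -TargetFolder "Recovered" -Confirm:$false

# Or just the contents of one folder.
Restore-Mailbox -Identity jsmith -RecoveryDatabase RDB1 -RecoveryMailbox jsmith `
    -IncludeFolders "\Inbox\Contracts" -TargetFolder "Recovered" -Confirm:$false

# Tidy up once the text and XML logs have been checked.
Dismount-Database -Identity RDB1 -Confirm:$false
Remove-MailboxDatabase -Identity RDB1 -Confirm:$false

# The rebuild-from-AD trick mentioned above is Setup run in recovery mode on a
# freshly built box with the same name:   Setup.com /m:RecoverServer
```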
Transport rules were thrown in alongside security, and I can see why. Lots of selection criteria for mails, a reasonable selection of actions, and they seem to work quickly enough.
You can enforce moderation for some recipients, for example, or modify headers, reject email, send copies to their manager (assuming AD is filled out correctly) and plenty more.
I did try to recreate a low-priority delay sort of rule with them, and it seems that can't be done. In fact, there's no low-priority delay at all, as Domino has, which is a bit of a shame.
You can create custom classifications ("Do not forward", "Confidential", "Customer Information Within" etc.) and then apply transport rules on them to prevent mail going where it shouldn't.
Combined with checking mails for text to see if they have certain keywords and then applying the correct classification, this is a very powerful way to erect Chinese walls etc.
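The classification-plus-transport-rule wall described above, as an added example that is not from the original post; the classification name, the keywords and the reject text are my assumptions.

```powershell
# Added example, not from the original post. Assumed: a "CustomerInfo"
# classification, a short keyword list, and rule priorities chosen so that the
# classifying rule runs before the blocking one.

# 1. The classification, which users can pick in Outlook/OWA or a rule can stamp.
$cls = New-MessageClassification -Name "CustomerInfo" `
    -DisplayName "Customer Information Within" `
    -SenderDescription "Contains customer data and must stay inside the company."

# 2. Stamp the classification on anything whose subject or body matches.
New-TransportRule -Name "Classify customer data" -Priority 0 `
    -SubjectOrBodyContainsWords "account number", "customer reference" `
    -ApplyClassification $cls

# 3. Stop classified mail leaving the organisation, with an NDR the sender
#    can actually understand rather than a silent drop.
New-TransportRule -Name "Keep customer data internal" -Priority 1 `
    -HasClassification $cls -SentToScope NotInOrganization `
    -RejectMessageReasonText "Customer information may not leave the company." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 4. Confirm the ordering: classification first, then the block.
Get-TransportRule | Format-Table Name, Priority, State -AutoSize
```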
Rights Management Server
Exchange can integrate with Rights Management Server, which is basically DRM and ACLs for all your company's documents.
It's also cripplingly expensive. I saw a quote for a multi-national organisation, and frankly at that kind of price you could afford to just hire all the lawyers and pre-emptively sue everyone on the planet for Intellectual Property crimes. It would be cheaper, easier, and - given that "everyone on the planet" includes your own employees - a lot more popular with your staff than a steady stream of beeping noises telling them they can't do whatever it is they just tried to do.
Well, that's day four. Overall, I'm still fairly impressed.