In-Place Archiving with Exchange is a new paradigm in thinking for many organizations.  Shifts in technology perceptions breed a variety of questions.  Some are questions of trust and others are questions of technology.  We hope to answer a number of questions and help you explore some of the more advanced business and compliance requirements that Exchange archiving can meet for you.

People have used email archiving for more than a decade to help meet their compliance, data management, and eDiscovery needs.  Organizations are used to shipping data off to a separate repository, either in-house or to a 3^rd-party service, and saying that my compliance stuff is "over there." This is typically performed with a journaling agent which runs on Exchange to capture messages in transport. Unfortunately, the way businesses operate today is very different than a decade ago.  Valuable information in Exchange is not just in email, but it could also be in calendar items, contacts, tasks, RSS feeds, or more. Journaling your Exchange data isn't sufficient for organizations, and with Exchange Server 2010 and Exchange Online we set about changing the model. With new in-place capabilities, we broaden the capabilities of a compliance platform, while simplifying the end user and administrative experience. 

When it comes to compliance, ensuring the data is not tampered with and can be retrieved in an un-modified version is paramount. Historically, organizations used Write Once Read Many (WORM) storage. Unfortunately, writing to media like this has disadvantages. Storage medium can be lost, broken, or not survive the duration of need. It also adds challenge to the administrative process.  The media needs to be catalogued and destroyed on a regular basis.  With Exchange, organizations can leverage In-Place Hold (previously known as litigation or legal hold) to easily capture data that is relevant. Enabling this doesn’t require IT involvement – it can be completely delegated to your compliance or HR people. All changes and edits are captured and the content is immutably retained.  With Database Availability Group technology, this is also expandable to ensure you have multiple copies of the data – further helping ensure your data is there when you want it to be.

Managing the volume of email data a typical in an organization involves thoughtful planning. Putting data in a separate repository would, at first glance, look to offload pressure from Exchange.  However, information workers want to be able to access all of their email – not just the recent items with speed and ease. These users and administrators would need to learn a new interface and management tools – which means more training, cost and lost productivity. On top of it, managing storage for these 3^rd party applications is typically expensive. With Exchange, an In-Place Archive (previously known as a Personal Archive or Online Archive) can store this data and it can be accessed by Microsoft Outlook and Outlook Web App – tools your users use daily. With Exchange you also enable flexibility.  Organizations can choose to keep this data on-premises, or in the cloud. Organizations even have the capability to keep only their In-Place Archive in the cloud with Exchange Online Archiving (EOA).

Organizations need to respond to eDiscovery requests quickly.  With Exchange there is a fully integrated toolset for placing data on In-Place Hold and discovering it.  All of the tools an organization needs are built into the tools that users are already using. In-Place Hold in Exchange has some great benefits beyond ease of use. It can be fully transparent to users or they can be notified. Further, when items are on hold, everything is captured - edits, deletions, and the metadata associated with an item – including folder hierarchy. Some organizations have a need to immutably preserve everything for a user for a minimum period of time (whether it is 30 days, 7 years, or more).  To meet those needs, Exchange has a built-in capability known as rolling hold or Time-Based In-Place Hold. For organizations that don’t know how long preservation is required, In-Place Hold can be set without expiration – allowing for items to be held for an indefinite period.

With Exchange, delegated individuals can search across the ocean of messaging data that exists in most organizations.  No extra tools are needed, eDiscovery can natively be done with Exchange – you can search across mailboxes on-premises, in Exchange Online, or a mix of the two from a single location.  Searches can be done using an easy-to-use web-based interface, or for those more tech savvy folks, via PowerShell.  These query results are shown to the user – so they can fine tune as necessary.  Organizations that need more visibility into specific user behavior can use supervision features in Exchange to analyze data pre-send and post-send. To ensure that compliance is met before an email reaches its destination, moderation on specific email content can be routed to a supervisor, human resources or compliance officer to allow for acceptance or rejection. Post-send, some organizations need to ensure that users are not breeching internal or regulatory requirements.  For those, eDiscovery capabilities can search through the contents of a user’s email.  Furthermore, if random sampling is required, you can run the random sampling tool to pull a percentage of email for review.

The prospect of migrating gigabytes, terabytes, or more of data into Exchange from a 3^rd party archiving solution can seem daunting. Fortunately, there are several ways of getting data from a legacy solution into Exchange.  First, you can restore content to a mailbox (for instance, Exchange Server 2003/2007) and then migrate it to Exchange Server 2010 or Exchange Online. In this process, you’ll need to ensure you have enough delta storage to manage the swing state.  A second approach is to export the 3^rd party archive data to .PST files. You can then import the .PST files into a user’s In-Place Archive using Exchange-based tools, namely PST Capture and new-mailboximportrequest. A third approach is to use a solution from Microsoft partners to migrate directly from a 3^rd party archive to an In-Place Archive in Exchange.

A wealth of further documentation is available in the spring housecleaning blog post: http://community.office365.com/en-us/blogs/office_365_technical_blog/archive/2012/04/06/spring-housecleaning.aspx

Ankur Kothari

The Exchange Team is pleased to announce that in the first half of calendar year 2013 we will be releasing Exchange Server 2010 Service Pack 3 (SP3) to our customers. With SP3, the following new features and capabilities will be included:

Coexistence with Exchange 2013: Customers that want to introduce Exchange Server 2013 into their existing Exchange 2010 infrastructure will need the coexistence changes shipping in SP3.

Support for Windows Server 2012: With Service Pack 3, you will have the ability to install and deploy Exchange Server 2010 on machines running Windows Server 2012.

Customer Requested Fixes: All fixes contained within update rollups released prior to Service Pack 3 will also be contained within SP3. Details of our regular Exchange 2010 release rhythm can be found in Exchange 2010 Servicing.

In order to support these newly added features, there will be a requirement for customers to update their Active Directory schema. We are communicating the required changes ahead of the release date in order to assist our customers with planning their upgrade path ahead of time.

We hope these announcements come as welcome news to you. It is our custom to provide ongoing improvements to features, functionality and security of Exchange Server, based largely on customer feedback, and to provide continual innovation on an already great messaging product. We look forward to receiving your comments and announcing more detailed information as we continue to develop the features that will be included in SP3.

Kevin Allison
General Manager
Exchange Customer Experience

When faced with eDiscovery requests, organizations need to be able to preserve email records, search relevant records and produce them for review.

In Exchange Server 2010 and Office 365, Litigation Hold makes it possible to preserve mailbox items. When a user or a process attempts to delete an item permanently, it is removed from the user’s view to an inaccessible location in the mailbox. Additionally, when a user or a process modifies an item, a Copy-on-write (COW) is performed and a copy of the original item is saved right before the changed version is committed, preserving original content. The process is repeated for every change, preserving a copy of all subsequent versions.

Using Multi-Mailbox Search, also new in Exchange 2010, delegated legal, human resources or IT personnel (referred to as discovery managers because they need to be assigned Discovery Management permissions) can search mailbox content across their entire Exchange 2010 organization. Messages returned from a search can be copied to a Discovery mailbox, which is a special type of mailbox with higher mailbox quotas and no capability to send or receive messages.

What's New in In-Place eDiscovery & Hold in Exchange 2013

Since the release of Exchange 2010 and Office 365, we have received a lot of feedback from organizations of all sizes about the messaging policy & compliance features, including archiving, eDiscovery & hold. When planning the evolution of compliance features, we’ve kept your feedback front and center. Let’s take a look at what has changed.

• A new name In the new Exchange, Multi-Mailbox Search is known as In-Place eDiscovery.
• A new search engine In-Place eDiscovery still uses the search indexes generated by Exchange Search, but under the hood Exchange Search has been retooled to use Microsoft Search Foundation. The content indexing function was previously performed by Windows Search. Microsoft Search Foundation is a rich search platform that comes with significantly improved indexing and querying performance and improved search functionality.
• A new way to preserve In the new Exchange, you can use In-Place Hold to place searched content on hold. In-Place Hold is integrated with In-Place eDiscovery, allowing you to simultaneously search and hold content using the same easy-to-use interface. Integrating hold with eDiscovery allows you to be very specific as to what you hold using a query. Reducing the volume of data you preserve lowers the cost of reviewing the data later.
• A new UI The new Exchange sports a brand new, unified web-based admin tool, the Exchange Administration Center (EAC). Discovery Managers use the new In-Place eDiscovery & Hold wizard to perform eDiscovery searches.
• Keyword statistics After you create an In-Place eDiscovery search, you can get detailed keyword statistics showing you the number of items matched for each keyword. You can use this information to determine if the query has returned the number of messages you estimated. Depending on whether a query is too broad or too narrow, the search may return too many or too few messages. Use this information to fine-tune your query.
• eDiscovery Search Preview After you’ve created an eDiscovery search, you can quickly preview search results. Messages returned from each source mailbox are displayed in search preview. Being able to quickly preview messages allows you to ensure your query returns the content you’re searching and further fine-tune your query.

• Integration with the New SharePoint Exchange offers an integrated eDiscovery & Hold experience with the new SharePoint. Using the eDiscovery Center, you can search and hold in-place all content related to a case -– SharePoint web sites, documents, file shares indexed by SharePoint, mailbox content in Exchange and archived Lync content from a single location. You can export content associated with case, including files, lists, web pages and Exchange mailbox content. Mailbox content is exported as a .PST file. An XML manifest that complies with the Electronic Discovery Reference Model (EDRM) specification provides an overview of the exported information.

  To search Exchange content, SharePoint uses Exchange’s Federated Search API. Regardless of whether you search Exchange content from the EAC or using SharePoint, the same search results are returned. The new SharePoint and Exchange both use the same underlying indexing and querying engine – Microsoft Search Foundation, which allows you to use the same search query for both SharePoint and Exchange content.

Performing an In-Place eDiscovery search

Let’s take a look at how one discovery manager performs an In-Place eDiscovery search.

Robin works on the legal team at marketing firm Contoso. Contoso receives a request from a company called Tailspin Toys to assist with a marketing campaign for a new toy they are producing. Contoso is known for doing great toy marketing campaigns since they do a lot of work in the toy industry. This is great for business but they also have to be careful because many of the toy companies with which they work are competitors. Contoso just finished a highly successful marketing campaign with another toy company called Wingtip Toys and Robin wants to ensure that there's no confidential information that may accidentally get past from one customer to another through his team. To that end, Robin wants to search through her company's email and documents with the help of her legal team to make sure there are no potential issues.

To use In-Place eDiscovery, a user must be delegated the Discovery Management role group. You can delegate the role to authorized legal, compliance management or human resources personnel. Robin is one of those legal team members. This ability to have scoped roles in the new Exchange 2013 allows IT Pros to delegate compliance responsibilities to folks like Robin without giving them full access to all Exchange server functionality.

Robin starts by navigating to the Exchange Administration center Center. The EAC’s Compliance Management tab is where you can manage compliance features in the new Exchange. Because Robin doesn’t have any other Exchange administrator roles, she only sees the interface relevant to the Discovery Management role group. On the compliance management tab, she can only see In-Place eDiscovery & Hold.

Figure 1: In-Place eDiscovery and Hold tab is accessible to users with delegated Discovery Management permissions

She clicks on the Add button to start the New new In-Place eDiscovery & Hold wizard and enters a name and an optional description for the search.

Figure 2: Create an In-Place eDiscovery search using the new In-Place eDiscovery & Hold wizard in EAC

Robin can search all mailboxes in the Exchange organization or select the mailboxes she wants to search.

Figure 3: Specify mailboxes (to search or search all mailboxes)

On the Search query page, Robin can select the option to return all mailbox content or just specific content. Robin wants to find specific content related to work done between hers team members and WingTip Toys. She has the option to perform a simple search by just entering in a few key words or more complex search if she wants with Boolean operators like ANDs, ORs, parenthesis, etc. so she can be very specific as to what she is looking for. This can be a big time and cost savings for her since multiple gigabyte mailboxes are very common and she wants to reduce that set of content down to the minimum amount she needs to look at to find what she wants.

Figure 4: Specify a search query, including keywords, start and end dates, sender and recipients

In addition to using Boolean logic she’s also using the proximity operator (NEAR), which allows her to find words that are close to each other. You can also see her using a wildcard character so in this case she is looking for the word wingtip within three words of toy, toys, toymaker or anything similar.

In this particular case, Robin wants to look for these keywords anywhere in a given email, but if she wants to be more specific, for example search for a phrase only in the message subject, she could type in Subject: and then her phrase right after it. Depending on how specific she wants to be, she can create complex queries. You can use several hundred keywords in a query.

She can also choose specific types of messages. An Exchange mailbox has email but also calendar items, tasks, notes and other items related to personal information management. The new Exchange allows her to search all of those items or she can narrow the query down to specific types of items. She selects email and also meetings so she can track which ones of her employees met with Wingtip and read the meeting invites to find out what was discussed.

Figure 5: Select all message types or specify the message types to search

Once Robin has created hers query to define what content is important to her, she has a few options in terms of what to do with the results. If she feels it's important to protect this content she has the option to place it on hold. When content is placed on hold, Exchange automatically captures any attempts to edit or delete or delete data and stores those items in a hidden folder in the mailbox. It's completely invisible to the end-users so it doesn't interrupt their daily workflow, but it does keep that important data for recovery later.

Figure 6: Placing search results on an In-Place Hold

We will talk more about In-Place Hold in Part II of this post.

Robin clicks Finish. The search is running against Exchange 2013 mailboxes and placing items on hold.

When the search is complete, Robin takes a look at the total size and item count to see if it’s manageable. If there are a million items, her query is likely too broad;, if there are no items, it may be too narrow. If she wants to dig into the details, she can view the search statistics to see exactly how each keyword contributed to the overall result set. That lets her really be targeted about the way she's tweaking her queries so she can quickly get a result set down to a manageable size.

Figure 7: Use search estimate and keyword statistics to fine-tune search queries

Once she is done tweaking her query, she can stop the search and discuss with her team or legal counsel whether the query is correct. She can also create additional eDiscovery searches and use different query parameters.

She can also choose to preview messages returned in the search.

Figure 8: eDiscovery Search Preview to preview messages and determine query effectiveness

The eDiscovery Search Preview displays message count and total size for each mailbox searched. The preview functionality is built on Outlook Web App, which shows the message in its native format without any changes.

Figure 9: eDiscovery Search Preview displays live message preview without copying messages to a Discovery mailbox

Robin can quickly scroll through all of her results to view additional items that came back with her search. Since she is using the full- fidelity Outlook Web App preview, she can also view attachments.

Once Robin has previewed her results and she's happy with them, she can make a copy for of them for later review, or export them so that she can export them to handoff to her outside legal counsel. To do that, she simply clicks on the Copy search results link.

Figure 10: Copying messages returned by the search to a Discovery mailbox

When copying messages to a discovery mailbox, she has the following options:

• Include unsearchable items She can choose whether she wants to include "unsearchable" items, items that our indexing system may not be able to handle, such as a corrupted item, a password-protected zip attachment, or an item encrypted with something other than Information Rights Management. This check box gives her the option to include those two in case she wants to review them manually just to make sure she's doing her due diligence and not missing anything.
• Enable de-duplication She also has the option to enable de-duplication. As you know, it's very common to send email to multiple people at once. De-duplication allows her to reduce that down to only one copy so there are fewer messages to review.
• Enable full logging She can also keep a full log of research results of she wants, which includes a complete list of every item she found. This is especially useful for de-duplication, since if you duplicate you only keep one copy of a message that multiple people may have. Later on, you she may have a need to know if one person had it in his inbox and it was flagged as important, but another person moved it into his deleted items folder and never read it. All that information is in that log.
• Email notification She can also choose to have an email sent to her when the copy process completes. If search results return 20-30 GB of data, it can take a while to copy them to a discovery mailbox.

The last thing Robin will pick is the Discovery mailbox into which she wants to put her search results.

After copying is completed, Robin can see that the copy operation is complete and she has a link to the mailbox where the results are stored. Robin can now navigate to the copy of her search results to view them. In this view, she does have the ability to perform a review on her items, she can tag items that are important, or if she decides some are not important, she can take them and move them to the deleted items folder so that they are no longer in her view.

Once that's done, if Robin needs to share the consolidated results with an outside counsel, she can use her Outlook client to export the consolidated results list to a PST file.

We’ve provided you with an overview of the In-Place eDiscovery & In-Place Hold functionality in the new Exchange. In Part II of this post, which is scheduled to be published shortly, we will dig deeper into In-Place Hold.

Bharat Suneja and Julian Zbogar-Smith

The Microsoft Exchange Conference (MEC) was a huge success, and even though the conference has come to a close, the EHLO team is still cranking out some great content for Compliance Week.  Don’t forget to check out Harv Bhela’s article – Keeping Your Organization Safe with the New Exchange – which was posted to Office Next on Monday.

Also, keep an eye out for Part II of “In-Place eDiscovery and In-Place Hold in the New Exchange” as well as an article on Data Loss Prevention (DLP).

Finally, the Exchange team announced at MEC the advent of the new Microsoft Exchange Community website - http://www.iammec.com – which will become the hub of everything Exchange.  Check it out!

Thanks again for your support!

The Exchange Team

The Data loss prevention (DLP) feature in the new Exchange will help you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is increasingly important for enterprise message systems because business critical email includes sensitive data that needs to be protected. It’s the financial information, personally identifiable information (PII) and intellectual property data that can be accidently sent to unauthorized users that keeps the CSO up all night. In order to protect sensitive data without affecting worker productivity, the new version of Microsoft Exchange Server 2013 integrates DLP features so you can manage sensitive data in email more easily than ever before.

You can be comfortable getting started with DLP in Exchange because Microsoft has included a simple management interface that allows you to:

• Start with a pre-configured policy template that can help you detect specific types of sensitive information such as PCI-DSS data, Gramm-Leach-Bliley act data, or even locale-specific personally identifiable information (PII).
• Use the full power of existing transport rule predicates and actions and add new transport rules
• Test the effectiveness of your DLP policies before fully enforcing them
• Incorporate your own custom DLP policy templates and sensitive information types
• Detect sensitive information in message attachments, body text or subject lines and adjust the confidence level at which Exchange takes action
• Add Policy Tips, which can help reduce data loss by displaying a notice to your Outlook users and can also improve the effectiveness of your policies by allowing false-positive reporting
• Review incident data in message tracking logs or add reporting by using a new generate incident report action

Using the Microsoft-supplied DLP policy templates are an easy way to get started. DLP policies are packages of transport rules with new features that you can customize. These rules include classification types that define the type of content you are looking for in the DLP policy. You can use the Exchange management shell or the Exchange Administration Center (EAC) or even your own XML file editor to start incorporating DLP policies into your messaging environment. The image here shows the data loss prevention management interface.

Figure 1: Managing Data loss prevention (DLP) using the EAC

A number of new transport rule conditions and actions have been created in Exchange Server 2013 in order to accomplish new DLP capability. One key feature of the new transport rules is a new approach to detecting sensitive information that can be incorporated into mail flow processing. This new DLP feature performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, internal functions such as validate checksum on credit card numbers, and other content examination to detect specific content types within the message body or attachments.

Policy Tips to inform your workers in real time

With the new DLP features, you can inform email senders that they may be about to pass along sensitive information that is detected by your policies—even before they click send. You can accomplish this by configuring Policy Tips. Policy Tips are similar to MailTips, and can be configured to present a brief note in the Microsoft Outlook 2013 client that provides information about your business policies to the person creating a message. You can configure Policy Tips that will merely warn workers or block their messages, or even allow them to override your block with a justification. Policy tips can also be useful for tuning your DLP policy effectiveness, as they allow end users to seamlessly report false positives. Here’s a screenshot that shows the Policy Tip in action.

Figure 2: A Policy Tip informs email senders about sensitive information before they send the message

Begin by establishing policies that protect your sensitive data

Three different methods exist for you to begin using DLP:

1. Apply an out-of-the-box template supplied by Microsoft The quickest way to start using DLP policies is to create and implement a new policy using a template. This saves you the effort of building a new set of rules from scratch.
2. Import a pre-built policy file from outside your organization You can import policy templates that have already been created outside of your messaging environment by independent software vendors. In this way you can extend the DLP solution to suit your business requirements.
3. Create a custom policy without any pre-existing conditions Your enterprise may have its own requirements for monitoring certain types of data known to exist within a messaging system. You can create a custom DLP policy entirely on your own in order to start checking and acting upon your own unique message data.

Sensitive Information Types in DLP Policies

When you create DLP policies, you can include rules that include checks for sensitive information. The conditions that you establish within a policy, such as how many times something has to be found before an action is taken or exactly what that action is can be customized within your new custom policies in order to meet your business requirements. Sensitive information rules are integrated with the transport rules framework by introduction of a condition that you can customize: If the message contains…Sensitive Information. This condition can be configured with one or more sensitive information types that are contained within the messages.

To make it easy for you to make use of the sensitive information-related rules, Microsoft has supplied policy templates that already include some of the sensitive information types. An inventory of the sensitive information types supplied out of the box is provided on the TechNet Library. A brief sample can be seen here:

Data loss prevention in Exchange 2013 is one of several new features that are focused on helping to solve compliance issues in email. Check out In-Place eDiscovery, In-Place Archiving, Retention policies, and the new additions to transport rules, and information rights management too. We hope you become more productive and safe with the new DLP features that help you protect your organization’s sensitive data.

John Andrilla

In Part I of this post, we covered what’s new in In-Place eDiscovery in the new Exchange. In this post, let’s take a look at how the new Exchange retains data immutably.

One of the first steps you must take when reasonable expectation of litigation exists or when served an eDiscovery request is to preserve messaging records so they can be produced when required. Before Exchange 2010, this was generally achieved using different methods, including archiving data to an external system, suspending automated deletion mechanism (such as Exchange’s Messaging Records Management), or in some cases - by instructing users to not delete records.

Failure to preserve records required for litigation may expose your organization to legal and financial risk.

In Exchange 2010 and Office 365, we introduced Litigation Hold to enable you to preserve messaging records. Litigation Hold is a mailbox property – placing a mailbox on litigation hold places all items in a mailbox on hold indefinitely (or until hold is removed), resulting in accumulation of a large volume of data – all of which may not be required to be preserved.

In the new Exchange, you can use In-Place Hold to retain items immutably. In-Place Hold is integrated with In-Place eDiscovery, allowing you to perform both search and hold using the same interface and the same query parameters. You can use In-Place Hold in the following scenarios.

• Indefinite Hold: You can create an In-Place Hold without any query parameters and without a hold duration to hold all items in a mailbox indefinitely or until the hold is removed. This emulates the behavior of litigation hold.

• Query-Based Hold: Using In-Place Hold, you can create a search query and specify the source mailboxes and parameters such as keywords, senders and recipients, as well as start and end dates. You can also specify the type of items to search – email messages, calendar items such as meetings and appointments, tasks, notes, or Lync content archived in Exchange mailboxes.

• Time-Based Hold: Whereas Litigation Hold placed all mailbox contents on hold indefinitely or until you remove the hold, In-Place Hold allows you to specify a duration of time for which to hold items. The time is calculated based on the received date or the date the item was created in the mailbox (for items such as appointments, tasks and notes that are not sent/received).

  One of the more common feature requests in Exchange 2010 was to be able to specify a definite time period for which an item is retained. Whereas retention policies allow you to specify the email lifecycle and automatically delete items when the specified period is reached, they don’t guarantee retention for that period. In other words, you could specify items will be kept for a maximum of 7 years, but you couldn’t guarantee items won’t be deleted before that period by a user or a process.

  The commonly recommended workaround to meet this requirement was to use configure the Deleted Item Recovery period to the minimum period you want an item to be retained for. In this example, setting the deleted item retention period to 7 years means if a user deletes an item before 7 years, it is retained in the Recoverable Items folder for 7 years. However, the period for Deleted Item Retention is calculated from the date of deletion. If a user deletes an item after 6 years, it is retained for an additional 7 years in the Recoverable Items folder, resulting in a total retention period of 13 years. In others words, you can guarantee an item will be retained for a minimum of 7 years, but not the maximum retention period.

  In the new Exchange, when you create a time-based In-Place Hold, because the hold period is calculated from the item received/creation date, you can guarantee the item won’t be held beyond that period. You can combine a time-based In-Place Hold with a Retention Policy (that has a single default policy tag) to ensure items in the mailbox are deleted by the Managed Folder Assistant (MFA) after 7 years, and items deleted by a user or a process before that period are retained for at least the specified duration.

You can also combine a query-based In-Place Hold with a time-based hold to preserved items matching query parameters for the specified period. You can also place a user on multiple holds - for example, when a mailbox may contain records pertaining to multiple cases or investigations.

In-Place Hold & Permissions

Like In-Place eDiscovery, In-Place Hold can be used by authorized users with delegated Discovery Management permission. However, there’s a slight twist. The Discovery Management role group is assigned the Mailbox Search and Litigation Hold management roles. The former allows an authorized user to create a mailbox search for In-Place eDiscovery and Hold. The latter actually allows you to place mailbox content on hold.

If a user is only assigned the Litigation Hold role, for example by creating a custom role-based access control (RBAC) role group or via membership of a role group such as Organization Management that has the Litigation Hold role assigned, the user is able to use In-Place Hold - but only to place all mailbox content on hold. The user can’t specify query parameters. In other words, the user can’t create a query-based In-Place Hold.

Creating an In-Place Hold

Let’s go back to the query Robin created in Part I of this post. When creating the In-Place Hold, on the Mailboxes page Robin must select Specify mailboxes to search and select the mailboxes or distribution groups. If she selects Search all mailboxes, the option to place content on hold will not be available.

You must specify mailboxes or distribution groups to place on hold. If you select Search all mailboxes, the option to place content on hold will not be available.

Figure 1: To create an In-Place Hold, you must select Specify mailboxes to search

Note: If you select a distribution group, the hold applies to mailbox users that are members of the group when the hold is created.

On the Search query page, Robin can use the same query she used for the In-Place eDiscovery.

Figure 2: Messages matching query parameters are preserved

She can also select the message types to place on hold.

Figure 3: You can specify the message types to hold or hold all message types

On the In-Place Hold settings page, Robin selects the option to Place content matching the search query in selected mailboxes on hold. She can then select Hold indefinitely to hold content indefinitely (or until the In-Place Hold is removed or a mailbox is removed from the search). To hold items for a specific period, she can select Specify number of days to hold items relative to their received date and specify the number of days.

Figure 4: You can specify a hold duration or hold items indefinitely

It’s important to reiterate here that for the time-based hold, the duration is calculated from the date a message is received/created.

How In-Place Hold Works

Let’s take a look at what happens under the hood.

When a user deletes a message, it goes to the Deleted Items folder. When the Deleted Items folder is emptied or messages are deleted from it, or the user uses Shift-Delete to delete a message, it is moved to the Recoverable Items\Deletes folder. Contents of this folder are exposed when the user uses Recover Deleted Items in Outlook or Outlook Web App.

If the user doesn’t do anything, messages from the Deletes folder are purged when the Deleted Items Retention period configured for the mailbox database or the user expires.

If the user deletes a message from this view, few things can happen:

1. If Single Item Recovery is enabled for the mailbox, the item is moved to the Recoverable Items\Purges folder and retained until the deleted item retention period expires. This provides the administrator the capability to recover items without having to recover from backups.
2. If the mailbox is placed on Litigation Hold, the items is moved to the Recoverable Items\Purges folder and retained until the hold is removed.
3. If the mailbox is placed on an In-Place Hold, the item is moved to the Recoverable Items\DiscoveryHolds folder.

Figure 5: Deleted items and original copies of modified items are preserved in the Recoverable Items folder of each mailbox

When the MFA, a mailbox assistant that processes mailboxes and expires content, processes the mailbox, it checks if messages meet the query parameters of any In-Place Holds the user is placed on. This evaluation is done for up to 5 queries, beyond which all items are retained – emulating the same behavior as litigation hold. If the number of holds is brought below 5, the MFA again reverts to the query-based In-Place Hold behavior.

When the In-Place Hold is removed, messages placed on hold are removed if they no longer match query parameters of any other In-Place Hold that the user may have been placed on.

In-Place Hold and Immutability

When talking about preservation, the concept of immutability invariably comes up. Immutability means messages placed on hold must be preserved without alteration. Not only should we prevent them from deletion (even if the user placed on hold thinks they’ve successfully purged the message), but the messages should also be prevented from tampering or alteration. Immutability is not a product feature but a combination of feature and the hold processes your organization implements.

In-Place Hold also helps you preserve content from intentional tampering or modification. This is achieved by performing a copy-on-write (COW) – when the user or any process attempts to modify a message, before the modified message is saved a copy of the original message is made and saved in the Recoverable Items\Versions folder. Items captured in the Versions folder are also indexed and returned in an In-Place eDiscovery search. When the hold is removed, the copies made in the Versions folder are also removed by the Managed Folder Assistant.

Together, In-Place Hold and In-Place eDiscovery provide an easy-to-use mechanism for authorized legal, human resources or other non-technical personnel to easily search and immutably preserve messaging records.

Bharat Suneja and Julian Zbogar-Smith

You may have seen the introduction to the new Exchange Administration Center (EAC). The EAC is a unified Web-based portal for both on-premises and online Exchange deployments. Managing high availability (HA) is one of the key scenarios for on-premises customers, and the EAC delivers a brand new experience of managing HA. With EAC, the HA management tools are put together with a new modern look and feel.

Managing Exchange HA involves different operations like database switchovers, server switchovers, adding database copies, reseeding, etc. In previous versions of Exchange, there were UI gaps in the management consoles that required you to use both the console and the shell for some management tasks. For example, configuring lagged database copies. In previous versions of Exchange, you had to create a lagged database copy using the shell. In Exchange 2013, you can do this using EAC.

When you use the EAC to manage an on-premises environment, you will see a feature pane called “Servers.” This is where the Mailbox server-related HA features are managed. An example of this is shown below in Figure 1.

Figure 1. Where to Manage HA with the EAC

In this feature area, you will see 5 tabs (servers, databases, database availability groups, virtual directories, and certificates). The first 3 tabs are used to manage mailbox server-related HA features.

Database Availability Group creation and configuration

Let’s start by setting up a new DAG. As shown in the figure below, you can quickly create a DAG using the EAC.

Figure 2: new Database Availability Group

Then you can add Mailbox servers to the DAG, as shown in Figure 3.

Figure 3: managing DAG membership

Database and database copies management

Now it’s time for you to switch to database management to configure mailbox databases and deploy database copies on DAG members.

Continuing from where we left off, we switch to the databases tab. As you can see, there is an option called “Add database copy”, as shown in the figure below.

Figure 4: add mailbox database copies

All database copies are shown in the database details pane, as shown in Figure 5.

Figure 5: database copies in details pane

By drilling down to the mailbox database details pane, you can see the status of the selected database and its copies. You can also see important information like copy queue length and content index state. For the passive copies, you can do different operations like suspend and activate based on their current status.

After you have created database copies for a database, you can easily switch to the other databases from the main database list view to create copies of them. As you see, admins can manage database and database copies in one view without switching to another UI. Very handy and straightforward!

Server Switchovers

As mentioned before, besides managing HA at the database level, you can also perform switchovers at the server level. The EAC provides a more comprehensive way of managing servers.

For example, for a variety of reasons, you may need to take some a DAG member offline. The first step in doing this will always be to perform a server switchover; that is, to move all of the active copies currently hosted on that server to other DAG members, as shown below.

Figure 6: Server Switchover

As with Exchange 2010, when performing a switchover, you can specify the switchover target or perform a targetless switchover, as shown below Figure 7.

Figure 7: Two choices for Server Switchover

Conclusion

The handy and improved UI brings you a brand new experience in managing HA in the EAC. You don’t need to toggle between console and shell anymore. And more importantly, you can easily access it from anywhere.

Go and try it out, we are looking forward to hearing from you!

Bin Sun

Yes, we’ve heard your feedback and the Exchange Deployment Assistant for Exchange Server 2013 is on the way!

We want to let you know that we’re working, right now, on the Exchange Server 2013 Deployment Assistant. It will be very similar to the current Exchange Server 2010 Deployment Assistant. Don’t worry, the 2010 version will live on. But, we want to provide the same step-by-step upgrade and deployment guidance for the new Exchange as well! We expect to release initial scenarios like a greenfield Exchange 2013 on-premises installation and Exchange 2013 hybrid deployment scenario early next year and then add additional scenarios over time.

In case you’re not familiar with it, the Exchange Server 2010 Deployment Assistant  is a web-based tool that helps you upgrade to Exchange 2010 on-premises, configure a hybrid deployment between an on-premises and Exchange Online organization, or migrate to Exchange Online. It asks you a small set of simple questions, and then based on your answers, it provides a checklist with instructions to deploy or configure Exchange 2010 that’s customized to your environment.

We’ve received great feedback from you on the value of having customized, step-by-step upgrade and deployment instructions. Here are a few comments from Exchange administrators like you:

• “Love this! I wish I could have had this during the Exchange 2003 to Exchange 2007 upgrade. I think everyone who deals with Exchange needs to see this.“
• “The tool was a tremendous help in organizing and clearly directing the steps necessary for upgrading from Exchange 2003 to 2010. Instructions were extremely clear. Links for more information led to pages that were also very informative. Instructions on how to verify that each step worked were also helpful, and provided reassurance that everything was working properly.”
• “THIS TOOL IS AMAZING.  Honestly, this is by far the most useful migration tool I have ever used!  The ability to interact with the assistant and specify details of my particular environment makes it especially valuable. Also, the “How do I know this worked?” fields are probably the most innovative thing I’ve ever seen in a guide like this. Please make these for any/all future releases of Exchange (and any other Microsoft products)!”

If you’d like to receive notifications as to when the Exchange Server 2013 Deployment Assistant launches and when new scenarios release, subscribe to the RSS feed at: http://technet.microsoft.com/en-us/exchange/jj657516

Also, feel free to send any feedback regarding either Deployment Assistant to: edafdbk@microsoft.com

Katie Kivett

Earlier today we re-released the following Rollup Updates. These updates address an issue in which digital signatures on files produced and signed by Microsoft will expire prematurely, as described in Microsoft Security Advisory 2749655. Also see Security Advisory 2749655 and timestamping on the Security, Research & Defense blog.

• Update Rollup 4-v2 for Exchange Server 2010 Service Pack 2 (KB2756485)
• Update Rollup 7-v2 for Exchange Server 2010 Service Pack 1 (KB2756496)
• Update Rollup 8-v2 for Exchange Server 2007 Service Pack 3 (KB2756497)

The re-released Exchange 2010 SP2 RU4 includes the following additional fix:

2756987 Only one result is returned after you click "view all results" in Outlook 2010 or in Outlook 2013 in an Exchange Server 2010 environment

It is not required to uninstall the previous rollups to install the re-released rollups listed above.

Exchange Team

Today we reached an important milestone in the development of the new Exchange.

Moments ago, the Exchange engineering team signed off on the Release to Manufacturing (RTM) build. This milestone means the coding and testing phase of the project is complete and we are now focused on releasing the new Exchange via multiple distribution channels to our business customers. General availability is planned for the first quarter of 2013.

We have a number of programs that provide business customers with early access so they can begin testing, piloting and adopting Exchange within their organizations:

• We will begin rolling out new capabilities to Office 365 Enterprise customers in our next service updates, starting in November through general availability.
• Volume Licensing customers with Software Assurance will be able to download Exchange Server 2013 through the Volume Licensing Service Center by mid-November. These products will be available on the Volume Licensing price list on December 1.

Since announcing the Preview of the new Exchange back in July, the EHLO team has been actively blogging about the features and capabilities of the new Exchange. We’re excited to start getting the finished product into the hands of our customers!

For those who are interested in learning more about the new Exchange, check out the series of posts that have been published over the past couple months:

• The New Exchange – Rajesh Jha, Corporate Vice President
• The New OWA Rocks Tablets and Phones! – Kristian Andaker
• Managing the New Exchange – Exchange Manageability team
• Site Mailboxes in the new Office – Alfons Staerk and Andrew Friedman
• Using EAC to manage multi-forest Exchange deployments – Exchange Manageability team
• Exchange Online Protection: A Premium Protection and Policy Service for Email – Tony Trivison
• Comparing Exchange Online and Exchange Server 2013 – Ann Vu
• The Cloud On Your Terms (PART I): Deploying Hybrid – Ben Appleby, Robert Mazzoli and the Hybrid team
• The Cloud On Your Terms (PART II): Managing Hybrid – Warren Johnson
• Lessons from the Datacenter: Managed Availability – Ross Smith IV
• Keeping Your Organization Safe with the New Exchange – Harv Bhela, General Manager
• In-Place Archiving – Ankur Kothari
• In-Place eDiscovery and In-Place Hold in the New Exchange (Part I) – Bharat Suneja and Julian Zbogar-Smith
• Introducing Data Loss Prevention in the New Exchange – John Andrilla
• In-Place eDiscovery and In-Place Hold in the New Exchange (Part II) – Bharat Suneja and Julian Zbogar-Smith
• Managing High Availability with the EAC – Bin Sun

In addition to Exchange, the new Office, SharePoint, and Lync have also reached RTM. For more information on the announcement, go to Office News. Thanks again for your continued support, and please do keep the feedback coming!

Exchange Team

Exchange 2010 includes a feature called Datacenter Activation Coordination (DAC) mode that is designed to prevent split brain at the database level during switchback procedures that are being performed after a datacenter switchover has occurred. One of the side benefits of enabling DAC mode is that it enables you to use the built-in recovery cmdlets to perform the datacenter switchover and switchback.

In the real world, there are several different factors that determine what commands to run and when to run them. For example:

• Are Exchange Servers available in the primary datacenter?
• Is network connectivity available between the primary and remote datacenter?
• Is Exchange deployed in a topology with a single Active Directory site or multiple sites?

The answers to these questions determine not only the specific commands to run but also where the commands should be run.

In addition, administrators need to understand what the desired outcomes of those commands are. For example:

• How do I verify that stop-databaseavailability group was successful?
• How do I verify that restore-databaseavailabilitygroup performed the correct steps?
• When is it appropriate to run start-databaseavailailitygroup?

Each of these requires a different set of verification steps before proceeding.

And of course as with any process there are those occasional expected errors.

With this in mind, I want to introduce the Datacenter Switchover Tool, a kiosk-based PowerPoint application that allows administrators to work through the flow of questions to determine:

• What commands to run and where to run them
• How to verify the commands completed successfully.
• How to walk through a Datacenter Switchover from the Mailbox server / database availability group perspective.

To use the tool, simply download it and open it in PowerPoint. Make sure use only the buttons that are available on the screen. The tool will walk you through the correct questions, in the correct order, and provide feedback on the commands to execute and their verification.

The location of the tool is here: http://gallery.technet.microsoft.com/Exchange-2010-Datacenter-09a81fc6

Enjoy!

Tim McMichael

One of the great benefits to running one of the world’s largest Exchange deployments is that we at Microsoft get to see all the things that our customers face on a daily basis. With the recent release of iOS6, we have noticed a marked increase in support calls due to meetings having the owner of the meeting changed (sometimes called “meeting hijacking”). Most instances reported to us to date involve users with delegates who first open a meeting request in Outlook and then act on that same meeting in iOS.

Meeting issues are a large part of the challenges that we know some organizations see with 3^rd party devices (here is our list). Unfortunately the recent iOS update has exacerbated one of these issues. We wanted to let you know about this issue as well as let you know that we have discussed this issue with Apple. We are also looking at ways that we can continue to harden the Exchange infrastructure to protect our servers and service from poorly performing clients.

In the meantime we wanted to offer a few mitigation options:

• Tell users not to take action on calendars on iOS We're not seeing this particular issue if users don't take action on their calendar items (for example, accept, delete or change meetings).

• Switch iOS users to POP3/IMAP4 Another option is to switch users over to POP/IMAP connections. This will remove calendar and contacts functionality while allowing users to still use email (though the email may shift to pull from push while using these protocols).

• 3^rd party clients/OWA Moving impacted users over to another email client that is not causing these issue for your organization may help alleviate the pain here. There are a number of other client options (OWA being one of them of course). Numerous clients are available in mobile application stores. We don’t recommend any particular client.

• Block delegates Many of the issues we are seeing involve delegates. An admin can take the less drastic step of using the Allow/Block/Quarantine list to block only users who are delegates, or have a delegate, to minimize the impact here.

• Block iOS 6 devices Exchange server comes with the Allow/Block/Quarantine functionality that enables admins to block any device or user.

• Tell users not to upgrade to iOS 6 or to downgrade their devices – This solution may work as a temporary fix until Apple provides a fix but many users may have already made the decision to update.

• Wait We do not have any information on the timeline of a fix from Apple but if this timeline is short, this may be the easiest course of action. Please contact Apple about any potential fix or timeline for its delivery.

• Our support team has also published a KB article on this issue that you can read here. And we will update this post when a fix is available or we have additional information.

Adam Glick
Sr. Technical Product Manager

OAB History

Offline Address Books, fondly referred to as OABs, are a critical component in Exchange infrastructure for a long time now. An OAB is used by Microsoft Outlook clients in Cached Exchange Mode for address book lookups when offline. OABs are also critical in reducing the workload on Exchange servers as cached mode Outlook clients will always query the local OAB first.

The OAB has evolved over Exchange releases. The last major overhaul of OAB architecture was in Exchange Server 2007, where we introduced web-distribution of OAB along with CAS server role taking major responsibility of distributing the OAB. But the OAB generation process itself hasn't changed much.

Until now.

With the change in the server role architecture introduced in Exchange Server 2013, we have also changed the way OABs are generated and distributed to clients. Let’s explore the new OAB in Exchange 2013 by comparing it to its predecessors.

Changes in OAB generation

Which Server will generate the OAB?

In all previous Exchange releases, OAB generation was bound to a specific Exchange server by the Server property. When you install the first Exchange mailbox server, setup designates it as the OAB generation server. You can create new OABs as needed. When creating a new OAB, the OAB generation server has to be specified.

OAB in Exchange Server 2010:

Get-OfflineAddressBook "Default Offline Address Book" | fl name,server
 
Name : Default Offline Address Book
Server : MBX1

The disadvantage with this approach was that only one server was configured for OAB generation, and it was a single point of failure. If this server was unavailable for a long period, the OAB generation was affected.

In Exchange 2013, the OAB is generated by each Exchange 2013 Mailbox server(s) that hosts a special type of arbitration mailbox, called organization mailbox. OAB generation is not bound by the Server parameter anymore.

OAB in Exchange Server 2013:

Get-OfflineAddressBook "Default Offline Address Book (Ex2012)" | fl name,server
 
Name : Default Offline Address Book (Ex2012)
Server :

The unbinding of OAB from a specific server allows the same OAB to be generated by multiple Mailbox servers. This new architecture provides greater resiliency in OAB generation.

Which component will generate the OAB?

The Microsoft Exchange System Attendant service was the workhorse responsible for OAB generation in previous Exchange versions. The OAB generation was a scheduled process, i.e. OAB generation would start at the scheduled time configured on the OAB property, irrespective of the work load on the server.

In Exchange 2013, the OABGeneratorAssistant, a mailbox assistant running under the Microsoft Exchange Mailbox Assistants service, generates the OAB. Like most other mailbox assitants, the OABGEnerationAssistant is a throttled process – it runs or pauses according to the workload on the server.

Where are the OAB files stored?

In previous Exchange versions, the OAB generated by the Mailbox server was located in the %ExchangeInstallPath%\ExchangeOAB folder. The folder was shared so the CAS could retrieve the OAB files for distribution to Outlook clients.

In Exchange 2013, the OAB files are generated and stored in the Organization Mailbox first and later copied to the %ExchangeInstallPath%\ClientAccess\OAB\ folder.

Changes in OAB distribution

Exchange 2007 and 2010 supported two methods of OAB distribution: web distribution and Public Folder distribution. Exchange 2013 supports only the web distribution method, so let’s explore the changes in web-distribution method.

The Exchange 2007/2010 CAS pulled the OAB files generated on the respective Mailbox server and stored them locally. The Microsoft Exchange File Distribution Service on the CAS role did the task of pulling OAB files.

This was the flow OAB download from client side:

1. Outlook receives OAB URL from Autodiscover and reaches a CAS server.
2. The CAS authenticates the user and serves OAB files from local disk.

Couple of disadvantage with this method:

1. The OAB download fails if the CAS doesn't have the OAB files locally.
2. If the File Distribution Service on CAS isn't working, clients will receive stale OAB files or, in other words will not receive the updates.

In Exchange 2013, OAB files are not stored locally on the CAS. CAS 2013 proxies all OAB download requests to the appropriate Exchange 2013 Mailbox server. With this change in the architecture, the Microsoft Exchange File Distribution Service is removed from the CAS role.

In Exchange 2013, this is the flow of OAB download:

1. Outlook receives OAB URL from Autodiscover and reaches designated CAS 2013 through OAB URL.

The CAS server performs the following actions:

1. Performs initial authentication for OAB.
2. Queries Active Directory and determines the closest Organization Mailbox for the requesting user.

3. Queries Active Directory again to determine the mailbox database hosting the Organization Mailbox.

4. Queries the Active Manager to determine the mailbox server where the mailbox database is active (mounted).
5. Proxies the request to the Mailbox server identified in step 5.
6. Retrieves OAB files and passes them to the client.

This new workflow overcomes the disadvantages of legacy OAB download workflow.

The Organization Mailbox

The Organization Mailbox is a new type of arbitration mailbox introduced with Exchange 2013. The arbitration mailbox with persisted capability OrganizationCapabilityOABGen is referred to as Organization Mailbox. It plays a crucial role in OAB generation, storage and distribution.

Each Exchange Server 2013 mailbox role hosting an Organization Mailbox will generate all Exchange 2013 OAB’s defined in the environment. The OAB is generated in the Organization Mailbox first and later copied to the disk.

Use the following command to identify the Organization mailbox:

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like "*oab*"}

Example:

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like "*oab*"}
 
Name Alias ServerName ProhibitSendQuota
---- ----- ---------- -----------------
SystemMailbox{bb558c35... SystemMailbox{bb5... mbx1 Unlimited

Storing the OAB files in the Organization Mailbox makes the OAB files more resilient.

Putting it together: A real-life scenario:

The following scenario puts together the critical points we learned so far:

1. MBX1 and MBX2 are Exchange 2013 Mailbox servers and member of a DAG. CAS1 is an Exchange 2013 CAS.
2. The organization mailbox is present on mailbox database DB1. DB1 has copies on MBX1 and MBX2.
3. DB1 is currently active on MBX1.
4. The Microsoft Exchange Mailbox Assistants service on MBX1 will generate the OAB.
5. The OAB will be first generated in the organization mailbox and later copied to disk of MBX1. At this point, MBX2 is not playing any role in OAB generation.
6. An Outlook client tries to download OAB, and reaches CAS1 through OAB URL.
7. CAS1 queries Active Manager and finds out database hosting organization mailbox (DB1) is active on MBX1.
8. CAS1 proxies the OAB download request to MBX1 and serves the files back to the client.
9. At this point, MBX1 goes down due to power failure and DB1 is activated on the server MBX2.
10. CAS1 receives another request for OAB download, queries the Active Manager again and this time proxies the request to MBX2, as DB1 is now active on MBX2.
11. MBX2 extracts OAB files present in the organization mailbox to the disk, to ensure latest files are served to the client.
12. MBX1 comes back online, but DB1 remains active on MBX2.
13. At next OAB generation work cycle, the Microsoft Exchange Mailbox Assistants service on MBX2 will generate the OAB.

The next article in this series will talk about how to manage the new OAB in Exchange 2013.

Bhalchandra Atre

One of the biggest benefits that Exchange Server 2013 provides is that it enables personal information sharing among different people in different organizations. Email itself is a great example of sharing because it allows people to easily share thoughts, images, and attachments. However, using federated sharing in Exchange 2013, you can share much more than just email. Federated sharing allows your users to share calendar free/busy information and additional calendar/contact information with people in different Exchange organizations.

This post covers the basic steps for using the Exchange Administration Center (EAC) to set up and configure federated sharing for an on-premises Exchange 2013 or an Office 365 Exchange Online organization. To learn more about federated sharing, see Understanding Federated Sharing.

Although the introduction of the EAC in Exchange 2013 significantly changed the administrative management experience, the basic process of configuring federated sharing hasn’t changed much from Exchange 2010. For those of you already familiar with how to configure federated sharing in Exchange 2010, here’s a quick rundown of the general configuration steps in Exchange 2013:

1. Configure a federation trust For your on-premises Exchange 2013 organization, you must configure a federation trust with the Microsoft Federation Gateway (MFG). The MFG, a free cloud-based service offered by Microsoft, acts as the trust broker between your on-premises Exchange 2013 organization and other federated Exchange 2010 and Exchange 2013 organizations. To learn more about federation trusts, see Understanding Federation.

   If you’re configuring federated sharing for an Exchange Online-only organization as part of an Office 365 tenant, you don’t have to configure a federation trust. The federation trust with the Microsoft Federation Gateways is automatically configured when you sign up for the Office 365 service, and it’s automatically updated with any custom domains that you add to the Office 365 tenant.

2. Configure an organization relationship Organization relationships allow organizations to share calendar free/busy information between users in different Exchange organizations. Organization relationships are one-to-one relationships between two Exchange organizations, not a relationship between individual users in the Exchange organizations. To learn more about organization relationships, see Understanding Federated Sharing.

3. Configure a sharing policy A sharing policy enables user-established, sharing of calendar and contact information with different types of external users. To learn more about sharing policies, see Understanding Federated Sharing.

Federated Sharing - EMC vs. EAC

If you’ve managed federated sharing for an Exchange 2010 organization, you’re probably very familiar with the Exchange Management Console (EMC). In the EMC, you’d use the Organization Configuration node to create and manage the federation trust and organization relationships for your on-premises Exchange organization. Shown below in Figure 1, each area had its own sub-node within the Organization Configuration node that allowed you to launch the configuration wizards and modify the configuration settings. For sharing policies, administrators would navigate to the Mailbox sub-node and use the Sharing Policies tab (in the result pane) and the New Sharing Policy wizard (in the action pane).

Although efficient and straight-forward, the management experience for federated sharing in the EMC didn’t offer an intuitive feel for the sequence in which the basic steps for configuring federated sharing needed to be performed, which increased the chances of misconfiguration.

Figure 1 Managing federation trust and organization relationships in the EMC

In Exchange 2013, the EAC provides a more functional and centralized method for setting up and managing federated sharing. In the EAC, the controls for managing federation trusts (for on-premises organizations only), organization relationships, and sharing policies for both on-premises and Exchange Online organizations are grouped together on the Sharing tab in the Organization feature area. The EAC also guides you through the federated sharing configuration process by explicitly asking you to enable and configure a federation trust with the MFG when you initially access the Sharing tab (see Figure 2).

Figure 2 EAC federated sharing entry point

Creating and Configuring a Federation Trust for an On-Premises Exchange Organization

Creating a Federation Trust

As shown in Figure 2, the first step when enabling federated sharing in an on-premises Exchange organization is to create of a federation trust. When you click the enable button, the EAC creates the federation trust object and guides you through the process of configuring the federation trust.

Important Creating and configuring a federation trust is skipped when setting up federated sharing for Exchange Online-only organizations. The federation trust with the Microsoft Federation Gateways is automatically configured when you sign up for the Office 365 service, and it’s automatically updated with any custom domains that you add to the Office 365 tenant.

When you click Enable, the EAC:

• Creates a self-signed certificate for the federation trust.
• Uses the New-FederationTrust cmdlet to create the federation trust using this self-signed certificate.

After clicking Enable, you’ll see a progress bar that displays the status of the federation trust creation process. When complete, a confirmation window will notify you that the federation trust has been enabled successfully.

After the federation trust object has been created, the EAC will display the Organization Sharing and Individual Sharing management sections on the Sharing tab, as shown in Figure 4. Because a federation trust is a requirement for most federated sharing features, the EAC always starts the configuration process by enabling and creating a federation trust object. However, there are still some federation trust configuration items that must be completed before the federation trust is complete. If you want to configure an organization relationship before completely enabling the federation trust, you’ll need to use the Exchange Management Shell to complete the process. However, to enable all the federated sharing features in your organization, we strongly recommend that you first enable and configure the federation trust completely before you configure an organization relationship and a sharing policy.

Figure 4 Organization Sharing and Individual Sharing sections in the EAC

Configuring the federation trust

In the Federation Trust section of the Sharing tab, click the modify button to open the Sharing-Enabled Domains page, which walks you through the steps for configuring federated domains for the federation trust.

Figure 4 Sharing-Enabled Domains page

One of the great improvements provided by the EAC federated sharing management experience is that it helps you identify the correct sequence for each action. As you can see in Figure 5, there are two steps listed:

1. Select an accepted domain First, you’ll need to add an accepted domain to be used as the primary shared domain for the federation trust. The term primary shared domain is new and introduced in the EAC to help you better understand the correct sequence for configuring the federation trust. The primary shared domain is the unique account namespace used as the organization identifier (OrgID) for the federation trust and will have the pre-defined string FYDIBOHF25SPDLT appended to the primary shared domain as the account namespace. For example, if you specify the accepted domain contoso.com as the primary shared domain for your federation trust, the FYDIBOHF25SPDLT.contoso.com account namespace will be automatically created as the OrgID for the federation trust in your Exchange organization.
2. Add additional domains you want to enable for sharing Use this section to add additional accepted domains as federated domains for the federation trust.

Step 1: Select the primary shared domain

Click Browse to select an accepted domain to be the primary domain you want to enable for sharing. Typically, this is the primary SMTP domain for your organization. Next, you’ll need to prove your ownership of this domain by adding a TXT record for the primary shared domain on your public DNS server. The EAC automatically generates a validation string for the TXT record after you’ve selected an accepted domain for the primary shared domain.

Figure 5 The string you must use for creating a TXT record to prove domain ownership

After the TXT record has propagated on your public DNS, click Update to submit a request to the Microsoft Federation Gateway to add this domain as your primary shared domain. When you click Update, the EAC uses the Set-FederatedOrganizationIdentifier cmdlet to create the account namespace for the federation trust. The full command:

Set-FederatedOrganizationIdentifier –AccountNamespace <primary shared domain that you selected>

Important  In Exchange 2013, as well as in Exchange 2010 SP2, you don’t need to specify a domain starting with exchangedelegation as an account namespace. You can use any accepted domain to be your primary shared domain without worrying about the underlying detail of the account namespace.

When you open the Sharing-Enabled Domains page again, you’ll notice that the primary shared domain and the account namespace has been set correctly (see Figure 7).

Figure 6 Account namespace and primary shared domain are ready.

Step 2: Add additional domains you want to enable for sharing

If needed, your next step would be to add additional domains to the federation trust as federated domains. If you’re running a small company (and only use a single domain for user email addresses), you may only need to enable sharing for your primary shared domain. However, this may not be the case for larger businesses where you may have multiple segments in your organization and need to enable sharing for different subdomains.

If you need to add additional domains for sharing, click the + button to open the Select Accepted Domains page and select one or more domains you want to federate. Next, you’ll need to prove domain ownership for the domain(s) you’ve selected and add a TXT record for each additional domain to your public DNS. As in Step 1 above, Exchange automatically generates validation strings for the additional domains and displays them in the right pane, next to the list of additional domains.

Figure 7 EAC displays the string you must use for creating TXT records for each additional federated domain

After the TXT record has propagated in your public DNS, click Update to submit your request to the Microsoft Federation Gateway to add the domain(s) as additional federated domain(s). When you click Update, the EAC uses the Add-FederatedDomain cmdlet and the additional domain(s) to update the federation trust. The full command:

Add-FederatedDomain –DomainName <your additional shared domain(s)>

In terms of free/busy sharing and calendar/contact sharing, these additional domains will behave exactly the same as primary shared domain.

When you open the Sharing-Enabled Domains page again, you’ll see that these additional shared domains have been added to federation trust successfully.

Figure 8 Additional federated domain has been added successfully

You’ve now configured your federation trust successfully! If you want to enable calendar free/busy and additional calendar/contact sharing, you’ll also need to configure an organization relationship and sharing policy in your organization.

Configuring an Organization Relationship for On-Premises or Exchange Online Organizations

By creating and configuring an organization relationship, you’ll be able to enable organizational-level free/busy sharing between your organization and another federated Exchange organization. Users in both organizations will be able to see and share calendar free/busy information with each other in accordance with the organization relationship settings. To create and configure an organization relationship, navigate to Organization > Sharing > Organization Sharing in either the Enterprise or Office 365 areas of the EAC.

Figure 9 Organization Sharing in the Enterprise version of the EAC

To create and configure an organization relationship, click the + button to open the Organization Relationship page and enter the following settings:

• Relationship name The friendly name for the organization relationship.
• Domains to share with The domains for external federated Exchange organizations you want to enable sharing with in your organization.
• Calendar free/busy sharing level The level of calendar free/busy sharing you want to allow users in external Exchange organizations to see for you users.
• Who should share calendar free/busy information The users or groups in your organization that will share calendar free/busy information with external Exchange organizations.

Figure 10 Creating an Organization Relationship

If you need to configure other settings of an organization relationship, such as enabling or disabling MailTips or mailbox moves, you’ll need to use the OrganizationRelationship cmdlets in the Shell.

Configuring a Sharing Policy for On-Premises or Exchange Online Organizations

Sharing policies enable user-established, people-to-people sharing of both calendar and contact information with different types of external users. Sharing polices are assigned to user mailboxes and allow your users to self-manage and share both their free/busy and contact information (including the Calendar and Contacts folders) with recipients in other external federated organizations. For recipients that aren't in an external federated organization or are in non-Exchange organizations, sharing policies also allow people-to-people sharing of their calendar information with anonymous users through the use of Internet Calendar Publishing.

To create and configure sharing policies, navigate to Organization > Sharing > Individual Sharing in either the Enterprise or Office 365 areas of the EAC.

Figure 11 Individual Sharing in the Enterprise version of the EAC

To create and configure a sharing policy, click the + button to open the Sharing Policy page. You’ll need to define the following settings:

• Policy name The friendly name for the sharing policy.
• Define sharing rules for this policy Rules that apply to this sharing policy, including the domains you want to share with, the level of sharing for calendar information, and if you want to share your Contacts folder.
• Default sharing policy Whether this policy is the default sharing policy for your organization.

Figure 12 New Sharing Policy page in EAC

To create and configure a sharing rule for the sharing policy, click + to open the Sharing Rule page. You’ll need to define the following settings:

• Who to share calendar/contact information with
• What information you want to share
• Whether to share your Contacts folder

Figure 14 Sharing Rule page in EAC

Each rule defined in the policy will map to an individual-to-individual sharing relationship. A user can initiate multiple sharing relationships with different individuals under the control of the sharing policy. For example, you create these two rules in a sharing policy:

1. Share calendar free/busy with contoso.com
2. Share calendar free/busy + subject + location + Contacts folder with fabrikam.com

If you assign this sharing policy to a user named Jim, Jim would be able to share his calendar and contact information differently for the contoso.com and fabrikam.com organizations.

We hope that you’re as excited as we are about the new federated sharing experience in Exchange 2013 and the EAC. If you’d like to know more details, see Federated Sharing.

Elber Ren and Robert Mazzoli

What is it?

Offline access in Outlook Web App for Exchange 2013 lets users use Outlook Web App even when not connected to a network.

Offline access is newly available in Outlook Web App on the following web browsers.:

• Internet Explorer 10
• Safari 5 or greater (supported on Mac desktops only)
• Chrome

For more information about the offline user experience, see Using Outlook Web App offline.

What data is available offline?

Mail

• Users will be able to see all their folders, and content in all offline-supported folders.
• Offline-supported folders include:
• Inbox
• Drafts
• Any folder viewed from the browser in the last week
• For each offline-supported folder, users will have 3 days of content or 150 items, whichever is larger.
• Attachments are not available when offline.

Calendar

• Reminders will pop-up for meetings and appointments
• Current month and upcoming year of calendar
• Multiple calendars are not available when offline

People

• All Contacts
• Anyone the user emails often or has emailed recently
• The Auto-Complete cache (the list of matching names that appear as someone is added to a message)

What user actions are supported offline?

Note: Users can’t search or sort messages while offline

Protecting data

Setting up offline access through a browser starts a process that copies mailbox data locally into a web database storage location. This is determined by the browser, and is typically a file or set of files on disk. For example, at the time this post was written, IE10 and Chrome browsers used the following file locations for their web database storage (on Windows):

• Internet Explorer: %systemdrive%\Users\%username% \Local\Microsoft\Internet Explorer\Indexed DB
• Chrome: %systemdrive%\Users\%username% \AppData\Local\Google\Chrome\User Data\Default\databases

The data stored for offline use is accessible through the Windows user account under which it is enabled, and is not encrypted. Like the other files on the computer, the best way to protect it is to use disk-level encryption such as Bitlocker.

Organization Policy Controls:

By default, users are able to set up Outlook Web App 2013 for offline use. You can disable the ability for users in your organization to use Outlook Web App offline using the following Exchange Management Shell (EMS) commands:

To set offline access for an Outlook Web App mailbox policy, use:

Set-OwaMailboxPolicy –AllowOfflineOn [NoComputers | AllComputers | PrivateComputers]

To set offline access for an Outlook Web App virtual directory:

Set-OwaVirtualDirectory –AllowOfflineOn [NoComputers | AllComputers | PrivateComputers]

Deep Dive: How does it work?

Getting and storing mailbox data:

The browser’s local database stores some of the content of the Exchange mailbox. In Internet Explorer, this database is an industry standard HTML5 IndexedDB database. In Safari and Chrome browsers, this is a WebSQL database. The browser (not Outlook Web App) decides where the data is stored, what the quotas are, and how the data is ultimately aged-out. When Outlook Web App is set up for offline use, a process begins to copy all necessary Outlook Web App data locally. On a high bandwidth network, this process will often complete in a minute or two. Once offline is set up, the process will run whenever Outlook Web App is in use, and make sure that any server-side changes are reflected in the local database

• when Outlook Web App is first set up for offline use,
• on Outlook Web App startup (after it’s been set up for offline use)
• while using Outlook Web App, whenever anything in the Exchange mailbox changes

This process iterates through the Exchange mailbox, getting and writing updates to the browser’s local database in the following order:

1. The data needed to update the message list currently displayed in Outlook Web App
2. Calendar reminder notifications
3. The latest Inbox list
4. The latest message list of the rest of offline-supported folders
5. People updates
6. Calendar updates
7. The content of messages in the current list
8. The content of messages in the Inbox
9. The content of messages in the rest of the offline-supported folders
10. In-line images in any messages stored locally
11. Each item in the above list is called a sync module

The amount of storage Offline Outlook Web App uses is bounded by the browser’s database quota. If the process hits browser quota while copying data, it pauses, and a back-off algorithm iterates through the above modules in reverse order, removing them from the local database until it is under quota.

Figure 1: Offline Storage Model

What happens when Outlook Web App goes offline

If the network connection fails or is disabled while Outlook Web App is in use, users can continue working normally. Similarly, a user can start Outlook Web App when offline, such as on an airplane or in a café without WiFi, and use it normally. Outlook Web App will appear without requiring that they sign in. The best way to get to Outlook Web App when offline is by using a favorite or bookmark. When Outlook Web App is set up for offline use, Internet Explorer will give the option of creating a favorite. The Favorite makes it easy to navigate to the right place. The only indication that the app is working offline will be a timestamp in the bottom corner of the Outlook Web App mail view indicating the last time that Outlook Web App was updated.

Other places that will differ between Outlook Web App in an offline vs online state are features that aren’t supported offline. For example, “Create Rule…” from right-clicking on a message, will show the same error message that would display if Outlook Web App was not setup for offline use.

When a supported action is taken while offline (for example, deleting a message), within a period of milliseconds the following sequence of events occur:

• The delete will be applied to the view, which is cached in memory. The message will disappear immediately
• The delete will be applied to the message in the local database, so that even if you stay offline across many Outlook Web App sessions, the item will appear deleted in Outlook Web App.
• The delete action will be written to a queue that will be replayed as soon as connectivity to the server is reestablished. All offline create/update/delete activity is stored in this queue, which is stored as a table in the local web database. Outlook Web App replays this activity to the server the next time Outlook Web App is connected

Figure 2: Offline Action and Data Synchronization Model

Outlook Web App determines network connectivity status based on the response of each web request to the Exchange server. As soon as network connectivity is detected, Outlook Web App replays the queue of offline activity back to the server, so that all clients will now reflect any work you’ve done while offline. After the queue is replayed and the server is up to date, the process to copy changes or new messages from the server to the local Outlook Web App database begins.

To store messages that were created offline, Outlook Web App creates an Outbox folder in the folder tree. This Outbox is local to the machine you’re on. Users can open and edit messages from the Outbox folder, at which point they become drafts and are moved to the Drafts folder until Send or Save is selected. Messages that are created and sent while offline will remain on the client until the next time Outlook Web App is open and connected to Exchange.

If the user regains network connectivity while working offline in Outlook Web App, they may be prompted to sign in again.

Sara Manning

Modern public folders – ready for Office 365

We made significant architectural changes with modern public folders to deliver against the feedback we got from customers:

• “Having a separate management and replication model is complicated and expensive.”
• “We don’t get public folders in Office 365 so we cannot migrate to the service.”
• “We want public folders, don’t take them away!”

Built on mailbox infrastructure

Building on known mailbox infrastructure greatly simplifies management and backup/restore for public folders. IT administrators no longer need to learn two different management approaches for mailboxes and public folders.

Furthermore storage cost can be significantly reduced by leveraging mailbox infrastructure. Future improvements in mailbox storage management will automatically accrue to public folders as well.

No more public folder replication required

High availability is ensured through the existing high availability service for mailboxes instead of managing public folder replication separately. Public folder replication is a thing of the past.

Scaling to Internet scale

The new public folders literally scale to Internet scale. As public folders grow, content simply spans out to a new mailbox. In Office 365 a new mailbox will be added automatically, on premises IT will fork out to a new mailbox.

Office 365

In Office 365 management and storage is handled by Microsoft. You can keep supporting your public folder business scenarios but outsource management and storage to Microsoft by moving public folder deployments to the cloud.

Terabytes of public folder data turns from a cost to a differentiating asset for the business.

Figure 1: Public folders in Office 365 Customer Preview

The architectural work and redesign we did for public folders in the new Office is really focused on the IT admin. Management and scalability is much improved over the previous architecture and public folders are now ready for the service while we kept the end user experience the same for this release.

Modern public folder architecture

Core concepts

Here are some of the core concepts of the modern public folder architecture. We will talk though their impact in the following paragraphs

Hierarchy

• Each public folder mailbox has a copy of the public folder hierarchy
• There is only one writeable copy of the hierarchy at any given time
• Clients connect to their home hierarchy

Content

• Public folder content is stored in a public folder mailbox
• It is not replicated across multiple public folder mailboxes (although passive copies of the mailbox are supported through high availability services)
• All clients access the same public folder mailbox for a given set of content

Let’s discuss next what those core concepts mean for some of the key IT scenarios.

Scaling out public folders

As public folders grow, the content will outgrow capacity of the existing mailbox(es). IT will have a script to split off a branch of the public folder tree and have its content be moved and stored in a new public folder mailbox (remember: that new mailbox will also host a full copy of the public folder hierarchy).

In Office 365 the content will be automatically branched out into a new mailbox as the threshold is reached.

Scale out flow

As content in mailbox 2 grows, the ‘Finance’ folder will be branched out to a new mailbox.

New content for the ‘Finance’ folder or new folders under that branch will be stored in mailbox 3.

It’s completely transparent for end users whether content is stored in one mailbox or another.

Availability and redundancy

Modern public folders build on mailbox infrastructure and leverage the same mechanisms for availability and redundancy. Every public folder mailbox can have multiple redundant copies with automatic failover in the case of failures.

Failover flow

Public folder mailboxes have copies for high availability.

If one of the mailboxes fails, a passive copy will automatically take over.

Client access and geo scale

Clients connect to the datacenter through their closest Client Access Sever which will proxy them to the public folder mailbox with their home hierarchy. Access to public folder mailboxes is routed within the high bandwidth corporate network or Office 365.

Client home hierarchies are equally distributed across all public folder mailboxes for load balancing. If needed admins can override this per user setting to optimize for proximity.

This optimizes for proximity to the client as well as for partitioning access load to any given copy of the hierarchy.

Client access flow across datacenters

A client in Europe connects to the closest datacenter to his location (usually that datacenter will be hosted in the same geography as the user but let’s say for a moment the user is travelling).

The Client Access Server will reroute him to the public folder mailbox with his home hierarchy. The connection will be made within the datacenter network avoiding slow client connections to remote datacenters over the Internet.

When that client accesses the ‘Finance’ folder, he will be redirected to the mailbox hosting that content.

Writing to the public folder hierarchy

There is only one writeable copy of the hierarchy within a public folder deployment. Writes against the hierarchy (e.g. new folder) will always be performed against that writeable copy.

In the case that the mailbox hosting the writeable copy fails, the writeable hierarchy role will automatically fail over to a passive mailbox copy in the DAG.

What is the difference between site mailboxes, shared mailboxes and public folders?

Site mailboxes

For groups of people that are working together on a shared set of deliverables. They want to keep important emails and documents in one place.

The content is scoped to a particular project that a small team is working on. As such, all content in that mailbox is highly relevant to the team members.

User will not see a site mailbox in their Outlook client unless they are an owner or member of that site mailbox.

Shared mailboxes

A group of people is working on behalf of a virtual entity (e.g. help@contoso.com). They are triaging incoming emails against a shared inbox and responding on behalf of the virtual entity.

Integrated document collaboration is not a requirement for this scenario.

Users will usually only do this for one shared mailbox and the mailbox is added manually to the user’s Outlook profile.

Public folders

Public folders hold the full body of shared email knowledge in an organization.

Public folders are a great technology for distribution group (DG) archiving. A public folder can be mail enabled and added to the DG. Emails that are sent to the DG will be automatically added to the public folder for later reference.

With the new Office public folders are now also available in Office 365.

Distribution groups

Distribution groups are not actually a shared store in Exchange. They are rather a way for sending emails to a defined set of people such that emails are delivered to those users’ inboxes for triage.

Summary

We redesigned modern public folders and moved them to a new architecture that scales well into the future. Public folders are now also available in Office 365.

Public folders support the same high availability strategies as regular mailboxes. They are massively scalable by branching content out into a new mailbox. Building on the mailbox infrastructure reduces storage cost for customers.

Stay tuned

This was just a quick overview of some of the important changes in modern public folders. This blog will have more detailed technical posts on public folders coming soon.

Some of the topics we will cover are:

• Operating Modern Public Folders
• Managing Modern Public Folders
• Modern Public Folders for developers
• Public Folders in Office 365

Alfons Staerk, Nikhil Aggarwal

Quick note to inform you that we've updated Exchange TechNet Library URLs. Starting today, if you've bookmarked an Exchange 2010 article in the library (for example, http://technet.microsoft.com/en-us/library/bb124558.aspx), it'll take you to the Exchange 2013 version of the article.

Note, if an Exchange 2013 version of the article does not exist, the URL will still take you to the Exchange 2010 version.

You can still reach the Exchange 2010 version of the article by appending version information ((v=exchg.141) for Exchange 2010) at the end of the URL, right before the file extension (.aspx). So the Exchange 2010 version of the above URL will be http://technet.microsoft.com/en-us/library/bb124558(v=exchg.141).aspx. Please update your browser favorites/shortcuts and links in any blog posts if you still want them to point to the Exchange 2010 versions.

You can also get to the main documentation page for each Exchange Server version by using the following short URLs:

• Exchange Server 2013 - aka.ms/ex2013docs
• Exchange Server 2010 - aka.ms/ex2010docs
• Exchange Server 2007 - aka.ms/ex2007docs

Bharat Suneja

Recently, we have released a Guided Walk Through (GWT) for troubleshooting public Folder replication issues in Microsoft Exchange 2003.  There are a couple of ways to access the troubleshooter.  You can use the link here to access it directly.  As well, it will be embedded in various related public folder replication articles such as the following:  http://support.microsoft.com/KB/842273.

Now, I know you are wondering why we came out with a troubleshooter for Exchange 2003 since it’s no longer in mainstream support?  We made this decision for a number of reasons.  First, there is a good amount of our Exchange customers who are still transitioning off Exchange 2003 and we want to help those customers as much as possible to move to our newer supported versions of the product.  This is the best way to help guide those customers since we no longer have a phone support option for them.  Secondly, for the most part, all of our Exchange server 2003 Public Folders issues have already been identified, so creating a troubleshooter covering this material means it will not change drastically. Finally, due to the fact that the public folder replication mechanism has not significantly changed for a while (until Exchange 2013), it made sense to start with Exchange 2003 as it gave us the framework that we can update for later versions relatively easily.

The support organization will be putting efforts into expanding this troubleshooter to include 2007/2010 in the future.

This walk through is really a guide through the replication troubleshooting, as laid out in a series of blog posts by Bill Long, here, here and here. It is not meant to replace all of the data that helps you understand the public folder replication process, but rather quickly give you the steps you need to help find the problem if there are problems with replication.

I wanted to thank the people who helped make this a reality. Here are the parties involved (that I am aware of):

Exchange support:

• Nick Basile
• Rob Whaley
• Bill Long
• Charlotte Raymundo
• Will Duff
• Nino Bilic

Documentation / content creation teams:

• Bobbie DeFault
• Geoffrey Crisp (Entirenet)
• Jerry Sitser (Entiernet)
• Jarrett Renshaw
• Star Li (Wicresoft)
• Chen Jiang
• Victor Zhang (Wicresoft)

Regards,

Charlotte Raymundo
Messaging Knowledge Engineer

Have you ever gotten a call from someone you know whose Outlook client is having trouble connecting to their email server? Don’t you just wish you had a tool that you could send to them that would walk them through a connectivity test and provide a simple way for them to send the results back to you?

Or perhaps you’re an administrator that has been using the Remote Connectivity Analyzer for years to verify email configuration, but wish you had a way to verify the same tests from within your organization, that provided the same diagnostic details as the RCA website?

We’ve heard requests like these, and our team has built a tool for just these scenarios. I’d like to introduce you to the Microsoft Connectivity Analyzer (beta), a portable version of the Remote Connectivity Analyzer website. Here is a short 49 second video that introduces the Microsoft Connectivity Analyzer.

This tool contains the same tests as the website, in a slightly simpler UI – something you can share with your users, family, or your neighbor down the street.

In addition, we’ve split the results into two views – a simplified view which only shows results that your mom could understand, and the full detailed results that only an administrator would love (yes, that’s you).

And the additional details for administrators is shown under “Review all the tests we ran”:

Or ask your user to save the detailed results and send them to you! The detailed results are saved as an HTML file and can be viewed in your browser.

Microsoft Connectivity Analyzer Pre-Requisites

1. The tool supports the following operating systems: 64bit Windows 7, Windows 7, Windows Server 2008+
2. Microsoft .NET Framework 4.5 is required.
3. Browsers requirements:

The installation will work on all modern browsers. However…

• If you are using Google Chrome, you will need to install ClickOnce for Google Chrome
• If you are using FireFox, you will need to install Microsoft .Net Framework Assistant for FireFox.

You can find the full release notes here.

We're not finished yet. We have plans to add additional tests.

Just like when we first released the website, this first version of the Microsoft Connectivity Analyzer is a work in progress.

Having a tool on site with the end user, we’re in a unique position to extend the testing to include common problems with all types of connectivity. This early version of the tool is just the beginning.

And that’s not all!

In addition to providing a new tool, we’ve joined forces with the Lync Remote Connectivity Analyzer, and brought the two tools together. You’ll notice we’ve dropped the “Exchange” from the name, and we have a new way to access the website: http://testconnectivity.microsoft.com. That’s right – all the same great tests for Lync and Exchange available on the same website.

Tests include:

• Microsoft Lync Mobile Auto-Discover Web Service Remote Connectivity Test will test your remote connectivity to the Microsoft Lync Mobile Auto-Discover Web Service Server
• Microsoft Office Communications Server Test will test your remote connectivity to the Microsoft Office Communications Server, it will auto-discover the Access Edge and port to connect to, OR allow you to specific an Access Edge server.
• Microsoft Lync Server Remote Connectivity Test will test your remote connectivity to the Microsoft Lync Server, it will auto-discover the Access Edge and port to connect to, OR allow you to specific an Access Edge server.

But wait, there’s more…

Did we mention we’ve been busy this year? On the Office 365 tab, you’ll notice two new tests – the Office 365 Lync DNS test, and the Free/Busy test.

The Office 365 Lync DNS Test will check the external domain name settings for your custom domain user in Office365.

Thanks to the Office 365 Deployment Services team, the RCA website now hosts the Office 365 Free/Busy test. This test verifies an Office 365 mailbox can access the free/busy information of an on-premises mailbox and vice versa.  This includes:

• a check to confirm the system time of the hybrid server is not offset by more than five minutes, which causes failures when requesting delegation tokens from the Microsoft Federated Gateway.
• a check to verify inbound connectivity to the hybrid server does not require firewall pre-authentication; that is, the firewall allows pass-through authentication.
• a check to verify the hybrid server meets the minimum Exchange Server version requirement (Exchange Server 2010 SP1).
• a basic free/busy query against the target Availability Service.
• Links to guidance on the Hybrid Configuration Wizard, a common source of hybrid deployment misconfiguration

Phew! Thanks for reading this far. We hope you enjoy the new updates, and we look forward to hearing from you,

Nicole Allen
On behalf of the RCA team

Now that Exchange Server 2013 is available, some of you may well be wondering how to publish it to the Internet using Microsoft Threat Management Gateway (TMG) or perhaps the Microsoft Unified Access Gateway (UAG).

This post will help you configure TMG, for sure, but not UAG – as for the time being, you can’t effectively publish Exchange Server 2013 using UAG without turning off many of the security features in UAG. Why’s that? Well, as you’ll have gathered from other posts on this fine blog, we re-wrote OWA for Exchange 2013. And when an application like UAG inspects OWA traffic, it gets a little confused when you change everything, without telling it. So, the UAG team are busy beavering away re-writing their rule sets to work properly with Exchange 2013, so the advice for now if you have UAG, is to wait for a future UAG update, where it is currently expected that Exchange Server 2013 support will be added.

So back to TMG. TMG can be configured to work with Exchange Server 2013, and that’s what I’m going to walk through in this post.

I’m going to make an assumption here (risky perhaps, but if you are reading this post it is highly probable you already have TMG publishing either Exchange 2007 or 2010) that you are familiar with the existing guidance we have published. That covers the basic configuration of things like certificates, authentication, publishing rules and more – so rather than repeat all that here, we’re just going to focus on the Exchange Server 2013 specific changes you need to make. If you want to go refresh yourself and re-read that whitepaper, go ahead, this page will wait patiently for your return.

Welcome back. And off we go.

The first thing to know is that there is no Exchange Server 2013 publishing wizard, but do not panic as you can instead use the 2010 wizard, and then make some changes described here.

The first thing you will want to actually do is create a new web farm (and I hope you use web farms rather than publish load balancer VIPs or single servers as it makes life much easier in the long run) and put your 2013 Client Access servers into it. It’s the same procedure as for 2007 and 2010 including the connectivity verifiers, so just go ahead and create a web farm. Here’s mine. It’s a small farm. More of a gentleman’s farm than a real farm, but it will work nonetheless.

Now you have a web farm, let’s create some rules. But before we get into that, we’re not going to cover the actual cutover here, that’s perhaps another post, we’re just going to run through the rules you need. When it comes to the actual cutover, just to briefly mention it as I’ve started now, and it’s hard to stop typing once you get the flow going, if you have both 2007/2010 web farms and 2013 web farms all you really need to do is change the web farm being used on the To: tab for each publishing rule, and assuming the rest of your Exchange configuration is correct, you just did a cutover. Is that an oversimplification? Sure, but frankly the cutover is as it was for previous versions and if I don’t get to actually writing about the TMG rules for 2013 and instead keep rambling on about things like this then I’ll never get this post finished and you will have given up reading.

Oh, I’m sidetracked again.  Squirrel.  Oh sorry, back again.  Before we can cover the rules we also have to talk about delegation. Delegation is the method by which TMG authenticates, proxies, re-uses (depending on how you see it) or delegates the credentials, of the authenticated user to the Exchange Server it is publishing. At this time, Exchange 2013 only supports Basic or NTLM delegation, it does not support Kerberos Constrained Delegation (KCD) for now, so all delegation must be Basic, or NTLM. If you have no idea what KCD is, welcome to the majority, just make sure you don’t select it ok? So with that last piece of housekeeping out the way, onto the publishing….

We shall begin by agreeing that you have used the TMG wizard for publishing Exchange ActiveSync. You have selected the Exchange 2013 CAS Farm as your target and set the correct Delegation setting (typically Basic but it’s your choice if you want that, or to use NTLM, as long as Exchange is enabled for the auth type you have chosen to delegate it should work fine).

What now? Nothing. For Exchange ActiveSync you are done. Move along, nothing to see here. It just works. Well done you.

Given that was so easy, let’s try another. Outlook Anywhere. That must be harder.

You run the Exchange Server 2010 Outlook Anywhere wizard, don’t forget to check the ‘Publish additional folders on the Exchange Server for Outlook 2007 (yes, out of date isn’t it) clients’ option and choosing the Exchange 2013 CAS server farm.

Now, just like before, you may need to revisit the rule the wizard creates, particularly the Public Name tab, and add the autodiscover.company.com name to it, just as you did for 2007 and 2010, and if you are using Basic Delegation you will probably need to go and add basic to the authentication methods enabled on the CAS for OAB and EWS (just as you did for 2007 and 2010), but apart from those few things, you are done. The rule works for 2013, there is nothing else to do.

Wizard Default	You Probably Want This

So at this stage you are probably wondering why we needed a blog post. If this stuff just works, why bother wasting valuable pixels and your time with a blog post. Well, OWA doesn’t work out of the box. So that’s where we need to focus.

The first thing to do is run the OWA Publishing Wizard for 2010. That gets us part of the way there. It creates a rule, which you can tell to prove OWA is working at the most basic level.

Clearly as you test the rule you will see the 2010 OWA Forms Based logon page. Don’t go trying to make it look like 2013 OWA just yet, let’s get the whole thing working before you start fiddling, as I know some of you will. For now, leave it…

So the first thing we need to do is modify the logoff parameter. That has changed between 2010 and 2013 and so the default TMG sets you up with won’t work. This is easy to do. Open the properties of the OWA publishing rule you just created and change the parameters on the Application Settings tab thus;

Wizard Default	You DO Want This

That was easy. Next is the tricky one. Strap yourselves in, this one might be a bit hard to get on the first read.

Outlook 2013 brings to the table a new cloud app model, meaning you can download and install apps that enhance the power of Outlook. OWA has them too, if you have tried OWA 2013 or Outlook 2013 you might have seen the Bing Maps app, the Suggested Meeting app – some really cool apps that you can use out of the box. You can also build your own, integrating into your own in-house systems, for example.

Why am I telling you this? Did the app team want some free advertising? No. It’s really because they don’t work out of the box if you have TMG doing OWA Forms Based authentication in front of Exchange. Why? Well, the apps are surfaced in Outlook via a trident control, which is essentially an instance of IE framed into the Outlook host. The user’s exchange credentials are not provided to the app at runtime. So from a network perspective, the app loading looks like an anonymous HTTP GET, coming from an IE browser. And that request is to a sub directory of /OWA.

So guess what TMG does? Throws up a form, inside the app control window, asking the user to log in. Oops. Not a super user experience it has to be said. It looks a bit like this.

Now the way around this is familiar if you have ever configured Hybrid, or Org Relationships using the Microsoft Federation Gateway. We need to exclude some requests from pre-authentication. We need to craft a higher priority rule than that for /owa/* to catch these requests. Now, this is a bit deep, but I know the readers of this blog are smart, so I’m sure you will follow along.

The request Outlook makes is actually to /owa/guid@domain.com/version/owa2/ext/def/ and what makes this more challenging is that TMG won’t allow you to specify path wildcards in the middle of a path, eg. /owa/*/*/owa2/ext/def – not allowed. Wildcards are only allowed at the end of a path – path/path/* is allowed for example.

The good thing here is that /guid@domain.com/ is predictable. (Version on the other hand changes each time you update Exchange). It’s constructed using the ExchangeGUID of the org mailbox with the OrganizationCapabilityClientExtensions capability. You can find this cleverly named mailbox by running the following command on your Exchange Server;

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like “OrganizationCapabilityClientExtensions”} | fl exchangeGUID, PrimarySmtpAddress

Here’s my example:

[PS] C:\WINDOWS\system32>Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like "OrganizationCapabilityClientExtensions"} | fl exchangeGUID, primarysmtpaddress
  
ExchangeGuid : 3eccca51-d996-49df-b6e0-302d644fdcaa
PrimarySmtpAddress : SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@contoso.com

So once we have those two pieces of information, we take the ExchangeGUID and the @domain part of the primary SMTP address of that mailbox, and construct a string (guid@domain.com) like this;

3eccca51-d996-49df-b6e0-302d644fdcaa@contoso.com

Warning: You should only do this during months with an ‘r’ in them otherwise you may cause a black hole to open and swallow the entire planet. Do not come looking for me if that happens and say I did not warn you.

Now for the TMG rule.

Use the OWA publishing wizard in TMG to create a higher priority rule than that you already built for OWA that contains these settings;

Path Tab: /owa/3eccca51-d996-49df-b6e0-302d644fdcaa@contoso.com/*

Users Tab: All Users (no pre-auth in other words)

Authentication Delegation: No delegation, but client may authenticate directly.

It looks a bit like this;

Apply that rule and it should now all work as expected. The rule allows just Outlook 2013 apps to bypass pre-authentication and work as expected.

Here’s my rule, it is higher in the list, making it a higher priority and so it is processed before the generic OWA rule. The rule is more specific to the request, so it applies to the traffic from Outlook apps.

Is this rule opening you up to an attack or some vulnerability you might ask? And you should ask, it’s a good question. Well for one, the Exchange GUID is unique to your organization. So in order to use the rule someone has to figure that out. That’s quite hard unless someone is eavesdropping on your traffic, and if the session is SSL encrypted, which it should be if you are serious about what you are doing, so really it’s a non-issue.

Secondly, you should understand that mail apps activate in context of a given (user selected) message, and only execute (load the source html/js) when clicked on by the user. The app needs to load in context of the Outlook/OWA host for any of the API's to be able to access data via cross-document messaging (in other words, loading the app source directly into a standalone browser instance won't have any message data to access).

What data the app can access depends on the permission level requested by the app (declared in the app manifest, and viewable in the app management EAC page). So as an admin, with the ability to publish apps you approve of to your users, you can ensure only apps you trust can be used.

For more information about requesting permission levels for mail apps, you should review the following topics:

• Privacy and security for mail apps in Outlook
• Using the permission model for mail apps in Outlook

So to wrap up, don’t forget, this new rule has to be higher in the processing order than the regular OWA rule. And if you were to move the OrganizationCapabilityClientExtensions capability to another mailbox, the ExchangeGUID would change, necessitating the rule to be fixed up.

So what else? Nothing. Well, nothing for now. At this stage you should have Exchange 2013 working very nicely through TMG, but if you do have issues, post them here and we’ll try to help.

Greg Taylor
Principal Program Manager
Exchange Customer Experience