Some design principles for Microsoft Exchange

In a previous role, I managed a team that was responsible for Microsoft Exchange design. Working with Microsoft, we established a set of design principles, some template designs and a rule-book for any changes made to those designs. Soon afterwards, Microsoft published their Preferred Architecture for Exchange and the similarity was striking (to be honest, I’d have been concerned if it was different)!

As that Preferred Architecture is publicly available, I think it’s fine to talk about some of the principles we applied. They seem particularly pertinent now as I was recently working with a customer whose Exchange design doesn’t follow these… and they were experiencing a few difficulties that were affecting the stability of their systems…

Physical, not virtual

Virtualisation has many advantages in many circumstances but it is not a “silver bullet”. It also brings complexity and operational challenges into Exchange design, with few (if any) advantages that would not be already provided by Exchange out of the box. Exchange is designed to make full use of the available hardware and Microsoft is able to provide large, low cost mailboxes within Office 365 (Exchange Online), without a requirement to virtualise their Exchange 2013 platform. In addition to the operational and supportability complexities that virtualisation brings, virtualising the Exchange deployment requires more Exchange design effort.

Deploy multi-role Exchange servers

Microsoft’s current recommended practice is to deploy multi-role Exchange 2013 servers (i.e. client access and mailbox roles on the same server) for the following reasons:

  1. Reduced hardware. Multi-role servers make best use of processor capacity given the more powerful server specifications which are now available.
  2. Reduced operational and capital expenditure. Fewer servers to deploy and manage.
  3. Building block design which is simple to deploy and scale. Automated deployment of standard server builds.

The mailbox server role must be designed not to exceed the maximum processor capacity guidance for multi-role servers; this provides confidence that the hardware deployed can co-host all roles on a single server. This is where the Exchange 2013 Server Role Requirements Calculator comes in…

Use direct attached storage – not a SAN

Microsoft designed Exchange 2013 to run on commodity hardware and believes this is the most cost effective way to provide storage for the Exchange mailbox databases. Changes to the Exchange 2013 storage engine have yielded a significant reduction in I/O over previous versions of Exchange, allowing customers to take advantage of larger, cheaper disks and reduce the overall solution costs. In general, Direct Attached Storage (DAS) should be used in a Just a Bunch of Disks (JBOD) configuration, although there are some circumstances where a Redundant Array of Independent Disks (RAID) configuration may be used.

Microsoft uses a commoditised email platform with a DAS and JBOD architecture to provide and support large, low cost mailboxes within Office 365. There are many more solution elements to consider with a SAN (Host Bus Adapters (HBAs), fibre channel switches and SAN I/O modules) as well as additional software for managing the infrastructure and firmware to keep up-to-date. Consequently, there is an increased likelihood of technical integration issues using a SAN and, once installed, a SAN infrastructure has to be carefully monitored and managed by appropriately skilled staff. In stark contrast, the costs of direct-attached JBOD solutions are falling as larger disks become available.

Native resilience

Database availability groups (DAGs) were introduced in Exchange Server 2010 to replicate databases between up to 16 servers. A DAG with multiple mailbox database copies can provide automatic recovery from a variety of server, storage, network and other hardware failures. Auto-reseed functionality in Exchange Server 2013 allows spare disks to be brought online automatically in the event of a failure and new database copies to be created on them.

If four highly available copies of each database are deployed, Exchange native resilience can be used without the requirement for a third party backup solution. Only specific requirements (e.g. the ability to recover to an offline datacentre; recovery of a deleted mailbox outside the deleted mailbox retention period; protection against operational immaturity; protection against security breaches) drive the adoption of a third party backup solution.

Exchange Online uses the Exchange native resilience to protect against database failures, without resorting to the use of third party backup solutions.

Whilst a DAG can support 16 servers, it may be prudent to artificially limit the number of DAG members (e.g. to 12) in order to provide flexibility in upgrade scenarios.
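
The copy-count principle above is easy to state and easy to drift away from as databases are added. The following is an added example (not from the original post, and not Microsoft's code) of a check that reports any database with fewer than four healthy copies, or with no lagged copy. The live call assumes an Exchange 2013 Management Shell; Get-MailboxDatabase and Get-MailboxDatabaseCopyStatus are the real cmdlets and the script relies only on their Name, ReplayLagTimes, DatabaseName, MailboxServer and Status properties. The four-copy threshold is the one argued for above, and the sample databases and copies at the bottom are constructed so the function can be exercised without a DAG.

```powershell
# Added example: report databases that fall short of the "four healthy copies"
# principle, and any with no lagged copy. Not from the original post. Assumes
# the object shapes of Get-MailboxDatabase (Name, ReplayLagTimes) and
# Get-MailboxDatabaseCopyStatus (DatabaseName, MailboxServer, Status).

function Test-DagCopyPolicy {
    param(
        [Parameter(Mandatory)] [object[]] $Databases,   # from Get-MailboxDatabase
        [Parameter(Mandatory)] [object[]] $CopyStatus,  # from Get-MailboxDatabaseCopyStatus
        [int] $MinimumHealthyCopies = 4,
        [switch] $RequireLaggedCopy
    )
    foreach ($db in $Databases) {
        $copies = @($CopyStatus | Where-Object { $_.DatabaseName -eq $db.Name })
        # Mounted (the active copy) and Healthy (a passive copy in sync) are the
        # states that count; anything else is a copy you cannot fail over to.
        $healthy   = @($copies | Where-Object { $_.Status -in 'Mounted', 'Healthy' })
        $unhealthy = @($copies | Where-Object { $_.Status -notin 'Mounted', 'Healthy' })
        # ReplayLagTimes maps each server to its replay lag; a non-zero lag
        # marks that server's copy as a lagged copy.
        $lagged = @($db.ReplayLagTimes | Where-Object { $_.Value -gt [TimeSpan]::Zero })

        [pscustomobject]@{
            Database        = $db.Name
            TotalCopies     = $copies.Count
            HealthyCopies   = $healthy.Count
            LaggedCopies    = $lagged.Count
            UnhealthyCopies = ($unhealthy | ForEach-Object { "$($_.MailboxServer):$($_.Status)" }) -join ', '
            MeetsPolicy     = ($healthy.Count -ge $MinimumHealthyCopies) -and
                              (-not $RequireLaggedCopy -or $lagged.Count -ge 1)
        }
    }
}

# Live use (Exchange Management Shell), listing only the databases that fail:
#   Test-DagCopyPolicy -Databases (Get-MailboxDatabase) -CopyStatus (Get-MailboxDatabaseCopyStatus *) -RequireLaggedCopy |
#       Where-Object { -not $_.MeetsPolicy }

# Constructed sample: DB01 has four copies including a 7-day lagged copy on
# EX04; DB02 has three copies, one of them failed, and no lagged copy.
function New-SampleCopy($Database, $Server, $Status) {
    [pscustomobject]@{ DatabaseName = $Database; MailboxServer = $Server; Status = $Status }
}
function New-SampleDatabase($Name, [hashtable] $LagByServer) {
    # A real database exposes ReplayLagTimes as server/TimeSpan pairs; mimic that here
    [pscustomobject]@{ Name = $Name; ReplayLagTimes = @($LagByServer.GetEnumerator() | ForEach-Object { $_ }) }
}
$sampleDatabases = @(
    (New-SampleDatabase 'DB01' @{ EX01 = [TimeSpan]::Zero; EX02 = [TimeSpan]::Zero; EX03 = [TimeSpan]::Zero; EX04 = [TimeSpan]::FromDays(7) })
    (New-SampleDatabase 'DB02' @{ EX01 = [TimeSpan]::Zero; EX02 = [TimeSpan]::Zero; EX03 = [TimeSpan]::Zero })
)
$sampleStatus = @(
    (New-SampleCopy 'DB01' 'EX01' 'Mounted'), (New-SampleCopy 'DB01' 'EX02' 'Healthy'),
    (New-SampleCopy 'DB01' 'EX03' 'Healthy'), (New-SampleCopy 'DB01' 'EX04' 'Healthy'),
    (New-SampleCopy 'DB02' 'EX01' 'Mounted'), (New-SampleCopy 'DB02' 'EX02' 'Healthy'),
    (New-SampleCopy 'DB02' 'EX03' 'FailedAndSuspended')
)
Test-DagCopyPolicy -Databases $sampleDatabases -CopyStatus $sampleStatus -RequireLaggedCopy | Format-Table -AutoSize
```

With the constructed data, DB01 reports four healthy copies and one lagged copy and passes; DB02 reports two healthy copies, EX03:FailedAndSuspended, no lagged copy, and fails. Run on a real DAG, anything in the failing list is a database whose resilience currently depends on fewer copies than the design assumes.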

Site resilience

DAGs can be extended between sites and copies of databases replicated across sites to provide additional redundancy. Each member of the DAG must have a round trip latency no greater than 500ms to contact the other members, regardless of their physical location. In general, Exchange DAGs should span at least two physical sites and Microsoft also recommends that separate Active Directory sites are used.

Mailbox distribution

With multiple sites in use, the next consideration is whether both are active (i.e. providing live service) or whether one is a secondary, passive, datacentre (i.e. invoked for disaster recovery purposes).  If all active mailboxes are hosted in a single site, and all passive copies of the mailboxes reside in a secondary site, the user distribution model is referred to as active/passive. If there are active mailboxes in both primary and secondary datacentres then the user distribution model is known to be active/active.

This should not be confused with the databases within the DAG, where only one copy of each database is active at any time.

Exchange 2013 simplified the client access model and with all clients connecting using HTTPS an active/active architecture is simple and spreads the client load across all Client Access servers, making best use of the deployed hardware.

This also facilitates a simplified SMTP namespace and allows automatic site failover (assuming the File Share Witness is located in a tertiary datacentre).

Archiving

With today’s storage capabilities, large mailboxes are becoming normal.  The use of a native Exchange 2013 archive or a third party archiving solution is only required where there is a defined need for a user experience that warrants the management of email data (the ‘personal archive’ user experience, e.g. auto archive functionality) or by legal/policy requirements regarding the retention and discovery of email data (‘the regulatory archive’).

There is a common misconception that using a third party archive solution will provide a cost effective, single instance storage solution by differentiating ‘hot’ and ‘cold’ data and providing the ability to store ‘colder’ data on cheaper, slower disks. In fact, introducing a secondary system increases costs and complexity (in design and management) as well as reducing the flexibility of the solution.

Many organisations are electing to leave behind their archives with browser-only access as they migrate to larger online mailboxes in the cloud, e.g. using Exchange Online.

Conclusion

Whilst Exchange is supported in a virtualised environment, with SAN-attached storage, third party backup and making use of email archive solutions, deviating from the Preferred Architecture is a huge risk. The points in this blog post, combined with Microsoft’s advice linked above highlight the reasons to keep your Exchange design as simple as possible. Whilst a more complex design will probably work, identifying issues when it doesn’t will be a much bigger challenge.


Importing users to Office 365 from CSV file – username must be in UPN format

Every now and again, I come across a piece of advice on the net from seemingly authoritative sources that’s just plain wrong. Or at least it’s factually correct but doesn’t answer the question that was asked.  One such example was a few weeks ago when I was uploading user details via CSV to bulk provision cloud accounts in Office 365.

The import was failing, telling me that “The user name is not valid. You can only use letters and numbers. No spaces”. Except that’s not really the problem here – we were using the CSV template downloaded from the Office 365 Admin Center and the user names contained only letters, with no spaces.

Stupidly, I’d put in the user names – like MarkWilson – but of course Office 365 usernames are in UPN format.  What the message could (more helpfully) have said is “The user name is not valid. It should be in the format username@fullyqualifieddomainname”.

Unfortunately, there is a “verified answer” on a Microsoft Community forum post that is incorrect. It tells the original poster to download a blank CSV file from the portal and to populate that but that’s exactly what they (and I) did. The correct answer (which is a “suggested answer”, but not a “verified answer”) says to include the @domainname in the user name field in the CSV file. In my example, that would be markwilson@tenantname.onmicrosoft.com (assuming no other domain names have been associated with the tenant). So far, my requests for Microsoft to get this fixed have failed… here’s hoping that my blog post comes up in the next person’s Google/Bing search…
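
Because the portal’s error message does not name the actual problem, it is worth checking the CSV before uploading it. The following is an added example (not from the original post, and not Microsoft’s code) that validates the “User Name” column of a bulk-import CSV. The column name is the one the admin-center template uses (an assumption here), the list of verified domains and the CSV rows are constructed, and the character rule for the local part is deliberately conservative rather than the exact rule Office 365 applies.

```powershell
# Added example, not from the original post: check the "User Name" column of an
# Office 365 bulk-import CSV before uploading it. The column name is assumed to
# match the admin-center template; the verified-domain list and the CSV rows
# are constructed; the character rule is conservative, not Office 365's own.

function Test-BulkImportUserName {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Row,
        [Parameter(Mandatory)] [string[]] $VerifiedDomains,
        [string] $DefaultDomain = $VerifiedDomains[0]
    )
    process {
        $name      = [string]$Row.'User Name'
        $problem   = $null
        $suggested = $name
        if ($name -notmatch '@') {
            # The portal wants a UPN (user@verified-domain), not a bare name
            $problem   = 'missing @domain (must be in UPN format)'
            $suggested = "$name@$DefaultDomain"
        } else {
            $local, $domain = $name -split '@', 2
            if ($domain -notin $VerifiedDomains) {
                $problem = "domain '$domain' is not verified in the tenant"
            } elseif ($local -notmatch '^[A-Za-z0-9._-]+$') {
                $problem = 'local part contains characters outside A-Z, 0-9, . _ -'
            }
        }
        [pscustomobject]@{
            UserName  = $name
            Valid     = -not $problem
            Problem   = $problem
            Suggested = $suggested.ToLower()
        }
    }
}

# Constructed sample in the shape of the admin-center template (first columns only)
$csv = @'
User Name,First Name,Last Name,Display Name
MarkWilson,Mark,Wilson,Mark Wilson
mark.wilson@tenantname.onmicrosoft.com,Mark,Wilson,Mark Wilson
jane doe@tenantname.onmicrosoft.com,Jane,Doe,Jane Doe
jdoe@example.org,Jane,Doe,Jane Doe
'@ | ConvertFrom-Csv

# Constructed; on a real tenant take the list from Get-MsolDomain (MSOnline module)
$domains = 'tenantname.onmicrosoft.com'
$csv | Test-BulkImportUserName -VerifiedDomains $domains | Format-Table -AutoSize

# To rewrite a real file with the suggested names once you are happy with them
# (Import-Csv/Export-Csv keep the remaining columns intact):
#   $rows = Import-Csv .\users.csv
#   foreach ($r in $rows) { $r.'User Name' = ($r | Test-BulkImportUserName -VerifiedDomains $domains).Suggested }
#   $rows | Export-Csv .\users-fixed.csv -NoTypeInformation
```

Of the four constructed rows only the second is valid: the first is the bare “MarkWilson” mistake described above (suggested fix markwilson@tenantname.onmicrosoft.com), the third has a space in the local part, and the fourth uses a domain the tenant has not verified.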

Changing the default app used to open tel: links on Windows

Earlier this morning I had a missed call notification in Outlook. I clicked the number, Windows asked me which app I wanted to open that type of link (a tel: URI) and I clicked the wrong option. All of a sudden I had phone numbers opening in the Skype Windows 8 app rather than in my Skype for Business client (previously the Lync client).

It turns out that it’s a relatively simple change to make but it’s not necessarily obvious that the UI to do this is the one to change file type associations (this is a link, not a file…).

  1. In Control Panel go to Default Programs and then Set Default Programs (the quickest way is to hit the Windows key and type “Default Programs“).
  2. Scroll down to Lync (desktop). Despite the name, this is the Skype for Business desktop client.
  3. Select Lync (desktop) and click Choose defaults for this program.
  4. You’ll see that the URL:Tel Protocol entry is not checked, because it’s associated with Skype.
  5. Select the checkbox next to TEL and click Save.
  6. If you look at the Skype program associations, TEL will now be showing as defaulting to Skype for Business (desktop).
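
If you want to confirm which program currently owns tel: (or sip:, or mailto:) before and after making the change, the per-user choice is recorded in the registry. The following is an added example (not from the original post) that lists the per-user URL protocol associations and the command each ProgId runs. It assumes Windows 8/8.1 or later, where these associations live under the UrlAssociations UserChoice keys. It only reads; changing the association still goes through the Default Programs UI as described above, because Windows validates a hash on the UserChoice key and will ignore a ProgId written directly.

```powershell
# Added example, not from the original post: list per-user URL protocol
# handlers (tel:, sip:, mailto: ...) and the command line each ProgId maps to.
# Read-only; assumes the Windows 8+ UrlAssociations\<scheme>\UserChoice layout.

function Get-UrlProtocolHandler {
    param([string[]] $Scheme)   # default: every scheme that has a UserChoice key
    $base = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations'
    $keys = Get-ChildItem -Path $base -ErrorAction SilentlyContinue
    if ($Scheme) { $keys = $keys | Where-Object { $_.PSChildName -in $Scheme } }
    foreach ($key in $keys) {
        $choice  = Get-ItemProperty -Path (Join-Path $key.PSPath 'UserChoice') -ErrorAction SilentlyContinue
        $progId  = $choice.ProgId
        $command = $null
        if ($progId) {
            # HKEY_CLASSES_ROOT is the merged view of HKLM and HKCU Software\Classes,
            # so this resolves both machine-wide and per-user ProgIds
            $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Scheme  = $key.PSChildName
            ProgId  = $progId
            Command = $command
        }
    }
}

# Show the handlers for the schemes a Skype for Business user cares about
Get-UrlProtocolHandler -Scheme tel, sip, mailto | Format-Table -AutoSize
```

A scheme with no ProgId means no per-user choice has been made yet, which is exactly the state in which Windows pops up the “which app?” prompt that started this whole episode. The same listing is a useful thing to glance at on any machine where links have started opening in an unexpected application.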

There’s more information in Paul Thurrott’s Windows 8 Tip on Changing File Associations.

Short takes: @ in DNS records; are ‘ and & legal in an email address?; changing the search base for IDfix

A few short items that don’t quite warrant their own blog post…

@ in DNS records

Whilst working with a customer on their Office 365 integration recently, we had a requirement to add various DNS records, including the TXT record for domain verification which included an @ symbol. The DNS provider’s systems didn’t allow us to do this, or to use a space instead to denote the origin of the domain. Try googling for @ and you’ll have some challenges too…

One support call later and we had the answer… use a *.  It seemed to do the trick as, soon after that, the Microsoft servers were able to recognise our record and we continued with the domain configuration.

Are ‘ and & “legal” in an email address?

Another interesting item that came up was from running the IDfix domain synchronisation error remediation tool to check the on-premises directory before synchronisation.  Some of the objects it flagged as requiring remediation were distribution groups with apostrophes (‘) or ampersands (&) in their SMTP addresses. Fair enough, but that got me wondering how/why those addresses ever worked at all (I once had an argument with someone who alleged that the hyphen in my wife’s domain name was an “illegal” character). Well, it seems that, technically, they are allowable in SMTP (I struggled reading the RFCs, but Wikipedia makes it clearer) but certainly not good practice… and definitely not for synchronisation with Azure AD.

Changing the search base for IDfix

I mentioned the IDfix tool above and, sometimes, running it against a whole domain produces more results than can easily be coped with.  As we planned to filter directory synchronisation on certain organizational units (OUs), it made sense to query the domain for issues on those same OUs. This is possible in the settings for IDfix, where the LDAP query for the search base can be changed.
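
The two IDfix items above (addresses containing ' or &, and limiting the check to the OUs you actually plan to synchronise) can be combined into a quick pre-check of your own. The following is an added example, not from the original post and not IDfix’s code or rule set: it scans mail-enabled objects for SMTP proxy addresses whose local part contains anything outside a conservative allow-list (letters, digits, . _ -). That allow-list is this example’s own choice, stricter than what SMTP permits, and is not a statement of Azure AD’s exact rules. The live query assumes the ActiveDirectory module’s Get-ADObject; the sample objects at the bottom are constructed.

```powershell
# Added example, not from the original post or from IDfix: flag SMTP proxy
# addresses whose local part contains characters outside a conservative
# allow-list, optionally restricted to chosen OUs (the IDfix search base idea).
# The allow-list is this example's own, not Azure AD's exact rule set.

function Find-SuspectProxyAddress {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Object,   # needs DistinguishedName and proxyAddresses
        [string] $AllowedCharacters = '[A-Za-z0-9._-]'       # regex character class of permitted local-part characters
    )
    process {
        foreach ($address in @($Object.proxyAddresses)) {
            # Entries look like SMTP:primary@example.com or smtp:alias@example.com;
            # X500:, X400:, SIP: and other prefixes are not SMTP addresses and are skipped
            $prefix, $value = $address -split ':', 2
            if ($prefix -notmatch '^smtp$') { continue }
            $local, $domain = $value -split '@', 2
            # Strip everything permitted; whatever remains is outside the allow-list
            $bad = $local -replace $AllowedCharacters, ''
            if ($bad) {
                [pscustomobject]@{
                    Object        = $Object.DistinguishedName
                    Address       = $value
                    Primary       = ($prefix -ceq 'SMTP')   # upper-case SMTP: marks the primary address
                    BadCharacters = (($bad.ToCharArray() | Select-Object -Unique) -join ' ')
                }
            }
        }
    }
}

function Find-SuspectProxyAddressInOU {
    # Same check against AD, limited to the OUs you intend to synchronise,
    # which mirrors changing the search base in IDfix. Assumes the
    # ActiveDirectory module.
    param([Parameter(Mandatory)] [string[]] $SearchBase)
    foreach ($ou in $SearchBase) {
        $filter = '(&(|(objectClass=user)(objectClass=group))(proxyAddresses=*))'
        Get-ADObject -SearchBase $ou -LDAPFilter $filter -Properties proxyAddresses | Find-SuspectProxyAddress
    }
}

# Constructed sample objects in the shape Get-ADObject returns
$sample = @(
    [pscustomobject]@{ DistinguishedName = "CN=Sales,OU=Groups,DC=example,DC=com"
                       proxyAddresses    = @('SMTP:sales@example.com', 'smtp:sales-team@example.com') }
    [pscustomobject]@{ DistinguishedName = "CN=R&D,OU=Groups,DC=example,DC=com"
                       proxyAddresses    = @('SMTP:r&d@example.com', 'X500:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=rd') }
    [pscustomobject]@{ DistinguishedName = "CN=O'Brien's Team,OU=Groups,DC=example,DC=com"
                       proxyAddresses    = @("SMTP:obriens.team@example.com", "smtp:o'brien's_team@example.com") }
)
$sample | Find-SuspectProxyAddress | Format-Table -AutoSize

# Live, against the OUs that will be synchronised:
#   Find-SuspectProxyAddressInOU -SearchBase 'OU=Groups,DC=example,DC=com', 'OU=Users,DC=example,DC=com'
```

With the constructed data the Sales group is clean, R&D is flagged for the & in its primary address, and O'Brien's Team is flagged for the ' in a secondary alias; the X500 entry is ignored because it is not an SMTP address. Treat the output as a to-do list to work through before synchronisation rather than as a replacement for running IDfix itself.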

Short takes: missing keys, closing apps and taking screen grabs

Another post with a few things I’ve collected in my browser tabs over the last few weeks…

Locating the hash (#) key on a Mac keyboard

I love the Apple wireless keyboard that I use with my Mac Mini but tweeting without a hash key can be challenging at times…

So much for the Mac’s simplicity when I have to Google to find the hash key (it’s at Alt+3 on the UK layout, BTW)!

Closing Windows 8 apps with the Surface/Surface Pro touch/type covers

And, talking of missing keys… the Surface/Surface Pro touch/type covers have function keys that double up as media keys so, if you want to Alt-F4 to close an app, remember that’s Alt+Fn+F4.

Snipping from “Metro” apps in Windows 8.1

If you want to snip a portion of the screen in Windows 8.x and you’re running a full-screen (“Metro”) app, then you’re out of luck – the Snipping Tool only works in desktop mode. The workaround is to take a screenshot with PrtSc and then edit the resulting clipboard contents. Hopefully this gets better in Windows 10?

So where is the PrtSc key for the Surface/Surface Pro touch/type covers?

There isn’t a PrtSc key, but Fn+space will grab the whole screen (as PrtSc does on a normal PC keyboard) and Alt+Fn+space will grab the current window and copy it to the clipboard (as Alt+PrtSc does normally).


The OneDrive that’s really two drives…

Jamie Thomson and I have long since lamented the challenges of Microsoft’s two directories for cloud services and it doesn’t stop there. Take a look at cloud storage:

  • OneDrive is Microsoft’s cloud-based storage offering, accessed with a Microsoft Account (formerly a Windows Live ID, or a Passport if you go back far enough…)
  • OneDrive for Business is Microsoft’s cloud-based storage offering, accessed with an Organizational Account (which lives in Microsoft Azure AD)

Similar names, similar purpose, totally different implementation – as the OneDrive for Business product is still Groove (which later became SharePoint Workspace) under the covers (have a look at the filename when you download the client).

And look what happens when you have both products with the same email address used to access them:

Still, at least the site detects that this has happened and gives you the choice. And there is some hope for future convergence as Jamie highlights in this blog post from earlier in the year.

Earlier this week, I was helping a customer to get ready for an Office 365 pilot and they were having challenges with the OneDrive client. The version available for download from the Office 365 portal is a click-to-run installation and it didn’t want to play nicely with their .MSI-based Office 2013 installation (which should already include the client anyway). Actually, that didn’t really matter because the OneDrive client is also included in Windows 8.1, which was the operating system being used.

The confusion came with setting up the connected services inside Office:

  • To set up a OneDrive account, click on OneDrive – but that will only accept Microsoft Account credentials and, after configuration it will show as something like “OneDrive – Personal”.
  • To set up OneDrive for Business, don’t click OneDrive but select SharePoint instead. After logging on with your Organizational Account credentials, that will be displayed as “OneDrive – organisation name” (with SharePoint sites appearing as “Sites – organisation name”).

Some illustration might help so, below is a shot of my connected services. Because I’m connected to multiple Office 365 tenants, you can see that I have multiple OneDrive [for Business] and Sites entries:

If you’re trying to get hold of the OneDrive for Business sync client for SharePoint 2013 and SharePoint Online, Microsoft knowledge base article 2903984 has the links for the click-to-run install.  If you want an MSI version, then you’re out of luck – but you can create a customised Office 2013 installation instead, as OneDrive for Business (formerly SkyDrive Pro) was originally released as part of several Office 2013 suites (as described in Microsoft knowledge base article 2904296).

Finally, if you’re trying to work out how to get a OneDrive for Business app on Windows Phone, the OneDrive app can connect to both OneDrive and OneDrive for Business.

Confused?

Some patience required when changing a display name for an Exchange Online mailbox

Mrs W and I have been married for a long time but, until last week, she was still using her maiden name for work. Now, for a variety of reasons, is a good time for her to switch and, as we use Office 365 for her business email, I said “Yeah, it’s really simple; just let me know when you’ve told your contacts about the name change and I’ll switch it over.”

So, when the time came, I changed the display name in the Exchange Online Exchange Admin Center (no changes to her SMTP addresses were needed) and thought that would be it. Nope. Test emails sent came from the original display name. The same happened with another account that I changed the name on. Wondering if this was an Outlook issue, I tried from Outlook Web App: no difference. Test emails were sent back and forth to email addresses outside our Office 365 tenant (like my work account) and the original name stubbornly stuck – I even looked in the message headers and, there it was.

I’m not sure, but I think the issue was related to the offline address book as the GAL reflected the change immediately but the offline GAL was still showing the old display name.

Unlike in an on-premises Exchange installation, I couldn’t update the address book: connecting to Exchange Online via PowerShell and asking for Get-Command *Offline* told me that the Update-OfflineAddressBook cmdlet is not available in Exchange Online (confirmed in the TechNet reference, which only refers to Exchange Server 2013).

Like so many things in Exchange (and I remember this from my original Exchange 4.0 training course in 1996), it proved to be one issue that’s best left for a few hours to fix itself. The offline GAL updated overnight and emails were then sent with the new display name (not sure why this affected OWA though…).

One month with the Surface Pro 3

When I started my current job and tweeted about my new “laptop” (a Microsoft Surface Pro 3), I was a little surprised at the reaction from some people, including one of my friends whose words were along the lines of “give it a month and then tell me if you still like it…”

Well, it’s been a month, so here we go…

<tl; dr> I really, really, like it.

That’s not really much of a review though… so here’s some of the things that are good, and some that are less so…

Starting out with the positives:

  • It’s a fully-featured PC. Every time I see someone comparing the Surface with an iPad I cringe. I tried using an iPad as my primary device and it didn’t work for me. I can see why it would for some people but I need to work with multiple applications and task switch, copy and paste text all of the time. The Surface Pro runs Windows 8.1 and does everything I expect of a Windows PC, plus the benefits of having a touch screen display and a tablet form factor.
  • The display is fantastic. Crisp, clear, 2160×1440 (as Ed Bott highlights, that would be called a retina display on an Apple device).
  • The type cover keyboard is really good. Backlit keys, easy to type on, a good size. Combined with the kickstand on the tablet itself, it becomes a fully-featured 12″ laptop and it’s far more stable than many tablet/cover/keyboard combinations.
  • I live in OneNote. I can draw with the Surface Pen now – and that is incredibly useful.
  • It’s light. I haven’t checked how light, but light enough to carry with ease.
  • The power supply is not too big – and it has a USB charging socket too. Having said that, I can usually manage on the battery to catch the train in/out of London and get through a customer meeting.

On the downside though:

  • There aren’t enough USB ports and the use of a Mini DisplayPort means I need to carry adaptors. To be fair, I carry quite a few for my other devices too.
  • The price of accessories is way over the top: type cover is a penny under £110; Surface Pen is £45; Docking station is £165. Really? Add that to the cost of the device itself and you could buy a pretty good laptop. (The Surface Pro 3 range starts at £639 but the Intel i5 model with 4GB RAM and 128GB of storage that I use is £849 and the top of the range Intel i7 with 8GB RAM and 512GB storage will set you back £1549).
  • The type cover trackpad is awful. I use a mouse. That’s how bad it is.
  • The pen takes some getting used to (this post from Microsoft helps) – and I ran through the first set of batteries in no time (this support page came in useful too).
  • I’ve had some worrying issues with resuming from standby, sometimes not resuming at all, sometimes having to go through a full reboot. I suspect that’s the Windows build it’s running though – I can’t blame the Surface for that…

I’m more than happy with the Surface Pro 3 (at least, I am until the Surface Pro 4 comes out!). I was given the choice between this and a Dell ultrabook and I’m pretty sure I made the right choice. Maybe if I was a developer and I needed a laptop which was effectively a portable server then that would be a different story – but for my work as a Consultant/Architect – it’s exactly what I need.

If you need a Windows PC, your work is mobile (and not too taxing in terms of hardware requirements), and your employer has the facilities for effective remote working, the Surface Pro 3 is worth a look. I’d even go as far as to say I would spend my own money on this device. That’s more than I can say about any company-supplied PC I’ve had to date.

The tools of a mobile worker… including a plethora of cables and adapters

One of the great things about working for my current employer is that they provide me with the devices I need for mobile working and we use all of the software that we are helping our customers to adopt. My tools are a Microsoft Surface Pro 3 tablet and a Nokia Lumia 830 smartphone, together with the latest released versions of Windows and Office, and I consume services from the Microsoft Cloud including all of the Office 365 workloads as well as some on-premises apps like Skype for Business. Using the full Microsoft stack does mean I’ve had to go back to using Internet Exploder though… and I am at last getting used to Bing and weaning myself off the habit of using the big G for search – at least on my work PC!

I’m not saying that the use of a Surface Pro 3 was the reason I took the job – but it may have been a factor and not lugging around a heavy laptop has some major advantages (even the small form factor laptop I used for my last job was pretty weighty).

Unfortunately, with such a svelte device comes a down-side… namely that I now carry a plethora of cables and adapters, as illustrated by my former colleague Dom Allen (who now works for a rival Microsoft Partner):

https://instagram.com/p/0sxOw9jjTK/

So, what’s in my bag these days alongside the Surface Pro and its charger?

Maybe not quite the portable computing panacea I might have hoped for… but at least they all fit inside a pencil case!

(Unrelated to work, I also carry a 10cm Apple Certified Lightning to USB cable and an Anker Astro E1 5200mAh external battery power bank to keep my iPhone alive all day…)

Milton Keynes Geek Night – three years on and going from strength to strength (#MKGN)

I don’t remember how I first became aware of Milton Keynes Geek Night but, three years ago, I turned up in a room above a converted bus station to see what this new event would be like. 13 Geek Nights later (plus a special Geek Mental Health event too) and I haven’t missed a single night*, being described as a “groupie” by one of the founders. I even brought my wife along once…

In the early days, I used to blog about the topics of discussion. More recently I’ve struggled to find the time but the audio from the talks is on SoundCloud (well, all of the talks from Geek Night 3 onwards, that is).

Last night’s MK Geek Night lived up to expectations. Not being a designer or a developer, I tend to find that some of the talks are a little beyond my knowledge but still good for an IT architect to understand at a conceptual level.

I thought that, as MK Geek Night celebrates its third birthday, now would be a good time to look back on some of my favourite talks:

…and then there are Ben Foxall (@BenjaminBenBen)’s talks which are in a category of their own – they need to be on YouTube not SoundCloud! I just can’t do them justice in words but how he gets 200 people to join in on their devices and illustrate some amazing functionality inside a browser I do not know. Similarly, Sii Cockerill (@siicockerill)’s dynamic art based on maths/environmental considerations was incredibly visual but you can at least see the results on the web.

I’ll sign off with massive congratulations and a huge thank you to Richard Wiggins (@RichardWiggins) and David Hughes (@DavidHughes) who organise and MC these events – and to all of the sponsors (without whom they wouldn’t be able to take place) – and of course to the speakers too! Here’s to many more years of #MKGN.


*There was also an MKGN All-Dayer which I was unable to join but hey, that’s not a “geek night” is it?!