Exchange Server 2007 Design and Architecture at Microsoft
Published: November 2007
How the Microsoft Information Technology organization designed the corporate Exchange Server 2007 environment
Agenda
● Solution overview
● Reasons for Microsoft IT to use Exchange Server 2007
● Environment prior to Exchange Server 2007
● Planning and design process
● Architecture and design decisions
● Deployment planning
● Best practices
Solution Overview
Business Challenge
• The costs and general limitations associated with the platforms and technologies used in the Exchange Server 2003 environment prevented Microsoft IT from efficiently meeting emerging messaging and business needs.
Solution
• With Exchange Server 2007, Microsoft IT created new opportunities to drive down costs and system complexities, increase security, and deploy new features not available in previous versions of Exchange Server.
Results/Benefits
• Increased reliability.
• Larger mailbox sizes.
• Reduced total cost of ownership (TCO).
• Increased protection against spam.
• Reduced topology complexities.
• Improved regulatory compliance.
• Enhanced remote access and mobility options.
Reasons for Microsoft IT to use Exchange Server 2007
● Increase employee productivity
● Increase operational efficiency
● Decrease security risks
● Decrease costs
“Our mission is to deliver value by enabling people with innovative and reliable information technology solutions that seamlessly integrate with, and improve, how people work.”
Jim DuBois, General Manager, MSIT, Microsoft Corporation
Environment Prior to Exchange Server 2007
● Redmond (Puget Sound area in Washington State): 56,000 users, 21 Mailbox servers
● Dublin (Europe, Africa, and the Middle East): 22,000 users, 6 Mailbox servers
● Sao Paulo (remainder of North America and South America): 1,500 users, 1 Mailbox server
● Singapore (Asia and the South Pacific): 15,000 users, 5 Mailbox servers
Leased lines between the locations, 155 Mbps or faster.
Environment Prior to Exchange Server 2007 (Directory Infrastructure)
● Multiple forests for various legal and business requirements
● 70% of resources in Corporate forest – over 1 million objects
● 9 domains in corporate forest based on geography
● 202 sites in hub and spoke topology
● Dedicated Exchange site in Redmond
Environment Prior to Exchange Server 2007 (Directory Topology)
Figure: Active Directory sites with and without Exchange servers, their domain controllers, and the bidirectional IP site links between them.
● ADSITE_REDMONDEXCHANGE: Domain controllers: 4; Mailbox servers: 21; Front-end servers: 6; Public Folder servers: 5; Bridgehead servers: 6; Internet mail gateways: 3; Special purpose: 3
● ADSITE_DUBLIN: Domain controllers: 4; Mailbox servers: 6; Front-end servers: 2; Public Folder/Bridgehead servers: 2; Internet mail (outbound): 2
● ADSITE_SILICON VALLEY: Domain controllers: 2; Mailbox servers: 0; Bridgehead servers: 2; Internet mail gateways: 3
● ADSITE_REDMOND and ADSITE_NORTH CAROLINA: sites without Exchange servers
● ADSITE_SINGAPORE: Domain controllers: 2; Mailbox servers: 5; Front-end servers: 2; Public folder/Bridgehead servers: 2; Internet mail (outbound): 2
● ADSITE_SAO PAULO: Domain controllers: 2; Mailbox/Public Folder/Bridgehead servers: 1; Front-end servers: 2
Environment Prior to Exchange Server 2007 (Messaging Topology)
● Centralized administration from Redmond
● Four administrative groups (North America, Dublin, Singapore, and Sao Paulo)
● Routing topology corresponds to WAN links
● Routing group connectors between routing groups with default options
● Four central bridgehead servers in North America as remote bridgehead servers in the RGC configuration
● Inbound Internet mail messages through two redundant locations
Environment Prior to Exchange Server 2007 (Messaging Topology)
Routing group               | Mailbox servers (clustered) | Public-folder servers | Bridgehead servers | Front-end servers | Gateway servers | Special purpose
RG_REDMONDEXCHANGE          | 21 | 5 | 8 | 6 | 0 | 3
RG_DUBLIN                   | 6  | 2 | 2 | 2 | 0 | –
RG_SINGAPORE                | 5  | 2 | 2 | 2 | 0 | –
RG_SAO PAULO                | 1 (also public-folder and bridgehead) | – | – | 2 | 0 | 0
RG_REDMOND PERIMETER        | 0  | 0 | 0 | 0 | 3 | 0
RG_SILICON VALLEY PERIMETER | 0  | 0 | 0 | 0 | 3 | 0
(– : cell not recoverable from the slide)
Planning and Design Process
Figure: project phases and milestones. Phases: Envisioning, Planning, Developing, Stabilizing, Deploying. Milestones: Vision and scope approved, Project plans approved, Scope complete, Release readiness approved, Deployment complete. Activities along the way: engineering lab, pre-release deployments and TAP, deployment planning exercises, pilot production rollout, project assessment.
Architecture and Design Decisions
● Administration and permissions model
● Message routing topology
● Server architectures and designs
● Mailbox storage design
● Backup and recovery
● Client access server topology
● Unified messaging
● Internet mail connectivity
“Microsoft IT is our first and best customer. Almost two years prior to RTM, Microsoft IT began with pre-release production deployments to help us build an excellent product. The close relationship with Microsoft IT is so vital to our culture of quality and customer satisfaction that we do not ship products or service packs until Microsoft IT signs off on the enterprise readiness. We shipped Exchange Server 2007 on December 7, 2006, with the confidence and proof in hand that the product delivers on its potential to help customers build reliable enterprise-class messaging environments while reducing total cost of ownership.”
Terry Myerson, General Manager, Exchange Server Product Group, Microsoft Corporation
Administration and Permissions Model
● Security Principles and Guidelines
● Exclusive Microsoft IT Management
● Centralized System Administration
● Default Permissions Mode
● Formal Approval Process
● Permissions Review
Administration and Permissions Model (Approval Processes)
Figure: the Microsoft Exchange security groups (Exchange view-only administrators, Exchange organization administrators, Exchange recipient administrators) are held in the root domain, root.msft. The child domains X.root.msft, Y.root.msft, and Z.root.msft hold the users and teams (LCA, system engineering, operations team, user administrators). A team manager adds and removes group members.
Message Routing Topology
● Network Infrastructure and Site Consolidation
● Dedicated Exchange Sites in the Active Directory Topology
● Optimized Message Transfer Between Hub Transport servers
● Connectivity to Remote SMTP domains
● Increased Message Routing security
● Coexistence with Exchange Server 2003
Message Routing Topology (Network Infrastructure and Site Consolidation)
● Physical network -> IP routing topology -> Active Directory site topology
● Previous consolidation with Exchange 2003 made planning easier
● Many benefits of consolidated datacenters
  ● Uncomplicated messaging topology
  ● Best possible Hub Transport server utilization
  ● Reduced chance of server communication issues
Message Routing Topology (Dedicated Exchange Sites in the Active Directory Topology)
Figure: Active Directory site links and the message routing topology they produce.
● ADSITE_REDMONDEXCHANGE (8 Hub Transport, 31 Mailbox servers)
● ADSITE_DUBLIN (3 Hub Transport, 15 Mailbox servers)
● ADSITE_SINGAPORE (3 Hub Transport, 14 Mailbox servers)
● ADSITE_SAO PAULO (1 Multi-role server for Hub and Client Access)
● ADSITE_REDMOND and ADSITE_CHARLOTTE (No Exchange servers)
Message Routing Topology (Optimized Message Transfer Between Hub Transport servers)
Figure: a Dublin user sends one message to Redmond, Dublin, and Singapore users. IP site links establish the message routing topology (cost: 999, Exchange cost: 10). The message travels from ADSITE_DUBLIN (3 Hub Transport, 15 Mailbox servers) to ADSITE_REDMONDEXCHANGE (8 Hub Transport, 31 Mailbox servers), the bifurcation point, and on to ADSITE_SINGAPORE (3 Hub Transport, 14 Mailbox servers). ADSITE_SAO PAULO (1 Multi-role server for Hub and Client Access) serves the Sao Paulo user.
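Added example (not from the Microsoft IT deck): Python that reproduces the routing decision the figure illustrates, computing least-cost paths over the site links with the Exchange cost taking precedence over the Active Directory cost, and the sites at which a multi-recipient message is bifurcated. The site names and costs are taken from the figure; the direct Dublin to Singapore link is a hypothetical addition that shows why the Exchange cost matters.

```python
"""Least-cost message routing over Active Directory IP site links, as a
Hub Transport server computes it: the Exchange cost on a link (when set)
replaces the AD cost for routing only, and a message to recipients in
several sites travels as one copy until the paths diverge (bifurcation).
Constructed example: costs from the figure (AD cost 999, Exchange cost 10
on the Redmond links); the Dublin-Singapore link is hypothetical."""
import heapq
from collections import defaultdict

# (site_a, site_b, ad_cost, exchange_cost or None); links are bidirectional.
SITE_LINKS = [
    ("ADSITE_REDMONDEXCHANGE", "ADSITE_DUBLIN", 999, 10),
    ("ADSITE_REDMONDEXCHANGE", "ADSITE_SINGAPORE", 999, 10),
    ("ADSITE_REDMONDEXCHANGE", "ADSITE_SAO PAULO", 999, 10),
    ("ADSITE_DUBLIN", "ADSITE_SINGAPORE", 100, None),  # hypothetical, no Exchange cost
]


def routing_graph(links, honour_exchange_cost=True):
    """Adjacency map {site: {neighbour: cost}} using the cost routing will see."""
    graph = defaultdict(dict)
    for a, b, ad_cost, ex_cost in links:
        cost = ex_cost if honour_exchange_cost and ex_cost is not None else ad_cost
        graph[a][b] = cost
        graph[b][a] = cost
    return graph


def least_cost_path(graph, source, target):
    """Dijkstra over the site graph; returns (total_cost, [sites]) or (None, [])."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == target:
            path = [site]
            while path[-1] != source:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > dist[site]:
            continue  # stale heap entry
        for nxt, link_cost in graph[site].items():
            new_cost = cost + link_cost
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = site
                heapq.heappush(heap, (new_cost, nxt))
    return None, []


def delivery_plan(graph, source_site, recipient_sites):
    """For every site a copy passes through, group the recipients by next hop
    ("local" = delivered to a Mailbox server in that site).
    Returns {site: {next_hop: [recipient sites]}}."""
    plan = defaultdict(lambda: defaultdict(list))
    for dest in recipient_sites:
        _, path = least_cost_path(graph, source_site, dest)
        for i, site in enumerate(path):
            next_hop = path[i + 1] if i + 1 < len(path) else "local"
            plan[site][next_hop].append(dest)
    return {s: {h: sorted(d) for h, d in hops.items()} for s, hops in plan.items()}


def bifurcation_points(plan):
    """Sites where the recipients split onto more than one next hop."""
    return sorted(site for site, hops in plan.items() if len(hops) > 1)


if __name__ == "__main__":
    graph = routing_graph(SITE_LINKS)
    print(least_cost_path(graph, "ADSITE_DUBLIN", "ADSITE_SINGAPORE"))
    plan = delivery_plan(graph, "ADSITE_DUBLIN",
                         ["ADSITE_REDMONDEXCHANGE", "ADSITE_DUBLIN", "ADSITE_SINGAPORE"])
    print(bifurcation_points(plan))
```

With the Exchange cost honoured, Dublin to Singapore routes through Redmond (cost 20) rather than over the cheaper-looking AD link (cost 100); the figure marks Redmond as the bifurcation point, and the plan also reports the originating site because the Dublin recipient is delivered locally there.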
Message Routing Topology (Increased Message Routing Security)
● Messaging traffic encryption and lab environment exception
● Technologies used
  ● IPSec
  ● Transport Layer Security (TLS)
  ● Restricted access to SMTP submission points
  ● Forefront Security on Hub Transport and Edge Transport
Message Routing Topology (Coexistence with Exchange Server 2003)
● Special routing group where Active Directory site topology defines the message routing topology
Figure: the four Exchange Server 2007 Active Directory sites (ADSITE_DUBLIN, ADSITE_REDMONDEXCHANGE, ADSITE_SINGAPORE, ADSITE_SAO PAULO) all belong to the single EXCHANGE ROUTING GROUP (DWBGZMFD01QNBJR); the Exchange Server 2003 routing groups remain RG_DUBLIN, RG_REDMOND, RG_SINGAPORE, and RG_SAO PAULO.
Message Routing Topology (Coexistence with Exchange Server 2003)
Routing group connectors, with their local and remote bridgeheads:
● From RG_REDMOND to EXCHANGE ROUTING GROUP (DWBGZMFD01QNBJR)
  Local bridgeheads: Any local server can send mail over this connector. This enables all Exchange 2003 servers to transfer messages directly to the Hub Transport servers without involving Exchange 2003 bridgeheads.
  Remote bridgeheads: All Hub Transport servers located in ADSITE_REDMOND-EXCHANGE
● From EXCHANGE ROUTING GROUP (DWBGZMFD01QNBJR) to RG_REDMOND
  Local bridgeheads: All Hub Transport servers located in ADSITE_REDMOND-EXCHANGE.
  Remote bridgeheads: All Hub Transport servers located in RG_REDMOND
● From RG_DUBLIN to EXCHANGE ROUTING GROUP (DWBGZMFD01QNBJR)
  Local bridgeheads: Any local server can send mail over this connector.
  Remote bridgeheads: All Hub Transport servers located in ADSITE_DUBLIN
● From EXCHANGE ROUTING GROUP (DWBGZMFD01QNBJR) to RG_DUBLIN
  Local bridgeheads: All Hub Transport servers located in ADSITE_DUBLIN.
  Remote bridgeheads: The public-folder servers in RG_DUBLIN, which also function as bridgehead servers
● From RG_SINGAPORE to EXCHANGE ROUTING GROUP (DWBGZMFD01QNBJR)
  Local bridgeheads: Any local server can send mail over this connector.
  Remote bridgeheads: All Hub Transport servers located in ADSITE_SINGAPORE
● From EXCHANGE ROUTING GROUP (DWBGZMFD01QNBJR) to the Singapore routing group
  Local bridgeheads: All Hub Transport servers located in ADSITE_SINGAPORE.
  Remote bridgeheads: The public-folder servers in RG_SINGAPORE, which also function as bridgehead servers
Server Architectures and Designs
● Flexible and Scalable Messaging Infrastructure
● Multiple-Role and Single-Role Server Designs
● Scaling Up Server Designs
Server Architectures and Designs (Flexible and Scalable Messaging Infrastructure)
Figure: three tiers. User tier: telephone; SMTP host on the Internet; Office Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere clients. Middle tier: Unified Messaging; Edge Transport and Hub Transport; Client Access. Data tier: Mailbox servers behind each middle-tier role.
Server Architectures and Designs (Multiple-Role and Single-Role Server Designs)
Server role       | Redmond | Silicon Valley | Dublin | Singapore | Sao Paulo | Technology
Mailbox           | 31 | 0 | 15 | 15 | 1 | Microsoft Windows Clustering and CCR. Network interface card (NIC) teaming by using NICs connected to different switches
Edge Transport    | 3  | 3 | 2  | 2  | 0 | Domain Name System (DNS) round robin and Mail Exchanger (MX) records with same cost values. Multiple Hub Transport servers as bridgeheads in Send Connector configuration
Hub Transport     | 8  | 0 | 3  | 3  | 1 | Automatic load balancing through Mail Submission Service. Edge Subscriptions for Hub/Edge connectivity.
Client Access     | 16 | 0 | 6  | 4  | – | Web Publishing Load Balancing (WPLB) on Microsoft Internet Security and Acceleration (ISA) Server 2006. Microsoft Network Load Balancing (NLB) internally.
Unified Messaging | 7  | 0 | 2  | 2  | – | Automatic round robin load balancing between Unified Messaging servers. Multiple voice over IP (VoIP) gateways per dial plan.
(– : cell not recoverable from the slide)
Server Architectures and Designs (Scaling Up Server Designs)
● New scaled-up Mailbox designs after initial rollout
● Up to 6000 users with 500 MB mailboxes
● Quad-core Intel Xeon with 16 GB RAM to eliminate bottleneck
Mailbox Storage Design
● Eliminating Storage as the Single Point of Failure
● Reducing Storage Costs and Configuration Complexities
● Optimizing the Storage Design for Reliability and Recoverability
● Standardizing the Storage Design
Mailbox Storage Design (Eliminating Storage as the Single Point of Failure)
● CCR configuration with cluster nodes and the file-share witness in the same Active Directory site
Figure: within one Active Directory site, a Hub Transport server (with the transport dumpster) and the file-share witness are reachable over the public network; the Mailbox server's active node ships transaction logs to the passive node over the private network.
Mailbox Storage Design (Optimizing the Storage Design for Reliability and Recoverability)
● CCR still requires reliability and recoverability provisions at storage and server levels
● Microsoft IT uses these strategies
  ● RAID
  ● Separate transaction logs from database files
  ● No circular logging on Mailbox servers
  ● Configure multiple storage groups per Mailbox server
Mailbox Storage Design
● Standardizing the Storage Design: universal storage building block (USBB)
Figure: one USBB spans storage enclosure 1 and storage enclosure 2 and provides three database drives (RAID 10) and one log drive (RAID 10).
Mailbox Storage Design
● 6000-user mailbox server with two USBBs per cluster node
Figure: the active node and the passive node each present drives E:, F:, G:, L: from the first USBB and H:, I:, J:, M: from the second.
Backup and Recovery
● Performing VSS-Based Backups on Passive Node
● Eliminating Backups to Tape
● Optimizing Backup Cycles According to SLAs
Backup and Recovery (Performing VSS-Based Backups on Passive Node)
● Software VSS backups on passive node with DPM
Figure: three Mailbox servers, each with an active node and a passive node running the DPMv2 agent, back up to one DPM host.
Backup and Recovery (Eliminating Backups to Tape)
● 14 days of online database backups
Figure: the active node and the passive node of a Mailbox server each have their own data storage; the backups are written to separate backup storage.
Backup and Recovery (Optimizing Backup Cycles According to SLAs)
● New 500 MB and 2 GB quotas would overtax existing backup processes
● Weekly full, daily incremental
● Seven storage groups on each LUN
Storage group | Mon  | Tue  | Wed  | Thu  | Fri  | Sat  | Sun
SG 1          | Full | Inc  | Inc  | Inc  | Inc  | Inc  | Inc
SG 2          | Inc  | Full | Inc  | Inc  | Inc  | Inc  | Inc
SG 3          | Inc  | Inc  | Full | Inc  | Inc  | Inc  | Inc
SG 4          | Inc  | Inc  | Inc  | Full | Inc  | Inc  | Inc
SG 5          | Inc  | Inc  | Inc  | Inc  | Full | Inc  | Inc
SG 6          | Inc  | Inc  | Inc  | Inc  | Inc  | Full | Inc
SG 7          | Inc  | Inc  | Inc  | Inc  | Inc  | Inc  | Full
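Added example (not from the deck): Python that generates the staggered schedule in the table, confirms that exactly one storage group per LUN takes a full backup each night, and works out the restore chain (last full plus following incrementals) a given storage group needs on a given day, checked against the 14 days of online backups from the previous slide. The dates are constructed; the per-LUN layout of seven storage groups is taken from the slide.

```python
"""Staggered backup cycle from the table (weekly full, daily incremental,
seven storage groups per LUN, one full per night) and the restore chain it
implies. Added example, not from the deck; dates are constructed."""
from datetime import date, timedelta

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
STORAGE_GROUPS = ["SG 1", "SG 2", "SG 3", "SG 4", "SG 5", "SG 6", "SG 7"]
ONLINE_RETENTION_DAYS = 14  # "14 days of online database backups"


def backup_type(sg_index, weekday):
    """SG n takes its full backup on weekday n (SG 1 = Mon), incremental otherwise."""
    return "Full" if sg_index == weekday else "Inc"


def weekly_schedule():
    """The table from the slide: {storage group: [type for Mon..Sun]}."""
    return {sg: [backup_type(i, d) for d in range(7)]
            for i, sg in enumerate(STORAGE_GROUPS)}


def fulls_per_night(schedule):
    """How many storage groups take a full on each weekday (load spreading)."""
    return [sum(1 for types in schedule.values() if types[d] == "Full")
            for d in range(7)]


def backups_for(sg_index, first_day, last_day):
    """Dated backup history of one storage group over [first_day, last_day]."""
    history = []
    day = first_day
    while day <= last_day:
        history.append((day, backup_type(sg_index, day.weekday())))
        day += timedelta(days=1)
    return history


def restore_chain(history, restore_point):
    """Backups needed to restore to `restore_point`: the most recent full on or
    before that date plus every incremental after it up to that date.
    Returns [] if no full exists on or before the restore point."""
    chain = []
    for day, kind in history:
        if day > restore_point:
            break
        if kind == "Full":
            chain = [(day, kind)]
        elif chain:
            chain.append((day, kind))
    return chain


def chain_fits_retention(chain, restore_point, retention_days=ONLINE_RETENTION_DAYS):
    """True if every backup in the chain is still inside the online retention window."""
    return bool(chain) and (restore_point - chain[0][0]).days < retention_days


if __name__ == "__main__":
    # SG 3 (index 2) takes its full on Wednesdays; restore to Tue 13 Nov 2007.
    history = backups_for(2, date(2007, 11, 5), date(2007, 11, 18))
    chain = restore_chain(history, date(2007, 11, 13))
    print(fulls_per_night(weekly_schedule()), len(chain),
          chain_fits_retention(chain, date(2007, 11, 13)))
```

The longest chain is one full plus six incrementals, so the oldest backup a restore ever needs is six days old and always sits within the 14-day online window.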
Client Access Server Topology
● Preserving Existing Namespaces for Mobile Access to Messaging Data
● Increasing Security Based on ISA Server 2006
● Providing Load Balancing and Fault Tolerance for External Client Connections
● Providing Load Balancing and Fault Tolerance for Internal Client Connections
● Optimizing Offline Address Book Distribution
● Enabling Cross-Forest Availability Lookups
Client Access Server Topology (Preserving Existing Namespaces for Mobile Access to Messaging Data)
● 60,000 Outlook Web Access unique users per month and 30,000 ActiveSync sessions
● Existing multiple URL namespaces to distribute load that need to be preserved with Exchange 2007
● Deploy Client Access servers, verify, then migrate users
● Each Active Directory site with Mailbox servers must also include Client Access servers
● Redirect Office Outlook Web Access users to Client Access servers that are local to the user’s Mailbox server via the ExternalURL property
● Client Access servers act as proxy servers for local Client Access servers (Exchange ActiveSync, Exchange Web Services)
Client Access Server Topology (Increasing Security Based on ISA Server 2006)
● Stateful inspection and application-layer filtering
● Blocks any traffic that appears out of context, such as requests to initiate a connection on an established session
● SSL bridging process enables ISA Server 2006 to filter invalid data packets before the traffic reaches the Client Access servers
● Externally trusted SSL certificates for both external and internal traffic
Client Access Server Topology (Providing Load Balancing and Fault Tolerance for External Client Connections)
Figure: Office Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere clients connect from the Internet over HTTPS to three ISA servers (network load balancing with single affinity, SSL certificate). The ISA servers use web publishing load balancing to the Client Access servers (SSL certificate): cookie-based for /exchange/*, /owa/*, and /public/*; IP-based for /Microsoft-Server-ActiveSync/*, /RPC/*, /Autodiscover/*, /EWS/*, and /UnifiedMessaging/*. The Client Access servers reach the Mailbox servers over MAPI / RPCs.
Client Access Server Topology (Providing Load Balancing and Fault Tolerance for Internal Client Connections)
Figure: on the corporate network, Office Outlook Web Access, Office Outlook 2007, Exchange ActiveSync, and Outlook Anywhere clients on internal networks connect over HTTPS to the Client Access servers (network load balancing with single affinity, SSL certificate), which reach the Mailbox servers over MAPI / RPCs.
Client Access Server Topology (Optimizing Offline Address Book Distribution)
Figure: Office Outlook 2007 downloads the OAB with the Background Intelligent Transfer service from https://redmond.microsoft.com/oab; Office Outlook 2003 uses Outlook Anywhere via https://redmond.microsoft.com/rpc. Internet clients connect over HTTPS through three ISA servers (network load balancing with single affinity, web publishing load balancing, SSL certificate) to the Client Access servers (with OAB virtual directories and RPC proxy); internal Office Outlook 2007 and Office Outlook 2003 clients reach the same Client Access servers through NLB (SSL certificate). The Mailbox server (OABGen) generates the OAB into the ExchangeOAB shared folder, which the Exchange File Distribution service on the Client Access servers picks up over HTTPS, and into the ...cn=OAB public folder on the Public Folder server, which Office Outlook 2003 reads over MAPI / RPCs.
Client Access Server Topology (Enabling Cross-Forest Availability Lookups)
Figure: the Corporate Forest (ADSITE_REDMOND-EXCHANGE, ADSITE_DUBLIN, and ADSITE_SINGAPORE, each with Client Access server and Mailbox server; ADSITE_SAO PAULO with a multiple-role server and Mailbox server) performs availability lookups against the Extranet Forest (REDMOND-EXTRANET: Client Access server, Mailbox server) and the Windows Legacy Forest (REDMOND-LEGACY: Client Access server, Mailbox server, and an Exchange Server 2003 Mailbox server). The ...ou=Exchange Administrative Group (FYDIBOHF23SPDLT) public folder is kept in sync between forests by InterOrg Replication.
Unified Messaging (Topology)
● Redmond (60,000 users, 8 Hub Transport servers, 7 Unified Messaging servers, 4 PBX locations, 10 VoIP gateways)
● Dublin (25,000 users, 3 Hub Transport servers, 2 Unified Messaging servers, 1 PBX location, 2 VoIP gateways)
● Singapore (15,000 users, 3 Hub Transport servers, 2 Unified Messaging servers, 2 PBX locations, 4 VoIP gateways)
● Sao Paulo (2,000 users, 1 Multiple-role server, 1 PBX location, 2 VoIP gateways)
Unified Messaging (Redundancy and Load Balancing)
Figure: Redmond connects its PBXs with dual T1s for more bandwidth and with primary and secondary SMDI links; Silicon Valley connects with single T1s and primary and secondary SMDI links; other locations use 8 digital sets per gateway for more ports. In each case the gateways feed the Unified Messaging servers, which work with the Mailbox server and Active Directory.
Unified Messaging (Security)
● Many possible security issues: SIP Proxy impersonation, session hijacking, sniffing, etc.
● Secure protocols such as MTLS can mitigate risk
● Trusted LANs, VLANs, and other methods of segmentation
● IPSec
● General practices such as strong passwords
Unified Messaging (Feature and User Considerations)
● Some settings and features with default values, some customized
● Need to customize dial plans, VoIP gateway partners, hunt groups, mailbox policies, etc.
● Need to inform users of changes and provide documentation for self-service
● Microsoft created custom e-mail templates
● Custom intranet site with documentation for usage and user self-service
Internet Mail Connectivity
● Inbound and Outbound Message Transfer
● Redundancy and Load Balancing
● Increasing Perimeter Network Security
● Server Hardening
● Optimizing Spam and Virus Scanning
● Optimizing Outbound Message Transfer
Internet Mail Connectivity (Inbound and Outbound Message Transfer)
Figure: North America: ADSITE_REDMONDEXCHANGE (8 Hub Transport servers with antivirus) behind the Redmond perimeter (3 Edge Transport servers) and the Silicon Valley perimeter (3 Edge Transport servers), both facing the Internet. Dublin: ADSITE_DUBLIN (3 Hub Transport with antivirus) behind the Dublin perimeter (2 Edge Transport, outbound). Singapore: ADSITE_SINGAPORE (3 Hub Transport with antivirus) behind the Singapore perimeter (2 Edge Transport, outbound). Sao Paulo: 1 Multi-role server.
Internet Mail Connectivity (Redundancy and Load Balancing)
● Multiple Hub Transport servers with Edge Transport servers
● All Hub Transport servers transfer outbound messages to local Edge Transport servers
● Edge Transport servers can transfer inbound messages to Hub Transport servers
● For inbound messages, DNS round-robin and MX records with preference value of 10
● Edge Transport servers in Europe and North America
Internet Mail Connectivity (Increasing Perimeter Network Security)
Figure: firewall ports between the Internet, the perimeter networks, and the internal Active Directory sites.
● Internet-facing firewall (Dublin perimeter: 2 Edge Transport (outbound); Singapore perimeter: 2 Edge Transport (outbound); Redmond perimeter: 3 Edge Transport; Silicon Valley perimeter: 3 Edge Transport)
  ● Outbound ports: SMTP: TCP 25; DNS: TCP/UDP 53; HTTP: TCP 80
  ● Inbound ports: SMTP: TCP 25
● Internal firewall (ADSITE_DUBLIN: 3 Hub Transport; ADSITE_SINGAPORE: 3 Hub Transport; ADSITE_REDMOND-EXCHANGE: 8 Hub Transport servers)
  ● Outbound ports: SMTP: TCP 25; Terminal services: TCP 3389; EdgeSync: TCP 50636
  ● Inbound ports: SMTP: TCP 25
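Added example (not the deck's firewall configuration): Python that encodes the port policy from the figure as an allowlist per zone pair and audits constructed flow records against it, flagging anything the figure does not permit. It assumes the figure's "outbound" on the internal firewall means internal to perimeter (Hub Transport initiates EdgeSync to the Edge server) and "inbound" means perimeter to internal; the host names and flows are constructed.

```python
"""Perimeter port policy from the figure, expressed as an allowlist, plus an
audit of flow records against it. Added example; host names and flows are
constructed, and the zone mapping is an assumption for illustration."""
from collections import namedtuple

Flow = namedtuple("Flow", "src_zone dst_zone proto dst_port")

# (source zone, destination zone) -> allowed (protocol, destination port).
ALLOWED = {
    ("internet", "perimeter"): {("tcp", 25)},                       # inbound SMTP
    ("perimeter", "internet"): {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 80)},
    ("internal", "perimeter"): {("tcp", 25), ("tcp", 3389), ("tcp", 50636)},  # SMTP, RDP, EdgeSync
    ("perimeter", "internal"): {("tcp", 25)},                       # inbound SMTP only
}

# Constructed zone map; hosts are named after the roles in the figure.
ZONE_OF = {
    "edge-redmond-01": "perimeter", "edge-dublin-01": "perimeter",
    "hub-redmond-01": "internal", "dc-redmond-01": "internal",
}


def zone(host):
    """Unknown hosts (public addresses) are treated as the Internet."""
    return ZONE_OF.get(host, "internet")


def is_permitted(flow):
    return (flow.proto, flow.dst_port) in ALLOWED.get((flow.src_zone, flow.dst_zone), set())


def audit(flow_records):
    """Return the records the policy does not allow.
    Each record is (src_host, dst_host, proto, dst_port); traffic that stays
    inside one zone is outside this policy and is skipped."""
    violations = []
    for src, dst, proto, port in flow_records:
        flow = Flow(zone(src), zone(dst), proto.lower(), int(port))
        if flow.src_zone == flow.dst_zone:
            continue
        if not is_permitted(flow):
            violations.append((src, dst, proto, port))
    return violations


# Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_FLOWS = [
    ("203.0.113.7", "edge-redmond-01", "tcp", 25),       # inbound mail to Edge: allowed
    ("hub-redmond-01", "edge-redmond-01", "tcp", 50636), # EdgeSync from Hub: allowed
    ("edge-redmond-01", "dc-redmond-01", "tcp", 389),    # LDAP from perimeter inward: not allowed
    ("edge-dublin-01", "198.51.100.9", "tcp", 443),      # HTTPS out of the perimeter: not allowed
    ("203.0.113.7", "hub-redmond-01", "tcp", 25),        # Internet straight to Hub: not allowed
]

if __name__ == "__main__":
    for record in audit(SAMPLE_FLOWS):
        print("policy violation:", record)
```

The third sample is the case the design is built to avoid: an Edge Transport server never needs to open connections into the internal network, because EdgeSync is initiated from the Hub Transport side.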
Internet Mail Connectivity (Server Hardening)
● Ports
● Services
● File Shares
● Accounts
● Security updates
Internet Mail Connectivity (Optimizing Spam and Virus Scanning)
● Connection-filtering configuration
  ● IP block-list, IP allow-list providers, and Sender Reputation Level
● Recipient-filtering configuration
● Content-filtering configuration
  ● Store SCL: 5
  ● Reject SCL: 7
  ● No delete or quarantine SCL
● Attachment-filtering configuration with Forefront Security
Internet Mail Connectivity (Optimizing Outbound Message Transfer)
● Built-in protection on SMTP connectors, including header firewall, tarpitting, backpressure, etc.
● One receive connector that faces the Internet and one send connector for transferring incoming e-mail to Hub Transport servers
● One receive connector faces Hub Transport servers for outbound messages
● Three send connectors for relaying outbound messages to Internet hosts
Deployment Planning
● Introducing Exchange Server 2007 into the Corporate Production Environment
● Verifying the Successful Integration of Exchange Server 2007
● Fully Deploying Client Access Servers in North America
● Fully Deploying Hub Transport Servers in North America
● Deploying Mailbox Servers in North America
● Introducing Edge Transport Servers in North America
● Deploying Forefront Security for Exchange Server 2007
● Deploying Exchange Server 2007 in Regional Data Centers
● Switching the Messaging Backbone to Exchange Server 2007
● Completing the Transition to Exchange Server 2007
Deployment Planning (Fully Deploying Client Access Servers in North America)
Figure: in the user tier, Office Outlook Web Access users with a mailbox on Exchange Server 2003 (/public/*, /exchweb/*) and users with a mailbox on Exchange Server 2007 (/exchange/*, /owa/*) all connect to the Client Access server. In Internet Information Services on that server, the Office Outlook Web Access authorization ISAPI passes requests either to the Office Outlook Web Access 2007 rendering and business logic (/public/*, /exchange/*; MAPI to the Exchange Server 2007 Mailbox server in the data tier) or to the Office Outlook Web Access 2003 proxy component (/public/*, /exchweb/*, /exchange/*; to the Exchange Server 2003 back-end server holding the mailbox and public folder).
Deployment Planning (Fully Deploying Servers in North America)
● Hub Transport role including SMTP connectors
● Mailbox role and user migration – at least 16,000 mailboxes before other deployment tasks
● Edge Transport coexistence and replacement
● Forefront Security
Planning and Design Best Practices
● Clearly define goals
● Design with production in mind
● Design for peak load days
● Test in lab environment
● Identify key risks
● Develop rollback and mitigation procedures
Server Design Best Practices
● Use multiple-core processors and design storage based on both capacity and I/O performance
● Use VSS-based backup
● Eliminate single points of failure
Deployment Best Practices
● Establish flexible and scalable messaging infrastructure
● Carefully plan URL namespaces
● Manage permissions through security groups
● Use fewest permissions necessary
● Use Forefront and multiple layers of protection
● Place Edge Transport servers in a perimeter network
● Use ISA Server 2006 to publish Client Access servers
Summary
● Messaging environment hosts 130,000-plus mailboxes with 500 MB and 2 GB quotas in 4 datacenters on 62 Mailbox servers
● 25 Client Access, 15 Hub Transport, 10 Edge, and 11 Unified Messaging servers
● Many cost reductions with transition to Exchange Server 2007
● Migration from SAN to DAS storage with Exchange Server 2007
● USBBs enable scaling up Mailbox servers
● Eliminated single points of failure
● Increased security and better filtering
Figure: Active Directory forests (Windows Legacy, Exchange Dev., Extranet, Windows Deploy., and the Corporate Forest), each with its own Exchange organization, and the Exchange Server 2007 deployment per region/data center (legend: Active Directory forest, Active Directory site, messaging connections). North America: ADSITE_REDMONDEXCHANGE with 31 Mailbox servers, 5 Public-folder servers, 16 Client Access servers, 8 Hub Transport servers with antivirus, and 7 Unified Messaging servers; Redmond perimeter with 3 Edge Transport servers; Silicon Valley perimeter with 3 Edge Transport servers; both perimeters face the Internet. Dublin: 15 Mailbox servers, 2 Public Folder servers, 6 Client Access, 3 Hub Transport with antivirus, 2 Unified Messaging, and 2 Edge Transport (outbound). Singapore: 15 Mailbox servers, 2 Public-folder servers, 4 Client Access, 3 Hub Transport with antivirus, 2 Unified Messaging, and 2 Edge Transport (outbound). Sao Paulo: 1 Mailbox server, 1 Multiple-role server, 2 Public-folder servers.
For More Information
● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
● Microsoft IT Showcase Webcasts: http://www.microsoft.com/howmicrosoftdoesitwebcasts
● Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
This document is provided for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2006 Microsoft Corporation. All rights reserved.
This technical white paper presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Active Directory, ActiveSync, Forefront, Outlook, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.