Microsoft hosted its annual Ignite conference in Orlando this September. Ignite was massive at 1,610 sessions. That is a lot of sessions! For the first time ever, Microsoft live-streamed most of its sessions. Not just the keynotes! You can find the on-demand sessions at the Microsoft Tech Community. Here are the top 15 sessions I think every Exchange admin should watch.
Tip: I have included extensive notes for each session and the time each topic starts. You can expand the session notes under each video by clicking “Show more session notes”
Welcome to Exchange Server 2019
In this session, Greg Taylor and Brent Alinger discuss all the new features shipping in Exchange 2019. They also discuss features that have been discontinued and the system requirements for Exchange 2019.
- Current state of Exchange Online (1:05 mins)
- Office 365 revenue 38% YoY growth
- Office 365 seats 29% YoY growth
- 135 million users in Office 365
- Outlook mobile on >100 million devices
- 94% of Fortune 500 have Office 365
- Exchange 2019 only available via volume licensing (3:30 mins)
- Changes to Exchange development (4:20 mins)
- Exchange on-prem & Exchange online were developed in tandem using the same code
- Exchange on-prem code moved to its own code branch & will be independent of Exchange online
- Discussion on cumulative update schedule going forward
- Unified Messaging removed from Exchange 2019 (10:40 mins)
- UM functions have been removed
- Migrating a UM-enabled mailbox to Exchange 2019 will UM-disable that mailbox
- Recommend replacement is Cloud Voice Mail which can still store voice mail in Exchange mailboxes via EWS or SMTP
- If you need Unified Messaging:
- Move all mailboxes to Office 365
- Migrate to Skype for Business Server 2019 & utilize Cloud Voice Mail
- Stay on Exchange 2016
- Deploy a 3rd party voice mail solution
- For more information see BRK3229 – Everything you need to know about Skype for Business Server
- Unified Messaging Migration scenarios for Exchange 2019 (15:30 mins)
- Exchange 2013 or 2016 + Skype for Business
- Migrate to Skype for Business Server 2019
- Enable Cloud Voice Mail
- Migrate to Exchange Server 2019
- Exchange 2013 or Exchange 2016 + 3rd Party PBX
- Implement a 3rd party voice mail solution
- Migrate to Exchange Server 2019
- Note: Due to the discontinuation of Session Border Controllers, 3rd party PBX systems cannot use Cloud Voice Mail.
- Exchange 2013 or 2016 + Skype for Business
- Vision for Exchange 2019 (17:30 mins)
- Exchange Server 2019 requires Windows Server 2019 (19:20 mins)
- Windows Server 2019 available in October
- Exchange Server 2019 supports Server Core (20:15 mins)
- Microsoft recommends server core for improved performance, smaller attack surface & smaller disk footprint.
- Exchange 2019 can still be installed on an OS with a GUI.
- Exchange 2019 will only use TLS 1.2 (23:15 mins)
- RC2, RC4, DES, 3DES, MD5 & SHA disabled during install
- Preference for elliptic curve key exchange
- Exchange will use forward key secrecy
- EHLO Blog: Getting ready for TLS 1.2
- Exchange RAM requirements (25:55 mins)
- Max supported RAM = 256 GB
- Mailbox role min RAM = 128 GB (2016 was 8 GB)
- Edge role min. RAM = 64 GB (2016 was 8 GB)
- Max processor count = 48 cores (2016 was 24)
- Search changes in Exchange 2019 (29:35 mins)
- Big Funnel (powered by Bing technology) replaces Fast Search
- Indexes now stored in the DBs (in each mailbox)
- No more potentially huge index files that can become unhealthy
- Index health no longer an issue for DB failovers or switchovers
- DB log shipping includes the indexes
- Outlook 2019 in cached mode will attempt to pull search results from the server (not locally)
- For more information see – BRK3130 Email search in a flash! Accelerating Exchange 2019 with SSDs (notes and session below)
- Storage (and MCDB) in Exchange 2019 (32:50 mins)
- Exchange 2019 can optionally leverage a MetaCache Database (“MCDB”) which is stored on SSD
- MCDB allows for:
- Faster logons
- Faster search
- Faster retrieval of very small items
- MCDB caches 10% of key data from a DB including:
- Index data
- Mailbox folder structure
- Very small items
- If the SSD or MCDB were to fail all requests will be served directly from the mailbox DB on the spindle disk
- Sizing for MCDB
- Regardless of whether you deploy MCDB or not, your spindles must always meet the IOPS requirements for your users
- All servers must have the same spindle & SSD layout
- Spindle disk to SSD should be 3:1
- To plan for SSD storage take 5-6% of your total spindle storage
- Brent’s example
- 15 spindle disks = 5 SSDs
- 15 spindle disks at 10 TB each = 150 TB of mailbox storage
- 5-6% of 150 TB = 10 TB of total MCDB storage
- 10 TB = 5 SSDs at 2 TB each
- Code optimizations (45:00 mins)
- No more UM code
- No more UM language packs to install
- Exchange 2019 DVD size reduced by 20%
- This results in:
- Faster installs
- Fewer files and disk usage
- Improved security
- Reduced surface area
- Dynamic Database Cache (46:25 mins)
- Memory allocation between active & passive DB copies optimized
- Active copies get more memory and cache than passive copies
- Performance gains from MCDB & Dynamic Database Cache (49:30 mins)
- 20% more users per server
- Latency cut by 50% for many client/server operations
- Client Access Rules in Exchange 2019 (51:15 mins)
- This restricts who can access the Exchange Admin Center & Exchange Management Shell
- For example, allows the Exchange Admin Center to be restricted externally
- Exchange 2019 should be the front-end for all client communications
- Administrator mailboxes must be on Exchange 2019 to leverage these rules
- This restricts who can access the Exchange Admin Center & Exchange Management Shell
- Remove-CalendarEvents (54:10 mins)
- Exchange administrators can cancel meetings (not appointments).
- This is particularly useful to cancel a meeting from an organizer who has left the company
- Outlook default option for recurring meetings now configures an end-date rather than no-end-date (57:00 mins)
- Do Not Forward Meetings (57:20 mins)
- Do Not Forward can now be set on meetings created in OWA.
- Meeting attendees in OWA will see a banner stating Do Not Forward is enabled & Forward option is greyed out in the menu.
- Exchange transport enforces the Do Not Forward settings so all Outlook clients honor this setting
- All other Outlook clients will receive an NDR if they attempt to forward a Do Not Forward meeting
- New Out of Office (OOF) options in OWA (1:00:20 mins)
- Automatically decline meeting invites received during the OOF
- Clear existing meetings during the OOF
- Mark the user’s calendar as blocked during the OOF
- Email Address Internationalization (1:01:45 mins)
- Send/receive messages to/from non-English email addresses such as:
- Latin
- Greek
- Chinese
- Japanese
- Cyrillic
- Hindi
- Adding EAI proxy addresses or accepted domains in Exchange is not supported
- Send/receive messages to/from non-English email addresses such as:
- Exchange 2019 system requirements (1:03:00 mins)
- Windows Server 2019
- .NET Framework 4.7.2 (preinstalled with Windows Server 2019)
- Forest functional level of Server 2012 R2
- 128 GB minimum RAM (64 GB for Edge)
- Minimum coexistence is Exchange 2013
- For more information see – Exchange Server System Requirements
- Future plans & roadmap (1:05:15 mins)
Hybrid Exchange: Making it easier and faster to move to the cloud
In this session, Jeff Kizner discusses all the advancements coming to Exchange hybrid. Topics include:
- Future vision for hybrid (3:30 mins)
- Administration challenges (6:00 mins)
- Organization Configuration Transfer (“OCT”) (7:30 mins)
- Version 1 released June 2018
- Performs a one-time transfer of the following objects (and skips any named policy if it exists in the tenant already):
- Retention policy
- Retention policy tags
- OWA mailbox policy
- Mobile device mailbox policy
- ActiveSync mailbox policy
- Jeff demos OCT Version 2 (9:00 mins)
- Hybrid key acquisition built into the hybrid configuration wizard (“HCW”)
- Tip: Pressing F12 in the HCW gives you easy access to logs & PowerShell
- Version 2 grants the administrator the ability to resolve conflicting policies
- Rollback_OCT script available in the logging folder.
- This gives you the PowerShell to reverse changes made by OCT
- Version 2 adds the following objects into one-time transfer:
- DLP policy
- Organization configuration
- ActiveSync device access rules
- ActiveSync organization settings
- Malware filter policy
- Policy tips
- Address lists
- Demo of the new Hybrid Agent (24:15 mins)
- Designed to establish hybrid with zero inbound connections from the cloud (no firewall, DNS, or, certificate changes required)
- Utilizes Azure App Proxy technology
- Demo of free/busy & MRS moves with Exchange on-prem not published over HTTPS 443
- Demo of the following configuration in Exchange Online
- Get-OrganizationRelationship shows TargetSharingEpr configured with a Microsoft owned endpoint (not your on-prem endpoint)
- Get-MigrationEndPoint shows RemoteServerAddress configured with a Microsoft owned endpoint (not your on-prem endpoint)
- Set-OrganizationRelationship with TargetSharingEpr can override the autodiscover configuration for intra-org sharing
- Hybrid Agent architecture overview (32:50 mins)
- Hybrid Agent installed on-prem & talks to Hybrid Proxy Service in the cloud
- Hybrid Agent only needs outbound HTTPS 443 for mailbox moves & HTTP 80 for CRL checks
- Each hybrid agent gets a unique Hybrid Proxy Service URL
- URL formed from a randomly generated GUID
- GUID can only be found in your on-prem logs or your Office 365 tenant
- GUID combinations are 2 power of 22
- Hybrid Proxy Service URL is locked down to just the Exchange Online IP addresses
- Currently available in private preview
- Hybrid Agent – Free/Busy lookups (36:05 mins)
- Free/busy lookups from on-prem to cloud go directly to the internet
- Free/busy lookups from cloud to on-prem use Hybrid Agent
- Hybrid Agent – Mailbox migrations (37:05 mins)
- Always uses the hybrid agent
- Jeff demos setup of the Hybrid Agent (37:20 mins)
- HCW asks if you want:
- Classic Hybrid – same hybrid we use today
- Modern Hybrid – automatically downloads & starts the Hybrid Agent install process
- Install process
- Download the agent
- Install the bits
- Register agent
- This generates a certificate for your tenant that can only be used by you
- Configure agent
- Certificate valid for 180 days
- Certificate auto rolled 30 days before expiration
- Private key is non-exportable
- Agent identifies a URL to use
- Validate agent
- Tests migration endpoint availability
- Complete configuration
- Set organization relationship (TargetSharingEpr, etc.)
- HCW asks if you want:
- Hybrid Agent Version 1 (43:40 mins)
- Supports hybrid free/busy and mailbox moves only
- Version 1 for new hybrid setups only
- Install 3 or more agents for high availability
- Dedicated servers not required (install the agent on existing Exchange servers)
- Hybrid Agent can be installed in DMZ but required HTTPS back to Exchange on-prem servers
- Hybrid Agent will auto-update
- Demo solving hybrid Send As with the Hybrid Agent (49:15 mins)
- Q&A from the audience (55:00 mins)
- Can we control the updating of the Hybrid Agent?
- Can we have a PowerShell version of the OCT?
- What is the scalability of the Hybrid Agent?
- Can RBAC be integrated into OCT & Hybrid Agent?
- How can I get rid of Exchange on-prem?
- Would the Hybrid Agent eliminate the need to keep Office 365 URLs & IPs up to date on our firewall?
- Does the Hybrid Agent support multi-forest?
- How does the Hybrid Agent work with organizational sharing of free/busy?
- When is the Hybrid Agent expected to GA?
- Do I still need a 3rd-party SSL cert for on-prem Exchange servers in hybrid?
- Will there be a path from classic to modern hybrid?
- Will the hybrid agent support multiple geographically dispersed migration endpoints?
- Are there any advantages to sticking with the classic hybrid?
- Is the private preview of the Hybrid Agent fully supported?
- Does the Hybrid Agent remove the requirement to publish Autodiscover on-prem?
- Will hybrid Send As work in multi-forest?
- Will hybrid Send As be available in the classic hybrid?
- Does the Hybrid Agent eliminate all DNS changes I need to make to go to Office 365?
Deploying Outlook mobile securely in the enterprise
In this session, Ross Smith IV discusses how to secure the Outlook mobile app for Exchange online and on-prem mailboxes using various technologies. Topics include:
- Current Outlook mobile connectivity model for online & on-prem (2:50 mins)
- Future Outlook connectivity model will consolidate all Outlook clients to just 2 protocols (5:10 mins)
- Proprietary and REST protocols to be replaced by Hx starting EOY
- Outlook Mac, Outlook Mobile & Windows 10 clients will all use Hx
- Removes the need of the stateless protocol translator
- Outlook Windows will continue to use MAPI/HTTP
- ADAL authentication for Exchange online & on-prem mailboxes (7:20 mins)
- Outlook mobile authentication explained (federated identity) (9:00 mins)
- Required for user-based certificate authentication
- Hybrid modern authentication (HMA) for on-prem mailboxes (11:55 mins)
- Outlook Mobile only makes connections to Exchange Online
- MRS syncs data between Exchange online and on-prem with ActiveSync
- Ability to lock down on-prem ActiveSync to IPs for AutoDetect & Exchange online
- Securing with Conditional Access (16:15 mins)
- Require Outlook mobile as the exclusive messaging client with conditional access (19:30 mins)
- Utilizes required approved client app
- Use two conditional access policies
- 1st policy matches either iOS or Android using modern auth and forces them to use Outlook mobile
- 2nd policy matches for ActiveSync using basic auth and forces them to use Outlook mobile
- In this config Exchange online will quarantine basic auth ActiveSync
- Sign-in conditional access (26:50 mins)
- Requires Azure Identity Protection
- Can block Outlook mobile access based on leaked credentials or suspicious sign-ins
- Possible action can force a password reset via SSPR
- InTune MDM (30:25 mins)
- Android for Enterprise (Android 5.0) is a container for corporate apps & data
- Isolates corporate and personal data
- InTune App Protection (35:25 mins)
- Protects the individual apps without enrolling the device
- Control access to app & data
- Controls movement of data
- Selective wipe of the app (by admin, user, or, offline interval)
- Corporate data encrypted independent of device-level encryption
- Personal or unmanaged data is untouched
- Application configuration policies (47:00 mins)
- Allows for the configuration & management of apps (e.g. Outlook mobile email account config)
- New Outlook mobile admin experience in InTune (52:00 mins)
- Securing data in Office 365 (53:30 mins)
- Lockbox (just in time) for Office 365 engineers
- TLS 1.2 encryption for data in flight
- BitLocker for data at rest
- Service encryption for data at rest in Exchange Online
- Azure Information Protection now Microsoft Information Protection (57:00 mins)
- Discover & classify sensitive data
- Apply protection (encryption, restriction, watermarks), governance (retention, deletion, archiving), and monitoring (alerts).
- Outlook mobile can set & see sensitivity labels
- Estimated release Q2 2019
- Demo on conditional access policies & user experience (59:00 mins)
