562 Networks

New to Exchange 2010 is the Exchange Control Panel, or ECP.  This is a component of Outlook Web App 2010 where an administrator can sit in their OWA screen and not only check their emails, calendar appointments, and contacts, but can perform administrative tasks.  So instead of the administrator having to find a computer and terminal server remote into a system to add a user, delete a user, make configuration changes in public folders, delegate administration or the like, the administrator can now run those tasks straight within OWA 2010.

 

The ECP is primarily targeted to be used by

End users—Personnel granted the authority to self-manage aspects of their accounts such as the ability to track messages they have sent and received, create and manage distribution lists, or edit aspects of their personal account information.

Hosted tenants—Tenant administrators for hosted customers.

Specialists—Personnel such as Help Desk operators, Department Administrators, and eDiscovery Administrators who have had the appropriate level of access delegated by administrators.

 

The ECP can be accessed through Outlook Web Access 2010 by logging into OWA and selecting the Options link. It can also be accessed directly via a URL which, by default, is located at   https://CASServerName/ecp

 

The Exchange Control Panel (ECP) is a web-based management console that can be accessed from web browsers that have no Exchange specific client-side software installed. It can be accessed from the same Internet browsers that are support the Outlook Web Access premium client—Internet Explorer 7+, Mozilla Firefox, and Apple Safari 3+. This AJAX-based application is built into the Client Access Server role in an Exchange environment and, although it shares some code with OWA, it is a separate application.

 

It is important to note the Exchange Control Panel is RBAC-aware, meaning that administrative options are available only to those who have the appropriate permissions to utilize them.  ECP can show a user logged in with full administrative access several administrative tasks (note the Select What to Manage option in the top-left corner and the Manage your Organization option in the bottom-right corner) which shows the same interface as viewed by a standard user.

By default, the standard user does have the ability to self-administer his account, as shown by the Edit link that when clicked allows the user to modify his Account Information. This default ability can be removed (or limited to certain fields only) using RBAC. For example

• If a user has been restricted from message tracking, that button does not appear in the ECP.
• If a user can edit mailboxes, but not create new ones, the New mailbox button will not display, but the Details button does.
• If users are allowed to edit their department but not their display name, the display name is visible but grayed out and read-only.

After an administrator elects to manage My Organization, the four main components of the Exchange Control Panel display, as shown in 18.6. These components are:

• UI Scope Control—At the top of the screen, identified by the text stating “elect What to Manage (and the drop-down box beside it), the UI Scope Control enables those with the appropriate RBAC permissions to select whether they want to manage themselves, their organization, or another user.
• Primary Navigation Panel—To the left of the screen is the Primary Navigation panel, enabling the administrator to select which area of administration she wants to work with.
• Secondary Navigation Panel—Next to the Primary Navigation Panel and identified by icons in the figure labeled Mailboxes, Groups, External Contacts, and so on, is the Secondary Navigation Panel, which enables the user to further specify the area to administer.
• The Slab—At the bottom of the pane, identified in the figure by the list of Display Names and E-mail addresses, is the slab  the list of items that can be administered based on the preceding selections.

Creating a New Mailbox in the Exchange Control Panel

Creating a new mailbox in the Exchange Control Panel is so easy that it’s hardly worth the time to explain it. However, because the ECP is brand new, this section runs through the process to show how quick and easy it is.

 

To create a new mailbox user in the Exchange Control Panel, perform the following steps:

1. Log in to the OWA server with administrative credentials.
2. From the OWA page, select Options.
3. Select Manage Your Organization.
4. Ensure My Organization is selected in the UI Scope Control, Users & Groups is selected in the Primary Navigation Panel, and Mailboxes is selected in the Secondary Navigation Panel.
5. Click the New Mailboxes icon.
6. On the New Mailbox page, enter the information for the new account. Those marked with asterisks (*) are required fields. An example of the New Mailbox page
7. When finished, click the Save button.

The ECP passes the information on to the CAS server, which, in turn, uses Remote PowerShell commands to perform the actual operation and create the account.

 

Creating Distribution Groups in the ECP

New in Exchange Server 2010 is the ability to create and manage distribution lists from within the Exchange Control Panel web interface.

 

Before we discuss the process, there are a few items to note:

• Although both Mail Universal Distribution Groups and Mail Universal Security Groups are visible from within the ECP, there is no noticeable differentiation between the two.
• All distribution groups created from within the ECP are created as Mail Universal Distribution Groups; there is no option to create a security group.
• Dynamic Distribution Groups are not visible from within the ECP, nor can new ones be created there.

To create a new distribution group in the ECP, perform the following steps:

1. Connect to the ECP by logging into OWA as an administrator and selecting the Options page, clicking Manage Your Organization, and selecting the Groups icon. Alternatively, you can go directly to https://{CAS server name}/ecp and authenticating through OWA.
2. Under Groups, click the New button.
3. In the New Group window complete the following fields:

• Display Name—(Required)—This name must be unique in the domain. This is the name that displays in the address book and on the To: line when mail is sent to the group. The display name should be user-friendly to help people recognize the purpose or membership of the group
• Alias—(Required)—This is the name portion of the e-mail address that appears to the left of the @ symbol. The alias must be unique in the domain and, because it is part of the e-mail address, cannot contain any spaces.
• Description—(Not Required)—This description populates the Notes field for the object. This descriptive name can be viewed by employees who view the properties of the distribution list. If populated, the field should describe the purpose or membership of the group.
• Ownership—(Required)—Owners can add members to the group, approve or reject requests to join, and approve or reject messages sent to the group.

By default, the person creating the group is added as a group owner. If an administrator creates the group at the request of an employee, the administrator can add the employee as an owner and then remove herself.

• Membership—(Not Required)—By default, all group owners are added as group members. If this behavior is not desired, deselect the check box for this option. Add or remove members to the group as desired.
• Membership Approval—(Required)—New to distribution groups in Exchange Server 2010 is the ability for users to self-manage their distribution lists, joining those that interest them and leaving those that don’t.

During the creation of the distribution group using the ECP, the following options are available:

• Owner Approval—Open—Anyone can join the group without being approved by the group owners.
• Owner Approval—Closed—Members can be added only by the group owners. All requests to join will be rejected automatically.
• Owner Approval—Owner Approval—All requests are approved or rejected by the group owners.
• Group Open to Leave—Open—Anyone can leave the group without being approved by the group owners.
• Group Open to Leave—Closed—Members can be removed only by the group owners. All requests to leave will be rejected automatically.

After all fields have been populated and all options selected, click Save to create the distribution group.

 

 

 

 

By integrating the two applications, users can simply go to OWA 2010 to get their email, calendar appointments, contacts, etc as they normally do, AND they can also see who in their IM list is online and initiate instant messaging conversations straight from within OWA.

The pre-requisites for this capability is to obviously be running Exchange 2010 with Outlook Web App 2010, and you need to be running OCS 2007 R2.

For this configuration to work, there are four high-level steps needed:

Properly Configure the Exchange 2010 Client Access Server.

Properly Configure the OCS 2007 R2 Server.

Modify Windows Firewall on the Client Access Server.

Confirm User Configuration.

Configuring the Exchange Client Access Server

There are five steps that must be taken to configure the Exchange Server 2010 Client Access Server:

1. Download and install the “Microsoft Office Communications Server 2007 R2 Web Service Provider” on your Exchange 2010 CAS server (this adds special DLLs and configuration files needed to link OWA 2010 to your OCS 2007 R2 environment)

2. Gather Information about the certificate used by the Client Access Server.

3. Edit the OWA Web Config file.

4. Enable OCS Integration.

5. Restart Internet Information Services.

Step 1:- Downloading/Installing the OCS 2007 R2 Web Service Provider Files

Download and install the “Microsoft Office Communications Server 2007 R2 Web Service Provider” from Microsoft http://www.microsoft.com/downloads/details.aspx?FamilyID=ca107ab1-63c8-4c6a-816d-17961393d2b8&displaylang=en and install this update on your Exchange 2010 CAS server (this adds special DLLs and configuration files needed to link OWA 2010 to your OCS 2007 R2 environment)

Step 2: Gather Certificate Information

The Client Access Server needs to use a certificate that is trusted by the OCS server. Effectively, you should be able to sit on the CAS server, run Internet Explorer, and access Communicator Web Access (CWA) and be able to logon to CWA with a user account without any certificate errors. If you sit on the OWA server and access CWA and you get an error that the certificate is not trusted, then you need to add the RootCA of the CWA certifcate to your “Trusted Root Certificates” on the OWA server, effectively letting the OWA server know that the CWA is a trusted server. If you get any CWA errors from a browser as a CWA user sitting on the OWA server, then the link between CAS and OCS won’t work.

NOTE: To simplify the configuration, the certificate used by the Client Access Server should be issued by the same Issuer as the certificate used by OCS 2007 R2.

Assuming you have no errors running CWA from the CAS server, then using Exchange PowerShell, gather certificate information of the Exchange Server by running the following command:

Get-ExchangeCertificate | fl

(The last character of the command is an L, not a one.)

Sample Output, with only relevant information shown:

IsSelfSigned : False

Issuer : CN=ca1, DC=companyabc, DC=com

SerialNumber : 71652G3R00000000001A

Services : IMAP, POP, IIS, SMTP

Status : Valid

Subject : CN=e2010w2k8

Locate the certificate that will be used and make note of the following information:

Issuer of the certificate
Serial Number assigned to the certificate
Subject of the certificate
Document this information for use in later steps.

Step 3: Edit the OWA Web Config File

On the Client Access Server, navigate to the following directory:

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OWA

Open the web.config file using Notepad and perform the following steps:

1. Search for OCS (IM) Server Name. You see the following three entries:

 

 

 

2. Populate the server name:

In the

 

3. Populate the Certificate Issuer:

In the

 

4. Populate the Certificate SerialNumber:

In the

 

Important: You must manually add spaces in the Serial Number string to separate each octet or the system cannot locate the certificate.

5. Save and close the Web.config file.

Step 4: Edit the OCS Integration

To enable the OWA Virtual Directory to use OCS IM integration, from Exchange PowerShell, type the following command:

Get-OwaVirtualDirectory -server SERVERNAMEHERE Set-OwaVirtualDirectory –InstantMessagingType 1

Step 5: Restart Internet Information Services

Although the preceding changes should be detected automatically, administrators might need to restart IIS on the Client Access Server. However, doing so can cause any current OWA sessions to be logged off, so care should be taken.

From the command prompt on the Client Access server, issue the IISRESET command to restart the services.

Configure the OCS Server

The Exchange Server 2010 OWA IM integration component is implemented as an OCS 2007 end-point. For the integration component to sign in to OCS 2007 R2, the OCS server must be configured to trust the Client Access Server.

This is accomplished by adding the Exchange Client Access Server as a trusted server on the OCS 2007 R2 front end. To do so, perform the following steps:

1. While logged in as an OCS administrator, start the OCS Management Console by selecting the following:

Start\All Programs\Administrative Tools\Office Communicator Server 2007 R2

2. Navigate to the OCS 2007 R2 Pool. Right-click the OCS Pool name and select Properties; then select Front End Properties

3. Click on the Host Authorization tab; then click the Add button.

4. In the Add Authorized host window

Select the FQDN radio button.

Type the name of the Client Access Server, basically what you type in to run OWA, such as owa.companyabc.com (note: you could use the IP address button instead of the FQDN button but this is less secure as it does not rely on certificate authentication, so use the name you use to access OWA externally as that’ll likely use https SSL security and will work)

Select (checkbox) the following options: Treat as Authenticated and Throttle as Server.

5. Click OK to save the configuration changes.

6. To allow changes to take effect immediately, stop and restart the OCS front-end services; note that doing so will disconnect any active users.

Note: If you install OCS 2007 R2 on Windows 2008 R2, you have to download a hotfix for UcmaRedist.msi; UcmaRedist.msp from the Microsoft Office Communications Server 2007 R2 Hotfix KB 968802. If you don’t, everything works except IM communication back to OWA, you would receive an Error id: 504. With UcmaRedist.msp installed, the issue is resolved. {this point added Dec 5, 2009 thanks to input from Jahad Suboh who commented on my blog to add this point of additional accuracy!}

Troubleshooting the Installation

Next are a few troubleshooting steps that can assist with some of the more common problems encountered with Exchange/OCS integration.

Configuring the Firewall on the CAS Server

If the Client Access Server has the Windows Firewall enabled, it might need an exception to enable OCS 2007 R2 to communicate with it. To create the exception, perform the following steps:

1. From the Control Panel, open Windows Firewall.

2. On the left side of the Windows Firewall window, click .“Allow a Program Through Windows Firewall.

3. Click Add Program; then click Browse.

4. Browse to C:\Windows\System32\inetsrv and select w3wp.exe.

5. Click Open and then click OK twice to apply changes and close the window. Be sure to perform this step on all CAS servers with IM integration enabled.

User Configuration

Before the user community can utilize the IM features, they must be “provisioned” for Office Communications Server R2 and must be enabled for Enhance Presence. When the user is initially enabled on OCS 2007 R2, he will automatically be enabled for Enhanced Presence.

Users must also have a valid SIP proxy address for the OWA IM integration component to enable the IM Integration UI.

Instant Messaging Not Available

When attempting to view the Instant Messaging contact list, a user might receive a notification that states:

Instant Messaging Isn’t Available Right Now. The Contact List Will Appear When the Service Becomes Available.

If this occurs, perform the following steps:

1. Using the same user account, confirm that you can access the IM services using the Office Communicator 2007 R2 client.

2. If functional, confirm that the OCS Server name is properly entered in the Web.Config file of the CAS server.

3. Also confirm the configuration of the Authorized Hosts option on the OCS pool contains all IM Integrated Client Access Servers.

OWA Certificate Error

If OWA cannot locate the certificate, an error stating The Local Certificate Specified Was Not Found in the Store for the Local Computer appears.

In this case, confirm that the value of the OCSCertificateIssuer and OCSCertificateSerialNumber fields in the Web.Config file are correct. Also ensure that there are blank spaces between every two characters in the serial number to separate octets in the string.

The preceding procedures were taken (AND Updated 12/3/2009) from my book “Exchange 2010 Unleashed” from Sams Publishing where I cover, in 1300-pages, everything on Exchange 2010 from architecture planning to migrations from Exchange 2003 and 2007 to securing Exchange 2010 to the latest in administration, management, high availability, and recoverability

My next post will be on the Exchange Control Panel component of Outlook Web App 2010 that provides administrators the ability to perform administrative tasks like adding users, disabling users, configuring public folders, etc right from the OWA 2010 screen.

The release-to-manufacturing (RTM) buzz around Microsoft Exchange 2010 is starting to grow louder. I’m hearing from various partners and customers it could be finalized any time now, maybe even before this month is up.

Exchange Server is directly and indirectly at the crux of a number of new and recently announced products from Microsoft. The company’s Mac Business Unit announced on August 13 that the 2010 version of Mac Office will include Outlook, rather than Entourage, as its new e-mail client. The next Mac Office release also will feature improved Exchange and Exchange Online connectivity, the Softies said. (Microsoft Mac Office customers who need better Exchange connectivity now can use the just-finalized Entourage Web Services, Microsoft officials said.)

Additionally, Exchange ActiveSync licensees Nokia and Apple are both expected to tout the ability of users to sync with their corporate mail systems as part of their forthcoming Nokia Mobile Office and Apple Snow Leopard releases.

As many as 1 million testers have been test-driving the public beta version of Microsoft’s on-premise Exchange Server 2010 product since April of this year. Another 5 million or so testers have been working with the cloud-based complement in the form of Outlook Live, which is a slightly modified version of the Exchange Online product.

The Exchange team has said to expect the product to RTM before the end of 2009. More recently, company officials said to expect Microsoft to “launch” Windows Server 2008 R2, Windows 7 and Exchange 2010 together via a series of “business launch” events, which kick off in the U.S. on November 9.

The Exchange 2010 release includes new, integrated e-mail archive functionality; the ability to see text previews of voice mail; a new “Conversation View” feature; customizable call-routing menus; and a “MailTips” feature designed to help stamp out e-mail “faux pas.”

More than a few testers report having been impressed with the Outlook Web Access (OWA) improvements that Microsoft has made as part of the 2010 release. The new and more robust OWA supports Firefox and Safari.

Exchange 2010 is a 64-bit-only release. Other caveats: Users who want to run Exchange 2007 and Exchange 2010 together must upgrade to Exchange 2007 Service Pack (SP) 2. And Exchange 2007 also won’t work at all on Windows Server 2008 R2, so users who want to run Exchange on the latest and greatest Windows Server release have no choice but to upgrade to Exchange 2010. In-place upgrades from Exchange 2007 to Exchange 2010 seemingly are prohibited.

I asked Microsoft officials whether Exchange 2010 is ready to get the RTM designation real soon now. A corporate spokesperson replied: “We have said that Exchange 2010 will become available in the second half of 2009. There’s nothing additional to share at this point.”

After postponing the development of one data center and losing a couple of high-level managers in its data center group, Microsoft said it will soon open new facilities in Dublin, Ireland, and Chicago.

The data centers will support Microsoft services such as its new search offering, Bing, and Azure, its cloud computing platform.
The Dublin facility, to open on Wednesday, will be the largest for Microsoft outside of the U.S. It covers 303,000 square feet and uses outside air to cool the facility, for power consumption savings.

The Chicago facility, scheduled to open July 20, will be more than twice as large, covering 700,000 square feet. Two-thirds of the center will be able to accommodate servers in containers. In some data centers, Microsoft has started using standard shipping containers loaded with 1,800 to 2,500 servers, because it can save on electricity by cooling just the containers rather than the whole facility.

The openings come after Microsoft announced earlier this year that it would put a planned Iowa data center on hold. It also delayed the openings of the Chicago and Dublin facilities.

At the time, the company optimistically described the Iowa postponement as a result of successful efforts to improve efficiency of data center operations elsewhere.

But in fact Microsoft may have put off construction after discovering that growth in hosted services has been lower than it may have expected. Revenue in Microsoft’s online services group during the quarter ending March 31 dropped to $721 million from $843 million in the same quarter last year.

Microsoft is not alone in reining back its data-center expansion plans during the recession. Google late last year decided to delay building a facility it planned in Oklahoma.

Microsoft has also lost a couple of well-known leaders in its data center group. In April, Michael Manos, the general manager of the data center services division, left to take a job at wholesale data-center provider Digital Realty Trust. Late last year, James Hamilton, another respected data center engineer, left Microsoft to join Amazon Web Services

Will Google Chrome OS be the undoing of Windows? For the past two decades, the biggest threat to Microsoft has been that someone would create a new consumer operating system, popularize it, and then grow the new OS to challenge Windows on all fronts. That is what I told Microsoft execs on numerous occasions over many years. I encouraged them to build a modern operating system that could eventually replace Windows. Instead, they built Windows 2000, XP, and Vista. Of the three, I actually liked Windows 2000 the best.

If Microsoft had taken my advice and started fresh, they might not have Google kicking them around today.
Apple understood when its OS reached a dead end, and responded masterfully with Mac OS X. Microsoft continues behaving as though the Windows highway is endless.

Windows customers deserved a totally new replacement OS a decade ago. Fearing market confusion that would create a competitive opening, Microsoft went ahead and confused the market anyway. They just didn’t do it with a great, all-new OS. We got more Windows, built atop Windows, built atop, well, DOS.

Google’s announcement of its Chrome desktop OS should come as no surprise, particularly in Redmond. There have been signs pointing in this direction for several years. What Google lacked was a hardware platform where Microsoft was at some sort of a disadvantage.

Android, primarily for smartphones, was the first salvo in the battle, launched against Windows Mobile. Chrome OS will use Microsoft’s need to (now) almost give netbook operating systems away to defend share, while still charging full price for the same OS running on a laptop, as a wedge.

I have changed my thinking a bit and no longer believe Google will have to challenge Windows across the entire computing marketplace to succeed. Google is betting on a new, web-driven, connected computing model that plays to its strengths and is, essentially, is a place that Microsoft isn’t. At least not right now.

If Google can find success on netbooks and other consumer/personal devices, I think the business desktop/laptop market may, over time, take care of itself and head in Google’s direction. By then, of course, it is likely to be Microsoft’s direction, too.

I wanted to touch base again on the best way to pass your IT exams. For example I have my 3rd of 5 exams coming up for CCSP soon. 1st I buy the actual exam books and read the whole book doing the tutorial’s at the end of each book. Then Since I have the hardware I get good with the hands on. Then I buy this software which helps you prepare for the exam and for the 8th time in a row I pass atleast 90% of the exam with flying colors.