Archive for November 15th, 2010

Teched Europe 2010 Day 4

DirectAccess with UAG

DirectAccess (a remote access solution for Windows 7 and Windows 2008 R2)

It extends the corporate network to the client sitting on the Internet.

It creates two tunnels

The first is established pre-logon and communicates with the infrastructure servers (patch management, health checks and GPOs) in the corporate network.

The second tunnel is established when you log in. It provides network-level computer/user authentication and encryption.

Forefront UAG is a single entry-point for all remote access


It also extends Windows DirectAccess capabilities to IPv4 only servers

You can publish applications and reverse proxy with UAG

UAG Array

  • We can build arrays of up to 8 members (NLB)
  • One server acts as the Array Manager Server (AMS)
    • It propagates configuration to the other members


UAG DirectAccess Functions

  • Runs DirectAccess Wizard
  • Provides IPSec tunnel gateway to/from DirectAccess clients
  • Routes IPv6 traffic between clients and servers on the corporate network
  • Provides IPv6 over IPv4 tunnel end-points for internet clients
  • Can provide ISATAP router to support IPv6 over IPv4 for intranet
  • Can provide DNS64 and NAT64
    • Support IPv6 to IPv4 translation for IPv4 only internal resources


Planning is Essential

  • Identify DirectAccess clients
  • Identify servers to be available via the infrastructure tunnel
    • DCs, DNS, management servers, NAP servers etc.
  • Identify servers to be available to users via the intranet tunnel
  • Identify servers requiring end-point authentication/encryption
  • Choose name resolution options (anything for internal servers goes to internal DNS)
  • Design the network location server
  • Choose authentication enhancements
    • Smart card, NAP health certificates
  • Design PKI and issue the required certificates
    • Must include design for CRL distribution points
  • Design the internal IPv6 network connectivity
  • Design Active Directory subnets
  • Design UAG server array and placement requirements

Teched Europe 2010 Day 3

Microsoft Exchange Server 2010: High Availability Deep Dive (including changes introduced by SP1)

Quorum is central to Exchange HA, so we will start there:

Quorum

Dual Usage of Quorum:

  • Data shared between the voters representing configuration, etc.
    • Physical data located on DAG servers.
  • Number of voters required for the solution to stay running (majority).

Exchange 2010 uses only two of the four available cluster quorum modes:

  • Node majority
  • Node and file share Majority

It is essential for the DAG to function.

Witness

A witness is a file share on a server (witness server).

Needed for quorum decisions

One of the nodes locks witness.log; it is referred to as the locking node.

Only used by DAGs that have an even number of members (node and file share majority quorum mode)
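A worked model of the quorum rules above (an illustration added here in Python, not code from Exchange or the session): it counts voters under both modes the notes describe and reports how many members a DAG can lose before it loses quorum. The class and function names are my own.

```python
# Quorum arithmetic for an Exchange 2010 DAG. Constructed model for
# illustration, not Exchange or cluster-service code. Rules from the notes:
# an odd number of members -> Node Majority (members are the only voters);
# an even number -> Node and File Share Majority (the witness share adds one
# vote, cast by the locking node that holds witness.log). The DAG keeps
# quorum only while a majority of voters is reachable.
from dataclasses import dataclass


@dataclass(frozen=True)
class DagQuorum:
    members: int  # Mailbox servers in the DAG (Exchange 2010 allows up to 16)

    @property
    def uses_witness(self) -> bool:
        return self.members % 2 == 0

    @property
    def mode(self) -> str:
        return "Node and File Share Majority" if self.uses_witness else "Node Majority"

    @property
    def voters(self) -> int:
        return self.members + (1 if self.uses_witness else 0)

    @property
    def majority(self) -> int:
        return self.voters // 2 + 1

    def has_quorum(self, members_up: int, witness_up: bool = True) -> bool:
        """True if the surviving members (plus the witness, if counted) hold a majority."""
        # The witness vote needs a surviving member to lock witness.log.
        witness_vote = 1 if self.uses_witness and witness_up and members_up > 0 else 0
        return members_up + witness_vote >= self.majority

    def max_member_failures(self, witness_up: bool = True) -> int:
        """Largest number of members that can fail while the DAG still has quorum."""
        return max(n for n in range(self.members + 1)
                   if self.has_quorum(self.members - n, witness_up))


def survivability_report(max_members: int = 8) -> dict:
    """Map member count -> (mode, failures tolerated with witness up, with witness down)."""
    return {n: (DagQuorum(n).mode,
                DagQuorum(n).max_member_failures(True),
                DagQuorum(n).max_member_failures(False))
            for n in range(1, max_members + 1)}


if __name__ == "__main__":
    for n, (mode, with_w, without_w) in survivability_report().items():
        print(f"{n:2d} members  {mode:30s} tolerates {with_w} / {without_w} failures (witness up / down)")
```

The report makes the planning point concrete: a four-member DAG survives two member failures only while the witness server is reachable, and a two-member DAG survives none if the witness is down.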

Witness server

No pre-configuration typically necessary

  • Exchange Trusted Subsystem must be a member of the local Administrators group on the witness server if the witness server is not running Exchange 2010

Must be in the same Active Directory forest as the DAG

Can be Windows Server 2003 or later

  • File and Printer sharing for Microsoft Networks must be enabled

Replicating witness directory/share with DFS not supported

Not necessary to cluster Witness Server

  • If you do cluster the witness server, you must use Windows Server 2008

Single witness server can be used for multiple DAGs

  • Each DAG requires its own unique directory/share

DAG networks

Used for multi-subnet DAGs

A DAG network is a collection of subnets

There are two types of DAG networks:

  • MAPI Network – Connects DAG members to network resources (Active Directory, other Exchange servers, DNS). The default gateway is configured here.
  • Replication Network – Used for/by continuous replication only (log shipping and seeding)

DAG networks are automatically created when a Mailbox server is added to the DAG

DAG Networks include built-in encryption and compression

  • Encryption: Kerberos SSP EncryptMessage/DecryptMessage APIs
  • Compression: Microsoft XPRESS, based on the LZ77 algorithm

(30% less on the wire when using compression)

Active Manager (the brain of Exchange HA)

  • New in 2010
  • Manages *overs (switchovers and failovers)
  • Runs on every server in the DAG
  • Selects best available copy on failovers

Active Manager is code that runs inside the cluster service (it is not a separate service)

  • The Active Manager client runs on CAS and HUB servers
    • Failover can be performed in 30 seconds or less; that is why the state is not stored in AD, where replication can take up to 15 minutes.
  • PAM holds the default cluster group

Best copy selection

  • Active Manager selects the “best” copy to become the new active copy when the existing active copy fails
  • Behavior difference between RTM and SP1
    • The list of potential passive copies is sorted differently when AutoDatabaseMountDial is set to Lossless


Improvements in Service Pack 1 (replication and copy)

Continuous replication changes

  • Block mode (shipping log blocks during replication)
    • Enhanced to reduce data loss
    • Eliminates log drive as single point of failure
    • Automatically switches between modes
      • File mode
      • Block mode

Relocate and distribute load scripts

  • RedistributeActiveDatabases.ps1

DAG maintenance scripts

  • StartDagServerMaintenance.ps1

Exchange Management Console enhancements in SP1

  • Manage DAG IP addresses
  • Manage witness/directory and
