Forefront TMG 2010 Capacity Planning Tool


Version 1.0 of the Forefront Threat Management Gateway (TMG) 2010 Capacity Planning Tool has been released.

The tool helps you plan and size (or verify) a TMG 2010 configuration. Starting from any one of hardware configuration, number of concurrent users or bandwidth, it calculates the other two: the required hardware, the number of concurrent users that can be supported and the bandwidth requirements.

For its calculations the tool uses parameters such as the number of concurrent users and the features you want to enable on TMG. You can select the features yourself or use a preset, e.g. “Mail Protection” for using TMG as an anti-spam/anti-malware e-mail gateway. The calculator also supports load balancing and virtualization.

You can download the Forefront TMG 2010 capacity planning tool here.

Exchange 2010 Hub Transport Diagrams


I seem to have forgotten to blog these, and since many people are searching for them, here is a link to the Exchange 2010 architecture diagrams:

Unfortunately, the Exchange 2007 Component Architecture and Edge Transport diagrams haven’t been updated for Exchange 2010. For archival purposes, here are the links to the Exchange 2007 diagrams:

Exchange 2010 Throttling Policies


Note: Parts of the following information are based on Exchange 2010 SP1 Beta and subject to change in the final product.

Exchange allows clients to connect in many ways. All these connections, e.g. Outlook/MAPI, Exchange ActiveSync, Outlook Anywhere, OWA or POP3, are handled by the Client Access Server. With the improved scale-up capabilities of recent Exchange Server versions, meaning more users per server, the Client Access Server is expected to handle more and more connections without compromising performance or increasing response times.

In this regard recent Exchange versions already do a great job compared to their predecessors, but how do you guarantee that client resources remain available to meet these demands? This is where throttling policies come into play.

Throttling policies restrict the Exchange Server resources a client can use. The purpose of these restrictions is to make sure a client cannot bring down an Exchange Server or disrupt service for other clients, intentionally or unintentionally, by exhausting resources. Throttling therefore also helps to lower the impact of denial-of-service conditions, whether caused by a misbehaving client or by a deliberate attack.

Because the limit is enforced per client, and a client can connect to its mailbox simultaneously through different components, throttling policies are applied to mailboxes. By default the mailbox attribute ThrottlingPolicy is not set, meaning the default throttling policy is used. This policy is created during Exchange Server 2010 setup, is named “DefaultThrottlingPolicy_” followed by a GUID and contains the following settings:

[Output of Get-ThrottlingPolicy (SP1)]

You’ll notice that most MaxConcurrency parameters contain values while the other parameters don’t. Note that no value ($null) means the setting is unthrottled. Before going into detail on these settings, first a little background information.

As you can see, the policy itself is divided into several components (access methods, if you will). Most of these components are represented in the settings by their acronym:

Acronym    Component              Description                                                           Note
Anonymous  N/A                    Anonymous connections to a user’s calendar                            New in SP1
EAS        Exchange ActiveSync    ActiveSync connections to Exchange Server
EWS        Exchange Web Services  Exchange Web Services connections, including Unified Messaging users
IMAP       IMAP4                  IMAP4 connections to Exchange Server
OWA        Outlook Web App        Outlook Web App connections to Exchange Server
POP        POP3                   POP3 connections to Exchange Server
RCA        RPC Client Access      RPC Client Access (Outlook/MAPI) connections to Exchange Server
CPA        Cross Premise Access   Cross-premises connections to Exchange Server                         New in SP1

Each component can have one or more of the following parameters; which ones apply depends on the component (there are also some component-specific settings, which we’ll cover later on):

Parameter                Description
MaxConcurrency           Maximum number of concurrent connections per user. A connection lasts from the moment of the request until it closes or disconnects.
PercentTimeInAD          Percentage of a one-minute window a user may spend in Active Directory queries
PercentTimeInCAS         Percentage of a one-minute window a user may spend in Client Access Server requests
PercentTimeInMailboxRPC  Percentage of a one-minute window a user may spend in Mailbox server RPC requests

Note: Given this information, the values over 100 (%) for the PercentTimeIn... settings shown in the output above seem a bit odd. This looks like a Beta issue (the default values in RTM are $null, i.e. unthrottled).

Besides the common component/parameter combinations, there are also some component-specific settings (we’ll leave the PowerShell ones to your imagination, as they are of no use to ordinary users):

  • EASMaxDevices limits the number of active EAS partnerships per user;
  • EASMaxDeviceDeletesPerMonth limits the number of EAS partnerships a user can delete per month;
  • EWSMaxSubscriptions limits the number of active Push and Pull subscriptions a user can have per CAS server;
  • EWSFastSearchTimeoutInSeconds determines the timeout for EWS searches;
  • EWSFindCountLimit caps the number of items returned for EWS searches;
  • MessageRateLimit limits the number of messages a user can submit per minute;
  • RecipientRateLimit limits the number of recipients a user can address per 24-hour period;
  • ForwardeeLimit limits the number of recipients for Inbox forward/redirect actions.

Now, to put this to work, use Set-ThrottlingPolicy to modify an existing throttling policy or New-ThrottlingPolicy to create a new one. For example, to modify the default throttling policy and set the maximum concurrency for ActiveSync to 5, run the following in the Exchange Management Shell:

Get-ThrottlingPolicy | where {$_.IsDefault -eq $true} | Set-ThrottlingPolicy -EASMaxConcurrency 5

A more practical example is an environment where BlackBerry Enterprise Server (BES) is used. Because of the way BES interacts with Exchange Server (BES proxies the requests of all its clients through a single account), the default throttling limits may be reached, resulting in Outlook error messages, e.g. Outlook can’t open folders or items. The culprit in this case is RCA (RPC Client Access), with a default RCAMaxConcurrency value of 20. A solution is to create a separate throttling policy for the BES proxy account with no RCA limit and to apply that policy to the BES account’s mailbox (BESAdmin):

New-ThrottlingPolicy “BES Throttling Policy” -RCAMaxConcurrency $null
Set-Mailbox BESAdmin -ThrottlingPolicy “BES Throttling Policy”
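The following script is an added example and not code from the original post. It runs in the Exchange 2010 Management Shell and does three things around the policies discussed above: it creates the BES policy only if it does not exist yet (Get-ThrottlingPolicy with -Identity throws when a policy is missing, so the full list is filtered instead), it reports for every policy which limits are unthrottled ($null), and it lists the mailboxes that carry an explicit policy. Instead of $null it gives the BES policy a high numeric RCA ceiling; the number 200 is my placeholder, not a recommendation from the post, and the idea is that a ceiling still blocks a runaway account whereas $null removes that protection entirely. The set of limits inspected is my selection from the parameters described above.

```powershell
# Added example (not from the original post). Exchange 2010 Management Shell.
$besPolicyName = 'BES Throttling Policy'
$besMailbox    = 'BESAdmin'

# 1. Idempotent creation of the BES policy.
$bes = Get-ThrottlingPolicy | Where-Object { $_.Name -eq $besPolicyName }
if (-not $bes) {
    # Placeholder ceiling: size it for your BES user count. A number keeps some
    # DoS protection, $null (as in the post) removes the RCA limit entirely.
    $bes = New-ThrottlingPolicy -Name $besPolicyName -RCAMaxConcurrency 200
}
Set-Mailbox -Identity $besMailbox -ThrottlingPolicy $bes.Name

# 2. Limits where $null means "unthrottled" (my selection from the post).
$limits = 'EASMaxConcurrency', 'EWSMaxConcurrency', 'IMAPMaxConcurrency',
          'OWAMaxConcurrency', 'POPMaxConcurrency', 'RCAMaxConcurrency',
          'MessageRateLimit', 'RecipientRateLimit', 'ForwardeeLimit'

function Get-UnthrottledLimits {
    param([Parameter(Mandatory = $true)] $Policy)
    # $Policy.$_ reads the limit whose name is in $_ (dynamic member access)
    $limits | Where-Object { $Policy.$_ -eq $null }
}

foreach ($p in Get-ThrottlingPolicy) {
    $open = @(Get-UnthrottledLimits -Policy $p)
    $tag  = if ($p.IsDefault) { ' (default)' } else { '' }
    if ($open.Count -gt 0) {
        Write-Host ("{0}{1}: unthrottled -> {2}" -f $p.Name, $tag, ($open -join ', '))
    }
    else {
        Write-Host ("{0}{1}: all inspected limits are set" -f $p.Name, $tag)
    }
}

# 3. Mailboxes with an explicit (non-default) policy. Where-Object rather than
#    -Filter, because I do not rely on ThrottlingPolicy being filterable.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ThrottlingPolicy -ne $null } |
    Group-Object { [string]$_.ThrottlingPolicy } |
    ForEach-Object {
        $aliases = ($_.Group | ForEach-Object { $_.Alias }) -join ', '
        Write-Host ("{0}: {1} mailbox(es): {2}" -f $_.Name, $_.Count, $aliases)
    }
```

Run the audit part periodically: every mailbox that shows up in step 3 is an account for which the default denial-of-service protection has been loosened, and every "unthrottled" entry in step 2 is a limit a single account can drive to whatever the server tolerates. To revert the BES change later, run Set-Mailbox BESAdmin -ThrottlingPolicy $null, which puts the mailbox back on the default policy.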

Exchange Server 2007 SP3


Microsoft released Service Pack 3 for Exchange Server 2007. SP3 raises Exchange Server 2007 version number to 8.3.83.6.

The major change in this Service Pack is that it enables you to install Exchange Server 2007 on Windows Server 2008 R2. It also allows you to install the Exchange 2007 Management Tools on Windows 7.

Another nice addition is the new password reset tool for OWA users whose password has expired: no more fiddling with IISADMPWD in IIS on Client Access Servers. Enabling the password reset tool only requires creating or setting the following registry value on the CAS servers (it’s disabled by default):

HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA
ChangeExpiredPasswordEnabled (REG_DWORD) = 1
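As an added example (not from the original post or from Microsoft), the script below sets that value on a list of Client Access Servers through the remote registry, reads it back to confirm the write, and then restarts IIS on each server, which is how the TechNet procedure for this feature ends. The server names CAS01 and CAS02 are placeholders; the script assumes PowerShell 2.0 or later on the machine you run it from, the Remote Registry service running on each CAS and local administrator rights there. The key path and value name are the ones from the post.

```powershell
# Added example (not from the original post). Enables the OWA expired-password
# reset on several CAS servers via the remote registry and verifies the write.
$casServers = 'CAS01', 'CAS02'          # placeholder names
$subKeyPath = 'SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$valueName  = 'ChangeExpiredPasswordEnabled'

function Set-OwaExpiredPasswordReset {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,
        [int] $Enabled = 1                  # 0 switches the feature off again
    )
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Server)
    try {
        # CreateSubKey opens the key writable and creates it if it is missing
        $key = $hklm.CreateSubKey($subKeyPath)
        $key.SetValue($valueName, $Enabled, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Flush()
        # Read back: a silently failed write would leave the feature disabled
        $actual = $key.GetValue($valueName)
        $key.Close()
        return ([int]$actual -eq $Enabled)
    }
    finally {
        $hklm.Close()
    }
}

foreach ($server in $casServers) {
    if (Set-OwaExpiredPasswordReset -Server $server) {
        Write-Host "${server}: $valueName = 1, restarting IIS without forcing sessions off"
        # The TechNet procedure ends with an IIS restart so OWA picks the value up
        iisreset $server /noforce
    }
    else {
        Write-Warning "${server}: could not confirm $valueName, check Remote Registry and permissions"
    }
}
```

Keep the value at 1 only on the CAS servers that actually publish OWA: the feature adds a password-change path to the logon page, so it belongs on the internet-facing front end and nowhere else. Calling Set-OwaExpiredPasswordReset with -Enabled 0 reverses the change.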

More information on the new password reset tool can be found on TechNet here.

The Exchange Server 2007 SP3 Release Notes are available on TechNet here; the What’s New in Exchange Server 2007 SP3 topic is located here.

Note that the download contains the full set of binaries: you can use it to upgrade existing installations, but also to deploy new Exchange 2007 SP3 installations. Also note that installing or upgrading to Exchange 2007 SP3 on a system that has been, or will be, upgraded in place from Windows Server 2008 to Windows Server 2008 R2 is unsupported.

You can download the x64 or x86 version of SP3 from here. The updated Unified Messaging Language Packs can be found here.

The Exchange versions, builds and dates table has been updated accordingly and can be found here.

Active Directory Migration Tool 3.2


At last, the Active Directory Migration Tool (ADMT) 3.2 has been released to the public. ADMT is used to migrate and restructure objects between domains, in inter-forest (cross-forest) or intra-forest scenarios.

The previous version, ADMT 3.1, dates back to July 2008 and is supported only on Windows Server 2008, not on R2. With the release of R2 this added complexity, because migration projects needed to introduce a different OS into their environment just to run the tool.

The new 3.2 version of ADMT runs only on Windows Server 2008 R2, not on earlier versions. As the table below also shows, the new ADMT version requires the Windows Server 2003 domain functional level in both the source and the target domain:

ADMT     OS        Source domain                      Target domain
version  support   2000   2003   2008   2008 R2       2000   2003   2008   2008 R2
3.1      2008      YES    YES    YES    -             YES    YES    YES    -
3.2      2008 R2   -      YES    YES    YES           -      YES    YES    YES

You can download ADMT 3.2 here. The updated ADMT Guide: Migrating and Restructuring Active Directory Domains can be found here.

Note that ADMT uses the Password Export Server (PES), which is currently still at version 3.1. Be advised that this version of PES isn’t supported on Windows Server 2008 R2, so I expect an update for PES as well. PES 3.1 can be downloaded here (x64) or here (x86).