Mr. Robert Bachert, ESTA/EICD - PowerPoint PPT Presentation
1
Track 4 LandWarNet Network Operations (NETOPS)
Windows Server 2008 and Exchange 2007 Roadmap
Session 8, 23 August, 1000-1100
Mr. Robert Bachert, ESTA/EICD, Robert.Bachert@us.army.mil, DSN 821-1855
2
Track 4, Session 8: Exchange 2007 / Windows
Server 2008 Roadmap
  • This session will provide a roadmap for the
    implementation of the Exchange 2007 / Windows Server
    2008 way ahead. The enhanced features will be
    discussed, in addition to an overview of the
    architecture, the strategic concept, and the
    integration into the current Active Directory
    environment.
  • Objectives: by the end of this session, you will
    be able to
  • Understand the enhanced features of Exchange 2007
    and Windows Server 2008
  • Understand the concept of implementing Exchange
    2007 within the Army and how it is integrated
    with Active Directory
  • See the importance of having a standard set of
    user attributes

3
Background (Problem)
  • The Army has two different messaging environments
    spread across multiple Active Directory
    environments.
  • Exchange 5.5 (30%)
  • Exchange 2003 (70% migrated)
  • Exchange 2003 is 4 years old
  • Exchange 5.5 is no longer supported
  • Standardized operating system (OS) environment
    by 2008
  • Standardized naming convention and User Attribute
    environment
  • Lessons Learned from Exchange 2003 migration
    need to be applied for migration to Exchange 2007.

4
EXCHANGE 2003 MIGRATION STATUS
  • OCONUS - 100% migrated, but EDS Lite is not
    implemented
  • USAR - 100% migrated, but EDS Lite is not
    implemented
  • NGB - 100% migrated, but EDS Lite is not
    implemented
  • CONUS - 50% migrated, and EDS Lite is implemented

CONUS Exchange migration status
Approximate number of users: 388,727 (were approximately at 50%)
GAL completion: approximately at 175,000 users
Approximate stats at a glance as of 28 June 07:
Migrated to date: 170,000 (3,899) 49
Remaining: 168,000
Completed migrations: 53
Active migrations: 40
15
5
Exchange Environment Transition
(Diagram: installations A, B and C moving from Exchange 5.5 and Exchange 2003 hosted on the installation to Exchange 2007 hosted at Area Processing Centers APC 1, APC 2 and APC 3.)
Installation-hosted environment labels:
  • No common directory
  • No common GAL
  • Multiple instances on installation
  • Single instance on installation
Consolidated (APC) environment labels:
  • Installation Consolidation
  • Same directory
  • Common GAL
  • Limited APC Service
  • Unified Communications
  • Few instances in Theater
6
Forest conditions for migration to Exchange 2007
  • Approved AD Forest
  • Deployed and completed EDS-Lite implementation
  • Directory is IAW naming standards
  • Contacts imported
  • Exchange 2003 deployed throughout the Forest or
    approved waiver from CIO/G-6
  • Release of Exchange 2007 SP1
  • S/MIME support in OWA
  • Mobile remote wipe confirmation

Exchange 2003 Mainstream Support ends 2008;
Exchange 2003 Extended Support ends 2013
7
Solution
  • Using the current CONUS Active Directory forest
    and the Exchange 2003 environment, move all
    mailboxes to Exchange 2007 using the Area
    Processing Center concept.
  • Exchange 2007 Client Access servers can connect
    to Exchange Server 2003
  • Exchange 2007 Hub Transport servers can route
    e-mail to Exchange 2003
  • An Exchange 2007 Public Folder database is required
    to share free/busy information with pre-Outlook
    2007 clients

8
Why Exchange 2007?
  • Enterprise-class availability at lower cost
  • Greater protection from internal and external
    threats
  • Simplified compliance for the organization
  • Unified messaging solution
  • Outlook experience from desktop to mobile devices
  • Efficient collaboration meetings and document
    sharing
  • Optimized for performance and scalability
  • Easier and more flexible deployment
  • Greater administrator productivity

9
Operational Efficiency
Optimized for performance and scalability
  • Simplified server routing
  • Fast and accurate search
  • Native 64-bit architecture
  • Superior performance
  • Improved storage efficiency

10
Reduced TCO MS IT Case Study
  • 64-bit technology and the Exchange 2007 CCR feature
    enabled MS IT to lower storage costs by 50% and
    still deliver a 10-fold increase in user quota
  • Tape backups replaced by continuous replication,
    saving 5 million a year
  • 1,500 users moved on a weekend, compared to taking
    a week at 200 users per night
  • "Cluster Continuous Replication allows us to
    maintain our high service level agreements on
    lower cost hardware, removes our dependency on
    expensive tape backups and eliminates the single
    point of failure. It's availability based on
    software, not dependent on hardware."
  • Kyryl Perederiy, Senior Systems Engineer, MS IT

Source: Microsoft IT on Exchange Server 2007
11
Microsoft IT Legacy Exchange Server 2003
Pre-Consolidation Environment
  • 70 sites with Exchange mailboxes
  • 215 Exchange servers, 110 mailbox (non-clustered)
12
Microsoft IT Legacy Exchange Server 2007
Post-Consolidation Environment
  • 4 Sites with Exchange mailbox servers
  • 64 Exchange 2007 mailbox clusters
  • 99.99% availability goal (scheduled and
    unscheduled downtime inclusive)

13
How?
  • Where do we begin?
  • What should it look like when we're done?
  • Questions
  • Questions
  • Question

14
Current Exchange 2003 CONUS Environment
(Map; each site label reads name (x / y) as on the slide, grouped into the Northwest, Northeast, DAHQ, Southeast and Southwest domains.)
  • Watervliet Arsenal (6 / 599)
  • Tobyhanna AD (8 / 4064)
  • Ft. Drum (8 / 7816)
  • Ft. Devens (6 / 148)
  • New Cumberland APC (6 / 136), LTC (6 / 130)
  • Natick (6 / 1,400)
  • Northwest Domain
  • Northeast Domain
  • Ft. Hamilton (6 / 381)
  • Carlisle Barracks (6 / 2,175)
  • Picatinny Arsenal (8 / 4200)
  • Letterkenny AD (6 / 1,720)
  • Ft. Lewis (7 / 9542)
  • Ft. Monmouth (5 / 7098)
  • Ft. Detrick (6 / 615)
  • Yakima (6 / 143)
  • Ft. Dix (6 / 1799)
  • ALC (4 / 310), ARL (4 / 3025), Multiple Locations
  • Aberdeen Proving Grounds (8 / 5562), RDECOM (8 / 6214)
  • Umatilla CD (6 / 405)
  • CID / OPMG (6 / 551)
  • Ft. Meade (8 / 1800)
  • Ft. Belvoir (8 / 7897)
  • Ft. Myer/McNair (6 / 1512)
  • ATEC (8 / 6094), Multiple Locations
  • Ft. McCoy (6 / 1371)
  • Detroit Arsenal (8 / 4608)
  • Army Audit Agency (6 / 639)
  • RMDA (4 / 165)
  • ILAP (10 / 15,000)
  • Interim Hub
  • CHRA Alexandria (6 / 2600)
  • ACA ITEC4 (4 / 150)
  • HRC Alexandria (2 / 11935)
  • AP Hill (6 / 294)
  • Newport News (2 / 147)
  • BFC (4 / 125)
  • HRC St. Louis (6 / 1,777), CECOM St. Louis (6 / 38), DOLWMDD St. Louis (6 / 87)
  • Dugway (6 / 1342)
  • Newport CD (6 / 523)
  • Radford (6 / 145)
  • Ft. Monroe (6 / 2577)
  • EREC (6 / 284)
  • Ft. Lee (8 / 7828)
  • Rock Island (6 / 5250)
  • Ft. Eustis / Ft. Story (8 / 5227)
  • SDDC (6 / 2188), Multiple Locations
  • Tooele (6 / 455)
  • Columbus
  • DAHQ Domain
  • Rocky Mtn. (6 / 303)
  • Sierra AD (6 / 476)
  • Deseret (6 / 645)
  • Ft. Riley (6 / 3440)
  • Hawthorne (6 / 181)
  • Ft. Carson (6 / 4125)
  • Crane (6 / 702)
  • Ft. Leavenworth (8 / 5011)
  • Ft. Leonard Wood (8 / 7,620)
  • Pueblo (6 / 241)
  • IMCEN (8 / 9459), AOC (4 / 604), Raven Rock (6 / 618)
  • Blue Grass AD (6 / 468)
  • Ft Knox (8 / 5226)
  • Ft Bragg (10 / 11,182)
  • Camp Roberts (6 / 92)
  • Ft Campbell (10 / 11,332)
  • Ft Hunter Liggett (6 / 340)
  • Sunny Point (2 / 323)
  • Oklahoma City
  • Pentagon
  • McAlester (6 / 1,005)
  • Ft Jackson (8 / 4300)
  • Ft Irwin (6 / 3339)
  • Ft McPherson (6 / 5000)
  • Pine Bluff (6 / 938)
  • Ft Sill (6 / 6350)
  • Redstone Arsenal (10 / 22749)
  • White Sands (6 / 3019), TRAC (6 / 258)
  • Goose Creek (6 / 390)
  • Yuma PG (6 / 1,564)
  • Anniston AD (6 / 1650)
  • Ft Benning (6 / 9975)
  • Ft Rucker (5 / 4800)
  • Ft Gordon (8 / 5196)
  • Red River (6 / 2,400)
  • Ft Stewart/Hunter Army Airfield (10 / 10872)
  • Ft Huachuca (8 / 7,763)
  • Ft Bliss (8 / 7,512)
  • Ft Hood (10 / 15,128)
  • Ft Sam Houston (8 / 5047)
  • 5th Army (2 / 538)
  • PEO STRI (4 / 1142)
  • Fort Wainwright
  • Ft. Greely
  • Orlando
  • Ft Polk (8 / 5516)
  • US Army CRC (3 / 303)
  • Fort Richardson
  • Corpus Christi (6 / 3703)
  • Ft Buchanan (2 / 651)
  • Southeast Domain
  • Southwest Domain
  • Fort Shafter
  • Schofield Barracks
15
Use the APCs
(Same CONUS site map as slide 14, with the Area Processing Centers APC 1 and APC 2 marked on it.)
16
Process to Upgrade to Exchange 2007
  • Deploy the Client Access Server Role (CAS)
  • Deploy the Hub Transport Server Role
  • Deploy the Mailbox Server Role
  • Move resources to Exchange 2007 servers
  • Uninstall previous versions of Exchange Server
    and delete administrative and routing Groups
  • Deploy the Unified Messaging Server role and the
    Edge Transport Server role

17
Build Out: Deploy Client Access, Hub Transport,
and Mailbox Servers
CONUS Exchange 2003 Environment
Proposed CONUS Exchange 2007 Environment
Area Processing Center
19
Move resources to Exchange 2007 servers
CONUS Exchange 2003 Environment
Proposed CONUS Exchange 2007 Environment
Area Processing Center
21
Decommission existing Exchange 2003
Infrastructure; Deploy Unified Messaging Server
role and the Edge Transport Server role
CONUS Exchange 2007 Environment
Area Processing Center
22
Active Directory (AD) W2K3 Update
  • NIPRNET
    • 15 approved forests
    • Deployed
  • SIPRNET
    • One forest per theater (6)
    • Deployed
    • CONUS SIPRNET expansion (ongoing)
  • AD Next Phase

23
Ten Reasons to transition to Windows Server 2008
(Previously Code Name Longhorn)
24
Branch Office/Remote Office Deployment
Configuration Feature
  • Windows Server 2008 adds a new type of domain
    controller configuration that makes it possible for
    organizations to easily deploy a domain controller
    in locations where the physical security of the
    server cannot be guaranteed.
  • A Read-Only Domain Controller (RODC) hosts a
    read-only replica of the AD directory services
    database for a given domain and offers the
    following benefits to the branch office:
  • Reduced security risk
  • Secure by default: no user or computer passwords
    are replicated to or stored on an RODC
  • Kerberos key separation: each RODC has its own
    Kerberos KDC account
  • Delegation of administration for applications
    hosted on an RODC: no need to grant Domain
    Administrator permissions
  • Reduced network traffic
  • Unidirectional replication for AD and SYSVOL

25
How RODC Works
(Diagram: Branch site with a Read Only DC; Hub site with a Windows Server Longhorn DC.)
  1. Request sent to RODC (request for TGT)
  2. RODC looks in its DB: "I don't have the user's secrets"
  3. RODC forwards the request to the Windows Server Longhorn DC
  4. Windows Server Longhorn DC authenticates the request
  5. Returns the authentication response and TGT back to the RODC
  6. RODC gives the TGT to the user and queues a replication request for the secrets
  7. Hub DC checks the Password Replication Policy to see if the password can be replicated
Note: at this point the user will have a hub-signed TGT
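The seven-step flow above, together with the "Secure by default" and "Kerberos key separation" points from the Branch Office slide, as an added example that is not part of the original presentation. The model below is constructed for illustration: the hub DC is authoritative for every account secret and for the Password Replication Policy (PRP), the RODC holds only the secrets the PRP lets it cache and signs tickets with its own, separate KDC key. Account names, passwords, KDC keys and PRP entries are all constructed, and the "TGT" is a keyed HMAC standing in for a Kerberos ticket.

```python
"""Model of RODC authentication and the Password Replication Policy (PRP).

Added example, not from the original presentation. Everything here
(accounts, keys, policy lists) is constructed; the TGT is a toy HMAC.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SALT = b"constructed-salt"   # constructed; real Kerberos salts come from realm + principal


def derive_key(password: str) -> bytes:
    """Stand-in for the long-term key Kerberos derives from a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


def sign_tgt(kdc_key: bytes, user: str, issuer: str) -> str:
    """Toy TGT: an HMAC over the principal, keyed by the issuing KDC's key."""
    return issuer + ":" + hmac.new(kdc_key, user.encode(), "sha256").hexdigest()


@dataclass
class HubDC:
    """Writable hub DC: authoritative for all secrets and for the PRP (steps 4, 5, 7)."""
    secrets: dict                      # user -> long-term key
    krbtgt_key: bytes                  # hub KDC key that signs hub-issued TGTs
    prp_allowed: set                   # PRP: accounts this RODC may cache
    prp_denied: set                    # PRP: accounts never cached (denied wins)
    replication_log: list = field(default_factory=list)

    def authenticate(self, user: str, proof: bytes):
        """Step 4/5: verify the forwarded request, return a hub-signed TGT or None."""
        key = self.secrets.get(user)
        if key is None or not hmac.compare_digest(proof, key):
            return None
        return sign_tgt(self.krbtgt_key, user, issuer="hub")

    def replicate_secret(self, rodc: "RODC", user: str) -> bool:
        """Step 7: the PRP decides whether the secret may flow to this RODC."""
        self.replication_log.append(user)
        allowed = user in self.prp_allowed and user not in self.prp_denied
        if allowed:
            rodc.cache[user] = self.secrets[user]   # one-way: hub -> RODC only
        return allowed


@dataclass
class RODC:
    """Read-only DC: holds only PRP-cached secrets plus its own KDC key."""
    hub: HubDC
    krbtgt_key: bytes                  # key separation: distinct from the hub's key
    cache: dict = field(default_factory=dict)

    def request_tgt(self, user: str, password: str):
        """Steps 1-3 and 6 as seen from the RODC."""
        proof = derive_key(password)
        if user in self.cache:                    # secret cached: answer locally
            if hmac.compare_digest(proof, self.cache[user]):
                return sign_tgt(self.krbtgt_key, user, issuer="rodc")
            return None
        tgt = self.hub.authenticate(user, proof)  # step 3: forward to the hub
        if tgt is not None:                       # step 6: queue replication
            self.hub.replicate_secret(self, user)
        return tgt


def run_scenario() -> dict:
    """Constructed branch-office scenario; returns observations to check."""
    hub = HubDC(
        secrets={"branch.user": derive_key("Branch-Pass-1"),
                 "domain.admin": derive_key("Admin-Pass-1")},
        krbtgt_key=b"hub-kdc-key-constructed",
        prp_allowed={"branch.user"},
        prp_denied={"domain.admin"},
    )
    rodc = RODC(hub=hub, krbtgt_key=b"rodc-kdc-key-constructed")

    first = rodc.request_tgt("branch.user", "Branch-Pass-1")   # forwarded to hub
    second = rodc.request_tgt("branch.user", "Branch-Pass-1")  # now served locally
    admin = rodc.request_tgt("domain.admin", "Admin-Pass-1")   # forwarded, never cached
    bad = rodc.request_tgt("branch.user", "wrong-password")
    return {
        "first_issuer": first.split(":")[0],
        "second_issuer": second.split(":")[0],
        "admin_issuer": admin.split(":")[0],
        "bad_password": bad,
        "cached_on_rodc": sorted(rodc.cache),   # what a stolen RODC would expose
        "replication_checks": hub.replication_log,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the two properties the slides claim: a PRP-denied account (here the constructed domain admin) is authenticated through the hub and its secret never lands on the RODC, so an RODC taken from an unprotected branch site exposes only the cached branch accounts; and tickets the RODC issues itself carry its own key, so the hub can distinguish them from hub-signed tickets.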
26
Network Access Protection: How it works
(Diagram, steps 1-5: Windows Client; DHCP, VPN, Switch/Router; MSFT NPS; Policy Servers, e.g. Patch, AV; outcomes "Not policy compliant" and "Policy compliant".)
27
BitLocker Drive Encryption
  • Designed specifically to help prevent a thief who
    boots another Operating System or runs a hacking
    tool from breaking Windows file and system
    protections
  • Secure Startup - Helps provide data protection
    on your Windows systems, even when the system is
    in unauthorized hands
  • Uses a v1.2 TPM or USB flash drive for key storage

BitLocker
28
Server, Server Roles (for example only)
Windows Server Core
  • Minimal installation option
  • Low surface area
  • Command line interface
  • Limited set of server roles

(Diagram: the full server, with WinFx, Shell, Tools, etc., adds GUI, CLR, Shell, IE, Media, OE, etc. and carries roles such as TS, IAS, Web Server, SharePoint, etc.; Server Core carries the roles DNS, DHCP, File and AD on top of Security, TCP/IP, File Systems, RPC, plus other core server sub-systems.)
29
Restartable Active Directory
  • Introduction
  • Restart Active Directory without rebooting
  • Can be done through command line and MMC
  • Can't boot the DC directly into the stopped mode of
    Active Directory
  • No effect on non-related services while
    restarting Active Directory
  • Several ways to process login under stopped mode
  • Benefits
  • Reduces time for offline operations
  • Improves availability for other services on DC
    when Active Directory is stopped
  • Reduces overall DC servicing requirements with
    Server Core

30
Terminal Services Enhancements
APC
  • Centralized Application Access
  • App Deployment (app virtualization)
  • Branch Office
  • Secure Anywhere Access
  • New features
  • TS Gateway
  • TS Remote Programs
  • SSO for managed clients

31
Terminal Services Gateway: Remote access to
internal server resources
(Diagram: clients at Home, a Hotel and a Remote Site connect over the Internet on HTTPS / 443, through the External Firewall to the Terminal Services Gateway Server in the DMZ, then through the Internal Firewall to the Army LAN hosts Terminal Server APC 1, Terminal Server APC 2 and the E-Mail Server.)
32
Terminal Services Gateway
  • Security (compared to VPN)
  • Authentication with passwords, smartcards
  • Uses industry standard encryption and firewall
    traversal (SSL, HTTPS)
  • RDP traffic still encrypted end-to-end client
    to terminal server
  • Client machine health can be validated (using
    NAP)
  • SSL termination devices can terminate SSL traffic
    on a separate device (for intrusion detection or
    filtering in the DMZ)
  • User can access Army applications and Army
    desktops via a web browser
  • Friendly with home machines
  • Crosses firewalls and NATs (with HTTPS / 443)
  • Granular access control at the perimeter
  • Connection Authorization Policy (CAP)
  • Resource Authorization Policy (RAP)
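The "granular access control at the perimeter" point above rests on two policy types: a Connection Authorization Policy (CAP) decides who may connect through the gateway and under what conditions (authentication method, client health via NAP), and a Resource Authorization Policy (RAP) decides which internal hosts and ports that user may then reach. The evaluator below is an added example, not code from the presentation or from Microsoft: it assumes that group membership, the authentication method and a NAP health result are already known for each request, and all policy names, groups and host names are constructed.

```python
"""Model of TS Gateway Connection (CAP) and Resource (RAP) Authorization Policies.

Added example, not from the original presentation. Policies, groups and
host names are constructed; a request passes only if a CAP and a RAP match.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # security groups the user belongs to (assumed known)
    auth_method: str         # "password" or "smartcard"
    nap_compliant: bool      # client health result from NAP (assumed available)
    target_host: str
    target_port: int


@dataclass(frozen=True)
class CAP:
    name: str
    user_groups: frozenset   # membership in any listed group satisfies the CAP
    auth_methods: frozenset  # accepted authentication methods
    require_nap: bool        # demand a compliant client health statement


@dataclass(frozen=True)
class RAP:
    name: str
    user_groups: frozenset
    allowed_hosts: frozenset  # "*" means any internal host
    allowed_ports: frozenset


def cap_matches(cap: CAP, req: Request) -> bool:
    """Who may connect through the gateway, and how."""
    if not (req.groups & cap.user_groups):
        return False
    if req.auth_method not in cap.auth_methods:
        return False
    if cap.require_nap and not req.nap_compliant:
        return False
    return True


def rap_matches(rap: RAP, req: Request) -> bool:
    """Which internal resources a connected user may reach."""
    if not (req.groups & rap.user_groups):
        return False
    if "*" not in rap.allowed_hosts and req.target_host not in rap.allowed_hosts:
        return False
    return req.target_port in rap.allowed_ports


def evaluate(caps, raps, req: Request) -> tuple:
    """Return (allowed, reason). Both a CAP and a RAP must match; first match wins."""
    cap = next((c for c in caps if cap_matches(c, req)), None)
    if cap is None:
        return (False, "no CAP matched: connection through the gateway refused")
    rap = next((r for r in raps if rap_matches(r, req)), None)
    if rap is None:
        return (False, f"CAP {cap.name} matched but no RAP allows "
                       f"{req.target_host}:{req.target_port}")
    return (True, f"allowed by CAP {cap.name} and RAP {rap.name}")


# Constructed policies: smartcard plus a healthy client for everyone;
# ordinary users reach only the terminal servers, admins any host on RDP.
CAPS = [
    CAP("CAP-Smartcard-Healthy", frozenset({"TSG-Users", "TSG-Admins"}),
        frozenset({"smartcard"}), require_nap=True),
]
RAPS = [
    RAP("RAP-Admins", frozenset({"TSG-Admins"}), frozenset({"*"}), frozenset({3389})),
    RAP("RAP-Users", frozenset({"TSG-Users"}),
        frozenset({"ts-apc1.example", "ts-apc2.example"}), frozenset({3389})),
]


def run_scenario() -> dict:
    """Constructed requests; returns name -> (allowed, reason)."""
    users, admins = frozenset({"TSG-Users"}), frozenset({"TSG-Admins"})
    cases = {
        "user_to_ts":       Request("user1", users, "smartcard", True, "ts-apc1.example", 3389),
        "user_to_mail":     Request("user1", users, "smartcard", True, "mail.example", 3389),
        "user_password":    Request("user1", users, "password", True, "ts-apc1.example", 3389),
        "user_unhealthy":   Request("user1", users, "smartcard", False, "ts-apc1.example", 3389),
        "admin_to_mail":    Request("admin1", admins, "smartcard", True, "mail.example", 3389),
        "admin_wrong_port": Request("admin1", admins, "smartcard", True, "mail.example", 22),
    }
    return {name: evaluate(CAPS, RAPS, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenario().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The split matters for review: a CAP failure (wrong authentication method, unhealthy client) stops the session at the gateway before any internal host is named, while a RAP failure tells the operator that an authenticated, healthy user asked for a resource outside their scope, which is the event worth alerting on.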

33
Conclusion
  • Continue migration/consolidation to Exchange
    2003 at local sites
  • Build-out Exchange 2007 at APCs
  • Migrate all users to APCs and Exchange 2007
  • Develop an Army Active Directory strategy for
    the deployment of Windows Server 2008
  • Development of Army Windows Server 2008 Design
    and Implementation Plan that includes the APC
    Concept