Saturday, 21 March 2015

16 Tips to Optimize Exchange 2013 (Part 2)

5.    Exchange Administrator's toolkit

There are lots of tools available for Exchange Server; you can find most of them at the Exchange Server Wiki (some of the tools listed are for previous versions of Exchange).
Here is a short selection from the vast collection available:
There are also some good scripting resources I’d like to recommend:
  • Script Repository & TechNet Gallery: download resources and applications for Windows, Windows Server, SharePoint, System Center, Office, and other products. Find resources written in VB Script, PowerShell, SQL, JavaScript, or other script languages.
  • All-In-One Script Framework: All-In-One Script Framework is an automation script sample library for IT Professionals. The key value that All-In-One Script Framework is trying to deliver is Scenario-Focused Script Samples driven by IT Pros' real-world pains and needs.

6.    Outlook Performance and Housekeeping

So, you designed this super-duper Exchange 2013 infrastructure, with the best hardware money can buy, correctly sized, highly available, capable of providing 50GB mailboxes and an online personal archive to your users, but suddenly you start getting complaints regarding performance from a bunch of unhappy users. It should be no surprise, since sometimes providing better service from the server side can have a perverse effect on the client side, usually related to the performance of Outlook when it has to deal with the large offline files of a cached mailbox. Fortunately, Outlook 2013 manages offline email much better than its predecessors, but there are nevertheless a couple of other issues that might affect the user experience.
  1. Check if the Outlook versions hitting your servers are fully supported. Regarding Exchange Server 2013, the TechNet article Outlook Versions Supported by Exchange 2007/2010/2013/Online states the following:

    The following Outlook client versions are fully supported by Exchange server 2013. Please bear in mind there’s a difference between what is supported and what might be compatible with Exchange 2013. All of the Outlook versions listed below have been thoroughly tested by the Exchange Product group:
  2. Prevent older versions of Outlook from connecting by running the following cmdlet:
  • Set-RpcClientAccess -Server CAS01 -BlockedClientVersions "0.0.0-5.6535.6535;7.0.0;8.02.4-11.6535.6535"
You’ll probably want to block everything below version 14, as shown in Table 3.

Outlook version    Version number
Outlook 2013       15
Outlook 2010       14
Outlook 2007       12
Outlook 2003       11

Table 3: Outlook versions
  3. Enable cached mode in Outlook 2013. Cached mode can be configured on the client side, by applying a Group Policy, or by enforcing it on the Exchange servers:
    • Set-CasMailbox MailboxName -MAPIBlockOutlookNonCachedMode:$true
  4. If using PST files, keep them at a reasonable size. Although the 2GB limit is long gone, it’s still recommended to keep them relatively small (<5GB).
  5. Check the OST file size and compact it if needed.
    • In Outlook, right-click the mailbox in the navigation pane, and then click Data File Properties. Click Folder Size, and then note the Total size value on the Local Data tab.
    • Open the Outlook system folder at the following path: %userprofile%\AppData\Local\Microsoft\Outlook
    • Note the size of the OST file for the user’s Outlook profile. If the OST file is more than 3 to 4 gigabytes (GB) larger than the Total size value, the file may be corrupted or fragmented. Close Outlook, rename the OST file, and then reopen Outlook to re-create the OST file.
  6. Reduce the number of items in the Calendar, Contacts, Inbox, and Sent Items folders. The Inbox folder or the Sent Items folder should contain no more than 20,000 items; the Calendar folder or the Contacts folder should have fewer than 5,000 items.
  7. Disable add-ins that may be causing Outlook to respond slowly. Click the File tab, click Options, and then click the Add-ins tab. In the Add-ins window, disable or remove any add-ins that might be causing the performance problems, such as those that scan each message that you receive or those that scan index messages.
  8. Configure shared folders caching. By default, if a Microsoft Outlook 2013 profile is configured in Cached mode and you add another user’s mailbox or shared folder to your profile, all items in all the folders to which you have access in the shared mailbox are downloaded to your local cache. Depending on the mailbox size, this can have an impact on performance, so you’ll have to decide whether to keep an offline copy or not. To modify this behavior, go to Account Settings in Outlook, select the mail profile, click Change, More Settings and then Advanced. Configure the Download shared folders setting accordingly (Figure 20).
Figure 20: Outlook cached mode setting
  9. Disable Mailbox Auto-Mapping in Outlook. Outlook 2007/2010/2013 can map to any mailbox to which a user has Full Access and, through Autodiscover, automatically loads all mailboxes to which the user has Full Access. If the user has Full Access to a large number of mailboxes, performance suffers when starting Outlook. To disable this behavior, follow the steps in Disable Outlook Auto-Mapping with Full Access Mailboxes.
  10. Disable email scanners, such as Google Desktop, and other services that scan the Outlook mailbox, which may affect the performance of Outlook. Some desktop antivirus software can also scan incoming email messages. Try disabling any such programs or services, and then see whether Outlook performance improves.
  11. Try disabling hardware graphics acceleration. Performance and display issues can occur with Office 2013 client applications. Knowledge Base article 2768648 has some more technical information about this subject. If this is affecting Outlook 2013 in particular, go to File, Options, Advanced and select Disable Hardware Graphics Acceleration.
Figure 21: Disable hardware graphics acceleration
  12. Try restarting Outlook in safe mode by running the following command from the Run box or from the search box on the Start menu: outlook.exe /safe.
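The client-blocking step (step 2 above, together with Table 3), as an added example that is not part of the original article: it tests which of the Table 3 versions a given BlockedClientVersions string actually blocks, then builds a string that blocks everything below version 14. The range syntax (entries separated by ";", each an exact version or an inclusive "low-high" range), the 65535 field maximum, the three-part sample versions and the server name CAS01 are assumptions of this example.

```powershell
# Added example (not from the original article): check which Outlook versions from
# Table 3 a BlockedClientVersions string would block, then build one that blocks
# everything below a chosen major version. Assumed range syntax: entries separated
# by ';', each a single version (exact match) or "low-high" (inclusive range).

function Test-BlockedClientVersion {
    param(
        [Parameter(Mandatory)][string]$BlockedClientVersions,
        [Parameter(Mandatory)][version]$ClientVersion
    )
    foreach ($entry in ($BlockedClientVersions -split ';' | Where-Object { $_.Trim() })) {
        if ($entry -match '^(?<low>[\d.]+)-(?<high>[\d.]+)$') {
            if ($ClientVersion -ge [version]$Matches.low -and
                $ClientVersion -le [version]$Matches.high) { return $true }
        }
        elseif ([version]$entry -eq $ClientVersion) { return $true }
    }
    return $false
}

function New-BlockedClientVersionsBelow {
    # Assumption: each version field is a 16-bit value, so 65535 is its maximum.
    param([Parameter(Mandatory)][int]$MinimumAllowedMajor)
    '0.0.0-{0}.65535.65535' -f ($MinimumAllowedMajor - 1)
}

# Constructed sample versions: the major numbers from Table 3 padded to three fields.
$table3 = [ordered]@{ 'Outlook 2013' = '15.0.0'; 'Outlook 2010' = '14.0.0'
                      'Outlook 2007' = '12.0.0'; 'Outlook 2003' = '11.0.0' }
$fromArticle = '0.0.0-5.6535.6535;7.0.0;8.02.4-11.6535.6535'     # the string in step 2
$below14     = New-BlockedClientVersionsBelow -MinimumAllowedMajor 14  # 0.0.0-13.65535.65535

foreach ($name in $table3.Keys) {
    [pscustomobject]@{
        Client               = $name
        Version              = $table3[$name]
        BlockedByArticleList = Test-BlockedClientVersion -BlockedClientVersions $fromArticle -ClientVersion $table3[$name]
        BlockedBelow14       = Test-BlockedClientVersion -BlockedClientVersions $below14 -ClientVersion $table3[$name]
    }
}

# Preview the change on a placeholder server name; drop -WhatIf to apply it.
Set-RpcClientAccess -Server CAS01 -BlockedClientVersions $below14 -WhatIf
```

The report shows that the sample string from step 2 blocks Outlook 2003 but still admits Outlook 2007, which is why a "block below 14" string is built separately.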

7.    Security and Compliance

Exchange Server 2013 is a “secure by default” product, and it was designed to meet the most demanding requirements of today’s business organizations:
  • Accounts used by Exchange 2013 have the minimum rights required to perform a given task.
  • By default, services are started only when they are required.
  • Access control list (ACL) rights for Exchange objects are minimized.
  • Administrative permissions are set according to the scope of change on the object that a given modification requires.
  • By default, all internal default message paths are encrypted.
Furthermore, there are two new message policy and compliance features in Exchange 2013:
  • Data loss prevention (DLP) capabilities help you protect sensitive data, by using deep content analysis, and inform users of internal compliance policies. Exchange Server 2013 offers built-in DLP policies that are based on regulatory standards such as personally identifiable information (PII) and payment card industry data security standards (PCI). DLP is extensible so that it can support other policies that are important to your business. Additionally, the new Policy Tips in Outlook inform users about policy violations before they send data, thus helping them to prevent sharing sensitive information with unauthorized people by mistake.
  • The Microsoft Rights Management connector (RMS connector) is an optional application that helps you enhance data protection for your Exchange 2013 server by connecting to cloud-based Microsoft Rights Management services. Once you install the RMS connector, it provides continuous data protection throughout the lifespan of the information and because these services are customizable, you can define the level of protection you need. For example, you can limit email message access to specific users or set view-only rights for certain messages.
But even with the most advanced security features, the “human factor”, which is usually the weakest link, can have a significant impact on the reliability of your systems. Follow these best-practice procedures to make your infrastructure a little bit safer:
  1. Keep your servers always up to date with the latest security patches by running Microsoft Update.
  2. Run the Microsoft Baseline Security Analyzer.
  3. Leverage the DLP capabilities of Exchange Server 2013 by regularly updating the DLP Policy Templates.
  4. Leverage Information Rights Management.
  5. Implement Administrator audit logging.
  6. Block legacy Outlook clients. Based on your requirements, you can configure Outlook client blocking to block legacy Outlook client versions. For more information, see Configure Outlook Client Blocking.
  7. If you deploy file-system antivirus software to protect your Exchange servers, you must exclude the directories where the Exchange mailbox and public folder databases are stored from file-system antivirus scanners. For details, see Anti-Virus Software in the Operating System on Exchange Servers.
  8. Do not disable Windows Firewall. Exchange 2013 is designed to run with the Windows Server Firewall with Advanced Security enabled. Exchange Setup creates the required firewall rules to allow Exchange services and processes to communicate. It creates only the rules required for the services and processes installed on a given server role.
  9. For external client access mechanisms and protocols, such as Outlook Web App, POP3, IMAP4, Outlook Anywhere, and AutoDiscover, use certificates signed by a commercial certification authority (CA) that's trusted by clients accessing those services.
  10. Your Exchange servers rely on SSL certificates to encrypt data. Since SSL certificates expire, it’s a good idea to regularly check their expiration dates. If a certificate expires, services like ActiveSync and OWA will fail. To check certificate usage, open the Exchange Management Shell (EMS) and enter the following command:
    Get-ExchangeCertificate | FL PsComputerName, IssuerName, Status, NotAfter
  11. Design your organizational unit (OU) structure for role-based policies. For example, you can disable the POP or IMAP service for all Exchange servers but enable it for Client Access servers. For additional information on this topic, please read Creating an Organizational Unit Design.
  12. Configure S/MIME for message signing and encryption.
  13. Enable Reverse SSL or SSL Bridging if you don’t have a secure network between the Hardware Load Balancers (HLB) and CAS.
  14. The Edge server is back with SP1; use it to handle all Internet-facing mail flow.
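The certificate check in tip 10, carried further as an added example that is not part of the original article: it walks every Exchange server, keeps only certificates actually bound to a service, and flags those that are invalid, self-signed (tip 9) or due to expire within a warning window. It assumes an Exchange Management Shell session; the 30-day threshold and the issuer-equals-subject heuristic for self-signed certificates are choices of this example, not Exchange settings.

```powershell
# Added example (not from the original article): extend the Get-ExchangeCertificate
# check in tip 10 into a report of service-bound certificates that are invalid or
# expire within a warning window. Assumes an Exchange Management Shell session;
# $WarningDays is a chosen threshold, not an Exchange setting.
param([int]$WarningDays = 30)

$now    = Get-Date
$cutoff = $now.AddDays($WarningDays)

$report = foreach ($server in Get-ExchangeServer) {
    # Only certificates bound to a service (IIS, SMTP, POP, IMAP, UM) matter for
    # tip 10; an unbound certificate can expire without breaking OWA or ActiveSync.
    Get-ExchangeCertificate -Server $server.Name |
        Where-Object { $_.Services -ne 'None' } |
        ForEach-Object {
            $action = if ($_.Status -ne 'Valid')          { 'Investigate status' }
                      elseif ($_.NotAfter -le $cutoff)    { 'Renew' }
                      else                                { 'OK' }
            [pscustomobject]@{
                Server     = $server.Name
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Services   = $_.Services
                Status     = $_.Status
                NotAfter   = $_.NotAfter
                DaysLeft   = [int]($_.NotAfter - $now).TotalDays
                # Heuristic for tip 9: a self-signed certificate has issuer == subject,
                # which external clients will not trust.
                SelfSigned = ($_.Issuer -eq $_.Subject)
                Action     = $action
            }
        }
}

# Everything that needs attention, soonest expiry on top.
$report | Where-Object { $_.Action -ne 'OK' -or $_.SelfSigned } |
    Sort-Object NotAfter | Format-Table -AutoSize
```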

8.    Load Balancing

Exchange 2013 has some architectural changes that impact the requirements for load balancers used with the Client Access Servers (CAS). These servers now support proxy and redirection logic for client protocols and, most importantly, the use of Layer 4 load balancing (Exchange 2010 required Layer 7 load balancers).
When planning a high-availability solution with load balancing, keep these tips in mind:
  • SSL offloading is back with the release of SP1 and it can improve CAS performance, as it offloads intensive processor utilization from Client Access Server. Please read Configuring SSL offloading in Exchange 2013.
  • Consider round-robin as the traffic distribution policy, so that inbound client requests are spread approximately equally across CAS servers.
  • For information about the hardware load balancing solutions that will likely work with Exchange 2013, see Exchange Server 2010 load balancer deployment (this page shows the more complex Layer-7 configuration of hardware load balancers with Exchange 2010).
  • Windows Network Load Balancing (WNLB) is supported but has the following caveats:
    • WNLB can't be used on Exchange servers where mailbox DAGs are also being used because WNLB is incompatible with Windows failover clustering. The clustering component added to Mailbox servers that are members of a DAG prevents Network Load Balancing (NLB) from being installed on the server. In this case, there are two main options:
a)     Purchase a hardware load balancing appliance.
b)     Virtualize the Exchange server roles and isolate the Mailbox server role onto a separate virtual machine running on the same physical server as the virtual Client Access server. With this isolation, you can run NLB for Client Access servers and Mailbox servers that are members of a DAG on the same physical server.
    • WNLB isn’t service-aware; it only detects server outages by IP address. If a particular web service, such as Outlook Web App, fails but the server is still alive, WNLB won’t detect the failure and will still route requests to that CAS.
    • Using WNLB can result in port flooding, which can overwhelm networks.
    • Because WNLB only performs client affinity using the source IP address, it's not an effective solution when the source IP pool is small (for example, when the source IP pool is from a remote network subnet or from a NATed network).
