Before we start digging deeper into the
Client Access server, we want to explain the services that the CAS
provides. There are some things added into the Exchange Server 2010
version of the CAS that have a great impact on your Exchange
organization. We'll start off by covering the new services: RPC Client
Access, mailbox replication, the Address Book service, and Remote
PowerShell. We'll then discuss the new version of Outlook Web App and
its tight integration with the Exchange Control Panel. After that,
we'll cover other services that are provided by the CAS and call out
the changes in the Exchange Server 2010 version of the services as we
go along.
1. RPC Client Access
RPC Client Access is probably the most significant
change to the CAS in Exchange Server 2010. This service provides RPC
connectivity to Outlook clients, performs data validation, creates a
compliance log, and provides the infrastructure for connecting to the
archive mailbox. The RPC Client Access service runs as a Windows
service on your Client Access servers using the Network Service
account. The name of the service is Microsoft Exchange RPC Client
Access (MSExchangeRPC).
RPC Client Access moves the connection for
MAPI-based connections for mailbox data to the Client Access server
instead of the Mailbox server. This means that the Outlook clients
inside the LAN will no longer connect to Mailbox servers to access
their mail. Instead, they talk to the Client Access servers, which in
turn broker the connection to the Mailbox servers. This layer of
abstraction for client connections is useful and important for a few
reasons:
In the past, there was a limit of 65,535 RPC context handles to Mailbox servers. This is no longer an issue. Instead, you can add multiple Client Access servers to a site and each CAS can handle 65,535 RPC context handles. This means that the Mailbox server can support more MAPI client connections.
There is a reduced network load on the Mailbox servers since they maintain fewer connections. Keep in mind, however, that this network load could be replaced by other functions of a Mailbox server, such as data replication.
This architecture has enabled a dramatic improvement in the Mailbox server switchover and failover experience. Since clients connect to the CAS, a failed Mailbox server does not require a reconfiguration of the client connection settings.
Because the connection to the Mailbox server is abstracted, mailboxes can be moved from one Mailbox server to another without client profile reconfiguration. The user simply needs to close Outlook and reopen it.
All client connections connect to Client Access servers now instead of the Mailbox server (except in the case of public folder access). This supplies a consolidated entry point into your Exchange organization.
This enhanced functionality does come at a cost. RPC
Client Access is a big factor in driving the hardware requirements for
the CAS in Exchange Server 2010 higher than in Exchange Server 2007.
There is an increased load on Client Access servers from the
perspective of processor utilization, memory utilization, and network
utilization.
Your Outlook 2007 and Outlook 2010 clients can
natively talk to the RPC Client Access service on the CAS without any
changes. However, your Outlook 2003 clients may need a configuration
change. The RPC Client Access service enables RPC encryption by
default. Outlook 2007 and Outlook 2010 already encrypt RPC in their
default configurations. But if you want your Outlook 2003 clients to
use RPC Client Access, then you will need to enable the encryption
setting for those clients. You can do this through a Group Policy
Object or you can reconfigure it manually in Outlook.
Another option you have, which we don't recommend,
is to turn off the encryption requirement for RPC Client Access. You
have to turn this off on a per–Client Access server basis, so if you
are turning it off in your environment, you need to remember to do this
when you add new Client Access servers to the Exchange organization.
You don't want to run into a situation where you have the RPC
encryption requirement enabled for some Client Access servers and
disabled for others. If so, Outlook 2003 clients will be able to
connect to some servers, but not others. And if you were to do this
inside a load-balanced Client Access server array, the problems that
arise could be difficult to troubleshoot. We highly recommend that you
leave the encryption setting alone, but if you want to do this in a lab
or just want to ignore our warning, you can disable the RPC encryption
requirement with the following command:
Set-RpcClientAccess -Server CAS-1 -EncryptionRequired $False
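As an added check that is not part of the book's text, the following Exchange Management Shell script discovers the Exchange Server 2010 Client Access servers with Get-ExchangeServer and reports any Active Directory site in which they disagree on the RPC encryption requirement, which is the mixed state the paragraph above warns about:

```powershell
# Added example: audit the RPC Client Access encryption requirement on every
# Exchange 2010 CAS and flag sites where the setting is inconsistent.
# Run from the Exchange Management Shell; server names are discovered, not assumed.
$casServers = Get-ExchangeServer | Where-Object {
    $_.IsClientAccessServer -and $_.AdminDisplayVersion.Major -eq 14   # 14 = Exchange 2010
}

$report = foreach ($server in $casServers) {
    $rpc = Get-RpcClientAccess -Server $server.Name
    New-Object PSObject -Property @{
        Server             = $server.Name
        Site               = $server.Site.Name
        EncryptionRequired = $rpc.EncryptionRequired
    }
}

# Show the full picture first, sorted so any odd one out stands out.
$report | Sort-Object Site, Server | Format-Table Site, Server, EncryptionRequired -AutoSize

# Then warn per site when servers disagree. A load-balanced CAS array lives within
# a site, so this is exactly where Outlook 2003 clients would connect to one node
# and fail on another.
$report | Group-Object Site | ForEach-Object {
    $settings = @($_.Group | ForEach-Object { $_.EncryptionRequired } | Sort-Object -Unique)
    if ($settings.Count -gt 1) {
        Write-Warning ("Site {0}: mixed RPC encryption requirement" -f $_.Name)
        $_.Group | Where-Object { -not $_.EncryptionRequired } |
            ForEach-Object { Write-Warning ("  {0} has EncryptionRequired = False" -f $_.Server) }
    }
}
```

Running this after every new CAS is added catches the case the text describes, where a server joins the organization with a setting different from its neighbors.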
2. Address Book Service
The Address Book service on Client Access servers
replaces the Name Service Provider Interface (NSPI) referral
functionality that used to run on Mailbox servers in previous versions
of Exchange. The purpose of the NSPI is to either refer Outlook clients
to a Global Catalog server or proxy connections to the Global Catalog
server for the client. In the past, this service was provided by the
System Attendant service on the Mailbox server. It now exists on the
CAS as part of the initiative to make this server the primary
connection point for clients. In addition to directory referrals, the
Address Book service writes changes that are made in Outlook to Active
Directory. When the user changes the membership of a distribution
group, manages their list of delegates, or manages their certificates
from Outlook, the Address Book service calls the appropriate EMS cmdlet
to make the change. The Address Book service runs as a Windows service
under the context of the Local System account. The name of the service
is Microsoft Exchange Address Book (MSExchangeAB), and it only runs on
Client Access servers.
The CAS still uses the NSPI to provide directory
services to older clients and to provide directory services to
mailboxes on legacy versions of Exchange Server. When a user whose
mailbox is on an Exchange Server 2003 or an Exchange Server 2007
Mailbox server connects, the Exchange Server 2010 Client Access server
issues a referral to the client to contact the Mailbox server instead.
If the user's mailbox is on an Exchange Server 2010 Mailbox server, the
Exchange Server 2010 Client Access server will either handle the
request itself or refer the client to an Exchange Server 2010 Client
Access server that is in the same site as the user's mailbox.
The Address Book service uses the following steps to provide the address book to the Outlook client:
Outlook contacts the CAS and requests the address book.
The CAS uses Active Directory to gather the mailbox location, Exchange version, and the name of the CAS specified in the RPCClientAccessServer property of the mailbox database.
The CAS uses the information it gathered to tell Outlook which CAS to use for the address book.
The Outlook client connects to the appropriate CAS for accessing the address book.
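As an added example, not taken from the book, the function below reproduces from the shell the lookup the Address Book service performs in step 2 (mailbox location, Exchange version, and the RPCClientAccessServer property of the mailbox database) and reports where the Outlook client would be sent for the address book. It assumes you run it in the Exchange Server 2010 Management Shell and that the mailbox address in the sample call is a placeholder:

```powershell
# Added example: trace the Address Book service's referral decision for one mailbox.
# Version majors used: 6 = Exchange 2003, 8 = Exchange 2007, 14 = Exchange 2010.
function Resolve-AddressBookEndpoint {
    param([Parameter(Mandatory=$true)][string]$Identity)

    $mailbox       = Get-Mailbox -Identity $Identity
    $mailboxServer = Get-ExchangeServer -Identity $mailbox.ServerName
    $major         = $mailboxServer.AdminDisplayVersion.Major

    if ($major -lt 14) {
        # Legacy mailbox: the 2010 CAS refers the client back to the Mailbox server's NSPI.
        $endpoint = $mailboxServer.Name
        $reason   = "legacy mailbox; client is referred to the Mailbox server"
    } else {
        # 2010 mailbox: the CAS named on the database (or a 2010 CAS in that site) serves it.
        $db       = Get-MailboxDatabase -Identity $mailbox.Database
        $endpoint = $db.RpcClientAccessServer
        $reason   = "Exchange 2010 mailbox; RpcClientAccessServer of database " + $db.Name
    }

    New-Object PSObject -Property @{
        Mailbox        = $mailbox.PrimarySmtpAddress
        MailboxServer  = $mailboxServer.Name
        ServerVersion  = $mailboxServer.AdminDisplayVersion
        AddressBookVia = $endpoint
        Reason         = $reason
    }
}

# Sample call; the address is an assumed placeholder, not a real mailbox.
Resolve-AddressBookEndpoint -Identity "user@example.com" | Format-List
```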
3. Mailbox Replication
Mailbox replication is one of the more interesting and welcome
new features of the Exchange Server 2010 Client Access server.
Traditionally, when you wanted to move a mailbox from one server to
another, you would have to open your Exchange management tool (either
the Exchange System Manager or the Move-Mailbox cmdlet in the
Exchange Management Shell) and process the mailbox move from the
computer that you were logged in to. Unless you scheduled the move to
happen later, you would have to remain logged in until the move
completed. Not only that, but users couldn't access their mailbox
during the move.
In Exchange Server 2010, mailbox moves are executed
differently. Instead of the move occurring with the client, the client
simply creates a new move request. Once this move request is created, a
CAS will find the request and fill it. The Mailbox Replication service
actively monitors for move requests and executes them when it finds
them. The Mailbox Replication service runs as a Windows service on the
Client Access servers. The name of the service is Microsoft Exchange
Mailbox Replication Service (MSExchangeMailboxReplication), and it runs
under the context of the Local System account.
The mailbox replication that is performed by the
Mailbox Replication service is done asynchronously. The service can
move mailboxes from Exchange Server 2003/2007/2010 source Mailbox
servers to Exchange Server 2003/2007/2010 target Mailbox servers, with
two exceptions: Exchange 2003 to Exchange 2003 and Exchange 2007 to
Exchange 2007 mailbox moves are not supported.
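As an added example that is not from the book, the function below submits a move request for the Mailbox Replication service to pick up and polls its progress, refusing up front the two combinations the text says are unsupported (2003 to 2003 and 2007 to 2007). It assumes the Exchange Server 2010 Management Shell; the mailbox and database names in the sample call are placeholders:

```powershell
# Added example: queue an asynchronous mailbox move and watch it, after checking
# the source and target server versions (6 = 2003, 8 = 2007, 14 = 2010).
function Start-CheckedMailboxMove {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [Parameter(Mandatory=$true)][string]$TargetDatabase
    )
    $mailbox  = Get-Mailbox -Identity $Identity
    $srcMajor = (Get-ExchangeServer -Identity $mailbox.ServerName).AdminDisplayVersion.Major
    $targetDb = Get-MailboxDatabase -Identity $TargetDatabase
    $dstMajor = (Get-ExchangeServer -Identity $targetDb.Server).AdminDisplayVersion.Major

    # MRS cannot move 2003 -> 2003 or 2007 -> 2007; fail here instead of queuing a request
    # that will never complete.
    if (($srcMajor -eq 6 -and $dstMajor -eq 6) -or ($srcMajor -eq 8 -and $dstMajor -eq 8)) {
        throw ("Move from Exchange version {0} to version {1} is not supported by the Mailbox Replication service" -f $srcMajor, $dstMajor)
    }

    # Asynchronous: this returns immediately. A CAS running MRS finds and executes the request.
    New-MoveRequest -Identity $mailbox.Identity -TargetDatabase $targetDb.Identity | Out-Null

    # Poll until the request reaches a terminal state.
    do {
        Start-Sleep -Seconds 30
        $stats = Get-MoveRequestStatistics -Identity $mailbox.Identity
        Write-Host ("{0}: {1} ({2}% complete)" -f $mailbox.Alias, $stats.Status, $stats.PercentComplete)
    } until ($stats.Status -like "Completed*" -or $stats.Status -like "*Failed*" -or $stats.Status -like "*Suspended")
    $stats
}

# Sample call; both names are assumed placeholders.
Start-CheckedMailboxMove -Identity "user@example.com" -TargetDatabase "DB-Target"
```

Because the move is a request rather than a session-bound operation, you can close the shell after New-MoveRequest returns and check on it later with Get-MoveRequest, which is the change the section describes.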