Saturday, 28 May 2016

Part II: Exchange 2016 vs Exchange 2013: What is the difference?

  • Server role consolidation   
    In previous versions of Exchange, we had option to install the Client Access server role and the Mailbox server role on separate computers. In Exchange 2016, the Client Access server role is installed as part of the Mailbox server role. Client Access server role is not available as a separate installation option. 
    A multi-role Exchange server architecture benefits:
    • Simplified hardware purchasing, maintenance and management of the Exchange servers.
    • Fewer physical Exchange servers resulting in less maintenance costs, less Exchange server licenses, and less rack/floor space, and power requirements.
    • Improved scalability. During a failure, the load on the remaining Exchange multi-role servers increases only incrementally, hence no adverse effect on other exchange functions.
    • Improved resiliency, because a multi-role Exchange server can survive a greater number of Client Access service failures.
  • Search improvements   The local search instance is now can read data from the local mailbox database copy. Hence, no need for passive instances to perform indexing from their Active counterparts.
  • Office Online Server Preview for Outlook on the web document preview  
    In Exchange 2016, Outlook on the web uses Office Online Server Preview to provide rich preview and editing capabilities for documents. You need to deploy Office Online Server Preview in your on-premises environment if you don't already have it.
  • MAPI over HTTP is the default for Outlook connections   
    In Exchange 2016, MAPI over HTTP is enabled by default, and offers additional controls, such as the ability to enable or disable MAPI over HTTP per user, and whether to publish it to external clients.

Exchange 2013 Architecture:

Image Source: Microsoft

Friday, 27 May 2016

Lockdown Mode vSphere 6.0 and 6.5

In order to improve security of ESXi host which is being managed by vCenter server centrally, we enable lockdown mode on ESXi hosts.

ESXi 5.x and prior:

When Lockdown mode is enabled, only the vpxuser has authentication permissions. Other users cannot perform any operations directly on the ESXi host. Lockdown mode forces all operations to be performed through vCenter Server.

When the ESXi host is in lockdown mode, we cannot use vCLI commands, script, or vSphere Management Assistant against the host directly bypassing vCenter Server. External software's or tools like backup agents also might not be able to retrieve or modify information from the ESXi host directly.

ESXi 6.x

With vSphere 6, VMware introduced couple of new concepts into lockdown mode as listed below in order to make it more flexible in nature as compared to its predecessors:
  • Normal Lockdown Mode
  • Strict Lockdown Mode
  • Exception Users 

Normal Lockdown Mode
  • In normal lockdown mode all the direct connections to ESXi servers are blocked.
  • You can manage ESXi Servers via vCenter Server or the other option is that, we can use the direct console user interface (DCUI). DCUI service is not stopped in Normal lockdown mode.
  • If the connection to the vCenter Server system is lost, privileged user accounts can log in to the ESXi host’s Direct Console User Interface (DCUI) and exit from lockdown mode.
Only the following accounts can access the Direct Console User Interface:
  • User accounts in the Exception User list for lockdown mode who have administrative privileges on the host. VMware vSphere 6.0 introduced the Exception User list. Exception users do not lose their privileges when the host enters lockdown mode. We can use the Exception User list to add the accounts of third-party solutions and external applications like backup agents that need to have access to ESXi host directly when the host is in lockdown mode.
  • Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
Strict Lockdown Mode
  • In strict lockdown mode, which is newly introduced in vSphere 6.0, the DCUI service is also stopped.
  • In the event where connection to vCenter serer is lost and we cannot restore the connection to the vCenter Server system, we will have to reinstall the ESXi host.
  • If the connection to vCenter Server is lost, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users list is populated.
  • ESXi Shell and SSH services are independent of lockdown mode. However these services are disabled by default.
  • When a host is in lockdown mode, users on the Exception Users list can access the ESXi host from the ESXi Shell and through SSH.

How to Enable Lockdown Mode:
  • While adding ESXi Host vCenter Server system through add host wizard. 

  • From vSphere Web Client. We can enable both Normal and Strict Lockdown Mode from ESXi server Manage Tab -> Security Profile ->click Edit as highlighted below. 

Select the appropriate mode you want to set on below screen.

  • From Direct Console User Interface (DCUI) 

Note: Privileged users can disable lockdown mode from the vSphere Web Client.

Note: Privileged users can disable normal lockdown mode from the Direct Console Interface (DCUI). These users cannot disable strict lockdown mode from the Direct Console Interface.

Note: DCUI doesn’t have the option of Normal or Strict lockdown mode. When you enable lockdown mode from the DCUI you will get Normal mode by default. Also, If you enable or disable lockdown mode using the Direct Console User Interface, permissions for users and groups on the host are discarded. To preserve these permissions, you can enable and disable lockdown mode using the vSphere Web Client.

Note: If you upgrade a host that is in lockdown mode to ESXi version 6.0 without exiting lockdown mode, and if you exit lockdown mode after the upgrade, all the permissions defined before the host entered lockdown mode are lost. The system assigns the administrator role to all users who are found in the DCUI.Access advanced option to guarantee that the host remains accessible. To retain permissions, disable lockdown mode for the host from the vSphere Web Client before the upgrade.

Wednesday, 25 May 2016

How to add Identity source in vCenter 6.0 Single Sign On?

  • Login to vCenter Web client and on home screen, navigate to Administration section from navigation menu as highlighted in below screenshot.

  • Click on Configuration and then click on green “+” symbol in middle pane as shown in below figure.

  • Once you click add symbol, Identity source details window will pop-up. Select correct identity source as I have selected AD over LDAP and then enter other details as shown in below figure.

  • Once entered all details, click “TestConnection” button. If all information is correct, you should get connection established box. Click OK to close it.
  • Click OK on identity source details window.

  • Once we are completed with this, we should have our identity source added to the list as shown in below figure.

  • Newly added identity source later can be used to search users/groups while granting permissions.

Tuesday, 24 May 2016

VMware Memory reclamation techniques run cycle in vSphere 6.0 PART1

Why Memory reclamation:

ESXi supports memory over commitment in order to provide higher memory utilization and higher ratio of consolidation. In order to effectively support memory over commitment, the hypervisor provides efficient host memory reclamation techniques.

ESXi uses several techniques to reclaim virtual machine memory, which are:
Do check the links for detailed discussion about each of these techniques.

Now the  question is, when do these techniques are running, is it always? is it at specific threshold? So lets explore that too.

Which memory reclamation technique is active will depend upon which memory state is active currently.
 Following are the possible memory states in vSphere.
  • High
  • Clear (New in vSphere 6 onward)
  • Soft
  • Hard
  • Low
 I have explained these states in another article on  Sliding scale method

Below chart explains which memory reclamation technique will be active considering which memory state is active.

  • NOTE: As we all know that vSphere 6 onward, TPS is by default turned OFF. However, if you enable it, the TPS runs always and tries to share memory pages like what we had in old versions of ESXi but this is applicable only on small memory pages i.e. 4KB pages.
  • When available free memory is less than High state but more then Clear state as in chart above then ESXi will start preemptively breaking up large pages so that TPS (If enabled in vSphere 6) can collapse them at next run cycle.
  • If the amount of available free memory is bit less than the Min.FreePct threshold as in chart above, the VMkernel applies ballooning to reclaim memory. 
  • The ballooning memory reclamation technique introduces the least amount of performance impact on the virtual machine by working together with the Guest operating system inside the virtual machine, however there is some latency involved with ballooning.
  • Compression helps to avoid hitting the low state without impacting virtual machine performance, but if memory demand is higher than the VMkernels’s ability to reclaim, drastic measure of Hypervisor swapping is taken to avoid memory exhaustion. 
  • However, hypervisor swapping will introduce VM performance degradation's due to issues like high latancy rate, paging/double paging. For this reason this reclamation technique is used when situation require drastic measurements. 
This post completes the series of posts on Memory reclamation. Lets explore something new in upcoming posts. I hope you enjoyed the series. :)

Below is the list of articles in this series for further reading.

PART2: Mem.minfreepct and sliding scale method 
PART3: Transperent Page sharing 
PART4: VMware Ballooning 
PART5: VMware Memory Compression
PART6: Hypervisor Swapping and Host SSD Swap 

Monday, 23 May 2016

Exchange Server-Shared Mailboxes

A shared mailbox is one of the recipient type in exchange that doesn’t have its own user name and password. Due to this, users can’t log into it them directly. 

To access a shared mailbox, users must first be granted Send As or Full Access permissions to the mailbox. Once that’s done, users sign into their own mailboxes and then access the shared mailbox by adding it to their Outlook profile.  

Shared mailboxes makes it easy for a group of people in your company to monitor and send email from a common account, such as or 

When a person in the group replies to a message sent to the shared mailbox, the email looks like it was sent by the shared mailbox, not from the individual user. 

VMware memory reclamation vSphere 6: Mem.minfreepct and sliding scale method PART2

Before I talk about sliding scale method, lets discuss about MEM.MINFREEPCT value. Eventually this discussion will lead us to understanding sliding scale method.

What is mem.minfreepct value?

MinFreePct determines the amount of memory that the VMkernel should keep free. This threshold is further subdivided in multiple memory thresholds i.e. High, Clear (New in vSphere 6), Soft, Hard and Low. These Memory thresholds are also called as Memory states, and it is introduced to prevent performance and correctness issues.

MinFreePct is not a fixed number instead it is calculated using sliding scale method and the value will depend on the host memory configuration.

Below table helps us to calculate the Minfreepct value.

 Let us understand sliding scale calculation of mem.minfreepct with an example.
  • Lets say I have 100GB of memory in ESXi host. 
  • So from the first 4GB of memory we will set aside 6% of 4GB which is equal to 245MB. 
  • For the second range of 4-12GB, i.e.8GB, we will set aside another 4% of 8GB  which is equal to 327MB.
  • For the third  range of 12-28GB, i.e.16GB, we will set aside 2% of 16GB which is equal to 327MB. 
  • Now from the remaining 72GB (i.e. 100GB host – 28GB) on my ESXi host, we will set aside 1% of 72 GB which is equal to 720MB. 
  • In total, If I sum all memory that I kept aside across all ranges, the value of Mem.MinFree is equal to1619MB. So the 1619MB of Memory, is being kept free for the system. 
  • Now, when the ESXi host has less than 1619MB of free memory, various memory reclamation techniques come in to play like High, Clear, Soft, Hard, and Low.
Memory states and their thresholds:

We referred something about different memory states earlier in this article. So in vSphere 6.0 onward, we have five memory states as listed below.
  • High
  • Clear (New in vSphere 6.0)
  • Soft
  • Hard
  • Low
These memory states are active as per the threshold value. Below table helps us to understand at which threshold these memory state are active.
Based on which memory state is active, respective memory reclamation techniques will kick in. I will talk more about it in another article. 
  • The soft and hard thresholds are related to virtual machine performance and memory starvation prevention.
  • The threshold for the low state protects the VMkernel layer from PSOD issues caused from memory starvation. 
  • The VMkernel employs more drastic memory reclamation techniques when it approaches the Low state
Below is the list of articles in this series for further reading.

PART1: Run cycle of reclamation techniques

PART3: Transperent Page sharing 
PART4: VMware Ballooning 
PART5: VMware Memory Compression
PART6: Hypervisor Swapping and Host SSD Swap

Sunday, 22 May 2016

VMware Memory Reclamation:Hypervisor Swapping PART6

ESXi employs hypervisor swapping to reclaim memory, if other memory reclamation techniques like ballooning, transparent page sharing, and memory compression are not sufficient to reclaim memory.

Transparent Page Sharing (TPS) speed is dependent of possibility to share memory pages, another reclamation technique of ballooning also depends on guest operating system response for memory allocation. Due to all this, these techniques may take time to reclaim memory.

Unlike other techniques, Hypervisor swapping is a guaranteed technique to reclaim a specific amount of memory within a specific amount of time.

At virtual machine start up, the hypervisor creates a separate swap file for the virtual machine (.vswp) inside virtual machine folder by default unless changed the swap file location. This file is used by hypervisor to directly swap out virtual machine physical memory to the swap file. This frees host physical memory and can be used by other virtual machines.

However, hypervisor swapping is used as a last resort to reclaim memory from the virtual machine as there will be performance impact on virtual machine due to some of known issues as listed below.

  • High swap-in latency
  • Page selection problems due to no visibility of guest OS pages.
  • Double paging problems
ESXi employs below methods to address the limitations mentioned above that improves hypervisor swapping performance:
  • Memory compression: To reduce the amount of pages that need to be swapped out while reclaiming the same amount of host memory. For more details on how compression work, do check my other article on the same.
  • SSD Swapping: If an SSD device is installed in the host, we can choose to configure a host SSD Cache. Using swap to host cachedoes not means placing regular swap files on SSD-backed datastores. Even if you enable swap to host cache, the host still needs to create regular swap files. ESXi will use the host cache (SSD) to store the swapped out pages first instead of putting them directly in the regular hypervisor swap file (.vswp). Upon the next access to a page in the host cache, the page will be pushed back to the guest memory and then removed from the host cache. Since SSD read latency, which is normally around a few hundred microseconds, is much faster than typical disk access latency, this optimization significantly reduces the swap-in latency and hence greatly improves the application performance in high memory over commitment scenarios.

How SSD Swap works?

Multiples of 1GB sized .vswp file chunks will be created inside SSD swap. As shown in below figure, 10GB SSD has ten .vswp files created inside it. These files can be seen by browsing the datastore. These .vswp files are not specific to VMs like one we have in shared storage. Each VM has its own regular .vswp in shared storage inside their specific VM folders. However, the .vswp files inside SSD swap will be shared by virtual machines whenever there is need for swapping. 

Below is the list of articles in this series for further reading.

PART1: Run cycle of reclamation techniques
PART2: Mem.minfreepct and sliding scale method 
PART3: Transperent Page sharing 
PART4: VMware Ballooning 
PART5: VMware Memory Compression

Prepare Active Directory and domains for Exchange Server 2016

Before we install Microsoft Exchange Server 2016, we need to prepare Active Directory forest and its domains. This step is required so that exchange 2016 can store information about your user’s mailboxes and the configuration of Exchange servers.

There are a couple of ways we can prepare Active Directory for Exchange.
  • The first option is to let the Exchange 2016 Setup wizard do it during setup. This approach is more suitable if we are doing small deployment and there are no separate teams to manage the servers.
  • The Second option is what as described in below detailed procedure.

NOTE: The account we use to perform these steps will need to be a member of both the Schema Admins and Enterprise Admins security groups.

Extend the Active Directory schema:

Before we extend your schema:

  • The account you're logged in must be a member of the Schema Admins and Enterprise Admins security groups.
  • The computer where you'll run the command to extend the schema needs to be in the same Active Directory domain and site as the schema master.
  • If you use the DomainController parameter, make sure to use the name of the domain controller that's the schema master.
  • The only way to extend the schema for Exchange is to use use Exchange 2016 Setup wizard or the process we are discussing in this article. Other ways of extending the schema are not supported.

Steps to extend Schema:
  1. Open a Windows Command Prompt window and navigate to the Exchange installation files location.
  2. Run the following command to extend the schema. 
  3. Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
NOTE: Once schema is extended, wait for Active Directory to replicate the changes to all domain controllers. We can check replication status using the Repadmin tool.

Prepare Active Directory:

Once Schema extension is completed successfully, we can move to next step to prepare AD. In this process, Exchange will create containers, objects, and other items in Active Directory that will be used to store information.

The collection of all of the Exchange containers, objects, attributes, and so on, is called the Exchange organization.

Before we prepare Active Directory for Exchange:
  • The account you're logged in as needs to be a member of the Enterprise Admins security group.
  • The computer where we'll run the command needs to be in the same Active Directory domain and site as the schema master. It'll also need to contact all of the domains in the forest on TCP port 389.
  • Wait until Active Directory has replicated the changes made in step 1 to all of your domain controllers before you do this step.
Exchange Organization Name:

We need to provide name for the Exchange organization during this step. This name is used internally by Exchange. The name of the company where Exchange is being installed is often used for the organization name. We can name it anything we want, provided that we follow below conditions:
  • Organization Name cannot be blank. 
  • Any uppercase or lowercase letters from A to Z.
  • Numbers 0 to 9.
  • Spaces. However not at the beginning or end of the name. 
  • Hyphen or dash in the name. 
  • The name can be up to 64 characters. 
  • The name can't be changed after its set.
Steps to Prepare AD:
  1. Open a Windows Command Prompt window and navigate to Exchange installation files location.
  2. Run the following command. 
  3. Setup.exe /PrepareAD /OrganizationName:"Organization name" /IAcceptExchangeServerLicenseTerms 

Once AD preparation is completed, wait for Active Directory to replicate the changes to all domain controllers. We can use Repadmin to check the replication status.

Prepare Active Directory domains

The final step to prepare AD for Exchange is to prepare each of the Active Directory domains where Exchange will be installed. 
We can skip this step if we have just one domain as previous step of PrepareAD already prepared the domain for us.

This step creates additional containers and security groups, and sets permissions so that Exchange can access them.

If we have multiple domains in your Active Directory forest, we have a couple of choices in how we can prepare them as listed below. 
  1. /PrepareAllDomains
  2. /PrepareDomain


This parameter will prepare every domain for Exchange in Active Directory forest. Steps to
Open a Windows Command Prompt window and go to where you downloaded the Exchange installation files.
Run the following command:

Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

With this parameter we need to include the fully qualified domain name (FQDN) of the domain we want to prepare.

NOTE: We need to prepare every domain where an Exchange server will be installed. We will also need to prepare any domain that'll contain mail-enabled users, even if those domains do not contain any Exchange servers.

Steps to prepare individual domains:

1. Open windows Command Prompt window & navigate to Exchange installation files location.

2. Run the following command with the FQDN of the domain we want to prepare. We don't have to include the FQDN if we are preparing the domain where we are executing the command.

3. Setup.exe /PrepareDomain:<FQDN of the domain to prepare> /IAcceptExchangeServerLicenseTerms

4. Repeat the steps for each Active Directory domain where we will install an Exchange server or where mail-enabled users will be located.

How to verify installation:
We can use a tool called Active Directory Service Interfaces Editor (ADSI Edit). ADSI Edit is included as part of the Active Directory Domain Services Tools feature in Windows Server 2012 R2 and Windows Server 2012. 
Check the values of below parameters are matching to the values in Exchange 2016 AD versions.
  • In the Schema naming context, verify rangeUpper property on ms-Exch-Schema-Verision-Pt. 
  • In the Configuration naming context, verify objectVersion property in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> 
  • In the Default naming context, verify objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain> 
  • We can also check the Exchange setup log to verify that Active Directory preparation has completed successfully. 
  • We won't be able to use the Get-ExchangeServer cmdlet mentioned until we have completed the installation of at least one Mailbox server role in an Active Directory site.

Exchange 2016 Active Directory versions

The following table shows you the Exchange 2016 objects in Active Directory that get updated with each time you do install a new version of Exchange 2016. 

You can compare the object versions you see with the values in the table below to verify that the version of Exchange 2016 you installed successfully updated Active Directory during installation.

Popular Posts This Week