Latest Posts
If you’ve ever taken a look at the help output (or TechNet documentation) for PowerShell cmdlets, you’ll see that they list several pieces of information about each of the various parameters the cmdlet can use:
- The parameter name
- Whether it is a required or optional parameter
- The .NET variable type the parameter expects
- A description of the behavior the parameter controls
Let’s focus on two particular types of parameters, the Switch (System.Management.Automation.SwitchParameter) and the Boolean (System.Boolean). While I never really thought about it much before reading a discussion on an email list earlier, these two parameter types seem to be two ways of doing the same thing. Let me give you a practical example from the Exchange 2007 Management Shell: the New-ExchangeCertificate cmdlet. Table 1 lists an excerpt of its parameter list from the current TechNet article:
Table 1: Selected parameters of the New-ExchangeCertificate cmdlet
| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| GenerateRequest | Optional | SwitchParameter | Use this parameter to specify the type of certificate object to create. By default, this parameter will create a self-signed certificate in the local computer certificate store. To create a certificate request for a PKI certificate (PKCS #10) in the local request store, set this parameter to $True. |
| PrivateKeyExportable | Optional | Boolean | Use this parameter to specify whether the resulting certificate will have an exportable private key. By default, all certificate requests and certificates created by this cmdlet will not allow the private key to be exported. You must understand that if you cannot export the private key, the certificate itself cannot be exported and imported. Set this parameter to $true to allow private key exporting from the resulting certificate. |
On quick examination, both parameters control either/or behavior. So why the two different types? The mailing list discussion I referenced earlier pointed out the difference:
Boolean parameters control properties on the objects manipulated by the cmdlets. Switch parameters control behavior of the cmdlets themselves.
So in our example, a digital certificate has a property as part of the certificate that marks whether the associated private key can be exported in the future. That property goes along with the certificate, independent of the management interface or tool used. For that property, then, PowerShell uses the Boolean type for the -PrivateKeyExportable parameter.
On the other hand, the -GenerateRequest parameter controls the behavior of the cmdlet. With this parameter specified, the cmdlet creates a certificate request with all of the specified properties. If this parameter isn’t present, the cmdlet creates a self-signed certificate with all of the specified properties. The resulting object (CSR or certificate) has no corresponding sign of what option was chosen – you could just as easily submit that CSR to another tool on the same machine to create a self-signed certificate.
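To make the mechanical side of that distinction concrete, here is an added example (not code from the original post, and not the real New-ExchangeCertificate cmdlet): a toy advanced function with the same two parameter names that produces a plain PowerShell object instead of a certificate. The switch decides which kind of object the function builds; the Boolean is simply carried along as a property of whatever it builds.

```powershell
# Added example modelled on the two New-ExchangeCertificate parameters discussed above.
# It creates a plain object, not a real certificate or request.
function New-DemoCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SubjectName,

        # Switch: controls what the cmdlet DOES (request vs. self-signed certificate).
        # Absent -> $false; -GenerateRequest -> $true; -GenerateRequest:$false -> $false.
        [switch]$GenerateRequest,

        # Boolean: controls a PROPERTY carried by the resulting object.
        # The caller supplies an explicit value: -PrivateKeyExportable $true
        [bool]$PrivateKeyExportable = $false
    )

    # The switch changes the cmdlet's behaviour: which kind of object is produced.
    $objectType = if ($GenerateRequest.IsPresent) { 'CertificateRequest' } else { 'SelfSignedCertificate' }

    # The Boolean travels with the object as one of its properties, whichever
    # kind of object was produced.
    [pscustomobject]@{
        Type                 = $objectType
        Subject              = $SubjectName
        PrivateKeyExportable = $PrivateKeyExportable
        # Which parameters the caller actually bound, to show how each was passed.
        BoundParameters      = ($PSBoundParameters.Keys | Sort-Object) -join ','
    }
}

# Usage: default behaviour, default property value.
New-DemoCertificate -SubjectName 'mail.example.com'

# Switch present (behaviour changes) and Boolean set explicitly (property changes).
New-DemoCertificate -SubjectName 'mail.example.com' -GenerateRequest -PrivateKeyExportable $true

# A switch can be negated with the colon syntax, which is how a wrapper script
# passes a caller's choice through without branching.
New-DemoCertificate -SubjectName 'mail.example.com' -GenerateRequest:$false

# A Boolean parameter cannot be used bare: "-PrivateKeyExportable" with no value
# is a parameter-binding error, so the property value is always explicit.
```

The `BoundParameters` field is there to show that `-GenerateRequest:$false` still counts as a bound parameter even though `IsPresent` is false, which matters if a wrapper inspects `$PSBoundParameters` to decide what to forward.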
I hope this helps draw the distinction. Granted, it’s one I hadn’t thought much about before today, but now that I have, it’s nice to know that there’s yet another sign of intelligence and forethought in the PowerShell architecture.
It’s funny how topics tend to come in clumps. Take the current example: forms-based authentication (FBA) in Exchange.
An FBA Overview
FBA was introduced in Exchange Server 2003 as a new authentication method for Outlook Web Access. It requires OWA to be published using SSL – which was not yet common practice at that point in time – and in turn allowed credentials to be sent a single time using plain-text form fields. It’s taken a while for people to get used to, but FBA has definitely become an accepted practice for Exchange deployments, and it’s a popular way to publish OWA for Exchange 2003, Exchange 2007, and the forthcoming Exchange 2010.
In fact, FBA is so successful, that the ISA Server group got into the mix by including FBA pre-authentication for ISA Server. With this model, instead of configuring Exchange for FBA you instead configure your ISA server to present the FBA screen. Once the user logs in, ISA takes the credentials and submits them to the Exchange 2003 front-end server or Exchange 2007 (or 2010) Client Access Server using the appropriately configured authentication method (Windows Integrated or Basic). In Exchange 2007 and 2010, this allows each separate virtual directory (OWA, Exchange ActiveSync, RPC proxy, Exchange Web Services, Autodiscover, Unified Messaging, and the new Exchange 2010 Exchange Control Panel) to have its own authentication settings, while ISA server transparently mediates them for remote users. Plus, ISA pre-authenticates those connections – only connections with valid credentials ever get passed on to your squishy Exchange servers – as shown in Figure 1:

Figure 1: Publishing Exchange using FBA on ISA
Now that you know more about how FBA, Exchange, and ISA can interact, let me show you one mondo cool thing today. In a later post, we’ll have an architectural discussion for your future Exchange 2010 deployments.
The Cool Thing: Kay Sellenrode’s FBA Editor
On Exchange servers, it is possible to modify both the OWA themes and the FBA page (although you should check about the supportability of doing so). Likewise, it is also possible to modify the FBA page on ISA Server 2006. This is a nice feature as it helps companies integrate the OWA experience into the overall look and feel of the rest of their Web presence. Making these changes on Exchange servers is a somewhat well-documented process. Doing them on ISA is a bit more arcane.
Fellow Exchange 2007 MCM Kay Sellenrode has produced a free tool to simplify the process of modifying the ISA 2006 FBA – named, aptly enough, the FBA Editor. You can find the tool, as well as a YouTube video demo of how to use it, from his blog. While I’ve not had the opportunity to modify the ISA FBA form myself, I’ve heard plenty of horror stories about doing so – and Kay’s tool is a very cool, useful community contribution.
In the next day or two, we’ll move on to part 2 of our FBA discussion – deciding when and where you might want to use ISA’s FBA instead of Exchange’s.
It always seems like every time one thing is fixed, something else breaks. This morning I was working on Project A and I needed to look something up on our ISA 2006 firewall. While I was there I decided that I would look into, and fix, something odd that was happening with Project B's rule. Well, after fixing the rule into a corrupt state, I now had a Project C to work on as well. Corrupt rules are never fun. I was able to figure out how to fix it, but I'm sure it's NOT a supported or recommended procedure.
When I was trying to find out exactly what machine we are routing FTP traffic to, I wanted to take a look at why my IMAP connections seemed to be getting mail that was MONTHS out of date. Looking up and down the list of rules, I found a duplicate IMAP(S) rule that was pointing to an old IP address of our Exchange 2007 server. I figured that somehow, that might be a reason why I'm not getting the correct e-mail. I clicked into the rule, and changed the internal endpoint to our current Exchange 2010 server, clicked Apply and then OK.
On closing out of the ISA Management Console and looking at my e-mail, I noticed that my Inbox was starting to fill up with alerts from System Center: Operations Manager telling me that there was a problem with the configuration on one of our ISA machines, specifically the one that I was logged into. Side Note: I know I should have been looking at the configuration on the Configuration server, not one of the nodes of the array, but the Configuration server is having problems of its own!!!
Logging into the Configuration server, I opened up the Management Console and noticed that the rule I had edited was missing a bunch of information. Clicking on it (right or left) brought up an error dialog stating that "there is not enough memory to perform the action." After much fumbling and scrolling up and down, I realized that the name of the corrupt rule was the same as one farther down on the list, and when I changed the IP, the rules ended up being exactly the same. This led to the node pushing the change up to the configuration server before it was really sure that it SHOULD, and so, I am stuck with this dumb ghost rule. Since I know that I couldn't affect the corrupt rule, I decided to change the name of the good rule, so they wouldn't match! Brilliant!!! (:
Things weren't quite that simple, however, and when I made any changes to anything else on the server, I wasn't able to commit the changes! I kept getting an error that the corrupt rule needed more information before the changes could be saved. Oops! I even tried Exporting the rule set, removing the offending rule from the XML file, and then Importing it back in, but I ran into the same error.
It was time to bite the bullet and following the somewhat sparse directions from this forum post, I fired up ADAM ADSI Edit to remove the offending rule, once and for all.
Even though the directions weren't the best, it was enough for me to get there, so I'll post a little bit more coherent account:
NOTE: I am pretty sure this is NOT supported. Any time you mess with ANY of the raw editing tools, you stand a big chance of messing things up beyond recovery. DO NOT USE these steps if you are not willing to accept total failure as a possible case.
I just uploaded three marketing videos to GetSharp showing features in the 2007 Microsoft Office system:
At first glance these might seem unspectacular, given how late we are in the 2007 release cycle. These videos, however, are essentially a tease for feature videos related to Office 2010, which we will be uploading in the near future.
I've been working with Domino and Lotus for a fairly short amount of time, but every time I have to touch it, I find myself gritting my teeth. I've been a Microsoft Exchange admin for a while, but I have a bunch of experience with several different e-mail platforms. While I am not as familiar with many of them as I am with Exchange, I can set up systems, start e-mail flow, provision users and just generally get by. One of the things that helps me do this is the rich environment of help and documentation that exists out on the Internet. Sometimes the gems of wisdom lurk in forums, sometimes they are on a product's support site, but more often than not, someone else has run into the same problem that I am having. This makes me feel a lot more comfortable and at home with a product, when I know that other people are actually using it and willing to SHARE their experiences.
Well, IBM, you have earned my ire in a bad way!
The situation is that one of the Domino 8.0.1 systems I'm managing needed to have Domino Web Access set up so that the end user didn't have to know the whole long URL to his or her mail database file. In Microsoft Exchange 2003, 2007, and now 2010, this is a built-in feature that, for the most part, works out of the box. So long as the user is configured for Outlook Web Access, they just have to navigate to a website that was installed on the server by default, enter in valid credentials, and off we go.
This is not the case, however for Domino Web Access. By default, once the user is configured to use DWA, they have to type in an exact URL pointing to his or her specific mail database file. I had known this and just ignored it, since Domino didn't install with any web sites enabled as default, but the client wants people to be able to test the DWA experience without having to know that information. So began the journey (my Google searches):
"how to create a lotus notes login page"
"how to create a login page for DWA"
"how to create a login page for Domino web access"
Now, these searches didn't really net me anything useful, so I headed over to IBM's web site and went to the Documentation section to do some digging. After drilling down, I found this page with some helpful steps:
Setting up Domino Web Access Redirect
The Domino Web Access Redirect template (IWAREDIR.NTF) is in the Domino data directory. To set up Domino Web Access Redirect:
- Create an application using the IWAREDIR.NTF template.
- In the IBM® Lotus® Notes® client, open the application that you created.
- Click Setup and follow the prompts to set up Domino Web Access Redirect.
Note If you select MailServer as the Redirection Type under Server Settings, the common name of the Domino mail server must be the same as its fully-qualified TCP/IP domain name. For example, if the mail server field in the Person document is set to serverA/domainA, the server's TCP/IP fully-qualified domain name must be serverA.lotus.com.
Now, I have to say, this was a WTF moment. Once more, I know that I'm not an expert, but I like to think that I can figure things out. This set of instructions, however, left something to be desired. After poking around on the server, I found the template, and with a right-click, I found that "New..." wasn't an option. How am I supposed to create an application?!?!? More Googling:
"lotus domino create new application from template"
"lotus domino create new application template"
Which led me to this page with some more detailed instructions on completing the FIRST step in the previous set of instructions:
1. Open the Notes client.
2. Choose File-Application-New. The New Application box appears.
3. In the New Application box, select the Blank Composite Application template from the Template list.
4. Enter a title in the Title field. The File name is also created for you from your title. You may change the file name if you wish.
5. Click OK. A blank composite application container appears with a message that the application does not have any content.
6. Choose Action-Edit Application to open the Composite Application Editor and begin working on your composite application. You can use the Composite Application Editor to edit the pages, components, and basic properties of a composite application.
This set of instructions is not perfect, but I can steal at least the first two, verbatim, and then monkey around with the settings until I manage to create the new application! Woo! Now I'm getting somewhere...

Basic Overview
Now that Exchange 2010 has been released to beta, it's now time to talk about all the fun things that we've been working on and working with. To start off with, I want to point everyone over to the actual Exchange 2010 Official site.
Now that I've pointed you at the bits, let's get into some details about Database Availability Groups or "The DAG" as it's called! To start off with, it's a pretty simple concept. The DAG uses Windows Failover Clustering Services and a NEW component in Microsoft Exchange, called Active Manager, to allow automatic failover and uses continuous replication to keep copies of a Mailbox database floating on servers other than the one actually hosting the "active" copy. This is VERY simplistic, but I want to gloss over the details for a moment to build up to the details later. What this means is that now, we can host a bunch of copies of a Mailbox database on several servers (up to 16 servers can be in one DAG) and thanks to the magic of continuous replication, the log files are shipped and we can have multiple, concurrent copies of the database. In the event of a failure, Exchange 2010 "promotes" one of the copies of the database to "active" status and the Mailbox role then takes up the task of serving up the mailboxes on that database. Each database maintains separate status, so one server can host copies of multiple databases and only have some of those copies active at one time. This can be confusing, so let's draw a diagram (ooo, pictures!):

In this diagram, we have three servers, and three copies of each database, one on each server. The "active" database copy is the one with the star. The flow of data from the "active" copy to the "passive" copies is concurrent.
Hopefully, it's clear that a copy of each Mailbox database is hosted on two other servers in this scenario. There are actually several reasons for this, so let's start talking about some cases. In the first one, let's say that we lose MBDB01. In this case, it's just a simple failover and the next preferred server will elevate and start hosting the mailboxes (and for those of you wondering, YES you can set the preferred failover scheme; for example, if you want it to go 1, 3, 2 instead of 1, 2, 3, you can set that). That is a pretty simple case, so why else would you want so many copies? In the second case, we could use this type of architecture to fail a server, apply patches, and avoid nasty maintenance downtime, while still being protected if one of the other servers fails during that time. Good 'ole double redundancy. The third case for maintaining at least three copies is that it ensures that there are always enough servers in the DAG, up and running, to allow a quorum for the underlying cluster.

All of the mailboxes are hosted on one server, BUT, you are still able to have users access their e-mail, without long, expensive restores or complicated reconfiguration of your DNS or network!
How it actually works
Earlier on, I mentioned that the DAG uses Windows Failover Clustering and continuous replication to build the copies of the database. What is actually happening is (to me at least) much more interesting. The Windows Failover Clustering service is installed just for the purposes of the automatic failover. The way the databases are treated and how they are handled is much like the Exchange 2007 features of CCR with a few of the SCR features thrown in for good measure. One of the big differences between the DAG and CCR is that you can configure the number of database copies, which allows you to make full use of the Clustering components. One of the reasons why I used the three-server example, above, is because this is what Microsoft has recommended for the cluster to properly determine quorum decisions. You can get by with only two copies, but at least three is the recommended minimum.
One of the great features of using a DAG is that it is completely managed from Exchange. What this means is that when you are configuring the clustering you don't have to be a clustering wizard or HA guru to set it up correctly. Exchange 2010 takes care of all the configuration for you, and as my co-worker Devin says, this is a HUGE win.
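As an added illustration (this is not Microsoft's Active Manager code, and it is a deliberately simplified model), the PowerShell below models the three-server diagram above: the server names, databases and activation preferences are constructed sample data, each database carries its own preference order (DB02 uses the 1, 3, 2 ordering mentioned earlier), and nothing is mounted when fewer than a majority of members are up, which is the quorum point the text makes.

```powershell
# Added example: a toy model of per-database activation preference and node-majority
# quorum in a three-member DAG. All names are constructed sample data.

$Servers = @('MBX01', 'MBX02', 'MBX03')

# Activation preference per database: the copy with the lowest number is tried first.
# DB02 deliberately uses the 1, 3, 2 order; DB03 normally lives on MBX03.
$Copies = @{
    'DB01' = @{ 'MBX01' = 1; 'MBX02' = 2; 'MBX03' = 3 }
    'DB02' = @{ 'MBX01' = 1; 'MBX03' = 2; 'MBX02' = 3 }
    'DB03' = @{ 'MBX03' = 1; 'MBX02' = 2; 'MBX01' = 3 }
}

function Test-Quorum {
    param([string[]]$AllServers, [string[]]$UpServers)
    # Node majority: more than half of the members must be reachable.
    return $UpServers.Count -gt [math]::Floor($AllServers.Count / 2)
}

function Get-ActiveServer {
    param([hashtable]$Preferences, [string[]]$UpServers)
    # Walk this database's copies in preference order and activate the first
    # one that sits on a live server. Each database decides independently.
    foreach ($entry in ($Preferences.GetEnumerator() | Sort-Object Value)) {
        if ($UpServers -contains $entry.Key) { return $entry.Key }
    }
    return $null
}

function Get-DagLayout {
    param([string[]]$UpServers)
    if (-not (Test-Quorum -AllServers $Servers -UpServers $UpServers)) {
        Write-Warning 'Quorum lost: no database can be mounted'
        return
    }
    foreach ($db in ($Copies.Keys | Sort-Object)) {
        [pscustomobject]@{
            Database     = $db
            ActiveServer = Get-ActiveServer -Preferences $Copies[$db] -UpServers $UpServers
        }
    }
}

# Scenario 1: every member is up.
Get-DagLayout -UpServers $Servers

# Scenario 2: MBX01 fails. Only the databases that were active on it move;
# DB02 follows its own 1, 3, 2 order rather than the default.
Get-DagLayout -UpServers @('MBX02', 'MBX03')

# Scenario 3: two members are down. One of three is not a majority, so the
# cluster has no quorum and nothing mounts even though a copy still exists.
Get-DagLayout -UpServers @('MBX03')
```

Scenario 3 is the reason the post recommends at least three members: with two, losing one leaves exactly half the votes, which a plain node-majority model treats as no quorum.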
What people are saying and doing
All this talk about clustering and data redundancy brings up an interesting conversation that is currently floating around, and that is, with a sufficiently robust DAG structure, do you still have a need for on-site backups? This has opened up a whole can of worms, and I can say that I feel confident that using a properly designed DAG scheme can easily replace many of the functions of standard backups. There are still areas that I would feel more comfortable with a reliable set of backups (database corruption or total site failure), but the DAG can mitigate some of the risks.
That being said, the way that we currently are using our DAG is a little bit different than the scenario I laid out above. To get even more complicated, I have plans to modify our structure to take advantage of Network Load Balancing and turn our current structure into one that is aimed at a high amount of availability! Here's the planned structure:

In this particular case, the plan is to basically mirror the servers using NLB to serve up one logical endpoint for the CAS, HT and UM roles (with the Hub Transport, you have to be careful to exclude the HT-to-HT traffic from the NLB, but that's a topic for another post). With that in place, and using the DAG to take care of two copies of a single database, we expand our ability to perform maintenance with minimal downtime to our internal clients while also providing a high amount of uptime in the case of a failure.
EDIT: It looks like, according to Microsoft, the combination of Windows Failover Clustering and Network Load Balancing is NOT SUPPORTED. They also say that it won't work, but I want to give it a try, anyway. This is a big pain since for a small to medium size business, you want to reduce the number of servers you have. This is what the documentation actually has to say:
Unlike Exchange 2007, where clustered mailbox servers required dedicated hardware, Mailbox servers in a DAG can host other Exchange roles (Client Access, Hub Transport, Unified Messaging), providing full redundancy of Exchange services and data with just two servers.
So, now I've talked about the DAG and what it can do, but there is quite a bit more. I'll follow this up shortly with some more advanced features like lag copies, off-site replication and other fun things!
One of the biggest criticisms I’ve seen of the MCM program, even when it first was announced, was the cost – at a list price of $18,500 for the actual MCM program, discounting the travel, lodging, food, and opportunity cost of lost revenue, a lot of people are firmly convinced that the program is way too expensive for anybody but the bigger shops.
This discussion has of course gone back and forth within the Exchange community. I think part of the pushback comes from the fact that MCM is the next evolution of the Exchange Ranger program, which felt very elitist and exclusive (and by many accounts was originally designed to be, back when it was a Microsoft-only program designed to provide a higher degree of training for Microsoft consultants and engineers to better resolve their own customer issues). Starting off with that kind of background leaves a lot of lingering impressions, and the Exchange community has long memories. Paul has a great discussion of his point of view as a new MCM instructor and shares his take on the “is it worth it?” question.
Another reason for pushback is the economy. The typical argument is, “I can’t afford to take this time right now.” Let’s take a ballpark figure here, aimed at the coming May 4 rotation, just to have some idea of the kinds of numbers folks are thinking about:
- Imagine a consultant working a 40-hour week. Her bosses would like her to meet 90% (36 hours) billable. Given two weeks of vacation a year, that’s 50 weeks at 36 hours a week.
- We’ll also imagine that she’s able to bill out at $100/hour. This brings her minimum annual revenue to $180,000. They set her opportunity cost (lost revenue) at $3,600/week.
- We’ll assume she has the pre-requisites nailed (MCITP Enterprise Messaging, the additional AD exam for either Windows 2003 or Windows 2008, and the field experience). No extra cost there (otherwise it’s $150/test, or $600 total).
- Let’s say her plane tickets are $700 for round-trip to Redmond and back.
- And we’ll say that she needs to stay at a hotel, checking in Sunday May 3rd, checking out Sunday May 24th, at a daily rate of $200.
- Let’s also assume she’ll need $75 a day for meals.
That works out to $18,500 (class fee) + $700 (plane) + 21 x $275 (hotel + meals) + 3 x $3,600 (opportunity cost of work she won’t be doing) -- $18,500 + $700 + $5,775 + $10,800 = a whopping total of $35,775. That, many people argue, is far too much for what they get out of the course – it represents just over 10 weeks of her regular revenue, or approximately 1/5th of her year’s revenue.
If those numbers were the final answer, they’d be right.
However, Paul has some great talking points in his post; although he focuses on the non-economic piece, I’d like to tie some of those back in to hard numbers.
- The level of training. I don’t care how well you know Exchange. You will walk out of this class knowing a lot more and you will be immediately able to take advantage of that knowledge to the betterment of your customers. Plus, you will have ongoing access to some of the best Exchange people in the world. I don’t know a single consultant out there who can work on a problem that is stumping them for hours or days and be able to consistently bill every single hour they spend showing no results. Most of us end up eating time, which shows up in the bottom line. For the sake of argument, let’s say that our consultant ends up spending 30% instead of 10% of her time working on issues that she can’t directly bill for because of things like this. That drops her opportunity cost from $3,600/week to $2,520, or $7,560 for the three weeks (and it means she’s only got an annual revenue of $126,000). If she can reduce that non-billable time, she can increase her efficiency and get more real billable work done in the same calendar period. We’ll say she can gain back 10% of that lost time and get up to only 20% lost time, or 32 hours a week.
- The demonstration of competence. This is a huge competitive advantage for two reasons. First, it helps you land work you may not have been able to land before. This is great for keeping your pipeline full – always a major challenge in a rough economy. Second, it allows you to raise your billing rates. Okay, true, maybe you can’t raise your billing rates for all the work that you do for all of your customers, but even some work at a higher rate directly translates to your pocket book. Let’s say she can bill 25% of those 32 hours at $150/hour. That turns her week’s take into (8 x $150) + (24 x $100) = $1,200 + $2,400 = $3,600. That modest gain in billing rates right there compensates for the extra 10% loss of billing hours and pays for itself every 3-4 weeks.
Let’s take another look at those overall numbers again. This time, let’s change our ballpark with numbers more closely matching the reality of the students at the classes:
- There’s a 30% discount on the class, so she pays only $12,950 (not $18,500).
- We’ll keep the $700 for plane tickets.
- From above, we know that her real lost opportunity cost is more like $7,560 (3 x $2,520 and not the $10,800 worst case).
- She can get shared apartment housing with other students right close to campus for more like $67 a night (three bedrooms).
- Food expenses are more typically averaged out to $40 per day. You can, of course, break the bank on this during the weekends, but during the days you don’t really have time.
This puts the cost of her rotation at $12,950 + $700 + (21 x $107) + $7,560, or $23,457. That’s only 66% – two-thirds – of the worst-case cost we came up with above. With her adjusted annual revenue of $126,000, this is only 19%, or just less than 1/5th of her annual revenue.
And it doesn’t stop there. Armed with the data points I gave above, let’s see how this works out for the future and when the benefits from the rotation pay back.
Over the year, our hypothetical consultant, working only a 40-hour work week (I know, you can stop laughing at me now) brings in 50 x $2,520 = $126,000. The MCM rotation represents 19% of her revenue for the year before costs.
However, let’s figure out earning potential in that same year: (47 x $3,600) - ($13,650 + $700 + $2,247) = $152,603. That’s a 20% increase.
Will these numbers make sense for everyone? No, and I’m not trying to argue that they do. What I am trying to point out, though, is that the business justification for going to the rotation may actually make sense once you sit down and work out the numbers. Think about your current projects and how changes to hours and billing rates may improve your bottom line. Think about work you haven’t gotten or been unwilling to pursue because you or the customer felt it was out of your league. Take some time to play with the numbers and see if this makes sense for you.
If it does, or if you have any further questions, let me know.
One of the cool things you can do with OCS is connect your internal organization to various public IM clouds (MSN/Windows Live, Yahoo!, and AOL) using the Public Internet Connectivity, or PIC, feature. As you might imagine, though, PIC involves lots of fiddly bits that all have to work just right in order for there to be a seamless user experience. Recently, lots of people deploying OCS 2007 R2 have been reporting problems with PIC – specifically, in getting connectivity to the AOL IM cloud working properly.
Background
It turns out that the problem has to do with changes that were made to the default SSL algorithm negotiations in Windows Server 2008. If you deployed OCS 2007 R2 Edge roles on Windows Server 2003, you’d be fine; if you used Windows 2008, you’d see problems.
When an HTTP client and server connect (and most IM protocols use HTTPS or HTTP + TLS as a firewall-friendly transport[1]), one of the first things they do is negotiate the specific suite of cryptographic algorithms that will be used for that session. The cipher suite includes three components:
- Key exchange method – this is the algorithm that defines the way that the two endpoints will agree upon a shared symmetric key for the session. This session key will later be used to encrypt the contents of the session, so it’s important for it to be secure. This key should never be passed in cleartext – and since the session isn’t encrypted yet, there has to be some mechanism to do it. Some of the potential methods allow digital signatures, providing an extra level of confidence against a man-in-the-middle attack. There are two main choices: RSA public-private certificates and Diffie-Hellman keyless exchanges (useful when there’s no prior communication or shared set of trusted certificates between the endpoints).
- Session cipher – this is the cipher that will be used to encrypt all of the session data. A symmetric cipher is faster to process for both ends and reduces CPU overhead, but is more vulnerable in principle to discovery and attack (as both sides have to have the same key and therefore have to exchange it over the wire). The next choice is between a stream cipher and a cipher block chaining (CBC) cipher. For streaming, you have RC4 (40 and 128-bit variants). For CBC, you can choose RC2 (40-bit), DES (40-bit or 56-bit), 3DES (168-bit), IDEA (128-bit), or Fortezza (96-bit). You can also choose none, but that’s not terribly secure.
- Message digest algorithm – the message digest is a hash function used to create the Hashed Message Authentication Code (HMAC), which is used to verify the integrity of the encrypted session data. It’s also used to guard against an attacker trying to replay this stream in the future and fool the server into giving up information it shouldn’t. In SSL 3.0, this is just a MAC. There are three choices: null (none), MD5 (128-bit), and SHA-1 (160-bit).
Problem
Windows Server 2003 uses the following suites for TLS 1.0/SSL 3.0 connections by default:
- TLS_RSA_WITH_RC4_128_MD5 (RSA certificate key exchange, RC4 streaming session cipher with 128-bit key, and 128-bit MD5 HMAC; a safe, legacy choice of protocols, although definitely aging in today’s environment)
- TLS_RSA_WITH_RC4_128_SHA (RSA certificate key exchange, RC4 streaming session cipher with 128-bit key, and 160-bit SHA-1 HMAC; a bit stronger than the above, thanks to SHA-1 being not quite as brittle as MD5 yet)
- TLS_RSA_WITH_3DES_EDE_CBC_SHA (you can work out the rest)
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_DES_CBC_SHA
- TLS_DHE_DSS_WITH_DES_CBC_SHA
- TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
- TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
- TLS_RSA_EXPORT_WITH_RC4_40_MD5
- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
- TLS_RSA_WITH_NULL_MD5
- TLS_RSA_WITH_NULL_SHA
Let’s contrast that with Windows Server 2008, which cleans out some cruft but adds support for quite a few new algorithms (new suites bolded):
- **TLS_RSA_WITH_AES_128_CBC_SHA** (Using AES 128-bit as a CBC session cipher)
- **TLS_RSA_WITH_AES_256_CBC_SHA** (Using AES 256-bit as a CBC session cipher)
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- **TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256** (AES 128-bit, SHA 256-bit)
- **TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384** (AES 128-bit, SHA 384-bit)
- **TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521** (AES 128-bit, SHA 521-bit)
- **TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256** (AES 256-bit, SHA 256-bit)
- **TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384** (AES 256-bit, SHA 384-bit)
- **TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521** (AES 256-bit, SHA 521-bit)
- **TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256** (you can work out the rest)
- **TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384**
- **TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521**
- **TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256**
- **TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384**
- **TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521**
- **TLS_DHE_DSS_WITH_AES_128_CBC_SHA**
- **TLS_DHE_DSS_WITH_AES_256_CBC_SHA**
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_RC4_128_MD5
- SSL_CK_RC4_128_WITH_MD5 (not sure)
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (not sure)
- TLS_RSA_WITH_NULL_MD5
- TLS_RSA_WITH_NULL_SHA
Okay, so take a look at line 20 in the second list – see how TLS_RSA_WITH_RC4_128_MD5 got moved from first to darned near worst? Yeah, well, that’s because AES and SHA-1 are the strongest protocols of their type likely to be commonly supported, so Windows 2008 moves those to the default offered. Unfortunately, this causes problems with PIC to AOL.
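To see where a given suite order stands, here is an added audit script (not from the original post) that flags the weak components discussed above (NULL, EXPORT, DES, RC2/RC4, MD5, SSL 2.0) by suite name. It uses the Windows Server 2003 default list from the post as constructed input, and only reads the registry where the SSL Cipher Suite Order policy has been set; the classification rules are my own, not Schannel's.

```powershell
# Added example, not from the original post: classify Schannel cipher suites by
# the weak components named in the post. Rules are name-based and my own.
function Test-CipherSuite {
    param([Parameter(Mandatory = $true)][string]$Suite)

    $issues = @()
    if ($Suite -match '_NULL_')              { $issues += 'no session encryption' }
    if ($Suite -match '_EXPORT')             { $issues += 'export-grade key size' }
    if ($Suite -match '_RC2_|_RC4_')         { $issues += 'RC2/RC4 cipher' }
    if ($Suite -match '_WITH_DES_|_DES_CBC') { $issues += 'single DES (56-bit or less)' }
    if ($Suite -match '_MD5$')               { $issues += 'MD5 MAC' }
    if ($Suite -match '^SSL_CK_')            { $issues += 'SSL 2.0 suite' }
    if ($Suite -match '_anon_')              { $issues += 'anonymous key exchange' }

    New-Object PSObject -Property @{
        Suite   = $Suite
        Forward = ($Suite -match '_(EC)?DHE_')   # ephemeral key exchange: forward secrecy
        Weak    = ($issues.Count -gt 0)
        Issues  = ($issues -join '; ')
    }
}

# Constructed input: the Windows Server 2003 default order quoted in the post.
$server2003Default = @(
    'TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_DES_CBC_SHA', 'TLS_DHE_DSS_WITH_DES_CBC_SHA',
    'TLS_RSA_EXPORT1024_WITH_RC4_56_SHA', 'TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA',
    'TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA', 'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
    'TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5', 'TLS_RSA_WITH_NULL_MD5', 'TLS_RSA_WITH_NULL_SHA'
)

function Get-PolicyCipherSuiteOrder {
    # Where the "SSL Cipher Suite Order" group policy is set, Schannel reads this
    # comma-separated REG_SZ; if it is absent, the built-in default order applies.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $item = Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue
    if ($item -and $item.Functions) { return ($item.Functions -split ',') }
    return $null
}

$suites = Get-PolicyCipherSuiteOrder
if (-not $suites) {
    Write-Host 'No cipher suite order policy set; auditing the constructed 2003 default list.'
    $suites = $server2003Default
}

# Position matters: Schannel offers suites in this order, so weak entries near
# the top are the ones most likely to be negotiated with an old peer.
$i = 0
$suites | ForEach-Object { $i++; Test-CipherSuite $_ | Add-Member NoteProperty Position $i -PassThru } |
    Format-Table Position, Suite, Weak, Forward, Issues -AutoSize
```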
Solution
Now that we know what the problem is, what can we do about it? For the fix, check out Scott Oseychik’s post here.
[1] HTTPS is really Hop Through Tightened Perimeters Simply – aka the Universal Firewall Traversal Protocol.
If you’re tempted to think this is an April Fool’s Day joke, no worries – this is the real deal. Yesterday, Microsoft published the Exchange 2007-aware version of Exchange Server User Monitor (ExMon) for download.
“ExMon?” you ask. “What’s that?” I’m happy to explain!
ExMon is a tool that gives you a real-time look inside your Exchange servers to help find out what kind of impact your MAPI clients are having on the system. That’s right – it’s a way to monitor MAPI connections. (Sorry; it doesn’t monitor WebDAV, POP3, IMAP, SMTP, OWA, EAS, or EWS.) With this release, you can now monitor the following versions of Exchange:
- Exchange Server 2007 SP1+
- Exchange Server 2003 SP1+
- Exchange 2000 Server SP2+
You can find out more about it from TechNet.
Even though the release date isn’t a celebration of April 1st, there is currently a bit of an unintentional joke, as shown by the current screenshot:
Note that while the Date Published is March 31, the Version is only 06.05.7543 – which is the Exchange 2003 version published in 2005, as shown below:
So, for now, hold off trying to download and use it. I’ll update this post when the error is fixed.
This actually happened last week, but I’ve been remiss in getting it posted (sorry, Missy!) Missy recently completed two Exchange 2007 whitepapers, both centered around the CCR story.
The first one, High Availability Choices for Exchange Server 2007: Continuous Cluster Replication or Single Copy Clustering, provides a thorough overview of the questions and issues to be considered by companies who are looking for Exchange 2007 availability:
- Large mailbox support. In my experience, this is a major driver for Exchange 2007 migrations and for looking at CCR. Exchange 2007’s I/O performance increases have shifted the balance from the Exchange store always being I/O bound to its now sometimes being capacity bound, depending on the configuration, and providing that capacity can be extremely expensive in SCC configurations (which typically rely on SANs). CCR offers some other benefits that Missy outlines.
- Points of failure. With SCC, you still only have a single copy of the data – making that data (and that SAN frame) a SPOF. There are mitigation steps you can take, but those are all expensive. When it comes to losing your Exchange databases, storage issues are the #1 cause.
- Database replication. Missy takes a good look at what replication means, how it affects your environment, and why CCR offers a best-of-breed solution for Exchange database replication. She also tackles the religious issue of why SAN-based availability solutions aren’t necessarily the best solution – and why people need to re-examine the question of whether Exchange-based availability features are the right way to go.
- RTO and RPO. These scary TLAs are popping up all over the place lately, but you really need to understand them in order to have a good handle on what your organization’s exact needs are – and which solution is going to be the best fit for you.
- Hardware and storage considerations. Years of cluster-based availability solutions have given many Exchange administrators and consultants a blind spot when it comes to how Exchange should be provisioned and designed. These solutions have limited some of the flexibility that you may need to consider in the current economic environment.
- Cost. Talk about money and you always get people’s attention. Missy details several areas of hidden cost in Exchange availability and shows how CCR helps address many of these issues.
- Management. It’s not enough to design and deploy your highly available Exchange solution – if you don’t manage and monitor it, and have good operational policies and procedures, your investment will be wasted. Missy talks about several realms of management.
I really recommend this paper for anyone who is interested in Exchange availability. It’s a cogent walkthrough of the major discussion points centering around the availability debate.
Missy’s second paper, Continuous Cluster Replication and Direct Attached Storage: High Availability without Breaking the Bank, directly addresses one of the key assumptions underneath CCR – that DAS can be a sufficient solution. Years of Exchange experience have slowly moved organizations away from DAS to SAN, especially when high availability is a requirement – and many people now write off DAS solutions out of habit, without realizing that Exchange 2007 has in fact enabled a major switch in the art of Exchange storage design.
In order to address this topic, Missy takes a great look at the history of Exchange storage and the technological factors that led to the initial storage design decisions and the slow move to SAN solutions. These legacy decisions continue to box today’s Exchange organizations into a corner with unfortunate consequences – unless something breaks demand for SAN storage.
Missy then moves into how Exchange 2007 and CCR make it possible to use DAS, outlining the multiple benefits of doing so (not just cost – but there’s a good discussion of the money factor, too).
Both papers are outstanding; I highly recommend them.
Although Windows Server 2008 offers an impressive built-in firewall, in some cases we Exchange administrators don’t want to have to deal with it. Maybe you are building a demo to show a customer, or a lab environment to reproduce an issue. Maybe you just want to get Exchange installed now and will loop back to deal with fine-tuning firewall issues later. Maybe you have some other firewall product you’d rather use. Maybe, even, you don’t believe in defense in depth – or don’t think a server-level firewall is useful.
Whatever the reason, you’ve decided to disable the Windows 2008 firewall for an Exchange 2007 server. It turns out that there is a right way to do it and a wrong way to do it.
The wrong way
Stopping the Windows Firewall service and disabling it seems pretty intuitive to long-term Exchange administrators who are used to Windows Server 2003. The problem is, the Windows firewall service in Windows 2008 has been re-engineered and works a bit differently. It now includes the concept of profiles, a feature that is built into the networking stack at a low level, enabling Windows to identify the network you’re on and apply the appropriate set of configuration (such as enabling or disabling firewall rules and services).
Because this functionality is now tied into the network stack, disabling the Windows Firewall service and shutting it off can actually lead to all sorts of interesting and hard-to-fix errors.
The right way
Doing it the right way involves taking advantage of those network profiles.
Method 1 (GUI):
- Open the Windows Firewall with Advanced Security console (Start, Administrative Tools, Windows Firewall with Advanced Security).
- In the Overview pane, click Windows Firewall Properties.
- For each network profile (Domain network, Public network, Private network) that the server or image will be operating in, set Firewall state to Off. Typically, setting the Domain network profile is sufficient for an Exchange server, unless it’s an Edge Transport box.
- Once you’ve set all the desired profiles, click OK.
- Close the Windows Firewall with Advanced Security console.
Method 2 (CLI):
- Open your favorite CLI interface: CMD.EXE or PowerShell.
- Type the following command:
netsh advfirewall set profiles state off
Fill in profiles with one of the following values:
- DomainProfile -- the Domain network profile. Typically the profile needed for all Exchange servers except Edge Transport.
- PrivateProfile -- the Private network profile. Typically the profile you'll need for Edge Transport servers if the perimeter network has been identified as a private network.
- PublicProfile -- the Public network profile. Typically the profile you'll need for Edge Transport servers if the perimeter network has been identified as a public network (which is what I'd recommend).
- CurrentProfile -- the currently selected network profile
- AllProfiles -- all network profiles
- Close the command prompt.
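Before touching a box, it helps to know which way it was done. This added check script (not from the original post) parses netsh advfirewall output and reports the profile states alongside the Windows Firewall service (MpsSvc) status, so a server where the service was stopped or disabled (the wrong way) stands out from one where only the profile state is off (the right way). It assumes the English netsh output format of Windows Server 2008.

```powershell
# Added example, not from the original post: audit firewall state per profile
# and confirm the MpsSvc service is still running. Assumes English netsh output.
function Get-FirewallProfileState {
    # Each profile block in "netsh advfirewall show allprofiles state" starts
    # with "<Name> Profile Settings:" and contains a "State ON|OFF" line.
    $current = $null
    $result = @{}
    & netsh advfirewall show allprofiles state | ForEach-Object {
        if ($_ -match '^(\w+) Profile Settings:') { $current = $Matches[1] }
        elseif ($current -and $_ -match '^State\s+(ON|OFF)') { $result[$current] = $Matches[1] }
    }
    return $result
}

function Test-FirewallDisabledCorrectly {
    $svc = Get-Service -Name MpsSvc            # the Windows Firewall service
    $startup = (Get-WmiObject Win32_Service -Filter "Name='MpsSvc'").StartMode
    $states = Get-FirewallProfileState

    $report = New-Object PSObject -Property @{
        ServiceStatus  = $svc.Status
        ServiceStartup = $startup
        DomainProfile  = $states['Domain']
        PrivateProfile = $states['Private']
        PublicProfile  = $states['Public']
    }

    if ($svc.Status -ne 'Running' -or $startup -eq 'Disabled') {
        # The wrong way: profile detection lives in this service, so stopping it
        # is what produces the hard-to-fix errors described above.
        Write-Warning 'MpsSvc is stopped or disabled (the wrong way).'
        Write-Warning 'Fix: Set-Service MpsSvc -StartupType Automatic; Start-Service MpsSvc; then set profile state off.'
    } elseif (@($states.Values) -contains 'OFF') {
        Write-Host 'Firewall off for one or more profiles with MpsSvc running (the right way).'
    } else {
        Write-Host 'Firewall is on for every profile.'
    }
    return $report
}

Test-FirewallDisabledCorrectly | Format-List
```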
And there you have it – the right way to disable the Windows 2008 firewall for Exchange Server 2007, complete with FAIL/LOLcats.
My new white paper on CCR and DAS is now available!!
Continuous Cluster Replication and Direct Attached Storage: High Availability Without Breaking the Bank can be found on 3Sharp's Notable Accomplishments page, or downloaded directly from the link I've provided. Here's a quick synopsis of the paper:
The days of 2GB drives, tiny user mailbox sizes, and limiting Exchange Server to run on a single database have long since passed; storage options now abound, and disk space is cheap. Over the past ten years, storage area networks (SANs) have become ubiquitous, and IT management has often been persuaded that all data should reside on the SAN. However, the idea that the SAN is the best option for Exchange Server storage needs to be revisited; there are other options available today that provide the necessary reliability at greatly reduced cost.
The choice of building Exchange Server 2007 as a 64-bit architecture, and the availability of massive, cheap RAM, leads to greatly-reduced input/output operations per second (IOPS) for disk access. The synchronicity between this fact, and the availability of cheap disk space allows organizations to rethink their approach to storage. In this whitepaper, we explain the benefits of using Direct Attached Storage (DAS) as opposed to a SAN for Exchange Server Cluster Continuous Replication (CCR). We argue the use of DAS for CCR clusters, and provide a counterpoint to the idea that a SAN is the best storage option for CCR deployments.
My new white paper on CCR vs. SCC is now available!!
High Availability Choices for Exchange Server 2007: Continuous Cluster Replication or Single Copy Clustering can be found on 3Sharp's Notable Accomplishments page, or downloaded directly from the link I've provided. Here's a quick synopsis of the paper:
With today's reliance on e-mail services, the need for highly available systems where messaging services must be accessible at all times has become more apparent, and organizations are making significant investments in their messaging systems. Many organizations have come to the conclusion that redundancy is the only reliable way to keep e-mail services continuously available to their users. Exchange Server 2007 includes numerous high availability options that provide continuity of service and redundancy to help ensure messaging services are always up and operational. This whitepaper describes the benefits of Cluster Continuous Replication (CCR) for Exchange Server 2007, in contrast with Single Copy Clustering (SCC), and details the advantages and disadvantages of each.
With all the nifty features and functions that are available in the new version of OCS, I can't really see a reason to hold back and NOT migrate. Being the type of company that we are, it's important to keep up with the latest products and show that we can make them work. That being said, sometimes it's hard to hit the ground running when you don't have a large customer base for that type of work.
One of the struggles with any small company is that with the limited resources available, sometimes you can't set up a whole new lab environment just to test the new software. In my case, my work on other paying projects put a lot of internal IT projects on hold. This is not to say that the projects were being ignored, just that they took a much lower priority than I would have liked to assign them.
My current project of love and devotion is our migration as a company to Office Communications Server 2007 R2, which was recently released. This is a big deal to me, being a Unified Communications consultant, so I've taken the time at work and at home to learn about what needs to be done.
I don't want to sit here and outline all the dinky step-by-step screen shots, since I'm sure that there are other sites out there that have those. What I'd rather do is outline the thought process and planning steps that are required for the migration.
Okay, on to the fun stuff... Let's talk about migration paths!
Supported Migration Paths
Microsoft has put a bunch of OCS 2007 R2 documentation on Technet, but none of it is available for download, so I'll just sum up some of the recommendations and provide the link so that you can get more detail about them on the site. Oh, wait... There isn't any more detail!
To start off with, there are two supported upgrade or migration paths:
- Side-by-side migration
- Uninstall/reinstall
Side-by-side Migration
This is the one that sounded like a really good idea for us, due to my limited time to ensure that everything was set up correctly. In this scenario, you stand up a second pool in the same Forest and then migrate users at your leisure.
Pros:
- You have the ability to deploy the environment and validate/test it before you deploy it
- It could be done with minimal downtime for users, theoretically no loss of service
- Pool co-existence allows for cross communication and migration
Uninstall/reinstall
For this install, the process is dead simple. You remove all the old stuff, and you install the new stuff. Of course, there are more steps to it than that, but the idea is pretty simple. I didn't think that this would be a good fit for us because of the downtime that would be incurred. Okay, who am I kidding? I didn't want to take the time to listen to people complain about downtime. I think we, as a company, could handle it.
Pros:
- It minimizes the use of extra hardware (rebuild on the same platform)
- The installation is simplified when dealing with back ends (more on this in the details)
- This is a good chance to completely rebuild and redesign your OCS infrastructure
The Devil is in the Details
When the dust settles, it all comes down to what the details of the situation actually are. In the case of migrating any production system from one version to another, there are going to be a host of issues and minor settings that can either slip through the cracks or come back to bite you later. The details always start out as a high-level overview and then drill down to individual check boxes and radio buttons.
In Part 2, I'll cover the details of the Side-by-side Migration and in Part 3 I'll cover the Uninstall/reinstall details. More to follow!
The Microsoft Exchange Product Group has a pretty cool tool available online (in Beta) that I learned about at the E14 Airlift (don't worry, it's not for Exchange 14), called the Microsoft Exchange Server Remote Connectivity Analyzer. This tool offers several tests that can be run against your Exchange infrastructure to see if things are configured correctly, including:
- MS Exchange ActiveSync Test, which simulates a mobile device connecting to Exchange Server
- MS Exchange ActiveSync Autodiscover Test, which simulates the steps a mobile device takes to connect to the AutoDiscover service
- MS Outlook 2007 Autodiscovery Connectivity Test, which simulates the steps Outlook 2007 takes to connect to the AutoDiscovery service
- MS Outlook 2003 RPC/HTTP Connectivity Test, which simulates the steps Outlook 2003 takes to connect to Exchange using RPC over HTTP
- Inbound SMTP Email Test, which simulates sending e-mail to your Exchange Server using SMTP
It's a pretty cool tool - you first choose one of the radio buttons, then simply click Next. You're then presented with fields where you enter your server name (obviously, use the Internet-facing name here) and your credentials (they do want a domain password, but they promise not to store it and to use SSL to encrypt it; as always, YMMV, and use caution). There's also a challenge in the form of one of those annoyingly garbled strings of letters that are hard to see, but that keep automated systems from using the form. (I hate these things and always mess up the first try, but I understand why they're there.) Once you've filled out the forms and agreed to the terms of service, a simple click is all it takes to start the test. I just ran through the test, using 3Sharp as the target, and here's a snippet from our results (with some of the fields changed, which I've italicized; my goal is to show you what kind of results you'd see, not to show you everything we do here at 3Sharp):
Attempting to Resolve the host name server.3sharp.com in DNS.
Host successfully Resolved
Additional Details
IP(s) returned: 1.1.1.1
Testing TCP Port 443 on host server.3sharp.com to ensure it is listening/open.
The port was opened successfully.
Testing SSLCertificate for validity.
The certificate passed all validation requirements.
Additional Details
Subject: CN=server.3sharp.com, OU=Domain Control Validated, O=server.3sharp.com, Issuer SERIALNUMBER=12345678, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Testing Http Authentication Methods for URL https://server.3sharp.com/Microsoft-Server-Activesync/
Http Authentication Methods are correct
Additional Details
Found all expected authentication methods and no disallowed methods Methods Found: Basic realm="server.3sharp.com"
Attempting an Activesync session with server
Errors were encountered while testing the ActiveSync session
Test Steps
Attempting to send OPTIONS command to server
Testing the OPTIONS command failed. See Additional Details for more info
Additional Details
A Web Exception occured because an HTTP 401 - Unauthorized response was received from IIS6
All in all, it's a pretty cool tool, and alleviates the need for you to get to a remote desktop to test your environment's connectivity. I was surprised I hadn't heard about it before, and thought I'd share this so more folks can try out the site!
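If you want to run the same first few ActiveSync steps from your own machine (for example to confirm a 401 like the one above is really coming from the server), here is an added PowerShell script that reproduces them: DNS resolution, TCP 443, certificate validation, the WWW-Authenticate check, and OPTIONS without and then with credentials. It is not the analyzer's code or from the original post; $HostName is a placeholder, and the expected/disallowed authentication method sets are my assumptions.

```powershell
# Added example, not from the original post or the analyzer: walk the ActiveSync
# test steps against your own server. Placeholder host and assumed method sets.
param([string]$HostName = 'server.example.com')   # placeholder, not a real host

$url = "https://$HostName/Microsoft-Server-ActiveSync/"
$expectedMethods   = @('Basic')             # assumption: Basic over SSL, as in the output above
$disallowedMethods = @('NTLM', 'Negotiate') # assumption: should not be offered to devices

# Step 1: resolve the Internet-facing name
$ips = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
"Resolved $HostName to $($ips -join ', ')"

# Step 2: make sure something is listening on 443
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($HostName, 443); 'TCP 443 is open' } finally { $tcp.Close() }

# Steps 3 and 4: an anonymous OPTIONS should come back 401 with the offered
# authentication methods. .NET validates the certificate chain and name before
# any HTTP exchange, so a trust failure surfaces as a WebException with no Response.
$req = [System.Net.HttpWebRequest]::Create($url)
$req.Method = 'OPTIONS'
try {
    $resp = $req.GetResponse()
    "Unexpected: anonymous OPTIONS returned HTTP $([int]$resp.StatusCode)"
    $resp.Close()
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if ($resp -eq $null) { throw "Connection or certificate failure: $($_.Exception.Message)" }
    "Certificate subject: $($req.ServicePoint.Certificate.Subject)"
    "Anonymous OPTIONS returned HTTP $([int]$resp.StatusCode)"
    # Header values look like 'Basic realm="server"'; keep only the scheme name
    $offered = @($resp.Headers.GetValues('WWW-Authenticate')) | Where-Object { $_ } |
        ForEach-Object { ($_ -split '\s+')[0] }
    "Methods found: $($offered -join ', ')"
    $missing = $expectedMethods | Where-Object { $offered -notcontains $_ }
    $bad     = $offered | Where-Object { $disallowedMethods -contains $_ }
    if ($missing) { Write-Warning "Missing expected method(s): $($missing -join ', ')" }
    if ($bad)     { Write-Warning "Disallowed method(s) offered: $($bad -join ', ')" }
    $resp.Close()
}

# Step 5: OPTIONS with credentials. A 401 here is the failure shown above; a
# healthy server answers 200 and lists its versions in MS-ASProtocolVersions.
$cred = Get-Credential
$req = [System.Net.HttpWebRequest]::Create($url)
$req.Method = 'OPTIONS'
$req.Credentials = $cred.GetNetworkCredential()
try {
    $resp = $req.GetResponse()
    "Authenticated OPTIONS returned HTTP $([int]$resp.StatusCode)"
    "Supported ActiveSync versions: $($resp.Headers['MS-ASProtocolVersions'])"
    $resp.Close()
} catch [System.Net.WebException] {
    $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'none' }
    Write-Warning "Authenticated OPTIONS failed (HTTP $code): $($_.Exception.Message)"
}
```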
The Microsoft MVP Global Summit takes place next week in Redmond, Washington (although the attendees will stay in Seattle proper and be bussed out to Redmond each day). This is an event I've always looked forward to, but won't be attending this year because I lost my status as an MVP this past October (turns out that you really do need to participate in the community - something I knew, but had let slide some the past few years). I was an MVP for Exchange Server from 1999 until 2008, though, and that's not a bad run.
So my intention is to step back up to the plate in terms of community contributions - which means updating this blog more regularly, answering questions in the Microsoft newsgroups and other venues, and getting back to writing more.
To my MVP friends who will be at the Summit, have a great time, and enjoy your time with the Product Group. The Exchange Product Group is incredibly open and responsive, and I'll miss having face time with them (I was fortunate enough to see many of them at the E14 Airlift a few weeks ago, but more is always better!)
A quick note of congratulations to my teammate Devin Ganger who recently passed the (grueling, I'm sure) lab to achieve Microsoft Certified Master status for Exchange Server 2007. This is a great achievement, and I'm thrilled for Devin!
Who, me? I have fantasies about becoming an MCM for Exchange, but the intensive three-week class keeps scaring me away - not because I don't think I could handle the technical aspect of the training, but more because it's hard on the family when I'm gone that long.
That said, if the opportunity arises to attend the training, I don't think I could turn it down. It's just too awesome to miss if you get the chance to go!
So, you haven't seen a lot of me on the blog lately. The sad part is that I have three or four blog posts in various states of completion, I just seem to have very little time these days to work on it. I think part of it is that ever since my MCM Exchange 2007 class last October, I felt like I had a big burden of unfinished business on my shoulders.
Happily, that's not the case anymore. Yesterday I retook and passed the lab and received word that I have officially earned the coveted Microsoft Certified Master | Exchange 2007 certification. While I'm taking this moment to express my utmost relief about this, be assured I've got plenty more to say about it in an upcoming blog post, but it'll have to wait.
I've also been re-awarded as an Exchange MVP -- 3 years, wow! -- and continue to be going full-bore with that. I have become very deeply aware that my continued presence in the Microsoft communities is in large part due to the fantastic caliber of people who are involved in them. A friend once mentioned the "open source community" as if it was a singular community and I had to laugh; from my experience, it's anything but. Consider the following examples:
- KDE vs. Gnome
- Linux vs. BSD
- Linux distro vs. Linux distro
- Sun Java vs. IBM Java
- Tomcat vs. other Java frameworks
- Sendmail vs. Postfix vs. Exim
- Bernstein vs. everyone else
- Stallman/FSF vs. everyone else
I made the initial mental leap from "Unix IT pro who knows Windows" to being a "Windows IT pro who knows Unix" because of the management challenges I saw Active Directory and Group Policy addressing, but I stayed for the people. Including people like you, reading my blog.
On that note, since I know many of you started reading me because of seeing me at conferences: I will not be at Spring Connections this year. I know, right? Anyway, it's all for the best; things are shaping up to be busy and it will be nice to have one year when I'm not flying to Orlando. This is even more awesome because I will be at Tech-Ed, giving both a breakout session and an Interactive Theater session. More details as we get closer. I've also got a great project that I'm working on that I hope to be able to announce later.
Oh, hey, have you seen 3Sharp's new podcasting site, built entirely on the Podcasting Kit for SharePoint that we were the primary developers for? I've got a few podcasts in the works...so if you've got any questions or ideas of short subjects you'd like me to talk about, let me know!
Alright, folks -- it's late and my Xbox is calling me! (My wife and kids probably want a word with me too.)
Microsoft has recently released a pair of Outlook 2007 updates (okay, technically, they're updates for Outlook 2007 with SP1 applied) that you might want to look at installing sooner rather than later. These two updates are together being billed as the "February cumulative update" at KB 968009, which has some interesting verbiage about how many of the fixes were originally slated to be in Outlook 2007 SP2:
The fix list for the February CU may not be identical to the fix list for SP2, but for the purposes of this article, the February CU fixes are referred to synonymously with the fixes for SP2. Also, when Office suite SP2 releases, there will not be a specific package that targets only Outlook.
Let's start with the small one, KB 697688. This one fixes some issues with keyboard shortcuts, custom forms, and embedded Web browser controls.
Okay, with that out of the way, let's move on to juicy KB 961752, an unlooked-for roll-up containing a delectable selection of fixes. Highlights include:
- Stability fixes
- SharePoint/Outlook integration
- Multiple mailbox handling behavior
- Responsiveness
From reports that I've seen, users who have applied these two patches are reporting significantly better response times in Outlook 2007 cached mode even when attaching to large mailboxes or mailboxes with folders that contain many items -- traditionally, two scenarios that caused a lot of problems for Outlook because of the way the .ost stored local data. They've also reported that the "corrupted data file" problem that many people have complained about (close Outlook, it takes forever to shut down so writes to the .ost don't fully happen) seems to have gone away.
Note that you may have an awkward moment after starting Outlook for the first time after applying these updates: you're going to get a dialog something like this:
"Wait a minute," you might say. "First use? Where's my data?" Chillax [1]. It's there -- but in order to do the magic, Outlook is changing the structure of the existing .ost file. This is a one-time operation and it can take a little bit of time, depending on how much data you've got stuffed away in there (I've currently got on the order of 2GB or so, so you can draw your own rough estimates; I suspect it also depends on the number/depth of folders, items per folder, number of attachments, etc.)
Once the re-order is done, though, you get all the benefits. Faster startup, quicker shut-down, and generally more responsive performance overall. This is seriously crisp stuff, folks -- I opened my Deleted Items folder (I hardly ever look in there, I just occasionally nuke it from orbit) and SNAP! everything was there as close to instantly as I can measure. No waiting for 3-5 (or 10, or 20) seconds for the view to build.
[1] A mash-up of "chill" and "relax". This is my new favorite word.
I would like to thank everyone who has purchased our book Building Content Type Solutions in SharePoint 2007 (all three of you ☺). In a previous lifetime, I was a copy editor at a daily newspaper. That experience helped me to notice a few things that were slightly "off" when re-reading my own work. So, in an effort to bring you the highest quality of reading material, I want to point out the following corrections in the first printing:
- Page 48, first paragraph, ninth line - It should read "The New Site Column page allows you to define a site column...". The "to" is missing. I know that is a picky catch, but I am a picky person.
- Page 55, second line of the note - The name of the Office Word 2007 document template that is available at http://www.courseptr.com/downloads is Performance_Appraisal.docx. Note the "_" character between "Performance" and "Appraisal".
- Page 89, first paragraph, fourth line - It should read "...which will be displayed in the date picker content control...". The AppraisalDate column is mapped to a date picker content control, not a plain text content control.
- Page 122, first paragraph, third line - It should read "...can contain a hard-coded link to the appraiser document library...". In the email message body, we provide a link to the library, not the appraisal document.
Hopefully, these and other minor errors will be cleaned up in subsequent book printings.
The Podcasting Kit for SharePoint (PKS) was originally designed to work in a single server MOSS environment. Way back when we here at 3Sharp were writing the original Tech Preview versions, we decided to keep it simple while we were developing the original features. This made testing on our own local VMs much easier. Besides, it was a tech preview. No need to worry about high availability production environments yet.
Now, with the later Beta releases, more people want to install PKS on SharePoint farms, as is normal in a production SharePoint environment. This still isn't currently supported by PKS, but it is possible if you are willing to get your hands dirty.
So, in this "Part 1" post, I'm going to give some tips on how to get through the first part of the deployment of the December Beta. Note: this will not be enough to get everything working, but you will be able to at least see the home page without getting errors.
First things first, get SharePoint up and running with a regular "collaboration portal" on your farm.
Next, follow the setup instructions up through the "Welcome Page" section. When you go to the home page now, you will probably see the message "Unknown server tag 'asp:ScriptManager'". This is because the installer was not able to properly set up the web.config file during the install, and the keys needed for ASP.NET AJAX are missing. [The AJAX framework is used by Silverlight]
Luckily, having been the developer who originally developed the Silverlight controls, I still had a copy of the required changes lying around... and here they are:
1. Add to the <configSections> element:
<configSections>
<sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"/>
<sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="Everywhere" />
<section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication" />
<section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication" />
</sectionGroup>
</sectionGroup>
</sectionGroup>
</configSections>
2. Add a safe control entry for System.Web.UI from the Microsoft AJAX Extensions within the <SharePoint><SafeControls> element:
<SafeControls>
<SafeControl Assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="System.Web.UI" TypeName="*" Safe="True" />
</SafeControls>
3. Add these new registrations at the end of the <httpHandlers> element:
<httpHandlers>
<add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false"/>
</httpHandlers>
4. At the end of the <httpModules> section, add a new registration:
<httpModules>
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</httpModules>
5. In <compilation><assemblies> add:
<assemblies>
<add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</assemblies>
6. In <system.web><pages…> add:
<pages enableSessionState="false"…>
<controls>
<add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</controls>
</pages>
7. Add the following at the bottom of the Web.config, before the </configuration> tag:
<system.web.extensions>
<scripting>
<webServices>
<!-- Uncomment this line to enable the authentication service. Include requireSSL="true" if appropriate. -->
<!--
<authenticationService enabled="true" requireSSL = "true|false"/>
-->
<!-- Uncomment these lines to enable the profile service. To allow profile properties to be retrieved and modified in ASP.NET AJAX applications, you need to add each property name to the readAccessProperties and writeAccessProperties attributes. -->
<!--
<profileService enabled="true"
readAccessProperties="propertyname1,propertyname2"
writeAccessProperties="propertyname1,propertyname2" />
-->
</webServices>
<!--
<scriptResourceHandler enableCompression="true" enableCaching="true" />
-->
</scripting>
</system.web.extensions>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules>
<add name="ScriptModule" preCondition="integratedMode" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</modules>
<handlers>
<remove name="WebServiceHandlerFactory-Integrated" />
<add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode"
type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</handlers>
</system.webServer>
8. Save the Web.config file.
Whew. Don't copy these changes to your other front-end servers just yet - there are more. If you point your browser to the first server you've updated, you'll now see an error message about the site map provider SPLeftNavigationProvider. Luckily, I was the author of this component also! There are two more nodes you'll need to add to the web.config file.
Under <siteMap><providers> add the following keys:
<add name="SpLeftNavigationProvider" type="PKS.Sharepoint.Navigation.SpLeftNavigationProvider, PKS.Sharepoint.Navigation, Version=1.5.0.0, Culture=neutral, PublicKeyToken=3a737f14c332a521" siteMapList="PKS Left Navigation Items" isMobileView="false" />
<add name="PKSNavigationProviderMobile" type="PKS.Sharepoint.Navigation.SpLeftNavigationProvider, PKS.Sharepoint.Navigation, Version=1.5.0.0, Culture=neutral, PublicKeyToken=3a737f14c332a521" siteMapList="PKS Left Navigation Items" isMobileView="true" />
Now you can save the web.config and copy it out to the other front-end servers you may have.
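Before copying the file out, it is worth checking mechanically that every registration from the steps above actually made it into the web.config on each front end. The script below is an added example, not part of the original post or of PKS: it parses a web.config with Python's standard XML parser, reports which of the required entries are absent, and flags the authentication service if it has been enabled without requireSSL="true" (the post's own comment in step 7 says to include it where appropriate). The two configuration strings are constructed miniatures that contain only the elements being checked; the XPath-style element paths are those the steps name.

```python
"""Audit a SharePoint web.config for the ASP.NET AJAX registrations the steps
above add. Added example, not part of the original post or of PKS."""
import xml.etree.ElementTree as ET

AJAX = ("System.Web.Extensions, Version=3.5.0.0, Culture=neutral, "
        "PublicKeyToken=31bf3856ad364e35")

# (label, path below <configuration>, attribute, substring the attribute must contain)
REQUIRED_ENTRIES = [
    ("SafeControl for System.Web.UI",
     "SharePoint/SafeControls/SafeControl[@Namespace='System.Web.UI']", "Assembly", "System.Web.Extensions"),
    ("httpHandlers: ScriptHandlerFactory for *.asmx",
     "system.web/httpHandlers/add[@path='*.asmx']", "type", "ScriptHandlerFactory"),
    ("httpModules: ScriptModule",
     "system.web/httpModules/add[@name='ScriptModule']", "type", "ScriptModule"),
    ("compilation/assemblies reference",
     "system.web/compilation/assemblies/add", "assembly", "System.Web.Extensions"),
    ("system.webServer module: ScriptModule (integrated mode)",
     "system.webServer/modules/add[@name='ScriptModule']", "preCondition", "integratedMode"),
    ("system.webServer handler: ScriptHandlerFactory",
     "system.webServer/handlers/add[@name='ScriptHandlerFactory']", "path", "*.asmx"),
    ("siteMap provider: SpLeftNavigationProvider",
     "system.web/siteMap/providers/add[@name='SpLeftNavigationProvider']", "type", "SpLeftNavigationProvider"),
]

# Constructed miniature web.config containing every entry above (not a real SharePoint file).
GOOD_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <SharePoint>
    <SafeControls>
      <SafeControl Assembly="{AJAX}" Namespace="System.Web.UI" TypeName="*" Safe="True" />
    </SafeControls>
  </SharePoint>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, {AJAX}"/>
    </httpHandlers>
    <httpModules>
      <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, {AJAX}"/>
    </httpModules>
    <compilation><assemblies><add assembly="{AJAX}"/></assemblies></compilation>
    <siteMap>
      <providers>
        <add name="SpLeftNavigationProvider" type="PKS.Sharepoint.Navigation.SpLeftNavigationProvider, PKS.Sharepoint.Navigation" siteMapList="PKS Left Navigation Items" isMobileView="false" />
      </providers>
    </siteMap>
  </system.web>
  <system.web.extensions>
    <scripting>
      <webServices>
        <authenticationService enabled="true" requireSSL="true"/>
      </webServices>
    </scripting>
  </system.web.extensions>
  <system.webServer>
    <modules>
      <add name="ScriptModule" preCondition="integratedMode" type="System.Web.Handlers.ScriptModule, {AJAX}"/>
    </modules>
    <handlers>
      <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, {AJAX}"/>
    </handlers>
  </system.webServer>
</configuration>
"""

# Same file with the httpModules entry dropped and the authentication service left on plain HTTP.
BAD_CONFIG = GOOD_CONFIG.replace(
    f'<add name="ScriptModule" type="System.Web.Handlers.ScriptModule, {AJAX}"/>', ""
).replace('requireSSL="true"', 'requireSSL="false"')


def audit_web_config(xml_text):
    """Return (missing, warnings): labels of required entries that are absent, and
    settings worth a second look before the file is copied to the other front ends."""
    root = ET.fromstring(xml_text)
    missing = [label for label, xpath, attr, needle in REQUIRED_ENTRIES
               if not any(needle in el.get(attr, "") for el in root.findall(xpath))]
    warnings = []
    for svc in root.findall("system.web.extensions/scripting/webServices/authenticationService"):
        if svc.get("enabled", "").lower() == "true" and svc.get("requireSSL", "").lower() != "true":
            warnings.append('authenticationService is enabled without requireSSL="true"')
    return missing, warnings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_web_config(cfg))
```

To run it against a real file, read the web.config into a string and pass it to audit_web_config; an empty missing list on every front end is the condition to look for before moving on.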
All of this should get you through the first part of the installation. If you are using a network share to host your Podcast Files library for the External File store, there is another slew of problems you're about to run into...
You may have noticed that you cannot modify date formats with out-of-the-box SharePoint Designer workflow functionality. As a result, when you look up a date field in the message body of a Send an Email action, the date will get displayed as "1/28/2009 12:00:00 AM" in the message that is sent to the user.
If the workflow is attached to a form library, there is a codeless workaround that you could implement from within the InfoPath form designer. Just add a rule for your dateTime node (or date node) that re-formats the value to a string node. Use one of the declarative substring functions to modify the format accordingly. In the case of a dateTime node, you may want to use the substring-before function to capture everything that precedes the "T", as shown in the following figure.
When publishing the form template back to the library, be sure to promote the string node that contains the modified date format. Then, in the SharePoint Designer workflow, you can perform a lookup for the string node.
So many of the posts I put up are informational in that I found out something that I want to be able to find if it happens again. This post isn't much different.
Here at 3Sharp, we use the blogging platform Subtext. It's not my favorite platform in the world, but I understand the reasons why we use it. That being said, I'm going to get to the meat of this post. First up, posting using applications other than the web console. To post to Subtext, you have to make sure to use the right provider. With Subtext, that's MetaWebBlog.
Once you've set that, the URL that has to be entered to post is:
http://<blog URL>/<User Name>/services/MetaBlogAPI.aspx
This wasn't exactly hard to find; it seems lots of people want to try to connect to it using blog clients. I just want to make sure that I have the information handy when co-workers ask, "how do I use this thingy again?"
If you've only interacted with 3Sharp through me, Paul, Missy, and Tim, then you've missed a whole key aspect of the talent we've got here at 3Sharp. Our group (Infrastructure Solution Group or ISG, formerly known as the Platform Group) is just a small part of what goes on around here.
GetSharp is 3Sharp's personal implementation of PKS, the Podcasting Kit for Sharepoint. PKS was the brainchild of a fairish bit of the rest of the company. Quite simply, it's podcasting for SharePoint -- think something like Youtube, mixed into SharePoint with a whole lot of awesome (like the ability to use Live IDs). When I saw the first demo of what we were doing with GetSharp, I was blown away. I'm happy to have uploaded the videocast series on Exchange 2007 we did for Windows IT Pro, and I've got a series on virtualization I'll be working on when I get back to work next week.
Over the holidays 3Sharp unveiled its Podcasting Kit for SharePoint (PKS) site, GetSharp. This site is an excellent opportunity for me and my colleagues to give you a glimpse into some of our SharePoint, Office, Exchange, and Office Communications Server projects. During the next few months, I am hoping to "convert" many of my blog posts into videos...
Woo! Now I can talk about it! It looks like Office Communications Server 2007 R2 has been officially blessed and released to manufacturer (RTM)! Once I get my grubby little hands on it, I'll be posting pictures and how I have things set up, but I wanted to mention a couple of things that are key (to me) in this release:
- 64-bit only
- Officially supported on Server 2008
- Simplified Edge role management and existence
Management improvements
- Additions to the MMC snap-in to support new features (Conference Attendant, Application Sharing, etc.)
- Administrative tools now have a separate install (I can put them on my remote workstation)
- Automatic and Push updates to ALL devices (Roundtable, Phone Edition, OC 2007 R2)
- Improved Certificate Wizard and Management (I haven't seen this yet, but it is my favorite on paper)
Now that I have that little list, I can start to go through the Planning and Architecture and build a NEW OCS design based on the new goodies. I'll post a diagram as soon as I have it ready.
You name it and OCS can do it. I know that might be reaching a bit, but I've been looking into the new features that R2 will bring to the table, and it is really quite impressive. I've been working with OCS 2007 for about a year now, and while I've been impressed, there are some cases where I've had to say, "well, OCS really isn't a product for that arrangement," or, "it's still early in the product life-cycle, it'll get better." Now, most of those phrases are going to go away and will be replaced with comments like, "yes, OCS can do that, and that, too."
This is by no means an exhaustive list, but this is a quick start of the things to come with the new release. I garnered these points from watching a video here. There are a bunch more OCS 2007 R2 videos, and I can't wait until it hits RTM so I can install and play with it!
This is an information post, designed to make some information available to myself and others. I did NOT discover this but I thought it was something pretty important.
When disabling an Exchange 2007 mailbox, it sometimes will not automatically show up in the "Recipient Configuration | Disconnected Mailbox" bucket. It takes running the command:
clean-mailboxdatabase <mailbox database>
Once that command is run, you can reconnect it or do whatever you need to it. Thanks Missy and Amit (If you want the full explanation and pictures, click here)!
Well, after a bit of time spent on Microsoft's campus, I have 8 Tanjay devices with the latest and greatest firmware. I used a Tanjay device (a Polycom CX700 IP Phone) for a number of months, and while I didn't have a ton of voice communications with it, I loved the ones I had. There are a few complaints that I have about the device, but they deal more with the form-factor than functionality. What I wanted to note was something more tangible (pun intended) than complaints. What I wanted to mention is a reminder that the Tanjay devices are Enterprise Voice extensions. They are devices that are supposed to sit on your desk and replace that silly little phone you have there with an Office Communicator client that provides the rich client experience that OCS 2007 is supposed to provide.
What does this mean to the average Joe User? Well, to give a real-life example, I was just talking about how I have 8 devices with hot-off-the-press firmware and a desire to get them up and running. Even before my co-worker and I went to Microsoft to get the update, we were having a debate about why his devices were not able to connect earlier today. After banging the issues about for a while, he was convinced that it was a certificate issue. I was a little bit more skeptical, simply for the fact that it didn't "feel" right. I was willing to come back to the office later, with the upgraded devices and look into it.
After trying to log in with the fresh devices, I was willing to admit that something was wrong. After poking around, I found that in some cases, autoenrollment of domain users and devices was disabled, and so I enabled it using GPO. Thinking hard about it, what this does is tell a device that is logging in with a domain account that it's okay to request a certificate from the domain CA, and where that CA is. Sadly (at least for Devin), this didn't correct the issue. I sat and thought about it while I worked on something else, and when I finished with that, I decided to start back at square one and walk through setting up a Tanjay device for the first time. A quick web search and I ran across the problem (I didn't really "run across it"; it was more of a "the answer slapped me in the face and called me stupid"). Reading this post on a blog, I noticed that you have to enable the user for Enterprise Voice. Right now, we switched all of our users to Remote Call Control so we could use the connection with our Mitel 3300 ICP phone PBX.
Long story short, now our users have a choice between a Tanjay device and RCC. This is actually kind of a tough one for me, since I really like how RCC keeps track of my phone communications. I've been having trouble with some phone companies, and having the automatic tracking of who I call when is really helpful. I'll just have to see how things play out once I build our new OCS environment.
There are a lot of articles out there about Hyper-V host clustering, but there isn't much about the associated caveats. The main issue I ran into was with creating new physical disk resources. When you create a cluster and add nodes to it, you may end up adding a disk resource from a machine that does not own the cluster group. Yes, contrary to what it looks like in the GUI, there are still cluster groups, and much of the underlying clustering administration is unchanged from Server 2003. If you're in a situation where you need to add physical disk resources and the GUI won't see them, here's what you do:
1. On one of the nodes that is a possible owner for the resource, open two consoles as an administrator.
2. Log on to the LUN via the iSCSI administrator.
3. In storage management, bring the disk online, initialize the disk, and create a simple volume (note, you can initialize the disk via MBR or GPT, but the disk MUST be a basic disk).
4. In the first command prompt you have open, type diskpart. Type select disk <appropriate disk number here>. And then type detail disk. You should see something like this:
MSFT Virtual HD SCSI Disk Device
Disk ID: 2E3EA1FE
Type : iSCSI
Bus : 0
Target : 10
LUN ID : 0
Read-only : No
Boot Disk : No
Pagefile Disk : No
Hibernation File Disk : No
Crashdump Disk : No
5. In the second command prompt, type Cluster res "<resource name here>" /create /group:"Available Storage" /type:"Physical Disk". This will create the resource.
6. In the second command prompt, type Cluster res "<resource name here>" /priv DiskSignature="0x<DiskID from first command prompt>". The 0x before the disk ID is important; you won't be able to bring the disk online if you leave it out.
7. In the second command prompt, type Cluster res "<resource name here>" /on. This will bring your new disk resource online.
When doing this, make sure that the Available Storage resource group is owned by a machine with access to the LUN you're trying to bring online. It seems that Microsoft wants you to grant access to every node in your cluster, but if you're like me and are a bit nitpicky about which machines have access to which LUNs, you'll want to follow these steps.
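The one place this procedure bites is step 6: the Disk ID has to be copied from the diskpart output and prefixed with 0x by hand. The script below is an added example, not part of the original post: it parses the detail disk listing (a constructed copy of the one shown above), validates that the Disk ID has the 8-hex-digit form the steps rely on, and emits the three cluster.exe commands from steps 5 to 7 with the prefix already in place. The resource name "Cluster Disk 3" and the read-only refusal are my additions.

```python
"""Turn `diskpart` output into the cluster.exe commands from steps 5 to 7.
Added example, not part of the original post."""
import re

# Constructed sample of `detail disk` output, modelled on the listing in the post
DETAIL_DISK_OUTPUT = """MSFT Virtual HD SCSI Disk Device
Disk ID: 2E3EA1FE
Type : iSCSI
Bus : 0
Target : 10
LUN ID : 0
Read-only : No
Boot Disk : No
Pagefile Disk : No
Hibernation File Disk : No
Crashdump Disk : No
"""


def parse_detail_disk(text):
    """Map the `Key : Value` lines of `detail disk` to a dict with lower-cased keys.
    Lines without a colon (the device description) are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def disk_signature(fields):
    """Disk ID as cluster.exe expects it for DiskSignature: 0x followed by the hex digits.
    The post stresses that leaving out the 0x keeps the resource from coming online."""
    disk_id = fields.get("disk id", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", disk_id):
        raise ValueError(
            f"Disk ID {disk_id!r} is not an 8-digit hex signature; "
            "these steps set DiskSignature, which applies to that form of Disk ID")
    if fields.get("read-only", "").lower() == "yes":
        # added check: a read-only disk is not one you want to hand to the cluster
        raise ValueError("disk is read-only; bring it online read/write first")
    return "0x" + disk_id.upper()


def build_cluster_commands(resource_name, fields, group="Available Storage"):
    """Return the three cluster.exe invocations in the order the post runs them."""
    res = f'cluster res "{resource_name}"'
    sig = disk_signature(fields)
    return [
        f'{res} /create /group:"{group}" /type:"Physical Disk"',
        f'{res} /priv DiskSignature="{sig}"',
        f'{res} /on',
    ]


if __name__ == "__main__":
    for cmd in build_cluster_commands("Cluster Disk 3", parse_detail_disk(DETAIL_DISK_OUTPUT)):
        print(cmd)
```

Paste the real detail disk output in place of the constructed sample; the printed commands are then run one at a time in the second console, on a node that is a possible owner of the resource, as the steps describe.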
W00t! A new version of the Exchange Server 2007 Mailbox Server Storage Cost Calculator (sheesh, that's a lot of words) has been released, and the Exchange team has updated their original blog post on the subject to reflect the changes in the tool. (The calculator can be downloaded here.)
Why am I so excited? Well, I've been doing a lot of work around clustering and storage as of late (and having a lot of fun with it), and the work Microsoft has done for the calculator helps back up some of the work that I've done. Also, there seems to be a feeling among much of the Exchange community that SANs are best for Exchange, and I disagree with that viewpoint - I think a solution that the Exchange administrator can remain in control of is the best solution. Storage administrators don't really get Exchange, and have a tendency to say stuff like, "disk is disk", which drives me right up a tree. So my preference has always been to let the storage folks play with their bits, and have other folks let THEIR stuff reside on the SAN, and to keep Exchange away from their unappreciative hands. The storage cost calculator shows that there really are HUGE savings to be gained by following my preferred model, so I dig that too.
Anyway, the storage cost calculator is pretty cool stuff, and it's definitely worth an afternoon's time to play with!
There are two types of message journaling for Exchange; message envelope journaling is the preferred method if you need to capture messages for compliance purposes, because it captures not only the message (the P2 information, i.e. the message contents), but also the message "envelope" (the P1 information, which contains specifics about who a message was sent to, including recipients who were blind copied, and expanded distribution list membership). Think about a letter you'd get in the mail - the envelope would be addressed to you, at your address, but the letter inside could say "Dear John, ...". Without envelope journaling, all you've got for reference is the "Dear John" portion of the message, but knowing who the message (i.e. letter) was actually addressed to (i.e. who received it) is also important contextual information.
If you're implementing a third-party archiving product, it will (or should - don't pick one that doesn't understand message envelope journaling) know how to handle messages that are journaled with the envelope data.
If you're not implementing a separate archiving product, and plan to use the journal mailbox as an archive, there will be some hoops to jump through to read the actual messages. However, if you're saving these messages for compliance-related purposes, you want the envelope data, and I would strongly advise you that the journal mailbox is an inadequate long-term archive, especially for compliance-related purposes.
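To make the P1/P2 distinction concrete, here is an added example (not part of the original post, and not Exchange's own journal report format): a constructed message whose headers name one direct recipient and a distribution list, alongside a constructed envelope recipient list in which the list has been expanded and a Bcc recipient appears. The functions show what a journal can report with and without the envelope, and which recipients are recoverable only from it. The addresses and list name are all made up.

```python
"""Show what a journal without envelope (P1) data cannot tell you. Added example,
not part of the original post; the message and envelope below are constructed."""
from email import message_from_string
from email.utils import getaddresses

# P2: the message as stored in a mailbox (or in a journal without envelope data)
P2_MESSAGE = """From: alice@example.com
To: john@example.com
Cc: legal-team@example.com
Subject: Q4 numbers
Message-ID: <constructed-0001@example.com>

Dear John, ...
"""

# P1: the envelope recipients the transport actually delivered to (constructed). The
# distribution list legal-team was expanded to carol and dave, and eve was a Bcc recipient.
P1_RECIPIENTS = ["john@example.com", "carol@example.com", "dave@example.com", "eve@example.com"]


def header_recipients(raw_message):
    """Addresses visible in the To/Cc headers (P2). Bcc is stripped before delivery."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def journal_recipients(raw_message, envelope=None):
    """What a journal can report: only header addresses without envelope journaling,
    the real delivery list with it."""
    if envelope is None:
        return sorted(header_recipients(raw_message))
    return sorted(a.lower() for a in envelope)


def hidden_recipients(raw_message, envelope):
    """Recipients present only in the envelope: Bcc recipients and expanded list members."""
    return sorted(set(a.lower() for a in envelope) - header_recipients(raw_message))


def expanded_lists(raw_message, envelope):
    """Header addresses that never appear in the envelope; in this constructed case,
    the distribution list the transport expanded."""
    return sorted(header_recipients(raw_message) - set(a.lower() for a in envelope))


if __name__ == "__main__":
    print("without envelope:", journal_recipients(P2_MESSAGE))
    print("with envelope:   ", journal_recipients(P2_MESSAGE, P1_RECIPIENTS))
    print("hidden:", hidden_recipients(P2_MESSAGE, P1_RECIPIENTS))
    print("expanded lists:", expanded_lists(P2_MESSAGE, P1_RECIPIENTS))
```

The point for a compliance reviewer is in hidden_recipients: without envelope journaling, carol, dave and eve never appear anywhere in the record, which is exactly the "Dear John" problem described above.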
Database corruption is the bane of Exchange Administrators – and recovering from any type of corruption is complex and time-intensive. When either logical or physical corruption is present, administrators must determine the best path to database recovery. Recovery options include:
· Repairing the database by running the Exchange Server Database Utilities (ESEUTIL). This process entails taking the database itself offline (and thus, not providing messaging services to the users) and using ESEUTIL in repair mode (ESEUTIL /p). ESEUTIL can be destructive in certain circumstances, as database pages that cannot be repaired are discarded. After ESEUTIL has completed in repair mode, it should then be run again in defragment mode (ESEUTIL /d). It should be noted that ESEUTIL can process about 9GB of data per hour, so two different ESEUTIL operations on a 50GB database would take approximately 11 hours to complete. After both ESEUTIL operations have completed, a database integrity check should then be performed by using the Information Store Integrity Checker (ISINTEG) with the “–fix” and “–test alltests” switches. If ISINTEG is able to fix all database errors on the first pass, a report will be presented that shows the error count as zero – if all errors were not able to be corrected with the first ISINTEG operation, ISINTEG will need to be run again until the error count is zero. ISINTEG performance is roughly equivalent to that of ESEUTIL, depending upon the number of errors that must be corrected.
· Restoring an older database copy and letting the transaction logs generated since the backup was taken replay in order to bring the database back to the state when the failure occurred. These operations take less time than running database utilities; however, there have been numerous instances where organizations that thought their backups were valid found that the backups could not be restored to operation when necessary. The speed of database recovery varies depending upon the type of backup performed – Volume Shadow Copy Service (VSS) allows third-party vendors to provide quick database backups, and these backups are also quick to restore – but they may only be restored to their original location. The Recovery Storage Group (RSG) introduced in Exchange Server 2003 reduced the complexity of previous recovery methods; however, the RSG only works with streaming backups, which take much longer to restore than VSS-based backups. Depending upon the number of transaction log files that must be replayed, there may be a significant amount of time that passes before a restored backup will be available to provide messaging services. (No lie - I once experienced a 10+ hour wait while transaction logs replayed. Not fun.)
· In cases where the database is still operational, the best option is often to move the mailboxes themselves to a different information store. This process involves less down time for users (while a mailbox is in the process of being moved, it will be unavailable to the individual with whom it is associated; mailboxes that are not in the process of being moved will remain available for access) and is the preferred path when available. If a database has dismounted due to physical corruption and cannot be remounted, this option will not be available.
I wanted to share with you my thoughts on one of the tools that I'm using to study for my 70-562 exam: uCertify's exam study software for the 70-528 exam. The study content is for the .NET 2.0 exam. I am taking the .NET 3.5 exam, but I have found the content to be very well written and relevant.
I particularly like the interface. On the left-hand side you can see a list of available practice tests. Below that there is a section where you can track your progress. On the right-hand side is a list of various items to help you in your studies. I really like the Interactive Quiz and Flash Cards. Having the exam objectives close at hand is nice as well.
It would be nice to see a few more practice questions in the practice tests, and it would also be nice to see the upgrade to .NET 3.5 (I'm sure this is in the works).
Overall I like this product. When I'm getting ready to take future exams I will definitely check uCertify!