Friday, May 09, 2008 #

One last quick tidbit: Exchange 2007 and Outlook Anywhere scalability whitepaper

A lot of you may have missed this: Microsoft just released a new white paper for Exchange, Outlook Anywhere Scalability with Outlook 2007, Outlook 2003, and Exchange 2007. This paper should give you some detailed guidance goodness on scaling your CAS servers, and also talks about the port exhaustion issues that lead to upper scalability limits.

posted @ Friday, May 09, 2008 5:07 PM | Feedback (0)

A certificate roundup

Devin talks about several Exchange certificate-related tidbits.

posted @ Friday, May 09, 2008 4:55 PM | Feedback (0)

Tuesday, May 06, 2008 #

Doing UC in the Pacific Northwest

I've been sitting on a cool announcement for several days now, and I'm happy that it's now time to announce it.

I've been working with a group of people to get a new user group for Unified Communications (UC) put together here in the Pacific Northwest. While all of us are here in the Puget Sound area, our goal is to put in place a framework to empower a variety of events and meetings all throughout the region, not just based here in Seattle. Rather than be a typical boring user group with a jawbreaking acronym (PNWUCUG, which we do use), we're defining ourselves as people who do UC. This gives us a simpler name -- We do UC, hosted at ucdoers.org.

From our website:

We are the Pacific Northwest Unified Communications User Group (PNWUCUG) and we have a passion for UC. If you are one of the following, you could be one of us:

  • IT professionals in the Pacific Northwest who design, deploy, or manage Exchange Server, Live Communications Server, and Office Communications Server systems.
  • Developers who write or maintain solutions that integrate, extend, or provide UC capabilities to Exchange Server, Live Communications Server, and Office Communications Server and clients.
  • Industry experts with a recognized expertise in UC.
  • Hobbyists who are exploring Microsoft-based UC solutions.

One thing that's important for me to clarify -- my vision of this user group (which is echoed by the other folks who are getting it off the ground) is that it exists to support all Exchange, LCS, and OCS users, not just people running 2007 and doing the VoIP stuff. We may have a focus on UC, but that's mainly to align ourselves with the direction Microsoft is taking these products. If you're using Exchange, we want you to participate; we want to make sure we have content for you.

So, if this sounds like goodness to you, head on over to the blog for the announcement of our May 28th kick-off meeting at The Parlor Billiards & Spirits in Bellevue, WA. For those of you who can't be there in person, we're even going to have a Live Meeting feed for you -- how cool is that?

posted @ Tuesday, May 06, 2008 10:19 AM | Feedback (0)

Friday, May 02, 2008 #

Post-Conference report

As I typically do, I'm posting links to my slide decks for the presentations I just finished giving. I apologize to the Connections folks; I was supposed to get this done Monday afternoon or Tuesday and got ambushed by a travel-induced migraine.

Orlando was nice this time of year; not too hot, so the humidity slipped under the radar. It was nice to see a bunch of familiar faces and meet some new ones, and I was very pleased with the attendance at all of my sessions. Doing all three sessions back-to-back is definitely a drain, but the conference organizers helped out a lot by keeping me in the same room for all of them, and had I stayed for a couple of days I'd definitely have had the . And I have apparently finally beaten my notorious string of demo failures; my demo DPM environment (provided by Jason Buffington of Microsoft, thank you Jason) worked quite nicely.

For the MMS folks, I can't put my deck up directly; you'll need to get it from the MMS CommNet or wait for your attendee DVD to show up. Las Vegas is still completely over the top; the Venetian was opulent and provided a nice venue. For some reason, the casino didn't seem nearly as intrusive as it could have been (and is in other venues). I am, however, glad I had new shoes -- my feet didn't hurt from all the walking. For the flight home, I picked up 21: Bringing Down the House - Movie Tie-In: The Inside Story of Six M.I.T. Students Who Took Vegas for Millions at the airport and read it cover-to-cover; a great story told well.

posted @ Friday, May 02, 2008 1:16 PM | Feedback (0)

A DPM roundup

This was a big travel week for me; I got the privilege of speaking about protecting Exchange with DPM 2007 at both Exchange Connections (in Orlando) and Microsoft Management Summit (in Las Vegas). The session had a good response at both shows, and there's clearly a lot of buzz going around about DPM. I've gotten some good questions which I'll list here and update as I get answers.

  1. Q: Does DPM protect message tracking logs on an Exchange mailbox server?
    A: Very good question. My gut instinct is "No" but I need to confirm that. I'll post the confirmation in a separate blog article when I get an answer back.
  2. Q: Is there any good guidance on sizing a DPM installation?
    A: Yes. First see the Data Protection Manager 2007 Storage Calculator (currently only supports the Exchange workload), then see this third-party deconstruction. Note that the second post was written against an earlier release of the calculator, so is in need of some updating, but it's still a good read.
  3. Q: What kind of overhead does DPM incur?
    A: I have to admit that I don't remember the specifics of this question (this is why I strongly encourage folks to email their questions to me, as is the case with the following question -- thanks!); all I have is a cryptic note "CPU overhead" on my notepad. So, I'm going to assume that we're talking about the overhead of the protection agent on a protected server. And my answer to that is: Very good question; I need to get some specifics.
  4. Q: From e-mail: "Yesterday during MMS at the Advanced Exchange protection session you mentioned that you had created a white paper on getting DPM working with IBM’s TSM product. If you have a link to this I would be very grateful as I have not been able to find it currently and I am wanting to ensure that the way I have it set up and kind of working is the same way that someone else has been able to get it working."
    A: Unfortunately, I must have been unclear, for which I apologize. 3Sharp did work with Microsoft during the DPM 2006 timeframe to create several white papers on how to integrate DPM with several backup products: Commvault QiNetix, Symantec Backup Exec, Yosemite Backup, and Windows Backup. Unfortunately, Tivoli wasn't one of them, and I'm not aware of any current guidance that gives a complete end-to-end picture of integrating TSM with DPM 2007. However, the Backup of DPM Servers section in the DPM Operations Guide should be a good starting place.
  5. Q: Why can't I use DPM 2007 to recover to the Recovery Storage Group on Exchange 2003 servers, only on Exchange 2007 servers?
    A: Another great question, which I'm querying to find the answer to.
  6. Q: If I can use DPM 2007 to do document-level recovery in SharePoint, why can't I recover mailboxes or even messages in Exchange without having to use the RSG (for Exchange 2007) or ExMerge (for Exchange 2003)?
    A: There are two parts of this answer, but they both are based on the same premise: DPM does not use "privileged" information on the internals of other Microsoft applications it protects. When recovering documents from a SharePoint replica, DPM doesn't directly reach into the replica database and extract the information. Instead, it recovers the relevant databases to a temporary recovery SharePoint installation (which can be a single server SPS 3.0 install on a virtual machine, even if you're recovering data from MOSS 2007) and then finds the relevant documents using SharePoint's HTTP interfaces. With Exchange, the principle is the same; we recover the mailbox database to a parallel location (the RSG in Exchange 2007; a network folder in Exchange 2003) and then use the Exchange native tools to extract and import the relevant information. Trying to do direct restores of mailboxes or messages into a production database would involve going beyond the existing Exchange APIs. Personally, as an Exchange MVP I hope that Microsoft works on expanding those interfaces to make this sort of thing easier for all third-party vendors, but until they do, DPM plays by Exchange's rules.
  7. Q: You mentioned coming updates to DPM. Where can I find more info on that?
    A: Jason Buffington of Microsoft has you covered with this webcast.

That's a good start for now; catch you all later!

posted @ Friday, May 02, 2008 1:06 PM | Feedback (0)

Monday, April 28, 2008 #

Greetings from Orlando!

I'm posting from a break between sessions at Exchange Connections in Orlando, FL. I just had a good session on protecting Exchange with DPM -- thanks to everyone who attended and gave lots of good feedback.

Next up -- a session on DCAR with Exchange, and then Exchange 2007 update best practices.

The weather is actually the best I've ever seen here -- not too hot, with a nice breeze, so the humidity isn't overwhelming. However, the A/C is up full in the room I'm presenting, so I'm glad the speaker shirts are long-sleeved.

More later!

posted @ Monday, April 28, 2008 6:53 AM | Feedback (0)

Wednesday, April 23, 2008 #

Setting Exchange 2007 Unified Messaging codecs on a per-user basis? Genius!

I was completely floored to discover, via Paul, that you can control which codec the UM role uses to record voicemails on a per-user basis. This is seriously cool stuff, and if you can't see why quite yet, let me offer the following scenarios for you:

  1. Most common: you have multiple users who have non-Windows Mobile devices that don't support the WMA codec, but still want to be able to listen to their voicemail on their devices. The GSM and G.711 PCM Linear codecs may be more widely supported. For example, on an EAS-aware iPhone will Apple also roll in support for recognizing UM voicemails? If they do, will they support the WMA codec? Now, in theory, they don't have to.
  2. Also common: you have multiple users who use a non-Windows based client. (Paul already calls out one example, those of us who use Entourage.) This would be just as valuable, though, for people who are using some IMAP or POP3 client on a Linux/BSD/Solaris box.
  3. Not so common, but possible: you have a specific need to process voicemails in an automated fashion and need to use either the GSM or G.711 PCM Linear codec rather than WMA. Switching one or two mailboxes over keeps the entire Exchange storage system from suffering the increase in voicemail file size that would result.

Okay, so these are slightly lame scenarios, but I'm sure there's more out there that I can't see.

posted @ Wednesday, April 23, 2008 3:06 PM | Feedback (0)

Friday, April 11, 2008 #

Security and the OCS 2007 A/V Edge role

When people start digging into the specifics of the A/V Edge role in OCS 2007, they usually have a strong and immediate knee-jerk reaction something along the lines of, "No way!" (Mine was, "Oh, heck no!") This reaction is usually caused by learning one or more of the following deployment requirements:

  • Public IP address. The A/V Edge server needs to have a publicly routable IP address. This address must be publicly routable; you can't fudge it by giving it an IP address in a private range (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) and do any sort of NAT to it. 1:1 NAT or static NAT mapping won't do the trick here. You can and should have a firewall between it and the Internet, but it can't be doing any address translation.
  • Dual-homed. The A/V Edge server cannot be separated from the internal OCS servers by NAT. Therefore, if you're using a private address range and NAT in your internal network, you have to give the A/V Edge server a second network interface and IP address on routable, non-NAT address range. (Note, however, it doesn't have to be the same address range as the internal network, simply on an address range that is directly routable without NAT.)
  • 20,002 external ports. The external (publicly routable) interface needs to have the following ports opened to the Internet: UDP 3478, TCP 443, UDP 50,000-59,999, and TCP 50,000-59,999. Security people immediately look at the need to have 10,000 dynamic TCP ports and 10,000 dynamic UDP ports and have their head asplode in sheer instinctive security reaction.
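The requirements above can be checked mechanically against a proposed firewall rule set. The following is an added example, not Microsoft's tooling or code from the original post; the rule format `(protocol, first port, last port)`, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Requirements exactly as the post lists them.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REQUIRED_PORTS = [("udp", 3478, 3478), ("tcp", 443, 443),
                  ("udp", 50000, 59999), ("tcp", 50000, 59999)]


def is_private(address):
    """True if the address falls in one of the three private ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_RANGES)


def required_port_count():
    """Total number of ports the external interface must expose."""
    return sum(hi - lo + 1 for _, lo, hi in REQUIRED_PORTS)


def uncovered(wanted, have):
    """Return the sub-ranges of `wanted` that no range in `have` covers."""
    gaps = []
    for proto, lo, hi in wanted:
        cursor = lo  # lowest port not yet known to be covered
        for a, b in sorted((a, b) for p, a, b in have if p == proto):
            if b < cursor:
                continue
            if a > hi:
                break
            if a > cursor:
                gaps.append((proto, cursor, a - 1))
            cursor = b + 1
            if cursor > hi:
                break
        if cursor <= hi:
            gaps.append((proto, cursor, hi))
    return gaps


def audit_edge(external_ip, nat_in_path, allowed):
    """List every way a proposed A/V Edge deployment misses the requirements."""
    findings = []
    if is_private(external_ip):
        findings.append("external address %s is in a private range" % external_ip)
    if nat_in_path:
        findings.append("address translation sits in front of the A/V Edge")
    for proto, lo, hi in uncovered(REQUIRED_PORTS, allowed):
        findings.append("required %s %d-%d is blocked" % (proto, lo, hi))
    # The same range arithmetic, reversed, flags anything opened beyond the list.
    for proto, lo, hi in uncovered(allowed, REQUIRED_PORTS):
        findings.append("%s %d-%d is open but not required" % (proto, lo, hi))
    return findings


# Constructed sample rule sets; not taken from a real deployment.
GOOD_RULES = list(REQUIRED_PORTS)
BAD_RULES = [("udp", 3478, 3478), ("tcp", 443, 443), ("tcp", 50000, 59999),
             ("udp", 50000, 54999), ("tcp", 3389, 3389)]

if __name__ == "__main__":
    print("ports required:", required_port_count())
    for finding in audit_edge("192.168.10.5", True, BAD_RULES):
        print("FINDING:", finding)
```

The reverse check matters as much as the forward one: the firewall in front of the A/V Edge should open the listed ports and nothing else.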

I've personally reacted to all three of these requirements; I've yet to talk to a security-conscious IT professional new to OCS who hasn't. So what on Earth is Microsoft doing putting these requirements in place? Have they completely lost it about security?

In a word, no.

There are good reasons why these requirements are in place. Rather than go over them myself, however, let me simply direct you to this excellent post on the OCS team blog. If you have any questions, post them there and tell 'em I sent you. Note that to post questions on their blog, you need to first join their Community Server site. This is painless and easy; simply click the Join link in the upper right-hand corner, pick a username and password, provide your email address, and you're ready to go.

posted @ Friday, April 11, 2008 11:33 AM | Feedback (0)

Thursday, April 10, 2008 #

Exchange protocol documentation now available

Devin talks about some of the new Exchange and Outlook protocol documentation that is made available under Microsoft's Interoperability Principles.

posted @ Thursday, April 10, 2008 7:21 PM | Feedback (0)

Friday, March 28, 2008 #

There's no service like Web service

One of the cool things about Exchange 2007 is the new Web service interface into the store. In theory, having mailboxes and contents exposed via Web services makes it a lot easier for developers and casual dabblers to use Web service-aware tools to interact with Exchange content.

Two weeks ago, I wanted to perform a quick experiment by seeing if I could use Exchange Web Services (EWS) in a SharePoint page to make an always up-to-date extension list for our office. Now, I know this information is stored in Active Directory as attributes on the User objects, but I didn't see a quick, easy way to configure a SharePoint web part to perform an LDAP or AD query. Instead, I opened up SharePoint Designer and pointed it toward our EWS instance, and what I found surprised me.

Does anyone out there in reader land have any clue why SharePoint Designer insists that an EWS instance isn't "a valid description of an XML Web service"?

https://exchange.server.fqdn/ews/Services.wsdl

I can browse to it manually, enter my credentials, and get a bunch of XML that sure looks like valid WSDL -- but SharePoint Designer's integrated WSDL parser can't seem to make heads or tails of it. I could easily consume other types of Web services, and looking at their WSDL, it looks like it's making use of a lot fewer XML namespaces; their XML structure seems quite a bit simpler than what Exchange is generating.

I tried contacting the official SharePoint team blog and was basically told, "Go away, kid. Call support." I've not had a lot of spare time recently to pursue this, but I'm pursuing some other avenues to see if I can't get to the bottom of this. Stay tuned!

posted @ Friday, March 28, 2008 6:21 PM | Feedback (0)

Thursday, March 13, 2008 #

A connection I hadn't noted before

Archiving 101's post today made a connection I hadn't thought about before.

posted @ Thursday, March 13, 2008 1:55 PM | Feedback (0)

Wednesday, March 12, 2008 #

Getting to know Hyper-V

Because of a fun new project I'm working on, I've been starting to get my hands dirty with Windows Server 2008 and the beta version of Hyper-V this week. So far, I'm impressed -- Microsoft has clearly put a lot of work into virtualization and this product appears to be much smoother than Virtual Server 2005 R2 SP1 (MSVS) or Virtual PC 2007 (VPC). Big wins include:

  • Better virtualization. Even when I was starting up a baseline Windows Server 2003 virtual machine to prepare it (strip off the old MSVS VM additions and install the corresponding Hyper-V Integration Services), the VM was very speedy and responsive. The host is a dual-core Athlon64 workstation with 8GB of RAM and two SATA hard drives (one for the OS, one for the virtual machine images). No metrics, but the bare VM booted and felt snappier than it did under MSVS.
  • Built-in snapshot facility that makes use of VSS. You can take snapshots of running VMs. I can't wait to see the DPM agent upgraded to provide Hyper-V support.
  • Better networking support. It's a lot less painful to get multiple networks and interfaces working properly, and by adding RRAS to the host OS you can get some sophisticated networking going. The VMs now support real Gigabit Ethernet speeds and it appears to support VLAN tagging, which will make a few folks happy.
  • MUCH better administrative UI than MSVS -- not that this is hard. I've never been a fan of web-based UI (unless they're built on AJAX, and even then, most of them are less than impressive). Going back to an MMC application is just fine with me.

However, there are still a few things that either haven't been adequately addressed or (worse) took an active step backwards from MSVS:

  • The best feature, bar none, of MSVS was the Virtual Machine Remote Console (VMRC). This little app was built on top of the same ActiveX control that the web-based console used, but had so much nice functionality built into it. For example, did you know that under VMRC, you had a virtual KVM switch -- just by pressing Host + Left or Host + Right, you could cycle through all of the VMs running on the currently connected host machine? I LOVED that feature; it kept my desk uncluttered when I was working with six VMs at a time, unless they were running on different hosts. The new Virtual Machine Connection application seems to be locked into a single VM-per-instance model, which sucks.
  • Speaking of the Virtual Machine Connection application, who named this? We already have the VMC (virtual machine configuration) acronym in use with Microsoft virtualization. This is just a pointless, confusing name change just for the sake of changing things.
  • And let's not forget that we've taken away the Host key -- to send Ctrl-Alt-Del to the guest VM, we have to type Ctrl-Alt-End, which neatly prevents that key mapping from being used on the machine running the client. At the very least, Microsoft, give us the option to use the old VMRC key behavior. Some of us liked it a lot.
  • There still seems to be no way to pass hardware on the host through to a guest VM. This is essential for full virtualization support -- being able to pass USB peripherals or SCSI controllers and chains through to VMs and have them appear as hardware in the guest VM would be VERY useful in a lot of situations. Without this capability, using Hyper-V for high-end enterprise virtualization is a joke. Heck, I can do this in Parallels on Mac OS X -- plug in a USB headset and it will ask you if it should be joined to the host Mac machine or the Windows guest VM. Hyper-V (and the eventual Virtual PC version that uses Hyper-V technology) should be able to do this too.

Flaws aside, Hyper-V looks like it's going to be a major step forward. This is good, as we use a lot of virtual machines here, so having a stable and easy-to-use VM solution is important for me.

posted @ Wednesday, March 12, 2008 1:48 AM | Feedback (0)

Thursday, March 06, 2008 #

New Exchange 2007 migration whitepaper

A couple months back, I was able to work with Quest Software on a new whitepaper for Exchange 2007 migrations. As you probably already know, Reader, Quest makes some of the slickest migration software on the market. They also make Quest Archive Manager, which offers (of course!) email archiving capabilities. Quest's notion, and the one I explored in this whitepaper, is that by deploying an archival solution such as Quest Archive Manager, you can actually reduce the risks you'll face during messaging migration. The paper is specifically about migrating to Exchange 2007; while I didn't focus on the details of Exchange migration, I do cover some of the possible risks you face during a migration to Exchange 2007.

If you're interested in reading the whitepaper, you can get it for free from Quest; you simply need to register your email address with them.

posted @ Thursday, March 06, 2008 11:48 AM | Feedback (0)

Friday, February 29, 2008 #

New form of spam

I came across an interesting article yesterday on a new form of spam: using webmail providers' Out-of-Office features to do a new type of backscatter spam. This is an excellent example of how unsecured messaging does not mix well with automated message generation capabilities. Any good Web developer can tell you that it's a bad decision to blindly accept and process untrusted input, and yet SMTP bots (that's what OOF functionality is at its core) do precisely that, thanks to the lack of a standard for verifying the authenticity of the sending identity and the integrity of the end-to-end message route. This is nothing new; this is the same variety of vulnerability that backscatter spam has been exploiting for years: target the NDR/bounce generation mechanism to do the dirty work for the spammers and send the payload to the victim.
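What "not blindly processing untrusted input" looks like for an auto-responder, as an added example that is not from the original post or from any mail product: a gate that follows the RFC 3834 recommendations for automatic replies and goes one step further by requiring an authenticated sender. It assumes the receiving MTA stamps a trustworthy `Authentication-Results` header and strips any that arrive from outside; the function name and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BULK_PRECEDENCE = {"bulk", "junk", "list"}
ROBOT_LOCAL_PARTS = ("mailer-daemon", "postmaster", "noreply", "no-reply")


def should_auto_reply(raw_message, already_replied):
    """Decide whether an OOF responder may answer this message.

    Returns (True, address_to_reply_to) or (False, reason).
    """
    msg = message_from_string(raw_message)

    # Reply only to the envelope sender; "<>" marks a bounce or NDR.
    sender = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if not sender:
        return (False, "null or missing envelope sender")
    if sender.split("@")[0] in ROBOT_LOCAL_PARTS:
        return (False, "sender is an automated mailbox")

    # Never answer another robot or a mailing list.
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":
        return (False, "message is itself automatic")
    if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
        return (False, "bulk or list precedence")
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return (False, "mailing list traffic")

    # Assumption: our own boundary MTA wrote this header after checking SPF
    # and DKIM. A forged sender fails here, so the reply never reaches a victim.
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if not re.search(r"\b(spf|dkim)=pass\b", results):
        return (False, "sender identity not authenticated")

    # One reply per sender limits what a single address can trigger.
    if sender in already_replied:
        return (False, "already replied to this sender")
    return (True, sender)


def _sample(headers):
    """Build a constructed test message from a list of header lines."""
    return "\n".join(headers) + "\n\nHello\n"


# Constructed messages; the addresses use reserved example domains.
LEGIT = _sample(["Return-Path: <alice@example.org>",
                 "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org",
                 "From: Alice <alice@example.org>", "Subject: lunch?"])
FORGED = _sample(["Return-Path: <victim@example.net>",
                  "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net",
                  "From: Victim <victim@example.net>", "Subject: cheap pills"])
BOUNCE = _sample(["Return-Path: <>", "From: MAILER-DAEMON@example.org",
                  "Subject: Undeliverable"])
AUTO = _sample(["Return-Path: <bob@example.org>",
                "Authentication-Results: mx.example.com; dkim=pass header.d=example.org",
                "Auto-Submitted: auto-replied", "Subject: Out of office"])

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forged", FORGED),
                      ("bounce", BOUNCE), ("auto", AUTO)):
        print(name, should_auto_reply(raw, set()))
```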

This new form of attack just underscores my growing conviction that our current system of email is going to be gradually supplanted by a variety of mechanisms for communicating with people outside of our organizations. There's too big of a disconnect between “enterprise” features that businesses want from email and the inherent limitations of the current store-and-forward mechanism SMTP is built upon. And no, I'm not one of those people who thinks that pay-per-email schemes are the answer; what works well for physical, tangible products becomes quickly unworkable for virtual communications.

I don't think there's going to be One True Successor for SMTP, nor do I see SMTP going completely away any time soon (just as Usenet, despite all predictions, still manages to hang on for certain applications and communities). Dependable synchronous communications modes such as instant messaging, voice, and video will, I think, begin taking up a lot more of the message traffic currently carried by email. By avoiding store-and-forward asynchronous mechanisms, you reduce the opportunities that attackers and spammers have to forge and inject illegitimate communications into your users' workspaces. Allowing users to decide which communications mode is best for them helps alleviate the pressure on email systems.

posted @ Friday, February 29, 2008 7:29 PM | Feedback (1)

Thursday, February 28, 2008 #

Sweet PowerShell lovin'...for free!

And yes, that's "free as in beer," not "free as in what some people think all information wants to be."[1]

Frank Koch and Marcel Trümpy of Microsoft (in Switzerland) have created not one, but two Windows PowerShell ebooks, and you can get them both for free:

  • A Windows PowerShell course book with associated demo files and examples.
  • A Windows PowerShell server administration book with associated demo files and examples.

Get them both in one easy download either in English or German. The downloads are from Microsoft and no registration is required, according to the blog posting.

[1] If you believe all information wants to be free, I challenge you to put your money where your mouth is and post your Social Security number (if you live in the USA; equivalent if you don't), birthdate, address, personal phone number, and bank account information here in my comments. After all, that's all information -- and it wants to be free!

posted @ Thursday, February 28, 2008 11:04 AM | Feedback (0)

Wednesday, February 27, 2008 #

DPM book hot off the presses

Early this week, Ryan and I received our authors' copies of Mastering System Center Data Protection Manager 2007, the book we co-wrote about, well, mastering DPM 2007. Amazon says it's in stock, so if the topic is at all of interest to you, please consider buying a copy or ten and making our publisher happy!

Two more interesting tidbits around the book:

  • I'll be giving a session on Exchange and DPM for the Spring 2008 Exchange Connections conference in Orlando; I'm hoping to be able to make other arrangements as well.
  • The book will have its own website, http://www.masteringdpm.com/ (it's not live yet!), in just another couple of days, by the weekend at the latest; the DNS zone is already registered, I just need to get the website software up and running.

posted @ Wednesday, February 27, 2008 4:27 PM | Feedback (0)

Sunday, February 24, 2008 #

Passwords in the 21st century

I am sick and tired of the shoddy programming practices most companies still have in place today with their websites.

I can understand the desire to not provide certain types of downloads to users unless they have an account that can be tracked, especially (yes, Parallels, I'm looking right at you!) when they distribute updates as a completely new installer instead of an updater or service pack. I can understand why they justify the need to use a completely separate account management system instead of one of the many standards that are available, such as Windows Live (formerly known as Passport). I cannot understand, then, why they spend the development (and, one would hope, testing) effort to write a sloppy, poor authentication system that makes assumptions about the habits of the users. If you're going to spend that internal time and effort poorly, just pay the fee to Microsoft for Windows Live already and at least give your users one fewer set of credentials to remember!

I use passphrases everywhere I can these days, even for "throwaway" accounts on websites. I know the arguments for weaker security on them and agree with them as a personal choice for the user; the website should not be free to make the same assumptions. I'm tired of getting error messages because I've entered "too many characters" (turned out that 12 was too many for that particular website) or dared to use symbols instead of just numbers and letters. How dare I try to keep myself in the habit of using cryptographically strong (and easy to remember) passphrases everywhere!

These may seem like little things, but if developers aren't even getting these usability issues right because they favor "decreased complexity" (what, properly handling symbols in a text string is too hard to figure out how to do properly?), what assurance do we, the consumer, have of them getting bigger security issues right?
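To show how little there is to get right, here is the kind of check complained about above beside a handler that takes long passphrases and any symbol. This is an added example, not code from any site mentioned in the post; the minimum length, the byte cap, the PBKDF2 work factor and the sample passphrase are assumptions. Because only a salted hash is stored, the stored record has the same size whatever the user types, so there is no storage reason for a 12-character ceiling.

```python
import hashlib
import hmac
import os
import re
import unicodedata

ITERATIONS = 600_000   # PBKDF2 work factor (assumed; tune for your hardware)
MIN_CHARS = 8          # assumed policy floor
MAX_BYTES = 1024       # generous cap, present only to bound hashing cost


def restrictive_accepts(password):
    """The 'before': fewer than 12 characters, letters and digits only."""
    return len(password) < 12 and re.fullmatch(r"[A-Za-z0-9]+", password) is not None


def _to_bytes(passphrase):
    # Normalise so the same passphrase typed on different keyboards or
    # platforms produces the same bytes, then encode; symbols need no
    # special handling because the text is never stored or interpolated.
    return unicodedata.normalize("NFKC", passphrase).encode("utf-8")


def accepts(passphrase):
    """The 'after': any characters, with only a floor and a very high ceiling."""
    return len(passphrase) >= MIN_CHARS and len(_to_bytes(passphrase)) <= MAX_BYTES


def hash_passphrase(passphrase, salt=None):
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _to_bytes(passphrase), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify(passphrase, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", _to_bytes(passphrase),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed sample passphrase with spaces, symbols and non-ASCII letters.
SAMPLE = "nine purple llamas; §42 & one très old bicycle!"

if __name__ == "__main__":
    print("restrictive site accepts it:", restrictive_accepts(SAMPLE))
    print("hardened handler accepts it:", accepts(SAMPLE))
    record = hash_passphrase(SAMPLE)
    print("stored digest length:", len(record.split("$")[3]))
    print("verifies:", verify(SAMPLE, record))
```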

posted @ Sunday, February 24, 2008 10:08 PM | Feedback (0)

Wednesday, February 13, 2008 #

Webcast on Unified Communications

Tomorrow I'm going to be giving two webcasts for Quest on What You Need to Know about Microsoft Unified Communications -- one at 9am EDT, the other at 2pm EDT. (Yes, that's 6am and 11am here, so my morning tomorrow is going to start earlier than normal.) This is going to be a fun, high-level overview of the UC initiative -- it won't be a deep technical dive. Instead, we're going to look at the implications of deploying the Microsoft UC platform for the IT professional. If you have time to join one of the sessions, I'd love to see you!

posted @ Wednesday, February 13, 2008 3:02 PM | Feedback (0)

Tuesday, February 12, 2008 #

Received in the mail: Exchange Server 2007 training from TrainSignal

A couple weeks back, I received an offer for a review copy of the Exchange Server 2007 video training from TrainSignal. I, of course, gleefully accepted. Over the next few days, I'll be checking it out and will let you all know what I think. I'm prepared for goodness, though; fellow MVP David Shackelford is the instructor. Hey, David, I didn't realize that you sound a lot like David Spade!

posted @ Tuesday, February 12, 2008 2:58 PM | Feedback (1)

Thursday, February 07, 2008 #

Liveblogging the Unified Communications Voice Ignite conference, day 5

Day Five of Devin's notes from the UC Voice Ignite event in Sydney, Australia.

posted @ Thursday, February 07, 2008 5:25 PM | Feedback (1)

Wednesday, February 06, 2008 #

Liveblogging the Unified Communications Voice Ignite conference, day 4

Day Four of Devin's notes from the UC Voice Ignite event in Sydney, Australia.

posted @ Wednesday, February 06, 2008 3:06 PM | Feedback (3)

Tuesday, February 05, 2008 #

Liveblogging the Unified Communications Voice Ignite conference, day 3

Day Three of Devin's notes from the UC Voice Ignite event in Sydney, Australia.

posted @ Tuesday, February 05, 2008 2:09 PM | Feedback (6)

Fighting PKI inertia

I've noticed something for a while now -- people are really reluctant to install a proper PKI system. If you're a Windows-based organization, I have three words for you:

Get over it.

The Windows Certificate Service (WCS) is powerful and fairly easy to manage -- and it's included in Windows Server Standard or Enterprise versions.

For years, people have been complaining about the lack of security in various products. Well, Microsoft and other vendors have listened, and standards like TLS and Mutual TLS are now getting put into most of the new products and versions rolling out the door. However, in order to USE these standards and get the security, you must have certificates. You can spend a lot of money buying and installing and managing these certificates from third-party vendors or you can install WCS.

The most common objection I hear is, “But I can just use commercial certificates!” True, you can. But now you're paying for every certificate and adding to the complexity of your deployment tasks. Rolling out Exchange 2007 or OCS 2007 with all the proper certificates is a lot easier when your servers have an internal WCS infrastructure to talk to -- requests are fulfilled almost immediately. You don't have to spend money on all those internal server certificates -- just the external-facing certs for machines that are talking to external clients or mobile devices.

Either way you choose to go, there are a few facts of life:

  • You WILL need to take time to learn how certificates and requests actually work. Knowing why you want to keep secure exported copies of certificates with their private keys associated is a good thing.
  • You WILL have to allocate time managing your certificates and infrastructure. Commercial certificates expire -- we at 3Sharp had a certificate expiration sneak up on us and disable OWA and EAS until we got it sorted out.
  • You WILL have to worry about certificate backups and processes. See the point about exported certificates.

Okay, here's a question -- would there be any interest in having me do a series of blog posts on the basics of certificate handling? I know there's good material out there, so I'd focus my stuff on common tasks and gotchas I've run across when deploying certificates for Exchange and OCS. If that sounds like something you'd want to see, drop me a comment.

posted @ Tuesday, February 05, 2008 4:35 PM | Feedback (1)

Monday, February 04, 2008 #

Liveblogging the Unified Communications Voice Ignite conference, day 2

Day Two of Devin's notes from the UC Voice Ignite event in Sydney, Australia.

posted @ Monday, February 04, 2008 2:19 PM | Feedback (3)

Sunday, February 03, 2008 #

Liveblogging the Unified Communications Voice Ignite conference, day 1

Day One of Devin's notes from the UC Voice Ignite event in Sydney, Australia.

posted @ Sunday, February 03, 2008 5:17 PM | Feedback (2)