April 2005 Entries
A look at Microsoft's Data Protection Manager

Remember my previous post about Microsoft Data Protection Server? Now I can talk about it a bit more in-depth. Heck, even The Register is talking about it. Microsoft has changed the name of the product; it's now Microsoft System Center Data Protection Manager (DPM). Because I've been working on a DPM project, I've known about the name change for a while. Now that DPM has gone beta, Microsoft updated the site with the new name. This is the first application, to my knowledge, that requires Windows Server 2003 SP1.

Paul wrote the overview paper that's on the DPM site. I worked with Paul and the incomparable Jim Boyce to produce the papers that explain how to integrate DPM with assorted backup systems. As usual, we got to work with the talented and dedicated folks at Microsoft; they gave us excellent support, technical expertise, and feedback all through the project. I worked primarily on the DPM and Veritas BackupExec paper and the DPM with Yosemite Backup paper. Although I helped with some minor touch-ups, Jim wrote the DPM and Windows Backup paper.

I found an unexpected but welcome perk with this project: getting to work with the fine folks at Yosemite Technology (hello Daniel, Alan, and Ken!). I'd never used their Yosemite Backup product before this project, but I'm definitely going to be giving it a closer look in the upcoming weeks. Through my years as a sysadmin, backups and restores have always been a chore; something you do because you have to, not because it's sexy or fun. I caught myself having fun with their product and their people were always a pleasure to work with. Alan deserves special mention for going above and beyond the call of duty; he actually returned my calls from the beach on his day off. More about Yosemite in upcoming posts.

For those of you who aren't familiar with the concept, DPM is a client-server product that allows you to define protected volumes and shares on your production file servers. The DPM agent replicates protected data to the central DPM server according to the schedule you define (as often as hourly); the DPM server stores these replicas. This replication happens at the file-block level, so only the data that is actually changing gets replicated. Once the data is safely replicated, DPM creates snapshots of the replicas according to a separate schedule. These snapshots can be used for end-user point-in-time recovery of files. Not only do you protect your data from loss events, you gain file versioning capabilities on all of your DPM-protected servers. When you want to archive your data to tape, you use a DPM-aware backup system (like Yosemite) or the included utilities to create a special backup snapshot of your replicas. The backup happens directly from the DPM server, which means you can do it in the middle of the day. DPM is the backup window killer.

DPM is a joy to work with. The actual protection process is extremely simple: install the DPM client on your file servers, define your protection groups (a collection of shares and volumes that have the same policies defined), and start synchronizing your data. This product really makes you sit up and take notice of the Windows Server 2003 Volume Shadow Copy Service (VSS) technology, as it extends it across the network to allow you to effortlessly create and manage point-in-time copies of your data (even if it wasn't originally on a Windows 2003 server).

I found that it was actually harder to install DPM than it was to use it, and then only because it has some hefty dependencies. DPM requires SQL Server 2000 (plus service pack) and the SQL Server Reporting Services (plus service pack). It makes for a long install process, although the wizard-driven installer does most of the heavy lifting of configuration. If you're having flashbacks to installing the MIIS Feature Pack, don't worry; DPM installation is a lot less work. You owe it to yourself to grab the beta and look at this product.

posted @ Thursday, April 21, 2005 5:52 PM | Feedback (2)
Exchange Security Update

There's a new Exchange security update (MS05-021) out; there is a potential for remote code execution. There are updates for:

  • Exchange 2000 Server Service Pack 3 (update of MS04-035)
  • Exchange Server 2003
  • Exchange Server 2003 Service Pack 1

Exchange 5.0 and 5.5 are not affected.

Details:
The flaw allows remote SMTP sessions to run code in the context of the SMTP service if they exploit a buffer overflow in the proprietary Exchange X-LINK2STATE SMTP extension. On Exchange 2003, the vulnerability cannot be executed by anonymous users; attackers must be authenticated and (according to the bulletin) would need to be granted a level of trust normally given to other Exchange servers in the organization. The Exchange 2000 hotfix updates the level of authentication that Exchange requires.

ISA 2000 and ISA 2004 SMTP filtering/SMTP publishing can help mitigate this flaw, as will disallowing connections from anonymous SMTP sessions (this will, of course, prevent the bulk of incoming external SMTP mail). According to KB 812455, the X-LINK2STATE verb only requires a single reply and the maximum size for both is 1,024 bytes, which seems to fit the criteria listed in Using the ISA Server 2004 SMTP Filter and Message Screener for allowing the addition of the X-LINK2STATE verb to the ISA 2004 SMTP filter. [Editor: I have not tested this approach; if anyone knows of a reason why it won't work, please let me know via the comments.]

The bulletin also gives a procedure to un-register the XLASINK.DLL, which prevents updates of link state information over SMTP and requires Exchange to fall back to Active Directory for routing information. Because the flaw is in an Exchange SMTP extension, the underlying IIS SMTP service is not affected.

Get this now and apply it to your Internet-facing Exchange servers. Issues like this, by the way, are an excellent reason for not using Exchange on the edge of your organization, or for heavily restricting which SMTP extensions are active on your edge Exchange machines. If you're running MBSA 1.2.1, you'll be alerted about this patch. [Editor: Am I the only one who wishes that Microsoft would start linking some of the excellent tools they've got out there, like ExBPA and MBSA, without requiring MOM as a full-fledged management framework?]

Update: Thanks to the message forums at Tom Shinder's isaserver.com site for all things ISA, I found out about the ISA Server Preventative Measures page at Microsoft. It gives clear, simple directions on configuring ISA to block a number of threats, including this brand-new paper on blocking MS05-021.
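
The advice above about restricting which SMTP extensions are active on edge Exchange machines can be verified by reading what a server advertises in its EHLO reply. The following Python check is an added example, not part of the original post or of any Microsoft tool; the sample reply, the host name in it, and the `RESTRICTED_ON_EDGE` policy set are constructed assumptions.

```python
import re

# Verbs the defender does not want exposed on an Internet-facing server.
# X-LINK2STATE is the extension named in MS05-021; the set itself is an
# assumed local policy and should be adjusted to your environment.
RESTRICTED_ON_EDGE = {"X-LINK2STATE"}

# Constructed sample of an EHLO reply (not captured from a real server).
SAMPLE_EHLO_REPLY = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-X-LINK2STATE\r\n"
    "250-AUTH LOGIN\r\n"
    "250 OK\r\n"
)

_REPLY_LINE = re.compile(r"^(\d{3})([- ])(.*)$")


def parse_ehlo_reply(raw):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l]
    extensions = {}
    for index, line in enumerate(lines):
        match = _REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError("not a successful EHLO reply: %r" % line)
        _, sep, text = match.groups()
        is_last = index == len(lines) - 1
        # "250-" marks a continuation line, "250 " marks the final line.
        if (sep == " ") != is_last:
            raise ValueError("malformed continuation at line %d" % (index + 1))
        if index == 0:
            continue  # first line is the server greeting, not an extension
        words = text.split()
        if words:
            extensions[words[0].upper()] = words[1:]
    return extensions


def restricted_extensions(raw, restricted=RESTRICTED_ON_EDGE):
    """Return the sorted restricted verbs that the server advertises."""
    return sorted(restricted & set(parse_ehlo_reply(raw)))
```

Run it against the EHLO reply of each Internet-facing server you operate; an empty list means none of the verbs in your policy set are being advertised to connecting clients.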

posted @ Wednesday, April 13, 2005 2:02 AM | Feedback (0)
Shirts vs. Skins

I've taken the plunge into learning how to create skins for Community Server. My first attempts will be aimed at getting the basic aggregator pages modified to fit 3Sharp as part of our pending upgrade from .Text to CS, coupled with some custom blog skins. I've also got some work to do for my personal blog, which is going to be part of a larger community of blogs, galleries, and shared forums whose other members will include my wife. That's a lot of skins.

The goal is to be able to start writing and posting some decent tutorials and references that will fill in the gap for the lacking documentation. That's part of the fun of being a tech writer; you see great software that is missing equally good documentation and your fingers itch to start writing.

In the meantime, let me leave you with my current list of CS add-ons, skins, and tutorials since the doc wiki doesn't seem to be updated that much. I really don't like wikis to begin with; if I want someone to come along and edit my work, it'll be someone like Phil in whose skills as an editor I have faith. I've done them as an article so I can come back later and easily keep it up-to-date.

posted @ Friday, April 08, 2005 1:10 AM | Feedback (3)
My contribution to the Notes roadshow

I made a small and unintentional contribution to the Notes roadshow just now. John, Paul, and Greg are currently in Washington, D.C. giving a demo; I'm at home, working away on some papers when my phone rings. I can see from the Caller ID that it's from Microsoft, and it turns out to be Paul.

Paul was talking to me through his Thinkpad laptop, having clicked on my contact info in Outlook to link up via a PSTN gateway (he was surprised to have me actually pick up since he wasn't expecting the gateway to be live, but we rolled with the mutual surprise). There was a weird sort of lag where I could hear my voice being replayed in the background, but it wasn't too bad, considering how really cool the whole thing was. Open your laptop, click on a contact, be talking to them even though they're using a POTS line.

If you have a Lotus Notes deployment and are interested in getting the most out of it in conjunction with Windows and Office, you really need to see this event. I think you'll find at least one cool and valuable thing to take away from it, and knowing the guys at the office like I do, you'll find more than one. And if your surprise live demo person says that, you know it has to be true.

posted @ Thursday, April 07, 2005 11:27 AM | Feedback (3)
Keeping up with Microsoft

Keeping up with Microsoft security and support information can be tricky, but Microsoft provides quite a few useful websites and tools you can use to make the job easier.

  • The Microsoft Security Site. This site gives you links into Windows Update, Office Update, the latest security incidents, and even an RSS feed for the latest security updates.
  • Pre-canned KB searches. This is probably my favorite tip, because I spend a lot of time digging around in the Knowledge Base to find the details I need for the projects I work on. I'm sure you already know about the Knowledge Base. It's great when you know your problem and need a solution, but trying to use it to browse information is like drinking from a firehose. The Microsoft Support site offers a variety of pre-canned searches that help you save time. You can bookmark these searches and know that you'll have all the relevant KB articles at your fingertips. Unfortunately, they're somewhat difficult to find; the only one I currently have bookmarked is a list of post-SP1 hotfixes for Exchange 2003.
  • Product Solution Centers. Microsoft provides a handy central hub for all of their product solution centers. You can go to the hub at http://support.microsoft.com/gp/selecthub or you can bookmark the centers for the products you're running.
  • RSS Feeds. Hey, I just learned this one myself! Microsoft offers RSS feeds for new KB articles, organized by product. Get the list at http://support.microsoft.com/selectindex/?target=rss and add your product feeds to your favorite RSS aggregator.

If you've got any more useful sites, tools, and techniques for staying current, I'd love to hear about them. And send me any of the KB canned searches you can find; I'm collecting them into an article that I'll keep updated.

posted @ Wednesday, April 06, 2005 12:11 PM | Feedback (0)
News

Devin has moved on to new adventures. This blog is preserved for historical purposes.

Please follow his personal blog at: Devin on Earth


Virtual Devin