March 2006 Entries
DCAR ebook Chapter 4: Implementation part 1: People and processes

Chapter 4, Implementation part 1: People and processes, of my ebook on DCAR (Discovery, Compliance, Archival, and Retention) is now available for download. This ebook is published online by Windows IT Pro.

Before you spend a lot of time thinking about the specifics of your hardware and software design, you need to design your solution. This chapter reviews your business drivers, examines the scope of your efforts, and talks about how to get the right planning team selected. It also discusses how to examine your processes and ensure that your planning team covers all your needs.

All four chapters are a free download away (registration required) so please go download and enjoy. I'd love to hear your thoughts and feedback. Also, I'll be in Exchange Connections in Orlando in just a few days, and I'll be presenting a session that is a condensed version of this ebook. If you're going to be there, stop by and let me know what you think!

posted @ Friday, March 31, 2006 12:01 PM | Feedback (0)
An update on Windows Mobile 5.0 certificates

A month ago, I posted about some of the limitations of Windows Mobile 5.0's handling of certificates. In the comments, Exchange MVP Ben Winzenz informed me about a registry hack you can perform on your WM5.0 device that disables certificate checking. He posted more details on his own blog. This is pretty cool stuff, because it allows you to get SSL working even if your device doesn't have the root certificate used by your Exchange SSL cert, or if you're using a wildcard cert for Exchange (which many companies do).

However, there's still a fly in the ointment -- and that is that not everyone is going to be able to get to the registry. Ben and I are both using unlocked devices that give us management access to everything we need -- the registry, the Trusted certificate store (so we can load new trusted root certificates), RAPI for firmware updates -- to completely control our devices. Many of the users who will be buying devices from Verizon, T-Mobile, Cingular, and other carriers won't be so lucky. Their devices will be locked; they won't be able to mess with the registry, and many carriers are not rolling out the utilities to update the root certificate store, so they'll be stuck with whatever CAs the carriers see fit to include.

Windows Mobile 5.0 is a great step forward, don't get me wrong. I use it and love it, especially now that I have upgraded to the MSFP. However, it is important to remember the business model used for WM differs from standard Windows. Windows Mobile is not sold to end-users; it is sold to device manufacturers and telco carriers/operators. They are the ones who decide what the final feature loadout will be and how the devices will be configured, not the people who purchase them.

The moral of the story? Choose your OEMs and carriers carefully. Get test units and make sure you're going to be able to get all the features you need working before doing a full deployment. If your carrier doesn't offer a configuration that meets your needs -- or won't work with you to get the tools you need to modify the configuration -- then find someone who does.

posted @ Thursday, March 23, 2006 11:54 AM | Feedback (2)
Beat Exchange Event ID 9548!

Sooner or later as an Exchange admin, you want to disable a mailbox-enabled user account in Active Directory while keeping the associated mailbox intact. Up until now, this caused problems, because as soon as the account was disabled, any mail sent to that alias (or any DL containing that alias) would generate an NDR and a 9548 event ID.

Fatal? No. Pain in the butt? Definitely. In some cases it could cause performance issues, the NDRs were annoying and confusing for non-technical users, and the constant nagging in the event log irritated admins left and right.

In fact, it was a widespread enough problem that Alex Seigler of Microsoft wrote the NoMAS tool, which is available from Microsoft PSS. This tool automatically populates the msExchMasterAccountSid attribute on disabled user accounts.

With this new hotfix, Exchange’s internal logic has been changed to automatically act as if the msExchMasterAccountSid attribute on a disabled account contains the SELF well-known SID if the account doesn’t have the attribute already defined.

Note: this hotfix is currently available only for Exchange 2003 SP1; you can’t apply this to systems that are already running SP2. An SP2 version is expected soon.

Alex has written a blog article on the MS Exchange team blog about this if you want more detail. Note that the original article doesn’t state that this hotfix is for SP1 only; you have to read down in the comments to see that. I also don’t see any indication that this hotfix will be available for Exchange 2000…and I’m not holding my breath. Still, this is a welcome hotfix, and it’s a simple no-charge call in to PSS to get it.
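
To see which accounts are affected, the following added example (not from the original post, the NoMAS tool, or Microsoft) lists disabled, mailbox-enabled users and reports whether msExchMasterAccountSid is missing, set to SELF (S-1-5-10), or set to some other SID. It assumes PowerShell 3.0 or later on a domain-joined machine with read access to AD, and it uses `homeMDB=*` as the test for "mailbox-enabled"; the function name is hypothetical.

```powershell
# Added example. Assumes a domain-joined machine and read access to AD.
$SelfSid = 'S-1-5-10'   # well-known SID for SELF

# userAccountControl bit 0x2 = ACCOUNTDISABLE (LDAP bitwise-AND matching rule);
# homeMDB=* is used here as the "mailbox-enabled" test (an assumption).
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=2)(homeMDB=*))'

function Get-DisabledMailboxSidState {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $filter
    $searcher.PageSize = 500   # paged search, so results are not cut off at 1000
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'distinguishedName', 'msExchMasterAccountSid'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Result property names are stored in lower case.
            $raw = $r.Properties['msexchmasteraccountsid']
            if ($null -eq $raw -or $raw.Count -eq 0) {
                $sid   = $null
                $state = 'Missing'          # the case the hotfix treats as SELF
            } else {
                # The attribute is a binary SID; convert it to S-1-... form.
                $bytes = [byte[]]$raw[0]
                $sid   = (New-Object System.Security.Principal.SecurityIdentifier `
                              -ArgumentList $bytes, 0).Value
                $state = if ($sid -eq $SelfSid) { 'SELF' } else { 'OtherSid' }
            }
            [pscustomobject]@{
                Account          = [string]$r.Properties['samaccountname'][0]
                State            = $state
                MasterAccountSid = $sid
                DN               = [string]$r.Properties['distinguishedname'][0]
            }
        }
    } finally {
        $results.Dispose()     # release the underlying search handle
    }
}

Get-DisabledMailboxSidState | Sort-Object State, Account | Format-Table -AutoSize
```

Accounts reported as `Missing` are the ones that, on a server without the hotfix, produce the NDRs and 9548 events described above.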

posted @ Wednesday, March 22, 2006 8:30 PM | Feedback (0)
Book signing in Orlando
Paul, Missy, and I will all be speakers at this spring's Exchange Connections 2006 conference, held at the Walt Disney Swan Hotel in sunny Orlando this April 9-12. Not only will we have 8 sessions of Exchange goodness to share with you, we'll also be having a book signing at the conference bookstore. Come find us at 3:30pm on Monday, April 10th -- if you're going to be at Connections, I'd love to hear from you!
posted @ Wednesday, March 22, 2006 8:00 PM | Feedback (0)
A good regulatory compliance resource

I know I've been on a Windows Mobile kick for the past few days, but it's not all I've been doing. I just recently turned in the final draft of Chapter 4 of my DCAR (Discovery, Compliance, Archival, and Retention) ebook to my editors at Windows IT Pro, so I expect to be seeing that go live on the website in the very near future. As always, I'll let you know once I know it's up.

This chapter was a very difficult one to write, because it (by design) had very little to do with technology. The technological challenges of DCAR -- especially the regulatory compliance aspects of DCAR -- get a lot of airtime in our industry; we're a tech-oriented industry, and frankly, tech solutions are a heck of a lot easier to figure out than people and process problems.

So, chapter 4 is all about people and processes. I have a fairly firm theory: any time you have an issue and need to make a change, it is either going to be a process change or a tech change. You won't have to do one or the other -- and if you find that you do, it has been my experience that you're really making two changes, or solving two problems, at once. This leads directly to a quote from Exchange MVP Ed Crowley:

There are seldom good technological solutions to behavioral problems.

One of the groups I've worked with at Microsoft, Microsoft Solutions for Security and Compliance (MSSC), is spending a lot of time focusing on regulatory compliance as a pain point for their customers. Via their secguide blog, I recently discovered the Regulatory Compliance blog, which is turning out to have some interesting and thought-provoking posts from a variety of really smart and talented people. Give it a look-see.

I'd like to highlight one recent post of note: Regulatory Compliance Planning Guide Beta Coming. I eagerly await this guide; I think it's going to be chock full of the same kind of crunchy usefulness as previous guidance produced by MSSC. Paul and I worked with them last fall to help produce the Windows Server 2003 Security Guide v2.0 and the Threats and Countermeasures Guide v2.0.

Don't forget to check out the secguide blog as well; they have a lot of interesting and useful security content, much of which is applicable to DCAR solutions and concerns.

posted @ Friday, March 10, 2006 8:59 AM | Feedback (0)
Exchange 2003 SP2 and Windows Mobile 5.0 MSFP first impressions

Wow. What a difference my little experiment yesterday is already making.

I've got my Qtek 9100 set to pull up Google as the home page. Previously, it could take 30-60 seconds to establish the initial connection, then resolve DNS and pull up the content. Now, it takes 3-5 seconds. Holy smoke! So I wanted to throw a harder test at it; last weekend, when I was out and about with the family, we ended up down near Boeing Surplus, so I pulled up their web page on my Qtek so we could swing by and look for goodies. It took about 2 minutes to pull their page up. This morning, it took 30 seconds. Definitely slower than it would be on a desktop, but again it is remarkably faster now.

And Direct Push is a dream -- email hits my device and Outlook at just about the same time. This is some good stuff -- nicely done, Microsoft!

posted @ Wednesday, March 08, 2006 7:52 AM | Feedback (0)
Kids, don't try this at home!

Today, I did something I'd never done before. It was risky and a bit scary, and I don't recommend it as a general procedure for everyone. Yes, I upgraded my Qtek 9100 to AKU2, better known as Windows Mobile 5.0 with the Messaging and Security Feature Pack. What made it risky was that Qtek hasn't provided AKU2 ROM images yet; I upgraded to the images released by I-mate for the K-JAM, which is the same hardware under the hood (same as the HTC Wizard). They only vary in the specifics of the software their vendors bundle on them, with minor differences in features.

If you're interested in why I did this, and how I did it, you can read all about it either online or via Word doc.

posted @ Tuesday, March 07, 2006 8:43 PM | Feedback (2)
Short reaction: Qtek 9100 Windows Mobile 5.0 Pocket PC

This isn't a full review, but I wanted to at least get some reactions down sooner rather than later.

In general, I really like the device. I've been unhappy with the increasing trend toward smaller and smaller devices, so the size and weight seem just about right to me. The belt case it comes with is adequate and is my preferred way to carry it (since it has a sturdy belt clip and a magnetic flap that actually works), so I don't have to worry about the logistics of carrying it in a pocket.

My biggest complaint about it is probably that it feels slightly unstable. I've been having constant problems with the GPRS service only working until I plug it in for a recharge, at which point it says it is connected but is no longer actually passing data (email won't sync, DNS won't resolve) and I have to completely reboot the device to get it to work. It also seems very sluggish and slow at times, and I find myself having to reset it on average once every other day. Other than that, though, I like how it works. The keyboard is great -- I've built up a decent amount of speed quickly -- and the stylus is conveniently placed. Windows Mobile 5.0 seems a lot nicer to work with than earlier versions, and I like it a lot better than the various versions of Palm OS I've used. It's nice to have Outlook on my device and not have to worry about contact synchronization weirdness.

The wired stereo headset that came with it scraped up my ears, so I punted and got a Motorola Bluetooth headset. That's been an interesting experience worth a separate blog posting.

I suspect that I will find a lot of my problems will just go away once I find a reliable set of ROMs to upgrade the device. Once I've done that and had a chance to compare, I'll write the full review.

posted @ Sunday, March 05, 2006 9:51 PM | Feedback (2)
Search your AD quickly and easily

If you're trying to search to see which object in AD holds a particular property, then Exchange guru Jim McBee's post on solving the "email address already exists in this organization" error should be a big help.

Using the custom search functionality, you can search for any arbitrary property or build your own complex query. Jim shows you how to find SMTP addresses added by Exchange, but you can adapt it to just about anything, as long as you know the right properties to search for.
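
The same kind of search can be scripted. The following is an added example, not taken from Jim's post or from this blog: it asks a global catalog which object already holds a given SMTP address in proxyAddresses, and it escapes the address per RFC 4515 so that characters such as `*` or `(` in the input cannot change the meaning of the filter. The function names and the sample address are hypothetical; PowerShell 3.0 or later on a domain-joined machine is assumed.

```powershell
# Added example. Escape a value for safe use inside an LDAP search filter
# (RFC 4515): backslash, asterisk, parentheses and NUL become \xx hex escapes.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\{0:x2}' -f [int][char]$m.Value
    })
}

function Find-AdObjectByProxyAddress {
    param([Parameter(Mandatory = $true)][string]$SmtpAddress)

    # Search a global catalog so every domain in the forest is covered.
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $searcher = $forest.FindGlobalCatalog().GetDirectorySearcher()

    # Matching on proxyAddresses is case-insensitive, so this finds both the
    # primary (SMTP:) and secondary (smtp:) forms of the address.
    $safe = ConvertTo-LdapFilterValue -Value $SmtpAddress
    $searcher.Filter   = "(proxyAddresses=smtp:$safe)"
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('distinguishedName', 'objectClass', 'proxyAddresses'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $classes = @($r.Properties['objectclass'])
            $entry   = @($r.Properties['proxyaddresses']) |
                       Where-Object { $_ -ieq "smtp:$SmtpAddress" } |
                       Select-Object -First 1
            [pscustomobject]@{
                DN          = [string]$r.Properties['distinguishedname'][0]
                ObjectClass = [string]$classes[-1]      # most specific class
                IsPrimary   = ($entry -clike 'SMTP:*')  # upper-case prefix = primary
                Entry       = [string]$entry
            }
        }
    } finally {
        $results.Dispose()
    }
}

# Constructed sample address, for illustration only.
Find-AdObjectByProxyAddress -SmtpAddress 'jane.doe@example.com'
```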

posted @ Sunday, March 05, 2006 3:11 PM | Feedback (0)
News

Devin has moved on to new adventures. This blog is preserved for historical purposes.

Please follow his personal blog at: Devin on Earth


Virtual Devin