Site Sections
Posts
254
Comments
120
Trackbacks
120
October 2006 Entries
Costumes for servers

One of my hats here at 3Sharp is as sysadmin. We don't want me doing it full time, but every now and then there's a task that needs to be done and I have a couple of hours free in which to herd servers. Today was one of those days; we've been slowly amassing a pile of rackmount server hardware, and it's been piling up on a plastic banquet table in my office. Needless to say, four Dell PowerEdge servers, a KVM, and the necessary monitor/keyboard/mouse/hub/cables take up a bit of room (not to mention the noise that the Dells make!) At the same time, we had a handful of 1U HP servers in an old half-cabinet rack that used the old telco-style mounting posts instead of the newer square-hole mounting posts.

I figured that today was a good day to get the servers out of my office and into a proper new rack. It would be like a costume for them -- they'd get a chance to look like servers in a real IT organization:

image

But before you start thinking that they're really cute, consider how scary they'd be in the dark:

image

Okay, so it's really more of an excuse to play around with Paint.NET, the free .NET-based photo manipulation software I told you about last week, not really a serious IT-related post, but if you can't post a couple of pictures on Halloween, when can you? .NET was very easy to use -- the alpha version I used even detected a newer version was available and offered to let me download it -- and was the perfect tool to use to turn the pictures from my Qtek 9100 WM 5.0 PocketPC into blog fodder.

posted @ Tuesday, October 31, 2006 6:29 PM | Feedback (0)
Community Server 2.1 SP1 is now available

Community Server 2.1 Service Pack 1 is now available for download. This SP fixes bugs, increases security, and provides feature enhancesments.

Some of the notable fixes include:

  • CSS fixes and improvements for blog skins
  • Performance increases in the TinyMCE editor, aggregate blog caching, stored procedures
  • Security bugfixes, including a potential cross-site scripting issue

If you're using CS 2.1, Telligent recommends that you download and apply this SP.

posted @ Tuesday, October 31, 2006 11:55 AM | Feedback (0)
Want to present at Exchange Connections?

Paul has just posted the Call For Proposals for Exchange Connections 2007 in Orlando. If you've ever thought about getting involved in the highly glamorous, lucrative life of a technical presenter, here's your chance! Obviously, they'll let anyone in -- look at me!

In all seriousness, if you've got ideas for topics that you think other Exchange admins need to know about or could make their lives easier, follow Paul's directions and send them in. You don't have to send in highly polished proposals; a paragraph or two for each proposed session is more than sufficient.

posted @ Friday, October 27, 2006 1:30 PM | Feedback (0)
The 64-bit Vista Kernel furball

You may have heard that there's been a storm in the trade magazines in recent weeks because certain major security software vendors are throwing what, in my humble opinion, essentially amounts to a tantrum over the PatchGuard security functionality in the 64-bit version of the forthcoming Windows Vista operating system. The whole point of PatchGuard is to close off any unauthorized, undocumented access to the kernel. This protects against threats such as rootkits, but it also turns out to protect against certain techniques that are used by some security vendors to install their protective software. They've cloaked their protests as protests about Microsoft abusing its monopoly yet again (claiming to be worried about the unfair advantage that Microsoft's new OneCare security offering will have in the market), but many people out there (both inside Microsoft and out) have pointed out that the screams of woe and agony seem more likely to come from other motivations.

(I find it personally amusing that the two vendors crying the loudest and making the most noise about this issue are the two whose products I have personally found, over the years, to be the most de-stabilizing and useless security software packages that users can ever install on their system. There are plenty of my peers who would agree with that assessment -- and to be fair, plenty who don't. Nevertheless, this does not stop me from immediately uninstalling these products whenever I encounter them on a system that is having issues. I have yet to find that this step fails to provide better security and stability in the end. In one memorable case, it put an end to one user's need to perform a fresh reinstall of her copy of Windows on a monthly basis.)

On October 20th, Microsoft's Jim Allchin wrote an open letter to Microsoft customers, partners, and vendors to clarify Microsoft's position on the 64-bit PatchGuard brou-ha-ha. Go read it now, because I'm not going to summarize it here. Instead, I want to publicly thank Mr. Allchin for an unambiguous, well-thought, customer-focused response. Their "no exceptions" policy has now been publicly stated to apply to Microsoft first, giving us a clear metric of how we can judge their commitment to security.

Make note of any vendors who continue the FUD from this point on -- they're vendors whose products probably deserve to be given a wide berth. Instead, look for the vendors who spend their energies figuring out how to better protect your system and providing innovative services worth purchasing instead of trying to point fingers at Microsoft.

posted @ Wednesday, October 25, 2006 4:38 PM | Feedback (0)
Exchange SMTP virtual servers

Every now and then we find ways to forcibly remind ourselves of the basics. I had such a moment yesterday morning, and if my screwup can help someone else then it may have been worth it.

Sunday night I was troubleshooting some SMTP injection problems on my home network, and I was making changes to the configuration of my Exchange 2003 SMTP virtual server. At one point, I stopped the SMTP virtual server instance in the Exchange System Manager and was preparing to restart it when I decided that since I had email temporarily stopped anyway, I might as well take a few minutes and apply some patches. Ten minutes later, the patches were in place, the system looked good, so I rebooted the server. I stayed around just long enough to ensure that the system booted back up and that I could get to my mailbox, then I went to bed.

Monday morning, I got an IM from my wife telling me that she only had two spam messages in her Inbox. Since she's on a couple of busy email lists, this was a good sign I'd broken something...and I immediately knew what it was.

On Exchange 2000 and 2003, the SMTP stack is made up of the IIS SMTP service (SMTPSVC) combined with several transport event sinks that add in the extended Exchange functionality. Each SMTP virtual server on the machine is another instance of the SMTP service. When you stop the SMTPSVC using net start or the Services Control Panel, you stop the base SMTP service, and all of the virtual servers are shut down. Should you reboot the server, the SMTP service will restart according to the state of the service (it's set to Automatic by default), and all of the virtual server instances will also restart.

However, when you stop an Exchange SMTP virtual server instance via the ESM, you've only stopped that instance, just like stopping a web site in the IIS management console persists across restarts of the W3SVC. So when I ran updates and rebooted, I'd failed to restart the virtual server, and it sat there not running until I logged in yesterday morning and turned it on. No permanent harm done, an easy enough fix, and I even got a blog post out of it. My pain for your gain.

This is a design artifact of the IIS-based infrastructure I will not miss once we move to Exchange 2007, BTW. The new receive/send connector architecture makes multiple SMTP virtual servers a thing of the past. Of course, the times you'd want to use multiple SMTP virtual servers in Exchange 2003 were a lot fewer than most people thought, because they never worked the way most of us would at first assume they did. I remember the first time I had to deal with the concept that I could configure multiple SMTP virtual servers on a machine, set to different ports, and that they wouldn't be able to communicate with each because they used the network interfaces to do it. Since SMTP expects to be used over port 25, you were pretty much limited to binding virtual servers to specific virtual interfaces. Exchange 2007's receive connectors make all that a thing of the past; they are multiple pathways (with separate configuration sets) into the same hub transport goodness, allowing the SMTP submission port 587 architecture to not only be possible, but so easy that it's included out of the box.

posted @ Tuesday, October 24, 2006 11:46 AM | Feedback (1)
Exchange 2007, the OWA experience, and AJAX

If you haven't had a chance to use Exchange 2007 Outlook Web Access (OWA) yet, you're missing a treat. As one of the partners here told me the other day, "It's just like Outlook!"

As was the case in Exchange 2003, OWA has two modes: a rich client mode when run on supported versions of Internet Explorer, which gives the full user experience, and a fallback mode (referred to in various places as the "reach" client, apparently because it's reaching out to everyone else) that has more limited functionality but gets the basics taken care of. Exchange 2007 OWA continues with this dual-world approach; Users with IE on Windows get the full rich "I can't believe it's not Outlook!" experience.

Before I go any further, I want to make it clear that Exchange 2007 OWA rocks on toast in both modes. OWA has always been one of my "run in IE if at all possible" web applications, as the Exchange 2003 implementation of OWA was good enough to do a quick email or contact lookup in, but wasn't robust enough for my day-to-day email habits. In contrast, I've spent many weeks on various projects where I was logged into Exchange 2003 OWA all day long as my primary mail client, and not really suffered for it. From the testing I've done on Exchange 2007 OWA so far, this will only improve in both cases. The non-IE version is such a better experience.

However, this is one area where I think the Exchange 2007 team needs to concentrate some effort and produce some updates as quickly as possible, because given the rise of AJAX, the excuses for having the two-tiered level of support break down to "IE on Windows" and "everything else" become a lot less convincing.

If you've taken a look at some of the software being produced in the collaboration suite market these days (Zimbra comes to mind), it's obvious that one of the main competitive points against the entrenched market leaders is the user experience. Zimbra, in particular, has a particularly rich web UI that works well in just about any of the leading browser/platform/version combinations.

Regardless of the technical merits, there are a lot of people out there who are convinced *now* that IE is an insecure platform and that it is too hard to properly secure. These are not the people who are waiting with baited breath for IE7 so they can ditch their corporate investment in deploying and securing alternative browsers such as Firefox and Opera. There are some days, where, reading the various pitches, it seems that Exchange marketing thinks that the promise of a better OWA experience will somehow lure these users back to IE. Color me doubtful.

There are times when it seems like Microsoft's emerging "Better together" strategy suffers some gaping holes in communication, and the OWA/IE divide seems to be one of them. Firefox, Opera, and Safari all offer good CSS and JavaScript support; it's not hard to understand why some people feel that Microsoft is making a deliberate attempt to leave them as second-class citizens. It doesn't help when you see announcements such as the relase of ASP.NET AJAX Beta 1. If the ASP.NET team can produce easy-to-use components that allow rich AJAX applications, the casual viewer starts to wonder, why can't Exchange leverage those components and provide first-class support for alternative browsers?

Never ascribe to malice what can be explained by inertia. Let's face some realities here:

  • The ASP.NET AJAX beta has just recently been released. Exchange 2007 OWA has been under development for quite a while now. They couldn't very will sit and wait for the AJAX components to be released before beginning development work.
  • Exchange moves to a different project schedule than ASP.NET does. It's probably really bad project management to sync such a large piece of Exchange 2007 to components that are being developed outside of the control of the Exchange group, because now a key piece of functionality is outside of your control. It's really, really difficult to make meaningful estimates on how long development will take under those conditions, and Microsoft gets a bad rap for slipping ship dates as it is.
  • As the Exchange team has pointed out, it takes more testing resources to be able to run the battery of tests that the rich client OWA is subjected to against a large matrix of browsers and operating systems. On the other hand, I'm personally far less sympathetic to this point because clearly their competitors are managing to do it. Even IBM's Workplace offering is fairly browser-agnostic.

Now that the ASP.NET AJAX controls are coming to fruition, I for one certainly hope that the Exchange team can retrofit those controls back into OWA. That may be a major engineering task -- a daunting one -- but I think that it will produce some important wins for Microsoft as a whole far beyond the immediate concerns of "how many additional seats will this allow us to sell?" The main benefit I see is yet another blow to the claims that Microsoft is only interested in promoting its own technologies at all costs. There are some great features in IE that the Exchange team could extend with in the spirit of "Better together" without sacrificing good user experience for Firefox, Opera, and Safari users, still providing a compelling reason to use IE. (The RSS integration, for one, makes me think cool thoughts, especially when Exchange 2007 is accessing SharePoint 3.0...)

The other major benefit is that the Exchange team can certainly help give the ASP.NET AJAX controls a thorough workout. I bet they'd be a major source of bugs and enhancements, which would in turn eventually benefit every single developer and user in the .NET ecosystem. How cool would it be to know that ASP.NET AJAX powers Exchange OWA? Wouldn't that be a great dogfooding story for Microsoft to tell, to be able to evangelize?

posted @ Monday, October 23, 2006 7:44 AM | Feedback (1)
Free image manipulation software!

Every now and then, I need to work with images in a way that goes beyond the use of MS Paint. Unfortunately, 3Sharp hasn't seen fit to keep me updated with a license for the latest and greatest version of Adobe Photoshop, and I've never really liked using the GIMP or any of the other commercial contenders.

One of my favorite SF authors, John Scalzi, maintains not only his own popular blog The Whatever, but also does a paid blogging gig for AOL Journals (their version of blogs). This morning on his AOL journal By the Way, he linked to a free .NET image maniuplation program with some features that are usually the mark of more advanced packages, such as layers and built-in effects. It even includes a plug-in architecture.

image

I've not used it yet, but I'm downloading it right now and will let you all know how it goes. Frankly, while I love Photoshop, there's so much functionality I don't understand that I always feel slightly guilty for using it, like I'm somehow taking away a license that some genius kid in Portugal could be using to become thenext Einstein. Having a lighter alternative (less than 4MB download!) will be nice. I'll let you know how it goes.

Note: this only works on Windows machines, BTW, since it requires .NET 2.0. The download page has a link to a "full" version of Paint .NET that includes the .NET 2.0 runtime, if you don't already have it installed.

posted @ Monday, October 23, 2006 6:44 AM | Feedback (3)
Taming the HTC Wizard stylus

If you're the owner of an HTC Wizard mobile device (Qtek 9100, I-mate K-Jam, T-Mobile MDA Vario, Cingular 8125, Orange SPV M3000a, and more), then you may have discovered one of the few design flaws of the device: the fact that the stylus, after a few months, stops staying in the body of the phone. It's a bit disconcerting to go to pull your stylus out and find that it's not there anymore.

I've seen lots of people posting on the Net about it, and there have been a variety of fixes and work-arounds posted. Some people wrap the stylus with Scotch tape, thus making it a bit thicker. Other brave souls have opened their devices up and fixed the liner that causes the problem. I found a third solution that seems to be working for me, and since I haven't seen it anywhere else, I figured I'd share it. And for the faint of heart, it requires no alternations or additions.

My tip is very simple: extend the stylus to its full length before putting it back in the slot. Yup, that's it. The stylus on these devices telescopes slightly. For whatever reason, it fails to grip fully if I collapse the stylus first; by fully extending the stylus, I can get it to make a solid contact inside the case and not fall out.

As a note, not all the cases are alike. My wife's Cingular 8125, for example, has a nifty ridged lip design that helps hold the stylus in place from the top. I don't think she'll be suffering from this problem.

posted @ Sunday, October 22, 2006 1:45 PM | Feedback (0)
Your default Exchange 2007 hub transport receive connectors

Exchange admins are used to working with connectors -- SMTP connectors, X.400 connectors, and Routing Group connectors, plus other connector types that can be added to interface with specific foreign mail systems. Each of these connector types offers a myriad of settings that give you the ability to control the behavior of incoming and outgoing mail.

In Exchange 2007, Microsoft has further split connectors into receive connectors and send connectors. There are actually some very good reasons for this, but the simplest one is that it helps reduce complexity in your configuration tasks. If you stop and think about it for a moment, any SMTP mail server actually has to act as both an SMTP server (when it is receiving messages from other systems) and as an SMTP client (when it is sending messages to other systems). Moving to a separate send/recieve configuration scheme makes it a lot easier to tell Exchange precisely how you want it to behave, while minimzining the chances that you're going to change a parameter and cause unintended consequences.

In another stroke of brilliance, send connectors and receive connectors have different scopes. That is, they apply to different levels of object in your Exchange organization. Receive connectors apply to the specific transport server (hub and Edge) they are configured on. Send connectors, as I mentioned previously, apply to the entire organization. Again, if you stop and think about this for a minute, you can see the logic. Not only does this scope change again give you much more granular control over your organization, it allows for the easy implemention of a current best practice I previously mentioned: the authenticated SMTP submission port on TCP 587.

By default, when you install the Exchange hub transport role, it creates two default receive connectors out of the box. Since Microsoft's recommended deployment includes the Edge transport role (which must always be on a separate physical server from any other roles, not joined to the same Active Directory forest), they assume that you will have one or more Edge servers in your topology and these these servers will be taking care of transferring messages to and from anonymous hosts on the Internet. Therefore, the two default receive connectors are configured for authenticated SMTP transactions only:

  • Internal receive connectors are intended to receive connections from other Exchange servers (2007, 2003, and 2000) within your organization. They are configured to require the Exchange server authentication mechanism.
  • Client receive connectors are intended to server as a safe submisson port for clients using mailbox access protocols -- POP3, IMAP, and NNTP. They are configured to use TLS, Basic + TLS, or Windows authentication. These connectors are not available on Edge transport servers by design. I would guess this is because Edge transport servers cannot be part of the same AD forest as the Exchange organization and thsu don't have the necessary AD access to authenticate user accounts.

Looking at this more closely, it looks like Client receive connectors are intended to be published to the Internet via a proxy like ISA. I've poked around a little bit in the documentation and not seen what the recommendation here is, but I'll dig into it and see what I can find. I find it very heartening that Exchange 2007 is coming with support for the SMTP submission port standard.

posted @ Thursday, October 19, 2006 8:13 PM | Feedback (0)
Database and disk spindle management in Exchange 2007

When you're optimizing Exchange 2003/2000 servers for performance, one of the first places you look is at your disk configuration. As a rule of thumb, you want to get as many of the following components as possible reading and writing to separate sets of disk spindles (thus reducing contention):

  • The operating system
  • The Exchange binaries
  • Logs (protocol logs, etc.)
  • Mailbox/PF databases
  • Mailbox/PF database transaction logs (by storage group)
  • SMTP queue directories

Under Exchange 2003/2000, the SMTP queues are a set of directories that are by default located on the same disk you installed Exchange to.

Under Exchange 2007, things are a bit different. You still want to minimize contention for disk spindles by moving as many of the above components to separate disks. In most cases, moving these components is quite a bit easier under Exchange 2007. If you follow Microsoft's recommendations and only create one mailbox database per storage group, you end up with a 1:1 relationship between databases and transaction logs. I was able to move the database and transaction logs on a new Exchange 2007 mailbox server with the following two PowerShell commands:

Move-StorageGroupPath `
  -Identity "SERVER\First Storage Group" `
  -LogFolderPath:"E:\First Storage Group" `
  -SystemFolderPath:"E:\First Storage Group" `
  -Force
Move-DatabasePath
  -Identity "SERVER\First Storage Group\Mailbox Database" `
  -EdbFilePath:"F:\First Storage Group\Mailbox Database.edb" `
  -Force

Note: PowerShell uses the backtick as its line continuation character. I'm not sure why they couldn't use the underscore and stay consistent with .NET, but now you know.

The -force parameter tells Exchange that yes, I really mean to do this and stop prompting me to verify that I want to move these files, that yes I know I'll be interrupting service to users of this storage group/mailbox, etc. Exchange will automatically dismount the affected databases, move them to their new location, then remount them. Very easy -- much easier than in previous versions of Exchange.

Queues, on the other hand, get a bit trickier. On the brilliant side, queues are now ESE (the database formerly known as Jet) databases instead of directory structures on the filesystem. I'd imagine that this makes the dynamic creation/removal of queues happen a lot more quickly, since you're now serializing all of your I/O, reusing file handles, and avoiding the hassle of having to deal with file/directory metadata. If I could move the queue database as quickly and easily as I can move mailbox databases, my blog post would come to a rapid, joyous conclusion.

Alas. It's a bit more complicated than that.

There is no PowerShell cmdlet to move the queue database; instead, you have to follow these steps:

  • Create the target directory and give it the proper permissions. If the parent directory already has the proper permissions, then Exchange will create the actual directory for you.
  • Open the >Exchange install directory<\Bin\EdgeTransport.exe.config file (Notepad will work).
  • Modify the QueueDatabasePath and/or QueueDatabaseLoggingPath parameters to point to the new location.
  • Save and close the file.
  • Restart the Microsoft Exchange Transport service.

Don't believe me? You can verify for yourself; the process is outlined in the Exchange 2007 Beta 2 documentation topic How to Change the Location of the Queue Database.

Full kudos to the Exchange team for moving the queues into an ESE database -- but I'm confused why we aren't able to manage that database using the same, simple PowerShell methodolgy. Can anyone shed light on this seemingly incomprehensible design decision?

posted @ Thursday, October 19, 2006 7:41 PM | Feedback (4)
Exchange Connections is coming!

October is rapidly coming to a close, which means we're coming up on the fall Exchange Connections conference in Las Vegas. We're going to have a lot of good Exchange 2007 content there, but don't worry; we're not abandoning Exchange 2000 and Exchange 2003 users! I'll be reprising my All About Sender ID session from Orlando this past spring, as well as doing two new sessions: Getting Rid of PSTs and Testing Your Mail Hygiene Solution.

This conference is actually going to be my first real vacation in a long time, too. My wife and I are leaving the kids in good hands and she's coming to Vegas with me, so we'll have a whole four days out of state without our (admittedly wonderful, though far too clever and stressful) children. This will be the first time since, well, ever. I'll be glad to have Steph along for my first foray into Sin City, and it will help relieve a lot of my typical travel stress to have her along.

If you're going to be attending, drop me a note -- I'd love to hear from you. More importantly, if you've got a question or comment about my proposed topics, by all means let me know. I've still got time to fine-tune my presentations and I'm always eager for real-world feedback. Best yet, if you come to one of my sessions, I'll be giving out copies of the Exchange Server Cookbook again. Same deal as last time -- fill out and turn in your session evaluation and we'll draw them at the end of the session.

posted @ Monday, October 16, 2006 10:43 PM | Feedback (0)
News

Devin has moved on
to new adventures.
This blog is preserved
for historical purposes.

Please follow his
personal blog at:
Devin on Earth

Virtual Devin
Article Categories
Archives
Post Categories
Data Protection
DCAR
Exchange
Other
Security
Unified Communications
Windows