May 2008 Entries
One last quick tidbit: Exchange 2007 and Outlook Anywhere scalability whitepaper
A lot of you may have missed this: Microsoft just released a new white paper for Exchange, Outlook Anywhere Scalability with Outlook 2007, Outlook 2003, and Exchange 2007. This paper should give you some detailed guidance goodness on scaling your CAS servers, and also talks about the port exhaustion issues that lead to upper scalability limits.
posted @ Friday, May 09, 2008 5:07 PM | Feedback (0)
A certificate roundup

Certificates are one of the biggest issues I keep hearing about with Exchange and OCS, and apparently I'm not the only one. Fellow MVP Michael B. Smith has recently posted two blog articles on certs: how to use SAN certificates with ISA 2006 and other certificate limitations. However, he's got a couple of points on the second article that I'm confused about:

  • According to this announcement on the Windows Mobile team blog, Windows Mobile 6.0 and up do in fact support wildcard certificates.
  • The first point he makes is also a head-scratcher, because I've also heard this was an issue, but I'd also recently heard of a workaround for it:
    1. In Outlook, go to the properties for your Exchange account (Tools, Account Settings, select your Exchange account and click Change) and click More Settings.
    2. On the Connection tab, click Exchange Proxy Settings.
    3. Look for the field Only connect to proxy servers that have this principal name in their certificate and make sure it's checked (you may need to check the Connect using SSL only checkbox first).
    4. The value in this field should normally be set to msstd:server.external.fqdn, the FQDN the server is known as from the outside and that is the subject name of the certificate. So if my certificate was issued for 3Sharp, it would be msstd:mail.3sharp.com. To use this with a wildcard certificate issued to *.3sharp.com, this value would need to be set to msstd:*.3sharp.com.

      Let's try a diagram to make the point:
       [diagram image]

I'm doing more checking, trying to figure out what the deal is here; in the meantime, if you've got operational experience with either of these issues, please let me know.

At any rate, there are some more interesting factoids on certificates I've picked up:

  • If you want to use a certificate with the Exchange 2007 UM role, you need to have a certificate on the machine whose subject name matches the server's AD/DNS FQDN. It seems that you can't enable a certificate for the UM service using the Enable-ExchangeCertificate cmdlet if this does not match. Note that you can do this for other services, such as those hosted by the CAS role; the cmdlet performs different name checks on the certificate based on the services (SMTP, POP3, IMAP, HTTP, and UM) that you are enabling.
  • I've said it before, but it needs to be repeated: if you're not using the default self-signed certificate, simply use the Enable-ExchangeCertificate cmdlet to move all services to one or more additional certificates. Do not delete the default certificate; although in most cases Exchange will simply recreate it when the appropriate service is restarted, you can cause subtle errors that will take a while to figure out.
  • Learn more about certificate usage in Exchange in Creating a Certificate or Certificate Request for TLS.
  • And learn more about the Enable-ExchangeCertificate cmdlet.
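
An added example (not from the original post) of the first two points above, for the Exchange Management Shell: it checks the subject-name condition before including UM, then moves services to the new certificate and leaves the default one in place. The thumbprint is a placeholder, and the choice of IIS and SMTP as the other services is an assumption.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2007 server.
# Placeholder: substitute the thumbprint of the certificate you installed.
$thumbprint = '<THUMBPRINT-OF-NEW-CERTIFICATE>'

# Build the server's AD/DNS FQDN from the local host and domain names.
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = '{0}.{1}' -f $ip.HostName, $ip.DomainName

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint

# Pull the common name (CN) out of the certificate's subject string.
$cn = $null
if ($cert.Subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }

# Assumption: this certificate should serve IIS and SMTP in any case.
$services = 'IIS,SMTP'

# Only request UM when the subject name matches the server FQDN,
# since the cmdlet refuses to enable UM otherwise.
if ($cn -and ($cn -ieq $fqdn)) {
    $services += ',UM'
} else {
    Write-Warning "Subject CN '$cn' does not match '$fqdn'; leaving UM on its current certificate."
}

# Move the selected services to the new certificate.
# The default self-signed certificate is deliberately not removed.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services $services

# Review which certificate now carries which services.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, Services, IsSelfSigned, NotAfter
```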

More later!

posted @ Friday, May 09, 2008 4:55 PM | Feedback (1)
Doing UC in the Pacific Northwest

I've been sitting on a cool announcement for several days now, and I'm happy that it's now time to announce it.

I've been working with a group of people to get a new user group for Unified Communications (UC) put together here in the Pacific Northwest. While all of us are here in the Puget Sound area, our goal is to put in place a framework to empower a variety of events and meetings all throughout the region, not just based here in Seattle. Rather than be a typical boring user group with a jawbreaking acronym (PNWUCUG, which we do use), we're defining ourselves as people who do UC. This gives us a simpler name -- We do UC, hosted at ucdoers.org.

From our website:

We are the Pacific Northwest Unified Communications User Group (PNWUCUG) and we have a passion for UC. If you are one of the following, you could be one of us:

  • IT professionals in the Pacific Northwest who design, deploy, or manage Exchange Server, Live Communications Server, and Office Communications Server systems.
  • Developers who write or maintain solutions that integrate, extend, or provide UC capabilities to Exchange Server, Live Communications Server, and Office Communications Server and clients.
  • Industry experts with a recognized expertise in UC.
  • Hobbyists who are exploring Microsoft-based UC solutions.

One thing that's important for me to clarify -- my vision of this user group (which is echoed by the other folks who are getting it off the ground) is that it exists to support all Exchange, LCS, and OCS users, not just people running 2007 and doing the VoIP stuff. We may have a focus on UC, but that's mainly to align ourselves with the direction Microsoft is taking these products. If you're using Exchange, we want you to participate; we want to make sure we have content for you.

So, if this sounds like goodness to you, head on over to the blog for the announcement of our May 28th kick-off meeting at The Parlor Billiards & Spirits in Bellevue, WA. For those of you who can't be there in person, we're even going to have a Live Meeting feed for you -- how cool is that?

posted @ Tuesday, May 06, 2008 10:19 AM | Feedback (0)
Post-Conference report

As I typically do, I'm posting links to my slide decks for the presentations I just finished giving. I apologize to the Connections folks; I was supposed to get this done Monday afternoon or Tuesday and got ambushed by a travel-induced migraine.

Orlando was nice this time of year; not too hot, so the humidity slipped under the radar. It was nice to see a bunch of familiar faces and meet some new ones, and I was very pleased with the attendance at all of my sessions. Doing all three sessions back-to-back is definitely a drain, but the conference organizers helped out a lot by keeping me in the same room for all of them, and had I stayed for a couple of days I'd definitely have had the fun of shuttling back and forth. And I have apparently finally beaten my notorious string of demo failures; my demo DPM environment (provided by Jason Buffington of Microsoft, thank you Jason) worked quite nicely.

For the MMS folks, I can't put my deck up directly; you'll need to get it from the MMS CommNet or wait for your attendee DVD to show up. Las Vegas is still completely over the top; the Venetian was opulent and provided a nice venue. For some reason, the casino didn't seem nearly as intrusive as it could have been (and is in other venues). I am, however, glad I had new shoes -- my feet didn't hurt from all the walking. For the flight home, I picked up 21: Bringing Down the House - Movie Tie-In: The Inside Story of Six M.I.T. Students Who Took Vegas for Millions at the airport and read it cover-to-cover; a great story told well.

posted @ Friday, May 02, 2008 1:16 PM | Feedback (2)
A DPM roundup

This was a big travel week for me; I got the privilege of speaking about protecting Exchange with DPM 2007 at both Exchange Connections (in Orlando) and Microsoft Management Summit (in Las Vegas). The session had a good response at both shows, and there's clearly a lot of buzz going around about DPM. I've gotten some good questions which I'll list here and update as I get answers.

  1. Q: Does DPM protect message tracking logs on an Exchange mailbox server?
    A: Very good question. My gut instinct is "No" but I need to confirm that. I'll post the confirmation in a separate blog article when I get an answer back.
  2. Q: Is there any good guidance on sizing a DPM installation?
    A: Yes. First see the Data Protection Manager 2007 Storage Calculator (currently only supports the Exchange workload), then see this third-party deconstruction. Note that the second post was written against an earlier release of the calculator, so is in need of some updating, but it's still a good read.
  3. Q: What kind of overhead does DPM incur?
    A: I have to admit that I don't remember the specifics of this question (this is why I strongly encourage folks to email their questions to me, as is the case with the following question -- thanks!); all I have is a cryptic note "CPU overhead" on my notepad. So, I'm going to assume that we're talking about the overhead of the protection agent on a protected server. And my answer to that is: Very good question; I need to get some specifics.
  4. Q: From e-mail: "Yesterday during MMS at the Advanced Exchange protection session you mentioned that you had created a white paper on getting DPM working with IBM’s TSM product. If you have a link to this I would be very grateful as I have not been able to find it currently and I am wanting to ensure that the way I have it set up and kind of working is the same way that someone else has been able to get it working."
    A: Unfortunately, I must have been unclear, for which I apologize. 3Sharp did work with Microsoft during the DPM 2006 timeframe to create several white papers on how to integrate DPM with several backup products: Commvault QiNetix, Symantec Backup Exec, Yosemite Backup, and Windows Backup. Unfortunately, Tivoli wasn't one of them, and I'm not aware of any current guidance that gives a complete end-to-end picture of integrating TSM with DPM 2007. However, the Backup of DPM Servers section in the DPM Operations Guide should be a good starting place.
  5. Q: Why can't I use DPM 2007 to recover to the Recovery Storage Group on Exchange 2003 servers, only on Exchange 2007 servers?
    A: Another great question, which I'm querying to find the answer to.
  6. Q: If I can use DPM 2007 to do document-level recovery in SharePoint, why can't I recover mailboxes or even messages in Exchange without having to use the RSG (for Exchange 2007) or ExMerge (for Exchange 2003)?
    A: There are two parts of this answer, but they both are based on the same premise: DPM does not use "privileged" information on the internals of other Microsoft applications it protects. When recovering documents from a SharePoint replica, DPM doesn't directly reach into the replica database and extract the information. Instead, it recovers the relevant databases to a temporary recovery SharePoint installation (which can be a single server SPS 3.0 install on a virtual machine, even if you're recovering data from MOSS 2007) and then finds the relevant documents using SharePoint's HTTP interfaces. With Exchange, the principle is the same; we recover the mailbox database to a parallel location (the RSG in Exchange 2007; a network folder in Exchange 2003) and then use the Exchange native tools to extract and import the relevant information. Trying to do direct restores of mailboxes or messages into a production database would involve going beyond the existing Exchange APIs. Personally, as an Exchange MVP I hope that Microsoft works on expanding those interfaces to make this sort of thing easier for all third-party vendors, but until they do, DPM plays by Exchange's rules.
  7. Q: You mentioned coming updates to DPM. Where can I find more info on that?
    A: Jason Buffington of Microsoft has you covered with this webcast.

That's a good start for now; catch you all later!

posted @ Friday, May 02, 2008 1:06 PM | Feedback (1)
News

Devin has moved on to new adventures. This blog is preserved for historical purposes.

Please follow his personal blog at: Devin on Earth

