July 2008 Entries
First Look at Microsoft Online Services: the Sign-In tool

Continuing from my previous post on MOS...

I didn't really mention this in the previous post, but MOS is designed to provide a hosted alternative to the server-side applications. One of the goals is to continue working with existing native clients and client access methods, so (for example) you can access your Exchange Online mailbox through OWA (running from MOS), through Outlook, or even through EAS/Windows Mobile. In order to do this, though, your client applications need to know how to talk to MOS and provide the proper credentials.

You can do this the hard way or the easy way. The hard way is running around and reconfiguring each application by hand and teaching your users how to use a separate set of credentials. The easy way is to use the MOS Sign-In tool, a little .NET 3.0 application that runs on the client desktop. It interacts with Outlook 2007 RTM/SP1, LiveMeeting 8, and IE7+.

When this application is run, it will invite the user to log on to MOS. The first time they do so, they're required to change their password. It then detects the appropriate applications, offers to configure them to work with MOS, and then just sits quietly on the desktop, providing a seamless SSO experience.

To be continued...

posted @ Monday, July 28, 2008 11:30 AM | Feedback (0)
First look at Microsoft Online Services: adding domains

I'm at an airlift here in Redmond for the new Microsoft Online Services (MOS), Microsoft's hosted services platform. Right now, MOS offers a combination of hosted Exchange (OWA, Outlook, and even EAS!), hosted SharePoint, and Live Meeting. We've just gone through an overview of the service, and it looks cool -- enough so that I'm now seriously considering switching my personal domains over to it (especially since they offer the ability to synchronize with your Active Directory deployment).

MOS is currently in beta and you can go sign up for a time-limited trial. There's only a certain number of trial accounts active at any given time, so your trial request may not be provisioned immediately; however, you can go to https://mocp.microsoftonline.com and sign up for one. You'll need a Windows Live account.

As you might imagine, MOS allows you to associate one or more DNS domains with your online account. When you register for your account, you're asked for a domain. This domain is not verified and, in fact, seems to be used simply as an internal administrative tag -- once your account and service is set up, you have to specifically add DNS domains. Adding them is a fairly simple process:

  1. Register your domain name with a registrar.
  2. Provision your domain with a DNS provider (often combined with step 1).
  3. Add the domain name to your MOS Admin Center.
  4. Run the verification wizard and add the auto-generated CNAME to your domain's DNS zone.
  5. Validate the domain in the MOS Admin Center.
  6. Start provisioning users with this domain, enable inbound e-mail on this domain, etc.

The verification step is an important piece, because this helps MOS make sure that you're using a domain you're actually in control of. Otherwise, malicious people could sign in and hijack your domain, which would suck. The way Microsoft does this is actually simple and elegant: they generate a unique CNAME record (that looks very much like a GUID), and ask you to add this CNAME record, pointing back to a server under their control, to your zone. This has lots of advantages:

  • It's pragmatic. If you can add a CNAME record to a zone file, you effectively control the domain.
  • It avoids the nastiness that can result in WHOIS-based verification and allows people who register domains to continue using proxy companies, hiding their personal info from WHOIS spammers.
  • It's relatively easy. You simply have to add a simple record to your DNS; if you can't do this (or your DNS hoster can't do it for you), then you have much bigger problems managing your DNS and verifying your DNS domain under MOS is the least of your problems.
  • It's low-impact. The generated CNAME is highly unlikely to be queried during normal operations by your users; only MOS is likely to be looking for it. It doesn't require you to repoint your MX records or otherwise make major modifications to your infrastructure if all you want to do is start using online SharePoint and Live Meeting.
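To make the check concrete, here is a small sketch of the provider side of this kind of CNAME verification. It is an added example, not Microsoft's code: the `DomainVerifier` class, the `verify.provider.example` target and the in-memory zone are all hypothetical stand-ins. The point to notice is that the random label is issued per account, so a second account claiming the same domain cannot ride on the record the real owner published.

```python
import uuid

# Hypothetical provider-controlled host that every verification CNAME points to.
VERIFY_TARGET = "verify.provider.example"

def norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.strip().rstrip(".").lower()

class DomainVerifier:
    def __init__(self, resolve_cname, target=VERIFY_TARGET):
        self._resolve = resolve_cname      # callable: fqdn -> CNAME target or None
        self._target = norm(target)
        self._pending = {}                 # (account, domain) -> random label
        self.verified = {}                 # domain -> account that proved control

    def start(self, account, domain):
        """Issue (or re-issue) the record this account must publish."""
        key = (account, norm(domain))
        label = self._pending.setdefault(key, uuid.uuid4().hex)
        return f"{label}.{key[1]}", self._target

    def validate(self, account, domain):
        """True only if this account's own label resolves to the provider target."""
        key = (account, norm(domain))
        label = self._pending.get(key)
        if label is None:
            return False
        answer = self._resolve(f"{label}.{key[1]}")
        if answer is None or norm(answer) != self._target:
            return False
        self.verified[key[1]] = account
        del self._pending[key]
        return True

def demo():
    zone = {}                              # constructed stand-in for example.com's zone
    resolver = lambda fqdn: zone.get(norm(fqdn))
    v = DomainVerifier(resolver)
    owner_name, target = v.start("owner", "Example.COM.")
    v.start("intruder", "example.com")     # same domain claimed from another account
    before = v.validate("owner", "example.com")      # nothing published yet
    zone[owner_name] = "somewhere.else.example."     # wrong target
    wrong = v.validate("owner", "example.com")
    zone[owner_name] = target.upper() + "."          # owner publishes the record
    intruder = v.validate("intruder", "example.com") # their label is not in the zone
    owner = v.validate("owner", "example.com")
    return before, wrong, intruder, owner, v.verified

if __name__ == "__main__":
    print(demo())
```
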

Note that just because you add a domain to MOS doesn't mean you have to use it for email! That's a separate operation, which is a two-step process of enabling inbound email for that domain and then updating your MX records appropriately.

More on other MOS functionality coming later...big thanks to the event staff for their kind permission for me to blog!

posted @ Monday, July 28, 2008 11:21 AM | Feedback (1)
DPM 2007 Rollup packages now available

While I was away on vacation last week, Microsoft finally released the DPM 2007 Rollup packages to Microsoft Downloads. (I blame Jason Buffington; I'm sure he waited until I was out of office.) There are both x86 and x64 packages; both require you to download three separate files.

In addition to various bug fixes, this rollup (also known as a "feature pack") provides the following new functionality:

  • Official support for protecting Windows Server 2008 servers (and supported applications, such as Exchange Server 2007, running on Windows 2008), including protecting the system state.
  • You get support for backing up clustered Virtual Server 2005 R2 SP1 environments. Before, the cluster itself was not seen as a cluster by DPM, and depending on your configuration you may have needed to do some funky scripting.
  • Better tape handling. You can now share tape libraries between multiple DPM servers, reducing the cost of long-term tape retention and allowing better utilization of high-end tape libraries. You can also put multiple protection groups on a single tape; DPM 2007 RTM would start a new tape as it began writing each protection group, even if the previous tape was not fully used. This could get expensive.

I haven't yet been able to confirm whether the cleaning tape bug Tim noted has been fixed in this update, but I suspect not.

Applying this update is a four-step process:

  1. Install the main DPM update (DataProtectionManager2007-KB949779.exe) on your DPM servers.
  2. Install the SQL Server update (SqlPrep-KB949779.msp) on the machine hosting the SQL Server database for DPM. In a default install, this is the same machine that is your DPM server.
  3. Update the agents on your protected servers to version 2.0.8107.0. You can push them out through the console or manually run the .msp update package on your protected machines (using any supported push mechanism). You will need to restart the protected machines for the new agent version to take effect.
  4. Install the DPM Management Shell update (DPMManagementShell2007-KB949779.msp) on all of your DPM management stations (including the DPM servers themselves).

Although the official instructions give the update steps in the previous order, I have run all three updates on my lab DPM servers before updating the agents on my protected servers, and as long as Microsoft doesn't say that's not supported, that's the way I'd recommend doing it -- that way, all of your PowerShell tasks are using the updates even if you don't have all the protection agents pushed out yet.

posted @ Wednesday, July 09, 2008 7:34 PM | Feedback (0)
News

Devin has moved on to new adventures. This blog is preserved for historical purposes.

Please follow his personal blog at: Devin on Earth

