Days in the Life of an IT Consultant

Integrating Outlook Web App 2010 with OCS 2007 R2

Johan Dreyer — Mon, 16 Nov 2009 17:24:00 GMT

Not many of us my know this yet, except for those with some product experience, but in Exchange 2010 Microsoft have changed the name of what we have traditionally know as Outlook Web Access to Outlook Web App. No worries though, its still abbreviated as OWA so our users won't be confused by it. The change in name is brought on by the new interface and host of additional freatures that have been added, one of which I will address in this post: Outlook Web App Integration with Office Communications Server 2007 R2.

So basically, now, with OWA 2010 we can integrate OWA and OCS so that the users who are logged into OWA 2010 have the ability, not only to work with their emails as everyone is used to, but also to see presence information and even exchange Instant Messages. Pretty cool huh?

So how do you do this you ask? Well its quite simple, really, but you do need to have the supporting infrastructure in place:

Exchange 2010
OCS 2007 R2

With those in place you can get started with the following Step-by-Step guide which was kindly provided by a colleage Gregory Horn for use in this blog post. Cheers Dude!!

Integrating Outlook Web App with Office Communications Server 2010

The technet article for how to do this can be found here. Although this article is pretty comprehensive, there are a few "gotcha's" we came accross prompting this blog post.

So now, down to the step by step:

1. Download the Office Communications Server 2007 R2 Web Service Provider from here.

2. Download the Office Communications Server 2007 R2 hotfix KB968802

3. Copy both the downloaded files onto the server which is running the Exchange 2010 Client Access Server role

4. (on the Client Access Server) Run CWAOWASSPMain.msi which you downloaded in step 1

5. Find the directory where the files from CWAOWASSPMain.msi were placed. The default is C:\Web Services Provider Installer Package\

6. Double-click on vcredist_x64.exe and follow the default installation steps

7. Double-click on UcmaRedist.msi and follow the default installation steps

8. Open a command window using "Run as Administrator" and run CWAOWASSP.msi

9. If you are running Windows Server 2008 R2, you must install a patch for UcmaRdist.msi (downloaded in step2)

10. On the Client Access From Exchange Management Shell run this command: "Get-ExchangeCertificate | fl" Keep this window open for now

11. Edit C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OWA\web.config

You need to change the three entries

<add key="OCSServerName" value="" />
<add key="OCSCertificateIssuer" value="" />
<add key="OCSCertificateSerialNumber" value=""/>

Your OCS server FQDN

<add key="OCSServerName" value="pool-a.domain.local" />

Get this next info from step 9

<add key="OCSCertificateIssuer" value="CN=ca1, DC=domain, DC=local" />

You must put a space between each pair of figures

<add key="OCSCertificateSerialNumber" value="52 98 3T 3P 00 00 00 00 00 9A"/>

Save and close the file

12. From EMC run this command: Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingType OCS

13. Restart IIS (from CMD run IISRESET)

14. From OCS server add the “FQDN of the certificate” that you specified in the web.config as a trusted host to your OCS environment. To do so, right click your pool and select Properties –> Front End Properties. Click the Host Authorization tab and then click Add. Add the FQDN of your Client Access and check the “Throttle as server” and “Treat as authenticated” check boxes.

There we go, having done that, you should not be able to log into Outlook Web App and see the presence information as well as interact with other users that you have added to your friends list.

Donate to the Macmillan Cancer Support - Another worthy cause!

Johan Dreyer — Wed, 07 Oct 2009 16:55:00 GMT

Ok, so another charity event is happening and this time its my younger sister, Sally-Ann Grobler, who is doing a 10km sponsored run for Macmillan Cancer Support in the UK.

I humbly ask all of those visiting my blog to consider making a small donation to such a worthy cause simply by clicking on this link and making a donation either via credit card or paypal. Remember, charity begins at home and is also tax deductible in many countries.

Office Communicator Mobile Client for iPhone

Johan Dreyer — Mon, 28 Sep 2009 17:33:00 GMT

So it seems after quite some time there is finally a Communicator Client available for the iPhone. The app is called iDialogue and made by a company called Modality Systems and is available for purchase from the iTunes AppStore.

This is big news for the iPhone in the corporate world running majorly on the Microsoft stack of applications as since the release of iPhone software v.2.0 we have seen the introduction of:

Exchange ActiveSync Support (Native)

and now

OCS Client that supports OCS 2007 R2

which when coupled with what is arguably the best mobile web browser available to support some sharepoint functionality makes the iPhone a seriously viable option for the business user.

Micrsoft Deployment Toolkit Error - peimg.exe

Johan Dreyer — Fri, 11 Sep 2009 19:03:00 GMT

Today we have been playing with the Microsoft Deployment Toolkit and actually had a bit of a stuggle with it - Using the latest Windows Automated Installation Kit (WAIK) for Windows 7 with the previous version of MDT throws out an error something like the following:

"PEIMG.EXE IS NOT RECOGNIZED AS AN INTERNAL OR EXTERNAL COMMAND"

When you look in the location where MDT searches for the peimg.exe file, you will notice the file does not exist at all.

So what's happening here? Its actually quite simple - the AIK and PE Image in the Windows 7 environment has changed from Vista to use img files only.

In simple terms, there are 2 ways you can solve this error;

Download & Install the Windows Vista AIK on the MDT Computer
Download & Install MDT 2010 on the Computer

So basically the latest AIK is only compatible with the latest MDT...

How to Enable Intel-VT on Sony Vaio Laptops with Insyde H2O EFI BIOS

Johan Dreyer — Fri, 11 Sep 2009 09:26:00 GMT

A while back I wrote this blog post about how to enable Intel-VT (hardware assist virtualization) on the Sony Vaio notebooks which are shipped with EFI BIOS, and noted that the procedure would not work for the Insyde H2O release notebooks.

Well today, I write with some good news for owners of the Insyde H2O Sony Vaio notebooks, its now possible (through a BIOS hack) to enable this feature and there is a nice little app available to do this.

Thanks to Berhard Froemel for coming up with the fix and posting the detailed walkthrough of how to do this on his blog.

I can definitely vouch for the tool and is functionality as my boss has run it on his notebook and is now able to run 64bit virtual machines on his Vaio VGN-Z series without any hassle, however, running the tool on your notebook is still a calculated risk which you is your responsibility.

Windows 7 32 Bit Unattend.xml file for Sysprep

Johan Dreyer — Fri, 11 Sep 2009 07:17:00 GMT

After working out the whole Sysprep Process for Windows 2008 R2 last week, this week I was asked to image-deploy a whole bunch of notebooks for one of our clients. Of course, as per best practice I had to sysprep the Windows 7 Base Image to ensure that unique SIDs are generated for each notebook deployed.

The process for the Sysprep Unattend.xml creation is exactly the same as that for Windows 2008 posted here, just that you obviously use the Windows 7 file as opposed to the Windows 2008... duh

A quick summary of the process:

Download & Install the Windows 7 AIK
Copy the Install.wim & *.clg files from the Windows 7 Media on to your local hard drive
Remove the Read-Only attribute from the WIM & CLG files you copied
Run Windows System Image Manage & Load the Windows 7 Image
Create a new Unattend.xml in WSIM
Drag and Drop the various Windows Components into the Unattend.xml and customize them as you will
Save the Unattend.xml
Copy it to c:\windows\system32\sysprep on the computer you wish to sysprep
Run sysprep.exe /generalize /oobe /shutdown /unattend:"path to unattend.xml" file

As usual, for those who are looking for a simple, basic unattend.xml answer file, here it is:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <Display>
                <ColorDepth>32</ColorDepth>
                <HorizontalResolution>1024</HorizontalResolution>
                <VerticalResolution>768</VerticalResolution>
            </Display>
            <ProductKey>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</ProductKey>
            <RegisteredOrganization>Registered Organization</RegisteredOrganization>
            <RegisteredOwner>Registered Owner</RegisteredOwner>
        </component>
    </settings>
    <settings pass="generalize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RegisteredOrganization>Registered Organization</RegisteredOrganization>
            <RegisteredOwner>Registered Owner</RegisteredOwner>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="catalog:c:/w7sysprep/install_windows 7 enterprise.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

How to Sysprep Windows Server 2008 R2

Johan Dreyer — Fri, 04 Sep 2009 21:11:00 GMT

Right now I am working on a project which aims to deliver a fully dynamic IT infrastructure to one of the leading investment and development companies in the region.

A key part of this Dynamic Infrastructure is the rapid, automated deployment of servers and workstations alike within their chosen virtuaization platform as well as physical server environment. The infrastructure will primarily be based on Windows Server 2008 R2 and therefore one of my tasks has been looking into the unattended installation & sysprep of Windows 2008 R2.

A few things have changed in th way that sysprep now works, these are listed here. Key changes worth noting are;

Sysprep now uses an XML file to store settings rather than the traditional Sysprep.inf
There is no longer a Config Manager tool to create the XML File
There is no longer any real GUI to Sysprep.exe
Sysprep is included by default with the Windows Server Installation

So the question is How do we work with Sysprep now?

The Answer:

Download the Windows 7 Automated Installation Kit from the Microsoft Website (approx. 1.7GB)
Install the Automated Installation Kit on the Computer where you wish to prepare the Unattend.xml file (I do not recommend using the server / image you wish to sysprep, use a workstation or another server instead)
Copy the Install.wim and all the .clg files from the Windows 2008 Media on to a folder / directory on your computer
Remove the Read-Only attribute from Install.wim and all the .clg files
In the Start Menu, locate & open the Windows System Image Manager (WSIM) which is in the Microosft Windows AIK folder
Right-Click the white space beneath Windows Image in WSIM and choose Select Windows Image
Browse to the location of your WIM & CLG files and open the CLG file which corresponds with the version of Windows Server you wish to sysprep.
Right Click the white space beneath Answer File in the center of the WSIM window and select New Answer File
Drag and Drop the various components you wish to customize from the Component Section of the Windows Image on to the respective operation in the Answer File & modify the settings according to your requirements.

Guidence to what actually happens at each of the listed phases can be found here.

Once you are done, you can save the file as Unattend.xml then copy the file to c:\windows\system32\sysprep on the server which you want to sysprep.

To sysprep the server, from command prompt navigate to c:\windows\system32\sysprep then type the following:

sysprep.exe /generalize /oobe /shutdown /unattend:unattend.xml

If possible I would recommend testing your sysprep file in a virtual machine which has been snap-shotted before running it on the actual image which you want to sysprep. I went through a number of re-installs thanks to some issues with my sysprep settings which wasted a good amount of my time.

For those who do not require any extensive customization of the Sysprep Image and just need a working sysprep that includes the corporate product key, some corporate info and the default admin password, below is a sample unattend.xml file which provides just this functionality:

Windows Server Licensing for Virtualization

Johan Dreyer — Sat, 29 Aug 2009 07:56:00 GMT

I realise this tool has been available in various flavors for quite a while now, but I still get a number of questions aroung licensing Windows Server for Virtualization & thought it would be worth writing a post about it for anyone out there reading my blog.

Lets start by looking at the Microsoft Windows Server Licensing Policy for Virtualization which states in brief:

Windows Edition	Physical Licenses	Virtual Servers Licensed
Standard Edition	1	1
Enterprise Edition	1	4
Datacentre Edition (Per Processor)	1	Unlimited

Ok so based on the above it is clear that selecting the correct version of Windows to assign to the physical server on which you are going to run server virtualization will have direct impact on your Virtualization ROI calculations.

No, its not rocket science to work this out for yourself, but then why do all that work when you dont have to? Microsoft have created and released a very nice little tool that does all this for you, along with rough estimate costs of each licensing model called the Windows Server Virtualization Calculator.

Simply find the correct tier based on the number of processors you are going to have, enter the number of physical servers in the server virtualization platform and finally the number of guest operating systems you will be running on average. The tool will do the rest for you.

Happy Virtualization.

Windows Server 2008 R2 Released

Johan Dreyer — Sat, 25 Jul 2009 08:05:55 GMT

Microsoft Windows Server 2008 R2 was released to public on the 22^nd July 2009. This new version of the operating systems introduces a host of new features and improvements including:

Active Directory Recycle Bin – Quickly & Easily recover deleted Active Directory Objects

Offline Domain Join – Provides the ability to Pre-Stage Computer Accounts on the domain, when the computer is installed & connected to the network it will be automatically joined to the domain.

Direct Access – Allowing VPN-Less Secure access to the corporate network for mobile users

Hyper-V Live Migration – Migrate Virtual Machines from one physical host to another without the need to suspend their state

Multiple NAP System Health Validator – Allowing more flexibility in assessing NAP policies for multiple Clients, Servers, Organizational Units etc.

There are a number of additional improvements not listed above, for a more detailed overview check out the Windows 2008 R2 Technet “Whats Changed” section.

For organizations considering evaluating Windows 2008 R2 it is important to remember that this release of Windows Server is 64bit Only.

Also be sure to check out the Top 10 Reasons for Windows 2008 R2

How to enable Intel VT (Hardware Assist Virtualization) on a Sony Vaio SR, FW, AW Laptop

Johan Dreyer — Tue, 14 Jul 2009 04:51:00 GMT

I recently joined a new company and as part of that received my new laptop, a Sony Vaio VGN-SR46MD with AMI APTIO Bios, Core 2 Duo 2.53Ghz Processor, 4 GB RAM and 320 GB Hard disk. This was pretty exciting for me since this is obviously a reasonably good spec notebook and I would be able to run some VM's on it for my own R&D as well as client demonstrations... At least so I thought.

The problem I soon encountered is that Sony, in their infinite wisdom, release these nice beafy notebooks which are fully capable of achieving some form of virtualization with the Intel VT (Hardware Assist Virtualization) feature disabled by default and the BIOS locked down so that you cannot enable it. Way-to-Go Sony!

A couple of days of Internet Searches pointed me to various forums talking about the issue and offering resolutions with manual BIOS hacks. I tried to run through some of them but was having very limmited success, that is, until I came accross this post on the Notebook Review Forums where a user called levicki has come up with a BIOS Patch, downloadable froom his website.

Needless to say, I took the risk, downloaded the patch, ran it and am now able to run Virtual PC on my Windows 7 Notebook.

Thanks livicki, your work will surely help thousands of Vaio users out there.

Note: This will not work for the Sony Vaio's with the H20 logo on the Vaio Boot Screen.

SpamTitan & IE: Internet Explorer cannot Download *.php from server.domain.com

Johan Dreyer — Thu, 29 Jan 2009 05:02:00 GMT

I have been running some additional tests on Spamtitan in my lab environment as I am still considering using it for our hosted services environment and interestingly enough came accross a problem when access the Admin Website over SSL in IE, basically I could not generate any PDF files or Download Spreadsheets from the reports and similarly could not download the config Backup.

IE kept throwing the following Error in my face:

Internet Explorer cannot Download topten.php from server myserver.mydomain.com

Thinking this was actually a problem with my Spamtitan, I checked the appliance a friend is using for his own network and guess what, the same issue so I asked him to open a case with Spamtitan Support who came back with the resolution within a couple of hours. (not bad for email support - well done guys)

It would seem that the problem stems from IE itself, they pointed me to the following KB Article: Microsoft KB 323308

I implemented the Registry changes for my version of IE, restarted my Browser ONLY and tried to download the respective items - worked like a charm :)

Hope this is helpful to someone else out there!

WSS 3.0 Error: Your search cannot be completed because this site is not assigned to an indexer.

Johan Dreyer — Tue, 20 Jan 2009 08:27:00 GMT

I recently started evaluating & familiarizing myself with the WSS Environment which we have setup in our Hosted Messaging & Collaboration environment with the view that we need to launch the service soon & I need to figure out how it all works.

To cut a long story short, I managed to get the site provisioned, worked out how to do some customizations and got on with it. Once I had put some content on the site I waited a few hours for the indexer to catch up then tested the Search Function, this returned the error:

"Your search cannot be completed because this site is not assigned to an indexer."

I am no Sharepoint Guru and in fact this is probably only the second or third time I have seen it in my life which makes troubleshooting it pretty fun. A few web searches pointed me in various funny directions which included re-installation & restoration of Databases & applications, registry hacks and goodness knows what else.

After poking around the admin console for a while I managed to solve the problem with a few clicks.

Here's How:

Open the Central Administration site
Goto Application Management > Content Databases
Click on the content database which your application is using (in my case WSS_Content)
Look for the Search Server Field & Select the Search Server which you want to index the content database
Click OK & wait a few hours, search should now start to work.

Of course, the above required that you have setup & configured the Search Service in the Operations Section of the Central Administration.

Hope this saves someone out there some time & hassle.

Cisco ASDM Error: ASDM is unable to read the configuration from the ASA

Johan Dreyer — Mon, 15 Dec 2008 15:13:00 GMT

I have recently decided to go back to dabbling a little with firewalls and one of the toasters I am playing with at the moment is the Cisco ASA 5500 series. Now I have always worked with these appliances using the CLI, however, since ASDM is out there I thought I would look into using the GUI Config tools too, no harm in knowing a bit of both now is there?

ASDM is a java applet & this presents no real problem, given that JRE is a free download from www.java.com, so I went accross to the java site, downloaded the latest version, installed it and ASDM and tried to access my ASA Appliance, enter the surprise:

Initially, I thought this had something to do with my firewall configuration so I spend a couple of hours trawling the web and every site confirmed that my http configuration on the ASA was indeed correct and there are not too many variations out there. At this point I decided to check the web for other instances of this error.

As it turns out, aparently java 6 updates are not as backward compatible as we would expect - well either that or Cisco need to do something about the coding behind ASDM - for the resolution to this problem was actually to remove JRE 6 update 11 (the current version at time of going to print) and install JRE 6 Update 6, which is conventiently available from http://java.sun.com/products/archive/

Now the reports out there say that Update 6 & 7 work fine with ASDM, where Update 10 & 11 seem to have the ability to break ASDM and cause the "ASDM is unable to read the configuration from the ASA" error to appear.

Hopefully this post helps someone out there and manages to save them the hassle I went through.

Update 01/02/2009 - Alternative Workaround:

Many thanks to Tim Braun who poked around ASDM a little and found the below work-around, allowing you to run ASDM on an old version of Java while your Computer uses the latest version.

His findings were kindly posted in the comments section and are still there for all to see.

1. Open up the ASDM Installation folder (default: C:\Program Files\Cisco Systems\ASDM)
2. Right Click the File in the folder called asdm-launcher.config & remove the Read-Only attribute
3. Edit the asdm-launcher.config file in Notepad
4. Add the below line to the Config File
javapath c:\Program Files\Java\jre1.6.0_07\bin\client\jvm.dll
5. Save the Config File & Run ASDM

Note: you will need to have had JRE 1.6 Update 7 installed prior to updating to Update 11 in order for this to work, if yours is a new installation of JRE then you need to go back, download & install the previous version (Update 7) and install that before updating in order for this workaround to work.

In my case, I couldnt be asked to go through all that effort so I just checked the java folder on my pc (C:\Program Files\Java) to see what versions were previously installed & ammended the javapath line accordingly - worked a treat.

Thanks again to Tim!

Exchange 2007 OWA Users cannot change password with "does not meet the complexity requirements" error

Johan Dreyer — Sat, 01 Nov 2008 10:42:00 GMT

One of my clients where we had deployed Exchange 2007 called me the other day with a complaint that his users could not change their passwords from Outlook Web Access.

Each time they tried to change their password, OWA would throw back "Password does not meet the complexity requirments, please contact your administrator".

This would happen no matter how long / short / complex / simple you made the password. Even more interesting was the fact that there was no complexity required in the domain GPO and the minimum password length set to only 3 characters.

I was puzzled for ages on this and eventually stumbled accross something - it appears this behaviour is caused by the Minimum Password Age setting in the Domain GPO. If you do not enable a minimum password age then OWA will not let you change the password.

Solution: Enable the Minimum Password Age setting and set it to 0 or higher for the Change Password feature of OWA to work.

Donate to a worthy Cause

Johan Dreyer — Fri, 03 Oct 2008 16:18:00 GMT

A friend in the UK is raising money for the Royal Marsden Cancer Campaign and will be doing a Sponsored Horse Ride as a fund raiser. Everyone can support the cause, even if you are not in the UK, simply go to the following website & make your donation to help with this worthy cause.

Not to mention that when you do, you can claim it back as a tax deduction.

http://www.justgiving.com/clairemallett01

Intermittent Connection Resets on ISA 2006 with Broadcom NIC

Johan Dreyer — Tue, 09 Sep 2008 16:16:00 GMT

I recently deployed ISA 2006 on an HP Proliant DL Series Server for one of my clients & tried to publish a whole lots of servers.

For the most part it worked pretty well, at least, until I tried publishing an SMTP Server. I then noticed a strange behaviour: Although I was able to connect to the SMTP Server, the connection was terminated a second or so later & I was never able to successfully establish a productive session.

This lead to much confusion as I had never faced such an issue before when publishing servers. A look into google & the event logs however, did manage to resolve my issue.

It would appear that some Broadcom NICs seem to have an issue with ISA 2006, particularly, with the Recieve Side Scaling setting the NIC. If you turn this feature off in the Network Card Driver Properties and the system seems to function fine.

It is also recommended to turn off TCP Chimney feature of the Scalable Networking Pack which ships with Windows 2003 SP2.

netsh int ip set chimney disabled

Wicked tool for Small to Medium Business Network Monitoring, Asset Tracking, Helpdesk Ticketing & Software Inventory

Johan Dreyer — Sat, 30 Aug 2008 09:04:00 GMT

Spiceworks is by no means a new tool in the market, it has been around for a while now & is becoming increasingly popular.

For those who do not know, Spiceworks, is a Free (Ad Supported) Network Monitoring & Management tool designed for the Small to Medium Business environment and integrates such features as Agentless Monitoring of Networked Devices (including Switches, Routers, Firewalls, Servers, Computers & Printers amongst other things,) as well as IT Inventory, Hardware & Software Asset Management, Integrated HelpDesk Application, Configurable Alerting with SMTP (Email) Notification & Automatic Ticket Logging.

The tool is not only used today by internal IT Departments, but also by Service Providers who would like to "UP" their Service Levels to their customers through proactive monitoring & management of their systems.

With the advent of Version 3, it is now also possible to add Service Provider Details into Spiceworks, enabling the IT department to keep track of those often "difficult to find" details & settings for their various Services.

Additionally, with Spiceworks MyWay, companies can now pay $220 per year for the priviledge of "Rebranding" Spiceworks to suite their Corporate Image & remove those Ads, although they usually dont get in the way.

Hats off to the developers at Spiceworks, they have delivered a very good solution which is simple to deploy & understand, requires minimal administration & configuration and pretty "Cost Effective"

Windows Vista & 2008 Computers cannot apply for SSL Certificates from Windows 2003 CA

Johan Dreyer — Sun, 24 Aug 2008 11:03:00 GMT

One problem we come accross quite regularly is that of Windows Vista or 2008 Servers not being able to request / download certificates from a Certificate Server running on Windows Server 2003.

This is once again due to ActiveX funtionality (Xenroll) which has been removed from Vista / 2008 & requires you to patch your Certificate Server in order to enable the functionality again.

Further details can be found in Microsoft KB Article KB922706

SpamTitan IS cool!

Johan Dreyer — Fri, 15 Aug 2008 20:42:00 GMT

A while back, I was looking for cost effect, reliable, functional SMTP Security Solutions which I could bundle in with my Exchange Deployment & Migration Projects for SMB Customers.

The first thing I did was set out some selection criteria:

Easy to Deploy
Easy to Configure
Easy to Administer
Effective
Reliable
Multi-Function Anti-Spam (Definitions, Bayesian, Block Lists, SPF Lookup, PTR Lookup etc)
Multiple Anti-Virus Engines
LDAP (Active Directory / Directory Services) Integration
Quarantine
Reporting
COST EFFECTIVE

My search saw me spending much time on google & many result sites, reading about products, features, installation manuals, administrators manuals, evaluating products ranging from Free / Open Source to Paid.

I got to a stage where I was even considering building up my own open source Anti-Spam Solution, but soon came to the conclusion I did not have the time to dedicate to such a project, so on the search went...

I eventually stumbled on a RARE GEM of a product: SPAMTITAN

It delivered EVERYTHING I was looking for & More.

Form Factor

- Installable Software (ISO Download)
- VMWare Appliance (Downloadable)
- Physical Appliance (only available on request I believe)

Some of the Features

LDAP Integration
Kaspersky & ClamAV Anti-Virus Engines
Multi-Layered Anti-Spam
Low False Positive Rate
Content Filtering
Optical Character Recognition
Multi-Tenancy
Per-User Message Management through Quarantine Reports
Multiple Domain Support
Inbound / Outbound Scanning
20 Mins to Deploy
20 Mins to Configure

The Cost

$ 550 for 100 Users
$ 4,400 for 5000 Users

With everything in between, license entitles you to run one secondary (offline) deployment of SpamTitan as standby (secondary MX or otherwise) in case of failure of Primary Route.

The Specs (For 100-1000 Users):
3.0 Ghz or Better Processor
1 GB RAM
80 GB HDD

Bottom Line:

The guys who developed this product have certainly done a good job & are delivering Value in terms of Punch for Price and score a definite Recommendation from me!

Open Source Control Panel Additional Links / Sites

Johan Dreyer — Wed, 30 Jul 2008 16:48:00 GMT

So there seems to be quite a bit of a buzz out there regarding setting up an HMC Control Panel which is Open Source & well, who can blame anyone for their interest in such a worth while project?

There is now a site setup at CodePlex called ExchangeControl - I would recommend checking it out & signing up if you have even a few measly hours a week to dedicate to a small portion of such a project.

Configuring your DNS Host(A), MX & PTR records for Exchange 2007

Johan Dreyer — Fri, 25 Jul 2008 15:44:00 GMT

Now building your Exchange 2007 Server is one thing, but once its built you need to setup your public DNS do that it is accessible from the internet.

In this article we will cover how to setup your DNS Host (A) records, Mail Exchanger (MX) Records, Reverse Lookup (PTR) Records & SPF (TXT) Records.

So lets have a look at what we require to do this:

1. Decided on the MX & Webmail Host Names, e.g. mx.sortedit.net & mail.sortedit.net
2. Decided which PUBLIC IP's to use on your Router / Firewall (they can be the same IP but this isnt recommended
3. Ensure that the MX, Host & Autodiscover Host Names are included in your Exchange 2007 SSL Certificate

The first step we need to complete is to register our Host (A) records with our public DNS Service Provider, this is either done by yourself through a DNS control panel or it is done by requesting the record registration from your ISP.

The Records you will require (Basic) are:

Purpose                      Type            Host                                        Public IP
Mail Exchanger            Host (A)       mx.sortedit.net                        64.202.165.4
                                   (Usually created as "mx" only since your DNS Domain is automatically appended)

Webmail                      Host (A)       mail.sortedit.net                      64.202.165.92
                                   (Usually created as "mail" only since your DNS Domain is automatically appended)

AutoDiscover               Host (A)       autodiscover.sortedit.net        64.202.165.92
                                   (Usually created as "autodiscover" only since your DNS Domain is automatically appended)

Once you have the above records created, you now need to make sure you register a PTR record for your MX record to ensure that your domain can send emails to the likes of AOL who require a successful reverse lookup to complete as an anti-spam tactic.

Your ISP is the authoritative entity for the Reverse Lookup Zone of the Public IP Address range which you have been allocated, so you would usually have to request them (either by Fax or Email) to register the following record

Type                            IP Address                                        Host Name
PTR Record                  64.202.165.4                                      mx.sortedit.net

Now that all the pre-requsite static records are created, you need to make sure that your Mail Exchanger (MX) record is pointing in the right direction. Now the MX record is very much just another CNAME or Alias record, therefore it must always point to a Host Record (either yours or that of some other mail server authoritative for your domain)

The MX Record also contains a Preference or Priority field, which, is used for assigning primary & backup email servers for your domain (in the event you have multiple mail servers or have backup mail exchangers).

The LOWER the preference integert the higher the Priority of the Server to which it points.

e.g. if I have 2 MX records: mx1.sortedit.net pref 5 & mx2.sortedit.net pref 10, then mail will ALWAYS try to flow to MX1 first & ONLY when MX1 does not respond / is not available will mail transfer to MX2.

In any event, here is how you should publish your MX:

Type                            Domain                       Host Name                            Preference
MX Record                   sortedit.net                  mx.sortedit.net                      5 (or High)
                                    (Domain is usually left blank as this is the DNS Domain which you are editing)

On a final note, more & more organizations out there are beginning to use Sender Policy Framework or SPF Records to classify or identify email as SPAM.

Most DNS Server Control Panels will have a tool to help you create the SPF record, however, if you do not have one then a simple Google Search will reveal many tools which will help you create the contents of the TXT file.

Type                            Name                       Data
TXT Record                   SPF                           v=spf1 a mx ip4:64.202.165.4 -all

One you have all of the above records registered, ensure to setup the required Nat Rules on your Firewall / Router, allowing traffic on port 25 for the MX record & 443 for the Webmail & Autodiscover Host Records.

It is equally IMPORTANT that you ensure that ALL outgoing SMTP traffic from your Exchange Server is Natted to your MX Public IP when it leaves the network to ensure you outgoing emails pass the SPF & PTR Record checks on the revieving mail server.

Cool Tool for Website Visit Monitoring & its FREE for Basic Monitors

Johan Dreyer — Thu, 24 Jul 2008 06:23:00 GMT

Hey Guys,

Not too sure how many people out there care much about the number of hits they recieve on their website, or what it is that people are looking for / at, but I stumbled accross a pretty cool monitoring tool which is available for FREE if all you are after is the basic functionality!!

The service is provided by w3Counter & all you have to do is sign-up to the service & add a small bit of code to your website. for the tool to start monitoring.

The FREE edition will place a w3Counter Logo on your Page & does not support Geographic Live View or Stats by Email, however, for me this is just fine.

Check out my Stats at the following link: Blog.SortedIT.net Stats

Add custom options to Microsoft DHCP Server

Johan Dreyer — Sat, 05 Jul 2008 13:19:00 GMT

Depending on who you are and what kind of environment you are in, this is something which you could either come accross very early in your IT Carreer or it could be years before you even considered having to create manual Scope Options in your MS DHCP Server.

For me, well it was the latter, two weeks ago, for the first time in about 8 years of IT Consultancy, the requirement popped up to add some Scope Options to my DHCP Server in order for the Clients VoIP system to work.

15mins of googling soon relinquished the answer to me, it works as follows:

1. Open DHCP Management Console
2. Right Click the Server
3. Select Manage Scope Options
4. Click Add Option
5. Give the Name, The Option No, Type & Value (Only if Hard Coded)

Hows about an Open Source Control Panel for HMC?

Johan Dreyer — Mon, 30 Jun 2008 15:29:00 GMT

Today I got my first good look into the management tools which are provided by Microsoft along with HMC,and well, there's not much more to say other than it falls miles short of what you need!

So what are the alternatives then?

Well since everything in MPS is based on .Net Framework & XML, you could develop your own CP which will suit your needs precisely, however, this would take some time & a significant investment.

Alternatively you could purchase a Provisioning Engine & CP Solution from someone out there at a pretty high cost.

OR

You could head over to the HMC ASP.Net forums & sign up on developing an OpenSource Solution which can Plug On top of the MPE/MPS Servers in your environment. You Dont necessarily need to be a coding or design guru, just someone who wants to learn, have fun doing it & benefit the IT world as a whole.

I know NOTHING about coding, .Net, XML etc, yet I still signed up as think it will be an awesome driving force in learning those aspects of my job! Head over there now & Sign up!

http://forums.asp.net/t/1276696.aspx

http://groups.google.com/group/microsoft-hosted-messaging--collaboration

HowTo: Upgrade SCOM from Evaluation to RTM or MVLS

Johan Dreyer — Sun, 29 Jun 2008 09:40:00 GMT

I have been facing a silly problem for the last few days that had me pretty stumped, however, I found the work around on Stefan Stranger's Blog where he posted the following article: SCOM 2007 full RTM on MVLS.

The Procedure I followed:
1. Insert the RTM or MVLS media in the SCOM Server
2. Browse the CD
3. Goto: SupportTools\i386 (or AMD64)
4. Run LicensingWizard.msi

and voila! your SCOM is licensed, with no requirement of Service Restart or Server Reboot!
(Just as Stefan Said, Thanks man!)

How I build MY Microsoft Servers

Johan Dreyer — Sat, 28 Jun 2008 04:38:00 GMT

Right, so there is a lot of speculation out there as to exactly how to setup a Server to achieve the best performance & stability from it. Everyone has their own practices which they like to follow & I thought I would share mine with you too.

Lets Start at the Hardware RAID Level:

I like my Operating Systems to sit on a RAID 1 or RAID 1+0 Array configured (at the Array Controller level with seperate Partitions as follows:)

OS Partition	20-30 GB	RAID 1/1+0
PageFile Partition	110% Physical RAM	RAID 1/1+0
Data/Binary Partition	Remaining Space	RAID 1/1+0

So what does the above setup achieve? Well first of all, once Windows is installed, you will see 3 Seperate "Disks" meaning that you cannot mess with the HDD config.

You have also ensured that the OS sees the disks as seperate meaning your "Best Practice Analyzers & Tools" should come back with less warnings when you run them.

On deploying the Operating System, I will follow the Normal Deploy Procedures & then configure it as follows once installed:

NTFS Partitions: C:\ = System Partition
                           D:\ = Data Partition
                            P:\ = Page File Partition

Page Files: C:\ = Amount of Physical Memory for Dump File (Only if you want to keep a Dump File)
                    P:\ = 110% Amount of Physical Memory

Application Installations: C:\

Application Source Files: D:\
Application Data: D:\

Set ALL Event Logs Size to: 40+ MB

Hardware FirmWare at Latest Release

Hardware Drivers at Latest Release

Operating System Service Packs & Patches at Latest Release

Application Service Packs & Patches at Latest Release

For me, this has always been a successful recipe of building Reliable & Optomized Back-End Infrastructure and I hope its of use to someone else out there.

If you feel you think some changes to this build guide would benefit Myself & Other users more, feel free to share your opinion in the comments. After All, we are here to help one another.

GO HOSTED! & HMC4.5 Released

Johan Dreyer — Sat, 28 Jun 2008 04:09:00 GMT

So once again, it has been ages since I last posted on here & I thought I would post something before heading into the office this morning.

To update you on whats been happening in the last year or so that has culminated in the last month:

I have been part of a team whose ambition has been to drive the business to change some of its business model from that of a Traditional VAR / Di-LAR / SI to something more annuity based with higher margins - Managed / Hosted Services
Over the Last 3 months we have sat with many Managed Service Solutio Vendors, Hosting Vendors & Microsoft to establish a road map to implementing the services we will offer & route to market
In the last month, an announcement was made that our General Manager of Services was to become the Directory - Managed Services
Along with the above announcement, I have been (as part of the driving force behind the change) asked to move over to the Managed Services Team as Business Development Manager & Senior Technical Lead (the second being unofficial)

So where are we now?

Well quite fankly, At the dawn of a new era for our business & my career path. Something I am pretty excited about as the business side of corporate life has always held a certain level of interest for me.

At the same time, I am building a Consolidated HMC Platform to provide a starting point for our Managed Services which I plan to "Soft Launch" on the 1st of July.

Speaking on this point, Microsoft Released HMC 4.5 on the 15th of June, which now supports Windows Server 2008, Windows Server 2003 R2 SP2, Exchange 2007 SP1, Systems Centre Operations Manager 2007 SP1 & Office Communications Server 2007 without the requirement for customization.

The documentation included in the HMC Help File is truly amazing, to date, I have followed it extensively & come accross no problems what so ever - well, I am yet to complete the setup, but it seems pretty complete & extensive so I am not complaining at all.

Updated! Upload Hundreds of Contacts into your Exchange 2007 in 8 simple steps -

Johan Dreyer — Tue, 15 Apr 2008 10:55:00 GMT

I previously posted an article on how to upload Contacts into Exchange 2007 from a CSV file (the article can be found here).

The script has always generated errors when face with situations where Contacts had Double First or Last names thanks to the white space between the names which cannot be used as an alias. So today, I revisited the script & did some research to try 'fix' this little bug.

About 10 mins into reasearching it, The Scripting Guys came to the rescue again with a brilliant article on Manipulating String Values in PowerShell.

Anyway, it was relatively simple to fix the script & here it is for download, along with the CSV file template which is bes populated using Microsoft Excel.

Download CreateContactsV2.0

Avoid common causes of Exchange D/R- Part 3: Correctly configure your File System (File level) anti-virus on Exchange Server 2007 Hub Transport Servers

Johan Dreyer — Mon, 07 Apr 2008 18:32:00 GMT

Now I realise its been a while since I posted Part 2 of this series, however, finally we are looking at the Hub Transport Servers and this will hopefully be followed by the CAS, UM & Edge shortly thereafter.

Im just going to delve straight into the exclusions here, so you need to set the following File Level AV Exclusions on your Exchange 2007 Hub Transport Servers:

Directory Level Exclusions:

General Log Files (Powershell: Get-TransportServer <servername>| fl *logpath*,*tracingpath*)
Message Paths (Powershell: Get-TransportServer <servername>| fl *dir*path*)
Queue Database, Checkpoint & Log Files (%Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Queue)
Sender Reputation Database (%Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation)
IP Filter Database (%Program Files%\Microsoft\Exchange Server\TransportRoles\Data\IpFilter)
OLE Converter Folder (%Program Files%\Microsoft\Exchange Server\Working\OleConvertor)
Server's Temp Folders

Process Level Exceptions:

Store.exe
CDB.exe
CiDaemon.exe
Cluster.exe
InetInfo.exe
Mad.exe
Microsoft.Exchange.Cluster.ReplayService.exe
Microsoft.Exchange.InfoWorker.Assistants.exe
Microsoft.Exchange.Search.ExSearch.exe
Microsoft.Exchange.ServiceHost.exe
MicrosoftExchangeADTopologyService.exe
MicrosoftExchangeTransportLogSearch.exe
MsfteSQL.exe
OleConverter.exe
PowerShell.exe
Dsamain.exe
Msexchangefds.exe
Msexchangemailsubmission.exe
Msexchangetransport.exe
Msexchangetransportlogsearch.exe
Microsoft.Exchange.Imap4.exe
Microsoft.Exchange.Imap4service.exe
Sesworker.exe
Powershell.exe
Microsoft.Exchange.Monitoring.exe
Microsoft.Exchange.Pop3.exe
Microsoft.Exchange.Pop3service.exe
W3wp.exe

File Level Exceptoions

.chk
.log
.edb
.jrs
.que
.lzx
.ci
.dir
.wid
.000
.001
.002
.dia
.wsb
.config

So that's it, in Part 4, we will look into the CAS Server AV Exclusions

VBScripts to Remove Domain Users from Local Admins on PC's

Johan Dreyer — Sun, 06 Apr 2008 07:54:00 GMT

First of all thanks to The Scripting Guy, The Google Groups on Scripting & ScriptingAnswers.com - truly invaluable sources of script code & information on how to do things- making life easier for scripting noobs like me!

I have just started to delve a little into the world of Scripting & what a learning curve it is! I can honestly say that I still know hardly anything about vbscript & the wmi components, but have managed to implement a few minor scripts which do what I have required at various intervals.

Not too long ago I had to complete a Domain Migration for 200 PC's at one of my client's. User Profiles had to be maintained intact with no access to the source Domain so some work Arounds had to be implemented. The procedure was tedious and complex & in order to ensure we would be able to complete the necessary steps to success at the task, we added Domain Users to the Local Admins on all PC's using Group Policy. The idea being that once everything had settled Post Migration, we could then simply remove the priviledge & carry on with normal day to day activities.

As it turned out, removing the priviledges became pretty tedious in that we had to touch each workstation to make 100% sure the rights required remained after the Domain Users were removed. This was not acceptable, not by myslef and not by the Client.

A work around in the way of a script had to be realised & this is what I came up with:

Scenario #1: Normal Users who require NO Admin Priviledges on their PC - The following Script Removes ALL objects from the Local Admins Group on the computer it runs, EXCEPT Administrator & Domain Admins

Set objNetwork = CreateObject("Wscript.Network")

strComputer = objNetwork.ComputerName

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

For Each objUser In objGroup.Members

If objUser.Name <> "Administrator" AND objUser.Name <> "Domain Admins" Then

objGroup.Remove(objUser.AdsPath)

End If

Next

Scenario #2: Power Users who require Local Admins rights on their PC ONLY for themselves & Domain Admins
(Note: USER MUST ALREADY BE AN ADMIN FOR THIS SCRIPT TO WORK, e.g. Domain Users in Local Admins)

blnUserinAdmGroup = False

Set objNetwork = CreateObject("Wscript.Network")

strComputer = objNetwork.ComputerName

strDomain = objNetwork.UserDomain

strUser = objNetwork.UserName

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

For Each objUser in objGroup.Members

If objUser.Name = "Domain Users" Then objGroup.Remove "WinNT://YourDOMAIN/Domain Users"

Next

Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser)

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

If Not objGroup.IsMember(objUser.ADsPath) Then

objGroup.Add(objUser.ADsPath)

End If

The above script will remove all objects from Local Admins Except for Administrator & Domain Admins, then it will Add the Logged On user to the Local Admins Group.

To Use the scripts, simply copy & paste the Italicised text into NotePad, save it as ChosenFileName.vbs & execute using cscript by typing cscript <PathToFile>\ChosenFileName.vbs on the computer you want to make the changes to.

In my case, I use a batch to call Cscript & run the Command, then added the batch as a Logon for my users.

Enjoy

Recovering from Database Corruption in Exchange 2007 with LCR enabled

Johan Dreyer — Mon, 10 Mar 2008 03:19:00 GMT

Two nights back I received that dreaded call that inevitably comes late at night & bears the bad news of sleeplessness along with it. One of my clients had power problems in their data centre & their primary Exchange Server had fallen over, well the database servicing the largest number of clients had some corruption & just would not mount no matter what!

Fortunately, our company is currently evaluating Webex Remote Support which meant that I was able to assist my client from home. (I highly recommend this tool, it is safe, secure & reliable).

Once the session was setup, I ran all the standard checks against the database & came up with a strange error (something about the database page sizes being inconsistant). At this point it became obvious, the dreaded ESEUTIL /P or Database Restore from Backup was necessary to recover..... Or was it?

See the thing is, we implemented LCR when we deployed Exchange 2007 for the client, and along with that came a strict SLA with a Call to Repair time of 6hrs.

Now at the time this was all sold on concept, we understood the technology, how it works, the point of having it implemented etc. So we went ahead with the SLA along those lines. I knew I had to stick with in this SLA & ensure the clients server was running within the shortest possible time if I were to get some sleep that night.

The solution implemented? Well I ran two simple EMS Powershell cmdlet:

Restore-StorageGroupCopy -Identity "Server\StorageGroup" -ReplaceLocations:$True -Confirm:$False
Mount-Database -Identity "Server\StorageGroup\Database"

With-in 20 Minutes, from time of session start to time of completion, I had recovered the functionality of their Exchange Server & ensured the integrity of their data without having to resort to Eseutil or Backup.

Note: The Restore-StorageGroupCopy cmdlet breaks the LCR Replication for the storage group. As such you need to manually enable reverse LCR after running the cmdlet.

Exchange CCR Mailbox Server Backup using Third Party Backup Tools such as Backup Exec, Arcserve, Data Protector etc

Johan Dreyer — Sat, 08 Mar 2008 04:44:00 GMT

With a number of LCR & CCR Deployments out there completed by myself & my team over the past year, we have come accross a few issues which seem to be common & should be highlighted to the rest of the world.

Possibly one of the most significant of these issues is Backup of your CCR Cluster when using Third Party backup tools such as Symantec BackupExec, CA Arcserve, HP Dataprotector etc.

As some of you may be aware, and others may not, the recommended backup model for Exchange 2007 Continuous Replication Servers is to take a backup of the Replica (off-line) Storage Groups & Databases using VSS. The logic behind this is pretty simple, backup then will not have adverse effects on your production Exchange performance & can be done at any time without causing degradation of performance to the users.

This all makes sense, so far, but brings up the next question - what about log file truncation on the production server? Well your backup software is supposed to Truncate those logs (on both live SG & Replica) which it has successfully backed up.

That takes care of the theory, so now lets look at how this is working (or rather isnt) in the production Environment:

Scenario 1: Exchange Server 2007 CCR Cluster with CA Arcserver 11.5 sp3

We struggled for months to get this backup working smoothely, multiple support calls to CA led to calls to HP & MSFT to try resolve the issues.

The Symptoms:

VSS Errors when taking backup caused backup to fail
Backup from Node 2 Succeeds but Fails from Node 1
Small Storage Group Backups Succeed but Large SG Backups Fail
SAN Based Backup takes 20+ Hours to complete 100GB Data Backup (supposed to be 45mins or so)
Well after much R&D from CA & their Microsoft Support representitives (almost 3 months) we managed to clear off ALL, but the last symptom using various Registry Fixes, INI & DLL Edits, Replacing HBA's on the Servers, it was a nightmare - most of the time CA Support had no idea what they were doing but none the less they stuck with us & solved the issues one by one so big props to them.

It became apparent that we were making no headway on the last symptom though, SAN Backup was running at 50 MB per minute !!!!! Its supposed to run at 2 500 MB per minute. Now backup was "working", I mean it never failed, just took 20+ hours to complete.

Anyway, we lived with this for a while - had CA on the blower, HP too & MSFT for just in case once again to try to resolve this problem.

In the mean time, I moved onto another client who was having some Exchange CCR Problems of other natures to assist him.

Scenario 2: Exchange 2007 CCR Cluster with Symantec Veritas Backup Exec

For this client, backup seemed to be working fine (succeeding) even if at a snail's pace (50MB per min) on the RTM version of Exchange 2007. The major problems came after we updated his Servers to Exchange Server 2007 SP1. I suspected this to be the result of a change implemented in SP1 "for security reasons" which (through registry) disables the ability to take Online Streaming Backup of Exchange Databases. (puzzling or what?)

Long story cut short, this clients backup turned to shambles & it wasn't the fault of the above mentioned registry key. His Backup Exec started to display erratic backup behaviour:
Sometimes Backup Completes, Sometimes it Fails
Sometimes its just one SG that fails the job, Sometimes its ALL
Backup Speed is way below Normal for Network Backup (50MB/Min as opposed to 3-600MB/min)

The above symptoms were applicable no matter which CCR node was the Active & which the replica.

I checked out the backup setup & implemented some changes in the user accounts & backup accounts, ensuring that the Backup Exec Server & Agent Services ALL used a common account to Logon, Ensuring the Bakup Service Account had the necessary Exchange & Server Level Permissions to complete the backup, etc.

All pretty standard stuff, but since it wasnt all correctly configured to start with - I thought perhaps it would make a difference. Well NO! No difference at all.

The Common Factors:

In both the above scenario's, testing was done using Windows Native NTBackup solution to take SG & IS level Backups of the Exchange Mailbox Servers to Disk and this appeared to work perfectly fine. It was Reliable, Speedy & presented no real challenges aside from not being SAN Capable or able to handle the Tape Libraries / Autoloaders.

This lead me to believe it was something to do with CA & Symantech's products, something in the way they called the VSS Writers or parsed data to the backup server from the agents.

One thing could not be denied, both clients had bought Ferarri's that either wouldnt Drive faster than 50MB/min or would break down half way to their destination- this was unnacceptable.

The Solution:

After many months of having resources allocated to these clients, trying to solve the issue, I took a decision & informed the responsible people to try something - Tell the Backup Agent to backup from Active Server not Replica Server, test the performance then move the cluster to the replica & run the same test again.

Something pretty simple, but for some reason had not yet been tried. The results were astounding:

Backup Completed Successfuly without any errors BOTH times
Backup Speeds were back to Normal on BOTH Nodes

The issues were solved, change the Backup Job to take Active Node Backup on your schedule & things will be fine. This was a common solution for both clients - now, this leads me to believe that the problem is with MSFT, which means next step is to raise a support call & have them troubleshoot the same & provide me the solution so that I may return my clients backup procedures to the "Recommended" backup procedure.

If anyone out there has had similar issues & been able to solve them without using this work around, I would really like to hear about it. Post a comment & I will get back to you!

Windows Server 2008 in the Production Environment - Microsoft Exchage 2007 Unified Messaging Server

Johan Dreyer — Fri, 07 Mar 2008 02:56:00 GMT

Windows Server 2008 officially went RTM early last month & was at the same time made available for download to all MS customers who have purchased Software Assurance & Microsoft's Certified Partner's.

Now here, in the UAE, the official Launch Date for the product is 27th March 2008 & Microsoft opened up a special offer to a select number of their Partners.

The offer was two-fold:

1. All Partners who are able to successfully deploy Windows Server 2008 at a client in the Production Environment BEFORE the Launch Date & submit proof of the same to MS would be Mentioned on a Slide at the Launch Event, with a brief overview of the Partner's business.

2. MS would give out a free Xbox 360 Elite to the first 2 Technical Staff & first 2 Sales Staff of any partner who successfully manage to Deploy or Sell Microsoft Windows Server 2008 to a Client.

Now, I am fortunate enough to have an EA Client who is always looking to improve thier IT Offerings to their User's & reasonably happy to use / test new products in the market, provided they do not interfere with the stability of the existing & critical Infrastructure.

They were using MS Exchange Server 2007 already (without the Unified Messaging Features) & had some spare hardware lying around. Tactfully, I managed to convince them to Deploy Windows Server 2008 in their Environment & use that as the Unified Messaging Server, Primarily for the Exchange Voice Access Feature set. They Agreed.

So whats the low down?

Hardware Used:            HP BL460c Blade Server
Hardware Spec:            2x 3.0Ghz Dual Core Xeon, 2 GB RAM, 2x 146 GB HDD, 2x Gbit LAN
Operating System:        Windows Server 2008 Enterprise Edition x64
Application Server:        Exchange Server 2007 SP1
Server Role:                  Exchange Unified Messaging Server

The deployment of 2008 was very smoothe, in-fact, it had ALL the required drivers for the hardware I was using natively supported so no need to spend countless hours looking for drivers which may or may not have been released by the manufacturer.

The client uses Symantec Antivirus Enterprise Edition at their site and I had a major fear that this wouldnt work & I would have to scrap the server for it, but this did not affect me as the Vista 64 client for Symantec Antivirus Deployed Seamlessly & is working a treat since.

(Congrats to Symantec / MSFT for the first time I have found third Party AV solution to work with a New O/S right from before the OS is released!)

The new interface takes a bit of getting used to (for users of Vista Basic Theme, this wont be a problem)

Windows Server 2008 ships with ALL the pre-requisites for your Exchange Server 2007 Deployment as native "Add-On" Features, so no need to run backwards & forwards downloading stuff from the Internet.

The Exchange Server Deployment was again Very smooth, telling me at each step precisely which "Features" of Windows Server 2008 I should enable to match the pre-requisites.

Surprisingly, the Windows Server 2008 performs about 70% better when dealing with the Exchange 2007 Management Tools (Both Exchange Management Console & Exchange Management Shell) than the Existing Windows Server 2003 boxes in the Environment which are having 4 GB of RAM & 2x Quad Core Processors (so higher spec hardware).

So far, the Server has now been Running for almost 3 weeks, non-stop, with no indication of any stability issues or performance issues.

My Conclusion: Windows Server 2008 is Definitely a good product & stable enough to go into your production environment. I would, however, not deploy any applications on their (or even consider it) if they have not officially been published as compatible with server 2008.

That being said, all my future networks are going to run Windows 2008 Domain Controllers & Exchange 2007 Servers with Windows 2003 Server ONLY going in on those boxes which explicitly require the O/S version.

Avoid common causes of Exchange D/R- Part 2: Correctly configure your File System (File level) anti-virus on Exchange Server 2007 Mailbox Servers

Johan Dreyer — Tue, 04 Mar 2008 06:28:00 GMT

So in my last article we looked at configuring the File Level Virus Scanners for Exchange 2003, but what about 2007? Is it the same? Well not really.

As we already know Exchange 2007 revolutionized the way we design, deploy & maintain our messaging environments. The new Roles Based architecture ensures that our messaging platform remains scalable, secure & efficient but also means that we need to consider the ways in which the different roles operate in order to effectively configure the File Level virus scanners in our organization.

In this article, I will endeavour to list the necessary Directory, Process & File Extention exclusions which you should set for each server role in your environment in order to ensure integrity & reliability of your Exchange messaging solution.

Of course, the recommendation still stands of running Exchange Aware Antivirus along with your file level scanners to secure the traffic that passes through Exchange.

Mailbox Server Role

Directory Level Exclusions:

Mailbox Database Directory (Powershell: Get-MailboxDatabase -Server "ServerName" | Format-List *Path*)
Mailbox Database Temporary Folder (Default: %Program Files%\Microsoft\Exchange Server\Mailbox\MDBTemp)
Public Folder Database Directories (Powershell: Get-PublicFolderDatabase -Server "ServerName" | Format-List *Path*)
Database Content Indexes (Powershell: %Program Files%\Microsoft\Exchange Server\Scripts\GetSearchIndexForDatabase.ps1)
Storage Group Directory (Powershell: Get-StorageGroup -Server "ServerName" | Format-List *Path*)
Message Tracking & Managed Folders Log Directory (Powershell: Get-MailboxServer -Server "ServerName" | Format-List *Path*)
Offline-Address Book Directory (Default: %Program Files%\Microsoft\Exchange Server\ExchangeOAB)
OLE Content Conversion Directory (Default: %Program Files%\Microsoft\Exchange Server\Working\OleConvertor)
IIS System Files (%Windir%\System32\InetSrv)
Server's Temp folder (%Windir%\Temp)

Process Level Exceptions:

Store.exe
CDB.exe
CiDaemon.exe
Cluster.exe
InetInfo.exe
Mad.exe
Microsoft.Exchange.Cluster.ReplayService.exe
Microsoft.Exchange.InfoWorker.Assistants.exe
Microsoft.Exchange.Search.ExSearch.exe
Microsoft.Exchange.ServiceHost.exe
MicrosoftExchangeADTopologyService.exe
MicrosoftExchangeTransportLogSearch.exe
MsfteSQL.exe
OleConverter.exe
PowerShell.exe

File Level Exceptoions

.chk
.log
.edb
.jrs
.que
.lzx
.ci
.dir
.wid
.000
.001
.002
.dia
.wsb
.config

Phew, thats a lot more than we had to do in Exchange 2003, but wait for it.... This is ONLY for the mailbox servers, what about the Hub, CAS, UM & Edge? Well, those are different & Will be covered in follow-on articles.

Avoid the most common cause for Exchange D/R- Part 1: Correctly configure your File System (File level) anti-virus on Exchange Server 2003

Johan Dreyer — Mon, 03 Mar 2008 05:52:00 GMT

As professionals out there know, improperly configured File Level (File System) Anti-Virus Software is the cause of an inevitable Exchange Server Crash.

Now we all know File-Level Anti-Virus is a necessity on ALL servers in your environment, so how do we ensure we deploy it on our Exchange Servers in a way which will not affect the performance / reliability of our Exchange Servers & still maintain the desired level of security on our network?

The answer is two fold & relatively simple, even if not regularly / correcly implemented in most environments.

1. Implement Exchange Aware Anti-Virus Products to Monitor & Secure your messaging environment
2. Implement File Level Anti-Virus with the correct exclusions set

Both products can seemlessly co-exist since they use different methods for scanning & scan different portions of data.

In this article I will address the File Level AV exclusions since the reliability of your Exchange Server is directly impacted by the same.

The following is a list of Exclusions which need to be set at the Directory, File Extension & Process level with preference given to the Directory & Process levels over & above the Extension level.

Exchange Server 2003

Set Directory Level Exclusions for:

Folders Where the Exchange Databases Reside (Default Path: \Exchsrvr\MDBData)
Folders where the Exchange Streaming Transaction files reside (Default Path: \Exchsrvr\MDBData)
Exchange MTA Files (Default Path: Exchsrvr\MTAdata)
Message Tracking Log files (Default Path: \Exchsrvr\Server_Name.log)
SMTP Virtual Server folders (Default Path: \Exchsrvr\mailroot)
Site Replication Service Folders (Defailt Path: \Exchsrvr\srsdata)
IIS System Files (Default Path: %SystemRoot%\System32\Inetsrv)
Internet Mail Connector Files (Default Path: \Exchsrvr\IMCData)
Path to the Storage Group Log Files (Default Path: Default Path: \Exchsrvr\MDBData)

Set the Process Exclusion for the following Exchange Processes:

Store.exe
MAD.exe
W3WP.exe

Set the File Exntension Exclusions for the following:

*.edb
*.stm
*.chk
*.log

With the above Exclusions set, your AV software will not be able to "Tamper" with the day to day function of your Exchange 2003 Server, causing it to Fall-Over & the possibility of a lengthly restore procedure with risk of data-loss.

Exchange Server 2007 Installation Pre-Requisites - A Comprehensive List

Johan Dreyer — Wed, 13 Feb 2008 05:32:00 GMT

For all those out there looking for the Pre-requisites for Exchange Server 2007 as a simple checklist to follow, here they are.

Please note: This applies to x86 as well as x64 distro's BUT ONLY the x64 distro is supported in Production environment!

General Domain Level Requirements

At least 1 Windows 2003 Server Domain Controller & Global Catalogue Server
Windows Domain & Forest in Native Mode
Domain must NOT be a Single Labeled DNS Domain

Edge Transport Server (Preferably a WorkGroup Server NOT Domain Member with 2 NIC Configuration)

Windows 2003 R2 SP1 or above
Domain Suffix Appended to the Server Name (Computer Name / Change / More)
.Net Framework 2.0
.Net Framework 2.0 SP1
.Net Framework 3.0 (recommended for Exchange 2007 SP1)
.Net Framework 3.0 SP1
Windows Powershell 1.0
Active Directory Application Mode (ADAM installed from ADD/Remove Programs)

Hub Transport

Windows 2003 R2 SP1 or above
Domain Member
.Net Framework 2.0
.Net Framework 2.0 SP1
.Net Framework 3.0 (recommended for Exchange SP1)
.Net Framework 3.0 SP1
Windows Powershell 1.0
IIS (ONLY required for centralized remote management through Management Consoles)

Client Access Server

Windows 2003 R2 SP1 or above
Domain Member
.Net Framework 2.0
.Net Framework 2.0 SP1
.Net Framework 3.0 (recommended for Exchange SP1)
.Net Framework 3.0 SP1
Windows Powershell 1.0
IIS (Required)
RPC/HTTP Proxy Service (Required for Outlook Anywhere)

Mailbox Server

Windows 2003 R2 SP1 or above
Domain Member
.Net Framework 2.0
.Net Framework 2.0 SP1
.Net Framework 3.0 (recommended for Exchange SP1)
.Net Framework 3.0 SP1
Windows Powershell 1.0
IIS (ONLY required for centralized remote management through Management Consoles)

Unified Messaging Server

Windows 2003 R2 SP1 or above
Domain Member
.Net Framework 2.0
.Net Framework 2.0 SP1
.Net Framework 3.0 (recommended for Exchange SP1)
.Net Framework 3.0 SP1
Windows Powershell 1.0
IIS (ONLY required for centralized remote management through Management Consoles)
MS XML 6.0 Parser Libraries
Windows Media Player 11 Runtime Files

I hope that someone out there wil find this post helpful, if you find any variations / requirements I have skipped out above, please feel free to post a comment & share the knowledge!

Import Bulk Contacts into Exchange 2003

Johan Dreyer — Sun, 20 Jan 2008 03:10:00 GMT

If you want to import contacts into Active Directory without the hassle of creating each individual object manually, then this is for you.

We make use of the CSVDE tool shipped with Windows for Importing/Exporting Data from CSV into AD.

Note: The CSVDE tool can ONLY be used to import & export objects to / from CSV files & NOT to update existing objects in the AD. If you want to make changes to existing objects then you have to use the LDIFDE tool.

The Tool to import Bulk Contacts into Exchange 2007 can be found here

Download the tool & follow the Instructions in the ReadMe.

This tool is provided "As-Is" & without any garuntees / warranties, use at your own risk.

Download Contact Generator NOW!

Nokia Mail For Exchange ( M4E ), Microsoft Exchange Server 2007, Multiple SAN Certificates & Making them All Work Together (NOT A PROBLEM OF MULTIPLE SAN CERTIFICATES or NOKIA SUPPORT FOR THEM)

Johan Dreyer — Thu, 27 Dec 2007 20:27:00 GMT

I have seen a lot of speculation with getting Nokia Mail for Exchange working with Exchange Server 2007 on the internet & face countless problems with the same myself.

Initially, I thought it "Just didn't Work", I had deployed Exchange 2007 at 2-3 of my clients & each time I tried to connect a M4E mobile device to Exchange it kept failing. Upon examining the logs on the mobile device I found an error something like the following:

"A field in the handshake was out of range or inconsistent with other fields"

Now the thing that REALLY got to me was that for one of the Deployments I did, it Actually worked, the only difference being that I had used ISA 2006 to publish the CAS server for this particular project which the others had not been.

So I thought I had found the answer, but in truth, the next time I tried to do this again it failed, with the same errors.

This time, I knew it actually did work & so I began troubleshooting the problem. A process that ended up taking 2 full days of my time, but rewarding none the less.

* I should point out that at this point I was using an Internal Microsoft Certificate Authority to issue certificates to my servers & installed the Root CA on the Nokia Mobile prior to enable M4E.

In MOST cases I had enabled my internal CA to issue Multiple SAN Certificates & generated CSR's which included the names for my organization using the New-ExchangeCertificate cmd-let as is generally accepted out there, but this always resulted in the issue above.

The time it worked, I had generated the CSR from ISA 2006 IIS with a single Subject Name & then MANUALLY ADDED the SANs at my CertSrv when I generated the certificate.

To do this, in the Attributes field when you request a new certificate type the following (without any Spaces):
SAN: DNS=mail.domain.com&DNS=autodiscover.domain.com&DNS=server.domain.local

Now when you compare the certificates generated in these two different ways, they both appear pretty similar, except for 1 thing - If you look at the Details Tab of the Certificate one of them will have a Yellow Warning Triangle on the Subject Alternative Name attribute & one will have the Good Green Circle on the same attribute...

Now the trick here - When you generate the CSR using New-ExchangeCertificate Cmd-Let it appears that although it generates the CSR & the certificate is issued without any complaints it would appear that the CA somehow understands, but doesn't like, the way the SANs have been added & gives you a certificate which works, but has some warning attached.

(I haven't been able to figure out what or why yet so if anyone knows please feel free to enlighten me)

Now Mail for Exchange does NOT like this anomaly in the certificate & as such WILL NOT connect to the exchange server & download the mail.

However, if you have a nice Green Circle in the SAN Attribute (Added SANs Manually when you request the Cert) then all seems to work perfectly well provided you have put the Root Certificate on the phone too.

The Good News, however, is that this ONLY applies to Internal Certificates - It appears that once you upload your New-ExchangeCertificate CSR to a Public Trusted CA they "Normalize" the certificate before issuing it to you & your M4E will work after the Public CA Certificate is deployed on your Exchange / ISA Servers.

It should also be noted that you need to make sure your Mobile is running a revision of Symbian OS newer than 1.5 (I think it is) to be able to handle Multiple Subject Name Certificates.

Blog Hits by Operating System

Johan Dreyer — Tue, 25 Dec 2007 19:55:00 GMT

Well I certainly hope everyone out there has had an excellent Xmas & is now looking forward to the New Years Eve celebrations & new year as a whole. I certainly am.

Today I was looking at the Statistics for my blog, as I do from time to time, when something caught my attention, The Hits by Operating System stats presented what I thought would make for an interesting bit of trend analysis.

The blogs been running for just under a year now, 11 months & some days so the information presented was gathered over the same period. This means it should give us a rough indication on the technologies out there being used by everyone & whats presently taking off / hanging back in the market...

Anyway, enough with the ramblings, why not have a look for yourself, the following Pie shows the Hits by O/S in a percentage form:

Now, as you can see, the largest chunk of hits come from Vista based machines (Microsoft will love this), which to me is pretty interesting since in this region we mostly see clients being very hesitant to adopt vista in general.

There is even a hit from a Windows 98 based station out there somewhere, nice to know some people got some die hard machines still running on that - imagine support for it is becoming a bit of a problem as we go along ( I couldnt imaging having to go back to working on 98, although once I considered myself a 98 Wizzard) haha how times change when we have the technology available to us & opportunity to grow right?

Merry Xmas & Happy New Year

Johan Dreyer — Mon, 24 Dec 2007 16:04:00 GMT

I would just like to take this opportunity to wish all of you out there a VERY merry xmas & happy new year. May 2008 bring peace & prosperity to You & Yours as well as more regular posts to this blog from me & mine!

Import Contacts into Exchange 2007 using CSV

Johan Dreyer — Sun, 21 Oct 2007 05:08:00 GMT

* This article has been superceded by the one posted HERE

One of my clients came up with a pretty standard request the other day, one I have been meaning to get around to myself but just hadn't had the time. He wanted a script to assist him in importing bulk contacts into his Exchange Server 2007 Organization.

Now this is pretty simple, well much simpler than it was in 2003, when you leverage the functionality of PowerShell Cmd-Lets, Scripting & the native CSV file support.

The procedure is as follows:

1. Create a new File in notepad
2. Paste the following text into it

Last,First,Email,Company,Department,Title,Location,Tel,Fax,Mobile,POBox,Zip,StreetAdd,City,Country
Gates,bill,gates.bill@microsoft.com,Microsoft Corporation,Executive,Chairman,Redmond,+1 (0)830 308 3665,+1 (0)830 336 6727,+1 (0)191 555 1780,8469,A9141,"1 MS Close",Redmond,United States of America

3. Save the file as Contacts.csv
4. Open the file in Xcel & Populate it with all the required data
5. Open Notepad & Paste the following into it:

# Create User Accounts & Mailboxes According to Information in contacts.csv (CSV Formatted)

# NOTE: Be sure that the Contacts.csv file resides in the same directory as the script when running.

# $_. (defined by $entry) calls the column in the CSV (e.g. $_.First calls the data from csv column titled First)
# $_.First is First Name
# $_.Last is Last Name
# $DN is Display Name
# $uLogin is User Login Name
# $OU is the Organizational Unit for User Objects (String Value enclosed in '')
# $Domain is the UPN Domain Name (either internal Domain Name or Public Domain Name if added as additional UPN Domain in Domains & Trusts, string value enclosed in '')
# $Server is the Database Serer Name (String value enclosed in '')
# $SG is the Storage Group Name for hosting Mailboxes
# $MDB is the Mailbox Database Name for hosting Mailboxes

# Define Common Variables

$OU = 'Contacts'

# Call CSV File & Create Mailboxes

Write-host "Creating Contacts..."

import-csv 'contacts.csv' |
foreach{
  $entry = $_
  $DN = $_.First+" " +$_.Last;
  $Alias = $_.First+"_" +$_.Last
  New-MailContact $DN -DisplayName $DN -FirstName $_.First -LastName $_.Last -organizationalunit $OU -Alias $Alias -ExternalEmailAddress $_.email
  Set-Contact $DN -Company $_.Company -Title $_.Title -Department $_.Department -Fax $_.Fax -MobilePhone $_.Mobile -Office $_.Location -Phone $_.Tel -PostalCode $_.Zip -PostOfficeBox $_.POBox -City $_.City -StreetAddress $_.StreetAdd -CountryorRegion $_.Country
  Write-Host 'OU   =' $OU
  Write-host 'First Name =' $_.First
  Write-Host 'Last Name =' $_.Last
  write-host 'Display Name =' $DN
  Write-Host 'Alias   =' $Alias
  Write-Host 'Email Address =' $_.Email
  Write-Host 'Company =' $_.Company
  Write-Host 'Office  =' $_.Location
  Write-Host 'Title  =' $_.Title
  Write-Host 'Department =' $_.Department
  Write-Host 'Telephone =' $_.Tel
  Write-Host 'Fax  =' $_.Fax
  Write-Host 'Mobile No. =' $_.Mobile

  }

6. Save the file as CreateContacts.ps1
7. Create an OU in AD Called Contacts
8. Copy both Contacts.csv & CreateContacts.ps1 onto a computer with Exchange Management Shell Installed
9. From EMS, navigate to the folder where you placed the files above & run the PS1 script (type .\CreateContacts)

Hint: When entering numbers, i.e. telephone, extension etc in excel, be sure to start the input with ' to ensure no leading 0 is dropped, e.g. '04 301 9112

Publishing Exchange 2007 Client Access (OWA, Outlook Anywhere, ActiveSync) on ISA 2006

Johan Dreyer — Sun, 29 Jul 2007 04:40:00 GMT

Of late I have had the fortunate experience (or unfortunate in some cases) of publishing Exchange 2007 CAS servers on ISA Server 2006 reverse proxies. This has indeed proved to be interesting & at times trying or troublesome so I'm gonna try give a few pointers here to cover quite a bit of what was missed out / not clear on many of the articles on the same subject which I found before.

First off, lets start at thise brilliant article by Rui Silva of the MSExchange.org which can be found here. I used this in my first ever Exchange 2007/ISA 2006 publishing procedure & found it covers the publishing procedure quite comprehensively, no matter if you ar using a uni or multi-homed ISA Server.

There are however a few basic guidelines & rules which need to be followed that are not covered in Rui's Article.

In my opinion, the most important of these is the fact that, if not setup correctly, multiple Subject Alternative Name (SAN) certificates can BREAK, yes BREAK, your ISA Web Publishing Rules. How so? Well, it appears that ISA Server 2006, although SAN Aware to some degree, can ONLY use either the Certificate Subject Name or the FIRST SAN entry in a certificate. This means that if you have placed the name of the site you are publishing in the SAN attributes of the Certificate & its NOT at the top of the list then you in for some trouble. Well its just not gonna work.

More on this can be found on the ISA Server Team Blog.

A coleague, Suraj Masrani, brought the above to my attention after he had been doing some research. Out of shear luck, the first time I tried to publish Exchange 2007 on ISA I actually matched ALL the certificates to the above rule! Kudo's to Suraj!!

Secondly is that in some cases you actually need to patch ISA 2006 to add the Exchange Server 2007 Web Publishing Rules. The patch can be downloaded from this Microsoft Web Page.

Now a Third thing I learnt along the way, Do NOT Specify a Gateway on the Network Connection Properties of your ISA Server, this may well lead to disaster for you. Instead add persistant static routes via Command Line Route Add tool. This is especially important, as I discovered, in a multi-homed environment.

You can do this by typing Route Add Ip_Range Mask Subnet_Mask Gateway_IP -P from command line for each subnet / vlan you are running. In my case I had to add the following:

route add 172.16.0.0 mask 255.255.0.0 172.16.0.254 -p (for the internal, 172.16.x.x, VLANS)
route add 0.0.0.0 mask 0.0.0.0 83.111.190.254 -p (for all other traffic)

Simply adding the gateway to the network connection TCP/IP properties on each interface cause ISA Publishing to cease to work regularly & required a reload to bring them back up. Now I suppose to someone who knows ISA quite well & networking too this would make sense, but then I profess to be no Guru in either.

So with that all done, I follow Rui's Article above & successfully manage to publish my Exchange 2007 on ISA 2006.

Now I am stuck on 1 (2 potentially) more fronts:

Potential Problem #1.
I want my internal clients to access Webmail using the same URL internally as they would Externall & still make sure they get the same Forms Based Authentication page that they would from without the LAN.

This is easily solved by setting up a split DNS infrastructure where you add an additional Primary Zone to your internal DNS Servers to make them 'Authoritative' for the public domain (from within the corporate network).

Now all you so is manually create host records for WWW, Webmail, Intranet, Extranet etc & have them point to the correct private / public IP so the users are still able to browse their sites & connect to internal sites using the same public url they would from home.

So where should your internal Webmail Host record point to? Well the ISA server, ofcourse, for if it pointed to the Exchange 2007 CAS then your users would get the basic authentication login prompt as opposed to the pretty FBA one.

The trick is, the ISA Web Listener you created before needs to be configured to listen on both Internal & External Networks for this to work properly though.

Potential Problem #2:
I have multiple Exchange 2007 Client Access Servers with Multiple ISA 2006 Reverse Proxies, how can I enforce some form of load balancing / redundancy in this scenario when manipulating the Hosts record allows me to only point a single IP to the Published Host Name when DNS Round Robin MUST point to the ISA Servers for internal resolution of the public hostname?

In my scenario above, the work around I used was to deploy DNS on the ISA Servers, make the local DNS Authoritative for the public domain (internally ONLY) & create the necessary Host (A) records for DNS Round Robin to work. DNS Forwarders for the Private Domain & All other domains were added to the DNS on ISA & finally ISA pointed to itself & its peer for DNS Resolution.

This meant that ISA was able to resolve the public webmail URL (hostname) to either one of the internal CAS Servers while the Corporate Clients, using internal DNS would resolve the same URL (hostname) to either of the ISA servers.

Any clients accessing Webmail / CAS Services from the public would be directed to my public IP's by the relevant authoritative Public DNS servers which also had redundant DNS Records Registered for Round Robin, so Availability & redundancy requirements were met without the complications of using Load Balancing with Exchange 2007.

Next up are some useful tips & tricks learnt when trying to use Nokia Mail for Exchange (M4E) with Exchange 2007, Subject Alternative Name Certificates & ISA Server 2006

Exchange 2007, Multiple SAN Certificates & Issuing Public CA's (Where to buy)

Johan Dreyer — Thu, 12 Jul 2007 17:35:00 GMT

So after completing the migration, we still had some small issues to iron out. One of those was Upgrading the Private CA certificates I had installed on the Exchange Servers to Public CA Certificates.

Now not too long ago, when you needed a Multiple SAN certificate that was publicly trusted you only had a small handful of CA's you could go to and whats more they actually appeared quite expensive. Times have changed slightly with most public CA's now offering some flavor of Multiple SAN Cert & at prices ranging from $50 - $1000+ per year.

This is GREAT, you now have choice & the possibility of suiting your budget right? Well thats up to you to decide, here I just want to give a simple comparison between these certificates & let you choose what you want out of your public certificate.

First of all, let us have a look at some of the places you can buy these certificates & what they cost / offer:

Verisign Managed PKI SSL Certificates
Not much information on the Multiple SAN Certs from Verisign, I found a document saying they can support up to 20 SANs per certificate, however policies & costs are not readily available on the site- or I just couldn't find em.

The most trusted & widely supported CA on the web

Entrust Unified Communication SSL Certificates
Cost: US$ 599 - 849 / year
SANs Supported: 10 or more (extra charges apply)
Guarantee: Unlimited re-issue guarantee within certificate lifetime
Lifetime: 1 / 2 year options

Trusted by more than 99 percent of all browsers & Mobile Technologies

GeoTrust PowerServer ID Certificates
Cost: US$ 599 per year
SANs Supported: unto 4
Guarantee: Unlimited re-issue guarantee within certificate lifetime
Lifetime: 1 / 2 year options

Automatic renewal reminders

Trusted by more than 99 percent of all browsers & Mobile Technologies

Go daddy 6-in-1 Certificate
Cost: US$ 70 - 250 per year
SANs Supported: 6
Guarantee: Up to 2 Re-Keys within the first 30 days after issue
Lifetime: Up to 10 years, with Savings

Limited Support from Browsers & Mobile Technologies

Now there are a few more providers out there who offer these certificates & it is up to you to choose the one that suits you best.

I personally like the offering from Entrust, it gives you a nice flexibility in the number of SANs supported, the Certificate Lifetime Re-Issue Guarantee & the support from browsers & mobile devices out there.

The Go Daddy certs are also a good option on the low budget end, however I found them to give a certificate error with some browsers, operating systems & mobile devices- but then this is a compromise some organizations are willing to make.

In either case, if you use the standard validation or Turbo SSL solutions your certificates are usually issued within 5 working days @ most making the turn around time pretty efficient too.

I have spoken with the local Comtrust CA here in Dubai & unfortunately as yet they have not been very forthcoming with current or future plans to support Multiple SANs.

Kudo's to Quest & their Notes Migrator for Exchange

Johan Dreyer — Thu, 12 Jul 2007 17:24:00 GMT

OK, well I just finished up the Notes migration I was doing a couple of weeks back & I am pleased to say the migration went on smoothly, we turned Domino off on Thursday evening at around 7 pm & Exchange on by about 7:45 pm the same night- then tidied up a few things, made sure the data was readily available & went live on Sunday! Only 600 odd mailboxes so was a bit of a task but hell, we pulled it off so why not celebrate?

Anyway, the clients new Exchange 07 Org is fast, stable & the users are stoked with the new features so everyone happy on that front.

Kudo's & Thousands of thanks to Quest, for a brilliant migration tool, the team of 5 who went around to all the clients & eased them into Outlook & to all those who helped us out on the back-end. All of these played an equally important part in doing it once, doing it right & the complete success of the project.

What are your Views on Virtualization ?

Johan Dreyer — Mon, 11 Jun 2007 08:44:00 GMT

So there's a lot of talk about virtualization out there, the possibility of running multiple servers on single machines, instant (nano second) delay failovers, clustering clustered virtual servers, reduction in costs etc.

I am looking into virtualization @ the moment, possibly using ISCSI disk systems & a few deskops to run the VServers.

I have a pretty good idea which servers I want to virtualize, how to do it what my expectations are from this.

I want to hear from you out there on the following:

Are you using virtualization & how do you find it?
Are / Would you consider Virtualization?
Which Servers on your network would you virtualize & which wouldnt you "trust" / risk to virtualization?

ForeFront Installation Crashes When installing on an Exchange 2007 Single Copy Cluster

Johan Dreyer — Mon, 11 Jun 2007 08:21:00 GMT

One of my clients has an Enterprise Agreement with MS & as part of this they migrated to Exchange 2007. Now thanks to the EA, they are allowed to use ForeFront Security for Exchange on their servers at no additional charge- this makes sense too since it does integrate so well into the Exchange 07 Org.

So I went in there yesterday to deploy & configure the forefront on their Hub/Cas and Mailbox SCC Cluster servers. I started with the hub/cas servers & everything went Great, it took a while to donload updates- I think the MS site where you get them from is reasonably busy so many timeouts while downloading but they came eventually.

I also configured one of the HUB/CAS servers as an update distribution server so the other 3 servers on the network do not have to download from the web.

As expected, all of the above went smoothely with no problems @ all! How ever, once I got to deploying it on the Single Copy Cluster I found that somewhere in the middle of the installation (in fact before it begins copying files) the installation crashes, just literally disappears off screen!

I tried the installation several times on both nodes with different accounts & for the life of me could not get it to work. Eventually, fed up with being stubborn I resorted to asking google, which gave me the solution & get this:

The solution was to rename the Exchange Cluster Group so that it has the same name as the Exchange Network Name Resource.

See the following MS KB: support.microsoft.com/kb/934287

Now lets consider: its MS ForeFront, MS Windows, MS Clustering & MS Exchange - surely their AV should be able to differentiate between the various cluser groups & install its resources in the correct one with out us having to rename our groups, which in some cases may have been done according to a naming convention...

Exchange 2007 SSL Certificates & Subject Alternative Names

Johan Dreyer — Thu, 31 May 2007 04:21:00 GMT

Exchange 2007 presents new challenges on the front of SSL certificates - we know now that we need to include multiple names into our certificates to make all the features of this great new server system work. We also know its certainly never a best practice to keep the self signed exchange certificates which are deployed with the exchange installation.

So how to we generate the new Certificate Requests & who do we submit them to?

Well the easiest way to generate the certreq with multiple Subject Alternative Names is from within the Exchange Management Shell. As for the names to include, well that's entirely upto your deployment & environment.

The commandlet used is New-ExchangeCertificate and the syntax is something like this:

New-ExchangeCertificate -DomainName webmail.fjdent.com, webmail.fjd.local, mbxhubcas.fjd.local -FriendlyName "F J D Enterprises" -GenerateRequest:$True -Keysize 1024 -IncludeAutoDiscover -path c:\fjdent.req -privatekeyExportable:$true -subjectName "c=ae, o=Johan Dreyer, CN=webmail.fjdent.com"

Now the above commandlet will generate a certreq for a certificate to be issued to the server named webmail.fjdent.com (public CAS Access) with Subject Alternative Names included for webmail.fjd.local (internal CAS access), mbxhubcas.fjd.local (Exchange 2007 Server Internal FQDN), autodiscover.fjdent.com, autodiscover.fjd.local & autodiscover.AnyOtherExchangeAutoritativeDomain.com

* Note that should you can use the -Force switch to force the commandlet to overwrite existing files with the same name in the path specified.

So now you have the Certificate Request file, what do you do with it? Well you have 2 options here, you can either submit it to a Public Trusted Certification Authority which supports issuing certificates with Subject Alternative Names, one such CA is EnTrust, or you could submit it to your internal MS Certificate Server.

Now if you go the public CA Route then you have not much to worry about, except meeting their verification criteria to get the certificate/s issued.

However, if you plan on using your internal CA to issue the certificate you would need to enable this functionality on that server first. This is because MS Certificate Services is not configured by default to issue certificates with multiple SAN's.

The good news is its pretty easy to do, on your Certificate Server just run the following commands:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

Since I do this for multiple clients / lab environments I have copied these commands to notepad & saved the batch file on my USB Memory stick - now I just plug my memory stick into the CS & run the batch.

Once you have done this you can now submit your certificate request to the internal CA & have it issue your Exchange Compliant SAN Certificate.

Note that the clients would need to have the CA Root Certificate installed in the Trusted Root Certification Authorities store of their local computer to avoid getting the untrusted certificate error in their browser- Outlook does not check the trust status of a certificate, only the availability & validity there of.

To use an internal certificate with Windows Mobile based devices, you should export the CA Root Certificate in DER format, copy it onto the device & install it. WM Devices will NOT connect to any server which is using a certificate that it does not trust!

Exchange 2003 OWA & Windows Vista - users cannot compose / reply / forward messages

Johan Dreyer — Mon, 28 May 2007 04:39:00 GMT

Now I know many of us have experienced, lived with & ignered the feature encountered when browsing OWA2k3 from IE6 or IE7 and having to click on the content box to "active & use the activex" control, this has never been a huge issue since it always worked. Hoever, now with more & more Windows Vista clients in the market, we face a new chalenge - MS have kindly removed support for the legacy OWA ActiveX control used when compsing new messages in OWA2k3.

This causes a problem since now, your director whose all proud of his new, smart, cutting edge Windows Vista laptop decides to travel & guess what, when he tries to access OWA from abroad he can view all his messages / calendar / tasks etc but just let him try create a new message or reply to a message & all he gets is a big greyed out square with a small red X in the top left corner. He can't enter any data into the email body.

This is disasterous for you, well potentially so anyway. The good news is you can be pro-active, you can click on the following link, download the patch, install it & reboot your exchange front end.

http://support.microsoft.com/kb/911829

The good news is not only will your Vista enabled users now be able to use OWA again but those users still on XP / 2000 with IE6/7 will now no longer have to "click to enable / use this activex control"

Neat huh? well, not really - just a handy tip...

The interruption in service...

Johan Dreyer — Mon, 21 May 2007 16:22:00 GMT

Ok, so the blogs back online now - there were some technical issues caused by yours truly playing with the dns records of my domain --> you right, I should know better.

anyway, its back now for good so lets keeep checking back for the updates as & when they come in.

Disk Usage Issues - WHERE DID MY FREE SPACE GO??

Johan Dreyer — Fri, 18 May 2007 03:46:00 GMT

Hey guys,

I dont know about you, but one problem I seem to regularly face in the field with my clients is lack of disk space. Admins these days just dont seem to do much housekeeping on their servers on the front of freeing up the space they should & eventually this ends up causing problems.

Worst off is so many of us out there then resort to wasting a lot of time checking the size of individual files & folder through Windows Explorer trying to find where all the utilization has gone to.

Guys, there are tools out there to make your life easier- use them!

One such tool (my favourite) is Jam Software's TreeSize / TreeSize PRO - this is NOT freeware but a fully functional shareware copy can be downloaded, used & evaluated... Then if you like, please buy.

There are a number of other similar GPL tools available from SourceForge.net which can do the same job accross platforms so its up to you what you want to use - freesize is one I have used before which is similar to treesize...

Use these tools people - they small, light weight, analyze your disks in secconds and give you an easy to use visual display of where your disk space is being utilized / wasted so its quick n easy for you to clean up.

I'd like to see some of you try them out & then post some comments on here if indeed you find these tools saved you some time & effort...

Enabling Exchange 2003 SP2 Mobile Access (DirectPush & OMA) in a Front-End/Back-End Scenario

Johan Dreyer — Wed, 16 May 2007 15:19:00 GMT

So you have Exchange 2003, your boss wants mail on his mobile - you look to Blackberry & other similar products for help!

Well I don't - Exchange 2003 SP2 comes with a native built in DirectPush technology called ActiveSync- yes, its true this is primarily supported by the Windows Mobile based pda's out there but you can also get a licensee version of the Active Sync client for many other kinds of mobile device. The favourite by far can be checked out at the following url:

http://www.dataviz.com/solutions/enterprise/roadsync/index.html

Cool, so now you have an idea that you going to use Exchange Active Sync in your environment, the next step is enabling it & setting up your devices... well this is pretty easy provided you have a front-end/back-end topology (if using ssl otherwise this doesnt matter)

All you need to do is open up Exchange System Manager on your management station or one of your Exchange Servers

Expand Global Settings
Right Click Mobile Services & select Properties
Enable Outlook Mobile Access
Enable Unsupported Devices
Setup the Device Security as per your policies

Now Goto Active Directory Users & Computers, right click those users who you are going to be using ActiveSync, select Exchange Tasks> Configure Features > Enable Mobile Services

Finally on the Device itself, connect to the WAP / GPRS, open ActiveSync / RoadSync, Add a new Server (Account), specify the username, the public IP of your OWA site (front end Server), and your netbios domain name & hit next/merge/finish.

Presto - it connects to the server, sets up a partnership & begins downloading the relevant data... Calendar, Contacts & Inbox are but a few of what can be sync'd (dependant on device & exchange version - ) so check it out.

Exchange 2003 Disaster Recovery - Restoring to a Single Server from a failed Cluster

Johan Dreyer — Wed, 16 May 2007 10:41:00 GMT

Ok, so many of us out there are faced with situations which require us to restore data backed up from an Exchange Cluster onto a single server.

This can happen in multiple scenario's, maybe your SAN has become unavailable for some reason, maybe you need to test your DR Procedure in a lab environment to make sure your prepared in the event of a Disaster & that your backups are indeed reliable.

There are many reasons out there but not so many reasonable howto's.

Im going to try give you a general idea here on the procedure - dont expect a 100% accurate step by step, its more of a general guideline which if you use a bit of common sense, intelligence and well, some more research you should be able to perform the D/R with no problems at all.

Onto the Procedure:

Delete the Cluster Virtual Server object from A/D using ADSIEDIT

Delete the Virtual Server Computer object from Active Directory Users & Computers

Install the new server with the same server name, O/S Level & Patches then install a fresh copy of Exchange as part of the origional organization

You will need to create the exact same drive & folder structure as what you had on the cluster, e.g. x:\exchsrvr\mdbdata\priv1.edb etc

Create Identically named Storage Groups & Information Stores which are located in the same path as on the cluster then dismount the stores & mark them to never be mounted @ startup & Database may be over written by a Restore

Add the following Registry DWORD Recovery SG Override = 1 to this registry key:
HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
(Remember to set this back to 0 after the restore)

Install your backup software, catalogue the last successful backup media & restore your information stores.

* It is normally a best practice when restoring multiple information stores to run each store as an individual job - this allows them to be mounted one at a time as and when the restore completes.

Now reconnect all the mailboxes to their respective user accounts using the Mailbox Recovery Centre in Exchange System Manager & your system is back up & running.

HP Exchange 2007 Server Sizing Tool

Johan Dreyer — Tue, 15 May 2007 08:17:00 GMT

For all of us out there who are responsible for designing & deploying solutions based on Exchange Server 2007 HP have finally created & released a Sizing Tool to make our lives a lot simpler.

This tool can be accessed on their Active Answers Website at the following URL:
http://h71019.www7.hp.com/activeanswers/Secure/483374-0-0-0-121.html

(You will need to setup an HP Passport Account & Log In to access the tools)

Also remember to always use some of your own logic when sizing & scaling hardware for your solutions since tools like this apply ONLY the recommended best practices from MS and do not really take cost into consideration.

example: Single Exchange Server for 100 Users according to the tool requires 14x 72GB SAS HDD's in a mirror, this is not practical since a) its Expensive b) 6x 146GB Disks would meet the performance & storage requirements for this size solution quite fine.

Im not saying ALWAYS do this, just sometimes the solutions put forward by the sizer are not quite 100% what suits us or our customers.

Have FUN playing with it.

Exchange 2007 Continuous Replication Part 1: LCR

Johan Dreyer — Mon, 14 May 2007 05:42:00 GMT

For many of us, the transition from Exchange 2003 to Exchange 2007 is taking its toll. This is because Exchange 2007 requires us to take up a new way of thinking, completely, in the planning, deployment & Disaster Recovery scenario as well as in the server sizing side.

I have already mentioned that Exchange 2007 Databases are no longer bound to a particular server name and that MS have included Log Shipping (Replication) into Exchange Server 2007 making it possible for you to keep an almost (log shipping is ASYNCHRONOUS) up-to-date copy of your live Information Stores in another location. Be this a separate folder / disk set or subsystem.

Now there are some limitations to LCR, off the top of my head these are:
- Only 1 Database per Storage Group can be configured for LCR
- Databases can ONLY be replicated to what windows thinks is Direct Attached Storage
- Replication is asynchronous, which means your off-line database will always be at least 1MB behind in email   content (1 log File)
- Ok, so now we looked at that, lets see how this technology / system helps us & our clients in the production environment.

Scenario:
I have a client with about 150 users who is on a tight budget and decides he does not require high-availability, what he does require, however, is fast reliable D/R solution which can bring his services up in the least amount of time.
An intranet Server will also be purchased & will use the same HDD type as those in Exchange Server.

Additionally backup of A/D, Exchange & Intranet will be performed onto tape daily.

Reduced Performance after D/R is acceptable while the production Exchange Server is brought back online, what is important to the client is service availability.

Solution:

Deploy Single Exchange 2007 Server with recommended config + additional 2x 300GB HDD (Mirrored for LCR).

Create Multiple Storage Groups each with a Single Information Store enabled for LCR. Place the Replica on the 300GB Mirrored Patition

Deploy intranet server.

Now lets look at how the above solution compares to the scenario requirements in various D/R situations:

Database Level Corruption:- Since Off-Line database is generated from log file replication by an off-line jet engine the corruption would not have propagated so all we need to do is point our Information Stores in Exchange 2007 to the LCR Databases & mount them, replay uncommitted/replicated logs, repair origional database off-line & then swtich back at your next convenience
                                                                                                                  Estimated Down time           <30mins
                                                                                                                  Data Loss                             0%
                                                                                                                  Performance Degradation      Temporary
Server Failure / Total System Failure:- Intranet Server makes use of the same hard disks as those in the Exchange server, therefore install Exchange 2007 on the intranet server, move the Live Database HDD’s / LCR + Log HDD to the Intranet server, Mount the databases & Replay Logs. For the users with Outlook 2007 + Auto-discover the new server name settings automatically update, for those with Previous Versions of Outlook, manually re-home or use Exchange Profile Update tool + Login Script to re-home outlook profiles
                                                                                                                  Estimated Down Time           <3 hours
                                                                                                                  Data Loss                             0%
                                                                                                                  Performance Degradation      Temporary

Of course, in the event that the production Exchange server was totally destroyed (Disks Included) you would have no option but to revert to the conventional Tape Backup & Restore procedure which has not changed much, except that you can now take VSS backup of the Off-Line Databases, and in this case restore time would depend on the size of data, availability of hardware etc. etc. etc. However, these scenario’s are pretty rare in the production environment & the only real alternative would of course be a geo-cluster…

Now I’ll leave you to draw your own conclusions as to how this can make your life easier- All I know is it’s a real alternative to traditional recovery methods & can save me a lot of headache, sleepless nights & SLA penalties therefore included in all my solutions.
CCR coming Soon …

D/R #1: Recovering Active Directory / Exchange 2003 - Single DC Running Exchange

Johan Dreyer — Sat, 12 May 2007 08:30:00 GMT

I recently underwent a wonderful 2 weeks in which I had to do a number of Disaster Recoveries for my clients, three to be precise. Now this sux since they all happened during the working week n that meant sleepless nights for me.

To all of you out there looking at the main stream server support field as a career move- I certainly hope you dont like your sleep or personal life as these come to an end when you are supporting clients backend infrastructure. LOL

So what was involved in these D/R's??

D/R #1: Small Organisation- Single DC running E2k3
Failure: RAID 5 Array

The above failure happened thanks to a faulty RAID Cache module on the Array controller of the server which didnt allow the failed disks to rebuild correctly.

I spent about 3 hours trying to FORCE the raid controller to rebuild the logical volume, which it wouldnt so as a result I decided on rebuilding the server & restoring A/D & Exchange - My first ever D/R in this scenario...

The Procedure:

1. Complete Rebuild of the Server from the RAID 5 Logical drive to the O/S & Partitioning
   -Same ServerName
   -Same IP
   -Same Logical Disk Partitioning
2. Install ALL updates & Patches which were applied before
   -This can be tricky on servers which have been running for a while, in my case I simply applied the latest service pack at time of D/R
   -I did not update the IE, not having realised the server had been updated to IE7, & this caused an unmentionable amount of stress for me - Note to Administrators: always document the IE version installed on each server
3. Install backup software & Reboot to DS Restore mode
4. Catalogue the lask good FULL Backup & Restore SYSTEM STATE
5. Set the HKLM\SYSTEM\CCS\SERVICES\NTFRS\BACKUP/RESTORE/BURFLAGS to d4 value & reboot
*check out kb315457
                                    Expect a large number of services to fail & slow startup time here since the old registry has been restored & not all applications put back on the server

Before installing exchange, be sure to delete the Exchange registry key under HKLM\Software\Microsoft or your installation WILL fail!

6. Install MS Exchange 2003 by running setup /disasterrecovery switch & Apply the correct Exchange SP level then restore the databases from backup - be sure your username & password for the restore are correct!!!!!
7. Mount the databases / replay logs using eseutil /cc & Mount the databases

your server should be UP now with pretty much in an identical way to what it was before.

NOTE: I had a lot of trouble with Symantec Mail Security for Exchange in this scenario, it would not reinstall correctly & interfered with my internal & external mail routing. I eventually had to find the manual uninstall instructions on the net, remove the registry keys & finally reinstall it to get mail routing again.

All in All, this procedure was a reasonably painless one though time consuming. We wer just luck that the client had a good clean backup of both System State of the DC & the Exchange information store's.

It is recomended that at least one System State Backup of each Domain Controller in your domain be taken every 50 days, the tombstone period for A/D backups is 60days so you will not be able to restore any system state backup older than that!

From Domino to Exchange 2007

Johan Dreyer — Sat, 12 May 2007 08:07:00 GMT

Ok, so after having mentioned once or twice the new tools out with Exchange 2007 & ranted & raved about these products, I think its about time I eat some humble pie!!

One of the reasons I have not been keeping up with my blog is an ongoing Migration project for a client with about 600 mailboxes from IBM Domino 7.x to Exchange 2007. I was pleased that we were able to secure this tender since Seven Seas received a late invitation as an independant bidder (not recommended by MS on this project) and I worked on the entire concept, proposal & tender document along with a very capable account manager.

Kudo's to ghassan, me & the rest of the team who helped secure this!

Anyway, onto the more interesting stuff...

The solution deployed includes 2x HUB/CAS servers using NLB & an Active/Passive SCC Cluster all deployed on AMD based HP Blade C Class servers. The Exchange setup & configuration was a breeze, of course, and it wasnt long before I had it all up & running, ready for the migration configuration.

The concept was to try save some money for the client & use the Transporter Suite for to migrate the users & mailboxes accross (no requirement for Application migration here) so I proceeded to install & configure the transporter suite for testing.

The results? FRIGHTENING!!

The setup was reasonably simple, co-existance using the domino connector proved to be a problem so we decided to use SMTP based mail routing between 2 seperate domains, in theory no-problem but in this case Domino config has problems so it still doesnt work properly, but hey, thats another story not to be told here.

As for the transporter suite itself, well I found some pretty erratice behaviour coming from it, quite often the service would crash, requiring a complete restart of the server for everything to go back to normal, the MMC keeps crashing too, countles unnecessary errors are reported from the MMC which simply are NOT there when you use powershell etc. Its a pretty painful process.

Additionally, when migrating mailboxes I found anything upto 20% of the users emails wer not being migrated for one reason or another, MS claim its due to encryption / corruption, but then I checked the mails out in Notes & cant find anything wrong with them, certainly not corrupt or encrypted anyway.

(Silly me, Should have known these limitations exist with the MS Migration tools - we live, we learn)

Of course, PAB's & Archives are not migrated as part n parcell of the MS tool migration either so this makes life more interesting cos you nw have to find alternatives to move these.

Something else I learned during this R&D phase is that MS are currently releasing a new version of the Transporter Suite on a monthly basis with new fixes included, so if you have the time & patience then you could keep waiting & trying each new version.

For the rest of us though, there REALLY is not real alternative to switching to a third party tool such as Quest Notes Migrator for Exchange. This tool really rocks in terms of cost/pound of performance. reasonably priced at about 12USD/mailbox for 600 users (prices may vary according to no. of mailboxes) you honestly cannot complain when all Mailboxes, Archives & PAB's are migrated all at once in a quick easy n stable environment with minimal data loss, so far max = 4%.

Those of us who have unlimited budgets though, I would recomend checking out XitNotes its by far the easiest n most user friendly but costs a packet.... will let you check it out!!

Anyway, I guess the bottom line here - when you migrate from notes to exchange, DONT BE CHEAP, spend the extra cash on a tool to help you n you will be thankful end of day!!

How Do I Setup My AD Sites??

Johan Dreyer — Mon, 26 Mar 2007 19:08:00 GMT

So another long while has passed since I last updated my blog- well in my defence I work for a living - haha, what a thought... No seriously, I have taken on a few new responsibilities in the office and well, they seem to consume a lot more of my time.

For those interested in what I am doing now check back shortly, I will be posting some personal news in the next couple of days.

For now, I want to talk a bit about Active Directory Sites.

Now as most of us undoubtedly know by now, and some are about to find out, a huge change in Exchange 2007 is site based routing. This means no more routing groups, Routing Group Connectors etc. and centralized, single point setup of your domain topology. Obviously, this streamlines administration but can also complicate matters for your organization if your site structure is not setup correctly.

So what are AD Sites? Well they are a logical representation of your network connectivity between the physical locations which your domain stratches to. They can be setup, configured and viewed from the Active Directory Sites & Services MMC snap in.

By Default a single Defaul-First-Site-Name site is created and a Default-Site-Link with a global cost of 100 is also created. Now this assumes all domain controllers have the same high bandwidth network link (in this case, single location & all connected to LAN). This is fine for you if you only have a single site with a single domain and do not plan on growing in the future.

However, should you have multiple sites, with multiple WAN Links and Domain controllers all interconnected then you should definitely setup sites & services according so that the AD Replication, client authentication etc can be taken care of accordingly.

So how do you do this? Well its pretty simple, consider the following example:

ZimWave is a multi-national company which specializes in network consultancy. They have 5 offices split accross 5 different locations as follows:

Head Office - Harare, Zimbabwe               250 Users
Branch Office - Bulawayo, Zimbabwe          50 Users
Branch Office - London, England               300 Users
Branch Office - Holland                                73 Users
Branch Office - Dubai, UAE                        120 Users

All offices host at least 1 domain controller and are connected to at least 1 other site using WAN Connectivity as follows:

Harare - Bulawayo            256k Point 2 Point Leased Line
Harare - London               512k Internet VPN
Harare - Dubai                  512k Internet VPN
London - Dubai                 1Mb MPLS
London - Holland              1MB MPLS

Now you could draw this out on a piece of paper to help you understand the connectivity if you like. In fact I would recomend it. All you need to do is draw each location, then connect the locations with lines as detailed above, be sure to note down connection speeds too.

Ok, now we have a single domain, multiple sites and multiple links. Using the default topology that comes with runing the active directory installation wizzard all these locations are seen as a single site and all links considered equal. This means that ALL domain controllers will try to replicate with one another directly (even when no direct link exists) and clients will try to athenticate with any domain controller on the network with no logical preference considerations. More so, replications will be performed between domain controllers as if they were all residing on the same (local) network - no bandwidth optomization.

How do we cure this? Well we go into Active Directory Sites & Services and we first define all of our sites, first by renaming the Default First Site and then creating additional sites for the branch offices.

That being done, we now create new IP Site Links which represent our routing topology. We then associate a cost to each site link which reflects the speed of the connection between them.

For this scenario, it should look something like this:

Site Link                              Cost

HRE to BYO                         600
HRE to LON                         200
HRE to DXB                         200
LON to DXB                         100
LON to HOL                         100

Link Costs are assigned according to the speed of the connection between sites, the faster the link the lower the cost of transmitting data over it.

As a best practice, all sites with the same link speed should bear the same standard cost and all slower links should bear a minimum cost which is the total of all the links of higher speed.

In this instance, the fastest links are between London, Holland & Dubai (1mbps) and therefore these links carry the lowest cost. (100)

The next fastest links are between Harare, London & Dubai (512kbps) and therefore they are assigned a minimum cost which amounts to the total of all faster links. (Lon to DXB + Lon to Hol = 200)

Finally, the slowest link exists between Harare and Bulawayo, again the same rule applies here, the mimimum cost of the link should amount to the total of all faster links on the network.
(Lon to DXB + Lon to Hol + HRE to DXB + HRE to Lon = 600)

The Default Site Link should now be deleted.

Having configured your sites & site links, at this point you are ready to begin assigning your different networks to the specific sites. This is done by adding each physical locations network address range to the subnets and assigning each subnet to its respective site.

Once all subnets have been assigned to sites, it is now time for you to move the domain controllers into their respective sites.

Allow for replication to take place.

Now that you have correctly setup the sites & services of the domain, clients will always try to login to the domain using the domain controller assigned to their site first and only after failing to contact their local DC will they try one in another location - this speeds up the login process as well as reduces WAN traffic.

Another advantage is that structured replication will now occur - for example, the London or Dubai Domain controllers will never automatically try to replicate directly with the Bulawayo Domain Controller. Same as the Harare Domain Controller will never try to directly replicate to the Holland Domain Controller. You now have a structured replication topology in which duplication of traffic is being reduced.

AD also takes into account the relative cost of replication accross site links and compensates accordingly so as not to consume too much bandwidth on any one link.

Exchange 2007 SP1 Updates & Lotus Transporter Features

Johan Dreyer — Mon, 26 Feb 2007 12:46:00 GMT

Ok, so as you may have figured I'm pretty passionate, nay - crazy, about exchange. And since starting to work with E12 its become worse! It seems I just cant get enough, the new feature set, scalability functionality, all get me really excited. It truly is a great product and I cannot wait for people to start realizing that and putting some faith into it!

Anyway, enough with the ramblings. If you have used Exchange 2007 at all to date you may know that amongst all of the new features, there are some "ommitances". Although they dont make life that difficult having that functionality integrated or improved upon would make life a little more pleasant and day to day tasks a little easier too.

Microsoft have finally come out with some concrete information on what we can expect in SP1 for E12, to have a look into it, check out the MSExchangeTeam.com Blog

Something thats not so much new news really is that the public release of the Exchange Transporter Suit for Lotus has finally been released and well, its been transformed into an all in one tool suit, it migrates the directory, mail and applications from domino 6 and above to exchange and WSS 2003 / 2007. It looks a pretty breezy process along with having some cool advanced functionality from scripting in EMS!

Check out the Webcast on the MSExchangeTeam.com Blog.

MS have also released a new and up-to-date complete help file for E12, which all of you literature hungry people out there can download and read through. This is considered to be the primary resource for MS Exchange 2007 technical information to date.

It can be downloaded from the MS Website by clicking Here

The O.S.

Johan Dreyer — Thu, 15 Feb 2007 04:11:00 GMT

I been so busy lately I have ended up kind of neglecting the blog - NO excuse of course but then it does happen and I'm happy to say I am back again!

Since I have spoken about selecting hardware and then DNS I think its only fair to pay some attention to your Windows Server Operating system Deployment.

Yes, this is a pretty mundane topic and I know all we ever do it click next, next, next then hurry up and wait! But there are some reasonable considerations which need to be made when planning the deployment and deploying the Operating System, which could help with the future performance & security of your servers.

The redundancy factor - how many HDD's available, what RAID to use

Regardless what anyone out there tells you or says, you should NEVER install anything on a server if it is not protected by some form of redundancy on the storage level. Why? Well the hard disks on a server are always the first to fail and by far the most common hardware failure on any network. Now ask yourself, what happens if the system partition hard disk crashed? Answer: D/R = sleepless nights, 72hr shifts etc. not fun!

Disk Space & Logical Drives

Now in the ideal server scenario, you would look at this in a slightly different way. Some basic best practices, no matter how big the disks or what your raid configuration, are to keep the System Partition size down to the smallest necessary size. (In most cases 20-30G

Keep in mind that the system partition is not meant to hold any growing data such as databases, log files etc. It is precisely what its name says, a system partition, holding only the windows system files and program files for any application you are running, and possibly one page file of max size 2GB.

You should consider creating separate partitions at both the Hardware RAID and OS level for each of the following: Additional Page File, AD Database (NTDit), AD Logs, Print spoolers, File Server Shares, Exchange Databases, SQL Databases etc. Remember, each drive need only be big enough to hold the required data and have enough free space to perform maintenance should it be required.

All your disks should be formated in NTFS and properly labeled or named. (I like to change the drive letter of the CD-ROM so that all my disks are lettered sequentially, its up to you if you want to do that or not.

The O.S. Installation

There is not really much to say here, except the more attention you pay to "fixing" the small things during setup, such as time, keyboard, locale, etc the less time you spend configuring these later.

Once setup is complete, it is always a good practice to apply all service packs and patches you have available, then install and update anti virus software and finally connect to the internet and check windows update for any new patches/updates which may be available before installing any additional services, or reconfiguring the server.

With all updates / patches and service packs applied and anti-virus running on your server, you may now begin setting it up. Start with creating the additional disk partitions which you need, then additional page files and move onto installing any services which are going to be required by the server to perform its function on the network. Finally install A/D or Join the Domain and install the application software or publish the services its offering.

Its about time

Johan Dreyer — Wed, 07 Feb 2007 10:29:00 GMT

Wow, I been busy the last week or two. And it just doesnt seem like there will be an end to it at the moment.

Well the good news is I took a break last weekend and headed down to Abu Dhabi with some friends to check out the Formula1 festival they were holding there before they announced that F1 would be coming to Abu Dhabi in 2009! Now thats cool stuff, I cannot wait for it to happen!!

Back at work I just been playing with a few servers, the usual thing really, just lots of it so I have not been in any frame of mind to write up technical posts, but I do have to work on some Exchange 2007 training / workshop matarial soon so am thinking my next posts will be along those lines.

Hope you all have a great day!

Your Network's YellowPages - DNS

Johan Dreyer — Thu, 01 Feb 2007 04:47:00 GMT

My job requires me to spend most of my time moving around Dubai, meeting clients, proposing solutions to their problems or just simply fixing their servers when all has gone pair shaped. Naturally, having only lived here for 9 months of the year I still manage to get lost quite often and most times have no idea where the next client’s office is, what their numbers are etc so I have to rely on other sources for this information.

Luckily for me, we have an online yellow pages directory which is pretty comprehensive and has saved me many a day. We also have a dial in service where we can call in and request the number for a certain company or individual then call them up and ask for directions, again, a well used service.

Of course, without these services there would be other ways for me to obtain the information, but it would require a lot more time and effort on my part resulting in a loss of productivity, not only for myself but for those significant others around me I would constantly be bombarding for details.

In a sense, this is what a DNS server is to your network or the internet, an online directory which maps names and services to addresses.

Let me explain in a little more detail, say for example, I am trying to call Microsoft Licensing, but don’t have their number. The first thing I do is consult my online directory, be it the yellow pages if I have an internet access or the dial in service if I don’t. I give them the name of the company I wish to contact and they look it up in their database then get back to me with the correct contact number (or sometimes not). Armed with the number I can then contact Microsoft myself and have the conversation I need to with them.

DNS does precisely this for computers and networks. When you open internet explorer and try to connect to www.google.com, what actually happens is the following:

1. Your computer asks its DNS server what the IP Address for www.google.com is

2. The DNS server checks its local database for an answer and sends it back to your computer

3. Your computer then contacts www.google.com directly on the IP Address it was given by DNS and retrieves the relevant information to display to you.

The same process takes place to deliver your email. You send the message to the email server, the email server queries DNS for a Mail Exchanger (MX) Record for the domain to which you are sending, and once it has received the IP Address for the remote domain, it sends the email to the recipients server.

As in the above examples, there are many services out there which are published using DNS for example: Active Directory Services, SIP services (instant messenger servers) and web servers amongst others.

A DNS server basically consists or 2 types of Zone, a Forward Lookup Zone and a Reverse Lookup Zone.

A Forward Lookup Zone is used to store all information relevant to a particular domain based on that domain name, i.e. all information for the SortedIT.net domain is stored in the corresponding forward lookup zone of the authoritative DNS Servers. The only requirement for records to exist in this zone is that they have the FQDN attached to the end of them, e.g. blog.sortedit.net. The IP address of the host server for the forward lookup record can be anything.

Essentially, what a forward lookup zone does is map a user friendly FQDN to the IP address of a server, e.g. blog.sortedit.net = 64.202.189.158. The forward lookup zone for SortedIT.net will hold all the records for the servers and services which are hosted by my domain regardless of the IP address of the server on which they are hosted. Forward lookup zones CANNOT hold records for other domains, as in, I cannot create a record for mail.sorted.co.zw in the sortedit.net forward lookup zone.

The Reverse Lookup Zone, is exactly the opposite of the Forward Lookup Zone, it maps IP addresses to host names. Reverse Lookup Zones are bound to specific IP Subnets and can only host records for the IP addresses which belong to that subnet. In this case, if both blog.sortedit.net and mail.sorted.co.zw had IP addresses from the same subnet, e.g. 64.202.189.x then the pointer records for both domains can be created in the same Reverse Lookup Zone regardless of each servers domain membership.

Exchange 2007 Certification - Introduction to

Johan Dreyer — Wed, 31 Jan 2007 08:40:00 GMT

Really it will be an interesting meeting, Trika just posted an announcement about Live Meeting to Introduce Exchange 2007 Certifications

Rob Linsky (he's Microsoft Learning's cert product manager, you've probably heard him speak at an event or one of our other meetings...) will talk about the new exams, associated training, and implications for people planning to work with Exchange 2007 or who hold an MCSA: Messaging or MCSE: Messaging certification. As usual, we'll have 2 meetings with the same content to make it easier for people to attend worldwide and ask questions.

Register for February 15, 2007, 7:30 AM PST (What time is this in my region?)
Register for February 15, 2007, 5-00 PM PST (What time is this in my region?).

I achieve White Belt - Exchange 2007 (E12) Chain Reaction Readiness

Johan Dreyer — Wed, 31 Jan 2007 04:48:00 GMT

Microsoft here in the gulf came up with a program to improve awareness of and readiness for the deployment of E12 in the Region, it is the first program of its type to run here, therefore in Pilot phase and not part of MOC and therefore not associated with any certifications at this time.

So whats the point you may ask? Well the benefits are two fold:

1. Knowledge, Awareness & Readiness: Where most of the systems engineers out there are learning about E12 from trial & error, reading blogs, technical docs and all that we get the opportunity to have the inner workings explained to us by one of the Microsoft Messaging Rangers here in the gulf- thereby giving the delegates an edge on inside info.

2. MVP status: Since the requirements of the program are: successful completion & passing each workshop assessment, redelivery of each workshop to an audience of the MS Subsidiary's choice and Completion on at least one full sales cycle (pre-sales, RFQ, design, implementation and finally sign off) Microsoft have decided that those who are able to complete and pass all modules of the program and the post requisites with MVP status.

Now the catch is that the program was only opened to a select few of Microsoft Gulf's Partners and each Partner was only permitted to have 2 delegates attend. I fortunately was selected to be one of the delegates representing Seven Seas.

The way they have worked the program is that it is split into 4 workshops which are graded according to the karate belts as follows:

White Belt: Full Technical Overview of E12
Green Belt: Migration, Coexistance & Routing
Brown Belt: Unified Messaging
Black Belt: High Availability & Design

Each delegate is graded by the instructor according to the following criteria and only those individuals who exceed the minimal expectations of the trainer get to progress onto the next level:

1. Pre-Test, a written pre-test is taken by all delegates before the commencement of the workshop to assess knowledge level (weighted 40% of final score)
2. Lab and workshop attendance assessment, this is an assessment of random labs during the course of the workshop, interaction with other delegates and in the workshop and teamwork displayed (weighted 20% of final score)
3. Post-Test / Interview, time permitting delegates are required to complete either a post test or interview with a Microsoft Ranger or both and are scored accordingly (weighted 40% of final score)

The over all pass mark to advance to the next level of the program is set at between 70 and 80% with the selection of attendees for the next level being decided upon by the average score of all delegates. So although you may be invited back to attend the next workshop, you will only be able to advance in the belts if you scored above the required pass mark. Seems fair enough right?

Well I managed to, by the skin of my teeth, score above the required pass mark and am eligible to move onto the next level - I am exceedingly please about this since out of a total of 30 attending professionals, I am one of only 4 who managed to meet the requirements.

I personally think that is a pretty good achievement, at least good enough to share with everyone out there!

The Beginning – Sizing, scaling, costing & selecting the server/s for your Environment

Johan Dreyer — Sun, 28 Jan 2007 07:50:00 GMT

Whether you are looking at setting up a new network or adding a new server to an existing infrastructure, the process of sizing, scaling, costing and finally purchasing a new server can be pretty daunting.

The role a server will play in your networking environment greatly affects the specifications of the hardware involved. Of course, the hardware configuration of the server will have a direct impact on the cost too. It is not uncommon to make a compromise between cost and functionality in this day and age, but what you need to ask yourself is whether you are making an informed compromise or just simple cost cutting? The one can provide you with an effective solution where the other can land you in serious trouble.

I cannot count the number of times I have walked into a client’s site to solve some problem only to arrive there and not be able to help since their hardware is under specked and over loaded. In this scenario, my only recommendation can be to purchase additional hardware, which in most cases is just not on the cards so they have to live with what they got and work the cost into their next budget, and in the mean time put up with unhappy end users.

Now some good planning on your part, as the IT Manager, Administrator or Service Provider can avoid these kinds of complications, increase the value to the client and ultimately lower the total cost of ownership.

So what are should we consider when purchasing a new server?

1. The role of the server: Different server roles have different hardware requirements. Database servers for example place an emphasis on Disk IOPS (input/output per second) where Web Servers prefer more Processing power. Multiple roles may require a combination of multiple requirements, its up to you to decide the roles and stick to your decision once there.

2. Availability: Some servers are considered more critical in terms of workflow operations on a daily basis where other server roles tend to be redundant in one way or another, Email servers, for example are usually considered mission critical where Domain Controllers are normally installed in pairs or more, making them redundant. The company would continue to function should one of your domain controllers crash, but should one of your exchange servers crash, all the user’s with mailboxes on that server would be unable to send / receive mail until you have recovered from the disaster.

3. Redundancy: Redundant power supplies are a must for every server today, redundant hard disks a definite consideration, the level depends on the role of the server and data stored on the array, for DC’s the norm is 2 disks in Raid 1 or Raid 1+0 (Raid10), for exchange servers the recommendation is system files & Logs on Raid 1 or 1+0 and information stores or databases on Raid 5 for higher reliability and performance (Disk IOPS)

4. Scalability / Expansion: It is the nature of networks to grow, software to be upgraded, etc. The average lifecycle of a server is 5-10 years, you need to take into consideration paths and methods to deal with the projected changes over through out the lifetime of the server, this should include upgrades & purchasing of additional servers & licenses.

5. Backup: Backup and Restore plays is a major part of any network and you should plan accordingly from the start. Ask yourself how much information from each server needs to be backed up, what is the acceptable time frame for the backup to run, what is the acceptable time frame for a recovery / restore process, what are your licensing requirements and finally whether a network backup or local backup should be performed to meet these objectives.

6. After Sales Service and Support: The after sales service and support is a huge factor in the availability and functionality of your server, so always consider such things as “is the hardware locally supported”, “what is included in the warranty”, “is there a Service Level Agreement available and what benefits does it have”, “in the event of hardware failure, how quickly can I obtain a replacement part, either from the supplier or another independent vendor”. These are important questions since some suppliers will sell you hardware and claim support for it then in 6 months time when the system board fails, you get told they need to order one and it can take up to 6 weeks to deliver.

7. Cost: Finally you should consider cost, I have left this till last because in my opinion when it comes to deciding on your infrastructure this should be the last thing on your mind. Yes, it is a deciding factor, but just as important is the question of how cutting cost will effect the availability and performance of your systems overall. A compromise between functionality and cost is always required but rather than placing emphasis on cost, one should place emphasis on availability and functionality, at the end of the day, the server hosts the business applications, without its services (or if it underperforms) most companies become severely crippled or in some cases unable to function at all and someone’s going to pay, are you going to let that someone be you?

Sales people will always overwhelm you with quotations, proposals and recommendations, and persistently harass you for that order. The main thing to always bear in mind is that most sales people are just that, sales people, and are not trained or geared up to correctly spec the server to suit your specific needs. As such, the onus falls on you to research your requirements and then veto the quotation.

There are various tools out there on the web which will help you scale your servers for particular applications and roles, my advice here, find them & use them, it WILL save your bacon in the near future.

Remote Assistance, The GTALK way - The Pai, Atlanta, Georgia

Johan Dreyer — Sun, 28 Jan 2007 02:31:00 GMT

I was online checking out the Microsoft Technet Forums a couple of days ago, when I came across a post from someone who was asking how to install, configure and setup Exchange. I responded to the post with the information I had at hand.

Turns out that his problems weren't as simple as setting up a fresh domain and he really needed some help fix the existing infrastructure first, so we decided to collaborate using email, googletalk, LogMeIn, and various other google services to share information and collaborate.

The Pais then took a huge risk... Since I needed to know what I was dealing with to help him, I needed to have a look at the server myself. This is a tricky thing when you dealing with a complete stranger who you met on the internet and has offered his services, at no cost too. A few precautions were taken and using LogMeIn, I was able to access the server in Atlanta and do a quick 5 min assessment of the situation.

Since it was the Pai's system and he seemed interested in learning something, I insisted that he do the actual work and I would simply guide him. Unfortunately, with LogMeIn, only one user is allowed to be logged into the server from a remote station so we had to improvise and I had to come out of the server.

It turns out the person who had setup the server originally did not know much about Windows 2003 A/D Domains and their reliance on DNS to function so first things first, we had to configure his internal DNS. Luckily, I use a Microsoft Virtual Server at home as a lab environment and was able to use this to find the exact screens and locations I needed to tell him to change on his server in Atlanta.

At this point we moved to using Google Talk, to chat in realtime, passing questions and instructions between one another, Email, passing screenshots between one another to confirm correct settings in correct locations, The Pai also suggested using Google Doc's to share documents and information relevant to the exercises we were performing.

Thanks to the time zone differences, me being in Dubai and Pai being in Atlanta, we were only able to collaborate for short periods, 4 hours at the most, once a day. Not to mention I hold a day job as a systems admin this side and since I was helping Pai on the side as a personal favor I obviously couldn't let it cut into my working day.

Turns out, after almost a week of remote support, we finally managed to get everything sorted out, Exchange installed and configured, mail routing both internally and externally and implemented some best practices for maintaining his exchange environment.

A true success for the both of us and proof that remote assistance does pay off! Props to Pai for his patience, excellent will to learn and most of all for not being too scared to play with the configs of his server. Big Up Buddy!

This brings about more concrete to the theme of the SortedIT.net resources, I want to share with everyone, the information they require to troubleshoot, diagnose, implement and support their networks using Microsoft technologies - because there is so much information out there and yet no 1 definitive resource.

Thanks for reading this, I look forward to your continuous support - keep checking back with us, or subscribe to the RSS/Atom feeds. New posts coming soon.

Who am I, What is this?

Johan Dreyer — Fri, 26 Jan 2007 06:22:00 GMT

You know, some people seem to find it so easy to talk about themselves. I don't, I never know what to say or how to say it without sounding too vain, to be honest, talking about myself sounds vain to me so it just makes it so much harder.

Anyway, So who am I? well my name is Johan Dreyer and I am a systems engineer working in Dubai for one of the larger solution providers in the country - Seven Seas Computers. I have been working in the Microsoft Support / Solution Provider field for about 7 years now, concentrating on design, implementation and support MS Windows server and Exchange server systems.

So what's this all about then?

Well in my time of working in the field, I have been lucky enough to learn a few things here and there about how to deploy and maintain the environments I support. I have also been lucky enough to work with a great many people who work in the same field and somehow, never seem to have the level of knowledge required to complete the task at hand both correctly and professionally.

The point of this blog, the website I'm working on and any future developments stemming from the SortedIT.net domain will be aimed at easily making some basic knowledge available to everyone out there so they could better understand the concepts, technology and systems they are working with.

The way I see it, this will reduce the amount of work load on me, increase the productivity of other's and keep the customer happy since having their systems deployed correctly from the start translates to less problems and minimized downtime in the future - its a win, win situation out there in the end.

Now I want everyone out there to know, I do not consider myself an expert on the topics covered on this blog, simply knowledgeable, I am not MCSE certified, and have never been, but hopefully will get around to completing it this year just for kicks.

I am simply an engineer who has worked extensively with the technologies I cover, done more than 500 MS Windows and Exchange server deployments in my time and gained some knowledge through that which I now wish to share.

My plan is to sugar coat all the lessons I have to pass on with analogies which relate to our everyday life and in doing so make it more fun, less technical and easier to understand.

Finally, I am only human and as such, could just possibly have the wrong information or make mistakes at times. If you feel any of the information presented on this site to be incorrect, or better yet, have an easier analogy for something I'm trying to explain, please feel free to correct me/give me feed back on your thoughts. I may just ignore it, I may just use it (props to you), or I may just flaunt it about to make fun of you - just remember, no question is a bad question, no correction is bad correction, no comments are bad comments. We are all here to learn, after all its the point of sharing information with one another.

Oh yeah, one last thing - those who choose to knock me about spelling and grammar - BEWARE! I quite frankly dont have the time, patience nor concern for these things and if just 60% of the world can understand what I am trying to say then why should I care about you?