Archive for the ‘Sysadmining’ Category

The iPhone Earthquake

Thursday, March 6th, 2008

Once again, the iPhone rules the press with a heavy dollop of enticing news.

There’s a lot here on the surface and a lot below the surface. Let’s scratch the surface first.

The announcements about Apple licensing ActiveSync are interesting. There was lots of speculation in this regard and greetz to those who called it. I myself lost a bet. I was thinking that Apple might actually thumb their nose at ActiveSync and employ webdav for Exchange 2003 (much like Entourage) or web services for Exchange 2007. Of course, that would not be a quick route to policy controls on the device itself (i.e. remote kill), so ActiveSync makes the most business sense both in time and money. It’s a good investment. I was just hoping they wouldn’t just… well, because.

But they did. Let’s analyze what this brings:

- Sync with email (effectively push email, but it’s not TRULY push email… ActiveSync, even on Windows Mobile, IS NOT PUSH EMAIL. It just appears that way).

- Sync with contacts

- Sync with calendars

- NOTICEABLY ABSENT: sync with tasks

- Policy control over device. The You Had Me At EHLO blog states that this is about at the Exchange 2003 SP2 level of device control, which means it’s not as feature rich as the Blackberry, but a good starting point.

Other items of note for enterprises:

- Cisco IPSEC and VPN clients

- Two-factor authentication

What’s missing? Well, you saw me point out that task syncing is missing… Merlin Mann is likely pissing himself right about now over that. But I noticed today that there were no federal government folks present and… here’s the bad news for those federal workers… Jobs never mentioned encryption of data at rest. Thanks to an OMB directive, encryption of data at rest is a requirement for a mobile device on a federal government network. Guess what device is the only one to meet that requirement?

If you’re thinking of a berry in the color of night, you’d be right.

You’d also be right if you’re thinking of the next version of Windows Mobile… 6.1, I believe they call it. Last I remember, that also had encryption of data at rest.

So unfortunately, this may leave the iPhone out of the federal government networks for a little while longer. Perhaps it’s an oversight that it wasn’t mentioned - but I’m betting that it was left out deliberately.

All in all, I wasn’t crazy about the iPhone before but I certainly am now. The fact that they’ve really turned it into a platform with an ecosystem makes this very, very exciting. One of the challenges of the OS X platform was the lack of an ecosystem. Now with OS X advances, the freely-available Xcode and now the freely-available iPhone SDK, Apple stands to really rock the world with an ecosystem that could quickly rival Microsoft.

To make sure they’re shaking things up, there’s that iFund thing. What a fantastic idea. Folks, when was the last time Microsoft paid you to develop applications for their platform? If you want to get into the Microsoft developmental mafia, you’re likely looking at an MSDN subscription ($2500 or so the first year, $1500 each year afterwards… PER SEAT!)… you’re looking at heavy software licensing costs and hell, they don’t even distribute the application or updates for you.

Apple is not only making the price of entry into their ecosystem dirt cheap ($99), the development software is free and they will distribute your applications/updates. Folks, this is a hell of a deal and I’m betting there are small businesses and garage developers everywhere getting excited about this.

I really, really think Microsoft is in trouble on many fronts. It’s going to be hard to stop this kind of excitement. I don’t even intend to develop apps for the iPhone or the Mac and I’m excited.

Truly, there was an earthquake today in California. It may have been a subtle earthquake for some, but I felt it quite strong here on the other side of the states. I’m excited about computing again - and that’s something to cheer about.


Winmail.dat hides in your autocomplete

Saturday, January 12th, 2008

Here’s one of those technical blog posts that I’ve been meaning to post for a while now, but did not have the chance to do. Since I’m sitting here in the Baltimore airport next to a German-looking girl with extremely long hair, I’ve decided to work on the blog post so I do not appear to be admiring her hair.

On one of my visits to a NASA center, I was asked to look at a desktop situation that had really, really puzzled the local desktop techs. They had migrated the user to our mail system from the legacy system. The profile had been converted over to the new mail system, rather than a full wipe and reload of Outlook settings and whatnot (like we recommend).

The problem was that no matter what she did, the user’s messages went out to certain people using the infamous Outlook rich-text format. This was producing winmail.dat attachments and was giving our mail system a really bad name. User perception is another issue… another day, another blog post.

Anyway, go read this if you don’t know what I’m talking about. This article describes the TNEF attachment situation and what to do about it.

Mainly, to stop winmail.dat attachments coming out of your Outlook users, you’re told to do the following:

  • Check Tools/Options/Email Format is not set to use Outlook rich-text (use HTML or plain text).
  • Check the contact entry for the receiver in your Contacts folder. Make sure they are not set to receive rich-text from you only.
  • Check your Exchange system mail paths to make sure that there are no conversions taking place at the server level.

Even after checking all of this information, this user was still sending winmail.dat attachments to certain users. It was incredibly annoying. I asked her to demonstrate how she picks the user from the list to send a message. I noticed that she uses the autocomplete feature. She types the first few letters of the person’s name, then arrows down and hits enter to choose the autocomplete entry. After sending the message, the receiver still receives a winmail.dat.

I took over the keyboard and started over by typing the name, then I arrowed down and hit DEL to delete the autocomplete entry. I then had her choose the recipient from the GAL again on the next message, which recached the entry from the GAL.

Surprise… no winmail.dat.

That’s right folks - if you’ve been all over hell and high water looking for what is setting your messages to send a winmail.dat, try removing the autocomplete entry. It appears the autocomplete entry stores this preference.
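A quick way to confirm that a fix like the one above actually took is to inspect what arrives on the receiving side. The following Python script is an added example, not code from the original post: it walks a raw RFC 822 message with the standard library `email` module and flags any part that carries the TNEF content type, the `winmail.dat` filename, or the TNEF stream signature (the 32-bit value 0x223E9F78 that opens every TNEF blob). The sample messages it builds are constructed here for the demonstration; the TNEF payload is just the signature plus padding.

```python
import email
from email import policy
from email.message import EmailMessage

# Every TNEF stream begins with the little-endian 32-bit signature 0x223E9F78.
TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"


def tnef_parts(raw: bytes):
    """Return one (reasons, payload_size) tuple for each MIME part that looks like TNEF."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ctype == "application/ms-tnef":
            reasons.append("content-type application/ms-tnef")
        if fname == "winmail.dat":
            reasons.append("filename winmail.dat")
        if payload[:4] == TNEF_SIGNATURE:
            reasons.append("TNEF signature 0x223E9F78")
        if reasons:
            found.append((", ".join(reasons), len(payload)))
    return found


def scan_file(path: str):
    """Convenience wrapper: scan a saved .eml file from disk."""
    with open(path, "rb") as fh:
        return tnef_parts(fh.read())


def build_sample(with_tnef: bool) -> bytes:
    """Construct a sample message for the demo (constructed data, not a captured message).
    With with_tnef=True a fake winmail.dat is attached: signature followed by 60 zero bytes."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes attached.\n")
    if with_tnef:
        fake_tnef = TNEF_SIGNATURE + b"\x00" * 60
        msg.add_attachment(fake_tnef, maintype="application",
                           subtype="ms-tnef", filename="winmail.dat")
    return bytes(msg)


if __name__ == "__main__":
    for label, flag in (("plain message", False), ("rich-text message", True)):
        hits = tnef_parts(build_sample(flag))
        print(f"{label}: {'no TNEF' if not hits else hits}")
```

Run it against a message saved from the recipient's mailbox (`scan_file("message.eml")`) before and after deleting the autocomplete entry; an empty result means the rich-text preference is gone for that recipient.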

Of course, I don’t recall Microsoft mentioning that fact. They probably don’t even know.

Data Center Creature Slain by Caution Sign

Wednesday, October 17th, 2007

HUNTSVILLE, AL: A creature formed by excess cable in a data center has been slain by an intrepid systems administrator armed with a caution sign.

The creature, which formed after floor tiles were opened for the first time in 7 years, spoke to the systems administrators working in the area and taunted them with “trash talk.”

“It told me I couldn’t network my way out of a paper bag,” said Mortimer Franklin, a Windows 2003 systems administrator. “That really upset me, because I was right in the middle of following the wizard to install Exchange 2003. I know how to follow directions, so its claims just weren’t true.” Mr. Franklin was so offended by the taunting of the creature that he put down the clipboard containing instructions on how to do his job and informed security.

Security was on site within the hour, but the creature managed to swallow one of the guards before he could unlatch his gun. The other administrators began to take matters into their own hands while the creature allegedly continued to act superior by informing everyone that it contained cables that were hooked up to far more advanced Linux, UNIX and VAX servers.

[Image: Data Center Creature.jpg]

The corpse of the creature was cordoned off by cautionary road cones to preserve evidence. No sign of the security guard was found beneath this pile, leaving many to speculate on his fate.

“If you can’t click on it, you can’t run it!” the creature was chanting, according to other eyewitnesses.

It took the bravery of Lyle Crambit, the data center facility manager and Harold Harkins. Lyle managed to find the weapon and as the creature threatened to mount another attack, tossed it ten feet to Mr. Harkins. It was Mr. Harkins who landed the fatal blow.

When asked how he made such an accurate throw to Mr. Harkins, Crambit stated, “Sometimes I gotta throw my scattergun to Mrs. Crambit when she sees baby coons out in her garden. She cock that thing and BAM!”

“It was a lucky shot,” Harold Harkins said of his heroic death blow. “I mean, I’ve run lots of power, cat 5, cat 6 and fiber… but honestly, who knew there was this much cable under the floor and it was that pissed off?”

The Continuing Debacles of Microsoft

Monday, October 15th, 2007

I was one of the engineers on the call documented here from last weekend. This was the Friday night from hell.

I won’t rehash the technical details of what happened. If you want to know the tech piece of it, head to the link. There’s no need to restate it - besides, it would bring back memories that might cause me to draw my own blood and scrawl nasty proverbs on the wall.

Needless to say, we learned a lot about 2007 that night, which will be good for the time that we run into this issue in production (because we will - and so will you). However, there is that feeling once again that someone shipped Exchange 2007 far too early.

There’s another conference call about this very subject tomorrow night that should prove to be interesting and enlightening. Here’s to hoping that Microsoft is listening to my coworker there (because they sure as hell don’t read my blog, I know that). My coworker tends to get a little emotional about things like this, but given how much of his life he has sunk into supporting Microsoft, perhaps he has license to feel this way. I certainly feel as though I have some license to register complaints as well.

Look, in the past it was always known that products would ship first and patch later, but at least the software was usable in some form or fashion. I wouldn’t even call Vista or Exchange 2007 usable in the “can be used” sense of the word. This type of product mismanagement is going to get to the core of Microsoft and, coupled with running them in circles, may continue to be their undoing.

Even Bill Gates knows Microsoft can’t be around forever and one day will be unseated.

But ya know, enough about tech. I’m feeling the urge to do some artsy stuff. I really am. I hope to share more of that with you soon. I’m doing my best to find myself there… where I left myself years ago… on that street corner by the garage, under the coffee sign, with a cigarette that makes my trenchcoat smell quite bad. I’m there and waiting to come and visit you again. I have things to share.

I have a lot of digging to do first.

Mary Jo Foley is an idiot

Tuesday, June 26th, 2007

Proving that Mary Jo Foley knows absolutely nothing about what she’s writing, she claims to have “inside information” that Apple will announce it has licensed Exchange ActiveSync so they can hook up to Exchange servers.

Article is here: http://blogs.zdnet.com/microsoft/?p=534

Why do I say she’s an idiot?

Anyone who’s been paying attention knows that the iPhone already does POP or IMAP and Exchange supports this out of the box. Granted, it doesn’t support it well (that’s a story for another day kids), but it supports it. So, sorry Mr. IT Manager… come Friday, you will have those big boss cheeseheads scrambling to get their email from your Exchange server; security be damned.

Now, if you’re looking to also support server-side calendars/tasks and whatever other crap your company is slinging around in Exchange, that’s fine. ActiveSync is probably going to have to happen for you.

I would also say that there’s a bit more work that needs to go into supporting Exchange ActiveSync on OS X/iPhone - it’s not going to be a cut-and-dried implementation like another phone provider who licenses say… oh I dunno… WINDOWS MOBILE.

So with all of that in mind, this is a little sensationalist and at the moment, I’m not really buying it. We know Mary Jo Foley is just oozing with truth, so I’ll sit and wait for it to happen.

I almost hope I’m wrong.

An Exchange admin’s opinion: Apple is coming for Microsoft’s pie

Friday, June 15th, 2007

Greetings again from WWDC 2007.

Those of you who know me know that I’ve made my living thus far as a Windows admin. I’ve always had a particular bent toward messaging technologies and I do have certifications in the Microsoft space to prove that I can architect these solutions.

The project I am working on now has made me take a second and more objective look at Exchange server. For a long time, I’ve heard Microsoft trainers and other folks complain bitterly about Microsoft Exchange. Most of the complaints started around Exchange 2000, when Exchange merged in with Active Directory. The complaints get worse as the enterprise grows. Exchange 2003 has some real issues with clustering and large deployments. I’m hoping many of these issues are resolved in Exchange 2007, but as I’ve not had the chance to dive into that just yet I cannot speak for any improvements.

It may be fitting that my disgruntlement was on the plane with me (sitting beside me, whispering sweet nothings in my ear) on my way to WWDC 2007. I’m not a Mac developer, I’m an IT implementor with dreams of getting back into media production, theatrics, etc. Attending these sessions has interested me greatly and taken my newfound love for the Mac to a whole new level. I can hardly wait to build my own Mac system at home to begin video production.

That being said, let’s look at the messaging space now.

Despite the WWDC sessions being under NDA, I do not feel that anything I say here will breach what has already been released to the public. As most of you know, Leopard server brings with it the ability to cluster the Mail server. You can now also add to that the iCal server, which is brand new in Leopard and considered to be a direct response to Microsoft’s groupware solutions.

Using the power of Mail server, iCal server, Open Directory, Wiki server, FreeRADIUS and other Mac technologies, I now believe it’s completely possible to run an all-Mac IT environment. Couple that with the ability to run Windows applications in three different ways and you have an environment that can literally do it all. I completely fail to see how this would not be attractive to everyone in the business.

Let’s think for a moment about Microsoft’s Small Business Server, which will be used for small businesses employing 10-50 clients on the network in most cases. Let’s take the major components of Xserve running Leopard server and do a direct software and cost comparison.

First, let’s start with software.

Microsoft Exchange Server == Leopard Mail/iCal/Open Directory
Microsoft ISA Server == Leopard proxy services via squid or other proxy components
Microsoft Active Directory == Leopard Open Directory (which can chain auth to other directories)
Microsoft Sharepoint Services == Leopard Wiki Server
Microsoft volume shadow services == Leopard Time Machine

As you can see, there are major components within Microsoft Small Business Server for which Apple now has an answer.

Combine that with the reliability record of Apple’s hardware and software and you can start to see a winning formula.

Now let’s compare costs.

I’ll put together a Microsoft Small Business Server at Dell’s website. brb while I do that.

Okie, I’m back. What do ya know… Dell is having a MONEY SAVING SPECIAL! Hooray for cheap PC parts.

I tried to piece together two systems with comparable hardware. Here’s what we ended up with on the PC side:

Dell PowerEdge SC1430
Dual-processor, dual-core Xeon 2.0ghz
2gb of RAM (note: the sale says I get a free 1gb upgrade!)
Includes Microsoft Small Business Server Premium (+5 cals)
3 x 80gb SATA II hard drives
1 Broadcom (yuck!) gigabit ethernet adapter
48x CD-ROM drive
No mouse, no monitor
+45 CALs for Small Business Server Premium

Total: $5,147 USD

Now let’s look at the Xserve plus Mac OS X Server:

2x dual-core Xeon processors, 2.0ghz
2gb RAM
3×80gb SATA ADM hard drives
24x DVD/CD-ROM drive
Built-in ATI X1300 video
Dual 650w power supply
Apple Remote Desktop 3 - unlimited license
Applecare premium support for 3 years

Total: $5,344

Note: Every Apple Xserve includes the current version of Mac OS X Server with unlimited clients for free.

Now then, as you can see, two like-configured servers cost pretty much the same for hardware and software with one important exception. You’re limited on the Windows server to 50 clients. With this configuration of an Xserve, you’re not limited at all.

Also, I should point out that Small Business Server has an important restriction that prevents you from growing the business beyond this one server as a domain controller. You can add other servers doing other roles, but you cannot add a second domain controller. Or, if your business grows beyond 50 employees and you need to have domain controller redundancy, you’ll be hard-pressed to take your domain to the next level thanks to this restriction.

With an Apple Xserve, it’s as simple as adding another server when this one gets too overloaded.

It’s clear to me that Apple is making a slow, yet aggressive move into the small business space. One could also easily picture this development standing up to a larger enterprise, as it certainly scales to that large. The feature sets being introduced in Leopard server make this even more compelling. At this point, small businesses might be totally insane to not consider a full Apple infrastructure.

For more information on the iCal server and its features on Leopard, see this URL. I’ve seen these features in action and I can tell you - the notifications and free/busy information are just plain cool. It’s simple, clean and well implemented.

Kudos to Apple. I’m behind you, hoping to see you compete in this space even better.

A note about Evolution and Exchange 2007

Thursday, June 14th, 2007

I spoke with a developer here at WWDC who is deploying Exchange 2007. He said that the Linux/UNIX folks on Evolution are finding it impossible to use due to some kind of webdav issues introduced with Exchange 2007.

I’ve not yet had a chance to test/play with this to look into it deeper. I will get a chance to do so next month. However, as I said before, Exchange 2007 introduced web services for working with your mail and that’s where Evolution needs to go. Webdav is officially deprecated in 2007 and will be completely absent from the next Exchange server. Evolution needs to uhh… evolve.

Maybe 2007 SP1 will fix some of the webdav issues in the meantime.

Migrating to an alternative

Sunday, May 6th, 2007

That’s a loss for Microsoft - OSS Ramblings

Congratulations to Tony, who has succeeded in migrating his company off of Microsoft Exchange and onto an open source replacement. Check out his blog to see how it was pulled off.

Granted, they probably aren’t using shared calendaring much - but still, an interesting project for any small business out there.

Delegation game and the ghost of your SID

Monday, April 9th, 2007

Hands off the delegates tab

So, in the last entry I mentioned that a lot of people use the delegation feature in Exchange when their workflow and business processes could benefit from the use of sharing permissions instead. Why would it be useful for you to implement this workaround? Let’s clarify a little bit.

Many companies today are finding the RPC over HTTPs (a.k.a. Outlook Anywhere in 2007) scenario to be quite an interesting deployment method. I’m here to tell you, battle scarred and worn… I’ve deployed RPC over HTTPs as the primary topology for an Exchange environment. We’re talking 80% of the population. It presents some unique challenges, but we won’t go into all of those here and now. Ask me later sometime about non-paged pool memory and I’ll share horror stories with you.

As of Exchange 2003 SP2, Microsoft made one of their famous changes in how things operate within Exchange. Apparently, a complaint from customers resulted in the correction of a “security issue.” The issue at hand was that if you were to pull up the “Connection Status” window in Outlook 2003 or 2007, you would see the names of global catalog servers listed for your directory connections. (Ref: to open Connection Status, ctrl-right-click on the Outlook icon in your systray and choose “Connection Status.” The Directory connections are what I’m referring to). In Exchange 2003 SP2, the global catalog references are now handled by the backend servers. Your requests are proxied by those backend mailbox servers on your behalf, therefore you will see your backend mailbox server listed as your Directory server.

If you’re fortunate enough to have an Outlook client on the same basic network as your servers and you can use straight-up MAPI, this doesn’t pose much of a problem to you. However, you should still see below about the hidden delegates limitations.

In an RPC over HTTPS deployment scenario, let’s take an example architecture and consider how your client connections are processed:

client (port 443 connection) –> ISA Server –> Front-end server –> Backend server (proxy request) –> global catalog DC

This means for each directory request, your transaction passes through three servers before reaching the 4th server to be processed. The request is then routed back through that same chain. As you can see, there’s a lot that can happen there.

Now then. Let’s say you have a shared resource calendar that 30 people use as part of a standard process. It could be a conference room, whatever. Let’s say that you decide that all 30 of these people need access to the calendar as a delegate. We won’t talk about whatever silly decisions you made to get you to this conclusion, we’ll just talk about what happens.

You open your Outlook client, log into the resource mailbox, and open Tools/Options/Delegates tab and begin to add your 30 delegates.

Notice that as you start to add delegates, things start to slow down around the 10th or 15th delegate or so. Open your connection status window and note that your Directory queries are running unusually high. Keep adding those delegates and keep watching your client slow to a crawl - but watch those directory queries go into the thousands.

If you’re lucky enough to get to punch the OK button to save your changes, you’re likely going to be sitting there for another 30-45 minutes. If you’re in a resource forest setup, you could be waiting up to an hour or 90 minutes or so. No, I’m not kidding. It will take that long to process your delegates changes.

Now let’s remember, I did say that if you’re lucky enough to have a direct MAPI connection to your Exchange environment, chances are this isn’t going to happen to you. You will, however, run into the unwritten limitations.

So by this point, you’re probably wondering what has happened to your client. You may even perform an “end task” on Outlook… which, honestly, wouldn’t be a very good idea at this point. You really need to let the client complete, regardless of how hosed it appears. If your Outlook client ever does finish, I challenge you to open Tools/Options/Delegates tab and endure another long wait with your connection status window open. I would wager that your Directory connections spin off into the five digit thousands or so.

Alright, so now you see part of the problem. The customer has a business process that led them to want to use this feature and the feature is essentially broken for a large number of delegates. If you’re like any other sysadmin out there, you’re probably on the phone to Microsoft by now.

Here’s what you’ll be told. Microsoft has actually only tested the delegates feature with no more than 4 delegates. That’s right - 4 delegates. There you have it - an undocumented rule on how many delegates you should have - no more than 4.

It gets better. Delegates count as part of your 32kb limit per mailbox on the rules. If you add too many delegates, you may find yourself out of room to add rules to the mailbox - or vice versa.

Microsoft is going to use this as an out - because quite frankly, up until now, no one has tried to use the delegates feature the way you’re using it, etc. etc. You’re screwed. You now get to play the customer management game and convince them that right-clicking on the calendar folder and adding permissions on the Sharing tab is what they really meant to do.

But you get to convince them of that after you remove all of the delegates… and that means opening that tab and letting it sit overnight, just so you can remove the delegates.

Ghost SIDs

In a resource forest setup, it’s important to note that the identities of your users come from the trusted forests, not the forest that your Exchange organization is built in.

Oh… wait… what do you mean what’s a resource forest?

A resource forest is a Microsoft-supported method for creating a brand new Active Directory and using it to deploy services separately from your user accounts. There may be several technical or political reasons to do this - but should you result in this design decision, you need to make sure that your enterprise has several things going right for it in the process area.

In a resource forest with Exchange deployed into it, you still have user accounts - but they are disabled. They are empty “zombie” user accounts. The “soul” of the account is referenced back to the trusted userid in the trusted forest. How does one do that, you might ask? Create an account and disable it - then right-click on the account and choose “Exchange tasks.” Choose “Associate with external account” and you will do just that - associate the soul of a user with a zombie in the resource forest.

This presents some unique challenges.

When assigning permissions or delegate settings in your Exchange forest, the SID that is associated with the ACL is the SID of the user in the trusted forest, not the SID of the disabled zombie account. This means that if you assign delegates or permissions on a user and the userid is destroyed in the trusted forest, you now have a “ghost” - or more specifically, a “ghost SID.”

Take the following example:

  • Roger works at contoso.com.
  • Julie works at northwind.com
  • Both users are members of companies that were purchased by breadandbutter.com
  • breadandbutter.com’s Exchange deployment is stood up in a resource forest known as mail.breadandbutter.com
  • Roger and Julie both have disabled accounts in mail.breadandbutter.com that are externally associated to their accounts in contoso.com and northwind.com
  • Julie accesses the delegates tab and makes Roger a delegate of her mailbox. This places Roger’s contoso.com SID on her mailbox with the appropriate permissions (NOTE: NOT the mail.breadandbutter.com SID!)
  • Brenda sends an invitation to a meeting to Julie. Roger receives a copy of the invitation too because, well, he’s a delegate and things are functioning happily.
  • Roger is caught looking at pr0n and fired on the spot. His account is immediately deleted from contoso.com but is NOT deleted from mail.breadandbutter.com.
  • Brenda sends another invitation for a meeting to Julie. She receives an NDR, indicating that delivery has failed - but the NDR does not state who the failure was against!

Bing, you have a ghost SID problem. Can you tell me which step created the NDR/ghost SID issue? That’s right, class… it’s when Roger was fired for looking at pr0n. When Roger was fired and his SID was destroyed, the SID was still associated in Julie’s mailbox but no longer resolves correctly. Thus, when Brenda sent the invite, Exchange tried to “do the right thing” but it sent a copy of the invite to a ghost.

Now you might see the light with what I mentioned earlier… if you’re going to have this kind of setup, make sure your enterprise has the processes together. What should have happened is that when they deleted Roger’s contoso.com account, they should also have deleted his mail.breadandbutter.com account. Without that deletion, no one has any clue that Roger is MIA… including Exchange.

How do you resolve it? One of two ways:

1. Open Julie’s delegates settings and remove the SID listed there
2. Open Julie’s mailbox with pfdavadmin and remove the SID listed there on the calendar folder

You will see Roger’s SID instead of his name because the domain is trying to resolve Roger’s SID on the trusted domain, not the resource forest. Since the SID does not resolve, all you see is the SID itself. That indicates a problem.
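To make the mechanics concrete, here is a small Python model of the resource-forest ACL behaviour described above (the Roger/Julie walkthrough and the two-step cleanup). It is an added example, not code from the post or any Microsoft tool: the forests, account names and SIDs are constructed for the demonstration, and `resolve` stands in for the SID-to-name lookup that Exchange performs against the trusted forests. It shows why the ACE carries the trusted-forest SID rather than the zombie’s, how an unresolvable SID surfaces as a raw `S-1-5-21-…` string, how to strip those ghost entries, and what a joined-up offboarding step looks like so the ghost never appears.

```python
import re

# Windows SID syntax: S-1-<authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample directories (not real SIDs). Trusted forests hold the live accounts.
TRUSTED_FORESTS = {
    "contoso.com":   {"S-1-5-21-1111-2222-3333-1105": "roger"},
    "northwind.com": {"S-1-5-21-4444-5555-6666-1201": "julie"},
}

# Resource forest mail.breadandbutter.com: disabled "zombie" accounts, each linked to an
# external SID the way "Exchange tasks -> Associate with external account" does it.
RESOURCE_FOREST = {
    "roger": "S-1-5-21-1111-2222-3333-1105",
    "julie": "S-1-5-21-4444-5555-6666-1201",
}


def resolve(sid, trusted=TRUSTED_FORESTS):
    """Map a SID to 'forest\\user' by asking every trusted forest; None once it is gone."""
    for forest, accounts in trusted.items():
        if sid in accounts:
            return f"{forest}\\{accounts[sid]}"
    return None


def add_delegate(acl, zombie_name, rights="Editor", resource=RESOURCE_FOREST):
    """Grant rights as the Delegates tab does in a resource forest: the ACE stores the
    external (trusted-forest) SID, never the zombie account's own SID."""
    external_sid = resource[zombie_name]
    if not SID_RE.match(external_sid):
        raise ValueError(f"malformed SID: {external_sid}")
    acl.append({"sid": external_sid, "rights": rights})
    return acl


def find_ghosts(acl, resolver=resolve):
    """SIDs on the ACL that no trusted forest can resolve any more."""
    return [ace["sid"] for ace in acl if resolver(ace["sid"]) is None]


def render_acl(acl, resolver=resolve):
    """What the admin sees: a name when the SID resolves, the raw SID when it does not."""
    return [(resolver(ace["sid"]) or ace["sid"], ace["rights"]) for ace in acl]


def remove_ghosts(acl, resolver=resolve):
    """The fix from the post: drop the unresolvable entries. Returns the SIDs removed."""
    ghosts = set(find_ghosts(acl, resolver))
    acl[:] = [ace for ace in acl if ace["sid"] not in ghosts]
    return sorted(ghosts)


def offboard(user, forest, trusted=TRUSTED_FORESTS, resource=RESOURCE_FOREST, mailboxes=()):
    """The process the post asks for: delete the trusted account, the zombie, and every
    ACE carrying that SID in one step. Returns the number of ACEs removed."""
    sid = next((s for s, name in trusted[forest].items() if name == user), None)
    if sid is None:
        raise KeyError(f"{user} not found in {forest}")
    del trusted[forest][sid]
    resource.pop(user, None)
    removed = 0
    for acl in mailboxes:
        before = len(acl)
        acl[:] = [ace for ace in acl if ace["sid"] != sid]
        removed += before - len(acl)
    return removed


def walkthrough():
    """Replay the Roger/Julie scenario on private copies of the constructed directories."""
    trusted = {f: dict(a) for f, a in TRUSTED_FORESTS.items()}
    resource = dict(RESOURCE_FOREST)
    resolver = lambda sid: resolve(sid, trusted)
    julie_calendar = add_delegate([], "roger", resource=resource)
    del trusted["contoso.com"]["S-1-5-21-1111-2222-3333-1105"]  # Roger fired; zombie left behind
    seen = render_acl(julie_calendar, resolver)      # raw SID instead of a name
    ghosts = remove_ghosts(julie_calendar, resolver)  # delegates tab / pfdavadmin cleanup
    return seen, ghosts, julie_calendar


if __name__ == "__main__":
    seen, ghosts, remaining = walkthrough()
    print("admin sees:", seen)
    print("ghost SIDs removed:", ghosts)
    print("ACL afterwards:", remaining)
```

In a real environment `resolve` would be an LDAP or Win32 lookup against each trusted forest, and the ACL would come from the delegates settings or a pfdavadmin export of the calendar folder; the audit logic in `find_ghosts` and `remove_ghosts` is the same either way.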

Now then. Combine this issue with the problem of people putting 30-40 delegates on a mailbox and you have the makings for a real customer management crisis. The devil’s in the design and documentation, folks. Pay attention to what your users are doing and why. Otherwise, they could work themselves into a very confusing scenario much like this and hey, any confusing scenario equals more stress for you.

Write them a spiffy Word document that steers them clear of the delegates tab and you’ll be sitting sipping Tazo tea the rest of the afternoon. Assuming those sheep read documentation, that is. We all know what to think about that, don’t we?

Exchange delegation problems

Monday, April 9th, 2007

There’s a monster post on the Exchange blog about problems with assigning delegates and/or updating distribution list memberships from the Outlook client.

I can say that we’ve definitely suffered from some of the goofy issues in this article. One item they do not cover is that as a general rule, you should not be assigning more than 4 delegates to your mailbox if you can help it. All too often, people use the delegation feature to work through a business process that can be solved with simple sharing permissions.

But I digress. Here’s the blog post.