This post is focused on those of you who have decided to deploy Exchange in a resource forest. You’re in for tears. While the resource forest is technically a supported deployment method for Exchange, I’m going to point out what can go wrong in your Exchange world that will keep your admins up at night.
Let’s start with the definition of a resource forest, just in case you’re not sure. The resource forest approach means that you have one Active Directory forest where your user accounts live and another Active Directory forest where your application (Exchange, in this case) lives. You have user accounts in the resource forest that are disabled and then externally associated with the users in the user forest. This, of course, requires a trust between the two forests, which you likely have anyway, right? Right.
A disabled user in the resource forest means the attribute msExchMasterAccountSID is empty. Exchange requires this value to identify and resolve the user account whenever permissions are calculated against a mailbox or a folder in a mailbox; for instance, in a delegation scenario. If your user accounts and Exchange live in the same forest, then this is set to “SELF” in Active Directory Users and Computers/Exchange Advanced/Mailbox Permissions. This writes the SID of the user account itself into the msExchMasterAccountSID attribute, and that SID is then used to identify the user. It also means that the forest is able to “track” the operations of this account: if the account is disabled or deleted, the forest knows it, so when ACLs are calculated against the msExchMasterAccountSID value, everything is hunky dory and happy.
When you have a resource forest setup and you externally associate a user from the user forest to a disabled user in the resource forest, what you’re really doing is writing the SID from the user object in the user forest to the msExchMasterAccountSID. Now, that’s the SID that will be stamped on a folder or object that gets ACL’d with your permissions… keep in mind, this is the SID from the user forest.
Now when Exchange needs to calculate the permissions, it will run across that SID and go talk to a domain controller to resolve it. The DC refers the lookup to a DC in the trusted user forest: it proxies the request over the trust to that DC and then returns with the answer. This traffic pattern can be headache-inducing all by itself, but that’s a topic for another day.
So now here’s the problem. Because these SIDs are external to the forest, the resource forest has no way of knowing whether a SID is still valid or not. In other words, if you whack a user account in the user forest, the resource forest is never notified of that SID’s destruction. You now have what I call “SID ghosting.” I’m sure there’s a term for it, but that’s the term I use around here.
Let’s look at an example.
Mary D. is a manager. She has an administrative assistant, Ken G. She assigns delegate permissions to Ken G. so he can manage the calendar. What she has really done is stamp Ken G.’s SID from the user forest on her calendar as a permission object. If you were to look at her calendar with pfdavadmin and check the permissions, you would see Ken’s access expressed as USERFOREST\KenG, not RESOURCEFOREST\KenG. This is because the SID value from Ken’s account in the user forest is stamped in his msExchMasterAccountSID attribute in the resource forest.
Now let’s pretend Ken G. was looking at pr0n one day and got busted. He’s terminated at the user forest and his account is deleted. Now the resource forest still has his account and the ACL still exists on the calendar. To preserve Ken G.’s data, his account in the resource forest is not deleted, but let’s say they shut down mail delivery by setting his mailbox quota to 0 or something.
What you have now is this: every time Mary gets a meeting invitation, she will get an automatic bounce from Ken G.’s mailbox.
From a usability perspective, this sounds crazy. If it’s happening to a top-end manager (which, let’s face it, is where this will usually happen), they’re likely to go berserk and demand that you fix it right away. When you research it, you find out that Ken G.’s SID is still stamped on Mary’s calendar. This is because the resource forest has no way of knowing that the user object in the user forest was whacked, and mail delivery is now failing because of the disabled mailbox in the resource forest.
Let’s make it worse. What if Ken G. had an assistant? What if that assistant had another assistant? What if your users created a delegation chain about twenty people deep? Well, then what might happen is Mary would get a meeting invitation and then she’d get a bounce from someone way down in the chain, perhaps someone she doesn’t even know! That one is really hair-raising.
How do you debug this? Well, as far as we’ve determined, the best you can do is open up pfdavadmin, figure out who delegated rights to whom, and follow the breadcrumb trail. If your users overuse delegation, this can be a painful exercise. They should not be adding more than 4 delegates to their mailbox under any circumstances, but that’s a talk for another day. Anything more than 4 delegates and they probably only need sharing permissions anyway, so consider using those instead.
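Before you go spelunking with pfdavadmin, you can at least find out which linked accounts are ghosted. The following PowerShell audit is an added example, not part of the original post: it lists the disabled, externally associated accounts in the resource forest and checks whether each msExchMasterAccountSID still resolves through the trust. The LDAP search base is an assumed placeholder; run it in the resource forest from a host that can reach a DC in both forests.

```powershell
# Added example, not from the original post. Run it in the RESOURCE forest
# from a host that can reach a DC in both forests over the trust.
# Assumed placeholder: the LDAP path of the resource-forest domain.
$SearchBase = "LDAP://DC=resource,DC=example"

# Disabled user objects (userAccountControl bit 2) that carry a master account
# SID: exactly the externally associated accounts the post describes.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=2)" +
          "(msExchMasterAccountSID=*))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
$searcher.Filter   = $filter
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "msExchMasterAccountSID"))

$report = foreach ($r in $searcher.FindAll()) {
    $name  = [string]$r.Properties["samaccountname"][0]
    $bytes = [byte[]]$r.Properties["msexchmasteraccountsid"][0]
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)

    if ($sid.Value -eq "S-1-5-10") {
        # S-1-5-10 is SELF, the single-forest setting the post mentions; it
        # points at the object itself, so there is nothing external to ghost.
        $status = "SELF"
    }
    else {
        try {
            # LSA lookup through the trust: the resource-forest DC proxies the
            # SID to the trusted user-forest DC, as the post describes.
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status  = "OK: $account"
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # The trusted forest answered and knows no such SID: the user-forest
            # account was deleted and this linked mailbox is a ghost.
            $status = "GHOSTED"
        }
        catch {
            # Trust or DC unreachable; not proof of deletion, so report it apart.
            $status = "UNRESOLVED: $($_.Exception.Message)"
        }
    }
    New-Object PSObject -Property @{ Account = $name; MasterSID = $sid.Value; Status = $status }
}

# Ghosted links sort first; their SIDs are the ones still stamped on folder
# ACEs, which pfdavadmin shows as USERFOREST\<name> or as a raw SID.
$report | Sort-Object Status | Format-Table Account, MasterSID, Status -AutoSize
```

The script only tells you which linked accounts are dead; the ACEs already stamped on calendars and folders still have to be found and cleaned up with pfdavadmin as described above.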
If you’re really paying attention, apply all of this knowledge to Sharepoint. Try setting permissions to your trusted user objects in the user forest.
Now think of all this (Sharepoint included) and think of the day that management decides that this just isn’t working - you need to get all applications and user objects into the same forest. Did your brain just explode? If not, you’re not paying attention. Key words are SID and msExchMasterAccountSID and Sharepoint permissions.
Run. Run screaming from the resource forest. Friends don’t let friends set this up.
Really.
Tags: Active Directory, Domain controller, File system permissions, Microsoft, Microsoft SharePoint, Sharepoint, User, Windows Server 2008
I keep reading a lot of tweets from folks that are not much more than USA fanboys preaching the goodness of the red-blooded Yanks and how China is just a bunch of commie bastards and I’m getting pretty sick of it.
First of all, that kind of talk does nothing to help peace in the world. Shut up.
Secondly, let’s examine the country of China. China is a country full of over a billion people and thousands of ethnic tribes with thousands of dialects of thousands of languages. When you have a country where people can barely communicate with one another, how do you have a democracy? You can’t really do it, that’s how. In places where democratic-style freedoms can be enjoyed, they are (a la Shanghai and Hong Kong).
As sick as it may sound, I believe this also relates to the human rights abuses and crises that we so often pinpoint. I agree that the laws are tough and unusual, but again - with a population that could absolutely turn the entire country into a complete lawless anarchy (is that redundant?), what else do you do?
Now for protesting at the Olympics. C’mon people. Is there nothing safe? Can we not have a gathering of countries without politics and harsh words? Wait for the next WTO meeting if you want a real chance to protest. Just because the world’s eyes are on you does not mean that you have the obligation to ruin the chance for forgiveness and giving peace a chance.
I’m also trying to get my head around the idea that it’s a GOOD IDEA to go to a country like this that has laws against protesting… bucking the system and trying to do things that you get away with in the USA… and then fracking whining all over the net and other communication mechanisms when you get fracking ARRESTED. Newsflash, id10ts… this is a country with laws UNLIKE OURS. If you’re IN THEIR COUNTRY, you must FOLLOW THEIR LAWS. If I ever get my head around that mentality, I’ll let you know.
Now for the darker side of things.
Yes, I agree there are human rights abuses in China, but these are largely the work of corrupt government officials. Before you try to convince me that this is a problem only in China, you need to look no further than the current fucking morons running our country to understand that government corruption is rampant even in the good ol’ US of A.
Stop and take a look at your own country before you criticize what another country is doing - and give them the chance to explain why they’re Commies to begin with. It makes sense, trust me. The human rights abuses do not, but human rights abuses are occurring here in the USA every day as well - why is China any different?
Tags: Beijing, China, Hong Kong, Human rights, Olympic Games, Olympics, People's Republic of China, United States
I see it happen every day. There’s a cast of characters out there - Leo Laporte, Chris Pirillo, Jason Calacanis, John Dvorak, Robert Scoble (whom I absolutely DESPISE because of that “I’m the man!” snapshot on his blog… makes me want to beat him with his fucking tripod)… a whole elite clique of cynical blog/journalists who bring up topics and lead folks around them.
The listeners (and I admit, I’m one of them) follow them from point A to point B every morning, midday and afternoon. It can be a link they found, a story they found, what have you. Now take these salt shakers and add the wire press (Reuters, Associated Press, etc.) and you have the flock.
I started thinking about this tonight while listening to John Dvorak’s Tech5 podcast. One regular complaint of Mr. Dvorak is the redundancy in the news business today. One story gets picked up by a wire service and it explodes all over the net with thousands of redundant postings. Add the Cynic Clique into the mix and then you’ve grabbed their listeners to comment on the stories at whatever social network has the spotlight today.
Web 2.0 and social networking are likely to fail. There is an enormous amount of time and originality being wasted here on a daily basis. I’m starting to wonder when people will move on.
I guess it should start with myself.
Tags: Blog, Chris Pirillo, Jason Calacanis, John C. Dvorak, John Dvorak, Leo Laporte, Robert Scoble, Social network, Stickam, This Week in Tech, Twitter, Web 2.0
Lawsuit says eatery to blame for 9-foot tapeworm - CNN.com
GROSS! EWW! SICK! GROSS ALERT! OMG WTF THIS IS DISGUSTING!
Fugitive mom ‘uncomfortable,’ wants out of prison - CNN.com
I don’t recall anything in my life’s teachings that says prison should be comfortable. Isn’t that why you avoid it?
Tags: CNN
The net is abuzz tonight as MobileMe users receive more notices that MobileMe still isn’t what Apple had hoped it would be, so it’s offering 60 days more for free.
Paul Thurrott has already played the part of the cynic and provided a rather insightful metaphor, but I’m going to come down on the positive side and say that MobileMe has been a wonderful experience for me. Not only has it been wonderful, it’s turned my iPhone into something I can only describe as a thing of glory.
Combining home data sync over MobileMe with work data sync over ActiveSync, all on the same device, has been absolutely wonderful. I realize, however, that the experience on Windows just isn’t that fab. That’s okie with me, though; Windows users need to be using Apple products on Apple products anyway.
Kinda like Microsoft products work best on Microsoft products. It’s just common sense.
At least I think it is.
Tags: apple, iPhone, iPhone 3G, Mac, mobile me, MobileMe, online, Paul Thurrott
Way to go you idiot bastards:
Man whose US immigration notice was sent to the wrong address is detained with untreated spinal cancer until he dies, denied access to his wife and children: “A Hong Kong computer programmer who had legally resided in the US for 15 years (since he was 17) and fathered two American children went for his final green card interview and was locked up, detained until he died of cancer that the DHS refused to treat him for. He had overstayed a visa (the DHS sent a key notice to the wrong address), and this prompted the DHS to lock him away and demand that he waive all right to immigration appeal and be immediately deported. In detention, his complaints of excruciating back pain were treated as fakery, and he was dragged around in shackles after he lost the ability to walk, taken on long, bumpy drives while officials demanded that he drop his immigration appeals. The jailers who caused his death were private contractors with fat deals with the DHS to lock up immigration detainees.
As he lay dying, his family — wife and two children, aged 1 and 3 — were denied access to him while the warden considered their request to visit.
‘Give us your poor, your tired, your huddled masses…’
(Via Boing Boing.)
As you can see, I’ve made a fairly large update to the Wordpress theme. Like it? Hate it? Tell me all about it.
I found a forum plugin for this thing too. Anyone interested in yet another forum? I doubt it.
Tom’s Hardware posts an article with a Mac Pro/PC cost comparison and what do ya know… it draws pretty much the same conclusion I posted in June of last year. (WARNING: Difference is that I did a cost comparison between a Dell PowerEdge server with Small Business Server 2003 and an XServe, which turns out to be an even greater value).
I notice Paul Thurrott isn’t rebutting the article either. I don’t consider myself part of the iCabal, but I do consider myself a member of the class of common computing sense.