Cool stuff to know

vBlock: a VMware, EMC & Cisco allience

noreply@blogger.com (My precious) — Fri, 23 Apr 2010 09:23:00 +0000

The 3 IT giants are forming a shared-equity company named Acadia which will handle the new vBlock concept.

What is vBlock?
vBlock is the name they gave to a cloud producing computing system which integrates their respective hardware and software.
so the "vBlocks" are preintegrated, preconfigured computing systems consisting of networkware from Cisco, storage/security/system management from EMC, and virtualization software from VMware.

These cloud computing systems will produce environments ranging from hundreds of VM's to more than 6000 VM's.
Of course, as always, it's the budget you are willing to spend that will size up your new vBlock environment, but you can imaging prices for the 'cheapest' vBlocks will start at 100k.

Call me crazy, but I think things could be very big. Especially since they bring (in my opinion) the best of their respective fields together: virtualisation, storage and network. This in combination with a seperate management structure but with combined resources such as technical pre-sales, consultancy, ...

So thinking of staring a cloud computing system? And not affraid of buying into "1" supplier? It's worth a look.

FCoE vs FC (vs iSCSI)

noreply@blogger.com (My precious) — Thu, 22 Apr 2010 09:32:00 +0000

A client from the company I work for is starting with a FCoE (Fibre Channel over Ethernet) project for their entire datacenter. As part of this project, the seperate fibre channel and ethernet switches will be replaced by Cisco Nexus 5000 series and the servers will be equiped with network adapter that simulate Eth and FC in one.

A quick high-level overview:

What is FCoE exactly?
FCoE transports Fibre Channel over Ethernet. It does this by replacing the FC0 and FC1 layers of the Fibre Channel stack with Ethernet headers. And since FCoE doesn't change anything to the FC transmissions, it can integration perfectly into the existing Fibre Channel networks.
So basically, SAN's can be cabled with ethernet instead of Fibre Channel, reducing complexity.

FCoE ≈ iCSCI?
NO! iSCSI runs on TCP and IP. FCoE runs directly above Ehternet in the Network layer of OSI. What does this mean? Basically it means that FCoE is not routable and therefore will not work across router IP networks.

Why FCoE?
FCoE will only be used in data centers (I guess) as an alternative cabling for the SAN environment. And it has some very clear benefits over FC:
1. reduces cabling significantly
2. it can handle very high physical I/O connections
3. a single network switch suffices
4. fewer NIC's in the servers
5. fewer hardware means power and cooling costs are reduced

Here, a big TCO calculation has preceded the project that is starting now, in which it was clear that since hardware was needing to get replaced, FCoE was the way to go.

Perhaps something to look into yourself when you are thinking of replacing old hardware?

Let's PingPing!

noreply@blogger.com (My precious) — Thu, 22 Apr 2010 07:34:00 +0000

Ever heard of PingPing yet?

Here in Belgium the mobile service providers are developing a framework for paying small amounts with your cell phone. Unfortunately, the major cell phone manufacturers (BlackBerry, HTC, Apple, Nokia, ...) aren't agreeing on a standard yet, so for now things will have to be done via a NFS tag (stricker) than you can paste on the back of your cell.

How does it work?
The NFS tag has a chip in it with your information: name, address, bank account, mobile service contract, ...
When you want to pay for something, you can have the NFS tag scanned and that's it. Nothing more. While you use what you just bought, the amount will disappear from your bank account or amount that you put on your NFS tag for this purpose. Soon, the amount can also be added to your phone bill so you pay the mobile service provider.

So what all can you?
Walk up to a vending machine and just push the button for a cola, drive in and out of a parking lot without hassling with tickets, pay for the movie theatre, pay for you lunch, ...
Leant a few bucks from a colleague yesterday? No problem, you can even transfer the amount from your PingPing account to his/hers, directly from your cell phone. Pretty cool no?

Problems?
Of course you don't see any information about problems posted somewhere, but my first thought was security. You steal/find someones phone, can't just call on their expense, you can actually start paying for stuff, since the process never requires you to enter the pin code or anything like that.
But perhaps even a bigger problem, personal control? Because let's face it, we keep our cell phones on us like our wallets nowadays.
We'll be paying for pretty much everything by just waving our cell phone, without "noticing" the rest. You can already imagine the stories you'll be reading pretty soon: "PingPing bill of +5000$, John Doe didn't realise his spendings, ..."

Still I believe people should be responsible for their own actions.
I think this is great technology and can't wait to REALLY start using it.

External link:
PingPing

Non-functional requirements checklist

noreply@blogger.com (My precious) — Tue, 02 Mar 2010 07:37:00 +0000

I have recently started as an architect at a large international company with as clear objective to improve quality of the current designs being made.

As a first, simple but important, step I have composed a non-functional requirements checklist. Many of us architects many a very good grasp of the technical side and therefore can create very good designs from a technical point of view. But business requirements are often forgotten.

With the checklist I have attached in this post, I've wanted to create a personal checklist for the architect to verify he has covered all aspects of the project he is working on and make sure his design fits in the companies strategy and long-term vision.

Non-functional requirements checklist

As a next step, this checklist can be converted to a business analist's question list. More on that in my next post.

Enjoy!

Windows 7: God Mode

noreply@blogger.com (My precious) — Wed, 06 Jan 2010 10:52:00 +0000

Ever get frustrated with the control panel of Windows 7? I always stuck with the "classic view" since it was a whole lot easier to find stuff. Now with Windows 7 you are not with that possibility anymore.

However, there is another hidden feature called the "God Mode" which gives you basically a classic control panel, but with even more possibilities. And all of that combined in a single list!

How to enable this God Mode?
Easy, create a new folder anywhere you want to be able to access this feature, for example the desktop:

Rename the folder to GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}:

You will notice that the icon has changed to the "Control Panel" icon:

From here, you will get the whole list of the things you can change to change the appearence of your Windows 7 machine.

Enjoy!

Certificate procedure – Step 5: Export the private key and store in a safe location

noreply@blogger.com (My precious) — Thu, 10 Dec 2009 10:36:00 +0000

This post is a continuation of my previous post in which I have assigned a certificate to the website.

In this last post, we'll be exporting the private key to a secure location for legal requirements:
1. Open the IIS manager and browse to the website that has the certificate assigned
2. Right click the website and choose Properties, then go to the tab Directory Security. Here choose View Certificate.

3. Go to the tab Details and click Copy to File.

4. After the Welcome Screen, you will see that now we have the option to Yes, Export the Private Key and click Next.
5. Choose the options you desire, I always use these:

6. Next you will be required to supply a password and a location. When you click Finish, you should receive a Success message.

OK, you are done: a certificate created which is used to secure a website and the private key is exported to a secure location for recovery purposes.

I hope the series can help you.

Have fun!

Post series:
1. Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006
2. Certificate procedure - Step 1: Creating a certificate request
3. Certificate procedure – Step 2: Request a certificate
4. Certificate procedure – Step 3: Issuing the certificate
5. Certificate procedure – Step 4: Assign the certificate to your website in IIS
6. Certificate procedure – Step 5: Export the private key and store in a safe location

Certificate procedure – Step 4: Assign the certificate to your website in IIS

noreply@blogger.com (My precious) — Thu, 10 Dec 2009 10:16:00 +0000

OK, following my previous posts, the certificate can now be used to assign it to a website (or whatever you want to use it for).

The assignment of the certificate is also pretty straightforward:
1. Open the IIS manager and browse to your website.

2. Go the Directory Security tab and click on Server Certificate.

3. A wizard will open, click Next on the Welcome Screen and choose Process the pending request and install the certificate.

4. Browse to your newly created certificate and click Next. Then choose the default SSL port 443 and click Next.
5. You can overview the summary and click Next if the displayed information is correct.

6. As a last step, Finish the wizard to assign your certificate.

That's it. Your website is now secured. As a last step I'll be exporting the private key to a safe location for recovery purposes.

Post series:
1. Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006
2. Certificate procedure - Step 1: Creating a certificate request
3. Certificate procedure – Step 2: Request a certificate
4. Certificate procedure – Step 3: Issuing the certificate
5. Certificate procedure – Step 4: Assign the certificate to your website in IIS
6. Certificate procedure – Step 5: Export the private key and store in a safe location

Certificate procedure – Step 3: Issuing the certificate

noreply@blogger.com (My precious) — Thu, 10 Dec 2009 10:09:00 +0000

Now that we have created our certificate request, we’ll be issuing it ourselves with our Certification Authority (CA) for testing purposes.

A very quick and simple process:
1. Open the Certification Authority console and browse to Pending Certificates. Once there, right click on the certificate and under “all tasks” choose Issue.

2. Then, go to Issued Certificates, right click on the issued certificate and click on “Copy to file” to save the certificate to a safe location.

Post series:
1. Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006
2. Certificate procedure - Step 1: Creating a certificate request
3. Certificate procedure – Step 2: Request a certificate
4. Certificate procedure – Step 3: Issuing the certificate
5. Certificate procedure – Step 4: Assign the certificate to your website in IIS
6. Certificate procedure – Step 5: Export the private key and store in a safe location

Certificate procedure – Step 2: Creating a certificate

noreply@blogger.com (My precious) — Fri, 20 Nov 2009 15:02:00 +0000

Now that our request is created and since we’ll be creating the certificate ourselves, let’s just get it over with … :)

1. Copy the text file to your CA, go to the CA website: http://localhost/certsrv and select Request a Certificate

2. Select Advanced Certificate Request

3. Here, choose the second option (I’m not gonna write that whole thing out :))

4. Now we can copy the text from our request file and paste it here.

5. You will see that your certificate is pending after having clicked Submit

And that’s it, nothing more to this simple step. Next we’ll be issuing our pending request.

Post series:
1. Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006
2. Certificate procedure - Step 1: Creating a certificate request
3. Certificate procedure – Step 2: Request a certificate
4. Certificate procedure – Step 3: Issuing the certificate
5. Certificate procedure – Step 4: Assign the certificate to your website in IIS
6. Certificate procedure – Step 5: Export the private key and store in a safe location

Certificate procedure - Step 1: Creating a certificate request

noreply@blogger.com (My precious) — Fri, 20 Nov 2009 14:28:00 +0000

In my previous post (see link below), I talked about the various steps you need to perform to create a certificate to secure your data transmission, both self-signed and officially signed.

As promised, the following posts provide a step-by-step overview of the complete procedure. Thanks to Bram Poelaert for his input!

The first step is creating the certificate request:
1. Open the IIS Manager, right click the Default Web Site and select Properties

2. On the tab Directory Security, select Server Certificate

3. In the wizard, click Next on the Welcome screen
4. Since we are creating a new certificate, select Create a new certificate

5. We are creating the request now and processing it later, so choose Prepate the request now, but send it later

6. Give the request a name, this can be anything, just make it clear what it is

7. Provide the name and OU

8. This is the most important part of your certificate: the common name. This needs to be the fully qualified domain name to which the users will be connecting.

9. Next, choose your Country, State and City

10. Save the request file to a location
11. Verify the settings you have chosen in the overview before completing the wizard.

The result will be a TXT file. In the text file you will see -----BEGIN NEW CERTIFICATE REQUEST----- & -----END NEW CERTIFICATE REQUEST-----

This is the result that can be forward to an official Certification Authority, but for testing purposes we’ll be issuing the certificate ourselves.

Post series:
1. Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006
2. Certificate procedure - Step 1: Creating a certificate request
3. Certificate procedure – Step 2: Request a certificate
4. Certificate procedure – Step 3: Issuing the certificate
5. Certificate procedure – Step 4: Assign the certificate to your website in IIS
6. Certificate procedure – Step 5: Export the private key and store in a safe location

Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006

noreply@blogger.com (My precious) — Thu, 19 Nov 2009 13:52:00 +0000

Last week, a colleague and I have configured an Exchange 2003 SP2 for push mail. Since it was a joint effort, I want to thank Bram Poelaert for his help and expertise. All information in these posts are therefore the result of our teamwork.

First a small overview. We were installing and configuring an ISA 2006 server with 1 network adapter to publish the OMA and OWA functionalities to the external world for push mail functionalities. In the backend, an Exchange 2003 SP2 is serving as the mail server. We’ll be offloading the SSL on the ISA 2006 server. To complete the picture, a CheckPoint firewall is placing the ISA in the DMZ by using the three zones: untrusted, DMZ & trusted.

As always, the most difficult (and critical) part of the installation isn’t the configuration of Exchange or even ISA 2006, but the installation of the necessary certificate. This is what this post will be about.

Having an official authority create a certificate for you costs quite a bit money, so you don’t want to have to do it twice. For that reason, it’s always best to test your procedures by creating a certificate yourself and make sure your certificate request is correct.

To create and install a certificate yourself, these steps have to be completed:
1. Create a certificate request via IIS web wizard
2. Process the request via your Certification Authority (CA)
3. Issue the pending certificate in CA
4. Assign the certificate to your website in IIS
5. Export the private key and store in a safe location

Make sure that when you connect to your secure website that no error messages are displayed. Most frequent mistakes are the common names that are not the same as the URL or the certificate chain that is broken somewhere.

Also, be careful with the private key. This key is residing on the computer that created the certificate request. Do NOT import the certificate again (via MMC for example) before having the private key exported. If you do, the private key will be gone and you can not use the certificate!

OK, you’ve tested your certificate and it works as you expected. Cool! Now delete everything and start over by creating a new certificate request that you can send to the third party for the creation of your certificate.
1. Create a certificate request via IIS web wizard
2. Send the certificate request (TXT file) to the CA
3. Import the certificate received in IIS web wizard
4. Export the private key and store in a safe location
5. Install the certificate and the private key on the ISA 2006 server
6. Use the certificate to secure the data

In my next post I’ll go over the process step-by-step for an easy manual.
I hope this can already put you well underway.

Post series:
1. Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006
2. Certificate procedure - Step 1: Creating a certificate request
3. Certificate procedure – Step 2: Request a certificate
4. Certificate procedure – Step 3: Issuing the certificate
5. Certificate procedure – Step 4: Assign the certificate to your website in IIS
6. Certificate procedure – Step 5: Export the private key and store in a safe location

Enjoy!

Manually upgrading the vpxa agent of an ESX server

noreply@blogger.com (My precious) — Fri, 06 Nov 2009 15:19:00 +0000

During my ESX 2.5 Upgrade project I ran into some VM migration problems.
As soon as the vmdk was too big to be able to complete the migration in 25 minutes, the operation would fail.

A cause could have been that the version of the vpxa agent on the ESX 2.5 agent was of a different build than the vpxa agent on the ESX 3.5 destination host. So I needed to manually upgrade the vpxa agent of the ESX 2.5 host.

As you can figure, documentation on how to do this isn’t very widely spread, so I decided to write a short blog post on it:
1.Log into the VC server locally and browse to the “Upgrade” folder. Default: C:\Program Files\VMware\Infrastructure\VirtualCenter Server\Upgrade
2.Browse to the correct vpx upgrade file for your ESX server version you need to upgrade the vpxa agent on.
My ESX 2.5 was version 2.5.2 so I needed vpx-upgrade-esx-4-linux-*. I found this info in the bundleversion.xml file

3.Copy this file to the ESX host you need to upgrade the vpxa agent on via a winSCP or PenguiNet or something like it.
4.Log into the ESX as root and browse to the folder where you have copied to upgrade file
5.Run the command: service vmware-vpxa restart
This will stop and start the agent and automatically upgrade it’s version. This shouldn’t take more than 5 – 10 seconds.
6.Now log back into the VirtualCenter server locally and restart the services:
a. VMware License Server
b. VMware VirtualCenter Server

OK, that’s it. Your vpxa agent is now upgrade to the version and build you have selected. It could be that in VC itself you will have to disconnect the ESX host and then connect it again.

ESX command line commands

noreply@blogger.com (My precious) — Thu, 05 Nov 2009 13:28:00 +0000

I am currently busy with designing a migration strategy for a large ESX 2.5.2 migration to ESX 3.5 for one of our customers. (yeah I know, a little late ... but at least they will migrate immediately on the vShpere4 :))

While doing my tests and type the commands mostly only once and from then on use the arrow keys to go up to previous commands. You know how it goes: as lazy as you can get it ... :)

Anyways, I decided I would post most of these commands here. Not just for you guys, but admittingly also for myself as I regularly find myself looking through my memory for correct syntaxes ... :)

List files:
vmware-cmd –l
List path and names of .registered VM vmx files on the present host

Get state vm
vmware-cmd /vmfs/volume/'vmfslabel'/'VMName'/'VMName'.vmx getstate
Retrieve power state of the VM: off, on, suspended, stuck

Reboot vm
vmware-cmd vmfs/volume/'vmfslabel'/'VMName'/'VMName'.vmx reset trysoft/hard
Reboot the VM. First try a nice shutdown (trysoft), then if necessary force a shutdown before reboot (hard).

Power on vm
vmware-cmd vmfs/volume/'vmfslabel'/'VMName'/'VMName'.vmx start
Power on the VM

Shutdown vm
vmware-cmd vmfs/volume/'vmfslabel'/'VMName'/'VMName'.vmx stop trysoft/hard
Shutdown/halt the VM. First try a nice shutdown (trysoft), then if necessary force a shutdown (hard).

Suspend vm
vmware-cmd vmfs/volume/'vmfslabel'/'VMName'/'VMName'.vmx suspend
Suspend the VM

Verify snapshot
vmware-cmd vmfs/volume/'vmfslabel'/'VMName'/'VMName'.vmx hassnapshot
Query if VM has a snapshot

Create snapshot
vmware-cmd createsnapshot name description quiesce memory
Quiesce will quiesce file system writes, while Memory will grab the memory state

Revert to snapshot
vmware-cmd vmfs/volume/'vmfslabel'/'VMName'/'VMName'.vmx revertsnapshot
Revert to previous created snapshot (you loose the current VM state!)

Remove snapshot
vmware-cmd vmfs/volume/'vmfslabel'/'VMName'/'VMName'.vmx removesnapshots
Remove previous created snapshots (you keep the current VM state!)

Register vm
vmware-cmd -s register vmfs/volume/'vmfslabel'/'VMName'/'VMName'.vmx
Register VM (add to inventory)

Unregister vm
vmware-cmd -s unregister vmfs/volume/'vmfslabel'/'VMName'/'VMName'.vmx
Unregister VM (remove to inventory)

Answer vm
vmware-cmd vmfs/volume/'vmfslabel'/'VMName'/'VMName'.vmx answer
answer pending request for userinput

Extend virtual Disk
vmkfstools -X 12G ./testing.vmdk
To extend an existing Virtual Disk to 12GB.
Be aware if the shrinked size is smaller as the partition size in the guest there might be a data losse or a corrupted system resulting!

Copy virtual disk
vmkfstools -i /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmdk /vmfs/volumes//'VMName'.vmdk
Copy vmdk from one vmfs to another datastore

Export virtual disk
vmkfstools -i /vmfs/'VMName'/'VMName'.vmdk -d 2gbsparse //'VMName'.vmdk
Export vmdk to ext3 partition

Rename files
vmkfstools -E
Rename files associated with a specified virtual disk

Delete Virtualdisk
vmkfstools -U
Delete files associated with the specified virtual disk

Delete folders
rm –R –f /vmfs/volumes//VM folder>
Delete non-empty folders

Find functionality
| grep –i “”
Example: vi *440*.vmx | grep –I “version”
Find a word with a file. In this example “version”

There are of course a whole lot more vmkfstools and vmware-cmd commands, but I think this gives a good start ...

Enjoy!

SMS Site System Status Summarizer still cannot access storage object. The operating system reported error 2147942405: Access is denied.

noreply@blogger.com (My precious) — Tue, 19 May 2009 10:58:00 +0000

Now that I've got my OCS 2007 R2 successfully integrated with Cisco Call Manager 7, I thought I'll expand our test environment and start implementing SCCM 2007 R2 for monitoring the servers installed and facilitate the deployment of future clients.
I chose to set up my SCCM environment on 4 servers:
SCCM1 = MP, FSP, SLP, Site server
SCCM2 = DP, PXE, SUP
IIS1 = Reporting Point, SQL Reporting
SQL1 = DB server

I installed the first SCCM1 server and from within the management console I deployed the other SCCM services (SCCM2 and IIS1). For this I followed the Technet deployment and configuration guides for SCCM 2007 R2. No problems there.
Also with the installation and configuration of Reporting on IIS1 all went ok. Running the reports works fine. So all ok you would think?!

Still, I kept receiving these annoying messages under Site Status - Site System Status - IIS1\C$\SMS
(in the print screen below, the status is now OK, because of course by now I resolved the problem ...)
(The Site System Status is CRITICAL because I have installed the PXE service, but haven't configured it yet, I'll do that next ...)

So anyway, here I would get these messages:

SMS Site System Status Summarizer still cannot access storage object "\\BTLABIIS1\C$\SMS" on site system "\\BTLABIIS1". The operating system reported error 2147942405: Access is denied.

Everywhere you look online it will tell you to make sure the SCCM site server computer account (SCCM1 in my case) is member of the local Administrators group on the remote SCCM server.

Unfortunately for me, that didn't do the trick. Reading the documentation on Technet, I knew I had this before anything else, but still with the result displayed above.

To resolve this, there is a second account that needs to be member of the Administrators group on the remote server: the service account used to deploy the SCCM service with. You can look it up Site management - Site Settings - Site Systems - - Role properties.

When you add this account to the Administrators group, this error message will dispear.

Hope it helps.

OCS 2007 R2 Documentation

noreply@blogger.com (My precious) — Mon, 27 Apr 2009 09:11:00 +0000

You also noticed that when you search for OCS 2007 R2 documentation, you get a lot of OCS 2007 documents? Drove me crazy, whenever I followed a link on a OCS 2007 R2 site, I got to OCS 2007 knowledge base.

So I decided to make a collection of true OCS 2007 R2 document libraries, to facilitate my OCS 2007 R2 - Cisco Call Manager integration project:
1. Microsoft Office Communications Server 2007 R2
The mother load, from the Microsoft download center. I just don't understand why this doesn't show up when you Google it.
2. Microsoft Office Communications Server 2007 R2 Documentation
A CHM file with technical documentation to help you understand, plan, deploy, and operate Microsoft Office Communications Server 2007 R2 servers.
Remember that you might have to "Unblock" the content.
If you need help on that, here is the Microsoft support page: You cannot open HTML Help (.chm) files from Internet Explorer
3. Microsoft Office Communications Server 2007 R2 online documentation
If you don't want to mess about with the .chm file, you can find the same documentation online, on the Technet pages.

Hope this can help you on your OCS search.

Exchange 2010 beta available: a list of the new features

noreply@blogger.com (My precious) — Thu, 16 Apr 2009 07:36:00 +0000

So yesterday (14/04/09) we were able to download the first beta of the new email system that is used by 65 % of the companies. In Q3 of 2009 the distribution of the RTM version should be a fact.

First thing I noticed is that the admin interface has not been majorly changed, compared to the new interface we got from E2K7. That's good, cause I like this new interface much better than the old one.

Based on Microsoft documentation, I've set off testing and playing around in my test lab. The improvements they have made (27 to be exact) are divided by Microsoft in 3 big pilars:
1. Flexibility and reliability
2. Anywhere access
3. Protection and compliance

Of course, one of the most eye catching improvement is the support for OWA on Internet Explorer 7 & 8, Safari 3 and Firefox 3. But another cool feature that I think will be much used is the "MailTips". It will protect end users from sending personal mails to large mailing groups. The last thing that caught my eye yesterday already is the "Consolidated view" and "Conversation Mute". Finally we are able to view all e-mails concerning a single topic in a single node (in Outlook ànd OWA).

Below is a list of the other 27 improvements. The ones I think are really interesting and that I'll be looking into I've indicated in bold:
1. Added internet browser support for OWA
2. Answer/forward status is being kept by the server and can be shown on all clients
3. MailTips to prevent personal mails from being distributed to large communities
4. Conversation view for the threating of messages
5. Calendar sharing available in OWA and for federated users
6. Sharing of contacts outside the company and outside the desktop
7. Voice Mail Preview: automatic written preview of a received voice mail
8. Call Answering Rules to administer phone calls just like e-mails
9. Rights Management in OWA as well as Outlook
10. Federation Services to connect your Exchange servers to those of other organizations
11. Page patching: automatic fixing of corrupted DB pages
12. I/O Optimalization: less I/O bursts, support for SATA disks
13. JBOD (Just a Bunch Of Disks) support instead of only RAID
14. Database Availability groups: redundant DB's for mailboxes which provide automatic recovery
15. Failover on DB level, clustering not longer necessary to provide high-availability, so more uptime
16. Online Move-Mailbox: moving MBX'en while the user is logged in
17. Rules for transport protection: an administrator can change the IRM protection AFTER they have been sent
18. Moderation: a transport rule that allows you to send a message to a reviewer before the message is actually sent
19. Rules for protection Outlook which allows you to automatically assign RMS templates to e-mails
20. Role-based access control for Outlook
21. Exchange Control Panel to assign end users specific levels of control
22. Message tracking for end users (without having to contact the helpdesk)
23. Distribution Groups can be created, modified and deleted by end users
24. Block/Allow list for mobile devices
25. Protected voicemail: you are able to block the sending of voicemails outside the organization
26. Personal archive: moving of PST files to a secundary mailbox for better performance and compliance
27. Multi mailbox search: finally you are able to search multiple mailboxes with a single click

As you can see, there are quite a few cool improvements.
Can't wait to get started ... :)

OCS 2007 - Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022

noreply@blogger.com (My precious) — Mon, 06 Apr 2009 08:27:00 +0000

So now that I have my OCS server installed, a few troubleshooting tasks have to be done (in my case anyway).

First error I saw when running the Validate Front End Server Configuration wizard, is this:

Looking around online I see everywhere that the certificate is probably wrong. I configured the certificate with the FQDN of the OCS server, which looks to be correct, especially when I see the entries above the check user logon section, where it shows it succeeds in connecting to the OCS pool.

So anyway, I tried recreating a new certificate, this time with the FQDN of the OCS pool instead of the OCS server. After signing the new certificate with my CA and assigning it to the OCS server, it still Completes with failures. Only this is very interesting: now my login is successful but I can't connect to the OCS pool anymore. Complete opposite of what I had before!

What the f***??!! Before you start trying: assigning the certificate with the server FDQN to the OCS server and the OCS FQDN to the IIS (or visa versa) does not work either.

Instead, create a new certificate with these settings:
1. Subject name: FQDN of the OCS pool
2. Alternate name: not that important
3. Remember to check the Automatically add local machine name to Subject Alt Name, that way you create a multi-homed certificate

After assigning this certificate to your OCS server and in the IIS manager, you should be good:

Hope it can help...

OCS 2007 & SQL2005 SP3 – Pool backend discovery failed

noreply@blogger.com (My precious) — Mon, 06 Apr 2009 07:45:00 +0000

A few weeks ago I was installing an OCS server in a lab environment for the purposes of giving demo’s and testing some stuff out myself.

However, before I could actually even start I ran into a nice little problem.
First I prepared the AD, as documented by Microsoft, no problem there at all. Then I launched the Create Enterprise Pool from the setup.exe

In the next screen of the simple wizard you need to provide a pool name, after which the FQDN is filled in automatically and the SQL backend. (if your SQL farm is separated by a firewall, make sure port 1433 is open from the OCS to the SQL)

That should be that. Unfortunately for me, I received this error:

Since I have a SQL 2005 server, I checked the Service Pack level and made sure it was the latest version (SP3). The Backward Compatibility pack installed on the OCS is from the same SP level. No problem there you would say. But no matter how I tried configuring the OCS pool, it didn’t work.

I guess not many people have this issue, since I didn’t find much online about it. But then I stumbled across this article from Microsoft: You cannot create the enterprise pool for Office Communications Server 2007 on a back-end server that has SQL 2005 Service Pack 3 (SP3) installed
Basically it says the backward compatibility pack from SP3 does NOT work correctly and what you need to do is this:
1. Uninstall the SQL 2005 SP3 Backward compatibility pack
2. Download the correct backward compatibility pack (SQLserver2005_BC.msi) from this link: SQLServer2005_BC.msi
3. Install this new BC pack

Immediately after that I tried the OCS enterprise pool wizard again (no reboot) and what do you know: it flew straight through!

Replicate Exchange to a DRS (Disaster Recovery Site): Best Practices

noreply@blogger.com (My precious) — Tue, 27 Jan 2009 14:04:00 +0000

In my last post I’ve gone over some of the considerations you need to keep in mind when choosing a replication setup for Exchange 2007.

Now there are of course some best practices you can keep in mind when you’ve chosen your setup concerning the replication of Exchange 2007. Since we are on the subject, and in order to keep a nice overview, I’ve created this post which is a summary of the Microsoft guidelines.

1. Mandatory Data to replicate
a) edb files: messages and MAPI-content
b) stm files: non-MAPI content
c) log files: changes to commit to the database
d) chk files: info on the entries in the log files

2. Best Practices for asynchronous replication (replication mechanisms)
a) Configure replication at the logical/mount point volume level: if the mailbox data path is G:\MDB1\MDB1.EDB, then drive G should be the base unit to perform replication. As a result, all the data on drive G will be replicated. Setting replication to occur at the file or subdirectory level is prone to human error and is not supported by Microsoft.
b) Create many replication points: reduce the queuing of multiple I/O’s which are destined for the same replication point
c) Keep transaction logs on different logical volumes: since each write I/O request is queued at the replication point, it is best to split the edb and log files to different logical volumes, to reduce long write response times.
d) Use multiple replication links: expensive, but necessary (although not technically) for availability and load-balancing.

3. Best Practices for Configuring Exchange For Synchronous Replication
a) Create the maximum number of storage groups per Exchange server: there will be more parallel log writing processes, which can reduce the overall transaction log-write latency
b) Increase transaction log buffer size: Increasing the log buffer size reduces the frequency of capacity flushes, increases the log write size, and subsequently reduces the overall log write latency.

That's about it for this post. Of course, this is only a short summary and can (should be) supplemented with other articles on this subject.

Replicate Exchange to a DRS (Disaster Recovery Site): Design

noreply@blogger.com (My precious) — Tue, 27 Jan 2009 13:00:00 +0000

Last week, we had a discussion over the design and configuration of an Exchange 2007 server in a DRS.

Of course, as always, there isn’t one answer that fits all. There are a few questions you need to answer to get to a solution that fits your needs:
- How will the data be replicated to the server located in the DRS?
- How performant is the link between the main site and the DRS?
- How important is are the e-mails within your company?
- How much money do you have to spend?

Let’s go over the questions one by one to come to our solution.

1. How will the data be replicated to the server located in the DRS?
There are 4 different replication menthods:
a) Synchronous replication: the Exchange host receives a “successful write” response when the operation is complete on the local AND remote locations.
Advantages:
I. guaranteed no data loss (how is that for a sole advantage … )
Disadvantage:
I. reduced performance (site link, link utilization, distance very important since mails have to saved to both local and remote storage)
II. more expensive than asynchronous replication
III. need for 3rd party software
b) Asynchronous replication: the Exchange host writes to the local storage and the data is replicated independently afterwards
Advantages:
I. not as heavy on performance indicators as synchronous replication
II. cheaper than synchronous replication
III. native Exchange 2007 technology (LCR, SCR & CCR)
IV. robust: (in case of a CCR no single failure will lead to a loss of service)
Disadvantages:
I. no guarantee against data loss can be provided
c) Host-based replication: a filter driver manages the replication (and needs to cut the I/O stream to do this)
d) Storage-based replication: replication at storage level (more performant than host-based replication)

2. How performant is the link between the main site and the DRS?
Whether you choose synchronous or asynchronous replication might not just depend on the budget you have to spend, but also on the environment that is already in place. Be aware that choosing synchronous replication will not only reduce the number of mailboxes per server (up to 75 % reduction in mailboxes/server scalability), the site link is largely impacted as well.

The tools LoadSim and JetStress are developed by Microsoft to test latencies and storage throughput.

3. How important is are the e-mails within your company?
As said above, asynchronous replication cannot guarantee that all data will be retained in case of a “disaster”, while synchronous replication does (providing the site links are operational). However, Exchange 2007 is designed to lose as little information as possible in case of a failure. Thanks to the LCR, CCR and SCR technologies, the losses should be minimized to read/unread messages statuses, incomplete contact, calendar entries, … If this is acceptable for your SLA, they offer a really good solution. Of course, if databases have to be moved to a new stand-by Exchange server, some downtime will be unavoidable.

4. How much money do you have to spend?
I guess this point is pretty clear. Choosing between LCR, SCR and CCR have already huge price effects on your budget. If your SLA requires you to choose for synchronous replication, this price will mount exponentially since third party software will have to be purchased, installed, configured, received training on, …

PowerShell Graphical Help

noreply@blogger.com (My precious) — Tue, 13 Jan 2009 09:31:00 +0000

PowerShell is cool, isn't it? I absolutely love it.

But there was a downside. Using the help function within the PowerShell prompt is difficult to read not to mention it can scroll your screen quite a bit.

So instead of using the help function within PowerShell, the PowerShell guys of Microsoft have created a Graphical Help File.

It contains just the same information as the help within PowerShell when using the -detailed switch, but it comes with some definate advantages:
- fully searchable
- graphical
- seperate window so you can a clear eye on your code

A must have download.

“The execution of scripts is disabled on this system” … How to run your own PowerShell scripts

noreply@blogger.com (My precious) — Wed, 17 Dec 2008 09:38:00 +0000

So you’re picking up PowerShell scripting, are you?
As a first test, you create a little, never fail “hello world” script and launch it from within a PowerShell, but instead of seeing “Hello World” you see this:
File C:\scripts\test.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-
help about_signing" for more details.
At line:1 char:19
+ c:\scripts\test.ps1 <<<<

What the hell?? Yep, that’s right: by default only digitally signed scripts can be run from within PowerShell. Luckily, this can be remedied fairly easily.

If you launch the command Get-ExecutionPolicy you will see that the default policy is set to Restricted, basically creating your problem.

Now we can change that value to 5 different settings:
1. Restricted: no scripts will be executed
2. Unrestricted: all scripts will be executed
3. RemoteSigned: all scripts you created yourself will be run, all scripts downloaded from the internet will need to be signed by a trusted publisher
4. AllSigned: all scripts, including your own, will need to be signed by a trusted publisher
5. Default: = Restricted (unless you change the default value to something else)

OK, so now that we know that we can change the policy by simply typing Set-ExecutionPolicy RemoteSigned.

And that’s it! Your scripts can be run. I’ll be posting soon about how to set up your own “trusted publisher” so that we can secure our PowerShell environment as much as possible.

Have fun!

Infrastructure Planning & Design (IPD)

noreply@blogger.com (My precious) — Mon, 15 Dec 2008 09:07:00 +0000

This weekend I've found a collection of documents on the Microsoft download pages: IPD.zip

It holds a whole list of documents, defided per technology, in which they go over the design processes:
- Windows Server 2008 File Services
- Selecting the Right NAP Architecture
- Windows Server 2008 Active Directory Domain Services
- ...

The series is a collection of documents that leads the reader through a sequence of core decision points to design an infrastructure for Microsoft products. It also provides a means to validate design decisions with the business to ensure that the solution meets the requirements for both business and infrastructure stakeholders..

Very interesting reading, for whoever is interested ...

Configuring IPsec NAP (Network Address Protection) - Part 4: Testing with a NAP client

noreply@blogger.com (My precious) — Fri, 12 Dec 2008 13:33:00 +0000

Now that our NAP has been configured, we can start playing around with a NAP client.
In the following post I’ve logged on with an administrator account on a Vista client that is part of the domain krva.local.

Test 1: Log on to the Vista client with an administrator account and open a command screen. In the cmd box, type netsh nap client show grouppolicy. You should check for the following:

Test 2: Open a command screen and in the cmd box, type netsh nap client show state. You should see something like this:

Test 3: Verify that you have the required certificate, via MMC  Certificates  Local computer. You should see something like this:

Test 4: Verify that the Network Address Protection Agent has been started as a service

Test 5: Turn off your firewall. You should quickly see a message saying that your machine is not compliant after which the client will be auto-remedied and the firewall enabled. If you missed it, you can always request the status via the command napstat.

That’s pretty much it for now.
Of course, there are LOTS more things about NAP and possible errors you might encounter during the installation and configuration of it. Two tools you will definitely need during the troubleshooting of NAP are the NAP server events and the NAP client events.
They can be found in the event viewer under \Custom Views\Server Roles\Network Policy and Access Services (for the server) and \Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational (for the client).

Everything is correctly configured, but still your NAP clients are not being enforced? Check this first: are all systems involved activated?

NAP WILL ONLY FUNCTION IF YOUR SERVERS & CLIENTS ARE ACTIVATED!!

Enjoy!

Network Address Protection (NAP) posts:
IPsec NAP: Network Address Protection in Server 2008

Configuring IPsec NAP (Network Address Protection) - Part 1: Certificates

Configuring IPsec NAP (Network Address Protection) - Part 2: Installation of the NPS (Network Policy Server)

Configuring IPsec NAP (Network Address Protection) - Part 3: Configuring the NPS as NAP HRA (Health Registration Authority)

Configuring IPsec NAP (Network Address Protection) - Part 3: Configuring the NPS as NAP HRA (Health Registration Authority)

noreply@blogger.com (My precious) — Tue, 09 Dec 2008 12:42:00 +0000

The bulk of the work is done by now. Now all that is left to do is configure our newly configured NPS and a NAP Health Policy Server.

The components of the NPS to configure are: System Health Validators, Health Policies, Network Policies, Connection Request Policies, RADIUS Clients and Servers and Remediation Server Groups, as indicated in the screen shot.

To configure these components I'm just going to take the easy way and use the configuration wizard.

Step 1: NAP wizard: launch the wizard by clicking on Configure NAP in the details pane of the NPS.

Now in the wizard, choose the following uptions:
a) select IPsec with Health Registration Authority (HRA) and give it a name
b) no Radius clients are being added, since the HRA is installed on the NAP Health Policy Server
c) we are going to apply to policy to all users, so we don't need to add any machine groups
d) make sure the Windows Security Health Validator and Enable auto-remediation of client computers are selected
e) Finish the wizard

Step 2: Configure the SHV (System Health Validators): By default, the WSHV is configured to require firewall, virus protection, spyware protection, and automatic updating. You can easily change this in the Properties of the SHV.

Step 3: Configure a GPO for the NAP client settings: now we can start enforcing specific client computers to apply to our NAP. To do this, create a new GPO and define the following settings:
a) Computer Configuration/Policies/Windows Settings/Security Settings/System Services/Network Access Protection Agent --> Define the policy: Automatic
b) Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration/Enforcement Clients --> Enable IPsec Relying Party
c) Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration/Health Registration Settings/Trusted Server Groups --> New "Trusted HRA Servers" --> Add URL "Https://NPS.Test.local/domainhra/hcsrvext.dll" --> Finish
d) Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection/NAP Client Configuration --> right click and choose Apply

e) Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center --> Enable Turn on Security Center (Domain PCs only)
f) close the GPO editor
g) go to the Security Filtering of the GPO and Remove the Authenticated Users and Add the security group created earlier. In my case, that would be GS_NAP_ClientPCs.

And there you have it, IPsec NAP is installed, configured and ready to be used. In my last post about IPsec NAP I'll be using a Vista client to try and connect to the secure network section as an example.

Network Address Protection (NAP) posts:
IPsec NAP: Network Address Protection in Server 2008

Configuring IPsec NAP (Network Address Protection) - Part 1: Certificates

Configuring IPsec NAP (Network Address Protection) - Part 2: Installation of the NPS (Network Policy Server)

Configuring IPsec NAP (Network Address Protection) - Part 4: Testing with a NAP client