I only found out about Out-GridView two days ago, the day that Tony Redmond’s Windows IT Pro post about the loss of the Message Tracking tool hit the Internet. A Twitter conversation started up, and UK Exchange MCM Brian Reid quickly chimed in with a link to a post from his blog introducing us to using the Out-GridView control with the message tracking cmdlets in Exchange Management Shell.

This is a feature introduced in PowerShell 2.0, so Exchange 2007 admins won’t have it available. What it does is simple: take a collection of objects (such as message tracking results, mailboxes, public folders — the output of any Get-* cmdlet, really) and display it in a GUI gridview control. You can sort, filter, and otherwise manipulate the data in-place without having to export it to CSV and get it to a machine with Excel. Brian’s post walks you through the basics.

In just two days, I’ve already started changing how I interact with EMS. There are a few things I’ve learned from Get-Help Out-GridView:

• On PowerShell 2.0 systems, Out-GridView is the endpoint of the pipeline. However, if you’re running it on a system with PowerShell 3.0 installed (Windows Server 2012), Out-GridView can be used to interactively filter down a set of data and then pass it on in the pipeline to other commands. Think about being able to grab a set of mailboxes, fine-tune the selection, and pass them on to make modifications without having to get all the filtering syntax correct in PowerShell.
• Out-GridView is part of the PowerShell ISE component, so it isn’t present if you don’t have ISE installed or are running on Server Core. Exchange can’t run on Server Core, but if you want to use this make sure the ISE feature is installed.
• Out-GridView allows you to select and copy data from the gridview control. You can then paste it directly into Excel, a text editor, or some other program.

This is a seriously cool and useful tip. Thanks, Brian!

The post Using Out-GridView (#DoExTip) appeared first on Devin on Earth.

It’s a simple script: run it and you get a single-page HTML report that gives you a thumbnail overview of your servers and databases, whether standalone or DAG. It’s no substitute for monitoring, but as a regular status update posted to a web page or emailed to a group (easily done from within the script) it’s a great touch point for your organization. Run it as a scheduled task and you’ll always have the 50,000 foot view of your Exchange health.

I’ve used it for migrations in a variety of organizations, from Exchange 2003 (it must be run on Exchange 2007 or higher) on up. I now consider this script an essential part of my Exchange toolkit.

The post Exchange Environment Report script (#DoExTip) appeared first on Devin on Earth.

I’ve had an idea for several years to fill what I see is a gap in the Exchange community. I’ve been toying with this idea for a while, trying to figure out the perfect way to do it. Today, I had a Voltaire moment: forget perfect.

So, without further ado, welcome to Devin on Exchange Tips (or #DoExTips for short). These are intended to be small posts that occur frequently, highlighting free scripts and tools that members of the global Exchange community have written and made available. There’s a lot of good stuff out there, and it doesn’t all come from Microsoft, and you don’t have to pay for it.

The tools and scripts I’ll highlight in DoExTips are not going to be finished products or polished. In many cases, they’ll take work to adapt to your environment. I’m going to quickly show you something I found that I’ve used as a starting point or spring board, not solve all your problems.

So, if you’ve got something you think should be highlighted as a DoExTip, let me know. (Don’t like the name? Blame Tom Clancy. I’ve been re-reading his Jack Ryan techno-thrillers and so military naming is on the brain.)

The post Introducing DoExTips appeared first on Devin on Earth.

When I was buying a cup, I had no clue what to get. The only sports I’d done as a kid were one season of track in high school and some Pee-Wee/Little League baseball. I’d never had to deal with a cup before. I’d heard lots of horror stories about them: they were uncomfortable, didn’t fit, and didn’t really keep blows from hurting as much as they reduced the pain to manageable levels.

No, thanks. This geek did some research and came up with the Nutty Buddy. This was a cup whose inventor stood by his product by taking 90mph fast balls from a pitching machine to his crotch. After reading around, I was sold. It was more expensive, but hey, not feeling soul-crushing pain is worth it, right?

Here’s what happened next, as I sent it to Nutty Buddy:

My order arrived on the day of a sparring class. That night, I prepped for class a little early so I could figure out how to get my Nutty Buddy put in place. Having bought the “Build Your Own Package” option, I had everything I needed, and soon I was all dressed in my gi, ready to go. I walked out from my bedroom to the living room to pick up my gear bag and was met by my son, then 11 years old. “Do you have it on?” he asked eagerly and I nodded. “Great, let’s test it!” he said as he executed a perfect front snap-kick to the boys. It was a great kick, too – one of those kind you can’t be thinking about, you just have to let it rip. He immediately realized what he’d done and started apologizing, but was shocked when I laughed. The only thing I’d felt was the shock. The Nutty Buddy lived up to the hype, and I knew it was worth every penny.

No matter how prepared you are for life, sometimes you only know whether something’s going to work by just doing it.

The post Let’s Test It! appeared first on Devin on Earth.

Windows Update offers up .NET 4.0 to Windows 2008 R2 systems as an Important update (and has been for a while). This is fine and good – various versions of the .NET framework can live in parallel. The problem, however, comes when you accept this update on an Exchange 2010 server with the CAS role.

If you do this, you may notice that the /exchange, /exchweb, and /public virtual directories (legacy directories tied to the /owa virtual directory) suddenly aren’t redirecting to /owa like they’re supposed to. Now, people aren’t normally using these directories in their OWA URLs anymore, but if someone does attempt to hit one of these virtual directories it leaves a gnarly error message to spam your event logs.

This is occurring because when .NET 4.0 is installed and the ASP.NET 4.0 components are tied into IIS, the Default Application Pool is reconfigured to use ASP.NET 4.0 instead of ASP.NET 2.0 (the version used by the .NET 3.5 runtime on Windows 2008 R2). What exactly it is about this that breaks these legacy virtual directories, I have no idea, but break them it does.

The fix for this is relatively simple: uninstall .NET 4.0 and hide the update from the machine so it doesn’t come back. If you don’t want to do that, follow this process outlined in TechNet to reset the Default Application Pool back to .NET 2.0. Be sure to run IISRESET afterwards.

The post #MSExchange 2010 and .NET 4.0 appeared first on Devin on Earth.

My blue-green hair in December

I loved the cut and the color (a blue-green-silver mix), and after two weeks it had faded to a soft cotton-candy color of blue. However, it just kept on fading. Time for a refresh, so back in to my fantastic hairstylist, Liz!

My partner in crime

This time, we dropped the green and mixed the blue and silver in nearly equal proportions. The result is vivid now, but we think it’s going to be fantastic after some fading!

Move over, IBM

The best part of this experiment is that if I ever get tired of looking like a dry-erase marker, I can simply shave it off. It’s not like that’s a new look for me. The plan, though, is to keep experimenting with fun colors and settle down on a few favorites.

The post Blues Brother appeared first on Devin on Earth.

I’ve had some thoughts stirring around for a while on the topic of America and the 2nd Amendment, but it wasn’t until today I pulled them together enough to start the process of writing a blog post.

Note 1: I’m going to do my level best to be polite and respectful to all parties, regardless of their political position on this subject, and I request that all commenters do the same. People crossing the line of civility may get a warning or I may just delete their comment, depending on the severity.

The Ground Rules

Today, on Facebook, one my friends posted this picture:

Figure 1: Constitutional law qualifications
(can’t find the original source for this, if you know please let me know?)

As you can imagine, this prompted (as do almost all gun control threads on the Internet) a barrage of comments. Sadly, these types of discussions tend to quickly be dominated by one of two vocal extremes:

• The gun enthusiast (pejoratively known as the “gun nut” or “right-wing whackjob”), who often gives the impression that she won’t be happy until she can personally and privately own any weapon system ever made, up to and including ICBMs, aircraft carriers, Abrams tanks, and F-22 Raptors. She is typically, but not always, aligned with the more extremely conservative side of the political spectrum
• The gun worrier (pejoratively known as the “gun grabber” or “bleeding-heart liberal”), who commonly and frequently opines that mankind will know nothing but a wretched existence devoid of any light, joy, or hope until every last physical instance of, drawing of, reference to, or even the mental concept a of weapon is wiped from existence. He is typically, but not always, aligned with the more extremely liberal side of the spectrum.

Note 2: if you fit into one of these two extremes, I will give you good advice: stop reading now, and move on. You won’t like what I have to say; I refuse to validate your unreasonably narrow and exclusionary viewpoint. I won’t let other people call you names should you choose to ignore my advice and comment, but I will redact your extremist attempts to redirect a civil conversation into your own flavor of lunacy. Be warned – my blog, my rules. You want to post your own screed? Go burn your own storage and bandwidth to do it.

Almost immediately, a good point was made: while Obama’s credentials are accurately stated, this picture attempts to make a point through blatant use of stereotypes. We know nothing about the gentleman in the red box – he might also be an Ivy League Constitutional scholar, or a distinguished judge, or even a talented and knowledgeable amateur scholar. We don’t know and we’re not told. This is the good old “guilt by association” propaganda ploy – if you like big scary guns, you’re probably ignorant just based on your appearance. Not a great way for liberals to make a point.

At the same time, conservatives are guilty of blatantly false propaganda too:

Figure 2: One of these things is not like the other
(found on rashmanly.com)

Really? A democratically elected (twice, now, even!) federal executive, in a country with some of the most extensive checks and balances, who for at least half of his time in office has had to deal with a Congress (you know the branch of the government that actually makes the laws) controlled by his political opponents, is magically a dictator on par with some of the worst tyrants of recorded history? Because his biggest political acts have been to try to keep our country from plunging into a hyper-inflationary depression, to make sure poor people have access to medical care, and to try to maybe do something to reduce the number of innocent people killed by guns in this country every year? Remember, this is the President who pissed off many in his party because he didn’t bother to dismantle many of the incentives put in place by his predecessor.

Note 3: Don’t even think of heading to the “Democrats just want to take away guns and Republicans are protecting gun rights.” Remember the assault rifle ban that expired in 2004? The one that was enacted in 1994, which would have been during the (Democratic) Clinton administration? The one that was lobbied for by Ronald Reagan?

Finding Middle Ground

Okay, now that I’ve unilaterally declared extremes off the table, let’s dig into the meat of the original graphic – which is the fact that Obama has a background in Constitutional law, so unlike many politicians and political wonks, he might actually have a more than passing familiarity with some of the issues involved.

Obama is using executive orders to make changes within the framework of existing law, as well as working to introduce legislation to accomplish additional goals such as reintroducing the expired assault rifle ban. Some of these changes are likely to be polarizing, but outside of the echo chambers and spin factories, there’s actually a large amount of support for many of these proposals – and this according to a poll of 945 gun owners conducted last July by Republican party pollster Frank Luntz, before the events of Newton. After Newton, support for stricter laws on the sale of firearms has increased overall, including increased support for passing new laws although support for renewal of the assault rifle ban is still just shy of a majority. Yet somehow, any discussion of changes provokes an immediate, hostile response.

It’s also inevitable to see someone trot out the argument that since cars kill far more people, we need to regulate cars. Um, hello? We do. Car manufacturers have to regularly participate in studies and make changes to cars to reduce the deaths because of cars, and over the decades, it’s worked. We do the same thing for other forms of violence — we study it, and we make intelligent changes to reduce the impact. But the current climate and talking points (such as the historically inaccurate charge that gun control led to the Holocaust) have kept us in a virtual standstill on dealing with gun violence of any type.

Thanks to a careful and prolonged lobbyist and political spending campaign by the NRA and the gun manufacturers, we don’t even have credible research that would tell us why American gun deaths are so much higher than comparable nations. Let me be clear; the NRA does a lot of good, but they are a human institution and over the past couple of decades, they’ve transformed themselves from a simple society to promote scientific rifle shooting to a lobbyist organization. At times, I think this dichotomy can at times drive the NRA leadership out of sync with their members’ concerns and lead them to try to drive policy and dictate their members beliefs rather then represent them.

At this point, I think its obvious that some sort of changes need to be made. The USA has a gun homicide rate that is 4.5 times higher (or more) than other G-8 countries. When confronted with these facts, many people respond with talking points about how countries that have enacted gun control laws see a rise in crimes such as violent assault (Australia is a frequently featured talking point). However true these points may be, I can’t help but think that’s an invalid comparison. If I were to be the victim of a crime, I think I would rather be injured rather than outright killed. I would rather that my stuff got stolen than lose my wife or one of my kids. But overall, the crime rate in the US is dropping.

Like many Americans, I’m in favor of extending background checks and doing more to ensure that people with a history of violent mental illness and misdemeanor violence have reduced access to guns. Without comprehensive studies, I’m not convinced that renewing the assault rifle ban will actually help anything (are extended magazines actually useful in genuine self-defense scenarios, or would regular magazines do the trick?) But there’s a number of potential steps I’ve thought of that I’ve seen no discussion on:

• I’m disturbed by the fact that when I take a free CPR or First Aid class, I have more stringent requirements than I do for my CPL. When I get CPR training I have to demonstrate that I am up-to date in my training and technique and recertify every year or two at the most; when I applied for my concealed pistol license, all I had to do was not currently be a felon and I get a five year license. Different states have different requirements; maybe it’s time to get a more consistent framework in place that requires more frequent check-ins and more frequent training?
• While we’re talking about training, let’s hit another popular talking point: that armed private citizens are likely to stop mass shootings. While there are incidents of gun owners (typically store clerks) stopping an attempted robbery, the private citizens that have stopped instances of mass shootings all turn out to be private or off-duty security personnel who have substantially higher levels of firearms training than the average citizen (such as the Clackamas Mall shooting in Portland, OR).
• One of the claimed benefits of having less restrictive firearms statutes is crime reduction. More armed citizens, it is said, equals lower crime. However, in order to have this kind of deterrent effect, don’t the criminals have to either know that people are carrying, or at least have a reasonable suspicion that people are carrying? Concealed carry would seem to be counter-productive; open carry would actually allow criminals to know what they’re about to get into. Is American culture ready for open carry? Again, this is an area we’d need more research on.
• What about on-site gun safe inspections as part of the permit approval process? If one of the big concerns is people getting inappropriate access to guns, we should be making sure they’re being appropriate stored and locked away.

There’s a horrible patchwork of laws in place and there are some loopholes that should be closed, as long as we can do so without heading down the path of a guns registry. Come on, yes there are some screwballs who want to take all guns away, just as there are some screwballs who think that they should be able to own fully operable RPGs and tanks and fighter jets. Most of us are somewhere in the middle, although not in the same part of the middle, but we can’t even have a realistic, reasoned discussion on this because the people who benefit financially from the status quo make sure we can’t.

At this point in time, we can’t have a meaningful conversation on what the “well-regulated” clause in the 2nd Amendment is supposed to mean. All of our other liberties have been slowly and carefully re-interpreted over time – sometimes overly so, usually with corrections in the long run — as the times changed and as the nation changed and (yes) as we saw the fruits of some of the Founders’ mistakes. They were human; of course they made mistakes. They knew they would make mistakes and that we would have to adjust for situations they could never have foreseen. And yet, a strict reading of the 2nd Amendment is somehow off the table for even reasonable discussion? Why must we hew strictly to the Founding Fathers’ intentions in this one area when we willingly ignore them in other areas? (Check out what they had to say about professional politicians, lobbyists, and a two-party system.)

So, yes, sometimes it takes a Constitutional scholar to understand not only the original context of our Constitution, but also remember that the Founding Fathers always intended this Constitution to grow and live and adapt as our country did. It’s time for us to open the doors to a reasoned discussion on all areas of the 2nd Amendment, including the precise definition of which weapons it makes sense to allow citizens to have and what sorts of controls might be prudent to put in place to balance the right to self-defense with the reasonable safety of those around us.

The post A Few Bullet Points on American Gun Culture appeared first on Devin on Earth.

So, um…I knew it was going to take me a while to write this third part of the Exchange 2010 storage saga…but over two years? Damn, guys. I don’t even know what to say, other than to get to it.

So, we’ve this lovely little 3-dimension storage axis I’ve been talking about in parts 1 (JBOD vs. RAID) and 2 (SATA vs. SAS/FC). Part 3 addresses the third axis: SAN vs. DAS.

What’s in a name?

It used to be that everyone agreed on the distinction between DAS, NAS, and SAN:

• DAS was typically dumb or entry-level storage arrays that connected to a single (or at most two or three) servers via SCSI, SATA/SAS, or some other storage-specific cabling/protocol. DAS arrays typically had very little on-board smarts, other than the ability to run RAID configurations and present the RAID volumes to the connected server as if they were a single volume instead.
• NAS was file-level storage presented over a network connection to servers. The two common protocols used were NFS (for Unix machines) and SMB/CIFS (for Windows machines). NAS solutions often include more functionality, including features such as direct interfaces with backup solutions, snapshots of the data volumes, replication of data to other units, and dynamic addition of storage.
• SAN was high-end, expensive block-level storage presented over a separate network infrastructure such as FC or iSCSI over Ethernet. SAN systems offer even more features aimed at enterprise markets, including sophisticated disk partitioning and access mechanisms designed to achieve incredibly high levels of concurrence and performance.

As time passed and most vendors figured out that providing support for both file-level and block-level protocols made their systems more attractive by allowing them to be reconfigured and repurposed by their customers, the distinction between NAS and SAN began to blur. DAS, however, was definitely dumb storage. Heck, if you wanted to share it with multiple systems, you had to have multiple physical connections! (Anyone other than me remember those lovely days of using SCSI DAS arrays for poor man’s clustering by connecting two SCSI hosts – one with a non-default host ID – to the same SCSI chain?)

At any rate, it was all good. For Exchange 2003 and early Exchange 2007 deployments, storage vendors were happy because if you had more than a few hundred users, you almost certainly needed a NAS/SAN solution to consolidate the number of spindles required to meet your IOPS targets.

The heck you say!

In the middle of the Exchange 2007 era, Microsoft upset the applecart. It turns out that with the ongoing trend of larger mailboxes, Exchange 2007 SP1, CCR, and SCR, many customers were able to do something pretty cool: decrease the mailbox/database density to the point where (with Exchange 2007’s reduced IOPS) the total IOPS for their databases no longer required a sophisticated storage solution to provide the requisite IOPS. In general, disks for SAN/NAS units have to be of a higher quality and speed than for DAS arrays, so they typically had better performance and lower capacity than consumer-grade drives.

This trend only got more noticeable and deliberate in Exchange 2010, when Microsoft unified CCR and SCR into the DAG and moved replication to the application layer (as we discussed in Part 1). Microsoft specifically designed Exchange 2010 to be deployable on a direct-attached RAID-less 2TB SATA 7200 RPM drive to hold a database and log files, so they could scale hosted Exchange deployments up in an affordable fashion. Suddenly, Exchange no longer needed SAN/NAS units for most deployments – as long as you had sufficiently large mailboxes throughout your databases to reduce the IOPS/database ratio below the required amount.

Needless to say, storage vendors have taken this about as light-heartedly as a coronary.

How many of you have heard in the past couple of years the message that “SAN and DAS are the same thing, just different protocols”?

Taken literally, DAS and SAN are only differences in connectivity.

The previous quote is from EMC, but I’ve heard the same thing from NetApp and other SAN vendors. Ever notice how it’s only the SAN vendors who are saying this?

I call shenanigans.

If they were the same thing, storage vendors wouldn’t be spending so much money on whitepapers and marketing to try to convince Exchange admins (more accurately, their managers) that there was really no difference and that the TCO of a SAN just happens to be a better bet.

What SAN vendors now push are features like replication, thin provisioning, virtualization and DR integration, backup and recovery – not to mention the traditional benefits of storage consolidation and centralized management. Here’s the catch, though. From my own experience, their models only work IF and ONLY IF you continue to deploy Exchange 2010 the same way you deployed Exchange 2003 and Exchange 2007:

• deploying small mailboxes that concentrate IOPS in the same mailbox database
• grouping mailboxes based on criteria meant to maximize single instance storage (SIS)
• planning Exchange deployments around existing SAN features and backup strategies
• relying on third-party functionality for HA and DR
• deploying Exchange 2010 DAGs as if they were a shared copy cluster

When it comes right down to it, both SAN and DAS deployments are technically (and financially) feasible solutions for Exchange deployments, as long as you know exactly what your requirements are and let your requirements drive your choice of technology. I’ve had too many customers who started with the technology and insisted that they had to use that specific solution. Inevitably, by designing around technological elements, you either have to compromise requirements or spend unnecessary energy, time, and money solving unexpected complications.

So if both technologies are viable solutions, what factors should you consider to help decide between DAS and SAN?

Storage Complexity

You’ve probably heard a lot of other Exchange architects and pros talk about complexity – especially if they’re also Certified Masters. There’s a reason for this – more complex systems, all else being equal, are more prone to system outages and support calls. So why do so many Exchange “pros” insist on putting complexity into the storage design for their Exchange systems when they don’t even know what that complexity is getting them? Yes, that’s right, Exchange has millennia of man-hours poured into optimizing and testing the storage system so that your critical data is safe under almost all conditions, and then you go and design storage systems that increase the odds the fsck-up fairy[1] will come dance with your data in the pale moonlight.

SANs add complexity. They add more system components and drivers, extra bits of configuration, and additional systems with their own operating system, firmware, and maintenance requirements. I’ll pick on NetApp for a moment because I’m most familiar with their systems, but the rest of the vendors have their own stories that hit most of the same high points:

• I have to pick either iSCSI or FC and configure the appropriate HBA/NICs plus infrastructure, plus drivers and firmware. If I’m using FC I get expensive FC HBAs and switches to manage. If I go with iSCSI I get additional GB or 10GB Ethernet interfaces in my Exchange servers and the joy of managing yet another isolated set of network adapters and making sure Exchange doesn’t perform DAG replication over them.
• I have to install the NetApp Storage Tools.
• I have to install the appropriate MPIO driver.
• I have to install the SnapDrive service, because if I don’t, the NetApp snapshot capability won’t interface with Windows VSS, and if I’m doing software VSS why the hell am I even using a SAN?
• I *should* install SnapManager for Exchange (although I don’t have to) so that my hardware VSS backups happen and I can use it as an interface to the rest of the NetApp protection products and offerings.
• I need to make sure my NetApp guy has the storage controllers installed and configured. Did I want redundancy on the NetApp controller? Upgrades get to be fun and I have to coordinate all of that to make sure they don’t cause system outage. I get to have lovely arguments with the NetApp storage guys about why they can’t just treat my LUNs the same way they treat the rest of them, yes I need my own aggregates and volumes and no please don’t give me the really expensive 15KRPM SAS drives that store a thimble because you’re going to make your storage guys pass out when they find out how many you need for all those LUNs and volumes (x2 because of your redundant DAG copies).[2]

Here’s the simple truth: SANs can be very reliable and stable. SANs can also be a single point of failure, because they are wicked expensive and SAN administrators and managers get put out with Exchange administrators who insist on daft restrictions like “give Exchange dedicated spindles” and “don’t put multiple copies of the same database on the same controller” and other party-pooping ways to make their imagined cost savings dwindle away to nothing. The SAN people have their own deployment best practices, just like Exchange people; those practices are designed to consolidate data for applications that don’t manage redundancy or availability on their own.

Every SAN I’ve ever worked with wants to treat all data the same way, so to make it reliable for Exchange you’re going to need to rock boats. This means more complexity (and money) and the SAN people don’t want complexity in their domain any more than you want it in yours. Unless you know exactly what benefits your solution will give you (and I’m not talking general marketing spew, I’m talking specific, realistic, quantified benefits), why in the world would you want to add complexity to your environment, especially if it’s going to start a rumble between the Exchange team and the SAN team that not even Jackie Chain and a hovercraft can fix?

Centralization and Silos

Over the past several years, IT pros and executives have heard a lot of talk about centralization. The argument for centralization is that instead of having “silos” or autonomous groups spread out, all doing the same types of things and repeating effort, you reorganize your operation so that all the storage stuff is handled by a single group, all the network stuff is handled by another group, and so on and so forth. This is another one of those principles and ideas that sounds great in theory, but can fall down in so many ways once you try to put it into practice.

The big flaw I’ve seen in most centralization efforts is that they end up creating artificial dependencies and decrease overall service availability. Exchange already has a number of dependencies that you can’t do anything about, such as Active Directory, networking, and other external systems. It is not wise to create even more dependencies when the Exchange staff doesn’t have the authority to deal with the problems those dependencies create but are still on the hook for them because the new SLAs look just like the old SLAs from the pro-silo regime.

Look, I understand that you need to realign your strategic initiatives to fully realize your operational synergies, but you can’t go do it half-assed, especially when you’re messing with business critical utility systems like corporate email. Deciding that you’re going to arbitrarily rearrange operations patterns without making sure those patterns match your actual business and operational requirements is not a recipe for long-term success.

Again, centralization is not automatically incompatible with Exchange. Doing it correctly, though, requires communication, coordination, and cross-training. It requires careful attention to business requirements, technical limitations, and operational procedures – and making sure all of these elements align. You can’t have a realistic 1-hour SLA for Exchange services when one of the potential causes for failure itself has a 4-hour SLA (and yes, I’ve seen this; holding Exchange metrics hostage to a virtualization group that has incompatible and competing priorities and SLAs makes nobody happy). If Exchange is critical to your organization, pulling the Exchange dependencies out of the central pool and back to where your Exchange team can directly operate on and fix them may be a better answer for your organization’s needs.

The centralization/silo debate is really just capitalism vs. socialism; strict capitalism makes nobody happy except hardcore libertarians, and strict socialism pulls the entire system down to the least common denominator[3]. The real answer is a blend and compromise of both principles, each where they make sense. In your organization, DAS and an Exchange silo just may better fit your business needs.

Management and Monitoring

In most Exchange deployments I’ve seen, this is the one area I consistently see neglected, so it doesn’t surprise me that it’s not more of an issue. Exchange 2010 does a lot to make sure the system stays up and operational, but it can’t manage everything. You need to have a good monitoring system in place and you need to have automation or well-written, thorough processes to handle dealing with common warnings and low-level errors.

One of the advantages of a SAN is that (at least on a storage level) much of this will be taken care of you. Every SAN system I’ve worked with not only built-in monitoring of state of the disks and the storage hardware, but has extensive integration with external monitoring systems. It’s really nice when at the same time you get notification that you’ve had a disk failure in the SAN that the SAN vendor has also been notified, so you know in the next day a spare will show up via FedEx (or even possibly brought by a technician who will replace it for you). This kind of service is not normally associated with DAS arrays.

However, even the SAN’s luscious – nay, sybaritic – level of notification luxury only protects you against SAN-level failures. SAN monitoring doesn’t know anything about Exchange 2010 database copy status or DAG cluster issues or Windows networking or RPC latency or CAS arrays or load balancer errors. Whether you deploy Exchange 2010 on a SAN or DAS offering, you need to have a monitoring solution that provides this kind of end-to-end view of your system. Low-end applications that rely on system-agnostic IP pings and protocol endpoint probes are better than nothing, but they aren’t a substitute for application-aware systems such as Microsoft System Center Operations Manager or some other equivalent that understand all of the components in an Exchange DAG and queries them all for you.

You also need to think about your management software and processes. Many environments don’t like having changes made to centralized, critical dependency systems like a SAN without going through a well-defined (and relatively lengthy) change management process. In these environments, I have found it difficult to get emergency disk allocations pushed through in a timely fashion.

Why would we need emergency disk allocations in an Exchange 2010 system? Let me give you a few real examples:

• Exchange-integrated applications[4] cause database-level corruption that drives server I/O and RPC latency up to levels that affect other users.
• Disk-level firmware errors cause disk failure or drops in data transfer rates. Start doing wide-scale disk replacements on a SAN and you’re going to drive system utilization through the roof because of all the RAID group rebuilds going on. Be careful which disks you pull at one time, too – don’t want to pull two or three disks out of the same RAID group and have the entire thing drop offline.
• Somebody else’s application starts having disk problems. You have to move the upper management’s mailboxes to new databases on unaffected disks until the problems are identified and resolved.
• A routine maintenance operation on one SAN controller goes awry, taking out half of the database copies. There’s a SAN controller with some spare capacity, but databases need to be temporarily consolidated so there is enough room for two copies of all the databases during the repair on the original controller.

Needless to say, with DAS arrays, you don’t have to tailor your purchasing, management, and operations of Exchange storage around other applications. Yes, DAS arrays have failures too, but managing them can be simpler when the Exchange team is responsible for operations end-to-end.

Backup, Replication, and Resilience

The big question for you is this: what protection and resilience strategy do you want to follow? A lot of organizations are just going on auto-pilot and using backups for Exchange 2010 because that’s how they’ve always done it. But do you really, actually need them?

No, seriously, you need to think about this.

Why do you keep backups for Exchange? If you don’t have a compelling technical reason, find the people who are responsible for the business reason and ask them what they really care about – is it having tapes or a specific technology, or is it the ability to recover information within a specific time window? If it’s the latter, then you need to take a hard look at the Exchange 2010 native data protection regime:

• At least three database copies
• Increased deleted item/deleted mailbox recovery limits
• Recoverable items and hold policies
• Personal archives and message retention
• Lagged database copies

If this combination of functionality meets your needs, you need to take a serious look at a DAS solution. A SAN solution is going to be a lot more expensive for the storage options to begin with, and it’s going to be even more expensive for more than two copies. None of my customers deployed more than two copies on a SAN, because not only did they have to budget for the increased per-disk cost, but they would have to deploy additional controllers and shelves to add the appropriate capacity and redundancy. Otherwise, they’d have had multiple copies on the same hardware, which really defeats the purpose. At that point, DAS becomes rather attractive when you start to tally up the true costs of the native data protection solution.

So what do you do if the native data protection isn’t right for you and you need traditional backups? In my experience, one of the most compelling reasons for deploying Exchange on a SAN is the fantastic backup and recovery experience you get. In particular, NetApp’s snapshot-based architecture and SME backup application head the top of my list. SME includes a specially licensed version of the Ontrack PowerControls utility to permit single mailbox recovery, all tied back into NetApp’s kick-ass snapshots. Plus, the backups happen more quickly because the VSS provider is the NetApp hardware, not a software driver in the NTFS file system stack, and you can run the ESE verification off of a separate SME server to offload CPU from the mailbox servers. Other SAN vendors offer some sort of integrated backup option of some equivalency.

The only way you’re going to get close to that via DAS is if you deploy Data Protection Manager. And honestly, if you’re still replying on tape (or cloud) backups, I really recommend that you use something like DPM to stage everything to disk first so that backups from your production servers are staging to a fast disk system. Get those VSS locks dealt with as quickly as possible and offload the ESE checks to the DPM system. Then, do your tape backups off of the DPM server and your backup windows are no longer coupled to your user-facing Exchange servers. That doesn’t even mention DPM’s 15-minute log synchronization and use of deltas to minimize storage space on its own storage pool. DPM has a lot going for it.

A lot of SANs do offer synchronous and asynchronous replication options, often at the block level. These sound like good options, especially to enhance site resiliency, and for other applications, they often can be. Don’t get suckered into using them for Exchange, though, unless they are certified to work against Exchange (and if it’s asynchronous replication, it won’t be). A DAS solution doesn’t offer this functionality, but that’s no loss in this column; whether you’re on SAN or DAS, you should be replicating via Exchange. Replicating using the SAN block-level replication means that the replication is happening without Exchange being aware of it, which means depending on when a failure happens, you could in the worst case end up with a corrupted database replica volume. Best case, your SAN-replicated database will not be in a consistent state, so you will have to run ESEUTIL to perform a consistency check and play log files forward before mounting that copy. If you’re going to that, why are you running Exchange 2010?

Now if you need a synchronous replication option, Exchange 2010 includes an API to allow a third-party provider to replace the native continuous replication capability. As far as I know, only one SAN vendor (EMC) has taken advantage of this option, so your options are pretty clear in this scenario.

Conclusion

We’ve covered a lot of ground in this post, so if you’re looking for a quick take-away, the answer is this:

Determine what your real requirements are, and pick your technology accordingly. Whenever possible, don’t make choices by technology or cost first without having a clear and detailed list of expected benefits in hand. You will typically find some requirement that makes your direction clear.

If anyone tells you that there’s a single right way to do it, they’re probably wrong. Having said that, though, the more I’ve seen over the past couple of years, the more people deviate from the Microsoft sweet spot, the more design compromises they’ve made when perhaps they didn’t have to. Inertia and legacy have their place but need to be balanced with innovation and reinvention.

[1] Not a typo, I’m just showing off my Unix roots. The fsck utility (file system check) helps fix inconsistencies in the Unix file systems. Think chkdsk.

[2] Can you tell I’ve been in this rodeo once or twice? But I’m not bitter. And I do love NetApp because of SME, I just realize it’s not the right answer for everyone.

[3] Yes, I did in fact just go there. Blame it on the nearly two years of political crap we’ve suffered in the U.S. for this election season. November 6th can’t come soon enough.

[4] The application in this instance was an older version of Microsoft Dynamics CRM, very behind on its patches. There was a nasty calendar corruption bug that made my customer’s life hell for a while. The solution was to upgrade CRM to the right patch level, then move all of the affected mailboxes (about 40% of the users) to new databases. We didn’t need to have a lot of new databases, as we could move them in a swing fashion, but in order to get it done in a timely fashion we needed to provision enough LUNs to have enough databases and copies that we could get the process done in a timely fashion. Each swing cycle took about two weeks because of change management when we could have gotten it done much sooner.

The post Attached To You: Exchange 2010 Storage Essays, part 3 appeared first on Devin on Earth.

Update: We’re around $1,365 or so, give or take some pending funds from current fundraising efforts and some pledges we’ve not yet receiving but are expecting. Thank you to everyone who has helped us out so far!

The post Alaric’s Fundraising Progress appeared first on Devin on Earth.

After replicating creating public folder replicas on Exchange 2010 public folder databases and ensuring that the public folders were starting to replicate, my colleague received notice that specific mail-enabled public folders weren’t getting incoming mail content. Lo and behold, the HT queues were full of thousands of public folder replication messages, all queued up.

After looking at the event logs and turning up the logging levels, my colleague noticed that they were seeing a lot of the 4.3.2 STOREDRV.Deliver; recipient thread limit exceeded error message mentioned in the Microsoft Exchange team blog post Store Driver Fault Isolation Improvements in Exchange 2010 SP1. Adding the RecipientThreadLimit key and setting it to a higher level helped temporarily, but soon the queues would begin backing up again.

At that point, my colleague called me for some suggestions. We talked over a bunch of things to check and troubleshooting trees to follow depending on what he found. Earlier tonight, I got an email confirming the root cause was identified. I was not surprised to find out that the cause turned out to be something relatively basic. Instead of just telling you what it was though, I want you to tell me which of the following options YOU think it is. I’ll follow up with the answer on Monday, 10/15.

The post Can You Fix This PF Problem? appeared first on Devin on Earth.

Many of you know that my son Alaric has been involved in Scouting for many years. Despite my own issues with the Scouting organization’s policies[1], we’ve seen a lot of benefits from Alaric’s involvement. There are some really great boys and adults we’ve met through Scouting and my boy has learned and grown a lot. He’s currently a Star Scout and an Ordeal member of the Order of the Arrow, and has been serving as a patrol leader for a year. Alaric is well on his way to Life Scout by the end of the year and has given himself a goal of becoming an Eagle Scout by the end of summer 2013.

Alaric receiving four merit badges

Next summer, Alaric has the opportunity to have the kind of summer adventure that every Boy Scout can only dream of:

• It’s time for the National Scout Jamboree. This event typically takes place once every 4 years. This year is particularly cool because it will be the first jamboree held on the new Summit grounds in West Virginia’s Bechtel Reserve wilderness area, Scouting’s new permanent jamboree home and high adventure base.
• Alaric’s troop will be heading to Philmont Scout Ranch in New Mexico, Scouting’s oldest and most famous high adventure backpacking camp. It can take years for troops to get a slot to come to Philmont for a mountain adventure.

Both of these events are usually once-in-a-lifetime events for most Boy Scouts. The fact that Alaric has the chance to go to both is amazing and requires an immense amount of commitment and dedication from him (and us).

Unfortunately, my getting laid off in July threw a huge wrench into the fund-raising portion of this adventure. The total cost to participate in both events, including airline tickets and required gear upgrades, is going to be around $5,000 for our family. If I had a steady job, this wouldn’t have been a problem — we’d have covered half and Alaric could have motored through fund raisers with his troops to get the rest covered. He’s already raised over $600 just through mowing lawns, odd jobs, and even a garage sale.

Even if you don’t want to donate to Scouting — are you willing to invest in my son? The typical Scouting fundraiser is through the sales of Trail’s End popcorn products. Trail’s End is an amazing outfit that makes online sales very easy, they produce fantastic popcorn, and they offer the choice for making donations to help send popcorn to active-duty military units.

Alaric’s popcorn pitch letter can be seen below:

Dear Dad’s Reader,

Did you know you can help send me to the National Jamboree? Just click here and place an order on my behalf. There are all kinds of products to choose from, and every product has better flavor and is better for you.

Plus, you won’t just be helping me go to Jamboree. 70% of your purchase will benefit Scouting in my area and help more kids experience all the things that make Scouting great. It’s a situation where everyone wins.

Thanks for your support,

Alaric

P.S. If you cannot click on the link above, copy and paste this full URL:
http://www.trails-end.com/shop/scouts/email_referral.jsp?id=3440240

If you would rather donate to Alaric directly, contact me using the form below.

If you’re still with me this far, thanks for reading and for your support.

[1] I have two main issues. The first is that they discriminate against gay boys, girls (several programs for older youth are co-ed), and leaders. The second is that their religious requirements discriminate against boys who are atheists or agnostic yet are willing to investigate a religion in the spirit of understanding and tolerance. Look at Girl Scouts to see how these issues can be dealt with sensibly.

The post Alaric’s Summer of Awesome appeared first on Devin on Earth.

When Office 2007 was still in beta back in 2006, Microsoft released optional patches to Office 2003 to allow it to open and save the new file formats. Over time, these patches got included in Windows Update, so if you still have Office 2003 but have been updating, you probably have this capability today. Office 2003 can’t open these newer documents with 100% fidelity, but it’s good enough to get the job done. And if you’re on earlier versions of Office for Word, Microsoft hasn’t forgotten you; Office 2000 and Office XP (2002) users can also download the Compatibility Pack.

What boggles me are some of the comments on the ZDNet article. I can’t understand why anyone would think this was a bad idea:

• The legacy formats are bloated and ill-defined. As a result, files saved in those format are more prone to corruption over the document lifecycle, not to mention when moving through various import/export filters. Heck, just opening them in different versions of Word can be enough to break the files.
• The legacy formats are larger — much larger — than the new formats. Between the use of standard ZIP compression (the new format documents are actually an archive file containing a whole folder/file structure inside) along with smart use of XML rather than proprietary binary data, the new formats can pack a lot more data into the same space. Included picture files, for example, can be stored in compressible formats rather than as space-hogging uncompressible bitmaps.
• The legacy formats are safer. Macro information is safely stored away from the actual data in the file, and Office (at least) can block the loading and saving of macro information from a variant of these files.

For many companies it would simply be cost-prohibitive to convert legacy files into the new formats…but it might not be a bad idea for critical files. Nowadays, I personally try to make sure I’m only writing new format Office files unless the people I am working with specifically ask for one of the legacy formats. I’m glad to see that Google is doing the right thing in helping make these legacy formats nothing more than a historical footnote — and I’d love to see Microsoft remove write support for them in Office 2013.

The post Forced Obsolescence appeared first on Devin on Earth.

I ended up not hitting the conference center until a bit after noon, just in time to brave lunch. What would a Microsoft conference be without the dreaded salmon meal? At that point, my stomach rebelled and my head agreed, so I wandered back to the MVP area and chatted until it was time to head upstairs to my room for my last session at 1pm.

Big thanks to everyone who showed up for the session. I took some of the feedback from Day 2, and combined with my increased mellowness from the migraine, I made some changes to the structure of the session and clarifications to the message I wanted the attendees to walk away with. We had what I thought was a brilliant session. Apparently, I do my best work while in pain.

After that, it was down to the expo floor for a quick round of good-byes, then off to catch my shuttle to Orlando International Airport. I was able to get checked in with more than enough time for a leisurely meal, then on to gate 10 where I met up with various other MEC attendees on their way back home to Seattle.

WHAT AN AMAZING CONFERENCE. I had SO much fun, even with missing essentially all of Day 3 and the wonderful sessions that I’d planned to sit into. My apologies for the missed Twitter stream that day.

We’ll have to do this again next year. I hope you’ll be there!

The post MEC Day 3 appeared first on Devin on Earth.

Windows 8: Why IT admins don’t know best by Mary Branscombe

The gist of it is that IT departments spend a lot of time and effort trying to stop users from doing things with technology when they would often be better served enabling users. Users these days are not shy about embracing new technology, and Mary argues that users find creative ways around IT admins who are impediments:

The reality is that users are pushing technology in the workplace — and out of it. The Olympics has done more to advance flexible and remote working than a decade of IT pilot projects.

What got her going is the tale of an IT admin who found a way to disable, via Group Policy, the short tutorial that users are given on navigating Windows 8 the first time they log on.

I see this behavior all the time from admins and users – admins say “No” and users say “Bet me.” Users usually win this fight, too, because they are finding ways to get their work done. A good admin doesn’t say “No” – they say, “Let me help you find the best way to get that done.”

Mary finishes with this timely reminder:

See something new in Windows 8? If your first impulse is to look for a way to turn it off, be aware that you’re training your users to work around you.

What a refreshing dose of common sense.

The post And @marypcbuk Nails IT appeared first on Devin on Earth.

• The day started off with a keynote by Microsoft Distinguished Engineer Perry Clarke, head of Exchange Software Development. Perry does a blog called Ask Perry which regularly includes a video feature, Geek Out With Perry. The keynote was done in this format. The latter half was quite good, but the first half was a little slow and (I thought) lightweight for a deeply technical conference such as MEC. However, that could just have been a gradual wake-up for the people still recovering from last night’s attendee party of Universal’s Islands of Adventure theme park.
• After a short break, we were off to the interactive sessions! I got caught up in a conversation and made it to my first session a few minutes late – and wasn’t able to enter, as the room was at capacity. So, I missed Jeff Mealiffe’s session on virtualizing Exchange 2013, much to my annoyance. Instead I headed down to the exhibit floor and hung out in the MVP area, talking with a bunch of folks (including one my homies from MCM R1).
• At lunch I caught up with some old friends – one of the best reasons for coming.
• After lunch, I squeezed (and by squeezed I am being literal; we were crammed into the room like sardines) into Bill Thompson’s session on the Exchange 2013 transport architecture. WOW. Some bold changes made, but I think they’re going to be good changes.
• At 3:00, my time at the front of the room had come and I gave my first session of my Exchange 2010 virtualization lessons learned. Mostly full room and there were some good questions. I received some interesting feedback later, so will be wrapping that into tomorrow’s repeat presentation.
• My last session of the day was Greg Taylor’s session on Exchange 2013 load balancing. Again, lots of good surprises and changes, and as always watching Greg in action was entertaining and informative. This is, after all, the man who talks about Exchange client access using elephant’s asses.
• Afterwards, I caught up with former co-workers and enjoyed a couple of beers at MAPI Hour in the lovely central atrium of the Gaylord Palms Hotel, then went out to dinner (fantastic burger at the Wrecker’s Sports Bar). Capped the night off with a sundae.

Two down, one more to go. What a fantastic time I’ve been having!

The post MEC Day 2 appeared first on Devin on Earth.

I decided to live tweet my sessions. I did a good job too – my Twitter statistics are telling me that I’ve sent 258 tweets! If any of my Facebook friends are still bothering to read my automatic Twitter-to-Facebook updates..shit, sorry. Two more days to go and you know I can’t be nearly as prolific today or Wednesday because I’m presenting a session each day:

• E14.310 Three Years In: Looking Back At Virtualizing Exchange 2010
  Tuesday, September 25 2012 3:00 PM – 4:15 PM in Tallahassee 1
• E14.310R1 Three Years In: Looking Back At Virtualizing Exchange 2010
  Wednesday, September 26 2012 1:00 PM – 2:15 PM in Tallahassee 1

Monday was the “all Microsoft, all Exchange 2013” day with typical keynotes and breakouts. Today, we start the “un-conference” – smaller, more interactive sessions, led by members of the community like myself. Today and tomorrow will be a lot more peer-to-peer…which will be fun.

See you out there! Drop me a note or track me down to let me know if you read my blog or have a question you’d like me to answer!

The post MEC Day 1 appeared first on Devin on Earth.

Intel Corporation: Pull your financial support until the Boy Scouts pull their anti-gay policy http://www.change.org/petitions/intel-corporation-pull-your-financial-support-until-the-boy-scouts-pull-their-anti-gay-policy … via @change

I was asked if I thought that it was better for Scouting to lose funds. I was asked how doing this would help the boys in Scouting. I was told that it was abusive and manipulative to use funding to try to effect change in Scouting’s policies over what is a relatively minor matter.

I am a former Boy Scout, my son is a Boy Scout, I have just been registered as an adult Scouter, and my daughter is looking at joining a Venture crew sometime in the next year. I think that Scouting is a fantastic youth program. So how can I support Scouts while calling for Intel to defund them?

I have two main reasons to support the petition to Intel.

Reason 1: Choices have consequences

The value of Scouting isn’t just the outdoor skills and learning how to handle yourself in the wilderness; it’s in the character formation that goes along with the outdoor program. Scouting teaches principles and duty. Scouting youth often drop out when they hit a certain age because of the peer pressure they’re getting by being different, by standing up for their beliefs and values. The kids who stay in Scouting learn that making a stand comes with consequences. It is precisely this kind of character formation that many former Scouts go on to say is the most valuable lesson they learn from Scouting.

The national Scouting organization has now said multiple times that they see having gay Scouts and Scouters as somehow being incompatible with Scouting ideals. Intel and the other companies identified in this article by Andy Birkey on The American Independent (linked to from the petition, BTW) have made their policies on charitable donations crystal clear. These policies are not new. These companies need to make sure their house is in order by verifying that their giving is in line with their policies (as the ones in orange have done). However, Scouting has a responsibility here too. By continuing to accept money from organizations such as Intel in violation of their stated donation guidelines, I believe that Scouting is sending the message that money is more important than principles. I’ve heard a lot of justification for accepting the money, but when it comes right down to it, taking donations from these companies when you don’t comply with their guidelines is hypocrisy, plain and simple. I think Scouting is better than that.

Whether I agree with the national organization’s stance on gay Scouts/Scouters or not, I think the unwritten message is doing more harm in the long run that the immediate defunding would do. I’m confident that should Scouting actually have the courage to turn down this money, alternate funding sources would quickly emerge in today’s polarized climate. Look at the Chik-Fil-A protests and responses if you doubt me. So no, I’m not worried that there would be long-term financial damage to Scouting.

It’s not like this is a theoretical situation for my family. Our local troop enjoys a high level of funding thanks to Microsoft matching contributions to the men and women who volunteer as our Scouters and committee members, many of whom are full-time Microsoft employees. I suspect that Microsoft’s policies are actually the same as Intel’s, based on their publicly stated policies for software donations to charities. If Microsoft were to stop funding Scouting (or Scouting were to stop taking Microsoft dollars because of this policy) our troop would be directly and severely affected.

I personally know at least two gay Scouters, and I suspect I know more. Scouting would somehow find the money to replace the lost donations. I don’t know how they’d replace the people I’m thinking of.

I’ve talked this over with my son on multiple occasions. When we discussed this particular petition and the fact that I was going to publicly support it, we talked about the implications. I asked him if he had any concerns. His response: “Do it, Dad. Scouting needs a kick in the ass.” (Yes, he’s my kid.)

And if you think I’m somehow being abusive or manipulative for supporting the use of defunding as a tool for policy change, go back to that Birkey article:

In a brief filed in the landmark case of Boy Scouts of America v. Dale, a lawyer for the LDS Church warned that the church would leave the scouts if gays were allowed to be scout leaders.

“If the appointment of scout leaders cannot be limited to those who live and affirm the sexual standards of BSA and its religious sponsors, the Scouting Movement as now constituted will cease to exist,” wrote Von G. Keetch on behalf of the LDS Church and several other religious organizations in 2000. “The Church of Jesus Christ of Latter-day Saints — the largest single sponsor of Scouting units in the United States — would withdraw from Scouting if it were compelled to accept openly homosexual Scout leaders.”

According to the Chartered Organizations and the Boy Scouts of America fact sheet, as of December 31, 2011 there are over 100,000 chartered Scouting units, with nearly 7/10 of them chartered by religious organizations. In the tables in that fact sheet, we see data on the top 25 religious charterers, top 20 civic charterers, and the educational charterers – giving us data on 55,100 units (just over half) and 1,031,240 youth. According to this data, the LDS Church sponsors almost 35% of the Scouting units in the BSA. Yet, according to this same data, they have only 16% of the actual youth in Scouting. The youth-to-unit average for the LDS Church is a mere 11.1, which is the lowest of any organization (or group of organizations) listed in the fact sheet data.

Several of the organizations on that list, including the next largest religious sponsor (the United Methodist Church – 11,078 units, 371,491 youth, 33.5 youth per unit, 10% of the total units, and 14% of the total youth) would support and welcome gay Scouts and Scouters. The LDS Church gets to be vocal about it because of that 1/3 number of units – that translates into money for Scouting. This kind of ultimatum is in fact what manipulative behavior (using the threat of defunding) looks like.

Reason 2: People who see a problem need to be part of the solution

I’m continuing to get more involved with Scouting for one simple reason: I believe that if I see something I think is wrong, I need to be part of the solution. I don’t think it’s right that Scouting be in a position where it can have its cake and eat it too. However, I’m not going to throw the baby out with the bathwater; I see the incredible value the Scouting program gives to young men (and the young women who participate in the Venturer program).

My own religious beliefs and principles move me to be more involved precisely because I think Scouting needs more Scouts and Scouters who are open about their support for changing these policies. I know people who gave up on Scouting; I refuse to be one of them.

I want Scouting to change its policies, but I’m willing to keep being a part of it during those changes. I’m not trying to take my bat and ball and go home if the game doesn’t go my way. I want Scouts to continue producing young people of character for future generations.

Want to see the data I’m looking at? I got the fact sheet from the link stated above, brought the data in Excel, and added formulas for unit/youth ratios and percentages. I’ve put this spreadsheet online publicly via SkyDrive.

The post The BSA Funding Hornet’s Nest appeared first on Devin on Earth.

Microsoft finally confirmed that information. Although the TMG product will receive mainstream support until April 14, 2015 (a little bit more than 2.5 years from time of writing), it will no longer be available for sale come December 1, 2012.

Why do Exchange people care? Because TMG was the simple, no-brainer solution for environments that needed a reverse proxy in a DMZ network. Many organizations can’t allow incoming connections from the Internet to cross into an interior network. TMG provided protocol-level inspection and NAT out of the box, and could be easily configured for service-aware CAS load balancing and pre-authentication. As I said, no-brainer.

TMG had its limitations, though. No IPv6 support, poor NAT support, and an impressively stupid inability to proxy all non-HTTP protocols in a one-armed configuration. The “clustered” enterprise configuration was sometimes a pain-in-the ass to troubleshoot and work with when the central configuration database broke (and it seemed more fragile than it should be).

The big surprise for me is that TMG shares the chopping block with the on-server Forefront protection products for Exchange, SharePoint, and Lync/OCS. I personally have had more trouble than I care for with the Exchange product — it (as you might expect) eats up CPU like nobody’s business, which made care and feeding of Exchange servers harder than it needed to be. Still, to only offer online service — that’s a telling move.

The post TMG? Yeah, you knew me! appeared first on Devin on Earth.

• Changed the primary URL of the site from www.thecabal.org to www.devinonearth.com. This is actually something I’ve been wanting to do for a long time, to reflect the site’s really awesome branding. Devin on Earth has long been its own entity that has no real connection to my original web site.
• Added a secondary URL of www.devinganger.com to the site. This is a nod toward the future as I get fiction projects finished and published – author domains are a good thing to have, and I’m lucky mine is unique. Both www.devinganger.com and www.thecabal.org will keep working, so no links will ever go stale.

As a final aside, this is the 600th post on the site. W00t!

The post Duke of URL appeared first on Devin on Earth.

1. Client rendering is moved from the Client Access role to the Mailbox role. (TechNet) Yes, this means some interesting architectural changes to SMTP, HTTP, and RPC, but I think it will help spread load out to where it should be – the server that host active users’ mailboxes.
2. The Client Access role is now a stateless proxy. (TechNet) This means we no longer need an expensive L7 load balancer with all sorts of fancy complicated session cookies in our HTTP/HTTPS sessions. It means a simple L4 load balancer is enough to scale the load for thousands of users based solely on source IP and port. No SSL offload required!
3. The routing logic now recognizes DAG boundaries. (TechNet) This is pretty boss – members of a DAG that are spread across multiple sites will still act as if they were local when routing messages to each other. It’s almost like the concept of routing groups has come back in a very limited way.
4. No more MAPI-RPC over TCP. (TechNet) Seriously. Outlook Anywhere (aka RPC over HTTPS) is where it’s at. As a result, Autodiscover for clients is mandatory, not just a really damn good idea. Firewall discussions just got MUCH easier. Believe it or not, this simplifies namespace and certificate planning…
5. Public folders are now mailbox content. (TechNet) Instead of having a completely separate back-end mechanism for public folders, they’re now put in special mailboxes. Yes, this means they are no longer multi-master…but honestly, that causes more angst than it solves in most environments. And now SharePoint and other third-party apps can get to public folder content more easily…

There are a few things I’m not as wild about, but this is a preview and there’s no point kvetching about a moving target. We’ll see how things shake down.

I’m looking forward to getting a deeper dive at MEC in a couple of weeks, where I’ll be presenting a session on lessons learned in virtualizing Exchange 2010. Are you planning on attending?

Have you had a chance to play with Exchange 2013 yet, or at least read the preview documentation? What features are your favorite? What changes have you wondering about the implications? Send me an email or comment and I’ll see if I can’t answer you in a future blog post!

The post My Five Favorite Features of Exchange Server 2013 Preview appeared first on Devin on Earth.

The steps are pretty simple:

1. Download and install the tool.
2. Download the ISO image of the version of Windows you want to install (Windows 7 and 8 for sure, I believe it works with Windows Server 2008 R2 and Windows Server 2012 RC as well).
3. Plug in a USB stick (8GB or larger recommended) that is either blank or has no data on it you want to keep (it will be reformatted as part of the process).
4. Run the tool and pick the ISO image.
5. Select the USB drive (note that this tool can also burn the ISO to DVD).
6. Wait for the tool to reformat the USB stick, copy the ISO contents to the stick, and make it bootable.

Everything was going fine for me until I got to step 6. The tool would format the USB stick, and then it would immediately fail before beginning the file copy:

Redmond, we have a problem…

At first I was wondering if it was related to UAC (it wasn’t) or a bad ISO image (it wasn’t). So I plugged the appropriate search terms into Bing and away we went, where I finally found this thread on the TechNet forums, which led me to this comment in the thread (wasn’t even marked as the solution, although it sure should have been):

We ran across this same "Error during backup., Usb; Unable to set active partition. Return code 87" with DataStick Pro 16 GB USB sticks. The Windows 7 DVD/USB Download Tool would format and then fail as soon as the copy started.

We ended up finding that the USB stick has a partition that starts at position 0 according to DiskPart. We used DiskPart to select the disk that was the USB, then ran Clean, then created the partition again. This time it was at position 1024. The USB stick was removed then reinserted and Windows prompted to format the USB stick, answer Yes.

The Windows 7 DVD/USB Download Tool was now able to copy files.

So, here’s the process I followed:

Follow my simple step-by-step instructions. I make hacking FUN!

To do it yourself, launch a command window (either legacy CMD or PowerShell, doesn’t matter) with Administrator privileges and type diskpart to fire up the tool:

1. LIST DISK gives a listing of all the drives attached to the system. At this point, no disk is selected.
2. I have a lot of disks here, in part because my system includes an always-active 5-in-1 card reader (disks 1 through 5 that say no media). I also have an external USB hard drive (230GB? How cute!) at disk 6. Disk 7, however — that’s the USB stick. Note that the "free" column is *not* showing free space on the drive in terms of file system — it’s showing free space that isn’t allocated to a partition/volume.
3. Diskpart, like a lot of Microsoft command-line tools, often requires you to select a specific item for focus, at which point other commands that you run will then run against the currently focused object. Use SELECT DISK to set the focus on your USB stick.
4. Now that the USB stick has focus, the LIST PART command will run against the selected disk and show us the partitions on that disk.
5. Uh-oh. This is a problem. With a zero-byte offset on that partition (USB sticks typically only have a single partition) that means there’s not enough room for that partition to be marked bootable and for the boot loader to be put on the disk. The volume starts at the first available byte. Windows needs a little bit of room — typically only one megabyte — for the initial boot loader code (which then jumps into the boot code in the bootable disk partition).
6. So, let’s use CLEAN to nuke the partitions and restore this USB stick to a fully blank state.
7. Use LIST PART again (still focused on the disk object) confirms that we’ve removed the offending partition. You can create a new partition in diskpart but I happened to have the Disk Manager MMC console open already as part of my troubleshooting, so that’s what I used to create the new partition.
8. Another LIST PART to confirm that everything is the way it should be…
9. Yup! Notice we have that 1 MB offset in place now. There’s now enough room at the start of the USB stick for the boot loader code to be placed.
10. Use EXIT to close up diskpart.

This time, when I followed the steps with the Download Tool, the bootable USB stick was created without further ado. Off to install Windows 8!

The post Can’t make a bootable USB stick for Windows 8? Join the club! appeared first on Devin on Earth.

No, I am no longer with Trace3. No, this was not my decision — I was happy with my position and work and was excited about what was happening there. At the same time, this was not a complete shock. I’m not at liberty to go into it (and even if I were, I don’t think I would anyway) but all living organisms (including vibrant corporations) change, and while many of those changes are good for the organism as a whole, they aren’t always so great for individual cells.

I have no hard feelings. I had a fantastic time at Trace3 and have learned a lot. I wish everyone there all the success in the world and am reasonably confident they’ll grab it. At the same time, there were some aspects of my fit at Trace3 that could have been improved on. Always being remote with no local co-workers, for one — that was a definite downer.

I’m feeling confident in my ability to find my next job. I have some exciting opportunities under way. In the meantime, though, if you have a lead or opportunity, let me know — and yes, that does include the potential for 1099 independent consulting work.

The post Back on the market appeared first on Devin on Earth.

The Problem: Verisign certificates cause Exchange publishing problems

So here’s the scenario: you’re deploying Exchange 2010 (or some other version, this is not a version-dependent issue with Exchange) and you’re using a Verisign certificate to publish your client access servers. You may be using a load balancer with SSL offload or pass-through, a reverse proxy like TMG 2010, some combination of the above, or you may even be publishing your CAS roles directly. However you publish Exchange, though, you’re running into a multitude of problems:

• You can’t completely pass ExRCA’s validation checks. You get an error something like:  The certificate is not trusted on any version of Windows Phone device. Root = CN=VeriSign Class 3 Public Primary Certification Authority – G5, OU=”(c) 2006 VeriSign, Inc. – For authorized use only”, OU=VeriSign Trust Network, O=”VeriSign, Inc.”, C=US
• You have random certificate validation errors across a multitude of clients, typically mobile clients such as smartphones and tablets. However, some desktop clients and browsers may show issues as well.
• When you view the validation chain for your site certificate on multiple devices, they are not consistent.

These can be very hard problems to diagnose and fix; the first time I ran across it, I had to get additional high-level Trace3 engineers on the call along with the customer and a Microsoft support representative to help figure out what the problem was and how to fix it.

The Diagnosis: Cross-chained certificates with an invalid root

So what’s causing this difficult problem? It’s your basic case of a cross-chained certificate with an invalid root certificate. “Oh, sure,” I hear you saying now. “That clears it right up then.” The cause sounds esoteric, but it’s actually not hard to understand when you remember how certificates work: through a chain of validation. Your Exchange server certificate is just one link in an entire chain. Each link is represented by an X.509v3 digital certificate that is the footprint of the underlying server it represents.

At the base of this chain (aka the root) is the root certificate authority (CA) server. This digital certificate is unique from others because it’s self-signed – no other CA server has signed this server’s certificate. Now, you can use a root CA server to issue certificates to customers, but that’s actually a bad idea to do for a lot of reasons. So instead, you have one or more intermediate CA servers added into the chain, and if you have multiple layers, then the outermost layer are the CA servers that process customer requests. So a typical commercially generated certificate has a validation chain of 3-4 layers: the root CA, one or two intermediate CAs, and your server certificate.

Remember how I said there were reasons to not use root CAs to generate customer certificates? You can probably read up on the security rationales behind this design, but some of the practical reasons include:

• The ability to offer different classes of service, signed by separate root servers. Instead of having to maintain separate farms of intermediate servers, you can have one pool of intermediate servers that issue certificates for different tiers of service.
• The ability to retire root and intermediate CA servers without invalidating all of the certificates issued through that root chain, if the intermediate CA servers cross-chain from multiple roots. That is, the first layer intermediate CA servers’ certificates are signed by multiple root CA servers, and the second layer intermediate CA servers’ certificates are signed by multiple intermediate CA servers from the first layer.

So, cross-chaining is a valid practice that helps provide redundancy for certificate authorities and helps protect your investment in certificates. Imagine what a pain it would be if one of your intermediate CAs got revoked and nuked all of your certificates. I’m not terribly fond of having to redeploy certificates for my whole infrastructure without warning.

However, sometimes cross-chained certificates can cause problems, especially when they interact with another feature of the X.509v3 specification: the Authority Information Access (AIA) certificate extension. Imagine a situation where a client (such as a web browser trying to connect to OWA), presented with an X.509v3 certificate for an Exchange server, cannot validate the certificate chain because it doesn’t have the upstream intermediate CA certificate.

If the Exchange server certificate has the AIA extension, the client has the information it needs to try to retrieve the missing intermediate CA certificate – either retrieving it from the HTTPS server, or by contacting a URI from the CA to download it directly. This only works for intermediate CA certificates; you can’t retrieve the root CA certificate this way. So, if you are missing the entire certificate chain, AIA won’t allow you to validate it, but as long as you have the signing root CA certificate, you can fill in any missing intermediate CA certificates this way.

Here’s the catch: some client devices can only request missing certificates from the HTTPS server. This doesn’t sound so bad…but what happens if the server’s certificate is cross-chained, and the certificate chain on the server goes to a root certificate that the device doesn’t have…even if it does have another valid root to another possible chain? What happens is certificate validation failure, on a certificate that tested as validated when you installed it on the Exchange server.

I want to note here that I’ve only personally seen this problem with Verisign certificates, but it’s a potential problem for any certificate authority.

The Fix: Disable the invalid root

We know the problem and we know why it happens. Now it’s time to fix it by disabling the invalid root.

Step #1 is find the root. Fire up the Certificates MMC snap-in, find your Exchange server certificate, and view the certificate chain properties. This is what the incorrect chain has looked like on the servers I’ve seen it on:

The invalid root CA server circled in red

That’s a not very helpful friendly name on that certificate, so let’s take a look at the detailed properties:

Meet “VeriSign Class 3 Public Primary Certification Authority – G5”

Step #2 is also performed in the Certificates MMC snap-in. Navigate to the Third-Party Root Certification Authorities node and find your certificate. Match the attributes above to the certificate below:

Root CA certificate hide and seek

Right-click the certificate and select Properties (don’t just open the certificate) to get the following dialog, where you will want to select the option to disable the certificate for all purposes:

C’mon…you know you want to

Go back to the server certificate and view the validation chain again. This time, you should see the sweet, sweet sign of victory (if not, close down the MMC and open it up again):

Working on the chain gang

It’s a relatively easy process…so where do you need to do it? Great question!

The process I outlined obviously is for Windows servers, so you would think that you can fix this just on the the Exchange CAS roles in your Internet-facing sites. However, you may have additional work to do depending on how you’re publishing Exchange:

• If you’re using a hardware load balancer with the SSL certificate loaded, you may not have the ability to disable the invalid root CA certificate on the load balancer. You may simply need to remove the invalid chain, re-export the correct chain from your Exchange server, and reinstall the valid root and intermediate CA certificates.
• If you’re publishing through ISA/TMG, perform the same process on the ISA/TMG servers. You may also want to re-export the correct chain from your Exchange server onto your reverse proxy servers to ensure they have all the intermediate CA certificates loaded locally.

The general rule is that the outermost server device needs to have the valid, complete certificate chain loaded locally to ensure AIA does its job for the various client devices.

Let me know if this helps you out.

The post Beating Verisign certificate woes in Exchange appeared first on Devin on Earth.

I can hear some of you (both of you still reading, thank you loyal fans) asking what finally brought me back, and I have to say it’s a rant. A rant about autism (and Asperger’s, and the rest of the spectrum), how it is perceived, and how trendy equals insensitive. You have been warned.

Hip To Be Square

After karate class tonight on the drive home, Steph was reading through Facebook (something I do but occasionally these days, having overdosed myself on social media some time ago) and came across the following comment on a mutual friend’s post:

Yes, that really does say that stupid thing

For some reason, this really punched my buttons. I don’t know much about the person who posted it. I don’t know if they’re a fellow spectrum traveller or not. I don’t know how many close friends or family members they have who have autism. To a certain extent, it really doesn’t matter, because this comment is a textbook illustration of a fallacy that I’m seeing more and more:

If geeks are cool, and a lot of geeks are autistic, they must be cool because they are autistic.

This is a fallacy because it is the living embodiment of failure to grasp proper logic and set theory. This growing "Autism Is The New Cool" meme (AITNC for those of us who adore our acronyms), for lack of a better word, is reaching stupid proportions.

Venn We Dance

Now listen up, because if you’d paid attention in Algebra the first time, I wouldn’t have to be telling you this shit now.

What we are talking about here are properties that people have: the property of being cool, the property of being a geek, and the property of being on the autism spectrum. These are not variables that we can just slam together in a transitive[1] orgy of equation signs, as much as someone might like to be able to write on a whiteboard that A=B=C.

You get to stay after class and wipe down the whiteboard

Instead, we need to head over to set theory, which is where we look at groupings (or "sets") of objects, where said sets are organized by a shared trait. Such as being a geek, or being cool, or being on the autism spectrum. We represent these sets by drawing circles. Then we can make useful and interesting (and sometimes even more occasionally related to real life) observations by seeing where these sets overlap and what that tells us. This is a Venn diagram, and it helps us immediately destroy AITNC, because it reminds us that people (the members of the sets) are not single-value variables like A and B and C and the rest of their letter trash, but complex people who are not in any way entirely equal. This is my AITNC mega-buster Venn diagram, whipped up on this evening when I had lots of better stuff to do, just for your edification:

Filling in the missing names is left as an exercise for the reader[2]

Note that there are plenty of places where there is no overlap. Note that there are four separate regions where there are overlap. I can think of people who are examples of each of those areas, but I’m not enough of a dick to tell you who they are.

The Big Boy/Girl Panties Are Right Over There

I have, I shit you not, had parents ask me how to get their kid diagnosed with Asperger’s so they can "give him an extra educational advantage" (or some such nonsense). Yeah, I know. Fucked up, right?

I’m no child psychology professional, but I know spoiled, overly sugared kids when I see them. You want your kid to get an extra educational advantage? Don’t let the little bastards play video games and watch TV when they get home from school. Make them do homework and chores. Stop buying them everything they want and make them earn a meager amount of money and prioritize they things they really want from passing whims. Spend time with them and find out what they’re learning. Teach them about things you’re doing, which means you might want to put down the remote and pick up some more books or spend time outdoors or in your shop. Take the time to buy and prepare healthy food instead of boxed-up pre-digested pap. Teach them how to cook and clean, while you’re at it. Get involved with what they’re doing at school and be ruthlessly nosy about their grades and progress. Limit their after-school activities so they have time to study. Make and enforce a reasonable bedtime. In short, be a fucking parent. Stick with that for a year, and I guarantee your kids will have an educational advantage that you can’t believe.

Unless you want it in kebabs for dinner

Once you’ve done that for a few years and your kids have adjusted to having the meanest parents on the block like mine have, then you can worry about whether your precious little shit belongs on the autism spectrum, or has ADHD, or whatever other crutch diagnosis you think you need to compensate for being a mere gamete donor instead of a real parent.

People Are Strange (When You’re A Stranger)

I’m not going to sing a litany of woes about how tough it is being Asperger’s. I have fought most of my adult life to keep this thing from defining who I am. Devin != autism, not by a long shot. It’s one of a large number of properties about me, and it’s a mere footnote at that. I refuse to self-identify as an "Aspie" because I see that many of them (not all, but a significant fraction of them) use it as a Get Out Of Life Free card. "Oh, boohoo, I can’t make friends. Boohoo, I can’t have a relationship. Boohoo, my boss doesn’t understand me." I’ll grant it makes things difficult at times, but you know what? I look at so-called "neurotypical" people and they seem to have rough patches too. Life isn’t perfect for anyone. I don’t know how much harder my life is because of Asperger’s, and you don’t either. Anyone who claims to know is full of shit. At best, they’re making wild-ass guesses.

I choose not to play "what-if" games, because there is always something you think of after the fact. This wiring malfunction in my brain does not define or control me unless I choose to let it. The only reason its effects dominated my life through my early adulthood is that I didn’t know. Once I knew…well, I went all G. I. Joe[3] on its ass.

You know what really sucks? That my wife and kids have to be hyper-vigilant about what food they eat because their bodies are attacking their own auto-immune systems. I can tell you exactly how much of a crimp that’s put into their enjoyment of life. One thoughtless dweeb in a restaurant kitchen who doesn’t properly wash bread crumbs off a counter, or clean off that dollop of butter on the knife, can make them miserable for a week. That’s a pretty raw deal, friends. Asperger’s has nothing on that. Try traveling or going out to a restaurant with friends. The number of things you can eat with one of the 8 major food allergies quickly limits your options. Enjoy two of them (like my family) and you can start counting your dining options on one hand.

So if you’re one of those assholes who thinks autism is cool or glamorous, get a life. Seriously. Be thankful for what you have. And recognize that people are cool not because of their afflictions but because they are cool people.

[1] You’ll probably have forgotten in five minutes, but transitive means if one thing is equal to a second thing, and a third thing is also equal to the second thing, then the first and third things are equal too. This only usually works in math and quantum mechanics, because how often are two things actually equal in the real world?

[2] Extra credit if you noticed that I really did match the color coding between the two diagrams.Without thinking.

[3] "Knowing is half the battle."

The post Autism Is Not The New Cool appeared first on Devin on Earth.

Here…watch this:

Now, go do something about it.

The post Stop SOPA/PIPA now appeared first on Devin on Earth.