CONTENTS
AUGUST 2010, VOLUME 16 NO. 8
A PENTON PUBLICATION
Access articles online at www.windowsitpro.com. Enter the article ID (located at the end of each article) in the InstantDoc ID text box on the home page.

FEATURES
24 DNS Enhancements in Windows Server 2008 R2. Windows Server 2008 R2 introduces powerful feature enhancements and new technologies to give you confidence in the security of your DNS infrastructure.
BY JOHN SAVILL
29 Mobile Security with MDM 2008 SP1. Mobile device management continues to be an IT headache, but MDM 2008 SP1 can help tame your Windows Mobile smartphone environment. Follow these steps to install and implement device control with MDM.
BY JOHN HOWIE
37 Virtualizing Active Directory. Follow these recommendations to decide what you should virtualize for Active Directory, how to build and deploy it, and how to administer AD and maintain security in a virtual environment.
BY SEAN DEUBY
38 Sidebar: For DCs, Simple Storage is Better Storage
41 Essential Windows Server 2008 R2 Features for Managing Your File Server Infrastructure. Four tools in the new OS—DFS Consolidation Root, File Server Resource Manager, File Classification Infrastructure, and Access Based Enumeration—bring you greater control over your file structure.
BY ERIC B. RUX
45 Error Trapping and Handling in PowerShell. PowerShell 2.0 introduces the Try…Catch…Finally construct to trap and handle errors. Find out why it’s an improvement over the Trap construct, which is available in both PowerShell versions.
BY DON JONES
48 Setting Up Network Device Enrollment Service. Secure your non-Active Directory devices by setting up Network Device Enrollment Service, a solution for issuing and managing security certificates.
BY RUSSELL SMITH
52 Exchange Server’s Client Access: Deploying Your Servers. Client Access servers are relatively new to Exchange, and in Exchange 2010 they’re more important than ever. Learn how to deploy Client Access server with the GUI and using automation.
BY KEN ST. CYR
56 Get Proactive with SharePoint 2010’s Improved Monitoring. SharePoint 2010’s monitoring feature—with improved timer jobs, reporting, and SharePoint Health Analyzer—could make you a more efficient, and perhaps, even happier, admin.
BY TODD KLINDT
58 Sidebar: SharePoint 2010 Improvements

COLUMNS
5 IT Pro Perspectives (Crockett): Real Data for IT Pros and Developers. Richard Campbell, consultant to IT and developer departments, discusses Microsoft Visual Studio 2010, which includes new tools that help IT organizations and developer teams produce efficient business applications.
7 Need to Know (Thurrott): What You Need to Know About Windows Server 2008 R2 SP1, Communications Server 14, Windows InTune, and More. Quick info about what’s new at Microsoft, including Windows InTune, MCS 14, SP1 for Server 2008 and Windows 7, and IE 9 HTML 5 compatibility.
9 Windows Power Tools (Minasi): Creating Bootable VHDs with Disk2VHD. Disk2VHD simplifies the process of converting drives on running systems into one or more VHDs.
11 Top 10 (Otey): TCP/IP Ports Used by VMM 2008. Microsoft System Center Virtual Machine Manager 2008 relies on specific TCP/IP ports in order to communicate with other components; make sure these ports for the Administrator Console, the VMM library server, RDP, and other components are always available.
13 What Would Microsoft Support Do? (Wheeler): Monitor System Startup Performance in Windows 7. Use the Windows 7 Event Viewer, which lets you filter events and perform queries on XML event data, along with the Wevtutil tool to find and collect event data and view boot-time trends.

INTERACT
15 Reader to Reader. Create PDF files with the doPDF utility, get the real workgroup name in VBScript and PowerShell code, and investigate CPU spikes by using System Monitor in conjunction with Process Monitor.
19 Ask the Experts. Set up a miniature Virtual Desktop Infrastructure lab, create your own self-signed certificates, log on to ESX’s service console as root, create bootable Virtual Hard Disks, and more.

IN EVERY ISSUE
79 Directory of Services
79 Advertising Index
79 Vendor Directory
80 Ctrl+Alt+Del
EDITORIAL
Editorial and Custom Strategy Director: Michele Crockett [email protected]
Executive Editor, IT Group: Amy Eisenberg [email protected]
Technical Director: Michael Otey [email protected]
Senior Technical Analyst: Paul Thurrott [email protected]
Custom Group Editorial Director: Dave Bernard [email protected]
Web and Developer Strategic Editor: Anne Grubb [email protected]
Systems Management: Karen Bemowski [email protected] Marwitz [email protected] Wiggy [email protected]
Messaging, Mobility, SharePoint, and Office: Brian Keith Winstead [email protected]
Networking and Hardware: Jason Bovberg [email protected]
Security: Lavon Peters [email protected]
SQL Server: Megan Bearly Keller [email protected] Molnar [email protected]
Editorial Web Architect: Brian Reinholz [email protected]
IT Media Group Editors: Linda Harty, Chris Maxcer, Rita-Lyn Sanders

CONTRIBUTORS
SharePoint and Office Community Editor: Dan Holme [email protected]
Senior Contributing Editors: David Chernicoff [email protected] Joseph Edwards [email protected] Ivens [email protected] Minasi [email protected] Robichaux [email protected] Russinovich [email protected]
Contributing Editors: Alex K. Angelopoulos [email protected] Deuby [email protected] Dragone [email protected] Fellinge [email protected] Hill [email protected] Mar-Elia [email protected] Redmond [email protected] Roth [email protected] B. Rux [email protected] Savill [email protected] Sheldon [email protected] Franklin Smith [email protected] Spanburgh [email protected] Thomas [email protected] Toombs [email protected] Wilansky [email protected]

ART & PRODUCTION
Production Director: Linda Kirchgesler [email protected]
Senior Graphic Designer: Matt Wiebe [email protected]
Windows®, Windows Vista®, and Windows Server® are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries and are used by Penton Media under license from owner. Windows IT Pro is an independent publication not affiliated with Microsoft Corporation.
WRITING FOR WINDOWS IT PRO
Submit queries about topics of importance to Windows managers and systems administrators to [email protected].
PROGRAM CODE
Unless otherwise noted, all programming code in this issue is © 2009, Penton Media, Inc., all rights reserved. These programs may not be reproduced or distributed in any form without permission in writing from the publisher. It is the reader’s responsibility to ensure procedures and techniques used from this publication are accurate and appropriate for the user’s installation. No warranty is implied or expressed.
PRODUCTS
60 New & Improved. Check out the latest products to hit the marketplace.
PRODUCT SPOTLIGHT: ProStor Systems’ InfiniVault
61 Paul’s Picks. Apple iOS 4 beefs up the iDevice world; and Hotmail doesn’t get any respect, although it does get Exchange ActiveSync.
BY PAUL THURROTT
62 Best of TechEd 2010 Award Winners. The Best of TechEd Awards recognize the most innovative Microsoft platform products and services offered by Microsoft partners exhibiting at the annual conference. Here are this year’s winners.
BY JASON BOVBERG
64 Corner Bowl Disk Monitor 2010. Check out this feature-packed program for monitoring and managing enterprise disk data. It’s a great addition to any IT pro’s toolkit.
BY TONY BIEDA
65 Spiceworks 4.5. Management, monitoring, inventory control, and a ticketing system, all in one package—and it’s free!
BY MICHAEL DRAGONE
67 Rove Mobile Admin. Phone-sized administration tools let you handle emergencies as well as perform routine maintenance on your servers and network infrastructure.
BY ERIC B. RUX
68 Kerio Connect 7. If setting up Exchange for your small business sounds like too much of a headache, this alternative could be what you need.
BY RYAN FEMLING
69 NetPoint Pro. Smaller businesses can benefit from this agent-less asset management and inventory system.
BY JEFFERY HICKS
70 VMware Workstation 7.0 Rises Above the Virtual Pack. Take a quick dive into VMware’s Workstation 7.0 and see how this desktop virtualization product works, then scope out the rest of the desktop virtualization market.
BY MICHAEL OTEY
71 Sidebar: An Overview of Desktop Virtualization Products
73 SharePoint Auditing and Reporting Tools. Explore third-party solutions available to support your organization’s compliance needs through change tracking, reporting, data security features, and more.
BY BRIAN REINHOLZ
76 Industry Bytes. Use biometric security to secure nearly any aspect of your business, and more.
w w w. w i n d o w s i t p r o . c o m W e ’r e i n I T w i t h Yo u W i n d o w s I T P r o A U G U S T 2 0 1 0 5
Crockett | IT PRO PERSPECTIVES

Real Data for IT Pros and Developers
New Visual Studio 2010 testing tools improve applications and business productivity

As IT organizations look at ways to support their businesses with fewer resources—a trend that will likely continue even as the economy improves—one corner that could benefit from a bright light is the interaction between the developers who are building applications and the administrators who commandeer the production environment. With the release of Visual Studio 2010, which won the Best Microsoft Product award in our Best of TechEd program, Microsoft introduces tools that help sync the IT department and the developers in a way that helps businesses run more efficiently.

During our series of video interviews from the TechEd show floor in New Orleans, I spoke with Richard Campbell, a consultant who co-produces .NET Rocks, a Web-based audio talk show for .NET developers, and Run As Radio, a show for IT professionals. Campbell—who often straddles the developer and IT worlds in his consulting business—pointed out some little-known features of the Visual Studio 2010 release that further break down the barriers between the IT and dev worlds. “I work as a consultant with a lot of teams where you do have a good relationship between IT and dev, where the way the app runs in the production environment is as important to the developers as it is to the IT folks,” Campbell said. “They have a good discipline, and a good feedback mechanism. But the next phase past this discipline is tooling, and with Visual Studio 2010, we’re starting to get good tooling. Some of the new tools in Visual Studio 2010 really speak heavily to how developers can communicate more effectively with IT pros so that they have that common language.”

Campbell called IntelliTrace, available in Visual Studio 2010 Ultimate, one of the most important new debugging tools because it provides developers and IT departments hard data rather than speculation about an application’s use and points of failure. The tool reduces time spent in trying to reproduce errors. “IntelliTrace gives you the ability to capture the machine at the moment of failure,” Campbell said. “The operators of the app—the production guys—can get a clean record of how the app fails so developers can see it. On the test side of things, it’s much easier to communicate back and forth and see those kinds of failures.”

Getting this level of detail about the application is a big business win because IT and developer teams can identify and solve problems much more quickly. Campbell stressed the importance of being able to see where real performance issues lie and which applications’ features are being used. Developers sometimes struggle to determine which features they should address. Application data can help developers connect with the IT department’s view of an app’s performance. “The production environment is where the rubber meets the road, so that’s a process of getting the truth back,” Campbell said.

Another tool that helps IT departments and developers get better application data is Runtime Intelligence, a profiling tool produced by PreEmptive Solutions that’s available in every version of Visual Studio 2010. “Runtime Intelligence provides the ability to instrument the assemblies at a fairly low level and then feed that data back into a web service,” Campbell said. “And you can do that without actually recompiling the app. So from an IT perspective, this is detailed instrumentation of how the app is running, where the errors occurred in production, and also what parts are being used. So this gives the ability for a deeper view into the app—not just a focus group but a day-in, day-out view of how the staff is using the application.”

Typically, this level of detailed application data was available only in a test lab, but Runtime Intelligence can run in the production department full time, providing steady feedback that helps IT departments and developers make decisions about resource allocation based on quantitative data rather than conjecture. Campbell encourages every IT pro to become familiar with all the built-in testing features that Visual Studio 2010 provides to understand how applications could perform better in the production environment. Campbell said that by offering these testing tools, “Microsoft has poured a lot of energy into making every failure reproducible, so we capture the image of the machine so we know exactly the state it was in.”

My TechEd talk with Campbell was one of many conversations we captured on film from our booth. If you couldn’t make it to New Orleans, you can relive the best of the tech talk (if not the humidity, the jazz, and the beignets) at our Taste of TechEd virtual trade show on August 25 (www.vconferenceonline.com/shows/summer10/teched). We’ll kick off the show with a technology overview from Michael Otey and Paul Thurrott and follow with more interviews with IT and developer experts, official TechEd session footage, and demo booths where you can put new solutions through their paces.

InstantDoc ID 125491

MICHELE CROCKETT ([email protected]) helped launch SQL Server Magazine in 1999, has held various business and editorial roles within Penton Media, and is currently editorial and custom strategy director of Windows IT Pro, SQL Server Magazine, and System iNEWS.
Thurrott | NEED TO KNOW

What You Need to Know about Windows Server 2008 R2 SP1, Communications Server 14, Windows InTune, and More

Although summer is usually a quiet time in the PC and electronics industries, Microsoft holds its annual TechEd conference at this time of year, and there’s always a lot of good product and technology information coming out of the show. Here’s what you need to know about the news from TechEd 2010.

Windows Server 2008 R2 and Windows 7 SP1 Beta
As of press time, Microsoft is to deliver by the end of July a public beta version of SP1 for Windows Server 2008 R2 and Windows 7. The company says it will use feedback from the beta to determine the final release schedule, but I expect to see the final release hit before the end of 2010.

SP1 adds almost no new functionality to Windows 7 beyond a Remote Desktop update. However, it represents a major functional update to Windows Server 2008 R2, with support for new features like Hyper-V Dynamic Memory and RemoteFX. Another new feature, RemoteFX USB Devices, aims to provide better USB device redirection over RDP than the shipping version of Server 2008 R2. You’ll be able to use virtually any USB device transparently over RDP, including scanners, all-in-one printers, web cameras, VoIP phones and headsets, and biometric devices.

And since I knew you were just thinking about this, yes—the Dynamic Memory feature from SP1 is being added to Hyper-V Server 2008 R2. And System Center Virtual Machine Manager 2008 R2 will get an update this year to support Dynamic Memory as well.

Looking Back and Looking Ahead with Windows Server
Speaking of Windows Server, you can expect some changes in naming and branding when the next version hits in 2012. Microsoft is dropping the major/minor release cadence silliness and the even sillier R2 naming scheme. Instead, Windows client and server releases will be developed and released in lockstep going forward, starting with vNext, as they call it internally.

Think about this for a second. Windows Vista SP1 and Server 2008 were developed on the same code base, so they were updated together with the SP2 release that applied to both—although it was Vista’s second service pack and Server 2008’s first. Meanwhile, Windows 7 (a major release) and Windows Server 2008 R2 (a minor release) were developed on the same code base and will be serviced together starting with SP1. These two product generations—Vista/Server 2008 and Windows 7/Server 2008 R2—are incompatible from a servicing perspective. And Microsoft tells me it has no plans at all for a Vista/Server 2008 SP3 release. I have to think a rollup will happen eventually, however.

Of course, some Windows Server users are facing bigger problems. Windows 2000 will have hit “end of life” by the time you read this, meaning that it has exited the support lifecycle. So unless you don’t mind paying for security updates, this OS is dead in the water. And although Win2K Server usage is down to the single digits, these machines are still out there.

For Windows Server 2003, it’s even worse. This OS represents about 50 percent of the installed base, and it leaves mainstream support and enters extended support in July 2010. That means that the majority of Microsoft’s server customers have five years to move to something more modern. The big issue with Windows 2003—and as it turns out, Server 2008—is 32-bit application compatibility. In fact, the number-one reason that Server 2008 R2 customers exercise their downgrade rights is to install a 32-bit version of Server 2008. Server 2008 R2, as you know, is 64-bit only, and there’s an entire generation of 32-bit in-house and line of business (LOB) apps that need to be updated or replaced, and from what I can see, few are moving to do so with any alacrity.

“Windows Server 2003 is a power-hungry, non-virtualized, x86 world,” Microsoft group product manager Ward Ralston told me recently. “It’s the classic server sprawl problem. Newer versions of Windows Server are just so much more efficient.” Exactly right. Get busy, people. If you’re on Windows Server 2003, it’s time to start planning a migration today.

Small Business Server “7” and “Aurora”
Microsoft will follow up the current Small Business Server version, SBS 2008, with two products, each of which serves a particular need. The first, currently code-named SBS “7,” will be a traditional SBS product update and will offer, as before, on-premises versions of Windows Server (2008 R2), Exchange 2010, Windows Server Update Services (WSUS), and more.

The second product is, perhaps, more interesting. Currently code-named SBS “Aurora,” this SBS version is based on the same code base as Windows Home Server “Vail” and assumes that your email and other services will be hosted in the cloud. It can create but not join domains, and offers only very simplified on-site management tools. But it has a super-simple interface and works with the WHS-based Drive Extender technologies to consolidate all attached storage as a single block of storage. Good-bye, drive letters.

I’ll be writing more about Aurora soon. This is a product that could transform the small business market.

HTML 5 and the Future
HTML 5 is years away from being ratified as an international standard, but browser makers are jumping all over this technology. The reason is simple: HTML 5 is the future of the web, and they want to prove that their product will get you there. Microsoft’s response to HTML 5 involves Internet Explorer (IE) 9, as well as calls to the industry to rally around standards tests that make sense. That last bit is important because today’s web standards tests seem designed to make IE fail. Though I don’t expect to see IE 9 until early 2011, it will include hardware acceleration of video and SVG graphics.

Microsoft isn’t the first to step up to the HTML 5 challenge, not by a long shot, and by the time IE 9 does happen, it could be swamped by a field of competitors that have already exceeded whatever HTML 5 compatibility IE offers. Browser makers are talking up HTML 5, but two in particular, Apple and Google, have been rapidly shipping new products as well.

Apple’s offering is, perhaps, less interesting, but Safari 5 does offer one IE 9 feature—hardware acceleration, even on Windows—and it’s aggressively adopting HTML 5 features, including full-screen video, closed captioning for video, geolocation, and more. Safari 5 finally offers an extensibility model, an area in which this browser was lacking. I don’t expect Safari to make major inroads in the Windows market, but it’s not wise to discount Apple. And Safari is certainly the overwhelming champion in the mobile space right now.

Google’s latest browser, Chrome 5, also embraces HTML 5, and Google is shipping Chrome updates at an amazing clip. Chrome 5 features a great extensions infrastructure, browser bookmarks and preferences sync, and should have an integrated version of Adobe Flash available by the time you read this. On the HTML front, it now supports many of the same HTML 5 features that Apple added to Safari 5. Given Chrome’s update schedule, it might prove the most popular browser for those who like to use the latest technologies.

Mozilla Firefox, of course, is still the alternative browser of choice, though it seems to have hit a plateau in usage shares. Current versions of Firefox do support HTML video and audio, but not with the popular H.264 video and AAC audio formats. Mozilla has been moving slowly, not just with HTML but in general, and its browser updates seem to be on an ever-slower schedule. I wouldn’t be surprised to see Firefox begin a gradual decline.

Communications Server “14”
A couple of years ago, Microsoft’s Unified Communications (UC) vision was, well, more vision than reality. But with the release of Microsoft Communications Server (MCS) “14” (it still doesn’t have a final branding), later this year, the vision is becoming reality. And that’s especially true for those environments that can standardize on Exchange 2010, SharePoint 2010, and Office 2010 as well, given the hooks that tie each together.

MCS 14 provides real-time communications solutions around instant messaging (IM)—text, voice, and video—and it does so via a tiered experience where you locate a contact by using presence information in the MCS client, in Outlook, in SharePoint, or in other areas, then can escalate the discussion to different conversation types, including VoIP. New features include enterprise skill searching through integration with SharePoint 2010, and major improvements to the presence model so that MCS exposes only those conversation types for your location.

Aside from branding, there are some other questions around scheduling and licensing. But Microsoft says you can expect a public preview release by the end of 2010.

Windows InTune
Thanks to the cloud computing phenomenon, Microsoft has scaled back plans for on-premises server products in small and medium-sized businesses and is focusing instead on delivering hosted services that make more sense for those environments. The one I think will have the broadest implications over time is Windows InTune. Currently aimed at midsized businesses, it offloads system management to the cloud and provides a way to manage all of the PCs in your environment remotely. That it does so outside of Active Directory (AD) will be controversial to some.

There are two bits of news up front: First, Microsoft’s initial public beta offering of Windows InTune in April 2010 was, perhaps, too popular, and the company had to shut down the sign-up site. If you didn’t get in, there should be a second, larger, public beta offering by the time you read this. Second, Microsoft is addressing the concerns of partners who will want to support their own customers using InTune by offering a partner dashboard interface so they can manage multiple sites more easily.

I’m happy to report that Microsoft is now actively seeking to expand InTune and will someday offer versions of the service for small businesses and AD-wielding enterprises as well. Although the company is mum about how it will change InTune to accommodate AD, in the short term you can rest easy by understanding that AD-based policies will always supersede any InTune-specific policies, so it should be safe to use in smaller environments. Microsoft plans to deliver the initial InTune version in the first quarter of 2011.

InstantDoc ID 125391

PAUL THURROTT ([email protected]) is the news editor for Windows IT Pro. He writes a weekly editorial for Windows IT Pro UPDATE (www.windowsitpro.com/email) and a daily Windows news and information newsletter called WinInfo Daily UPDATE (www.wininformant.com).
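Thurrott’s Windows 2000 and Windows Server 2003 point above is only actionable once you know which of those machines you still have, so here is an added PowerShell inventory check that is not part of his column. It queries AD for computer objects whose OperatingSystem attribute still reports one of those versions, flags objects with no recent logon (probably dead accounts rather than live hosts, but still worth removing before the name is reused), and writes a CSV for the migration list. It assumes the ActiveDirectory module (RSAT on Windows 7 or Server 2008 R2, talking to a DC that runs Active Directory Web Services), a 90-day staleness window, and the output path; all three are my assumptions, not anything the column specifies.

```powershell
# Find-UnsupportedComputers.ps1 (added example; not from the column)
# Inventories AD computer objects still reporting Windows 2000 or Windows
# Server 2003. Needs the ActiveDirectory module (RSAT on Windows 7 /
# Server 2008 R2) and a DC running Active Directory Web Services.
# The 90-day window and the CSV path are assumptions.
Import-Module ActiveDirectory

function Get-UnsupportedComputer([int]$StaleDays = 90) {
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # Match on the OS string the machine itself wrote into its computer object.
    $filter = 'OperatingSystem -like "*Server 2003*" -or OperatingSystem -like "*Windows 2000*"'
    # Stale = no logon inside the window: likely a dead object, not a live host.
    Get-ADComputer -Filter $filter -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate |
        Select-Object Name, OperatingSystem, OperatingSystemServicePack, Enabled, LastLogonDate,
            @{ Name = 'Stale'; Expression = { (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff) } },
            @{ Name = 'DN';    Expression = { $_.DistinguishedName } }
}

$report = @(Get-UnsupportedComputer)
$report | Sort-Object OperatingSystem, Name |
    Format-Table Name, OperatingSystem, OperatingSystemServicePack, Enabled, LastLogonDate, Stale -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\unsupported-computers.csv
"{0} objects found: {1} live, {2} stale" -f $report.Count,
    @($report | Where-Object { -not $_.Stale }).Count,
    @($report | Where-Object { $_.Stale }).Count
```

Treat the live, enabled entries as the migration backlog and the stale ones as cleanup: a disabled or long-idle computer object with an old OS string still has a machine account that can be reanimated, so it should be removed rather than left to age out.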
WINDOWS POWER TOOLSMinasi
This month, I’d like to start covering a few tools that
enable a feature in Windows 7 and Windows Server 2008
R2 that could be quite significant: the ability to boot a
physical system not from the physical C drive (as we’re
used to) but from a system drive stored as a virtual hard
disk (VHD). This particular column is a little unusual,
however, because typically when I introduce a tool to solve a prob-
lem, you already understand the nature of that problem. But booting
from a VHD is a new concept, so I’ll start by explaining it, then I’ll
introduce this month’s tool—Disk2VHD.
Why would you want to boot a physical system from a VHD? I
can think of several reasons, but two important reasons relate to ease
of OS deployment. First, consider how you get an OS onto a server
or workstation in the first place. You can install the system manually
by popping the installation DVD into the system’s drive, booting it,
and answering a lot of questions; you could use the installation DVD
and simplify the process with an unattended installation script; or
you could use one of the many available imaging tools to take a pre-
built OS image and blast it onto a new system’s empty hard disk.
Imaging is usually the fastest of the three options, but how do you
accomplish that imaging?
Symantec Ghost is probably the best-known commercial tool,
and Microsoft offers a free alternative called ImageX, but in both
cases the imaging process is fairly opaque. If something goes wrong
during the image transfer, it can be difficult to determine the cause.
In contrast, booting from VHD essentially requires that you copy a
specially prepared VHD file onto the target system’s hard disk. So,
booting from VHD offers what might be called XCOPY deployment.tt
The second reason is ease of virtual machine (VM) deployment.
By creating and maintaining your system images as VHDs—rather
than, say, as Ghost GHO files or ImageX WIM files—you can quickly
deploy (i.e., copy) those VHD-format images to physical systems or
as new, quickly built VMs under a Hyper-V server by simply copy-
ing the VHDs to the Hyper-V server and creating a new VM around
the VHD. Microsoft has even made VHDs a bit more attractive as
deployment tools by including VHD support in Server 2008 R2’s
Windows Deployment Services (WDS) servers.
To create a system that boots from a VHD, you need to accomplish
several steps. First, you need a VHD file that contains a bootable,
generalized image based on a Windows 7 or Server 2008 R2 system.
(If you’re unfamiliar with the term generalized, it’s just Microsoft’s d
latest word for “Sysprep-prepared.”) Second, you’ll need a VHD that
contains an image of a bootable Windows drive. Acquiring a VHD to
that specification requires that you create an empty VHD file (which
I’ve covered in previous months), grab a bootable system, use Sys-
prep to prepare it, boot it with an OS (probably WinPE), then use
ImageX /capture to convert that working system to a WIM file. Then,
you’d have to select and mount the VHD file as some drive letter and
use ImageX again (this time with /apply) to deploy that image to the
VHD. At that point, you’re done, and you can distribute the VHD to
new VMs or physical systems that will boot from that VHD.
That process is a fairly tall order, and I’ll show you how to do
those things in the coming months. But our friends at Sysinternals
offer some instant gratification with a free tool called Disk2VHD
(technet.microsoft.com/en-us/sysinternals/ee656415.aspx). Disk2-
VHD takes drives on running systems and converts them to one or
more VHDs—no ImageX, no WinPE, no Sysprep—all thanks to the
Volume Shadow Copy Service (VSS). Its syntax is simple:
disk2vhd <drive>|* <vhdfilename>
So, for example,
disk2vhd C: E:\a.vhd
would create a VHD from drive C, and
disk2vhd * E:\a.vhd
would copy all volumes—even Windows 7’s unlettered volume—to
a VHD file. Alternatively, just start up Disk2VHD to get a GUI. Even
if you specify more than one volume, Disk2VHD packs them up
into one VHD.
Now, that’ll work in very specific situations, but not in most
cases: Simply creating an image and handing out identical copies
of that image to zillions of machines can cause security trouble. For
non-trivial deployments, then, we’ll need to make the images
generic with Sysprep. Next month, we’ll get closer to making boot-
from-VHD work.
InstantDoc ID 125422
MARK MINASI (www.minasi.com/gethelp) is a senior contributing editor for Windows IT Pro, an MCSE, and the author of 25 books, including Mastering Windows Server 2008 R2 (Sybex). He writes and speaks aroundthe world about Windows networking.
Creating Bootable VHDs with Disk2VHD
Boot a physical system from a system drive stored as a VHD—a capability that you might find very handy
“Why would you want to boot a physical system from a VHD? I can think of several reasons, but two important reasons relate to ease of OS deployment.”
TOP 10 (Michael Otey)
www.windowsitpro.com | We’re in IT with You | Windows IT Pro | August 2010 | 11
TCP/IP Ports Used by VMM 2008
If you’re using a firewall, be sure to keep these ports open for VMM
Microsoft System Center Virtual Machine Manager
2008 (VMM) is Microsoft’s platform for virtualiza-
tion management. VMM offers a host of enterprise-
level virtualization management capabilities that
go far beyond the features in the more basic
Hyper-V Manager. VMM is a complex product
with many different connected components. Knowing what’s actually
going on under the hood in VMM is important when it comes to solv-
ing problems because each of the VMM components relies on specific
TCP/IP ports in order to communicate with other components. If
these ports aren’t available when called upon, select pieces of VMM
functionality won’t be available. If there’s a network firewall between
systems or if you’re using Windows Firewall, you need to make sure
these ports are available. In this column I’ll list the top 10 TCP/IP ports
used by VMM and explain what they’re used for. Bear in mind these
are the default port settings; all the port settings can be customized.
For a complete list of the ports and protocols used by VMM, refer to
the TechNet article “VMM Ports and Protocols”
(technet.microsoft.com/library/cc764268.aspx).
1. Administrator Console to VMM server. Port: 8100; Protocol: WCF.
The VMM Administrator Console and the VMM server can be installed on the same server, or you can manage the VMM server remotely. For remote management, you need to have port 8100 open on the VMM server.
2. VMM server to VMM agents. Port: 80; Protocol: WinRM (control). Port: 443; Protocol: SMB (data).
VMM uses agents on the target hosts in order to manage them. The VMM agents use port 80 for management tasks such as viewing or changing the state of your virtual machines (VMs) and port 443 for data transfers to the VMM server.
3. VMM library server to Hyper-V hosts. Port: 443; Protocol: BITS.
The VMM library server stores VM templates and gold image VM and Virtual Hard Disk (VHD) files that the VMM administrator can use to rapidly create new VMs. A gold image is an OS image that you use as a basis for deploying new systems. The VMM server uses port 443 to transfer these files to the Hyper-V host.
4. VMM server to Microsoft SQL Server database storage. Port: 1433; Protocol: T-SQL.
VMM uses SQL Server as a back-end data store. This SQL Server instance can be on the same system as the VMM server, or it can instead be a preexisting SQL Server instance. VMM uses port 1433 to access a networked SQL Server system.
5. VMConnect to Hyper-V hosts. Port: 2179; Protocol: RDP.
VMConnect is an application that’s part of Hyper-V Manager and VMM; it lets you connect to a console session of a Hyper-V VM. By default VMConnect uses port 2179.
6. VMM Self-Service Web Portal to VMM server. Port: 8100; Protocol: WCF.
In addition to the VMM Administrator Console, VMM provides a web-based portal that enables end users to manage their own VMs. The web-based portal must be installed on a system that has Microsoft IIS, and it uses the same port as the Administrator Console, port 8100, to communicate with the VMM server.
7. Remote Desktop to Hyper-V VMs. Port: 3389; Protocol: RDP.
Another important protocol for managing VMs is the standard Remote Desktop Protocol. RDP is a staple in my VM management; I have one or more RDP sessions going to my VMs almost all day. RDP uses port 3389.
8. VMM server to VMware vCenter (administration). Port: 443; Protocol: HTTPS.
The release of VMM 2008 added support for managing VMware’s ESX Server via an instance of VMware vCenter Server. The VMM server communicates with vCenter Server over port 443.
9. VMM server to ESX 3.0 and 3.5 file transfer. Port: 22; Protocol: SFTP.
The VMM server can also conduct file transfers directly with ESX Server 3.5 and ESX Server 3.0. These versions of ESX Server use the SFTP protocol over port 22 for remote file access.
10. VMM server to ESXi file transfer. Port: 443; Protocol: SSH/HTTPS.
The free version of VMware’s virtualization server, ESXi, uses a different port for file transfers. The VMM server communicates with ESXi hosts through port 443, and it uses both SSH and HTTPS.
InstantDoc ID 125379
MICHAEL OTEY ([email protected]) is technical director for Windows IT Pro and SQL Server Magazine and author of Microsoft SQL Server 2008 New Features (Osborne/McGraw-Hill).
WHAT WOULD MICROSOFT SUPPORT DO? (Sean Wheeler)
“You need a way to monitor desktop startup times across the enterprise and collect boot-time measurements from every machine.”
Monitor System Startup Performance in Windows 7
Use Windows 7’s Event Viewer and Wevtutil to monitor boot- and start-time trends on enterprise PCs
Recently Microsoft support has fielded inquiries from
several customers asking how to troubleshoot prob-
lems that cause delays during the boot and user
logon processes on a desktop or laptop. The Windows
Performance Toolkit xbootmgr.exe tool works well for
troubleshooting boot and startup issues on a single
machine. But what if you’re a large enterprise with thousands of
desktops? You need a way to identify problem machines before a
user reports them to the Help desk. You need to monitor desktop
startup times over time and across the enterprise. And you need a
way to collect boot-time measurements, similar to those collected by
xbootmgr.exe, from every machine for every boot. Here, I’ll explain
how you can use an event log, the new Windows 7 Event Viewer, and
the Wevtutil tool to do these things.
A New Event Log to Aid in Troubleshooting
Beginning with Windows Vista, Windows now includes a new cate-
gory of event logs: Applications and Services logs. The infrastructure
underlying event logging now conforms to an XML schema. You can
easily access the XML data for any event. The new event log interface
lets you construct XML-based queries against event logs. The Event
Viewer gives you access to the new XML functionality in an easy-
to-use graphical interface.
One of the logs in this new category is the Diagnostics-
Performance/Operational log. This log contains events that
record performance measurements similar to those provided
by xbootmgr.exe. In fact, the data recorded is generated by the
same mechanisms that Xbootmgr uses. Event IDs 100 through
110 record boot and startup performance statistics.
Using the Event Viewer in Windows 7
The new Event Viewer in Windows 7 lets you do more powerful filter-
ing. The new UI lets you specify ranges of events. Under the covers,
it builds an XPath query to filter out the events based on the criteria
you specify. In our example, we will filter for events 100 through 110.
We’re interested in Event ID 100 for the purpose of measuring the
boot performance. Figure 1 shows the XML view for event 100.
The XML presentation of the event contains a lot of interesting
information. The BootTime value represents the number of milli-
seconds that elapsed from the time the system booted to the point
after the user logged in that the system reached 80 percent idle for
10 seconds. The other time values listed represent the elapsed time
for various stages during this boot process. You can find more infor-
mation about the stages of the boot process in the Windows On/
Off Transition Performance Analysis white paper at www.microsoft
.com/whdc/system/sysperf/On-Off_Transition.mspx.
The other boot performance events record information about
specific events that contributed to delays during the boot/startup
sequence. The trick is how to know which boot instance these mes-
sages belong to. This is where the ActivityID comes in handy. In
Figure 1, you’ll see the following in the XML data:
<Correlation ActivityID="{00000001-0000-0000-1020-5CA87BB1CA01}" />
All events related to the boot instance recorded in this Event 100 have
this same ActivityID. By performing the following steps, we can use
this information to create a more complex filter:
1. Click Filter Current Log… in the Actions pane of Event Viewer.
2. On the XML tab, check the Edit query manually box, then answer Yes when prompted to continue.
Figure 1: XML Event Viewer view of event 100
3. Enter the following XML text into the query box:
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Diagnostics-Performance/Operational">
    <Select Path="Microsoft-Windows-Diagnostics-Performance/Operational">*[System[(Correlation[@ActivityID="{00000001-0000-0000-1020-5CA87BB1CA01}"])]]</Select>
  </Query>
</QueryList>
4. Click OK.
After the query has been edited, a total of three events for this ActivityID will be displayed. We can now examine these events to understand the problems that contributed to any boot/startup delays.
Collecting Data with Wevtutil
So far we’ve looked at only one boot instance. How do we collect data for all boot instances? By using Wevtutil, a Windows command-line tool for querying the event logs. Using the following example, you can extract all the Event ID 100 records from the event log on a system:
wevtutil qe Microsoft-Windows-Diagnostics-Performance/Operational /rd:true /f:xml /q:"*[System[(EventID = 100)]]" /e:Events > boot.xml
This creates an XML data file that contains all instances of the boot performance event for a machine. With each ActivityID, you could then query for the other related events. For example, the following query extracts the same three event records that Event Viewer displayed after we filtered on the ActivityID:
wevtutil qe Microsoft-Windows-Diagnostics-Performance/Operational /rd:true /f:xml /q:"*[System[(Correlation[@ActivityID='{00000001-0000-0000-1020-5CA87BB1CA01}'])]]" /e:Events > bootrelated.xml
Wevtutil.exe has many more options. Run the utility without any parameters to see a list of available options. For more information, see the MSDN article “Event Queries and Event XML” at msdn.microsoft.com/en-us/library/bb399427.aspx. And for more information about learning XPath to define event queries, see XPath Syntax at go.microsoft.com/fwlink/?LinkId=94637 and XPath Examples at go.microsoft.com/fwlink/?LinkId=94638.
Putting It All Together
Once you have the event data in XML format, it’s fairly easy to extract the most interesting data points. Figure 2 shows some sample data I collected from one machine. In this example, I converted the time values to seconds. Differences in the number of applications that start at boot time could be significant when you’re investigating changes in performance. With historical data like this, you can now begin to do some trend analysis. For example, this system was built on 1/13/2010. Application installations and configuration changes continued over the next couple of days. By 1/21/2010 the configuration changes had been completed. After that, the BootTime value was averaging about 124 seconds. However, notice that on 2/4/2010 and 2/9/2010 the times were significantly longer than average.
Figure 2: Sample data collected using Wevtutil
Extending the Value
Now that we have an automated way to extract the event data in XML form, we can collect this data periodically from multiple computers and store the results in a database. Using some simple reporting, it’s easy to do trend analysis. A complete enterprise solution will require more code development and data management, but it’s feasible. And that’s exactly what one of my largest customers did.
Using a VBScript program I wrote, the customer collects event data into a SQL Server database. They’ve used this data to establish some baseline statistics for their desktop image build. They can pivot this data based on the hardware (e.g., memory, CPU, model) and software configuration. Using SQL Server Reporting Services, the customer built a dashboard view that displays the boot-time health status of all desktops in the enterprise. With specific reports, they can compare this baseline to new data collected after deploying new group policies, new security tools, or a hardware upgrade. They also use this data to proactively identify machines that take longer than the average baseline. This information allows IT to address issues before users call the Help desk, reducing the time to resolution and making end users happier.
InstantDoc ID 125383
SEAN WHEELER ([email protected]) is a senior premier field engineer on Microsoft’s Premier Support team, assigned to support some of the largest enterprise customers. He’s one of the original creators of the MPS Reporting tool. He specializes in scripting, debugging, and performance issues.
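The following Python script is an added example, not part of Sean Wheeler’s column or his customer’s VBScript: it parses the boot.xml that the wevtutil command above writes, converts BootTime from milliseconds to seconds the way Figure 2 does, flags boots that are slow against a baseline, and emits the ActivityID follow-up query for each one. The sample events, the computer name PC01.example.internal, the baseline window (the first three boots) and the 1.5x threshold are all constructed assumptions.

```python
"""Parse the XML that 'wevtutil qe ... /f:xml /e:Events' writes (boot.xml above),
convert BootTime to seconds and flag boots that are slow against a baseline.

Added example, not from the column: the sample events are constructed to look
like Event ID 100 records; on a real machine read your own boot.xml instead.
"""
import statistics
import xml.etree.ElementTree as ET
from datetime import datetime

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}


def _sample_event(event_id, system_time, activity_id, data):
    """Build one constructed <Event> with the minimal System block the parser needs."""
    fields = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID>'
            '<TimeCreated SystemTime="%s"/><Correlation ActivityID="%s"/>'
            '<Computer>PC01.example.internal</Computer></System>'
            '<EventData>%s</EventData></Event>'
            % (EVENT_NS, event_id, system_time, activity_id, fields))


# Constructed sample: five boots of one machine (BootTime in ms) plus one
# Event 101 that shares the first boot's ActivityID and must be skipped.
SAMPLE_BOOT_XML = "<Events>" + "".join([
    _sample_event(100, "2010-01-21T13:05:11.1234567Z", "{00000001-0000-0000-1020-5CA87BB1CA01}",
                  {"BootTime": 124000, "MainPathBootTime": 41000}),
    _sample_event(101, "2010-01-21T13:05:12.0000000Z", "{00000001-0000-0000-1020-5CA87BB1CA01}",
                  {"Name": "constructed.exe"}),
    _sample_event(100, "2010-01-25T08:12:03.0000000Z", "{00000002-0000-0000-1020-5CA87BB1CA01}",
                  {"BootTime": 122000, "MainPathBootTime": 40000}),
    _sample_event(100, "2010-01-28T09:30:45.0000000Z", "{00000003-0000-0000-1020-5CA87BB1CA01}",
                  {"BootTime": 126000, "MainPathBootTime": 42000}),
    _sample_event(100, "2010-02-04T07:58:20.0000000Z", "{00000004-0000-0000-1020-5CA87BB1CA01}",
                  {"BootTime": 310500, "MainPathBootTime": 95000}),
    _sample_event(100, "2010-02-09T08:01:02.0000000Z", "{00000005-0000-0000-1020-5CA87BB1CA01}",
                  {"BootTime": 265200, "MainPathBootTime": 88000}),
]) + "</Events>"


def _parse_system_time(value):
    """SystemTime carries seven fractional digits; strptime's %f accepts at most six."""
    head, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int((frac + "000000")[:6]))


def parse_boot_events(xml_text):
    """Return one record per Event ID 100, oldest first, with times in seconds."""
    records = []
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        system = event.find("e:System", NS)
        if system.findtext("e:EventID", namespaces=NS) != "100":
            continue  # only the boot-summary event carries BootTime
        data = {d.get("Name"): d.text
                for d in event.find("e:EventData", NS).findall("e:Data", NS)}
        records.append({
            "computer": system.findtext("e:Computer", namespaces=NS),
            "time": _parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            "activity_id": system.find("e:Correlation", NS).get("ActivityID"),
            "boot_sec": int(data["BootTime"]) / 1000.0,
            "main_path_sec": int(data["MainPathBootTime"]) / 1000.0,
        })
    records.sort(key=lambda r: r["time"])
    return records


def flag_slow_boots(records, baseline_count=3, factor=1.5):
    """Use the first `baseline_count` boots (taken after the build settled) as the
    baseline and flag later boots slower than factor x the baseline mean."""
    baseline = statistics.mean(r["boot_sec"] for r in records[:baseline_count])
    slow = [r for r in records[baseline_count:] if r["boot_sec"] > baseline * factor]
    return baseline, slow


def related_events_query(activity_id):
    """XPath for the follow-up query that pulls every event of one boot instance."""
    return "*[System[(Correlation[@ActivityID='%s'])]]" % activity_id


if __name__ == "__main__":
    boots = parse_boot_events(SAMPLE_BOOT_XML)
    baseline, slow = flag_slow_boots(boots)
    print("%-10s %8s %12s  %s" % ("Date", "Boot(s)", "MainPath(s)", "ActivityID"))
    for r in boots:
        print("%-10s %8.1f %12.1f  %s" % (r["time"].strftime("%Y-%m-%d"),
                                          r["boot_sec"], r["main_path_sec"], r["activity_id"]))
    print("baseline %.1f s; %d slow boot(s)" % (baseline, len(slow)))
    for r in slow:  # the /q: value that pulls every event of that boot
        print('  %s: /q:"%s"' % (r["time"].strftime("%Y-%m-%d"),
                                  related_events_query(r["activity_id"])))
```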
Tool Time: Use doPDF to Create PDF Files
When it comes to creating PDF files, Mac users are probably happier than Windows users. Mac OSs include a utility to create PDF files, whereas Windows OSs don’t. If Windows users want to create PDF files, they need to install an additional program. One such program is doPDF (www.dopdf.com), a freeware PDF converter that can create PDF files from virtually any type of printable document. Although there are a few other free PDF converters, such as ActivePDF’s PrimoPDF (see “Tool Time: Create PDF Files with PrimoPDF,” March 2009, InstantDoc ID 101217), most of them require downloading additional software, such as Ghostscript or the Microsoft .NET Framework. The doPDF converter doesn’t require any additional programs, which means you can install it in seconds. Once installed, creating PDF files is as simple as printing a document:
1. Open the document you want to convert to a PDF.
2. Select Print on the File menu. On the drop-down list of printers, select doPDF.
3. Click OK or Print (depending on your Windows OS), and select where you want to save the PDF file.
The doPDF program has an executable file, so if you don’t like the method just described for creating PDF files, you can simply go to Programs and click the doPDF icon. You’ll be able to select your document and create the PDF file from the program’s interface. You can use doPDF on Windows 7, Windows Vista, Windows XP, Windows Server 2008, Windows Server 2003, and Windows 2000 Server.
—Claudiu Spulber, support technician for a software development company
InstantDoc ID 125413
Getting the Real Workgroup Name in VBScript and PowerShell
If you have scripts that need to run in both domain-based and workgroup-based environments, you might encounter problems using the %USERDOMAIN% environment variable or the UserDomain property exposed by Windows Script Host’s (WSH’s) WshNetwork object to obtain workgroup names. You can generally work around the problem with Windows Management Instrumentation (WMI).
The problem is that if a computer isn’t logged onto a domain, the %USERDOMAIN% variable and the UserDomain property don’t return the computer’s workgroup membership. Instead, they return the name of the local computer. This isn’t a bug or oversight. The %USERDOMAIN% variable and UserDomain property relate to the security domain and not the name used for grouping computers. Because the security authority for a standalone computer in a workgroup is the local computer itself, the value is correct. Furthermore, in credentials used on standalone systems, the local host name is used in the role of the domain name, making the computer name the correct value to return.
However, when you’re dealing with sharing issues in a workgroup-based environment (where the computers are not actually members of a domain), you might need the real workgroup name. For that purpose, your best bet is to use WMI’s Win32_ComputerSystem class. Its Domain property specifies the actual domain or workgroup name for the computer. The code at callout A in Listing 1 demonstrates how to use the Domain property to retrieve and display the local computer’s workgroup name in VBScript code. You can do the same thing in PowerShell with code such as
(Get-WmiObject Win32_ComputerSystem).Domain
Note that this technique doesn’t produce the same result if you happen to run it on a computer within a domain. In a domain, the Win32_ComputerSystem’s Domain property is the name of the computer’s DNS domain. The Win32_ComputerSystem class also has the JoinDomainOrWorkgroup method that you can use to set the workgroup name for individual computers. In a workgroup environment, it’s very easy to use. All you need to do is specify the new workgroup name. Note that on Windows Vista or later systems, you need elevated privileges to use the JoinDomainOrWorkgroup method. The code at callout B in Listing 1 demonstrates how to use the JoinDomainOrWorkgroup method to change the workgroup name in VBScript. In PowerShell, you can run code such as
(Get-WmiObject Win32_ComputerSystem).JoinDomainOrWorkgroup("Wkgp")
Listing 1: VBScript Code That Displays Then Changes the Local Computer’s Workgroup Name
' Query WMI for the Domain property of the local computer.
Dim result, results, domain
Set results = GetObject("winmgmts:").ExecQuery("select domain from win32_computersystem")
' BEGIN CALLOUT A
For Each result in results
  ' Returns the workgroup name if in a workgroup.
  ' If a domain member, returns the DNS domain name.
  domain = result.domain
Next
WScript.Echo domain
' END CALLOUT A
' BEGIN CALLOUT B
For Each result in results
  ' On Vista and later, only works if the script runs elevated.
  result.JoinDomainOrWorkgroup("Workgroup")
Next
' END CALLOUT B
Before using either the VBScript or PowerShell code, you’d need to replace Wkgp with your workgroup’s name. Although it can take a few minutes for the workgroup change information to propagate on a network, the change will take effect immediately on the PC without a reboot.
—Alex K. Angelopoulos, IT consultant
InstantDoc ID 125503
READER TO READER
Tell the IT community about the free tools you use, your solutions to problems, or the discoveries you’ve made. Email your contributions to [email protected].
If we print your submission, you’ll get $100.
Submissions and listings are available online at www.windowsitpro.com. Enter the InstantDoc ID in the InstantDoc ID text box.
Dealing with CPU Spikes on a Laptop
I found the article on how to solve high CPU usage problems by Michael Morales (“Got High-CPU-Usage Problems? ProcDump ‘Em!” September 2009, InstantDoc ID 102479) interesting and thought I would share a technique I used to deal with the same issue. I had a particular process (BESClient.exe) that was spiking the CPU on my laptop. The BESClient process is the client for the BigFix patch management solution. I used System Monitor in conjunction with the Sysinternals Process Monitor utility (technet.microsoft.com/en-us/sysinternals/bb896645.aspx) to gain some insight as to what was going on with my system during the spikes.
First, I created a short batch file, BigFix.bat, to run Process Monitor and put it in the C:\data\bat folder. Listing 2 shows this batch file. A filter that limits the normally extensive output can be created within Process Monitor if desired. Then, within System Monitor, I created an alert that would both log an entry in the application event log and run my batch file when CPU usage (%ProcessorTime) was more than 95 percent for the BESClient process. The Microsoft article “How to create and configure performance alerts in Windows Server 2003” (support.microsoft.com/kb/324752) explains how to create an alert. Although the article is written for Windows 2003, the instructions are applicable to other OSs. I used them to create an alert on my laptop, which runs Windows XP SP3.
The instructions for creating an alert are generally easy to follow, except for two tricky parts:
• When selecting the actions that you want to occur when an alert is triggered, you have several options, as Figure 2 shows. When you want to run a batch file or another type of program, you must pass at least one argument to it, whether or not that argument is used. In my case, BigFix.bat didn’t need an argument, so I simply used a text-message argument that I tailored to be self-documenting, as Figure 3 shows.
• If the program needs to run interactively, you must change some settings in the Performance Logs and Alerts service properties page—a situation that the “How to create and configure performance alerts in Windows Server 2003” article doesn’t mention. If you want to trigger an interactive program, you need to do the following:
1. In the Performance Logs and Alerts page, select the Log On tab.
2. Choose Local System account in the Log on as option and select the Allow service to interact with desktop check box.
3. Click Apply.
When you’re done troubleshooting the problem, make sure that you change the Log on as option back to the default NT Authority\Network Service setting. Leave the password box blank because the system will create and manage one.
By using System Monitor in conjunction with Process Monitor, I was able to determine the reason for the spikes: The BigFix client was iterating through all the thousands of files on my laptop.
—Dave Bartholomew, IT consultant
InstantDoc ID 125439
Figure 2: Selecting the actions that you want to occur
Figure 3: Confi guring the arguments
Listing 2: BigFix.bat
"C:\Utilities\Sysinternals\Process Monitor\Procmon.exe" /BackingFile "C:\Tmp\Sysinternals\Process Monitor\EventStore.PML" /Quiet
Q: If I use application virtualization, how does application activation work?
A: You shouldn’t think of application virtualization as a way around activation. When you virtualize an application, you typically don’t activate it. Instead, it’s configured with the required information as part of the sequencing, but activated when it’s executed on user desktops. Many applications check the hardware that they’re running on, so even if you activate them during sequencing, you have to reactivate them when the application actually runs on the user’s desktop. This also applies to licensing—you need to consider which desktops will run the virtualized application and license accordingly. Just because you virtualize an application doesn’t mean the license model of the application changes to, for example, concurrent executions instead of per desktop.
—John Savill
InstantDoc ID 125275
Q: How can I add syntax help to my Windows PowerShell scripts or functions?
A: I’ve seen a number of folks spend a lot of effort adding a -help parameter to their scripts or functions—and there’s no need! You can add help simply by creating specially formatted comments, as described in PowerShell’s own online help. Run
help about_comment_based_help
to read about it. The shell parses these specially formatted comments and constructs a Help page that looks exactly like the “real” help that comes with shell cmdlets. Adding this Help page is a great idea. It helps to document your functions and scripts, making it easier for someone else to use them. By integrating the information into the shell’s existing Help feature, your scripts and functions will look more like “real” commands, and other users will have an easier time finding the information.
—Don Jones
InstantDoc ID 125329
Q: What’s a Hyper-V cluster’s coordinator node, and what does it do? How can I tell which Hyper-V host is also the coordinator node?
A: Hyper-V R2 added a new capability called Cluster Shared Volumes (CSV). This feature provides the much-desired ability to handle individual Virtual Hard Disk (VHD) files as individual items for failover. Prior to CSV, as you probably know, you had to fail over an entire disk, rather than individual VHD files within it. Fast-forward to today. The technologies that let CSV-enabled volumes operate still require one cluster node that’s responsible for the coordination of file access. This cluster node is called the coordinator node, with each individual LUN having its own coordinator node. That node can be any of your cluster hosts, with each host having an equal chance of being given the job. While this responsibility doesn’t come into play often—typically, Hyper-V interacts with its disk files directly, not necessarily through a coordinator node—it’s important for certain types of actions. One of those actions is copying VHD files to a LUN. Hyper-V transparently redirects the file copy through the coordinator node. This redirection obviously means that VHD file copies can take longer if you initiate them from servers other than the coordinator node. So always do heavy VHD file work from the coordinator node to save yourself time. So how do you know which node is the coordinator node? There are a couple of ways to discover who’s got the job:
• Inside the Failover Cluster Manager console, click on the Cluster Shared Volumes link and browse through the CSVs you’ve created. You’ll notice that each CSV has a listing for a Current Owner. The Current Owner is the coordinator node.
• Using Windows PowerShell, you can identify the coordinator node with the Get-ClusterSharedVolume cmdlet. Look for the Node column in the results for your current coordinator node.
—Greg Shields
InstantDoc IDs 125303 and 125325
Q: How can I schedule a Windows PowerShell script?
A: Scheduling a PowerShell script is easy: Just schedule PowerShell.exe, which is located in \Windows\System32\WindowsPowerShell\v1.0 (even v2 is located in that folder for some reason). PowerShell.exe has command-line parameters that let you specify a command—such as the name of a script—that you want to run. Be sure that the scheduled task is running under a user account that has permission to do whatever the script is trying to do.
—Don Jones
InstantDoc ID 125135
ASK THE EXPERTS: Answers to Your Questions
Q: I don’t have a Certification Authority (CA) or Public Key Infrastructure (PKI). Can I use SSL on my test website without purchasing a certificate?
A: Microsoft has built in support for the creation of self-signed certificates in IIS 7.0. These allow you to create web server certificates easily, without the need for a PKI or an externally purchased certificate. You can create self-signed certificates from the Server Certificates section in the IIS Manager MMC snap-in. To get to this section, click the root machine node in the left-hand pane of the IIS Manager, and then select the “Server Certificates” icon in the right pane. The Server Certificates section lists all certificates that are registered on the machine, and it allows you to import and create certificates. To create a self-signed certificate, click Create Self-Signed Certificate… in the Actions pane of the IIS Manager. IIS will prompt you to enter a name for the certificate. When you click OK, IIS automatically creates a self-signed certificate and registers it on the machine. Once you’ve registered an SSL certificate on your IIS machine, you still need to SSL-enable the website itself. To do so, select your website in the Web Sites node in the left-hand pane of the IIS Manager and click the Bindings link in the Actions pane. This brings up a dialog box that shows all the binding rules for the site. To enable SSL for your site, click the Add… button. This brings up an Add Web Site Binding dialog box that you can use to add HTTPS protocol support. In this dialog, you must select https for Type: and the self-signed certificate you created earlier for SSL certificate:. Finally, click the OK button. There’s one small but important problem you must be aware of that has to do with the way IIS 7.0 creates self-signed certificates. IIS 7.0 always creates the SSL certificate with the local computer name as the Common Name (CN). To make SSL function properly, the certificate’s CN should match the website’s DNS address, and in many cases the website’s DNS name is different from the computer name. If your certificate CN doesn’t match the website DNS address, browsers will tell your users that something is wrong with the SSL setup or refuse to open the site. To fix this problem, you can use the SelfSSL.exe utility to generate a self-signed SSL certificate for your web server and link it to your website. SelfSSL is part of the IIS6 Resource Kit and can be used to generate self-signed certificates in earlier IIS versions. You can download the IIS6 Resource Kit Tools from Microsoft. Run SelfSSL using the syntax
Selfssl /N:CN=<your_websitename> /V:<cert_validityperiod> /S:<site_ID> /P:<portnumber>
Make sure that in the above command, you replace <your_websitename> with the actual name of your website (such as mytest.internal.net), <cert_validityperiod> with the number of days the certificate should be valid, <site_ID> with the actual site ID (see note below) and <portnumber> with the actual port number (defaults to 443 for HTTPS). To look up the site ID of your website, select the Sites node in the IIS Manager—you can find the site ID in the ID column in the right pane.
—Jan De Clercq
InstantDoc ID 125195
Q: How can I directly log on to ESX’s Service Console as root?
A: Right out of the box, you can’t. And most security guidelines say you shouldn’t. What you’re asking for is the ability to use Secure Shell (SSH) to connect directly to an ESX server’s Service Console, log in as root, and manage the server with your administrative credentials. You’re used to doing that in Windows, but in the UNIX world, root is intended only for limited use. That’s why the standard procedure is to log on to your ESX server’s Service Console as someone else and use the sudo command to run specific commands that require root privileges. Sometimes, when you have lots of commands to run, you can elevate your privileges to root using the “su –” command and the root password. This separation helps protect you against an errant keystroke that accidentally causes catastrophic damage to your ESX environment. Being a command line-based UI, you can see how just a few characters in the wrong place can do that. If you insist on having the ability to log on as root, you can enable root logons by editing the /etc/ssh/sshd_config file using your favorite text editor, such as nano or vi. Look for the line that says PermitRootLogin and change its no entry to yes. Restart the sshd daemon with the command service sshd restart and you’re done.
—Greg Shields
InstantDoc ID 125225
Q: How do I quote command parameters for an external command in Windows PowerShell?
A: Normally, PowerShell can run external commands, such as ipconfig, ping, and nslookup, if you simply type the command name. However, some commands require extensive command-line parameters. When those parameters start to involve quotation marks, it can get tricky to get PowerShell to properly parse the arguments and pass them to the external command. For example, consider this simple command:
Wdsutil /replace-image /image:"MyImage"
The easiest way to run it is to use PowerShell's Start-Process cmdlet, which can accept the complete argument as a here-string:
Start-Process WdsUtil -argument @"
/replace-image /image:"MyImage"
"@
Note that you have to type it just like this: The @" must be the last thing on the first line, then you type whatever arguments you want passed, and finally the closing "@ must be the first two characters on the next line. There's a more technical discussion of this trick at bit.ly/9c0p5Y, which also discusses how PowerShell parses arguments for external commands.
—Don Jones
InstantDoc ID 125140
ASK THE EXPERTS
www.windowsitpro.com | We're in IT with You | Windows IT Pro | August 2010 | 21
Q: How can I publish a Certificate Revocation List (CRL) or Certification Authority (CA) certificate to an Active Directory (AD) Lightweight Directory Services (LDS) instance?
A: A Windows Enterprise CA (that is, an AD-integrated CA) automatically publishes its certificates and CRLs in AD. But if you're using a different LDAP server, such as an AD LDS instance, you must publish the certificates and CRLs manually. The easiest way to do this is to use the Certutil command-line utility. To manually publish a certificate to an AD LDS instance, use the command
certutil -addstore "ldap://<Server_name>/<Distinguished_Name>?cACertificate?base?objectClass=certificationAuthority" <Cert_file_name>
For example,
certutil -addstore "ldap://myadldsserver.mycompany.net/CN=myCA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=net?cACertificate?base?objectClass=certificationAuthority" mycacertificate.cer
To manually publish a CRL to an AD LDSinstance, use the command
certutil -addstore "ldap://<Server_name>/<Distinguished_Name>?certificateRevocationList?base?objectClass=cRLDistributionPoint" <CRL_file_name>
In the above commands, you must replace <Server_name> with the name of the AD LDS server; <Distinguished_Name> with the DN of the target object (the certificationAuthority object for a CA certificate, or the cRLDistributionPoint object you configured as the LDAP CRL Distribution Point in the CA configuration for a CRL); <CRL_file_name> with the file name of the CRL you want to publish; and <Cert_file_name> with the file name of the certificate you want to publish.
—Jan De Clercq
InstantDoc ID 125193
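Certutil reports success when the LDAP write is accepted, not when the right certificate ended up on the right object. The function below is an added example, not part of the Q&A: it reads the certificationAuthority object back over LDAP with System.DirectoryServices, decodes each value of the multi-valued cACertificate attribute, and compares thumbprints with the .cer file you intended to publish. The server name, DN and file name are the Q&A's examples; the function and its output fields are this example's own.

```powershell
# Added example (not from the Q&A): verify that certutil -addstore actually
# published the expected CA certificate to the AD LDS object.
function Test-PublishedCaCertificate {
    param(
        [string]$LdapServer = 'myadldsserver.mycompany.net',
        [string]$ObjectDn   = 'CN=myCA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=net',
        [Parameter(Mandatory=$true)][string]$CertFile
    )
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Resolve-Path $CertFile).Path)

    # Bind to the object and pull only the attributes we need. A missing object
    # surfaces here as a DirectoryServicesCOMException, which is the right failure.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LdapServer/$ObjectDn")
    $entry.RefreshCache(@('objectClass', 'cACertificate'))

    $classes = @($entry.Properties['objectClass'] | ForEach-Object { "$_" })
    $published = @()
    foreach ($blob in $entry.Properties['cACertificate']) {
        # cACertificate is multi-valued; each value is one DER-encoded certificate.
        # The leading comma keeps the byte[] from being unrolled into separate arguments.
        $published += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
    }
    $found = @($published | Where-Object { $_.Thumbprint -eq $expected.Thumbprint })

    New-Object PSObject -Property @{
        ObjectDn                 = $ObjectDn
        IsCertificationAuthority = ($classes -contains 'certificationAuthority')
        PublishedCount           = $published.Count
        PublishedThumbprints     = @($published | ForEach-Object { $_.Thumbprint })
        ExpectedThumbprint       = $expected.Thumbprint
        Published                = ($found.Count -gt 0)
    }
}

Test-PublishedCaCertificate -CertFile .\mycacertificate.cer
```

Published $true with PublishedCount greater than 1 is normal after a CA key renewal (old and new certificates coexist); Published $false with IsCertificationAuthority $true usually means the .cer you passed to certutil was not the one you meant. The same read-back pattern applies to the certificateRevocationList attribute on the cRLDistributionPoint object, except that .NET has no CRL class, so compare the raw bytes with the .crl file instead.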
Q: How do I open Outlook 2010 email in a web browser?
A: There are some circumstances where you might want to view an email in a web browser. For example, you might receive an email that doesn't render well in Microsoft Outlook. Or perhaps you want to print an email using a more controlled interface; for example, you might want to print a single page of an email (see my tip "Printing Only the First Page of an Outlook 2007 Email," InstantDoc ID 100555). Outlook 2010 provides a simple mechanism for viewing emails in a browser. When Outlook identifies that a message might have some rendering issues, it includes advice in the MailTips section of the message: "If there are problems with how this message is displayed, click here to view it in a web browser." Clicking this banner reveals a context menu, which includes the option to View in Browser. You can also find the View in Browser option in the Move section of the Ribbon of an opened message. Select Actions, View in Browser. This option opens Internet Explorer (IE). It won't open your default browser, if you use a default browser other than IE. Outlook saves a copy of your message as a web archive (MHTML) with the extension .mht in a temporary files folder. For example:
file://localhost/C:/Users/<username>/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/Content.Outlook/WW7HRH1C/email%20(3).mht
By default, files with the .mht extension are associated with IE. It's this file association that determines which application is opened. You can change this file association within Windows if you want another browser to try to view messages, but not all can render .mht files: Firefox and Chrome can't do it by default, but Opera can render .mht files.
—William Lefkovics
InstantDoc ID 125320
Q: Can I encrypt the communication between my Hyper-V cluster hosts?
A: Absolutely, although where this setting is done is neither obvious nor entirely well-publicized anywhere on the Internet. You can find more information about this nifty feature in a 2009 Tech Ed presentation by Symon Perriman of Microsoft, "Multi-Site Clustering with Windows Server 2008 Enterprise," at bit.ly/dilV86. Clusters where every node exists within the same LAN probably don't need intra-cluster traffic encryption, but those that span multiple sites can. If you intend to stretch your cluster to another site across a Multiprotocol Label Switching (MPLS) network or other shared Internet connection, consider encrypting your cluster communication to protect it against spying eyes. Setting up encryption requires Windows PowerShell, specifically the Get-Cluster cmdlet. Running
Get-Cluster clusterName | fl *
against your cluster will display the full list of cluster properties. The property you're interested in for this purpose is SecurityLevel. A SecurityLevel of 0 will use clear text for communication. A SecurityLevel of 1 (the default) will sign the traffic. Setting SecurityLevel to 2 will encrypt the communication. To start encrypting, use the command
Get-Cluster clusterName | ForEach-Object { $_.SecurityLevel = 2 }
The cmdlets that are associated with Windows Failover Clustering are part of a module called FailoverClusters. This module isn't loaded by default when you first launch PowerShell, even from the console of your cluster nodes. To load this module and enable the use of cmdlets such as Get-Cluster, first run
Import-Module FailoverClusters
If, down the road, you forget the exactname of this module, you can always get a listing of the available modules using
Get-Module -ListAvailable
—Greg Shields
InstantDoc ID 125346
DNS Enhancements in Windows Server 2008 R2
by John Savill

DNSSEC, DNS Devolution, and DNS Cache Locking introduce a new world of secure communications

DNS is our trusted guide to the digital world. When we access a server by name, we're trusting DNS to give us the IP address of the correct destination. If our DNS infrastructure is compromised, names might be resolved to malicious hosts, which could capture sensitive information and credentials, distribute misinformation, or just disrupt our access to services.

Today's infrastructure houses highly sensitive information and forms the backbone of many businesses, so we need something more. Confidence in our DNS infrastructure and the information it provides is crucial to maintaining an organization's security and integrity. With Windows Server 2008 R2, we have some very powerful technologies with which to gain this confidence. Let's start with a little background, then see what new enhancements such as DNS Security Extensions (DNSSEC), DNS Devolution, and DNS Cache Locking can provide.
Traditional DNS Shortcomings

With traditional DNS, clients can perform only basic checks to determine whether DNS responses have been spoofed. A client can check whether the DNS server address matches the expected address; however, this capability is often disabled due to network infrastructure configurations. This check is also easy to fake: The port used in the response needs to match the client request's port, which is easy to guess. Even with new Server 2008 R2 DNS enhancements to source-port randomization, the risk isn't mitigated so much as the time required for an attack is increased. The random XID value sent by the client (and included in the response) is a 16-bit value sent in clear text, so an on-path attacker can copy it and an off-path attacker can guess it. Also, in traditional DNS, the client's query is echoed back by the DNS server, but if an attacker is able to capture the request and spoof a response, echoing back the original query is easy.

There's no checksum within the DNS response—say, to ensure that the content of the response hasn't been altered. So, man-in-the-middle attacks can modify the content as it's transmitted to the client. Also, consider that many of our DNS results don't come from the authoritative DNS server; rather, they come from an in-between DNS server that has a cached lookup and returns the information in the cache. Many attackers poison the cache of DNS servers by bombarding them with false records.
DNSSEC for All

DNS Security Extensions (DNSSEC) isn't a proprietary Microsoft technology but rather an Internet-standard extension to DNS defined in RFCs 4033, 4034, and 4035 that Microsoft has implemented as part of the Server 2008 R2 DNS role. An earlier version of DNSSEC was defined in RFC 2535, but it's been replaced by the aforementioned RFCs, and implementations that follow RFC 2535 (Windows Server 2003 and even Server 2008) aren't compatible with the Server 2008 R2 implementation.

At its most basic level, DNSSEC ensures the integrity of the DNS infrastructure through technologies that verify the authenticity of received data, including authenticated denial-of-existence responses. Verification is enabled through public key cryptography, which enables the use of digital signatures on all DNS responses. A successful digital signature validation means that the data received is genuine and can be trusted. The digital signature is generated using the DNS zone's private key (which is kept secret) and the content of the record, and can be validated with the public key. If a packet is generated from a malicious source, its digital signature will fail; if a packet has been modified, the signature will no longer match the content.

Facilitating this public key cryptography are several new DNS record types—specifically, DNS Public Key (DNSKEY), which is a container for a DNS zone's public key; Resource Record Signature (RRSIG), which contains the digital signature over a set of records in a DNS response; Delegation Signer (DS), which is used between a child and parent zone that are both DNSSEC-enabled; and Next Secure (NSEC), which allows authenticated denial-of-existence records by effectively returning the name that would be prior to the non-existent requested name (in DNSSEC canonical order, which is roughly alphabetical but compares names label by label starting from the root) and notifying what the next secure record would be. For example, if you had records A and E in your DNS zone, and you were asked for record C, the response would be the NSEC record owned by A, whose next name is E, with a signature, thereby notifying you that the asked-for record doesn't exist because there are no records between A and E.

The critical element is the trust. The client must trust the zone's public key because the public key is used to authenticate the response by verifying the signature, which was created using the private key. Ensuring that clients trust only the real authoritative DNS zone owner is achieved through chains of trust.

In an ideal world, this public key infrastructure (PKI) hierarchy would be self-contained in the DNS hierarchy, in that the root of DNS, ".", would be DNSSEC-enabled and globally trusted by all clients. Then, the root could sign the top-level domains (e.g., com, net, org), which could then sign their subordinate domains (e.g., company.com), thereby creating a trust path. This means that clients would need only to trust the root zone, since the root zone is used to authenticate all the other child zones. In Figure 1's example, .net is DNSSEC-enabled, so any child zone that is signed by the .net parent would be trusted by any DNS client that trusts .net.

You see this today with normal PKI certificates. Most computers are configured to trust certain Internet root certificate authorities (CAs), such as VeriSign, Thawte, and Equifax. These authorities grant sites certificates that are signed by the root CAs; because clients trust the root CA, they trust certificates signed by a CA that has effectively been vouched for by the root CA. DNS works similarly: Clients trust the root and top-level domains (assuming the root and top-level domains are the trust anchors), which then authenticate the child sites.

At this time, the DNS root zone doesn't support DNSSEC, and neither does COM, but this will change in the near future as the use of DNSSEC is being mandated by many governments around the world. The DNS root will be DNSSEC-enabled in mid-2010, and COM some time in 2011 or 2012. Therefore, we need an interim solution to enable clients to trust the DNS zones that are DNSSEC-enabled.

Whenever we talk about digital signatures, we need a mechanism for clients to be able to validate the signature. This is achieved through public key cryptography. A public key for the secured DNS zone is available for clients to use to validate the digital signature that was generated using the DNS zone's private key. This public key at the root of a DNSSEC trusted namespace—for example, .net—is known as the trust anchor; it's the anchor of trust between the client and DNS namespace. If a client has a trust anchor to a zone, the client builds a chain of authentication to any child zone of the trust anchor, removing the need for DNS clients to explicitly trust every zone within a namespace. Don't panic, though: You don't need a full PKI deployed in your environment. The public keys for the secured zones are actually stored within the DNS infrastructure, but how do you know who to trust? How do you get valid trust anchors since the root DNS zone can't sign?

Through a process called DNSSEC Lookaside Validation (DLV), public keys can be configured to be trusted by DNS clients. There are repositories on the Internet that allow DNSSEC-enabled zones to upload their public keys, which clients can then use. These public repositories are trust anchors on the clients. We trust these repositories to do the right thing and make sure the public keys they store are legitimate—the same way we trust VeriSign to ensure that a company is genuine before giving the company SSL or code-signing certificates. An organization can download the content of this repository, and Active Directory (AD) can replicate the DNSSEC information downloaded to all DNS servers. (DLV isn't supported in Server 2008 R2.)

Alternatively, you can manually configure trust anchors within DNS by specifying a zone name and the public key that zone's name servers give, as Figure 2 shows. When the entry point for a trust chain (i.e., a trust anchor) is being configured, and you're specifying the key signing key (more on this later), you would select the Secure Entry Point (SEP) option, the flag that distinguishes a key signing key from a zone signing key. If you want to share your public key so that another organization or repository can add it as a trust anchor, that organization will need the content of the %systemroot%\System32\dns\keyset-<zonename> file, as you see in Figure 3.

Figure 1: Setting the trust anchor

DNS ENHANCEMENTS
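The NSEC example above (records A and E, query for C) glosses over one detail that matters when you read a signed zone or debug a validation failure: DNSSEC sorts owner names in canonical order (RFC 4034 section 6.1), lowercased and compared label by label from the root, which is not the same as sorting the whole string. The following PowerShell is an added example, not code from the article: it implements that ordering, sorts a small constructed zone, and picks the NSEC record that proves a queried name does not exist, including the wrap-around to the zone apex for a name that sorts after everything in the zone. The zone names are made up for the demonstration.

```powershell
# Added example (not from the article): canonical DNS name ordering and the NSEC
# record that covers a non-existent name.
function Get-CanonicalLabels {
    param([string]$Name)
    $labels = @($Name.TrimEnd('.').ToLowerInvariant() -split '\.')
    [array]::Reverse($labels)                 # compare the root-most label first
    return ,$labels
}

function Compare-CanonicalName {
    param([string]$A, [string]$B)
    $la = Get-CanonicalLabels $A
    $lb = Get-CanonicalLabels $B
    $n = [Math]::Min($la.Count, $lb.Count)
    for ($i = 0; $i -lt $n; $i++) {
        $c = [string]::CompareOrdinal($la[$i], $lb[$i])   # byte-wise on lowercase ASCII labels
        if ($c -ne 0) { return [Math]::Sign($c) }
    }
    return [Math]::Sign($la.Count - $lb.Count)            # a shorter (parent) name sorts first
}

function Get-NsecProof {
    param([string[]]$ZoneNames, [string]$QueryName)
    $sorted = New-Object 'System.Collections.Generic.List[string]'
    foreach ($name in $ZoneNames) { $sorted.Add($name.TrimEnd('.').ToLowerInvariant()) }
    $sorted.Sort([System.Comparison[string]] { param($x, $y) Compare-CanonicalName $x $y })
    $q = $QueryName.TrimEnd('.').ToLowerInvariant()

    # The name exists: the server returns the record and its RRSIG, no NSEC is needed.
    if ($sorted.Contains($q)) {
        return New-Object PSObject -Property @{ Query = $q; Exists = $true; NsecOwner = $null; NsecNext = $null }
    }
    # Otherwise the covering NSEC is owned by the last existing name that sorts before
    # the query; its "next" field is the following name, wrapping to the apex when the
    # query sorts after every name in the zone.
    $owner = -1
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        if ((Compare-CanonicalName $sorted[$i] $q) -lt 0) { $owner = $i }
    }
    if ($owner -lt 0) { $owner = $sorted.Count - 1 }     # cannot happen for an in-zone query; guard anyway
    $next = ($owner + 1) % $sorted.Count
    New-Object PSObject -Property @{ Query = $q; Exists = $false; NsecOwner = $sorted[$owner]; NsecNext = $sorted[$next] }
}

# Constructed zone: the article's A and E plus two names that expose the difference
# between canonical and plain string order. Canonical order is:
#   secure.savilltech.net, a.secure..., e.secure..., z.sub.secure..., y.secure...
# (z.sub sorts before y because the fourth label from the root is "sub", not "z").
$zone = 'secure.savilltech.net', 'a.secure.savilltech.net', 'e.secure.savilltech.net',
        'y.secure.savilltech.net', 'z.sub.secure.savilltech.net'

Get-NsecProof $zone 'c.secure.savilltech.net'    # NsecOwner a.secure..., NsecNext e.secure...
Get-NsecProof $zone 'zz.secure.savilltech.net'   # NsecOwner y.secure..., NsecNext secure.savilltech.net (wrap)
```

A validating resolver accepts the NXDOMAIN only if the query name falls strictly between NsecOwner and NsecNext in this order and the NSEC's RRSIG verifies; a server that sorted names as plain strings would emit NSEC records whose ranges do not cover the gaps, and validation would fail.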
Figure 2: Trusting DNS responses

C:\Windows\System32\dns>type keyset-secure.savilltech.net
secure.savilltech.net. 3600 IN DNSKEY 257 3 5 (
    AwEAAZAP23IinKsyBp5WU4YTM7fFj/uutBph HyNp617eps5haOjr0fKanri23VL4DEfjvjRw
    JMAqh9Sx5QWpXpltudM1WSaRVyvLns/ILSUJ t/1ta0ceVmAwqLmXb6lYzRGat9RK64izJVtz
    AlTEzdUzW89Q+dmm+2GsXaY4U6bUGaE1pxD6 WKVpGOk3eahJoc4+eUlO9SKvDzrR4othF6hi
    Wl/YsZs6O8iLTxoXcIfz2EUq9ioYSvpWPxOz KnwnmSFVRBtpJA/bxRPvYNuf6a1l6q2OuTSG
    JVNbeyOFLcpbCAwlR2uX6G3VPdYxX5HIzF+u B3PQJZvM8pjRgNQDJrgu/lc= ) ; key tag = 33509

Figure 3: Sharing the public key

This functionality isn't between a DNS client (e.g., your workstation) and the authoritative DNS server for the lookup you're performing. We can't actually define trust anchors on a DNS client! In fact, even though I've been using the term DNS client, DNSSEC is actually more important between DNS servers. In the typical DNS-resolution flow, you ask your local DNS server and it recursively looks up the answer, so your DNS server is the component that needs to validate responses. In most environments, the client won't perform DNSSEC validation; it relies on its DNS server to do that by asking the DNS server to use DNSSEC.

To provide maximum protection for end clients, best practice is to use IPsec to authenticate the data and perhaps encrypt communication between the client and the local DNS server. This method ensures no local corruption of data from the DNS server to the client.

To configure the DNS clients' expectation of DNSSEC, you use the Name Resolution Policy Table (NRPT), which is what determines how security should be used for DNS: whether you have entries for various DNS namespaces (e.g., microsoft.com), whether DNSSEC validation is required for each namespace, and whether IPsec should be used between the client and its next DNS hop (i.e., the client's local DNS server). You typically manage the NRPT through Group Policy instead of trying to manually configure it across many clients. Figure 4 shows a sample policy. Note that you can base your NRPT on more than just the DNS suffix: You can use prefix, fully qualified domain name (FQDN), and subnet.

Now that you understand how DNSSEC ensures DNS responses are genuine, how do you get it? In the Microsoft world, you need your DNS servers to run Server 2008 R2 and your clients to run Windows 7, and because of the way DNSSEC functions, there are some restrictions on its use. You aren't going to turn DNSSEC on for every record in your organization; you'll use DNSSEC to secure records that are used with a wider, Internet-focused audience, such as your secure website address. A zone that is digitally signed with DNSSEC will no longer accept any dynamic updates, which most environments use for their hosts to register their host-to-IP mappings without any manual intervention. Therefore, you'll create a separate zone to use for your secure records, in addition to a zone facing the Internet for dynamic updates (if necessary). Every DNS server that hosts a copy of the signed zone must be running Server 2008 R2, and you need to ensure that your network can handle the increased DNS packet size that comes with DNSSEC enablement. For example, ensure that you have support for Extended DNS 0 (EDNS0), which permits DNS packets up to 4KB instead of the standard 512 bytes.

To enable DNSSEC on your Server 2008 R2 zones, you use the DnsCmd utility to generate the key signing keys and zone signing keys, and store them in the local computer's certificate store (MS-DNSSEC). The zone signing key (ZSK in the code below) signs all the records in the zone, and the key signing key (KSK in the code) signs only other keys. You also need to create the DNSSEC resource records at the root of the trust chain. (This occurs automatically.) To create my certificates, for example, I type

dnscmd /offlinesign /genkey /alg rsasha1 /flags KSK /length 2048 /zone secure.savilltech.net /SSCert /FriendlyName KSK-secure.savilltech.net
dnscmd /offlinesign /genkey /alg rsasha1 /length 2048 /zone secure.savilltech.net /SSCert /FriendlyName ZSK-secure.savilltech.net

For your AD-integrated zones, you need to export the zone to a file, sign the file-based zone with your certificates, and save to a new file. Then, you need to delete the existing zone, import the new signed zone file, and reset the zone to be AD integrated. The major steps I used in my environment after creating the aforementioned certificates are

dnscmd /zoneexport secure.savilltech.net securesavilltechnet.dns
dnscmd /offlinesign /signzone /input securesavilltechnet.dns /output securesavilltechnetsigned.dns /zone secure.savilltech.net /signkey /cert /friendlyname KSK-secure.savilltech.net /signkey /cert /friendlyname ZSK-secure.savilltech.net
dnscmd /zonedelete secure.savilltech.net /dsdel /f
dnscmd /zoneadd secure.savilltech.net /primary /file securesavilltechnetsigned.dns /load
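The dnscmd sequence above has one unforgiving step: /zonedelete removes the live AD-integrated zone before anything has confirmed that the signed file is usable. The following PowerShell function is an added example, not the article's own script: it runs the same commands from the DNS directory, stops on any non-zero dnscmd exit code, keeps a timestamped copy of the export, and refuses to delete the zone unless the signed file actually contains DNSKEY, RRSIG and NSEC records. Zone, file and key names follow the article; the function, its parameters and the checks are this example's assumptions, so try it on a lab zone first.

```powershell
# Added example (not from the article): the offline signing procedure with the
# preflight checks you want before the destructive /zonedelete step.
function Invoke-DnsCmd {
    param([string[]]$Arguments)
    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$($output -join "`n")"
    }
    $output
}

function Invoke-DnsZoneOfflineSigning {
    param(
        [Parameter(Mandatory=$true)][string]$Zone,            # e.g. secure.savilltech.net
        [string]$DnsDir = "$env:SystemRoot\System32\dns",     # where dnscmd reads and writes zone files
        [int]$KeyLength = 2048
    )
    $base   = $Zone -replace '\.', ''                        # securesavilltechnet
    $plain  = "$base.dns"
    $signed = "${base}signed.dns"
    $ksk    = "KSK-$Zone"
    $zsk    = "ZSK-$Zone"

    Push-Location $DnsDir
    try {
        # 1. Key signing key (flags KSK) and zone signing key, stored as self-signed
        #    certificates in the MS-DNSSEC store, exactly as in the article.
        Invoke-DnsCmd @('/offlinesign','/genkey','/alg','rsasha1','/flags','KSK','/length',"$KeyLength",
                        '/zone',$Zone,'/SSCert','/FriendlyName',$ksk) | Out-Null
        Invoke-DnsCmd @('/offlinesign','/genkey','/alg','rsasha1','/length',"$KeyLength",
                        '/zone',$Zone,'/SSCert','/FriendlyName',$zsk) | Out-Null

        # 2. Export the live zone and keep a timestamped copy: it is the only way back
        #    if the signed import fails after the delete below.
        Invoke-DnsCmd @('/zoneexport',$Zone,$plain) | Out-Null
        if (-not (Test-Path $plain)) { throw "export $plain was not written; nothing has been changed" }
        Copy-Item $plain ("$plain.bak-" + (Get-Date -Format 'yyyyMMddHHmmss'))

        # 3. Sign the file-based copy with both keys.
        $signArgs = @('/offlinesign','/signzone','/input',$plain,'/output',$signed,'/zone',$Zone,
                      '/signkey','/cert','/friendlyname',$ksk,
                      '/signkey','/cert','/friendlyname',$zsk)
        Invoke-DnsCmd $signArgs | Out-Null

        # 4. Preflight: a signed zone must carry DNSKEY, RRSIG and NSEC records.
        $text = Get-Content $signed
        foreach ($type in 'DNSKEY', 'RRSIG', 'NSEC') {
            if (-not ($text | Select-String -Pattern "\s$type\s" -Quiet)) {
                throw "$signed contains no $type records; the live zone was left untouched"
            }
        }

        # 5. Destructive part: replace the zone and make it AD-integrated again.
        Invoke-DnsCmd @('/zonedelete',$Zone,'/dsdel','/f') | Out-Null
        Invoke-DnsCmd @('/zoneadd',$Zone,'/primary','/file',$signed,'/load') | Out-Null
        Invoke-DnsCmd @('/zoneresettype',$Zone,'/dsprimary') | Out-Null

        # keyset-<zone> holds the public DNSKEY material for anyone who will configure
        # you as a trust anchor (the article's Figure 3).
        Get-Item "keyset-$Zone"
    } finally {
        Pop-Location
    }
}

Invoke-DnsZoneOfflineSigning -Zone secure.savilltech.net
```

Because the signed zone rejects dynamic updates, run this only against the separate static zone the article recommends; the keys it generates have a finite validity, so schedule the same routine for re-signing before they expire.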
dnscmd /zoneresettype secure.savilltech.net /dsprimary

Figure 5 shows the various DNSSEC-related entries.

Figure 4: Specifying DNSSEC requirements for a DNS zone
Figure 5: DNSSEC-related entries

Implementing DNSSEC involves many steps, and keeping it running and ensuring that the keys are maintained is similarly time consuming. The keys we created have a limited lifetime and need to be updated; if we have trust anchors configured, those public keys will change and therefore require updating. I strongly recommend reading the Microsoft article "Deploying DNS Security Extensions (DNSSEC)" at technet.microsoft.com/en-us/library/ee649268(WS.10).aspx; it's a great step-by-step guide.

DNS Devolution

DNSSEC is probably the most famous Server 2008 R2 DNS feature, but there are some other useful enhancements. In environments that have a deep DNS namespace, it can sometimes be tricky to know the correct DNS suffix for an address. For example, in my environment, I know the host is called savdalfile01, but I'm a member of dallas.na.savilltech.net, and I'm not sure if savdalfile01 should be savdalfile01.dallas.na.savilltech.net, savdalfile01.na.savilltech.net, or savdalfile01.savilltech.net. In the past, we would define a global suffix list of all the DNS suffixes that should be tried when resolving a name.

Server 2008 R2 and Windows 7 offer an update to a key feature—DNS Devolution—that lets DNS resolution requests traverse up the DNS namespace until a match is found or until a certain number of devolutions is reached. (Every move up the namespace to a parent is a devolution to one level above.) An example is savdalfile01: With DNS Devolution enabled, when a client attempts to resolve savdalfile01, savdalfile01.dallas.na.savilltech.net would be queried first; if that fails, the client strips the leftmost label of its suffix and queries savdalfile01.na.savilltech.net. (It's checking a third-level devolution because that DNS suffix has three parts—na, savilltech, and net.) If there's still no match, the client tries savdalfile01.savilltech.net (which now has a devolution level of 2, as this DNS suffix has two parts). Basically, it allows a member of a child namespace to access resources in the parent without having to specify the parent's namespace as part of the DNS query.

New to the Server 2008 R2 and Windows 7 DNS client is the ability to set a devolution level. As an administrator, you can define whether DNS devolution is enabled and which DNS devolution level you'll devolve down to. For example, setting a devolution level of 2 means you would devolve down to the two-part Forest Root Domain (FRD) second-level domain (e.g., savilltech.net). Setting a devolution level of 3 means you would devolve only to the third-level DNS domain (e.g., na.savilltech.net).

You can configure DNS Devolution using Group Policy, through the Primary DNS Suffix Devolution and Primary DNS Suffix Devolution Level policies found at Computer Configuration\Policies\Administrative Templates\Network\DNS Client, as Figure 6 shows. You can also set DNS Devolution directly in the registry with the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseDomainNameDevolution and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters\DomainNameDevolutionLevel values.

This functionality is useful in environments that have multiple levels of DNS namespace. The Microsoft security advisory "Update for DNS Devolution" (www.microsoft.com/technet/security/advisory/971888.mspx) offers an update for older versions of Windows.

DNS Cache Locking

At the beginning of this article, I mentioned that one DNS vulnerability was that DNS servers cache entries for recursive lookups (lookups for records they aren't authoritative for, and for which they have to consult other DNS servers) they've performed to speed up future lookup requests for the same information. Those lookups have a specific time to live (TTL) before the record must be rechecked to see if it's changed. The exploit uses DNS cache poisoning to send incorrect responses to a DNS server to try and update that cache so that clients using the server will receive incorrect information.

DNS Cache Locking is a new Server 2008 R2 feature that helps mitigate cache poisoning: It locks the entries in the cache for the record's TTL. So, if someone tries to poison the cache with a replacement record, the DNS server will ignore it and thus maintain the integrity of the cache content. Note that Cache Locking protects only records that are already cached; a forged answer for a name the server hasn't cached yet can still be accepted, so it complements source-port randomization and DNSSEC rather than replacing them.

To use Cache Locking, you set a percentage of the TTL of records that the cache content is locked for—for example, a setting of 75 means that cached records can't be overwritten until 75 percent of their TTL has passed. The default value is 100, which means records can't be updated until the TTL has expired. However, you can change this setting's registry value at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\CacheLockingPercent to your desired percentage. Note that if this value isn't present, the default of 100 is used.
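Because an absent CacheLockingPercent value means 100 while a present value can silently weaken the protection, the state of a fleet of DNS servers is worth auditing rather than assuming. The following PowerShell is an added example, not code from the article: it reads the value remotely from each server, applies the "absent means 100" rule from the paragraph above, flags any server where cached records can be overwritten before their TTL expires, and offers a setter that writes a validated percentage and restarts the DNS service so the new value takes effect. Server names are placeholders; remote registry access requires the Remote Registry service and administrative rights on each target.

```powershell
# Added example (not from the article): audit and set DNS Cache Locking across
# Server 2008 R2 DNS servers through the registry value the article names.
function Get-DnsCacheLockingPercent {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    $path = 'SYSTEM\CurrentControlSet\services\DNS\Parameters'
    foreach ($server in $ComputerName) {
        $value = $null; $effective = $null; $note = ''
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $server)
            $key = $hklm.OpenSubKey($path)
            if ($key -eq $null) {
                $note = 'DNS\Parameters key missing; DNS server role not installed?'
            } else {
                $value = $key.GetValue('CacheLockingPercent')   # $null when the value is absent
                $key.Close()
            }
            $hklm.Close()
        } catch {
            $note = $_.Exception.Message
        }
        if ($note -eq '') {
            if ($value -eq $null) { $effective = 100; $note = 'value absent, default of 100 applies' }
            else { $effective = [int]$value }
        }
        New-Object PSObject -Property @{
            ComputerName = $server
            Configured   = $value
            Effective    = $effective
            # Anything below 100 lets a cached record be replaced before its TTL expires.
            Weakened     = ($effective -ne $null -and $effective -lt 100)
            Note         = $note
        }
    }
}

function Set-DnsCacheLockingPercent {
    param(
        [Parameter(Mandatory=$true)][ValidateRange(0,100)][int]$Percent,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\services\DNS\Parameters', $true)
    if ($key -eq $null) { throw "$ComputerName has no DNS\Parameters key; is the DNS server role installed?" }
    $key.SetValue('CacheLockingPercent', $Percent, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $hklm.Close()
    # The DNS service reads its Parameters values at start-up, so restart it to apply the change.
    Get-Service -Name DNS -ComputerName $ComputerName | Restart-Service
}

# Placeholder server names: report every server whose cache can be overwritten early.
Get-DnsCacheLockingPercent -ComputerName 'savdaldc01', 'savdaldc02' | Where-Object { $_.Weakened }
```

Run the report before and after any change; the restart in the setter briefly interrupts resolution on that server, so apply it to one server at a time.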
More on the NRPT

I already discussed how the NRPT helps define the way clients and servers act for different DNS zone requests. You have numerous entries in the NRPT, and if a DNS query matches an entry in it, the query is handled according to the configuration of the matching NRPT entry. If no match is found, the system performs default DNS handling.

In addition to DNSSEC, the NRPT is used for one other key piece of Windows 7 and Server 2008 R2 functionality—namely, DirectAccess, which is the new technology that lets Windows 7 clients communicate with corporate resources no matter where they are on the Internet, without having to use VPNs. The client just accesses a corporate resource, and DirectAccess facilitates secure communication back to the corporate network.

This automatic use of DirectAccess to get to resources raises an important question: How does the Windows 7 client know which destinations in the corporate network should be accessed through DirectAccess and which should just use normal Internet connectivity? I don’t want my Amazon purchases to be sent via my corporate network when I’m sitting at home or at Starbucks.

This decision is based on the NRPT—and just as we can define DNSSEC actions for various DNS name and IP values, we can do exactly the same thing for DirectAccess using the DirectAccess tab as shown in Figure 7. If you want to check a machine’s Group Policy rules, you’ll find them in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig registry entry. You can also create exceptions, which let you establish general rules for an entire namespace but then treat a particular host or namespace portion differently.
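As an added example (not from the article), this PowerShell snippet lists the NRPT rules that Group Policy wrote to the registry path named above and answers the author's question for one name: which rule, if any, a Windows 7 client would apply to it. The registry value name Name and the leading-dot suffix convention are my assumptions about how the policy is stored; the sample DNS name is constructed.

```powershell
# Added example, not part of the article. Run on a Windows 7 client that
# receives NRPT rules through Group Policy.
$nrptPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'

function Get-NrptPolicyRule {
    if (-not (Test-Path $nrptPolicyKey)) {
        Write-Warning "No Group Policy NRPT rules found under $nrptPolicyKey"
        return
    }
    foreach ($ruleKey in Get-ChildItem -Path $nrptPolicyKey) {
        # Each rule is a subkey; every registry value under it becomes a property,
        # so the output shows whatever the policy set (namespace, DirectAccess and
        # DNSSEC options) without hard-coding the value names.
        $rule = New-Object PSObject
        $rule | Add-Member NoteProperty RuleId $ruleKey.PSChildName
        $values = Get-ItemProperty -Path $ruleKey.PSPath
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -notlike 'PS*') { $rule | Add-Member NoteProperty $v.Name $v.Value }
        }
        $rule
    }
}

function Find-NrptRuleForName {
    # Returns the first rule whose namespace covers $DnsName. Assumption: the
    # namespace list lives in the 'Name' value, suffix rules start with a dot
    # (".corp.example.com"), other entries are exact host names.
    param([string]$DnsName)
    $n = $DnsName.ToLower()
    foreach ($rule in Get-NrptPolicyRule) {
        if ($rule.PSObject.Properties['Name'] -eq $null) { continue }
        foreach ($ns in @($rule.Name)) {
            $s = ([string]$ns).ToLower()
            if ($s.StartsWith('.')) { $hit = $n.EndsWith($s) } else { $hit = ($n -eq $s) }
            if ($hit) { return $rule }
        }
    }
    # No match: the article says the client then performs default DNS handling.
    return $null
}

Get-NrptPolicyRule | Format-List
Find-NrptRuleForName -DnsName 'intranet.corp.example.com'   # constructed sample name
```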
Server 2008 R2 brings you a very powerful DNS service that adheres to some of the most recent specifications. You should definitely consider Server 2008 R2 DNS to be the most secure release and use it to replace previous Microsoft DNS services to provide maximum protection. DNS is your trusted advisor to the computer world, so make sure it can really be trusted!

InstantDoc ID 125360

John Savill ([email protected]) is a Windows technical specialist, an 11-time MVP, and an MCITP: Enterprise Administrator for Windows Server 2008. He’s a contributing editor for Windows IT Pro, and his latest book is The Complete Guide to Windows Server 2008 (Addison-Wesley).

Figure 6: Setting the DNS devolution level
Figure 7: Enabling the use of DirectAccess
Mobile Security with MDM 2008 SP1
It’s a complex setup, but you’ll get tight control over mobile devices when you follow these steps
by John Howie

The use of mobile devices, or smartphones, for business isn’t new; however, the patterns of use and the features these devices offer have changed radically in recent years. Today, it’s possible to browse the web, send and receive email, and run countless applications—from customer relationship management (CRM) apps to word processing to social networking software—all while talking with someone on a call. The increased processing power, memory, and storage make these devices powerful business tools, and your users probably have corporate documents, customer lists, and sensitive pricing information on their devices. Responding to the loss of a device might involve sending breach notifications to customers and partners, and potentially paying fines and other penalties.

However, losing devices isn’t the only risk a company faces. Employees who quit or are terminated could potentially walk out with your company’s intellectual property, and it’s possible that data could be accidentally leaked to social networking sites, as well as leaked through web browsing and personal email use. Previously, the response to these risks might have been to ban the use of mobile devices altogether, but their popularity and usefulness means that more and more organizations are seeking ways to integrate them into the enterprise while applying corporate policies to them.

There are solutions available today that can be used to integrate mobile devices with corporate networks and apply policies to them. In this article, I’ll describe Microsoft System Center Mobile Device Manager (MDM) 2008 SP1, focusing on installation and configuration.

MDM vs. Exchange 2010

MDM isn’t the only solution Microsoft has that supports mobile devices. Organizations with Microsoft Exchange Server 2010 can use Exchange to manage mobile devices so that devices can send and receive email using the Exchange infrastructure with Exchange ActiveSync (EAS). In addition, EAS can be used to push basic policies to mobile devices.

Basic policies for mobile devices can be used to enforce password policies, such as a policy that requires the use of a complex password. They can also be used to enforce what users can do with their devices, including disallowing removable storage such as memory cards; preventing use of the camera and Wi-Fi; restricting what Bluetooth features are available; and controlling which applications can run, including the browser and non-Exchange email apps. A broad EAS setting lets you enable or disable nonprovisionable devices, which are devices that won’t or can’t enforce policies pushed by Exchange.

Exchange 2010 ties basic policies to mailboxes, not devices, and doesn’t offer true end-to-end management of security and devices. Nor does it offer a remote-access solution, which permits mobile devices to consume resources on the corporate network. MDM offers these features, and it has much richer policy and enforcement features. However, MDM supports only Windows Mobile-based devices running Windows Mobile 6.1 or later, whereas Exchange 2010 can support any EAS-enabled device. MDM and Exchange 2010 can coexist and can be used simultaneously for device management.

Preparing to Install MDM

MDM is a reasonably complex product to deploy, consisting of several components. First, MDM requires Microsoft SQL Server 2005 or later to store policy and configuration information. MDM itself requires a Gateway Server, Device Management Server, and Enrollment Server. You can deploy the Device Management Server and Enrollment Server roles on the same server, which is a typical scenario for smaller environments. The Gateway Server is deployed in your demilitarized zone (DMZ), and it requires one network interface for internal communications and one for external communications. The Gateway Server’s external interface must have a public IP address, must have a default route configured, and can’t be published behind Microsoft ISA Server or Forefront Threat Management Gateway (TMG). The Device Management Server and Enrollment Server roles are deployed on your intranet.

The three server roles form an instance of MDM, and an instance can support as many as 30,000 mobile devices. You can deploy multiple instances to support more than 30,000 users, or to accommodate users in different regions so that users can connect to a local MDM instance for best connection speeds, and you can manage groups with disparate policy requirements. Note that MDM doesn’t require Exchange (or its mobility features) but can be used to offer Exchange services to mobile devices.

MDM is a 64-bit–only product, so it requires 64-bit–capable hardware and a 64-bit OS: Windows Server 2003 R2 64-bit. Installation on Windows Server 2008 isn’t supported—some tools and utilities simply fail to install, although there are some workarounds. Before you can deploy MDM, you need a Certification Authority (CA), which should be an enterprise CA integrated with Active Directory (AD). The enterprise CA can run on Server 2008, and the Windows Server 2003 R2 servers that you install MDM on can be member servers in a Server 2008–based forest with the functional level raised to Server 2008 Forest Functional mode.

Before you install MDM, you need to configure AD. This configuration doesn’t extend your AD schema; it simply involves creating objects to support MDM. Log on to the server on your network on which you intend to install either the Device Management Server role or the Enrollment Server role, run MDM Setup.exe, and select the Configure Active Directory for MDM option under the Prepare section of the setup splash screen. You need to be logged on as a member of the Enterprise Administrators group. When you select this option, a command prompt window opens, and the command ADConfig.exe /help runs before giving you a command prompt. If you scroll back through the Help text, you’ll find that the ADConfig command has many command-line options.

Despite looking very confusing, using ADConfig is relatively simple. Run the command

ADConfig.exe /createinstance:<instance> /domain:<domain>

where instance is the name you want to give to your MDM instance and domain is the domain in your forest in which it will run. The instance name can be no longer than 30 characters and can contain only alphanumeric characters, the dash (-), and the underscore (_). The domain name must be specified as a Fully Qualified Domain Name (FQDN)—for example, corp.infosecresearch.com. When you enter the command, you’ll be asked to confirm the action before configuring AD. Take particular note of the settings you specified because the instance name can’t be changed after the command completes. As the command runs, it tells you what it’s doing and shows the success or failure of each configuration change. You’ll be asked to confirm whether you want to enable your instance as the final step of the command.

If you have multiple domains in your forest and you want the mobile devices associated with each domain to be managed by this instance of MDM, you need to run the command

ADConfig.exe /enableinstance:<instance> /domain:<domain>

where instance is the name of your instance and domain is the FQDN for each domain. You should run ADConfig with the /enableinstance flag only after you’re sure that the initial configuration has replicated throughout the forest.

Next, you create the certificate templates used by MDM. Certificate templates are used to control how keys in issued certificates can be used, what the certificate policy is, and how long it’s valid for. Run the command

ADConfig.exe /createtemplates:<instance>

where instance is the name of your instance. ADConfig again asks you to confirm the operation before proceeding, and it displays status information as it runs.

After you create the templates, you need to enable them so that your CA can issue them. Run the command

ADConfig.exe /enableTemplates:<instance> /ca:<CA server FQDN>\<CA instance>

where instance is the name of your MDM instance, CA server FQDN is the FQDN of the CA that will issue the certificates, and CA instance is the CA’s instance name. You can find the CA’s instance name by running certutil.exe from the command line; the instance is the Name value.
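As an added example (not from the article), this PowerShell script wraps the ADConfig.exe sequence from the Preparing to Install MDM steps with the checks the article calls for: the instance naming rules, a stop on any failed step, and a separate second phase to run only after the first step has replicated. ADConfig.exe is assumed to be reachable from the MDM setup media, the certutil output parsing is my reading of its format, and the instance, domain and CA names are constructed placeholders.

```powershell
# Added example, not part of the article. Each ADConfig call still prompts you
# to confirm, exactly as the article describes; this script only sequences them.

function Test-MdmInstanceName {
    # Article: no longer than 30 characters; only letters, digits, dash and underscore.
    param([string]$Name)
    return ($Name.Length -ge 1 -and $Name.Length -le 30 -and $Name -match '^[A-Za-z0-9_-]+$')
}

function Get-CAInstanceName {
    # Article: run certutil.exe and take the Name value. This parses the
    # "Name:" line certutil prints for each CA entry (assumption about its format).
    $names = @()
    foreach ($line in (& certutil.exe)) {
        if ($line -match '^\s*Name:\s+[`'']?(.+?)[`'']?\s*$') { $names += $matches[1] }
    }
    return $names
}

function Invoke-ADConfig {
    param([string[]]$Arguments)
    Write-Host "==> ADConfig.exe $Arguments"
    & ADConfig.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "ADConfig.exe $($Arguments[0]) failed (exit code $LASTEXITCODE)" }
}

function New-MdmInstance {
    # Step 1: create the instance in its home domain (FQDN). It can't be renamed later.
    param([string]$Instance, [string]$Domain)
    if (-not (Test-MdmInstanceName $Instance)) { throw "'$Instance' breaks the MDM instance naming rules" }
    Invoke-ADConfig @("/createinstance:$Instance", "/domain:$Domain")
}

function Complete-MdmInstance {
    # Steps 2-4: run only after the objects from step 1 have replicated forest-wide.
    param([string]$Instance, [string[]]$AdditionalDomains, [string]$CAServerFqdn, [string]$CAInstance)
    foreach ($d in $AdditionalDomains) { Invoke-ADConfig @("/enableinstance:$Instance", "/domain:$d") }
    Invoke-ADConfig @("/createtemplates:$Instance")
    Invoke-ADConfig @("/enableTemplates:$Instance", "/ca:$CAServerFqdn\$CAInstance")
}

# Constructed sample values (replace with your own):
# New-MdmInstance -Instance 'MDM-Prod' -Domain 'corp.example.com'
# ... wait until AD replication has completed ...
# $ca = @(Get-CAInstanceName)[0]
# Complete-MdmInstance -Instance 'MDM-Prod' -AdditionalDomains @('emea.corp.example.com') `
#     -CAServerFqdn 'ca01.corp.example.com' -CAInstance $ca
```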
As with other ADConfig commands, you’ll be asked to confirm the operation before it runs.

The next step in preparing to install MDM is to add a domain account to the SCMDMSecurityAdmins (instance) and SCMDMServerAdmins (instance) groups, where instance is the name of the MDM instance you’ve used in the previous steps. An account in the first group can add users to other MDM groups for the instance, and an account in the second group can install and manage MDM servers for the instance. Although you can use two accounts, I recommend that you use a single account, which will become the MDM administrator account. If you’re logged on with an account that was added to the MDM groups, you’ll need to log off and log back on for the additional group memberships to take effect.

Installing the Enrollment Server

The next step is to install the MDM Enrollment Server. Every MDM instance requires an Enrollment Server, and you can install more than one of this role for fault tolerance and load balancing. Mobile devices must be enrolled through the Enrollment Server so that MDM can manage them. This role needs to be published so mobile devices can access it from both the intranet (internal) and the Internet (external). Before you install the Enrollment Server, you need to know the internal and external FQDNs that will identify the server.

To install the server, select Enrollment Server from the setup splash screen. The Enrollment Server requires Microsoft IIS 6.0 and the full suite of IIS 6.0 management tools. Without this prerequisite, the server won’t install.

The server installation process is wizard-based. After you accept the license agreement, the wizard asks you to select the MDM instance you’re installing the Enrollment Server for. Next, it asks you to confirm the installation location on the file system, and then to specify the SQL Server instance the Enrollment Server will use. You can use an existing instance of SQL Server if desired. You need systems administrator access on the SQL Server instance to configure the MDM database.

At this point, you specify the external and internal Enrollment Server FQDNs. The external Enrollment Server FQDN is used by mobile devices to enroll. You need to add the external FQDN to your public DNS and ensure that the server can be reached from the Internet. The wizard then asks you to specify the port that the Enrollment Server Administration website will listen on. You can’t use port 443 because the Enrollment Server itself uses that port. Setup provides a random port number, which you can usually use unless it conflicts with another service or you have a policy that dictates which ports to use. Make sure you record the port number so you can reuse it if you install multiple Enrollment Servers.

Next, you need to specify the CA server and instance name you specified when preparing AD for MDM. The CA issues certificates to mobile devices. You also need to specify a CA to issue SSL certificates for MDM during the remainder of the setup. This CA can be any issuing CA in your enterprise, including the CA used during device enrollment. After you specify the necessary information, the wizard presents you with your choices, which you confirm by clicking Install.

Installing the Device Management Server

You need to install at least one Device Management Server for your MDM instance. If you install multiple Device Management Servers for scalability and fault tolerance, you have to use a load balancer to spread the mobile devices across them. Like the Enrollment Server, the Device Management Server is web-based, so you also need to install IIS 6.0 along with its full suite of management tools.

Before you install the Device Management Server, you need to install Windows Server Update Services (WSUS) 3.0 SP1 on each server that will be a Device Management Server. Note that WSUS 3.0 SP2 isn’t recognized by MDM, so you must use SP1. MDM uses WSUS to deploy software packages to mobile devices, but WSUS can also be used to manage software updates in your enterprise. If you’re using WSUS only to deploy software packages to mobile devices, you can configure it to download updates only for Microsoft Report Viewer because you must select at least one product to update. WSUS itself requires you to install the Report Viewer 2005 Redistributable or later. You can get both WSUS and Report Viewer from the Microsoft Download Center (www.microsoft.com/downloads/default.aspx).

To install the Device Management Server, select Mobile Device Management Server on the setup splash screen. You’ll be asked to accept the license terms, select the MDM instance that the Device Management Server will be added to, the location to install the software to, and the database server to use. Note that if you install the Device Management Server on the same server as your Enrollment Server, setup uses the same installation location and database server, so these options will be grayed out.

Next, the installation wizard asks for the FQDN for the Device Management Server, which is an intranet FQDN. If you’re installing multiple Device Management Servers, enter the FQDN of the load balancer that will front them. Setup validates that the FQDN exists in DNS. The wizard then asks you for the Device Management and Administration website ports. If this is your first server, take note of the ports chosen and ensure that they’re used when configuring subsequent Device Management Servers. The next step asks you for a CA that can issue SSL certificates during setup of the Device Management Server. If you’re installing the Device Management Server on the same server as the Enrollment Server, the CA is automatically populated. At the end of the setup, you’ll be shown the selections you made. Click Install to begin the installation process.

Installing the MDM Administrator Tools

The next step in getting MDM up and running is to install the MDM Administrator Tools. You can install the tools on 32-bit or 64-bit systems. Prerequisites for the tools are to install Windows PowerShell 1.0, Group Policy Management Console (GPMC), and the WSUS administration console. Note that Windows 7 ships with PowerShell 2.0, which the tools installer doesn’t recognize. You can’t install PowerShell 1.0 alongside PowerShell 2.0, meaning you can’t install the MDM Administrator Tools on Windows 7 systems. If you don’t have PowerShell 1.0 or GPMC, you can get them from the Microsoft Download Center. GPMC for Windows Vista SP1 and later is included in the Remote Server Administration Tools (RSAT), which you can also download from Microsoft.

You install the MDM Administrator Tools by selecting the item on the MDM setup splash screen. You’re asked to accept the license and whether to install all tools (the default) or a custom installation. After you make your selection, you’re presented with a summary of what will be installed. Click the Install button to begin installation. The installed tools can be found on the Start menu under a program group called Microsoft System Center Mobile Device Manager.

Preparing For and Installing the Gateway Server

The next-to-last step is to get the Gateway Server up and running. The Gateway Server lets your mobile devices access resources such as SharePoint sites or file servers inside your corporate network, without the need to publish each one or duplicate them in your DMZ. The Gateway Server needs IIS 6.0 and the Microsoft .NET Framework 2.0 SP1.

Before you install the Gateway Server, you need to configure the server OS with a certificate that MDM will use to authenticate it in SSL sessions. The steps to install the certificate are a bit complex. Start by creating a Notepad document called GatewayCertReq.inf, and enter the following text in it:

[NewRequest]
Subject="CN=<MDMGatewayServerFQDN>"
MachineKeySet=True
KeySpec=1

Replace MDMGatewayServerFQDN with the internal FQDN of the server, not the external FQDN (although it’s possible they’re the same). Next, run the command

certreq -new GatewayCertReq.inf GatewayCertReq.txt

Copy the output file, GatewayCertReq.txt, to a member server in your domain and run the command

certreq -submit -attrib "CertificateTemplate:SCMDMWebServer (<instance>)" GatewayCertReq.txt GatewayCert.cer

replacing instance with the name of your MDM instance. If you have more than one issuing CA in your forest, you’ll be prompted to select the CA you want to use. It must be the same CA you installed the templates on earlier. Copy the output file, GatewayCert.cer, back to your MDM Gateway Server and enter the command

certreq -accept GatewayCert.cer

Next, you need to install the certificate of your root CA, any intermediate CAs, and the issuing CA. If you’re using Certificate Services, simply browse to the root CA’s virtual directory (\certsrv) from a domain-joined machine, click the Download a CA certificate, certificate chain, or CRL link, then click Download CA certificate and save the file. By default, the file is named certnew.cer. If your root CA isn’t the CA that issued your Gateway Server’s certificate, browse to the issuing CA’s virtual directory and download the certificate chain; save the file, then copy it to your Gateway Server. This file is named certnew.p7b by default.

You install the certificates on the Gateway Server by launching Microsoft Management Console (MMC) with the Certificates snap-in, making sure that you specify you want the Computer Account option. With the snap-in loaded, expand the Trusted Root Certification Authorities node, right-click Certificates, select All Tasks, then Import. In the Certificate Import Wizard, select the file certnew.cer. Repeat this process for the intermediate CAs by importing certnew.p7b to the Intermediate Certification Authorities node.

Next, you need to create the Gateway Server’s configuration file, which is a short piece of XML used when you install the Gateway Server. Go to the workstation or server on which you installed the Administrator Tools, launch the Mobile Device Manager Shell, change into a temporary working directory, and enter

Export-MDMGatewayConfig

A file called GatewayConfig.xml is generated and written to the working directory. Copy the file to the Gateway Server.

Now that you’ve prepared the Gateway Server, you can run Gateway Server setup by selecting that option from the Install section of the setup screen. In the Gateway Server Setup wizard, after the license screen, you’re prompted for the internal IP address that the server will listen on for connections from the Device Management Server and the TCP port to listen on. The default is port 443. Next, you’re prompted to browse for and select the GatewayConfig.xml file you copied. You then select the Gateway Server authentication and root CA certificates that you’ve imported. Finally, you’re prompted to confirm your choices before installing the software.

After installation, you’ll be prompted to run the Add MDM Gateway Wizard. Before you do that, however, you need to go back to a system that has the MDM Administrator Tools installed, launch the Mobile Device Manager Shell, and enter the command

Set-EnrollmentConfig -GatewayURI <ExternalFQDN>

where ExternalFQDN is the FQDN of the Gateway Server as mobile devices outside your network see it. When the command completes, you’ll see some configuration information displayed. Now you can launch the Add MDM Gateway Wizard, which you do from the MDM Console. In the console, expand your instance, then select Gateway Management. In the Actions pane, select Add MDM Gateway Wizard.

The first step in the wizard is to enter a name for the Gateway Server. I recommend you use its FQDN to avoid name conflicts. The next step is to configure access points. The first access point is the external IP address that mobile devices will use to establish a VPN connection through the Gateway Server. This address must be a public, routable IP address. The second access point is the internal FQDN of the Gateway Server, which the Device Management Server uses to connect to, and the SSL port, which defaults to 443.

Next, you specify the address pool from which IP addresses are allocated to mobile devices that connect through a VPN. You can add one or more address pools, as Figure 1 shows, and each can have as many as 65,535 addresses (using a subnet mask of 255.255.0.0). Note that the address pools must be consistent with the internal IP address of the Gateway Server, meaning that the subnets and subnet masks must be complementary, with no conflict or overlaps. If required, you can also specify a default gateway for clients to access intranet resources, which might be necessary if the address pools aren’t on the same subnet as the Gateway Server itself.

Figure 1: Adding address pools in the Add MDM Gateway Wizard

After the address pool is configured, you’re asked for the IP addresses of your DNS and WINS servers. You must specify at least one DNS server. The IP addresses you provide should be for DNS servers either in your DMZ or reachable from it. You should also enter any routing information that mobile devices connecting through a VPN will need to reach resources on your intranet, including the Device Management Server. When you’ve entered all the necessary information in the wizard, click the Add button. You can add more gateways if necessary, or you can click Finish to exit the wizard.

To verify that the Gateway Server is configured, launch the MDM Console and select Gateway Management under your MDM instance. As Figure 2 shows, the Service Configuration State should be “Running” and the Sync State should be “Up to date.” If the service isn’t running or the state is “Error,” check the MDM logs in the Windows Event Viewer on the Gateway Server. (MDM extends the Windows logs to add its own.) Chances are you probably can’t access the Gateway Server in the DMZ because of a firewall issue. Alternatively, you might have a conflict between the address pools you configured and the networking setup of the Gateway Server itself.

Figure 2: Verify Gateway Server configuration in the MDM Console

Configuring ISA Server, TMG, and Firewalls

Most of the communication between the MDM servers and mobile devices uses SSL-based connections. However, some other protocols are also used. Depending on how you deploy MDM, you might need to configure ISA Server or TMG servers, as well as network and built-in Windows firewalls.

To begin, you need to ensure that the Device Management Server can communicate with the Gateway Server. The default port is 443/TCP (HTTPS), unless you specified another port during Gateway Server installation. Mobile devices need to be able to talk to the Enrollment Server over port 443/TCP, and you’ll need to publish the Enrollment Server so that it can be seen from the Internet. Mobile devices also need to be able to communicate with the Device Management Server via the IPsec VPN in the DMZ over port 8443/TCP (unless you specified another port during installation) and with the Gateway Server to establish IPsec tunnels, which require IP protocol 50, 500/UDP and 4500/UDP to be opened.

You also need to open access to DNS and to specific servers, such as email servers, using the ports they conventionally use for VPN access. For clients terminating in the DMZ, use addresses allocated from the address pools configured on the Gateway Server.
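As an added example (not from the article), this PowerShell script covers two checks a practitioner would want before and after the Add MDM Gateway Wizard: that the VPN address pools don't contain the Gateway Server's own address, exceed a 255.255.0.0 mask, or overlap each other, and that the TCP ports listed in the firewall section are reachable. It needs PowerShell 2.0 for try/catch, so run it from an admin workstation rather than the PowerShell 1.0 shell the MDM tools require; all host names and addresses are constructed placeholders.

```powershell
# Added example, not part of the article.

function ConvertTo-IPv4Number {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [array]::Reverse($bytes)
    return [int64][System.BitConverter]::ToUInt32($bytes, 0)
}

function Get-IPv4Range {
    # First and last address of the subnet that Network/Mask describes.
    param([string]$Network, [string]$Mask)
    $m     = ConvertTo-IPv4Number $Mask
    $start = (ConvertTo-IPv4Number $Network) -band $m
    $end   = $start -bor ((-bnot $m) -band 4294967295)
    New-Object PSObject -Property @{ Start = $start; End = $end; Text = "$Network/$Mask" }
}

function Test-MdmAddressPools {
    # Article: pools must not conflict or overlap, each holds at most what a
    # 255.255.0.0 mask allows, and pools off the gateway's subnet need a default gateway.
    param([string]$GatewayInternalIP, [string]$GatewayInternalMask, [object[]]$Pools)
    $gwSubnet = Get-IPv4Range $GatewayInternalIP $GatewayInternalMask
    $gwAddr   = ConvertTo-IPv4Number $GatewayInternalIP
    $seen = @(); $findings = @()
    foreach ($p in $Pools) {
        $r = Get-IPv4Range $p.Network $p.Mask
        if ($gwAddr -ge $r.Start -and $gwAddr -le $r.End) {
            $findings += "ERROR: pool $($r.Text) contains the Gateway Server's own address $GatewayInternalIP"
        }
        if (($r.End - $r.Start + 1) -gt 65536) {
            $findings += "ERROR: pool $($r.Text) is larger than a 255.255.0.0 mask allows"
        }
        foreach ($o in $seen) {
            if ($r.Start -le $o.End -and $o.Start -le $r.End) { $findings += "ERROR: pool $($r.Text) overlaps pool $($o.Text)" }
        }
        if ($r.Start -lt $gwSubnet.Start -or $r.End -gt $gwSubnet.End) {
            $findings += "INFO: pool $($r.Text) is outside the gateway subnet $($gwSubnet.Text); set a default gateway in the wizard"
        }
        $seen += $r
    }
    return $findings
}

function Test-TcpPort {
    # Plain TCP connect with a timeout; it speaks no MDM protocol, it only proves the path is open.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-MdmPorts {
    # Only the TCP paths from the firewall section can be probed this way. IP
    # protocol 50, 500/UDP and 4500/UDP for the IPsec tunnels must be checked on
    # the firewall itself.
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        New-Object PSObject -Property @{
            Target    = "$($c.Target):$($c.Port)"
            Reachable = (Test-TcpPort $c.Target $c.Port)
            Purpose   = $c.Purpose
        }
    }
}

# Constructed sample input: the second pool deliberately overlaps the first.
$pools = @(
    @{ Network = '10.20.0.0'; Mask = '255.255.0.0' },
    @{ Network = '10.20.5.0'; Mask = '255.255.255.0' }
)
Test-MdmAddressPools -GatewayInternalIP '10.10.1.5' -GatewayInternalMask '255.255.255.0' -Pools $pools

# Constructed sample targets; ports are the ones the article lists.
$mdmPortChecks = @(
    @{ Target = 'enroll.example.com';      Port = 443;  Purpose = 'devices -> Enrollment Server (published to the Internet)' },
    @{ Target = 'mdmgw.example.com';       Port = 443;  Purpose = 'Device Management Server -> Gateway Server (default port)' },
    @{ Target = 'mdmdms.corp.example.com'; Port = 8443; Purpose = 'devices via the IPsec VPN -> Device Management Server' }
)
Test-MdmPorts $mdmPortChecks | Format-Table Target, Reachable, Purpose -AutoSize
```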
Enrolling Devices

With MDM successfully installed, you can begin enrolling mobile devices by creating enrollment requests. In limited deployments and in smaller organizations, it’s possible to manage enrollment requests manually, but in larger deployments and organizations, you’ll want to install and configure the Self Service Portal so users can manage their own enrollment and device configuration. For information about installing the Self Service Portal, see the Microsoft article “Install MDM Self Service Portal” (technet.microsoft.com/library/dd261730.aspx).

To manually enroll a mobile device, launch the MDM Console, expand the MDM instance you want to manage, expand the Device Management node, then select All Managed Devices. In the Actions pane, click Create Pre-Enrollment to launch the Pre-Enrollment Wizard. After the introductory step, the wizard prompts you for a name for the mobile device that will be enrolled; this name must be unique and a maximum of 15 characters in length. You can override the organizational unit (OU) that a mobile device object is placed into in AD. For large environments or environments in which you use OUs to set different policies for mobile devices, you might want to create new OUs and place mobile device objects in those OUs. If you use alternative OUs, you must run the PowerShell cmdlet Set-EnrollmentPermissions and specify each OU to prepare it.

Next, you’re prompted to specify the device’s user, for which you have three options: Active Directory User, Other user identifier, and Anonymous User. If you select Active Directory User, you can use Group Policy to manage the mobile device, and you can email the selected user with enrollment information, which makes setup easy for users who already get email on their mobile devices. I recommend that you avoid the other options because their usefulness is limited. An example of when you might use these options is if multiple people share a mobile device. When adding AD users, you select them from a list by using the Browse button in the wizard, or you can manually enter their distinguished name (DN).

Next, you need to confirm the choices you’ve made and create the pre-enrollment. When the pre-enrollment operation completes, the wizard provides you with information to pass along to the owner of the device to complete enrollment, as Figure 3 shows. The device owner needs only the E-mail address/User name and Enrollment password. A pre-enrollment is valid for only eight hours by default.

Figure 3: A completed pre-enrollment request in the Pre-Enrollment Wizard

To use the pre-enrollment, the device owner needs to go into the phone’s Settings menu, select Connections, then select Domain Enroll to launch the device Domain Enrollment. When launched, the owner selects the Enroll option and enters the E-mail address/User name and Enrollment password provided. If the mobile device isn’t able to automatically find an Enrollment Server, the device owner is alerted and can manually enter the public FQDN. The phone contacts the enrollment server, downloads necessary enrollment information, completes enrollment, then prompts the user to connect to the Device Management Server to finish the configuration. The mobile device needs to reboot during enrollment and configuration. When the device has completed enrollment and configuration, the Domain Enroll function on the device is disabled and enrollment information is displayed, as Figure 4 shows. The enrolled mobile device is also visible in the MDM Console, as Figure 5 shows.

Figure 4: Enrollment information displayed on an enrolled mobile device

Enrolled and configured devices establish VPN connections to the Gateway Server, then on to the Device Management Server as well as to other resources on your corporate network. Keeping a constant VPN connection can drain batteries on mobile devices; therefore you might want to advise your users to disconnect the mobile VPN on the device when not in use. However, you might need to configure an option through Group Policy to let users disconnect the VPN.

You can use the Update Device Details

dialog box that appears, click the Add button, then scroll down the list of folders and templates displayed in the Policy Templates picker until you find one called mobile.adm. Double-click it.

After the mobile device policy template is loaded, you’ll find that additional policies have been added to the Group Policy Management Editor under both Computer Configuration and User Configuration. In each one, you’ll find Windows Mobile Settings under Administrative Templates in the Policies node. On Vista systems, they’re under Classic Administrative Templates (ADM). Device policies let you control things such as passwords, device features (e.g., camera, Bluetooth), applications, encryption, VPN connections, and software distribution. User policies are limited to EAS settings and the use of Secure MIME (S/MIME) for secure email.

To apply a policy to mobile devices, simply link the GPO to an OU containing objects representing mobile devices. Note that the Group Policy modeling tools don’t work well with mobile device settings, but you can use the Windows Mobile Group Policy Results Wizard to generate a report of settings that apply to a device or user. This wizard is available from GPMC on the system on which you installed the MDM Administrator Tools.

Distributing Software to Mobile Devices

You can create and distribute software packages to mobile devices by launching the MDM Software Distribution Console, which is available in the MDM Administrator Tools collection. Before you create a package, you need to point the console to a WSUS server running on a Device Management Server. You then launch the Create Package Wizard from the console by expanding the Software Distribution node, the node representing the WSUS server, and the Packages node. In the Packages node, right-click Software Packages to launch the wizard.

In the wizard, you specify the location of the .cab file containing the software to be distributed, along with information to sign the .cab file if desired. You can restrict software on mobile devices to only that which is distributed with MDM or Group Policy. Other information required when creating packages for distribution to mobile devices includes which devices, mobile OS versions, and languages the package is intended for, as well as dependencies and uninstall options. After a package has been created for distribution, you can track its installation by running reports with the Software Distribution Console.

Complex, Yet Versatile

You should now have a good grasp of how to deploy MDM 2008 SP1, as well as some of its capabilities for mobile device management. Although it’s a reasonably complex product to get up and running, MDM offers an excellent platform to manage security of mobile devices, especially to enterprises with sophisticated mobile device management needs. However, MDM can be used to manage just a small number of mobile devices as well—for instance, those belonging to key personnel or other employees who have business-critical data on their devices.

InstantDoc ID 125481

John Howie ([email protected]) is a senior director in the Online Services Security & Compliance team at Microsoft, where he manages cloud security.
option in the MDM Console to refresh
device information at any time. It’s from the
MDM Console that you can wipe a lost or
stolen device, or block it from connecting
to the corporate network via the Gateway
Server.
Managing Mobile Devices by GPOMobile devices can be managed in a
fashion similar to desktops or laptops
through the use of Group Policy Objects
(GPOs). However, you first need to load
an administrative template contain-
ing mobile settings. To do so, launch
GPMC from Administrative Tools on the
machine where you installed the MDM
Administrator Tools. Next, right-click
Group Policy Objects, select New, and
give the GPO a name to create it. Next,
edit the GPO and expand the Policies
node under Computer Configuration.
Right-click Administrative Templates and
select Add/Remove Templates. In the
Figure 5: An enrolled mobile device displayed in the MDM Console
FEATURE
w w w. w i n d o w s i t p r o . c o m W e ’r e i n I T w i t h Yo u W i n d o w s I T P r o A U G U S T 2 0 1 0 37
Virtualizing Active Directory
Implement virtual domain controllers while maintaining fault tolerance and security
by Sean Deuby

Virtualization is all the rage because of the cost savings and flexibility it can bring to your data center. The first step companies usually take is to consolidate their physical servers onto host machines as virtual machines (VMs). Company management naturally wants to maximize savings by virtualizing as many servers as possible. When companies go through this process, the policy is often “virtual by default”: Applications will be virtualized unless you can provide a good reason they shouldn’t be virtualized. Can you virtualize Active Directory (AD)? Should you virtualize your AD forest, or part of it?

Virtual vs. Physical

The first and most important question is: “Does Microsoft support virtual domain controllers (VDCs)?” Moving a chunk of your critical infrastructure to an unsupported configuration is definitely a career-limiting move. Fortunately, Microsoft does support VDCs as part of Microsoft server software on both Microsoft and third-party virtualization products; you can find complete details of the company’s support policies in the Microsoft article “Microsoft server software and supported virtualization environments” (support.microsoft.com/kb/957006). However, there are some important best practices you must pay attention to. Just because a configuration is supported doesn’t mean you can’t get yourself in trouble with it. Microsoft’s Problem Resolution Services will be happy to help you—at a price—but if you follow the recommendations in this article, you won’t need their help.

The next decision is when to virtualize a domain controller (DC) and when you should leave it physical. Performance isn’t really a factor anymore; the 64-bit hypervisors available from VMware and Microsoft provide excellent performance compared with physical hardware; for instance, the Microsoft article “Performance and capacity requirements for Hyper-V” (technet.microsoft.com/library/dd277865(office.12).aspx) reports results of running Microsoft Office SharePoint Server 2007 in a virtual environment. Virtualization host clusters let you use features such as VMware VMotion or Hyper-V Live Migration to create highly available DCs more easily than ever. Still, I think there are two compelling reasons to keep at least some physical DCs in a forest: fault tolerance and security.

AD is fault tolerant because it’s a distributed system. A company might have anywhere from the recommended minimum of two up to hundreds of DCs providing AD services. The domain or forest will survive the loss of one or more DCs because no single DC contains unique information that can’t be recovered or otherwise reset. In a purely physical AD installation, there’s an implied fault tolerance provided because each DC is a different physical box, and they’re spread across physical locations. In a virtual infrastructure, you can’t make these assumptions. For example, you could have several DCs on a single host, putting them all at risk if the host fails. Or your company’s standard virtualization plan might call for all servers to use a SAN instead of local disks, which exposes much or all of your AD to a SAN failure. (For more information about AD storage, see the sidebar “For DCs,
Simple Storage Is Better Storage.”) Therefore, when you’re designing a virtualization plan for your AD forest, look closely at the supporting infrastructure and work with the virtualization team to eliminate any single points of failure. I’ll talk about security reasons to not virtualize your DCs later in this article.

I recommend leaving at least two physical DCs in each domain, one of which should be the PDC Flexible Single-Master Operation (FSMO) role holder. This architecture ensures that if your entire virtual infrastructure becomes unavailable, you’ll still have a fully functional domain with distributed fault tolerance. It’s up to you to provide a sense of perspective: The cost of keeping two servers on physical hardware is dwarfed by the potential cost to your company of losing an entire domain.

Building and Deploying VDCs

After you’ve decided what to virtualize, it’s time to configure your VDCs. From a purely technical viewpoint, this is a straightforward process. If your DCs run Windows Server 2008 or Server 2008 R2, consider using Server Core for the OS because of its reduced attack surface. Choose processor and memory requirements to emulate your current configuration—or what you’d like your current configuration to be if you could have afforded it. Ensure that the virtual machine enhancement for your virtualization solution (e.g., VMware Tools) is installed on the VDC. If it’s a Hyper-V installation, be sure the VDC is using the synthetic network adapter rather than the legacy emulated adapter; the synthetic NIC is much faster.

You can use either fixed or dynamically expanding disks for the hard disk configuration; Microsoft now claims that Hyper-V R2’s dynamic disk performance is nearly identical to fixed disks. However, a DC’s disk requirements are fairly static, so after you’ve determined the optimal disk size for your DC—by looking at your physical DC’s disk usage—I would recommend creating a fixed disk of the same size. Write caching on volumes that contain the AD database and log files is disabled by default to ensure that any interruption in the I/O process doesn’t corrupt data.

You should also evaluate deploying read-only domain controllers (RODCs) in your forest. Because an RODC has only a read-only copy of AD, with no passwords by default, it helps mitigate some of the security concerns associated with VDCs. RODCs require at least Server 2008.

Disable the Synchronize time with host setting for your VDC; DCs have their own time-synchronization architecture and don’t need or expect any other synchronization. If you’re using Hyper-V, be sure that the virus scanner in the parent partition is excluding the VHD files of the child partitions or you might encounter performance problems and error messages when trying to start up VMs.

A VDC can be deployed in the same manner as other VMs—typically, with a management product such as Microsoft System Center Virtual Machine Manager (VMM) or VMware vCenter. If you need to run a highly automated DC deployment, the Dcpromo process can be scripted to run as a post-deployment option; see the Microsoft articles “Configuring the Automatic Installation of Active Directory” (tinyurl.com/22umult) and “How to Configure Guest Operating System Profile Scripts” (tinyurl.com/2fzotwg).

For DCs, Simple Storage Is Better Storage

Virtualization frees systems from residing on a single piece of hardware, giving virtualized systems a flexibility of location that’s restricted mainly by where the virtual machine’s (VM’s) disk files can be accessed from. In a simple network, if you want to use a virtual disk on another host, you must copy that multigigabyte file over your network, which takes time and can be a complicated sequence of exporting, copying, and importing files. A SAN can simplify this process because the disk files don’t necessarily move—the machines that access them are what changes. Depending on how it’s configured, in a centralized SAN an available VM disk file can run in a data center in California, then quickly be changed so a server in New York is using it. When the SAN is configured for shared storage, you can put multiple VMs into a virtualization failover cluster. But should you place your domain controllers (DCs) on a SAN?

Active Directory (AD) is a distributed system. Its fault tolerance stems from the fact that its components—for example, its disks—are scattered throughout the enterprise. As you begin to consolidate its pieces, it begins to lose its fault tolerance. A DC’s disk needs are modest. It must support an indexed, sequential database file that’s read from more frequently than it’s written to, and is usually less than 10GB in size. But the availability of every AD domain is absolutely essential. If your data center rules are that every VM’s disk must be on the SAN, and you lose the SAN, you’ve lost your domain or even your forest until the SAN is back up. You can argue that SANs don’t often fail, but when you’re working with such a basic level of your company’s IT infrastructure as AD, systems should depend on each other as little as possible. You expect a SAN failure to prevent multiple application servers from functioning, but a completely redundant SAN can be extremely expensive and cost-prohibitive. But do you want to lose the ability to log on to the network also?

With a distributed, straightforward database application such as AD, SAN storage is not only unnecessary, but it also increases the risk of a single point of failure. Using local disks, a single DC might fail due to disk failure, but the outage will be isolated to the DC. Locating your DC’s AD databases on a SAN makes your forest dependent on the SAN. The recommendation: Keep it simple. Keep it local.

InstantDoc ID 125463

Administering VDCs

The most important technical principle to remember when administering VDCs is that you don’t want to pull any virtualization tricks on a VDC that the directory service isn’t aware of. What does this mean? Virtualization lets you do interesting and useful
things with a VM that you can’t do with a physical machine, such as take snapshots that let you quickly roll a system back to a previous state, or restore the entire VM from a backup of the image file, or make copies of the image file for safe keeping or reuse. Don’t do these things with a VDC, or you’ll be setting yourself up for that Microsoft support phone call.

Why? Remember, AD is a distributed system. If AD resided on only one DC, these operations might be safely possible. But because the multiple DCs in a domain or forest must communicate with each other, each DC must therefore have a correct understanding of every other DC’s state. Virtualization capabilities such as snapshots, image-based restores (with one exception), and cloning don’t pass their state changes to the directory service on the target VM; it has no idea what’s been done to it and therefore neither do its replication partners. This condition can wreak havoc in your domain or forest. Let’s review what virtualization operations are supported for DCs, and which aren’t.

Image-based (aka host-based) backups. Restoration from image-based backups, in which you copy or otherwise back up the virtual hard disk files that contain the VDC, isn’t supported (with one exception). In this kind of operation, the OS and AD database are returned to a previous state without resetting the invocation ID (the version of the local database) so the other DCs don’t know the target DC has been restored. This situation violates AD’s data integrity and can create lingering objects or an update sequence number (USN) rollback scenario; you can find out more about this problem in the Microsoft article “How to detect and recover from a USN rollback in Windows Server 2003” (support.microsoft.com/kb/875495).

The exception is when the guest OS is running Windows Server 2003 or later and the backup utility on the host, such as Windows Server Backup, calls the guest’s Volume Shadow Copy Service (VSS) writer to ensure the guest is backed up properly; Windows 2003 was the first OS to include this service. The guest VSS writer takes a volume snapshot of the guest, which ensures data integrity of the backup. In the event of a restore, the VSS-aware restore program notifies the guest’s directory service that a restore has taken place. This process resets the AD database’s invocation ID, which causes the DC’s replication partners to recognize a restore has been performed, so replication coming from the DC is valid.

Client backups. The other supported method of backing up a VDC is by running client backups, just as if it were a physical DC. This process isn’t as speedy as a host-based backup that uses the VSS writer, but it has an advantage over many current host-based backup applications because you can restore individual files on the guest. Most host-based backup applications don’t support file-level restore, but as they become more sophisticated (for example, Microsoft System Center Data Protection Manager 2010), they, too, can restore individual files from guest OSs that support VSS. Microsoft has documented its best practices for backing up and restoring VDCs in the article “Backup and Restore Considerations for Virtualized Domain Controllers” (tinyurl.com/ydw8b5w).

Should you even back up every VDC? I’d argue that for small forests, you should take system-state backups of two DCs in every domain, period. Larger forests with large (over 5GB) AD databases (ntds.dit) or geographically dispersed DCs should have more, following the principle of keeping a backup on the same LAN as the DCs, to speed the process of performing a Dcpromo from media. If you should lose a VDC for some reason, there are faster options for recovery than restoring one from backup. (For other options, see the DC Recovery page of my Active Directory Recovery Flowchart at tinyurl.com/adrecovery.)

VM snapshots. Restoring a VDC using VM snapshots isn’t supported. These snapshots (not to be confused with directory snapshots taken with Ntdsutil or volume snapshots taken by VSS) are a point-in-time capture of a VM’s state. Restoring a VDC to its previous state by using a saved snapshot causes the same inconsistency problems in your directory as an image-based backup.

Cloning. Cloning a DC by duplicating a VDC’s hard disk file isn’t supported. If the cloned VDC comes online in the same forest as the original, and you resolve the immediate problems with identical server names and IP addresses, you’ll encounter problems with duplicate directory service agent (DSA) GUIDs, duplicate SIDs, duplicate Relative Identifier (RID) pools—and worse if the cloned VDC is a RID master—secure channel problems, machine account password updates . . . you just don’t want to go there.

Physical to virtual (P2V) conversion. P2V conversion is supported, but only if the source physical DC is offline; VMM 2008 enforces this requirement. DC P2V conversion with the source DC online creates a problem similar to cloning. Frankly, I believe provisioning and promoting a new VDC is safer and just about as fast as performing a P2V conversion on an existing DC.

Pausing. Pausing a VDC (i.e., putting it in suspended animation) is actually OK, just “do not pause the domain controller for long periods,” to quote the Microsoft article “Considerations when hosting Active Directory domain controller in
virtual hosting environments” (support.microsoft.com/kb/888794). What happens when you pause a DC? To its replication partners, it suddenly falls off the network—the equivalent of pulling out the network cable. When the paused DC comes back online, time has suddenly jumped forward. Its Kerberos tickets have expired, its machine passwords might need to be updated, and if it’s been paused longer than the tombstone lifetime, it can no longer replicate and must be rebuilt. I’d suggest pausing be used sparingly and not for extended periods of time.

Standardized configuration. Because a VM requires a different hardware abstraction layer (HAL) and a different device driver set than what you’re using for your physical DCs, VDCs require a separate OS build standard. Most companies have at least two standard build configurations, one for widely deployed hardware nearing its end of life, and one for new hardware beginning a broader adoption. VMs, because of their HAL and device driver set, will require a third build configuration.

VDC Security

Security best practices for VDCs are a combination of the established best practices for DC security, such as physical security, and virtualization security, such as isolated networks. One hazard of virtualizing DCs is that your directory services team and virtualization team probably aren’t familiar with each other’s security practices. These teams must sit down together and review how to accomplish both teams’ requirements. Here are a few examples of important security considerations.

Virtual disk security. Access to the VDC’s virtual disks is the same as granting physical access to a physical DC; if you grant access, you can’t guarantee security. Access to these virtual disk files must be carefully protected, especially because more people will require access to them as a result of virtual host administration needs. Therefore, host admins, enclosure admins, SAN storage admins, and data center admins are all groups that might need to be added to the list of personnel that are flagged as having access to corporate directory information.

Console access. DC administrators should be granted console access to VDCs in the same manner they would have access to physical DCs via an out-of-band console utility that doesn’t require an installed OS. In a VMware shop, you can use vCenter Server to manage console access, and in a Hyper-V installation you can use Authorization Manager (AzMan) or VMM’s Self-Service Portal.

DC awareness. Full VDCs hold the “keys to the kingdom,” and personnel with administrative access to the host have the ability to access and possibly disrupt activity of the VDC on that host. It’s essential that all personnel with host access be trained to understand the implications of having a DC on their host servers.

RODCs. You can reduce some of the security risks associated with VDCs by deploying RODCs instead of full DCs wherever possible. RODCs don’t perform any writes to AD, and by default user and machine account passwords aren’t replicated to them. So, for example, if a virtual RODC’s hard disk file is stolen, the attacker can’t crack passwords out of it. A corrupted RODC hard disk file can’t harm the rest of the forest, nor will any changes made to it be replicated to the rest of the forest. This situation doesn’t mean a compromised RODC is harmless; possession will reveal organization structures, DNS records—in general, lots of information you don’t want to share.

Do Your Homework

Virtualizing some of your AD infrastructure might yield corporate benefits, but there’s practically no benefit to the AD administrator. It can be done though, and Microsoft supports it, but you must do your homework before you begin. The key Microsoft VDC documentation can be found in the TechNet article “Running Domain Controllers in Hyper-V” (tinyurl.com/2fm7hd8). Don’t do anything to your VDCs that their directory services can’t comprehend, and be aware that the very advantages virtualization brings to VDCs also mean that their security is more complicated.

InstantDoc ID 125464
Sean Deuby ([email protected]) is a contributing editor for Windows IT Pro, a senior analyst with Platform Vision, and former technical lead of Intel’s core directory services team. He’s been a directory services MVP since 2004.
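The “Building and Deploying VDCs” section above points at scripting Dcpromo as a post-deployment step, and the RODC advice suggests what to script. The following PowerShell script is an added example, not code from the article or from Microsoft: it writes a dcpromo answer file and runs an unattended RODC promotion on the newly deployed VM. dcpromo.exe with its /unattend switch and the [DCINSTALL] answer-file keys are the real Windows Server 2008 R2 interface; the domain name, site name, answer-file path and the DOMAIN\user account format are assumptions to replace with your own.

```powershell
# Added example, not from the article: unattended promotion of a freshly
# deployed VM to a read-only domain controller (RODC) with dcpromo.exe.
# Real interface: dcpromo.exe /unattend:<file> and the [DCINSTALL] keys.
# Assumed values: domain name, site name, answer-file path.
param(
    [string]$DomainName = "corp.example.com",                      # assumed
    [string]$SiteName   = "Branch-Virtual",                         # assumed; the site must already exist
    [string]$AnswerFile = (Join-Path $env:SystemDrive "dcpromo-rodc.txt")
)

# Collect both secrets interactively so nothing sensitive lives in the script.
$cred = Get-Credential                      # enter as DOMAIN\user; must be allowed to add an RODC
$dsrm = Read-Host -AsSecureString "Directory Services Restore Mode password"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$parts = $cred.UserName -split '\\'
if ($parts.Count -ne 2) { throw "Enter the promoting account as DOMAIN\user" }

# ReplicaOrNewDomain=ReadOnlyReplica is what makes this an RODC rather than a
# full replica; the forest must already have been prepared with adprep /rodcprep.
$answer = @"
[DCINSTALL]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$DomainName
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$($parts[0])
UserName=$($parts[1])
Password=$($cred.GetNetworkCredential().Password)
DatabasePath="$env:SystemRoot\NTDS"
LogPath="$env:SystemRoot\NTDS"
SYSVOLPath="$env:SystemRoot\SYSVOL"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@

# The answer file carries two plaintext passwords while it exists: restrict it
# to Administrators and SYSTEM, and remove it as soon as dcpromo returns.
Set-Content -Path $AnswerFile -Value $answer -Encoding ASCII
& icacls $AnswerFile /inheritance:r /grant:r "Administrators:F" "SYSTEM:F" | Out-Null

try {
    # dcpromo.exe is a windowed program, so wait for it explicitly.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" `
                          -ArgumentList "/unattend:`"$AnswerFile`"" -Wait -PassThru
    Write-Host "dcpromo exited with code $($proc.ExitCode); details are in $env:SystemRoot\debug\dcpromo.log"
}
finally {
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    $dsrmPlain = $null
}
```

RebootOnCompletion is set to No so that the cleanup in the finally block runs before the restart; reboot the VM afterwards to finish the promotion. The promotion needs at least one writable Server 2008 DC reachable from the chosen site, and the local Administrators group name is the English one, so adjust the icacls call on localized builds.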
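Two checks that follow from the “Administering VDCs” and “VDC Security” sections, written as an added PowerShell example (not code from the article): Test-UsnRollbackIndicators runs on a VDC and looks for the traces NTDS leaves after an unsupported snapshot restore or image rollback, namely Directory Service event 2095 and the “Dsa Not Writable” registry value that KB875495 describes; Get-VhdAccessReport runs on a Hyper-V host and lists every principal allowed on a DC’s .vhd and .avhd files so the directory team can compare it with the allow-list agreed with the host team. The VHD folder path and the allow-list contents are assumptions.

```powershell
# Added example, not from the article: post-incident and access checks for
# virtual DCs. Part 1 runs on the VDC, part 2 on the Hyper-V host.
# Folder path and allow-list below are assumptions.

function Test-UsnRollbackIndicators {
    param([int]$LookBackDays = 30)
    $ntdsParams = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
    # After detecting that its own USN went backwards relative to what its
    # partners have already seen, NTDS sets "Dsa Not Writable" to 4 and stops
    # replicating; event 2095 is logged at the same time (KB875495).
    $props = Get-ItemProperty -Path $ntdsParams -ErrorAction Stop
    $dsaNotWritable = $props.'Dsa Not Writable'
    $since = (Get-Date).AddDays(-$LookBackDays)
    $rollbackEvents = @(Get-EventLog -LogName "Directory Service" -After $since |
                        Where-Object { $_.EventID -eq 2095 })
    New-Object PSObject -Property @{
        DsaNotWritable = $dsaNotWritable
        Event2095Count = $rollbackEvents.Count
        Suspect        = ($dsaNotWritable -eq 4) -or ($rollbackEvents.Count -gt 0)
    }
}

function Get-VhdAccessReport {
    param(
        [string]$VhdFolder,               # hypothetical, e.g. D:\VMs\DC01
        [string[]]$AllowedPrincipals      # accounts both teams agreed may touch DC disks
    )
    # .avhd files are Hyper-V snapshot differencing disks; they hold DC data too.
    Get-ChildItem -Path $VhdFolder -Recurse -Include *.vhd,*.avhd | ForEach-Object {
        $file = $_.FullName
        foreach ($ace in (Get-Acl -Path $file).Access) {
            $who = $ace.IdentityReference.Value
            New-Object PSObject -Property @{
                File       = $file
                Principal  = $who
                Rights     = $ace.FileSystemRights
                Inherited  = $ace.IsInherited
                Unexpected = ($ace.AccessControlType -eq "Allow") -and
                             ($AllowedPrincipals -notcontains $who)
            }
        }
    }
}

# Usage on the VDC:
#   Test-UsnRollbackIndicators
# Usage on the host; the per-VM "NT VIRTUAL MACHINE\<GUID>" identity that
# Hyper-V grants on its own VM files belongs on the allow-list:
#   Get-VhdAccessReport -VhdFolder "D:\VMs\DC01" `
#       -AllowedPrincipals "NT AUTHORITY\SYSTEM","BUILTIN\Administrators" |
#       Where-Object { $_.Unexpected } | Format-Table File, Principal, Rights -AutoSize
```

A Suspect result from the first function is a signal to follow the KB875495 recovery steps rather than to keep the DC running; an Unexpected row from the second is exactly the “more people will require access” case the article describes, and the principal either goes on the agreed list or comes off the ACL.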
Learning Path

Q&As on Active Directory and virtualization:
“Q. What Active Directory (AD) domain mode do I need to be in to use System Center Virtual Machine Manager (SCVMM) 2008 R2?” InstantDoc ID 125408
“Q. I’m using System Center Virtual Machine Manager (SCVMM). How can I delete an emulated NIC from a virtual machine (VM) within a script?” InstantDoc ID 125421
“Q. How does dynamic memory in Hyper-V in Windows 2008 R2 SP1 work?” InstantDoc ID 125409
“Q. Is dynamic memory a good solution for all types of virtualized application?” InstantDoc ID 125426
“Q. Can I roll back Active Directory (AD) to an AD snapshot?” InstantDoc ID 125471
“Q. I need to make a major change to the schema of my Active Directory (AD). If it goes wrong, can I perform an authoritative restore to reset?” InstantDoc ID 125456
“Q. How can I estimate the size of my Active Directory (AD) based on a number of objects?” InstantDoc ID 101617

More articles about using virtualization:
“Going Virtual with SharePoint 2010,” InstantDoc ID 125111
“Going Virtual with Exchange 2010,” InstantDoc ID 104653
“Make SQL Server Sing on Hyper-V,” InstantDoc ID 103658
“The Virtualization Stakes,” InstantDoc ID 103476
“Understanding Microsoft’s Virtualization Technologies,” InstantDoc ID 103245
“Hyper-V Live Migration: A Step-by-Step Guide,” InstantDoc ID 125262
Essential Windows Server 2008 R2 Features for Managing Your File Server Infrastructure
Four tools in the new OS bring you greater control over your file structure
by Eric B. Rux
One of the first articles I wrote for Windows IT Pro—“Let’s Get Organized: File Server Basics” (InstantDoc ID 95354)—discussed some time-tested methods for getting the most out of your file server. If your data is scattered all over your network, or your file system security is all over the place, or your folder structure is a mess, that article provides some good ideas for organizing your file server. Now that Windows Server 2008 R2 has been out in the wild for some time, I thought I’d revisit this topic, update it for Microsoft’s newest OS, and talk about some of the great tools you can use for migration and file-server management.

First, Migrate!

Before you can even get started using your new Server 2008 R2 server, you need to migrate your data from the old server. Don’t underestimate this process. I’m always surprised by how many administrators don’t take the time to plan their migration. Many servers have hundreds of gigabytes—if not terabytes—of data that can take a long time to copy from one server to another. If you use drive mappings (most companies do), you’ll need to change them to reflect the new file server name (unless you name it the same as the old server). You also need to consider that many users have created their own shortcuts to the UNC path (\\Server\Share), and that you’ll invalidate all their links if you change the name of the file server. These are just some of the challenges you’ll face when your shiny new server arrives on your front doorstep.

Fortunately, you don’t have to go it alone. The File Server Migration Toolkit (FSMT) is a free Microsoft tool that helps you migrate any Microsoft file server to Server 2008. You can find it at www.microsoft.com/downloads/details.aspx?FamilyID=d00e3eae-930a-42b0-b595-66f462f5d87b. The FSMT comes in both 32-bit and 64-bit versions, so be sure to download the correct file. After you download the 1.3MB file, you’re ready to test it in your lab. I highly recommend kicking the tires on a non-production server before going for broke on something as important as your company’s files.

The application walks you through the complete migration process, from setting up shares on the new server to ensuring that all the data has been copied before going live. It even shuts down the old file shares when the time is right. Figure 1 shows you what this process looks like.
Figure 1: The migration process
instead of the entire volume. The settings
are pretty granular, including distinctions
for hard and soft limits. Setting a hard limit
prevents the user from using more space
than he or she is allowed. A soft limit is only
a “warning” and doesn’t actually prevent the
user from using more space than allocated.
Multiple notification methods—including
email, event log entry, custom report, and
a script of your choice—keep you informed
about the quota status. The quota section is
by far the easiest area of FSRM to understand
and configure: You simply click Quotas in
FSRM, choose Create Quota, enter the path
(either an entire volume or a specific folder),
select a predefined quota template, and click
Create. If the built-in Quota Templates don’t
meet your needs, you can create your own in
the Quota Template area.
Another new feature worth mentioning
is File Screening Management, which lets
you block certain types of files from being
stored in a specific folder. For example,
the marketing department probably has
a business case for storing movies and
videos on its departmental folder. Other
departments, however, might not have
that same business need, and preventing
them from storing such large files on the
server can save gigabytes of space. Server
2008 R2 comes with 11 predefined, built-in
File Groups, but you can create your own if
the file type you want to block isn’t listed.
Some of the built-in File Groups are Audio
and Video Files (37 file types), Executable
Files (20 file types), and Image Files (18 file
types). Figure 3 shows a few of the provided
File Screen Templates.
The FSRM installation process is quick
and easy—once you find the silly thing.
You install the application from Server
Manager, Role Services near the bottom of
the page. (Don’t confuse Role Services with
Roles at the top of the screen.) When the
One extremely cool FSMT feature is the Distributed File System (DFS) Consolidation Root, which lets your users continue to use their old UNC paths even after the old server is long gone. For a walkthrough of a sample migration, check out the web-exclusive sidebar “A Simple File Server Migration” (InstantDoc ID 125461).

Who’s Using the Storage?
Setting up a file server has always meant one thing: “Build it, and they will fill it up.” It's a universal truth. Users will still manage to take all the space on the server if you let them. Unfortunately, you have no real idea of the types of files that are stored on your drives. To get that “look” into your file server that you’ve always wanted, check out the File Server Resource Manager (FSRM).

In just a few minutes, you can have reports about exactly the kind of data that’s stored on the file server—for example, what kind of files (e.g., documents, movies, music), where the data is located, and who owns the data. A few examples of the built-in HTML-based reports are Duplicate Files, Large Files, Least Recently Accessed Files, Most Recently Accessed Files, and Files by Owner. Figure 2 shows an example of the kind of reports that you can generate.

installation is complete, you can find the Microsoft Management Console (MMC) FSRM snap-in under Administrative Tools. For example, to generate a report on duplicate files, you’d walk through these steps:

1. Open FSRM.
2. Right-click Storage Report Management, and choose Generate Reports Now. (You can schedule this procedure by choosing Schedule a New Report Task.)
3. Add the folder or partition that you want to analyze.
4. Click Duplicate Files.
5. Choose the report format that you want (e.g., DHTML, HTML, XML, CSV, Text).
6. Click OK to generate the report.

The report is neatly laid out, displaying the duplicate files in descending order with the larger offenders at the top of the page.

FSRM also lets you set quotas. And unlike Windows Server 2003’s Disk Quota feature, Server 2008 R2’s implementation lets you set quotas on individual folders.
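The Duplicate Files report above is generated by FSRM itself. As an added example (not code from the article, and not part of FSRM), the following PowerShell script produces the same kind of report for a folder or partition without the FSRM role installed, hashing only files that share a size and listing the largest offenders first, the way the FSRM report does. The share and output paths are assumptions.

```powershell
# Added example (not from the article or from FSRM): a stand-alone
# duplicate-file report in PowerShell, largest offenders first.
# Paths in the usage line are assumptions.

function Get-DuplicateFileReport {
    param(
        [Parameter(Mandatory=$true)][string]$Path,   # folder or partition to analyze
        [int64]$MinimumSize = 1MB                     # ignore small files, like a size filter in FSRM
    )

    # Collect files; the PSIsContainer filter keeps this working on PowerShell 2.0
    $files = Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Length -ge $MinimumSize }

    # Cheap first pass: only files that share a size can be duplicates,
    # so hash just those instead of every file on the volume.
    $bySize = $files | Group-Object -Property Length | Where-Object { $_.Count -gt 1 }

    $sha = [System.Security.Cryptography.SHA256]::Create()
    $groups = @()
    foreach ($sizeGroup in $bySize) {
        $byHash = @{}
        foreach ($file in $sizeGroup.Group) {
            try {
                $stream = $file.OpenRead()
                try { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
                finally { $stream.Close() }
            } catch {
                # Unreadable file (locked or access denied): skip it rather than abort the report
                continue
            }
            if (-not $byHash.ContainsKey($hash)) { $byHash[$hash] = @() }
            $byHash[$hash] += $file
        }
        foreach ($entry in $byHash.GetEnumerator()) {
            if ($entry.Value.Count -gt 1) {
                $groups += New-Object PSObject -Property @{
                    Hash        = $entry.Key
                    FileSize    = $entry.Value[0].Length
                    Copies      = $entry.Value.Count
                    WastedBytes = $entry.Value[0].Length * ($entry.Value.Count - 1)
                    Files       = ($entry.Value | ForEach-Object { $_.FullName }) -join '; '
                }
            }
        }
    }
    # Descending by wasted space: the larger offenders come first
    $groups | Sort-Object -Property WastedBytes -Descending
}

# Usage (assumed paths): write the report as CSV beside your other storage reports
Get-DuplicateFileReport -Path 'D:\Shares' |
    Select-Object Copies, FileSize, WastedBytes, Hash, Files |
    Export-Csv -Path 'C:\StorageReports\DuplicateFiles.csv' -NoTypeInformation
```

Grouping by size before hashing is what keeps this usable on a multi-terabyte share: a file whose size is unique cannot have a duplicate, so it is never read.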
Figure 2: Sample reports

Figure 3: File Screen Templates

www.windowsitpro.com  We’re in IT with You  Windows IT Pro  August 2010  43

How Important Is the Data?
All files have levels of importance, and some need to be handled a certain way. Unfortunately, the only ways to differentiate between files have been the file type (by extension) and the date they were last accessed. This limitation severely affects your ability to manage files based on their actual usage. Wouldn’t it be nice if you could ensure that files with personal data were stored on an encrypted drive? Wouldn’t you love to ensure that your most important files are stored on high-availability storage?

The answer lies in Server 2008 R2’s File Classification Infrastructure (FCI). The FCI process isn’t exactly intuitive, but once you’ve played with it for a while, it starts to make sense.

The first step is to create one or more Classification Properties. These can be confusing the first time you set them up, but essentially they’re the “tag” you’ll place on a file. For example, I can set a level of Confidentiality as either Low, Medium, or High.

Next, you create a rule that defines exactly what each level of Confidentiality means. In my hypothetical example, I want to make sure that all files dealing with NASA’s Space Shuttle are kept secure. So, I can create a rule that marks any file containing the word “shuttle” as Confidential; High.

The final step in this simple example is to create a task that acts on the files that fall within a Classification Rule. I can create a task that moves files that are Confidential; High (those with the word “shuttle” within the text of the file) to a more secure location. You could set up a similar process for files that contain a United States Social Security Number (SSN), or even for files that haven’t been accessed for a specified amount of time.

Moving the file is just one of the actions that can be taken on a file that meets the classification criteria—as long as you’re versed in scripting. The plan is that Microsoft and even third-party vendors (e.g., SAN manufacturers) can tap into the FCI API. In the meantime, you’re a bit limited.

Clean Up that Clutter!
Access Based Enumeration (ABE) is a relatively new technology in the Microsoft world, but it’s one that’s been around for quite a while. I can still see the puzzled look of those Novell administrators when I told them that my users could see (but not access) folders that they didn’t have permissions to. It wasn’t until a special out-of-band download for Windows 2003 that this feature came to Windows file servers.

What exactly is ABE? In short, ABE hides folders that users don’t have at least Read access to. Figures 4 and 5 show a simple before-and-after example of how ABE can clean up your file server and make it easier for your users to navigate through Windows Explorer.

ABE was available for Windows 2003 only via a separate download. But Server 2008 includes ABE and is ready to go out of the box. You don’t have to download it, install it, or even enable it. Folders that are shared are ABE-enabled by default. If you decide that you don’t want to use ABE on a particular folder, you can disable it on a share-by-share basis in Server Manager. Once Server Manager is open, expand Roles, File Services, Share and Storage Management. Choose the share for which you want to disable ABE, right-click it, and choose Properties. Click Advanced, then clear the Enable access-based enumeration check box.

Go Forth and Organize!
You’d think that serving up files would be the least of our worries in today’s high-tech server rooms. But as data stores get bigger and regulations get tighter, we need to learn to use the built-in tools that can make our jobs easier. If you know of a server that’s completely disorganized, try the techniques I discussed in the first article, then enhance what you offer your users by using these new, powerful Server 2008 R2 features.

InstantDoc ID 125461

Eric B. Rux ([email protected]) is a contributing editor for Windows IT Pro, is cofounder of WHSHelp.com, and writes a monthly column at svconline.com/connectedhome/windowshomeserver. Eric teaches the Microsoft Certified Systems Administrator (MCSA) program at a tech college.
Figure 4: Before ABE file server cleanup

Figure 5: After ABE file server cleanup
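The three-part model from “How Important Is the Data?” (a property, rules that set it, a task that acts on it) is configured through the FSRM GUI. As an added example, not code from the article and not FCI itself, the PowerShell below implements the same model on plain files: a Confidentiality property, content rules for “shuttle” and a US SSN pattern, a stale-file flag, and a task that moves Confidential; High files to a more tightly secured folder. The paths, rule names and the 365-day staleness threshold are assumptions.

```powershell
# Added example, not FCI and not the article's code: a plain PowerShell
# classifier that mirrors the article's property / rule / task model.
# Paths, rule names and the staleness threshold are assumptions.

# Property: Confidentiality, one of Low, Medium, High.
# Rules: each regex that matches file content sets the property to the given level.
$rules = @(
    @{ Name = 'Shuttle documents';  Pattern = '\bshuttle\b';           Level = 'High' },
    @{ Name = 'US Social Security'; Pattern = '\b\d{3}-\d{2}-\d{4}\b'; Level = 'High' },
    @{ Name = 'Internal draft';     Pattern = '\binternal use only\b'; Level = 'Medium' }
)
$levelRank = @{ Low = 0; Medium = 1; High = 2 }

function Get-FileClassification {
    param(
        [string]$Path,
        [string[]]$Extension = @('.txt', '.csv', '.log', '.xml'),  # text formats only
        [int]$StaleAfterDays = 365
    )
    $staleBefore = (Get-Date).AddDays(-$StaleAfterDays)

    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $Extension -contains $_.Extension } |
        ForEach-Object {
            $file = $_
            $level = 'Low'
            $matched = @()
            # Read as text; binary formats would need a content filter, as FCI has
            $text = [System.IO.File]::ReadAllText($file.FullName)
            foreach ($rule in $rules) {
                if ($text -match $rule.Pattern) {      # -match is case-insensitive
                    $matched += $rule.Name
                    # A file keeps the highest level any rule assigns it
                    if ($levelRank[$rule.Level] -gt $levelRank[$level]) { $level = $rule.Level }
                }
            }
            New-Object PSObject -Property @{
                FullName        = $file.FullName
                Confidentiality = $level
                MatchedRules    = $matched -join ', '
                Stale           = ($file.LastAccessTime -lt $staleBefore)
            }
        }
}

# Task: move Confidentiality=High files to a location with tighter ACLs.
# Only the classification result is trusted here, never the file name.
function Move-ConfidentialFiles {
    param([string]$Path, [string]$SecurePath, [switch]$WhatIf)
    Get-FileClassification -Path $Path |
        Where-Object { $_.Confidentiality -eq 'High' } |
        ForEach-Object {
            $dest = Join-Path $SecurePath (Split-Path $_.FullName -Leaf)
            if ($WhatIf) { Write-Host "Would move $($_.FullName) -> $dest ($($_.MatchedRules))" }
            else { Move-Item -Path $_.FullName -Destination $dest -Force }
        }
}

# Usage with assumed paths; run with -WhatIf first to review what a rule would catch
Move-ConfidentialFiles -Path 'D:\Shares\Engineering' -SecurePath 'E:\Secure\Confidential' -WhatIf
```

Running the task with -WhatIf before the real move is the cheap way to find an over-broad rule: a pattern like the SSN one also matches some serial numbers, and you want to see that in the review output rather than in a help-desk ticket.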
Error Trapping and Handling in PowerShell
How to use the Trap and Try…Catch…Finally constructs
by Don Jones

Sometimes when something goes wrong in Windows PowerShell, it isn’t a bad thing. That is, there are certain conditions that you can anticipate and potentially deal with, such as a missing file or a computer that can’t be contacted over the network. In response, you might want to prompt the user for an action to take or just log the error so that you can try again later. PowerShell makes this possible through a scheme called error trapping and handling.

First, You Need an Error
To trap and handle an error, you actually need one to occur. Technically, in PowerShell terminology, you need an exception to occur. That can actually be a little tricky to do, believe it or not. For example, try running the following command. It will fail, but pay attention to what happens:

    Get-WmiObject Win32_BIOS -comp 'localhost','not-here'

First, you should see the Win32_BIOS instance from your local computer. Then, you should see an error message (unless you actually have a computer named not-here on your network). Think you’ve seen an exception? Wrong. In PowerShell, just because you’ve seen an error message doesn’t mean an exception was created. You can’t trap or handle an error message. You can only trap and handle exceptions.

What you just saw was an example of a non-terminating exception. That is, an exception really did happen, but it wasn’t so bad that the cmdlet needed to stop executing. So the cmdlet basically held the exception deep inside, suppressing its feelings of failure, and continued trying to do what you’d asked. You can’t help the cmdlet if it isn’t going to be more open with its feelings. In other words, you can’t trap and handle non-terminating exceptions. Many of the problems a cmdlet can run into will typically generate a non-terminating exception. That’s because cmdlets don’t want folks to start calling them crybabies, so if something moderately bad happens, they just shut up and keep going.

This cmdlet behavior is controlled by a built-in PowerShell variable named $ErrorActionPreference. You can view its contents by simply typing the variable’s name at the command line:

    $ErrorActionPreference

By default, it’s set to Continue, which is what cmdlets do when they encounter a non-terminating error—they keep going. The cmdlets also display error messages by default, but you can shut them off by setting $ErrorActionPreference to SilentlyContinue. Try it:

    $ErrorActionPreference = "SilentlyContinue"
    Get-WmiObject Win32_BIOS -comp 'localhost','not-here'

This time, the failure occurred but not a word was said about it. Our cmdlet just bit its lip and kept on going, not so much as whimpering about the error. Now, this is where a lot of new PowerShell users go wrong, so I need you to picture me standing up on a table and screaming, “Do not set $ErrorActionPreference to SilentlyContinue just to make the error messages go away.” Error messages are, by and large, good things. They tell us what’s broken. They’re like the nerves in your fingertips that tell you the stove you’re about to touch is very hot. People who have problems with those nerves often burn themselves. We usually want to see error messages. What we don’t want to see are the error messages that we can anticipate and deal with on our own.
Just Cry Out Loud
When you anticipate a cmdlet running into a problem that you want to deal with, you need to tell that cmdlet to stop bottling up its emotions. You’re not doing this for every cmdlet across the shell, but just for a specific cmdlet that you know you can handle. Since you don’t want to make a global behavior change, you should leave $ErrorActionPreference set to Continue. Instead, you can modify the error action for just one cmdlet.

Every cmdlet in PowerShell supports a set of common parameters, one of which is -ErrorAction (which can be abbreviated -ea). It accepts the same values as $ErrorActionPreference, including stop, which tells the cmdlet to turn a non-terminating exception into a terminating exception—and terminating exceptions are ones you can trap and handle. For this example, you’d run the command

    Get-WmiObject Win32_BIOS -comp 'localhost','not-here' -ea stop

Tricky Traps
The first way you can trap an error is to use a Trap construct. Listing 1 shows an example of a trap that’s defined within a function. This code works in PowerShell 1.0 as well as PowerShell 2.0.

Listing 1: A Trap Construct

    Function Do-Something {
        Trap {
            Write-Host 'Error in function' -fore white -back red
            Continue
        }
        Write-Host 'Trying' -fore white -back black
        gwmi Win32_BIOS -comp localhost,not-here -ea stop
        Write-Host 'Tried' -fore white -back black
    }
    Write-Host 'Starting' -fore white -back green
    Do-Something
    Write-Host 'Ending' -fore white -back green

Figure 1: Results from the Trap construct in Listing 1

Figure 1 shows the output from the code in Listing 1. As you can see, PowerShell first displayed the line Starting. It then executed the function, which displayed the line Trying. Next, PowerShell ran Get-WmiObject, which can be abbreviated as gwmi. It first ran this cmdlet against localhost, and you can see the Win32_BIOS output. But it ran into a problem trying to contact not-here, so an exception occurred. The -ea stop parameter turned that into a terminating exception, so PowerShell looked for a Trap construct within the same scope. It found one inside the function and executed it. That’s why Error in function displayed. The trap finished with the Continue statement, which kept the execution inside the same scope (i.e., inside the function), and Tried was displayed. Finally, the function exited and Ending was displayed.

Traps can be tricky because they are their own scope. Specifically, they’re a child of whatever scope they live in. Consider the modified Trap construct in Listing 2. Figure 2 shows the output from this version, and I want you to follow the value of the $test variable.

Listing 2: A Problematic Trap Construct

    Function Do-Something {
        Trap {
            Write-Host 'Error in function' -fore white -back red
            $test = 'Two'        # Callout A
            Continue
        }
        $test = 'One'
        Write-Host "Trying $test" -fore white -back black
        gwmi Win32_BIOS -comp localhost,not-here -ea stop
        Write-Host "Tried $test" -fore white -back black
    }
    Write-Host 'Starting' -fore white -back green
    Do-Something
    Write-Host 'Ending' -fore white -back green

Figure 2: Results from the problematic Trap construct in Listing 2

The script set the $test variable to One, and that’s displayed in the Trying One output. When the exception occurred, the trap set the $test variable to Two. However, when the trap exited, the output still displayed Tried One. What happened? As a child scope, a trap can access its parent’s variables for reading only. So, when the trap tried to modify $test, it actually created a new local $test variable, which means that $test from the parent scope (i.e., the function) was never changed. This is a real bummer if you want your trap to modify something so that your script can continue. There are ways to remedy this. For example, you can replace the command in callout A in Listing 2 with the following command to change the variable’s contents:

    Set-Variable -name test -value 'Two' -scope 1

The -scope parameter treats scope 0 as the local scope, which is within the trap. The next scope up—the trap’s parent—is scope 1. So by changing test in scope 1, you’re modifying the variable that had been set to One. Note that when you use the Set-Variable cmdlet (as well as the other -Variable cmdlets), you don’t use a dollar sign ($) when specifying a variable’s name.
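As an added example (not one of the article's listings), here is a function that puts the two points above together: a trap typed for the exception it expects, which repairs a variable in the function's scope with Set-Variable -Scope 1 and continues, and an untyped trap that breaks out and hands anything else to a script-level trap. The unreachable computer not-here is the article's; the missing config file path is an assumption. It uses PowerShell 2.0 syntax.

```powershell
# Added example (not from the article): typed Trap blocks plus a trap that
# changes a parent-scope variable with Set-Variable -Scope 1.
# 'not-here' is the article's unreachable host; the missing file is assumed.

Function Get-InventoryItem {
    param([string]$ComputerName, [string]$ConfigFile)

    $status = 'OK'

    # Typed trap: a missing config file is expected and recoverable.
    Trap [System.Management.Automation.ItemNotFoundException] {
        Write-Host "Config file missing: $($_.Exception.Message)" -fore yellow
        # Scope 0 is the trap itself; scope 1 is the function, where $status lives.
        Set-Variable -Name status -Value 'NoConfig' -Scope 1
        Continue   # resume inside the function, at the statement after the failure
    }

    # Untyped trap: anything else is fatal for this item.
    Trap {
        Write-Host "Unexpected error: $($_.Exception.Message)" -fore white -back red
        Break      # leave the function and pass the exception to the caller's scope
    }

    $config = Get-Content -Path $ConfigFile -ErrorAction Stop
    $bios   = Get-WmiObject Win32_BIOS -ComputerName $ComputerName -ErrorAction Stop

    # Only reached when no trap used Break
    Write-Host "$ComputerName BIOS $($bios.SMBIOSBIOSVersion), status $status"
    New-Object PSObject -Property @{ Computer = $ComputerName; Status = $status }
}

# Script-scope trap: receives whatever the function's Break passes up.
Trap {
    Write-Host "Script trap caught: $($_.Exception.Message)" -fore white -back red
    Continue
}

Get-InventoryItem -ComputerName 'localhost' -ConfigFile 'C:\no-such-file.txt'  # status NoConfig, function completes
Get-InventoryItem -ComputerName 'not-here'  -ConfigFile 'C:\Windows\win.ini'   # Break: function exits, script trap runs
```

The second call returns nothing, exactly as the article describes for Break: once the trap leaves the function, the statements after the failing cmdlet never run, so any status you want to report for that case has to be written by the trap itself or by the caller.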
There’s one more tricky bit about traps that I want to share. Take a look at the alternative Trap construct in Listing 3. What I’ve done is defined a trap within the script itself, prior to the function’s definition. I’ve also modified the trap within the function to use a Break statement rather than a Continue statement. The Break statement forces the trap to exit the scope in which the error occurred (in this case, the function) and to pass the exception to the parent scope, which is the script. The shell will then look to see if a trap exists in that scope, and I have indeed defined one.

Listing 3: An Alternative Trap Construct

    Trap {
        Write-Host 'Error in script' -fore white -back red
        Continue
    }
    Function Do-Something {
        Trap {
            Write-Host 'Error in function' -fore white -back red
            Break
        }
        Write-Host "Trying" -fore white -back black
        gwmi Win32_BIOS -comp localhost,not-here -ea stop
        Write-Host "Tried" -fore white -back black
    }
    Write-Host 'Starting' -fore white -back green
    Do-Something
    Write-Host 'Ending' -fore white -back green

Figure 3: Results from the alternative Trap construct in Listing 3

Figure 3 shows what the results look like. When the exception occurred in the function, its trap executed and “broke out of” the function. The exception was passed to the script, so its trap executed. Notice that Tried isn’t displayed. That’s because the function exited before that command could run. All you see is Ending, which is the last line in the script. Although the script’s trap concludes with the Continue statement, all it does is keep the shell’s execution in the same scope (i.e., the script). The shell can’t dive back into the function; it broke out of the function and is out for good unless you call the function afresh.

As this example shows, you can include more than one Trap construct in a script. This means you can set different traps for different types of errors. To get more details, run the command

    Help about_Trap

if you’re using PowerShell 2.0. Although PowerShell 1.0 supports the Trap construct, there isn’t a Help file for it. So, if you’re using PowerShell 1.0, you need to access the information at technet.microsoft.com/en-us/library/dd347548.aspx.

Try a Different Approach
Frankly, I find the Trap construct and its scope rules pretty confusing. But fortunately, PowerShell 2.0 provides an alternative: the Try . . . Catch . . . Finally construct, which Listing 4 shows. As you can see, you put the command that might fail in the Try block and the command that deals with the failure in the Catch block. You can even add a Finally block that will execute whether or not an error occurred.

Listing 4: A Try . . . Catch . . . Finally Construct

    Try {
        gwmi Win32_BIOS -comp localhost,not-here -ea stop
    } Catch {
        Write-Host 'Something bad happened' -fore white -back red
    } Finally {
        Write-Host 'Glad that is over'
    }

Within the Catch block, you can do almost anything, including writing to log files, logging an event log entry, and sending email messages. It’s even possible to create multiple Catch blocks, each of which deals with a certain kind of error. In PowerShell 2.0, you can run the command

    Help about_Try_Catch_Finally

for more details.

What’s Your Preference?
In PowerShell 1.0, you must use the Trap construct to trap and handle errors. In PowerShell 2.0, you have a choice between the Trap and Try . . . Catch . . . Finally constructs. I prefer using the latter. Not only is the Try . . . Catch . . . Finally construct easier to use, but it also keeps the error-handling logic closer to the location of the command that might fail. If you’re using PowerShell 1.0 and you often need to catch and handle exceptions, you might consider upgrading to PowerShell 2.0 so that you can take advantage of this new error trapping and handling tool.

InstantDoc ID 125327

Don Jones ([email protected]) is the author of more than 35 books and is a speaker at technology conferences such as Microsoft TechEd and Windows Connections. He’s a multiple-year recipient of Microsoft’s MVP and is technical guide for PowerShell at www.windowsitpro.com/go/DonJonesPowerShell.
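Listing 4 shows the construct in its smallest form. The following is an added example, not the article's code, that uses the multiple Catch blocks and log-file writing mentioned in “Try a Different Approach”: one Catch per kind of failure around the article's Get-WmiObject call, a Finally block that writes one log line per computer whether or not the call failed, and a result object per computer so the caller can act on the outcome. The log path and the list of computers are assumptions; not-here is the article's unreachable host.

```powershell
# Added example (not the article's Listing 4): Try...Catch...Finally with a
# Catch per error kind, a log file written from Finally, and a result per
# computer. The log path is an assumption; 'not-here' is the article's host.

function Get-BiosReport {
    param(
        [string[]]$ComputerName = @('localhost', 'not-here'),
        [string]$LogPath = 'C:\Logs\bios-report.log'
    )
    $logDir = Split-Path -Path $LogPath
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

    foreach ($computer in $ComputerName) {
        $result = New-Object PSObject -Property @{
            Computer = $computer; Status = $null; BiosVersion = $null; Error = $null
        }
        try {
            # -ErrorAction Stop turns the cmdlet's non-terminating error into a
            # terminating exception; without it the Catch blocks never run.
            $bios = Get-WmiObject Win32_BIOS -ComputerName $computer -ErrorAction Stop
            $result.Status = 'OK'
            $result.BiosVersion = $bios.SMBIOSBIOSVersion
        }
        catch [System.UnauthorizedAccessException] {
            # Reachable, but we lack rights: a different log line than "down"
            $result.Status = 'AccessDenied'
            $result.Error = $_.Exception.Message
        }
        catch [System.Runtime.InteropServices.COMException] {
            # RPC server unavailable, name not resolved: typical for an offline host
            $result.Status = 'Unreachable'
            $result.Error = $_.Exception.Message
        }
        catch {
            # Anything else: keep the type so the log shows what we did not expect
            $result.Status = 'Failed'
            $result.Error = "$($_.Exception.GetType().FullName): $($_.Exception.Message)"
        }
        finally {
            # Runs whether or not an error occurred: one log line per computer
            $line = "{0:s} {1} {2} {3}" -f (Get-Date), $computer, $result.Status, $result.Error
            Add-Content -Path $LogPath -Value $line
        }
        $result
    }
}

Get-BiosReport | Format-Table Computer, Status, BiosVersion, Error -AutoSize
```

PowerShell tests the Catch blocks in order and runs the first whose type matches the exception, so the specific ones go first and the untyped Catch last; the Finally block runs after whichever Catch handled the error, and also when nothing failed.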
Setting Up Network Device Enrollment Service
Windows Server 2008 R2 lets you issue certificates to network devices
by Russell Smith

Distributing certificates to Windows OSs from an Active Directory (AD) enterprise certification authority (CA) is relatively simple and can be automated using Group Policy Certificate Autoenrollment after a PKI is in place. But to issue certificates to devices that don’t have accounts in AD, admins must manually create Public-Key Cryptography Standards (PKCS) requests and install certificates on those devices. This can be a time-consuming task for organizations with hundreds of devices that aren’t part of AD.

If you have a large network with many network devices that need to be issued with a certificate that must also be trusted by Windows clients, Windows Server 2008 R2’s Network Device Enrollment Service (NDES) provides a solution for issuing and managing certificates. NDES is Microsoft’s implementation of the Simple Certificate Enrollment Protocol. SCEP is an Internet-Draft standard developed by Cisco Systems that helps solve the problem of manually requesting and installing certificates by enabling devices to enroll for X.509 v3 certificates from any CA that supports SCEP. NDES in Server 2008 and later includes some welcome improvements over the old SCEP add-on, such as the ability to renew certificates using a previously issued certificate to validate the request.

This article provides an overview of how to set up NDES as part of an already existing PKI, and the steps for issuing a network device with a certificate. Due to the complexity of PKIs and the varying requirements for different scenarios, you should carefully study “Microsoft SCEP Implementation Whitepaper” (www.microsoft.com/downloads/details.aspx?familyid=E11780DE-819F-40D7-8B8E-10845BC8D446) for how to implement NDES. You should also test thoroughly in a lab environment before deploying NDES in your production environment.

SCEP in Windows Server
NDES is a native component of Server 2008 (Enterprise and Datacenter editions only) and later. It can be installed on a machine that’s running a standalone CA or on a dedicated server that communicates with an issuing enterprise CA. The NDES server role shouldn’t be installed on a device that’s running the enterprise CA role, to minimize the attack surface and protect the CA’s private key.

NDES is intended for organizations that already have a PKI in place and want to issue certificates to network devices, such as routers and firewalls, to improve security by protecting network traffic with IPsec. For example, this could include IPsec VPNs between routers or from notebooks to network edge devices. Not all devices support SCEP, so you should check with the equipment manufacturer.

Previous implementations of SCEP were available in the Windows Server 2003 Resource Kit or as a downloadable add-on for Windows 2000 Server, but differ from what’s outlined in this article. If you’re working with versions of Windows earlier than Server 2008, you should check Microsoft’s website, where you can download the add-on for Windows Server 2003 (www.microsoft.com/downloads/details.aspx?familyid=9f306763-d036-41d8-8860-1636411b2d01). For additional information, see
In the Duplicate Template dialog 4.
box, select Windows Server 2008 Enter-
prise and click OK.
In the Properties dialog box on 5.
the General tab, enter NDES Exchange
Enrollment Agent (Offline request) into the
Template display name box.
Switch to the Security tab and click 6.
Add to assign permissions for the NDES_
Admin group. Enter NDES_Admin in the
box and click OK.
Set permissions on the Security tab7.
for NDES_Admin to Read andd Enroll.
Repeat steps 3 through 7 for the 8.
CEP Encryption template.
Repeat steps 3 through 7 for the 9.
IPsec (Offline Request) template. You also
need to set permissions for NDES_Service
Account on the NDES IPsec (Offline
Request) template to Read and d Enroll.
Close Certificate Templates.10.
In the Certification Authority 11.
snap-in, click the Certificate Templates
folder in the left pane. The currently
published templates will be displayed
on the right.
Right-click the Certificate12.
Templates folder in the left pane and
select New, Certificate Template to Issue
from the menu.
In the Enable Certificate Tem-13.
plates dialog box, which Figure 1 shows,
select the three NDES templates and
click OK.
Assign PermissionsNow that you’ve put the necessary tem-
plates in place, you need to assign the
domain-joined Windows clients. You’ll need
an AD enterprise CA already in place, with a
root CA configured and taken offline.
PrerequisitesBefore installing NDES, we need to create
two domain user accounts: NDES_Admin
and NDES_ServiceAccount. The NDES_
Admin account is used for installing the
NDES server role and requesting an enroll-
ment password. The NDES_ServiceAccount
is used to run the service and is specified
during the setup process.
Add NDES_Admin to the local Admin-
istrators group on the NDES box and to the
Enterprise Admins group in the AD domain.
Add the NDES_ServiceAccount group to the
local IIS_IUSRS group on the NDES box.
Duplicate the CertificatesNow we need to duplicate the CEP
Encryption, Exchange Enrollment Agent
(Offline Request), and IPsec (Offline
Request) certificates. To do so, log on to your
issuing CA as a domain administrator.
Open the Microsoft Management1.
Console (MMC) Certification Authority
snap-in from Administrative Tools on the
Start menu.
In the left pane, expand the CA. Right-2.
click the Certificate Templates folder and
select Manage from the menu. The MMC
Certificate Templates snap-in will open.
In the Certificate Templates 3.
snap-in, right-click the Exchange
Enrollment Agent (Offline request)
template and select Duplicate Template
from the menu.
“Setting Up a VPN that Uses Certificates,”
InstantDoc ID 49738.
NDES in Windows Server 2008 R2Server 2008 R2 and Server 2008 SP2 include
changes to NDES that let administrators
more easily request and renew expired cer-
tificates. Single Password Mode, which can
be enabled on the NDES machine by setting
the HKEY_LOCAL_MACHINE\Microsoft\the
yptography\MSCEP\Use SinglePassword Cry
EG_DWORD registry value to 1, letsRE
mins request a password for certificateadm
rollment that doesn’t expire and is stored enr
d encrypted in the system registry. This an
akes it easier to renew expired certificates,ma
d a single password can be deployed an
multiple network devices. Certificate to
newal is enabled by default in Server 2008 ren
and Server 2008 SP2.R2
Design ConsiderationsIf your PKI consists of a standalone CA, it
should be in an isolated certification hierar-
chy that serves only SCEP-enabled devices.
The root CA shouldn’t be trusted by other
devices on the network. If your organization
uses Cisco equipment and your Windows
clients don’t need to trust network devices,
you might be able to deploy a Cisco IOS
Certification Authority server—a CA that
runs on a Cisco device running Internet-
work Operating System. Additionally, some
devices have limited support for certain PKI
configurations, including long encryption
key lengths, subordinate CAs, and multi-
tier PKI hierarchies.
Standalone or Enterprise CA?Implementing NDES with a standalone
CA that’s dedicated to providing network
devices with certificates might be better
suited to situations in which Windows
clients aren’t required to trust network
devices; for instance, when router-to-router
VPNs will be configured with IPsec encryp-
tion. An enterprise CA and an NDES server
might be more convenient if Windows
clients need to trust network devices for the
purposes of establishing VPN connections.
Setting up NDESLet’s install the NDES server role to commu-
nicate with an issuing enterprise CA. This is a
typical setup in which certificates are issued
to network devices that will be trusted by Figure 1: Enable Certificate Templates dialog box
NETWORK DEVICE ENROLLMENT SERVICE
50 A U G U S T 2 0 1 0 W i n d o w s I T P r o W e ’r e i n I T w i t h Yo u w w w. w i n d o w s i t p r o . c o m
the Country/Region field as necessary
and click Next.
13. On the Configure Cryptography
for Registration Authority screen, accept y
the default settings, which you can see in
Figure 3, and click Next.
14. Click Next on the Web Server (IIS)
introduction screen.
15. Accept the defaults on the Select
Role Services screen by clicking Next.
16. Click Install on the Confirm
Installation Selections screen.
17. Click Close on the Installation
Results screen.
Modify the NDES RegistryBefore you can request a password from
NDES to start the certificate request process,
you need to set some registry keys on the
NDES server to point to the NDES IPsec
(Offline Request) certificate, then restart IIS.
Open regedit from the1. Search
programs and files box on the Start menu.s
In the left pane of Registry Editor,2.
navigate to the following registry key:
HKLM\Software\Microsoft\
Crypto graphy\MSCEP (see Figure 4).
You’ll find three REG_SZ3.
values: EncryptionTemplate, General-
PurposeTemplate and Signature-
Template. Set all three values to
NDESIPSECIntermediate Offline, then
close Registry Editor.
Type cmd into the4. Search programs
and files box on the Start menu and press s
5. Select Active Direc-
tory Certificate Services
on the Select Server Roles
screen and click Next.
6. Click Next on the
Introduction screen.
7. On the Select Role
Services screen, clear
Certification Authority
and select Network Device
Enrollment Service. As
I mentioned previously,
NDES can’t be installed on
the same machine as a CA.
8. In the Add Roles
Wizard dialog box, click
Add Required Role
Services to install the
necessary IIS and Remote
Server Administration Tool
components.
9. On the Specify
User Account screen click
Select User. In the Windows
Security dialog box, enter
the username and password for the NDES_
Service Account and click Next.
10. Click Browse in the Specify CA
for Network Device Enrollment Service
dialog box.
11. In the Select Certification
Authority dialog box, select the issuing
CA, then click OK and Next to continue.
12. On the Specify Registration
Authority Information screen, modify
accounts appropriate permissions to the
issuing CA.
In the Certification Authority 1.
snap-in, right-click the CA in the left
pane and select Properties from the
menu.
Select the Security tab and click 2.
Add to assign permissions for NDES_
ServiceAccount.
Type NDES_ServiceAccount into 3.
the box and click OK.
Set permissions on the Security tab4.
for NDES_ServiceAccount to Read and d
Request Certificates (see Figure 2).s
Click OK to close the properties5.
dialog box.
Install NDESThe issuing CA is properly configured. Now
you can install the NDES server role on a
separate server.
Log on to the NDES box using 1.
the NDES_Admin account created
earlier.
Open Server Manager from the2.
Start menu.
In the left pane of Server Manager, 3.
right-click Roles and select Add Roles
from the menu.
4. Click Next on the Before You Begin
screen in the Add Roles Wizard. Figure 3: Add Roles Wizard
Figure 2: Setting permissions for NDES_ServiceAccount
t
o
s
I
S
C
a
E
I
N
t
W
A
S
n
S
c
U
SFigure 2: Setting permissions for NDES ServiceAccount
NETWORK DEVICE ENROLLMENT SERVICE
w w w. w i n d o w s i t p r o . c o m W e ’r e i n I T w i t h Yo u W i n d o w s I T P r o A U G U S T 2 0 1 0 51
Ctrl+Shift+Enter to start the command prompt with administrative privileges.
5. Type the following two commands to restart IIS:
net stop w3svc
net start w3svc
6. Close the command prompt.

Request a Certificate
Next, you need to request a certificate for the network device. The first step in the process of setting up a certificate is to generate a public/private key pair on the device. This procedure will vary depending on your equipment. In Cisco IOS, the command might look something like this:
crypto key generate rsa general-keys modulus 2048
If you don’t specify the label switch in the crypto command, the name of the key pair defaults to the name of the network device. The key length, stated here as 2048, should match that specified on the Configure Cryptography for Registration Authority screen when NDES was set up.
On the NDES server, log on using the NDES_Admin account and open Internet Explorer. Enter the NDES admin page address http://localhost/certsrv/mscep_admin/. You’ll be presented with a hash value for the CA certificate and an enrollment challenge password that’s good for 60 minutes (Figure 5).
The network device then needs to be configured to trust the enterprise CA. Again, this procedure differs with every device, and you will need to refer to the manufacturer’s instructions. When configuring the device to trust the enterprise CA, you’ll need to specify the name of the key pair created earlier and the enrollment URL for the enterprise CA, http://NDES1/certsrv/mscep.dll?operation=GetCACert&message=NetworkDeviceID. SCEP calls to the NDES server are made via mscep.dll and HTTP GET commands. In the URL above you can see that the GetCACert command is issued to NDES.
After the network device trusts the enterprise CA, you can issue a certificate request. Some devices require you to authenticate to the enterprise CA as a separate step before you can issue a certificate request. You also need the one-time enrollment password (OTP) issued by NDES to complete the request.
If a value for the KeyUsage extension isn’t specified in the request, a default value of 0xa0 is used that refers to the GeneralPurposeTemplate as specified in the system registry. Other possible values include 0x80 for the SignatureTemplate and 0x20 for the EncryptionTemplate.
The enterprise CA processes the certificate request on behalf of NDES, which then issues the certificate to the network device.
Figure 4: Changing the registry setting
Figure 5: CA certificate and enrollment challenge password

Complexity Worth the Trouble
You now know how to set up NDES as part of an already existing PKI. However, before you ever do so, you should read the Microsoft white paper I referenced at the beginning of the article, and you should also test thoroughly in a lab environment before deploying NDES in your production environment.
InstantDoc ID 125385
Russell Smith ([email protected]) is an independent IT consultant specializing in systems management and security, and author of Least Privilege Security for Windows 7, Vista and XP (Packt).
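The hash shown on the mscep_admin page is the device’s only defence against being enrolled with the wrong CA, so it’s worth checking what the GetCACert operation actually returns before telling a device to trust it. The following script is an added example (not the article’s or Microsoft’s code) that fetches the CA certificate(s) from NDES using the same GetCACert URL form the article shows and compares their SHA-1 and MD5 hashes with the value you paste from the admin page. The host name NDES1 is taken from the article; the expected hash is a placeholder.

```powershell
# Added example: verify the CA certificate that NDES hands out over SCEP
# (GetCACert) against the hash shown on http://localhost/certsrv/mscep_admin/.
# Assumptions: NDES host NDES1 and the URL form used in the article; the
# expected hash is pasted from the admin page (placeholder below).
param(
    [string]$NdesServer   = 'NDES1',
    [string]$ExpectedHash = 'PASTE-HASH-FROM-MSCEP-ADMIN-PAGE'
)

$url = "http://$NdesServer/certsrv/mscep.dll?operation=GetCACert&message=NetworkDeviceID"

# WebClient is available in PowerShell 2.0 (Invoke-WebRequest needs 3.0 or later).
$client = New-Object System.Net.WebClient
$raw = $client.DownloadData($url)

# GetCACert returns either a single DER certificate or a PKCS#7 bundle holding
# the CA and RA certificates; X509Certificate2Collection.Import accepts both.
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($raw)

# Normalise the pasted value: strip spaces/colons, upper-case hex.
$expected = ($ExpectedHash -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$md5 = [System.Security.Cryptography.MD5]::Create()
$anyMatch = $false

foreach ($cert in $certs) {
    $sha1   = $cert.Thumbprint.ToUpperInvariant()   # .Thumbprint is SHA-1 over the DER bytes
    $md5Hex = ([System.BitConverter]::ToString($md5.ComputeHash($cert.RawData))) -replace '-', ''
    $match  = ($sha1 -eq $expected) -or ($md5Hex -eq $expected)
    if ($match) { $anyMatch = $true }

    Write-Host ("Subject : {0}" -f $cert.Subject)
    Write-Host ("Issuer  : {0}" -f $cert.Issuer)
    Write-Host ("SHA-1   : {0}" -f $sha1)
    Write-Host ("MD5     : {0}" -f $md5Hex)
    Write-Host ("Matches admin page hash: {0}" -f $match)
    Write-Host ''
}

if (-not $anyMatch) {
    Write-Warning 'No certificate returned by GetCACert matches the hash from the admin page. Do not configure the device to trust this CA until you know why.'
}
```

Run it from a workstation that can reach the NDES server over HTTP. Because the admin page shows one hash, the script computes both SHA-1 and MD5 so that whichever algorithm the page uses is matched; a bundle that contains the RA certificates as well as the CA certificate is expected, and only one entry needs to match.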
FEATURE
DEPLOYING CLIENT ACCESS
Exchange Server’s Client Access: Deploying Your Servers
Get this important part of your Exchange infrastructure running
by Ken St. Cyr

In Exchange Server 2010, the Client Access server role plays a much larger part in the messaging organization than in any previous version. Because of this, it’s critical to deploy the Client Access server role correctly up front and avoid any unnecessary or unplanned downtime.
In my previous article, “Exchange Server’s Client Access: An Introduction,” InstantDoc ID 125061, I provided an introduction to the Client Access server role in Microsoft Exchange Server 2010 and Exchange 2007. In this article, I’ll expand on that topic and talk about deploying and installing Client Access server. I’ll focus on Exchange Server 2010, but I’ll point out the differences for Exchange 2007 as I go. I’ll walk you through a manual, GUI-based installation and an unattended installation, as well as discuss the prerequisites. I’ll wrap up by looking at coexistence and transition, including transitioning to the Exchange 2010 Client Access server from older versions of Exchange, and how to ensure that multiple versions of the Client Access server live in harmony.

Prerequisites
Before installing the Client Access server role, make sure your server meets the prerequisites. I prefer to install prerequisites in a scriptable, repeatable manner that requires as little administrator interaction as possible. Therefore, I’ll supply the commands you need to install the prerequisites rather than use the GUI. Table 1 outlines the prerequisites; note that they differ between Exchange 2007 and Exchange 2010. The .NET Framework, Windows PowerShell, and Windows Remote Management (WinRM) are base system requirements for Exchange. The web server and remote procedure call (RPC) over HTTP requirements are specifically for the Client Access server role.
When installing Exchange 2010 on Windows Server 2008, you’ll need to download the .NET Framework 3.5 SP1 from the Microsoft website at bit.ly/9aZw and install it separately. You can install the framework without user interaction by running the executable you download with the /passive switch. The installation still displays status dialog boxes so you can see its progression.
The .NET Framework 3.5 SP1 is included as a feature that you can add in Server 2008 R2. You can install it using the Add Features option in Server Manager or with PowerShell. To install it using PowerShell, you first have to open PowerShell with the system modules loaded, which you do by right-clicking the PowerShell application and selecting Import system modules, as Figure 1 shows. Note that this option isn’t available to you until you’ve run PowerShell at least once as the current user. After you’ve imported the system modules, use the command
Add-WindowsFeature Net-Framework-Core
PowerShell 2.0 and WinRM are already installed in Server 2008 R2, so there are no additional steps to get those components working, but you need to install them in Server 2008. Microsoft offers PowerShell 2.0 and WinRM packaged into a single download called the Windows Management Framework Core, available from support.microsoft.com/kb/968929. You only need the Core version of the framework, not the other downloads on that page. Install the update silently using the command
Windows6.0-KB968930-x64.msu /quiet
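Because the prerequisites are meant to be installed in a scriptable way, it helps to have an equally scriptable check you can run before launching setup, so that a server that was built from a slightly different image fails early rather than in the setup wizard. The script below is an added example (not the article’s code) for Server 2008 R2 that checks the Windows features the article passes to Add-WindowsFeature, the PowerShell and WinRM base requirements, and the .NET TCP Port Sharing start mode, and reports what is missing. The feature names are the ones the article lists; nothing else is assumed.

```powershell
# Added example: verify the Client Access server prerequisites on Server 2008 R2
# before running Exchange 2010 setup. Reports problems; fixes are left to the
# article's own commands so that this script is safe to run at any time.
Import-Module ServerManager   # provides Get-WindowsFeature / Add-WindowsFeature

# Feature names as passed to Add-WindowsFeature in the article
$requiredFeatures = @(
    'NET-Framework', 'NET-HTTP-Activation', 'RPC-Over-HTTP-Proxy', 'RSAT-ADDS',
    'Web-Server', 'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-Metabase',
    'Web-Net-Ext', 'Web-Lgcy-Mgmt-Console', 'WAS-Process-Model', 'RSAT-Web-Server',
    'Web-ISAPI-Ext', 'Web-Digest-Auth', 'Web-Dyn-Compression'
)

$problems = @()

# 1. Windows features (Server Manager view of what is installed)
$missing = Get-WindowsFeature -Name $requiredFeatures | Where-Object { -not $_.Installed }
foreach ($f in $missing) {
    $problems += "Windows feature not installed: $($f.Name)"
}

# 2. PowerShell 2.0 and WinRM are base requirements for Exchange 2010
if ($PSVersionTable -eq $null -or $PSVersionTable.PSVersion.Major -lt 2) {
    $problems += 'PowerShell 2.0 or later is required'
}
if ((Get-Service -Name WinRM -ErrorAction SilentlyContinue) -eq $null) {
    $problems += 'WinRM service is not installed'
}

# 3. .NET TCP Port Sharing must be set to start automatically. Get-Service does
#    not expose the start mode in PowerShell 2.0, so read it through WMI.
$pts = Get-WmiObject -Class Win32_Service -Filter "Name='NetTcpPortSharing'"
if ($pts -eq $null) {
    $problems += 'NetTcpPortSharing service not found (is .NET Framework 3.5 SP1 installed?)'
} elseif ($pts.StartMode -ne 'Auto') {
    $problems += "NetTcpPortSharing start mode is '$($pts.StartMode)', expected 'Auto'"
}

if ($problems.Count -eq 0) {
    Write-Host 'All Client Access server prerequisites are present.'
} else {
    Write-Warning 'Prerequisite check failed:'
    foreach ($p in $problems) { Write-Warning "  $p" }
    # Remediate with the commands from the article, for example:
    #   Add-WindowsFeature <missing feature names> -Restart
    #   Set-Service NetTcpPortSharing -StartupType Automatic
}
```

Run it in an elevated PowerShell session on the target server. It only reads state, so it can be scheduled or run repeatedly across a batch of servers before the unattended setup.com installation described later in the article.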
Table 1: Software Prerequisites for Installing the Client Access Server Role
Prerequisite                Exchange Server 2007   Exchange Server 2010
.NET Framework              .NET 3.0               .NET 3.5 SP1
PowerShell                  PowerShell 1.0         PowerShell 2.0
Windows Remote Management   Not required           WinRM 2.0
Web server                  IIS 6.0                IIS 7.0
Figure 1: Importing system modules in PowerShell

After you install the correct version of the .NET Framework and PowerShell, you’ll need to make sure the following components are installed before you can install the Client Access server role on your server:
• Web Server role on Server 2008
• Web Server: basic authentication feature
• Web Server: Windows authentication feature
• Web Server: digest authentication feature
• Web Server: Microsoft IIS 6.0 metabase compatibility feature
• Web Server: .NET extensibility feature
• Web Server: IIS 6.0 management console feature
• Web Server: Internet Server API (ISAPI) extensions feature
• Web Server: dynamic content compression feature
• Windows Process Activation Service: process model feature
• Remote Server Administration Tools: web server tools feature
• .NET Framework: HTTP activation feature
• RPC over HTTP Proxy feature
You don’t have to install each of these components through the Server Manager interface—the Exchange team provides a much easier way. There’s a set of XML files in the Scripts folder on the Exchange DVD. The Exchange-CAS.xml file contains the Server Manager packages that you need for the Client Access server role. You can install these packages using the command
ServerManagerCmd.exe -ip d:\scripts\Exchange-CAS.xml
ServerManagerCmd.exe is deprecated in Server 2008 R2, so it might not be there in future versions. To install the packages without ServerManagerCmd, use the Add-WindowsFeature PowerShell cmdlet:
Add-WindowsFeature NET-Framework,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression -Restart
The Client Access server role requires that the .NET TCP Port Sharing Service (NetTcpPortSharing) be set to automatic. This service allows multiple processes running on a server to use a single port. It adds a layer of logic between the network and the application. In Exchange 2010, the Mailbox Replication service relies on TCP Port Sharing to coordinate move requests originating from multiple clients. You can set up the service manually through the Services snap-in, or use one of the following commands. At a Windows command prompt, use
sc config NetTcpPortSharing start= auto
Or in PowerShell, you can use
Set-Service NetTcpPortSharing -StartupType Automatic

GUI-Based Installation
Now that the prerequisites are installed, you can install a Client Access server using the setup wizard. The Client Access server role can be installed on servers alongside other roles, but in this example, I’m installing only the Client Access server role on the server.
Insert the Exchange 2010 installation media. If AutoPlay doesn’t fire up the installer, you can launch setup.exe from the root of the DVD. Note that there are two versions of setup on the DVD—setup.exe and setup.com. Setup.com is the command-line installer, which I’ll talk about later. Launch setup.exe. In this example, steps 1 and 2 are grayed out because I already took care of these items when I installed the prerequisites. Click Step 3 and choose the language options you want to use. For this example, I’m going to use only the languages that are on the DVD.
You can then click Step 4 to launch the setup wizard. You’ll see an introduction screen, followed by a License Agreement that you must accept, then the option to report errors to Microsoft automatically. When you come to the Installation Type screen, select Custom Exchange Server Installation and click Next.
Next is the Server Role Selection screen. This screen is where you’ll select the option for installing the Client Access server role. When you do this, the Management Tools are automatically selected as well. Because I’m installing only the Client Access server role, those are the only two options I select, as Figure 2 shows.
The Configure Client Access Server External Domain screen is next. This screen is new in Exchange 2010 and lets you specify (during install) the external namespace that the Client Access server will service. As part of the installation, your virtual directories will be configured with this external namespace, so you don’t have to do it manually after setup. This screen is completely optional, and you should only configure it for Internet-facing Client Access servers. If you’re setting up an Internet-facing Client Access server and you don’t specify the external namespace, you can still go back in and configure it afterward.
The remaining screens in the setup wizard run the prerequisite check for
the Client Access server and perform the installation. If you followed the guidance I provided for the prerequisite software, you shouldn’t run into any problems in the prerequisite check. After Exchange installs successfully, you should see a screen similar to Figure 3.
Figure 2: Installing only the Client Access server role
Figure 3: An example successful installation screen

Unattended Installation
Running through the setup wizard makes the installation of a Client Access server fairly simple, but if you’re deploying multiple Exchange servers running the Client Access server role, you might be better off using a less interactive installation. Exchange lets you run unattended installations using the command-line setup.com tool on the Exchange installation media.
You can run setup.com with command-line parameters or you can specify an answer file. Answer files are helpful if you have a lot of options that you want to specify for a command, but unless you’re installing and customizing additional roles on the same server, they won’t help much for the Client Access server role. If you’re not specifying any additional setup options, you can install the Client Access server role with the command
setup.com /mode:install /roles:clientaccess
You might want to use the NoSelfSignedCertificates parameter for your installation. This parameter installs the role without a self-signed certificate, which can be helpful if you’re planning to remove the default self-signed certificate and use one issued by a trusted third-party Certificate Authority. Don’t use this parameter unless you intend to install an issued certificate. You should also consider using the ExternalCASServerDomain parameter. For example:
setup.com /mode:install /roles:clientaccess /ExternalCASServerDomain:mail.contoso.com
This parameter lets you specify your external domain name for Internet-facing Client Access servers, as I mentioned in the section on using the setup wizard. After you’re finished executing the setup.com command, the installation is hands-off.

Coexistence and Transition
Coexisting with and transitioning from legacy versions of Exchange aren’t too difficult in Exchange 2010—if you understand a few basics. Remember that Exchange 2010 Client Access servers can’t communicate with Exchange 2003 or Exchange 2007 Mailbox servers by using MAPI. Your external-facing legacy servers need a different external namespace than your external-facing Exchange 2010 Client Access server. You might require new certificates—your legacy servers will have a different namespace, so if you don’t have a wildcard certificate, you’ll have to request a new SAN certificate. And you should always transition Internet-facing Client Access servers first, followed by those that don’t face the Internet.
Maintaining an additional namespace is the portion of the coexistence and transition process that has the most impact on your Exchange setup. Because Exchange 2010 is designed to interoperate with legacy Client Access servers and front-end servers, you want your Exchange 2010 Client Access servers to use your existing namespace and you want to adopt a new namespace for your legacy servers.
For example, if your external namespace with your current Exchange 2007 or Exchange 2003 servers is mail.contoso.com, you probably want to use this namespace for Exchange 2010. If you keep it, users won’t have to remember a new URL for Outlook Web App (OWA; formerly Outlook Web Access) or reconfigure their mobile phones or IMAP/POP clients. If you’re keeping your legacy Exchange 2003 front-end servers or Exchange 2007 Client Access servers online, temporarily or permanently, there might be cases in which your Exchange 2010 Client Access server has to redirect an external client to a legacy front-end or Client Access server. For this redirection to work, your legacy servers need to have a different external namespace, such as legacy.contoso.com.
When you’re ready to transition, you can deploy your Exchange 2010 Client Access servers without affecting your legacy Exchange infrastructure. Make sure that you don’t make any DNS changes to your production external namespace (e.g., mail.contoso.com) until after you configure the legacy namespace and are ready for your external users to use the Exchange 2010 Client Access servers. The steps to configure the legacy namespace differ between Exchange 2007 and Exchange 2003.
For Exchange 2003 front-end servers:
1. Create DNS entries for the legacy namespace (e.g., legacy.contoso.com) and point them to your Internet-facing Exchange 2003 front-end infrastructure.
2. Use the Set-OwaVirtualDirectory Exchange Management Shell cmdlet to tell Exchange 2010 OWA what the legacy URL is so it knows where to redirect users. Specify the Exchange2003URL parameter on all Client Access servers that legacy Exchange 2003 mailboxes connect to for OWA. For example,
Set-OwaVirtualDirectory "CONTOSO-CAS01\owa*" -Exchange2003URL https://legacy.contoso.com/exchange
3. If you use ActiveSync, ensure that Integrated Windows authentication is turned on for ActiveSync at your Exchange 2003 mailbox server. You need this authentication so that the Exchange 2003 server hosting ActiveSync can accept Kerberos credentials from the Exchange 2010 Client Access server.
4. Update the certificates on your Exchange 2003 front-end servers to include the legacy namespace.
5. When you’re ready for your users to use the Exchange 2010 Client Access servers, modify the DNS records of your production namespace to point to your Exchange 2010 servers.
6. Reconfigure the Offline Address Book (OAB). If you have Outlook 2007 or Outlook 2010 clients running in your organization, you’ll want to move the OAB to an Exchange 2010 Mailbox server so you can take advantage of web-based OAB distribution, which is more efficient than public folder–based distribution and requires less network bandwidth. Although web-based OAB distribution is performed by the Client Access server, the generation of the OAB is performed by the Mailbox server. Therefore, if you want to enable web-based distribution, you need to move the OAB generation process to an Exchange 2010 Mailbox server first using the Move-OfflineAddressBook cmdlet. Outlook 2003 and older clients still use public folders to download the OAB, so if you have these clients in your environment, make sure public folder–based distribution is still enabled as well. The virtual directory for web-based OAB distribution is added by default on the Client Access server, but you’ll need to configure the OAB itself by adding the virtual directory as a web distribution point. Use the Set-OfflineAddressBook cmdlet in Exchange 2010 to add the Client Access server OAB virtual directory to the list of virtual directories allowed for your OABs. When you make this change, you must ensure that version 4 OABs are being generated. Also, make sure you include all of the existing virtual directories and the virtual directory you’re adding when you execute this command. Any virtual directories that you omit will be removed from the list. Your commands should look like this:
Move-OfflineAddressBook "Default Offline Address Book" -Server CONTOSO-MBX01
Set-OfflineAddressBook "Default Offline Address Book" -VirtualDirectories "CONTOSO-CAS01\oab*"
7. If you use RPC over HTTP, move the connection point to Exchange 2010 and turn off RPC over HTTP on your Exchange 2003 servers.
To create a legacy namespace for Exchange 2007 Client Access servers:
1. Create DNS entries for the legacy namespace (e.g., legacy.contoso.com) and point them to your Internet-facing Exchange 2007 Client Access server infrastructure.
2. Update the External URLs on your Exchange 2007 Client Access servers so they use the legacy namespace.
3. When you’re ready for your users to use the Exchange 2010 Client Access servers, modify the DNS records of your production namespace to point to your Exchange 2010 servers. Make sure to change the AutoDiscover record, too.
4. Reconfigure the OAB. Use the Set-OfflineAddressBook cmdlet to allow your Exchange 2010 Client Access servers to distribute the OAB. The cmdlet modifies the OAB to add the Exchange 2010 web service to the list of virtual directories. Similar to the Exchange 2003 transition process described above, make sure you’re using version 4 OABs. Also, when you execute the Set-OfflineAddressBook command, keep the existing virtual directories in the VirtualDirectories parameter or they’ll be omitted. For example,
Set-OfflineAddressBook "Default Offline Address Book" -VirtualDirectories "CONTOSO-CAS01\oab*"
5. Turn off Outlook Anywhere on your Exchange 2007 Client Access servers and turn it on on your Exchange 2010 Client Access servers.
The process of transitioning your legacy infrastructure will vary between different Exchange environments. I’ve given you a high-level understanding of this process, but you should thoroughly test your transition and coexistence scenarios before rolling out Exchange 2010 to production.

Deployed, and Ready for the Next Layer
You should now have a good grasp of the work involved with deploying the Client Access server role in your Exchange environment. Of course, the Client Access server role has many layers. In the next article in this series, I’m going to peel back another layer and show you how you can add redundancy and high availability to your Client Access servers. Until then, you might want to take a look at the Exchange team blog post “Transitioning Client Access to Exchange Server 2010,” msexchangeteam.com/archive/2009/11/20/453272.aspx. It’s a great resource to learn more about the Client Access server role.
InstantDoc ID 125347
Ken St. Cyr ([email protected]) is a solution architect at Microsoft with more than 10 years of industry experience. He’s a Microsoft Certified Master in Directory Services and the author of Exchange Server 2010 Administration Instant Reference (Sybex).
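The OAB reconfiguration step in the transition procedures above has a sharp edge: Set-OfflineAddressBook -VirtualDirectories replaces the whole list, so any directory you forget is silently dropped, and clients that download from that directory stop getting updates. The script below is an added example (not the article’s code) for the Exchange 2010 Management Shell that applies the legacy OWA redirect and then adds a Client Access server’s OAB virtual directory to the existing list rather than overwriting it, checking on the way that generation already lives on an Exchange 2010 Mailbox server and that Version 4 is being generated. Server and namespace names (CONTOSO-CAS01, CONTOSO-MBX01, legacy.contoso.com) are the article’s; converting the existing ADObjectId entries back to identity strings with ToString() is an assumption I make here.

```powershell
# Added example: legacy OWA redirect plus non-destructive OAB distribution
# change for the Exchange 2003/2007 to Exchange 2010 transition.
# Run in the Exchange 2010 Management Shell. Names below are assumed.
$cas       = 'CONTOSO-CAS01'
$mbx       = 'CONTOSO-MBX01'
$legacyUrl = 'https://legacy.contoso.com/exchange'
$oabName   = 'Default Offline Address Book'

# 1. Tell every Exchange 2010 OWA virtual directory on this CAS where the
#    legacy servers live, so Exchange 2003 mailboxes are redirected.
Get-OwaVirtualDirectory -Server $cas |
    Where-Object { $_.OwaVersion -eq 'Exchange2010' } |
    ForEach-Object {
        Set-OwaVirtualDirectory -Identity $_.Identity -Exchange2003URL $legacyUrl
    }

# 2. Web distribution is done by the CAS, but generation must be on an
#    Exchange 2010 Mailbox server first.
$oab = Get-OfflineAddressBook -Identity $oabName
if ($oab.Server -eq $null -or $oab.Server.Name -ne $mbx) {
    Move-OfflineAddressBook -Identity $oabName -Server $mbx
    $oab = Get-OfflineAddressBook -Identity $oabName
}

# 3. Outlook 2007/2010 web distribution needs Version 4 OABs.
$versions = @($oab.Versions | ForEach-Object { $_.ToString() })
if ($versions -notcontains 'Version4') {
    Write-Warning "$oabName does not generate Version4; web distribution will not work until it does."
}

# 4. Append the CAS OAB virtual directory, keeping every directory already on the list.
#    Assumption: ToString() on the existing ADObjectId entries yields the
#    'SERVER\OAB (Default Web Site)' identity form that Set-OfflineAddressBook accepts.
$newVdir  = Get-OabVirtualDirectory -Server $cas | Select-Object -First 1
$newId    = $newVdir.Identity.ToString()
$existing = @($oab.VirtualDirectories | ForEach-Object { $_.ToString() })

if ($existing -contains $newId) {
    Write-Host "$newId is already a distribution point for $oabName."
} else {
    $updated = $existing + $newId
    Set-OfflineAddressBook -Identity $oabName -VirtualDirectories $updated
    Write-Host ("{0} now distributes from: {1}" -f $oabName, ($updated -join ', '))
}
```

Run it once per Internet-facing Client Access server you bring into service. Reading the current list first and appending to it is the whole point; if you prefer to pass the list literally, as the article does, list every existing directory together with the new one.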
Get Proactive with SharePoint 2010’s Improved Monitoring
Harness the power of Health Analyzer and reporting to improve your farm
by Todd Klindt
Figure 1: Monitoring options in SharePoint 2010’s Central Administration

SharePoint 2010’s new and improved features can help administrators in many ways (see the sidebar “SharePoint 2010 Improvements,” page 58), including finding problems in their SharePoint farm. Let’s look at the improved monitoring features in SharePoint 2010—in particular, timer jobs, reporting, and the Health Analyzer, as they show up in Central Administration—and examine how they can help you manage SharePoint in a more proactive way. By the end of this article, your powers to prevent SharePoint problems will make it seem like you can almost predict the future.
Timer Jobs
The first stop on our whirlwind tour of SharePoint 2010’s monitoring improvements is timer jobs. Timer jobs are the workhorses of SharePoint, making sure things are provisioned, email alerts are sent, and other ugly tasks get done. In SharePoint 2007, the problem was there was no good way to troubleshoot timer jobs, and if you needed a timer job to run, you had no choice but to wait for it to run the next time it was scheduled.
The first improvement in SharePoint 2010 monitoring is the timer job dashboard, which now offers a snapshot of the timer job subsystem and what’s going on. You get to the dashboard by going to Central Administration and clicking the Monitoring link in the left pane, which Figure 1 shows. The set of links pertaining to timer jobs is in the second group of links, cleverly hidden under the heading labeled Timer Jobs. When you click the Check job status link, you see what Figure 2 shows: the ghosts of timer jobs past, present, and future.
The top of the page shows the timer jobs that are scheduled to run. Clicking on any of the timer jobs brings up its definition, a screen that explains what the timer job does. You can also edit the schedule of the timer job, as Figure 3 shows, including disabling it completely or running it immediately. This is a huge improvement.
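The same "run it now" decision can be driven by the job history instead of by a click in Central Administration. The script below is an added example (not the article’s or Microsoft’s code) for the SharePoint 2010 Management Shell: it walks every timer job in the farm with Get-SPTimerJob, reads each job’s HistoryEntries to find the most recent run, reports the jobs whose last run failed together with the recorded error, and, when run with -RunNow, starts those jobs immediately with Start-SPTimerJob. No names are assumed beyond the SharePoint cmdlets and object properties it uses.

```powershell
# Added example: find SharePoint 2010 timer jobs whose last run failed and,
# optionally, run them straight away instead of waiting for the schedule.
# Usage:  .\Get-FailedTimerJobs.ps1            (report only)
#         .\Get-FailedTimerJobs.ps1 -RunNow    (report and re-run)
param([switch]$RunNow)

# Load the SharePoint snap-in when started from a plain PowerShell console.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($job in Get-SPTimerJob) {
    # HistoryEntries holds one SPJobHistory entry per past run; take the newest.
    $last = $job.HistoryEntries |
        Sort-Object StartTime -Descending |
        Select-Object -First 1

    if ($last -ne $null -and $last.Status -eq 'Failed') {
        New-Object PSObject -Property @{
            Job       = $job.Name
            LastStart = $last.StartTime
            Server    = $last.ServerName
            Error     = $last.ErrorMessage
        }
        if ($RunNow) {
            # Queue the job for immediate execution; the result shows up as a
            # new history entry (and on the Timer Job Status page).
            Start-SPTimerJob -Identity $job | Out-Null
        }
    }
}

if ($report -eq $null) {
    Write-Host 'No timer job has a failed last run.'
} else {
    $report | Format-Table Job, LastStart, Server, Error -AutoSize
}
```

Sorting a job’s full history is the simplest way to get the latest entry, but on a busy farm with a long retention window it is also the slow part; if you run this from a scheduled task, narrow Get-SPTimerJob with -WebApplication or by name first.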
SHAREPOINT MONITORING
If a timer job fails for some reason or if you need to execute a timer job’s functionality (like collecting incoming email), you don’t have to wait for its regularly scheduled occurrence. To get the full list of scheduled timer jobs, click Scheduled Jobs under Timer Links in the upper left pane.
The middle section of the Timer Job Status page in Figure 2 shows running tasks. This is an improvement over SharePoint 2007, where we had no idea what timer jobs were currently running nor did we have any information about them. With SharePoint 2010, you see which jobs are currently running on which servers, how far along they are, and when they started—and it comes with a progress bar at no extra charge. You’ll also see a page dedicated to displaying the running jobs only. You can get to it by clicking Running Jobs in the upper left pane.
The bottom part of the Timer Job Status page shows the timer jobs that have run in the past. SharePoint 2007 has a similar screen, but SharePoint 2010 takes it a step farther. Each finished timer job has a status attached to it: Succeeded or Failed. Clicking the status takes you to the job history page, where you can get information about that instance of the timer job execution, such as how long the job took, and which web apps and content databases it ran against. In the case of a timer job failure, the history screen tells why the failure occurred, which helps in troubleshooting.
Finally, the trusty timer job definition from SharePoint 2007 has gotten a facelift in SharePoint 2010. It now lists all the timer jobs defined in the farm, regardless of whether they’re scheduled to run or not. Clicking a job definition opens its properties. You can also view the definition by clicking the Scheduled Jobs link in the left pane of the Timer Job Status page.
Not to be left out, Windows PowerShell also lets you manage timer jobs in the SharePoint Management Console. I won’t cover PowerShell options very deeply here, but I will do so in a later article. Open the SharePoint Management Console and type
Get-Command *SPTimerJob
to get a list of all the cmdlets you can use to manipulate timer jobs. To get specific help on any of them, use Get-Help, like this:
Get-Help Start-SPTimerJob
This command shows you how to start timer jobs at will. The other cmdlets work similarly. Although timer jobs in SharePoint 2010 and SharePoint 2007 function in similar ways, in SharePoint 2010 the administration experience is much better.
Figure 2: The Timer Job Status page
Figure 3: Editing an existing timer job

Reporting
The reporting system in SharePoint 2010 has also been improved and enhanced. Like timer jobs, Reporting has its own heading with links (see Figure 1) on the Monitoring page of Central Administration. The first link, View administrative reports, takes you to a library of administrative reports. As of the beta, this library included reports only from the Search team on statistics like query latency and crawl rate per content source. I hope other groups will eventually include reports here, too. The structure for these reports will be documented, so you’ll be able to create custom reports as well.
The second link takes you to the page where diagnostic logging is configured. Several aspects of logging are configured here, and you’ll see two big improvements. First, any category not using the default logging settings now shows up in bold. In SharePoint 2007, if you altered any category’s settings, you had no way of knowing which ones you had changed or what value you had changed them from. That leads us to the second improvement: a new logging level, Reset to default. Now you can crank up your SharePoint logging with reckless abandon, knowing that bolded categories and Reset to default will help you get things back to normal. This page also lets you
restrict log size by number of days kept or by space used. It’s also a good idea to use this page to move the Unified Logging Service (ULS) logs off of your servers’ C drives and onto another drive. Just remember that this setting is a farm setting, so all of your SharePoint servers must have the location you move your logs to.
At the View health reports link, automatically generated health reports give you information about two potential problem areas concerning your farm. One report provides a list of the slowest pages in your farm, which should let you isolate and deal with trouble pages before the users come to you. The second report lists your most active users and their activity. These reports, like the administrative reports, allow some basic filtering to help you get the information you’re interested in.
The next link under Reporting lets you configure usage and health data collection. This screen lets you configure which data, if any, is logged by SharePoint. You can choose which events SharePoint logs as well as where SharePoint stores its usage files. As with your ULS logs, it’s a good idea to save your usage logs on a drive other than the C drive.
The page does have one setting you can’t change: the location of the logging database. SharePoint 2010 requires you to use the PowerShell cmdlet Set-SPUsageApplication to alter the location of this database. Central Administration reports only the location of the logging database.
Moving the logging database is a good idea. Because SharePoint aggregates all its usage and health data to this database, it
SharePoint 2010 Improvements
SharePoint 2010 has improved in many areas. These are a few gems that really get my IT pro juices flowing.

Windows PowerShell
In SharePoint 2003 and 2007, command-line junkie administrators had a powerful tool, Stsadm. With it, we could do repetitive tasks quickly without wearing out our clicking fingers. We thought we had it made. Then SharePoint 2010 introduced us to Windows PowerShell. PowerShell is replacing Stsadm, which is deprecated. The good news is that anything Stsadm can do, PowerShell can do better. Since PowerShell lets us access SharePoint at the object model level, we can make scripts with unprecedented power, things we could only dream of with Stsadm. Want to get a list of all the blog sites in your farm? PowerShell can do that. Want to back up all of your site collections with a single line? PowerShell can do that too. Now that your appetite is whetted, you can look forward to a future issue of this magazine, where we’ll run an article dedicated to PowerShell with SharePoint.

Throttling
Most articles about SharePoint 2010 tell you about all the new things you can do. There are also a few things that SharePoint 2010 won’t let you do anymore. For instance, if you want to load up a list view with 10,000 items in it, well, you can’t anymore. Do you want to overload your server so that form submissions fail? You can’t do that anymore, either. SharePoint has implemented some throttling options to help save users from themselves. We now have large list throttling that will truncate a large list view to 5,000 items to keep users from bogging down SQL Server with large queries or killing their web browser. SharePoint also keeps a close tab on its wellbeing; if it gets too busy, it will pause its timer jobs and reject new connections so that existing connections can be completed. This means that users submitting surveys won’t get their hard work rejected because the server is too busy to handle their requests. Survey users around the world rejoice!

Monitoring
SharePoint 2010 has also expanded its monitoring capabilities. SharePoint 2010 introduces a new database dedicated to the purpose of collecting logging information. This database collects logs—your Unified Logging Service (ULS) trace logs, IIS logs, and even Windows Event Log events—from all the servers in your farm and puts them all in one database. Even better, this database is completely documented, and we can read and write to it. SharePoint 2010 also has a Health Analyzer to monitor different aspects about itself; it alerts administrators when there are problems. It can even fix some problems. It’s a lazy administrator’s dream.

Service Applications
SharePoint Server 2007 had Shared Service Providers (SSPs) that provided common services to web applications. Search, profile import, Excel services, and InfoPath forms are some examples of services the SSP provided. SharePoint 2010 has taken the SSP model and broken it into its individual components. This gives you more flexibility to run the service applications you want. You can also have multiple instances of some service applications if you choose, and now different people can administer the individual service applications. If you want to take your SharePoint 2010 administration to the next level, you can even share individual service applications across farms.

Database Mirroring
SharePoint has become as critical to business these days as email. Since SharePoint lives in SQL Server, making your databases fault tolerant is one step an administrator can take to keep SharePoint from going offline in case there is trouble. If you had your SharePoint 2007 databases mirrored, failing over to your mirrored databases was a completely manual task. SharePoint 2010 has native support for database mirroring. After you have your databases mirrored in SQL Server, SharePoint can fail over automatically without any intervention from an administrator. Less downtime for users, less work for administrators. It’s a classic win-win scenario.
InstantDoc ID 125095
SHAREPOINT MONITORING
w w w. w i n d o w s i t p r o . c o m W e ’r e i n I T w i t h Yo u W i n d o w s I T P r o A U G U S T 2 0 1 0 59
can get large, and it can also experience a lot of disk I/O. If either of these becomes a problem for your Microsoft SQL Server instance, you might consider moving the logging database to its own instance or at least to its own spindles on your default SQL Server instance. Both SQL Server and your users will appreciate it.

SharePoint Health Analyzer
You might have noticed I didn’t start at the top of the Monitoring page in Central Admin and work down. This was by design. I was building anticipation for the big finish, the SharePoint Health Analyzer. If there is any part of SharePoint 2010 that’s magic, this is it.

The Health Analyzer uses XML-based rules combined with timer jobs to periodically scan different aspects of your SharePoint farm and look for problems. When it finds aspects of your farm that violate the rules that are defined, it reports them under the Review problems and solutions link on the Monitoring page. This link not only shows the problems but also the solutions. Each of the rules specifies the error condition and provides an explanation of the problem and a link to the remedy for the problem.

For most of us, our first introduction to the SharePoint Health Analyzer is after installation. Unless you did a very good and thorough scripted installation of SharePoint, the Health Analyzer will show up the first time Central Administration is loaded. You’ll recognize it as a red bar across the top of Central Administration. Clicking the View these issues link takes you to the same page as Review problems and solutions does under the Monitoring section. To fully appreciate the gift we’ve been given with Health Analyzer, let’s look at that page, which Figure 4 shows.

As you can see, the list of problems is a SharePoint list. Because of that, you can subscribe to alerts to that list, or follow it with an RSS feed. Not only is Health Analyzer out there patrolling your perimeter, but it also contacts you when it finds something. When a problem does show up in the list, you have some options. If you click the item, a pop-up window, which you can see in Figure 5, shows a wealth of information. I’ll point out some notable features. First, you can see a good explanation of the problem. There’s also a Remedy section that describes how to fix the problem and an external link with more information. Microsoft really put a lot of work into making sure that administrators have all the information we need to understand and deal with problems when they surface. If the problem is scoped to a particular server, web app, or service, it’s also called out here. The Ribbon at the top also offers a few more options. For all rules, the Reanalyze Now button offers the chance to verify you’ve fixed a problem. This way you don’t have to wait for the next scheduled run for verification.

Some, though not all, rules also have a button labeled Repair Automatically. Click View next to Rule Settings, then Edit Item and select the box next to Repair Automatically. That tells SharePoint to fix this problem any time it comes up. Or you can leave the check box alone and just click the Repair Automatically button when the problem occurs. Not all rules offer this option, which isn’t a bad thing, necessarily. Letting the rule Drives are running out of free space do anything automatically seems a touch scary.

All’s Well on the Farm
SharePoint 2010’s improved monitoring should help overworked and underappreciated administrators keep a better eye on the SharePoint farm. This will free up your time to do things other than fight fires, and you’ll be able to keep your users happy, too. But whatever you do, don’t let it clean up drive space for you automatically—that’s just asking for trouble.

InstantDoc ID 125029

Todd Klindt ([email protected]) is a SharePoint MVP and a consultant working for SharePoint911. When he’s not writing magazine articles, he's speaking at conferences, writing books, or fighting his cats for sunspots on the carpet.

Figure 4: Health Analyzer’s Review problems and solutions page
Figure 5: Health Analyzer pop-up window
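The Repair Automatically setting is worth auditing from the shell rather than one rule at a time in Central Administration, so that a rule which deletes or changes things on the farm is never left to act unattended. The script below is an added example, not from the article or from Microsoft, for the SharePoint 2010 Management Shell: it lists every Health Analyzer rule, flags the ones set to repair automatically, and turns auto-repair off for the drive-space rule the article warns about. Get-SPHealthAnalysisRule is a real SharePoint 2010 cmdlet; the AutomaticExecutionEnabled property and the Update() call used to persist a change are assumptions here about the rule object behind the Repair Automatically check box.

```powershell
# Added example (not from the article). Run in the SharePoint 2010 Management
# Shell as a farm administrator; loads the snap-in if a plain PowerShell host is used.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# One row per Health Analyzer rule: is it enabled, and will SharePoint act on it
# by itself? AutomaticExecutionEnabled is assumed to be the property behind the
# Repair Automatically check box described in the article; Summary carries the
# rule's display text (for example "Drives are running out of free space.").
function Get-HealthRuleReport {
    Get-SPHealthAnalysisRule |
        Select-Object Summary, Enabled, AutomaticExecutionEnabled |
        Sort-Object Summary
}

# Rules that repair automatically deserve review: a self-healing rule changes the
# farm without anyone approving the change, so the list should be short and known.
function Get-AutoRepairRules {
    Get-SPHealthAnalysisRule | Where-Object { $_.AutomaticExecutionEnabled }
}

# Switch auto-repair off for every rule whose display text matches the pattern,
# leaving the rule itself enabled so it still reports. Assumes the rule object
# exposes Update() to persist the change (assumption, see lead-in).
function Disable-AutoRepair {
    param([Parameter(Mandatory = $true)][string]$SummaryPattern)
    $matched = Get-SPHealthAnalysisRule | Where-Object { $_.Summary -like $SummaryPattern }
    foreach ($rule in $matched) {
        if ($rule.AutomaticExecutionEnabled) {
            $rule.AutomaticExecutionEnabled = $false
            $rule.Update()
            Write-Output ("Auto-repair disabled for rule: " + $rule.Summary)
        }
    }
}

# Usage: review the whole list, warn on anything self-repairing, then make sure
# the disk-space rule only reports instead of cleaning drives on its own.
Get-HealthRuleReport | Format-Table -AutoSize
Get-AutoRepairRules | ForEach-Object { Write-Warning ("Repairs automatically: " + $_.Summary) }
Disable-AutoRepair -SummaryPattern "*running out of free space*"
```

Run the report before and after a farm change and keep the output with your change record; a rule that has flipped to automatic repair between two runs is exactly the kind of quiet configuration drift the Health Analyzer list itself will not tell you about.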
NEW & IMPROVED PRODUCTS
PRODUCT SPOTLIGHT

ProStor InfiniVault Offers 1TB RDX Removable Disk Cartridges
ProStor Systems has announced the general availability of its ProStor InfiniVault product line and a newly released 1TB RDX removable disk cartridge. RDX is ProStor’s brand of removable disk-based storage, a growing alternative to tape-based backup solutions. According to an IDC study cited by the vendor, RDX-based storage systems are expected to grow in revenue by 1,400 percent between 2008 and 2012. “The rapid growth and adoption of ProStor InfiniVault and RDX removable disk technology through our global OEMs, valued partners like SSL DV, and end-users like Atlanta Interfaith Broadcasters validates the markets’ universal demand for higher capacity and more scalable data protection solutions—whether on-site or in the cloud,” said Frank Harbist, president and CEO of ProStor Systems. “The availability of 1TB RDX drives is a significant milestone that greatly expands this technology’s fit for data-intensive customer environments and markets.” ProStor’s RDX-based storage systems are resold through a number of large-scale vendors, such as Dell (as RD 1000) and HP (as StorageWorks RDX). “The adoption of RDX technology by all the major computer vendors including Dell, Fujitsu, HP, IBM and Lenovo have validated the growing role of these products in backup and archive environments,” said Henry Baltazar, senior analyst, Storage & Systems for The 451 Group. “With the current disk capacity roadmap, the RDX capacity point is forecasted to surpass many magnetic tape formats by 2011.” To learn more about ProStor’s solutions, visit www.prostorsystems.com.
Specops Upgrades Password Management Products
Specops Software has upgraded its password management products, Password Reset and Password Policy. Password Reset lets users unlock their own Active Directory accounts to reset their passwords without a Help desk call, and Password Policy enforces strong password policies set by your organization. The new versions offer real-time reporting and monitoring of system activity, enrollment of mobile numbers for mobile authentication, and email notification for passwords that are expiring. To learn more or download 30-day trials of either product, visit www.specopssoftware.com.

Symplified Trust Cloud Enhances Amazon EC2
Symplified has announced Symplified Trust Cloud, an identity and access management solution designed for companies using Amazon EC2, Amazon’s cloud platform. Symplified Trust Cloud addresses regulatory compliance, single sign-on, and access management issues on the Amazon platform. It also offers tools for multinational companies to manage various global data governance protocols. Finally, the product removes the need for federation software, according to the vendor. To learn more about Trust Cloud, visit www.thetrustcloud.com.

Aprigo Unleashes SaaS Data Governance NINJA
Aprigo has announced Aprigo NINJA, a Software-as-a-Service (SaaS) data governance application. According to the vendor, “Aprigo NINJA quickly discovers data vulnerabilities, identifies cost saving opportunities, remediates and monitors the environment by alerting of changes, controls data vulnerabilities, and streamlines the fixing of file permissions and access rights.” As a hosted product, NINJA requires no changes to a company’s existing infrastructure and can easily process across sites, according to Aprigo. To learn more or download a free trial, visit www.aprigo.com.

TS1U-B SATA Utilizes USB 3.0
Sans Digital has released a single bay USB 3.0 product, the TowerSTOR TS1U-B. According to the vendor, the TS1U-B provides 10x the data bandwidth of USB 2.0 (up to 5Gb/s). Additionally, the single bay enclosure supports 3.5" SATA hard drives with USB 3.0 interface, and the device is cooled without a fan, so it is quieter than traditional solutions. If your computers do not have USB 3.0 ports, you’ll need a Sans Digital controller card. The TS1U-B costs $59. To learn more, visit www.sansdigital.com.
Lyzasoft Announces Free Version of Lyza in the Cloud
Lyzasoft announced a free version of Lyza Commons, a cloud-based version of Lyza that enables data analysts to mine volumes of data, extract information, and socialize those insights with team members. Lyza Commons integrates with all the leading database solutions and offers a variety of analysis features to focus on trends, specific groups, and anomalies. Finally, Lyza offers a social networking tool to build customer profiles and collaborate on information with your group. To learn more, visit www.lyzasoft.com.

Rebit Offers Automatic Backup on NAS
Rebit has announced NetSmart, a fully automatic backup solution that supports Network Attached Storage (NAS). NetSmart automatically and continuously backs up laptops and PCs to NAS, even as users come and go from the network, according to the vendor. The software behind the automatic backup, called SaveMe, is also available for use with USB hard drives. SaveMe NetSmart starts at $34.95. To learn more, visit www.rebit.com.
Paul’s Picks (www.winsupersite.com)
SUMMARIES of in-depth product reviews on Paul Thurrott’s SuperSite for Windows
Apple iOS 4
PROS: Free; multitasking and folders are important updates; many enterprise features and small niceties
CONS: Not all features are available on older devices; no iPad update yet; no answer to Windows Phone’s integrated apps approach
RATING:
RECOMMENDATION: Apple iOS 4 is a nice update to an already impressive smartphone platform. Even those with more antiquated hardware can take advantage of some of the iOS 4 features, and when you factor in the price—free—and Apple’s aggressive habit of obsolescing old hardware, that's not bad. Apple iOS 4 puts the iDevice world—iPhones, iPod Touches, and, eventually, iPads—on par with what’s happening at Google with Android. Looking ahead, Windows Phone 7 still retains its single important advantage—a rejection of the app-based interface metaphor—and that’s something Apple will need to address by the next-generation iOS release. But when it comes to technical prowess, capability, and usability, iOS 4 really delivers.
CONTACT: Apple • www.apple.com
DISCUSSION: www.winsupersite.com/alt/ios4.asp

Hotmail (2010 Update)
PROS: Free; finally supports Exchange ActiveSync; email de-clutter features really work
CONS: Performance efficiency issues; EAS works only on mobile devices, not PC clients
RATING:
RECOMMENDATION: Microsoft’s popular web mail client almost gets what it needs to take on Google’s excellent Gmail service. Almost. On the good-news front, Hotmail picks up Exchange ActiveSync (EAS) support, allowing it to push-sync email, contacts, and calendars over the air with mobile devices like the iPhone or those based on Google Android. It adopts decent Inbox anti-clutter features that actually work. And it offers nice integration with various Microsoft online services, including Live Photos and, more important to business users, Office 2010 and SkyDrive web storage. On the minus side, Hotmail is still a performance dog compared to Gmail, and it’s slow to update the Inbox with new messages. It’s also less efficient, with annoying interim screens that pop up after responding to messages. Too, Hotmail’s ads are a lot heavier than what Google offers. It’s a mixed bag: The new Hotmail is good enough to retain existing users but not good enough for most Gmail users to consider switching.
CONTACT: Microsoft • www.microsoft.com
DISCUSSION: www.winsupersite.com/live/hotmail.asp
InstantDoc ID 125451
Best of TechEd 2010
AWARD WINNERS by Jason Bovberg

In the heart (and heat) of New Orleans, we narrowed an impressive field of nearly 300 submissions down to 14 winners

Microsoft TechEd was a wild, jazzy, hot, humid affair this year in New Orleans, and Windows IT Pro and SQL Server Magazine’s editors were in the spirit when they recognized this year’s Best of TechEd Award winners. The team interviewed the finalists and evaluated the products to determine a final list of winners. As always, the three criteria for the judging process were strategic importance, competitive advantage, and value to customers. Show attendees also cast their votes to determine the winner of the prestigious Attendees’ Pick Award. We would like to congratulate our 2010 winners!

Backup & Recovery: Symantec—Backup Exec 2010
Backup Exec 2010 wins because of the exciting new energy poured into version 2010 (the fastest-adopted version of the tool ever). With new integrated features such as data deduplication, archiving, OST-based management features, and granular restore technology—all leveraging powerful Symantec technologies and teams—Backup Exec 2010 expands its horizons while becoming extremely user-friendly and community-aware.

Business Intelligence: Dundas Data Visualization—Dundas Dashboard 2.0
Dundas is back with Dundas Dashboard 2.0! The company, well known for its wide array of components, came on strong with the new version of its web-based platform for digital dashboard creation, integration, and delivery. This version—leveraging Silverlight 4.0 and offering OLAP capabilities, SharePoint integration, customization and extensibility, DashFlow-streamlined development, Key Performance Indicator (KPI) mashups, and more—is sure to please the business intelligence (BI) community.

Database Administration: Idera—SQL toolbox
Idera, a finalist last year with its fine SQL admin toolset, wins this year with a cost-effective uber-toolset (SQL toolbox) that includes the admin toolset (with its 24 tools, plus three more offerings—SQL comparison toolset, SQL safe lite, and SQL virtual database). The virtual database is a unique product that lets administrators recover data from backup files without doing a restore. DBAs can use that virtual database in as many ways as their imaginations allow—reporting, data extraction, data analysis, and more.

Database Development: Quest Software—Toad for SQL Server 4.6
Toad for SQL Server is the Swiss Army knife of development tools. This product won because it offers an incredibly wide range of functionality, including IntelliSense, group server query execute for running queries on multiple servers, and an advanced SQL optimizer to analyze alternative SQL statements, as well as server, database, and data-comparison tools.

Developer Tools: AVIcode—Intercept Studio 5.6
AVIcode’s Intercept Studio wins for its end-to-end web application troubleshooting tools. The new release offers a unique web application capture feature and full support for troubleshooting the performance of SharePoint applications.

Hardware & Storage: Brocade—Brocade DCX-4S Backbone
The Brocade DCX-4S Backbone network switching platform wins for its robust focus on the evolving data center. Extremely scalable and reliable—far surpassing “five 9s” and entering the realm of “six and seven 9s”—the DCX-4S is a powerhouse that will grow with any business, bringing authoritative focus to the storage network. A future-aware multiprotocol architecture and intelligent traffic management functionality cap off an impressive backbone.

Messaging: Argent Software—Argent for Exchange 2.0
Argent for Exchange is both automated and highly customizable. Argent Software’s round-the-clock support, quarterly updates to customers, and ability to monitor Exchange transport, storage, traffic logs, and account rules (among others)—through PowerShell, Exchange Management Shell, WMI, and classic Windows APIs—offer a strong value proposition to customers.

Microsoft Product: Microsoft—Visual Studio 2010
Visual Studio 2010 raises the standard for development tools, providing new native WPF support, support for multiple monitors, a new historical debugging capability, and significantly enhanced SharePoint development and deployment capabilities.

Networking: A10 Networks—64-bit AX Series
The 64-bit AX Series wins this award because of its innovative approach to network load balancing, high availability, and health monitoring. A10 Networks strives to “monitor the water, not the plumbing.” Site-level and global-level geographic redundancy—through a uniquely flexible architecture—provide for a truly scalable solution that boasts excellent security and 64-bit performance.

Security: Symantec—Symantec Endpoint Protection Small Business Edition 12
Symantec Endpoint Protection Small Business Edition 12 provides smaller businesses with a centrally managed security system similar to what enterprises have, but with a price and ease of use suited to SMBs. This product won because of its focus on a market where there have been few choices for small businesses that need suites with these kinds of features.

SharePoint: Quest Software—Site Administrator for SharePoint 4.0
In the explosive SharePoint market, Quest’s Site Administrator for SharePoint 4.0 is a winner because it provides administrators (and “accidental” SharePoint admins) a comprehensive means to take control of their burgeoning SharePoint environments. This product offers tools that provide centralized administration, discovery, site and content browsing, data collection and reporting, global policy and permissions management, and audit data collection and reporting.

Software Components & Middleware: Telerik—Telerik Ultimate Collection for .NET 2010
The Telerik Ultimate Collection provides a complete set of WinForms, ASP.NET, and Silverlight Controls. This product also supports the OpenAccess data access framework and WebUI Test Studio for testing web applications.

Systems Management & Operations: ScriptLogic—Active Administrator 5.5
For businesses that rely on Active Directory (AD), Active Administrator is the go-to choice. With the functions of several other products built into one, it’s a leader in AD management. This product won because, as we all know, AD administration is a big task in many shops, and this single product covers what most of these shops need.

Virtualization: VMware—VMware vSphere 4
Industry-standard VMware vSphere 4 won this award because it’s a mature, stable, well-known technology that continues to be an essential component of a large percentage of IT shops.

Breakthrough Product: Citrix Systems—XenDesktop 4
Although Virtual Desktop Infrastructure (VDI) isn’t even mainstream yet, Citrix Systems is already working to expand what the phrase “virtual desktop” means. This product wins as breakthrough product because Citrix Systems is providing easy and powerful virtual desktops, and there’s a good chance that will be the future of IT.

Attendees’ Pick: VMware—VMware vSphere 4
VMware vSphere 4 also took the coveted Attendees’ Pick award this year. VMware’s support for private and public clouds, added to its well-respected features, has ensured the company a continuing place in many environments.

InstantDoc ID 125376

Photo captions: Idera takes the prize. The Best of TechEd: 1. A10 gets the nod. 2. Argent is all smiles. 3. Quest is looking proud. 4. Brocade seals the deal.
PRODUCTS REVIEW
Tony Bieda | [email protected]
Corner Bowl Disk Monitor 2010

Mounting piles of data—common in the corporate environment—can easily bury an organization’s servers. Storage is inexpensive, but data management, data tiering, and backup can be costly. Server space hogs such as image-based backup files and videoconferencing data can quickly overtake network drive space. Corner Bowl Disk Monitor helps keep tabs on data by monitoring drive-space usage, directories and files, and SMART drive health. In addition to monitoring and reporting, an easy-to-configure and easy-to-schedule feature is also included for deleting profile or Windows temp files.

The program’s opening view features four tabs for configuration in a Microsoft Outlook–style user environment: Disk Explorer, Disk Monitors, Directory Monitors, and Reports and Views. Machines chosen for monitoring can be either mapped manually or added via Active Directory (AD) integration. Within a few minutes of opening the program, you can analyze a problematic server for disk-space concerns by, for example, reviewing the 25 largest files and directories taking up most of the storage space. Doing so lets you reduce the space used on the server. The system is fast: Scanning a 40GB partition took less than a minute over a 100Base-T network.

The program’s Disk Monitors are very useful, letting you monitor disk space used by the administration shares and the Windows shares. A wizard-based approach makes it easy to add new monitors. The alerting capabilities are flexible, and they’re separately configurable for warning and critical alert thresholds. Alerts for disks/shares or directories can be logged to email, event logs, files, message boxes, SNMP traps, sounds, or Syslog. Additional historical data can be stored as text files or logged to a Microsoft SQL Server or MySQL database. In addition to logging, a process can also be launched to fix the condition.

The numerous alerts include default options for when storage grows by more than a preset size or percentage, or when the free space drops below a certain percentage. These options are helpful since IIS log files, SQL Server backups, and disk-to-disk backups can sometimes routinely fill up local disks. There are several practical uses for these alerts, such as monitoring FTP folders for when a large file is added or tracking server disk space before it reaches critically low levels. The email alerts are the most useful. The graphical HTML email messages are easy to read and decipher; they feature graphs and a text breakdown of the state of the share or drive, as you can see in Figure 1. You can use a custom HTML template, as well.

Further digging into the product reveals a feature for viewing access permissions by any of the NTFS permission levels. This feature is handy not only for compliance purposes but also for configuration purposes. The access permission is selectable based on all NTFS permissions. A few quick clicks, and you can ensure that sensitive data has the correct permissions applied.

The Directory Monitors functionality is broken down into two components—the Directory Size Monitor and the Directory Watcher—that detect when certain types of files are added to a directory. You can define a Directory Size Monitor to check for increases in directory size when the size exceeds a certain amount, when it changes in size, or even when the directory changes. The functionality is granular and can be set on a per-directory basis for monitoring, even when you’ve configured the wizard to monitor only a parent directory. The Directory Watcher lets you break down your analysis to changed, created, deleted, and renamed files by file masks. This capability is useful for compliance purposes because it logs or alerts you to changes in directories.

The Reports and Views module is less polished than the rest of the program. Reports come in four different templates: Disk Summary, Directory Summary, File Access, and Duplicate Files. For reporting, a server must be part of a disk monitor or directory monitor. This approach is less than ideal if you simply want to analyze network space on the fly for a particular server.

As you become accustomed to the product, you’ll find more uses for it. However, defining too many alerts will quickly overwhelm your email. Also, I found it difficult to view all the different disk and directory monitors on a per-server basis. But after using Corner Bowl Disk Monitor for several weeks, I saved numerous hours of research time by quickly developing an alert or cleanup job using the disk monitor.
InstantDoc ID 125428
Corner Bowl Disk Monitor 2010
PROS: Easy to install and configure; wide range of monitoring features; flexible alerting options; customizable
CONS: Unintuitive report development; difficult to track multiple configurations of disk monitors and disk alerts per server
RATING:
PRICE: Starts at $29 for one computer; $99 to monitor 20 computers from a desktop; $269 to monitor 50 disks with one server license
RECOMMENDATION: Corner Bowl Disk Monitor 2010 automates routine scans of drives and directories and is extremely configurable at the most granular storage levels. Setup simplicity and excellent support make this an easy recommendation, despite some caveats.
CONTACT: Corner Bowl Software • 866-501-8670 • www.diskmonitor.com
Figure 1: Graphical HTML email alert
THE CONVERSATION BEGINS HERE
800.505.1201 • 203.400.6121 • www.WinConnections.com
KEVIN LAAHS, HP
JEREMY MOSKOWITZ, MOSKOWITZ, INC
MIKE DANSEGLIO, MICROSOFT
ALAN SUGANO, ADS CONSULTING GROUP
MARK MINASI, MR&D
DON JONES, CONCENTRATED TECHNOLOGY
STEVE RILEY, AMAZON WEB SERVICES
RHONDA LAYFIELD, CONSULTANT/TRAINER
CHRIS AVIS, MICROSOFT
PAUL ROBICHAUX, TRAINER/AUTHOR
TONY REDMOND, TONY REDMOND AND ASSOCIATES
KIERAN MCCORRY, HP
QUESTIONS ANSWERED • STRATEGY DEFINED • RELATIONSHIPS BUILT
EARLY BIRD DISCOUNT! Register by July 29 and book a minimum of three nights at Mandalay Bay and you’ll receive a $100 Mandalay Bay Gift Certificate and save $100 off conference registration!
NOVEMBER 1-4, 2010
LAS VEGAS • MANDALAY BAY RESORT & CASINO
WinConnections ... Providing the vision+intelligence to keep you and your company competitive in today’s market!
Only Microsoft and Industry Experts speak at WinConnections! A sampling of our speakers ...
Schedule at a Glance

MONDAY, NOVEMBER 1, 2010
7:30 am Registration Opens
9:00 am - 4:00 pm Pre-conference Workshops

TUESDAY, NOVEMBER 2, 2010
7:00 am - 5:00 pm Conference Registration
7:30 am - 8:30 am Continental Breakfast
8:30 am - 10:00 am Keynote
10:00 am - 11:00 am Expo Hall Open
11:00 am - 12:15 pm Conference Sessions
12:15 pm - 1:45 pm Lunch
1:45 pm - 6:15 pm Conference Sessions

WEDNESDAY, NOVEMBER 3, 2010
7:00 am - 5:00 pm Conference Registration
7:00 am - 8:00 am Continental Breakfast
8:00 am - 9:15 am Keynote
9:15 am - 11:45 am Expo Hall Open
10:15 am - 1:00 pm Conference Sessions
1:00 pm - 2:30 pm Lunch
2:30 pm - 5:15 pm Conference Sessions
5:15 pm - 6:45 pm Expo Hall Reception
6:30 pm - 7:30 pm Vendor Sessions

THURSDAY, NOVEMBER 4, 2010
7:00 am - 8:00 am Continental Breakfast
8:00 am - 1:00 pm Conference Sessions
10:30 am - 2:30 pm Expo Hall
1:00 pm - 2:30 pm Lunch
2:15 pm Cruise Raffle
2:30 pm - 3:30 pm Conference Sessions
4:00 pm - 4:30 pm Closing Session & Prize Drawing

FRIDAY, NOVEMBER 5, 2010
9:00 am - 4:00 pm Post-conference Workshops
JOIN THE CONVERSATION

CONFERENCE AND EXPO INCLUDES:

Your Conference & Expo registration includes:
■ Three Continental Breakfasts
■ Three Lunches
■ Reception
■ Conference T-Shirt and Bag
■ Proceedings Resource CD … and more

Exchange and Windows Connections registration includes a one-year (12 issues) print subscription to Windows IT Pro magazine for Exchange and Windows conference attendees only. Current subscribers will have an additional 12 months added to their subscription. Subscriptions outside of the United States will be served in digital; $12.50 of the funds will be allocated toward a subscription to Windows IT Pro ($49.95 value)

SharePoint Connections registration includes a print subscription (4 issues: Nov, March, June, Sept) to SharePointPro-Connections magazine for SharePoint and Windows conference attendees only. Current subscribers will have an additional one year (4 issues) added to their subscription. Subscriptions outside of the United States will be served in digital.

KEYNOTES
MARK MINASI, MR&D
STEVE RILEY, Amazon Web Services
TONY REDMOND, Tony Redmond and Associates
STEVE FOX, Microsoft
Check online for speaker bios and additional keynotes to be announced.

CRUISE GIVEAWAY
Enter to WIN! Enter the contest in the Expo Hall to WIN a 1 week Caribbean Cruise for two! You must be present in the Expo Hall at the time of the drawing to win.
WINDOWS CONNECTIONS, FALL 2010: LEARN TO DO MORE WITH LESS!

WINDOWS CONNECTIONS brings you the top names from today’s IT industry… the most well-known experts, delivering the most hard-hitting sessions that help you solve today’s IT challenges and prepare for tomorrow.

We know that today’s IT professionals are being asked to do more, with less, and we want to help. We assembled a business-focused group of technology experts, to bring you the answers to your technology questions. You’ll find original content specifically crafted to help you succeed in today’s business technology environments, organized around five key focus areas:

■ Virtualization
■ Windows 7
■ Windows Server 2008 R2
■ Business, not “Information,” Technology
■ Build Your Skill Set - and Your Resume

THE CONVERSATION STARTS WITH YOU

EXCHANGE CONNECTIONS FALL 2010: GET THE STRAIGHT SCOOP

Messaging and collaboration technologies move at a dizzying pace. Microsoft and its ecosystem partners are continually releasing new software, hardware, procedures, and updates that make the world of Unified Communications ever more complicated. What's the best way to keep up? Come to Exchange Connections to get the answers you need! Our sessions cover using Exchange and other related products in the real world: deploying, managing, and maintaining Microsoft’s Exchange and OCS products in your business to get the functionality you need.

This year, we’re going deep on Exchange 2010, including coverage of deployment and information protection, as well as the new features to expect in SP1. We’ll be delving into discussions of how to integrate Exchange with SharePoint (and other collaboration solutions), as well as exploring the best way to make use of Unified Communications in your organization. If you’re still running Exchange 2003 or Exchange 2007, don’t worry—we're covering them too, with content to help you make the most out of your existing investments and to prepare for the future, whether it's on Exchange 2010 or Microsoft's Business Productivity Online Services (BPOS) cloud offering.

SHAREPOINT CONNECTIONS, FALL 2010: GET A HEAD START ON THE NEW VERSION

Leading SharePoint experts from Microsoft and from the field have teamed up to bring to you the knowledge you need to succeed with SharePoint 2010.

IT PROS! Come hear Dan Holme, Michael Noel and others lay out the best practices for installing, upgrading, configuring, securing, and managing SharePoint 2010. Go beyond the hype and dive deep into what it takes to successfully deploy SharePoint 2010 in the real world.

DEVELOPERS! Come hear Andrew Connell, Ted Pattison, Scot Hiller and others provide guidance on how to best customize and extend your SharePoint 2010 investments using the new data access methods on the server (LINQ) and off the server (client object model), leveraging Silverlight, working with data that does not live within SharePoint with the new Business Connectivity Services.

SOLUTIONS! Join Asif Rehmani and special guest speakers from our IT Pro and Developer tracks as they unveil the big-win solutions that SharePoint delivers, out-of-the-box. Learn to create high-value, no-code solutions with tools like SharePoint Designer, InfoPath, SharePoint Workspaces, Excel and Access Services, and Office Web Apps. Discover what you can do to automate processes and deliver the composite and collaboration solutions that your users are demanding.

THE CONVERSATION STARTS ON NOVEMBER 1.
Come to Las Vegas and participate in the IT Professionals community! Meet other professionals in sessions, in the expo hall, and at conference events. This is your chance to network and make those personal connections with conference speakers, the product teams from Microsoft plus our sponsors and vendors. Round out your professional educational experience with great evening entertainment available only in Las Vegas!
Schedule at a Glance

MONDAY, NOVEMBER 1, 2010
7:30 am Registration Opens
9:00 am - 4:00 pm Pre-conference Workshops

TUESDAY, NOVEMBER 2, 2010
7:00 am - 5:00 pm Conference Registration
7:30 am - 8:30 am Continental Breakfast
8:30 am - 10:00 am Keynote
10:00 am - 11:00 am Expo Hall Open
11:00 am - 12:15 pm Conference Sessions
12:15 pm - 1:45 pm Lunch
1:45 pm - 6:15 pm Conference Sessions

WEDNESDAY, NOVEMBER 3, 2010
7:00 am - 5:00 pm Conference Registration
7:00 am - 8:00 am Continental Breakfast
8:00 am - 9:15 am Keynote
9:15 am - 11:45 am Expo Hall Open
10:15 am - 1:00 pm Conference Sessions
1:00 pm - 2:30 pm Lunch
2:30 pm - 5:15 pm Conference Sessions
5:15 pm - 6:45 pm Expo Hall Reception
6:30 pm - 7:30 pm Vendor Sessions

THURSDAY, NOVEMBER 4, 2010
7:00 am - 8:00 am Continental Breakfast
8:00 am - 1:00 pm Conference Sessions
10:30 am - 2:30 pm Expo Hall
1:00 pm - 2:30 pm Lunch
2:15 pm Cruise Raffle
2:30 pm - 3:30 pm Conference Sessions
4:00 pm - 4:30 pm Closing Session & Prize Drawing

FRIDAY, NOVEMBER 5, 2010
9:00 am - 4:00 pm Post-conference Workshops
JOIN THE CONVERSATION

KEYNOTES
MARK MINASI, MR&D
STEVE RILEY, Amazon Web Services
TONY REDMOND, Tony Redmond and Associates
STEVE FOX, Microsoft
Check online for speaker bios and additional keynotes to be announced.

CRUISE GIVEAWAY
Enter to WIN! Enter the contest in the Expo Hall to win a 1 week Caribbean Cruise for two! You must be present in the Expo Hall at the time of the drawing to win.

CONFERENCE AND EXPO INCLUDES:
Your Conference & Expo registration includes:
■ Three Continental Breakfasts
■ Three Lunches
■ Reception
■ Conference T-Shirt and Bag
■ Proceedings Resource CD … and more

Exchange and Windows Connections registration includes a one-year (12 issues) print subscription to Windows IT Pro magazine for Exchange and Windows conference attendees only. Current subscribers will have an additional 12 months added to their subscription. Subscriptions outside of the United States will be served in digital; $12.50 of the funds will be allocated toward a subscription to Windows IT Pro ($49.95 value).

SharePoint Connections registration includes a print subscription (4 issues: Nov, March, June, Sept) to SharePointPro-Connections magazine for SharePoint and Windows conference attendees only. Current subscribers will have an additional one year (4 issues) added to their subscription. Subscriptions outside of the United States will be served in digital.

November 1-4, 2010 I Las Vegas, NV I Register Today! I 3
WINDOWS CONNECTIONS, FALL 2010: LEARN TO DO MORE WITH LESS!

WINDOWS CONNECTIONS brings you the top names from today’s IT industry… the most well-known experts, delivering the most hard-hitting sessions that help you solve today’s IT challenges and prepare for tomorrow.

We know that today’s IT professionals are being asked to do more, with less, and we want to help. We assembled a business-focused group of technology experts to bring you the answers to your technology questions. You’ll find original content specifically crafted to help you succeed in today’s business technology environments, organized around five key focus areas:
■ Virtualization
■ Windows 7
■ Windows Server 2008 R2
■ Business, not “Information,” Technology
■ Build Your Skill Set - and Your Resume
THE CONVERSATION STARTS WITH YOU

THE CONVERSATION STARTS ON NOVEMBER 1. Come to Las Vegas and participate in the IT Professionals community! Meet other professionals in sessions, in the expo hall, and at conference events. This is your chance to network and make those personal connections with conference speakers, the product teams from Microsoft plus our sponsors and vendors. Round out your professional educational experience with great evening entertainment available only in Las Vegas!

SHAREPOINT CONNECTIONS, FALL 2010: GET A HEAD START ON THE NEW VERSION

Leading SharePoint experts from Microsoft and from the field have teamed up to bring to you the knowledge you need to succeed with SharePoint 2010.
IT PROS! Come hear Dan Holme, Michael Noel and others lay out the best practices for installing, upgrading, configuring, securing, and managing SharePoint 2010. Go beyond the hype and dive deep into what it takes to successfully deploy SharePoint 2010 in the real world.
DEVELOPERS! Come hear Andrew Connell, Ted Pattison, Scot Hiller and others provide guidance on how to best customize and extend your SharePoint 2010 investments using the new data access methods on the server (LINQ) and off the server (client object model), leveraging Silverlight, and working with data that does not live within SharePoint with the new Business Connectivity Services.
SOLUTIONS! Join Asif Rehmani and special guest speakers from our IT Pro and Developer tracks as they unveil the big-win solutions that SharePoint delivers out-of-the-box. Learn to create high-value, no-code solutions with tools like SharePoint Designer, InfoPath, SharePoint Workspaces, Excel and Access Services, and Office Web Apps. Discover what you can do to automate processes and deliver the composite and collaboration solutions that your users are demanding.

EXCHANGE CONNECTIONS FALL 2010: GET THE STRAIGHT SCOOP

Messaging and collaboration technologies move at a dizzying pace. Microsoft and its ecosystem partners are continually releasing new software, hardware, procedures, and updates that make the world of Unified Communications ever more complicated. What's the best way to keep up? Come to Exchange Connections to get the answers you need! Our sessions cover using Exchange and other related products in the real world: deploying, managing, and maintaining Microsoft’s Exchange and OCS products in your business to get the functionality you need.

This year, we’re going deep on Exchange 2010, including coverage of deployment and information protection, as well as the new features to expect in SP1. We’ll be delving into discussions of how to integrate Exchange with SharePoint (and other collaboration solutions), as well as exploring the best way to make use of Unified Communications in your organization. If you’re still running Exchange 2003 or Exchange 2007, don’t worry: we're covering them too, with content to help you make the most out of your existing investments and to prepare for the future, whether it's on Exchange 2010 or Microsoft's Business Productivity Online Services (BPOS) cloud offering.
2 I Register Today! Call 800-505-1201 I www.WinConnections.com
F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:04 PM Page 2
MICROSOFT EXCHANGE SESSIONS

EXC04: CAS 2010 – MORE FOOD FOR THOUGHT
KEVIN LAAHS
The Client Access Server (CAS) plays a bigger role in Exchange 2010 environments than it does in Exchange 2007. While it still supports Outlook Web Access (OWA), ActiveSync, Web Services and Outlook Anywhere, there are some fundamental changes that affect the way you architect Exchange environments. This session looks at major architectural changes (such as the RPC Client Access service) as well as the features delivered by the likes of OWA (even to Firefox and Safari browsers!) and ActiveSync, such as the ability to send and receive text messages from Outlook/OWA.

EXC24: CLOUD-PROOFING YOUR CAREER
PAUL ROBICHAUX
You can’t throw a poker chip around an IT department without hitting someone who’s interested in cloud services – but where does that leave the on-premises admins? Can you take effective steps to cloud-proof your job? What kinds of things should you be doing to build a protective umbrella of your own value to help you if the clouds come to your office? This session will offer some practical tips to help you weather cloudy times.

EXC18: COMMUNICATIONS SERVER 2010: WHAT’S NEW AND IMPROVED?
LEE MACKEY
This session will walk you through the versions of Communications Server that led up to Communications Server 14, starting with Live Communications Server 2005 and continuing through OCS 2007 and R2. We’ll talk about what’s new and improved in CS 14, design considerations, changes to the hardware currently required, and the new pieces that will help build a better ROI for your organization. We’ll also talk through the various partners you might want to work with to improve your overall cost to deploy and support an environment running CS 14.

EXC07: EXCHANGE 2010 DEPLOYMENT AND MIGRATION BEST PRACTICES
KIERAN MCCORRY
Exchange 2010 is yet another version of Exchange. Its architecture and topology are similar to those introduced with Exchange 2007, but there are some important changes and restrictions on interoperability that any organization in the early stages of planning a move to Exchange 2010 should be aware of. This session will give an overview of the best practices for Exchange 2010 deployment and focus on the interoperability and migration aspects from previous versions of Exchange.

EXC08: EXCHANGE 2010 INFORMATION PROTECTION AND RETENTION
KIERAN MCCORRY
Exchange 2010 brings with it the most comprehensive set of Exchange features yet from Microsoft to help you safeguard and protect your data and control where it goes in your Exchange organization. This new version has sophisticated rules for controlling information flows within the organization and taking actions when certain events occur. In addition, Exchange 2010 has a completely revamped model for information retention and archiving by means of the Online Archive. This session will describe those new features and explain what they mean for you as a system administrator and for your users as information workers.

EXC09: EXCHANGE 2010 SERVICE PACK 1
KIERAN MCCORRY
There’s nothing like waiting for the first service pack before looking in earnest at a new product deployment. Exchange 2010 Service Pack 1 brings a host of improvements and enhancements to the core platform. In this session, we’ll see what comes with the update and why it makes sense to think about deploying Exchange now that SP1 is here.

EXC05: EXCHANGE 2010, OFFICE 2010 AND SHAREPOINT 2010 – BETTER TOGETHER?
KEVIN LAAHS
What integration points exist between SharePoint 2010, Office 2010 and Exchange 2010? Does the combination of these three flagship products (and others such as OCS) bring any new opportunities for my overall environment? And what about the existing integration points that were there in the 2007 suite of products? Are they still available? In this session, we answer the numerous questions in this abstract!

EXC20: FAULT TOLERANT CLIENT ACCESS SERVERS FOR SMALL AND MEDIUM SIZED BUSINESS
BRIAN REID
It is easy to see the benefits of a highly available CAS infrastructure for large Exchange Server 2010 deployments, but what about the majority of businesses who are in the small to medium business category? This session will cover why you should consider building your Exchange infrastructure to include high availability for CAS. You will learn to build your Exchange infrastructure with recovery and growth in mind. Building for high availability, even for small/medium businesses, brings many benefits. In the event of a failure of an Exchange server, having considered a highly available infrastructure will reduce your recovery time.

EXC06: FEAR WEB SERVICES NO MORE – HOW ADMINISTRATORS AND END USERS CAN EASILY LEVERAGE EXCHANGE WEB SERVICES
KEVIN LAAHS
PowerShell is often considered within the realm of IT administrators, whereas Web Services is firmly in the developer camp – and usually, never the twain shall meet! But now the combination of PowerShell and Exchange Web Services can be harnessed by end users to build and run scripts to manage mailbox data on desktop machines. This session shows IT administrators how friendly Web Services can be, and how you can easily leverage them to automate many operations in your Exchange environment.

EXC01: GOING BIG! DEPLOYING LARGE MAILBOXES WITH MICROSOFT EXCHANGE SERVER 2010 WITHOUT BREAKING THE BANK
KARL ROBINSON
With each new generation of Microsoft Exchange, features are added and Exchange is further refined in its capabilities as an email system. Exchange Server 2010 enables the use of multiple storage options in its deployment, and allows you to provide large mailboxes at a lower cost. Will it work in your environment? Are you hesitant to increase mailbox sizes due to challenges around storage? How do you know when to use a specific type of storage? Do you need to enable Exchange high availability when using a JBOD configuration? Can you really use SATA disks with Exchange? If you want the answers to these questions, be sure to attend this session.

EXC22: HEY! YOU! GET OFF MY CLOUD!
PAUL ROBICHAUX
Cloud services are great – some of the time. Unfortunately, there’s too much hype and hot air surrounding cloud-based messaging and collaboration services, so it’s hard to see what’s real and what’s not. In this session, you’ll gain a clear understanding of what cloud vendors aren’t telling you about retention, regulatory compliance, maintenance, migration, and coexistence. Come learn about the pros and cons of cloud-based and hybrid Exchange deployments so you’ll be prepared for the inevitable questions.

EXC10: HIGH AVAILABILITY FOR SMALL AND MEDIUM-SIZED BUSINESSES WITHOUT THE HIGH COST
JIM MCBEE
In older versions of Exchange, achieving high availability and site resiliency usually entailed having four or more servers, third-party products and/or additional storage technologies. Clustering in Exchange Server 2010 has evolved into database availability groups (DAGs). Unlike previous versions, where availability and databases are tied to specific servers, with DAGs each database can be made active on any server within the availability group. This session will cover using Exchange Server 2010 in a small or medium-sized business (under 1,000 users) that wants to achieve high availability and/or site resilience using only two Exchange 2010 servers. Topics include database availability groups, Client Access arrays, and providing high availability for the message transport when using two-server DAGs.

EXC15: LOAD BALANCING YOUR EXCHANGE DEPLOYMENT
DEVIN L. GANGER
When it comes to highly available Exchange deployments, a lot of attention is focused on the Mailbox role. As the CAS role in Exchange 2007 and Exchange 2010 takes over more of the client connections, load balancing incoming connections at the CAS and Hub Transport becomes more important to successful Exchange deployments. This session, drawn from real-world examples, examines the requirements, caveats, and best practices available for designing appropriate load balancing solutions for Exchange 2007 and 2010 deployments. It compares Windows Network Load Balancing, software load balancers, and hardware load balancers. We recommend you take this session in conjunction with the session: The RPC Client Access Array: The Missing Piece of Exchange HA.

EXC23: MICROSOFT ADVANCED CERTIFICATIONS: BEYOND THE BRAIN DUMP
PAUL ROBICHAUX
Certification is more important than ever – but how do you prove to employers that you’re more than a run-of-the-mill MCSE or MCITP? Microsoft’s solution is to offer more advanced certifications like the Microsoft Certified Master (MCM) and Microsoft Certified Architect (MCA) programs. They’re expensive and intensive – but are they worth it? In this session, Paul Robichaux (who teaches in the MCM Exchange program) will bring you up to speed on these certifications and discuss their costs and benefits. (Special guest appearances by current MCMs are likely, so be prepared!)

EXC02: MICROSOFT EXCHANGE SERVER 2010: SIZING AND PERFORMANCE – GET IT RIGHT THE FIRST TIME
KARL ROBINSON
Microsoft Exchange is a mission-critical infrastructure staple in organizations of all sizes. As an application that demands high levels of the "-abilities" (availability, reliability, scalability, etc.) and has stringent resource demands, the sizing process is critical to ensuring a healthy production environment. Sizing Exchange 2010, which introduces a new replication and resiliency model (DAGs), a personal archive, and dramatic I/O reductions, radically changes the approach to storage design. Enhancements and new functionality hosted in the Client Access server, support for role consolidation on a single server, and optimization for software + services models bring similar challenges when designing servers. This session addresses sizing and performance tuning methodology, and a time-tested approach for applying this methodology to your environment. The session covers key enabling hardware advancements such as x64 architectures, multi-core processors, and SATA, SAS and SSD disk technology, and how these technologies will play a key role moving forward with Exchange 2010. Finally, the session provides rules of thumb, based jointly on HP characterization testing and HP/Microsoft best practices, for sizing the key server roles and technologies associated with typical Exchange 2010 deployments.

EXC11: MIGRATING TO EXCHANGE 2010 FROM EXCHANGE 2003
JIM MCBEE
This session will cover the practical aspects of migrating from Exchange Server 2003 to Exchange 2010, including meeting the necessary prerequisites, interoperability, and potential showstoppers. Topics include factors to evaluate before migrating, the steps necessary to prepare your organization, mail routing, web client redirection, moving public folder content, and moving mailbox data.

EXC21: MODERATED EMAILS – THE GOOD, THE BAD AND THE UGLY
BRIAN REID
There can be significant impacts when inappropriate emails are sent to the wrong distribution group, or off-subject emails are sent to specific mailboxes. With moderation implemented correctly you can remove these issues from your business. This session will look at how to configure moderation in Exchange 2010, and how to implement it in an organization where Exchange 2010 coexists with legacy Exchange versions.

EXC14: OUTLOOK: MAC 101
BILL SMITH
NADYNE RICHMOND
Office:Mac 2011 brings Outlook to the Mac. What can your Mac users expect of this new application? What can you as the Exchange admin expect from it? Learn how Outlook:Mac fits into your Exchange environment, and see a side-by-side comparison of Outlook 2010 for Windows and Outlook:Mac 2011.

EXC12: OUTSOURCED E-MAIL: IS IT FOR MY ORGANIZATION?
JIM MCBEE
Depending on whose marketing material you read, EVERYONE should outsource their e-mail to a hosted provider. There are definitely advantages to this approach including significant cost savings,
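For the moderation configuration that session EXC21 above covers, the following Exchange Management Shell script is an added example; it is not from the brochure or the presenter. It enables moderation on a distribution group, pins group expansion to an Exchange 2010 Hub Transport server so legacy servers in a coexistence organization cannot bypass the moderator, and verifies the result. The group, moderator, exempt sender and server names are assumptions for illustration.

```powershell
# Added example, not from the brochure or the EXC21 session: enable and
# verify moderation on an Exchange 2010 distribution group. The group,
# moderator, exempt sender and Hub Transport server names are assumptions.
$groupName  = 'Staff-All'                    # assumption
$moderators = 'comms.manager@contoso.com'    # assumption
$exempt     = 'ceo@contoso.com'              # assumption
$hub2010    = 'EX2010HUB01'                  # assumption: an Exchange 2010 Hub Transport server

# Hold every message to the group until a moderator approves it. Senders
# listed in -BypassModerationFromSendersOrMembers go straight through.
# With -SendModerationNotifications Internal, only internal senders are
# told when a message is rejected; external senders get no notice at all.
Set-DistributionGroup -Identity $groupName `
    -ModerationEnabled $true `
    -ModeratedBy $moderators `
    -BypassModerationFromSendersOrMembers $exempt `
    -SendModerationNotifications Internal

# Coexistence caveat: moderation is applied by the Exchange 2010 transport
# categorizer. If the group is expanded on an Exchange 2003 or 2007 server,
# the moderation check never runs, so pin expansion to a 2010 Hub Transport.
Set-DistributionGroup -Identity $groupName -ExpansionServer $hub2010

# Returns $true only when all three settings that make moderation
# effective are present: enabled, at least one moderator, 2010 expansion.
function Test-GroupModeration {
    param([string]$Identity)
    $g = Get-DistributionGroup -Identity $Identity
    return ($g.ModerationEnabled -and
            $g.ModeratedBy.Count -gt 0 -and
            -not [string]::IsNullOrEmpty($g.ExpansionServer))
}

# Show the effective configuration and flag an incomplete one
Get-DistributionGroup -Identity $groupName |
    Format-List Name, ModerationEnabled, ModeratedBy,
                BypassModerationFromSendersOrMembers,
                SendModerationNotifications, ExpansionServer
if (-not (Test-GroupModeration -Identity $groupName)) {
    Write-Warning "Moderation on $groupName is not fully configured"
}
```

Run this from an Exchange Management Shell on an Exchange 2010 server with an account that holds the Distribution Groups role; the same -ModerationEnabled and -ModeratedBy parameters exist on Set-Mailbox for moderating a single mailbox.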
WIN12: ASSESSING AND INTEGRATING CLOUD SERVICES IN YOUR INFRASTRUCTURE
MIKE DANSEGLIO
Cloud computing is one of the hottest, fastest growing services in the IT industry today. It is changing the way enterprises and small businesses interact and collaborate: providing access to IT computer resources, enabling sharing and distribution of data, integrating communications and many more business-critical services, all on a pay-as-you-go model that makes it affordable to virtually any size organization. In this session, we examine how cloud computing services extend IT capabilities seamlessly and with nearly infinite resources and services. Commercial cloud service examples are shown, many of which require very little work before you can extend your infrastructure into the space.
WIN09: AUTOMATING YOUR AD: OPERATE AND DOCUMENT YOUR DOMAIN MORE EASILY, AUTOMATICALLY AND REPEATABLY WITH WINDOWS’ FREE TOOLS
MARK MINASI
Still administering your AD the click-and-drag way? For most AD admins, the answer is sadly "yes," and often for the same reason: busy AD admins just don’t get the time to learn how to use the many free AD automation tools built right into Windows... until now. Join Mark Minasi, AD expert and author of over 150 installments of the popular "Windows Power Tools" and "This Old Resource Kit" columns, in a clear, example-filled explanation of some of the best in-the-box Active Directory automation tools. First, you’ll learn bulk account creation with CSVDE and LDIFDE. Then we’ll take a quick peek under the hood of AD’s structure with ADSIEdit to enable us to speak a bit of "LDAP-ese," a skill we’ll need to take the next step and start benefiting from 2008 R2’s 76 new Active Directory-oriented cmdlets. With these new cmdlets, you can often convert a task that once required a few hundred clicks – or two days of VBScripting – into just a few commands. What’s that you say, you don’t have 2008 R2? No problem; Mark will show you how you can get the PowerShell tools running on any 2003-based AD. Or perhaps you don’t know PowerShell yet? No need to worry, as this session tosses in enough PowerShell basics to enable anyone comfortable with Active Directory to get productive with the AD PoSH cmdlets in no time. Every attendee will scratch his or her head and say, "hey, I could use that!" at least once in this session!
WIN11: CONDUCTING A FORENSIC COMPUTER INVESTIGATION FOR IT STAFF
MIKE DANSEGLIO
Computer crime has been on the rise for decades. There are many situations where an incident occurs that doesn’t break the law but is still cause for concern, such as corporate policy violations, information mishandling, or internal system compromise. Many companies are forming their own internal investigative units to address these situations. In this session, we’ll examine what kinds of investigations can be handled internally, when and how to engage law enforcement, how to best prepare for incidents, and the best practices to use. We will also focus on building your computer investigation toolkit including the tools you should have and how you should use them.
WIN14: ENEMY AT THE GATES: YOUR WIRELESS NETWORK IS WEAK
MIKE DANSEGLIO
The proliferation of wireless networks has exploded to the point that virtually every enterprise has one – whether they know it or not. And increasingly the wireless network is the primary target of malicious attackers. Can wireless networks be protected? What does that cute little padlock icon mean? Is it ‘security theater’ – the illusion of security without real substance? In this session, you’ll see the technical details of a variety of wireless security technologies including cryptography, authentication, authorization, filtering, and more. Hands-on demonstrations will illustrate both strong and weak wireless security strategies. The knowledge you’ll gain from this session will help you decide what level of security is necessary to protect your own assets against the barbarians.
WIN17: ESX AND HYPER-V COMPARISON
ALAN SUGANO
Microsoft’s own hypervisor, Hyper-V, was released with Windows Server 2008. It is designed to compete directly against VMware’s ESX server. How do the two products compare? We’ll consider price, performance, hardware requirements, high availability, management and other features in the comparison shootout. If you’re evaluating virtualization platforms, make sure to attend this session to assist in your decision making process.
WIN02: GOING, GOING, GONE? VIRTUALIZING YOUR ACTIVE DIRECTORY FOREST
SEAN DEUBY
Virtualization is all the rage today. Can you apply virtualization to the critical infrastructure of your Active Directory forest? What about backup and recovery? Learn from Sean how to safely virtualize and manage your domain controllers with the latest recommendations and best practices from the Microsoft Directory Services Team.
WIN01: HOW DO YOU SCORE AGAINST THE ACTIVE DIRECTORY BEST PRACTICES ANALYZER?
SEAN DEUBY
Windows Server 2008 R2 features a Best Practices Analyzer for Active Directory that will tell you how to improve your AD configuration. It’s a great tool, but you have to upgrade to R2 to use it. Besides, you can get all the best practices advice right in this session! See how your AD shapes up against the rules and recommendations of the R2 AD Best Practices Analyzer.
WIN23: IMPLEMENTING AFFORDABLE DISASTER RECOVERY WITH HYPER-V AND MULTI-SITE CLUSTERING
GREG SHIELDS
You already know that Hyper-V can be an inexpensive solution for virtualization. But did you know it can also be an inexpensive solution for disaster recovery? All you need is a bit of VHD replication and an extension of your Windows Failover Cluster to a secondary site. What’s hard is correctly connecting the pieces. Join renowned Hyper-V guru Greg Shields to learn the step-by-step along with a set of smart strategies for implementation. Greg will show you the very best ways to extend a Hyper-V cluster to a DR site as well as reveal the costly mistakes that you’ll want to avoid.
WIN13: IMPLEMENTING SERVER CONSOLIDATION WITH VIRTUALIZATION
MIKE DANSEGLIO
We all hear the "do more with less" mantra from our pointy-haired boss. But
November 1-4, 2010 I Las Vegas, NV I Register Today! I 7
WINDOWS SESSIONS
improved availability, and allowing someone else to take on the hassle of fighting spam and viruses. But there are many factors you need to consider before leaping into hosted Exchange including determining if there are legal or corporate restrictions on doing so, establishing service-level agreements, and determining exactly what you will get for your money. This session will discuss the pros and cons of outsourcing e-mail as well as reviewing some case studies of organizations that have done so.
EXC19: PROVIDING FAULT TOLERANT MAIL DELIVERY WITHIN AND BETWEEN ORGANIZATIONS
BRIAN REID
A new core feature of Exchange Server 2010 is the ability to ensure email delivery even if you have outages in your transport infrastructure. This session looks at how fault tolerant mail delivery works, and then how to extend it to operate across different Exchange organizations.
EXC03: STORAGE OPTIONS FOR EXCHANGE 2010
KARL ROBINSON
With each new generation of Microsoft Exchange, features are added and Exchange is further refined in its capabilities as an e-mail system. This can lead to confusion as the number of options increases. Exchange 2010 enables the use of multiple storage options in its deployment ranging from Storage Area Networks (SAN) to Direct-attached storage (DAS). How do you know when to use a specific type of storage? Will it work in your environment? Do you need to enable Exchange high-availability when using a JBOD configuration? Can you use SATA disks to provide your users with 5GB mailboxes? If you want the answers to these questions, be sure to attend this session.
EXC16: THE RPC CLIENT ACCESS ARRAY: THE MISSING PIECE OF EXCHANGE AVAILABILITY
DEVIN L. GANGER
Exchange 2010’s Database Availability Group functionality has received a lot of press and hype (and deservedly so) for enabling better, easier HA scenarios. There’s a missing piece, however: the RPC Client Access Array. This session, drawn from real-world examples, explains what the RPC Client Access Array object is (and what it isn’t), when you need it, and how to deploy it. Devin will also examine how deploying RPC Client Access Arrays affects the clients, load balancers, reverse proxies, and other parts of your Exchange organization. We recommend you take this session in conjunction with the session: Load Balancing for Exchange Deployments.
EXC17: WAN OPTIMIZATION FOR EXCHANGE
DEVIN L. GANGER
WAN optimizers provide on-the-fly bandwidth reduction for a variety of applications, mainly websites and file services. However, Exchange MAPI-RPC client sessions may also benefit from these devices. This session, drawn from real-world examples, explains how current WAN optimizer offerings work with MAPI, both client-to-server and server-to-server, and helps give you information to assess what kind of bandwidth savings you might see in your environment. How does SMB signing affect your optimization? Can optimization be extended to mobile clients? Can optimization help with the replication of multiple DAG copies into a secondary site? Devin will examine these topics and provide clear answers to help you determine if WAN optimization is right for you.
EXC13: ADMINISTRATING MACS IN AN EXCHANGE ENVIRONMENT
BILL SMITH
NADYNE RICHMOND
This session provides an in-depth look at how to administer Macs in your Exchange environment. Learn how to set up your Exchange servers to maximize the experience for your Mac users. Also, learn how to use AppleScript to quickly deploy and update Entourage (in Office:Mac 2008) or Outlook (in Office:Mac 2011) to all of your Mac users at once. Tips, tricks, and troubleshooting are all included.
MICROSOFT DAY
EXCHANGE SESSIONS
■ How Microsoft IT Implemented Microsoft Exchange Server 2010
■ Microsoft Exchange Server 2010 Unified Messaging in the Real World
■ Using Microsoft Exchange Server 2010 to Achieve Rich Coexistence with Exchange Online
■ Microsoft Communications Server “14”: What's New in Microsoft Communicator “14” Experience and Backend
■ Microsoft Exchange Server 2010: Sizing and Performance - Get It Right the First Time
■ What's New in Archiving, Retention, and Discovery in Microsoft Exchange Server 2010 SP1
■ What's New in OWA, Mobility, and Calendaring in Microsoft Exchange Server 2010 SP1
■ Microsoft Exchange Server 2010 High Availability Design Considerations

WINDOWS SESSIONS
■ Deploying Windows
■ PowerShell – The Basics and More
■ Three Screens and a Cloud - Bringing Traditional Desktop Computing, Mobility and Cloud Computing Together
■ Windows XP-Mode in Windows 7
■ Direct Access: The Death of the VPN
■ Top 10 Reasons to Upgrade to Windows 7
■ Top 10 Reasons to Upgrade to Windows Server 2008 R2
■ Hyper-V: Securing your Virtualization Environment
■ Windows Azure: Clear or Cloudy?
■ Introduction to Application Virtualization (APP-V)
■ Introduction to Microsoft Enterprise Desktop Virtualization (MED-V)

CHECK WEB SITE AS WE CONTINUE TO ADD MORE SESSIONS, SPEAKERS AND MAKE UPDATES
WWW.WINCONNECTIONS.COM
WIN21: THE BEST FREE TOOLS FOR WINDOWS DESKTOP ADMINISTRATION
GREG SHIELDS
IT professionals are a unique group. We’re tasked with the ultimate responsibility of our business’ critical applications and data, but we’re rarely given a budget to do so. Heck, many of us aren’t even allowed to see the budget. As a result, we’re forced to either beg for tools or find them for free on the Internet. Cheapskate IT Pro Greg Shields has been collecting the very best free tools for over ten years, and wants to share those in his quiver with you! In this must-see session, Greg highlights the very best no cost Windows tools – some you’ve used, many you’ve never seen. Join this session and leave Windows Connections with a brand new toolset for solving the daily tasks in desktop administration.
WIN05: TOTAL WORKSTATION LOCKDOWN: YOUR ACTION PLAN
JEREMY MOSKOWITZ
Total workstation lockdown isn’t for every machine in your organization but some machines require it. It’s usually those "public walk up" machines that we need to manage a little bit differently. These kinds of machines are in the cafeterias, the lobby and the library. Microsoft has a variety of technologies you can choose (and mix and match) to make your workstations as locked down as they need to be. In this session, Group Policy MVP Jeremy Moskowitz will demonstrate a myriad of ways to make your public desktops more secure. If your team is already using Group Policy, come learn about Starter GPOs, common GP Scenarios, the GP Preferences, and how to efficiently use loopback processing. Learn about Microsoft’s SteadyState tool and some non-Microsoft tools to help enhance your PC control.
WIN22: USING FREE TOOLS TO RAPIDLY DEPLOY SOFTWARE IN YOUR ENVIRONMENT
GREG SHIELDS
Running around the office with installation DVDs is a massive time waste. But investing in an automated software deployment solution can be expensive. So if you’re a small environment, how do you get software installed everywhere with a minimum of effort? Free tools along with a few nifty tricks can help. Master Packager Greg Shields shares his experience with software packaging and automated deployment in this make-your-brain-explode session. He’ll give you the secret knowledge to reconfigure virtually any piece of software for silent installation, and explain how free tools can rapidly deploy that software to anywhere you need.
WIN24: VDI, RDS, MED-V, AND APP-V: MAKING THE RIGHT DECISION IN DEPLOYING APPLICATIONS
GREG SHIELDS
There’s an alphabet soup of options for connecting users to applications and data. You can stream down that app. You can present it atop RDS or XenApp. You can deliver an entire desktop, either over the network or atop an existing workstation. But while the technology is exciting, the hardest part is determining when to use each approach. When is presentation better than streaming? When is a virtual desktop better than a RemoteApp, and when is VDI better for your vendor’s pocketbook than your own budget? Join virtualization expert Greg Shields for the no-nonsense facts. He’ll share his experience in right-sizing application delivery, ensuring that your users, your budget, and your employer will thank you.
WIN15: VMWARE ESX BEST PRACTICES
ALAN SUGANO
Over the years of installing ESX, we have developed a list of best practices when implementing ESX. These include ESX Host Selection, Storage Groups, SAN Design, Storage Planning – Thin versus Thick provisioning, vCenter Server, Backup, Cloning Virtual Machines, Security, Virtual Machine OS Selection, Physical to Virtual (PtoV) Conversions. All of these practices were developed as a result of real-world implementations of ESX. Find out how to avoid potential pitfalls when implementing ESX and ensure a stable, secure and fast virtualization infrastructure.
WIN16: WHAT TYPE OF VIRTUALIZATION TECHNOLOGY IS RIGHT FOR MY COMPANY?
ALAN SUGANO
Virtualization has now become mainstream in the IT Infrastructure world. Everyone knows about server virtualization, but what about other virtualization technologies? This session will give an overview of virtualization technologies and how they might be used in your company. These technologies include server virtualization, desktop virtualization, application virtualization, storage virtualization, and database virtualization. Learn how your company can benefit from these technologies and which ones are a good fit for your company’s IT strategy.
WIN18: WINDOWS POWERSHELL CRASH COURSE
DON JONES
Ready to start using Windows PowerShell v2? PowerShell guru Don Jones gives you a jump start with this information-packed crash course that involves no scripting! That’s right, no programming allowed – just killer commands, remote control capabilities, background jobs, and other key PowerShell skills that will make you effective in Windows, SQL Server, Exchange, SharePoint, and more.
WIN20: ZERO TOUCH INSTALLATIONS WITH SYSTEM CENTER CONFIGURATION MANAGER (SCCM)
RHONDA LAYFIELD
When learning the Microsoft Deployment Tools there is only one tool that can perform an Operating System Deployment (OSD) with no human intervention required on the client machines, and that’s SCCM. In this session, Rhonda will show you how to deploy Windows 7 using SCCM along with all its options. Beginning with a quick tutorial through SCCM’s terminology and server roles right into SCCM’s OSD advanced features – this session has it all.
how do we actually implement the changes in our IT infrastructure to make it happen? One effective method is server consolidation through virtualization. But is it really possible to take a rack of barely-used servers and collapse them into a single physical host while keeping the changes transparent to users and business services? It’s not only possible, it’s right at your fingertips. Come see how you can implement these kinds of changes using tools and resources that you have today in your effort to lower operational costs and offer more services with less equipment. You’ll see demonstrations of commonly used tools and technologies.
WIN06: MICROSOFT AND 3RD-PARTY GPO TOOLS YOU NEVER HEARD OF (AND SHOULDN’T MISS)
JEREMY MOSKOWITZ
It’s now more important to "do more with less." And if you’re an Active Directory administrator, you’re also a Group Policy administrator. And that means you need to do more with what you’ve got. The good news is, there are a gaggle of free, low cost, and pay tools to help round out your Group Policy experiences. Some tools are in the box, downloadable from Microsoft or available with a license. Some tools we’ll explore are 3rd-party tools. Together, these tools can help you troubleshoot, lock down your desktops, make your applications more secure, manage what you’ve got more efficiently and be a better administrator. In this session, you’ll walk away with a huge list of applications you can experiment with today to see if they’re a good fit for your environment and see if you can really "do more with less."
WIN07: MICROSOFT APPLICATION VIRTUALIZATION (APP-V / SOFTGRID)
JEREMY MOSKOWITZ
Let me guess: your machines just “blow up” now and again. And I know why. It’s because you have a zillion applications on them with a half a zillion conflicts and things just “deteriorate” over time. Wouldn’t it be neat if you could just eliminate that problem altogether? Well, with Microsoft’s newest App-V technology, you can. It works by “wrapping up” your existing software into “sequences,” and then putting them into a virtual sandbox. The upshot? Your applications aren’t running “on” Windows. They’re running within the sandbox. So, no more desktop deterioration. App-V is a big place, but come to this session to make sure you know the ins and outs before you get it in your test lab and then into your organization!
WIN19: MIGRATE YOUR XP MACHINES TO WINDOWS 7
RHONDA LAYFIELD
Whether migrating 20 or 20,000 XP machines to Windows 7, the Microsoft Deployment Toolkit 2010 Update 1 (MDT) is the tool to use. In this session, Rhonda will show you how to install, deploy and automate your XP migrations and Windows 7 bare metal installations. Don’t just consider migration; consider creating a complete deployment solution including re-imaging for troubleshooting your desktop environment. MDT’s task sequences can be a little tricky until you understand them and how to make them do your bidding. Also learn how to integrate MDT and WDS to get the best of both tools!
WIN08: NIGHT OF THE LIVING DIRECTORY: UNDERSTANDING THE WINDOWS SERVER 2008 R2 ACTIVE DIRECTORY RECYCLE BIN
MARK MINASI
Windows Server 2008 R2 brought a number of nice changes to Active Directory, but the number one crowd pleaser had to be the Active Directory Recycle Bin, a useful tool for undeleting Active Directory objects that have been deleted, so to speak, "before their time." Powerful and useful as the Recycle Bin is, however, there is more to it than a bit of clicking and dragging, as there is no Recycle Bin GUI built into R2 – the only in-the-box way to make use of the Recycle Bin is a set of PowerShell commands. (There ARE third-party GUIs for the Recycle Bin, though, as you’ll learn in this session.) How long can something stay "dead" before it can’t be revived? Must you reboot your domain controllers to undelete things? Is there a way in an R2 domain to delete something and ensure that it CAN’T be revived? Find out in this fast-paced, comprehensive look at the new Active Directory Recycle Bin, presented by Mark Minasi, author of some of the best-selling books on Active Directory around!
WIN04: SERVER VIRTUALIZATION ESSENTIALS
ALAN SUGANO
As server hardware becomes more powerful, much of the processing power of the server is wasted. Server virtualization allows you to efficiently use the processing power of new servers and the 64-bit platform by consolidating multiple physical servers onto a single virtual server host. We’ll look at virtualization software technologies and how they work with server virtualization. We’ll examine hardware configuration issues in the virtualization environment and tips on selecting the proper hardware for server consolidation. We’ll review management options with demos of VMware ESX (vSphere and vCenter) and Hyper-V (Hyper-V Manager and the System Center Virtual Machine Manager).
WIN03: SYSTEM CENTER ESSENTIALS 2010
SEAN DEUBY
If you're handling IT for a small to mid-sized business, one of the biggest challenges you face is proactively managing your environment. Staying ahead of problems, instead of getting pulled off more strategically important work to fix them, is a far better way to spend your day. Growing IT when you need to is also tough due to the capital costs a new server requires. System Center Essentials (SCE) 2010 is designed specifically to address these problems. It simplifies the management tasks for servers, clients, hardware, and software for mid-sized companies. It handles monitoring, software distribution and inventory, and – new for 2010 – virtualization management. Come see what SCE 2010 is all about in this overview and demo session.
WIN10: TEN (OR MORE) THINGS YOU PROBABLY DON'T KNOW ABOUT WINDOWS SERVER 2008 R2
MARK MINASI
Okay, so maybe you've read about or even played around with Windows Server 2008 R2. You know a bit about Active Directory's PowerShell cmdlets, DirectAccess, BranchCache and the new backup program. It's all great stuff, but... did you know that R2's the first print server whose spooler service WON'T crash just because a print driver failed? Or that R2's DHCP server service has a cool new MAC filter feature, combined with helpful new support for split scopes? Well, that's just the start. Ever needed to resize a VHD? R2's got command-line support for that, as well as a whole new kind of built-in SMB cache. And
8 I Register Today! Call 800-505-1201 I www.WinConnections.com
WINDOWS SESSIONS
F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:05 PM Page 8
of course you know that R2 shores up your system's security by blocking those scary old 1980s LM-type logons – but did you know that R2's got the tool that you need to smoke out and stomp those persistent early-90s NTLM logons? Join server geek Mark Minasi in a fast-paced review of all of the R2 features that haven't really gotten the attention that he thinks they ought to, complete with demos and step-by-step instructions to try them out in your own network. Hey, what would be crazier than paying for a new server operating system and not squeezing all of the juice out of it?
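An added example of hunting leftover NTLM logons, not code from the session or the brochure. The abstract does not name R2's tool; this example assumes it means the "Network security: Restrict NTLM" policies run in audit mode, whose records land in the Microsoft-Windows-NTLM/Operational event log as events 8001 through 8004. The registry writes are the local equivalents of those Group Policy settings (in production, set them through a GPO), and the script assumes the events' EventData fields are named, which is what lets it copy them onto rows without knowing the exact labels.

```powershell
# Added example; not code from the session or the brochure. Turns on NTLM auditing
# (audit, not block) and summarizes who is still authenticating with NTLM. Assumes the
# "Restrict NTLM" policies are what the abstract refers to and that the 8001-8004 events
# carry named EventData fields. Run elevated on a Windows Server 2008 R2 member server or DC.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Audit-only values: 1 = audit all outbound NTLM from this machine, 2 = audit all inbound.
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic'  -Value 2 -Type DWord
# On a domain controller, 7 audits every NTLM authentication passing through the domain.
if ((Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4) {
    Set-ItemProperty -Path $lsa -Name 'AuditNTLMInDomain' -Value 7 -Type DWord
}

# Make sure the operational log is enabled, then give the machine a logon cycle or two.
wevtutil set-log Microsoft-Windows-NTLM/Operational /enabled:true

function Get-NtlmAuditSummary {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    if (-not $events) { Write-Warning 'No NTLM audit events yet.'; return }

    # One row per event, carrying the event's named EventData fields (user, domain,
    # workstation, target and so on) so the result can be grouped or exported.
    $rows = foreach ($e in $events) {
        $row = New-Object PSObject -Property @{ Time = $e.TimeCreated; EventId = $e.Id }
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $row | Add-Member -MemberType NoteProperty -Name $d.Name -Value $d.'#text' -Force
        }
        $row
    }
    $rows | Export-Csv -NoTypeInformation -Path "$env:TEMP\ntlm-audit.csv"
    $rows | Group-Object EventId | Select-Object Name, Count
}

Get-NtlmAuditSummary
```

Leave the policies in audit mode until the CSV stops turning up applications and hosts you care about; only then switch the same values to their "deny" settings, or a legacy device that silently depended on NTLM will be the first to tell you.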
WIN21: THE BEST FREE TOOLS FOR WINDOWS DESKTOP ADMINISTRATION
GREG SHIELDS
IT professionals are a unique group. We're tasked with the ultimate responsibility of our business' critical applications and data, but we're rarely given a budget to do so. Heck, many of us aren't even allowed to see the budget. As a result, we're forced to either beg for tools or find them for free on the Internet. Cheapskate IT Pro Greg Shields has been collecting the very best free tools for over ten years, and wants to share those in his quiver with you! In this must-see session, Greg highlights the very best no-cost Windows tools – some you've used, many you've never seen. Join this session and leave Windows Connections with a brand new toolset for solving the daily tasks in desktop administration.
WIN05: TOTAL WORKSTATION LOCKDOWN: YOUR ACTION PLAN
JEREMY MOSKOWITZ
Total workstation lockdown isn't for every machine in your organization, but some machines require it. It's usually those "public walk-up" machines that we need to manage a little bit differently. These kinds of machines are in the cafeterias, the lobby and the library. Microsoft has a variety of technologies you can choose (and mix and match) to make your workstations as locked down as they need to be. In this session, Group Policy MVP Jeremy Moskowitz will demonstrate a myriad of ways to make your public desktops more secure. If your team is already using Group Policy, come learn about Starter GPOs, common GP scenarios, the GP Preferences, and how to efficiently use loopback processing. Learn about Microsoft's SteadyState tool and some non-Microsoft tools to help enhance your PC control.
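The loopback-processing piece of a walk-up lockdown, as an added example that is not part of the brochure or the session. It uses the GroupPolicy module that ships with the Windows Server 2008 R2 RSAT; the GPO name, the OU path and the specific user restrictions are placeholders chosen for illustration.

```powershell
# Added example; not code from the session or the brochure. Builds a kiosk GPO whose
# user-side settings apply to whoever logs on to the linked computers, by switching
# loopback processing to Replace. GPO name, OU and restrictions are placeholders.
Import-Module GroupPolicy

$gpoName = 'Kiosk Lockdown'
$kioskOU = 'OU=Kiosks,DC=contoso,DC=com'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Public walk-up machines' }

# Computer side: "User Group Policy loopback processing mode". 2 = Replace (only this
# GPO's user settings apply on these machines); 1 = Merge (applied on top of the user's own).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User side, delivered through loopback: a few classic kiosk restrictions.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoRun'          -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
# DisableCMD: 2 blocks the interactive command prompt but still lets logon scripts run.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null

# Link only to the kiosk OU, so loopback never reaches ordinary desktops.
$linked = (Get-GPInheritance -Target $kioskOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $kioskOU | Out-Null }
```

Because the GPO is linked to an OU that contains only the kiosk computer objects, Replace mode cannot lock down an administrator's own workstation by accident; that scoping is what makes loopback safe to use at all.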
WIN22: USING FREE TOOLS TO RAPIDLY DEPLOY SOFTWARE IN YOUR ENVIRONMENT
GREG SHIELDS
Running around the office with installation DVDs is a massive time waste. But investing in an automated software deployment solution can be expensive. So if you're a small environment, how do you get software installed everywhere with a minimum of effort? Free tools along with a few nifty tricks can help. Master Packager Greg Shields shares his experience with software packaging and automated deployment in this make-your-brain-explode session. He'll give you the secret knowledge to reconfigure virtually any piece of software for silent installation, and explain how free tools can rapidly deploy that software to anywhere you need.
WIN24: VDI, RDS, MED-V, AND APP-V: MAKING THE RIGHT DECISION IN DEPLOYING APPLICATIONS
GREG SHIELDS
There's an alphabet soup of options for connecting users to applications and data. You can stream down that app. You can present it atop RDS or XenApp. You can deliver an entire desktop, either over the network or atop an existing workstation. But while the technology is exciting, the hardest part is determining when to use each approach. When is presentation better than streaming? When is a virtual desktop better than a RemoteApp, and when is VDI better for your vendor's pocketbook than your own budget? Join virtualization expert Greg Shields for the no-nonsense facts. He'll share his experience in right-sizing application delivery, ensuring that your users, your budget, and your employer will thank you.
WIN15: VMWARE ESX BEST PRACTICES
ALAN SUGANO
Over the years of installing ESX, we have developed a list of best practices for implementing ESX. These include ESX host selection, storage groups, SAN design, storage planning (thin versus thick provisioning), vCenter Server, backup, cloning virtual machines, security, virtual machine OS selection, and physical-to-virtual (PtoV) conversions. All of these practices were developed as a result of real-world implementations of ESX. Find out how to avoid potential pitfalls when implementing ESX and ensure a stable, secure and fast virtualization infrastructure.
WIN16: WHAT TYPE OF VIRTUALIZATION TECHNOLOGY IS RIGHT FOR MY COMPANY?
ALAN SUGANO
Virtualization has now become mainstream in the IT infrastructure world. Everyone knows about server virtualization, but what about other virtualization technologies? This session will give an overview of virtualization technologies and how they might be used in your company. These technologies include server virtualization, desktop virtualization, application virtualization, storage virtualization, and database virtualization. Learn how your company can benefit from these technologies and which ones are a good fit for your company's IT strategy.
WIN18: WINDOWS POWERSHELL CRASH COURSE
DON JONES
Ready to start using Windows PowerShell v2? PowerShell guru Don Jones gives you a jump start with this information-packed crash course that involves no scripting! That's right, no programming allowed – just killer commands, remote control capabilities, background jobs, and other key PowerShell skills that will make you effective in Windows, SQL Server, Exchange, SharePoint, and more.
WIN20: ZERO TOUCH INSTALLATIONS WITH SYSTEM CENTER CONFIGURATION MANAGER (SCCM)
RHONDA LAYFIELD
When learning the Microsoft deployment tools, there is only one tool that can perform an Operating System Deployment (OSD) with no human intervention required on the client machines, and that's SCCM. In this session, Rhonda will show you how to deploy Windows 7 using SCCM along with all its options. Beginning with a quick tutorial through SCCM's terminology and server roles and going right into SCCM's advanced OSD features – this session has it all.
November 1-4, 2010 I Las Vegas, NV I Register Today! I 9
how do we actually implement the changes in our IT infrastructure to make it happen? One effective method is server consolidation through virtualization. But is it really possible to take a rack of barely-used servers and collapse them into a single physical host while keeping the changes transparent to users and business services? It's not only possible, it's right at your fingertips. Come see how you can implement these kinds of changes using tools and resources that you have today in your effort to lower operational costs and offer more services with less equipment. You'll see demonstrations of commonly used tools and technologies.
WIN06: MICROSOFT AND 3RD-PARTY GPO TOOLS YOU NEVER HEARD OF (AND SHOULDN'T MISS)
JEREMY MOSKOWITZ
It's now more important to "do more with less." And if you're an Active Directory administrator, you're also a Group Policy administrator. And that means you need to do more with what you've got. The good news is, there are a gaggle of free, low-cost, and pay tools to help round out your Group Policy experiences. Some tools are in the box, downloadable from Microsoft or available with a license. Some tools we'll explore are 3rd-party tools. Together, these tools can help you troubleshoot, lock down your desktops, make your applications more secure, manage what you've got more efficiently and be a better administrator. In this session, you'll walk away with a huge list of applications you can experiment with today to see if they're a good fit for your environment and see if you can really "do more with less."
WIN07: MICROSOFT APPLICATION VIRTUALIZATION (APP-V / SOFTGRID)
JEREMY MOSKOWITZ
Let me guess: your machines just "blow up" now and again. And I know why. It's because you have a zillion applications on them with a half a zillion conflicts, and things just "deteriorate" over time. Wouldn't it be neat if you could just eliminate that problem altogether? Well, with Microsoft's newest App-V technology, you can. It works by "wrapping up" your existing software into "sequences," and then putting them into a virtual sandbox. The upshot? Your applications aren't running "on" Windows. They're running within the sandbox. So, no more desktop deterioration. App-V is a big place, but come to this session to make sure you know the ins and outs before you get it in your test lab and then into your organization!
you turn on the brand new, shiny server farm! But understanding how each Web and Application Service functions in the farm, and how those services can impact the end-user experience, is critical to user adoption and system success. The real fun of this session will be the live demonstration of tools to stress and test a live server farm. Come prepared for a fast-paced session with tons of live demonstrations!
HITP03: FILE SHARING SMACKDOWN: SHARES VS. SHAREPOINT
DAN HOLME
SharePoint document libraries are the new file share, or are they? What are the pros and cons of using SharePoint as a file store, particularly with SharePoint 2010? What do file servers offer that SharePoint does not, particularly with Windows Server 2008 R2? Is a hybrid environment desirable or even possible? How can an enterprise migrate and integrate these two disparate approaches to a common goal? These questions and more will be answered by Dan Holme as you take a deep dive into the best practices and real-world experiences of enterprises large and small. This session will address both the strategic and technical details you need to know to support collaboration around files in your organization. You'll also learn what's new in SharePoint 2010 document libraries, including document sets, document IDs, in-place records management, document routing, location-based metadata, and metadata-based navigation.
HITP10: GETTING COZY WITH SERVICE APPLICATIONS
TODD KLINDT
SHANE YOUNG
Just when you got comfortable with Shared Service Providers, SharePoint 2010 throws them out and replaces them with Service Applications. In this session, we'll explain what Service Applications are. Then we'll talk through the decisions you'll make when deploying them. We'll show several different ways to deploy them in your environment, whether you're a single server or a worldwide installation. After this session you won't miss your SSPs at all, we promise.
HITP04: INFORMATION ARCHITECTURE AND THE MANAGED METADATA SERVICE
DAN HOLME
Join SharePoint MVP Dan Holme for a down-and-dirty, deep examination of the configuration and management of the Managed Metadata Service, and what the MMS does to support your enterprise information architecture. You'll explore every nook and cranny of this powerful service application, and see how to provide both centrally managed taxonomy and user-driven folksonomy for enterprise tags. You'll also explore content type syndication and best-practice guidance for topologies to support your information architecture.
HITP11: KEEPING AN EYE ON SHAREPOINT 2010
TODD KLINDT
SHANE YOUNG
You've got SharePoint 2010 installed, but how do you make sure it's running at peak performance? In this session, we'll cover all the built-in monitoring tools in SharePoint 2010. We'll show how logging and usage analysis all come together to give you a view of exactly what your SharePoint 2010 server is up to. By the end of this session, you'll be able to look at your SharePoint 2010 farm and fix problems before they actually become problems. You won't be able to predict the future, but it will sure look like it.
ITP07: MANAGING MULTIPLE AUTHENTICATION PROVIDERS IN SHAREPOINT 2010 FOR EXTRANETS
MICHAEL NOEL
Organizations planning for Extranet access to SharePoint 2010, or faced with providing access to an Intranet from multiple internal authentication platforms, often find it challenging to manage identities across these disparate systems. The complexity involved in provisioning and deprovisioning account access to SharePoint can lead to security breaches and confusion; an account that is never deprovisioned keeps its access long after the person behind it has left. This session focuses on Extranet and Intranet authentication approaches with SharePoint 2010, and how various tools and processes such as Microsoft's Forefront Identity Manager (FIM) 2010 can be used for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers.
• View various Extranet and Intranet deployment models using SharePoint 2010
• Understand the need for identity management across SharePoint farms
• Examine real-world deployment guidance and architecture for SharePoint environments using FIM
HITP17: PLANNING AND DEPLOYING SOCIAL COMPUTING FOR SHAREPOINT 2010
MATTHEW MCDERMOTT
SharePoint 2010 introduces new features that support social computing for organizations of all types. This session details the considerations for planning and deploying the Enterprise Social features of SharePoint 2010. It will detail the administrative controls and best practices for deploying the User Profile Service and other features that support SharePoint Social features, and highlight how organizations can plan, design and deploy the social features that will provide business value to help increase employee connection to their work and workforce.
• Review the "Social Vision" for SharePoint 2010
• Implementing the User Profile Service
• Import/Export Connections for People Data
• Extending the User Profile
• Management and Governance of Social Data
HITP13: SHAREPOINT 2010 DEPLOYMENT DEMOFEST
BEN CURRY
Come get a first look at proven SharePoint Server 2010 deployment best practices. This session is full of real-world lessons learned, tips, and tricks learned from the field. Ben will give you a LIVE guided tour of a multi-server farm deployment. Learn the basics for creating and managing Web and Service applications, scaling services, and selecting basic server farm topologies for most implementations.
HITP06: SHAREPOINT 2010 DISASTER RECOVERY AND HIGH AVAILABILITY
MICHAEL NOEL
Significant architectural changes have been made between SharePoint 2007 and SharePoint 2010, including a complete removal of the infamous Shared Services Provider and the ability to have redundant
November 1-4, 2010 I Las Vegas, NV I Register Today! I 11
SHAREPOINT SESSIONS
IT PROFESSIONAL
HITP09: ADMINISTRATION OF SHAREPOINT 2010 USING WINDOWS POWERSHELL, THE NEW COOLNESS
TODD KLINDT
SHANE YOUNG
All your friends are doing it, why aren't you? Stsadm.exe is so 2007. Come to this session to figure out why you need to be a PowerShell guru ASAP and how to amaze your friends and confound your enemies with your new PowerShell skills. When you leave this session, you'll have a good foundation for figuring out PowerShell with SharePoint, as well as some practical scripts you can use.
HITP05: ARCHITECTING AND MANAGING VIRTUALIZED SHAREPOINT 2010 FARMS
MICHAEL NOEL
Organizations have been taking advantage of server virtualization in great numbers over the past few years, and more and more SharePoint environments are subsequently being virtualized. There are design caveats associated with virtual SharePoint farms, however, which must be taken into account when considering SharePoint 2010 virtualization. In addition, management of a distributed virtual SharePoint environment can be tricky without the proper tools to help provision servers quickly and properly. This session focuses on outlining the design criteria for virtual SharePoint farms, and demonstrates how virtualization management can allow for quick provisioning of a virtual SharePoint farm or adding a new server into an existing farm within a matter of minutes. Exact design criteria and sample real-world SharePoint 2010 designs will be illustrated, and specific PowerShell cmdlets to be used will be provided.
• Learn best-practice architectural guidelines for SharePoint 2010 role virtualization
• Learn how virtualization management software can be used to allow developers and others the ability to quickly provision SharePoint environments or add new servers to farms
• Gain access to custom PowerShell scripts that can be used in a virtual environment for automatic provisioning of SharePoint 2010 farms
HITP12: AUTHENTICATION CHANGES IN SHAREPOINT 2010
TODD KLINDT
SHANE YOUNG
SharePoint 2010 brings with it some exciting changes to authentication. Not only do we have the options we had in SharePoint 2007, but we have a new option, Claims. In this session, we'll explain exactly what a claim is and why it could revolutionize how your users get into SharePoint 2010. Then we'll show how to use Claims to access SharePoint 2010.
HITP01: BEST PRACTICES FOR LEAST-PRIVILEGE INSTALLATION, ADMINISTRATION, AND SECURITY OF SHAREPOINT 2010
DAN HOLME
It's one thing to install and administer SharePoint with all of the defaults, perhaps even running as a Domain Admin. It's another to make it work with a nod to least privilege, manageability, and auditability. In this highly practical session, SharePoint MVP Dan Holme discusses everything you ever wanted to know about user accounts and SharePoint, across a variety of SharePoint scenarios. You'll learn exactly what service accounts are necessary to create a least-privilege installation of SharePoint, and how they must be configured. You'll learn how to manage service accounts and their passwords to ensure compliance with your IT security policies. You'll explore the pros and cons of multiple app pools and identities. You'll examine approaches to user and group management to identify the best practices for different parts of your intranet. And you'll learn how to delegate administrators the ability to use PowerShell to administer SharePoint. You'll be surprised by some of the very important, underdocumented guidance you'll take away, and you'll be equipped to succeed.
HITP02: DESIGNING GOVERNANCE: HOW INFORMATION MANAGEMENT AND SECURITY MUST DRIVE YOUR DESIGN
DAN HOLME
You've read the white papers, you've "Binged" governance, but how, exactly, do you design a SharePoint implementation that will support governance, security, and information management? Join SharePoint MVP and consultant Dan Holme for a practical, nuts-and-bolts look at the close relationship between your information management requirements and SharePoint's manageability controls, and the demands that relationship places on your design and infrastructure. This session is focused on architecting a logical design of SharePoint that effectively supports your information management requirements and governance plan: the "technical" side of governance. You will learn how to align your governance requirements with SharePoint farms, Web applications, and site collections. You'll discover why some third-party applications are a "design poison pill" and what SharePoint 2010 offers to greatly improve the deployment of a governable design. Gain a deeper understanding of the intricacies and challenges of designing the logical structure of SharePoint, and take away practical, blueprint-like guidance to what a governed SharePoint implementation might look like in your enterprise.
HITP18: ENTERPRISE SOCIAL COMPUTING WITH SHAREPOINT 2010
MATTHEW MCDERMOTT
SharePoint 2010 introduces new features that support Social Computing for organizations of all types. Whether you have a "formal vision" or a loose idea of what "Social" means to your organization, this session will introduce you to the key concepts and features that can aid in your planning and implementation of Social Computing for your organization. This session will highlight how companies gain value out of the Social Computing capabilities of SharePoint.
• Introduction to the "Social Vision" for SharePoint 2010
• What's Important: Tagging, Rating and Notes
• What's Happening: Activity Feeds
• Where Is It: Social Search
• Who Can Help: People and Expertise Search
HITP14: FARM ARCHITECTURE PLANNING AND PERFORMANCE TESTING
BEN CURRY
There are many tools that can be used to plan and test a SharePoint Server 2010 server farm. In the year 2010, there's just no reason to guess what will happen when
you turn on the brand new, shiny serverfarm! But, understanding how each Weband Application Service functions in thefarm and how those services can impactthe end user experience is critical to useradoption and system success. The real funof this session will be the live demonstra-tion of tools to stress and test a live serverfarm. Come prepared for a fast-paced ses-sion with tons of live demonstrations!
HITP03: FILE SHARING SMACKDOWN:SHARES VS. SHAREPOINTDAN HOLMESharePoint document libraries are the newfile share, or are they? What are the prosand cons of using SharePoint as a file store,particularly with SharePoint 2010? Whatdo file servers offer that SharePoint doesnot, particularly with Windows Server 2008R2? Is a hybrid environment desirable oreven possible? How can an enterprisemigrate and integrate these two disparateapproaches to a common goal? Thesequestions and more will be answered byDan Holme as you take a deep dive intothe best practices and real-world experi-ences of enterprises large and small. Thissession will address both the strategic andtechnical details you need to know to sup-port collaboration around files in yourorganization. You’ll also learn what’s new inSharePoint 2010 document libraries,including document sets, document IDs,in-place records management, documentrouting, location-based metadata, andmetadata-based navigation.
HITP10: GETTING COZY WITH SERVICE APPLICATIONSTODD KLINDTSHANE YOUNGJust when you got comfortable withShared Service Providers, SharePoint 2010throws them out and replaces them withService Applications. In this session, we’llexplain what Service Applications are. Thenwe’ll talk through the decisions you’ll makewhen deploying them. We’ll show severaldifferent ways to deploy them in your envi-ronment whether you’re a single server ora worldwide installation. After this sessionyou won’t miss your SSPs at all, we promise.
HITP04: INFORMATION ARCHITECTURE AND THE MANAGEDMETADATA SERVICEDAN HOLMEJoin SharePoint MVP Dan Holme for adown-and-dirty, deep examination of theconfiguration and management of theManaged Metadata Service, and what theMMS does to support your enterpriseinformation architecture. You’ll exploreevery nook and cranny of this powerfulservice application, and see how to provideboth centrally managed taxonomy anduser-driven folksonomy for enterprise tags.You’ll also explore content type syndicationand best-practice guidance for topologiesto support your information architecture.
HITP11: KEEPING AN EYE ON SHAREPOINT 2010TODD KLINDTSHANE YOUNGYou’ve got SharePoint 2010 installed, buthow do you make sure it’s running at peakperformance? In this session, we’ll cover allthe built-in monitoring tools in SharePoint2010. We’ll show how logging and usageanalysis all come together to give you aview of exactly what your SharePoint 2010server is up to. By the end of this session,you’ll be able to look at your SharePoint2010 farm and fix problems before theyactually become problems. You won’t beable to predict the future, but it will surelook like it.
ITP07: MANAGING MULTIPLE AUTHENTICATION PROVIDERS INSHAREPOINT 2010 FOR EXTRANETSMICHAEL NOELOrganizations planning for Extranet accessto SharePoint 2010 or faced with providingaccess to an Intranet from multiple internalauthentication platforms often find it chal-lenging to manage identities across thesedisparate systems. The complexity involvedin provisioning and deprovisioningaccount access to SharePoint can lead tosecurity breaches and confusion. This ses-sion focuses on Extranet and Intranetauthentication approaches with SharePoint2010, and how various tools and processessuch as Microsoft’s Forefront IdentityManager (FIM) 2010 can be used for bettercontrol, automatic account provisioning,and synchronization of profile informationacross multiple SharePoint authenticationproviders.
• View various Extranet and Intranetdeployment models using SharePoint2010
• Understand the need for identity man-agement across SharePoint farms
• Examine real-world deployment guid-ance and architecture for SharePointenvironments using FIM
HITP17: PLANNING AND DEPLOYINGSOCIAL COMPUTING FOR SHAREPOINT 2010MATTHEW MCDERMOTTSharePoint 2010 introduces new featuresthat support social computing for organi-zations of all types. This session details theconsiderations for planning and deployingthe Enterprise Social features of SharePoint2010. This session will detail the adminis-trative controls and best practices fordeploying the User Profile Service andother features that support SharePointSocial features. This session will highlighthow organizations can plan, design anddeploy the social features that will providebusiness value to help increase employeeconnection to their work and workforce. • Review the “Social Vision” for SharePoint
2010• Implementing the User Profile Service• Import/Export Connections for People
Data• Extending the User Profile• Management and Governance of Social
Data
HITP13: SHAREPOINT 2010 DEPLOYMENT DEMOFESTBEN CURRYCome get a first look at proven SharePointServer 2010 deployment Best Practices.This session is full of real-world lessonslearned, tips, and tricks learned from thefield. Ben will give you a LIVE guided tourof a multi-server farm deployment. Learnthe basics for creating and managing Weband Service applications, scaling services,and selecting basic server farm topologiesfor most implementations.
HITP06: SHAREPOINT 2010 DISASTERRECOVERY AND HIGH AVAILABILITYMICHAEL NOELSignificant architectural changes havebeen made between SharePoint 2007 andSharePoint 2010, including a completeremoval of the infamous Shared ServicesProvider and the ability to have redundant
November 1-4, 2010 I Las Vegas, NV I Register Today! I 11
SHAREPOINT SESSIONS
F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:05 PM Page 11
IT PROFESSIONAL
HITP09: ADMINISTRATION OFSHAREPOINT 2010 USING WINDOWSPOWERSHELL, THE NEW COOLNESSTODD KLINDTSHANE YOUNGAll your friends are doing it, why aren’tyou? Stsadm.exe is so 2007. Come to thissession to figure out why you need to be aPowerShell guru ASAP and how to amazeyour friends and confound your enemieswith your new PowerShell skills. When youleave this session, you’ll have a good foun-dation for figuring out PowerShell withSharePoint, as well as some practical scriptsyou can use.
HITP05: ARCHITECTING AND MANAGING VIRTUALIZED SHAREPOINT 2010 FARMS
MICHAEL NOEL
Organizations have been taking advantage of Server virtualization in great numbers over the past few years, and more and more SharePoint environments are subsequently being virtualized. There are design caveats associated with virtual SharePoint farms, however, which must be taken into account when considering SharePoint 2010 virtualization. In addition, management of a distributed virtual SharePoint environment can be tricky without the proper tools to help provision servers quickly and properly. This session focuses on outlining the design criteria for virtual SharePoint farms, and demonstrates how virtualization management can allow for quick provisioning of a virtual SharePoint farm or adding a new server into an existing farm within a matter of minutes. Exact design criteria and sample real-world SharePoint 2010 designs will be illustrated, and specific PowerShell commandlets to be used will be provided.
• Learn best practice architectural guidelines for SharePoint 2010 role virtualization
• Learn how virtualization management software can be used to allow developers and others the ability to quickly provision SharePoint environments or add new servers to farms
• Gain access to custom PowerShell scripts that can be used in a virtual environment for automatic provisioning of SharePoint 2010 farms
HITP12: AUTHENTICATION CHANGES IN SHAREPOINT 2010
TODD KLINDT, SHANE YOUNG
SharePoint 2010 brings with it some exciting changes to authentication. Not only do we have the options we had in SharePoint 2007, but we have a new option, Claims. In this session, we’ll explain exactly what a claim is and why it could revolutionize how your users get into SharePoint 2010. Then we’ll show how to use Claims to access SharePoint 2010.
HITP01: BEST PRACTICES FOR LEAST-PRIVILEGE INSTALLATION, ADMINISTRATION, AND SECURITY OF SHAREPOINT 2010
DAN HOLME
It’s one thing to install and administer SharePoint with all of the defaults, perhaps even running as a Domain Admin. It’s another to make it work with a nod to least privilege, manageability, and auditability. In this highly practical session, SharePoint MVP Dan Holme discusses everything you ever wanted to know about user accounts and SharePoint, across a variety of SharePoint scenarios. You’ll learn exactly what service accounts are necessary to create a least-privilege installation of SharePoint, and how they must be configured. You’ll learn how to manage service accounts and their passwords to ensure compliance with your IT security policies. You’ll explore the pros and cons of multiple app pools and identities. You’ll examine approaches to user and group management to identify the best practices for different parts of your intranet. And you’ll learn how to delegate administrators the ability to use PowerShell to administer SharePoint. You’ll be surprised by some of the very important, underdocumented guidance you’ll take away, and you’ll be equipped to succeed.
HITP02: DESIGNING GOVERNANCE: HOW INFORMATION MANAGEMENT AND SECURITY MUST DRIVE YOUR DESIGN
DAN HOLME
You’ve read the white papers, you’ve “Binged” governance, but how, exactly, do you design a SharePoint implementation that will support governance, security, and information management? Join SharePoint MVP and consultant Dan Holme for a practical, nuts-and-bolts look at the close relationship between your information management requirements and SharePoint’s manageability controls, and the demands that relationship places on your design and infrastructure. This session is focused on architecting a logical design of SharePoint that effectively supports your information management requirements and governance plan—the “technical” side of governance. You will learn how to align your governance requirements with SharePoint farms, Web applications, and site collections. You’ll discover why some third-party applications are a “design poison pill” and what SharePoint 2010 offers to greatly improve the deployment of a governable design. Gain a deeper understanding of the intricacies and challenges of designing the logical structure of SharePoint, and take away practical, blueprint-like guidance to what a governed SharePoint implementation might look like in your enterprise.
HITP18: ENTERPRISE SOCIAL COMPUTING WITH SHAREPOINT 2010
MATTHEW MCDERMOTT
SharePoint 2010 introduces new features that support Social Computing for organizations of all types. Whether you have a “formal vision” or loose idea of what “Social” means to your organization, this session will introduce you to the key concepts and features that can aid in your planning and implementation of Social Computing for your organization. This session will highlight how companies gain value out of the Social Computing capabilities of SharePoint.
• Introduction to the “Social Vision” for SharePoint 2010
• What’s Important: Tagging, Rating and Notes
• What’s Happening: Activity Feeds
• Where Is It: Social Search
• Who Can Help: People and Expertise Search
HITP14: FARM ARCHITECTURE PLANNING AND PERFORMANCE TESTING
BEN CURRY
There are many tools that can be used to plan and test a SharePoint Server 2010 server farm. In the year 2010, there’s just no reason to guess what will happen when
folks tend to think Excel Services is the endpoint of a business process — input data, read results. Wouldn’t it be cool to leverage the calculation power of Excel Services to drive other Web Parts? We’ll learn how to do this without writing a single line of code.
HNCS08: MANAGE YOUR EXTERNAL DATA USING BUSINESS CONNECTIVITY SERVICES … WITHOUT CODE!
ASIF REHMANI
The Business Connectivity Services (BCS) is an evolution of the concept of Business Data Catalog (BDC) that was introduced in SharePoint 2007 to get access to your line of business data. In addition to consuming your data, BCS lets you also write back data to your external systems. SharePoint Designer 2010 is used to define your connection properties by creating External Content Types (ECT) without the need for programming! In this session, you see how you can surface this data using external lists, metadata in SharePoint lists and also your Outlook application to create robust business solutions.
HNCS06: USE DATA VIEWS TO GET TO YOUR DATA — BOTH INSIDE AND OUTSIDE OF SHAREPOINT
ASIF REHMANI
You can use SharePoint Designer to make connections to and present data from internal and external data sources such as SharePoint lists, libraries, XML files, databases and Web services. The focus of this session is on exposing the data to the user using the XSLT Web Parts. These Web Parts can be manipulated in a variety of ways to present the information to the end user. In this session, it is shown how the list view and data view tools available can be used to reformat the presentation of the data using conditional formatting, pre-formatted styles, XPath expressions and more.
HNCS09: USING INFOPATH 2010 AND SHAREPOINT DESIGNER 2010 TO MANAGE SHAREPOINT LIST FORMS
ASIF REHMANI
SharePoint Designer has been a great tool to customize SharePoint list forms for a long time. Now in SharePoint 2010, you can use InfoPath 2010 to customize the forms as well. What’s the difference? Why should you use one tool over the other for this purpose? This session shows how each functionality works and explores the pros and cons of using each method to customize your SharePoint list forms.
HNCS03: USING OUTLOOK AND THE SHAREPOINT WORKSPACE WITH SHAREPOINT 2010
SCOT HILLIER
SharePoint 2010 provides powerful ways to use data offline through Outlook 2010 and the SharePoint Workspace. In this session, you’ll learn how to synchronize sites, lists, and libraries with Outlook and the SharePoint Workspace. You’ll learn how data is installed and managed on the client so that you can understand the proper way to work with offline data. You’ll learn limitations and workarounds associated with offline data including conflict resolution and collaborative document creation. Attendees will exit this session with a complete understanding of how offline data is synchronized, managed, and utilized in Office clients.
HNCS04: VISUALLY CREATING VISUALLY COMPELLING WORKFLOWS (WITHOUT WRITING ANY CODE!)
TODD BAGINSKI
Modeling SharePoint workflows has never been easier to do, and understanding the current state of a workflow status has never been easier on the eyes! Microsoft Visio and SharePoint Designer are now capable of modeling, editing, configuring, and deploying workflows to SharePoint sites and lists. Additionally, the Visio Graphics Service now provides the ability to represent the status of a workflow in a visual manner! This session demonstrates how to create a SharePoint workflow in Microsoft Visio and export it to SharePoint Designer. The session goes on to demonstrate how to edit the workflow in SharePoint Designer, add a custom coded workflow activity to it, and publish it to a SharePoint site as a reusable workflow. Finally, the session demonstrates how to configure workflow visualizations with the Visio Graphics Service to see the current state of a workflow. In this session, you will learn how to create a SharePoint workflow in Microsoft Visio, make changes to it in SharePoint Designer, publish it to a SharePoint site, configure the Visio Graphics Service, and visually view the status of the workflow as represented in the workflow diagram.
DEVELOPMENT
HDEV07: ADVANCED EXTERNAL LISTS IN SHAREPOINT 2010
SCOT HILLIER
External Lists allow data from External Systems to appear as lists in SharePoint 2010. External Lists, however, do not have all of the capabilities of standard lists and database tables. This session will present the differences, limitations, and workarounds that allow you to get the most out of External Lists. The differences between standard SharePoint lists and External Lists will be presented first along with strategies and workarounds for limitations such as attachments and workflow support. Then, the differences between database tables and External Lists will be presented along with strategies and workarounds for limitations such as attachments, folders, and versions. Attendees will exit the session with new ideas for implementing External Lists in their SharePoint 2010 solutions.
HDEV09: BEST PRACTICES FOR SANDBOXED SOLUTIONS
SCOT HILLIER
SharePoint 2010 introduces a new paradigm for feature development known as Sandboxed Solutions. While the Sandboxed Solutions paradigm contributes significantly to overall farm stability, it also presents unique challenges for the SharePoint developer due to the severe restrictions placed on such solutions. In this session, we will examine the limitations placed on Sandboxed Solutions and present several patterns that can be used to work within these limitations. These patterns will include the use of web parts, site pages, client object model code, and fully-trusted proxies. Attendees will exit the session with a strong understanding of Sandboxed Solution development, limitations, and best practices.
HDEV14: BEST PRACTICES FOR UPGRADING WEB PARTS
MAURICE PRATHER
Web Parts have been around for three generations. We’ll talk about all the different ways Web Part code can be upgraded. We’ll discuss how to best move your Web Parts from where they are today to where you want them tomorrow.
indexing functionality in a farm. In addition, the number of databases in a single farm has increased significantly and Microsoft has overhauled the authentication model used by SharePoint. All of this translates to some significant architectural changes between SharePoint 2007 farm architecture and SharePoint 2010 farm architecture, changing the paradigm for SharePoint infrastructure architects and changing the Disaster Recovery and High Availability requirements of the application. This session focuses on outlining how the changes in SharePoint 2010 architecture allow for new design scenarios, and how you can design a new fault tolerant and high performance SharePoint 2010 environment to migrate your existing SharePoint 2007 content into.
• Learn how the significant architectural changes between SharePoint 2007 and SharePoint 2010 change how to build in fault tolerance and high availability in a SharePoint farm
• Examine best practice farm architecture and real world SharePoint design models that are both disaster tolerant and highly available
• Understand Backup and Restore concepts in SharePoint 2010, and how the out-of-the-box backup can be extended and streamlined with new tools and technologies.
HITP16: SHAREPOINT 2010 SEARCH
MATTHEW MCDERMOTT
Search has taken a huge step forward with the introduction of SharePoint 2010. This session will focus on what is new to Search in SharePoint 2010. Presented through demonstrations of the search capabilities and advancements, this presentation will provide the background necessary to understand how Search has improved and how to plan for the smooth implementation of SharePoint Search for your organization.
• SharePoint 2010 Search Scalability Options
• Improved User Experience
• Social and People Search
• Improved Metadata Processing
• Improved Management and Tuning
• FAST Search for SharePoint 2010
HITP08: SHAREPOINT 2010 UPGRADE DRILL-DOWN
JOEL OLESON
You’ve heard about the upgrade methods, but where are the real-world pros and cons? What happens when in-place upgrade fails? How do you roll back visual upgrades and what are the best strategies around visual upgrade? We’ll cover this and much more as we take things down a level and really dig into the strategy.
• Determine the best approach to upgrade for your environment
• Walk through visual upgrade delegation options
• Identify upgrade issues in upgrading site definition, features, and workflows
HITP15: WHAT DO YOU NEED FOR EFFECTIVE COMMUNICATION BETWEEN IT PROS AND DEVELOPERS? A REFEREE!
BEN CURRY
Come learn how you can fire the referee and get on the same team with your developers. This session will focus on developing goals and strategies that we can all agree on. You’ll learn how to define the rules of engagement and accompanying terminology so IT Pros are doing what they like to do, and Developers spend their time writing code (because that’s what Developers like to do!). See how to agree on a development life cycle, how to be nice to your Developers, and how to get something in return! Developers can be great allies in scaling one-off solutions, creating sandboxed solutions, automating tasks, and getting home before midnight. Seriously, come to this session to learn how to better communicate with your developers, and how to make them your allies in your SharePoint adventure.
NO CODE SOLUTIONS
HNCS07: AUTOMATING BUSINESS PROCESSES USING INFOPATH 2010 FORMS WITH INTEGRATED SHAREPOINT DESIGNER 2010 WORKFLOWS
ASIF REHMANI
Forms and Workflows are essential to business processes. Companies usually rely on programmers to create the forms and workflows using code. Not any more! If you have access to Microsoft InfoPath 2010 and Microsoft SharePoint Designer 2010, you can create powerful data-driven form solutions on your SharePoint sites. InfoPath gives you the ability to pull data from databases and lists, and create forms with data validation and conditional formatting. SharePoint Designer’s workflows let you then design powerful multi-step workflows centered around the form collected data. In this session, you see how to design a robust form using InfoPath and then design a workflow using SharePoint Designer to route this form appropriately.
HNCS02: CREATING BI SOLUTIONS WITH SHAREPOINT 2010 USING PERFORMANCEPOINT SERVICES
TED PATTISON
SharePoint Server 2010 provides a powerful platform for creating Business Intelligence (BI) solutions using PerformancePoint Services (PPS). PPS makes it possible to create a visual front end to Data warehouses and cubes created with SQL Server 2008 R2 Analysis Services. This session shows you how to use PerformancePoint Services and the Dashboard Designer to create SharePoint 2010 sites with Dashboard components such as Key Performance Indicators (KPIs), Scorecards, Reports and Filters.
HNCS01: CREATING CONTENT-CENTRIC SITES WITH SHAREPOINT 2010 WEB CONTENT MANAGEMENT
ANDREW CONNELL
SharePoint 2010 provides all the tools you need to create content-centric Internet/Extranet/Intranet-facing solutions that do not fit the mold of traditional SharePoint collaboration solutions. These capabilities, dubbed Web Content Management (WCM), enable content owners and managers to create sites that are consumed by a very large user base. In this session, you’ll learn how to create compelling content-centric sites using just the browser and SharePoint Designer 2010 including creating custom page types, page templates, modifying the user experience as well as enforcing certain business rules for content publication and storage.
HNCS05: LEVERAGE EXCEL SERVICES TO DRIVE OTHER WEB PARTS WITHOUT CODE!
MAURICE PRATHER
Everyone knows that Excel and Excel Services are great for calculations. Most
HDEV03: INCORPORATING MANAGED METADATA IN CUSTOM SOLUTIONS
ANDREW CONNELL
Microsoft injected strong support for metadata, taxonomies and folksonomies in SharePoint 2010 with the addition of the Managed Metadata service application and Managed Metadata field type. While there is plenty of support for metadata across the platform out-of-the-box, Microsoft has included a very robust API in this latest release of SharePoint 2010 to create custom solutions. In this session, we’ll explore how we can create custom metadata-based solutions for use in SharePoint 2010.
HDEV17: LEVERAGING THE SHAREPOINT 2010 USER EXPERIENCE ENHANCEMENTS
GARY LAPOINTE
SharePoint 2010 has introduced several new capabilities for interacting with end-users. The most obvious of these new capabilities is the implementation of the Fluent UI, or Ribbon, but significant work has also gone into reducing pop-ups and page refreshes through the use of a new Dialog Framework and Notification capabilities. In this session, we’ll examine how to extend the Ribbon and plug into the Dialog Framework as well as how to show transient and persistent messages to your users using the new Notification capabilities. This session is applicable to any developers who are creating applications for SharePoint which need to interact with the end-user.
HDEV02: LOCAL DATA ACCESS IN SHAREPOINT 2010: LINQ AND BEST PRACTICES
ANDREW CONNELL
One of the most common tasks developers do day-to-day is accessing data stored within SharePoint. In the past, this always meant getting data out using CAML-based queries or tediously creating items one by one. In this session, you’ll learn about the new LINQ support in SharePoint 2010 and what you’ll need to do in order to leverage this new support. In addition, we’ll cover some best practices to employ when utilizing the new LINQ support in SharePoint 2010 to ensure users do not inadvertently break your LINQ queries.
HDEV06: REMOTE DATA ACCESS IN SHAREPOINT 2010
TED PATTISON
SharePoint 2010 provides new opportunities to access list-based items from across the network. This session demonstrates development techniques involving the Client Object Model and WCF Data Services. You will see how to access lists using the native support for REST-based Web services in SharePoint 2010. The session will also describe how to develop components for SharePoint 2010 using the new Open Data Protocol (OData).
HDEV16: SHAREPOINT 2010 POWERSHELL FOR DEVELOPERS
GARY LAPOINTE
In this session, we’ll examine how SharePoint developers can leverage the capabilities of the PowerShell scripting language and the various tools available to help create and debug scripts. We’ll examine Visual Studio 2010’s support for PowerShell and dive deep into creating custom PowerShell cmdlets and PipeBind objects as well as custom type modifiers, help files, and views. This session is applicable to any developers who need to build custom cmdlets to support an application or product or who need to automate certain aspects of their development processes; it is not meant to teach you PowerShell scripting.
PRE-CONFERENCE WORKSHOPS
MONDAY, NOVEMBER 1, 2010 9AM - 4PM
EPR01: MAKING EXCHANGE HIGHLY AVAILABLE – BRILLIANCE IN RESILIENCE (HANDS-ON WORKSHOP)
PETER O’DOWD
Microsoft has made some outstanding improvements to Exchange 2010 redundancy and the rules have all changed; SANs are less important, JBOD can be supported, Outlook talking to CAS, movable databases, and logs and EDBs living together in harmony. This one day workshop will focus on how you can configure your Exchange Server organization to increase availability with Database Availability Groups, CAS clusters, and more. In this information-packed day, you’ll use an 8GB Windows Server 2008 R2 laptop provided by Microsoft to walk through several hands-on labs developed by Wadeware® with Exchange MVP Peter O’Dowd. Space is limited so sign up now.
MONDAY, NOVEMBER 1, 2010 9AM - 4PM
WPR01: WINDOWS 7 DEPLOYMENT MASTER CLASS
RHONDA LAYFIELD
Learning Windows Deployment Tools can be quite a daunting task – where do you start and which one do you use? Windows Automated Installation Kit for Windows 7 (WAIK), Windows Deployment Service (WDS), Microsoft Deployment Toolkit 2010 Update 1 (MDT) or System Center Configuration Manager (SCCM)? The last thing you want to do is waste time learning a tool that’s not right for you or your environment. Let Setup and Deployment MVP and Desktop Deployment Product Specialist Rhonda Layfield help you figure out which tool is right for you. In this full day deployment workshop, you’ll learn how to create, deploy and manage your images using the Windows Automated Installation Kit for Windows 7 (ImageX, DISM, CopyPE, OSCDImg, USMT 4.0). Perform bare metal installations using WDS – learn to install, configure and troubleshoot WDS. Migrate your XP machines to Windows 7 using the MDT 2010 Update 1. Then there’s the golden tool – SCCM – which allows you to perform zero touch installations. More importantly, learn the differences between these tools so you can make your deployment solution work for you.
MONDAY, NOVEMBER 1, 2010 9AM - 4PM
HPR01: SHAREPOINT 2010 PROFESSIONAL DEVELOPMENT WORKSHOP
ERIC SHUPPS, ROBERT BOGUE
Go to www.devconnections.com for complete abstract.
WORKSHOPS
HDEV11: BUILDING CUSTOM APPLICATIONS (MASHUPS) ON THE SHAREPOINT PLATFORM
TODD BAGINSKI
Custom applications which combine components from several different systems, services, and data sources are more commonplace in today’s world than ever before, not to mention they are usually the most fun to build! This session shows how to combine Business Connectivity Services, the SharePoint Client Object Model, SharePoint Search, Silverlight, Bing Maps, the Digital Assets Library (Images & Videos), SharePoint list data, and even SharePoint’s new rating functionality to create a "mashup" application that provides a wide variety of functionality. In this session, you will learn how to combine all of these components to create eye-catching applications that provide a wide variety of functionality.
HDEV13: BUILDING CUSTOM APPLICATIONS WITH THE POWERPIVOT API
MAURICE PRATHER
PowerPivot is an exciting new data analysis feature set. It’s tied closely to Excel Web Access, but did you know that it doesn’t have to be? The PowerPivot API will allow you to create custom Web Parts and controls that are designed to fit your business needs. We’ll look at how to easily integrate your data into your own controls.
HDEV01: CREATING A RICH BUSINESS APPLICATION WITH THE MANAGED CLIENT OBJECT MODELS IN SHAREPOINT 2010
ANDREW CONNELL
SharePoint 2010 introduced a new way to work with SharePoint data when you have an application that does not run on the server: the Client Object Model (ClientOM). In this session, you’ll see how to create rich desktop applications with WPF and the .NET ClientOM. In addition, see how to create robust business applications deployed as sandbox solutions using the Silverlight ClientOM.
HDEV10: CREATING CUSTOM LINE OF BUSINESS SOLUTIONS WITH BUSINESS CONNECTIVITY SERVICES
TODD BAGINSKI
Business Connectivity Services and Microsoft SharePoint Server provide developers an excellent platform to quickly build line-of-business applications upon. The BDC and SharePoint make connecting to data in external systems and working with it easier than ever before. This session shows how to combine External Content Types, External Lists, .NET Assembly Connectors, External Data Web Parts, and the SharePoint search service to search, create, read, update, and delete data from multiple external data sources. In this session, you will learn how to create and configure all of these components to create a powerful line-of-business application with the SharePoint platform.
HDEV12: CREATING CUSTOM WORKFLOWS AND REUSABLE WORKFLOW ACTIVITIES FOR SHAREPOINT DESIGNER
TODD BAGINSKI
Complex business processes often demand custom-coded workflows. Understanding how to reuse pieces of the custom workflows you create saves time and effort in the future and empowers end users to create their own workflows with custom activities inside them. In the long run, taking this approach saves your IT department time and money. This session demonstrates how to create custom workflows with Visual Studio 2010 which use out-of-the-box workflow activities, as well as custom-coded workflow activities. This session also demonstrates how to create custom workflow activities that may be reused inside of SharePoint Designer workflows. In this session, you will learn how to create custom-coded workflows and activities in Visual Studio 2010 and how to package, deploy, and reuse them in SharePoint Designer workflows.
HDEV08: CREATING SEARCH-BASED SOLUTIONS WITH SHAREPOINT 2010
SCOT HILLIER
Search-based solutions are applications that use a search page as the primary interface. Solutions such as image searching or travel searching in Bing are good examples of search-based solutions. SharePoint 2010 offers developers new ways to extend search and create search-based solutions. In this session, attendees will learn to create search-based solutions by using custom relevance models, extending SharePoint 2010 search parts, and utilizing .NET Assembly Connectors to access external systems. The techniques presented will prepare attendees to create search-based solutions on their own.
HDEV04: DEVELOPING A CUSTOM CLAIMS PROVIDER
TED PATTISON
SharePoint 2010 introduces a new security architecture based on claims, federation and the Windows Identity Framework (WIF). This session introduces the concepts and architecture of claims-based security in SharePoint 2010 and demonstrates how to create and debug a custom claims provider.
HDEV18: EXTENDING THE SOCIAL EXPERIENCE USING THE SHAREPOINT 2010 SOCIAL NETWORKING API
GARY LAPOINTE
SharePoint 2010 introduces several new capabilities to allow end-users to share what they’re doing, discover what others are doing, and more easily locate colleagues and data that are relevant to their specific needs. The out-of-the-box user experience gets you part of the way by exposing most of the capabilities of the API, but by writing our own custom applications we can take it to the next level. In this session, we’ll take a deep dive into the SharePoint Social Networking APIs and see how to use the wealth of information provided to extend and enhance the end-user experience by providing rich and intuitive access to social data. This session is applicable to any developers who wish to leverage and extend the social capabilities of SharePoint in their own applications.
HDEV05: EXTENDING THE VISUAL STUDIO 2010 SHAREPOINT TOOLS
TED PATTISON
The new Visual Studio 2010 SharePoint Tools represent a significant step forward for SharePoint as a development platform. While this new tool set provides a great deal of functionality out of the box, there are scenarios where you must extend them to accomplish certain tasks. This session will teach you the concepts and techniques required to create extensions so you can leverage the full extent of your SharePoint development knowledge when developing SharePoint 2010 solutions.
HDEV15: HOW TO BUILD CLAIMS-AWARE APPLICATIONS AND CONTROLS
MAURICE PRATHER
What exactly are claims? In this session, we’ll quickly cover the fundamentals of claims authentication. Then we’ll dive into the details needed to leverage claims within your applications.
14 I Register Today! Call 800-505-1201 I www.WinConnections.com
SPEAKERS
A UNIQUE OPPORTUNITY TO GET YOUR TECHNOLOGY AND TRAINING FROM MICROSOFT AND INDUSTRY EXPERTS!
SCOTT ALLEN, PLURALSIGHT
CHRIS AVIS, MICROSOFT
ANDREW CONNELL, CRITICAL PATH TRAINING, LLC
BEN CURRY, SUMMIT 7 SYSTEMS
MIKE DANSEGLIO, MICROSOFT
DEVIN L. GANGER, CONSULTANT/AUTHOR
THOMAS FOREMAN, WADEWARE
SEAN DEUBY, ADVAIYA INC.
SCOT HILLIER, SCOT HILLIER TECHNICAL SOLUTIONS, LLC
DAN HOLME, INTELLIEM, INC.
DON JONES, CONCENTRATED TECHNOLOGY
TODD KLINDT, SHAREPOINT 911
KEVIN LAAHS, HP
RHONDA LAYFIELD, CONSULTANT/TRAINER
GARY LAPOINTE, SHARESQUARED, INC.
LEE MACKEY, HP
JIM MCBEE, ITHICOS SOLUTIONS
KIERAN MCCORRY, HP
MATTHEW MCDERMOTT, ABLEBLUE
MARK MINASI, MINASI RESEARCH AND DEVELOPMENT
MICHAEL NOEL, CONVERGENT COMPUTING
JEREMY MOSKOWITZ, MOSKOWITZ, INC.
JOEL OLESON, QUEST SOFTWARE
TED PATTISON, TED PATTISON GROUP, INC.
MAURICE PRATHER, INDEPENDENT CONSULTANT
ASIF REHMANI, SHAREPOINT-ELEARNING.COM
NADYNE RICHMOND, MICROSOFT
KARL ROBINSON, HP
PAUL ROBICHAUX, TRAINER/AUTHOR
GREG SHIELDS, CONCENTRATED TECHNOLOGY
ALAN SUGANO, ADS CONSULTING GROUP
STEVE RILEY, AMAZON WEB SERVICES
SHANE YOUNG, SHAREPOINT 911
TONY REDMOND, TONY REDMOND AND ASSOCIATES
PETER O'DOWD, BLADE/WADEWARE
TOM PHILLIPS, WADEWARE
BRIAN REID, C7 SOLUTIONS
WILLIAM SMITH, MERRILL COMMUNICATIONS LLC
And many more... Check our Web site as we continue to update it with speaker pictures and bios!
Check Web site for Microsoft and additional speakers.
WORKSHOPS CONTINUED
FRIDAY, NOVEMBER 5, 2010 9AM - 4PM
HPS302: DAN HOLME’S WINDOWS ADMINISTRATION MASTER CLASS
DAN HOLME
Join best-selling author and world-famous consultant Dan Holme for a master class in administration. A full day of best practices, tips, tricks, and tools that will enable you to accelerate, automate, secure, and manage your Windows clients, servers, and Active Directory. Dan Holme has amassed a wealth of experience and expertise—solutions which enable you to deliver real-world administrative best practices within the constraints of real-world budgets and technologies.
THIS WORKSHOP WILL FEATURE:
■ Provisioning Applications and Configuration
■ Role-Based Management Extreme Makeover
■ Advanced Active Directory & Administrative Delegation
■ Administrators’ Idol: Tips and Tricks for Administrative Automation and Brilliance
■ Ten Years Later: Best practice administration and design for Active Directory.
FRIDAY, NOVEMBER 5, 2010 9AM - 4PM
WPS01: WINDOWS POWERSHELL V2 “ZERO SCRIPTING” MASTER CLASS
DON JONES
Are you ready to take Windows PowerShell as far as you possibly can—without writing a single line of “script code?” Join the PowerShell “War on Scripting” with this exclusive full-day session by Windows PowerShell guru Don Jones, author of the “PowerShell with a Purpose” blog at WindowsITPro.com, more than 45 books, and the PowerShell columnist for TechNet Magazine. No PowerShell experience is necessary, and even if you have some, you’ll discover new (and easier) approaches to some of the trickiest administrative tasks. Learn to use PowerShell remoting, how to master pipeline parameter binding, and how to create simple parameterized “batch files” that require no programming—just copying and pasting! This isn’t “dumbed down” PowerShell, either—this is PowerShell as it was meant to be used and experienced. Customize visual displays, create custom inventory reports, schedule PowerShell commands to run at specific times, create and manage configuration baselines, and much more. This workshop focuses on Windows Server 2008 R2 but is also perfect for Win2003 shops using WinXP, Vista, or Win7 clients. This is not a hands-on workshop; no need to bring your laptop. A complete transcript will be made of everything Don types, and made available to you for downloading a few days after the conference is over. This is the only sure bet in Las Vegas—you’re sure to go home ready to start automating key administrative tasks, saving time, improving consistency, and building out your resume!
FRIDAY, NOVEMBER 5, 2010 9AM - 4PM
HPS301: ADVANCED SHAREPOINT 2010 ADMINISTRATION WITH TODD AND SHANE
TODD KLINDT & SHANE YOUNG
Go to www.devconnections.com for complete abstract.
MONDAY, NOVEMBER 1, 2010 9AM - 4PM
HPR02: SHAREPOINT COLLABORATION JUMPSTART
DAN HOLME
Go to www.devconnections.com for complete abstract.
POST-CONFERENCE WORKSHOPS
FRIDAY, NOVEMBER 5, 2010 9AM - 4PM
EPS01: EXPLORING EXCHANGE 2010 - CONFIGURE AND SUPPORTING (HANDS-ON WORKSHOP)
PETER O’DOWD & TOM PHILLIPS
With your head packed full of valuable information from a week of Exchange 2010 sessions, put it all together in this one-day journey through Microsoft Exchange Server 2010 and experience its new and improved features hands-on. Let MVP Peter O’Dowd and Tom Phillips lead you through hands-on labs, including:
■ Archiving – yes, now available out of the box.
■ Mailtips – find out if your recipient isn’t available before sending the message.
■ Exchange Control Panel – Where users can manage their directory data and groups.
■ Role Based Access Control – Allows different types of users to search for different types of content across the organization.
■ Information Leakage and Protection – Transport rules and Rights Management Server unite.
■ Database Availability Groups – The new HA. No longer does a database need be associated with a single server.
■ Unified Messaging – Try the new voice to text translation,dial plans, and more…
This instructor-led hands-on-lab experience will get you deep into Exchange and guide you through these features, showing you how they are configured and how they can be used to improve your organization’s Unified Communications platform. No need to bring your laptop; an 8GB Windows Server 2008 R2 laptop will be provided by Microsoft for this event. Space is limited, so sign up now.
FRIDAY, NOVEMBER 5, 2010 9AM - 4PM
EPS02: COMMUNICATION SERVER 14 (AKA OCS) – FIRST LOOK PREVIEW
THOMAS FOREMAN
Be one of the first to get your hands on Communications Server 14. See what all the fuss is about and how this version of OCS has taken a big step forward. This one-day workshop will walk you through several hands-on labs such as:
■ New install process and tools
■ PowerShell features
■ Configuration tools
■ Client experience
In this information-packed day, you’ll use an 8GB Windows Server 2008 laptop provided by Microsoft to walk through several hands-on labs developed by Wadeware® with CS expert Thomas Foreman. Space is limited so sign up now.
LAS VEGAS, NEVADA
NAME / PRIORITY CODE
COMPANY / TITLE
STREET ADDRESS (REQUIRED TO SHIP MATERIALS)
CITY, STATE, POSTAL CODE / COUNTRY
TELEPHONE / FAX / E-MAIL ADDRESS (IMPORTANT)
ONLINE: www.WinConnections.com
E-MAIL: [email protected]
PHONE: (800) 438-6720 or (203) 400-6121
FAX: (913) 514-9362
MAIL: Penton Media, c/o Tech Conferences, Inc., 731 Main Street Ste C3, Monroe CT 06468
FULL CONFERENCE REGISTRATION INCLUDES KEYNOTE ON NOVEMBER 2ND 8:00AM, THROUGH CLOSING SESSION NOVEMBER 4TH, 4:30PM
CONFERENCE REGISTRATION • NOVEMBER 1-4, 2010
☐ Microsoft Exchange Connections Conference and Expo
☐ Windows Connections Conference and Expo
☐ SharePoint Connections Conference and Expo
On or Before August 19th, 2010: $1495
After August 19th, 2010: $1595
FOR WHICH CONFERENCE ARE YOU REGISTERING? __________________________________________________________
PRE-CONFERENCE WORKSHOP MONDAY, NOVEMBER 1, 2010 (LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS)
☐ EPR01: Making Exchange Highly Available – Brilliance in Resilience (HANDS-ON WORKSHOP) O’DOWD, 9AM – 4PM, $449
☐ WPR01: Windows 7 Deployment Master Class LAYFIELD, 9AM – 4PM, $399
☐ HPR01: SharePoint 2010 Professional Development Workshop SHUPPS & BOGUE, 9AM – 4PM, $399
☐ HPR02: SharePoint Collaboration Jumpstart HOLME, 9AM – 4PM, $399
POST-CONFERENCE WORKSHOPS FRIDAY, NOVEMBER 5, 2010 (LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS)
☐ EPS01: Exploring Exchange 2010 - Configure and Supporting (HANDS-ON WORKSHOP) O’DOWD & PHILLIPS, 9AM – 4PM, $449
☐ EPS02: Communication Server 14 (AKA OCS) – First Look Preview (HANDS-ON WORKSHOP) FOREMAN, 9AM – 4PM, $449
☐ HPS302: Dan Holme’s Windows Administration Master Class HOLME, 9AM – 4PM, $399
☐ WPS01: Windows PowerShell v2 “Zero Scripting” Master Class JONES, 9AM – 4PM, $399
☐ HPS301: Advanced SharePoint 2010 Administration with Todd and Shane KLINDT & YOUNG, 9AM – 4PM, $399
CONFERENCE MATERIALS
FULL CONFERENCE REGISTRATION INCLUDES MATERIALS FOR THE CONFERENCE FOR WHICH YOU REGISTER; YOU MAY PURCHASE MATERIALS FOR THE OTHER CONCURRENTLY RUN EVENTS.
☐ Microsoft Exchange Connections Conference and Expo CD: $75
☐ Windows Connections Conference and Expo CD: $75
☐ SharePoint Connections Conference and Expo CD: $75
☐ CHECK (payable to Penton Media). All payments must be in US currency. Checks must be drawn on a US bank.
☐ CREDIT CARD: ☐ VISA ☐ MASTERCARD ☐ AMEX
CREDIT CARD NO. / EXPIRATION DATE
Cardholder’s Signature / Cardholder’s Name (print)
TOTAL
TAX DEDUCTION
Your attendance at a DevConnections conference may be tax deductible. Visit www.irs.ustreas.gov and look for topic 513 - Educational Expenses. You may be able to deduct the conference fee if you undertake to (1) maintain or improve skills required in your present job; (2) fulfill an employment condition mandated by your employer to keep your salary, status, or job.
GROUP DISCOUNT
Register individuals from one company at the same time and receive a group discount. Call 800-438-6720 to take advantage of group discount pricing.
1-3 registrants: $1,595 per person
Additional registrants after the 3rd (4th, 5th, 6th...): $1,395 per person ($200 off each)
18 | Register Today! Call 800-505-1201 | www.WinConnections.com
Notes & Policies: The Conference Producers reserve the right to cancel the conference by refunding the registration fee. Producers can substitute speakers and topics and cancel sessions without notice or obligation. Updates will be posted on our Web site at www.DevConnections.com. Tape recording and photography are not allowed at any session. Conference producers will be taking candid pictures of events and reserve the right to reproduce them. By attending this conference you agree to this policy. You may transfer this registration to a colleague by notifying us before the start of the event. Please inform us if you have any special needs or dietary restrictions when you register. The conference registration includes the following subscriptions. This is not an additional expense and subtraction from prices listed is not permissible. Exchange and Windows Connections registration includes a one-year (12 issues) print subscription to Windows IT Pro magazine for Exchange and Windows conference attendees only. Current subscribers will have an additional 12 months added to their subscription. Subscriptions outside of the United States will be served in digital; $12.50 of the funds will be allocated toward a subscription to Windows IT Pro ($49.95 value). SharePoint Connections registration includes a print subscription (4 issues; Nov, March, June, Sept) to SharePointProConnections magazine for SharePoint and Windows conference attendees only. Current subscribers will have an additional one year (4 issues) added to their subscription. Subscriptions outside of the United States will be served in digital.
Registration & Cancellation Policy: Registrations are not confirmed until payment is received. Cancellations before September 28, 2010 must be received in writing and will be refunded minus a $100 processing fee. After September 28, 2010, cancellations and no-shows are liable for full registration; it can be transferred to the next Conference within 12 months or to another person.
Microsoft, Microsoft .NET, ASP.NET, Visual Studio.NET, Microsoft SQL Server, Exchange and Windows are either trademarks or registered trademarks of Microsoft Corporation. All other trademarks are property of their owners.
HOTEL INFORMATION
HOTEL ACCOMMODATIONS
Mandalay Bay Resort and Casino, 3950 Las Vegas Blvd. South, Las Vegas, Nevada, is the conference site and host hotel. SPACE IS LIMITED, so reserve your room early by calling the conference hotline at 800-505-1201 or 203-400-6121.
AIRLINE
Please call Pericas Travel at 203-562-6668 for airline reservations.
CAR RENTAL
Hertz is offering auto rental discounts to attendees. Call the Hertz Meeting Desk at 800-654-2240 for reservations and refer to code CV# 010R0043 (Hertz) under Connections Vegas to receive your attendee discount.
ATTIRE
The recommended dress for the conference is casual and comfortable. Please bring along a sweater or jacket, as the ballrooms can get cool with the hotel’s air conditioning.
SPONSORSHIP/EXHIBIT INFORMATION
For sponsorship information, contact Rod Dunlap, phone 480-917-3527, e-mail [email protected]. See the Web site for more details: www.WinConnections.com
Enjoy the excitement of one of Las Vegas’ premiere hotels! Positioned at the south end of The Strip, Mandalay Bay Resort and Casino offers elegance, excitement and escape. Enjoy its restaurants, entertainment and enormous beach-pool, as well as wireless internet in your room and optional VIP access to shows, restaurants, the spa and more.
Penton Media, c/o Tech Conferences, Inc., 731 Main Street, Suite C-3, Monroe, CT 06468
Mailroom: If addressee is no longer here, please route to MIS Manager or Training Director
CHECK WEB SITE FOR DESCRIPTIONS OF SESSIONS AND WORKSHOPS
www.WinConnections.com • 800.505.1201 • 203.400.6121 • Register Early!
Book by July 29th to get a special rate of $149 (a limited number of rooms at this rate, so reserve today).
“THE CONVERSATION BEGINS HERE” NOVEMBER 1-4, 2010
LAS VEGAS • MANDALAY BAY RESORT & CASINO
PRODUCT REVIEWS
www.windowsitpro.com | We’re in IT with You | Windows IT Pro | AUGUST 2010 | 65
Michael Dragone | [email protected]
Spiceworks 4.5
IT management tools are as varied as blades of grass on a freshly mowed lawn. It’s often difficult to slice through vendor marketing-speak to obtain the details you need to determine if a management tool is right for you and your environment. For example: Does the tool support all the OSs you use? What about non-computer devices, such as routers and switches? Does the tool take a software inventory from your computers, or just a hardware inventory? How do you obtain technical support if you need it? How much will the product cost you in licensing fees? One product that aims to solve all of your IT management woes is Spiceworks.

This software includes management, monitoring, inventory control, and a ticketing system, all in one package. You might have already heard of Spiceworks from a colleague, because it’s reasonably popular for one key reason: It’s free. The caveat of the software being free is that you have to see ads while you use it, but I found the ads to be unobtrusive. You can purchase a version that has the ads removed if you find them to be too cumbersome. I reviewed Spiceworks 4.5 from the perspective of someone who has heard good things about the software but doesn’t know much about it other than the fact that it’s a free IT management product.

I installed Spiceworks on a Windows XP SP3 machine and ran it against a mixed test network consisting of XP, Windows Vista, Mac OS X 10.6, and Red Hat Enterprise Linux 10 computers. The network also contains a variety of networking gear from Cisco. Spiceworks’ system requirements are modest; the documentation states that a machine with a 1GHz Pentium III processor (remember those?), with 1GB of RAM, running XP SP2, Windows Server 2003 SP1, or Windows Server 2008 is sufficient. For a comprehensive list of the items Spiceworks can discover and manage, see the Spiceworks Requirements page at community.spiceworks.com/help/Spiceworks_Requirements.

Installing Spiceworks appears to be a cinch at first. You go to the Spiceworks website and click any of the bright orange links that invite you to download and install the product. A single executable file downloads to your computer without you having to sign up for any type of account or provide an email address. The file is reasonably sized (about 20MB) and downloads quickly.

When the installation routine launches, the first screen asks which port you want to have Spiceworks listen on. The default is port 80, which is a clue that indicates how Spiceworks will interact with you; the software installs the Apache web server. This is important to note if you plan to install Spiceworks on a machine that’s already running a web server on port 80. You’ll either need to adjust one of the servers to run on a port other than 80 or install Spiceworks on a different machine.

The installation process proceeds quickly from that point and offers to launch Spiceworks when the install is complete. Here is where I ran into my only real technical issue. The initial launch of Spiceworks took an abnormally long time, about two minutes, with the Spiceworks.exe process consuming 50 percent of the CPU usage. This occurred only on the first launch of the product, however.

One annoying requirement is that you must sign up for a Spiceworks account when you launch the product for the first time. It’s unclear from the sign-up form if this is a local account, isolated to your own Spiceworks installation, or if your information will be sent to Spiceworks even if you clear the check boxes for receiving partner offers and participating in surveys. I cleared both check boxes and signed up with a valid email address that I use for testing—and I did receive a few email messages of the “Welcome to Spiceworks” variety.

The next screen is where the good stuff starts to happen. You can configure the product to start with an inventory, the Help desk (ticketing) feature, or Spiceworks community support. I was most interested in the inventory functionality because I wanted to see how well Spiceworks could find and analyze my network, so I selected Start with Inventory.

To avoid immediately subjecting my network to any invasive testing, I opted to have the software first scan the machine it was running on. Isolating the selection process to target just the local machine by IP address and selecting an account with administrator-level privileges to run the scan with was easy. A dialog box launches to indicate that the scan is in process.
Scanning a machine is a quick yet thorough process. If you have a host-based firewall installed, you need to ensure that exceptions are created to allow Spiceworks to access the system. After this is done, Spiceworks can determine a myriad of details from the base hardware (e.g., CPU, RAM, free disk space), as Figure 1 shows, all the way to a list of installed software, including various updates to the software, as Figure 2 shows. The software also captures details such as the last time the system was rebooted.

Figure 1: Viewing configuration details

After my local machine was successfully scanned, I expanded the scan to a local subnet, supplied the appropriate credentials, and received results with similar details. One item to note is that Spiceworks never detected any antivirus software on any of the machines I ran it against, although I do have up-to-date antivirus software installed. Some quick investigating on the Spiceworks website proved this behavior is to be expected. Spiceworks claims to be able to detect any antivirus software that integrates with Windows Security Center. Although all the test machines I was using had managed antivirus software installed, Windows Security Center was turned off.

I attempted to have Spiceworks scan a subnet consisting primarily of networking devices. This was far less successful, because many of these devices are desktop switches and consumer routers that don’t respond to SNMP queries. Spiceworks can’t query a networking device that doesn’t respond to SNMP, even if the device supports Secure Shell (SSH) access, as some of my devices do. This might also explain why, when I asked Spiceworks to create a map of my network, several intermediary switches were missing from the map. I had to manually add some devices that Spiceworks couldn’t capture automatically.

The product was also unable to monitor the health of an Exchange 2007 server on my network. Unfortunately, Spiceworks can monitor only Exchange 2003 servers. This limitation is especially disappointing because Exchange 2003 will soon leave Microsoft’s Extended Support phase. It would be nice to see support for newer versions of Exchange.

Despite the few shortcomings, overall I was impressed with Spiceworks’ inventory capabilities. After I was done giving the inventory functionality a thorough test, I moved on to the Help desk component.

Spiceworks provides a comprehensive ticketing system in the Help desk arena. Creating a new ticket is a straightforward process. The ticketing system is fully aware of the gathered inventory and lets you reference any of your assets. A list of open tickets and their assignees is provided. Editing an existing ticket is also very straightforward. Any IT professional who has used even the most basic of ticketing systems will feel right at home with the Spiceworks system. The software also includes the ability to track services, such as support contracts and ISP subscriptions. This is a great feature because it lets you see the status of your services at a glance. You can also reference your services in Help desk tickets just as you can reference your assets. These features all tie together nicely with Spiceworks’ monitoring and alerts.

The product lets you specify a plethora of options for monitoring not only your connected computers and devices but also your services (e.g., the end date of a contract). Options range from the basics, such as remaining disk space, to the advanced, such as software compliance. At a periodic interval that you can adjust, Spiceworks sniffs your connected computers and devices to ensure they are in compliance. No agents are necessary, although you need administrator-level access to the scanned machines. Windows Management Instrumentation (WMI) must also be configured for Spiceworks to gather information.

Overall, I was impressed with Spiceworks. The most compelling feature of the product, aside from the $0 price tag, is the way all the components tie in together. You don’t have to maintain separate lists of assets or use another interface to query a network device. Everything is integrated in the single Spiceworks interface. My only concern with the product is that its simplicity is a bit deceiving at first. If you dive right in like I did for review purposes, you could be caught off-guard. You need to think about where you will install Spiceworks, especially if you already have a web server installed. In addition, you need to make sure you have the proper credentials to access your devices and computers and ensure that any host-based firewalls are configured to allow Spiceworks access. Taking these few preliminary steps before you jump in will ensure a good experience from the get-go. Uninstallation is also a cinch, leaving little to no cruft behind. You have little to lose and a lot to gain by giving Spiceworks a try. I highly recommend it.

Figure 2: Finding installed software

InstantDoc ID 125235

Spiceworks 4.5
PROS: Comprehensive; easy to use; free
CONS: More involved setup and installation than the documentation suggests
RATING:
PRICE: Free
RECOMMENDATION: Recommended for administrators who want a comprehensive management package that won’t break the bank.
CONTACT: Spiceworks • 512-346-7743 • www.spiceworks.com
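The review lists three things an agentless scan like this depends on: a free TCP port 80 for the bundled Apache server, host-based firewall exceptions so the scanner can reach each machine, and administrator-level credentials with WMI available on the targets. The PowerShell script below is an added example written for this page, not Spiceworks’ own code; it checks those three prerequisites before the first scan is run. The hostnames are constructed placeholders, the scan account is hypothetical, and the script assumes Windows PowerShell 2.0 or later on the scanning machine.

```powershell
# Added example (not part of Spiceworks): pre-flight checks for an agentless WMI inventory scan.
# Hostnames below are constructed placeholders; replace them with machines you administer.

$Targets     = @('ws-test-01', 'ws-test-02', 'localhost')   # constructed sample list
$ScannerPort = 80                                            # the scanner's default web port
$ScanCred    = Get-Credential                                # dedicated scanning account (hypothetical)

# 1. Will the scanner's web port collide with a web server already listening on this machine?
function Test-LocalPortFree {
    param([int] $Port)
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $inUse = $props.GetActiveTcpListeners() | Where-Object { $_.Port -eq $Port }
    return ($inUse -eq $null)
}

# 2. Is the RPC endpoint mapper (TCP 135) reachable? DCOM/WMI needs it, and a host firewall
#    without an exception for the scanner typically shows up here as a connect timeout.
function Test-TcpPort {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 3. Does the scan account actually get WMI data back? Win32_OperatingSystem is the class an
#    inventory tool reads for OS details and last boot time. Get-WmiObject rejects -Credential
#    for the local machine, so it is omitted there.
function Test-WmiAccess {
    param([string] $ComputerName, [System.Management.Automation.PSCredential] $Credential)
    try {
        if ($ComputerName -eq 'localhost' -or $ComputerName -eq $env:COMPUTERNAME) {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ErrorAction Stop
        } else {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName `
                                -Credential $Credential -ErrorAction Stop
        }
        return ($os -ne $null)
    } catch {
        return $false
    }
}

if (-not (Test-LocalPortFree -Port $ScannerPort)) {
    Write-Warning "TCP $ScannerPort is already in use on this machine; pick another port or another host."
}

# One row per target; a False in either column is a firewall or credential problem to fix before scanning.
$Targets | ForEach-Object {
    New-Object PSObject -Property @{
        ComputerName = $_
        RpcReachable = Test-TcpPort   -ComputerName $_ -Port 135
        WmiAccess    = Test-WmiAccess -ComputerName $_ -Credential $ScanCred
    }
} | Format-Table ComputerName, RpcReachable, WmiAccess -AutoSize
```

Because an agentless scanner ends up holding administrator credentials for every machine it inventories, running it under a dedicated scan account rather than a day-to-day admin account limits what is exposed if the scanner host itself is compromised; the script prompts for that account rather than embedding a password.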
Rove Mobile Admin
If you’re like most system administrators, you’re either on-call on a set rotation or on-call all of the time. With laptops and netbooks, you can roam freely when you aren’t physically at work, but even a light computer is a pain to lug around. Rove Mobile Admin solves this problem by providing phone-sized administration tools that let you handle emergencies as well as perform routine maintenance on your servers and network infrastructure.

What can you do with Rove Mobile Admin? Besides managing Windows and Active Directory (AD) from your phone, you can manage Cluster service, DHCP, DNS, Exchange Server, Hyper-V, IIS, and SQL Server. That’s just the supported Microsoft software. You can also manage Citrix, HP Integrated Lights-Out (iLO), IBM Lotus Domino, Novell NetWare, Oracle, Research in Motion BlackBerry Enterprise Server, RSA, Symantec Backup Exec, VMware, and more. If the software that you need to manage isn’t supported, you can use the included remote desktop client and do it the old-fashioned way. You can also manage a network through a Telnet or Secure Shell (SSH) connection.

There are two editions of the product: Professional ($595 per CAL) and Basics ($295 per CAL). For the most part, the Basics edition supports only Windows and AD, but that might be enough to meet your needs. If you need to manage a NetWare, Oracle, SQL Server, or virtual environment or advanced Microsoft technologies like Cluster service or IIS, you’ll need to invest in the Professional version. (You can check out the differences between the two editions at www.roveit.com/products.)

Rove Mobile Admin requires the .NET Framework 2.0 and can be installed on a domain controller (DC) or another server. Licensing for the product is provided by an activation code that requires that the server be connected to the Internet. The installation is quick and painless—it literally takes two minutes from start to finish. After the software has been installed, you simply point your mobile device to Rove Mobile Admin’s website and install the client on your phone. However, if you have an iPhone, you need to download the app from the iTunes Store.

I used my iPhone to test the functionality of the Rove Mobile Admin Professional edition. You can also use it with Apple iPod, BlackBerry, Google Android 1.5+, and Windows Mobile 6 mobile devices. Like any form of remote access, the first hurdle is to open a secure network path from your phone to the Rove Mobile Admin server. Make sure that your connection adheres to your company’s security policy. For example, some companies might require a VPN connection, whereas others might simply require an SSL connection through port 4054.

For my tests, I used the iPhone’s Wi-Fi connection to access my virtual test network, which consists of a DC running Windows Server 2003 and Exchange Server 2003. The first thing I noticed was how simple and clean the interface was. There isn’t a lot of real estate on a smartphone screen, and Rove Mobile Admin makes good use of the limited space, as Figure 1 shows. I spent some time in the various areas of the Rove Mobile Admin tool and found each area intuitive and easy to use. I tested the command-prompt feature and remote desktop connection—I could see myself using these in times when I didn’t have a laptop handy. On my Exchange server, I edited the storage limits and viewed the mail queue. And I quickly reset a user’s password with just a few clicks—a perfect example of a problem that often pops up at the most inopportune time.

I sure don’t like to be called in the middle of my golf game to fix a networking issue. However, if I do, at least I know I can quickly solve the problem with this useful tool.
InstantDoc ID 125358
Rove Mobile Admin
PROS: Easy to set up; makes remote administration a breeze; supports the software you’d expect it to, plus tons more
CONS: None
RATING:
PRICE: $595 per CAL for the Professional version; $295 for the Basics version
RECOMMENDATION: If you need remote administration capabilities on a mobile device, you owe it to yourself to give this product a serious look.
CONTACT: Rove • 888-482-3646 • www.roveit.com
Figure 1: Managing services with Rove Mobile Admin
Eric B. Rux | [email protected]
REVIEW
68 AUGUST 2010 Windows IT Pro We're in IT with You www.windowsitpro.com

PRODUCTS
REVIEW
Kerio Connect 7

I have to admit that, being an Exchange guy, I came into this review with a bit of a prejudice against any Exchange alternative. I've been asked to look at several during my career with the aim of saving money, and none of them passed my tests for functionality or usability. Kerio Connect 7 succeeded where competitors had failed.

Aimed at small companies and offered at a very attractive price, Kerio Connect 7 delivers the functions that most small companies want—email, calendaring, and mobile access. Installation is quick and easy, and the administration interface, which Figure 1 shows, is well laid out. When I set it up in my lab to do this evaluation, I found that the Linux install (Kerio runs on Windows, Linux, and Mac OS) wasn't any more difficult than the Windows install, again putting it ahead of much of its competition. The wizard asks you most of what you need to get up and running, including DNS domain information, and enables all of the common client protocols for you. Integration with Active Directory (AD) is straightforward and requires little effort on the part of the administrator. The only negative here is that although it's easy to import users from AD, there's no ability to bring in groups to use as mailing lists. These must be managed separately within Kerio Connect.

All of the security features you'd expect in a mail server are present, including antivirus, spam, and attachment filtering. The attachment filtering is configured to block according to common best practices by default. Like everything else in the product, security is easy to configure. McAfee's antivirus engine is included and activated by default, and there's also an option to enable other engines. Backup capabilities are included as well, allowing for traditional backup scheduling, and again, the defaults are configured out of the box according to long-standing best practices. Tape backup isn't supported, but backup to a network location is available. Robust logging and a traffic-chart feature make troubleshooting and monitoring easy. The logs are well organized and verbose without confusing the reader.

Mobile devices are supported via ActiveSync functionality. To end users, this means that they won't know the difference between an Exchange back end and the Kerio Connect server. Also added to the new release is native support for Apple's iPad device, giving Kerio the unique bragging rights to being the first to explicitly support the iPad. Finally, included in the list of features is a must-have for any Exchange alternative—an Outlook plugin that gives your end users the experience they know and are comfortable with by allowing Outlook to connect with Kerio Connect.

So, what does it all mean? Well, it means that if you have a small company, and no need for a highly available (which usually means highly expensive) solution, Kerio will probably be a good fit for you. Most Exchange alternatives currently on the market have made big investments in adding features to their webmail in order to woo customers. Although this is attractive to those of us who go in for those things, our users typically want comfort more than anything, and that's where Kerio Connect shines. It presents a familiar end-user experience regardless of the connection method.

Kerio really seems to know its target market, and the company is giving users exactly what they want—a simple solution that meets their needs without a steep learning curve. Not only that, but the company does it at an initial price of $540 for a server license, which includes five user licenses. (Additional user licenses are a reasonable $28.80 each.) These prices are for one-year licenses that include support, virus definition updates, and version updates. After your first year, server renewal is $162, and your additional users are $8.60 each. You can order without the antivirus licensing, but the pricing more than justifies going for the whole package.

I stated earlier that I had a prejudice against Exchange alternatives, but I have to say that if I had a small customer who was looking for an in-house email solution that was affordable, I'd definitely recommend Kerio.

InstantDoc ID 125453

Kerio Connect 7
PROS: Inexpensive; easy to configure and maintain; low barrier to entry for small businesses
CONS: No high availability option; no native use of AD groups for mailing lists, so user and group administration has to happen in two places; not feasible for larger businesses because of these weaknesses
RATING:
PRICE: First year: $540/server with five user licenses, $28.80/user (sold in packs of 5); renewals: $162/server and $8.60/user
RECOMMENDATION: Kerio Connect is an affordable and easy-to-maintain solution for small companies. The product might not be a good option for a small business with a large budget that wants advanced Exchange features such as high availability, Outlook Voice Access, and Unified Messaging.
CONTACT: Kerio Technologies • 888-775-3746 • www.kerio.com

Ryan Femling | [email protected]

Figure 1: Kerio's interface
Hardware inventory and asset management have never been administrators' favorite tasks. In small to midsized IT shops, or those with limited budgets, administrators often get by with ad hoc scripted solutions using Windows Management Instrumentation (WMI) and a hodgepodge of spreadsheets, text files, and duct tape. However, Neutex Systems offers a more cost-effective and easier-to-use solution called NetPoint Pro. This agentless solution leverages existing Windows technologies such as WMI and Active Directory (AD) that you already know and trust.

Installation
NetPoint installs on just about every Windows OS. But because it requires IIS, you'll most likely install it on a server. It also requires a Microsoft SQL Server back end, but this can be one of the free express editions of SQL Server 2008 or 2005. You don't need to run the web server on the database server, but for my small-scale test I elected to use Windows Server 2008 R2. During setup, you can specify what database server to use. If you want to use the included Windows PowerShell snap-in, you'll need PowerShell 2.0.

NetPoint ships 32- and 64-bit versions that install with minimal configuration. The current version is limited to managing computers in a single AD domain. Future versions should support querying a global catalog server, which will simplify configuration for more complex environments.

My installation, using an existing SQL Server instance, took only a few minutes. After it loaded, I configured NetPoint through its web interface. There I added my license file and set up my polling schedule. The server will poll all computer accounts it finds in the current AD domain for hardware and software inventory information. I quickly inventoried items such as memory, disks, printers, drivers, and OSs.

Uses Existing Technologies
NetPoint uses WMI primarily for its inventorying. In almost all Windows-based networks WMI is enabled and accessible, which means no agents to install. Because it uses WMI, your computers are most likely already properly configured. You don't have to worry about what WMI class to use. All results are stored in the SQL Server database. NetPoint also tracks when components are added or removed, such as memory or disk drives. You can even subscribe to an RSS feed to alert you when a change is made. Email alerts aren't supported in the current version.

NetPoint utilizes AD to discover computer objects and can't manage non-domain and non-Windows computers. You can configure a standard polling schedule for all computers, perform on-demand polling, or use an included VBScript as a computer start-up script to provide auto-polling.

Asset and System Management
The web interface is easy to use and querying systems couldn't be simpler. Need to know what OSs are deployed? A click or two provides the answer. (See Figure 1.) You can also supply non-WMI information such as purchase order and procurement dates, making this a basic, yet effective, asset management system. NetPoint Pro includes a great set of PowerShell cmdlets for managing inventory information.

Another terrific feature is the ability to track application licenses. You define the application by associating one or more queried products with a license count and purchase information. You can then tell at a glance if you're in compliance or not.

NetPoint Pro is licensed per inventoried computer on a sliding scale starting at $5 per computer in 25-unit bundles. Neutex also offers a free version, NetPoint Essentials. You can inventory (hardware-only) an unlimited number of systems for free. But you miss out on other features such as PowerShell support, license tracking, remote desktop, and on-demand polling. You can unlock these features by installing a NetPoint Pro license.

Great for Small Shops
For large and complex enterprises, I don't feel NetPoint Pro's feature set is mature enough to meet their needs. For example, multi-domain environments require a polling server in each domain and some tweaking via scripts. But for small to midsized shops lacking an affordable, easy-to-use inventory and asset management solution, NetPoint Pro is the solution you've been looking for.
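The review describes NetPoint's approach only in outline: poll domain computers over WMI, store the results, and report when components such as memory or disk drives are added or removed. The script below is an added example of that same pattern, written for this page; it is not NetPoint's or Neutex's code, and it is the kind of ad hoc WMI inventory the review says small shops fall back on. From a defender's point of view the interesting part is the baseline comparison: an unexplained new disk or changed memory module on a server is worth a ticket. It assumes PowerShell 2.0, WMI (DCOM) access and rights on the target computers, and a hypothetical local folder C:\Inventory for the previous snapshot.

```powershell
# Added example (not NetPoint's code): WMI hardware inventory with change detection.
# Assumes PowerShell 2.0+ and WMI/DCOM access to the target computers.
# $InventoryRoot is a hypothetical path chosen for this example.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$InventoryRoot  = "C:\Inventory"   # hypothetical snapshot folder
)

function Get-HardwareInventory {
    param([string]$Computer)
    # Standard Win32_* classes; -ErrorAction Stop makes WMI failures catchable below.
    $cs   = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $Computer -ErrorAction Stop
    $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
    $mem  = Get-WmiObject -Class Win32_PhysicalMemory  -ComputerName $Computer -ErrorAction Stop
    $disk = Get-WmiObject -Class Win32_DiskDrive       -ComputerName $Computer -ErrorAction Stop

    # Flatten each component to one line so snapshots can be compared line by line.
    $components = @()
    $components += "OS: $($os.Caption) $($os.Version)"
    foreach ($m in $mem)  { $components += "Memory: $($m.DeviceLocator) $([int]($m.Capacity / 1MB)) MB $($m.SerialNumber)" }
    foreach ($d in $disk) { $components += "Disk: $($d.Model) $([int]($d.Size / 1GB)) GB $($d.SerialNumber)" }

    New-Object PSObject -Property @{
        Computer     = $cs.Name
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        Components   = ($components | Sort-Object)
    }
}

function Compare-Inventory {
    param([string[]]$Previous, [string[]]$Current)
    # Compare-Object lists lines present on only one side: '=>' is new, '<=' is gone.
    Compare-Object -ReferenceObject $Previous -DifferenceObject $Current |
        ForEach-Object {
            $kind = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            "$kind`t$($_.InputObject)"
        }
}

if (-not (Test-Path $InventoryRoot)) {
    New-Item -ItemType Directory -Path $InventoryRoot | Out-Null
}

foreach ($c in $ComputerName) {
    try {
        $inv = Get-HardwareInventory -Computer $c
    } catch {
        # Unreachable host, RPC blocked by a firewall, or insufficient rights.
        Write-Warning "WMI query failed for $c : $_"
        continue
    }

    $file = Join-Path $InventoryRoot "$c.txt"
    if (Test-Path $file) {
        # Compare against the snapshot from the previous poll and report drift.
        $changes = Compare-Inventory -Previous (Get-Content $file) -Current $inv.Components
        if ($changes) {
            Write-Output "Hardware changes on $c since last poll:"
            $changes | Write-Output
        }
    }

    # The current snapshot becomes the baseline for the next poll.
    $inv.Components | Set-Content -Path $file
    $inv | Select-Object Computer, Manufacturer, Model
}
```

Run it on a schedule (Task Scheduler, or a start-up script as the review mentions) and the first poll only writes the baseline; later polls print an Added/Removed line for every memory module or disk that differs from the stored snapshot. NetPoint stores its results in SQL Server and exposes them as an RSS feed; this version uses flat text files so that it has no dependencies beyond WMI.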
InstantDoc ID 125442

NetPoint Pro
PROS: Easy to install and use; cost-effective price point; leverages existing technologies such as WMI and Active Directory; PowerShell cmdlets available
CONS: Limited access control; can query only single-domain members; no email notifications; simple polling options, typical of its limited enterprise features
RATING:
PRICE: NetPoint Pro starts at $5 per computer; NetPoint Essentials is free
RECOMMENDATION: Small to midsized shops should give NetPoint Pro a try; larger, more complex organizations will need a more complete solution. Watch Neutex for future releases.
CONTACT: Neutex Systems • 415-763-8839 • www.neutex.net

Jeffery Hicks | jdhitsolutions.com/blog and twitter.com/jeffhicks

Figure 1: NetPoint Pro OS display
REVIEW
VMware Workstation 7.0 Rises Above the Virtual Pack
Desktop virtualization products in a nutshell

Michael Otey | [email protected]

Although virtualization currently revolves around server virtualization products such as Microsoft's Hyper-V technology and VMware's ESX Server, the virtualization trend actually began on the desktop with the original VMware Workstation product launched back in 1999. Today, desktop virtualization remains a vital technology for IT and developers. Developers use desktop virtualization to test applications on multiple platforms and to easily roll back changes brought about by application testing. Help desk and QA professionals use it to replicate end-user scenarios. IT professionals use it for hosting legacy applications and testing OS changes and patches. The latest release of the Workstation product, VMware Workstation 7.0, sets a new standard for desktop virtualization.

Desktop vs. Server Virtualization
Unlike the current crop of server virtualization products that are hypervisor based, VMware Workstation is a hosted virtualization solution. This means that the virtualization layer runs on top of a host OS. Hosted virtualization doesn't offer the same levels of performance and scalability as hypervisor-based virtualization. However, hosted virtualization solutions can offer a level of integration with the host OS that exceeds what hypervisor-based solutions can offer. This integration makes desktop virtualization a good solution for desktop development scenarios, which don't need the scalability or performance required by server virtualization but can benefit from the greater degree of host desktop integration. For more information about desktop virtualization products using a hosted virtualization architecture, refer to the sidebar, "An Overview of Desktop Virtualization Products", page 71.

Installation and Testing
VMware Workstation runs on virtually all releases of Windows as well as every major Linux distribution. It supports over 400 guest OSs including Windows 7 and Windows Server 2008 R2. I installed Workstation 7.0 on a 64-bit Windows 7 desktop with 4GB of RAM. After completing a pretty hefty 525MB download, the installation of Workstation 7.0 was uneventful, taking only a few minutes. The installation process required me to input a rather lengthy license code, then rebooted the system when it was complete. You can see the VMware Workstation 7.0 console in Figure 1.

Creating and Importing Virtual Machines
On the technical side, Workstation 7.0 supports virtual machines (VMs) with up to four virtual processors. To take advantage of this, you must have at least four cores in your host. Support is available for up to 32GB of RAM per VM. VMs can also be encrypted using 256-bit AES encryption. Workstation 7.0 VMs support USB, DVD, CD-ROM, sound, and webcam devices. With Workstation 7.0, you create new VMs using the New Virtual Machine wizard, which steps you through creating a VM, including installing the OS. As you can see in Figure 2, the wizard even lets you set your Windows product code and the Windows machine name and initial password. Another nice touch is that VMware tools are automatically installed in the guest OS.

In addition, Workstation 7.0 can import VMs using its built-in Conversion Wizard. You launch this wizard using the File, Import and Export option. The Conversion Wizard can perform a Physical-to-Virtual (P2V) conversion as well as convert Microsoft Virtual PC and Virtual Server VMs, but it doesn't support the conversion of Hyper-V VMs. The wizard leaves the source VM intact and outputs a new VM that contains the VMware device drivers.

3D Graphics Support
One limitation of VMs has been their lack of support for graphically intensive applications. Graphical drawing and rendering programs, games, and advanced graphics such as the Windows Aero interface couldn't run in a VM because they used the physical graphics adapter, which VMs couldn't directly address. Instead, VMs were limited to the capabilities provided by a virtual graphics adapter.

However, Workstation 7.0 includes advanced 3D graphics for VMs, including the ability to support the Windows Aero interface. VMware developed a new graphics driver that's compliant with the Windows Display Driver Model for Windows Vista and Windows 7 VMs and is capable of displaying the Windows Aero UI. (It also supports OpenGL 1.4 and Shader Model 3.0.) Workstation 7.0 is well integrated with the new Windows 7 desktop. You can see Workstation 7.0's integration with the Windows 7 taskbar and its support for showing running VMs in Jump Lists in Figure 3.

Other advanced features include support for the Unity feature. Introduced in Workstation 6.5, Unity provides seamless desktop VM application integration similar to Windows 7's XP Mode. Workstation also has a capture movie feature that can record all activity in a VM and save it in AVI format.

Workstation 7.0 offers the ability to take an unlimited number of VM snapshots, to create full or linked VM clones, and to create VM teams, which are a collection of VMs connected by one or more private network segments. You can control the boot order between the different VMs.

Another cool feature in Workstation 7.0 is the ability to print from VMs without mapping network printers or installing printer drivers in each VM. Virtual printing enables all of the printers installed on the host OS to be automatically available to the guest OSs in each VM.

At the Top of the Heap
VMware Workstation was the first product in the desktop virtualization space, and its maturity shows in its advanced feature set: Workstation 7.0 is the clear leader in the desktop virtualization market. However, at $189, Workstation 7.0 is also one of the most expensive desktop virtualization products on the market. If you need 3D support or Workstation's other advanced features, it's worth the price. A 30-day trial is available. Desktop virtualization doesn't get any better than this.

InstantDoc ID 125447

VMware Workstation 7.0
PROS: Extremely broad host and guest OS support; VM support for 3D graphics and the Windows Aero interface; support for snapshots, clones, and virtual printers
CONS: More expensive than all the competing desktop virtualization products
RATING:
PRICE: $189
RECOMMENDATION: If you need a desktop virtualization product with a full set of top-of-the-line features, then VMware Workstation 7.0 is a must-have.
CONTACT: VMware • www.vmware.com/products/workstation

Figure 1: VMware Workstation 7.0
Figure 2: Creating a new VM
Figure 3: VMware Workstation Jump Lists

An Overview of Desktop Virtualization Products

They say you get what you pay for; however, in terms of desktop virtualization products, you can get a lot of value from the free products that are available. Although these products don't offer anywhere near the same feature set as VMware Workstation, they are all very capable and most of them are free.

Parallels Desktop 4 for Windows & Linux
Parallels plays primarily in the desktop virtualization space with its Mac product, Parallels Desktop for Mac. Lagging behind the flagship Mac version is its Windows version, Parallels Desktop 4 for Windows & Linux, which runs on either x86 or x64 platforms. Unlike the other desktop virtualization products in this sidebar, Parallels Desktop 4 for Windows & Linux isn't free: The product retails for $79. For the price, the product does offer several cool features. On the technological side it supports VMs with up to eight virtual CPUs and up to 8GB of RAM per VM. It provides USB support for VMs and can take advantage of Intel-VT or AMD-V hardware virtualization if present. Parallels Desktop brings the Convergence feature to Windows, which essentially lets you seamlessly integrate VM applications with your Windows desktop similar to Windows 7 XP Mode. You can download a free trial of Parallels Desktop 4 for Windows & Linux at www.parallels.com/download/desktop/pd4wl. Parallels is currently working on a new version of Parallels Desktop for Windows & Linux, which should be out about the time this review is published. In addition, Parallels also offers the Parallels Workstation 4.0 Extreme desktop virtualization product. Like VMware Workstation 7.0, Parallels Workstation 4.0 Extreme provides support for 3D graphics. It supports up to 16 virtual CPUs per VM and up to 64GB of RAM per VM. The current version requires the Intel Xeon 5500 processor and NVIDIA Quadro FX graphics card with SLI-MOS technology. Parallels Workstation 4.0 Extreme costs $399. You can find out more about it at www.parallels.com/products/extreme/features#faster.

Microsoft Virtual PC 2007 and Windows Virtual PC
Microsoft's Virtual PC 2007 is more than three years old, which is like a millennium in the fast-moving virtualization market. When you combine that with the fact that this product was never close to being the technological leader in this space, well, you get the idea. However, the product still provides basic desktop virtualization for Windows-based VMs. Supported guests are limited to Windows. Linux will run, but Virtual PC 2007 has no Linux VM integration components and Linux isn't officially supported. Virtual PC 2007 supports x86 and x64 hosts. There is no x64 guest support, but it does support a single virtual CPU. VMs can access up to 3.6GB of RAM. It offers good multiple monitor support but no USB support in the VMs. Although Microsoft has essentially put Virtual PC 2007 out to pasture, it's the technology behind a couple of other Microsoft virtualization technologies, including the Med-V product, which is part of the Microsoft Desktop Optimization Pack (MDOP), and the new Windows Virtual PC for Windows 7. Virtual PC 2007 is free and can be downloaded at Microsoft's website (www.microsoft.com/windows/virtual-pc/support/virtual-pc-2007.aspx). Windows Virtual PC is the successor to Virtual PC 2007. It runs only on Windows 7, and it supports both x86 and x64 hardware. It offers several important improvements over Virtual PC 2007, including support for USB ports, support for Windows XP Mode—which allows seamless running of VM applications from a Windows 7 desktop—and integration with Windows Explorer for VM management, support for multiple threads, and host printer access for VMs. Like Virtual PC 2007, Windows Virtual PC lacks support for 64-bit guest OSs, and it's limited to one virtual CPU and 3.6GB of RAM per VM. Windows Virtual PC is an improvement over Virtual PC 2007, but its main purpose is really to support Windows XP Mode in Windows 7. Windows Virtual PC is a prerequisite for Windows XP Mode and is a separate download that you can find at www.microsoft.com/windows/virtual-pc/download.aspx. If you're confused about Virtual PC 2007 and Windows Virtual PC, just remember that Virtual PC 2007 is for Vista and earlier, whereas Windows Virtual PC is for Windows 7. You can get Windows Virtual PC from www.microsoft.com/windows/virtual-pc.

VMware Player 3.0
Another VMware product in the desktop virtualization space is the free VMware Player product. Previously, VMware Player was able to run only existing VMs and couldn't create new VMs. VMware Player 3.0 is now completely capable of creating VMs as well as running them. Player 3.0 runs on both x86 and x64 hardware and supports most Windows and Linux OSs for the host and in the guest VMs. Player supports VMs with four virtual processors and up to 32GB of RAM per VM. However, as you would expect, it lacks the high-end features found in VMware's Workstation product. For instance, Player doesn't support clones, snapshots, or VM recording. VMware Player 3.0 is free and can be downloaded at VMware's website (www.vmware.com/tryvmware/?p=player&lp=1).

Oracle VirtualBox 3.2
If you're immersed in the Windows world, you might not be familiar with the other major player in the desktop virtualization market: Oracle's VirtualBox (formerly Sun's VirtualBox). VirtualBox runs on x86 and x64 hardware and has the broadest host OS support of any of the desktop virtualization products. VirtualBox runs on Windows, Linux, Mac OS, and OpenSolaris. It provides support for VMs with up to 32 virtual CPUs and up to 1.5GB of RAM per VM on a 32-bit Windows host. This limit doesn't apply to 64-bit hosts. VirtualBox provides a virtual USB controller, enabling you to connect to physical USB devices on the host for your VMs. It also provides built-in support for up to eight monitors. One unique feature in VirtualBox is its support for teleportation, which is like live migration. Teleportation enables you to move VMs between hosts with no downtime for the VM. VirtualBox 3.2 is free and can be downloaded from dlc.sun.com/virtualbox/vboxdownload.html.

InstantDoc ID 125517
REVIEW
BUYER’S GUIDE
w w w. w i n d o w s i t p r o . c o m W e ’r e i n I T w i t h Yo u W i n d o w s I T P r o A U G U S T 2 0 1 0 73
SP R O D U C T
Information in this buyer’s guide comes from vendor
representatives and resources and is meant to jump-start, not replace,
your own research; also, some products might have been left out,
either as an oversight or from lack of vendor response.
SharePoint can be used for a variety of functions, including
as a document management solution, an organization-
wide intranet, a project management tool, and even as an
external-facing website. But at its core, SharePoint is an
information storehouse, logically segmenting your data
and enabling efficient collaboration, thereby reducing fear
of miscommunication, inconsistent versions, and lost documents.
Storing data on a SharePoint site makes sense for many organi-
zations. It reduces the load the local network handles and makes
collaborating on documents much easier. Plus, it offers customiz-
ability in terms of restricting and managing access to individuals
at varying levels within the company.
However, there is a downside. The Internet is only as secure as
the systems that protect it, and threats grow and evolve every day. In
today’s Internet age, where 10 million people were victims of identity
theft in 2008 (according to Javelin Strategy & Research Center), many
governmental agencies have pushed for compliance laws to prevent
future attacks. And according to the Privacy Rights Clearing House
data, which documents significant data breaches, wide-scale secu-
rity breaches occur almost every day in the United States (and since
2005, 354,537,108 records have been lost or stolen).
Evolution of Compliance LawsCompliance laws are good, in principle. They protect individuals and
businesses, and they force organizations to take seriously the threat
of data theft before it’s too late. However, each ounce of prevention
in compliance comes at a cost. According to a Financial Executives
International study, the average cost of Sarbanes-Oxley (SOX) com-
pliance in 2007 for large-scale enterprises was $1.7 million.
Like it or not, SOX is here, forcing all public companies to keep
industrious financial records. A number of other laws exist for specific
industries, such as the financial and medical industries (Gramm-
Leach-Bliley Act and Health Insurance Portability and Accountability
Act, respectively), where businesses have a special responsibility to
protect the personal information of clients. Finally, all companies
need to be aware of the possibility of e-discovery, when a lawsuit
requires a company to sift through all available electronic data (on
that company’s dime) for some form of data that holds weight in the
case. Lastly, there are specific statewide compliance laws that every
organization should be aware of. Together, these laws and standards
make ignorance out of the question, even for small organizations,
and force all companies to take compliance very seriously.
Native Tools on SharePoint and Their LimitationsFortunately, native compliance tools do exist on SharePoint.
Although they do not cover the same scope as third-party solutions,
they might offer sufficient compliance protection for some organiza-
tions. First, SharePoint lets you configure user permissions, letting
you prevent unauthorized access that could lead to data loss or theft.
SharePoint also has basic reports to audit site collections.
Some of the things that SharePoint’s native tools can’t do include:
audit data at levels other than the site collection level, prevent data
from being uploaded beforehand, audit sites based on more robust
criteria such as time frame, and track all site changes and deletions.
What to Look for in Third-Party SolutionsIt’s important to note that although each third-party solution in this
buyer’s guide seeks to solve the same common SharePoint difficulties,
each works differently. Which solution is best will vary by organization.
For instance, some of the more suite-like products, such as AvePoint’s
DocAve Auditor and Vyapin’s Admin Report Kit, offer auditing/
reporting, migration, and backup and recovery. Other products, such
as Muhimbi’s SharePoint Audit Suite, offer similar capabilities to
SharePoint’s native tools, but expand on the capabilities, offering more
in-depth auditing. Netwrix’s SharePoint Change Reporter, meanwhile,
offers change tracking but doesn’t focus on reporting.
In addition to auditing for compliance, you’ll also find that some
of the products that focus more heavily on reporting, such as Nintex
Reporting, also offer business efficiencies through this reporting. The
same types of reports that aid in compliance can help the business to
remain efficient through visibility into the organizational structure.
SharePoint Auditing and Reporting ToolsNavigate the sea of compliance laws and security “what ifs”
by Brian Reinholz
SHAREPOINT AUDITING & REPORTING TOOLS
74 A U G U S T 2 0 1 0 W i n d o w s I T P r o W e ’r e i n I T w i t h Yo u w w w. w i n d o w s i t p r o . c o m
Company Name Product Price (Per Server)
Change Tracking
Change Tracking to SQL Server
Multiple Site Tracking
Change Tracking to Web Parts
Track User Permissions
Track Details of Document Usage
AvePoint
www.avepoint.com 201-793-1111800-661-6588
DocAve Auditor $2,290 Yes Yes Yes Yes Yes Yes$2,290 Yes Yes Yes Yes Yes
Muhimbi
www.muhimbi.com+44-7799-624931
SharePoint AuditSuite
$799 Yes No Yes No Yes YesYes No Yes No Yes
NetWrix
www.netwrix.com201-490-8840888-638-9749
NetWrixSharePoint ChangeReporter
$300 firstserver, $75per additional server
Yes Yes Yes No Yes YesYes Yes No Yes
Nintex
www.nintex.com425-201-5840
Nintex Reporting 2008
Call for quote No No Yes No No YesNo No Yes No No
Quest Software
www.quest.com614-726-4768
Site Administrator for SharePoint
$2,995 Yes No Yes No Yes YesYes No Yes No Yes
ScriptLogic
www.scriptlogic.com800-813-6415
Enterprise SecurityReporter
$616 Yes Yes Yes Yes Yes YesYes Yes Yes Yes Yes
Syntergy
www.syntergy.com905-266-0676
Audit for SharePoint
$7,500 Yes Yes Yes No Yes YesYes Yes Yes No Yes
Vyapin Software
Systems
www.vyapin.com+91-44-24717142
Admin Report Kit forSharePoint2003/2007/2010
$1,099 Yes No Yes No Yes YesYes No Yes No Yes
In other words, individual compliance
needs will vary extensively depending on
the organization. Some organizations will
have constantly changing user documents
and spreadsheets that contain key informa-
tion, so tracking changes to these docu-
ments on a step-by-step level is essential for
measuring compliance. Other companies
will have stores of sales and contractual
data continually being uploaded to the
SharePoint site, so controlling, tracking,
and restricting new files uploaded to the
site would be very important. Whatever
your need, there is likely a solution in
place, but it’s important to understand the
differences.
Customization Is Always an Option

Because SharePoint is a very flexible tool, you might decide to have a developer custom-tailor reports that best serve your compliance needs. Although this might not be the most efficient model (in terms of cost and time), it might be valuable if you feel that your company's needs are radically different from most. My advice would be to carefully review your company's compliance needs with a security expert, and then discuss these needs with the vendors in this space to see how their solutions stack up. In the meantime, I encourage you to review the buyer's guide table, which offers insight into the capabilities of each offering and provides you with a head start.

InstantDoc ID 125249

Brian Reinholz ([email protected]) is editorial web architect for Windows IT Pro and SQL Server Magazine, specializing in training and certification.

SHAREPOINT AUDITING & REPORTING TOOLS (buyer's guide table; the product-name column is not present in the extracted text, so rows are listed in their original order)

| Export Formats | Real-Time Alerting | Native Reports to Measure Compliance | Customizable Data Auditing | Custom Report Creation | SharePoint Versions Supported | Windows Server OSs Supported | Windows Desktop OSs Supported |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CSV, PDF, XML | No | No | Yes | Yes | SharePoint 2010, 2007 MOSS Enterprise, 2007 MOSS Standard, SharePoint Portal Server 2003, WSS 3.0 | Windows Server 2008 R2, 2008, 2003 | Windows 7, Vista, XP |
| Excel | No | No | Yes | Yes | 2007 MOSS Enterprise, 2007 MOSS Standard, WSS 3.0 | Windows Server 2008 R2, 2008, 2003 | (not listed) |
| Email, Excel, HTML, PDF | No | No | Yes | Yes | SharePoint 2010, 2007 MOSS Enterprise, 2007 MOSS Standard, SharePoint Portal Server 2003, WSS 3.0 | Windows Server 2008 R2, 2008, 2003 | Windows 7, Vista, XP |
| Excel, HTML, PDF | Yes | No | Yes | Yes | 2007 MOSS Enterprise, 2007 MOSS Standard, WSS 3.0 | Windows Server 2008 R2, 2008, 2003 | (not listed) |
| Excel, PDF, RTF | No | No | Yes | Yes | SharePoint 2010, 2007 MOSS Enterprise, 2007 MOSS Standard, SharePoint Portal Server 2003, WSS 3.0 | Windows Server 2008 R2, 2008, 2003 | Windows XP |
| CSV, HTML, PDF, RTF, TIF, TXT | No | Yes | Yes | Yes | SharePoint 2010, 2007 MOSS Enterprise, 2007 MOSS Standard, WSS 3.0 | Windows Server 2008 R2, 2008, 2003 | Windows 7, Vista, XP |
| Excel | Yes | No | Yes | Yes | 2007 MOSS Enterprise, 2007 MOSS Standard, SharePoint Portal Server 2003, WSS 3.0 | Windows Server 2008 R2, 2008, 2003 | (not listed) |
| Excel, CSV, HTML, MDB, PDF, TIF | No | No | Yes | Yes | SharePoint 2010, 2007 MOSS Enterprise, 2007 MOSS Standard, SharePoint Portal Server 2003, WSS 3.0 | Windows Server 2008 R2, 2008, 2003 | (not listed) |

www.windowsitpro.com | We're in IT with You | Windows IT Pro | August 2010 | 75
PRODUCTS

INDUSTRY BYTES
INSIGHTS FROM THE INDUSTRY
Security ■ Exchange ■

Biometric Security Done Right

When I wrote about current biometric security devices recently (windowsitpro.com, InstantDoc ID 125285), I was a bit disappointed that the security on these devices wasn't that robust. But shortly after that article was published, I was contacted by Stephen Nation with Nation Technologies, a small start-up that specializes in a biometric-based security product called BIOWRAP. Unlike a lot of the current biometric products, which offer convenience and a little bit of security (plus some added risk), BIOWRAP is all business when it comes to security. It offers two-factor authentication (username/password and fingerprint recognition), and it has an extensive verification process, which I'll get to. Another advantage of BIOWRAP is that it offers one central management infrastructure for the biometric identity, versus having a bunch of separate biometric identities (which is just as confusing as today's username/password situation).

"The biometrics market today is focused on biometrics simply as a matter of convenience. I mentioned facility control and access management—that's really a convenience. Yes, you have an additional level of security and transparency, but it conveniently allows you to get access to the door, or log into your PC, but outside that transaction there's no value to the biometrics. And I say that because it's typically a self-enrolled or administrative-enrolled biometric, and outside that enterprise or PC there's no true value to it. And it requires every time you perform a transaction in a separate system, you have to do another enrollment. So we get back to this same model where you have 10 identities, or 10 biometric identities, that are all credentialed, as opposed to having a single source of identity," said Nation.

Founding Principles of BIOWRAP

Essentially, BIOWRAP cuts through the clutter by offering one central management system, but then puts extra verification processes in place to make sure that that one identity is really secure. The primary way that they do this is in the initial verification process. Before you can get an identity, you need to meet with a notary-like individual called a registrar. The registrar meets with you in person, and only by that individual being an eyewitness to your biometric scanning (and running the same type of proof-of-identity checks that a financial company would when you want a loan) can you get the identity. Oh, and they have to verify this process with their own fingerprint scan too. Sound a little over the top? Perhaps, but if you're a financial or medical company, a government agency, or any enterprise that handles loads of sensitive data, it's better safe than sorry.

"In today's environment, there's no way to prove that a person is physically present to indicate they are who they say they are. It's a username/password, or a token, or something. But with the registrar, they have to be physically present, and have to verify that they are physically present with their own fingerprint," said Nation.

So, let's assume the company has a pretty good idea that you are you. From there, Nation Technologies performs two more security steps. The first is to make sure to use high-quality fingerprint readers. All readers are not created equal, and the best readers can choose what level of resolution to scan for, weighing convenience (more false positives) against security (more false negatives). According to Nation, "I've had this system up and running and have yet to hear of a false positive." The second step is to also have a username/password authentication. The username and password are encrypted and the password isn't stored anywhere, and Nation Technologies promises that even if someone can somehow get your fingerprint, they still won't be able to get in. (Similarly, your username and password are useless without your finger.)

Additionally, this multi-factor authentication makes the biometric scan more accurate. Instead of skimming through a database of available fingerprints in your company, this system knows exactly who it's looking for (because of the username/password), so it's just scanning your fingerprint reading against it. "When you perform the authentication [with other solutions], it has to scan through all the other fingerprints to match against the enrolled fingerprint. That's why we operate with multiple-factor authentication—username, password, and fingerprint. We perform a one-to-few comparison." As one final feature, you can create contact groups and have access based on the groups. For instance, if HR is a group, you could encrypt all personnel files so that access works only for people in HR. "It's basically an Active Directory on steroids," said Nation.

Implementation Details and Cost

The BIOWRAP technology currently works for hardware logins, file access, and facility access. BIOWRAP has a standalone file management solution that comes with it, but most enterprises will prefer to integrate it with the content management system they already have in place. (It currently does not integrate with SharePoint, but it may in the future.) Down the road, the technology should also work with website logins. The per-device cost of BIOWRAP is $250 for a one-time setup, plus a licensing fee of $20/month for unlimited usage and support. BIOWRAP has just recently made its national debut—Nation Technologies was founded in 2005.
—Brian Reinholz
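The accuracy argument above (a claimed username narrows the fingerprint check from a search over every enrolled template to a one-to-few comparison, and a stricter match threshold trades false rejects for fewer false accepts) can be put in numbers. The following is an added example, not code from the article or from Nation Technologies; the error rates, thresholds and population sizes in it are constructed assumptions, not measurements of any product.

```python
"""Added example (not from the article or from Nation Technologies): why
matching a fingerprint against one claimed identity is more accurate than
searching every enrolled template.

A matcher at a given threshold has a per-comparison false match rate (FMR,
impostor accepted) and false non-match rate (FNMR, legitimate user rejected).
A 1:N identification flow compares an impostor's print against every
enrolled template, so the chance of at least one spurious match grows with N;
the username/password-first flow compares only against the claimed user's
templates. All rates below are constructed illustrations.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OperatingPoint:
    """One matcher threshold and its error rates (constructed values)."""
    threshold: float
    fmr: float   # false match rate per comparison (impostor accepted)
    fnmr: float  # false non-match rate per comparison (legit user rejected)


# Constructed trade-off curve: a stricter threshold lowers FMR (security)
# and raises FNMR (more legitimate users have to rescan).
OPERATING_POINTS = (
    OperatingPoint(0.60, 1e-2, 0.005),
    OperatingPoint(0.70, 1e-3, 0.010),
    OperatingPoint(0.80, 1e-4, 0.030),
    OperatingPoint(0.90, 1e-5, 0.080),
)


def false_accept_rate(fmr: float, n_comparisons: int) -> float:
    """Probability that an impostor matches at least one of n_comparisons
    templates, treating comparisons as independent with per-comparison FMR."""
    if not 0.0 <= fmr <= 1.0 or n_comparisons < 0:
        raise ValueError("fmr must be in [0, 1] and n_comparisons >= 0")
    return 1.0 - (1.0 - fmr) ** n_comparisons


def compare_flows(fmr: float, n_enrolled: int, templates_per_user: int,
                  p_credential_guess: float) -> dict:
    """False-accept probability for the three flows the article discusses."""
    few = false_accept_rate(fmr, templates_per_user)
    return {
        # 1:N search over everybody's templates (no claimed identity)
        "identification_1_to_n": false_accept_rate(fmr, n_enrolled * templates_per_user),
        # 1:few check against only the claimed user's enrolled fingers
        "verification_1_to_few": few,
        # both factors must succeed: credential guess AND fingerprint match
        "two_factor": p_credential_guess * few,
    }


def choose_operating_point(max_fmr: float) -> Optional[OperatingPoint]:
    """Pick the most convenient threshold (lowest FNMR) whose FMR still meets
    the security target, or None if no threshold on the curve can."""
    candidates = [p for p in OPERATING_POINTS if p.fmr <= max_fmr]
    return min(candidates, key=lambda p: p.fnmr) if candidates else None


if __name__ == "__main__":
    point = choose_operating_point(max_fmr=1e-4)
    rates = compare_flows(point.fmr, n_enrolled=1000, templates_per_user=2,
                          p_credential_guess=1e-6)
    print(f"threshold {point.threshold}: FMR {point.fmr}, FNMR {point.fnmr}")
    for flow, rate in rates.items():
        print(f"{flow:>22}: {rate:.2e}")
```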
Azaleos Takes a Hybrid Approach to Exchange Storage

Microsoft has made some big storage-related changes in Exchange Server 2010. Specifically, it's now easier to afford a high-availability Exchange infrastructure by using existing or inexpensive commodity hardware (SATA in some cases)—rather than expensive, new SAN devices, for example. So, what's the safest and most economical storage approach for the next generation of Exchange Server? I recently spoke with Azaleos's Lee Dumas, a Microsoft Ranger and a leading Exchange authority outside of Microsoft. In the past, Dumas has written for Windows IT Pro about storage basics. We talked about how today's companies—stretched thin by the economy, or just looking for a more manageable approach to a highly complex back-end technology—can best handle the changes that Microsoft has made in Exchange 2010's storage architecture.

"Exchange 2010 is the most stable version of Exchange yet," says Dumas, "but it comes with extra complexities. At a time when companies just want to lower their costs, that's a difficult pill to swallow. Yes, Exchange 2010 has made it possible to achieve lower-cost storage. Don't throw away your SAN! Microsoft is saying you can take advantage of that low-cost storage. But you still need management and alerting. The complexity is still there."

Azaleos is taking a unique approach to the challenge by offering a hybrid solution that's essentially a managed-service product. The data stays in-house, and management occurs from afar. The company's patented technology remotely monitors Exchange 2003, Exchange 2007, or Exchange 2010 wherever it resides, sending key data points to Azaleos's Network Operations Centers, where certified Exchange experts proactively manage the environment on a 24x7x365 basis. "Our software lets us manage data remotely," Dumas says. "Software sits on both sides. We've invested a lot in our operations team. We're all Azaleos employees; there's no outsourcing."

Azaleos offers a comprehensive, reliable set of remotely managed services for Exchange messaging, SharePoint Server, and Office Communications Server. Azaleos is offering four different Exchange 2010 storage configurations designed to decrease hardware costs and meet each organization's unique business requirements. Depending on the configuration chosen and the type of infrastructure already in place, companies can reduce their deployment costs by up to 40 percent when migrating from Exchange 2007 to Exchange 2010, and even more when switching from Exchange 2003.
—Jason Bovberg
AD INDEX

For detailed information about products in this issue of Windows IT Pro, visit the web sites listed below.

Company (page): URL
1&1 Internet (77): www.1and1.com
APC/Schneider Electric (17): www.apcc.com/promo
Citrix (22, 23): www.citrix.com/XenDesktop
Diskeeper Corporation (6): www.diskeeper.com/v2
HP (Cover 4): www.hp.com/servers/unleash12
Hotels.com (10): www.hotels.com/hotel-deals/wrwin1
IBM Corporation (Cover 2, 1): www.ibm.com/systems/ex5
PowerWF Studio (78): www.powerwf.com/mg1
Privacyware (76): www.privacyware.com
Quest Software Inc. (3): www.quest.com/trabsform
Sunbelt Software Inc. (Cover 3): www.sunbelt-software.com
Train Signal (36): www.trainsignal.com
WinConnections Fall Event (12, 64B): www.WinConnections
Windows IT Pro (18, 44): www.windowsitpro.com

VENDOR DIRECTORY

The following vendors or their products are mentioned in this issue of Windows IT Pro on the pages listed below.

A10 Networks: 63
Apple: 61
Aprigo: 60
Argent Software: 63
AvePoint: 74
AVIcode: 63
Azaleos: 78
Brocade: 63
Citrix: 63
Corner Bowl Software: 64
Dundas Data Visualization: 62
Idera: 62
Kerio: 68
Lyzasoft: 61
Muhimbi Ltd: 74
Nation Technologies: 76
NetWrix Corporation: 74
Neutex Systems: 69
Nintex: 74
Oracle: 71
Parallels: 71
ProStor Systems: 60
Quest Software: 62, 74
Rebit: 61
Rove: 67
Sans Digital: 60
ScriptLogic: 63, 74
Specops Software: 60
Spiceworks: 65
Symantec: 63
Symplified: 60
Syntergy: 74
Telerik: 63
VMware: 63, 70
Vyapin Software Systems: 74

DIRECTORY OF SERVICES | WINDOWS IT PRO NETWORK

Search our network of sites dedicated to hands-on technical information for IT professionals. www.windowsitpro.com

Support: Join our discussion forums. Post your questions and get advice from authors, vendors, and other IT professionals. www.windowsitpro.com/go/forums

News: Check out the current news and information about Microsoft Windows technologies. www.windowsitpro.com/go/news

EMAIL NEWSLETTERS: Get free news, commentary, and tips delivered automatically to your desktop: asp.netNOW, DevProConnections UPDATE, Exchange & Outlook UPDATE, Security UPDATE, SharepointPro Connections UPDATE, SQL Server Magazine UPDATE, Windows IT Pro UPDATE, Windows Tips & Tricks UPDATE, WinInfo Daily UPDATE. www.windowsitpro.com/email

RELATED PRODUCTS

Custom Reprint Services: Order reprints of Windows IT Pro articles. Diane Madzelonka at [email protected].

NEW WAYS TO REACH WINDOWS IT PRO EDITORS

LinkedIn: To check out the Windows IT Pro group on LinkedIn, sign in on the LinkedIn home page (www.linkedin.com), select the Search Groups option from the pull-down menu, and use "Windows IT Pro" as your search term.

Facebook: We've created a page on Facebook for Windows IT Pro, which you can access at http://tinyurl.com/d5bquf. Visit our Facebook page to read the latest reader comments, see links to our latest web content, browse our classic cover gallery, and participate in our Facebook discussion board.

Twitter: Visit the Windows IT Pro Twitter page at www.twitter.com/windowsitpro.

Windows IT Pro VIP: Get exclusive access to over 40,000 articles and solutions on CD and via the Web. Includes FREE access to eBooks and archived eLearning events, plus a subscription to either Windows IT Pro or SQL Server Magazine. www.windowsitpro.com/go/vipsub

SQL SERVER MAGAZINE: Explore the hottest new features of SQL Server, and discover practical tips and tools. www.sqlmag.com

ASSOCIATED WEBSITES

DevProConnections: Discover up-to-the-minute expert insights, information on development for IT optimization, and solutions-focused articles at DevProConnections.com, where IT pros creatively and proactively drive business value through technology. www.devproconnections.com

SharePointPro Connections: Dive into Microsoft SharePoint content offered in specialized articles, member forums, expert tips, and Web seminars mentored by a community of peers and professionals. www.sharepointproconnections.com
CTRL+ALT+DEL by Jason Bovberg

August 2010 issue no. 192, Windows IT Pro (ISSN 1552-3136) is published monthly. Copyright 2010, Penton Media, Inc., all rights reserved. Windows is a trademark or registered trademark of Microsoft Corporation in the United States and/or other countries, and Windows IT Pro is used under license from owner. Windows IT Pro is an independent publication not affiliated with Microsoft Corporation. Microsoft Corporation is not responsible in any way for the editorial policy or other contents of the publication. Windows IT Pro, 221 E. 29th St., Loveland, CO 80538, (800) 793-5697 or (970) 663-4700. Sales and Marketing Offices: 221 E. 29th St., Loveland, CO 80538. Advertising rates furnished upon request. Periodicals Class postage paid at Loveland, Colorado, and additional mailing offices. POSTMASTER: Send address changes to Windows IT Pro, 221 E. 29th St., Loveland, CO 80538. SUBSCRIBERS: Send all inquiries, payments, and address changes to Windows IT Pro, Circulation Department, 221 E. 29th St., Loveland, CO 80538. Printed in the USA.
For the Ladies

Efficient Lady's Organizer

PRODUCT OF THE MONTH

Our favorite product this month is Efficient Software's Efficient Lady's Organizer, a Windows personal information management (PIM) application designed especially for women—by women. "Behind the stunningly fashionable interface is a software powerhouse that combines a calendar, contact manager, planner, reminder, diary, notepad, and password manager," the company's decidedly pink website reads. Our favorite quote? "It has a fashionable and pretty interface—a choice only of happy and demanding ladies!" This product is ideal for the Sex and the City fan. For more information, visit the Efficient Software website at www.ladysorganizer.com.
SEND US YOUR INDUSTRY HUMOR!

Email your industry humor, scandalous rumors, funny screenshots, favorite end-user moments, and IT-related pics to rumors@windowsitpro.com. If we use your submission, you'll receive a CTRL+ALT+DEL GIFT.
User Moment of the Month

In the 1990s, I worked as temporary Desktop Support at a software company. One of the first tickets given to me read, "I need a battery recharger that doesn't plug into a wall outlet." I called the user and asked for more clarification to better assist her. She said, "I'm flying to Asia in two weeks, and it'll be about a 20-hour flight. I'm taking my laptop and two laptop batteries with me. Since I'll be using one battery to do work on my laptop, I figured I could plug the other battery into the recharger. But there are no outlets on the airplane, so the battery recharger needs to be able to recharge without using a wall outlet." I told the user to go ahead and submit the paperwork to purchasing. The purchasing department still gets on my case about that one.
—Paul