Devin on Earth

I’ve had two technological experiences this morning that can be summed up thusly: I love living in the future!

The first involved the new VoIP PBX we had installed earlier this week. The installer kindly left the TAPI integration driver on my desk for me, so I loaded it up this morning. A few minutes of setting up my new dialing rules for this location and I was placing calls directly from my Address Book:

Call options within Outlook

When you select the call, you get the following window:

The New Call window

Click Start Call and your PC contacts the PBX and establishes the call. Once it’s dialed, the PBX activates the phone set on your desk, placing it into speakerphone automatically. How cool is that? It’s not bleeding-edge technology; I’ve seen the same configuration with traditional PBXs for several years, but now that I have access to it, this is one piece of technology that will continue to make Outlook my most critical app.

I already live and die around my email, and my choice of mobile device was dictated by the desire to have my calendar and contact data work seamlessly with Outlook; this telephony integration just reinforces that tendency. (And wait until we get Exchange 2007 UM deployed, so I can listen to my voicemail from within Outlook…or from my mobile device, thanks to the wonders of Exchange ActiveSync.)

The second was definitely far more old-school. I wanted to play some music on my desktop system and take advantage of no one else being around to really crank it up. I was about to whip out my 1GB thumb drive and copy a few new songs over when I remembered that I’d packed my old 40GB iPod in my backpack. A minute scrounging around for a spare M-M 1/4″ two-channel cable and my iPod was happily pumping my entire music selection through my desktop’s Line-In port and out to my speakers, without me even needing to fire up an app. That was cool…how cool would it have been if my iPod and desktop both had Bluetooth so I could have done it without cords?

I love living in the future.

A YouTube clip of David Lee Roth performing Van Halen's classic "Jump." Nothing odd there, right?

Try it as a bluegrass song.

I blame John Scalzi. 

• Some very nice uses of returning characters from the 2005 season.


• Episode 3, “School Reunion”: the return of Sarah Jane Smith, one of the most beloved Companions of all time. Elisabeth Sladen reprises her role with a lot more grace, intelligence, and character than I remember her having in her time-hopping days. I always liked Sarah Jane (even if her first inclination was to scream), but both the character and the actress have clearly matured and grown. Mickey gets off one of the best shots against the Doctor: “Ho ho, mate! The missus and the ex. Welcome to every man’s worst nightmare!”


• Bringing back the Cybermen…and how!


• Torchwood and the continuing tie-ins with the Bad Wold theme of Season 1.


• Revisiting Rose’s Dad…again, yet different.


• Mickey finally comes into his own and discovers his center.
  


• Best line of the season in the finale: “It’s like Stephen Hawking meets the Speaking Clock.” Again, uttered by Mickey.


• Best exchange of the season, again in the finale: “Daleks have no concept of elegance!” “This is obvious.”


• An ending that actually made me cry. I knew that Billie Piper was leaving the show, but they wrote Rose out with a bang.
  

My friend Mir was telling me about a writing challenge she's been working on lately on one of her web forums; someone posts nine words and then people write a poem incorporating them.

A lot of my work at 3Sharp involves working with virtual machines. (And when I say “a lot” I really mean “the majority.”) When it comes to working with virtual machines, I have a choice: I can use Virtual PC or Virtual Server. Non-Microsoft virtualization environments offer some nice features, but I usually can’t use them for some reason or other. Given my choices, I tend to stick with Virtual Server; it isn’t quite as user-friendly in some options as Virtual PC, but it doesn’t have some of the brain-dead limitations either.

Today, I found a new way in which Virtual Server helps break machines, at least if you operate it in PEBCAK[1] mode. Let me ’splain. I had to deploy a new test lab environment consisting of six virtual machines configured as a single-domain Active Directory forest with a DNS name of contoso.demo and a NetBIOS name of CONTOSO. The only spare machines that we had to run these virtual machines, which are fairly resource-intensive, were a pair of 64-bit servers hanging around after having just been used for a different project. They were still configured as part of their test domain contoso.com with a NetBIOS name of CONTOSO. Now, I might have expected there to be some problems based on the recurring NetBIOS domain name, but when I deployed the VMs everything worked out fine. Since I had the six VMs split over two machines, I threw a crossover cable onto the second network adapters on the hosts, changed the Internal network to bind to those adapters, and away I went.

Unfortunately, I needed to be able to pass data in and out of the test network, so I did was has become my standard practice: shut down one of the machines (usually the DC, since it inevtiably ends up doing the least amount of work in my labs) and configure a second network interface, bound to the external network. I made the changes and started the VM back up…and suddenly the host falls off the network. Can’t talk to the VS web page, can’t ping it, can’t RDP to it. I walk into the server room and check the console — no, it’s still running, but I can’t logon using the cached domain credentials and the local admin password isn’t taking. What’s going on here?

To make a long story short, I did more poking around and finally came up with a theory. As far as I can tell, what happened was that when the DC started up, about the time the Netlogon service started up and it began registering itself with NetBIOS, it would cause the host’s network stack to flip out. The host, you see, was a member of a CONTOSO domain already, and to have another one get announced through its physical interface was apparently too much. My fix was to remove the external network interface; instead, I’ll just use a two-step copy process to move data in and out (once from the external network to the host, the second from the host to the guest).

I don’t have time to play with it and figure out exactly what happened; is it a quirk of this network driver, of 64-bit Windows Server, or a generic “don’t do this” kind of bug with VMs? Does it happen under VPC too? While I wish I could track this down, the reality is that I don’t have the time.

[1] Problem Exists Between Chair And Keyboard. Related to the infamous I-D-Ten-T error.

The busy folks at HP are wasting no time in getting their Exchange 2007 consulting groove on. They’ve got a ton of guidance on using Exchange 2007 on HP hardware (servers and storage). It makes for interesting reading, seeing the recommendations they’re making and the configurations they’re using, as real-world deployment and sizing information is still hard to find at this point.

As I’ve been working more and more with PowerShell, I’ve discovered a few gaps in coverage in the cmdlets it offers. Most of my PowerShell noodling has been with Exchange 2007, so represents holes in the Exchange Management Shell extensions, but the one I just ran across is basic PowerShell.

PowerShell provides a series of cmdlets for querying and manipulating Windows Services, among them New-Service, Set-Service, and Get-Service:

• New-Service, of course, allows me to create a new service instance, including setting dependencies and credentials.
• With Set-Service I can change various parameters associated with a service: its display name, description, and startup type (Automatic, Manual, or Disabled). However, I can’t change its credentials or dependencies.
• Get-Service is the most disappointing. It doesn’t return the startup type parameter, so even though I can return an arbitrary list of services (using built-in rich wildcard support for service names and our friend the where cmdlet to sift through other parameters) I can’t tell whether my returned services are set to automatically run or not!

This makes it pretty difficult to use native PowerShell to (say) write a quick script to capture the status of a set of services for later retrival, then shut them down and set them to Disabled for a time. If I were able to capture that status, I could use a second quick script that would use the saved settings and reset the services to their prior configuration. This script would then be generic and could be used in all sorts of situations. Instead, I get to hardwire stuff in or do it by hand.

The second major hole I’ve found so far is in the Exchange Management Shell extensions, in particular the Set-PublicFolder cmdlet. I’ve finally figured out the right syntax for specifying multiple servers for the -Replicas parameter, but it would have been really be nice if the cmdlet had distinct -AddReplicaTo and -RemoveReplicaFrom parameters. As it is now, if I’m making changes, I have to capture the existing list of replica databases, add or remove the desired entries, then feed the entire list back in to Set-PublicFolder. If I try to pass in a single database, I overwrite the existing value of Replicas. This may be acceptable for large-scale public folder operations, but it makes it a pain to do quick one-off operations.

This is matched by a minor gripe with Get-PublicFolder: when it displays the replicas in a table or list format, it displays only the database names. If I’ve named multiple public folder databases the same name (like, say, “Public Folders”), then I can’t tell by inspecting this list which servers the replicas are on. I need to indulge in further script-foo to figure it out. Again, this makes casual administration from EMS much more of a chore than it should be.

Finally, I’d like to thank both the Exchange team and the PowerShell team for all the hard work they’ve done, both on the code and on the docs. My only complaint about the docs is that often there are not enough examples, especially when you have parameters whose use isn’t immediately obvious (such as the -Replicas parameter for the Set-PublicFolder cmdlet).

Have you found a puzzling gap in cmdlet coverage? If so, let me know, and I’ll start compiling a list.

1. The only hsots that should be allowed to initiate SMTP into the external untrusted network are the Edge servers.
2. The only hosts that should be allowed to initiate SMTP into the Edge server are the Hub Transport servers.
3. The Edge servers must be able to initiate SMTP into the Hub Transport servers to relay in incoming mail.
4. The Hub Transport servers must be able to initiate Edge Subscription connections to the Edge servers over the default custom LDAP ports (TCP 50389 and TCP 50636).
5. We’re only concerned about SMTP; if we need SSL, we’ll use TLS over TCP 25.

So, with that in mind, we first need to create two new computer sets:

Computer set: Internal mail servers

• Add entries for all your HT servers.

Computer set: Perimeter mail servers

• Add entries for all your Edge servers.

Next we create a new protocol:

Protocol: Exchange Edge Subscription

• TCP 50389 outbound
• TCP 50636 outbound

And now, we’ll create three rules:

Rule: Allow SMTP between perimeter and internal mail servers

• Action: Allow
• Protocol: SMTP
• From: Internal mail servers, Perimeter mail servers
• To: Internal mail servers, Perimeter mail servers

Rule: Allow outbound SMTP from perimeter mail servers

• Action: Allow
• Protocol: SMTP
• From: Perimeter mail servers
• To: External

Rule: Allow Edge Subscription updates

• Action: Allow
• Protocol: Exchange Edge Subscription
• From: Internal mail servers
• To: Perimeter mail servers

Note that on the “Allow SMTP between perimeter and internal mail servers” rule, we’ve listed both sets of servers in both the To and From fields. This allows a single rule to cover all SMTP traffic regardless of which side initiates the connection.

Combined with the SCW hardening and other security measures, we’ve now formed an effective isolation between Edge and the HT servers.

I’m subscribed to a slowly growing number of mailing lists and services that are aimed at keeping journalists and other such folk informed of trends and developments in the IT industry. Last night on one such list run by Ferris Research, I received an article that talks about how the practice of using a backup MX service can cause problems when used in conjunction with an improperly configured SPF/Sender ID screening implementation.

The problem they’re addressing: many people who use SPF or Sender ID forget to whitelist the hosts used by their backup MX service. Thus, when messages get submitted to those hosts and passed along, they may fail the SPF/Sender ID checks and cause mail to get improperly rejected or marked as spam.

While the article is for subscribers only, I received permission to quote from the article here:

One way to avoid this situation is to ensure that SPF/SIDF checks are not performed on mail received from the backup mail services. However, this will either negate the effect of part of your spam filtering or require that the backup MX also perform backup spam filtering.

So far, so good…

We recommend, where possible, to simply not use a backup MX. If your primary MX is unavailable, mail should still queue at the sending MTA for several days. The sending MTA should continue to retry periodically until your site is available again. In many ways, backup MX configurations are an anachronism — a holdover from the days when connectivity was unreliable and some MTAs’ queuing algorithms weren’t great.

Hold the phone! This is where I disagree with the authors. While most MTAs have decent queuing algorithms and connectivity is usually a lot more stable, those vcery factors have combined to convince many mail admins that it’s no longer necessary to hold mail for the once-customary time of 7 days before NDRing it. (Ah, the good old days when everyone ran Sendmail. Of course, I hated Sendmail, but at least you knew what to expect.) And I’m not talking about small, insignificant hosts either. There are many major ISPs and mailing list services that will start bouncing mail in a shorter time than you might think.

And while connectivity is usually good, that’s not to say it’s perfect. When we moved the office, a simple misconfiguration by our data provider left a fair chunk of our public IP addresses unroutable for several days. It’s not hard to conceive of circumstances that could keep your mail servers offline for 48, 72, even 96 hours, and you could very well be losing important messages in that timeframe. Backup MXs are still a very good idea.

The real problem is identified in the first quote: never use backup MX hosts that aren’t doing all of the same basic filtering you are. Now, some types of filtering are hard to push out to backup MX hosts (legitimate recipient filtering) and don’t really need to be done until the message is ready to enter your organization. However, position-sensitive mechanisms like SPF/Sender ID, RBLs, and other IP-based techniques should be done by the first host that accepts responsibility for them in your domain.

Folks I’ve talked to are seeing a rise in the right kind of solutions for these problems: hosted MX services and hosted mail services. If you can’t maintain your own backup MX servers that have consistent message hygience configurations and features as your primary MX hosts, then you should at least have a service that accepts all incoming mail to you, processes it consistently, and passes the resulting clean feed back to your mail server.

[1] Even so, it’s best practice to have your backup MX hosts do your recipient filtering too. Otherwise, they’re stuck having accepted responsbility for messages addressed to non-existent recipients, and they’re going to generate NDRs. They could very well be contributing to backscatter.

Edit 0723 PST: The author of the article, Richi Jennings, also posted his argument on his blog, so you can go read it there.

We work pretty hard at 3Sharp, but we don’t work hard all the time. Our new offices have lately been plagued by an infestation of tiny remote-control helicopters. Well, all I can say to that is I need one of these remote-control ornithopters.

I can’t think of ornithopters without thinking of Dune (hence the title of this post), but this would be seriously cool to have.

Thanks to this nifty article on Exchange 2003 hacks by Exchange MVP Rodney Buike, I learned about the Contig tool. This tool, freely available from Microsoft as part of the SysInternals offerings, offers the ability to perform file-level defragmentation. This can be a good thing for volatile data files such as Outlook’s .ost file.

Don’t forget the basics, though. Keep the number of items in your Inbox down as much as you can, and try to keep the number of messages in any given folder lower than 1,000. Don’t be afraid to make use of folders and a hierarchy. Just as proper use of containers helps you keep physical stuff organized, proper use of folders will keep your mail organized.

I’d managed to overlook this during the beta cycle, but yesterday I ran across the following statement in the release Exchange 2007 docs:

"An Edge Transport server that is in the perimeter network typically has two network adapters:
A network adapter that connects to the Internet, or external, network.
A network adapter that connects to the corporate, or internal, network."

Don’t believe me? Check it out for yourself.
Update 12 Apr 2007: This month’s content update removes this assumption from the documentation, so this is no longer the case.

Now, the way this passage is written, it implies to me that the two network interfaces are directly connected to the appropriate networks. That’s not the definition of “perimeter network” I’m familiar with; interfaces that reach out of the perimeter tend to conveniently bypass the other layers of security. Your perimeter network (or networks, if you find multiple perimeter networks to your taste) is protected from direct access by firewalls and proxies. Microsoft can’t really be advocating a box with one lead stuck into the external network and the other stuck into my interior network, can they?

I could suppose they mean one box with two interfaces in the perimeter network….but no, that just doesn’t make sense unless I’m overlooking something. I already expect my Edge server to live in the perimeter, so I’ve taken the appropriate steps to harden it, including running the Security Configuration Wizard (SCW). Microsoft’s recommended SCW configuration gives you instructions on setting up restrictions in the SCW policy to limit which machines can talk to the Edge server on which ports. By it’s nature, an Edge server needs to talk SMTP with at a minimum all external mail servers (I’m making the assumption that you’re not using a smarthost) and with the Hub Transport servers in the interior network. However, the LDAP connection for the Edge Subscription information only needs to listen to the interior Hub Transport machines. Microsoft’s guidance tells you how to configure the SCW policy to achieve this based on network adapter.

I can see some pros to this approach, but the cons are really getting to me. Yeah, it’s easier to define policies by adapter, but I can just as easily configure SCW on a single-interface Edge box to lock down Edge Sucscription to the internal network, allow SMTP to all hosts, and prevent everything else — and by haivng this single interface actually within my perimeter I can enforce these restrictions in my firewall rules, giving me an extra layer of security. In fact, later today I’ll describe the ISA rules I used to secure access to the Edge server after hardening it with SCW.

I’ve tried to think of compelling reasons why I’d hypothetically want dual interfaces on a perimeter machine. I can think of lots of reasons why I wouldn’t:

• It increases the level of complexity but doesn’t really give me an increase in the security it offers. Not only that, I’m more likely to have to replace an interface when hardware goes bad, than I am going to have to change which subnets everything lives on. In our recent office move, I had a server lose its interface and I had to replace it. Had it been my Edge server, would I have remembered to re-configure the SCW policy to tie it into the new interface? (Would I have needed to? I don’t know…and I’d be willing to bet there are very few people out there who can answer that off the top of their head, discounting the guys at Microsoft who worked on the SCW). If my policy is based on network addresses and subnets, as long as I configure the new interface with the same address as the old, my policy is still valid.
• Say I have an attacker go after my Edge server. If this attacker gets into the box, they can shut off the SCW policy and turn on IP forwarding. Boom! Instant egress into my network, bypassing my other controls and layers of security.
• Speaking of layers of security, I being the conscientious admin[1][2] have of course have deployed IPSec filters on my internal network to make sure that my important machines (like my domain controllers and Exchange servers) won’t respond to queries initiated from anywhere other than the trusted hosts on my internal network. These filters just got more complicated; now I have an internal IP address I can’t trust incoming traffic from….unless I’m an Exchange server and it’s SMTP traffic on TCP25.

So, can anyone help me figure out what I am missing, or is this really the bad guidance that it appears to be?

[1] In the hypothetical situation we’re describing here.

[2] Ryan and Doug, I can hear you snickering.

Posting here because who knows how long the entry will be active, and I want this sucker immortalized. Live in infamy forever, thanks to the power of the Internet!

Anybody out there interested in hiking the entirety of the Pacific Crest Trail as part of a role-playing group?

The two ideas people are voting on right now are Lord of the Rings and Lost. The idea is that everyone who goes would have a character that they’d pretty much be, exclusively, for the duration.

 For those of you who don’t understand the full inanity, somebody is looking for a group of people to dress up and pretend to be Aragorn, Legolas, Gimli, Frodo, Gandalf, and company while going for a hike from Canada to Mexico. In costume. In character. The whole way.

I, for one, won’t be at all impressed with them unless they do it all with authentic equipment and clothing. No modern synthetics, fibers, or materials. No freeze-dried food. No firearms. The person playing Legolas damn well better be able to outrun those deer. That would make it fun.

Oh, crap. You know what I’ve gone and done? Invented a concept for a reality show. 

iPod. Mac mini. MacBook Pro. OS X. These are Apple products that I have acquired in the last several years and that cause me much love, because for the most part, they just work. So what do I think about the iPhone?

Simple. I think it’s going to be a boutique phone/media player for folks with money to burn and who want convergence between their phone, media players, and PDA. It’s sleek and has a great-looking UI — an Apple standard — but the price tag keeps it from being a casual purchase.

I don’t forsee it making inroads into the lucrative corporate messaging environment, though, because it doesn’t offer any sort of synchronization support for the full Exchange experience. POP3 and IMAP don’t cut it here. There’s a reason RIM offers the BES option for BlackBerry devices, because individual cradle synch doesn’t cut it. Businesses are demanding and using over-the-air sync with full support for all features of the messaging environment — contacts, calendars, messaging, documents.

Now, I’m pretty certain the iPhone is going to hurt Windows Mobile in the consumer market…but its lack of support for Exchange or even Notes and Groupwise will keep it out of most enterprises.

BTW, note to Apple: I’d love to be proven wrong about this. You’re more than welcome to send me a review unit, once they’re available (FCC licensing is still pending according to the note at the bottom of Apple’s website today), and I’ll happily take it through its paces.

There’s one nice feature in Exchange 2007 that I suspect will get overlooked far more than it deserves, and that’s the built in support for the Windows Server 2003 SP1 Security Configuration Wizard. Out of the box, the SCW provided support for an impressive number of current-generation Microsoft applications, but the big question was always what would happen when newer versions of software were released.

Exchange 2007 comes with SCW support. While it doesn’t register the SCW extensions during installation (or even give you the option of doing so, which would have been a nice touch), the Post-Install steps in the Exchange Management Console (and the Exchange documentation) give you the complete process for using the SCW to harden your Exchange 2007 servers. While the documentation is impressively complete, I found a couple of typos that might put some small bumps in the road.

In the How to Register Exchange Server Role SCW Extensions topic, they give you a couple of command lines to register the extensions used to tell SCW how to secure Exchange 2007. Here’s the command lines I ended up using:

scwcmd register /kbname:"Ex2007KB" /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007.xml"

scwcmd register /kbname:"Ex2007EdgeKB" /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007Edge.xml"

Let me know how it works for you.

In general, I love Exchange 2007. I love Exchange 2007 with a love that is brighter than the aggregate IQ of a science fiction convention and stronger than the body odor of the RPG section of that same convention[1].

However, one area of Exchange 2007 that I don’t love is public folder management. It is a downright shame that the best interface for managing public folders in Exchange 2007 remains the Exchange 2003 System Manager. Creating a simple public folder in the Exchange Management Shell isn’t a problem, but the docs are very weak on practical, usable examples of everyday tasks like adding and removing replicas to existing public folders, or working with the system public folders.

There is a great need for an “Exchange 2007 Administrator’s Guide to Public Folders.” Unfortunately, I don’t see it happening any time soon.

[1]I used to be a freelancer in the RPG industry and I’ve spent my share of time at conventions. I’ve even run games at conventions, so I get to make this joke.

This weekend I was playing with the Exchange Management Shell while performing some troubleshooting on our Exchange 2007 system and discovered some fun combinations of cmdlets I thought I’d share.

First, let’s start with a command that lists all of the mailboxes in a given server, sorted by size. There are two variants for ascending and descending, differing only in the inclusion of the -Descending paramter in the Sort-Object cmdlet in the latter:

Get-MailboxStatistics -Server RED-MSG01 | Sort-Object -Property TotalItemSize | `
  Format-Table DisplayName,TotalItemSize

Get-MailboxStatistics -Server RED-MSG01 | Sort-Object -Property TotalItemSize -Descending | `
  Format-Table DisplayName,TotalItemSize

Pretty simple stuff, really; your basic pipeline exercise. You can also use Get-Mailbox -Server SERVER | Get-MailboxStatistics like I originally was, but since the Get-MailboxStatistics cmdlet already supports the -Server parameter it would be redundant. If you have some other way you need to define your collection of mailboxes, once you figure out how to define it, pipe the collection into Get-MailboxStatistics and away you go.

Next up, a variant of the same, only this time I want to only show those mailboxes larger than, say 1GB:

Get-MailboxStatistics -Server RED-MSG01 | Where {$_.TotalItemSize -gt 1GB} | `
  Sort-Object -Property TotalItemSize -Descending | Format-Table DisplayName,TotalItemSize

The Where cmdlet gives me access to comparisons against any propertDispy on the collection of objects passed into it, so be careful where you use it in the pipeline. The collection of objects given by Get-Mailbox is not the same collection of objects given by Get-MailboxStatistics, and they will have different sets of properties. And yes, you put multiple Where cmdlets into different places in your pipeline to fine-tune your selections, as the following search for the Kelly brothers illustrates:

Get-Mailbox -Server RED-MSG01 | Where {$_.DisplayName -imatch "kelly"} | `
  Get-MailboxStatistics | Where {$_.TotalItemSize -gt 1GB} | `
  Sort-Object -Property TotalItemSize -Descending | Format-Table DisplayName,TotalItemSize

This would show me all mailboxes whose display name contains the string “kelly” (without considering the case of the characters) and that was larger than 1GB in size. The -imatch comparison is a case-insensitive regular expression match, so I could have gotten fairly fancy in my comparison.

Last one: let’s take the list of mailboxes, in ascending order, and feed it to the Move-Mailbox cmdlet. This way, we’ll be moving the smaller mailboxes first, allowing us to get through more moves in the beginning and saving the real packrats for last:

Get-MailboxStatistics -Server RED-MSG01 | Sort-Object -Property TotalItemSize | `
  Move-Mailbox -TargetDatabase "RED-MSG02\Mailbox Database"

Let me know if you have questions or comments!

I am torn. On the one hand, 750 words a day for 90 days is a lot more sustainable in the long run than NaNoWriMo's frantic pace. NaNoWriMo always comes at a really bad time of the year. There's not even a set starting date, or any other of the various formalities that NaNoWriMo has grown. There's just you, the community, the wordcount, and the mocking. I really need to get some of this fiction inside my head out on paper. My fiction writing has been getting short shrift for years and I'm going to be busy for the forseeable future; I just need to pony up and carve the time out from somewhere, or stop talking about being a fiction author.

On the other hand, I'm pretty damn busy in the writing department. I've got four chapters I'm finishing up for a forthcoming Exchange 2007 book, I've got another chapter that I'll be writing for another Exchange 2007 book in February, and my editor and I are settling the details of a book I'll be writing with a co-worker come March. Let's not add in there that I have presentations for Exchange Connections in April to be developing, let alone the normal work load and the blogging. My family expects time from me, for some reason — more than they've been getting. All of the above writing gigs are paying gigs, agreed to with Steph's approval.

On the gripping hand…I subscribed to the community almost immediately. I've been watching the introductory posts roll in. Good Lord…it's is quite easy to separate the pros from the wannabes. One group is talking about deadlines, editors, revisions, and all the other nuts-n-bolts of the publication trade. The other group is talking about inspiration, the stuff they did in high school, and how they've had these ideas eating their brains for years.

When it comes to the technical writing, I'm firmly in the pro camp, even if I still struggle with time management and discipline. I know now how much work goes into writing and publishing a technical book. I don't look forward to it, but it's a known quantity and I know I'm capable of doing it. When it comes to fiction, however, I'm the wannabe.

So here's the decision: once I get these four chapters done, do I take the plunge to get The Next Day back in gear? 750 words isn't a lot at all, especially once I get writing. I can do that easily in less than an hour — 25-30 minutes once I get warmed up. And if I'm doing it every day, I'll stay warmed up. All I have to do is give up the faffing about that I do around the house. All I have to do is decide whether I want to be a wannabe or a pro.
 

Score another UI/usability win for Apple. They’ve done something I never thought anybody could ever do: not only get me to use a trackpad on a laptop, but to like it — to the point that I don’t miss the “eraser mouse” (sometimes called a trackpoint) that I’ve loved on my IBM Thinkpads. While we’re at it, Apple has also managed to convince me that life with one mouse button not only doesn’t suck, but can be fun and productive.

As I mentioned in a previous post, I’m now the proud owner of a new Apple MacBook Pro. It’s a very sweet laptop — all sleek burnished aluminum and lush styling — but when I first unpacked it, I was concerned because the only built-in mousing surface is one of those damnable trackpads. Bleh! I’ve been a confirmed member of the Church of Apocalypse of Trackpads for years, so I spent a few minutes of anticipation mourning the loss of my little red nubbin, nestled comfortingly between the G, H, and B keys.

Much to my surprise, I immediately found that I was able to live with the MacBook Pro trackpad for a multitude of reasons:

• The first thing I noticed was that unlike PC trackpads, Apple doesn’t have the default configuration set to react to heavy pushes as if it were a mouse button. Years of typing on a Focus keyboard have given me a heavy typing action, and on PC laptops I often find that I’ve put my finger down on the trackpad just a little too forcefully, causing the computer to interpret it as a left-click. My typical reaction is to disable the trackpad entirely (usually in Device Manager). On the MacBook Pro, you can turn this feature on if you want to….but it’s off by default, and you don’t really need to because…
• …there’s only one mouse button. This is a typical Apple-ism (at least until they finally capitulated by creating an optional multi-button mouse for those who just can’t live without that sweet sweet right-clicking action), but in the case of the MacBook Pro, it’s not a wimpy little button. Heck, no — this sucker is a good inch deep and five inches wide. It’s bigger than the space bar. This means you can easily depress it no matter where your finger is on the trackpad, which oddly enough makes it far superior to the typical split buttons on PC laptops. Only having to lift one hand off the keyboard to use the trackpad means that the other hand can hit the necessary keys to produce the shifted click combos necessary to duplicate the functionality of right-clicking. I’ve already caught myself trying to do it in Windows.
• The shape of the Apple touchpad also makes it easier to use, because it replicates the screen in miniature. It’s a big long rectangle, just like my screen, in roughly the same proportions. This means that with the right sensitivity settings, I can easily move the mouse across my entire screen without having to re-track my finger.
• Did I mention that Apple’s mouse sensitivity settings actually allowed me to find a setting that worked for me within one or two adjustments? On most PCs, I have to crank it to the maximum and even then, that pointer isn’t moving fast enough.

However nice all these reasons are, they’re nothing compared to the Big Kahuna: the scrolling feature. This, quite frankly, kicks serious a**. When I use a single finger, OS X moves the cursor over the screen as normal. When I use two fingers in tandem, OS X immediately detects that, figures out which screen region my mouse is in, and scrolls that region if it can be scrolled.

Yes, that’s right. Use one finger to move into my web browser, then put down a second finger and immediately scroll through the current page, without having to click to change focus. If I need to zip over and scroll the document in the window next door, I lift a finger, move the cursor, put the finger back down. And it works for both horizontal and vertical scrolling. This, my friends and readers, is Pure Mousing Heaven. It’s so easy to use that I have spent more time telling you how it works than you’d need to master it if you were in front of my MacBook Pro (and I were to let you touch it).

Genius, Apple. Genius.

It’s already that time of year, when presenters start putting together PowerPoint slide decks. This year, the spring session of Windows/Exchange Connections is April 1-4 and we’ll be back in Orlando, FL (although not, sadly, at the Disney Swan and Dolphin hotels as we were last year). I’m used to Paul being there, but this year we’ll have two other 3Sharp presenters infiltrating the Windows Connections side of things: David Gerhardt and Doug VanBenthuysen.

I’ll be speaking on the following topics:

• DCAR with Exchange — Discovery, Compliance, Archival, and Retention: they’re challenges every Exchange administrator faces. Whether you’re using Exchange 2000, 2003, or 2007, join me to find out how to solve these challenges using Exchange.
• 10 Tips to Make Your Exchange Server a Good Net Neighbor — Many Internet mail administrators consider Exchange to be a poorly behaved SMTP MTA. All too often, these perceptions are rooted in configuration errors surrounding Exchange, rather than in any flaw in the product. Learn these common (and in many cases) simple configuration changes you can make that will keep your external mail running smoothly.
• Iron Chef: Using Powershell with Exchange 2003 — While the new Exchange Management Shell is only designed to manage Exchange 2007 servers, the underlying Powershell technology can make managing and scripting your Exchange 2000 and 2003 servers a lot easier. Join one of the authors of the Exchange Server Cookbook and learn how to take advantage of Powershell to make scripting Exchange easier than ever.

Drop me a note if you’re planning on being there — I’d love to meet you! And as always, if you’ve got some practical experience that relates to one or more of the above topics and you think I’d benefit from hearing about, let me know.

Read this press release on Friday:

SAN JOSE, Calif., January 4, 2007 – Cisco (NASDAQ: CSCO) – Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection.

For many years now, the Cisco PIX firewalls have been a big part of the security landscape. From most reports, they’re good boxes and do their jobs well. However, I inevitably watch mail admins come to loathe them with a deep and unending hatred, because they include one of the lamest, most brain-dead SMTP proxy modules in existence. In both the Postfix and Exchange communities, the advice is inevitably, “Oh, you’re running a PIX? Shut off the SMTP screener. It’s breaking your email.”

Now, of course, they’re going to have access to the tasty goodness of the IronPort appliances. I’ve not used one myself, but everyone I know who has raves about them and thinks they’re the best thing on earth. It will be very interesting to see whether they continue to be a separate product offering in the next couple of years, or whether they get broken apart for the crunchy technological bits and integrated into existing Cisco offerings.

Of course, I’ve never been big on the appliance route myself anyway. I want control over my border mail router, and the typical appliance doesn’t tend to give you that deep level of access you occasionally need to really understand why things aren’t working (and to get them fixed quickly). I have a special dark place in my heart for appliances and appliance makers that reserve backdoor channels into the appliance (which you’ve bought) to perform specific administrative functions and won’t give you that access in return, even when you assure them that yes, you understand that if you break it you’ll need to jump through extra hoops/sacrifice extra goats/pay extra money to get it all set right again. It’s bad enough to have to pay an ongoing subscription fee for updates to the anti-spam filters; to lock me out of administrative access of the box I bought and paid for is beyond the pale and bespeaks a certain arrogance for one’s customers that I don’t like to see rewarded with financial success. I’m all for targeting your product to a less-knowledgeable crowd, but when the customer says, “Yes, I understand that this course of action I want to pursue could really break things and that I’ll have to pay above and beyond to get it fixed,” you give the customer access to their hardware.

Thank goodness for the Exchange 2007 Edge role. I can run it on my hardware of choice, it integrates fully with Active Directory and my Exchange organization without lots of silly generic LDAP configuration, and it will even recognize and use my users’ Blocked Senders and Safe Senders lists. I’ve got decent spam and virus filtering capabilities, I’ve got lots of other crunchy message hygiene options, and there’s a good API for developing additional plugins and functionality. In my opinion, Exchange admins are beter off with Exchange 2007 Edge than any appliance….and then they’ll never have to admit to have a PIX mangling their SMTP.

First, I would like it to be known that I am only doing this under protest. I don’t usually participate in blog memes, because most of them are damned silly. However, I got tagged on this one by Paul in what looks like a fairly typical spree of spreading the love, so I’ll go ahead and do it.

So here’s the meme, in Paul’s words:

The latest craze sweeping the series of tubes is “5 Things”, a sort of chain letter in which victims participants are supposed to list 5 things that others may not know about them, then pass the baton on to some other people.

And here are my responses:

1. Those folks who read my professional blog (e)Mail Insecurity have already figured it out, but those of you here have probably not heard about it yet. This week, I got the official notice that I had been awarded the the 2007 Microsoft® Most Valuable Professional (MVP) Award in the technical community of Microsoft Exchange. Basically, this means that Microsoft has noticed and appreciated the work I’ve done out in the real world (blogging, speaking, writing, spending time on mailing lists) helping people learn about and use Microsoft Exchange Server. It’s has some neat perqs that come with it, including a great network of other MVPs (many of whom I’ve already been blessed to work with over the years) and more direct access to the Exchange product group at Microsoft. Of all the things I’d envisioned for my five-year goals, this wasn’t one of them, and I’m truly blown away that I’ve been selected.


2. Most of you know that my ambition is to be a full-time sf author and have many novels and story ideas in progress. Many of you know that I also enjoy singing and writing music, going so far as to dabble with guitar and keyboard. What almost none of you know (hush, Steph) is that I have the ambition to write and produce my own professional fully-sung Eucharist liturgy (a Christian Communion service, for those of you not up on high church terminology). I’d write it so that the congregation would definitely have parts that they’d join in, but there’d be four main celebrants (SATB, of course) with much harder parts to perform. In my perfect world, I’d be able to entice Jason Michael Carroll, Sting, Alison Krauss, and Sarah McLachlan into performing at the inaugural celebration of the liturgy.


3. Taking a cue from Paul, I had my first paid computer job when I was 12. The secretary at the resort Dad was working at needed someone to do some data entry for her, as they’d just switched her IBM PC from one accounting package to another and she needed to get the accounts receivable data into the new software. IIRC, I was offered the princely (for the time) sum of $8 an hour. We estimated that it would take around 24 hours or so, so I was standing to make quite a decent chunk of change. The first morning, I went into the office, acquainted myself with PC-DOS for the first time, and spent the first four hours doing data entry. When lunch came around, I grabbed the manuals and read them while I ate. I noticed that the new package talked about being able to import data from a variety of programs (none of which was the old package) and formats, so I checked the manual for the old program. Sure enough, it could export to one of those same formats. I backed up the work I’d done so far and tried the export/import. Perfect! You’d think she would be happy, but no — she was quite upset that a 12-year-old had figured this out and somehow made her look bad. She paid me for one single hour of my time — since the actual export/import work had taken one hour and was in a separate data file from the one I’d spent the morning on, she claimed that it was the only work that counted — and that was that.


4. While I grew up in Oregon and have spent the majority of my post-college years in Washington, I am not in fact a native Pacific Northwesterner. My family actually comes from back ’round Wisconsin and Michigan, and we moved out to Corvallis, OR when I was just 11 months old. The Pacific Northwest Native Advisory Board did, in fact, take this into consideration, decided that it wasn’t my fault I couldn’t get my parents to move out here before I was born (and in fact one member of the panel commended me for “extraordinary action in relocating his family while still shy of his first birthday”), and granted me PNW native status anyway. This is good, because if I didn’t have that status, I wouldn’t be able to gripe about the Californians as is the right of all native PNWers.


5. During high school, I participated in an academic competition at our local community college. To fill out an empty time slot so I could take the entire day off, I picked the radio broadcasting competition, since when I was a young lad I used to spend hours in my room with cassette recorders pretending to be a DJ. The next year after the competition, I spoke to the college radio faculty director about doing a 15-minute radio show focused on events at the high school. Suddenly, I found myself gathering information for, recording, and producing a weekly radio show. The poor college DJ who had to run my piece before his own show quickly grew to hate me, as I pushed the envelope of what I could do by including clips of favorite pop songs and completely harshed the mellow of his own show (which was heavy metal, IIRC). I had the complete backing of the faculty director, though, so there wasn’t much he could do. My first year of college, I took radio as a pass/fail credit and continued harshing the mellows of the broadcasting program students; my format, right in the middle of a highly-desired timeslot, was an eclectic combination of news commentary, music selection and experimentation from all genres (there was literally nothing I wouldn’t play), and pure naked listener gratification. I must have been making someone happy, though it wasn’t the “serious” broadcasting students; I enjoyed a constant high level of feedback from the surrounding community. Again, that kept The Powers That Be from stepping in and messing with my groove.

I’ll just note here, for the record, that I’m only doing this because I already have a couple of things I wanted to blog about and I can twist this meme to my service. The fact that I’ve been needing to update here is just extra gravy. The fact that one of my other co-victims needs to actually fix his blog server before he can respond just makes me feel better about the whole thing.

And now on to my victims, which is the hard part. I’ve been seeing this meme running around the tubes for a while, so anyone who hasn’t already done it is either less connected than I am or just as likely as I am to say “Poppycock!” at the whole concept and just not participate. With that caveat in mind….

….I choose you, Alistair, Andrew, Brian, Nick, and Steph (in alphabetical order so no ranking is implied).

Greetings, everyone. I hope you had a great holiday season. Mine was pretty decent; I received a Macbook Pro and survived the office move. I also got some good news today.

Back to Exchange blogging!