Wednesday, November 18, 2009

Data Protection Manager: A look at 2007 and 2010 Beta

In Microsoft's world, where every service a business could ever need is run by a Microsoft application, storage is dirt cheap, all your Servers run modern operating systems, and the only files users lose are recoverable with VSS "Previous Versions," DPM is a great fit. You could keep a month of file, Exchange, and SQL backups, replicate them to a second DPM server offsite, and call your DR plan complete.

However, in today's world our infrastructures are often more complicated. We might have virtual machines running on (gasp!) VMWare, old Windows servers, non-Windows servers and budget limitations. But we'll get into that later...

If you are interested DPM as a backup solution, there are some definite major improvements in DPM 2010 over DPM 2007. This list is not comprehensive, but a selection of those features with the biggest improvements.

Auto-heal features
In DPM 2007, anytime a job failed an alert was logged in the management console, and no more jobs would run until the error was resolved, usually manually. This was extremely time consuming. Consistency checks and recovery points would often fail due to the partition DPM allocated for that server's backup filling up, and the partition had to be manually resized by "modifying disk allocation" in DPM. Now there are auto-heal features so that DPM can re-run failed consistency checks and recovery points automatically as well as automatically resize partitions as they fill.

Continue on Failure
In prior DPM versions if a backup came across a file it could not backup for any reason, such as permission denied errors or a corrupt file, the entire backup would fail and you would have no recoverable data until the issue with that single file was resolved. DPM 2010 will now continue to back up other files, skipping the one with the problem, and log those files that are skipped at the end of the backup.

Backup Engine Failure Auto-restart
In earlier DPM versions the backup agent service would periodically crash on some servers. DPM would then fail the backup and raise a critical alert in the management console. Now DPM will try and restart the backup service and the job itself before logging errors. Another administrative timesaver.

End User Recovery for SQL
As an add-on to regular end user recovery for files, DPM 2010 Beta now touts a similar model for SQL databases, which will allow DPM administrators to give certain users access to restore SQL databases themselves. This user role can be added through powershell.

Exchange 2010
Aside from Windows Server Backup, DPM is the first backup product on the market to support Exchange 2010 out of the box.

Do I have you excited yet? Now onto the limitations:

  • No compression or deduplication of backups on disk, which causes the need for large amounts of disk space.
  • No long-term disk storage, long term protection must be to tape. If you have any compliancy regulations to adhere to, you can forget a disk-only backup solution with DPM. Based on VSS, which has a limitation of 64 copies, you cannot store more than 64 backups per volume. If you need to keep more than that, you have to back it up to tape. Note that this limit does not apply to application data like SQL and Exchange.
  • Lack of encryption options. DPM 2007 allowed encryption of data at rest on disk only through the Windows Encrypting File System (EFS) but little documentation on it. DPM 2010 Beta documentation doesn’t mention encryption at all, but I imagine it hasn't changed. Tape encryption is certificate based only. You better back up your certificates!
  • No support for Legacy operating systems. DPM 2010 can only back up Windows 2003 and later
  • No support for non-Windows operating systems
  • Virtualization support. DPM offers some excellent features such as granular VM file restores from .VHD snapshots, but only if you are running Hyper-V. There is no snapshot support for VMWare or other virtualization technologies
  • Clunky use of Windows disk management for backup sizing. When you set up backups for the first time, DPM estimates for you how much space you will need based on your retention and the size of the files you select for backup. Then it allocates this space from the DPM disk pool by creating a disk partition based on the estimated size. A separate partition is created for each volume you want to back up. So if one server has 4 drives, C:, D:, E:, and F:, there will be 4 partitions created. When a partition is filled, it has to be resized before more backups can take place for that protected volume. Here is a view of disk management on a DPM server. Note that there is a partition for every volume. Messy, to say the least:

  • Manual failover switching. You have to manually fail over each volume you are backing up in the case that your primary DPM server fails and you need to switch to the secondary. And there is no multi-selecting volumes, so make sure you add this time into your DR plan if you have a lot of volumes to protect.

The reliability enhancements in DPM 2010 now make DPM a worthy purchase for a small shop with a limited budget for software and a small amount of data. It's hard to argue with the low pricing of DPM licensing.

But if you have a lot of data the storage costs quickly get out of hand. DPM estimated 221 GB of storage space in DPM to keep 104 GB of data backed up for 30 days. And chances are the actual storage space ends up being more than that. If you choose to use DPM, make sure your storage model is scalable.

Tuesday, November 17, 2009

Exchange 2010, Outlook Mobile 6.1 and Text (SMS) Messaging

One of the new Client Access Role features of Exchange 2010 is SMS messaging. The first thing to know about this… Exchange did not learn to speak SMS. Exchange doesn't dial a modem. Exchange doesn't do SMS, per se. Exchange does do Activesync. And the Activesync and Windows Mobile team made this possible. Activesync actually sends/reads/synchronizes text messages to your phone. So when a text is sent, it's sent from your phone because Activesync told it to!

First, lets talk environment. Exchange 2010 RTM, Windows 2008 R2. Mailbox and CAS are 2010. The mobile device is a Windows Mobile 6.1 - This requires a Windows Mobile 6.1 or better device. No iPhone, no Blackberries have this functionality.

Install Outlook Mobile 6.1 on your WM 6.1+ device - Download from Microsoft at:

Thanks to Mike here for this link:

Configure Acticesync to your Exchange 2010 CAS server(s), and the next time you go into text messages, your device will prompt you asking if you want to sync texts with Outlook. When you accept this, you will get an email like this one:

The link for this is:

When you log into OWA (or Outlook 2010 when available) you can send texts to contacts from OWA:

Exchange uses Activesync to instruct your device to text on your behalf.

When a reply is received to your phone, the next activesync (aka, when you get an email) will pull that text into your inbox:

Users can disable/turn off/edit this feature in OWA options:

Of course, this can be disabled entirely for all users of a CAS server using:

set-owavirtualdirectory -TextMessagingEnabled:$false

Or this can be disabled per user using new Exchange 2010 OWA Mailbox Policies!

Wednesday, November 11, 2009

Implementing integrated OCS in Exchange 2010

UPDATED on 8/31/2010 for Exchange 2010 SP1 here!

This entry is to show you how to integrate OCS 2007 R2 into your Exchange 2010 OWA experience. This is based on the following Technet article:

First, download and extract OCS 2007 R2 Web Trust Tool from Running and installing this will only extract these additional files. Each of these will need to be installed on each CAS server in your environment that you are enabling OCS Messaging on. Remember, there is no right click run as Administrator for MSI's - so run from an elevated command prompt if needed!
  • Install the vc_redistx64
  • Install UCMAredist.msi
  • Install CWAOWASSP.msi

On your Exchange 2010 CAS server(s), edit c:\program files\Microsoft\Exchange\V14\ClientAccess\Owa\web.config - look for the IMPoolName field. Update the webconfig file as follows:

FieldInsert Value FromExample
IMPoolNameFQDN of OCS R2 Poolocsr2pool.domain.local
IMCertificateIssuerDN of IssuerCN=DigiCert Global CA, OU=, O=DigiCert Inc,C=US
IMCertificateserialNumberSerial Number

01 F9 4E 46 AA 3C 4C 9E BD 8F 2C

(include spaces between octets!)

Look for this:

And based on this (where thumbprint is the certificate your CAS server uses for IIS)
Get-ExchangeCertificate -Thumbprint BJBHDS78FG6D8GFYH49SDF34TH9 | ft Issuer, SerialNumber, subject

Change to this:

The "subject" gives us the common name that we use in a bit to configure OCS.

Additionally, if your Issuer has funky characters, you need to replace them as they will break your web.config file, causing generic IIS errors. Just removing those characters will make for application event log errors that the certificate was not found in your certificate store.

Since the web.config is an XML file, and you need to use XML character special escapes

""(double) quotation mark
''apostrophe (= apostrophe-quote
&lt;<less-than sign
&gt;>greater-than sign

So if your SSL provider's issuer field causes you a problem here, this should help you work around it.

In Powershell, configure OCS:
Get-OWAVirtualDirectory -server SERVER | set-owaVirtualDirectory -InstantMessagingType 1

(The above line *did* say -InstantMessagingType OCS, but RTM documentation says 1 for OCS - thanks to Brian Day for this!)

Restart IIS (IISreset is fine)

On your OCS R2 Pool server, under the server properties of your pool, on the Hosts Authorization tab, you need to add the Client Access server. This can be FQDN or IP. If you use FQDN, OCS will additionally authenticate the FQDN against the certificate names - the FQDN here has to match the "subject" we found above (NOTE: Not the whole string, just the FQDN common name given in the subject) Additionally, you can choose to use FQDN and then use a hosts file to ensure that OCS is communicating with the correct server/IP.

Now I am able to log into OWA 2010 and get the light CWA client as well:

Upper right allows me to see and update my presence, as well as see how many IM conversations I have active and switch between them as well.