C O N T E N T S

41 Esse
Essential Windows
COVER STORY Server 22008 R2 Features for A PENTON PUBLICATION
Managing Your File Server
Managin
Infrastructure
Infrastru AUGUST 2010
Four tools in the new OS—DFS
Consolidation Root, File Server Resource VOLUME_16
Manager, File Classification Infrastructure,
and Access Based Enumeration—bring you NO_8
greater control over your file structure.

COLUMNS
BY ERIC B. RUX

45 Error Trapping and

Handling in PowerShell CROCKETT | IT PRO PERSPECTIVES
PowerShell 2.0 introduces the Try…Catch…
Finally construct to trap and handle errors.
5 Real Data for IT
Find out why it’s an improvement over the Pros and Developers
Trap construct, which is available in both Richard Campbell, consultant to
PowerShell versions. IT and developer departments,
BY DON JONES discusses Microsoft Visual Studio
2010, which includes new tools
that help IT organizations and
24
4 DNS Enhancements in 48 Setting Up Network developer teams produce efficient
Windows Server 2008 R2 Device Enrollment Service business applications.
Windows Server 2008 R2 introduces powerful Secure your non-Active Directory devices
feature enhancements and new technologies to by setting up Network Device Enrollment THURROTT | NEED TO KNOW
give you confidence in the security of your DNS
infrastructure.
Service, a solution for issuing and managing
security certificates. 7 What You Need
BY JOHN SAVILL BY RUSSELL SMITH to Know About
Windows Server
52 Exchange Server’s Client
FEATURES Access: Deploying Your
2008 R2 SP1,
Communications
Servers Server 14, Windows
29 Mobile Security with Client Access servers are relatively new to
InTune, and More
MDM 2008 SP1 Exchange, and in Exchange 2010 they’re
more important than ever. Learn how to Quick info about what’s new at Microsoft, including
Mobile device management continues to be an IT deploy Client Access server with the GUI and Windows InTune, MCS 14, SP1 for Server 2008 and
headache, but MDM 2008 SP1 can help tame your using automation. Windows 7, and IE 9 HTML 5 compatibility.
Windows Mobile smartphone environment. Follow
these steps to install and implement device control BY KEN ST. CYR
with MDM. MINASI | WINDOWS POWER TOOLS
BY JOHN HOWIE 56 Get Proactive with 9 Creating
SharePoint 2010’s Improved
Monitoring Bootable VHDs with
37 Virtualizing Active Directory SharePoint 2010’s monitoring feature—with
Disk2VHD
Disk2VHD simplifies the
Follow these recommendations to decide what improved timer jobs, reporting, and
you should virtualize for Active Directory, how to process of converting drives
SharePoint Health Analyzer—could make
build and deploy it, and how to administer AD and on running systems into one
you a more efficient, and perhaps, even
maintain security in a virtual environment. or more VHDs.
happier, admin.
BY SEAN DEUBY BY TODD KLINDT
For DCs, Simple Storage is Better Storage 38 SharePoint 2010 Improvements 58 OTEY | TOP 10

11 TCP/IP Ports
Used by VMM 2008
Microsoft System Center Virtual
Machine Manager 2008 relies
on specific TCP/IP ports in order

INTERACT IN EVERY to communicate with other

components; make sure these

ISSUE
ports for the Administrator
Console, the VMM library server,
15 Reader to Reader RDP, and other components are
Create PDF files with the doPDF utility, get the always available.
real workgroup name in VBScript and PowerShell
code, and investigate CPU spikes by using System
Monitor in conjunction with Process Monitor. 79 Directory of Services WHEELER | WHAT WOULD MICROSOFT
SUPPORT DO?

19 Ask the Experts 79 Advertising Index 13 Monitor System

Set up a miniature Virtual Desktop Infrastructure 79 Vendor Directory Startup Performance
lab, create your own self-signed certificates, log on in Windows 7
to ESX’s service console as root, create bootable
Virtual Hard Disks, and more. 80 Ctrl+Alt+Del Use the Windows 7 Event Viewer,
which lets you filter events and
perform queries on XML event
data, along with the Wevtutil tool
Access articles online at www.windowsitpro.com. Enter the article ID (located at the end of each to find and collect event data
article) in the InstantDoc ID text box on the home page. and view boot-time trends.
B7VH966JF98UY YHE445J
J45CJ9G76NNHP9DOG GF2RPQQG
2FGREEHGT4V;RTUA6FW[FV3YX6 6ZW488MXLRH4 476N7
S9DFF494JJ5VT
T7DL1ZAT;ON HEFKO6A990FF
F9ENGF FKF0
L788YKX6
6ZGHH96W8;3TH5 5XD9VV5C3S9MMD0664C6EEHS
O2
29GDFF9GJJDFWEFKKGJEGJJ5J77MANAGMXXD9VV7V5FFC
M6
60FI33U00JFOMROOR4Y5O79DGS0FF9GEM3NT8FG5Y Y3
IFHTUU45DF94JT T9GF8G3G9KRFGF88YUFKELT3 3TE5J
J3LRKKC9
9XC7G8S S9T4KJ44E75T2D3D
DIG5H3F FHTTU45T
Y5H5JJ47
7LR9XC7 7NF6MOTJU5T3KH77JV09GR RQ331RT0
T4R7HH4300YJ4NDDFM2QG6FG40FG699USG94 4J355J4Y
YE
9G
GJPEGG0RRGIB8Y445HR8VB6D87DDF3GFGRH HE7
7BJB00E
GK55JDGOT7UVRG3ER RGMXD9VVX3J6F9RO44T226T4YY4W
W488FXDV
V9VS1MPL3RV5C34GI42OZGH HOEFF5JT3HH5S
5F399V7VC;;XMEEG8S9TYGY35E4GB445FUFFQ7F2 2D09U
E4J3RRG5JWOOI9RG667GK7DU44TWF25GHH94JG00PGW3T T
B7VH966JF98UY YHE445J
J45CJ9G76NNHP9DOG GF2RPQQG
2FGREEHGT4V;RTUA6FW[FV3YX6 6ZW488MXLRH4 476N7
S9DFF494JJ5VT
T7DL1ZAT;ON HEFKO6A990FF
F9ENGF FKF0
L788YKX6
6ZGHH96W8;3TH5 5XD9VV5C3S9MMD0664C6EEHS
O2
29GDFF9GJJDFWEFKKGJEGJJ5J77MANAGMXXD9VV7V5FFC
M6
60FI33U00JFOMROOR4Y5O79DGS0FF9GEM3NT8FG5Y Y3
IFHTUU45DF94JT T9GF8G3G9KRFGF88YUFKELT3 3TE5J
J3LRKKC9
9XC7G8S S9T4KJ44E75T2D3D
DIG5H3F FHTTU45T
Y5H5JJ47
7LR9XC7 7NF6MOTJU5T3KH77JV09GR RQ331RT0
T4R7HH4300YJ4NDDFM2QG6FG40FG699USG94 4J355J4Y
YE
9G
GJPEGG0RRGIB8Y445HR8VB6D87DDF3GFGRH HE7
7BJB00E
GK55JDGOT7UVRG3ER RGMXD9VVX3J6F9RO44T226T4YY4W
W488FXDV
V9VS1MPL3RV5C34GI42OZGH HOEFF5JT3HH5S
5F399V7VC;;XMEEG8S9TYGY35E4GB445FUFFQ7F2 2D09U
E4J3RRG5JWOOI9RG667GK7DU44TWF25GHH94JG00PGW3T T
C O N T E N T S

PRODUCTS
60 New & Improved EDITORIAL ADVERTISING SALES
Check out the latest products to hit the Editorial and Custom Strategy Director Publisher
marketplace. Michele Crockett mcrockett@windowsitpro.com Peg Miller pmiller@windowsitpro.com
PRODUCT SPOTLIGHT: ProStor Systems’ InfiniVault Director, International and Agency Services
Executive Editor, IT Group
Amy Eisenberg amy@windowsitpro.com Don Knox don.knox@penton.com
61 Paul’s Picks Technical Director
EMEA Managing Director
Irene Clapham irene.clapham@penton.com
Apple iOS 4 beefs up the iDevice world; and Michael Otey motey@windowsitpro.com
Hotmail doesn’t get any respect, although it does Director of IT Strategy and Partner Alliances
get Exchange ActiveSync. Senior Technical Analyst Birdie J. Ghiglione birdie.ghiglione@penton.com
619-442-4064
BY PAUL THURROTT Paul Thurrott news@windowsitpro.com
Online Sales and Marketing
Custom Group Editorial Director Manager
62 Best of TechEd 2010 Award Dave Bernard dbernard@windowsitpro.com Dina Baird Dina.Baird@penton.com
Web and Developer Strategic Editor Key Account Director
Winners Anne Grubb agrubb@windowsitpro.com Chrissy Ferraro christina.ferraro@penton.com
The Best of TechEd Awards recognize the most 970-203-2883
innovative Microsoft platform products and Systems Management Account Executives
services offered by Microsoft partners exhibiting at Karen Bemowski kbemowski@windowsitpro.com Barbara Ritter barbara.ritter@penton.com
the annual conference. Here are this year’s winners. Caroline Marwitz cmarwitz@windowsitpro.com 858-367-8058
BY JASON BOVBERG Zac Wiggy zwiggy@windowsitpro.com Cass Schulz cassandra.schulz@penton.com
858-357-7649
Messaging , Mobility, SharePoint, and Office
64 Corner Bowl Disk Monitor 2010 Brian Keith Winstead bwinstead@windowsitpro.com
Client Project Managers
Michelle Andrews 970-613-4964
Check out this feature-packed program for Networking and Hardware Kim Eck 970-203-2953
monitoring and managing enterprise disk data. It’s Ad Production Supervisor
Jason Bovberg jbovberg@windowsitpro.com
a great addition to any IT pro’s toolkit. Glenda Vaught glenda.vaught@penton.com
BY TONY BIEDA Security
Lavon Peters lpeters@windowsitpro.com MARKETING & CIRCULATION
65 Spiceworks 4.5 SQL Server
Megan Bearly Keller mkeller@windowsitpro.com
Customer Service service@windowsitpro.com
Management, monitoring, inventory control, and a IT Group Audience Development Director
ticketing system, all in one package—and it’s free! Sheila Molnar smolnar@windowsitpro.com
Marie Evans marie.evans@penton.com
BY MICHAEL DRAGONE Editorial Web Architect Marketing Director
Brian Reinholz breinholz@windowsitpro.com Sandy Lang sandy.lang@penton.com
67 Rove Mobile Admin IT Media Group Editors
Phone-sized administration tools let you handle Linda Harty, Chris Maxcer, Rita-Lyn Sanders CORPORATE
emergencies as well as perform routine maintenance
on your servers and network infrastructure. CONTRIBUTORS
BY ERIC B. RUX
SharePoint and Office Community Editor
Dan Holme danh@intelliem.com
68 Kerio Connect 7 Senior Contributing Editors
If setting up Exchange for your small business David Chernicoff david@windowsitpro.com
Chief Executive Officer
sounds like too much of a headache, this Sharon Rowlands Sharon.Rowlands@penton.com
Mark Joseph Edwards mje@windowsitpro.com
alternative could be what you need. Chief Financial Officer/Executive Vice President
Kathy Ivens kivens@windowsitpro.com
BY RYAN FEMLING Jean Clifton jean.clifton@penton.com
Mark Minasi mark@minasi.com
Paul Robichaux paul@robichaux.net
69 NetPoint Pro Mark Russinovich mark@sysinternals.com
T E C H N O LO G Y G R O U P
Smaller businesses can benefit from this agent-less Contributing Editors Senior Vice President, Technology Media Group
asset management and inventory system. Alex K. Angelopoulos aka@mvps.org Kim Paulsen kpaulsen@windowsitpro.com
BY JEFFERY HICKS Sean Deuby sdeuby@windowsitpro.com
Michael Dragone mike@mikerochip.com
70 VMware Workstation 7.0 Jeff Fellinge jeff@blackstatic.com
Windows®, Windows Vista®, and Windows Server®
are trademarks or registered trademarks of Microsoft
Brett Hill brett@iisanswers.com Corporation in the United States and/or other countries
Rises Above the Virtual Pack Darren Mar-Elia dmarelia@windowsitpro.com and are used by Penton Media under license from
Take a quick dive into VMware’s Workstation 7.0 and owner. Windows IT Pro is an independent publication
see how this desktop virtualization product works, then Tony Redmond 12knocksinna@gmail.com not affiliated with Microsoft Corporation.
scope out the rest of the desktop virtualization market. Ed Roth eroth@windowsitpro.com WRITING FOR WINDOWS IT PRO
BY MICHAEL OTEY Eric B. Rux ericbrux@whshelp.com Submit queries about topics of importance to Windows
managers and systems administrators to articles@
An Overview of Desktop Virtualization Products 71 John Savill john@savilltech.com
windowsitpro.com.
William Sheldon bsheldon@interknowlogy.com
PROGRAM CODE
73 SharePoint Auditing and Randy Franklin Smith rsmith@montereytechgroup.com
Curt Spanburgh cspanburgh@scg.net
Unless otherwise noted, all programming code in this
issue is © 2009, Penton Media, Inc., all rights reserved.
Reporting Tools Orin Thomas orin@windowsitpro.com These programs may not be reproduced or distrib-
uted in any form without permission in writing from
Explore third-party solutions available to support your Douglas Toombs help@toombs.us the publisher. It is the reader’s responsibility to ensure
organization’s compliance needs through change Ethan Wilansky ewilansky@windowsitpro.com procedures and techniques used from this publication
tracking, reporting, data security features, and more. are accurate and appropriate for the user’s installation.
No warranty is implied or expressed.
BY BRIAN REINHOLZ ART & PRODUCTION
LIST RENTALS
Production Director
76 Industry Bytes Linda Kirchgesler linda@windowsitpro.com
Contact MeritDirect, 333 Westchester Avenue,
White Plains, NY or www.meritdirect.com/penton.

Use biometric security to secure nearly any aspect Senior Graphic Designer REPRINTS
Diane Madzelonka, Diane.madzelonka@penton.com,
of your business, and more. Matt Wiebe matt.wiebe@penton.com 216-931-9268, 888-858-8851
IT PRO PERSPECTIVES
Crockett
“Become familiar with Visual Studio 2010’s
built-in testing features to understand how
applications can perform better in a
production environment.”

Real Data for IT Pros and Developers

New Visual Studio 2010 testing tools improve applications and business productivity

A
s IT organizations look at ways to support their busi-
nesses with fewer resources—a trend that will likely
continue even as the economy improves—one corner
that could benefit from a bright light is the interaction
between the developers who are building applications
and the administrators who commandeer the produc-
tion environment. With the release of Visual Studio 2010, which won
the Best Microsoft Product award in our Best of TechEd program,
Microsoft introduces tools that help sync the IT department and the
developers in a way that helps businesses run more efficiently.
During our series of video interviews from the TechEd show
floor in New Orleans, I spoke with Richard Campbell, a consultant
who co-produces .NET Rocks, a Web-based audio talk show for
.NET developers, and Run As Radio, a show for IT professionals.
Campbell—who often straddles the developer and IT worlds in his
consulting business—pointed out some little-known features of
the Visual Studio 2010 release that further break down the barriers
between the IT and dev worlds. “I work as a consultant with a lot of
teams where you do have a good relationship between IT and dev,
where the way the app runs in the production environment is as
important to the developers as it is to the IT folks,” Campbell said.
“They have a good discipline, and a good feedback mechanism.
But the next phase past this discipline is tooling, and with Visual
Studio 2010, we’re starting to get good tooling. Some of the new
tools in Visual Studio 2010 really speak heavily to how developers
can communicate more effectively with IT pros so that they have
that common language.”
Campbell called IntelliTrace, available in Visual Studio 2010
Ultimate, one of the most important new debugging tools because
it provides developers and IT departments hard data rather than
speculation about an application’s use and points of failure. The tool
reduces time spent in trying to reproduce errors. “IntelliTrace gives
you the ability to capture the machine at the moment of failure,”
Campbell said. “The operators of the app—the production guys—
can get a clean record of how the app fails so developers can see it.
On the test side of things, it’s much easier to communicate back and
forth and see those kinds of failures.”
Getting this level of detail about the application is a big busi-
ness win because IT and developer teams can identify and solve
problems much more quickly. Campbell stressed the importance of
being able to see where real performance issues lie and which appli-
cations’ features are being used. Developers sometimes struggle to
determine which features they should address. Application data
can help developers connect with the IT department’s view of an
app’s performance. “The production environment is where the
rubber meets the road, so that’s a process of getting the truth back,”
Campbell said.
Another tool that helps IT departments and developers get better
application data is Runtime Intelligence, a profiling tool produced
by PreEmptive Solutions that’s available in every version of Visual
Studio 2010. “Runtime Intelligence provides the ability to instrument
the assemblies at a fairly low level and then feed that data back into
a web service,” Campbell said. “And you can do that without actu-
ally recompiling the app. So from an IT perspective, this is detailed
instrumentation of how the app is running, where the errors occurred
in production, and also what parts are being used. So this gives the
ability for a deeper view into the app—not just a focus group but a
day-in, day-out view of how the staff is using the application.”
Typically, this level of detailed application data was available
only in a test lab, but Runtime Intelligence can run in the produc-
tion department full time, providing steady feedback that helps IT
departments and developers make decisions about resource alloca-
tion based on quantitative data rather than conjecture. Campbell
encourages every IT pro to become familiar with all the built-in testing
features that Visual Studio 2010 provides to understand how applica-
tions could perform better in the production environment. Campbell
said that by offering these testing tools, “Microsoft has poured a lot
of energy into making every failure reproducible, so we capture the
image of the machine so we know exactly the state it was in.”
My TechEd talk with Campbell was one of many conversations
we captured on film from our booth. If you couldn’t make it to New
Orleans, you can relive the best of the tech talk (if not the humidity,
the jazz, and the beignets) at our Taste of TechEd virtual trade show
on August 25 (www.vconferenceonline.com/shows/summer10/
teched). We’ll kick off the show with a technology overview from
Michael Otey and Paul Thurrott and follow with more interviews
with IT and developer experts, official TechEd session footage,
and demo booths where you can put new solutions through their
paces.
InstantDoc ID 125491
MICHELE CROCKETT (michele.crockett@penton.com) helped launch
SQL Server Magazine in 1999, has held various business and editorial roles
within Penton Media, and is currently editorial and custom strategy director
of Windows IT Pro, SQL Server Magazine,
e and System iNEWS.

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 5

NEED TO KNOW
“Windows InTune offloads system
management to the cloud and provides
a way to manage all of the PCs in your
environment remotely.”
What You Need to Know about Windows Server 2008 R2
SP1, Communications Server 14, Windows InTune,
and More
A
lthough summer is usually a quiet time in the PC
and electronics industries, Microsoft holds its annual
TechEd conference at this time of year, and there’s
always a lot of good product and technology informa-
tion coming out of the show. Here’s what you need to
know about the news from TechEd 2010.
Windows Server 2008 R2 and Windows 7 SP1 Beta
As of press time, Microsoft is to deliver by the end of July a public
beta version of SP1 for Windows Server 2008 R2 and Windows 7.
The company says it will use feedback from the beta to determine
the final release schedule, but I expect to see the final release hit
before the end of 2010.
SP1 adds almost no new functionality to Windows 7 beyond a
Remote Desktop update. However, it represents a major functional
update to Windows Server 2008 R2, with support for new features
like Hyper-V Dynamic Memory and RemoteFX. Another new fea-
ture, RemoteFX USB Devices, aims to provide better USB device
redirection over RDP than the shipping version of Server 2008 R2.
You’ll be able to use virtually any USB device transparently over RDP,
including scanners, all-in-one printers, web cameras, VoIP phones
and headsets, and biometric devices.
And since I knew you were just thinking about this, yes—the
Dynamic Memory feature from SP1 is being added to Hyper-V Server
2008 R2. And System Center Virtual Machine Manager 2008 R2 will
get an update this year to support Dynamic Memory as well.
Looking Back and Looking Ahead with Windows Server
Speaking of Windows Server, you can expect some changes in
naming and branding when the next version hits in 2012. Microsoft
is dropping the major/minor release cadence silliness and the
even sillier R2 naming scheme. Instead, Windows client and server
releases will be developed and released in lockstep going forward,
starting with vNext, as they call it internally.
Think about this for a second. Windows Vista SP1 and Server
2008 were developed on the same code base, so they were updated
together with the SP2 release that applied to both—although it
was Vista’s second service pack and Server 2008’s first. Meanwhile,
Windows 7 (a major release) and Windows Server 2008 R2 (a minor
release) were developed on the same code base and will be serviced
w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u
Thurrott
together starting with SP1. These two product generations—Vista/
Server 2008 and Windows 7/Server 2008 R2—are incompatible from
a servicing perspective. And Microsoft tells me it has no plans at all
for a Vista/Server 2008 SP3 release. I have to think a rollup will hap-
pen eventually, however.
Of course, some Windows Server users are facing bigger prob-
lems. Windows 2000 will have hit “end of life” by the time you read
this, meaning that it has exited the support lifecycle. So unless you
don’t mind paying for security updates, this OS is dead in the water.
And although Win2K Server usage is down to the single digits, these
machines are still out there.
For Windows Server 2003, it’s even worse. This OS represents
about 50 percent of the installed base and it hits extended support
in July 2010. That means that the majority of Microsoft’s server
customers have five years to move to something more modern. The
big issue with Windows 2003—and as it turns out, Server 2008—is
32-bit application compatibility. In fact, the number-one reason that
Server 2008 R2 customers exercise their downgrade rights is to install
a 32-bit version of Server 2008. Server 2008 R2, as you know, is 64-bit
only, and there’s an entire generation of 32-bit in-house and line of
business (LOB) apps that need to be updated or replaced, and from
what I can see, few are moving to do so with any alacrity.
“Windows Server 2003 is a power-hungry, non-virtualized, x86
world,” Microsoft group product manager Ward Ralston told me
recently. “It’s the classic server sprawl problem. Newer versions of
Windows Server are just so much more efficient.” Exactly right. Get
busy, people. If you’re on Windows Server 2003, it’s time to start
planning a migration today.
Small Business Server “7” and “Aurora”
Microsoft will follow up the current Small Business Server version,
SBS 2008, with two products, each of which serves a particular need.
The first, currently code-named SBS “7”” will be a traditional SBS
product update and will offer, as before, on-premises versions of
Windows Server (2008 R2), Exchange 2010, Windows Server Update
Services (WSUS), and more.
The second product is, perhaps, more interesting. Currently
code-named SBS “Aurora””, this SBS version is based on the same
code base as Windows Home Server “Vail” and assumes that your
email and other services will be hosted in the cloud. It can create but
Windows IT Pro AUGUST 2010 7
 NEED TO KNOW
not join domains, and offers only very sim-
plified on-site management tools. But it has
a super-simple interface and works with the
WHS-based Drive Extender technologies to
consolidate all attached storage as a single
block of storage. Good-bye, drive letters.
I’ll be writing more about Aurora soon.
This is a product that could transform the
small business market.
HTML 5 and the Future
HTML 5 is years away from being ratified as
an international standard, but browser mak-
ers are jumping all over this technology. The
reason is simple: HTML 5 is the future of the
web, and they want to prove that their prod-
uct will get you there. Microsoft’s response
to HTML 5 involves Internet Explorer (IE) 9,
as well as calls to the industry to rally around
standards test that make sense. That last bit
is important because today’s web standards
test seem designed to make IE fail. Though
I don’t expect to see IE 9 until early 2011, it
will include hardware acceleration of video
and SVG graphics.
Microsoft isn’t the first to step up to the
HTML 5 challenge, not by a long shot, and
by the time IE 9 does happen, it could be
swamped by a field of competitors that
have already exceeded whatever HTML 5
compatibility IE offers. Browser makers are
talking up HTML 5, but two in particular,
Apple and Google, have been rapidly ship-
ping new products as well.
Apple’s offering is, perhaps, less inter-
esting, but Safari 5 does offer one IE 9
feature—hardware acceleration, even on
Windows—and it’s aggressively adopting
HTML 5 features, including full-screen
video, closed captioning for video, geolo-
cation, and more. Safari 5 finally offers an
extensibility model, an area in which this
browser was lacking. I don’t expect Safari
to make major inroads in the Windows
market, but it’s not wise to discount Apple.
And Safari is certainly the overwhelming
champion in the mobile space right now.
Google’s latest browser, Chrome 5, also
embraces HTML 5, and Google is shipping
Chrome updates at an amazing clip. Chrome
5 features a great extensions infrastructure,
browser bookmarks and preferences sync,
and should have an integrated version of
Adobe Flash available by the time you read
this. On the HTML front, it now supports
many of the same HTML 5 features that
8 AUGUST 2010 Windows IT Pro
Apple added to Safari 5. Given Chrome’s
update schedule, it might prove the most
popular browser for those who like to use the
latest technologies.
Mozilla Firefox, of course, is still the
alternative browser of choice, though it
seems to have hit a plateau in usage shares.
Current versions of Firefox do support
HTML video and audio, but not with the
popular H.264 video and AAC audio for-
mats. Mozilla has been moving slowly,
not just with HTML but in general, and its
browser updates seem to be on an ever-
slower schedule. I wouldn’t be surprised
to see Firefox begin a gradual decline.
Microsoft’s initial
public beta offering
of Windows InTune
in April 2010 was,
perhaps, too
popular, and the
company had to
shut down the
sign-up site.
Communications Server “14”
A couple of years ago, Microsoft’s Uni-
fied Communications (UC) vision was,
well, more vision than reality. But with
the release of Microsoft Communications
Server (MCS) “14” (it still doesn’t have a
final branding), later this year, the vision is
becoming reality. And that’s especially true
for those environments that can standard-
ize on Exchange 2010, SharePoint 2010, and
Office 2010 as well, given the hooks that tie
each together.
MCS 14 provides real-time communica-
tions solutions around instant messaging
(IM)— text, voice, and video—and it does
so via a tiered experience where you locate
a contact by using presence information
in the MCS client, in Outlook, in Share-
Point, or in other areas, then can escalate
the discussion to different conversation
types, including VoIP. New features include
enterprise skill searching through inte-
gration with SharePoint 2010, and major
W e ’ r e i n I T w i t h Yo u
improvements to the presence model so
that MCS exposes only those conversation
types for your location.
Aside from branding, there are some
other questions around scheduling and
licensing. But Microsoft says you can expect
a public preview release by the end of 2010.
Windows InTune
Thanks to the cloud computing phenom-
enon, Microsoft has scaled back plans for
on-premises server products in small and
medium-sized businesses and is focusing
instead on delivering hosted services that
make more sense for those environments.
The one I think will have the broadest
implications over time is Windows InTune.
Currently aimed at midsized businesses, it
offloads system management to the cloud
and provides a way to manage all of the PCs
in your environment remotely. That it does
so outside of Active Directory (AD) will be
controversial to some.
There are two bit of news up front: First,
Microsoft’s initial public beta offering of
Windows InTune in April 2010 was, perhaps,
too popular, and the company had to shut
down the sign-up site. If you didn’t get in,
there should be a second, larger, public beta
offering by the time you read this. Second,
Microsoft is addressing the concerns of
partners who will want to support their own
customers using InTune by offering a part-
ner dashboard interface so they can manage
multiple sites more easily.
I’m happy to report that Microsoft
is now actively seeking to expand InTune
and will someday offer versions of the ser-
vice for small businesses and AD-wielding
enterprises as well. Although the company
is mum about how it will change InTune to
accommodate AD, in the short term you can
rest easy by understanding that AD-based
policies will always supersede any InTune-
specific policies, so it should be safe to use
in smaller environments. Microsoft plans to
deliver the initial InTune version in the first
quarter of 2011.
InstantDoc ID 125391
PAUL THURROTT (thurrott@windowsitpro
.com) is the news editor for Windows IT Pro.
He writes a weekly editorial for Windows IT Pro
UPDATEE (www.windowsitpro.com/email) and a
daily Windows news and information newsletter
called WinInfo Daily UPDATEE (www.wininformant
.com).
w w w. w i n d o w s i t p ro. c o m
WINDOWS POWER TOOLS
Minasi
“Why would you want to boot a physical system
from a VHD? I can think of several reasons, but two
important reasons relate to ease of OS deployment.”

Creating Bootable VHDs with Disk2VHD

Boot a physical system from a system drive stored as a VHD—a capability that you
might find very handy

T
his month, I’d like to start covering a few tools that
enable a feature in Windows 7 and Windows Server 2008
R2 that could be quite significant: the ability to boot a
physical system not from the physical C drive (as we’re
used to) but from a system drive stored as a virtual hard
disk (VHD). This particular column is a little unusual,
however, because typically when I introduce a tool to solve a prob-
lem, you already understand the nature of that problem. But booting
from a VHD is a new concept, so I’ll start by explaining it, then I’ll
introduce this month’s tool—Disk2VHD.
Why would you want to boot a physical system from a VHD? I
can think of several reasons, but two important reasons relate to ease
of OS deployment. First, consider how you get an OS onto a server
or workstation in the first place. You can install the system manually
by popping the installation DVD into the system’s drive, booting it,
and answering a lot of questions; you could use the installation DVD
and simplify the process with an unattended installation script; or
you could use one of the many available imaging tools to take a pre-
built OS image and blast it onto a new system’s empty hard disk.
Imaging is usually the fastest of the three options, but how do you
accomplish that imaging?
Symantec Ghost is probably the best-known commercial tool,
and Microsoft offers a free alternative called ImageX, but in both
cases the imaging process is fairly opaque. If something goes wrong
during the image transfer, it can be difficult to determine the cause.
In contrast, booting from VHD essentially requires that you copy a
specially prepared VHD file onto the target system’s hard disk. So,
booting from VHD offers what might be called XCOPY deployment. t would copy all volumes—even Window 7’s unlettered volume—to
The second reason is ease of virtual machine (VM) deployment.
By creating and maintaining your system images as VHDs—rather
than, say, as Ghost GHO files or ImageX WIM files—you can quickly
deploy (i.e., copy) those VHD-format images to physical systems or
as new, quickly built VMs under a Hyper-V server by simply copy-
ing the VHDs to the Hyper-V server and creating a new VM around
the VHD. Microsoft has even made VHDs a bit more attractive as
deployment tools by including VHD support in Server 2008 R2’s
Windows Deployment Services (WDS) servers.
To create a system that boots from a VHD, you need to accomplish
several steps. First, you need a VHD file that contains a bootable,
generalized image based on a Windows 7 or Server 2008 R2 system.
(If you’re unfamiliar with the term generalized, d it’s just Microsoft’s
latest word for “Sysprep-prepared.”) Second, you’ll need a VHD that
contains an image of a bootable Windows drive. Acquiring a VHD to
that specification requires that you create an empty VHD file (which
I’ve covered in previous months), grab a bootable system, use Sys-
prep to prepare it, boot it with an OS (probably WinPE), then use
ImageX /capture to convert that working system to a WIM file. Then,
you’d have to select and mount the VHD file as some drive letter and
use ImageX again (this time with /apply) to deploy that image to the
VHD. At that point, you’re done, and you can distribute the VHD to
new VMs or physical systems that will boot from that VHD.
That process is a fairly tall order, and I’ll show you how to do
those things in the coming months. But our friends at Sysinternals
offer some instant gratification with a free tool called Disk2VHD
(technet.microsoft.com/en-us/sysinternals/ee656415.aspx). Disk2-
VHD takes drives on running systems and converts them to one or
more VHDs—no ImageX, no WinPE, no Sysprep—all thanks to the
Volume Shadow Copy Service (VSS). Its syntax is simple:
disk2vhd <drive>|* <vhdfilename>
So, for example,
disk2vhd C: E:\a.vhd
would create a VHD from drive C, and
disk2vhd * E:\a.vhd
a VHD file. Alternatively, just start up Disk2VHD to get a GUI. Even
if you specify more than one volume, Disk2VHD packs them up
into one VHD.
Now, that’ll work in very specific situations, but not in most
cases: Simply creating an image and handing out identical copies
of that image to zillions of machines can cause security trouble. For
non-trivial deployments, however, we’ll need to make the images
generic with Sysprep. Next month, we’ll get closer to making boot-
from-VHD work.
InstantDoc ID 125422
MARK MINASI (www.minasi.com/gethelp) is a senior contributing
editor for Windows IT Pro, an MCSE, and the author of 25 books, including
Mastering Windows Server 2008 R2 (Sybex). He writes and speaks around
the world about Windows networking.

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 9

TOP 10
RDP is a staple in my VM management;
I have one or more RDP sessions going
to my VMs almost all day.
TCP/IP Ports Used by VMM 2008
If you’re using a firewall, be sure to keep these ports open for VMM
M
icrosoft System Center Virtual Machine Manager
2008 (VMM) is Microsoft’s platform for virtualiza-
tion management. VMM offers a host of enterprise-
level virtualization management capabilities that
go far beyond the features in the more basic
Hyper-V Manager. VMM is a complex product
with many different connected components. Knowing what’s actually
going on under the hood in VMM is important when it comes to solv-
ing problems because each of the VMM components relies on specific
TCP/IP ports in order to communicate with other components. If
these ports aren’t available when called upon, select pieces of VMM
functionality won’t be available. If there’s a network firewall between
systems or if you’re using Windows Firewall, you need to make sure
these ports are available. In this column I’ll list the top 10 TCP/IP ports
used by VMM and explain what they’re used for. Bear in mind these
are the default port settings; all the port settings can be customized.
For a complete list of the ports and protocols used by VMM, refer to
the TechNet article “VMM Ports and Protocols” (technet.microsoft
.com/library/cc764268.aspx).
1
Administrator Console to VMM server, Port: 8100;
Protocol: WCF—The VMM Administrator Console and the
VMM server can be installed on the same server, or you can
manage the VMM server remotely. For remote management, you
need to have port 8100 open on the VMM server.
2
VMM server to VMM agents, Port: 80; Protocol: WinRM
(control); Port: 443; Protocol: SMB (data)—VMM
— uses
agents on the target hosts in order to manage them. The
VMM agents use port 80 for management tasks such as viewing or
changing the state of your virtual machines (VMs) and port 443 for
data transfers to the VMM server.
3
VMM library server to Hyper-V hosts, Port: 443; Protocol:
BITS—The VMM library server stores VM templates and
stores gold image VM and Virtual Hard Disk (VHD) files that
the VMM administrator can use to rapidly create new VMs. A gold
imagee is an OS image that you use as a basis for deploying new sys-
tems. The VMM server uses port 443 to transfer these files to the
Hyper-V host.
4
VMM server to Microsoft SQL Server database storage,
Port: 1433; Protocol: T-SQL—VMM uses SQL Server as a
back-end data store. This SQL Server instance can be on the
w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u
Otey
same system as the VMM server, or it can instead be a preexisting
SQL Server instance. VMM uses port 1433 to access a networked
SQL Server system.
5
VMConnect to Hyper-V hosts, Port: 2179; Protocol: RDP—
VMConnect is an application that’s part of Hyper-V Manager
and VMM; it lets you connect to a console session of a
Hyper-V VM. By default VMConnect uses port 2179.
6
VMM Self-Service Web Portal to VMM server, Port: 8100;
Protocol: WCF—In addition to the VMM Administrator Con-
sole, VMM provides a web-based portal that enables end users
to manage their own VMs. The web-based portal must be installed on
a system that has Microsoft IIS, and it uses the same port as the Admin-
istrator Console, port 8100, to communicate to the VMM server.
7
Remote Desktop to Hyper-V VMs, Port: 3389; Protocol:
RDP—Another important protocol for managing VMs is the
standard Remote Desktop Protocol. RDP is a staple in my VM
management; I have one or more RDP sessions going to my VMs
almost all day. RDP uses port 3389.
8
VMM server to VMware vCenter (administration), Port:
443; Protocol: HTTPS—The release of VMM 2008 added
support for managing VMware’s ESX Server via an instance
of VMware vCenter Server. The VMM server communicates with
vCenter Server over port 443.
9
VMM server to ESX 3.0 and 3.5 file transfer, Port: 22; Proto-
col: SFTP—The VMM server can also conduct file transfers
directly with ESX Server 3.5 and ESX Server 3.0. These
versions of ESX Server use the SFTP protocol over port 22 for remote
file access.
VMM server to ESXi file transfer, Port: 443; Protocol: SSH/
10 HTTPS—The free version of VMware’s virtualization server,
ESXi, uses a different port for file transfers. The VMM server
communicates with ESXi hosts through port 443, and it uses both
SSH and HTTPS.
InstantDoc ID 125379
MICHAEL OTEY (motey@windowsitpro.com) is technical director for
Windows IT Pro and SQL Server Magazine and author of Microsoft SQL Server
2008 New Features (Osborne/McGraw-Hill).
Windows IT Pro AUGUST 2010 11
WHAT WOULD MICROSOFT SUPPORT DO?
Wheeler
“You need a way to monitor desktop startup
times across the enterprise and collect boot-
time measurements from every machine.”

Monitor System Startup Performance in Windows 7

Use Windows 7’s Event Viewer and Wevtutil to monitor boot- and start-time
trends on enterprise PCs

R
ecently Microsoft support has fielded inquiries from
several customers asking how to troubleshoot prob-
lems that cause delays during the boot and user
logon processes on a desktop or laptop. The Windows
Performance Toolkit xbootmgr.exe tool works well for
troubleshooting boot and startup issues on a single
machine. But what if you’re a large enterprise with thousands of
desktops? You need a way to identify problem machines before a
user reports them to the Help desk. You need to monitor desktop
startup times over time and across the enterprise. And you need a
way to collect boot-time measurements, similar to those collected by
xbootmgr.exe, from every machine for every boot. Here, I’ll explain
how you can use an event log, the new Windows 7 Event Viewer, and
the Wevtutil tool to do these things.
A New Event Log to Aid in Troubleshooting
Beginning with Windows Vista, Windows now includes a new cate-
gory of event logs: Applications and Services logs. The infrastructure
underlying event logging now conforms to an XML schema. You can
easily access the XML data for any event. The new event log interface
lets you construct XML-based queries against event logs. The Event
Viewer gives you to access to the new XML functionality in an easy-
to-use graphical interface.
One of the logs in this new category is the Diagnostics-
Performance/Operational log. This log contains events that
record performance measurements similar to those provided
by xbootmgr.exe. In fact, the data recorded is generated by the
same mechanisms that Xbootmgr uses. Event IDs 100 through
110 record boot and startup performance statistics.
10 seconds. The other time values listed represent the elapsed time
for various stages during this boot process. You can find more infor-
mation about the stages of the boot process in the Windows On/
Off Transition Performance Analysis white paper at www.microsoft
.com/whdc/system/sysperf/On-Off_Transition.mspx.
The other boot performance events record information about
specific events that contributed to delays during the boot/startup
sequence. The trick is how to know which boot instance these mes-
sages belong to. This is where the ActivityID comes in handy. In
Figure 1, you’ll see the following in the XML data:
<Correlation ActivityID="{00000001-0000-0000-1020-
5CA87BB1CA01}" />
All events related to this boot instance in this Event 100 record have
this same ActivityID. By performing the following steps, we can use
this information to create a more complex filter:
1. Click Filter Current Log… in the Actions Pane of Event
Viewer.
2. On the XML tab, check the box Edit query manually, y then
answer Yes when prompted to continue.

Using the Event Viewer in Windows 7

The new Event Viewer in Windows 7 lets you do more powerful filter-
ing. The new UI lets you specify ranges of events. Under the covers,
it builds an XPath query to filter out the events based on the criteria
you specify. In our example, we will filter for events 100 through 110.
We’re interested in Event ID 100 for the purpose of measuring the
boot performance. Figure 1 shows the XML view for event 100.
The XML presentation of the event contains a lot of interesting
information. The BootTime value represents the number of milli-
seconds that elapsed from the time the system booted to the point
after the user logged in that the system reached 80 percent idle for Figure 1: XML Event Viewer view of event 100

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 13

 WHAT WOULD MICROSOFT SUPPORT DO?
Figure 2: Sample data collected using Wevtutil
3. Enter the following XML text into the
query box:
<QueryList>
<Query Id="0" Path="Microsoft-
Windows-Diagnostics-
Performance/Operational">
<Select Path="Microsoft-Windows-
Diagnostics-Performance/
Operational">*[System[(Correlation
[@ActivityID="{00000001-0000-
0000-1020-5CA87BB1CA01}"])]]
</Select>
</Query>
</QueryList>
4. Click OK.
After the query has been edited, a total of
three events for this ActivityID will be dis-
played. We can now examine these events to
understand the problems that contributed
to any boot/startup delays.
Collecting Data with Wevtutil
So far we’ve looked at only one boot
instance. How do we collect data for all boot
instances? By using Wevtutil, a Windows
command-line tool for querying the Event
logs. Using the following example, you can
extract all the Event ID 100 records from the
event log on a system:
wevtutil qe Microsoft-Windows-
Diagnostics-Performance/
Operational /rd:true /f:xml
/q:"*[System[(EventID = 100)]]"
/e:Events > boot.xml
14 AUGUST 2010 Windows IT Pro
This creates an XML data file that
contains all instances of the boot perfor-
mance event for a machine. With each
ActivityID, you could then query for the
other related events. For example, the
following query extracts the same three
event records displayed after further
filtering the query:
wevtutil qe Microsoft-Windows-
Diagnostics-Performance/
Operational /rd:true /f:xml
/q:"* [System[(Correlation[@
ActivityID='{00000001-0000-0000-
1020-5CA87BB1CA01}'])]]" /e:Events >
bootrelated.xml
Wevtutil.exe has many more options.
Run the utility without any parame-
ters to see a list of available options.
For more information, see the MSDN
article “Event Queries and Event XML”
at msdn.microsoft.com/en-us/library/
bb399427.aspx. And for more informa-
tion about learning XPath to define
event queries, see XPath Syntax at
go.microsoft.com/fwlink/?LinkId=94637
and XPath Examples at go.microsoft
.com/fwlink/?LinkId=94638.
Putting It All Together
Once you have the event data in XML
format, it’s fairly easy to extract the most
interesting data points. Figure 2 shows
some sample data I collected from one
machine. In this example, I converted
the time values to seconds. Differences
in the number of applications that start
W e ’ r e i n I T w i t h Yo u
at boot time could be significant when
you’re investigating changes in perfor-
mance. With historical data like this, you
can now begin to do some trend analysis.
For example, this system was built on
1/13/2010. Application installations and
configuration changes continued over the
next couple of days. By 1/21/2010 the con-
figuration changes had been completed.
After that, the BootTime value was averag-
ing about 124 seconds. However, notice
that on 2/4/2010 and 2/9/2010 the times
were significantly longer than average.
Extending the Value
Now that we have an automated way
to extract the event data in XML form,
we can collect this data periodically
from multiple computers and store the
results in a database. Using some simple
reporting, it’s easy to do trend analysis.
A complete enterprise solution will
require more code development and
data management, but it’s feasible. And
that’s exactly what one of my largest
customers did.
Using a VBScript program I wrote,
the customer collects event data into
a SQL Server database. They’ve used
this data to establish some baseline
statistics for their desktop image build.
They can pivot this data based on the
hardware (e.g., memory, CPU, model)
and software configuration. Using SQL
Server Reporting Services, the customer
built a dashboard view that displays the
boot-time health status of all desktops
in the enterprise. With specific reports,
they can compare this baseline to new
data collected after deploying new group
policies, new security tools, or a hard-
ware upgrade. They also use this data to
proactively identify machines that take
longer than the average baseline. This
information allows IT to address issues
before users call the Help desk, reducing
the time to resolution and making end
users happier.
InstantDoc ID 125383
SEAN WHEELER (seanw@microsoft.com) is
a senior premier field engineer on Microsoft’s
Premier Support team, assigned to support some
of the largest enterprise customers. He’s one
of the original creators of the MPS Reporting
tool. He specializes in scripting, debugging, and
performance issues.
w w w. w i n d o w s i t p ro. c o m
 READER TO READER

■ PDF Files ■ CPU Spikes on a Laptop

■ Workgroup Names

READER TO READER

Tool Time: Use doPDF to Create
PDF Files
When it comes to creating PDF fifiles, Mac
users are probably more happy than
Windows users. Mac OSs include a utility to
create PDF files, whereas Windows OSs don’t.
If Windows users want to create PDF fi files,
they need to install an additional program.
One such program is doPDF (www
.dopdf.com), a freeware PDF
converter that can create PDF
files from virtually any type
of printable document. Al-
though there are a few oth-
er free PDF converters, such
as ActivePDF’s PrimoPDF
(see “Tool Time: Create PDF
Files with PrimoPDF,” March
2009, InstantDoc ID 101217),
most of them require downloading ding
additional software, such as Ghostscript
or the Microsoft .NET Framework. The
doPDF converter doesn’t require any
additional programs, which means you
can install it in seconds.
Once installed, creating PDF fifiles is as
simple as printing a document:
1. Open the document you want to
convert to a PDF.
2. Select Print on the File menu. On the
drop-down list of printers, select doPDF.
3. Click OK or Print (depending on your
Windows OS), and select where you want
to save the PDF file.
The doPDF program has an executable
fi so if you don’t like the method just
file,
described for creating PDF fi
files, you
can simply go to Programs and click the
doPDF icon. You’ll be able to select your
document and create the PDF file from the
program’s interface. You can use doPDF
on Windows 7, Windows Vista, Windows
XP, Windows Server 2008, Windows Server
2003, and Windows 2000 Server.
—Claudiu Spulber, support technician for a
software development company
InstantDoc ID 125413
Getting the Real Workgroup Name credentials used on standalone systems,
in VBScript and PowerShell the local host name is used in the role of
If you have scripts that need to run in both the domain name, making the computer
domain-based and workgroup-based name the correct value to return.
environments, you might encounter However, when you’re dealing with shar-
problems using the %USERDOMAIN% ing issues in a workgroup-based environment
environment variable or the UserDomain (where the computers are not actually mem-
property exposed by Windows Script bers of a domain), you might need the real
Host’s (WSH’s) WshNetwork object to ob- workgroup name. For that purpose, your best
tain wor
workgroup names. You can gen- bet is to use WMI’s Win32_ComputerSystem
erally work around the problem class. Its Domain property specifies
fi the actual
wit
with Windows Management domain or workgroup name for the computer.
Ins
Instrumentation (WMI). The code at callout A in Listing 1
The problem is that if a demonstrates how to use the Domain
co
computer isn’t logged onto a property to retrieve and display the local
do
domain, the %USERDOMAIN% computer’s workgroup name in VBScript
var
variable and the UserDomain code. You can do the same thing in
property don’t return PowerShell with code such as
the computer’s work-
Claudiu Spulber
group membership. (Get-WmiObject `
Instead, they return Win32_ComputerSystem).domain
the name of the local computer. This isn’t
a bug or oversight. The %USERDOMAIN% Note that this technique doesn’t produce
variable and UserDomain property relate the same result if you happen to run it on
to the security domain and not the name a computer within a domain. In a domain,
used for grouping computers. Because the the Win32_ComputerSystem’s domain
security authority for a standalone com- property is the name of the computer’s
puter in a workgroup is the local computer DNS domain.
itself, the value is correct. Furthermore, in The Win32_ComputerSystem class also
has the JoinDomain-
Listing 1: VBScript Code That Displays Then Changes the Local
Computer’s Workgroup Name OrWorkgroup method
A Dim result, results, domain that you can use to set
Set results = GetObject("winmgmts:"). _ the workgroup name
execquery("select domain from win32_computersystem")
For Each result in results for individual comput-
' Returns the workgroup name if in a workgroup. ers. In a workgroup en-
' If a domain member, returns the DNS domain name.
.domain = result.domain vironment, it’s very easy
Next
WScript.Echo domain to use. All you need
to do is specify the
B For Each result in results new workgroup name.
' On Vista and later, only works if script
runs elevated. Note that on Windows
results.JoinDomainOrWorkgroup("Workgroup")
Next Vista or later systems,
you need elevated
Tell the IT community about the free tools you use, your solutions to problems,
or the discoveries you've made. Email your contributions to r2r@windowsitpro.com.
If we print your submission, you’ll get $100.
Submissions and listings are available online at www.windowsitpro.com.
Enter the InstantDoc ID in the InstantDoc ID text box.

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 15

 privileges to use the JoinDomainOrWork- InstantDoc ID 102479) interest-
group method. ing and thought I would share
The code at callout B in Listing 1 a technique I used to deal with
demonstrates how to use the the same issue. I had a particu-
JoinDomainOrWorkgroup method lar process (BESClient.exe) that
to change the workgroup name in was spiking the CPU on my
VBScript. In PowerShell, you can run laptop. The BESClient process
code such as is the client for the BigFix patch
management solution. I used
(Get-WmiObject ` System Monitor in conjunction
Win32_ComputerSystem).` with the Sysinternals Process
JoinDomainOrWorkgroup("Wkgp") Monitor utility (technet
.m
.microsoft
Before using either the VBScript .co
.com/en-us/
or PowerShell code, you’d need sys
sysinternals/
to replace Wkgp with your bb
bb896645
workgroup’s name. Although it .as
.aspx) to gain Figure 3: Configuring the arguments
can take a few minutes for the so
some insight as to what was occur when an alert is triggered, you have
workgroup change information go
going on with my system several options, as Figure 2 shows. When
to propagate on a network, du
during the spikes. you want to run a batch file or another
the change will take effect
ff im- First, I created a short type of program, you must pass at least
mediately on the PC without a batch fi
file, one argument to it, whether or not that
reboot. Alex K. Angelopoulos BigFix.bat, to argument is used. In my case, BigFix.bat
—Alex K. Angelopoulos, IT
T consultant
lt t run Process didn’t need an argument, so I simply used
InstantDoc ID 125503 Monitor and put it in the C:\data\bat a text-message argument that I tailored to
folder. Listing 2 shows this batch fi file. A be self-documenting, as Figure 3 shows.
Dealing with CPU Spikes on a Laptop fifilter that limits the normally extensive • If the program needs to run interactively,
I found the article on how to solve output can be created within Process you must change some settings in
high CPU usage problems by Michael Monitor if desired. the Performance Logs and Alerts
Morales (“Got High-CPU-Usage Prob- Then, within System Monitor, I created service properties page—a situation
lems? ProcDump ‘Em!” September 2009, an alert that would both log an entry in that the “How to create and configure
the application event log performance alerts in Windows Server
Listing 2: BigFix.bat and run my batch fi file when 2003” article doesn’t mention. If you
"C:\Utilities\Sysinternals\Process Monitor\Procmon.exe" CPU usage (%Processor want to trigger an interactive program,
/BackingFile "C:\Tmp\Sysinternals\Process Monitor\
EventStore.PML" /Quiet Time) was more than 95 you need to do the following:
percent for the BESClient 1. In the Performance Logs and
pprocess. The Microsoft Alerts page, select the Log On tab.
aarticle “How to create and 2. Choose Local System accountt in
cconfigure
fi performance the Log on as option and select the Allow
aalerts in Windows Server service to interact with desktop check box.
22003” (support.microsoft 3. Click Apply.
.c
.com/kb/324752) explains
hhow to create an alert. When you’re done troubleshooting the
AAlthough the article is problem, make sure that you change
wwritten for Windows 2003, the Log on as option back to the default
th
the instructions are appli- NT Authority\Network Service setting.
ccable to other OSs. I used Leave the password box blank because
th
them to create an alert the system will create and manage one.
oon my laptop, which runs
WWindows XP SP3. By using System Monitor in conjunction
The instructions for with Process Monitor, I was able to
ccreating an alert are determine the reason for the spikes: The
ggenerally easy to follow, BigFix client was iterating through all the
eexcept for two tricky parts: thousands of files on my laptop.
• When selecting the —Dave Bartholomew, IT consultant
Figure 2: Selecting the actions that you want to occur actions that you want to InstantDoc ID 125439

16 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

 ASK THE EXPERTS
■ PowerShell ■ Outlook
■ VDI ■ ESX
■ Hyper-V
Q: How can I schedule a
Windows PowerShell script?
ANSWERS TO YOUR QUESTIONS
A: Scheduling a PowerShell script is
easy: Just schedule PowerShell.exe,
which is located in \Windows\System32\
WindowsPowerShell\v1.0 (even v2 is
located in that folder for some reason).
You can add help simply by creating spe- PowerShell.exe has command-line
cially formatted comments, as described in parameters that let you specify a
PowerShell’s own online help. Run command—such as the name of a
script—that you want to run. Be sure
help about_comment_based_help that the scheduled task is running under
a user account that has permission to do
to read about it. The shell parses these spe- whatever the script is trying to do.
cially formatted comments and constructs a —Don Jones
Help page that looks exactly like the “real” help InstantDoc ID 125135
Q: If I use application
tion virtu
virtualization, that comes with shell cmdlets. Adding this
how does application activatio
activation work? Help page is a great idea. It helps to document an equal chance of being given the job.
your functions and scripts, making it easier for While this responsibility doesn’t come into
A: Youu shouldn’t think of application vivirtu- someone else to use them. By integrating the play often—typically, Hyper-V interacts
on as a way around activation. When
alization Whe information into the shell’s existing Help fea- with its disk files directly, not necessarily
you virtualize an application, you typically ture, your scripts and functions will look more through a coordinator node—it’s impor-
don’t activate it. Instead, it’s confi
figured like “real” commands, and other users will have tant for certain types of actions. One of
with the required information as part of the t an easier time fi
finding the information. those actions is copying VHD fi files to a LUN.
encing, but activated when it’s exec
sequencing, executed —Don Jones Hyper-V transparently redirects the file fi
on userr desktops. Many applications check
ch InstantDoc ID 125329 copy through the coordinator node.
ware that they’re running on
the hardware on, so This redirection obviously means that
ivate them during sequencing,
even if you activate Q: What’s a Hyper-V cluster’s VHD file copies can take longer if you initiate
you have to reactivate them when the appli- coordinator node, and what does them from servers other than the coordina-
cation actually runs on the user’s desktop. it do? How can I tell which Hyper-V tor node. So always do heavy VHD fi file work
This also applies to licensing—you need to host is also the coordinator node? so from the coordinator node to save your-
consider which desktops will run the virtual- self time. So how do you know which node
ized application and license accordingly. Just A: Hyper-V R2 added a new capability called is the coordinator node? There are a couple
because you virtualize an application doesn’t Cluster Shared Volumes (CSV). This feature of ways to discover who’s got the job:
mean the license model of the applica- provides the much-desired ability to handle • Inside the Failover Cluster Manager con-
tion changes to, for example, concurrent individual Virtual Hard Disk (VHD) fi files as indi- sole, click on the Cluster Shared Volumes
executions instead of per desktop. vidual items for failover. Prior to CSV, as you link and browse through the CSVs you’ve
—John Savill probably know, you had to fail over an entire created. You’ll notice that each CSV has a
InstantDoc ID 125275 disk, rather than individual VHD fi files within it. listing for a Current Owner. The Current
Fast-forward to today. The technologies Owner is the coordinator node.
Q: How can I add syntax help to that let CSV-enabled volumes operate still • Using Windows PowerShell, you can
my Windows PowerShell scripts or require one cluster node that’s responsible identify the coordinator node with the
functions? for the coordination of fi file access. This Get-ClusterSharedVolume cmdlet. Look
cluster node is called the coordinator node, for the Node column in the results for
A: I’ve seen a number of folks spend a lot with each individual LUN having its own your current coordinator node.
of eff
ffort adding a -help parameter to their coordinator node. That node can be any of —Greg Shields
scripts or functions—and there’s no need! your cluster hosts, with each host having InstantDoc IDs 125303 and 125325

Jan De Clercq | jan.declercq@hp.com John Savill | jsavill@windowsitpro.com

Don Jones | powershell@concentratedtech.com Greg Shields | virtualgreg@concentratedtech.com
William Lefkovics | william@mojavemediagroup.com

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 19

 ASK THE EXPERTS
Q: I don’t have a Certification
Authority (CA) or Public Key
Infrastructure (PKI). Can I use
SSL on my test website without
purchasing a certificate?
A: Microsoft has built in support for
the creation of self-signed certificates
In IIS 7.0. These allow you to create web
server certificates easily, without the
need for a PKI or an externally purchased
certificate.
You can create self-signed certificates fi
from the Server Certifi ficates section in the
IIS Manager MMC snap-in. To get to this
section, click the root machine node in
the left-hand pane of the IIS Manager, and
then select the “Server Certifi ficates” icon
in the right pane. The Server Certificates fi
section lists all certificates
fi that are regis-
tered on the machine, and it allows you to
import and create certificates.fi
To create a self-signed certificate, fi
Create Self-Signed Certificate… fi in the
Actions pane of the IIS Manager. IIS will
prompt you to enter a name for the cer-
tificate.
fi When you click OK, IIS automati-
cally creates a self-signed certificate fi
registers it on the machine.
Once you’ve registered an SSL certifi-
cate on your IIS machine, you still need to
SSL-enable the website itself. To do so,
select your website in the Web Sites node in
the left-hand pane of the IIS Manager and
click the Bindings link in the Actions pane.
This brings up a dialog box that shows all
the binding rules for the site. To enable SSL
for your site, click the Add… button. This
brings up an Add Web Site Binding dialog
box that you can use to add HTTPs protocol
support. In this dialog, you must select
https in for Type: and the self-signed certifi-
cate you created earlier for SSL certificate:. fi
Finally, click the OK button.
There’s one small but important
problem you must be aware of that has to
do with the way IIS 7.0 creates self-signed
certificates.
fi IIS 7.0 always creates the SSL
certificate
fi with the local computer name
as the Common Name (CN). To make SSL
function properly, the certificate’s
fi CN
should match the website’s DNS address,
and in many cases the website’s DNS name
is diff
fferent from the computer name. If
your certificate
fi CN doesn’t match the web-
site DNS address, browsers will tell your
20 AUGUST 2010 Windows IT Pro
users that something is wrong with the SSL
setup or refuse to open the site.
To fi
fix this problem, you can use the
SelfSSL.exe utility to generate a self-signed
SSL certificate
fi for your web server and link
it to your website. SelfSSL is part of the IIS6
Resource Kit and can be used to generate
self-signed certificates
fi in earlier IIS versions.
You can download the IIS6 Resource Kit Tools
from Microsoft. Run SelfSSL using the syntax
Selfssl /N:CN=<your_websitename>
/V: <cert_validityperiod>
/S: <site_ID> /P: <portnumber>
Make sure that in the above command,
you replace <your_websitename> with
the actual name of your website (such
as mytest.internal.net), <cert_validity-
period> with the numbers of days the
certificate
fi should be valid, <site_ID>
with the actual site ID (see note below)
click and <portnumber> with the actual port
number (defaults to 443 for HTTPs). To
look up the site ID of your website, select
the Sites node in the IIS Manager—you
can find the site ID in the ID column in
and the right pane.
—Jan De Clercq
fi InstantDoc ID 125195
Q: How can I directly log on to
ESX’s Service Console as root?
A: Right out of the box, you can’t.
And most security guidelines say you
shouldn’t.
What you’re asking for is the ability
to use Secure Shell (SSH) to connect
directly to an ESX server’s Service
Console, login as root, and manage the
fi server with your administrative cre-
dentials. You’re used to doing that in
Windows, but in the UNIX world, root is
intended only for limited use.
That’s why the standard procedure
is to log on to your ESX server’s Service
Console as someone else and use the
sudo command to run specific fi com-
mands that require root privileges. Some-
times, when you have lots of commands
to run, you can elevate your privileges
to root using the “su –” command and
the root password. This separation helps
protect you against an errant keystroke
that accidentally causes catastrophic
W e ’ r e i n I T w i t h Yo u
damage to your ESX environment. Being
a command line-based UI, you can see
how just a few characters in the wrong
place can do that.
If you insist on having the ability
to log on as root, you can enable root
logons by editing the /etc/ssh/sshd_
confifig file using your favorite text editor,
such as nano or vi. Look for the line that
says PermitRootLogin and change its no
entry to yes. Restart the sshd daemon
with the command service sshd restart
and you’re done.
—Greg Shields
InstantDoc ID 125225
Q: How do I quote command
parameters for an external
command in Windows PowerShell?
A: Normally, PowerShell can run external
commands, such as ipconfig,
fi ping, and
nslookup, if you simply type the com-
mand name. However, some commands
require extensive command-line param-
eters. When those parameters start to
involve quotation marks, it can get tricky
to get PowerShell to properly parse the
arguments and pass them to the external
command. For example, consider this
simple command:
Wdsutil /replace-image /
image:"MyImage"
The easiest way to run it to use Power-
Shell’s Start-Process cmdlet, which can
accept the complete argument as a
here-string:
Start-Process WdsUtil -argument @"
/replace-image /image:"MyImage"
"@
Note that you have to type it just like
this: The @” must be the last thing on
the first line, then you type whatever
arguments you want passed, and finally
the closing “@ must be the first
fi two
characters on the next line. There’s a
more technical discussion of this trick
at bit.ly/9c0p5Y, which also discusses
how PowerShell parses arguments for
external commands.
—Don Jones
InstantDoc ID 125140
w w w. w i n d o w s i t p ro. c o m
 ASK THE EXPERTS
Q: How can I publish a Q: How do I open Outlook 2010 entirely well-publicized anywhere on the
Certificate Revocation List (CRL) email in a web browser? Internet. You can find more information
or Certification Authority (CA) about this nifty feature is in a 2009 Tech
certificate to an Active Directory A: There are some circumstances where you Ed presentation by Symon Perriman of
(AD) Lightweight Directory might want to view an email in a web browser. Microsoft, “Multi-Site Clustering with
Services (LDS) instance? For example, you might receive an email that Windows Server 2008 Enterprise,” at bit
doesn’t render well in Microsoft Outlook. Or .ly/dilV86.
A: A Windows Enterprise CA (that is, an perhaps you want to print an email using a Clusters where every node exists
AD-integrated CA) automatically publishes more controlled interface; for example you within the same LAN probably don’t
its certificates
fi and CRLs in AD. But if you’re might want to print a single page of an email, need intra-cluster traffi
ffic encryption, but
using a different
ff LDAP server, such as an see my tip Printing Only the First Page of an those that span to multiple sites can.
AD LDS instance, you must publish the Outlook 2007 Email, InstantDoc ID 100555. If you intend to stretch your cluster to
certificates
fi and CRLs manually. The easiest Outlook 2010 provides a simple mechanism another site across a Multiprotocol Label
way to do this is to use the Certutil com- for viewing emails in a browser. Switching (MPLS) network or other shared
mand line utility. To manually publish a When Outlook identifies fi that a mes- Internet connection, consider encrypting
certificate
fi to an AD LDS instance, use the sage might have some rendering issues, it your cluster communication to protect it
command includes advice in the MailTips section of against spying eyes.
the message: “If there are problems with Setting up encryption requires
certutil –addstore "ldap://<Server_ how this message is displayed, click here to Windows PowerShell, specifi fically the
name>/<Distinguished_Name>? view it in a web browser.” Clicking this ban- Get-Cluster cmdlet. Running
CACertificate?base?ObjectClass= ner reveals a context menu, which includes
CertificationAuthority" <Cert_ the option to View in Browser. You can Get-Cluster clusterName | fl *
file_name> also find the View in Browser option in the
Move section of the Ribbon of an opened against your cluster will display the full
For example, message. Select Actions, View in Browser. list of cluster properties. The property
This option opens Internet Explorer (IE). It you’re interested in for this purpose is
certutil -addstore "ldap:// won’t open your default browser, if you use SecurityLevel. A SecurityLevel of 0 will
myadldsserver.mycompany a default browser other than IE. use clear text for communication. A
.net/CN=myCA,CN=Certification Outlook saves a copy of your message SecurityLevel of 1 (the default) will sign
Authorities,CN=Public Key Services, as a web archive (a Microsoft proprietary the traffi
ffic. Setting SecurityLevel to 2
CN=Services,CN=Configuration, format) with the extension .mht in a tem- will encrypt it communication. To start
DC=mycompany,DC=net?CACertificate? porary fifiles folder. For example: encrypting, use the command
base?ObjectClass=Certification
Authority" mycacertificate.cer file://localhost/C:/ Get-Cluster clusterName | ForEach-
Users/<username>/AppData/Local/ Object { $_.SecurityLevel = 2 }
To manually publish a CRL to an AD LDS Microsoft/Windows/Temporary%20
instance, use the command Internet%20Files/Content.Outlook/ The cmdlets that are associated with
WW7HRH1C/email%20(3).mht. Windows Failover Clustering are part
certutil –addstore "ldap://<Server_ of a module called FailoverClusters.
name>/<Distinguished_Name>? By default, fi
files with the .mht extension are This module isn’t loaded by default
CertificateRevocationList?base? associated with IE. It’s this file association that when you fifirst launch PowerShell,
Objectclass=CRLDistributionPoint" determines which application is opened. even from the console of your cluster
<CRL_file_name> You can change this fi file association within nodes. To load this cmdlet and enable
Windows if you want another browser to the use of cmdlets such as Get-Cluster,
In the above commands, you must try to view messages, but not all can render first run
replace <Server_name> with the name .mht fi
files—Firefox and Chrome can’t do it by
of the AD LDS server, <Distinguished_ default, but Opera can render .mht fi files. Import-Module FailoverClusters
Name> with the LDAP path you’ve used to —William Lefkovics
publish CRLs in the CA configuration
fi (this InstantDoc ID 125320 If, down the road, you forget the exact
is a CRL Distribution Point), <CRL_fi file_ name of this module, you can always
name> with the fi file name of the CRL you Q: Can I encrypt the get a listing of the available modules
want to publish, and <Cert_file_name>
fi communication between my using
with the file name of the certifificate you Hyper-V cluster hosts?
want to publish. Get-Module -ListAvailable
—Jan De Clercq A: Absolutely, although where this —Greg Shields
InstantDoc ID 125193 setting is done is neither obvious nor InstantDoc ID 125346

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 21

 COVER STORY

in
Windows Server
2008 R2
D
DNSSEC, DNS NS is our trusted guide to
DNS to give us the IP ad
t the digital world. When we access a server by name, we’re trusting
address
ddress of the correct destination. If our DNS infrastructure is compro
compro-
Devolution, mised, names might bee resolved to malicious hosts, which could capture sensitive informa-
stribute misinformation, or just disrupt our access to services.
tion and credentials, distribute
and DNS ure houses highly sensitive information and forms the backbone
Today’s infrastructure

Cache Locking of many businesses, so we need something more. Confidence in our DNS infrastructure
and the information it provides is crucial to maintaining an organization’s security and integrity. With
introduce a new Windows Server 2008 R2, we have some very powerful technologies with which to gain this confidence.
Let’s start with a little background, then see what new enhancements such as DNS Security Extensions
world of secure (DNSSEC), DNS Devolution, and DNS Cache Locking can provide.

communications Traditional DNS Shortcomings

With traditional DNS, clients can perform only basic checks to determine whether DNS responses have
been spoofed. A client can check whether the DNS server address matches the expected address; how-
by John Savill ever, this capability is often disabled due to network infrastructure configurations. This check is also easy
to fake: The port used in the response needs to match the client request’s port, which is easy to guess.
Even with new Server 2008 R2 DNS enhancements to source-port randomization, the risk isn’t
mitigated so much as the time required for an attack is increased. The random XID value sent by the
client (included in the response) is sent in clear text, so it’s easy to duplicate. Also, in traditional DNS,
the client’s query is echoed back by the DNS server, but if a technology is smart enough to capture the
request and spoof a response, echoing back the initial response is easy.
There’s no checksum within the DNS response—say, to ensure that the content of the response hasn’t
been altered. So, man-in-the-middle attacks can modify the content as it’s transmitted to the client. Also,
consider that many of our DNS results don’t come from the authoritative DNS server; rather, they come
from an in-between DNS server that has a cached lookup and returns the information in the cache. Many
hackers poison the cache of DNS servers by bombarding them with false records.

DNSSEC for All

DNS Security Extensions (DNSSEC) isn’t a proprietary Microsoft technology but rather an Internet-
standard extension to DNS defined in RFCs 4033, 4034, and 4035 that Microsoft has implemented as
part of the Server 2008 R2 DNS role. An earlier version of DNSSEC was defined in RFC 2535, but it’s

24 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

 DNS ENHANCEMENTS
b en replaaced
be d by the aafo f rreement
fo ntio
ione
io ned
ne d RF
R Css in you ur DNDNS zo zone
nee, an nd you u weree aasked for interim solution to enable clients to trust the
and
an d imimpl p em
pl emen e ta tati
tion
onss ththatat follo ow RFRFC C 252535 35..
35 reecord C, th thee re
resp
spponse se woulouldld be A NSEC E DNS zones that are DNSSEC-enabled.
W nd
Wi ndow
do owws Se Serv r err 2200
rv 0033 an nd evveen n Sererve
v r 20008 wiith
w h a sig igna
natu ure
re,, th
ther e eb
eby notifyyin ng you that Whenever we talk about digital signa-
aarren n’’tt com ompa patibltiib
blle wiwith
th theh Serve verr 20
2 08 R2 th
the
he as askkeed-
d-for re recoco
ordrd doesn
oesn n’t exxist because tures, we need a mechanism for clients to
im mpl plem
e en
em entatati t on.
ti th
th
her
erre are
arre nno o record
ordsds bet etwweeen
w n A and d E. be able to validate the signature. This is
At iti s mom sstt baassicc llev evvel
evele , DN NSSSSEC
EC
E C eens
nsures
nsur
ns urress The criiti tica
cal el
cal
ca eleem
ement ent is the trustt. The cli-
en achieved through public key cryptography.
th he in inteegrrityitty of of thee DNS N inf n raastru uctur
cttur
uree ennt mum st tru r stt thee zo on ne’
e’s pu
publblicic ke
key because A public key for the secured DNS zone
th hrrooug
ugh h tetech
chn nollo
nolo
no ogiies ttha
hatt veeriify tthe
ha h authe
he h n- thee publ
th public
pu icc kkey
eyy iiss u
usseed d to au authen ntticate the is available for clients to use to validate
ttiiciityy of re rece
ceiv ived
iv d d dat
ata,, inc nclu
luudi
ding
ngg authe
n hen- resp
re sppon
onsesee by ded crrypypttiin
ing
ng th hee siiggnature, which the digital signature that was generated
tica
ti cateteed de deni n al
ni al-o
l-o
-of-f ex
f- e iste
isstenc ncee re
nc r sp
spononssees. s was crea
wa cr ate tedd us
usinin
ng ththe privvate key. Ensuringg
the using the DNS zone’s private key. This
Veriifi
Ve fica
c ti
ca t on iiss en nab ble
l d th thro oug
ugh h pup blic
blicc key e that
th att cli
l ennts trurustst only ly the real auth horitative public key at the root of a DNSSEC trusted
cryp
cr y to
yp togr
grap
gr aphy
ap h , wh
hy whic ich enenaba le l s th
thee us
use o
use off d
dig
iiggi-
i DN NS zozonee owne wn ner
er is acachieve
eved thrroug ough chains namespace—for example, .net—is known
taal si
s gngnatatur
at ures
ur es on alll DN DNS re resp
spon
sp onsses.
on s A su ucc- off trrust
ru
ustt. as the trust anchor; it’s the anchor of trust
c sssfu
ce fu di
ful digi
g tal siign g atturu e va vali
lida
ida
dati
tion
ti on
n mean nss In an iide dealal wo orrlld
d, th
t is
i publicc kkey infra- between the client and DNS namespace. If a
thatt thee data reeceeiv
th i ed iiss ge
genunuin
nu i e an
in nd cacann be stru
st uctctur
tur
uree (P (PKI
PKII) hi hier
erararcchhy wowoulld be self- client has a trust anchor to a zone, the client
ttrrus
u teted
ed.
d. T The
hee dig igit
ital
al sigignaatu
igna ture
re is geene n rate tedd c n
co ntai
nt aine
need in i tthe
hee DNS hiera ieraarcchy in n that the builds a chain of authentication to any child
usin ng tth he DN D S zo zonene’ss pri riva
v tet key (wh hicichh isis roo
ro ot o off DNS— S " . "— "—w would be D DNSSEC- zone of the trust anchor, removing the need
kept
ke ptt ssec
ecre ret)
ret) aand nd d tth
he con
he onte
on teent
n off th he rreecord rdd, enaaab
en ableledd an
and d gl
g ob bally
ally trustted byy al all clients. for DNS clients to explicitly trust every zone
an nd cacan n bee vallid idaated
ated with h th
thee pup bl
blic
ic key
e . If a Theeen
Th en,, th
thee ro rootot cou o ld sign thee to op-level within a namespace. Don’t panic, though:
pack
pa cket et iiss ge
genen ra rate
ted d fr
from
om a malicious
al sou
o rcce,, dom
do main nam
ma
m ames (e.g. g., com m, net et, or
orgg)
g , which You don’t need a full PKI deployed in your
its digi
it
its diggi
gita
tall si
signggnataturu e wiwill fail; if a p pack
pa cket
et has cou
co uld
ul
u d th
thenen ssig
ignn th hei
eir su ubo
bordrdininatte doma m ins environment. The public keys for the secu-
been modified,, tthe
be he sigigna
natu ture
re wil ill no longe gerr (e.gg., com
(e ompa panyn .com),
om), thereby
t crreating a rity zones are actually stored within the DNS
match h th
thee cocontent. trusst path. This means that clien nts would infrastructure, but how do you know who to
Facilitating this public key cryptogra- neeed only to trust the root zone, ssince the trust? How do you get valid trust anchors
phy are several new DNS record types— root zone is used to authenticat a te all the since the root DNS zone can’t sign?
specifically, DNS Public Key (DNSKEY), other child zones. In Figure F 1’s eexample, Through a process called DNSEC Look-
which is a container for a DNS zone’s zone s public .nett is DNSSEC
DNSSEC-enabled enabled, d, so any ch hild zone aside Validation (DLV), public keys can be
key; Resource Record Signature (RRSIG), that is signed by the .net parent w would be configured to be trusted by DNS clients.
which contains the digital signature of a trusted by any DNS client that trus trusts .net. There are repositories on the Internet that
DNS response; Delegation Signer (DS), You see this today with normal PKI allow DNSSEC-enabled zones to upload
which is used between a child and par- certificates. Most computers are configured their public keys, which clients can then use.
ent zone that are both DNSSEC-enabled; to trust certain Internet root certificate These public repositories are trust anchors
and Next Secure (NSEC), which allows authorities (CAs), such as VeriSign, Thawte, on the clients. We trust these repositories to
authenticated denial-of-existence records and Equifax. These authorities grant sites do the right thing and make sure the public
by effectively returning the name that would certificates that are signed by the root CAs; keys they store are legitimate—the same way
be prior to the non-existent requested name because clients trust the root CA, they we trust VeriSign to ensure that a company
(if they were in alphabetical order) and trust certificates signed by a CA that has is genuine before giving the company SSL
notifying what the next secure record would effectively been vouched for by the root or code-signing certificates. An organization
be. For example, if you had records A and E CA. DNS works similarly: Clients trust the can download the content of this repository,
r
root and top-level domains and Active Directory (AD) can replicate the
(
(assuming the root and DNSSEC information downloaded to all
t
top-level domains are the DNS servers. (DLV isn’t supported in Server
t
trust anchors), which then 2008 R2.)
a
authenticate the child sites. Alternatively, you can manually config-
At this time, the DNS ure trust anchors within DNS by specifying
r
root zone doesn’t support a zone name and specifying the public key
D
DNSSEC, and neither does that zone name servers give, as Figure 2
C
COM, but this will change shows. When the entry point for a trust chain
i the near future as the use
in (i.e., a trust anchor) is being configured, and
o DNSSEC is being man-
of you’re specifying the key signing key (more
d
dated by many governments on this later), you would select the Secure
a
around the world. The Entry Point (SEP) option in addition to the
D
DNS root will be DNSSEC- zone signing key. If you want to share your
e
enabled in mid-2010, and public key so that another organization or
C
COM some time in 2011 or repository can add it as a trust anchor, that
Figure 1: Setting the trust anchor 2
2012. Therefore, we need an organization will need the content of the

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 25

 DNS ENHANCEMENTS
w
what determines how
ssecurity should be used
ffor DNS, whether you
h
have entries for vari-
o
ous DNS namespaces
((e.g., microsoft.com),
w
whether DNSSEC valida-
ttion is required for each
n
namespace, and whether
IIPsec should be used
b
between the client and
iits next DNS hop (i.e., the
cclient’s local DNS server).
Y
You typically manage
N
NRPT through Group
P
Policy instead of trying
Figure 2: Trusting DNS responses
tto manually configure it
\%systemroot%\System32\dns\keyset-zone across many clients. Figure 4 shows a
name file, as you see in Figure 3. sample policy. Note that you can base your
This functionality isn’t between a DNS NRPT on more than just the DNS suffix:
client (e.g., your workstation) and the You can use prefix, fully qualified domain
authoritative DNS server for the lookup name (FQDN), and subnet.
you’re performing. We can’t actually define Now that you understand how DNS-
trust anchors on a DNS client! In fact, even SEC ensures DNS responses are genuine,
though I’ve been using the term DNS client, t how do you get it? In the Microsoft world,
DNSSEC is actually more important between you need your DNS servers to run Server
DNS servers. In the typical DNS-resolution 2008 R2 and your clients to run Windows 7,
flow, you ask your local DNS server and it and because of the way DNSSEC functions,
recursively looks up the answer, so your there are some restrictions on its use. You
DNS server is the component that needs to aren’t going to turn DNSSEC on for every
validate responses. In most environments, record in your organization; you’ll use DNS-
the client won’t perform DNSSEC validation; SEC to secure records that are used with a
it relies on its DNS server to do that by asking wider, Internet-focused audience, such as
the DNS server to use DNSSEC. your secure website address. A zone that
To provide maximum protection for is digitally signed with DNSSEC will no
end clients, best practice is to use IPsec to longer accept any dynamic updates, which
authenticate the data and perhaps encrypt most environments use for their hosts to
communication between the client and register their host-to-IP mappings without
the local DNS server. This method ensures any manual intervention. Therefore, you’ll
no local corruption of data from the DNS create a separate zone to use for your secure
server to the client. records, in addition to a zone facing the
To configure the DNS clients’ expec- Internet for dynamic updates (if necessary).
tation of DNSSEC, you use the Name Every DNS server that hosts a copy of the
Resolution Policy Table (NRPT), which is signed zone must be running Server 2008
C:\Windows\System32\dns>type keyset-secure.savilltech.net
secure.savilltech.net. 3600 IN DNSKEY 257 3 5 (
AwEAAZAP23IinKsyBp5WU4YTM7fFj/uutBph
HyNp617eps5haOjr0fKanri23VL4DEfjvjRw
JMAqh9Sx5QWpXpltudM1WSaRVyvLns/ILSUJ
t/1ta0ceVmAwqLmXb6lYzRGat9RK64izJVtz
AlTEzdUzW89Q+dmm+2GsXaY4U6bUGaE1pxD6
WKVpGOk3eahJoc4+eUlO9SKvDzrR4othF6hi
Wl/YsZs6O8iLTxoXcIfz2EUq9ioYSvpWPxOz
KnwnmSFVRBtpJA/bxRPvYNuf6a1l6q2OuTSG
JVNbeyOFLcpbCAwlR2uX6G3VPdYxX5HIzF+u
B3PQJZvM8pjRgNQDJrgu/lc=
) ; key tag = 33509
Figure 3: Sharing the public key
26 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u
R2, and you need to ensure that your net-
work can handle the increased DNS packet
size that comes with DNSSEC enablement.
For example, ensure that you have support
for Extended DNS 0 (EDNS0), which per-
mits DNS packets up to 4KB instead of the
standard 512 bytes.
To enable DNSSEC on your Server 2008
R2 zones, you use the DnsCmd utility to
generate the key signing keys and zone
signing keys, and store them in the local
computer’s certificate store (MS-DNSSEC).
The zone signing key (ZSK K in the code
below) signs all the records in the zone, and
the key signing key (KSK K in the code) signs
only other keys. You also need to create the
DNSSEC resource records at the root of the
trust chain. (This occurs automatically.) To
create my certificates, for example, I type
dnscmd /offlinesign /genkey /alg rsasha1
/flags KSK /length 2048 /zone secure
.savilltech.com /SSCert /FriendlyName
KSK-secure.savilltech.com
dnscmd /offlinesign /genkey /alg rsasha1
/length 2048 /zone secure.savilltech
.com /SSCert /FriendlyName ZSK-secure
.savilltech.com
For your AD-integrated zones, you need
to export the zone to a file, sign the file-based
zone with your certificates, and save to a
new file. Then, you need to delete the exist-
ing zone, import the new signed zone file,
and reset the zone to be AD integrated. The
major steps I used in my environment after
creating the aforementioned certificates are
dnscmd /zoneexport secure.savilltech
.net securesavilltechnet.dns
dnscmd /offlinesign /signzone /input
securesavilltechnet.dns /output
securesavilltechnetsigned.dns /zone
secure.savilltech.net /signkey /cert
/friendlyname KSK-secure.savilltech
.net /signkey /cert /friendlyname
ZSK-secure.savilltech.net
dnscmd /zonedelete secure.savilltech
.net /dsdel /f
dnscmd /zoneadd secure.savilltech
.net /primary /file
securesavilltechnetsigned.dns /load
w w w. w i n d o w s i t p ro. c o m

Figure 4: Specifying DNSSEC requirements for a DNS zone
dnscmd /zoneresettype secure
.savilltech.net /dsprimary
Figure 5 shows the various DNSSEC-related
entries.
Implementing DNSSEC involves many
steps, and keeping it running and ensuring
that the keys are maintained is similarly
time consuming. The keys we created have
a limited lifetime and need to be updated;
if we have trust anchors configured, those
public keys will change and therefore
require updating. I strongly recommend
reading the Microsoft article “Deploying
DNS Security Extensions (DNSSEC)” at
technet.microsoft.com/en-us/library/
ee649268(WS.10).aspx; it’s a great step-by-
step guide.
DNS Devolution
DNSSEC is probably the most famous Server
2008 R2 DNS feature, but there are some
other useful enhancements. In environ-
ments that have a deep DNS namespace,
it can sometimes be tricky to know the cor-
rect DNS suffix for an address. For example,
in my environment, I know the host is
called savdalfile01, but I’m a member of
dallas.na.savilltech.net, and I’m not sure if
savdalfile01 should be savdalfile01.dallas
.na.savilltech.net, savdalfile01.na.savilltech
.net, or savdalfile01.savilltech.net. In the
past, we would define a global suffix list of all
the DNS suffixes that should be tried when
resolving a name.
Server 2008 R2 and Windows 7 offer an
update to a key feature—DNS Devolution—
that lets DNS resolution requests traverse
up the DNS namespace until a match is
found or until a certain number of devo-
lutions is reached. (Every move up the
w w w. w i n d o w s i t p ro. c o m
namespace to a parent is a devolution to
one level above.) An example is savdalfile01:
With DNS Devolution enabled, when a
client attempts to resolve savdalfile01,
savdalfile01.dallas.na.savilltech.net would
be initially queried, then it would be up
to the parent to search for savdalfile01
.na.savilltech.net. (It’s checking a third-level
devolution because the DNS suffix has three
parts—na, savilltech, and net.) If there’s no
match, it’s up to that zone’s parent to look for
savdalfile01.savilltech.net (which now has a
devolution level of 2, as this DNS suffix has
two parts). Basically, it allows a member of
a child namespace to access resources in the
parent without having to specify the parent’s
namespace as part of the DNS query.
New to the Server 2008 R2 and Windows 7
DNS client is the ability to set a devolution
level. As an administrator, you can define
whether DNS devolution is enabled and
which DNS devolution level you’ll devolve
down to. For example, setting a devolution
level of 2 means you would devolve down
to the two-part Forest Root Domain (FRD)
Figure 5: DNSSEC-related entries
W e ’ r e i n I T w i t h Yo u
DNS ENHANCEMENTS
second-level domain (e.g., savilltech.net).
Setting a devolution level of 3 means you
would devolve only to the third-level DNS
domain (e.g., na.savilltech.net).
You can configure DNS Devolution
using Group Policy, through the Primary
DNS Suffix Devolution and Primary DNS
Suffix Devolution Level policies found
at \Computer Configuration\Policies\
Administrative\Templates\Network\DNS
Client, as Figure 6 shows. You can also set
DNS Devolution directly in the registry with
the HKEY_LOCAL_MACHINE\SOFTWARE\
Policies\Microsoft\Windows NT\DNSClient\
UseDomainNameDevolution and HKEY_
LOCAL_MACHINE\SYSTEM\Current
ControlSet\services\Dnscache\Parameters\
DomainNameDevolutionLevel subkeys.
This functionality is useful in environ-
ments that have multiple levels of DNS
namespace. The Microsoft security advi-
sory “Update for DNS Devolution” (www
.microsoft.com/technet/security/advisory/
971888.mspx) offers an update for older
versions of Windows.
DNS Cache Locking
At the beginning of this article, I mentioned
that one DNS vulnerability was that DNS
servers cache entries for recursive lookups
(lookups for records they aren’t authorita-
tive for, and for which they have to consult
other DNS servers) they’ve performed to
speed up future lookup requests for the
same information. Those lookups have a
specific time to live (TTL) before the record
must be rechecked to see if it’s changed.
The exploit uses DNS cache poisoning to
send incorrect responses to a DNS server
to try and update that cache so that clients
Windows IT Pro AUGUST 2010 27
 DNS ENHANCEMENTS
Figure 6: Setting the DNS devolution level
using the server will receive incorrect
information.
DNS Cache Locking is a new Server
2008 R2 feature that helps mitigate cache
poisoning: It locks the entries in the cache
for the record’s TTL. So, if someone tries to
poison the cache with a replacement record,
the DNS server will ignore it and thus main-
tain the integrity of the cache content.
To use Cache Locking, you set a percent-
age of the TTL of records that the cache
content is locked for—for example, a setting
of 75 means that cached records can’t be
overwritten until 75 percent of their TTL
has passed. The default value is 100, which
means records can’t be updated until the
TTL has expired. However, you can change
Figure 7: Enabling the use of DirectAccess
28 AUGUST 2010 Windows IT Pro
this setting’s registry value at HKEY_LOCAL_
MACHINE\SYSTEM\CurrentControlSet\
services\DNS\Parameters\CacheLocking
Percent to your desired percentage. Note
that if this value isn’t present, the default of
100 is used.
More on the NRPT
I already discussed how the NRPT helps
define the way clients and servers act for
different DNS zone requests. You have
numerous entries in the NRPT, and if a DNS
query matches an entry in it, the query is
handled according to the configuration of
the matching NRPT entry. If no match is
found, the system performs default DNS
handling.
W e ’ r e i n I T w i t h Yo u
In addition to DNSSEC, the NRPT is
used for one other key piece of Windows 7
and Server 2008 R2 functionality—namely,
DirectAccess, which is the new technology
that lets Windows 7 clients communicate
with corporate resources no matter where
they are on the Internet, without hav-
ing to use VPNs. The client just accesses
a corporate resource, and DirectAccess
facilitates secure communication back to
the corporate network.
This automatic use of DirectAccess
to get to resources raises an important
question: How does the Windows 7 client
know which destinations in the corpo-
rate network should be accessed through
DirectAccess and which should just use
normal Internet connectivity? I don’t want
my Amazon purchases to be sent via my
corporate network when I’m sitting at
home or at Starbucks.
This decision is based on the NRPT—
and just as we can define DNSSEC actions
for various DNS name and IP values, we
can do exactly the same thing for Direct-
Access using the DirectAccess tab as
shown in Figure 7. If you want to check a
machine’s Group Policy rules, you’ll find
them in the HKEY_LOCAL_MACHINE\
SOFTWARE\Policies\Microsoft\Windows
NT\DNSClient\DnsPolicyConfig registry
entry. You can also create exceptions,
which let you establish general rules for
an entire namespace but then treat a
particular host or namespace portion
differently.
Server 2008 R2 brings you a very pow-
erful DNS service that adheres to some
of the most recent specifications. You
should definitely consider Server 2008 R2
DNS to be the most secure release and
use it to replace previous Microsoft DNS
services to provide maximum protection.
DNS is your trusted advisor to the com-
puter world, so make sure it can really be
trusted!
InstantDoc ID 125360
John Savill
(john@savilltech.com) is a
Windows technical specialist,
an 11-time MVP, and an MCITP:
Enterprise Administrator for
Windows Server 2008. He's a
contributing editor for Windows
IT Pro, and his latest book is The
Complete Guide to Windows
Server 2008 (Addison-Wesley).
w w w. w i n d o w s i t p ro. c o m
 FEATURE

Mobile
Security
with
MDM 2008 SP1
T
h use
he ussee of mobile
mo d
devices,
evices,
e or smartphones, for business isn’t
isn t new; however, the patterns
of use and ndd the ffea
features
aat these devices offer have changed radically in recent years. Today, It’s a complex
it’s possible to browse the web, send and receive email, and run countless applications—
from customer relationship management (CRM) apps to word processing to social
setup, but you’ll
networking software—all while talking with someone on a call. The increased process- get tight control
ing power, memory, and storage make these devices powerful business tools, and your
users probably have corporate documents, customer lists, and sensitive pricing information on their over mobile
devices. Responding to the loss of a device might involve n
and partners, and potentially paying fines and other penalties.
sending breach notifications to customers
devices when
However, losing devices isn’t the only risk a company faces. Employees who quit or are terminated you follow these
could potentially walk out with your company’s intellectual property, and it’s possible that data could
be accidentally leaked to social networking sites, as well as leaked through web browsing and personal steps
email use. Previously, the response to these risks might have been to ban the use of mobile devices
altogether, but their popularity and usefulness means that more and more organizations are seeking
ways to integrate them into the enterprise while applying corporate policies to them. by John Howie
There are solutions available today that can be used to integrate mobile devices with corporate
networks and apply policies to them. In this article, I’ll describe Microsoft System Center Mobile
Device Manager (MDM) 2008 SP1, focusing on installation and configuration.

MDM vs. Exchange 2010

MDM isn’t the only solution Microsoft has that supports mobile devices. Organizations with Micro-
soft Exchange Server 2010 can use Exchange to manage mobile devices so that devices can send and
receive email using the Exchange infrastructure with Exchange ActiveSync (EAS). In addition, EAS
can be used to push basic policies to mobile devices.
Basic policies for mobile devices can be used to enforce password policies, such as a policy that
requires the use of a complex password. They can also be used to enforce what users can do with
their devices, including disallowing removable storage such as memory cards; preventing use of the
camera and Wi-Fi; restricting what Bluetooth features are available; and controlling which applica-
tions can run, including the browser and non-Exchange email apps. A broad EAS setting lets you
enable or disable nonprovisionable devices, which are devices that won’t or can’t enforce policies
pushed by Exchange.
Exchange 2010 ties basic policies to mailboxes, not devices, and doesn’t offer true end-to-end
management of security and devices. Nor does it offer a remote-access solution, which permits
mobile devices to consume resources on the corporate network. MDM offers these features, and
it has much richer policy and enforcement features. However, MDM supports only Windows

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 29

 MDM 2008 SP1
Mobile–based devices running Windows
Mobile 6.1 or later, whereas Exchange
2010 can support any EAS-enabled device.
MDM and Exchange 2010 can coexist and
can be used simultaneously for device
management.
Preparing to Install MDM
MDM is a reasonably complex product to
deploy, consisting of several components.
First, MDM requires Microsoft SQL Server
2005 or later to store policy and configu-
ration information. MDM itself requires
a Gateway Server, Device Management
Server, and Enrollment Server. You can
deploy the Device Management Server and
Enrollment Server roles on the same server,
which is a typical scenario for smaller envi-
ronments. The Gateway Server is deployed
in your demilitarized zone (DMZ), and it
requires one network interface for internal
communications and one for external com-
munications. The Gateway Server’s external
interface must have a public IP address,
must have a default route configured, and
can’t be published behind Microsoft ISA
Server or Forefront Threat Management
Gateway (TMG). The Device Management
Server and Enrollment Server roles are
deployed on your intranet.
The three server roles form an instance
of MDM, and an instance can support as
many as 30,000 mobile devices. You can
deploy multiple instances to support more
than 30,000 users, or to accommodate
users in different regions so that users can
connect to a local MDM instance for best
connection speeds, and you can manage
groups with disparate policy requirements.
Note that MDM doesn’t require Exchange
(or its mobility features) but can be used to
offer Exchange services to mobile devices.
MDM is a 64-bit–only product, so it
requires 64-bit–capable hardware and a
64-bit OS: Windows Server 2003 R2 64-bit.
Installation on Windows Server 2008
isn’t supported—some tools and utilities
simply fail to install, although there are
some workarounds. Before you can deploy
MDM, you need a Certification Authority
(CA), which should be an enterprise CA
integrated with Active Directory (AD). The
enterprise CA can run on Server 2008,
and the Windows Server 2003 R2 servers
that you install MDM on can be member
servers in a Server 2008–based forest with
30 AUGUST 2010 Windows IT Pro
the functional level raised to Server 2008
Forest Functional mode.
Before you install MDM, you need to
configure AD. This configuration doesn’t
extend your AD schema; it simply involves
creating objects to support MDM. Log on
to the server on your network on which you
intend to install either the Device Manage-
ment Server role or the Enrollment Server
role, run MDM Setup.exe, and select the
Configure Active Directory for MDM M option
under the Prepare section of the setup
splash screen. You need to be logged on
as a member of the Enterprise Administra-
tors group. When you select this option, a
command prompt window opens, and the
MDM is a 64-bit–
only product, so
it requires 64-bit–
capable hardware
and a 64-bit OS:
Windows Server
2003 R2 64-bit.
Installation on
Windows Server
2008 isn’t supported.
command ADConfig.exe /help p runs before
giving you a command prompt. If you scroll
back through the Help text, you’ll find
that the ADConfig command has many
command-line options.
Despite looking very confusing, using
ADConfig is relatively simple. Run the
command
ADConfig.exe /createinstance:<instance>
/domain:<domain>
where instancee is the name you want to
give to your MDM instance and domain
is the domain in your forest in which it
will run. The instance name can be no
longer than 30 characters and can contain
only alphanumeric characters, the dash
(-), and the underscore (_). The domain
name must be specified as a Fully Quali-
fied Domain Name (FQDN)—for example,
W e ’ r e i n I T w i t h Yo u
corp.infosecresearch.com. When you enter
the command, you’ll be asked to confirm
the action before configuring AD. Take
particular note of the settings you speci-
fied because the instance name can’t be
changed after the command completes.
As the command runs, it tells you what
it’s doing and shows the success or failure
of each configuration change. You’ll be
asked to confirm whether you want to
enable your instance as the final step of
the command.
If you have multiple domains in your
forest and you want the mobile devices
associated with each domain to be managed
by this instance of MDM, you need to run
the command
ADConfig.exe /enableinstance:<instance>
/domain:<domain>
where instance is the name of your
instance and domain is the FQDN for
each domain. You should run ADConfig
with the /enableinstance flag only after
you’re sure that the initial configuration
has replicated throughout the forest.
Next, you create the certificate tem-
plates used by MDM. Certificate templates
are used to control how keys in issued
certificates can be used, what the certificate
policy is, and how long it’s valid for. Run
the command
ADConfig.exe
/createtemplates:<instance>
where instance is the name of your
instance. ADConfig again asks you to con-
firm the operation before proceeding, and
it displays status information as it runs.
After you create the templates, you need
to enable them so that your CA can issue
them. Run the command
ADConfig.exe
/enableTemplates:<instance>
/ca:<CA server FQDN>\<CA instance>
where instancee is the name of your MDM
instance, CA server FQDN N is the FQDN of
the CA that will issue the certificates, and
CA instancee is the CA’s instance name. You
can find the CA’s instance name by running
certutil.exe from the command line; the
instance is the Name value. As with other
w w w. w i n d o w s i t p ro. c o m

ADConfig commands, you’ll be asked to
confirm the operation before it runs.
The next step in preparing to install
MDM is to add a domain account to the
SCMDMSecurityAdmins (instance) and
SCMDMServerAdmins (instance) groups,
where instancee is the name of the MDM
instance you’ve used in the previous steps.
An account in the first group can add users
to other MDM groups for the instance, and
an account in the second group can install
and manage MDM servers for the instance.
Although you can use two accounts, I rec-
ommend that you use a single account,
which will become the MDM administrator
account. If you’re logged on with an account
that was added to the MDM groups, you’ll
need to log off and log back on for the addi-
tional group memberships to take effect.
Installing the Enrollment Server
The next step is to install the MDM Enroll-
ment Server. Every MDM instance requires
an Enrollment Server, and you can install
more than one of this role for fault toler-
ance and load balancing. Mobile devices
must be enrolled through the Enrollment
Server so that MDM can manage them.
This role needs to be published so mobile
devices can access it from both the intra-
net (internal) and the Internet (external).
Before you install the Enrollment Server,
you need to know the internal and external
FQDNs that will identify the server.
To install the server, select Enrollment
Server from the setup splash screen. The
Enrollment Server requires Microsoft IIS
6.0 and the full suite of IIS 6.0 management
tools. Without this prerequisite, the server
won’t install.
The server installation process is wizard-
based. After you accept the license agree-
ment, the wizard asks you to select the
MDM instance you’re installing the Enroll-
ment Server for. Next, it asks you to confirm
the installation location on the file system,
and then to specify the SQL Server instance
the Enrollment Server will use. You can
use an existing instance of SQL Server if
desired. You need systems administrator
access on the SQL Server instance to con-
figure the MDM database.
At this point, you specify the external
and internal Enrollment Server FQDNs.
The external Enrollment Server FQDN
is used by mobile devices to enroll. You
w w w. w i n d o w s i t p ro. c o m
need to add the external FQDN to your
public DNS and ensure that the server can
be reached from the Internet. The wizard
then asks you to specify the port that the
Enrollment Server Administration web-
site will listen on. You can’t use port 443
because the Enrollment Server itself uses
that port. Setup provides a random port
number, which you can usually use unless
it conflicts with another service or you have
a policy that dictates which ports to use.
Make sure you record the port number
so you can reuse it if you install multiple
Enrollment Servers.
Next, you need to specify the CA server
and instance name you specified when
preparing AD for MDM. The CA issues cer-
tificates to mobile devices. You also need
to specify a CA to issue SSL certificates for
MDM during the remainder of the setup.
This CA can be any issuing CA in your
enterprise, including the CA used during
device enrollment. After you specify the
necessary information, the wizard presents
you with your choices, which you confirm
by clicking Install.
Installing the Device Management
Server
You need to install at least one Device Man-
agement Server for your MDM instance. If
you install multiple Device Management
Servers for scalability and fault tolerance,
you have to use a load balancer to spread
the mobile devices across them. Like the
Enrollment Server, the Device Manage-
ment Server is web-based, so you also need
to install IIS 6.0 along with its full suite of
management tools.
Before you install the Device Manage-
ment Server, you need to install Windows
Server Update Services (WSUS) 3.0 SP1 on
each server that will be a Device Manage-
ment Server. Note that WSUS 3.0 SP2 isn’t
recognized by MDM, so you must use
SP1. MDM uses WSUS to deploy software
packages to mobile devices, but WSUS can
also be used to manage software updates
in your enterprise. If you’re using WSUS
only to deploy software packages to mobile
devices, you can configure it to download
updates only for Microsoft Report Viewer
because you must select at least one prod-
uct to update. WSUS itself requires you to
install the Report Viewer 2005 Redistrib-
utable or later. You can get both WSUS
W e ’ r e i n I T w i t h Yo u
MDM 2008 SP1
and Report Viewer from the Microsoft
Download Center (www.microsoft.com/
downloads/default.aspx).
To install the Device Management
Server, select Mobile Device Management
Server on the setup splash screen. You’ll be
asked to accept the license terms, select the
MDM instance that the Device Manage-
ment Server will be added to, the location
to install the software to, and the database
server to use. Note that if you install the
Device Management Server on the same
server as your Enrollment Server, setup
uses the same installation location and
database server, so these options will be
grayed out.
Next, the installation wizard asks for the
FQDN for the Device Management Server,
which is an intranet FQDN. If you’re install-
ing multiple Device Management Servers,
enter the FQDN of the load balancer that
will front them. Setup validates that the
FQDN exists in DNS. The wizard then
asks you for the Device Management and
Administration website ports. If this is your
first server, take note of the ports chosen
and ensure that they’re used when con-
figuring subsequent Device Management
Servers. The next step asks you for a CA
that can issue SSL certificates during setup
of the Device Management Server. If you’re
installing the Device Management Server
on the same server as the Enrollment
Server, the CA is automatically populated.
At the end of the setup, you’ll be shown the
selections you made. Click Install to begin
the installation process.
Installing the MDM Administrator
Tools
The next step in getting MDM up and run-
ning is to install the MDM Administrator
Tools. You can install the tools on 32-bit
or 64-bit systems. Prerequisites for the
tools are to install Windows PowerShell
1.0, Group Policy Management Console
(GPMC), and the WSUS administration
console. Note that Windows 7 ships with
PowerShell 2.0, which the tools installer
doesn’t recognize. You can’t install Power-
Shell 1.0 alongside PowerShell 2.0, meaning
you can’t install the MDM Administrator
Tools on Windows 7 systems. If you don’t
have PowerShell 1.0 or GPMC, you can get
them from the Microsoft Download Center.
GPMC for Windows Vista SP1 and later is
Windows IT Pro AUGUST 2010 31
 MDM 2008 SP1
included in the Remote Server Adminis-
tration Tools (RSAT), which you can also
download from Microsoft.
You install the MDM Administrator
Tools by selecting the item on the MDM
setup splash screen. You’re asked to accept
the license and whether to install all tools
(the default) or a custom installation. After
you make your selection, you’re presented
with a summary of what will be installed.
Click the Install button to begin installa-
tion. The installed tools can be found on
the Start menu under a program group
called Microsoft System Center Mobile
Device Manager.
Preparing For and Installing the
Gateway Server
The next-to-last step is to get the Gate-
way Server up and running. The Gateway
Server lets your mobile devices access
resources such as SharePoint sites or file
servers inside your corporate network,
without the need to publish each one or
duplicate them in your DMZ. The Gateway
Server needs IIS 6.0 and the Microsoft .NET
Framework 2.0 SP1.
Before you install the Gateway Server,
you need to configure the server OS with a
certificate that MDM will use to authenticate
it in SSL sessions. The steps to install the cer-
tificate are a bit complex. Start by creating
a Notepad document called GatewayCert
Req.inf, and enter the following text in it:
[NewRequest]
Subject="CN=<MDMGatewayServerFQDN>"
MachineKeySet=True
KeySpec=1
Replace MDMGatewayServerFQDN with
the internal FQDN of the server, not the
external FQDN (although it’s possible
they’re the same). Next, run the command
certreq -new GatewayCertReq.inf
GatewayCertReq.txt
Copy the output file, GatewayCertReq.txt,
to a member server in your domain and
run the command
certreq -submit -attrib
"CertficateTemplate:SCMDMWebServer
(<instance>)"
GatewayCertReq.txt GatewayCert.cer
32 AUGUST 2010 Windows IT Pro
replacing instance with the name of
your MDM instance. If you have more
than one issuing CA in your forest,
you’ll be prompted to select the CA you
want to use. It must be the same CA you
installed the templates on earlier. Copy
the output file, GatewayCert.cer, back
to your MDM Gateway Server and enter
the command
certreq -accept GatewayCert.cer
Next, you need to install the certificate of
your root CA, any intermediate CAs, and
the issuing CA. If you’re using Certificate
Services, simply browse to the root CA’s
virtual directory (\certsrv) from a domain-
joined machine, click the Download a CA
certificate, certificate chain, or CRL
L link, then
click Download CA certificatee and save the
file. By default, the file is named certnew.cer.
If your root CA isn’t the CA that issued your
When entering
the name for the
Gateway Server, you
should use its FQDN
to avoid name
conflicts.
Gateway Server’s certificate, browse to the
issuing CA’s virtual directory and download
the certificate chain; save the file, then copy
it to your Gateway Server. This file is named
certnew.p7b by default.
You install the certificates on the Gate-
way Server by launching Microsoft Manage-
ment Console (MMC) with the Certificates
snap-in, making sure that you specify you
want the Computer Account option. With
the snap-in loaded, expand the Trusted
Root Certification Authorities node, right-
click Certificates, select All Tasks, then
Import. In the Certificate Import Wizard,
select the file certnew.cer. Repeat this pro-
cess for the intermediate CAs by importing
certnew.p7b to the Intermediate Certifica-
tion Authorities node.
Next, you need to create the Gateway
Server’s configuration file, which is a short
piece of XML used when you install the
Gateway Server. Go to the workstation or
W e ’ r e i n I T w i t h Yo u
server on which you installed the Admin-
istrator Tools, launch the Mobile Device
Manager Shell, change into a temporary
working directory, and enter
Export-MDMGatewayConfig
A file called GatewayConfig.xml is gener-
ated and written to the working directory.
Copy the file to the Gateway Server.
Now that you’ve prepared the Gateway
Server, you can run Gateway Server setup
by selecting that option from the Install
section of the setup screen. In the Gate-
way Server Setup wizard, after the license
screen, you’re prompted for the internal
IP address that the server will listen on for
connections from the Device Management
Server and the TCP port to listen on. The
default is port 443. Next, you’re prompted
to browse for and select the GatewayConfig
.xml file you copied. You then select the
Gateway Server authentication and root CA
certificates that you’ve imported. Finally,
you’re prompted to confirm your choices
before installing the software.
After installation, you’ll be prompted to
run the Add MDM Gateway Wizard. Before
you do that, however, you need to go back to
a system that has the MDM Administrator
Tools installed, launch the Mobile Device
Manager Shell, and enter the command
Set-EnrollmentConfig
-GatewayURI <ExternalFQDN>
where ExternalFQDN N is the FQDN of the
Gateway Server as mobile devices outside
your network see it. When the command
completes, you’ll see some configuration
information displayed. Now you can launch
the Add MDM Gateway Wizard, which you
do from the MDM Console. In the console,
expand your instance, then select Gateway
Management. In the Actions pane, select
Add MDM Gateway Wizard.
The first step in the wizard is to enter
a name for the Gateway Server. I recom-
mend you use its FQDN to avoid name
conflicts. The next step is to configure
access points. The first access point is the
external IP address that mobile devices
will use to establish a VPN connection
through the Gateway Server. This address
must be a public, routable IP address. The
second access point is the internal FQDN
w w w. w i n d o w s i t p ro. c o m
 MDM 2008 SP1
Server. (MDM extends the Windows logs
to add its own.) Chances are you probably
can’t access the Gateway Server in the DMZ
because of a firewall issue. Alternatively, you
might have a conflict between the address
pools you configured and the networking
setup of the Gateway Server itself.

Configuring ISA Server, TMG, and

Firewalls
Most of the communication between the
MDM servers and mobile devices uses SSL-
based connections. However, some other
protocols are also used. Depending on how
you deploy MDM, you might need to con-
figure ISA Server or TMG servers, as well as
network and built-in Windows firewalls.
To begin, you need to ensure that the
Device Management Server can commu-
nicate with the Gateway Server. The default
port is 443/TCP (HTTPS), unless you speci-
fied another port during Gateway Server
installation. Mobile devices need to be able
Figure 1: Adding address pools in the Add MDM Gateway Wizard to talk to the Enrollment Server over port
443/TCP, and you’ll need to publish the
of the Gateway Server, which the Device connecting through a VPN will need to Enrollment Server so that it can be seen
Management Server uses to connect to, reach resources on your intranet, includ- from the Internet. Mobile devices also need
and the SSL port, which defaults to 443. ing the Device Management Server. When to be able to communicate with the Device
Next, you specify the address pool from you’ve entered all the necessary informa- Management Server via the IPsec VPN in
which IP addresses are allocated to mobile tion in the wizard, click the Add button. the DMZ over port 8443/TCP (unless you
devices that connect through a VPN. You You can add more gateways if necessary, or specified another port during installation)
can add one or more address pools, as you can click Finish to exit the wizard. and with the Gateway Server to establish
Figure 1 shows, and each can have as To verify that the Gateway Server is IPsec tunnels, which require IP protocol 50,
many as 65,535 addresses (using a subnet configured, launch the MDM Console 500/UDP and 4500/UDP to be opened.
mask of 255.255.0.0). Note that the address and select Gateway Management under You also need to open access to DNS
pools must be consistent with the internal your MDM instance. As Figure 2 shows, and to specific servers, such as email
IP address of the Gateway Server, meaning the Service Configuration State should be servers, using the ports they conventionally
that the subnets and subnet masks must “Running” and the Sync State should be use for VPN access. For clients terminating
be complementary, with no conflict or “Up to date.” If the service isn’t running or in the DMZ, use addresses allocated
overlaps. If required, you can also specify a the state is “Error,” check the MDM logs in from the address pools configured on the
default gateway for clients to access intra- the Windows Event Viewer on the Gateway Gateway Server.
net resources, which might be
necessary if the address pools
aren’t on the same subnet as
the Gateway Server itself.
After the address pool
is configured, you’re asked
for the IP addresses of your
DNS and WINS servers. You
must specify at least one DNS
server. The IP addresses you
provide should be for DNS
servers either in your DMZ or
reachable from it. You should
also enter any routing infor-
mation that mobile devices Figure 2: Verify Gateway Server configuration in the MDM Console

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 33

 MDM 2008 SP1
Figure 3: A completed pre-enrollment request in the Pre-Enrollment Wizard
Enrolling Devices
With MDM successfully installed, you can
begin enrolling mobile devices by creating
enrollment requests. In limited deploy-
ments and in smaller organizations, it’s
possible to manage enrollment requests
manually, but in larger deployments and
organizations, you’ll want to install and
configure the Self Service Portal so users
can manage their own enrollment and
device configuration. For information
about installing the Self Service Portal,
see the Microsoft article “Install MDM Self
Service Portal” (technet.microsoft.com/
library/dd261730.aspx).
To manually enroll a mobile device,
launch the MDM Console, expand the
MDM instance you want to manage,
expand the Device Management node,
then select All Managed Devices. In the
Actions pane, click Create Pre-Enrollment
to launch the Pre-Enrollment Wizard.
After the introductory step, the wizard
prompts you for a name for the mobile
device that will be enrolled; this name
must be unique and a maximum of 15
characters in length. You can override the
organizational unit (OU) that a mobile
device object is placed into in AD. For
large environments or environments in
which you use OUs to set different policies
34 AUGUST 2010 Windows IT Pro
only the E-mail address/User namee and
Enrollment password. A pre-enrollment is
valid for only eight hours by default.
To use the pre-enrollment, the device
owner needs to go into the phone’s Set-
tings menu, select Connections, then
select Domain Enroll to launch the device
Domain Enrollment. When launched, the
owner selects the Enroll option and enters
the E-mail address/User namee and Enroll-
ment password d provided. If the mobile
device isn’t able to automatically find an
Enrollment Server, the device owner is
alerted and can manually enter the public
FQDN. The phone contacts the enroll-
ment server, downloads necessary enroll-
ment information, completes enrollment,
then prompts the user to connect to the
Device Management Server to finish the
configuration. The mobile device needs
to reboot during enrollment and con-
figuration. When the device has completed
enrollment and configuration, the Domain
Enroll function on the device is disabled
and enrollment information is displayed,
for mobile devices, you might want to as Figure 4 shows. The enrolled mobile
create new OUs and place mobile device device is also visible in the MDM Console,
objects in those OUs. If you use alternative as Figure 5 shows.
OUs, you must run the PowerShell cmdlet Enrolled and configured devices
Set-EnrollmentPermissions and specify establish VPN connections to the
each OU to prepare it.
Next, you’re prompted to specify the
device’s user, for which you have three
options: Active Directory User, Other user
identifier,
r and Anonymous User. If you
select Active Directory User, you can use
Group Policy to manage the mobile device,
and you can email the selected user with
enrollment information, which makes
setup easy for users who already get email
on their mobile devices. I recommend that
you avoid the other options because their
usefulness is limited. An example of when
you might use these options is if multiple
people share a mobile device. When add-
ing AD users, you select them from a list by
using the Browse button in the wizard, or
you can manually enter their distinguished
name (DN).
Next, you need to confirm the choices
you’ve made and create the pre-enroll-
ment. When the pre-enrollment operation
completes, the wizard provides you with
information to pass along to the owner
of the device to complete enrollment, as Figure 4: Enrollment information displayed on
Figure 3 shows. The device owner needs an enrolled mobile device
W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

Figure 5: An enrolled mobile device displayed in the MDM Console
Gateway Server, then on to the Device
Management Server as well as to other
resources on your corporate network.
Keeping a constant VPN connection
can drain batteries on mobile devices;
therefore you might want to advise your
users to disconnect the mobile VPN on
the device when not in use. However,
you might need to configure an option
through Group Policy to let users discon-
nect the VPN.
You can use the Update Device Details
option in the MDM Console to refresh
device information at any time. It’s from the
MDM Console that you can wipe a lost or
stolen device, or block it from connecting
to the corporate network via the Gateway
Server.
Managing Mobile Devices by GPO
Mobile devices can be managed in a
fashion similar to desktops or laptops
through the use of Group Policy Objects
(GPOs). However, you first need to load
an administrative template contain-
ing mobile settings. To do so, launch
GPMC from Administrative Tools on the
machine where you installed the MDM
Administrator Tools. Next, right-click
Group Policy Objects, select New, and
give the GPO a name to create it. Next,
edit the GPO and expand the Policies
node under Computer Configuration.
Right-click Administrative Templates and
select Add/Remove Templates. In the
w w w. w i n d o w s i t p ro. c o m
dialog box that appears, click the Add
button, then scroll down the list of fold-
ers and templates displayed in the Policy
Templates picker until you find one called
mobile.adm. Double-click it.
After the mobile device policy tem-
plate is loaded, you’ll find that addi-
tional policies have been added to
the Group Policy Management Editor
under both Computer Configuration
and User Configuration. In each one,
you’ll find Windows Mobile Settings
under Administrative Templates in the
Policies node. On Vista systems, they’re
under Classic Administrative Templates
(ADM). Device policies let you control
things such as passwords, device fea-
tures (e.g., camera, Bluetooth), appli-
cations, encryption, VPN connections,
and software distribution. User policies
are limited to EAS settings and the use
of Secure MIME (S/MIME) for secure
email.
To apply a policy to mobile devices,
simply link the GPO to an OU contain-
ing objects representing mobile devices.
Note that the Group Policy modeling
tools don’t work well with mobile device
settings, but you can use the Windows
Mobile Group Policy Results Wizard
to generate a report of settings that
apply to a device or user. This wizard
is available from GPMC on the sys-
tem on which you installed the MDM
Administrator Tools.
W e ’ r e i n I T w i t h Yo u
MDM 2008 SP1
Distributing Software to Mobile
Devices
You can create and distribute software
packages to mobile devices by launching
the MDM Software Distribution Console,
which is available in the MDM Adminis-
trator Tools collection. Before you create
a package, you need to point the console
to a WSUS server running on a Device
Management Server. You then launch the
Create Package Wizard from the console
by expanding the Software Distribution
node, the node representing the WSUS
server, and the Packages node. In the Pack-
ages node, right-click Software Packages to
launch the wizard.
In the wizard, you specify the location
of the .cab file containing the software to
be distributed, along with information
to sign the .cab file if desired. You can
restrict software on mobile devices to only
that which is distributed with MDM or
Group Policy. Other information required
when creating packages for distribution
to mobile devices includes which devices,
mobile OS versions, and languages the
package is intended for, as well as depen-
dencies and uninstall options. After a
package has been created for distribution,
you can track its installation by running
reports with the Software Distribution
Console.
Complex, Yet Versatile
You should now have a good grasp of
how to deploy MDM 2008 SP1, as well as
some of its capabilities for mobile device
management. Although it’s a reasonably
complex product to get up and running,
MDM offers an excellent platform to man-
age security of mobile devices, especially
to enterprises with sophisticated mobile
device management needs. However,
MDM can be used to manage just a small
number of mobile devices as well—for
instance, those belonging to key personnel
or other employees who have business-
critical data on their devices.
InstantDoc ID 125481
John Howie
(jhowie@microsoft.com) is a
senior director in the Online
Services Security & Compliance
team at Microsoft, where he
manages cloud security.
Windows IT Pro AUGUST 2010 35
 FEATURE

Virtualizing
Active Directory
V
irtualization is all the rage b
because
c of
o the cost savings and flexibility it can
a bring to yo
our
ur
data center. The first step companiess usually take is to consolidate their physical servers Implement
onto host machines as virtual machinesi (VM
(VMs).) C
Company management naturally
to maximize savings by virtualizing as many servers as possible. When companies go
ll wants
virtual domain
through this process, the policy is often “virtual by default”: Applications will be vir- controllers while
tualized unless you can provide a good reason they shouldn’t be virtualized. Can you
virtualize Active Directory (AD)? Should you virtualize your AD forest, or part of it? maintaining
Virtual vs. Physical
fault tolerance
The first and most important question is: “Does Microsoft support virtual domain controllers and security
(VDCs)?” Moving a chunk of your critical infrastructure to an unsupported configuration is definitely
a career-limiting move. Fortunately, Microsoft does support VDCs as part of Microsoft server software
on both Microsoft and third-party virtualization products; you can find complete details of the com- by Sean Deuby
pany’s support policies in the Microsoft article “Microsoft server software and supported virtualiza-
tion environments” (support.microsoft.com/kb/957006). However, there are some important best
practices you must pay attention to. Just because a configuration is supported doesn’t mean you can’t
get yourself in trouble with it. Microsoft’s Problem Resolution Services will be happy to help you—at
a price—but if you follow the recommendations in this article, you won’t need their help.
The next decision is when to virtualize a domain controller (DC) and when you should leave it
physical. Performance isn’t really a factor anymore; the 64-bit hypervisors available from VMware
and Microsoft provide excellent performance compared with physical hardware; for instance, the
Microsoft article “Performance and capacity requirements for Hyper-V” (technet.microsoft.com/
library/dd277865(office.12).aspx) reports results of running Microsoft Office SharePoint Server 2007
in a virtual environment. Virtualization host clusters let you use features such as VMware VMotion or
Hyper-V Live Migration to create highly available DCs more easily than ever. Still, I think there are two
compelling reasons to keep at least some physical DCs in a forest: fault tolerance and security.
AD is fault tolerant because it’s a distributed system. A company might have anywhere from the
recommended minimum of two up to hundreds of DCs providing AD services. The domain or for-
est will survive the loss of one or more DCs because no single DC contains unique information that
can’t be recovered or otherwise reset. In a purely physical AD installation, there’s an implied fault
tolerance provided because each DC is a different physical box, and they’re spread across physical
locations. In a virtual infrastructure, you can’t make these assumptions. For example, you could have
several DCs on a single host, putting them all at riskk if the host fails. Or your company’s standard
virtualization plan might call for all servers to use a SAN instead of local disks, which exposes much
or all of your AD to a SAN failure. (For more information about AD storage, see the sidebar “For DCs,

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 37

 VIRTUALIZING AD
installation, be sure the VDC is using the

For DCs, Simple Storage Is synthetic network adapter rather than the
legacy emulated adapter; the synthetic NIC

Better Storage is much faster.

You can use either fixed or dynamically
expanding disks for the hard disk configu-
Virtualization frees systems from residing on a single piece of hardware, giving virtualized ration; Microsoft now claims that Hyper-V
systems a flexibility of location that’s restricted mainly by where the virtual machine’s (VM’s) R2’s dynamic disk performance is nearly
disk files can be accessed from. In a simple network, if you want to use a virtual disk on identical to fixed disks. However, a DC’s
another host, you must copy that multigigabyte file over your network, which takes time disk requirements are fairly static, so after
and can be a complicated sequence of exporting, copying, and importing files. you’ve determined the optimal disk size for
A SAN can simplify this process because the disk files don’t necessarily move—the your DC—by looking at your physical DC’s
machines that access them are what changes. Depending on how it’s configured, in a cen- disk usage—I would recommend creating
tralized SAN an available VM disk file can run in a data center in California, then quickly be a fixed disk of the same size. Write caching
changed so a server in New York is using it. When the SAN is configured for shared storage, on volumes that contain the AD database
you can put multiple VMs into a virtualization failover cluster. and log files is disabled by default to ensure
But should you place your domain controllers (DCs) on a SAN? Active Directory (AD) that any interruption in the I/O process
is a distributed system. Its fault tolerance stems from the fact that its components—for doesn’t corrupt data.
example, its disks—are scattered throughout the enterprise. As you begin to consolidate You should also evaluate deploying
its pieces, it begins to lose its fault tolerance. A DC’s disk needs are modest. It must support read-only domain controllers (RODCs) in
an indexed, sequential database file that’s read from more frequently than it’s written to, your forest. Because an RODC has only a
and is usually less than 10GB in size. But the availability of every AD domain is absolutely read-only copy of AD, with no passwords
essential. by default, it helps mitigate some of the
If your data center rules are that every VM’s disk must be on the SAN, and you lose the security concerns associated with VDCs.
SAN, you’ve lost your domain or even your forest until the SAN is back up. You can argue that RODCs require at least Server 2008.
SANs don’t often fail, but when you’re working with such a basic level of your company’s IT Disable the Synchronize time with host
infrastructure as AD, systems should depend on each other as little as possible. You expect setting for your VDC; DCs have their own
a SAN failure to prevent multiple application servers from functioning, but a completely time-synchronization architecture and
redundant SAN can be extremely expensive and cost-prohibitive. But do you want to lose don’t need or expect any other synchroni-
the ability to log on to the network also? zation. If you’re using Hyper-V, be sure that
With a distributed, straightforward database application such as AD, SAN storage is the virus scanner in the parent partition is
not only unnecessary, but it also increases the risk of a single point of failure. Using local excluding the VHD files of the child parti-
disks, a single DC might fail due to disk failure, but the outage will be isolated to the DC. tions or you might encounter performance
Locating your DC’s AD databases on a SAN makes your forest dependent on the SAN. The problems and error messages when trying
recommendation: Keep it simple. Keep it local. to start up VMs.
InstantDoc ID 125463 A VDC can be deployed in the same
manner as other VMs—typically, with a
management product such as Microsoft
Simple Storage Is Better Storage.”) There- is dwarfed by the potential cost to your System Center Virtual Machine Manager
fore, when you’re designing a virtualiza- company of losing an entire domain. (VMM) or VMware vCenter. If you need to
tion plan for your AD forest, look closely run a highly automated DC deployment,
at the supporting infrastructure and work Building and Deploying VDCs the Dcpromo process can be scripted
with the virtualization team to eliminate After you’ve decided what to virtualize, it’s to run as a post-deployment option; see
any single points of failure. I’ll talk about time to configure your VDCs. From a purely the Microsoft articles “Configuring the
security reasons to not virtualize your DCs technical viewpoint, this is a straightfor- Automatic Installation of Active Direc-
later in this article. ward process. If your DCs run Windows tory” (tinyurl.com/22umult) and “How to
I recommend leaving at least two physi- Server 2008 or Server 2008 R2, consider Configure Guest Operating System Profile
cal DCs in each domain, one of which using Server Core for the OS because of Scripts” (tinyurl.com/2fzotwg).
should be the PDC Flexible Single-Master its reduced attack surface. Choose proces-
Operation (FSMO) role holder. This archi- sor and memory requirements to emulate Administering VDCs
tecture ensures that if your entire virtual your current configuration—or what you’d The most important technical principle to
infrastructure becomes unavailable, you’ll like your current configuration to be if you remember when administering VDCs is that
still have a fully functional domain with could have afforded it. Ensure that the you don’t want to pull any virtualization
distributed fault tolerance. It’s up to you to virtual machine enhancement for your tricks on a VDC that the directory service
provide a sense of perspective: The cost of virtualization solution (e.g., VMware Tools) isn’t aware of. What does this mean? Virtu-
keeping two servers on physical hardware is installed on the VDC. If it’s a Hyper-V alization lets you do interesting and useful

38 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


things with a VM that you can’t do with a
physical machine, such as take snapshots
that let you quickly roll a system back to
a previous state, or restore the entire VM
from a backup of the image file, or make
copies of the image file for safe keeping or
reuse. Don’t do these things with a VDC, or
you’ll be setting yourself up for that Micro-
soft support phone call.
Why? Remember, AD is a distributed
system. If AD resided on only one DC,
these operations might be safely possible.
But because the multiple DCs in a domain
or forest must communicate with each
other, each DC must therefore have a cor-
rect understanding of every other DC’s
state. Virtualization capabilities such as
snapshots, image-based restores (with one
exception), and cloning don’t pass their
state changes to the directory service on
the target VM; it has no idea what’s been
done to it and therefore neither do its rep-
lication partners. This condition can wreak
havoc in your domain or forest. Let’s review
what virtualization operations are sup-
ported for DCs, and which aren’t.
Image-based (aka host-based) back-
ups. Restoration from image-based back-
ups, in which you copy or otherwise back
up the virtual hard disk files that contain the
VDC, isn’t supported (with one exception).
In this kind of operation, the OS and AD
database are returned to a previous state
without resetting the invocation ID (the
version of the local database) so the other
DCs don’t know the target DC has been
restored. This situation violates AD’s data
integrity and can create lingering objects
or an update sequence number (USN)
rollback scenario; you can find out more
about this problem in the Microsoft article
“How to detect and recover from a USN
rollback in Windows Server 2003” (support
.microsoft.com/kb/875495).
The exception is when the guest OS
is running Windows Server 2003 or later
and the backup utility on the host, such as
Windows Server Backup, calls the guest’s
Volume Shadow Copy Service (VSS) writer
to ensure the guest is backed up properly;
Windows 2003 was the first OS to include
this service. The guest VSS writer takes
a volume snapshot of the guest, which
ensures data integrity of the backup. In the
event of a restore, the VSS-aware restore
program notifies the guest’s directory
w w w. w i n d o w s i t p ro. c o m
service that a restore has taken place. This
process resets the AD database’s invocation
ID, which causes the DC’s replication
partners to recognize a restore has been
Moving a chunk
of your critical
infrastructure to
an unsupported
configuration is
definitely a career-
limiting move.
Fortunately,
Microsoft does
support VDCs.
performed, so replication coming from the
DC is valid.
Client backups. The other supported
method of backing up a VDC is by run-
ning client backups, just as if it were a
physical DC. This process isn’t as speedy
as a host-based backup that uses the VSS
writer, but it has an advantage over many
current host-based backup applications
because you can restore individual files on
the guest. Most host-based backup applica-
tions don’t support file-level restore, but
as they become more sophisticated (for
example, Microsoft System Center Data
Protection Manager 2010), they, too, can
Frankly, I believe
provisioning and
promoting a new
VDC is safer and
just about as fast as
performing a P2V
conversion on an
existing DC.
restore individual files from guest OSs that
support VSS. Microsoft has documented its
best practices for backing up and restoring
VDCs in the article “Backup and Restore
W e ’ r e i n I T w i t h Yo u
VIRTUALIZING AD
Considerations for Virtualized Domain
Controllers” (tinyurl.com/ydw8b5w).
Should you even back up every VDC?
I’d argue that for small forests, you should
take system-state backups of two DCs in
every domain, period. Larger forests with
large (over 5GB) AD databases (ntds.dit)
or geographically dispersed DCs should
have more, following the principle of keep-
ing a backup on the same LAN as the
DCs, to speed the process of performing a
Dcpromo from media. If you should lose
a VDC for some reason, there are faster
options for recovery than restoring one
from backup. (For other options, see the
DC Recovery page of my Active Direc-
tory Recovery Flowchart at tinyurl.com/
adrecovery.)
VM snapshots. Restoring a VDC using
VM snapshots isn’t supported. These snap-
shots (not to be confused with directory
snapshots taken with Ntdsutil or volume
snapshots taken by VSS) are a point-in-
time capture of a VM’s state. Restoring a
VDC to its previous state by using a saved
snapshot causes the same inconsistency
problems in your directory as an image-
based backup.
Cloning. Cloning a DC by duplicating
a VDC’s hard disk file isn’t supported. If
the cloned VDC comes online in the same
forest as the original, and you resolve
the immediate problems with identical
server names and IP addresses, you’ll
encounter problems with duplicate direc-
tory service agent (DSA) GUIDs, duplicate
SIDs, duplicate Relative Identifier (RID)
pools—and worse if the cloned VDC is a
RID master—secure channel problems,
machine account password updates . . . you
just don’t want to go there.
Physical to virtual (P2V) conversion.
P2V conversion is supported, but only if the
source physical DC is offline; VMM 2008
enforces this requirement. DC P2V conver-
sion with the source DC online creates a
problem similar to cloning. Frankly, I believe
provisioning and promoting a new VDC is
safer and just about as fast as performing a
P2V conversion on an existing DC.
Pausing. Pausing a VDC (i.e., putting
it in suspended animation) is actually OK,
just “do not pause the domain controller
for long periods,” to quote the Microsoft
article “Considerations when hosting
Active Directory domain controller in
Windows IT Pro AUGUST 2010 39
 VIRTUALIZING AD
virtual hosting environments” (support
.microsoft.com/kb/888794). What hap-
pens when you pause a DC? To its rep-
lication partners, it suddenly falls off the
network—the equivalent of pulling out
the network cable. When the paused DC
comes back online, time has suddenly
jumped forward. Its Kerberos tickets
have expired, its machine passwords
might need to be updated, and if it’s been
paused longer than the tombstone life-
time, it can no longer replicate and must
be rebuilt. I’d suggest pausing be used
sparingly and not for extended periods
of time.
Standardized configuration. Because
a VM requires a different hardware
abstraction layer (HAL) and a different
device driver set than what you’re using
for your physical DCs, VDCs require a
separate OS build standard. Most com-
panies have at least two standard build
configurations, one for widely deployed
hardware nearing its end of life, and one
for new hardware beginning a broader
adoption. VMs, because of their HAL and
device driver set, will require a third build
configuration.
VDC Security
Security best practices for VDCs are a com-
bination of the established best practices
for DC security, such as physical security,
and virtualization security, such as isolated
networks. One hazard of virtualizing DCs
is that your directory services team and
virtualization team probably aren’t familiar
with each other’s security practices. These
teams must sit down together and review
how to accomplish both teams’ require-
ments. Here are a few examples of impor-
tant security considerations.
Virtual disk security. Access to the
VDC’s virtual disks is the same as granting
physical access to a physical DC; if you
grant access, you can’t guarantee secu-
rity. Access to these virtual disk files must
be carefully protected, especially because
more people will require access to them
as a result of virtual host administration
needs. Therefore, host admins, enclosure
admins, SAN storage admins, and data cen-
ter admins are all groups that might need
to be added to the list of personnel that
are flagged as having access to corporate
directory information.
40 AUGUST 2010 Windows IT Pro
Console access. DC administrators
should be granted console access to VDCs
in the same manner they would have
access to physical DCs via an out-of-band
console utility that doesn’t require an
installed OS. In a VMware shop, you can
use vCenter Server to manage console
access, and in a Hyper-V installation you
can use Authorization Manager (AzMan)
or VMM’s Self-Service Portal.
DC awareness. Full VDCs hold the
“keys to the kingdom,” and personnel with
administrative access to the host have the
ability to access and possibly disrupt activ-
ity of the VDC on that host. It’s essential
that all personnel with host access be
trained to understand the implications of
having a DC on their host servers.
RODCs.You can reduce some of the secu-
rity risks associated with VDCs by deploying
I recommend
leaving at least two
physical DCs in
each domain, one
of which should be
the PDC FSMO role
holder.
RODCs instead of full DCs wherever possi-
ble. RODCs don’t perform any writes to AD,
and by default user and machine account
passwords aren’t replicated to them. So, for
example, if a virtual RODC’s hard disk file is
stolen, the attacker can’t crack passwords
out of it. A corrupted RODC hard disk file
can’t harm the rest of the forest, nor will any
changes made to it be replicated to the rest
of the forest. This situation doesn’t mean a
compromised RODC is harmless; possession
will reveal organization structures, DNS
records—in general, lots of information you
don’t want to share.
Do Your Homework
Virtualizing some of your AD infrastructure
might yield corporate benefits, but there’s
practically no benefit to the AD administra-
tor. It can be done though, and Microsoft
supports it, but you must do your homework
before you begin. The key Microsoft VDC
documentation can be found in TechNet
W e ’ r e i n I T w i t h Yo u
Learning Path
Q&As on Active Directory and virtualization:
“Q. What Active Directory (AD) domain mode do I need
to be in to use System Center Virtual Machine Man-
ager (SCVMM) 2008 R2?” InstantDoc ID 125408
“Q. I’m using System Center Virtual Machine Manager
(SCVMM). How can I delete an emulated NIC from
a virtual machine (VM) within a script?”
InstantDoc ID 125421
“Q. How does dynamic memory in Hyper-V in Win-
dows 2008 R2 SP1 work?” InstantDoc ID 125409
“Q. Is dynamic memory a good solution for all types of
virtualized application?” InstantDoc ID 125426
“Q. Can I roll back Active Directory (AD) to an AD
snapshot?” InstantDoc ID 125471
“Q. I need to make a major change to the schema
of my Active Directory (AD). If it goes wrong,
can I perform an authoritative restore to reset?”
InstantDoc ID 125456
“Q. How can I estimate the size of my Active Directory
(AD) based on a number of objects?”
InstantDoc ID 101617
More articles about using virtualization:
“Going Virtual with SharePoint 2010,”
InstantDoc ID 125111
“Going Virtual with Exchange 2010,”
InstantDoc ID 104653
“Make SQL Server Sing on Hyper-V,”
InstantDoc ID 103658
“The Virtualization Stakes,” InstantDoc ID 103476
“Understanding Microsoft’s Virtualization
Technologies,” InstantDoc ID 103245
“Hyper-V Live Migration: A Step-by-Step Guide,”
InstantDoc ID 125262
article “Running Domain Controllers in
Hyper-V” (tinyurl.com/2fm7hd8). Don’t do
anything to your VDCs that their directory
services can’t comprehend, and be aware
that the very advantages virtualization brings
to VDCs also mean that their security is more
complicated.
InstantDoc ID 125464
Sean Deuby
(sdeuby@windowsitpro.com) is a
contributing editor for Windows
IT Pro, a senior analyst with Plat-
form Vision, and former technical
lead of Intel’s core directory ser-
vices team. He’s been a directory
services MVP since 2004.
w w w. w i n d o w s i t p ro. c o m
 FEATURE
Essential Windows Server 2008 R2
Features for
Managing Your
File Server
Infrastructure

O
ne of the first articles I wrote for Windows IT Pro—“Let’s Get Organized: File Server
Basics” (InstantDoc ID 95354)—discussed some time-tested methods for getting the
Four tools in
most out of your file server. If your data is scattered all over your network, or your file
system security is all over the place, or your folder structure is a mess, that article pro-
the new OS
vides some good ideas for organizing your file server. Now that Windows Server 2008 bring you
R2 has been out in the wild for some time, I thought I’d revisit this topic, update it for
Microsoft’s newest OS, and talk about some of the great tools you can use for migration and file-server
greater control
management. over your file
First, Migrate! structure
Before you can even get started using your new Server 2008 R2 server, you need to migrate your data
from the old server. Don’t underestimate this process. I’m always surprised by how many adminis-
trators don’t take the time to plan their migration. Many servers have hundreds of gigabytes—if not by Eric B. Rux
terabytes—of data that can take a long time to copy from one server to another. If you use drive map-
pings (most companies do), you’ll need to change them to reflect the new file server name (unless you
name it the same as the old server). You also need to consider that many users have created their own
shortcuts to the UNC path (\\Server\Share), and that
yyou’ll invalidate all their links if you change the name
of the file server. These are just some of the challenges
yyou’ll face when your shiny new server arrives on your
front doorstep.
Fortunately, you don’t have to go it alone. The File
Server Migration Toolkit (FSMT) is a free Microsoft
tool that helps you migrate any Microsoft file server
to Server 2008. You can find it at www.microsoft.com/
downloads/details.aspx?FamilyID=d00e3eae-930a-
42b0-b595-66f462f5d87b. The FSMT comes in both
32-bit and 64-bit versions, so be sure to download
the correct file. After you download the 1.3MB file,
yyou’re ready to test it in your lab. I highly recommend
kicking the tires on a non-production server before
going for broke on something as important as your
company’s files.
The application walks you through the complete
migration process, from setting up shares on the new
sserver to ensuring that all the data has been copied
b
before going live. It even shuts down the old file shares
w
when the time is right. Figure 1 shows you what this
Figure 1: The migration process p
process looks like.

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 41

 MANAGE YOUR FILE SERVER
Figure 2: Sample reports
One extremely cool FSMT feature is the
Distributed File System (DFS) Consolida-
tion Root, which lets your users continue
to use their old UNC paths even after the
old server is long gone. For a walkthrough
of a sample migration, check out the web-
exclusive sidebar “A Simple File Server
Migration” (InstantDoc ID 125461).
Who’s Using the Storage?
Setting up a file server has always meant
one thing: “Build it, and they will fill it up.”
It's a universal truth. Users will still manage
to take all the space on the server if you let
them. Unfortunately, you have no real idea
of the types of files that are stored on your
drives. To get that “look” into your file server
that you’ve always wanted, check out the
File Server Resource Manager (FSRM).
In just a few minutes, you can have
reports about exactly the kind of data that’s
stored on the file server—for example,
what kind of files (e.g., documents, movies,
music), where the data is located, and who
owns the data. A few examples of the built-in
HTML-based reports are Duplicate Files,
Large Files, Least Recently Accessed Files,
Most Recently Accessed Files, and Files by
Owner. Figure 2 shows an example of the
kind of reports that you can generate.
42 AUGUST 2010 Windows IT Pro
For example, to generate a report on dupli-
cate files, you’d walk through these steps:
1. Open FSRM.
2. Right-click Storage Report Man-
agement, and choose Generate Reports
Now. (You can schedule this procedure by
choosing Schedule a New Report Task.)
3. Add the folder or partition that you
want to analyze.
4. Click Duplicate Files.
5. Choose the report format that you
want (e.g., DHTML, HTML, XML, CSV, Text).
6. Click OK to generate the report.
The report is neatly laid out, displaying the
duplicate files in descending order with the
larger offenders at the top of the page.
FSRM also lets you set quotas. And
unlike Windows Server 2003’s Disk Quota
feature, Server 2008 R2’s implementation
lets you set quotas on individual folders
Figure 3: File Screen Templates
W e ’ r e i n I T w i t h Yo u
instead of the entire volume. The settings
are pretty granular, including distinctions
for hard and soft limits. Setting a hard limit
prevents the user from using more space
than he or she is allowed. A soft limit is only
a “warning” and doesn’t actually prevent the
user from using more space than allocated.
Multiple notification methods—including
email, event log entry, custom report, and
a script of your choice—keep you informed
about the quota status. The quota section is
by far the easiest area of FSRM to understand
and configure: You simply click Quotas in
FSRM, choose Create Quota, enter the path
(either an entire volume or a specific folder),
select a predefined quota template, and click
Create. If the built-in Quota Templates don’t
meet your needs, you can create your own in
the Quota Template area.
Another new feature worth mentioning
is File Screening Management, which lets
you block certain types of files from being
stored in a specific folder. For example,
the marketing department probably has
a business case for storing movies and
videos on its departmental folder. Other
departments, however, might not have
that same business need, and preventing
them from storing such large files on the
server can save gigabytes of space. Server
2008 R2 comes with 11 predefined, built-in
File Groups, but you can create your own if
the file type you want to block isn’t listed.
Some of the built-in File Groups are Audio
and Video Files (37 file types), Executable
Files (20 file types), and Image Files (18 file
types). Figure 3 shows a few of the provided
File Screen Templates.
The FSRM installation process is quick
and easy—once you find the silly thing.
You install the application from Server
Manager, Role Services near the bottom of
the page. (Don’t confuse Role Services with
Roles at the top of the screen.) When the
installation is complete, you can find the
Microsoft Management Console (MMC)
FSRM snap-in under Administrative tools.
w w w. w i n d o w s i t p ro. c o m

Figure 4: Before ABE file server cleanup
Figure 5: After ABE file server cleanup
How Important Is the Data?
All files have levels of importance, and
some need to be handled a certain way.
Unfortunately, the only ways to differentiate
between files have been the file type (by
extension) and the date they were last
accessed. This limitation severely affects
your ability to manage files based on their
actual usage. Wouldn’t it be nice if you could
ensure that files with personal data were
stored on an encrypted drive? Wouldn’t you
love to ensure that your most important files
are stored on high-availability storage?
The answer lies in Server 2008 R2’s File
Classification Infrastructure (FCI). The FCI
process isn’t exactly intuitive, but once
you’ve played with it for a while, it starts to
make sense.
The first step is to create one or more
Classification Properties. These can be
confusing the first time you set them up,
but essentially they’re the “tag” you’ll
place on a file. For example, I can set a
level of Confidentiality as either Low,
Medium, or High.
w w w. w i n d o w s i t p ro. c o m
MANAGE YOUR FILE SERVER
Next, you create a rule that defines
exactly what each level of Confidentiality
means. In my hypothetical example, I want
to make sure that all files dealing with NASA’s
Space Shuttle are kept secure. So, I can cre-
ate a rule that marks any file containing the
word “shuttle” as Confidential; High.
The final step in this simple example is
to create a task that acts on the files that fall
within a Classification Rule. I can create a
task that moves files that are Confidential;
High h (those with the word “shuttle” within
the text of the file) to a more secure loca-
tion. You could set up a similar process
for files that contain a United States Social
Security Number (SSN), or even for files
that haven’t been accessed for a specified
amount of time.
Moving the file is just one of the actions
that can be taken on a file that meets the clas-
sification criteria—as long as you’re versed
in scripting. The plan is that Microsoft and
even third-party vendors (e.g., SAN manu-
facturers) can tap into the FCI API. In the
meantime, you’re a bit limited.
W e ’ r e i n I T w i t h Yo u
Clean Up that Clutter!
Access Based Enumeration (ABE) is a
relatively new technology in the Microsoft
world, but it’s one that’s been around for
quite a while. I can still see the puzzled
look of those Novell administrators when I
told them that my users could see (but not
access) folders that they didn’t have per-
missions to. It wasn’t until a special out-of-
band download for Windows 2003 that this
feature came to Windows file servers.
What exactly is ABE? In short, ABE
hides folders that users don’t have at least
Read access to. Figures 4 and 5 show a
simple before-and-after example of how
ABE can clean up your file server and make
it easier for your users to navigate through
Windows Explorer.
ABE was available for Windows 2003 only
via a separate download. But Server 2008
includes ABE and is ready to go out of the
box. You don’t have to download it, install it,
or even enable it. Folders that are shared are
ABE-enabled by default. If you decide that
you don’t want to use ABE on a particular
folder, you can disable it on a share-by-share
basis in Server Manager. Once Server Man-
ager is open, expand Roles, File Services,
Share and Storage Management. Choose
the share for which you want to disable ABE,
right-click it, and choose Properties. Click
Advanced, then clear the Enable access-
based enumeration n check box.
Go Forth and Organize!
You’d think that serving up files would be
the least of our worries in today’s high-tech
server rooms. But as data stores get bigger
and regulations get tighter, we need to learn
to use the built-in tools that can make our
jobs easier. If you know of a server that’s
completely disorganized, try the techniques
I discussed in the first article, then enhance
what you offer your users by using these
new, powerful Server 2008 R2 features.
InstantDoc ID 125461
Eric B. Rux
(ebrux@whshelp.com) is a
contributing editor for Windows
IT Pro, is cofounder of WHSHelp
.com, and writes a monthly
column at svconline.com/
connectedhome/windows
homeserver. Eric teaches the
Microsoft Certified Systems
Administrator (MCSA) program at
a tech college.
Windows IT Pro AUGUST 2010 43
 FEATURE

and

in
PowerShell

S
omet etim
iss, th
imes
her
es whe
ere ar
ere
hen some
someetth
so
are ceerttaaiin co
are
hin
hin
cond
cond
ing go
ndit
itio
it
goes wro
ionnss tha
rong
h t yo
ng in Wi
ng
youu ca
Window
nd
n
can anti
an
dow
ows
ntici
ws P
ticipa
ticip
Po
paaate
owweerS
erS
te aand
te nd
She
hell
d poten
l , it iisn
otten
enti tial
ti
sn’t
sn ’t a bad
allly d
ally
d thin
deeal wi
with
hing.
hing Th
ng Thaat
th, such
th
th,
at
such aas
su
How to use the
a mi
miss
migh
migh
mi
ssiing file
ghtt wa
want
file or a co
ntt tto
o pr
prom
comp
ompt
mput
mp
mpututer
er tth
pt the use
hat ca
hat
serr fo
can’
n’t
’t be
be ccon
forr an act
cti
tion
onta
tact
tac
ta
ion to
cted o
cted
to take
ove
verr th
thee ne
k or just logg th
netw twork.
thee er
k. IIn
erro
n res
respon
ror so th
onsse, yo
you
hat you can
u Trap and Try…
trry again laater. PowerShell makes this possibl b e through a scheme called error trappingg Catch…Finally
and handliing.
constructs
First, You Need an Error
To trap and handle an error, you actually need one to occur. Technically, in PowerShell terminology,
youu need an exception to occur. That can actually be a little tricky to do, believe it or not. For example, by DDon Jones
try running th
he followiing command. It will fail, but pay attention to what happens:

Get
t-WmiObjec
Object
ct Win32
3 _BIOS
OS -comp
co p 'localhost','not-here'
oca ost , ot e e

First, you should see the Win32_BIOS instance from your local computer. Then, you should see an
error message (unless you actually have a computer named not-heree on your network). Think you’ve
seen an exception? Wrong. In PowerShell, just because you’ve seen an error message doesn’t mean
an exception was created. You can’t trap or handle an error message. You can only trap and handle
exceptions.
What you just saw was an example of a non-terminating exception. That is, an exception really did
happen, but it wasn’t so bad that the cmdlet needed to stop executing. So the cmdlet basically held
the exception deep inside, suppressing its feelings of failure, and continued trying to do what you’d
asked. You can’t help the cmdlet if it isn’t going to be more open with its feelings. In other words, you
can’t trap and handle non-terminating exceptions. Many of the problems a cmdlet can run into will
typically generate a non-terminating exception. That’s because cmdlets don’t want folks to start calling
them crybabies, so if something moderately bad happens, they just shut up and keep going.
This cmdlet behavior is controlled by a built-in PowerShell variable named $ErrorAction
Preference. You can view its contents by simply typing the variable’s name at the command line:

$ErrorActionPreference

By default, it’s set to Continue, which is what cmdlets do when they encounter a non-terminating
error—they keep going. The cmdlets also display error messages by default, but you can shut them
off by setting $ErrorActionPreference to SilentlyContinue. Try it:

$ErrorActionPreference = "SilentlyContinue"
Get-WmiObject Win32_BIOS -comp 'localhost','not-here'

This time, the failure occurred but not a word was said about it. Our cmdlet just bit its lip and kept on
going, not so much as whimpering about the error. Now, this is where a lot of new PowerShell users go

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 45

 ERROR TRAPPING AND HANDLING

Listing 1: A Trap Construct

Function Do-Something {
Trap {
Write-Host 'Error in function' -fore white -back red
Continue
}
Write-Host 'Trying' -fore white -back black
gwmi Win32_BIOS -comp localhost,not-here -ea stop
Write-Host 'Tried' -fore white -back black
}

Write-Host 'Starting' -fore white -back green

Do-Something
Write-Host 'Ending' -fore white -back green

wrong, so I need you to picture me standing

up on a table and screaming, “Do not set
$ErrorActionPreference to SilentlyContinue
just to make the error messages go away.”
Error messages are, by and large, good
things. They tell us what’s broken. They’re
like the nerves in your fingertips that tell
you the stove you’re about to touch is very
hot. People who have problems with those
nerves often burn themselves. We usually
wantt to see error messages. What we don’t
want to see are the error messages that we
can anticipate and deal with on our own.
Just Cry Out Loud
When you anticipate a cmdlet running into
a problem that you want to deal with, you
need to tell that cmdlet to stop bottling
up its emotions. You’re not doing this for
every cmdlet across the shell, but just for
a specific cmdlet that you know you can
handle. Since you don’t want to make a
global behavior change, you should leave
$ErrorActionPreference set to Continue.
Instead, you can modify the error action for
just one cmdlet.
Every cmdlet in PowerShell sup-
ports a set of common parameters, one
of which is -ErrorAction (which can be
abbreviated -ea). It accepts the same values
as $ErrorActionPreference, including
Figure 1: Results from the Trap construct in Listing 1
stop, which tells the cmdlet to turn a
non-terminating exception into a terminat-
ing exception—and terminating exceptions
are ones you can trap and handle. For this
example, you’d run the command
Get-WmiObject Win32_BIOS
-comp 'localhost','not-here' -ea stop
(Although this command wraps here, you’d
enter it all on one line in the PowerShell
console. The same holds true for the next
command that wraps.)
Tricky Traps
The first way you can trap an error is to
use a Trap construct. Listing 1 shows an
example of a trap that’s defined within a
function. This code works in PowerShell 1.0
as well as PowerShell 2.0.
Figure 1 shows the output from the code in
Listing 1. As you can see, PowerShell first dis-
played the line Starting.
g It then executed the
function, which displayed the line Trying.
Next, PowerShell ran Get-WmiObject,
which can be abbreviated as gwmi. It first
ran this cmdlet against localhost, and you
can see the Win32_BIOS output. But it ran
into a problem trying to contact not-here,
so an exception occurred. The -ea stop
parameter turned that into a terminating
exception, so PowerShell looked for a Trap
construct within the same scope. It found
one inside the function and executed it.
That’s why Error in function displayed. The
trap finished with the Continue statement,
which kept the execution inside the same
scope (i.e., inside the function), and Tried
was displayed. Finally, the function exited
and Endingg was displayed.
Traps can be tricky because they are
their own scope. Specifically, they’re a child
of whatever scope they live in. Consider
the modified Trap construct in Listing 2.
Figure 2 shows the output from this version,
and I want you to follow the value of the
$test variable.
The script set the $test variable to One,
and that’s displayed in the Trying One
output. When the exception occurred, the
trap set the $test variable to Two. How-
ever, when the trap exited, the output still
displayed Tried One. What happened? As
a child scope, a trap can access its parent’s
variables for reading only. So, when the
trap tried to modify $test, it actually created

Listing 2: A Problematic Trap Construct

Function Do-Something {
Trap {
Write-Host 'Error in function' -fore white
-back red

A $test = 'Two'
Continue
}
$test = 'One'
Write-Host "Trying $test" -fore white -back black
gwmi Win32_BIOS -comp localhost,not- here -ea stop
Write-Host "Tried $test" -fore white -back black
}

Write-Host 'Starting' -fore white -back green

Do-Something
Write-Host 'Ending' -fore white -back green
Figure 2: Results from the problematic Trap construct in Listing 2

46 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


Listing 3: An Alternative Trap Construct
Trap {
Write-Host 'Error in script' -fore white -back red
Continue
}
Function Do-Something {
Trap {
Write-Host 'Error in function' -fore white -back red
Break
}
Write-Host "Trying" -fore white -back black
gwmi Win32_BIOS -comp localhost,not-here -ea stop
Write-Host "Tried" -fore white -back black
}
Write-Host 'Starting' -fore white -back green
Do-Something
Write-Host 'Ending' -fore white -back green
a new local $test variable, which means
that $test from the parent scope (i.e., the
function) was never changed. This is a real
bummer if you want your trap to modify
something so that your script can continue.
There are ways to remedy this. For example,
you can replace the command in callout A
in Listing 2 with the following command to
change the variable’s contents:
Set-Variable -name test
-value 'Two' -scope 1
The -scope parameter treats scope 0 as
the local scope, which is within the trap.
The next scope up—the trap’s parent—is
scope 1. So by changing testt in scope 1,
you’re modifying the variable that had
been set to One. Note that when you use
the Set-Variable cmdlet (as well as the other
-Variable cmdlets), you don’t use a dollar
sign ($) when specifying a variable’s name.
There’s one more tricky bit about traps
that I want to share. Take a look at the
alternative Trap construct in Listing 3.
What I’ve done is defined a trap within the
script itself, prior to the function’s defini-
tion. I’ve also modified the trap within the
function to use a Break statement rather
than a Continue statement. The Break
statement forces the trap to exit the scope
in which the error occurred (in this case,
the function) and to pass the exception to
the parent scope, which is the script. The
Listing 4: A Try . . . Catch . . . Finally Construct
Try {
gwmi Win32_BIOS -comp localhost,not-here -ea stop
} Catch {
Write-Host 'Something bad happened' -fore white -back red
} Finally {
Write-Host 'Glad that is over'
} struct, which Listing 4
w w w. w i n d o w s i t p ro. c o m
ERROR TRAPPING AND HANDLING
Figure 3: Results from the alternative Trap construct in Listing 3
shell will then look
to see if a trap exists
in thatt scope, and I have indeed defined
one.
Figure 3 shows what the results look
like. When the exception occurred in the
function, its trap executed and “broke out
of” the function. The exception was passed
to the script, so its trap executed. Notice
that Triedd isn’t displayed. That’s because
the function exited before that command
could run. All you see is Ending, g which
is the last line in the script. Although the
script’s trap concludes with the Continue
statement, all it does is keep the shell’s
execution in the same scopee (i.e., the script).
The shell can’t dive back into the function;
it broke out of the function and is out for
good unless you call the function afresh.
As this example shows, you can include
more than one Trap construct in a script.
This means you can set different traps
for different types of errors. To get more
details, run the command
Help about_Trap
if you’re using PowerShell 2.0. Although
PowerShell 1.0 supports the Trap construct,
there isn’t a Help file for it. So, if you’re
using PowerShell 1.0, you need to access
the information at technet.microsoft.com/
en-us/library/dd347548.aspx.
Try a Different Approach
Frankly, I find the Trap construct and its
scope rules pretty con-
fusing. But fortunately,
PowerShell 2.0 provides
an alternative: the Try
. . . Catch . . . Finally con-
shows. As you can see,
W e ’ r e i n I T w i t h Yo u
you put the command that might fail in the
Try block and the command that deals with
the failure in the Catch block. You can even
add a Finally block that will execute whether
or not an error occurred.
Within the Catch block, you can do
almost anything, including writing to log
files, logging an event log entry, and send-
ing email messages. It’s even possible to
create multiple Catch blocks, each of which
deals with a certain kind of error. In Power-
Shell 2.0, you can run the command
Help about_Try_Catch_Finally
for more details.
What’s Your Preference?
In PowerShell 1.0, you must use the Trap con-
struct to trap and handle errors. In Power-
Shell 2.0, you have a choice between the
Trap and Try . . . Catch . . . Finally constructs.
I prefer using the latter. Not only is the Try
. . . Catch . . . Finally construct easier to use,
but it also keeps the error-handling logic
closer to the location of the command that
might fail. If you’re using PowerShell 1.0
and you often need to catch and handle
exceptions, you might consider upgrad-
ing to PowerShell 2.0 so that you can take
advantage of this new error trapping and
handling tool.
InstantDoc ID 125327
Don Jones
(powershell@concentratedtech
.com) is the author of more than
35 books and is a speaker at
technology conferences such as
Microsoft TechEd and Windows
Connections. He’s a multiple-year
recipient of Microsoft’s MVP and
is technical guide for PowerShell
at www.windowsitpro.com/go/
DonJonesPowerShell.
Windows IT Pro AUGUST 2010 47
 FEATURE

Setting Up

D
ist
is
str
trib
bu
uttin
ing
ng cert
cceert
rtiffic
icat
cates
ates
tes to Wi
Wind
ndow
do
dowss OS
ow OSs fr
OSs from
om aan
om nAAccti
cttiivee D
Dir
i ec
irecto
tory
ryy ((AD
AD)) en
AD ente
e teerp
pri
rise
isee cer
ceer
e-
er-
Windows Server tifi
ifi
fication
i autthorit ity ((CA
CA)) is relati
CA l ivelly simple and can be automated using Gr G oup Poli licy
2008 R2 lets you Ce t cate Auto
Certificate utoeenrollment
o e t after
a te a PKI iss in place.
p ace. But ut to issue
ssue certificates
ce t cates to devices
that don’t have accounts in AD, admins must manually create Public-Key Cryptogra-
de ces

issue certificates phy Standards (PKCS) requests and install certificates on those devices. This can be a
time-consuming task for organizations with hundreds of devices that aren’t part of AD.
to network If you have a large network with many network devices that need to be issued with a certificate
devices that must also be trusted by Windows clients, Windows Server 2008 R2’s Network Device Enroll-
ment Service (NDES) provides a solution for issuing and managing certificates. NDES is Microsoft’s
implementation of the Simple Certificate Enrollment Protocol. SCEP is an Internet-Draft standard

by Russell Smith developed by Cisco Systems that helps solve the problem of manually requesting and installing cer-
tificates by enabling devices to enroll for x509 v3 certificates from any CA that supports SCEP. NDES
in Server 2008 and later includes some welcome improvements over the old SCEP add-on, such as
the ability to renew certificates using a previously issued certificate to validate the request.
This article provides an overview of how to set up NDES as part of an already existing PKI, and the
steps for issuing a network device with a certificate. Due to the complexity of PKIs and the varying
requirements for different scenarios, you should carefully study “Microsoft SCEP Implementation
Whitepaper” (www.microsoft.com/downloads/details.aspx?familyid=E11780DE-819F-40D7-8B8E-
10845BC8D446) for how to implement NDES. You should also test thoroughly in a lab environment
before deploying NDES in your production environment.

SCEP in Windows Server

NDES is a native component of Server 2008 (Enterprise and Datacenter editions only) and later. It can
be installed on a machine that’s running a standalone CA or on a dedicated server that communicates
with an issuing enterprise CA. The NDES server role shouldn’t be installed on a device that’s running
the enterprise CA role, to minimize the attack surface and protect the CA’s private key.
NDES is intended for organizations that already have a PKI in place and want to issue certificates
to network devices, such as routers and firewalls, to improve security by protecting network traffic with
IPsec. For example, this could include IPsec VPNs between routers or from notebooks to network edge
devices. Not all devices support SCEP, so you should check with the equipment manufacturer.
Previous implementations of SCEP were available in the Windows Server 2003 Resource Kitt or as a
downloadable add-on for Windows 2000 Server, but differ from what’s outlined in this article. If you’re
working with versions of Windows earlier than Server 2008, you should check Microsoft’s website,
where you can download the add-on for Windows Server 2003 (www.microsoft.com/downloads/
details.aspx?familyid=9f306763-d036-41d8-8860-1636411b2d01). For additional information, see

48 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


“Setting Up a VPN that Uses Certificates,”
InstantDoc ID 49738.
NDES in Windows Server 2008 R2
Server 2008 R2 and Server 2008 SP2 include
changes to NDES that let administrators
more easily request and renew expired cer-
tificates. Single Password Mode, which can
be enabled on the NDES machine by setting
the HKEY_LOCAL_MACHINE\Microsoft\
Cryyptography\MSCEP\UseSinglePassword
REEG_DWORD registry value to 1, lets
adm mins request a password for certificate
enrrollment that doesn’t expire and is stored
and encrypted in the system registry. This
maakes it easier to renew expired certificates,
and a single password can be deployed
to multiple network devices. Certificate
rennewal is enabled by default in Server 2008
R2 and Server 2008 SP2.
Design Considerations
If your PKI consists of a standalone CA, it
should be in an isolated certification hierar-
chy that serves only SCEP-enabled devices.
The root CA shouldn’t be trusted by other
devices on the network. If your organization
uses Cisco equipment and your Windows
clients don’t need to trust network devices,
you might be able to deploy a Cisco IOS
Certification Authority server—a CA that
runs on a Cisco device running Internet-
work Operating System. Additionally, some
devices have limited support for certain PKI
configurations, including long encryption
key lengths, subordinate CAs, and multi-
tier PKI hierarchies.
Standalone or Enterprise CA?
Implementing NDES with a standalone
CA that’s dedicated to providing network
devices with certificates might be better
suited to situations in which Windows
clients aren’t required to trust network
devices; for instance, when router-to-router
VPNs will be configured with IPsec encryp-
tion. An enterprise CA and an NDES server
might be more convenient if Windows
clients need to trust network devices for the
purposes of establishing VPN connections.
Setting up NDES
Let’s install the NDES server role to commu-
nicate with an issuing enterprise CA. This is a
typical setup in which certificates are issued
to network devices that will be trusted by
w w w. w i n d o w s i t p ro. c o m
NETWORK DEVICE ENROLLMENT SERVICE
domain-joined Windows clients. You’ll need
an AD enterprise CA already in place, with a
root CA configured and taken offline.
Prerequisites
Before installing NDES, we need to create
two domain user accounts: NDES_Admin
and NDES_ServiceAccount. The NDES_
Admin account is used for installing the
NDES server role and requesting an enroll-
ment password. The NDES_ServiceAccount
is used to run the service and is specified
during the setup process.
Add NDES_Admin to the local Admin-
istrators group on the NDES box and to the
Enterprise Admins group in the AD domain.
Add the NDES_ServiceAccount group to the
local IIS_IUSRS group on the NDES box.
Duplicate the Certificates
Now we need to duplicate the CEP
Encryption, Exchange Enrollment Agent
(Offline Request), and IPsec (Offline
Request) certificates. To do so, log on to your
issuing CA as a domain administrator.
1. Open the Microsoft Management
Console (MMC) Certification Authority
snap-in from Administrative Tools on the
Start menu.
2. In the left pane, expand the CA. Right-
click the Certificate Templates folder and
select Manage from the menu. The MMC
Certificate Templates snap-in will open.
3. In the Certificate Templates
snap-in, right-click the Exchange
Enrollment Agent (Offline request)
template and select Duplicate Template
from the menu.
Figure 1: Enable Certificate Templates dialog box
W e ’ r e i n I T w i t h Yo u
4. In the Duplicate Template dialog
box, select Windows Server 2008 Enter-
prise and click OK.
5. In the Properties dialog box on
the General tab, enter NDES Exchange
Enrollment Agent (Offline request) into the
Template display name box.
6. Switch to the Security tab and click
Add to assign permissions for the NDES_
Admin group. Enter NDES_Admin in the
box and click OK.
7. Set permissions on the Security tab
for NDES_Admin to Read d and Enroll.
8. Repeat steps 3 through 7 for the
CEP Encryption template.
9. Repeat steps 3 through 7 for the
IPsec (Offline Request) template. You also
need to set permissions for NDES_Service
Account on the NDES IPsec (Offline
Request) template to Read d and Enroll.
10. Close Certificate Templates.
11. In the Certification Authority
snap-in, click the Certificate Templates
folder in the left pane. The currently
published templates will be displayed
on the right.
12. Right-click the Certificate
Templates folder in the left pane and
select New, Certificate Template to Issue
from the menu.
13. In the Enable Certificate Tem-
plates dialog box, which Figure 1 shows,
select the three NDES templates and
click OK.
Assign Permissions
Now that you’ve put the necessary tem-
plates in place, you need to assign the
Windows IT Pro AUGUST 2010 49
 NETWORK DEVICE ENROLLMENT SERVICE
Figure 2: Setting permissions for NDES ServiceAccount
NDES_ServiceAccount
accounts appropriate permissions to the the username and password for the NDES_
issuing CA.
1. In the Certification Authority
snap-in, right-click the CA in the left
pane and select Properties from the
menu.
2. Select the Security tab and click
Add to assign permissions for NDES_
ServiceAccount.
3. Type NDES_ServiceAccount into
the box and click OK.
4. Set permissions on the Security tab
for NDES_ServiceAccount to Read d and
Request Certificatess (see Figure 2).
5. Click OK to close the properties
dialog box.
Install NDES
The issuing CA is properly configured. Now
you can install the NDES server role on a
separate server.
1. Log on to the NDES box using
the NDES_Admin account created
earlier.
2. Open Server Manager from the
Start menu.
3. In the left pane of Server Manager,
right-click Roles and select Add Roles
from the menu.
4. Click Next on the Before You Begin
screen in the Add Roles Wizard.
50 AUGUST 2010 Windows IT Pro
5. Select Active Direc-
ttory Certificate Services
oon the Select Server Roles
sscreen and click Next.
6. Click Next on the
IIntroduction screen.
7. On the Select Role
SServices screen, clear
CCertification Authority
aand select Network Device
EEnrollment Service. As
I mentioned previously,
NNDES can’t be installed on
tthe same machine as a CA.
8. In the Add Roles
WWizard dialog box, click
AAdd Required Role
SServices to install the
nnecessary IIS and Remote
SServer Administration Tool
ccomponents.
9. On the Specify
UUser Account screen click
SSelect User. In the Windows
Security dialog box, enter
ServiceAccount and click Next.
10. Click Browse in the Specify CA
for Network Device Enrollment Service
dialog box.
11. In the Select Certification
Authority dialog box, select the issuing
CA, then click OK and Next to continue.
12. On the Specify Registration
Authority Information screen, modify
Figure 3: Add Roles Wizard
W e ’ r e i n I T w i t h Yo u
the Country/Region field as necessary
and click Next.
13. On the Configure Cryptography
for Registration Authorityy screen, accept
the default settings, which you can see in
Figure 3, and click Next.
14. Click Next on the Web Server (IIS)
introduction screen.
15. Accept the defaults on the Select
Role Services screen by clicking Next.
16. Click Install on the Confirm
Installation Selections screen.
17. Click Close on the Installation
Results screen.
Modify the NDES Registry
Before you can request a password from
NDES to start the certificate request process,
you need to set some registry keys on the
NDES server to point to the NDES IPsec
(Offline Request) certificate, then restart IIS.
1. Open regedit from the Search
programs and filess box on the Start menu.
2. In the left pane of Registry Editor,
navigate to the following registry key:
HKLM\Software\Microsoft\
Cryptography\MSCEP (see Figure 4).
3. You’ll find three REG_SZ
values: EncryptionTemplate, General-
PurposeTemplate and Signature-
Template. Set all three values to
NDESIPSECIntermediateOffline, then
close Registry Editor.
4. Type cmd into the Search programs
and filess box on the Start menu and press
w w w. w i n d o w s i t p ro. c o m

Figure 4: Changing the registry setting
Ctrl+Shift+Enter to start the command
prompt with administrative privileges.
5. Type the following two commands
to restart IIS:
net stop w3svc
net start w3svc
6. Close the command prompt.
Request a Certificate
Next, you need to request a certificate
for the network device. The first step in
the process of setting up a certificate
is to generate a public/private key pair
on the device. This procedure will vary
depending on your equipment. In Cisco
Figure 5: CA certificate and enrollment challenge password
w w w. w i n d o w s i t p ro. c o m
NETWORK DEVICE ENROLLMENT SERVICE
IOS, the command might look something
like this:
crypto key generate rsa general-keys
modulus 2048
If you don’t specify the label switch in
the crypto command, the name of the
key pair defaults to the name of the net-
work device. The key length, stated here
as 2048, should match that specified on
the Configure Cryptography for Registra-
tion Authorityy screen when NDES was
set up.
On the NDES server, log on using the
NDES_Admin account and open Internet
Explorer. Enter the NDES admin page
W e ’ r e i n I T w i t h Yo u
address http://localhost/certsrv/mscep_
admin/. You’ll be presented with a hash
value for the CA certificate and an enroll-
ment challenge password that’s good for
60 minutes (Figure 5).
The network device then needs to be
configured to trust the enterprise CA.
Again, this procedure differs with every
device, and you will need to refer to the
manufacturer’s instructions. When con-
figuring the device to trust the enterprise
CA, you’ll need to specify the name of the
key pair created earlier and the enrollment
URL for the enterprise CA, http://NDES1/
certsrv/mscep.dll?operation=GetCACert&
message=NetworkDeviceID. SCEP calls to
the NDES server are made via mscep.dll
and HTTP GET commands. In the URL
above you can see that the GetCACert com-
mand is issued to NDES.
After the network device trusts the enter-
prise CA, you can issue a certificate request.
Some devices require you to authenticate
the enterprise as a separate step before you
can issue a certificate request. You also need
the one-time enrollment password (OTP)
issued by NDES to complete the request.
If a value for the KeyUsage extension
isn’t specified in the request, a default
value of 0xa0 is used that refers to the
GeneralPurposeTemplate as specified in
the system registry. Other possible values
include 0x80 for the SignatureTemplate
and 0x20 for the EncryptionTemplate.
The enterprise CA processes the certifi-
cate request on behalf of NDES, which
then issues the certificate to the network
device.
Complexity Worth the Trouble
You now know how to set up NDES as
part of an already existing PKI. However,
before you ever do so, you should read the
Microsoft white paper I referenced at the
beginning of the article, and you should
also test thoroughly in a lab environment
before deploying NDES in your production
environment.
InstantDoc ID 125385
Russell Smith
(rms45@rsitc.com) is an indepen-
dent IT consultant specializing
in systems management and
security, and author of Least
Privilege Security for Windows 7,
Vista and XPP (Packt).
Windows IT Pro AUGUST 2010 51
 FEATURE

Exchange Server’s

Deploying Your Servers

I
n Exchange
c a ge Se
Server
e 2010,
0 0, tthee C
Client
e t Access
ccess server
se e role
o e plays
p ays a much
uc larger
a ge papartt in tthee messag-
essag
Get this ing organization than in any previous version. Because of this, it’s critical to deploy the Client
important Access server role correctly up front and avoid any unnecessary or unplanned downtime.
In my previous article, “Exchange Server’s Client Access: An Introduction,” InstantDoc ID
part of your 125061, I provided an introduction to the Client Access server role in Microsoft Exchange
Server 2010 and Exchange 2007. In this article, I’ll expand on that topic and talk about
Exchange deploying and installing Client Access server. I’ll focus on Exchange Server 2010, but I’ll point out the
infrastructure differences for Exchange 2007 as I go. I’ll walk you through a manual, GUI-based installation and an
unattended installation, as well as discuss the prerequisites. I’ll wrap up by looking at coexistence and
running transition, including transitioning to the Exchange 2010 Client Access server from older versions of
Exchange, and how to ensure that multiple versions of the Client Access server live in harmony.

by Ken St. Cyr Prerequisites

Before installing the Client Access server role, make sure your server meets the prerequisites.
I prefer to install prerequisites in a scriptable, repeatable manner that requires as little admin-
istrator interaction as possible. Therefore, I’ll supply the commands you need to install the
prerequisites rather than use the GUI. Table 1 outlines the prerequisites; note that they differ
between Exchange 2007 and Exchange 2010. The .NET Framework, Windows PowerShell, and
Windows Remote Management (WinRM) are base system requirements for Exchange. The web
server and remote procedure call (RPC) over HTTP requirements are specifically for the Client
Access server role.
When installing Exchange 2010 on Windows Server 2008, you’ll need to download the .NET
Framework 3.5 SP1 from the Microsoft website at bit.ly/9aZw and install it separately. You can install
the framework without user interaction by running the executable you download with the /passive
switch. The installation still displays status dialog boxes so you can see its progression.
The .NET Framework 3.5 SP1 is included as a feature that you can add in Server 2008 R2. You
can install it using the Add Features option in Server Manager or with PowerShell. To install it using
PowerShell, you first have to open PowerShell with the system modules loaded, which you do by right-
clicking the PowerShell application and selecting Import system modules, as Figure 1 shows. Note that
this option isn’t available to you until you’ve run PowerShell at least once as the current user. After
you’ve imported the system modules, use the command

Add-WindowsFeature Net-Framework-Core

PowerShell 2.0 and WinRM are already installed in Server 2008 R2, so there are no additional
steps to get those components working, but you need to install them in Server 2008. Microsoft
offers PowerShell 2.0 and WinRM packaged into a single download called the Windows Manage-
ment Framework Core, available from support.microsoft.com/kb/968929. You only need the Core
version of the framework, not the other downloads on that page. Install the update silently using
the command

Windows6.0-KB968930-x64.msu /quiet

52 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


Table 1: Software Prerequisites for Installing the Client Access Server Role
Prerequisite Exchange Server 2007
.NET Framework .NET 3.0
PowerShell PowerShell 1.0
Windows Remote Management Not required
Web server IIS 6.0
After you install the correct version of
the .NET Framework and PowerShell,
you’ll need to make sure the following
components are installed before you can
install the Client Access server role on
your server:
• Web Server role on Server 2008
• Web Server: basic authentication
feature
• Web Server: Windows authentication
feature
• Web Server: digest authentication
feature
• Web Server: Microsoft IIS 6.0 metabase
compatibility feature
• Web Server: .NET extensibility feature
• Web Server: IIS 6.0 management
console feature
• Web Server: Internet Server API (ISAPI)
extensions feature
• Web Server: dynamic content
compression feature
• Windows Process Activation Service:
process model feature
• Remote Server Administration Tools:
web server tools feature
• .NET Framework: HTTP activation
feature
• RPC over HTTP Proxy feature
You don’t have to install each of these
components through the Server Manager
interface—the Exchange team provides
a much easier way. There’s a set of XML
files in the Scripts folder on the Exchange
DVD. The Exchange-CAS.xml file contains
the Server Manager packages that you
need for the Client Access server role.
You can install these packages using the
command
ServerManagerCmd.exe
-ip d:\scripts\Exchange-CAS.xml
ServerManagerCmd.exe is deprecated in
Server 2008 R2, so it might not be there
in future versions. To install the pack-
ages without ServerManagerCmd, use
w w w. w i n d o w s i t p ro. c o m
DEPLOYING CLIENT ACCESS
Exchange Server 2010
.NET 3.5 SP1
PowerShell 2.0
WinRM 2.0
IIS 7.0
the Add-WindowsFeature PowerShell
cmdlet:
Add-WindowsFeature NET-Framework,
NET-HTTP-Activation,
RPC-Over-HTTP-Proxy,RSAT-ADDS,
Web-Server,Web-Basic-Auth,
Web-Windows-Auth,Web-Metabase,
Web-Net-Ext,Web-Lgcy-Mgmt-Console,
WAS-Process-Model,RSAT-Web-Server,
Web-ISAPI-Ext,Web-Digest-Auth,
Web-Dyn-Compression -Restart
The Client Access server role requires
that the .NET TCP Port Sharing Service
(NetTcpPortSharing) be set to automatic.
This service allows multiple processes
running on a server to use a single port. It
adds a layer of logic between the network
and the application. In Exchange 2010, the
Mailbox Replication service relies on TCP
Port Sharing to coordinate move requests
originating from multiple clients. You can
set up the service manually through the
Services snap-in, or use one of the follow-
ing commands. At a Windows command
prompt, use
sc config NetTcpPortSharing start=
auto
Or in PowerShell, you can use
Set-Service NetTcpPortSharing
-StartupType Automatic
GUI-Based Installation
Now that the prerequisites are installed,
you can install a Client Access server using
the setup wizard. The Client Access server
role can be installed on servers alongside of
other roles, but in this example, I’m install-
ing only the Client Access server role on
the server.
Insert the Exchange 2010 installation
media. If AutoPlay doesn’t fire up the installer,
you can launch setup.exe from the root of
the DVD. Note that there are two versions of
W e ’ r e i n I T w i t h Yo u
setup on the DVD—setup.exe and setup.com.
Setup.com is the command-line installer,
which I’ll talk about later. Launch setup.exe.
In this example, steps 1 and 2 are grayed out
because I already took care of these items
when I installed the prerequisites. Click Step
3 and choose the language options you want
to use. For this example, I’m going to use only
the languages that are on the DVD.
You can then click Step 4 to launch the
setup wizard. You’ll see an introduction
screen, followed by a License Agreement
that you must accept, then the option to
report errors to Microsoft automatically.
When you come to the Installation Type
screen, select Custom Exchange Server
Installation and click Next.
Next is the Server Role Selection screen.
This screen is where you’ll select the option
for installing the Client Access server role.
When you do this, the Management Tools
are automatically selected as well. Because
I’m installing only the Client Access server
role, those are the only two options I select,
as Figure 2 shows.
The Configure Client Access Server
External Domain screen is next. This screen
is new in Exchange 2010 and lets you specify
(during install) the external namespace that
the Client Access server will service. As part of
the installation, your virtual directories will be
configured with this external namespace, so
you don’t have to do it manually after setup.
This screen is completely optional, and you
should only configure it for Internet-facing
Client Access servers. If you’re setting up an
Internet-facing Client Access server and you
don’t specify the external namespace, you
can still go back in and configure it after-
ward.
The remaining screens in the setup
wizard run the prerequisite check for
Figure 1: Importing system modules in PowerShell
Windows IT Pro AUGUST 2010 53
 DEPLOYING CLIENT ACCESS
Figure 2: Installing only the Client Access server role
the Client Access server and perform the
installation. If you followed the guidance
I provided for the prerequisite software,
you shouldn’t run into any problems in
the prerequisite check. After Exchange
installs successfully, you should see a
screen similar to Figure 3.
Unattended Installation
Running through the setup wizard makes
the installation of a Client Access server
fairly simple, but if you’re deploying mul-
tiple Exchange servers running the Client
Access server role, you might be better
off using a less interactive installation.
Exchange lets you run unattended instal-
lations using the command-line setup
.com tool on the Exchange installation
media.
You can run setup.com with command-
line parameters or you can specify an
answer file. Answer files are helpful if you
have a lot of options that you want to specify
for a command, but unless you’re install-
ing and customizing additional roles on
the same server, they won’t help much for
the Client Access server role. If you’re not
specifying any additional setup options, you
can install the Client Access server role with
the command
setup.com /mode:install
/roles:clientaccess
You might want to use the NoSelf-
SignedCertificates parameter for your
installation. This parameter installs the
role without a self-signed certificate,
which can be helpful if you’re plan-
ning to remove the default self-signed
54 AUGUST 2010 Windows IT Pro
c
certificate and use one issued servers, you want your Exchange 2010
b
by a trusted third-party Cer- Client Access servers to use your existing
ttificate Authority. Don’t use this namespace and you want to adopt a new
ccommand unless you intend namespace for your legacy servers.
tto install an issued certificate. For example, if your external name-
Y
You should also consider using space with your current Exchange 2007
tthe ExternalCASServerDomain or Exchange 2003 servers is mail.contoso
p
parameter. For example: .com, you probably want to use this
namespace for Exchange 2010. If you
setup.com /mode:install
s keep it, users won’t have to remember a
/roles:clientaccess new URL for Outlook Web App (OWA; for-
/ExternalCASServerDomain: merly Outlook Web Access) or reconfigure
mail.contoso.com their mobile phones or IMAP/POP clients.
If you’re keeping your legacy Exchange
T parameter lets you specify
This 2003 front-end servers or Exchange 2007
your external domain name for Client Access servers online, temporarily
Internet-facing Client Access servers, as I or permanently, there might be cases in
mentioned in the section using the setup which your Exchange 2010 Client Access
wizard. After you're fininshed executing server has to redirect an external client
the setup.com command, the installation to a legacy front-end or Client Access
is hands-off. server. For this redirection to work, your
legacy servers need to have a differ-
Coexistence and Transition ent external namespace, such as legacy
Coexisting with and transitioning from .contoso.com.
legacy versions of Exchange aren’t too dif- When you’re ready to transition, you
ficult in Exchange 2010—if you understand can deploy your Exchange 2010 Client
a few basics. Remember that Exchange Access servers without affecting your leg-
2010 Client Access servers can’t commu- acy Exchange infrastructure. Make sure
nicate with Exchange 2003 or Exchange that you don’t make any DNS changes
2007 Mailbox servers by using MAPI. to your production external namespace
Your external-facing legacy servers need (e.g., mail.contoso.com) until after you
a different external namespace than your configure the legacy namespace and are
external-facing Exchange 2010 Client ready for your external users to use the
Access server. You might require new cer- Exchange 2010 Client Access servers. The
tificates—your legacy servers will have a steps to configure the legacy namespace
different namespace, so if you don’t have a differ between Exchange 2007 and
wildcard certificate, you’ll have to request Exchange 2003.
a new SAN certificate.
And you should always
transition Internet-fac-
ing Client Access serv-
ers first, followed by
those that don’t face
the Internet.
Maintaining an
additional namespace
is the portion of the
coexistence and tran-
sition process that has
the most impact on
your Exchange setup.
Because Exchange
2010 is designed to
interoperate with
legacy Client Access
servers and front-end Figure 3: An example successful installation screen
W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

For Exchange 2003 front-end servers:
1. Create DNS entries for the legacy
namespace (e.g., legacy.contoso.com)
and point them to your Internet-facing
Exchange 2003 front-end infrastructure.
2. Use the Set-OwaVirtualDirectory
Exchange Management Shell cmdlet to tell
Exchange 2010 OWA what the legacy URL is
so it knows where to redirect users. Specify
the Exchange2003URL parameter on all
Client Access servers that legacy Exchange
2003 mailboxes connect to for OWA. For
example,
Set-OwaVirtualDirectory
"CONTOSO-CAS01\owa*"
-Exchange2003URL
https://legacy.contoso.com/exchange
3. If you use ActiveSync, ensure that
Integrated Windows authentication is
turned on for ActiveSync at your Exchange
2003 mailbox server. You need this authen-
tication so that the Exchange 2003 server
hosting ActiveSync can accept Kerberos
credentials from the Exchange 2010 Client
Access server.
4. Update the certificates on your
Exchange 2003 front-end servers to include
the legacy namespace.
5. When you’re ready for your users
to use the Exchange 2010 Client Access
servers, modify the DNS records of your
production namespace to point to your
Exchange 2010 servers.
6. Reconfigure the Offline Address
Book (OAB). If you have Outlook 2007
or Outlook 2010 clients running in
your organization, you’ll want to move
the OAB to an Exchange 2010 Mailbox
server so you can take advantage of
web-based OAB distribution, which is
more efficient than public folder–based
distribution and requires less network
bandwidth. Although web-based OAB
distribution is performed by the Cli-
ent Access server, the generation of the
OAB is performed by the Mailbox server.
Therefore, if you want to enable web-
based distribution, you need to move the
OAB generation process to an Exchange
2010 Mailbox server first using the
Move-OfflineAddressBook cmdlet.
Outlook 2003 and older clients still
use public folders to download the
OAB, so if you have these clients in your
w w w. w i n d o w s i t p ro. c o m
DEPLOYING CLIENT ACCESS
environment, make sure public folder–
based distribution is still enabled as
well. The virtual directory for web-
based OAB distribution is added by
default on the Client Access server, but
you’ll need to configure the OAB itself
by adding the virtual directory as a
web distribution point. Use the Set-Of-
flineAddressBook cmdlet in Exchange
2010 to add the Client Access server
OAB virtual directory to the list of vir-
tual directories allowed for your OABs.
When you make this change, you must
ensure that version 4 OABs are being
generated. Also, make sure you include
all of the existing virtual directories
and the virtual directory you’re adding
when you execute this command. Any
virtual directories that you omit will be
removed from the list. Your commands
should look like this:
Move-OfflineAddressBook
"Default Offline Address Book"
-Server CONTOSO-MBX01
Set-OfflineAddressBook
"Default Offline Address Book"
-VirtualDirectories
"CONTOSO-CAS01\oab*"
7. If you use RPC over HTTP, move the
connection point to Exchange 2010 and
turn off RPC over HTTP on your Exchange
2003 servers.
To create a legacy namespace for Exchange
2007 Client Access servers:
1. Create DNS entries for the legacy
namespace (e.g., legacy.contoso.com)
and point them to your Internet-facing
Exchange 2007 Client Access server
infrastructure.
2. Update the External URLs on your
Exchange 2007 Client Access servers so
they use the legacy namespace.
3. When you’re ready for your users
to use the Exchange 2010 Client Access
servers, modify the DNS records of your
production namespace to point to your
Exchange 2010 servers. Make sure to
change the AutoDiscover record, too.
4. Reconfigure the OAB. Use the
Set-OfflineAddressBook cmdlet to allow
your Exchange 2010 Client Access servers
to distribute the OAB. The cmdlet modifies
W e ’ r e i n I T w i t h Yo u
the OAB to add the Exchange 2010 web
service to the list of virtual directories.
Similar to the Exchange 2003 transition
process described above, make sure you’re
using version 4 OABs. Also, when you
execute the Set-OfflineAddressBook com-
mand, keep the existing virtual directories
in the VirtualDirectories parameter or
they’ll be omitted. For example,
Set-OfflineAddressBook
"Default Offline Address Book"
-VirtualDirectories
"CONTOSO-CAS01\oab*"
5. Turn off Outlook Anywhere on your
Exchange 2007 Client Access servers and
turn it on on your Exchange 2010 Client
Access servers.
The process of transitioning your legacy
infrastructure will vary between different
Exchange environments. I’ve given you
a high-level understanding of this pro-
cess, but you should thoroughly test
your transition and coexistence scenarios
before rolling out Exchange 2010 to
production.
Deployed, and Ready for
the Next Layer
You should now have a good grasp of the
work involved with deploying the Client
Access server role in your Exchange envi-
ronment. Of course, the Client Access server
role has many layers. In the next article in
this series, I’m going to peel back another
layer and show you how you can add
redundancy and high availability to your
Client Access servers. Until then, you might
want to take a look at the Exchange team
blog post “Transitioning Client Access to
Exchange Server 2010,” msexchangeteam
.com/archive/2009/11/20/453272.aspx.
It’s a great resource to learn more about the
Client Access server role.
InstantDoc ID 125347
Ken St. Cyr
(ken.stcyr@microsoft.com) is a
solution architect at Microsoft with
more than 10 years of industry
experience. He’s a Microsoft
Certified Master in Directory
Services and the author of
Exchange Server 2010 Administra-
tion Instant Referencee (Sybex).
Windows IT Pro AUGUST 2010 55
 FFEEAATTUURREE

Get Proactive with

SharePoint
2010's
Improved Monitoring

S
Harness
a
arness the harePo
hare Poin
intt 20
2010
10’ss n
neew andd improved features can help administrators in man
(see the sidebar “SharePoint 2010 Improvements””, page 58), including finding prob-
power
o of Health
ower llems iin their
Point
P
h i Sh
i 2010—in
SharePoint
2010 i particular,
i ffarm. Let’s
i l timer
i
’ llookk at the
jobs,
j b reporting,
h iimproved
i and
d monitoring
d the
i i ffeatures iin Sh
h Health
H l hAAnalyzer,
l
Share-
as they
h show
h
Analyzer and up in Central Administration—and examine how they can help you manage SharePoint

reporting to in a more proactive way. By the end of this article, your powers to prevent SharePoint
problems will make it seem like you can almost predict the future.
improve your Timer Jobs
farm The first stop on our whirlwind tour of SharePoint 2010’s monitoring improvements is timer jobs.
Timer jobs are the workhorses of SharePoint, making sure things are provisioned, email alerts are
sent, and other ugly tasks get done. In SharePoint 2007, the problem was there was no good way to
by Todd Klindt troubleshoot timer jobs, and if you needed a timer job to run, you had no choice but to wait for it to
run the next time it was scheduled.
The first improvement in SharePoint 2010 monitoring is the timer job dashboard, which now
offers a snapshot of the timer job subsystem and what’s going on. You get to the dashboard by going
to Central Administration and clicking the Monitoring link in the left pane, which Figure 1 shows. The
set of links pertaining to timer jobs is in the second group of links, cleverly hidden under the heading
labeled Timer Jobs. When you click the Check job statuss link, you see what Figure 2 shows: the ghosts
of timer jobs past, present, and future.
The top of the page shows the timer jobs that are scheduled to run. Clicking on any of the
timer jobs brings up its definition, a screen that explains what the timer job does. You can also
edit the schedule of the timer job, as Figure 3 shows, including disabling it completely or running
it immediately. This is a huge improvement.

Figure 1: Monitoring options in SharePoint 2010's Central Administration

56 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


Figure 2: The Timer Job Status page
If a timer job b fails for some reason
or if you need d to execute a timer job’s
functionality (like collecting incoming
email), you don’t have to wait for its
regularly scheduled occurrence. To get
the full list of scheduled timer jobs, click
Scheduled Jobs under Timer Links in the
upper left pane.
The middle section of the Timer Job Sta-
tus page in Figure 2 shows running tasks.
This is an improvement over SharePoint
2007, where we had no idea what timer
jobs were currently running nor did we
have any information about them. With
SharePoint 2010, you see which jobs are
currently running on which servers, how
far along they are, and when they started—
and it comes with a progress bar at no extra
charge. You’ll also see a page dedicated to
displaying the running jobs only. You can
get to it by clicking Running Jobs in the
upper left pane.
The bottom part of the Timer Job Status
page shows the timer jobs that have run
in the past. SharePoint 2007 has a similar
screen, but SharePoint 2010 takes it a step
farther. Each finished timer job has a status
attached to it: Succeeded or Failed. Click-
ing the status takes you to the job history
page, where you can get information about
that instance of the timer job execution,
such as how long the job took, and which
web apps and content databases it ran
against. In the case of a timer job failure,
the history screen tells why the failure
occurred, which helps in troubleshooting.
Finally, the trusty timer job definition
from SharePoint 2007 has gotten a facelift
w w w. w i n d o w s i t p ro. c o m
SHAREPOINT MONITORING
in SharePoint 2010. It now lists all the
timer jobs defined in the farm, regardless
of whether they’re scheduled to run or not.
Clicking a job definition opens its proper-
ties. You can also view the definition by
clicking the Scheduled Jobs link in the left
pane of the Timer Job Status page.
Not to be left out, Windows PowerShell
also lets you manage timer jobs in the
SharePoint Management Console. I won’t
cover PowerShell options very deeply here,
but I will do so in a later article. Open the
SharePoint Management Console and type
Get-Command *SPTimerJob
to get a list of all the cmdlets you can use to
manipulate timer jobs. To get specific help
on any of them, use Get-Help, like this:
Get-Help Start-SPTimerJob
Figure 3: Editing an existing timer job
W e ’ r e i n I T w i t h Yo u
This command shows you how to start
timer jobs at will. The other cmdlets
work similarly. Although timer jobs in
SharePoint 2010 and SharePoint 2007
function in similar ways, in SharePoint
2010 the administration experience is
much better.
Reporting
The reporting system in SharePoint 2010
has also been improved and enhanced. Like
timer jobs, Reporting has its own heading
with links (see Figure 1) on the Monitoring
page of Central Administration. The first
link, View administrative reports, takes you
to a library of administrative reports. As of
the beta, this library included reports only
from the Search team on statistics like query
latency and crawl rate per content source. I
hope other groups will eventually include
reports here, too. The structure for these
reports will be documented, so you’ll be
able to create custom reports as well.
The second link takes you to the page
where diagnostic logging is configured.
Several aspects of logging are configured
here, and you’ll see two big improvements.
First, any category not using the default
logging settings now shows up in bold. In
SharePoint 2007, if you altered any cat-
egory’s settings, you had no way of knowing
which ones you had changed or what value
you had changed them from. That leads us
to the second improvement: a new logging
level, Reset to default. Now you can crank
up your SharePoint logging with reckless
abandon, knowing that bolded categories
and Reset to defaultt will help you get things
back to normal. This page also lets you
Windows IT Pro AUGUST 2010 57
 SHAREPOINT MONITORING

SharePoint 2010 Improvements

SharePoint 2010 has improved in many areas. These are a few gems that really get my IT pro juices flowing.

Windows PowerShell
In SharePoint 2003 and 2007, command-line junkie administrators had a powerful tool, Stsadm. With it, we could do repetitive tasks quickly
without wearing out our clicking fingers. We thought we had it made. Then SharePoint 2010 introduced us to Windows PowerShell. Power-
Shell is replacing Stsadm, which is deprecated. The good news is that anything Stsadm can do, PowerShell can do better. Since PowerShell
lets us access SharePoint at the object model level we can make scripts with unprecedented power, things we could only dream of with
Stsadm. Want to get a list of all the blog sites in your farm? PowerShell can do that. Want to back up all of your site collections with a single
line? PowerShell can do that too. Now that your appetite is whetted you can look forward to a future issue of this magazine, where we’ll
run an article dedicated to PowerShell with SharePoint.

Throttling
Most articles about SharePoint 2010 tell you about all the new things you can do. There are also a few things that SharePoint 2010 won’t let
you do anymore. For instance, if you want to load up a list view with 10,000 items in it, well, you can’t anymore. Do you want to overload
your server so that form submissions fail? You can’t do that anymore, either. SharePoint has implemented some throttling options to help
save users from themselves. We now have large list throttling that will truncate a large list view to 5,000 items to keep users from bogging
down SQL Server with large queries or killing their web browser. SharePoint also keeps a close tab on its wellbeing; if it gets too busy, it will
pause its timer jobs and reject new connections so that existing connections can be completed. This means that users submitting surveys
won’t get their hard work rejected because the server is too busy to handle their requests. Survey users around the world rejoice!

Monitoring
SharePoint 2010 has also expanded its monitoring capabilities. SharePoint 2010 introduces a new database dedicated to the purpose of
collecting logging information. This database collects logs—your Unified Logging Service (ULS) trace logs, IIS logs, and even Windows Event
Log events—from all the servers in your farm and puts them all in one database. Even better, this database is completely documented, and
we can read and write to it. SharePoint 2010 also has a Health Analyzer to monitor different aspects about itself; it alerts administrators
when there are problems. It can even fix some problems. It’s a lazy administrator’s dream.

Service Applications
SharePoint Server 2007 had Shared Service Providers (SSPs) that provided common services to web applications. Search, profile import, Excel
services, and InfoPath forms are some examples of services the SSP provided. SharePoint 2010 has taken the SSP model and broken it into
its individual components. This gives you more flexibility to run the service applications you want. You can also have multiple instances of
some service applications if you choose, and now different people can administer the individual service applications. If you want to take
your SharePoint 2010 administration to the next level, you can even share individual service applications across farms.

Database Mirroring
SharePoint has become as critical to business these days as email. Since SharePoint lives in SQL Server, making your databases fault toler-
ant is one step an administrator can take to keep SharePoint from going offline in case there is trouble. If you had your SharePoint 2007
databases mirrored, failing over to your mirrored databases was a completely manual task. SharePoint 2010 has native support for database
mirroring. After you have your databases mirrored in SQL Server, SharePoint can fail over automatically without any intervention from an
administrator. Less downtime for users, less work for administrators. It’s a classic win-win scenario.
InstantDoc ID 125095

restrict log size by number of days kept or
by space used. It’s also a good idea to use
this page to move the Unified Logging Ser-
vice (ULS) logs off of your servers’ C drives
and onto another drive. Just remember that
this setting is a farm setting, so all of your
SharePoint servers must have the location
you move your logs to.
At the View health reportss link, auto-
matically generated health reports give you
information about two potential problem
areas concerning your farm. One report
provides a list of the slowest pages in your
farm, which should let you isolate and
deal with trouble pages before the users
come to you. The second report lists your
most active users and their activity. These
reports, like the administrative reports,
allow some basic filtering to help you get
the information you’re interested in.
The next link under Reporting lets you
configure usage and health data collection.
This screen lets you configure which data,
if any, is logged by SharePoint. You can
choose which events SharePoint logs as
well as where SharePoint stores its usage
files. As with your ULS logs, it’s a good idea
to save your usage logs on a drive other
than the C drive.
The page does have one setting you can’t
change: the location of the logging database.
SharePoint 2010 requires you to use the
PowerShell cmdlet Set-SPUsageApplication
to alter the location of this database. Central
Administration reports only the location of
the logging database.
Moving the logging database is a good
idea. Because SharePoint aggregates all its
usage and health data to this database, it

58 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


Figure 4: Health Analyzer’s Review problems and solutions page
can get large, and it can also experience a
lot of disk I/O. If either of these becomes
a problem for your Microsoft SQL Server
instance, you might consider moving the
logging database to its own instance or at
least to its own spindles on your default
SQL Server instance. Both SQL Server and
your users will appreciate it.
SharePoint Health Analyzer
You might have noticed I didn’t start at the top
of the Monitoring page in Central Admin and
work down. This was by design. I was building
anticipation for the big finish, the SharePoint
Health Analyzer. If there is any part of Share-
Point 2010 that’s magic, this is it.
The Health Analyzer uses XML-based
rules combined with timer jobs to periodi-
cally scan different aspects of your Share-
Point farm and look for problems. When
it finds aspects of your farm that violate
the rules that are defined, it reports them
under the Review problems and solutions
Figure 5: Health Analyzer pop-up window
w w w. w i n d o w s i t p ro. c o m
SHAREPOINT MONITORING
link on the Monitoring page. This link not
only shows the problems but also the solu-
tions. Each of the rules specifies the error
condition and provides an explanation of
the problem and a link to the remedy for the
problem.
For most of us, our first introduc-
tion to the SharePoint Health Analyzer is
after installation. Unless you did a very
good and thorough scripted installation of
SharePoint, the Health Analyzer will show
up the first time Central Administration
is loaded. You’ll recognize it as a red bar
across the top of Central Administration.
Clicking the View these issuess link takes
you to the same page as Review problems
and solutions does under the Monitoring
section. To fully appreciate the gift we’ve
been given with Health Analyzer, let’s look
at that page, which Figure 4 shows.
As you can see, the list of problems is
a SharePoint list. Because of that, you can
subscribe to alerts to that list, or follow it
W e ’ r e i n I T w i t h Yo u
with an RSS feed. Not only is Health Ana-
lyzer out there patrolling your perimeter,
but it also contacts you when it finds some-
thing. When a problem does show up in the
list, you have some options. If you click the
item, a pop-up window, which you can see
in Figure 5, shows a wealth of information.
I’ll point out some notable features. First,
you can see a good explanation of the prob-
lem. There’s also a Remedy section that
describes how to fix the problem and an
external link with more information. Micro-
soft really put a lot of work into making sure
that administrators have all the information
we need to understand and deal with prob-
lems when they surface. If the problem is
scoped to a particular server, web app, or
service, it’s also called out here. The Ribbon
at the top also offers a few more options. For
all rules, the Reanalyze Now button offers
the chance to verify you’ve fixed a problem.
This way you don’t have to wait for the next
scheduled run for verification.
Some, though not all, rules also have
a button labeled Repair Automatically.
Click View next to Rule Settings, then Edit
Item and select the box next to Repair
Automatically. That tells SharePoint to
fix this problem any time it comes up.
Or you can leave the check box alone
and just click the Repair Automatically
button when the problem occurs. Not all
rules offer this option, which isn’t a bad
thing, necessarily. Letting the rule Drives
are running out of free space do anything
automatically seems a touch scary.
All’s Well on the Farm
SharePoint 2010’s improved monitoring
should help overworked and under-
appreciated administrators keep a better
eye on the SharePoint farm. This will free up
your time to do things other than fight fires,
and you’ll be able to keep your users happy,
too. But whatever you do, don’t let it clean up
drive space for you automatically—that’s just
asking for trouble.
InstantDoc ID 125029
Todd Klindt
(todd@sharepoint911.com) is a
SharePoint MVP and a consultant
working for SharePoint911. When
he’s not writing magazine articles,
he's speaking at conferences, writ-
ing books, or fighting his cats for
sunspots on the carpet.
Windows IT Pro AUGUST 2010 59
P R O D U C T S
NEW & IMPROVED
■ Storage
■ Cloud Computing
TS1U-B SATA Utilizes USB 3.0
Sans Digital has released a single bay USB
3.0 product, the TowerSTOR TS1U-B.
According to the vendor, the TS1U-B pro-
vides 10x the data bandwidth of USB 2.0 (up
to 5Gb/s). Additionally, the single bay enclo-
sure supports 3.5" SATA hard drives with
USB 3.0 interface, and the device is cooled
without a fan, so it is quieter than traditional
solutions. If your computers do not have
USB 3.0 ports, you’ll need a Sans Digital con-
troller card. The TS1U-B costs $59. To learn
more, visit www.sansdigital.com.
PRODUCT
SPOTLIGHT
ProStor InfiniVault Offers 1TB RDX
Removable Disk Cartridges
ProStor Systems has announced the
general availability of its ProStor
InfiniVault product line and a newly
released 1TB RDX removable disk
cartridge. RDX is ProStor’s brand of
removable disk-based storage, a
growing alternative to tape-based
backup solutions. According to an IDC
study cited by the vendor, RDX-based
storage systems are expected to grow
in revenue by 1,400 percent between
2008 and 2012.
“The rapid growth and adoption of
ProStor InfiniVault and RDX removable
disk technology through our global
OEMs, valued partners like SSL DV, and
end-users like Atlanta Interfaith Broad-
casters validates the markets’ universal
demand for higher capacity and more
scalable data protection solutions—
whether on-site or in the cloud,” said
Frank Harbist, president and CEO of
AUGUST 2010 Windows IT Pro
■ Backup and Recovery
■ Security
Specops Upgrades
Password Management
Products
Specops Software has
upgraded its password
management products,
Password Reset and Pass-
word Policy. Password
Reset lets users unlock
their own Active Directory
accounts to reset their pass-
words without a Help desk
call, and Password Policy
enforces strong password
policies set by your organization. The new
versions offer real-time reporting and
monitoring of system activity, enrollment
of mobile numbers for mobile authentica-
tion, and email notification for passwords
ProStor Systems. “The availability of 1TB
RDX drives is a significant milestone that
greatly expands this technology’s fit for
data-intensive customer environments and
markets.”
ProStor’s RDX-based storage systems
are resold through a number of large-scale
vendors, such as Dell (as RD 1000) and HP
(as StorageWorks RDX).
“The adoption of RDX technology
by all the major computer vendors
including Dell, Fujitsu, HP, IBM and
Lenovo have validated the growing role
of these products in backup and archive
environments,” said Henry Baltazar, senior
analyst, Storage & Systems for The 451
Group. “With the current disk capacity
roadmap, the RDX capacity point is
forecasted to surpass many magnetic
tape formats by 2011.”
To learn more about ProStor’s solutions,
visit www.prostorsystems.com.
W e ’ r e i n I T w i t h Yo u
that are expiring. To learn more or
download 30-day trials of either product,
visit www.specopssoftware.com.
Symplified Trust Cloud Enhances
Amazon EC2
Symplified has announced Symplified Trust
Cloud, an identity and access management
solution designed for companies using
Amazon EC2, Amazon’s cloud platform.
Symplified Trust Cloud addresses regulatory
compliance, single sign-on, and access man-
agement issues on the Amazon platform. It
also offers tools for multinational companies
to manage various global data governance
protocols. Finally, the product removes the
need for federation software, according to
the vendor. To learn more about Trust Cloud,
visit www.thetrustcloud.com.
Aprigo Unleashes SaaS Data
Governance NINJA
Aprigo has announced Aprigo NINJA, a
Software-as-a-Service (SaaS) data gov-
ernance application. According to the
vendor, “Aprigo NINJA quickly discovers
data vulnerabilities, identifies cost saving
opportunities, remediates and monitors the
environment by alerting of changes, con-
trols data vulnerabilities, and streamlines
the fixing of file permissions and access
rights.” As a hosted product, NINJA requires
no changes to a company’s existing
infrastructure and can easily process across
sites, according to Aprigo. To learn more or
download a free trial, visit www.aprigo.com.
w w w. w i n d o w s i t p ro. c o m

Rebit Offers Automatic
Backup on NAS
Rebit has announced NetSmart, a
fully automatic backup solution that
supports Network Attached Storage
(NAS). NetSmart automatically and
continuously backs up laptops and
PCs to NAS, even as users come and
go from the network, according to
the vendor. The software behind the
automatic backup, called SaveMe, is
also available for use with USB hard
drives. SaveMe NetSmart starts at
$34.95. To learn more, visit www.rebit
.com.
w w w. w i n d o w s i t p ro. c o m
P R O D U C T S
NEW & IMPROVED
Lyzasoft Announces Free Version of
Lyza in the Cloud
Lyzasoft announced a free version of
Lyza Commons, a cloud-based version of
Lyza that enables data analysts to mine
volumes of data, extract information, and
socialize those insights with team mem-
bers. Lyza Commons integrates with all
the leading database solutions and offers
a variety of analysis features to focus on
trends, specific groups, and anomalies.
Finally, Lyza offers a social networking
tool to build customer profiles and col-
laborate on information with your group.
To learn more, visit www.lyzasoft.com.
W e ’ r e i n I T w i t h Yo u
Paul’s Picks
www.winsupersite.com
SUMMARIES of in-depth pth product
reviews on Paul Thurrott’s
t’s SuperSite
for Windows
Apple iOS 4
PROS: Free; multitasking and folders are impor-
tant updates; many enterprise features and small
niceties
CONS: Not all features are available on older
devices; no iPad update yet; no answer to
Windows Phone’s integrated apps approach
RATING:
RECOMMENDATION: Apple iOS 4 is a nice
update to an already impressive smartphone
platform. Even those with more antiquated
hardware can take advantage of some of the iOS
4 features, and when you factor in the price—
free—and Apple’s aggressive habit of obsolesc-
ing old hardware, that's not bad. Apple iOS 4
puts the iDevice world—iPhones, iPod Touches,
and, eventually, iPads—on par with what’s hap-
pening at Google with Android. Looking ahead,
Windows Phone 7 still retains its single important
advantage—a rejection of the app-based inter-
face metaphor—and that’s something Apple
will need to address by the next-generation iOS
release. But when it comes to technical prowess,
capability, and usability, iOS 4 really delivers.
CONTACT: Apple • www.apple.com
DISCUSSION: www.winsupersite.com/alt/ios4.asp
Hotmail (2010 Update)
PROS: Free; finally supports Exchange
ActiveSync; email de-clutter features really work
CONS: Performance efficiency issues; EAS
works only on mobile devices, not PC clients
RATING:
RECOMMENDATION: Microsoft’s popular
web mail client almost gets what it needs
to take on Google’s excellent Gmail service.
Almost. On the good-news front, Hotmail picks
up Exchange ActiveSync (EAS) support, allowing
it to push-sync email, contacts, and calendars
over the air with mobile devices like the iPhone
or those based on Google Android. It adopts
decent Inbox anti-clutter features that actually
work. And it offers nice integration with vari-
ous Microsoft online services, including Live
Photos and, more important to business users,
Office 2010 and SkyDrive web storage. On the
minus side, Hotmail is still a performance dog
compared to Gmail, and it’s slow to update the
Inbox with new messages. It’s also less efficient,
with annoying interim screens that pop up after
responding to messages. Too, Hotmail’s ads
are a lot heavier than what Google offers. It’s a
mixed bag: The new Hotmail is good enough to
retain existing users but not good enough for
most Gmail users to consider switching.
CONTACT: Microsoft • www.microsoft.com
DISCUSSION: www.winsupersite.com/live/
hotmail.asp
InstantDoc ID 125451
Windows IT Pro AUGUST 2010 61
 Best of TechEd 2010
AWARD WINNERS
In the heart (and heat)
of New Orleans, we
narrowed an impressive
field of nearly 300
submissions down to
14 winners
Idera takes the prize
62 AUGUST 2010 Windows IT Pro
by Jason Bovberg
M
icrosoft TechEd was a wild, jazzy, hot, humid affair this year in New
Orleans, and Windows IT Pro and SQL Server Magazine’s editors were
in the spirit when they recognized this year’s Best of TechEd Award
winners. The team interviewed the finalists and evaluated the prod-
ucts to determine a final list of winners. As always, the three criteria for
the judging process were strategic importance, competitive advantage,
and value to customers. Show attendees also cast their votes to determine the winner of
the prestigious Attendees’ Pick Award. We would like to congratulate our 2010 winners!
Backup & Recovery: Symantec—Backup Exec 2010
Backup Exec 2010 wins because of the exciting new energy poured into version 2010 (the
fastest-adopted version of the tool ever). With new integrated features such as data dedu-
plication, archiving, OST-based management features, and granular restore technology—
all leveraging powerful Symantec technologies and teams—Backup Exec 2010 expands its
horizons while becoming extremely user-friendly and community-aware.
Business Intelligence: Dundas Data Visualization—Dundas Dashboard 2.0
Dundas is back with Dundas Dashboard 2.0! The company, well known for its wide array of
components, came on strong with the new version of its web-based platform for digital dash-
board creation, integration, and delivery. This version—leveraging Silverlight 4.0
and offering OLAP capabilities, SharePoint integration, customization and exten-
sibility, DashFlow-streamlined development, Key Performance Indicator (KPI)
mashups, and more—is sure to please the business intelligence (BI) community.
Database Administration: Idera—SQL toolbox
Idera, a finalist last year with its fine SQL admin toolset, wins this year with a
cost-effective uber-toolset (SQL toolbox) that includes the admin toolset (with
its 24 tools, plus three more offerings—SQL comparison toolset, SQL safe lite,
and SQL virtual database). The virtual database is a unique product that lets
administrators recover data from backup files without doing a restore. DBAs can
use that virtual database in as many ways as their imaginations allow—reporting,
data extraction, data analysis, and more.
Database Development: Quest Software—Toad for SQL Server 4.6
Toad for SQL Server is the Swiss Army knife of development tools. This product
won because it offers an incredibly wide range of functionality, including Intelli-
Sense, group server query execute for running queries on multiple servers, and an
W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m
advanced SQL optimizer to analyze alterna-
tive SQL statements, as well as server, data-
base, and data-comparison tools.
Developer Tools:
AVIcode—Intercept Studio 5.6
AVIcode’s Intercept Studio wins for its end-
to-end web application troubleshooting
tools. The new release offers a unique web
application capture feature and full sup-
port for troubleshooting the performance
of SharePoint applications.
Hardware & Storage:
Brocade—Brocade DCX-4S Backbone
The Brocade DCX-4S Backbone network
switching platform wins for its robust focus
on the evolving data center. Extremely
scalable and reliable—far surpassing “five
9s” and entering the realm of “six and
seven 9s”—the DCX-4S is a powerhouse
that will grow with any business, bringing
authoritative focus to the storage network.
A future-aware multiprotocol architecture
and intelligent traffic management func-
tionality cap off an impressive backbone.
Messaging: Argent Software—
Argent for Exchange 2.0
Argent for Exchange is both automated
and highly customizable. Argent Software’s
round-the-clock support, quarterly updates
to customers, and ability to monitor
Exchange transport, storage, traffic logs, and
account rules (among others)—through
PowerShell, Exchange Management Shell,
WMI, and classic Windows APIs—offer a
strong value proposition to customers.
Microsoft Product:
Microsoft—Visual Studio 2010
Visual Studio 2010 raises the standard for
development tools, providing new native
WPF support, support for multiple moni-
tors, a new historical debugging capabil-
ity, and significantly enhanced SharePoint
development and deployment capabilities.
Networking:
A10 Networks—64-bit AX Series
The 64-bit AX Series wins this award because
of its innovative approach to network load
balancing, high availability, and health moni-
toring. A10 Networks strives to “monitor the
water, not the plumbing.” Site-level and global-
level geographic redundancy—through a
w w w. w i n d o w s i t p ro. c o m
1 2
1. A10 gets the nod. 2. Argent is all smiles. 3. Quest is looking proud. 4. Brocade seals the deal.
The Bestof Tech Ed
3 4
uniquely flexible architecture—provide for a
truly scalable solution that boasts excellent
security and 64-bit performance.
Security: Symantec—Symantec End-
point Protection Small Business Edition 12
Symantec Endpoint Protection Small Busi-
ness Edition 12 provides smaller busi-
nesses with a centrally managed security
system similar to what enterprises have,
but with a price and ease of use suited to
SMBs. This product won because of its
focus on a market where there have been
few choices for small businesses that need
suites with these kinds of features.
SharePoint: Quest Software—
Site Administrator for SharePoint 4.0
In the explosive SharePoint market, Quest’s
Site Administrator for SharePoint 4.0 is a
winner because it provides administrators
(and “accidental” SharePoint admins) a
comprehensive means to take control of
their burgeoning SharePoint environments.
This product offers tools that provide cen-
tralized administration, discovery, site
and content browsing, data collection and
reporting, global policy and permissions
management, and audit data collection
and reporting.
Software Components &
Middleware: Telerik—
Telerik Ultimate Collection for .NET 2010
The Telerik Ultimate Collection provides a
complete set of WinForms, ASP.NET, and
Silverlight Controls. This product also sup-
ports the OpenAccess data access frame-
work and WebUI Test Studio for testing web
applications.
W e ’ r e i n I T w i t h Yo u
Systems Management & Operations:
ScriptLogic—Active Administrator 5.5
For businesses that rely on Active Direc-
tory (AD), Active Administrator is the
go-to choice. With the functions of several
other products built into one, it’s a leader
in AD management. This product won
because, as we all know, AD administra-
tion is a big task in many shops, and this
single product covers what most of these
shops need.
Virtualization:
VMware—VMware vSphere 4
Industry-standard VMware vSphere 4 won
this award because it’s a mature, stable,
well-known technology that continues to
be an essential component of a large per-
centage of IT shops.
Breakthrough Product:
Citrix Systems—XenDesktop 4
Although Virtual Desktop Infrastructure
(VDI) isn’t even mainstream yet, Citrix
Systems is already working to expand what
the phrase “virtual desktop” means. This
product wins as breakthrough product
because Citrix Systems is providing easy
and powerful virtual desktops, and there’s a
good chance that will be the future of IT.
Attendees’ Pick:
VMware—VMware vSphere 4
VMware vSphere 4 also took the coveted
Attendees’ Pick award this year. VMware’s
support for private and public clouds,
added to its well-respected features, has
ensured the company a continuing place
in many environments.
InstantDoc ID 125376
Windows IT Pro AUGUST 2010 63
P R O D U C T S
REVIEW
Corner Bowl Disk Monitor 2010
Mounting piles of data—common in the
corporate environment—can easily bury an
organization’s servers. Storage is inexpensive,
but data management, data tiering, and
backup can be costly. Server space hogs such
as image-based backup files and videocon-
ferencing data can quickly overtake network
drive space. Corner Bowl Disk Monitor
helps keep tabs on data by monitoring drive-
space usage, directories and files, and SMART
drive health. In addition to monitoring and
reporting, an easy-to-configure and easy-to-
schedule feature is also included for deleting
profile or Windows temp files.
The program’s opening view features four
tabs for configuration in a Microsoft Outlook–
style user environment: Disk Explorer, Disk
Monitors, Directory Monitors, and Reports
and Views. Machines chosen for monitoring
can be either mapped manually or added
via Active Directory (AD) integration. Within
a few minutes of opening the program, you
can analyze a problematic server for disk-
space concerns by, for example, reviewing
the 25 largest files and directories taking up
most of the storage space. Doing so lets you
reduce the space used on the server. The
system is fast: Scanning a 40GB partition took
less than a minute over a 100Base-T network.
The program’s Disk Monitors are very
useful, letting you monitor disk space
used by the administration shares and the
Windows shares. A wizard-based approach
makes it easy to add new monitors. The
alerting capabilities are flexible, and they’re
separately configurable for warning and
critical alert thresholds. Alerts for disks/
shares or directories can be logged to email,
event logs, files, message boxes, SNMP
traps, sounds, or Syslog. Additional historical
data can be stored as text files or logged to
a Microsoft SQL Server or MySQL database.
In addition to logging, a process can also be
launched to fix the condition.
The numerous alerts include default
options for when storage grows by more
than a preset size or percentage, or when
the free space drops below a certain per-
centage. These options are helpful since IIS
log files, SQL Server backups, and disk-to-
disk backups can sometimes routinely fill
up local disks. There are several practical
uses for these alerts, such as monitoring FTP
64 AUGUST 2010 Windows IT Pro
folders for when a large
file is added or tracking
server disk space before
it reaches critically low
levels. The email alerts
are the most useful. The
graphical HTML email
messages are easy to
read and decipher; they
feature graphs and a
text breakdown of the
state of the share or
drive, as you can see in
Figure 1. You can use a Figure 1: Graphical HTML email alert
custom HTML template, as well. a server must be part of a disk monitor or
Further digging into the product reveals directory monitor. This approach is less than
a feature for viewing access permissions by ideal if you simply want to analyze network
any of the NTFS permission levels. This fea- space on the fly for a particular server.
ture is handy not only for compliance pur- As you become accustomed to the prod-
poses but also for configuration purposes. uct, you’ll find more uses for it. However,
The access permission is selectable based defining too many alerts will quickly over-
on all NTFS permissions. A few quick clicks, whelm your email. Also, I found it difficult
and you can ensure that sensitive data has to view all the different disk and directory
the correct permissions applied. monitors on a per-server basis. But after
The Directory Monitors functionality is using Corner Bowl Disk Monitor for several
broken down into two components—the weeks, I saved numerous hours of research
Directory Size Monitor and the Directory time by quickly developing an alert or
Watcher—that detect when certain types cleanup job using the disk monitor.
of files are added to a directory. You can InstantDoc ID 125428
define a Directory Size Monitor to check
for increases in directory size when the
size exceeds a certain amount, when it Corner Bowl Disk Monitor 2010
changes in size, or even when the directory PROS: Easy to install and configure; wide range
changes. The functionality is granular and of monitoring features; flexible alerting options;
can be set on a per-directory basis for customizable
monitoring, even when you’ve configured CONS: Unintuitive report development; difficult
the wizard to monitor only a parent to track multiple configurations of disk monitors
and disk alerts per server
directory.
The Directory Watcher lets you break RATING:
down your analysis to changed, created, PRICE: Starts at $29 for one computer; $99 to
deleted, and renamed files by file masks. monitor 20 computers from a desktop; $269 to
monitor 50 disks with one server license
This capability is useful for compliance
purposes because it logs or alerts you to RECOMMENDATION: Corner Bowl Disk
Monitor 2010 automates routine scans of drives
changes in directories.
and directories and is extremely configurable at
The Reports and Views module is less the most granular storage levels. Setup simplicity
polished than the rest of the program. and excellent support make this an easy recom-
Reports come in four different templates: mendation, despite some caveats.
Disk Summary, Directory Summary, File CONTACT: Corner Bowl Software • 866-501-8670 •
Access, and Duplicate Files. For reporting, www.diskmonitor.com
Tony Bieda | tonybieda@yahoo.com
W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m
F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:04 PM Page 1

“ THE CONVERSATION BEGINS HERE

”
QUESTIONS ANSWERED • STRATEGY DEFINED • RELATIONSHIPS BUILT

NOVEMBER 1-4, 2010

LAS VEGAS • MANDALAY BAY RESORT & CASINO

WinConnections ... Providing the vision

intelligence to keep you and your company competitive in today’s market!
+
Only Microsoft and Industry Experts speak at WinConnections! A sampling of our speakers ...

JEREMY KEVIN LAAHS MIKE DANSEGLIO ALAN SUGANO MARK MINASI DON JONES
MOSKOWITZ HP MICROSOFT ADS CONSULTING MR&D CONCENTRATED
MOSKOWITZ, INC GROUP TECHNOLOGY

STEVE RILEY RHONDA LAYFIELD CHRIS AVIS PAUL ROBICHAUX TONY REDMOND KIERAN MCCORRY
AMAZON WEB CONSULTANT/TRAINER MICROSOFT TRAINER/AUTHOR TONY REDMOND HP
SERVICES AND ASSOCIATES

EARLY BIRD DISCOUNT! Register by July 29 and book a minimum of three nights at
Mandalay Bay and you’ll receive a $100 Mandalay Bay Gift Certificate
and save $100 off conference registration!

800.505.1201 • 203.400.6121 • www.WinConnections.com

F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:04 PM Page 2 F1

THE CONVERSATION STARTS WITH YOU

THE CONVERSATION STARTS ON NOVEMBER 1.
Come to Las Vegas and participate in the IT Professionals community! Meet other professionals in sessions,
in the expo hall, and at conference events. This is your chance to network and make those personal connections
with conference speakers, the product teams from Microsoft plus our sponsors and vendors. Round out your
professional educational experience with great evening entertainment available only in Las Vegas!

WINDOWS CONNECTIONS, FALL 2010: EXCHANGE CONNECTIONS FALL 2010:

LEARN TO DO MORE WITH LESS!
WINDOWS CONNECTIONS brings you the
top names from today’s IT industry… the most well-
known experts, delivering the most hard-hitting
sessions that help you solve today’s IT challenges
and prepare for tomorrow.
We know that today’s IT professionals are being asked
to do more, with less, and we want to help. We
assembled a business-focused group of technology
experts, to bring you the answers to your technology
questions. You’ll find original content specifically
crafted to help you succeed in today’s business
technology environments, organized around five key
focus areas:
■ Virtualization
■ Windows 7
■ Windows Server 2008 R2
■ Business, not “Information,” Technology
■ Build Your Skill Set - and Your Resume
GET THE STRAIGHT SCOOP
Messaging and collaboration technologies move at a
dizzying pace. Microsoft and its ecosystem partners
are continually releasing new software, hardware,
procedures, and updates that make the world of
Unified Communications ever more complicated.
What's the best way to keep up? Come to Exchange
Connections to get the answers you need! Our
sessions cover using Exchange and other related
products the real world: deploying, managing, and
maintaining Microsoft’s Exchange and OCS products in
your business to get the functionality you need.
This year, we’re going deep on Exchange 2010,
including coverage of deployment and information
protection, as well as the new features to expect in SP1.
We’ll be delving into discussions of how to integrate
Exchange with SharePoint (and other collaboration
solutions), as well as exploring the best way to make
use of Unified Communications in your organization.
If you’re still running Exchange 2003 or Exchange 2007,
don’t worry— we're covering them too, with content to
help you make the most out of your existing
investments and to prepare for the future, whether it's
on Exchange 2010 or Microsoft's Business Productivity
Online Services (BPOS) cloud offering.

SHAREPOINT CONNECTIONS, FALL 2010: GET A HEAD START ON THE NEW VERSION
Leading SharePoint experts from Microsoft and from
the field have teamed up to bring to you the
knowledge you need to succeed with SharePoint 2010.
IT PROS! Come hear Dan Holme, Michael Noel and
others lay out the best practices for installing,
upgrading, configuring, securing, and managing
SharePoint 2010. Go beyond the hype and dive deep
into what it takes to successfully deploy SharePoint
2010 in the real world.
DEVELOPERS! Come hear Andrew Connell,
Ted Pattison, Scot Hiller and others provide guidance
on how to best customize and extend your SharePoint
2010 investments using the new data access methods
on the server (LINQ) and off the server (client object
model), leveraging Silverlight, working with data that
does not live within SharePoint with the new Business
Connectivity Services.
SOLUTIONS! Join Asif Rehmani and special guest
speakers from our IT Pro and Developer tracks as they
unveil the big-win solutions that SharePoint delivers,
out-of-the-box. Learn to create high-value, no-code
solutions with tools like SharePoint Designer, InfoPath,
SharePoint Workspaces, Excel and Access Services, and
Office Web Apps. Discover what you can do to
automate processes and deliver the composite and
collaboration solutions that your users are demanding.

2 I Register Today! Call 800-505-1201 I www.WinConnections.com

F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:04 PM Page 3

JOIN THE CONVERSATION

Schedule at a Glance
MONDAY, NOVEMBER 1, 2010
7:30 am Registration Opens
9:00am - 4:00 pm Pre-conference Workshops
TUESDAY, NOVEMBER 2, 2010
7:00 am - 5:00 pm Conference Registration
7:30 am - 8:30 am Continental Breakfast

WIN!
8:30 am - 10:00 am Keynote C R U I S E G I V E A W AY

Enter to
10:00 am - 11:00 am Expo Hall Open
11:00 am - 12:15 pm Conference Sessions
12:15 pm - 1:45 pm Lunch
1:45 pm - 6:15 pm Conference Sessions
WEDNESDAY, NOVEMBER 3, 2010
7:00 am - 5:00 pm Conference Registration Enter the contest in the Expo Hall to
7:00 am - 8:00 am Continental Breakfast WIN a 1 week Caribbean Cruise for two!
8:00 am - 9:15 am Keynote You must be present in the Expo Hall at the time of the drawing to win.
9:15 am - 11:45 am Expo Hall Open
10:15 am - 1:00 pm Conference Sessions KEYNOTES
1:00 pm - 2:30 pm Lunch
2:30 pm - 5:15 pm Conference Sessions
5:15 pm - 6:45 pm Expo Hall Reception MARK TONY
MINASI REDMOND
6:30 pm - 7:30 pm Vendor Sessions
MR&D Tony Redmond
THURSDAY, NOVEMBER 4, 2010 and Associates
7:00 am - 8:00 am Continental Breakfast
8:00 am - 1:00 pm Conference Sessions
10:30 am - 2:30 pm Expo Hall
1:00 pm - 2:30 pm Lunch
STEVE STEVE
2:15 pm Cruise Raffle FOX RILEY
2:30 pm - 3:30 pm Conference Sessions Microsoft Amazon Web
Closing Session Services
4:00 pm - 4:30 pm & Prize Drawing
FRIDAY, NOVEMBER 5, 2010
9:00 am - 4:00 pm Post-conference Workshops Check online for speaker bios and additional keynotes to be announced.

CONFERENCE AND EXPO INCLUDES:

Exchange and Windows Connections registration includes a one-year Your Conference & Expo registration
(12 issues) print subscription to Windows IT Pro magazine for Exchange includes:
and Windows conference attendees only. Current subscribers will have ■ Three Continental Breakfasts
an additional 12-months added to their subscription. Subscriptions out- ■ Three Lunches
side of the United States will be served in digital; $12.50 of the funds will ■ Reception
be allocated toward a subscription to Windows IT Pro ($49.95 value) ■ Conference T-Shirt and Bag

■ Proceedings Resource CD … and more

SharePoint Connections registration includes a print subscription (4 issues: Nov, March, June, Sept) to SharePointPro-
Connections magazine for SharePoint and Windows conference attendees only. Current subscribers will have an addi-
tional one year (4 issues) added to their subscription. Subscriptions outside of the United States will be served in digital.

November 1-4, 2010 I Las Vegas, NV I Register Today! I3

F10_Win_ITBrochure_v5:Layout 1 6/23/10
MICROSOFT EXCHANGE SESSIONS
EXC04: CAS 2010 – MORE FOOD
FOR THOUGHT
KEVIN LAAHS
The Client Access Server (CAS) plays a big-
ger role in Exchange 2010 environments
than it does in Exchange 2007. While it still
supports Outlook Web Access (OWA),
ActiveSync, Web Services and Outlook
Anywhere, there are some fundamental
changes that affect the way you architect
Exchange environments. This session looks
at major architectural changes (such as
RPC Client Access Service) as well as all the
features that are delivered by the likes of
OWA (even to Firefox and Safari browsers!)
and ActiveSync, such as the ability to send
and receive text messages from
Outlook/OWA.
EXC24: CLOUD-PROOFING
YOUR CAREER
PAUL ROBICHAUX
You can’t throw a poker chip around an IT
department without hitting someone
who’s interested in cloud services – but
where does that leave the on-premises
admins? Can you take effective steps to
cloud-proof your job? What kinds of things
should you be doing to build a protective
umbrella of your own value to help you if
the clouds come to your office? This ses-
sion will offer some practical tips to help
you weather cloudy times.
EXC18: COMMUNICATIONS SERVER
2010: WHAT’S NEW AND IMPROVED?
LEE MACKEY
This session will walk you through the var-
ious versions of Communications Server 14
starting with Live Communications Server
2005, through OCS 2007 and R2. We’ll talk
about what’s new and improved for CS 14,
design considerations, changes from cur-
rent hardware required, and through the
new pieces that will help build a better ROI
for your organization. We’ll also talk
through the various partners you might
want to work with to leverage your organ-
ization and improve your overall cost to
deploy and support an environment run-
ning CS 14.
EXC07: EXCHANGE 2010
DEPLOYMENT AND MIGRATION
BEST PRACTICES
KIERAN MCCORRY
Exchange 2010 is yet another version of
Exchange. Its architecture and topology is
similar to that introduced with Exchange
4 I Register Today! Call 800-505-1201 I www.WinConnections.com
2:04 PM Page 4
2007, but there are some important
changes and restrictions on interoperabili-
ty that any organization in the early stages
of planning a move to Exchange 2010
should be aware of. This session will give an
overview of the best practices for Exchange
2010 deployment and focus on the inter-
operability and migration aspects from
previous versions of Exchange.
EXC08: EXCHANGE 2010
INFORMATION PROTECTION
AND RETENTION
KIERAN MCCORRY
Exchange 2010 brings with it the most
comprehensive set of Exchange features
yet from Microsoft to help you safeguard
and protect your data and where it goes in
your Exchange organization. This new ver-
sion has sophisticated rules for controlling
information flows within the organization
and taking actions when certain events
occur. In addition, Exchange 2010 has a
completely revamped model for informa-
tion retention and archiving by means of
the ONline Archive. This session will
describe those new features and explain
what it means for you as a system admin-
istrator and your users as information
workers.
EXC09: EXCHANGE 2010 SERVICE
PACK 1
KIERAN MCCORRY
There’s nothing like waiting for the first
service pack before looking in earnest at a
new product deployment. Exchange 2010
Service Pack 1 brings a host of improve-
ments and enhancements to the core plat-
form. In this session, we’ll see what comes
with the update and why it makes sense to
think about deploying Exchange now that
SP1 is here.
EXC05: EXCHANGE 2010, OFFICE 2010
AND SHAREPOINT 2010 –
BETTER TOGETHER?
KEVIN LAAHS
What integration points exist between
SharePoint 2010, Office 2010 and
Exchange 2010? Does the combination of
these three flagship products (and other
such as OCS) bring any new opportunities
for my overall environment? And what
about the existing integration points that
were there in the 2007 suite of products?
Are they still available? In this session, we
answer the numerous questions in this
abstract!
F1
EXC20: FAULT TOLERANT CLIENT
ACCESS SERVERS FOR SMALL AND
MEDIUM SIZED BUSINESS
BRIAN REID
It is easy to see the benefits of a highly
available CAS infrastructure for large
Exchange Server 2010 deployments, but
what about the majority of businesses who
are in the small to medium business cate-
gory? This session will cover the benefits of
considering why to build your Exchange
infrastructure to include high availability
for CAS. You will learn to build your
Exchange infrastructure with recovery and
growth in mind. Building for high availabil-
ity, even for small/medium businesses,
brings many benefits. In the event of a fail-
ure of an Exchange Server, having consid-
ered a highly available infrastructure will
reduce your recovery time.
EXC06: FEAR WEB SERVICES NO MORE
– HOW ADMINISTRATORS AND END
USERS CAN EASILY LEVERAGE
EXCHANGE WEB SERVICES
KEVIN LAAHS
PowerShell is often considered within the
realm of IT Administrators, whereas Web
Services is firmly in the developer camp –
and usually, never the twain shall meet! But
now the combination of PowerShell and
Exchange Web Services can be harnessed
by end users to build and run scripts to
manage mailbox data on desktop
machines. This session shows IT
Administrators how friendly Web Services
can be, and how you can easily leverage
them to automate many operations in
your Exchange environment.
EXC01: GOING BIG! DEPLOYING
LARGE MAILBOXES WITH MICROSOFT
EXCHANGE SERVER 2010 WITHOUT
BREAKING THE BANK
KARL ROBINSON
With each new generation of Microsoft
Exchange, features are added and
Exchange is further refined in its capabilities
as an email system. Exchange Server 2010
enables the use of multiple storage options
in its deployment, and allows you to pro-
vide large mailboxes at a cheaper cost. Will
it work in your environment? Are you hesi-
tant to increase mailbox sizes due to chal-
lenges around storage? How do you know
when to use a specific type of storage? Do
you need to enable Exchange high-avail-
ability when using a JBOD configuration?
Can you really use SATA disks with
F10_Win_ITBrochure_v5:Layout 1 6/23/10
Exchange? If you want the answers to these
questions; be sure to attend this session.
EXC22: HEY! YOU! GET OFF
MY CLOUD!
PAUL ROBICHAUX
Cloud services are great – some of the
time. Unfortunately, there’s too much hype
and hot air surrounding cloud-based mes-
saging and collaboration services, so it’s
hard to see what’s real and what’s not. In
this session, you’ll gain a clear understand-
ing of what cloud vendors aren’t telling
you about retention, regulatory compli-
ance, maintenance, migration, and coexis-
tence. Come learn about the pros and cons
of cloud-based and hybrid Exchange
deployments so you’ll be prepared for the
inevitable questions.
EXC10: HIGH AVAILABILITY FOR
SMALL AND MEDIUM-SIZED BUSI-
NESSES WITHOUT THE HIGH COST
JIM MCBEE
In older versions of Exchange, achieving
high availability and site resiliency usually
entailed having four or more servers, third-
party products and/or additional storage
technologies. Clustering in Exchange
Server 2010 has evolved into database
availability groups (DAGs). Unlike previous
versions where availability and databases
are tied to a specific servers, with DAGs a
database can be active on any server with-
in the availability group and each database
can be made active on any server within
the group. This session will cover using
Exchange Server 2010 in a small or medi-
um sized business (under 1,000 users) that
want to achieve high availability and/or
site resilience using only two Exchange
2010 servers. Topics include database
availability groups, Client Access arrays,
and providing high availability for the mes-
sage transport when using two server
DAGs.
EXC15: LOAD BALANCING YOUR
EXCHANGE DEPLOYMENT
DEVIN L. GANGER
When it comes to highly available
Exchange deployments, a lot of attention is
focused on the Mailbox role. As the CAS
role in Exchange 2007 and Exchange 2010
takes over more of the client connections,
load balancing incoming connections at
the CAS and Hub Transport becomes more
important to successful Exchange deploy-
ments. This session, drawn from real-world
2:04 PM Page 5
MICROSOFT EXCHANGE SESSIONS
examples, examines the requirements,
caveats, and best practices available for
designing appropriate load balancing
solutions for Exchange 2007 and 2010
deployments. It compares Windows
Network Load Balancing, software load
balancers, and hardware load balancers.
We recommend you take this session in
conjunction with the session: The RPC
Client Access Array: The Missing Piece of
Exchange HA.
EXC23: MICROSOFT ADVANCED
CERTIFICATIONS: BEYOND THE
BRAIN DUMP
PAUL ROBICHAUX
Certification is more important than ever –
but how do you prove to employers that
you’re more than a run-of-the-mill MCSE
or MCITP? Microsoft’s solution is to offer
more advanced certifications like the
Microsoft Certified Master (MCM) and
Microsoft Certified Architect (MCA) pro-
grams. They’re expensive and intensive –
but are they worth it? In this session, Paul
Paul Robichaux (who teaches in the MCM
Exchange program) will bring you up to
speed on these certifications and discuss
their costs and benefits. (Special guest
appearances by current MCMs are likely, so
be prepared!)
EXC02: MICROSOFT EXCHANGE
SERVER 2010: SIZING AND
PERFORMANCE – GET IT RIGHT
THE FIRST TIME
KARL ROBINSON
Microsoft Exchange is a mission-critical
infrastructure staple in organizations of all
sizes. As an application which demands
high levels of the "-abilities" (availability,
reliability, scalability, etc.) and stringent
resource demands, the sizing process is
critical to ensuring a healthy production
environment. Sizing Exchange 2010, which
introduces a new replication and resiliency
model (DAGs), a personal archive as well as
dramatic I/O reductions, radically changes
the approach to storage design.
Enhancements and new functionality host-
ed in the client access server, support for
role consolidation on a single server and
optimization for software + services mod-
els bring similar challenges when design-
ing servers. This session addresses sizing
and performance tuning methodology,
and a time-tested approach for applying
this methodology to your environment.
The session covers key enabling hardware
November 1-4, 2010 I Las Vegas, NV I Register Today!
advancements such as x64 architectures,
multi-core processors, SATA, SAS and SSD
disk technology, and how these technolo-
gies will play a key role moving forward
with Exchange 2010. Finally, the session
provides rules of thumb, based jointly on
HP characterization testing and HP /
Microsoft best practices, for sizing the key
server roles and technologies associated
with typical Exchange 2010 deployments.
EXC11: MIGRATING TO EXCHANGE
2010 FROM EXCHANGE 2003
JIM MCBEE
This session will cover the practical aspects
of migrating from Exchange Server 2003 to
Exchange 2010 including meeting the nec-
essary prerequisites, interoperability, and
potential showstoppers. Topics include fac-
tors to evaluate before migrating, the steps
necessary to prepare your organization,
mail routing, web client redirection, mov-
ing public folder content, and moving
mailbox data.
EXC21: MODERATED EMAILS – THE
GOOD, THE BAD AND THE UGLY
BRIAN REID
There can be significant impacts with inap-
propriate emails send to the wrong distri-
bution group, or off subject emails sent to
specific mailboxes. With moderation
implemented correctly you can remove
these issues from your business. This ses-
sion will look at how to configure modera-
tion in Exchange 2010, and how to imple-
mented it in a coexistence legacy Exchange
organization.
EXC14: OUTLOOK: MAC 101
BILL SMITH
NADYNE RICHMOND
Office:Mac 2011 brings Outlook to the
Mac. What can your Mac users expect of
this new application? What can you as the
Exchange admin expect from it? Learn how
Outlook:Mac fits into your Exchange envi-
ronment, and see a side-by-side compari-
son of Outlook 2010 for Windows and
Outlook:Mac 2011.
EXC12: OUTSOURCED E-MAIL:
IS IT FOR MY ORGANIZATION?
JIM MCBEE
Depending on whose marketing material
you read, EVERYONE should outsource
their e-mail to a hosted provider. There are
definitely advantages to this approach
including significant cost savings,
I5
F10_Win_ITBrochure_v5:Layout 1 6/23/10
MICROSOFT EXCHANGE SESSIONS
improved availability, and allowing some-
one else to take on the hassle of fighting
spam and viruses. But there are many fac-
tors you need to consider before leaping in
to hosted Exchange including determining
if there are legal or corporate restrictions
on doing so, establishing service-level
agreements, and determining exactly what
you will get for your money. This session
will discuss the pros and cons of outsourc-
ing e-mail as well as reviewing some case
studies of organizations that have done so.
EXC19: PROVIDING FAULT TOLERANT
MAIL DELIVERY WITHIN AND
BETWEEN ORGANIZATIONS
BRIAN REID
A new core feature of Exchange Server
2010 is the ability to ensure email delivery
even if you have outages in your transport
infrastructure. This session looks at how
fault tolerant mail delivery works, and then
how to extend it to operate across different
Exchange organizations.
EXC03: STORAGE OPTIONS FOR
EXCHANGE 2010
KARL ROBINSON
With each new generation of Microsoft
Exchange, features are added and
Exchange is further refined in its capabili-
ties as an e-mail system. This can lead to
confusion as the number of options
increases. Exchange 2010 enables the use
of multiple storage options in its deploy-
ment ranging from Storage Area Networks
(SAN) to Direct-attached storage (DAS).
How do you know when to use a specific
type of storage? Will it work in your envi-
ronment? Do you need to enable
Exchange high-availability when using a
JBOD configuration? Can you use SATA
disks to provide your users with 5GB mail-
boxes? If you want the answers to these
questions, be sure to attend this session.
EXC16: THE RPC CLIENT ACCESS
ARRAY: THE MISSING PIECE OF
EXCHANGE AVAILABILITY
DEVIN L. GANGER
Exchange 2010’s Database Availability
Group functionality has received a lot of
press and hype (and deservedly so) for
enabling better, easier HA scenarios.
There’s a missing piece, however: the RPC
Client Access Array. This session, drawn
from real-world examples, explains what
the RPC Client Access Array object is (and
what it isn’t), when you need it, and how to
6 I Register Today! Call 800-505-1201 I www.WinConnections.com
2:05 PM Page 6
deploy it. Devin will also examine how
deploying RPC Client Access Arrays affects
the clients, load balancers, reverse proxies,
and other parts of your Exchange organi-
zation. We recommend you take this ses-
sion in conjunction with the session: Load
Balancing for Exchange Deployments.
EXC17: WAN OPTIMIZATION FOR
EXCHANGE
DEVIN L. GANGER
WAN optimizers provide on-the-fly band-
width reduction for a variety of applica-
tions, mainly websites and file services.
However, Exchange MAPI-RPC client ses-
sions may also benefit from these devices.
This session, drawn from real-world exam-
ples, explains how current WAN optimizer
offerings work with MAPI, both client-to-
server and server-to-server, and helps give
you information to assess what kind of
bandwidth savings you might see in your
environment. How does SMB signing affect
your optimization? Can optimization be
extended to mobile clients? Can optimiza-
tion help with the replication of multiple
DAG copies into a secondary site? Devin
will examine these topics and provide clear
answers to help you determine if WAN
optimization is right for you.
EXC13: ADMINISTRATING MACS IN
AN EXCHANGE ENVIRONMENT
BILL SMITH
NADYNE RICHMOND
This session provides an in-depth look at
how to administer Macs in your Exchange
environment. Learn how to set up your
Exchange servers to maximize the experi-
ence for your Mac users. Also, learn how to
use AppleScript to quickly deploy and
update Entourage (in Office:Mac 2008) or
Outlook (in Office:Mac 2011) to all of your
Mac users at once. Tips, tricks, and trou-
bleshooting are all included.
CHECK WEB SITE AS WE
CONTINUE TO ADD MORE
SESSIONS, SPEAKERS
AND MAKE UPDATES
WWW.WINCONNECTIONS.COM
F1
MICROSOFT DAY
EXCHANGE SESSIONS
■ How Microsoft IT Implemented
Microsoft Exchange Server 2010
■ Microsoft Exchange Server 2010
Unified Messaging in the Real World
■ Using Microsoft Exchange Server
2010 to Achieve Rich Coexistence
with Exchange Online
■ Microsoft Communications Server
“14”: What's New in Microsoft
Communicator “14” Experience
and Backend
■ Microsoft Exchange Server 2010:
Sizing and Performance - Get It Right
the First Time
■ What's New in Archiving, Retention,
and Discovery in Microsoft Exchange
Server 2010 SP1
■ What's New in OWA, Mobility, and
Calendaring in Microsoft Exchange
Server 2010 SP1
■ Microsoft Exchange Server 2010
High Availability Design
Considerations
WINDOWS SESSIONS
■ Deploying Windows
■ PowerShell – The Basics and More
■ Three Screens and a Cloud -
Bringing Traditional Desktop
Computing, Mobility and Cloud
Computing Together
■ Windows XP-Mode in Windows 7
■ Direct Access: The Death of the VPN
■ Top 10 Reasons to Upgrade to
Windows 7
■ Top 10 Reasons to Upgrade to
Windows Server 2008 R2
■ Hyper-V: Securing your
Virtualization Environment
■ Windows Azure: Clear or Cloudy?
■ Introduction to Application
Virtualization (APP-V)
■ Introduction to Microsoft Enterprise
Desktop Virtualization (MED-V)
F10_Win_ITBrochure_v5:Layout 1 6/23/10
WIN12: ASSESSING AND
INTEGRATING CLOUD SERVICES
IN YOUR INFRASTRUCTURE
MIKE DANSEGLIO
Cloud computing is one of the hottest,
fastest growing services in the IT industry
today. It is changing the way enterprises
and small business interact and collaborate:
providing access to IT computer resources,
enabling sharing and distribution of data,
integrating communications and many
more business critical services, all on a pay-
as-you-go model that makes it affordable
to virtually any size organization. In this ses-
sion, we examine how cloud computing
services extend IT capabilities seamlessly
and with nearly infinite resources and serv-
ices. Commercial cloud service examples
are shown, many of which require very little
work before you can extend your infra-
structure into the space.
WIN09: AUTOMATING YOUR AD:
OPERATE AND DOCUMENT YOUR
DOMAIN MORE EASILY,
AUTOMATICALLY AND REPEATABLY
WITH WINDOWS’ FREE TOOLS
MARK MINASI
Still administering your AD the click-and-
drag way? For most AD admins, the answer
is sadly "yes," and often for the same rea-
son: busy AD admins just don’t get the
time to learn how to use the many free AD
automation tools built right into
Windows... until now. Join Mark Minasi, AD
expert and author of over 150 installments
of the popular "Windows Power Tools" and
"This Old Resource Kit" columns, in a clear,
example-filled explanation of some of the
best in-the-box Active Directory automa-
tion tools. First, you’ll learn bulk account
creation with CSVDE and LDIFDE. Then
we’ll take a quick peek under the hood of
AD’s structure with ADSIEdit to enable us
to speak a bit of "LDAP-ese," a skill we’ll
need to take the next step and start bene-
fiting from 2008 R2’s 76 new Active
Directory-oriented cmdlets. With these
new cmdlets, you can often convert a task
that once required a few hundred clicks –
or two days of VBScripting – into just a few
commands. What’s that you say, you don’t
have 2008 R2? No problem; Mark will show
you how you can get the PowerShell tools
running on any 2003-based AD. Or per-
haps you don’t know PowerShell yet? No
need to worry, as this session tosses in
enough PowerShell basics to enable any-
one comfortable with Active Directory to
2:05 PM Page 7
get productive with the AD PoSH cmdlets
in no time. Every attendee will scratch his
or her head and say, "hey, I could use that!"
at least once in this session!
WIN11: CONDUCTING A FORENSIC
COMPUTER INVESTIGATION FOR
IT STAFF
MIKE DANSEGLIO
Computer crime has been on the rise for
decades. There are many situations where
an incident occurs that doesn’t break the
law but is still cause for concern, such as
corporate policy violations, information
mishandling, or internal system compro-
mise. Many companies are forming their
own internal investigative units to address
these situations. In this session, we’ll exam-
ine what kinds of investigations can be
handled internally, when and how to
engage law enforcement, how to best pre-
pare for incidents, and the best practices to
use. We will also focus on building your
computer investigation toolkit including
the tools you should have and how you
should use them.
WIN14: ENEMY AT THE GATES:
YOUR WIRELESS NETWORK IS WEAK
MIKE DANSEGLIO
The proliferation of wireless networks has
exploded to the point that virtually every
enterprise has one – whether they know it
or not. And increasingly the wireless net-
work is the primary target of malicious
attackers. Can wireless networks be pro-
tected? What does that cute little padlock
icon mean? Is it ‘security theater’ – the illu-
sion of security without real substance? In
this session, you’ll see the technical details
of a variety of wireless security technolo-
gies including cryptography, authentica-
tion, authorization, filtering, and more.
Hands on demonstrations will illustrate
both strong and weak wireless security
strategies. The knowledge you’ll gain from
this session will help you decide what level
of security is necessary to protect your own
assets against the barbarians.
WIN17: ESX AND HYPER-V
COMPARISON
ALAN SUGANO
Microsoft’s own hypervisor, Hyper-V, was
released with Windows Server 2008. It is
designed to compete directly against
VMware’s ESX server. How do the two
products compare? We’ll consider price,
performance, hardware requirements, high
November 1-4, 2010 I Las Vegas, NV I Register Today!
WINDOWS SESSIONS
availability, management and other fea-
tures in the comparison shootout. If you’re
evaluating virtualization platforms, make
sure to attend this session to assist in your
decision making process.
WIN02: GOING, GOING, GONE?
VIRTUALIZING YOUR ACTIVE
DIRECTORY FOREST
SEAN DEUBY
Virtualization is all the rage today. Can
you apply virtualization to the critical
infrastructure of your Active Directory for-
est? What about backup and recovery?
Learn from Sean how to safely virtualize
and manage your domain controllers with
the latest recommendations and best
practices from the Microsoft Directory
Services Team.
WIN01: HOW DO YOU SCORE
AGAINST THE ACTIVE DIRECTORY
BEST PRACTICES ANALYZER?
SEAN DEUBY
Windows Server 2008 R2 features a Best
Practices Analyzer for Active Directory that
will tell you how to improve your AD con-
figuration. It’s a great tool, but you have to
upgrade to R2 to use it. Besides, you can
get all the best practices advice right in this
session! See how your AD shapes up
against the rules and recommendations of
the R2 AD Best Practices Analyzer.
WIN23: IMPLEMENTING AFFORDABLE
DISASTER RECOVERY WITH HYPER-V
AND MULTI-SITE CLUSTERING
GREG SHIELDS
You already know that Hyper-V can be an
inexpensive solution for virtualization. But
did you know it can also be an inexpensive
solution for disaster recovery? All you need
is a bit of VHD replication and an extension
of your Windows Failover Cluster to a sec-
ondary site. What’s hard is correctly con-
necting the pieces. Join renowned Hyper-V
guru Greg Shields to learn the step-by-step
along with a set of smart strategies for
implementation. Greg will show you the
very best ways to extend a Hyper-V cluster
to a DR site as well as reveal the costly mis-
takes that you’ll want to avoid.
WIN13: IMPLEMENTING SERVER
CONSOLIDATION WITH
VIRTUALIZATION
MIKE DANSEGLIO
We all hear the "do more with less"
mantra from our pointy-haired boss. But
I7
F10_Win_ITBrochure_v5:Layout 1 6/23/10
WINDOWS SESSIONS
how do we actually implement the
changes in our IT infrastructure to make it
happen? One effective method is server
consolidation through virtualization. But
is it really possible to take a rack of bare-
ly-used servers and collapse them into a
single physical host while keeping the
changes transparent to users and business
services? It’s not only possible, it’s right at
your fingertips. Come see how you can
implement these kinds of changes using
tools and resources that you have today
in your effort to lower operational costs
and offer more services with less equip-
ment. You’ll see demonstrations of com-
monly used tools and technologies.
WIN06: MICROSOFT AND 3RD-PARTY
GPO TOOLS YOU NEVER HEARD OF
(AND SHOULDN’T MISS)
JEREMY MOSKOWITZ
It’s now more important to "do more with
less." And if you’re an Active Directory
administrator, you’re also a Group Policy
administrator. And that means you need to
do more with what you’ve got. The good
news is, there are a gaggle of free, low cost,
and pay tools to help round out your
Group Policy experiences. Some tools are
in the box, downloadable from Microsoft
or available with a license. Some tools we’ll
explore are 3rd-party tools. Together, these
tools can help you troubleshoot, lock down
your desktops, make your applications
more secure, manage what you’ve got
more efficiently and be a better adminis-
trator. In this session, you’ll walk away with
a huge list of applications you can experi-
ment with today to see if they’re a good fit
for your environment and see if you can
really "do more with less."
WIN07: MICROSOFT APPLICATION
VIRTUALIZATION (APP-V / SOFTGRID)
JEREMY MOSKOWITZ
Let me guess: your machines just “blow up“
now and again. And I know why. It’s
because you have a zillion applications on
them with a half a zillion conflicts and
things just “deteriorate“ over time.
Wouldn’t it be neat if you could just elimi-
nate that problem altogether? Well, with
Microsoft’s newest App-V technology, you
can. It works by “wrapping up“ your exist-
ing software into “sequences,” and then
putting them into a virtual sandbox. The
upshot? Your applications aren’t running
“on” Windows. They’re running within the
sandbox. So, no more desktop deteriora-
8 I Register Today! Call 800-505-1201 I www.WinConnections.com
2:05 PM Page 8
tion. App-V is a big place, but come to this
session to make sure you know the ins and
outs before you get it in your test lab and
then into your organization!
WIN19: MIGRATE YOUR XP
MACHINES TO WINDOWS 7
RHONDA LAYFIELD
Whether migrating 20 or 20,000 XP
machines to Windows 7, the Microsoft
Deployment Toolkit 2010 Update 1 (MDT)
is the tool to use. In this session, Rhonda
will show you how to install, deploy and
automate your XP migrations and
Windows 7 bare metal installations. Don’t
just consider migration but creating a
complete deployment solution including
re-imaging for troubleshooting your desk-
top environment. MDTs task sequences can
be a little tricky until you understand them
and how to make them do your bidding.
Also learn how to integrate MDT and WDS
to get the best of both tools!
WON08: NIGHT OF THE LIVING
DIRECTORY: UNDERSTANDING THE
WINDOWS SERVER 2008 R2 ACTIVE
DIRECTORY RECYCLE BIN
MARK MINASI
Windows Server 2008 R2 brought a num-
ber of nice changes to Active Directory, but
the number one crowd pleaser had to be
the Active Directory Recycle Bin, a useful
tool for undeleting Active Directory objects
that have been deleted, so to speak,
"before their time." Powerful and useful as
the Recycle Bin is, however, there is more
to it than a bit of clicking and dragging, as
there is no Recycle Bin GUI built into R2 –
the only in-the-box way to make use of the
Recycle Bin is a set of PowerShell com-
mands. (There ARE third-party GUIs for the
Recycle Bin, though, as you’ll learn in this
session.) How long can something stay
"dead" before it can’t be revived? Must you
reboot your domain controllers to un-
delete things? Is there a way in an R2
domain to delete something and ensure
that it CAN’T be revived? Find out in this
fast-paced, comprehensive look at the new
Active Directory Recycle Bin, presented by
Mark Minasi, author of some of the best-
selling books on Active Directory around!
WIN04: SERVER VIRTUALIZATION
ESSENTIALS
ALAN SUGANO
As server hardware becomes more power-
ful, much of the processing power of the
F1
server is wasted. Server virtualization
allows you to efficiently use the processing
power of new servers and the 64-bit plat-
form by consolidating multiple physical
servers onto a single virtual server host.
We’ll look at virtualization software tech-
nologies and how they work with server
virtualization. We’ll examine hardware
configuration issues in the virtualization
environment and tips on selecting the
proper hardware for server consolidation.
We’ll review management options with
demos of VMware ESX (vSphere and
vCenter) and Hyper-V (Hyper-V Manager
and the System Center Virtual Machine
Manager).
WIN03: SYSTEM CENTER
ESSENTIALS 2010
SEAN DEUBY
If you’re handling IT for a small to mid-
sized business, one of the biggest chal-
lenges you face is proactively managing
your environment. Staying ahead of prob-
lems, instead of getting pulled off more
strategically important work to fix them, is
a far better way to spend your day.
Growing IT when you need to is also tough
due to the capital costs a new server
requires. System Center Essentials (SCE)
2010 is designed specifically to address
these problems. It simplifies the manage-
ment tasks for servers, clients, hardware,
and software for mid-sized companies. It
handles monitoring, software distribution
and inventory, and – new for 2010 – virtu-
alization management. Come see what
SCE 2010 is all about in this overview and
demo session.
WIN10: TEN (OR MORE) THINGS YOU
PROBABLY DON’T KNOW ABOUT
WINDOWS SERVER 2008 R2
MARK MINASI
Okay, so maybe you’ve read about or even
played around with Windows Server 2008
R2. You know a bit about Active Directory’s
PowerShell cmdlets, DirectAccess,
BranchCache and the new backup pro-
gram. It’s all great stuff, but... did you know
that R2’s the first print server whose spool-
er service WON’T crash just because a print
driver failed? Or that R2’s DHCP server
service has a cool new MAC filter feature,
combined with helpful new support for
split scopes? Well, that’s just the start. Ever
needed to resize a VHD? R2’s got com-
mand-line support for that, as well as a
whole new kind of built-in SMB cache. And
F10_Win_ITBrochure_v5:Layout 1 6/23/10
of course you know that R2 shores up your
system’s security by blocking those scary
old 1980s LM-type logons – but did you
know that R2’s got the tool that you need
to smoke out and stomp those persistent
early 90s NTLM logons? Join server geek
Mark Minasi in a fast-paced review of all of
the R2 features that haven’t really gotten
the attention that he thinks that they
ought to, complete with demos and step-
by-step instructions to try them out in your
own network. Hey, what would be crazier
than paying for a new server operating
system and not squeezing all of the juice
out of it?
WIN21: THE BEST FREE TOOLS
FOR WINDOWS DESKTOP
ADMINISTRATION
GREG SHIELDS
IT professionals are a unique group. We’re
tasked with the ultimate responsibility of
our business’ critical applications and data,
but we’re rarely given a budget to do so.
Heck, many of us aren’t even allowed to
see the budget. As a result, we’re forced to
either beg for tools or find them for free on
the Internet. Cheapskate IT Pro Greg
Shields has been collecting the very best
free tools for over ten years, and wants to
share those in his quiver with you! In this
must-see session, Greg highlights the very
best no cost Windows tools – some you’ve
used, many you’ve never seen. Join this
session and leave Windows Connections
with a brand new toolset for solving the
daily tasks in desktop administration.
WIN05: TOTAL WORKSTATION
LOCKDOWN: YOUR ACTION PLAN
JEREMY MOSKOWITZ
Total workstation lockdown isn’t for every
machine in your organization but some
machines require it. It’s usually those "pub-
lic walk up" machines that we need to
manage a little bit differently. These kinds
of machines are in the cafeterias, the lobby
and the library. Microsoft has a variety of
technologies you can choose (and mix and
match) to make your workstations as
locked down as they need to be. In this
session, Group Policy MVP Jeremy
Moskowitz will demonstrate a myriad of
ways to make your public desktops more
secure. If your team is already using Group
Policy, come learn about Starter GPOs,
common GP Scenarios, the GP Preferences,
and how to efficiently use loopback pro-
cessing. Learn about Microsoft’s
2:05 PM Page 9
SteadyState tool and some non-Microsoft
tools to help enhance your PC control.
WIN22: USING FREE TOOLS TO
RAPIDLY DEPLOY SOFTWARE IN YOUR
ENVIRONMENT
GREG SHIELDS
Running around the office with installation
DVDs is a massive time waste. But investing
in an automated software deployment
solution can be expensive. So if you’re a
small environment, how do you get soft-
ware installed everywhere with a minimum
of effort? Free tools along with a few nifty
tricks can help. Master Packager Greg
Shields shares his experience with software
packaging and automated deployment in
this make-your-brain-explode session. He’ll
give you the secret knowledge to reconfig-
ure virtually any piece of software for silent
installation, and explain how free tools can
rapidly deploy that software to anywhere
you need.
WIN24: VDI, RDS, MED-V, AND
APP-V: MAKING THE RIGHT
DECISION IN DEPLOYING
APPLICATIONS
GREG SHIELDS
There’s an alphabet soup of options for
connecting users to applications and data.
You can stream down that app. You can
present it atop RDS or XenApp. You can
deliver an entire desktop, either over the
network or atop an existing workstation.
But while the technology is exciting, the
hardest part is determining when to use
each approach. When is presentation bet-
ter than streaming? When is a virtual desk-
top better than a RemoteApp, and when is
VDI better for your vendor’s pocketbook
than your own budget? Join virtualization
expert Greg Shields for the no-nonsense
facts. He’ll share his experience in right-siz-
ing application delivery, ensuring that your
users, your budget, and your employer will
thank you.
WIN15: VMWARE ESX BEST
PRACTICES
ALAN SUGANO
Over the years of installing ESX, we have
developed a list of best practices when
implementing ESX. These include ESX Host
Selection, Storage Groups, SAN Design,
Storage Planning – Thin versus Thick provi-
sioning, vCenter Server, Backup, Cloning
Virtual Machines, Security, Virtual Machine
OS Selection, Physical to Virtual (PtoV)
November 1-4, 2010 I Las Vegas, NV I Register Today!
WINDOWS SESSIONS
Conversions. All of these practices were
developed as a result of real-world imple-
mentations of ESX. Find out how to avoid
potential pitfalls when implementing ESX
and ensure a stable, secure and fast virtu-
alization infrastructure.
WIN16: WHAT TYPE OF
VIRTUALIZATION TECHNOLOGY
IS RIGHT FOR MY COMPANY?
ALAN SUGANO
Virtualization has now become main
stream in the IT Infrastructure world.
Everyone knows about server virtualiza-
tion, but what about other virtualization
technologies? This session will give an
overview of virtualization technologies and
how they might be used in your company.
These technologies include server virtual-
ization, desktop virtualization, application
virtualization, storage virtualization, and
database virtualization. Learn how your
company can benefit from these technolo-
gies and which ones are a good fit for your
company’s IT strategy.
WIN18: WINDOWS POWERSHELL
CRASH COURSE
DON JONES
Ready to start using Windows PowerShell
v2? PowerShell guru Don Jones gives you a
jump start with this information-packed
crash course that involves no scripting!
That’s right, no programming allowed –
just killer commands, remote control capa-
bilities, background jobs, and other key
PowerShell skills that will make you effec-
tive in Windows, SQL Server, Exchange,
SharePoint, and more.
WIN20: ZERO TOUCH INSTALLATIONS
WITH SYSTEM CENTER CONFIGURA-
TION MANAGER (SCCM)
RHONDA LAYFIELD
When learning the Microsoft Deployment
Tools there is only one tool that can per-
form an Operating System Deployment
(OSD) with no human intervention
required on the client machines and that’s
SCCM. In this session, Rhonda will show
you how to deploy Windows 7 using SCCM
along with all its options. Beginning with a
quick tutorial through SCCM’s terminology
and server roles right into SCCMs OSD
advanced features – this session has it all.
I9
F10_Win_ITBrochure_v5:Layout 1 6/23/10
SHAREPOINT SESSIONS
IT PROFESSIONAL
HITP09: ADMINISTRATION OF
SHAREPOINT 2010 USING WINDOWS
POWERSHELL, THE NEW COOLNESS
TODD KLINDT
SHANE YOUNG
All your friends are doing it, why aren’t
you? Stsadm.exe is so 2007. Come to this
session to figure out why you need to be a
PowerShell guru ASAP and how to amaze
your friends and confound your enemies
with your new PowerShell skills. When you
leave this session, you’ll have a good foun-
dation for figuring out PowerShell with
SharePoint, as well as some practical scripts
you can use.
HITP05: ARCHITECTING AND
MANAGING VIRTUALIZED
SHAREPOINT 2010 FARMS
MICHAEL NOEL
Organizations have been taking advantage
of Server virtualization in great numbers
over the past few years, and more and
more SharePoint environments are subse-
quently being virtualized. There are design
caveats associated with virtual SharePoint
farms, however, which must be taken into
account when considering SharePoint
2010 virtualization. In addition, manage-
ment of a distributed virtual SharePoint
environment can be tricky without the
proper tools to help provision servers
quickly and properly. This session focuses
on outlining the design criteria for virtual
SharePoint farms, and demonstrates how
virtualization management can allow for
quick provisioning of a virtual SharePoint
farm or adding a new server into an exist-
ing farm within a matter of minutes. Exact
design criteria and sample real-world
SharePoint 2010 designs will be illustrated,
and specific PowerShell commandlets to
be used will be provided.
• Learn best practice architectural guide-
lines for SharePoint 2010 role virtual-
ization
• Learn how virtualization management
software can be used to allow develop-
ers and others the ability to quickly
provision SharePoint environments or
add new servers to farms
• Gain access to custom PowerShell
scripts that can be used in a virtual
environment for automatic provision-
ing of SharePoint 2010 farms
10 I Register Today! Call 800-505-1201 I www.WinConnections.com
2:05 PM Page 10
HITP12: AUTHENTICATION CHANGES
IN SHAREPOINT 2010
TODD KLINDT
SHANE YOUNG
SharePoint 2010 brings with it some excit-
ing changes to authentication. Not only do
we have the options we had in SharePoint
2007, but we have a new option, Claims. In
this session, we’ll explain exactly what a
claim is and why it could revolutionize how
your users get into SharePoint 2010. Then
we’ll show how to use Claims to access
SharePoint 2010.
HITP01: BEST PRACTICES FOR
LEAST-PRIVILEGE INSTALLATION,
ADMINISTRATION, AND SECURITY OF
SHAREPOINT 2010
DAN HOLME
It’s one thing to install and administer
SharePoint with all of the defaults, perhaps
even running as a Domain Admin. It’s
another to make it work with a nod to least
privilege, manageability, and auditability.
In this highly practical session, SharePoint
MVP Dan Holme discusses everything you
ever wanted to know about user accounts
and SharePoint, across a variety of
SharePoint scenarios. You’ll learn exactly
what service accounts are necessary to cre-
ate a least-privilege installation of
SharePoint, and how they must be config-
ured. You’ll learn how to manage service
accounts and their passwords to ensure
compliance with your IT security policies.
You’ll explore the pros and cons of multiple
app pools and identities. You’ll examine
approaches to user and group manage-
ment to identify the best practices for dif-
ferent parts of your intranet. And you’ll
learn how to delegate administrators the
ability to use PowerShell to administer
SharePoint. You’ll be surprised by some of
the very important, underdocumented
guidance you’ll take away, and you’ll be
equipped to succeed.
HITP02: DESIGNING GOVERNANCE:
HOW INFORMATION MANAGEMENT
AND SECURITY MUST DRIVE YOUR
DESIGN
DAN HOLME
You’ve read the white papers, you’ve
“Binged” governance, but how, exactly, do
you design a SharePoint implementation
that will support governance, security, and
information management? Join SharePoint
MVP and consultant Dan Holme for a
F1
practical, nuts-and-bolts look at the close
relationship between your information
management requirements and
SharePoint’s manageability controls, and
the demands that relationship places on
your design and infrastructure. This session
is focused on architecting a logical design
of SharePoint that effectively supports your
information management requirements
and governance plan—the “technical” side
of governance. You will learn how to align
your governance requirements with
SharePoint farms, Web applications, and
site collections. You’ll discover why some
third-party applications are a “design poi-
son pill” and what SharePoint 2010 offers
to greatly improve the deployment of a
governable design. Gain a deeper under-
standing of the intricacies and challenges
of designing the logical structure of
SharePoint, and take away practical, blue-
print-like guidance to what a governed
SharePoint implementation might look like
in your enterprise.
HITP18: ENTERPRISE SOCIAL
COMPUTING WITH
SHAREPOINT 2010
MATTHEW MCDERMOTT
SharePoint 2010 introduces new features
that support Social Computing for organi-
zations of all types. Whether you have a
“formal vision” or loose idea of what
“Social” means to your organization, this
session will introduce you to the key con-
cepts and features that can aid in your
planning and implementation of Social
Computing for your organization. This ses-
sion will highlight how companies gain
value out of the Social Computing capabil-
ities of SharePoint.
• Introduction to the “Social Vision” for
SharePoint 2010
• What’s Important: Tagging, Rating and
Notes
• What’s Happening: Activity Feeds
• Where Is It: Social Search
• Who Can Help: People and Expertise
Search
HITP14: FARM ARCHITECTURE
PLANNING AND PERFORMANCE
TESTING
BEN CURRY
There are many tools that can be used to
plan and test a SharePoint Server 2010
server farm. In the year 2010, there’s just
no reason to guess what will happen when
F10_Win_ITBrochure_v5:Layout 1 6/23/10
you turn on the brand new, shiny server
farm! But, understanding how each Web
and Application Service functions in the
farm and how those services can impact
the end user experience is critical to user
adoption and system success. The real fun
of this session will be the live demonstra-
tion of tools to stress and test a live server
farm. Come prepared for a fast-paced ses-
sion with tons of live demonstrations!
HITP03: FILE SHARING SMACKDOWN:
SHARES VS. SHAREPOINT
DAN HOLME
SharePoint document libraries are the new
file share, or are they? What are the pros
and cons of using SharePoint as a file store,
particularly with SharePoint 2010? What
do file servers offer that SharePoint does
not, particularly with Windows Server 2008
R2? Is a hybrid environment desirable or
even possible? How can an enterprise
migrate and integrate these two disparate
approaches to a common goal? These
questions and more will be answered by
Dan Holme as you take a deep dive into
the best practices and real-world experi-
ences of enterprises large and small. This
session will address both the strategic and
technical details you need to know to sup-
port collaboration around files in your
organization. You’ll also learn what’s new in
SharePoint 2010 document libraries,
including document sets, document IDs,
in-place records management, document
routing, location-based metadata, and
metadata-based navigation.
HITP10: GETTING COZY WITH
SERVICE APPLICATIONS
TODD KLINDT
SHANE YOUNG
Just when you got comfortable with
Shared Service Providers, SharePoint 2010
throws them out and replaces them with
Service Applications. In this session, we’ll
explain what Service Applications are. Then
we’ll talk through the decisions you’ll make
when deploying them. We’ll show several
different ways to deploy them in your envi-
ronment whether you’re a single server or
a worldwide installation. After this session
you won’t miss your SSPs at all, we promise.
2:05 PM Page 11
HITP04: INFORMATION
ARCHITECTURE AND THE MANAGED
METADATA SERVICE
DAN HOLME
Join SharePoint MVP Dan Holme for a
down-and-dirty, deep examination of the
configuration and management of the
Managed Metadata Service, and what the
MMS does to support your enterprise
information architecture. You’ll explore
every nook and cranny of this powerful
service application, and see how to provide
both centrally managed taxonomy and
user-driven folksonomy for enterprise tags.
You’ll also explore content type syndication
and best-practice guidance for topologies
to support your information architecture.
HITP11: KEEPING AN EYE ON
SHAREPOINT 2010
TODD KLINDT
SHANE YOUNG
You’ve got SharePoint 2010 installed, but
how do you make sure it’s running at peak
performance? In this session, we’ll cover all
the built-in monitoring tools in SharePoint
2010. We’ll show how logging and usage
analysis all come together to give you a
view of exactly what your SharePoint 2010
server is up to. By the end of this session,
you’ll be able to look at your SharePoint
2010 farm and fix problems before they
actually become problems. You won’t be
able to predict the future, but it will sure
look like it.
ITP07: MANAGING MULTIPLE
AUTHENTICATION PROVIDERS IN
SHAREPOINT 2010 FOR EXTRANETS
MICHAEL NOEL
Organizations planning for Extranet access
to SharePoint 2010 or faced with providing
access to an Intranet from multiple internal
authentication platforms often find it chal-
lenging to manage identities across these
disparate systems. The complexity involved
in provisioning and deprovisioning
account access to SharePoint can lead to
security breaches and confusion. This ses-
sion focuses on Extranet and Intranet
authentication approaches with SharePoint
2010, and how various tools and processes
such as Microsoft’s Forefront Identity
Manager (FIM) 2010 can be used for better
control, automatic account provisioning,
and synchronization of profile information
across multiple SharePoint authentication
providers.
November 1-4, 2010 I Las Vegas, NV I Register Today!
SHAREPOINT SESSIONS
• View various Extranet and Intranet
deployment models using SharePoint
2010
• Understand the need for identity man-
agement across SharePoint farms
• Examine real-world deployment guid-
ance and architecture for SharePoint
environments using FIM
HITP17: PLANNING AND DEPLOYING
SOCIAL COMPUTING FOR
SHAREPOINT 2010
MATTHEW MCDERMOTT
SharePoint 2010 introduces new features
that support social computing for organi-
zations of all types. This session details the
considerations for planning and deploying
the Enterprise Social features of SharePoint
2010. This session will detail the adminis-
trative controls and best practices for
deploying the User Profile Service and
other features that support SharePoint
Social features. This session will highlight
how organizations can plan, design and
deploy the social features that will provide
business value to help increase employee
connection to their work and workforce.
• Review the “Social Vision” for SharePoint
2010
• Implementing the User Profile Service
• Import/Export Connections for People
Data
• Extending the User Profile
• Management and Governance of Social
Data
HITP13: SHAREPOINT 2010
DEPLOYMENT DEMOFEST
BEN CURRY
Come get a first look at proven SharePoint
Server 2010 deployment Best Practices.
This session is full of real-world lessons
learned, tips, and tricks learned from the
field. Ben will give you a LIVE guided tour
of a multi-server farm deployment. Learn
the basics for creating and managing Web
and Service applications, scaling services,
and selecting basic server farm topologies
for most implementations.
HITP06: SHAREPOINT 2010 DISASTER
RECOVERY AND HIGH AVAILABILITY
MICHAEL NOEL
Significant architectural changes have
been made between SharePoint 2007 and
SharePoint 2010, including a complete
removal of the infamous Shared Services
Provider and the ability to have redundant
I 11
F10_Win_ITBrochure_v5:Layout 1 6/23/10
SHAREPOINT SESSIONS
indexing functionality in a farm. In addi-
tion, the number of databases in a single
farm has increased significantly and
Microsoft has overhauled the authentica-
tion model used by SharePoint. All of this
translates to some significant architectural
changes between SharePoint 2007 farm
architecture and SharePoint 2010 farm
architecture, changing the paradigm for
SharePoint infrastructure architects and
changing the Disaster Recovery and High
Availability requirements of the applica-
tion. This session focuses on outlining how
the changes in SharePoint 2010 architec-
ture allow for new design scenarios, and
how you can design a new fault tolerant
and high performance SharePoint 2010
environment to migrate your existing
SharePoint 2007 content into.
• Learn how the significant architectural
changes between SharePoint 2007 and
SharePoint 2010 change how to build in
fault tolerance and high availability in a
SharePoint farm
• Examine best practice farm architecture
and real world SharePoint design models
that are both disaster tolerant and high-
ly available
• Understand Backup and Restore con-
cepts in SharePoint 2010, and how the
out-of-the-box backup can be extend-
ed and streamlined with new tools and
technologies.
HITP16: SHAREPOINT 2010 SEARCH
MATTHEW MCDERMOTT
Search has taken a huge step forward with
the introduction of SharePoint 2010. This
session will focus on what is new to Search
in SharePoint 2010. Presented through
demonstrations of the search capabilities
and advancements, this presentation will
provide the background necessary to
understand how Search has improved and
how to plan for the smooth implementa-
tion of SharePoint Search for your organi-
zation.
• SharePoint 2010 Search Scalability
Options
• Improved User Experience
• Social and People Search
• Improved Metadata Processing
• Improved Management and Tuning
• FAST Search for SharePoint 2010
12 I Register Today! Call 800-505-1201 I www.WinConnections.com
2:05 PM Page 12
HITP08: SHAREPOINT 2010 UPGRADE
DRILL-DOWN
JOEL OLESON
You’ve heard about the upgrade methods,
but where are the real-world pros and
cons? What happens when in-place
upgrade fails? How do you roll back visual
upgrades and what are the best strategies
around visual upgrade? We’ll cover this
and much more as we take things down a
level and really dig into the strategy.
• Determine the best approach to
upgrade for your environment
• Walk through visual upgrade delegation
options
• Identify upgrade issues in upgrading site
definition, features, and workflows
HITP15: WHAT DO YOU NEED FOR
EFFECTIVE COMMUNICATION
BETWEEN IT PROS AND DEVELOPERS?
A REFEREE!
BEN CURRY
Come learn how you can fire the referee
and get on the same team with your devel-
opers. This session will focus on developing
goals and strategies that we can all agree
on. You’ll learn how to define the rules of
engagement and accompanying terminol-
ogy so IT Pros are doing what they like to
do, and Developers spend their time writ-
ing code (because that’s what Developers
like to do!). See how to agree on a devel-
opment life cycle, how to be nice to your
Developers, and how to get something in
return! Developers can be great allies in
scaling one-off solutions, creating sand-
boxed solutions, automating tasks, and
getting home before midnight. Seriously,
come to this session to learn how to better
communicate with your developers, and
how to make them your allies in your
SharePoint adventure.
NO CODE SOLUTIONS
HNCS07: AUTOMATING BUSINESS
PROCESSES USING INFOPATH 2010
FORMS WITH INTEGRATED
SHAREPOINT DESIGNER 2010
WORKFLOWS
ASIF REHMANI
Forms and Workflows are essential to busi-
ness processes. Companies usually rely on
programmers to create the forms and
workflows using code. Not any more! If
you have access to Microsoft InfoPath
2010 and Microsoft SharePoint Designer
F1
2010, you can create powerful data-driven
form solutions on your SharePoint sites.
InfoPath gives you the ability to pull data
from databases and lists, and create forms
with data validation and conditional for-
matting. SharePoint Designer’s workflows
let you then design powerful multi-step
workflows centered around the form col-
lected data. In this session, you see how to
design a robust form using InfoPath and
then design a workflow using SharePoint
Designer to route this form appropriately.
HNCS02: CREATING BI SOLUTIONS
WITH SHAREPOINT 2010 USING
PERFORMANCEPOINT SERVICES
TED PATTISON
SharePoint Server 2010 provides a power-
ful platform for creating Business
Intelligence (BI) solutions using
PerformancePoint Services (PPS). PPS
makes it possible to create a visual front
end to Data warehouses and cubes created
with SQL Server 2008 R2 Analysis Services.
This session shows you how to use
PerformancePoint Services and the
Dashboard Designer to create SharePoint
2010 sites with Dashboard components
such as Key Performance Indicators (KPIs),
Scorecards, Reports and Filters.
HNCS01: CREATING CONTENT-
CENTRIC SITES WITH SHAREPOINT
2010 WEB CONTENT MANAGEMENT
ANDREW CONNELL
SharePoint 2010 provides all the tools you
need to create content-centric
Internet/Extranet/Intranet-facing solutions
that do not fit the mold of traditional
SharePoint collaboration solutions. These
capabailities, dubbed Web Content
Management (WCM), enable content
owners and managers to create sites that
are consumed by a very large user base. In
this session, you’ll learn how to create
compelling content-centric sites using just
the browser and SharePoint Designer 2010
including creating custom page types,
page templates, modifying the user expe-
rience as well as enforcing certain business
rules for content publication and storage.
HNCS05: LEVERAGE EXCEL SERVICES
TO DRIVE OTHER WEB PARTS
WITHOUT CODE!
MAURICE PRATHER
Everyone knows that Excel and Excel
Services are great for calculations. Most
F10_Win_ITBrochure_v5:Layout 1
folks tend to think Excel Services is the
endpoint of a business process — input
data, read results. Wouldn’t it be cool to
leverage the calculation power of Excel
Services to drive other Web Parts? We’ll
learn how to do this without writing a sin-
gle line of code.
HNCS08: MANAGE YOUR EXTERNAL
DATA USING BUSINESS
CONNECTIVITY SERVICES …
WITHOUT CODE!
ASIF REHMANI
The Business Connectivity Services (BCS) is
an evolution of the concept of Business
Data Catalog (BDC) that was introduced in
SharePoint 2007 to get access to your line
of business data. In addition to consuming
your data, BCS lets you also write back data
to your external systems. SharePoint
Designer 2010 is used to define your con-
nection properties by creating External
Content Types (ECT) without the need for
programming! In this session, you see how
you can surface this data using external
lists, metadata in SharePoint lists and also
your Outlook application to create robust
business solutions.
HNCS06: USE DATA VIEWS TO GET TO
YOUR DATA — BOTH INSIDE AND
OUTSIDE OF SHAREPOINT
ASIF REHMANI
You can use SharePoint Designer to make
connections to and present data from
internal and external data sources such as
SharePoint lists, libraries, xml files, databas-
es and Web services. The focus of this ses-
sion is on exposing the data to the user
using the XSLT Web Parts. These Web Parts
can be manipulated in a variety of ways to
present the information to the end user. In
this session, it is shown how the list view
and data view tools available can be used
to reformat the presentation of the data
using conditional formatting, pre-format-
ted styles, xPath expressions and more.
HNCS09: USING INFOPATH 2010 AND
SHAREPOINT DESIGNER 2010 TO
MANAGE SHAREPOINT LIST FORMS
ASIF REHMANI
SharePoint Designer has been a great tool
to customize SharePoint list forms for a
long time. Now in SharePoint 2010, you
can use InfoPath 2010 to customize the
forms as well. What’s the difference? Why
should you use one tool over the other for
6/23/10 2:06 PM Page 13
this purpose? This session shows how each
functionality works and explores the pros
and cons of using each method to cus-
tomize your SharePoint list forms.
HNCS03: USING OUTLOOK AND THE
SHAREPOINT WORKSPACE WITH
SHAREPOINT 2010
SCOT HILLIER
SharePoint 2010 provides powerful ways to
use data offline through Outlook 2010 and
the SharePoint Workspace. In this session,
you’ll learn how to synchronize sites, lists,
and libraries with Outlook and the
SharePoint Workspace. You’ll learn how
data is installed and managed on the client
so that you can understand the proper way
to work with offline data. You’ll learn limi-
tations and workarounds associated with
offline data including conflict resolution
and collaborative document creation.
Attendees will exit this session with a com-
plete understanding of how offline data is
synchronized, managed, and utilized in
Office clients.
HNCS04: VISUALLY CREATING
VISUALLY COMPELLING WORKFLOWS
(WITHOUT WRITING ANY CODE!)
TODD BAGINSKI
Modeling SharePoint workflows has never
been easier to do, and understanding the
current state of a workflow status has never
been easier on the eyes! Microsoft Visio
and SharePoint Designer are now capable
of modeling, editing, configuring, and
deploying workflows to SharePoint sites
and lists. Additionally, the Visio Graphics
Service now provides the ability to repre-
sent the status of a workflow in a visual
manner! This session demonstrates how to
create a SharePoint workflow in Microsoft
Visio and export it to SharePoint Designer.
The session goes on to demonstrate how
to edit the workflow in SharePoint design-
er, add a custom coded workflow activity
to it, and publish it to a SharePoint site as a
reusable workflow. Finally, the session
demonstrates how to configure workflow
visualizations with the Visio Graphics
Service to see the current state of a work-
flow. In this session, you will learn how to
create a SharePoint workflow in Microsoft
Visio, make changes to it in SharePoint
Designer, publish it to a SharePoint site,
configure the Visio Graphics Service, and
visually view the status of the workflow as
represented in the workflow diagram.
November 1-4, 2010 I Las Vegas, NV I Register Today!
SHAREPOINT SESSIONS
DEVELOPMENT
HDEV07: ADVANCED EXTERNAL LISTS
IN SHAREPOINT 2010
SCOT HILLIER
External Lists allow data from External
Systems to appear as lists in SharePoint
2010. External Lists, however, do not have
all of the capabilities of standard lists and
database tables. This session will present
the differences, limitations, and work-
arounds that allow you to get the most out
of External Lists. The differences between
standard SharePoint lists and External Lists
will be presented first along with strategies
and workarounds for limitations such as
attachments and workflow support. Then,
the differences between database tables
and External Lists will be presented along
with strategies and workarounds for limita-
tions such as attachments, folders, and ver-
sions. Attendees will exit the session with
new ideas for implementing External Lists
in their SharePoint 2010 solutions.
HDEV09: BEST PRACTICES FOR
SANDBOXED SOLUTIONS
SCOT HILLIER
SharePoint 2010 introduces a new para-
digm for feature development known as
Sandboxed Solutions. While the
Sandboxed Solutions paradigm con-
tributes significantly to overall farm stabili-
ty, it also presents unique challenges for
the SharePoint developer due to the severe
restrictions placed on such solutions. In this
session, we will examine the limitations
placed on Sandboxed Solutions and pres-
ent several patterns that can be used to
work within these limitations. These pat-
terns will include the use of web parts, site
pages, client object model code, and fully-
trusted proxies. Attendees will exit the ses-
sion with a strong understanding of
Sandboxed Solution development, limita-
tions, and best practices.
HDEV14: BEST PRACTICES FOR UP-
GRADING WEB PARTS
MAURICE PRATHER
Web Parts have been around for three
generations. We’ll talk about all the differ-
ent ways Web Part code can be upgraded.
We’ll discuss how to best move your Web
Parts from where they are today to where
you want them tomorrow.
I 13
F10_Win_ITBrochure_v5:Layout 1
SHAREPOINT SESSIONS
HDEV11: BUILDING CUSTOM
APPLICATIONS (MASHUPS) ON
THE SHAREPOINT PLATFORM
TODD BAGINSKI
Custom applications which combine com-
ponents from several different systems,
services, and data sources are more com-
monplace in today’s world than ever
before, not to mention they are usually the
most fun to build! This session shows how
to combine Business Connectivity Services,
the SharePoint Client Object Model,
SharePoint Search, Silverlight, Bing Maps,
the Digital Assets Library (Images &
Videos), SharePoint list data, and even
SharePoint’s new rating functionality to
create a "mashup" application that pro-
vides a wide variety of functionality. In this
session, you will learn how to combine all
of these components to create eye catch-
ing applications that provide a wide variety
of functionality.
HDEV13: BUILDING CUSTOM
APPLICATIONS WITH THE
POWERPIVOT API
MAURICE PRATHER
PowerPivot is an exciting new data analysis
feature set. It’s tied closely to Excel Web
Access, but did you know that it doesn’t
have to be? The PowerPivot API will allow
you to create custom Web Part and con-
trols that are designed to fit your business
needs. We’ll look at how to easily integrate
your data into your own controls.
HDEV01: CREATING A RICH BUSINESS
APPLICATION WITH THE MANAGED
CLIENT OBJECT MODELS IN SHARE-
POINT 2010
ANDREW CONNELL
SharePoint 2010 introduced a new way to
work with SharePoint data when you have
an application that does not run on the
server: the Client Object Model
(ClientOM). In this session, you’ll see how
to create rich desktop applications with
WPF and the .NET ClientOM. In addition,
see how to create robust business applica-
tions deployed as sandbox solutions using
the Silverlight ClientOM.
HDEV10: CREATING CUSTOM LINE
OF BUSINESS SOLUTIONS WITH
BUSINESS CONNECTIVITY SERVICES
TODD BAGINSKI
Business Connectivity Services and
Microsoft SharePoint Server provide devel-
opers an excellent platform to quickly
14 I Register Today! Call 800-505-1201 I www.WinConnections.com
6/23/10 2:06 PM Page 14
build line of business applications upon.
The BDC and SharePoint make connecting
to data in external systems and working
with it easier than ever before. This session
shows how to combine External Content
Types, External Lists, .NET Assembly
Connectors, External Data Web Parts, and
the SharePoint search service to search,
create, read, update, and delete data from
multiple external data sources. In this ses-
sion, you will learn how to create and con-
figure all of these components to create a
powerful line-of-business application with
the SharePoint platform.
HDEV12: CREATING CUSTOM
WORKFLOWS AND REUSABLE
WORKFLOW ACTIVITIES FOR
SHAREPOINT DESIGNER
TODD BAGINSKI
Complex business processes often demand
custom coded workflows. Understanding
how to reuse pieces of the custom work-
flows you create saves time and effort in
the future and empowers end users to cre-
ate their own workflows with custom activ-
ities inside them. In the long run, taking
this approach saves your IT department
time and money. This session demon-
strates how to create custom workflows
with Visual Studio 2010 which use out-of-
the-box workflow activities, as well as cus-
tom-coded workflow activities. This session
also demonstrates how to create custom
workflow activities that may be reused
inside of SharePoint Designer workflows. In
this session, you will learn how to create
custom coded workflows and activities in
Visual Studio 2010 and how to package,
deploy, and reuse them in SharePoint
Designer workflows.
HDEV08: CREATING SEARCH-BASED
SOLUTIONS WITH SHAREPOINT 2010
SCOT HILLIER
Search-based solutions are applications
that use a search page as the primary inter-
face. Solutions such as image searching or
travel searching in Bing are good examples
of search-based solutions. SharePoint 2010
offers developers new ways to extend
search and create search-based solutions.
In this session, attendees will learn to cre-
ate search-based solutions by using cus-
tom relevance models, extending
SharePoint 2010 search parts, and utilizing
.NET Assembly Connectors to access exter-
nal systems. The techniques presented will
prepare attendees to create search-based
solutions on their own.
F1
HDEV04: DEVELOPING A CUSTOM
CLAIMS PROVIDER
TED PATTISON
SharePoint 2010 introduces a new security
architecture based on claims, federation
and the Windows Identity Framework
(WIF). This session introduces the concepts
and architecture of claim-based security in
SharePoint 2010 and demonstrates how to
create and debug a custom claim provider.
HDEV18: EXTENDING THE SOCIAL
EXPERIENCE USING THE SHAREPOINT
2010 SOCIAL NETWORKING API
GARY LAPOINTE
SharePoint 2010 introduces several new
capabilities to allow end-users to share
what they’re doing, discover what others
are doing, and more easily locate col-
leagues and data that are relevant to their
specific needs. The out-of-the-box user
experience gets you part of the way by
exposing most of the capabilities of the
API, but by writing our own custom appli-
cations we can take it to the next level. In
this session, we’ll take a deep dive into the
SharePoint Social Networking APIs and see
how to use the wealth of information pro-
vided to extend and enhance the end-user
experience by providing rich and intuitive
access to social data. This session is appli-
cable to any developers who are wishing to
leverage and extend the social capabilities
of SharePoint in their own applications.
HDEV05: EXTENDING THE VISUAL
STUDIO 2010 SHAREPOINT TOOLS
TED PATTISON
The new Visual Studio 2010 SharePoint
Tools represent a significant step forward
for SharePoint as a development platform.
While this new tools set provides a great
deal of functionaility out of the box, there
are scenarios where you must extend them
to accomplish certain tasks. This session
will teach you the concepts and techniques
required to create extensions so you can
leverage the full extent of your SharePoint
development knowledge when developing
SharePoint 2010 solutions.
HDEV15: HOW TO BUILD
CLAIMS-AWARE APPLICATIONS
AND CONTROLS
MAURICE PRATHER
What exactly are claims? In this session,
we’ll quickly cover the fundamentals of
claims authentication. Then we’ll dive into
details needed to leverage claims within
your applications.
F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:06 PM Page 15

SHAREPOINT SESSIONS

HDEV03: INCORPORATING
MANAGED METADATA IN CUSTOM
SOLUTIONS
ANDREW CONNELL
Microsoft injected strong support for
metadata, taxonomies and folksonomies in
SharePoint 2010 with the addition of the
Managed Metadata service application
and Managed Metadata field type. While
there is plenty of support for metadata
across the platform out-of-the-box,
Microsoft has included a very robust API in
this latest release of SharePoint 2010 to
create custom solutions. In this session,
we’ll explore how we can create custom
metadata-based solutions for use in
SharePoint 2010.
HDEV17: LEVERAGING THE
SHAREPOINT 2010 USER EXPERIENCE
ENHANCEMENTS
GARY LAPOINTE
SharePoint 2010 has introduced several
new capabilities for interacting with end-
users. The most obvious of these new capa-
bilities is the implementation of the Fluent
UI, or Ribbon, but significant work has also
gone into reducing pop-ups and page
refreshes through the use of a new Dialog
Framework and Notification capabilities. In
this session, we’ll examine how to extend
the Ribbon and plug into the Dialog
Framework as well as how to show transient
and persistent messages to your users using
the new Notification capabilities. This ses-
sion is applicable to any developers who
are creating applications for SharePoint
which need to interact with the end-user.
HDEV02: LOCAL DATA ACCESS IN
SHAREPOINT 2010: LINQ AND BEST
PRACTICES
ANDREW CONNELL
One of the most common tasks developers
do day-to-day is accessing data stored
within SharePoint. In the past, this always
meant getting data out using CAML-based
queries or tediously creating items one by
one. In this session, you’ll learn about the
new LINQ support in SharePoint 2010 and
what you’ll need to do in order to leverage
this new support. In addition, we’ll cover
some best practices to employ when utiliz-
ing the new LINQ support in SharePoint
2010 to ensure users do not inadvertantly
break your LINQ queries.
HDEV06: REMOTE DATA ACCESS IN
SHAREPOINT 2010
TED PATTISON
SharePoint 2010 provides new opportuni-
tiies to access list-based items from across
the network. This session demonstrates
development techniques involving the
Client Object Model and WCF Data
Services. You will see how to access lists
using the native support for REST-based
Web services in SharePoint 2010. The ses-
sion will also describe how to develop
components for SharePoint 2010 using the
new Open Data Protocol (OData).
HDEV16: SHAREPOINT 2010
POWERSHELL FOR DEVELOPERS
GARY LAPOINTE
In this session, we’ll examine how
SharePoint developers can leverage the
capabilities of the PowerShell scripting lan-
guage and the various tools available to
help create and debug scripts. We’ll exam-
ine Visual Studio 2010’s support for
PowerShell and dive deep into creating
custom PowerShell cmdlets and PipeBind
objects as well as custom type modifiers,
help files, and views. This session is applica-
ble to any developers who need to build
custom cmdlets to support an application
or product or who needs to automate cer-
tain aspects of their development process-
es; it is not meant to teach you PowerShell
scripting.

W O R K S H O P S
PRE-CONFERENCE WORKSHOPS
MONDAY, NOVEMBER 1, 2010 9AM - 4PM
EPR01: MAKING EXCHANGE HIGHLY AVAILABLE –
BRILLIANCE IN RESILIENCE (HANDS-ON WORKSHOP)
PETER O’DOWD
Microsoft has made some outstanding improvements to
Exchange 2010 redundancy and the rules have all changed; SANs
are less important, JBOD can be supported, Outlook talking to
CAS, movable databases, and logs and EDBs living together in
harmony. This one day workshop will focus on how you can con-
figure your Exchange Server organization to increase availability
with Database Availability Groups, CAS clusters, and more. In this
information-packed day, you’ll use an 8GB Windows Server 2008
R2 laptop provided by Microsoft to walk through several hands-
on labs developed by Wadeware® with Exchange MVP Peter
O’Dowd. Space is limited so sign up now.
MONDAY, NOVEMBER 1, 2010 9AM - 4PM
WPR01: WINDOWS 7 DEPLOYMENT MASTER CLASS
RHONDA LAYFIELD
Learning Windows Deployment Tools can be quite a daunting task
– where do you start and which one do you use? Windows
Automated Installation Kit for Windows 7 (WAIK), Windows
Deployment Service (WDS), Microsoft Deployment Toolkit 2010
Update 1 (MDT) or System Center Configuration Manager (SCCM)?
The last thing you want to do is waste time learning a tool that’s
not right for you or your environment. Let Setup and Deployment
MVP and Desktop Deployment Product Specialist Rhonda Layfield
help you figure out which tool is right for you. In this full day
deployment workshop, you’ll learn how create, deploy and man-
age your images using the Windows Automated Installation Kit for
Windows 7 (ImageX, DISM, CopyPE, OSCDImg, USMT 4.0). Perform
bare metal installations using WDS – learn to install, configure and
troubleshoot WDS. Migrate your XP machines to Windows 7 using
the MDT 2010 Update 1. Then there’s the golden tool – SCCM –
which allows you to perform zero touch installations. More impor-
tantly, learn the differences between these tools so you can make
your deployment solution work for you.
MONDAY, NOVEMBER 1, 2010 9AM - 4PM
HPR01: SHAREPOINT 2010 PROFESSIONAL
DEVELOPMENT WORKSHOP
ERIC SHUPPS, ROBERT BOGUE
Go to www.devconnections.com for complete abstract.

November 1-4, 2010 I Las Vegas, NV I Register Today! I 15

F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:06 PM
WORKSHOPS CONTINUED
MONDAY, NOVEMBER 1, 2010 9AM - 4PM
HPR02: SHAREPOINT COLLABORATION JUMPSTART
DAN HOLME
Go to www.devconnections.com for complete abstract.
POST-CONFERENCE WORKSHOPS
FRIDAY, NOVEMBER 5, 2010 9AM - 4PM
EPS01: EXPLORING EXCHANGE 2010 - CONFIGURE AND
SUPPORTING (HANDS-ON WORKSHOP)
PETER O’DOWD & TOM PHILLIPS
With your head packed full of valuable information from a week of
Exchange 2010 sessions, put it all together in this one-day journey
through Microsoft Exchange Server 2010 and experience its new
and improved features hands-on. Let the MVP Peter O’Dowd and
Tom Phillips lead you through hands-on-labs, including:
■ Archiving – yes, now available out of the box.
■ Mailtips – find out if your recipient isn’t available before
sending the message.
■ Exchange Control Panel – Where users can manage their di-
rectory data and groups.
■ Role Based Access Control – Allows different types of users
to search for different types of content across the organiza-
tion.
■ Information Leakage and Protection – Transport rules and
Rights Management Server unite.
■ Database Availability Groups – The new HA. No longer does
a database need be associated with a single server.
■ Unified Messaging – Try the new voice to text translation,
dial plans, and more…
This instructor led hands-on-lab experience will get you deep into
Exchange and guide you through these features, showing you how
they are configured and how they can be used to improve your
organization’s Unified Communications platform. No need to
bring your laptop, 8GB Windows Server 2008 R2 laptop will be pro-
vided by Microsoft for this event. Space is limited, so sign up now.
FRIDAY, NOVEMBER 5, 2010 9AM - 4PM
EPS02: COMMUNICATION SERVER 14 (AKA OCS)
– FIRST LOOK PREVIEW
THOMAS FOREMAN
Be one of the first to get your hands on Communications Server
14. See what all the fuss is about and how this version of OCS has
taken a big step forward. This one day workshop will walk you
through several hands-on-labs such as:
■ New install process and tools
■ PowerShell features
■ Configuration tools
■ Client experience
In this information-packed day, you’ll use an 8GB Windows Server
2008 laptop provided by Microsoft to walk through several hands-
on labs developed by Wadeware® with CS expert Thomas
Foreman. Space is limited so sign up now.
16 I Register Today! Call 800-505-1201 I www.WinConnections.com
Page 16 F1
FRIDAY, NOVEMBER 5, 2010 9AM - 4PM
HPS302: DAN HOLME’S WINDOWS ADMINISTRATION
MASTER CLASS
DAN HOLME
Join best-selling author and world-famous consultant Dan Holme
for a master class in administration. A full day of best practices, tips,
tricks, and tools that will enable you to accelerate, automate,
secure, and manage your Windows clients, servers, and Active
Directory. Dan Holme has amassed a wealth of experience and
expertise—solutions which enable you to deliver real-world
administrative best practices within the constraints of real-world
budgets and technologies.
THIS WORKSHOP WILL FEATURE:
■ Provisioning Applications and Configuration
■ Role-Based Management Extreme Makeover
■ Advanced Active Directory & Administrative Delegation
■ Administrators’ Idol: Tips and Tricks for Administrative
Automation and Brilliance
■ Ten Years Later: Best practice administration and design for
Active Directory.
FRIDAY, NOVEMBER 5, 2010 9AM - 4PM
WPS01: WINDOWS POWERSHELL V2 “ZERO SCRIPTING”
MASTER CLASS
DON JONES
Are you ready to take Windows PowerShell as far as you possibly
can—without writing a single line of “script code?” Join the
PowerShell “War on Scripting” with this exclusive full-day session
by Windows PowerShell guru Don Jones, author of the “PowerShell
with a Purpose” blog at WindowsITPro.com, more than 45 books,
and the PowerShell columnist for TechNet Magazine. No
PowerShell experience is necessary, and even if you have some,
you’ll discover new (and easier) approaches to some of the tricki-
est administrative tasks. Learn to use PowerShell remoting, how to
master pipeline parameter binding, and how to create simple
parameterized “batch files” that require no programming—just
copying and pasting! This isn’t “dumbed down” PowerShell, either
—this is PowerShell as it was meant to be used and experienced.
Customize visual displays, create custom inventory reports, sched-
ule PowerShell commands to run at specific times, create and man-
age configuration baselines, and much more. This workshop focus-
es on Windows Server 2008 R2 but is also perfect for Win2003
shops using WinXP, Vista, or Win7 clients. This is not a hands-on
workshop; no need to bring your laptop. A complete transcript will
be made of everything Don types, and made available to you for
downloading a few days after the conference is over. This is the
only sure bet in Las Vegas—you’re sure to go home ready to start
automating key administrative tasks, saving time, improving con-
sistency, and building out your resume!
FRIDAY, NOVEMBER 5, 2010 9AM - 4PM
HPS301: ADVANCED SHAREPOINT 2010
ADMINISTRATION WITH TODD AND SHANE
TODD KLINDT & SHANE YOUNG
Go to www.devconnections.com for complete abstract.
F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:07 PM Page 17

Check Web site for Microsoft and additional speakers.

A UNIQUE OPPORTUNITY TO GET YOUR TECHNOLOGY AND TRAINING FROM MICROSOFT AND INDUSTRY EXPERTS!

SPEAKERS

SCOTT ALLEN CHRIS AVIS ANDREW BEN CURRY MIKE SEAN DEUBY THOMAS DEVIN L.
MICROSOFT CONNELL DANSEGLIO FOREMAN GANGER
PLURALSIGHT SUMMIT 7 ADVAIYA INC.
CRITICAL PATH SYSTEMS MICROSOFT WADEWARE CONSULTANT/
TRAINING, LLC AUTHOR

SCOT HILLIER DAN HOLME DON JONES TODD KLINDT KEVIN LAAHS GARY LAPOINTE RHONDA LEE MACKEY
SCOT HILLIER INTELLIEM, INC. CONCENTRATED SHAREPOINT 911 HP SHARESQUARED, LAYFIELD HP
TECHNICAL TECHNOLOGY INC. CONSULTANT/
SOLUTIONS, LLC TRAINER

JIM MCBEE KIERAN MATTHEW MARK MINASI JEREMY MICHAEL NOEL PETER O'DOWD JOEL OLESON
ITHICOS MCCORRY MCDERMOTT MINASI RESEARCH MOSKOWITZ CONVERGENT BLADE/ QUEST SOFTWARE
SOLUTIONS HP ABLEBLUE AND MOSKOWITZ, INC. COMPUTING WADEWARE
DEVELOPMENT

TED PATTISON TOM PHILLIPS MAURICE TONY REDMOND ASIF REHMANI NADYNE STEVE RILEY BRIAN REID
TED PATTISON WADEWARE PRATHER TONY REDMOND SHAREPOINT- RICHMOND AMAZON WEB C7 SOLUTIONS
GROUP, INC. INDEPENDENT AND ASSOCIATES ELEARNING.COM MICROSOFT SERVICES
CONSULTANT

PAUL KARL ROBINSON WILLIAM SMITH ALAN SUGANO SHANE YOUNG

GREG SHIELDS
ROBICHAUX HP MERRILL ADS CONSULTING SHAREPOINT 911
TRAINER/AUTHOR
CONCENTRATED COMMUNICATIONS GROUP
TECHNOLOGY LLC

And many more... Check our Web site as we continue to update it with speaker pictures and bios!
November 1-4, 2010 I Las Vegas, NV I Register Today! I 17
F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:07 PM Page 18 F1

HOTEL INFORMATION

Enjoy the excitement of one

of Las Vegas’ premiere hotels!
Positioned at the south end of The Strip, Mandalay Bay
Resort and Casino offers elegance, excitement and
escape. Enjoy its restaurants, entertainment and
enormous beach-pool, as well as wireless internet in
your room and optional VIP access to shows, restaurants,
the spa and more.

HOTEL ACCOMMODATIONS
Mandalay Bay Resort and Casino, 3950 Las Vegas Blvd.
South, Las Vegas, Nevada, is the conference site and host hotel.
SPACE IS LIMITED so reserve your room early by calling the
conference hotline at 800-505-1201 or 203-400-6121.

AIRLINE
Please call Pericas Travel at 203-562-6668 for airline reservations.
TAX DEDUCTION
Your attendance to a DevConnections CAR RENTAL
conference may be tax deductible. Visit Hertz is offering auto rental discounts to attendees. Call the
www.irs.ustreas.gov. Look for topic 513 - Hertz Meeting Desk at 800-654-2240 for reservations and refer
Educational Expenses. You may be able to to code CV# 010R0043 (Hertz) under Connections Vegas to
deduct the conference fee if you undertake to receive your attendee discount.
(1) maintain or improve skills required in your
present job; (2) fulfill an employment condition ATTIRE
mandated by your employer to keep your The recommended dress for the conference is casual and
salary, status, or job. comfortable. Please bring along a sweater or jacket, as
the ballrooms can get cool with the hotel’s air conditioning.
GROUP DISCOUNT
Register individuals from one company at the SPONSORSHIP/EXHIBIT INFORMATION
same time and receive a group discount. For sponsorship information,
contact Rod Dunlap
1-3 registrants $1,595 per person 480-917-3527 phone
Additional registrants $1,395 per person E-mail rod@devconnections.com
after the 3rd ($200 off each) See Web site for more details. www.WinConnections.com
(4th, 5th, 6th...)

Call 800-438-6720 to take advantage of group

discount pricing.

Notes & Policies: The Conference Producers reserve the right to cancel the conference by refunding the registration fee. Producers can substitute speakers and topics and cancel sessions with-
out notice or obligation. Updates will be posted on our Web site at www.DevConnections.com. Tape recording, photography is not allowed at any session. Conference producers will be taking
candid pictures of events and reserve the right to reproduce. By attending this conference you agree to this policy. You may transfer this registration to a colleague by notifying us before the
start of the event. Please inform us if you have any special needs or dietary restrictions when you register. The conference registration includes the following subscriptions. This is not an addi-
tional expense and subtraction from prices listed is not permissible. Exchange and Windows Connections registration includes a one-year (12 issues) print subscription to Windows IT Pro mag-
azine for Exchange and Windows conference attendees only. Current subscribers will have an additional 12-months added to their subscription. Subscriptions outside of the United States will
be served in digital; $12.50 of the funds will be allocated toward a subscription to Windows IT Pro ($49.95 value). SharePoint Connections registration includes a print subscription (4 issues;
Nov, March, June, Sept) to SharePointProConnections magazine for SharePoint and Windows conference attendees only. Current subscribers will have an additional one year (4 issues) added
to their subscription. Subscriptions outside of the United States will be served in digital.
Registration & Cancellation Policy: Registrations are not confirmed until payment is received. Cancellations before September 28, 2010 must be received in writing and will be refunded minus
a $100 processing fee. After September 28, 2010 cancellations and no shows are liable for full registration; it can be transferred to the next Conference within 12 months or to another person.
Microsoft, Microsoft .NET, ASP.NET, Visual Studio.NET, Microsoft SQL Server, Exchange and Windows are either trademarks or registered trademarks of Microsoft Corporation. All other trade-
marks are property of their owners.

18 I Register Today! Call 800-505-1201 I www.WinConnections.com

F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:15 PM Page 19

CONFERENCE REGISTRATION • NOVEMBER 1-4, 2010 ONLINE: www.WinConnections.com

FULL CONFERENCE REGISTRATION INCLUDES KEYNOTE ON NOVEMBER 2ND 8:00AM, E-MAIL: info@DevConnections.com
THROUGH CLOSING SESSION NOVEMBER 4TH, 4:30PM PHONE: (800) 438-6720
(203) 400-6121
FAX: (913) 514-9362
NAME PRIORITY CODE
MAIL:

COMPANY TITLE
Penton Media
c/o Tech Conferences, Inc.
STREET ADDRESS (REQUIRED TO SHIP MATERIALS) 731 Main Street Ste C3
Monroe CT 06468
CITY, STATE, POSTAL CODE COUNTRY

TELEPHONE FAX E-MAIL ADDRESS (IMPORTANT)

� Microsoft Exchange Connections Conference and Expo

� Windows Connections Conference and Expo
� SharePoint Connections Conference and Expo
On or Before August 19th, 2010 ..................................................................................................................................$1495 ________________
After August 19th, 2010 ............................................................................................................................................................$1595 ________________

LAS VEGAS, NEVADA

FOR WHICH CONFERENCE ARE YOU REGISTERING? __________________________________________________________

PRE-CONFERENCE WORKSHOP MONDAY, NOVEMBER 1, 2010 LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS.
� EPR01: Making Exchange Highly Available – Brilliance in Resilience
(HANDS-ON WORKSHOP) O’DOWD..............................................................................................................................................................9AM – 4PM ..................................$449 __________________
� WPR01: Windows 7 Deployment Master Class LAYFIELD ............................................................................................9AM – 4PM ..................................$399 __________________
� HPR01: SharePoint 2010 Professional Development Workshop SHUPPS & BOGUE ..................9AM – 4PM ..................................$399 __________________
� HPR02: SharePoint Collaboration Jumpstart HOLME ......................................................................................................9AM – 4PM ..................................$399 __________________

POST-CONFERENCE WORKSHOPS FRIDAY, NOVEMBER 5, 2010 LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS.
� EPS01: Exploring Exchange 2010 - Configure and Supporting
(HANDS-ON WORKSHOP) O’DOWD & PHILLIPS ..........................................................................................................9AM – 4PM ..............................$449 ________________
� EPS02: COMMUNICATION SERVER 14 (AKA OCS)–FIRST LOOK PREVIEW
(HANDS-ON WORKSHOP) FOREMAN............................................................................................................................9AM – 4PM ..............................$449 ________________
� HPS302: Dan Holme’s Windows Administration Master Class HOLME ..........................................9AM – 4PM ..............................$399 ________________
� WPS01: Windows PowerShell v2 “Zero Scripting” Master Class JONES ........................................9AM – 4PM ..............................$399 ________________
� HPS301: Advanced SharePoint 2010 Administration
with Todd and Shane KLINDT & YOUNG ..............................................................................................................................9AM – 4PM ..............................$399 ________________

CONFERENCE MATERIALS
FULL CONFERENCE REGISTRATION INCLUDES MATERIALS FOR THE CONFERENCE FOR WHICH YOU REGISTER;
YOU MAY PURCHASE MATERIALS FOR THE OTHER CONCURRENTLY RUN EVENTS.
� Microsoft Exchange Connections Conference and Expo CD ..................................................................................................................................$75 ________________
� Windows Connections Conference and Expo CD ....................................................................................................................................................$75 ________________
� SharePoint Connections Conference and Expo CD..................................................................................................................................................$75 ________________

TOTAL
� CHECK (payable to Penton Media) All payments must be in US Currency. Checks must be drawn on a US bank.
� CREDIT CARD � VISA � MASTERCARD � AMEX
CREDIT CARD NO. EXPIRATION DATE

Cardholder’s Signature Cardholder’s Name (print)

F10_Win_ITBrochure_v5:Layout 1 6/23/10 2:07 PM Page 20

Penton Media
c/o Tech Conferences, Inc.
731 Main Street, Suite C-3
Monroe, CT 06468
Mailroom: If addressee is no longer here,
please route to MIS Manager or Training Director

“ THE CONVERSATION BEGINS HERE

NOVEMBER 1-4, 2010

LAS VEGAS • MANDALAY BAY RESORT & CASINO
”

Book by July 29th to get a special rate of $149 (a limited number of rooms at this rate, so reserve today).

CHECK WEB SITE FOR DESCRIPTIONS OF SESSIONS AND WORKSHOPS

www.WinConnections.com • 800.505.1201 • 203.400.6121 • Register Early!

Spiceworks 4.5
IT management tools are as varied as
blades of grass on a freshly mowed lawn.
It’s often difficult to slice through vendor
marketing-speak to obtain the details you
need to determine if a management tool
is right for you and your environment. For
example: Does the tool support all the
OSs you use? What about non-computer
devices, such as routers and switches?
Does the tool take a software inventory
from your computers, or just a hardware
inventory? How do you obtain technical
support if you need it? How much will the
product cost you in licensing fees?
One product that aims to solve all of
your IT management woes is Spiceworks.
This software includes management,
monitoring, inventory control, and a
ticketing system, all in one package. You
might have already heard of Spiceworks
from a colleague, because it’s reasonably
popular for one key reason: It’s free. The
caveat of the software being free is that
you have to see ads while you use it-
but I found the ads to be unobtrusive.
You can purchase a version that has the
ads removed if you find them to be too
cumbersome.
I reviewed Spiceworks 4.5 from the
perspective of someone who has heard
good things about the software but
doesn’t know much about it other than the
fact that it’s a free IT management product.
I installed Spiceworks on a Windows XP
SP3 machine and ran it against a mixed
test network consisting of XP, Windows
Vista, Mac OS X 10.6, and Red Hat Enter-
prise Linux 10 computers. The network also
contains a variety of networking gear from
Cisco. Spiceworks’ system requirements are
modest; the documentation states that a
machine with a 1GHz Pentium III proces-
sor (remember those?), with 1GB of RAM,
running XP SP2, Windows Server 2003 SP1,
or Windows Server 2008 is sufficient. For a
comprehensive list of the items Spiceworks
can discover and manage, see the Spice-
works Requirements page at community
.spiceworks.com/help/Spiceworks_
Requirements.
Installing Spiceworks appears to be
a cinch at first. You go to the Spiceworks
website and click any of the bright orange
w w w. w i n d o w s i t p ro. c o m
P R O D U C T S
links that invite you to download and
install the product. A single executable
file downloads to your computer without
you having to sign up for any type of
account or provide an email address. The
file is reasonably sized (about 20MB) and
downloads quickly.
When the installation routine launches,
the first screen asks which port you want
to have Spiceworks listen on. The default is
port 80, which is a clue that indicates how
Spiceworks will interact with you; the soft-
ware installs the Apache web server. This
is important to note if you plan to install
Spiceworks on a machine that’s already
running a web server on port 80. You’ll
either need to adjust one of the servers
to run on a port other than 80 or install
Spiceworks on a different machine.
The installation process proceeds
quickly from that point and offers to
launch Spiceworks when the install is
complete. Here is where I ran into my
only real technical issue. The initial
launch of Spiceworks took an abnormally
long time, about two minutes, with the
Spiceworks.exe process consuming 50
percent of the CPU usage. This occurred
only on the first launch of the product,
however.
One annoying requirement is that you
must sign up for a Spiceworks account
when you launch
the product for the
first time. It’s unclear
from the sign-up
form if this is a local
account, isolated
to your own Spice-
works installation,
or if your informa-
tion will be sent to
Spiceworks even if
you clear the check
boxes for receiving
partner offers and
participating in sur-
veys. I cleared both
check boxes and Figure 1: Viewing configuration details
Michael Dragone | mike@mikerochip.com
W e ’ r e i n I T w i t h Yo u
REVIEW
signed up with a valid email address that
I use for testing—and I did receive a few
email messages of the “Welcome to Spice-
works” variety.
The next screen is where the good stuff
starts to happen. You can configure the
product to start with an inventory, the Help
desk (ticketing) feature, or Spiceworks com-
munity support. I was most interested in the
inventory functionality because I wanted
to see how well Spiceworks could find and
analyze my network, so I selected Start with
Inventory.
To avoid immediately subjecting my
network to any invasive testing, I opted to
have the software first scan the machine
it was running on. Isolating the selection
process to target just the local machine
by IP address and selecting an account
with administrator-level privileges to
run the scan with was easy. A dialog box
launches to indicate that the scan is in
process.
Scanning a machine is a quick yet
thorough process. If you have a host-
based firewall installed, you need to
ensure that exceptions are created to
allow Spiceworks to access the sys-
tem. After this is done, Spiceworks can
determine a myriad of details from the
base hardware (e.g., CPU, RAM, free disk
space), as Figure 1 shows, all the way to
Windows IT Pro AUGUST 2010 65
P R O D U C T S
REVIEW
a list of installed software, including vari-
ous updates to the software, as Figure 2
shows. The software also captures details
such as the last time the system was
rebooted.
After my local machine was success-
fully scanned, I expanded the scan to a
local subnet, supplied the appropriate
credentials, and received results with
similar details. One item to note is that
Spiceworks never detected any antivirus
software on any of the machines I ran it
against, although I do have up-to-date
antivirus software installed. Some quick
investigating on the Spiceworks website
proved this behavior is to be expected.
Spiceworks claims to be able to detect
any antivirus software that integrates with
Windows Security Center. Although all the
test machines I was using had managed
antivirus software installed, Windows
Security Center was turned off.
I attempted to have Spiceworks scan a
subnet consisting primarily of networking
devices. This was far less successful, because
many of these devices are desktop switches
and consumer routers that don’t respond
to SNMP queries. Spiceworks can’t query a
networking device that doesn’t respond to
SNMP, even if the device supports Secure
Shell (SSH) access, as some of my devices
do. This might also explain why when I
asked Spiceworks to create a map of my
network, several intermediary switches were
missing from the map. I had to manually
add some devices that Spiceworks couldn’t
capture automatically.
The product was also unable to moni-
tor the health of an Exchange 2007 server
on my network. Unfortunately, Spiceworks
can monitor only Exchange 2003 servers.
This limitation is especially disappointing
because Exchange 2003 will soon leave
Microsoft’s Extended Support phase. It
would be nice to see support for newer
versions of Exchange.
Despite the few shortcomings,
overall I was impressed with Spiceworks’
inventory capabilities. After I was done
giving the inventory functionality a
thorough test, I moved on to the Help
desk component.
Spiceworks provides a comprehensive
ticketing system in the Help desk arena.
Creating a new ticket is a straightforward
66 AUGUST 2010 Windows IT Pro
process. The tick-
eting system is
fully aware of the
gathered inven-
tory and lets you
reference any of
your assets. A list
of open tickets and
their assignees is
provided. Editing
an existing ticket is
also very straight-
forward. Any IT pro-
fessional who has
used even the most
basic of ticketing
systems will feel
right at home with
the Spiceworks
system.
The software Figure 2: Finding installed software
also includes the
ability to track services, such as support simplicity is a bit deceiving at first. If you
contracts and ISP subscriptions. This is a dive right in like I did for review purposes,
great feature because it lets you see the sta- you could be caught off-guard. You need
tus of your services at a glance. You can also to think about where you will install
reference your services in Help desk tickets Spiceworks, especially if you already have
just as you can reference your assets. These a web server installed. In addition, you
features all tie together nicely with Spice- need to make sure you have the proper
works’ monitoring and alerts. credentials to access your devices and
The product lets you specify a plethora computers and ensure that any host-
of options for monitoring not only your based firewalls are configured to allow
connected computers and devices but Spiceworks access.
also your services (e.g., the end date of a Taking these few preliminary steps
contract). Options range from the basics, before you jump in will ensure a good
such as remaining disk space, to the experience from the get-go. Uninstallation
advanced, such as software compliance. is also a cinch, leaving little to no cruft
At a periodic interval that you can adjust, behind. You have little to lose and a lot to
Spiceworks sniffs your connected com- gain by giving Spiceworks a try. I highly
puters and devices to ensure they are recommend it.
in compliance. No agents are necessary, InstantDoc ID 125235
although you need administrator-level
access to the scanned machines. Windows
Management Instrumentation (WMI)
Spiceworks 4.5
must also be configured for Spiceworks to PROS: Comprehensive; easy to use; free
gather information.
CONS: More involved setup and installation than
Overall, I was impressed with Spice- the documentation suggests
works. The most compelling feature of the
product, aside from the $0 price tag, is the RATING:
way all the components tie in together. PRICE: Free
You don’t have to maintain separate lists RECOMMENDATION: Recommended for
of assets or use another interface to query administrators who want a comprehensive
a network device. Everything is integrated management package that won’t break the bank.
in the single Spiceworks interface. My CONTACT: Spiceworks • 512-346-7743 •
only concern with the product is that its www.spiceworks.com
W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

Rove Mobile Admin
If you’re like most system administrators,
you’re either on-call on a set rotation or
on-call all of the time. With laptops and
netbooks, you can roam freely when you
aren’t physically at work, but even a light
computer is a pain to lug around. Rove
Mobile Admin solves this problem by
providing phone-sized administration
tools that let you handle emergencies as
well as perform routine maintenance on
your servers and network infrastructure.
What can you do with Rove Mobile
Admin? Besides managing Windows and
Active Directory (AD) from your phone, you
can manage Cluster service, DHCP, DNS,
Exchange Server, Hyper-V, IIS, and SQL
Server. That’s just the supported Microsoft
software. You can also manage Citrix, HP
Integrated Lights-Out (iLO), IBM Lotus
Domino, Novell NetWare, Oracle, Research
in Motion BlackBerry Enterprise Server, RSA,
Symantec Backup Exec, VMware, and more.
If the software that you need to manage isn’t
supported, you can use the included remote
desktop client and do it the old-fashioned
way. You can also manage a network
through a Telnet or Secure Shell (SSH) con-
nection.
There are two editions of the product:
Professional ($595 per CAL) and Basics
($295 per CAL). For the most part, the
Basics edition supports only Windows
and AD, but that might be enough to
meet your needs. If you need to manage
a NetWare, Oracle, SQL Server, or virtual
environment or advanced Microsoft tech-
nologies like Cluster service or IIS, you’ll
need to invest in the Professional ver-
sion. (You can check out the differences
between the two editions at www.roveit
.com/products.)
Rove Mobile Admin requires the .NET
Framework 2.0 and can be installed on
a domain controller (DC) or another
server. Licensing for the product is
provided by an activation code that
requires that the server be connected to
the Internet.
The installation is quick and painless
—it literally takes two minutes from start
to finish. After the software has been
installed, you simply point your mobile
device to Rove Mobile Admin’s website
w w w. w i n d o w s i t p ro. c o m
P R O D U C T S
REVIEW
and install the client on your
phone. However, if you have an
iPhone, you need to download the
app from the iTunes Store.
I used my iPhone to test the
functionality of the Rove Mobile
Admin Professional edition. You
can also use it with Apple iPod,
BlackBerry, Google Android 1.5+,
and Windows Mobile 6 mobile
devices.
Like any form of remote
access, the first hurdle is to open
a secure network path from your
phone to the Rove Mobile Admin
server. Make sure that your con-
nection adheres to your compa-
ny’s security policy. For example,
some companies might require a
VPN connection, whereas others
might simply require an SSL con-
nection through port 4054.
For my tests, I used the iPhone’s
Wi-Fi connection to access my virtual
test network, which consists of a DC
running Windows Server 2003 and
Exchange Server 2003. The first thing
I noticed was how simple and clean
the interface was. There isn’t a lot of Figure 1: Managing services with Rove
real estate on a smartphone screen, Mobile Admin
and Rove Mobile Admin makes good
use of the limited space, as Figure 1 I can quickly solve the problem with this
shows. useful tool.
I spent some time in the various InstantDoc ID 125358
areas of the Rove Mobile Admin tool and
found each area intuitive and easy to Rove Mobile Admin
use. I tested the command-prompt fea- PROS: Easy to set up; makes remote administra-
ture and remote desktop connection—I tion a breeze; supports the software you’d expect
could see myself using these in times it to, plus tons more
when I didn’t have a laptop handy. On CONS: None
my Exchange server, I edited the storage
RATING:
limits and viewed the mail queue. And
I quickly reset a user’s password with PRICE: $595 per CAL for the Professional version;
just a few clicks—a perfect example of a $295 for the Basics version
problem that often pops up at the most RECOMMENDATION: If you need remote
inopportune time. administration capabilities on a mobile device,
I sure don’t like to be called in the you owe it to yourself to give this product a
middle of my golf game to fix a network- serious look.
ing issue. However, if I do, at least I know CONTACT: Rove • 888-482-3646 • www.roveit.com
Eric B. Rux | ebrux@whshelp.com
W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 67
P R O D U C T S
REVIEW
Kerio Connect 7
I have to admit that, being an Exchange
guy, I came into this review with a bit of a
prejudice against any Exchange alterna-
tive. I’ve been asked to look at several
during my career with the aim of saving
money, and none of them passed my
tests for functionality or usability. Kerio
Connect 7 succeeded where competitors
haved failed. Aimed at small companies
and offered at a very attractive price,
Kerio Connect 7 delivers the functions
that most small companies want—email,
calendaring, and mobile access.
Installation is quick and easy, and the
administration interface, which Figure 1
shows, is well laid out. When I set it up in
my lab to do this evaluation, I found that
the Linux install (Kerio runs on Windows,
Linux, and Mac OS) wasn’t any more dif-
ficult than the Windows install, again put-
ting it ahead of much of its competition.
The wizard asks you most of what you
need to get up and running, including
DNS domain information, and enables all
of the common client protocols for you.
Integration with Active Directory (AD)
is straightforward and requires little effort
on the part of the administrator. The only
negative here is that although it’s easy to
import users from AD, there’s no ability
to bring in groups to use as mailing lists.
These must be managed separately within
Kerio Connect.
All of the security features you’d expect
in a mail server are present, including anti-
virus, spam, and attachment filtering. The
attachment filtering is configured to block
according to common best practices by
default. Like everything else in the prod-
uct, security is easy to configure. McAfee’s
antivirus engine is included and activated
by default, and there’s also an option to
enable other engines. Backup capabilities
are included as well, allowing for tradi-
tional backup scheduling, and again, the
defaults are configured out of the box
according to long standing best practices.
Tape backup isn’t supported, but backup
to a network location is available. Robust
logging and a traffic-chart feature make
troubleshooting and monitoring easy.
The logs are well organized and verbose
without confusing the reader.
68 AUGUST 2010 Windows IT Pro
Mobile devices
are supported via
ActiveSync functionality.
To end users, this means
that they won’t know the
difference between an
Exchange back end and
the Kerio Connect server.
Also added to the new
release is native support
for Apple’s iPad device,
giving Kerio the unique
bragging rights to being
the first to explicitly
support the iPad. Figure 1: Kerio’s interface
Finally, included in the list of features first year, server renewal is $162, and your
is a must-have for any Exchange additional users are $8.60 each. You can
alternative—an Outlook plugin that order without the antivirus licensing, but
gives your end users the experience the pricing more than justifies going for
they know and are comfortable with by the whole package.
allowing Outlook to connect with Kerio I stated earlier that I had a prejudice
Connect. against Exchange alternatives, but I have
So, what does it all mean? Well, it to say that if I had a small customer
means that if you have a small company, who was looking for an inhouse email
and no need for a highly available (which solution that was affordable, I’d definitely
usually means highly expensive) solution, recommend Kerio.
Kerio will probably be a good fit for you. InstantDoc ID 125453
Most Exchange alternatives currently on
the market have made big investments in Kerio Connect 7
adding features to their webmail in order
to woo customers. Although this is attrac- PROS: Inexpensive; easy to configure and main-
tain; low barrier to entry for small businesses
tive to those of us who go in for those
things, our users typically want comfort CONS: No high availability option; no native use
more than anything, and that’s where of AD groups for mailing lists, so user and group
administration has to happen in two places; not
Kerio Connect shines. It presents a familiar
feasible for larger businesses because of these
end-user experience regardless of the weaknesses
connection method.
RATING:
Kerio really seems to know its target
market, and the company is giving users PRICE: First year: $540/server with five user
exactly what they want—a simple solu- licenses, $28.80/user (sold in packs of 5);
renewals: $162/server and $8.60/user
tion that meets their needs without a
steep learning curve. Not only that, but RECOMMENDATION: Kerio Connect is an
the company does it at an initial price of affordable and easy-to-maintain solution for
small companies. The product might not be a
$540 for a server license, which includes
good option for a small business with a large
five user licenses. (Additional user budget that wants advanced Exchange features
licenses are a reasonable $28.80 each.) such as high availability, Outlook Voice Access,
These prices are for one-year licenses and Unified Messaging.
that include support, virus definition CONTACT: Kerio Technologies • 888-775-3746 •
updates, and version updates. After your www.kerio.com
Ryan Femling | ryan@palador.com
W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

NetPoint Pro
Hardware inventory and asset manage-
ment have never been administrators’
favorite tasks. In small to midsized IT
shops, or those with limited budgets,
administrators often get by with ad hoc
scripted solutions using Windows Manage-
ment Instrumentation (WMI) and a hodge-
podge of spreadsheets, text files, and duct
tape. However, Neutex Systems offers a
more cost-effective and easier-to-use solu-
tion called NetPoint Pro. This agentless
solution leverages existing Windows tech-
nologies such as WMI and Active Directory
(AD) that you already know and trust.
Installation
NetPoint installs on just about every
Windows OS. But because it requires IIS,
you’ll most likely install it on a server.
It also requires a Microsoft SQL Server
back end, but this can be one of the free
express editions of SQL Server 2008 or
2005. You don’t need to run the web
server on the database server, but for my
small scale test I elected to use Windows
Server 2008 R2. During setup, you can
specify what database server to use. If you
want to use the included Windows Power-
Shell snap-in, you’ll need PowerShell 2.0.
NetPoint ships 32- and 64-bit versions
that install with minimal configuration.
The current version is limited to managing
computers in a single AD domain. Future
versions should support querying a global
catalog server, which will simplify configu-
ration for more complex environments.
My installation, using an existing SQL
Server instance, took only a few minutes.
After it loaded, I configured NetPoint
through its web interface. There I added
my license file and set up my polling
schedule. The server will poll all computer
accounts it finds in the current AD domain
for hardware and software inventory infor-
mation. I quickly inventoried items such as
memory, disks, printers, drivers, and OSs.
Uses Existing Technologies
NetPoint uses WMI primarily for its inven-
torying. In almost all Windows-based net-
works WMI is enabled and accessible, which
means no agents to install. Because it uses
WMI, your computers are most likely already
w w w. w i n d o w s i t p ro. c o m
P R O D U C T S
REVIEW
properly configured.
You don’t have to worry
about what WMI class
to use. All results are
stored in the SQL Server
database. NetPoint also
tracks when components
are added or removed,
such as memory or disk
drives. You can even sub-
scribe to an RSS feed to
alert you when a change
is made. Email alerts
aren’t supported in the
Figure 1: NetPointPro OS display
current version.
NetPoint utilizes AD to discover com- polling. You can unlock these features by
puter objects and can’t manage non-domain installing a NetPoint Pro license.
and non-Windows computers. You can
configure a standard polling schedule for Great for Small Shops
all computers, perform on-demand polling, For large and complex enterprises, I don’t
or use an included VBScript as a computer feel NetPoint Pro’s feature set is mature
start-up script to provide auto-polling. enough to meet their needs. For example,
multi-domain environments require a
Asset and System Management polling server in each domain and some
The web interface is easy to use and query- tweaking via scripts. But for small to
ing systems couldn’t be simpler. Need to midsized shops lacking an affordable,
know what OSs are deployed? A click or easy-to-use inventory and asset manage-
two provides the answer. (See Figure 1.) ment solution, NetPoint Pro is the solution
You can also supply non-WMI information you’ve been looking for.
such as purchase order and procurement InstantDoc ID 125442
dates, making this a basic, yet effective,
NetPoint Pro
asset management system. NetPoint Pro
includes a great set of PowerShell cmdlets PROS: Easy to install and use; cost-effective price
for managing inventory information. point; leverages existing technologies such as
WMI and Active Directory; PowerShell cmdlets
Another terrific feature is the ability to
available
track application licenses. You define the
application by associating one or more CONS: Limited access control; can query only
queried products with a license count and single-domain members; no email notifications;
simple polling options, typical of its limited enter-
purchase information. You can then tell at
prise features
a glance if you’re in compliance or not.
NetPoint Pro is licensed per invento- RATING:
ried computer on a sliding scale starting PRICE: NetPoint Pro starts at $5 per computer;
at $5 per computer in 25-unit bundles. NetPoint Essentials is free
Neutex also offers a free version, NetPoint RECOMMENDATION: Small to midsized shops
Essentials. You can inventory (hardware- should give NetPoint Pro a try; larger, more com-
only) an unlimited number of systems for plex organizations will need a more complete
free. But you miss out on other features solution. Watch Neutex for future releases.
such as PowerShell support, license track- CONTACT: Neutex Systems • 415-763-8839 •
ing, remote desktop, and on-demand www.neutex.net
Jeffery Hicks | jdhitsolutions.com/blog and twitter.com/jeffhicks
W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 69
P R O D U C T S
REVIEW

VMware Workstation 7.0 Rises Above the Virtual Pack

Desktop virtualization products in a nutshell

virtualization currently revolves around

server virtualization products such as
Microsoft’s Hyper-V technology and
VMware’s ESX Server, the virtualization
trend actually began on the desktop with
the original VMware Workstation product
launched back in 1999. Today, desktop
virtualization remains a vital technology
for IT and developers. Developers use
desktop virtualization to test applica-
tions on multiple platforms and to eas-
ily roll back changes brought about by
application testing. Help desk and QA
professionals use it to replicate end-user
scenarios. IT professionals use it for host-
ing legacy applications and testing OS
changes and patches. The latest release
of the Workstation product, VMware
Workstation 7.0, sets a new standard for
desktop virtualization.
Desktop vs. Server Virtualization
Unlike the current crop of server virtu-
alization products that are hypervisor
based, VMware Workstation is a hosted
virtualization solution. This means that
the virtualization layer runs on top of a
host OS. Hosted virtualization doesn’t
offer the same levels of performance and
scalability as hypervisor-based virtual-
ization. However, hosted virtualization
solutions can offer a level of integration
with the host OS that exceeds what
hypervisor-based solutions can offer. This
integration makes desktop virtualization
a good solution for desktop develop-
ment scenarios, which don’t need the
scalability or performance required by
server virtualization but can benefit
from the greater degree of host desktop
integration. For more information about
desktop virtualization products using a
hosted virtualization architecture, refer
to the sidebar, “An Overview of Desktop
Virtualization Products”, page 71.
Figure 1: VMware Workstation 7.0
400 guest OSs including Windows 7 and
Windows Server 2008 R2. I installed Work-
station 7.0 on a 64-bit Windows 7 desktop
with 4GB of RAM. After completing a
pretty hefty 525MB download, the instal-
lation of Workstation 7.0 was uneventful,
taking only a few minutes. The installation
process required me to input a rather
lengthy license code, then rebooted the
system when it was complete. You can see
the VMware Workstation 7.0 console in
Figure 1.
Creating and Importing Virtual
Machines
On the technical side, Workstation 7.0
supports virtual machines (VMs) with
up to four virtual processors. To take
advantage of this, you must have at least
four cores in your host. Support is avail-
able for up to 32GB of RAM per VM. VMs
can also be encrypted using 256-bit AES
encryption. Workstation 7.0 VMs support
USB, DVD, CD-ROM, sound, and webcam
devices.
With Workstation 7.0, you create
new VMs using the New Virtual Machine
wizard, which steps you through creating
a VM, including installing the OS. As you
can see in Figure 2, the wizard even lets
you set your Windows product code and
the Windows machine name and initial
password. Another nice touch is that
VMware tools are automatically installed
in the guest OS.
In addition, Workstation 7.0 can
import VMs using its built-in Conversion
Wizard. You launch this wizard using the
File, Import and Export option. The Con-
version Wizard can perform a Physical-
to-Virtual (P2V) conversion as well as
convert Microsoft Virtual PC and Virtual
Server VMs, but it doesn’t support the
conversion of Hyper-V VMs. The wizard
leaves the source VM intact and outputs
a new VM that contains the VMware
device drivers.
3D Graphics Support
One limitation of VMs has been their lack
of support for graphically intensive appli-
cations. Graphical drawing and rendering
programs, games, and advanced graphics
such as the Windows Aero interface

Installation and Testing

VMware Workstation runs on virtually
Michael Otey | motey@windowsitpro.com
all releases of Windows as well as every
major Linux distribution. It supports over

70 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


An Overview of Desktop Virtualization Products
They say you get what you pay for; however, in terms of desktop
virtualization products, you can get a lot of value from the free
products that are available. Although these products don’t offer
anywhere near the same feature set as VMware Workstation, they
are all very capable and most of them are free.
Parallels Desktop 4 for Windows & Linux
Parallels plays primarily in the desktop virtualization space with its
Mac product, Parallels Desktop for Mac. Lagging behind the flagship
Mac version is its Windows version, Parallels Desktop 4 for Windows
& Linux, which runs on either x86 or x64 platforms. Unlike the other
desktop virtualization products in this sidebar, Parallels Desktop 4 for
Windows & Linux isn’t free: The product retails for $79. For the price,
the product does offer several cool features. On the technological side
it supports VMs with up to eight virtual CPUs and up to 8GB of RAM
per VM. It provides USB support for VMs and can take advantage of
Intel-VT or AMD-V hardware virtualization if present. Parallels Desktop
brings the Convergence feature to Windows, which essentially lets
you seamlessly integrate VM applications with your Windows desktop
similar to Windows 7 XP Mode. You can download a free trial of Paral-
lels Desktop 4 for Windows & Linux at www.parallels.com/download/
desktop/pd4wl.
Parallels is currently working on a new version of Parallels
Desktop for Windows & Linux, which should be out about the time
this review is published. In addition, Parallels also offers the Paral-
lels Workstation 4.0 Extreme desktop virtualization product. Like
VMware Workstation 7.0, Parallels Workstation 4.0 Extreme provides
support for 3D graphics. It supports up to 16 virtual CPUs per VM
and up to 64GB of RAM per VM. The current version requires the
Intel Xeon 5500 processor and NVIDIA Quadro FX graphics card with
SLI-MOS technology. Parallels Workstation 4.0 Extreme costs $399.
You can find out more about it at www.parallels.com/products/
extreme/features#faster.
Microsoft Virtual PC 2007 and
Windows Virtual PC
Microsoft’s Virtual PC 2007 is more than three years old, which is like
a millennia in the fast-moving virtualization market. When you com-
bine that with the fact that this product was never close to being the
technological leader in this space, well, you get the idea. However, the
product still provides basic desktop virtualization for Windows-based
VMs. Supported guests are limited to Windows. Linux will run, but
Virtual PC 2007 has no Linux VM integration components and Linux
isn’t officially supported. Virtual PC 2007 supports x86 and x64 hosts.
There is no x64 guest support, but it does support a single virtual CPU.
VMs can access up to 3.6GB of RAM. It offers good multiple monitor
support but no USB support in the VMs.
Although Microsoft has essentially put Virtual PC 2007 out to pasture, it’s
the technology behind a couple of other Microsoft virtualization technol-
ogy, including the Med-V product, which is part of the Microsoft Desktop
w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u
P R O D U C T S
REVIEW
Optimization Pack (MDOP), and the new Windows Virtual PC for Windows 7.
Virtual PC 2007 is free and can be downloaded at Microsoft’s website (www
.microsoft.com/windows/virtual-pc/support/virtual-pc-2007.aspx).
Windows Virtual PC is the successor to Virtual PC 2007. It runs only on
Windows 7, and it supports both x86 and x64 hardware. It offers several
important improvements over Virtual PC 2007, including support for USB
ports, support for Windows XP Mode—which allows seamless running
of VM applications from a Windows 7 desktop—and integration with
Windows Explorer for VM management, support for multiple threads, and
host printer access for VMs. Like Virtual PC 2007, Windows Virtual PC lacks
support for 64-bit guest OSs, and it’s limited to one virtual CPU and 3.6GB
of RAM per VM.
Windows Virtual PC is an improvement over Virtual PC 2007, but
its main purpose is really to support Windows XP Mode in Windows 7.
Windows Virtual PC is a prerequisite for Windows XP Mode and is a
separate download that you can find at www.microsoft.com/windows/
virtual-pc/download.aspx. If you’re confused about Virtual PC 2007
and Windows Virtual PC, just remember that Virtual PC 2007 is for Vista
and earlier, whereas Windows Virtual PC is for Windows 7. You can get
Windows Virtual PC from www.microsoft.com/windows/virtual-pc.
VMware Player 3.0
Another VMware product in the desktop virtualization space is the free
VMware Player product. Previously, VMware Player was able to run only
existing VMs and couldn’t create new VMs. VMware Player 3.0 is now
completely capable of creating VMs as well as running them. Player 3.0
runs on both x86 and x64 hardware and supports most Windows and
Linux OSs for the host and in the guest VMs. Player supports VMs with
four virtual processors and up to 32GB of RAM per VM. However, as you
would expect, it lacks the high-end features found in VMware’s Work-
station product. For instance, Player doesn’t support clones, snapshots,
or VM recording. VMware Player 3.0 is free and can be downloaded at
VMware’s website (www.vmware.com/tryvmware/?p=player&lp=1).
Oracle VirtualBox 3.2
If you’re immersed in the Windows world, you might not be familiar
with the other major player in the desktop virtualization market:
Oracle’s VirtualBox (formerly Sun’s VirtualBox). VirtualBox runs on x86
and x64 hardware and has the broadest host OS support of any of the
desktop virtualization products. VirtualBox runs on Windows, Linux, Mac
OS, and OpenSolaris. It provides support for VMs with up to 32 virtual
CPUs and up to 1.5GB of RAM per VM on a 32-bit Windows host. This
limit doesn’t apply to 64-bit hosts. VirtualBox provides a virtual USB
controller, enabling you to connect to physical USB devices on the host
for your VMs. It also provides built-in support for up to eight monitors.
One unique feature in VirtualBox is its support for teleportation, which
is like live migration. Teleportation enables you to move VMs between
hosts with no downtime for the VM. VirtualBox 3.2 is free and can be
downloaded from dlc.sun.com/virtualbox/vboxdownload.html.
InstantDoc ID 125517
Windows IT Pro AUGUST 2010 71
P R O D U C T S
REVIEW
Figure 2: Creating a new VM
couldn’t run in a VM because they used
the physical graphics adapter, which VMs
couldn’t directly address. Instead, VMs were
limited to the capabilities provided by a
virtual graphics adapter.
However, Workstation 7.0 includes
advanced 3D graphics for VMs, includ-
ing the ability to support the Windows
Aero interface. VMware developed a
new graphics driver that’s compliant
with the Windows Display Driver Model
Figure 3: VMware Workstation Jump Lists
72 AUGUST 2010 Windows IT Pro
Windows Vista and Windows 7 VMs and
is capable of displaying the Windows
Aero UI. (It also supports OpenGL
1.4 and Shader Model 3.0.) Worksta-
tion 7.0 is well integrated with the
new Windows 7 desktop. You can see
Workstation 7.0’s integration with the
Windows 7 taskbar and its support for
showing running VMs in Jump Lists in
Figure 3.
W e ’ r e i n I T w i t h Yo u
Other advanced features include sup-
port for the Unity feature. Introduced in
Workstation 6.5, Unity provides seamless
desktop VM application integration similar
to Windows 7’s XP Mode. Workstation
also has a capture movie feature that can
record all activity in a VM and save it in
AVI format.
Workstation 7.0 offers the ability
to take an unlimited number of VM
snapshots, to create full or linked VM
clones, and to create VM teams, which
are a collection of VMs connected by one
or more private network segments. You
can control the boot order between the
different VMs.
Another cool feature in Workstation
7.0 is the ability to print from VMs
without mapping network printers
or installing printer drivers in each
VM. Virtual printing enables all of the
printers installed on the host OS to be
automatically available to the guest OSs
in each VM.
At the Top of the Heap
VMware Workstation was the first product
in the desktop virtualization space, and its
maturity shows in its advanced feature set:
Workstation 7.0 is the clear leader in the
desktop virtualization market. However,
at $189, Workstation 7.0 is also one of the
most expensive desktop virtualization
products on the market. If you need 3D
support or Workstation’s other advanced
features, it’s worth the price. A 30-day trial
is available. Desktop virtualization doesn’t
get any better than this.
InstantDoc ID 125447
VMware Workstation 7.0
PROS: Extremely broad host and guest OS
support; VM support for 3D graphics and the
Windows Aero interface; support for snapshots,
clones, and virtual printers
CONS: More expensive than all the competing
desktop virtualization products
RATING:
PRICE: $189
RECOMMENDATION: If you need a desktop
virtualization product with a full set of top-of-
the-line features, then VMware Workstation 7.0 is
a must-have.
CONTACT: VMware • www.vmware.com/
products/workstation
w w w. w i n d o w s i t p ro. c o m

SharePoint Auditing
and Reporting Tools
Navigate the sea of compliance laws and security “what ifs”
by Brian Reinholz
Information in this buyer’s guide comes from vendor
representatives and resources and is meant to jump-start, not replace,
your own research; also, some products might have been left out,
either as an oversight or from lack of vendor response.
S
harePoint can be used for a variety of functions, including
as a document management solution, an organization-
wide intranet, a project management tool, and even as an
external-facing website. But at its core, SharePoint is an
information storehouse, logically segmenting your data
and enabling efficient collaboration, thereby reducing fear
of miscommunication, inconsistent versions, and lost documents.
Storing data on a SharePoint site makes sense for many organi-
zations. It reduces the load the local network handles and makes
collaborating on documents much easier. Plus, it offers customiz-
ability in terms of restricting and managing access to individuals
at varying levels within the company.
However, there is a downside. The Internet is only as secure as
the systems that protect it, and threats grow and evolve every day. In
today’s Internet age, where 10 million people were victims of identity
theft in 2008 (according to Javelin Strategy & Research Center), many
governmental agencies have pushed for compliance laws to prevent
future attacks. And according to the Privacy Rights Clearing House
data, which documents significant data breaches, wide-scale secu-
rity breaches occur almost every day in the United States (and since
2005, 354,537,108 records have been lost or stolen).
Evolution of Compliance Laws
Compliance laws are good, in principle. They protect individuals and
businesses, and they force organizations to take seriously the threat
of data theft before it’s too late. However, each ounce of prevention
in compliance comes at a cost. According to a Financial Executives
International study, the average cost of Sarbanes-Oxley (SOX) com-
pliance in 2007 for large-scale enterprises was $1.7 million.
Like it or not, SOX is here, forcing all public companies to keep
industrious financial records. A number of other laws exist for specific
industries, such as the financial and medical industries (Gramm-
Leach-Bliley Act and Health Insurance Portability and Accountability
w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u
P R O D U C T S
BUYER’S GUIDE
Act, respectively), where businesses have a special responsibility to
protect the personal information of clients. Finally, all companies
need to be aware of the possibility of e-discovery, when a lawsuit
requires a company to sift through all available electronic data (on
that company’s dime) for some form of data that holds weight in the
case. Lastly, there are specific statewide compliance laws that every
organization should be aware of. Together, these laws and standards
make ignorance out of the question, even for small organizations,
and force all companies to take compliance very seriously.
Native Tools on SharePoint and Their Limitations
Fortunately, native compliance tools do exist on SharePoint.
Although they do not cover the same scope as third-party solutions,
they might offer sufficient compliance protection for some organiza-
tions. First, SharePoint lets you configure user permissions, letting
you prevent unauthorized access that could lead to data loss or theft.
SharePoint also has basic reports to audit site collections.
Some of the things that SharePoint’s native tools can’t do include:
audit data at levels other than the site collection level, prevent data
from being uploaded beforehand, audit sites based on more robust
criteria such as time frame, and track all site changes and deletions.
What to Look for in Third-Party Solutions
It’s important to note that although each third-party solution in this
buyer’s guide seeks to solve the same common SharePoint difficulties,
each works differently. Which solution is best will vary by organization.
For instance, some of the more suite-like products, such as AvePoint’s
DocAve Auditor and Vyapin’s Admin Report Kit, offer auditing/
reporting, migration, and backup and recovery. Other products, such
as Muhimbi’s SharePoint Audit Suite, offer similar capabilities to
SharePoint’s native tools, but expand on the capabilities, offering more
in-depth auditing. Netwrix’s SharePoint Change Reporter, meanwhile,
offers change tracking but doesn’t focus on reporting.
In addition to auditing for compliance, you’ll also find that some
of the products that focus more heavily on reporting, such as Nintex
Reporting, also offer business efficiencies through this reporting. The
same types of reports that aid in compliance can help the business to
remain efficient through visibility into the organizational structure.
Windows IT Pro AUGUST 2010 73
 SHAREPOINT AUDITING & REPORTING TOOLS

In other words, individual compliance
needs will vary extensively depending on
the organization. Some organizations will
have constantly changing user documents
and spreadsheets that contain key informa-
tion, so tracking changes to these docu-
ments on a step-by-step level is essential for
measuring compliance. Other companies
will have stores of sales and contractual
data continually being uploaded to the
SharePoint site, so controlling, tracking,
and restricting new files uploaded to the
site would be very important. Whatever
your need, there is likely a solution in
place, but it’s important to understand the
differences.
Customization Is Always an Option
Because SharePoint is a very flexible tool, you
might decide to have a developer custom-
tailor reports that best serve your compliance

Company Name Product Price (Per Change Change Multiple Site Change Track User Track Details
Server) Tracking Tracking to Tracking Tracking to Permissions of Document
SQL Server Web Parts Usage

AvePoint DocAve Auditor $2,290 Yes Yes Yes Yes Yes Yes
www.avepoint.com
201-793-1111
800-661-6588

Muhimbi SharePoint Audit $799 Yes No Yes No Yes Yes

www.muhimbi.com Suite
+44-7799-624931

NetWrix NetWrix $300 first Yes Yes Yes No Yes Yes

www.netwrix.com SharePoint server, $75
201-490-8840 Change per additional
888-638-9749 Reporter server

Nintex Nintex Call for quote No No Yes No No Yes

www.nintex.com Reporting 2008
425-201-5840

Quest Software Site $2,995 Yes No Yes No Yes Yes

www.quest.com Administrator
614-726-4768 for SharePoint

ScriptLogic Enterprise $616 Yes Yes Yes Yes Yes Yes

www.scriptlogic.com Security
800-813-6415 Reporter

Syntergy Audit for $7,500 Yes Yes Yes No Yes Yes

www.syntergy.com SharePoint
905-266-0676

Vyapin Software Admin $1,099 Yes No Yes No Yes Yes

Systems Report Kit for
www.vyapin.com SharePoint
+91-44-24717142 2003/2007/2010

74 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

 SHAREPOINT AUDITING & REPORTING TOOLS

needs. Although this might not be the most with the vendors in this space to see how
efficient model (in terms of cost and time), their solutions stack up. In the meantime, I Brian Reinholz
(breinholz@windowsitpro
it might be valuable if you feel that your encourage you to review the buyer’s guide .com) is editorial web
company’s needs are radically different from table, which will shed insight on the capa- architect for Windows
most. My advice would be to carefully review bilities of each offering and provide you with IT Pro and SQL Server
Magazine, specializing
your company’s compliance needs with a a head start. in training and
security expert, and then discuss these needs InstantDoc ID 125249 certification.

Export Real-Time Native Customizable Custom SharePoint Versions Windows Server Windows Desktop
Formats Alerting Reports to Data Auditing Report Supported OSs Supported OSs Supported
Measure Creation
Compliance

CSV, PDF, XML No No Yes Yes SharePoint 2010, Windows Server Windows 7, Vista,
2007 MOSS Enter- 2008 R2, 2008, XP
prise, 2007 MOSS 2003
Standard, Share-
Point Portal Server
2003, WSS 3.0

Excel No No Yes Yes 2007 MOSS Enter- Windows Server

prise, 2007 MOSS 2008 R2, 2008,
Standard, WSS 3.0 2003

Email, Excel, No No Yes Yes SharePoint 2010, Windows Server Windows 7, Vista,
HTML, PDF 2007 MOSS Enter- 2008 R2, 2008, XP
prise, 2007 MOSS 2003
Standard, Share-
Point Portal Server
2003, WSS 3.0

Excel, HTML, PDF Yes No Yes Yes 2007 MOSS Enter- Windows Server
prise, 2007 MOSS 2008 R2, 2008,
Standard, WSS 3.0 2003

Excel, PDF, RTF No No Yes Yes SharePoint 2010, Windows Server Windows XP
2007 MOSS Enter- 2008 R2, 2008,
prise, 2007 MOSS 2003
Standard, Share-
Point Portal Server
2003, WSS 3.0

CSV, HTML, PDF, No Yes Yes Yes SharePoint 2010, Windows Server Windows 7, Vista,
RTF, TIF, TXT 2007 MOSS Enter- 2008 R2, 2008, XP
prise, 2007 MOSS 2003
Standard, WSS 3.0

Excel Yes No Yes Yes 2007 MOSS Enter- Windows Server

prise, 2007 MOSS 2008 R2, 2008,
Standard, Share- 2003
Point Portal Server
2003, WSS 3.0

Excel, CSV, HTML, No No Yes Yes SharePoint 2010, Windows Server

MDB, PDF, TIF 2007 MOSS Enter- 2008 R2, 2008,
prise, 2007 MOSS 2003
Standard, Share-
Point Portal Server
2003, WSS 3.0

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 75

P R O D U C T S
INDUSTRY BYTES
■ Security
INSIGHTS FROM THE INDUSTRY
Biometric Security Done Right
When I wrote about current biometric
security devices recently (windowsitpro
.com, InstantDoc ID 125285), I was a
bit disappointed that the security on
these devices wasn’t that robust. But
shortly after that article was published,
I was contacted by Stephen Nation with
Nation Technologies, a small start-up that
specializes in a biometric-based security
product called BIOWRAP.
Unlike a lot of the current biometric
products, which offer convenience and a
little bit of security (plus some added risk),
BIOWRAP is all business when it comes to
security. It offers two-factor authentication
(username/password and fingerprint
recognition), and it has an extensive veri-
fication process, which I’ll get to. Another
advantage of BIOWRAP is that it offers one
central management infrastructure for the
biometric identity, versus having a bunch
of separate biometric identities (which
is just as confusing as today’s username/
password situation.)
“The biometrics market today is
focused on biometrics simply as a matter
of convenience. I mentioned facility
control and access management—
that’s really a convenience. Yes you
have an additional level of security and
transparency, but it conveniently allows
you to get access to the door, or log in
to your PC, but outside that transaction
there’s no value to the biometrics. And
I say that because it’s typically a self-
enrolled or admistrative-enrolled bio-
metric, and outside that enterprise or PC
there’s no true value to it. And it requires
every time you perform a transaction in a
separate system, you have to do another
enrollment. So we get back to this same
model where you have 10 identities, or
10 biometric identities, that are all cre-
dentialed, as opposed to having a single
source of identity,” said Nation.
76 AUGUST 2010 Windows IT Pro
■ Exchange
Founding Principles of BIOWRAP first is to make sure to use high-quality fin-
Essentially, BIOWRAP cuts through the clut- gerprint readers. All readers are not created
ter by offering one central management equal, and the best readers can choose
system, but then puts extra verification pro- what level of resolution to scan for, weigh-
cesses in place to make sure that that one ing convenience (more false positives)
identity is really secure. The primary way against security (more false negatives).
that they do this is in the initial verification According to Nation, “I’ve had this system
process. Before you can get an identity, you up and running and have yet to hear of a
need to meet with a notary-like individual false positive.”
called a registar. The registrar meets with The second step is to also have a
you in person, and only by that individual username/password authentication. The
being an eyewitness to your biometric username and password are encrypted and
scanning (and running the same type of the password isn’t stored anywhere, but it
proof-of-identity checks that a financial promises that even if someone can somehow
company would when you want a loan) get your fingerprint, they still won’t be able
can you get the identity.
Oh, and they have to verify
this process with their own
fingerprint scan too.
Sound a little over the
top? Perhaps, but if you’re
a financial or medical
company, a government
agency, or any enterprise
that handles loads of
sensitive data, it’s better
safe than sorry. “In today’s
environment, there’s no
way to prove that a person
is physically present to indi-
cate they are who they say
they are. It’s a username/
password, or a token, or
something. But with the
registrar, they have to be
physically present, and have
to verify that they are physi-
cally present with their own
fingerprint,” said Nation.
So, let’s assume the
company has a pretty
good idea that you are
you. From there, Nation
Technologies performs two
more security steps. The
W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m
P R O D U C T S
INDUSTRY BYTES
to get in. (Similarly, your username and pass-
word are useless without your finger.)
Additionally, this multi-factor authen-
tication makes the biometric scan more
accurate. Instead of skimming through a
database of available fingerprints in your
company, this system knows exactly who
it’s looking for (because of the username/
password), so it’s just scanning your
fingerprint reading against it.
“When you perform the authentication
[with other solutions], it has to scan through
all the other fingerprints to match against the
enrolled fingerprint. That’s why we operate
Azaleos Takes a Hybrid Approach to Exchange Storage
Microsoft has made some big storage-
related changes in Exchange Server 2010.
Specifically, it’s now easier to afford a
high-availability Exchange infrastructure
by using existing or inexpensive commod-
ity hardware (SATA in some cases)—rather
than expensive, new SAN devices, for
example. So, what’s the safest and most
economical storage approach for the next
generation of Exchange Server?
I recently spoke with Azaleos’s Lee
Dumas, a Microsoft Ranger and a leading
Exchange authority outside of Microsoft. In
the past, Dumas has written for Windows IT
Pro about storage basics. We talked about
how today’s companies—stretched thin
by the economy, or just looking for a more
manageable approach to a highly complex
back-end technology—can best handle
the changes that Microsoft has made in
Exchange 2010’s storage architecture.
78 AUGUST 2010 Windows IT Pro
with multiple-factor authentication—
username, password, and fingerprint. We
perform a one-to-few comparison."
As one final feature, you can create contact
groups and have access based on the groups.
For instance, if HR is a group, you could make
all personnel files encrypted access to work
only for people in HR. “It’s basically an Active
Directory on steroids,” said Nation.
Implementation Details and Cost
The BIOWRAP technology currently works
for hardware logins, file access, and facility
access. BIOWRAP has a standalone file
“Exchange 2010 is the most stable ver-
sion of Exchange yet,” says Dumas, “but it
comes with extra complexities. At a time
when companies just want to lower their
costs, that’s a difficult pill to swallow. Yes,
Exchange 2010 has made it possible to
achieve lower-cost storage. Don’t throw
away your SAN! Microsoft is saying you can
take advantage of that low-cost storage. But
you still need management and alerting. The
complexity is still there.”
Azaleos is taking a unique approach
to the challenge by offering a hybrid solu-
tion that’s essentially a managed-service
product. The data stays in-house, and
management occurs from afar. The com-
pany’s patented technology remotely
monitors Exchange 2003, Exchange 2007, or
Exchange 2010 wherever it resides, sending
key data points to Azaleos’s Network Opera-
tions Centers, where certified Exchange
W e ’ r e i n I T w i t h Yo u
management solution that comes with it,
but most enterprises will prefer to integrate
it with their existing content management
system in place. (It currently does not
integrate with SharePoint but it may in the
future.) Down the road, the technology
should also work with website logins.
The per-device cost of BIOWRAP is:
$250 for a one-time set up, and a licensing
fee is $20/month for unlimited usage and
support. BIOWRAP has just recently made
its national debut—Nation Technologies
was founded in 2005.
—Brian Reinholz
experts proactively manage the environ-
ment on a 24x7x365 basis. “Our software
lets us manage data remotely,” Dumas says.
“Software sits on both sides. We’ve invested
a lot in our operations team. We’re all Aza-
leos employees; there’s no outsourcing.”
Azaleos offers a comprehensive, reli-
able set of remotely managed services for
Exchange messaging, SharePoint Server, and
Office Communications Server. Azaleos is
offering four different Exchange 2010 stor-
age configurations designed to decrease
hardware costs and meet each organization’s
unique business requirements. Depending
on the configuration chosen and the type
of infrastructure already in place, companies
can reduce their deployment costs by up to
40 percent when migrating from Exchange
2007 to Exchange 2010, and even more
when switching from Exchange 2003.
—Jason Bovberg
w w w. w i n d o w s i t p ro. c o m
 AD INDEX
For detailed information about products in this issue of Windows IT Pro, visit the web sites listed below.

COMPANY/URL PAGE COMPANY/URL PAGE COMPANY/URL PAGE

1&1 Internet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77 Hotels.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10 Sunbelt Software Inc. . . . . . . . . . . . . . . .Cover 3

www.1and1.com www.hotels.com/hotel-deals/wrwin1 www.sunbelt-software.com
APC/Schneider Electric . . . . . . . . . . . . . . . . . . .17 IBM Corporation . . . . . . . . . . . . . . . . . Cover 2, 1
Train Signal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
www.apcc.com/promo www.ibm.com/systems/ex5
Citrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22, 23 PowerWF Studio. . . . . . . . . . . . . . . . . . . . . . . . . .78 www.trainsignal.com
www.citrix.com/XenDesktop www.powerwf.com/mg1 WinConnections Fall Event . . . . . . . . . . 12, 64B
Diskeeper Corporation . . . . . . . . . . . . . . . . . . . . 6 Privacyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
www.WinConnections
www.diskeeper.com/v2 www.privacyware.com
Windows IT Pro. . . . . . . . . . . . . . . . . . . . . . . 18, 44
HP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Cover 4 Quest Software Inc. . . . . . . . . . . . . . . . . . . . . . . . 3
www.hp.com/servers/unleash12 www.quest.com/trabsform www.windowsitpro.com

VENDOR DIRECTORY The following vendors or their products are mentioned in this issue of Windows IT Pro on the pages listed below.

A10 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Kerio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68 Rove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67

Apple . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Aprigo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Argent Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
AvePoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
AVIcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Azaleos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Brocade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Citrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Lyzasoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Muhimbi Ltd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Nation Technologies. . . . . . . . . . . . . . . . . . . . . . . . . .76
NetWrix Corporation . . . . . . . . . . . . . . . . . . . . . . . . .74
Neutex Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Nintex. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Oracle. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Parallels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Sans Digital . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
ScriptLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63, 74
Specops Software . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Spiceworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Symantec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Symplified . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Syntergy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74

Corner Bowl Software . . . . . . . . . . . . . . . . . . . . . . . .64 ProStor Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60 Telerik. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63

Dundas Data Visualization . . . . . . . . . . . . . . . . . . . .62 Quest Software. . . . . . . . . . . . . . . . . . . . . . . . . . . 62, 74 VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63, 70
Idera . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62 Rebit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 Vyapin Software Systems . . . . . . . . . . . . . . . . . . . . .74

DIRECTORY OF SERVICES | WINDOWS IT PRO NETWORK

Search our network of sites dedicated to hands- Windows IT Pro VIP NEW WAYS TO REACH
on technical information for IT professionals. Get exclusive access to over 40,000 articles and WINDOWS IT PRO EDITORS:
www.windowsitpro.com solutions on CD and via the Web. Includes FREE
Support access to eBooks and archived eLearning events, LinkedIn: To check out the Windows IT Pro
Join our discussion forums. Post your questions plus a subscription to either Windows IT Pro or group on LinkedIn, sign in on the LinkedIn
and get advice from authors, vendors, and other SQL Server Magazine. homepage (www.linkedin.com), select the Search
IT professionals. www.windowsitpro.com/go/vipsub Groups option from the pull-down menu, and use
www.windowsitpro.com/go/forums “Windows IT Pro” as your search term.

News
Check out the current news and information
Facebook: We’ve created a page on Face-
book for Windows IT Pro, which you can access
about Microsoft Windows technologies. SQL
Q SERVER MAGAZINE at: http://tinyurl.com/d5bquf. Visit our Facebook
www.windowsitpro.com/go/news page to read the latest reader comments, see links
Explore the hottest new features of SQL Server, and
EMAIL NEWSLETTERS discover practical tips and tools. to our latest web content, browse our classic cover
www.sqlmag.com gallery, and participate in our Facebook discus-
Get free news, commentary, and tips delivered sion board.
automatically to your desktop.
asp.netNOW
ASSOCIATED WEBSITES Twitter: Visit the Windows IT Pro Twitter page at
DevProConnections UPDATE www.twitter.com/windowsitpro.
Exchange & Outlook UPDATE DevProConnections
Security UPDATE Discover up-to-the-minute expert insights, infor-
SharepointPro Connections UPDATE mation on development for IT optimization, and
solutions-focused articles at DevProConnections.com,
SQL Server Magazine UPDATE
where IT pros creatively and proactively drive busi-
Windows IT Pro UPDATE ness value through technology.
Windows Tips & Tricks UPDATE www.devproconnections.com
WinInfo Daily UPDATE
www.windowsitpro.com/email SharePointPro Connections
RELATED PRODUCTS Dive into Microsoft SharePoint content offered in
specialized articles, member forums, expert tips,
Custom Reprint Services and Web seminars mentored by a community of
Order reprints of Windows IT Pro articles. Diane peers and professionals.
Madzelonka at Diane.madzelonka@penton.com. www.sharepointproconnections.com

w w w. w i n d o w s i t p ro. c o m W e ’ r e i n I T w i t h Yo u Windows IT Pro AUGUST 2010 79

 CTRL+ALT+DEL
by Jason Bovberg

For the Ladies

PRODUCT OF THE MONTH
Our favorite product this month is Efficient Software’s Efficient Lady’s
Organizer, a Windows personal information management (PIM)
application designed especially for women—by women. “Behind the
stunningly fashionable interface is a software powerhouse that com-
bines a calendar, contact manager, planner, reminder, diary, notepad,
and password manager,” the company’s decidedly pink website reads.
Our favorite quote? “It has a fashionable and pretty interface—a
ce—a
e—a
choice only of happy and demanding ladies!” product
ies! This produ
roduct
ct iiss id
ideal
for the Sex and the Cityy fan. information,
an. For more iinforma
ati
tion, visit
sit the Effi
E
Efficient
Softwaree website at www
www.ladysorganizer.com.
w.ladysorganizer.co
l r.co
com.
om
EEfficient
Effic
ficient Lady’s
y Organizer
g

User Moment of
… um
um … the Month
In the 1990s, I worked as temporary Desktop Support
at a software company. One of the first tickets given to
me read, “I need a battery recharger that doesn’t plug
into a wall outlet.” I called the user and asked for more
clarification to better assist her. She said, “I’m flying to
Asia in two weeks, and it’ll be about a 20-hour flight.
… ye
y ah
h… I’m taking my laptop and two laptop batteries with
me. Since I’ll be using one battery to do work on my
SEND US YOUR laptop, I figured I could plug the other battery into the

INDUSTRY HUMOR! recharger. But there are no outlets on the airplane, so

the battery recharger needs to be able to recharge with-
Email your industry humor, out using a wall outlet.” I told the user to go ahead and
scandalous rumors, funny screenshots, submit the paperwork to purchasing. The purchasing
favorite end-user moments, and
department still gets on my case about that one.
IT-related pics to rumors@
windowsitpro.com. If we use your —Paul
submission, you’ll receive a
CTRL+ALT+DEL
GIFT.
August 2010 issue no. 192, Windows IT Pro (ISSN 1552-3136) is published monmonthly.
nthly. Copyright 2010, Penton Media, Inc., all rights reserved. Windows is a trademark or registered trademark rk of
Microsoft Corporation in the United States and/or other countries, and Win Windows
ndows IT Pro is used under license from owner. Windows IT Pro is an independent publication not affiliated
affili with
Microsoft Corporation. Microsoft Corporation is not responsible in any way for th
the editorial policy or other contents of the publication. Windows IT Pro, 221 E. 29th St.,
St. Loveland,
Lo CO 80538, (800)
793-5697 or (970) 663-4700. Sales and Marketing Offices: 221 E. 29th St., Loveland
Loveland,
nd, CO 80538. Advertising rates furnished upon request. Periodicals Classlass postage
posta paid at Loveland, Colorado, and
additional mailing offices. POSTMASTER: Send address changes to Windows IT T Pro,
P 221 E. 29th St., Loveland, CO 80538. SUBSCRIBERS: RS: Send all inquiries, payments, and address changes to
Windows IT Pro, Circulation Department, 221 E. 29th St., Loveland, CO 80538. Printed
Printted in the USA.

80 AUGUST 2010 Windows IT Pro W e ’ r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m