Unfortunately this isn't one of those success stories. But then again, if I wrote about those I'd be hitting a few thousand posts a year, and they're really boring to write about.
We began the project by powering up some virtual machines and test importing the configuration from ISA 2006 to Forefront TMG 2010, and all appeared fine. The ruleset was there, the VPN configurations were there, and so on. Test data seemed to pass through nicely.
The migration went through and we put the box live, decommissioning the old ISA 2006 hardware. Everything seemed fine until larger quantities of traffic started passing through the box. The logging was showing a lot of packets being dropped on the floor with no source, destination or protocol recorded; active FTP and SIP traffic was also problematic; and the box would randomly decide to stop passing everything, as though the service had stopped. The irritating thing was that it simply wasn't consistent.
After poking into the configuration we started noticing a lot of problems:
- The domain controllers computer set had entries that were flat out wrong and not present in the ISA configuration
- The Web Proxy Auto-Discovery Protocol (WPAD) file was wrong
- DNS was starting to go down VPN tunnels, but there were no DNS addresses configured on the interfaces
- And a whole host of other niggly issues
After fixing these the box was still randomly dropping things, and as the data flow increased (and not to extreme levels - we're talking a 10Mbit/s leased line here) so did the drop outs. At this point it was becoming more than an irritation and more of a service-affecting problem. I elected to rebuild it with non-R2 Windows Server 2008, and to manually create the configuration from documentation. Although I would've loved to have got to the bottom of the problem, rolling back would've been as much of a pain at this point, and the customer was rightly beginning to get fidgety.
So why non-R2 Windows Server 2008? A couple of reasons: all our other deployments of TMG 2010 are on non-R2 and are stable, we noticed our original test box for this project was non-R2, and there are also rumblings of other people having issues with R2 on a couple of TechNet threads. Although I'm not 100% convinced that R2 is to blame here, frankly we didn't need R2, and I only wanted to do this once as the whole job needed to be done out of working hours.
Since the OS rebuild and manual build of the configuration, touch wood, it seems to be a lot more stable. No more weird packets getting logged, no more weird FTP or SIP problems, no more random drop outs.
My thoughts on TMG 2010 aren't favourable at this point, but it's not just because of the problems. Ostensibly it feels like ISA 2006 with a few interesting bits bolted on, and unless you require ISA or TMG in your environment, I wouldn't recommend it. There's still no real IPv6 support, without SP1 it feels very wobbly, and for a few features that you might not need it's an expensive upgrade.
Realistically you can pull off the same feature set with a different combination of products; a "real" firewall and an internal proxy server, for example. This isn't to say that you shouldn't put TMG 2010 in anywhere. It does have some very useful features, but just look at your options carefully. Perhaps you don't need to upgrade. Perhaps you may find a better-fitting solution.
A little less than a month ago Patrick from Red-Track online marketing contacted me and wanted to know if I'd be interested in reviewing a TrainSignal training DVD, specifically one about Exchange 2010.
If you want the final word on the quality of the training head straight to the final paragraph, otherwise strap in: this is a long post.
I'll have to be honest, I had never heard of TrainSignal until that point, and I was wondering if it was a bit of a scam. However, several days later a set of DVDs arrived via UPS. What I received was a set of 3 DVDs, in a standard DVD case, and a little shipping note. Having not actually ordered them myself I don't know if I should've got a little "this is your training" letter, or if that's just it. I would say that a little note would have been nice, especially pointing out the interesting bits about DVD 3. To me this DVD would be the one that would most interest a lot of the busier, and perhaps younger, generation. It has pre-converted versions of all the training videos, for iPods/iPhones, and it also has audio-only versions. The README on DVD 1 and 2 didn't mention this at all, and it would've been nice.
In terms of the actual content of DVD 1 and 2, you get a DVD with a bunch of folders, one of which is a codec directory, a bunch of lesson directories, a notes directory that has a nice set of PDFs you can print to take notes on (very useful for a class environment) and another about the lab setup, along with the obligatory Windows autorun, and a small README. There are a few other files and folders, but you probably won't care too much about them.
The README itself says that the DVDs require Windows and Internet Explorer, however you can just dive into the directories and open up the AVI files using your favourite video player. In my case I watched some of the videos on my desktop, under Windows using IE, and then I switched to using VLC under OS X and later Ubuntu. If you're a "power user" understanding this won't be an issue for you, however on the off chance that a less experienced user receives these and has a non-Windows desktop it would have been nice to point this out.
The actual content of the training videos is very professional, as you should expect. You have a voice over from J. Peter Bruzzese, and a video that has slides and screen capture, which is all clearly explained. The video starts off with an introduction and an explanation as to what you should expect from the series, and even better does tell you that if you've got experience with Exchange 2007 that you can just jump about a bit. I thought that was a nice touch. It could be argued that it's a bit redundant, however it's a nice nod to those who know the previous version nicely.
The videos will take you through the configuration, how to build a similar lab setup, and outline a real world scenario. It's this scenario that the rest of the videos are based around. To me I think that's a very important thing to have done. A number of the other training videos I've had to sit through have been very abstract, and forced. It prevents you from really connecting with the content, and you don't always learn.
Having set up 2 production Exchange 2010 organisations in the last year, one of which is using what many will consider an "advanced feature" (Database Availability Groups), and another that was running from the Beta, I found the pace to be very slow and I actually watched all of the videos at an accelerated rate. By the end I had managed to ramp up to 2.2x speed, only dipping slower to listen in on the bits that I've not yet used or I was concerned may've been lacking. I'm not suggesting that you do this, but if you do know Exchange 2010 I'd suggest that you select the videos you want to watch carefully.
However, I have no doubt that it's extremely accessible if you're completely new to Exchange, or if you're coming to it from Exchange 2003 or prior.
The videos end with an outline of the Exchange 2010 certification exam. My concern with that would be that some may rely on that a little too much. It would've been nice to hear a statement outlining that you should really check to see if there have been any amendments, and so forth.
The only other concerns that I've got are that it is pre-service pack 1, it brings up remote file servers (which I thought had been dropped from Exchange 2010, despite being left in the GUI), and I found the video on Database Availability Group to be a little lacking.
Now, in Peter's defence I've only recently set up DAG, and it is very much a feature that you should do research into before deploying. But it would've been nice to see a mention about running multiple networks, and more DAG customisation. In contrast the other "advanced" section on Unified Messaging was detailed enough to bring you up to date on what you need to know, common issues, and what you may need from your phone guys.
Ultimately J. Peter Bruzzese is a knowledgeable, well spoken instructor. The training is good quality, although you certainly want to ensure that you know what you're buying. If you have been working with Exchange 2010 in production for some time, and have been playing with it during beta, you may want to look elsewhere. This is definitely training for those with little to no experience of Exchange since 2003, or prior, or none at all. However, if you have other staff who have little experience with Exchange 2010 then I heartily recommend TrainSignal's Exchange 2010 training. You won't be disappointed.
If you're using a combination of a scripting language, diskshadow and Task Scheduler to back up your Hyper-V machines, take special care to make sure that Task Scheduler does not cut off the job whatsoever. Doing so can cause the host server to crash out. It doesn't seem to be perfectly repeatable, but I've been able to track down an issue we were having at work where the power was blipping very briefly at a customer's site, causing Task Scheduler to stop the job, which immediately crashed out the host box. Unfortunately it only seems to crash out in this circumstance, when attempting to back up certain virtual machines, although I'm yet to figure out a pattern.
Removing the "stop task if computer goes onto battery power" option and then ensuring that the UPS interface software takes care of it when the battery runs low is a good enough solution for us, for now.
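As an added example (not code from the original post), the following PowerShell first lists every scheduled task that Task Scheduler is allowed to stop on a power event or a run-time limit, then clears those settings on the backup task. It assumes the ScheduledTasks module (Windows Server 2012 / Windows 8 and later); the task name 'HyperV-Backup' and the task folder '\Backups\' are assumed placeholders.

```powershell
# Added example, not code from the original post. Assumes the ScheduledTasks
# module (Windows Server 2012 / Windows 8 or later). The task name
# 'HyperV-Backup' and the folder '\Backups\' are assumed placeholders.

function Get-InterruptibleTask {
    # Tasks that Task Scheduler may kill mid-run: when the host goes onto
    # battery power, or when the execution time limit (default PT72H) expires.
    param([string]$TaskPath = '*')
    Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Settings.StopIfGoingOnBatteries -or
            $_.Settings.DisallowStartIfOnBatteries -or
            $_.Settings.ExecutionTimeLimit -ne 'PT0S'
        } |
        Select-Object TaskName, TaskPath,
            @{ n = 'StopOnBattery';    e = { $_.Settings.StopIfGoingOnBatteries } },
            @{ n = 'NoStartOnBattery'; e = { $_.Settings.DisallowStartIfOnBatteries } },
            @{ n = 'TimeLimit';        e = { $_.Settings.ExecutionTimeLimit } }
}

function Set-TaskUninterruptible {
    # Clear the settings that would cut a running diskshadow/export job short,
    # then read the task back so the change can be confirmed.
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [string]$TaskPath = '\'
    )
    $task = Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -ErrorAction Stop
    $task.Settings.StopIfGoingOnBatteries     = $false   # the option the post removes
    $task.Settings.DisallowStartIfOnBatteries = $false   # let it start on UPS power too
    $task.Settings.ExecutionTimeLimit         = 'PT0S'   # ISO 8601 zero duration = no limit
    Set-ScheduledTask -InputObject $task | Out-Null
    Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath |
        Select-Object TaskName,
            @{ n = 'StopOnBattery'; e = { $_.Settings.StopIfGoingOnBatteries } },
            @{ n = 'TimeLimit';     e = { $_.Settings.ExecutionTimeLimit } }
}

# Audit the backup folder, then fix the one task that drives diskshadow.
Get-InterruptibleTask -TaskPath '\Backups\' | Format-Table -AutoSize
Set-TaskUninterruptible -TaskName 'HyperV-Backup' -TaskPath '\Backups\'
```

Run Get-InterruptibleTask without a path to audit every task on the host; the UPS software, not Task Scheduler, should then decide when a job has to stop.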
One point twenty one jiggawatts! Yesterday (March 8, 2010) the OpenSSH project released version 5.4 and naturally will start hitting the various distributions and platforms soon, and again there are some great things to be interested in:
- Although many distributions of OpenSSH have SSH1 disabled, the project is now shipping with SSH1 disabled by default.
- There is the ability to revoke keys (host and user) in both sshd and ssh.
- Netcat mode connects stdio on the client to a single port forward on the server. For example the following would connect to smtp.server.example.org on port 25, and redirect the output to stdio on my client side. Useful if you need to test connectivity to a mail server, but can't from your direct location, but can from your SSH server (my.ssh.server.example.org).
  ssh -W smtp.server.example.org:25 my.ssh.server.example.org
  That has pretty much bags of possibilities, ranging from simple connection tests to piping a file to a remote server that you can't get to directly.
- sftp-server has gained a read-only mode!
- Passphrase-protected SSH2 private keys are now protected with AES-128 instead of 3DES. This applies when you re-encrypt your key or create a new one.
Feb 24, 2010 by the_angry_angel
Categories: Geek, Windows, Daily HTF and System Administration
Mark Baggett over at PauldotCom put together an interesting article on running a command on every machine in your domain from the command line. I genuinely hadn't considered tying dsquery and WMI together in this way. The best thing is that with a little tweaking you can easily run the same command against a subset of your domain. For instance, say you had X terminal/web/SQL servers that all lived in the same OU - just dsquery against that OU and you're laughing.
If you're looking after any more than a handful of servers, without something like SMS/MOM/something you've rolled yourself, then this is a real time saver.
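As an added example (not Mark Baggett's script or anything from his article), here is the same idea in PowerShell: select the computers under one OU and run a single script block on all of them, keeping the unreachable hosts separate from the results. It assumes the ActiveDirectory module (RSAT) on the admin box and WinRM enabled on the targets; the OU distinguished name is an assumed placeholder.

```powershell
# Added example, not Mark Baggett's script. Assumes the ActiveDirectory module
# (RSAT) locally and WinRM on the targets. The OU DN is an assumed placeholder.

function Invoke-CommandOnOU {
    param(
        [Parameter(Mandatory)][string]$SearchBase,       # e.g. 'OU=Web Servers,DC=example,DC=org'
        [Parameter(Mandatory)][scriptblock]$ScriptBlock, # what to run on each host
        [int]$ThrottleLimit = 16                         # parallel sessions
    )
    # Counterpart of "dsquery computer <OU DN>": enabled accounts only, by DNS name,
    # so the subset is defined by where the object lives rather than by a hand list.
    $targets = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
               Select-Object -ExpandProperty DNSHostName
    if (-not $targets) { Write-Warning "No enabled computers under $SearchBase"; return }

    $failed  = @()
    $results = Invoke-Command -ComputerName $targets -ScriptBlock $ScriptBlock `
                   -ThrottleLimit $ThrottleLimit -ErrorAction SilentlyContinue `
                   -ErrorVariable failed
    # Hosts that refused the session or were unreachable are reported, not silently skipped.
    foreach ($err in $failed) {
        Write-Warning ("{0}: {1}" -f $err.TargetObject, $err.Exception.Message)
    }
    $results   # each object carries PSComputerName, added by Invoke-Command
}

# Usage: OS and last boot time for every server in the (assumed) web server OU.
Invoke-CommandOnOU -SearchBase 'OU=Web Servers,DC=example,DC=org' -ScriptBlock {
    $os = Get-WmiObject Win32_OperatingSystem
    [pscustomobject]@{
        OS       = $os.Caption
        LastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
    }
} | Sort-Object PSComputerName | Format-Table PSComputerName, OS, LastBoot -AutoSize
```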