Paul's Down-Home Page: Exchange, security, and more

Last month I wrote a bit about MailTips and Group Metrics processing that happens on Exchange 2010 mailbox servers. Now for some deeper follow-up.

First, E.J. Dyksen has a good post on general MailTips troubleshooting on the Exchange team blog. Go read it. (Don't worry; I'll wait for you to come back.)

Back already? Great. Now let's get to it.

Group Metrics creation is on by default; it's controlled by the organizational GroupMetricsGenerationEnabled setting. Every mailbox server that generates an OAB will also generate Group Metric data for the entire organization. Other mailbox servers will not generate any GM data, unless and until you enable them to do so.

Clients ask the CAS for Group Metric data. A given CAS server will assemble a list of Group Metrics servers, then use AD sites and site link definitions to find the "best" server for getting a copy of the Group Metrics data. The list contains servers that generate OABs for that CAS, plus mailbox servers that are explicitly enabled for Group Metrics generation. (Note that this means that CAS servers that don't host any OABs also won't host any Group Metrics data.)

When does all this happen? By default, Group Metric generation happens at midnight, plus or minus three hours. You can change that time using the GroupMetricsGenerationTime parameter, in which case the +/- 3-hour offset doesn't apply. Also, after you change the time, you'll notice that the next Group Metrics generation follows the old schedule, then the new schedule kicks in.

There's no way to force regeneration from the UI, although you can stop and restart the Microsoft Exchange Service Host service on any server to force an update. However, updating the Group Metrics data won't force the CAS servers to pull the new update; for that, you have to restart the Microsoft Exchange File Distribution service.

I am an early adopter (but then if you've been reading this blog for more than 10 minutes, you knew that already). Recently, two fairly new pieces of technology have been working together in a, shall we say, unexpected way.

First is Outlook 2010, which I've been running for some time. Overall I like it a lot; it performs well, it supports multiple Exchange accounts, and it has lots of grace notes (like the configurable "Quick Steps" feature) that make using it both easier and more pleasant than earlier versions.

Second is the newest release (3.1) of the Facebook client for the iPhone. It has the option to automatically sync Facebook data (including profile links and pictures) for contacts it finds in your iPhone address book.

Put these two together, and what do you get? Pictures of people you don't really know showing up in Outlook, like this:

Yes, that's right: any time I exchange mail with someone whose e-mail address is registered with Facebook, I get their picture! In this case, a college student bought a book I had listed on Amazon, and she was writing to ask whether I'd shipped it or not. Imagine my surprise to see a picture of her and her two BFFs (at least that's who I assume the other two girls are.)

What's making that happen? Outlook 2010 has a feature called "Suggested Contacts" that automatically adds the e-mail addresses of people you correspond with to a new "Suggested Contacts" folder. This replaces the old .nk2 file that earlier versions used for nickname autocompletion. Unfortunately, Suggested Contacts appears to most applications (well, the ones that aren't Outlook 2010) as a regular Contacts folder. On the iPhone (and in Mail.app) that means that people you've exchanged e-mail with show up in your contact list until you manually purge them.

The Facebook app on the iPhone is trying to be helpful, so it looks for people in your address book—which now includes the contents of Suggested Contacts—and downloads their pictures. Ta da! Instant confusion.

The contact-picture feature is one of my favorite Outlook 2010 enhancements, so I'm not going to turn it off. Likewise, having up-to-date pictures of my actual Facebook friends is a neat feature, so i"m leaving it on as well. For now, that means that I'm stuck occasionally seeing pictures of people I don't know—part of the price for being an early adopter, I guess.

Good news: I have tag clouds working on my blog, about five years after the rest of the Internet got them working.

Bad news: now I have to go back and retag a thousand-plus posts if I want the cloud to be useful.

Windows users have more security options, and that's just the way it is. Or is it?

Let's start with the obvious: I love BitLocker and I cannot lie. Despite its faults, it remains a great example of a real-world security feature that delivers immediate value. It's fully supported by the OS manufacturer, meets government security standards, and doesn't have to rely on skanky hacks to work its magic.

Windows laptop users can also take advantage of Seagate's Momentus FDE line of disk drives. These disks, sometimes called self-encrypting disks or just SEDs, perform hardware encryption, and they are qualified by the US National Security Agency as meeting NSTISSP #11. Unfortunately, these drives require support in the BIOS. Since Apple's laptops all use EFI instead of the standard x86/x64 BIOS, you can't just plop a Momentus FDE into your Mac and expect it to work.

The only solution I've found to get an SED to work in a modern Mac laptop is from WinMagic. Their SecureDoc product is essentially a full-volume encryption tool that competes directly with BitLocker, as well as with other FVE products from PGP, PointSec, and so on. The big difference: the Mac version of SecureDoc supports Momentus FDE disks. Naturally I had to try it.

Installation is simple: you run an installer, which adds a couple of kernel drivers and modifies the boot loader. If (and only if) it detects an unlocked Momentus FDE as the boot volume, it will ask whether you want to use hardware or software encryption. (The installer also tells you that it will change the system's hibernation mode, but let's not get ahead of ourselves yet…)

When you're done, you must reboot, at which point you see the new (and quite ugly) SecureDoc login screen. When you log in here, the SecureDoc bootloader unlocks the FDE disk and the normal Mac OS X boot cycle proceeds.

The docs ask that you turn off pagefile encryption by unchecking the "Use secure virtual memory" option in the General pane of the Security preferences tool. This makes sense: there's no reason to ask the OS to encrypt the page file if the disk on which it lives is already encrypted. You must also turn off the "Put hard drive to sleep whenever possible" checkbox, as the OS doesn't deal well with having the disk go to sleep (and thus get locked) while you're using it.

In my test install, I ran into an odd problem: the machine would freeze when waking from sleep. The cursor and keyboard would work normally, but I'd get the spinning rainbow pizza of death. After doing some digging, and with the help of WinMagic's tech support folks, I determined that the system's hibernation mode wasn't properly set by the installer. (Page 4 of this document is the only place I've found the different hibernation mode codes explained.) Uninstalling the SecureDoc software, manually setting the hibernation mode with the pmset tool, and reinstalling it fixed the problem and it has worked flawlessly since.

The standalone version of SecureDoc doesn't have the same set of management or control features that BitLocker does. Of course, that's because WinMagic wants you to buy their server-based toolset, which uses a group policy-like mechanism to enforce whatever encryption policies you choose. Without having tested either the server tool or the Windows version, I'm not ready to pick a winner between BitLocker and SecureDoc, but for the Mac it's a low-impact solution that does what it says, and I'm happy with it so far.

In part 1, I started talking about how I got into the writing business. Part 1 ended with me having written a couple of non-Windows-related books (including this) and contributing to several Windows-oriented books (like this). I began to wonder if it made sense for me to get an agent, so I started talking to David Rogelberg, the owner of StudioB. He offered me the tempting possibility of being able to write for O'Reilly, something I had always wanted to do. I signed on as a StudioB client and, true to his word, David got me in touch with O'Reilly about writing a book on programming for the Palm Pilot.

Of course, I didn't know anything about programming for the Pilot, but I wasn't about to let a minor technicality stop me.

What did stop me was a communications mixup between Robert Denn, my editor at O'Reilly, and another ORA editor who shall remain nameless. This other editor had signed Rhodes and McKeehan-- the experts who had written a book on Newton development too-- to write a Palm programming book. That left them in the position of having two PalmOS books under contract, only one of which would be written by, y'know, people who knew what they were doing.

Robert offered to let me write a book on another topic. In fact, he even gave me my pick of topics. I wish I could say that I jumped at the chance to write about Exchange, but I didn't. I had to be more-or-less bullied into it my my agent, who realized the long-term potential of working in the Exchange market. I didn't know anything about Exchange either, but I was quickly determined to learn, given that I had just signed a contract to write about it. I started joining every Exchange-related mailing list in sight, printed out all the product documentation, and set up Exchange using Virtual PC on my Powerbook. (Yes, that's right; my O'Reilly Exchange book was written on a Mac-- a trend which continues to this day).

I learned sooooo much from the folks on the swynk Exchange list. Not only were there rock stars like Andy Webb, Missy Koslosky, and Ed Crowley there; there were also a ton of Exchange developers. Just to cite one example, one of the primary perpetrators of the Exchange 5.5 MTA was on the list, as was Laurion Burchall, one of the key ESE developers. Everyone on the list was super generous with their time and knowledge, and it didn't take me long to get up to speed. (My first "live" exposure to the community, though, was attending the 1998 MEC. I was there when Tony Redmond made his famous "I'll pass on the clap" remark, and I heard Pierre Bijaoui explain that the average human has one breast and one testicle!)

Coincidentally, at about the same time I got a call from O'Reilly: Windows NT Pro magazine was looking for someone to write a regular Exchange column. Was I interested? You bet I was! I started writing it in September of 1998 and it's been in print ever since, although it's morphed into a few different forms.

All this time I was still holding down a real job at LJL Enterprises, writing crypto code on the Mac. Eventually my agent brought me an offer that was too good to refuse: Ford Motor Company wanted someone to write a book about their CAD system. I gave my two weeks' notice, set up my home office, and got ready to hang out my own shingle as a full-time author. That's when the real adventures started...

A thoughtful post from my pal Bo Williams on his decision that he wants to weigh less than 300 lbs. I am right there, except that 200 is my personal high-water mark (and one, frankly, that I'm already over). I was holding steady at about 190 for a good while, but not long after Dad died I put on around 10 lbs. Not for any reason, mind you; it just sort of happened. Since then I've hovered right around 205, which is a bit more of me to love than I think there should be.

In the back of my mind lurk two things. First is the shadow of Dad's diabetes. At his funeral, I was sitting around a table with a first cousin, two aunts, and two uncles... all of whom are either diabetic or pre-diabetic. The last time I had my bloodwork done (in September), my glucose was 94; the cutoff for being considered pre-diabetic is 100. I have a huge weakness for sweets, and that's something I need to really work on. Apart from that, my lipid levels are all pretty good, so I'm not immediately worried about them.

Second is what my kids see: they see me making essentially no daily effort to exercise. In the past I've been regular about running on our treadmill (which, sadly, is now gone), but with the dawn of a new year it's time for me to get back in the groove. Accordingly, today I went and signed us up at the local Anytime Fitness. Arlene, David, and I now have 24/7/365 access to a really nicely-equipped gym less than 2 miles from our house.

I plan to couple that with a return to logging my food intake, which worked pretty well the last time I tried it. Seven years ago I said my target was 181, and this time I really mean it!

I love using RSS to keep track of various information sources, and I just found out that there's an RSS feed of KB articles for Exchange Server 2010. Use this feed along with your preferred aggregator to keep track of the latest support information for Exchange 2010. (If you don't already know how to use an aggregator, try Google Reader for a quick, easy, and free introduction.)

Wow, how did it get to be the end of the year already? I've fallen down on my blogging bigtime, but I have ambitious plans for 2010-- mostly consisting of posting a batch of articles at once and letting MovableType publish them on a schedule. That way when I'm in the blogging mood I can write up a bunch of stuff and post it.

A few end-of-the-year notes:

• Christmas was wonderful, even though (or perhaps because) we were here by ourselves. We gave Mom and our boys a Disney cruise, which means I'll miss the MVP summit this year. I think it's a reasonable tradeoff, though.
• Julie and Paul gave me Cruise Ship Confidential, which was a real hoot. The author struck me as someone I'd love to sit down with over lunch. If you like true-confessions-style books, this one's excellent.
• Lego Rock Band is a ton of fun, especially with the boys. We also gave them Lips: #1 Hits, which is way more fun than I expected it would be. No surprise that the Lips wireless mic works with the Rock Band family, and having a wireless mic makes those games more fun (and easier for us to stage).
• I bought a USMC license plate frame from the Stars and Stripes Shop. It was cheaper than any place else I found, I got it in two days, and they sent me a 10% off code to share: sssfrienddec09. Share and enjoy!
• This year's Aviation Week & Space Technology photo contest winners are even more awesome than usual. The little tiny online versions don't really do the pictures justice; if you can find the print magazine, you'll see what I mean.
• One of my coworkers is an Iowa fan-- the first one I've ever met in the flesh. Too bad his team is going down when they play the mighty Yellow Jackets.
• Speaking of work, I'm really excited about some of the stuff we're going to be doing. I can't share any details yet but there are some exciting things coming up.

I probably won't be posting again this year, so until next time, have a wonderful New Year's Eve and get ready for a great 2010!