Sync Active Directory with Postini
About a year ago I had the opportunity to set up Postini for my organization as a part of my Exchange 2007 setup/migration.
I selected Postini as our anti-spam service - mainly because our users were already used to the interface. One of the biggest challenges during planning was how to keep Postini current with my organization's mailboxes. I could let Postini create an account when an email is received, but that sounded like a really bad idea. Thankfully, in my research I found out about an application that will sync AD to Postini: Google Apps Directory Sync for Email Security.
The tool isn't overly difficult to set up, but it does have a few quirks that I feel I should share - especially since Postini's paid support is awful. We paid $750 for support and when I needed help getting it working I was informed that they didn't support syncing and referred me to knowledge base articles. I managed to figure it out on my own (on time!) and I've had it working perfectly ever since. Below you can find some setup information that may help you. Please keep in mind that this setup works in my environment and may not work in yours.
Once you download the application (link above), you will need to create a "profile" that you will use to run the syncing application.
The first screen you will see is Authentication. This is where you input your administrator login for your Postini organization.
The second screen you will see is Orgs - you can select a specific organization to sync to (for instance, if you had multiple domains). I have it set to "All users in all orgs under your account," and it works perfectly with a 3 org nested setup like mine.
Exclusion filters. I don't use these, but they allow you to exempt accounts from being synchronized.
LDAP settings: This is where you input your Active Directory information. You can use either LDAP or LDAPS (SSL LDAP). If you opt to use LDAPS, don't forget to change the port to 636. Input a domain controller IP under Host Name, add in your base domain - for example: DC=subdomain,DC=domain,DC=com. Authentication is an account with read access to your AD - use the DOMAIN\user format.
For LDAP User Attributes, select MS Active Directory. The email address attribute is "mail." Alias Address Attributes are "proxyAddresses."
For user sync - this is an important part: if you don't add a search string for users, it will also pull computer accounts. It won't add them, but they will show up as errors in your log report. I added my Org Name, SUBTREE, (sAMAccountType=805306368) - this will filter out everything but users. You could add any kind of filter you wanted here. More about LDAP filters.
Mailing Lists - I don't sync them. They are almost all internal only. Since you have to also make a change in Exchange 2007 to allow for non-authenticated users, I make exceptions for dist lists through the web interface for public facing mailing lists. This is up to you.
Notification - This will email you a report every time it runs that tells you if there were any errors, how many users were added/removed, etc. I recommend this.
Delete limit - I have left this at the default 5% - I can see the wisdom in this setting.
Log files - lets you set the file path/limit on the synchronization log. I left it as is.
Now you should be done. Go ahead and run the sync simulation. At the bottom of the log in the Sync Log tab, you should see: Simulation completed successfully - good job! Go ahead and save the profile by going to the file menu to a location you will remember easily.
The sync tool will not run automatically on its own, so I set up a scheduled task that runs every day at midnight and launches a cmd script that contains the following:
sync-cmd -a -c emailsync.xml
WAIT
sync-cmd is located in your Postini sync tool location - most likely C:\Program Files\Google Apps Directory Sync for Email Security. The -a option commits the changes and the -c option specifies the configuration file you created above. Voila! Every midnight you should get an email letting you know what has changed.
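Before running the first simulation, it is worth seeing exactly what the LDAP settings above will hand to the sync tool. The PowerShell below is an added check written for this post (not part of the Google sync tool or of my profile): it connects over LDAPS on 636 as DOMAIN\user, applies the same sAMAccountType filter, lists the mail and proxyAddresses values the tool reads, and counts the non-user objects the filter keeps out. The domain controller name and base DN are placeholders.

```powershell
# Pre-flight check for the Postini sync profile's LDAP settings.
# Host and base DN are placeholders; replace them with your own values.
function Test-PostiniLdapScope {
    param(
        [string]$LdapHost = "dc01.subdomain.domain.com",      # placeholder domain controller
        [string]$BaseDn   = "DC=subdomain,DC=domain,DC=com",  # placeholder base domain
        [System.Management.Automation.PSCredential]$Credential = (Get-Credential)  # DOMAIN\user
    )
    # ${} keeps PowerShell from reading "LdapHost:636" as a drive-qualified variable.
    $path = "LDAP://${LdapHost}:636/$BaseDn"
    $auth = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer -bor `
            [System.DirectoryServices.AuthenticationTypes]::Secure
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path, $Credential.UserName, $Credential.GetNetworkCredential().Password, $auth

    # Same filter as the profile: 805306368 = normal user accounts. Computer accounts are
    # also objectClass=user in AD, which is why they get pulled when this filter is missing.
    $userFilter    = "(sAMAccountType=805306368)"
    $nonUserFilter = "(&(objectClass=user)(!(sAMAccountType=805306368)))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $userFilter)
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize    = 1000   # paged results, so large domains are not cut off at 1000
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@("samaccountname", "mail", "proxyaddresses"))

    $users  = $searcher.FindAll()
    $report = foreach ($r in $users) {
        # Only smtp:/SMTP: entries are mail aliases; X400/X500 entries are not routed addresses.
        $aliases = @($r.Properties["proxyaddresses"]) | Where-Object { $_ -like "smtp:*" } |
                   ForEach-Object { $_.Substring(5) }
        New-Object PSObject -Property @{
            Account = [string](@($r.Properties["samaccountname"]) | Select-Object -First 1)
            Mail    = [string](@($r.Properties["mail"])           | Select-Object -First 1)
            Aliases = ($aliases -join ", ")
        }
    }
    $report | Sort-Object Account | Format-Table Account, Mail, Aliases -AutoSize | Out-Host

    # Users with no mail attribute are the ones the sync tool cannot match to a mailbox.
    $noMail = @($report | Where-Object { -not $_.Mail })
    "{0} user objects matched; {1} have no mail attribute." -f $users.Count, $noMail.Count

    $searcher.Filter = $nonUserFilter
    "{0} non-user objects (computers, trusts) would be pulled without the filter." -f $searcher.FindAll().Count
}
Test-PostiniLdapScope
```

If the user count here does not match the "users added" figure in the first simulation log, the search base or filter in the profile is not what you think it is.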
Hope that helps!
Need to move mailboxes quickly?
I'm supposed to have this week off for our company's annual winter break, but like most sysadmins I will end up having to work when everyone else doesn't.
I get the pleasure of moving about 250GB worth of mail around in an effort to get rid of 2 corrupted mailstores. Mailstores that even Microsoft can't fix. I have spent about 15 hours on the phone with Microsoft since Friday - it is now Monday. The original call was to remove a couple of mailboxes that weren't being deleted normally. Somehow a user (it's always the user's fault... right?) of mine managed to create a looped folder in her deleted items box. Imagine a folder structure like this:
Deleted Items
  + A
    + B
      + A
        + B
          A...B...A...B... for eternity.
I tried everything. Moving the mailbox, disconnecting and reconnecting the mailbox, mfcmapi, pfdavadmin, screaming and pounding on the keyboard. Nothing worked. Microsoft couldn't figure it out either. I now believe that this may be the cause of my latest BackupExec issues alluded to in my previous blog post - a belief that is strong enough that I have actually halted publishing it until I'm sure. Don't get me wrong though, Symantec hasn't made a good product in years...
Microsoft's solution is the same one that I had come up with before I had called them. I have to move all of my mailboxes off the affected mail stores. Which means about 400 mailboxes and 250GB.
Not wanting to sit there and manually move one mailbox at a time, I decided to seek out a powershell script to do the moving for me. I needed something that could read from a CSV file and do multithreaded (more than one at a time) moves. The multithreaded part turned out to be the big problem. Writing a powershell script to move 1 mailbox at a time is something that takes no real effort, but multithreaded requires a little bit more complexity. Since I'm never one to reinvent the wheel, I turned to Google and stumbled (after way too much keyword manipulation) onto an MSExchangeTeam blog article on it.
It allows you to import a CSV file with the following format (I'll save you from trying to find it in the documentation):
Identity,targetmbserver,targetmbsg,targetmbdb
Bob Smith,mailserver,storagegroup,mailboxdatabase
Jane Doe,mailserver,storagegroup,mailboxdatabase
It will then move 4 at a time and display the progress. Perfect. Now if only they could move faster...
Backup Exec – the bane of my existence. Part 1.
This is one of those times I'm glad to have a blog - a place that I can write down my thoughts for Google eternity to go back on.
Backup Exec. I've been using it since version 9 when it was still Veritas and unlike a fine wine, it has not been getting better with age. 9 was the last good version. I never had any problems with it and backups and restores were never a hassle. Version 9 and I were friends.
I don't remember 10 and 10d very well, but I do remember the amount of pain they caused me. 10d was also when Symantec re-branded the product and marks when the software really started to take a nose dive.
Fast forward to 11. It's now Symantec Backup Exec. Symantec adds a really nice (sounding) feature called GRT, or Granular Restore Technology. In previous versions, Backup Exec had to back up the entire mail store and you had to go through a lengthy process if you wanted to restore individual mailboxes or email messages. Not so with GRT.
I remember being very excited about this feature and the moment I got the upgrade I turned it on. Backups worked well enough. The usual random failures for no particular reason.
One day I received a call from my boss asking if I could restore a mailbox for an ex-employee. The ex-employee needed a couple of emails for a personal matter and had left on good terms. I said "No problem boss, I'll get right on it," like the good PFY I was.
I set up the restore job, ran it, and Backup Exec told me which tape to insert. I slapped the tape into the tape drive. The job starts, gets almost all the way to the end and then fails. Oh crap.
Typical error message from hell... you know, the one that doesn't actually tell you anything. This was before they had a functional knowledge base.
I called Symantec for support and was connected to the usual under-trained tech support employee. To make a long story short, after a fair amount of troubleshooting the guy said that it was a known issue. What was a known issue? You couldn't restore a mailbox if the mailbox owner had an email signature. Right.
In the next part of this series, I go over Backup Exec 12.5 and my constant battle for working backups as well as outline a few fixes that seem to resolve most Backup Exec errors.
vSphere U1, 1 down, 1 to go.
Good news first - in my previous blog post I had mentioned that there was a serious bug with updating to ESX 4 U1 and HP SIM agents. This has been resolved, U1 has been re-released and people should not have this issue any more (I have not tested this myself). That KB article has been updated and is available here.
The bad news is that there is now a bug with U1 and vCenter if it manages ESXi hosts.
It does not seem nearly as drastic as the previous issue I blogged about, but you should be aware of it. For now, it seems that you can avoid running into it by not adding, removing and then re-adding an ESXi host to vCenter.
Stay tuned for my next post (possibly a series?) about backups.
vSphere Update 1 is out!
Apparently as I lay in bed in dreamland last night VMWare released vSphere update 1 - took long enough!
Update 1 brings several notable improvements:
• vSphere client works in Windows 7 - without a hack!
• You can run Windows 7 and Windows Server 2008 R2 as guest operating systems.
• View 4.0 support.
• Improved MSCS support.
• PVSCSI for 2003 and 2008.
• Improved dvswitch performance.
• 25 vCPUs per core!
• Support for Intel Xeon 3400 Series.
• And a whole lot of bug fixes.
No USB pass-through fix, and it seems like there are more known issues than fixed. To be fair, one of my VMWare colleagues mentioned that there were more known issues when 4 released than now, and most of these have existed since then.
For those of you with ESXi free, it's not available yet. No word on when it will be released - sorry!
Reports are already coming in of successful deployments, and I will probably update myself during next week’s rather large maintenance window (read: Thanksgiving).