<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Aaron Marks IT Consulting</title>
	<atom:link href="http://blog.aaronmarks.com/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://blog.aaronmarks.com</link>
	<description>EHLO; MAIL FROM: Aaron; RCPT TO: You; SUBJECT: Enjoy!</description>
	<lastBuildDate>Sun, 17 Feb 2013 07:31:53 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
<image>
  <link>http://blog.aaronmarks.com</link>
  <url>http://blog.aaronmarks.com/favicon.ico</url>
  <title>Aaron Marks IT Consulting</title>
</image>
		<item>
		<title>KB2813630: Backing up Hyper-V 2012 Clusters</title>
		<link>http://blog.aaronmarks.com/?p=154</link>
		<comments>http://blog.aaronmarks.com/?p=154#comments</comments>
		<pubDate>Sat, 16 Feb 2013 22:12:18 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Hyper-V]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=154</guid>
		<description><![CDATA[Up to this point, Hyper-V 2012 Failover Clustering was unusable because backing up any virtual machines would cause IO timeouts and/or virtual machines to enter a paused state due to these delays. At best, backing up virtual machines would cause the clustering logs to be riddled with critical errors. Fortunately there is finally good news [...]]]></description>
				<content:encoded><![CDATA[<p>Up to this point, Hyper-V 2012 Failover Clustering was unusable because backing up any virtual machines would cause IO timeouts and/or virtual machines to enter a paused state due to these delays. At best, backing up virtual machines would cause the clustering logs to be riddled with critical errors. Fortunately there is finally good news after more than a month of waiting for Microsoft to fix this.</p>
<p><span id="more-154"></span></p>
<p>I opened a case with Microsoft four weeks ago and tried a number of hotfixes such as <a title="KB2799728" href="http://support.microsoft.com/kb/2799728" target="_blank">KB2799728</a> and <a title="KB2791729" href="http://blogs.catapultsystems.com/IT/archive/2012/12/07/vms-are-paused-prematurely-because-server-2012-is-cautious-of-dynamically-expanding-disks.aspx" target="_blank">KB2791729</a> that did not work as they were supposed to. KB2799728 was the most problematic, as it resulted in a memory leak as reported here by <a title="Aidan Finn Memory Leak Blog Post" href="http://www.aidanfinn.com/?p=14072" target="_blank">Aidan Finn</a> and here in this TechNet Social <a href="http://social.technet.microsoft.com/Forums/en-US/dpmhypervbackup/thread/604409df-ada1-47d1-bdfb-3f938cde0b59/" target="_blank">thread</a>.</p>
<p><a title="KB2813630" href="http://support.microsoft.com/kb/2813630" target="_blank">KB2813630</a> (also mentioned in the same TechNet <a href="http://social.technet.microsoft.com/Forums/en-US/dpmhypervbackup/thread/604409df-ada1-47d1-bdfb-3f938cde0b59/" target="_blank">thread</a>) was finally released today which appears to properly fix the biggest problems. I&#8217;ve made it through the first round of backups with no serialization of the CSV access so only time will tell at this point as to whether we&#8217;ll require another fix, but everything looks good so far. I&#8217;d recommend making this hotfix part of your deployment strategy immediately for any Hyper-V 2012 Clusters.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=154</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lync PIC Federation problems with MSN Messenger: external.ap.messenger.online.lync.com</title>
		<link>http://blog.aaronmarks.com/?p=128</link>
		<comments>http://blog.aaronmarks.com/?p=128#comments</comments>
		<pubDate>Mon, 03 Dec 2012 09:18:50 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Lync]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=128</guid>
		<description><![CDATA[I ran into a problem today with our Lync on-premise environment being unable to federate with Microsoft Messenger contacts (hotmail.com, passport.net, passport.com, live.com, and vanity domains; outlook.com still isn&#8217;t supported and likely won&#8217;t be until sometime in 2013 when it comes out of beta). I searched but came up empty-handed with results regarding similar problems [...]]]></description>
				<content:encoded><![CDATA[<p><img src="http://i0.wp.com/blog.aaronmarks.com/wp-content/uploads/2012/12/Lynclogo.gif?resize=100%2C100" alt="" align="left" data-recalc-dims="1" />I ran into a problem today with our Lync on-premise environment being unable to federate with Microsoft Messenger contacts (hotmail.com, passport.net, passport.com, live.com, and vanity domains; outlook.com still isn&#8217;t supported and likely won&#8217;t be until sometime in 2013 when it comes out of beta). I searched but came up empty-handed with results regarding similar problems so I&#8217;m guessing that I&#8217;ve discovered this one before the general public. As a result, I hope my solution helps fellow sysadmins; please leave a comment if it does (and give credit if shared, thank you!).</p>
<p><span id="more-128"></span></p>
<p>I&#8217;m guessing this problem is a result of Microsoft making big changes to the way the entire Messenger service works. With MSN Messenger going away in a few months to give way to Skype as Microsoft&#8217;s new (and only) Personal Unified Communications product, there have likely been a number of underlying changes to enable the merger of MSN Messenger and Skype. I think this is a great move as long as Microsoft can pull it off smoothly. With that said, the problem I&#8217;ve run into is likely one of their first mistakes during this transition.</p>
<p>It seems Microsoft updated the Public IM Connectivity Access Edge FQDN for MSN without notifying Lync PIC subscribers or releasing a patch for Lync 2010 to update/add the new FQDN. The MSN provider Access Edge FQDN has always been &#8220;federation.messenger.msn.com&#8221;. This FQDN is still required as far as I could tell during testing, but I found that you now need to add a new Public IM provider with an additional FQDN to make Messenger PIC work in both directions (otherwise you&#8217;ll experience many presence/messaging problems). The new (additional) FQDN to be added is &#8220;external.ap.messenger.online.lync.com&#8221;.</p>
<p>Figuring this out took about a day of troubleshooting because there was so much to double-check, but in the end I figured it out by reading the Lync Event Viewer logs on the edge server. The Event Viewer listed the following:</p>
<blockquote><p>Log Name: Lync Server<br />
Source: LS Protocol Stack<br />
Date: 12/2/2012 7:42:18 PM<br />
Event ID: 14428<br />
Task Category: (1001)<br />
Level: Error<br />
Keywords: Classic<br />
User: N/A<br />
Computer: lsedge.mysipdomain.com<br />
Description:<br />
TLS outgoing connection failures.</p>
<p>Over the past 90 minutes, Lync Server has experienced TLS outgoing connection failures 10 time(s). The error code of the last failure is 0x80090328 (The received certificate has expired.) while trying to connect to the server &#8220;federation.messenger.msn.com&#8221; at address [64.4.50.110:5061], and the display name in the peer certificate is &#8220;Unavailable&#8221;.<br />
Cause: Most often a problem with the peer certificate or perhaps the DNS A record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.<br />
Resolution:<br />
Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.<br />
Event Xml:<br />
&lt;Event xmlns=&quot;http://schemas.microsoft.com/win/2004/08/events/event&quot;&gt;<br />
&lt;System&gt;<br />
&lt;Provider Name=&quot;LS Protocol Stack&quot; /&gt;<br />
&lt;EventID Qualifiers=&quot;50153&quot;&gt;14428&lt;/EventID&gt;<br />
&lt;Level&gt;2&lt;/Level&gt;<br />
&lt;Task&gt;1001&lt;/Task&gt;<br />
&lt;Keywords&gt;0x80000000000000&lt;/Keywords&gt;<br />
&lt;TimeCreated SystemTime=&quot;2012-12-03T03:42:18.000000000Z&quot; /&gt;<br />
&lt;EventRecordID&gt;78765&lt;/EventRecordID&gt;<br />
&lt;Channel&gt;Lync Server&lt;/Channel&gt;<br />
&lt;Computer&gt;lsedge.mysipdomain.com&lt;/Computer&gt;<br />
&lt;Security /&gt;<br />
&lt;/System&gt;<br />
&lt;EventData&gt;<br />
&lt;Data&gt;90&lt;/Data&gt;<br />
&lt;Data&gt;10&lt;/Data&gt;<br />
&lt;Data&gt;0x80090328&lt;/Data&gt;<br />
&lt;Data&gt;The received certificate has expired.&lt;/Data&gt;<br />
&lt;Data&gt;federation.messenger.msn.com&lt;/Data&gt;<br />
&lt;Data&gt;64.4.50.110&lt;/Data&gt;<br />
&lt;Data&gt;5061&lt;/Data&gt;<br />
&lt;Data&gt;Unavailable&lt;/Data&gt;<br />
&lt;/EventData&gt;<br />
&lt;/Event&gt;</p></blockquote>
<p>After reading this I got curious about why there would be a certificate problem with federation.messenger.msn.com, since it seems unlikely Microsoft would forget to renew a public service certificate. The next step was to perform DNS and IP checks on federation.messenger.msn.com. Looking up the A record proved to be interesting because I found it was non-existent; the name is actually a CNAME pointing to external.ap.messenger.online.lync.com.</p>
<p>After many more troubleshooting steps I realized that in order for Messenger to continue to work you have to create a new Public IM provider to allow communication with the Access Edge of external.ap.messenger.online.lync.com. After doing this, making sure the Lync configuration database was up-to-date, and restarting the test clients everything was working.</p>
<p>There is more testing that I&#8217;m going to perform over the next week but I wanted to get this article out as soon as possible so others don&#8217;t have to repeat my work. I&#8217;ll be updating this article with more info and pictures in the days to come as I have time. Anyone else out there running into this problem too?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=128</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Exchange 2007 to 2010 Outlook Anywhere Transition</title>
		<link>http://blog.aaronmarks.com/?p=108</link>
		<comments>http://blog.aaronmarks.com/?p=108#comments</comments>
		<pubDate>Thu, 01 Dec 2011 08:51:46 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Windows Server]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=108</guid>
		<description><![CDATA[During my latest work transitioning a client’s Exchange environment from 2007 to 2010 I stumbled across an issue I had not run into previously. This issue involved running two versions (2007 and 2010) of Outlook Anywhere (OA) in one environment simultaneously. I couldn’t find good documentation on this process from Microsoft so I figured [...]]]></description>
				<content:encoded><![CDATA[<p>During my latest work transitioning a client’s Exchange environment from 2007 to 2010 I stumbled across an issue I had not run into previously. This issue involved running two versions (2007 and 2010) of Outlook Anywhere (OA) in one environment simultaneously. I couldn’t find good documentation on this process from Microsoft, so I figured I’d hopefully help someone else out by documenting the process I went through.</p>
<p>First off, getting your Client Access Servers (CAS) up and running with the proper hostnames and associated SAN certificate is essential. The initial plan was to bring up the 2010 Outlook Anywhere (OA a.k.a. RPC over HTTP) and then disable the 2007 OA due to Microsoft’s recommendation to transition the CAS fully before proceeding with the migration. With this latest transition, I needed to keep both the Exchange 2007 and 2010 OA proxies running side-by-side. This was necessary due to having numerous domains that were hosted on this Exchange environment that wouldn’t be able to have their external DNS edited in time for the beginning of the migration (for a variety of reasons that are outside the scope of this post).</p>
<p><span id="more-108"></span></p>
<p>Given Microsoft’s best-practice recommendations, you would assume that with two OA proxies you would want to direct traffic to the 2010 OA as early in the migration as possible via Autodiscover. You can have Autodiscover point to a specific OA proxy by editing the EXPR Outlook Provider. You could run a command such as:</p>
<p><code>Set-OutlookProvider -Identity:EXPR -Server:mail.contoso.com</code></p>
<p>The problem with doing this though is that Autodiscover will start passing an “AuthPackage: unspecified” for the EXPR Outlook Provider. I’m not sure what the reason for this limitation is but the Exchange Team likely has a reason for this since they have already posted a <a title="TechNet: Missing AuthPackage Element in Autodiscover XML Response" href="http://technet.microsoft.com/en-us/library/dd439374(EXCHG.80).aspx" target="_blank">TechNet article</a> on this exact issue.</p>
<p>This wouldn’t be a problem for anyone expecting to use Basic authentication for OA (Basic is the default AuthPackage used by Outlook when one is not specified), but anyone with an environment that is compatible with NTLM should be setting:</p>
<p><code>Set-OutlookAnywhere -Identity:&quot;SERVER\Rpc (Default Web Site)&quot; -ClientAuthenticationMethod:Ntlm -IISAuthenticationMethods:Ntlm</code></p>
<p>NTLM is the ideal OA authentication mechanism due to its ability to pass stored credentials under all conditions. Microsoft states in multiple places on the Exchange Team Blog, TechNet, and various support articles that NTLM is the recommended method of authentication when possible (Kerberos is alternatively recommended for larger deployments):</p>
<blockquote><p>&#8220;If you click Basic Authentication or NTLM Authentication and an LM Compatibility Level of less than 2, you will be prompted for a password each time a connection is made to Exchange. With Basic Authentication, the password is sent in clear text. For increased security, we recommend that you select the NTLM Authentication…&#8221;</p></blockquote>
<p>After studying the problem, I determined that the correct procedure is to actually leave the EXPR Outlook Provider’s “-Server:$null” as it is and to leave both OA versions running. Users on the 2010 Mailbox server will proxy through the 2010 OA server and users on the 2007 Mailbox server will proxy through the 2007 OA server.</p>
<p>My main concern with running both the 2007 and 2010 OA was that the Move-Mailbox would not correctly alert the clients to change the OA settings and Mailbox server simultaneously. Fortunately, Outlook does an Autodiscover check every time that it boots up. The way this ends up working in practice is as follows:</p>
<ol>
<li>User is on 2007 Mailbox server communicating with 2007 CAS via an Outlook client that is configured via the 2010 CAS’ Autodiscover.</li>
<li>Once the Move-Mailbox completes on their mailbox, the 2007 Mailbox server alerts the Outlook client that it needs to display a pop-up message instructing the user to restart Outlook for changes made by the Administrator to take effect.</li>
<li>User restarts Outlook.</li>
<li>Outlook switches the mailbox server over automatically to the 2010 server because it was instructed to do this before Outlook was restarted.</li>
<li>Outlook also talks to the 2010 CAS’ Autodiscover, which now knows that the mailbox was moved to the 2010 Mailbox server and therefore that the best CAS is the 2010 CAS, so it informs the Outlook client of the new 2010 OA settings.</li>
<li>User is now fully reconfigured in a relatively seamless process.</li>
</ol>
<p>I hope this helps fellow system administrators out there running through a similar migration. Please let me know if this did the trick for your migration, if you had different experiences, or have any related advice for how others and myself can further improve our Exchange transitions.</p>
<p>Here are a couple of useful pieces to read as well:<br />
- <a href="http://ilantz.wordpress.com/2011/02/08/authentication-pop-ups-and-annoyances-with-exchange-2007-2010-and-outlook-anywhere/" target="_blank">Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere</a> on iLantz&#8217; Blog<br />
- <a href="http://blogs.technet.com/b/exchange/archive/2008/09/26/3406344.aspx" target="_blank">The Autodiscover Service and Outlook Providers &#8211; how does this stuff work?</a> on the Exchange Team Blog<br />
- <a href="http://www.sysadminlab.net/exchange/outlook-anywhere-basic-vs-ntlm-authentication-explained" target="_blank">Outlook Anywhere Basic vs. Ntlm Authentication Explained</a> on the SysAdmin Lab Blog</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=108</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>MacBook trackpad problems in Boot Camp and OS X</title>
		<link>http://blog.aaronmarks.com/?p=80</link>
		<comments>http://blog.aaronmarks.com/?p=80#comments</comments>
		<pubDate>Sun, 02 Nov 2008 11:14:40 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Bug]]></category>
		<category><![CDATA[OS X]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=80</guid>
		<description><![CDATA[I have been using Apple laptops since about 2002 when I bought my first 1GHz Titanium PowerBook G4. At the time, my needs were very small and I fell in love with Mac OS X 10.2 Jaguar. Following my TiBook, I had a couple different Aluminum PowerBook G4s and finally got my first C2D (Core [...]]]></description>
				<content:encoded><![CDATA[<p>I have been using Apple laptops since about 2002 when I bought my first 1GHz Titanium PowerBook G4. At the time, my needs were very small and I fell in love with Mac OS X 10.2 Jaguar. Following my TiBook, I had a couple different Aluminum PowerBook G4s and finally got my first C2D (Core 2 Duo) MBP (MacBook Pro) in November of 2006. That C2D MBP treated me very well for the last 2 years and my only real complaints with it were:<br />
<span id="more-80"></span></p>
<ol>
<li>As it aged the screen dimmed (common with CCFL backlit displays). It really was only dim while it was heating up but it seemed to take longer to get to full brightness than when it was brand new, and the brightness was uneven during the warming-up period.</li>
<li>The battery life was awful, and before you go tell me to go buy a new battery, I already did that. While running Boot Camp, I was lucky to get 1:10 out of the battery. This was just not enough time for me while I was out visiting clients and attending meetings that are frequently longer than 2 hours.</li>
<li>The case was not very solid and slightly bulged out around the latch and Express Card area. This never caused an actual problem, nor did it ever actually fall apart, but it just looked horrible. I&#8217;ve never really concerned myself with this problem too much though since I&#8217;ve always had this problem with my PowerBooks/MacBook Pros.</li>
<li>The hard drive was a PITA to swap out. With the type of work I do, I need it to be easier to swap the hard drive out of my laptop, and doing this with a MacBook Pro takes at least 10 minutes. For an inexperienced tech, disassembling it can take half an hour or more.</li>
</ol>
<p>Even with those complaints out on the table, I loved my C2D MacBook Pro as my day-to-day Windows Vista laptop. With my own tweaking of the Boot Camp drivers I had absolutely everything working perfectly; even the things that people normally have problems with like the video card drivers and proper scrolling gestures (another post to come on that some other day).</p>
<p>With all the success I had with my previous Apple Laptops I had really high hopes for my new Late 2008 MacBook Pro. Let&#8217;s look at all of the improvements:</p>
<ol>
<li>New unibody construction. The new MacBooks are much more solid and thinner than their predecessors.</li>
<li>LED-backlit screens are standard on all MacBooks now.</li>
<li>Better battery life from the now bigger battery.</li>
<li>Extremely easy access to the hard drive.</li>
<li>Updated keyboard design.</li>
<li>Magnetic latch.</li>
<li>All of the connections have been moved to one side of the computer.</li>
<li>Faster speeds standard.</li>
<li>4GB RAM standard.</li>
</ol>
<p>It looks pretty promising, but no computer is without its faults and here are some of them for the new MBP:</p>
<ol>
<li>Lack of choice in screen finish; i.e. no matte screens.</li>
<li>Still no docking station.</li>
<li>Inability to add larger capacity batteries (but we may never get this with Apple laptops).</li>
</ol>
<p>I&#8217;m personally not too concerned with any of the problems listed above since none of them affect me, but I know that some things, like the lack of a docking station, are deal breakers for others. With that said though, there was a serious deal breaker with my new MacBook Pro that has me thinking I may have to return it. Before I delve into that, I think I need to explain my absolute favorite MacBook feature, Boot Camp!</p>
<p><strong>Trackpad in Boot Camp</strong></p>
<p>I was ecstatic when I heard Apple was releasing Boot Camp close to the release of the Intel Macs. I finally would be able to have just one computer for everything; I could use a MacBook for testing OS X and then use Windows for my day-to-day work and IT troubleshooting. The biggest problem with Boot Camp all along on the Apple laptops has been Apple&#8217;s lack of proper support for their trackpads, and I&#8217;m sad to report that Apple has done worse than ever with the new Late 2008 MacBook Pro. The new trackpad is rendered unusable while running Windows with the latest Boot Camp drivers (the ones that come on the new MBP OS X disc).</p>
<p>The problems with the trackpad were immediately apparent. The buggy trackpad shows itself in the following ways:</p>
<ol>
<li>Dragging/Highlighting doesn&#8217;t work: If you try to click on the physical trackpad button with your thumb and use your index finger to drag or highlight text/files, the dragging/highlighting will fail randomly. It is impossible to do either of these tasks in the trackpad driver&#8217;s current state.</li>
<li>Clicking: Using your thumb to click on the physical trackpad button is impossible because depressing the button with your thumb causes the mouse pointer to move erratically. Basically the driver needs to be programmed to not be so sensitive when a finger is first placed on the trackpad.</li>
<li>Right-clicking: Currently, right-clicking requires using 3 fingers. 2 fingers have to be placed on the trackpad while the 3rd (the thumb) has to be used to depress the physical button. This is clumsy and ridiculous since right-tap-clicking doesn&#8217;t work.</li>
</ol>
<p>The thing that upsets me most about this isn&#8217;t that Apple wouldn&#8217;t refund my laptop without a restocking fee, or that Apple denies that this problem exists, or even that Apple obviously doesn&#8217;t hold Boot Camp as a very high priority. What upsets me the most is that Apple is pushing these new laptops with false advertising saying that they run Windows just as well or better than most PCs. It just seems criminal to me when you consider that there is no reason for there not being a working mouse driver other than pure negligence.</p>
<p>The problem has been discussed in the <a href="http://arstechnica.com/reviews/hardware/2008-macbookpro-review.ars/2" target="_blank">Ars Technica review of the new MacBook Pro (starting in the second to last paragraph)</a> and over on the <a href="http://discussions.apple.com/thread.jspa?threadID=1755486" target="_blank">Apple Discussion Board</a>.</p>
<p><strong>Virtualization as an alternative to Boot Camp:</strong></p>
<p>Anyways, so here I am with my brand-new $3000 laptop that can&#8217;t fulfill my most basic need of running Windows natively. I haven&#8217;t yet decided what I&#8217;m going to do, but in the meantime I&#8217;m using Parallels to run Windows XP Professional SP3 for Office 2007 and QuickBooks which are my must have Windows apps.</p>
<p>In the meantime, I&#8217;ve been impressed with Parallels 3, but not so impressed with VMware Fusion 2. VMware Fusion 2 has a buggier &#8220;Unity&#8221; mode when compared with Parallels&#8217; &#8220;Coherence&#8221; mode, but Parallels also has a problem in shared networking mode where it does not flush the DNS cache when switching networks (VMware seems to have a script that auto-runs in the background to take care of this). Anyways, all of this talk about virtualization on the Mac could be saved for another post.</p>
<p>At least in the meantime, the mouse is working well in OS X, but it isn&#8217;t perfect. I&#8217;m experiencing a problem where OS X frequently stops responding to the trackpad. When the trackpad stops responding, I&#8217;m forced to just keep tapping on the trackpad until it starts working again. This seemed like a minor inconvenience at first, but it has quickly become annoying as I&#8217;ve used the computer more and more. I&#8217;m not going to go too much into this bug other than to mention that it was discussed over on <a href="http://www.crunchgear.com/2008/11/02/macbook-no-button-trackpads-not-registering-clicks/" target="_blank">TechCrunch/CrunchGear</a> and on <a href="http://discussions.apple.com/thread.jspa?threadID=1763231" target="_blank">Apple&#8217;s Discussion Board</a>.</p>
<p><strong>Summary:</strong></p>
<p>Today, I&#8217;m just debating how long it is going to take Apple to pull their heads out of their asses and write a working x86 and x64 mouse driver for Windows; a couple weeks, a month, 2 months, 6 months, a year, never?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=80</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Outlook Anywhere Bug with Windows Server 2008</title>
		<link>http://blog.aaronmarks.com/?p=65</link>
		<comments>http://blog.aaronmarks.com/?p=65#comments</comments>
		<pubDate>Fri, 28 Mar 2008 11:48:33 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Bug]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Outlook Anywhere]]></category>
		<category><![CDATA[Windows Server]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=65</guid>
		<description><![CDATA[As an IT admin it will happen to all of us at some point; there will be that problem that seems like you are 10 minutes away from fixing that quickly turns into 10 hours and then 2, 3, even 5+ days.  Before you know it, you have spent a week with nearly zero sleep and a [...]]]></description>
				<content:encoded><![CDATA[<p>As an IT admin it will happen to all of us at some point; there will be that problem that seems like you are 10 minutes away from fixing that quickly turns into 10 hours and then 2, 3, even 5+ days.  Before you know it, you have spent a week with nearly zero sleep and a lot of caffeine, and then you finally realize that you are not any further along than when you started.  I spent the last week banging my head up against a wall trying to get a client&#8217;s new Windows Server 2008 and Exchange 2007 SP1 environment up and running, only to find out that Microsoft has a crippling bug in Windows Server 2008 that won&#8217;t allow Outlook Anywhere (a.k.a. RPC over HTTP) to run in its default configuration.</p>
<p>The most unfortunate part about this is that Microsoft has yet to release any information publicly about this problem, which is really sad because they generally do such a great job of at least posting limitations of their products on many of their <a href="http://msexchangeteam.com/" target="_blank">wonderful blogs</a>.  I had to search the Internet and eventually found articles that led me in the right direction, but I was never able to find a blog/article that outlined the exact steps that I used to fix/diagnose Outlook Anywhere, which is why I really felt the need to write this post.</p>
<p><span id="more-65"></span></p>
<p>The basis of the problem is that Windows Server 2008 (like Windows Vista) gives precedence to IPv6 over IPv4 and this is especially a problem if you have your mailbox and CAS on the same server (the normal default configuration).  Let me start from the beginning though in describing how the bug can be replicated, diagnosed, and then fixed.</p>
<p><strong>Replication:</strong></p>
<p>Normally, if you wanted to start using Outlook Anywhere on an Exchange 2007/Windows 2008 Server, the first command you would enter into a command prompt would be:</p>
<p align="left"><code>ServerManagerCmd -i RPC-over-HTTP-proxy</code></p>
<p>After this you would wait a few minutes while the server installs the RPC over HTTP proxy into IIS 7.  I generally restart the server at this point even though you don&#8217;t have to.</p>
<p>The most important part of this next step is to be patient (specifically, about 15 minutes).  Now you need to actually enable Outlook Anywhere using either the Exchange Management Console or the Exchange Management Shell.  I prefer the shell and it is easier to show on the blog so this is approximately what the command should look like:</p>
<p align="left"><code>[PS] C:\&gt;Enable-OutlookAnywhere -Server host.domain.tld -DefaultAuthenticationMethod:Basic -SSLOffloading:$false</code></p>
<p>Now you have to wait about 15 minutes for the server to register an Event ID 3006 in the Application log:</p>
<p align="left"><code>Log Name:      Application<br />
Source:        MSExchange RPC Over HTTP Autoconfig<br />
Date:          3/25/2008 1:26:55 AM<br />
Event ID:      3006<br />
Task Category: General<br />
Level:         Information<br />
Keywords:      Classic<br />
User:          N/A<br />
Computer:      host.domain.tld<br />
Description:<br />
The Outlook Anywhere feature has been enabled. The ValidPorts registry setting has been modified to reflect this change.</code><br />
<code>New value:     HOST:6001-6002; HOST:6004;host.domain.tld:6001-6002; host.domain.tld:6004</code></p>
<p>Now set up an Outlook 2007 client and connect it to the mailbox using the correct settings for Outlook Anywhere access (Autodiscover should take care of this for you if you have it set up properly).  Then at this point everything should be working, right? WRONG! Don&#8217;t make the same mistake I did and keep trying to fix something that just can&#8217;t be fixed (unless you work at Microsoft, and if you do, please contact me via the contact page so we can work out a hotfix together).  You can now go to your Outlook icon in the system tray and ctrl+click on it to bring up the &#8220;Connection Status&#8221; window.  In it you will notice that things aren&#8217;t connecting exactly as they should (YMMV from the picture below since I took this after-the-fact just trying to reproduce what you may see):</p>
<p style="text-align: center"><img style="vertical-align: middle;" src="http://i2.wp.com/blog.aaronmarks.com/wp-content/uploads/2008/03/directorydisconnect.jpg?w=400" alt="Directory Disconnect" data-recalc-dims="1" /></p>
<p><strong>Diagnosis:</strong></p>
<p>This is the part that drove me crazy and I honestly couldn&#8217;t have diagnosed it on my own if it weren&#8217;t for some pointers on the Internet which I want to cite <a href="http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2894199&amp;SiteID=17" target="_blank">here</a> and <a href="http://www.digwin.com/view/outlook-anywhere-is-broken-on-ipv6-in-windows-server-2008" target="_blank">here</a>.  I&#8217;d suggest you read those two links for starters since they are where I learned about the problem from, but to be honest, the reason why it took me so long to find these posts was because I was beyond baffled and was originally looking down the completely wrong paths for a solution.  I could go on and on explaining all of the things that I thought were leading to the problem, but it would be a waste of time since the bug is so obvious now.</p>
<p>The problem we are experiencing here is that the RPC over HTTP proxy isn&#8217;t able to communicate with the localhost over port 6004, because a bug is causing Windows Server 2008 not to listen for connections on port 6004 via IPv6.  This can be confirmed by pulling up a command prompt and typing:</p>
<p><code>netstat -a -n</code></p>
<p>The netstat command will return a bunch of source/destination IP addresses and ports, but what really matters to us are the ports used by the RPC over HTTP proxy, which appear in the output like this:</p>
<p align="left"><code>TCP 0.0.0.0:6001 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:6002 0.0.0.0:0 LISTENING<br />
TCP 0.0.0.0:6004 0.0.0.0:0 LISTENING<br />
TCP [::]:6001 [::]:0 LISTENING<br />
TCP [::]:6002 [::]:0 LISTENING</code></p>
<p>As we can see, the server is for some reason not listening on port 6004 over IPv6 (including the IPv6 loopback).  This tells us a couple of things, but most importantly, someone at Microsoft really screwed up by letting this one out the door without fixing it (especially since it was known about in the RC stage).  This also tells us that we can fix this problem by disabling IPv6 entirely.</p>
<p>You can confirm that the server isn&#8217;t listening on port 6004 by telnetting to localhost on port 6004 (FYI, the telnet client/server are not default features in Windows Server 2008):</p>
<p><code>telnet localhost 6004</code></p>
<p><strong>Fix:</strong></p>
<p>IPv6 is disabled the same way in Windows Server 2008 as it is in Windows Vista, but just for good measure, I recommend that you also uncheck IPv6 TCP/IP on your NIC through the &#8220;Manage Network Connections&#8221; control panel. But to truly disable IPv6 you need to open regedit and navigate to:</p>
<p align="left"><code>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters</code></p>
<p>Then you will need to add a 32-bit DWORD with the name <strong>DisabledComponents</strong> and give it a value of <strong>0xff</strong>. This will disable IPv6 on all interfaces and all tunneling interfaces, but unfortunately it still doesn&#8217;t disable the loopback interface. In order to disable the loopback interface you will need to comment out the following line in your hosts file under %SYSTEMROOT%\System32\drivers\etc\:</p>
<p><code>::1 localhost</code></p>
<p>&#8230;by changing it to:</p>
<p><code># ::1 localhost</code></p>
<p>&#8230;and while you&#8217;re at it you may as well add a couple more lines to directly map your HOSTNAME and FQDN to your IPv4 address of the Exchange server.  In the end your hosts file should look something like this:</p>
<p align="left"><code>10.0.0.10 host.domain.tld<br />
10.0.0.10 HOST<br />
127.0.0.1 localhost<br />
# ::1 localhost</code></p>
<p>I would now recommend rebooting your server so that the registry changes take effect.  Once your server has rebooted you should now be able to run ipconfig without seeing all of the extra IPv6 tunneling interfaces; the only thing that should be visible is the IPv4 network interface. You should also now be able to successfully issue a:</p>
<p><code>telnet localhost 6004</code></p>
<p>The final and most important confirmation that this all worked will be to log on to a client workstation again and open up the connection status in Outlook 2007 to make sure that both the Directory and Mail are connected via RPC over HTTPS.</p>
<p><strong>Side Notes:</strong></p>
<p>I have been unsuccessful at setting up NTLM passthrough authentication in Outlook Anywhere on Windows Server 2008. For some reason NTLM continually causes Test-OutlookWebServices to fail the RPC test, but when I run Set-OutlookAnywhere with -DefaultAuthenticationMethod:Basic I don&#8217;t have any problems other than that users complain about having to enter their password every time Outlook opens. If anyone has any advice on this topic, please comment.</p>
<p>Now get off the caffeine and get some sleep.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=65</wfw:commentRss>
		<slash:comments>102</slash:comments>
		</item>
		<item>
		<title>Mac OS X Server 10.5 Open Directory Integration with Active Directory</title>
		<link>http://blog.aaronmarks.com/?p=56</link>
		<comments>http://blog.aaronmarks.com/?p=56#comments</comments>
		<pubDate>Sun, 23 Mar 2008 08:58:29 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Mac OS X Server]]></category>
		<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[10.5]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Open Directory]]></category>
		<category><![CDATA[OS X Server]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=56</guid>
		<description><![CDATA[Well, I’ve been swamped with work for the last 10 months and haven’t even come close to having a chance to sit down and write any well thought out blog entries.  I was compelled though a couple weeks ago to write a new entry about the coolest new feature that I stumbled across in Apple’s [...]]]></description>
				<content:encoded><![CDATA[<p><img align="left" src="http://i1.wp.com/blog.aaronmarks.com/wp-content/uploads/2008/03/thumb_od.gif" alt="AD/OD Thumb" data-recalc-dims="1" />Well, I’ve been swamped with work for the last 10 months and haven’t even come close to having a chance to sit down and write any well thought out blog entries.  I was compelled though a couple weeks ago to write a new entry about the coolest new feature that I stumbled across in Apple’s still relatively new OS X 10.5.2 Server.</p>
<p><span id="more-56"></span></p>
<p>I have written posts in the past about the flaws in Apple’s Open Directory and my preference for Active Directory, but it finally looks like Apple may understand the importance of integrating their product with Active Directory.  Integrating Active Directory into Open Directory is now so easy you could probably do it with your eyes closed (well, that may be a stretch, but you could probably do it in under 5 minutes).</p>
<p>I’ll spare you the painful description of all of the past challenges involved in 10.4 Active Directory integration, but in short, it was horrific most of the time. The last 10.4.11 server that I tried to join to Active Directory (just join, not even integrate) could never be logged into again.  I’m sure that I could have troubleshot the problem and fixed it, but it was easier for me to just transition the server to 10.5.</p>
<p>This time around, Apple has made a conscious effort to keep things simple.  Granted, all of the same processes still happen in the background that happened manually before, but at least now they happen in a supported and automated fashion. Below is the new process for AD-OD integration assuming that you have a fresh install of 10.5 Server in advanced mode (or freshly demoted to OD Standalone) and a healthy DNS configuration:</p>
<ol>
<li>Make sure your server is an OD Standalone Server.</li>
<li>Open the Directory Utility and join the Active Directory (use the FQDN of your AD domain)</li>
<li>Open Server Admin and promote your server to an OD Master.</li>
<li>… wait… there is no 4?!?!?</li>
</ol>
<p>That’s right, only 3 steps.  You will now notice that your server says under the OD overview that Kerberos is stopped, and if you investigate further you will be able to see that your server is now properly joined to the AD Kerberos REALM and that all services have been “kerberized” via dsconfigad, which was silently run in</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=56</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>D5: Steve Jobs and Bill Gates Together</title>
		<link>http://blog.aaronmarks.com/?p=55</link>
		<comments>http://blog.aaronmarks.com/?p=55#comments</comments>
		<pubDate>Sun, 03 Jun 2007 05:43:13 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Bill Gates]]></category>
		<category><![CDATA[Steve Jobs]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=55</guid>
		<description><![CDATA[All the videos from Steve Jobs and Bill Gates interview by Walt Mossberg and Kara Swisher at the WSJ D5 conference. &#8220;To create a new standard, it takes something that’s not just a little bit different, it takes something that’s really new and really captures people’s imagination and the Macintosh, of all the machines I’ve [...]]]></description>
				<content:encoded><![CDATA[<p>All the <a href="http://d5.allthingsd.com/20070530/video-steve-jobs-and-bill-gates-prologue/" target="_blank" title="Prologue video w/ Links to the rest">videos</a> from Steve Jobs and Bill Gates <a href="http://d5.allthingsd.com/20070530/d5-gates-jobs-interview/" title="Transcribed Interview">interview</a> by Walt Mossberg and Kara Swisher at the WSJ D5 conference.<br />
<img src="http://i1.wp.com/d5.allthingsd.com/files/2007/05/gates_jobs.jpg?resize=193%2C145" align="left" data-recalc-dims="1" /></p>
<p><em>&#8220;To create a new standard, it takes something that’s not just a little bit different, it takes something that’s really new and really captures people’s imagination and the Macintosh, of all the machines I’ve ever seen, is the only one that meets that standard.”</em> –<a href="http://www.youtube.com/watch?v=Uau0aIbrzkQ">Microsoft founder Bill Gates, 1984</a></p>
<p><em>&#8220;If I were running Apple, I would milk the Macintosh for all it’s worth–and get busy on the next great thing. The PC wars are over. Done. Microsoft won a long time ago.”</em> –Steve Jobs, 1996</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=55</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows XP Life-Cycle</title>
		<link>http://blog.aaronmarks.com/?p=53</link>
		<comments>http://blog.aaronmarks.com/?p=53#comments</comments>
		<pubDate>Sat, 14 Apr 2007 17:35:45 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Windows]]></category>
		<category><![CDATA[Windows XP]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=53</guid>
		<description><![CDATA[I&#8217;ve been running Windows Vista for over 6 months now, and I have to report that overall I think it is a great product. Microsoft has already sold over 20 million copies of Vista in just a couple months and it is looking like sales are going to keep moving forward at a steady pace. [...]]]></description>
				<content:encoded><![CDATA[<p>I&#8217;ve been running Windows Vista for over 6 months now, and I have to report that overall I think it is a great product. Microsoft has already sold over 20 million copies of Vista in just a couple months and it is looking like sales are going to keep moving forward at a steady pace.</p>
<p>With Apple&#8217;s anti-Vista campaign and much of the negative media about Vista, it can be hard for most people to make a decision as to how they feel about Microsoft&#8217;s latest OS. The only way to make this decision though is to just test it for yourself. Vista brings with it a whole host of new features that increase end-user satisfaction and ease IT administration, and Microsoft is going to make sure this time around that people realize this as quickly as possible.</p>
<p><span id="more-53"></span></p>
<p>Managing mixed environments can be a challenge, but we still often see many businesses running a combination of Windows 2000 Professional and Windows XP Professional. With Windows 2000, Microsoft waited 4 years after Windows XP was released before they stopped selling it to OEMs and through retail channels. This time around with the release of Vista, Microsoft is going to end XP sales on January 31, 2008. This will definitely come as a surprise to many IT administrators and decision-makers that were considering waiting for a few years before moving to Vista.</p>
<p>What does this really mean? Aren&#8217;t I still going to be able to run all of the current Windows XP computers that I have? Yes, of course you can keep the computers that you currently own, but all computer purchases in/after 2008 are going to come with Windows Vista.</p>
<p><strong>The good:</strong></p>
<ol>
<li>Software developers will be forced to make their software compatible with Windows Vista sooner (if you are a developer and your software doesn&#8217;t work with Vista right now, you better hop to it if you want your customers to stay loyal to your product)</li>
<li>Employees will get the newer operating system they are already requesting and IT administrators will have an easier time justifying deploying Vista with its product life-cycle end date approaching soon.</li>
</ol>
<p><strong>The bad:</strong></p>
<ol>
<li>Some businesses are going to have a hard time preparing for Vista in less than a year. Although small businesses can easily run mixed environments, this just does not work for larger businesses since the two operating systems can be very hard to support from a help-desk perspective.</li>
<li>This can be seen as a forced upgrade (I approve of it though since Windows XP was supposed to be replaced a lot sooner and many of the features in Vista are standards that were needed a long time ago).</li>
</ol>
<p>My final question to any of you reading this is, are you ready for Vista? What are your plans? Options:</p>
<ol>
<li>Freeze computer purchases after 1/31/08</li>
<li>Purchase surplus computers loaded with XP in December of 2007</li>
<li>Allow computer purchases with Vista immediately and support a mixed environment</li>
<li>Deploy Vista immediately on all computers</li>
<li>Allow computer purchases with Vista after Service Pack 1 is released</li>
<li>Deploy Vista after Service Pack 1 on all computers</li>
<li>Never buy new computers again and just fix all your current computers</li>
<li>Mac OS X</li>
<li>Linux</li>
<li>Uhhh, what&#8217;s this Vista thing? We are going to upgrade from Windows 95 this year to Windows 98!</li>
<li>Slide rule and punch cards ;-)</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=53</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Upgrade from Exchange 2007 Beta 2 to RTM</title>
		<link>http://blog.aaronmarks.com/?p=52</link>
		<comments>http://blog.aaronmarks.com/?p=52#comments</comments>
		<pubDate>Wed, 21 Mar 2007 08:24:45 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[beta]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=52</guid>
		<description><![CDATA[Fortunately for Microsoft there was a lot of excitement around the prereleases of Exchange 2007 Beta 2, and many of us liked it so much more than Exchange 2003 or our previous solutions that we upgraded to it early.  Luckily for all of us who did this, Microsoft left a way for us to get [...]]]></description>
				<content:encoded><![CDATA[<p>Fortunately for Microsoft there was a lot of excitement around the prereleases of Exchange 2007 Beta 2, and many of us liked it so much more than Exchange 2003 or our previous solutions that we upgraded to it early.  Luckily for all of us who did this, Microsoft left a way for us to get our Beta 2 configuration up to RTM.</p>
<p>On December 24, when I wanted to move my test machine over from Beta 2 to RTM I had to make a decision. The choices were that I could format the hard drive and reinstall Windows 2003 R2 x64 and Exchange 2007 RTM, or I could just upgrade to the RTM version.  Upgrades are always less desirable and in this case completely unsupported by Microsoft for a production environment.  In my case though, this was just for a testing environment and I was in a hurry to get to RTM since I was tired of some of the bugs in my Beta 2 configuration.  This was the process that I used, which worked well for me:</p>
<p><span id="more-52"></span></p>
<ol>
<li>Uninstall CA role (add/remove programs and then press the remove button on Exchange 2007)</li>
<li>Open IIS and delete Exchweb from the Default Site</li>
<li>Uninstall Monad</li>
<li>Install Microsoft PowerShell</li>
<li>Upgrade the AD schema from a command line: setup.exe /preparead</li>
<li>From a command prompt run: setup /mode:upgrade</li>
<li>If setup fails, install the updates that it says you are missing and reboot if necessary</li>
<li>Open a command prompt and run: setup /mode:upgrade (again if necessary)</li>
<li>Install the CA role (add/remove programs and then press the change button on Exchange 2007)</li>
<li>Delete your current receive connectors and reconfigure new ones</li>
</ol>
<p>The biggest problem with running a setup /mode:upgrade is that you are leaving the Mailbox role as a Beta 2 version.  The Exchange search function is unfortunately part of the Mailbox role and as a result it never gets upgraded to the RTM version.  There is no way around this from what I have heard from the guys at Microsoft.  Please make sure that you don&#8217;t use this for any permanent production environments, but I hope these steps help in your migration process.</p>
<p>As a side note, I recommend that you run a setup /mode:recoverserver after you do a setup /mode:upgrade to get your server to a stable RTM state that is fully supported by Microsoft.  I&#8217;ll create a post on this soon as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=52</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apple Mac OS X Server 10.4.9 Update</title>
		<link>http://blog.aaronmarks.com/?p=49</link>
		<comments>http://blog.aaronmarks.com/?p=49#comments</comments>
		<pubDate>Tue, 13 Mar 2007 21:57:04 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Mac OS X Server]]></category>
		<category><![CDATA[OS X Server]]></category>
		<category><![CDATA[Updates]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=49</guid>
		<description><![CDATA[Apple finally released their 10.4.9 update today after about 4 or 5 developer releases. I&#8217;m currently downloading these updates onto my local software update server to deploy to my Apple servers and workstations. I&#8217;ll be looking forward to testing the previous authentication problems that I have had in the past, but I can already see [...]]]></description>
				<content:encoded><![CDATA[<p>Apple finally released their <a target="_blank" href="http://www.apple.com/support/downloads/macosxserver1049comboupdateuniversal.html">10.4.9 update</a> today after about 4 or 5 developer releases. I&#8217;m currently downloading these updates onto my local software update server to deploy to my Apple servers and workstations. I&#8217;ll be looking forward to testing the previous authentication problems that I have had in the past, but I can already see a number of other outstanding issues in the list below have finally been addressed by Apple.</p>
<p><strong><em>This is Apple&#8217;s list of fixes for Server:</em></strong></p>
<p><span id="more-49"></span></p>
<p><strong>About Mac OS X Server 10.4.9 Combo Update (Universal)</strong><br />
The 10.4.9 Server Update is recommended for all servers and includes fixes for the operating system and various applications, services and technologies. It includes fixes for:</p>
<p>- using AFP, SMB/CIFS, NFS and FTP file sharing protocols<br />
- login and authentication in Open Directory and Active Directory environments<br />
- ensuring server’s host name is set to valid name in DNS at startup<br />
- synchronizing Open Directory servers and ensuring reliable replica promotion<br />
- membership and permissions issues when users are in more than 16 groups<br />
- clearing old password entries when changing password types<br />
- copying read-only files to AFP shares on Xsan and UFS volumes<br />
- copying files with extended attributes from an AFP share of an Xsan volume<br />
- serving files larger than 64k with Apache 2, and running JBoss<br />
- hosting MySQL databases and authenticating with PHP programs<br />
- reliably hosting mail services when handling thousands of user accounts<br />
- directory service usage affecting Mail server performance<br />
- virus filtering and quarantine; update to ClamAV version 0.88.2<br />
- publishing iTunes music and video formats using the Weblog server and RSS2<br />
- creating and hosting NetBoot and Network Install images for Intel-based Macs<br />
- Software Update server notifications and package synchronization<br />
- creating and editing reverse DNS zones in Server Admin<br />
- configuring up to 64 NFS server daemons in Server Admin<br />
- streaming movies to localized versions of the QuickTime Player<br />
- using VPN and DHCP services after running Gateway Setup Assistant<br />
- creating and rebuilding software RAID sets with Disk Utility<br />
- updating Kerberos keytab files when using changeip<br />
- pre-allocating files when using tar, cp and mv with Xsan volumes<br />
- rebooting SAN clients without causing other clients to hang<br />
- time zone and daylight saving time changes for 2006 and 2007<br />
- reliably running periodic scripts following server restart<br />
- importing users with multiple short names into LDAP domain<br />
- creating and managing VLANs from the command-line<br />
- using rsync to copy files with extended attributes<br />
- handling TCP Selective Acknowledgments in congested networks<br />
- better TCP performance with Windows clients and servers<br />
- compatibility with third party applications and devices<br />
- previous standalone security updates</p>
<p><em><strong>And then here is Apple&#8217;s list of fixes for the client:</strong></em></p>
<p><strong>What’s New in this Version</strong><br />
The 10.4.9 Update is recommended for PowerPC and Intel-based Mac computers currently running Mac OS X Tiger versions 10.4.0 through 10.4.7 and includes general operating system fixes, as well as specific fixes or compatibility updates for the following applications and technologies:</p>
<p>- Application launch times<br />
- RAW camera support<br />
- Updated ATI and NVIDIA graphics drivers<br />
- Handling of large or malformed images that could cause crashes<br />
- Image capture performance<br />
- Mouse scrolling and keyboard shortcuts<br />
- Font handling<br />
- Dashboard stability<br />
- Playback quality, and bookmarks in DVD Player<br />
- USB video conferencing cameras for use with iChat<br />
- Bluetooth devices<br />
- Browsing AFP servers<br />
- Apple USB Modem<br />
- Windows-created digital certificates<br />
- Open and Print dialogs in applications that use Rosetta on Intel-based Macs<br />
- Sharing using AFP, SMB/CIFS, NFS and FTP file sharing protocols<br />
- Login and authentication in a variety of network environments<br />
- Connecting to Cisco VPN servers using IP/Sec and NAT<br />
- AirPort including connectivity to EAP-FAST networks<br />
- Searching iWork ‘06 and Microsoft Office documents using Spotlight<br />
- Viewing of QuickTime streaming media behind a firewall<br />
- Audio playback in QuickTime, iTunes, Final Cut Pro, and Soundtrack applications<br />
- Determining the space required to burn folders<br />
- Synchronizing contacts, bookmarks, and calendars to .Mac and mobile phones<br />
- Mounting and unmounting iDisk volumes<br />
- Time zone and daylight saving for 2006 and 2007<br />
- Security updates</p>
<p>I have always had the feeling with Mac OS X that until we get to 10.x.9 releases, we are really just beta testing for Apple. Meanwhile it has seemed that the beta/developer releases are more like alphas (feature incomplete). Hopefully 10.4.9 will start behaving like a final product now.</p>
<p>Another interesting side note is that 14 days after 10.3.9 was released, Apple released 10.4. My testing has shown though that the current Leopard developer builds are not ready for prime-time (they seem more like alphas than betas, not allowed to say any more than that though).</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=49</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Non-domain Joined Outlook/Exchange Users</title>
		<link>http://blog.aaronmarks.com/?p=43</link>
		<comments>http://blog.aaronmarks.com/?p=43#comments</comments>
		<pubDate>Fri, 09 Mar 2007 08:52:36 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Office]]></category>
		<category><![CDATA[Outlook]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=43</guid>
		<description><![CDATA[This topic is rarely addresssed because most Outlook/Exchange users tend to be domain joined, but in my testing I ran into a few issues that are worth making a public note of. First off, I want to say that I only tested this scenario with Exchange 2007, but this may be relevant to Exchange 2003 [...]]]></description>
<content:encoded><![CDATA[<p>This topic is rarely addressed because most Outlook/Exchange users tend to be domain joined, but in my testing I ran into a few issues that are worth making a public note of. First off, I want to say that I only tested this scenario with Exchange 2007, but this may be relevant to Exchange 2003 as well.</p>
<p>I did not run into any issues when using Exchange 2007 with Outlook when the Exchange server was also the Domain Controller (DC) and Global Catalog (GC) server. When I separated the Exchange 2007 server and the DC/GC I ran into an issue with Outlook not authenticating properly to the Directory Service through the RPC over HTTPS proxy. I was not able to track down the full reason behind the problem, but I figured out the solution as well as contributing factors.</p>
<p><span id="more-43"></span></p>
<p><strong>Symptoms</strong>:</p>
<ol>
<li>Even when the RPC over HTTPS proxy in Outlook is configured to use NTLM authentication instead of Basic, it attempts to authenticate every time that Outlook opens. If Outlook does not ask for authentication at startup, then a simple peek into the connection status (right-click on the Outlook icon in the system tray while holding down the left Ctrl key, or launch Outlook using Run&#8230; outlook.exe /rpcdiag) will show that Directory is still connecting while Mail shows that it is established.</li>
<li>While the &#8220;Directory&#8221; says that it is still connecting in the connection status, Outlook will appear to be constantly synchronizing. This will eventually timeout and the user will be prompted for a password about 15 to 30 minutes into their Outlook session.</li>
<li>No matter how many times the user specifies to &#8220;remember password&#8221;, the password will not be remembered.</li>
</ol>
<p><strong>Contributing factors</strong>:</p>
<ol>
<li>The directory authentication is not being properly proxied through to the DC/GC.</li>
<li>The DC and Exchange server have different names; i.e. longhorn.aaronmarks.com (my Exchange server) and blackcomb.aaronmarks.com (my DC/GC)</li>
<li>Exchange 2007 has a field that is not automatically filled in under the Management Console. Right-click on &#8220;Server Configuration&#8221; and select &#8220;Configuration Domain Controller&#8221;. These settings were not filled in for me, so if necessary fill them in appropriately.</li>
</ol>
<p style="text-align: center"><img title="Configuration DC" src="http://i2.wp.com/blog.aaronmarks.com/wp-content/uploads/2007/03/ex_configuredc.JPG?w=420" alt="Configuration DC" data-recalc-dims="1" /></p>
<p align="left"><strong>Solution:</strong></p>
<ol>
<li>The solution is to save the user&#8217;s password. In Windows XP and Vista this is referred to as saving a network password.</li>
<li>This can be done in one of two ways, either for all server names or as a wildcard entry.</li>
<li>I chose to do the easier of the two, being a wildcard entry; i.e. &#8220;*.aaronmarks.com&#8221;</li>
<li>To save the network password you have to go under the Users control panel and on the left side there is a link that says &#8220;Manage your network passwords&#8221;</li>
<li>Then just edit the current saved entry or create a new one using wildcard/asterisk; i.e. &#8220;*.domain.tld&#8221;</li>
</ol>
<p style="text-align: center"><img title="Save Network Password" src="http://i0.wp.com/blog.aaronmarks.com/wp-content/uploads/2007/03/networkpassword.JPG?resize=314%2C305" alt="Save Network Password" data-recalc-dims="1" /></p>
<p style="text-align: center"><img title="Network Password Config" src="http://i1.wp.com/blog.aaronmarks.com/wp-content/uploads/2007/03/networkpassword2.JPG?resize=351%2C411" alt="Network Password Config" data-recalc-dims="1" /></p>
<p align="left">Now everything should be functioning as expected. The password should be saved for the user and they should not be continuously prompted. The only thing that I have yet to test is what will happen if/when the user is required to change their password.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=43</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Accessing Exchange from Mac OS X</title>
		<link>http://blog.aaronmarks.com/?p=42</link>
		<comments>http://blog.aaronmarks.com/?p=42#comments</comments>
		<pubDate>Mon, 05 Mar 2007 08:49:07 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Entourage]]></category>
		<category><![CDATA[Office:mac]]></category>
		<category><![CDATA[OS X]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=42</guid>
		<description><![CDATA[Sadly, in a Windows centric environment, such as an Exchange organization, the Macs often get left behind. The Macs can play nicely with the PCs in terms of collaboration, but we can probably never expect them to have all the same features that Outlook and Exchange are capable of achieving. On a Mac there are [...]]]></description>
				<content:encoded><![CDATA[<p>Sadly, in a Windows centric environment, such as an Exchange organization, the Macs often get left behind. The Macs can play nicely with the PCs in terms of collaboration, but we can probably never expect them to have all the same features that Outlook and Exchange are capable of achieving.</p>
<p>On a Mac there are really only two options for accessing your Exchange mailbox, and that is an IMAP client or an OWA (Outlook Web Access) based client. Thankfully for us, most Apple computers already have both of these; Apple Mail and Microsoft Entourage. Both of these clients can interface with Exchange both over OWA or IMAP.</p>
<p>Apple Mail is the email client of choice for most Mac users, but it is not ideal for an Exchange environment. Apple Mail includes the Exchange protocol as a choice when setting up a new account, but it is a hybrid of sorts: the Exchange protocol in Apple Mail uses IMAP to access the mailboxes and then uses OWA to access the public folders. This works decently with Exchange 2003, but unfortunately support for Exchange 2007 is completely broken (and, as far as I have been able to test, it is still completely broken in Mail.app 3.0 included with 10.5). At least with Exchange 2003 the email function works, but many users have reported problems when working with large mailboxes (2GB+) and when working with public folders. Mail.app has a tendency to corrupt its message database when it is working with large folders, and then the mailbox has to be rebuilt. Rebuilding the mailboxes is a very easy procedure, but it is still an unnecessary waste of a few minutes while you wait for the database to piece itself back together from the .emlx message store.</p>
<p>Next we have the issue of using Exchange&#8217;s collaborative features with Apple Mail. Exchange allows users to share address lists and resources/events through calendars. Apple&#8217;s programs for dealing with calendars and address lists are iCal and Address Book respectively. Apple&#8217;s sync services can synchronize the user&#8217;s address list from Address Book on an hourly interval to save changes back to the server. This is not the greatest solution because if a user only logs in for short periods of time their information may not always be synced back to the server. Apple&#8217;s Address Book application also allows the Global Address List (GAL) to be accessed as an LDAP directory.</p>
<p>Accessing Exchange calendars through iCal is possible using a third party program called Groupcal by Snerdware. Snerdware&#8217;s Groupcal is supposed to be able to map Exchange categories to different iCal calendars and synchronize at a user specified interval. I purchased and tried using Groupcal with Exchange 2003, and ultimately became frustrated with the mistakes that it made, such as duplicates and recurring event errors. Also, Groupcal struggled while I was editing other users&#8217; shared Exchange calendars.</p>
<p>Ultimately, I recommend users stay away from using the Apple messaging/collaboration products in an Exchange environment due to the complexity of configuration and broken support for Exchange 2007 with IMAP and Exchange protocols in Mail.app.</p>
<p>Here enters our second contender for Microsoft Exchange connectivity on a Mac, Microsoft Entourage 2004. Entourage 2004 by no means offers perfect Exchange support, but at the moment it is the best solution that I have tested for Apple computers. Entourage 2004 offers access to all of the primary Exchange features such as:</p>
<ol>
<li>Mail via OWA</li>
<li>Read/unread &amp; follow-up message flags</li>
<li>Public Folders</li>
<li>Personal Contacts</li>
<li>Shared Contacts</li>
<li>GAL via LDAP</li>
<li>Personal Calendar</li>
<li>Shared Calendars</li>
<li>Public Calendars</li>
</ol>
<p>And what it does not support:</p>
<ol>
<li>MAPI (RPC over HTTPS)</li>
<li>Server-side categories</li>
<li>Server-side rules</li>
<li>Message reply flags</li>
<li>Free/Busy scheduling &#8211; Updating attendee status</li>
<li>Shared resource scheduling</li>
</ol>
<p>Here are some Mac extras that Entourage 2004 has to offer:</p>
<ol>
<li>Spotlight indexing/searching</li>
<li>Sync Services (iSync support for mobile devices and Synchronization with iCal and Address Book)</li>
</ol>
<p>Most basic Exchange users will have no idea that they are missing any features that their Outlook counterparts have access to. The differences between Outlook and Entourage are even less noticeable when a user only uses a single computer. It is likely that Entourage 2008 will fill in many of the voids of Entourage 2004, with features such as server-side search, message reply flags, server-side categories, server-side rules, and free/busy scheduling (when paired with Exchange 2007). If you are trying to decide which platform to put your Mac organization on, it at least makes sense to go with Entourage 2004 knowing that it will be an easy upgrade to Entourage 2008 later this year.</p>
<p>As a side note, I run Parallels on my Mac in coherence and use Outlook 2007 as my mail client with Entourage 2004 configured just for the purpose of mailto: links. I intend to ask the Parallels team if they can at some point make some code so that Outlook can grab the Mac mailto: links.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=42</wfw:commentRss>
		<slash:comments>21</slash:comments>
		</item>
		<item>
		<title>Microsoft TechNet</title>
		<link>http://blog.aaronmarks.com/?p=41</link>
		<comments>http://blog.aaronmarks.com/?p=41#comments</comments>
		<pubDate>Wed, 28 Feb 2007 08:49:59 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[TechNet]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=41</guid>
		<description><![CDATA[Microsoft TechNet is Microsoft&#8217;s information technology professional service.  In my experience TechNet has done an excellent job of just &#8220;being there&#8221; when it comes to most support and testing issues. TechNet is a Microsoft service for IT Professionals that can be purchased at a few different levels. TechNet Plus Direct is the least expensive level, [...]]]></description>
				<content:encoded><![CDATA[<p>Microsoft TechNet is Microsoft&#8217;s information technology professional service. In my experience TechNet has done an excellent job of just &#8220;being there&#8221; when it comes to most support and testing issues. TechNet is a Microsoft service for IT Professionals that can be purchased at a few different levels. TechNet Plus Direct is the least expensive level, at $350 a year, and with it come many useful features:</p>
<ol>
<li>Direct download access to all Microsoft products</li>
<li>2 free professional support incidents</li>
<li>24&#215;7 Online Concierge</li>
<li>Microsoft TechNet user forum</li>
<li>Subscription to TechNet Magazine</li>
<li>Access to e-Learning courses to help prep for MS Certification Exams</li>
<li>Access to Beta software</li>
</ol>
<p>Most IT pros will subscribe to TechNet for access to Microsoft&#8217;s entire software library for testing, but the other benefits should not be overlooked. Microsoft&#8217;s support that comes along with TechNet is top-notch in many different ways.</p>
<p>No matter how good an administrator you are or how long you have spent working with a product, there will likely be a time when you run into a roadblock while working with a new product. How close to the bleeding edge the product is determines what kind of documentation about it will be available on the internet. With a new product like Exchange 2007, which is just an infant at one month old, there is very little documentation for anything other than what is needed for configuring and installing.</p>
<p>When I ran into issues with my Exchange 2007 server this last month I had to call Microsoft&#8217;s Professional Support Services (PSS), and the support that I received was top-notch. Many of the issues that I ran into ended up being bugs, but regardless, it was excellent having someone at Microsoft to call and convey problems to and receive fixes for. I have to admit that I got very lucky with the level of support that I received, because when I called them Exchange 2007 had just come out and only PSS&#8217;s Severity-A level of support was qualified to support my Exchange 2007 issue. As a result of getting a Critical Sev-A case number I was able to call and have somebody on the phone from Microsoft within 5 minutes, 24 hours a day, 7 days a week, who was incredibly knowledgeable and had almost unlimited resources. These engineers do an excellent job and should not be compared to what we normally consider technical support. When these guys run into problems, they actually start digging into the code, and sometimes even write programs to fix small issues. I tip my hat to these guys for doing an excellent job. Thank you once again for incredible support (for free), and thank you for just caring about your job and putting a great deal of effort into everything you do.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=41</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exchange 2007 and SSL Certificates</title>
		<link>http://blog.aaronmarks.com/?p=40</link>
		<comments>http://blog.aaronmarks.com/?p=40#comments</comments>
		<pubDate>Tue, 27 Feb 2007 08:46:52 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=40</guid>
		<description><![CDATA[Security is a huge concern when it comes to email. Email is the primary communication mechanism for many businesses and sensitive information is passed both externally and internally via email everyday. Since we cannot leave it to chance that a hacker might intercept an email, we use Secure Socket Layer (SSL) certificates to encrypt the [...]]]></description>
				<content:encoded><![CDATA[<p><img align="left" src="http://i0.wp.com/blog.aaronmarks.com/wp-content/uploads/2008/03/thumb_security.jpg" alt="Vault" data-recalc-dims="1" />Security is a huge concern when it comes to email. Email is the primary communication mechanism for many businesses, and sensitive information is passed both externally and internally via email every day. Since we cannot leave it to chance that a hacker might intercept an email, we use Secure Sockets Layer (SSL) certificates to encrypt the data that is transmitted internally between servers and Transport Layer Security (TLS) to encrypt the data that is transported over SMTP traffic both internally and externally.</p>
<p>With the level of importance of SSL certificates, you would think that the Exchange developers would have made it a top priority to make sure that it is easy to generate the certificate signing requests (CSRs) to send to the certificate authorities (CAs) to generate a trusted root for the Exchange organization. The process is not easy though, and it involves using Exchange&#8217;s PowerShell to generate the CSR. There should be a utility in the Exchange Management Console for generating the necessary CSRs, but for now this was the command that I used:</p>
<p align="left"><code>New-ExchangeCertificate -GenerateRequest -DomainName longhorn.aaronmarks.com -SubjectName "C=US,DC=aaronmarks,DC=com,S=Washington,L=Seattle,O=AM IT Consulting,OU=IT,CN=longhorn.aaronmarks.com" -path D:\certificates\longhorn.aaronmarks.com.req</code></p>
<p>I would detail all of the parameters necessary for creating an SSL certificate, but John Speare from Microsoft has already written up a great <a href="http://technet.microsoft.com/en-us/library/72048bc1-6d01-4279-8d21-4282b86b522c.aspx">Knowledge Base article about all of the parameters</a> to use when generating an SSL certificate in the PowerShell. He has also gone into depth in this blog post detailing issues he ran into while creating <a href="http://msexchangeteam.com/archive/2007/02/19/435472.aspx">Exchange 2007 SSL certificates</a>.</p>
<p>A really interesting thing to note about the way Exchange 2007 works is that it is broken up into a lot of different roles that can be installed on a number of different servers. Because of this and the requirements of Exchange 2007&#8217;s new Autodiscover service, it is sometimes necessary to have multiple (sub)domain names in a certificate. There are currently only a handful of CAs offering this new &#8220;Exchange 2007&#8221; certificate, but Microsoft has a <a href="http://support.microsoft.com/?id=929395">KB that will be updated over time showing who does offer the service</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=40</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Microsoft Exchange ActiveSync with Direct Push</title>
		<link>http://blog.aaronmarks.com/?p=39</link>
		<comments>http://blog.aaronmarks.com/?p=39#comments</comments>
		<pubDate>Tue, 20 Feb 2007 08:23:15 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Windows Mobile]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=39</guid>
		<description><![CDATA[There are many reasons why I love Microsoft Exchange, but Exchange ActiveSync with Direct Push is possibly my favorite feature. Microsoft Exchange ActiveSync was introduced with Exchange 2003 and for the first time Windows CE devices were able to synchronize directly with an Exchange server. Before Microsoft ActiveSync some form of middleware was required to [...]]]></description>
				<content:encoded><![CDATA[<p>There are many reasons why I love Microsoft Exchange, but Exchange ActiveSync with Direct Push is possibly my favorite feature. Microsoft Exchange ActiveSync was introduced with Exchange 2003 and for the first time Windows CE devices were able to synchronize directly with an Exchange server. Before Microsoft ActiveSync some form of middleware was required to have mobile phones sync with Exchange, and most notably RIM&#8217;s BlackBerry Enterprise Server was the way to achieve this, but only with BlackBerry devices.</p>
<p>With the introduction of Windows Mobile 5 and Exchange 2003 SP2, Microsoft released an incredible new feature called Direct Push. Direct Push is basically Microsoft&#8217;s way of cutting out the middle-man. The middle-man in the past has always been the middleware like BlackBerry&#8217;s Enterprise Server (BES). BES&#8217;s advantage over all of the competing products on the market was that it provides push email that shows up instantly on the mobile device, and it does this by interfacing primarily with Microsoft Exchange 2000 and 2003 servers. With Microsoft&#8217;s Windows CE devices it didn&#8217;t take Microsoft very long to realize that it would be beneficial to them if they could offer an integrated all-in-one solution for mobile devices. They already had Windows CE and Microsoft Exchange so all that was necessary was to bridge the gap between the two so that customers didn&#8217;t have to purchase a third party solution or subscribe to a third party service.</p>
<p>By releasing Windows Mobile 5 and Direct Push with Exchange 2003 SP2, Microsoft has now made companies like RIM an unnecessary part of the mobile synchronization puzzle. Microsoft has once again created a way to push the competition out of the market and sell their Windows Mobile 5 devices to business users. These devices are great for both admins and users on many different levels. Windows Mobile 5 devices can be configured in under a minute, they are relatively easy to use, they come in many different form factors to please a wide array of users, and, most importantly, they are really easy to administer. When a Windows Mobile 5 device is lost or stolen, it can be erased by either the Exchange administrator or the user.</p>
<p>Currently there are two main categories of Windows Mobile devices: Smartphones and Pocket PCs. Windows Mobile Smartphones are the most common of these devices being sold currently, thanks to the Motorola Q and Samsung BlackJack. Smartphones currently come in three different form factors: they can be candybar style with a normal T9 10 digit keypad, a flip phone with a T9 10 digit keypad, or a candybar QWERTY style phone. For frequent emailers the QWERTY style is an easy choice, but for those who are reluctant to carry around a phone with a keyboard, the 10 digit T9 input is still great for keeping in touch while out of the office if you don&#8217;t intend on sending a lot of email. Smartphones are capable of reading/writing email, calendar, and contacts. They can also read, but not edit, Word, Excel, and PowerPoint documents.</p>
<p>Then there are the true mobile offices, the Pocket PCs (PPC). These PPCs include a touch screen and always have a QWERTY keyboard. These devices are primarily being sold currently in either the slider keyboard form factor, such as the HTC TyTN, or as a candybar style with the keyboard on the front, such as the Palm Treos. These devices include the full suite of mobile Microsoft Office programs, which have the ability to edit Microsoft Office documents while on the go. These devices are excellent for web browsing and emailing since the touch screen is a worthy mobile substitute for a mouse.</p>
<p>Microsoft Exchange ActiveSync goes beyond Research in Motion&#8217;s solution in software as well. Exchange ActiveSync has the ability to show and synchronize with all Exchange mail folders, unlike BlackBerry Enterprise Server which only synchronizes inbox and sent items. Another great feature worth noting is that now with Windows Mobile 6, Exchange 2007&#8217;s server-side indexed search can be accessed from the mobile device, which allows the user to search through thousands of messages and retrieve results within seconds. The details of Windows Mobile 6 can be saved for another post, but even with Windows Mobile 5, Exchange ActiveSync with Direct Push is the ultimate mobile messaging platform.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=39</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Transitioning from Exchange 2000/2003 to 2007</title>
		<link>http://blog.aaronmarks.com/?p=38</link>
		<comments>http://blog.aaronmarks.com/?p=38#comments</comments>
		<pubDate>Mon, 12 Feb 2007 08:08:25 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Exchange]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=38</guid>
		<description><![CDATA[If you want to move your organizations 2000/2003 Exchange Server to 2007 then you&#8217;ll have to read up on Microsoft&#8217;s transition process. This is pretty much the method for moving to Exchange 2007. Part of the beauty in Exchange 2007&#8242;s separate roles is that Exchange 2000/2003 and 2007 can be installed in coexistence. Once an [...]]]></description>
				<content:encoded><![CDATA[<p>If you want to move your organization&#8217;s 2000/2003 Exchange Server to 2007 then you&#8217;ll have to read up on Microsoft&#8217;s transition process. This is pretty much <em>the method</em> for moving to Exchange 2007. Part of the beauty in Exchange 2007&#8217;s separate roles is that Exchange 2000/2003 and 2007 can be <a href="http://technet.microsoft.com/en-us/library/aa998604.aspx">installed in coexistence</a>. Once an organization has both an Exchange 2007 and Exchange 2000/2003 server installed on the same domain, it is fairly straightforward to <a href="http://technet.microsoft.com/en-us/library/aa997617.aspx">move the mailboxes between the two servers</a> in the same forest.</p>
<p>If the intention is to move directly from 2000/2003 to 2007 then the process is called a migration instead of a transition. The difference between the terminology of a transition and a migration can be somewhat confusing, but it basically means that you are removing the middle step of letting the servers coexist. Depending on the size of the organization a migration may be a better choice. For massive organizations a transition makes the most sense since you will be able to move mailboxes over a long period of time with no downtime for the user. With a migration, all of the mailboxes need to be moved at once. Here is Microsoft&#8217;s diagram of the various phases and options:</p>
<p><img style="vertical-align: middle;" title="Microsoft Exchange 2007 Transition/Migration Chart" src="http://i1.wp.com/technet.microsoft.com/en-us/library/Bb124008.1c4f0637-d357-43e1-ab62-4b74b38a125c(en-us,TechNet.10).gif?resize=420%2C515" alt="Microsoft Exchange 2007 Transition/Migration Chart" data-recalc-dims="1" /></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=38</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Migrating from IMAP to Exchange 2007</title>
		<link>http://blog.aaronmarks.com/?p=37</link>
		<comments>http://blog.aaronmarks.com/?p=37#comments</comments>
		<pubDate>Wed, 07 Feb 2007 09:13:31 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[IMAP]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=37</guid>
		<description><![CDATA[With Exchange 2003 and Small Business Server 2003 moving from IMAP to Exchange used to be fairly simple task. With Exchange 2007 though, Microsoft left out the Exchange Migration Tool that had the capabilities of downloading IMAP folders directly into the Exchange Mailboxes. Fortunately enough for those of us that want to move from IMAP [...]]]></description>
				<content:encoded><![CDATA[<p>With Exchange 2003 and Small Business Server 2003, moving from IMAP to Exchange used to be a fairly simple task. With Exchange 2007 though, Microsoft left out the Exchange Migration Tool that had the capability of downloading IMAP folders directly into the Exchange mailboxes. Fortunately, for those of us who want to move from IMAP to Exchange 2007, there are still options left thanks to Exchange 2003&#8217;s Migration Tool. Microsoft may add a migration tool into Exchange 2007 with SP1/2, but it is looking like they may never get around to adding IMAP because of the vast amount of other features being added into Exchange.</p>
<p>The simplest option for moving from IMAP to Exchange 2007 requires a second server, but only for the purpose of running the Exchange Migration Tool. This can be done simply with a virtual machine (VMware Player/Server or Virtual PC/Server) that has Windows 2003 and Exchange 2003 pre-installed. If licenses for these products are not readily available, Microsoft offers free evaluation copies as well as pre-configured virtual hard disk images.</p>
<p>Once the temporary server is up and running, simply follow <a href="http://technet.microsoft.com/en-us/library/bb123669.aspx">Microsoft&#8217;s instructions for using the Exchange Migration Tool</a>, and create a separate PST file for each individual user saved to a network share. Once the PST files are created, you can distribute them to your users along with the password that is saved to the log file, or you can import them onto the new Exchange 2007 server on the users&#8217; behalf. If you are going to import the PSTs manually then this has to be done using Outlook 2003/2007 for each user separately. Depending on the knowledge level of your users, you could potentially distribute instructions to all users on how to import their PST file once they are configured with Exchange 2007 and Outlook 2007, and save yourself from the tedious work of waiting for potentially large PSTs to import.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=37</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Migrating from Exchange 5.5 to 2007</title>
		<link>http://blog.aaronmarks.com/?p=36</link>
		<comments>http://blog.aaronmarks.com/?p=36#comments</comments>
		<pubDate>Mon, 05 Feb 2007 08:06:31 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[NT]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=36</guid>
		<description><![CDATA[I still run across businesses every few months that to my amazement are running Exchange 5.5 even though it was released almost 10 years ago in November of 1997. For these businesses I cannot think of a better way to celebrate their mail servers 10th anniversary than throwing it in the dumpster out back. Honestly [...]]]></description>
				<content:encoded><![CDATA[<p>I still run across businesses every few months that, to my amazement, are running Exchange 5.5 even though it was released almost 10 years ago in November of 1997. For these businesses I cannot think of a better way to celebrate their mail server&#8217;s 10th anniversary than throwing it in the dumpster out back. Honestly though, if your business is still running Exchange 5.5 it is time to upgrade for many reasons including:</p>
<ol>
<li>It&#8217;s not supported by Microsoft anymore</li>
<li>It doesn&#8217;t work with Active Directory</li>
<li>Unless you have Enterprise edition you are limited to 16GB per database; good luck finding an upgrade from Standard to Enterprise.</li>
<li>Outlook 2007 is now incompatible with Exchange 5.5 and requires 2000 at a minimum</li>
<li>Microsoft Entourage for Mac is incompatible with Exchange 5.5. Now that Intel Macs can&#8217;t run Microsoft Outlook 2001:mac, Entourage needs to work if you plan on having new Intel Macs in your organization.</li>
<li>Your ancient hardware is probably on its way out or it can&#8217;t be depended on. (yes, you could move your Exchange server to Virtual Machines)</li>
</ol>
<p>Before you start the process of moving from Exchange 5.5, I suggest purchasing your new Exchange 2007 server(s) and setting up a virtual machine running Windows 2003/Exchange 2003. There is <a href="http://technet.microsoft.com/en-us/library/aa997461.aspx">no way to move directly from Exchange 5.5 to 2007</a>, so you are going to need a virtual bridge. I highly recommend Microsoft&#8217;s free Virtual Server 2005 R2. There are two great articles that I have found that outline the steps and concerns that will need to be addressed. The first article is the original Microsoft knowledge base article on moving from <a href="http://www.microsoft.com/technet/prodtechnol/exchange/2003/upgrade55to2k3.mspx">Exchange 5.5 to Exchange 2003</a>, and the second is an overview from the <a href="http://msexchangeteam.com/archive/2006/11/29/431687.aspx">MS Exchange Team Blog</a> on the general process of moving from 5.5 to 2007.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=36</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Exchange Server 2007 Overview</title>
		<link>http://blog.aaronmarks.com/?p=35</link>
		<comments>http://blog.aaronmarks.com/?p=35#comments</comments>
		<pubDate>Mon, 05 Feb 2007 06:48:37 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Exchange]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=35</guid>
		<description><![CDATA[September 28, 2003 was a great day for the Windows IT world. With the introduction of Exchange Server 2003, Microsoft had released one of their finest and most widely accepted server products to date. Exchange 2003 through its two service packs brought us some amazing features such as the Intelligent Message Filter and Direct Push [...]]]></description>
				<content:encoded><![CDATA[<p>September 28, 2003 was a great day for the Windows IT world. With the introduction of Exchange Server 2003, Microsoft had released one of their finest and most widely accepted server products to date. Exchange 2003 through its two service packs brought us some amazing features such as the Intelligent Message Filter and Direct Push email that have changed the way the corporate world is able to collaborate and communicate.</p>
<p>December 24, 2006 was an even more exciting day for many IT administrators that had been eagerly awaiting the introduction of Exchange Server 2007. On this special day in December, Microsoft released Exchange 2007 to manufacturing as well as to the IT community through their TechNet program.</p>
<p>Microsoft Exchange Server 2007 is the largest leap that Microsoft has taken with a product since it made the move to Windows 95 or to standardizing their Windows platform on NT. Exchange 2007 is Microsoft&#8217;s first product to require 64-bit hardware and a copy of Windows Server 2003 R2 x64, but if that did not shake things up enough, Microsoft has also laid Exchange 2007 on top of their new Monad/PowerShell command line technology. Many of Exchange&#8217;s features and settings can now only be accessed through a new and very powerful Unix-like command line.</p>
<p>Other big changes to Exchange 2007 include the new way that Exchange&#8217;s roles have been broken up. Exchange 2007 now features 5 different roles that can each be installed on different servers, and with the Enterprise edition these roles can be clustered as well. Here is a list of each of the roles (quoted from the <a href="http://msexchangeteam.com">MS Exchange Team Blog</a>):</p>
<ol>
<li><strong>Mailbox role (MB):</strong> The Mailbox server role is responsible for hosting mailbox and public folder data. This role also provides MAPI access for Outlook clients. Note that there is also a variation of this role called Clustered Mailbox role, for use with high-availability MSCS clustering of mailbox data. When Clustered Mailbox role is selected, other server roles cannot be combined on the same physical server.</li>
<li><strong>Client Access role (CA):</strong> The Client Access server role provides the other mailbox server protocol access apart from MAPI. Similar to the Exchange 2003 FrontEnd server, it enables users to use an Internet browser (OWA), 3rd party mail client (POP3/IMAP4) and mobile device (ActiveSync) to access their mailbox.</li>
<li><strong>Unified Messaging (UM) role:</strong> This role enables end users to access their mailbox, address book, and calendar using telephone and voice. IP-PBX or VoIP gateway needs to be installed and configured to facilitate much of the functionality of this server role.</li>
<li><strong>Hub Transport role (HT):</strong> The Hub Transport role handles mails by routing them to next hop: another Hub Transport server, Edge server or mailbox server. Unlike Exchange 2003 Bridgehead that needs Exchange admin defined routing groups, Exchange 2007 Hub Transport role uses AD site info to determine the mail flow.</li>
<li><strong>Edge Transport (ET):</strong> The last hop of outgoing mail and first hop of incoming mail, acting as a &#8220;smart host&#8221; and usually deployed in a perimeter network, Edge Transport provides mail quarantine and SMTP service to enhance security. One advantage of this role is that it does not require Active Directory access, so it can function with limited access to the corporate network for increased security.</li>
</ol>
<p>Many admins are claiming that they are not ready for the change of not having a graphical user interface for every feature, but this is a welcome new addition for most Exchange admins. Although the GUI management console is lacking, the MS Exchange team has added a plethora of new features into Exchange&#8217;s new solid foundation, the PowerShell (I will save discussing the PowerShell though for its own post).</p>
<p>Finally, with the requirement of Exchange Server 2007 running on 64-bit hardware, Microsoft is able to break the 4GB barrier. This is nothing but positive for Exchange organizations everywhere as Exchange servers with currently available technology can utilize 64GB of RAM and 8&#215;3.0GHz 64-bit Xeon CPU cores which offers incredible possibilities. Exchange 2003 was only capable of using 4GB of RAM and 32-bit processors and thus was never capable of taking advantage of what has become available in server hardware.</p>
<p>There are also many other improved features that I will just list (courtesy of Wikipedia):</p>
<ol>
<li>Protection: anti-spam, anti-virus, compliance, clustering with data replication, improved security and encryption</li>
<li>Improved Information Worker Access: improved calendaring, unified messaging, improved mobility, improved web access</li>
<li>Improved IT Experience: 64-bit performance &amp; scalability, command-line shell &amp; simplified GUI, improved deployment, role separation, simplified routing</li>
<li>&#8220;Exchange Management Shell&#8221;: a new command-line shell and scripting language for system administration (based on the Windows PowerShell scripting language &#8212; formerly called &#8220;Monad&#8221; &#8212; developed for Windows Vista). Shell users can perform every task that can be performed in the Exchange graphical user interface plus additional tasks, and can program often-used or complex tasks into &#8220;scripts&#8221; that can be saved, shared, and re-used.</li>
<li>&#8220;Unified Messaging&#8221; that lets users receive voice mail, e-mail, and faxes in their mailboxes, and lets them access their mailboxes from cell phones and other wireless devices. Voice commands can be given to control and listen to e-mail over the phone (and also send some basic messages, like &#8220;I&#8217;ll be late&#8221;)</li>
<li>Removed the database maximum size limit. Database size is now limited by hardware capability and the window for backups and maintenance.</li>
<li>Increased the maximum number of storage groups and mail databases per server, to 5 each for Standard Edition (from 1 each in Exchange 2003 Standard), and to 50 each for Enterprise Edition (from 4 groups and 20 databases in Exchange 2003 Enterprise).</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=35</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Small Business Server 2003 R2</title>
		<link>http://blog.aaronmarks.com/?p=34</link>
		<comments>http://blog.aaronmarks.com/?p=34#comments</comments>
		<pubDate>Sat, 03 Feb 2007 03:12:48 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[SBS]]></category>
		<category><![CDATA[Small Business]]></category>
		<category><![CDATA[SMB]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=34</guid>
		<description><![CDATA[Purchasing a server as a small business can often be a daunting task, and it is one that most business will hopefully be able to view their IT Consultant as a partner and trust their decision. The factors for a Small Business to use when evaluating a server fall into four main categories; labor cost, [...]]]></description>
				<content:encoded><![CDATA[<p>Purchasing a server as a small business can often be a daunting task, and it is one where most businesses will hopefully be able to view their IT consultant as a partner and trust their decision. The factors for a small business to use when evaluating a server fall into four main categories: labor cost, hardware/software cost, features, and stability.</p>
<p><span id="more-34"></span> Windows Small Business Server 2003 (SBS) R2 does an excellent job of being very attractive in these 4 key categories for server purchases. When you look at the fact that Microsoft Windows Server 2003 R2 x64 with 10 CALs and Microsoft Exchange 2007 Standard Edition with 10 CALs together cost $2568 at list price from Microsoft, it can start to become obvious that there needs to be a cheaper solution for small businesses. Then when you throw on the large dollars in consulting time to configure a server environment like this it becomes even more obvious why a cheaper and easier to configure solution might be necessary for a business buying its first server. Enter Microsoft&#8217;s current small business server solution, Microsoft Small Business Server 2003 R2 Standard Edition that can be purchased with 10 CALs for $1088 list price from Microsoft.</p>
<p>Microsoft released their first Small Business Server product on October 22, 1997 when they launched BackOffice Small Business Server 4.0, but it wasn&#8217;t until Windows Small Business Server 2000 was launched on February 21, 2001 that Microsoft&#8217;s SBS product line really took off. By the time SBS 2003 was released on October 9, 2003 the process of installing and setting up a Microsoft Small Business Server had become so easy that it takes almost no Windows Server knowledge to complete a basic install (it can be done in about 5 hours).</p>
<p>Many IT consultants can tell you though that the fun stops there with SBS 2003, since any advanced configuration, including editing DNS, configuring file shares with ACLs, modifying Exchange mailbox properties, and configuring IIS, still requires a fair amount of Windows Server knowledge. Microsoft has spared SBS admins from needing any knowledge of how Active Directory works, and they have made it so easy to add users and computers that almost any small business owner can be trained to do it themselves after an IT consultant helps implement the SBS.</p>
<p>There are a number of minor issues though with SBS that may make a lot of businesses stick with the full Windows Server products, and some of the biggest issues are tied to Microsoft Exchange Server.</p>
<p>The first issue is very general and it has to do with the 75 user limit. This by itself isn&#8217;t much of an issue, but when you look at some of the other limitations of Microsoft Exchange this number starts to look a lot more like a 30 user limit; for the time being we will just look at the 75 user limit by itself. For growing businesses there is sometimes the possibility of needing more than 75 users, and for this Microsoft has created the SBS Transition Pack. There are a few downsides though to the transition pack:</p>
<ol>
<li>The transition pack is not a clean transition. Users that have completed the transition <a href="http://msmvps.com/blogs/bradley/archive/2006/01/11/80849.aspx">have reported that their servers have problems afterwards</a> or that the install/transition process had error messages. Because of this many admins end up separating their old SBS from their server environment when the process is complete. This adds the unnecessary cost of the labor involved in tearing down the deprecated SBS server and reinstalling a full version of Windows Server 2003.</li>
<li>If there are any thoughts of upgrading to Exchange Server 2007 and a business is close to 75 users and making their initial purchase, it makes the most sense to purchase the full server products. A transitioned standard SBS environment costs $9520 for software and CALs, which is the exact same price as Windows Server 2003 R2 x64 Standard and Exchange Server 2007 Standard with 75 CALs.</li>
<li>Upgrading to Exchange 2007 will take a lot of labor compared to just starting out with Exchange 2007, since the only method to move to Exchange 2007 is through transitioning; i.e. using a separate Domain Controller and running a move-mailbox command to move mailboxes from the Exchange 2003 server to the Exchange 2007 mailbox server. This takes at least 3 servers to complete: the old Exchange 2003 server, the new Exchange 2007 server, and a Domain Controller/Global Catalog server.</li>
</ol>
<p>The next issue, which will not be completely relevant with future versions of Small Business Server, is that the current version, SBS 2003 R2, is 32-bit. Because SBS 2003 R2 is 32-bit, it will not be possible to do in-place migrations to SBS 2008, which will be 64-bit since it will include Exchange 2007, which must be run on 64-bit hardware.</p>
<p>Then there is the issue of flexibility between versions of Small Business Server. Small Business Server isn&#8217;t nearly as flexible as its full server counterpart. SBS doesn&#8217;t allow domain-joined servers to trade Flexible Single Master Operations (FSMO) roles and Global Catalogs, and because of this it is not possible to keep the same internal domain name during migrations. This means that small business servers need to keep separate internal and external domain names, which is unconventional and also confusing to users. Comparison of upgrading Windows Server versions (comparing SBS to the full product):</p>
<ol>
<li>The only way to migrate from an old version of SBS to a new one is to change the NETBIOS domain name (as well as the internal FQDN); e.g. SBS 2000 to SBS 2003.</li>
<li>Transitioning between new versions of the full Windows Server products requires almost no downtime, is much easier, and requires less labor for an experienced IT consultant (less labor cost to the business).</li>
</ol>
<p>The last issue has been mostly resolved in the most recent release of SBS, Small Business Server 2003 R2. Previous versions of SBS only allowed for a 16GB Storage Group for mailboxes, and once the 16GB limit was passed the mailbox database would dismount. With a 75 user limit, the 16GB limit started to become very painful for many administrators, since most users expect to have 1-2GB mailboxes these days with services like Google offering 3GB for free. Finally, with SBS 2003 R2 Microsoft lifted the 16GB limit to 75GB, which allows each SBS user to have a 1GB mailbox limit. 1GB is plenty for most users if they keep their mailboxes clean, but there are still many employees that will have a need for 2-4GB mailboxes, and this just really isn&#8217;t possible for a higher-end SBS install. With 2GB quotas for users&#8217; mailboxes, an SBS 2003 R2 server can really only support 37 users, and even fewer if you start having users with 4GB plus mailboxes (and yes, I see the demand with a lot of my clients).</p>
<p>I completely recommend SBS 2003 to small businesses with about 10 employees or less looking for a full server solution to take care of all their IT needs. With Exchange 2007 now being available though, it makes the most sense for many businesses considering a new solution that will prepare them for the future to invest in the full Microsoft server products.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=34</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>AD/OD Integration with Mac OS X 10.4.8</title>
		<link>http://blog.aaronmarks.com/?p=33</link>
		<comments>http://blog.aaronmarks.com/?p=33#comments</comments>
		<pubDate>Fri, 02 Feb 2007 02:38:47 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Mac OS X Server]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[Open Directory]]></category>
		<category><![CDATA[OS X]]></category>
		<category><![CDATA[OS X Server]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=33</guid>
		<description><![CDATA[There are many reasons for why a company would want to integrate an Apple Open Directory server with a Microsoft Active Directory server, but the most common scenario is that a company already has a Windows centric IT environment. In this post we will explore this scenario along with an Apple centric environment that is [...]]]></description>
				<content:encoded><![CDATA[<p>There are many reasons why a company would want to integrate an Apple Open Directory server with a Microsoft Active Directory server, but the most common scenario is that a company already has a Windows-centric IT environment. In this post we will explore this scenario along with an Apple-centric environment that is looking to have full-featured Windows client support and greater stability.</p>
<p><span id="more-33"></span>The main advantage of running Mac OS X client computers connected to an Open Directory Master is that they can have managed preferences pushed down to them from the server. Some of these managed preferences include, but are not limited to, the ability to have a client computer perform a mobility synchronization which allows it to sync its home directory’s files while connected to the server. Another one of these managed preferences is the ability to tell a desktop workstation to just work off of a network home directory instead of locally on the hard drive (good for central storage and constant backup of workstations). These among many other managed preferences can only be taken advantage of in a Windows NT Server environment when the Apple Client computer is connected to an Open Directory server at the same time as an Active Directory server. The complications in this model come in the form of modifying which directory is used for what purposes.</p>
<p>The first scenario is the most common for businesses that have already been purchasing and using Windows NT based server solutions for the last decade. Most businesses are Windows-centric, even the ones that have a large percentage of Apple computers. For these companies there are many different routes to take to support cross-platform file sharing, but in this case we are going to assume that a company is looking to add on some of the features included with OS X Server, most importantly the managed preferences.</p>
<p>The second scenario is the business that is Apple-centric and considering the purchase of an Xserve. In this scenario a business would be concerned about stability and want the proven uptime and reliability of a Microsoft Windows Active Directory server. There are other reasons that businesses like these may opt for incorporating a Windows Server into their environment as well, such as Microsoft Exchange, better administration of domain-joined PCs through Group Policy, and more, but that could be an entirely different discussion. Due to <a href="http://blog.aaronmarks.com/?p=33">my research of the problems with Apple’s Open Directory</a> operating alone as an OD Master, there is a need for businesses that demand high availability in their IT solutions to integrate AD with OD.</p>
<p>The process of AD/OD integration in previous versions of Mac OS X was very difficult, but with each version of OS X it has become drastically simplified. Apple’s up and coming OS X Server 10.5 “Leopard” promises to make this process almost an afterthought. For the time being though I will point those interested in this procedure over to the resource that I learned from, the <a href="http://www.afp548.com/filemgmt_data/files/AD-OD-2.1.pdf">AD/OD Integration White Paper</a> over on AFP548.com. The White Paper is excellently put together and addresses the procedure for joining OS X 10.3 and OS X 10.4 clients/servers to Active Directory. The paper is slightly outdated though, due to the fact that Apple changed a few minor things to make this process easier with the release of the 10.4.6 update (10.4.9 should be out any day now). For the remainder of this post I will give a simplified version of the AD/OD integration process that applies to OS X at its current version of 10.4.8 while integrating with Microsoft Windows Server 2003 R2.</p>
<ol>
<li>From the OS X Server, join the Active Directory domain using the FQDN of the NT domain.</li>
<li>Now go into the Server Admin application and join your OS X Server&#8217;s &#8220;Windows Service&#8221; to the domain. Specify your server as a &#8220;Domain Member&#8221; and then enter your NETBIOS domain name (the OS X Windows Service uses old NT4 technology). After you hit save you will be prompted for a user name and password; enter an AD Domain Admins username and password.</li>
<li>Now bring up a terminal window and type in <code>dsconfigad -enableSSO</code> (MOST IMPORTANT STEP! Make sure all services such as AFP and SMB are enabled before this).</li>
<li>Now if you go back to the Windows service you should see the addition of a Realm as pictured (if it is visible then your services have been kerberized):</li>
</ol>
<p style="text-align: center"><a title="Windows Service Realm Name" rel="attachment wp-att-52" href="http://blog.aaronmarks.com/?attachment_id=52"><img src="http://i2.wp.com/blog.aaronmarks.com/wp-content/uploads/2007/03/windowsservice.png?w=420" alt="Windows Service Realm Name" data-recalc-dims="1" /></a></p>
<ol>
<li>Now it is necessary to create a home sharepoint&#8230; On a large partition that is part of a redundant RAID array and separate from the OS partition, create a folder named &#8220;OSXHome&#8221; from the Workgroup Manager.</li>
<li>Share the OSXHome folder with the permissions of User=Local Administrator R/W, Group=NTDOMAIN\Domain Users R, and Everyone=None.</li>
<li>Now it is necessary to create a home folder for each user, and this should be done using the template provided by OS X Server. The commands to be issued in the terminal are (note that the template path contains a space and must be escaped, and that the folder is handed to the user with <code>chown</code> afterwards):
<p align="left"><code>sudo cp -R /System/Library/User\ Template/English.lproj /Volumes/Data0/OSXHome/user</code></p>
<p><code>sudo chown -R user /Volumes/Data0/OSXHome/user</code></p></li>
<li>After creating a home folder for each user you can move on to the next step of configuring Active Directory. For this step, go under each user&#8217;s account in the AD Users and Computers Microsoft Management Console and specify the sharepoint as a UNC path. For example: <a href="file://\\XSERVE.fqdn.tld\OSXHome\user">\\XSERVE.fqdn.tld\OSXHome\user</a></li>
<li>Once the AD is configured for each user&#8217;s home folder then it is time to configure the Open Directory. The first step is to enable the server as an OD master, and then go to the directory access utility and make sure that AD is above OD/LDAPv3 under the Authentication tab. This will ensure that the AD server is used for authenticating clients at logon.</li>
<li>Now it is necessary to make sure that the Open Directory master doesn&#8217;t hand out a Kerberos configuration file to the clients when they join. This will have to be disabled and can be done according to this <a href="http://docs.info.apple.com/article.html?artnum=300765">document in Apple&#8217;s knowledge base</a>.</li>
<li>You can now add Active Directory users to Open Directory groups using Apple&#8217;s Workgroup Manager. The Open Directory groups can then be used to apply managed preferences and permissions to sharepoints that will be accessed by Apple-only clients (not recommended; you are better off just using AD groups for sharepoints).</li>
<li>The final steps are for configuring OS X Client computers. The first part of this is to connect an OS X client to the Active Directory. Open Directory Access and do this the same way that you did on the server. It is important though on the client to drop down into the advanced options and specify that you want to use AFP for the home directory mount as well as disable local home folders.</li>
<li>The client will also need to join the Open Directory, so follow the normal procedure for doing this, but also go under the advanced options and uncheck the box that says &#8220;Disable Clear Text Passwords&#8221;.</li>
<li>The final step is to make sure that AD is listed above OD/LDAPv3 under the authentication tab.</li>
<li>Now you should be able to log out and log back in as an Active Directory user, but will end up using the home folder listed in Active Directory as a network home directory.</li>
<li>Also, if you specify that a client is supposed to have a mobility synchronization then this will happen at login too, just as it normally would if a client were connected to just a standalone OD Master server.</li>
</ol>
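<p>As an added example, not part of the original post, here is the home folder creation step above turned into a small POSIX shell script that handles a whole list of users, quotes the template path (which contains a space), refuses to overwrite an existing home, and only changes ownership when the account name actually resolves on the server (if it does not, the AD binding is the first thing to check). It assumes the template and share paths named in the post; the user names are hypothetical.</p>

```shell
#!/bin/sh
# Added example (not from the original post): create one network home folder per
# AD user from the OS X Server user template, as the steps above describe.
# Assumptions: template and home share paths are the ones named in the post and
# can be overridden via the environment; user names are passed as arguments.

TEMPLATE="${OSXHOME_TEMPLATE:-/System/Library/User Template/English.lproj}"
HOME_ROOT="${OSXHOME_ROOT:-/Volumes/Data0/OSXHome}"

# make_home USER: copy the template to $HOME_ROOT/USER and hand it to USER.
# Returns 0 on success, 1 if the template is missing or the copy fails,
# 2 if the home already exists (it is left untouched so nothing is clobbered).
make_home() {
    user="$1"
    dest="$HOME_ROOT/$user"
    if [ ! -d "$TEMPLATE" ]; then
        echo "template not found: $TEMPLATE" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "home already exists, leaving it alone: $dest" >&2
        return 2
    fi
    # Every path is quoted: the template directory name contains a space,
    # which is exactly what the backslash escape in the post's command guards.
    cp -R "$TEMPLATE" "$dest" || return 1
    # Only chown when the name resolves; an unresolved AD user usually means
    # the server is not (yet) bound to the domain, so say so instead of failing.
    if id "$user" >/dev/null 2>&1; then
        chown -R "$user" "$dest" || echo "warning: chown failed for $dest" >&2
    else
        echo "warning: $user does not resolve here; check the AD binding, ownership unchanged" >&2
    fi
    return 0
}

# make_homes USER...: run make_home for each name and print how many were created.
make_homes() {
    ok=0
    for u in "$@"; do
        make_home "$u" && ok=$((ok + 1))
    done
    echo "$ok"
}
```

Run it as root on the server, e.g. <code>sudo sh make_homes.sh</code> after adding a line such as <code>make_homes alice bob</code> at the bottom, or source it and call <code>make_home</code> per user.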
<p>Please comment and let others know if you run into any issues or have found any shortcuts or helpful additions.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=33</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Apple IMAP Experience</title>
		<link>http://blog.aaronmarks.com/?p=32</link>
		<comments>http://blog.aaronmarks.com/?p=32#comments</comments>
		<pubDate>Thu, 01 Feb 2007 00:21:01 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Mac OS X Server]]></category>
		<category><![CDATA[Cyrus]]></category>
		<category><![CDATA[History]]></category>
		<category><![CDATA[IMAP]]></category>
		<category><![CDATA[OS X Server]]></category>
		<category><![CDATA[Postfix]]></category>
		<category><![CDATA[Squirrel]]></category>
		<category><![CDATA[UW]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=32</guid>
		<description><![CDATA[There are a lot of places to start when discussing IMAP email. I could start with its technical aspects, postives, negatives, supported platforms, etc. I think that it makes the most sense to start by discussing IMAP&#8217;s history. IMAP was originally conceived at Stanford in 1986 by Mark Crispin who was later hired by the [...]]]></description>
				<content:encoded><![CDATA[<p>There are a lot of places to start when discussing IMAP email. I could start with its technical aspects, positives, negatives, supported platforms, etc. I think that it makes the most sense to start by discussing <a target="_blank" href="http://www.imap.org/about/history.status.html">IMAP&#8217;s history</a>.</p>
<p>IMAP was originally conceived at Stanford in 1986 by Mark Crispin, who was later hired by the University of Washington in 1989. The first IMAP server was deployed at Stanford for testing in 1987, but it wasn&#8217;t until 1992 that the first IMAP server was truly implemented. In 1992, with the help of Mark Crispin and many others contributing to the UW-IMAP server application, the University of Washington rolled out one of the largest IMAP implementations to date using the IMAP2bis protocol, along with the Pine 2.0 front-end client application. It was during this same year, 1992, that Carnegie Mellon University began development of their own Cyrus IMAP project, which is the most widely used IMAP service today. It was at the University of Washington in 1996 that, together with vendors such as Sun and Netscape, the current IMAP4rev1 protocol specification was completed.</p>
<p><span id="more-32"></span></p>
<p>UW-IMAP is still used by educational institutions such as the University of Washington, but Cyrus IMAP has become the most popular IMAP server world-wide due to its fast performance, scalability, compatibility, and ease of implementation. Cyrus IMAP has been the IMAP server of choice in nearly all Linux distributions as well as Apple Mac OS X Server recently.</p>
<p>Apple&#8217;s server email implementation is based on a combination of Cyrus IMAP, Postfix, and SquirrelMail. Postfix is simply used for SMTP traffic, and SquirrelMail is used for the webmail front-end. Postfix&#8217;s basic settings on OS X Server are configured through the Server Admin application&#8217;s Mail component, whereas SquirrelMail is simply enabled or disabled through the Web component of Server Admin. Any advanced settings for Postfix need to be set through either its master.cf or main.cf configuration files in /etc/postfix/.</p>
<p>There are some other small components that contribute to Apple&#8217;s mail implementation that are mainly implemented through Cyrus&#8217; feature called Sieve filtering. The most notable addition is SpamAssassin, which is configured as well through the Mail component of Server Admin. The biggest complaint that I have with SpamAssassin on OS X is that it just does not work well. I have found that SpamAssassin will not tag enough messages as spam even when set to its strongest level. SpamAssassin can be configured properly through the terminal, but it will never be anywhere near as accurate as many of its competing solutions on the market such as Microsoft&#8217;s Intelligent Message Filter.</p>
<p>Now onto the problems with Apple&#8217;s IMAP experience: configuration of shared email folders, poor junk mail filtering, configuration glitches with Server Admin, and Cyrus database corruption.</p>
<p>The first issue that should be addressed by Apple is some form of collaboration, even if we have to wait until 10.5 to get shared calendars and address books with CalDAV. The version of Cyrus IMAP included with 10.4 Server supports shared email folders through Access Control Lists, similar to how users are able to share resources through Microsoft Exchange and other groupware products. The problem though is that Apple never gives the user or administrator any way to edit these ACLs. This leaves the admin/user with only two options. The first option that is included with OS X Server is to use the command line tool cyradm, which allows for editing of the ACLs in a very complicated way that is only accessible to Unix-savvy admins. The next and slightly simpler way is to download a tool called Sir Admin by Nigel Kersten that allows editing of the ACLs in the Cyrus database through his GUI tool. Whichever route is taken, an admin account needs to be set up through the command line, and the process is overly complicated when it could simply be part of Server Admin or Workgroup Manager.</p>
<p>The second problem has to do with the poor junk mail filtering. Apple&#8217;s implementation of SpamAssassin only allows for tagging of messages as spam by changing their subject line. For example, SpamAssassin will append *** JUNK MAIL *** by default to messages that are believed to be spam. The problem though is that administrators need to create a rule in each user&#8217;s mail application to move these junk mail messages into the user&#8217;s junk mail folder. Ideally SpamAssassin should be able to reject/delete messages with a specified likelihood of being spam and be capable of moving possible spam messages at a different level to the user&#8217;s IMAP junk mail folder.</p>
<p>The third issue has to do with Apple&#8217;s configuration of Unix config files through the graphical user interface (GUI) tool Server Admin. Server Admin writes the configuration files correctly 99% of the time, but occasionally it will make a mistake in one of the configuration files that will either break a certain feature or sometimes the whole mail service. The biggest problem with this issue is that admins who aren&#8217;t familiar with UNIX would have lots of trouble diagnosing the problem. The configuration errors always seem to be with the /postfix/main.cf file, but even the smallest errors seem to be capable of stopping the whole service. I have seen simple problems such as errors in the name of an RBL (real-time blacklist) server causing the blacklist box to be grayed out in Server Admin. These issues have been present in 10.4 since its release, but my testing doesn&#8217;t date far enough back to 10.3 to make any statements about previous versions.</p>
<p>Then the fourth and largest problem is corruption of the Cyrus mail store. The Cyrus mail store consists of a database with references to a flat file system that contains all of the email messages and attachments. Due to the mail store&#8217;s simple layout it never seems to have any problems, but there is a problem with the version of Cyrus IMAP included with OS X 10.4 that causes the database to be corrupted under certain circumstances. I have seen corruption occur in primarily one way, and it has to do with email folders. Unfortunately for Apple, this problem can only be created when using Apple Mail. Mail.app can cause this problem when a user moves a group of folders and then decides to either move the folders back to their original location before the mailbox move is complete or delete the folder before the mailbox move is complete. The issue is a problem with both Mail.app and Cyrus, because both programs should protect against this issue. After this error/corruption has occurred the folder will still be referenced by the database, but it won&#8217;t exist in the mail store. I have found in my testing no other way to take care of this problem other than flushing out the database and rebuilding it from the current mail store using a <a href="http://osx.topicdesk.com/mailbfr/">tool called mailbfr</a> that has the ability to generate a new mail database using the cyrusimap tool included with OS X Server. The problem with recreating the database is that it affects all users by removing any mail flags such as reply, forward, or follow-up, and it also loses any links between messages in the mail folders and sent messages.</p>
<p>Apple&#8217;s email implementation will work well for many small businesses, but if email is a primary concern for your IT, then I would suggest taking a pass on Apple&#8217;s IMAP experience.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=32</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Open Directory Issues</title>
		<link>http://blog.aaronmarks.com/?p=31</link>
		<comments>http://blog.aaronmarks.com/?p=31#comments</comments>
		<pubDate>Sun, 28 Jan 2007 11:16:00 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Mac OS X Server]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Bug]]></category>
		<category><![CDATA[kerberos]]></category>
		<category><![CDATA[Open Directory]]></category>
		<category><![CDATA[OS X Server]]></category>
		<category><![CDATA[Rant]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=31</guid>
		<description><![CDATA[When Apple designed its directory service, simplicity was the likely the central focus. Open Directory is easy to configure and easy to administer, when it is working. Apple’s Open Directory quickly became the single most frustrating point of my research. Although Apple has created Open Directory from the solid foundation of Kerberos and OpenLDAP, they [...]]]></description>
				<content:encoded><![CDATA[<p><img align="left" src="http://i1.wp.com/blog.aaronmarks.com/wp-content/uploads/2008/03/index_workgroup20071009.gif" alt="Workgroup Manager" data-recalc-dims="1" />When Apple designed its directory service, simplicity was likely the central focus. Open Directory is easy to configure and easy to administer, when it is working. Apple’s Open Directory quickly became the single most frustrating point of my research. Although Apple has created Open Directory from the solid foundation of Kerberos and OpenLDAP, they made a mistake at some point. I have been working on these issues for almost a year now, and I frequently ran into them while I was consulting for another Mac IT firm in Seattle. During this consulting stint that lasted for 6 months I completed over twenty OS X Server installations and had direct access to resources at Apple to solve problems and report bugs. The issues that I ran into with Open Directory were ignored and denied by Apple. The stock answers that I continually received never addressed the problem.</p>
<p><span id="more-31"></span>There are many reasons why a problem like this can possibly go undetected by the IT community at large, but with OS X I assume that it has to do with its highly specialized and small audience. The nature of OS X Server’s audience tends to fall into two categories; the first being highly knowledgeable UNIX administrators and the second being small business owners setting a server up on their own.</p>
<p>During my consulting I have worked on servers that have been set up by both types, and I have noticed a common thread in both that explains why this problem has not been publicized. With the more popular segment of OS X Server administrators being the small business owner trying to do things on his own, many do not configure even the most basic services of OS X Server that exhibit these problems. The typical small business owner that tries doing things on his own will configure OS X as an AFP and SMB file server and generally go no deeper than this. The most interesting part that I found with this setup is that very few of these administrators ever turned their OS X Server into an Open Directory Master, which in effect enables Open Directory. The option they chose was to leave the server running as a standalone server, which just uses Apple’s local NetInfo database for storing user names and passwords. This setup in effect disables not only LDAP but also Kerberos and Apple’s own PasswordService.</p>
<p>The next category of administrators that I came across was the highly-trained full time IT Administrators. These full time administrators either had UNIX or Active Directory Servers that integrated Open Directory. These admins used their Mac OS X server as a File Server, but were authenticating through either UNIX hosted LDAP/Kerberos or Active Directory.</p>
<p>The common trend between these two different scenarios is that neither is actually using Open Directory as the core directory service environment. This brings up a third, and what I believe to be the smallest segment of the Mac OS X Server environments, which is the IT admin/consultant implementing Mac OS X Server as the primary directory platform. When implementing OS X Server as the primary directory service environment it is configured as an Open Directory Master under the Server Admin application. Once configured as an Open Directory Master, OS X Server automatically creates the LDAP database, enables the Kerberos Domain Controller (KDC), and runs Apple&#8217;s sso_util to configure Kerberos. Apple defines their sso_util as follows:<br />
<code>sso_util is a tool for setting up, interrogating and tearing down Kerberos configurations within the Apple Single Sign On environment. This tool can configure services, create and consume encrypted config records and tear down Kerberos installations</code></p>
<p>Apple claims that Kerberos is optional for OS X to work correctly, when in my testing I have found that it is essential to Mac OS X Server operating correctly. Although users do have the option of using Apple’s PasswordService for authentication, Kerberos is the preferred method and it is what OS X Server uses behind the scenes for its authentication verification. The alternative authentication method that is always running on OS X Server regardless of directory mode is Apple’s PasswordService, which has been part of OS X since the NeXT days. I believe that the problems with OS X while operating as a directory master lie in some form of miscommunication between the PasswordService, LDAP, and Kerberos. Due to the fact that I haven’t received any useful information from Apple on this issue, I’m not able to provide any truly insightful explanations of the process by which the problem manifests itself. As a result all of my deductions are purely speculative.</p>
<p>The problem/bug can be experienced on every Open Directory Master server immediately after a clean install of the OS and promotion to OD Master simply by making repeated VPN attempts on a server. After repeated authentication attempts the DirectoryService reports:<br />
<code>Aug 29 21:34:23 xserve DirectoryService[72]: Search connection failure: During an attempt to bind to [127.0.0.1] LDAP server.</code><br />
<code>Aug 29 21:34:23 xserve DirectoryService[72]: Search connection failure: Disabled future attempts to bind to [127.0.0.1] LDAP server for next 0 seconds.</code></p>
<p>I have never seen an OS X Open Directory Master that did not exhibit this behavior, and the fact that Apple will not acknowledge the problems leads me to believe that they either know the problem exists and do not care or they know it exists and they have no idea how to fix it. The symptoms of this problem are that the DirectoryService crashes and no authentication attempts will be authenticated, which basically means the server is stalled. From the error message it appears that the server is having a problem authenticating to localhost, its own IP address, or 127.0.0.1, and that it will disable future attempts for an unspecified amount of time. I have found that the unspecified amount of time will generally end up being a server stall for approximately 5 minutes and an occasional full crash requiring a reboot of the server.</p>
<p>Key components to making sure that Kerberos and Apple&#8217;s directory service function properly are tied to domain name service (DNS). I have configured all DNS settings properly. This can be tested before promoting a server to OD master by testing hostname, forward name resolution, and reverse name resolution.</p>
<p align="left"><em>For my example, my server is named miniserve.aaronmarks.com. The first test at a terminal window is to type the following to test the forward lookup:</em></p>
<p align="left"><code>miniserve:/ localadmin$ host miniserve.aaronmarks.com</code></p>
<p align="left"><em>You should be returned something like this:</em></p>
<p align="left"><code>miniserve.aaronmarks.com has address 10.11.12.13</code></p>
<p align="left"><em>The next test is for the reverse lookup, so enter something like this (replace with the IP address of your server) </em></p>
<p align="left"><code>miniserve:/ localadmin$ host 10.11.12.13</code></p>
<p align="left"><em>If things are configured properly you should receive something like this: </em></p>
<p align="left"><code>13.12.11.10.in-addr.arpa domain name pointer miniserve.aaronmarks.com.</code></p>
<p align="left"><em>Lastly, we need to test the hostname of the server, so just type in: </em></p>
<p align="left"><code>miniserve:/ localadmin$ hostname</code></p>
<p align="left"><em>The returned value should be the FQDN of your server: </em></p>
<p align="left"><code>miniserve.aaronmarks.com</code></p>
<p align="left">If all of these tests were completed successfully like they were for me then theoretically a server should be able to be promoted to Open Directory Master. If this is done and then repeated authentication attempts are made to a 10.4.8 server&#8217;s VPN service (repeated connects and disconnects), the server will crash.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=31</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Open Directory Architecture</title>
		<link>http://blog.aaronmarks.com/?p=30</link>
		<comments>http://blog.aaronmarks.com/?p=30#comments</comments>
		<pubDate>Thu, 25 Jan 2007 11:15:29 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Mac OS X Server]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[kerberos]]></category>
		<category><![CDATA[Open Directory]]></category>
		<category><![CDATA[OS X Server]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=30</guid>
		<description><![CDATA[Open Directory is Apple’s answer to Microsoft’s enterprise directory standard, Active Directory. Open Directory is the directory service and network authentication architecture at the core of Mac OS X Server starting with OS X Server 10.3 “Panther”. As with most of Apple’s technologies Open Directory is based on an open source technology, OpenLDAP, as well [...]]]></description>
				<content:encoded><![CDATA[<p>Open Directory is Apple’s answer to Microsoft’s enterprise directory standard, Active Directory. Open Directory is the directory service and network authentication architecture at the core of Mac OS X Server starting with OS X Server 10.3 “Panther”. As with most of Apple’s technologies, Open Directory is based on an open source technology, OpenLDAP, as well as its primary authentication protocol, Kerberos, which is borrowed from MIT’s Kerberos project.</p>
<p><span id="more-30"></span></p>
<p>Similar to other directory service environments, Open Directory stores and organizes information about users and computers, which is supposed to allow administrators to control network security and access control lists for file server access. A big difference between Open Directory and Active Directory is that Open Directory does not store server configuration information in its LDAP schema as Microsoft’s solution does.</p>
<p>Open Directory natively only communicates with other Open Directory servers, but with tools available from Apple in the Directory Services application, it is possible to connect to Microsoft’s Active Directory as well. Once Open Directory and Active Directory are connected it is possible for them to share the same Kerberos domain controller (KDC) for many important services (AFP, SMB, Login, WWW).</p>
<p>Open Directory includes enterprise-grade features that are beneficial to larger implementations, such as directory replication to a mirrored member server as well as integration with all of OS X’s other services such as Mail, VPN, Chat, Web, Xgrid, AFP, SMB, NFS, Windows, and Kerberos (in Open Directory exclusive implementations).</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=30</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mac OS X History</title>
		<link>http://blog.aaronmarks.com/?p=29</link>
		<comments>http://blog.aaronmarks.com/?p=29#comments</comments>
		<pubDate>Tue, 23 Jan 2007 03:04:53 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Mac OS X Server]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[History]]></category>
		<category><![CDATA[NeXT]]></category>
		<category><![CDATA[OS X]]></category>
		<category><![CDATA[Steve Jobs]]></category>
		<category><![CDATA[Woz]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=29</guid>
		<description><![CDATA[As a company, Apple has a very long history but Mac OS X&#8217;s history is actually more closely tied to its current CEO, Steven P. Jobs. Although Steve Jobs founded Apple Computers, now Apple Inc., with his friend Steve &#8220;Woz&#8221; Wozniak, he was demoted from his executive position on May 31, 1985 and then resigned [...]]]></description>
				<content:encoded><![CDATA[<p><img align="right" src="http://i1.wp.com/blog.aaronmarks.com/wp-content/uploads/2008/03/300px-next_logo_svg.png?resize=150%2C150" alt="NeXT Logo" data-recalc-dims="1" />As a company, Apple has a very long history but Mac OS X&#8217;s history is actually more closely tied to its current CEO, Steven P. Jobs. Although Steve Jobs founded Apple Computers, now Apple Inc., with his friend Steve &#8220;Woz&#8221; Wozniak, he was demoted from his executive position on May 31, 1985 and then resigned on September 13, 1985. During his time away he formed a company by the name of NeXT Inc. Steve Jobs&#8217; new company was in business from 1985 until December 20, 1996 when it was bought out by Apple.</p>
<p>The seed was planted for Mac OS X&#8217;s birth in 1985 when Steve Jobs met with Paul Berg, a Nobel Laureate and biochemist from Stanford, at an event held in Silicon Valley. Berg complained to Jobs about the expense of teaching students about recombinant DNA from textbooks instead of in the wet lab. Berg explained to Jobs that he needed Apple to create something similar to a 3M workstation, due to the fact that they had more than 1MB of RAM, a megapixel display and over a megaflop of performance.</p>
<p><span id="more-29"></span>Berg&#8217;s concept for a workstation was far beyond anything that Apple was offering at the time, and the concept of a workstation had Steve Jobs contemplating starting a higher education computer company during his last days at Apple in the fall of 1985. This idea led Jobs to start his own computer company immediately after resigning from Apple on September 13, 1985. Jobs started NeXT with his fellow Apple employees Bud Tribble, George Crow, Rich Page, and Susan Barnes, who were some of the largest contributors to Apple&#8217;s early successes.</p>
<p>NeXTSTEP was intended to be a highly advanced object-oriented programming environment and user interface, and the original plans for the NeXT computer were to purchase an already available operating system to meet NeXT&#8217;s demanding specifications. They needed an object-oriented programming environment and a Unix-like Mach-based OS for the toolkit to run on. As a result Steve Jobs went to Carnegie Mellon University and recruited Avie Tevanian, one of the original Mach engineers, to lead NeXT&#8217;s software development team. At this time NeXT began development of their operating system using Objective-C, just as Mac OS X still uses today. Objective-C is a reflective object-oriented programming language that adds Smalltalk-style messaging to C.</p>
<p>Jobs unveiled the first NeXT computer, running NeXTSTEP 0.8, on October 12, 1988 in San Francisco. It wasn&#8217;t until a year later, though, that the final version of the product, NeXTSTEP 1.0, shipped on September 18, 1989. NeXTSTEP was based on Mach 2.5 and 4.3BSD, just like OS X, which today is based on Mach 3 and FreeBSD 5.</p>
<p>Here&#8217;s a video of Steve Jobs demoing NeXTSTEP:<br />
<span class='embed-youtube' style='text-align:center; display: block;'><iframe class='youtube-player' type='text/html' width='640' height='390' src='http://www.youtube.com/embed/j02b8Fuz73A?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' frameborder='0'></iframe></span></p>
<p>Another interesting note about Mac OS X&#8217;s history as NeXTSTEP is that Sir Tim Berners-Lee used a NeXTcube in 1991 to create the first web browser and web server, which was the beginning of the World Wide Web that we use today. Another not nearly as important piece of history, but still interesting, is that John Carmack used a NeXTcube to build two of the most popular games ever: Doom and Wolfenstein 3D.</p>
<p>After NeXT&#8217;s failure as a hardware company in the late 80&#8242;s and early 90&#8242;s it began porting the NeXTSTEP OS to run on Intel systems in 1992. NeXT soon after dropped their hardware business altogether and renamed the company NeXT Software, Inc. NeXTSTEP 3 was eventually ported to four different platforms: PA-RISC, SPARC, Intel x86, and Motorola 68000. Due to the flexible nature of the NeXT OS it became very popular with some prominent organizations such as the CIA and various other government organizations.</p>
<p>The final part of NeXTSTEP&#8217;s development continued under the name OpenStep after NeXT teamed up with Sun Microsystems. OpenStep was basically NeXTSTEP without the Mach Unix kernel. OpenStep was supposed to be a toolkit that ran on top of other OS&#8217;s, much as NeXT originally intended.</p>
<p>On December 20, 1996 Apple purchased NeXT Software, Inc. for $429 million. Apple&#8217;s purchase of NeXT was primarily for the use of NeXTSTEP as Apple&#8217;s next operating system, which we all know today as Mac OS X. At this same time Steve Jobs assumed the role of CEO and all of the executives of NeXT replaced their counterparts at Apple. Over the next four years the NeXTSTEP operating system was ported to the IBM-based PowerPC architecture that Apple was using in all of its current computers. Apple&#8217;s code name for the development of the NeXT software to their own platform was Rhapsody, and the name for the OpenStep Toolkit was Yellow Box. A lot of Rhapsody&#8217;s development was focused on ensuring backwards compatibility by allowing older Mac applications to run in a self-contained environment known as Blue Box, as well as porting existing tools such as QuickTime and ColorSync.</p>
<p>After two beta releases of Rhapsody, it finally became known as Mac OS X Server 1.0. Then two years after the release of Server 1.0, Mac OS X was released in a consumer version known as Mac OS X 10.0. Soon after the release of the consumer version of OS X 10.0 the server version was brought into sync, and it has remained in sync over the last 6 years. The Yellow Box toolkit was renamed to Cocoa and the Blue Box/Classic toolkit was renamed to Carbon just before the release of the consumer version of Mac OS X.</p>
<p>Mac OS X continued from NeXT&#8217;s roots and today still runs on many of the same revolutionary technologies that were developed in the late 80&#8242;s such as preemptive multitasking and memory protection.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=29</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apple Mac OS X Server 10.4 Overview</title>
		<link>http://blog.aaronmarks.com/?p=28</link>
		<comments>http://blog.aaronmarks.com/?p=28#comments</comments>
		<pubDate>Mon, 15 Jan 2007 18:00:15 +0000</pubDate>
		<dc:creator>Aaron Marks</dc:creator>
				<category><![CDATA[Mac OS X Server]]></category>
		<category><![CDATA[10.4]]></category>
		<category><![CDATA[OS X Server]]></category>
		<category><![CDATA[tiger]]></category>

		<guid isPermaLink="false">http://blog.aaronmarks.com/?p=28</guid>
		<description><![CDATA[An incredible product for businesses looking into purchasing a server on a budget. The biggest difference between Mac OS X Server and its competitors is the licensing model Apple has chosen to use. Mac OS X Server 10.4 offers a wallop of features at its $499 price point for 10-clients. If there is a need [...]]]></description>
				<content:encoded><![CDATA[<p>An incredible product for businesses looking into purchasing a server on a budget. The biggest difference between Mac OS X Server and its competitors is the licensing model Apple has chosen to use. Mac OS X Server 10.4 offers a wallop of features at its $499 price point for 10-clients. If there is a need for greater than 10 users Apple also offers an unlimited client version that is only limited by the processing power of the server it is installed onto. My testing has revolved around the unlimited client version which will be the focus of this post, but both versions contain the exact same feature set.</p>
<p><span id="more-28"></span><br />
Most businesses looking for a server are going to be looking for a minimum of 4 roles in their server.  The first role is the central hub to any server system, its directory and authentication system. Mac OS X Server 10.4 is no exception to this rule. 10.4 Server is based on Apple&#8217;s Open Directory architecture which is primarily just an LDAP version 3 (Lightweight Directory Access Protocol) server with Kerberos authentication. It is based on a great set of core technologies that have been tried and tested, and have proven themselves in the Open Source world. These are the same set of core technologies that power nearly every enterprise-grade Linux/UNIX server that most companies have been deploying for years now.</p>
<p>The next critical role is the company file server. Many businesses regard this as the heart and soul of their IT world and Apple has taken a lot of notice of this. Apple&#8217;s file server contains almost every necessary protocol on paper to allow almost any platform to connect to the server and share files seamlessly. Apple offers access to file shares in AFP (Apple Filing Protocol), SMB (Samba or Server Message Block), and NFS (Network File System). All three of these protocols are directed at specific platforms; AFP is the native network file sharing protocol for Apple computers, SMB is the same for Windows, and NFS is typically used in SAN applications and for UNIX-based clients. Apple has gone to great lengths to ensure interoperability among all platforms with most aspects of their server &#8211; the filing protocols are no exception.</p>
<p>The third server role is the messaging platform. This is usually the largest focus for most businesses making server decisions these days. Not all messaging platforms are to be treated equally, but there is plenty of room for this discussion in another post. Apple chose to base their messaging platform on the most popular and developed open source IMAP server, Cyrus IMAP, developed at Carnegie Mellon University. Cyrus IMAP is widely supported in the Information Technology community and is regarded as a flexible and robust messaging platform that can support hundreds of thousands of mailboxes. On the connector side of things, Apple has chosen to use Postfix for SMTP, which is a highly scalable and efficient SMTP service that has been around for years. The biggest thing left to be desired from Apple&#8217;s messaging platform in their 10.4 Tiger version is the inclusion of some form of groupware: the ability to share calendars, availability information, company resource tracking, and contact lists.</p>
<p>Last but not least, the fourth role is the web server. Apple has included the reliable, secure, and industry standard Apache web server in their server solution. Apache&#8217;s httpd web server is highly extensible and ready to be interfaced with many other internet standards for web development and publishing such as PHP and MySQL. Apple has even gone as far as precompiling Apache with MySQL and PHP integrated into OS X Server. This solution will allow most businesses to implement their web pages with almost zero time spent hassling with the messy testing of different compiled configurations. Apple chose a solution for their web server that will &#8220;just work&#8221; for most users.</p>
<p>As we can see, Apple has a great list of features for their current server operating system. The server is essentially a compilation of many different open source projects, but Apple has done an excellent job of choosing from many of the best projects. In future posts we will explore Apple&#8217;s offering in greater depth and how it stacks up against the competition.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.aaronmarks.com/?feed=rss2&#038;p=28</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
