This IS the short version ;)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Sun 11/6/2005 10:16 AM
To: [email protected]
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2
DSProxy Referral Process Changes


damn... do you have a short version of this story?

________________________________

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 11/6/2005 5:12 PM
To: [email protected]
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2
DSProxy Referral Process Changes


Oh, I understand. I definitely understand I wasn't the only one; I don't think
it would have been fixed if it was just me.
 
My contributions included:
 
1. Debating strongly with Alliance PSS (on- and offsite people).
2. Debating strongly with onsite MCS.
3. Debating strongly with Dev.
4. Wrote Steve Ballmer as a concerned MVP.
5. Posted this issue (pointing out the security aspects) both in groups like
this and in the public newsgroups. (The public delegates aspect is a security
issue.)
6. Reposting every single time I saw anything that related to it.
 
Initially I hit it with DLs and I got beaten down by PSS and MCS because they
said the design the company I worked with at the time had (we will call it
widget company again) was based on the idea that they didn't need DLs, so it
was specifically designed without DLs in mind, and had we wanted DLs the
design would have been different because they knew all about this problem.
 
Then several months later reports of issues with public delegates started
surfacing. I was working on some other thing at the time; I believe it was
setting up web pages to do things like short-term delegation of mailbox
access so that the third-level Outlook people could ask to get access to a
mailbox and it would all be logged, quota management, mailbox permission
reports, conference room setup, etc. Anyway, I sat in the Friday con call
while onsite PSS discussed the issue and it sounded like the same GC issue as
I had stumbled on before. I mentioned that they would want to check that out
and verify which GCs were being talked to and redirect them to a more
appropriate GC, as I had documented and shown for the DL issue before. I
didn't want to jump into it and really look at it, as I always seemed to get
into some sort of trouble for finding and pointing out MS screwups and any
issues in the Exchange design. My boss loved it because it meant we fixed
something that would hurt once in production; my boss's boss hated it because
it slowed down the project he was being graded on with the execs, which was
way over budget and way over timeline.
 
Next Monday's con call they still didn't have a clue; more descriptions still
sounded like a GC issue, and I said so again. Ditto Tuesday's con call. On
Wednesday we had our "everyone gets in one room" meeting to discuss the
problems, and when that problem came up I yet again pointed out that it
really sounded like the GC issue. Either MS really didn't want it to be that
and they were looking for anything else it could be, or the analysts really
had no clue what they were looking at. I expect the latter. I told my friends
in MCS that the PSS guy was screwing this up and they needed to bird-dog him
because he was going to make MS look like idiots again. They said they
couldn't for some reason or another.
 
Thursday con call, same issue, no progress. Thursday around 6PM, when I was
settling into the lab to get some serious work done[1], I got grabbed by one
of our third-level Outlook folks (a good friend) who was working the issue[2],
and she said I had no choice, as she would kick my butt, and that she was
making me work on that issue. Within 15 minutes I proved that what I had said
the previous Friday was the issue, and also learned how badly Outlook handled
the issue: if you removed a public delegate it would disappear from the list
because it was removed from the store, but it was still in AD, so it was still
active. Outlook never showed an error message and from then on showed the
value incorrectly, so someone had send-on-behalf permissions that were not
shown unless you looked directly at the directory (security issue).
 
MS PSS reported again in the Friday con call that they had no idea and they
were bumping the issue to Sev-A to get ROSS onsite to do a debug. I waited
until the TAM was completely done with what she wanted to say and then said
the issue is the GC issue. MS said no, it wasn't; they couldn't confirm that.
Then I said that I knew absolutely it was the issue. The people on the call
had known me long enough not to question when I said "absolutely" versus "it
should be checked" or "it appears" or "possibly". So the following week we had
the same meetings we had had several months ago, only I was holding the hammer
and I was bringing up everything MS had said previously about the design, and
so I asked the obvious question of whether we were designed to have public
delegates work or did we say we didn't need those too? That was an obvious
setup question because most large companies use public delegates a lot, and
this widget company really used public delegates a whole lot.
 
That spawned a whole bunch of debating, which ended up with me indicating the
solutions, one of which was a complete redesign of the Exchange infrastructure
that MS had worked hand in hand on with our Exchange dev folks for a couple
of years[3]... Things got hot. In the end Dev still came back and said it was
by design and would not be changed. That prompted my note to SteveB with a
question of what the hell is wrong with the Exchange Dev people? I indicated
we currently had a big push to go towards Linux and were doing everything we
could to show how conducive MS was to making things work for us, and Exchange
comes along and tells us to piss off, our product sucks by design and we
aren't fixing it. Then I went out and made sure everyone I could think of was
aware of that limitation and how it would impact Enterprise deployments and
the security implications, and how there was no real way to know if you had a
problem with your currently configured public delegates or not without
auditing every single mailbox. If just one large company or military org
listened and started complaining to MS, it was a good thing. A couple of
weeks later Dev came back and said it would be corrected in 2K3, probably
SP2. MS then sent someone onsite to build a website for users to use to
configure their public delegates, and we had to retrain all of the users to
use that instead of Outlook. That was pretty funny too, because the guy came
straight to me and asked if I knew which .NET objects he could use to
manipulate the Exchange pieces he needed to monkey with. I told him he needed
to learn two words: P-Invoke. He wasn't happy. A week later he came and asked
if he could have some VBScript code I had written for manipulating the folder
roles, etc. in a mailbox.
 
There is even more to that story that impacted me, but this is long enough
already. Hopefully it illustrates things for folks. There are good and bad
PSS/MCS folks; it is your duty as a technical person representing your
company to understand which ones you are working with and to question them on
everything that you don't understand or don't agree with. Don't be afraid to
fight for what you think is right. If you are told "well, you are the only one
that has ever said that is an issue"[4], go out into the public and start
asking people. The Exchange PSS person who was working onsite at the widget
company was almost completely worthless and was actually often dangerous. The
TAM had ordered this person not to speak during con calls or meetings unless
the TAM signaled the person. The sad thing was that everyone on the account
at the tech level knew this person was trouble, but when I talked to them they
said the person couldn't be removed unless the customer (I was a contractor
for the customer) actually officially complained, and I explained what my
manager's manager felt about my "meddling" already.
 
All of that and I still like MS and think they are best suited for many/most
companies. I still consider Exchange to be a serious pain, but I also see it
as one of the best out there, one that I intend to keep pushing on to get better.
Currently being the best doesn't mean you can suck indefinitely. ;o) Note I
don't know all aspects of Exchange and don't really intend to. I have been
told the routing engines are amazing, etc. My focus is the AD integration,
permissioning, monitoring and troubleshooting; I find it lacking there and
have no issue broadcasting the lacks that I find so others won't be surprised
by them at 3AM some time. Right now I am working with them on a WMI monitoring
issue and I am starting to hear the By Design comments again, and I am sliding
into the "it is by design that you can't use the interfaces designed to
monitor the health to actually monitor the health" response mode....
 
   joe
 
 
 
[1] All serious work happened after the normal 8-hour day, when people would
leave me alone.
[2] Same person who did the majority of the alpha/beta testing and spec'ing of
the Auto Accept Agent that is publicly available now.
[3] That woke up our upper Messaging management. That design cost probably
millions in actual dollars for billable time to PSS/MCS over the years.
[4] That is one of my particular favorites, right after the "it's by design" for
something you know that they never thought of or intended.
 
 

 
________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, November 06, 2005 12:12 AM
To: [email protected]
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2
DSProxy Referral Process Changes


You weren't the only one [1]
 
Tony
 
[1] ...but I'm guessing you were the most vocal. ;-)

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, 5 November 2005 10:41 a.m.
To: [email protected]
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2
DSProxy Referral Process Changes


You are all welcome. ;o)
 
This is the issue I posted about back in, I think, 2003 (end of summer / fall)
and again in 2004 (spring) that I "discussed" with MS. :o)
 
As it mentions, this doesn't help much with DLs; it is primarily targeted to
help issues with Outlook modifying the account of the user who is running
Outlook, such as public delegates and certs. If you make sure that people can
only manage DLs in the same domain as their userid, this can offer relief
from the issues there as well, obviously.
 
 
Oh, BTW, there is a new KB article concerning some folks that may have been
burned by this new functionality.
 
http://support.microsoft.com/?id=908443
<http://support.microsoft.com/default.aspx?scid=kb;en-us;908443&sd=rss&spid=1773>
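The two directory-side checks joe describes in this thread, as an added example that is not code from the thread or from Microsoft: the long message above notes that a removed public delegate can vanish from Outlook while the grant is still active in AD, so the only reliable audit is to read the directory for every mailbox; this message adds that DL trouble is avoidable if managers and the DLs they manage live in the same domain. The script assumes the ActiveDirectory PowerShell module, that Send on Behalf grants are stored in the `publicDelegates` attribute and DL ownership in `managedBy` (both standard AD attributes), and that both are replicated to the global catalog; if an attribute is not in your GC partial attribute set, run the same query per domain instead.

```powershell
# Added example (not from the thread). Enumerates Send on Behalf grants and DL
# managers straight from AD, flagging any grant that crosses a domain boundary.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    param([string]$DistinguishedName)
    # Keep only the DC= components:
    # "CN=x,OU=y,DC=corp,DC=example,DC=com" -> "DC=corp,DC=example,DC=com"
    (($DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' }) -join ','
}

# Query a global catalog (port 3268) so objects from every domain in the forest
# come back in one search, rooted at the forest root naming context.
$gcHost     = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$gc         = "${gcHost}:3268"
$forestRoot = (Get-ADRootDSE -Server $gc).rootDomainNamingContext

# 1. Every user object that has at least one Send on Behalf delegate.
#    This is the authoritative view; Outlook only shows what the store knows.
$delegated = Get-ADObject -Server $gc -SearchBase $forestRoot `
    -LDAPFilter '(&(objectCategory=person)(publicDelegates=*))' `
    -Properties publicDelegates

$delegateReport = foreach ($owner in $delegated) {
    $ownerDomain = Get-DomainFromDN $owner.DistinguishedName
    foreach ($delegateDN in $owner.publicDelegates) {
        [pscustomobject]@{
            Mailbox     = $owner.DistinguishedName
            Delegate    = $delegateDN
            CrossDomain = ((Get-DomainFromDN $delegateDN) -ne $ownerDomain)
        }
    }
}

# 2. Every group with a manager, flagging managers from a different domain
#    than the group itself (the "manage DLs only in your own domain" rule).
$managedGroups = Get-ADObject -Server $gc -SearchBase $forestRoot `
    -LDAPFilter '(&(objectCategory=group)(managedBy=*))' `
    -Properties managedBy

$dlReport = foreach ($group in $managedGroups) {
    [pscustomobject]@{
        Group       = $group.DistinguishedName
        Manager     = $group.managedBy
        CrossDomain = ((Get-DomainFromDN $group.managedBy) -ne
                       (Get-DomainFromDN $group.DistinguishedName))
    }
}

"Send on Behalf delegates recorded in AD (review every row, not just cross-domain ones):"
$delegateReport | Sort-Object CrossDomain -Descending | Format-Table -AutoSize

"Distribution lists managed from another domain:"
$dlReport | Where-Object CrossDomain | Format-Table -AutoSize
```

Run it from a workstation with the RSAT AD module under an account that can read the forest; the first table is the per-mailbox audit joe says was otherwise unavoidable, and any row a mailbox owner does not recognise is a grant worth removing from the directory, not just from Outlook.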
 
 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, November 04, 2005 2:57 PM
To: [email protected]
Subject: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2
DSProxy Referral Process Changes


It's been discussed here several times. An interesting read:
 
http://blogs.technet.com/exchange/archive/2005/11/04/413669.aspx
Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
