Archive for February, 2012

Hiding Exchange Mailboxes from the Global Address List

Wednesday, February 29th, 2012

By default, users in Exchange 2010 appear in the Global Address List (aka GAL), where they are available for lookup by users within the Exchange organization. You can suppress this for a given mailbox so that it is not seen by any old user. You might want to do this so that sales, info or other generic externally facing mailboxes aren’t used by your internal users.

In order to hide a user from the Exchange Global Address List, open the Exchange Management Console and click on the Organization Configuration node. Click on Mailbox to bring up a list of mailboxes for the forest and then double-click on a mailbox you’d like to hide from the Global Address List. Next, click on the General tab and you will see a checkbox for Hide from Exchange address lists. Check that box and click on Apply to suppress the account from the Global Address List.
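The same checkbox can be set and audited from the Exchange Management Shell. This is an added example, not part of the original post; the aliases `sales` and `info` are hypothetical placeholders.

```powershell
# Run in the Exchange Management Shell on Exchange 2010.
# The aliases below are hypothetical placeholders for generic mailboxes.
$generic = 'sales', 'info'

foreach ($alias in $generic) {
    $mbx = Get-Mailbox -Identity $alias -ErrorAction SilentlyContinue
    if (-not $mbx) {
        Write-Warning "No mailbox found for '$alias'; skipping."
        continue
    }
    if (-not $mbx.HiddenFromAddressListsEnabled) {
        # Same setting as the "Hide from Exchange address lists" checkbox.
        Set-Mailbox -Identity $mbx.Identity -HiddenFromAddressListsEnabled $true
    }
}

# Audit: list every mailbox that is currently hidden from address lists,
# so hidden accounts do not go unnoticed during reviews.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.HiddenFromAddressListsEnabled } |
    Sort-Object Name |
    Select-Object Name, Alias, PrimarySmtpAddress
```

Hiding a mailbox only removes it from address lists; anyone who knows the SMTP address can still send to it.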

Configuring a Qlogic Fibre Channel switch for Xsan

Tuesday, February 28th, 2012

Qlogic switches can be configured via a built-in Web-based administration tool, or via their Command Line Interface over a serial connection. The Web-based tool is the fastest and easiest method of getting one up and running.

By default, Qlogic switches have an IP address of 10.0.0.1. The default username is “admin”, and the default password is “password”. Set your computer’s IP address to 10.0.0.2, with a Subnet Mask of 255.255.255.0 and no router/gateway. Open a web browser – Firefox is your best option – and go to 10.0.0.1. The Java applet will prompt a security warning – please confirm that the applet can control your computer. It won’t do anything bad.

On first logging in, you will be warned that the default password has not been changed. Please change the password. With the default password still in place, it’s very easy for somebody to log in and make your fibre fabric not work right. Once you have done so, configure the IP address of the switch.

Please check and see if a firmware update is available for the switch before proceeding any further with setup. It’s definitely going to be easier to get a firmware update applied before you’ve got an Xsan using your fabric. Go to Qlogic’s Support Site and click on Switches, then Fibre Channel Switches, choose the correct model, and click “Go”.

Devices on a fibre network are identified by their World Wide Name, or WWN. WWNs are guaranteed to be universally unique, which is a good thing, but they’re not designed to be read by humans. That’s why Qlogic lets you assign Nicknames to your devices. You should assign meaningful and easily decipherable Nicknames to all of your devices. Go to Fabric, and then Nicknames. You’ll see a list of all the WWNs (including vendor information), and which port they’re connected to. Double-click in the “Nickname” box, enter what you like, and when you’re done, click “Apply”. Accurate and comprehensible Nicknames make everything else easier, particularly the next step, which is Zoning.

Communication on a Fibre Channel network is controlled by Zones. In order for Fibre Channel devices to see one another (e.g. for clients to see storage), they must be in a zone together. In a small environment, it’s feasible to create a single zone, and place all devices in that zone. However, it isn’t necessary for Xsan clients and controllers to be able to communicate via Fibre Channel – all of their communication happens across the Metadata Network. If you want the best performance, then, it’s best to separate the devices logically into multiple zones to avoid excessive traffic on the Fibre Channel network. Devices can be added directly to a zone, or they can be grouped into Aliases, which can then be added to a zone.

As an example, imagine an environment with 15 Xsan clients, 2 Metadata controllers, and 2 Promise E-Class arrays. The clients need to communicate with the Promise storage, and the controllers do as well, but the clients and controllers don’t need to communicate with one another. Three aliases should be created and two zones should be created: one alias for each class of device, and one zone for each necessary communications channel.

  • Aliases
    1. clients: Contains all Xsan clients
    2. controllers: Contains both Metadata controllers.
    3. storage: Contains both Promises
  • Zones
    1. XsanControllers: Contains the controllers and storage aliases
    2. XsanClients: Contains the clients and storage aliases

Zones are contained in Zone Sets. Many Zone Sets can be configured, but only one Zone Set can be active at any time. Once you’ve created zones for your devices, put all those zones into a Zone Set, and make sure that you activate that Zone Set when you’re finished with your configuration changes.
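A small PowerShell model of the example zoning plan, useful for checking on paper that a Zone Set gives exactly the visibility you intend before activating it. This is an added example, not from the original post and not switch configuration; the device names are constructed stand-ins for WWNs or Nicknames.

```powershell
# Constructed device names; a real fabric identifies members by WWN or Nickname.
$aliases = @{
    clients     = @(1..15 | ForEach-Object { "client$_" })
    controllers = @('mdc1', 'mdc2')
    storage     = @('promise1', 'promise2')
}
# The Zone Set from the example: zone name -> aliases it contains.
$zoneSet = @{
    XsanControllers = @('controllers', 'storage')
    XsanClients     = @('clients', 'storage')
}

# Expand each zone's aliases into a flat list of member devices.
$members = @{}
foreach ($zone in $zoneSet.Keys) {
    $members[$zone] = @($zoneSet[$zone] | ForEach-Object { $aliases[$_] })
}

# Two devices can see each other only if some zone in the active set holds both.
function Test-SharedZone([string]$A, [string]$B) {
    foreach ($zone in $members.Keys) {
        if ($members[$zone] -contains $A -and $members[$zone] -contains $B) {
            return $true
        }
    }
    return $false
}

# Intent from the example: both groups reach storage, but not each other.
$expected = @{
    'clients|storage'     = $true
    'controllers|storage' = $true
    'clients|controllers' = $false
}
foreach ($pair in $expected.Keys) {
    $left, $right = $pair -split '\|'
    $seen = @(foreach ($a in $aliases[$left]) {
        foreach ($b in $aliases[$right]) { Test-SharedZone $a $b }
    })
    # A "visible" pair must hold for every device; a "hidden" pair for none.
    $ok = if ($expected[$pair]) { $seen -notcontains $false }
          else                  { $seen -notcontains $true }
    '{0,-22} expected visible={1,-5} ok={2}' -f $pair, $expected[$pair], $ok
}
```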

Storage devices and clients on a Fibre Channel network present themselves to the switch differently, and require configuration specific to their role. There are port properties that need to be set to provide the best performance. Xsan controllers and clients are “Initiators”, and storage devices are “Targets”. Device Scan, when enabled, queries every newly connected device to determine whether or not it is a Target or an Initiator. I/O Streamguard attempts to prevent disruption by suppressing some types of communication between initiators. Since we know what every device will be, and what port they’re on, we can set Device Scan and I/O Streamguard appropriately and avoid the excess traffic.

  • Initiators:
    • Enable I/O Streamguard
    • Disable Device Scan
  • Targets:
    • Disable I/O Streamguard
    • Enable Device Scan

Once you have your Nicknames, Zones, and port settings configured, your switch should be ready for use, and you can move on to configuring your storage, clients, and controllers.

Lion’s New Security Features, Manageable for Businesses with a Solution from Google

Friday, February 24th, 2012

The big cat, Lion, has been out of the bag for a while, and even with Mountain Lion slated to come out this summer, many are still devising strategies to tame it. In particular, there’s been uncertainty about the update to Apple’s encryption solution, FileVault. In the past it wasn’t as fully featured as encryption solutions from Symantec (PGP) and others, but the functionality of those third party products has been faltering due to ‘plumbing’ changes Apple has made in order to accommodate FileVault 2, their higher-performance, whole disk encryption solution that is new with Lion.

From a security and ease-of-use perspective, when you encrypt the entire hard drive (or ‘disk’), your documents are much safer if your laptop should happen to be lost or stolen. Only user accounts granted access to un-encrypt the computer (which happens just by logging in with your user name and password like normal) can get at the files. However, there is a ‘get out of jail free’ card provided, just in case you forget your password – the Recovery Key, which is a 24-character code that Apple can even store for you.

When using FileVault 2 in Lion, businesses lose several features they would otherwise have with 3rd party whole disk encryption solutions: we’d like to store that key centrally for our company, keep an inventory on which computers are encrypted, and not worry what user account encrypted the computer when we need to re-deploy it for someone else. Apple’s consumer-focused, manual process for storing the Recovery Key doesn’t help us, so Macintosh Operations at Google have stepped onto the scene with a solution: Cauliflower Vest.
Yes, the name is… distinct, but really it’s just an anagram (same letters, different words) for FileVault Escrow, which means storing the FileVault Recovery Key centrally. A big caveat of using this solution is that it relies on a Google Apps account for every employee whose machine you’d like to use FileVault with. Generously, Google’s Mac Ops team took the time and went the distance to allow us to adapt their tool for use with other centralized systems.

Adjusting to the new changes in Lion can be a considerable amount of work for many administrators. 318 has been a reseller for Google Apps and can also build custom solutions that adapt open source products to your business’s needs. For assistance, please contact your 318 Professional Services Manager, or sales@318.com if you are not yet a customer.

Using Archive Mailboxes in Exchange 2010

Wednesday, February 15th, 2012

Once upon a time, in a dark and dreary place, Exchange administrators (an already downtrodden lot mind you) had to let users archive their mail to pst files. These files, open while Outlook was open and distributed across the enterprise file servers, caused the poor Exchange administrators great pain and suffering as they were uncontrollable. The pst files roamed, causing great pains to SMB/CIFS, switching and other admins and, worst of all, these pst files had no policies applied to them.

Then came a bright knight in shining armor. She brought with her Exchange 2010 and stories of mailboxes that could be used for archival to replace the monstrosity pst files that had been in use for decades (ok, maybe just a decade, or a tad more, but close enough).

For environments running Exchange 2010, she explained that to configure archive mailboxes:

  • Open the Exchange Management Console from Administrative Tools
  • Click on Recipient Configuration
  • Click on the user who you would like to configure
  • Using the action pane, click on Enable Archive
  • To see an archive, log in to Outlook Web App with the user. You can then drag and drop some items into the online archive and change its name.
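The same steps from the Exchange Management Shell, with a check that the archive was actually created and a count of archive-enabled mailboxes. This is an added example, not part of the original post; the alias `jdoe` is a hypothetical placeholder.

```powershell
# Run in the Exchange Management Shell on Exchange 2010.
$user = 'jdoe'   # hypothetical alias; substitute a real mailbox

$mbx = Get-Mailbox -Identity $user
if ($mbx.ArchiveGuid -eq [guid]::Empty) {
    # Equivalent of "Enable Archive" in the action pane.
    Enable-Mailbox -Identity $user -Archive
} else {
    Write-Host "$user already has an archive: $($mbx.ArchiveName)"
}

# Confirm the result: an empty ArchiveGuid means no archive exists.
Get-Mailbox -Identity $user | Format-List Name, ArchiveName, ArchiveGuid

# Inventory of archive-enabled mailboxes, for tracking how many exist.
$archived = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ArchiveGuid -ne [guid]::Empty })
$archived | Sort-Object Name | Select-Object Name, Alias, ArchiveName
"Archive-enabled mailboxes: $($archived.Count)"
```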

Then everyone realized that Microsoft, in their infinite wisdom, invented online archiving because it requires a CAL of its own. Each of the Exchange Admins then realized that the cost of said CAL would come from their own allotment of porridge!

Mac OS X 10.7.3 and 10.7.3 Server Now Available

Wednesday, February 1st, 2012

Mac OS X 10.7.3 and Mac OS X Server 10.7.3 are now available for download through Software Update.

The update comes with fixes to better language, smart card, ServerBackup, Profile Manager, opendirectoryd/directory images, file sharing and support for a number of other aspects of the OS. Some specific aspects include disconnecting specific users w/ Server.app, more ACL information in Server.app, setting login greetings, etc.

The client update and available information is available at OS X Lion Update 10.7.3 (Client)

The client combo update and available information is available at OS X Lion Update 10.7.3 (Client Combo)

The server update is available at OS X Lion Update 10.7.3 (Server)

The server combo update is available at OS X Lion Update 10.7.3 (Server) Combo

The Server Admin Tools are available at Server Admin Tools 10.7.3

Also, ARD has been revved up to 3.5.2. It is available at Apple Remote Desktop 3.5.2 Client

Also of note, AirPort Utility got an update yesterday. It is available at AirPort Utility 6.0 for Mac OS X Lion