System Center Data Protection Manager SP1 offers great "Asset protection"

I don't know who invents these cumbersome product names at Microsoft ...but the product certainly is much better than the name suggests.
 
With the Service Pack 1 (SP1), which was released a couple of months ago, the product has been improved to a level that will make it very hard to ignore when it comes to backup needs for assets that are stored in SharePoint, SQL Server, Exchange Server or any kind of Hyper-V virtual machines. See an overview of the latest improvements here.
 
From our perspective the product has numerous outstanding features. "Item-level" restore of SharePoint assets comes to mind first, but it is the deep integration with several of the major Microsoft server products - a strategy that Microsoft has played time and time again - which makes it increasingly harder for any competitor.
 
Also, the simple and elegant way of implementing a two-stage backup process (disk and - optionally - tape) is just great. So far only Iron Mountain is offering a hosted solution for tape-backup, which I believe is a very good way to implement this. So far they have been "hush hush" about the pricing on this solution, so I wonder if it's really available yet, but I guess it's just a matter of time for them, or their competitors, to make this available.
 
The DPM install process altogether is not too bad, but there are a few things that have to be configured manually. There are also still a few major issues to be aware of, when implementing the latest release, especially with the Hyper-V support. It might just take the "famous 3rd release" for DPM to gain mainstream acceptance, but I am sure it won't be long before this will be out.
 
Another potential issue is around Firewalls, as the solution requires the install of an "agent" on the managed servers. In our experience, disabling the local firewall, installing the agent, and then re-enabling the firewall worked fine, but there are reports from people that came across the need to do some more manual work to open up the specific ports, e.g. as mentioned here.
 
The one potential problem that did take us a good couple of hours to track down was not specific to DPM itself, but to our ISA server that provides a VPN tunnel/gateway: even though the respective ISA rule was set to "Allow all outbound traffic", the RPC filter had to be disabled in the System Policy editor and the firewall rule.
 
 
To sum up, the current release is definitely great value, as it makes not just backup, but also restore, so simple. Do yourself a favor, especially if you have been backing up your SharePoint data with nothing but stsadm: look at least at this document to get yourself convinced about the great added value of SCDPM. Also, here's the overview page for the SharePoint & SCDPM integration.

Published: May-08-09

Use FTPS instead of FTP! It's easy to set up with Windows Server 2008.

I had a wonderful time over the holidays with my family and I hope that everyone that reads this had the same ...but that feels like ages ago, as the new year started with all kinds of unexpected logistical challenges for me ...and "only" a month later, I am finally ready to be really productive again :-)
 
One of the last things I needed to do before my holiday break was to set up an FTP Server ...well, of course I didn't want to set up something that would involve clear text passwords and unencrypted connections, so I investigated options. The main choices are SFTP and FTPS, but as I am using Windows Server 2008 it was an easy choice to go with FTPS.
 
As with almost all things it's not too difficult to set up and a few posts already exist that give a lot of the information, e.g. from the IIS site. However, there were still a few things that can easily go wrong.
 
The first thing I wasted time with was that I just didn't understand that the FTPS functionality was not part of the latest IIS7 release. Instead, one has to download it separately. The next two areas of potential problems come from the Firewalls involved (my FTPS Server machine has its own built-in firewall activated and we're using ISA as the corporate firewall), which can be tricky to configure as the FTP protocol uses a dynamic range of data ports. This article from the IIS site provides the important additional information.
 
I also got a bit confused when trying to set up the data port range for my FTPS-enabled site: I somehow entered my choice there in the first place but then couldn't change it there anymore. The FTPS data port range is actually per server, so one has to really set this up at the server level in IIS. Also, an IIS reset might be necessary after a change to the data port range.
 
I recommend setting it up so that SSL encryption is "required" for credentials, but "allowed" for the data, leaving that choice to the FTPS client.
 
Setting up the ISA rule for the FTPS protocol was straightforward. I created an "FTP Server" rule, as well as a new Protocol object that defined my data port range, which I used to create my "FTPS" rule (using the "Publish Non Web server" task).
 
A last thing to consider is whether to use "Explicit or Implicit" FTPS. I went with Explicit, but both are supported with my SmartFTP client software.
 
Update (28-09-09): I just switched to FileZilla and that works perfectly fine with IIS 7 too ...and it's free!
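An added example, not part of the original post: a Python check over an IIS `applicationHost.config` that returns the server-level data port range (the range the ISA Protocol object has to match) and flags FTP sites whose control-channel policy does not force encryption for the login. The sample config, site names and port numbers are constructed for illustration; the element and attribute names are those of the IIS FTP configuration schema.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (sites and ports are made up).
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost><sites>
    <site name="ftps-ok" id="2">
      <bindings><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
      <ftpServer><security>
        <ssl controlChannelPolicy="SslRequireCredentialsOnly" dataChannelPolicy="SslAllow" />
      </security></ftpServer>
    </site>
    <site name="ftp-legacy" id="3">
      <bindings><binding protocol="ftp" bindingInformation="*:2121:" /></bindings>
      <ftpServer><security>
        <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
      </security></ftpServer>
    </site>
  </sites></system.applicationHost>
  <system.ftpServer>
    <firewallSupport lowDataChannelPort="5000" highDataChannelPort="5100" />
  </system.ftpServer>
</configuration>
"""

# Control-channel policies that force TLS at least for USER/PASS.
CREDENTIALS_PROTECTED = {"SslRequire", "SslRequireCredentialsOnly"}


def audit_ftp_config(xml_text):
    """Return ((low, high) data port range, list of findings)."""
    root = ET.fromstring(xml_text)
    findings = []
    # The passive data port range is server-wide, not per site.
    fw = root.find("system.ftpServer/firewallSupport")
    low = int(fw.get("lowDataChannelPort", "0")) if fw is not None else 0
    high = int(fw.get("highDataChannelPort", "0")) if fw is not None else 0
    if low == 0 or high < low:
        findings.append("server: no fixed data port range for the firewall rule")
    for site in root.findall("system.applicationHost/sites/site"):
        if not any(b.get("protocol") == "ftp" for b in site.iter("binding")):
            continue  # not an FTP site
        ssl = site.find("ftpServer/security/ssl")
        policy = ssl.get("controlChannelPolicy") if ssl is not None else None
        if policy not in CREDENTIALS_PROTECTED:
            findings.append(f"{site.get('name')}: controlChannelPolicy={policy} "
                            "does not enforce TLS for the login in this file")
    return (low, high), findings
```

Calling `audit_ftp_config(SAMPLE_CONFIG)` on the constructed sample returns the 5000-5100 range and one finding for the `ftp-legacy` site.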

Published: Feb-01-09

A Cloud for Everyone

Hype ...it seems inevitable for business. Microsoft just joined the bandwagon and announced Azure. Meanwhile, Richard Stallman clarifies that this most likely will lead to the same kind of lock-in with one vendor as we've seen many times before. But this time it's worse: it bears incredible privacy issues.
 
Well, while we wait to see what great offers will come via cloud computing, let's just remember what the promise is all about. The first thing that comes to mind is highly-available solutions, paired with little need for knowledge to set up these rather complex multi-server solutions. Then there is the promise of lower cost (but then we know that the cost will be just as before once they have the majority of us consumers on the hook, right? ;-) However, even a single server that's well-connected to the internet in many countries still costs you an arm and a leg (try Dubai!). And even in "first world" countries like Germany it is quite typical to pay as much as 2000 Euros per month just for a dedicated 100MBit line, which is less than an arm but still more than most small businesses would like to invest into what is only a small part of the overall investment into their portal solution.
 
Enter Strato: they're one of two major mass market hosting companies in Germany and offer servers starting at slightly above 200 Euros a month (includes the rent for server and the shared 100MBit internet connection) that are spec'ed well enough to run a small server farm on them. The offer is well hidden on their site, so here's a direct link to the XLW-5 and XPro-5 servers.
 
There's a couple of caveats though:
- they come with a Web Server Edition of Windows Server 2008, which is pretty useless. They also only sport 1 Network card, whereas for Hyper-V you really need 2. However, you can get their KVM (Keyboard, Video, Mouse) service hooked up for a little extra money per month to compensate for that.
- Installation of the new OS version is a bit tricky, but nothing a good geek couldn't find a solution for (did I just call myself a geek? ;-) The biggest challenge was that the virtual network adapter of the virtual ISA server had to be set to a MAC address that matches the MAC address of the physical network card of that server, as otherwise traffic will be blocked by the Strato internal routers.
 
Static MAC address
 
The connection to the internet is quite excellent (even though it is not a dedicated line) as most of Strato's customers are consumers that download from the internet, rather than upload to it.
 
The net result with this setup is an enormous yearly saving over a comparable dedicated internet connection. So, while we await the cloud computing to hit us, here's a very real opportunity for small companies to save as much as 20k Euros per year on each physical server.

Published: Nov-09-08

The Virtual ISA Server

ISA Server and SharePoint get along very well. E.g. the Alternate Access Mappings concept in SharePoint 2007 ties in well with the link mapping capabilities of ISA Server 2006.
 
Then again, Hyper-V is a perfect platform to run a SharePoint server farm. So I was wondering when we first started deploying SharePoint on Hyper-V at the end of 2007, whether we could also virtualize the load-balanced ISA servers with it. That would be so much easier to administrate altogether!
 
I found this article that confirmed my gut-level feeling: Understanding Networking with Hyper-V. This clearly looked like the Host server could be entirely disconnected from the network, and that all traffic would have to go through the virtual ISA servers, making this a pretty secure virtual solution!
 
Well, we weren't quite there yet! After a successful installation of the ISA servers we later experienced quite some problems with the load-balancing and, through trial and error, solved the problem by using Legacy network adapters for the ISA servers.
 
A couple of weeks later Ben Armstrong hinted in the right direction, stating that Offloading was the cause of the problem. Mark Wilson summed it up quite well, again a few weeks later, and in June, Microsoft finally released some definitive information about the issue.
 
Long story short: ISA Server 2006 works great on Hyper-V. We are using it both for load-balancing ISA servers and SharePoint Web Frontends and it hasn't let us down once in all these months.
 
Of course, one can still add more hardware-based firewalls as a first-line defence for additional security. However, I love the additional functionality the ISA Server offers, on top of the security it provides.

Published: Nov-04-08