Management summary?
Ok...
I took care of it, go back to sleep.
:o)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Sunday, November 06, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
who says you can't hope for it?! ;-) <grin>there may be some hope left from him to try</grin>
is a management summary possible?
;-)
Jorge
From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sun 11/6/2005 10:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
How long have you known joe? Short version....
PLEASE!
Rick
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Sunday, November 06, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
damn... do you have a short version of this story?
From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 11/6/2005 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
Oh I understand. I definitely understand I wasn't the only
one, I don't think it would have been fixed if it was just me.
My contributions included
1. Debating strongly with Alliance PSS (on and offsite people).
2. Debating strongly with onsite MCS.
3. Debating strongly with Dev
4. Wrote Steve Ballmer as a concerned MVP.
5. Posted this issue (pointing out the security aspects) both in groups like this and in the public newsgroups. (The public delegates aspect is a security issue).
6. Reposting every single time I saw anything that related to it.
Initially I hit it with DLs and I got beaten down by PSS
and MCS because they said the design the company had that I worked with at the
time (we will call widget company again) was based on the idea that they didn't
need DLs so it was specifically designed without DLs in mind and had we wanted
DLs the design would have been different because they knew all about this
problem.
Then several months later reports of issues with public
delegates started surfacing. I was working on some other thing at the time, I
believe it was setting up web pages to do things like short term delegation of
mailbox access so that the third level outlook people could ask to get access to
a mailbox and it would all be logged, quota management, mailbox permission
reports, conference room setup, etc. Anyway, I sat in the Friday con
call while onsite PSS discussed the issue and it sounded like the
same GC issue as I had stumbled on before. I mentioned that they would
want to check that out and verify what GCs were being talked to and
redirect them to a more appropriate GC as I had documented and shown for the DL
issue before. I didn't want to jump into it and really look at it as I always
seemed to get into some sort of trouble for finding and pointing out MS screwups
and any issues in the Exchange design. My boss loved it because it meant we
fixed something that would hurt once in production, my boss's boss hated it
because it slowed down the project he was being graded on with the execs which
was way over budget and way over timeline.
Next Monday's con call they still didn't have a clue, more
descriptions still sounded like a GC issue, I said so again. Ditto Tuesday con
call. On Wednesday we had our "everyone gets in one room" meeting and discusses
the problems and when that problem came up I yet again pointed it out that it
really sounded like the GC issue. Either MS really didn't want it to be that and
they were looking for anything else it could be or the analysts really had no
clue what they were looking at. I expect the latter. I told my friends in MCS
that the PSS guy was screwing this up and they needed to birddog him because he
was going to make MS look like idiots again. They said they couldn't for some
reason or another.
Thurs con call same issue, no progress. Thurs around 6PM
when I was settling into the lab to get some serious work done[1] I got grabbed
by one of our third level Outlook folks (a good friend) who was working the
issue[2] and she said I had no choice as she would kick my butt and that she was
making me work on that issue. Within 15 minutes I proved that what I had said
the previous Friday was the issue and also learned about how badly Outlook
handled the issue in that if you removed a public delegate it would disappear
from the list because it was removed from the store but was still in AD so it
was still active and Outlook never showed an error message and from then on
showed the value incorrectly so someone had permissions to send on behalf of
that were not shown unless you looked directly at the directory (security
issue).
MS PSS reported again in the Friday con call that they had
no idea and they were bumping the issue to Sev-A to get ROSS onsite to do a
debug and I waited until the TAM was completely done with what she wanted
to say and then said, the issue is the GC issue. MS said, no it wasn't, they
couldn't confirm that. Then I said that I knew absolutely it was the issue. The
people on the call knew me long enough not to question when I said absolutely
versus it should be checked or it appears or possibly. So the following
week we had the same meetings we had from several months ago only I was holding
the hammer and I was bringing up everything MS had said previously about the
design and so I asked the obvious question of were we designed to have public
delegates work or did we say we didn't need those too? That was an obvious
setup question because most large companies use public delegates a lot and
this widget company really used public delegates a whole lot.
That spawned a whole bunch of debating which ended up with
me indicating the solutions one of which was a complete redesign of the Exchange
infrastructure that MS had worked hand in hand on with our Exchange dev
folks for a couple of years[3]... Things got hot. In the end Dev still came back
and said it was by design and would not be changed. That prompted my note to
SteveB with a question of what the hell is wrong with the Exchange Dev
people? Indicated we currently had a big push to go towards Linux and were
doing everything we could to show how conducive MS was to making things
work for us and Exchange comes along and tells us to piss off our product sucks
by design and we aren't fixing it. Then went out and made sure everyone I could
think of was aware of that limitation and how it would impact Enterprise
deployments and the security implications and how there was no real way to
really know if you had a problem with your currently configured public delegates
or not without auditing every single mailbox. If just one large company or
military org listened and started complaining to MS too it was a good thing. A
couple of weeks later Dev came back and said it would be corrected in 2K3,
probably SP2. MS then sent someone onsite to build a website for users to
use to configure their public delegates and we had to retrain all of the users
to use that instead of outlook. That was pretty funny too because the guy came
straight to me and asked if I knew which .NET objects he could use to manipulate
the Exchange pieces he needed to monkey with. I told him he needed to learn two
words: P-Invoke. He wasn't happy. A week later he came and asked if he could have
some VBScript code I had written for manipulating the folder roles, etc in a
mailbox.
There is even more to that story that impacted me but this
is long enough already. Hopefully it illustrates things for folks. There are
good and bad PSS/MCS folks, it is your duty as a technical person representing
your company to understand which ones you are working with and to question them
on everything that you don't understand or don't agree with. Don't be afraid to
fight for what you think is right. If you are told, well you are the only one that
has ever said that is an issue[4], go out into the public and start asking
people. The Exchange PSS person who was working onsite at the widget
company was almost completely worthless and was actually often dangerous. The
TAM had ordered this person not to speak during con calls or meetings unless the
TAM signaled the person. The sad thing was that everyone on the account at the
tech level knew this person was trouble but when I talked to them they said the
person couldn't be removed unless the customer (I was a contractor for the
customer) actually officially complained and I explained what my manager's
manager felt about my "meddling" already.
All of that and I still like MS and think they are best
suited for many/most companies. I still consider Exchange to be a serious pain,
but I also see it as one of the best out there that I intend to keep pushing on
to get better. Currently being the best doesn't mean you can suck indefinitely.
;o) Note I don't know all aspects of Exchange and don't really intend to.
I have been told the routing engines are amazing, etc. My focus is the AD
integration and permissioning and monitoring and troubleshooting I find
it lacking and have no issue broadcasting the lacks that I find so others
won't be surprised by them at 3AM some time. Right now I am working with them on
a WMI monitoring issue and I am starting to hear the By Design comments again
and I am sliding into the it is by design that you can't use the interfaces
designed to monitor the health to actually monitor the health response mode....
joe
[1] All serious work happened after the normal 8 hour day
when people would leave me alone.
[2] Same person who did majority of the alpha/beta
testing and spec'ing of the Auto Accept Agent that is publicly available
now.
[3] That woke up our upper Messaging management. That
design cost probably millions in actual dollars for billable time to PSS/MCS
over the years.
[4] That is one of my particular favorites right after the
it's by design for something you know that they never thought of or
intended.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, November 06, 2005 12:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
You weren't the only one [1]
Tony
[1] ...but I'm guessing you were the most vocal.
;-)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, 5 November 2005 10:41 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
You are all welcome. ;o)
This is the issue I posted about back in I think 2003 (end
of summer / fall) and again in 2004 (spring) that I "discussed" with MS.
:o)
As it mentions, this doesn't help much with DLs, it is
primarily targeted to help issues with outlook modifying the account of the user
who is running outlook such as public delegates and certs. If you make sure that
people can only manage DLs in the same domain as their userid, this can offer
relief from the issues there as well obviously.
Oh, BTW, there is a new KB article concerning some folks
that may have been burned by this new functionality.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, November 04, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
It's been discussed here several times. An interesting read:
Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes