March 19th, 2010 at 5:35 am
I attended the national Church IT Roundtable event last week, this time held at Saddleback Church near Los Angeles. I was asked by the editor of IndyGeek.net if I would write up the event and, since my blog is in transition (and somewhat unattended :-) and he asked nicely, I’ve posted the article over there. Here’s an excerpt, followed by a link to the full thing:
Last week, listening to my iPhone while traveling home, I heard the first verse of the song Calling All Friends by The Low Stars:
Calling all friends, and people I met on the way down.
Calling all friends, and people I don’t even know.
Calling on high, I wanna believe there’s a way now.
I’m too tired to pretend I don’t wanna be alone, I’m calling all friends.
For those working with Information Technology in churches, it’s easy to feel isolated and alone, trying to figure out what the best technology solutions are (and how to afford them!), how to best support your staff, recruit and manage volunteers, and figure out how to communicate your needs and solutions to leadership and users in ways they understand, go along with, and fund. Most churches have either a volunteer IT staff, a paid staff member who does IT as part of their job, or perhaps one full-time IT position. If you’re really large and fortunate, you may have a small team of two or more to support your environment, creating some camaraderie, but it’s still easy to feel alone, isolated and seldom understood.
Read the rest at IndyGeek.net.
Also, for more technical notes, Tony Dye posted his excellent rough notes of Day 1 and Day 2. My article is a high-level overview, but Tony provides a blow-by-technical-blow of the sessions he was in (and the main ones); even though it’s unedited, there’s a ton of useful information there. Worth checking out; thanks for sharing, Tony!
March 1st, 2010 at 2:20 pm
So I’ve been at my new job with PC Help Services for a couple of weeks now. And this blog hasn’t been updated, nor moved to a new address (this one should redirect for a while). Don’t worry, it’s coming; I just have to figure out where to move it and have some time to update it! Been busy, you know, working… :-)
January 27th, 2010 at 4:43 am
I’m excited, nervous, and sad all at the same time. And busy. I’ve decided to leave my awesome, comfortable, flexible, almost-7-year job/family of seven years (as an employee, my family will still be attending Lakeview) and jump into a scary, new position with a small-but-growing local IT service company. Why? Well, Lakeview is running smoothly overall, certainly better than I found it in 2003 when I was hired as the first paid IT staff. We’ve done managed switches and wireless networking, server virtualization (in a big way), a little desktop standardization (this is where I feel there’s the most room yet to grow, see Jason Powell’s reasons why standardization is important!), and a few other things that have increased efficiency and IT responsiveness that aren’t worth detailing here. Helpdesk requests still come in but not usually at a frenzied rate. Frankly, there’s always more to do, and always will be, and I enjoy the calm sometimes. And I love it.
But, I’m still pretty young, and it’s time to move on to an environment that will provide some new challenges and experience in a wide variety of settings. So I’m moving to a small company with a Christian owner that provides residential and small business IT services to the Indianapolis and surrounding communities. Based in Fishers, IN, I’ll be working out of a new satellite office on the West side of Indy, not far from Lakeview in fact, and I’ll be working primarily with larger clients, including several churches in the area. What the job will look like day to day I can’t tell you precisely yet, but that will certainly be part of the excitement! And I’m still going to be involved with the Church IT Roundtable online and in person to a large extent (it’s still relevant as I’ll still be serving churches!), which I’m very excited about, as I have many close friends in the CITRT and their expertise has proved invaluable (and I have hopefully reciprocated with valuable tidbits of my own from time to time).
I’m really going to miss all of the Lakeview family on a daily basis. The staff are basically like close friends and family; it’s where I’ve spent all of my adult life in fact (and some volunteer time for years before that). God gave me peace about moving to this new position and I know He’ll provide, but I already miss everyone and I’m not gone yet!
There are still some details to be worked out about the transition, so I’m sure I’ll have some more to post later, and I certainly appreciate any prayers. It looks like I am going to the Church IT Roundtable at Saddleback Church in California on March 11-12! If you work in Church IT or you support or volunteer with Church IT in some way, you should be there! The cost should be under $100 plus travel, though final details should be coming soon.
My first day on the new job is set for February 10th, 2010 (though a few current coworkers said they hoped when I said Feb. 10th it meant 2011! Nothing like feeling wanted!).
January 6th, 2010 at 5:02 pm
Installing Windows 7 fresh is not hard; it’s pretty fast and easy. But when you’re deploying it in an organization, you should probably automate as much as possible, including the installation of software after the operating system. There are various levels of automation you can set up for Windows 7 deployments, but what I’ve done is some very basic setup using the Microsoft Deployment Toolkit (MDT) 2010 that works for me without going too deep into setup and configuration (remember, I’m trying to save time!). I’m not doing a fast deployment and I’m OK with some manual tweaks at the end; I just want to make the initial load faster and preinstall some applications. There are several other resources you can look at for a more in-depth view of the options and configuration; I’m just going to polish the IRC chat I had with Justin Moore earlier, giving an overview of the process as I did it, along with a list of silent install commands for the apps I’m auto-installing at the end of deployment. For more depth, try these that either I’ve used or friends have mentioned:
First I downloaded MDT 2010 from Microsoft, installed it and then opened the Deployment Workbench. You’ll also need the Windows Automated Installation Kit (AIK) for Windows 7 for some of the later steps; it’s huge (1.7 GB), so you might as well start that download now, too.
What I did to learn is I found some Microsoft pages with info on MDT and some videos that showed the basics, and I watched/followed one of them, but I don’t recall exactly which video it was that I found. You don’t want to focus on the AIK; I did a while back, and it’s more for OEMs like Dell making system images for presale. They’re similar tools; MDT uses the AIK underneath but adds the Workbench that you do most things from (or that I did most stuff from :-)
I did read the help in Workbench a lot, and did some Googling, plus that walkthrough video that I can’t seem to find. The documentation built in to MDT is actually pretty good; I recommend digging in. The basic idea is you need to know what steps to go through in the Deployment Workbench. You aren’t necessarily creating an “image” for deployment so much as making the installation more automated, providing install media from a network share and also packaging some applications with silent installs together. You can optionally build a Windows 7 box, capture it with ImageX, and pull that into MDT to deploy (with or without additional applications installed during deployment), but I didn’t go that far; I’m using a stock Windows 7 Enterprise image (I imported both the 64-bit and 32-bit install discs).
In MDT, you go to Deployment Shares and create a new one. You’re basically creating a network share that will hold all the install files. You take the Windows 7 DVD, for example, and Import it into the Operating Systems “subfolder” of the Deployment Share you created within MDT; it copies the disc into a subfolder of that share for you and lets you set some properties and name the image. I haven’t done so, but there’s another folder called Out-of-Box Drivers you can import drivers into for your specific hardware.
As for application install after deployment, there were two applications I couldn’t get to install silently and thus won’t work to be installed automatically. Those two apps were iTunes and Shelby v5 (our Church Management System). Shelby doesn’t have a silent install option but it’s easy to manually install afterwards. iTunes is supposed to pass your arguments to its .exe installer into the .msi files inside, but it failed for me every way I tried it (always left some component uninstalled) so I gave up. You can use 7-Zip to extract the iTunes install file into its component .msi files and manually install them (careful of the order) if you want, which works but is “unsupported” by Apple (not that I’ve ever contacted them for support). For now, I’m not installing iTunes automatically either. I spent a few hours on iTunes so I’m pretty confident of how messed up it is :-)
In general, anything you can install silently with command line arguments will work, and anything else won’t. Adobe Reader works fine: I used the Adobe Customization Wizard to make an .mst (MSI transform) and install with the transform, so my preferences are applied and the transform itself specifies a silent install (based on how I configured it in the wizard).
Within MDT’s Deployment Workbench, inside your Deployment Share’s Applications folder, you add the applications you want to be able to select for installation during each deployment. You can create folders to organize the applications (as they display for you to select during deployment), and you can show or hide applications as you wish. You can also create Application Bundles, which basically install a group of other applications you’ve already defined. You can use both features together: create applications but hide them (even in their own folder, like “Linked Only” or “Bundled Only” or some such), then put them all in a bundle with one name for easy selection at install time. I also created separate folders for apps that have both a 32-bit version and a 64-bit version so I can select the appropriate one for each system as needed.
For example, I created a Mozilla Firefox application, and one each for Adobe Flash 10 ActiveX and Plugin versions (you must complete a licensing agreement just as for Adobe Reader to get the .msi versions of the ActiveX and Plugin versions of Flash for deployment like this). I hid them and put them in a subfolder, but created a “Firefox and Flash Player” app in the root that is just a Bundle that installs all three at one time, and it works great.
The Deployment Share has another “subfolder” in the tree called Task Sequences. You’ll want to create a Task Sequence for each OS (one for 32-bit and one for 64-bit in my case), giving each sequence a unique ID (I just started at one, then used two for the second one, etc.). Make it a Standard Client Task Sequence (the default in the wizard), select the OS version at the next step, and optionally specify a product key (you can enter this during deployment or after install as well). Fill out some basic organization name info and default IE homepage, then set a Local Administrator password (optional; I left this blank here and specify it at install time in the wizard instead, which is also the safer choice, since a password entered in this wizard is written into the task sequence’s Unattend.xml on the deployment share in a form anyone who can read the share can recover), and click Next one last time to create the Task Sequence.
Once your apps are defined, your task sequences are created, and your operating system install images are imported, right-click on the name of the deployment share under the Deployment Shares root in the Workbench and choose Update Deployment Share. This wizard creates what’s needed to actually deploy from the share, including the LiteTouch boot images (these are also created in .wim format, and I imagine you can set them up in WDS (Windows Deployment Services) on Windows 2008 (or 2003 with updates) to deploy via PXE booting if you want to get into that). I’m using the boot CD method. After the Deployment Share Update completes, use Windows Explorer to browse to the deployment share folder and go to the Boot subfolder. You should find a LiteTouchPE_x86.iso file and a LiteTouchPE_x64.iso file as well as the .wim versions and .xml configuration files. Burn the .iso files to CDs (Windows 7 supports right-click-and-burn for ISOs; there are plenty of free options for other OSes).
Now you can boot whichever version you want on a computer; depending on the architecture of the CD, each will only offer the OS options on the deployment share that are compatible with it. Basically you boot to a UI from the LiteTouch boot disc that asks for username/password/domain to access the Deployment Share (a dedicated account with only read access to the share plus the right to join computers to the domain is enough here, and limits the damage if those credentials are captured or reused). The share location is hardcoded during the Update Deployment Share process. I don’t have it in front of me and haven’t done it since Monday, but the basic steps it goes through are: it asks for a computer name and whether you want to join the domain (if you do, it prefills the same user/pass/domain you entered earlier for share access, which is handy). Then you pick which OS from the list, and on the next screen it shows you a list of apps in the folders you set up earlier (this list is pulled from the share, so if you Update the share later with app changes you don’t need to burn the disc again, in case that’s not obvious). You just check the boxes of the ones you want (for example, I have a 32-bit and a 64-bit 7-Zip app and have to select which one. Also, my VIPRE antivirus app has two installers depending on whether I want the machine in the Laptops or Desktops group by default, so I pick the right one as well).
Then hit Finish, and come back in about an hour or so depending on the system, and it’s logged in as Local Admin with a status window showing you any errors (or not) from the app installs. I just did it for a new laptop on Monday, was very easy! I still had to install some drivers since I didn’t add them to the deployment share.
Here are the apps I got to install silently: Adobe Reader 9.2, Firefox 3.5.5, Flash Player 10 (plugin & ActiveX), CDBurnerXP 4.2.7.1801, Pidgin 2.6.4, LogMeIn Free 4.0.982, RDP Enable Script (custom batch file that enables RDP and firewall hole for it), VIPRE, 7-zip, and Office Enterprise 2007 (customized with .mst). The Deployment Workbench will actually let you create an Office 2007 customization and run the wizard and everything for you right from the app properties, which is nice, though I had my own .mst already that I used. For each app I created I selected the option to create an Application with Source Files so it would copy the whole install folder to the Deployment Folder. Also, there’s some stuff you can do that lets you automatically run the USMT on XP for example, backing up user profile to a folder on the hard drive or on the network, then have the MDT deployment run USMT again restoring state after the install, all automatically…I saw it in the video I watched but didn’t get it working (I didn’t try).
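The RDP batch file mentioned above isn’t shown in the post. Here is an added PowerShell equivalent (not the author’s script) that does the same job on the freshly deployed box but also requires Network Level Authentication and TLS on the listener, and limits the firewall rule to the LAN instead of opening TCP 3389 to everything. The subnet is an assumption; replace it with your own. MDT can run it like any other application, with a command line such as powershell.exe -ExecutionPolicy Bypass -File Enable-Rdp.ps1.

```powershell
# Added example, not the batch file from the post. Enables Remote Desktop on a
# deployed Windows 7 machine, but requires NLA and scopes the firewall rule to
# the office subnet instead of exposing the port to any address.
# Assumption: 192.168.1.0/24 is your LAN; change it before use.
$lanSubnet = '192.168.1.0/24'

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# fDenyTSConnections 0 = allow incoming RDP connections.
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
# UserAuthentication 1 = require Network Level Authentication (the "more secure"
# option in System Properties); SecurityLayer 2 = require TLS on the RDP listener.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name SecurityLayer -Value 2 -Type DWord

# Enable the built-in "Remote Desktop" firewall rule group, restricted to the LAN.
& netsh advfirewall firewall set rule group="remote desktop" new enable=yes remoteip=$lanSubnet
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Restart the listener so the NLA/TLS settings apply without a reboot
# (fine during deployment; it drops any existing RDP sessions).
Restart-Service -Name TermService -Force
```

If you later decide to manage the machines through LogMeIn instead, the same script with fDenyTSConnections set back to 1 and enable=no on the rule group is the cleanest way to close the hole again.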
Here are the silent install commands I used for the apps I got working, for reference:
Adobe Reader 9.2
msiexec /i AcroRead.msi ALLUSERS=TRUE TRANSFORMS=AcroRead.mst /quiet
Microsoft Office Enterprise 2007
setup.exe
You can use the Office Products tab when editing the application definition to customize the app, or if you already have a .mst transform, put it in the Updates folder inside the Office installation structure and it will be automatically applied, no need to pass it in as an argument.
CDBurnerXP (the .msi, available as a separate download)
msiexec /i cdbxp_setup_4.2.7.1801.msi AI_DESKTOP_SH=0 AI_QUICKLAUNCH_SH=0 AI_STARTUP_SH=0 VIEWREADME=0 /qn
Pidgin
pidgin-2.6.4.exe /DS=0 /SMS=1 /S
LogMeIn Free (I’ll leave you to get it; the way I do it it prompts for the account to join it to after install, but it’s possible to find ways to make it auto-join to a LogMeIn.com account)
msiexec /i LogMeIn.msi /qn
Sunbelt Software VIPRE Enterprise (create MSI deployment files from the console)
MSIEXEC /I SBEAgent-ProfileNameHere.msi ALLUSERS=TRUE /quiet
7-Zip 32-bit (.msi is available if you dig on their site as a separate download, default for 32-bit is .exe)
msiexec /i 7z465.msi /qn
7-Zip 64-bit
msiexec /i 7z465-x64.msi /qn
Mozilla Firefox
Firefox Setup 3.5.5.exe -ms
Adobe Flash Player 10 for IE (ActiveX)
msiexec /i install_flash_player_10_active_x.msi /qn
Adobe Flash Player 10 for Firefox (Plugin)
msiexec /i install_flash_player_10_plugin.msi /qn
Java (get the FULL OFFLINE installer here) (thanks to Justin Moore for finding this one and commenting!)
jre-6u17-windows-i586-s.exe /s ADDLOCAL=ALL
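The commands above are one-liners that MDT runs exactly as written. As an added example (not from the original post), here is a PowerShell wrapper you can point an MDT application at instead of the raw command line: it refuses installers whose Authenticode signature isn’t valid (or, for vendors that don’t sign their installers, an explicitly pinned SHA-256 that you opt into), logs the MSI run, and turns msiexec’s exit codes into a pass/fail that MDT reports in the summary window. The script name, installer name and hash in the comments are assumptions; the logic stays on PowerShell 2.0 features, which is what Windows 7 ships with.

```powershell
# Added example, not the post's own command lines. Wraps a silent install so that
# MDT only runs installers whose origin can be verified. Invoke it from an MDT
# application command line such as (names assumed):
#   powershell.exe -ExecutionPolicy Bypass -File Install-Silent.ps1 -Installer 7z465.msi -ExpectedSha256 <hash> -AllowUnsigned
param(
    [Parameter(Mandatory = $true)][string]$Installer,   # .msi or .exe in the application's source folder
    [string]$Arguments = '',                              # extra switches, e.g. 'ALLUSERS=TRUE TRANSFORMS=AcroRead.mst'
    [string]$ExpectedSha256 = '',                         # optional pin; required together with -AllowUnsigned
    [switch]$AllowUnsigned,
    [string]$LogDir = "$env:SystemRoot\Temp\DeployLogs"
)
$ErrorActionPreference = 'Stop'
$path = (Resolve-Path $Installer).Path
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
$log = Join-Path $LogDir ([IO.Path]::GetFileNameWithoutExtension($path) + '.log')

# 1. Authenticode check. A substituted or tampered file on the deployment share
#    gets run as SYSTEM on every machine you build, so refuse anything that is not
#    validly signed unless the caller pinned a hash and opted in explicitly.
$sig = Get-AuthenticodeSignature -FilePath $path
if ($sig.Status -ne 'Valid') {
    if (-not ($AllowUnsigned -and $ExpectedSha256)) {
        throw "Refusing $path: signature status '$($sig.Status)' and no pinned hash"
    }
}

# 2. Optional SHA-256 pin. PowerShell 2.0 has no Get-FileHash, so hash via .NET.
if ($ExpectedSha256) {
    $stream = [IO.File]::OpenRead($path)
    try {
        $bytes  = [Security.Cryptography.SHA256]::Create().ComputeHash($stream)
        $actual = ([BitConverter]::ToString($bytes)) -replace '-', ''
    } finally { $stream.Close() }
    if ($actual -ne $ExpectedSha256.ToUpper()) {
        throw "Hash mismatch for $path: got $actual, expected $ExpectedSha256"
    }
}

# 3. Run silently. MSIs go through msiexec with verbose logging and no forced reboot;
#    EXEs get whatever silent switch the vendor documents, passed in via -Arguments.
if ([IO.Path]::GetExtension($path) -ieq '.msi') {
    $exe     = Join-Path $env:SystemRoot 'System32\msiexec.exe'
    $argList = "/i `"$path`" $Arguments /qn /norestart /l*v `"$log`""
} else {
    $exe     = $path
    $argList = $Arguments
}
$start = @{ FilePath = $exe; Wait = $true; PassThru = $true }
if ($argList.Trim()) { $start.ArgumentList = $argList }
$proc = Start-Process @start

# 4. Map exit codes: 0 = success, 3010/1641 = success with a reboot pending
#    (MDT handles the reboot itself). Anything else fails the step.
switch ($proc.ExitCode) {
    0       { Write-Host "Installed $Installer" }
    3010    { Write-Host "Installed $Installer (reboot pending)" }
    1641    { Write-Host "Installed $Installer (reboot initiated)" }
    default { throw "$Installer failed with exit code $($proc.ExitCode); see $log" }
}
```

Create each MDT application with source files as the post describes, drop the script into that source folder next to the installer, and use the powershell.exe line as the application’s command line. The pinned hash is the one you compute when you first download the installer from the vendor, not one copied from the share later.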
I hope that’s helpful to someone! Or maybe me in the future :-)
November 11th, 2009 at 3:00 pm
Microsoft Exchange 2010 became Generally Available on Monday, November 9th. That was two days ago. A few things coincided that made moving to Exchange 2010 a good decision (I think), even though we just finished moving to Exchange 2007 from 2003 about a month ago, including some snapshot/backup issues with my Exchange 2007 server that made me want to build a new box and start fresh. And what better than to migrate to 2010 while I was at it? The management interface is similar, there are some cool new features, and it’s been used by Microsoft for their Live@EDU system as well as by other testers for a while, so I don’t foresee any major stability problems even immediately after release.
Also, it’s much easier for an Exchange 2010 and an Exchange 2007 box to cohabitate on a network and still allow ActiveSync and OWA access than doing the same with Exchange 2007 and Exchange 2003 (which requires a separate Exchange 2007 CAS, or Client Access Server). Granted, making it work with the ISA firewall was a little tricky, but with a little experimentation it went well and is working fully. So well in fact, that only my Mac user and my Blackberry user are on the old 2007 box now, until stuff is compatible (in the Blackberry case) and I can babysit the migration (in the Mac user’s case, with Entourage–Snow Leopard isn’t an option on our PowerPC hardware). Those will come soon enough. But frankly, with Google for the help docs and processes (there’s a lot of good information directly from Microsoft out there already!), the process only required two remote nights working until 3:30am, and some time during one day to work out the ISA stuff to keep ActiveSync and OWA working.
I’m not going to elaborate on the entire installation process here. Microsoft documents it well, it requires installing Exchange 2010 on a new server (no in-place upgrades) to do the transition (that’s how I prefer it anyway, and with virtualization that’s easy!). But it was mostly smooth, similar to 2007 in many ways (different enough to require some reading but familiar enough it was much easier to pick up than 2007 was from 2003). And, as I discovered this morning, for Outlook 2003 clients to connect, you should also run this in the Exchange PowerShell console:
Set-RpcClientAccess -Server [servername] -EncryptionRequired $false
Otherwise, Outlook 2003 will stare at you (or, rather, the user) blankly and not connect (at least if you have internal encryption to Exchange disabled, which I do–I didn’t test enabling it).
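Because -EncryptionRequired $false relaxes the Client Access server for every MAPI client, not just the Outlook 2003 ones, it is worth recording the state before you change it and planning to put it back. The following is an added example (not from the original post); the server name is an assumption, and the Outlook-side alternative is the one Microsoft documents for Outlook 2003 against Exchange 2010.

```powershell
# Added example, not from the original post. $cas is an assumption; use your
# Exchange 2010 Client Access server's name.
$cas = 'EX2010'

# Record what the server requires now, so there is a before/after in the change log.
Get-RpcClientAccess -Server $cas | Format-List Server, EncryptionRequired

# Let Outlook 2003 (which does not encrypt its RPC session by default) connect.
# This applies to every MAPI client hitting this CAS, not only the 2003 ones.
Set-RpcClientAccess -Server $cas -EncryptionRequired $false

# Alternative that keeps the server requirement intact: turn encryption on in the
# Outlook 2003 client instead. Per user it is the "Encrypt data between Microsoft
# Office Outlook and Microsoft Exchange Server" checkbox under the account's
# More Settings > Security tab, or the same thing from a script:
#   reg add HKCU\Software\Microsoft\Office\11.0\Outlook\RPC /v EnableRPCEncryption /t REG_DWORD /d 1 /f
# (Outlook 2007 and later already default to encrypting.)

# Once the last Outlook 2003 client is retired, restore the default.
Set-RpcClientAccess -Server $cas -EncryptionRequired $true
```

The client-side option is the better fix when you can push a registry value with Group Policy or a login script; the server-side switch is the quick one when you can’t touch every desktop yet.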
Do I recommend going with 2010 now? Yes, as long as stuff you use like Blackberry and Mac supports it or you’re prepared to learn how to make it work. Also, your “now” may not be the day of General Availability depending on the size of your environment and current needs and plans :-)
Any thoughts? Do you think I should have gone with Exchange 2010 the week it was released? I think it’s a reasonably well proven product even though I didn’t participate in the testing myself like I did with Windows 7. Are you migrating soon? (Microsoft likes to call moving from one version to another of the same software a “transition.” I like the term “migration” better, but whatever. They reserve that for when you “migrate” from one of their competitors. I don’t care :-)
November 11th, 2009 at 1:03 pm
A new feature of Microsoft Exchange 2010 (yes it’s out, yes we’re using it now, and yes I’m jumping ahead with this post rather than talking about implementing it :-) is called Moderation. It’s pretty slick: you can basically take a mailbox or Distribution Group and make it moderated, so emails sent to it are held and any number of moderators are notified that there is a message they should approve or reject, which they can do easily (from Outlook or OWA), and it’s taken care of from there by the system. The official Exchange blog has a great post with the basics of Moderation (UPDATE: Thanks to E.J. Dyksen, Microsoft Exchange Program Manager and the author of the linked post, the linked article has been corrected, per his comment on this post (I verified it was changed)), so I won’t go into more detail; suffice it to say that we’re already using it and it works!
However, there is a flag you can set on a moderated object that lets the moderator of a “parent” group moderate an email once, regardless of whether subgroups also require moderation. Think of a moderated all-staff list that contains a moderated group for a specific department; by default both the all-staff moderator and the department list moderator would have to approve a message to all-staff before the department recipients would receive it. If you’d rather have some groups like all-staff set up so that whoever moderates a message to that group auto-approves any subgroups as well (this is precisely why I wanted it, although we don’t have moderated subgroups yet), that’s what the flag called “BypassNestedModerationEnabled” is for, and you can set it to true with PowerShell.
The problem is, the few places that talk about that flag online call it a completely different name! Sure you can do “get-help Set-DistributionGroup -full” to see all the options (there are many) or you can find the same help online, but it’s not easy to track down if you’re looking for the wrong setting name! The correct syntax to enable this moderation bypass on a group (from within the Exchange PowerShell console) is:
Set-DistributionGroup -Identity "[group name]" -BypassNestedModerationEnabled $true
However the Exchange Team’s official blog says in its moderation post, in the FAQ section where it mentions nested approvals (near the end of the post), “If you set the BypassModerationEnabled flag to $true on the parent group, any messages sent to that group will bypass moderation by child groups.” Close, but it’s actually the BypassNestedModeration flag. If you do some searching, you’ll find a TechNet article called Understanding Moderated Transport which, again near the end in the Handling Multiple Moderated Recipients section, says, “To do this, you set the AutoApproveNestedDLEnabled parameter of the moderated distribution group to $true.” Which provides an even farther-off version of the same thing! At least with the correct version, you can more easily look it up in the TechNet Set-DistributionGroup topic, where it is correct!
It’s likely the incorrect articles were both correct at the time they were written, during beta and release candidate cycles of Exchange 2010, with the final flag name being changed in the generally available version that came out this past Monday. I don’t know for sure as the GA version is all I’ve run, but it seems a likely explanation given that the articles are almost a month (the TechNet one) and five months (the Exchange Team blog) old. But apparently I’m the first person to write about it outside of them (that Google knows about).
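Putting the flag in context, here is an added example (not from the original post) that sets up the all-staff scenario described above end to end and then audits which groups carry the bypass. Group and user names are assumptions. The audit matters because BypassNestedModerationEnabled means one moderator’s approval is enough to reach members of every moderated list nested inside, so the people in ModeratedBy on such a group need to be trusted for all of those lists, not just the parent.

```powershell
# Added example, not from the original post. 'All Staff' and 'hr.director' are
# assumptions; substitute your own group and moderator.

# Moderate the all-staff list, and let its moderator's approval stand for any
# moderated department lists nested inside it.
Set-DistributionGroup -Identity 'All Staff' `
    -ModerationEnabled $true `
    -ModeratedBy 'hr.director' `
    -SendModerationNotifications Internal `
    -BypassNestedModerationEnabled $true

# Verify the flag actually took; the cmdlet is silent on success.
Get-DistributionGroup -Identity 'All Staff' |
    Format-List Name, ModerationEnabled, ModeratedBy, BypassNestedModerationEnabled

# Audit: every moderated group whose moderators can waive nested moderation.
# Anyone listed here can push a message past the department moderators.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.ModerationEnabled -and $_.BypassNestedModerationEnabled } |
    Select-Object Name, ModeratedBy
```

Run the audit again after any group changes; a department list that later gets added under a bypassing parent inherits that behaviour without anyone being told.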
September 29th, 2009 at 4:12 pm
A tweet yesterday from James Edwards (which led to a discussion and a series of tweets) got me a little scared about the future of Adobe Non-Profit Pricing that I’ve written about before. Then today I got an email from Adobe with the subject “Notice of new volume licensing program and temporary Adobe system shut down” with more acronyms than should be allowed in an IT email (and that’s saying a lot…and ILA (I Love Acronyms)!), which was more confusing than anything, I think because I don’t deal with points and discounts for non-profit pricing with Adobe, it’s just a straight price (and better than the points discounts anyway).
I talked to my Zones sales rep, Eric Inabnit (Eric.Inabnit@zones.com), about it to see what the real deal was. He did some checking, and like James found out from his CDW rep, it appears that Adobe is consolidating their Educational and Non-Profit SKUs to simplify things, but it appears the pricing will stay relatively similar to its present levels, with a few minor adjustments. To quote Eric, he is hearing that, “they will be combining the nonprofit and academic price sheets to simplify management on their end. They are saying that if you qualified before you will still qualify, your sku’s will most likely change however pricing changes if any, will be negligible.”
Adobe will be shutting down its entire licensing system from October 7th to October 14th, however, so you cannot retrieve your license information for existing licenses nor can you order new licenses during that time. I can live with that, I wasn’t planning on any October Adobe orders.
This is good news, and while it’s by no means the final word, it does make me worry less about the potential budget impact it might have on churches! Adobe’s products are already some of the highest-priced software packages we buy that aren’t for servers (and frankly, much of our software (Microsoft, especially) costs a lot less than some single Adobe licenses), even with the reasonably significant non-profit discount.
If I discover any additional information I’ll update this post; send me any new information if you’ve got it! (Leave a comment or mention @dszp on Twitter.) Thanks, James, for bringing the Adobe changes to my attention and checking into it as well.
September 22nd, 2009 at 5:43 pm
Did you upgrade to Exchange 2007 but are having issues with Palm OS devices like the Palm Treo 755p and the Palm Centro? I did this past weekend, and I have one Centro that worked fine, but three other PalmOS devices (two Treo 755p units and a Centro) had issues. They would connect, say Receiving, and eventually error out saying they couldn’t establish a connection with the server. Microsoft provides a very useful site at https://www.testexchangeconnectivity.com/ that will let you test ActiveSync (I tested without Autoconfiguration since PalmOS is not capable of autoconfiguration), and after testing, my users passed and could connect. But their phones wouldn’t! I made sure to set the Default Exchange ActiveSync Mailbox Policy in Exchange 2007 (under Organization Configuration->Client Access) so the checkbox to “Allow non-provisionable devices” is checked. (I should note that an iPhone and four Palm Pre devices are using ActiveSync successfully on the same server, so I know it’s configured correctly on the server side.)
Or, you should be able to create a new policy with this checked, and apply it to each user’s mailbox directly (Recipient Configuration->Mailbox->right-click user, Properties->Mailbox Features->Exchange ActiveSync->Properties and then select a profile, and make sure ActiveSync is Enabled). Regardless, once Exchange is configured correctly, it appears that you need VersaMail 4.0.1 in order to connect to ActiveSync properly with Exchange 2007, and even on the Centro (where it may have already been installed), reinstalling it with this method fixed my problem. The update is supposed to be for the Centro, but I read several forum posts I found via Google that said it worked on the Treo 755p just fine (one had VersaMail 3.5.5 installed, the other had 3.5.4 installed), and it did for me. YMMV, don’t blame me for problems!
- Open Email (VersaMail) on the phone and add a secondary account if only one exists (a dummy POP3 account is fine, just enough fake info that the account will be created, it doesn’t need to be checked but you can’t delete an ActiveSync account if it’s the only account).
- Delete the Exchange ActiveSync account that is not working, leave the POP account in place but no need to verify/check it (it’s just a dummy account).
- Tap the Home button to return to the phone’s Home Screen.
- Go to http://ws.palm.com/mypalm/MyPalmGenericUser/ControllerGeneric.jsp?&action=showbonus&productName=CENTRO690P
- Click Learn More under Palm VersaMail (Not VersaMail Personal Edition), link: here
- On Treo device, open Web browser, type this URL into address bar: http://dl.svs.palm.com/bonus/VM40_Installer_Stan.prc (capitalization matters)
- Hit Yes to confirm the download.
- Hit Yes to download to Device.
- Hit Save and Open.
- Wait for file to download, it’s 1.21MB.
- Hit Yes to accept the .prc file into Applications.
- Will return to Home screen with new application icon called Install Email selected. Run it.
- Tap the Update Now button on the screen that pops up titled “VersaMail 4.0”
- Hit Accept to accept the license.
- Wait for installation to complete; the phone will restart automatically.
- Re-add the “Outlook (EAS)” Exchange account to the Email (VersaMail) application. Make sure to use “domain\user” format for the username field.
Make sure to hit Test and make sure it’s successful, then continue with the initial sync. This all assumes that you have a certificate installed on your Exchange 2007 server that functions properly with Palm OS devices; e.g. that they trust the certificate root, the certificate is in a format they accept, and it doesn’t have SANs (Subject Alternative Names) like a UCC cert. But I covered this, and why I’m using RapidSSLOnline.com, in my last post, Palm Centro and GoDaddy SSL Certificates: Fixed! so you can read more about the server side there.
My Palm devices are all on the Sprint network, I don’t know if the same steps apply for Verizon, AT&T, or other providers, although it’s likely they would.
It worked for me! That’s why I’m writing it out here so I remember how to do it when someone else has issues, but I hope it helps others as well. I know I saw a lot of forum posts discussing Palm and ActiveSync (and I’ve run into plenty of issues myself in the past that I’ve had to deal with). Frankly, I will be very happy when PalmOS devices are dead…the Palm Pre is a good replacement, and the iPhone is an even better one. Windows Mobile I haven’t used enough to have an opinion on (it will likely stay that way), and BlackBerry I’ve only used enough to know that the pain of the last two weeks trying to solve a BlackBerry issue that might be solved now and might not be, isn’t worth it, but if you have to support it, the features are there if you can get them to work. But my BlackBerry and BlackBerry Professional Server woes are for another post, if I find time to write it :-)
September 16th, 2009 at 12:25 pm
We have many Palm phones running Palm OS, in particular we have a lot of Palm Centros although we have some other models as well (but they all run Palm OS, not Windows Mobile). We’ve had GoDaddy SSL certificates for a while for our Exchange 2003 server. Until now, I’ve never had an issue with GoDaddy certificates where the phone would reject them, but yesterday I renewed the two-year SSL certificate we had (since it expires October 3rd and I don’t want to let it run out–again :-)
So I make it through the renewal process, which required generating a new CSR (Certificate Signing Request) for a brand new certificate from the server, since the original one had a key length of 1024 bits and GoDaddy now only accepts 2048 to 4096 bit lengths (this is a new requirement). After completing the process and getting the certificate installed, I got a nice helpdesk call from a user this morning who has a Centro: “SSL certificate not accepted due to possible expiration. Check device date & time and re-sync.”
Joy oh joy, exactly what I’d been looking for, another problem and wasted time!
OK, enough sarcasm (but really, can you ever have enough?). Time for Google and Daryl Hunter from the Church IT Roundtable! Although GoDaddy auto-renewed my SSL certificate, I was actually contemplating buying one of their UCC certificates to be ready for when we went to Exchange 2007. Fortunately I read Daryl Hunter’s post about Exchange 2007 without UCC certs, and stuck with the regular certificate for now, because per Palm KB article 43375, certificates with Subject Alternate Names (SANs), such as UCC certs, are not supported at all on Palm devices (“SSL v3 certificates which rely on the Subject Alternate Name field to do load balancing across virtual site names do not work with Palm OS devices.”). So a UCC cert isn’t even an option for me, but it’s cheaper to do Daryl’s method anyway! For now I don’t have to worry about it, since I just have Exchange 2003 for now, and that’s not the present issue (but we will likely be on Exchange 2007 or Exchange 2010 by the time the certificate expires). Additionally, the same article (which has a tool for installing new trusted root certificates on some Palm OS devices–but I didn’t want to mess with touching every single Palm OS device here! And, the tool works on Windows 2000 or XP only, not Vista (and I’m sure not Windows 7 either)) specifically states that, “GoDaddy Class 2 certificates do not work with Palm OS devices.” Time to drop GoDaddy!
Daryl’s favorite SSL certificate vendor (and now, mine too!) is RapidSSL Online. They sell certificates from RapidSSL.com for $17.95 per year (or cheaper, for multiple years), and they’re single root certificates (which means you don’t have to install intermediate certificates on your server). While RapidSSL Online is cheap, RapidSSL.com directly has a 30 day trial certificate you can sign up for to test for a month, and this is the way I went. When that certificate expires I’ll be purchasing a multi-year certificate from RapidSSL Online, but I wanted to make sure it would work, and it does! I don’t know for sure, but it appears that RapidSSL.com is the company holding the root certificate, while RapidSSL Online is either a reseller or a sub-company of the parent selling the certificates at a discount (the RapidSSL.com certificates aren’t expensive but still cost a lot more than from RapidSSL Online!). Either way, RapidSSL Online claims that their RapidSSL certificates are issued by RapidSSL.com so they should be the same (I haven’t made a purchase yet), and Daryl Hunter has used RapidSSL Online successfully for years across multiple installations.
I generated a new CSR for a new certificate, again (just like I had to do for GoDaddy). I installed the free certificate on my Exchange server’s IIS (I also then exported it and imported the .pfx file onto my ISA 2004 firewall since it does the authentication up front for external clients, but that’s a pretty unique case and in most cases you want this done on the Exchange server). They were right, it’s just a single root on the certificate, signed by Equifax! I had my Palm Centro users (two had complained by this point) try syncing again. It worked! My iPhone also works fine still, and I haven’t had any negative reports from the four Palm Pre users here either. None of my users have Windows Mobile, and my one Blackberry user connects through Blackberry Professional Server rather than with ActiveSync.
So, adios GoDaddy SSL; fortunately they will refund all but $15 of my certificate (for processing since it was issued), and I’ll still come out ahead with RapidSSL Online (GoDaddy was $60 for two years, while RapidSSL Online is only $70 for five years!).
One thing I’ll have to be careful of when I go to Exchange 2007 is that once I use Windows Server 2008 to generate the CSR, it appears I will need to go to extra pains to make sure the CSR is in PrintableString format instead of UTF-8, as Palm OS doesn’t support UTF-8 certificates either (Server 2003 uses PrintableString by default). Daryl located this useful post while helping me troubleshoot: Ranting about Palm Centro Versamail ActiveSync and SBS 2008. Useful info, I’m sure I’ll be going back when it’s time to renew next time and Server 2008 is in place. By then, I hope we are Palm OS-free; although I loved my Treo 600 and Treo 650 both, the web is littered with forum and blog posts from people who have SSL issues with Palm OS devices (the Palm Pre and Pixi are much more flexible and up-to-date with the Palm WebOS). I was happy GoDaddy “just worked” in the past, frustrated that they “just didn’t work” this time, and happy to save money and move to a company that’s quicker/faster/easier!
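As an added example (not from the original post, and not a Palm or GoDaddy tool), here is a small Python checker for the two certificate encodings this post says Palm OS rejects: a UTF8String subject instead of PrintableString, and a subjectAltName (UCC) extension. The DER blobs it runs on are hand-built samples with a constructed hostname, not real certificates.

```python
# Added example, not from the original post: scan DER-encoded X.509 data for the
# two things Palm OS ActiveSync rejects per the post above: UTF8String names
# (Server 2008 CSR default) instead of PrintableString, and a subjectAltName extension.

TAG_PRINTABLE = 0x13   # ASN.1 PrintableString (what Server 2003 emits)
TAG_UTF8 = 0x0C        # ASN.1 UTF8String (what Server 2008 emits by default)
TAG_OID = 0x06
OID_CN = bytes.fromhex("550403")    # 2.5.4.3 commonName
OID_SAN = bytes.fromhex("551d11")   # 2.5.29.17 subjectAltName

def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def walk(buf, found):
    """Recurse through constructed nodes (SEQUENCE/SET/[n]), collecting OIDs and strings."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = der_tlv(buf, pos)
        if tag & 0x20:
            walk(value, found)
        elif tag == TAG_OID:
            found["oids"].append(bytes(value))
        elif tag in (TAG_PRINTABLE, TAG_UTF8):
            found["strings"].append((tag, value.decode("utf-8")))
    return found

def palm_issues(der):
    """List the Palm OS compatibility problems found in a DER Name or certificate body."""
    found = walk(der, {"oids": [], "strings": []})
    issues = []
    if any(tag == TAG_UTF8 for tag, _ in found["strings"]):
        issues.append("UTF8String in name (Palm OS needs PrintableString)")
    if OID_SAN in found["oids"]:
        issues.append("subjectAltName extension present (UCC/SAN certs unsupported)")
    return issues

def tlv(tag, value):               # short-form DER encoder, enough for the samples below
    return bytes([tag, len(value)]) + value

def name(cn, string_tag):          # Name ::= SEQUENCE { SET { SEQUENCE { OID, string } } }
    atv = tlv(0x30, tlv(TAG_OID, OID_CN) + tlv(string_tag, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

# Constructed samples: a 2003-style subject, a 2008-style subject, and a SAN extension.
GOOD_SUBJECT = name("mail.example.com", TAG_PRINTABLE)
BAD_SUBJECT = name("mail.example.com", TAG_UTF8)
SAN_EXT = tlv(0x30, tlv(TAG_OID, OID_SAN) + tlv(0x04, b"\x30\x00"))
```

Feeding it a real certificate's DER (the TBSCertificate bytes) works the same way, since every constructed node carries the 0x20 tag bit and the walker skips primitive values it does not care about.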
September 9th, 2009 at 7:14 pm
Back in July (I’ve been meaning to write about it since!) I did some maintenance and upgrades on our nursery checkin system. Originally installed on a domain using Windows Server 2000 years ago (although it’s been running on Server 2003 for years), the “server” was an old Dell desktop workstation without even room in the chassis for a second hard drive to run a software RAID mirror. I never got an acceptable configuration through using a domain user and group policy to lock down the system while allowing enough rights to troubleshoot the seven checkin stations (all running Windows XP Pro), and in fact they were all using local Administrator users, not domain users at all! The system worked, but there were other reasons for some changes.
Near the beginning of the year, I did a P2V (Physical to Virtual) move of the server onto our VMWare infrastructure from the old desktop. Our network, when the checkin system (Parent Pager Plus) was set up seven or eight years ago (before I was hired and was just an occasional volunteer!), wasn’t really reliable from one end of the building (where the server room is) to the other end where the checkin system was located, and thus the “desktop” server was placed local to the checkin stations, which were at that time isolated from the rest of the network behind a Linksys cable/DSL router (for security). It worked, mostly, especially when we upgraded to new (but low-end) desktops for the actual checkin stations rather than the first systems we used that were only supposed to support Windows 2000 Professional and had countless hangs, errors, and just weird random stuff happen. The new systems practically ran themselves!
We built a large building addition, including a new lobby, and moved the checkin stations and server a couple of years ago. But none of the hardware changed (we added a few stations and got some (not all) of the stations set up with LCD touchscreen monitors over the years, too). A part of the new building included a new core network including managed HP ProCurve switches with fiber optic connections between the MDF and two IDFs (one of them brand new). The infrastructure could now reliably support moving the server into the server room and into more reliable hardware, so like I said, P2V was the solution! It worked great, except the server was also a Domain Controller for its own Active Directory subdomain, and some things didn’t go quite right with the P2V and Active Directory, and replication failed with my main domain controllers. I won’t go into details, but suffice it to say don’t P2V a DC, at least not without knowing what special precautions to take :-) After 60 days of not talking to my other Domain Controllers, the tombstone period was past by the time I looked at it, and I ended up needing to manually remove the entire subdomain from Active Directory, which is beyond the scope of this post. Suffice it to say, I managed to do so, and then I spun up a new virtual machine, running Server 2008, setting it up as a Domain Controller and recreating the subdomain I’d just cleaned up. Before I did this, I went to each checkin station and unjoined it from the old domain, and then re-joined them to the new domain.
Why set up a whole subdomain for checkin stations? Cleanliness and separation/security mainly. It’s not as important now with our current network but I still have the whole system on a separate subnet and VLAN (no Linksys router now :-) and pretty isolated. The clients and the virtual server are the only things other than the firewall/router that are on the subnet. And it’s what I did last time, and even though I basically ripped everything out, I was happy with the design decisions still, just not the implementation. So it’s still a subdomain, but with a Server 2008 DC that’s properly replicating to my other DCs.
What else changed? Well, we’re running SQL Express rather than MSDE 2000, for one. Also, Windows XP’s new Client Side Preferences addon was released, adding a ton of easy control via Group Policy! Using the new Preferences, I was able to reduce the user permissions while still allowing things like hidden drive maps to utilities, forcing custom registry entries to be maintained on login for many Parent Pager Plus settings that the checkin systems all shared (so if you log off and back on or reboot, those common settings return to their correct defaults regardless of whether they had been changed). I even customized the screen saver that says “TOUCH HERE TO START” in the Marquee so it is automatically pushed down to each client with the correct text and timeouts! Basically, the environment for each checkin station is very controlled with limited visibility, but there’s enough there to make troubleshooting easy if you know what to look for. I was also able to use the Preferences targeting options to very easily apply different registry settings in some cases to the checkin stations used at the manned desk area vs. the unmanned stations, so Parent Pager Plus defaults to the correct (but different) username at each login, for instance. The flexibility in the Preferences is absolutely amazing, and is the missing piece that I wished I’d had the last time I tried locking the systems down years ago with Group Policies when I failed. All checkin stations are not only joined to the domain but log in to a common domain username instead of local users. Although there are a lot of tweaks in Group Policy, there are only a couple of GPOs and thus policy processing time is short and the computers boot reasonably fast given their age.
I basically spent two (long) days dedicated entirely to this project, on a Monday and Tuesday one week in late July. In those two days, I managed to convert the old subdomain to a new one on a new server with a new database, restored the database from the old server’s backup, upgraded Parent Pager Plus to the newest version (forgot to mention this earlier but it needed to be upgraded so I went ahead and did it while I was working on it already), rejoined all computers to the new domain, set up group policies in excruciating detail and tested extensively. I think the effort was well worth it and the result is a system that feels current and up-to-date even though the hardware is still years old and I spent nothing but time! It feels good to complete a project quickly and successfully. If you have questions about any of the process including Group Policy Preferences, let me know. If I took the time to detail every change I made to do the lockdown, I’d spend a lot more time on this post and never get it published, but my original intention was to document it all here. That may come later, but if you have specific questions let me know!