Posted by: kurtsh | August 5, 2008

VIDEO: Microsoft Surface at the Rio in Las Vegas

My brain has been burnt to a crisp recently and I’ve been looking forward to visiting Las Vegas.  While I’m there, you can bet that I’ll be stopping by the Rio’s iBar.

(And yes, I know about the hilarious parody.  No need to email me.  Seen it and ROFLed ‘til it hurt.)

Posted by: kurtsh | August 5, 2008

NEWS: Bank of America releases Compliance Case Study

Bank of America

Global Financial Leader Deploys Solution for Compliance and Operational Advantages

Posted: 07/17/2008

Bank of America, one of the world’s leading financial institutions, provides its services through 6,100 retail banking offices and nearly 18,500 ATMs. For a large and complex organization like Bank of America, compliance with the numerous U.S. and international financial regulations is of vital importance. One of the most significant of those regulations is the Basel II Accord, which establishes rigorous requirements designed to ensure that banks hold capital reserves appropriate to the risk to which they are exposed. To comply with the operational risk aspects of Basel II, the bank created a portal solution based on Microsoft® Office SharePoint® Server 2007. Developed and deployed in just four months, the solution has been rapidly adopted by managers and staff, who are using it to comply with Basel II and to better measure and address operational risk throughout the enterprise.

Business Situation
Bank of America needed a robust and scalable way of meeting the compliance challenge of the Basel II Accord, which mandates specific ways of assessing and mitigating operational risk.

Solution
With the help of Microsoft® Office SharePoint® Server 2007 and other Microsoft technologies, the bank developed and deployed a portal solution that aggregates operational-risk data from 200 business units.

Benefits

  • Ease of development, deployment, and adoption
  • Greater motivation for staff to maintain risk data
  • Faster trend assessment and understanding
  • Easier risk mitigation at all levels

Software and Services

  • Active Directory Directory Services
  • Excel Services
  • Feature: Reporting Services
  • Microsoft Office 2007
  • Microsoft Office InfoPath 2007
  • Microsoft Office SharePoint Server 2007
  • Microsoft SQL Server 2005
  • Windows Server 2008

 

The session list for the PDC 2008 got posted a couple days ago.

Folks – I normally don’t talk much about development being that my brain hung up the developer gloves over 13 years ago, however based on some information I got recently from my trip to Seattle, I have to let you in on a little something I got while I was in Seattle last week:  PDC is the start of something big.  Really big.  And if you’re a developer you really ought to do everything in your power to get to the Los Angeles Convention Center.  This is the big enchilada, baby.

Yep.  There’s a reason there was no PDC 2007. 

And that’s all I have to say about that. 

For you App-V (Softgrid) sequencers out there, here’s a document that J.C. Hornbeck wrote on how to sequence Office Professional 2007 for your organization in just a few easy steps.

Admittedly, I skimmed through the paper and it really is quite easy to understand, even if you have a relatively limited knowledge of App-V 4.2.

Introduction:
The goal of this document is to demonstrate one particular way that Microsoft Office 2007 can be sequenced using Microsoft SoftGrid 4.2. It’s not the only way, or the best way, it’s just one way that seems to work well for me. I have not fully tested every single Office related function within this package so it’s possible there could be issues although I’ve yet to come across any.

Before you begin your own Office sequencing project I would highly recommend that you read this document fully along with KB939796 – Prescriptive guidance for sequencing 2007 Office programs in Microsoft SoftGrid. All of the steps are in here for a reason so failure to follow any one can potentially lead to total failure of your package.

DOWNLOAD:
http://blogs.technet.com/softgrid/attachment/3096090.ashx

Go ahead.  You can say it.  “FINALLY!”

Yes, we’ve finally released the System Center Operations Manager 2007 Management Packs for Windows Server 2008.  For those paying attention, we’ve been missing these since the release of Windows Server 2008 (only having the mgmt packs for Windows Server 2003) and thankfully we finally have them available.

Note that ALL SCOM Management Packs are listed here:
http://www.microsoft.com/technet/prodtechnol/scp/opsmgr07.aspx

Posted by: kurtsh | August 5, 2008

BETA: File Server Migration Toolkit v 1.1

<stolen from the Microsoft Storage blog>

After requests to release a version of File Server Migration Toolkit (FSMT) compatible with Windows Server 2008, the Storage Solutions Division at Microsoft brings you FSMT 1.1 Beta!

Microsoft File Server Migration Toolkit v 1.1 adds the possibility to migrate and consolidate data to file servers running Windows Server 2008. With that, FSMT aims to reduce total cost of ownership (TCO) and increase the efficiency of storage management and backup tasks. It covers two main features:

  • File Server Migration Wizard which copies shared folders, files, and their security settings from a source file server to a target file server.
  • DFS consolidation root wizard which maintains the original Universal Naming Convention (UNC) path of files after they are migrated to a new server.

We are running a short beta for the tool. If you’d like to have first hand access to FSMT 1.1, follow the instructions below before August 8th:

  1. Go to http://connect.microsoft.com
  2. Sign in with your live ID. If it’s your first time at Connect, you might have to fill in a small profile.
  3. Under the Connection Directory session, look for “File Server Tools” program and click “Apply Now”.
  4. In the left menu, click the “Download” link to download FSRM 1.1 beta.

Instructions for download and submitting feedback can be found inside the program main page.

<stolen from the Microsoft Deployment Guys blog>

The MDT Team has released the first Update to MDT 2008 (which is really the second update to MDT, hence the 4.2 version number).  The main new features for this release are support for OEM preload scenarios (i.e. having the PC vendor preload an image onto your hardware that will work with MDT in your environment) and a revised System Center Operations Manager Management Pack.  Minor updates include bug fixes and design changes to override driver platforms as well as the ability to inject all drivers into Windows PE.  This release also has revised documentation.

I’m sure that once we’ve had a chance to give this update a thorough review, the Deployment Guys will have more to say about how this update will impact your deployments.

DOWNLOAD: 
http://www.microsoft.com/downloads/details.aspx?familyid=3bd8561f-77ac-4400-a0c1-fe871c461a89&displaylang=en

This guide describes important tuning parameters and settings that can result in improved performance for the Windows Server 2008 operating system.  Each setting and its potential effect are described to help you make an informed judgment about its relevance to your system, workload, and performance goals.

This information applies for the Windows Server 2008 operating system.

What’s New:

• Added "Power Guidelines" under Server Hardware section and added "Performance Tuning for Virtualization Servers" section.

Included in this paper:

• Performance Tuning for Server Hardware
• Performance Tuning for Networking Subsystem
• Performance Tuning for Storage Subsystem
• Performance Tuning for Web Servers
• Performance Tuning for File Servers
• Performance Tuning for Active Directory Servers
• Performance Tuning for Terminal Server
• Performance Tuning for Terminal Server Gateway
• Performance Tuning for Hyper-V Virtualization Servers
• Performance Tuning for File Server Workload (NetBench)
• Performance Tuning for Network Workload (NTttcp)
• Performance Tuning for Terminal Server Knowledge Worker Workload
• Performance Tuning for SAP Sales and Distribution Two-Tier Workload

DOWNLOAD: 
http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Perf-tun-srv.docx

So here’s yet even more of my notes around Active Directory Rights Management Services in Windows Server 2008.

—————————

MANAGEMENT

  1. ADRMS Group Policy Templates
    (Note:  Policy Templates are the IT managed categories by which you may protect a document or mail.  For example:  “Do not forward” is a policy template that can be applied to email in Outlook.  “Company Confidential” might be another policy template that might apply to Office documents to prevent anyone without domain credentials from opening the document.  These policies are magically selectable when applying RMS protection on an email & document.)
    1. RMS Clients GP Template propagation uses Task Scheduler built into the operating system;  distribution of the templates is basically ALL or nothing if you use GP driven distribution.  This means that every person configured with RMS will get these templates.
      (Some people want executives to have special templates, and if this is necessary, another method of policy template distribution needs to be considered.  They are just files in a protected directory that need to be copied to each person’s machine so there are numerous ways that this can be done.)
    2. Group Policy Templates can provide all the functionality of RMS.  Office and SharePoint inherently do NOT expose all the RMS protection options available to the user.  For example:  Some of these options include “do not copy & paste”, “do not print”, “do not forward”, “validate every time the document is opened”, “self destruct document after x days”, “validate user every 3rd day”.
    3. The most restrictive policy is “Check for validation on each access”:  This will require contact with the authentication server every time the document is opened.  Chatty but secure.
    4. When applying rights, do not give “ANYONE” rights to a document.  This will include contractors and others.  Always apply rights to a group of people.
    5. Internet Explorer 6 & 7 both work with the Rights Management Client and the IE plug in for viewing RMS content within the browser without having an Office product installed.
    6. “Enable users to view protected content in browser” is neat because it enables people to view RMS protected content within Internet Explorer with full fidelity and protection…
      …HOWEVER it will grow the size of the document because it provides an HTML rendering of the document in the container of the document itself.

      A 200k document can grow to 2MB in size with this option turned on.

    7. “Print” rights is a HOLE.  A user can always print to PDF and then reverse engineer the PDF into a document.
    8. Watermarking or “stamping the background” of an RMS document with the end user’s name/title/email when they print is possible through third parties.
    9. The recommended method of distributing templates is to establish a Network Share that everyone has access to, enable Offline folders for that share, and place the appropriate templates on the share that people need.
      This enables specific templates to be distributed “per user/group” by redirecting the users to different folders depending on their group membership.
    10. IMPORTANT:  You can NEVER remove or retire a template from the organization without killing all the documentation that was protected by it previously.  Disaster Recovery plans must export all templates to preserve integrity of all protected documents.
    11. IMPORTANT:  Office 2003/2007 have a 20 template limitation in their UIs.  You may publish more than 20 but only 20 will be accessible by the users.

So here’s some more of my notes around Active Directory Rights Management Services in Windows Server 2008.

—————————

ARCHITECTURE & DESIGN (cont’d)

  1. Active Directory Rights Management Services does NOT require Windows Server 2008 Domain Controllers.  You do NOT have to upgrade these authentication servers.
  2. You additionally do NOT need to upgrade older RMS Clients if it’s already deployed to existing workstations.  They will work with the new ADRMS infrastructure.

IMPLEMENTATION

  1. SUPER, MAJOR, IMPORTANT BEST PRACTICES
    1. Always use fully qualified domain names (.com) when configuring ADRMS trusts; however, be very careful about selecting these names because you will never be able to change them once applied, without re
    2. Always use virtual names – not actual server names – whenever you’re configuring ADRMS for seamless agility of servers.  If you configure actual server names, you’ll have to use the same configured servers forever.
    3. Always use both HTTP: & HTTPS: (for external authentication) in case you later want to work with partners via ADFS or need external access to documents without a VPN.  Make it some sort of domain name like https://virtualname.customerdomain.com.  Seriously.  Even if you never, ever think you’ll ever need it, configure it anyway because once millions of files are protected using a “configuration policy” referencing a set of authentication servers, if you ever need access to an authentication server externally, you’ll need to have an encrypted pipe, and that’s going to require HTTPS:.
    4. Never use self-signed certificates when you’re configuring your HTTPS: configuration.  Remember that people won’t have your root cert if it’s a 3rd party that you’re looking to share with.
  2. CLUSTERS
    1. You can expect 60 connections per second per cluster.
    2. You can NOT have both RMS 1.1 and RMS 2008 servers within a cluster.
    3. RMS 1.1 licensing clusters should work but it’s not recommended by the product group.
  3. ADRMS Client
    1. There is a new registry key i.e. a “publishing bit” that enables/disables the ability to ‘create/originate new RMS encrypted content’.  This allows an organization to control who has the ability on a Group Policy basis to protect documents based on the Office Edition the user owns.   (ONLY Office Professional licensees may ‘create new protected content’ from Outlook/Word/Excel/PowerPoint.  Office Standard licensees & Exchange Outlook users may only ‘receive/read/reply to protected content’.)
      KEY –> HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
      DWORD Value –> Disable Creation 0/1
    2. Clients must have fully qualified domain names of the ADRMS Cluster in the local Intranet Zone of their Internet Explorer security configuration.
  4. ADRMS & Sharepoint, Exchange, and Windows Servers
    1. Sharepoint Server & RMS must exist in the same forest; ADFS doesn’t matter in this case.
    2. When configuring the Exchange 2007 Pre-licensing Agent, you must have both Exchange Server 2007 Service Pack 1 applied and the RMS Client installed on the server.
    3. Windows Server 2008 has RMS Client built directly into the OS.  There is no “install”/“uninstall”.  It’s just there.  Warning:  If something goes irreparably wrong with the client for some reason on the server, it’s hosed.  You’ll need to reinstall the whole server.
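
A client-side check for the two ADRMS Client settings in the notes above (the “publishing bit” and the Local intranet zone requirement), as an added example that is not part of the original notes. The cluster name is a placeholder, the unspaced value name is an assumption, and reading 1 as “creation disabled” follows the value’s name.

```powershell
# Added example (not from the original notes). Run as the user being audited,
# in Windows PowerShell, since both settings are per-user.
param(
    # Placeholder taken from the example URL in the notes; use your cluster's virtual name.
    [string]$ClusterFqdn = 'virtualname.customerdomain.com'
)

$DrmKey = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
# The notes write the value as "Disable Creation"; the unspaced spelling is an
# assumption, so both are tried.
$ValueNames = 'DisableCreation', 'Disable Creation'

function Get-PublishingBit {
    $props = Get-ItemProperty -Path $DrmKey -ErrorAction SilentlyContinue
    if (-not $props) { return $null }              # DRM key does not exist
    foreach ($name in $ValueNames) {
        $p = $props.PSObject.Properties[$name]
        if ($p) { return [int]$p.Value }
    }
    return $null                                   # key exists, value not set
}

function Get-UrlZone([string]$Url) {
    # Zone that Windows resolves for the URL, including Group Policy
    # site-to-zone assignments (.NET Framework API).
    [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone
}

$bit = Get-PublishingBit
if ($null -eq $bit)  { $bitText = 'not set' }
elseif ($bit -eq 1)  { $bitText = '1 (creating protected content disabled)' }
elseif ($bit -eq 0)  { $bitText = '0 (creating protected content allowed)' }
else                 { $bitText = "$bit (unexpected value)" }
"Publishing bit under ${DrmKey}: $bitText"

# The notes call for the cluster FQDN to be in the Local intranet zone;
# both schemes are checked because the notes recommend configuring both.
foreach ($scheme in 'http', 'https') {
    $url  = "${scheme}://$ClusterFqdn"
    $zone = Get-UrlZone $url
    [pscustomobject]@{ Url = $url; Zone = $zone; InLocalIntranet = ($zone -eq 'Intranet') }
}
```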
