Virtual Certification

Several years ago I worked with an avant-garde team with the goal of bringing real-world performance based assessments to the world of Microsoft Certification. I know we weren’t alone in our desires – in fact I’ve seen Brian Egler blog about such dreams recently.

This crack crew of consultants, educators, and developers nearly got such products to market not just for Microsoft technology certifications, but other technologies as well. It was the best of times… almost. At the time, perhaps the world just wasn’t ready for performance based assessments.

In any event, let’s not dwell on the past, for the present and the future are looking very exciting right about now.

Microsoft Technology Specialist Exam 83-640 on Windows Server 2008 Active Directory: Configuring is live. Indeed, this is a lab practical – a performance-based assessment.

Well OK, so it’s not 100% news if you’ve taken a beta of it or taken a live version in some parts of the world where it’s been around since November 2008. Please read the brief on it at <http://www.microsoft.com/learning/en/us/exams/83-640.aspx>.

If this exam has reached your part of the world (currently only in English, FWIW), it may have replaced the traditional exam 70-640.

Why would you want to take a lab practical instead of a largely multiple-choice exam? Why would a vendor like Microsoft want to offer one? Will such moves improve the industry? Will this cross-pollinate over to other exams? If so, how quickly? Will the world be a better place a year from now because of this? So many questions… so many questions…

With respect to the first question: “Why would you want to take it?,” my opinion is that it really depends on your learning style, your testing abilities, and your actual skills at the console(s) of some virtual servers. One of the motivations of that avant-garde group I’d referred to earlier was to eradicate the issues with a glut of “paper-MCSEs” (that was prior to the MCTS+MCITP days). Yet I know many people who can configure Active Directory, teach other people how to do so, and regularly do consulting on it, and yet freeze up when there’s a multiple choice question staring them in the face which doesn’t have any 100% correct answers. Some of these people might know more than the people who wrote the exams. Others are probably just overthinking the question. Many of these types are prone to embrace a lab practical. Just do it. That’s the ticket. What a bargain.

But then there are many other people who love the multiple choice exams. Well, perhaps love isn’t the right word, but thrive and succeed is probably more what I meant. And some of these people who might already be MCITP or MCTS certified well beyond the 70-640 might just freeze up when faced with the hands-on 83-640. Well, if the lab systems don’t freeze up first. Some of the people who apparently took betas reported that the test vendor was scrambling to keep things running smoothly.

What do you think? Hypothetically, if you felt you were ready for 70-640 and you found out that your test vendor or region was going to be transitioned to 83-640 a month from today, would you rush out and take 70-640, or would you wait until it wasn’t available anymore and take 83-640 instead a month from now?

Five Things About Exchange Server 2007 You Probably Don’t Know (part 4)

After four posts, we reach the end of the saga about “five things you probably don’t know about Exchange Server 2007.” And now, #5/5 on the list:

5. Edge Transport is optional… depending on what you want to do.

Many people are inclined to think that if a vendor includes a component with a product, it must be used for the system to work. For example, would you use a computer without a mouse? Well, actually that’s a complicated question based on a plethora of factors. How about the crevice tool on your vacuum? Do you need to use it, or is it optional?

Exchange Server 2007 includes several roles which could be performed: Mailbox, Active Clustered Mailbox, Passive Clustered Mailbox, Hub Transport, Client Access, Unified Messaging, and Edge Transport. Yes, Virginia, you can choose whether your organization really wants to use Microsoft’s Edge Transport service or not. Here are some guidelines.

If you already have Barracuda, IronPort, Postini, etc. type filtering devices, you may want to preserve that investment and not use Microsoft’s Edge Transport service role for Exchange Server 2007. That saves some hardware, a Windows Server license, and an Exchange Server 2007 license because the Edge Transport role cannot be installed on the same Exchange/Windows server as any other E2K7 role. It is possible to use E2K7 Edge Transport in conjunction with those sorts of devices, but that is not always a productive use of money unless having “double coverage” for SPAM or AntiVirus scanning with different products gives you some actual advantage.

For small deployments, it’s worth noting that it is possible to make a Hub Transport server (or servers) do the kinds of filtering an Edge Transport server would do. That saves having a separate server box (or two) for Edge Transport. Certainly, if you have more than one or two servers with the Hub Transport role, you could choose which ones act as gateways/bridgeheads to/from the outside world and would do AntiSPAM + AntiVirus scanning, and which would not.

When you don’t have Barracuda type filters and you want to isolate your SPAM and Virus checking (along with other filtering, processing, and routing potentially), you could install one or two separate servers running Exchange Server 2007 out in a DMZ (demilitarized zone, edge network, perimeter network, extranet) and install only the Edge Transport role. Active Directory Lightweight Directory Services (AD LDS, formerly known as ADAM) and some other prerequisites are required.

Then you’d configure the Hub Transport servers inside your Exchange organization to work with the Edge Transport server(s) outside and vice versa. The magic is in the details.

In summary, based on your needs and other messaging filtering and services, you may or may not need E2K7 Edge Transport services in (the perimeter network of your) Exchange organization. In that sense, it’s conditionally optional.

I hope you’ve enjoyed these Five Things About Exchange Server 2007 You Probably Don’t Know.

Next I’ll probably post about something other than Exchange since I suspect Rich Luckett will likely be writing about Exchange on the blog. That, and I’ve been getting some great questions on Windows Server 2008 topics lately that I feel like writing about.

Preventing Private NIC Registration in DNS

A student from a class I taught a few weeks ago wrote to me asking the following question.

“I was in your networking class a couple of weeks ago for the Networking Infrastructure. Our AD server has dual NICs with one NIC on an isolated VLAN with the SAN. How do we keep the IP of the isolated VLAN from auto-populating into DNS? This is causing traffic to route out that NIC but can’t go anywhere.”

Great question. If any of you have to deal with this sort of scenario, here’s what I’d suggest.

Via Control Panel, you can get to the Network and Sharing Center, then from there get the Status of the NIC which connects to your isolated VLAN (e.g. Local Area Connection 2, or whatever it’s called).

From the connection status you can get the Properties. Then from the Properties, you can choose Internet Protocol Version 4 (TCP/IPv4) and obtain this item’s Properties.

In the Internet Protocol Version 4 (TCP/IPv4) Properties, hit the Advanced… button. In the resulting Advanced TCP/IP Settings dialog there should be three tabs: IP Settings, DNS, and WINS. Select the DNS tab.

At the bottom of the DNS property sheet in the Advanced TCP/IP Settings of your isolated VLAN connection, there should be a check box labeled “Register this connection’s addresses in DNS.” Please uncheck that box, and hit OK, OK, Close, and Close to close the dialogs. Then close the Network and Sharing Center.

To test this, you could do an “ipconfig /registerdns” at a cmd prompt for that server. If necessary, you could manually remove the entries from the DNS zone. The records for that NIC should not be re-added by the server as long as the “Register this connection’s addresses in DNS” check box stays unchecked.

That’s it really.

Any time you have multiple network interfaces in a machine (e.g. server or multi-homed workstation, or notebook with wired and wireless) it’s good to be aware of what the machine is receiving and registering (advertising) via each network interface.
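The same check box can be audited and cleared from a script. This is an added example, not part of the original post. It assumes PowerShell 2.0 or later in an elevated session and that the isolated connection is named "Local Area Connection 2". It uses the WMI classes Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration.

```powershell
# Added example: report which NICs register in DNS, then turn registration off
# on the isolated one. Run elevated on the multi-homed server.
# Assumption: the SAN-facing connection is named "Local Area Connection 2".
$IsolatedNic = 'Local Area Connection 2'

function Get-DnsRegistrationReport {
    # Connection names live on Win32_NetworkAdapter; IP and DNS settings live on
    # Win32_NetworkAdapterConfiguration. The two classes share the Index property.
    $adapters = Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionID IS NOT NULL'
    $configs  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($cfg in $configs) {
        $nic = $adapters | Where-Object { $_.Index -eq $cfg.Index }
        New-Object PSObject -Property @{
            Connection   = $nic.NetConnectionID
            IPAddress    = ($cfg.IPAddress -join ', ')
            RegistersDns = $cfg.FullDNSRegistrationEnabled   # the GUI check box
            Config       = $cfg
        }
    }
}

# 1. Audit: what is each interface advertising before the change?
Get-DnsRegistrationReport | Format-Table Connection, IPAddress, RegistersDns -AutoSize

# 2. Clear "Register this connection's addresses in DNS" on the isolated NIC only.
$target = Get-DnsRegistrationReport | Where-Object { $_.Connection -eq $IsolatedNic }
if (-not $target) {
    throw "No IP-enabled connection named '$IsolatedNic' was found."
}
# Arguments: FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled
$result = $target.Config.SetDynamicDNSRegistration($false, $false)
if ($result.ReturnValue -notin 0, 1) {   # 0 = success, 1 = success, reboot required
    throw "SetDynamicDNSRegistration failed with code $($result.ReturnValue)."
}

# 3. Re-run registration and confirm the setting held.
ipconfig /registerdns | Out-Null
Get-DnsRegistrationReport | Format-Table Connection, IPAddress, RegistersDns -AutoSize
```

Records the NIC registered before the change are not removed by this script; delete them from the zone by hand as described above.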