Yes, thank you! LogicMail rocks.
I have not worked with BES 5, but it was certainly commonplace on 2.2, 3.6, and 4.0 to have to reset the devices on occasion because they would just stop syncing. I was present for numerous calls involving a help desk person, RIM support, and the carrier to try to get some traveling exec's BlackBerry working.
The BES is a steaming pile of shit layered upon several other steaming piles of shit. It hammers the crap out of mail servers. The install process involves magical incantations and occasionally modifying the AD schema (this one admittedly is the fault of MS and lazy admins who use domain admin accounts for their mail). The upgrade process involves something called a "knife edge cutover", I think because slitting your wrists can seem like a practical alternative. There's no reason removing a user from the server and then adding him again should require mucking with the DB tables directly with osql, yet that was the recommended procedure for a while. Wireless activation was a total game of chance well into when activating an ActiveSync device took a couple minutes and then it never had to be looked at again.
RIM's architecture made sense in 1999 when you couldn't get Internet access via cell. At this point though it's an anachronism. I can appreciate the security features and policy management, but there's zero reason that this huge extra infrastructure be required in the days of unlimited mobile Internet access. Why install a BES, an MDS, a bb router, only to send your traffic to RIM's network (which has suffered several outages recently) which then goes to the carriers and to the devices?
BIS pisses me off even more. Why provide an IMAP client when you can force people to provide their login credentials to their honest and trustworthy cell phone carrier? Not to mention that well into 2008 the idea of syncing e-mail (as opposed to POP3 download) was looked at as some sort of freak request. It's not like anyone would want to get their mail from both their phone AND their PC.
I can't speak to what happened in your particular scenario, but yes, staff, power, cooling, etc. are big drivers for virtualization. I've seen multiple racks of servers condensed down into two servers and a SAN running in about 20U. You can get to everything remotely (out-of-band) without needing an IP-KVM and can restart hung servers without needing an IP/Serial PDU.
Setup time for new servers is orders of magnitude faster. Fill out a couple screens in a click-and-drool GUI and you have a new server up and running.
Redundancy and reliability are also quite a bit better. While you're right a catastrophic failure of physical server hardware will bring down the VMs hosted on that server, they can immediately be powered on again on one of the other physical hosts. (Of course if you use local storage with virtual servers, you're playing with fire and will get burned eventually.) Virtualization also makes it reasonable to cluster services for HA since you don't need 100% more hardware for failover. VMotion or XenMotion (which I haven't yet tried) will let you move running VMs off a physical box you suspect of failing or need to service, which is damn handy, though I don't know that it's worth the price VMware charges in most cases.
Virtualization means NOT needing to buy new hardware since the hardware becomes a commodity, run it till it fails and then replace it. You get out of proactive replacement cycles and expensive 7x24x4 support contracts. When you need more capacity, you just add another node and redistribute your VMs rather than having to deal with the headache of migrating an overutilized server to new hardware.
I don't know why you'd run Windows on top of Linux (or vice-versa) outside of test-dev (a sales laptop running a 3-tier application on 3 VMs via VMware Player or Workstation, for example). Server-based hypervisors run on bare metal.
This is certainly a big step forward for what are otherwise niche also-ran hypervisors. I'm certainly glad to see competition to VMware, but there's still nothing that actually comes close to it in terms of real-world performance (specifically stability and manageability).
One feature that it would be interesting to see incorporated into server virtualization products is storage abstraction and network RAID. Right now you can do it with a VM (LeftHand's software iSCSI SAN or Openfiler) but it would be cool if that were a built-in feature of the hypervisor. Currently if you're not using shared storage (SAN or NAS) virtualization presents some pretty serious risks if you suffer hardware failure. Instead of hardware failure taking down one server, now it takes down five. If one of the competing virtualization products gave you the ability to mirror local storage between two physical servers, that would be a killer feature for branch/small office settings where the budget doesn't justify a SAN. I don't see VMware doing this because they don't want to piss off their expensive SAN-hawking partners or parent company.
Here's an example of one I came across recently: http://www.dslreports.com/forum/r21704795-Browser-Redirect-to-7770-interesting
Also at the time I'm writing this, there are at least three PDF droppers listed here: http://www.techzoom.net/security-radar/latest-virus.en
Generally tracking things back to the original infection vector is fairly straightforward if it happened recently - there's usually cruft all over the system that wasn't there prior to the infection, and log file entries or application crash memory dumps correlate to the time things started getting hinkie. Often it's as easy as loading up the browser history in IEHV and seeing what the user did (Google search for some topic, the 3rd URL down points to http://ssladjfkfj.fjdskjff.cn/ and if you're quick enough and the site is still up you can usually grab a copy to see exactly what the page is doing).
Acrobat Reader that hasn't been upgraded to 8.1.3 (I'm not sure if there are patches for 7) is vulnerable. There are lots of PCs out there with an older version of Acrobat, especially since many people disabled the update notifications after getting sick of being prompted to install Photoshop Elements (or whatever else Adobe was pimping) over and over.
Pretty much every virus-infected PC I've seen in the past few months was originally infected via the magnificence that is Acrobat Reader (and most of the remainder were infected by the meth-using-crack-whore that is the Sun JRE).
The time is right to go after Acrobat. After explaining to someone that the virus that just trashed their PC (or office's PCs) came in by way of a hidden PDF in an infected web page, not only are they OK with removing the Acrobat browser plugins, but they're often open to getting Acrobat off the machine entirely.
Given the rash of shit that Microsoft has (rightfully) received over the years for browser exploits, it's time to hold Adobe and Sun accountable for their dangerously insecure products. Both companies' patch management is terrible. Neither provides any decent support for sysadmins to push out updates ("uh, try to find the MSI that the installer drops and then, you know, push it out with something. I think you can do it with Group Policies!" is about as far as they go). For Java it's been easy to say "just get rid of it" since for 99% of people it's unnecessary, but Acrobat and Acrobat Reader have been more of a challenge. Perhaps highlighting how insecure Acrobat is will help move the effort to replace it along.
Thanks, I'll check it out.
The costs for AD/Exchange, etc. pale in comparison to the administrative salary costs associated with supporting an IT infrastructure and the lost productivity costs of down time.
I've found Samba in a Domain environment to be kind of flaky, and while it's useful for accessing the file system on a Linux server (though I prefer scp) there's no way I would look at replacing any Windows file server that had an SLA with a Samba server. The licensing costs for a Windows server (especially virtualized) are negligible.
On the other hand, there's still no great solution for something similar to AD on Linux. NIS+ is old and sucks. Going through the whole LDAP rigmarole only gets you part of the way and requires a hell of a lot of upkeep depending on the server. Winbind against AD isn't bad, though again it's flaky and requires way too much work to set up. I suppose there's the tried and true method of rsync-ing passwd, group and shadow files around.
The combo of AD and Group Policy is pretty killer. It would be really nice to see something similar for Linux, or at the very least improved AD integration would be awesome.
Conversely, virtualization allows you to keep older server hardware on-line longer and less expensively - you can avoid renewing service contracts and just run servers till they die since you can just vmotion the VMs to another physical server when the time comes. The only downside is per-CPU licensing for VMware, which may be way cheaper per app/VM on newer hardware. (More VMs per CPU license.)
Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling