Deploying Groove Server 2007 and Groove 2007 at Microsoft
Technical White Paper
Published: February 27, 2007
Groove 2007 gave Microsoft IT the opportunity to validate the product's key collaboration features and functionality in a large-scale deployment and to increase individual and team productivity across the enterprise.
Microsoft IT partnered with the Office product group to deploy an on-site server infrastructure based on Groove Server 2007 that supports dynamic team collaboration for 60,000 Groove users in the enterprise. The deployment of Groove Server 2007 and the Groove 2007 client played a significant role in helping to validate the business value of a large enterprise deployment and in helping to improve the final configuration of the product.
At Microsoft, as in many organizations, the majority of collaborative work occurs in small teams. In today's highly distributed and decentralized business environment, teams span multiple locations, organizations, and time zones. Also, the workforce has become more mobile than ever. It has become increasingly challenging for team members to effectively work together on projects, share information, and maintain a high level of productivity.
Microsoft® Office Groove® 2007 is a new collaboration tool in the 2007 Microsoft Office system that increases individual and team productivity by enabling teams to dynamically work together on projects, even when team members work for different organizations, work remotely, or work offline. The Groove 2007 platform employs a unique decentralized, hybrid architecture. Core components are decentralized client software (Groove 2007) and server software that provides services to Groove clients (Microsoft Office Groove Server 2007 or Microsoft Office Groove Enterprise Services).
Microsoft Information Technology (Microsoft IT) partnered with the Office product group to deploy Groove 2007 within Microsoft. The primary goal of the project was to establish an on-site server infrastructure based on Groove Server 2007 from which to support dynamic team collaboration for 60,000 Groove 2007 users in the enterprise. The Microsoft IT deployment of Groove 2007 was an opportunity to increase individual and team productivity by helping employees to bridge boundaries, collaborate on projects more efficiently, and engage partners and customers more effectively.
With the Groove 2007 infrastructure in place, Microsoft IT is currently overseeing the internal worldwide deployment of the release-to-manufacturing (RTM) version of the Groove 2007 client (as part of Microsoft Office Enterprise 2007). As of January 2007, more than 45,000 users at Microsoft have installed Office Enterprise 2007 on more than 78,000 computers. Of these, 14,000 users have active Groove user accounts.
As the first pre-release customer of Groove 2007, Microsoft IT played an important role in helping to validate the business value and IT benefit gained from a large enterprise-wide deployment in addition to helping to improve and shape the final configuration of the product. During this process, Microsoft IT learned many valuable lessons and developed best practices that provide meaningful guidance to other organizations that want to deploy and manage a Groove 2007 infrastructure to enable dynamic team collaboration.
This paper shares Microsoft IT's early-adopter experiences in the deployment of Groove 2007 at Microsoft, with a focus on the on-site server architecture. The information shared in this paper captures early-stage discoveries and learnings to date. It is intended for technical decision makers, business decision makers, and IT architects. The Microsoft IT deployment plan included tasks that other organizations may never encounter or that may need to be completed at different times. Therefore, although this paper provides recommendations based on Microsoft IT's experiences, it is not intended to serve as a procedural guide. Because each enterprise environment has unique circumstances, each organization should adapt the information in this paper to meet its own specific requirements.
Note: For security reasons, the names of domains and other internal resources do not represent real names used within Microsoft. The names are for illustration purposes only.
At Microsoft, as in many organizations, the majority of collaborative work occurs in small teams. Activities within a team are typically task-driven or project-oriented, in which team members work closely together to create content and produce a defined deliverable. From these core teams, the final work product is shared with and extended to broader virtual teams and groups in the enterprise. The ability to work together, to share information, and to communicate effectively and efficiently within and across teams worldwide is critical to business productivity.
With advances in computing technology, wireless connectivity, and the proliferation of broadband Internet and mobile devices, the nature of work has changed. The workplace is no longer confined to an office space or building. For many at Microsoft, the workplace can be any place where an employee can use a laptop—on an airplane, in an off-site conference room, in a hotel room, at a coffee shop, or at a home office. Furthermore, team members are spread across multiple locations, organizations, time zones, and even continents. Team members are likely to work with people whom they have not met in person. Additionally, a team often includes not only coworkers, but also partners, customers, and other individuals who do not share a common network infrastructure.
In such a dynamic business environment, it is increasingly challenging for teams to collaborate on projects directly and effectively. Because teams often consist of individuals from multiple locations and organizations, in addition to mobile and remote workers, they often rely on a combination of technologies, tools, and methods from which to communicate and collaborate. However, the myriad tools, such as e-mail, phone calls, file shares, and Web sites, do not provide a consistent work environment. Moreover, many tools use a centralized architecture that requires all team members to be on the same network. Providing network access for all team members by setting up a virtual private network (VPN) infrastructure or an extranet may not be practical or cost-effective from an IT perspective. At the same time, information workers face rising expectations of availability, self-sufficiency, and service quality.
The primary challenges in today's fast-paced, distributed business environment revolve around simplifying the process of working together by connecting people, business processes, and information. Organizations must find methods that enable team members to work together in context, at any time, and from anywhere. With offices in more than 100 countries around the world and with a large, diverse, and dispersed workforce that includes full-time employees, numerous vendors, and partners, Microsoft recognized the factors that drive today's business environment. Challenges that Microsoft experienced and that other organizations face include how to address the following:
Bring teams together across organizational, geographical, and technological boundaries.
Empower teams to work together independently, while at the same time, maintain centralized management and control.
Cost-effectively extend collaborative tools to mobile and remote workers, partners, and customers.
Help ensure the integrity and confidentiality of company intellectual property that is shared across organizational boundaries.
Extend information assets and business processes to teams wherever they work.
Increase business productivity by minimizing redundancy and automating activities that occur during team collaboration.
With the acquisition of Groove Networks in 2005, Microsoft added a dynamic tool to its collaboration and productivity offerings. As part of the 2007 Microsoft Office system, Groove 2007 complements and broadens the capabilities of collaboration products and technologies such as Microsoft Office SharePoint® Server 2007 and Windows® SharePoint Services version 3.0. Groove 2007 enables teams of information workers to dynamically collaborate on projects, even if team members work for different organizations, work remotely, or work offline. Groove 2007 meets the needs of:
Teams that are geographically dispersed.
Teams that are increasingly virtual.
Teams that have members who are mobile.
Teams that require cross-organizational coordination, information sharing, and collaboration.
Teams that need to stay up to date and productive anywhere, whether online, offline, or intermittently connected.
Shortly after the acquisition, Microsoft IT partnered with the Office product group and other internal teams to plan and deploy Groove within the company. In parallel to the product development cycle, the project involved deploying pre-release versions prior to deploying the RTM version of Groove Server 2007 and the Groove 2007 client. As of this writing, with the server infrastructure in place, Microsoft IT is actively deploying the Groove 2007 client to all employees as part of the worldwide deployment of the RTM version of Office Enterprise 2007.
In addition to addressing the challenges mentioned earlier, the Microsoft IT deployment of Groove 2007 set out to accomplish the following goals:
Build an on-site server infrastructure based on Groove Server 2007 to support dynamic team collaboration for 60,000 users in the enterprise.
Increase individual and team productivity at Microsoft by providing employees with a contextual collaborative environment from which they can dynamically work together on projects with other team members, unconstrained by time, location, or organizational affiliation.
Provide a real-world testing ground for a large-scale, enterprise-wide deployment of Groove 2007. Use the deployment as a model from which to confirm technical requirements, thoroughly field-test the product, and identify best practices to guide customer deployments. Additionally, use the live enterprise production environment as a platform to validate the business value of product features and help drive product enhancements by providing constructive feedback to the product group.
To better understand the Groove 2007 solution that Microsoft IT deployed, it is important to be familiar with the Groove 2007 platform and its decentralized, hybrid architecture. That is the focus of the following section. From this broader discussion, subsequent sections explore Microsoft IT's deployment of Groove Server 2007 and the Groove 2007 client. Readers who are already familiar with the technology may choose to skip to the "Deployment" section.
Overview of the Groove 2007 Platform
The Groove 2007 platform uses a decentralized architecture that consists of a hybrid mix of client and server software. Core components of the Groove 2007 platform are:
Groove 2007, which is decentralized client software that is installed on each user's desktop computer or laptop, for information worker productivity.
Groove Server 2007 or Groove Enterprise Services, which is server software that provides centralized management, data relay, and data integration services to Groove 2007 clients.
Groove 2007 Client
Groove 2007 is the Microsoft Win32®-based, rich-client application that enables individuals to work together as teams within collaborative workspaces. A workspace is the virtual environment that seamlessly brings together all team members, communications, content, and tools. Within a workspace, teams of information workers can dynamically collaborate on projects, as if they were in the same physical location.
The Groove client contains all application logic and data. Collaboration begins when a user creates a workspace, adds tools and content, and then invites others to join the workspace as workspace members. Although membership to a workspace is limited to only those users who explicitly receive an invitation from another workspace member, a common organizational affiliation or a common network infrastructure among members is not required. After accepting an invitation, each workspace member receives an exact copy of the workspace (including all tools and content), which is stored locally on his or her computer. Therefore, each member has full access to the workspace and can work in it and stay productive, even when he or she is offline.
As members collaborate in a workspace, Groove 2007 ensures that the copy of the workspace on each member's computer is up to date and synchronized. Synchronization operates continuously, occurs automatically, and requires no user intervention. Each change (and only the change) that a workspace member makes to a document or item in a workspace is automatically encrypted, transmitted over the corporate network or over the Internet to the computer (or computers) of each of the other members, and then synchronized to the workspace. For those workspace members who are online, changes are synchronized in near real time. If a workspace member is offline when a change is made, the change is pushed to that member's workspace the next time he or she is online. Similarly, if a workspace member makes a change while offline, that change is pushed to the workspaces of all other members the next time that he or she is online.
Groove 2007 employs an end-to-end encryption model that uses 192-bit Advanced Encryption Standard (AES) encryption to help protect a workspace and its contents. This built-in, always-on encryption system helps maintain the integrity, confidentiality, and authenticity of data on each workspace member's computer and over wired and wireless networks.
When in a workspace, a team can easily work together, in context, to achieve project goals. Common tasks include reviewing and sharing documents, coordinating project plans, tracking tasks and issues, organizing meetings, participating in discussions, collecting structured data, and exchanging ideas by voice or by chat.
Figure 1 shows a Groove workspace.
Figure 1. An example of a Groove workspace
Each workspace includes a rich set of extensible, user-friendly tools that workspace members can use to share and manipulate data. Tools are programs that support a range of activities that include project planning, file sharing, discussions, and meetings. For example, tools like the Groove InfoPath® Forms tool and the Groove Forms tool collect structured data. Other tools enable teams to work with unstructured data such as documents, images, and discussion threads. Additionally, Groove 2007 offers out-of-the-box integration with SharePoint Server 2007 and Windows SharePoint Services 3.0. By using the Groove SharePoint Files tool, teams can synchronize documents between a workspace and a SharePoint document library. Other features of a workspace include presence awareness, alert notifications, chat and messaging functionality, and integration with Microsoft Office Communicator 2007 and 2005.
Groove Server 2007 or Groove Enterprise Services
Whether an organization chooses to deploy Groove Server 2007 or subscribe to Groove Enterprise Services depends on the size and scale of the deployment and required functionality. Groove Server 2007 requires an on-site server infrastructure and is the choice for large enterprise deployments. Additionally, Groove Server 2007 provides capabilities that include synchronization with the Active Directory® directory service and other Lightweight Directory Access Protocol (LDAP)-compliant directories, automation of the user account configuration process (Auto-Account Configuration), the option to use an enterprise Public Key Infrastructure (PKI), the ability to create multiple domains, roles-based administrative control, and server-side data integration. Groove Enterprise Services is a hosted environment whose servers are maintained by Microsoft. It is typically best suited to smaller deployments of fewer than 1,000 users.
A hosted environment often acts as a precursor to an on-site deployment of Groove Server 2007. Microsoft IT used this deployment strategy for the internal deployment of Groove 2007 at Microsoft.
Groove Server 2007
Groove Server 2007 consists of three components: Groove Server 2007 Manager, Groove Server 2007 Relay, and Groove Server 2007 Data Bridge. Each component must be installed on a separate server. Groove Server 2007 Manager and Groove Server 2007 Relay are required components in the Groove collaboration framework. Organizations that want to integrate workspaces with existing centralized data sources or that require basic workspace archiving functionality can also choose to deploy Groove Server 2007 Data Bridge.
Existing components of an organization's infrastructure that integrate or interact with Groove Server 2007 Manager and that may also play a role in an enterprise deployment include LDAP directory servers, an enterprise PKI, and mail routing systems.
Figure 2 is a high-level overview of components in the decentralized, hybrid architecture of Groove Server 2007 and Groove 2007.
Figure 2. The decentralized, hybrid architecture of Groove Server 2007 and Groove 2007
Groove Server 2007 Manager
Groove Server 2007 Manager presents administrators with a Web-based interface from which to centrally deploy, manage, and monitor Groove 2007 clients in the enterprise. In addition to centralized management services and policy enforcement, Groove Server 2007 Manager provides oversight of Groove Server 2007 Relay. Supported by a back-end Microsoft SQL Server™ database, Groove Server 2007 Manager also contains a central directory of managed contacts so that Groove 2007 users across the enterprise can locate each other.
The top-level unit of administration is the Groove management domain. Within a Groove domain, users and devices (desktop computers and laptops) are further categorized into domain groups. Each domain contains a collection of managed user identities, managed devices, identity policy templates, device policy templates, and relay sets. After a domain is set up, administrators use Groove Server 2007 Manager to manage Groove usage in the domain. Key administrative tasks include:
Create and manage user identities and devices. A managed user is a member of a domain. Each managed user must have a managed identity before that user is subject to the policies that are configured for the domain. Groove Server 2007 Manager creates a managed identity for a user after that user activates his or her Groove user account through an account configuration process. Similarly, each device must be registered with a domain before security policies can be applied to it.
Establish identity policies and device policies. Policies that administrators can apply to users and devices in the domain include identity-based usage policies, device-based installation policies, and security policies. These policies govern settings such as user account backup schedules, publication of contact information, and password creation and reset.
Provision users with relay servers. In a managed environment, after each server that is running Groove Server 2007 Relay is registered with Groove Server 2007 Manager and added to a relay server set in the domain, administrators can manage the provisioning of relay servers to users.
Monitor usage data and audit Groove 2007 events. Reporting tools enable administrators to monitor usage data for users, workspaces, and tools in the domain. Auditing is an optional feature in Groove Server 2007 Manager that can be implemented on separate servers from which to log specific Groove 2007 client events.
Groove 2007 clients periodically (approximately every five hours) connect to Groove Server 2007 Manager to receive updates to policies, relay server assignments, and managed contact information, and to report usage data. The connections are always initiated by Groove 2007 clients and never by Groove Server 2007 Manager. However, Groove Server 2007 Manager does initiate connections with the relay servers that it manages, to communicate relay server assignments of managed users. These connections—from Groove 2007 clients to Groove Server 2007 Manager and between Groove Server 2007 Manager and Groove Server 2007 Relay—are facilitated through Simple Object Access Protocol (SOAP) requests over Hypertext Transfer Protocol (HTTP).
Groove Server 2007 Relay
Groove Server 2007 Relay provides essential services to Groove clients, enabling teams to work together in synchronized workspaces in a dynamic manner. By supporting multiple protocols, Groove Server 2007 Relay facilitates uninterrupted, efficient data transmission between Groove 2007 clients across network boundaries. All processes that occur in Groove Server 2007 Relay are automatic and transparent to users.
Services that Groove Server 2007 Relay provides to Groove 2007 clients are offline support, firewall traversal, bandwidth optimization, and presence awareness.
Offline Support and Firewall Traversal
Whenever possible, Groove 2007 clients transmit data directly to other Groove 2007 clients in a peer-to-peer manner. However, in scenarios where Groove 2007 clients cannot connect directly, such as when workspace members are offline or are on different networks, Groove 2007 clients automatically initiate connections to Groove Server 2007 Relay.
Groove Server 2007 Relay provides a store-and-forward service that temporarily stores changes to workspace data when one or more workspace members are offline. If a workspace member is offline when a user makes a change to a workspace, the user's Groove 2007 client automatically routes the encrypted data packet that represents the change to the relay server that is assigned to that offline member, and then deposits it in a queue. When the workspace member returns online, his or her Groove 2007 client automatically retrieves the encrypted data packet from the queue, decrypts it, and then synchronizes it to the workspace where it is encrypted on the computer again.
If a network boundary such as a firewall prevents a direct connection with another workspace member, the user's Groove 2007 client automatically routes the encrypted data packet to the designated relay server of that member. Groove Server 2007 Relay therefore enables communications across network boundaries.
Groove 2007 clients have an intelligent routing capability that determines the most efficient ports and protocols to use for transport. The primary protocol used for client-to-client and client-to-relay connections is Simple Symmetrical Transmission Protocol (SSTP), a proprietary protocol that enables bidirectional, asynchronous communication. Direct connections between Groove 2007 clients are carried out through SSTP on port 2492/TCP. However, if port 2492/TCP is unavailable, Groove 2007 clients automatically try to establish an outbound connection to Groove Server 2007 Relay by using SSTP on port 443/TCP. If port 443/TCP is also unavailable, Groove 2007 clients encapsulate SSTP within an HTTP data stream and connect to Groove Server 2007 Relay on port 80/TCP. Because of the overhead due to encapsulation and the HTTP connection mechanism, these types of connections on port 80/TCP are less efficient. Groove 2007 clients can also connect to Groove Server 2007 Relay across proxies on port 443/TCP or on port 80/TCP.
Figure 3 shows some of the protocols involved in the interaction between Groove 2007 clients, Groove Server 2007 Manager, and Groove Server 2007 Relay.
Figure 3. Some of the protocols involved in the interaction between Groove 2007 clients, Groove Server 2007 Manager, and Groove Server 2007 Relay
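The port and protocol fallback described above can be checked against firewall or flow logs to see which transport each client actually ends up using. The following Python is an added example, not code from this paper or from Groove; the relay addresses, the internal address range, the `Flow` record and the sample flows are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values, not from the paper: replace with your own relay inventory
# and internal address space. The addresses are documentation placeholders.
RELAY_SERVERS = frozenset(ip_address(a) for a in ("192.0.2.10", "192.0.2.11"))
INTERNAL_NET = ip_network("10.0.0.0/8")

# Transport paths, in the order the paper says a client tries them.
SSTP_2492 = "sstp-2492"        # SSTP on 2492/TCP (named for direct client connections)
RELAY_SSTP = "relay-sstp-443"  # client to relay, SSTP on 443/TCP
RELAY_HTTP = "relay-http-80"   # client to relay, SSTP encapsulated in HTTP on 80/TCP
OTHER = "other"                # anything that matches none of the above


@dataclass(frozen=True)
class Flow:
    """One accepted TCP connection as a firewall or flow export would record it."""
    src: str
    dst: str
    dport: int


def classify(flow):
    """Map a flow to one of the three Groove transport paths, or OTHER."""
    to_relay = ip_address(flow.dst) in RELAY_SERVERS
    if flow.dport == 2492:
        return SSTP_2492
    if flow.dport == 443 and to_relay:
        return RELAY_SSTP
    if flow.dport == 80 and to_relay:
        return RELAY_HTTP
    return OTHER


def paths_by_client(flows):
    """Return {client address: set of transport paths seen from that client}."""
    seen = defaultdict(set)
    for flow in flows:
        path = classify(flow)
        if path != OTHER:
            seen[flow.src].add(path)
    return dict(seen)


def http_only_clients(flows):
    """Clients whose only Groove traffic is HTTP encapsulation on 80/TCP.

    Per the paper's fallback order, this means 2492/TCP and 443/TCP were
    unavailable to the client, and it is on the least efficient path.
    """
    return sorted(c for c, p in paths_by_client(flows).items() if p == {RELAY_HTTP})


def direct_across_boundary(flows):
    """Direct (non-relay) 2492/TCP flows with exactly one endpoint in INTERNAL_NET."""
    hits = []
    for flow in flows:
        if classify(flow) != SSTP_2492 or ip_address(flow.dst) in RELAY_SERVERS:
            continue
        src_inside = ip_address(flow.src) in INTERNAL_NET
        dst_inside = ip_address(flow.dst) in INTERNAL_NET
        if src_inside != dst_inside:
            hits.append(flow)
    return hits


# Constructed sample flows for illustration only.
SAMPLE_FLOWS = [
    Flow("10.1.4.20", "10.1.4.31", 2492),     # LAN peers connected directly
    Flow("10.1.4.20", "192.0.2.10", 443),     # same client using a relay over SSTP
    Flow("10.9.0.7", "192.0.2.11", 80),       # client limited to HTTP encapsulation
    Flow("10.9.0.7", "192.0.2.11", 80),
    Flow("10.2.2.2", "198.51.100.25", 2492),  # direct peer outside the internal range
    Flow("10.3.3.3", "203.0.113.80", 443),    # ordinary HTTPS, not a relay
]

if __name__ == "__main__":
    for client, paths in sorted(paths_by_client(SAMPLE_FLOWS).items()):
        print(client, sorted(paths))
    print("HTTP-only clients:", http_only_clients(SAMPLE_FLOWS))
    print("Direct flows across the boundary:", direct_across_boundary(SAMPLE_FLOWS))
```

Clients reported by `http_only_clients` are candidates for a review of the egress filtering or proxy configuration on their network path.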
Groove Server 2007 Relay enables workspace members to share large documents in workspaces by using an intelligent "fan out" technology. For example, if a user adds a 4-megabyte (MB) document to a workspace, the Groove 2007 client assesses the size of the document, the speed of the user's connection, and the number of members in the workspace. Then, if it is most efficient to do so, the Groove 2007 client sends a single copy of the document to Groove Server 2007 Relay to fan out (distribute) to other workspace members, instead of sending the document directly to each member. This process optimizes bandwidth over slow connections and when the client is sending large amounts of data by reducing the amount of data that an individual user transmits across the network.
Groove Server 2007 Relay provides wide area network (WAN) device presence and awareness services, which are facilitated by the proprietary protocol WAN Device Presence Protocol (WAN DPP). On a local area network (LAN), device awareness is achieved through a different proprietary protocol, Local Area Network Device Presence Protocol (LAN DPP), which does not require that Groove 2007 clients connect to Groove Server 2007 Relay. On a WAN, a Groove 2007 user must publish presence state information to Groove Server 2007 Relay. Awareness of the online status of that Groove 2007 user is achieved after other workspace members automatically connect to and subscribe to the presence information on the relay server.
Groove Server 2007 Data Bridge
Groove Server 2007 Data Bridge integrates Groove 2007 workspaces with centralized data sources such as enterprise line-of-business (LOB) applications. It provides a scalable, server-based platform that exposes Web services from which developers build custom integration solutions to meet unique requirements of team projects.
By using an identity that is a server-based equivalent of a user identity, Groove Server 2007 Data Bridge facilitates interaction between workspaces and enterprise business systems through a services-oriented architecture. By acting as a single point of integration, Groove Server 2007 Data Bridge can be used to push data to workspaces, pull data from workspaces, or synchronize data in both directions between workspaces and enterprise business systems.
Groove Server 2007 Data Bridge also includes workspace archiving functionality. Administrators can schedule data archiving for all workspaces of which the server-based identity is a member.
The Microsoft IT deployment of Groove 2007 occurred over the course of many months in an effort to not only provide an on-site server infrastructure from which to support dynamic team collaboration in the enterprise, but also to demonstrate the business value of a large-scale enterprise-wide deployment.
"The Microsoft IT deployment of Groove 2007 has provided employees across the enterprise with an easy way to collaborate with others inside or outside organizational boundaries and on or off the corporate network. One of the key wins from an IT perspective is that once the server infrastructure is in place, minimal administrative effort is required. The Groove service, at a run state, is always available."
To meet immediate business requirements for Groove within Microsoft, the on-site server infrastructure was initially implemented on the Groove 3.1 platform to support a subset of the potential user population. This phase of the project began shortly after Microsoft acquired Groove Networks in early April 2005 and was completed in four months. After that, Microsoft IT upgraded the servers and the client to Groove Server 2007 (Groove Server 2007 Manager and Groove Server 2007 Relay) and Groove 2007 as pre-release versions became available. Microsoft IT also phased additional hardware into the infrastructure. The Groove Server 2007 upgrade process was a significant factor in helping Microsoft IT to achieve the total system capacity goal that it had set for the number of users supported.
An important input into the timeline of the deployment was the planned internal release dates of milestone versions of the products, as determined by the product group. As of this writing, the RTM version of the Groove 2007 client is being deployed to all employees as part of the worldwide deployment of Office Enterprise 2007. Therefore, the time frame that Microsoft IT developed in the project plan and the overall timeline of the deployment itself may not be indicative of the time requirements for other enterprise deployments of Groove 2007.
Because this was the first enterprise deployment of Groove 2007 in the Microsoft IT environment, no previous model existed for it. Along the way, some new processes had to be defined. Microsoft IT also looked to earlier Microsoft IT internal deployments of enterprise-class server software and examined successful patterns of implementation. The team adapted relevant methodologies and practices and applied these to the Groove 2007 deployment.
The deployment of Groove 2007 at Microsoft was the result of a close collaboration between a number of different groups, which together formed a project team. Within Microsoft IT, the Messaging and Collaboration Services (MACS) team led the project, working in partnership with the Groove members of the Office product group.
Microsoft IT Organization
The Microsoft IT group is responsible for driving global operations and delivering IT services to the entire Microsoft organization. The group directs all activities related to running and maintaining Microsoft information systems worldwide: technology infrastructure and corporate and marketing information systems that include production, distribution, and other key internal systems. Microsoft IT works to provide a world-class utility and excellence in business operations through its leadership in the design and integration of company strategies, processes, and architecture.
Microsoft IT provides a full range of services that include server and end-user support, telecommunications management, network operations, and information security. The group is responsible for managing connectivity for more than 300,000 personal computers worldwide. Microsoft IT ensures that more than 60,000 employees, and 20,000 contractors and vendors, in more than 400 Microsoft locations around the world are able to access corporate network services and resources 24 hours a day, seven days a week.
Because the primary business of Microsoft is software design, Microsoft IT has an additional responsibility that is unique among global providers. In addition to running the company's IT utility, Microsoft IT is an early adopter of Microsoft technologies. The group is responsible for testing and deploying Microsoft products such as the 2007 Microsoft Office system (including the Groove 2007 client), Groove Server 2007, and Microsoft SharePoint Products and Technologies, before the products are released to customers.
By deploying pre-release versions of products internally to employees, Microsoft IT has a large early deployment user base from which to rigorously test the products in a live enterprise production environment. In its role as "first and best customer," Microsoft IT provides real-world feedback to the product groups. In doing so, Microsoft IT helps to validate the business value and helps to ensure that the released products are of the highest quality. Microsoft employees call this process "eating our own dog food," or simply "dogfooding."
Messaging and Collaboration Services Team
The MACS team is responsible for providing services related to messaging and collaboration. Messaging services include managing and supporting the corporate Microsoft Exchange Server environment, e-mail communications, and mobile messaging. Collaboration services include managing and supporting SharePoint Products and Technologies, Microsoft Office Project Server, Microsoft Office client applications (including Groove), Microsoft Office Live Meeting, personal storage services, and Microsoft Office Communicator.
Project Team Roles and Resources
Members of the MACS team who were directly involved in the project included two program managers responsible for overseeing deployment, one service manager responsible for service delivery, Enterprise Client Support (ECS) group personnel responsible for end-user support, and Global Technology Services/Monitoring group personnel responsible for basic server operations.
Because Groove 2007 is a new product offering and Microsoft IT had no previous experience in deploying or supporting it, Microsoft IT used the technical expertise of members of the product group, who consulted in planning, design, implementation, and configuration. Additional stakeholders included the corporate security group, which is responsible for the security of the Microsoft worldwide network and company assets. The corporate security group evaluated the security aspects of Groove 2007 within the Microsoft IT environment with respect to corporate security standards and policies.
Microsoft IT already had designated personnel and processes in place for deploying new hardware at the data center in Tukwila, Washington, where the servers reside. Therefore, additional personnel were not needed to deploy the servers.
Prior to the acquisition of Groove Networks and the subsequent internal deployment of Groove Server 2007 and the Groove 2007 client, some users at Microsoft were already using Groove 3.1 for dynamic team collaboration. However, the users, who were supported in a hosted Groove 3.1 environment (provided by Groove.Net services), were unmanaged. That is, they did not have managed identities, nor were policies enforced to manage and control Groove usage within the company.
To satisfy immediate and strong business demand for Groove within Microsoft, the first step for the project team was to create a management domain in the hosted Groove.Net services environment. Then, the project team established appropriate identity-based usage, device-based installation, and security policies from which to provision new and existing users. The project team also set up a registration portal. Users who did not have Groove and who required it could request a Groove user account and receive installation instructions.
Implementation of an on-site server infrastructure typically takes three to six months. Therefore, this approach enabled employees to obtain and use Groove in a managed environment without any delay while the project team worked to plan, design, and build the on-site server infrastructure. After the on-site infrastructure was in place, the project team migrated users from the hosted environment to it.
By using the hosted environment as a precursor to an on-site deployment, Microsoft IT enabled individuals and teams to use Groove and stay productive, while at the same time enabling the project team to work toward implementing the on-site server infrastructure. Microsoft IT used this deployment strategy to migrate Groove 3.1 users from a hosted environment to an on-site infrastructure based on the Groove 3.1 platform. This deployment model also applies to enterprise deployments of Groove 2007. To enable the business to gain immediate benefit from the highly collaborative environment that Groove provides, users can be hosted in Groove Enterprise Services, and then later migrated to an on-site infrastructure based on Groove Server 2007. Figure 4 summarizes this deployment model and the stages in the deployment of an on-site infrastructure.
Figure 4. The deployment model and deployment stages
The following sections provide an overview of some of the main tasks that composed each stage in the deployment of the on-site server infrastructure.
Requirements Analysis and Planning
The primary goal that Microsoft IT identified for the project was straightforward—build an on-site server infrastructure based on Groove Server 2007 Manager and Groove Server 2007 Relay that can support 60,000 Groove users across the enterprise. The infrastructure had to employ an open usage model so that it would service Groove users from the corporate intranet and from the Internet.
The project team began its work with extensive planning and careful consideration of business requirements, technical requirements, and product capabilities. The team defined project goals, outlined the project scope, devised a communication plan, and set the timeline to ensure that the deployment would satisfy business requirements. Core objectives of this stage were also to formulate network, capacity, and security planning aspects of the infrastructure.
A variety of administrative, technical, and environmental factors contribute to the design of a Groove infrastructure. Where and how Groove Server 2007 Manager servers and Groove Server 2007 Relay servers are positioned within a network environment depends largely on capacity, performance, and security requirements. The project team therefore thoroughly assessed operational, network, and configuration requirements of Groove 2007, and the network topology of the Microsoft IT environment. Elements of the existing network topology that the project team examined included the location of the perimeter network (also known as DMZ, demilitarized zone, and screened subnet), firewalls and proxies, Domain Name System (DNS) implementation, site links, and communication routes.
Core objectives of this stage were to determine the required number and types of servers, map out the location of the servers in the enterprise network topology, and determine how the servers would integrate with existing enterprise systems. Additionally, the project team had to make certain key high-level design decisions early in the design phase. Table 1 lists these design decision points and shows what the project team decided on for the Microsoft IT deployment.
Table 1. Key High-Level Design Decision Points
| Key high-level design decision points | Microsoft IT deployment design decisions |
|---|---|
| Size of the projected user base | Phase 1: 6,000 users; Phase 2: 12,000 users; Phase 3: 60,000 users (system capacity goal) |
| Locate servers in a single data center or in multiple data centers | Single data center |
| Implement relay server redundancy for high availability and reliability | |
| Implement the Directory Integration feature | Yes; integrate with Active Directory |
| Implement the Auto-Account Configuration feature | |
| Use the native Groove PKI or use an external enterprise PKI for user authentication | |
The pre-installation phase contained the work that was required to prepare for the server installations. Typical activities included determining hardware requirements and specifications, ordering and procuring hardware, creating work orders for server installations, and preparing the operating system images.
On-site staff at the Tukwila data center set up and installed all server hardware and software, and they configured network protocols and ports. The project team provided installation worksheets to facilitate this process. These worksheets outlined the operating system parameters and Groove configuration options for each server component of the infrastructure.
Post-installation, Configuration, and Test
After the server infrastructure was in place, the project team performed a comprehensive series of verification procedures to confirm that all components were fully operational. These tests involved making sure that all components were implemented and configured correctly and could communicate. For example, the project team verified that firewalls and proxies were configured correctly to accommodate the multiple protocols and ports that Groove uses.
After the project team confirmed the readiness of the infrastructure, it created and configured a Groove management domain from which to centrally manage and monitor Groove usage, with respect to business and security requirements.
Microsoft IT Groove Environments
Microsoft IT is committed to working with pre-release versions of Microsoft products as fully deployed enterprise solutions before the products are released to customers. This practice helps to ensure that products scale to meet the business challenges of other enterprises. To accomplish this, Microsoft IT uses its own global enterprise infrastructure as a model for deployment from which to guide customer deployments.
As outlined in the deployment plan, Microsoft IT initially implemented the on-site server infrastructure in the production environment on the Groove 3.1 platform, which was to be later upgraded to Groove Server 2007. Before upgrading the production environment, Microsoft IT set up a separate pre-release environment in parallel with it. Built on the Groove Server 2007 infrastructure and with a capacity to support 6,000 users, the pre-release environment served the product group members who used Groove 2007 on a daily basis. In alignment with Microsoft IT's commitment to dogfooding, each milestone release of Groove Server 2007 and the Groove 2007 client (from pre-release versions to the RTM version) was first deployed in the pre-release environment. Microsoft IT and the product group used this staging ground to identify and resolve any potential issues before deploying the products enterprise wide in the production environment.
In total, 30 servers were deployed across the enterprise production environment and the pre-release environment.
Note: Although the pre-release environment is mentioned briefly in this section and at other points in this discussion, the focus of this paper is to share Microsoft IT's early-adopter experiences in the deployment of Groove 2007 in the enterprise production environment, with an emphasis on the on-site server infrastructure.
The number and the configuration of servers deployed in a server infrastructure depend on a number of factors, such as projected user base and service level requirements. The Microsoft IT deployment of the Groove infrastructure can be summarized into three main phases. The defining characteristic of each phase was the total system capacity for the number of users supported. A limiting factor for total system capacity was the number of relay servers implemented at each phase, and in the case of Phase 1 and Phase 2, the software version of the relay servers. Table 2 provides an overview of the Groove Manager server components and the Groove Relay server components implemented at each phase and the total system capacity of each phase.
Table 2. Phases in the Microsoft IT Deployment of Groove
| Phase 1: Groove 3.1 Initial Deployment | Phase 2: Groove 3.1 System Expansion | Phase 3: Groove 2007 Beta 2, Beta 2 Technical Refresh, and RTM |
|---|---|---|
| Two load-balanced front-end Web servers (extranet); one front-end Web server (intranet); one Microsoft SQL Server 2000 back-end server (capacity for up to 30,000 users) | Two load-balanced front-end Web servers (extranet); two load-balanced front-end Web servers (intranet); one SQL Server 2000 back-end server (capacity for up to 60,000 users) | Two load-balanced front-end Web servers (extranet); two load-balanced front-end Web servers (intranet); one Microsoft SQL Server 2005 back-end server (capacity for 60,000 or more users) |
| Two redundant relay servers (capacity for up to 6,000 users) | Four redundant relay servers (capacity for up to 12,000 users) | 10 redundant relay servers (capacity for 60,000 or more users) |
| Total capacity: 6,000 users | Total capacity: 12,000 users | Total capacity: 60,000+ users |
On the Groove 3.1 platform, one relay server (or two redundant relay servers in a relay server set) can typically support 6,000 users. Therefore, although the Groove Manager system could support up to 30,000 users in Phase 1 and up to 60,000 users in Phase 2, the total system capacity of Phase 1 and Phase 2 was 6,000 and 12,000 users, respectively, because of capacity constraints of the relay servers.
Since the acquisition of Groove, a priority of the product group was to improve the performance capabilities of Groove server components to provide better support for large-scale enterprise environments. Groove Server 2007 is optimized for 64-bit architectures only. In particular, Groove Server 2007 Relay offers significant enhancements in scalability and performance.
On the Groove Server 2007 platform, one relay server (or two redundant relay servers in a relay server set) can support 12,000 to 18,000 users. In the Microsoft IT deployment, the capacity of existing relay servers more than doubled after the installation of Groove Server 2007 Relay on the same hardware. These performance enhancements, coupled with the planned addition of more relay servers, helped Microsoft IT to achieve and surpass the total system capacity goal of 60,000 users. In addition to upgrading the front-end servers to Groove Server 2007 Manager, other contributing factors included upgrading the back-end server to SQL Server 2005 and expected performance gains attributed to the 64-bit computing environment.
Fully deployed, the Groove 2007 infrastructure at Microsoft consists of 22 servers and has a total system capacity to support more than 60,000 Groove users in the enterprise. As mentioned earlier in Table 2, the main components of the infrastructure are Groove Server 2007 Manager, which comprises four front-end Web servers and one back-end database server, and Groove Server 2007 Relay, which comprises 10 relay servers.
Additional components of the infrastructure that Microsoft IT deployed include a Groove Server 2007 Manager audit system, which comprises three front-end Web servers and three back-end database servers, and one server that is running Groove Server 2007 Data Bridge. Figure 5 shows the architecture of the main components in the Groove 2007 infrastructure at Microsoft.
Note: For the purposes of this discussion and for the remainder of this paper, the term "Groove Manager" will be used to collectively refer to the servers that compose the Groove Server 2007 Manager component. Additionally, the term "Groove Relay" will be used to collectively refer to the servers that run Groove Server 2007 Relay when the context is the architecture of the on-site infrastructure.
Figure 5. Architecture of the main components in the Groove 2007 infrastructure at Microsoft
Because it is essentially a Web site, Groove Manager requires one or more front-end Web servers that are running Groove Server 2007 Manager and Internet Information Services (IIS) version 6.0, and a back-end SQL Server database server.
Groove Manager stores data, such as user account backups and device information, in a back-end SQL Server database. To accommodate the total system capacity goal, the project team considered disk space requirements of the SQL Server computer. They planned for 6 MB of disk space storage per Groove user.
Front-end Web servers do not contain data. Front-end Web servers perform user management, administration, directory integration, and account configuration functions in addition to communicating relay server assignments to relay servers (relay advice). In a standard installation with the recommended hardware configuration, one front-end Web server that functions in a universal role typically supports 23,000 to 35,000 users.
In the Microsoft IT deployment, the project team implemented two pairs of redundant front-end Web servers. The project team appointed different Groove Manager functional roles to each pair of servers; these roles served to optimize performance and respect certain network topological constraints. More specifically, the project team segregated the administrative and client-facing functions of Groove Manager. To accomplish this, the project team installed the administrative portion of the Groove Manager Web site on one pair of servers and installed the portion of the Web site that is accessed by Groove clients on the other pair of servers.
The architecture of Groove Manager in the Groove infrastructure at Microsoft is as follows:
Two load-balanced front-end Web servers located in the extranet. This pair of servers is dedicated to user management activities such as day-to-day interactions with Groove clients.
Two load-balanced front-end Web servers located in the intranet. This pair of servers is dedicated to performing administration, automatic account configuration, Active Directory synchronization, and relay advice functions.
One SQL Server back-end database server located in the extranet that the four front-end Web servers share.
Figure 6 shows the architecture of Groove Manager at Microsoft.
Figure 6. Architecture of Groove Manager in the Microsoft IT deployment
This role-based approach not only enhanced performance by distributing the server load, but also provided flexibility for positioning the servers within appropriate zones of the network topology to comply with security and operational requirements. For example, Groove Manager servers that synchronize user account information with Active Directory were placed on the corporate network, and Groove Manager servers that respond to SOAP requests from Groove clients were placed in the extranet. Table 3 shows the hardware and software configuration of servers in the Microsoft IT implementation of Groove Manager.
Table 3. Hardware and Software Configuration of Servers in the Microsoft IT Implementation of Groove Manager
| Server | Hardware | Software |
|---|---|---|
| Front-end Web servers | Dual Intel EM64T or dual AMD64 2.2-gigahertz (GHz) processor; 4 gigabytes (GB) of RAM; 72-GB hard disk drive | Groove Server 2007 Manager; Microsoft Windows Server® 2003 with Service Pack 1 (SP1), Enterprise x64 Edition; Microsoft ASP.NET version 2.050727 or later; Simple Mail Transfer Protocol (SMTP) service; World Wide Web Publishing service with Active Server Pages (ASP) support |
| Back-end database server | Quad Intel EM64T or dual AMD64 2.2-GHz processor; 8 GB of RAM; 1.2 terabytes (data), 675-GB (TLog) hard disk drive | Windows Server 2003 with SP1, Enterprise x64 Edition; Microsoft SQL Server 2005 Standard x64 Edition |
During planning and design for Groove Relay, the project team had to consider the number of relay servers required to meet the total system capacity goal and whether to implement redundant relay servers. As mentioned earlier, one relay server typically supports 12,000 to 18,000 users. This capacity range was derived from the following assumptions:
A relay server in a steady state supports a maximum of 33,000 concurrent, operational connections.
Each provisioned user may consume three to five connections.
At any time, up to 60 percent of provisioned users are expected to be online.
To satisfy service level requirements, the project team implemented redundant relay servers. The project team decided to use two redundant relay servers in a relay server set. The baseline margin of 12,000 users per single relay server is equivalent to 6,000 users per redundant relay server in a set of two relay servers. Therefore, the project team deployed 10 redundant relay servers. This implementation met the total system capacity goal of 60,000 users and also allowed for an upper limit of support for 90,000 users without the need to deploy additional hardware. Table 4 shows the nominal and maximum provisioned users for Groove Relay.
Table 4. Nominal and Maximum Provisioned Users for Groove Relay
|Single relay server||Redundant relay servers (two servers per set)|
Maximum provisioned users
Relay A: 9,000
Relay A: 9,000
Nominal provisioned users
Relay B: 6,000
Relay B: 6,000
Built-in application logic within the Groove client enables it to detect the fault-tolerance and failover status of relay servers that it is provisioned to. Each Groove client is assigned to a primary relay server and a secondary relay server in a relay server set. If the primary relay server is not available, the Groove client automatically uses a connection to the secondary relay server.
To distribute the load between redundant relay servers in a relay server set, the project team employed a cross-provisioning approach. The team provisioned Groove clients to the same relay server set, but the team assigned the clients to different primary relay servers in the set. For example, the team provisioned half of the Groove user base to one relay server as the primary, and it provisioned the other half of the Groove user base to the other relay server as the primary. This strategy ensured that both relay servers in a relay server set are used and provide services to Groove clients. In the event of a failover, one relay server in the relay server set assumes the entire load.
Figure 7 shows how Groove clients are cross-provisioned in a relay server set with redundant relay servers.
Figure 7. Cross-provisioning in a relay server set with redundant relay servers
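The planning assumptions and the cross-provisioning scheme described above can be combined into a quick headroom check for the failover case, in which one relay carries every online user of its set. This is an added example, not part of the original paper or of Microsoft IT's tooling; the function name `Get-RelaySetPlan` and its parameters are hypothetical, and the only figures used are the ones the paper quotes.

```powershell
# Added example (not from the paper). Planning figures are the ones quoted above.
$RelayConnectionCeiling = 33000   # steady-state concurrent connections per relay server
$OnlinePercent          = 60      # share of provisioned users expected online at once

function Get-RelaySetPlan {
    param(
        [Parameter(Mandatory)] [int]$RelayServers,        # total relays, deployed in sets of two
        [Parameter(Mandatory)] [int]$UsersPerSet,         # 12000 nominal or 18000 maximum
        [Parameter(Mandatory)] [int]$ConnectionsPerUser   # the paper assumes three to five
    )
    if ($RelayServers % 2 -ne 0) {
        throw 'Redundant relay servers are deployed in sets of two.'
    }
    $sets        = $RelayServers / 2
    $onlineUsers = [int]($UsersPerSet * $OnlinePercent / 100)

    # Cross-provisioning: each relay is the primary for half of the set's users.
    $normalPerRelay = [int]($onlineUsers / 2) * $ConnectionsPerUser
    # Failover: the surviving relay carries every online user in the set.
    $failoverLoad   = $onlineUsers * $ConnectionsPerUser

    [pscustomobject]@{
        ProvisionedUsers          = $sets * $UsersPerSet
        UsersPerSet               = $UsersPerSet
        ConnectionsPerUser        = $ConnectionsPerUser
        NormalConnectionsPerRelay = $normalPerRelay
        FailoverConnections       = $failoverLoad
        FailoverHeadroom          = $RelayConnectionCeiling - $failoverLoad
        WithinCeiling             = ($failoverLoad -le $RelayConnectionCeiling)
    }
}

# Ten relay servers (five sets), at nominal and at maximum provisioning,
# across the paper's range of connections per user.
$plan = foreach ($usersPerSet in 12000, 18000) {
    foreach ($connections in 3..5) {
        Get-RelaySetPlan -RelayServers 10 -UsersPerSet $usersPerSet -ConnectionsPerUser $connections
    }
}
$plan | Format-Table -AutoSize
```

A row where `WithinCeiling` is false marks a combination in which a failover would push the surviving relay past the 33,000-connection planning figure.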
As is typical of an open usage model, the relay servers were placed in the extranet, with network ports and protocols configured appropriately to comply with security and operational requirements. This framework provides mobility to the Groove client. Groove users can fluidly and reliably communicate from within the corporate intranet and from the Internet, without the need for a VPN connection. Table 5 shows the hardware and software configuration of servers in the Microsoft IT implementation of Groove Relay.
Table 5. Hardware and Software Configuration of Servers in the Microsoft IT Implementation of Groove Relay
| Hardware | Software |
|---|---|
| Dual Intel EM64T or dual AMD64 2.2-GHz processor; 8 GB of RAM; 650-GB (data) hard disk drive | Groove Server 2007 Relay; Windows Server 2003 with SP1, Enterprise x64 Edition |
The relatively simple design of Groove Relay enables a flexible, scalable implementation that provides high availability and enhanced performance. Because there is no single point of failure, deploying redundant relay servers provides uninterrupted, efficient data transmission services to Groove clients.
Groove Domain Considerations
Although multiple Groove management domains are possible, the project team decided to create one Groove domain in Groove Server 2007 Manager from which to perform all administrative tasks. To automate the addition of users to the domain, the project team configured Groove Manager to import user account attributes from Active Directory. Other existing systems that Groove Manager depends on are the enterprise PKI system based on Windows Server 2003 Certificate Services (which Microsoft IT had implemented some years earlier), and smart mail hosts for mail routing.
The Directory Integration feature in Groove Server 2007 Manager enables administrators to import and synchronize user account attributes from any one of the following LDAP-compliant directories to a Groove domain:
Lotus Domino R5 or later
After specifying a directory server in Groove Manager, administrators can manually import user information to the Groove domain or set up integration points to automate the process. Integration points, which are specific locations in the directory server hierarchy from which user information is integrated, provide the ability to re-create the organizational unit (OU) container structure of the directory server in the Groove domain as folders.
In the Microsoft IT deployment, the project team set up 14 integration points to specific OUs in Active Directory from which to import and synchronize user information. To customize the default mapping schema in Groove Manager to apply to the Microsoft IT environment, the project team included the following additional Active Directory user account attributes for import:
The project team scheduled synchronization to occur two times a day. Every 12 hours, more than 130,000 user objects from 11 Active Directory servers in five of the six Active Directory forests that Microsoft IT manages are synchronized to the Groove domain.
Each user who is added to a Groove domain in Groove Manager is assigned a unique 25-character account configuration code, automatically placed in the "pending" domain group with a "pending" status, and assigned to a temporary relay server set. After a user activates his or her Groove user account through the account configuration process and becomes a member of the domain, the status of the user changes to "active." The user is then manually moved to the appropriate "active" domain group, which automatically provisions the user to the respective permanent relay server set. In the Microsoft IT deployment, the project team created domain groups in Groove Manager that corresponded to Active Directory domains in which to allocate active users.
Auto-Account Configuration and Account Restoration
A managed identity must be established for a user before that user becomes a member of the domain. As members of the domain, users are subject to its usage and security policies and are provisioned to relay server sets. A managed identity is associated with the account configuration code that is assigned to each user. When a user installs and then starts the Groove 2007 client for the first time, the account configuration code must be applied to the Groove 2007 client on the user's computer, either manually by the user or automatically through the Auto-Account Configuration feature. During automatic account configuration, Groove Manager authenticates the user, and then uses the member's identity information to either configure the user's new managed identity or (in the case of an existing Groove user) automatically restore the user account.
Initial Deployment on the Groove 3.1 Platform
In the initial Microsoft IT deployment on the Groove 3.1 platform, the project team did not enable the Auto-Activation feature to automate the account configuration process. The project team distributed account configuration codes to users by e-mail; users were then prompted to enter the configuration code in the Groove client the first time they started it.
Additionally, account restoration was a manual process on the Groove 3.1 platform. In scenarios where users had to restore a user account that was already activated, users received an e-mail message that contained a copy of their backed-up user account. Users then had to work through steps in a wizard in the Groove client to manually restore the user account.
Because employees at Microsoft were not accustomed to either of these processes, the requirement to enter a configuration code to activate a Groove user account and the manual account restoration procedure were a source of user confusion and calls to the internal Helpdesk.
Note: The Auto-Account Configuration feature in Groove Server 2007 Manager supersedes the earlier Auto-Activation feature in Groove 3.1. However, Groove Server 2007 Manager still supports the Auto-Activation feature in environments that include the Groove 3.1 client and earlier versions.
Deployment on the Groove Server 2007 Platform
When the on-site infrastructure was upgraded to the Groove Server 2007 platform, the project team implemented the Auto-Account Configuration feature to automate both account configuration and account restoration. Auto-Account Configuration eliminates the need for users to manually enter an account configuration code the first time they start the Groove 2007 client and eliminates the need for users to use a wizard to manually restore a previously activated user account. Additionally, Auto-Account Configuration makes it easy for users to configure their Groove user account for use on multiple computers.
The mechanism for Auto-Account Configuration proceeds as follows. Upon startup, the Groove 2007 client contacts the Groove Manager server based on a registry entry that was deployed to each user's computer through a Group Policy object (GPO). Groove Manager then compares the user's authenticated Windows domain logon information with the user account attributes imported from Active Directory. If this information corresponds, the Groove user account is automatically configured, or the backed-up user account in Groove Manager is automatically restored to the user's computer.
In addition to integration with Active Directory, the Auto-Account Configuration feature requires that Integrated Windows authentication and Secure Sockets Layer (SSL) be enabled on the front-end Web server.
Implementation of the Auto-Account Configuration feature enabled the project team to improve the user experience significantly at Microsoft. As a result, calls to the internal Helpdesk decreased.
Groove relies on PKI certificates for user authentication, either through the native Groove PKI implementation or through an external enterprise PKI. With the application-specific Groove PKI, Groove Manager automatically signs the Groove identities of managed users. In this context, the Groove domain acts as the certification authority (CA). Alternatively, with an enterprise PKI, personal certificates that the enterprise CA has already issued to users are used to sign the users' Groove identities at the time when the user account is first configured on the client.
Administrators must specify the method by which identities are signed and authenticated during creation and configuration of a Groove domain. Because Microsoft IT had its own internal enterprise PKI infrastructure already in place, the project team opted to use it.
User Uncertainty When Prompted to Select a Certificate
The early deployment of Groove 2007 at Microsoft helped to highlight an area for future product improvements in the certificate selection process specific to using an enterprise PKI.
When a domain is configured to use an enterprise PKI for user authentication, users must select a personal certificate during the account configuration process. When a user starts the Groove client for the first time, a dialog box appears that prompts the user to choose the personal certificate that he or she wants from a list of available certificates. Administrators can set an identity policy setting to control which certificates are available to users for selection in the Groove domain. This policy setting helps minimize potential user uncertainty by limiting the certificate choices to those that specific CAs issue.
In the Microsoft IT environment, employees typically have more than one personal certificate issued to them from the same enterprise CA. Therefore, more than one certificate was listed in the dialog box that appeared when users started the Groove client for the first time. Because employees at Microsoft were not familiar with having to select a certificate, this procedure sometimes confused them.
In some cases, employees inadvertently selected the certificate that was issued for smart card logon to the Windows domain. As a result, each subsequent time the user started the Groove client, the user was prompted to type a smart card personal identification number (PIN). This scenario initiated calls to the internal Helpdesk, which stepped users through how to resolve the issue by resetting the certificate in the Groove client.
As a direct result of user and IT feedback from the early deployment at Microsoft, the product group is working toward a solution to help make the certificate selection process more seamless for users when an enterprise PKI is used for user authentication.
Process Enhancement for Using the Groove Client on a Computer That Is Not a Member of the Windows Domain
During the early phases of the internal deployment, Microsoft IT discovered a process-related issue that was unique to using an enterprise PKI.
Employees at Microsoft often work from multiple computers, such as a laptop at the office and a desktop computer at the home office. The decentralized architecture of the Groove client enables users to easily access workspace data wherever and whenever they need it, even on multiple computers. After an employee adds his or her Groove user account to the other computer, all workspaces that are associated with the user account are automatically synchronized to that computer.
Each computer at Microsoft that is a member of a Windows domain in the Microsoft IT-managed environment has a copy of the trusted root CA certificate, which is located in the Trusted Root Certification Authorities store. Computers that are not members of the Windows domain or that have not previously established a remote access connection to the corporate network do not have a copy of the trusted root CA certificate. Therefore, users who had a managed identity in the Groove domain could not use their Groove user account on a Groove client from a home computer because the home computer was missing a copy of the trusted root CA certificate.
The project team developed a process enhancement that satisfied the requirements of the Groove 2007 client when an enterprise PKI is used for user authentication. The solution was to use the Office Customization Tool to customize the installation of Office Enterprise 2007. The project team incorporated the trusted root CA certificate directly into the installation package for the Groove 2007 client. In this way, when a user installs the Groove 2007 client (as part of Office Enterprise 2007), the trusted root CA certificate is also installed on the computer.
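One way to confirm this dependency on a given computer, as an added PowerShell example that is not part of the white paper or the Groove product: it looks for the enterprise root CA in the Trusted Root Certification Authorities stores and builds the chain for each certificate in the user's Personal store. The function names, the placeholder thumbprint, and the assumption that the certificate selected for Groove is in the current user's Personal store are assumptions of this example.

```powershell
# Added example (not from the white paper): check whether this computer trusts
# the enterprise root CA and whether user certificates chain to a trusted root.
# The thumbprint shown at the bottom is a placeholder.

function Test-RootCaInstalled {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $RootThumbprint
    )

    # Thumbprints copied from the certificate dialog contain spaces; the Cert:
    # drive exposes them as 40 upper-case hex characters (SHA-1).
    $wanted = ($RootThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($wanted -notmatch '^[0-9A-F]{40}$') {
        throw "Expected a 40-character SHA-1 thumbprint, got '$RootThumbprint'."
    }

    # The root can be trusted machine-wide or only for the current user.
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $hit = Get-ChildItem -Path "Cert:\$location\Root" |
            Where-Object { $_.Thumbprint -eq $wanted } |
            Select-Object -First 1
        if ($hit) {
            return [pscustomobject]@{
                Installed = $true
                Store     = "$location\Root"
                Subject   = $hit.Subject
                Expired   = ($hit.NotAfter -lt (Get-Date))
            }
        }
    }
    [pscustomobject]@{ Installed = $false; Store = $null; Subject = $null; Expired = $null }
}

function Test-CertificateChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A computer off the corporate network may not reach the CA's revocation
    # list, so this check tests trust in the root only.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $trusted = $chain.Build($Certificate)
    $flags   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    $top = $null
    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    # UntrustedRoot: the chain ends at a root that is not in a Root store.
    # PartialChain:  an issuer certificate could not be found at all.
    # Either one is what a computer without the enterprise root CA reports.
    $missingRoot = [bool]($flags | Where-Object { $_ -in 'UntrustedRoot', 'PartialChain' })

    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Trusted     = $trusted
        TopOfChain  = $top
        Status      = $flags
        MissingRoot = $missingRoot
    }
}

# Report on every certificate in the current user's Personal store.
Get-ChildItem -Path Cert:\CurrentUser\My |
    ForEach-Object { Test-CertificateChain -Certificate $_ } |
    Format-Table Subject, Trusted, MissingRoot, TopOfChain -AutoSize

# Replace the placeholder with the enterprise root CA's thumbprint, then run:
# Test-RootCaInstalled -RootThumbprint '<ENTERPRISE-ROOT-CA-THUMBPRINT>'
```

On a computer that received the root certificate through the customized installation package, the user certificate reports Trusted as True; on one that did not, MissingRoot is True.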
Groove Manager uses the IIS 6.0 SMTP virtual server to send mail. The three main types of mail that Groove Manager sends are:
Account configuration e-mail. E-mail sent to users to establish their managed identities in the domain. Each e-mail contains the user's account configuration code that must be entered in the Groove client.
Account restoration e-mail. E-mail sent to users when they need to restore their user account. A copy of the user's backed-up account is attached to the e-mail.
Password reset e-mail. E-mail sent to users when they need to reset their Groove password.
Note: If the domain is configured to use the Auto-Account Configuration feature, account configuration and account restoration occur automatically. Therefore, Groove Manager does not send account configuration e-mail or account restoration e-mail to users.
Groove Manager behaves much like an SMTP mail client in that it only sends mail and does not receive mail. In the Microsoft IT deployment, the project team configured each pair of load-balanced front-end Web servers to forward mail to a smart mail host for routing and delivery.
When the initial on-site infrastructure was in place, the project team migrated users from the domain in the hosted Groove.Net services environment to a new domain in the on-site Groove 3.1 environment. In Groove 3.1, migration was a manual process.
To perform a manual migration, the project team had to first establish all Active Directory integration points for the corporate forest and synchronize all users to the Groove domain. After that, the project team sent e-mail messages that contained account configuration codes to users. The next time that users started Groove, they had to enter their new account configuration code to migrate their user accounts for membership into the new destination domain.
Groove Server 2007 Manager includes a new feature that automates the migration process. Auto-Migration enables administrators to automatically migrate active users from one Groove 2007 domain to another Groove 2007 domain on the same or a different server by simply providing the name of the destination server. To use Auto-Migration, an administrator must set up the destination domain to integrate with Active Directory and to use the Auto-Account Configuration feature.
In short, the Auto-Migration process proceeds as follows. After user account information from a directory server is imported to the destination domain, the administrator uses Groove Manager on the source domain to mark the users to be migrated. The next time a user starts the Groove 2007 client, his or her managed identity is moved from the source domain to the destination domain, and his or her user account is automatically migrated. The status of the users changes from "pending migration" to "migrated," and they emerge as active members with managed identities in the destination domain.
The option to manually migrate users is also available in Groove Server 2007 Manager. However, Auto-Migration streamlines the process considerably for both administrators and users. Auto-Migration eliminates the administrative overhead involved in manual migration and the need for users to enter account configuration codes.
User Account Backups
A Groove user account consists of identity information, security keys, a list of contacts, a list of workspaces that the user is a member of, and domain management settings. User accounts do not contain workspace data. With the decentralized nature of the Groove client, all workspace content is stored locally on each workspace member's computer.
An identity policy setting in Groove Manager enables automatic backup of user accounts at scheduled intervals. In the Microsoft IT deployment, the project team scheduled automatic backups of user accounts to occur every four days. If a user account is lost or damaged, the backed-up user account is available for restoration. For example, a user may need to restore a Groove user account after acquiring a new computer or rebuilding an existing computer. Restoring a user account gives a user the list of workspaces he or she belongs to. The user can then easily retrieve workspace data directly from other workspace members.
Groove user accounts are backed up to Groove Manager only if the user is logged on to the Groove client. User account backups have a 60-day expiration period. That is, if a user has not logged on to the Groove client for 60 days, the copy of the backed-up account on the server expires and cannot be used to restore a user's account. In this scenario, a new user account must be created before the user can use the Groove client again.
Account backup expiration became the most common source of calls to the internal Helpdesk from Microsoft employees in the early phases of the Microsoft IT deployment. Many employees initially installed the Groove client to learn it and then did not use it again for a period of time. Or, employees used the Groove client for the duration of a specific project and then did not log on again until it was time to start their next project. If more than 60 days had passed since the previous account backup, employees could not log on to the Groove client because their user account backup had expired. Users had to call the internal Helpdesk to request a new user account. After activating the new user account, users had to be re-invited to all workspaces that they were members of.
Microsoft IT educated and reminded users to log on to the Groove client more frequently (at least once a month) to avoid the issue of account backup expiration. As a direct result of these early-adopter experiences, the product group is planning a feature change to address this issue.
Groove Server 2007 Data Bridge offers an optional workspace archiving feature in which archiving can be scheduled for all workspaces of which the server-based identity is a member. In the Microsoft IT deployment, the project team deployed one Groove Server 2007 Data Bridge server to demonstrate workspace archiving functionality. This functionality was deployed in the enterprise production environment for testing purposes only and is not available as a general service offering to internal users.
Instead of using Groove Server 2007 Data Bridge to archive workspaces to a central location and then restore archived workspaces, users at Microsoft who require a copy of a workspace can use the workspace list in the Groove 2007 client to retrieve workspace data directly from other workspace members.
The optional auditing feature of Groove Server 2007 Manager can be used to log specific Groove client activities to a SQL Server database. Groove auditing is a resource-intensive process. Because it can substantially affect system resources such as bandwidth usage and hard disk space, administrators must use discretion when configuring policies that enable and control auditing.
At Microsoft, the project team deployed server infrastructure to support auditing capabilities. However, as of this writing, auditing is implemented only on a limited, case-by-case basis within the Microsoft IT environment. Microsoft IT is working on defining processes that characterize how collected data is retained, queried, and analyzed before deciding to implement auditing to a wider user base.
The Groove security architecture enhances collaboration by helping to ensure secure data storage and communications. As mentioned earlier, Groove 2007 employs a strong authentication model that uses public key technology to bind users to identities and to map actions within a Groove workspace to identities. Built-in, end-to-end encryption helps ensure the integrity and confidentiality of workspace data, whether it is stored locally on a workspace member's computer, transmitted over the network, or temporarily stored on a relay server. These security features are automatic, always on, and transparent to users.
Groove Manager enables administrators to set identity and device policies from which to centrally manage and control Groove usage in the domain. At the workspace level, user-driven access control determines the actions that members can perform in a workspace based on roles. The roles are Manager, Participant, and Guest. By default, the creator of a workspace is assigned to a Manager role, and users who are invited to a workspace are assigned to a Participant role. Workspace managers have the ability to change the permissions of other workspace members by assigning them to different roles.
At Microsoft, the corporate security group conducted a thorough evaluation of the security aspects of Groove within the Microsoft IT environment to ensure that the internal deployment would meet the necessary security requirements. This was the first deployment of Groove in the Microsoft IT enterprise production environment. Therefore, even though Groove was a recent Microsoft acquisition, the corporate security group approached the initial security design review, risk analysis, and other security measures in the same manner as it would for a third-party software product. The group exercised due diligence in assessing the Groove implementation with respect to established corporate security standards and guidelines.
Microsoft IT technical and security requirements are among the most challenging in the world. Historically, applications that communicate in a peer-to-peer manner are typically not sanctioned within the Microsoft IT environment. The internal deployment of Groove included creating exceptions and revising certain security policies.
The earlier Groove 3.1 client and pre-release versions of the Groove 2007 client had been available for employees to download and install on an as-needed basis. With the availability of the RTM version of the 2007 Microsoft Office system, Microsoft IT is actively deploying the Groove 2007 client to all Microsoft employees as part of the worldwide deployment of Office Enterprise 2007.
Most employees at Microsoft download and install the software themselves from installation servers, a task that employees are familiar with. Microsoft IT also uses Microsoft Systems Management Server (SMS) to deploy the software to a small segment of users. As of this writing, the deployment of the RTM version is just underway. More than 78,000 computers used by more than 45,000 employees are running Office Enterprise 2007. Of these, more than 14,000 users have active Groove user accounts. Microsoft IT is planning an internal campaign to promote Groove 2007 to different business groups and units throughout the enterprise. Therefore, Microsoft IT anticipates that the rate of internal deployment and user acceptance will increase considerably in the near future.
To help ensure a smooth deployment, Microsoft IT dedicated a portion of the internal Microsoft IT Web site to providing employees with an easy-to-reference, single location for Groove resources. The Web site includes the following information:
Product information and system requirements.
Frequently asked questions (FAQ).
Links to installation locations.
Detailed installation and upgrade instructions for users who are running Groove 3.1 or a pre-release version of Groove 2007.
Support information and links to known issues.
Links to training and educational materials such as online demonstrations, tutorials, training sessions, and self-service user guides. These materials focus on educating users about Groove 2007, its collaboration features, and how to use them.
Links to internal Groove user communities.
Links to internal usage policies.
The support structure adopted for Groove is the standard Microsoft IT three-tier support model that was established for other Office applications. When a Microsoft employee experiences an issue with Groove, the support hierarchy is as follows.
Tier 1: Helpdesk Personnel
Tier 1 Helpdesk personnel provide the first level of response for all questions and issues related to Groove. Available 24 hours a day, seven days a week, this team offers basic product support and resolves known issues. If a Tier 1 Helpdesk support technician identifies that an issue requires escalation, the service request is escalated to the Tier 2 support team for further action.
Tier 2: ECS Technicians
The Tier 2 support team—the Enterprise Client Support team within MACS—receives service requests that are escalated from the Tier 1 support team and manages them through to resolution. The team, with members located in Redmond, Washington, and in Hyderabad, India, is collectively responsible for providing second-level support for messaging and collaboration issues. Of the 21 support technicians on the team, seven technicians are focused on supporting collaboration technologies and products, including Windows SharePoint Services and Office client applications such as Groove.
Available 24 hours a day, five days a week, the ECS technicians have two main roles. First, they validate issues and review troubleshooting procedures that the Tier 1 support team conducted. Second, they have administrative access to Groove Manager with responsibility to perform routine administrative tasks and resolve common user-related issues that require administrator access to the Groove domain.
If a Tier 2 support technician determines that the issue is a server-related issue that the team does not cover, the technician transfers the service request to the Global Technology Services/Monitoring team for further investigation. If the Tier 2 support technician determines that a Groove client issue cannot be resolved at the Tier 2 level and requires further analysis, the technician escalates the service request to the senior operations analyst (team lead) for follow-up.
Tier 3: ECS Senior Operations Analyst
The senior operations analyst on the ECS team assesses issues escalated from Tier 2 support technicians. This person has the responsibility to escalate issues to the product group for further examination with regard to possible product enhancements or feature functionality.
Training of Support Personnel
Prior to and throughout deployment, the Tier 2 support team underwent training. The training sessions involved learning the product itself in addition to learning how to troubleshoot potential issues that are unique to Tier 2-level support.
To fully engage support technicians, the senior operations analyst created a Groove workspace for the team. The workspace served a dual purpose. It facilitated the learning process, and it provided a collaborative environment from which to share and review certain Groove-related troubleshooting and support documentation as it was being developed.
To prepare Tier 1 Helpdesk support technicians, the Tier 2 support team held training sessions with Tier 1 Helpdesk subject matter experts (SMEs), who in turn provided training to the Tier 1 support team. Because the deployment involved a software version change from Groove 3.1 to Groove 2007, training sessions occurred at intervals throughout the deployment to ensure that the support knowledge of the team was up to date.
With the server infrastructure in place and the Groove 2007 client deployed, employees at Microsoft who activate their user account can use Groove 2007 to collaborate with others, anytime and anywhere. The Groove Manager and Groove Relay components of the server infrastructure provide services to Groove 2007 clients 24 hours a day, seven days a week.
The decentralized Groove 2007 client enables users to manage their own collaborative environments. Users create workspaces, add tools, and invite others without depending on assistance from IT.
Because workspaces are stored locally on each workspace member's computer, the project team did not have to deploy or maintain application servers for workspace storage. Additionally, because of the ephemeral nature of the data stored on relay servers, the project team decided that data backup of relay servers was not necessary. Other than routine maintenance of the servers that compose the infrastructure and provisioning users who have activated their user accounts to "active" domain groups, the amount of administration required from an operational perspective is minimal.
Using Groove 2007 at Microsoft
With the worldwide deployment of the Groove 2007 client actively in progress, employees at Microsoft have only just begun to explore and benefit from the integrated collaboration capabilities that Groove 2007 offers. This section discusses some user experiences and collaboration opportunities made possible by Groove 2007 thus far in the internal deployment.
Groove 2007 and Windows SharePoint Services 3.0
Web sites based on Windows SharePoint Services 3.0 are used extensively throughout Microsoft for information sharing and team collaboration. With the introduction of Groove into the enterprise production environment, employees at Microsoft had questions about the differences between Groove 2007 and Windows SharePoint Services 3.0. Some uncertainty arose as to which was the appropriate tool to use for specific individual and team collaboration needs.
Groove 2007 is the decentralized, rich client where teamwork happens. Best suited to small teams of 2 to 50 members, it is a collaborative environment geared toward time-bound, project-oriented work. Groove 2007 is ideal for ad hoc, dynamic teamwork in which team members can work easily from their computers and stay synchronized, even if team members work for different organizations, work remotely, or work offline. Unlike Windows SharePoint Services 3.0, Groove 2007 is not intended as a publishing system for broader sharing or as an environment for longer-term data storage.
Windows SharePoint Services 3.0 is a Web-based environment that has a scalable, searchable back end. The centralized system provides a collaborative environment where work is published, shared, searched, and integrated with structured business applications. This system requires that users have access to the corporate network. Windows SharePoint Services 3.0 is ideal for broader information sharing across a team or organization and for helping to manage business processes and workflow.
Although they can operate independently, using Groove 2007 and Windows SharePoint Services 3.0 in concert provides a highly complementary, integrated collaboration environment to help teams work better together. At Microsoft, core project teams can use Groove 2007 workspaces to dynamically collaborate and produce a defined deliverable, and then use the SharePoint Files tool to seamlessly publish that final work product to a Windows SharePoint Services site for broader sharing. These integration capabilities are especially valuable to the mobile workforce, such as sales and field service personnel. Groove 2007 integration with SharePoint document libraries supports the need for a user to work on SharePoint documents while offline or when corporate network access is not available. Changes to documents are automatically synchronized or published back to SharePoint document libraries when the user returns online.
The following are some early examples of how internal teams at Microsoft have used Groove 2007 to collaborate and enhance individual and team productivity. The first two examples are usage scenarios from the deployment itself.
Groove Deployment Workspace
The Groove deployment project team thoroughly documented configuration settings and certain operational procedures at each stage of the deployment process for both the production environment and the pre-release environment. The team also maintained a collection of document templates and other reference documentation. Project-related documents included design documentation such as detailed network topology diagrams, procedural information such as installation worksheets and specifications documents, reports for usage and performance analysis, and product-related materials such as Groove administration guides.
The majority of project team members worked in two different Microsoft office locations. Project team members from the MACS group worked in Redmond, Washington, and project team members from the product group worked in Beverly, Massachusetts. To ensure a successful deployment, all members of the project team needed to be synchronized and have easy access to the growing amount of project-related information. Team members wanted to review documents without having to perform multiple uploads or downloads.
The project team created a Groove workspace to bring all team members and all project information related to the deployment of the on-site infrastructure together in one place. The project team customized the workspace by adding a Files tool to manage the documents associated with each Groove environment for the duration of the project. Using a separate Files tool for the production environment and the pre-release environment enabled the project team to easily organize and share all deployment-related documentation with all team members.
Additional workspace customizations included a Discussion tool for posting messages and an Issues tool to track issues that arose during the deployment.
ECS Team Workspace
As mentioned earlier, the senior operations analyst on the ECS team created a Groove workspace to share Groove-related support and training documentation with members of the Tier 2 support team. Using the Files tool enabled team members to easily stay up to date on all Groove-specific support and troubleshooting documentation as it was being developed during the deployment.
For broader sharing and distribution, the senior operations analyst uses the SharePoint Files tool to synchronize documents in the workspace with a document library on the team's Windows SharePoint Services 3.0 site. The site contains support documentation of all products that the ECS team supports in addition to other team-specific resources, such as workflow-related information. After the senior operations analyst signs off on a support document that is under review in the workspace, that final work product is synchronized to the SharePoint document library for broad sharing with the entire ECS team. The senior operations analyst can also fine-tune a document offline, and then automatically synchronize the latest revision of the document to the SharePoint document library when online again.
The senior operations analyst, who often works from multiple computers, wanted to access content in the workspace from a home computer. To accomplish this, the senior operations analyst added his Groove user account to the home computer, which enabled a copy of the workspace to be synchronized on that computer. Therefore, when working from the home computer, the senior operations analyst can now review documents in the workspace without having to establish a VPN connection to the corporate network. In addition to helping to keep the support team up to date, automatic synchronization capabilities of Groove 2007 help to keep the workspace up to date across multiple computers of individual team members.
IW Analyst Relations Group Workspaces
The Information Worker (IW) Analyst Relations group at Microsoft serves as the strategic link to the industry analyst community for the broader Information Worker Group. The Information Worker Group at Microsoft develops and delivers technologies that improve personal, team, and organizational productivity for information workers in companies and organizations around the globe. The IW Analyst Relations group fosters relationships with industry analysts and provides opportunities for product managers and program managers at Microsoft to gather analyst and customer insight for use in product development and marketing processes.
To facilitate and coordinate ongoing work, members of the IW Analyst Relations group need to share documents with business contacts in the industry analyst community. To accomplish this, the group members previously relied mostly on e-mail. However, e-mail was an imperfect solution. File size restrictions made sharing large documents as attachments difficult. Keeping track of the various file versions that often resulted was time-consuming. Moreover, the lack of a shared context meant that e-mail threads frequently became fragmented, especially when additional members or business contacts had to be added to subsequent threads. An alternate method, which was also time-consuming, was to copy documents to a CD or DVD, and then mail the disc.
The deployment of Groove at Microsoft has enabled the IW Analyst Relations group to simplify collaboration. The group uses Groove workspaces to share documents across firewalls with key business contacts within the industry analyst community. As a result, members no longer have to be concerned with attaching, uploading, or copying new versions of documents, large or small. Using Groove 2007 has enhanced productivity by enabling the IW Analyst Relations group and key business contacts to spend less time coordinating with each other and more time doing business.
IW BSC Team Workspaces
The IW Business Strategy Consultant (BSC) team at Microsoft helps customers identify solutions that drive increased and quantifiable business value from existing Information Worker Group technology investments. The team focuses on establishing relationships with business decision makers in specific industries to develop a deep understanding of the business and to help discover opportunities that maximize business value.
Like many other groups at Microsoft, the team relied heavily on e-mail to share and communicate project-related content. Although e-mail has its strengths for particular work activities, as mentioned earlier, it has logistical drawbacks when used for collaborative team-based work activities. Team members found that they were spending too much time on basic document assembly and e-mail management. E-mail also lacks the security that is required in many business scenarios.
The IW BSC team created project-specific Groove workspaces to share content internally with team members and across network boundaries to customers. In addition to the Files tool, workspace customizations include the Meetings tool from which to organize and conduct team meetings, the Calendar tool from which to build collaborative schedules with other workspace members, and the Discussions tool for exchanging ideas in discussion threads. Not only have Groove workspaces eliminated the difficulty that the team experienced when sharing files in e-mail, but team members have also found discussion threads in Groove easier to follow than in e-mail. A common practice is to move conversations that were initially started in e-mail to Groove.
The IW BSC team members are highly mobile and work off-site at customer locations. Groove enables team members to stay productive when offline. Team members are able to retain full access to all project content and tools in the workspace when not connected to the corporate network. Additionally, team members no longer have to worry about downloading information prior to disconnecting from the corporate network and then uploading the latest versions of documents when online again.
The context-rich environment and cross-organizational collaboration capabilities of Groove have enabled the IW BSC team to streamline collaboration and enhance productivity by saving time, engaging customers more effectively, and extending project-related information across corporate boundaries more efficiently.
Lessons Learned and Best Practices
Lessons learned and best practices that the project team embraced when it planned, designed, and deployed Groove included the following.
Understand Groove Architecture and Collaboration Features Before Deployment
Because Groove is a new product offering, Microsoft IT needed to attain an understanding of its unique decentralized, hybrid architecture and collaboration features before planning, designing, deploying, and promoting it internally. Having a thorough understanding of the technology helps an organization to better envisage how Groove 2007 will enable dynamic team collaboration and increase business productivity in the enterprise. Doing so results in a more robust implementation and an enhanced user experience.
Train Support Personnel Early in the Deployment
To effectively manage support issues that arise, an organization must train support staff early in the deployment. As in most deployments, relatively higher volumes of support calls typically occur shortly after deployment. Support personnel must be prepared to handle a variety of issues.
At Microsoft, support personnel underwent training in preparation for the initial Microsoft IT deployment on the Groove 3.1 platform. Subsequent training sessions occurred at intervals throughout successive phases of deployment. As a result, support personnel were well prepared for the large-scale deployment of the Groove 2007 client to the enterprise production environment. The most common service requests that the internal Helpdesk and the ECS team have handled since the initial Microsoft IT deployment include account configuration, account backup expiration, and password reset issues.
Identify External Dependencies
As with any implementation that involves server infrastructure, an organization must identify and appropriately configure external dependencies to ensure a successful deployment. External factors that an organization should consider for integration with a Groove deployment include:
Server IP addresses and DNS names and registrations, which may involve split DNS name assignments.
Firewall and proxy rule settings to accommodate the protocols that Groove uses and the servers deployed in the extranet. Groove protocols include:
For more information about the specific protocols that Groove uses, see the Groove 2007 Planning and Deployment Guide. To obtain the guide, visit the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?familyid=1379161b-74cb-4f46-bf30-86074915dcb8&displaylang=en&tm
A Groove Manager authentication scheme for domain administration.
An LDAP-compliant directory for directory integration with Groove Manager (optional).
SSL certificates for helping to secure Groove domain administration and Auto-Account Configuration (optional).
An SMTP mail routing system.
Conduct a Security Review
An organization should clearly understand the objectives of the deployment and the planned use of Groove 2007 from a security perspective. At Microsoft, the project team worked with the corporate security group, which evaluated the Groove deployment within the Microsoft IT environment against corporate security requirements.
To ensure that all employees are aware of the internal security policies that apply to Groove usage at Microsoft, the project team posted links to the policies on the portion of the internal Microsoft IT Web site dedicated to Groove 2007. The corporate security group created these security policies to address user responsibilities such as the treatment of company information assets.
Implement Automation Features
An organization should implement automation features to minimize manual administrative tasks and reduce user intervention as much as possible.
If the network environment includes an LDAP-compliant directory, an organization should use the Directory Integration feature to import and synchronize a corporate directory of user information into Groove Manager. Enterprise users from the corporate directory are then automatically imported to domain groups, making them intended domain members.
Implementing the Directory Integration feature facilitates user provisioning by enabling administrators to efficiently populate the Groove domain with users. It also helps to ensure that consistent and accurate user information is provided to the authentication processes used for Auto-Account Configuration and other features. Integration with an Active Directory server is a prerequisite for the Auto-Account Configuration feature.
An organization should implement the Auto-Account Configuration feature of Groove Manager in enterprise environments. The Auto-Account Configuration feature expedites deployment of the Groove 2007 client by automating account configuration and facilitates restoration of backed-up user accounts. Additionally, the Auto-Account Configuration feature is a prerequisite for the domain Auto-Migration feature.
In the Microsoft IT deployment, user input required for manual account configuration and manual account restoration became a cumbersome chore for users. Auto-Account Configuration significantly enhanced the user experience by making account configuration and account restoration transparent for users. When a user starts the Groove 2007 client, the user account is automatically configured or the backed-up user account is automatically restored.
The project team used a Windows Internet Naming Service (WINS) name instead of a fully qualified domain name (FQDN) for the Groove Manager server that is used to direct Auto-Account Configuration requests from Groove 2007 clients. The team did this because, when the server was addressed by its FQDN, Groove clients detected it as being in the Internet security zone. Auto-Account Configuration depends on Groove clients to send Integrated Windows authentication credentials. Therefore, the front-end Groove Manager server that is used for Auto-Account Configuration needed to be automatically detected as being in the local intranet zone. Using WINS satisfied this dependency.
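The zone dependency described above can be checked from a client computer before rollout. The following is an added example, not part of the original white paper or of Groove: it assumes Windows PowerShell on the .NET Framework, default zone settings for automatic logon, and placeholder host names (`groovemgr`, `groovemgr.corp.example.com`).

```powershell
# Added example. Host names are placeholders, not the names Microsoft IT used.
function Get-UrlSecurityZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $Url
    )
    process {
        foreach ($u in $Url) {
            # Zone.CreateFromUrl returns the Windows security zone for the URL
            # as evaluated on this computer for the current user.
            $zone = [System.Security.Policy.Zone]::CreateFromUrl($u).SecurityZone

            [pscustomobject]@{
                Url  = $u
                Zone = $zone
                # Assumption: default zone settings, under which the current
                # Windows credentials are sent automatically only to servers
                # in the Intranet zone.
                SendsWindowsCredentials = ($zone -eq [System.Security.SecurityZone]::Intranet)
            }
        }
    }
}

# Compare the short (WINS-style) name with the FQDN of the same server.
'http://groovemgr/', 'http://groovemgr.corp.example.com/' |
    Get-UrlSecurityZone |
    Format-Table -AutoSize
```

A URL reported in the Internet zone will not receive Integrated Windows authentication credentials automatically under those defaults, which is the condition the project team avoided by using the short name.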
If Groove 2007 users need to be moved from one Groove domain to another domain or from a Microsoft-hosted Groove Enterprise Services domain to an on-site Groove domain, an organization should use the Auto-Migration feature of Groove Manager. This feature eliminates the administrative burden associated with manual migration and the user input required with manual account configuration. When users start the Groove 2007 client for the first time after migration to the new domain, user accounts are automatically configured.
Deploy Roles-Based Groove Manager Front-End Servers
In the Microsoft IT implementation, the project team configured the Groove Manager front-end servers to perform specific functional roles. The team deployed the administrative and client-facing functions of Groove Manager on separate front-end servers. To optimize performance and to allow for flexibility in the placement of the servers within the network topology, an organization should consider using this roles-based approach if the server infrastructure includes multiple Groove Manager front-end servers.
Implement Redundant Relay Servers
An organization should install and configure redundant relay servers to provide failover and to ensure robust synchronization and continuous data transmissions. A redundant relay server set can contain two to five relay servers. Additionally, an organization should consider prioritizing redundant relay servers in each relay server set such that different groups of users are assigned to a different primary relay server.
In the Microsoft IT implementation, the project team employed such a cross-provisioning approach by using two relay servers per relay server set. In scenarios where the primary relay server is not available, the Groove 2007 client automatically connects to the secondary relay server. Workspace changes that occur during a failover are not permanently lost. Instead, workspace changes are automatically retrieved from other members of the workspace, as necessary.
The project team decided to use a single data-center location for relay servers. The team had considered implementing relay servers in multiple data centers. However, the team deferred this option because of cost and operational considerations. Re-deployment to multiple data centers, which will be a straightforward process, is a future option.
Prepare Installation Worksheets
The Groove 2007 Planning and Deployment Guide includes installation worksheets to facilitate setup of Groove Manager and Groove Relay. An organization should use these worksheets to record installation parameters for each server deployed in the server infrastructure. This documentation is especially useful in large enterprise deployments, such as the Microsoft IT implementation.
Keep Policies As Simple As Possible
Groove Manager provides a default identity policy template and a default device policy template that contain a collection of policy settings used to manage Groove usage in the Groove domain. For comprehensive oversight of the Groove environment, an organization should review the default policy settings in each of these templates and then make adjustments as necessary according to corporate security and business requirements. For example, an identity-based security policy setting exists that blocks files with certain extensions. Administrators can modify the default list of file extensions to block.
To simplify administration, an organization should avoid using multiple policies or over-engineering policies. It should keep policies as simple as possible. In the Microsoft IT implementation, the project team configured one identity policy and one device policy for the Groove domain. Recommended policy settings to configure include:
The identity policy setting that schedules periodic account backups.
The identity policy setting that enables Groove device management during account configuration and during logon. Through this setting, devices are automatically registered with a Groove domain and are immediately available to receive device policies. Setting important device-based security policies, such as those that control password creation, requires device management.
The identity policy setting that requires managed devices for managed identities.
Device policy settings to enforce strong passwords. The password used to log on to Groove is defined by the user when he or she first activates a Groove user account. It is separate from the password used to log on to Windows. Groove Manager includes device policy settings that enable administrators to control length, uniqueness, expiration, and case characteristics of passwords.
An identity policy setting to allow the appropriate versions of Groove for backward compatibility, if the collaboration environment includes earlier versions of Groove. By default, only Groove 2007 workspaces are allowed.
Prepackage the Trusted Root CA Certificate with the Groove 2007 Client Installation Package If Using an Enterprise PKI
When using an enterprise PKI for user authentication, an organization should consider using the Office Customization Tool to customize the installation of the Groove 2007 client by including the trusted root CA certificate in the installation package. Through this method, the trusted root CA certificate is automatically installed when the Groove 2007 client is deployed to users' computers.
For the Microsoft IT deployment, this method was a process enhancement that the project team devised to ensure that the trusted root CA certificate is present on the computers of all users at Microsoft who have installed the Groove 2007 client. In this way, users who have a managed identity in the Groove domain can use their Groove user account on computers that are not members of the Windows domain or that have not previously established a remote access connection to the corporate network.
Provide Clear Instructions to Users for Manual Account Configuration and Manual Account Restoration
In scenarios where users manually activate their Groove user account by entering their account configuration code or where users manually restore their Groove user account, an organization should ensure that instructions to users are clear and concise. As mentioned earlier, at Microsoft, the project team discovered that user input required for both of these processes proved to be awkward for many employees.
Groove Manager enables administrators to create templates for account configuration e-mail and account restoration e-mail that Groove Manager sends. In the templates, administrators should specify the instructions to include in the body of the e-mail messages. Administrators should make sure that instructions contain specific steps for how to manually configure an account or how to manually restore an account, in addition to information about how users can obtain support, if needed.
Pilot the Deployment
After the on-site server infrastructure is in place, an organization should:
Deploy the Groove 2007 client to a small, closely monitored group of users.
Test the range of possible usage scenarios during the pilot.
Identify and resolve any issues that arise before proceeding with the full-scale deployment of the Groove 2007 client to the enterprise production environment.
Promote User Education and Awareness
An organization should develop and distribute user education and training materials to help users learn Groove and understand how they can use it to collaborate with other team members.
Microsoft IT organized the Groove portion of the internal Web site to promote the Groove 2007 collaboration solution within the company and to prepare employees for the Groove service. Among the resources available on the Web site were self-service user guides that were developed to help users get started with Groove 2007 as quickly and effortlessly as possible. These guides included easy-to-follow instructions for how to install the Groove 2007 client; how to create a workspace and invite others; and how to use Groove 2007 collaboration features and tools to communicate with others, share information, and stay productive anywhere, online or offline.
Thus far, employees at Microsoft have been able to learn and use Groove 2007 with relative ease. However, the project team discovered that it was important to educate users and set expectations with regard to certain Groove user account-related scenarios, especially those scenarios that required user input. Employees at Microsoft required guidance for manual account configuration, manual account restoration, and certificate selection. Additionally, users were encouraged to log on to Groove frequently to prevent user account backups from expiring. Because these scenarios are unique to Groove, instructions provided to users should be clear and concise.
With the introduction of Groove 2007 as a new collaboration tool in the Microsoft IT environment, some employees were unsure about how Groove 2007 fit in with existing collaborative software offerings. Employees were accustomed to using e-mail, SharePoint sites, and a combination of other tools and methods. Some employees were hesitant to adopt a new technology. Others were not fully aware of the collaboration features derived from the decentralized architecture of Groove 2007 and its out-of-the-box integration with Windows SharePoint Services 3.0. Questions arose as to which was the best tool to use for specific individual and team collaboration needs.
To help drive a cultural shift and to help users make better-informed decisions, an organization should build awareness of the benefits and features of the different collaboration technologies available to users. Users will then have the information they need to choose the right tool for the right job. Microsoft IT developed content to compare the collaboration tools used at Microsoft and to explain how and when to make the best use of each tool.
The decentralized, hybrid architecture of Groove 2007 provides users with the autonomy that they require to collaborate efficiently and effectively with colleagues, partners, and customers. It also helps to ensure that administrators maintain centralized management and control.
Groove 2007 enables business teams to dynamically work together on projects, even when team members work for different organizations, work from different locations, or work offline. Automatic synchronization keeps all team members up to date, firewall traversal extends collaboration across network boundaries, and offline capabilities enable team members to stay productive even when a connection to the corporate network or the Internet is not available. These core competencies are especially relevant in helping to maintain business agility in today's global business environment.
The internal deployment of the Groove Server 2007 on-site infrastructure provided Microsoft with the foundation to enable "anywhere anytime" collaboration in its own environment. It also provided the opportunity to test and validate the business value of product features and functionality in a large-scale enterprise production environment. Only minimal administrative overhead is required to operate and maintain the system. Feedback to the product group as a result of user and IT experiences led to process and product enhancements.
Benefits that Microsoft has gained from the internal Groove 2007 deployment are just beginning. Groove 2007 enhances individual and team productivity, strengthens the quality of team deliverables, and helps increase the speed of business. Other benefits can include reduced IT infrastructure and support costs, lowered travel and phone costs, and reduced e-mail storage costs.
Microsoft IT is currently working on defining the Groove service offering within Microsoft. This task involves characterizing the integrated, end-to-end delivery of the business service. Microsoft IT also plans to launch an internal campaign to promote Groove 2007 to different business units and groups throughout the enterprise. With the initiation of these two projects, Microsoft IT anticipates Groove usage to increase considerably within the company. Microsoft will realize additional benefits as more employees embrace Groove 2007 as the tool for dynamic team collaboration.
For More Information
For more information about the Microsoft IT deployment of Groove 2007 at Microsoft, see TechNet Webcast: How Microsoft IT Deployed Office Groove 2007. To view this Webcast, visit the following Microsoft Web site:
For more information about Groove Server 2007, visit the following Microsoft Web site:
For more information about Groove 2007, visit the following Microsoft Web site:
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to: